diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index d26f0bf3f2..bd86e232cc 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,999 +1,1019 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-25:08.caroot" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:07.openssl" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:06.daemon" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:05.expat" +date = "2025-04-10" + +[[notices]] +name = "FreeBSD-EN-25:04.tzdata" +date = "2025-04-10" + [[notices]] name = "FreeBSD-EN-25:03.tzdata" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-25:02.audit" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-25:01.rpc" date = "2025-01-29" [[notices]] name = "FreeBSD-EN-24:17.pam_xdg" date = "2024-10-29" [[notices]] name = "FreeBSD-EN-24:16.pf" date = "2024-09-19" [[notices]] name = "FreeBSD-EN-24:15.calendar" date = "2024-09-04" [[notices]] name = "FreeBSD-EN-24:14.ifconfig" date = "2024-08-07" [[notices]] name = "FreeBSD-EN-24:13.libc++" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:12.killpg" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:11.ldns" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:10.zfs" date = "2024-06-19" [[notices]] name = "FreeBSD-EN-24:09.zfs" date = "2024-04-24" [[notices]] name = "FreeBSD-EN-24:08.kerberos" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:07.clang" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:06.wireguard" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:05.tty" date = "2024-03-28" [[notices]] name = "FreeBSD-EN-24:04.ip" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:03.kqueue" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:02.libutil" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-24:01.tzdata" date = "2024-02-14" [[notices]] name = "FreeBSD-EN-23:22.vfs" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:21.tty" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:20.vm" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:19.pkgbase" date = "2023-12-05" [[notices]] name = 
"FreeBSD-EN-23:18.openzfs" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:17.ossl" date = "2023-12-05" [[notices]] name = "FreeBSD-EN-23:16.openzfs" date = "2023-12-01" [[notices]] name = "FreeBSD-EN-23:15.sanitizer" date = "2023-12-01" [[notices]] name = "FreeBSD-EN-23:14.regcomp" date = "2023-11-08" [[notices]] name = "FreeBSD-EN-23:13.freebsd-update" date = "2023-11-08" [[notices]] name = "FreeBSD-EN-23:12.freebsd-update" date = "2023-10-03" [[notices]] name = "FreeBSD-EN-23:11.caroot" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:10.pci" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:09.freebsd-update" date = "2023-09-06" [[notices]] name = "FreeBSD-EN-23:08.vnet" date = "2023-08-01" [[notices]] name = "FreeBSD-EN-23:07.mpr" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:06.loader" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:05.tzdata" date = "2023-06-21" [[notices]] name = "FreeBSD-EN-23:04.ixgbe" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:03.ena" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:02.sdhci" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-23:01.tzdata" date = "2023-02-08" [[notices]] name = "FreeBSD-EN-22:28.heimdal" date = "2022-11-29" [[notices]] name = "FreeBSD-EN-22:27.loader" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:26.cam" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:25.tcp" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:24.zfs" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:23.vm" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:22.tzdata" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:21.zfs" date = "2022-11-01" [[notices]] name = "FreeBSD-EN-22:20.tzdata" date = "2022-08-30" [[notices]] name = "FreeBSD-EN-22:19.pam_exec" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:18.wifi" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:17.cam" date = "2022-08-09" [[notices]] name = "FreeBSD-EN-22:16.kqueue" date = "2022-08-09" 
[[notices]] name = "FreeBSD-EN-22:15.pf" date = "2022-04-06" [[notices]] name = "FreeBSD-EN-22:14.tzdata" date = "2022-03-22" [[notices]] name = "FreeBSD-EN-22:13.zfs" date = "2022-03-21" [[notices]] name = "FreeBSD-EN-22:12.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:11.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:10.zfs" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:09.freebsd-update" date = "2022-03-15" [[notices]] name = "FreeBSD-EN-22:08.i386" date = "2022-02-01" [[notices]] name = "FreeBSD-EN-22:07.la57" date = "2022-02-01" [[notices]] name = "FreeBSD-EN-22:06.libalias" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:05.tail" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:04.pcid" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:03.hyperv" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:02.xsave" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-22:01.fsck_ffs" date = "2022-01-11" [[notices]] name = "FreeBSD-EN-21:29.tzdata" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:28.vmci" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:27.caroot" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:26.libevent" date = "2021-11-03" [[notices]] name = "FreeBSD-EN-21:25.bhyve" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:24.libcrypto" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:23.virtio_blk" date = "2021-08-24" [[notices]] name = "FreeBSD-EN-21:22.linux_futex" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:21.ipfw" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:20.vlan" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:19.libcasper" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:18.libc++" date = "2021-06-29" [[notices]] name = "FreeBSD-EN-21:17.libradius" date = "2021-06-01" [[notices]] name = "FreeBSD-EN-21:16.bc" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:15.virtio" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:14.pms" date = 
"2021-05-26" [[notices]] name = "FreeBSD-EN-21:13.mpt" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:12.divert" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:11.aesni" date = "2021-05-26" [[notices]] name = "FreeBSD-EN-21:10.lldb" date = "2021-04-06" [[notices]] name = "FreeBSD-EN-21:09.pf" date = "2021-04-06" [[notices]] name = "FreeBSD-EN-21:08.freebsd-update" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:07.caroot" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:06.microcode" date = "2021-02-24" [[notices]] name = "FreeBSD-EN-21:05.libatomic" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:04.zfs" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:03.vnet" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:02.extattr" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-21:01.tzdata" date = "2021-01-29" [[notices]] name = "FreeBSD-EN-20:22.callout" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:21.ipfw" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:20.tzdata" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:19.audit" date = "2020-12-01" [[notices]] name = "FreeBSD-EN-20:18.getfsstat" date = "2020-09-02" [[notices]] name = "FreeBSD-EN-20:17.linuxthread" date = "2020-09-02" [[notices]] name = "FreeBSD-EN-20:16.vmx" date = "2020-08-05" [[notices]] name = "FreeBSD-EN-20:15.mps" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:14.linuxkpi" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:13.bhyve" date = "2020-07-08" [[notices]] name = "FreeBSD-EN-20:12.iflib" date = "2020-06-09" [[notices]] name = "FreeBSD-EN-20:11.ena" date = "2020-06-09" [[notices]] name = "FreeBSD-EN-20:10.build" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:09.igb" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:08.tzdata" date = "2020-05-12" [[notices]] name = "FreeBSD-EN-20:07.quotad" date = "2020-04-21" [[notices]] name = "FreeBSD-EN-20:06.ipv6" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:05.mlx5en" 
date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:04.pfctl" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:03.sshd" date = "2020-03-19" [[notices]] name = "FreeBSD-EN-20:02.nmount" date = "2020-01-28" [[notices]] name = "FreeBSD-EN-20:01.ssp" date = "2020-01-28" [[notices]] name = "FreeBSD-EN-19:19.loader" date = "2019-11-12" [[notices]] name = "FreeBSD-EN-19:18.tzdata" date = "2019-10-23" [[notices]] name = "FreeBSD-EN-19:17.ipfw" date = "2019-08-20" [[notices]] name = "FreeBSD-EN-19:16.bhyve" date = "2019-08-20" [[notices]] name = "FreeBSD-EN-19:15.libunwind" date = "2019-08-06" [[notices]] name = "FreeBSD-EN-19:14.epoch" date = "2019-08-06" [[notices]] name = "FreeBSD-EN-19:13.mds" date = "2019-07-24" [[notices]] name = "FreeBSD-EN-19:12.tzdata" date = "2019-07-02" [[notices]] name = "FreeBSD-EN-19:11.net" date = "2019-06-19" [[notices]] name = "FreeBSD-EN-19:10.scp" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:09.xinstall" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:08.tzdata" date = "2019-05-14" [[notices]] name = "FreeBSD-EN-19:07.lle" date = "2019-02-05" [[notices]] name = "FreeBSD-EN-19:06.dtrace" date = "2019-02-05" [[notices]] name = "FreeBSD-EN-19:05.kqueue" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:04.tzdata" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:03.sqlite" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:02.tcp" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-19:01.cc_cubic" date = "2019-01-09" [[notices]] name = "FreeBSD-EN-18:18.zfs" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:17.vm" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:16.ptrace" date = "2018-12-19" [[notices]] name = "FreeBSD-EN-18:15.loader" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:14.tzdata" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:13.icmp" date = "2018-11-27" [[notices]] name = "FreeBSD-EN-18:12.mem" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:11.listen" date = 
"2018-09-27" [[notices]] name = "FreeBSD-EN-18:10.syscall" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:09.ip" date = "2018-09-27" [[notices]] name = "FreeBSD-EN-18:08.lazyfpu" date = "2018-09-12" [[notices]] name = "FreeBSD-EN-18:07.pmap" date = "2018-06-21" [[notices]] name = "FreeBSD-EN-18:06.tzdata" date = "2018-05-08" [[notices]] name = "FreeBSD-EN-18:05.mem" date = "2018-05-08" [[notices]] name = "FreeBSD-EN-18:04.mem" date = "2018-04-04" [[notices]] name = "FreeBSD-EN-18:03.tzdata" date = "2018-04-04" [[notices]] name = "FreeBSD-EN-18:02.file" date = "2018-03-07" [[notices]] name = "FreeBSD-EN-18:01.tzdata" date = "2018-03-07" [[notices]] name = "FreeBSD-EN-17:09.tzdata" date = "2017-11-02" [[notices]] name = "FreeBSD-EN-17:08.pf" date = "2017-08-10" [[notices]] name = "FreeBSD-EN-17:07.vnet" date = "2017-08-10" [[notices]] name = "FreeBSD-EN-17:06.hyperv" date = "2017-07-12" [[notices]] name = "FreeBSD-EN-17:05.xen" date = "2017-04-12" [[notices]] name = "FreeBSD-EN-17:04.mandoc" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:03.hyperv" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:02.yp" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-17:01.pcie" date = "2017-02-23" [[notices]] name = "FreeBSD-EN-16:21.localedef" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:20.tzdata" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:19.tzcode" date = "2016-12-06" [[notices]] name = "FreeBSD-EN-16:18.loader" date = "2016-10-25" [[notices]] name = "FreeBSD-EN-16:17.vm" date = "2016-10-25" [[notices]] name = "FreeBSD-EN-16:16.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:15.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:14.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:13.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:12.hv_storvsc" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:11.vmbus" date = "2016-08-12" [[notices]] name = "FreeBSD-EN-16:10.dhclient" date = 
"2016-08-12" [[notices]] name = "FreeBSD-EN-16:09.freebsd-update" date = "2016-07-25" [[notices]] name = "FreeBSD-EN-16:08.zfs" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:07.ipi" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:06.libc" date = "2016-05-04" [[notices]] name = "FreeBSD-EN-16:05.hv_netvsc" date = "2016-03-16" [[notices]] name = "FreeBSD-EN-16:04.hyperv" date = "2016-03-16" [[notices]] name = "FreeBSD-EN-16:03.yplib" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-16:02.pf" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-16:01.filemon" date = "2016-01-14" [[notices]] name = "FreeBSD-EN-15:20.vm" date = "2015-11-04" [[notices]] name = "FreeBSD-EN-15:19.kqueue" date = "2015-11-04" [[notices]] name = "FreeBSD-EN-15:18.pkg" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:17.libc" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:16.pw" date = "2015-09-16" [[notices]] name = "FreeBSD-EN-15:15.pkg" date = "2015-08-25" [[notices]] name = "FreeBSD-EN-15:14.ixgbe" date = "2015-08-25" [[notices]] name = "FreeBSD-EN-15:13.vidcontrol" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:12.netstat" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:11.toolchain" date = "2015-08-18" [[notices]] name = "FreeBSD-EN-15:10.iconv" date = "2015-06-30" [[notices]] name = "FreeBSD-EN-15:09.xlocale" date = "2015-06-30" [[notices]] name = "FreeBSD-EN-15:08.sendmail" date = "2015-06-18" [[notices]] name = "FreeBSD-EN-15:07.zfs" date = "2015-06-09" [[notices]] name = "FreeBSD-EN-15:06.file" date = "2015-06-09" [[notices]] name = "FreeBSD-EN-15:05.ufs" date = "2015-05-13" [[notices]] name = "FreeBSD-EN-15:04.freebsd-update" date = "2015-05-13" [[notices]] name = "FreeBSD-EN-15:03.freebsd-update" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-15:02.openssl" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-15:01.vt" date = "2015-02-25" [[notices]] name = "FreeBSD-EN-14:13.freebsd-update" date = "2014-12-23" [[notices]] name = 
"FreeBSD-EN-14:12.zfs" date = "2014-11-04" [[notices]] name = "FreeBSD-EN-14:11.crypt" date = "2014-10-22" [[notices]] name = "FreeBSD-EN-14:10.tzdata" date = "2014-10-22" [[notices]] name = "FreeBSD-EN-14:09.jail" date = "2014-07-08" [[notices]] name = "FreeBSD-EN-14:08.heimdal" date = "2014-06-24" [[notices]] name = "FreeBSD-EN-14:07.pmap" date = "2014-06-24" [[notices]] name = "FreeBSD-EN-14:06.exec" date = "2014-06-03" [[notices]] name = "FreeBSD-EN-14:05.ciss" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:04.kldxref" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:03.pkg" date = "2014-05-13" [[notices]] name = "FreeBSD-EN-14:02.mmap" date = "2014-01-14" [[notices]] name = "FreeBSD-EN-14:01.random" date = "2014-01-14" [[notices]] name = "FreeBSD-EN-13:05.freebsd-update" date = "2013-11-28" [[notices]] name = "FreeBSD-EN-13:04.freebsd-update" date = "2013-10-26" [[notices]] name = "FreeBSD-EN-13:03.mfi" date = "2013-08-22" [[notices]] name = "FreeBSD-EN-13:01.fxp" date = "2013-06-28" [[notices]] name = "FreeBSD-EN-13:02.vtnet" date = "2013-06-28" [[notices]] name = "FreeBSD-EN-12:02.ipv6refcount" date = "2012-06-12" [[notices]] name = "FreeBSD-EN-12:01.freebsd-update" date = "2012-01-04" [[notices]] name = "FreeBSD-EN-10:02.sched_ule" date = "2010-02-27" [[notices]] name = "FreeBSD-EN-10:01.freebsd" date = "2010-01-06" [[notices]] name = "FreeBSD-EN-09:05.null" date = "2009-10-02" [[notices]] name = "FreeBSD-EN-09:04.fork" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:03.fxp" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:02.bce" date = "2009-06-24" [[notices]] name = "FreeBSD-EN-09:01.kenv" date = "2009-03-23" [[notices]] name = "FreeBSD-EN-08:02.tcp" date = "2008-06-19" [[notices]] name = "FreeBSD-EN-08:01.libpthread" date = "2008-04-17" [[notices]] name = "FreeBSD-EN-07:05.freebsd-update" date = "2007-03-15" [[notices]] name = "FreeBSD-EN-07:04.zoneinfo" date = "2007-02-28" [[notices]] name = "FreeBSD-EN-07:03.rc.d_jail" date = 
"2007-02-28" [[notices]] name = "FreeBSD-EN-07:02.net" date = "2007-02-28" [[notices]] name = "FreeBSD-EN-07:01.nfs" date = "2007-02-14" [[notices]] name = "FreeBSD-EN-06:02.net" date = "2006-08-28" [[notices]] name = "FreeBSD-EN-06:01.jail" date = "2006-07-07" [[notices]] name = "FreeBSD-EN-05:04.nfs" date = "2005-12-19" [[notices]] name = "FreeBSD-EN-05:03.ipi" date = "2005-01-16" [[notices]] name = "FreeBSD-EN-05:02.sk" date = "2005-01-06" [[notices]] name = "FreeBSD-EN-05:01.nfs" date = "2005-01-05" [[notices]] name = "FreeBSD-EN-04:01.twe" date = "2004-06-28" diff --git a/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc new file mode 100644 index 0000000000..acf18a34a7 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc 
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:04.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2025-04-10
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-03-26 01:04:32 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:39 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-03-26 01:04:59 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:01 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:35 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe. It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone. Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+II. Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released. This
+affects many users in different parts of the world. Because of these
+changes, the data in the zoneinfo files need to be updated. If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately. Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch.asc
+# gpg --verify tzdata-2025b.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 475082194ac8 stable/14-n270829
+releng/14.2/ 2c5831b3047d releng/14.2-n269519
+stable/13/ 7b17666c32f7 stable/13-n259218
+releng/13.5/ 74aa5e2a7b10 releng/13.5-n259163
+releng/13.4/ f8c2bedb03a2 releng/13.4-n258280
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38CwACgkQbljekB8A
+Gu8ZtxAAgvGZHyMBOTxDHJimqZQWwFMTyUrqUDAt19N1ETuFTeDXYi7OGWLUV9sn
+lSEVO+n5xEesF20vauQnv9vrXCK2gmvv97bT4SUEGjhdmPm78L14uD6UP8Ws/2+v
+lrps0cu0qYfmNLZUsKYH05ZcNCHBi7kSG14CMLXqFHPBM/9pKefnU7wp89oWvWpe
+0gsTvEEixmQELsmKDieIPiqlavRCzLLjtbUGr2/Apqe9WK2eyDwpZlSjqAUba7JR
+N4zod+EHwVrXsQdzXM1nSHAUR2I7AC2dn7CJX+o1wN1qHpLov5mnkxvFxO2otalY
+fLgOQCNzPpYlrMozCEDKTAVu+fL4qDB9NouE6uPo0AgPul9DVmJ/WsSdDEzbicss
+giG1S47ulsb/MTi0pGWz7emdstqtoxu/bGsTcjzB1IaMYZufz67rQjayfjVkX8Iy
+AOiRXJQMQnXCEOz30OskewXdrShbpV1siBBFUdvBOd/QUc4LrnrtdWUriDgdDi5w
+13ahxer5jGh+QC8tueNkZ2HOBAbid7W7wy1pbThCguCbIjUlpTh4F9my8NzVIGtF
+twmPrbwLXcX2G41NH3YWZ6U9pcB2r8JjAgbZrLjN/SytZu5Zc2hhO+JgjxAVxCdY
+SrOpg0NrCqftfNPehxqNP7BiAHCRFFrOfdEiX2Wd7mUmb7CLK0g=
+=aI5z
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc
new file mode 100644
index 0000000000..552401a580
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc
@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:05.expat Errata Notice
+ The FreeBSD Project
+
+Topic: Update expat to 2.7.1
+
+Category: contrib
+Module: libbsdxml
+Announced: 2025-04-10
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5)
+CVE Name: CVE-2024-8176
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+Expat is an XML parser library written in C. It is a stream-oriented
+parser in which an application registers handlers for things the parser
+might find in the XML document (like start tags).
+
+The FreeBSD base system ships libexpat as libbsdxml for components that
+need to parse XML data. Some of these applications use the XML parser
+on trusted data from the kernel, for instance the geom(8) configuration
+utilities, while other applications, like tar(1), cpio(1) and
+unbound-anchor(8), may use the XML parser on input from network or the
+user.
+
+II. Problem Description
+
+A stack overflow bug exists in the libexpat library due to the way it
+handles recursive entity expansion in XML documents. When parsing an
+XML document with deeply nested entity references, libexpat can be
+forced to recurse indefinitely, exhausting the stack space and causing a
+crash.
+
+III. Impact
+
+This stack overflow could cause e.g. tar(1) to crash. Owing to the
+limited number of ways libbsdxml is used in FreeBSD, the base system is
+not likely to be vulnerable to denial of service (DoS) or exploitable memory
+corruption.
+
+IV. Workaround
+
+No workaround is available, but the problem only manifests when the
+affected system needs to process data from an untrusted source.
+
+Because the library is used by many third party applications, we advise
+system administrators to check and make sure that they have the latest
+expat version as well, and restart all third party services, or reboot
+the system.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.4, 14.2]
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc
+# gpg --verify expat-13.4-14.2.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc
+# gpg --verify expat-13.5.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch -E < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+The FreeBSD base system does not install daemons that use the library.
+A reboot is not required after updating the base system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ fd4592006b13 stable/14-n271000
+releng/14.2/ 700e7384dfbf releng/14.2-n269520
+stable/13/ 5630672e6f6d stable/13-n259244
+releng/13.5/ dec0bf8096b3 releng/13.5-n259164
+releng/13.4/ e3fd2734314d releng/13.4-n258281
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+The latest revision of this advisory is available at
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DUACgkQbljekB8A
+Gu8jQA/6AtsNwonBza6fjbkQaDeGbyEn2agOvkZ8R0tF+QKnYLVt63O52r9VmTeG
+s5/yLjcXKqo4Bnk9x3+BiDzA6x2LQrma8QRuvz+eLrRyGK2Ux0L5py0lNb9CqTsc
+/jS+5dU18nOA4v9P+UMj6NWXAxlgJ3LVVGgSLZxjXLkyZHzzUnQHiQnY4DeWzAh6
+tTY/EeNjVd3LPIDmpomHSsrt+ayD13+SNdADNWY3mColCS4ew8duiOIoACpj8J99
+LI6hfUjninjmkPbgUmRnX5akh35uxcOhANFuyHlr5GMsh/h76BJ1FT64oZtBwWTQ
+Zy/hF6fBOb42NJMUuIu7yNEgYg2Yb8fgb0+zfFtBih5U/KBGD/yD3mst3lAAVPZS
+Q25e3U9zbyVyykZg5RdKVWy1PSI2FG7uNb+f1Jz8xPPgcCF9edjJLHD2lcTZVprR
+bJPeFXf5MJjgzSafLxon4jA/6rnoqUaML1Cbi6DIVhC4hgsBCzMzcTedo7gjP6Ab
+6c6msxXLha0Q7eBUH10uoh+I91AMERBJZpEEaX8PN9GtRZi+lvn04GW2UbjRnBpY
+eKL/9RGeW8WRMwwututtzSbFLk8iSzcOto2iVClkkybOQAau78kTpnMhGyRav/UQ
+zezIRE2X/Ob34wZK3WxQRGuIVx40Ci0ZNly2w6wRTmak9twgP6U=
+=9pZP
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc
new file mode 100644
index 0000000000..f137953431
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:06.daemon Errata Notice
+ The FreeBSD Project
+
+Topic: daemon(8) missing signals
+
+Category: core
+Module: daemon
+Announced: 2025-04-10
+Affects: FreeBSD 14.2 and FreeBSD 13.4
+Corrected: 2024-12-10 23:05:46 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:41 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2024-12-10 23:06:11 UTC (stable/13, 13.4-STABLE)
+ 2025-04-10 14:59:37 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+daemon(8) can be sent some signals to control its behavior: SIGHUP to re-open
+its output file, or SIGTERM to cleanly terminate the child and shutdown.
+
+II. Problem Description
+
+Following a change to use kqueue(2) to manage signals, daemon(8) would lose
+signal events that occur while it waits to restart the supervised process.
+
+III. Impact
+
+The most notable impact is that daemon(8) may hang if a SIGTERM is sent to it
+after the child has gone away, and before it is restarted.
+
+Note that FreeBSD 13.5 is not affected. FreeBSD 13.5-PRERELEASE and later
+builds of stable/13 include the fix.
+
+IV. Workaround
+
+No workaround is available. daemon(8) invocations that do not use -r are not
+affected, with a larger -R argument being specified making it more likely to
+hit the problematic window.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and restart any daemon(8)
+processes that may be affected or reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch
+# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch.asc
+# gpg --verify daemon.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 7ea2874eadf9 stable/14-n269895
+releng/14.2/ 4651d400f100 releng/14.2-n269521
+stable/13/ 4bb1a558a281 stable/13-n258848
+releng/13.4/ a1f4a530dea3 releng/13.4-n258282
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DgACgkQbljekB8A
+Gu97DRAAgNI+V5TOsP2a9hiQgQ5B1Za6gc28a0mFlhbl6CQn2CdaOrTGFMGXEHVv
++vXXwewBS8N1+fUloDiC6oLi7N9mwt8sI4U3jSnNc1LZhXBDohM0Pv67AOr7GfDp
+i+rkYJeGV4uVPKaHbnxWo1LTO+/oJH8N4b4kvIlyzv+C3TRNi3aFarcA+dnw7woK
+xL1qTk7uCcgvUn9zh6xlvGKHK605WqwQ3HcBv6sfghGzBdfhkArkMg45ww0z7Xoy
+1viVwrdZOIFWMKngPaRypPonp1UZmEOCIT5UzkZv8u2vctJufZEF3mWwQHLYxZg4
+1wSTF0YgwrLBsdkLveU9YLG1YWDFIs3XhfMT3ES6PXvNLfDSKH6xrnjcdeki4wtN
+wapUu+cKAmB9Itpa7jbyY3pgvqOhmCEprxZ8fAxB55iGIsuWx2jY70j0n6Dko5Z+
+AAxdIz6WmCakzpUC5q+cX0A3v33qtPZvzR3iH3ZTYsTYp7B/oKRZ6kW4snTaM/Id
+5yI+4vZdVxfWEKWo3b+JWQEi/qRdZpnaRuBK9g7bCEPPv69dVpXfI1hXnczdZrQn
+etdF21cnVyWt5brcpDBTk+0s1a2OA7kDqp1sQ/cTgoBEdVW317UDu+esgVzXkQmu
+LpPBTXqnBUNhlwiL//APijkcd1iV53RUR3ylL/tC6j04nrURFxE=
+=64Co
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc
new file mode 100644
index 0000000000..d32ced3c9d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc
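Review bot: In FreeBSD-EN-25:06.daemon.asc, step 2a fetches `daemonpatch` and `daemonpatch.asc`, but the next line runs `gpg --verify daemon.patch.asc`, so the file names do not agree. An administrator following the steps verbatim ends up with no file the verify command can open, and the signature check on the patch is the step most likely to be skipped when that happens. The fetch lines presumably should read `# fetch https://security.FreeBSD.org/patches/EN-25:06/daemon.patch` and the matching `daemon.patch.asc`; confirm against the files actually published. Because the advisory is clearsigned, editing it in this commit would invalidate the PGP signature, so the correction has to be made in the advisory source and re-signed before the `.asc` is replaced.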
@@ -0,0 +1,178 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:07.openssl Errata Notice
+ The FreeBSD Project
+
+Topic: Update OpenSSL to 3.0.16
+
+Category: contrib
+Module: openssl
+Announced: 2025-04-10
+Affects: FreeBSD 14.2
+Corrected: 2025-03-25 21:07:59 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:42 UTC (releng/14.2, 14.2-RELEASE-p3)
+CVE Name: CVE-2024-13176, CVE-2024-9143
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured Open
+Source toolkit for the Transport Layer Security (TLS) protocol. It is also a
+general-purpose cryptography library.
+
+II. Problem Description
+
+Automated security vulnerability scanners report that OpenSSL 3.0.15, included
+with FreeBSD 14.2, is affected by CVE-2024-13176 and CVE-2024-9143.
+
+1) CVE-2024-13176
+
+A timing side-channel which could potentially allow recovering the private key
+exists in the ECDSA signature computation.
+
+2) CVE-2024-9143
+
+Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
+values for the field polynomial can lead to out-of-bounds memory reads or
+writes.
+
+III. Impact
+
+1) CVE-2024-13176
+
+There is a timing signal of around 300 nanoseconds when the top word of the
+inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular the
+NIST P-521 curve is affected.
+
+To be able to measure this leak, the attacker process must either be located
+in the same physical computer or must have a very fast network connection with
+low latency.
+
+2) CVE-2024-9143
+
+Applications working with "exotic" explicit binary (GF(2^m)) curve parameters,
+that make it possible to represent invalid field polynomials with a zero
+constant term, via the EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),
+and various supporting BN_GF2m_*() or similar APIs, may terminate abruptly as
+a result of reading or writing outside of array bounds. Remote code execution
+cannot easily be ruled out.
+
+In all the protocols involving Elliptic Curve Cryptography known to the
+OpenSSL developers either only "named curves" are supported, or, if explicit
+curve parameters are supported, they specify an X9.62 encoding of binary
+(GF(2^m)) curves that can't represent problematic input values. Thus the
+likelihood of existence of a vulnerable application is low.
+
+In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,
+so problematic inputs cannot occur in the context of processing X.509
+certificates. Any problematic use-cases would have to be using an "exotic"
+curve encoding.
+
+IV. Workaround
+
+No workaround is available.
+
+Systems not using base versions of OpenSSL are not affected.
+
+Systems not exposed to low-latency adversaries and systems not using "exotic"
+elliptic curve parameters are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. A reboot is required following
+the upgrade to ensure that all applications and kernel code has been rebuilt with
+OpenSSL 3.0.16-provided code.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The system should be rebooted after installing the update to ensure that all
+applications are using OpenSSL 3.0.16.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ cb29db243bd0 stable/14-n270826
+releng/14.2/ 862cd6b8fa9d releng/14.2-n269522
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DoACgkQbljekB8A
+Gu/03hAAhIoD5XT/ynR4g20mOs4e03spEnJSJARO6ZGSCdI7zis5dWjnWADu1gPi
+GND4THVdOI50WDyg2kyvKivt06ykfxcfAzSV3mqn+mECsOjGknfs0UAmjc6ilW28
+PPA8QnJjYYKI+EGSFnG510MZWUTZKlldJ86ECnn7xh4xrOsMBKSK53Fjy8y96Tc2
+AUBzfu8uc0t9YdSCQlYp+T5ZEM8mXYiGbQBj+ZnLyVIhWjSWiR89wjUA7hjp0UQV
+rzKEqx9kvPNLPLRT0belbzohSIwKiCYjL3ryqsMiCliGRn1Gyii7oLIOkVPIZNyt
+QRCyifi/q5SdkYb3nkSzNlE7cYCDN2Qpnkdn6fVwxEjFgtsbG+Ljni/IXvFqf7A1
+6LNZsBLiYFGrEha9yxiI1av0jO81Ktbu2U1QUosT1T856FGR6/1KKQzUfmL1JJY7
+G0LTIrrzTJuuVeYe2f3AtwNpk+zjHH4plCORd7psdj5MwWtAAt5AifC7J0sdLcjj
+V552p2qV18RBhY38zEpY8JmWxXukLp0IuKJjYLtP81I2g3JrSUkVvycyMmACKVm1
+wzOgeAwA4qlfOaYaOffeouaMFrOqR9UGBdtiwxCiuerU3ZWhG1eXwHYTwfhBC9U4
+eB7YiAdGz/xI1GK6OsfbCxWISXYiN+QXDIkSkdK4p3VPvjkVQeA=
+=HLnD
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc
new file mode 100644
index 0000000000..cfbbd2968c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc
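Review bot: Step 2a of FreeBSD-EN-25:07.openssl.asc verifies the download with `gpg --verify openssl.patch.asc`, which leaves gpg to find the signed file by stripping the suffix and never says which key the signature must come from. Naming both files, `gpg --verify openssl.patch.asc openssl.patch`, and asking the reader to compare the reported fingerprint with the project's published security-officer key would make the step a real integrity check, since a valid signature from any key in the local keyring otherwise looks like success. The one-argument form is repeated three times in FreeBSD-EN-25:08.caroot.asc, and in the EN-25:06 daemon notice earlier on the page the fetch lines name `daemonpatch` while the verify line names `daemon.patch.asc`, so those commands do not match as written. Because the notices are clearsigned, a wording change has to be made by the signer and re-signed rather than edited in the committed file.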
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:08.caroot Errata Notice
+ The FreeBSD Project
+
+Topic: Root certificate bundle update
+
+Category: core
+Module: caroot
+Announced: 2025-04-10
+Credits: michaelo@FreeBSD.org
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-03-20 10:18:27 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:44 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-03-20 11:32:44 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:03 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:38 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aid in determining whether it should trust a given
+TLS certificate.
+
+II. Problem Description
+
+Several certificates were added to the bundle after the latest release of
+FreeBSD 13.4, 13.5, and 14.2.
+
+III. Impact
+
+TLS connections using the missing root certificates as a trust anchor would
+not be trusted causing an error.
+
+IV. Workaround
+
+No workaround is available. Software that uses an internal trust store is not
+affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Users of FreeBSD Update should ensure that freebsd-update(8) is allowed to
+create and delete files. This is allowed by default.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 14.2]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch.asc
+# gpg --verify caroot-14.2.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch.asc
+# gpg --verify caroot-13.5.patch.asc
+
+[FreeBSD 13.4]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch.asc
+# gpg --verify caroot-13.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch -E < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use OpenSSL, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 7577dae4d672 stable/14-n270816
+releng/14.2/ 23d06bb83d0a releng/14.2-n269523
+stable/13/ f89c056e1184 stable/13-n259216
+releng/13.5/ 74176002ff9f releng/13.5-n259165
+releng/13.4/ e8e9cb97d094 releng/13.4-n258283
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DwACgkQbljekB8A
+Gu+y3BAAqgGHlCNdHu/XmCADpI+yNT30mBCN+eOQ7B5R5Ao9E65b2MdveoOScARA
+wmleXASx7clmCJwUITlEC0H57omcEYk5y0o7//NalbaFNI5c3SA6TWSca3BaHoo+
+TkgRvu0vrAdT2nrqmpBPEQR1uVUyEa2bLuTSe+PwN00kIs70RSzHapAhUtfDA3ZV
+PDimqQZSnAEvC6hWyrpZfWPXiKnFoUr+reS+zcBpslFy8CN0ybj2g5PmC38hxj16
+GTk5HFYrK8hi1iCw+nvu+s4A7BU58CxIu1Z4ieOUC8GpJj7TAA92Q+Jn8642gvkm
+n9mZJiAcjq+OYfTE199xuV5XhF+dOv6maRm4dX8m1+B5SCYhpoM47fY55xnWJcOY
+j/sK6JKpJypiMd5cyuzXTs1RiI6zujkwCTNRfh7FvR0WeywdBzMRYB8TFZs7pg+/
+ZCNoyookgMHEEVBoei+FGmAE0nSErqQTvIHhvIAL57xQ1sh5ArrrPnus5Se3xGhU
+xwSMVFyVtnww79zI26czK6Fup3DaxStozw2D2As3f2PYAoXstjfL/JIWIZSJflno
+oYj9noXzWNo7s6hG3NAUKllvq3Mb5m4eIZHQrLRWHY39Wij+6hyKj9kshLwQ6Lg9
+eDE8LLSbSNqgTuy9BfoS4OXIpYQl4aYLovqultTEjTe0iu2XKdc=
+=JUPU
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:04/tzdata-2025b.patch b/website/static/security/patches/EN-25:04/tzdata-2025b.patch
new file mode 100644
index 0000000000..fc854ac613
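Review bot: Sections II and III of FreeBSD-EN-25:08.caroot.asc describe only certificates that were added, yet the instructions use `patch -E` and remind freebsd-update users that it must be allowed to delete files, which suggests the update also removes certificates from the bundle. If roots were removed, the Impact section should say so, for example `Systems that are not updated continue to trust root certificates that have since been removed from the bundle.`, because that is the part an operator would prioritise. The patch contents are not part of this hunk, so the removal is inferred from the instructions rather than confirmed.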
--- /dev/null
+++ b/website/static/security/patches/EN-25:04/tzdata-2025b.patch
@@ -0,0 +1,274 @@ +--- contrib/tzdata/NEWS.orig ++++ contrib/tzdata/NEWS +@@ -1,15 +1,40 @@ + News for the tz database + ++Release 2025b - 2025-03-22 13:40:46 -0700 ++ ++ Briefly: ++ New zone for Aysén Region in Chile which moves from -04/-03 to -03. ++ ++ Changes to future timestamps ++ ++ Chile's Aysén Region moves from -04/-03 to -03 year-round, joining ++ Magallanes Region. The region will not change its clocks on ++ 2025-04-05 at 24:00, diverging from America/Santiago and creating a ++ new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model ++ this as a change to standard offset effective 2025-03-20. ++ ++ Changes to past timestamps ++ ++ Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at ++ year end. (Thanks to Roozbeh Pournader.) ++ ++ Changes to code ++ ++ 'zic -l TIMEZONE -d . -l /some/other/file/system' no longer ++ attempts to create an incorrect symlink, and no longer has a ++ read buffer underflow. (Problem reported by Evgeniy Gorbanev.) ++ ++ + Release 2025a - 2025-01-15 10:47:24 -0800 + + Briefly: +- Paraguay adopts permanent -03 starting spring 2024. ++ Paraguay adopted permanent -03 starting spring 2024. + Improve pre-1991 data for the Philippines. + Etc/Unknown is now reserved. + + Changes to future timestamps + +- Paraguay will stop changing its clocks after the spring-forward ++ Paraguay stopped changing its clocks after the spring-forward + transition on 2024-10-06, so it is now permanently at -03. + (Thanks to Heitor David Pinto and Even Scharning.) + This affects timestamps starting 2025-03-22, as well as the +--- contrib/tzdata/asia.orig ++++ contrib/tzdata/asia +@@ -1500,6 +1500,16 @@ + # (UIT No. 143 17.XI.1977) and not 23 September (UIT No. 141 13.IX.1977). + # UIT is the Operational Bulletin of International Telecommunication Union. + ++# From Roozbeh Pournader (2025-03-18): ++# ... the exact time of Iran's transition from +0400 to +0330 ... was Friday ++# 1357/8/19 AP=1978-11-10. 
Here's a newspaper clip from the Ettela'at ++# newspaper, dated 1357/8/14 AP=1978-11-05, translated from Persian ++# (at https://w.wiki/DUEY): ++# Following the government's decision about returning the official time ++# to the previous status, the spokesperson for the Ministry of Energy ++# announced today: At the hour 24 of Friday 19th of Aban (=1978-11-10), ++# the country's time will be pulled back half an hour. ++# + # From Roozbeh Pournader (2003-03-15): + # This is an English translation of what I just found (originally in Persian). + # The Gregorian dates in brackets are mine: +@@ -1627,7 +1637,7 @@ + Zone Asia/Tehran 3:25:44 - LMT 1916 + 3:25:44 - TMT 1935 Jun 13 # Tehran Mean Time + 3:30 Iran %z 1977 Oct 20 24:00 +- 4:00 Iran %z 1979 ++ 4:00 Iran %z 1978 Nov 10 24:00 + 3:30 Iran %z + + +--- contrib/tzdata/northamerica.orig ++++ contrib/tzdata/northamerica +@@ -1611,6 +1611,15 @@ + # For more on Orillia, see: Daubs K. Bold attempt at daylight saving + # time became a comic failure in Orillia. Toronto Star 2017-07-08. + # https://www.thestar.com/news/insight/2017/07/08/bold-attempt-at-daylight-saving-time-became-a-comic-failure-in-orillia.html ++# From Paul Eggert (2025-03-20): ++# Also see the 1912-06-17 front page of The Evening Sunbeam, ++# reproduced in: Richardson M. "Daylight saving was a confusing ++# time in Orillia" in the 2025-03-15 Orillia Matters. Richardson writes, ++# "The first Sunday after the switch was made, [DST proponent and ++# Orillia mayor William Sword] Frost walked into church an hour late. ++# This became a symbol of the downfall of daylight saving in Orillia." ++# The mayor became known as "Daylight Bill". ++# https://www.orilliamatters.com/local-news/column-daylight-saving-was-a-confusing-time-in-orillia-10377529 + + # From Mark Brader (2010-03-06): + # +--- contrib/tzdata/southamerica.orig ++++ contrib/tzdata/southamerica +@@ -1246,35 +1246,45 @@ + # dates to 2014. 
+ # DST End: last Saturday of April 2014 (Sun 27 Apr 2014 03:00 UTC) + # DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC) +-# http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf ++# From Tim Parenti (2025-03-22): ++# Decreto 307 of 2014 of the Ministry of the Interior and Public Security, ++# promulgated 2014-01-30 and published 2014-02-19: ++# https://www.diariooficial.interior.gob.cl/media/2014/02/19/do-20140219.pdf#page=1 ++# https://www.bcn.cl/leychile/navegar?idNorma=1059557 + + # From Eduardo Romero Urra (2015-03-03): + # Today has been published officially that Chile will use the DST time + # permanently until March 25 of 2017 +-# http://www.diariooficial.interior.gob.cl/media/2015/03/03/1-large.jpg +-# +-# From Paul Eggert (2015-03-03): +-# For now, assume that the extension will persist indefinitely. ++# From Tim Parenti (2025-03-22): ++# Decreto 106 of 2015 of the Ministry of the Interior and Public Security, ++# promulgated 2015-01-27 and published 2015-03-03: ++# https://www.diariooficial.interior.gob.cl/media/2015/03/03/do-20150303.pdf#page=1 ++# https://www.bcn.cl/leychile/navegar?idNorma=1075157 + + # From Juan Correa (2016-03-18): +-# The decree regarding DST has been published in today's Official Gazette: +-# http://www.diariooficial.interior.gob.cl/versiones-anteriores/do/20160318/ +-# http://www.leychile.cl/Navegar?idNorma=1088502 ++# The decree regarding DST has been published in today's Official Gazette... + # It does consider the second Saturday of May and August as the dates + # for the transition; and it lists DST dates until 2019, but I think + # this scheme will stick. +-# + # From Paul Eggert (2016-03-18): +-# For now, assume the pattern holds for the indefinite future. + # The decree says transitions occur at 24:00; in practice this appears + # to mean 24:00 mainland time, not 24:00 local time, so that Easter + # Island is always two hours behind the mainland. 
++# From Tim Parenti (2025-03-22): ++# Decreto 253 of 2016 of the Ministry of the Interior and Public Security, ++# promulgated 2016-03-16 and published 2016-03-18. ++# https://www.diariooficial.interior.gob.cl/media/2016/03/18/do-20160318.pdf#page=1 ++# https://www.bcn.cl/leychile/navegar?idNorma=1088502 + + # From Juan Correa (2016-12-04): + # Magallanes region ... will keep DST (UTC -3) all year round.... + # http://www.soychile.cl/Santiago/Sociedad/2016/12/04/433428/Bachelet-firmo-el-decreto-para-establecer-un-horario-unico-para-la-Region-de-Magallanes.aspx +-# From Deborah Goldsmith (2017-01-19): +-# http://www.diariooficial.interior.gob.cl/publicaciones/2017/01/17/41660/01/1169626.pdf ++# From Tim Parenti (2025-03-22), via Deborah Goldsmith (2017-01-19): ++# Decreto 1820 of 2016 of the Ministry of the Interior and Public Security, ++# promulgated 2016-12-02 and published 2017-01-17: ++# https://www.diariooficial.interior.gob.cl/publicaciones/2017/01/17/41660/01/1169626.pdf ++# https://www.bcn.cl/leychile/Navegar?idNorma=1099217 ++# Model this as a change to standard offset effective 2016-12-04. + + # From Juan Correa (2018-08-13): + # As of moments ago, the Ministry of Energy in Chile has announced the new +@@ -1293,13 +1303,20 @@ + # https://twitter.com/MinEnergia/status/1029009354001973248 + # "We will keep the new time policy unchanged for at least the next 4 years." + # So we extend the new rules on Saturdays at 24:00 mainland time indefinitely. 
+-# From Juan Correa (2019-02-04): +-# http://www.diariooficial.interior.gob.cl/publicaciones/2018/11/23/42212/01/1498738.pdf ++# From Tim Parenti (2025-03-22), via Juan Correa (2019-02-04): ++# Decreto 1286 of 2018 of the Ministry of the Interior and Public Security, ++# promulgated 2018-09-21 and published 2018-11-23: ++# https://www.diariooficial.interior.gob.cl/publicaciones/2018/11/23/42212/01/1498738.pdf ++# https://www.bcn.cl/leychile/Navegar?idNorma=1125760 + + # From Juan Correa (2022-04-02): + # I found there was a decree published last Thursday that will keep +-# Magallanes region to UTC -3 "indefinitely". The decree is available at ++# Magallanes region to UTC -3 "indefinitely". ++# From Tim Parenti (2025-03-22): ++# Decreto 143 of 2022 of the Ministry of the Interior and Public Security, ++# promulgated 2022-03-29 and published 2022-03-31: + # https://www.diariooficial.interior.gob.cl/publicaciones/2022/03/31/43217-B/01/2108910.pdf ++# https://www.bcn.cl/leychile/Navegar?idNorma=1174342 + + # From Juan Correa (2022-08-09): + # the Internal Affairs Ministry (Ministerio del Interior) informed DST +@@ -1308,13 +1325,36 @@ + # will keep UTC -3 "indefinitely"... This is because on September 4th + # we will have a voting whether to approve a new Constitution. + # +-# From Eduardo Romero Urra (2022-08-17): ++# From Tim Parenti (2025-03-22), via Eduardo Romero Urra (2022-08-17): ++# Decreto 224 of 2022 of the Ministry of the Interior and Public Security, ++# promulgated 2022-07-14 and published 2022-08-13: + # https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf ++# https://www.bcn.cl/leychile/navegar?idNorma=1179983 + # + # From Paul Eggert (2022-08-17): + # Although the presidential decree stops at fall 2026, assume that + # similar DST rules will continue thereafter. 
+ ++# From Paul Eggert (2025-01-15): ++# Diario Regional Aysén's Sebastián Martel reports that 94% of Aysén ++# citizens polled in November favored changing the rules from ++# -04/-03-with-DST to -03 all year... ++# https://www.diarioregionalaysen.cl/noticia/actualidad/2024/12/presentan-decision-que-gano-la-votacion-sobre-el-cambio-del-huso-horario-en-aysen ++# ++# From Yonathan Dossow (2025-03-20): ++# [T]oday we have more confirmation of the change. [Aysén] region will keep ++# UTC-3 all year... ++# https://www.cnnchile.com/pais/region-de-aysen-mantendra-horario-de-verano-todo-el-ano_20250320/ ++# https://www.latercera.com/nacional/noticia/tras-consulta-ciudadana-region-de-aysen-mantendra-el-horario-de-verano-durante-todo-el-ano/ ++# https://x.com/min_interior/status/1902692504270672098 ++# ++# From Tim Parenti (2025-03-22), via Eduardo Romero Urra (2025-03-20): ++# Decreto 93 of 2025 of the Ministry of the Interior and Public Security, ++# promulgated 2025-03-11 and published 2025-03-20: ++# https://www.diariooficial.interior.gob.cl/publicaciones/2025/03/20/44104/01/2624263.pdf ++# https://www.bcn.cl/leychile/Navegar?idNorma=1211955 ++# Model this as a change to standard offset effective 2025-03-20. 
++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - + Rule Chile 1928 1932 - Apr 1 0:00 0 - +@@ -1371,6 +1411,20 @@ + -5:00 1:00 %z 1947 Mar 31 24:00 + -5:00 - %z 1947 May 21 23:00 + -4:00 Chile %z ++Zone America/Coyhaique -4:48:16 - LMT 1890 ++ -4:42:45 - SMT 1910 Jan 10 ++ -5:00 - %z 1916 Jul 1 ++ -4:42:45 - SMT 1918 Sep 10 ++ -4:00 - %z 1919 Jul 1 ++ -4:42:45 - SMT 1927 Sep 1 ++ -5:00 Chile %z 1932 Sep 1 ++ -4:00 - %z 1942 Jun 1 ++ -5:00 - %z 1942 Aug 1 ++ -4:00 - %z 1946 Aug 28 24:00 ++ -5:00 1:00 %z 1947 Mar 31 24:00 ++ -5:00 - %z 1947 May 21 23:00 ++ -4:00 Chile %z 2025 Mar 20 ++ -3:00 - %z + Zone America/Punta_Arenas -4:43:40 - LMT 1890 + -4:42:45 - SMT 1910 Jan 10 + -5:00 - %z 1916 Jul 1 +--- contrib/tzdata/version.orig ++++ contrib/tzdata/version +@@ -1 +1 @@ +-2025a ++2025b +--- contrib/tzdata/zone.tab.orig ++++ contrib/tzdata/zone.tab +@@ -139,7 +139,8 @@ + CI +0519-00402 Africa/Abidjan + CK -2114-15946 Pacific/Rarotonga + CL -3327-07040 America/Santiago most of Chile +-CL -5309-07055 America/Punta_Arenas Region of Magallanes ++CL -4534-07204 America/Coyhaique Aysen Region ++CL -5309-07055 America/Punta_Arenas Magallanes Region + CL -2709-10926 Pacific/Easter Easter Island + CM +0403+00942 Africa/Douala + CN +3114+12128 Asia/Shanghai Beijing Time +--- contrib/tzdata/zone1970.tab.orig ++++ contrib/tzdata/zone1970.tab +@@ -125,7 +125,8 @@ + CI,BF,GH,GM,GN,IS,ML,MR,SH,SL,SN,TG +0519-00402 Africa/Abidjan + CK -2114-15946 Pacific/Rarotonga + CL -3327-07040 America/Santiago most of Chile +-CL -5309-07055 America/Punta_Arenas Region of Magallanes ++CL -4534-07204 America/Coyhaique Aysén Region ++CL -5309-07055 America/Punta_Arenas Magallanes Region + CL -2709-10926 Pacific/Easter Easter Island + CN +3114+12128 Asia/Shanghai Beijing Time + CN +4348+08735 Asia/Urumqi Xinjiang Time +--- contrib/tzdata/zonenow.tab.orig ++++ contrib/tzdata/zonenow.tab +@@ -104,7 +104,7 @@ + XX +4734-05243 America/St_Johns Newfoundland 
("NST/NDT") + # + # -03 +-XX -2332-04637 America/Sao_Paulo eastern South America ++XX -2332-04637 America/Sao_Paulo eastern and southern South America + # + # -03/-02 (North America DST) + XX +4703-05620 America/Miquelon St Pierre & Miquelon diff --git a/website/static/security/patches/EN-25:04/tzdata-2025b.patch.asc b/website/static/security/patches/EN-25:04/tzdata-2025b.patch.asc new file mode 100644 index 0000000000..9bf82f6a6c --- /dev/null +++ b/website/static/security/patches/EN-25:04/tzdata-2025b.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DQACgkQbljekB8A +Gu+J/A//VSf0jxzYzBKxFVW9ZkkHWpth3Aq6ai4cA6Gg4ZutD9YvRqWMING0YSZF +7ZQ/BFMUa1Zw3lPn1wnWtjZsHecVCnEhrZ+RuQSQlE0ihKbAQWL/Fo6SpK4RKlBO +OiVXQDOAkdoYc//4GAbTCpuMezKo7BsCAVrzWGPkb41IDN4ApMJ+IScun5RlpcIY +nthBMtAIn+UmChLQFd5yrmlYP91hfDn5rNWM/c0cNPqDSZjI1yd1Je7TGnDXjFTs +RTmty/OTrxzHM+aihNtAB9M6Lrcy+Zyb82nfcWlEdkdLY/yYMFKKH2bR/fzFpSqm +wHMfdbiOaCMKJ3WFDFxeDHUMliymW3elx8xI/4lr7aNMjFnvesVH51CUnpCjO0Y/ +VQ6/tQqjrLIgvTwz3V3mqrOFLKAEFXj0C51ozU+BPGSqtG1ZBZqnD+hfFkweH/1k +4iY8jkpJu3tKVjnacUsCD8g7yviCIOMC4nopmY1oEAvuLvDNbhlhVUBzUPvF36vA +EGakCphUYTEHtS9OcaEJi4J6rYP4yObf2EOk2QpG2VcCRNjRVK7EMOmGU/NU/U9t +AoeGqWmxkt9zNiWg+Z3eAaS6AXjfVx+IzEvI+A+ZtZnfz00//lsPRhyPwgiciYmr +N7UMmOfL9byJk/GrOu2U/AV3ekTMYvx0UshZeONYNqyQsiBDTmM= +=qhg5 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch b/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch new file mode 100644 index 0000000000..0b3ffe9739 --- /dev/null +++ b/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch 
@@ -0,0 +1,5223 @@ +--- contrib/expat/COPYING.orig ++++ contrib/expat/COPYING +@@ -1,5 +1,5 @@ + Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper +-Copyright (c) 2001-2022 Expat maintainers ++Copyright (c) 2001-2025 Expat maintainers + + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the +--- contrib/expat/Changes.orig ++++ contrib/expat/Changes +@@ -1,6 +1,286 @@ +-NOTE: We are looking for help with a few things: +- https://github.com/libexpat/libexpat/labels/help%20wanted +- If you can help, please get in touch. Thanks! ++ __ __ _ ++ ___\ \/ /_ __ __ _| |_ ++ / _ \\ /| '_ \ / _` | __| ++ | __// \| |_) | (_| | |_ ++ \___/_/\_\ .__/ \__,_|\__| ++ |_| XML parser ++ ++!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ++!! Expat is UNDERSTAFFED and WITHOUT FUNDING. !! ++!! ~~~~~~~~~~~~ !! ++!! The following topics need *additional skilled C developers* to progress !! ++!! in a timely manner or at all (loosely ordered by descending priority): !! ++!! !! ++!! - teaming up on researching and fixing future security reports and !! ++!! ClusterFuzz findings with few-days-max response times in communication !! ++!! in order to (1) have a sound fix ready before the end of a 90 days !! ++!! grace period and (2) in a sustainable manner, !! ++!! - helping CPython Expat bindings with supporting Expat's billion laughs !! ++!! attack protection API (https://github.com/python/cpython/issues/90949): !! ++!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! ++!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! ++!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !! ++!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !! ++!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! ++!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! ++!! 
- XML_SetReparseDeferralEnabled !! ++!! - implementing and auto-testing XML 1.0r5 support !! ++!! (needs discussion before pull requests), !! ++!! - smart ideas on fixing the Autotools CMake files generation issue !! ++!! without breaking CI (needs discussion before pull requests), !! ++!! - pushing migration from `int` to `size_t` further !! ++!! including edge-cases test coverage (needs discussion before anything). !! ++!! !! ++!! For details, please reach out via e-mail to sebastian@pipping.org so we !! ++!! can schedule a voice call on the topic, in English or German. !! ++!! !! ++!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! ++!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ++ ++Release 2.7.1 Thu March 27 2025 ++ Bug fixes: ++ #980 #989 Restore event pointer behavior from Expat 2.6.4 ++ (that the fix to CVE-2024-8176 changed in 2.7.0); ++ affected API functions are: ++ - XML_GetCurrentByteCount ++ - XML_GetCurrentByteIndex ++ - XML_GetCurrentColumnNumber ++ - XML_GetCurrentLineNumber ++ - XML_GetInputContext ++ ++ Other changes: ++ #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" ++ with Automake that were missing from 2.7.0 release tarballs ++ #983 #984 Fix printf format specifiers for 32bit Emscripten ++ #992 docs: Promote OpenSSF Best Practices self-certification ++ #978 tests/benchmark: Resolve mistaken double close ++ #986 Address compiler warnings ++ #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) ++ to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #982 CI: Start running Perl XML::Parser integration tests ++ #987 CI: Enforce Clang Static Analyzer clean code ++ #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized ++ for clang-tidy ++ #981 CI: Cover compilation with musl ++ #983 #984 CI: Cover compilation with 32bit Emscripten ++ #976 #977 CI: Protect against fuzzer files missing from future ++ release 
archives ++ ++ Special thanks to: ++ Berkay Eren Ürün ++ Matthew Fernandez ++ and ++ Perl XML::Parser ++ ++Release 2.7.0 Thu March 13 2025 ++ Security fixes: ++ #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number ++ of entities caused by stack overflow by resolving use of ++ recursion, for all three uses of entities: ++ - general entities in character data ("&g1;") ++ - general entities in attribute values ("") ++ - parameter entities ("%p1;") ++ Known impact is (reliable and easy) denial of service: ++ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C ++ (Base Score: 7.5, Temporal Score: 7.2) ++ Please note that a layer of compression around XML can ++ significantly reduce the minimum attack payload size. ++ ++ Other changes: ++ #935 #937 Autotools: Make generated CMake files look for ++ libexpat.@SO_MAJOR@.dylib on macOS ++ #925 Autotools: Sync CMake templates with CMake 3.29 ++ #945 #962 #966 CMake: Drop support for CMake <3.13 ++ #942 CMake: Small fuzzing related improvements ++ #921 docs: Add missing documentation of error code ++ XML_ERROR_NOT_STARTED that was introduced with 2.6.4 ++ #941 docs: Document need for C++11 compiler for use from C++ ++ #959 tests/benchmark: Fix a (harmless) TOCTTOU ++ #944 Windows: Fix installer target location of file xmlwf.xml ++ for CMake ++ #953 Windows: Address warning -Wunknown-warning-option ++ about -Wno-pedantic-ms-format from LLVM MinGW ++ #971 Address Cppcheck warnings ++ #969 #970 Mass-migrate links from http:// to https:// ++ #947 #958 .. ++ #974 #975 Document changes since the previous release ++ #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) ++ to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #926 tests: Increase robustness ++ #927 #932 .. ++ #930 #933 tests: Increase test coverage ++ #617 #950 .. ++ #951 #952 .. ++ #954 #955 .. 
Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on ++ #961 Google's libprotobuf-mutator ("LPM") ++ #957 Fuzzing|CI: Start producing fuzzing code coverage reports ++ #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh ++ #942 CI: Small fuzzing related improvements ++ #139 #203 .. ++ #791 #946 CI: Make GitHub Actions build using MSVC on Windows and ++ produce 32bit and 64bit Windows binaries ++ #956 CI: Get off of about-to-be-removed Ubuntu 20.04 ++ #960 #964 CI: Start uploading to Coverity Scan for static analysis ++ #972 CI: Stop loading DTD from the internet to address flaky CI ++ #971 CI: Adapt to breaking changes in Cppcheck ++ ++ Special thanks to: ++ Alexander Gieringer ++ Berkay Eren Ürün ++ Hanno Böck ++ Jann Horn ++ Mark Brand ++ Sebastian Andrzej Siewior ++ Snild Dolkow ++ Thomas Pröll ++ Tomas Korbar ++ valord577 ++ and ++ Google Project Zero ++ Linutronix ++ Red Hat ++ Siemens ++ ++Release 2.6.4 Wed November 6 2024 ++ Security fixes: ++ #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser ++ from a NULL pointer dereference by disallowing function ++ XML_StopParser to (stop or) suspend an unstarted parser. ++ A new error code XML_ERROR_NOT_STARTED was introduced to ++ properly communicate this situation. 
// CWE-476 CWE-754 ++ ++ Other changes: ++ #903 CMake: Add alias target "expat::expat" ++ #905 docs: Document use via CMake >=3.18 with FetchContent ++ and SOURCE_SUBDIR and its consequences ++ #902 tests: Reduce use of global parser instance ++ #904 tests: Resolve duplicate handler ++ #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) ++ #914 Fix signedness of format strings ++ #915 For use from C++, expat.h started requiring C++11 due to ++ use of C99 features ++ #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) ++ to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #907 CI: Upgrade Clang from 18 to 19 ++ #913 CI: Drop macos-12 and add macos-15 ++ #910 CI: Adapt to breaking changes in GitHub Actions ++ #898 Add missing entries to .gitignore ++ ++ Special thanks to: ++ Hanno Böck ++ José Eduardo Gutiérrez Conejo ++ José Ricardo Cardona Quesada ++ ++Release 2.6.3 Wed September 4 2024 ++ Security fixes: ++ #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with ++ len < 0 without noticing and then calling XML_GetBuffer ++ will have XML_ParseBuffer fail to recognize the problem ++ and XML_GetBuffer corrupt memory. ++ With the fix, XML_ParseBuffer now complains with error ++ XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse ++ has been doing since Expat 2.2.1, and now documented. ++ Impact is denial of service to potentially artitrary code ++ execution. ++ #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an ++ integer overflow for nDefaultAtts on 32-bit platforms ++ (where UINT_MAX equals SIZE_MAX). ++ Impact is denial of service to potentially artitrary code ++ execution. ++ #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can ++ have an integer overflow for m_groupSize on 32-bit ++ platforms (where UINT_MAX equals SIZE_MAX). ++ Impact is denial of service to potentially artitrary code ++ execution. 
++
++ Other changes:
++ #851 #879 Autotools: Sync CMake templates with CMake 3.28
++ #853 Autotools: Always provide path to find(1) for portability
++ #861 Autotools: Ensure that the m4 directory always exists.
++ #870 Autotools: Simplify handling of SIZEOF_VOID_P
++ #869 Autotools: Support non-GNU sed
++ #856 Autotools|CMake: Fix main() to main(void)
++ #865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
++ #863 Autotools|CMake: Stop requiring dos2unix
++ #854 #855 CMake: Fix check for symbols size_t and off_t
++ #864 docs|tests: Convert README to Markdown and update
++ #741 Windows: Drop support for Visual Studio <=15.0/2017
++ #886 Drop needless XML_DTD guards around is_param access
++ #885 Fix typo in a code comment
++ #894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
++ to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
++ for what these numbers do
++
++ Infrastructure:
++ #880 Readme: Promote the call for help
++ #868 CI: Fix various issues
++ #849 CI: Allow triggering GitHub Actions workflows manually
++ #851 #872 ..
++ #873 #879 CI: Adapt to breaking changes in GitHub Actions
++
++ Special thanks to:
++ Alexander Bluhm
++ Berkay Eren Ürün
++ Dag-Erling Smørgrav
++ Ferenc Géczi
++ TaiYou
++
++Release 2.6.2 Wed March 13 2024
++ Security fixes:
++ #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
++ isolated use of external parsers. Please see the commit
++ message of commit 1d50b80cf31de87750103656f6eb693746854aa8
++ for details.
++ ++ Bug fixes: ++ #839 #841 Reject direct parameter entity recursion ++ and avoid the related undefined behavior ++ ++ Other changes: ++ #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces ++ #837 Add missing #821 and #824 to 2.6.1 change log ++ #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) ++ to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ ++ for what these numbers do ++ ++ Special thanks to: ++ Philippe Antoine ++ Tomas Korbar ++ and ++ Clang UndefinedBehaviorSanitizer ++ OSS-Fuzz / ClusterFuzz ++ ++Release 2.6.1 Thu February 29 2024 ++ Bug fixes: ++ #817 Make tests independent of CPU speed, and thus more robust ++ #828 #836 Expose billion laughs API with XML_DTD defined and ++ XML_GE undefined, regression from 2.6.0 ++ ++ Other changes: ++ #829 Hide test-only code behind new internal macro ++ #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P ++ #821 #824 Autotools: Fix "make clean" for case: ++ ./configure --without-docbook && make clean all ++ #819 Address compiler warnings ++ #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) ++ to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #818 CI: Adapt to breaking changes in clang-format ++ ++ Special thanks to: ++ David Hall ++ Snild Dolkow + + Release 2.6.0 Tue February 6 2024 + Security fixes: +--- contrib/expat/FREEBSD-Xlist.orig ++++ contrib/expat/FREEBSD-Xlist +@@ -1,4 +1,3 @@ +-# $FreeBSD$ + *.MPW + *.cmake + *.def +--- contrib/expat/Makefile.am.orig ++++ contrib/expat/Makefile.am +@@ -6,10 +6,12 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2025 Sebastian Pipping + # Copyright (c) 2018 KangLin + # Copyright (c) 2022 Johnny Jazeix + # Copyright (c) 2023 Sony Corporation / Snild Dolkow ++# Copyright (c) 2024 Alexander Bluhm ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # 
Permission is hereby granted, free of charge, to any person obtaining +@@ -94,6 +96,8 @@ + conftools/expat.m4 \ + conftools/get-version.sh \ + \ ++ fuzz/xml_lpm_fuzzer.cpp \ ++ fuzz/xml_lpm_fuzzer.proto \ + fuzz/xml_parsebuffer_fuzzer.c \ + fuzz/xml_parse_fuzzer.c \ + \ +@@ -114,10 +118,10 @@ + @echo 'ERROR: is no longer supported. INSTEAD please:' >&2 + @echo 'ERROR:' >&2 + @echo 'ERROR: * Mass-patch Makefile.am, e.g.' >&2 +- @echo 'ERROR: # find -name Makefile.am -exec sed \' >&2 ++ @echo 'ERROR: # find . -name Makefile.am -exec sed \' >&2 + @echo 'ERROR: -e "s,libexpat\.la,libexpatw.la," \' >&2 + @echo 'ERROR: -e "s,libexpat_la,libexpatw_la," \' >&2 +- @echo 'ERROR: -i {} +' >&2 ++ @echo 'ERROR: -i.bak {} +' >&2 + @echo 'ERROR:' >&2 + @echo 'ERROR: * Run automake to re-generate Makefile.in files' >&2 + @echo 'ERROR:' >&2 +--- contrib/expat/Makefile.in.orig ++++ contrib/expat/Makefile.in +@@ -22,10 +22,12 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2025 Sebastian Pipping + # Copyright (c) 2018 KangLin + # Copyright (c) 2022 Johnny Jazeix + # Copyright (c) 2023 Sony Corporation / Snild Dolkow ++# Copyright (c) 2024 Alexander Bluhm ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -384,6 +386,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -397,7 +400,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +@@ -492,6 +494,8 @@ + conftools/expat.m4 \ + conftools/get-version.sh \ + \ ++ fuzz/xml_lpm_fuzzer.cpp \ ++ fuzz/xml_lpm_fuzzer.proto \ + fuzz/xml_parsebuffer_fuzzer.c \ + 
fuzz/xml_parse_fuzzer.c \ + \ +@@ -1080,10 +1084,10 @@ + @echo 'ERROR: is no longer supported. INSTEAD please:' >&2 + @echo 'ERROR:' >&2 + @echo 'ERROR: * Mass-patch Makefile.am, e.g.' >&2 +- @echo 'ERROR: # find -name Makefile.am -exec sed \' >&2 ++ @echo 'ERROR: # find . -name Makefile.am -exec sed \' >&2 + @echo 'ERROR: -e "s,libexpat\.la,libexpatw.la," \' >&2 + @echo 'ERROR: -e "s,libexpat_la,libexpatw_la," \' >&2 +- @echo 'ERROR: -i {} +' >&2 ++ @echo 'ERROR: -i.bak {} +' >&2 + @echo 'ERROR:' >&2 + @echo 'ERROR: * Run automake to re-generate Makefile.in files' >&2 + @echo 'ERROR:' >&2 +--- contrib/expat/README.md.orig ++++ contrib/expat/README.md +@@ -3,9 +3,16 @@ + [![Packaging status](https://repology.org/badge/tiny-repos/expat.svg)](https://repology.org/metapackage/expat/versions) + [![Downloads SourceForge](https://img.shields.io/sourceforge/dt/expat?label=Downloads%20SourceForge)](https://sourceforge.net/projects/expat/files/) + [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) ++[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10205/badge)](https://www.bestpractices.dev/projects/10205) + ++> [!CAUTION] ++> ++> Expat is **understaffed** and without funding. ++> There is a [call for help with details](https://github.com/libexpat/libexpat/blob/master/expat/Changes) ++> at the top of the `Changes` file. + +-# Expat, Release 2.6.0 ++ ++# Expat, Release 2.7.1 + + This is Expat, a C99 library for parsing + [XML 1.0 Fourth Edition](https://www.w3.org/TR/2006/REC-xml-20060816/), started by +@@ -16,11 +23,11 @@ + document being parsed. A start tag is an example of the kind of + structures for which you may register handlers. 
+ +-Expat supports the following compilers: ++Expat supports the following C99 compilers: + +-- GNU GCC >=4.5 ++- GNU GCC >=4.5 (for use from C) or GNU GCC >=4.8.1 (for use from C++) + - LLVM Clang >=3.5 +-- Microsoft Visual Studio >=15.0/2017 (rolling `${today} minus 5 years`) ++- Microsoft Visual Studio >=16.0/2019 (rolling `${today} minus 5 years`) + + Windows users can use the + [`expat-win32bin-*.*.*.{exe,zip}` download](https://github.com/libexpat/libexpat/releases), +@@ -37,16 +44,16 @@ + + ## Using libexpat in your CMake-Based Project + +-There are two ways of using libexpat with CMake: ++There are three documented ways of using libexpat with CMake: + +-### a) Module Mode ++### a) `find_package` with Module Mode + + This approach leverages CMake's own [module `FindEXPAT`](https://cmake.org/cmake/help/latest/module/FindEXPAT.html). + + Notice the *uppercase* `EXPAT` in the following example: + + ```cmake +-cmake_minimum_required(VERSION 3.0) # or 3.10, see below ++cmake_minimum_required(VERSION 3.10) + + project(hello VERSION 1.0.0) + +@@ -56,15 +63,10 @@ + hello.c + ) + +-# a) for CMake >=3.10 (see CMake's FindEXPAT docs) + target_link_libraries(hello PUBLIC EXPAT::EXPAT) +- +-# b) for CMake >=3.0 +-target_include_directories(hello PRIVATE ${EXPAT_INCLUDE_DIRS}) +-target_link_libraries(hello PUBLIC ${EXPAT_LIBRARIES}) + ``` + +-### b) Config Mode ++### b) `find_package` with Config Mode + + This approach requires files from… + +@@ -79,7 +81,7 @@ + Notice the *lowercase* `expat` in the following example: + + ```cmake +-cmake_minimum_required(VERSION 3.0) ++cmake_minimum_required(VERSION 3.10) + + project(hello VERSION 1.0.0) + +@@ -92,6 +94,45 @@ + target_link_libraries(hello PUBLIC expat::expat) + ``` + ++### c) The `FetchContent` module ++ ++This approach — as demonstrated below — requires CMake >=3.18 for both the ++[`FetchContent` module](https://cmake.org/cmake/help/latest/module/FetchContent.html) ++and its support for the `SOURCE_SUBDIR` option to be 
available. ++ ++Please note that: ++- Use of the `FetchContent` module with *non-release* SHA1s or `master` ++ of libexpat is neither advised nor considered officially supported. ++- Pinning to a specific commit is great for robust CI. ++- Pinning to a specific commit needs updating every time there is a new ++ release of libexpat — either manually or through automation —, ++ to not miss out on libexpat security updates. ++ ++For an example that pulls in libexpat via Git: ++ ++```cmake ++cmake_minimum_required(VERSION 3.18) ++ ++include(FetchContent) ++ ++project(hello VERSION 1.0.0) ++ ++FetchContent_Declare( ++ expat ++ GIT_REPOSITORY https://github.com/libexpat/libexpat/ ++ GIT_TAG 000000000_GIT_COMMIT_SHA1_HERE_000000000 # i.e. Git tag R_0_Y_Z ++ SOURCE_SUBDIR expat/ ++) ++ ++FetchContent_MakeAvailable(expat) ++ ++add_executable(hello ++ hello.c ++) ++ ++target_link_libraries(hello PUBLIC expat) ++``` ++ + + ## Building from a Git Clone + +@@ -158,10 +199,10 @@ + + 1. Mass-patch `Makefile.am` files to use `libexpatw.la` for a library name: +
+- `find -name Makefile.am -exec sed ++ `find . -name Makefile.am -exec sed + -e 's,libexpat\.la,libexpatw.la,' + -e 's,libexpat_la,libexpatw_la,' +- -i {} +` ++ -i.bak {} +` + + 1. Run `automake` to re-write `Makefile.in` files:
+ `automake` +@@ -250,7 +291,7 @@ + // Use /MT flag (static CRT) when compiling in MSVC + EXPAT_MSVC_STATIC_CRT:BOOL=OFF + +-// Build fuzzers via ossfuzz for the expat library ++// Build fuzzers via OSS-Fuzz for the expat library + EXPAT_OSSFUZZ_BUILD:BOOL=OFF + + // Build a shared expat library +--- contrib/expat/buildconf.sh.orig ++++ contrib/expat/buildconf.sh +@@ -8,6 +8,7 @@ + # + # Copyright (c) 2017-2022 Sebastian Pipping + # Copyright (c) 2018 Marco Maggi ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -31,25 +32,4 @@ + + set -e + +-# File expat_config.h.in (as generated by autoheader by autoreconf) contains +-# macro SIZEOF_VOID_P which is (1) not really needed by Expat as of today and +-# (2) a problem to "multilib" systems with one shared installed +-# /usr/include/expat_config.h for two Expats with different "void *" sizes +-# installed in e.g. /usr/lib32 and /usr/lib64. Hence we patch macro +-# SIZEOF_VOID_P out of template expat_config.h.in so that configure will +-# not put SIZEOF_VOID_P in the eventual expat_config.h. +-patch_expat_config_h_in() { +- local filename="$1" +- local sizeof_void_p_line_number="$(grep -F -n SIZEOF_VOID_P "${filename}" | awk -F: '{print $1}')" +- [[ ${sizeof_void_p_line_number} =~ ^[0-9]+$ ]] # cheap assert +- local first_line_to_delete=$(( sizeof_void_p_line_number - 1 )) +- local last_line_to_delete=$(( sizeof_void_p_line_number + 1 )) +- # Note: Avoiding "sed -i" only for macOS portability. 
+- local tempfile="$(mktemp)" +- sed "${first_line_to_delete},${last_line_to_delete}d" "${filename}" > "${tempfile}" +- mv "${tempfile}" "${filename}" +-} +- +-autoreconf --warnings=all --install --verbose "$@" +- +-patch_expat_config_h_in expat_config.h.in ++exec autoreconf --warnings=all --install --verbose "$@" +--- contrib/expat/configure.ac.orig ++++ contrib/expat/configure.ac +@@ -11,7 +11,7 @@ + dnl Copyright (c) 2000-2005 Fred L. Drake, Jr. + dnl Copyright (c) 2001-2003 Greg Stein + dnl Copyright (c) 2006-2012 Karl Waclawek +-dnl Copyright (c) 2016-2024 Sebastian Pipping ++dnl Copyright (c) 2016-2025 Sebastian Pipping + dnl Copyright (c) 2017 S. P. Zeidler + dnl Copyright (c) 2017 Stephen Groat + dnl Copyright (c) 2017-2020 Joe Orton +@@ -22,6 +22,8 @@ + dnl Copyright (c) 2019 Mohammed Khajapasha + dnl Copyright (c) 2019 Kishore Kunche + dnl Copyright (c) 2020 Jeffrey Walton ++dnl Copyright (c) 2024 Ferenc Géczi ++dnl Copyright (c) 2024 Dag-Erling Smørgrav + dnl Licensed under the MIT license: + dnl + dnl Permission is hereby granted, free of charge, to any person obtaining +@@ -82,9 +84,9 @@ + dnl If the API changes incompatibly set LIBAGE back to 0 + dnl + +-LIBCURRENT=10 # sync +-LIBREVISION=0 # with +-LIBAGE=9 # CMakeLists.txt! ++LIBCURRENT=11 # sync ++LIBREVISION=2 # with ++LIBAGE=10 # CMakeLists.txt! 
+ + AC_CONFIG_HEADERS([expat_config.h]) + AH_TOP([#ifndef EXPAT_CONFIG_H +@@ -160,7 +162,6 @@ + AC_DEFINE_UNQUOTED([BYTEORDER], $BYTEORDER, [1234 = LILENDIAN, 4321 = BIGENDIAN]) + + AC_C_CONST +-AC_TYPE_SIZE_T + + AC_ARG_WITH([xmlwf], + [AS_HELP_STRING([--without-xmlwf], [do not build xmlwf])], +@@ -215,7 +216,7 @@ + #else + # include /* for arc4random_buf on BSD */ + #endif +- int main() { ++ int main(void) { + char dummy[[123]]; // double brackets for m4 + arc4random_buf(dummy, 0U); + return 0; +@@ -232,7 +233,7 @@ + #else + # include + #endif +- int main() { ++ int main(void) { + arc4random(); + return 0; + } +@@ -254,7 +255,7 @@ + AC_LINK_IFELSE([AC_LANG_SOURCE([ + #include /* for NULL */ + #include +- int main() { ++ int main(void) { + return getrandom(NULL, 0U, 0U); + } + ])], +@@ -275,10 +276,11 @@ + AS_IF([test "x$with_sys_getrandom" != xno], + [AC_MSG_CHECKING([for syscall SYS_getrandom (Linux 3.17+)]) + AC_LINK_IFELSE([AC_LANG_SOURCE([ ++ #define _GNU_SOURCE + #include /* for NULL */ + #include /* for syscall */ + #include /* for SYS_getrandom */ +- int main() { ++ int main(void) { + syscall(SYS_getrandom, NULL, 0, 0); + return 0; + } +@@ -357,11 +359,22 @@ + page for xmlwf.])])]) + + dnl This will make sure that a release tarball shipping a pre-rendered xmlwf man page will +-dnl get it installed, independent of whether some flavor of docbook2man is available. ++dnl get it installed, when no working flavor of docbook2man is available (or wanted). + dnl This relies on file xmlwf.1 being at least as recent as its source file xmlwf.xml. 
+ AS_IF([test -f "${srcdir}"/doc/xmlwf.1], +- [AM_CONDITIONAL(WITH_DOCBOOK, [true])], +- [AM_CONDITIONAL(WITH_DOCBOOK, [test "x${DOCBOOK_TO_MAN}" != x])]) ++ [AM_CONDITIONAL(WITH_MANPAGE, [true]) ++ AS_IF([test "x$with_docbook" = xno -o "x${DOCBOOK_TO_MAN}" = x], ++ [AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [true]) ++ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [false])], ++ [AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [false]) ++ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [true])]) ++ ], ++ [AS_IF([test "x$with_docbook" != xno -a "x${DOCBOOK_TO_MAN}" != x], ++ [AM_CONDITIONAL(WITH_MANPAGE, [true]) ++ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [true])], ++ [AM_CONDITIONAL(WITH_MANPAGE, [false]) ++ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [false])]) ++ AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [false])]) + + dnl Configure CMake file templates + dnl NOTE: The *_TRUE variables read here are Automake conditionals +@@ -392,7 +405,6 @@ + SO_MAJOR="$(expr "${LIBCURRENT}" - "${LIBAGE}")" + SO_MINOR="${LIBAGE}" + SO_PATCH="${LIBREVISION}" +-AC_CHECK_SIZEOF([void *]) # sets ac_cv_sizeof_void_p + AC_SUBST([EXPAT_ATTR_INFO]) + AC_SUBST([EXPAT_DTD]) + AC_SUBST([EXPAT_LARGE_SIZE]) +@@ -405,8 +417,13 @@ + AC_SUBST([SO_MAJOR]) + AC_SUBST([SO_MINOR]) + AC_SUBST([SO_PATCH]) +-AC_SUBST([ac_cv_sizeof_void_p]) + ++dnl The canonical way of doing this is AC_CHECK_SIZEOF(void *), but ++dnl that adds SIZEOF_VOID_P to expat_config.h.in, making it difficult ++dnl to have 32-bit and 64-bit versions of libexpat installed on the ++dnl same system with a single, shared copy of the header. 
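Review bot: The two new `AS_IF` tests in configure.ac's man-page block (hunk `@@ -357,11 +359,22 @@`) combine conditions with `test … -o …` and `test … -a …`, which the Autoconf manual lists as non-portable across shells. Chaining two `test` calls avoids that: `test "x$with_docbook" = xno || test "x${DOCBOOK_TO_MAN}" = x` for the first and `test "x$with_docbook" != xno && test "x${DOCBOOK_TO_MAN}" != x` for the second. A one-line `dnl` comment stating that each of the three conditionals is set exactly once on every path would also help, because Automake needs every `AM_CONDITIONAL` to run on each configure invocation and that invariant is easy to break when a branch is added later.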
++AC_COMPUTE_INT(SIZEOF_VOID_P, [sizeof(void *)]) ++AC_SUBST([SIZEOF_VOID_P]) + + dnl write the Automake flags we set + AC_SUBST([AM_CPPFLAGS]) +--- contrib/expat/doc/Makefile.am.orig ++++ contrib/expat/doc/Makefile.am +@@ -6,9 +6,10 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2022 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017 Stephen Groat + # Copyright (c) 2017 Joe Orton ++# Copyright (c) 2024 Tomas Korbar + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -32,26 +33,24 @@ + + .PHONY: dist-hook # not inside conditional to avoid automake warning + +-if WITH_DOCBOOK ++if WITH_MANPAGE + dist_man_MANS = xmlwf.1 + + xmlwf.1: xmlwf.xml + -rm -f $@ +- $(DOCBOOK_TO_MAN) $< ++ test "x$(DOCBOOK_TO_MAN)" != x && $(DOCBOOK_TO_MAN) $< + test -f $@ || mv XMLWF.1 $@ +-else ++endif ++ ++if !WITH_DISTRIBUTABLE_MANPAGE + dist-hook: + @echo 'ERROR: Configure with --with-docbook for "make dist".' 
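Review bot: `AC_COMPUTE_INT(SIZEOF_VOID_P, [sizeof(void *)])` in configure.ac (hunk `@@ -405,8 +417,13 @@`) passes no action-if-fails argument, so a failed computation would presumably leave `SIZEOF_VOID_P` empty and `AC_SUBST` would then write that empty value into the generated files without any diagnostic. Failing loudly is safer: `AC_COMPUTE_INT([SIZEOF_VOID_P], [sizeof(void *)], [], [AC_MSG_ERROR([cannot determine sizeof(void *)])])`. Where the substituted value is consumed is not visible in this hunk, so the impact of an empty value should be confirmed against the templates.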
1>&2 + @false + endif + +-# https://www.gnu.org/software/automake/manual/automake.html#What-Gets-Cleaned +-.PHONY: clean-local +-clean-local: clean-local-check +- +-.PHONY: clean-local-check +-clean-local-check: +- $(RM) xmlwf.1 ++if !WITH_PREBUILT_MANPAGE ++CLEANFILES = xmlwf.1 ++endif + + EXTRA_DIST = \ + ok.min.css \ +--- contrib/expat/doc/Makefile.in.orig ++++ contrib/expat/doc/Makefile.in +@@ -22,9 +22,10 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2022 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017 Stephen Groat + # Copyright (c) 2017 Joe Orton ++# Copyright (c) 2024 Tomas Korbar + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -285,6 +286,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -298,7 +300,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +@@ -345,7 +346,8 @@ + top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ +-@WITH_DOCBOOK_TRUE@dist_man_MANS = xmlwf.1 ++@WITH_MANPAGE_TRUE@dist_man_MANS = xmlwf.1 ++@WITH_PREBUILT_MANPAGE_FALSE@CLEANFILES = xmlwf.1 + EXTRA_DIST = \ + ok.min.css \ + reference.html \ +@@ -439,7 +441,7 @@ + + cscope cscopelist: + +-@WITH_DOCBOOK_TRUE@dist-hook: ++@WITH_DISTRIBUTABLE_MANPAGE_TRUE@dist-hook: + distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +@@ -505,6 +507,7 @@ + mostlyclean-generic: + + clean-generic: ++ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + + distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) +@@ -515,7 +518,7 @@ + @echo "it deletes files that may require special tools to 
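Review bot: In the `xmlwf.1: xmlwf.xml` recipe of doc/Makefile.am (hunk `@@ -32,26 +33,24 @@`), the new guard `test "x$(DOCBOOK_TO_MAN)" != x && …` runs after `-rm -f $@`, so when the rule fires without a converter the existing xmlwf.1 is deleted first and the recipe then fails. That case looks reachable whenever xmlwf.xml ends up newer than a pre-rendered xmlwf.1, which the configure.ac comment says the build relies on not happening. Checking before deleting keeps the shipped page intact: put `test "x$(DOCBOOK_TO_MAN)" != x` as the first recipe line, then `-rm -f $@`, then `$(DOCBOOK_TO_MAN) $<`.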
rebuild." + clean: clean-am + +-clean-am: clean-generic clean-libtool clean-local mostlyclean-am ++clean-am: clean-generic clean-libtool mostlyclean-am + + distclean: distclean-am + -rm -f Makefile +@@ -584,38 +587,31 @@ + .MAKE: install-am install-strip + + .PHONY: all all-am check check-am clean clean-generic clean-libtool \ +- clean-local cscopelist-am ctags-am dist-hook distclean \ +- distclean-generic distclean-libtool distdir dvi dvi-am html \ +- html-am info info-am install install-am install-data \ +- install-data-am install-dvi install-dvi-am install-exec \ +- install-exec-am install-html install-html-am install-info \ +- install-info-am install-man install-man1 install-pdf \ +- install-pdf-am install-ps install-ps-am install-strip \ +- installcheck installcheck-am installdirs maintainer-clean \ +- maintainer-clean-generic mostlyclean mostlyclean-generic \ +- mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ +- uninstall-am uninstall-man uninstall-man1 ++ cscopelist-am ctags-am dist-hook distclean distclean-generic \ ++ distclean-libtool distdir dvi dvi-am html html-am info info-am \ ++ install install-am install-data install-data-am install-dvi \ ++ install-dvi-am install-exec install-exec-am install-html \ ++ install-html-am install-info install-info-am install-man \ ++ install-man1 install-pdf install-pdf-am install-ps \ ++ install-ps-am install-strip installcheck installcheck-am \ ++ installdirs maintainer-clean maintainer-clean-generic \ ++ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ++ ps ps-am tags-am uninstall uninstall-am uninstall-man \ ++ uninstall-man1 + + .PRECIOUS: Makefile + + + .PHONY: dist-hook # not inside conditional to avoid automake warning + +-@WITH_DOCBOOK_TRUE@xmlwf.1: xmlwf.xml +-@WITH_DOCBOOK_TRUE@ -rm -f $@ +-@WITH_DOCBOOK_TRUE@ $(DOCBOOK_TO_MAN) $< +-@WITH_DOCBOOK_TRUE@ test -f $@ || mv XMLWF.1 $@ +-@WITH_DOCBOOK_FALSE@dist-hook: +-@WITH_DOCBOOK_FALSE@ @echo 'ERROR: Configure with --with-docbook 
for "make dist".' 1>&2 +-@WITH_DOCBOOK_FALSE@ @false +- +-# https://www.gnu.org/software/automake/manual/automake.html#What-Gets-Cleaned +-.PHONY: clean-local +-clean-local: clean-local-check +- +-.PHONY: clean-local-check +-clean-local-check: +- $(RM) xmlwf.1 ++@WITH_MANPAGE_TRUE@xmlwf.1: xmlwf.xml ++@WITH_MANPAGE_TRUE@ -rm -f $@ ++@WITH_MANPAGE_TRUE@ test "x$(DOCBOOK_TO_MAN)" != x && $(DOCBOOK_TO_MAN) $< ++@WITH_MANPAGE_TRUE@ test -f $@ || mv XMLWF.1 $@ ++ ++@WITH_DISTRIBUTABLE_MANPAGE_FALSE@dist-hook: ++@WITH_DISTRIBUTABLE_MANPAGE_FALSE@ @echo 'ERROR: Configure with --with-docbook for "make dist".' 1>&2 ++@WITH_DISTRIBUTABLE_MANPAGE_FALSE@ @false + + # Tell versions [3.59,3.63) of GNU make to not export all variables. + # Otherwise a system limit (for SysV at least) may be exceeded. +--- contrib/expat/doc/reference.html.orig ++++ contrib/expat/doc/reference.html +@@ -14,7 +14,7 @@ + Copyright (c) 2000 Clark Cooper + Copyright (c) 2000-2004 Fred L. Drake, Jr. + Copyright (c) 2002-2012 Karl Waclawek +- Copyright (c) 2017-2024 Sebastian Pipping ++ Copyright (c) 2017-2025 Sebastian Pipping + Copyright (c) 2017 Jakub Wilk + Copyright (c) 2021 Tomas Korbar + Copyright (c) 2021 Nicolas Cavallari +@@ -52,7 +52,7 @@ +
+

+ The Expat XML Parser +- Release 2.6.0 ++ Release 2.7.1 +

+
+
+@@ -319,7 +319,7 @@ + Developer Studio installed, + you can use CMake to generate a .sln file, e.g. + +-cmake -G"Visual Studio 15 2017" -DCMAKE_BUILD_TYPE=RelWithDebInfo . ++cmake -G"Visual Studio 16 2019" -DCMAKE_BUILD_TYPE=RelWithDebInfo . + , and build Expat using msbuild /m expat.sln after.

+ +

Alternatively, you may download the Win32 binary package that +@@ -356,10 +356,7 @@ +

Configuring Expat Using the Pre-Processor

+ +

Expat's feature set can be configured using a small number of +-pre-processor definitions. The definition of this symbols does not +-affect the set of entry points for Expat, only the behavior of the API +-and the definition of character types in the case of +-XML_UNICODE_WCHAR_T. The symbols are:

++pre-processor definitions. The symbols are:

+ +
+
XML_GE
+@@ -1138,7 +1135,9 @@ + that are part of the document is indicated by len. This means + that s doesn't have to be null-terminated. It also means that + if len is larger than the number of bytes in the block of +-memory that s points at, then a memory fault is likely. The ++memory that s points at, then a memory fault is likely. ++Negative values for len are rejected since Expat 2.2.1. ++The + isFinal parameter informs the parser that this is the last + piece of the document. Frequently, the last piece is empty (i.e. + len is zero.) +@@ -1186,11 +1185,17 @@ + int isFinal); + +
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer

+@@ -1262,6 +1267,11 @@ + XML_STATUS_ERROR otherwise. The possible error codes + are:

+
++
XML_ERROR_NOT_STARTED
++
++ when stopping or suspending a parser before it has started, ++ added in Expat 2.6.4. ++
+
XML_ERROR_SUSPENDED
+
when suspending an already suspended parser.
+
XML_ERROR_FINISHED
+--- contrib/expat/doc/xmlwf.1.orig ++++ contrib/expat/doc/xmlwf.1 +@@ -5,7 +5,7 @@ + \\$2 \(la\\$1\(ra\\$3 + .. + .if \n(.g .mso www.tmac +-.TH XMLWF 1 "February 6, 2024" "" "" ++.TH XMLWF 1 "March 27, 2025" "" "" + .SH NAME + xmlwf \- Determines if an XML document is well-formed + .SH SYNOPSIS +--- contrib/expat/doc/xmlwf.xml.orig ++++ contrib/expat/doc/xmlwf.xml +@@ -9,7 +9,7 @@ + Copyright (c) 2001 Scott Bronson + Copyright (c) 2002-2003 Fred L. Drake, Jr. + Copyright (c) 2009 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Ardo van Rangelrooij + Copyright (c) 2017 Rhodri James + Copyright (c) 2020 Joe Orton +@@ -21,7 +21,7 @@ + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + Scott"> + Bronson"> +- February 6, 2024"> ++ March 27, 2025"> + + 1"> + bronson@rinspin.com"> +--- contrib/expat/examples/Makefile.in.orig ++++ contrib/expat/examples/Makefile.in +@@ -313,6 +313,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -326,7 +327,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +--- contrib/expat/examples/element_declarations.c.orig ++++ contrib/expat/examples/element_declarations.c +@@ -15,6 +15,7 @@ + Copyright (c) 2016-2024 Sebastian Pipping + Copyright (c) 2017 Rhodri James + Copyright (c) 2019 Zhongyuan Zhou ++ Copyright (c) 2024 Hanno Böck + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -127,15 +128,15 @@ + } + + // Node +- printf("[%u] type=%s(%d), quant=%s(%d)", (unsigned)(model - root), +- contentTypeName(model->type), model->type, +- contentQuantName(model->quant), model->quant); ++ printf("[%u] 
type=%s(%u), quant=%s(%u)", (unsigned)(model - root), ++ contentTypeName(model->type), (unsigned int)model->type, ++ contentQuantName(model->quant), (unsigned int)model->quant); + if (model->name) { + printf(", name=\"%" XML_FMT_STR "\"", model->name); + } else { + printf(", name=NULL"); + } +- printf(", numchildren=%d", model->numchildren); ++ printf(", numchildren=%u", model->numchildren); + printf("\n"); + } + +--- contrib/expat/expat_config.h.in.orig ++++ contrib/expat/expat_config.h.in +@@ -139,7 +139,4 @@ + /* Define to `long int' if does not define. */ + #undef off_t + +-/* Define to `unsigned int' if does not define. */ +-#undef size_t +- + #endif // ndef EXPAT_CONFIG_H +--- contrib/expat/fix-xmltest-log.sh.orig ++++ contrib/expat/fix-xmltest-log.sh +@@ -7,6 +7,7 @@ + # |_| XML parser + # + # Copyright (c) 2019-2022 Sebastian Pipping ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -32,10 +33,10 @@ + + filename="${1:-tests/xmltest.log}" + +-dos2unix "${filename}" +- +-tempfile="$(mktemp)" +-sed \ ++sed -i.bak \ ++ -e '# convert DOS line endings to Unix without resorting to dos2unix' \ ++ -e $'s/\r//' \ ++ \ + -e 's/^wine: Call .* msvcrt\.dll\._wperror, aborting$/ibm49i02.dtd: No such file or directory/' \ + \ + -e '/^wine: /d' \ +@@ -46,5 +47,4 @@ + -e '/^wine client error:/d' \ + -e '/^In ibm\/invalid\/P49\/: Unhandled exception: unimplemented .\+/d' \ + \ +- "${filename}" > "${tempfile}" +-mv "${tempfile}" "${filename}" ++ "${filename}" +--- /dev/null ++++ contrib/expat/fuzz/xml_lpm_fuzzer.cpp +@@ -0,0 +1,464 @@ ++/* ++ __ __ _ ++ ___\ \/ /_ __ __ _| |_ ++ / _ \\ /| '_ \ / _` | __| ++ | __// \| |_) | (_| | |_ ++ \___/_/\_\ .__/ \__,_|\__| ++ |_| XML parser ++ ++ Copyright (c) 2022 Mark Brand ++ Copyright (c) 2025 Sebastian Pipping ++ Licensed under the MIT license: ++ ++ Permission is hereby granted, free of charge, to any person obtaining ++ a 
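Review bot: The switch to `sed -i.bak` in fix-xmltest-log.sh (hunks `@@ -32,10 +33,10 @@` and `@@ -46,5 +47,4 @@`) leaves `${filename}.bak` behind, and nothing in the visible lines removes it, whereas the old mktemp-and-mv sequence left no extra file. Adding `rm -f "${filename}.bak"` after the sed call restores that. The replacement for dos2unix, `-e $'s/\r//'`, is also unanchored, so it deletes the first carriage return anywhere on a line rather than only a trailing one; `-e $'s/\r$//'` matches line endings only. The script's interpreter line is outside the hunk, so whether `$'…'` quoting is available there should be confirmed.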
copy of this software and associated documentation files (the ++ "Software"), to deal in the Software without restriction, including ++ without limitation the rights to use, copy, modify, merge, publish, ++ distribute, sublicense, and/or sell copies of the Software, and to permit ++ persons to whom the Software is furnished to do so, subject to the ++ following conditions: ++ ++ The above copyright notice and this permission notice shall be included ++ in all copies or substantial portions of the Software. ++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN ++ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, ++ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR ++ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ++ USE OR OTHER DEALINGS IN THE SOFTWARE. ++*/ ++ ++#if defined(NDEBUG) ++# undef NDEBUG // because checks below rely on assert(...) 
++#endif ++ ++#include ++#include ++#include ++ ++#include "expat.h" ++#include "xml_lpm_fuzzer.pb.h" ++#include "src/libfuzzer/libfuzzer_macro.h" ++ ++static const char *g_encoding = nullptr; ++static const char *g_external_entity = nullptr; ++static size_t g_external_entity_size = 0; ++ ++void ++SetEncoding(const xml_lpm_fuzzer::Encoding &e) { ++ switch (e) { ++ case xml_lpm_fuzzer::Encoding::UTF8: ++ g_encoding = "UTF-8"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::UTF16: ++ g_encoding = "UTF-16"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::ISO88591: ++ g_encoding = "ISO-8859-1"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::ASCII: ++ g_encoding = "US-ASCII"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::NONE: ++ g_encoding = NULL; ++ break; ++ ++ default: ++ g_encoding = "UNKNOWN"; ++ break; ++ } ++} ++ ++static int g_allocation_count = 0; ++static std::vector g_fail_allocations = {}; ++ ++void * ++MallocHook(size_t size) { ++ g_allocation_count += 1; ++ for (auto index : g_fail_allocations) { ++ if (index == g_allocation_count) { ++ return NULL; ++ } ++ } ++ return malloc(size); ++} ++ ++void * ++ReallocHook(void *ptr, size_t size) { ++ g_allocation_count += 1; ++ for (auto index : g_fail_allocations) { ++ if (index == g_allocation_count) { ++ return NULL; ++ } ++ } ++ return realloc(ptr, size); ++} ++ ++void ++FreeHook(void *ptr) { ++ free(ptr); ++} ++ ++XML_Memory_Handling_Suite memory_handling_suite ++ = {MallocHook, ReallocHook, FreeHook}; ++ ++void InitializeParser(XML_Parser parser); ++ ++// We want a parse function that supports resumption, so that we can cover the ++// suspend/resume code. 
++enum XML_Status ++Parse(XML_Parser parser, const char *input, int input_len, int is_final) { ++ enum XML_Status status = XML_Parse(parser, input, input_len, is_final); ++ while (status == XML_STATUS_SUSPENDED) { ++ status = XML_ResumeParser(parser); ++ } ++ return status; ++} ++ ++// When the fuzzer is compiled with instrumentation such as ASan, then the ++// accesses in TouchString will fault if they access invalid memory (ie. detect ++// either a use-after-free or buffer-overflow). By calling TouchString in each ++// of the callbacks, we can check that the arguments meet the API specifications ++// in terms of length/null-termination. no_optimize is used to ensure that the ++// compiler has to emit actual memory reads, instead of removing them. ++static volatile size_t no_optimize = 0; ++static void ++TouchString(const XML_Char *ptr, int len = -1) { ++ if (! ptr) { ++ return; ++ } ++ ++ if (len == -1) { ++ for (XML_Char value = *ptr++; value; value = *ptr++) { ++ no_optimize += value; ++ } ++ } else { ++ for (int i = 0; i < len; ++i) { ++ no_optimize += ptr[i]; ++ } ++ } ++} ++ ++static void ++TouchNodeAndRecurse(XML_Content *content) { ++ switch (content->type) { ++ case XML_CTYPE_EMPTY: ++ case XML_CTYPE_ANY: ++ assert(content->quant == XML_CQUANT_NONE); ++ assert(content->name == NULL); ++ assert(content->numchildren == 0); ++ assert(content->children == NULL); ++ break; ++ ++ case XML_CTYPE_MIXED: ++ assert(content->quant == XML_CQUANT_NONE ++ || content->quant == XML_CQUANT_REP); ++ assert(content->name == NULL); ++ for (unsigned int i = 0; i < content->numchildren; ++i) { ++ assert(content->children[i].type == XML_CTYPE_NAME); ++ assert(content->children[i].quant == XML_CQUANT_NONE); ++ assert(content->children[i].numchildren == 0); ++ assert(content->children[i].children == NULL); ++ TouchString(content->children[i].name); ++ } ++ break; ++ ++ case XML_CTYPE_NAME: ++ assert((content->quant == XML_CQUANT_NONE) ++ || (content->quant == XML_CQUANT_OPT) ++ 
|| (content->quant == XML_CQUANT_REP) ++ || (content->quant == XML_CQUANT_PLUS)); ++ assert(content->numchildren == 0); ++ assert(content->children == NULL); ++ TouchString(content->name); ++ break; ++ ++ case XML_CTYPE_CHOICE: ++ case XML_CTYPE_SEQ: ++ assert((content->quant == XML_CQUANT_NONE) ++ || (content->quant == XML_CQUANT_OPT) ++ || (content->quant == XML_CQUANT_REP) ++ || (content->quant == XML_CQUANT_PLUS)); ++ assert(content->name == NULL); ++ for (unsigned int i = 0; i < content->numchildren; ++i) { ++ TouchNodeAndRecurse(&content->children[i]); ++ } ++ break; ++ ++ default: ++ assert(false); ++ } ++} ++ ++static void XMLCALL ++ElementDeclHandler(void *userData, const XML_Char *name, XML_Content *model) { ++ TouchString(name); ++ TouchNodeAndRecurse(model); ++ XML_FreeContentModel((XML_Parser)userData, model); ++} ++ ++static void XMLCALL ++AttlistDeclHandler(void *userData, const XML_Char *elname, ++ const XML_Char *attname, const XML_Char *atttype, ++ const XML_Char *dflt, int isrequired) { ++ (void)userData; ++ TouchString(elname); ++ TouchString(attname); ++ TouchString(atttype); ++ TouchString(dflt); ++ (void)isrequired; ++} ++ ++static void XMLCALL ++XmlDeclHandler(void *userData, const XML_Char *version, ++ const XML_Char *encoding, int standalone) { ++ (void)userData; ++ TouchString(version); ++ TouchString(encoding); ++ (void)standalone; ++} ++ ++static void XMLCALL ++StartElementHandler(void *userData, const XML_Char *name, ++ const XML_Char **atts) { ++ (void)userData; ++ TouchString(name); ++ for (size_t i = 0; atts[i] != NULL; ++i) { ++ TouchString(atts[i]); ++ } ++} ++ ++static void XMLCALL ++EndElementHandler(void *userData, const XML_Char *name) { ++ (void)userData; ++ TouchString(name); ++} ++ ++static void XMLCALL ++CharacterDataHandler(void *userData, const XML_Char *s, int len) { ++ (void)userData; ++ TouchString(s, len); ++} ++ ++static void XMLCALL ++ProcessingInstructionHandler(void *userData, const XML_Char *target, ++ const 
XML_Char *data) { ++ (void)userData; ++ TouchString(target); ++ TouchString(data); ++} ++ ++static void XMLCALL ++CommentHandler(void *userData, const XML_Char *data) { ++ TouchString(data); ++ // Use the comment handler to trigger parser suspend, so that we can get ++ // coverage of that code. ++ XML_StopParser((XML_Parser)userData, XML_TRUE); ++} ++ ++static void XMLCALL ++StartCdataSectionHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++EndCdataSectionHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++DefaultHandler(void *userData, const XML_Char *s, int len) { ++ (void)userData; ++ TouchString(s, len); ++} ++ ++static void XMLCALL ++StartDoctypeDeclHandler(void *userData, const XML_Char *doctypeName, ++ const XML_Char *sysid, const XML_Char *pubid, ++ int has_internal_subset) { ++ (void)userData; ++ TouchString(doctypeName); ++ TouchString(sysid); ++ TouchString(pubid); ++ (void)has_internal_subset; ++} ++ ++static void XMLCALL ++EndDoctypeDeclHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++EntityDeclHandler(void *userData, const XML_Char *entityName, ++ int is_parameter_entity, const XML_Char *value, ++ int value_length, const XML_Char *base, ++ const XML_Char *systemId, const XML_Char *publicId, ++ const XML_Char *notationName) { ++ (void)userData; ++ TouchString(entityName); ++ (void)is_parameter_entity; ++ TouchString(value, value_length); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++ TouchString(notationName); ++} ++ ++static void XMLCALL ++NotationDeclHandler(void *userData, const XML_Char *notationName, ++ const XML_Char *base, const XML_Char *systemId, ++ const XML_Char *publicId) { ++ (void)userData; ++ TouchString(notationName); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++} ++ ++static void XMLCALL ++StartNamespaceDeclHandler(void *userData, const XML_Char *prefix, ++ const XML_Char *uri) { ++ (void)userData; 
++ TouchString(prefix); ++ TouchString(uri); ++} ++ ++static void XMLCALL ++EndNamespaceDeclHandler(void *userData, const XML_Char *prefix) { ++ (void)userData; ++ TouchString(prefix); ++} ++ ++static int XMLCALL ++NotStandaloneHandler(void *userData) { ++ (void)userData; ++ return XML_STATUS_OK; ++} ++ ++static int XMLCALL ++ExternalEntityRefHandler(XML_Parser parser, const XML_Char *context, ++ const XML_Char *base, const XML_Char *systemId, ++ const XML_Char *publicId) { ++ int rc = XML_STATUS_ERROR; ++ TouchString(context); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++ ++ if (g_external_entity) { ++ XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, g_encoding); ++ rc = Parse(ext_parser, g_external_entity, g_external_entity_size, 1); ++ XML_ParserFree(ext_parser); ++ } ++ ++ return rc; ++} ++ ++static void XMLCALL ++SkippedEntityHandler(void *userData, const XML_Char *entityName, ++ int is_parameter_entity) { ++ (void)userData; ++ TouchString(entityName); ++ (void)is_parameter_entity; ++} ++ ++static int XMLCALL ++UnknownEncodingHandler(void *encodingHandlerData, const XML_Char *name, ++ XML_Encoding *info) { ++ (void)encodingHandlerData; ++ TouchString(name); ++ (void)info; ++ return XML_STATUS_ERROR; ++} ++ ++void ++InitializeParser(XML_Parser parser) { ++ XML_SetUserData(parser, (void *)parser); ++ XML_SetHashSalt(parser, 0x41414141); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ XML_SetElementDeclHandler(parser, ElementDeclHandler); ++ XML_SetAttlistDeclHandler(parser, AttlistDeclHandler); ++ XML_SetXmlDeclHandler(parser, XmlDeclHandler); ++ XML_SetElementHandler(parser, StartElementHandler, EndElementHandler); ++ XML_SetCharacterDataHandler(parser, CharacterDataHandler); ++ XML_SetProcessingInstructionHandler(parser, ProcessingInstructionHandler); ++ XML_SetCommentHandler(parser, CommentHandler); ++ XML_SetCdataSectionHandler(parser, StartCdataSectionHandler, ++ 
EndCdataSectionHandler); ++ // XML_SetDefaultHandler disables entity expansion ++ XML_SetDefaultHandlerExpand(parser, DefaultHandler); ++ XML_SetDoctypeDeclHandler(parser, StartDoctypeDeclHandler, ++ EndDoctypeDeclHandler); ++ // Note: This is mutually exclusive with XML_SetUnparsedEntityDeclHandler, ++ // and there isn't any significant code change between the two. ++ XML_SetEntityDeclHandler(parser, EntityDeclHandler); ++ XML_SetNotationDeclHandler(parser, NotationDeclHandler); ++ XML_SetNamespaceDeclHandler(parser, StartNamespaceDeclHandler, ++ EndNamespaceDeclHandler); ++ XML_SetNotStandaloneHandler(parser, NotStandaloneHandler); ++ XML_SetExternalEntityRefHandler(parser, ExternalEntityRefHandler); ++ XML_SetSkippedEntityHandler(parser, SkippedEntityHandler); ++ XML_SetUnknownEncodingHandler(parser, UnknownEncodingHandler, (void *)parser); ++} ++ ++DEFINE_TEXT_PROTO_FUZZER(const xml_lpm_fuzzer::Testcase &testcase) { ++ g_external_entity = nullptr; ++ ++ if (! testcase.actions_size()) { ++ return; ++ } ++ ++ g_allocation_count = 0; ++ g_fail_allocations.clear(); ++ for (int i = 0; i < testcase.fail_allocations_size(); ++i) { ++ g_fail_allocations.push_back(testcase.fail_allocations(i)); ++ } ++ ++ SetEncoding(testcase.encoding()); ++ XML_Parser parser ++ = XML_ParserCreate_MM(g_encoding, &memory_handling_suite, "|"); ++ InitializeParser(parser); ++ ++ for (int i = 0; i < testcase.actions_size(); ++i) { ++ const auto &action = testcase.actions(i); ++ switch (action.action_case()) { ++ case xml_lpm_fuzzer::Action::kChunk: ++ if (XML_STATUS_ERROR ++ == Parse(parser, action.chunk().data(), action.chunk().size(), 0)) { ++ // Force a reset after parse error. 
++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ } ++ break; ++ ++ case xml_lpm_fuzzer::Action::kLastChunk: ++ Parse(parser, action.last_chunk().data(), action.last_chunk().size(), 1); ++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ break; ++ ++ case xml_lpm_fuzzer::Action::kReset: ++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ break; ++ ++ case xml_lpm_fuzzer::Action::kExternalEntity: ++ g_external_entity = action.external_entity().data(); ++ g_external_entity_size = action.external_entity().size(); ++ break; ++ ++ default: ++ break; ++ } ++ } ++ ++ XML_ParserFree(parser); ++} +--- /dev/null ++++ contrib/expat/fuzz/xml_lpm_fuzzer.proto +@@ -0,0 +1,58 @@ ++/* ++ __ __ _ ++ ___\ \/ /_ __ __ _| |_ ++ / _ \\ /| '_ \ / _` | __| ++ | __// \| |_) | (_| | |_ ++ \___/_/\_\ .__/ \__,_|\__| ++ |_| XML parser ++ ++ Copyright (c) 2022 Mark Brand ++ Copyright (c) 2025 Sebastian Pipping ++ Licensed under the MIT license: ++ ++ Permission is hereby granted, free of charge, to any person obtaining ++ a copy of this software and associated documentation files (the ++ "Software"), to deal in the Software without restriction, including ++ without limitation the rights to use, copy, modify, merge, publish, ++ distribute, sublicense, and/or sell copies of the Software, and to permit ++ persons to whom the Software is furnished to do so, subject to the ++ following conditions: ++ ++ The above copyright notice and this permission notice shall be included ++ in all copies or substantial portions of the Software. ++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN ++ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, ++ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR ++ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ++ USE OR OTHER DEALINGS IN THE SOFTWARE. ++*/ ++ ++syntax = "proto2"; ++package xml_lpm_fuzzer; ++ ++enum Encoding { ++ UTF8 = 0; ++ UTF16 = 1; ++ ISO88591 = 2; ++ ASCII = 3; ++ UNKNOWN = 4; ++ NONE = 5; ++} ++ ++message Action { ++ oneof action { ++ string chunk = 1; ++ string last_chunk = 2; ++ bool reset = 3; ++ string external_entity = 4; ++ } ++} ++ ++message Testcase { ++ required Encoding encoding = 1; ++ repeated Action actions = 2; ++ repeated int32 fail_allocations = 3; ++} +--- contrib/expat/fuzz/xml_parse_fuzzer.c.orig ++++ contrib/expat/fuzz/xml_parse_fuzzer.c +@@ -5,7 +5,7 @@ + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * +- * http://www.apache.org/licenses/LICENSE-2.0 ++ * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, +--- contrib/expat/fuzz/xml_parsebuffer_fuzzer.c.orig ++++ contrib/expat/fuzz/xml_parsebuffer_fuzzer.c +@@ -5,7 +5,7 @@ + * you may not use this file except in compliance with the License. 
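Review bot: The `Testcase` message in xml_lpm_fuzzer.proto leaves `fail_allocations` undocumented, so its meaning can only be recovered from the harness. There, `MallocHook` and `ReallocHook` increment the shared `g_allocation_count` before comparing, which makes the values 1-based ordinals of allocator calls; zero or negative entries never match. I would add a comment above the field such as `// 1-based ordinals of allocator calls (malloc and realloc share one counter) that must return NULL`. The `bool reset = 3;` member could likewise note that only its presence in the oneof matters, since the harness's `kReset` case never reads the value.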
+ * You may obtain a copy of the License at + * +- * http://www.apache.org/licenses/LICENSE-2.0 ++ * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, +--- contrib/expat/lib/Makefile.am.orig ++++ contrib/expat/lib/Makefile.am +@@ -6,7 +6,7 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2022 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017 Tomasz Kłoczko + # Copyright (c) 2019 David Loffredo + # Licensed under the MIT license: +@@ -36,7 +36,9 @@ + expat_external.h + + lib_LTLIBRARIES = libexpat.la +-noinst_LTLIBRARIES = libexpatinternal.la ++if WITH_TESTS ++noinst_LTLIBRARIES = libtestpat.la ++endif + + libexpat_la_LDFLAGS = \ + @AM_LDFLAGS@ \ +@@ -44,17 +46,16 @@ + -no-undefined \ + -version-info @LIBCURRENT@:@LIBREVISION@:@LIBAGE@ + +-libexpat_la_SOURCES = +- +-# This layer of indirection allows +-# the test suite to access internal symbols +-# despite compiling with -fvisibility=hidden +-libexpatinternal_la_SOURCES = \ ++libexpat_la_SOURCES = \ + xmlparse.c \ + xmltok.c \ + xmlrole.c + +-libexpat_la_LIBADD = libexpatinternal.la ++if WITH_TESTS ++libtestpat_la_CPPFLAGS = -DXML_TESTING ++ ++libtestpat_la_SOURCES = $(libexpat_la_SOURCES) ++endif + + doc_DATA = \ + ../AUTHORS \ +--- contrib/expat/lib/Makefile.in.orig ++++ contrib/expat/lib/Makefile.in +@@ -22,7 +22,7 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2022 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017 Tomasz Kłoczko + # Copyright (c) 2019 David Loffredo + # Licensed under the MIT license: +@@ -176,8 +176,8 @@ + am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(docdir)" \ + "$(DESTDIR)$(includedir)" + LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) +-libexpat_la_DEPENDENCIES = libexpatinternal.la 
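Review bot: The Makefile.am hunk at `@@ -44,17 +46,16 @@` removes the comment that explained the old `libexpatinternal.la` indirection and adds nothing in its place, so the reason `libtestpat.la` recompiles the same three sources is left to the reader. A short comment above `libtestpat_la_CPPFLAGS = -DXML_TESTING` would help, e.g. `# Test-only rebuild of the library sources: XML_TESTING exposes mutable test hooks that the installed libexpat does not carry`. That matches the internal.h change in this patch, where `g_reparseDeferralEnabledDefault` is `const` and `g_bytesScanned` is absent unless `XML_TESTING` is defined. It would also be worth stating that `libtestpat.la` is `noinst` and, presumably, meant to be linked only into the test runners.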
+-am_libexpat_la_OBJECTS = ++libexpat_la_LIBADD = ++am_libexpat_la_OBJECTS = xmlparse.lo xmltok.lo xmlrole.lo + libexpat_la_OBJECTS = $(am_libexpat_la_OBJECTS) + AM_V_lt = $(am__v_lt_@AM_V@) + am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +@@ -186,9 +186,13 @@ + libexpat_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libexpat_la_LDFLAGS) $(LDFLAGS) -o $@ +-libexpatinternal_la_LIBADD = +-am_libexpatinternal_la_OBJECTS = xmlparse.lo xmltok.lo xmlrole.lo +-libexpatinternal_la_OBJECTS = $(am_libexpatinternal_la_OBJECTS) ++libtestpat_la_LIBADD = ++am__libtestpat_la_SOURCES_DIST = xmlparse.c xmltok.c xmlrole.c ++am__objects_1 = libtestpat_la-xmlparse.lo libtestpat_la-xmltok.lo \ ++ libtestpat_la-xmlrole.lo ++@WITH_TESTS_TRUE@am_libtestpat_la_OBJECTS = $(am__objects_1) ++libtestpat_la_OBJECTS = $(am_libtestpat_la_OBJECTS) ++@WITH_TESTS_TRUE@am_libtestpat_la_rpath = + AM_V_P = $(am__v_P_@AM_V@) + am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) + am__v_P_0 = false +@@ -204,8 +208,10 @@ + DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) + depcomp = $(SHELL) $(top_srcdir)/conftools/depcomp + am__maybe_remake_depfiles = depfiles +-am__depfiles_remade = ./$(DEPDIR)/xmlparse.Plo ./$(DEPDIR)/xmlrole.Plo \ +- ./$(DEPDIR)/xmltok.Plo ++am__depfiles_remade = ./$(DEPDIR)/libtestpat_la-xmlparse.Plo \ ++ ./$(DEPDIR)/libtestpat_la-xmlrole.Plo \ ++ ./$(DEPDIR)/libtestpat_la-xmltok.Plo ./$(DEPDIR)/xmlparse.Plo \ ++ ./$(DEPDIR)/xmlrole.Plo ./$(DEPDIR)/xmltok.Plo + am__mv = mv -f + COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +@@ -225,8 +231,9 @@ + am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) + am__v_CCLD_0 = @echo " CCLD " $@; + am__v_CCLD_1 = +-SOURCES = $(libexpat_la_SOURCES) $(libexpatinternal_la_SOURCES) +-DIST_SOURCES = $(libexpat_la_SOURCES) $(libexpatinternal_la_SOURCES) ++SOURCES = $(libexpat_la_SOURCES) $(libtestpat_la_SOURCES) ++DIST_SOURCES = 
$(libexpat_la_SOURCES) \ ++ $(am__libtestpat_la_SOURCES_DIST) + am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ +@@ -344,6 +351,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -357,7 +365,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +@@ -410,24 +417,20 @@ + expat_external.h + + lib_LTLIBRARIES = libexpat.la +-noinst_LTLIBRARIES = libexpatinternal.la ++@WITH_TESTS_TRUE@noinst_LTLIBRARIES = libtestpat.la + libexpat_la_LDFLAGS = \ + @AM_LDFLAGS@ \ + @LIBM@ \ + -no-undefined \ + -version-info @LIBCURRENT@:@LIBREVISION@:@LIBAGE@ + +-libexpat_la_SOURCES = +- +-# This layer of indirection allows +-# the test suite to access internal symbols +-# despite compiling with -fvisibility=hidden +-libexpatinternal_la_SOURCES = \ ++libexpat_la_SOURCES = \ + xmlparse.c \ + xmltok.c \ + xmlrole.c + +-libexpat_la_LIBADD = libexpatinternal.la ++@WITH_TESTS_TRUE@libtestpat_la_CPPFLAGS = -DXML_TESTING ++@WITH_TESTS_TRUE@libtestpat_la_SOURCES = $(libexpat_la_SOURCES) + doc_DATA = \ + ../AUTHORS \ + ../Changes +@@ -534,8 +537,8 @@ + libexpat.la: $(libexpat_la_OBJECTS) $(libexpat_la_DEPENDENCIES) $(EXTRA_libexpat_la_DEPENDENCIES) + $(AM_V_CCLD)$(libexpat_la_LINK) -rpath $(libdir) $(libexpat_la_OBJECTS) $(libexpat_la_LIBADD) $(LIBS) + +-libexpatinternal.la: $(libexpatinternal_la_OBJECTS) $(libexpatinternal_la_DEPENDENCIES) $(EXTRA_libexpatinternal_la_DEPENDENCIES) +- $(AM_V_CCLD)$(LINK) $(libexpatinternal_la_OBJECTS) $(libexpatinternal_la_LIBADD) $(LIBS) ++libtestpat.la: $(libtestpat_la_OBJECTS) $(libtestpat_la_DEPENDENCIES) $(EXTRA_libtestpat_la_DEPENDENCIES) ++ $(AM_V_CCLD)$(LINK) $(am_libtestpat_la_rpath) $(libtestpat_la_OBJECTS) $(libtestpat_la_LIBADD) 
$(LIBS) + + mostlyclean-compile: + -rm -f *.$(OBJEXT) +@@ -543,6 +546,9 @@ + distclean-compile: + -rm -f *.tab.c + ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmlparse.Plo@am__quote@ # am--include-marker ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmlrole.Plo@am__quote@ # am--include-marker ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libtestpat_la-xmltok.Plo@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmlparse.Plo@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmlrole.Plo@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xmltok.Plo@am__quote@ # am--include-marker +@@ -574,6 +580,27 @@ + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + ++libtestpat_la-xmlparse.lo: xmlparse.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-xmlparse.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-xmlparse.Tpo -c -o libtestpat_la-xmlparse.lo `test -f 'xmlparse.c' || echo '$(srcdir)/'`xmlparse.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-xmlparse.Tpo $(DEPDIR)/libtestpat_la-xmlparse.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xmlparse.c' object='libtestpat_la-xmlparse.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-xmlparse.lo `test -f 'xmlparse.c' || echo 
'$(srcdir)/'`xmlparse.c ++ ++libtestpat_la-xmltok.lo: xmltok.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-xmltok.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-xmltok.Tpo -c -o libtestpat_la-xmltok.lo `test -f 'xmltok.c' || echo '$(srcdir)/'`xmltok.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-xmltok.Tpo $(DEPDIR)/libtestpat_la-xmltok.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xmltok.c' object='libtestpat_la-xmltok.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-xmltok.lo `test -f 'xmltok.c' || echo '$(srcdir)/'`xmltok.c ++ ++libtestpat_la-xmlrole.lo: xmlrole.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libtestpat_la-xmlrole.lo -MD -MP -MF $(DEPDIR)/libtestpat_la-xmlrole.Tpo -c -o libtestpat_la-xmlrole.lo `test -f 'xmlrole.c' || echo '$(srcdir)/'`xmlrole.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libtestpat_la-xmlrole.Tpo $(DEPDIR)/libtestpat_la-xmlrole.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xmlrole.c' object='libtestpat_la-xmlrole.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(libtestpat_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libtestpat_la-xmlrole.lo `test -f 'xmlrole.c' || echo '$(srcdir)/'`xmlrole.c ++ + mostlyclean-libtool: + -rm -f *.lo + +@@ -749,7 +776,10 @@ + clean-noinstLTLIBRARIES mostlyclean-am + + distclean: distclean-am +- -rm -f ./$(DEPDIR)/xmlparse.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo ++ -rm -f ./$(DEPDIR)/xmlparse.Plo + -rm -f ./$(DEPDIR)/xmlrole.Plo + -rm -f ./$(DEPDIR)/xmltok.Plo + -rm -f Makefile +@@ -798,7 +828,10 @@ + installcheck-am: + + maintainer-clean: maintainer-clean-am +- -rm -f ./$(DEPDIR)/xmlparse.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmlparse.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmlrole.Plo ++ -rm -f ./$(DEPDIR)/libtestpat_la-xmltok.Plo ++ -rm -f ./$(DEPDIR)/xmlparse.Plo + -rm -f ./$(DEPDIR)/xmlrole.Plo + -rm -f ./$(DEPDIR)/xmltok.Plo + -rm -f Makefile +--- contrib/expat/lib/expat.h.orig ++++ contrib/expat/lib/expat.h +@@ -11,13 +11,14 @@ + Copyright (c) 2000-2005 Fred L. Drake, Jr. + Copyright (c) 2001-2002 Greg Stein + Copyright (c) 2002-2016 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Cristian Rodríguez + Copyright (c) 2016 Thomas Beutlich + Copyright (c) 2017 Rhodri James + Copyright (c) 2022 Thijs Schreijer + Copyright (c) 2023 Hanno Böck + Copyright (c) 2023 Sony Corporation / Snild Dolkow ++ Copyright (c) 2024 Taichi Haradaguchi <20001722@ymail.ne.jp> + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -129,7 +130,9 @@ + /* Added in 2.3.0. */ + XML_ERROR_NO_BUFFER, + /* Added in 2.4.0. */ +- XML_ERROR_AMPLIFICATION_LIMIT_BREACH ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH, ++ /* Added in 2.6.4. 
*/ ++ XML_ERROR_NOT_STARTED, + }; + + enum XML_Content_Type { +@@ -1042,7 +1045,7 @@ + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + +-#if XML_GE == 1 ++#if defined(XML_DTD) || (defined(XML_GE) && XML_GE == 1) + /* Added in Expat 2.4.0 for XML_DTD defined and + * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) +@@ -1064,8 +1067,8 @@ + See https://semver.org + */ + #define XML_MAJOR_VERSION 2 +-#define XML_MINOR_VERSION 6 +-#define XML_MICRO_VERSION 0 ++#define XML_MINOR_VERSION 7 ++#define XML_MICRO_VERSION 1 + + #ifdef __cplusplus + } +--- contrib/expat/lib/internal.h.orig ++++ contrib/expat/lib/internal.h +@@ -28,10 +28,11 @@ + Copyright (c) 2002-2003 Fred L. Drake, Jr. + Copyright (c) 2002-2006 Karl Waclawek + Copyright (c) 2003 Greg Stein +- Copyright (c) 2016-2023 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2018 Yury Gribov + Copyright (c) 2019 David Loffredo +- Copyright (c) 2023 Sony Corporation / Snild Dolkow ++ Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow ++ Copyright (c) 2024 Taichi Haradaguchi <20001722@ymail.ne.jp> + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -126,6 +127,9 @@ + # elif ULONG_MAX == 18446744073709551615u // 2^64-1 + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "lu" ++# elif defined(EMSCRIPTEN) // 32bit mode Emscripten ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# define EXPAT_FMT_SIZE_T(midpart) "%" midpart "zu" + # else + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u" +@@ -155,14 +159,20 @@ + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, + const char **fromLimRef); + +-#if XML_GE == 1 ++#if defined(XML_GE) && XML_GE == 1 + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser); + unsigned long long 
testingAccountingGetCountBytesIndirect(XML_Parser parser); + const char *unsignedCharToPrintable(unsigned char c); + #endif + +-extern XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c +-extern unsigned int g_parseAttempts; // used for testing only ++extern ++#if ! defined(XML_TESTING) ++ const ++#endif ++ XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c ++#if defined(XML_TESTING) ++extern unsigned int g_bytesScanned; // used for testing only ++#endif + + #ifdef __cplusplus + } +--- contrib/expat/lib/siphash.h.orig ++++ contrib/expat/lib/siphash.h +@@ -126,8 +126,7 @@ + | ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) \ + | ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56)) + +-#define SIPHASH_INITIALIZER \ +- { 0, 0, 0, 0, {0}, 0, 0 } ++#define SIPHASH_INITIALIZER {0, 0, 0, 0, {0}, 0, 0} + + struct siphash { + uint64_t v0, v1, v2, v3; +--- contrib/expat/lib/xmlparse.c.orig ++++ contrib/expat/lib/xmlparse.c +@@ -1,4 +1,4 @@ +-/* 628e24d4966bedbd4800f6ed128d06d29703765b4bce12d3b7f099f90f842fc9 (2.6.0+) ++/* d19ae032c224863c1527ba44d228cc34b99192c3a4c5a27af1f4e054d45ee031 (2.7.1+) + __ __ _ + ___\ \/ /_ __ __ _| |_ + / _ \\ /| '_ \ / _` | __| +@@ -13,7 +13,7 @@ + Copyright (c) 2002-2016 Karl Waclawek + Copyright (c) 2005-2009 Steven Solie + Copyright (c) 2016 Eric Rahm +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Gaurav + Copyright (c) 2016 Thomas Beutlich + Copyright (c) 2016 Gustavo Grieco +@@ -38,7 +38,9 @@ + Copyright (c) 2022 Jann Horn + Copyright (c) 2022 Sean McBride + Copyright (c) 2023 Owain Davies +- Copyright (c) 2023 Sony Corporation / Snild Dolkow ++ Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow ++ Copyright (c) 2024-2025 Berkay Eren Ürün ++ Copyright (c) 2024 Hanno Böck + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -210,7 +212,7 @@ + #endif + + /* Round 
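Review bot: The conditional `const` on `g_reparseDeferralEnabledDefault` in internal.h (hunk `@@ -155,14 +159,20 @@`, mirrored by the definition in the xmlparse.c hunk `@@ -629,8 +646,14 @@`) makes the object's type depend on whether `XML_TESTING` was defined for each translation unit, and nothing in the header says so. A file that includes internal.h without `-DXML_TESTING` but links against the testing build would see a `const` declaration for a writable definition, a mismatch the compiler cannot detect across units. I would document this next to the declaration, for example `/* const in production builds; XML_TESTING must be set identically for every unit that includes this header */`. The trailing comment `written ONLY in runtests.c` now holds only for the `XML_TESTING` build and could say so.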
up n to be a multiple of sz, where sz is a power of 2. */ +-#define ROUND_UP(n, sz) (((n) + ((sz)-1)) & ~((sz)-1)) ++#define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1)) + + /* Do safe (NULL-aware) pointer arithmetic */ + #define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0) +@@ -248,7 +250,7 @@ + it odd, since odd numbers are always relative prime to a power of 2. + */ + #define SECOND_HASH(hash, mask, power) \ +- ((((hash) & ~(mask)) >> ((power)-1)) & ((mask) >> 2)) ++ ((((hash) & ~(mask)) >> ((power) - 1)) & ((mask) >> 2)) + #define PROBE_STEP(hash, mask, power) \ + ((unsigned char)((SECOND_HASH(hash, mask, power)) | 1)) + +@@ -294,7 +296,7 @@ + The name of the element is stored in both the document and API + encodings. The memory buffer 'buf' is a separately-allocated + memory area which stores the name. During the XML_Parse()/ +- XMLParseBuffer() when the element is open, the memory for the 'raw' ++ XML_ParseBuffer() when the element is open, the memory for the 'raw' + version of the name (in the document encoding) is shared with the + document buffer. If the element is open across calls to + XML_Parse()/XML_ParseBuffer(), the buffer is re-allocated to +@@ -323,6 +325,10 @@ + const XML_Char *publicId; + const XML_Char *notation; + XML_Bool open; ++ XML_Bool hasMore; /* true if entity has not been completely processed */ ++ /* An entity can be open while being already completely processed (hasMore == ++ XML_FALSE). 
The reason is the delayed closing of entities until their inner ++ entities are processed and closed */ + XML_Bool is_param; + XML_Bool is_internal; /* true if declared in internal subset outside PE */ + } ENTITY; +@@ -413,6 +419,12 @@ + int *scaffIndex; + } DTD; + ++enum EntityType { ++ ENTITY_INTERNAL, ++ ENTITY_ATTRIBUTE, ++ ENTITY_VALUE, ++}; ++ + typedef struct open_internal_entity { + const char *internalEventPtr; + const char *internalEventEndPtr; +@@ -420,6 +432,7 @@ + ENTITY *entity; + int startTagLevel; + XML_Bool betweenDecl; /* WFC: PE Between Declarations */ ++ enum EntityType type; + } OPEN_INTERNAL_ENTITY; + + enum XML_Account { +@@ -479,8 +492,8 @@ + const char *next, const char **nextPtr, + XML_Bool haveMore, XML_Bool allowClosingDoctype, + enum XML_Account account); +-static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, +- XML_Bool betweenDecl); ++static enum XML_Error processEntity(XML_Parser parser, ENTITY *entity, ++ XML_Bool betweenDecl, enum EntityType type); + static enum XML_Error doContent(XML_Parser parser, int startTagLevel, + const ENCODING *enc, const char *start, + const char *end, const char **endPtr, +@@ -511,18 +524,22 @@ + const char *ptr, const char *end, + STRING_POOL *pool, + enum XML_Account account); +-static enum XML_Error appendAttributeValue(XML_Parser parser, +- const ENCODING *enc, +- XML_Bool isCdata, const char *ptr, +- const char *end, STRING_POOL *pool, +- enum XML_Account account); ++static enum XML_Error ++appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, ++ const char *ptr, const char *end, STRING_POOL *pool, ++ enum XML_Account account, const char **nextPtr); + static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType); + #if XML_GE == 1 + static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc, + const 
char *start, const char *end, +- enum XML_Account account); ++ enum XML_Account account, ++ const char **nextPtr); ++static enum XML_Error callStoreEntityValue(XML_Parser parser, ++ const ENCODING *enc, ++ const char *start, const char *end, ++ enum XML_Account account); + #else + static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity); + #endif +@@ -629,8 +646,14 @@ + ? 0 \ + : ((*((pool)->ptr)++ = c), 1)) + +-XML_Bool g_reparseDeferralEnabledDefault = XML_TRUE; // write ONLY in runtests.c +-unsigned int g_parseAttempts = 0; // used for testing only ++#if ! defined(XML_TESTING) ++const ++#endif ++ XML_Bool g_reparseDeferralEnabledDefault ++ = XML_TRUE; // write ONLY in runtests.c ++#if defined(XML_TESTING) ++unsigned int g_bytesScanned = 0; // used for testing only ++#endif + + struct XML_ParserStruct { + /* The first member must be m_userData so that the XML_GetUserData +@@ -701,6 +724,10 @@ + const char *m_positionPtr; + OPEN_INTERNAL_ENTITY *m_openInternalEntities; + OPEN_INTERNAL_ENTITY *m_freeInternalEntities; ++ OPEN_INTERNAL_ENTITY *m_openAttributeEntities; ++ OPEN_INTERNAL_ENTITY *m_freeAttributeEntities; ++ OPEN_INTERNAL_ENTITY *m_openValueEntities; ++ OPEN_INTERNAL_ENTITY *m_freeValueEntities; + XML_Bool m_defaultExpandInternalEntities; + int m_tagLevel; + ENTITY *m_declEntity; +@@ -748,6 +775,7 @@ + ACCOUNTING m_accounting; + ENTITY_STATS m_entity_stats; + #endif ++ XML_Bool m_reenter; + }; + + #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s))) +@@ -1017,8 +1045,32 @@ + return XML_ERROR_NONE; + } + } +- g_parseAttempts += 1; +- const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr); ++#if defined(XML_TESTING) ++ g_bytesScanned += (unsigned)have_now; ++#endif ++ // Run in a loop to eliminate dangerous recursion depths ++ enum XML_Error ret; ++ *endPtr = start; ++ while (1) { ++ // Use endPtr as the new start in each iteration, since it will ++ // be set to the next start point by m_processor. 
++ ret = parser->m_processor(parser, *endPtr, end, endPtr); ++ ++ // Make parsing status (and in particular XML_SUSPENDED) take ++ // precedence over re-enter flag when they disagree ++ if (parser->m_parsingStatus.parsing != XML_PARSING) { ++ parser->m_reenter = XML_FALSE; ++ } ++ ++ if (! parser->m_reenter) { ++ break; ++ } ++ ++ parser->m_reenter = XML_FALSE; ++ if (ret != XML_ERROR_NONE) ++ return ret; ++ } ++ + if (ret == XML_ERROR_NONE) { + // if we consumed nothing, remember what we had on this parse attempt. + if (*endPtr == start) { +@@ -1129,6 +1181,8 @@ + parser->m_freeBindingList = NULL; + parser->m_freeTagList = NULL; + parser->m_freeInternalEntities = NULL; ++ parser->m_freeAttributeEntities = NULL; ++ parser->m_freeValueEntities = NULL; + + parser->m_groupSize = 0; + parser->m_groupConnector = NULL; +@@ -1231,6 +1285,8 @@ + parser->m_eventEndPtr = NULL; + parser->m_positionPtr = NULL; + parser->m_openInternalEntities = NULL; ++ parser->m_openAttributeEntities = NULL; ++ parser->m_openValueEntities = NULL; + parser->m_defaultExpandInternalEntities = XML_TRUE; + parser->m_tagLevel = 0; + parser->m_tagStack = NULL; +@@ -1241,6 +1297,8 @@ + parser->m_unknownEncodingData = NULL; + parser->m_parentParser = NULL; + parser->m_parsingStatus.parsing = XML_INITIALIZED; ++ // Reentry can only be triggered inside m_processor calls ++ parser->m_reenter = XML_FALSE; + #ifdef XML_DTD + parser->m_isParamEntity = XML_FALSE; + parser->m_useForeignDTD = XML_FALSE; +@@ -1300,6 +1358,24 @@ + openEntity->next = parser->m_freeInternalEntities; + parser->m_freeInternalEntities = openEntity; + } ++ /* move m_openAttributeEntities to m_freeAttributeEntities (i.e. 
same task but ++ * for attributes) */ ++ openEntityList = parser->m_openAttributeEntities; ++ while (openEntityList) { ++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList; ++ openEntityList = openEntity->next; ++ openEntity->next = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = openEntity; ++ } ++ /* move m_openValueEntities to m_freeValueEntities (i.e. same task but ++ * for value entities) */ ++ openEntityList = parser->m_openValueEntities; ++ while (openEntityList) { ++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList; ++ openEntityList = openEntity->next; ++ openEntity->next = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = openEntity; ++ } + moveToFreeBindingList(parser, parser->m_inheritedBindings); + FREE(parser, parser->m_unknownEncodingMem); + if (parser->m_unknownEncodingRelease) +@@ -1313,6 +1389,19 @@ + return XML_TRUE; + } + ++static XML_Bool ++parserBusy(XML_Parser parser) { ++ switch (parser->m_parsingStatus.parsing) { ++ case XML_PARSING: ++ case XML_SUSPENDED: ++ return XML_TRUE; ++ case XML_INITIALIZED: ++ case XML_FINISHED: ++ default: ++ return XML_FALSE; ++ } ++} ++ + enum XML_Status XMLCALL + XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) { + if (parser == NULL) +@@ -1321,8 +1410,7 @@ + XXX There's no way for the caller to determine which of the + XXX possible error cases caused the XML_STATUS_ERROR return. 
+ */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return XML_STATUS_ERROR; + + /* Get rid of any previous encoding name */ +@@ -1559,7 +1647,34 @@ + entityList = entityList->next; + FREE(parser, openEntity); + } +- ++ /* free m_openAttributeEntities and m_freeAttributeEntities */ ++ entityList = parser->m_openAttributeEntities; ++ for (;;) { ++ OPEN_INTERNAL_ENTITY *openEntity; ++ if (entityList == NULL) { ++ if (parser->m_freeAttributeEntities == NULL) ++ break; ++ entityList = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = NULL; ++ } ++ openEntity = entityList; ++ entityList = entityList->next; ++ FREE(parser, openEntity); ++ } ++ /* free m_openValueEntities and m_freeValueEntities */ ++ entityList = parser->m_openValueEntities; ++ for (;;) { ++ OPEN_INTERNAL_ENTITY *openEntity; ++ if (entityList == NULL) { ++ if (parser->m_freeValueEntities == NULL) ++ break; ++ entityList = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = NULL; ++ } ++ openEntity = entityList; ++ entityList = entityList->next; ++ FREE(parser, openEntity); ++ } + destroyBindings(parser->m_freeBindingList, parser); + destroyBindings(parser->m_inheritedBindings, parser); + poolDestroy(&parser->m_tempPool); +@@ -1601,8 +1716,7 @@ + return XML_ERROR_INVALID_ARGUMENT; + #ifdef XML_DTD + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return XML_ERROR_CANT_CHANGE_FEATURE_ONCE_PARSING; + parser->m_useForeignDTD = useDTD; + return XML_ERROR_NONE; +@@ -1617,8 +1731,7 @@ + if (parser == NULL) + return; + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return; + 
parser->m_ns_triplets = do_nst ? XML_TRUE : XML_FALSE; + } +@@ -1887,8 +2000,7 @@ + if (parser == NULL) + return 0; + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return 0; + #ifdef XML_DTD + parser->m_paramEntityParsing = peParsing; +@@ -1905,8 +2017,7 @@ + if (parser->m_parentParser) + return XML_SetHashSalt(parser->m_parentParser, hash_salt); + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return 0; + parser->m_hash_secret_salt = hash_salt; + return 1; +@@ -2030,6 +2141,12 @@ + + if (parser == NULL) + return XML_STATUS_ERROR; ++ ++ if (len < 0) { ++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; ++ return XML_STATUS_ERROR; ++ } ++ + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: + parser->m_errorCode = XML_ERROR_SUSPENDED; +@@ -2214,11 +2331,19 @@ + return parser->m_bufferEnd; + } + ++static void ++triggerReenter(XML_Parser parser) { ++ parser->m_reenter = XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_StopParser(XML_Parser parser, XML_Bool resumable) { + if (parser == NULL) + return XML_STATUS_ERROR; + switch (parser->m_parsingStatus.parsing) { ++ case XML_INITIALIZED: ++ parser->m_errorCode = XML_ERROR_NOT_STARTED; ++ return XML_STATUS_ERROR; + case XML_SUSPENDED: + if (resumable) { + parser->m_errorCode = XML_ERROR_SUSPENDED; +@@ -2229,7 +2354,7 @@ + case XML_FINISHED: + parser->m_errorCode = XML_ERROR_FINISHED; + return XML_STATUS_ERROR; +- default: ++ case XML_PARSING: + if (resumable) { + #ifdef XML_DTD + if (parser->m_isParamEntity) { +@@ -2240,6 +2365,9 @@ + parser->m_parsingStatus.parsing = XML_SUSPENDED; + } else + parser->m_parsingStatus.parsing = XML_FINISHED; ++ break; ++ default: ++ assert(0); + } + return 
XML_STATUS_OK; + } +@@ -2504,6 +2632,9 @@ + case XML_ERROR_AMPLIFICATION_LIMIT_BREACH: + return XML_L( + "limit on input amplification factor (from DTD and entities) breached"); ++ /* Added in 2.6.4. */ ++ case XML_ERROR_NOT_STARTED: ++ return XML_L("parser not started"); + } + return NULL; + } +@@ -2679,8 +2810,9 @@ + contentProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { + enum XML_Error result = doContent( +- parser, 0, parser->m_encoding, start, end, endPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT); ++ parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, start, end, ++ endPtr, (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); + if (result == XML_ERROR_NONE) { + if (! storeRawNames(parser)) + return XML_ERROR_NO_MEMORY; +@@ -2768,6 +2900,11 @@ + return XML_ERROR_NONE; + case XML_FINISHED: + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default: + start = next; + } +@@ -2941,7 +3078,7 @@ + reportDefault(parser, enc, s, next); + break; + } +- result = processInternalEntity(parser, entity, XML_FALSE); ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_INTERNAL); + if (result != XML_ERROR_NONE) + return result; + } else if (parser->m_externalEntityRefHandler) { +@@ -3067,7 +3204,9 @@ + } + if ((parser->m_tagLevel == 0) + && (parser->m_parsingStatus.parsing != XML_FINISHED)) { +- if (parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter)) + parser->m_processor = epilogProcessor; + else + return epilogProcessor(parser, next, end, nextPtr); +@@ -3128,7 +3267,9 @@ + } + if ((parser->m_tagLevel == 0) + && (parser->m_parsingStatus.parsing != XML_FINISHED)) { +- if (parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if 
(parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter)) + parser->m_processor = epilogProcessor; + else + return epilogProcessor(parser, next, end, nextPtr); +@@ -3261,14 +3402,22 @@ + break; + /* LCOV_EXCL_STOP */ + } +- *eventPP = s = next; + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ *eventPP = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ *eventPP = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ *nextPtr = next; ++ return XML_ERROR_NONE; ++ } ++ /* Fall through */ + default:; ++ *eventPP = s = next; + } + } + /* not reached */ +@@ -4185,14 +4334,21 @@ + /* LCOV_EXCL_STOP */ + } + +- *eventPP = s = next; + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ *eventPP = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ *eventPP = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default:; ++ *eventPP = s = next; + } + } + /* not reached */ +@@ -4524,7 +4680,7 @@ + } + /* found end of entity value - can store it now */ + return storeEntityValue(parser, parser->m_encoding, s, end, +- XML_ACCOUNT_DIRECT); ++ XML_ACCOUNT_DIRECT, NULL); + } else if (tok == XML_TOK_XML_DECL) { + enum XML_Error result; + result = processXmlDecl(parser, 0, start, next); +@@ -4651,7 +4807,7 @@ + break; + } + /* found end of entity value - can store it now */ +- return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT); ++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL); + } + start = next; + } +@@ -5094,9 +5250,9 @@ + #if XML_GE == 1 + // This will store the given replacement text in + // parser->m_declEntity->textPtr. 
+- enum XML_Error result +- = storeEntityValue(parser, enc, s + enc->minBytesPerChar, +- next - enc->minBytesPerChar, XML_ACCOUNT_NONE); ++ enum XML_Error result = callStoreEntityValue( ++ parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar, ++ XML_ACCOUNT_NONE); + if (parser->m_declEntity) { + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen +@@ -5521,7 +5677,7 @@ + enum XML_Error result; + XML_Bool betweenDecl + = (role == XML_ROLE_PARAM_ENTITY_REF ? XML_TRUE : XML_FALSE); +- result = processInternalEntity(parser, entity, betweenDecl); ++ result = processEntity(parser, entity, betweenDecl, ENTITY_INTERNAL); + if (result != XML_ERROR_NONE) + return result; + handleDefault = XML_FALSE; +@@ -5726,6 +5882,12 @@ + return XML_ERROR_NONE; + case XML_FINISHED: + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ *nextPtr = next; ++ return XML_ERROR_NONE; ++ } ++ /* Fall through */ + default: + s = next; + tok = XmlPrologTok(enc, s, end, &next); +@@ -5793,28 +5955,58 @@ + default: + return XML_ERROR_JUNK_AFTER_DOC_ELEMENT; + } +- parser->m_eventPtr = s = next; + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ parser->m_eventPtr = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ parser->m_eventPtr = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default:; ++ parser->m_eventPtr = s = next; + } + } + } + + static enum XML_Error +-processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { +- const char *textStart, *textEnd; +- const char *next; +- enum XML_Error result; +- OPEN_INTERNAL_ENTITY *openEntity; ++processEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl, ++ enum EntityType type) { ++ OPEN_INTERNAL_ENTITY *openEntity, **openEntityList, **freeEntityList; ++ switch (type) { ++ case 
ENTITY_INTERNAL: ++ parser->m_processor = internalEntityProcessor; ++ openEntityList = &parser->m_openInternalEntities; ++ freeEntityList = &parser->m_freeInternalEntities; ++ break; ++ case ENTITY_ATTRIBUTE: ++ openEntityList = &parser->m_openAttributeEntities; ++ freeEntityList = &parser->m_freeAttributeEntities; ++ break; ++ case ENTITY_VALUE: ++ openEntityList = &parser->m_openValueEntities; ++ freeEntityList = &parser->m_freeValueEntities; ++ break; ++ /* default case serves merely as a safety net in case of a ++ * wrong entityType. Therefore we exclude the following lines ++ * from the test coverage. ++ * ++ * LCOV_EXCL_START ++ */ ++ default: ++ // Should not reach here ++ assert(0); ++ /* LCOV_EXCL_STOP */ ++ } + +- if (parser->m_freeInternalEntities) { +- openEntity = parser->m_freeInternalEntities; +- parser->m_freeInternalEntities = openEntity->next; ++ if (*freeEntityList) { ++ openEntity = *freeEntityList; ++ *freeEntityList = openEntity->next; + } else { + openEntity + = (OPEN_INTERNAL_ENTITY *)MALLOC(parser, sizeof(OPEN_INTERNAL_ENTITY)); +@@ -5822,56 +6014,34 @@ + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; ++ entity->hasMore = XML_TRUE; + #if XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + entity->processed = 0; +- openEntity->next = parser->m_openInternalEntities; +- parser->m_openInternalEntities = openEntity; ++ openEntity->next = *openEntityList; ++ *openEntityList = openEntity; + openEntity->entity = entity; ++ openEntity->type = type; + openEntity->startTagLevel = parser->m_tagLevel; + openEntity->betweenDecl = betweenDecl; + openEntity->internalEventPtr = NULL; + openEntity->internalEventEndPtr = NULL; +- textStart = (const char *)entity->textPtr; +- textEnd = (const char *)(entity->textPtr + entity->textLen); +- /* Set a safe default value in case 'next' does not get set */ +- next = textStart; + +-#ifdef XML_DTD +- if (entity->is_param) { +- int tok +- = XmlPrologTok(parser->m_internalEncoding, 
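Review bot: The `default:` arm of the new `switch (type)` in processEntity relies on `assert(0)` alone, so a build with NDEBUG falls out of the switch with `openEntityList` and `freeEntityList` uninitialised, and the next statement dereferences `*freeEntityList`. Adding `return XML_ERROR_UNEXPECTED_STATE;` directly after the `assert(0);` keeps the safety net effective in release builds and silences maybe-uninitialised warnings. The function body continues in the following hunk.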
textStart, textEnd, &next); +- result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, +- tok, next, &next, XML_FALSE, XML_FALSE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- } else +-#endif /* XML_DTD */ +- result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding, +- textStart, textEnd, &next, XML_FALSE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- +- if (result == XML_ERROR_NONE) { +- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- entity->processed = (int)(next - textStart); +- parser->m_processor = internalEntityProcessor; +- } else if (parser->m_openInternalEntities->entity == entity) { +-#if XML_GE == 1 +- entityTrackingOnClose(parser, entity, __LINE__); +-#endif /* XML_GE == 1 */ +- entity->open = XML_FALSE; +- parser->m_openInternalEntities = openEntity->next; +- /* put openEntity back in list of free instances */ +- openEntity->next = parser->m_freeInternalEntities; +- parser->m_freeInternalEntities = openEntity; +- } ++ // Only internal entities make use of the reenter flag ++ // therefore no need to set it for other entity types ++ if (type == ENTITY_INTERNAL) { ++ triggerReenter(parser); + } +- return result; ++ return XML_ERROR_NONE; + } + + static enum XML_Error PTRCALL + internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + const char **nextPtr) { ++ UNUSED_P(s); ++ UNUSED_P(end); ++ UNUSED_P(nextPtr); + ENTITY *entity; + const char *textStart, *textEnd; + const char *next; +@@ -5881,72 +6051,67 @@ + return XML_ERROR_UNEXPECTED_STATE; + + entity = openEntity->entity; +- textStart = ((const char *)entity->textPtr) + entity->processed; +- textEnd = (const char *)(entity->textPtr + entity->textLen); +- /* Set a safe default value in case 'next' does not get set */ +- next = textStart; + +-#ifdef XML_DTD +- if (entity->is_param) { +- int tok +- = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); +- result = doProlog(parser, parser->m_internalEncoding, textStart, 
textEnd, +- tok, next, &next, XML_FALSE, XML_TRUE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- } else +-#endif /* XML_DTD */ +- result = doContent(parser, openEntity->startTagLevel, +- parser->m_internalEncoding, textStart, textEnd, &next, +- XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); ++ // This will return early ++ if (entity->hasMore) { ++ textStart = ((const char *)entity->textPtr) + entity->processed; ++ textEnd = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ next = textStart; ++ ++ if (entity->is_param) { ++ int tok ++ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); ++ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, ++ tok, next, &next, XML_FALSE, XML_FALSE, ++ XML_ACCOUNT_ENTITY_EXPANSION); ++ } else { ++ result = doContent(parser, openEntity->startTagLevel, ++ parser->m_internalEncoding, textStart, textEnd, &next, ++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); ++ } + +- if (result != XML_ERROR_NONE) +- return result; ++ if (result != XML_ERROR_NONE) ++ return result; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed ++ if (textEnd != next ++ && (parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter))) { ++ entity->processed = (int)(next - (const char *)entity->textPtr); ++ return result; ++ } + +- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- entity->processed = (int)(next - (const char *)entity->textPtr); ++ // Entity is complete. 
We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openInternalEntities during doProlog or doContent calls above) ++ entity->hasMore = XML_FALSE; ++ triggerReenter(parser); + return result; +- } ++ } // End of entity processing, "if" block will return here + ++ // Remove fully processed openEntity from open entity list. + #if XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif ++ // openEntity is m_openInternalEntities' head, as we set it at the start of ++ // this function and we skipped doProlog and doContent calls with hasMore set ++ // to false. This means we can directly remove the head of ++ // m_openInternalEntities ++ assert(parser->m_openInternalEntities == openEntity); + entity->open = XML_FALSE; +- parser->m_openInternalEntities = openEntity->next; ++ parser->m_openInternalEntities = parser->m_openInternalEntities->next; ++ + /* put openEntity back in list of free instances */ + openEntity->next = parser->m_freeInternalEntities; + parser->m_freeInternalEntities = openEntity; + +- // If there are more open entities we want to stop right here and have the +- // upcoming call to XML_ResumeParser continue with entity content, or it would +- // be ignored altogether. +- if (parser->m_openInternalEntities != NULL +- && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- return XML_ERROR_NONE; +- } +- +-#ifdef XML_DTD +- if (entity->is_param) { +- int tok; +- parser->m_processor = prologProcessor; +- tok = XmlPrologTok(parser->m_encoding, s, end, &next); +- return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, +- XML_ACCOUNT_DIRECT); +- } else +-#endif /* XML_DTD */ +- { +- parser->m_processor = contentProcessor; +- /* see externalEntityContentProcessor vs contentProcessor */ +- result = doContent(parser, parser->m_parentParser ? 1 : 0, +- parser->m_encoding, s, end, nextPtr, +- (XML_Bool)! 
parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); +- if (result == XML_ERROR_NONE) { +- if (! storeRawNames(parser)) +- return XML_ERROR_NO_MEMORY; +- } +- return result; ++ if (parser->m_openInternalEntities == NULL) { ++ parser->m_processor = entity->is_param ? prologProcessor : contentProcessor; + } ++ triggerReenter(parser); ++ return XML_ERROR_NONE; + } + + static enum XML_Error PTRCALL +@@ -5962,8 +6127,70 @@ + storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *ptr, const char *end, STRING_POOL *pool, + enum XML_Account account) { +- enum XML_Error result +- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account); ++ const char *next = ptr; ++ enum XML_Error result = XML_ERROR_NONE; ++ ++ while (1) { ++ if (! parser->m_openAttributeEntities) { ++ result = appendAttributeValue(parser, enc, isCdata, next, end, pool, ++ account, &next); ++ } else { ++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openAttributeEntities; ++ if (! openEntity) ++ return XML_ERROR_UNEXPECTED_STATE; ++ ++ ENTITY *const entity = openEntity->entity; ++ const char *const textStart ++ = ((const char *)entity->textPtr) + entity->processed; ++ const char *const textEnd ++ = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ const char *nextInEntity = textStart; ++ if (entity->hasMore) { ++ result = appendAttributeValue( ++ parser, parser->m_internalEncoding, isCdata, textStart, textEnd, ++ pool, XML_ACCOUNT_ENTITY_EXPANSION, &nextInEntity); ++ if (result != XML_ERROR_NONE) ++ break; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed. A XML_SUSPENDED check here is not required as ++ // appendAttributeValue will never suspend the parser. ++ if (textEnd != nextInEntity) { ++ entity->processed ++ = (int)(nextInEntity - (const char *)entity->textPtr); ++ continue; ++ } ++ ++ // Entity is complete. 
We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openAttributeEntities during appendAttributeValue) ++ entity->hasMore = XML_FALSE; ++ continue; ++ } // End of entity processing, "if" block skips the rest ++ ++ // Remove fully processed openEntity from open entity list. ++#if XML_GE == 1 ++ entityTrackingOnClose(parser, entity, __LINE__); ++#endif ++ // openEntity is m_openAttributeEntities' head, since we set it at the ++ // start of this function and because we skipped appendAttributeValue call ++ // with hasMore set to false. This means we can directly remove the head ++ // of m_openAttributeEntities ++ assert(parser->m_openAttributeEntities == openEntity); ++ entity->open = XML_FALSE; ++ parser->m_openAttributeEntities = parser->m_openAttributeEntities->next; ++ ++ /* put openEntity back in list of free instances */ ++ openEntity->next = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = openEntity; ++ } ++ ++ // Break if an error occurred or there is nothing left to process ++ if (result || (parser->m_openAttributeEntities == NULL && end == next)) { ++ break; ++ } ++ } ++ + if (result) + return result; + if (! 
isCdata && poolLength(pool) && poolLastChar(pool) == 0x20) +@@ -5976,7 +6203,7 @@ + static enum XML_Error + appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *ptr, const char *end, STRING_POOL *pool, +- enum XML_Account account) { ++ enum XML_Account account, const char **nextPtr) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + #ifndef XML_DTD + UNUSED_P(account); +@@ -5994,6 +6221,9 @@ + #endif + switch (tok) { + case XML_TOK_NONE: ++ if (nextPtr) { ++ *nextPtr = next; ++ } + return XML_ERROR_NONE; + case XML_TOK_INVALID: + if (enc == parser->m_encoding) +@@ -6134,21 +6364,11 @@ + return XML_ERROR_ATTRIBUTE_EXTERNAL_ENTITY_REF; + } else { + enum XML_Error result; +- const XML_Char *textEnd = entity->textPtr + entity->textLen; +- entity->open = XML_TRUE; +-#if XML_GE == 1 +- entityTrackingOnOpen(parser, entity, __LINE__); +-#endif +- result = appendAttributeValue(parser, parser->m_internalEncoding, +- isCdata, (const char *)entity->textPtr, +- (const char *)textEnd, pool, +- XML_ACCOUNT_ENTITY_EXPANSION); +-#if XML_GE == 1 +- entityTrackingOnClose(parser, entity, __LINE__); +-#endif +- entity->open = XML_FALSE; +- if (result) +- return result; ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_ATTRIBUTE); ++ if ((result == XML_ERROR_NONE) && (nextPtr != NULL)) { ++ *nextPtr = next; ++ } ++ return result; + } + } break; + default: +@@ -6177,7 +6397,7 @@ + static enum XML_Error + storeEntityValue(XML_Parser parser, const ENCODING *enc, + const char *entityTextPtr, const char *entityTextEnd, +- enum XML_Account account) { ++ enum XML_Account account, const char **nextPtr) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + STRING_POOL *pool = &(dtd->entityValuePool); + enum XML_Error result = XML_ERROR_NONE; +@@ -6195,8 +6415,9 @@ + return XML_ERROR_NO_MEMORY; + } + ++ const char *next; + for (;;) { +- const char *next ++ next + = entityTextPtr; /* XmlEntityValueTok 
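Review bot: The `if (! openEntity) return XML_ERROR_UNEXPECTED_STATE;` check in the else branch of storeAttributeValue's new loop cannot fire, because that branch is only entered when `parser->m_openAttributeEntities` is non-NULL and `openEntity` is initialised from the same pointer one line earlier. I would drop the two lines, or turn them into `assert(openEntity != NULL);`, so the loop's real exit conditions are easier to see. callStoreEntityValue, added later in this patch, repeats the same pattern with `m_openValueEntities`.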
doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +@@ -6232,7 +6453,7 @@ + dtd->keepProcessing = dtd->standalone; + goto endEntityValue; + } +- if (entity->open) { ++ if (entity->open || (entity == parser->m_declEntity)) { + if (enc == parser->m_encoding) + parser->m_eventPtr = entityTextPtr; + result = XML_ERROR_RECURSIVE_ENTITY_REF; +@@ -6258,16 +6479,8 @@ + } else + dtd->keepProcessing = dtd->standalone; + } else { +- entity->open = XML_TRUE; +- entityTrackingOnOpen(parser, entity, __LINE__); +- result = storeEntityValue( +- parser, parser->m_internalEncoding, (const char *)entity->textPtr, +- (const char *)(entity->textPtr + entity->textLen), +- XML_ACCOUNT_ENTITY_EXPANSION); +- entityTrackingOnClose(parser, entity, __LINE__); +- entity->open = XML_FALSE; +- if (result) +- goto endEntityValue; ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_VALUE); ++ goto endEntityValue; + } + break; + } +@@ -6355,6 +6568,81 @@ + # ifdef XML_DTD + parser->m_prologState.inEntityValue = oldInEntityValue; + # endif /* XML_DTD */ ++ // If 'nextPtr' is given, it should be updated during the processing ++ if (nextPtr != NULL) { ++ *nextPtr = next; ++ } ++ return result; ++} ++ ++static enum XML_Error ++callStoreEntityValue(XML_Parser parser, const ENCODING *enc, ++ const char *entityTextPtr, const char *entityTextEnd, ++ enum XML_Account account) { ++ const char *next = entityTextPtr; ++ enum XML_Error result = XML_ERROR_NONE; ++ while (1) { ++ if (! parser->m_openValueEntities) { ++ result ++ = storeEntityValue(parser, enc, next, entityTextEnd, account, &next); ++ } else { ++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openValueEntities; ++ if (! 
openEntity) ++ return XML_ERROR_UNEXPECTED_STATE; ++ ++ ENTITY *const entity = openEntity->entity; ++ const char *const textStart ++ = ((const char *)entity->textPtr) + entity->processed; ++ const char *const textEnd ++ = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ const char *nextInEntity = textStart; ++ if (entity->hasMore) { ++ result = storeEntityValue(parser, parser->m_internalEncoding, textStart, ++ textEnd, XML_ACCOUNT_ENTITY_EXPANSION, ++ &nextInEntity); ++ if (result != XML_ERROR_NONE) ++ break; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed. A XML_SUSPENDED check here is not required as ++ // appendAttributeValue will never suspend the parser. ++ if (textEnd != nextInEntity) { ++ entity->processed ++ = (int)(nextInEntity - (const char *)entity->textPtr); ++ continue; ++ } ++ ++ // Entity is complete. We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openValueEntities during storeEntityValue) ++ entity->hasMore = XML_FALSE; ++ continue; ++ } // End of entity processing, "if" block skips the rest ++ ++ // Remove fully processed openEntity from open entity list. ++# if XML_GE == 1 ++ entityTrackingOnClose(parser, entity, __LINE__); ++# endif ++ // openEntity is m_openValueEntities' head, since we set it at the ++ // start of this function and because we skipped storeEntityValue call ++ // with hasMore set to false. 
This means we can directly remove the head ++ // of m_openValueEntities ++ assert(parser->m_openValueEntities == openEntity); ++ entity->open = XML_FALSE; ++ parser->m_openValueEntities = parser->m_openValueEntities->next; ++ ++ /* put openEntity back in list of free instances */ ++ openEntity->next = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = openEntity; ++ } ++ ++ // Break if an error occurred or there is nothing left to process ++ if (result ++ || (parser->m_openValueEntities == NULL && entityTextEnd == next)) { ++ break; ++ } ++ } ++ + return result; + } + +@@ -7008,6 +7296,16 @@ + if (! newE) + return 0; + if (oldE->nDefaultAtts) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((size_t)oldE->nDefaultAtts ++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { ++ return 0; ++ } ++#endif + newE->defaultAtts + = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (! newE->defaultAtts) { +@@ -7550,6 +7848,15 @@ + int next; + + if (! dtd->scaffIndex) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { ++ return -1; ++ } ++#endif + dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); + if (! 
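Review bot: The comment inside callStoreEntityValue's `if (entity->hasMore)` block was copied from storeAttributeValue and still names the wrong callee: it says no XML_SUSPENDED check is needed because "appendAttributeValue will never suspend the parser", but this loop calls storeEntityValue. Since that comment is the only stated justification for skipping the suspension check, it should read `// processed. A XML_SUSPENDED check here is not required as` / `// storeEntityValue will never suspend the parser.`. This is worth confirming against storeEntityValue, whose body is only partly visible in this patch.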
dtd->scaffIndex) + return -1; +@@ -7779,6 +8086,8 @@ + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { ++ // 1.........1.........12 => 22 ++ const size_t lenOfShortestInclude = sizeof("") - 1; + const XmlBigCount countBytesOutput + = rootParser->m_accounting.countBytesDirect + + rootParser->m_accounting.countBytesIndirect; +@@ -7786,7 +8095,9 @@ + = rootParser->m_accounting.countBytesDirect + ? (countBytesOutput + / (float)(rootParser->m_accounting.countBytesDirect)) +- : 1.0f; ++ : ((lenOfShortestInclude ++ + rootParser->m_accounting.countBytesIndirect) ++ / (float)lenOfShortestInclude); + assert(! rootParser->m_parentParser); + return amplificationFactor; + } +@@ -7823,7 +8134,7 @@ + assert(! rootParser->m_parentParser); + + fprintf(stderr, +- " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%d, xmlparse.c:%d) %*s\"", ++ " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%u, xmlparse.c:%d) %*s\"", + bytesMore, (account == XML_ACCOUNT_DIRECT) ? "DIR" : "EXP", + levelsAwayFromRootParser, source_line, 10, ""); + +@@ -7936,11 +8247,11 @@ + + fprintf( + stderr, +- "expat: Entities(%p): Count %9d, depth %2d/%2d %*s%s%s; %s length %d (xmlparse.c:%d)\n", ++ "expat: Entities(%p): Count %9u, depth %2u/%2u %*s%s%s; %s length %d (xmlparse.c:%d)\n", + (void *)rootParser, rootParser->m_entity_stats.countEverOpened, + rootParser->m_entity_stats.currentDepth, + rootParser->m_entity_stats.maximumDepthSeen, +- (rootParser->m_entity_stats.currentDepth - 1) * 2, "", ++ ((int)rootParser->m_entity_stats.currentDepth - 1) * 2, "", + entity->is_param ? 
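Review bot: The fallback branch for `countBytesDirect == 0` now divides by `lenOfShortestInclude`, but the only explanation next to that constant (declared in the preceding hunk at -7779) is the counting ruler `// 1.........1.........12 => 22`. A reader cannot tell from these lines why 22 bytes stand in for the missing direct count. If the intent is what the new test name suggests, a comment like `/* A parser that has seen no direct bytes (e.g. an isolated external entity parser) is accounted as if the shortest possible include had pulled its input in, so the amplification limit still applies. */` would state it. Because `test_amplification_isolated_external_parser` in acc_tests.c hard-codes 44 as twice this value, the comment should name that test so the two stay in step.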
"%" : "&", entityName, action, entity->textLen, + sourceLine); + } +@@ -8499,11 +8810,13 @@ + return "\\xFE"; + case 255: + return "\\xFF"; ++ // LCOV_EXCL_START + default: + assert(0); /* never gets here */ + return "dead code"; + } + assert(0); /* never gets here */ ++ // LCOV_EXCL_STOP + } + + #endif /* XML_GE == 1 */ +--- contrib/expat/tests/Makefile.am.orig ++++ contrib/expat/tests/Makefile.am +@@ -6,9 +6,10 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017-2022 Rhodri James + # Copyright (c) 2020 Jeffrey Walton ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +@@ -32,7 +33,7 @@ + + SUBDIRS = . benchmark + +-AM_CPPFLAGS = @AM_CPPFLAGS@ -I$(srcdir)/../lib ++AM_CPPFLAGS = @AM_CPPFLAGS@ -I$(srcdir)/../lib -DXML_TESTING + + check_PROGRAMS = runtests runtests_cxx + TESTS = runtests runtests_cxx +@@ -72,8 +73,8 @@ + runtests_cxx.cpp \ + structdata_cxx.cpp + +-runtests_LDADD = ../lib/libexpatinternal.la +-runtests_cxx_LDADD = ../lib/libexpatinternal.la ++runtests_LDADD = ../lib/libtestpat.la ++runtests_cxx_LDADD = ../lib/libtestpat.la + + runtests_LDFLAGS = @AM_LDFLAGS@ @LIBM@ + runtests_cxx_LDFLAGS = @AM_LDFLAGS@ @LIBM@ +@@ -92,7 +93,7 @@ + structdata.h \ + minicheck.h \ + memcheck.h \ +- README.txt \ ++ README.md \ + udiffer.py \ + xmltest.log.expected \ + xmltest.sh +--- contrib/expat/tests/Makefile.in.orig ++++ contrib/expat/tests/Makefile.in +@@ -22,9 +22,10 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2024 Sebastian Pipping + # Copyright (c) 2017-2022 Rhodri James + # Copyright (c) 2020 Jeffrey Walton ++# Copyright (c) 2024 Dag-Erling Smørgrav + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining 
+@@ -151,7 +152,7 @@ + nsalloc_tests.$(OBJEXT) runtests.$(OBJEXT) \ + structdata.$(OBJEXT) + runtests_OBJECTS = $(am_runtests_OBJECTS) +-runtests_DEPENDENCIES = ../lib/libexpatinternal.la ++runtests_DEPENDENCIES = ../lib/libtestpat.la + AM_V_lt = $(am__v_lt_@AM_V@) + am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) + am__v_lt_0 = --silent +@@ -168,7 +169,7 @@ + ns_tests_cxx.$(OBJEXT) runtests_cxx.$(OBJEXT) \ + structdata_cxx.$(OBJEXT) + runtests_cxx_OBJECTS = $(am_runtests_cxx_OBJECTS) +-runtests_cxx_DEPENDENCIES = ../lib/libexpatinternal.la ++runtests_cxx_DEPENDENCIES = ../lib/libtestpat.la + runtests_cxx_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CXX $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXXLD) $(AM_CXXFLAGS) \ + $(CXXFLAGS) $(runtests_cxx_LDFLAGS) $(LDFLAGS) -o $@ +@@ -485,7 +486,7 @@ + DIST_SUBDIRS = $(SUBDIRS) + am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/conftools/depcomp \ +- $(top_srcdir)/conftools/test-driver ++ $(top_srcdir)/conftools/test-driver README.md + DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) + am__relativize = \ + dir0=`pwd`; \ +@@ -515,7 +516,7 @@ + ACLOCAL = @ACLOCAL@ + AMTAR = @AMTAR@ + AM_CFLAGS = @AM_CFLAGS@ +-AM_CPPFLAGS = @AM_CPPFLAGS@ -I$(srcdir)/../lib ++AM_CPPFLAGS = @AM_CPPFLAGS@ -I$(srcdir)/../lib -DXML_TESTING + AM_CXXFLAGS = @AM_CXXFLAGS@ + AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ + AM_LDFLAGS = @AM_LDFLAGS@ +@@ -602,6 +603,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -615,7 +617,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +@@ -698,8 +699,8 @@ + runtests_cxx.cpp \ + structdata_cxx.cpp + +-runtests_LDADD = ../lib/libexpatinternal.la +-runtests_cxx_LDADD = ../lib/libexpatinternal.la 
++runtests_LDADD = ../lib/libtestpat.la ++runtests_cxx_LDADD = ../lib/libtestpat.la + runtests_LDFLAGS = @AM_LDFLAGS@ @LIBM@ + runtests_cxx_LDFLAGS = @AM_LDFLAGS@ @LIBM@ + EXTRA_DIST = \ +@@ -716,7 +717,7 @@ + structdata.h \ + minicheck.h \ + memcheck.h \ +- README.txt \ ++ README.md \ + udiffer.py \ + xmltest.log.expected \ + xmltest.sh +--- /dev/null ++++ contrib/expat/tests/README.md +@@ -0,0 +1,11 @@ ++This directory contains the test suite for Expat. The tests provide ++general unit testing and regression coverage. The tests are not ++expected to be useful examples of Expat usage; see the ++[examples](../examples) directory for that. ++ ++The Expat tests use a partial internal implementation of the ++[Check](https://libcheck.github.io/check/) unit testing framework for ++C. ++ ++Expat must be built and, on some platforms, installed, before the ++tests can be run. +--- contrib/expat/tests/README.txt.orig ++++ contrib/expat/tests/README.txt +@@ -1,13 +0,0 @@ +-This directory contains the (fledgling) test suite for Expat. The +-tests provide general unit testing and regression coverage. The tests +-are not expected to be useful examples of Expat usage; see the +-examples/ directory for that. +- +-The Expat tests use a partial internal implementation of the "Check" +-unit testing framework for C. More information on Check can be found at: +- +- http://check.sourceforge.net/ +- +-Expat must be built and, depending on platform, must be installed, before "make check" can be executed. +- +-This test suite can all change in a later version. 
+--- contrib/expat/tests/acc_tests.c.orig ++++ contrib/expat/tests/acc_tests.c +@@ -360,13 +360,16 @@ + START_TEST(test_helper_unsigned_char_to_printable) { + // Smoke test + unsigned char uc = 0; +- for (; uc < (unsigned char)-1; uc++) { ++ for (;; uc++) { + set_subtest("char %u", (unsigned)uc); + const char *const printable = unsignedCharToPrintable(uc); + if (printable == NULL) + fail("unsignedCharToPrintable returned NULL"); + else if (strlen(printable) < (size_t)1) + fail("unsignedCharToPrintable returned empty string"); ++ if (uc == (unsigned char)-1) { ++ break; ++ } + } + + // Two concrete samples +@@ -378,6 +381,63 @@ + fail("unsignedCharToPrintable result mistaken"); + } + END_TEST ++ ++START_TEST(test_amplification_isolated_external_parser) { ++ // NOTE: Length 44 is precisely twice the length of "" ++ // (22) that is used in function accountingGetCurrentAmplification in ++ // xmlparse.c. ++ // 1.........1.........1.........1.........1..4 => 44 ++ const char doc[] = ""; ++ const int docLen = (int)sizeof(doc) - 1; ++ const float maximumToleratedAmplification = 2.0f; ++ ++ struct TestCase { ++ int offsetOfThreshold; ++ enum XML_Status expectedStatus; ++ }; ++ ++ struct TestCase cases[] = { ++ {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR}, ++ {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK}, ++ }; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const int offsetOfThreshold = cases[i].offsetOfThreshold; ++ const enum XML_Status expectedStatus = cases[i].expectedStatus; ++ const unsigned long long activationThresholdBytes ++ = docLen + offsetOfThreshold; ++ ++ set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold, ++ expectedStatus); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++ parser, maximumToleratedAmplification) ++ == XML_TRUE); ++ 
assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold( ++ parser, activationThresholdBytes) ++ == XML_TRUE); ++ ++ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); ++ assert_true(ext_parser != NULL); ++ ++ const enum XML_Status actualStatus ++ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE); ++ ++ assert_true(actualStatus == expectedStatus); ++ if (actualStatus != XML_STATUS_OK) { ++ assert_true(XML_GetErrorCode(ext_parser) ++ == XML_ERROR_AMPLIFICATION_LIMIT_BREACH); ++ } ++ ++ XML_ParserFree(ext_parser); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + #endif // XML_GE == 1 + + void +@@ -390,6 +450,8 @@ + tcase_add_test(tc_accounting, test_accounting_precision); + tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api); + tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable); ++ tcase_add_test__ifdef_xml_dtd(tc_accounting, ++ test_amplification_isolated_external_parser); + #else + UNUSED_P(s); + #endif /* XML_GE == 1 */ +--- contrib/expat/tests/alloc_tests.c.orig ++++ contrib/expat/tests/alloc_tests.c +@@ -19,6 +19,7 @@ + Copyright (c) 2020 Tim Gates + Copyright (c) 2021 Donghee Na + Copyright (c) 2023 Sony Corporation / Snild Dolkow ++ Copyright (c) 2025 Berkay Eren Ürün + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -450,6 +451,31 @@ + } + END_TEST + ++START_TEST(test_alloc_parameter_entity) { ++ const char *text = "\">" ++ "%param1;" ++ "]> &internal;content"; ++ int i; ++ const int alloc_test_max_repeats = 30; ++ ++ for (i = 0; i < alloc_test_max_repeats; i++) { ++ g_allocation_count = i; ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ break; ++ alloc_teardown(); ++ alloc_setup(); ++ } ++ g_allocation_count = -1; ++ if (i == 0) ++ fail("Parameter entity processed despite duff 
allocator"); ++ if (i == alloc_test_max_repeats) ++ fail("Parameter entity not processed at max allocation count"); ++} ++END_TEST ++ + /* Test the robustness against allocation failure of element handling + * Based on test_dtd_default_handling(). + */ +@@ -2079,6 +2105,7 @@ + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_external_entity); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_ext_entity_set_encoding); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_internal_entity); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_parameter_entity); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_dtd_default_handling); + tcase_add_test(tc_alloc, test_alloc_explicit_encoding); + tcase_add_test(tc_alloc, test_alloc_set_base); +--- contrib/expat/tests/basic_tests.c.orig ++++ contrib/expat/tests/basic_tests.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -19,6 +19,7 @@ + Copyright (c) 2020 Tim Gates + Copyright (c) 2021 Donghee Na + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow ++ Copyright (c) 2024-2025 Berkay Eren Ürün + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -1191,6 +1192,22 @@ + } + END_TEST + ++START_TEST(test_entity_start_tag_level_greater_than_one) { ++ const char *const text = "\n" ++ "]>\n" ++ "\n" ++ " &e1;\n" ++ "\n"; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), ++ /*isFinal*/ XML_TRUE) ++ == XML_STATUS_OK); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + START_TEST(test_wfc_no_recursive_entity_refs) { + const char *text = "\n" +@@ -1202,6 +1219,136 @@ + } + END_TEST + 
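Review bot: `test_alloc_parameter_entity` discards the result of `XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS)` on every iteration. If that call were refused, the loop could still end on a successful parse without parameter entities having been enabled, and the test would not notice. `test_no_indirectly_recursive_entity_refs` in basic_tests.c asserts the same call with `== 1`; writing `assert_true(XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS) == 1);` here keeps the two consistent.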
++START_TEST(test_no_indirectly_recursive_entity_refs) { ++ struct TestCase { ++ const char *doc; ++ bool usesParameterEntities; ++ }; ++ ++ const struct TestCase cases[] = { ++ // general entity + character data ++ {"\n" ++ " \n" ++ "]>&e2;\n", ++ false}, ++ ++ // general entity + attribute value ++ {"\n" ++ " \n" ++ "]>\n", ++ false}, ++ ++ // parameter entity ++ {"\n" ++ " \n" ++ " \">\n" ++ " %define_g;\n" ++ "]>\n" ++ "\n", ++ true}, ++ }; ++ const XML_Bool reset_or_not[] = {XML_TRUE, XML_FALSE}; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ for (size_t j = 0; j < sizeof(reset_or_not) / sizeof(reset_or_not[0]); ++ j++) { ++ const XML_Bool reset_wanted = reset_or_not[j]; ++ const char *const doc = cases[i].doc; ++ const bool usesParameterEntities = cases[i].usesParameterEntities; ++ ++ set_subtest("[%i,reset=%i] %s", (int)i, (int)j, doc); ++ ++#ifdef XML_DTD // both GE and DTD ++ const bool rejection_expected = true; ++#elif XML_GE == 1 // GE but not DTD ++ const bool rejection_expected = ! usesParameterEntities; ++#else // neither DTD nor GE ++ const bool rejection_expected = false; ++#endif ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++#ifdef XML_DTD ++ if (usesParameterEntities) { ++ assert_true( ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS) ++ == 1); ++ } ++#else ++ UNUSED_P(usesParameterEntities); ++#endif // XML_DTD ++ ++ const enum XML_Status status ++ = _XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc), ++ /*isFinal*/ XML_TRUE); ++ ++ if (rejection_expected) { ++ assert_true(status == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_RECURSIVE_ENTITY_REF); ++ } else { ++ assert_true(status == XML_STATUS_OK); ++ } ++ ++ if (reset_wanted) { ++ // This covers free'ing of (eventually) all three open entity lists by ++ // XML_ParserReset. 
++ XML_ParserReset(parser, NULL); ++ } ++ ++ // This covers free'ing of (eventually) all three open entity lists by ++ // XML_ParserFree (unless XML_ParserReset has already done that above). ++ XML_ParserFree(parser); ++ } ++ } ++} ++END_TEST ++ ++START_TEST(test_recursive_external_parameter_entity_2) { ++ struct TestCase { ++ const char *doc; ++ enum XML_Status expectedStatus; ++ }; ++ ++ struct TestCase cases[] = { ++ {"", XML_STATUS_ERROR}, ++ {"" ++ "", ++ XML_STATUS_ERROR}, ++ {"" ++ "", ++ XML_STATUS_OK}, ++ {"", XML_STATUS_OK}, ++ }; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const char *const doc = cases[i].doc; ++ const enum XML_Status expectedStatus = cases[i].expectedStatus; ++ set_subtest("%s", doc); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); ++ assert_true(ext_parser != NULL); ++ ++ const enum XML_Status actualStatus ++ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, (int)strlen(doc), XML_TRUE); ++ ++ assert_true(actualStatus == expectedStatus); ++ if (actualStatus != XML_STATUS_OK) { ++ assert_true(XML_GetErrorCode(ext_parser) ++ == XML_ERROR_RECURSIVE_ENTITY_REF); ++ } ++ ++ XML_ParserFree(ext_parser); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + /* Test incomplete external entities are faulted */ + START_TEST(test_ext_entity_invalid_parse) { + const char *text = "\n" + "\n" +@@ -2335,7 +2507,9 @@ + + g_resumable = XML_TRUE; + XML_SetCharacterDataHandler(g_parser, clearing_aborting_character_handler); +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. 
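Review bot: `test_no_indirectly_recursive_entity_refs` uses the result of `XML_ParserCreate(NULL)` without checking it, while `test_recursive_external_parameter_entity_2` later in the same hunk follows the call with `assert_true(parser != NULL);`. Adding that line after the create call in the first test gives a direct failure message if creation fails, instead of a less obvious assertion about the parse status or error code. `test_entity_start_tag_level_greater_than_one` in the hunk at -1191 has the same gap.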
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + == XML_STATUS_ERROR) + xml_failure(g_parser); + XML_GetParsingStatus(g_parser, &status); +@@ -2761,6 +2935,61 @@ + } + END_TEST + ++/* Test XML_Parse for len < 0 */ ++START_TEST(test_negative_len_parse) { ++ const char *const doc = ""; ++ for (int isFinal = 0; isFinal < 2; isFinal++) { ++ set_subtest("isFinal=%d", isFinal); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) ++ fail("There was not supposed to be any initial parse error."); ++ ++ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal); ++ ++ if (status != XML_STATUS_ERROR) ++ fail("Negative len was expected to fail the parse but did not."); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT) ++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ ++/* Test XML_ParseBuffer for len < 0 */ ++START_TEST(test_negative_len_parse_buffer) { ++ const char *const doc = ""; ++ for (int isFinal = 0; isFinal < 2; isFinal++) { ++ set_subtest("isFinal=%d", isFinal); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_NONE) ++ fail("There was not supposed to be any initial parse error."); ++ ++ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc)); ++ ++ if (buffer == NULL) ++ fail("XML_GetBuffer failed."); ++ ++ memcpy(buffer, doc, strlen(doc)); ++ ++ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal); ++ ++ if (status != XML_STATUS_ERROR) ++ fail("Negative len was expected to fail the parse but did not."); ++ ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT) ++ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT."); ++ ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + /* Test odd corners of the XML_GetBuffer interface */ + static enum XML_Status + get_feature(enum XML_FeatureEnum feature_id, long *presult) { +@@ -3527,7 
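Review bot: `test_negative_len_parse` and `test_negative_len_parse_buffer` pass only `-1` as the length, so the rejection path is exercised at a single point of the negative range. Covering the other boundary as well, with `XML_Parse(parser, doc, INT_MIN, isFinal)` and `XML_ParseBuffer(parser, INT_MIN, isFinal)` on a fresh parser, would also catch an implementation that negates or offsets `len` before validating it. The expected result stays the same: `XML_STATUS_ERROR` with `XML_ERROR_INVALID_ARGUMENT`.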
+3756,9 @@ + XML_SetXmlDeclHandler(g_parser, entity_suspending_xdecl_handler); + XML_SetUserData(g_parser, g_parser); + g_resumable = XML_TRUE; +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + xml_failure(g_parser); + if (XML_GetErrorCode(g_parser) != XML_ERROR_NONE) +@@ -3723,13 +3954,20 @@ + + /* Test syntax error is caught at parse resumption */ + START_TEST(test_resume_entity_with_syntax_error) { ++ if (g_chunkSize != 0) { ++ // this test does not use SINGLE_BYTES, because of suspension ++ return; ++ } ++ + const char *text = "Hi'>\n" + "]>\n" + "&foo;\n"; + + XML_SetStartElementHandler(g_parser, start_element_suspender); +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. 
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + xml_failure(g_parser); + if (XML_ResumeParser(g_parser) != XML_STATUS_ERROR) +@@ -3853,7 +4091,7 @@ + = {"\n" + "\n" + "%pe2;\n", +- external_entity_null_loader}; ++ external_entity_null_loader, NULL}; + + XML_SetUserData(g_parser, &test_data); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +@@ -3871,7 +4109,7 @@ + = {"\n" + "\n" + "%pe2;\n", +- NULL}; ++ NULL, NULL}; + + XML_SetUserData(g_parser, &test_data); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +@@ -5171,6 +5409,151 @@ + } + END_TEST + ++/* Test a possible early return location in internalEntityProcessor */ ++START_TEST(test_entity_ref_no_elements) { ++ const char *const text = "\n" ++ "]> &e1;"; // intentionally missing newline ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++/* Tests if chained entity references lead to unbounded recursion */ ++START_TEST(test_deep_nested_entity) { ++ const size_t N_LINES = 60000; ++ const size_t SIZE_PER_LINE = 50; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n", ++ (long unsigned)i, (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, "]> &s%lu;\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ const XML_Char *const expected = XCS("deepText"); ++ ++ CharData storage; ++ CharData_Init(&storage); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ XML_SetCharacterDataHandler(parser, accumulate_characters); ++ 
XML_SetUserData(parser, &storage); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ ++/* Tests if chained entity references in attributes ++lead to unbounded recursion */ ++START_TEST(test_deep_nested_attribute_entity) { ++ const size_t N_LINES = 60000; ++ const size_t SIZE_PER_LINE = 100; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n", ++ (long unsigned)i, (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, "]> mainText\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}}; ++ ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}}; ++ info[0].attributes = doc_info; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ParserAndElementInfo parserPlusElemenInfo = {parser, info}; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserPlusElemenInfo); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ ++START_TEST(test_deep_nested_entity_delayed_interpretation) { ++ const size_t N_LINES = 70000; ++ const size_t SIZE_PER_LINE = 100; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += 
snprintf(textPtr, SIZE_PER_LINE, ++ " \n", (long unsigned)i, ++ (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, ++ " \">\n" ++ " %%define_g;\n" ++ "]>\n" ++ "\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ + START_TEST(test_nested_entity_suspend) { + const char *const text = "'>\n" +@@ -5201,14 +5584,37 @@ + } + END_TEST + ++START_TEST(test_nested_entity_suspend_2) { ++ const char *const text = "\n" ++ " \n" ++ " \n" ++ "]>\n" ++ "&ge3;"; ++ const XML_Char *const expected = XCS("head3") XCS("head2") XCS("head1") ++ XCS("Z") XCS("tail1") XCS("tail2") XCS("tail3"); ++ CharData storage; ++ CharData_Init(&storage); ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ParserPlusStorage parserPlusStorage = {parser, &storage}; ++ ++ XML_SetCharacterDataHandler(parser, accumulate_char_data_and_suspend); ++ XML_SetUserData(parser, &parserPlusStorage); ++ ++ enum XML_Status status = XML_Parse(parser, text, (int)strlen(text), XML_TRUE); ++ while (status == XML_STATUS_SUSPENDED) { ++ status = XML_ResumeParser(parser); ++ } ++ if (status != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for quadratic parsing on large tokens */ +-START_TEST(test_big_tokens_take_linear_time) { +- const char *const too_slow_failure_message +- = "Compared to the baseline runtime of the first test, this test has a " +- "slowdown of more than . " +- "Please keep increasing the value by 1 until it reliably passes the " +- "test on your hardware and open a bug sharing that number with us. 
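Review bot: The three deep-nesting tests advance `textPtr` by the return value of `snprintf` without checking it. `snprintf` returns the length it would have written, so a line longer than `SIZE_PER_LINE` (or a negative error return) moves the pointer to a position that no longer matches the bytes in the buffer, and the `(N_LINES + 4) * SIZE_PER_LINE` allocation only bounds the total if every line fits. The current format strings and counts look short enough, but an assertion keeps that true after later edits: `const int n = snprintf(textPtr, SIZE_PER_LINE, ...); assert_true(n > 0 && (size_t)n < SIZE_PER_LINE); textPtr += n;`. This applies to test_deep_nested_entity, test_deep_nested_attribute_entity and test_deep_nested_entity_delayed_interpretation.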
" +- "Thanks in advance!"; ++START_TEST(test_big_tokens_scale_linearly) { + const struct { + const char *pre; + const char *post; +@@ -5220,65 +5626,57 @@ + {"<", "/>"}, // big elem name, used to be O(N²) + }; + const int num_cases = sizeof(text) / sizeof(text[0]); +- // For the test we need a value that is: +- // (1) big enough that the test passes reliably (avoiding flaky tests), and +- // (2) small enough that the test actually catches regressions. +- const int max_slowdown = 15; + char aaaaaa[4096]; + const int fillsize = (int)sizeof(aaaaaa); + const int fillcount = 100; ++ const unsigned approx_bytes = fillsize * fillcount; // ignore pre/post. ++ const unsigned max_factor = 4; ++ const unsigned max_scanned = max_factor * approx_bytes; + + memset(aaaaaa, 'a', fillsize); + + if (! g_reparseDeferralEnabledDefault) { + return; // heuristic is disabled; we would get O(n^2) and fail. + } +-#if ! defined(__linux__) +- if (CLOCKS_PER_SEC < 100000) { +- // Skip this test if clock() doesn't have reasonably good resolution. +- // This workaround is primarily targeting Windows and FreeBSD, since +- // XSI requires the value to be 1.000.000 (10x the condition here), and +- // we want to be very sure that at least one platform in CI can catch +- // regressions (through a failing test). 
+- return; +- } +-#endif + +- clock_t baseline = 0; + for (int i = 0; i < num_cases; ++i) { + XML_Parser parser = XML_ParserCreate(NULL); + assert_true(parser != NULL); + enum XML_Status status; +- set_subtest("max_slowdown=%d text=\"%saaaaaa%s\"", max_slowdown, +- text[i].pre, text[i].post); +- const clock_t start = clock(); ++ set_subtest("text=\"%saaaaaa%s\"", text[i].pre, text[i].post); + + // parse the start text ++ g_bytesScanned = 0; + status = _XML_Parse_SINGLE_BYTES(parser, text[i].pre, + (int)strlen(text[i].pre), XML_FALSE); + if (status != XML_STATUS_OK) { + xml_failure(parser); + } ++ + // parse lots of 'a', failing the test early if it takes too long ++ unsigned past_max_count = 0; + for (int f = 0; f < fillcount; ++f) { + status = _XML_Parse_SINGLE_BYTES(parser, aaaaaa, fillsize, XML_FALSE); + if (status != XML_STATUS_OK) { + xml_failure(parser); + } +- // i == 0 means we're still calculating the baseline value +- if (i > 0) { +- const clock_t now = clock(); +- const clock_t clocks_so_far = now - start; +- const int slowdown = clocks_so_far / baseline; +- if (slowdown >= max_slowdown) { +- fprintf( +- stderr, +- "fill#%d: clocks_so_far=%d baseline=%d slowdown=%d max_slowdown=%d\n", +- f, (int)clocks_so_far, (int)baseline, slowdown, max_slowdown); +- fail(too_slow_failure_message); +- } ++ if (g_bytesScanned > max_scanned) { ++ // We're not done, and have already passed the limit -- the test will ++ // definitely fail. This block allows us to save time by failing early. ++ const unsigned pushed ++ = (unsigned)strlen(text[i].pre) + (f + 1) * fillsize; ++ fprintf( ++ stderr, ++ "after %d/%d loops: pushed=%u scanned=%u (factor ~%.2f) max_scanned: %u (factor ~%u)\n", ++ f + 1, fillcount, pushed, g_bytesScanned, ++ g_bytesScanned / (double)pushed, max_scanned, max_factor); ++ past_max_count++; ++ // We are failing, but allow a few log prints first. If we don't reach ++ // a count of five, the test will fail after the loop instead. 
++ assert_true(past_max_count < 5); + } + } ++ + // parse the end text + status = _XML_Parse_SINGLE_BYTES(parser, text[i].post, + (int)strlen(text[i].post), XML_TRUE); +@@ -5286,18 +5684,14 @@ + xml_failure(parser); + } + +- // how long did it take in total? +- const clock_t end = clock(); +- const clock_t taken = end - start; +- if (i == 0) { +- assert_true(taken > 0); // just to make sure we don't div-by-0 later +- baseline = taken; +- } +- const int slowdown = taken / baseline; +- if (slowdown >= max_slowdown) { +- fprintf(stderr, "taken=%d baseline=%d slowdown=%d max_slowdown=%d\n", +- (int)taken, (int)baseline, slowdown, max_slowdown); +- fail(too_slow_failure_message); ++ assert_true(g_bytesScanned > approx_bytes); // or the counter isn't working ++ if (g_bytesScanned > max_scanned) { ++ fprintf( ++ stderr, ++ "after all input: scanned=%u (factor ~%.2f) max_scanned: %u (factor ~%u)\n", ++ g_bytesScanned, g_bytesScanned / (double)approx_bytes, max_scanned, ++ max_factor); ++ fail("scanned too many bytes"); + } + + XML_ParserFree(parser); +@@ -5774,19 +6168,17 @@ + fillsize[2], fillsize[3]); + XML_Parser parser = XML_ParserCreate(NULL); + assert_true(parser != NULL); +- g_parseAttempts = 0; + + CharData storage; + CharData_Init(&storage); + XML_SetUserData(parser, &storage); + XML_SetStartElementHandler(parser, start_element_event_handler); + ++ g_bytesScanned = 0; + int worstcase_bytes = 0; // sum of (buffered bytes at each XML_Parse call) +- int scanned_bytes = 0; // sum of (buffered bytes at each actual parse) + int offset = 0; + while (*fillsize >= 0) { + assert_true(offset + *fillsize <= document_length); // or test is invalid +- const unsigned attempts_before = g_parseAttempts; + const enum XML_Status status + = XML_Parse(parser, &document[offset], *fillsize, XML_FALSE); + if (status != XML_STATUS_OK) { +@@ -5796,28 +6188,20 @@ + fillsize++; + assert_true(offset <= INT_MAX - worstcase_bytes); // avoid overflow + worstcase_bytes += offset; // we might've 
tried to parse all pending bytes +- if (g_parseAttempts != attempts_before) { +- assert_true(g_parseAttempts == attempts_before + 1); // max 1/XML_Parse +- assert_true(offset <= INT_MAX - scanned_bytes); // avoid overflow +- scanned_bytes += offset; // we *did* try to parse all pending bytes +- } + } + assert_true(storage.count == 1); // the big token should've been parsed +- assert_true(scanned_bytes > 0); // test-the-test: does our counter work? ++ assert_true(g_bytesScanned > 0); // test-the-test: does our counter work? + if (g_reparseDeferralEnabledDefault) { + // heuristic is enabled; some XML_Parse calls may have deferred reparsing +- const int max_bytes_scanned = -*fillsize; +- if (scanned_bytes > max_bytes_scanned) { ++ const unsigned max_bytes_scanned = -*fillsize; ++ if (g_bytesScanned > max_bytes_scanned) { + fprintf(stderr, +- "bytes scanned in parse attempts: actual=%d limit=%d \n", +- scanned_bytes, max_bytes_scanned); ++ "bytes scanned in parse attempts: actual=%u limit=%u \n", ++ g_bytesScanned, max_bytes_scanned); + fail("too many bytes scanned in parse attempts"); + } +- assert_true(scanned_bytes <= worstcase_bytes); +- } else { +- // heuristic is disabled; every XML_Parse() will have reparsed +- assert_true(scanned_bytes == worstcase_bytes); + } ++ assert_true(g_bytesScanned <= (unsigned)worstcase_bytes); + + XML_ParserFree(parser); + } +@@ -5889,7 +6273,9 @@ + tcase_add_test(tc_basic, test_wfc_undeclared_entity_with_external_subset); + tcase_add_test(tc_basic, test_not_standalone_handler_reject); + tcase_add_test(tc_basic, test_not_standalone_handler_accept); ++ tcase_add_test(tc_basic, test_entity_start_tag_level_greater_than_one); + tcase_add_test__if_xml_ge(tc_basic, test_wfc_no_recursive_entity_refs); ++ tcase_add_test(tc_basic, test_no_indirectly_recursive_entity_refs); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_invalid_parse); + tcase_add_test__if_xml_ge(tc_basic, test_dtd_default_handling); + tcase_add_test(tc_basic, 
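Review bot: With reparse deferral disabled, this test no longer has a meaningful lower bound on scanned bytes. The removed `else` branch asserted `scanned_bytes == worstcase_bytes`, whereas the new code only requires `g_bytesScanned > 0` and `g_bytesScanned <= (unsigned)worstcase_bytes`. If the new counter still allows it, keeping the equality for the disabled case would preserve the check that every `XML_Parse` call reparsed. If it does not, a comment at the final assertion, such as `// g_bytesScanned counts bytes per scan inside the parser, so it need not equal worstcase_bytes`, would explain why the check was relaxed. The enclosing test function starts outside this hunk.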
test_dtd_attr_handling); +@@ -5940,6 +6326,8 @@ + tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter); + tcase_add_test(tc_basic, test_empty_parse); ++ tcase_add_test(tc_basic, test_negative_len_parse); ++ tcase_add_test(tc_basic, test_negative_len_parse_buffer); + tcase_add_test(tc_basic, test_get_buffer_1); + tcase_add_test(tc_basic, test_get_buffer_2); + #if XML_CONTEXT_BYTES > 0 +@@ -5972,6 +6360,8 @@ + tcase_add_test__ifdef_xml_dtd(tc_basic, test_skipped_parameter_entity); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_recursive_external_parameter_entity); ++ tcase_add_test__ifdef_xml_dtd(tc_basic, ++ test_recursive_external_parameter_entity_2); + tcase_add_test(tc_basic, test_undefined_ext_entity_in_external_dtd); + tcase_add_test(tc_basic, test_suspend_xdecl); + tcase_add_test(tc_basic, test_abort_epilog); +@@ -6064,8 +6454,14 @@ + tcase_add_test(tc_basic, test_empty_element_abort); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_pool_integrity_with_unfinished_attr); ++ tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements); ++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity); ++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity); ++ tcase_add_test__if_xml_ge(tc_basic, ++ test_deep_nested_entity_delayed_interpretation); + tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend); +- tcase_add_test(tc_basic, test_big_tokens_take_linear_time); ++ tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend_2); ++ tcase_add_test(tc_basic, test_big_tokens_scale_linearly); + tcase_add_test(tc_basic, test_set_reparse_deferral); + tcase_add_test(tc_basic, test_reparse_deferral_is_inherited); + tcase_add_test(tc_basic, test_set_reparse_deferral_on_null_parser); +--- contrib/expat/tests/benchmark/Makefile.in.orig ++++ contrib/expat/tests/benchmark/Makefile.in +@@ -303,6 +303,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = 
@SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -316,7 +317,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +--- contrib/expat/tests/benchmark/benchmark.c.orig ++++ contrib/expat/tests/benchmark/benchmark.c +@@ -8,7 +8,7 @@ + + Copyright (c) 2003-2006 Karl Waclawek + Copyright (c) 2005-2007 Steven Solie +- Copyright (c) 2017-2023 Sebastian Pipping ++ Copyright (c) 2017-2025 Sebastian Pipping + Copyright (c) 2017 Rhodri James + Licensed under the MIT license: + +@@ -32,10 +32,18 @@ + USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + ++#define _POSIX_C_SOURCE 1 // fdopen ++ ++#if defined(_MSC_VER) ++# include // _open, _close ++#else ++# include // close ++#endif ++ ++#include // open + #include + #include + #include // ptrdiff_t +-#include + #include + #include + #include "expat.h" +@@ -52,17 +60,18 @@ + # define XML_FMT_STR "s" + #endif + +-static void ++static int + usage(const char *prog, int rc) { + fprintf(stderr, "usage: %s [-n] filename bufferSize nr_of_loops\n", prog); +- exit(rc); ++ return rc; + } + + int + main(int argc, char *argv[]) { + XML_Parser parser; + char *XMLBuf, *XMLBufEnd, *XMLBufPtr; +- FILE *fd; ++ int fd; ++ FILE *file; + struct stat fileAttr; + int nrOfLoops, bufferSize, i, isFinal; + size_t fileSize; +@@ -76,34 +85,48 @@ + ns = 1; + j = 1; + } else +- usage(argv[0], 1); ++ return usage(argv[0], 1); + } + } + + if (argc != j + 4) +- usage(argv[0], 1); ++ return usage(argv[0], 1); + +- if (stat(argv[j + 1], &fileAttr) != 0) { +- fprintf(stderr, "could not access file '%s'\n", argv[j + 1]); ++ fd = open(argv[j + 1], O_RDONLY); ++ if (fd == -1) { ++ fprintf(stderr, "could not open file '%s'\n", argv[j + 1]); + return 2; + } + +- fd = fopen(argv[j + 1], "r"); +- if (! 
fd) { +- fprintf(stderr, "could not open file '%s'\n", argv[j + 1]); +- exit(2); ++ if (fstat(fd, &fileAttr) != 0) { ++ close(fd); ++ fprintf(stderr, "could not fstat file '%s'\n", argv[j + 1]); ++ return 2; ++ } ++ ++ file = fdopen(fd, "r"); ++ if (! file) { ++ close(fd); ++ fprintf(stderr, "could not fdopen file '%s'\n", argv[j + 1]); ++ return 2; + } + + bufferSize = atoi(argv[j + 2]); + nrOfLoops = atoi(argv[j + 3]); + if (bufferSize <= 0 || nrOfLoops <= 0) { ++ fclose(file); // NOTE: this closes fd as well + fprintf(stderr, "buffer size and nr of loops must be greater than zero.\n"); +- exit(3); ++ return 3; + } + + XMLBuf = malloc(fileAttr.st_size); +- fileSize = fread(XMLBuf, sizeof(char), fileAttr.st_size, fd); +- fclose(fd); ++ if (XMLBuf == NULL) { ++ fclose(file); // NOTE: this closes fd as well ++ fprintf(stderr, "ouf of memory.\n"); ++ return 5; ++ } ++ fileSize = fread(XMLBuf, sizeof(char), fileAttr.st_size, file); ++ fclose(file); // NOTE: this closes fd as well + + if (ns) + parser = XML_ParserCreateNS(NULL, '!'); +@@ -132,7 +155,7 @@ + XML_GetCurrentColumnNumber(parser)); + free(XMLBuf); + XML_ParserFree(parser); +- exit(4); ++ return 4; + } + XMLBufPtr += bufferSize; + } while (! 
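Review bot: The new `XMLBuf == NULL` check in `main` will report an empty input file as an allocation failure on platforms where `malloc(0)` returns NULL, because `malloc(fileAttr.st_size)` is called with whatever size `fstat` reported. Allocating at least one byte avoids that: `XMLBuf = malloc(fileAttr.st_size > 0 ? (size_t)fileAttr.st_size : 1);`. The message is also misspelled and should read `"out of memory.\n"`. The count returned by `fread` is not compared with `st_size` anywhere in this hunk; `main` continues outside it, so a short read may still be handled further down.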
isFinal); +--- contrib/expat/tests/common.c.orig ++++ contrib/expat/tests/common.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2023 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -42,6 +42,8 @@ + */ + + #include ++#include ++#include // for SIZE_MAX + #include + #include + +@@ -51,6 +53,7 @@ + #include "chardata.h" + #include "minicheck.h" + #include "common.h" ++#include "handlers.h" + + /* Common test data */ + +@@ -201,6 +204,12 @@ + for (; len > chunksize; len -= chunksize, s += chunksize) { + enum XML_Status res = XML_Parse(parser, s, chunksize, XML_FALSE); + if (res != XML_STATUS_OK) { ++ if ((res == XML_STATUS_SUSPENDED) && (len > chunksize)) { ++ fail("Use of function _XML_Parse_SINGLE_BYTES with a chunk size " ++ "greater than 0 (from g_chunkSize) does not work well with " ++ "suspension. 
Please consider use of plain XML_Parse at this " ++ "place in your test, instead."); ++ } + return res; + } + } +@@ -221,30 +230,6 @@ + _xml_failure(g_parser, file, lineno); + } + +-/* Character data support for handlers, built on top of the code in +- * chardata.c +- */ +-void XMLCALL +-accumulate_characters(void *userData, const XML_Char *s, int len) { +- CharData_AppendXMLChars((CharData *)userData, s, len); +-} +- +-void XMLCALL +-accumulate_attribute(void *userData, const XML_Char *name, +- const XML_Char **atts) { +- CharData *storage = (CharData *)userData; +- UNUSED_P(name); +- /* Check there are attributes to deal with */ +- if (atts == NULL) +- return; +- +- while (storage->count < 0 && atts[0] != NULL) { +- /* "accumulate" the value of the first attribute we see */ +- CharData_AppendXMLChars(storage, atts[1], -1); +- atts += 2; +- } +-} +- + void + _run_character_check(const char *text, const XML_Char *expected, + const char *file, int line) { +@@ -273,12 +258,6 @@ + CharData_CheckXMLChars(&storage, expected); + } + +-void XMLCALL +-ext_accumulate_characters(void *userData, const XML_Char *s, int len) { +- ExtTest *test_data = (ExtTest *)userData; +- accumulate_characters(test_data->storage, s, len); +-} +- + void + _run_ext_character_check(const char *text, ExtTest *test_data, + const XML_Char *expected, const char *file, int line) { +@@ -323,3 +302,26 @@ + g_reallocation_count--; + return realloc(ptr, size); + } ++ ++// Portable remake of strndup(3) for C99; does not care about space efficiency ++char * ++portable_strndup(const char *s, size_t n) { ++ if ((s == NULL) || (n == SIZE_MAX)) { ++ errno = EINVAL; ++ return NULL; ++ } ++ ++ char *const buffer = (char *)malloc(n + 1); ++ if (buffer == NULL) { ++ errno = ENOMEM; ++ return NULL; ++ } ++ ++ errno = 0; ++ ++ memcpy(buffer, s, n); ++ ++ buffer[n] = '\0'; ++ ++ return buffer; ++} +--- contrib/expat/tests/common.h.orig ++++ contrib/expat/tests/common.h +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg 
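Review bot: The `(len > chunksize)` half of the new condition in `_XML_Parse_SINGLE_BYTES` is always true at that point. The check sits inside `for (; len > chunksize; ...)` and `len` is not modified between the loop test and the `if`. Writing it as `if (res == XML_STATUS_SUSPENDED) {` says the same thing and avoids suggesting that some suspended case passes through silently. The function starts and ends outside this hunk, so the trailing call after the loop is not visible here.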
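Review bot: `portable_strndup` is described as a remake of strndup(3), but it always runs `memcpy(buffer, s, n)`, so it reads `n` bytes from `s` even when `s` holds a shorter NUL-terminated string. strndup(3) stops at the terminator, so a caller relying on that contract would get an out-of-bounds read here. Either bound the copy first, `const char *const nul = memchr(s, '\0', n); if (nul != NULL) n = (size_t)(nul - s);`, or state the precondition in the header comment: `// NOTE: unlike strndup(3), s must provide at least n readable bytes`. `errno = 0;` on success also differs from the libc function, which leaves errno untouched, and that is worth a word in the same comment.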
Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2023 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -111,12 +111,6 @@ + /* Support functions for handlers to collect up character and attribute data. + */ + +-extern void XMLCALL accumulate_characters(void *userData, const XML_Char *s, +- int len); +- +-extern void XMLCALL accumulate_attribute(void *userData, const XML_Char *name, +- const XML_Char **atts); +- + extern void _run_character_check(const char *text, const XML_Char *expected, + const char *file, int line); + +@@ -135,9 +129,6 @@ + CharData *storage; + } ExtTest; + +-extern void XMLCALL ext_accumulate_characters(void *userData, const XML_Char *s, +- int len); +- + extern void _run_ext_character_check(const char *text, ExtTest *test_data, + const XML_Char *expected, const char *file, + int line); +@@ -155,6 +146,8 @@ + + extern void *duff_reallocator(void *ptr, size_t size); + ++extern char *portable_strndup(const char *s, size_t n); ++ + #endif /* XML_COMMON_H */ + + #ifdef __cplusplus +--- contrib/expat/tests/handlers.c.orig ++++ contrib/expat/tests/handlers.c +@@ -103,7 +103,9 @@ + void XMLCALL + counting_start_element_handler(void *userData, const XML_Char *name, + const XML_Char **atts) { +- ElementInfo *info = (ElementInfo *)userData; ++ ParserAndElementInfo *const parserAndElementInfos ++ = (ParserAndElementInfo *)userData; ++ ElementInfo *info = parserAndElementInfos->info; + AttrInfo *attr; + int count, id, i; + +@@ -120,12 +122,12 @@ + * is possibly a little unexpected, but it is what the + * documentation in expat.h tells us to expect. 
+ */ +- count = XML_GetSpecifiedAttributeCount(g_parser); ++ count = XML_GetSpecifiedAttributeCount(parserAndElementInfos->parser); + if (info->attr_count * 2 != count) { + fail("Not got expected attribute count"); + return; + } +- id = XML_GetIdAttributeIndex(g_parser); ++ id = XML_GetIdAttributeIndex(parserAndElementInfos->parser); + if (id == -1 && info->id_name != NULL) { + fail("ID not present"); + return; +@@ -1840,6 +1842,15 @@ + XML_FreeContentModel(g_parser, model); + } + ++void XMLCALL ++suspend_after_element_declaration(void *userData, const XML_Char *name, ++ XML_Content *model) { ++ UNUSED_P(name); ++ XML_Parser parser = (XML_Parser)userData; ++ assert_true(XML_StopParser(parser, /*resumable*/ XML_TRUE) == XML_STATUS_OK); ++ XML_FreeContentModel(parser, model); ++} ++ + void XMLCALL + accumulate_pi_characters(void *userData, const XML_Char *target, + const XML_Char *data) { +@@ -1881,9 +1892,17 @@ + } + + void XMLCALL +-accumulate_char_data(void *userData, const XML_Char *s, int len) { +- CharData *const storage = (CharData *)userData; +- CharData_AppendXMLChars(storage, s, len); ++accumulate_char_data_and_suspend(void *userData, const XML_Char *s, int len) { ++ ParserPlusStorage *const parserPlusStorage = (ParserPlusStorage *)userData; ++ ++ CharData_AppendXMLChars(parserPlusStorage->storage, s, len); ++ ++ for (int i = 0; i < len; i++) { ++ if (s[i] == 'Z') { ++ XML_StopParser(parserPlusStorage->parser, /*resumable=*/XML_TRUE); ++ break; ++ } ++ } + } + + void XMLCALL +@@ -1910,6 +1929,34 @@ + CharData_AppendXMLChars(storage, XCS(")\n"), 2); + } + ++void XMLCALL ++accumulate_characters(void *userData, const XML_Char *s, int len) { ++ CharData *const storage = (CharData *)userData; ++ CharData_AppendXMLChars(storage, s, len); ++} ++ ++void XMLCALL ++accumulate_attribute(void *userData, const XML_Char *name, ++ const XML_Char **atts) { ++ CharData *const storage = (CharData *)userData; ++ UNUSED_P(name); ++ /* Check there are attributes to deal with */ 
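Review bot: `accumulate_char_data_and_suspend` discards the status returned by `XML_StopParser`, so a test that depends on the parser suspending at the `'Z'` character would carry on without noticing if the stop request were rejected. The sibling handler `suspend_after_element_declaration` added in the same file asserts the result. For consistency I would use `assert_true(XML_StopParser(parserPlusStorage->parser, /*resumable=*/XML_TRUE) == XML_STATUS_OK);`, unless a caller deliberately feeds more than one `'Z'` chunk while already suspended. A one-line comment above the function saying that it suspends on the first `'Z'` in the character data would also help, since the name alone does not say when the suspension happens.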
++ if (atts == NULL) ++ return; ++ ++ while (storage->count < 0 && atts[0] != NULL) { ++ /* "accumulate" the value of the first attribute we see */ ++ CharData_AppendXMLChars(storage, atts[1], -1); ++ atts += 2; ++ } ++} ++ ++void XMLCALL ++ext_accumulate_characters(void *userData, const XML_Char *s, int len) { ++ ExtTest *const test_data = (ExtTest *)userData; ++ accumulate_characters(test_data->storage, s, len); ++} ++ + void XMLCALL + checking_default_handler(void *userData, const XML_Char *s, int len) { + DefaultCheck *data = (DefaultCheck *)userData; +--- contrib/expat/tests/handlers.h.orig ++++ contrib/expat/tests/handlers.h +@@ -92,6 +92,11 @@ + AttrInfo *attributes; + } ElementInfo; + ++typedef struct StructParserAndElementInfo { ++ XML_Parser parser; ++ ElementInfo *info; ++} ParserAndElementInfo; ++ + extern void XMLCALL counting_start_element_handler(void *userData, + const XML_Char *name, + const XML_Char **atts); +@@ -320,6 +325,7 @@ + typedef struct ext_hdlr_data { + const char *parse_text; + XML_ExternalEntityRefHandler handler; ++ CharData *storage; + } ExtHdlrData; + + extern int XMLCALL external_entity_oneshot_loader(XML_Parser parser, +@@ -552,6 +558,10 @@ + extern void XMLCALL element_decl_suspender(void *userData, const XML_Char *name, + XML_Content *model); + ++extern void XMLCALL suspend_after_element_declaration(void *userData, ++ const XML_Char *name, ++ XML_Content *model); ++ + extern void XMLCALL accumulate_pi_characters(void *userData, + const XML_Char *target, + const XML_Char *data); +@@ -564,13 +574,23 @@ + const XML_Char *systemId, const XML_Char *publicId, + const XML_Char *notationName); + +-extern void XMLCALL accumulate_char_data(void *userData, const XML_Char *s, +- int len); ++extern void XMLCALL accumulate_char_data_and_suspend(void *userData, ++ const XML_Char *s, ++ int len); + + extern void XMLCALL accumulate_start_element(void *userData, + const XML_Char *name, + const XML_Char **atts); + ++extern void XMLCALL 
accumulate_characters(void *userData, const XML_Char *s, ++ int len); ++ ++extern void XMLCALL accumulate_attribute(void *userData, const XML_Char *name, ++ const XML_Char **atts); ++ ++extern void XMLCALL ext_accumulate_characters(void *userData, const XML_Char *s, ++ int len); ++ + typedef struct default_check { + const XML_Char *expected; + const int expectedLen; +--- contrib/expat/tests/minicheck.h.orig ++++ contrib/expat/tests/minicheck.h +@@ -14,7 +14,7 @@ + + Copyright (c) 2004-2006 Fred L. Drake, Jr. + Copyright (c) 2006-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2022 Rhodri James + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow + Licensed under the MIT license: +@@ -129,8 +129,10 @@ + * Prototypes for the actual implementation. + */ + +-# if defined(__GNUC__) ++# if defined(__has_attribute) ++# if __has_attribute(noreturn) + __attribute__((noreturn)) ++# endif + # endif + void + _fail(const char *file, int line, const char *msg); +--- contrib/expat/tests/misc_tests.c.orig ++++ contrib/expat/tests/misc_tests.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -59,6 +59,9 @@ + #include "handlers.h" + #include "misc_tests.h" + ++void XMLCALL accumulate_characters_ext_handler(void *userData, ++ const XML_Char *s, int len); ++ + /* Test that a failure to allocate the parser structure fails gracefully */ + START_TEST(test_misc_alloc_create_parser) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, realloc, free}; +@@ -208,7 +211,7 @@ + if (! 
versions_equal(&read_version, &parsed_version)) + fail("Version mismatch"); + +- if (xcstrcmp(version_text, XCS("expat_2.6.0"))) /* needs bump on releases */ ++ if (xcstrcmp(version_text, XCS("expat_2.7.1"))) /* needs bump on releases */ + fail("XML_*_VERSION in expat.h out of sync?\n"); + } + END_TEST +@@ -294,6 +297,7 @@ + parser = XML_ParserCreate(NULL); + XML_SetElementHandler(parser, start_element_issue_240, end_element_issue_240); + mydata = (DataIssue240 *)malloc(sizeof(DataIssue240)); ++ assert_true(mydata != NULL); + mydata->parser = parser; + mydata->deep = 0; + XML_SetUserData(parser, mydata); +@@ -315,6 +319,7 @@ + parser = XML_ParserCreate(NULL); + XML_SetElementHandler(parser, start_element_issue_240, end_element_issue_240); + mydata = (DataIssue240 *)malloc(sizeof(DataIssue240)); ++ assert_true(mydata != NULL); + mydata->parser = parser; + mydata->deep = 0; + XML_SetUserData(parser, mydata); +@@ -328,63 +333,119 @@ + END_TEST + + START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { +- const char *const inputOne = "'>\n" +- "\n" +- "%e;"; +- const char *const inputTwo = "'>\n" +- "\n" +- "%e2;"; +- const char *const inputThree = "\n" +- "\n" +- "%e;"; +- const char *const inputIssue317 = "\n" +- "Hell'>\n" +- "%foo;\n" +- "]>\n" +- "Hello, world"; ++ const char *const inputOne ++ = "'>\n" ++ "%element_d;\n" ++ "'>\n" ++ "\n" ++ "%e;"; ++ const char *const inputTwo ++ = "'>\n" ++ "%element_d;\n" ++ "'>\n" ++ "\n" ++ "%e2;"; ++ const char *const inputThree ++ = "'>\n" ++ "%element_d;\n" ++ "\n" ++ "\n" ++ "%e;/>"; ++ const char *const inputIssue317 ++ = "'>\n" ++ "%element_doc;\n" ++ "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; + + const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ const XML_Bool suspendOrNot[] = {XML_FALSE, XML_TRUE}; + size_t inputIndex = 0; + + for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { +- set_subtest("%s", inputs[inputIndex]); +- XML_Parser 
parser; +- enum XML_Status parseResult; +- int setParamEntityResult; +- XML_Size lineNumber; +- XML_Size columnNumber; +- const char *const input = inputs[inputIndex]; +- +- parser = XML_ParserCreate(NULL); +- setParamEntityResult +- = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +- if (setParamEntityResult != 1) +- fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); +- +- parseResult = _XML_Parse_SINGLE_BYTES(parser, input, (int)strlen(input), 0); +- if (parseResult != XML_STATUS_ERROR) { +- parseResult = _XML_Parse_SINGLE_BYTES(parser, "", 0, 1); ++ for (size_t suspendOrNotIndex = 0; ++ suspendOrNotIndex < sizeof(suspendOrNot) / sizeof(suspendOrNot[0]); ++ suspendOrNotIndex++) { ++ const char *const input = inputs[inputIndex]; ++ const XML_Bool suspend = suspendOrNot[suspendOrNotIndex]; ++ if (suspend && (g_chunkSize > 0)) { ++ // We cannot use _XML_Parse_SINGLE_BYTES below due to suspension, and ++ // so chunk sizes >0 would only repeat the very same test ++ // due to use of plain XML_Parse; we are saving upon that runtime: ++ return; ++ } ++ ++ set_subtest("[input=%d suspend=%s] %s", (int)inputIndex, ++ suspend ? "true" : "false", input); ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ if (suspend) { ++ XML_SetUserData(parser, parser); ++ XML_SetElementDeclHandler(parser, suspend_after_element_declaration); ++ } ++ ++ if (suspend) { ++ // can't use SINGLE_BYTES here, because it'll return early on ++ // suspension, and we won't know exactly how much input we actually ++ // managed to give Expat. 
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ ++ while (parseResult == XML_STATUS_SUSPENDED) { ++ parseResult = XML_ResumeParser(parser); ++ } ++ ++ if (parseResult != XML_STATUS_ERROR) { ++ // can't use SINGLE_BYTES here, because it'll return early on ++ // suspension, and we won't know exactly how much input we actually ++ // managed to give Expat. ++ parseResult = XML_Parse(parser, "", 0, 1); ++ } ++ ++ while (parseResult == XML_STATUS_SUSPENDED) { ++ parseResult = XML_ResumeParser(parser); ++ } ++ } else { ++ parseResult ++ = _XML_Parse_SINGLE_BYTES(parser, input, (int)strlen(input), 0); ++ ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = _XML_Parse_SINGLE_BYTES(parser, "", 0, 1); ++ } ++ } ++ + if (parseResult != XML_STATUS_ERROR) { + fail("Parsing was expected to fail but succeeded."); + } +- } + +- if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) +- fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); + +- lineNumber = XML_GetCurrentLineNumber(parser); +- if (lineNumber != 4) +- fail("XML_GetCurrentLineNumber does not work as expected."); ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 6) ++ fail("XML_GetCurrentLineNumber does not work as expected."); + +- columnNumber = XML_GetCurrentColumnNumber(parser); +- if (columnNumber != 0) +- fail("XML_GetCurrentColumnNumber does not work as expected."); ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); + +- XML_ParserFree(parser); ++ XML_ParserFree(parser); ++ } + } + } + END_TEST +@@ -447,7 +508,7 @@ + XML_SetExternalEntityRefHandler(parser, + external_entity_failer__if_not_xml_ge); + XML_SetEntityDeclHandler(parser, accumulate_entity_decl); +- XML_SetCharacterDataHandler(parser, accumulate_char_data); ++ 
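Review bot: The early `return;` for `suspend && (g_chunkSize > 0)` in `test_misc_deny_internal_entity_closing_doctype_issue_317` leaves the whole test, not just the suspended variant. `suspendOrNot` is `{XML_FALSE, XML_TRUE}`, so with a non-zero chunk size the test appears to return during the first input's second inner iteration, and `inputTwo`, `inputThree` and `inputIssue317` never reach the non-suspended `_XML_Parse_SINGLE_BYTES` path. The comment only argues that the suspended case is redundant for chunk sizes above zero, which `continue;` in place of `return;` would express while keeping the chunked coverage of the remaining inputs. The two identical `while (parseResult == XML_STATUS_SUSPENDED)` loops could also be merged into a small local helper.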
XML_SetCharacterDataHandler(parser, accumulate_characters); + + if (_XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc), XML_TRUE) + != XML_STATUS_OK) { +@@ -496,6 +557,127 @@ + } + END_TEST + ++START_TEST(test_misc_resumeparser_not_crashing) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_GetBuffer(parser, 1); ++ XML_StopParser(parser, /*resumable=*/XML_TRUE); ++ XML_ResumeParser(parser); // could crash here, previously ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_misc_stopparser_rejects_unstarted_parser) { ++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE}; ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const XML_Bool resumable = cases[i]; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE); ++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ ++/* Adaptation of accumulate_characters that takes ExtHdlrData input to work with ++ * test_renter_loop_finite_content below */ ++void XMLCALL ++accumulate_characters_ext_handler(void *userData, const XML_Char *s, int len) { ++ ExtHdlrData *const test_data = (ExtHdlrData *)userData; ++ CharData_AppendXMLChars(test_data->storage, s, len); ++} ++ ++/* Test that internalEntityProcessor does not re-enter forever; ++ * based on files tests/xmlconf/xmltest/valid/ext-sa/012.{xml,ent} */ ++START_TEST(test_renter_loop_finite_content) { ++ CharData storage; ++ CharData_Init(&storage); ++ const char *const text = "\n" ++ "\n" ++ "\n" ++ "\n" ++ "\n" ++ "\n" ++ "]>\n" ++ "&e1;\n"; ++ ExtHdlrData test_data = {"&e4;\n", external_entity_null_loader, &storage}; ++ const XML_Char *const expected = XCS("(e5)\n"); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ XML_SetUserData(parser, &test_data); ++ XML_SetExternalEntityRefHandler(parser, 
external_entity_oneshot_loader); ++ XML_SetCharacterDataHandler(parser, accumulate_characters_ext_handler); ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++// Inspired by function XML_OriginalString of Perl's XML::Parser ++static char * ++dup_original_string(XML_Parser parser) { ++ const int byte_count = XML_GetCurrentByteCount(parser); ++ ++ assert_true(byte_count >= 0); ++ ++ int offset = -1; ++ int size = -1; ++ ++ const char *const context = XML_GetInputContext(parser, &offset, &size); ++ ++#if XML_CONTEXT_BYTES > 0 ++ assert_true(context != NULL); ++ assert_true(offset >= 0); ++ assert_true(size >= 0); ++ return portable_strndup(context + offset, byte_count); ++#else ++ assert_true(context == NULL); ++ return NULL; ++#endif ++} ++ ++static void ++on_characters_issue_980(void *userData, const XML_Char *s, int len) { ++ (void)s; ++ (void)len; ++ XML_Parser parser = (XML_Parser)userData; ++ ++ char *const original_string = dup_original_string(parser); ++ ++#if XML_CONTEXT_BYTES > 0 ++ assert_true(original_string != NULL); ++ assert_true(strcmp(original_string, "&draft.day;") == 0); ++ free(original_string); ++#else ++ assert_true(original_string == NULL); ++#endif ++} ++ ++START_TEST(test_misc_expected_event_ptr_issue_980) { ++ // NOTE: This is a tiny subset of sample "REC-xml-19980210.xml" ++ // from Perl's XML::Parser ++ const char *const doc = "\n" ++ "]>\n" ++ "&draft.day;\n"; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCharacterDataHandler(parser, on_characters_issue_980); ++ ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc), ++ /*isFinal=*/XML_TRUE) ++ == XML_STATUS_OK); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + void + make_miscellaneous_test_case(Suite *s) { + TCase *tc_misc = tcase_create("miscellaneous 
tests"); +@@ -520,4 +702,8 @@ + test_misc_create_external_entity_parser_with_null_context); + tcase_add_test(tc_misc, test_misc_general_entities_support); + tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak); ++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing); ++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser); ++ tcase_add_test__if_xml_ge(tc_misc, test_renter_loop_finite_content); ++ tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980); + } +--- contrib/expat/tests/xmltest.sh.orig ++++ contrib/expat/tests/xmltest.sh +@@ -2,8 +2,8 @@ + # EXPAT TEST SCRIPT FOR W3C XML TEST SUITE + # + # This script can be used to exercise Expat against the +-# w3c.org xml test suite, available from +-# http://www.w3.org/XML/Test/xmlts20020606.zip. ++# w3c.org xml test suite, available from: ++# https://www.w3.org/XML/Test/xmlts20020606.zip + # + # To run this script, first set XMLWF below so that xmlwf can be + # found, then set the output directory with OUTPUT. 
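Review bot: `dup_original_string` checks that `offset` and `size` are non-negative but never checks that the requested range lies inside the context buffer before calling `portable_strndup(context + offset, byte_count)`. That helper copies exactly `byte_count` bytes, so a parser regression in the event pointers would show up as an out-of-bounds read in the test rather than a clean failure. Adding `assert_true(byte_count <= size - offset);` before the call makes the test fail deterministically in that case. Separately, `test_renter_loop_finite_content` looks like a typo for "reenter", given its comment about `internalEntityProcessor` not re-entering forever.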
+@@ -30,6 +30,7 @@ + # Copyright (c) 2002 Karl Waclawek + # Copyright (c) 2008-2019 Sebastian Pipping + # Copyright (c) 2017 Rhodri James ++# Copyright (c) 2025 Hanno Böck + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +--- contrib/expat/xmlwf/Makefile.in.orig ++++ contrib/expat/xmlwf/Makefile.in +@@ -311,6 +311,7 @@ + SED = @SED@ + SET_MAKE = @SET_MAKE@ + SHELL = @SHELL@ ++SIZEOF_VOID_P = @SIZEOF_VOID_P@ + SO_MAJOR = @SO_MAJOR@ + SO_MINOR = @SO_MINOR@ + SO_PATCH = @SO_PATCH@ +@@ -324,7 +325,6 @@ + ac_ct_CC = @ac_ct_CC@ + ac_ct_CXX = @ac_ct_CXX@ + ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@ + am__include = @am__include@ + am__leading_dot = @am__leading_dot@ + am__quote = @am__quote@ +--- contrib/expat/xmlwf/readfilemap.c.orig ++++ contrib/expat/xmlwf/readfilemap.c +@@ -14,6 +14,7 @@ + Copyright (c) 2017 Rhodri James + Copyright (c) 2017 Franek Korta + Copyright (c) 2022 Sean McBride ++ Copyright (c) 2025 Hanno Böck + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -55,7 +56,7 @@ + # define EXPAT_read_count_t int + # define EXPAT_read_req_t unsigned int + #else /* POSIX */ +-/* http://pubs.opengroup.org/onlinepubs/009695399/functions/read.html */ ++/* https://pubs.opengroup.org/onlinepubs/009695399/functions/read.html */ + # define EXPAT_read read + # define EXPAT_read_count_t ssize_t + # define EXPAT_read_req_t size_t +--- contrib/expat/xmlwf/xmlfile.c.orig ++++ contrib/expat/xmlwf/xmlfile.c +@@ -15,6 +15,7 @@ + Copyright (c) 2017 Rhodri James + Copyright (c) 2019 David Loffredo + Copyright (c) 2021 Donghee Na ++ Copyright (c) 2024 Hanno Böck + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -91,7 +92,8 @@ + filename, XML_GetErrorLineNumber(parser), + XML_GetErrorColumnNumber(parser), message); + else +- ftprintf(stderr, T("%s: (unknown message 
%d)\n"), filename, code); ++ ftprintf(stderr, T("%s: (unknown message %u)\n"), filename, ++ (unsigned int)code); + } + + /* This implementation will give problems on files larger than INT_MAX. */ +--- lib/libexpat/Makefile.orig ++++ lib/libexpat/Makefile +@@ -1,4 +1,3 @@ +- + PACKAGE= runtime + EXPAT= ${SRCTOP}/contrib/expat + +--- lib/libexpat/expat_config.h.orig ++++ lib/libexpat/expat_config.h +@@ -89,7 +89,7 @@ + #define PACKAGE_NAME "expat" + + /* Define to the full name and version of this package. */ +-#define PACKAGE_STRING "expat 2.6.0" ++#define PACKAGE_STRING "expat 2.7.1" + + /* Define to the one symbol short name of this package. */ + #define PACKAGE_TARNAME "expat" +@@ -98,7 +98,7 @@ + #define PACKAGE_URL "" + + /* Define to the version of this package. */ +-#define PACKAGE_VERSION "2.6.0" ++#define PACKAGE_VERSION "2.7.1" + + /* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for +@@ -106,7 +106,7 @@ + #define STDC_HEADERS 1 + + /* Version number of package */ +-#define VERSION "2.6.0" ++#define VERSION "2.7.1" + + /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). */ +@@ -146,7 +146,4 @@ + /* Define to `long int' if does not define. */ + /* #undef off_t */ + +-/* Define to `unsigned int' if does not define. */ +-/* #undef size_t */ +- + #endif // ndef EXPAT_CONFIG_H +--- lib/libexpat/libbsdxml.3.orig ++++ lib/libexpat/libbsdxml.3 +@@ -23,7 +23,7 @@ + .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + .\" SUCH DAMAGE. + .\"/ +-.Dd February 17, 2024 ++.Dd April 7, 2025 + .Dt LIBBSDXML 3 + .Os + .Sh NAME +@@ -34,7 +34,7 @@ + .Sh DESCRIPTION + The + .Nm +-library is a verbatim copy of the eXpat XML library version 2.6.0. ++library is a verbatim copy of the eXpat XML library version 2.7.1. + .Pp + The + .Nm 
diff --git a/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch.asc b/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch.asc new file mode 100644 index 0000000000..119e7f3267 --- /dev/null +++ b/website/static/security/patches/EN-25:05/expat-13.4-14.2.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DYACgkQbljekB8A +Gu8Yrg/+JguFdGFbhE2OgfIaS+oDlMz40iuYIKDCOtVrdEz8LUjsaw5/3s9vKWaL +ahPxCIPM6h3rATJHwnwUHsH7pxcrubibh+fYgunblR89yvQ1cxqoSkmQ9REJxu5v +g7te/s52fXUNrmuGPHixeid6BMFeoRsuvwJVRT6X/uz5K+htn2n2bNBlDKSKQ6Mn +begg+36lIg1n3NQgLUnrK+L2C2Kwi+hQLiQHCjcO/oIDMs7ogNVzPm59P0YlJPQP +wEEeV8XU2skcvhCcO4TwBLbiH7YtDtgEhbsEBsluafGSAoG/TLZenP/Cminn8fPx +DLCrdLZoD9Hl7CV791ndNvdPChehjaVoLwrSvkPZnibmo+rLFrYuBBaMBQN83T0G +QDrP+DSuzECTr/WaGwFW2HLr1uDjMDs+LkAQGh7CwTApMr1L1S4x832XN5fd3fE9 +FO4rZtSZcv0wSrYmydTh42rO+3xD/XsMHo81zIaIFMfsRthoNv2c+F5Ql5O6iVte +xpZUypA+e6yoWMUaQA/gkVvuP+yGA8q1G2JZI7kpAvLXG2UtH2AsrTHg2SqsiXXz +Qd4Vb8v3cC7USwfEG0tmQg7kKoMEGy/mtbdywgfUTgUcbyKKtf23XWcSSyoq+fWI +Di3rmkDdO3lYdW/WHWsBhvacWKFj+aTOdeyQ0D5jGcf5JGvf1l8= +=2Hyc +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:05/expat-13.5.patch b/website/static/security/patches/EN-25:05/expat-13.5.patch new file mode 100644 index 0000000000..c32f754bdd --- /dev/null +++ b/website/static/security/patches/EN-25:05/expat-13.5.patch 
@@ -0,0 +1,3179 @@ +--- contrib/expat/COPYING.orig ++++ contrib/expat/COPYING +@@ -1,5 +1,5 @@ + Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper +-Copyright (c) 2001-2022 Expat maintainers ++Copyright (c) 2001-2025 Expat maintainers + + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the +--- contrib/expat/Changes.orig ++++ contrib/expat/Changes +@@ -11,16 +11,23 @@ + !! The following topics need *additional skilled C developers* to progress !! + !! in a timely manner or at all (loosely ordered by descending priority): !! + !! !! +-!! - fixing a complex non-public security issue, !! + !! - teaming up on researching and fixing future security reports and !! + !! ClusterFuzz findings with few-days-max response times in communication !! + !! in order to (1) have a sound fix ready before the end of a 90 days !! + !! grace period and (2) in a sustainable manner, !! ++!! - helping CPython Expat bindings with supporting Expat's billion laughs !! ++!! attack protection API (https://github.com/python/cpython/issues/90949): !! ++!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! ++!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! ++!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !! ++!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !! ++!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! ++!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! ++!! - XML_SetReparseDeferralEnabled !! + !! - implementing and auto-testing XML 1.0r5 support !! + !! (needs discussion before pull requests), !! + !! - smart ideas on fixing the Autotools CMake files generation issue !! + !! without breaking CI (needs discussion before pull requests), !! +-!! - the Windows binaries topic (needs requirements engineering first), !! + !! - pushing migration from `int` to `size_t` further !! + !! 
including edge-cases test coverage (needs discussion before anything). !! + !! !! +@@ -30,6 +37,116 @@ + !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + ++Release 2.7.1 Thu March 27 2025 ++ Bug fixes: ++ #980 #989 Restore event pointer behavior from Expat 2.6.4 ++ (that the fix to CVE-2024-8176 changed in 2.7.0); ++ affected API functions are: ++ - XML_GetCurrentByteCount ++ - XML_GetCurrentByteIndex ++ - XML_GetCurrentColumnNumber ++ - XML_GetCurrentLineNumber ++ - XML_GetInputContext ++ ++ Other changes: ++ #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" ++ with Automake that were missing from 2.7.0 release tarballs ++ #983 #984 Fix printf format specifiers for 32bit Emscripten ++ #992 docs: Promote OpenSSF Best Practices self-certification ++ #978 tests/benchmark: Resolve mistaken double close ++ #986 Address compiler warnings ++ #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) ++ to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #982 CI: Start running Perl XML::Parser integration tests ++ #987 CI: Enforce Clang Static Analyzer clean code ++ #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized ++ for clang-tidy ++ #981 CI: Cover compilation with musl ++ #983 #984 CI: Cover compilation with 32bit Emscripten ++ #976 #977 CI: Protect against fuzzer files missing from future ++ release archives ++ ++ Special thanks to: ++ Berkay Eren Ürün ++ Matthew Fernandez ++ and ++ Perl XML::Parser ++ ++Release 2.7.0 Thu March 13 2025 ++ Security fixes: ++ #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number ++ of entities caused by stack overflow by resolving use of ++ recursion, for all three uses of entities: ++ - general entities in character data ("&g1;") ++ - general entities in attribute values ("") ++ - parameter entities ("%p1;") ++ Known impact is 
(reliable and easy) denial of service: ++ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C ++ (Base Score: 7.5, Temporal Score: 7.2) ++ Please note that a layer of compression around XML can ++ significantly reduce the minimum attack payload size. ++ ++ Other changes: ++ #935 #937 Autotools: Make generated CMake files look for ++ libexpat.@SO_MAJOR@.dylib on macOS ++ #925 Autotools: Sync CMake templates with CMake 3.29 ++ #945 #962 #966 CMake: Drop support for CMake <3.13 ++ #942 CMake: Small fuzzing related improvements ++ #921 docs: Add missing documentation of error code ++ XML_ERROR_NOT_STARTED that was introduced with 2.6.4 ++ #941 docs: Document need for C++11 compiler for use from C++ ++ #959 tests/benchmark: Fix a (harmless) TOCTTOU ++ #944 Windows: Fix installer target location of file xmlwf.xml ++ for CMake ++ #953 Windows: Address warning -Wunknown-warning-option ++ about -Wno-pedantic-ms-format from LLVM MinGW ++ #971 Address Cppcheck warnings ++ #969 #970 Mass-migrate links from http:// to https:// ++ #947 #958 .. ++ #974 #975 Document changes since the previous release ++ #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) ++ to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ ++ for what these numbers do ++ ++ Infrastructure: ++ #926 tests: Increase robustness ++ #927 #932 .. ++ #930 #933 tests: Increase test coverage ++ #617 #950 .. ++ #951 #952 .. ++ #954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on ++ #961 Google's libprotobuf-mutator ("LPM") ++ #957 Fuzzing|CI: Start producing fuzzing code coverage reports ++ #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh ++ #942 CI: Small fuzzing related improvements ++ #139 #203 .. 
++ #791 #946 CI: Make GitHub Actions build using MSVC on Windows and ++ produce 32bit and 64bit Windows binaries ++ #956 CI: Get off of about-to-be-removed Ubuntu 20.04 ++ #960 #964 CI: Start uploading to Coverity Scan for static analysis ++ #972 CI: Stop loading DTD from the internet to address flaky CI ++ #971 CI: Adapt to breaking changes in Cppcheck ++ ++ Special thanks to: ++ Alexander Gieringer ++ Berkay Eren Ürün ++ Hanno Böck ++ Jann Horn ++ Mark Brand ++ Sebastian Andrzej Siewior ++ Snild Dolkow ++ Thomas Pröll ++ Tomas Korbar ++ valord577 ++ and ++ Google Project Zero ++ Linutronix ++ Red Hat ++ Siemens ++ + Release 2.6.4 Wed November 6 2024 + Security fixes: + #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser +@@ -46,6 +163,8 @@ + #904 tests: Resolve duplicate handler + #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) + #914 Fix signedness of format strings ++ #915 For use from C++, expat.h started requiring C++11 due to ++ use of C99 features + #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) + to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ + for what these numbers do +--- contrib/expat/Makefile.am.orig ++++ contrib/expat/Makefile.am +@@ -6,7 +6,7 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2025 Sebastian Pipping + # Copyright (c) 2018 KangLin + # Copyright (c) 2022 Johnny Jazeix + # Copyright (c) 2023 Sony Corporation / Snild Dolkow +@@ -96,6 +96,8 @@ + conftools/expat.m4 \ + conftools/get-version.sh \ + \ ++ fuzz/xml_lpm_fuzzer.cpp \ ++ fuzz/xml_lpm_fuzzer.proto \ + fuzz/xml_parsebuffer_fuzzer.c \ + fuzz/xml_parse_fuzzer.c \ + \ +--- contrib/expat/Makefile.in.orig ++++ contrib/expat/Makefile.in +@@ -22,7 +22,7 @@ + # \___/_/\_\ .__/ \__,_|\__| + # |_| XML parser + # +-# Copyright (c) 2017-2023 Sebastian Pipping ++# Copyright (c) 2017-2025 Sebastian Pipping + # Copyright (c) 2018 KangLin + # Copyright (c) 2022 
Johnny Jazeix + # Copyright (c) 2023 Sony Corporation / Snild Dolkow +@@ -494,6 +494,8 @@ + conftools/expat.m4 \ + conftools/get-version.sh \ + \ ++ fuzz/xml_lpm_fuzzer.cpp \ ++ fuzz/xml_lpm_fuzzer.proto \ + fuzz/xml_parsebuffer_fuzzer.c \ + fuzz/xml_parse_fuzzer.c \ + \ +--- contrib/expat/README.md.orig ++++ contrib/expat/README.md +@@ -3,6 +3,7 @@ + [![Packaging status](https://repology.org/badge/tiny-repos/expat.svg)](https://repology.org/metapackage/expat/versions) + [![Downloads SourceForge](https://img.shields.io/sourceforge/dt/expat?label=Downloads%20SourceForge)](https://sourceforge.net/projects/expat/files/) + [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) ++[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10205/badge)](https://www.bestpractices.dev/projects/10205) + + > [!CAUTION] + > +@@ -11,7 +12,7 @@ + > at the top of the `Changes` file. + + +-# Expat, Release 2.6.4 ++# Expat, Release 2.7.1 + + This is Expat, a C99 library for parsing + [XML 1.0 Fourth Edition](https://www.w3.org/TR/2006/REC-xml-20060816/), started by +@@ -22,9 +23,9 @@ + document being parsed. A start tag is an example of the kind of + structures for which you may register handlers. 
+ +-Expat supports the following compilers: ++Expat supports the following C99 compilers: + +-- GNU GCC >=4.5 ++- GNU GCC >=4.5 (for use from C) or GNU GCC >=4.8.1 (for use from C++) + - LLVM Clang >=3.5 + - Microsoft Visual Studio >=16.0/2019 (rolling `${today} minus 5 years`) + +@@ -52,7 +53,7 @@ + Notice the *uppercase* `EXPAT` in the following example: + + ```cmake +-cmake_minimum_required(VERSION 3.0) # or 3.10, see below ++cmake_minimum_required(VERSION 3.10) + + project(hello VERSION 1.0.0) + +@@ -62,12 +63,7 @@ + hello.c + ) + +-# a) for CMake >=3.10 (see CMake's FindEXPAT docs) + target_link_libraries(hello PUBLIC EXPAT::EXPAT) +- +-# b) for CMake >=3.0 +-target_include_directories(hello PRIVATE ${EXPAT_INCLUDE_DIRS}) +-target_link_libraries(hello PUBLIC ${EXPAT_LIBRARIES}) + ``` + + ### b) `find_package` with Config Mode +@@ -85,7 +81,7 @@ + Notice the *lowercase* `expat` in the following example: + + ```cmake +-cmake_minimum_required(VERSION 3.0) ++cmake_minimum_required(VERSION 3.10) + + project(hello VERSION 1.0.0) + +@@ -295,7 +291,7 @@ + // Use /MT flag (static CRT) when compiling in MSVC + EXPAT_MSVC_STATIC_CRT:BOOL=OFF + +-// Build fuzzers via ossfuzz for the expat library ++// Build fuzzers via OSS-Fuzz for the expat library + EXPAT_OSSFUZZ_BUILD:BOOL=OFF + + // Build a shared expat library +--- contrib/expat/configure.ac.orig ++++ contrib/expat/configure.ac +@@ -11,7 +11,7 @@ + dnl Copyright (c) 2000-2005 Fred L. Drake, Jr. + dnl Copyright (c) 2001-2003 Greg Stein + dnl Copyright (c) 2006-2012 Karl Waclawek +-dnl Copyright (c) 2016-2024 Sebastian Pipping ++dnl Copyright (c) 2016-2025 Sebastian Pipping + dnl Copyright (c) 2017 S. P. Zeidler + dnl Copyright (c) 2017 Stephen Groat + dnl Copyright (c) 2017-2020 Joe Orton +@@ -85,7 +85,7 @@ + dnl + + LIBCURRENT=11 # sync +-LIBREVISION=0 # with ++LIBREVISION=2 # with + LIBAGE=10 # CMakeLists.txt! 
+ + AC_CONFIG_HEADERS([expat_config.h]) +--- contrib/expat/doc/reference.html.orig ++++ contrib/expat/doc/reference.html +@@ -14,7 +14,7 @@ + Copyright (c) 2000 Clark Cooper + Copyright (c) 2000-2004 Fred L. Drake, Jr. + Copyright (c) 2002-2012 Karl Waclawek +- Copyright (c) 2017-2024 Sebastian Pipping ++ Copyright (c) 2017-2025 Sebastian Pipping + Copyright (c) 2017 Jakub Wilk + Copyright (c) 2021 Tomas Korbar + Copyright (c) 2021 Nicolas Cavallari +@@ -52,7 +52,7 @@ +
+

+ The Expat XML Parser +- Release 2.6.4 ++ Release 2.7.1 +

+
+
+@@ -1267,6 +1267,11 @@ + XML_STATUS_ERROR otherwise. The possible error codes + are:

+
++
XML_ERROR_NOT_STARTED
++
++ when stopping or suspending a parser before it has started, ++ added in Expat 2.6.4. ++
+
XML_ERROR_SUSPENDED
+
when suspending an already suspended parser.
+
XML_ERROR_FINISHED
+--- contrib/expat/doc/xmlwf.1.orig ++++ contrib/expat/doc/xmlwf.1 +@@ -5,7 +5,7 @@ + \\$2 \(la\\$1\(ra\\$3 + .. + .if \n(.g .mso www.tmac +-.TH XMLWF 1 "November 6, 2024" "" "" ++.TH XMLWF 1 "March 27, 2025" "" "" + .SH NAME + xmlwf \- Determines if an XML document is well-formed + .SH SYNOPSIS +--- contrib/expat/doc/xmlwf.xml.orig ++++ contrib/expat/doc/xmlwf.xml +@@ -9,7 +9,7 @@ + Copyright (c) 2001 Scott Bronson + Copyright (c) 2002-2003 Fred L. Drake, Jr. + Copyright (c) 2009 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Ardo van Rangelrooij + Copyright (c) 2017 Rhodri James + Copyright (c) 2020 Joe Orton +@@ -21,7 +21,7 @@ + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + Scott"> + Bronson"> +- November 6, 2024"> ++ March 27, 2025"> + + 1"> + bronson@rinspin.com"> +--- /dev/null ++++ contrib/expat/fuzz/xml_lpm_fuzzer.cpp +@@ -0,0 +1,464 @@ ++/* ++ __ __ _ ++ ___\ \/ /_ __ __ _| |_ ++ / _ \\ /| '_ \ / _` | __| ++ | __// \| |_) | (_| | |_ ++ \___/_/\_\ .__/ \__,_|\__| ++ |_| XML parser ++ ++ Copyright (c) 2022 Mark Brand ++ Copyright (c) 2025 Sebastian Pipping ++ Licensed under the MIT license: ++ ++ Permission is hereby granted, free of charge, to any person obtaining ++ a copy of this software and associated documentation files (the ++ "Software"), to deal in the Software without restriction, including ++ without limitation the rights to use, copy, modify, merge, publish, ++ distribute, sublicense, and/or sell copies of the Software, and to permit ++ persons to whom the Software is furnished to do so, subject to the ++ following conditions: ++ ++ The above copyright notice and this permission notice shall be included ++ in all copies or substantial portions of the Software. 
++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN ++ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, ++ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR ++ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ++ USE OR OTHER DEALINGS IN THE SOFTWARE. ++*/ ++ ++#if defined(NDEBUG) ++# undef NDEBUG // because checks below rely on assert(...) ++#endif ++ ++#include ++#include ++#include ++ ++#include "expat.h" ++#include "xml_lpm_fuzzer.pb.h" ++#include "src/libfuzzer/libfuzzer_macro.h" ++ ++static const char *g_encoding = nullptr; ++static const char *g_external_entity = nullptr; ++static size_t g_external_entity_size = 0; ++ ++void ++SetEncoding(const xml_lpm_fuzzer::Encoding &e) { ++ switch (e) { ++ case xml_lpm_fuzzer::Encoding::UTF8: ++ g_encoding = "UTF-8"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::UTF16: ++ g_encoding = "UTF-16"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::ISO88591: ++ g_encoding = "ISO-8859-1"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::ASCII: ++ g_encoding = "US-ASCII"; ++ break; ++ ++ case xml_lpm_fuzzer::Encoding::NONE: ++ g_encoding = NULL; ++ break; ++ ++ default: ++ g_encoding = "UNKNOWN"; ++ break; ++ } ++} ++ ++static int g_allocation_count = 0; ++static std::vector g_fail_allocations = {}; ++ ++void * ++MallocHook(size_t size) { ++ g_allocation_count += 1; ++ for (auto index : g_fail_allocations) { ++ if (index == g_allocation_count) { ++ return NULL; ++ } ++ } ++ return malloc(size); ++} ++ ++void * ++ReallocHook(void *ptr, size_t size) { ++ g_allocation_count += 1; ++ for (auto index : g_fail_allocations) { ++ if (index == g_allocation_count) { ++ return NULL; ++ } ++ } ++ return realloc(ptr, size); ++} ++ ++void ++FreeHook(void *ptr) { ++ free(ptr); ++} ++ ++XML_Memory_Handling_Suite 
memory_handling_suite ++ = {MallocHook, ReallocHook, FreeHook}; ++ ++void InitializeParser(XML_Parser parser); ++ ++// We want a parse function that supports resumption, so that we can cover the ++// suspend/resume code. ++enum XML_Status ++Parse(XML_Parser parser, const char *input, int input_len, int is_final) { ++ enum XML_Status status = XML_Parse(parser, input, input_len, is_final); ++ while (status == XML_STATUS_SUSPENDED) { ++ status = XML_ResumeParser(parser); ++ } ++ return status; ++} ++ ++// When the fuzzer is compiled with instrumentation such as ASan, then the ++// accesses in TouchString will fault if they access invalid memory (ie. detect ++// either a use-after-free or buffer-overflow). By calling TouchString in each ++// of the callbacks, we can check that the arguments meet the API specifications ++// in terms of length/null-termination. no_optimize is used to ensure that the ++// compiler has to emit actual memory reads, instead of removing them. ++static volatile size_t no_optimize = 0; ++static void ++TouchString(const XML_Char *ptr, int len = -1) { ++ if (! 
ptr) { ++ return; ++ } ++ ++ if (len == -1) { ++ for (XML_Char value = *ptr++; value; value = *ptr++) { ++ no_optimize += value; ++ } ++ } else { ++ for (int i = 0; i < len; ++i) { ++ no_optimize += ptr[i]; ++ } ++ } ++} ++ ++static void ++TouchNodeAndRecurse(XML_Content *content) { ++ switch (content->type) { ++ case XML_CTYPE_EMPTY: ++ case XML_CTYPE_ANY: ++ assert(content->quant == XML_CQUANT_NONE); ++ assert(content->name == NULL); ++ assert(content->numchildren == 0); ++ assert(content->children == NULL); ++ break; ++ ++ case XML_CTYPE_MIXED: ++ assert(content->quant == XML_CQUANT_NONE ++ || content->quant == XML_CQUANT_REP); ++ assert(content->name == NULL); ++ for (unsigned int i = 0; i < content->numchildren; ++i) { ++ assert(content->children[i].type == XML_CTYPE_NAME); ++ assert(content->children[i].quant == XML_CQUANT_NONE); ++ assert(content->children[i].numchildren == 0); ++ assert(content->children[i].children == NULL); ++ TouchString(content->children[i].name); ++ } ++ break; ++ ++ case XML_CTYPE_NAME: ++ assert((content->quant == XML_CQUANT_NONE) ++ || (content->quant == XML_CQUANT_OPT) ++ || (content->quant == XML_CQUANT_REP) ++ || (content->quant == XML_CQUANT_PLUS)); ++ assert(content->numchildren == 0); ++ assert(content->children == NULL); ++ TouchString(content->name); ++ break; ++ ++ case XML_CTYPE_CHOICE: ++ case XML_CTYPE_SEQ: ++ assert((content->quant == XML_CQUANT_NONE) ++ || (content->quant == XML_CQUANT_OPT) ++ || (content->quant == XML_CQUANT_REP) ++ || (content->quant == XML_CQUANT_PLUS)); ++ assert(content->name == NULL); ++ for (unsigned int i = 0; i < content->numchildren; ++i) { ++ TouchNodeAndRecurse(&content->children[i]); ++ } ++ break; ++ ++ default: ++ assert(false); ++ } ++} ++ ++static void XMLCALL ++ElementDeclHandler(void *userData, const XML_Char *name, XML_Content *model) { ++ TouchString(name); ++ TouchNodeAndRecurse(model); ++ XML_FreeContentModel((XML_Parser)userData, model); ++} ++ ++static void XMLCALL 
++AttlistDeclHandler(void *userData, const XML_Char *elname, ++ const XML_Char *attname, const XML_Char *atttype, ++ const XML_Char *dflt, int isrequired) { ++ (void)userData; ++ TouchString(elname); ++ TouchString(attname); ++ TouchString(atttype); ++ TouchString(dflt); ++ (void)isrequired; ++} ++ ++static void XMLCALL ++XmlDeclHandler(void *userData, const XML_Char *version, ++ const XML_Char *encoding, int standalone) { ++ (void)userData; ++ TouchString(version); ++ TouchString(encoding); ++ (void)standalone; ++} ++ ++static void XMLCALL ++StartElementHandler(void *userData, const XML_Char *name, ++ const XML_Char **atts) { ++ (void)userData; ++ TouchString(name); ++ for (size_t i = 0; atts[i] != NULL; ++i) { ++ TouchString(atts[i]); ++ } ++} ++ ++static void XMLCALL ++EndElementHandler(void *userData, const XML_Char *name) { ++ (void)userData; ++ TouchString(name); ++} ++ ++static void XMLCALL ++CharacterDataHandler(void *userData, const XML_Char *s, int len) { ++ (void)userData; ++ TouchString(s, len); ++} ++ ++static void XMLCALL ++ProcessingInstructionHandler(void *userData, const XML_Char *target, ++ const XML_Char *data) { ++ (void)userData; ++ TouchString(target); ++ TouchString(data); ++} ++ ++static void XMLCALL ++CommentHandler(void *userData, const XML_Char *data) { ++ TouchString(data); ++ // Use the comment handler to trigger parser suspend, so that we can get ++ // coverage of that code. 
++ XML_StopParser((XML_Parser)userData, XML_TRUE); ++} ++ ++static void XMLCALL ++StartCdataSectionHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++EndCdataSectionHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++DefaultHandler(void *userData, const XML_Char *s, int len) { ++ (void)userData; ++ TouchString(s, len); ++} ++ ++static void XMLCALL ++StartDoctypeDeclHandler(void *userData, const XML_Char *doctypeName, ++ const XML_Char *sysid, const XML_Char *pubid, ++ int has_internal_subset) { ++ (void)userData; ++ TouchString(doctypeName); ++ TouchString(sysid); ++ TouchString(pubid); ++ (void)has_internal_subset; ++} ++ ++static void XMLCALL ++EndDoctypeDeclHandler(void *userData) { ++ (void)userData; ++} ++ ++static void XMLCALL ++EntityDeclHandler(void *userData, const XML_Char *entityName, ++ int is_parameter_entity, const XML_Char *value, ++ int value_length, const XML_Char *base, ++ const XML_Char *systemId, const XML_Char *publicId, ++ const XML_Char *notationName) { ++ (void)userData; ++ TouchString(entityName); ++ (void)is_parameter_entity; ++ TouchString(value, value_length); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++ TouchString(notationName); ++} ++ ++static void XMLCALL ++NotationDeclHandler(void *userData, const XML_Char *notationName, ++ const XML_Char *base, const XML_Char *systemId, ++ const XML_Char *publicId) { ++ (void)userData; ++ TouchString(notationName); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++} ++ ++static void XMLCALL ++StartNamespaceDeclHandler(void *userData, const XML_Char *prefix, ++ const XML_Char *uri) { ++ (void)userData; ++ TouchString(prefix); ++ TouchString(uri); ++} ++ ++static void XMLCALL ++EndNamespaceDeclHandler(void *userData, const XML_Char *prefix) { ++ (void)userData; ++ TouchString(prefix); ++} ++ ++static int XMLCALL ++NotStandaloneHandler(void *userData) { ++ (void)userData; ++ return XML_STATUS_OK; 
++} ++ ++static int XMLCALL ++ExternalEntityRefHandler(XML_Parser parser, const XML_Char *context, ++ const XML_Char *base, const XML_Char *systemId, ++ const XML_Char *publicId) { ++ int rc = XML_STATUS_ERROR; ++ TouchString(context); ++ TouchString(base); ++ TouchString(systemId); ++ TouchString(publicId); ++ ++ if (g_external_entity) { ++ XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, g_encoding); ++ rc = Parse(ext_parser, g_external_entity, g_external_entity_size, 1); ++ XML_ParserFree(ext_parser); ++ } ++ ++ return rc; ++} ++ ++static void XMLCALL ++SkippedEntityHandler(void *userData, const XML_Char *entityName, ++ int is_parameter_entity) { ++ (void)userData; ++ TouchString(entityName); ++ (void)is_parameter_entity; ++} ++ ++static int XMLCALL ++UnknownEncodingHandler(void *encodingHandlerData, const XML_Char *name, ++ XML_Encoding *info) { ++ (void)encodingHandlerData; ++ TouchString(name); ++ (void)info; ++ return XML_STATUS_ERROR; ++} ++ ++void ++InitializeParser(XML_Parser parser) { ++ XML_SetUserData(parser, (void *)parser); ++ XML_SetHashSalt(parser, 0x41414141); ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ XML_SetElementDeclHandler(parser, ElementDeclHandler); ++ XML_SetAttlistDeclHandler(parser, AttlistDeclHandler); ++ XML_SetXmlDeclHandler(parser, XmlDeclHandler); ++ XML_SetElementHandler(parser, StartElementHandler, EndElementHandler); ++ XML_SetCharacterDataHandler(parser, CharacterDataHandler); ++ XML_SetProcessingInstructionHandler(parser, ProcessingInstructionHandler); ++ XML_SetCommentHandler(parser, CommentHandler); ++ XML_SetCdataSectionHandler(parser, StartCdataSectionHandler, ++ EndCdataSectionHandler); ++ // XML_SetDefaultHandler disables entity expansion ++ XML_SetDefaultHandlerExpand(parser, DefaultHandler); ++ XML_SetDoctypeDeclHandler(parser, StartDoctypeDeclHandler, ++ EndDoctypeDeclHandler); ++ // Note: This is mutually exclusive with XML_SetUnparsedEntityDeclHandler, ++ // 
and there isn't any significant code change between the two. ++ XML_SetEntityDeclHandler(parser, EntityDeclHandler); ++ XML_SetNotationDeclHandler(parser, NotationDeclHandler); ++ XML_SetNamespaceDeclHandler(parser, StartNamespaceDeclHandler, ++ EndNamespaceDeclHandler); ++ XML_SetNotStandaloneHandler(parser, NotStandaloneHandler); ++ XML_SetExternalEntityRefHandler(parser, ExternalEntityRefHandler); ++ XML_SetSkippedEntityHandler(parser, SkippedEntityHandler); ++ XML_SetUnknownEncodingHandler(parser, UnknownEncodingHandler, (void *)parser); ++} ++ ++DEFINE_TEXT_PROTO_FUZZER(const xml_lpm_fuzzer::Testcase &testcase) { ++ g_external_entity = nullptr; ++ ++ if (! testcase.actions_size()) { ++ return; ++ } ++ ++ g_allocation_count = 0; ++ g_fail_allocations.clear(); ++ for (int i = 0; i < testcase.fail_allocations_size(); ++i) { ++ g_fail_allocations.push_back(testcase.fail_allocations(i)); ++ } ++ ++ SetEncoding(testcase.encoding()); ++ XML_Parser parser ++ = XML_ParserCreate_MM(g_encoding, &memory_handling_suite, "|"); ++ InitializeParser(parser); ++ ++ for (int i = 0; i < testcase.actions_size(); ++i) { ++ const auto &action = testcase.actions(i); ++ switch (action.action_case()) { ++ case xml_lpm_fuzzer::Action::kChunk: ++ if (XML_STATUS_ERROR ++ == Parse(parser, action.chunk().data(), action.chunk().size(), 0)) { ++ // Force a reset after parse error. 
++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ } ++ break; ++ ++ case xml_lpm_fuzzer::Action::kLastChunk: ++ Parse(parser, action.last_chunk().data(), action.last_chunk().size(), 1); ++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ break; ++ ++ case xml_lpm_fuzzer::Action::kReset: ++ XML_ParserReset(parser, g_encoding); ++ InitializeParser(parser); ++ break; ++ ++ case xml_lpm_fuzzer::Action::kExternalEntity: ++ g_external_entity = action.external_entity().data(); ++ g_external_entity_size = action.external_entity().size(); ++ break; ++ ++ default: ++ break; ++ } ++ } ++ ++ XML_ParserFree(parser); ++} +--- /dev/null ++++ contrib/expat/fuzz/xml_lpm_fuzzer.proto +@@ -0,0 +1,58 @@ ++/* ++ __ __ _ ++ ___\ \/ /_ __ __ _| |_ ++ / _ \\ /| '_ \ / _` | __| ++ | __// \| |_) | (_| | |_ ++ \___/_/\_\ .__/ \__,_|\__| ++ |_| XML parser ++ ++ Copyright (c) 2022 Mark Brand ++ Copyright (c) 2025 Sebastian Pipping ++ Licensed under the MIT license: ++ ++ Permission is hereby granted, free of charge, to any person obtaining ++ a copy of this software and associated documentation files (the ++ "Software"), to deal in the Software without restriction, including ++ without limitation the rights to use, copy, modify, merge, publish, ++ distribute, sublicense, and/or sell copies of the Software, and to permit ++ persons to whom the Software is furnished to do so, subject to the ++ following conditions: ++ ++ The above copyright notice and this permission notice shall be included ++ in all copies or substantial portions of the Software. ++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
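Review bot: In the `DEFINE_TEXT_PROTO_FUZZER` body of fuzz/xml_lpm_fuzzer.cpp, the result of `XML_ParserCreate_MM(g_encoding, &memory_handling_suite, "|")` is handed to `InitializeParser(parser)` without a NULL check, although `MallocHook` is written to return NULL at the allocation indexes listed in `fail_allocations`, so parser creation itself can fail; the same applies to `ext_parser` in `ExternalEntityRefHandler`. Whether that is harmless depends on every Expat call used afterwards tolerating a NULL parser, which this patch does not show, so an explicit `if (! parser) { return; }` right after creation would state the intent and keep a failed creation from being exercised as if it were a live parser. A comment on `XML_SetHashSalt(parser, 0x41414141)` such as `// fixed salt for reproducible fuzzing only; applications should keep Expat's random salt` would also keep that line from being copied into production code.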
IN ++ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, ++ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR ++ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ++ USE OR OTHER DEALINGS IN THE SOFTWARE. ++*/ ++ ++syntax = "proto2"; ++package xml_lpm_fuzzer; ++ ++enum Encoding { ++ UTF8 = 0; ++ UTF16 = 1; ++ ISO88591 = 2; ++ ASCII = 3; ++ UNKNOWN = 4; ++ NONE = 5; ++} ++ ++message Action { ++ oneof action { ++ string chunk = 1; ++ string last_chunk = 2; ++ bool reset = 3; ++ string external_entity = 4; ++ } ++} ++ ++message Testcase { ++ required Encoding encoding = 1; ++ repeated Action actions = 2; ++ repeated int32 fail_allocations = 3; ++} +--- contrib/expat/fuzz/xml_parse_fuzzer.c.orig ++++ contrib/expat/fuzz/xml_parse_fuzzer.c +@@ -5,7 +5,7 @@ + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * +- * http://www.apache.org/licenses/LICENSE-2.0 ++ * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, +--- contrib/expat/fuzz/xml_parsebuffer_fuzzer.c.orig ++++ contrib/expat/fuzz/xml_parsebuffer_fuzzer.c +@@ -5,7 +5,7 @@ + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * +- * http://www.apache.org/licenses/LICENSE-2.0 ++ * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, +--- contrib/expat/lib/expat.h.orig ++++ contrib/expat/lib/expat.h +@@ -11,7 +11,7 @@ + Copyright (c) 2000-2005 Fred L. Drake, Jr. 
+ Copyright (c) 2001-2002 Greg Stein + Copyright (c) 2002-2016 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Cristian Rodríguez + Copyright (c) 2016 Thomas Beutlich + Copyright (c) 2017 Rhodri James +@@ -1067,8 +1067,8 @@ + See https://semver.org + */ + #define XML_MAJOR_VERSION 2 +-#define XML_MINOR_VERSION 6 +-#define XML_MICRO_VERSION 4 ++#define XML_MINOR_VERSION 7 ++#define XML_MICRO_VERSION 1 + + #ifdef __cplusplus + } +--- contrib/expat/lib/internal.h.orig ++++ contrib/expat/lib/internal.h +@@ -28,7 +28,7 @@ + Copyright (c) 2002-2003 Fred L. Drake, Jr. + Copyright (c) 2002-2006 Karl Waclawek + Copyright (c) 2003 Greg Stein +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2018 Yury Gribov + Copyright (c) 2019 David Loffredo + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow +@@ -127,6 +127,9 @@ + # elif ULONG_MAX == 18446744073709551615u // 2^64-1 + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "lu" ++# elif defined(EMSCRIPTEN) // 32bit mode Emscripten ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# define EXPAT_FMT_SIZE_T(midpart) "%" midpart "zu" + # else + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u" +--- contrib/expat/lib/xmlparse.c.orig ++++ contrib/expat/lib/xmlparse.c +@@ -1,4 +1,4 @@ +-/* c5625880f4bf417c1463deee4eb92d86ff413f802048621c57e25fe483eb59e4 (2.6.4+) ++/* d19ae032c224863c1527ba44d228cc34b99192c3a4c5a27af1f4e054d45ee031 (2.7.1+) + __ __ _ + ___\ \/ /_ __ __ _| |_ + / _ \\ /| '_ \ / _` | __| +@@ -13,7 +13,7 @@ + Copyright (c) 2002-2016 Karl Waclawek + Copyright (c) 2005-2009 Steven Solie + Copyright (c) 2016 Eric Rahm +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2016 Gaurav + Copyright (c) 2016 Thomas Beutlich + 
Copyright (c) 2016 Gustavo Grieco +@@ -39,7 +39,7 @@ + Copyright (c) 2022 Sean McBride + Copyright (c) 2023 Owain Davies + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow +- Copyright (c) 2024 Berkay Eren Ürün ++ Copyright (c) 2024-2025 Berkay Eren Ürün + Copyright (c) 2024 Hanno Böck + Licensed under the MIT license: + +@@ -325,6 +325,10 @@ + const XML_Char *publicId; + const XML_Char *notation; + XML_Bool open; ++ XML_Bool hasMore; /* true if entity has not been completely processed */ ++ /* An entity can be open while being already completely processed (hasMore == ++ XML_FALSE). The reason is the delayed closing of entities until their inner ++ entities are processed and closed */ + XML_Bool is_param; + XML_Bool is_internal; /* true if declared in internal subset outside PE */ + } ENTITY; +@@ -415,6 +419,12 @@ + int *scaffIndex; + } DTD; + ++enum EntityType { ++ ENTITY_INTERNAL, ++ ENTITY_ATTRIBUTE, ++ ENTITY_VALUE, ++}; ++ + typedef struct open_internal_entity { + const char *internalEventPtr; + const char *internalEventEndPtr; +@@ -422,6 +432,7 @@ + ENTITY *entity; + int startTagLevel; + XML_Bool betweenDecl; /* WFC: PE Between Declarations */ ++ enum EntityType type; + } OPEN_INTERNAL_ENTITY; + + enum XML_Account { +@@ -481,8 +492,8 @@ + const char *next, const char **nextPtr, + XML_Bool haveMore, XML_Bool allowClosingDoctype, + enum XML_Account account); +-static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, +- XML_Bool betweenDecl); ++static enum XML_Error processEntity(XML_Parser parser, ENTITY *entity, ++ XML_Bool betweenDecl, enum EntityType type); + static enum XML_Error doContent(XML_Parser parser, int startTagLevel, + const ENCODING *enc, const char *start, + const char *end, const char **endPtr, +@@ -513,18 +524,22 @@ + const char *ptr, const char *end, + STRING_POOL *pool, + enum XML_Account account); +-static enum XML_Error appendAttributeValue(XML_Parser parser, +- const ENCODING *enc, +- XML_Bool isCdata, const 
char *ptr, +- const char *end, STRING_POOL *pool, +- enum XML_Account account); ++static enum XML_Error ++appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, ++ const char *ptr, const char *end, STRING_POOL *pool, ++ enum XML_Account account, const char **nextPtr); + static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType); + #if XML_GE == 1 + static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end, +- enum XML_Account account); ++ enum XML_Account account, ++ const char **nextPtr); ++static enum XML_Error callStoreEntityValue(XML_Parser parser, ++ const ENCODING *enc, ++ const char *start, const char *end, ++ enum XML_Account account); + #else + static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity); + #endif +@@ -709,6 +724,10 @@ + const char *m_positionPtr; + OPEN_INTERNAL_ENTITY *m_openInternalEntities; + OPEN_INTERNAL_ENTITY *m_freeInternalEntities; ++ OPEN_INTERNAL_ENTITY *m_openAttributeEntities; ++ OPEN_INTERNAL_ENTITY *m_freeAttributeEntities; ++ OPEN_INTERNAL_ENTITY *m_openValueEntities; ++ OPEN_INTERNAL_ENTITY *m_freeValueEntities; + XML_Bool m_defaultExpandInternalEntities; + int m_tagLevel; + ENTITY *m_declEntity; +@@ -756,6 +775,7 @@ + ACCOUNTING m_accounting; + ENTITY_STATS m_entity_stats; + #endif ++ XML_Bool m_reenter; + }; + + #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s))) +@@ -1028,7 +1048,29 @@ + #if defined(XML_TESTING) + g_bytesScanned += (unsigned)have_now; + #endif +- const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr); ++ // Run in a loop to eliminate dangerous recursion depths ++ enum XML_Error ret; ++ *endPtr = start; ++ while (1) { ++ // Use endPtr as the new start in each iteration, since it will ++ // be set to the next start point by m_processor. 
++ ret = parser->m_processor(parser, *endPtr, end, endPtr); ++ ++ // Make parsing status (and in particular XML_SUSPENDED) take ++ // precedence over re-enter flag when they disagree ++ if (parser->m_parsingStatus.parsing != XML_PARSING) { ++ parser->m_reenter = XML_FALSE; ++ } ++ ++ if (! parser->m_reenter) { ++ break; ++ } ++ ++ parser->m_reenter = XML_FALSE; ++ if (ret != XML_ERROR_NONE) ++ return ret; ++ } ++ + if (ret == XML_ERROR_NONE) { + // if we consumed nothing, remember what we had on this parse attempt. + if (*endPtr == start) { +@@ -1139,6 +1181,8 @@ + parser->m_freeBindingList = NULL; + parser->m_freeTagList = NULL; + parser->m_freeInternalEntities = NULL; ++ parser->m_freeAttributeEntities = NULL; ++ parser->m_freeValueEntities = NULL; + + parser->m_groupSize = 0; + parser->m_groupConnector = NULL; +@@ -1241,6 +1285,8 @@ + parser->m_eventEndPtr = NULL; + parser->m_positionPtr = NULL; + parser->m_openInternalEntities = NULL; ++ parser->m_openAttributeEntities = NULL; ++ parser->m_openValueEntities = NULL; + parser->m_defaultExpandInternalEntities = XML_TRUE; + parser->m_tagLevel = 0; + parser->m_tagStack = NULL; +@@ -1251,6 +1297,8 @@ + parser->m_unknownEncodingData = NULL; + parser->m_parentParser = NULL; + parser->m_parsingStatus.parsing = XML_INITIALIZED; ++ // Reentry can only be triggered inside m_processor calls ++ parser->m_reenter = XML_FALSE; + #ifdef XML_DTD + parser->m_isParamEntity = XML_FALSE; + parser->m_useForeignDTD = XML_FALSE; +@@ -1310,6 +1358,24 @@ + openEntity->next = parser->m_freeInternalEntities; + parser->m_freeInternalEntities = openEntity; + } ++ /* move m_openAttributeEntities to m_freeAttributeEntities (i.e. 
same task but ++ * for attributes) */ ++ openEntityList = parser->m_openAttributeEntities; ++ while (openEntityList) { ++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList; ++ openEntityList = openEntity->next; ++ openEntity->next = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = openEntity; ++ } ++ /* move m_openValueEntities to m_freeValueEntities (i.e. same task but ++ * for value entities) */ ++ openEntityList = parser->m_openValueEntities; ++ while (openEntityList) { ++ OPEN_INTERNAL_ENTITY *openEntity = openEntityList; ++ openEntityList = openEntity->next; ++ openEntity->next = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = openEntity; ++ } + moveToFreeBindingList(parser, parser->m_inheritedBindings); + FREE(parser, parser->m_unknownEncodingMem); + if (parser->m_unknownEncodingRelease) +@@ -1323,6 +1389,19 @@ + return XML_TRUE; + } + ++static XML_Bool ++parserBusy(XML_Parser parser) { ++ switch (parser->m_parsingStatus.parsing) { ++ case XML_PARSING: ++ case XML_SUSPENDED: ++ return XML_TRUE; ++ case XML_INITIALIZED: ++ case XML_FINISHED: ++ default: ++ return XML_FALSE; ++ } ++} ++ + enum XML_Status XMLCALL + XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) { + if (parser == NULL) +@@ -1331,8 +1410,7 @@ + XXX There's no way for the caller to determine which of the + XXX possible error cases caused the XML_STATUS_ERROR return. 
+ */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return XML_STATUS_ERROR; + + /* Get rid of any previous encoding name */ +@@ -1569,7 +1647,34 @@ + entityList = entityList->next; + FREE(parser, openEntity); + } +- ++ /* free m_openAttributeEntities and m_freeAttributeEntities */ ++ entityList = parser->m_openAttributeEntities; ++ for (;;) { ++ OPEN_INTERNAL_ENTITY *openEntity; ++ if (entityList == NULL) { ++ if (parser->m_freeAttributeEntities == NULL) ++ break; ++ entityList = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = NULL; ++ } ++ openEntity = entityList; ++ entityList = entityList->next; ++ FREE(parser, openEntity); ++ } ++ /* free m_openValueEntities and m_freeValueEntities */ ++ entityList = parser->m_openValueEntities; ++ for (;;) { ++ OPEN_INTERNAL_ENTITY *openEntity; ++ if (entityList == NULL) { ++ if (parser->m_freeValueEntities == NULL) ++ break; ++ entityList = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = NULL; ++ } ++ openEntity = entityList; ++ entityList = entityList->next; ++ FREE(parser, openEntity); ++ } + destroyBindings(parser->m_freeBindingList, parser); + destroyBindings(parser->m_inheritedBindings, parser); + poolDestroy(&parser->m_tempPool); +@@ -1611,8 +1716,7 @@ + return XML_ERROR_INVALID_ARGUMENT; + #ifdef XML_DTD + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return XML_ERROR_CANT_CHANGE_FEATURE_ONCE_PARSING; + parser->m_useForeignDTD = useDTD; + return XML_ERROR_NONE; +@@ -1627,8 +1731,7 @@ + if (parser == NULL) + return; + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return; + 
parser->m_ns_triplets = do_nst ? XML_TRUE : XML_FALSE; + } +@@ -1897,8 +2000,7 @@ + if (parser == NULL) + return 0; + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return 0; + #ifdef XML_DTD + parser->m_paramEntityParsing = peParsing; +@@ -1915,8 +2017,7 @@ + if (parser->m_parentParser) + return XML_SetHashSalt(parser->m_parentParser, hash_salt); + /* block after XML_Parse()/XML_ParseBuffer() has been called */ +- if (parser->m_parsingStatus.parsing == XML_PARSING +- || parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parserBusy(parser)) + return 0; + parser->m_hash_secret_salt = hash_salt; + return 1; +@@ -2230,6 +2331,11 @@ + return parser->m_bufferEnd; + } + ++static void ++triggerReenter(XML_Parser parser) { ++ parser->m_reenter = XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_StopParser(XML_Parser parser, XML_Bool resumable) { + if (parser == NULL) +@@ -2704,8 +2810,9 @@ + contentProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { + enum XML_Error result = doContent( +- parser, 0, parser->m_encoding, start, end, endPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT); ++ parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, start, end, ++ endPtr, (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); + if (result == XML_ERROR_NONE) { + if (! 
storeRawNames(parser)) + return XML_ERROR_NO_MEMORY; +@@ -2793,6 +2900,11 @@ + return XML_ERROR_NONE; + case XML_FINISHED: + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default: + start = next; + } +@@ -2966,7 +3078,7 @@ + reportDefault(parser, enc, s, next); + break; + } +- result = processInternalEntity(parser, entity, XML_FALSE); ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_INTERNAL); + if (result != XML_ERROR_NONE) + return result; + } else if (parser->m_externalEntityRefHandler) { +@@ -3092,7 +3204,9 @@ + } + if ((parser->m_tagLevel == 0) + && (parser->m_parsingStatus.parsing != XML_FINISHED)) { +- if (parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter)) + parser->m_processor = epilogProcessor; + else + return epilogProcessor(parser, next, end, nextPtr); +@@ -3153,7 +3267,9 @@ + } + if ((parser->m_tagLevel == 0) + && (parser->m_parsingStatus.parsing != XML_FINISHED)) { +- if (parser->m_parsingStatus.parsing == XML_SUSPENDED) ++ if (parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter)) + parser->m_processor = epilogProcessor; + else + return epilogProcessor(parser, next, end, nextPtr); +@@ -3286,14 +3402,22 @@ + break; + /* LCOV_EXCL_STOP */ + } +- *eventPP = s = next; + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ *eventPP = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ *eventPP = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ *nextPtr = next; ++ return XML_ERROR_NONE; ++ } ++ /* Fall through */ + default:; ++ *eventPP = s = next; + } + } + /* not reached */ +@@ -4210,14 +4334,21 @@ + /* LCOV_EXCL_STOP */ + } + +- *eventPP = s = next; + 
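Review bot: In the status `switch` added at -3286, the `XML_PARSING` arm taken when `parser->m_reenter` is set writes `*nextPtr = next` and returns without touching `*eventPP`, while the `XML_SUSPENDED` and `XML_FINISHED` arms right above it now set `*eventPP = next` explicitly. If leaving the event pointer on the entity reference during re-entry is intended (it looks that way, since the assignment was moved out of the common path), this deserves a comment in that arm, for example `/* keep *eventPP on the reference: position reporting must not advance until the entity is processed */`. Without it the asymmetry reads like an omission, and a later clean-up could change what `XML_GetCurrentByteIndex` and the line and column getters report. The enclosing function starts and ends outside the hunk.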
switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ *eventPP = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ *eventPP = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default:; ++ *eventPP = s = next; + } + } + /* not reached */ +@@ -4549,7 +4680,7 @@ + } + /* found end of entity value - can store it now */ + return storeEntityValue(parser, parser->m_encoding, s, end, +- XML_ACCOUNT_DIRECT); ++ XML_ACCOUNT_DIRECT, NULL); + } else if (tok == XML_TOK_XML_DECL) { + enum XML_Error result; + result = processXmlDecl(parser, 0, start, next); +@@ -4676,7 +4807,7 @@ + break; + } + /* found end of entity value - can store it now */ +- return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT); ++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL); + } + start = next; + } +@@ -5119,9 +5250,9 @@ + #if XML_GE == 1 + // This will store the given replacement text in + // parser->m_declEntity->textPtr. +- enum XML_Error result +- = storeEntityValue(parser, enc, s + enc->minBytesPerChar, +- next - enc->minBytesPerChar, XML_ACCOUNT_NONE); ++ enum XML_Error result = callStoreEntityValue( ++ parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar, ++ XML_ACCOUNT_NONE); + if (parser->m_declEntity) { + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen +@@ -5546,7 +5677,7 @@ + enum XML_Error result; + XML_Bool betweenDecl + = (role == XML_ROLE_PARAM_ENTITY_REF ? 
XML_TRUE : XML_FALSE); +- result = processInternalEntity(parser, entity, betweenDecl); ++ result = processEntity(parser, entity, betweenDecl, ENTITY_INTERNAL); + if (result != XML_ERROR_NONE) + return result; + handleDefault = XML_FALSE; +@@ -5751,6 +5882,12 @@ + return XML_ERROR_NONE; + case XML_FINISHED: + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ *nextPtr = next; ++ return XML_ERROR_NONE; ++ } ++ /* Fall through */ + default: + s = next; + tok = XmlPrologTok(enc, s, end, &next); +@@ -5818,28 +5955,58 @@ + default: + return XML_ERROR_JUNK_AFTER_DOC_ELEMENT; + } +- parser->m_eventPtr = s = next; + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: ++ parser->m_eventPtr = next; + *nextPtr = next; + return XML_ERROR_NONE; + case XML_FINISHED: ++ parser->m_eventPtr = next; + return XML_ERROR_ABORTED; ++ case XML_PARSING: ++ if (parser->m_reenter) { ++ return XML_ERROR_UNEXPECTED_STATE; // LCOV_EXCL_LINE ++ } ++ /* Fall through */ + default:; ++ parser->m_eventPtr = s = next; + } + } + } + + static enum XML_Error +-processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { +- const char *textStart, *textEnd; +- const char *next; +- enum XML_Error result; +- OPEN_INTERNAL_ENTITY *openEntity; ++processEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl, ++ enum EntityType type) { ++ OPEN_INTERNAL_ENTITY *openEntity, **openEntityList, **freeEntityList; ++ switch (type) { ++ case ENTITY_INTERNAL: ++ parser->m_processor = internalEntityProcessor; ++ openEntityList = &parser->m_openInternalEntities; ++ freeEntityList = &parser->m_freeInternalEntities; ++ break; ++ case ENTITY_ATTRIBUTE: ++ openEntityList = &parser->m_openAttributeEntities; ++ freeEntityList = &parser->m_freeAttributeEntities; ++ break; ++ case ENTITY_VALUE: ++ openEntityList = &parser->m_openValueEntities; ++ freeEntityList = &parser->m_freeValueEntities; ++ break; ++ /* default case serves merely as a safety net in case of a 
++ * wrong entityType. Therefore we exclude the following lines ++ * from the test coverage. ++ * ++ * LCOV_EXCL_START ++ */ ++ default: ++ // Should not reach here ++ assert(0); ++ /* LCOV_EXCL_STOP */ ++ } + +- if (parser->m_freeInternalEntities) { +- openEntity = parser->m_freeInternalEntities; +- parser->m_freeInternalEntities = openEntity->next; ++ if (*freeEntityList) { ++ openEntity = *freeEntityList; ++ *freeEntityList = openEntity->next; + } else { + openEntity + = (OPEN_INTERNAL_ENTITY *)MALLOC(parser, sizeof(OPEN_INTERNAL_ENTITY)); +@@ -5847,55 +6014,34 @@ + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; ++ entity->hasMore = XML_TRUE; + #if XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + entity->processed = 0; +- openEntity->next = parser->m_openInternalEntities; +- parser->m_openInternalEntities = openEntity; ++ openEntity->next = *openEntityList; ++ *openEntityList = openEntity; + openEntity->entity = entity; ++ openEntity->type = type; + openEntity->startTagLevel = parser->m_tagLevel; + openEntity->betweenDecl = betweenDecl; + openEntity->internalEventPtr = NULL; + openEntity->internalEventEndPtr = NULL; +- textStart = (const char *)entity->textPtr; +- textEnd = (const char *)(entity->textPtr + entity->textLen); +- /* Set a safe default value in case 'next' does not get set */ +- next = textStart; +- +- if (entity->is_param) { +- int tok +- = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); +- result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, +- tok, next, &next, XML_FALSE, XML_FALSE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- } else { +- result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding, +- textStart, textEnd, &next, XML_FALSE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- } + +- if (result == XML_ERROR_NONE) { +- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- entity->processed = (int)(next - textStart); +- parser->m_processor = 
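Review bot: In `processEntity`, the `default:` arm of `switch (type)` relies on `assert(0)` alone, so a build with `NDEBUG` would leave the switch with `openEntityList` and `freeEntityList` uninitialised and then evaluate `if (*freeEntityList)`. Every caller visible in this patch passes one of the three enumerators, so this is defence in depth rather than a reachable fault. A parser that handles untrusted documents should still fail closed here: follow the assert with `return XML_ERROR_UNEXPECTED_STATE;`. That should also quiet maybe-uninitialised diagnostics from compilers that cannot prove the switch is exhaustive. The body of the function continues in the next hunk.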
internalEntityProcessor; +- } else if (parser->m_openInternalEntities->entity == entity) { +-#if XML_GE == 1 +- entityTrackingOnClose(parser, entity, __LINE__); +-#endif /* XML_GE == 1 */ +- entity->open = XML_FALSE; +- parser->m_openInternalEntities = openEntity->next; +- /* put openEntity back in list of free instances */ +- openEntity->next = parser->m_freeInternalEntities; +- parser->m_freeInternalEntities = openEntity; +- } ++ // Only internal entities make use of the reenter flag ++ // therefore no need to set it for other entity types ++ if (type == ENTITY_INTERNAL) { ++ triggerReenter(parser); + } +- return result; ++ return XML_ERROR_NONE; + } + + static enum XML_Error PTRCALL + internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + const char **nextPtr) { ++ UNUSED_P(s); ++ UNUSED_P(end); ++ UNUSED_P(nextPtr); + ENTITY *entity; + const char *textStart, *textEnd; + const char *next; +@@ -5905,68 +6051,67 @@ + return XML_ERROR_UNEXPECTED_STATE; + + entity = openEntity->entity; +- textStart = ((const char *)entity->textPtr) + entity->processed; +- textEnd = (const char *)(entity->textPtr + entity->textLen); +- /* Set a safe default value in case 'next' does not get set */ +- next = textStart; +- +- if (entity->is_param) { +- int tok +- = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); +- result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, +- tok, next, &next, XML_FALSE, XML_TRUE, +- XML_ACCOUNT_ENTITY_EXPANSION); +- } else { +- result = doContent(parser, openEntity->startTagLevel, +- parser->m_internalEncoding, textStart, textEnd, &next, +- XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); +- } + +- if (result != XML_ERROR_NONE) +- return result; ++ // This will return early ++ if (entity->hasMore) { ++ textStart = ((const char *)entity->textPtr) + entity->processed; ++ textEnd = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ next 
= textStart; ++ ++ if (entity->is_param) { ++ int tok ++ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); ++ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, ++ tok, next, &next, XML_FALSE, XML_FALSE, ++ XML_ACCOUNT_ENTITY_EXPANSION); ++ } else { ++ result = doContent(parser, openEntity->startTagLevel, ++ parser->m_internalEncoding, textStart, textEnd, &next, ++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); ++ } + +- if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- entity->processed = (int)(next - (const char *)entity->textPtr); ++ if (result != XML_ERROR_NONE) ++ return result; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed ++ if (textEnd != next ++ && (parser->m_parsingStatus.parsing == XML_SUSPENDED ++ || (parser->m_parsingStatus.parsing == XML_PARSING ++ && parser->m_reenter))) { ++ entity->processed = (int)(next - (const char *)entity->textPtr); ++ return result; ++ } ++ ++ // Entity is complete. We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openInternalEntities during doProlog or doContent calls above) ++ entity->hasMore = XML_FALSE; ++ triggerReenter(parser); + return result; +- } ++ } // End of entity processing, "if" block will return here + ++ // Remove fully processed openEntity from open entity list. + #if XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif ++ // openEntity is m_openInternalEntities' head, as we set it at the start of ++ // this function and we skipped doProlog and doContent calls with hasMore set ++ // to false. 
This means we can directly remove the head of ++ // m_openInternalEntities ++ assert(parser->m_openInternalEntities == openEntity); + entity->open = XML_FALSE; +- parser->m_openInternalEntities = openEntity->next; ++ parser->m_openInternalEntities = parser->m_openInternalEntities->next; ++ + /* put openEntity back in list of free instances */ + openEntity->next = parser->m_freeInternalEntities; + parser->m_freeInternalEntities = openEntity; + +- // If there are more open entities we want to stop right here and have the +- // upcoming call to XML_ResumeParser continue with entity content, or it would +- // be ignored altogether. +- if (parser->m_openInternalEntities != NULL +- && parser->m_parsingStatus.parsing == XML_SUSPENDED) { +- return XML_ERROR_NONE; +- } +- +- if (entity->is_param) { +- int tok; +- parser->m_processor = prologProcessor; +- tok = XmlPrologTok(parser->m_encoding, s, end, &next); +- return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, +- XML_ACCOUNT_DIRECT); +- } else { +- parser->m_processor = contentProcessor; +- /* see externalEntityContentProcessor vs contentProcessor */ +- result = doContent(parser, parser->m_parentParser ? 1 : 0, +- parser->m_encoding, s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); +- if (result == XML_ERROR_NONE) { +- if (! storeRawNames(parser)) +- return XML_ERROR_NO_MEMORY; +- } +- return result; ++ if (parser->m_openInternalEntities == NULL) { ++ parser->m_processor = entity->is_param ? 
prologProcessor : contentProcessor; + } ++ triggerReenter(parser); ++ return XML_ERROR_NONE; + } + + static enum XML_Error PTRCALL +@@ -5982,8 +6127,70 @@ + storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *ptr, const char *end, STRING_POOL *pool, + enum XML_Account account) { +- enum XML_Error result +- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account); ++ const char *next = ptr; ++ enum XML_Error result = XML_ERROR_NONE; ++ ++ while (1) { ++ if (! parser->m_openAttributeEntities) { ++ result = appendAttributeValue(parser, enc, isCdata, next, end, pool, ++ account, &next); ++ } else { ++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openAttributeEntities; ++ if (! openEntity) ++ return XML_ERROR_UNEXPECTED_STATE; ++ ++ ENTITY *const entity = openEntity->entity; ++ const char *const textStart ++ = ((const char *)entity->textPtr) + entity->processed; ++ const char *const textEnd ++ = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ const char *nextInEntity = textStart; ++ if (entity->hasMore) { ++ result = appendAttributeValue( ++ parser, parser->m_internalEncoding, isCdata, textStart, textEnd, ++ pool, XML_ACCOUNT_ENTITY_EXPANSION, &nextInEntity); ++ if (result != XML_ERROR_NONE) ++ break; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed. A XML_SUSPENDED check here is not required as ++ // appendAttributeValue will never suspend the parser. ++ if (textEnd != nextInEntity) { ++ entity->processed ++ = (int)(nextInEntity - (const char *)entity->textPtr); ++ continue; ++ } ++ ++ // Entity is complete. 
We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openAttributeEntities during appendAttributeValue) ++ entity->hasMore = XML_FALSE; ++ continue; ++ } // End of entity processing, "if" block skips the rest ++ ++ // Remove fully processed openEntity from open entity list. ++#if XML_GE == 1 ++ entityTrackingOnClose(parser, entity, __LINE__); ++#endif ++ // openEntity is m_openAttributeEntities' head, since we set it at the ++ // start of this function and because we skipped appendAttributeValue call ++ // with hasMore set to false. This means we can directly remove the head ++ // of m_openAttributeEntities ++ assert(parser->m_openAttributeEntities == openEntity); ++ entity->open = XML_FALSE; ++ parser->m_openAttributeEntities = parser->m_openAttributeEntities->next; ++ ++ /* put openEntity back in list of free instances */ ++ openEntity->next = parser->m_freeAttributeEntities; ++ parser->m_freeAttributeEntities = openEntity; ++ } ++ ++ // Break if an error occurred or there is nothing left to process ++ if (result || (parser->m_openAttributeEntities == NULL && end == next)) { ++ break; ++ } ++ } ++ + if (result) + return result; + if (! 
isCdata && poolLength(pool) && poolLastChar(pool) == 0x20) +@@ -5996,7 +6203,7 @@ + static enum XML_Error + appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *ptr, const char *end, STRING_POOL *pool, +- enum XML_Account account) { ++ enum XML_Account account, const char **nextPtr) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + #ifndef XML_DTD + UNUSED_P(account); +@@ -6014,6 +6221,9 @@ + #endif + switch (tok) { + case XML_TOK_NONE: ++ if (nextPtr) { ++ *nextPtr = next; ++ } + return XML_ERROR_NONE; + case XML_TOK_INVALID: + if (enc == parser->m_encoding) +@@ -6154,21 +6364,11 @@ + return XML_ERROR_ATTRIBUTE_EXTERNAL_ENTITY_REF; + } else { + enum XML_Error result; +- const XML_Char *textEnd = entity->textPtr + entity->textLen; +- entity->open = XML_TRUE; +-#if XML_GE == 1 +- entityTrackingOnOpen(parser, entity, __LINE__); +-#endif +- result = appendAttributeValue(parser, parser->m_internalEncoding, +- isCdata, (const char *)entity->textPtr, +- (const char *)textEnd, pool, +- XML_ACCOUNT_ENTITY_EXPANSION); +-#if XML_GE == 1 +- entityTrackingOnClose(parser, entity, __LINE__); +-#endif +- entity->open = XML_FALSE; +- if (result) +- return result; ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_ATTRIBUTE); ++ if ((result == XML_ERROR_NONE) && (nextPtr != NULL)) { ++ *nextPtr = next; ++ } ++ return result; + } + } break; + default: +@@ -6197,7 +6397,7 @@ + static enum XML_Error + storeEntityValue(XML_Parser parser, const ENCODING *enc, + const char *entityTextPtr, const char *entityTextEnd, +- enum XML_Account account) { ++ enum XML_Account account, const char **nextPtr) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + STRING_POOL *pool = &(dtd->entityValuePool); + enum XML_Error result = XML_ERROR_NONE; +@@ -6215,8 +6415,9 @@ + return XML_ERROR_NO_MEMORY; + } + ++ const char *next; + for (;;) { +- const char *next ++ next + = entityTextPtr; /* XmlEntityValueTok 
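Review bot: In the new loop of `storeAttributeValue`, the guard `if (! openEntity) return XML_ERROR_UNEXPECTED_STATE;` cannot fire. The `else` branch is entered only when `parser->m_openAttributeEntities` is non-NULL, and `openEntity` is initialised from that same field on the preceding line. Either drop the check or mark it as an excluded safety net the way the `default:` arm of `processEntity` is marked, so it is not mistaken for a real error path and does not appear as uncovered code. `callStoreEntityValue` in the -6375 hunk repeats the same pattern with `m_openValueEntities`.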
doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +@@ -6278,16 +6479,8 @@ + } else + dtd->keepProcessing = dtd->standalone; + } else { +- entity->open = XML_TRUE; +- entityTrackingOnOpen(parser, entity, __LINE__); +- result = storeEntityValue( +- parser, parser->m_internalEncoding, (const char *)entity->textPtr, +- (const char *)(entity->textPtr + entity->textLen), +- XML_ACCOUNT_ENTITY_EXPANSION); +- entityTrackingOnClose(parser, entity, __LINE__); +- entity->open = XML_FALSE; +- if (result) +- goto endEntityValue; ++ result = processEntity(parser, entity, XML_FALSE, ENTITY_VALUE); ++ goto endEntityValue; + } + break; + } +@@ -6375,6 +6568,81 @@ + # ifdef XML_DTD + parser->m_prologState.inEntityValue = oldInEntityValue; + # endif /* XML_DTD */ ++ // If 'nextPtr' is given, it should be updated during the processing ++ if (nextPtr != NULL) { ++ *nextPtr = next; ++ } ++ return result; ++} ++ ++static enum XML_Error ++callStoreEntityValue(XML_Parser parser, const ENCODING *enc, ++ const char *entityTextPtr, const char *entityTextEnd, ++ enum XML_Account account) { ++ const char *next = entityTextPtr; ++ enum XML_Error result = XML_ERROR_NONE; ++ while (1) { ++ if (! parser->m_openValueEntities) { ++ result ++ = storeEntityValue(parser, enc, next, entityTextEnd, account, &next); ++ } else { ++ OPEN_INTERNAL_ENTITY *const openEntity = parser->m_openValueEntities; ++ if (! 
openEntity) ++ return XML_ERROR_UNEXPECTED_STATE; ++ ++ ENTITY *const entity = openEntity->entity; ++ const char *const textStart ++ = ((const char *)entity->textPtr) + entity->processed; ++ const char *const textEnd ++ = (const char *)(entity->textPtr + entity->textLen); ++ /* Set a safe default value in case 'next' does not get set */ ++ const char *nextInEntity = textStart; ++ if (entity->hasMore) { ++ result = storeEntityValue(parser, parser->m_internalEncoding, textStart, ++ textEnd, XML_ACCOUNT_ENTITY_EXPANSION, ++ &nextInEntity); ++ if (result != XML_ERROR_NONE) ++ break; ++ // Check if entity is complete, if not, mark down how much of it is ++ // processed. A XML_SUSPENDED check here is not required as ++ // appendAttributeValue will never suspend the parser. ++ if (textEnd != nextInEntity) { ++ entity->processed ++ = (int)(nextInEntity - (const char *)entity->textPtr); ++ continue; ++ } ++ ++ // Entity is complete. We cannot close it here since we need to first ++ // process its possible inner entities (which are added to the ++ // m_openValueEntities during storeEntityValue) ++ entity->hasMore = XML_FALSE; ++ continue; ++ } // End of entity processing, "if" block skips the rest ++ ++ // Remove fully processed openEntity from open entity list. ++# if XML_GE == 1 ++ entityTrackingOnClose(parser, entity, __LINE__); ++# endif ++ // openEntity is m_openValueEntities' head, since we set it at the ++ // start of this function and because we skipped storeEntityValue call ++ // with hasMore set to false. 
This means we can directly remove the head ++ // of m_openValueEntities ++ assert(parser->m_openValueEntities == openEntity); ++ entity->open = XML_FALSE; ++ parser->m_openValueEntities = parser->m_openValueEntities->next; ++ ++ /* put openEntity back in list of free instances */ ++ openEntity->next = parser->m_freeValueEntities; ++ parser->m_freeValueEntities = openEntity; ++ } ++ ++ // Break if an error occurred or there is nothing left to process ++ if (result ++ || (parser->m_openValueEntities == NULL && entityTextEnd == next)) { ++ break; ++ } ++ } ++ + return result; + } + +@@ -7983,7 +8251,7 @@ + (void *)rootParser, rootParser->m_entity_stats.countEverOpened, + rootParser->m_entity_stats.currentDepth, + rootParser->m_entity_stats.maximumDepthSeen, +- (rootParser->m_entity_stats.currentDepth - 1) * 2, "", ++ ((int)rootParser->m_entity_stats.currentDepth - 1) * 2, "", + entity->is_param ? "%" : "&", entityName, action, entity->textLen, + sourceLine); + } +@@ -8542,11 +8810,13 @@ + return "\\xFE"; + case 255: + return "\\xFF"; ++ // LCOV_EXCL_START + default: + assert(0); /* never gets here */ + return "dead code"; + } + assert(0); /* never gets here */ ++ // LCOV_EXCL_STOP + } + + #endif /* XML_GE == 1 */ +--- contrib/expat/tests/acc_tests.c.orig ++++ contrib/expat/tests/acc_tests.c +@@ -360,13 +360,16 @@ + START_TEST(test_helper_unsigned_char_to_printable) { + // Smoke test + unsigned char uc = 0; +- for (; uc < (unsigned char)-1; uc++) { ++ for (;; uc++) { + set_subtest("char %u", (unsigned)uc); + const char *const printable = unsignedCharToPrintable(uc); + if (printable == NULL) + fail("unsignedCharToPrintable returned NULL"); + else if (strlen(printable) < (size_t)1) + fail("unsignedCharToPrintable returned empty string"); ++ if (uc == (unsigned char)-1) { ++ break; ++ } + } + + // Two concrete samples +--- contrib/expat/tests/alloc_tests.c.orig ++++ contrib/expat/tests/alloc_tests.c +@@ -19,6 +19,7 @@ + Copyright (c) 2020 Tim Gates + Copyright (c) 2021 
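Review bot: The comment inside `callStoreEntityValue` says `appendAttributeValue will never suspend the parser`, but the call just above it is `storeEntityValue`; the sentence looks carried over from `storeAttributeValue`. That sentence is the only stated justification for omitting an `XML_SUSPENDED` check in this loop, so it should name the function actually called: `// storeEntityValue will never suspend the parser.` The claim should also be confirmed against `storeEntityValue` itself, whose body is only partly visible in this patch.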
Donghee Na + Copyright (c) 2023 Sony Corporation / Snild Dolkow ++ Copyright (c) 2025 Berkay Eren Ürün + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -450,6 +451,31 @@ + } + END_TEST + ++START_TEST(test_alloc_parameter_entity) { ++ const char *text = "\">" ++ "%param1;" ++ "]> &internal;content"; ++ int i; ++ const int alloc_test_max_repeats = 30; ++ ++ for (i = 0; i < alloc_test_max_repeats; i++) { ++ g_allocation_count = i; ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ break; ++ alloc_teardown(); ++ alloc_setup(); ++ } ++ g_allocation_count = -1; ++ if (i == 0) ++ fail("Parameter entity processed despite duff allocator"); ++ if (i == alloc_test_max_repeats) ++ fail("Parameter entity not processed at max allocation count"); ++} ++END_TEST ++ + /* Test the robustness against allocation failure of element handling + * Based on test_dtd_default_handling(). 
+ */ +@@ -2079,6 +2105,7 @@ + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_external_entity); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_ext_entity_set_encoding); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_internal_entity); ++ tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_parameter_entity); + tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_dtd_default_handling); + tcase_add_test(tc_alloc, test_alloc_explicit_encoding); + tcase_add_test(tc_alloc, test_alloc_set_base); +--- contrib/expat/tests/basic_tests.c.orig ++++ contrib/expat/tests/basic_tests.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -19,6 +19,7 @@ + Copyright (c) 2020 Tim Gates + Copyright (c) 2021 Donghee Na + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow ++ Copyright (c) 2024-2025 Berkay Eren Ürün + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -1191,6 +1192,22 @@ + } + END_TEST + ++START_TEST(test_entity_start_tag_level_greater_than_one) { ++ const char *const text = "\n" ++ "]>\n" ++ "\n" ++ " &e1;\n" ++ "\n"; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), ++ /*isFinal*/ XML_TRUE) ++ == XML_STATUS_OK); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + START_TEST(test_wfc_no_recursive_entity_refs) { + const char *text = "\n" +@@ -1202,6 +1219,93 @@ + } + END_TEST + ++START_TEST(test_no_indirectly_recursive_entity_refs) { ++ struct TestCase { ++ const char *doc; ++ bool usesParameterEntities; ++ }; ++ ++ const struct TestCase cases[] = { ++ // general entity + character data ++ {"\n" ++ " \n" ++ "]>
&e2;\n", ++ false}, ++ ++ // general entity + attribute value ++ {"\n" ++ " \n" ++ "]>\n", ++ false}, ++ ++ // parameter entity ++ {"\n" ++ " \n" ++ " \">\n" ++ " %define_g;\n" ++ "]>\n" ++ "\n", ++ true}, ++ }; ++ const XML_Bool reset_or_not[] = {XML_TRUE, XML_FALSE}; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ for (size_t j = 0; j < sizeof(reset_or_not) / sizeof(reset_or_not[0]); ++ j++) { ++ const XML_Bool reset_wanted = reset_or_not[j]; ++ const char *const doc = cases[i].doc; ++ const bool usesParameterEntities = cases[i].usesParameterEntities; ++ ++ set_subtest("[%i,reset=%i] %s", (int)i, (int)j, doc); ++ ++#ifdef XML_DTD // both GE and DTD ++ const bool rejection_expected = true; ++#elif XML_GE == 1 // GE but not DTD ++ const bool rejection_expected = ! usesParameterEntities; ++#else // neither DTD nor GE ++ const bool rejection_expected = false; ++#endif ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++#ifdef XML_DTD ++ if (usesParameterEntities) { ++ assert_true( ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS) ++ == 1); ++ } ++#else ++ UNUSED_P(usesParameterEntities); ++#endif // XML_DTD ++ ++ const enum XML_Status status ++ = _XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc), ++ /*isFinal*/ XML_TRUE); ++ ++ if (rejection_expected) { ++ assert_true(status == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_RECURSIVE_ENTITY_REF); ++ } else { ++ assert_true(status == XML_STATUS_OK); ++ } ++ ++ if (reset_wanted) { ++ // This covers free'ing of (eventually) all three open entity lists by ++ // XML_ParserReset. ++ XML_ParserReset(parser, NULL); ++ } ++ ++ // This covers free'ing of (eventually) all three open entity lists by ++ // XML_ParserFree (unless XML_ParserReset has already done that above). 
++ XML_ParserFree(parser); ++ } ++ } ++} ++END_TEST ++ + START_TEST(test_recursive_external_parameter_entity_2) { + struct TestCase { + const char *doc; +@@ -1417,7 +1521,9 @@ + + XML_SetCharacterDataHandler(g_parser, clearing_aborting_character_handler); + g_resumable = XML_TRUE; +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + xml_failure(g_parser); + if (XML_GetErrorCode(g_parser) != XML_ERROR_NONE) +@@ -1446,7 +1552,9 @@ + XML_SetCharacterDataHandler(g_parser, parser_stop_character_handler); + g_resumable = XML_TRUE; + g_abortable = XML_FALSE; +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + fail("Failed to double-suspend parser"); + +@@ -1830,12 +1938,19 @@ + + /* Test suspending the parser in cdata handler */ + START_TEST(test_suspend_parser_between_cdata_calls) { ++ if (g_chunkSize != 0) { ++ // this test does not use SINGLE_BYTES, because of suspension ++ return; ++ } ++ + const char *text = long_cdata_text; + enum XML_Status result; + + XML_SetCharacterDataHandler(g_parser, clearing_aborting_character_handler); + g_resumable = XML_TRUE; +- result = _XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE); ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. 
++ result = XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE); + if (result != XML_STATUS_SUSPENDED) { + if (result == XML_STATUS_ERROR) + xml_failure(g_parser); +@@ -2378,6 +2493,11 @@ + * entity. Exercises some obscure code in XML_ParserReset(). + */ + START_TEST(test_reset_in_entity) { ++ if (g_chunkSize != 0) { ++ // this test does not use SINGLE_BYTES, because of suspension ++ return; ++ } ++ + const char *text = "\n" + "\n" +@@ -2387,7 +2507,9 @@ + + g_resumable = XML_TRUE; + XML_SetCharacterDataHandler(g_parser, clearing_aborting_character_handler); +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + == XML_STATUS_ERROR) + xml_failure(g_parser); + XML_GetParsingStatus(g_parser, &status); +@@ -3634,7 +3756,9 @@ + XML_SetXmlDeclHandler(g_parser, entity_suspending_xdecl_handler); + XML_SetUserData(g_parser, g_parser); + g_resumable = XML_TRUE; +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. 
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + xml_failure(g_parser); + if (XML_GetErrorCode(g_parser) != XML_ERROR_NONE) +@@ -3830,13 +3954,20 @@ + + /* Test syntax error is caught at parse resumption */ + START_TEST(test_resume_entity_with_syntax_error) { ++ if (g_chunkSize != 0) { ++ // this test does not use SINGLE_BYTES, because of suspension ++ return; ++ } ++ + const char *text = "Hi'>\n" + "]>\n" + "&foo;\n"; + + XML_SetStartElementHandler(g_parser, start_element_suspender); +- if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ // can't use SINGLE_BYTES here, because it'll return early on suspension, and ++ // we won't know exactly how much input we actually managed to give Expat. ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) + != XML_STATUS_SUSPENDED) + xml_failure(g_parser); + if (XML_ResumeParser(g_parser) != XML_STATUS_ERROR) +@@ -3960,7 +4091,7 @@ + = {"\n" + "\n" + "%pe2;\n", +- external_entity_null_loader}; ++ external_entity_null_loader, NULL}; + + XML_SetUserData(g_parser, &test_data); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +@@ -3978,7 +4109,7 @@ + = {"\n" + "\n" + "%pe2;\n", +- NULL}; ++ NULL, NULL}; + + XML_SetUserData(g_parser, &test_data); + XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +@@ -5278,6 +5409,151 @@ + } + END_TEST + ++/* Test a possible early return location in internalEntityProcessor */ ++START_TEST(test_entity_ref_no_elements) { ++ const char *const text = "\n" ++ "]> &e1;"; // intentionally missing newline ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++/* Tests if chained entity references lead to unbounded recursion */ ++START_TEST(test_deep_nested_entity) { ++ const 
size_t N_LINES = 60000; ++ const size_t SIZE_PER_LINE = 50; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n", ++ (long unsigned)i, (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, "]> &s%lu;\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ const XML_Char *const expected = XCS("deepText"); ++ ++ CharData storage; ++ CharData_Init(&storage); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ XML_SetCharacterDataHandler(parser, accumulate_characters); ++ XML_SetUserData(parser, &storage); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ ++/* Tests if chained entity references in attributes ++lead to unbounded recursion */ ++START_TEST(test_deep_nested_attribute_entity) { ++ const size_t N_LINES = 60000; ++ const size_t SIZE_PER_LINE = 100; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, " \n", ++ (long unsigned)i, (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, "]> mainText\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}}; ++ ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}}; ++ info[0].attributes = doc_info; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ParserAndElementInfo parserPlusElemenInfo = 
{parser, info}; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserPlusElemenInfo); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ ++START_TEST(test_deep_nested_entity_delayed_interpretation) { ++ const size_t N_LINES = 70000; ++ const size_t SIZE_PER_LINE = 100; ++ ++ char *const text = (char *)malloc((N_LINES + 4) * SIZE_PER_LINE); ++ if (text == NULL) { ++ fail("malloc failed"); ++ } ++ ++ char *textPtr = text; ++ ++ // Create the XML ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ "\n"); ++ ++ for (size_t i = 1; i < N_LINES; ++i) { ++ textPtr += snprintf(textPtr, SIZE_PER_LINE, ++ " \n", (long unsigned)i, ++ (long unsigned)(i - 1)); ++ } ++ ++ snprintf(textPtr, SIZE_PER_LINE, ++ " \">\n" ++ " %%define_g;\n" ++ "]>\n" ++ "\n", ++ (long unsigned)(N_LINES - 1)); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++ free(text); ++} ++END_TEST ++ + START_TEST(test_nested_entity_suspend) { + const char *const text = "'>\n" +@@ -5308,6 +5584,35 @@ + } + END_TEST + ++START_TEST(test_nested_entity_suspend_2) { ++ const char *const text = "\n" ++ " \n" ++ " \n" ++ "]>\n" ++ "&ge3;"; ++ const XML_Char *const expected = XCS("head3") XCS("head2") XCS("head1") ++ XCS("Z") XCS("tail1") XCS("tail2") XCS("tail3"); ++ CharData storage; ++ CharData_Init(&storage); ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ParserPlusStorage parserPlusStorage = {parser, &storage}; ++ ++ XML_SetCharacterDataHandler(parser, accumulate_char_data_and_suspend); ++ XML_SetUserData(parser, &parserPlusStorage); ++ ++ enum XML_Status status = XML_Parse(parser, text, 
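Review bot: The return value of `snprintf` is added to `textPtr` unchecked in `test_deep_nested_entity`, and the same pattern repeats in `test_deep_nested_attribute_entity` and `test_deep_nested_entity_delayed_interpretation` in this hunk. `snprintf` returns the length the output would have had, so a line longer than `SIZE_PER_LINE` would leave a terminator inside the document and move `textPtr` past it; `strlen(text)` would then hand Expat a shortened document, and a negative return would move the pointer backwards. The format strings are not fully legible in this view, so the bound may well hold for these constants, but it is cheap to pin: `const int n = snprintf(textPtr, SIZE_PER_LINE, ...); assert_true(n > 0 && (size_t)n < SIZE_PER_LINE); textPtr += n;`.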
(int)strlen(text), XML_TRUE); ++ while (status == XML_STATUS_SUSPENDED) { ++ status = XML_ResumeParser(parser); ++ } ++ if (status != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for quadratic parsing on large tokens */ + START_TEST(test_big_tokens_scale_linearly) { + const struct { +@@ -5968,7 +6273,9 @@ + tcase_add_test(tc_basic, test_wfc_undeclared_entity_with_external_subset); + tcase_add_test(tc_basic, test_not_standalone_handler_reject); + tcase_add_test(tc_basic, test_not_standalone_handler_accept); ++ tcase_add_test(tc_basic, test_entity_start_tag_level_greater_than_one); + tcase_add_test__if_xml_ge(tc_basic, test_wfc_no_recursive_entity_refs); ++ tcase_add_test(tc_basic, test_no_indirectly_recursive_entity_refs); + tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_invalid_parse); + tcase_add_test__if_xml_ge(tc_basic, test_dtd_default_handling); + tcase_add_test(tc_basic, test_dtd_attr_handling); +@@ -6147,7 +6454,13 @@ + tcase_add_test(tc_basic, test_empty_element_abort); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_pool_integrity_with_unfinished_attr); ++ tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements); ++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity); ++ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity); ++ tcase_add_test__if_xml_ge(tc_basic, ++ test_deep_nested_entity_delayed_interpretation); + tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend); ++ tcase_add_test__if_xml_ge(tc_basic, test_nested_entity_suspend_2); + tcase_add_test(tc_basic, test_big_tokens_scale_linearly); + tcase_add_test(tc_basic, test_set_reparse_deferral); + tcase_add_test(tc_basic, test_reparse_deferral_is_inherited); +--- contrib/expat/tests/benchmark/benchmark.c.orig ++++ contrib/expat/tests/benchmark/benchmark.c +@@ -8,7 +8,7 @@ + + Copyright (c) 2003-2006 Karl Waclawek + Copyright (c) 2005-2007 
Steven Solie +- Copyright (c) 2017-2023 Sebastian Pipping ++ Copyright (c) 2017-2025 Sebastian Pipping + Copyright (c) 2017 Rhodri James + Licensed under the MIT license: + +@@ -32,10 +32,18 @@ + USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + ++#define _POSIX_C_SOURCE 1 // fdopen ++ ++#if defined(_MSC_VER) ++# include // _open, _close ++#else ++# include // close ++#endif ++ ++#include // open + #include + #include + #include // ptrdiff_t +-#include + #include + #include + #include "expat.h" +@@ -52,17 +60,18 @@ + # define XML_FMT_STR "s" + #endif + +-static void ++static int + usage(const char *prog, int rc) { + fprintf(stderr, "usage: %s [-n] filename bufferSize nr_of_loops\n", prog); +- exit(rc); ++ return rc; + } + + int + main(int argc, char *argv[]) { + XML_Parser parser; + char *XMLBuf, *XMLBufEnd, *XMLBufPtr; +- FILE *fd; ++ int fd; ++ FILE *file; + struct stat fileAttr; + int nrOfLoops, bufferSize, i, isFinal; + size_t fileSize; +@@ -76,34 +85,48 @@ + ns = 1; + j = 1; + } else +- usage(argv[0], 1); ++ return usage(argv[0], 1); + } + } + + if (argc != j + 4) +- usage(argv[0], 1); ++ return usage(argv[0], 1); + +- if (stat(argv[j + 1], &fileAttr) != 0) { +- fprintf(stderr, "could not access file '%s'\n", argv[j + 1]); ++ fd = open(argv[j + 1], O_RDONLY); ++ if (fd == -1) { ++ fprintf(stderr, "could not open file '%s'\n", argv[j + 1]); + return 2; + } + +- fd = fopen(argv[j + 1], "r"); +- if (! fd) { +- fprintf(stderr, "could not open file '%s'\n", argv[j + 1]); +- exit(2); ++ if (fstat(fd, &fileAttr) != 0) { ++ close(fd); ++ fprintf(stderr, "could not fstat file '%s'\n", argv[j + 1]); ++ return 2; ++ } ++ ++ file = fdopen(fd, "r"); ++ if (! 
file) { ++ close(fd); ++ fprintf(stderr, "could not fdopen file '%s'\n", argv[j + 1]); ++ return 2; + } + + bufferSize = atoi(argv[j + 2]); + nrOfLoops = atoi(argv[j + 3]); + if (bufferSize <= 0 || nrOfLoops <= 0) { ++ fclose(file); // NOTE: this closes fd as well + fprintf(stderr, "buffer size and nr of loops must be greater than zero.\n"); +- exit(3); ++ return 3; + } + + XMLBuf = malloc(fileAttr.st_size); +- fileSize = fread(XMLBuf, sizeof(char), fileAttr.st_size, fd); +- fclose(fd); ++ if (XMLBuf == NULL) { ++ fclose(file); // NOTE: this closes fd as well ++ fprintf(stderr, "ouf of memory.\n"); ++ return 5; ++ } ++ fileSize = fread(XMLBuf, sizeof(char), fileAttr.st_size, file); ++ fclose(file); // NOTE: this closes fd as well + + if (ns) + parser = XML_ParserCreateNS(NULL, '!'); +@@ -132,7 +155,7 @@ + XML_GetCurrentColumnNumber(parser)); + free(XMLBuf); + XML_ParserFree(parser); +- exit(4); ++ return 4; + } + XMLBufPtr += bufferSize; + } while (! isFinal); +--- contrib/expat/tests/common.c.orig ++++ contrib/expat/tests/common.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -42,6 +42,8 @@ + */ + + #include ++#include ++#include // for SIZE_MAX + #include + #include + +@@ -202,6 +204,12 @@ + for (; len > chunksize; len -= chunksize, s += chunksize) { + enum XML_Status res = XML_Parse(parser, s, chunksize, XML_FALSE); + if (res != XML_STATUS_OK) { ++ if ((res == XML_STATUS_SUSPENDED) && (len > chunksize)) { ++ fail("Use of function _XML_Parse_SINGLE_BYTES with a chunk size " ++ "greater than 0 (from g_chunkSize) does not work well with " ++ "suspension. 
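Review bot: The new NULL check after `malloc(fileAttr.st_size)` reports every NULL as an allocation failure, but for an empty input file `malloc(0)` is allowed to return NULL, so a zero-length file could be reported as out of memory on some platforms. Checking `fileAttr.st_size` before allocating (for example rejecting a size of zero with its own message) would keep the two cases apart. The message itself has a typo, `ouf of memory.`; it should read `out of memory.`. `main` begins and ends outside this hunk.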
Please consider use of plain XML_Parse at this " ++ "place in your test, instead."); ++ } + return res; + } + } +@@ -294,3 +302,26 @@ + g_reallocation_count--; + return realloc(ptr, size); + } ++ ++// Portable remake of strndup(3) for C99; does not care about space efficiency ++char * ++portable_strndup(const char *s, size_t n) { ++ if ((s == NULL) || (n == SIZE_MAX)) { ++ errno = EINVAL; ++ return NULL; ++ } ++ ++ char *const buffer = (char *)malloc(n + 1); ++ if (buffer == NULL) { ++ errno = ENOMEM; ++ return NULL; ++ } ++ ++ errno = 0; ++ ++ memcpy(buffer, s, n); ++ ++ buffer[n] = '\0'; ++ ++ return buffer; ++} +--- contrib/expat/tests/common.h.orig ++++ contrib/expat/tests/common.h +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -146,6 +146,8 @@ + + extern void *duff_reallocator(void *ptr, size_t size); + ++extern char *portable_strndup(const char *s, size_t n); ++ + #endif /* XML_COMMON_H */ + + #ifdef __cplusplus +--- contrib/expat/tests/handlers.c.orig ++++ contrib/expat/tests/handlers.c +@@ -1842,6 +1842,15 @@ + XML_FreeContentModel(g_parser, model); + } + ++void XMLCALL ++suspend_after_element_declaration(void *userData, const XML_Char *name, ++ XML_Content *model) { ++ UNUSED_P(name); ++ XML_Parser parser = (XML_Parser)userData; ++ assert_true(XML_StopParser(parser, /*resumable*/ XML_TRUE) == XML_STATUS_OK); ++ XML_FreeContentModel(parser, model); ++} ++ + void XMLCALL + accumulate_pi_characters(void *userData, const XML_Char *target, + const XML_Char *data) { +@@ -1882,6 +1891,20 @@ + CharData_AppendXMLChars(storage, XCS("\n"), 1); + } + ++void XMLCALL ++accumulate_char_data_and_suspend(void *userData, const XML_Char *s, int len) { ++ ParserPlusStorage *const 
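Review bot: The `(len > chunksize)` half of the added condition is always true at this point, because it is the loop condition of the enclosing `for` and `len` is not modified before the check. `if (res == XML_STATUS_SUSPENDED) {` expresses the same thing and avoids suggesting that some suspended case is meant to fall through to `return res`. The enclosing function starts and ends outside the hunk.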
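Review bot: `portable_strndup` copies exactly `n` bytes with `memcpy`, whereas strndup(3) stops at the first NUL, so a caller passing an `n` larger than the string reads past the end of `s`. If the exact-length behaviour is intended, the comment above the function should say that `s` must point to at least `n` readable bytes; otherwise bound the copy with `const char *const nul = memchr(s, '\0', n); const size_t len = nul ? (size_t)(nul - s) : n;` and copy `len` bytes. Setting `errno = 0` on success also differs from strndup(3), which leaves `errno` untouched when it succeeds.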
parserPlusStorage = (ParserPlusStorage *)userData; ++ ++ CharData_AppendXMLChars(parserPlusStorage->storage, s, len); ++ ++ for (int i = 0; i < len; i++) { ++ if (s[i] == 'Z') { ++ XML_StopParser(parserPlusStorage->parser, /*resumable=*/XML_TRUE); ++ break; ++ } ++ } ++} ++ + void XMLCALL + accumulate_start_element(void *userData, const XML_Char *name, + const XML_Char **atts) { +--- contrib/expat/tests/handlers.h.orig ++++ contrib/expat/tests/handlers.h +@@ -325,6 +325,7 @@ + typedef struct ext_hdlr_data { + const char *parse_text; + XML_ExternalEntityRefHandler handler; ++ CharData *storage; + } ExtHdlrData; + + extern int XMLCALL external_entity_oneshot_loader(XML_Parser parser, +@@ -557,6 +558,10 @@ + extern void XMLCALL element_decl_suspender(void *userData, const XML_Char *name, + XML_Content *model); + ++extern void XMLCALL suspend_after_element_declaration(void *userData, ++ const XML_Char *name, ++ XML_Content *model); ++ + extern void XMLCALL accumulate_pi_characters(void *userData, + const XML_Char *target, + const XML_Char *data); +@@ -569,6 +574,10 @@ + const XML_Char *systemId, const XML_Char *publicId, + const XML_Char *notationName); + ++extern void XMLCALL accumulate_char_data_and_suspend(void *userData, ++ const XML_Char *s, ++ int len); ++ + extern void XMLCALL accumulate_start_element(void *userData, + const XML_Char *name, + const XML_Char **atts); +--- contrib/expat/tests/minicheck.h.orig ++++ contrib/expat/tests/minicheck.h +@@ -14,7 +14,7 @@ + + Copyright (c) 2004-2006 Fred L. Drake, Jr. + Copyright (c) 2006-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2022 Rhodri James + Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow + Licensed under the MIT license: +@@ -129,8 +129,10 @@ + * Prototypes for the actual implementation. 
+ */ + +-# if defined(__GNUC__) ++# if defined(__has_attribute) ++# if __has_attribute(noreturn) + __attribute__((noreturn)) ++# endif + # endif + void + _fail(const char *file, int line, const char *msg); +--- contrib/expat/tests/misc_tests.c.orig ++++ contrib/expat/tests/misc_tests.c +@@ -10,7 +10,7 @@ + Copyright (c) 2003 Greg Stein + Copyright (c) 2005-2007 Steven Solie + Copyright (c) 2005-2012 Karl Waclawek +- Copyright (c) 2016-2024 Sebastian Pipping ++ Copyright (c) 2016-2025 Sebastian Pipping + Copyright (c) 2017-2022 Rhodri James + Copyright (c) 2017 Joe Orton + Copyright (c) 2017 José Gutiérrez de la Concha +@@ -59,6 +59,9 @@ + #include "handlers.h" + #include "misc_tests.h" + ++void XMLCALL accumulate_characters_ext_handler(void *userData, ++ const XML_Char *s, int len); ++ + /* Test that a failure to allocate the parser structure fails gracefully */ + START_TEST(test_misc_alloc_create_parser) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, realloc, free}; +@@ -208,7 +211,7 @@ + if (! 
versions_equal(&read_version, &parsed_version)) + fail("Version mismatch"); + +- if (xcstrcmp(version_text, XCS("expat_2.6.4"))) /* needs bump on releases */ ++ if (xcstrcmp(version_text, XCS("expat_2.7.1"))) /* needs bump on releases */ + fail("XML_*_VERSION in expat.h out of sync?\n"); + } + END_TEST +@@ -294,6 +297,7 @@ + parser = XML_ParserCreate(NULL); + XML_SetElementHandler(parser, start_element_issue_240, end_element_issue_240); + mydata = (DataIssue240 *)malloc(sizeof(DataIssue240)); ++ assert_true(mydata != NULL); + mydata->parser = parser; + mydata->deep = 0; + XML_SetUserData(parser, mydata); +@@ -315,6 +319,7 @@ + parser = XML_ParserCreate(NULL); + XML_SetElementHandler(parser, start_element_issue_240, end_element_issue_240); + mydata = (DataIssue240 *)malloc(sizeof(DataIssue240)); ++ assert_true(mydata != NULL); + mydata->parser = parser; + mydata->deep = 0; + XML_SetUserData(parser, mydata); +@@ -328,64 +333,119 @@ + END_TEST + + START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) { +- const char *const inputOne = "'>\n" +- "\n" +- "%e;"; ++ const char *const inputOne ++ = "'>\n" ++ "%element_d;\n" ++ "'>\n" ++ "\n" ++ "%e;"; + const char *const inputTwo + = "'>\n" ++ "%element_d;\n" + "'>\n" + "\n" + "%e2;"; +- const char *const inputThree = "\n" +- "\n" +- "%e;/>"; +- const char *const inputIssue317 = "\n" +- "Hell'>\n" +- "%foo;\n" +- "]>\n" +- "Hello, world"; ++ const char *const inputThree ++ = "'>\n" ++ "%element_d;\n" ++ "\n" ++ "\n" ++ "%e;/>"; ++ const char *const inputIssue317 ++ = "'>\n" ++ "%element_doc;\n" ++ "\n" ++ "Hell'>\n" ++ "%foo;\n" ++ "]>\n" ++ "Hello, world"; + + const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317}; ++ const XML_Bool suspendOrNot[] = {XML_FALSE, XML_TRUE}; + size_t inputIndex = 0; + + for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) { +- set_subtest("%s", inputs[inputIndex]); +- XML_Parser parser; +- enum XML_Status parseResult; +- int 
setParamEntityResult; +- XML_Size lineNumber; +- XML_Size columnNumber; +- const char *const input = inputs[inputIndex]; +- +- parser = XML_ParserCreate(NULL); +- setParamEntityResult +- = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); +- if (setParamEntityResult != 1) +- fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); +- +- parseResult = _XML_Parse_SINGLE_BYTES(parser, input, (int)strlen(input), 0); +- if (parseResult != XML_STATUS_ERROR) { +- parseResult = _XML_Parse_SINGLE_BYTES(parser, "", 0, 1); ++ for (size_t suspendOrNotIndex = 0; ++ suspendOrNotIndex < sizeof(suspendOrNot) / sizeof(suspendOrNot[0]); ++ suspendOrNotIndex++) { ++ const char *const input = inputs[inputIndex]; ++ const XML_Bool suspend = suspendOrNot[suspendOrNotIndex]; ++ if (suspend && (g_chunkSize > 0)) { ++ // We cannot use _XML_Parse_SINGLE_BYTES below due to suspension, and ++ // so chunk sizes >0 would only repeat the very same test ++ // due to use of plain XML_Parse; we are saving upon that runtime: ++ return; ++ } ++ ++ set_subtest("[input=%d suspend=%s] %s", (int)inputIndex, ++ suspend ? "true" : "false", input); ++ XML_Parser parser; ++ enum XML_Status parseResult; ++ int setParamEntityResult; ++ XML_Size lineNumber; ++ XML_Size columnNumber; ++ ++ parser = XML_ParserCreate(NULL); ++ setParamEntityResult ++ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ if (setParamEntityResult != 1) ++ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS."); ++ ++ if (suspend) { ++ XML_SetUserData(parser, parser); ++ XML_SetElementDeclHandler(parser, suspend_after_element_declaration); ++ } ++ ++ if (suspend) { ++ // can't use SINGLE_BYTES here, because it'll return early on ++ // suspension, and we won't know exactly how much input we actually ++ // managed to give Expat. 
++ parseResult = XML_Parse(parser, input, (int)strlen(input), 0); ++ ++ while (parseResult == XML_STATUS_SUSPENDED) { ++ parseResult = XML_ResumeParser(parser); ++ } ++ ++ if (parseResult != XML_STATUS_ERROR) { ++ // can't use SINGLE_BYTES here, because it'll return early on ++ // suspension, and we won't know exactly how much input we actually ++ // managed to give Expat. ++ parseResult = XML_Parse(parser, "", 0, 1); ++ } ++ ++ while (parseResult == XML_STATUS_SUSPENDED) { ++ parseResult = XML_ResumeParser(parser); ++ } ++ } else { ++ parseResult ++ = _XML_Parse_SINGLE_BYTES(parser, input, (int)strlen(input), 0); ++ ++ if (parseResult != XML_STATUS_ERROR) { ++ parseResult = _XML_Parse_SINGLE_BYTES(parser, "", 0, 1); ++ } ++ } ++ + if (parseResult != XML_STATUS_ERROR) { + fail("Parsing was expected to fail but succeeded."); + } +- } + +- if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) +- fail("Error code does not match XML_ERROR_INVALID_TOKEN"); ++ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN) ++ fail("Error code does not match XML_ERROR_INVALID_TOKEN"); + +- lineNumber = XML_GetCurrentLineNumber(parser); +- if (lineNumber != 4) +- fail("XML_GetCurrentLineNumber does not work as expected."); ++ lineNumber = XML_GetCurrentLineNumber(parser); ++ if (lineNumber != 6) ++ fail("XML_GetCurrentLineNumber does not work as expected."); + +- columnNumber = XML_GetCurrentColumnNumber(parser); +- if (columnNumber != 0) +- fail("XML_GetCurrentColumnNumber does not work as expected."); ++ columnNumber = XML_GetCurrentColumnNumber(parser); ++ if (columnNumber != 0) ++ fail("XML_GetCurrentColumnNumber does not work as expected."); + +- XML_ParserFree(parser); ++ XML_ParserFree(parser); ++ } + } + } + END_TEST +@@ -519,6 +579,105 @@ + } + END_TEST + ++/* Adaptation of accumulate_characters that takes ExtHdlrData input to work with ++ * test_renter_loop_finite_content below */ ++void XMLCALL ++accumulate_characters_ext_handler(void *userData, const XML_Char *s, 
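Review bot: The early `return` in the `suspend && (g_chunkSize > 0)` branch leaves the whole test, not just the current iteration. Because `suspendOrNot` is `{XML_FALSE, XML_TRUE}`, the branch is reached right after the first input's non-suspended run, so with a chunk size above zero `inputTwo`, `inputThree` and `inputIssue317` are no longer parsed at all, although the comment only talks about skipping the redundant suspended variant. `continue;` would skip that variant and keep the chunked coverage of the other three inputs.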
int len) { ++ ExtHdlrData *const test_data = (ExtHdlrData *)userData; ++ CharData_AppendXMLChars(test_data->storage, s, len); ++} ++ ++/* Test that internalEntityProcessor does not re-enter forever; ++ * based on files tests/xmlconf/xmltest/valid/ext-sa/012.{xml,ent} */ ++START_TEST(test_renter_loop_finite_content) { ++ CharData storage; ++ CharData_Init(&storage); ++ const char *const text = "\n" ++ "\n" ++ "\n" ++ "\n" ++ "\n" ++ "\n" ++ "]>\n" ++ "&e1;\n"; ++ ExtHdlrData test_data = {"&e4;\n", external_entity_null_loader, &storage}; ++ const XML_Char *const expected = XCS("(e5)\n"); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ XML_SetUserData(parser, &test_data); ++ XML_SetExternalEntityRefHandler(parser, external_entity_oneshot_loader); ++ XML_SetCharacterDataHandler(parser, accumulate_characters_ext_handler); ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ CharData_CheckXMLChars(&storage, expected); ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++// Inspired by function XML_OriginalString of Perl's XML::Parser ++static char * ++dup_original_string(XML_Parser parser) { ++ const int byte_count = XML_GetCurrentByteCount(parser); ++ ++ assert_true(byte_count >= 0); ++ ++ int offset = -1; ++ int size = -1; ++ ++ const char *const context = XML_GetInputContext(parser, &offset, &size); ++ ++#if XML_CONTEXT_BYTES > 0 ++ assert_true(context != NULL); ++ assert_true(offset >= 0); ++ assert_true(size >= 0); ++ return portable_strndup(context + offset, byte_count); ++#else ++ assert_true(context == NULL); ++ return NULL; ++#endif ++} ++ ++static void ++on_characters_issue_980(void *userData, const XML_Char *s, int len) { ++ (void)s; ++ (void)len; ++ XML_Parser parser = (XML_Parser)userData; ++ ++ char *const original_string = dup_original_string(parser); ++ ++#if XML_CONTEXT_BYTES > 0 ++ assert_true(original_string != NULL); ++ 
assert_true(strcmp(original_string, "&draft.day;") == 0); ++ free(original_string); ++#else ++ assert_true(original_string == NULL); ++#endif ++} ++ ++START_TEST(test_misc_expected_event_ptr_issue_980) { ++ // NOTE: This is a tiny subset of sample "REC-xml-19980210.xml" ++ // from Perl's XML::Parser ++ const char *const doc = "\n" ++ "]>\n" ++ "&draft.day;\n"; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCharacterDataHandler(parser, on_characters_issue_980); ++ ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc), ++ /*isFinal=*/XML_TRUE) ++ == XML_STATUS_OK); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + void + make_miscellaneous_test_case(Suite *s) { + TCase *tc_misc = tcase_create("miscellaneous tests"); +@@ -545,4 +704,6 @@ + tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak); + tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing); + tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser); ++ tcase_add_test__if_xml_ge(tc_misc, test_renter_loop_finite_content); ++ tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980); + } +--- contrib/expat/tests/xmltest.sh.orig ++++ contrib/expat/tests/xmltest.sh +@@ -2,8 +2,8 @@ + # EXPAT TEST SCRIPT FOR W3C XML TEST SUITE + # + # This script can be used to exercise Expat against the +-# w3c.org xml test suite, available from +-# http://www.w3.org/XML/Test/xmlts20020606.zip. ++# w3c.org xml test suite, available from: ++# https://www.w3.org/XML/Test/xmlts20020606.zip + # + # To run this script, first set XMLWF below so that xmlwf can be + # found, then set the output directory with OUTPUT. 
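Review bot: dup_original_string() copies `byte_count` bytes starting at `context + offset` after asserting only that `offset` and `size` are non-negative, so nothing checks that the event lies inside the context buffer. The test exists to catch a wrong event pointer, and with a bad offset the copy would read past the buffer before any assertion fires. Adding `assert_true(byte_count <= size - offset);` ahead of the `portable_strndup` call closes that gap. Separately, test_misc_expected_event_ptr_issue_980 passes the result of `XML_ParserCreate(NULL)` straight to `XML_SetUserData`, where test_renter_loop_finite_content in the same hunk has `assert_true(parser != NULL);`.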
+@@ -30,6 +30,7 @@ + # Copyright (c) 2002 Karl Waclawek + # Copyright (c) 2008-2019 Sebastian Pipping + # Copyright (c) 2017 Rhodri James ++# Copyright (c) 2025 Hanno Böck + # Licensed under the MIT license: + # + # Permission is hereby granted, free of charge, to any person obtaining +--- contrib/expat/xmlwf/readfilemap.c.orig ++++ contrib/expat/xmlwf/readfilemap.c +@@ -14,6 +14,7 @@ + Copyright (c) 2017 Rhodri James + Copyright (c) 2017 Franek Korta + Copyright (c) 2022 Sean McBride ++ Copyright (c) 2025 Hanno Böck + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -55,7 +56,7 @@ + # define EXPAT_read_count_t int + # define EXPAT_read_req_t unsigned int + #else /* POSIX */ +-/* http://pubs.opengroup.org/onlinepubs/009695399/functions/read.html */ ++/* https://pubs.opengroup.org/onlinepubs/009695399/functions/read.html */ + # define EXPAT_read read + # define EXPAT_read_count_t ssize_t + # define EXPAT_read_req_t size_t +--- lib/libexpat/expat_config.h.orig ++++ lib/libexpat/expat_config.h +@@ -89,7 +89,7 @@ + #define PACKAGE_NAME "expat" + + /* Define to the full name and version of this package. */ +-#define PACKAGE_STRING "expat 2.6.4" ++#define PACKAGE_STRING "expat 2.7.1" + + /* Define to the one symbol short name of this package. */ + #define PACKAGE_TARNAME "expat" +@@ -98,7 +98,7 @@ + #define PACKAGE_URL "" + + /* Define to the version of this package. */ +-#define PACKAGE_VERSION "2.6.4" ++#define PACKAGE_VERSION "2.7.1" + + /* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for +@@ -106,7 +106,7 @@ + #define STDC_HEADERS 1 + + /* Version number of package */ +-#define VERSION "2.6.4" ++#define VERSION "2.7.1" + + /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). 
*/ +--- lib/libexpat/libbsdxml.3.orig ++++ lib/libexpat/libbsdxml.3 +@@ -23,7 +23,7 @@ + .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + .\" SUCH DAMAGE. + .\"/ +-.Dd December 8, 2024 ++.Dd April 7, 2025 + .Dt LIBBSDXML 3 + .Os + .Sh NAME +@@ -34,7 +34,7 @@ + .Sh DESCRIPTION + The + .Nm +-library is a verbatim copy of the eXpat XML library version 2.6.4. ++library is a verbatim copy of the eXpat XML library version 2.7.1. + .Pp + The + .Nm diff --git a/website/static/security/patches/EN-25:05/expat-13.5.patch.asc b/website/static/security/patches/EN-25:05/expat-13.5.patch.asc new file mode 100644 index 0000000000..c0d608fb21 --- /dev/null +++ b/website/static/security/patches/EN-25:05/expat-13.5.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DcACgkQbljekB8A +Gu8I9BAA4vT4PA5fQSmgXmzBLEpyNm1HwRkE2Opl3nfy1nlVB9XIpcw1wIMksrv1 +Jj1bKO33q7JcunDZxgi+RIzhpNqO4G6fNLHdHtkMBjVKgkek1jmPOjPfi49Ca106 +mBRFphoPf+s6Fh8yvaSkCjOhIyOv+hUjLbOP34UxaxTX7wwkvRhkVKWCr+UHmi/Q +5JsEq3kq5TJhc90CsEI9QsY2F1znyWUaOlc8yCN2k3c0rnhTi5HhGJskC6tz0L7x +k/WcvC6hqDJeEyRtMaO3JZV7tbo5YsgsxiFzSCYlaVHEov3k47oA83RsZUWEAA3e +UAasBOxSMQnXpOpu9l3WYmmArmSFeDxfCrVBXn868J6K1voG5H5I6Yxh1gBykKqb +HQM1kS7IlTx5CEhmULHMKAeOkfUEXGgZQ05UeZKG6nwUNqD42nEtCFITDDl1Nghe +ymNDLMC0zhG+PBR4e/vYYmDso+GZloLsI624vwILmEmJWvPPV4M36qO8fQSrl7SR +iaV1JQtmdS2rXkRaB7/bfCmhYUnbYJm4uhG1YwUdNGAceUb+S6oGm/SyRM85x5V+ +Pp7cFGl7jD9Wyo+U1AQ/J9W7E/ab6egw/n0V+u9i3O2ZH8I5DlqLdIc2lZGsOWsJ +2VgcqdUah9Ixr56WkFw9NJa8tARzdekdHOtzDJKVIA+Diu+XYC4= +=BWsI +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:06/daemon.patch b/website/static/security/patches/EN-25:06/daemon.patch new file mode 100644 index 0000000000..2e6ae9ba7a --- /dev/null +++ b/website/static/security/patches/EN-25:06/daemon.patch 
@@ -0,0 +1,199 @@
+--- usr.sbin/daemon/daemon.c.orig
++++ usr.sbin/daemon/daemon.c
+@@ -79,6 +79,7 @@
+ enum daemon_mode mode;
+ int pid;
+ int keep_cur_workdir;
++ int kqueue_fd;
+ int restart_delay;
+ int stdmask;
+ int syslog_priority;
+@@ -104,6 +105,7 @@
+ static void daemon_exec(struct daemon_state *);
+ static bool daemon_is_child_dead(struct daemon_state *);
+ static void daemon_set_child_pipe(struct daemon_state *);
++static int daemon_setup_kqueue(void);
+
+ static const char shortopts[] = "+cfHSp:P:ru:o:s:l:t:m:R:T:h";
+
+@@ -322,6 +324,8 @@
+ /* Write out parent pidfile if needed. */
+ pidfile_write(state.parent_pidfh);
+
++ state.kqueue_fd = daemon_setup_kqueue();
++
+ do {
+ state.mode = MODE_SUPERVISE;
+ daemon_eventloop(&state);
+@@ -377,27 +381,13 @@
+ err(1, "pipe");
+ }
+
+- kq = kqueuex(KQUEUE_CLOEXEC);
++ kq = state->kqueue_fd;
+ EV_SET(&event, state->pipe_fd[0], EVFILT_READ, EV_ADD|EV_CLEAR, 0, 0,
+ NULL);
+ if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
+ err(EXIT_FAILURE, "failed to register kevent");
+ }
+
+- EV_SET(&event, SIGHUP, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
+- if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
+- err(EXIT_FAILURE, "failed to register kevent");
+- }
+-
+- EV_SET(&event, SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
+- if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
+- err(EXIT_FAILURE, "failed to register kevent");
+- }
+-
+- EV_SET(&event, SIGCHLD, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
+- if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
+- err(EXIT_FAILURE, "failed to register kevent");
+- }
+ memset(&event, 0, sizeof(struct kevent));
+
+ /* Spawn a child to exec the command. */
+@@ -490,28 +480,86 @@
+ }
+ continue;
+ default:
++ assert(0 && "Unexpected kevent filter type");
+ continue;
+ }
+ }
+
+- close(kq);
++ /* EVFILT_READ kqueue filter goes away here. */
+ close(state->pipe_fd[0]);
+ state->pipe_fd[0] = -1;
+ }
+
++/*
++ * Note that daemon_sleep() should not be called with anything but the signal
++ * events in the kqueue without further consideration.
++ */
+ static void
+ daemon_sleep(struct daemon_state *state)
+ {
+- struct timespec ts = { state->restart_delay, 0 };
++ struct kevent event = { 0 };
++ int ret;
++
++ assert(state->pipe_fd[0] == -1);
++ assert(state->pipe_fd[1] == -1);
+
+ if (!state->restart_enabled) {
+ return;
+ }
+- while (nanosleep(&ts, &ts) == -1) {
+- if (errno != EINTR) {
+- err(1, "nanosleep");
++
++ EV_SET(&event, 0, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS,
++ state->restart_delay, NULL);
++ if (kevent(state->kqueue_fd, &event, 1, NULL, 0, NULL) == -1) {
++ err(1, "failed to register timer");
++ }
++
++ for (;;) {
++ ret = kevent(state->kqueue_fd, NULL, 0, &event, 1, NULL);
++ if (ret == -1) {
++ if (errno != EINTR) {
++ err(1, "kevent");
++ }
++
++ continue;
++ }
++
++ /*
++ * Any other events being raised are indicative of a problem
++ * that we need to investigate. Most likely being that
++ * something was not cleaned up from the eventloop.
++ */
++ assert(event.filter == EVFILT_TIMER ||
++ event.filter == EVFILT_SIGNAL);
++
++ if (event.filter == EVFILT_TIMER) {
++ /* Break's over, back to work. */
++ break;
++ }
++
++ /* Process any pending signals. */
++ switch (event.ident) {
++ case SIGTERM:
++ /*
++ * We could disarm the timer, but we'll be terminating
++ * promptly anyways.
++ */
++ state->restart_enabled = false;
++ return;
++ case SIGHUP:
++ if (state->log_reopen && state->output_fd >= 0) {
++ reopen_log(state);
++ }
++
++ break;
++ case SIGCHLD:
++ default:
++ /* Discard */
++ break;
+ }
+ }
++
++ /* SIGTERM should've returned immediately. */
+ assert(state->restart_enabled);
+ }
+
+ static void
+@@ -701,6 +749,7 @@
+ .restart_enabled = false,
+ .pid = 0,
+ .keep_cur_workdir = 1,
++ .kqueue_fd = -1,
+ .restart_delay = 1,
+ .stdmask = STDOUT_FILENO | STDERR_FILENO,
+ .syslog_enabled = false,
+@@ -719,6 +768,9 @@
+ {
+ assert(state != NULL);
+
++ if (state->kqueue_fd >= 0) {
++ close(state->kqueue_fd);
++ }
+ if (state->output_fd >= 0) {
+ close(state->output_fd);
+ }
+@@ -788,3 +840,32 @@
+ /* The child gets dup'd pipes. */
+ close(state->pipe_fd[0]);
+ }
++
++static int
++daemon_setup_kqueue(void)
++{
++ int kq;
++ struct kevent event = { 0 };
++
++ kq = kqueuex(KQUEUE_CLOEXEC);
++ if (kq == -1) {
++ err(EXIT_FAILURE, "kqueue");
++ }
++
++ EV_SET(&event, SIGHUP, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
++ if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
++ err(EXIT_FAILURE, "failed to register kevent");
++ }
++
++ EV_SET(&event, SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
++ if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
++ err(EXIT_FAILURE, "failed to register kevent");
++ }
++
++ EV_SET(&event, SIGCHLD, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
++ if (kevent(kq, &event, 1, NULL, 0, NULL) == -1) {
++ err(EXIT_FAILURE, "failed to register kevent");
++ }
++
++ return (kq);
++}
diff --git a/website/static/security/patches/EN-25:06/daemon.patch.asc b/website/static/security/patches/EN-25:06/daemon.patch.asc
new file mode 100644
index 0000000000..ea0b064829
--- /dev/null
+++ b/website/static/security/patches/EN-25:06/daemon.patch.asc
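Review bot: In daemon_sleep() the only thing keeping a non-signal event out of `switch (event.ident)` is `assert(event.filter == EVFILT_TIMER || event.filter == EVFILT_SIGNAL)`, which disappears in a build with NDEBUG. A leftover EVFILT_READ event would then have its ident, a descriptor number, matched against SIGTERM and SIGHUP, so a stray event could clear `restart_enabled` or trigger `reopen_log()`. An explicit guard ahead of the switch, `if (event.filter != EVFILT_SIGNAL) continue;`, keeps the behaviour defined while the assert still flags the problem in debug builds. The same reliance on assert applies to `assert(0 && "Unexpected kevent filter type")` in the event loop's default branch, whose enclosing function starts outside the hunk.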
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DkACgkQbljekB8A +Gu84tRAAk0cJpwSqC7Ci2D0kMQLOOE0vSBl5BZFTdXWuGcniIRWxdm70FVsLORRZ +Gsqcx8ewVBS26TskgPB6QICAFW6/MDGB+DYtNSpU2InZH7Grr8ESprNx5b7XuEsr +0HYdlwUI34GuEdqPbnwCTx3tA2pNk25t8/k416Y1FfnkiYLPfjihgiO+eB1vVb00 +Vvbwl0MqmrqFohR3Wo4NbjezLG2UglLpgI50PvFigwD6GNbodHbQejG6fRoU72j1 +gj70t2sVTdcrmFqSFz1efD9sRT/CieGSXHuiGtjqP6ZMJJ783ExEKU/8afs4r3Ut +QC/g8893Abab+tWCJg9FvakVdBemxZg+UtAdGofmcEWAqhV1/nMatOEG8pEVVG4U +Tu0eQRzEqlDn9mhd3+RWmNoEM3r4U947BS/u9GD9roykkuRPILN38aTL7lBu7k7Q +DJ2Oh/ZCy8xA0qNFGX68krYtKLmsdhJi7TaHLvJuat5p4kPM0Wz1pp1c/HdPEMhk +J3qd9B3ZfDtVf4nn+g4uf+HXgpgz+tlWlUUssZto6EaLOiQp5Ezlz2aBiDB9dOSV +sL/Ov4zyShKQw/+Vdx696QyyZrflXCH0F79dnyKMj+/RClT4UuBKfmn+twfy2SlD +e34y+OkSs3ZKJG5/5U63Nuf6UISUlaYWRqGBcfcDvx4UYaDYuUo= +=YkTE +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:07/openssl.patch b/website/static/security/patches/EN-25:07/openssl.patch new file mode 100644 index 0000000000..55254e21a6 --- /dev/null +++ b/website/static/security/patches/EN-25:07/openssl.patch 
@@ -0,0 +1,6544 @@ +--- crypto/openssl/CHANGES.md.orig ++++ crypto/openssl/CHANGES.md +@@ -28,6 +28,37 @@ + + [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod + ++### Changes between 3.0.15 and 3.0.16 [11 Feb 2025] ++ ++ * Fixed timing side-channel in ECDSA signature computation. ++ ++ There is a timing signal of around 300 nanoseconds when the top word of ++ the inverted ECDSA nonce value is zero. This can happen with significant ++ probability only for some of the supported elliptic curves. In particular ++ the NIST P-521 curve is affected. To be able to measure this leak, the ++ attacker process must either be located in the same physical computer or ++ must have a very fast network connection with low latency. ++ ++ ([CVE-2024-13176]) ++ ++ *Tomáš Mráz* ++ ++ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic ++ curve parameters. ++ ++ Use of the low-level GF(2^m) elliptic curve APIs with untrusted ++ explicit values for the field polynomial can lead to out-of-bounds memory ++ reads or writes. ++ Applications working with "exotic" explicit binary (GF(2^m)) curve ++ parameters, that make it possible to represent invalid field polynomials ++ with a zero constant term, via the above or similar APIs, may terminate ++ abruptly as a result of reading or writing outside of array bounds. Remote ++ code execution cannot easily be ruled out. ++ ++ ([CVE-2024-9143]) ++ ++ *Viktor Dukhovni* ++ + ### Changes between 3.0.14 and 3.0.15 [3 Sep 2024] + + * Fixed possible denial of service in X.509 name checks. 
+@@ -19922,6 +19953,8 @@ + + + ++[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 ++[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 + [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 + [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 + [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +--- crypto/openssl/Configurations/unix-Makefile.tmpl.orig ++++ crypto/openssl/Configurations/unix-Makefile.tmpl +@@ -1688,7 +1688,7 @@ + } elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) { + $recipe .= <<"EOF"; + $obj: $deps +- $cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs ++ $cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs + \@touch $dep.tmp + \@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\ + rm -f $dep.tmp; \\ +--- crypto/openssl/NEWS.md.orig ++++ crypto/openssl/NEWS.md +@@ -18,6 +18,20 @@ + OpenSSL 3.0 + ----------- + ++### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [11 Feb 2025] ++ ++OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this ++release is Low. ++ ++This release incorporates the following bug fixes and mitigations: ++ ++ * Fixed timing side-channel in ECDSA signature computation. ++ ([CVE-2024-13176]) ++ ++ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic ++ curve parameters. ++ ([CVE-2024-9143]) ++ + ### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024] + + OpenSSL 3.0.15 is a security patch release. 
The most severe CVE fixed in this +@@ -1495,6 +1509,8 @@ + + + ++[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 ++[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 + [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 + [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 + [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 +--- crypto/openssl/NOTES-NONSTOP.md.orig ++++ crypto/openssl/NOTES-NONSTOP.md +@@ -119,12 +119,9 @@ + + `COMP_ROOT` needs to be in Windows form. + +-`Configure` must specify the `no-makedepend` option otherwise errors will +-result when running the build because the c99 cross-compiler does not support +-the `gcc -MT` option. An example of a `Configure` command to be run from the +-OpenSSL directory is: ++An example of a `Configure` command to be run from the OpenSSL directory is: + +- ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu ++ ./Configure nonstop-nsx_64 --with-rand-seed=rdcpu + + Do not forget to include any OpenSSL cross-compiling prefix and certificate + options when creating your libraries. +--- crypto/openssl/README.md.orig ++++ crypto/openssl/README.md +@@ -59,7 +59,7 @@ + ------------------ + + Source code tarballs of the official releases can be downloaded from +-[www.openssl.org/source](https://www.openssl.org/source). ++[openssl-library.org/source/](https://openssl-library.org/source/). + The OpenSSL project does not distribute the toolkit in binary form. + + However, for a large variety of operating systems precompiled versions +@@ -75,22 +75,18 @@ + the entire project history gives you much more insight into the + code base. + +-The official OpenSSL Git Repository is located at [git.openssl.org]. +-There is a GitHub mirror of the repository at [github.com/openssl/openssl], ++The main OpenSSL Git repository is private. 
++There is a public GitHub mirror of it at [github.com/openssl/openssl], + which is updated automatically from the former on every commit. + +-A local copy of the Git Repository can be obtained by cloning it from +-the original OpenSSL repository using +- +- git clone git://git.openssl.org/openssl.git +- +-or from the GitHub mirror using ++A local copy of the Git repository can be obtained by cloning it from ++the GitHub mirror using + + git clone https://github.com/openssl/openssl.git + + If you intend to contribute to OpenSSL, either to fix bugs or contribute +-new features, you need to fork the OpenSSL repository openssl/openssl on +-GitHub and clone your public fork instead. ++new features, you need to fork the GitHub mirror and clone your public fork ++instead. + + git clone https://github.com/yourname/openssl.git + +@@ -166,7 +162,7 @@ + Copyright + ========= + +-Copyright (c) 1998-2024 The OpenSSL Project ++Copyright (c) 1998-2025 The OpenSSL Project + + Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson + +@@ -178,14 +174,6 @@ + + "OpenSSL Homepage" + +-[git.openssl.org]: +- +- "OpenSSL Git Repository" +- +-[git.openssl.org]: +- +- "OpenSSL Git Repository" +- + [github.com/openssl/openssl]: + + "OpenSSL GitHub Mirror" +--- crypto/openssl/VERSION.dat.orig ++++ crypto/openssl/VERSION.dat +@@ -1,7 +1,7 @@ + MAJOR=3 + MINOR=0 +-PATCH=15 ++PATCH=16 + PRE_RELEASE_TAG= + BUILD_METADATA= +-RELEASE_DATE="3 Sep 2024" ++RELEASE_DATE="11 Feb 2025" + SHLIB_VERSION=3 +--- crypto/openssl/apps/asn1parse.c.orig ++++ crypto/openssl/apps/asn1parse.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -127,7 +127,8 @@ + dump = strtol(opt_arg(), NULL, 0); + break; + case OPT_STRPARSE: +- sk_OPENSSL_STRING_push(osk, opt_arg()); ++ if (sk_OPENSSL_STRING_push(osk, opt_arg()) <= 0) ++ goto end; + break; + case OPT_GENSTR: + genstr = opt_arg(); +--- crypto/openssl/apps/cms.c.orig ++++ crypto/openssl/apps/cms.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -494,13 +494,15 @@ + if (rr_from == NULL + && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(rr_from, opt_arg()); ++ if (sk_OPENSSL_STRING_push(rr_from, opt_arg()) <= 0) ++ goto end; + break; + case OPT_RR_TO: + if (rr_to == NULL + && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(rr_to, opt_arg()); ++ if (sk_OPENSSL_STRING_push(rr_to, opt_arg()) <= 0) ++ goto end; + break; + case OPT_PRINT: + noout = print = 1; +@@ -577,13 +579,15 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + if (keyfile == NULL) + keyfile = signerfile; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + keyfile = NULL; + } + signerfile = opt_arg(); +@@ -601,12 +605,14 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + signerfile = NULL; + if (skkeys == NULL + && (skkeys = 
sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + } + keyfile = opt_arg(); + break; +@@ -660,7 +666,8 @@ + key_param->next = nparam; + key_param = nparam; + } +- sk_OPENSSL_STRING_push(key_param->param, opt_arg()); ++ if (sk_OPENSSL_STRING_push(key_param->param, opt_arg()) <= 0) ++ goto end; + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) +@@ -749,12 +756,14 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (keyfile == NULL) + keyfile = signerfile; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + } + if (sksigners == NULL) { + BIO_printf(bio_err, "No signer certificate specified\n"); +@@ -1014,8 +1023,15 @@ + pwri_tmp = NULL; + } + if (!(flags & CMS_STREAM)) { +- if (!CMS_final(cms, in, NULL, flags)) ++ if (!CMS_final(cms, in, NULL, flags)) { ++ if (originator != NULL ++ && ERR_GET_REASON(ERR_peek_error()) ++ == CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) { ++ BIO_printf(bio_err, "Cannot use originator for encryption\n"); ++ goto end; ++ } + goto end; ++ } + } + } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { + cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key, +@@ -1261,6 +1277,7 @@ + X509_free(cert); + X509_free(recip); + X509_free(signer); ++ X509_free(originator); + EVP_PKEY_free(key); + EVP_CIPHER_free(cipher); + EVP_CIPHER_free(wrap_cipher); +--- crypto/openssl/apps/engine.c.orig ++++ crypto/openssl/apps/engine.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. 
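Review bot: In the new `CMS_final` failure branch both paths end in `goto end`, so the `goto end;` inside the originator check is redundant. Dropping it leaves the `BIO_printf(bio_err, "Cannot use originator for encryption\n");` as the only statement in the inner block and makes it obvious that the branch only adds a diagnostic. A short comment that the message is a hint for `CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT` would also help, since the error is read with `ERR_peek_error()` and stays queued.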
+ * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -352,10 +352,12 @@ + test_avail++; + break; + case OPT_PRE: +- sk_OPENSSL_STRING_push(pre_cmds, opt_arg()); ++ if (sk_OPENSSL_STRING_push(pre_cmds, opt_arg()) <= 0) ++ goto end; + break; + case OPT_POST: +- sk_OPENSSL_STRING_push(post_cmds, opt_arg()); ++ if (sk_OPENSSL_STRING_push(post_cmds, opt_arg()) <= 0) ++ goto end; + break; + } + } +--- crypto/openssl/apps/lib/http_server.c.orig ++++ crypto/openssl/apps/lib/http_server.c +@@ -220,14 +220,17 @@ + { + BIO *acbio = NULL, *bufbio; + int asock; ++ char name[40]; + ++ snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */ + bufbio = BIO_new(BIO_f_buffer()); + if (bufbio == NULL) + goto err; + acbio = BIO_new(BIO_s_accept()); + if (acbio == NULL +- || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0 +- || BIO_set_accept_port(acbio, port) < 0) { ++ || BIO_set_accept_ip_family(acbio, BIO_FAMILY_IPANY) <= 0 /* IPv4/6 */ ++ || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) <= 0 ++ || BIO_set_accept_name(acbio, name) <= 0) { + log_message(prog, LOG_ERR, "Error setting up accept BIO"); + goto err; + } +--- crypto/openssl/apps/lib/s_cb.c.orig ++++ crypto/openssl/apps/lib/s_cb.c +@@ -240,10 +240,10 @@ + return "ECDSA"; + + case NID_ED25519: +- return "Ed25519"; ++ return "ed25519"; + + case NID_ED448: +- return "Ed448"; ++ return "ed448"; + + case NID_id_GostR3410_2001: + return "gost2001"; +@@ -288,6 +288,26 @@ + SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash); + if (i) + BIO_puts(out, ":"); ++ switch (rsign | rhash << 8) { ++ case 0x0809: ++ BIO_puts(out, "rsa_pss_pss_sha256"); ++ continue; ++ case 0x080a: ++ BIO_puts(out, "rsa_pss_pss_sha384"); ++ continue; ++ case 0x080b: ++ BIO_puts(out, "rsa_pss_pss_sha512"); ++ continue; ++ case 0x081a: ++ BIO_puts(out, "ecdsa_brainpoolP256r1_sha256"); ++ continue; ++ case 0x081b: ++ BIO_puts(out, 
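Review bot: The result of `snprintf(name, sizeof(name), "[::]:%s", port)` in the http_server.c hunk is never checked, so a `port` string longer than the 40-byte `name` buffer leaves room for is silently truncated and the accept BIO would be configured with a different service than the caller asked for. Compare the return value with `sizeof(name)` and log an error instead of continuing. `bufbio` is still unassigned at that point, so the check should sit below the `BIO_new(BIO_f_buffer())` call if it is to reuse the `err` path, which is outside the hunk. The rest of this patch moves `sprintf` calls to `BIO_snprintf` (vms_term_sock.c, passwd.c), which would be the consistent choice here too.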
"ecdsa_brainpoolP384r1_sha384"); ++ continue; ++ case 0x081c: ++ BIO_puts(out, "ecdsa_brainpoolP512r1_sha512"); ++ continue; ++ } + sstr = get_sigtype(sign_nid); + if (sstr) + BIO_printf(out, "%s", sstr); +--- crypto/openssl/apps/lib/s_socket.c.orig ++++ crypto/openssl/apps/lib/s_socket.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -380,6 +380,12 @@ + BIO_closesocket(asock); + break; + } ++ ++ if (naccept != -1) ++ naccept--; ++ if (naccept == 0) ++ BIO_closesocket(asock); ++ + BIO_set_tcp_ndelay(sock, 1); + i = (*cb)(sock, type, protocol, context); + +@@ -410,11 +416,12 @@ + + BIO_closesocket(sock); + } else { ++ if (naccept != -1) ++ naccept--; ++ + i = (*cb)(asock, type, protocol, context); + } + +- if (naccept != -1) +- naccept--; + if (i < 0 || naccept == 0) { + BIO_closesocket(asock); + ret = i; +--- crypto/openssl/apps/lib/vms_term_sock.c.orig ++++ crypto/openssl/apps/lib/vms_term_sock.c +@@ -353,7 +353,7 @@ + /* + ** Get the binary (64-bit) time of the specified timeout value + */ +- sprintf (AscTimeBuff, "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE); ++ BIO_snprintf(AscTimeBuff, sizeof(AscTimeBuff), "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE); + AscTimeDesc.dsc$w_length = strlen (AscTimeBuff); + AscTimeDesc.dsc$a_pointer = AscTimeBuff; + status = sys$bintim (&AscTimeDesc, BinTimeBuff); +@@ -567,10 +567,10 @@ + /* + ** Format the message buffer + */ +- sprintf (MsgBuff, "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n", +- LocTime->tm_mday, Month[LocTime->tm_mon], +- (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min, +- LocTime->tm_sec, pid, msg); ++ BIO_snprintf(MsgBuff, sizeof(MsgBuff), "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n", ++ LocTime->tm_mday, Month[LocTime->tm_mon], 
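Review bot: The new `switch (rsign | rhash << 8)` in s_cb.c needs a comment and explicit grouping, because the case labels are bare hex values and the expression relies on `<<` binding tighter than `|`. Writing it as `switch (rsign | (rhash << 8))` and adding something like `/* raw two-byte signature scheme values with no usable sign/hash NID pair */` above it would tell the next reader why these six are special-cased before `get_sigtype()` runs. Whether that description is accurate should be confirmed against the code that fills `rsign` and `rhash`, which is outside the hunk.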
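Review bot: When `naccept` reaches zero on the stream path, the first s_socket.c hunk closes `asock` before the callback runs, and the unchanged `if (i < 0 || naccept == 0)` block in the second hunk then calls `BIO_closesocket(asock)` again. If both hunks are in the same accept loop, as their line numbers suggest, the second call acts on a descriptor number the callback may have reused for something else in the meantime. Setting `asock = INVALID_SOCKET;` after the early close and skipping the later close for that value would avoid it. The enclosing function starts and ends outside both hunks.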
++ (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min, ++ LocTime->tm_sec, pid, msg); + + /* + ** Get any variable arguments and add them to the print of the message +--- crypto/openssl/apps/passwd.c.orig ++++ crypto/openssl/apps/passwd.c +@@ -589,7 +589,8 @@ + OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); + if (rounds_custom) { + char tmp_buf[80]; /* "rounds=999999999" */ +- sprintf(tmp_buf, "rounds=%u", rounds); ++ ++ BIO_snprintf(tmp_buf, sizeof(tmp_buf), "rounds=%u", rounds); + #ifdef CHARSET_EBCDIC + /* In case we're really on a ASCII based platform and just pretend */ + if (tmp_buf[0] != 0x72) /* ASCII 'r' */ +--- crypto/openssl/apps/pkcs12.c.orig ++++ crypto/openssl/apps/pkcs12.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -305,7 +305,8 @@ + if (canames == NULL + && (canames = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(canames, opt_arg()); ++ if (sk_OPENSSL_STRING_push(canames, opt_arg()) <= 0) ++ goto end; + break; + case OPT_IN: + infile = opt_arg(); +--- crypto/openssl/apps/pkeyutl.c.orig ++++ crypto/openssl/apps/pkeyutl.c +@@ -81,10 +81,11 @@ + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file - default stdout"}, +- {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"}, ++ {"asn1parse", OPT_ASN1PARSE, '-', ++ "parse the output as ASN.1 data to check its DER encoding and print errors"}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"verifyrecover", OPT_VERIFYRECOVER, '-', +- "Verify with public key, recover original data"}, ++ "Verify RSA signature, recovering original signature input data"}, + + OPT_SECTION("Signing/Derivation"), + {"digest", OPT_DIGEST, 's', +--- crypto/openssl/apps/rehash.c.orig ++++ crypto/openssl/apps/rehash.c +@@ -559,6 +559,11 @@ + } else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) { + char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' }; + m = OPENSSL_strdup(env); ++ if (m == NULL) { ++ BIO_puts(bio_err, "out of memory\n"); ++ errs = 1; ++ goto end; ++ } + for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc)) + errs += do_dir(e, h); + OPENSSL_free(m); +--- crypto/openssl/apps/smime.c.orig ++++ crypto/openssl/apps/smime.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -279,13 +279,15 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + if (keyfile == NULL) + keyfile = signerfile; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + keyfile = NULL; + } + signerfile = opt_arg(); +@@ -310,12 +312,14 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + signerfile = NULL; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + } + keyfile = opt_arg(); + break; +@@ -390,12 +394,14 @@ + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; +- sk_OPENSSL_STRING_push(sksigners, signerfile); ++ if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0) ++ goto end; + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!keyfile) + keyfile = signerfile; +- sk_OPENSSL_STRING_push(skkeys, keyfile); ++ if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0) ++ goto end; + } + if (sksigners == NULL) { + BIO_printf(bio_err, "No signer certificate specified\n"); +--- crypto/openssl/apps/speed.c.orig ++++ crypto/openssl/apps/speed.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the Apache License 2.0 (the "License"). 
You may not use +@@ -456,6 +456,14 @@ + #define COND(unused_cond) (run && count < INT_MAX) + #define COUNT(d) (count) + ++#define TAG_LEN 16 ++ ++static unsigned int mode_op; /* AE Mode of operation */ ++static unsigned int aead = 0; /* AEAD flag */ ++static unsigned char aead_iv[12]; /* For AEAD modes */ ++static unsigned char aad[EVP_AEAD_TLS1_AAD_LEN] = { 0xcc }; ++static int aead_ivlen = sizeof(aead_iv); ++ + typedef struct loopargs_st { + ASYNC_JOB *inprogress_job; + ASYNC_WAIT_CTX *wait_ctx; +@@ -464,6 +472,7 @@ + unsigned char *buf_malloc; + unsigned char *buf2_malloc; + unsigned char *key; ++ unsigned char tag[TAG_LEN]; + size_t buflen; + size_t sigsize; + EVP_PKEY_CTX *rsa_sign_ctx[RSA_NUM]; +@@ -727,12 +736,8 @@ + unsigned char *buf = tempargs->buf; + EVP_CIPHER_CTX *ctx = tempargs->ctx; + int outl, count, rc; +- unsigned char faketag[16] = { 0xcc }; + + if (decrypt) { +- if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) { +- (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag); +- } + for (count = 0; COND(c[D_EVP][testnum]); count++) { + rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); + if (rc != 1) { +@@ -757,74 +762,159 @@ + } + + /* ++ * To make AEAD benchmarking more relevant perform TLS-like operations, ++ * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as ++ * payload length is not actually limited by 16KB... + * CCM does not support streaming. For the purpose of performance measurement, + * each message is encrypted using the same (key,iv)-pair. Do not use this + * code in your application. 
+ */ +-static int EVP_Update_loop_ccm(void *args) ++static int EVP_Update_loop_aead_enc(void *args) + { + loopargs_t *tempargs = *(loopargs_t **) args; + unsigned char *buf = tempargs->buf; ++ unsigned char *key = tempargs->key; + EVP_CIPHER_CTX *ctx = tempargs->ctx; +- int outl, count; +- unsigned char tag[12]; +- +- if (decrypt) { +- for (count = 0; COND(c[D_EVP][testnum]); count++) { +- (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(tag), +- tag); +- /* reset iv */ +- (void)EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv); +- /* counter is reset on every update */ +- (void)EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); ++ int outl, count, realcount = 0; ++ ++ for (count = 0; COND(c[D_EVP][testnum]); count++) { ++ /* Set length of iv (Doesn't apply to SIV mode) */ ++ if (mode_op != EVP_CIPH_SIV_MODE) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ++ aead_ivlen, NULL)) { ++ BIO_printf(bio_err, "\nFailed to set iv length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } + } +- } else { +- for (count = 0; COND(c[D_EVP][testnum]); count++) { +- /* restore iv length field */ +- (void)EVP_EncryptUpdate(ctx, NULL, &outl, NULL, lengths[testnum]); +- /* counter is reset on every update */ +- (void)EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); ++ /* Set tag_len (Not for GCM/SIV at encryption stage) */ ++ if (mode_op != EVP_CIPH_GCM_MODE ++ && mode_op != EVP_CIPH_SIV_MODE) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, ++ TAG_LEN, NULL)) { ++ BIO_printf(bio_err, "\nFailed to set tag length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, aead_iv, -1)) { ++ BIO_printf(bio_err, "\nFailed to set key and iv\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ /* Set total length of input. 
Only required for CCM */ ++ if (mode_op == EVP_CIPH_CCM_MODE) { ++ if (!EVP_EncryptUpdate(ctx, NULL, &outl, ++ NULL, lengths[testnum])) { ++ BIO_printf(bio_err, "\nCouldn't set input text length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } + } ++ if (aead) { ++ if (!EVP_EncryptUpdate(ctx, NULL, &outl, aad, sizeof(aad))) { ++ BIO_printf(bio_err, "\nCouldn't insert AAD when encrypting\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (!EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum])) { ++ BIO_printf(bio_err, "\nFailed to encrypt the data\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ if (EVP_EncryptFinal_ex(ctx, buf, &outl)) ++ realcount++; + } +- if (decrypt) +- (void)EVP_DecryptFinal_ex(ctx, buf, &outl); +- else +- (void)EVP_EncryptFinal_ex(ctx, buf, &outl); +- return count; ++ return realcount; + } + + /* + * To make AEAD benchmarking more relevant perform TLS-like operations, + * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as + * payload length is not actually limited by 16KB... ++ * CCM does not support streaming. For the purpose of performance measurement, ++ * each message is decrypted using the same (key,iv)-pair. Do not use this ++ * code in your application. ++ * For decryption, we will use buf2 to preserve the input text in buf. 
+ */ +-static int EVP_Update_loop_aead(void *args) ++static int EVP_Update_loop_aead_dec(void *args) + { + loopargs_t *tempargs = *(loopargs_t **) args; + unsigned char *buf = tempargs->buf; ++ unsigned char *outbuf = tempargs->buf2; ++ unsigned char *key = tempargs->key; ++ unsigned char tag[TAG_LEN]; + EVP_CIPHER_CTX *ctx = tempargs->ctx; +- int outl, count; +- unsigned char aad[13] = { 0xcc }; +- unsigned char faketag[16] = { 0xcc }; ++ int outl, count, realcount = 0; ++ ++ for (count = 0; COND(c[D_EVP][testnum]); count++) { ++ /* Set the length of iv (Doesn't apply to SIV mode) */ ++ if (mode_op != EVP_CIPH_SIV_MODE) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ++ aead_ivlen, NULL)) { ++ BIO_printf(bio_err, "\nFailed to set iv length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } + +- if (decrypt) { +- for (count = 0; COND(c[D_EVP][testnum]); count++) { +- (void)EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv); +- (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, +- sizeof(faketag), faketag); +- (void)EVP_DecryptUpdate(ctx, NULL, &outl, aad, sizeof(aad)); +- (void)EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); +- (void)EVP_DecryptFinal_ex(ctx, buf + outl, &outl); ++ /* Set the tag length (Doesn't apply to SIV mode) */ ++ if (mode_op != EVP_CIPH_SIV_MODE ++ && mode_op != EVP_CIPH_GCM_MODE) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, ++ TAG_LEN, NULL)) { ++ BIO_printf(bio_err, "\nFailed to set tag length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } + } +- } else { +- for (count = 0; COND(c[D_EVP][testnum]); count++) { +- (void)EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv); +- (void)EVP_EncryptUpdate(ctx, NULL, &outl, aad, sizeof(aad)); +- (void)EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); +- (void)EVP_EncryptFinal_ex(ctx, buf + outl, &outl); ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, aead_iv, -1)) { ++ BIO_printf(bio_err, "\nFailed to set key and iv\n"); ++ ERR_print_errors(bio_err); ++ 
exit(1); ++ } ++ /* Set iv before decryption (Doesn't apply to SIV mode) */ ++ if (mode_op != EVP_CIPH_SIV_MODE) { ++ if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, aead_iv)) { ++ BIO_printf(bio_err, "\nFailed to set iv\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ memcpy(tag, tempargs->tag, TAG_LEN); ++ ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, ++ TAG_LEN, tag)) { ++ BIO_printf(bio_err, "\nFailed to set tag\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ /* Set the total length of cipher text. Only required for CCM */ ++ if (mode_op == EVP_CIPH_CCM_MODE) { ++ if (!EVP_DecryptUpdate(ctx, NULL, &outl, ++ NULL, lengths[testnum])) { ++ BIO_printf(bio_err, "\nCouldn't set cipher text length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (aead) { ++ if (!EVP_DecryptUpdate(ctx, NULL, &outl, aad, sizeof(aad))) { ++ BIO_printf(bio_err, "\nCouldn't insert AAD when decrypting\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (!EVP_DecryptUpdate(ctx, outbuf, &outl, buf, lengths[testnum])) { ++ BIO_printf(bio_err, "\nFailed to decrypt the data\n"); ++ ERR_print_errors(bio_err); ++ exit(1); + } ++ if (EVP_DecryptFinal_ex(ctx, outbuf, &outl)) ++ realcount++; + } +- return count; ++ return realcount; + } + + static long rsa_c[RSA_NUM][2]; /* # RSA iteration test */ +@@ -1370,11 +1460,11 @@ + OPTION_CHOICE o; + int async_init = 0, multiblock = 0, pr_header = 0; + uint8_t doit[ALGOR_NUM] = { 0 }; +- int ret = 1, misalign = 0, lengths_single = 0, aead = 0; ++ int ret = 1, misalign = 0, lengths_single = 0; + long count = 0; + unsigned int size_num = SIZE_NUM; + unsigned int i, k, loopargs_len = 0, async_jobs = 0; +- int keylen; ++ int keylen = 0; + int buflen; + BIGNUM *bn = NULL; + EVP_PKEY_CTX *genctx = NULL; +@@ -2001,15 +2091,14 @@ + if (doit[D_HMAC]) { + static const char hmac_key[] = "This is a key..."; + int len = strlen(hmac_key); ++ size_t hmac_name_len = sizeof("hmac()") + strlen(evp_mac_mdname); + OSSL_PARAM 
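Review bot: In `EVP_Update_loop_aead_dec` a failing `EVP_DecryptFinal_ex` is only left out of `realcount`, while every earlier step prints a message and exits, so a tag mismatch shows up as a silently low or zero result. If that is intended, a comment at the final call would say so, e.g. `/* a failed tag check is not fatal; the iteration is just not counted */`. The comment `Set the tag length (Doesn't apply to SIV mode)` in the same function also understates its condition, which skips GCM as well; the encrypt loop's wording `(Not for GCM/SIV at encryption stage)` matches its code.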
params[3]; + + mac = EVP_MAC_fetch(app_get0_libctx(), "HMAC", app_get0_propq()); + if (mac == NULL || evp_mac_mdname == NULL) + goto end; +- +- evp_hmac_name = app_malloc(sizeof("hmac()") + strlen(evp_mac_mdname), +- "HMAC name"); +- sprintf(evp_hmac_name, "hmac(%s)", evp_mac_mdname); ++ evp_hmac_name = app_malloc(hmac_name_len, "HMAC name"); ++ BIO_snprintf(evp_hmac_name, hmac_name_len, "hmac(%s)", evp_mac_mdname); + names[D_HMAC] = evp_hmac_name; + + params[0] = +@@ -2213,12 +2302,20 @@ + } + } + ++ /*- ++ * There are three scenarios for D_EVP: ++ * 1- Using authenticated encryption (AE) e.g. CCM, GCM, OCB etc. ++ * 2- Using AE + associated data (AD) i.e. AEAD using CCM, GCM, OCB etc. ++ * 3- Not using AE or AD e.g. ECB, CBC, CFB etc. ++ */ + if (doit[D_EVP]) { + if (evp_cipher != NULL) { +- int (*loopfunc) (void *) = EVP_Update_loop; ++ int (*loopfunc) (void *); ++ int outlen = 0; ++ unsigned int ae_mode = 0; + +- if (multiblock && (EVP_CIPHER_get_flags(evp_cipher) & +- EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) { ++ if (multiblock && (EVP_CIPHER_get_flags(evp_cipher) ++ & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) { + multiblock_speed(evp_cipher, lengths_single, &seconds); + ret = 0; + goto end; +@@ -2226,16 +2323,26 @@ + + names[D_EVP] = EVP_CIPHER_get0_name(evp_cipher); + +- if (EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_CCM_MODE) { +- loopfunc = EVP_Update_loop_ccm; +- } else if (aead && (EVP_CIPHER_get_flags(evp_cipher) & +- EVP_CIPH_FLAG_AEAD_CIPHER)) { +- loopfunc = EVP_Update_loop_aead; ++ mode_op = EVP_CIPHER_get_mode(evp_cipher); ++ ++ if (aead) { + if (lengths == lengths_list) { + lengths = aead_lengths_list; + size_num = OSSL_NELEM(aead_lengths_list); + } + } ++ if (mode_op == EVP_CIPH_GCM_MODE ++ || mode_op == EVP_CIPH_CCM_MODE ++ || mode_op == EVP_CIPH_OCB_MODE ++ || mode_op == EVP_CIPH_SIV_MODE) { ++ ae_mode = 1; ++ if (decrypt) ++ loopfunc = EVP_Update_loop_aead_dec; ++ else ++ loopfunc = EVP_Update_loop_aead_enc; ++ } else { ++ loopfunc = EVP_Update_loop; ++ } + 
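Review bot: `hmac_name_len` is initialised with `strlen(evp_mac_mdname)` in the declarations, ahead of the `evp_mac_mdname == NULL` test two statements later, so the guard no longer protects the dereference it used to precede. Declaring `size_t hmac_name_len;` and assigning `hmac_name_len = sizeof("hmac()") + strlen(evp_mac_mdname);` after the `goto end` check keeps the old ordering. The `doit[D_EVP_CMAC]` hunk (`@@ -2297,6 +2511,7 @@`) computes `len` from `evp_mac_ciphername` the same way at the top of its block; whether a NULL check follows it is not visible in that hunk.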
+ for (testnum = 0; testnum < size_num; testnum++) { + print_message(names[D_EVP], c[D_EVP][testnum], lengths[testnum], +@@ -2247,37 +2354,144 @@ + BIO_printf(bio_err, "\nEVP_CIPHER_CTX_new failure\n"); + exit(1); + } +- if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL, +- NULL, iv, decrypt ? 0 : 1)) { +- BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n"); ++ ++ /* ++ * For AE modes, we must first encrypt the data to get ++ * a valid tag that enables us to decrypt. If we don't ++ * encrypt first, we won't have a valid tag that enables ++ * authenticity and hence decryption will fail. ++ */ ++ if (!EVP_CipherInit_ex(loopargs[k].ctx, ++ evp_cipher, NULL, NULL, NULL, ++ ae_mode ? 1 : !decrypt)) { ++ BIO_printf(bio_err, "\nCouldn't init the context\n"); + ERR_print_errors(bio_err); + exit(1); + } + ++ /* Padding isn't needed */ + EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0); + + keylen = EVP_CIPHER_CTX_get_key_length(loopargs[k].ctx); + loopargs[k].key = app_malloc(keylen, "evp_cipher key"); + EVP_CIPHER_CTX_rand_key(loopargs[k].ctx, loopargs[k].key); +- if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL, +- loopargs[k].key, NULL, -1)) { +- BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n"); +- ERR_print_errors(bio_err); +- exit(1); +- } +- OPENSSL_clear_free(loopargs[k].key, keylen); + +- /* SIV mode only allows for a single Update operation */ +- if (EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_SIV_MODE) +- (void)EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, +- EVP_CTRL_SET_SPEED, 1, NULL); ++ if (!ae_mode) { ++ if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL, ++ loopargs[k].key, iv, -1)) { ++ BIO_printf(bio_err, "\nFailed to set the key\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } else if (mode_op == EVP_CIPH_SIV_MODE) { ++ EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, ++ EVP_CTRL_SET_SPEED, 1, NULL); ++ } ++ if (ae_mode && decrypt) { ++ /* Set length of iv (Doesn't apply to SIV mode) */ ++ if (mode_op != EVP_CIPH_SIV_MODE) { ++ if 
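Review bot: The loop function is now chosen from `mode_op` alone, so a cipher that carries `EVP_CIPH_FLAG_AEAD_CIPHER` but is not GCM, CCM, OCB or SIV (ChaCha20-Poly1305, if its mode is reported as a stream cipher) falls through to `EVP_Update_loop`. The `@@ -727,12 +736,8 @@` hunk removed the tag setup from that function's decrypt path, and the `aead` AAD step exists only in the two new AEAD loops, so runs with `decrypt` or `aead` set appear to lose their tag and AAD handling for such a cipher. This is worth confirming against the supported cipher list. If the new loops are meant to cover these ciphers, the `ae_mode` condition could also test `EVP_CIPHER_get_flags(evp_cipher) & EVP_CIPH_FLAG_AEAD_CIPHER`.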
(!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, ++ EVP_CTRL_AEAD_SET_IVLEN, ++ aead_ivlen, NULL)) { ++ BIO_printf(bio_err, "\nFailed to set iv length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ /* Set tag_len (Not for SIV at encryption stage) */ ++ if (mode_op != EVP_CIPH_GCM_MODE ++ && mode_op != EVP_CIPH_SIV_MODE) { ++ if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, ++ EVP_CTRL_AEAD_SET_TAG, ++ TAG_LEN, NULL)) { ++ BIO_printf(bio_err, ++ "\nFailed to set tag length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL, ++ loopargs[k].key, aead_iv, -1)) { ++ BIO_printf(bio_err, "\nFailed to set the key\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ /* Set total length of input. Only required for CCM */ ++ if (mode_op == EVP_CIPH_CCM_MODE) { ++ if (!EVP_EncryptUpdate(loopargs[k].ctx, NULL, ++ &outlen, NULL, ++ lengths[testnum])) { ++ BIO_printf(bio_err, ++ "\nCouldn't set input text length\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (aead) { ++ if (!EVP_EncryptUpdate(loopargs[k].ctx, NULL, ++ &outlen, aad, sizeof(aad))) { ++ BIO_printf(bio_err, ++ "\nCouldn't insert AAD when encrypting\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ } ++ if (!EVP_EncryptUpdate(loopargs[k].ctx, loopargs[k].buf, ++ &outlen, loopargs[k].buf, ++ lengths[testnum])) { ++ BIO_printf(bio_err, ++ "\nFailed to to encrypt the data\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ ++ if (!EVP_EncryptFinal_ex(loopargs[k].ctx, ++ loopargs[k].buf, &outlen)) { ++ BIO_printf(bio_err, ++ "\nFailed finalize the encryption\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ ++ if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, ++ EVP_CTRL_AEAD_GET_TAG, ++ TAG_LEN, &loopargs[k].tag)) { ++ BIO_printf(bio_err, "\nFailed to get the tag\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ ++ EVP_CIPHER_CTX_free(loopargs[k].ctx); ++ loopargs[k].ctx = EVP_CIPHER_CTX_new(); ++ if (loopargs[k].ctx == NULL) { ++ 
BIO_printf(bio_err, ++ "\nEVP_CIPHER_CTX_new failure\n"); ++ exit(1); ++ } ++ if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, ++ NULL, NULL, NULL, 0)) { ++ BIO_printf(bio_err, ++ "\nFailed initializing the context\n"); ++ ERR_print_errors(bio_err); ++ exit(1); ++ } ++ ++ EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0); ++ ++ /* SIV only allows for one Update operation */ ++ if (mode_op == EVP_CIPH_SIV_MODE) ++ EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, ++ EVP_CTRL_SET_SPEED, 1, NULL); ++ } + } + + Time_F(START); + count = run_benchmark(async_jobs, loopfunc, loopargs); + d = Time_F(STOP); +- for (k = 0; k < loopargs_len; k++) ++ for (k = 0; k < loopargs_len; k++) { ++ OPENSSL_clear_free(loopargs[k].key, keylen); + EVP_CIPHER_CTX_free(loopargs[k].ctx); ++ } + print_result(D_EVP, testnum, count, d); + } + } else if (evp_md_name != NULL) { +@@ -2297,6 +2511,7 @@ + } + + if (doit[D_EVP_CMAC]) { ++ size_t len = sizeof("cmac()") + strlen(evp_mac_ciphername); + OSSL_PARAM params[3]; + EVP_CIPHER *cipher = NULL; + +@@ -2312,9 +2527,8 @@ + BIO_printf(bio_err, "\nRequested CMAC cipher with unsupported key length.\n"); + goto end; + } +- evp_cmac_name = app_malloc(sizeof("cmac()") +- + strlen(evp_mac_ciphername), "CMAC name"); +- sprintf(evp_cmac_name, "cmac(%s)", evp_mac_ciphername); ++ evp_cmac_name = app_malloc(len, "CMAC name"); ++ BIO_snprintf(evp_cmac_name, len, "cmac(%s)", evp_mac_ciphername); + names[D_EVP_CMAC] = evp_cmac_name; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_CIPHER, +@@ -3675,7 +3889,6 @@ + print_message(alg_name, 0, mblengths[j], seconds->sym); + Time_F(START); + for (count = 0; run && count < INT_MAX; count++) { +- unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; + size_t len = mblengths[j]; + int packlen; +--- crypto/openssl/configdata.pm.in.orig ++++ crypto/openssl/configdata.pm.in +@@ -145,7 +145,7 @@ + # defined in one template stick around for the + # next, making them combinable + PACKAGE => 
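Review bot: Two of the new diagnostics in the `ae_mode && decrypt` setup are misspelled: `"\nFailed to to encrypt the data\n"` and `"\nFailed finalize the encryption\n"` should read `"\nFailed to encrypt the data\n"` and `"\nFailed to finalize the encryption\n"`. The `EVP_CTRL_AEAD_GET_TAG` call passes `&loopargs[k].tag`, a pointer to the whole array; `loopargs[k].tag` gives the same address with the expected `unsigned char *` type. The comment `Set tag_len (Not for SIV at encryption stage)` sits above a test that excludes GCM too. The enclosing function starts and ends outside the hunk.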
'OpenSSL::safe') +- or die $Text::Template::ERROR; ++ or die $OpenSSL::Template::ERROR; + close BUILDFILE; + rename("$buildfile.new", $buildfile) + or die "Trying to rename $buildfile.new to $buildfile: $!"; +@@ -167,7 +167,7 @@ + # defined in one template stick around for the + # next, making them combinable + PACKAGE => 'OpenSSL::safe') +- or die $Text::Template::ERROR; ++ or die $OpenSSL::Template::ERROR; + close CONFIGURATION_H; + + # When using stat() on Windows, we can get it to perform better by +--- crypto/openssl/crypto/asn1/a_bitstr.c.orig ++++ crypto/openssl/crypto/asn1/a_bitstr.c +@@ -36,25 +36,30 @@ + if (a->data[len - 1]) + break; + } +- j = a->data[len - 1]; +- if (j & 0x01) ++ ++ if (len == 0) { + bits = 0; +- else if (j & 0x02) +- bits = 1; +- else if (j & 0x04) +- bits = 2; +- else if (j & 0x08) +- bits = 3; +- else if (j & 0x10) +- bits = 4; +- else if (j & 0x20) +- bits = 5; +- else if (j & 0x40) +- bits = 6; +- else if (j & 0x80) +- bits = 7; +- else +- bits = 0; /* should not happen */ ++ } else { ++ j = a->data[len - 1]; ++ if (j & 0x01) ++ bits = 0; ++ else if (j & 0x02) ++ bits = 1; ++ else if (j & 0x04) ++ bits = 2; ++ else if (j & 0x08) ++ bits = 3; ++ else if (j & 0x10) ++ bits = 4; ++ else if (j & 0x20) ++ bits = 5; ++ else if (j & 0x40) ++ bits = 6; ++ else if (j & 0x80) ++ bits = 7; ++ else ++ bits = 0; /* should not happen */ ++ } + } + } else + bits = 0; +--- crypto/openssl/crypto/asn1/a_strnid.c.orig ++++ crypto/openssl/crypto/asn1/a_strnid.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -39,10 +39,10 @@ + * This function sets the default to various "flavours" of configuration. + * based on an ASCII string. 
Currently this is: + * MASK:XXXX : a numerical mask value. +- * nobmp : Don't use BMPStrings (just Printable, T61). +- * pkix : PKIX recommendation in RFC2459. +- * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004). +- * default: the default value, Printable, T61, BMP. ++ * default : use Printable, IA5, T61, BMP, and UTF8 string types ++ * nombstr : any string type except variable-sized BMPStrings or UTF8Strings ++ * pkix : PKIX recommendation in RFC2459 ++ * utf8only : this is the default, use UTF8Strings + */ + + int ASN1_STRING_set_default_mask_asc(const char *p) +--- crypto/openssl/crypto/asn1/a_time.c.orig ++++ crypto/openssl/crypto/asn1/a_time.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -488,9 +488,9 @@ + int ossl_asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm, unsigned long flags) + { + char *v; +- int gmt = 0, l; ++ int l; + struct tm stm; +- const char upper_z = 0x5A, period = 0x2E; ++ const char period = 0x2E; + + /* ossl_asn1_time_to_tm will check the time type */ + if (!ossl_asn1_time_to_tm(&stm, tm)) +@@ -498,8 +498,6 @@ + + l = tm->length; + v = (char *)tm->data; +- if (v[l - 1] == upper_z) +- gmt = 1; + + if (tm->type == V_ASN1_GENERALIZEDTIME) { + char *f = NULL; +@@ -510,39 +508,36 @@ + * 'fraction point' in a GeneralizedTime string. + */ + if (tm->length > 15 && v[14] == period) { +- f = &v[14]; +- f_len = 1; +- while (14 + f_len < l && ossl_ascii_isdigit(f[f_len])) ++ /* exclude the . 
itself */ ++ f = &v[15]; ++ f_len = 0; ++ while (15 + f_len < l && ossl_ascii_isdigit(f[f_len])) + ++f_len; + } + +- if ((flags & ASN1_DTFLGS_TYPE_MASK) == ASN1_DTFLGS_ISO8601) { +- return BIO_printf(bp, "%4d-%02d-%02d %02d:%02d:%02d%.*s%s", +- stm.tm_year + 1900, stm.tm_mon + 1, +- stm.tm_mday, stm.tm_hour, +- stm.tm_min, stm.tm_sec, f_len, f, +- (gmt ? "Z" : "")) > 0; +- } +- else { +- return BIO_printf(bp, "%s %2d %02d:%02d:%02d%.*s %d%s", +- _asn1_mon[stm.tm_mon], stm.tm_mday, stm.tm_hour, +- stm.tm_min, stm.tm_sec, f_len, f, stm.tm_year + 1900, +- (gmt ? " GMT" : "")) > 0; ++ if (f_len > 0) { ++ if ((flags & ASN1_DTFLGS_TYPE_MASK) == ASN1_DTFLGS_ISO8601) { ++ return BIO_printf(bp, "%4d-%02d-%02d %02d:%02d:%02d.%.*sZ", ++ stm.tm_year + 1900, stm.tm_mon + 1, ++ stm.tm_mday, stm.tm_hour, ++ stm.tm_min, stm.tm_sec, f_len, f) > 0; ++ } else { ++ return BIO_printf(bp, "%s %2d %02d:%02d:%02d.%.*s %d GMT", ++ _asn1_mon[stm.tm_mon], stm.tm_mday, stm.tm_hour, ++ stm.tm_min, stm.tm_sec, f_len, f, ++ stm.tm_year + 1900) > 0; ++ } + } +- } else { +- if ((flags & ASN1_DTFLGS_TYPE_MASK) == ASN1_DTFLGS_ISO8601) { +- return BIO_printf(bp, "%4d-%02d-%02d %02d:%02d:%02d%s", ++ } ++ if ((flags & ASN1_DTFLGS_TYPE_MASK) == ASN1_DTFLGS_ISO8601) { ++ return BIO_printf(bp, "%4d-%02d-%02d %02d:%02d:%02dZ", + stm.tm_year + 1900, stm.tm_mon + 1, + stm.tm_mday, stm.tm_hour, +- stm.tm_min, stm.tm_sec, +- (gmt ? "Z" : "")) > 0; +- } +- else { +- return BIO_printf(bp, "%s %2d %02d:%02d:%02d %d%s", ++ stm.tm_min, stm.tm_sec) > 0; ++ } else { ++ return BIO_printf(bp, "%s %2d %02d:%02d:%02d %d GMT", + _asn1_mon[stm.tm_mon], stm.tm_mday, stm.tm_hour, +- stm.tm_min, stm.tm_sec, stm.tm_year + 1900, +- (gmt ? " GMT" : "")) > 0; +- } ++ stm.tm_min, stm.tm_sec, stm.tm_year + 1900) > 0; + } + } + +--- crypto/openssl/crypto/asn1/asn1_gen.c.orig ++++ crypto/openssl/crypto/asn1/asn1_gen.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. 
++ * Copyright 2002-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -498,7 +498,8 @@ + static int asn1_str2tag(const char *tagstr, int len) + { + unsigned int i; +- static const struct tag_name_st *tntmp, tnst[] = { ++ const struct tag_name_st *tntmp; ++ static const struct tag_name_st tnst[] = { + ASN1_GEN_STR("BOOL", V_ASN1_BOOLEAN), + ASN1_GEN_STR("BOOLEAN", V_ASN1_BOOLEAN), + ASN1_GEN_STR("NULL", V_ASN1_NULL), +--- crypto/openssl/crypto/asn1/asn_mime.c.orig ++++ crypto/openssl/crypto/asn1/asn_mime.c +@@ -300,6 +300,8 @@ + + if (ctype_nid == NID_pkcs7_enveloped) { + msg_type = "enveloped-data"; ++ } else if (ctype_nid == NID_id_smime_ct_authEnvelopedData) { ++ msg_type = "authEnveloped-data"; + } else if (ctype_nid == NID_pkcs7_signed) { + if (econt_nid == NID_id_smime_ct_receipt) + msg_type = "signed-receipt"; +--- crypto/openssl/crypto/bio/bio_addr.c.orig ++++ crypto/openssl/crypto/bio/bio_addr.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -547,8 +547,13 @@ + *service = NULL; + } else { + *service = OPENSSL_strndup(p, pl); +- if (*service == NULL) ++ if (*service == NULL) { ++ if (h != NULL && host != NULL) { ++ OPENSSL_free(*host); ++ *host = NULL; ++ } + goto memerr; ++ } + } + } + +--- crypto/openssl/crypto/bio/bio_sock.c.orig ++++ crypto/openssl/crypto/bio/bio_sock.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). 
You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -222,7 +222,7 @@ + return INVALID_SOCKET; + + if (BIO_sock_init() != 1) +- return INVALID_SOCKET; ++ goto err; + + if (BIO_lookup(h, p, BIO_LOOKUP_SERVER, AF_UNSPEC, SOCK_STREAM, &res) != 0) + goto err; +--- crypto/openssl/crypto/bio/bss_log.c.orig ++++ crypto/openssl/crypto/bio/bss_log.c +@@ -281,7 +281,7 @@ + break; + } + +- sprintf(pidbuf, "[%lu] ", GetCurrentProcessId()); ++ BIO_snprintf(pidbuf, sizeof(pidbuf), "[%lu] ", GetCurrentProcessId()); + lpszStrings[0] = pidbuf; + lpszStrings[1] = string; + +--- crypto/openssl/crypto/bn/asm/armv8-mont.pl.orig ++++ crypto/openssl/crypto/bn/asm/armv8-mont.pl +@@ -1,5 +1,5 @@ + #! /usr/bin/env perl +-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the Apache License 2.0 (the "License"). You may not use + # this file except in compliance with the License. You can obtain a copy +@@ -85,10 +85,12 @@ + cmp $num,#32 + b.le .Lscalar_impl + #ifndef __KERNEL__ ++#ifndef __AARCH64EB__ + adrp x17,OPENSSL_armv8_rsa_neonized + ldr w17,[x17,#:lo12:OPENSSL_armv8_rsa_neonized] + cbnz w17, bn_mul8x_mont_neon + #endif ++#endif + + .Lscalar_impl: + tst $num,#7 +--- crypto/openssl/crypto/bn/bn_exp.c.orig ++++ crypto/openssl/crypto/bn/bn_exp.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -606,7 +606,7 @@ + * out by Colin Percival, + * http://www.daemonology.net/hyperthreading-considered-harmful/) + */ +-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) + { +@@ -623,10 +623,6 @@ + unsigned int t4 = 0; + #endif + +- bn_check_top(a); +- bn_check_top(p); +- bn_check_top(m); +- + if (!BN_is_odd(m)) { + ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); + return 0; +@@ -1146,7 +1142,7 @@ + goto err; + } else + #endif +- if (!BN_from_montgomery(rr, &tmp, mont, ctx)) ++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) + goto err; + ret = 1; + err: +@@ -1160,6 +1156,19 @@ + return ret; + } + ++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, ++ BN_MONT_CTX *in_mont) ++{ ++ bn_check_top(a); ++ bn_check_top(p); ++ bn_check_top(m); ++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) ++ return 0; ++ bn_correct_top(rr); ++ return 1; ++} ++ + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) + { +--- crypto/openssl/crypto/bn/bn_gf2m.c.orig ++++ crypto/openssl/crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++# include + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1140,16 +1141,26 @@ + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. 
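Review bot: `bn_mod_exp_mont_fixed_top` inherits the old cache-timing comment, but nothing tells callers that `rr` appears to come back without `bn_correct_top()` applied, which is the visible difference from the public wrapper added in the `@@ -1160,6 +1156,19 @@` hunk. A line such as `/* rr is returned in fixed-top form; callers that need a normalised BIGNUM must call bn_correct_top() */` above the renamed function would record that. The three `bn_check_top()` calls now run only in `BN_mod_exp_mont_consttime`, so direct callers of the fixed-top variant skip them; this is presumably intended, but worth stating in the same comment.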
The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1167,12 +1178,13 @@ + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +--- crypto/openssl/crypto/bn/rsaz_exp_x2.c.orig ++++ crypto/openssl/crypto/bn/rsaz_exp_x2.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2020, Intel Corporation. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). 
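Review bot: The new bound check reads `p[0]` whenever `k > 0` without consulting `max`, so if the fill loop between the two hunks stores only while `k < max` (not visible here), a call with `max == 0` reads an element that was never written. Taking the leading exponent from the input instead removes the dependency on the array: `if (BN_num_bits(a) - 1 > OPENSSL_ECC_MAX_FIELD_BITS) return 0;`. The function body starts outside this hunk.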
You may not use +@@ -495,11 +495,7 @@ + out_len--; + } + +- while (out_len > 0) { +- *out = 0; +- out_len--; +- out++; +- } ++ memset(out, 0, out_len * sizeof(BN_ULONG)); + } + + static ossl_inline void put_digit52(uint8_t *pStr, int strLen, uint64_t digit) +--- crypto/openssl/crypto/cmp/cmp_client.c.orig ++++ crypto/openssl/crypto/cmp/cmp_client.c +@@ -107,9 +107,12 @@ + ss = si->statusString; /* may be NULL */ + for (i = 0; i < sk_ASN1_UTF8STRING_num(ss); i++) { + ASN1_UTF8STRING *str = sk_ASN1_UTF8STRING_value(ss, i); ++ ASN1_UTF8STRING *dup = ASN1_STRING_dup(str); + +- if (!sk_ASN1_UTF8STRING_push(ctx->statusString, ASN1_STRING_dup(str))) ++ if (dup == NULL || !sk_ASN1_UTF8STRING_push(ctx->statusString, dup)) { ++ ASN1_UTF8STRING_free(dup); + return 0; ++ } + } + return 1; + } +--- crypto/openssl/crypto/cms/cms_asn1.c.orig ++++ crypto/openssl/crypto/cms/cms_asn1.c +@@ -51,6 +51,7 @@ + EVP_PKEY_free(si->pkey); + X509_free(si->signer); + EVP_MD_CTX_free(si->mctx); ++ EVP_PKEY_CTX_free(si->pctx); + } + return 1; + } +@@ -89,11 +90,21 @@ + ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1) + } static_ASN1_SEQUENCE_END(CMS_OriginatorInfo) + +-ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = { ++static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ++ void *exarg) ++{ ++ CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval; ++ ++ if (operation == ASN1_OP_FREE_POST) ++ OPENSSL_clear_free(ec->key, ec->keylen); ++ return 1; ++} ++ ++ASN1_NDEF_SEQUENCE_cb(CMS_EncryptedContentInfo, cms_ec_cb) = { + ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT), + ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR), + ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0) +-} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo) ++} ASN1_NDEF_SEQUENCE_END_cb(CMS_EncryptedContentInfo, CMS_EncryptedContentInfo) + + ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = { + 
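Review bot: `memset(out, 0, out_len * sizeof(BN_ULONG))` is not equivalent to the loop it replaces when `out_len` is not positive. The loop did nothing in that case, whereas a negative `out_len` converts to a very large `size_t`; its declaration is outside the hunk, but it is decremented as a signed count just above. If the only guarantee is an assertion or caller discipline, guarding the call keeps the old behaviour: `if (out_len > 0) memset(out, 0, out_len * sizeof(BN_ULONG));`.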
ASN1_EMBED(CMS_KeyTransRecipientInfo, version, INT32), +@@ -317,6 +328,10 @@ + return 0; + break; + ++ case ASN1_OP_FREE_POST: ++ OPENSSL_free(cms->ctx.propq); ++ break; ++ + } + return 1; + } +--- crypto/openssl/crypto/cms/cms_dh.c.orig ++++ crypto/openssl/crypto/cms/cms_dh.c +@@ -34,7 +34,7 @@ + if (OBJ_obj2nid(aoid) != NID_dhpublicnumber) + goto err; + /* Only absent parameters allowed in RFC XXXX */ +- if (atype != V_ASN1_UNDEF && atype == V_ASN1_NULL) ++ if (atype != V_ASN1_UNDEF && atype != V_ASN1_NULL) + goto err; + + pk = EVP_PKEY_CTX_get0_pkey(pctx); +--- crypto/openssl/crypto/cms/cms_env.c.orig ++++ crypto/openssl/crypto/cms/cms_env.c +@@ -51,15 +51,6 @@ + return ret; + } + +-void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf) +-{ +- if (cms_get_enveloped_type_simple(cinf) != 0) { +- CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cinf); +- if (ec != NULL) +- OPENSSL_clear_free(ec->key, ec->keylen); +- } +-} +- + CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms) + { + if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) { +--- crypto/openssl/crypto/cms/cms_err.c.orig ++++ crypto/openssl/crypto/cms/cms_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
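Review bot: In the `cms_dh.c` hunk the comment above the corrected test is now out of step with it: it says only absent parameters are allowed and cites a placeholder `RFC XXXX`, while the condition accepts both `V_ASN1_UNDEF` and `V_ASN1_NULL`. Something like `/* Parameters must be absent or an ASN.1 NULL */` would match the code. The RFC reference is worth filling in by someone who knows which document is meant.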
You can obtain a copy +@@ -20,77 +20,79 @@ + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ATTRIBUTE_ERROR), "attribute error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT), +- "certificate already present"}, ++ "certificate already present"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID), +- "certificate has no keyid"}, ++ "certificate has no keyid"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), +- "certificate verify error"}, ++ "certificate verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_AEAD_SET_TAG_ERROR), +- "cipher aead set tag error"}, ++ "cipher aead set tag error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_GET_TAG), "cipher get tag"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_INITIALISATION_ERROR), +- "cipher initialisation error"}, ++ "cipher initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR), +- "cipher parameter initialisation error"}, ++ "cipher parameter initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_DATAFINAL_ERROR), +- "cms datafinal error"}, ++ "cms datafinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_LIB), "cms lib"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENTIDENTIFIER_MISMATCH), +- "contentidentifier mismatch"}, ++ "contentidentifier mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_NOT_FOUND), "content not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_MISMATCH), +- "content type mismatch"}, ++ "content type mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA), +- "content type not compressed data"}, ++ "content type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA), +- "content type not enveloped data"}, ++ "content type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA), +- "content type not signed data"}, ++ "content type not signed data"}, + 
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_VERIFY_ERROR), +- "content verify error"}, ++ "content verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_ERROR), "ctrl error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_FAILURE), "ctrl failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_DECODE_ERROR), "decode error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_DECRYPT_ERROR), "decrypt error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_GETTING_PUBLIC_KEY), +- "error getting public key"}, ++ "error getting public key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE), +- "error reading messagedigest attribute"}, ++ "error reading messagedigest attribute"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_KEY), "error setting key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_RECIPIENTINFO), +- "error setting recipientinfo"}, ++ "error setting recipientinfo"}, ++ {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT), ++ "error unsupported static key agreement"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR), +- "ess signing certid mismatch error"}, ++ "ess signing certid mismatch error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH), +- "invalid encrypted key length"}, ++ "invalid encrypted key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER), +- "invalid key encryption parameter"}, ++ "invalid key encryption parameter"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_LENGTH), "invalid key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_LABEL), "invalid label"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_OAEP_PARAMETERS), +- "invalid oaep parameters"}, ++ "invalid oaep parameters"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_KDF_PARAMETER_ERROR), +- "kdf parameter error"}, ++ "kdf parameter error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MD_BIO_INIT_ERROR), "md bio init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH), +- "messagedigest attribute wrong 
length"}, ++ "messagedigest attribute wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_WRONG_LENGTH), +- "messagedigest wrong length"}, ++ "messagedigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_ERROR), "msgsigdigest error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE), +- "msgsigdigest verification failure"}, ++ "msgsigdigest verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_WRONG_LENGTH), +- "msgsigdigest wrong length"}, ++ "msgsigdigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NEED_ONE_SIGNER), "need one signer"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_A_SIGNED_RECEIPT), +- "not a signed receipt"}, ++ "not a signed receipt"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_TRANSPORT), "not key transport"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE), +- "not supported for this key type"}, ++ "not supported for this key type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CIPHER), "no cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT), "no content"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT_TYPE), "no content type"}, +@@ -100,9 +102,9 @@ + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_KEY_OR_CERT), "no key or cert"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_DIGEST), "no matching digest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_RECIPIENT), +- "no matching recipient"}, ++ "no matching recipient"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_SIGNATURE), +- "no matching signature"}, ++ "no matching signature"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MSGSIGDIGEST), "no msgsigdigest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PASSWORD), "no password"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PRIVATE_KEY), 
"no private key"}, +@@ -111,56 +113,56 @@ + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_SIGNERS), "no signers"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_PEER_KEY_ERROR), "peer key error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), +- "private key does not match certificate"}, ++ "private key does not match certificate"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECEIPT_DECODE_ERROR), +- "receipt decode error"}, ++ "receipt decode error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECIPIENT_ERROR), "recipient error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNER_CERTIFICATE_NOT_FOUND), +- "signer certificate not found"}, ++ "signer certificate not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNFINAL_ERROR), "signfinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SMIME_TEXT_ERROR), "smime text error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_STORE_INIT_ERROR), "store init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_COMPRESSED_DATA), +- "type not compressed data"}, ++ "type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DATA), "type not data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DIGESTED_DATA), +- "type not digested data"}, ++ "type not digested data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENCRYPTED_DATA), +- "type not encrypted data"}, ++ "type not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENVELOPED_DATA), +- "type not enveloped data"}, ++ "type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNABLE_TO_FINALIZE_CONTEXT), +- "unable to finalize context"}, ++ "unable to finalize context"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_CIPHER), "unknown cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM), +- "unknown digest algorithm"}, ++ "unknown digest algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), +- "unsupported 
compression algorithm"}, ++ "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM), +- "unsupported content encryption algorithm"}, ++ "unsupported content encryption algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), +- "unsupported content type"}, ++ "unsupported content type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE), +- "unsupported encryption type"}, ++ "unsupported encryption type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM), +- "unsupported kek algorithm"}, ++ "unsupported kek algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM), +- "unsupported key encryption algorithm"}, ++ "unsupported key encryption algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_LABEL_SOURCE), +- "unsupported label source"}, ++ "unsupported label source"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE), +- "unsupported recipientinfo type"}, ++ "unsupported recipientinfo type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENT_TYPE), +- "unsupported recipient type"}, ++ "unsupported recipient type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM), +- "unsupported signature algorithm"}, ++ "unsupported signature algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_TYPE), "unsupported type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_ERROR), "unwrap error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_FAILURE), "unwrap failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_VERIFICATION_FAILURE), +- "verification failure"}, ++ "verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_WRAP_ERROR), "wrap error"}, + {0, NULL} + }; +--- crypto/openssl/crypto/cms/cms_kari.c.orig ++++ crypto/openssl/crypto/cms/cms_kari.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved. 
+ * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -502,6 +502,13 @@ + oik->d.originatorKey = M_ASN1_new_of(CMS_OriginatorPublicKey); + if (!oik->d.originatorKey) + return 0; ++ } else { ++ /* ++ * Currently it is not possible to get public key as it is not stored ++ * during kari initialization. ++ */ ++ ERR_raise(ERR_LIB_CMS, CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT); ++ return 0; + } + /* Initialise KDF algorithm */ + if (!ossl_cms_env_asn1_ctrl(ri, 0)) +--- crypto/openssl/crypto/cms/cms_lib.c.orig ++++ crypto/openssl/crypto/cms/cms_lib.c +@@ -22,6 +22,7 @@ + static STACK_OF(CMS_CertificateChoices) + **cms_get0_certificate_choices(CMS_ContentInfo *cms); + ++IMPLEMENT_ASN1_ALLOC_FUNCTIONS(CMS_ContentInfo) + IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo) + + CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, +@@ -68,20 +69,6 @@ + return ci; + } + +-CMS_ContentInfo *CMS_ContentInfo_new(void) +-{ +- return CMS_ContentInfo_new_ex(NULL, NULL); +-} +- +-void CMS_ContentInfo_free(CMS_ContentInfo *cms) +-{ +- if (cms != NULL) { +- ossl_cms_env_enc_content_free(cms); +- OPENSSL_free(cms->ctx.propq); +- ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo)); +- } +-} +- + const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms) + { + return cms != NULL ? 
&cms->ctx : NULL; +--- crypto/openssl/crypto/cms/cms_local.h.orig ++++ crypto/openssl/crypto/cms/cms_local.h +@@ -368,6 +368,7 @@ + + DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) + DECLARE_ASN1_ITEM(CMS_SignerInfo) ++DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo) + DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber) + DECLARE_ASN1_ITEM(CMS_Attributes_Sign) + DECLARE_ASN1_ITEM(CMS_Attributes_Verify) +@@ -444,7 +445,6 @@ + int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain); + BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms); + int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio); +-void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf); + CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); + CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms); + CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms); +--- crypto/openssl/crypto/cms/cms_rsa.c.orig ++++ crypto/openssl/crypto/cms/cms_rsa.c +@@ -223,7 +223,10 @@ + os = ossl_rsa_ctx_to_pss_string(pkctx); + if (os == NULL) + return 0; +- return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); ++ if (X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os)) ++ return 1; ++ ASN1_STRING_free(os); ++ return 0; + } + + params[0] = OSSL_PARAM_construct_octet_string( +--- crypto/openssl/crypto/cms/cms_sd.c.orig ++++ crypto/openssl/crypto/cms/cms_sd.c +@@ -482,8 +482,12 @@ + ossl_cms_ctx_get0_libctx(ctx), + ossl_cms_ctx_get0_propq(ctx), + pk, NULL) <= 0) { ++ si->pctx = NULL; + goto err; + } ++ else { ++ EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); ++ } + } + + if (!sd->signerInfos) +@@ -725,6 +729,7 @@ + unsigned int mdlen; + + pctx = si->pctx; ++ si->pctx = NULL; + if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) + goto err; + siglen = EVP_PKEY_get_size(si->pkey); +@@ -813,6 +818,7 @@ + ossl_cms_ctx_get0_propq(ctx), si->pkey, + NULL) <= 0) + goto err; ++ 
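Review bot: In the cms_sd.c hunk at -482 the added `else { EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); }` is redundant, because the `if` branch always leaves through `goto err`. It is also laid out as `}` followed by `else {` on a new line, while the other added branches in this patch use `} else {`. Placing the `EVP_MD_CTX_set_flags(...)` call directly after the `if` block, as the hunk at -884 does, reads more simply and matches the surrounding style. The enclosing function is only partly visible in the hunk.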
EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); + si->pctx = pctx; + } + +@@ -884,9 +890,16 @@ + goto err; + } + mctx = si->mctx; ++ if (si->pctx != NULL) { ++ EVP_PKEY_CTX_free(si->pctx); ++ si->pctx = NULL; ++ } + if (EVP_DigestVerifyInit_ex(mctx, &si->pctx, EVP_MD_get0_name(md), libctx, +- propq, si->pkey, NULL) <= 0) ++ propq, si->pkey, NULL) <= 0) { ++ si->pctx = NULL; + goto err; ++ } ++ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); + + if (!cms_sd_asn1_ctrl(si, 1)) + goto err; +@@ -1003,8 +1016,11 @@ + if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) + goto err; + si->pctx = pkctx; +- if (!cms_sd_asn1_ctrl(si, 1)) ++ if (!cms_sd_asn1_ctrl(si, 1)) { ++ si->pctx = NULL; + goto err; ++ } ++ si->pctx = NULL; + r = EVP_PKEY_verify(pkctx, si->signature->data, + si->signature->length, mval, mlen); + if (r <= 0) { +--- crypto/openssl/crypto/cms/cms_smime.c.orig ++++ crypto/openssl/crypto/cms/cms_smime.c +@@ -236,7 +236,7 @@ + if (cms == NULL) + return NULL; + if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen)) +- return NULL; ++ goto err; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); +@@ -245,6 +245,7 @@ + || CMS_final(cms, in, NULL, flags)) + return cms; + ++ err: + CMS_ContentInfo_free(cms); + return NULL; + } +--- crypto/openssl/crypto/core_fetch.c.orig ++++ crypto/openssl/crypto/core_fetch.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -120,7 +120,8 @@ + * It is *expected* that the put function increments the refcnt + * of the passed method. + */ +- data->mcm->put(data->store, method, provider, algo->algorithm_names, ++ data->mcm->put(no_store ? 
data->store : NULL, ++ method, provider, algo->algorithm_names, + algo->property_definition, data->mcm_data); + + /* refcnt-- because we're dropping the reference */ +--- crypto/openssl/crypto/dso/dso_dl.c.orig ++++ crypto/openssl/crypto/dso/dso_dl.c +@@ -235,13 +235,12 @@ + ERR_raise(ERR_LIB_DSO, DSO_R_NAME_TRANSLATION_FAILED); + return NULL; + } +- if (transform) { +- if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0) +- sprintf(translated, "lib%s%s", filename, DSO_EXTENSION); +- else +- sprintf(translated, "%s%s", filename, DSO_EXTENSION); +- } else +- sprintf(translated, "%s", filename); ++ if (transform) ++ BIO_snprintf(translated, rsize, ++ (DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0 ++ ? "lib%s%s" : "%s%s", filename, DSO_EXTENSION); ++ else ++ BIO_snprintf(translated, rsize, "%s", filename); + return translated; + } + +--- crypto/openssl/crypto/dso/dso_dlfcn.c.orig ++++ crypto/openssl/crypto/dso/dso_dlfcn.c +@@ -271,11 +271,12 @@ + } + if (transform) { + if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0) +- sprintf(translated, "lib%s" DSO_EXTENSION, filename); ++ BIO_snprintf(translated, rsize, "lib%s" DSO_EXTENSION, filename); + else +- sprintf(translated, "%s" DSO_EXTENSION, filename); +- } else +- sprintf(translated, "%s", filename); ++ BIO_snprintf(translated, rsize, "%s" DSO_EXTENSION, filename); ++ } else { ++ BIO_snprintf(translated, rsize, "%s", filename); ++ } + return translated; + } + +--- crypto/openssl/crypto/dso/dso_win32.c.orig ++++ crypto/openssl/crypto/dso/dso_win32.c +@@ -454,24 +454,20 @@ + char *translated; + int len, transform; + +- len = strlen(filename); + transform = ((strstr(filename, "/") == NULL) && + (strstr(filename, "\\") == NULL) && + (strstr(filename, ":") == NULL)); ++ /* If transform != 0, then we convert to %s.dll, else just dupe filename */ ++ ++ len = strlen(filename) + 1; + if (transform) +- /* We will convert this to "%s.dll" */ +- translated = OPENSSL_malloc(len + 5); +- else +- 
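Review bot: The new first argument `no_store ? data->store : NULL` in core_fetch.c has no comment and reads as inverted at first glance, since a store is passed exactly when `no_store` is set. The block comment above it only covers reference counting. `no_store` and `data->store` are assigned outside the hunk, so I am inferring that `data->store` is a temporary store and that NULL makes `put` fall back to its default. If that is right, a line such as `/* data->store is only used when no_store is set; NULL selects the default store */` would spare the next reader the lookup.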
/* We will simply duplicate filename */ +- translated = OPENSSL_malloc(len + 1); ++ len += strlen(".dll"); ++ translated = OPENSSL_malloc(len); + if (translated == NULL) { + ERR_raise(ERR_LIB_DSO, DSO_R_NAME_TRANSLATION_FAILED); + return NULL; + } +- if (transform) +- sprintf(translated, "%s.dll", filename); +- else +- sprintf(translated, "%s", filename); ++ BIO_snprintf(translated, len, "%s%s", filename, transform ? ".dll" : ""); + return translated; + } + +--- crypto/openssl/crypto/ec/ec_asn1.c.orig ++++ crypto/openssl/crypto/ec/ec_asn1.c +@@ -1161,7 +1161,7 @@ + size_t buf_len = 0; + int new_buffer = 0; + +- if (a == NULL) { ++ if (a == NULL || a->pub_key == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } +--- crypto/openssl/crypto/ec/ec_backend.c.orig ++++ crypto/openssl/crypto/ec/ec_backend.c +@@ -616,14 +616,8 @@ + || !EC_GROUP_copy(ret->group, src->group)) + goto err; + +- if (src->meth != NULL) { +-#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) +- if (src->engine != NULL && ENGINE_init(src->engine) == 0) +- goto err; +- ret->engine = src->engine; +-#endif ++ if (src->meth != NULL) + ret->meth = src->meth; +- } + } + + /* copy the public key */ +--- crypto/openssl/crypto/ec/ec_lib.c.orig ++++ crypto/openssl/crypto/ec/ec_lib.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the Apache License 2.0 (the "License"). You may not use +@@ -20,6 +20,7 @@ + #include + #include + #include "crypto/ec.h" ++#include "crypto/bn.h" + #include "internal/nelem.h" + #include "ec_local.h" + +@@ -1262,10 +1263,10 @@ + if (!BN_sub(e, group->order, e)) + goto err; + /*- +- * Exponent e is public. +- * No need for scatter-gather or BN_FLG_CONSTTIME. 
++ * Although the exponent is public we want the result to be ++ * fixed top. + */ +- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) ++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) + goto err; + + ret = 1; +--- crypto/openssl/crypto/ec/ec_oct.c.orig ++++ crypto/openssl/crypto/ec/ec_oct.c +@@ -74,6 +74,10 @@ + point_conversion_form_t form, unsigned char *buf, + size_t len, BN_CTX *ctx) + { ++ if (point == NULL) { ++ ERR_raise(ERR_LIB_EC, ERR_R_PASSED_NULL_PARAMETER); ++ return 0; ++ } + if (group->meth->point2oct == 0 + && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { + ERR_raise(ERR_LIB_EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); +--- crypto/openssl/crypto/encode_decode/encoder_pkey.c.orig ++++ crypto/openssl/crypto/encode_decode/encoder_pkey.c +@@ -186,9 +186,13 @@ + const OSSL_PROVIDER *e_prov = OSSL_ENCODER_get0_provider(encoder); + + if (k_prov != e_prov) { ++ int selection = data->selection; ++ ++ if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) ++ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY; + data->encoder_inst = encoder_inst; + +- if (!evp_keymgmt_export(pk->keymgmt, pk->keydata, data->selection, ++ if (!evp_keymgmt_export(pk->keymgmt, pk->keydata, selection, + &encoder_import_cb, data)) + return NULL; + data->obj = data->constructed_obj; +--- crypto/openssl/crypto/err/openssl.txt.orig ++++ crypto/openssl/crypto/err/openssl.txt +@@ -1,4 +1,4 @@ +-# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the Apache License 2.0 (the "License"). You may not use + # this file except in compliance with the License. 
You can obtain a copy +@@ -307,6 +307,8 @@ + error reading messagedigest attribute + CMS_R_ERROR_SETTING_KEY:115:error setting key + CMS_R_ERROR_SETTING_RECIPIENTINFO:116:error setting recipientinfo ++CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT:196:\ ++ error unsupported static key agreement + CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR:183:ess signing certid mismatch error + CMS_R_INVALID_ENCRYPTED_KEY_LENGTH:117:invalid encrypted key length + CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER:176:invalid key encryption parameter +--- crypto/openssl/crypto/evp/ctrl_params_translate.c.orig ++++ crypto/openssl/crypto/evp/ctrl_params_translate.c +@@ -1210,6 +1210,8 @@ + /* The initial value for |ctx->action_type| must not be zero. */ + if (!ossl_assert(ctx->action_type != NONE)) + return 0; ++ } else if (state == POST_PARAMS_TO_CTRL && ctx->action_type == NONE) { ++ ctx->action_type = GET; + } + + if ((ret = default_check(state, translation, ctx)) <= 0) +@@ -1235,6 +1237,8 @@ + } + } else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == GET) { + ctx->p1 = -2; ++ } else if (state == POST_PARAMS_TO_CTRL && ctx->action_type == GET) { ++ ctx->p1 = ret; + } + + return ret; +@@ -2800,8 +2804,14 @@ + /* + * In POST, we pass the return value as p1, allowing the fixup_args + * function to put it to good use, or maybe affect it. ++ * ++ * NOTE: even though EVP_PKEY_CTX_ctrl return value is documented ++ * as return positive on Success and 0 or negative on falure. There ++ * maybe parameters (e.g. ecdh_cofactor), which actually return 0 ++ * as success value. 
That is why we do POST_PARAMS_TO_CTRL for 0 ++ * value as well + */ +- if (ret > 0) { ++ if (ret >= 0) { + ctx.p1 = ret; + fixup(POST_PARAMS_TO_CTRL, translation, &ctx); + ret = ctx.p1; +--- crypto/openssl/crypto/evp/m_sigver.c.orig ++++ crypto/openssl/crypto/evp/m_sigver.c +@@ -662,8 +662,12 @@ + { + EVP_PKEY_CTX *pctx = ctx->pctx; + +- if (pctx != NULL +- && pctx->operation == EVP_PKEY_OP_VERIFYCTX ++ if (pctx == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); ++ return -1; ++ } ++ ++ if (pctx->operation == EVP_PKEY_OP_VERIFYCTX + && pctx->op.sig.algctx != NULL + && pctx->op.sig.signature != NULL) { + if (pctx->op.sig.signature->digest_verify != NULL) +@@ -672,8 +676,8 @@ + tbs, tbslen); + } else { + /* legacy */ +- if (ctx->pctx->pmeth != NULL && ctx->pctx->pmeth->digestverify != NULL) +- return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen); ++ if (pctx->pmeth != NULL && pctx->pmeth->digestverify != NULL) ++ return pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen); + } + + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) +--- crypto/openssl/crypto/http/http_client.c.orig ++++ crypto/openssl/crypto/http/http_client.c +@@ -851,6 +851,20 @@ + + #ifndef OPENSSL_NO_SOCK + ++static const char *explict_or_default_port(const char *hostserv, const char *port, int use_ssl) ++{ ++ if (port == NULL) { ++ char *service = NULL; ++ ++ if (!BIO_parse_hostserv(hostserv, NULL, &service, BIO_PARSE_PRIO_HOST)) ++ return NULL; ++ if (service == NULL) /* implicit port */ ++ port = use_ssl ? 
OSSL_HTTPS_PORT : OSSL_HTTP_PORT; ++ OPENSSL_free(service); ++ } /* otherwise take the explicitly given port */ ++ return port; ++} ++ + /* set up a new connection BIO, to HTTP server or to HTTP(S) proxy if given */ + static BIO *http_new_bio(const char *server /* optionally includes ":port" */, + const char *server_port /* explicit server port */, +@@ -870,8 +884,7 @@ + port = proxy_port; + } + +- if (port == NULL && strchr(host, ':') == NULL) +- port = use_ssl ? OSSL_HTTPS_PORT : OSSL_HTTP_PORT; ++ port = explict_or_default_port(host, port, use_ssl); + + cbio = BIO_new_connect(host /* optionally includes ":port" */); + if (cbio == NULL) +@@ -958,8 +971,6 @@ + } + if (port != NULL && *port == '\0') + port = NULL; +- if (port == NULL && strchr(server, ':') == NULL) +- port = use_ssl ? OSSL_HTTPS_PORT : OSSL_HTTP_PORT; + proxy = OSSL_HTTP_adapt_proxy(proxy, no_proxy, server, use_ssl); + if (proxy != NULL + && !OSSL_HTTP_parse_url(proxy, NULL /* use_ssl */, NULL /* user */, +--- crypto/openssl/crypto/http/http_lib.c.orig ++++ crypto/openssl/crypto/http/http_lib.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
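Review bot: The new helper `explict_or_default_port()` returns NULL in two different situations: when `BIO_parse_hostserv()` fails, and when `hostserv` already carries its own port. The call site in the next hunk, `port = explict_or_default_port(host, port, use_ssl);`, therefore cannot tell a malformed host string from the normal "port embedded in host" case and carries on to `BIO_new_connect(host)` either way. Either document this on the helper, for example `/* returns NULL if hostserv includes a port or cannot be parsed */`, or report the parse failure separately so `http_new_bio` can bail out early. The helper name is also misspelled (`explict` for `explicit`). The rest of `http_new_bio` is outside the hunk.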
You can obtain a copy +@@ -9,11 +9,18 @@ + + #include /* for sscanf() */ + #include ++#ifndef OPENSSL_NO_SOCK ++# include "../bio/bio_local.h" /* for NI_MAXHOST */ ++#endif + #include + #include + #include /* for BIO_snprintf() */ + #include + #include "internal/cryptlib.h" /* for ossl_assert() */ ++#ifndef NI_MAXHOST ++# define NI_MAXHOST 255 ++#endif ++#include "crypto/ctype.h" /* for ossl_isspace() */ + + static void init_pstring(char **pstr) + { +@@ -251,10 +258,17 @@ + { + size_t sl; + const char *found = NULL; ++ char host[NI_MAXHOST]; + + if (!ossl_assert(server != NULL)) + return 0; + sl = strlen(server); ++ if (sl >= 2 && sl < sizeof(host) + 2 && server[0] == '[' && server[sl - 1] == ']') { ++ /* strip leading '[' and trailing ']' from escaped IPv6 address */ ++ sl -= 2; ++ strncpy(host, server + 1, sl); ++ server = host; ++ } + + /* + * using environment variable names, both lowercase and uppercase variants, +@@ -268,8 +282,8 @@ + if (no_proxy != NULL) + found = strstr(no_proxy, server); + while (found != NULL +- && ((found != no_proxy && found[-1] != ' ' && found[-1] != ',') +- || (found[sl] != '\0' && found[sl] != ' ' && found[sl] != ','))) ++ && ((found != no_proxy && !ossl_isspace(found[-1]) && found[-1] != ',') ++ || (found[sl] != '\0' && !ossl_isspace(found[sl]) && found[sl] != ','))) + found = strstr(found + 1, server); + return found == NULL; + } +@@ -285,7 +299,7 @@ + if (proxy == NULL) + proxy = ossl_safe_getenv(use_ssl ? "https_proxy" : "http_proxy"); + if (proxy == NULL) +- proxy = ossl_safe_getenv(use_ssl ? OPENSSL_HTTP_PROXY : OPENSSL_HTTPS_PROXY); ++ proxy = ossl_safe_getenv(use_ssl ? 
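Review bot: In the `use_proxy` hunk at -251 the bracket-stripping branch leaves `host` without a terminating NUL. `strncpy(host, server + 1, sl);` copies exactly `sl` bytes from a source that is longer than `sl` (the trailing `]` is still there), so no NUL is appended, and `host` is an uninitialised stack array. The `strstr(no_proxy, server)` in the next hunk then reads past the copied bytes. The length check `sl < sizeof(host) + 2` already guarantees room, so adding `host[sl] = '\0';` right after the `strncpy` closes the gap. The function continues outside the hunk.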
OPENSSL_HTTPS_PROXY : OPENSSL_HTTP_PROXY); + + if (proxy == NULL || *proxy == '\0' || !use_proxy(no_proxy, server)) + return NULL; +--- crypto/openssl/crypto/pem/pem_pk8.c.orig ++++ crypto/openssl/crypto/pem/pem_pk8.c +@@ -173,7 +173,7 @@ + X509_SIG *p8 = NULL; + int klen; + EVP_PKEY *ret; +- char psbuf[PEM_BUFSIZE]; ++ char psbuf[PEM_BUFSIZE + 1]; /* reserve one byte at the end */ + + p8 = d2i_PKCS8_bio(bp, NULL); + if (p8 == NULL) +@@ -182,7 +182,7 @@ + klen = cb(psbuf, PEM_BUFSIZE, 0, u); + else + klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); +- if (klen < 0) { ++ if (klen < 0 || klen > PEM_BUFSIZE) { + ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ); + X509_SIG_free(p8); + return NULL; +--- crypto/openssl/crypto/pkcs12/p12_crt.c.orig ++++ crypto/openssl/crypto/pkcs12/p12_crt.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -210,8 +210,10 @@ + /* Make a PKCS#8 structure */ + if ((p8 = EVP_PKEY2PKCS8(key)) == NULL) + goto err; +- if (key_usage && !PKCS8_add_keyusage(p8, key_usage)) ++ if (key_usage && !PKCS8_add_keyusage(p8, key_usage)) { ++ PKCS8_PRIV_KEY_INFO_free(p8); + goto err; ++ } + if (nid_key != -1) { + /* This call does not take ownership of p8 */ + bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0, +--- crypto/openssl/crypto/pkcs7/pk7_doit.c.orig ++++ crypto/openssl/crypto/pkcs7/pk7_doit.c +@@ -1023,6 +1023,7 @@ + STACK_OF(X509_ATTRIBUTE) *sk; + BIO *btmp; + EVP_PKEY *pkey; ++ unsigned char *abuf = NULL; + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); + const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); +@@ -1072,7 +1073,7 @@ + + sk = si->auth_attr; + if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { +- unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; ++ unsigned char md_dat[EVP_MAX_MD_SIZE]; + unsigned int md_len; + int alen; + ASN1_OCTET_STRING *message_digest; +@@ -1114,8 +1115,6 @@ + } + if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen)) + goto err; +- +- OPENSSL_free(abuf); + } + + os = si->enc_digest; +@@ -1133,6 +1132,7 @@ + } + ret = 1; + err: ++ OPENSSL_free(abuf); + EVP_MD_CTX_free(mdc_tmp); + EVP_MD_free(fetched_md); + return ret; +--- crypto/openssl/crypto/pkcs7/pk7_lib.c.orig ++++ crypto/openssl/crypto/pkcs7/pk7_lib.c +@@ -28,6 +28,11 @@ + /* NOTE(emilia): does not support detached digested data. 
*/ + case PKCS7_OP_SET_DETACHED_SIGNATURE: + if (nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) { ++ ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT); ++ ret = 0; ++ break; ++ } + ret = p7->detached = (int)larg; + if (ret && PKCS7_type_is_data(p7->d.sign->contents)) { + ASN1_OCTET_STRING *os; +--- crypto/openssl/crypto/sm2/sm2_sign.c.orig ++++ crypto/openssl/crypto/sm2/sm2_sign.c +@@ -331,12 +331,10 @@ + OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + + ctx = BN_CTX_new_ex(libctx); +- pt = EC_POINT_new(group); +- if (ctx == NULL || pt == NULL) { ++ if (ctx == NULL) { + ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); + goto done; + } +- + BN_CTX_start(ctx); + t = BN_CTX_get(ctx); + x1 = BN_CTX_get(ctx); +@@ -345,6 +343,12 @@ + goto done; + } + ++ pt = EC_POINT_new(group); ++ if (pt == NULL) { ++ ERR_raise(ERR_LIB_SM2, ERR_R_MALLOC_FAILURE); ++ goto done; ++ } ++ + /* + * B1: verify whether r' in [1,n-1], verification failed if not + * B2: verify whether s' in [1,n-1], verification failed if not +--- crypto/openssl/crypto/srp/srp_vfy.c.orig ++++ crypto/openssl/crypto/srp/srp_vfy.c +@@ -216,6 +216,8 @@ + { + OPENSSL_free(vinfo->id); + OPENSSL_free(vinfo->info); ++ vinfo->id = NULL; ++ vinfo->info = NULL; + if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) + return 0; + return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); +--- crypto/openssl/crypto/threads_win.c.orig ++++ crypto/openssl/crypto/threads_win.c +@@ -212,7 +212,8 @@ + + int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) + { +- *ret = (int)InterlockedExchangeAdd((long volatile *)val, (long)amount) + amount; ++ *ret = (int)InterlockedExchangeAdd((LONG volatile *)val, (LONG)amount) ++ + amount; + return 1; + } + +--- crypto/openssl/crypto/trace.c.orig ++++ crypto/openssl/crypto/trace.c +@@ -473,7 +473,7 @@ + char *prefix = NULL; + + category = ossl_trace_get_category(category); +- if (category < 0) ++ if (category < 0 || !OSSL_trace_enabled(category)) 
+ return NULL; + + channel = trace_channels[category].bio; +--- crypto/openssl/crypto/ui/ui_util.c.orig ++++ crypto/openssl/crypto/ui/ui_util.c +@@ -105,14 +105,18 @@ + switch (UI_get_string_type(uis)) { + case UIT_PROMPT: + { +- char result[PEM_BUFSIZE + 1]; ++ int len; ++ char result[PEM_BUFSIZE + 1]; /* reserve one byte at the end */ + const struct pem_password_cb_data *data = + UI_method_get_ex_data(UI_get_method(ui), ui_method_data_index); + int maxsize = UI_get_result_maxsize(uis); +- int len = data->cb(result, +- maxsize > PEM_BUFSIZE ? PEM_BUFSIZE : maxsize, +- data->rwflag, UI_get0_user_data(ui)); + ++ if (maxsize > PEM_BUFSIZE) ++ maxsize = PEM_BUFSIZE; ++ len = data->cb(result, maxsize, data->rwflag, ++ UI_get0_user_data(ui)); ++ if (len > maxsize) ++ return -1; + if (len >= 0) + result[len] = '\0'; + if (len < 0) +--- crypto/openssl/crypto/x509/v3_admis.c.orig ++++ crypto/openssl/crypto/x509/v3_admis.c +@@ -67,11 +67,10 @@ + NULL /* extension-specific data */ + }; + +- + static int i2r_NAMING_AUTHORITY(const struct v3_ext_method *method, void *in, + BIO *bp, int ind) + { +- NAMING_AUTHORITY * namingAuthority = (NAMING_AUTHORITY*) in; ++ NAMING_AUTHORITY *namingAuthority = (NAMING_AUTHORITY *) in; + + if (namingAuthority == NULL) + return 0; +@@ -81,14 +80,14 @@ + && namingAuthority->namingAuthorityUrl == NULL) + return 0; + +- if (BIO_printf(bp, "%*snamingAuthority: ", ind, "") <= 0) ++ if (BIO_printf(bp, "%*snamingAuthority:\n", ind, "") <= 0) + goto err; + + if (namingAuthority->namingAuthorityId != NULL) { + char objbuf[128]; + const char *ln = OBJ_nid2ln(OBJ_obj2nid(namingAuthority->namingAuthorityId)); + +- if (BIO_printf(bp, "%*s admissionAuthorityId: ", ind, "") <= 0) ++ if (BIO_printf(bp, "%*s namingAuthorityId: ", ind, "") <= 0) + goto err; + + OBJ_obj2txt(objbuf, sizeof(objbuf), namingAuthority->namingAuthorityId, 1); +@@ -130,9 +129,10 @@ + } + + for (i = 0; i < sk_ADMISSIONS_num(admission->contentsOfAdmissions); i++) { +- ADMISSIONS* entry = 
sk_ADMISSIONS_value(admission->contentsOfAdmissions, i); ++ ADMISSIONS *entry = sk_ADMISSIONS_value(admission->contentsOfAdmissions, i); + +- if (BIO_printf(bp, "%*sEntry %0d:\n", ind, "", 1 + i) <= 0) goto err; ++ if (BIO_printf(bp, "%*sEntry %0d:\n", ind, "", 1 + i) <= 0) ++ goto err; + + if (entry->admissionAuthority != NULL) { + if (BIO_printf(bp, "%*s admissionAuthority:\n", ind, "") <= 0 +@@ -143,12 +143,12 @@ + } + + if (entry->namingAuthority != NULL) { +- if (i2r_NAMING_AUTHORITY(method, entry->namingAuthority, bp, ind) <= 0) ++ if (i2r_NAMING_AUTHORITY(method, entry->namingAuthority, bp, ind + 2) <= 0) + goto err; + } + + for (j = 0; j < sk_PROFESSION_INFO_num(entry->professionInfos); j++) { +- PROFESSION_INFO* pinfo = sk_PROFESSION_INFO_value(entry->professionInfos, j); ++ PROFESSION_INFO *pinfo = sk_PROFESSION_INFO_value(entry->professionInfos, j); + + if (BIO_printf(bp, "%*s Profession Info Entry %0d:\n", ind, "", 1 + j) <= 0) + goto err; +@@ -161,7 +161,7 @@ + } + + if (pinfo->namingAuthority != NULL) { +- if (i2r_NAMING_AUTHORITY(method, pinfo->namingAuthority, bp, ind + 2) <= 0) ++ if (i2r_NAMING_AUTHORITY(method, pinfo->namingAuthority, bp, ind + 4) <= 0) + goto err; + } + +@@ -170,7 +170,7 @@ + if (BIO_printf(bp, "%*s Info Entries:\n", ind, "") <= 0) + goto err; + for (k = 0; k < sk_ASN1_STRING_num(pinfo->professionItems); k++) { +- ASN1_STRING* val = sk_ASN1_STRING_value(pinfo->professionItems, k); ++ ASN1_STRING *val = sk_ASN1_STRING_value(pinfo->professionItems, k); + + if (BIO_printf(bp, "%*s ", ind, "") <= 0 + || ASN1_STRING_print(bp, val) <= 0 +@@ -183,7 +183,7 @@ + if (BIO_printf(bp, "%*s Profession OIDs:\n", ind, "") <= 0) + goto err; + for (k = 0; k < sk_ASN1_OBJECT_num(pinfo->professionOIDs); k++) { +- ASN1_OBJECT* obj = sk_ASN1_OBJECT_value(pinfo->professionOIDs, k); ++ ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(pinfo->professionOIDs, k); + const char *ln = OBJ_nid2ln(OBJ_obj2nid(obj)); + char objbuf[128]; + +@@ -207,31 +207,29 @@ + return 
n->namingAuthorityId; + } + +-void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n, ASN1_OBJECT* id) ++void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n, ASN1_OBJECT *id) + { + ASN1_OBJECT_free(n->namingAuthorityId); + n->namingAuthorityId = id; + } + +-const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL( +- const NAMING_AUTHORITY *n) ++const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(const NAMING_AUTHORITY *n) + { + return n->namingAuthorityUrl; + } + +-void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n, ASN1_IA5STRING* u) ++void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n, ASN1_IA5STRING *u) + { + ASN1_IA5STRING_free(n->namingAuthorityUrl); + n->namingAuthorityUrl = u; + } + +-const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText( +- const NAMING_AUTHORITY *n) ++const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(const NAMING_AUTHORITY *n) + { + return n->namingAuthorityText; + } + +-void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n, ASN1_STRING* t) ++void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n, ASN1_STRING *t) + { + ASN1_IA5STRING_free(n->namingAuthorityText); + n->namingAuthorityText = t; +--- crypto/openssl/crypto/x509/v3_san.c.orig ++++ crypto/openssl/crypto/x509/v3_san.c +@@ -336,7 +336,7 @@ + + static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) + { +- GENERAL_NAMES *ialt; ++ GENERAL_NAMES *ialt = NULL; + GENERAL_NAME *gen; + X509_EXTENSION *ext; + int i, num; +@@ -371,6 +371,7 @@ + return 1; + + err: ++ sk_GENERAL_NAME_free(ialt); + return 0; + + } +--- crypto/openssl/crypto/x509/x509_cmp.c.orig ++++ crypto/openssl/crypto/x509/x509_cmp.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
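Review bot: In v3_san.c, `sk_GENERAL_NAME_free(ialt)` at the `err:` label releases only the stack container, so any path that reaches `err` while `ialt` still owns its GENERAL_NAME entries leaks them. Whether such a path exists depends on the body of copy_issuer(), which lies outside both hunks. If ownership has not yet moved to `gens` on a failing path, the matching cleanup there is `sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);`. The `= NULL` initialiser in the first hunk is what makes the call safe for jumps taken before `ialt` is assigned, and a brief comment such as `/* stays NULL until decoded; released at err */` would record that.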
You can obtain a copy +@@ -196,6 +196,8 @@ + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } ++ if (cert == NULL) ++ return 0; + if ((flags & X509_ADD_FLAG_NO_DUP) != 0) { + /* + * not using sk_X509_set_cmp_func() and sk_X509_find() +--- crypto/openssl/crypto/x509/x_all.c.orig ++++ crypto/openssl/crypto/x509/x_all.c +@@ -92,11 +92,13 @@ + static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio, + int timeout, const ASN1_ITEM *it) + { ++ size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ? ++ OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN; + BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */, + bio, rbio, NULL /* cb */, NULL /* arg */, + 1024 /* buf_size */, NULL /* headers */, + NULL /* expected_ct */, 1 /* expect_asn1 */, +- OSSL_HTTP_DEFAULT_MAX_RESP_LEN, timeout); ++ max_resp_len, timeout); + ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL); + + BIO_free(mem); +--- crypto/openssl/demos/cipher/aesccm.c.orig ++++ crypto/openssl/demos/cipher/aesccm.c +@@ -94,7 +94,7 @@ + if ((cipher = EVP_CIPHER_fetch(libctx, "AES-192-CCM", propq)) == NULL) + goto err; + +- /* Set nonce length if default 96 bits is not appropriate */ ++ /* Default nonce length for AES-CCM is 7 bytes (56 bits). 
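Review bot: The added `if (cert == NULL) return 0;` in x509_cmp.c fails silently, while the check directly above it raises `ERR_R_PASSED_NULL_PARAMETER` before returning 0. A caller inspecting the error queue therefore cannot tell a NULL certificate from other failures. If the silence is intended, a comment such as `/* NULL cert: fail without queuing an error */` would say so; otherwise mirror the line above with `ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);`. The enclosing function starts and ends outside the hunk.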
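Review bot: In simple_get_asn1() the response cap is chosen by a pointer comparison, `it == ASN1_ITEM_rptr(X509_CRL)`, with nothing explaining why CRLs get a different limit from every other item fetched through this helper. That value bounds how much data a remote server can make the process buffer before parsing, so the reason belongs next to it. Presumably CRLs can be larger than the default cap allows, in which case a comment above the declaration would do, e.g. `/* CRLs can be large; use the dedicated CRL cap instead of the default */`. Any item type other than X509_CRL keeps `OSSL_HTTP_DEFAULT_MAX_RESP_LEN`, which is worth stating there too.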
*/ + params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, + &ccm_nonce_len); + /* Set tag length */ +--- crypto/openssl/doc/man1/openssl-ca.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-ca.pod.in +@@ -701,7 +701,7 @@ + + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL +- default_md = md5 # md to use ++ default_md = sha256 # md to use + + policy = policy_any # default policy + email_in_dn = no # Don't add the email into cert DN +--- crypto/openssl/doc/man1/openssl-cmp.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-cmp.pod.in +@@ -453,8 +453,11 @@ + + =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> + +-The DNS hostname or IP address and optionally port ++The I domain name or IP address and optionally I + of the CMP server to connect to using HTTP(S). ++IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::1]> for localhost. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. ++ + This option excludes I<-port> and I<-use_mock_srv>. + It is ignored if I<-rspin> is given with enough filename arguments. + +@@ -468,6 +471,7 @@ + + The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> + applies, see below. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + The proxy port defaults to 80 or 443 if the scheme is C; apart from that + the optional C or C prefix is ignored (note that TLS may be + selected by B<-tls_used>), as well as any path, userinfo, and query, and fragment +@@ -969,8 +973,9 @@ + + =item B<-port> I + +-Act as HTTP-based CMP server mock-up listening on the given port. +-This excludes the B<-server> and B<-use_mock_srv> options. ++Act as HTTP-based CMP server mock-up listening on the given local port. ++The client may address the server via, e.g., C<127.0.0.1> or C<[::1]>. ++This option excludes the B<-server> and B<-use_mock_srv> options. 
+ The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options + so far are not supported in this mode. + +--- crypto/openssl/doc/man1/openssl-cms.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-cms.pod.in +@@ -191,6 +191,10 @@ + Verify signed data. Expects a signed data on input and outputs + the signed data. Both clear text and opaque signing is supported. + ++By default, validation of signer certificates and their chain ++is done w.r.t. the S/MIME signing (C) purpose. ++For details see L. ++ + =item B<-resign> + + Resign a message: take an existing message and one or more new signers. +@@ -374,7 +378,8 @@ + =item B<-originator> I + + A certificate of the originator of the encrypted message. Necessary for +-decryption when Key Agreement is in use for a shared key. ++decryption when Key Agreement is in use for a shared key. Currently, not ++allowed for encryption. + + =item B<-recip> I + +@@ -902,7 +907,7 @@ + + =head1 COPYRIGHT + +-Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/doc/man1/openssl-fipsinstall.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-fipsinstall.pod.in +@@ -239,6 +239,10 @@ + L, + L + ++=head1 HISTORY ++ ++The B application was added in OpenSSL 3.0. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. 
+--- crypto/openssl/doc/man1/openssl-ocsp.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-ocsp.pod.in +@@ -30,8 +30,8 @@ + [B<-respin> I] + [B<-url> I] + [B<-host> I:I] +-[B<-path>] +-[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>] ++[B<-path> I] ++[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] + [B<-no_proxy> I] + [B<-header>] + [B<-timeout> I] +@@ -160,24 +160,32 @@ + + =item B<-url> I + +-Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. ++Specify the responder host and optionally port and path via a URL. ++Both HTTP and HTTPS (SSL/TLS) URLs can be specified. + The optional userinfo and fragment components are ignored. + Any given query component is handled as part of the path component. ++For details, see the B<-host> and B<-path> options described next. + +-=item B<-host> I:I, B<-path> I ++=item B<-host> I:I, B<-path> I + + If the B<-host> option is present then the OCSP request is sent to the host +-I on port I. The B<-path> option specifies the HTTP pathname +-to use or "/" by default. This is equivalent to specifying B<-url> with scheme +-http:// and the given hostname, port, and pathname. ++I on port I. ++The I may be a domain name or an IP (v4 or v6) address, ++such as C<127.0.0.1> or C<[::1]> for localhost. ++If it is an IPv6 address, it must be enclosed in C<[> and C<]>. + +-=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]> ++The B<-path> option specifies the HTTP pathname to use or "/" by default. ++This is equivalent to specifying B<-url> with scheme ++http:// and the given I, I, and optional I. ++ ++=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> + + The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy> + applies, see below. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. 
+ The proxy port defaults to 80 or 443 if the scheme is C; apart from that + the optional C or C prefix is ignored, +-as well as any userinfo and path components. ++as well as any userinfo, path, query, and fragment components. + Defaults to the environment variable C if set, else C + in case no TLS is used, otherwise C if set, else C. + +@@ -369,8 +377,8 @@ + + =item B<-port> I + +-Port to listen for OCSP requests on. The port may also be specified +-using the B option. ++Port to listen for OCSP requests on. Both IPv4 and IPv6 are possible. ++The port may also be specified using the B<-url> option. + A C<0> argument indicates that any available port shall be chosen automatically. + + =item B<-ignore_err> +--- crypto/openssl/doc/man1/openssl-pkeyutl.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-pkeyutl.pod.in +@@ -44,6 +44,8 @@ + This command can be used to perform low-level public key + operations using any supported algorithm. + ++By default the signing operation (see B<-sign> option) is assumed. ++ + =head1 OPTIONS + + =over 4 +@@ -59,20 +61,29 @@ + + =item B<-rawin> + +-This indicates that the input data is raw data, which is not hashed by any +-message digest algorithm. The user can specify a digest algorithm by using +-the B<-digest> option. This option can only be used with B<-sign> and +-B<-verify> and must be used with the Ed25519 and Ed448 algorithms. ++This indicates that the signature or verification input data is raw data, ++which is not hashed by any message digest algorithm. ++Except with EdDSA, ++the user can specify a digest algorithm by using the B<-digest> option. ++For signature algorithms like RSA, DSA and ECDSA, ++the default digest algorithm is SHA-256. For SM2, it is SM3. ++ ++This option can only be used with B<-sign> and B<-verify>. ++For EdDSA (the Ed25519 and Ed448 algorithms) this option is required. 
+ + =item B<-digest> I + +-This specifies the digest algorithm which is used to hash the input data before +-signing or verifying it with the input key. This option could be omitted if the +-signature algorithm does not require one (for instance, EdDSA). If this option +-is omitted but the signature algorithm requires one, a default value will be +-used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the +-default digest algorithm. For SM2, it will be SM3. If this option is present, +-then the B<-rawin> option must be also specified. ++This option can only be used with B<-sign> and B<-verify>. ++It specifies the digest algorithm that is used to hash the input data ++before signing or verifying it with the input key. This option could be omitted ++if the signature algorithm does not require preprocessing the input through ++a pluggable hash function before signing (for instance, EdDSA). If this option ++is omitted but the signature algorithm requires one and the B<-rawin> option ++is given, a default value will be used (see B<-rawin> for details). ++If this option is present, then the B<-rawin> option is required. ++ ++At this time, HashEdDSA (the ph or "prehash" variant of EdDSA) is not supported, ++so the B<-digest> option cannot be used with EdDSA. + + =item B<-out> I + +@@ -81,7 +92,7 @@ + + =item B<-sigfile> I + +-Signature file, required for B<-verify> operations only ++Signature file, required and allowed for B<-verify> operations only + + =item B<-inkey> I|I + +@@ -117,21 +128,42 @@ + =item B<-rev> + + Reverse the order of the input buffer. This is useful for some libraries +-(such as CryptoAPI) which represent the buffer in little endian format. ++(such as CryptoAPI) which represent the buffer in little-endian format. ++This cannot be used in conjunction with B<-rawin>. + + =item B<-sign> + +-Sign the input data (which must be a hash) and output the signed result. This +-requires a private key. 
++Sign the input data and output the signed result. This requires a private key. ++Using a message digest operation along with this is recommended, ++when applicable, see the B<-rawin> and B<-digest> options for details. ++Otherwise, the input data given with the B<-in> option is assumed to already ++be a digest, but this may then require an additional B<-pkeyopt> CI ++in some cases (e.g., RSA with the default PKCS#1 padding mode). ++Even for other algorithms like ECDSA, where the additional B<-pkeyopt> option ++does not affect signature output, it is recommended, as it enables ++checking that the input length is consistent with the intended digest. + + =item B<-verify> + +-Verify the input data (which must be a hash) against the signature file and +-indicate if the verification succeeded or failed. ++Verify the input data against the signature given with the B<-sigfile> option ++and indicate if the verification succeeded or failed. ++The input data given with the B<-in> option is assumed to be a hash value ++unless the B<-rawin> option is specified or implied. ++With raw data, when a digest algorithm is applicable, though it may be inferred ++from the signature or take a default value, it should also be specified. + + =item B<-verifyrecover> + +-Verify the input data (which must be a hash) and output the recovered data. ++Verify the given signature and output the recovered data (signature payload). ++For example, in case of RSA PKCS#1 the recovered data is the B ++DER encoding of the digest algorithm OID and value as specified in ++L. ++ ++Note that here the input given with the B<-in> option is not a signature input ++(as with the B<-sign> and B<-verify> options) but a signature output value, ++typically produced using the B<-sign> option. ++ ++This option is available only for use with RSA keys. 
+ + =item B<-encrypt> + +@@ -175,8 +207,9 @@ + + =item B<-asn1parse> + +-Parse the ASN.1 output data, this is useful when combined with the +-B<-verifyrecover> option when an ASN1 structure is signed. ++Parse the ASN.1 output data to check its DER encoding and print any errors. ++When combined with the B<-verifyrecover> option, this may be useful only in case ++an ASN.1 DER-encoded structure had been signed directly (without hashing it). + + {- $OpenSSL::safe::opt_engine_item -} + +@@ -200,8 +233,8 @@ + The operations and options supported vary according to the key algorithm + and its implementation. The OpenSSL operations and options are indicated below. + +-Unless otherwise mentioned all algorithms support the BI option +-which specifies the digest in use for sign, verify and verifyrecover operations. ++Unless otherwise mentioned, all algorithms support the BI option, ++which specifies the digest in use for the signing and verification operations. + The value I should represent a digest name as used in the + EVP_get_digestbyname() function for example B. This value is not used to + hash the input data. It is used (by some algorithms) for sanity-checking the +--- crypto/openssl/doc/man1/openssl-req.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-req.pod.in +@@ -638,7 +638,7 @@ + attributes = req_attributes + req_extensions = v3_ca + +- dirstring_type = nobmp ++ dirstring_type = nombstr + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +@@ -778,7 +778,7 @@ + + =head1 COPYRIGHT + +-Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/doc/man1/openssl-s_client.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-s_client.pod.in +@@ -10,11 +10,11 @@ + B B + [B<-help>] + [B<-ssl_config> I
] +-[B<-connect> I] ++[B<-connect> I:I] + [B<-host> I] + [B<-port> I] +-[B<-bind> I] +-[B<-proxy> I] ++[B<-bind> I:I] ++[B<-proxy> I:I] + [B<-proxy_user> I] + [B<-proxy_pass> I] + [B<-unix> I] +@@ -157,6 +157,7 @@ + select the host and port using the optional target positional argument instead. + If neither this nor the target positional argument are specified then an attempt + is made to connect to the local host on port 4433. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + + =item B<-host> I + +@@ -166,17 +167,19 @@ + + Connect to the specified port; use B<-connect> instead. + +-=item B<-bind> I ++=item B<-bind> I:I + + This specifies the host address and or port to bind as the source for the + connection. For Unix-domain sockets the port is ignored and the host is + used as the source socket address. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + +-=item B<-proxy> I ++=item B<-proxy> I:I + + When used with the B<-connect> flag, the program uses the host and port + specified with this flag and issues an HTTP CONNECT command to connect + to the desired server. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + + =item B<-proxy_user> I + +@@ -260,7 +263,9 @@ + + =item B<-crl_download> + +-Download CRL from distribution points in the certificate. ++Download CRL from distribution points in the certificate. Note that this option ++is ignored if B<-crl_check> option is not provided. Note that the maximum size ++of CRL is limited by L function. + + =item B<-key> I|I + +@@ -282,14 +287,20 @@ + + The verify depth to use. This specifies the maximum length of the + server certificate chain and turns on server certificate verification. +-Currently the verify operation continues after errors so all the problems ++Unless the B<-verify_return_error> option is given, ++the verify operation continues after errors so all the problems + with a certificate chain can be seen. 
As a side effect the connection + will never fail due to a server certificate verify failure. + ++By default, validation of server certificates and their chain ++is done w.r.t. the (D)TLS Server (C) purpose. ++For details see L. ++ + =item B<-verify_return_error> + +-Return verification errors instead of continuing. This will typically +-abort the handshake with a fatal error. ++Turns on server certificate verification, like with B<-verify>, ++but returns verification errors instead of continuing. ++This will typically abort the handshake with a fatal error. + + =item B<-verify_quiet> + +@@ -799,10 +810,11 @@ + + =item I:I + +-Rather than providing B<-connect>, the target hostname and optional port may ++Rather than providing B<-connect>, the target host and optional port may + be provided as a single positional argument after all options. If neither this + nor B<-connect> are provided, falls back to attempting to connect to + I on port I<4433>. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + + =back + +@@ -881,6 +893,51 @@ + The B<-bind> option may be useful if the server or a firewall requires + connections to come from some particular address and or port. + ++=head2 Note on Non-Interactive Use ++ ++When B is run in a non-interactive environment (e.g., a cron job or ++a script without a valid I), it may close the connection prematurely, ++especially with TLS 1.3. To prevent this, you can use the B<-ign_eof> flag, ++which keeps B running even after reaching EOF from I. ++ ++For example: ++ ++ openssl s_client -connect :443 -tls1_3 ++ -sess_out /path/to/tls_session_params_file ++ -ign_eof can lead to issues if the server keeps ++the connection open, expecting the client to close first. In such cases, the ++client may hang indefinitely. This behavior is not uncommon, particularly with ++protocols where the server waits for a graceful disconnect from the client. 
++ ++For example, when connecting to an SMTP server, the session may pause if the ++server expects a QUIT command before closing: ++ ++ $ openssl s_client -brief -ign_eof -starttls smtp ++ -connect :25 :25 ++ -starttls smtp -brief -ign_eof ++ ++Similarly, for HTTP/1.1 connections, including a `Connection: close` header ++ensures the server closes the connection after responding: ++ ++ printf 'GET / HTTP/1.1\r\nHost: \r\nConnection: close\r\n\r\n' ++ | openssl s_client -connect :443 -brief ++ ++These approaches help manage the connection closure gracefully and prevent ++hangs caused by the server waiting for the client to initiate the disconnect. ++ + =head1 BUGS + + Because this program has a lot of options and also because some of the +--- crypto/openssl/doc/man1/openssl-s_server.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-s_server.pod.in +@@ -74,7 +74,7 @@ + [B<-status>] + [B<-status_verbose>] + [B<-status_timeout> I] +-[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>] ++[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] + [B<-no_proxy> I] + [B<-status_url> I] + [B<-status_file> I] +@@ -202,6 +202,10 @@ + If the cipher suite cannot request a client certificate (for example an + anonymous cipher suite or PSK) this option has no effect. + ++By default, validation of any supplied client certificate and its chain ++is done w.r.t. the (D)TLS Client (C) purpose. ++For details see L. ++ + =item B<-cert> I + + The certificate to use, most servers cipher suites require the use of a +@@ -504,13 +508,14 @@ + + Sets the timeout for OCSP response to I seconds. + +-=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]> ++=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> + + The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy> + applies, see below. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. 
+ The proxy port defaults to 80 or 443 if the scheme is C; apart from that + the optional C or C prefix is ignored, +-as well as any userinfo and path components. ++as well as any userinfo, path, query, and fragment components. + Defaults to the environment variable C if set, else C + in case no TLS is used, otherwise C if set, else C. + +--- crypto/openssl/doc/man1/openssl-s_time.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-s_time.pod.in +@@ -50,6 +50,7 @@ + =item B<-connect> I:I + + This specifies the host and optional port to connect to. ++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. + + =item B<-www> I + +--- crypto/openssl/doc/man1/openssl-smime.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-smime.pod.in +@@ -394,9 +394,9 @@ + + Send encrypted mail using triple DES: + +- openssl smime -encrypt -in in.txt -from steve@openssl.org \ ++ openssl smime -encrypt -in in.txt -out mail.msg -from steve@openssl.org \ + -to someone@somewhere -subject "Encrypted message" \ +- -des3 user.pem -out mail.msg ++ -des3 user.pem + + Sign and encrypt mail: + +--- crypto/openssl/doc/man1/openssl-ts.pod.in.orig ++++ crypto/openssl/doc/man1/openssl-ts.pod.in +@@ -584,10 +584,12 @@ + -CAfile cacert.pem + + To verify a timestamp token against the original data file: ++ + openssl ts -verify -data design2.txt -in design2.tsr \ + -CAfile cacert.pem + + To verify a timestamp token against a message imprint: ++ + openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ + -in design2.tsr -CAfile cacert.pem + +--- crypto/openssl/doc/man1/openssl-verification-options.pod.orig ++++ crypto/openssl/doc/man1/openssl-verification-options.pod +@@ -24,8 +24,9 @@ + In a nutshell, a valid chain of certificates needs to be built up and verified + starting from the I that is to be verified + and ending in a certificate that due to some policy is trusted. 
+-Verification is done relative to the given I, which is the intended use +-of the target certificate, such as SSL server, or by default for any purpose. ++Certificate validation can be performed in the context of a I, which ++is a high-level specification of the intended use of the target certificate, ++such as C for TLS servers, or (by default) for any purpose. + + The details of how each OpenSSL command handles errors + are documented on the specific command page. +@@ -150,16 +151,17 @@ + The first step is to check that each certificate is well-formed. + Part of these checks are enabled only if the B<-x509_strict> option is given. + +-The second step is to check the extensions of every untrusted certificate +-for consistency with the supplied purpose. +-If the B<-purpose> option is not given then no such checks are done +-except for SSL/TLS connection setup, +-where by default C or C, are checked. +-The target or "leaf" certificate, as well as any other untrusted certificates, +-must have extensions compatible with the specified purpose. +-All certificates except the target or "leaf" must also be valid CA certificates. +-The precise extensions required are described in more detail in +-L. ++The second step is to check the X.509v3 extensions of every certificate ++for consistency with the intended specific purpose, if any. ++If the B<-purpose> option is not given then no such checks are done except for ++CMS signature checking, where by default C is checked, and SSL/(D)TLS ++connection setup, where by default C or C are checked. ++The X.509v3 extensions of the target or "leaf" certificate ++must be compatible with the specified purpose. ++All other certificates down the chain are checked to be valid CA certificates, ++and possibly also further non-standard checks are performed. ++The precise extensions required are described in detail ++in the L section below. 
+ + The third step is to check the trust settings on the last certificate + (which typically is a self-signed root CA certificate). +@@ -455,13 +457,16 @@ + + =item B<-purpose> I + +-The intended use for the certificate. +-Currently defined purposes are C, C, C, ++A high-level specification of the intended use of the target certificate. ++Currently predefined purposes are C, C, C, + C, C, C, C, C, + and C. + If peer certificate verification is enabled, by default the TLS implementation +-as well as the commands B and B check for consistency +-with TLS server or TLS client use, respectively. ++and thus the commands L and L ++check for consistency with ++TLS server (C) or TLS client use (C), respectively. ++By default, CMS signature validation, which can be done via L, ++checks for consistency with S/MIME signing use (C). + + While IETF RFC 5280 says that B and B + are only for WWW use, in practice they are used for all kinds of TLS clients +@@ -491,19 +496,20 @@ + + =item B<-verify_name> I + +-Use default verification policies like trust model and required certificate +-policies identified by I. ++Use a set of verification parameters, also known as verification method, ++identified by I. The currently predefined methods are named C, ++C, C with alias C, and C. ++These mimic the combinations of purpose and trust settings used in SSL/(D)TLS, ++and CMS/PKCS7 (including S/MIME). ++ ++The verification parameters include the trust model, various flags that can ++partly be set also via other command-line options, and the verification purpose, ++which in turn implies certificate key usage and extended key usage requirements. ++ + The trust model determines which auxiliary trust or reject OIDs are applicable + to verifying the given certificate chain. + They can be given using the B<-addtrust> and B<-addreject> options + for L. +-Supported policy names include: B, B, B, +-B, B. +-These mimics the combinations of purpose and trust settings used in SSL, CMS +-and S/MIME. 
+-As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not +-specified, so the B<-verify_name> options are functionally equivalent to the +-corresponding B<-purpose> settings. + + =back + +@@ -548,9 +554,8 @@ + + =head2 Certificate Extensions + +-Options like B<-purpose> lead to checking the certificate extensions, +-which determine what the target certificate and intermediate CA certificates +-can be used for. ++Options like B<-purpose> and B<-verify_name> trigger the processing of specific ++certificate extensions, which determine what certificates can be used for. + + =head3 Basic Constraints + +@@ -574,87 +579,117 @@ + + =head3 Extended Key Usage + +-The extKeyUsage (EKU) extension places additional restrictions on the +-certificate uses. If this extension is present (whether critical or not) +-the key can only be used for the purposes specified. +- +-A complete description of each check is given below. The comments about ++The extKeyUsage (EKU) extension places additional restrictions on ++certificate use. If this extension is present (whether critical or not) ++in an end-entity certficiate, the key is allowed only for the uses specified, ++while the special EKU B allows for all uses. ++ ++Note that according to RFC 5280 section 4.2.1.12, ++the Extended Key Usage extension will appear only in end-entity certificates, ++and consequently the standard certification path validation described ++in its section 6 does not include EKU checks for CA certificates. ++The CA/Browser Forum requires for TLS server, S/MIME, and code signing use ++the presence of respective EKUs in subordinate CA certificates (while excluding ++them for root CA certificates), while taking over from RFC 5280 ++the certificate validity concept and certificate path validation. ++ ++For historic reasons, OpenSSL has its own way of interpreting and checking ++EKU extensions on CA certificates, which may change in the future. 
++It does not require the presence of EKU extensions in CA certificates, ++but in case the verification purpose is ++C, C, C, C, or C, ++it checks that any present EKU extension (that does not contain ++B) contains the respective EKU as detailed below. ++Moreover, it does these checks even for trust anchor certificates. ++ ++=head3 Checks Implied by Specific Predefined Policies ++ ++A specific description of each check is given below. The comments about + basicConstraints and keyUsage and X.509v1 certificates above apply to B + CA certificates. + +- + =over 4 + +-=item B ++=item B<(D)TLS Client> (C) + +-The extended key usage extension must be absent or include the "web client +-authentication" OID. The keyUsage extension must be absent or it must have the +-digitalSignature bit set. The Netscape certificate type must be absent +-or it must have the SSL client bit set. ++Any given extended key usage extension must allow for C ++("TLS WWW client authentication"). + +-=item B ++For target certificates, ++the key usage must allow for C and/or C. ++The Netscape certificate type must be absent or have the SSL client bit set. + +-The extended key usage extension must be absent or include the "web client +-authentication" OID. +-The Netscape certificate type must be absent or it must have the SSL CA bit set. +-This is used as a work around if the basicConstraints extension is absent. ++For all other certificates the normal CA checks apply. In addition, ++the Netscape certificate type must be absent or have the SSL CA bit set. ++This is used as a workaround if the basicConstraints extension is absent. + +-=item B ++=item B<(D)TLS Server> (C) + +-The extended key usage extension must be absent or include the "web server +-authentication" and/or one of the SGC OIDs. The keyUsage extension must be +-absent or it +-must have the digitalSignature, the keyEncipherment set or both bits set. +-The Netscape certificate type must be absent or have the SSL server bit set. 
++Any given extended key usage extension must allow for C ++("TLS WWW server authentication") and/or include one of the SGC OIDs. + +-=item B ++For target certificates, the key usage must ++allow for C, C, and/or C. ++The Netscape certificate type must be absent or have the SSL server bit set. + +-The extended key usage extension must be absent or include the "web server +-authentication" and/or one of the SGC OIDs. The Netscape certificate type must +-be absent or the SSL CA bit must be set. +-This is used as a work around if the basicConstraints extension is absent. ++For all other certificates the normal CA checks apply. In addition, ++the Netscape certificate type must be absent or have the SSL CA bit set. ++This is used as a workaround if the basicConstraints extension is absent. + +-=item B ++=item B (C) + +-For Netscape SSL clients to connect to an SSL server it must have the +-keyEncipherment bit set if the keyUsage extension is present. This isn't ++In addition to what has been described for B, for a Netscape ++SSL client to connect to an SSL server, its EE certficate must have the ++B bit set if the keyUsage extension is present. This isn't + always valid because some cipher suites use the key for digital signing. + Otherwise it is the same as a normal SSL server. + +-=item B ++=item B + +-The extended key usage extension must be absent or include the "email +-protection" OID. The Netscape certificate type must be absent or should have the +-S/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type ++Any given extended key usage extension must allow for C. ++ ++For target certificates, ++the Netscape certificate type must be absent or should have the S/MIME bit set. ++If the S/MIME bit is not set in the Netscape certificate type + then the SSL client bit is tolerated as an alternative but a warning is shown. + This is because some Verisign certificates don't set the S/MIME bit. 
+ +-=item B ++For all other certificates the normal CA checks apply. In addition, ++the Netscape certificate type must be absent or have the S/MIME CA bit set. ++This is used as a workaround if the basicConstraints extension is absent. ++ ++=item B (C) ++ ++In addition to the common S/MIME checks, for target certficiates ++the key usage must allow for C and/or B. ++ ++=item B (C) ++ ++In addition to the common S/MIME checks, for target certficiates ++the key usage must allow for C. + +-In addition to the common S/MIME client tests the digitalSignature bit or +-the nonRepudiation bit must be set if the keyUsage extension is present. ++=item B (C) + +-=item B ++For target certificates, the key usage must allow for C. + +-In addition to the common S/MIME tests the keyEncipherment bit must be set +-if the keyUsage extension is present. ++For all other certifcates the normal CA checks apply. ++Except in this case the basicConstraints extension must be present. + +-=item B ++=item B (C) + +-The extended key usage extension must be absent or include the "email +-protection" OID. The Netscape certificate type must be absent or must have the +-S/MIME CA bit set. +-This is used as a work around if the basicConstraints extension is absent. ++For target certificates, no checks are performed at this stage, ++but special checks apply; see L. + +-=item B ++For all other certifcates the normal CA checks apply. + +-The keyUsage extension must be absent or it must have the CRL signing bit +-set. ++=item B (C) + +-=item B ++For target certificates, if the key usage extension is present, it must include ++C and/or C and must not include other bits. ++The EKU extension must be present and contain C only. ++Moreover, it must be marked as critical. + +-The normal CA tests apply. Except in this case the basicConstraints extension +-must be present. ++For all other certifcates the normal CA checks apply. 
+ + =back + +@@ -671,6 +706,7 @@ + =head1 SEE ALSO + + L, ++L, + L, + L, + L, +--- crypto/openssl/doc/man1/openssl.pod.orig ++++ crypto/openssl/doc/man1/openssl.pod +@@ -653,111 +653,22 @@ + + =head1 ENVIRONMENT + +-The OpenSSL library can be take some configuration parameters from the +-environment. Some of these variables are listed below. For information +-about specific commands, see L, +-L, and L. +- +-For information about the use of environment variables in configuration, +-see L. +- +-For information about querying or specifying CPU architecture flags, see +-L, and L. ++The OpenSSL libraries can take some configuration parameters from the ++environment. + + For information about all environment variables used by the OpenSSL libraries, ++such as B, B, and B, + see L. + +-=over 4 +- +-=item BI[,...] +- +-Enable tracing output of OpenSSL library, by name. +-This output will only make sense if you know OpenSSL internals well. +-Also, it might not give you any output at all, depending on how +-OpenSSL was built. +- +-The value is a comma separated list of names, with the following +-available: +- +-=over 4 +- +-=item B +- +-Traces the OpenSSL trace API itself. +- +-=item B +- +-Traces OpenSSL library initialization and cleanup. +- +-=item B +- +-Traces the TLS/SSL protocol. +- +-=item B +- +-Traces the ciphers used by the TLS/SSL protocol. +- +-=item B +- +-Show details about provider and engine configuration. +- +-=item B +- +-The function that is used by RSA, DSA (etc) code to select registered +-ENGINEs, cache defaults and functional references (etc), will generate +-debugging summaries. +- +-=item B +- +-Reference counts in the ENGINE structure will be monitored with a line +-of generated for each change. +- +-=item B +- +-Traces PKCS#5 v2 key generation. +- +-=item B +- +-Traces PKCS#12 key generation. +- +-=item B +- +-Traces PKCS#12 decryption. +- +-=item B +- +-Generates the complete policy tree at various points during X.509 v3 +-policy evaluation. 
+- +-=item B +- +-Traces BIGNUM context operations. +- +-=item B +- +-Traces CMP client and server activity. +- +-=item B +- +-Traces STORE operations. +- +-=item B +- +-Traces decoder operations. +- +-=item B +- +-Traces encoder operations. +- +-=item B +- +-Traces decrementing certain ASN.1 structure references. ++For information about the use of environment variables in configuration, ++see L. + +-=back ++For information about specific commands, see L, ++L, and L. + +-=back ++For information about querying or specifying CPU architecture flags, see ++L, and L. + +-=head1 SEE ALSO + + L, + L, +--- crypto/openssl/doc/man3/ASN1_TIME_set.pod.orig ++++ crypto/openssl/doc/man3/ASN1_TIME_set.pod +@@ -102,8 +102,8 @@ + + The ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() + functions print the time structure I to BIO I in human readable +-format. It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example +-"Feb 3 00:55:52 2015 GMT", which does not include a newline. ++format. It will be of the format MMM DD HH:MM:SS[.s*] YYYY GMT, for example ++"Feb E<32>3 00:55:52 2015 GMT", which does not include a newline. + If the time structure has invalid format it prints out "Bad time value" and + returns an error. The output for generalized time may include a fractional part + following the second. +@@ -179,6 +179,10 @@ + specific time format. The functions starting with B will operate on + either format. + ++Users familiar with RFC822 should note that when specifying the flag ++B the year will be formatted as documented above, ++i.e., using 4 digits, not 2 as specified in RFC822. ++ + =head1 BUGS + + ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() do +@@ -272,7 +276,7 @@ + + =head1 COPYRIGHT + +-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). 
You may not use + this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/doc/man3/ASN1_aux_cb.pod.orig ++++ crypto/openssl/doc/man3/ASN1_aux_cb.pod +@@ -87,7 +87,7 @@ + =item I + + A callback that will be invoked at various points during the processing of +-the the B. See below for further details. ++the B. See below for further details. + + =item I + +@@ -97,7 +97,7 @@ + =item I + + A callback that will be invoked at various points during the processing of +-the the B. This is used in preference to the I callback if ++the B. This is used in preference to the I callback if + the B flag is set. See below for further details. + + =back +@@ -274,7 +274,7 @@ + + =head1 COPYRIGHT + +-Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/doc/man3/BIO_s_accept.pod.orig ++++ crypto/openssl/doc/man3/BIO_s_accept.pod +@@ -169,16 +169,16 @@ + BIO_do_accept(), + BIO_set_accept_name(), BIO_set_accept_port(), BIO_set_nbio_accept(), + BIO_set_accept_bios(), BIO_set_accept_ip_family(), and BIO_set_bind_mode() +-return 1 for success and <=0 for failure. ++return 1 for success and <= 0 for failure. + + BIO_get_accept_name() returns the accept name or NULL on error. + BIO_get_peer_name() returns the peer name or NULL on error. + + BIO_get_accept_port() returns the accept port as a string or NULL on error. + BIO_get_peer_port() returns the peer port as a string or NULL on error. +-BIO_get_accept_ip_family() returns the IP family or <=0 on error. ++BIO_get_accept_ip_family() returns the IP family or <= 0 on error. + +-BIO_get_bind_mode() returns the set of B flags, or <=0 on failure. ++BIO_get_bind_mode() returns the set of B flags, or <= 0 on failure. 
+ + BIO_new_accept() returns a BIO or NULL on error. + +--- crypto/openssl/doc/man3/BIO_s_connect.pod.orig ++++ crypto/openssl/doc/man3/BIO_s_connect.pod +@@ -59,7 +59,7 @@ + + BIO_set_conn_hostname() uses the string B to set the hostname. + The hostname can be an IP address; if the address is an IPv6 one, it +-must be enclosed with brackets C<[> and C<]>. ++must be enclosed in brackets C<[> and C<]>. + The hostname can also include the port in the form hostname:port; + see L and BIO_set_conn_port() for details. + +--- crypto/openssl/doc/man3/ECDSA_sign.pod.orig ++++ crypto/openssl/doc/man3/ECDSA_sign.pod +@@ -52,7 +52,7 @@ + + ECDSA_sign() computes a digital signature of the I bytes hash value + I using the private EC key I. The DER encoded signatures is +-stored in I and its length is returned in I. Note: I must ++stored in I and its length is returned in I. Note: I must + point to ECDSA_size(eckey) bytes of memory. The parameter I is currently + ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I + and I set to NULL. +@@ -82,7 +82,7 @@ + ECDSA_sign_ex() computes a digital signature of the I bytes hash value + I using the private EC key I and the optional pre-computed values + I and I. The DER encoded signature is stored in I and its +-length is returned in I. Note: I must point to ECDSA_size(eckey) ++length is returned in I. Note: I must point to ECDSA_size(eckey) + bytes of memory. The parameter I is ignored. + + ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is +--- crypto/openssl/doc/man3/EVP_EncryptInit.pod.orig ++++ crypto/openssl/doc/man3/EVP_EncryptInit.pod +@@ -1284,6 +1284,15 @@ + the authentication operation has failed and any output data B be used + as it is corrupted. + ++Please note that the number of authenticated bytes returned by ++EVP_CipherUpdate() depends on the cipher used. 
Stream ciphers, such as ChaCha20
++or ciphers in GCM mode, can handle 1 byte at a time, resulting in an effective
++"block" size of 1. Conversely, ciphers in OCB mode must process data one block
++at a time, and the block size is returned.
++
++Regardless of the returned size, it is safe to pass unpadded data to an
++EVP_CipherUpdate() call in a single operation.
++
+ =head2 GCM and OCB Modes
+
+ The following Is are supported in GCM and OCB modes.
+@@ -1319,10 +1328,9 @@
+ For OCB, this call is valid when decrypting data to set the expected tag,
+ and when encrypting to set the desired tag length.
+
+-In OCB mode, calling this when encrypting with C set to C sets the
+-tag length. The tag length can only be set before specifying an IV. If this is
+-not called prior to setting the IV during encryption, then a default tag length
+-is used.
++In OCB mode, calling this with C set to C sets the tag length.
++The tag length can only be set before specifying an IV. If this is not called
++prior to setting the IV, then a default tag length is used.
+
+ For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the
+ maximum tag length for OCB.
+--- crypto/openssl/doc/man3/EVP_PKEY_decapsulate.pod.orig
++++ crypto/openssl/doc/man3/EVP_PKEY_decapsulate.pod
+@@ -25,10 +25,13 @@
+ The EVP_PKEY_decapsulate() function performs a private key decapsulation
+ operation using I. The data to be decapsulated is specified using the
+ I and I parameters.
+-If I is NULL then the maximum size of the output secret buffer
++If I is NULL then the size of the output secret buffer
+ is written to I<*unwrappedlen>. If I is not NULL and the
+ call is successful then the decapsulated secret data is written to I
+-and the amount of data written to I<*unwrappedlen>.
++and the amount of data written to I<*unwrappedlen>.
Note that, if I
++is not NULL in this call, the value it points to must be initialised to the length of
++I, so that the call can validate it is of sufficient size to hold the
++result of the operation.
+
+ =head1 NOTES
+
+@@ -57,7 +60,7 @@
+ unsigned char *secret = NULL;;
+
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_priv_key, NULL);
+- if (ctx = NULL)
++ if (ctx == NULL)
+ /* Error */
+ if (EVP_PKEY_decapsulate_init(ctx, NULL) <= 0)
+ /* Error */
+--- crypto/openssl/doc/man3/EVP_PKEY_encapsulate.pod.orig
++++ crypto/openssl/doc/man3/EVP_PKEY_encapsulate.pod
+@@ -35,7 +35,10 @@
+ If I is not NULL and the call is successful then the
+ internally generated key is written to I and its size is written to
+ I<*genkeylen>. The encapsulated version of the generated key is written to
+-I and its size is written to I<*wrappedkeylen>.
++I and its size is written to I<*wrappedkeylen>. Note that if
++I is not NULL, then the value it points to must initially hold the size of
++the I buffer so that its size can be validated by the call, ensuring
++it is large enough to hold the result written to I.
+
+ =head1 NOTES
+
+@@ -63,7 +66,7 @@
+ unsigned char *out = NULL, *secret = NULL;
+
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_pub_key, NULL);
+- if (ctx = NULL)
++ if (ctx == NULL)
+ /* Error */
+ if (EVP_PKEY_encapsulate_init(ctx, NULL) <= 0)
+ /* Error */
+--- crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod.orig
++++ crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod
+@@ -355,8 +355,10 @@
+ the environment variable C if set, else C.
+ Otherwise defaults to the value of C if set, else C.
+ An empty proxy string specifies not to use a proxy.
+-Else the format is C<[http[s]://]address[:port][/path]>,
+-where any path given is ignored.
++Otherwise the format is
++C<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>,
++where any given userinfo, path, query, and fragment is ignored.
++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
+ The default port number is 80, or 443 in case C is given.
+
+ OSSL_CMP_CTX_set1_no_proxy() sets the list of server hostnames not to use
+--- crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod.orig
++++ crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod
+@@ -44,7 +44,7 @@
+ as a trust anchor for the path verification of an 'acceptable' cert if it can be
+ used also to validate the issued certificate returned in the IP message. This is
+ according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
+-(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
++(AF)] document specified by The 3rd Generation Partnership Project (3GPP).
+ Note that using this option is dangerous as the certificate obtained this way
+ has not been authenticated (at least not at CMP level).
+ Taking it over as a trust anchor implements trust-on-first-use (TOFU).
+@@ -77,7 +77,7 @@
+
+ =head1 COPYRIGHT
+
+-Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
++Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
+
+ Licensed under the Apache License 2.0 (the "License"). You may not use
+ this file except in compliance with the License. You can obtain a copy
+--- crypto/openssl/doc/man3/OSSL_HTTP_parse_url.pod.orig
++++ crypto/openssl/doc/man3/OSSL_HTTP_parse_url.pod
+@@ -42,20 +42,25 @@
+ environment variable, or from C if I is nonzero.
+ If I is NULL, take any default exclusion value from the C
+ environment variable, or else from C.
+-Return the determined proxy hostname unless the exclusion contains I.
++Return the determined proxy host unless the exclusion value,
++which is a list of proxy hosts separated by C<,> and/or whitespace,
++contains I.
+ Otherwise return NULL.
++When I is a string delimited by C<[> and C<]>, which are used for IPv6
++addresses, the enclosing C<[> and C<]> are stripped prior to comparison.
+
+ OSSL_parse_url() parses its input string I as a URL of the form
+ C<[scheme://][userinfo@]host[:port][/path][?query][#fragment]> and splits it up
+ into scheme, userinfo, host, port, path, query, and fragment components.
+ The host (or server) component may be a DNS name or an IP address
+-where IPv6 addresses should be enclosed in square brackets C<[> and C<]>.
++where IPv6 addresses must be enclosed in square brackets C<[> and C<]>.
+ The port component is optional and defaults to C<0>.
+ If given, it must be in decimal form. If the I argument is not NULL
+ the integer value of the port number is assigned to I<*pport_num> on success.
+ The path component is also optional and defaults to C.
+ Each non-NULL result pointer argument I, I, I, I,
+ I, I, and I, is assigned the respective url component.
++Any IPv6 address in I<*phost> is enclosed in C<[> and C<]>.
+ On success, they are guaranteed to contain non-NULL string pointers, else NULL.
+ It is the responsibility of the caller to free them using L.
+ If I is NULL, any given query component is handled as part of the path.
+@@ -70,7 +75,7 @@
+ The port component is optional and defaults to C<443> if the scheme is C,
+ else C<80>.
+ Note that relative paths must be given with a leading C,
+-otherwise the first path element is interpreted as the hostname.
++otherwise the first path element is interpreted as the host.
+
+ Calling the deprecated function OCSP_parse_url(url, host, port, path, ssl)
+ is equivalent to
+--- crypto/openssl/doc/man3/OSSL_HTTP_transfer.pod.orig
++++ crypto/openssl/doc/man3/OSSL_HTTP_transfer.pod
+@@ -77,12 +77,14 @@
+ if set, else C.
+ If I != 0 it defaults to C if set, else C.
+ An empty proxy string C<""> forbids using a proxy.
+-Else the format is
++Otherwise, the format is
+ C<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>,
+ where any userinfo, path, query, and fragment given is ignored.
++If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
+ The default proxy port number is 80, or 443 in case "https:" is given.
+ The HTTP client functions connect via the given proxy unless the I
+-is found in the optional list I of proxy hostnames (if not NULL;
++is found in the optional list I of proxy hostnames or IP addresses
++separated by C<,> and/or whitespace (if not NULL;
+ default is the environment variable C if set, else C).
+ Proxying plain HTTP is supported directly,
+ while using a proxy for HTTPS connections requires a suitable callback function
+--- crypto/openssl/doc/man3/OSSL_PARAM.pod.orig
++++ crypto/openssl/doc/man3/OSSL_PARAM.pod
+@@ -11,7 +11,7 @@
+ typedef struct ossl_param_st OSSL_PARAM;
+ struct ossl_param_st {
+ const char *key; /* the name of the parameter */
+- unsigned char data_type; /* declare what kind of content is in data */
++ unsigned int data_type; /* declare what kind of content is in data */
+ void *data; /* value being passed in or out */
+ size_t data_size; /* data size */
+ size_t return_size; /* returned size */
+--- crypto/openssl/doc/man3/OSSL_trace_enabled.pod.orig
++++ crypto/openssl/doc/man3/OSSL_trace_enabled.pod
+@@ -88,9 +88,10 @@
+ OSSL_trace_enabled() can be used to check if tracing for the given
+ I is enabled.
+
+-OSSL_trace_begin() is used to starts a tracing section, and get the
+-channel for the given I in form of a BIO.
++OSSL_trace_begin() is used to start a tracing section,
++and get the channel for the given I in form of a BIO.
+ This BIO can only be used for output.
++The pointer returned is NULL if the category is invalid or not enabled.
+
+ OSSL_trace_end() is used to end a tracing section.
+
+@@ -187,6 +188,9 @@
+
+ =head1 NOTES
+
++It is not needed to guard trace output function calls like
++I by I.
++
+ If producing the trace output requires carrying out auxiliary calculations,
+ this auxiliary code should be placed inside a conditional block which is
+ executed only if the trace category is enabled.
+--- crypto/openssl/doc/man3/SSL_CTX_new.pod.orig ++++ crypto/openssl/doc/man3/SSL_CTX_new.pod +@@ -104,10 +104,12 @@ + This must be explicitly requested, typically using L. + For verifying peer certificates many options can be set using various functions + such as L and L. +-The L function can be used, also in conjunction +-with L, to set the intended purpose of the session. +-The default is B on the client side ++ ++The SSL/(D)TLS implementation uses the L ++function to prepare checks for B on the client side + and B on the server side. ++The L function can be used, also in conjunction ++with L, to override the default purpose of the session. + + The SSL_CTX object uses I as the connection method. + Three method variants are available: a generic method (for either client or +@@ -228,7 +230,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, L, + SSL_CTX_set_verify(3), L, L, + L, L, + L, L, L +--- crypto/openssl/doc/man3/SSL_get_shared_sigalgs.pod.orig ++++ crypto/openssl/doc/man3/SSL_get_shared_sigalgs.pod +@@ -64,7 +64,7 @@ + The raw values correspond to the on the wire form as defined by RFC5246 et al. + The NIDs are OpenSSL equivalents. For example if the peer sent sha256(4) and + rsa(1) then B<*rhash> would be 4, B<*rsign> 1, B<*phash> NID_sha256, B<*psig> +-NID_rsaEncryption and B<*psighash> NID_sha256WithRSAEncryption. ++NID_rsaEncryption and B<*psignhash> NID_sha256WithRSAEncryption. + + If a signature algorithm is not recognised the corresponding NIDs + will be set to B. This may be because the value is not supported, +--- crypto/openssl/doc/man3/SSL_set_bio.pod.orig ++++ crypto/openssl/doc/man3/SSL_set_bio.pod +@@ -23,6 +23,9 @@ + call to L (this includes the case where the B is set to + the same value as previously). + ++If using a custom BIO, B must implement either ++L or L. ++ + SSL_set0_wbio() works in the same as SSL_set0_rbio() except that it connects + the BIO B for the write operations of the B object. 
Note that if the + rbio and wbio are the same then SSL_set0_rbio() and SSL_set0_wbio() each take +@@ -30,6 +33,12 @@ + number of references available using L before calling the set0 + functions. + ++If using a custom BIO, B must implement ++L or L. It additionally must ++implement L using B and L. ++If flushing is unnecessary with B, L should return one and ++do nothing. ++ + SSL_set_bio() is similar to SSL_set0_rbio() and SSL_set0_wbio() except + that it connects both the B and the B at the same time, and + transfers the ownership of B and B to B according to +--- crypto/openssl/doc/man3/X509V3_set_ctx.pod.orig ++++ crypto/openssl/doc/man3/X509V3_set_ctx.pod +@@ -42,8 +42,7 @@ + + =head1 RETURN VALUES + +-X509V3_set_ctx() and X509V3_set_issuer_pkey() +-return 1 on success and 0 on error. ++X509V3_set_issuer_pkey() returns 1 on success and 0 on error. + + =head1 SEE ALSO + +@@ -57,7 +56,7 @@ + + =head1 COPYRIGHT + +-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/doc/man3/X509_STORE_CTX_new.pod.orig ++++ crypto/openssl/doc/man3/X509_STORE_CTX_new.pod +@@ -74,6 +74,12 @@ + is no longer valid. + If I is NULL nothing is done. + ++X509_STORE_CTX_init() sets up I for a subsequent verification operation. ++ ++X509_STORE_CTX_init() initializes the internal state and resources of the ++given I. Among others, it sets the verification parameters associcated ++with the method name C, which includes the C purpose, ++and takes over callback function pointers from I (unless NULL). + It must be called before each call to L or + L, i.e., a context is only good for one verification. 
+ If you want to verify a further certificate or chain with the same I +@@ -144,12 +150,13 @@ + Ownership of the chain is transferred to I, + and so it should not be free'd by the caller. + +-X509_STORE_CTX_set_default() looks up and sets the default verification +-method to I. This uses the function X509_VERIFY_PARAM_lookup() to +-find an appropriate set of parameters from the purpose identifier I. +-Currently defined purposes are C, C, C, +-C, C, C, C, C, +-and C. ++X509_STORE_CTX_set_default() looks up and sets the default verification method. ++This uses the function X509_VERIFY_PARAM_lookup() to find ++the set of parameters associated with the given verification method I. ++Among others, the parameters determine the trust model and verification purpose. ++More detail, including the list of currently predefined methods, ++is described for the B<-verify_name> command-line option ++in L. + + X509_STORE_CTX_set_verify() provides the capability for overriding the default + verify function. This function is responsible for verifying chain signatures and +--- crypto/openssl/doc/man3/X509_add_cert.pod.orig ++++ crypto/openssl/doc/man3/X509_add_cert.pod +@@ -16,6 +16,7 @@ + =head1 DESCRIPTION + + X509_add_cert() adds a certificate I to the given list I. ++It is an error for the I argument to be NULL. + + X509_add_certs() adds a list of certificate I to the given list I. + The I argument may be NULL, which implies no effect. +@@ -66,7 +67,7 @@ + + =head1 COPYRIGHT + +-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. 
You can obtain a copy +--- crypto/openssl/doc/man3/X509_load_http.pod.orig ++++ crypto/openssl/doc/man3/X509_load_http.pod +@@ -27,6 +27,9 @@ + X509_load_http() and X509_CRL_load_http() loads a certificate or a CRL, + respectively, in ASN.1 format using HTTP from the given B. + ++Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs ++and hard coded in the functions. ++ + If B is given and B is NULL then this BIO is used instead of an + internal one for connecting, writing the request, and reading the response. + If both B and B are given (which may be memory BIOs, for instance) +--- crypto/openssl/doc/man7/EVP_KDF-HKDF.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-HKDF.pod +@@ -15,6 +15,8 @@ + "expands" the key K into several additional pseudorandom keys (the output + of the KDF). + ++The output is considered to be keying material. ++ + =head2 Identity + + "HKDF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-KB.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-KB.pod +@@ -10,6 +10,8 @@ + (KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an + input secret (and other optional values). + ++The output is considered to be keying material. ++ + =head2 Identity + + "KBKDF" is the name for this implementation; it can be used with the +--- crypto/openssl/doc/man7/EVP_KDF-PBKDF2.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-PBKDF2.pod +@@ -13,6 +13,8 @@ + derivation function, as described in SP800-132; it derives a key from a password + using a salt and iteration count. + ++The output is considered to be a cryptographic key. ++ + =head2 Identity + + "PBKDF2" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-SS.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-SS.pod +@@ -11,6 +11,8 @@ + during the execution of a key establishment scheme) and fixedinfo. + SSKDF is also informally referred to as 'Concat KDF'. + ++The output is considered to be keying material. 
++ + =head2 Auxiliary function + + The implementation uses a selectable auxiliary function H, which can be one of: +--- crypto/openssl/doc/man7/EVP_KDF-SSHKDF.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-SSHKDF.pod +@@ -15,6 +15,8 @@ + (for example SHA256), the Initial Key, the Exchange Hash, the Session ID, + and the derivation key type. + ++The output is considered to be keying material. ++ + =head2 Identity + + "SSHKDF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod +@@ -12,6 +12,8 @@ + The EVP_KDF-TLS13_KDF algorithm implements the HKDF key derivation function + as used by TLS 1.3. + ++The output is considered to be keying material. ++ + =head2 Identity + + "TLS13-KDF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod +@@ -11,6 +11,8 @@ + The EVP_KDF-TLS1_PRF algorithm implements the PRF used by TLS versions up to + and including TLS 1.2. + ++The output is considered to be keying material. ++ + =head2 Identity + + "TLS1-PRF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-X942-ASN1.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-X942-ASN1.pod +@@ -13,6 +13,8 @@ + "partyv-info", "supp-pubinfo" and "supp-privinfo". + This kdf is used by Cryptographic Message Syntax (CMS). + ++The output is considered to be keying material. ++ + =head2 Identity + + "X942KDF-ASN1" or "X942KDF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_KDF-X963.pod.orig ++++ crypto/openssl/doc/man7/EVP_KDF-X963.pod +@@ -10,6 +10,8 @@ + X963KDF is used by Cryptographic Message Syntax (CMS) for EC KeyAgreement, to + derive a key using input such as a shared secret key and shared info. + ++The output is considered to be keying material. 
++ + =head2 Identity + + "X963KDF" is the name for this implementation; it +--- crypto/openssl/doc/man7/EVP_SIGNATURE-DSA.pod.orig ++++ crypto/openssl/doc/man7/EVP_SIGNATURE-DSA.pod +@@ -7,7 +7,9 @@ + + =head1 DESCRIPTION + +-Support for computing DSA signatures. ++Support for computing DSA signatures. The signature produced with ++L is DER encoded ASN.1 in the form described in ++RFC 3279, section 2.2.2. + See L for information related to DSA keys. + + =head2 Signature Parameters +--- crypto/openssl/doc/man7/openssl-env.pod.orig ++++ crypto/openssl/doc/man7/openssl-env.pod +@@ -51,6 +51,99 @@ + Specifies the directory from which cryptographic providers are loaded. + Equivalently, the generic B<-provider-path> command-line option may be used. + ++=item B ++ ++By default the OpenSSL trace feature is disabled statically. ++To enable it, OpenSSL must be built with tracing support, ++which may be configured like this: C<./config enable-trace> ++ ++Unless OpenSSL tracing support is generally disabled, ++enable trace output of specific parts of OpenSSL libraries, by name. ++This output usually makes sense only if you know OpenSSL internals well. ++ ++The value of this environment varialble is a comma-separated list of names, ++with the following available: ++ ++=over 4 ++ ++=item B ++ ++Traces the OpenSSL trace API itself. ++ ++=item B ++ ++Traces OpenSSL library initialization and cleanup. ++ ++=item B ++ ++Traces the TLS/SSL protocol. ++ ++=item B ++ ++Traces the ciphers used by the TLS/SSL protocol. ++ ++=item B ++ ++Show details about provider and engine configuration. ++ ++=item B ++ ++The function that is used by RSA, DSA (etc) code to select registered ++ENGINEs, cache defaults and functional references (etc), will generate ++debugging summaries. ++ ++=item B ++ ++Reference counts in the ENGINE structure will be monitored with a line ++of generated for each change. ++ ++=item B ++ ++Traces PKCS#5 v2 key generation. ++ ++=item B ++ ++Traces PKCS#12 key generation. 
++
++=item B
++
++Traces PKCS#12 decryption.
++
++=item B
++
++Generates the complete policy tree at various points during X.509 v3
++policy evaluation.
++
++=item B
++
++Traces BIGNUM context operations.
++
++=item B
++
++Traces CMP client and server activity.
++
++=item B
++
++Traces STORE operations.
++
++=item B
++
++Traces decoder operations.
++
++=item B
++
++Traces encoder operations.
++
++=item B
++
++Traces decrementing certain ASN.1 structure references.
++
++=item B
++
++Traces the HTTP client and server, such as messages being sent and received.
++
++=back
++
+ =item B
+
+ If set, then L returns UTF-8 encoded strings, rather than
+--- crypto/openssl/doc/man7/provider.pod.orig
++++ crypto/openssl/doc/man7/provider.pod
+@@ -227,6 +227,18 @@
+ Other aliases may exist for example where standards bodies or common practice
+ use alternative names or names that OpenSSL has used historically.
+
++=head3 Provider dependencies
++
++Providers may depend for their proper operation on the availability of
++(functionality implemented in) other providers. As there is no mechanism to
++express such dependencies towards the OpenSSL core, provider authors must
++take care that such dependencies are either completely avoided or made visible
++to users, e.g., by documentation and/or defensive programming, e.g.,
++outputting error messages if required external dependencies are not available,
++e.g., when no provider implementing the required functionality has been
++activated. In particular, provider initialization should not depend on other
++providers already having been initialized.
++
+ =head1 OPENSSL PROVIDERS
+
+ OpenSSL provides a number of its own providers. These are the default, base,
+--- crypto/openssl/engines/e_afalg.c.orig
++++ crypto/openssl/engines/e_afalg.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -165,7 +165,7 @@
+ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec;
+ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec;
+
+- return syscall(__NR_io_getevents, ctx, min, max, events, ts32);
++ return syscall(__NR_io_getevents, ctx, min, max, events, &ts32);
+ } else {
+ return syscall(__NR_io_getevents, ctx, min, max, events, NULL);
+ }
+--- crypto/openssl/engines/e_loader_attic.c.orig
++++ crypto/openssl/engines/e_loader_attic.c
+@@ -988,7 +988,7 @@
+ #ifdef _WIN32
+ /* Windows file: URIs with a drive letter start with a / */
+ if (p[0] == '/' && p[2] == ':' && p[3] == '/') {
+- char c = tolower(p[1]);
++ char c = tolower((unsigned char)p[1]);
+
+ if (c >= 'a' && c <= 'z') {
+ p++;
+--- crypto/openssl/include/crypto/bn.h.orig
++++ crypto/openssl/include/crypto/bn.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -73,6 +73,9 @@
+ */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+--- crypto/openssl/include/crypto/cmserr.h.orig
++++ crypto/openssl/include/crypto/cmserr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2025 The OpenSSL Project Authors.
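Review bot: The `else` branch kept below the corrected call in e_afalg.c passes `NULL` as the timeout, so `io_getevents` waits without a limit on that path; the condition that chooses between the two branches starts above the hunk, so whether it also catches a caller timeout that does not fit in `ts32` cannot be seen here. If it does, the fallback turns a bounded wait into an unbounded one and deserves a comment on that branch, for example `/* timeout absent or not representable in 32 bits: wait without a limit */`. Because `syscall()` is variadic the compiler could not flag the old by-value `ts32`, so a short comment on the fixed line that the kernel expects a pointer here would help keep it correct.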
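Review bot: The condition just above the changed line in e_loader_attic.c reads `p[2]` and `p[3]` after checking only `p[0]`, so if `p` can be the one-character string `/` those reads go past the terminator. Where `p` comes from and how long it is guaranteed to be lies outside the hunk, so this may already be excluded by earlier code. Testing `p[1]` first closes it either way: `if (p[0] == '/' && p[1] != '\0' && p[2] == ':' && p[3] == '/') {`.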
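Review bot: The new `bn_mod_exp_mont_fixed_top` prototype in bn.h is added without a comment, and the comment block that closes just above `bn_mul_mont_fixed_top` starts outside the hunk, so it is not clear that it covers this function too. Going by the `_fixed_top` suffix it shares with its neighbours, the result is presumably left un-normalized and not meant to reach the public BN API as is; a line such as `/* Result keeps a fixed top; normalize before handing it to public BN functions (confirm against the definition) */` would state that at the declaration. Its `ctx, in_mont` argument order is also the reverse of the `mont, ctx` order of the three declarations around it, which is worth a word in the same comment.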
All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+--- crypto/openssl/include/openssl/cmserr.h.orig
++++ crypto/openssl/include/openssl/cmserr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -49,6 +49,7 @@
+ # define CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE 114
+ # define CMS_R_ERROR_SETTING_KEY 115
+ # define CMS_R_ERROR_SETTING_RECIPIENTINFO 116
++# define CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT 196
+ # define CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR 183
+ # define CMS_R_INVALID_ENCRYPTED_KEY_LENGTH 117
+ # define CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER 176
+--- crypto/openssl/include/openssl/http.h.orig
++++ crypto/openssl/include/openssl/http.h
+@@ -33,8 +33,9 @@
+ # define OPENSSL_HTTP_PROXY "HTTP_PROXY"
+ # define OPENSSL_HTTPS_PROXY "HTTPS_PROXY"
+
+-#define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
+-#define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
++# define OSSL_HTTP_DEFAULT_MAX_LINE_LEN (4 * 1024)
++# define OSSL_HTTP_DEFAULT_MAX_RESP_LEN (100 * 1024)
++# define OSSL_HTTP_DEFAULT_MAX_CRL_LEN (32 * 1024 * 1024)
+
+ /* Low-level HTTP API */
+ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int buf_size);
+--- crypto/openssl/include/openssl/opensslv.h.orig
++++ crypto/openssl/include/openssl/opensslv.h
+@@ -29,7 +29,7 @@
+ */
+ # define OPENSSL_VERSION_MAJOR 3
+ # define OPENSSL_VERSION_MINOR 0
+-# define OPENSSL_VERSION_PATCH 15
++# define OPENSSL_VERSION_PATCH 16
+
+ /*
+ * Additional version information
+@@ -74,21 +74,21 @@
+ * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
+ *
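Review bot: `OSSL_HTTP_DEFAULT_MAX_CRL_LEN` is added to http.h as 32 MiB with no comment, directly beside a general response cap of 100 KiB, and nothing in the hunk says which callers use it or in what unit it is counted. A CRL fetched over HTTP is input from the network, so this constant is presumably what bounds the memory spent on one download. A comment such as `/* max. size in bytes of a CRL downloaded via HTTP; far above the generic response limit because CRLs can be large */` would record the intent and make a later change to either limit a deliberate one.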
OPENSSL_VERSION_BUILD_METADATA_STR appended. + */ +-# define OPENSSL_VERSION_STR "3.0.15" +-# define OPENSSL_FULL_VERSION_STR "3.0.15" ++# define OPENSSL_VERSION_STR "3.0.16" ++# define OPENSSL_FULL_VERSION_STR "3.0.16" + + /* + * SECTION 3: ADDITIONAL METADATA + * + * These strings are defined separately to allow them to be parsable. + */ +-# define OPENSSL_RELEASE_DATE "3 Sep 2024" ++# define OPENSSL_RELEASE_DATE "11 Feb 2025" + + /* + * SECTION 4: BACKWARD COMPATIBILITY + */ + +-# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.15 3 Sep 2024" ++# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.16 11 Feb 2025" + + /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ + # ifdef OPENSSL_VERSION_PRE_RELEASE +--- crypto/openssl/providers/fips-sources.checksums.orig ++++ crypto/openssl/providers/fips-sources.checksums +@@ -4,71 +4,71 @@ + c1e674d08683a25bc053f6233f73a0d0b3a90aafe591ff57b702c7da1582e4a5 crypto/aes/aes_local.h + a2466f18da5847c7d9fbced17524633c10ce024671a72f53f9c9c55b9b9923dd crypto/aes/aes_misc.c + 6979c133f76f4623e62e6e970deae70fa025e713a72b71aead5a048d49e47f6f crypto/aes/asm/aes-586.pl +-2eef5f20f1410b48bdaaafa24ded24f56f34c4ca79db1d38fa6bf1b3b19535bf crypto/aes/asm/aes-armv4.pl +-38c2cf8ed3910efd89d8721e1b0763a8fde073b91f6529d251165a0496ef9555 crypto/aes/asm/aes-c64xplus.pl ++92be9ff608331a432e95247a8f4fb9e46897d0cb76f2b6db809b61d44287964a crypto/aes/asm/aes-armv4.pl ++953897f86e2de9fa27ef411155ab3aed133af94885f1507e76449c142da78656 crypto/aes/asm/aes-c64xplus.pl + 00196f01f5218ad731e6a058d406078f7228a9756d9d73f51c0d0c2a68f885af crypto/aes/asm/aes-ia64.S +-b4ef595194fe1692e1ab2b561f385da01b277cf004902e8fc99e8ac5389bbd35 crypto/aes/asm/aes-mips.pl +-123c4498c94040b70708fdd911cb08c6411b020b4cf3eb761d6fa22c583c3e6f crypto/aes/asm/aes-parisc.pl +-7a7f2f90791415ef4ffc1ba2a6f6b6fe994bfe0e03d3bf9dab6e428e6874695c crypto/aes/asm/aes-ppc.pl +-d139e5ad69560fd0ffd8aa2e72304e463650cea4c657be7a90e0d1eb782d580a crypto/aes/asm/aes-s390x.pl 
+-133ba35d77002abcd430414749c4e98c4a319630da898e45ff8dbc5800176df1 crypto/aes/asm/aes-sparcv9.pl +-c98690249d490d23e6fee84f672f1463ffc029427110a4329244a59e4e4aaed8 crypto/aes/asm/aes-x86_64.pl +-7ec99947b47e56595f0b085b8bda0b3113112f694e78b1f71b63ecd1f0fa2c67 crypto/aes/asm/aesfx-sparcv9.pl +-ab94a27e533e164bcf09898a6f6019f43609d51a3b374cf75482dcf2914d464e crypto/aes/asm/aesni-mb-x86_64.pl +-74939261340a0056eb9333fff1c843c8758b9f93de3d94650cd6d2899c6790d8 crypto/aes/asm/aesni-sha1-x86_64.pl +-ce91f0893a2a35fdf4c024ccb0fd8329b30fdbd955f0ae011ab948101ee14951 crypto/aes/asm/aesni-sha256-x86_64.pl ++88b6f8396cd9d86004743d5c3b0f72b7b8c3d5a2b00b0bbb761ba91ae5a7cdc8 crypto/aes/asm/aes-mips.pl ++7ff9c96ef3d591d45d776fa4b244601ea0d9328e289aeab1e1b92436ce7d02ad crypto/aes/asm/aes-parisc.pl ++f1244cdeadcb4e48f35bc5df19d4cfaf07e0086ad951b84f07ff6966501faa5b crypto/aes/asm/aes-ppc.pl ++ecbfe826f4c514810c3ee20e265f4f621149694c298554b2682e5de4f029f14f crypto/aes/asm/aes-s390x.pl ++ee4e8cacef972942d2a89c1a83c984df9cad87c61a54383403c5c4864c403ba1 crypto/aes/asm/aes-sparcv9.pl ++2b3b9ac56bf54334d053857a24bdb08592151e8a7a60b89b8195846b7f8ee7b5 crypto/aes/asm/aes-x86_64.pl ++c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm/aesfx-sparcv9.pl ++14359dc32b7f4e5c08227fb9ac8f9232c1287399463b233fec4a2ab0c19f68d1 crypto/aes/asm/aesni-mb-x86_64.pl ++2fe016e8098d1c959b6199ce98e91dfed9a3a543d6b068daf88d4c4c402701ec crypto/aes/asm/aesni-sha1-x86_64.pl ++1d3acabadedb88d1327eeb76201ea9b3f4814f44898018ffae6c73e3f400b89b crypto/aes/asm/aesni-sha256-x86_64.pl + 4ff74d4e629a88ef5a9e3d3f5b340fc0a4793d16d7cc7f1b70da62512a856248 crypto/aes/asm/aesni-x86.pl +-30103cfe3b29d06b34feff48a927e0fa649e9109d35a3db64b09cfeb15426fa2 crypto/aes/asm/aesni-x86_64.pl +-f3490c936a80e012c49e577ec6e1d4d36df324dfef6264e788e6225e20b5fd52 crypto/aes/asm/aesp8-ppc.pl +-a5807ed92ec8a16d123061487c385bf1f65e50878cee95c8e8096844454129f8 crypto/aes/asm/aest4-sparcv9.pl 
+-d34cf129a8c63e2b77a74117ed4440a4f35408dabd90e21e70eae92d208fa516 crypto/aes/asm/aesv8-armx.pl +-a0b578b7d2787c91013547df07dfa73d8d7a420446dd624c66f7c55159817eb2 crypto/aes/asm/bsaes-armv7.pl +-34accd08242a6bf4a751105f89b0c4de2cd7e54320753587815647abff7124de crypto/aes/asm/bsaes-x86_64.pl +-d9bc047db9b2f54f27fe0d6e2ede9239b4a1f57a14bf89fa3cfba6b836599386 crypto/aes/asm/vpaes-armv8.pl +-516421b1a321b842f879ad69e7b82ae3e1f3efc8288c83bb34d6577996e85787 crypto/aes/asm/vpaes-ppc.pl ++c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl ++0489a10fbb1a8ca3652848d5c1e14e519501e189bad3e5827a573c26df359691 crypto/aes/asm/aesp8-ppc.pl ++e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl ++e3955352a92d56905d63e68937e4758f13190a14a10a3dcb1e5c641c49913c0c crypto/aes/asm/aesv8-armx.pl ++5e8005fdb6641df465bdda20c3476f7176e6bcd63d5073044a0c02a327c7f172 crypto/aes/asm/bsaes-armv7.pl ++0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl ++1ff94d6bf6c8ae4809f64657eb89260fe3cb22137f649d3c73f72cb190258196 crypto/aes/asm/vpaes-armv8.pl ++c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl + 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl +-47bedbe6a04254eede121e71f11a657b1f1940aee1916bbfc04fa9fb8454f9b8 crypto/aes/asm/vpaes-x86_64.pl +-1c9a2a0e8cee4a1283c74b2e306f46f79890f6d236394de2a80d1994fd411d1d crypto/alphacpuid.pl +-7a37cadacdbecb50304228dfcb087ad7fbb6e31f6ab69c52dd161e79afb2f9ca crypto/arm64cpuid.pl ++060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl ++2bc67270155e2d6c7da87d9070e005ee79cea18311004907edfd6a078003532a crypto/alphacpuid.pl ++0255a480b78bdcc71f76676f496962a9828eb900f53b7be13be96ae3f67fe6db crypto/arm64cpuid.pl + e0daf54f72dd8fd1bc537d93f34e2a6a887a9ed6027bb33e15a327ef5ff37a42 crypto/armcap.c 
+-24cc7611225df0e20e414c14e80516c36d48bf99659946e85a876d8757356686 crypto/armv4cpuid.pl ++a43f2c1eef16146943745f684f2add7d186924932a47abf7fb0760cba02804e6 crypto/armv4cpuid.pl + 16739d54200fb81ca7835b5814f965022a2ab41589c7787e2697e3ea72d4fafa crypto/asn1_dsa.c +-155eff9d747eed808398cfa2af4b276dfc1f9aac8a0f9d801b314ab3f2bf5b56 crypto/bn/asm/alpha-mont.pl +-894cc71b2d783e4e1b54dbef45e9e9280165a2c43981ebdd03282f0e90914928 crypto/bn/asm/armv4-gf2m.pl +-0d2e31dc9cdce02c619adfc9ac720ccf7171384e76a84cdf0e686a805dd7006e crypto/bn/asm/armv4-mont.pl +-d7df31176f725c1ae7241fee8f681fdcf2ab9eb4d3cc6c80d49c2248ae40a56a crypto/bn/asm/armv8-mont.pl ++819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl ++0070595128b250b9ebdebe48ce53d2d27ca16ec4f7c6c8bd169ab2e4a913b2d1 crypto/bn/asm/armv4-gf2m.pl ++8c1c53a725b8a4f92b8a353bfeeb393be94198df41c912e3270f9e654417b250 crypto/bn/asm/armv4-mont.pl ++a0d926004bddb4613552ffa325fac57ab64b085255f2e72881d8478f55890f5a crypto/bn/asm/armv8-mont.pl + cb4ad7b7461fcb8e2a0d52881158d0211b79544842d4eae36fc566869a2d62c8 crypto/bn/asm/bn-586.pl +-10fb73a6cc1bc064ebdcf6d7fe3c7407ea1c28b0d65ad0123046f8b1518fa75a crypto/bn/asm/c64xplus-gf2m.pl ++636da7e2a66272a81f9c99e90b36c6f132ad6236c739e8b9f2e7315f30b72edd crypto/bn/asm/c64xplus-gf2m.pl + c86664fb974362ee52a454c83c2c4b23fd5b7d64b3c9e23ef1e0dfd130a46ee5 crypto/bn/asm/co-586.pl +-b88190d748056e6a64988bf1a3d19efc4c292e3d338a65f4505cf769a2041077 crypto/bn/asm/ia64-mont.pl ++199b9b100f194a2a128c14f2a71be5a04d50d069666d90ca5b69baee1318ccb7 crypto/bn/asm/ia64-mont.pl + a511aafbf76647a0c83705d4491c898a5584d300aa449fa6166c8803372946eb crypto/bn/asm/ia64.S +-fee42cabeeb87cdf0fa0a6ff3698b2fe98a8a47d10a756052df572097161a8b9 crypto/bn/asm/mips-mont.pl +-b197a8e1be79b8c21f8d26b34b9a282ca42ec4bcd1f3212fde3889747082a1f7 crypto/bn/asm/mips.pl +-13df09cee06a21669137294f92e5c31b4bf05a8035be6800c1cb4403d7cd8290 crypto/bn/asm/parisc-mont.pl 
+-25c96e545b4981d45557eb14ea5c83aa2d6375ae0df806cb6e6ded2f59ddfed3 crypto/bn/asm/ppc-mont.pl +-1c057083546fa1a3bb1b9819dc5110f5a3b11b7bf5a2fb275012323bd7412403 crypto/bn/asm/ppc.pl ++687c5d6606fdfd0e242005972d15db74a9cbac2b8a9a54a56fcb1e99d3880ff3 crypto/bn/asm/mips-mont.pl ++8aca83d2ec45a40af15e59cff1ac2dc33737a3d25f0a0b74d401fa778a5c5eb8 crypto/bn/asm/mips.pl ++b27ec5181e387e812925bb26823b830f49d7a6e4971b6d11ea583f5632a1504b crypto/bn/asm/parisc-mont.pl ++9973523b361db963eea4938a7a8a3adc692e1a4e1aec4fa1f1e57dc93da37921 crypto/bn/asm/ppc-mont.pl ++59cd27e1e10c4984b7fb684b27f491e7634473b1bcff197a07e0ca653124aa9a crypto/bn/asm/ppc.pl + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 crypto/bn/asm/ppc64-mont-fixed.pl +-fe9278a2504fb40257637a4718081775c29c4eb81f87a8528e5c85f8d0c6281a crypto/bn/asm/ppc64-mont.pl +-94b2d5cf0faf2efddeb5fb7c575dabc35c1791715cc9299d59a01d9f96cb2d6f crypto/bn/asm/rsaz-avx2.pl +-cd0861a565231f67252e172420f6914fe47a324b35916c29f6304491447fe84c crypto/bn/asm/rsaz-avx512.pl +-c19c717d87dd1ba74f138af05c044c05f5d025e26323637f46ba54a8c871a378 crypto/bn/asm/rsaz-x86_64.pl +-ae26becda9f6d30e9edde8bb89c251a0c40a9a6c879c4cdaec273d8c09af9cd6 crypto/bn/asm/s390x-gf2m.pl +-2700337ef133d6688047a1a8e1c671db06016aae777679923ce2b301896762cf crypto/bn/asm/s390x-mont.pl ++a25be64867ab837d93855af232e2bfa71b85b2c6f00e35e620fdc5618187fb6f crypto/bn/asm/ppc64-mont.pl ++231579e532443665020d4d522d9f11713d9c5d5c814b95b434b0f65452e16de4 crypto/bn/asm/rsaz-avx2.pl ++1657600d320ea549b527b2d878a7658533d60d26eeb38f42ea470fc612f9bb53 crypto/bn/asm/rsaz-avx512.pl ++31e84dc905b13e38850071528d3abbfcaf8910bbc8b46f38d19c2b386a5f838e crypto/bn/asm/rsaz-x86_64.pl ++30fedf48dfc5fec1c2044b6c226dd9fc42a92522cc589797a23a79d452bdd2cf crypto/bn/asm/s390x-gf2m.pl ++590388d69d7ac3a0e9af4014792f4f0fdb9552719e8fb48ebc7e5dfca2a491d4 crypto/bn/asm/s390x-mont.pl + aa02597f3dc09cfbc190aedb75711859ba0f3efff87067ebfba1ec78ebee40d7 crypto/bn/asm/s390x.S 
+-87d49e83a7df467097fdfc577aa206be9ee622c40fcbbbe5133b35d9783b7816 crypto/bn/asm/sparct4-mont.pl ++2f7cbc2c3d93b1bbc4953dda38b9ae0ab3a0a8331a0418d94d9b286183736c9e crypto/bn/asm/sparct4-mont.pl + ca21a9ccbc54e19fb7c2e6cdf286ce7cb08b0fba960c777c6edce5c57ccc2101 crypto/bn/asm/sparcv8.S + fbc93c8dbbecefe66086f58fe9719ed87b13b2cdc61454a10e841228296fecef crypto/bn/asm/sparcv8plus.S +-2ec1497fa06826f7bc574239e425dd8dda0d4a2743e1fe87669ede900291fcb6 crypto/bn/asm/sparcv9-gf2m.pl +-1f490fe184c7a51b2d0646a59e69aa659bfe51270ad21594951b8d7b785bac38 crypto/bn/asm/sparcv9-mont.pl +-277dcb7faa1913b25fd43946c50039bcdd45cb643fd9ddeedd6c207cefa4dd50 crypto/bn/asm/sparcv9a-mont.pl ++127832c1e3d298aad805236776488f5f8836b6a0fdbce3f6b42678163df3909f crypto/bn/asm/sparcv9-gf2m.pl ++1622f04a8918724ac0e8804baf285fdafa0eeaaecc36c7facd459d0ff13a8cac crypto/bn/asm/sparcv9-mont.pl ++b69083f78b4b4f7097de4462d16649532fb82c453a82cdd9cc1393122661d6e2 crypto/bn/asm/sparcv9a-mont.pl + d404375a21d33396824a3da212d6646d4f3150dd141ee4b4a250aefae3482efb crypto/bn/asm/via-mont.pl +-d632edf9b9bab7d2cd2d616512a98d15cf4b3ebba7a8e7b83650d654ceb52ecb crypto/bn/asm/vis3-mont.pl ++d24f3e97239c8eed5efc721521b025b7256c15e67a54ea6b5c4cf8f7cd0f89ea crypto/bn/asm/vis3-mont.pl + 89278854f44d95be916516609ce6f79dcd346bab52574b9b6336a9952aa94bee crypto/bn/asm/x86-gf2m.pl + 90d4ae234c08267adce9ed38d56e0edc223f7480cb9605f5d7399d0b3914c6be crypto/bn/asm/x86-mont.pl + d444ca73875e97e0ea88b20e4c02f2fcf3850e8b9311e3b67a2d04fe2796d543 crypto/bn/asm/x86_64-gcc.c +-a5481ca55d94dc7ebdc93173610d38ae2569cea1fe9b5180debe0ab94e455ce1 crypto/bn/asm/x86_64-gf2m.pl +-d8cc080824a72774cb3343a3d50ddf8f41a5b8321203d4c9a764762b62498b96 crypto/bn/asm/x86_64-mont.pl +-03788cb685268e6a50ddfa742ea1fe937570c9b86f2ebc88ee35f3304f67c045 crypto/bn/asm/x86_64-mont5.pl ++709ddee92e9222ee0ed27bfb90db556e85e2d302e4a9131afa25fdc14c4d858f crypto/bn/asm/x86_64-gf2m.pl ++da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c 
crypto/bn/asm/x86_64-mont.pl ++259fb8d7f40c0dba46920b1f169d5b37de03b0fda645463d19e3ae2b56de851d crypto/bn/asm/x86_64-mont5.pl + 0ea8185a037a2951bb3d1e590bbbdeac305176d5e618f3e43a04c09733a9de34 crypto/bn/bn_add.c + 759c2b9df808b3562fe8b0c7778dbadbf35f261e14fc2d5090d18c35b4181760 crypto/bn/bn_asm.c + 14bd5a35c05fcf454854b92fb30b356d7ac618c1eb699dd798f6ad2936d1f5ee crypto/bn/bn_blind.c +@@ -77,10 +77,10 @@ + 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c + d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c + 74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18 crypto/bn/bn_div.c +-49e59eac540db304ab0ca7bee3ba9d45f89548fff98155561bbdb6602d0aab1d crypto/bn/bn_exp.c ++46357d2d30109ae59482332adf604a5ef1bd64c7de08cc808db028c45190ba93 crypto/bn/bn_exp.c + ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c + baba7c8ae95af6aa36bc9f4be3a2eed33d500451e568ca4bfc6bc7cb48d4f7ea crypto/bn/bn_gcd.c +-5fbb1ab8463cd5544a1d95cf7996b6387ae634984a42256b7a21482ce3ac30a2 crypto/bn/bn_gf2m.c ++99325cf50bf72b5d77048c20d7fa4f80a179dc6357023745f9a58c8e914ae136 crypto/bn/bn_gf2m.c + 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c + 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c + 81a4afc27dd1e90c4bfa81c8d385214ce8a2b5884537752944a71ebebd91f4b0 crypto/bn/bn_lib.c +@@ -101,14 +101,14 @@ + 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c + be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c + c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h +-5b82cb8dbf3087c2e671871cb0a92e4039223a51af533a2ee996f3bfd47453a7 crypto/bn/rsaz_exp_x2.c ++9bc3bf8965f98915f9019d2f516345e73c435c5bd8ad94bb4b7057809a7d1383 crypto/bn/rsaz_exp_x2.c + 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c + 
c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c +-d2bfdfd96b182741d2d51f91478ffcc48491b0da44662bc1c32bc506b3eef1ba crypto/c64xpluscpuid.pl ++5f43844b5d8665de9ab895f93599150a327d73ec2674bbf7d7c512d30163022d crypto/c64xpluscpuid.pl + 0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c + 5113d8d12d884f845cad3d35d92f0a1ee20ebafd7a169273642f4e8178711de9 crypto/context.c + c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c +-f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c ++65ba41169f8fec7cb8466c3458721e3150057fb587db087a70752e5e08201381 crypto/core_fetch.c + 799c84d224639c6760c5c28e0e287500a973ca6d0c3d7c1bdcd61b0da4018b3c crypto/core_namemap.c + 469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3 crypto/cpuid.c + 71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4 crypto/cryptlib.c +@@ -138,15 +138,15 @@ + 196dc024873e413d92672c3a9b6c062ed6269250b0da6d41c0da1c03cfec9ef8 crypto/dsa/dsa_ossl.c + 9f501a59c09fc3cb3caafaff25abd44397a94d1062950a4d62e855d2c8986b5a crypto/dsa/dsa_sign.c + 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c +-786779d7014bc04846832f80638743784a3850c7ee36e4a8062fe8eb7ac31c9b crypto/ec/asm/ecp_nistp521-ppc64.pl +-2e3056ea14fab8b306b0281d6a6f4317a6e86dbf652a79ade726e716cd79bb1e crypto/ec/asm/ecp_nistz256-armv4.pl +-a02edef19d22c5aba196080942111ab0172fc2ebe6d6c40db2beb6a1a2d885c6 crypto/ec/asm/ecp_nistz256-armv8.pl +-729729f8233c95138158f4647b33a36cf175e707ce29563db0eedc811f324ec0 crypto/ec/asm/ecp_nistz256-ppc64.pl +-78a5b172f7c13ae8ac622439ffb9d99b240dbb4bbda3f5c88d1533ae74a445ad crypto/ec/asm/ecp_nistz256-sparcv9.pl ++d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl ++78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl 
++4617351d2de4d0b2abfd358c58050cee00702d0b4c1acca09312ec870e351c7d crypto/ec/asm/ecp_nistz256-armv8.pl ++3715ddd921425f3018741037f01455ed26a840ace08691a800708170a66cf4d2 crypto/ec/asm/ecp_nistz256-ppc64.pl ++cfe7e75a2fddc87a7251684469a8808b9da82b2f5725eafad5806920f89932bd crypto/ec/asm/ecp_nistz256-sparcv9.pl + 922725c4761cfa567af6ed9ecab04f2c7729ae2595f2fc0fa46dc67879dc87b0 crypto/ec/asm/ecp_nistz256-x86.pl +-19ba01af58788e2873ebc1d5b503a76604bec0b9b6296fa794946e141fc945a4 crypto/ec/asm/ecp_nistz256-x86_64.pl +-e806141073aa3792e2748f6feeee6d3017124b3bc6059a9eca0d53a2f5785346 crypto/ec/asm/x25519-ppc64.pl +-a397592dc9fdb13016311db6184b4a3a4f2e198aacb03528f770f30ea4966cc4 crypto/ec/asm/x25519-x86_64.pl ++ac327475c7ec828d11aa05628b4e3b81ec3b1400f30fe7bec01daf3cf71f2dc9 crypto/ec/asm/ecp_nistz256-x86_64.pl ++cc727533130f5f1a29229929b3d4e8454585d647be25d6344f3c6a0240998368 crypto/ec/asm/x25519-ppc64.pl ++ee897e230964511baa0d1bf95fb938312407a40a88ebe01476879c2763e5f732 crypto/ec/asm/x25519-x86_64.pl + 340336e01aa04fcde9bfd56536f90c9bc0ad56a002b6cfa321a1e421f1e93ceb crypto/ec/curve25519.c + 9a95ec8366154bb20aeb24f4767a8cbb9953ca0380708eb2f39caca6078cd59e crypto/ec/curve448/arch_32/f_impl32.c + 063dac1e4a9573c47532123e9e03e3532a7473cc3e146521ba9ec6f486ddf3b1 crypto/ec/curve448/arch_64/arch_intrinsics.h +@@ -166,16 +166,16 @@ + ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c + 6bbbf570ce31f5b579f7e03ec9f8a774663c7c1eb5e475bd31f8fee94a021ffc crypto/ec/ec2_smpl.c + 2a71bd8dbe4f427c117d990581709a4ddce07fa8e530794b5a9574fef7c48a0c crypto/ec/ec_asn1.c +-69b1b3acb4295f5fff961b339e8ace913176ca63fcedf4af0da4c27171f24f94 crypto/ec/ec_backend.c ++e959960fe9a78ea67346048c9c02428203819d5b443d18fe7bb26cd1ca28fcdc crypto/ec/ec_backend.c + 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c + 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655 crypto/ec/ec_curve.c + 
8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c + 95ce53663ab8a1d05bd6f4999f30113e1edce771fb6d218a772fe02de7bdaf4d crypto/ec/ec_key.c + 7e40fc646863e0675bbb90f075b809f61bdf0600d8095c8366858d9533ab7700 crypto/ec/ec_kmeth.c +-bbd6f618c3dfe425ce0ba1c6710fe59418130e06351881162a590475e6438c44 crypto/ec/ec_lib.c ++fea5cd863cd94b4e543b72942ed8c23175359cfab99ca65203af4ebecb001a15 crypto/ec/ec_lib.c + a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h + fa901b996eb0e460359cd470843bdb03af7a77a2f1136c5e1d30daef70f3e4d2 crypto/ec/ec_mult.c +-129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c ++205b17b41e6678f40ec2a92e7856e87904e57121e7dc3120d14a4c4eeafb15b0 crypto/ec/ec_oct.c + c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c + b2cf8f052a5716137da7b0e857ed7a5df5fb513b6d14534199a05e32f2b5a866 crypto/ec/ecdh_ossl.c + 2e00c2e0e6f6d58b81fc23fe500f59e98793dc828ca87d64eba10cc0fddd0dc1 crypto/ec/ecdsa_ossl.c +@@ -228,19 +228,19 @@ + 7290d8d7ec31a98b17618f218d4f27b393501c7606c814a43db8af1975ad1d10 crypto/lhash/lhash.c + 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h + f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c +-78a20112586dbce2b8b6e509a0f46f6a36f2a4acf53c3f3511daf7932a71c391 crypto/modes/asm/aes-gcm-armv8_64.pl +-e482f02932d77d61142548ca4f3c8d5709d88ec14ab84723d82331444c0f57da crypto/modes/asm/aesni-gcm-x86_64.pl +-8fdcb4313fa3a6e541a697525856b9527a06ddf4c794f9393e843f86d67f543c crypto/modes/asm/ghash-alpha.pl +-ace8c376b394439301cecaf468d2a9a8adae21eff1d43191cefbf6765023452d crypto/modes/asm/ghash-armv4.pl +-c22f4945e7de3bd7bfef73447f09983e40a3e4dd0938244d902a1c44c98a8467 crypto/modes/asm/ghash-c64xplus.pl +-315a76491cdba48c88df6549c9efd96b50515400810b185a568b7a871681e03d crypto/modes/asm/ghash-ia64.pl 
+-25e9f494fcb6eb636c04af2f322736fae8aa339037e199332c96b8c9c3a50afa crypto/modes/asm/ghash-parisc.pl +-f22d5fa646b4fc2db008b6b05ec07c8790d3ad5485d2b10218fd11d0e81030ba crypto/modes/asm/ghash-s390x.pl +-de97107e0c19ff9dd4069f0761eccb00e0b3ced345e1f119ab3b918dd2f9c5f6 crypto/modes/asm/ghash-sparcv9.pl ++e14f48d4112c0efe3826b4aa390cc24045a85298cc551ec7f3f36ac4236d7d81 crypto/modes/asm/aes-gcm-armv8_64.pl ++1d686af304f94743038f916125effcb51790c025f3165d8d37b526bbeee781f0 crypto/modes/asm/aesni-gcm-x86_64.pl ++c2e874a8deb418b5d8c935b2e256370566a5150e040c9fa008cdb5b463c26904 crypto/modes/asm/ghash-alpha.pl ++6bc7d63569c73d7020ede481f2de05221ac92403c7cc11e7263ada7644f6aa9b crypto/modes/asm/ghash-armv4.pl ++097975df63370de7ebea012d17de14fc1f361fb83acf03b432a99ae7d5bceb24 crypto/modes/asm/ghash-c64xplus.pl ++fdde3bc48b37790c6e0006014da71e7a831bbb4fdbfcda2d01dbe0ceb0ba88fa crypto/modes/asm/ghash-ia64.pl ++e472d73d06933667a51a0af973479993eed333c71b43af03095450acb36dbeb4 crypto/modes/asm/ghash-parisc.pl ++6fb4332ac88113a20915ad4de1931ef88b0114b5379b16e1d967820e1229fbb0 crypto/modes/asm/ghash-s390x.pl ++6af1a05981e1d41e4dea51e58938360e3abc4a4f58e179908242466d032b1a8a crypto/modes/asm/ghash-sparcv9.pl + 26f55a57e77f774d17dfba93d757f78edfa3a03f68a71ffa37ccf3bfc468b1e2 crypto/modes/asm/ghash-x86.pl +-2a0d23a644083e46745c7cb1ca79de393af9336a2e8eab7c85ffeb3b7b1a286f crypto/modes/asm/ghash-x86_64.pl +-b407d9fc6ea65fe1a05edc2d139298d78391f3c165314fa6d56dd375b8e453cd crypto/modes/asm/ghashp8-ppc.pl +-d8436f6dc43a18d49b1a16999ecb513ccf4483f418f75edc01ce68e777c614a9 crypto/modes/asm/ghashv8-armx.pl ++72744131007d2389c09665a59a862f5f6bb61b64bd3456e9b400985cb56586b8 crypto/modes/asm/ghash-x86_64.pl ++a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/asm/ghashp8-ppc.pl ++69a13f423ca74c22543900c14aef4a848e3bc75504b65d2f51c6903aebcc17a7 crypto/modes/asm/ghashv8-armx.pl + 65112dfe63cd59487e7bdb1706b44acfcf48ecede12cc3ae51daa5b661f41f06 crypto/modes/cbc128.c + 
1611e73dc1e01b5c2201f51756a7405b7673aa0bb872e2957d1ec80c3530486f crypto/modes/ccm128.c + d8c2f256532a4b94db6d03aea5cb609cccc938069f644b2fc77c5015648d148d crypto/modes/cfb128.c +@@ -257,7 +257,7 @@ + 4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c + b6cbfc8791b31587f32a3f9e4c117549793528ebddc34a361bad1ad8cf8d4c42 crypto/params_from_text.c + 97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c +-826a78afb376cbf1e87f12a2a67eef2ee47059a0fd3f9cba7ce7f035e34f8052 crypto/ppccpuid.pl ++3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl + b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c + c3709986fd2ab18f3c6136d8dd7705a4538986aa789ceafe770c3a376db3c569 crypto/property/property.c + 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h +@@ -288,50 +288,50 @@ + 3aba73dacebb046faf8d09dc279149b52c629004b524ec33e6d81c8ad0bc31a8 crypto/rsa/rsa_sp800_56b_gen.c + 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c + 0acbebed48f6242d595c21e3c1ad69da0daa960d62062e8970209deda144f337 crypto/s390xcap.c +-370d98549d4d98e04b60677b319b85904259359bd9401dd5385aa728278e6626 crypto/s390xcpuid.pl ++22205848cfb55116ebf999dced8331b575886a609ce29e6886e6267b2310c337 crypto/s390xcpuid.pl + 5fa59240ca885cbc0c1cd026934b226d44fc9c3fdf0c2e7e3a7bd7f4963ca2e5 crypto/self_test_core.c +-58a1a8aeb45421954fa0e4bc87157addb96d086ac4e6aade47da96523cecaa74 crypto/sha/asm/keccak1600-armv4.pl +-d6df6cfdd4e2fee52dc16fd31c91768c45c48c22700c486406d70ecb37e8a8bb crypto/sha/asm/keccak1600-armv8.pl +-81bfb4484d68a3a3e1d704855f76356090867fe10a75db7707b6f7364e8ee8da crypto/sha/asm/keccak1600-avx2.pl +-b7bb35d51d439abbf3810454ccb9bfb5a51e2111eaf389fb95796ad6220a61a0 crypto/sha/asm/keccak1600-avx512.pl +-37365dcc576f99006132271968bab990e2bebdab7f4168c726bd449a2fa51c6a crypto/sha/asm/keccak1600-avx512vl.pl 
+-2767ae2f379a7a3d0c6dd1471d4d90dd896545b456cb6efd6c230df29e511d70 crypto/sha/asm/keccak1600-c64x.pl ++05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl ++ca3b2b654f9a8c4bc2fa2538c1f19d17acd4a6b9e0df6a4b81df04efa697e67e crypto/sha/asm/keccak1600-armv8.pl ++12b7acce2fba0bc0e1ca07842ec84be6a022f141c86e077abb42c864af1d8d9c crypto/sha/asm/keccak1600-avx2.pl ++faf0cccb685d5abc807e08db194f847c67b940da2fc3c235c210dc31d73a5334 crypto/sha/asm/keccak1600-avx512.pl ++be1e7dd9998e3f31cfa6e1b17bc198aeec584a8b76820e38f71d51b05f8a9f2a crypto/sha/asm/keccak1600-avx512vl.pl ++33bdcc6f7668460c3bdf779633e43bfad62b937042a73acb007b462fc5b0a034 crypto/sha/asm/keccak1600-c64x.pl + 09fc831dd39bd90a701e9b16d9e9987cc215252a22e1e0355f5da6c495fca35a crypto/sha/asm/keccak1600-mmx.pl +-485dcc50a51705b86c6dc47e6f58d092fec05dfbfcdf4f2785e4235c67cfe742 crypto/sha/asm/keccak1600-ppc64.pl +-49535b60a1a981059a2a9636fdeeab22942d2a15e775b1ec9b5af8937a46aa76 crypto/sha/asm/keccak1600-s390x.pl +-093751655b460d33b2fa6aa4d63a86e902f7f20b2d2a02ed948b78e5698c0dd5 crypto/sha/asm/keccak1600-x86_64.pl +-e0a4a1df82716053a3f01ec0b096c735a0e3c4f6c9d9ec6b2006b37aaac64448 crypto/sha/asm/keccak1600p8-ppc.pl ++ce4a58129e5ee3ac4c9dfec5ecc010440570ebf7bf869e3e9977f2121a64b27a crypto/sha/asm/keccak1600-ppc64.pl ++a859fc8cb073b2d0012a93f3155a75fb6eb677441462b0de4f8cf8df1445e970 crypto/sha/asm/keccak1600-s390x.pl ++618dcd4891b4064d3b8aa6dcd74bea7ef55f4962a64957b05a05448f6e3e0f17 crypto/sha/asm/keccak1600-x86_64.pl ++831b8b02ab25d78ba6300ce960d96c13439bfba5844e13061e19c4e25cbacc3d crypto/sha/asm/keccak1600p8-ppc.pl + 75d832db9bf0e98e7a5c522169060a6dd276c5118cfb297fc3f1111f55cd4007 crypto/sha/asm/sha1-586.pl +-8d937771993f04407f5fdcca8ca8565f9f8a4d9c9a8f7bfd4e9f9121dd0450bb crypto/sha/asm/sha1-alpha.pl +-ab7ecd62896324393b1fd9020515b9c0d2b9cc34d559f2efafa35affc9a1485d crypto/sha/asm/sha1-armv4-large.pl +-0acc4e40f793d4d2b960af2baaecc91176ba6742ddd62dca0c33ddc838c58772 
crypto/sha/asm/sha1-armv8.pl +-c36f51761e7f59bdd0f61230297fb802542ac5d2d1c6d2b1096ed937131bd583 crypto/sha/asm/sha1-c64xplus.pl +-4ab7c9153b085274a579b388ddff97a4ac7e11585e01811ca95b93a3ec786605 crypto/sha/asm/sha1-ia64.pl +-7a392c5ef7dc19c39d67c7080e0c5214e7a80572c85c022be7e7d4378a5f740d crypto/sha/asm/sha1-mb-x86_64.pl +-c0fea5a0d32001263c8bcf7fc0757aa68c6a7377f20fef8d28708e1b81de5dec crypto/sha/asm/sha1-mips.pl +-f11b75a54c5f42aa3a052de8091bfba47d7cac01920b2fe0ddcb637d4c9d0eb9 crypto/sha/asm/sha1-parisc.pl +-d46ef3fc166271a83144d90985034e2c514bd1020b84ec0fe5427ad593bfeb74 crypto/sha/asm/sha1-ppc.pl +-a48c7d9403fe99fbd4daec60e96eb22058da766ab9e606d084a63613962851a2 crypto/sha/asm/sha1-s390x.pl +-0e2951e0574c64ee055ffddf16ceefdec00823107d60362976605f139ad8ae68 crypto/sha/asm/sha1-sparcv9.pl +-5da48400d4fae85e205e95a2fa368e7bf525e51e274b1dd680dfb48645426c85 crypto/sha/asm/sha1-sparcv9a.pl +-04b73c902d36c28b5a7eab47cb85f743eb9c648ed5936f64f655524a1010a1b5 crypto/sha/asm/sha1-thumb.pl +-f36d7ec7464c932230585a754b91f13cea4cde5a381fc9f798d959256d07910e crypto/sha/asm/sha1-x86_64.pl ++c96e87d4f5311cd73bbdf499acc03418588be12426d878e157dd67e0099e0219 crypto/sha/asm/sha1-alpha.pl ++4ba6d1c7f12fe76bf39babea966f0a4b7f8769e0c0510cbfc2c46a65dd62d45c crypto/sha/asm/sha1-armv4-large.pl ++efc69cb0d867b7fac6b3fa8985c343d1f984d552bc8e75bbbbace0adf9ee5f15 crypto/sha/asm/sha1-armv8.pl ++11d332b4e058e9fa418d6633316d2e9f9bf520a08b2d933e877bdf38b2edefcf crypto/sha/asm/sha1-c64xplus.pl ++32ff0e701a7b8f25bcfe8477b20795de54f536527bd87d3ce694fd9aaae356d4 crypto/sha/asm/sha1-ia64.pl ++471c27efca685b2a82ad7fefe329ca54172df9f49b9785da6d706b913b75e693 crypto/sha/asm/sha1-mb-x86_64.pl ++0f5c63cf09e950d1b488935ab3b5562e3e9d5cd1a563fb88a41e3dae90a35e6d crypto/sha/asm/sha1-mips.pl ++b5ffd7b6dbb04c05de7efa2945adb67ea845e7e61a3bf163a532f7b6acdf4267 crypto/sha/asm/sha1-parisc.pl ++482cd23ca6ec38d6f62b90c68f9f20643579c50f2c0fbb0dab1c10a0e35efe77 crypto/sha/asm/sha1-ppc.pl 
++28cf69efd53d7a5a8c32e0f8db32c193f41b91faf44f5f59944334bc3f5aa337 crypto/sha/asm/sha1-s390x.pl ++7fd355b412ddfa1c510e0ba3284f75b1c0d621b6db2ecb1d2a935d5cdb706628 crypto/sha/asm/sha1-sparcv9.pl ++24554e68b0e7b7db7b635ff149549015f623ca0bcd9ae90439586a2076f6ae80 crypto/sha/asm/sha1-sparcv9a.pl ++74d197cdd72400cabbff7e173f72c8976723081508b095dc995e8cd1abf3daa6 crypto/sha/asm/sha1-thumb.pl ++a59a86293e28f5600609dc8af2b39c5285580ae8636520990b000eeeb67bb889 crypto/sha/asm/sha1-x86_64.pl + c099059ef107f548ea2c2bab64a4eb8c277070ce6d74c4d32bb9808dc19c5fa3 crypto/sha/asm/sha256-586.pl +-3a8cf38dd398a7ab1d9c6701fa61c428b07c4431a0041ed3a2ddf937897825c1 crypto/sha/asm/sha256-armv4.pl +-c394bb5b0ff05595a9e6848b6602a0f29f73a79fc006593740f3ca645ad9d316 crypto/sha/asm/sha256-c64xplus.pl +-f33af8e2e2f57b7b63b8c8b35722d7d11ca6ef1f73fb6c4ccebdd3e86912f4b1 crypto/sha/asm/sha256-mb-x86_64.pl ++b9cee5c5a283f61f601d2dba68a7a76e7aba10bfafffc1a5c4987f9c0aa6f87d crypto/sha/asm/sha256-armv4.pl ++93ddc97651ee3e779144a3c6b3e46a1bc4aa81e75cd7b9df068a2aef8743d25f crypto/sha/asm/sha256-c64xplus.pl ++8be5c5d69733ecb16774aa8410b4bcb3623a9f060d2be103d8aa67bf6e4c5843 crypto/sha/asm/sha256-mb-x86_64.pl + dd82e1311703abb019975fc7b61fb87d67e1ed916dddd065aced051e851114b9 crypto/sha/asm/sha512-586.pl +-1f9ba79b1d591b7aa37b62382422cb025f5b45784d26cc5790c05cf4eb52b792 crypto/sha/asm/sha512-armv4.pl +-8136196fce18b736f671a4b4945cd4aa4ab25a28c90c6fc9ab31ff771e8e0d9f crypto/sha/asm/sha512-armv8.pl +-5b6796a9978b69fd78ee2ff1adc5cf35d44cad8194a38d1c2aba2023012cf252 crypto/sha/asm/sha512-c64xplus.pl +-e8df660671ba61aa2e8f51358baf5d8ca913093e2ee1a40c9cb46d9c2c0851f6 crypto/sha/asm/sha512-ia64.pl +-525f253ef8051bfb0e344ac2e40688ce359a42707fe360d23a03f522cc88c81a crypto/sha/asm/sha512-mips.pl +-3c3e03529d8514467f8d77c01978348636bb339315feb8041fbde7640565001e crypto/sha/asm/sha512-parisc.pl +-952ef1b10e8bbe3f638cc798b91ab9c5b47b66ed8fe94647b1beec9874f2e71e crypto/sha/asm/sha512-ppc.pl 
+-193a0ea240264b29dd68a425f604a6da4b18e28838dcf909dd7e711af880f782 crypto/sha/asm/sha512-s390x.pl +-dcb466a1e5938fb64ecb38b0533602192d61334da864ee8dfdcfa12d3cdfa273 crypto/sha/asm/sha512-sparcv9.pl +-bb6503967a58b767a3e73441cfabc77f15c8ac747f377e276d4aa63d05f2c3c4 crypto/sha/asm/sha512-x86_64.pl +-68d2f3b2dccb978ee42640f4fb4d2eae6b74d071017a3eedd9e7cb77762817dc crypto/sha/asm/sha512p8-ppc.pl ++8d84164f3cfd53290c0c14bb5655510b7a9238857866328c0604d64b4e76fe21 crypto/sha/asm/sha512-armv4.pl ++dadacb6d66b160913bffb4e1a6c3e5f7be6509b26e2c099701d8d3fdb92c1be0 crypto/sha/asm/sha512-armv8.pl ++6f548a088feae3b6faa179653ba449df9d3f5cda1e0561e5b5f120b32274d1eb crypto/sha/asm/sha512-c64xplus.pl ++9fa54fbc34fd881f4b344374b9b4f8fb15b641424be7af9a31c71af89ae5d577 crypto/sha/asm/sha512-ia64.pl ++fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm/sha512-mips.pl ++11548f06d213947104a80898e000218ec0d6ff3f6913f6582de498476482ce9f crypto/sha/asm/sha512-parisc.pl ++7c0c490ce6bb11a228853aecad5e164ce84e5bdabb8a6658ae7184782076c7d3 crypto/sha/asm/sha512-ppc.pl ++38e0455fd6a2b93a7a5385379ca92bc6526585ca1eb4af365fac4c78f7285c72 crypto/sha/asm/sha512-s390x.pl ++0611845c52091b0208dd41f22ddef9dd1e68d3d92fa4c4360738b840a6314de6 crypto/sha/asm/sha512-sparcv9.pl ++f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm/sha512-x86_64.pl ++8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl + 57f6cf54b1b5d2cac7a8f622b7b6bd1878f360fff3fa0f02352061c24162ebbb crypto/sha/keccak1600.c + 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb crypto/sha/sha1dgst.c + 4d8cf04f5806611e7586aab47fb28165ec1afb00168e2c9876bb36cb5c29bf8b crypto/sha/sha256.c +@@ -345,13 +345,13 @@ + 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c + a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c + 
3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c +-88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c +-af0af59fe2cb8668a96751f343232d7faa3e7a937beb2bda09ed74fe60b9cb5f crypto/x86_64cpuid.pl ++f82715745b668297d71b66d05e6bfc3c817bf80bd967c0f33ca7ffbb6e347645 crypto/threads_win.c ++fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl + bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl + acbb841170d4d3eb91d969be1c0e4973b1babfd5fcd76440b0628f509f82fd76 e_os.h + 249a0e58e9692920eddc1ada2ac772a0cfd749cfbf618f2f5da08280df545d8f include/crypto/aes_platform.h + 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h +-2e8c284672c4e8e395b3da56a3abf3e65bb4346313fb6f7358e925d077a2e1e2 include/crypto/bn.h ++3bded0eaa7ccdebd0b4217b7fdb82676d5c0762a88aca462dbceaef851fafa99 include/crypto/bn.h + 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in + 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h + e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h +@@ -518,7 +518,7 @@ + 8ed4a100e4756c31c56147b4b0fab76a4c6e5292aa2f079045f37b5502fd41b9 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc + 4c6f3a2818754a5aa7b6db36dae53e248504f9e82cc5af2ed68c723903d4f9d5 providers/implementations/ciphers/cipher_aes_hw.c + 89de794c090192459d99d95bc4a422e7782e62192cd0fdb3bdef4128cfedee68 providers/implementations/ciphers/cipher_aes_hw_aesni.inc +-fac3a1878dc9c0c363d0ecdd9f74926157df54ca4f40adf8c479927395082008 providers/implementations/ciphers/cipher_aes_ocb.c ++0d77239f0cc1a9e1ecdeb45b6fae12cac2637771d29842199be08699e59f87fc providers/implementations/ciphers/cipher_aes_ocb.c + 88138a1aff9705e608c0557653be92eb4de65b152555a2b79ec8b2a8fae73e8f providers/implementations/ciphers/cipher_aes_ocb.h + 
855869ab5a8d7a61a11674cfe5d503dfa67f59e7e393730835d1d8cf0ab85c70 providers/implementations/ciphers/cipher_aes_ocb_hw.c + 6a8782c728575d69c86b735c9f47acda5c0daa04e17f1e0faef2c963f23fab20 providers/implementations/ciphers/cipher_aes_wrp.c +@@ -557,7 +557,7 @@ + c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h + 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h + 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h +-d376c58489ae36fbece94bb88939845ced04a2a0bdd55d6a3562e45a56577ae1 providers/implementations/kdfs/hkdf.c ++6091dd22e716fbe6c7c94524cdee6ad4432a572f2d3c4d360dcafafa3902d692 providers/implementations/kdfs/hkdf.c + a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c + e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c + c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h +@@ -566,14 +566,14 @@ + 8571556d77d10e8edc98212473a38f09632e3f19e9995dde89ee6c95f2e84ccf providers/implementations/kdfs/sskdf.c + 589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c + 4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c +-6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c ++58acb0ff36bf7e463ba714b347b714eccab9fda77c4ca6bacc3a55e6d2ce5ad9 providers/implementations/kem/rsa_kem.c + 11a0d0fb88ed88e965f10b3a0ef6c880f60341df995128f57ad943053aaf15b2 providers/implementations/keymgmt/dh_kmgmt.c +-a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c ++9316fc619e8d8a1d841aa0936fc62c28eb2b4c60cc6c9b2d64b72f8641f28abb 
providers/implementations/keymgmt/dsa_kmgmt.c + 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c + 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc +-011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c ++d0c67b7fbddd51dcfebd96bf99794ca3bc437d50974ebcd56968fb8dd3627b0f providers/implementations/keymgmt/ecx_kmgmt.c + 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c +-1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c ++37e2f9f904eeabf94b1e4152b67ac236f872aa78dd7e47bf0de1b8f50ac19b6c providers/implementations/keymgmt/mac_legacy_kmgmt.c + 19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c + 5eb96ea2df635cf79c5aeccae270fbe896b5e6384a5b3e4b187ce8c10fe8dfc7 providers/implementations/macs/cmac_prov.c + e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c +@@ -588,7 +588,7 @@ + 04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed providers/implementations/rands/test_rng.c + cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/implementations/signature/dsa_sig.c + a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c +-02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c ++09647b736980ac3c762f1e7c10cbfee78e2c6ab327ac62e5039968cea034ff3b providers/implementations/signature/eddsa_sig.c + 3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c + 166d7e3a049b28ae2c6f94415070720d176a82e46af1613511c4b073ea705476 
providers/implementations/signature/rsa_sig.c + a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c +--- crypto/openssl/providers/fips.checksum.orig ++++ crypto/openssl/providers/fips.checksum +@@ -1 +1 @@ +-101807560af8f62c064ad796dfa1e4c269d45aaf5303b47ad0b25fdd6cc92466 providers/fips-sources.checksums ++01b31117f96429fe4c8efbf7f4f10ef32efa2b11c69851fd227e4194db116b6f providers/fips-sources.checksums +--- crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c.orig ++++ crypto/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +@@ -369,12 +369,20 @@ + } + if (p->data == NULL) { + /* Tag len must be 0 to 16 */ +- if (p->data_size > OCB_MAX_TAG_LEN) ++ if (p->data_size > OCB_MAX_TAG_LEN) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); + return 0; ++ } + ctx->taglen = p->data_size; + } else { +- if (p->data_size != ctx->taglen || ctx->base.enc) ++ if (ctx->base.enc) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); ++ return 0; ++ } ++ if (p->data_size != ctx->taglen) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG_LENGTH); + return 0; ++ } + memcpy(ctx->tag, p->data, p->data_size); + } + } +--- crypto/openssl/providers/implementations/encode_decode/encode_key2text.c.orig ++++ crypto/openssl/providers/implementations/encode_decode/encode_key2text.c +@@ -112,7 +112,8 @@ + use_sep = 0; /* The first byte on the next line doesnt have a : */ + } + if (BIO_printf(out, "%s%c%c", use_sep ? 
":" : "", +- tolower(p[0]), tolower(p[1])) <= 0) ++ tolower((unsigned char)p[0]), ++ tolower((unsigned char)p[1])) <= 0) + goto err; + ++bytes; + p += 2; +--- crypto/openssl/providers/implementations/kdfs/hkdf.c.orig ++++ crypto/openssl/providers/implementations/kdfs/hkdf.c +@@ -669,7 +669,7 @@ + EVP_MD_CTX_free(mctx); + + /* Generate the pre-extract secret */ +- if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen, ++ if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen, + prefix, prefixlen, label, labellen, + hash, mdlen, preextractsec, mdlen)) + return 0; +--- crypto/openssl/providers/implementations/kdfs/scrypt.c.orig ++++ crypto/openssl/providers/implementations/kdfs/scrypt.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -88,7 +88,9 @@ + KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; + + OPENSSL_free(ctx->salt); ++ ctx->salt = NULL; + OPENSSL_clear_free(ctx->pass, ctx->pass_len); ++ ctx->pass = NULL; + kdf_scrypt_init(ctx); + } + +@@ -128,7 +130,6 @@ + EVP_MD_free(ctx->sha256); + ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq); + if (ctx->sha256 == NULL) { +- OPENSSL_free(ctx); + ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256); + return 0; + } +--- crypto/openssl/providers/implementations/kem/rsa_kem.c.orig ++++ crypto/openssl/providers/implementations/kem/rsa_kem.c +@@ -264,6 +264,17 @@ + *secretlen = nlen; + return 1; + } ++ ++ /* ++ * If outlen is specified, then it must report the length ++ * of the out buffer on input so that we can confirm ++ * its size is sufficent for encapsulation ++ */ ++ if (outlen != NULL && *outlen < nlen) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); ++ return 0; ++ } ++ + /* + * Step (2): Generate a random byte string z of 
nlen bytes where + * 1 < z < n - 1 +@@ -285,15 +296,33 @@ + return ret; + } + +-/* +- * NIST.SP.800-56Br2 ++/** ++ * rsasve_recover - Recovers a secret value from ciphertext using an RSA ++ * private key. Once, recovered, the secret value is considered to be a ++ * shared secret. Algorithm is preformed as per ++ * NIST SP 800-56B Rev 2 + * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER). ++ * ++ * This function performs RSA decryption using the private key from the ++ * provided RSA context (`prsactx`). It takes the input ciphertext, decrypts ++ * it, and writes the decrypted message to the output buffer. ++ * ++ * @prsactx: The RSA context containing the private key. ++ * @out: The output buffer to store the decrypted message. ++ * @outlen: On input, the size of the output buffer. On successful ++ * completion, the actual length of the decrypted message. ++ * @in: The input buffer containing the ciphertext to be decrypted. ++ * @inlen: The length of the input ciphertext in bytes. ++ * ++ * Returns 1 on success, or 0 on error. In case of error, appropriate ++ * error messages are raised using the ERR_raise function. 
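Review bot: The added `*outlen < nlen` check only runs when the caller passes `outlen`; with `outlen == NULL` and a non-NULL `out`, nothing in this hunk bounds the write. The evp_libctx_test.c hunk further down still expects `EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen)` to return 1, so that path stays reachable. I would say so in the new comment, for example `* A NULL outlen skips this check; the caller must then supply at least nlen bytes.`, and fix the "sufficent" typo while there. The same applies to the matching check added to rsasve_recover, whose new doc comment describes `@outlen` only as the input buffer size. The enclosing function starts outside this hunk, so an earlier guard cannot be ruled out.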
+ */ + static int rsasve_recover(PROV_RSA_CTX *prsactx, + unsigned char *out, size_t *outlen, + const unsigned char *in, size_t inlen) + { + size_t nlen; ++ int ret; + + /* Step (1): get the byte length of n */ + nlen = RSA_size(prsactx->rsa); +@@ -307,13 +336,30 @@ + return 1; + } + +- /* Step (2): check the input ciphertext 'inlen' matches the nlen */ ++ /* ++ * Step (2): check the input ciphertext 'inlen' matches the nlen ++ * and that outlen is at least nlen bytes ++ */ + if (inlen != nlen) { + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); + return 0; + } ++ ++ /* ++ * If outlen is specified, then it must report the length ++ * of the out buffer, so that we can confirm that it is of ++ * sufficient size to hold the output of decapsulation ++ */ ++ if (outlen != NULL && *outlen < nlen) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); ++ return 0; ++ } ++ + /* Step (3): out = RSADP((n,d), in) */ +- return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0); ++ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING); ++ if (ret > 0 && outlen != NULL) ++ *outlen = ret; ++ return ret > 0; + } + + static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen, +--- crypto/openssl/providers/implementations/keymgmt/dsa_kmgmt.c.orig ++++ crypto/openssl/providers/implementations/keymgmt/dsa_kmgmt.c +@@ -426,7 +426,7 @@ + gctx->hindex = 0; + } + if (!dsa_gen_set_params(gctx, params)) { +- OPENSSL_free(gctx); ++ dsa_gen_cleanup(gctx); + gctx = NULL; + } + return gctx; +--- crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c.orig ++++ crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c +@@ -487,7 +487,7 @@ + gctx->selection = selection; + } + if (!ecx_gen_set_params(gctx, params)) { +- OPENSSL_free(gctx); ++ ecx_gen_cleanup(gctx); + gctx = NULL; + } + return gctx; +--- crypto/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c.orig ++++ 
crypto/openssl/providers/implementations/keymgmt/mac_legacy_kmgmt.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -399,7 +399,7 @@ + struct mac_gen_ctx *gctx = mac_gen_init_common(provctx, selection); + + if (gctx != NULL && !mac_gen_set_params(gctx, params)) { +- OPENSSL_free(gctx); ++ mac_gen_cleanup(gctx); + gctx = NULL; + } + return gctx; +@@ -411,7 +411,7 @@ + struct mac_gen_ctx *gctx = mac_gen_init_common(provctx, selection); + + if (gctx != NULL && !cmac_gen_set_params(gctx, params)) { +- OPENSSL_free(gctx); ++ mac_gen_cleanup(gctx); + gctx = NULL; + } + return gctx; +--- crypto/openssl/providers/implementations/signature/eddsa_sig.c.orig ++++ crypto/openssl/providers/implementations/signature/eddsa_sig.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -133,6 +133,7 @@ + /* Should never happen */ + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); + ossl_ecx_key_free(edkey); ++ WPACKET_cleanup(&pkt); + return 0; + } + if (ret && WPACKET_finish(&pkt)) { +--- crypto/openssl/providers/implementations/storemgmt/file_store.c.orig ++++ crypto/openssl/providers/implementations/storemgmt/file_store.c +@@ -238,7 +238,7 @@ + #ifdef _WIN32 + /* Windows file: URIs with a drive letter start with a / */ + if (p[0] == '/' && p[2] == ':' && p[3] == '/') { +- char c = tolower(p[1]); ++ char c = tolower((unsigned char)p[1]); + + if (c >= 'a' && c <= 'z') { + p++; +--- crypto/openssl/ssl/statem/extensions_srvr.c.orig ++++ crypto/openssl/ssl/statem/extensions_srvr.c +@@ -1083,7 +1083,7 @@ + + if (sesstmp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); +- return 0; ++ goto err; + } + SSL_SESSION_free(sess); + sess = sesstmp; +--- crypto/openssl/ssl/statem/statem_srvr.c.orig ++++ crypto/openssl/ssl/statem/statem_srvr.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. 
+ * +@@ -2985,7 +2985,7 @@ + } + + if (!EVP_PKEY_set1_encoded_public_key(ckey, data, i)) { +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); + goto err; + } + +@@ -3039,7 +3039,7 @@ + } + + if (EVP_PKEY_set1_encoded_public_key(ckey, data, i) <= 0) { +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); ++ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); + goto err; + } + } +--- crypto/openssl/test/acvp_test.c.orig ++++ crypto/openssl/test/acvp_test.c +@@ -1251,7 +1251,7 @@ + BN_CTX *bn_ctx = NULL; + const struct rsa_decrypt_prim_st *tst = &rsa_decrypt_prim_data[id]; + +- if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", 2048)) ++ if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)2048)) + || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_N, &n, &n_len)) + || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_RSA_E, &e, &e_len)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, "")) +--- crypto/openssl/test/build.info.orig ++++ crypto/openssl/test/build.info +@@ -61,7 +61,7 @@ + keymgmt_internal_test hexstr_test provider_status_test defltfips_test \ + bio_readbuffer_test user_property_test pkcs7_test upcallstest \ + provfetchtest prov_config_test rand_test fips_version_test \ +- nodefltctxtest ++ nodefltctxtest bio_pw_callback_test + + IF[{- !$disabled{'deprecated-3.0'} -}] + PROGRAMS{noinst}=enginetest +@@ -943,6 +943,10 @@ + INCLUDE[ssl_ctx_test]=../include ../apps/include + DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a + ++ SOURCE[bio_pw_callback_test]=bio_pw_callback_test.c ++ INCLUDE[bio_pw_callback_test]=../include ../apps/include ++ DEPEND[bio_pw_callback_test]=../libcrypto libtestutil.a ++ + {- + use File::Spec::Functions; + use File::Basename; +--- crypto/openssl/test/cmactest.c.orig ++++ crypto/openssl/test/cmactest.c +@@ -196,13 +196,15 @@ + return ret; + } + ++#define OSSL_HEX_CHARS_PER_BYTE 2 + static char 
*pt(unsigned char *md, unsigned int len) + { + unsigned int i; +- static char buf[80]; ++ static char buf[81]; + +- for (i = 0; i < len; i++) +- sprintf(&(buf[i * 2]), "%02x", md[i]); ++ for (i = 0; i < len && (i + 1) * OSSL_HEX_CHARS_PER_BYTE < sizeof(buf); i++) ++ BIO_snprintf(buf + i * OSSL_HEX_CHARS_PER_BYTE, ++ OSSL_HEX_CHARS_PER_BYTE + 1, "%02x", md[i]); + return buf; + } + +--- crypto/openssl/test/conf_include_test.c.orig ++++ crypto/openssl/test/conf_include_test.c +@@ -158,7 +158,7 @@ + char max[(sizeof(long) * 8) / 3 + 3]; + char *p; + +- p = max + sprintf(max, "0%ld", LONG_MAX) - 1; ++ p = max + BIO_snprintf(max, sizeof(max), "0%ld", LONG_MAX) - 1; + setenv("FNORD", max, 1); + if (!TEST_true(NCONF_get_number(NULL, "missing", "FNORD", &val)) + || !TEST_long_eq(val, LONG_MAX)) +--- crypto/openssl/test/drbgtest.c.orig ++++ crypto/openssl/test/drbgtest.c +@@ -423,7 +423,7 @@ + + presult[0].pindex = presult[1].pindex = i; + +- sprintf(presult[0].name, "child %d", i); ++ BIO_snprintf(presult[0].name, sizeof(presult[0].name), "child %d", i); + strcpy(presult[1].name, presult[0].name); + + /* collect the random output of the children */ +--- crypto/openssl/test/ec_internal_test.c.orig ++++ crypto/openssl/test/ec_internal_test.c +@@ -155,6 +155,56 @@ + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. 
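Review bot: In cmactest.c, pt() returns the static `buf` untouched when `len` is 0, because the rewritten loop then writes nothing and the caller gets whatever hex string the previous call left there. Adding `buf[0] = '\0';` before the loop makes the result well defined. Input longer than the buffer is now truncated silently, which is memory-safe but can make a failing comparison print a misleading digest; a short comment on the bound would help. The pt() helper rewritten in the hmactest.c hunk has the same shape and would take the same one-line change.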
*/ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -443,6 +493,7 @@ + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len); +--- crypto/openssl/test/enginetest.c.orig ++++ crypto/openssl/test/enginetest.c +@@ -147,9 +147,9 @@ + + TEST_info("About to beef up the engine-type list"); + for (loop = 0; loop < NUMTOADD; loop++) { +- sprintf(buf, "id%d", loop); 
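Review bot: `ctx` is initialised from `BN_CTX_new()` in ec2m_field_sanity and passed straight to `BN_CTX_start(ctx)` and `BN_CTX_get(ctx)` without a NULL check, so an allocation failure would likely crash the test instead of failing it. Only `b` is tested with `TEST_ptr`, which covers the `BN_CTX_get` results but not the context itself. I would add `if (!TEST_ptr(ctx)) return 0;` before `BN_CTX_start(ctx);`.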
++ BIO_snprintf(buf, sizeof(buf), "id%d", loop); + eid[loop] = OPENSSL_strdup(buf); +- sprintf(buf, "Fake engine type %d", loop); ++ BIO_snprintf(buf, sizeof(buf), "Fake engine type %d", loop); + ename[loop] = OPENSSL_strdup(buf); + if (!TEST_ptr(block[loop] = ENGINE_new()) + || !TEST_true(ENGINE_set_id(block[loop], eid[loop])) +--- crypto/openssl/test/evp_kdf_test.c.orig ++++ crypto/openssl/test/evp_kdf_test.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use +@@ -857,7 +857,7 @@ + #ifndef OPENSSL_NO_SCRYPT + static int test_kdf_scrypt(void) + { +- int ret; ++ int i, ret; + EVP_KDF_CTX *kctx; + OSSL_PARAM params[7], *p = params; + unsigned char out[64]; +@@ -883,15 +883,21 @@ + *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_MAXMEM, &maxmem); + *p = OSSL_PARAM_construct_end(); + +- ret = +- TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT)) +- && TEST_true(EVP_KDF_CTX_set_params(kctx, params)) +- /* failure test *//* +- && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0)*/ +- && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024)) +- && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1)) +- && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) +- && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); ++ ret = TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_SCRYPT)); ++ for (i = 0; ret && i < 2; ++i) { ++ ret = ret ++ && TEST_true(EVP_KDF_CTX_set_params(kctx, params)); ++ if (i == 0) ++ ret = ret ++ && TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) ++ && TEST_true(OSSL_PARAM_set_uint(p - 1, 10 * 1024 * 1024)) ++ && TEST_true(EVP_KDF_CTX_set_params(kctx, p - 1)); ++ ret = ret ++ && TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0) ++ 
&& TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); ++ if (i == 0) ++ EVP_KDF_CTX_reset(kctx); ++ } + + EVP_KDF_CTX_free(kctx); + return ret; +--- crypto/openssl/test/evp_libctx_test.c.orig ++++ crypto/openssl/test/evp_libctx_test.c +@@ -501,7 +501,7 @@ + size_t len = 0; + OSSL_ENCODER_CTX *ectx = NULL; + +- if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", bits)) ++ if (!TEST_ptr(*priv = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)bits)) + || !TEST_ptr(ectx = + OSSL_ENCODER_CTX_new_for_pkey(*priv, + EVP_PKEY_PUBLIC_KEY, +@@ -536,6 +536,8 @@ + && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1) + && TEST_ptr(dctx = EVP_PKEY_CTX_dup(sctx)) ++ /* Test that providing a NULL wrappedlen fails */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, NULL, NULL, NULL), 0) + && TEST_int_eq(EVP_PKEY_encapsulate(dctx, NULL, &ctlen, NULL, + &secretlen), 1) + && TEST_int_eq(ctlen, secretlen) +@@ -545,11 +547,26 @@ + && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) + && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1) + && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1) ++ /* Test that providing a NULL unwrappedlen fails */ ++ && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, NULL, ct, ctlen), 0) + && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen, + ct, ctlen), 1) + && TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, + ct, ctlen), 1) + && TEST_mem_eq(unwrap, unwraplen, secret, secretlen); ++ ++ /* Test that providing a too short unwrapped/ctlen fails */ ++ if (fips_provider_version_match(libctx, ">=3.4.0")) { ++ ctlen = 1; ++ if (!TEST_int_eq(EVP_PKEY_encapsulate(dctx, ct, &ctlen, secret, ++ &secretlen), 0)) ++ ret = 0; ++ unwraplen = 1; ++ if (!TEST_int_eq(EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, ct, ++ ctlen), 0)) ++ ret = 0; ++ } ++ + EVP_PKEY_free(pub); + EVP_PKEY_free(priv); + EVP_PKEY_CTX_free(rctx); +@@ -596,59 +613,60 @@ + size_t 
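Review bot: The two-pass loop in test_kdf_scrypt needs a comment saying what the second pass is for. As far as the hunk shows, pass 0 checks that derivation fails with the initial `maxmem`, raises the limit through `p - 1`, derives, and calls `EVP_KDF_CTX_reset(kctx)`. Pass 1 re-applies `params`, which by then carry the raised limit because `OSSL_PARAM_set_uint` wrote through to `maxmem`, and derives again on the reset context. A line above the loop such as `/* Run twice: the second pass checks that a reset context can be reused */` would record that intent next to the scrypt reset fix it appears to cover.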
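Review bot: The short-buffer decapsulation case at the end of the `@@ -545,11 +547,26 @@` hunk in evp_libctx_test.c probably never reaches the new output-length check. `ctlen` is overwritten with 1 for the encapsulate call and then reused as the ciphertext length in `EVP_PKEY_decapsulate(rctx, unwrap, &unwraplen, ct, ctlen)`. The rsasve_recover hunk in rsa_kem.c rejects `inlen != nlen` before it looks at `*outlen`, so the call would return 0 with or without the fix. Using a separate variable for the encapsulate case, e.g. `size_t shortlen = 1;` passed as `&shortlen`, and leaving `ctlen` at the real ciphertext length would make the decapsulate assertion exercise `*outlen < nlen`. The test function starts outside the hunk.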
ctlen = 0, secretlen = 0; + + ret = TEST_true(rsa_keygen(2048, &pub, &priv)) +- && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) +- && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) +- /* Test setting kem op before the init fails */ +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2) +- /* Test NULL ctx passed */ +- && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0) +- && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0) +- && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0) +- && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0) +- /* Test Invalid operation */ +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0) +- /* Wrong key component - no secret should be returned on failure */ +- && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1) +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) +- && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, +- sizeof(ct)), 0) +- && TEST_uchar_eq(secret[0], 0) +- /* Test encapsulate fails if the mode is not set */ +- && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) +- /* Test setting a bad kem ops fail */ +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0) +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0) +- /* Test secretlen is optional */ +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) +- /* Test outlen is optional */ +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) +- && 
TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1) +- /* test that either len must be set if out is NULL */ +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) +- /* Secret buffer should be set if there is an output buffer */ +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0) +- /* Test that lengths are optional if ct is not NULL */ +- && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1) +- /* Pass if secret or secret length are not NULL */ +- && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1) +- && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1) +- && TEST_int_eq(secretlen, 256) +- /* Fail if passed NULL arguments */ +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0) +- && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0); ++ && TEST_ptr(pubctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) ++ && TEST_ptr(privctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) ++ /* Test setting kem op before the init fails */ ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2) ++ /* Test NULL ctx passed */ ++ && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0) ++ && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0) ++ && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0) ++ && 
TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0) ++ /* Test Invalid operation */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0) ++ /* Wrong key component - no secret should be returned on failure */ ++ && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) ++ && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct, ++ sizeof(ct)), 0) ++ && TEST_uchar_eq(secret[0], 0) ++ /* Test encapsulate fails if the mode is not set */ ++ && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2) ++ /* Test setting a bad kem ops fail */ ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0) ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, NULL), 0) ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, "RSASVE"), 0) ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(NULL, NULL), 0) ++ /* Test secretlen is optional */ ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) ++ /* Test outlen is optional */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, &secretlen), 1) ++ /* test that either len must be set if out is NULL */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), 0) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, &secretlen), 1) ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, &ctlen, NULL, &secretlen), 1) ++ /* Secret buffer should be set if there is an 
output buffer */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, NULL, NULL), 0) ++ /* Test that lengths are optional if ct is not NULL */ ++ && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1) ++ /* Pass if secret or secret length are not NULL */ ++ && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1) ++ && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1) ++ && TEST_int_eq(secretlen, 256) ++ /* Fail if passed NULL arguments */ ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, ct, sizeof(ct)), 0) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, 0), 0) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, NULL, sizeof(ct)), 0) ++ && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, &secretlen, ct, 0), 0); + + EVP_PKEY_free(pub); + EVP_PKEY_free(priv); +--- crypto/openssl/test/hmactest.c.orig ++++ crypto/openssl/test/hmactest.c +@@ -275,19 +275,21 @@ + return res; + } + +-# ifndef OPENSSL_NO_MD5 ++#ifndef OPENSSL_NO_MD5 ++# define OSSL_HEX_CHARS_PER_BYTE 2 + static char *pt(unsigned char *md, unsigned int len) + { + unsigned int i; +- static char buf[80]; ++ static char buf[201]; + + if (md == NULL) + return NULL; +- for (i = 0; i < len; i++) +- sprintf(&(buf[i * 2]), "%02x", md[i]); ++ for (i = 0; i < len && (i + 1) * OSSL_HEX_CHARS_PER_BYTE < sizeof(buf); i++) ++ BIO_snprintf(buf + i * OSSL_HEX_CHARS_PER_BYTE, ++ OSSL_HEX_CHARS_PER_BYTE + 1, "%02x", md[i]); + return buf; + } +-# endif ++#endif + + int setup_tests(void) + { +--- crypto/openssl/test/memleaktest.c.orig ++++ crypto/openssl/test/memleaktest.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 
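Review bot: In `pt()` the new loop bound keeps writes inside `buf`, but nothing resets the buffer when the loop body never runs, so with `len == 0` the function returns whatever the previous call left in the static `buf`. Adding `buf[0] = '\0';` before the loop makes the empty case well defined. Inputs longer than 100 bytes are now cut off silently, which is memory-safe but can make two different digests print the same; a short comment on `static char buf[201];` stating that limit would help. The helper still returns a pointer to static storage, so each result has to be consumed before the next call.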
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -44,7 +44,7 @@
+ */
+ int exitcode = EXIT_FAILURE;
+ #endif
+- char *lost;
++ char *volatile lost;
+
+ lost = OPENSSL_malloc(3);
+ if (!TEST_ptr(lost))
+--- crypto/openssl/test/p_test.c.orig
++++ crypto/openssl/test/p_test.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -16,6 +16,8 @@
+ #include
+ #include
+
++#include
++
+ /*
+ * When built as an object file to link the application with, we get the
+ * init function name through the macro PROVIDER_INIT_FUNCTION_NAME. If
+@@ -46,6 +48,7 @@
+ static OSSL_FUNC_core_new_error_fn *c_new_error;
+ static OSSL_FUNC_core_set_error_debug_fn *c_set_error_debug;
+ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
++static OSSL_FUNC_BIO_vsnprintf_fn *c_BIO_vsnprintf;
+
+ /* Tell the core what params we provide and what type they are */
+ static const OSSL_PARAM p_param_types[] = {
+@@ -60,6 +63,17 @@
+ static OSSL_FUNC_provider_get_reason_strings_fn p_get_reason_strings;
+ static OSSL_FUNC_provider_teardown_fn p_teardown;
+
++static int local_snprintf(char *buf, size_t n, const char *format, ...)
++{
++ va_list args;
++ int ret;
++
++ va_start(args, format);
++ ret = (*c_BIO_vsnprintf)(buf, n, format, args);
++ va_end(args);
++ return ret;
++}
++
+ static void p_set_error(int lib, int reason, const char *file, int line,
+ const char *func, const char *fmt, ...)
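Review bot: The `volatile` qualifier added to `lost` has no comment, and in a test that exists to leak an allocation on purpose it is load-bearing. Presumably it stops the compiler from treating the `OPENSSL_malloc(3)` result as a dead store and dropping the allocation, which would hide the leak from the checker; that reason belongs next to the declaration, for example `/* volatile: keep the optimizer from eliding the deliberately leaked allocation */`. The function continues outside the hunk, so the later uses of `lost` are not visible here.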
+ { +@@ -114,11 +128,11 @@ + const char *versionp = *(void **)counter_request[0].data; + const char *namep = *(void **)counter_request[1].data; + +- sprintf(buf, "Hello OpenSSL %.20s, greetings from %s!", +- versionp, namep); ++ local_snprintf(buf, sizeof(buf), "Hello OpenSSL %.20s, greetings from %s!", ++ versionp, namep); + } + } else { +- sprintf(buf, "Howdy stranger..."); ++ local_snprintf(buf, sizeof(buf), "Howdy stranger..."); + } + + p->return_size = buf_l = strlen(buf) + 1; +@@ -216,12 +230,21 @@ + return reason_strings; + } + ++static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov, ++ int operation_id, ++ int *no_cache) ++{ ++ *no_cache = 1; ++ return NULL; ++} ++ + static const OSSL_DISPATCH p_test_table[] = { + { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params }, + { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params }, + { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, + (void (*)(void))p_get_reason_strings}, + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown }, ++ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query }, + { 0, NULL } + }; + +@@ -250,6 +273,9 @@ + case OSSL_FUNC_CORE_VSET_ERROR: + c_vset_error = OSSL_FUNC_core_vset_error(in); + break; ++ case OSSL_FUNC_BIO_VSNPRINTF: ++ c_BIO_vsnprintf = OSSL_FUNC_BIO_vsnprintf(in); ++ break; + default: + /* Just ignore anything we don't understand */ + break; +--- crypto/openssl/test/pkcs12_format_test.c.orig ++++ crypto/openssl/test/pkcs12_format_test.c +@@ -358,7 +358,8 @@ + char fname[80]; + PKCS12_BUILDER *pb; + +- sprintf(fname, "1key_ciph-%s_iter-%d.p12", OBJ_nid2sn(enc->nid), enc->iter); ++ BIO_snprintf(fname, sizeof(fname), "1key_ciph-%s_iter-%d.p12", ++ OBJ_nid2sn(enc->nid), enc->iter); + + pb = new_pkcs12_builder(fname); + +@@ -457,7 +458,8 @@ + char fname[80]; + PKCS12_BUILDER *pb; + +- sprintf(fname, "1cert_mac-%s_iter-%d.p12", OBJ_nid2sn(mac->nid), mac->iter); ++ BIO_snprintf(fname, sizeof(fname), "1cert_mac-%s_iter-%d.p12", ++ 
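Review bot: `local_snprintf()` calls through `c_BIO_vsnprintf` without checking it, and that pointer is only assigned in the `case OSSL_FUNC_BIO_VSNPRINTF:` branch added in the last hunk of this file. If the core's dispatch table does not carry that entry the pointer stays NULL and the first formatted reply crashes the provider. A guard such as `if (c_BIO_vsnprintf == NULL) return -1;` at the top of the helper makes that failure explicit. The two call sites in the `@@ -114,11 +128,11 @@` hunk also ignore the return value and go straight to `strlen(buf)`, so they should test the result before using `buf`.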
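Review bot: The `BIO_snprintf(fname, sizeof(fname), ...)` call here, and the matching ones in the `@@ -457,7 +458,8 @@` and `@@ -617,7 +619,8 @@` hunks, bound the write into `fname[80]` but discard the result. BIO_snprintf returns -1 when the output is truncated, so an unexpectedly long `OBJ_nid2sn()` name would make the test continue with a shortened file name instead of failing. Wrapping the call in a check, e.g. `if (!TEST_int_gt(BIO_snprintf(fname, sizeof(fname), ...), 0)) return 0;`, keeps the truncation visible in the test outcome. The enclosing functions start outside the hunks, so their return convention needs confirming before using `return 0`.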
OBJ_nid2sn(mac->nid), mac->iter); + + pb = new_pkcs12_builder(fname); + +@@ -617,7 +619,8 @@ + char fname[80]; + PKCS12_BUILDER *pb; + +- sprintf(fname, "1secret_ciph-%s_iter-%d.p12", OBJ_nid2sn(enc->nid), enc->iter); ++ BIO_snprintf(fname, sizeof(fname), "1secret_ciph-%s_iter-%d.p12", ++ OBJ_nid2sn(enc->nid), enc->iter); + pb = new_pkcs12_builder(fname); + custom_nid = get_custom_oid(); + +--- crypto/openssl/test/property_test.c.orig ++++ crypto/openssl/test/property_test.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use +@@ -50,30 +50,37 @@ + + static int test_property_string(void) + { +- OSSL_METHOD_STORE *store; ++ OSSL_LIB_CTX *ctx; ++ OSSL_METHOD_STORE *store = NULL; + int res = 0; + OSSL_PROPERTY_IDX i, j; + +- if (TEST_ptr(store = ossl_method_store_new(NULL)) +- && TEST_int_eq(ossl_property_name(NULL, "fnord", 0), 0) +- && TEST_int_ne(ossl_property_name(NULL, "fnord", 1), 0) +- && TEST_int_ne(ossl_property_name(NULL, "name", 1), 0) ++ /*- ++ * Use our own library context because we depend on ordering from a ++ * pristine state. 
++ */ ++ if (TEST_ptr(ctx = OSSL_LIB_CTX_new()) ++ && TEST_ptr(store = ossl_method_store_new(ctx)) ++ && TEST_int_eq(ossl_property_name(ctx, "fnord", 0), 0) ++ && TEST_int_ne(ossl_property_name(ctx, "fnord", 1), 0) ++ && TEST_int_ne(ossl_property_name(ctx, "name", 1), 0) + /* Property value checks */ +- && TEST_int_eq(ossl_property_value(NULL, "fnord", 0), 0) +- && TEST_int_ne(i = ossl_property_value(NULL, "no", 0), 0) +- && TEST_int_ne(j = ossl_property_value(NULL, "yes", 0), 0) ++ && TEST_int_eq(ossl_property_value(ctx, "fnord", 0), 0) ++ && TEST_int_ne(i = ossl_property_value(ctx, "no", 0), 0) ++ && TEST_int_ne(j = ossl_property_value(ctx, "yes", 0), 0) + && TEST_int_ne(i, j) +- && TEST_int_eq(ossl_property_value(NULL, "yes", 1), j) +- && TEST_int_eq(ossl_property_value(NULL, "no", 1), i) +- && TEST_int_ne(i = ossl_property_value(NULL, "illuminati", 1), 0) +- && TEST_int_eq(j = ossl_property_value(NULL, "fnord", 1), i + 1) +- && TEST_int_eq(ossl_property_value(NULL, "fnord", 1), j) ++ && TEST_int_eq(ossl_property_value(ctx, "yes", 1), j) ++ && TEST_int_eq(ossl_property_value(ctx, "no", 1), i) ++ && TEST_int_ne(i = ossl_property_value(ctx, "illuminati", 1), 0) ++ && TEST_int_eq(j = ossl_property_value(ctx, "fnord", 1), i + 1) ++ && TEST_int_eq(ossl_property_value(ctx, "fnord", 1), j) + /* Check name and values are distinct */ +- && TEST_int_eq(ossl_property_value(NULL, "cold", 0), 0) +- && TEST_int_ne(ossl_property_name(NULL, "fnord", 0), +- ossl_property_value(NULL, "fnord", 0))) ++ && TEST_int_eq(ossl_property_value(ctx, "cold", 0), 0) ++ && TEST_int_ne(ossl_property_name(ctx, "fnord", 0), ++ ossl_property_value(ctx, "fnord", 0))) + res = 1; + ossl_method_store_free(store); ++ OSSL_LIB_CTX_free(ctx); + return res; + } + +--- crypto/openssl/test/recipes/03-test_fipsinstall.t.orig ++++ crypto/openssl/test/recipes/03-test_fipsinstall.t +@@ -253,6 +253,10 @@ + SKIP: { + skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1 + if 
disabled("rsa"); ++ run(test(["fips_version_test", "-config", $provconf, "<3.5.0"]), ++ capture => 1, statusvar => \my $exit); ++ skip "FIPS provider version is too new for Asymmetric RSA corruption test", 1 ++ if !$exit; + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-corrupt_desc', 'RSA_Encrypt', + '-corrupt_type', 'KAT_AsymmetricCipher'])), +--- crypto/openssl/test/recipes/04-test_encoder_decoder.t.orig ++++ crypto/openssl/test/recipes/04-test_encoder_decoder.t +@@ -25,9 +25,26 @@ + my $rsa_key = srctop_file("test", "certs", "ee-key.pem"); + my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem"); + +-plan tests => ($no_fips ? 0 : 1) + 2; # FIPS install test + test ++plan tests => ($no_fips ? 0 : 3) + 2; # FIPS install test + test + + my $conf = srctop_file("test", "default.cnf"); ++ ++# Check if the specified pattern occurs in the given file ++# Returns 1 if the pattern is found and 0 if not ++sub find_line_file { ++ my ($key, $file) = @_; ++ ++ open(my $in, $file) or return -1; ++ while (my $line = <$in>) { ++ if ($line =~ /$key/) { ++ close($in); ++ return 1; ++ } ++ } ++ close($in); ++ return 0; ++} ++ + ok(run(test(["endecode_test", "-rsa", $rsa_key, + "-pss", $pss_key, + "-config", $conf, +@@ -47,5 +64,13 @@ + "-pss", $pss_key, + "-config", $conf, + "-provider", "fips"]))); ++SKIP: { ++ skip "EC disabled", 2 if disabled("ec"); ++ ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'EC', ++ '-pkeyopt', 'group:P-256', '-text', ++ '-config', $conf, '-provider', 'fips', '-out', 'ec.txt' ])), ++ 'Print a FIPS provider EC private key'); ++ ok(find_line_file('NIST CURVE: P-256', 'ec.txt') == 1, ++ 'Printing an FIPS provider EC private key'); ++} + } +- +--- crypto/openssl/test/recipes/25-test_verify.t.orig ++++ crypto/openssl/test/recipes/25-test_verify.t +@@ -61,7 +61,7 @@ + ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), + "accept server purpose"); + ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], 
[qw(ca-cert)]), +- "fail client purpose"); ++ "fail client purpose"); # beware, questionable non-standard EKU check on trust anchor + ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), + "accept server trust"); + ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), +@@ -81,7 +81,7 @@ + ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), + "accept client mistrust with server purpose"); + ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), +- "fail client mistrust with client purpose"); ++ "fail client mistrust with client purpose"); # beware, questionable non-standard EKU check on trust anchor + # Inapplicable trust + ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), + "fail client trust"); +@@ -150,7 +150,7 @@ + ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), + "accept partial chain with server purpose"); + ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), +- "fail partial chain with client purpose"); ++ "fail partial chain with client purpose"); # beware, questionable non-standard EKU check on trust anchor + ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), + "accept server trust partial chain"); + ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), +@@ -188,7 +188,7 @@ + ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust and client purpose"); + ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), +- "fail client purpose"); ++ "fail client purpose intermediate trusted"); # beware, questionable non-standard EKU check on trust anchor + ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust"); + ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), +--- 
crypto/openssl/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt.orig
++++ crypto/openssl/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+@@ -4935,3 +4935,13 @@
+ Ctrl.digest = digest:SHA256
+ Result = KDF_CTRL_ERROR
+
++# Test that salt of arbitrary length works
++FIPSversion = >=3.4.0
++KDF = TLS13-KDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.digest = digest:SHA2-256
++Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
++Ctrl.salt = hexsalt:00010203040506070809000102030405060708090001020304050607080900010203040506070809
++Ctrl.prefix = hexprefix:746c73313320
++Ctrl.label = hexlabel:64657269766564
++Output = ef0aa4925ab6f4588759e15dfadcf7602ca7aa39ebb092bd7ab48f6a68c54449
+--- crypto/openssl/test/recipes/80-test_cmp_http.t.orig
++++ crypto/openssl/test/recipes/80-test_cmp_http.t
+@@ -1,5 +1,5 @@
+ #! /usr/bin/env perl
+-# Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
+ # Copyright Nokia 2007-2019 + # Copyright Siemens AG 2015-2019 + # +@@ -270,7 +270,7 @@ + print "Current directory is ".getcwd()."\n"; + print "Launching mock server: $cmd\n"; + die "Invalid port: $server_port" unless $server_port =~ m/^\d+$/; +- my $pid = open($server_fh, "$cmd|") or die "Trying to $cmd"; ++ my $pid = open($server_fh, "$cmd 2>".result_dir()."/error.txt |") or die "Trying to $cmd"; + print "Pid is: $pid\n"; + if ($server_port == 0) { + # Find out the actual server port +--- crypto/openssl/test/recipes/80-test_cmp_http_data/test_connection.csv.orig ++++ crypto/openssl/test/recipes/80-test_cmp_http_data/test_connection.csv +@@ -2,8 +2,8 @@ + ,Message transfer options:,,,,,,,,,,,,,,,,,, + ,,,,,,,,,,,,,,,,,,, + 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK, +-TBD,Domain name, -section,, -server,_SERVER_CN:_SERVER_PORT,,,,,,,,,,,,,, +-TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,,,,,,,,,,,,,, ++1,disabled as not supported by some host IP configurations: server domain name, -section,, -server,localhost:_SERVER_PORT,,,,,,,,,,,,,, ++1,disabled as not supported by some host IP configurations: server IPv6 address, -section,, -server,[::1]:_SERVER_PORT,,,,,,,,,,,,,, + ,,,,,,,,,,,,,,,,,,, + 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, + 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, +--- crypto/openssl/test/recipes/80-test_cms.t.orig ++++ crypto/openssl/test/recipes/80-test_cms.t +@@ -1,5 +1,5 @@ + #! /usr/bin/env perl +-# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the Apache License 2.0 (the "License"). You may not use + # this file except in compliance with the License. 
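Review bot: The new pipe open assembles a shell command by concatenation, `"$cmd 2>".result_dir()."/error.txt |"`, and the redirect target is not quoted. A result directory whose path contains a space or a shell metacharacter would split or change the redirect. Building the path first, `my $errfile = result_dir()."/error.txt";`, and quoting it in the command, `open($server_fh, "$cmd 2>'$errfile' |")`, is more robust as long as the path holds no single quote. Nothing in this hunk reads `error.txt` back, so a failed server start still needs someone to look at that file by hand.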
You can obtain a copy +@@ -25,6 +25,7 @@ + use lib bldtop_dir('.'); + + my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $old_fips = 0; + + plan skip_all => "CMS is not supported by this OpenSSL build" + if disabled("cms"); +@@ -50,13 +51,17 @@ + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 19; ++plan tests => 20; + + ok(run(test(["pkcs7_test"])), "test pkcs7"); + + unless ($no_fips) { +- @config = ( "-config", srctop_file("test", "fips-and-base.cnf") ); ++ my $provconf = srctop_file("test", "fips-and-base.cnf"); ++ @config = ( "-config", $provconf ); + $provname = 'fips'; ++ ++ run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]), ++ capture => 1, statusvar => $old_fips); + } + + $ENV{OPENSSL_TEST_LIBCTX} = "1"; +@@ -394,6 +399,13 @@ + "-out", "{output}.txt" ], + \&final_compare + ], ++ ++ [ "encrypted content test streaming PEM format -noout, 128 bit AES key", ++ [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", ++ "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", ++ "-stream", "-noout" ], ++ [ "{cmd2}", @prov, "-help" ] ++ ], + ); + + my @smime_cms_cades_tests = ( +@@ -604,6 +616,7 @@ + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smec1.pem"), "-aes128", + "-keyopt", "ecdh_kdf_md:sha256" ], ++ sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "enveloped-data"); }, + [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare +@@ -613,6 +626,7 @@ + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ], ++ sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "authEnveloped-data"); }, + [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare +@@ -626,18 +640,23 @@ + [ "{cmd2}", 
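Review bot: `statusvar => $old_fips` passes the variable's current value (0) instead of a reference, unlike the same probe in 03-test_fipsinstall.t in this patch, which uses `statusvar => \my $exit`. As written `run()` has no variable to store the probe result in, so `$old_fips` presumably stays 0 and the `if ($no_fips || $old_fips)` guard added further down never enables the X9.42 DH test on a FIPS build, whatever the provider version. If that is not the intent, the line should read `capture => 1, statusvar => \$old_fips);`.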
@prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare +- ], +- +- [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, +- "-stream", "-out", "{output}.cms", +- "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), +- "-in", "{output}.cms", "-out", "{output}.txt" ], +- \&final_compare + ] + ); + ++if ($no_fips || $old_fips) { ++ # Only SHA1 supported in dh_cms_encrypt() ++ push(@smime_cms_param_tests, ++ [ "enveloped content test streaming S/MIME format, X9.42 DH", ++ [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ "-stream", "-out", "{output}.cms", ++ "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], ++ [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ "-in", "{output}.cms", "-out", "{output}.txt" ], ++ \&final_compare ++ ] ++ ); ++} ++ + my @contenttype_cms_test = ( + [ "signed content test - check that content type is added to additional signerinfo, RSA keys", + [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont, +@@ -765,6 +784,28 @@ + return scalar(@c); + } + ++# Returns 1 if the smime-type matches the passed parameter, otherwise 0. ++sub smimeType_matches { ++ my ($in, $expected_smime_type) = @_; ++ ++ # Read the text file ++ open(my $fh, '<', $in) or die("open failed for $in : $!"); ++ local $/; ++ my $content = <$fh>; ++ close($fh); ++ ++ # Extract the Content-Type line with the smime-type attribute ++ if ($content =~ /Content-Type:\s*application\/pkcs7-mime.*smime-type=([^\s;]+)/) { ++ my $smime_type = $1; ++ ++ # Compare the extracted smime-type with the expected value ++ return ($smime_type eq $expected_smime_type) ? 
1 : 0; ++ } ++ ++ # If no smime-type is found, return 0 ++ return 0; ++} ++ + sub rsapssSaltlen { + my ($in) = @_; + my $exit = 0; +@@ -986,6 +1027,22 @@ + ])), + "issue#19643"); + ++# Check that kari encryption with originator does not segfault ++with({ exit_checker => sub { return shift == 3; } }, ++ sub { ++ SKIP: { ++ skip "EC is not supported in this build", 1 if $no_ec; ++ ++ ok(run(app(['openssl', 'cms', '-encrypt', ++ '-in', srctop_file("test", "smcont.txt"), '-aes128', ++ '-recip', catfile($smdir, "smec1.pem"), ++ '-originator', catfile($smdir, "smec3.pem"), ++ '-inkey', catfile($smdir, "smec3.pem") ++ ])), ++ "Check failure for currently not supported kari encryption with static originator"); ++ } ++ }); ++ + # Check that we get the expected failure return code + with({ exit_checker => sub { return shift == 6; } }, + sub { +--- crypto/openssl/test/sslapitest.c.orig ++++ crypto/openssl/test/sslapitest.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -190,7 +190,7 @@ + return 1; + + for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { +- sprintf(hexed, "%02x", raw[i]); ++ BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]); + if (!TEST_int_eq(hexed[0], hex_encoded[j]) + || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) + return 1; +@@ -10918,6 +10918,7 @@ + return SSL_TLSEXT_ERR_OK; + + case 1: ++ *out = NULL; + *outlen = 0; + return SSL_TLSEXT_ERR_OK; + +--- crypto/openssl/test/testutil/tests.c.orig ++++ crypto/openssl/test/testutil/tests.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. 
+ * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -146,6 +146,7 @@ + + void test_note(const char *fmt, ...) + { ++ test_flush_stdout(); + if (fmt != NULL) { + va_list ap; + +--- crypto/openssl/test/threadstest.c.orig ++++ crypto/openssl/test/threadstest.c +@@ -358,7 +358,7 @@ + * Therefore we use an insecure bit length where we can (512). + * In the FIPS module though we must use a longer length. + */ +- pkey = EVP_PKEY_Q_keygen(multi_libctx, NULL, "RSA", isfips ? 2048 : 512); ++ pkey = EVP_PKEY_Q_keygen(multi_libctx, NULL, "RSA", (size_t)(isfips ? 2048 : 512)); + if (!TEST_ptr(pkey)) + goto err; + +--- crypto/openssl/util/check-format-commit.sh.orig ++++ crypto/openssl/util/check-format-commit.sh +@@ -6,24 +6,21 @@ + # You can obtain a copy in the file LICENSE in the source distribution + # or at https://www.openssl.org/source/license.html + # +-# This script is a wrapper around check-format.pl. It accepts a commit sha +-# value as input, and uses it to identify the files and ranges that were +-# changed in that commit, filtering check-format.pl output only to lines that +-# fall into the commits change ranges. +-# +- +- +-# List of Regexes to use when running check-format.pl. +-# Style checks don't apply to any of these +-EXCLUDED_FILE_REGEX=("\.pod" \ +- "\.pl" \ +- "\.pm" \ +- "\.t" \ +- "\.yml" \ +- "\.sh") +- +-# Exit code for the script +-EXIT_CODE=0 ++# This script is a wrapper around check-format.pl. ++# It accepts the same commit revision range as 'git diff' as arguments, ++# or just a single commit id, and uses it to identify the files and line ranges ++# that were changed in that commit range, filtering check-format.pl output ++# only to lines that fall into the change ranges of the changed files. ++# examples: ++# check-format-commit.sh # check unstaged changes ++# check-format-commit.sh HEAD ++# check-format-commit.sh @~3.. 
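Review bot: The `(size_t)` cast added to the `EVP_PKEY_Q_keygen()` call is what makes the call correct, and it has no comment. The function is variadic and reads the RSA bit count as a `size_t`, so passing the `int` result of `isfips ? 2048 : 512` is undefined behaviour where the two types differ in size. A line such as `/* variadic argument: bits must be passed as size_t */` above the call would keep a later cleanup from removing the cast. The enclosing function starts and ends outside the hunk.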
++# check-format-commit.sh f5981c9629667a5a5d6 ++# check-format-commit.sh f5981c9629667a5a5d6..ee0bf38e8709bf71888 ++ ++# Allowlist of files to scan ++# Currently this is any .c or .h file (with an optional .in suffix) ++FILE_NAME_END_ALLOWLIST=("\.[ch]\(.in\)\?") + + # Global vars + +@@ -45,94 +42,107 @@ + + trap cleanup EXIT + +-# Get the canonical sha256 sum for the commit we are checking ++# Get the list of ids of the commits we are checking, ++# or empty for unstaged changes. + # This lets us pass in symbolic ref names like master/etc and +-# resolve them to sha256 sums easily +-COMMIT=$(git rev-parse $1) ++# resolve them to commit ids easily ++COMMIT_RANGE="$@" ++[ -n $COMMIT_RANGE ] && COMMIT_LAST=$(git rev-parse $COMMIT_RANGE) + +-# Fail gracefully if git rev-parse doesn't produce a valid +-# commit ++# Fail gracefully if git rev-parse doesn't produce a valid commit + if [ $? -ne 0 ] + then +- echo "$1 is not a valid revision" ++ echo "$1 is not a valid commit range or commit id" + exit 1 + fi + +-# Create a iteratable list of files to check for a +-# given commit. It produces output of the format +-# , +-touch $TEMPDIR/ranges.txt +-git show $COMMIT | awk -v mycmt=$COMMIT ' ++# If the commit range is exactly one revision, ++# git rev-parse will output just the commit id of that one alone. ++# In that case, we must manipulate a little to get a desirable result, ++# as 'git diff' has a slightly different interpretation of a single commit id: ++# it takes that to mean all commits up to HEAD, plus any unstaged changes. 
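Review bot: In `FILE_NAME_END_ALLOWLIST` the dot before `in` is not escaped, so `\(.in\)\?` accepts any character in that position rather than only a literal `.in` suffix. `FILE_NAME_END_ALLOWLIST=("\.[ch]\(\.in\)\?")` matches what the comment above it describes. The pattern is also unanchored, so the suffix test depends entirely on the trailing space added by `grep "$i "` in the next hunk; a one-line remark next to the array would make that coupling obvious.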
++if [ $(echo -n "$COMMIT_LAST" | wc -w) -ne 1 ]; then ++ COMMIT_LAST=$(echo "$COMMIT_LAST" | head -1) ++else ++ # $COMMIT_RANGE is just one commit, make it an actual range ++ COMMIT_RANGE=$COMMIT_RANGE^..$COMMIT_RANGE ++fi ++ ++# Create an iterable list of files to check formatting on, ++# including the line ranges that are changed by the commits ++# It produces output of this format: ++# , ++git diff -U0 $COMMIT_RANGE | awk ' + BEGIN {myfile=""} +- /+{3}/ { +- gsub(/b\//,"",$2); +- myfile=$2 +- } +- /@@/ { +- gsub(/+/,"",$3); +- printf mycmt " " myfile " " $3 "\n" +- }' >> $TEMPDIR/ranges.txt || true +- +-# filter out anything that matches on a filter regex +-for i in ${EXCLUDED_FILE_REGEX[@]} +-do +- touch $TEMPDIR/ranges.filter +- grep -v "$i" $TEMPDIR/ranges.txt >> $TEMPDIR/ranges.filter || true +- REMAINING_FILES=$(wc -l $TEMPDIR/ranges.filter | awk '{print $1}') +- if [ $REMAINING_FILES -eq 0 ] +- then +- echo "This commit has no files that require checking" +- exit 0 +- fi +- mv $TEMPDIR/ranges.filter $TEMPDIR/ranges.txt +-done ++ /^\+\+\+/ { sub(/^b./,"",$2); file=$2 } ++ /^@@/ { sub(/^\+/,"",$3); range=$3; printf file " " range "\n" } ++ ' > $TEMPDIR/ranges.txt + +-# check out the files from the commit level. +-# For each file name in ranges, we show that file at the commit +-# level we are checking, and redirect it to the same path, relative +-# to $TEMPDIR/check-format. This give us the full file to run +-# check-format.pl on with line numbers matching the ranges in the +-# $TEMPDIR/ranges.txt file +-for j in $(grep $COMMIT $TEMPDIR/ranges.txt | awk '{print $2}') ++# filter in anything that matches on a filter regex ++for i in ${FILE_NAME_END_ALLOWLIST[@]} + do +- FDIR=$(dirname $j) +- mkdir -p $TEMPDIR/check-format/$FDIR +- git show $COMMIT:$j > $TEMPDIR/check-format/$j ++ # Note the space after the $i below. 
This is done because we want ++ # to match on file name suffixes, but the input file is of the form ++ # , ++ # So we can't just match on end of line. The additional space ++ # here lets us match on suffixes followed by the expected space ++ # in the input file ++ grep "$i " $TEMPDIR/ranges.txt >> $TEMPDIR/ranges.filter || true + done + +-# Now for each file in $TEMPDIR/check-format run check-format.pl +-# Note that we use the %P formatter in the find utilty. This strips +-# off the $TEMPDIR/check-format path prefix, leaving $j with the +-# path to the file relative to the root of the source dir, so that +-# output from check-format.pl looks correct, relative to the root +-# of the git tree. +-for j in $(find $TEMPDIR/check-format -type f -printf "%P\n") ++REMAINING_FILES=$(wc -l <$TEMPDIR/ranges.filter) ++if [ $REMAINING_FILES -eq 0 ] ++then ++ echo "The given commit range has no C source file changes that require checking" ++ exit 0 ++fi ++ ++# unless checking the format of unstaged changes, ++# check out the files from the commit range. ++if [ -n "$COMMIT_RANGE" ] ++then ++ # For each file name in ranges, we show that file at the commit range ++ # we are checking, and redirect it to the same path, ++ # relative to $TEMPDIR/check-format. ++ # This give us the full file path to run check-format.pl on ++ # with line numbers matching the ranges in the $TEMPDIR/ranges.filter file ++ for j in $(awk '{print $1}' $TEMPDIR/ranges.filter | sort -u) ++ do ++ FDIR=$(dirname $j) ++ mkdir -p $TEMPDIR/check-format/$FDIR ++ git show $COMMIT_LAST:$j > $TEMPDIR/check-format/$j ++ done ++fi ++ ++# Now for each file in $TEMPDIR/ranges.filter, run check-format.pl ++for j in $(awk '{print $1}' $TEMPDIR/ranges.filter | sort -u) + do + range_start=() + range_end=() + + # Get the ranges for this file. Create 2 arrays. range_start contains + # the start lines for valid ranges from the commit. 
the range_end array +- # contains the corresponding end line (note, since diff output gives us ++ # contains the corresponding end line. Note, since diff output gives us + # a line count for a change, the range_end[k] entry is actually + # range_start[k]+line count +- for k in $(grep $COMMIT $TEMPDIR/ranges.txt | grep $j | awk '{print $3}') ++ for k in $(grep ^$j $TEMPDIR/ranges.filter | awk '{print $2}') + do +- RANGE=$k +- RSTART=$(echo $RANGE | awk -F',' '{print $1}') +- RLEN=$(echo $RANGE | awk -F',' '{print $2}') ++ RSTART=$(echo $k | awk -F',' '{print $1}') ++ RLEN=$(echo $k | awk -F',' '{print $2}') ++ # when the hunk is just one line, its length is implied ++ if [ -z "$RLEN" ]; then RLEN=1; fi + let REND=$RSTART+$RLEN + range_start+=($RSTART) + range_end+=($REND) + done + +- # Go to our checked out tree +- cd $TEMPDIR/check-format ++ # Go to our checked out tree, unless checking unstaged changes ++ [ -n "$COMMIT_RANGE" ] && cd $TEMPDIR/check-format + + # Actually run check-format.pl on the file, capturing the output +- # in a temporary file. Note the format of check-patch.pl output is +- # ::: +- $TOPDIR/util/check-format.pl $j > $TEMPDIR/format-results.txt ++ # in a temporary file. Note the format of check-format.pl output is ++ # ::: ++ $TOPDIR/util/check-format.pl $j > $TEMPDIR/results.txt + + # Now we filter the check-format.pl output based on the changed lines + # captured in the range_start/end arrays +@@ -146,26 +156,15 @@ + # Check here if any line in that output falls between any of the + # start/end ranges defined in the range_start/range_end array. 
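Review bot: `[ -n $COMMIT_RANGE ]` is unquoted, so with no arguments it collapses to `[ -n ]`, which is always true, and the unstaged-changes path only works because `git rev-parse` with no arguments happens to succeed. With two arguments the test itself errors and the following `[ $? -ne 0 ]` reports an invalid commit range for the wrong reason. Putting the rev-parse call and its error check inside `if [ -n "$COMMIT_RANGE" ]; then ... fi` states the intent directly (simply quoting the variable in the existing `&&` line would break the no-argument case, since `$?` would then be 1). The same hunk expands `$j`, `$TEMPDIR` and `$COMMIT_LAST:$j` unquoted in `mkdir -p`, `git show` and `grep ^$j`, so a file name from the diff output containing whitespace, glob or regex characters is split or reinterpreted; quoting those expansions and matching the name with `grep -F` avoids that.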
+ # If it does fall in that range, print the entire line to stdout
+- # If anything is printed, have awk exit with a non-zero exit code
+ awk -v rstart=$RSTART -v rend=$REND -F':' '
+- BEGIN {rc=0}
+- /:/ {
+- if (($2 >= rstart) && ($2 <= rend)) {
+- print $0;
+- rc=1
+- }
+- }
+- END {exit rc;}
+- ' $TEMPDIR/format-results.txt
+-
+- # If awk exited with a non-zero code, this script will also exit
+- # with a non-zero code
+- if [ $? -ne 0 ]
+- then
+- EXIT_CODE=1
+- fi
++ /:/ { if (rstart <= $2 && $2 <= rend) print $0 }
++ ' $TEMPDIR/results.txt >>$TEMPDIR/results-filtered.txt
+ done
+ done
++cat $TEMPDIR/results-filtered.txt
+
+-# Exit with the recorded exit code above
+-exit $EXIT_CODE
++# If any findings were in range, exit with a different error code
++if [ -s $TEMPDIR/results-filtered.txt ]
++then
++ exit 2
++fi
+--- crypto/openssl/util/check-format.pl.orig
++++ crypto/openssl/util/check-format.pl
+@@ -791,7 +791,7 @@
+ # treat remaining blinded comments and string literal contents as (single) space during matching below
+ $intra_line =~ s/@+/ /g; # note that extra SPC has already been handled above
+ $intra_line =~ s/\s+$//; # strip any (resulting) space at EOL
+- # replace ';;' or '; ;' by ';' in "for(;;)" and in "for (...)" unless "..." contains just SPC and ';' characters:
++ # replace ';;' or '; ;' by ';' in "for (;;)" and in "for (...)" unless "..." contains just SPC and ';' characters:
+ $intra_line =~ s/((^|\W)for\s*\()([^;]*?)(\s*)(;\s?);(\s*)([^;]*)(\))/
+ "$1$3$4".("$3$4$5$6$7" eq ";" || $3 ne "" || $7 ne "" ?
"" : $5).";$6$7$8"/eg;
+ # strip trailing ';' or '; ' in "for (...)" except in "for (;;)" or "for (;; )":
+@@ -904,7 +904,7 @@
+ # handle opening brace '{' after if/else/while/for/switch/do on line before
+ if ($hanging_offset > 0 && m/^[\s@]*{/ && # leading opening '{'
+ $line_before > 0 &&
+- $contents_before_ =~ m/(^|^.*\W)(if|else|while|for|switch|do)(\W.*$|$)/) {
++ $contents_before_ =~ m/(^|^.*\W)(if|else|while|for|(OSSL_)?LIST_FOREACH(_\w+)?|switch|do)(\W.*$|$)/) {
+ $keyword_opening_brace = $1;
+ $hanging_offset -= INDENT_LEVEL; # cancel newly hanging_offset
+ }
+@@ -966,7 +966,7 @@
+
+ my $outermost_level = $block_indent - $preproc_offset == 0;
+
+- report("more than one stmt") if !m/(^|\W)for(\W.*|$)/ && # no 'for' - TODO improve matching
++ report("more than one stmt") if !m/(^|\W)(for|(OSSL_)?LIST_FOREACH(_\w+)?)(\W.*|$)/ && # no 'for' - TODO improve matching
+ m/;.*;/; # two or more terminators ';', so more than one statement
+
+ # check for code block containing a single line/statement
+@@ -1004,7 +1004,7 @@
+ my $assignment_start = 0;
+ my $tmp = $_;
+ $tmp =~ s/[\!<>=]=/@@/g; # blind (in-)equality symbols like '<=' as '@@' to prevent matching them as '=' below
+- if (m/^((^|.*\W)(if|while|for|switch))(\W.*|$)$/) { # (last) if/for/while/switch
++ if (m/^((^|.*\W)(if|while|for|(OSSL_)?LIST_FOREACH(_\w+)?|switch))(\W.*|$)$/) { # (last) if/for/while/switch
+ $paren_expr_start = 1;
+ } elsif (m/^((^|.*\W)(return|enum))(\W.*|$)/ # (last) return/enum
+ && !$in_expr && @nested_indents == 0 && parens_balance($1) == 0) { # not nested enum
+@@ -1135,7 +1135,7 @@
+ $line_body_start = $contents =~ m/LONG BODY/ ?
0 : $line if $line_function_start != 0;
+ }
+ } else {
+- $line_opening_brace = $line if $keyword_opening_brace =~ m/if|do|while|for/;
++ $line_opening_brace = $line if $keyword_opening_brace =~ m/if|do|while|for|(OSSL_)?LIST_FOREACH(_\w+)?/;
+ # using, not assigning, $keyword_opening_brace here because it could be on an earlier line
+ $line_opening_brace = $line if $keyword_opening_brace eq "else" && $extended_1_stmt &&
+ # TODO prevent false positives for if/else where braces around single-statement branches
+@@ -1148,11 +1148,11 @@
+ }
+ }
+
+- # check for opening brace after if/while/for/switch/do not on same line
++ # check for opening brace after if/while/for/switch/do missing on same line
+ # note that "missing '{' on same line after '} else'" is handled further below
+ if (/^[\s@]*{/ && # leading '{'
+ $line_before > 0 && !($contents_before_ =~ m/^\s*#/) && # not preprocessor directive '#if
+- (my ($head, $mid, $tail) = ($contents_before_ =~ m/(^|^.*\W)(if|while|for|switch|do)(\W.*$|$)/))) {
++ (my ($head, $mid, $tail) = ($contents_before_ =~ m/(^|^.*\W)(if|while|for|(OSSL_)?LIST_FOREACH(_\w+)?|switch|do)(\W.*$|$)/))) {
+ my $brace_after = $tail =~ /^[\s@]*{/; # any whitespace or comments then '{'
+ report("'{' not on same line as preceding '$mid'") if !$brace_after;
+ }
+--- crypto/openssl/util/mkbuildinf.pl.orig
++++ crypto/openssl/util/mkbuildinf.pl
+@@ -1,5 +1,5 @@
+ #! /usr/bin/env perl
+-# Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the Apache License 2.0 (the "License"). You may not use
+ # this file except in compliance with the License. You can obtain a copy
+@@ -9,17 +9,21 @@
+ use strict;
+ use warnings;
+
+-my ($cflags, $platform) = @ARGV;
++my $platform = pop @ARGV;
++my $cflags = join(' ', @ARGV);
++$cflags =~ s(\\)(\\\\)g;
+ $cflags = "compiler: $cflags";
+
+-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) .
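Review bot: In check-format.pl's `@@ -1148,11` hunk the two groups added to the alternation are capturing, so `my ($head, $mid, $tail) = (... =~ m/.../)` now assigns the `(OSSL_)?` capture to `$tail` instead of the text after the keyword. `$tail =~ /^[\s@]*{/` then runs on an undefined value or on `OSSL_`, so `$brace_after` can never be true and, if warnings are enabled in this file, each hit adds an uninitialized-value warning. Non-capturing groups keep the old numbering: `(?:OSSL_)?LIST_FOREACH(?:_\w+)?`. The same alternation is added in the `@@ -904`, `@@ -966`, `@@ -1004` and `@@ -1135` hunks, where the visible lines use no shifted capture, but any numbered capture read after the `@@ -1004` match lies outside that hunk and should be checked.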
" UTC"; ++# Use the value of the envvar SOURCE_DATE_EPOCH, even if it's ++# zero or the empty string. ++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} // time()) . " UTC"; + + print <<"END_OUTPUT"; + /* + * WARNING: do not edit! + * Generated by util/mkbuildinf.pl + * +- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +--- crypto/openssl/util/perl/OpenSSL/Template.pm.orig ++++ crypto/openssl/util/perl/OpenSSL/Template.pm +@@ -42,6 +42,14 @@ + + our @ISA = qw(Text::Template); # parent + ++sub tmpl_error { ++ my (%err_dict) = @_; ++ ++ $ERROR = $err_dict{"error"}; ++ ++ return undef; ++} ++ + sub new { + my $class = shift; + +@@ -66,6 +74,7 @@ + output_on => sub { $self->output_on() }, + output_off => sub { $self->output_off() }, + %hash }, ++ BROKEN => \&tmpl_error, + %opts); + } + +--- secure/lib/libcrypto/Makefile.inc.orig ++++ secure/lib/libcrypto/Makefile.inc +@@ -2,8 +2,8 @@ + .include + + # OpenSSL version used for manual page generation +-OPENSSL_VER= 3.0.15 +-OPENSSL_DATE= 2024-09-03 ++OPENSSL_VER= 3.0.16 ++OPENSSL_DATE= 2025-02-11 + + LCRYPTO_SRC= ${SRCTOP}/crypto/openssl + LCRYPTO_DOC= ${LCRYPTO_SRC}/doc +--- sys/crypto/openssl/aarch64/armv8-mont.S.orig ++++ sys/crypto/openssl/aarch64/armv8-mont.S +@@ -17,10 +17,12 @@ + cmp x5,#32 + b.le .Lscalar_impl + #ifndef __KERNEL__ ++#ifndef __AARCH64EB__ + adrp x17,OPENSSL_armv8_rsa_neonized + ldr w17,[x17,#:lo12:OPENSSL_armv8_rsa_neonized] + cbnz w17, bn_mul8x_mont_neon + #endif ++#endif + + .Lscalar_impl: + tst x5,#7 diff --git a/website/static/security/patches/EN-25:07/openssl.patch.asc b/website/static/security/patches/EN-25:07/openssl.patch.asc new file mode 100644 index 0000000000..9c72c182a8 --- /dev/null 
+++ b/website/static/security/patches/EN-25:07/openssl.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DsACgkQbljekB8A
+Gu/vAg/+OniAFvd5UYgBRkOfB9ljqpglqxgXZ36kS6/LW+s0I4RjkFUHnu1zv8ks
+/QQKefcBxv94ZLOVl+nQcQcmvYVhh1HJ00bsscz4XBeC2KXlcmQ0VwrkXKTyVjpg
+TDnBf+ZIl3FxkUbbXyQr+rFEL6I+mtSvn+IGdix4pKfTKnfBivXdktgi/R5NdoNK
+s5NrSGv8UZislXEXsJ7gmSJqEE1p06x3PJ9v3jOf7WgGWsmjCPyv10GWPzH4RAIm
+zmHM7QpC9+dsRii68fH3MvVNaE5gYG6qZgDmC2wx/p8aB3ozCCT3N0b8rm7JwFvT
+FIW/8hUgcs2j3rFA6wZf0MlOq/GqC1CNq70Ldh+G9PWeDA3LQ9Bq5QtmRDBGcOgv
+tt6j2RghYCcn7pJ8WKdbRYaSo+6T4pqMs4/jCm0ZN5DZpMNW/pXxzxjZrP/XjTSO
+AmLAfhRcJCLIlacQSL1ZlKw3vR19hE1Ad5+klxF6w5kpZ2QalxkLyph++KqBNtX4
+ashiUs4NEbiLEP/rbQCBJ8+YmlGq0nQXxiNYSy8xtO2zquwa3xm5zCz11XQ5sb4s
+qUdqqp+k2hLF5LAG6M9643H+Ku/13ezc6LuWE+r8t4wOeqvSjt02X+68ImfKgNwP
+dep4JAcqcVDNt1k3yy+RLrdwc5HwSrczwHiwEpY1pyYeVIMvT0o=
+=g5oS
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:08/caroot-13.4.patch b/website/static/security/patches/EN-25:08/caroot-13.4.patch
new file mode 100644
index 0000000000..b18e427aab
--- /dev/null
+++ b/website/static/security/patches/EN-25:08/caroot-13.4.patch
@@ -0,0 +1,3374 @@ +--- ObsoleteFiles.inc.orig ++++ ObsoleteFiles.inc +@@ -51,6 +51,26 @@ + # xargs -n1 | sort | uniq -d; + # done + ++# 20250310: caroot bundle updated ++OLD_FILES+=usr/share/certs/trusted/Entrust_Root_Certification_Authority_-_G4.pem ++OLD_FILES+=usr/share/certs/trusted/SecureSign_RootCA11.pem ++OLD_FILES+=usr/share/certs/trusted/Security_Communication_RootCA3.pem ++OLD_FILES+=usr/share/certs/trusted/SwissSign_Silver_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/blacklisted/Cybertrust_Global_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/DST_Root_CA_X3.pem ++OLD_FILES+=usr/share/certs/blacklisted/GlobalSign_Root_CA_-_R2.pem ++OLD_FILES+=usr/share/certs/blacklisted/QuoVadis_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Sonera_Class_2_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/E-Tugra_Certification_Authority.pem ++OLD_FILES+=usr/share/certs/blacklisted/Hongkong_Post_Root_CA_1.pem ++OLD_FILES+=usr/share/certs/blacklisted/Security_Communication_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem ++ + # 20240419: new clang import which bumps version from 17 to 18 + OLD_FILES+=usr/lib/clang/17/include/__clang_cuda_builtin_vars.h + OLD_FILES+=usr/lib/clang/17/include/__clang_cuda_cmath.h +--- secure/caroot/blacklisted/AddTrust_External_Root.pem.orig ++++ secure/caroot/blacklisted/AddTrust_External_Root.pem +@@ -1,99 +0,0 @@ +-## +-## AddTrust External Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Validity +- Not Before: May 30 10:48:38 2000 GMT +- Not After : May 30 10:48:38 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed: +- 1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97: +- a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f: +- cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db: +- 2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70: +- 56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6: +- 5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e: +- 87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c: +- 71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8: +- 69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df: +- ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee: +- 6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94: +- 37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8: +- 45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7: +- c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7: +- a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65: +- b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34: +- 5a:27 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root +- serial:01 +- Signature Algorithm: 
sha1WithRSAEncryption +- Signature Value: +- b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9: +- 84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41: +- 6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5: +- bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2: +- de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51: +- 14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85: +- 93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a: +- 63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b: +- a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4: +- 45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9: +- 91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e: +- 8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76: +- 60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20: +- 0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7: +- 8f:4e:86:04 +-SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 +------BEGIN CERTIFICATE----- +-MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU +-MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs +-IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 +-MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux +-FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h +-bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v +-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt +-H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 +-uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX +-mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX +-a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN +-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 +-WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD +-VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 +-Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU 
+-cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx +-IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN +-AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH +-YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +-6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC +-Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX +-c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a +-mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +------END CERTIFICATE----- +--- secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem.orig ++++ secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem +@@ -1,98 +0,0 @@ +-## +-## AddTrust Low-Value Services Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Validity +- Not Before: May 30 10:38:31 2000 GMT +- Not After : May 30 10:38:31 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:96:96:d4:21:49:60:e2:6b:e8:41:07:0c:de:c4: +- e0:dc:13:23:cd:c1:35:c7:fb:d6:4e:11:0a:67:5e: +- f5:06:5b:6b:a5:08:3b:5b:29:16:3a:e7:87:b2:34: +- 06:c5:bc:05:a5:03:7c:82:cb:29:10:ae:e1:88:81: +- bd:d6:9e:d3:fe:2d:56:c1:15:ce:e3:26:9d:15:2e: +- 10:fb:06:8f:30:04:de:a7:b4:63:b4:ff:b1:9c:ae: +- 3c:af:77:b6:56:c5:b5:ab:a2:e9:69:3a:3d:0e:33: +- 79:32:3f:70:82:92:99:61:6d:8d:30:08:8f:71:3f: +- 
a6:48:57:19:f8:25:dc:4b:66:5c:a5:74:8f:98:ae: +- c8:f9:c0:06:22:e7:ac:73:df:a5:2e:fb:52:dc:b1: +- 15:65:20:fa:35:66:69:de:df:2c:f1:6e:bc:30:db: +- 2c:24:12:db:eb:35:35:68:90:cb:00:b0:97:21:3d: +- 74:21:23:65:34:2b:bb:78:59:a3:d6:e1:76:39:9a: +- a4:49:8e:8c:74:af:6e:a4:9a:a3:d9:9b:d2:38:5c: +- 9b:a2:18:cc:75:23:84:be:eb:e2:4d:33:71:8e:1a: +- f0:c2:f8:c7:1d:a2:ad:03:97:2c:f8:cf:25:c6:f6: +- b8:24:31:b1:63:5d:92:7f:63:f0:25:c9:53:2e:1f: +- bf:4d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root +- serial:01 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 2c:6d:64:1b:1f:cd:0d:dd:b9:01:fa:96:63:34:32:48:47:99: +- ae:97:ed:fd:72:16:a6:73:47:5a:f4:eb:dd:e9:f5:d6:fb:45: +- cc:29:89:44:5d:bf:46:39:3d:e8:ee:bc:4d:54:86:1e:1d:6c: +- e3:17:27:43:e1:89:56:2b:a9:6f:72:4e:49:33:e3:72:7c:2a: +- 23:9a:bc:3e:ff:28:2a:ed:a3:ff:1c:23:ba:43:57:09:67:4d: +- 4b:62:06:2d:f8:ff:6c:9d:60:1e:d8:1c:4b:7d:b5:31:2f:d9: +- d0:7c:5d:f8:de:6b:83:18:78:37:57:2f:e8:33:07:67:df:1e: +- c7:6b:2a:95:76:ae:8f:57:a3:f0:f4:52:b4:a9:53:08:cf:e0: +- 4f:d3:7a:53:8b:fd:bb:1c:56:36:f2:fe:b2:b6:e5:76:bb:d5: +- 22:65:a7:3f:fe:d1:66:ad:0b:bc:6b:99:86:ef:3f:7d:f3:18: +- 32:ca:7b:c6:e3:ab:64:46:95:f8:26:69:d9:55:83:7b:2c:96: +- 07:ff:59:2c:44:a3:c6:e5:e9:a9:dc:a1:63:80:5a:21:5e:21: +- cf:53:54:f0:ba:6f:89:db:a8:aa:95:cf:8b:e3:71:cc:1e:1b: +- 20:44:08:c0:7a:b6:40:fd:c4:e4:35:e1:1d:16:1c:d0:bc:2b: +- 8e:d6:71:d9 +-SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D +------BEGIN CERTIFICATE----- +-MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU 
+-MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +-b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw +-MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML +-QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD +-VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA +-A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul +-CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n +-tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl +-dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch +-PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC +-+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O +-BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E +-BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl +-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk +-ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB +-IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X +-7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz +-43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY +-eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl +-pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA +-WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Cybertrust_Global_Root.pem.orig ++++ secure/caroot/blacklisted/Cybertrust_Global_Root.pem +@@ -1,99 +0,0 @@ +-## +-## Cybertrust Global Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:85:aa:2d:48 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:f8:c8:bc:bd:14:50:66:13:ff:f0:d3:79:ec:23: +- f2:b7:1a:c7:8e:85:f1:12:73:a6:19:aa:10:db:9c: +- a2:65:74:5a:77:3e:51:7d:56:f6:dc:23:b6:d4:ed: +- 5f:58:b1:37:4d:d5:49:0e:6e:f5:6a:87:d6:d2:8c: +- d2:27:c6:e2:ff:36:9f:98:65:a0:13:4e:c6:2a:64: +- 9b:d5:90:12:cf:14:06:f4:3b:e3:d4:28:be:e8:0e: +- f8:ab:4e:48:94:6d:8e:95:31:10:5c:ed:a2:2d:bd: +- d5:3a:6d:b2:1c:bb:60:c0:46:4b:01:f5:49:ae:7e: +- 46:8a:d0:74:8d:a1:0c:02:ce:ee:fc:e7:8f:b8:6b: +- 66:f3:7f:44:00:bf:66:25:14:2b:dd:10:30:1d:07: +- 96:3f:4d:f6:6b:b8:8f:b7:7b:0c:a5:38:eb:de:47: +- db:d5:5d:39:fc:88:a7:f3:d7:2a:74:f1:e8:5a:a2: +- 3b:9f:50:ba:a6:8c:45:35:c2:50:65:95:dc:63:82: +- ef:dd:bf:77:4d:9c:62:c9:63:73:16:d0:29:0f:49: +- a9:48:f0:b3:aa:b7:6c:c5:a7:30:39:40:5d:ae:c4: +- e2:5d:26:53:f0:ce:1c:23:08:61:a8:94:19:ba:04: +- 62:40:ec:1f:38:70:77:12:06:71:a7:30:18:5d:25: +- 27:a5 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://www2.public-trust.com/crl/ct/ctroot.crl +- X509v3 Authority Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 56:ef:0a:23:a0:54:4e:95:97:c9:f8:89:da:45:c1:d4:a3:00: +- 
25:f4:1f:13:ab:b7:a3:85:58:69:c2:30:ad:d8:15:8a:2d:e3: +- c9:cd:81:5a:f8:73:23:5a:a7:7c:05:f3:fd:22:3b:0e:d1:06: +- c4:db:36:4c:73:04:8e:e5:b0:22:e4:c5:f3:2e:a5:d9:23:e3: +- b8:4e:4a:20:a7:6e:02:24:9f:22:60:67:7b:8b:1d:72:09:c5: +- 31:5c:e9:79:9f:80:47:3d:ad:a1:0b:07:14:3d:47:ff:03:69: +- 1a:0c:0b:44:e7:63:25:a7:7f:b2:c9:b8:76:84:ed:23:f6:7d: +- 07:ab:45:7e:d3:df:b3:bf:e9:8a:b6:cd:a8:a2:67:2b:52:d5: +- b7:65:f0:39:4c:63:a0:91:79:93:52:0f:54:dd:83:bb:9f:d1: +- 8f:a7:53:73:c3:cb:ff:30:ec:7c:04:b8:d8:44:1f:93:5f:71: +- 09:22:b7:6e:3e:ea:1c:03:4e:9d:1a:20:61:fb:81:37:ec:5e: +- fc:0a:45:ab:d7:e7:17:55:d0:a0:ea:60:9b:a6:f6:e3:8c:5b: +- 29:c2:06:60:14:9d:2d:97:4c:a9:93:15:9d:61:c4:01:5f:48: +- d6:58:bd:56:31:12:4e:11:c8:21:e0:b3:11:91:65:db:b4:a6: +- 88:38:ce:55 +-SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +------BEGIN CERTIFICATE----- +-MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG +-A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh +-bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE +-ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS +-b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 +-7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS +-J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y +-HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP +-t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz +-FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY +-XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ +-MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw +-hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js +-MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA +-A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj +-Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx 
+-XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o +-omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc +-A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +-WL1WMRJOEcgh4LMRkWXbtKaIOM5V +------END CERTIFICATE----- +--- secure/caroot/blacklisted/DST_Root_CA_X3.pem.orig ++++ secure/caroot/blacklisted/DST_Root_CA_X3.pem +@@ -1,92 +0,0 @@ +-## +-## DST Root CA X3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Validity +- Not Before: Sep 30 21:12:19 2000 GMT +- Not After : Sep 30 14:01:15 2021 GMT +- Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: +- 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: +- c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: +- ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: +- 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: +- a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: +- 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: +- 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: +- 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: +- 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: +- 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: +- 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: +- 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: +- d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: +- eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: +- 
02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: +- 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: +- 02:5d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: +- 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: +- a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: +- 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: +- b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: +- 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: +- dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: +- e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: +- 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: +- 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: +- 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: +- 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: +- b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: +- 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: +- 82:35:35:10 +-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 +------BEGIN CERTIFICATE----- +-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
+-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +------END CERTIFICATE----- +--- secure/caroot/blacklisted/E-Tugra_Certification_Authority.pem.orig ++++ secure/caroot/blacklisted/E-Tugra_Certification_Authority.pem +@@ -1,140 +0,0 @@ +-## +-## E-Tugra Certification Authority +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Validity +- Not Before: Mar 5 12:09:48 2013 GMT +- Not After : Mar 3 12:09:48 2023 GMT +- Subject: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e2:f5:3f:93:05:51:1e:85:62:54:5e:7a:0b:f5: +- 18:07:83:ae:7e:af:7c:f7:d4:8a:6b:a5:63:43:39: +- b9:4b:f7:c3:c6:64:89:3d:94:2e:54:80:52:39:39: +- 07:4b:4b:dd:85:07:76:87:cc:bf:2f:95:4c:cc:7d: +- a7:3d:bc:47:0f:98:70:f8:8c:85:1e:74:8e:92:6d: +- 1b:40:d1:99:0d:bb:75:6e:c8:a9:6b:9a:c0:84:31: +- af:ca:43:cb:eb:2b:34:e8:8f:97:6b:01:9b:d5:0e: +- 4a:08:aa:5b:92:74:85:43:d3:80:ae:a1:88:5b:ae: +- b3:ea:5e:cb:16:9a:77:44:c8:a1:f6:54:68:ce:de: +- 8f:97:2b:ba:5b:40:02:0c:64:17:c0:b5:93:cd:e1: +- f1:13:66:ce:0c:79:ef:d1:91:28:ab:5f:a0:12:52: +- 30:73:19:8e:8f:e1:8c:07:a2:c3:bb:4a:f0:ea:1f: +- 15:a8:ee:25:cc:a4:46:f8:1b:22:ef:b3:0e:43:ba: +- 2c:24:b8:c5:2c:5c:d4:1c:f8:5d:64:bd:c3:93:5e: +- 28:a7:3f:27:f1:8e:1e:d3:2a:50:05:a3:55:d9:cb: +- e7:39:53:c0:98:9e:8c:54:62:8b:26:b0:f7:7d:8d: +- 7c:e4:c6:9e:66:42:55:82:47:e7:b2:58:8d:66:f7: +- 07:7c:2e:36:e6:50:1c:3f:db:43:24:c5:bf:86:47: +- 79:b3:79:1c:f7:5a:f4:13:ec:6c:f8:3f:e2:59:1f: +- 95:ee:42:3e:b9:ad:a8:32:85:49:97:46:fe:4b:31: +- 8f:5a:cb:ad:74:47:1f:e9:91:b7:df:28:04:22:a0: +- d4:0f:5d:e2:79:4f:ea:6c:85:86:bd:a8:a6:ce:e4: +- fa:c3:e1:b3:ae:de:3c:51:ee:cb:13:7c:01:7f:84: +- 0e:5d:51:94:9e:13:0c:b6:2e:a5:4c:f9:39:70:36: +- 6f:96:ca:2e:0c:44:55:c5:ca:fa:5d:02:a3:df:d6: +- 
64:8c:5a:b3:01:0a:a9:b5:0a:47:17:ff:ef:91:40: +- 2a:8e:a1:46:3a:31:98:e5:11:fc:cc:bb:49:56:8a: +- fc:b9:d0:61:9a:6f:65:6c:e6:c3:cb:3e:75:49:fe: +- 8f:a7:e2:89:c5:67:d7:9d:46:13:4e:31:76:3b:24: +- b3:9e:11:65:86:ab:7f:ef:1d:d4:f8:bc:e7:ac:5a: +- 5c:b7:5a:47:5c:55:ce:55:b4:22:71:5b:5b:0b:f0: +- cf:dc:a0:61:64:ea:a9:d7:68:0a:63:a7:e0:0d:3f: +- a0:af:d3:aa:d2:7e:ef:51:a0:e6:51:2b:55:92:15: +- 17:53:cb:b7:66:0e:66:4c:f8:f9:75:4c:90:e7:12: +- 70:c7:45 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 05:37:3a:f4:4d:b7:45:e2:45:75:24:8f:b6:77:52:e8:1c:d8: +- 10:93:65:f3:f2:59:06:a4:3e:1e:29:ec:5d:d1:d0:ab:7c:e0: +- 0a:90:48:78:ed:4e:98:03:99:fe:28:60:91:1d:30:1d:b8:63: +- 7c:a8:e6:35:b5:fa:d3:61:76:e6:d6:07:4b:ca:69:9a:b2:84: +- 7a:77:93:45:17:15:9f:24:d0:98:13:12:ff:bb:a0:2e:fd:4e: +- 4c:87:f8:ce:5c:aa:98:1b:05:e0:00:46:4a:82:80:a5:33:8b: +- 28:dc:ed:38:d3:df:e5:3e:e9:fe:fb:59:dd:61:84:4f:d2:54: +- 96:13:61:13:3e:8f:80:69:be:93:47:b5:35:43:d2:5a:bb:3d: +- 5c:ef:b3:42:47:cd:3b:55:13:06:b0:09:db:fd:63:f6:3a:88: +- 0a:99:6f:7e:e1:ce:1b:53:6a:44:66:23:51:08:7b:bc:5b:52: +- a2:fd:06:37:38:40:61:8f:4a:96:b8:90:37:f8:66:c7:78:90: +- 00:15:2e:8b:ad:51:35:53:07:a8:6b:68:ae:f9:4e:3c:07:26: +- cd:08:05:70:cc:39:3f:76:bd:a5:d3:67:26:01:86:a6:53:d2: +- 60:3b:7c:43:7f:55:8a:bc:95:1a:c1:28:39:4c:1f:43:d2:91: +- f4:72:59:8a:b9:56:fc:3f:b4:9d:da:70:9c:76:5a:8c:43:50: +- ee:8e:30:72:4d:df:ff:49:f7:c6:a9:67:d9:6d:ac:02:11:e2: +- 3a:16:25:a7:58:08:cb:6f:53:41:9c:48:38:47:68:33:d1:d7: +- c7:8f:d4:74:21:d4:c3:05:90:7a:ff:ce:96:88:b1:15:29:5d: +- 23:ab:d0:60:a1:12:4f:de:f4:17:cd:32:e5:c9:bf:c8:43:ad: +- 
fd:2e:8e:f1:af:e2:f4:98:fa:12:1f:20:d8:c0:a7:0c:85:c5: +- 90:f4:3b:2d:96:26:b1:2c:be:4c:ab:eb:b1:d2:8a:c9:db:78: +- 13:0f:1e:09:9d:6d:8f:00:9f:02:da:c1:fa:1f:7a:7a:09:c4: +- 4a:e6:88:2a:97:9f:89:8b:fd:37:5f:5f:3a:ce:38:59:86:4b: +- af:71:0b:b4:d8:f2:70:4f:9f:32:13:e3:b0:a7:57:e5:da:da: +- 43:cb:84:34:f2:28:c4:ea:6d:f4:2a:ef:c1:6b:76:da:fb:7e: +- bb:85:3c:d2:53:c2:4d:be:71:e1:45:d1:fd:23:67:0d:13:75: +- fb:cf:65:67:22:9d:ae:b0:09:d1:09:ff:1d:34:bf:fe:23:97: +- 37:d2:39:fa:3d:0d:06:0b:b4:db:3b:a3:ab:6f:5c:1d:b6:7e: +- e8:b3:82:34:ed:06:5c:24 +-SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 +------BEGIN CERTIFICATE----- +-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D +-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX 
+-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 +-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF +-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 +-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -0,0 +1,139 @@ ++## ++## Entrust Root Certification Authority - G4 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Validity ++ Not Before: May 27 11:11:16 2015 GMT ++ Not After : Dec 27 11:41:16 2037 GMT ++ Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. 
- for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: ++ c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: ++ 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: ++ fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: ++ 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: ++ b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: ++ 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: ++ 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: ++ d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: ++ 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: ++ b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: ++ db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: ++ c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: ++ a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: ++ 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: ++ d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: ++ ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: ++ 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: ++ 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: ++ b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: ++ 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: ++ e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: ++ fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: ++ 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: ++ 4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: ++ 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: ++ a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: ++ 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: ++ 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: ++ 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: ++ 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: ++ ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: ++ 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: ++ 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: ++ 63:73:49 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ 
Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: ++ ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: ++ 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: ++ d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: ++ 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: ++ c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: ++ ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: ++ 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: ++ 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: ++ 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: ++ bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: ++ 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: ++ 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: ++ 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: ++ ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: ++ 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: ++ 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: ++ 06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: ++ 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: ++ 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: ++ 83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: ++ c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: ++ 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: ++ 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: ++ a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: ++ 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: ++ 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: ++ 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: ++ 1f:8b:8f:53:dd:ff:ac:1f ++SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 ++-----BEGIN CERTIFICATE----- 
++MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw ++gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL ++Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg ++MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw ++BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 ++MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT ++MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 ++c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ ++bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg ++Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B ++AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ ++2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E ++T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j ++5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM ++C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T ++DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX ++wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A ++2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm ++nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 ++dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl ++N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj ++c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD ++VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS ++5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS ++Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr ++hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ ++B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI ++AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw ++H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ 
++b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk ++2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol ++IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk ++5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY ++n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/GeoTrust_Global_CA.pem.orig ++++ secure/caroot/blacklisted/GeoTrust_Global_CA.pem +@@ -1,90 +0,0 @@ +-## +-## GeoTrust Global CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 144470 (0x23456) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Validity +- Not Before: May 21 04:00:00 2002 GMT +- Not After : May 21 04:00:00 2022 GMT +- Subject: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df: +- 3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8: +- 43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29: +- bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4: +- 60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3: +- ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92: +- 2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d: +- 80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14: +- 15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd: +- d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6: +- d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5: +- 5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39: +- 19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05: +- 9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2: +- 
fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32: +- eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07: +- 36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b: +- e4:f9 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- X509v3 Authority Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 35:e3:29:6a:e5:2f:5d:54:8e:29:50:94:9f:99:1a:14:e4:8f: +- 78:2a:62:94:a2:27:67:9e:d0:cf:1a:5e:47:e9:c1:b2:a4:cf: +- dd:41:1a:05:4e:9b:4b:ee:4a:6f:55:52:b3:24:a1:37:0a:eb: +- 64:76:2a:2e:2c:f3:fd:3b:75:90:bf:fa:71:d8:c7:3d:37:d2: +- b5:05:95:62:b9:a6:de:89:3d:36:7b:38:77:48:97:ac:a6:20: +- 8f:2e:a6:c9:0c:c2:b2:99:45:00:c7:ce:11:51:22:22:e0:a5: +- ea:b6:15:48:09:64:ea:5e:4f:74:f7:05:3e:c7:8a:52:0c:db: +- 15:b4:bd:6d:9b:e5:c6:b1:54:68:a9:e3:69:90:b6:9a:a5:0f: +- b8:b9:3f:20:7d:ae:4a:b5:b8:9c:e4:1d:b6:ab:e6:94:a5:c1: +- c7:83:ad:db:f5:27:87:0e:04:6c:d5:ff:dd:a0:5d:ed:87:52: +- b7:2b:15:02:ae:39:a6:6a:74:e9:da:c4:e7:bc:4d:34:1e:a9: +- 5c:4d:33:5f:92:09:2f:88:66:5d:77:97:c7:1d:76:13:a9:d5: +- e5:f1:16:09:11:35:d5:ac:db:24:71:70:2c:98:56:0b:d9:17: +- b4:d1:e3:51:2b:5e:75:e8:d5:d0:dc:4f:34:ed:c2:05:66:80: +- a1:cb:e6:33 +-SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12 +------BEGIN CERTIFICATE----- +-MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +-YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG +-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg +-R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9 +-9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq +-fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv +-iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU 
+-1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+ +-bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW +-MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA +-ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l +-uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn +-Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS +-tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF +-PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un +-hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV +-5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/GlobalSign_Root_CA_-_R2.pem.orig ++++ secure/caroot/blacklisted/GlobalSign_Root_CA_-_R2.pem +@@ -1,99 +0,0 @@ +-## +-## GlobalSign Root CA - R2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:86:26:e6:0d +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:a6:cf:24:0e:be:2e:6f:28:99:45:42:c4:ab:3e: +- 21:54:9b:0b:d3:7f:84:70:fa:12:b3:cb:bf:87:5f: +- c6:7f:86:d3:b2:30:5c:d6:fd:ad:f1:7b:dc:e5:f8: +- 60:96:09:92:10:f5:d0:53:de:fb:7b:7e:73:88:ac: +- 52:88:7b:4a:a6:ca:49:a6:5e:a8:a7:8c:5a:11:bc: +- 7a:82:eb:be:8c:e9:b3:ac:96:25:07:97:4a:99:2a: +- 07:2f:b4:1e:77:bf:8a:0f:b5:02:7c:1b:96:b8:c5: +- b9:3a:2c:bc:d6:12:b9:eb:59:7d:e2:d0:06:86:5f: +- 5e:49:6a:b5:39:5e:88:34:ec:bc:78:0c:08:98:84: +- 6c:a8:cd:4b:b4:a0:7d:0c:79:4d:f0:b8:2d:cb:21: +- ca:d5:6c:5b:7d:e1:a0:29:84:a1:f9:d3:94:49:cb: +- 24:62:91:20:bc:dd:0b:d5:d9:cc:f9:ea:27:0a:2b: +- 73:91:c6:9d:1b:ac:c8:cb:e8:e0:a0:f4:2f:90:8b: +- 4d:fb:b0:36:1b:f6:19:7a:85:e0:6d:f2:61:13:88: +- 5c:9f:e0:93:0a:51:97:8a:5a:ce:af:ab:d5:f7:aa: +- 09:aa:60:bd:dc:d9:5f:df:72:a9:60:13:5e:00:01: +- c9:4a:fa:3f:a4:ea:07:03:21:02:8e:82:ca:03:c2: +- 9b:8f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://crl.globalsign.net/root-r2.crl +- X509v3 Authority Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 99:81:53:87:1c:68:97:86:91:ec:e0:4a:b8:44:0b:ab:81:ac: +- 
27:4f:d6:c1:b8:1c:43:78:b3:0c:9a:fc:ea:2c:3c:6e:61:1b: +- 4d:4b:29:f5:9f:05:1d:26:c1:b8:e9:83:00:62:45:b6:a9:08: +- 93:b9:a9:33:4b:18:9a:c2:f8:87:88:4e:db:dd:71:34:1a:c1: +- 54:da:46:3f:e0:d3:2a:ab:6d:54:22:f5:3a:62:cd:20:6f:ba: +- 29:89:d7:dd:91:ee:d3:5c:a2:3e:a1:5b:41:f5:df:e5:64:43: +- 2d:e9:d5:39:ab:d2:a2:df:b7:8b:d0:c0:80:19:1c:45:c0:2d: +- 8c:e8:f8:2d:a4:74:56:49:c5:05:b5:4f:15:de:6e:44:78:39: +- 87:a8:7e:bb:f3:79:18:91:bb:f4:6f:9d:c1:f0:8c:35:8c:5d: +- 01:fb:c3:6d:b9:ef:44:6d:79:46:31:7e:0a:fe:a9:82:c1:ff: +- ef:ab:6e:20:c4:50:c9:5f:9d:4d:9b:17:8c:0c:e5:01:c9:a0: +- 41:6a:73:53:fa:a5:50:b4:6e:25:0f:fb:4c:18:f4:fd:52:d9: +- 8e:69:b1:e8:11:0f:de:88:d8:fb:1d:49:f7:aa:de:95:cf:20: +- 78:c2:60:12:db:25:40:8c:6a:fc:7e:42:38:40:64:12:f7:9e: +- 81:e1:93:2e +-SHA1 Fingerprint=75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE +------BEGIN CERTIFICATE----- +-MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +-MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +-v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +-eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +-tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +-C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +-zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +-mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +-V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +-bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +-3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +-J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO 
+-291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +-ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +-AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +-TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Hongkong_Post_Root_CA_1.pem.orig ++++ secure/caroot/blacklisted/Hongkong_Post_Root_CA_1.pem +@@ -1,89 +0,0 @@ +-## +-## Hongkong Post Root CA 1 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1000 (0x3e8) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Validity +- Not Before: May 15 05:13:14 2003 GMT +- Not After : May 15 04:52:29 2023 GMT +- Subject: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:ac:ff:38:b6:e9:66:02:49:e3:a2:b4:e1:90:f9: +- 40:8f:79:f9:e2:bd:79:fe:02:bd:ee:24:92:1d:22: +- f6:da:85:72:69:fe:d7:3f:09:d4:dd:91:b5:02:9c: +- d0:8d:5a:e1:55:c3:50:86:b9:29:26:c2:e3:d9:a0: +- f1:69:03:28:20:80:45:22:2d:56:a7:3b:54:95:56: +- 22:59:1f:28:df:1f:20:3d:6d:a2:36:be:23:a0:b1: +- 6e:b5:b1:27:3f:39:53:09:ea:ab:6a:e8:74:b2:c2: +- 65:5c:8e:bf:7c:c3:78:84:cd:9e:16:fc:f5:2e:4f: +- 20:2a:08:9f:77:f3:c5:1e:c4:9a:52:66:1e:48:5e: +- e3:10:06:8f:22:98:e1:65:8e:1b:5d:23:66:3b:b8: +- a5:32:51:c8:86:aa:a1:a9:9e:7f:76:94:c2:a6:6c: +- b7:41:f0:d5:c8:06:38:e6:d4:0c:e2:f3:3b:4c:6d: +- 50:8c:c4:83:27:c1:13:84:59:3d:9e:75:74:b6:d8: +- 02:5e:3a:90:7a:c0:42:36:72:ec:6a:4d:dc:ef:c4: +- 00:df:13:18:57:5f:26:78:c8:d6:0a:79:77:bf:f7: +- 
af:b7:76:b9:a5:0b:84:17:5d:10:ea:6f:e1:ab:95: +- 11:5f:6d:3c:a3:5c:4d:83:5b:f2:b3:19:8a:80:8b: +- 0b:87 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE, pathlen:3 +- X509v3 Key Usage: critical +- Digital Signature, Non Repudiation, Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 0e:46:d5:3c:ae:e2:87:d9:5e:81:8b:02:98:41:08:8c:4c:bc: +- da:db:ee:27:1b:82:e7:6a:45:ec:16:8b:4f:85:a0:f3:b2:70: +- bd:5a:96:ba:ca:6e:6d:ee:46:8b:6e:e7:2a:2e:96:b3:19:33: +- eb:b4:9f:a8:b2:37:ee:98:a8:97:b6:2e:b6:67:27:d4:a6:49: +- fd:1c:93:65:76:9e:42:2f:dc:22:6c:9a:4f:f2:5a:15:39:b1: +- 71:d7:2b:51:e8:6d:1c:98:c0:d9:2a:f4:a1:82:7b:d5:c9:41: +- a2:23:01:74:38:55:8b:0f:b9:2e:67:a2:20:04:37:da:9c:0b: +- d3:17:21:e0:8f:97:79:34:6f:84:48:02:20:33:1b:e6:34:44: +- 9f:91:70:f4:80:5e:84:43:c2:29:d2:6c:12:14:e4:61:8d:ac: +- 10:90:9e:84:50:bb:f0:96:6f:45:9f:8a:f3:ca:6c:4f:fa:11: +- 3a:15:15:46:c3:cd:1f:83:5b:2d:41:12:ed:50:67:41:13:3d: +- 21:ab:94:8a:aa:4e:7c:c1:b1:fb:a7:d6:b5:27:2f:97:ab:6e: +- e0:1d:e2:d1:1c:2c:1f:44:e2:fc:be:91:a1:9c:fb:d6:29:53: +- 73:86:9f:53:d8:43:0e:5d:d6:63:82:71:1d:80:74:ca:f6:e2: +- 02:6b:d9:5a +-SHA1 Fingerprint=D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58 +------BEGIN CERTIFICATE----- +-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG +-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h 
+-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO +-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +-AmvZWg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/QuoVadis_Root_CA.pem.orig ++++ secure/caroot/blacklisted/QuoVadis_Root_CA.pem +@@ -1,116 +0,0 @@ +-## +-## QuoVadis Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 985026699 (0x3ab6508b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Validity +- Not Before: Mar 19 18:33:33 2001 GMT +- Not After : Mar 17 18:33:33 2021 GMT +- Subject: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:bf:61:b5:95:53:ba:57:fc:fa:f2:67:0b:3a:1a: +- df:11:80:64:95:b4:d1:bc:cd:7a:cf:f6:29:96:2e: +- 24:54:40:24:38:f7:1a:85:dc:58:4c:cb:a4:27:42: +- 97:d0:9f:83:8a:c3:e4:06:03:5b:00:a5:51:1e:70: +- 04:74:e2:c1:d4:3a:ab:d7:ad:3b:07:18:05:8e:fd: +- 83:ac:ea:66:d9:18:1b:68:8a:f5:57:1a:98:ba:f5: +- ed:76:3d:7c:d9:de:94:6a:3b:4b:17:c1:d5:8f:bd: +- 65:38:3a:95:d0:3d:55:36:4e:df:79:57:31:2a:1e: +- d8:59:65:49:58:20:98:7e:ab:5f:7e:9f:e9:d6:4d: +- 
ec:83:74:a9:c7:6c:d8:ee:29:4a:85:2a:06:14:f9: +- 54:e6:d3:da:65:07:8b:63:37:12:d7:d0:ec:c3:7b: +- 20:41:44:a3:ed:cb:a0:17:e1:71:65:ce:1d:66:31: +- f7:76:01:19:c8:7d:03:58:b6:95:49:1d:a6:12:26: +- e8:c6:0c:76:e0:e3:66:cb:ea:5d:a6:26:ee:e5:cc: +- 5f:bd:67:a7:01:27:0e:a2:ca:54:c5:b1:7a:95:1d: +- 71:1e:4a:29:8a:03:dc:6a:45:c1:a4:19:5e:6f:36: +- cd:c3:a2:b0:b7:fe:5c:38:e2:52:bc:f8:44:43:e6: +- 90:bb +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- Authority Information Access: +- OCSP - URI:https://ocsp.quovadisoffshore.com +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: 1.3.6.1.4.1.8024.0.1 +- User Notice: +- Explicit Text: Reliance on the QuoVadis Root Certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certification practices, and the QuoVadis Certificate Policy. +- CPS: http://www.quovadis.bm +- X509v3 Subject Key Identifier: +- 8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- X509v3 Authority Key Identifier: +- keyid:8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- DirName:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority +- serial:3A:B6:50:8B +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 8a:d4:14:b5:fe:f4:9a:92:a7:19:d4:a4:7e:72:18:8f:d9:68: +- 7c:52:24:dd:67:6f:39:7a:c4:aa:5e:3d:e2:58:b0:4d:70:98: +- 84:61:e8:1b:e3:69:18:0e:ce:fb:47:50:a0:4e:ff:f0:24:1f: +- bd:b2:ce:f5:27:fc:ec:2f:53:aa:73:7b:03:3d:74:6e:e6:16: +- 9e:eb:a5:2e:c4:bf:56:27:50:2b:62:ba:be:4b:1c:3c:55:5c: +- 41:1d:24:be:82:20:47:5d:d5:44:7e:7a:16:68:df:7d:4d:51: +- 70:78:57:1d:33:1e:fd:02:99:9c:0c:cd:0a:05:4f:c7:bb:8e: +- a4:75:fa:4a:6d:b1:80:8e:09:56:b9:9c:1a:60:fe:5d:c1:d7: +- 7a:dc:11:78:d0:d6:5d:c1:b7:d5:ad:32:99:03:3a:8a:cc:54: +- 25:39:31:81:7b:13:22:51:ba:46:6c:a1:bb:9e:fa:04:6c:49: +- 
26:74:8f:d2:73:eb:cc:30:a2:e6:ea:59:22:87:f8:97:f5:0e: +- fd:ea:cc:92:a4:16:c4:52:18:ea:21:ce:b1:f1:e6:84:81:e5: +- ba:a9:86:28:f2:43:5a:5d:12:9d:ac:1e:d9:a8:e5:0a:6a:a7: +- 7f:a0:87:29:cf:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:36:23:8a: +- 4a:74:36:f9 +-SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9 +------BEGIN CERTIFICATE----- +-MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC +-TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz +-MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw +-IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR +-dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG +-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp +-li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D +-rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ +-WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug +-F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU +-xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC +-Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv +-dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw +-ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl +-IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh +-c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy +-ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh +-Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI +-KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T +-KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq +-y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p +-dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD 
+-VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL +-MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk +-fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8 +-7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R +-cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y +-mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW +-xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK +-SnQ2+Q== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/SecureSign_RootCA11.pem +@@ -0,0 +1,92 @@ ++## ++## SecureSign RootCA11 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 1 (0x1) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Validity ++ Not Before: Apr 8 04:56:47 2009 GMT ++ Not After : Apr 8 04:56:47 2029 GMT ++ Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: ++ 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: ++ df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: ++ 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: ++ 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: ++ c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: ++ f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: ++ a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: ++ bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: ++ 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: ++ 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: ++ 
71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: ++ cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: ++ 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: ++ d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: ++ cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: ++ 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: ++ 3e:89 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: ++ 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: ++ 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: ++ 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: ++ 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: ++ 4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: ++ 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: ++ 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: ++ b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: ++ 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: ++ d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: ++ a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: ++ c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: ++ 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: ++ d6:ba:03:f2 ++SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr ++MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG ++A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 ++MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp ++Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD ++QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz 
++i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 ++h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV ++MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 ++UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni ++8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC ++h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD ++VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB ++AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm ++KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ ++X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr ++QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 ++pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN ++QSdJQO7e5iNEOdyhIta6A/I= ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/Security_Communication_RootCA3.pem +@@ -0,0 +1,135 @@ ++## ++## Security Communication RootCA3 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ e1:7c:37:40:fd:1b:fe:67 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Validity ++ Not Before: Jun 16 06:17:16 2016 GMT ++ Not After : Jan 18 06:17:16 2038 GMT ++ Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: ++ b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: ++ 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: ++ ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: ++ af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: ++ a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: ++ c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: ++ 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: ++ e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: ++ bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: ++ c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: ++ 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: ++ d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: ++ f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: ++ b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: ++ 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: ++ d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: ++ 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: ++ d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: ++ b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: ++ 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: ++ 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: ++ 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: ++ 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: ++ 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: ++ 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: ++ c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: ++ d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: ++ 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: ++ 
48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: ++ 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: ++ af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: ++ 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: ++ 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: ++ d1:d9:c7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: ++ 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: ++ b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: ++ f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: ++ e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: ++ bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: ++ 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: ++ 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: ++ c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: ++ b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: ++ 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: ++ b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: ++ cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: ++ 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: ++ 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: ++ 0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: ++ 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: ++ 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: ++ f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: ++ 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: ++ e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: ++ 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: ++ c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: ++ 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: ++ 
3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: ++ 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: ++ 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: ++ 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: ++ 51:d7:af:fd:33:9d:4d:66 ++SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A ++-----BEGIN CERTIFICATE----- ++MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV ++BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw ++JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 ++MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc ++U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg ++Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC ++CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r ++CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA ++lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG ++TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 ++9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 ++8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 ++g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we ++GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +++3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M ++0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ ++T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw ++HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP ++BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS ++YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA ++FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd ++9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI ++UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ ++OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke 
++gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf ++iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV ++nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD ++2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// ++1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad ++TdJ0MN1kURXbg4NR16/9M51NZg== ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/Security_Communication_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Security_Communication_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Security Communication Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 0 (0x0) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Validity +- Not Before: Sep 30 04:20:49 2003 GMT +- Not After : Sep 30 04:20:49 2023 GMT +- Subject: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b3:b3:fe:7f:d3:6d:b1:ef:16:7c:57:a5:0c:6d: +- 76:8a:2f:4b:bf:64:fb:4c:ee:8a:f0:f3:29:7c:f5: +- ff:ee:2a:e0:e9:e9:ba:5b:64:22:9a:9a:6f:2c:3a: +- 26:69:51:05:99:26:dc:d5:1c:6a:71:c6:9a:7d:1e: +- 9d:dd:7c:6c:c6:8c:67:67:4a:3e:f8:71:b0:19:27: +- a9:09:0c:a6:95:bf:4b:8c:0c:fa:55:98:3b:d8:e8: +- 22:a1:4b:71:38:79:ac:97:92:69:b3:89:7e:ea:21: +- 68:06:98:14:96:87:d2:61:36:bc:6d:27:56:9e:57: +- ee:c0:c0:56:fd:32:cf:a4:d9:8e:c2:23:d7:8d:a8: +- f3:d8:25:ac:97:e4:70:38:f4:b6:3a:b4:9d:3b:97: +- 26:43:a3:a1:bc:49:59:72:4c:23:30:87:01:58:f6: +- 4e:be:1c:68:56:66:af:cd:41:5d:c8:b3:4d:2a:55: +- 
46:ab:1f:da:1e:e2:40:3d:db:cd:7d:b9:92:80:9c: +- 37:dd:0c:96:64:9d:dc:22:f7:64:8b:df:61:de:15: +- 94:52:15:a0:7d:52:c9:4b:a8:21:c9:c6:b1:ed:cb: +- c3:95:60:d1:0f:f0:ab:70:f8:df:cb:4d:7e:ec:d6: +- fa:ab:d9:bd:7f:54:f2:a5:e9:79:fa:d9:d6:76:24: +- 28:73 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 68:40:a9:a8:bb:e4:4f:5d:79:b3:05:b5:17:b3:60:13:eb:c6: +- 92:5d:e0:d1:d3:6a:fe:fb:be:9b:6d:bf:c7:05:6d:59:20:c4: +- 1c:f0:b7:da:84:58:02:63:fa:48:16:ef:4f:a5:0b:f7:4a:98: +- f2:3f:9e:1b:ad:47:6b:63:ce:08:47:eb:52:3f:78:9c:af:4d: +- ae:f8:d5:4f:cf:9a:98:2a:10:41:39:52:c4:dd:d9:9b:0e:ef: +- 93:01:ae:b2:2e:ca:68:42:24:42:6c:b0:b3:3a:3e:cd:e9:da: +- 48:c4:15:cb:e9:f9:07:0f:92:50:49:8a:dd:31:97:5f:c9:e9: +- 37:aa:3b:59:65:97:94:32:c9:b3:9f:3e:3a:62:58:c5:49:ad: +- 62:0e:71:a5:32:aa:2f:c6:89:76:43:40:13:13:67:3d:a2:54: +- 25:10:cb:f1:3a:f2:d9:fa:db:49:56:bb:a6:fe:a7:41:35:c3: +- e0:88:61:c9:88:c7:df:36:10:22:98:59:ea:b0:4a:fb:56:16: +- 73:6e:ac:4d:f7:22:a1:4f:ad:1d:7a:2d:45:27:e5:30:c1:5e: +- f2:da:13:cb:25:42:51:95:47:03:8c:6c:21:cc:74:42:ed:53: +- ff:33:8b:8f:0f:57:01:16:2f:cf:a6:ee:c9:70:22:14:bd:fd: +- be:6c:0b:03 +-SHA1 Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 +------BEGIN CERTIFICATE----- +-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY +-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t +-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 +-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD +-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 +-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 +-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ 
+-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 +-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N +-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ +-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G +-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T +-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG +-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr +-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 +-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU +-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot +-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem +@@ -1,90 +0,0 @@ +-## +-## Sonera Class 2 Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 29 (0x1d) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = FI, O = Sonera, CN = Sonera Class2 CA +- Validity +- Not Before: Apr 6 07:29:40 2001 GMT +- Not After : Apr 6 07:29:40 2021 GMT +- Subject: C = FI, O = Sonera, CN = Sonera Class2 CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:90:17:4a:35:9d:ca:f0:0d:96:c7:44:fa:16:37: +- fc:48:bd:bd:7f:80:2d:35:3b:e1:6f:a8:67:a9:bf: +- 03:1c:4d:8c:6f:32:47:d5:41:68:a4:13:04:c1:35: +- 0c:9a:84:43:fc:5c:1d:ff:89:b3:e8:17:18:cd:91: +- 5f:fb:89:e3:ea:bf:4e:5d:7c:1b:26:d3:75:79:ed: +- e6:84:e3:57:e5:ad:29:c4:f4:3a:28:e7:a5:7b:84: +- 36:69:b3:fd:5e:76:bd:a3:2d:99:d3:90:4e:23:28: +- 7d:18:63:f1:54:3b:26:9d:76:5b:97:42:b2:ff:ae: +- f0:4e:ec:dd:39:95:4e:83:06:7f:e7:49:40:c8:c5: +- 01:b2:54:5a:66:1d:3d:fc:f9:e9:3c:0a:9e:81:b8: +- 70:f0:01:8b:e4:23:54:7c:c8:ae:f8:90:1e:00:96: +- 72:d4:54:cf:61:23:bc:ea:fb:9d:02:95:d1:b6:b9: +- 71:3a:69:08:3f:0f:b4:e1:42:c7:88:f5:3f:98:a8: +- a7:ba:1c:e0:71:71:ef:58:57:81:50:7a:5c:6b:74: +- 46:0e:83:03:98:c3:8e:a8:6e:f2:76:32:6e:27:83: +- c2:73:f3:dc:18:e8:b4:93:ea:75:44:6b:04:60:20: +- 71:57:87:9d:f3:be:a0:90:23:3d:8a:24:e1:da:21: +- db:c3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 4A:A0:AA:58:84:D3:5E:3C +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 5a:ce:87:f9:16:72:15:57:4b:1d:d9:9b:e7:a2:26:30:ec:93: +- 67:df:d6:2d:d2:34:af:f7:38:a5:ce:ab:16:b9:ab:2f:7c:35: +- cb:ac:d0:0f:b4:4c:2b:fc:80:ef:6b:8c:91:5f:36:76:f7:db: +- b3:1b:19:ea:f4:b2:11:fd:61:71:44:bf:28:b3:3a:1d:bf:b3: +- 43:e8:9f:bf:dc:31:08:71:b0:9d:8d:d6:34:47:32:90:c6:65: +- 24:f7:a0:4a:7c:04:73:8f:39:6f:17:8c:72:b5:bd:4b:c8:7a: +- 
f8:7b:83:c3:28:4e:9c:09:ea:67:3f:b2:67:04:1b:c3:14:da: +- f8:e7:49:24:91:d0:1d:6a:fa:61:39:ef:6b:e7:21:75:06:07: +- d8:12:b4:21:20:70:42:71:81:da:3c:9a:36:be:a6:5b:0d:6a: +- 6c:9a:1f:91:7b:f9:f9:ef:42:ba:4e:4e:9e:cc:0c:8d:94:dc: +- d9:45:9c:5e:ec:42:50:63:ae:f4:5d:c4:b1:12:dc:ca:3b:a8: +- 2e:9d:14:5a:05:75:b7:ec:d7:63:e2:ba:35:b6:04:08:91:e8: +- da:9d:9c:f6:66:b5:18:ac:0a:a6:54:26:34:33:d2:1b:c1:d4: +- 7f:1a:3a:8e:0b:aa:32:6e:db:fc:4f:25:9f:d9:32:c7:96:5a: +- 70:ac:df:4c +-SHA1 Fingerprint=37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27 +------BEGIN CERTIFICATE----- +-MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP +-MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx +-MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV +-BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o +-Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt +-5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s +-3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej +-vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu +-8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw +-DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG +-MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil +-zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/ +-3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD +-FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6 +-Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2 +-ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem +@@ -1,134 +0,0 @@ +-## +-## Staat der Nederlanden EV Root CA +-## +-## This is a single X.509 certificate for a public 
Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000013 (0x98968d) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Validity +- Not Before: Dec 8 11:19:29 2010 GMT +- Not After : Dec 8 11:10:28 2022 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c7:7e:89:f9:24:4b:3a:d2:33:83:35:2c:69: +- ec:dc:09:a4:e3:51:a8:25:2b:79:b8:08:3d:e0:91: +- ba:84:85:c6:85:a4:ca:e6:c9:2e:53:a4:c9:24:1e: +- fd:55:66:71:5d:2c:c5:60:68:04:b7:d9:c2:52:26: +- 38:88:a4:d6:3b:40:a6:c2:cd:3f:cd:98:93:b3:54: +- 14:58:96:55:d5:50:fe:86:ad:a4:63:7f:5c:87:f6: +- 8e:e6:27:92:67:17:92:02:03:2c:dc:d6:66:74:ed: +- dd:67:ff:c1:61:8d:63:4f:0f:9b:6d:17:30:26:ef: +- ab:d2:1f:10:a0:f9:c5:7f:16:69:81:03:47:ed:1e: +- 68:8d:72:a1:4d:b2:26:c6:ba:6c:5f:6d:d6:af:d1: +- b1:13:8e:a9:ad:f3:5e:69:75:26:18:3e:41:2b:21: +- 7f:ee:8b:5d:07:06:9d:43:c4:29:0a:2b:fc:2a:3e: +- 86:cb:3c:83:3a:f9:c9:0d:da:c5:99:e2:bc:78:41: +- 33:76:e1:bf:2f:5d:e5:a4:98:50:0c:15:dd:e0:fa: +- 9c:7f:38:68:d0:b2:a6:7a:a7:d1:31:bd:7e:8a:58: +- 27:43:b3:ba:33:91:d3:a7:98:15:5c:9a:e6:d3:0f: +- 75:d9:fc:41:98:97:3e:aa:25:db:8f:92:2e:b0:7b: +- 0c:5f:f1:63:a9:37:f9:9b:75:69:4c:28:26:25:da: +- d5:f2:12:70:45:55:e3:df:73:5e:37:f5:21:6c:90: +- 8e:35:5a:c9:d3:23:eb:d3:c0:be:78:ac:42:28:58: +- 66:a5:46:6d:70:02:d7:10:f9:4b:54:fc:5d:86:4a: +- 87:cf:7f:ca:45:ac:11:5a:b5:20:51:8d:2f:88:47: +- 97:39:c0:cf:ba:c0:42:01:40:99:48:21:0b:6b:a7: +- d2:fd:96:d5:d1:be:46:9d:49:e0:0b:a6:a0:22:4e: +- 38:d0:c1:3c:30:bc:70:8f:2c:75:cc:d0:c5:8c:51: +- 
3b:3d:94:08:64:26:61:7d:b9:c3:65:8f:14:9c:21: +- d0:aa:fd:17:72:03:8f:bd:9b:8c:e6:5e:53:9e:b9: +- 9d:ef:82:bb:e1:bc:e2:72:41:5b:21:94:d3:45:37: +- 94:d1:df:09:39:5d:e7:23:aa:9a:1d:ca:6d:a8:0a: +- 86:85:8a:82:be:42:07:d6:f2:38:82:73:da:87:5b: +- e5:3c:d3:9e:3e:a7:3b:9e:f4:03:b3:f9:f1:7d:13: +- 74:02:ff:bb:a1:e5:fa:00:79:1c:a6:66:41:88:5c: +- 60:57:a6:2e:09:c4:ba:fd:9a:cf:a7:1f:40:c3:bb: +- cc:5a:0a:55:4b:3b:38:76:51:b8:63:8b:84:94:16: +- e6:56:f3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- cf:77:2c:6e:56:be:4e:b3:b6:84:00:94:ab:47:c9:0d:d2:76: +- c7:86:9f:1d:07:d3:b6:b4:bb:08:78:af:69:d2:0b:49:de:33: +- c5:ac:ad:c2:88:02:7d:06:b7:35:02:c1:60:c9:bf:c4:e8:94: +- de:d4:d3:a9:13:25:5a:fe:6e:a2:ae:7d:05:dc:7d:f3:6c:f0: +- 7e:a6:8d:ee:d9:d7:ce:58:17:e8:a9:29:ae:73:48:87:e7:9b: +- ca:6e:29:a1:64:5f:19:13:f7:ae:06:10:ff:51:c6:9b:4d:55: +- 25:4f:93:99:10:01:53:75:f1:13:ce:c7:a6:41:41:d2:bf:88: +- a5:7f:45:fc:ac:b8:a5:b5:33:0c:82:c4:fb:07:f6:6a:e5:25: +- 84:5f:06:ca:c1:86:39:11:db:58:cd:77:3b:2c:c2:4c:0f:5e: +- 9a:e3:f0:ab:3e:61:1b:50:24:c2:c0:f4:f1:19:f0:11:29:b6: +- a5:18:02:9b:d7:63:4c:70:8c:47:a3:03:43:5c:b9:5d:46:a0: +- 0d:6f:ff:59:8e:be:dd:9f:72:c3:5b:2b:df:8c:5b:ce:e5:0c: +- 46:6c:92:b2:0a:a3:4c:54:42:18:15:12:18:bd:da:fc:ba:74: +- 6e:ff:c1:b6:a0:64:d8:a9:5f:55:ae:9f:5c:6a:76:96:d8:73: +- 67:87:fb:4d:7f:5c:ee:69:ca:73:10:fb:8a:a9:fd:9e:bd:36: +- 38:49:49:87:f4:0e:14:f0:e9:87:b8:3f:a7:4f:7a:5a:8e:79: +- d4:93:e4:bb:68:52:84:ac:6c:e9:f3:98:70:55:72:32:f9:34: +- ab:2b:49:b5:cd:20:62:e4:3a:7a:67:63:ab:96:dc:6d:ae:97: +- ec:fc:9f:76:56:88:2e:66:cf:5b:b6:c9:a4:b0:d7:05:ba:e1: +- 27:2f:93:bb:26:2a:a2:93:b0:1b:f3:8e:be:1d:40:a3:b9:36: +- 8f:3e:82:1a:1a:5e:88:ea:50:f8:59:e2:83:46:29:0b:e3:44: +- 
5c:e1:95:b6:69:90:9a:14:6f:97:ae:81:cf:68:ef:99:9a:be: +- b5:e7:e1:7f:f8:fa:13:47:16:4c:cc:6d:08:40:e7:8b:78:6f: +- 50:82:44:50:3f:66:06:8a:ab:43:84:56:4a:0f:20:2d:86:0e: +- f5:d2:db:d2:7a:8a:4b:cd:a5:e8:4e:f1:5e:26:25:01:59:23: +- a0:7e:d2:f6:7e:21:57:d7:27:bc:15:57:4c:a4:46:c1:e0:83: +- 1e:0c:4c:4d:1f:4f:06:19:e2:f9:a8:f4:3a:82:a1:b2:79:43: +- 79:d6:ad:6f:7a:27:90:03:a4:ea:24:87:3f:d9:bd:d9:e9:f2: +- 5f:50:49:1c:ee:ec:d7:2e +-SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS 
+-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem.orig ++++ secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem +@@ -1,137 +0,0 @@ +-## +-## Staat der Nederlanden Root CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000012 (0x98968c) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Validity +- Not Before: Mar 26 11:18:17 2008 GMT +- Not After : Mar 25 11:03:10 2020 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c5:59:e7:6f:75:aa:3e:4b:9c:b5:b8:ac:9e:0b: +- e4:f9:d9:ca:ab:5d:8f:b5:39:10:82:d7:af:51:e0: +- 3b:e1:00:48:6a:cf:da:e1:06:43:11:99:aa:14:25: +- 12:ad:22:e8:00:6d:43:c4:a9:b8:e5:1f:89:4b:67: +- bd:61:48:ef:fd:d2:e0:60:88:e5:b9:18:60:28:c3: +- 77:2b:ad:b0:37:aa:37:de:64:59:2a:46:57:e4:4b: +- b9:f8:37:7c:d5:36:e7:80:c1:b6:f3:d4:67:9b:96: +- 
e8:ce:d7:c6:0a:53:d0:6b:49:96:f3:a3:0b:05:77: +- 48:f7:25:e5:70:ac:30:14:20:25:e3:7f:75:5a:e5: +- 48:f8:4e:7b:03:07:04:fa:82:61:87:6e:f0:3b:c4: +- a4:c7:d0:f5:74:3e:a5:5d:1a:08:f2:9b:25:d2:f6: +- ac:04:26:3e:55:3a:62:28:a5:7b:b2:30:af:f8:37: +- c2:d1:ba:d6:38:fd:f4:ef:49:30:37:99:26:21:48: +- 85:01:a9:e5:16:e7:dc:90:55:df:0f:e8:38:cd:99: +- 37:21:4f:5d:f5:22:6f:6a:c5:12:16:60:17:55:f2: +- 65:66:a6:a7:30:91:38:c1:38:1d:86:04:84:ba:1a: +- 25:78:5e:9d:af:cc:50:60:d6:13:87:52:ed:63:1f: +- 6d:65:7d:c2:15:18:74:ca:e1:7e:64:29:8c:72:d8: +- 16:13:7d:0b:49:4a:f1:28:1b:20:74:6b:c5:3d:dd: +- b0:aa:48:09:3d:2e:82:94:cd:1a:65:d9:2b:88:9a: +- 99:bc:18:7e:9f:ee:7d:66:7c:3e:bd:94:b8:81:ce: +- cd:98:30:78:c1:6f:67:d0:be:5f:e0:68:ed:de:e2: +- b1:c9:2c:59:78:92:aa:df:2b:60:63:f2:e5:5e:b9: +- e3:ca:fa:7f:50:86:3e:a2:34:18:0c:09:68:28:11: +- 1c:e4:e1:b9:5c:3e:47:ba:32:3f:18:cc:5b:84:f5: +- f3:6b:74:c4:72:74:e1:e3:8b:a0:4a:bd:8d:66:2f: +- ea:ad:35:da:20:d3:88:82:61:f0:12:22:b6:bc:d0: +- d5:a4:ec:af:54:88:25:24:3c:a7:6d:b1:72:29:3f: +- 3e:57:a6:7f:55:af:6e:26:c6:fe:e7:cc:40:5c:51: +- 44:81:0a:78:de:4a:ce:55:bf:1d:d5:d9:b7:56:ef: +- f0:76:ff:0b:79:b5:af:bd:fb:a9:69:91:46:97:68: +- 80:14:36:1d:b3:7f:bb:29:98:36:a5:20:fa:82:60: +- 62:33:a4:ec:d6:ba:07:a7:6e:c5:cf:14:a6:e7:d6: +- 92:34:d8:81:f5:fc:1d:5d:aa:5c:1e:f6:a3:4d:3b: +- b8:f7:39 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: X509v3 Any Policy +- CPS: http://www.pkioverheid.nl/policies/root-policy-G2 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- a8:41:4a:67:2a:92:81:82:50:6e:e1:d7:d8:b3:39:3b:f3:02: +- 15:09:50:51:ef:2d:bd:24:7b:88:86:3b:f9:b4:bc:92:09:96: +- b9:f6:c0:ab:23:60:06:79:8c:11:4e:51:d2:79:80:33:fb:9d: +- 
48:be:ec:41:43:81:1f:7e:47:40:1c:e5:7a:08:ca:aa:8b:75: +- ad:14:c4:c2:e8:66:3c:82:07:a7:e6:27:82:5b:18:e6:0f:6e: +- d9:50:3e:8a:42:18:29:c6:b4:56:fc:56:10:a0:05:17:bd:0c: +- 23:7f:f4:93:ed:9c:1a:51:be:dd:45:41:bf:91:24:b4:1f:8c: +- e9:5f:cf:7b:21:99:9f:95:9f:39:3a:46:1c:6c:f9:cd:7b:9c: +- 90:cd:28:a9:c7:a9:55:bb:ac:62:34:62:35:13:4b:14:3a:55: +- 83:b9:86:8d:92:a6:c6:f4:07:25:54:cc:16:57:12:4a:82:78: +- c8:14:d9:17:82:26:2d:5d:20:1f:79:ae:fe:d4:70:16:16:95: +- 83:d8:35:39:ff:52:5d:75:1c:16:c5:13:55:cf:47:cc:75:65: +- 52:4a:de:f0:b0:a7:e4:0a:96:0b:fb:ad:c2:e2:25:84:b2:dd: +- e4:bd:7e:59:6c:9b:f0:f0:d8:e7:ca:f2:e9:97:38:7e:89:be: +- cc:fb:39:17:61:3f:72:db:3a:91:d8:65:01:19:1d:ad:50:a4: +- 57:0a:7c:4b:bc:9c:71:73:2a:45:51:19:85:cc:8e:fd:47:a7: +- 74:95:1d:a8:d1:af:4e:17:b1:69:26:c2:aa:78:57:5b:c5:4d: +- a7:e5:9e:05:17:94:ca:b2:5f:a0:49:18:8d:34:e9:26:6c:48: +- 1e:aa:68:92:05:e1:82:73:5a:9b:dc:07:5b:08:6d:7d:9d:d7: +- 8d:21:d9:fc:14:20:aa:c2:45:df:3f:e7:00:b2:51:e4:c2:f8: +- 05:b9:79:1a:8c:34:f3:9e:5b:e4:37:5b:6b:4a:df:2c:57:8a: +- 40:5a:36:ba:dd:75:44:08:37:42:70:0c:fe:dc:5e:21:a0:a3: +- 8a:c0:90:9c:68:da:50:e6:45:10:47:78:b6:4e:d2:65:c9:c3: +- 37:df:e1:42:63:b0:57:37:45:2d:7b:8a:9c:bf:05:ea:65:55: +- 33:f7:39:10:c5:28:2a:21:7a:1b:8a:c4:24:f9:3f:15:c8:9a: +- 15:20:f5:55:62:96:ed:6d:93:50:bc:e4:aa:78:ad:d9:cb:0a: +- 65:87:a6:66:c1:c4:81:a3:77:3a:58:1e:0b:ee:83:8b:9d:1e: +- d2:52:a4:cc:1d:6f:b0:98:6d:94:31:b5:f8:71:0a:dc:b9:fc: +- 7d:32:60:e6:eb:af:8a:01 +-SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16 +------BEGIN CERTIFICATE----- +-MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX +-DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl +-ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv +-b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291 
+-qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp +-uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU +-Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE +-pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp +-5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M +-UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN +-GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy +-5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv +-6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK +-eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6 +-B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/ +-BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov +-L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG +-SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS +-CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen +-5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897 +-IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK +-gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL +-+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL +-vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm +-bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk +-N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC +-Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z +-ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/SwissSign_Silver_CA_-_G2.pem +@@ -0,0 +1,140 @@ ++## ++## SwissSign Silver CA - G2 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). 
It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Validity ++ Not Before: Oct 25 08:32:46 2006 GMT ++ Not After : Oct 25 08:32:46 2036 GMT ++ Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: ++ bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: ++ 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: ++ 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: ++ b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: ++ a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: ++ d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: ++ 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: ++ bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: ++ 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: ++ 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: ++ 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: ++ 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: ++ 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: ++ 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: ++ b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: ++ a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: ++ cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: ++ 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: ++ 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: ++ be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: ++ ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: ++ 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: ++ 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: ++ e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: ++ 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: ++ 
fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: ++ 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: ++ ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: ++ 9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: ++ f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: ++ a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: ++ b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: ++ 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: ++ ea:d6:1f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Authority Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Certificate Policies: ++ Policy: 2.16.756.1.89.1.3.1.1 ++ CPS: http://repository.swisssign.com/ ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: ++ 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: ++ 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: ++ 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: ++ c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: ++ 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: ++ 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: ++ 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: ++ ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: ++ 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: ++ e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: ++ 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: ++ 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: ++ 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: ++ 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: ++ f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: ++ 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: ++ 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: ++ 
72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: ++ a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: ++ d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: ++ ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: ++ da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: ++ 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: ++ 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: ++ f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: ++ 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: ++ 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: ++ 60:39:ce:ca:62:d8:2e:6e ++SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB ++-----BEGIN CERTIFICATE----- ++MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE ++BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu ++IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow ++RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY ++U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A ++MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv ++Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br ++YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF ++nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH ++6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt ++eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ ++c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ ++MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH ++HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf ++jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 ++5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB ++rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU ++F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c ++wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 
++cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB ++AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp ++WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 ++xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ ++2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ ++IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 ++aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X ++em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR ++dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ ++OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ ++hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy ++tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Trustis FPS Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Validity +- Not Before: Dec 23 12:14:06 2003 GMT +- Not After : Jan 21 11:36:54 2024 GMT +- Subject: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:c5:50:7b:9e:3b:35:d0:df:c4:8c:cd:8e:9b:ed: +- a3:c0:36:99:f4:42:ea:a7:3e:80:83:0f:a6:a7:59: +- 87:c9:90:45:43:7e:00:ea:86:79:2a:03:bd:3d:37: +- 99:89:66:b7:e5:8a:56:86:93:9c:68:4b:68:04:8c: +- 93:93:02:3e:30:d2:37:3a:22:61:89:1c:85:4e:7d: +- 8f:d5:af:7b:35:f6:7e:28:47:89:31:dc:0e:79:64: +- 1f:99:d2:5b:ba:fe:7f:60:bf:ad:eb:e7:3c:38:29: +- 6a:2f:e5:91:0b:55:ff:ec:6f:58:d5:2d:c9:de:4c: +- 66:71:8f:0c:d7:04:da:07:e6:1e:18:e3:bd:29:02: +- a8:fa:1c:e1:5b:b9:83:a8:41:48:bc:1a:71:8d:e7: +- 62:e5:2d:b2:eb:df:7c:cf:db:ab:5a:ca:31:f1:4c: +- 22:f3:05:13:f7:82:f9:73:79:0c:be:d7:4b:1c:c0: +- d1:15:3c:93:41:64:d1:e6:be:23:17:22:00:89:5e: +- 1f:6b:a5:ac:6e:a7:4b:8c:ed:a3:72:e6:af:63:4d: +- 2f:85:d2:14:35:9a:2e:4e:8c:ea:32:98:28:86:a1: +- 91:09:41:3a:b4:e1:e3:f2:fa:f0:c9:0a:a2:41:dd: +- a9:e3:03:c7:88:15:3b:1c:d4:1a:94:d7:9f:64:59: +- 12:6d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- X509v3 Subject Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 7e:58:ff:fd:35:19:7d:9c:18:4f:9e:b0:2b:bc:8e:8c:14:ff: +- 2c:a0:da:47:5b:c3:ef:81:2d:af:05:ea:74:48:5b:f3:3e:4e: +- 07:c7:6d:c5:b3:93:cf:22:35:5c:b6:3f:75:27:5f:09:96:cd: +- a0:fe:be:40:0c:5c:12:55:f8:93:82:ca:29:e9:5e:3f:56:57: +- 
8b:38:36:f7:45:1a:4c:28:cd:9e:41:b8:ed:56:4c:84:a4:40: +- c8:b8:b0:a5:2b:69:70:04:6a:c3:f8:d4:12:32:f9:0e:c3:b1: +- dc:32:84:44:2c:6f:cb:46:0f:ea:66:41:0f:4f:f1:58:a5:a6: +- 0d:0d:0f:61:de:a5:9e:5d:7d:65:a1:3c:17:e7:a8:55:4e:ef: +- a0:c7:ed:c6:44:7f:54:f5:a3:e0:8f:f0:7c:55:22:8f:29:b6: +- 81:a3:e1:6d:4e:2c:1b:80:67:ec:ad:20:9f:0c:62:61:d5:97: +- ff:43:ed:2d:c1:da:5d:29:2a:85:3f:ac:65:ee:86:0f:05:8d: +- 90:5f:df:ee:9f:f4:bf:ee:1d:fb:98:e4:7f:90:2b:84:78:10: +- 0e:6c:49:53:ef:15:5b:65:46:4a:5d:af:ba:fb:3a:72:1d:cd: +- f6:25:88:1e:97:cc:21:9c:29:01:0d:65:eb:57:d9:f3:57:96: +- bb:48:cd:81 +-SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 +------BEGIN CERTIFICATE----- +-MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF +-MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL +-ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx +-MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc +-MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +-ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ +-AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH +-iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj +-vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA +-0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB +-OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ +-BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E +-FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 +-GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW +-zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 +-1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE +-f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F +-jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN +-ZetX2fNXlrtIzYE= +------END CERTIFICATE----- +--- /dev/null ++++ 
secure/caroot/trusted/D-TRUST_BR_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST BR Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Validity ++ Not Before: May 9 08:56:31 2023 GMT ++ Not After : May 9 08:56:30 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:ae:ff:09:59:91:80:0a:4a:68:e6:24:3f:b8:a7: ++ e4:c8:3a:0a:3a:16:cd:c9:23:61:a0:93:71:f2:ab: ++ 8b:73:8f:a0:67:65:60:d2:54:6b:63:51:6f:49:33: ++ e0:72:07:13:7d:38:cd:06:92:07:29:52:6b:4e:77: ++ 6c:04:d3:95:fa:dd:4c:8c:d9:5d:c1:61:7d:4b:e7: ++ 28:b3:44:81:7b:51:af:dd:33:b1:68:7c:d6:4e:4c: ++ fe:2b:68:b9:ca:66:69:c4:ec:5e:57:7f:f7:0d:c7: ++ 9c:36:36:e5:07:60:ac:c0:4c:ea:08:6c:ef:06:7c: ++ 4f:5b:28:7a:08:fc:93:5d:9b:f6:9c:b4:8b:86:ba: ++ 21:b9:f4:f0:e8:59:5a:28:a1:34:84:1a:25:91:b6: ++ b5:8f:ef:b2:f9:80:fa:f9:3d:3c:11:72:d8:e3:2f: ++ 86:76:c5:79:2c:c1:a9:90:93:46:98:67:cb:83:6a: ++ a0:50:23:a7:3b:f6:81:39:e0:ed:f0:b9:bf:65:f1: ++ d8:cb:7a:fb:ef:73:03:ce:00:f4:7d:d7:e0:5d:3b: ++ 66:b8:dc:8e:ba:83:cb:87:76:03:fc:25:d9:e7:23: ++ 6f:06:fd:67:f3:e0:ff:84:bc:47:bf:b5:16:18:46: ++ 69:14:cc:05:f7:db:d3:49:ac:6b:cc:ab:e4:b5:0b: ++ 43:24:5e:4b:6b:4d:67:df:d6:b5:3e:4f:78:1f:94: ++ 71:24:ea:de:70:fc:f1:93:fe:9e:93:5a:e4:94:5a: ++ 97:54:0c:35:7b:5f:6c:ee:00:1f:24:ec:03:ba:02: ++ f5:76:f4:9f:d4:9a:ed:85:2c:38:22:2f:c7:d8:2f: ++ 
76:11:4f:fd:6c:5c:e8:f5:8e:27:87:7f:19:4a:21: ++ 47:90:1d:79:8d:1c:5b:f8:cf:4a:85:e4:ed:b3:5b: ++ 8d:be:c4:64:28:5d:41:c4:6e:ac:38:5a:4f:23:74: ++ 74:a9:12:c3:f6:d2:b9:11:15:33:07:91:d8:3b:37: ++ 3a:63:30:06:d1:c5:22:36:28:62:23:10:e0:46:cc: ++ 97:ac:d6:2b:5d:64:24:d5:ee:1c:0e:de:fb:08:5a: ++ 75:2a:f6:63:6d:ce:0b:42:be:d1:ba:70:1c:9c:21: ++ e5:0f:31:69:17:d7:fc:0a:b4:de:ed:80:9c:cb:92: ++ b4:8b:f5:de:59:a2:58:09:a5:63:47:0b:e1:41:32: ++ 34:41:d9:9a:b1:d9:a8:b0:1b:5a:de:0d:0d:f4:e2: ++ b2:5d:35:80:b9:81:d4:84:69:91:02:cb:75:d0:8d: ++ c5:b5:3d:09:91:09:8f:14:a1:14:74:79:3e:d6:c9: ++ 15:1d:a4:59:59:22:dc:f6:8a:45:3d:3c:12:d6:3e: ++ 5d:32:2f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 67:90:F0:D6:DE:B5:18:D5:46:29:7E:5C:AB:F8:9E:08:BC:64:95:10 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_br_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 34:f7:b3:77:53:db:30:16:b9:2d:a5:21:f1:40:21:75:eb:eb: ++ 48:16:81:3d:73:e0:9e:27:2a:eb:77:a9:13:a4:6a:0a:5a:5a: ++ 14:33:3d:68:1f:81:ae:69:fd:8c:9f:65:6c:34:42:d9:2d:d0: ++ 7f:78:16:b1:3a:ac:23:31:ad:5e:7f:ae:e7:ae:2b:fa:ba:fc: ++ 3c:97:95:40:93:5f:c3:2d:03:a3:ed:a4:6f:53:d7:fa:40:0e: ++ 30:f5:00:20:2c:00:4c:8c:3b:b4:a3:1f:b6:bf:91:32:ab:af: ++ 92:98:d3:16:e6:d4:d1:54:5c:43:5b:2e:ae:ef:57:2a:a8:b4: ++ 6f:a4:ef:0d:56:14:da:21:ab:20:76:9e:03:fc:26:b8:9e:3f: ++ 3e:03:26:e6:4c:db:9d:5f:42:84:3d:45:03:03:1c:59:88:ca: ++ dc:2e:61:24:5a:a4:ea:27:0b:73:12:be:52:b3:0a:cf:32:17: ++ e2:1e:87:1a:16:95:48:6d:5a:e0:d0:cf:09:92:26:66:91:d8: ++ a3:61:0e:aa:81:81:7f:e8:52:82:d1:42:e7:e0:1d:18:fa:a4: ++ 85:36:e7:86:e0:0d:eb:bc:d4:c9:d6:3c:43:f1:5d:49:6e:7e: ++ 81:9b:69:b5:89:62:8f:88:52:d8:d7:fe:27:c1:23:c5:cb:2b: ++ 02:bb:b1:5f:fe:fb:43:85:03:46:be:5d:c6:ca:21:26:ff:d7: ++ 
02:9e:74:4a:dc:f8:13:15:b1:81:57:36:cb:65:5c:d1:1d:31: ++ 77:e9:25:c3:c3:b2:32:37:d5:f1:98:09:e4:6d:63:80:08:ab: ++ 06:92:81:d4:e9:70:8f:a7:3f:b2:ed:86:8c:82:6a:35:c8:42: ++ 5a:82:d1:52:1a:45:0f:15:a5:00:f0:94:7b:65:27:57:39:43: ++ cf:7c:7f:e6:bd:35:b3:7b:f1:19:4c:de:3a:96:cf:e9:76:ee: ++ 03:e7:c2:43:52:3c:6a:81:e8:c1:5a:80:bd:11:5d:93:6b:fb: ++ c7:e6:64:3f:bb:69:1c:e9:dd:25:8b:af:74:c9:54:40:ca:cb: ++ 93:13:0a:ed:fb:66:92:11:ca:f5:c0:fa:d8:83:55:03:7c:d3: ++ c5:22:46:75:70:6b:79:48:06:2a:82:9a:bf:e6:eb:16:0e:22: ++ 45:01:bc:dd:36:94:34:a9:35:26:8a:d7:97:b9:ee:08:72:bf: ++ 34:92:70:83:80:ab:38:aa:59:68:dd:40:a4:18:90:b2:f3:d5: ++ 03:ca:26:ca:ef:d5:c7:e0:8f:53:8e:f0:00:e3:a8:ed:9f:f9: ++ ad:77:e0:2b:63:4f:9e:c3:ee:37:bb:78:09:84:9e:b9:6e:fb: ++ 29:99:90:e8:80:d3:9f:24 ++SHA1 Fingerprint=2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEJSIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUw ++OTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCTcfKr ++i3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNE ++gXtRr90zsWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8 ++k12b9py0i4a6Ibn08OhZWiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCT ++Rphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl ++2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LULQyReS2tNZ9/WtT5PeB+U ++cSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIvx9gvdhFP ++/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bS ++uREVMweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+ ++0bpwHJwh5Q8xaRfX/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4N ++DfTisl01gLmB1IRpkQLLddCNxbU9CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+ 
++XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZ5Dw1t61 ++GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tI ++FoE9c+CeJyrrd6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67n ++riv6uvw8l5VAk1/DLQOj7aRvU9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTR ++VFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4nj8+AybmTNudX0KEPUUDAxxZiMrc ++LmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdijYQ6qgYF/6FKC0ULn ++4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff/vtD ++hQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsG ++koHU6XCPpz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46 ++ls/pdu4D58JDUjxqgejBWoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aS ++Ecr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/5usWDiJFAbzdNpQ0qTUmiteXue4Icr80 ++knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jtn/mtd+ArY0+ew+43u3gJ ++hJ65bvspmZDogNOfJA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/D-TRUST_EV_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST EV Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Validity ++ Not Before: May 9 09:10:33 2023 GMT ++ Not After : May 9 09:10:32 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:d8:8e:a3:89:80:0b:b2:57:52:dc:a9:53:4c:37: ++ b9:7f:63:17:13:ef:a7:5b:23:5b:69:75:b0:99:0a: ++ 17:c1:8b:c4:db:a8:e0:cc:31:ba:c2:f2:cd:5d:e9: ++ b7:f8:1d:af:6a:c4:95:87:d7:47:c9:95:d8:82:04: ++ 50:3d:81:08:ff:e4:3d:b3:b1:d6:c5:b2:fd:88:09: ++ db:9c:84:ec:25:17:14:87:7f:30:78:9b:6a:58:c9: ++ b6:73:28:3c:34:f7:99:f7:7f:d3:a6:f8:1c:45:7c: ++ ad:2c:8c:94:3f:d8:67:10:53:7e:22:cd:4e:25:51: ++ f0:25:24:35:11:5e:10:c6:ec:87:66:89:81:68:ba: ++ cc:2b:9d:47:73:1f:bd:cd:91:a4:72:6a:9c:a2:1b: ++ 18:a0:6f:ec:50:f4:7d:40:c2:a8:30:cf:bd:73:c8: ++ 13:2b:10:13:1e:8b:9a:a8:3a:94:73:d3:18:69:0a: ++ 4a:ff:c1:01:03:ff:79:7f:b5:48:7f:7b:ee:e8:29: ++ 6f:36:4c:95:61:86:d8:f9:a2:73:8a:ee:ae:2f:96: ++ ee:68:cd:3d:4d:28:42:f9:45:2b:32:1b:46:55:16: ++ 6a:a6:4b:29:f9:bb:95:56:bf:46:1d:ec:1d:93:1d: ++ c0:65:b2:1f:a1:43:ae:56:9e:a0:b1:8f:6b:12:b7: ++ 60:6d:78:0b:ca:8a:5c:ed:1e:96:0e:83:a6:48:95: ++ 8d:3b:a3:21:c4:ae:58:c6:00:b2:84:b4:23:a4:96: ++ 86:35:b8:d8:9e:d8:ac:34:49:98:63:95:c5:cb:6d: ++ 48:47:e2:f2:2e:18:1e:d0:31:ab:dd:74:ec:f9:dc: ++ 8c:b8:1c:8e:68:23:ba:d0:f3:50:dc:cf:65:8f:73: ++ 3a:32:c7:7c:fe:ca:82:22:4f:be:8e:62:47:66:e5: ++ cd:87:e2:e8:d5:0f:18:9f:e5:04:72:4b:46:3c:10: ++ f2:44:c2:64:56:71:4e:75:e8:9c:c9:26:74:c5:7d: ++ 59:d1:0a:5b:0f:6d:fe:9e:75:1c:18:c6:1a:3a:7c: ++ d8:0d:04:cc:cd:b7:45:65:7a:b1:8f:b8:ae:84:48: ++ 3e:b3:7a:4d:a8:03:e2:e2:7e:01:16:59:68:18:43: ++ 33:b0:d2:dc:b0:1a:43:35:ee:a5:da:a9:46:5c:ae: ++ 
86:81:41:01:4a:74:26:ec:9f:06:bf:c2:05:37:64: ++ 75:78:29:68:fd:c5:f5:eb:fe:47:f9:e4:85:b0:e1: ++ 7b:31:9d:a6:7f:72:a3:b9:c4:2c:2e:cc:99:57:0e: ++ 21:0c:45:01:94:65:eb:65:09:c6:63:22:0b:33:49: ++ 92:48:3c:fc:cd:ce:b0:3e:8e:9e:8b:f8:fe:49:c5: ++ 35:72:47 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ AA:FC:91:10:1B:87:91:5F:16:B9:BF:4F:4B:91:5E:00:1C:B1:32:80 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_ev_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 93:cb:a5:1f:99:11:ec:9a:0d:5f:2c:15:93:c6:3f:be:10:8d: ++ 78:42:f0:6e:90:47:47:8e:a3:92:32:8d:70:8f:f6:5b:8d:be: ++ 89:ce:47:01:6a:1b:20:20:89:5b:c8:82:10:6c:e0:e7:99:aa: ++ 6b:c6:2a:a0:63:35:91:6a:85:25:ad:17:38:a5:9b:7e:50:f2: ++ 76:ea:85:05:2a:27:41:2b:b1:81:d1:a2:f6:40:75:a9:0e:cb: ++ f1:55:48:d8:ec:d1:ec:b3:e8:ce:14:a1:35:ec:c2:5e:35:1a: ++ ab:a6:16:01:06:8e:ea:dc:2f:a3:8a:ca:2c:91:eb:52:8e:5f: ++ 0c:9b:17:cf:cb:73:07:19:c4:6a:c2:73:54:ef:7c:43:52:63: ++ c1:11:ca:c2:45:b1:f4:3b:53:f5:69:ae:3c:e3:a5:de:ac:e8: ++ 54:b7:b2:91:fd:ac:a9:1f:f2:87:e4:17:c6:49:a8:7c:d8:0a: ++ 41:f4:f2:3e:e7:77:34:04:52:dd:e8:81:f2:4d:2f:54:45:9d: ++ 15:e1:4f:cc:e5:de:34:57:10:c9:23:72:17:70:8d:50:70:1f: ++ 56:6c:cc:b9:ff:3a:5a:4f:63:7a:c3:6e:65:07:1d:84:a1:ff: ++ a9:0c:63:89:6d:b2:40:88:39:d7:1f:77:68:b5:fc:9c:d5:d6: ++ 67:69:5b:a8:74:db:fc:89:f6:1b:32:f7:a4:24:a6:76:b7:47: ++ 53:ef:8d:49:8f:a9:b6:83:5a:a5:96:90:45:61:f5:de:03:4f: ++ 26:0f:a8:8b:f0:03:96:b0:ac:15:d0:71:5a:6a:7b:94:e6:70: ++ 93:da:f1:69:e0:b2:62:4d:9e:8f:ff:89:9d:9b:5d:cd:45:e9: ++ 94:02:22:8d:e0:35:7f:e8:f1:04:79:71:6c:54:83:f8:33:b9: ++ 05:32:1b:58:55:11:4f:d0:e5:27:47:71:ec:ed:da:67:d6:62: ++ a6:4b:4d:0f:69:a2:c9:bc:ec:22:4b:94:c7:68:94:17:7e:e2: ++ 8e:28:3e:b6:c6:ea:f5:34:6c:9f:37:88:07:38:db:86:71:fa: ++ 
cd:95:48:43:6e:a3:4f:82:87:d7:34:98:6e:4b:93:79:60:75: ++ 69:0f:f0:1a:d5:53:fa:21:0c:c2:3f:e9:3f:1f:18:8c:92:5d: ++ 78:a7:76:67:19:bb:b2:ea:7f:e9:70:09:56:56:a3:b0:0c:0b: ++ 2d:36:5e:c5:e9:c4:d5:83:cb:86:17:97:2c:6c:13:6f:87:5a: ++ af:49:a6:1d:db:cd:38:04:2e:5f:e2:4a:35:0e:2d:4b:f8:a2: ++ 24:04:8d:d8:e1:63:5e:02:92:34:da:98:61:5c:1c:6f:58:76: ++ 64:b3:fc:02:b8:f5:9d:0a ++SHA1 Fingerprint=A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEVWIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUw ++OTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1sJkK ++F8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE ++7CUXFId/MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFe ++EMbsh2aJgWi6zCudR3Mfvc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6 ++lHPTGGkKSv/BAQP/eX+1SH977ugpbzZMlWGG2Pmic4ruri+W7mjNPU0oQvlFKzIb ++RlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3YG14C8qKXO0elg6DpkiV ++jTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq9107PncjLgc ++jmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZx ++TnXonMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+ ++ARZZaBhDM7DS3LAaQzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nk ++hbDhezGdpn9yo7nELC7MmVcOIQxFAZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knF ++NXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUqvyREBuH ++kV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14 ++QvBukEdHjqOSMo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4 ++pZt+UPJ26oUFKidBK7GB0aL2QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q 
++3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xDUmPBEcrCRbH0O1P1aa4846XerOhU ++t7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V4U/M5d40VxDJI3IX ++cI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuodNv8 ++ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT ++2vFp4LJiTZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs ++7dpn1mKmS00PaaLJvOwiS5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNP ++gofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAst ++Nl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L+KIkBI3Y4WNeApI02phh ++XBxvWHZks/wCuPWdCg== ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem.orig ++++ secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -1,139 +0,0 @@ +-## +-## Entrust Root Certification Authority - G4 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 +- Validity +- Not Before: May 27 11:11:16 2015 GMT +- Not After : Dec 27 11:41:16 2037 GMT +- Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. 
- for authorized use only", CN = Entrust Root Certification Authority - G4 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: +- c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: +- 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: +- fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: +- 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: +- b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: +- 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: +- 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: +- d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: +- 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: +- b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: +- db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: +- c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: +- a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: +- 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: +- d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: +- ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: +- 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: +- 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: +- b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: +- 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: +- e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: +- fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: +- 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: +- 4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: +- 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: +- a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: +- 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: +- 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: +- 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: +- 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: +- ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: +- 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: +- 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: +- 63:73:49 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- 
Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: +- ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: +- 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: +- d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: +- 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: +- c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: +- ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: +- 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: +- 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: +- 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: +- bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: +- 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: +- 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: +- 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: +- ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: +- 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: +- 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: +- 06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: +- 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: +- 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: +- 83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: +- c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: +- 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: +- 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: +- a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: +- 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: +- 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: +- 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: +- 1f:8b:8f:53:dd:ff:ac:1f +-SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 +------BEGIN CERTIFICATE----- 
+-MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw +-gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL +-Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg +-MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +-BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 +-MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 +-c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ +-bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg +-Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B +-AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ +-2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E +-T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j +-5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM +-C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T +-DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX +-wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A +-2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm +-nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 +-dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl +-N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj +-c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +-VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS +-5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS +-Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr +-hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ +-B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI +-AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw +-H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ 
+-b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk +-2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol +-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk +-5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY +-n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/FIRMAPROFESIONAL_CA_ROOT-A_WEB.pem +@@ -0,0 +1,71 @@ ++## ++## FIRMAPROFESIONAL CA ROOT-A WEB ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Validity ++ Not Before: Apr 6 09:01:36 2022 GMT ++ Not After : Mar 31 09:01:36 2047 GMT ++ Subject: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:47:53:ea:2c:11:a4:77:c7:2a:ea:f3:d6:5f:7b: ++ d3:04:91:5c:fa:88:c6:22:b9:83:10:62:77:84:33: ++ 2d:e9:03:88:d4:e0:33:f7:ed:77:2c:4a:60:ea:e4: ++ 6f:ad:6d:b4:f8:4c:8a:a4:e4:1f:ca:ea:4f:38:4a: ++ 2e:82:73:2b:c7:66:9b:0a:8c:40:9c:7c:8a:f6:f2: ++ 39:60:b2:de:cb:ec:b8:e4:6f:ea:9b:5d:b7:53:90: ++ 18:32:55:c5:20:b7:94 ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Subject Key Identifier: ++ 
93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:30:1d:7c:a4:7b:c3:89:75:33:e1:3b:a9:45:bf:46: ++ e9:e9:a1:dd:c9:22:16:b7:47:11:0b:d8:9a:ba:f1:c8:0b:70: ++ 50:53:02:91:70:85:59:a9:1e:a4:e6:ea:23:31:a0:00:02:31: ++ 00:fd:e2:f8:b3:af:16:b9:1e:73:c4:96:e3:c1:30:19:d8:7e: ++ e6:c3:97:de:1c:4f:b8:89:2f:33:eb:48:0f:19:f7:87:46:5d: ++ 26:90:a5:85:c5:b9:7a:94:3e:87:a8:bd:00 ++SHA1 Fingerprint=A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 ++-----BEGIN CERTIFICATE----- ++MIICejCCAgCgAwIBAgIQMZch7a+JQn81QYehZ1ZMbTAKBggqhkjOPQQDAzBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE ++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwHhcNMjIwNDA2MDkwMTM2WhcNNDcwMzMxMDkwMTM2WjBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE ++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARHU+osEaR3xyrq89Zf ++e9MEkVz6iMYiuYMQYneEMy3pA4jU4DP37XcsSmDq5G+tbbT4TIqk5B/K6k84Si6C ++cyvHZpsKjECcfIr28jlgst7L7Ljkb+qbXbdTkBgyVcUgt5SjYzBhMA8GA1UdEwEB ++/wQFMAMBAf8wHwYDVR0jBBgwFoAUk+FDY1w8ndYn81LsF7Kpryz3dvgwHQYDVR0O ++BBYEFJPhQ2NcPJ3WJ/NS7Beyqa8s93b4MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjO ++PQQDAwNoADBlAjAdfKR7w4l1M+E7qUW/Runpod3JIha3RxEL2Jq68cgLcFBTApFw ++hVmpHqTm6iMxoAACMQD94vizrxa5HnPEluPBMBnYfubDl94cT7iJLzPrSA8Z94dG ++XSaQpYXFuXqUPoeovQA= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/SecureSign_RootCA11.pem.orig ++++ secure/caroot/trusted/SecureSign_RootCA11.pem +@@ -1,92 +0,0 @@ +-## +-## SecureSign RootCA11 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Validity +- Not Before: Apr 8 04:56:47 2009 GMT +- Not After : Apr 8 04:56:47 2029 GMT +- Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: +- 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: +- df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: +- 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: +- 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: +- c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: +- f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: +- a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: +- bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: +- 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: +- 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: +- 71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: +- cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: +- 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: +- d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: +- cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: +- 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: +- 3e:89 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: +- 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: +- 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: +- 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: +- 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: +- 
4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: +- 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: +- 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: +- b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: +- 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: +- d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: +- a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: +- c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: +- 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: +- d6:ba:03:f2 +-SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 +------BEGIN CERTIFICATE----- +-MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr +-MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG +-A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 +-MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp +-Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD +-QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz +-i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 +-h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV +-MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 +-UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni +-8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC +-h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD +-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +-AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm +-KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ +-X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr +-QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 +-pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN +-QSdJQO7e5iNEOdyhIta6A/I= +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA12.pem +@@ -0,0 +1,93 @@ ++## ++## 
SecureSign Root CA12 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 66:f9:c7:c1:af:ec:c2:51:b4:ed:53:97:e6:e6:82:c3:2b:1c:90:16 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Validity ++ Not Before: Apr 8 05:36:46 2020 GMT ++ Not After : Apr 8 05:36:46 2040 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:ba:39:c1:37:7a:68:45:2b:14:b4:eb:e4:13:eb: ++ 57:75:23:4d:8f:24:2d:16:e8:ae:8e:c9:7d:a4:57: ++ 3b:2a:76:25:33:83:6c:ea:32:8a:94:9b:4e:3c:96: ++ e4:fd:51:bf:99:c9:93:7e:bf:f9:ad:a7:b2:48:2b: ++ 07:1c:27:f5:4c:bc:70:12:77:a4:85:54:b5:fd:90: ++ 7a:e4:a3:e4:51:58:03:cd:10:79:79:ee:6b:93:1f: ++ 64:8e:6b:64:ab:a3:13:e3:71:fe:7d:ab:9c:dd:27: ++ 53:37:b3:aa:18:c2:59:26:ec:5b:1f:d2:e6:65:7c: ++ ef:93:bd:d8:58:5c:0b:c0:e3:65:6f:3c:c7:ca:59: ++ e3:fe:6e:5f:ac:83:be:fd:5d:25:4e:2a:29:3b:d6: ++ 0b:ab:17:32:78:a4:e1:3e:94:46:be:62:6e:9b:de: ++ 46:a8:b1:16:e7:85:6e:f4:08:40:45:11:a0:9e:54: ++ 44:84:f7:d8:36:ce:f5:50:47:dc:2c:30:9b:ee:c0: ++ f5:96:d2:fe:09:86:c7:06:59:ae:4f:ae:8e:11:98: ++ 7b:f3:0b:52:aa:62:26:aa:21:df:8e:25:33:79:97: ++ 16:49:8d:f5:3e:d5:47:9f:37:31:49:33:72:05:4d: ++ 0c:b6:55:8c:f1:57:8f:8a:87:d1:ad:c5:11:12:39: ++ a0:ad ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 57:34:F3:74:CF:04:4B:D5:25:E6:F1:40:B6:2C:4C:D9:2D:E9:A0:AD ++ Signature Algorithm: 
sha256WithRSAEncryption ++ Signature Value: ++ 3e:bb:db:17:16:d2:f2:14:01:20:2c:38:83:4b:ad:be:ca:85: ++ 7a:9a:b6:9b:6b:a6:e1:fc:a5:3a:ac:ad:b4:28:3a:af:d7:01: ++ 83:49:2b:63:a2:dd:9a:64:0e:98:5c:6f:dd:8e:bb:8a:54:22: ++ 2d:4a:13:f3:ae:40:43:db:4f:91:b7:86:1a:ec:00:b4:41:81: ++ a4:4f:fa:6a:8b:88:b3:76:08:72:2a:49:40:c3:d3:c3:85:89: ++ 98:10:a5:9d:6f:19:b7:bb:cf:7a:65:55:db:37:eb:3c:8a:72: ++ 32:97:1e:9a:29:3e:ad:8d:e6:a3:1b:6d:f5:75:1a:e6:b0:68: ++ b9:5b:a2:ee:69:47:27:35:a1:86:99:80:f3:33:4b:e1:6b:a4: ++ 26:c3:ef:74:59:6c:7a:a2:64:b6:1e:44:c3:50:e0:0f:39:3d: ++ a9:33:f1:a5:f3:d2:bd:62:84:ac:8e:1c:a9:cd:5a:bd:37:3b: ++ 6e:0a:22:b4:f4:15:e7:91:58:c5:3a:44:d3:95:28:d9:c0:65: ++ e9:72:ca:d0:0f:bd:1f:b3:15:d9:a9:e3:a4:47:09:9e:e0:cb: ++ 37:fb:fd:bd:97:d5:be:18:1a:69:a2:39:81:d9:1a:f5:ab:7f: ++ c8:e3:e2:67:0b:9d:f4:0c:ea:54:df:d2:b2:af:b1:22:f1:20: ++ df:bc:44:1c ++SHA1 Fingerprint=7A:22:1E:3D:DE:1B:06:AC:9E:C8:47:70:16:8E:3C:E5:F7:6B:06:F4 ++-----BEGIN CERTIFICATE----- ++MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExMjAeFw0yMDA0MDgw ++NTM2NDZaFw00MDA0MDgwNTM2NDZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6OcE3emhF ++KxS06+QT61d1I02PJC0W6K6OyX2kVzsqdiUzg2zqMoqUm048luT9Ub+ZyZN+v/mt ++p7JIKwccJ/VMvHASd6SFVLX9kHrko+RRWAPNEHl57muTH2SOa2SroxPjcf59q5zd ++J1M3s6oYwlkm7Fsf0uZlfO+TvdhYXAvA42VvPMfKWeP+bl+sg779XSVOKik71gur ++FzJ4pOE+lEa+Ym6b3kaosRbnhW70CEBFEaCeVESE99g2zvVQR9wsMJvuwPWW0v4J ++hscGWa5Pro4RmHvzC1KqYiaqId+OJTN5lxZJjfU+1UefNzFJM3IFTQy2VYzxV4+K ++h9GtxRESOaCtAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD ++AgEGMB0GA1UdDgQWBBRXNPN0zwRL1SXm8UC2LEzZLemgrTANBgkqhkiG9w0BAQsF ++AAOCAQEAPrvbFxbS8hQBICw4g0utvsqFepq2m2um4fylOqyttCg6r9cBg0krY6Ld ++mmQOmFxv3Y67ilQiLUoT865AQ9tPkbeGGuwAtEGBpE/6aouIs3YIcipJQMPTw4WJ 
++mBClnW8Zt7vPemVV2zfrPIpyMpcemik+rY3moxtt9XUa5rBouVui7mlHJzWhhpmA ++8zNL4WukJsPvdFlseqJkth5Ew1DgDzk9qTPxpfPSvWKErI4cqc1avTc7bgoitPQV ++55FYxTpE05Uo2cBl6XLK0A+9H7MV2anjpEcJnuDLN/v9vZfVvhgaaaI5gdka9at/ ++yOPiZwud9AzqVN/Ssq+xIvEg37xEHA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA14.pem +@@ -0,0 +1,135 @@ ++## ++## SecureSign Root CA14 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 64:db:5a:0c:20:4e:e8:d7:29:77:c8:50:27:a2:5a:27:dd:2d:f2:cb ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Validity ++ Not Before: Apr 8 07:06:19 2020 GMT ++ Not After : Apr 8 07:06:19 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c5:d2:7a:a1:d6:8a:bf:16:31:d0:98:d1:3a:94: ++ fc:5a:b8:6e:22:c1:62:f7:a7:0a:27:ef:50:f6:2e: ++ b1:9e:68:12:f0:6c:24:63:39:f1:f0:df:10:c6:de: ++ b7:52:20:d5:52:5b:42:99:9e:f3:a0:be:52:1f:5f: ++ cc:67:6d:a7:2e:50:a2:c1:97:8d:b6:f8:95:f5:b0: ++ ba:dc:9d:e0:be:cb:df:f7:38:f2:47:f5:a6:9a:92: ++ 95:2a:62:59:50:0b:a2:b1:35:e7:65:b2:61:b2:ea: ++ 92:71:69:e4:29:f0:4f:81:81:04:3c:b2:a5:5b:d4: ++ c5:a8:59:67:7b:55:1c:49:ab:7a:9d:c2:e7:73:4d: ++ ef:cd:09:c2:c4:57:12:db:01:0e:23:79:09:07:3b: ++ a2:e8:fc:8a:cf:8f:c0:46:24:9c:38:27:e0:83:9d: ++ 1b:a0:bf:78:15:10:eb:86:4e:0a:5a:fd:df:da:2c: ++ 82:7e:ee:ca:f6:29:e1:fa:71:a1:f7:88:68:9c:9c: ++ f0:8d:be:0f:49:91:d8:ea:3a:f9:fd:d0:68:71:db: ++ e9:b5:2b:4e:82:92:6f:66:1f:e0:f0:dc:4c:ec:ca: ++ 
d1:ea:ba:74:06:f9:b3:84:90:94:d1:5f:8e:73:19: ++ 10:5d:02:e5:70:a5:c0:10:d0:10:7c:6f:c5:58:49: ++ b4:b0:6e:9a:da:7d:95:f5:cc:da:02:af:b8:2c:7d: ++ 79:8f:be:43:f1:f9:28:28:8d:09:43:f8:08:dd:6b: ++ c8:8b:2c:24:b1:8d:52:07:bd:78:9b:cb:ca:68:b2: ++ a4:dd:0c:4c:79:60:c6:99:d1:93:f1:30:1a:07:d3: ++ ae:22:c2:ea:ce:f1:84:09:cc:e0:14:6e:7f:3f:7e: ++ d2:82:85:ac:dc:a9:16:4e:85:a0:60:cb:f6:9c:d7: ++ c8:b3:8e:ed:c6:9b:98:75:0d:55:e8:5f:e5:95:8b: ++ 02:a4:ae:43:29:28:11:a4:e6:12:30:01:4b:75:6b: ++ 1e:66:9d:79:2f:a5:76:2f:1d:40:b4:6d:c9:7d:79: ++ 08:ec:d1:6a:b6:5d:2a:b2:a5:66:bd:6b:85:f4:74: ++ 56:c3:f5:e7:75:52:28:2c:a5:ff:66:47:a5:d4:fe: ++ fe:9e:54:bf:65:7e:01:d6:30:8f:a5:36:9c:a2:50: ++ 1c:ee:38:80:01:48:c6:c7:74:f4:c6:ac:c3:40:49: ++ 16:61:74:2c:af:8c:6f:35:ed:7b:18:00:5b:36:3c: ++ 9c:50:0d:ca:92:33:10:f1:26:49:6d:df:75:24:37: ++ 82:22:d7:e8:96:fd:15:4b:02:96:3e:07:72:95:7e: ++ ab:3d:4c:2e:d7:ca:f0:df:e0:58:3f:2d:2f:04:9a: ++ 38:a3:01 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 06:93:A3:0A:5E:28:69:37:AA:61:1D:EB:EB:FC:2D:6F:23:E4:F3:A0 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 96:80:72:09:06:7e:9c:cc:93:04:16:bb:a0:3a:8d:92:4e:b7: ++ 11:1a:0a:71:71:10:cd:04:ad:7f:a5:45:50:10:66:4e:4a:41: ++ a2:03:d9:11:4f:7a:37:b9:4b:e2:c6:8f:32:66:75:25:fb:eb: ++ ce:3f:03:29:26:8d:b8:16:1d:f6:1f:33:6e:48:e6:e8:f8:57: ++ b2:1b:79:df:3b:87:0a:e2:64:ba:00:ca:6c:ef:7e:d0:23:eb: ++ 78:8f:ff:64:9b:34:37:9f:35:65:a2:a4:00:3d:12:23:96:58: ++ 5d:ca:63:87:c6:a3:07:88:4d:e7:69:76:8a:53:cd:f1:4f:ec: ++ 42:f2:93:e3:99:a4:37:3c:87:b8:62:db:f0:ec:1f:37:3f:37: ++ 5f:43:cc:51:9d:b5:f0:97:c2:b7:85:6a:68:0b:44:1e:e5:51: ++ ee:93:ce:4b:6e:86:c1:d2:0c:24:59:36:1a:9f:2c:91:8f:e3: ++ 18:db:94:95:0a:ed:91:aa:0e:99:dc:96:53:e3:61:83:c6:16: ++ ba:23:ba:dc:dd:7e:1a:c6:7b:42:b6:d9:5a:05:dc:9a:5f:d5: ++ 
df:b8:da:47:7d:da:38:db:ac:39:d5:1e:6b:6c:2a:17:8c:61: ++ cd:b1:6d:72:01:c3:c3:20:00:62:68:16:31:d5:76:aa:86:bb: ++ 0e:aa:9e:c6:f9:f0:d9:f8:0d:21:02:e4:c5:28:16:59:11:b9: ++ d9:69:73:2a:92:78:b8:92:57:9b:08:f2:3a:e5:2f:95:b0:58: ++ b7:6b:20:14:6d:14:ef:0a:bc:7e:d8:55:d8:88:da:2f:fa:19: ++ a5:fb:8b:e0:7f:39:f5:72:2b:85:c4:2c:ac:ef:19:45:92:4c: ++ b3:61:07:dc:4d:1f:6e:d2:81:13:5c:9a:f3:12:67:83:cf:9b: ++ 3f:8b:9f:9d:a4:b9:a8:96:03:7a:c5:ee:20:de:33:da:2f:9e: ++ 1a:7a:74:1e:e1:ee:cc:5a:3a:04:dd:b3:1a:04:a8:14:63:ac: ++ b7:47:12:83:9a:6c:f5:e6:e9:15:15:91:1a:84:19:0e:94:44: ++ e7:12:8e:25:5b:80:67:19:dc:63:93:10:0b:65:2e:8a:fa:09: ++ 9a:4e:da:86:28:7d:aa:61:35:d8:0e:a7:28:1a:bb:52:e0:78: ++ f8:6c:ba:6c:b0:6e:b9:87:5e:e9:99:35:37:f1:3d:64:2b:a9: ++ a0:34:93:cf:63:2f:d5:81:df:ae:63:27:a5:1e:4e:8d:dc:29: ++ 78:59:f8:f9:a1:20:8c:a7:26:40:6e:82:72:cd:78:b2:c8:8f: ++ 3c:1e:73:e7:c1:1f:bf:cf:ce:a5:2a:9b:db:44:64:32:a0:bb: ++ 7f:5c:25:13:48:b5:7f:92 ++SHA1 Fingerprint=DD:50:C0:F7:79:B3:64:2E:74:A2:B8:9D:9F:D3:40:DD:BB:F0:F2:4F ++-----BEGIN CERTIFICATE----- ++MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNDAeFw0yMDA0MDgw ++NzA2MTlaFw00NTA0MDgwNzA2MTlaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF0nqh1oq/ ++FjHQmNE6lPxauG4iwWL3pwon71D2LrGeaBLwbCRjOfHw3xDG3rdSINVSW0KZnvOg ++vlIfX8xnbacuUKLBl422+JX1sLrcneC+y9/3OPJH9aaakpUqYllQC6KxNedlsmGy ++6pJxaeQp8E+BgQQ8sqVb1MWoWWd7VRxJq3qdwudzTe/NCcLEVxLbAQ4jeQkHO6Lo ++/IrPj8BGJJw4J+CDnRugv3gVEOuGTgpa/d/aLIJ+7sr2KeH6caH3iGicnPCNvg9J ++kdjqOvn90Ghx2+m1K06Ckm9mH+Dw3EzsytHqunQG+bOEkJTRX45zGRBdAuVwpcAQ ++0BB8b8VYSbSwbprafZX1zNoCr7gsfXmPvkPx+SgojQlD+Ajda8iLLCSxjVIHvXib ++y8posqTdDEx5YMaZ0ZPxMBoH064iwurO8YQJzOAUbn8/ftKChazcqRZOhaBgy/ac ++18izju3Gm5h1DVXoX+WViwKkrkMpKBGk5hIwAUt1ax5mnXkvpXYvHUC0bcl9eQjs 
++0Wq2XSqypWa9a4X0dFbD9ed1Uigspf9mR6XU/v6eVL9lfgHWMI+lNpyiUBzuOIAB ++SMbHdPTGrMNASRZhdCyvjG817XsYAFs2PJxQDcqSMxDxJklt33UkN4Ii1+iW/RVL ++ApY+B3KVfqs9TC7XyvDf4Fg/LS8EmjijAQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD ++AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUBpOjCl4oaTeqYR3r6/wtbyPk ++86AwDQYJKoZIhvcNAQEMBQADggIBAJaAcgkGfpzMkwQWu6A6jZJOtxEaCnFxEM0E ++rX+lRVAQZk5KQaID2RFPeje5S+LGjzJmdSX7684/AykmjbgWHfYfM25I5uj4V7Ib ++ed87hwriZLoAymzvftAj63iP/2SbNDefNWWipAA9EiOWWF3KY4fGoweITedpdopT ++zfFP7ELyk+OZpDc8h7hi2/DsHzc/N19DzFGdtfCXwreFamgLRB7lUe6TzktuhsHS ++DCRZNhqfLJGP4xjblJUK7ZGqDpncllPjYYPGFrojutzdfhrGe0K22VoF3Jpf1d+4 ++2kd92jjbrDnVHmtsKheMYc2xbXIBw8MgAGJoFjHVdqqGuw6qnsb58Nn4DSEC5MUo ++FlkRudlpcyqSeLiSV5sI8jrlL5WwWLdrIBRtFO8KvH7YVdiI2i/6GaX7i+B/OfVy ++K4XELKzvGUWSTLNhB9xNH27SgRNcmvMSZ4PPmz+Ln52kuaiWA3rF7iDeM9ovnhp6 ++dB7h7sxaOgTdsxoEqBRjrLdHEoOabPXm6RUVkRqEGQ6UROcSjiVbgGcZ3GOTEAtl ++Lor6CZpO2oYofaphNdgOpygau1LgePhsumywbrmHXumZNTfxPWQrqaA0k89jL9WB ++365jJ6UeTo3cKXhZ+PmhIIynJkBugnLNeLLIjzwec+fBH7/PzqUqm9tEZDKgu39c ++JRNItX+S ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA15.pem +@@ -0,0 +1,67 @@ ++## ++## SecureSign Root CA15 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 16:15:c7:c3:d8:49:a7:be:69:0c:8a:88:ed:f0:70:f9:dd:b7:3e:87 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Validity ++ Not Before: Apr 8 08:32:56 2020 GMT ++ Not After : Apr 8 08:32:56 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:0b:50:74:8d:64:32:99:99:b3:d2:60:08:b8:22: ++ 8e:46:74:2c:78:c0:2b:44:2d:6d:5f:1d:c9:ae:4b: ++ 52:20:83:3d:b8:14:6d:53:87:60:9e:5f:6c:85:db: ++ 06:14:95:e0:c7:28:ff:9d:5f:e4:aa:f1:b3:8b:6d: ++ ed:4f:2f:4b:c9:4a:94:91:64:75:fe:01:ec:c1:d8: ++ eb:7a:94:78:56:18:43:5f:6b:81:cb:f6:bc:da:b4: ++ 0c:b6:29:93:08:69:8f ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ EB:41:C8:AE:FC:D5:9E:51:48:F5:BD:8B:F4:87:20:93:41:2B:D3:F4 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:31:00:d9:2e:89:7e:5e:4e:a4:11:07:bd:59:c2:07: ++ de:ab:32:38:53:2a:46:44:06:17:7a:ce:51:e9:e0:ff:66:2d: ++ 09:4e:e0:4f:f4:05:d1:85:f6:35:60:dc:f5:72:b3:46:7d:02: ++ 30:44:98:46:1a:82:85:1e:61:69:89:4b:07:4b:66:b5:9e:aa: ++ ba:a0:1e:41:d9:01:74:3a:6e:45:3a:89:80:19:7b:32:98:55: ++ 63:ab:eb:63:6e:93:6d:ab:1b:09:60:31:4e ++SHA1 Fingerprint=CB:BA:83:C8:C1:5A:5D:F1:F9:73:6F:CA:D7:EF:28:13:06:4A:07:7D ++-----BEGIN CERTIFICATE----- ++MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw ++UTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28uLCBM ++dGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNTAeFw0yMDA0MDgwODMy ++NTZaFw00NTA0MDgwODMyNTZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJl ++cnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290 
++IENBMTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQLUHSNZDKZmbPSYAi4Io5GdCx4 ++wCtELW1fHcmuS1Iggz24FG1Th2CeX2yF2wYUleDHKP+dX+Sq8bOLbe1PL0vJSpSR ++ZHX+AezB2Ot6lHhWGENfa4HL9rzatAy2KZMIaY+jQjBAMA8GA1UdEwEB/wQFMAMB ++Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT ++9DAKBggqhkjOPQQDAwNoADBlAjEA2S6Jfl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp ++4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJSwdLZrWeqrqgHkHZAXQ6 ++bkU6iYAZezKYVWOr62Nuk22rGwlgMU4= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Security_Communication_RootCA3.pem.orig ++++ secure/caroot/trusted/Security_Communication_RootCA3.pem +@@ -1,135 +0,0 @@ +-## +-## Security Communication RootCA3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- e1:7c:37:40:fd:1b:fe:67 +- Signature Algorithm: sha384WithRSAEncryption +- Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Validity +- Not Before: Jun 16 06:17:16 2016 GMT +- Not After : Jan 18 06:17:16 2038 GMT +- Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: +- b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: +- 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: +- ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: +- af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: +- a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: +- c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: +- 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: +- e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: +- bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: +- 
c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: +- 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: +- d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: +- f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: +- b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: +- 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: +- d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: +- 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: +- d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: +- b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: +- 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: +- 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: +- 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: +- 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: +- 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: +- 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: +- c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: +- d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: +- 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: +- 48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: +- 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: +- af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: +- 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: +- 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: +- d1:d9:c7 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha384WithRSAEncryption +- Signature Value: +- dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: +- 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: +- b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: +- f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: +- e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: +- bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: +- 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: +- 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: +- 
c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: +- b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: +- 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: +- b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: +- cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: +- 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: +- 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: +- 0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: +- 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: +- 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: +- f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: +- 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: +- e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: +- 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: +- c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: +- 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: +- 3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: +- 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: +- 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: +- 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: +- 51:d7:af:fd:33:9d:4d:66 +-SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A +------BEGIN CERTIFICATE----- +-MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV +-BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +-JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 +-MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +-U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg +-Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +-CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r +-CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA +-lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG +-TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 
+-9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 +-8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 +-g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we +-GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +-+3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M +-0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ +-T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw +-HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP +-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS +-YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA +-FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd +-9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI +-UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ +-OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke +-gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf +-iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV +-nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD +-2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// +-1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad +-TdJ0MN1kURXbg4NR16/9M51NZg== +------END CERTIFICATE----- +--- secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem.orig ++++ secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem +@@ -1,140 +0,0 @@ +-## +-## SwissSign Silver CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Validity +- Not Before: Oct 25 08:32:46 2006 GMT +- Not After : Oct 25 08:32:46 2036 GMT +- Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: +- bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: +- 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: +- 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: +- b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: +- a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: +- d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: +- 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: +- bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: +- 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: +- 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: +- 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: +- 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: +- 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: +- 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: +- b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: +- a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: +- cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: +- 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: +- 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: +- be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: +- ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: +- 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: +- 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: +- e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: +- 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: +- fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: +- 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: +- ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: +- 
9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: +- f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: +- a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: +- b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: +- 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: +- ea:d6:1f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Authority Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Certificate Policies: +- Policy: 2.16.756.1.89.1.3.1.1 +- CPS: http://repository.swisssign.com/ +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: +- 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: +- 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: +- 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: +- c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: +- 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: +- 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: +- 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: +- ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: +- 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: +- e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: +- 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: +- 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: +- 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: +- 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: +- f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: +- 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: +- 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: +- 72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: +- a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: +- d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: 
+- ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: +- da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: +- 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: +- 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: +- f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: +- 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: +- 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: +- 60:39:ce:ca:62:d8:2e:6e +-SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB +------BEGIN CERTIFICATE----- +-MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE +-BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu +-IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow +-RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY +-U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +-MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv +-Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br +-YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF +-nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH +-6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt +-eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ +-c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ +-MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH +-HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf +-jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 +-5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB +-rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +-F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c +-wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 +-cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB +-AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp 
+-WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 +-xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ +-2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ +-IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 +-aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X +-em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR +-dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ +-OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ +-hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy +-tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/TWCA_CYBER_Root_CA.pem +@@ -0,0 +1,137 @@ ++## ++## TWCA CYBER Root CA ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 40:01:34:8c:c2:00:00:00:00:00:00:00:01:3c:f2:c6 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Validity ++ Not Before: Nov 22 06:54:29 2022 GMT ++ Not After : Nov 22 15:59:59 2047 GMT ++ Subject: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c6:f8:ca:1e:d9:09:20:7e:1d:6c:4e:ce:8f:e3: ++ 47:33:44:9c:c7:c9:69:aa:3a:5b:78:ee:70:d2:92: ++ f8:04:b3:52:52:1d:67:72:28:a1:df:8b:5d:95:0a: ++ fe:ea:cd:ed:f7:29:ce:f0:6f:7f:ac:cd:3d:ef:b3: ++ 1c:45:6a:f7:28:90:f1:61:57:c5:0c:c4:a3:50:5d: ++ de:d4:b5:cb:19:ca:80:b9:75:ce:29:ce:d2:85:22: ++ ec:02:63:cc:44:30:20:da:ea:91:5b:56:e6:1d:1c: ++ d5:9d:66:c7:3f:df:86:ca:4b:53:c4:d9:8d:b2:1d: ++ ea:f8:dc:27:53:a3:47:e1:61:cc:7d:b5:b0:f8:ee: ++ 73:91:c5:ce:73:6f:ce:ee:10:1f:1a:06:cf:e9:27: ++ 60:c5:4f:19:e4:eb:ce:22:26:45:d7:60:99:dd:ce: ++ 4f:37:e0:7f:e7:63:ad:b0:b8:59:b8:d0:06:68:35: ++ 60:d3:36:ae:71:43:04:f1:69:65:78:7c:f3:1f:f3: ++ ca:28:9f:5a:20:95:66:b4:cd:b7:ee:8f:78:a4:45: ++ 18:e9:26:2f:8d:9b:29:28:b1:a4:b7:3a:6d:b9:d4: ++ 1c:38:72:45:58:b1:5e:eb:f0:28:9b:b7:82:ca:fd: ++ cf:d6:33:0f:9f:fb:97:9e:b1:1c:9c:9e:ea:5f:5e: ++ db:aa:dd:54:e9:30:21:28:6d:8e:79:f3:75:92:8c: ++ 26:fe:dc:c5:f6:c3:b0:df:44:59:43:a3:b6:03:28: ++ f6:08:30:aa:0d:33:e1:ef:9c:a9:07:22:e3:59:5b: ++ 40:8f:da:88:b7:69:08:a8:b7:23:2e:44:09:59:37: ++ 5b:c7:e3:17:f2:22:eb:6e:39:52:c5:de:54:a7:98: ++ c9:4b:20:95:dc:46:89:5f:b4:12:f9:85:29:8e:eb: ++ c8:27:15:20:c0:4b:d4:cc:7c:0c:6c:34:0c:26:9b: ++ 26:31:a6:3c:a7:f6:d9:d0:4b:a2:64:ff:3b:99:41: ++ 72:c1:e0:70:97:f1:24:bb:2b:c4:74:22:b1:ac:6b: ++ 22:32:24:d3:78:2a:c0:c0:a1:2f:f1:52:05:c9:3f: ++ ef:76:66:e2:45:d8:0d:3d:ad:95:c8:c7:89:26:c8: ++ 0f:ae:a7:03:2e:fb:c1:5f:fa:20:e1:70:ad:b0:65: ++ 
20:37:33:60:b0:d5:af:d7:0c:1c:c2:90:70:d7:4a: ++ 18:bc:7e:01:b0:b0:eb:15:1e:44:06:cd:a4:4f:e8: ++ 0c:d1:c3:20:10:e1:54:65:9e:b6:51:d0:1a:76:6b: ++ 42:5a:58:76:34:ea:b7:37:19:ae:2e:75:f9:96:e5: ++ c1:59:f7:94:57:29:25:8d:3a:4c:ab:4d:9a:41:d0: ++ 5f:26:03 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ X509v3 Subject Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 64:8f:7a:c4:62:0e:b5:88:cc:b8:c7:86:0e:a1:4a:16:cd:70: ++ 0b:b7:a7:85:0b:b3:76:b6:0f:a7:ff:08:8b:0b:25:cf:a8:d4: ++ 83:75:2a:b8:96:88:b6:fb:df:2d:2d:b4:69:53:21:35:57:d6: ++ 89:4d:73:bf:69:8f:70:a3:61:cc:9a:db:1e:9a:e0:20:f8:6c: ++ bb:9b:22:9d:5d:84:31:9a:2c:8a:dd:6a:a1:d7:28:69:ca:fe: ++ 76:55:7a:46:67:eb:cc:43:88:16:a2:03:d6:b9:17:f8:19:6c: ++ 6d:23:02:7f:f1:5f:d0:0a:29:23:3b:d1:aa:0a:ed:a9:17:26: ++ 54:0a:4d:c2:a5:4d:f8:c5:fd:b8:81:cf:2b:2c:78:a3:67:4c: ++ a9:07:9a:f3:df:5e:fb:7c:f5:89:cd:74:97:61:10:6a:07:2b: ++ 81:5a:d2:8e:b7:e7:20:d1:20:6e:24:a8:84:27:a1:57:ac:aa: ++ 55:58:2f:dc:d9:ca:fa:68:04:9e:ed:44:24:f9:74:40:3b:23: ++ 33:ab:83:5a:18:26:42:b6:6d:54:b5:16:60:30:6c:b1:a0:f8: ++ b8:41:a0:5d:49:49:d2:65:05:3a:ea:fe:9d:61:bc:86:d9:bf: ++ de:d3:ba:3a:b1:7f:7e:92:34:8e:c9:00:6e:dc:98:bd:dc:ec: ++ 80:05:ad:02:3d:df:65:ed:0b:03:f7:f7:16:84:04:31:ba:93: ++ 94:d8:f2:12:f8:8a:e3:bf:42:af:a7:d4:cd:11:17:16:c8:42: ++ 1d:14:a8:42:f6:d2:40:86:a0:4f:23:ca:96:45:56:60:06:cd: ++ b7:55:01:a6:01:94:65:fe:6e:05:09:ba:b4:a4:aa:e2:ef:58: ++ be:bd:27:56:d8:ef:73:71:5b:44:33:f2:9a:72:ea:b0:5e:3e: ++ 6e:a9:52:5b:ec:70:6d:b5:87:8f:37:5e:3c:8c:9c:ce:e4:f0: ++ ce:0c:67:41:cc:ce:f6:80:ab:4e:cc:4c:56:f5:c1:61:59:93: ++ b4:3e:a6:da:b8:37:12:9f:2a:32:e3:8b:b8:21:ec:c3:2b:65: ++ 
0c:ef:22:de:88:29:3b:4c:d7:fa:fe:b7:e1:47:be:9c:3e:3e: ++ 83:fb:51:5d:f5:68:f7:2e:21:85:dc:bf:f1:5a:e2:7c:d7:c5: ++ e4:83:c1:6a:eb:ba:80:5a:de:5c:2d:70:76:f8:c8:e5:87:87: ++ ca:a0:9d:a1:e5:22:12:27:0f:44:3d:1d:6c:ea:d4:c2:8b:2f: ++ 6f:79:ab:7f:50:a6:c4:19:a7:a1:7a:b7:96:f9:c1:1f:62:5a: ++ a2:43:07:40:5e:26:c6:ac:ed:ae:70:16:c5:aa:ca:72:8a:4d: ++ b0:cf:01:8b:03:3f:6e:d7 ++SHA1 Fingerprint=F6:B1:1C:1A:83:38:E9:7B:DB:B3:A8:C8:33:24:E0:2D:9C:7F:26:66 ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ ++MQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FOLUNBMRAwDgYDVQQLEwdSb290 ++IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3QgQ0EwHhcNMjIxMTIyMDY1NDI5 ++WhcNNDcxMTIyMTU1OTU5WjBQMQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FO ++LUNBMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3Qg ++Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDG+Moe2Qkgfh1sTs6P ++40czRJzHyWmqOlt47nDSkvgEs1JSHWdyKKHfi12VCv7qze33Kc7wb3+szT3vsxxF ++avcokPFhV8UMxKNQXd7UtcsZyoC5dc4pztKFIuwCY8xEMCDa6pFbVuYdHNWdZsc/ ++34bKS1PE2Y2yHer43CdTo0fhYcx9tbD47nORxc5zb87uEB8aBs/pJ2DFTxnk684i ++JkXXYJndzk834H/nY62wuFm40AZoNWDTNq5xQwTxaWV4fPMf88oon1oglWa0zbfu ++j3ikRRjpJi+NmykosaS3Om251Bw4ckVYsV7r8Cibt4LK/c/WMw+f+5eesRycnupf ++Xtuq3VTpMCEobY5583WSjCb+3MX2w7DfRFlDo7YDKPYIMKoNM+HvnKkHIuNZW0CP ++2oi3aQiotyMuRAlZN1vH4xfyIutuOVLF3lSnmMlLIJXcRolftBL5hSmO68gnFSDA ++S9TMfAxsNAwmmyYxpjyn9tnQS6Jk/zuZQXLB4HCX8SS7K8R0IrGsayIyJNN4KsDA ++oS/xUgXJP+92ZuJF2A09rZXIx4kmyA+upwMu+8Ff+iDhcK2wZSA3M2Cw1a/XDBzC ++kHDXShi8fgGwsOsVHkQGzaRP6AzRwyAQ4VRlnrZR0Bp2a0JaWHY06rc3Ga4udfmW ++5cFZ95RXKSWNOkyrTZpB0F8mAwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD ++VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSdhWEUfMFib5do5E83QOGt4A1WNzAd ++BgNVHQ4EFgQUnYVhFHzBYm+XaORPN0DhreANVjcwDQYJKoZIhvcNAQEMBQADggIB ++AGSPesRiDrWIzLjHhg6hShbNcAu3p4ULs3a2D6f/CIsLJc+o1IN1KriWiLb73y0t ++tGlTITVX1olNc79pj3CjYcya2x6a4CD4bLubIp1dhDGaLIrdaqHXKGnK/nZVekZn ++68xDiBaiA9a5F/gZbG0jAn/xX9AKKSM70aoK7akXJlQKTcKlTfjF/biBzysseKNn 
++TKkHmvPfXvt89YnNdJdhEGoHK4Fa0o635yDRIG4kqIQnoVesqlVYL9zZyvpoBJ7t ++RCT5dEA7IzOrg1oYJkK2bVS1FmAwbLGg+LhBoF1JSdJlBTrq/p1hvIbZv97Tujqx ++f36SNI7JAG7cmL3c7IAFrQI932XtCwP39xaEBDG6k5TY8hL4iuO/Qq+n1M0RFxbI ++Qh0UqEL20kCGoE8jypZFVmAGzbdVAaYBlGX+bgUJurSkquLvWL69J1bY73NxW0Qz ++8ppy6rBePm6pUlvscG21h483XjyMnM7k8M4MZ0HMzvaAq07MTFb1wWFZk7Q+ptq4 ++NxKfKjLji7gh7MMrZQzvIt6IKTtM1/r+t+FHvpw+PoP7UV31aPcuIYXcv/Fa4nzX ++xeSDwWrruoBa3lwtcHb4yOWHh8qgnaHlIhInD0Q9HWzq1MKLL295q39QpsQZp6F6 ++t5b5wR9iWqJDB0BeJsas7a5wFsWqynKKTbDPAYsDP27X ++-----END CERTIFICATE----- diff --git a/website/static/security/patches/EN-25:08/caroot-13.4.patch.asc b/website/static/security/patches/EN-25:08/caroot-13.4.patch.asc new file mode 100644 index 0000000000..aea0717152 --- /dev/null +++ b/website/static/security/patches/EN-25:08/caroot-13.4.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38D0ACgkQbljekB8A +Gu81KQ//T9NNdh3W7wkf5DLTea2xH/llXSairhn17SBbhICPbMVSaJ6m0sSwKhDc +ITu4Wpy1z+qMGPbXeQlmWx0QGqj9WGnafYRnlXbcWHR7jHrVdGGEoLZ6FsHhEKcv +G2e8WAFyMGWHlxhJBPcLSRCxQI5CMrt/uPguUPLvKoEjZ0ycaFCPc0qJHefXHOLm +WA9QMxXpZnphzk1mOerKfpzBjLDCCO/PIfXHhrujrchSWXN0OXar57lXwxpzqbfO +f2MhmubMqB4BlHyTz+A6+zCFcvcobYxCMhEsvfKcXHfSW4WH+k6Y4+Odtk4gN5sA +Hqes8dsA2Y3UpCTkH53+nV3hBKqfZLNJjZvs3/uJFvZZwMcuwhMA14asw14RVbYZ +kAX1AgTyFY5tD4jU1eQZqZWs8DqkofXZA5ejGkE0w+hR4DopqoiF7VDJGKP5KKXV +4X1h1isjZJZpI1/Xw/UhuKxGdRebgqX4rXUyHDHN7UPWs4jEDjpNUYjUtF5pu+qi +gxn5G2ZKOU+1w6+HfNrMrySZQo8E4qGyinNoBMER5TH85Ezmkg9eM0SO9s3HPkEP +dyq58Z4HFb6iXnsWKk8Zu4Psk7vwTiYIKiKBWL2dpY386h9X6nGeQ5w9SOr1pXbJ +uzskSEHHfLyqFaYTwCpDfv/Jutb9//9Bs5Jvmhmc4ZqhTNMs5PA= +=8D4g +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:08/caroot-13.5.patch b/website/static/security/patches/EN-25:08/caroot-13.5.patch new file mode 100644 index 0000000000..f573cf1232 --- /dev/null +++ b/website/static/security/patches/EN-25:08/caroot-13.5.patch 
@@ -0,0 +1,3374 @@ +--- ObsoleteFiles.inc.orig ++++ ObsoleteFiles.inc +@@ -51,6 +51,26 @@ + # xargs -n1 | sort | uniq -d; + # done + ++# 20250310: caroot bundle updated ++OLD_FILES+=usr/share/certs/trusted/Entrust_Root_Certification_Authority_-_G4.pem ++OLD_FILES+=usr/share/certs/trusted/SecureSign_RootCA11.pem ++OLD_FILES+=usr/share/certs/trusted/Security_Communication_RootCA3.pem ++OLD_FILES+=usr/share/certs/trusted/SwissSign_Silver_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/blacklisted/Cybertrust_Global_Root.pem ++OLD_FILES+=usr/share/certs/blacklisted/DST_Root_CA_X3.pem ++OLD_FILES+=usr/share/certs/blacklisted/GlobalSign_Root_CA_-_R2.pem ++OLD_FILES+=usr/share/certs/blacklisted/QuoVadis_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Sonera_Class_2_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/E-Tugra_Certification_Authority.pem ++OLD_FILES+=usr/share/certs/blacklisted/Hongkong_Post_Root_CA_1.pem ++OLD_FILES+=usr/share/certs/blacklisted/Security_Communication_Root_CA.pem ++OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem ++ + # 20241201: new clang import which bumps version from 18 to 19 + OLD_FILES+=usr/lib/clang/18/include/__clang_cuda_builtin_vars.h + OLD_FILES+=usr/lib/clang/18/include/__clang_cuda_cmath.h +--- secure/caroot/blacklisted/AddTrust_External_Root.pem.orig ++++ secure/caroot/blacklisted/AddTrust_External_Root.pem +@@ -1,99 +0,0 @@ +-## +-## AddTrust External Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Validity +- Not Before: May 30 10:48:38 2000 GMT +- Not After : May 30 10:48:38 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed: +- 1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97: +- a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f: +- cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db: +- 2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70: +- 56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6: +- 5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e: +- 87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c: +- 71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8: +- 69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df: +- ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee: +- 6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94: +- 37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8: +- 45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7: +- c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7: +- a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65: +- b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34: +- 5a:27 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root +- serial:01 +- Signature Algorithm: 
sha1WithRSAEncryption +- Signature Value: +- b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9: +- 84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41: +- 6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5: +- bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2: +- de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51: +- 14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85: +- 93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a: +- 63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b: +- a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4: +- 45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9: +- 91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e: +- 8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76: +- 60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20: +- 0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7: +- 8f:4e:86:04 +-SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 +------BEGIN CERTIFICATE----- +-MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU +-MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs +-IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 +-MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux +-FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h +-bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v +-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt +-H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 +-uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX +-mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX +-a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN +-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 +-WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD +-VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 +-Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU 
+-cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx +-IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN +-AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH +-YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +-6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC +-Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX +-c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a +-mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +------END CERTIFICATE----- +--- secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem.orig ++++ secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem +@@ -1,98 +0,0 @@ +-## +-## AddTrust Low-Value Services Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Validity +- Not Before: May 30 10:38:31 2000 GMT +- Not After : May 30 10:38:31 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:96:96:d4:21:49:60:e2:6b:e8:41:07:0c:de:c4: +- e0:dc:13:23:cd:c1:35:c7:fb:d6:4e:11:0a:67:5e: +- f5:06:5b:6b:a5:08:3b:5b:29:16:3a:e7:87:b2:34: +- 06:c5:bc:05:a5:03:7c:82:cb:29:10:ae:e1:88:81: +- bd:d6:9e:d3:fe:2d:56:c1:15:ce:e3:26:9d:15:2e: +- 10:fb:06:8f:30:04:de:a7:b4:63:b4:ff:b1:9c:ae: +- 3c:af:77:b6:56:c5:b5:ab:a2:e9:69:3a:3d:0e:33: +- 79:32:3f:70:82:92:99:61:6d:8d:30:08:8f:71:3f: +- 
a6:48:57:19:f8:25:dc:4b:66:5c:a5:74:8f:98:ae: +- c8:f9:c0:06:22:e7:ac:73:df:a5:2e:fb:52:dc:b1: +- 15:65:20:fa:35:66:69:de:df:2c:f1:6e:bc:30:db: +- 2c:24:12:db:eb:35:35:68:90:cb:00:b0:97:21:3d: +- 74:21:23:65:34:2b:bb:78:59:a3:d6:e1:76:39:9a: +- a4:49:8e:8c:74:af:6e:a4:9a:a3:d9:9b:d2:38:5c: +- 9b:a2:18:cc:75:23:84:be:eb:e2:4d:33:71:8e:1a: +- f0:c2:f8:c7:1d:a2:ad:03:97:2c:f8:cf:25:c6:f6: +- b8:24:31:b1:63:5d:92:7f:63:f0:25:c9:53:2e:1f: +- bf:4d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root +- serial:01 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 2c:6d:64:1b:1f:cd:0d:dd:b9:01:fa:96:63:34:32:48:47:99: +- ae:97:ed:fd:72:16:a6:73:47:5a:f4:eb:dd:e9:f5:d6:fb:45: +- cc:29:89:44:5d:bf:46:39:3d:e8:ee:bc:4d:54:86:1e:1d:6c: +- e3:17:27:43:e1:89:56:2b:a9:6f:72:4e:49:33:e3:72:7c:2a: +- 23:9a:bc:3e:ff:28:2a:ed:a3:ff:1c:23:ba:43:57:09:67:4d: +- 4b:62:06:2d:f8:ff:6c:9d:60:1e:d8:1c:4b:7d:b5:31:2f:d9: +- d0:7c:5d:f8:de:6b:83:18:78:37:57:2f:e8:33:07:67:df:1e: +- c7:6b:2a:95:76:ae:8f:57:a3:f0:f4:52:b4:a9:53:08:cf:e0: +- 4f:d3:7a:53:8b:fd:bb:1c:56:36:f2:fe:b2:b6:e5:76:bb:d5: +- 22:65:a7:3f:fe:d1:66:ad:0b:bc:6b:99:86:ef:3f:7d:f3:18: +- 32:ca:7b:c6:e3:ab:64:46:95:f8:26:69:d9:55:83:7b:2c:96: +- 07:ff:59:2c:44:a3:c6:e5:e9:a9:dc:a1:63:80:5a:21:5e:21: +- cf:53:54:f0:ba:6f:89:db:a8:aa:95:cf:8b:e3:71:cc:1e:1b: +- 20:44:08:c0:7a:b6:40:fd:c4:e4:35:e1:1d:16:1c:d0:bc:2b: +- 8e:d6:71:d9 +-SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D +------BEGIN CERTIFICATE----- +-MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU 
+-MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +-b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw +-MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML +-QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD +-VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA +-A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul +-CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n +-tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl +-dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch +-PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC +-+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O +-BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E +-BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl +-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk +-ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB +-IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X +-7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz +-43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY +-eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl +-pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA +-WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Cybertrust_Global_Root.pem.orig ++++ secure/caroot/blacklisted/Cybertrust_Global_Root.pem +@@ -1,99 +0,0 @@ +-## +-## Cybertrust Global Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:85:aa:2d:48 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:f8:c8:bc:bd:14:50:66:13:ff:f0:d3:79:ec:23: +- f2:b7:1a:c7:8e:85:f1:12:73:a6:19:aa:10:db:9c: +- a2:65:74:5a:77:3e:51:7d:56:f6:dc:23:b6:d4:ed: +- 5f:58:b1:37:4d:d5:49:0e:6e:f5:6a:87:d6:d2:8c: +- d2:27:c6:e2:ff:36:9f:98:65:a0:13:4e:c6:2a:64: +- 9b:d5:90:12:cf:14:06:f4:3b:e3:d4:28:be:e8:0e: +- f8:ab:4e:48:94:6d:8e:95:31:10:5c:ed:a2:2d:bd: +- d5:3a:6d:b2:1c:bb:60:c0:46:4b:01:f5:49:ae:7e: +- 46:8a:d0:74:8d:a1:0c:02:ce:ee:fc:e7:8f:b8:6b: +- 66:f3:7f:44:00:bf:66:25:14:2b:dd:10:30:1d:07: +- 96:3f:4d:f6:6b:b8:8f:b7:7b:0c:a5:38:eb:de:47: +- db:d5:5d:39:fc:88:a7:f3:d7:2a:74:f1:e8:5a:a2: +- 3b:9f:50:ba:a6:8c:45:35:c2:50:65:95:dc:63:82: +- ef:dd:bf:77:4d:9c:62:c9:63:73:16:d0:29:0f:49: +- a9:48:f0:b3:aa:b7:6c:c5:a7:30:39:40:5d:ae:c4: +- e2:5d:26:53:f0:ce:1c:23:08:61:a8:94:19:ba:04: +- 62:40:ec:1f:38:70:77:12:06:71:a7:30:18:5d:25: +- 27:a5 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://www2.public-trust.com/crl/ct/ctroot.crl +- X509v3 Authority Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 56:ef:0a:23:a0:54:4e:95:97:c9:f8:89:da:45:c1:d4:a3:00: +- 
25:f4:1f:13:ab:b7:a3:85:58:69:c2:30:ad:d8:15:8a:2d:e3: +- c9:cd:81:5a:f8:73:23:5a:a7:7c:05:f3:fd:22:3b:0e:d1:06: +- c4:db:36:4c:73:04:8e:e5:b0:22:e4:c5:f3:2e:a5:d9:23:e3: +- b8:4e:4a:20:a7:6e:02:24:9f:22:60:67:7b:8b:1d:72:09:c5: +- 31:5c:e9:79:9f:80:47:3d:ad:a1:0b:07:14:3d:47:ff:03:69: +- 1a:0c:0b:44:e7:63:25:a7:7f:b2:c9:b8:76:84:ed:23:f6:7d: +- 07:ab:45:7e:d3:df:b3:bf:e9:8a:b6:cd:a8:a2:67:2b:52:d5: +- b7:65:f0:39:4c:63:a0:91:79:93:52:0f:54:dd:83:bb:9f:d1: +- 8f:a7:53:73:c3:cb:ff:30:ec:7c:04:b8:d8:44:1f:93:5f:71: +- 09:22:b7:6e:3e:ea:1c:03:4e:9d:1a:20:61:fb:81:37:ec:5e: +- fc:0a:45:ab:d7:e7:17:55:d0:a0:ea:60:9b:a6:f6:e3:8c:5b: +- 29:c2:06:60:14:9d:2d:97:4c:a9:93:15:9d:61:c4:01:5f:48: +- d6:58:bd:56:31:12:4e:11:c8:21:e0:b3:11:91:65:db:b4:a6: +- 88:38:ce:55 +-SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +------BEGIN CERTIFICATE----- +-MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG +-A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh +-bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE +-ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS +-b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 +-7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS +-J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y +-HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP +-t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz +-FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY +-XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ +-MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw +-hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js +-MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA +-A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj +-Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx 
+-XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o +-omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc +-A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +-WL1WMRJOEcgh4LMRkWXbtKaIOM5V +------END CERTIFICATE----- +--- secure/caroot/blacklisted/DST_Root_CA_X3.pem.orig ++++ secure/caroot/blacklisted/DST_Root_CA_X3.pem +@@ -1,92 +0,0 @@ +-## +-## DST Root CA X3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Validity +- Not Before: Sep 30 21:12:19 2000 GMT +- Not After : Sep 30 14:01:15 2021 GMT +- Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: +- 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: +- c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: +- ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: +- 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: +- a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: +- 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: +- 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: +- 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: +- 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: +- 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: +- 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: +- 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: +- d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: +- eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: +- 
02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: +- 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: +- 02:5d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: +- 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: +- a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: +- 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: +- b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: +- 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: +- dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: +- e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: +- 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: +- 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: +- 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: +- 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: +- b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: +- 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: +- 82:35:35:10 +-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 +------BEGIN CERTIFICATE----- +-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
+-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +------END CERTIFICATE----- +--- secure/caroot/blacklisted/E-Tugra_Certification_Authority.pem.orig ++++ secure/caroot/blacklisted/E-Tugra_Certification_Authority.pem +@@ -1,140 +0,0 @@ +-## +-## E-Tugra Certification Authority +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Validity +- Not Before: Mar 5 12:09:48 2013 GMT +- Not After : Mar 3 12:09:48 2023 GMT +- Subject: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e2:f5:3f:93:05:51:1e:85:62:54:5e:7a:0b:f5: +- 18:07:83:ae:7e:af:7c:f7:d4:8a:6b:a5:63:43:39: +- b9:4b:f7:c3:c6:64:89:3d:94:2e:54:80:52:39:39: +- 07:4b:4b:dd:85:07:76:87:cc:bf:2f:95:4c:cc:7d: +- a7:3d:bc:47:0f:98:70:f8:8c:85:1e:74:8e:92:6d: +- 1b:40:d1:99:0d:bb:75:6e:c8:a9:6b:9a:c0:84:31: +- af:ca:43:cb:eb:2b:34:e8:8f:97:6b:01:9b:d5:0e: +- 4a:08:aa:5b:92:74:85:43:d3:80:ae:a1:88:5b:ae: +- b3:ea:5e:cb:16:9a:77:44:c8:a1:f6:54:68:ce:de: +- 8f:97:2b:ba:5b:40:02:0c:64:17:c0:b5:93:cd:e1: +- f1:13:66:ce:0c:79:ef:d1:91:28:ab:5f:a0:12:52: +- 30:73:19:8e:8f:e1:8c:07:a2:c3:bb:4a:f0:ea:1f: +- 15:a8:ee:25:cc:a4:46:f8:1b:22:ef:b3:0e:43:ba: +- 2c:24:b8:c5:2c:5c:d4:1c:f8:5d:64:bd:c3:93:5e: +- 28:a7:3f:27:f1:8e:1e:d3:2a:50:05:a3:55:d9:cb: +- e7:39:53:c0:98:9e:8c:54:62:8b:26:b0:f7:7d:8d: +- 7c:e4:c6:9e:66:42:55:82:47:e7:b2:58:8d:66:f7: +- 07:7c:2e:36:e6:50:1c:3f:db:43:24:c5:bf:86:47: +- 79:b3:79:1c:f7:5a:f4:13:ec:6c:f8:3f:e2:59:1f: +- 95:ee:42:3e:b9:ad:a8:32:85:49:97:46:fe:4b:31: +- 8f:5a:cb:ad:74:47:1f:e9:91:b7:df:28:04:22:a0: +- d4:0f:5d:e2:79:4f:ea:6c:85:86:bd:a8:a6:ce:e4: +- fa:c3:e1:b3:ae:de:3c:51:ee:cb:13:7c:01:7f:84: +- 0e:5d:51:94:9e:13:0c:b6:2e:a5:4c:f9:39:70:36: +- 6f:96:ca:2e:0c:44:55:c5:ca:fa:5d:02:a3:df:d6: +- 
64:8c:5a:b3:01:0a:a9:b5:0a:47:17:ff:ef:91:40: +- 2a:8e:a1:46:3a:31:98:e5:11:fc:cc:bb:49:56:8a: +- fc:b9:d0:61:9a:6f:65:6c:e6:c3:cb:3e:75:49:fe: +- 8f:a7:e2:89:c5:67:d7:9d:46:13:4e:31:76:3b:24: +- b3:9e:11:65:86:ab:7f:ef:1d:d4:f8:bc:e7:ac:5a: +- 5c:b7:5a:47:5c:55:ce:55:b4:22:71:5b:5b:0b:f0: +- cf:dc:a0:61:64:ea:a9:d7:68:0a:63:a7:e0:0d:3f: +- a0:af:d3:aa:d2:7e:ef:51:a0:e6:51:2b:55:92:15: +- 17:53:cb:b7:66:0e:66:4c:f8:f9:75:4c:90:e7:12: +- 70:c7:45 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 05:37:3a:f4:4d:b7:45:e2:45:75:24:8f:b6:77:52:e8:1c:d8: +- 10:93:65:f3:f2:59:06:a4:3e:1e:29:ec:5d:d1:d0:ab:7c:e0: +- 0a:90:48:78:ed:4e:98:03:99:fe:28:60:91:1d:30:1d:b8:63: +- 7c:a8:e6:35:b5:fa:d3:61:76:e6:d6:07:4b:ca:69:9a:b2:84: +- 7a:77:93:45:17:15:9f:24:d0:98:13:12:ff:bb:a0:2e:fd:4e: +- 4c:87:f8:ce:5c:aa:98:1b:05:e0:00:46:4a:82:80:a5:33:8b: +- 28:dc:ed:38:d3:df:e5:3e:e9:fe:fb:59:dd:61:84:4f:d2:54: +- 96:13:61:13:3e:8f:80:69:be:93:47:b5:35:43:d2:5a:bb:3d: +- 5c:ef:b3:42:47:cd:3b:55:13:06:b0:09:db:fd:63:f6:3a:88: +- 0a:99:6f:7e:e1:ce:1b:53:6a:44:66:23:51:08:7b:bc:5b:52: +- a2:fd:06:37:38:40:61:8f:4a:96:b8:90:37:f8:66:c7:78:90: +- 00:15:2e:8b:ad:51:35:53:07:a8:6b:68:ae:f9:4e:3c:07:26: +- cd:08:05:70:cc:39:3f:76:bd:a5:d3:67:26:01:86:a6:53:d2: +- 60:3b:7c:43:7f:55:8a:bc:95:1a:c1:28:39:4c:1f:43:d2:91: +- f4:72:59:8a:b9:56:fc:3f:b4:9d:da:70:9c:76:5a:8c:43:50: +- ee:8e:30:72:4d:df:ff:49:f7:c6:a9:67:d9:6d:ac:02:11:e2: +- 3a:16:25:a7:58:08:cb:6f:53:41:9c:48:38:47:68:33:d1:d7: +- c7:8f:d4:74:21:d4:c3:05:90:7a:ff:ce:96:88:b1:15:29:5d: +- 23:ab:d0:60:a1:12:4f:de:f4:17:cd:32:e5:c9:bf:c8:43:ad: +- 
fd:2e:8e:f1:af:e2:f4:98:fa:12:1f:20:d8:c0:a7:0c:85:c5: +- 90:f4:3b:2d:96:26:b1:2c:be:4c:ab:eb:b1:d2:8a:c9:db:78: +- 13:0f:1e:09:9d:6d:8f:00:9f:02:da:c1:fa:1f:7a:7a:09:c4: +- 4a:e6:88:2a:97:9f:89:8b:fd:37:5f:5f:3a:ce:38:59:86:4b: +- af:71:0b:b4:d8:f2:70:4f:9f:32:13:e3:b0:a7:57:e5:da:da: +- 43:cb:84:34:f2:28:c4:ea:6d:f4:2a:ef:c1:6b:76:da:fb:7e: +- bb:85:3c:d2:53:c2:4d:be:71:e1:45:d1:fd:23:67:0d:13:75: +- fb:cf:65:67:22:9d:ae:b0:09:d1:09:ff:1d:34:bf:fe:23:97: +- 37:d2:39:fa:3d:0d:06:0b:b4:db:3b:a3:ab:6f:5c:1d:b6:7e: +- e8:b3:82:34:ed:06:5c:24 +-SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 +------BEGIN CERTIFICATE----- +-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D +-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX 
+-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 +-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF +-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 +-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -0,0 +1,139 @@ ++## ++## Entrust Root Certification Authority - G4 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Validity ++ Not Before: May 27 11:11:16 2015 GMT ++ Not After : Dec 27 11:41:16 2037 GMT ++ Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. 
- for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: ++ c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: ++ 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: ++ fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: ++ 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: ++ b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: ++ 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: ++ 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: ++ d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: ++ 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: ++ b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: ++ db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: ++ c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: ++ a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: ++ 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: ++ d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: ++ ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: ++ 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: ++ 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: ++ b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: ++ 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: ++ e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: ++ fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: ++ 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: ++ 4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: ++ 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: ++ a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: ++ 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: ++ 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: ++ 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: ++ 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: ++ ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: ++ 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: ++ 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: ++ 63:73:49 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ 
Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: ++ ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: ++ 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: ++ d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: ++ 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: ++ c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: ++ ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: ++ 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: ++ 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: ++ 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: ++ bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: ++ 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: ++ 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: ++ 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: ++ ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: ++ 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: ++ 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: ++ 06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: ++ 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: ++ 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: ++ 83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: ++ c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: ++ 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: ++ 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: ++ a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: ++ 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: ++ 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: ++ 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: ++ 1f:8b:8f:53:dd:ff:ac:1f ++SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 ++-----BEGIN CERTIFICATE----- 
++MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw ++gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL ++Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg ++MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw ++BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 ++MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT ++MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 ++c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ ++bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg ++Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B ++AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ ++2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E ++T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j ++5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM ++C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T ++DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX ++wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A ++2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm ++nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 ++dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl ++N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj ++c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD ++VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS ++5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS ++Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr ++hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ ++B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI ++AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw ++H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ 
++b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk ++2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol ++IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk ++5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY ++n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/GeoTrust_Global_CA.pem.orig ++++ secure/caroot/blacklisted/GeoTrust_Global_CA.pem +@@ -1,90 +0,0 @@ +-## +-## GeoTrust Global CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 144470 (0x23456) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Validity +- Not Before: May 21 04:00:00 2002 GMT +- Not After : May 21 04:00:00 2022 GMT +- Subject: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df: +- 3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8: +- 43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29: +- bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4: +- 60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3: +- ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92: +- 2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d: +- 80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14: +- 15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd: +- d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6: +- d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5: +- 5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39: +- 19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05: +- 9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2: +- 
fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32: +- eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07: +- 36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b: +- e4:f9 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- X509v3 Authority Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 35:e3:29:6a:e5:2f:5d:54:8e:29:50:94:9f:99:1a:14:e4:8f: +- 78:2a:62:94:a2:27:67:9e:d0:cf:1a:5e:47:e9:c1:b2:a4:cf: +- dd:41:1a:05:4e:9b:4b:ee:4a:6f:55:52:b3:24:a1:37:0a:eb: +- 64:76:2a:2e:2c:f3:fd:3b:75:90:bf:fa:71:d8:c7:3d:37:d2: +- b5:05:95:62:b9:a6:de:89:3d:36:7b:38:77:48:97:ac:a6:20: +- 8f:2e:a6:c9:0c:c2:b2:99:45:00:c7:ce:11:51:22:22:e0:a5: +- ea:b6:15:48:09:64:ea:5e:4f:74:f7:05:3e:c7:8a:52:0c:db: +- 15:b4:bd:6d:9b:e5:c6:b1:54:68:a9:e3:69:90:b6:9a:a5:0f: +- b8:b9:3f:20:7d:ae:4a:b5:b8:9c:e4:1d:b6:ab:e6:94:a5:c1: +- c7:83:ad:db:f5:27:87:0e:04:6c:d5:ff:dd:a0:5d:ed:87:52: +- b7:2b:15:02:ae:39:a6:6a:74:e9:da:c4:e7:bc:4d:34:1e:a9: +- 5c:4d:33:5f:92:09:2f:88:66:5d:77:97:c7:1d:76:13:a9:d5: +- e5:f1:16:09:11:35:d5:ac:db:24:71:70:2c:98:56:0b:d9:17: +- b4:d1:e3:51:2b:5e:75:e8:d5:d0:dc:4f:34:ed:c2:05:66:80: +- a1:cb:e6:33 +-SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12 +------BEGIN CERTIFICATE----- +-MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +-YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG +-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg +-R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9 +-9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq +-fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv +-iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU 
+-1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+ +-bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW +-MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA +-ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l +-uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn +-Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS +-tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF +-PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un +-hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV +-5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/GlobalSign_Root_CA_-_R2.pem.orig ++++ secure/caroot/blacklisted/GlobalSign_Root_CA_-_R2.pem +@@ -1,99 +0,0 @@ +-## +-## GlobalSign Root CA - R2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:86:26:e6:0d +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:a6:cf:24:0e:be:2e:6f:28:99:45:42:c4:ab:3e: +- 21:54:9b:0b:d3:7f:84:70:fa:12:b3:cb:bf:87:5f: +- c6:7f:86:d3:b2:30:5c:d6:fd:ad:f1:7b:dc:e5:f8: +- 60:96:09:92:10:f5:d0:53:de:fb:7b:7e:73:88:ac: +- 52:88:7b:4a:a6:ca:49:a6:5e:a8:a7:8c:5a:11:bc: +- 7a:82:eb:be:8c:e9:b3:ac:96:25:07:97:4a:99:2a: +- 07:2f:b4:1e:77:bf:8a:0f:b5:02:7c:1b:96:b8:c5: +- b9:3a:2c:bc:d6:12:b9:eb:59:7d:e2:d0:06:86:5f: +- 5e:49:6a:b5:39:5e:88:34:ec:bc:78:0c:08:98:84: +- 6c:a8:cd:4b:b4:a0:7d:0c:79:4d:f0:b8:2d:cb:21: +- ca:d5:6c:5b:7d:e1:a0:29:84:a1:f9:d3:94:49:cb: +- 24:62:91:20:bc:dd:0b:d5:d9:cc:f9:ea:27:0a:2b: +- 73:91:c6:9d:1b:ac:c8:cb:e8:e0:a0:f4:2f:90:8b: +- 4d:fb:b0:36:1b:f6:19:7a:85:e0:6d:f2:61:13:88: +- 5c:9f:e0:93:0a:51:97:8a:5a:ce:af:ab:d5:f7:aa: +- 09:aa:60:bd:dc:d9:5f:df:72:a9:60:13:5e:00:01: +- c9:4a:fa:3f:a4:ea:07:03:21:02:8e:82:ca:03:c2: +- 9b:8f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://crl.globalsign.net/root-r2.crl +- X509v3 Authority Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 99:81:53:87:1c:68:97:86:91:ec:e0:4a:b8:44:0b:ab:81:ac: +- 
27:4f:d6:c1:b8:1c:43:78:b3:0c:9a:fc:ea:2c:3c:6e:61:1b: +- 4d:4b:29:f5:9f:05:1d:26:c1:b8:e9:83:00:62:45:b6:a9:08: +- 93:b9:a9:33:4b:18:9a:c2:f8:87:88:4e:db:dd:71:34:1a:c1: +- 54:da:46:3f:e0:d3:2a:ab:6d:54:22:f5:3a:62:cd:20:6f:ba: +- 29:89:d7:dd:91:ee:d3:5c:a2:3e:a1:5b:41:f5:df:e5:64:43: +- 2d:e9:d5:39:ab:d2:a2:df:b7:8b:d0:c0:80:19:1c:45:c0:2d: +- 8c:e8:f8:2d:a4:74:56:49:c5:05:b5:4f:15:de:6e:44:78:39: +- 87:a8:7e:bb:f3:79:18:91:bb:f4:6f:9d:c1:f0:8c:35:8c:5d: +- 01:fb:c3:6d:b9:ef:44:6d:79:46:31:7e:0a:fe:a9:82:c1:ff: +- ef:ab:6e:20:c4:50:c9:5f:9d:4d:9b:17:8c:0c:e5:01:c9:a0: +- 41:6a:73:53:fa:a5:50:b4:6e:25:0f:fb:4c:18:f4:fd:52:d9: +- 8e:69:b1:e8:11:0f:de:88:d8:fb:1d:49:f7:aa:de:95:cf:20: +- 78:c2:60:12:db:25:40:8c:6a:fc:7e:42:38:40:64:12:f7:9e: +- 81:e1:93:2e +-SHA1 Fingerprint=75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE +------BEGIN CERTIFICATE----- +-MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +-MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +-v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +-eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +-tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +-C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +-zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +-mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +-V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +-bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +-3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +-J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO 
+-291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +-ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +-AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +-TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Hongkong_Post_Root_CA_1.pem.orig ++++ secure/caroot/blacklisted/Hongkong_Post_Root_CA_1.pem +@@ -1,89 +0,0 @@ +-## +-## Hongkong Post Root CA 1 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1000 (0x3e8) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Validity +- Not Before: May 15 05:13:14 2003 GMT +- Not After : May 15 04:52:29 2023 GMT +- Subject: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:ac:ff:38:b6:e9:66:02:49:e3:a2:b4:e1:90:f9: +- 40:8f:79:f9:e2:bd:79:fe:02:bd:ee:24:92:1d:22: +- f6:da:85:72:69:fe:d7:3f:09:d4:dd:91:b5:02:9c: +- d0:8d:5a:e1:55:c3:50:86:b9:29:26:c2:e3:d9:a0: +- f1:69:03:28:20:80:45:22:2d:56:a7:3b:54:95:56: +- 22:59:1f:28:df:1f:20:3d:6d:a2:36:be:23:a0:b1: +- 6e:b5:b1:27:3f:39:53:09:ea:ab:6a:e8:74:b2:c2: +- 65:5c:8e:bf:7c:c3:78:84:cd:9e:16:fc:f5:2e:4f: +- 20:2a:08:9f:77:f3:c5:1e:c4:9a:52:66:1e:48:5e: +- e3:10:06:8f:22:98:e1:65:8e:1b:5d:23:66:3b:b8: +- a5:32:51:c8:86:aa:a1:a9:9e:7f:76:94:c2:a6:6c: +- b7:41:f0:d5:c8:06:38:e6:d4:0c:e2:f3:3b:4c:6d: +- 50:8c:c4:83:27:c1:13:84:59:3d:9e:75:74:b6:d8: +- 02:5e:3a:90:7a:c0:42:36:72:ec:6a:4d:dc:ef:c4: +- 00:df:13:18:57:5f:26:78:c8:d6:0a:79:77:bf:f7: +- 
af:b7:76:b9:a5:0b:84:17:5d:10:ea:6f:e1:ab:95: +- 11:5f:6d:3c:a3:5c:4d:83:5b:f2:b3:19:8a:80:8b: +- 0b:87 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE, pathlen:3 +- X509v3 Key Usage: critical +- Digital Signature, Non Repudiation, Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 0e:46:d5:3c:ae:e2:87:d9:5e:81:8b:02:98:41:08:8c:4c:bc: +- da:db:ee:27:1b:82:e7:6a:45:ec:16:8b:4f:85:a0:f3:b2:70: +- bd:5a:96:ba:ca:6e:6d:ee:46:8b:6e:e7:2a:2e:96:b3:19:33: +- eb:b4:9f:a8:b2:37:ee:98:a8:97:b6:2e:b6:67:27:d4:a6:49: +- fd:1c:93:65:76:9e:42:2f:dc:22:6c:9a:4f:f2:5a:15:39:b1: +- 71:d7:2b:51:e8:6d:1c:98:c0:d9:2a:f4:a1:82:7b:d5:c9:41: +- a2:23:01:74:38:55:8b:0f:b9:2e:67:a2:20:04:37:da:9c:0b: +- d3:17:21:e0:8f:97:79:34:6f:84:48:02:20:33:1b:e6:34:44: +- 9f:91:70:f4:80:5e:84:43:c2:29:d2:6c:12:14:e4:61:8d:ac: +- 10:90:9e:84:50:bb:f0:96:6f:45:9f:8a:f3:ca:6c:4f:fa:11: +- 3a:15:15:46:c3:cd:1f:83:5b:2d:41:12:ed:50:67:41:13:3d: +- 21:ab:94:8a:aa:4e:7c:c1:b1:fb:a7:d6:b5:27:2f:97:ab:6e: +- e0:1d:e2:d1:1c:2c:1f:44:e2:fc:be:91:a1:9c:fb:d6:29:53: +- 73:86:9f:53:d8:43:0e:5d:d6:63:82:71:1d:80:74:ca:f6:e2: +- 02:6b:d9:5a +-SHA1 Fingerprint=D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58 +------BEGIN CERTIFICATE----- +-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG +-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h 
+-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO +-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +-AmvZWg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/QuoVadis_Root_CA.pem.orig ++++ secure/caroot/blacklisted/QuoVadis_Root_CA.pem +@@ -1,116 +0,0 @@ +-## +-## QuoVadis Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 985026699 (0x3ab6508b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Validity +- Not Before: Mar 19 18:33:33 2001 GMT +- Not After : Mar 17 18:33:33 2021 GMT +- Subject: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:bf:61:b5:95:53:ba:57:fc:fa:f2:67:0b:3a:1a: +- df:11:80:64:95:b4:d1:bc:cd:7a:cf:f6:29:96:2e: +- 24:54:40:24:38:f7:1a:85:dc:58:4c:cb:a4:27:42: +- 97:d0:9f:83:8a:c3:e4:06:03:5b:00:a5:51:1e:70: +- 04:74:e2:c1:d4:3a:ab:d7:ad:3b:07:18:05:8e:fd: +- 83:ac:ea:66:d9:18:1b:68:8a:f5:57:1a:98:ba:f5: +- ed:76:3d:7c:d9:de:94:6a:3b:4b:17:c1:d5:8f:bd: +- 65:38:3a:95:d0:3d:55:36:4e:df:79:57:31:2a:1e: +- d8:59:65:49:58:20:98:7e:ab:5f:7e:9f:e9:d6:4d: +- 
ec:83:74:a9:c7:6c:d8:ee:29:4a:85:2a:06:14:f9: +- 54:e6:d3:da:65:07:8b:63:37:12:d7:d0:ec:c3:7b: +- 20:41:44:a3:ed:cb:a0:17:e1:71:65:ce:1d:66:31: +- f7:76:01:19:c8:7d:03:58:b6:95:49:1d:a6:12:26: +- e8:c6:0c:76:e0:e3:66:cb:ea:5d:a6:26:ee:e5:cc: +- 5f:bd:67:a7:01:27:0e:a2:ca:54:c5:b1:7a:95:1d: +- 71:1e:4a:29:8a:03:dc:6a:45:c1:a4:19:5e:6f:36: +- cd:c3:a2:b0:b7:fe:5c:38:e2:52:bc:f8:44:43:e6: +- 90:bb +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- Authority Information Access: +- OCSP - URI:https://ocsp.quovadisoffshore.com +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: 1.3.6.1.4.1.8024.0.1 +- User Notice: +- Explicit Text: Reliance on the QuoVadis Root Certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certification practices, and the QuoVadis Certificate Policy. +- CPS: http://www.quovadis.bm +- X509v3 Subject Key Identifier: +- 8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- X509v3 Authority Key Identifier: +- keyid:8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- DirName:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority +- serial:3A:B6:50:8B +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 8a:d4:14:b5:fe:f4:9a:92:a7:19:d4:a4:7e:72:18:8f:d9:68: +- 7c:52:24:dd:67:6f:39:7a:c4:aa:5e:3d:e2:58:b0:4d:70:98: +- 84:61:e8:1b:e3:69:18:0e:ce:fb:47:50:a0:4e:ff:f0:24:1f: +- bd:b2:ce:f5:27:fc:ec:2f:53:aa:73:7b:03:3d:74:6e:e6:16: +- 9e:eb:a5:2e:c4:bf:56:27:50:2b:62:ba:be:4b:1c:3c:55:5c: +- 41:1d:24:be:82:20:47:5d:d5:44:7e:7a:16:68:df:7d:4d:51: +- 70:78:57:1d:33:1e:fd:02:99:9c:0c:cd:0a:05:4f:c7:bb:8e: +- a4:75:fa:4a:6d:b1:80:8e:09:56:b9:9c:1a:60:fe:5d:c1:d7: +- 7a:dc:11:78:d0:d6:5d:c1:b7:d5:ad:32:99:03:3a:8a:cc:54: +- 25:39:31:81:7b:13:22:51:ba:46:6c:a1:bb:9e:fa:04:6c:49: +- 
26:74:8f:d2:73:eb:cc:30:a2:e6:ea:59:22:87:f8:97:f5:0e: +- fd:ea:cc:92:a4:16:c4:52:18:ea:21:ce:b1:f1:e6:84:81:e5: +- ba:a9:86:28:f2:43:5a:5d:12:9d:ac:1e:d9:a8:e5:0a:6a:a7: +- 7f:a0:87:29:cf:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:36:23:8a: +- 4a:74:36:f9 +-SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9 +------BEGIN CERTIFICATE----- +-MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC +-TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz +-MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw +-IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR +-dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG +-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp +-li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D +-rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ +-WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug +-F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU +-xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC +-Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv +-dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw +-ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl +-IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh +-c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy +-ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh +-Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI +-KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T +-KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq +-y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p +-dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD 
+-VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL +-MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk +-fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8 +-7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R +-cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y +-mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW +-xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK +-SnQ2+Q== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/SecureSign_RootCA11.pem +@@ -0,0 +1,92 @@ ++## ++## SecureSign RootCA11 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 1 (0x1) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Validity ++ Not Before: Apr 8 04:56:47 2009 GMT ++ Not After : Apr 8 04:56:47 2029 GMT ++ Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: ++ 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: ++ df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: ++ 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: ++ 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: ++ c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: ++ f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: ++ a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: ++ bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: ++ 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: ++ 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: ++ 
71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: ++ cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: ++ 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: ++ d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: ++ cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: ++ 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: ++ 3e:89 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: ++ 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: ++ 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: ++ 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: ++ 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: ++ 4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: ++ 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: ++ 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: ++ b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: ++ 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: ++ d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: ++ a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: ++ c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: ++ 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: ++ d6:ba:03:f2 ++SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr ++MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG ++A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 ++MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp ++Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD ++QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz 
++i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 ++h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV ++MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 ++UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni ++8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC ++h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD ++VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB ++AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm ++KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ ++X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr ++QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 ++pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN ++QSdJQO7e5iNEOdyhIta6A/I= ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/Security_Communication_RootCA3.pem +@@ -0,0 +1,135 @@ ++## ++## Security Communication RootCA3 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ e1:7c:37:40:fd:1b:fe:67 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Validity ++ Not Before: Jun 16 06:17:16 2016 GMT ++ Not After : Jan 18 06:17:16 2038 GMT ++ Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: ++ b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: ++ 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: ++ ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: ++ af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: ++ a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: ++ c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: ++ 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: ++ e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: ++ bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: ++ c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: ++ 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: ++ d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: ++ f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: ++ b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: ++ 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: ++ d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: ++ 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: ++ d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: ++ b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: ++ 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: ++ 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: ++ 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: ++ 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: ++ 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: ++ 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: ++ c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: ++ d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: ++ 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: ++ 
48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: ++ 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: ++ af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: ++ 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: ++ 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: ++ d1:d9:c7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: ++ 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: ++ b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: ++ f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: ++ e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: ++ bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: ++ 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: ++ 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: ++ c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: ++ b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: ++ 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: ++ b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: ++ cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: ++ 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: ++ 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: ++ 0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: ++ 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: ++ 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: ++ f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: ++ 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: ++ e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: ++ 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: ++ c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: ++ 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: ++ 
3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: ++ 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: ++ 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: ++ 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: ++ 51:d7:af:fd:33:9d:4d:66 ++SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A ++-----BEGIN CERTIFICATE----- ++MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV ++BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw ++JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 ++MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc ++U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg ++Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC ++CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r ++CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA ++lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG ++TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 ++9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 ++8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 ++g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we ++GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +++3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M ++0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ ++T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw ++HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP ++BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS ++YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA ++FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd ++9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI ++UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ ++OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke 
++gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf ++iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV ++nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD ++2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// ++1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad ++TdJ0MN1kURXbg4NR16/9M51NZg== ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/Security_Communication_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Security_Communication_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Security Communication Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 0 (0x0) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Validity +- Not Before: Sep 30 04:20:49 2003 GMT +- Not After : Sep 30 04:20:49 2023 GMT +- Subject: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b3:b3:fe:7f:d3:6d:b1:ef:16:7c:57:a5:0c:6d: +- 76:8a:2f:4b:bf:64:fb:4c:ee:8a:f0:f3:29:7c:f5: +- ff:ee:2a:e0:e9:e9:ba:5b:64:22:9a:9a:6f:2c:3a: +- 26:69:51:05:99:26:dc:d5:1c:6a:71:c6:9a:7d:1e: +- 9d:dd:7c:6c:c6:8c:67:67:4a:3e:f8:71:b0:19:27: +- a9:09:0c:a6:95:bf:4b:8c:0c:fa:55:98:3b:d8:e8: +- 22:a1:4b:71:38:79:ac:97:92:69:b3:89:7e:ea:21: +- 68:06:98:14:96:87:d2:61:36:bc:6d:27:56:9e:57: +- ee:c0:c0:56:fd:32:cf:a4:d9:8e:c2:23:d7:8d:a8: +- f3:d8:25:ac:97:e4:70:38:f4:b6:3a:b4:9d:3b:97: +- 26:43:a3:a1:bc:49:59:72:4c:23:30:87:01:58:f6: +- 4e:be:1c:68:56:66:af:cd:41:5d:c8:b3:4d:2a:55: +- 
46:ab:1f:da:1e:e2:40:3d:db:cd:7d:b9:92:80:9c: +- 37:dd:0c:96:64:9d:dc:22:f7:64:8b:df:61:de:15: +- 94:52:15:a0:7d:52:c9:4b:a8:21:c9:c6:b1:ed:cb: +- c3:95:60:d1:0f:f0:ab:70:f8:df:cb:4d:7e:ec:d6: +- fa:ab:d9:bd:7f:54:f2:a5:e9:79:fa:d9:d6:76:24: +- 28:73 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 68:40:a9:a8:bb:e4:4f:5d:79:b3:05:b5:17:b3:60:13:eb:c6: +- 92:5d:e0:d1:d3:6a:fe:fb:be:9b:6d:bf:c7:05:6d:59:20:c4: +- 1c:f0:b7:da:84:58:02:63:fa:48:16:ef:4f:a5:0b:f7:4a:98: +- f2:3f:9e:1b:ad:47:6b:63:ce:08:47:eb:52:3f:78:9c:af:4d: +- ae:f8:d5:4f:cf:9a:98:2a:10:41:39:52:c4:dd:d9:9b:0e:ef: +- 93:01:ae:b2:2e:ca:68:42:24:42:6c:b0:b3:3a:3e:cd:e9:da: +- 48:c4:15:cb:e9:f9:07:0f:92:50:49:8a:dd:31:97:5f:c9:e9: +- 37:aa:3b:59:65:97:94:32:c9:b3:9f:3e:3a:62:58:c5:49:ad: +- 62:0e:71:a5:32:aa:2f:c6:89:76:43:40:13:13:67:3d:a2:54: +- 25:10:cb:f1:3a:f2:d9:fa:db:49:56:bb:a6:fe:a7:41:35:c3: +- e0:88:61:c9:88:c7:df:36:10:22:98:59:ea:b0:4a:fb:56:16: +- 73:6e:ac:4d:f7:22:a1:4f:ad:1d:7a:2d:45:27:e5:30:c1:5e: +- f2:da:13:cb:25:42:51:95:47:03:8c:6c:21:cc:74:42:ed:53: +- ff:33:8b:8f:0f:57:01:16:2f:cf:a6:ee:c9:70:22:14:bd:fd: +- be:6c:0b:03 +-SHA1 Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 +------BEGIN CERTIFICATE----- +-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY +-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t +-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 +-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD +-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 +-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 +-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ 
+-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 +-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N +-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ +-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G +-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T +-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG +-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr +-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 +-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU +-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot +-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Sonera_Class_2_Root_CA.pem +@@ -1,90 +0,0 @@ +-## +-## Sonera Class 2 Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 29 (0x1d) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = FI, O = Sonera, CN = Sonera Class2 CA +- Validity +- Not Before: Apr 6 07:29:40 2001 GMT +- Not After : Apr 6 07:29:40 2021 GMT +- Subject: C = FI, O = Sonera, CN = Sonera Class2 CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:90:17:4a:35:9d:ca:f0:0d:96:c7:44:fa:16:37: +- fc:48:bd:bd:7f:80:2d:35:3b:e1:6f:a8:67:a9:bf: +- 03:1c:4d:8c:6f:32:47:d5:41:68:a4:13:04:c1:35: +- 0c:9a:84:43:fc:5c:1d:ff:89:b3:e8:17:18:cd:91: +- 5f:fb:89:e3:ea:bf:4e:5d:7c:1b:26:d3:75:79:ed: +- e6:84:e3:57:e5:ad:29:c4:f4:3a:28:e7:a5:7b:84: +- 36:69:b3:fd:5e:76:bd:a3:2d:99:d3:90:4e:23:28: +- 7d:18:63:f1:54:3b:26:9d:76:5b:97:42:b2:ff:ae: +- f0:4e:ec:dd:39:95:4e:83:06:7f:e7:49:40:c8:c5: +- 01:b2:54:5a:66:1d:3d:fc:f9:e9:3c:0a:9e:81:b8: +- 70:f0:01:8b:e4:23:54:7c:c8:ae:f8:90:1e:00:96: +- 72:d4:54:cf:61:23:bc:ea:fb:9d:02:95:d1:b6:b9: +- 71:3a:69:08:3f:0f:b4:e1:42:c7:88:f5:3f:98:a8: +- a7:ba:1c:e0:71:71:ef:58:57:81:50:7a:5c:6b:74: +- 46:0e:83:03:98:c3:8e:a8:6e:f2:76:32:6e:27:83: +- c2:73:f3:dc:18:e8:b4:93:ea:75:44:6b:04:60:20: +- 71:57:87:9d:f3:be:a0:90:23:3d:8a:24:e1:da:21: +- db:c3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 4A:A0:AA:58:84:D3:5E:3C +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 5a:ce:87:f9:16:72:15:57:4b:1d:d9:9b:e7:a2:26:30:ec:93: +- 67:df:d6:2d:d2:34:af:f7:38:a5:ce:ab:16:b9:ab:2f:7c:35: +- cb:ac:d0:0f:b4:4c:2b:fc:80:ef:6b:8c:91:5f:36:76:f7:db: +- b3:1b:19:ea:f4:b2:11:fd:61:71:44:bf:28:b3:3a:1d:bf:b3: +- 43:e8:9f:bf:dc:31:08:71:b0:9d:8d:d6:34:47:32:90:c6:65: +- 24:f7:a0:4a:7c:04:73:8f:39:6f:17:8c:72:b5:bd:4b:c8:7a: +- 
f8:7b:83:c3:28:4e:9c:09:ea:67:3f:b2:67:04:1b:c3:14:da: +- f8:e7:49:24:91:d0:1d:6a:fa:61:39:ef:6b:e7:21:75:06:07: +- d8:12:b4:21:20:70:42:71:81:da:3c:9a:36:be:a6:5b:0d:6a: +- 6c:9a:1f:91:7b:f9:f9:ef:42:ba:4e:4e:9e:cc:0c:8d:94:dc: +- d9:45:9c:5e:ec:42:50:63:ae:f4:5d:c4:b1:12:dc:ca:3b:a8: +- 2e:9d:14:5a:05:75:b7:ec:d7:63:e2:ba:35:b6:04:08:91:e8: +- da:9d:9c:f6:66:b5:18:ac:0a:a6:54:26:34:33:d2:1b:c1:d4: +- 7f:1a:3a:8e:0b:aa:32:6e:db:fc:4f:25:9f:d9:32:c7:96:5a: +- 70:ac:df:4c +-SHA1 Fingerprint=37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27 +------BEGIN CERTIFICATE----- +-MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP +-MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx +-MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV +-BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o +-Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt +-5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s +-3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej +-vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu +-8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw +-DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG +-MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil +-zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/ +-3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD +-FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6 +-Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2 +-ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Staat_der_Nederlanden_EV_Root_CA.pem +@@ -1,134 +0,0 @@ +-## +-## Staat der Nederlanden EV Root CA +-## +-## This is a single X.509 certificate for a public 
Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000013 (0x98968d) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Validity +- Not Before: Dec 8 11:19:29 2010 GMT +- Not After : Dec 8 11:10:28 2022 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c7:7e:89:f9:24:4b:3a:d2:33:83:35:2c:69: +- ec:dc:09:a4:e3:51:a8:25:2b:79:b8:08:3d:e0:91: +- ba:84:85:c6:85:a4:ca:e6:c9:2e:53:a4:c9:24:1e: +- fd:55:66:71:5d:2c:c5:60:68:04:b7:d9:c2:52:26: +- 38:88:a4:d6:3b:40:a6:c2:cd:3f:cd:98:93:b3:54: +- 14:58:96:55:d5:50:fe:86:ad:a4:63:7f:5c:87:f6: +- 8e:e6:27:92:67:17:92:02:03:2c:dc:d6:66:74:ed: +- dd:67:ff:c1:61:8d:63:4f:0f:9b:6d:17:30:26:ef: +- ab:d2:1f:10:a0:f9:c5:7f:16:69:81:03:47:ed:1e: +- 68:8d:72:a1:4d:b2:26:c6:ba:6c:5f:6d:d6:af:d1: +- b1:13:8e:a9:ad:f3:5e:69:75:26:18:3e:41:2b:21: +- 7f:ee:8b:5d:07:06:9d:43:c4:29:0a:2b:fc:2a:3e: +- 86:cb:3c:83:3a:f9:c9:0d:da:c5:99:e2:bc:78:41: +- 33:76:e1:bf:2f:5d:e5:a4:98:50:0c:15:dd:e0:fa: +- 9c:7f:38:68:d0:b2:a6:7a:a7:d1:31:bd:7e:8a:58: +- 27:43:b3:ba:33:91:d3:a7:98:15:5c:9a:e6:d3:0f: +- 75:d9:fc:41:98:97:3e:aa:25:db:8f:92:2e:b0:7b: +- 0c:5f:f1:63:a9:37:f9:9b:75:69:4c:28:26:25:da: +- d5:f2:12:70:45:55:e3:df:73:5e:37:f5:21:6c:90: +- 8e:35:5a:c9:d3:23:eb:d3:c0:be:78:ac:42:28:58: +- 66:a5:46:6d:70:02:d7:10:f9:4b:54:fc:5d:86:4a: +- 87:cf:7f:ca:45:ac:11:5a:b5:20:51:8d:2f:88:47: +- 97:39:c0:cf:ba:c0:42:01:40:99:48:21:0b:6b:a7: +- d2:fd:96:d5:d1:be:46:9d:49:e0:0b:a6:a0:22:4e: +- 38:d0:c1:3c:30:bc:70:8f:2c:75:cc:d0:c5:8c:51: +- 
3b:3d:94:08:64:26:61:7d:b9:c3:65:8f:14:9c:21: +- d0:aa:fd:17:72:03:8f:bd:9b:8c:e6:5e:53:9e:b9: +- 9d:ef:82:bb:e1:bc:e2:72:41:5b:21:94:d3:45:37: +- 94:d1:df:09:39:5d:e7:23:aa:9a:1d:ca:6d:a8:0a: +- 86:85:8a:82:be:42:07:d6:f2:38:82:73:da:87:5b: +- e5:3c:d3:9e:3e:a7:3b:9e:f4:03:b3:f9:f1:7d:13: +- 74:02:ff:bb:a1:e5:fa:00:79:1c:a6:66:41:88:5c: +- 60:57:a6:2e:09:c4:ba:fd:9a:cf:a7:1f:40:c3:bb: +- cc:5a:0a:55:4b:3b:38:76:51:b8:63:8b:84:94:16: +- e6:56:f3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- cf:77:2c:6e:56:be:4e:b3:b6:84:00:94:ab:47:c9:0d:d2:76: +- c7:86:9f:1d:07:d3:b6:b4:bb:08:78:af:69:d2:0b:49:de:33: +- c5:ac:ad:c2:88:02:7d:06:b7:35:02:c1:60:c9:bf:c4:e8:94: +- de:d4:d3:a9:13:25:5a:fe:6e:a2:ae:7d:05:dc:7d:f3:6c:f0: +- 7e:a6:8d:ee:d9:d7:ce:58:17:e8:a9:29:ae:73:48:87:e7:9b: +- ca:6e:29:a1:64:5f:19:13:f7:ae:06:10:ff:51:c6:9b:4d:55: +- 25:4f:93:99:10:01:53:75:f1:13:ce:c7:a6:41:41:d2:bf:88: +- a5:7f:45:fc:ac:b8:a5:b5:33:0c:82:c4:fb:07:f6:6a:e5:25: +- 84:5f:06:ca:c1:86:39:11:db:58:cd:77:3b:2c:c2:4c:0f:5e: +- 9a:e3:f0:ab:3e:61:1b:50:24:c2:c0:f4:f1:19:f0:11:29:b6: +- a5:18:02:9b:d7:63:4c:70:8c:47:a3:03:43:5c:b9:5d:46:a0: +- 0d:6f:ff:59:8e:be:dd:9f:72:c3:5b:2b:df:8c:5b:ce:e5:0c: +- 46:6c:92:b2:0a:a3:4c:54:42:18:15:12:18:bd:da:fc:ba:74: +- 6e:ff:c1:b6:a0:64:d8:a9:5f:55:ae:9f:5c:6a:76:96:d8:73: +- 67:87:fb:4d:7f:5c:ee:69:ca:73:10:fb:8a:a9:fd:9e:bd:36: +- 38:49:49:87:f4:0e:14:f0:e9:87:b8:3f:a7:4f:7a:5a:8e:79: +- d4:93:e4:bb:68:52:84:ac:6c:e9:f3:98:70:55:72:32:f9:34: +- ab:2b:49:b5:cd:20:62:e4:3a:7a:67:63:ab:96:dc:6d:ae:97: +- ec:fc:9f:76:56:88:2e:66:cf:5b:b6:c9:a4:b0:d7:05:ba:e1: +- 27:2f:93:bb:26:2a:a2:93:b0:1b:f3:8e:be:1d:40:a3:b9:36: +- 8f:3e:82:1a:1a:5e:88:ea:50:f8:59:e2:83:46:29:0b:e3:44: +- 
5c:e1:95:b6:69:90:9a:14:6f:97:ae:81:cf:68:ef:99:9a:be: +- b5:e7:e1:7f:f8:fa:13:47:16:4c:cc:6d:08:40:e7:8b:78:6f: +- 50:82:44:50:3f:66:06:8a:ab:43:84:56:4a:0f:20:2d:86:0e: +- f5:d2:db:d2:7a:8a:4b:cd:a5:e8:4e:f1:5e:26:25:01:59:23: +- a0:7e:d2:f6:7e:21:57:d7:27:bc:15:57:4c:a4:46:c1:e0:83: +- 1e:0c:4c:4d:1f:4f:06:19:e2:f9:a8:f4:3a:82:a1:b2:79:43: +- 79:d6:ad:6f:7a:27:90:03:a4:ea:24:87:3f:d9:bd:d9:e9:f2: +- 5f:50:49:1c:ee:ec:d7:2e +-SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS 
+-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +--- secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem.orig ++++ secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem +@@ -1,137 +0,0 @@ +-## +-## Staat der Nederlanden Root CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000012 (0x98968c) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Validity +- Not Before: Mar 26 11:18:17 2008 GMT +- Not After : Mar 25 11:03:10 2020 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c5:59:e7:6f:75:aa:3e:4b:9c:b5:b8:ac:9e:0b: +- e4:f9:d9:ca:ab:5d:8f:b5:39:10:82:d7:af:51:e0: +- 3b:e1:00:48:6a:cf:da:e1:06:43:11:99:aa:14:25: +- 12:ad:22:e8:00:6d:43:c4:a9:b8:e5:1f:89:4b:67: +- bd:61:48:ef:fd:d2:e0:60:88:e5:b9:18:60:28:c3: +- 77:2b:ad:b0:37:aa:37:de:64:59:2a:46:57:e4:4b: +- b9:f8:37:7c:d5:36:e7:80:c1:b6:f3:d4:67:9b:96: +- 
e8:ce:d7:c6:0a:53:d0:6b:49:96:f3:a3:0b:05:77: +- 48:f7:25:e5:70:ac:30:14:20:25:e3:7f:75:5a:e5: +- 48:f8:4e:7b:03:07:04:fa:82:61:87:6e:f0:3b:c4: +- a4:c7:d0:f5:74:3e:a5:5d:1a:08:f2:9b:25:d2:f6: +- ac:04:26:3e:55:3a:62:28:a5:7b:b2:30:af:f8:37: +- c2:d1:ba:d6:38:fd:f4:ef:49:30:37:99:26:21:48: +- 85:01:a9:e5:16:e7:dc:90:55:df:0f:e8:38:cd:99: +- 37:21:4f:5d:f5:22:6f:6a:c5:12:16:60:17:55:f2: +- 65:66:a6:a7:30:91:38:c1:38:1d:86:04:84:ba:1a: +- 25:78:5e:9d:af:cc:50:60:d6:13:87:52:ed:63:1f: +- 6d:65:7d:c2:15:18:74:ca:e1:7e:64:29:8c:72:d8: +- 16:13:7d:0b:49:4a:f1:28:1b:20:74:6b:c5:3d:dd: +- b0:aa:48:09:3d:2e:82:94:cd:1a:65:d9:2b:88:9a: +- 99:bc:18:7e:9f:ee:7d:66:7c:3e:bd:94:b8:81:ce: +- cd:98:30:78:c1:6f:67:d0:be:5f:e0:68:ed:de:e2: +- b1:c9:2c:59:78:92:aa:df:2b:60:63:f2:e5:5e:b9: +- e3:ca:fa:7f:50:86:3e:a2:34:18:0c:09:68:28:11: +- 1c:e4:e1:b9:5c:3e:47:ba:32:3f:18:cc:5b:84:f5: +- f3:6b:74:c4:72:74:e1:e3:8b:a0:4a:bd:8d:66:2f: +- ea:ad:35:da:20:d3:88:82:61:f0:12:22:b6:bc:d0: +- d5:a4:ec:af:54:88:25:24:3c:a7:6d:b1:72:29:3f: +- 3e:57:a6:7f:55:af:6e:26:c6:fe:e7:cc:40:5c:51: +- 44:81:0a:78:de:4a:ce:55:bf:1d:d5:d9:b7:56:ef: +- f0:76:ff:0b:79:b5:af:bd:fb:a9:69:91:46:97:68: +- 80:14:36:1d:b3:7f:bb:29:98:36:a5:20:fa:82:60: +- 62:33:a4:ec:d6:ba:07:a7:6e:c5:cf:14:a6:e7:d6: +- 92:34:d8:81:f5:fc:1d:5d:aa:5c:1e:f6:a3:4d:3b: +- b8:f7:39 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: X509v3 Any Policy +- CPS: http://www.pkioverheid.nl/policies/root-policy-G2 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- a8:41:4a:67:2a:92:81:82:50:6e:e1:d7:d8:b3:39:3b:f3:02: +- 15:09:50:51:ef:2d:bd:24:7b:88:86:3b:f9:b4:bc:92:09:96: +- b9:f6:c0:ab:23:60:06:79:8c:11:4e:51:d2:79:80:33:fb:9d: +- 
48:be:ec:41:43:81:1f:7e:47:40:1c:e5:7a:08:ca:aa:8b:75: +- ad:14:c4:c2:e8:66:3c:82:07:a7:e6:27:82:5b:18:e6:0f:6e: +- d9:50:3e:8a:42:18:29:c6:b4:56:fc:56:10:a0:05:17:bd:0c: +- 23:7f:f4:93:ed:9c:1a:51:be:dd:45:41:bf:91:24:b4:1f:8c: +- e9:5f:cf:7b:21:99:9f:95:9f:39:3a:46:1c:6c:f9:cd:7b:9c: +- 90:cd:28:a9:c7:a9:55:bb:ac:62:34:62:35:13:4b:14:3a:55: +- 83:b9:86:8d:92:a6:c6:f4:07:25:54:cc:16:57:12:4a:82:78: +- c8:14:d9:17:82:26:2d:5d:20:1f:79:ae:fe:d4:70:16:16:95: +- 83:d8:35:39:ff:52:5d:75:1c:16:c5:13:55:cf:47:cc:75:65: +- 52:4a:de:f0:b0:a7:e4:0a:96:0b:fb:ad:c2:e2:25:84:b2:dd: +- e4:bd:7e:59:6c:9b:f0:f0:d8:e7:ca:f2:e9:97:38:7e:89:be: +- cc:fb:39:17:61:3f:72:db:3a:91:d8:65:01:19:1d:ad:50:a4: +- 57:0a:7c:4b:bc:9c:71:73:2a:45:51:19:85:cc:8e:fd:47:a7: +- 74:95:1d:a8:d1:af:4e:17:b1:69:26:c2:aa:78:57:5b:c5:4d: +- a7:e5:9e:05:17:94:ca:b2:5f:a0:49:18:8d:34:e9:26:6c:48: +- 1e:aa:68:92:05:e1:82:73:5a:9b:dc:07:5b:08:6d:7d:9d:d7: +- 8d:21:d9:fc:14:20:aa:c2:45:df:3f:e7:00:b2:51:e4:c2:f8: +- 05:b9:79:1a:8c:34:f3:9e:5b:e4:37:5b:6b:4a:df:2c:57:8a: +- 40:5a:36:ba:dd:75:44:08:37:42:70:0c:fe:dc:5e:21:a0:a3: +- 8a:c0:90:9c:68:da:50:e6:45:10:47:78:b6:4e:d2:65:c9:c3: +- 37:df:e1:42:63:b0:57:37:45:2d:7b:8a:9c:bf:05:ea:65:55: +- 33:f7:39:10:c5:28:2a:21:7a:1b:8a:c4:24:f9:3f:15:c8:9a: +- 15:20:f5:55:62:96:ed:6d:93:50:bc:e4:aa:78:ad:d9:cb:0a: +- 65:87:a6:66:c1:c4:81:a3:77:3a:58:1e:0b:ee:83:8b:9d:1e: +- d2:52:a4:cc:1d:6f:b0:98:6d:94:31:b5:f8:71:0a:dc:b9:fc: +- 7d:32:60:e6:eb:af:8a:01 +-SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16 +------BEGIN CERTIFICATE----- +-MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX +-DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl +-ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv +-b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291 
+-qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp +-uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU +-Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE +-pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp +-5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M +-UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN +-GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy +-5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv +-6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK +-eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6 +-B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/ +-BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov +-L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG +-SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS +-CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen +-5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897 +-IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK +-gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL +-+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL +-vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm +-bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk +-N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC +-Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z +-ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/blacklisted/SwissSign_Silver_CA_-_G2.pem +@@ -0,0 +1,140 @@ ++## ++## SwissSign Silver CA - G2 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). 
It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Validity ++ Not Before: Oct 25 08:32:46 2006 GMT ++ Not After : Oct 25 08:32:46 2036 GMT ++ Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: ++ bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: ++ 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: ++ 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: ++ b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: ++ a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: ++ d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: ++ 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: ++ bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: ++ 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: ++ 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: ++ 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: ++ 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: ++ 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: ++ 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: ++ b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: ++ a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: ++ cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: ++ 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: ++ 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: ++ be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: ++ ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: ++ 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: ++ 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: ++ e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: ++ 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: ++ 
fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: ++ 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: ++ ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: ++ 9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: ++ f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: ++ a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: ++ b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: ++ 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: ++ ea:d6:1f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Authority Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Certificate Policies: ++ Policy: 2.16.756.1.89.1.3.1.1 ++ CPS: http://repository.swisssign.com/ ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: ++ 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: ++ 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: ++ 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: ++ c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: ++ 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: ++ 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: ++ 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: ++ ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: ++ 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: ++ e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: ++ 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: ++ 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: ++ 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: ++ 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: ++ f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: ++ 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: ++ 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: ++ 
72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: ++ a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: ++ d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: ++ ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: ++ da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: ++ 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: ++ 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: ++ f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: ++ 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: ++ 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: ++ 60:39:ce:ca:62:d8:2e:6e ++SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB ++-----BEGIN CERTIFICATE----- ++MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE ++BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu ++IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow ++RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY ++U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A ++MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv ++Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br ++YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF ++nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH ++6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt ++eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ ++c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ ++MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH ++HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf ++jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 ++5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB ++rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU ++F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c ++wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 
++cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB ++AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp ++WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 ++xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ ++2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ ++IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 ++aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X ++em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR ++dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ ++OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ ++hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy ++tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u ++-----END CERTIFICATE----- +--- secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem.orig ++++ secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Trustis FPS Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Validity +- Not Before: Dec 23 12:14:06 2003 GMT +- Not After : Jan 21 11:36:54 2024 GMT +- Subject: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:c5:50:7b:9e:3b:35:d0:df:c4:8c:cd:8e:9b:ed: +- a3:c0:36:99:f4:42:ea:a7:3e:80:83:0f:a6:a7:59: +- 87:c9:90:45:43:7e:00:ea:86:79:2a:03:bd:3d:37: +- 99:89:66:b7:e5:8a:56:86:93:9c:68:4b:68:04:8c: +- 93:93:02:3e:30:d2:37:3a:22:61:89:1c:85:4e:7d: +- 8f:d5:af:7b:35:f6:7e:28:47:89:31:dc:0e:79:64: +- 1f:99:d2:5b:ba:fe:7f:60:bf:ad:eb:e7:3c:38:29: +- 6a:2f:e5:91:0b:55:ff:ec:6f:58:d5:2d:c9:de:4c: +- 66:71:8f:0c:d7:04:da:07:e6:1e:18:e3:bd:29:02: +- a8:fa:1c:e1:5b:b9:83:a8:41:48:bc:1a:71:8d:e7: +- 62:e5:2d:b2:eb:df:7c:cf:db:ab:5a:ca:31:f1:4c: +- 22:f3:05:13:f7:82:f9:73:79:0c:be:d7:4b:1c:c0: +- d1:15:3c:93:41:64:d1:e6:be:23:17:22:00:89:5e: +- 1f:6b:a5:ac:6e:a7:4b:8c:ed:a3:72:e6:af:63:4d: +- 2f:85:d2:14:35:9a:2e:4e:8c:ea:32:98:28:86:a1: +- 91:09:41:3a:b4:e1:e3:f2:fa:f0:c9:0a:a2:41:dd: +- a9:e3:03:c7:88:15:3b:1c:d4:1a:94:d7:9f:64:59: +- 12:6d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- X509v3 Subject Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 7e:58:ff:fd:35:19:7d:9c:18:4f:9e:b0:2b:bc:8e:8c:14:ff: +- 2c:a0:da:47:5b:c3:ef:81:2d:af:05:ea:74:48:5b:f3:3e:4e: +- 07:c7:6d:c5:b3:93:cf:22:35:5c:b6:3f:75:27:5f:09:96:cd: +- a0:fe:be:40:0c:5c:12:55:f8:93:82:ca:29:e9:5e:3f:56:57: +- 
8b:38:36:f7:45:1a:4c:28:cd:9e:41:b8:ed:56:4c:84:a4:40: +- c8:b8:b0:a5:2b:69:70:04:6a:c3:f8:d4:12:32:f9:0e:c3:b1: +- dc:32:84:44:2c:6f:cb:46:0f:ea:66:41:0f:4f:f1:58:a5:a6: +- 0d:0d:0f:61:de:a5:9e:5d:7d:65:a1:3c:17:e7:a8:55:4e:ef: +- a0:c7:ed:c6:44:7f:54:f5:a3:e0:8f:f0:7c:55:22:8f:29:b6: +- 81:a3:e1:6d:4e:2c:1b:80:67:ec:ad:20:9f:0c:62:61:d5:97: +- ff:43:ed:2d:c1:da:5d:29:2a:85:3f:ac:65:ee:86:0f:05:8d: +- 90:5f:df:ee:9f:f4:bf:ee:1d:fb:98:e4:7f:90:2b:84:78:10: +- 0e:6c:49:53:ef:15:5b:65:46:4a:5d:af:ba:fb:3a:72:1d:cd: +- f6:25:88:1e:97:cc:21:9c:29:01:0d:65:eb:57:d9:f3:57:96: +- bb:48:cd:81 +-SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 +------BEGIN CERTIFICATE----- +-MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF +-MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL +-ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx +-MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc +-MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +-ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ +-AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH +-iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj +-vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA +-0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB +-OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ +-BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E +-FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 +-GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW +-zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 +-1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE +-f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F +-jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN +-ZetX2fNXlrtIzYE= +------END CERTIFICATE----- +--- /dev/null ++++ 
secure/caroot/trusted/D-TRUST_BR_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST BR Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Validity ++ Not Before: May 9 08:56:31 2023 GMT ++ Not After : May 9 08:56:30 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:ae:ff:09:59:91:80:0a:4a:68:e6:24:3f:b8:a7: ++ e4:c8:3a:0a:3a:16:cd:c9:23:61:a0:93:71:f2:ab: ++ 8b:73:8f:a0:67:65:60:d2:54:6b:63:51:6f:49:33: ++ e0:72:07:13:7d:38:cd:06:92:07:29:52:6b:4e:77: ++ 6c:04:d3:95:fa:dd:4c:8c:d9:5d:c1:61:7d:4b:e7: ++ 28:b3:44:81:7b:51:af:dd:33:b1:68:7c:d6:4e:4c: ++ fe:2b:68:b9:ca:66:69:c4:ec:5e:57:7f:f7:0d:c7: ++ 9c:36:36:e5:07:60:ac:c0:4c:ea:08:6c:ef:06:7c: ++ 4f:5b:28:7a:08:fc:93:5d:9b:f6:9c:b4:8b:86:ba: ++ 21:b9:f4:f0:e8:59:5a:28:a1:34:84:1a:25:91:b6: ++ b5:8f:ef:b2:f9:80:fa:f9:3d:3c:11:72:d8:e3:2f: ++ 86:76:c5:79:2c:c1:a9:90:93:46:98:67:cb:83:6a: ++ a0:50:23:a7:3b:f6:81:39:e0:ed:f0:b9:bf:65:f1: ++ d8:cb:7a:fb:ef:73:03:ce:00:f4:7d:d7:e0:5d:3b: ++ 66:b8:dc:8e:ba:83:cb:87:76:03:fc:25:d9:e7:23: ++ 6f:06:fd:67:f3:e0:ff:84:bc:47:bf:b5:16:18:46: ++ 69:14:cc:05:f7:db:d3:49:ac:6b:cc:ab:e4:b5:0b: ++ 43:24:5e:4b:6b:4d:67:df:d6:b5:3e:4f:78:1f:94: ++ 71:24:ea:de:70:fc:f1:93:fe:9e:93:5a:e4:94:5a: ++ 97:54:0c:35:7b:5f:6c:ee:00:1f:24:ec:03:ba:02: ++ f5:76:f4:9f:d4:9a:ed:85:2c:38:22:2f:c7:d8:2f: ++ 
76:11:4f:fd:6c:5c:e8:f5:8e:27:87:7f:19:4a:21: ++ 47:90:1d:79:8d:1c:5b:f8:cf:4a:85:e4:ed:b3:5b: ++ 8d:be:c4:64:28:5d:41:c4:6e:ac:38:5a:4f:23:74: ++ 74:a9:12:c3:f6:d2:b9:11:15:33:07:91:d8:3b:37: ++ 3a:63:30:06:d1:c5:22:36:28:62:23:10:e0:46:cc: ++ 97:ac:d6:2b:5d:64:24:d5:ee:1c:0e:de:fb:08:5a: ++ 75:2a:f6:63:6d:ce:0b:42:be:d1:ba:70:1c:9c:21: ++ e5:0f:31:69:17:d7:fc:0a:b4:de:ed:80:9c:cb:92: ++ b4:8b:f5:de:59:a2:58:09:a5:63:47:0b:e1:41:32: ++ 34:41:d9:9a:b1:d9:a8:b0:1b:5a:de:0d:0d:f4:e2: ++ b2:5d:35:80:b9:81:d4:84:69:91:02:cb:75:d0:8d: ++ c5:b5:3d:09:91:09:8f:14:a1:14:74:79:3e:d6:c9: ++ 15:1d:a4:59:59:22:dc:f6:8a:45:3d:3c:12:d6:3e: ++ 5d:32:2f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 67:90:F0:D6:DE:B5:18:D5:46:29:7E:5C:AB:F8:9E:08:BC:64:95:10 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_br_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 34:f7:b3:77:53:db:30:16:b9:2d:a5:21:f1:40:21:75:eb:eb: ++ 48:16:81:3d:73:e0:9e:27:2a:eb:77:a9:13:a4:6a:0a:5a:5a: ++ 14:33:3d:68:1f:81:ae:69:fd:8c:9f:65:6c:34:42:d9:2d:d0: ++ 7f:78:16:b1:3a:ac:23:31:ad:5e:7f:ae:e7:ae:2b:fa:ba:fc: ++ 3c:97:95:40:93:5f:c3:2d:03:a3:ed:a4:6f:53:d7:fa:40:0e: ++ 30:f5:00:20:2c:00:4c:8c:3b:b4:a3:1f:b6:bf:91:32:ab:af: ++ 92:98:d3:16:e6:d4:d1:54:5c:43:5b:2e:ae:ef:57:2a:a8:b4: ++ 6f:a4:ef:0d:56:14:da:21:ab:20:76:9e:03:fc:26:b8:9e:3f: ++ 3e:03:26:e6:4c:db:9d:5f:42:84:3d:45:03:03:1c:59:88:ca: ++ dc:2e:61:24:5a:a4:ea:27:0b:73:12:be:52:b3:0a:cf:32:17: ++ e2:1e:87:1a:16:95:48:6d:5a:e0:d0:cf:09:92:26:66:91:d8: ++ a3:61:0e:aa:81:81:7f:e8:52:82:d1:42:e7:e0:1d:18:fa:a4: ++ 85:36:e7:86:e0:0d:eb:bc:d4:c9:d6:3c:43:f1:5d:49:6e:7e: ++ 81:9b:69:b5:89:62:8f:88:52:d8:d7:fe:27:c1:23:c5:cb:2b: ++ 02:bb:b1:5f:fe:fb:43:85:03:46:be:5d:c6:ca:21:26:ff:d7: ++ 
02:9e:74:4a:dc:f8:13:15:b1:81:57:36:cb:65:5c:d1:1d:31: ++ 77:e9:25:c3:c3:b2:32:37:d5:f1:98:09:e4:6d:63:80:08:ab: ++ 06:92:81:d4:e9:70:8f:a7:3f:b2:ed:86:8c:82:6a:35:c8:42: ++ 5a:82:d1:52:1a:45:0f:15:a5:00:f0:94:7b:65:27:57:39:43: ++ cf:7c:7f:e6:bd:35:b3:7b:f1:19:4c:de:3a:96:cf:e9:76:ee: ++ 03:e7:c2:43:52:3c:6a:81:e8:c1:5a:80:bd:11:5d:93:6b:fb: ++ c7:e6:64:3f:bb:69:1c:e9:dd:25:8b:af:74:c9:54:40:ca:cb: ++ 93:13:0a:ed:fb:66:92:11:ca:f5:c0:fa:d8:83:55:03:7c:d3: ++ c5:22:46:75:70:6b:79:48:06:2a:82:9a:bf:e6:eb:16:0e:22: ++ 45:01:bc:dd:36:94:34:a9:35:26:8a:d7:97:b9:ee:08:72:bf: ++ 34:92:70:83:80:ab:38:aa:59:68:dd:40:a4:18:90:b2:f3:d5: ++ 03:ca:26:ca:ef:d5:c7:e0:8f:53:8e:f0:00:e3:a8:ed:9f:f9: ++ ad:77:e0:2b:63:4f:9e:c3:ee:37:bb:78:09:84:9e:b9:6e:fb: ++ 29:99:90:e8:80:d3:9f:24 ++SHA1 Fingerprint=2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEJSIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUw ++OTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCTcfKr ++i3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNE ++gXtRr90zsWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8 ++k12b9py0i4a6Ibn08OhZWiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCT ++Rphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl ++2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LULQyReS2tNZ9/WtT5PeB+U ++cSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIvx9gvdhFP ++/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bS ++uREVMweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+ ++0bpwHJwh5Q8xaRfX/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4N ++DfTisl01gLmB1IRpkQLLddCNxbU9CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+ 
++XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZ5Dw1t61 ++GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tI ++FoE9c+CeJyrrd6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67n ++riv6uvw8l5VAk1/DLQOj7aRvU9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTR ++VFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4nj8+AybmTNudX0KEPUUDAxxZiMrc ++LmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdijYQ6qgYF/6FKC0ULn ++4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff/vtD ++hQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsG ++koHU6XCPpz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46 ++ls/pdu4D58JDUjxqgejBWoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aS ++Ecr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/5usWDiJFAbzdNpQ0qTUmiteXue4Icr80 ++knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jtn/mtd+ArY0+ew+43u3gJ ++hJ65bvspmZDogNOfJA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/D-TRUST_EV_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST EV Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Validity ++ Not Before: May 9 09:10:33 2023 GMT ++ Not After : May 9 09:10:32 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:d8:8e:a3:89:80:0b:b2:57:52:dc:a9:53:4c:37: ++ b9:7f:63:17:13:ef:a7:5b:23:5b:69:75:b0:99:0a: ++ 17:c1:8b:c4:db:a8:e0:cc:31:ba:c2:f2:cd:5d:e9: ++ b7:f8:1d:af:6a:c4:95:87:d7:47:c9:95:d8:82:04: ++ 50:3d:81:08:ff:e4:3d:b3:b1:d6:c5:b2:fd:88:09: ++ db:9c:84:ec:25:17:14:87:7f:30:78:9b:6a:58:c9: ++ b6:73:28:3c:34:f7:99:f7:7f:d3:a6:f8:1c:45:7c: ++ ad:2c:8c:94:3f:d8:67:10:53:7e:22:cd:4e:25:51: ++ f0:25:24:35:11:5e:10:c6:ec:87:66:89:81:68:ba: ++ cc:2b:9d:47:73:1f:bd:cd:91:a4:72:6a:9c:a2:1b: ++ 18:a0:6f:ec:50:f4:7d:40:c2:a8:30:cf:bd:73:c8: ++ 13:2b:10:13:1e:8b:9a:a8:3a:94:73:d3:18:69:0a: ++ 4a:ff:c1:01:03:ff:79:7f:b5:48:7f:7b:ee:e8:29: ++ 6f:36:4c:95:61:86:d8:f9:a2:73:8a:ee:ae:2f:96: ++ ee:68:cd:3d:4d:28:42:f9:45:2b:32:1b:46:55:16: ++ 6a:a6:4b:29:f9:bb:95:56:bf:46:1d:ec:1d:93:1d: ++ c0:65:b2:1f:a1:43:ae:56:9e:a0:b1:8f:6b:12:b7: ++ 60:6d:78:0b:ca:8a:5c:ed:1e:96:0e:83:a6:48:95: ++ 8d:3b:a3:21:c4:ae:58:c6:00:b2:84:b4:23:a4:96: ++ 86:35:b8:d8:9e:d8:ac:34:49:98:63:95:c5:cb:6d: ++ 48:47:e2:f2:2e:18:1e:d0:31:ab:dd:74:ec:f9:dc: ++ 8c:b8:1c:8e:68:23:ba:d0:f3:50:dc:cf:65:8f:73: ++ 3a:32:c7:7c:fe:ca:82:22:4f:be:8e:62:47:66:e5: ++ cd:87:e2:e8:d5:0f:18:9f:e5:04:72:4b:46:3c:10: ++ f2:44:c2:64:56:71:4e:75:e8:9c:c9:26:74:c5:7d: ++ 59:d1:0a:5b:0f:6d:fe:9e:75:1c:18:c6:1a:3a:7c: ++ d8:0d:04:cc:cd:b7:45:65:7a:b1:8f:b8:ae:84:48: ++ 3e:b3:7a:4d:a8:03:e2:e2:7e:01:16:59:68:18:43: ++ 33:b0:d2:dc:b0:1a:43:35:ee:a5:da:a9:46:5c:ae: ++ 
86:81:41:01:4a:74:26:ec:9f:06:bf:c2:05:37:64: ++ 75:78:29:68:fd:c5:f5:eb:fe:47:f9:e4:85:b0:e1: ++ 7b:31:9d:a6:7f:72:a3:b9:c4:2c:2e:cc:99:57:0e: ++ 21:0c:45:01:94:65:eb:65:09:c6:63:22:0b:33:49: ++ 92:48:3c:fc:cd:ce:b0:3e:8e:9e:8b:f8:fe:49:c5: ++ 35:72:47 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ AA:FC:91:10:1B:87:91:5F:16:B9:BF:4F:4B:91:5E:00:1C:B1:32:80 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_ev_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 93:cb:a5:1f:99:11:ec:9a:0d:5f:2c:15:93:c6:3f:be:10:8d: ++ 78:42:f0:6e:90:47:47:8e:a3:92:32:8d:70:8f:f6:5b:8d:be: ++ 89:ce:47:01:6a:1b:20:20:89:5b:c8:82:10:6c:e0:e7:99:aa: ++ 6b:c6:2a:a0:63:35:91:6a:85:25:ad:17:38:a5:9b:7e:50:f2: ++ 76:ea:85:05:2a:27:41:2b:b1:81:d1:a2:f6:40:75:a9:0e:cb: ++ f1:55:48:d8:ec:d1:ec:b3:e8:ce:14:a1:35:ec:c2:5e:35:1a: ++ ab:a6:16:01:06:8e:ea:dc:2f:a3:8a:ca:2c:91:eb:52:8e:5f: ++ 0c:9b:17:cf:cb:73:07:19:c4:6a:c2:73:54:ef:7c:43:52:63: ++ c1:11:ca:c2:45:b1:f4:3b:53:f5:69:ae:3c:e3:a5:de:ac:e8: ++ 54:b7:b2:91:fd:ac:a9:1f:f2:87:e4:17:c6:49:a8:7c:d8:0a: ++ 41:f4:f2:3e:e7:77:34:04:52:dd:e8:81:f2:4d:2f:54:45:9d: ++ 15:e1:4f:cc:e5:de:34:57:10:c9:23:72:17:70:8d:50:70:1f: ++ 56:6c:cc:b9:ff:3a:5a:4f:63:7a:c3:6e:65:07:1d:84:a1:ff: ++ a9:0c:63:89:6d:b2:40:88:39:d7:1f:77:68:b5:fc:9c:d5:d6: ++ 67:69:5b:a8:74:db:fc:89:f6:1b:32:f7:a4:24:a6:76:b7:47: ++ 53:ef:8d:49:8f:a9:b6:83:5a:a5:96:90:45:61:f5:de:03:4f: ++ 26:0f:a8:8b:f0:03:96:b0:ac:15:d0:71:5a:6a:7b:94:e6:70: ++ 93:da:f1:69:e0:b2:62:4d:9e:8f:ff:89:9d:9b:5d:cd:45:e9: ++ 94:02:22:8d:e0:35:7f:e8:f1:04:79:71:6c:54:83:f8:33:b9: ++ 05:32:1b:58:55:11:4f:d0:e5:27:47:71:ec:ed:da:67:d6:62: ++ a6:4b:4d:0f:69:a2:c9:bc:ec:22:4b:94:c7:68:94:17:7e:e2: ++ 8e:28:3e:b6:c6:ea:f5:34:6c:9f:37:88:07:38:db:86:71:fa: ++ 
cd:95:48:43:6e:a3:4f:82:87:d7:34:98:6e:4b:93:79:60:75: ++ 69:0f:f0:1a:d5:53:fa:21:0c:c2:3f:e9:3f:1f:18:8c:92:5d: ++ 78:a7:76:67:19:bb:b2:ea:7f:e9:70:09:56:56:a3:b0:0c:0b: ++ 2d:36:5e:c5:e9:c4:d5:83:cb:86:17:97:2c:6c:13:6f:87:5a: ++ af:49:a6:1d:db:cd:38:04:2e:5f:e2:4a:35:0e:2d:4b:f8:a2: ++ 24:04:8d:d8:e1:63:5e:02:92:34:da:98:61:5c:1c:6f:58:76: ++ 64:b3:fc:02:b8:f5:9d:0a ++SHA1 Fingerprint=A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEVWIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUw ++OTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1sJkK ++F8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE ++7CUXFId/MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFe ++EMbsh2aJgWi6zCudR3Mfvc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6 ++lHPTGGkKSv/BAQP/eX+1SH977ugpbzZMlWGG2Pmic4ruri+W7mjNPU0oQvlFKzIb ++RlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3YG14C8qKXO0elg6DpkiV ++jTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq9107PncjLgc ++jmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZx ++TnXonMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+ ++ARZZaBhDM7DS3LAaQzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nk ++hbDhezGdpn9yo7nELC7MmVcOIQxFAZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knF ++NXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUqvyREBuH ++kV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14 ++QvBukEdHjqOSMo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4 ++pZt+UPJ26oUFKidBK7GB0aL2QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q 
++3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xDUmPBEcrCRbH0O1P1aa4846XerOhU ++t7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V4U/M5d40VxDJI3IX ++cI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuodNv8 ++ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT ++2vFp4LJiTZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs ++7dpn1mKmS00PaaLJvOwiS5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNP ++gofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAst ++Nl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L+KIkBI3Y4WNeApI02phh ++XBxvWHZks/wCuPWdCg== ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem.orig ++++ secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -1,139 +0,0 @@ +-## +-## Entrust Root Certification Authority - G4 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 +- Validity +- Not Before: May 27 11:11:16 2015 GMT +- Not After : Dec 27 11:41:16 2037 GMT +- Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. 
- for authorized use only", CN = Entrust Root Certification Authority - G4 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: +- c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: +- 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: +- fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: +- 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: +- b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: +- 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: +- 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: +- d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: +- 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: +- b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: +- db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: +- c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: +- a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: +- 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: +- d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: +- ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: +- 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: +- 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: +- b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: +- 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: +- e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: +- fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: +- 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: +- 4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: +- 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: +- a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: +- 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: +- 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: +- 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: +- 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: +- ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: +- 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: +- 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: +- 63:73:49 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- 
Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: +- ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: +- 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: +- d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: +- 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: +- c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: +- ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: +- 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: +- 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: +- 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: +- bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: +- 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: +- 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: +- 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: +- ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: +- 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: +- 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: +- 06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: +- 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: +- 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: +- 83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: +- c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: +- 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: +- 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: +- a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: +- 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: +- 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: +- 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: +- 1f:8b:8f:53:dd:ff:ac:1f +-SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 +------BEGIN CERTIFICATE----- 
+-MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw +-gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL +-Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg +-MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +-BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 +-MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 +-c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ +-bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg +-Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B +-AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ +-2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E +-T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j +-5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM +-C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T +-DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX +-wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A +-2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm +-nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 +-dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl +-N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj +-c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +-VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS +-5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS +-Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr +-hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ +-B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI +-AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw +-H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ 
+-b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk +-2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol +-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk +-5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY +-n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/FIRMAPROFESIONAL_CA_ROOT-A_WEB.pem +@@ -0,0 +1,71 @@ ++## ++## FIRMAPROFESIONAL CA ROOT-A WEB ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Validity ++ Not Before: Apr 6 09:01:36 2022 GMT ++ Not After : Mar 31 09:01:36 2047 GMT ++ Subject: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:47:53:ea:2c:11:a4:77:c7:2a:ea:f3:d6:5f:7b: ++ d3:04:91:5c:fa:88:c6:22:b9:83:10:62:77:84:33: ++ 2d:e9:03:88:d4:e0:33:f7:ed:77:2c:4a:60:ea:e4: ++ 6f:ad:6d:b4:f8:4c:8a:a4:e4:1f:ca:ea:4f:38:4a: ++ 2e:82:73:2b:c7:66:9b:0a:8c:40:9c:7c:8a:f6:f2: ++ 39:60:b2:de:cb:ec:b8:e4:6f:ea:9b:5d:b7:53:90: ++ 18:32:55:c5:20:b7:94 ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Subject Key Identifier: ++ 
93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:30:1d:7c:a4:7b:c3:89:75:33:e1:3b:a9:45:bf:46: ++ e9:e9:a1:dd:c9:22:16:b7:47:11:0b:d8:9a:ba:f1:c8:0b:70: ++ 50:53:02:91:70:85:59:a9:1e:a4:e6:ea:23:31:a0:00:02:31: ++ 00:fd:e2:f8:b3:af:16:b9:1e:73:c4:96:e3:c1:30:19:d8:7e: ++ e6:c3:97:de:1c:4f:b8:89:2f:33:eb:48:0f:19:f7:87:46:5d: ++ 26:90:a5:85:c5:b9:7a:94:3e:87:a8:bd:00 ++SHA1 Fingerprint=A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 ++-----BEGIN CERTIFICATE----- ++MIICejCCAgCgAwIBAgIQMZch7a+JQn81QYehZ1ZMbTAKBggqhkjOPQQDAzBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE ++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwHhcNMjIwNDA2MDkwMTM2WhcNNDcwMzMxMDkwMTM2WjBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE ++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARHU+osEaR3xyrq89Zf ++e9MEkVz6iMYiuYMQYneEMy3pA4jU4DP37XcsSmDq5G+tbbT4TIqk5B/K6k84Si6C ++cyvHZpsKjECcfIr28jlgst7L7Ljkb+qbXbdTkBgyVcUgt5SjYzBhMA8GA1UdEwEB ++/wQFMAMBAf8wHwYDVR0jBBgwFoAUk+FDY1w8ndYn81LsF7Kpryz3dvgwHQYDVR0O ++BBYEFJPhQ2NcPJ3WJ/NS7Beyqa8s93b4MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjO ++PQQDAwNoADBlAjAdfKR7w4l1M+E7qUW/Runpod3JIha3RxEL2Jq68cgLcFBTApFw ++hVmpHqTm6iMxoAACMQD94vizrxa5HnPEluPBMBnYfubDl94cT7iJLzPrSA8Z94dG ++XSaQpYXFuXqUPoeovQA= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/SecureSign_RootCA11.pem.orig ++++ secure/caroot/trusted/SecureSign_RootCA11.pem +@@ -1,92 +0,0 @@ +-## +-## SecureSign RootCA11 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Validity +- Not Before: Apr 8 04:56:47 2009 GMT +- Not After : Apr 8 04:56:47 2029 GMT +- Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: +- 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: +- df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: +- 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: +- 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: +- c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: +- f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: +- a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: +- bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: +- 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: +- 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: +- 71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: +- cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: +- 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: +- d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: +- cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: +- 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: +- 3e:89 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: +- 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: +- 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: +- 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: +- 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: +- 
4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: +- 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: +- 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: +- b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: +- 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: +- d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: +- a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: +- c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: +- 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: +- d6:ba:03:f2 +-SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 +------BEGIN CERTIFICATE----- +-MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr +-MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG +-A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 +-MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp +-Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD +-QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz +-i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 +-h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV +-MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 +-UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni +-8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC +-h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD +-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +-AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm +-KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ +-X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr +-QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 +-pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN +-QSdJQO7e5iNEOdyhIta6A/I= +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA12.pem +@@ -0,0 +1,93 @@ ++## ++## 
SecureSign Root CA12 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 66:f9:c7:c1:af:ec:c2:51:b4:ed:53:97:e6:e6:82:c3:2b:1c:90:16 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Validity ++ Not Before: Apr 8 05:36:46 2020 GMT ++ Not After : Apr 8 05:36:46 2040 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:ba:39:c1:37:7a:68:45:2b:14:b4:eb:e4:13:eb: ++ 57:75:23:4d:8f:24:2d:16:e8:ae:8e:c9:7d:a4:57: ++ 3b:2a:76:25:33:83:6c:ea:32:8a:94:9b:4e:3c:96: ++ e4:fd:51:bf:99:c9:93:7e:bf:f9:ad:a7:b2:48:2b: ++ 07:1c:27:f5:4c:bc:70:12:77:a4:85:54:b5:fd:90: ++ 7a:e4:a3:e4:51:58:03:cd:10:79:79:ee:6b:93:1f: ++ 64:8e:6b:64:ab:a3:13:e3:71:fe:7d:ab:9c:dd:27: ++ 53:37:b3:aa:18:c2:59:26:ec:5b:1f:d2:e6:65:7c: ++ ef:93:bd:d8:58:5c:0b:c0:e3:65:6f:3c:c7:ca:59: ++ e3:fe:6e:5f:ac:83:be:fd:5d:25:4e:2a:29:3b:d6: ++ 0b:ab:17:32:78:a4:e1:3e:94:46:be:62:6e:9b:de: ++ 46:a8:b1:16:e7:85:6e:f4:08:40:45:11:a0:9e:54: ++ 44:84:f7:d8:36:ce:f5:50:47:dc:2c:30:9b:ee:c0: ++ f5:96:d2:fe:09:86:c7:06:59:ae:4f:ae:8e:11:98: ++ 7b:f3:0b:52:aa:62:26:aa:21:df:8e:25:33:79:97: ++ 16:49:8d:f5:3e:d5:47:9f:37:31:49:33:72:05:4d: ++ 0c:b6:55:8c:f1:57:8f:8a:87:d1:ad:c5:11:12:39: ++ a0:ad ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 57:34:F3:74:CF:04:4B:D5:25:E6:F1:40:B6:2C:4C:D9:2D:E9:A0:AD ++ Signature Algorithm: 
sha256WithRSAEncryption ++ Signature Value: ++ 3e:bb:db:17:16:d2:f2:14:01:20:2c:38:83:4b:ad:be:ca:85: ++ 7a:9a:b6:9b:6b:a6:e1:fc:a5:3a:ac:ad:b4:28:3a:af:d7:01: ++ 83:49:2b:63:a2:dd:9a:64:0e:98:5c:6f:dd:8e:bb:8a:54:22: ++ 2d:4a:13:f3:ae:40:43:db:4f:91:b7:86:1a:ec:00:b4:41:81: ++ a4:4f:fa:6a:8b:88:b3:76:08:72:2a:49:40:c3:d3:c3:85:89: ++ 98:10:a5:9d:6f:19:b7:bb:cf:7a:65:55:db:37:eb:3c:8a:72: ++ 32:97:1e:9a:29:3e:ad:8d:e6:a3:1b:6d:f5:75:1a:e6:b0:68: ++ b9:5b:a2:ee:69:47:27:35:a1:86:99:80:f3:33:4b:e1:6b:a4: ++ 26:c3:ef:74:59:6c:7a:a2:64:b6:1e:44:c3:50:e0:0f:39:3d: ++ a9:33:f1:a5:f3:d2:bd:62:84:ac:8e:1c:a9:cd:5a:bd:37:3b: ++ 6e:0a:22:b4:f4:15:e7:91:58:c5:3a:44:d3:95:28:d9:c0:65: ++ e9:72:ca:d0:0f:bd:1f:b3:15:d9:a9:e3:a4:47:09:9e:e0:cb: ++ 37:fb:fd:bd:97:d5:be:18:1a:69:a2:39:81:d9:1a:f5:ab:7f: ++ c8:e3:e2:67:0b:9d:f4:0c:ea:54:df:d2:b2:af:b1:22:f1:20: ++ df:bc:44:1c ++SHA1 Fingerprint=7A:22:1E:3D:DE:1B:06:AC:9E:C8:47:70:16:8E:3C:E5:F7:6B:06:F4 ++-----BEGIN CERTIFICATE----- ++MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExMjAeFw0yMDA0MDgw ++NTM2NDZaFw00MDA0MDgwNTM2NDZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6OcE3emhF ++KxS06+QT61d1I02PJC0W6K6OyX2kVzsqdiUzg2zqMoqUm048luT9Ub+ZyZN+v/mt ++p7JIKwccJ/VMvHASd6SFVLX9kHrko+RRWAPNEHl57muTH2SOa2SroxPjcf59q5zd ++J1M3s6oYwlkm7Fsf0uZlfO+TvdhYXAvA42VvPMfKWeP+bl+sg779XSVOKik71gur ++FzJ4pOE+lEa+Ym6b3kaosRbnhW70CEBFEaCeVESE99g2zvVQR9wsMJvuwPWW0v4J ++hscGWa5Pro4RmHvzC1KqYiaqId+OJTN5lxZJjfU+1UefNzFJM3IFTQy2VYzxV4+K ++h9GtxRESOaCtAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD ++AgEGMB0GA1UdDgQWBBRXNPN0zwRL1SXm8UC2LEzZLemgrTANBgkqhkiG9w0BAQsF ++AAOCAQEAPrvbFxbS8hQBICw4g0utvsqFepq2m2um4fylOqyttCg6r9cBg0krY6Ld ++mmQOmFxv3Y67ilQiLUoT865AQ9tPkbeGGuwAtEGBpE/6aouIs3YIcipJQMPTw4WJ 
++mBClnW8Zt7vPemVV2zfrPIpyMpcemik+rY3moxtt9XUa5rBouVui7mlHJzWhhpmA ++8zNL4WukJsPvdFlseqJkth5Ew1DgDzk9qTPxpfPSvWKErI4cqc1avTc7bgoitPQV ++55FYxTpE05Uo2cBl6XLK0A+9H7MV2anjpEcJnuDLN/v9vZfVvhgaaaI5gdka9at/ ++yOPiZwud9AzqVN/Ssq+xIvEg37xEHA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA14.pem +@@ -0,0 +1,135 @@ ++## ++## SecureSign Root CA14 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 64:db:5a:0c:20:4e:e8:d7:29:77:c8:50:27:a2:5a:27:dd:2d:f2:cb ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Validity ++ Not Before: Apr 8 07:06:19 2020 GMT ++ Not After : Apr 8 07:06:19 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c5:d2:7a:a1:d6:8a:bf:16:31:d0:98:d1:3a:94: ++ fc:5a:b8:6e:22:c1:62:f7:a7:0a:27:ef:50:f6:2e: ++ b1:9e:68:12:f0:6c:24:63:39:f1:f0:df:10:c6:de: ++ b7:52:20:d5:52:5b:42:99:9e:f3:a0:be:52:1f:5f: ++ cc:67:6d:a7:2e:50:a2:c1:97:8d:b6:f8:95:f5:b0: ++ ba:dc:9d:e0:be:cb:df:f7:38:f2:47:f5:a6:9a:92: ++ 95:2a:62:59:50:0b:a2:b1:35:e7:65:b2:61:b2:ea: ++ 92:71:69:e4:29:f0:4f:81:81:04:3c:b2:a5:5b:d4: ++ c5:a8:59:67:7b:55:1c:49:ab:7a:9d:c2:e7:73:4d: ++ ef:cd:09:c2:c4:57:12:db:01:0e:23:79:09:07:3b: ++ a2:e8:fc:8a:cf:8f:c0:46:24:9c:38:27:e0:83:9d: ++ 1b:a0:bf:78:15:10:eb:86:4e:0a:5a:fd:df:da:2c: ++ 82:7e:ee:ca:f6:29:e1:fa:71:a1:f7:88:68:9c:9c: ++ f0:8d:be:0f:49:91:d8:ea:3a:f9:fd:d0:68:71:db: ++ e9:b5:2b:4e:82:92:6f:66:1f:e0:f0:dc:4c:ec:ca: ++ 
d1:ea:ba:74:06:f9:b3:84:90:94:d1:5f:8e:73:19: ++ 10:5d:02:e5:70:a5:c0:10:d0:10:7c:6f:c5:58:49: ++ b4:b0:6e:9a:da:7d:95:f5:cc:da:02:af:b8:2c:7d: ++ 79:8f:be:43:f1:f9:28:28:8d:09:43:f8:08:dd:6b: ++ c8:8b:2c:24:b1:8d:52:07:bd:78:9b:cb:ca:68:b2: ++ a4:dd:0c:4c:79:60:c6:99:d1:93:f1:30:1a:07:d3: ++ ae:22:c2:ea:ce:f1:84:09:cc:e0:14:6e:7f:3f:7e: ++ d2:82:85:ac:dc:a9:16:4e:85:a0:60:cb:f6:9c:d7: ++ c8:b3:8e:ed:c6:9b:98:75:0d:55:e8:5f:e5:95:8b: ++ 02:a4:ae:43:29:28:11:a4:e6:12:30:01:4b:75:6b: ++ 1e:66:9d:79:2f:a5:76:2f:1d:40:b4:6d:c9:7d:79: ++ 08:ec:d1:6a:b6:5d:2a:b2:a5:66:bd:6b:85:f4:74: ++ 56:c3:f5:e7:75:52:28:2c:a5:ff:66:47:a5:d4:fe: ++ fe:9e:54:bf:65:7e:01:d6:30:8f:a5:36:9c:a2:50: ++ 1c:ee:38:80:01:48:c6:c7:74:f4:c6:ac:c3:40:49: ++ 16:61:74:2c:af:8c:6f:35:ed:7b:18:00:5b:36:3c: ++ 9c:50:0d:ca:92:33:10:f1:26:49:6d:df:75:24:37: ++ 82:22:d7:e8:96:fd:15:4b:02:96:3e:07:72:95:7e: ++ ab:3d:4c:2e:d7:ca:f0:df:e0:58:3f:2d:2f:04:9a: ++ 38:a3:01 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 06:93:A3:0A:5E:28:69:37:AA:61:1D:EB:EB:FC:2D:6F:23:E4:F3:A0 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 96:80:72:09:06:7e:9c:cc:93:04:16:bb:a0:3a:8d:92:4e:b7: ++ 11:1a:0a:71:71:10:cd:04:ad:7f:a5:45:50:10:66:4e:4a:41: ++ a2:03:d9:11:4f:7a:37:b9:4b:e2:c6:8f:32:66:75:25:fb:eb: ++ ce:3f:03:29:26:8d:b8:16:1d:f6:1f:33:6e:48:e6:e8:f8:57: ++ b2:1b:79:df:3b:87:0a:e2:64:ba:00:ca:6c:ef:7e:d0:23:eb: ++ 78:8f:ff:64:9b:34:37:9f:35:65:a2:a4:00:3d:12:23:96:58: ++ 5d:ca:63:87:c6:a3:07:88:4d:e7:69:76:8a:53:cd:f1:4f:ec: ++ 42:f2:93:e3:99:a4:37:3c:87:b8:62:db:f0:ec:1f:37:3f:37: ++ 5f:43:cc:51:9d:b5:f0:97:c2:b7:85:6a:68:0b:44:1e:e5:51: ++ ee:93:ce:4b:6e:86:c1:d2:0c:24:59:36:1a:9f:2c:91:8f:e3: ++ 18:db:94:95:0a:ed:91:aa:0e:99:dc:96:53:e3:61:83:c6:16: ++ ba:23:ba:dc:dd:7e:1a:c6:7b:42:b6:d9:5a:05:dc:9a:5f:d5: ++ 
df:b8:da:47:7d:da:38:db:ac:39:d5:1e:6b:6c:2a:17:8c:61: ++ cd:b1:6d:72:01:c3:c3:20:00:62:68:16:31:d5:76:aa:86:bb: ++ 0e:aa:9e:c6:f9:f0:d9:f8:0d:21:02:e4:c5:28:16:59:11:b9: ++ d9:69:73:2a:92:78:b8:92:57:9b:08:f2:3a:e5:2f:95:b0:58: ++ b7:6b:20:14:6d:14:ef:0a:bc:7e:d8:55:d8:88:da:2f:fa:19: ++ a5:fb:8b:e0:7f:39:f5:72:2b:85:c4:2c:ac:ef:19:45:92:4c: ++ b3:61:07:dc:4d:1f:6e:d2:81:13:5c:9a:f3:12:67:83:cf:9b: ++ 3f:8b:9f:9d:a4:b9:a8:96:03:7a:c5:ee:20:de:33:da:2f:9e: ++ 1a:7a:74:1e:e1:ee:cc:5a:3a:04:dd:b3:1a:04:a8:14:63:ac: ++ b7:47:12:83:9a:6c:f5:e6:e9:15:15:91:1a:84:19:0e:94:44: ++ e7:12:8e:25:5b:80:67:19:dc:63:93:10:0b:65:2e:8a:fa:09: ++ 9a:4e:da:86:28:7d:aa:61:35:d8:0e:a7:28:1a:bb:52:e0:78: ++ f8:6c:ba:6c:b0:6e:b9:87:5e:e9:99:35:37:f1:3d:64:2b:a9: ++ a0:34:93:cf:63:2f:d5:81:df:ae:63:27:a5:1e:4e:8d:dc:29: ++ 78:59:f8:f9:a1:20:8c:a7:26:40:6e:82:72:cd:78:b2:c8:8f: ++ 3c:1e:73:e7:c1:1f:bf:cf:ce:a5:2a:9b:db:44:64:32:a0:bb: ++ 7f:5c:25:13:48:b5:7f:92 ++SHA1 Fingerprint=DD:50:C0:F7:79:B3:64:2E:74:A2:B8:9D:9F:D3:40:DD:BB:F0:F2:4F ++-----BEGIN CERTIFICATE----- ++MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNDAeFw0yMDA0MDgw ++NzA2MTlaFw00NTA0MDgwNzA2MTlaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF0nqh1oq/ ++FjHQmNE6lPxauG4iwWL3pwon71D2LrGeaBLwbCRjOfHw3xDG3rdSINVSW0KZnvOg ++vlIfX8xnbacuUKLBl422+JX1sLrcneC+y9/3OPJH9aaakpUqYllQC6KxNedlsmGy ++6pJxaeQp8E+BgQQ8sqVb1MWoWWd7VRxJq3qdwudzTe/NCcLEVxLbAQ4jeQkHO6Lo ++/IrPj8BGJJw4J+CDnRugv3gVEOuGTgpa/d/aLIJ+7sr2KeH6caH3iGicnPCNvg9J ++kdjqOvn90Ghx2+m1K06Ckm9mH+Dw3EzsytHqunQG+bOEkJTRX45zGRBdAuVwpcAQ ++0BB8b8VYSbSwbprafZX1zNoCr7gsfXmPvkPx+SgojQlD+Ajda8iLLCSxjVIHvXib ++y8posqTdDEx5YMaZ0ZPxMBoH064iwurO8YQJzOAUbn8/ftKChazcqRZOhaBgy/ac ++18izju3Gm5h1DVXoX+WViwKkrkMpKBGk5hIwAUt1ax5mnXkvpXYvHUC0bcl9eQjs 
++0Wq2XSqypWa9a4X0dFbD9ed1Uigspf9mR6XU/v6eVL9lfgHWMI+lNpyiUBzuOIAB ++SMbHdPTGrMNASRZhdCyvjG817XsYAFs2PJxQDcqSMxDxJklt33UkN4Ii1+iW/RVL ++ApY+B3KVfqs9TC7XyvDf4Fg/LS8EmjijAQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD ++AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUBpOjCl4oaTeqYR3r6/wtbyPk ++86AwDQYJKoZIhvcNAQEMBQADggIBAJaAcgkGfpzMkwQWu6A6jZJOtxEaCnFxEM0E ++rX+lRVAQZk5KQaID2RFPeje5S+LGjzJmdSX7684/AykmjbgWHfYfM25I5uj4V7Ib ++ed87hwriZLoAymzvftAj63iP/2SbNDefNWWipAA9EiOWWF3KY4fGoweITedpdopT ++zfFP7ELyk+OZpDc8h7hi2/DsHzc/N19DzFGdtfCXwreFamgLRB7lUe6TzktuhsHS ++DCRZNhqfLJGP4xjblJUK7ZGqDpncllPjYYPGFrojutzdfhrGe0K22VoF3Jpf1d+4 ++2kd92jjbrDnVHmtsKheMYc2xbXIBw8MgAGJoFjHVdqqGuw6qnsb58Nn4DSEC5MUo ++FlkRudlpcyqSeLiSV5sI8jrlL5WwWLdrIBRtFO8KvH7YVdiI2i/6GaX7i+B/OfVy ++K4XELKzvGUWSTLNhB9xNH27SgRNcmvMSZ4PPmz+Ln52kuaiWA3rF7iDeM9ovnhp6 ++dB7h7sxaOgTdsxoEqBRjrLdHEoOabPXm6RUVkRqEGQ6UROcSjiVbgGcZ3GOTEAtl ++Lor6CZpO2oYofaphNdgOpygau1LgePhsumywbrmHXumZNTfxPWQrqaA0k89jL9WB ++365jJ6UeTo3cKXhZ+PmhIIynJkBugnLNeLLIjzwec+fBH7/PzqUqm9tEZDKgu39c ++JRNItX+S ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA15.pem +@@ -0,0 +1,67 @@ ++## ++## SecureSign Root CA15 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 16:15:c7:c3:d8:49:a7:be:69:0c:8a:88:ed:f0:70:f9:dd:b7:3e:87 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Validity ++ Not Before: Apr 8 08:32:56 2020 GMT ++ Not After : Apr 8 08:32:56 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:0b:50:74:8d:64:32:99:99:b3:d2:60:08:b8:22: ++ 8e:46:74:2c:78:c0:2b:44:2d:6d:5f:1d:c9:ae:4b: ++ 52:20:83:3d:b8:14:6d:53:87:60:9e:5f:6c:85:db: ++ 06:14:95:e0:c7:28:ff:9d:5f:e4:aa:f1:b3:8b:6d: ++ ed:4f:2f:4b:c9:4a:94:91:64:75:fe:01:ec:c1:d8: ++ eb:7a:94:78:56:18:43:5f:6b:81:cb:f6:bc:da:b4: ++ 0c:b6:29:93:08:69:8f ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ EB:41:C8:AE:FC:D5:9E:51:48:F5:BD:8B:F4:87:20:93:41:2B:D3:F4 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:31:00:d9:2e:89:7e:5e:4e:a4:11:07:bd:59:c2:07: ++ de:ab:32:38:53:2a:46:44:06:17:7a:ce:51:e9:e0:ff:66:2d: ++ 09:4e:e0:4f:f4:05:d1:85:f6:35:60:dc:f5:72:b3:46:7d:02: ++ 30:44:98:46:1a:82:85:1e:61:69:89:4b:07:4b:66:b5:9e:aa: ++ ba:a0:1e:41:d9:01:74:3a:6e:45:3a:89:80:19:7b:32:98:55: ++ 63:ab:eb:63:6e:93:6d:ab:1b:09:60:31:4e ++SHA1 Fingerprint=CB:BA:83:C8:C1:5A:5D:F1:F9:73:6F:CA:D7:EF:28:13:06:4A:07:7D ++-----BEGIN CERTIFICATE----- ++MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw ++UTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28uLCBM ++dGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNTAeFw0yMDA0MDgwODMy ++NTZaFw00NTA0MDgwODMyNTZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJl ++cnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290 
++IENBMTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQLUHSNZDKZmbPSYAi4Io5GdCx4 ++wCtELW1fHcmuS1Iggz24FG1Th2CeX2yF2wYUleDHKP+dX+Sq8bOLbe1PL0vJSpSR ++ZHX+AezB2Ot6lHhWGENfa4HL9rzatAy2KZMIaY+jQjBAMA8GA1UdEwEB/wQFMAMB ++Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT ++9DAKBggqhkjOPQQDAwNoADBlAjEA2S6Jfl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp ++4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJSwdLZrWeqrqgHkHZAXQ6 ++bkU6iYAZezKYVWOr62Nuk22rGwlgMU4= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Security_Communication_RootCA3.pem.orig ++++ secure/caroot/trusted/Security_Communication_RootCA3.pem +@@ -1,135 +0,0 @@ +-## +-## Security Communication RootCA3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- e1:7c:37:40:fd:1b:fe:67 +- Signature Algorithm: sha384WithRSAEncryption +- Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Validity +- Not Before: Jun 16 06:17:16 2016 GMT +- Not After : Jan 18 06:17:16 2038 GMT +- Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: +- b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: +- 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: +- ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: +- af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: +- a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: +- c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: +- 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: +- e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: +- bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: +- 
c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: +- 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: +- d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: +- f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: +- b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: +- 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: +- d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: +- 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: +- d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: +- b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: +- 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: +- 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: +- 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: +- 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: +- 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: +- 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: +- c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: +- d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: +- 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: +- 48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: +- 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: +- af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: +- 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: +- 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: +- d1:d9:c7 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha384WithRSAEncryption +- Signature Value: +- dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: +- 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: +- b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: +- f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: +- e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: +- bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: +- 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: +- 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: +- 
c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: +- b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: +- 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: +- b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: +- cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: +- 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: +- 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: +- 0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: +- 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: +- 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: +- f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: +- 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: +- e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: +- 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: +- c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: +- 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: +- 3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: +- 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: +- 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: +- 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: +- 51:d7:af:fd:33:9d:4d:66 +-SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A +------BEGIN CERTIFICATE----- +-MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV +-BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +-JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 +-MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +-U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg +-Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +-CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r +-CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA +-lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG +-TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 
+-9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 +-8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 +-g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we +-GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +-+3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M +-0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ +-T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw +-HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP +-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS +-YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA +-FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd +-9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI +-UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ +-OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke +-gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf +-iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV +-nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD +-2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// +-1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad +-TdJ0MN1kURXbg4NR16/9M51NZg== +------END CERTIFICATE----- +--- secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem.orig ++++ secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem +@@ -1,140 +0,0 @@ +-## +-## SwissSign Silver CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Validity +- Not Before: Oct 25 08:32:46 2006 GMT +- Not After : Oct 25 08:32:46 2036 GMT +- Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: +- bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: +- 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: +- 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: +- b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: +- a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: +- d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: +- 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: +- bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: +- 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: +- 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: +- 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: +- 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: +- 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: +- 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: +- b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: +- a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: +- cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: +- 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: +- 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: +- be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: +- ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: +- 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: +- 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: +- e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: +- 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: +- fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: +- 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: +- ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: +- 
9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: +- f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: +- a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: +- b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: +- 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: +- ea:d6:1f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Authority Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Certificate Policies: +- Policy: 2.16.756.1.89.1.3.1.1 +- CPS: http://repository.swisssign.com/ +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: +- 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: +- 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: +- 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: +- c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: +- 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: +- 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: +- 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: +- ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: +- 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: +- e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: +- 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: +- 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: +- 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: +- 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: +- f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: +- 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: +- 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: +- 72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: +- a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: +- d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: 
+- ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: +- da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: +- 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: +- 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: +- f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: +- 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: +- 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: +- 60:39:ce:ca:62:d8:2e:6e +-SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB +------BEGIN CERTIFICATE----- +-MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE +-BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu +-IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow +-RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY +-U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +-MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv +-Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br +-YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF +-nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH +-6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt +-eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ +-c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ +-MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH +-HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf +-jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 +-5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB +-rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +-F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c +-wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 +-cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB +-AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp 
+-WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 +-xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ +-2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ +-IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 +-aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X +-em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR +-dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ +-OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ +-hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy +-tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/TWCA_CYBER_Root_CA.pem +@@ -0,0 +1,137 @@ ++## ++## TWCA CYBER Root CA ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 40:01:34:8c:c2:00:00:00:00:00:00:00:01:3c:f2:c6 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Validity ++ Not Before: Nov 22 06:54:29 2022 GMT ++ Not After : Nov 22 15:59:59 2047 GMT ++ Subject: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c6:f8:ca:1e:d9:09:20:7e:1d:6c:4e:ce:8f:e3: ++ 47:33:44:9c:c7:c9:69:aa:3a:5b:78:ee:70:d2:92: ++ f8:04:b3:52:52:1d:67:72:28:a1:df:8b:5d:95:0a: ++ fe:ea:cd:ed:f7:29:ce:f0:6f:7f:ac:cd:3d:ef:b3: ++ 1c:45:6a:f7:28:90:f1:61:57:c5:0c:c4:a3:50:5d: ++ de:d4:b5:cb:19:ca:80:b9:75:ce:29:ce:d2:85:22: ++ ec:02:63:cc:44:30:20:da:ea:91:5b:56:e6:1d:1c: ++ d5:9d:66:c7:3f:df:86:ca:4b:53:c4:d9:8d:b2:1d: ++ ea:f8:dc:27:53:a3:47:e1:61:cc:7d:b5:b0:f8:ee: ++ 73:91:c5:ce:73:6f:ce:ee:10:1f:1a:06:cf:e9:27: ++ 60:c5:4f:19:e4:eb:ce:22:26:45:d7:60:99:dd:ce: ++ 4f:37:e0:7f:e7:63:ad:b0:b8:59:b8:d0:06:68:35: ++ 60:d3:36:ae:71:43:04:f1:69:65:78:7c:f3:1f:f3: ++ ca:28:9f:5a:20:95:66:b4:cd:b7:ee:8f:78:a4:45: ++ 18:e9:26:2f:8d:9b:29:28:b1:a4:b7:3a:6d:b9:d4: ++ 1c:38:72:45:58:b1:5e:eb:f0:28:9b:b7:82:ca:fd: ++ cf:d6:33:0f:9f:fb:97:9e:b1:1c:9c:9e:ea:5f:5e: ++ db:aa:dd:54:e9:30:21:28:6d:8e:79:f3:75:92:8c: ++ 26:fe:dc:c5:f6:c3:b0:df:44:59:43:a3:b6:03:28: ++ f6:08:30:aa:0d:33:e1:ef:9c:a9:07:22:e3:59:5b: ++ 40:8f:da:88:b7:69:08:a8:b7:23:2e:44:09:59:37: ++ 5b:c7:e3:17:f2:22:eb:6e:39:52:c5:de:54:a7:98: ++ c9:4b:20:95:dc:46:89:5f:b4:12:f9:85:29:8e:eb: ++ c8:27:15:20:c0:4b:d4:cc:7c:0c:6c:34:0c:26:9b: ++ 26:31:a6:3c:a7:f6:d9:d0:4b:a2:64:ff:3b:99:41: ++ 72:c1:e0:70:97:f1:24:bb:2b:c4:74:22:b1:ac:6b: ++ 22:32:24:d3:78:2a:c0:c0:a1:2f:f1:52:05:c9:3f: ++ ef:76:66:e2:45:d8:0d:3d:ad:95:c8:c7:89:26:c8: ++ 0f:ae:a7:03:2e:fb:c1:5f:fa:20:e1:70:ad:b0:65: ++ 
20:37:33:60:b0:d5:af:d7:0c:1c:c2:90:70:d7:4a: ++ 18:bc:7e:01:b0:b0:eb:15:1e:44:06:cd:a4:4f:e8: ++ 0c:d1:c3:20:10:e1:54:65:9e:b6:51:d0:1a:76:6b: ++ 42:5a:58:76:34:ea:b7:37:19:ae:2e:75:f9:96:e5: ++ c1:59:f7:94:57:29:25:8d:3a:4c:ab:4d:9a:41:d0: ++ 5f:26:03 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ X509v3 Subject Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 64:8f:7a:c4:62:0e:b5:88:cc:b8:c7:86:0e:a1:4a:16:cd:70: ++ 0b:b7:a7:85:0b:b3:76:b6:0f:a7:ff:08:8b:0b:25:cf:a8:d4: ++ 83:75:2a:b8:96:88:b6:fb:df:2d:2d:b4:69:53:21:35:57:d6: ++ 89:4d:73:bf:69:8f:70:a3:61:cc:9a:db:1e:9a:e0:20:f8:6c: ++ bb:9b:22:9d:5d:84:31:9a:2c:8a:dd:6a:a1:d7:28:69:ca:fe: ++ 76:55:7a:46:67:eb:cc:43:88:16:a2:03:d6:b9:17:f8:19:6c: ++ 6d:23:02:7f:f1:5f:d0:0a:29:23:3b:d1:aa:0a:ed:a9:17:26: ++ 54:0a:4d:c2:a5:4d:f8:c5:fd:b8:81:cf:2b:2c:78:a3:67:4c: ++ a9:07:9a:f3:df:5e:fb:7c:f5:89:cd:74:97:61:10:6a:07:2b: ++ 81:5a:d2:8e:b7:e7:20:d1:20:6e:24:a8:84:27:a1:57:ac:aa: ++ 55:58:2f:dc:d9:ca:fa:68:04:9e:ed:44:24:f9:74:40:3b:23: ++ 33:ab:83:5a:18:26:42:b6:6d:54:b5:16:60:30:6c:b1:a0:f8: ++ b8:41:a0:5d:49:49:d2:65:05:3a:ea:fe:9d:61:bc:86:d9:bf: ++ de:d3:ba:3a:b1:7f:7e:92:34:8e:c9:00:6e:dc:98:bd:dc:ec: ++ 80:05:ad:02:3d:df:65:ed:0b:03:f7:f7:16:84:04:31:ba:93: ++ 94:d8:f2:12:f8:8a:e3:bf:42:af:a7:d4:cd:11:17:16:c8:42: ++ 1d:14:a8:42:f6:d2:40:86:a0:4f:23:ca:96:45:56:60:06:cd: ++ b7:55:01:a6:01:94:65:fe:6e:05:09:ba:b4:a4:aa:e2:ef:58: ++ be:bd:27:56:d8:ef:73:71:5b:44:33:f2:9a:72:ea:b0:5e:3e: ++ 6e:a9:52:5b:ec:70:6d:b5:87:8f:37:5e:3c:8c:9c:ce:e4:f0: ++ ce:0c:67:41:cc:ce:f6:80:ab:4e:cc:4c:56:f5:c1:61:59:93: ++ b4:3e:a6:da:b8:37:12:9f:2a:32:e3:8b:b8:21:ec:c3:2b:65: ++ 
0c:ef:22:de:88:29:3b:4c:d7:fa:fe:b7:e1:47:be:9c:3e:3e: ++ 83:fb:51:5d:f5:68:f7:2e:21:85:dc:bf:f1:5a:e2:7c:d7:c5: ++ e4:83:c1:6a:eb:ba:80:5a:de:5c:2d:70:76:f8:c8:e5:87:87: ++ ca:a0:9d:a1:e5:22:12:27:0f:44:3d:1d:6c:ea:d4:c2:8b:2f: ++ 6f:79:ab:7f:50:a6:c4:19:a7:a1:7a:b7:96:f9:c1:1f:62:5a: ++ a2:43:07:40:5e:26:c6:ac:ed:ae:70:16:c5:aa:ca:72:8a:4d: ++ b0:cf:01:8b:03:3f:6e:d7 ++SHA1 Fingerprint=F6:B1:1C:1A:83:38:E9:7B:DB:B3:A8:C8:33:24:E0:2D:9C:7F:26:66 ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ ++MQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FOLUNBMRAwDgYDVQQLEwdSb290 ++IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3QgQ0EwHhcNMjIxMTIyMDY1NDI5 ++WhcNNDcxMTIyMTU1OTU5WjBQMQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FO ++LUNBMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3Qg ++Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDG+Moe2Qkgfh1sTs6P ++40czRJzHyWmqOlt47nDSkvgEs1JSHWdyKKHfi12VCv7qze33Kc7wb3+szT3vsxxF ++avcokPFhV8UMxKNQXd7UtcsZyoC5dc4pztKFIuwCY8xEMCDa6pFbVuYdHNWdZsc/ ++34bKS1PE2Y2yHer43CdTo0fhYcx9tbD47nORxc5zb87uEB8aBs/pJ2DFTxnk684i ++JkXXYJndzk834H/nY62wuFm40AZoNWDTNq5xQwTxaWV4fPMf88oon1oglWa0zbfu ++j3ikRRjpJi+NmykosaS3Om251Bw4ckVYsV7r8Cibt4LK/c/WMw+f+5eesRycnupf ++Xtuq3VTpMCEobY5583WSjCb+3MX2w7DfRFlDo7YDKPYIMKoNM+HvnKkHIuNZW0CP ++2oi3aQiotyMuRAlZN1vH4xfyIutuOVLF3lSnmMlLIJXcRolftBL5hSmO68gnFSDA ++S9TMfAxsNAwmmyYxpjyn9tnQS6Jk/zuZQXLB4HCX8SS7K8R0IrGsayIyJNN4KsDA ++oS/xUgXJP+92ZuJF2A09rZXIx4kmyA+upwMu+8Ff+iDhcK2wZSA3M2Cw1a/XDBzC ++kHDXShi8fgGwsOsVHkQGzaRP6AzRwyAQ4VRlnrZR0Bp2a0JaWHY06rc3Ga4udfmW ++5cFZ95RXKSWNOkyrTZpB0F8mAwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD ++VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSdhWEUfMFib5do5E83QOGt4A1WNzAd ++BgNVHQ4EFgQUnYVhFHzBYm+XaORPN0DhreANVjcwDQYJKoZIhvcNAQEMBQADggIB ++AGSPesRiDrWIzLjHhg6hShbNcAu3p4ULs3a2D6f/CIsLJc+o1IN1KriWiLb73y0t ++tGlTITVX1olNc79pj3CjYcya2x6a4CD4bLubIp1dhDGaLIrdaqHXKGnK/nZVekZn ++68xDiBaiA9a5F/gZbG0jAn/xX9AKKSM70aoK7akXJlQKTcKlTfjF/biBzysseKNn 
++TKkHmvPfXvt89YnNdJdhEGoHK4Fa0o635yDRIG4kqIQnoVesqlVYL9zZyvpoBJ7t ++RCT5dEA7IzOrg1oYJkK2bVS1FmAwbLGg+LhBoF1JSdJlBTrq/p1hvIbZv97Tujqx ++f36SNI7JAG7cmL3c7IAFrQI932XtCwP39xaEBDG6k5TY8hL4iuO/Qq+n1M0RFxbI ++Qh0UqEL20kCGoE8jypZFVmAGzbdVAaYBlGX+bgUJurSkquLvWL69J1bY73NxW0Qz ++8ppy6rBePm6pUlvscG21h483XjyMnM7k8M4MZ0HMzvaAq07MTFb1wWFZk7Q+ptq4 ++NxKfKjLji7gh7MMrZQzvIt6IKTtM1/r+t+FHvpw+PoP7UV31aPcuIYXcv/Fa4nzX ++xeSDwWrruoBa3lwtcHb4yOWHh8qgnaHlIhInD0Q9HWzq1MKLL295q39QpsQZp6F6 ++t5b5wR9iWqJDB0BeJsas7a5wFsWqynKKTbDPAYsDP27X ++-----END CERTIFICATE----- diff --git a/website/static/security/patches/EN-25:08/caroot-13.5.patch.asc b/website/static/security/patches/EN-25:08/caroot-13.5.patch.asc new file mode 100644 index 0000000000..20a8231a22 --- /dev/null +++ b/website/static/security/patches/EN-25:08/caroot-13.5.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38D4ACgkQbljekB8A +Gu9c+BAAsE+hIBQYd1QXGt5qeCqF/JWlI3Og2kRvtLjUQUAFFhwdtjJjL/IAvJyx +V9PKsl1EkcJzrmbv7V5wr1Nsvd33dK2ayrYtxdTwHQinppcJ0reCzcFpLmIAAJHM +nMQ67azoQuOtQ/U28yy7QBOBECKZwzI06ohONiQT8itDzn+G3RLpbGuuR+28LrVu +W9Q4eYZlEBDRKxlHyniBEBxrOHeixUNMAMAhUMYpmyT65mzDFwGk+aoJ0gmhWXvJ +qXklWbdnU5qQ0voaxEe280pH7tJM+rg9MbOdOZMYv1ofDOrdpz+w5S8RZEvuY8dh +6Ql7n7HJwJ+oOJ2vEaGvwhudyiRXqrBaZ9ZEsWaG1HejXOP5TxjR93Sf5ZGD9v3w +Edna1jBmB5gD64flmlhwos6FBwx5rvWeT98TbM8/2o3I337UQNDE9BoZPQZT/+ca +FzbSDdaEEQj+KBUFwPWRdgT3suP9NImPZd3NJCjBOfRnc4Clkm5+Rpxo70NzBkwl +YboNoyfIqBGrf7nmljWawXNe4E1jKPc4FRiaGSpmzz96j0K1yDm5M6drsUOO5bBr +8xOytTBfpgFQWx5H2ki2sSmDdbuk2kZmG3zRhi5ZRH/poN+xttAChM0PM1lOtixh +t+D7kroc3UJe20uPUi1Kj9Mip7cWgFy+AioeTdwv+I4OP6N6sDI= +=DgUN +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-25:08/caroot-14.2.patch b/website/static/security/patches/EN-25:08/caroot-14.2.patch new file mode 100644 index 0000000000..19c0807699 --- /dev/null +++ b/website/static/security/patches/EN-25:08/caroot-14.2.patch 
@@ -0,0 +1,3374 @@ +--- ObsoleteFiles.inc.orig ++++ ObsoleteFiles.inc +@@ -51,6 +51,26 @@ + # xargs -n1 | sort | uniq -d; + # done + ++# 20250310: caroot bundle updated ++OLD_FILES+=usr/share/certs/trusted/Entrust_Root_Certification_Authority_-_G4.pem ++OLD_FILES+=usr/share/certs/trusted/SecureSign_RootCA11.pem ++OLD_FILES+=usr/share/certs/trusted/Security_Communication_RootCA3.pem ++OLD_FILES+=usr/share/certs/trusted/SwissSign_Silver_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/untrusted/AddTrust_External_Root.pem ++OLD_FILES+=usr/share/certs/untrusted/AddTrust_Low-Value_Services_Root.pem ++OLD_FILES+=usr/share/certs/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem ++OLD_FILES+=usr/share/certs/untrusted/Cybertrust_Global_Root.pem ++OLD_FILES+=usr/share/certs/untrusted/DST_Root_CA_X3.pem ++OLD_FILES+=usr/share/certs/untrusted/GlobalSign_Root_CA_-_R2.pem ++OLD_FILES+=usr/share/certs/untrusted/QuoVadis_Root_CA.pem ++OLD_FILES+=usr/share/certs/untrusted/Sonera_Class_2_Root_CA.pem ++OLD_FILES+=usr/share/certs/untrusted/GeoTrust_Global_CA.pem ++OLD_FILES+=usr/share/certs/untrusted/Staat_der_Nederlanden_EV_Root_CA.pem ++OLD_FILES+=usr/share/certs/untrusted/E-Tugra_Certification_Authority.pem ++OLD_FILES+=usr/share/certs/untrusted/Hongkong_Post_Root_CA_1.pem ++OLD_FILES+=usr/share/certs/untrusted/Security_Communication_Root_CA.pem ++OLD_FILES+=usr/share/certs/untrusted/Trustis_FPS_Root_CA.pem ++ + # 20240914 libpcap upgrade from 1.10.4 to 1.10.5 + OLD_FILES+=contrib/libpcap/pcap-haiku.cpp + OLD_FILES+=contrib/libpcap/pcap-rpcap-int.h +--- /dev/null ++++ secure/caroot/trusted/D-TRUST_BR_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST BR Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Validity ++ Not Before: May 9 08:56:31 2023 GMT ++ Not After : May 9 08:56:30 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST BR Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:ae:ff:09:59:91:80:0a:4a:68:e6:24:3f:b8:a7: ++ e4:c8:3a:0a:3a:16:cd:c9:23:61:a0:93:71:f2:ab: ++ 8b:73:8f:a0:67:65:60:d2:54:6b:63:51:6f:49:33: ++ e0:72:07:13:7d:38:cd:06:92:07:29:52:6b:4e:77: ++ 6c:04:d3:95:fa:dd:4c:8c:d9:5d:c1:61:7d:4b:e7: ++ 28:b3:44:81:7b:51:af:dd:33:b1:68:7c:d6:4e:4c: ++ fe:2b:68:b9:ca:66:69:c4:ec:5e:57:7f:f7:0d:c7: ++ 9c:36:36:e5:07:60:ac:c0:4c:ea:08:6c:ef:06:7c: ++ 4f:5b:28:7a:08:fc:93:5d:9b:f6:9c:b4:8b:86:ba: ++ 21:b9:f4:f0:e8:59:5a:28:a1:34:84:1a:25:91:b6: ++ b5:8f:ef:b2:f9:80:fa:f9:3d:3c:11:72:d8:e3:2f: ++ 86:76:c5:79:2c:c1:a9:90:93:46:98:67:cb:83:6a: ++ a0:50:23:a7:3b:f6:81:39:e0:ed:f0:b9:bf:65:f1: ++ d8:cb:7a:fb:ef:73:03:ce:00:f4:7d:d7:e0:5d:3b: ++ 66:b8:dc:8e:ba:83:cb:87:76:03:fc:25:d9:e7:23: ++ 6f:06:fd:67:f3:e0:ff:84:bc:47:bf:b5:16:18:46: ++ 69:14:cc:05:f7:db:d3:49:ac:6b:cc:ab:e4:b5:0b: ++ 43:24:5e:4b:6b:4d:67:df:d6:b5:3e:4f:78:1f:94: ++ 71:24:ea:de:70:fc:f1:93:fe:9e:93:5a:e4:94:5a: ++ 97:54:0c:35:7b:5f:6c:ee:00:1f:24:ec:03:ba:02: ++ f5:76:f4:9f:d4:9a:ed:85:2c:38:22:2f:c7:d8:2f: ++ 76:11:4f:fd:6c:5c:e8:f5:8e:27:87:7f:19:4a:21: ++ 47:90:1d:79:8d:1c:5b:f8:cf:4a:85:e4:ed:b3:5b: ++ 8d:be:c4:64:28:5d:41:c4:6e:ac:38:5a:4f:23:74: ++ 74:a9:12:c3:f6:d2:b9:11:15:33:07:91:d8:3b:37: ++ 3a:63:30:06:d1:c5:22:36:28:62:23:10:e0:46:cc: ++ 97:ac:d6:2b:5d:64:24:d5:ee:1c:0e:de:fb:08:5a: ++ 75:2a:f6:63:6d:ce:0b:42:be:d1:ba:70:1c:9c:21: ++ e5:0f:31:69:17:d7:fc:0a:b4:de:ed:80:9c:cb:92: ++ 
b4:8b:f5:de:59:a2:58:09:a5:63:47:0b:e1:41:32: ++ 34:41:d9:9a:b1:d9:a8:b0:1b:5a:de:0d:0d:f4:e2: ++ b2:5d:35:80:b9:81:d4:84:69:91:02:cb:75:d0:8d: ++ c5:b5:3d:09:91:09:8f:14:a1:14:74:79:3e:d6:c9: ++ 15:1d:a4:59:59:22:dc:f6:8a:45:3d:3c:12:d6:3e: ++ 5d:32:2f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 67:90:F0:D6:DE:B5:18:D5:46:29:7E:5C:AB:F8:9E:08:BC:64:95:10 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_br_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 34:f7:b3:77:53:db:30:16:b9:2d:a5:21:f1:40:21:75:eb:eb: ++ 48:16:81:3d:73:e0:9e:27:2a:eb:77:a9:13:a4:6a:0a:5a:5a: ++ 14:33:3d:68:1f:81:ae:69:fd:8c:9f:65:6c:34:42:d9:2d:d0: ++ 7f:78:16:b1:3a:ac:23:31:ad:5e:7f:ae:e7:ae:2b:fa:ba:fc: ++ 3c:97:95:40:93:5f:c3:2d:03:a3:ed:a4:6f:53:d7:fa:40:0e: ++ 30:f5:00:20:2c:00:4c:8c:3b:b4:a3:1f:b6:bf:91:32:ab:af: ++ 92:98:d3:16:e6:d4:d1:54:5c:43:5b:2e:ae:ef:57:2a:a8:b4: ++ 6f:a4:ef:0d:56:14:da:21:ab:20:76:9e:03:fc:26:b8:9e:3f: ++ 3e:03:26:e6:4c:db:9d:5f:42:84:3d:45:03:03:1c:59:88:ca: ++ dc:2e:61:24:5a:a4:ea:27:0b:73:12:be:52:b3:0a:cf:32:17: ++ e2:1e:87:1a:16:95:48:6d:5a:e0:d0:cf:09:92:26:66:91:d8: ++ a3:61:0e:aa:81:81:7f:e8:52:82:d1:42:e7:e0:1d:18:fa:a4: ++ 85:36:e7:86:e0:0d:eb:bc:d4:c9:d6:3c:43:f1:5d:49:6e:7e: ++ 81:9b:69:b5:89:62:8f:88:52:d8:d7:fe:27:c1:23:c5:cb:2b: ++ 02:bb:b1:5f:fe:fb:43:85:03:46:be:5d:c6:ca:21:26:ff:d7: ++ 02:9e:74:4a:dc:f8:13:15:b1:81:57:36:cb:65:5c:d1:1d:31: ++ 77:e9:25:c3:c3:b2:32:37:d5:f1:98:09:e4:6d:63:80:08:ab: ++ 06:92:81:d4:e9:70:8f:a7:3f:b2:ed:86:8c:82:6a:35:c8:42: ++ 5a:82:d1:52:1a:45:0f:15:a5:00:f0:94:7b:65:27:57:39:43: ++ cf:7c:7f:e6:bd:35:b3:7b:f1:19:4c:de:3a:96:cf:e9:76:ee: ++ 03:e7:c2:43:52:3c:6a:81:e8:c1:5a:80:bd:11:5d:93:6b:fb: ++ c7:e6:64:3f:bb:69:1c:e9:dd:25:8b:af:74:c9:54:40:ca:cb: ++ 
93:13:0a:ed:fb:66:92:11:ca:f5:c0:fa:d8:83:55:03:7c:d3: ++ c5:22:46:75:70:6b:79:48:06:2a:82:9a:bf:e6:eb:16:0e:22: ++ 45:01:bc:dd:36:94:34:a9:35:26:8a:d7:97:b9:ee:08:72:bf: ++ 34:92:70:83:80:ab:38:aa:59:68:dd:40:a4:18:90:b2:f3:d5: ++ 03:ca:26:ca:ef:d5:c7:e0:8f:53:8e:f0:00:e3:a8:ed:9f:f9: ++ ad:77:e0:2b:63:4f:9e:c3:ee:37:bb:78:09:84:9e:b9:6e:fb: ++ 29:99:90:e8:80:d3:9f:24 ++SHA1 Fingerprint=2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEJSIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUw ++OTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCTcfKr ++i3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNE ++gXtRr90zsWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8 ++k12b9py0i4a6Ibn08OhZWiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCT ++Rphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl ++2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LULQyReS2tNZ9/WtT5PeB+U ++cSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIvx9gvdhFP ++/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bS ++uREVMweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+ ++0bpwHJwh5Q8xaRfX/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4N ++DfTisl01gLmB1IRpkQLLddCNxbU9CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+ ++XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZ5Dw1t61 ++GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tI ++FoE9c+CeJyrrd6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67n ++riv6uvw8l5VAk1/DLQOj7aRvU9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTR 
++VFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4nj8+AybmTNudX0KEPUUDAxxZiMrc ++LmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdijYQ6qgYF/6FKC0ULn ++4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff/vtD ++hQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsG ++koHU6XCPpz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46 ++ls/pdu4D58JDUjxqgejBWoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aS ++Ecr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/5usWDiJFAbzdNpQ0qTUmiteXue4Icr80 ++knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jtn/mtd+ArY0+ew+43u3gJ ++hJ65bvspmZDogNOfJA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/D-TRUST_EV_Root_CA_2_2023.pem +@@ -0,0 +1,139 @@ ++## ++## D-TRUST EV Root CA 2 2023 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f ++ Signature Algorithm: sha512WithRSAEncryption ++ Issuer: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Validity ++ Not Before: May 9 09:10:33 2023 GMT ++ Not After : May 9 09:10:32 2038 GMT ++ Subject: C = DE, O = D-Trust GmbH, CN = D-TRUST EV Root CA 2 2023 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:d8:8e:a3:89:80:0b:b2:57:52:dc:a9:53:4c:37: ++ b9:7f:63:17:13:ef:a7:5b:23:5b:69:75:b0:99:0a: ++ 17:c1:8b:c4:db:a8:e0:cc:31:ba:c2:f2:cd:5d:e9: ++ b7:f8:1d:af:6a:c4:95:87:d7:47:c9:95:d8:82:04: ++ 50:3d:81:08:ff:e4:3d:b3:b1:d6:c5:b2:fd:88:09: ++ db:9c:84:ec:25:17:14:87:7f:30:78:9b:6a:58:c9: ++ b6:73:28:3c:34:f7:99:f7:7f:d3:a6:f8:1c:45:7c: ++ ad:2c:8c:94:3f:d8:67:10:53:7e:22:cd:4e:25:51: ++ f0:25:24:35:11:5e:10:c6:ec:87:66:89:81:68:ba: ++ 
cc:2b:9d:47:73:1f:bd:cd:91:a4:72:6a:9c:a2:1b: ++ 18:a0:6f:ec:50:f4:7d:40:c2:a8:30:cf:bd:73:c8: ++ 13:2b:10:13:1e:8b:9a:a8:3a:94:73:d3:18:69:0a: ++ 4a:ff:c1:01:03:ff:79:7f:b5:48:7f:7b:ee:e8:29: ++ 6f:36:4c:95:61:86:d8:f9:a2:73:8a:ee:ae:2f:96: ++ ee:68:cd:3d:4d:28:42:f9:45:2b:32:1b:46:55:16: ++ 6a:a6:4b:29:f9:bb:95:56:bf:46:1d:ec:1d:93:1d: ++ c0:65:b2:1f:a1:43:ae:56:9e:a0:b1:8f:6b:12:b7: ++ 60:6d:78:0b:ca:8a:5c:ed:1e:96:0e:83:a6:48:95: ++ 8d:3b:a3:21:c4:ae:58:c6:00:b2:84:b4:23:a4:96: ++ 86:35:b8:d8:9e:d8:ac:34:49:98:63:95:c5:cb:6d: ++ 48:47:e2:f2:2e:18:1e:d0:31:ab:dd:74:ec:f9:dc: ++ 8c:b8:1c:8e:68:23:ba:d0:f3:50:dc:cf:65:8f:73: ++ 3a:32:c7:7c:fe:ca:82:22:4f:be:8e:62:47:66:e5: ++ cd:87:e2:e8:d5:0f:18:9f:e5:04:72:4b:46:3c:10: ++ f2:44:c2:64:56:71:4e:75:e8:9c:c9:26:74:c5:7d: ++ 59:d1:0a:5b:0f:6d:fe:9e:75:1c:18:c6:1a:3a:7c: ++ d8:0d:04:cc:cd:b7:45:65:7a:b1:8f:b8:ae:84:48: ++ 3e:b3:7a:4d:a8:03:e2:e2:7e:01:16:59:68:18:43: ++ 33:b0:d2:dc:b0:1a:43:35:ee:a5:da:a9:46:5c:ae: ++ 86:81:41:01:4a:74:26:ec:9f:06:bf:c2:05:37:64: ++ 75:78:29:68:fd:c5:f5:eb:fe:47:f9:e4:85:b0:e1: ++ 7b:31:9d:a6:7f:72:a3:b9:c4:2c:2e:cc:99:57:0e: ++ 21:0c:45:01:94:65:eb:65:09:c6:63:22:0b:33:49: ++ 92:48:3c:fc:cd:ce:b0:3e:8e:9e:8b:f8:fe:49:c5: ++ 35:72:47 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ AA:FC:91:10:1B:87:91:5F:16:B9:BF:4F:4B:91:5E:00:1C:B1:32:80 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 CRL Distribution Points: ++ Full Name: ++ URI:http://crl.d-trust.net/crl/d-trust_ev_root_ca_2_2023.crl ++ Signature Algorithm: sha512WithRSAEncryption ++ Signature Value: ++ 93:cb:a5:1f:99:11:ec:9a:0d:5f:2c:15:93:c6:3f:be:10:8d: ++ 78:42:f0:6e:90:47:47:8e:a3:92:32:8d:70:8f:f6:5b:8d:be: ++ 89:ce:47:01:6a:1b:20:20:89:5b:c8:82:10:6c:e0:e7:99:aa: ++ 6b:c6:2a:a0:63:35:91:6a:85:25:ad:17:38:a5:9b:7e:50:f2: ++ 76:ea:85:05:2a:27:41:2b:b1:81:d1:a2:f6:40:75:a9:0e:cb: ++ 
f1:55:48:d8:ec:d1:ec:b3:e8:ce:14:a1:35:ec:c2:5e:35:1a: ++ ab:a6:16:01:06:8e:ea:dc:2f:a3:8a:ca:2c:91:eb:52:8e:5f: ++ 0c:9b:17:cf:cb:73:07:19:c4:6a:c2:73:54:ef:7c:43:52:63: ++ c1:11:ca:c2:45:b1:f4:3b:53:f5:69:ae:3c:e3:a5:de:ac:e8: ++ 54:b7:b2:91:fd:ac:a9:1f:f2:87:e4:17:c6:49:a8:7c:d8:0a: ++ 41:f4:f2:3e:e7:77:34:04:52:dd:e8:81:f2:4d:2f:54:45:9d: ++ 15:e1:4f:cc:e5:de:34:57:10:c9:23:72:17:70:8d:50:70:1f: ++ 56:6c:cc:b9:ff:3a:5a:4f:63:7a:c3:6e:65:07:1d:84:a1:ff: ++ a9:0c:63:89:6d:b2:40:88:39:d7:1f:77:68:b5:fc:9c:d5:d6: ++ 67:69:5b:a8:74:db:fc:89:f6:1b:32:f7:a4:24:a6:76:b7:47: ++ 53:ef:8d:49:8f:a9:b6:83:5a:a5:96:90:45:61:f5:de:03:4f: ++ 26:0f:a8:8b:f0:03:96:b0:ac:15:d0:71:5a:6a:7b:94:e6:70: ++ 93:da:f1:69:e0:b2:62:4d:9e:8f:ff:89:9d:9b:5d:cd:45:e9: ++ 94:02:22:8d:e0:35:7f:e8:f1:04:79:71:6c:54:83:f8:33:b9: ++ 05:32:1b:58:55:11:4f:d0:e5:27:47:71:ec:ed:da:67:d6:62: ++ a6:4b:4d:0f:69:a2:c9:bc:ec:22:4b:94:c7:68:94:17:7e:e2: ++ 8e:28:3e:b6:c6:ea:f5:34:6c:9f:37:88:07:38:db:86:71:fa: ++ cd:95:48:43:6e:a3:4f:82:87:d7:34:98:6e:4b:93:79:60:75: ++ 69:0f:f0:1a:d5:53:fa:21:0c:c2:3f:e9:3f:1f:18:8c:92:5d: ++ 78:a7:76:67:19:bb:b2:ea:7f:e9:70:09:56:56:a3:b0:0c:0b: ++ 2d:36:5e:c5:e9:c4:d5:83:cb:86:17:97:2c:6c:13:6f:87:5a: ++ af:49:a6:1d:db:cd:38:04:2e:5f:e2:4a:35:0e:2d:4b:f8:a2: ++ 24:04:8d:d8:e1:63:5e:02:92:34:da:98:61:5c:1c:6f:58:76: ++ 64:b3:fc:02:b8:f5:9d:0a ++SHA1 Fingerprint=A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B ++-----BEGIN CERTIFICATE----- ++MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBI ++MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE ++LVRSVVNUIEVWIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUw ++OTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi ++MCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1sJkK ++F8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE 
++7CUXFId/MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFe ++EMbsh2aJgWi6zCudR3Mfvc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6 ++lHPTGGkKSv/BAQP/eX+1SH977ugpbzZMlWGG2Pmic4ruri+W7mjNPU0oQvlFKzIb ++RlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3YG14C8qKXO0elg6DpkiV ++jTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq9107PncjLgc ++jmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZx ++TnXonMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+ ++ARZZaBhDM7DS3LAaQzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nk ++hbDhezGdpn9yo7nELC7MmVcOIQxFAZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knF ++NXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUqvyREBuH ++kV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG ++OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y ++XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14 ++QvBukEdHjqOSMo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4 ++pZt+UPJ26oUFKidBK7GB0aL2QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q ++3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xDUmPBEcrCRbH0O1P1aa4846XerOhU ++t7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V4U/M5d40VxDJI3IX ++cI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuodNv8 ++ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT ++2vFp4LJiTZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs ++7dpn1mKmS00PaaLJvOwiS5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNP ++gofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAst ++Nl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L+KIkBI3Y4WNeApI02phh ++XBxvWHZks/wCuPWdCg== ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem.orig ++++ secure/caroot/trusted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -1,139 +0,0 @@ +-## +-## Entrust Root Certification Authority - G4 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). 
It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 +- Validity +- Not Before: May 27 11:11:16 2015 GMT +- Not After : Dec 27 11:41:16 2037 GMT +- Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: +- c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: +- 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: +- fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: +- 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: +- b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: +- 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: +- 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: +- d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: +- 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: +- b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: +- db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: +- c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: +- a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: +- 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: +- d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: +- ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: +- 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: +- 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: +- b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: +- 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: +- 
e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: +- fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: +- 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: +- 4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: +- 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: +- a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: +- 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: +- 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: +- 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: +- 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: +- ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: +- 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: +- 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: +- 63:73:49 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: +- ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: +- 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: +- d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: +- 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: +- c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: +- ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: +- 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: +- 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: +- 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: +- bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: +- 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: +- 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: +- 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: +- ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: +- 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: +- 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: +- 
06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: +- 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: +- 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: +- 83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: +- c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: +- 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: +- 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: +- a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: +- 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: +- 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: +- 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: +- 1f:8b:8f:53:dd:ff:ac:1f +-SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 +------BEGIN CERTIFICATE----- +-MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw +-gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL +-Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg +-MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw +-BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 +-MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 +-c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ +-bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg +-Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B +-AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ +-2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E +-T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j +-5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM +-C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T +-DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX +-wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A +-2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm 
+-nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 +-dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl +-N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj +-c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +-VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS +-5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS +-Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr +-hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ +-B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI +-AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw +-H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ +-b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk +-2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol +-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk +-5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY +-n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/FIRMAPROFESIONAL_CA_ROOT-A_WEB.pem +@@ -0,0 +1,71 @@ ++## ++## FIRMAPROFESIONAL CA ROOT-A WEB ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Validity ++ Not Before: Apr 6 09:01:36 2022 GMT ++ Not After : Mar 31 09:01:36 2047 GMT ++ Subject: C = ES, O = Firmaprofesional SA, organizationIdentifier = VATES-A62634068, CN = FIRMAPROFESIONAL CA ROOT-A WEB ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:47:53:ea:2c:11:a4:77:c7:2a:ea:f3:d6:5f:7b: ++ d3:04:91:5c:fa:88:c6:22:b9:83:10:62:77:84:33: ++ 2d:e9:03:88:d4:e0:33:f7:ed:77:2c:4a:60:ea:e4: ++ 6f:ad:6d:b4:f8:4c:8a:a4:e4:1f:ca:ea:4f:38:4a: ++ 2e:82:73:2b:c7:66:9b:0a:8c:40:9c:7c:8a:f6:f2: ++ 39:60:b2:de:cb:ec:b8:e4:6f:ea:9b:5d:b7:53:90: ++ 18:32:55:c5:20:b7:94 ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Subject Key Identifier: ++ 93:E1:43:63:5C:3C:9D:D6:27:F3:52:EC:17:B2:A9:AF:2C:F7:76:F8 ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:30:1d:7c:a4:7b:c3:89:75:33:e1:3b:a9:45:bf:46: ++ e9:e9:a1:dd:c9:22:16:b7:47:11:0b:d8:9a:ba:f1:c8:0b:70: ++ 50:53:02:91:70:85:59:a9:1e:a4:e6:ea:23:31:a0:00:02:31: ++ 00:fd:e2:f8:b3:af:16:b9:1e:73:c4:96:e3:c1:30:19:d8:7e: ++ e6:c3:97:de:1c:4f:b8:89:2f:33:eb:48:0f:19:f7:87:46:5d: ++ 26:90:a5:85:c5:b9:7a:94:3e:87:a8:bd:00 ++SHA1 Fingerprint=A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 ++-----BEGIN CERTIFICATE----- ++MIICejCCAgCgAwIBAgIQMZch7a+JQn81QYehZ1ZMbTAKBggqhkjOPQQDAzBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE 
++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwHhcNMjIwNDA2MDkwMTM2WhcNNDcwMzMxMDkwMTM2WjBuMQsw ++CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE ++YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB ++IFJPT1QtQSBXRUIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARHU+osEaR3xyrq89Zf ++e9MEkVz6iMYiuYMQYneEMy3pA4jU4DP37XcsSmDq5G+tbbT4TIqk5B/K6k84Si6C ++cyvHZpsKjECcfIr28jlgst7L7Ljkb+qbXbdTkBgyVcUgt5SjYzBhMA8GA1UdEwEB ++/wQFMAMBAf8wHwYDVR0jBBgwFoAUk+FDY1w8ndYn81LsF7Kpryz3dvgwHQYDVR0O ++BBYEFJPhQ2NcPJ3WJ/NS7Beyqa8s93b4MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjO ++PQQDAwNoADBlAjAdfKR7w4l1M+E7qUW/Runpod3JIha3RxEL2Jq68cgLcFBTApFw ++hVmpHqTm6iMxoAACMQD94vizrxa5HnPEluPBMBnYfubDl94cT7iJLzPrSA8Z94dG ++XSaQpYXFuXqUPoeovQA= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/SecureSign_RootCA11.pem.orig ++++ secure/caroot/trusted/SecureSign_RootCA11.pem +@@ -1,92 +0,0 @@ +-## +-## SecureSign RootCA11 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Validity +- Not Before: Apr 8 04:56:47 2009 GMT +- Not After : Apr 8 04:56:47 2029 GMT +- Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: +- 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: +- df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: +- 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: +- 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: +- c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: +- f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: +- a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: +- bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: +- 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: +- 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: +- 71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: +- cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: +- 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: +- d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: +- cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: +- 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: +- 3e:89 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: +- 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: +- 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: +- 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: +- 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: +- 
4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: +- 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: +- 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: +- b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: +- 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: +- d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: +- a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: +- c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: +- 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: +- d6:ba:03:f2 +-SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 +------BEGIN CERTIFICATE----- +-MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr +-MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG +-A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 +-MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp +-Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD +-QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz +-i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 +-h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV +-MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 +-UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni +-8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC +-h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD +-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +-AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm +-KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ +-X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr +-QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 +-pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN +-QSdJQO7e5iNEOdyhIta6A/I= +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA12.pem +@@ -0,0 +1,93 @@ ++## ++## 
SecureSign Root CA12 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 66:f9:c7:c1:af:ec:c2:51:b4:ed:53:97:e6:e6:82:c3:2b:1c:90:16 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Validity ++ Not Before: Apr 8 05:36:46 2020 GMT ++ Not After : Apr 8 05:36:46 2040 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA12 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:ba:39:c1:37:7a:68:45:2b:14:b4:eb:e4:13:eb: ++ 57:75:23:4d:8f:24:2d:16:e8:ae:8e:c9:7d:a4:57: ++ 3b:2a:76:25:33:83:6c:ea:32:8a:94:9b:4e:3c:96: ++ e4:fd:51:bf:99:c9:93:7e:bf:f9:ad:a7:b2:48:2b: ++ 07:1c:27:f5:4c:bc:70:12:77:a4:85:54:b5:fd:90: ++ 7a:e4:a3:e4:51:58:03:cd:10:79:79:ee:6b:93:1f: ++ 64:8e:6b:64:ab:a3:13:e3:71:fe:7d:ab:9c:dd:27: ++ 53:37:b3:aa:18:c2:59:26:ec:5b:1f:d2:e6:65:7c: ++ ef:93:bd:d8:58:5c:0b:c0:e3:65:6f:3c:c7:ca:59: ++ e3:fe:6e:5f:ac:83:be:fd:5d:25:4e:2a:29:3b:d6: ++ 0b:ab:17:32:78:a4:e1:3e:94:46:be:62:6e:9b:de: ++ 46:a8:b1:16:e7:85:6e:f4:08:40:45:11:a0:9e:54: ++ 44:84:f7:d8:36:ce:f5:50:47:dc:2c:30:9b:ee:c0: ++ f5:96:d2:fe:09:86:c7:06:59:ae:4f:ae:8e:11:98: ++ 7b:f3:0b:52:aa:62:26:aa:21:df:8e:25:33:79:97: ++ 16:49:8d:f5:3e:d5:47:9f:37:31:49:33:72:05:4d: ++ 0c:b6:55:8c:f1:57:8f:8a:87:d1:ad:c5:11:12:39: ++ a0:ad ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 57:34:F3:74:CF:04:4B:D5:25:E6:F1:40:B6:2C:4C:D9:2D:E9:A0:AD ++ Signature Algorithm: 
sha256WithRSAEncryption ++ Signature Value: ++ 3e:bb:db:17:16:d2:f2:14:01:20:2c:38:83:4b:ad:be:ca:85: ++ 7a:9a:b6:9b:6b:a6:e1:fc:a5:3a:ac:ad:b4:28:3a:af:d7:01: ++ 83:49:2b:63:a2:dd:9a:64:0e:98:5c:6f:dd:8e:bb:8a:54:22: ++ 2d:4a:13:f3:ae:40:43:db:4f:91:b7:86:1a:ec:00:b4:41:81: ++ a4:4f:fa:6a:8b:88:b3:76:08:72:2a:49:40:c3:d3:c3:85:89: ++ 98:10:a5:9d:6f:19:b7:bb:cf:7a:65:55:db:37:eb:3c:8a:72: ++ 32:97:1e:9a:29:3e:ad:8d:e6:a3:1b:6d:f5:75:1a:e6:b0:68: ++ b9:5b:a2:ee:69:47:27:35:a1:86:99:80:f3:33:4b:e1:6b:a4: ++ 26:c3:ef:74:59:6c:7a:a2:64:b6:1e:44:c3:50:e0:0f:39:3d: ++ a9:33:f1:a5:f3:d2:bd:62:84:ac:8e:1c:a9:cd:5a:bd:37:3b: ++ 6e:0a:22:b4:f4:15:e7:91:58:c5:3a:44:d3:95:28:d9:c0:65: ++ e9:72:ca:d0:0f:bd:1f:b3:15:d9:a9:e3:a4:47:09:9e:e0:cb: ++ 37:fb:fd:bd:97:d5:be:18:1a:69:a2:39:81:d9:1a:f5:ab:7f: ++ c8:e3:e2:67:0b:9d:f4:0c:ea:54:df:d2:b2:af:b1:22:f1:20: ++ df:bc:44:1c ++SHA1 Fingerprint=7A:22:1E:3D:DE:1B:06:AC:9E:C8:47:70:16:8E:3C:E5:F7:6B:06:F4 ++-----BEGIN CERTIFICATE----- ++MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExMjAeFw0yMDA0MDgw ++NTM2NDZaFw00MDA0MDgwNTM2NDZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6OcE3emhF ++KxS06+QT61d1I02PJC0W6K6OyX2kVzsqdiUzg2zqMoqUm048luT9Ub+ZyZN+v/mt ++p7JIKwccJ/VMvHASd6SFVLX9kHrko+RRWAPNEHl57muTH2SOa2SroxPjcf59q5zd ++J1M3s6oYwlkm7Fsf0uZlfO+TvdhYXAvA42VvPMfKWeP+bl+sg779XSVOKik71gur ++FzJ4pOE+lEa+Ym6b3kaosRbnhW70CEBFEaCeVESE99g2zvVQR9wsMJvuwPWW0v4J ++hscGWa5Pro4RmHvzC1KqYiaqId+OJTN5lxZJjfU+1UefNzFJM3IFTQy2VYzxV4+K ++h9GtxRESOaCtAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD ++AgEGMB0GA1UdDgQWBBRXNPN0zwRL1SXm8UC2LEzZLemgrTANBgkqhkiG9w0BAQsF ++AAOCAQEAPrvbFxbS8hQBICw4g0utvsqFepq2m2um4fylOqyttCg6r9cBg0krY6Ld ++mmQOmFxv3Y67ilQiLUoT865AQ9tPkbeGGuwAtEGBpE/6aouIs3YIcipJQMPTw4WJ 
++mBClnW8Zt7vPemVV2zfrPIpyMpcemik+rY3moxtt9XUa5rBouVui7mlHJzWhhpmA ++8zNL4WukJsPvdFlseqJkth5Ew1DgDzk9qTPxpfPSvWKErI4cqc1avTc7bgoitPQV ++55FYxTpE05Uo2cBl6XLK0A+9H7MV2anjpEcJnuDLN/v9vZfVvhgaaaI5gdka9at/ ++yOPiZwud9AzqVN/Ssq+xIvEg37xEHA== ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA14.pem +@@ -0,0 +1,135 @@ ++## ++## SecureSign Root CA14 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 64:db:5a:0c:20:4e:e8:d7:29:77:c8:50:27:a2:5a:27:dd:2d:f2:cb ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Validity ++ Not Before: Apr 8 07:06:19 2020 GMT ++ Not After : Apr 8 07:06:19 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA14 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c5:d2:7a:a1:d6:8a:bf:16:31:d0:98:d1:3a:94: ++ fc:5a:b8:6e:22:c1:62:f7:a7:0a:27:ef:50:f6:2e: ++ b1:9e:68:12:f0:6c:24:63:39:f1:f0:df:10:c6:de: ++ b7:52:20:d5:52:5b:42:99:9e:f3:a0:be:52:1f:5f: ++ cc:67:6d:a7:2e:50:a2:c1:97:8d:b6:f8:95:f5:b0: ++ ba:dc:9d:e0:be:cb:df:f7:38:f2:47:f5:a6:9a:92: ++ 95:2a:62:59:50:0b:a2:b1:35:e7:65:b2:61:b2:ea: ++ 92:71:69:e4:29:f0:4f:81:81:04:3c:b2:a5:5b:d4: ++ c5:a8:59:67:7b:55:1c:49:ab:7a:9d:c2:e7:73:4d: ++ ef:cd:09:c2:c4:57:12:db:01:0e:23:79:09:07:3b: ++ a2:e8:fc:8a:cf:8f:c0:46:24:9c:38:27:e0:83:9d: ++ 1b:a0:bf:78:15:10:eb:86:4e:0a:5a:fd:df:da:2c: ++ 82:7e:ee:ca:f6:29:e1:fa:71:a1:f7:88:68:9c:9c: ++ f0:8d:be:0f:49:91:d8:ea:3a:f9:fd:d0:68:71:db: ++ e9:b5:2b:4e:82:92:6f:66:1f:e0:f0:dc:4c:ec:ca: ++ 
d1:ea:ba:74:06:f9:b3:84:90:94:d1:5f:8e:73:19: ++ 10:5d:02:e5:70:a5:c0:10:d0:10:7c:6f:c5:58:49: ++ b4:b0:6e:9a:da:7d:95:f5:cc:da:02:af:b8:2c:7d: ++ 79:8f:be:43:f1:f9:28:28:8d:09:43:f8:08:dd:6b: ++ c8:8b:2c:24:b1:8d:52:07:bd:78:9b:cb:ca:68:b2: ++ a4:dd:0c:4c:79:60:c6:99:d1:93:f1:30:1a:07:d3: ++ ae:22:c2:ea:ce:f1:84:09:cc:e0:14:6e:7f:3f:7e: ++ d2:82:85:ac:dc:a9:16:4e:85:a0:60:cb:f6:9c:d7: ++ c8:b3:8e:ed:c6:9b:98:75:0d:55:e8:5f:e5:95:8b: ++ 02:a4:ae:43:29:28:11:a4:e6:12:30:01:4b:75:6b: ++ 1e:66:9d:79:2f:a5:76:2f:1d:40:b4:6d:c9:7d:79: ++ 08:ec:d1:6a:b6:5d:2a:b2:a5:66:bd:6b:85:f4:74: ++ 56:c3:f5:e7:75:52:28:2c:a5:ff:66:47:a5:d4:fe: ++ fe:9e:54:bf:65:7e:01:d6:30:8f:a5:36:9c:a2:50: ++ 1c:ee:38:80:01:48:c6:c7:74:f4:c6:ac:c3:40:49: ++ 16:61:74:2c:af:8c:6f:35:ed:7b:18:00:5b:36:3c: ++ 9c:50:0d:ca:92:33:10:f1:26:49:6d:df:75:24:37: ++ 82:22:d7:e8:96:fd:15:4b:02:96:3e:07:72:95:7e: ++ ab:3d:4c:2e:d7:ca:f0:df:e0:58:3f:2d:2f:04:9a: ++ 38:a3:01 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 06:93:A3:0A:5E:28:69:37:AA:61:1D:EB:EB:FC:2D:6F:23:E4:F3:A0 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 96:80:72:09:06:7e:9c:cc:93:04:16:bb:a0:3a:8d:92:4e:b7: ++ 11:1a:0a:71:71:10:cd:04:ad:7f:a5:45:50:10:66:4e:4a:41: ++ a2:03:d9:11:4f:7a:37:b9:4b:e2:c6:8f:32:66:75:25:fb:eb: ++ ce:3f:03:29:26:8d:b8:16:1d:f6:1f:33:6e:48:e6:e8:f8:57: ++ b2:1b:79:df:3b:87:0a:e2:64:ba:00:ca:6c:ef:7e:d0:23:eb: ++ 78:8f:ff:64:9b:34:37:9f:35:65:a2:a4:00:3d:12:23:96:58: ++ 5d:ca:63:87:c6:a3:07:88:4d:e7:69:76:8a:53:cd:f1:4f:ec: ++ 42:f2:93:e3:99:a4:37:3c:87:b8:62:db:f0:ec:1f:37:3f:37: ++ 5f:43:cc:51:9d:b5:f0:97:c2:b7:85:6a:68:0b:44:1e:e5:51: ++ ee:93:ce:4b:6e:86:c1:d2:0c:24:59:36:1a:9f:2c:91:8f:e3: ++ 18:db:94:95:0a:ed:91:aa:0e:99:dc:96:53:e3:61:83:c6:16: ++ ba:23:ba:dc:dd:7e:1a:c6:7b:42:b6:d9:5a:05:dc:9a:5f:d5: ++ 
df:b8:da:47:7d:da:38:db:ac:39:d5:1e:6b:6c:2a:17:8c:61: ++ cd:b1:6d:72:01:c3:c3:20:00:62:68:16:31:d5:76:aa:86:bb: ++ 0e:aa:9e:c6:f9:f0:d9:f8:0d:21:02:e4:c5:28:16:59:11:b9: ++ d9:69:73:2a:92:78:b8:92:57:9b:08:f2:3a:e5:2f:95:b0:58: ++ b7:6b:20:14:6d:14:ef:0a:bc:7e:d8:55:d8:88:da:2f:fa:19: ++ a5:fb:8b:e0:7f:39:f5:72:2b:85:c4:2c:ac:ef:19:45:92:4c: ++ b3:61:07:dc:4d:1f:6e:d2:81:13:5c:9a:f3:12:67:83:cf:9b: ++ 3f:8b:9f:9d:a4:b9:a8:96:03:7a:c5:ee:20:de:33:da:2f:9e: ++ 1a:7a:74:1e:e1:ee:cc:5a:3a:04:dd:b3:1a:04:a8:14:63:ac: ++ b7:47:12:83:9a:6c:f5:e6:e9:15:15:91:1a:84:19:0e:94:44: ++ e7:12:8e:25:5b:80:67:19:dc:63:93:10:0b:65:2e:8a:fa:09: ++ 9a:4e:da:86:28:7d:aa:61:35:d8:0e:a7:28:1a:bb:52:e0:78: ++ f8:6c:ba:6c:b0:6e:b9:87:5e:e9:99:35:37:f1:3d:64:2b:a9: ++ a0:34:93:cf:63:2f:d5:81:df:ae:63:27:a5:1e:4e:8d:dc:29: ++ 78:59:f8:f9:a1:20:8c:a7:26:40:6e:82:72:cd:78:b2:c8:8f: ++ 3c:1e:73:e7:c1:1f:bf:cf:ce:a5:2a:9b:db:44:64:32:a0:bb: ++ 7f:5c:25:13:48:b5:7f:92 ++SHA1 Fingerprint=DD:50:C0:F7:79:B3:64:2E:74:A2:B8:9D:9F:D3:40:DD:BB:F0:F2:4F ++-----BEGIN CERTIFICATE----- ++MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM ++BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u ++LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNDAeFw0yMDA0MDgw ++NzA2MTlaFw00NTA0MDgwNzA2MTlaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD ++eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS ++b290IENBMTQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF0nqh1oq/ ++FjHQmNE6lPxauG4iwWL3pwon71D2LrGeaBLwbCRjOfHw3xDG3rdSINVSW0KZnvOg ++vlIfX8xnbacuUKLBl422+JX1sLrcneC+y9/3OPJH9aaakpUqYllQC6KxNedlsmGy ++6pJxaeQp8E+BgQQ8sqVb1MWoWWd7VRxJq3qdwudzTe/NCcLEVxLbAQ4jeQkHO6Lo ++/IrPj8BGJJw4J+CDnRugv3gVEOuGTgpa/d/aLIJ+7sr2KeH6caH3iGicnPCNvg9J ++kdjqOvn90Ghx2+m1K06Ckm9mH+Dw3EzsytHqunQG+bOEkJTRX45zGRBdAuVwpcAQ ++0BB8b8VYSbSwbprafZX1zNoCr7gsfXmPvkPx+SgojQlD+Ajda8iLLCSxjVIHvXib ++y8posqTdDEx5YMaZ0ZPxMBoH064iwurO8YQJzOAUbn8/ftKChazcqRZOhaBgy/ac ++18izju3Gm5h1DVXoX+WViwKkrkMpKBGk5hIwAUt1ax5mnXkvpXYvHUC0bcl9eQjs 
++0Wq2XSqypWa9a4X0dFbD9ed1Uigspf9mR6XU/v6eVL9lfgHWMI+lNpyiUBzuOIAB ++SMbHdPTGrMNASRZhdCyvjG817XsYAFs2PJxQDcqSMxDxJklt33UkN4Ii1+iW/RVL ++ApY+B3KVfqs9TC7XyvDf4Fg/LS8EmjijAQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD ++AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUBpOjCl4oaTeqYR3r6/wtbyPk ++86AwDQYJKoZIhvcNAQEMBQADggIBAJaAcgkGfpzMkwQWu6A6jZJOtxEaCnFxEM0E ++rX+lRVAQZk5KQaID2RFPeje5S+LGjzJmdSX7684/AykmjbgWHfYfM25I5uj4V7Ib ++ed87hwriZLoAymzvftAj63iP/2SbNDefNWWipAA9EiOWWF3KY4fGoweITedpdopT ++zfFP7ELyk+OZpDc8h7hi2/DsHzc/N19DzFGdtfCXwreFamgLRB7lUe6TzktuhsHS ++DCRZNhqfLJGP4xjblJUK7ZGqDpncllPjYYPGFrojutzdfhrGe0K22VoF3Jpf1d+4 ++2kd92jjbrDnVHmtsKheMYc2xbXIBw8MgAGJoFjHVdqqGuw6qnsb58Nn4DSEC5MUo ++FlkRudlpcyqSeLiSV5sI8jrlL5WwWLdrIBRtFO8KvH7YVdiI2i/6GaX7i+B/OfVy ++K4XELKzvGUWSTLNhB9xNH27SgRNcmvMSZ4PPmz+Ln52kuaiWA3rF7iDeM9ovnhp6 ++dB7h7sxaOgTdsxoEqBRjrLdHEoOabPXm6RUVkRqEGQ6UROcSjiVbgGcZ3GOTEAtl ++Lor6CZpO2oYofaphNdgOpygau1LgePhsumywbrmHXumZNTfxPWQrqaA0k89jL9WB ++365jJ6UeTo3cKXhZ+PmhIIynJkBugnLNeLLIjzwec+fBH7/PzqUqm9tEZDKgu39c ++JRNItX+S ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/SecureSign_Root_CA15.pem +@@ -0,0 +1,67 @@ ++## ++## SecureSign Root CA15 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 16:15:c7:c3:d8:49:a7:be:69:0c:8a:88:ed:f0:70:f9:dd:b7:3e:87 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Issuer: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Validity ++ Not Before: Apr 8 08:32:56 2020 GMT ++ Not After : Apr 8 08:32:56 2045 GMT ++ Subject: C = JP, O = "Cybertrust Japan Co., Ltd.", CN = SecureSign Root CA15 ++ Subject Public Key Info: ++ Public Key Algorithm: id-ecPublicKey ++ Public-Key: (384 bit) ++ pub: ++ 04:0b:50:74:8d:64:32:99:99:b3:d2:60:08:b8:22: ++ 8e:46:74:2c:78:c0:2b:44:2d:6d:5f:1d:c9:ae:4b: ++ 52:20:83:3d:b8:14:6d:53:87:60:9e:5f:6c:85:db: ++ 06:14:95:e0:c7:28:ff:9d:5f:e4:aa:f1:b3:8b:6d: ++ ed:4f:2f:4b:c9:4a:94:91:64:75:fe:01:ec:c1:d8: ++ eb:7a:94:78:56:18:43:5f:6b:81:cb:f6:bc:da:b4: ++ 0c:b6:29:93:08:69:8f ++ ASN1 OID: secp384r1 ++ NIST CURVE: P-384 ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ EB:41:C8:AE:FC:D5:9E:51:48:F5:BD:8B:F4:87:20:93:41:2B:D3:F4 ++ Signature Algorithm: ecdsa-with-SHA384 ++ Signature Value: ++ 30:65:02:31:00:d9:2e:89:7e:5e:4e:a4:11:07:bd:59:c2:07: ++ de:ab:32:38:53:2a:46:44:06:17:7a:ce:51:e9:e0:ff:66:2d: ++ 09:4e:e0:4f:f4:05:d1:85:f6:35:60:dc:f5:72:b3:46:7d:02: ++ 30:44:98:46:1a:82:85:1e:61:69:89:4b:07:4b:66:b5:9e:aa: ++ ba:a0:1e:41:d9:01:74:3a:6e:45:3a:89:80:19:7b:32:98:55: ++ 63:ab:eb:63:6e:93:6d:ab:1b:09:60:31:4e ++SHA1 Fingerprint=CB:BA:83:C8:C1:5A:5D:F1:F9:73:6F:CA:D7:EF:28:13:06:4A:07:7D ++-----BEGIN CERTIFICATE----- ++MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw ++UTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28uLCBM ++dGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNTAeFw0yMDA0MDgwODMy ++NTZaFw00NTA0MDgwODMyNTZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJl ++cnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290 
++IENBMTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQLUHSNZDKZmbPSYAi4Io5GdCx4 ++wCtELW1fHcmuS1Iggz24FG1Th2CeX2yF2wYUleDHKP+dX+Sq8bOLbe1PL0vJSpSR ++ZHX+AezB2Ot6lHhWGENfa4HL9rzatAy2KZMIaY+jQjBAMA8GA1UdEwEB/wQFMAMB ++Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT ++9DAKBggqhkjOPQQDAwNoADBlAjEA2S6Jfl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp ++4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJSwdLZrWeqrqgHkHZAXQ6 ++bkU6iYAZezKYVWOr62Nuk22rGwlgMU4= ++-----END CERTIFICATE----- +--- secure/caroot/trusted/Security_Communication_RootCA3.pem.orig ++++ secure/caroot/trusted/Security_Communication_RootCA3.pem +@@ -1,135 +0,0 @@ +-## +-## Security Communication RootCA3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- e1:7c:37:40:fd:1b:fe:67 +- Signature Algorithm: sha384WithRSAEncryption +- Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Validity +- Not Before: Jun 16 06:17:16 2016 GMT +- Not After : Jan 18 06:17:16 2038 GMT +- Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: +- b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: +- 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: +- ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: +- af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: +- a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: +- c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: +- 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: +- e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: +- bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: +- 
c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: +- 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: +- d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: +- f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: +- b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: +- 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: +- d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: +- 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: +- d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: +- b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: +- 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: +- 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: +- 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: +- 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: +- 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: +- 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: +- c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: +- d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: +- 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: +- 48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: +- 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: +- af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: +- 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: +- 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: +- d1:d9:c7 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha384WithRSAEncryption +- Signature Value: +- dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: +- 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: +- b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: +- f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: +- e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: +- bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: +- 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: +- 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: +- 
c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: +- b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: +- 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: +- b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: +- cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: +- 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: +- 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: +- 0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: +- 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: +- 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: +- f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: +- 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: +- e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: +- 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: +- c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: +- 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: +- 3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: +- 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: +- 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: +- 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: +- 51:d7:af:fd:33:9d:4d:66 +-SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A +------BEGIN CERTIFICATE----- +-MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV +-BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +-JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 +-MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +-U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg +-Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +-CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r +-CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA +-lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG +-TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 
+-9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 +-8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 +-g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we +-GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +-+3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M +-0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ +-T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw +-HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP +-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS +-YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA +-FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd +-9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI +-UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ +-OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke +-gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf +-iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV +-nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD +-2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// +-1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad +-TdJ0MN1kURXbg4NR16/9M51NZg== +------END CERTIFICATE----- +--- secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem.orig ++++ secure/caroot/trusted/SwissSign_Silver_CA_-_G2.pem +@@ -1,140 +0,0 @@ +-## +-## SwissSign Silver CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Validity +- Not Before: Oct 25 08:32:46 2006 GMT +- Not After : Oct 25 08:32:46 2036 GMT +- Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: +- bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: +- 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: +- 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: +- b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: +- a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: +- d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: +- 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: +- bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: +- 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: +- 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: +- 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: +- 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: +- 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: +- 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: +- b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: +- a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: +- cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: +- 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: +- 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: +- be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: +- ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: +- 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: +- 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: +- e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: +- 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: +- fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: +- 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: +- ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: +- 
9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: +- f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: +- a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: +- b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: +- 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: +- ea:d6:1f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Authority Key Identifier: +- 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 +- X509v3 Certificate Policies: +- Policy: 2.16.756.1.89.1.3.1.1 +- CPS: http://repository.swisssign.com/ +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: +- 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: +- 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: +- 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: +- c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: +- 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: +- 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: +- 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: +- ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: +- 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: +- e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: +- 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: +- 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: +- 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: +- 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: +- f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: +- 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: +- 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: +- 72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: +- a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: +- d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: 
+- ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: +- da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: +- 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: +- 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: +- f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: +- 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: +- 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: +- 60:39:ce:ca:62:d8:2e:6e +-SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB +------BEGIN CERTIFICATE----- +-MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE +-BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu +-IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow +-RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY +-U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +-MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv +-Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br +-YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF +-nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH +-6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt +-eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ +-c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ +-MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH +-HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf +-jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 +-5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB +-rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +-F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c +-wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 +-cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB +-AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp 
+-WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 +-xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ +-2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ +-IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 +-aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X +-em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR +-dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ +-OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ +-hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy +-tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/trusted/TWCA_CYBER_Root_CA.pem +@@ -0,0 +1,137 @@ ++## ++## TWCA CYBER Root CA ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 40:01:34:8c:c2:00:00:00:00:00:00:00:01:3c:f2:c6 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Validity ++ Not Before: Nov 22 06:54:29 2022 GMT ++ Not After : Nov 22 15:59:59 2047 GMT ++ Subject: C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA CYBER Root CA ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c6:f8:ca:1e:d9:09:20:7e:1d:6c:4e:ce:8f:e3: ++ 47:33:44:9c:c7:c9:69:aa:3a:5b:78:ee:70:d2:92: ++ f8:04:b3:52:52:1d:67:72:28:a1:df:8b:5d:95:0a: ++ fe:ea:cd:ed:f7:29:ce:f0:6f:7f:ac:cd:3d:ef:b3: ++ 1c:45:6a:f7:28:90:f1:61:57:c5:0c:c4:a3:50:5d: ++ de:d4:b5:cb:19:ca:80:b9:75:ce:29:ce:d2:85:22: ++ ec:02:63:cc:44:30:20:da:ea:91:5b:56:e6:1d:1c: ++ d5:9d:66:c7:3f:df:86:ca:4b:53:c4:d9:8d:b2:1d: ++ ea:f8:dc:27:53:a3:47:e1:61:cc:7d:b5:b0:f8:ee: ++ 73:91:c5:ce:73:6f:ce:ee:10:1f:1a:06:cf:e9:27: ++ 60:c5:4f:19:e4:eb:ce:22:26:45:d7:60:99:dd:ce: ++ 4f:37:e0:7f:e7:63:ad:b0:b8:59:b8:d0:06:68:35: ++ 60:d3:36:ae:71:43:04:f1:69:65:78:7c:f3:1f:f3: ++ ca:28:9f:5a:20:95:66:b4:cd:b7:ee:8f:78:a4:45: ++ 18:e9:26:2f:8d:9b:29:28:b1:a4:b7:3a:6d:b9:d4: ++ 1c:38:72:45:58:b1:5e:eb:f0:28:9b:b7:82:ca:fd: ++ cf:d6:33:0f:9f:fb:97:9e:b1:1c:9c:9e:ea:5f:5e: ++ db:aa:dd:54:e9:30:21:28:6d:8e:79:f3:75:92:8c: ++ 26:fe:dc:c5:f6:c3:b0:df:44:59:43:a3:b6:03:28: ++ f6:08:30:aa:0d:33:e1:ef:9c:a9:07:22:e3:59:5b: ++ 40:8f:da:88:b7:69:08:a8:b7:23:2e:44:09:59:37: ++ 5b:c7:e3:17:f2:22:eb:6e:39:52:c5:de:54:a7:98: ++ c9:4b:20:95:dc:46:89:5f:b4:12:f9:85:29:8e:eb: ++ c8:27:15:20:c0:4b:d4:cc:7c:0c:6c:34:0c:26:9b: ++ 26:31:a6:3c:a7:f6:d9:d0:4b:a2:64:ff:3b:99:41: ++ 72:c1:e0:70:97:f1:24:bb:2b:c4:74:22:b1:ac:6b: ++ 22:32:24:d3:78:2a:c0:c0:a1:2f:f1:52:05:c9:3f: ++ ef:76:66:e2:45:d8:0d:3d:ad:95:c8:c7:89:26:c8: ++ 0f:ae:a7:03:2e:fb:c1:5f:fa:20:e1:70:ad:b0:65: ++ 
20:37:33:60:b0:d5:af:d7:0c:1c:c2:90:70:d7:4a: ++ 18:bc:7e:01:b0:b0:eb:15:1e:44:06:cd:a4:4f:e8: ++ 0c:d1:c3:20:10:e1:54:65:9e:b6:51:d0:1a:76:6b: ++ 42:5a:58:76:34:ea:b7:37:19:ae:2e:75:f9:96:e5: ++ c1:59:f7:94:57:29:25:8d:3a:4c:ab:4d:9a:41:d0: ++ 5f:26:03 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Authority Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ X509v3 Subject Key Identifier: ++ 9D:85:61:14:7C:C1:62:6F:97:68:E4:4F:37:40:E1:AD:E0:0D:56:37 ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ 64:8f:7a:c4:62:0e:b5:88:cc:b8:c7:86:0e:a1:4a:16:cd:70: ++ 0b:b7:a7:85:0b:b3:76:b6:0f:a7:ff:08:8b:0b:25:cf:a8:d4: ++ 83:75:2a:b8:96:88:b6:fb:df:2d:2d:b4:69:53:21:35:57:d6: ++ 89:4d:73:bf:69:8f:70:a3:61:cc:9a:db:1e:9a:e0:20:f8:6c: ++ bb:9b:22:9d:5d:84:31:9a:2c:8a:dd:6a:a1:d7:28:69:ca:fe: ++ 76:55:7a:46:67:eb:cc:43:88:16:a2:03:d6:b9:17:f8:19:6c: ++ 6d:23:02:7f:f1:5f:d0:0a:29:23:3b:d1:aa:0a:ed:a9:17:26: ++ 54:0a:4d:c2:a5:4d:f8:c5:fd:b8:81:cf:2b:2c:78:a3:67:4c: ++ a9:07:9a:f3:df:5e:fb:7c:f5:89:cd:74:97:61:10:6a:07:2b: ++ 81:5a:d2:8e:b7:e7:20:d1:20:6e:24:a8:84:27:a1:57:ac:aa: ++ 55:58:2f:dc:d9:ca:fa:68:04:9e:ed:44:24:f9:74:40:3b:23: ++ 33:ab:83:5a:18:26:42:b6:6d:54:b5:16:60:30:6c:b1:a0:f8: ++ b8:41:a0:5d:49:49:d2:65:05:3a:ea:fe:9d:61:bc:86:d9:bf: ++ de:d3:ba:3a:b1:7f:7e:92:34:8e:c9:00:6e:dc:98:bd:dc:ec: ++ 80:05:ad:02:3d:df:65:ed:0b:03:f7:f7:16:84:04:31:ba:93: ++ 94:d8:f2:12:f8:8a:e3:bf:42:af:a7:d4:cd:11:17:16:c8:42: ++ 1d:14:a8:42:f6:d2:40:86:a0:4f:23:ca:96:45:56:60:06:cd: ++ b7:55:01:a6:01:94:65:fe:6e:05:09:ba:b4:a4:aa:e2:ef:58: ++ be:bd:27:56:d8:ef:73:71:5b:44:33:f2:9a:72:ea:b0:5e:3e: ++ 6e:a9:52:5b:ec:70:6d:b5:87:8f:37:5e:3c:8c:9c:ce:e4:f0: ++ ce:0c:67:41:cc:ce:f6:80:ab:4e:cc:4c:56:f5:c1:61:59:93: ++ b4:3e:a6:da:b8:37:12:9f:2a:32:e3:8b:b8:21:ec:c3:2b:65: ++ 
0c:ef:22:de:88:29:3b:4c:d7:fa:fe:b7:e1:47:be:9c:3e:3e: ++ 83:fb:51:5d:f5:68:f7:2e:21:85:dc:bf:f1:5a:e2:7c:d7:c5: ++ e4:83:c1:6a:eb:ba:80:5a:de:5c:2d:70:76:f8:c8:e5:87:87: ++ ca:a0:9d:a1:e5:22:12:27:0f:44:3d:1d:6c:ea:d4:c2:8b:2f: ++ 6f:79:ab:7f:50:a6:c4:19:a7:a1:7a:b7:96:f9:c1:1f:62:5a: ++ a2:43:07:40:5e:26:c6:ac:ed:ae:70:16:c5:aa:ca:72:8a:4d: ++ b0:cf:01:8b:03:3f:6e:d7 ++SHA1 Fingerprint=F6:B1:1C:1A:83:38:E9:7B:DB:B3:A8:C8:33:24:E0:2D:9C:7F:26:66 ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ ++MQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FOLUNBMRAwDgYDVQQLEwdSb290 ++IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3QgQ0EwHhcNMjIxMTIyMDY1NDI5 ++WhcNNDcxMTIyMTU1OTU5WjBQMQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FO ++LUNBMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3Qg ++Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDG+Moe2Qkgfh1sTs6P ++40czRJzHyWmqOlt47nDSkvgEs1JSHWdyKKHfi12VCv7qze33Kc7wb3+szT3vsxxF ++avcokPFhV8UMxKNQXd7UtcsZyoC5dc4pztKFIuwCY8xEMCDa6pFbVuYdHNWdZsc/ ++34bKS1PE2Y2yHer43CdTo0fhYcx9tbD47nORxc5zb87uEB8aBs/pJ2DFTxnk684i ++JkXXYJndzk834H/nY62wuFm40AZoNWDTNq5xQwTxaWV4fPMf88oon1oglWa0zbfu ++j3ikRRjpJi+NmykosaS3Om251Bw4ckVYsV7r8Cibt4LK/c/WMw+f+5eesRycnupf ++Xtuq3VTpMCEobY5583WSjCb+3MX2w7DfRFlDo7YDKPYIMKoNM+HvnKkHIuNZW0CP ++2oi3aQiotyMuRAlZN1vH4xfyIutuOVLF3lSnmMlLIJXcRolftBL5hSmO68gnFSDA ++S9TMfAxsNAwmmyYxpjyn9tnQS6Jk/zuZQXLB4HCX8SS7K8R0IrGsayIyJNN4KsDA ++oS/xUgXJP+92ZuJF2A09rZXIx4kmyA+upwMu+8Ff+iDhcK2wZSA3M2Cw1a/XDBzC ++kHDXShi8fgGwsOsVHkQGzaRP6AzRwyAQ4VRlnrZR0Bp2a0JaWHY06rc3Ga4udfmW ++5cFZ95RXKSWNOkyrTZpB0F8mAwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD ++VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSdhWEUfMFib5do5E83QOGt4A1WNzAd ++BgNVHQ4EFgQUnYVhFHzBYm+XaORPN0DhreANVjcwDQYJKoZIhvcNAQEMBQADggIB ++AGSPesRiDrWIzLjHhg6hShbNcAu3p4ULs3a2D6f/CIsLJc+o1IN1KriWiLb73y0t ++tGlTITVX1olNc79pj3CjYcya2x6a4CD4bLubIp1dhDGaLIrdaqHXKGnK/nZVekZn ++68xDiBaiA9a5F/gZbG0jAn/xX9AKKSM70aoK7akXJlQKTcKlTfjF/biBzysseKNn 
++TKkHmvPfXvt89YnNdJdhEGoHK4Fa0o635yDRIG4kqIQnoVesqlVYL9zZyvpoBJ7t ++RCT5dEA7IzOrg1oYJkK2bVS1FmAwbLGg+LhBoF1JSdJlBTrq/p1hvIbZv97Tujqx ++f36SNI7JAG7cmL3c7IAFrQI932XtCwP39xaEBDG6k5TY8hL4iuO/Qq+n1M0RFxbI ++Qh0UqEL20kCGoE8jypZFVmAGzbdVAaYBlGX+bgUJurSkquLvWL69J1bY73NxW0Qz ++8ppy6rBePm6pUlvscG21h483XjyMnM7k8M4MZ0HMzvaAq07MTFb1wWFZk7Q+ptq4 ++NxKfKjLji7gh7MMrZQzvIt6IKTtM1/r+t+FHvpw+PoP7UV31aPcuIYXcv/Fa4nzX ++xeSDwWrruoBa3lwtcHb4yOWHh8qgnaHlIhInD0Q9HWzq1MKLL295q39QpsQZp6F6 ++t5b5wR9iWqJDB0BeJsas7a5wFsWqynKKTbDPAYsDP27X ++-----END CERTIFICATE----- +--- secure/caroot/untrusted/AddTrust_External_Root.pem.orig ++++ secure/caroot/untrusted/AddTrust_External_Root.pem +@@ -1,99 +0,0 @@ +-## +-## AddTrust External Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Validity +- Not Before: May 30 10:48:38 2000 GMT +- Not After : May 30 10:48:38 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed: +- 1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97: +- a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f: +- cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db: +- 2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70: +- 56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6: +- 5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e: +- 87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c: +- 
71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8: +- 69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df: +- ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee: +- 6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94: +- 37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8: +- 45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7: +- c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7: +- a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65: +- b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34: +- 5a:27 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root +- serial:01 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9: +- 84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41: +- 6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5: +- bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2: +- de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51: +- 14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85: +- 93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a: +- 63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b: +- a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4: +- 45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9: +- 91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e: +- 8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76: +- 60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20: +- 0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7: +- 8f:4e:86:04 +-SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 +------BEGIN CERTIFICATE----- +-MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU 
+-MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs +-IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 +-MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux +-FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h +-bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v +-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt +-H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 +-uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX +-mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX +-a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN +-E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 +-WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD +-VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 +-Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU +-cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx +-IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN +-AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH +-YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +-6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC +-Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX +-c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a +-mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +------END CERTIFICATE----- +--- secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem.orig ++++ secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem +@@ -1,98 +0,0 @@ +-## +-## AddTrust Low-Value Services Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1 (0x1) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Validity +- Not Before: May 30 10:38:31 2000 GMT +- Not After : May 30 10:38:31 2020 GMT +- Subject: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:96:96:d4:21:49:60:e2:6b:e8:41:07:0c:de:c4: +- e0:dc:13:23:cd:c1:35:c7:fb:d6:4e:11:0a:67:5e: +- f5:06:5b:6b:a5:08:3b:5b:29:16:3a:e7:87:b2:34: +- 06:c5:bc:05:a5:03:7c:82:cb:29:10:ae:e1:88:81: +- bd:d6:9e:d3:fe:2d:56:c1:15:ce:e3:26:9d:15:2e: +- 10:fb:06:8f:30:04:de:a7:b4:63:b4:ff:b1:9c:ae: +- 3c:af:77:b6:56:c5:b5:ab:a2:e9:69:3a:3d:0e:33: +- 79:32:3f:70:82:92:99:61:6d:8d:30:08:8f:71:3f: +- a6:48:57:19:f8:25:dc:4b:66:5c:a5:74:8f:98:ae: +- c8:f9:c0:06:22:e7:ac:73:df:a5:2e:fb:52:dc:b1: +- 15:65:20:fa:35:66:69:de:df:2c:f1:6e:bc:30:db: +- 2c:24:12:db:eb:35:35:68:90:cb:00:b0:97:21:3d: +- 74:21:23:65:34:2b:bb:78:59:a3:d6:e1:76:39:9a: +- a4:49:8e:8c:74:af:6e:a4:9a:a3:d9:9b:d2:38:5c: +- 9b:a2:18:cc:75:23:84:be:eb:e2:4d:33:71:8e:1a: +- f0:c2:f8:c7:1d:a2:ad:03:97:2c:f8:cf:25:c6:f6: +- b8:24:31:b1:63:5d:92:7f:63:f0:25:c9:53:2e:1f: +- bf:4d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +- DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root +- serial:01 +- Signature Algorithm: sha1WithRSAEncryption +- Signature 
Value: +- 2c:6d:64:1b:1f:cd:0d:dd:b9:01:fa:96:63:34:32:48:47:99: +- ae:97:ed:fd:72:16:a6:73:47:5a:f4:eb:dd:e9:f5:d6:fb:45: +- cc:29:89:44:5d:bf:46:39:3d:e8:ee:bc:4d:54:86:1e:1d:6c: +- e3:17:27:43:e1:89:56:2b:a9:6f:72:4e:49:33:e3:72:7c:2a: +- 23:9a:bc:3e:ff:28:2a:ed:a3:ff:1c:23:ba:43:57:09:67:4d: +- 4b:62:06:2d:f8:ff:6c:9d:60:1e:d8:1c:4b:7d:b5:31:2f:d9: +- d0:7c:5d:f8:de:6b:83:18:78:37:57:2f:e8:33:07:67:df:1e: +- c7:6b:2a:95:76:ae:8f:57:a3:f0:f4:52:b4:a9:53:08:cf:e0: +- 4f:d3:7a:53:8b:fd:bb:1c:56:36:f2:fe:b2:b6:e5:76:bb:d5: +- 22:65:a7:3f:fe:d1:66:ad:0b:bc:6b:99:86:ef:3f:7d:f3:18: +- 32:ca:7b:c6:e3:ab:64:46:95:f8:26:69:d9:55:83:7b:2c:96: +- 07:ff:59:2c:44:a3:c6:e5:e9:a9:dc:a1:63:80:5a:21:5e:21: +- cf:53:54:f0:ba:6f:89:db:a8:aa:95:cf:8b:e3:71:cc:1e:1b: +- 20:44:08:c0:7a:b6:40:fd:c4:e4:35:e1:1d:16:1c:d0:bc:2b: +- 8e:d6:71:d9 +-SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D +------BEGIN CERTIFICATE----- +-MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU +-MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +-b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw +-MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML +-QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD +-VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA +-A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul +-CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n +-tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl +-dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch +-PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC +-+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O +-BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E +-BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl +-MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk 
+-ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB +-IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X +-7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz +-43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY +-eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl +-pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA +-WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= +------END CERTIFICATE----- +--- secure/caroot/untrusted/Cybertrust_Global_Root.pem.orig ++++ secure/caroot/untrusted/Cybertrust_Global_Root.pem +@@ -1,99 +0,0 @@ +-## +-## Cybertrust Global Root +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:85:aa:2d:48 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: O = "Cybertrust, Inc", CN = Cybertrust Global Root +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:f8:c8:bc:bd:14:50:66:13:ff:f0:d3:79:ec:23: +- f2:b7:1a:c7:8e:85:f1:12:73:a6:19:aa:10:db:9c: +- a2:65:74:5a:77:3e:51:7d:56:f6:dc:23:b6:d4:ed: +- 5f:58:b1:37:4d:d5:49:0e:6e:f5:6a:87:d6:d2:8c: +- d2:27:c6:e2:ff:36:9f:98:65:a0:13:4e:c6:2a:64: +- 9b:d5:90:12:cf:14:06:f4:3b:e3:d4:28:be:e8:0e: +- f8:ab:4e:48:94:6d:8e:95:31:10:5c:ed:a2:2d:bd: +- d5:3a:6d:b2:1c:bb:60:c0:46:4b:01:f5:49:ae:7e: +- 46:8a:d0:74:8d:a1:0c:02:ce:ee:fc:e7:8f:b8:6b: +- 66:f3:7f:44:00:bf:66:25:14:2b:dd:10:30:1d:07: +- 96:3f:4d:f6:6b:b8:8f:b7:7b:0c:a5:38:eb:de:47: +- 
db:d5:5d:39:fc:88:a7:f3:d7:2a:74:f1:e8:5a:a2: +- 3b:9f:50:ba:a6:8c:45:35:c2:50:65:95:dc:63:82: +- ef:dd:bf:77:4d:9c:62:c9:63:73:16:d0:29:0f:49: +- a9:48:f0:b3:aa:b7:6c:c5:a7:30:39:40:5d:ae:c4: +- e2:5d:26:53:f0:ce:1c:23:08:61:a8:94:19:ba:04: +- 62:40:ec:1f:38:70:77:12:06:71:a7:30:18:5d:25: +- 27:a5 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://www2.public-trust.com/crl/ct/ctroot.crl +- X509v3 Authority Key Identifier: +- B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 56:ef:0a:23:a0:54:4e:95:97:c9:f8:89:da:45:c1:d4:a3:00: +- 25:f4:1f:13:ab:b7:a3:85:58:69:c2:30:ad:d8:15:8a:2d:e3: +- c9:cd:81:5a:f8:73:23:5a:a7:7c:05:f3:fd:22:3b:0e:d1:06: +- c4:db:36:4c:73:04:8e:e5:b0:22:e4:c5:f3:2e:a5:d9:23:e3: +- b8:4e:4a:20:a7:6e:02:24:9f:22:60:67:7b:8b:1d:72:09:c5: +- 31:5c:e9:79:9f:80:47:3d:ad:a1:0b:07:14:3d:47:ff:03:69: +- 1a:0c:0b:44:e7:63:25:a7:7f:b2:c9:b8:76:84:ed:23:f6:7d: +- 07:ab:45:7e:d3:df:b3:bf:e9:8a:b6:cd:a8:a2:67:2b:52:d5: +- b7:65:f0:39:4c:63:a0:91:79:93:52:0f:54:dd:83:bb:9f:d1: +- 8f:a7:53:73:c3:cb:ff:30:ec:7c:04:b8:d8:44:1f:93:5f:71: +- 09:22:b7:6e:3e:ea:1c:03:4e:9d:1a:20:61:fb:81:37:ec:5e: +- fc:0a:45:ab:d7:e7:17:55:d0:a0:ea:60:9b:a6:f6:e3:8c:5b: +- 29:c2:06:60:14:9d:2d:97:4c:a9:93:15:9d:61:c4:01:5f:48: +- d6:58:bd:56:31:12:4e:11:c8:21:e0:b3:11:91:65:db:b4:a6: +- 88:38:ce:55 +-SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +------BEGIN CERTIFICATE----- +-MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG +-A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh +-bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE 
+-ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS +-b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 +-7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS +-J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y +-HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP +-t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz +-FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY +-XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ +-MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw +-hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js +-MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA +-A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj +-Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx +-XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o +-omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc +-A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +-WL1WMRJOEcgh4LMRkWXbtKaIOM5V +------END CERTIFICATE----- +--- secure/caroot/untrusted/DST_Root_CA_X3.pem.orig ++++ secure/caroot/untrusted/DST_Root_CA_X3.pem +@@ -1,92 +0,0 @@ +-## +-## DST Root CA X3 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Validity +- Not Before: Sep 30 21:12:19 2000 GMT +- Not After : Sep 30 14:01:15 2021 GMT +- Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: +- 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: +- c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: +- ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: +- 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: +- a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: +- 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: +- 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: +- 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: +- 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: +- 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: +- 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: +- 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: +- d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: +- eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: +- 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: +- 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: +- 02:5d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: +- 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: +- a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: +- 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: +- b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: +- 
3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: +- dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: +- e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: +- 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: +- 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: +- 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: +- 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: +- b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: +- 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: +- 82:35:35:10 +-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 +------BEGIN CERTIFICATE----- +-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +------END CERTIFICATE----- +--- secure/caroot/untrusted/E-Tugra_Certification_Authority.pem.orig ++++ secure/caroot/untrusted/E-Tugra_Certification_Authority.pem +@@ -1,140 
+0,0 @@ +-## +-## E-Tugra Certification Authority +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Validity +- Not Before: Mar 5 12:09:48 2013 GMT +- Not After : Mar 3 12:09:48 2023 GMT +- Subject: C = TR, L = Ankara, O = E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E., OU = E-Tugra Sertifikasyon Merkezi, CN = E-Tugra Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e2:f5:3f:93:05:51:1e:85:62:54:5e:7a:0b:f5: +- 18:07:83:ae:7e:af:7c:f7:d4:8a:6b:a5:63:43:39: +- b9:4b:f7:c3:c6:64:89:3d:94:2e:54:80:52:39:39: +- 07:4b:4b:dd:85:07:76:87:cc:bf:2f:95:4c:cc:7d: +- a7:3d:bc:47:0f:98:70:f8:8c:85:1e:74:8e:92:6d: +- 1b:40:d1:99:0d:bb:75:6e:c8:a9:6b:9a:c0:84:31: +- af:ca:43:cb:eb:2b:34:e8:8f:97:6b:01:9b:d5:0e: +- 4a:08:aa:5b:92:74:85:43:d3:80:ae:a1:88:5b:ae: +- b3:ea:5e:cb:16:9a:77:44:c8:a1:f6:54:68:ce:de: +- 8f:97:2b:ba:5b:40:02:0c:64:17:c0:b5:93:cd:e1: +- f1:13:66:ce:0c:79:ef:d1:91:28:ab:5f:a0:12:52: +- 30:73:19:8e:8f:e1:8c:07:a2:c3:bb:4a:f0:ea:1f: +- 15:a8:ee:25:cc:a4:46:f8:1b:22:ef:b3:0e:43:ba: +- 2c:24:b8:c5:2c:5c:d4:1c:f8:5d:64:bd:c3:93:5e: +- 28:a7:3f:27:f1:8e:1e:d3:2a:50:05:a3:55:d9:cb: +- e7:39:53:c0:98:9e:8c:54:62:8b:26:b0:f7:7d:8d: +- 7c:e4:c6:9e:66:42:55:82:47:e7:b2:58:8d:66:f7: +- 07:7c:2e:36:e6:50:1c:3f:db:43:24:c5:bf:86:47: +- 
79:b3:79:1c:f7:5a:f4:13:ec:6c:f8:3f:e2:59:1f: +- 95:ee:42:3e:b9:ad:a8:32:85:49:97:46:fe:4b:31: +- 8f:5a:cb:ad:74:47:1f:e9:91:b7:df:28:04:22:a0: +- d4:0f:5d:e2:79:4f:ea:6c:85:86:bd:a8:a6:ce:e4: +- fa:c3:e1:b3:ae:de:3c:51:ee:cb:13:7c:01:7f:84: +- 0e:5d:51:94:9e:13:0c:b6:2e:a5:4c:f9:39:70:36: +- 6f:96:ca:2e:0c:44:55:c5:ca:fa:5d:02:a3:df:d6: +- 64:8c:5a:b3:01:0a:a9:b5:0a:47:17:ff:ef:91:40: +- 2a:8e:a1:46:3a:31:98:e5:11:fc:cc:bb:49:56:8a: +- fc:b9:d0:61:9a:6f:65:6c:e6:c3:cb:3e:75:49:fe: +- 8f:a7:e2:89:c5:67:d7:9d:46:13:4e:31:76:3b:24: +- b3:9e:11:65:86:ab:7f:ef:1d:d4:f8:bc:e7:ac:5a: +- 5c:b7:5a:47:5c:55:ce:55:b4:22:71:5b:5b:0b:f0: +- cf:dc:a0:61:64:ea:a9:d7:68:0a:63:a7:e0:0d:3f: +- a0:af:d3:aa:d2:7e:ef:51:a0:e6:51:2b:55:92:15: +- 17:53:cb:b7:66:0e:66:4c:f8:f9:75:4c:90:e7:12: +- 70:c7:45 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- 05:37:3a:f4:4d:b7:45:e2:45:75:24:8f:b6:77:52:e8:1c:d8: +- 10:93:65:f3:f2:59:06:a4:3e:1e:29:ec:5d:d1:d0:ab:7c:e0: +- 0a:90:48:78:ed:4e:98:03:99:fe:28:60:91:1d:30:1d:b8:63: +- 7c:a8:e6:35:b5:fa:d3:61:76:e6:d6:07:4b:ca:69:9a:b2:84: +- 7a:77:93:45:17:15:9f:24:d0:98:13:12:ff:bb:a0:2e:fd:4e: +- 4c:87:f8:ce:5c:aa:98:1b:05:e0:00:46:4a:82:80:a5:33:8b: +- 28:dc:ed:38:d3:df:e5:3e:e9:fe:fb:59:dd:61:84:4f:d2:54: +- 96:13:61:13:3e:8f:80:69:be:93:47:b5:35:43:d2:5a:bb:3d: +- 5c:ef:b3:42:47:cd:3b:55:13:06:b0:09:db:fd:63:f6:3a:88: +- 0a:99:6f:7e:e1:ce:1b:53:6a:44:66:23:51:08:7b:bc:5b:52: +- a2:fd:06:37:38:40:61:8f:4a:96:b8:90:37:f8:66:c7:78:90: +- 00:15:2e:8b:ad:51:35:53:07:a8:6b:68:ae:f9:4e:3c:07:26: +- cd:08:05:70:cc:39:3f:76:bd:a5:d3:67:26:01:86:a6:53:d2: +- 
60:3b:7c:43:7f:55:8a:bc:95:1a:c1:28:39:4c:1f:43:d2:91: +- f4:72:59:8a:b9:56:fc:3f:b4:9d:da:70:9c:76:5a:8c:43:50: +- ee:8e:30:72:4d:df:ff:49:f7:c6:a9:67:d9:6d:ac:02:11:e2: +- 3a:16:25:a7:58:08:cb:6f:53:41:9c:48:38:47:68:33:d1:d7: +- c7:8f:d4:74:21:d4:c3:05:90:7a:ff:ce:96:88:b1:15:29:5d: +- 23:ab:d0:60:a1:12:4f:de:f4:17:cd:32:e5:c9:bf:c8:43:ad: +- fd:2e:8e:f1:af:e2:f4:98:fa:12:1f:20:d8:c0:a7:0c:85:c5: +- 90:f4:3b:2d:96:26:b1:2c:be:4c:ab:eb:b1:d2:8a:c9:db:78: +- 13:0f:1e:09:9d:6d:8f:00:9f:02:da:c1:fa:1f:7a:7a:09:c4: +- 4a:e6:88:2a:97:9f:89:8b:fd:37:5f:5f:3a:ce:38:59:86:4b: +- af:71:0b:b4:d8:f2:70:4f:9f:32:13:e3:b0:a7:57:e5:da:da: +- 43:cb:84:34:f2:28:c4:ea:6d:f4:2a:ef:c1:6b:76:da:fb:7e: +- bb:85:3c:d2:53:c2:4d:be:71:e1:45:d1:fd:23:67:0d:13:75: +- fb:cf:65:67:22:9d:ae:b0:09:d1:09:ff:1d:34:bf:fe:23:97: +- 37:d2:39:fa:3d:0d:06:0b:b4:db:3b:a3:ab:6f:5c:1d:b6:7e: +- e8:b3:82:34:ed:06:5c:24 +-SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 +------BEGIN CERTIFICATE----- +-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D 
+-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX +-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 +-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF +-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 +-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/untrusted/Entrust_Root_Certification_Authority_-_G4.pem +@@ -0,0 +1,139 @@ ++## ++## Entrust Root Certification Authority - G4 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Validity ++ Not Before: May 27 11:11:16 2015 GMT ++ Not After : Dec 27 11:41:16 2037 GMT ++ Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d: ++ c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68: ++ 19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1: ++ fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3: ++ 00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29: ++ b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43: ++ 32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa: ++ 4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab: ++ d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51: ++ 4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5: ++ b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27: ++ db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01: ++ c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86: ++ a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a: ++ 65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4: ++ d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a: ++ ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa: ++ 04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3: ++ 57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b: ++ b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e: ++ 57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e: ++ e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96: ++ fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72: ++ 7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb: ++ 
4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61: ++ 3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54: ++ a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48: ++ 36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3: ++ 08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12: ++ 97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67: ++ 74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c: ++ ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8: ++ 5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37: ++ 94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43: ++ 63:73:49 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Subject Key Identifier: ++ 9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67 ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e: ++ ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce: ++ 10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53: ++ d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76: ++ 77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3: ++ c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c: ++ ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9: ++ 97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb: ++ 7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85: ++ 16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de: ++ bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b: ++ 03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d: ++ 50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0: ++ 58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b: ++ ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56: ++ 6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49: ++ 7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae: ++ 06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68: ++ 57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1: ++ 80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4: ++ 
83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08: ++ c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b: ++ 38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17: ++ 52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b: ++ a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46: ++ 8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa: ++ 43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b: ++ 38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08: ++ 1f:8b:8f:53:dd:ff:ac:1f ++SHA1 Fingerprint=14:88:4E:86:26:37:B0:26:AF:59:62:5C:40:77:EC:35:29:BA:96:01 ++-----BEGIN CERTIFICATE----- ++MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw ++gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL ++Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg ++MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw ++BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0 ++MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT ++MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1 ++c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ ++bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg ++Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B ++AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ ++2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E ++T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j ++5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM ++C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T ++DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX ++wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A ++2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm ++nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8 ++dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl 
++N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj ++c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD ++VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS ++5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS ++Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr ++hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/ ++B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI ++AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw ++H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+ ++b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk ++2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol ++IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk ++5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY ++n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw== ++-----END CERTIFICATE----- +--- secure/caroot/untrusted/GeoTrust_Global_CA.pem.orig ++++ secure/caroot/untrusted/GeoTrust_Global_CA.pem +@@ -1,90 +0,0 @@ +-## +-## GeoTrust Global CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 144470 (0x23456) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Validity +- Not Before: May 21 04:00:00 2002 GMT +- Not After : May 21 04:00:00 2022 GMT +- Subject: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df: +- 3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8: +- 43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29: +- bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4: +- 60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3: +- ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92: +- 2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d: +- 80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14: +- 15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd: +- d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6: +- d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5: +- 5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39: +- 19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05: +- 9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2: +- fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32: +- eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07: +- 36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b: +- e4:f9 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- X509v3 Authority Key Identifier: +- C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 35:e3:29:6a:e5:2f:5d:54:8e:29:50:94:9f:99:1a:14:e4:8f: +- 78:2a:62:94:a2:27:67:9e:d0:cf:1a:5e:47:e9:c1:b2:a4:cf: +- dd:41:1a:05:4e:9b:4b:ee:4a:6f:55:52:b3:24:a1:37:0a:eb: +- 
64:76:2a:2e:2c:f3:fd:3b:75:90:bf:fa:71:d8:c7:3d:37:d2: +- b5:05:95:62:b9:a6:de:89:3d:36:7b:38:77:48:97:ac:a6:20: +- 8f:2e:a6:c9:0c:c2:b2:99:45:00:c7:ce:11:51:22:22:e0:a5: +- ea:b6:15:48:09:64:ea:5e:4f:74:f7:05:3e:c7:8a:52:0c:db: +- 15:b4:bd:6d:9b:e5:c6:b1:54:68:a9:e3:69:90:b6:9a:a5:0f: +- b8:b9:3f:20:7d:ae:4a:b5:b8:9c:e4:1d:b6:ab:e6:94:a5:c1: +- c7:83:ad:db:f5:27:87:0e:04:6c:d5:ff:dd:a0:5d:ed:87:52: +- b7:2b:15:02:ae:39:a6:6a:74:e9:da:c4:e7:bc:4d:34:1e:a9: +- 5c:4d:33:5f:92:09:2f:88:66:5d:77:97:c7:1d:76:13:a9:d5: +- e5:f1:16:09:11:35:d5:ac:db:24:71:70:2c:98:56:0b:d9:17: +- b4:d1:e3:51:2b:5e:75:e8:d5:d0:dc:4f:34:ed:c2:05:66:80: +- a1:cb:e6:33 +-SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12 +------BEGIN CERTIFICATE----- +-MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +-YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG +-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg +-R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9 +-9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq +-fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv +-iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU +-1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+ +-bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW +-MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA +-ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l +-uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn +-Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS +-tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF +-PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un +-hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV +-5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw== +------END CERTIFICATE----- +--- 
secure/caroot/untrusted/GlobalSign_Root_CA_-_R2.pem.orig ++++ secure/caroot/untrusted/GlobalSign_Root_CA_-_R2.pem +@@ -1,99 +0,0 @@ +-## +-## GlobalSign Root CA - R2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 04:00:00:00:00:01:0f:86:26:e6:0d +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Validity +- Not Before: Dec 15 08:00:00 2006 GMT +- Not After : Dec 15 08:00:00 2021 GMT +- Subject: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:a6:cf:24:0e:be:2e:6f:28:99:45:42:c4:ab:3e: +- 21:54:9b:0b:d3:7f:84:70:fa:12:b3:cb:bf:87:5f: +- c6:7f:86:d3:b2:30:5c:d6:fd:ad:f1:7b:dc:e5:f8: +- 60:96:09:92:10:f5:d0:53:de:fb:7b:7e:73:88:ac: +- 52:88:7b:4a:a6:ca:49:a6:5e:a8:a7:8c:5a:11:bc: +- 7a:82:eb:be:8c:e9:b3:ac:96:25:07:97:4a:99:2a: +- 07:2f:b4:1e:77:bf:8a:0f:b5:02:7c:1b:96:b8:c5: +- b9:3a:2c:bc:d6:12:b9:eb:59:7d:e2:d0:06:86:5f: +- 5e:49:6a:b5:39:5e:88:34:ec:bc:78:0c:08:98:84: +- 6c:a8:cd:4b:b4:a0:7d:0c:79:4d:f0:b8:2d:cb:21: +- ca:d5:6c:5b:7d:e1:a0:29:84:a1:f9:d3:94:49:cb: +- 24:62:91:20:bc:dd:0b:d5:d9:cc:f9:ea:27:0a:2b: +- 73:91:c6:9d:1b:ac:c8:cb:e8:e0:a0:f4:2f:90:8b: +- 4d:fb:b0:36:1b:f6:19:7a:85:e0:6d:f2:61:13:88: +- 5c:9f:e0:93:0a:51:97:8a:5a:ce:af:ab:d5:f7:aa: +- 09:aa:60:bd:dc:d9:5f:df:72:a9:60:13:5e:00:01: +- c9:4a:fa:3f:a4:ea:07:03:21:02:8e:82:ca:03:c2: +- 9b:8f +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject 
Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- X509v3 CRL Distribution Points: +- Full Name: +- URI:http://crl.globalsign.net/root-r2.crl +- X509v3 Authority Key Identifier: +- 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 99:81:53:87:1c:68:97:86:91:ec:e0:4a:b8:44:0b:ab:81:ac: +- 27:4f:d6:c1:b8:1c:43:78:b3:0c:9a:fc:ea:2c:3c:6e:61:1b: +- 4d:4b:29:f5:9f:05:1d:26:c1:b8:e9:83:00:62:45:b6:a9:08: +- 93:b9:a9:33:4b:18:9a:c2:f8:87:88:4e:db:dd:71:34:1a:c1: +- 54:da:46:3f:e0:d3:2a:ab:6d:54:22:f5:3a:62:cd:20:6f:ba: +- 29:89:d7:dd:91:ee:d3:5c:a2:3e:a1:5b:41:f5:df:e5:64:43: +- 2d:e9:d5:39:ab:d2:a2:df:b7:8b:d0:c0:80:19:1c:45:c0:2d: +- 8c:e8:f8:2d:a4:74:56:49:c5:05:b5:4f:15:de:6e:44:78:39: +- 87:a8:7e:bb:f3:79:18:91:bb:f4:6f:9d:c1:f0:8c:35:8c:5d: +- 01:fb:c3:6d:b9:ef:44:6d:79:46:31:7e:0a:fe:a9:82:c1:ff: +- ef:ab:6e:20:c4:50:c9:5f:9d:4d:9b:17:8c:0c:e5:01:c9:a0: +- 41:6a:73:53:fa:a5:50:b4:6e:25:0f:fb:4c:18:f4:fd:52:d9: +- 8e:69:b1:e8:11:0f:de:88:d8:fb:1d:49:f7:aa:de:95:cf:20: +- 78:c2:60:12:db:25:40:8c:6a:fc:7e:42:38:40:64:12:f7:9e: +- 81:e1:93:2e +-SHA1 Fingerprint=75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE +------BEGIN CERTIFICATE----- +-MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +-MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +-v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +-eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +-tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +-C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa 
+-zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +-mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +-V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +-bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +-3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +-J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO +-291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +-ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +-AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +-TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +------END CERTIFICATE----- +--- secure/caroot/untrusted/Hongkong_Post_Root_CA_1.pem.orig ++++ secure/caroot/untrusted/Hongkong_Post_Root_CA_1.pem +@@ -1,89 +0,0 @@ +-## +-## Hongkong Post Root CA 1 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 1000 (0x3e8) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Validity +- Not Before: May 15 05:13:14 2003 GMT +- Not After : May 15 04:52:29 2023 GMT +- Subject: C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:ac:ff:38:b6:e9:66:02:49:e3:a2:b4:e1:90:f9: +- 40:8f:79:f9:e2:bd:79:fe:02:bd:ee:24:92:1d:22: +- f6:da:85:72:69:fe:d7:3f:09:d4:dd:91:b5:02:9c: +- d0:8d:5a:e1:55:c3:50:86:b9:29:26:c2:e3:d9:a0: +- f1:69:03:28:20:80:45:22:2d:56:a7:3b:54:95:56: +- 22:59:1f:28:df:1f:20:3d:6d:a2:36:be:23:a0:b1: +- 6e:b5:b1:27:3f:39:53:09:ea:ab:6a:e8:74:b2:c2: +- 65:5c:8e:bf:7c:c3:78:84:cd:9e:16:fc:f5:2e:4f: +- 20:2a:08:9f:77:f3:c5:1e:c4:9a:52:66:1e:48:5e: +- e3:10:06:8f:22:98:e1:65:8e:1b:5d:23:66:3b:b8: +- a5:32:51:c8:86:aa:a1:a9:9e:7f:76:94:c2:a6:6c: +- b7:41:f0:d5:c8:06:38:e6:d4:0c:e2:f3:3b:4c:6d: +- 50:8c:c4:83:27:c1:13:84:59:3d:9e:75:74:b6:d8: +- 02:5e:3a:90:7a:c0:42:36:72:ec:6a:4d:dc:ef:c4: +- 00:df:13:18:57:5f:26:78:c8:d6:0a:79:77:bf:f7: +- af:b7:76:b9:a5:0b:84:17:5d:10:ea:6f:e1:ab:95: +- 11:5f:6d:3c:a3:5c:4d:83:5b:f2:b3:19:8a:80:8b: +- 0b:87 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE, pathlen:3 +- X509v3 Key Usage: critical +- Digital Signature, Non Repudiation, Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 0e:46:d5:3c:ae:e2:87:d9:5e:81:8b:02:98:41:08:8c:4c:bc: +- da:db:ee:27:1b:82:e7:6a:45:ec:16:8b:4f:85:a0:f3:b2:70: +- bd:5a:96:ba:ca:6e:6d:ee:46:8b:6e:e7:2a:2e:96:b3:19:33: +- eb:b4:9f:a8:b2:37:ee:98:a8:97:b6:2e:b6:67:27:d4:a6:49: +- fd:1c:93:65:76:9e:42:2f:dc:22:6c:9a:4f:f2:5a:15:39:b1: +- 71:d7:2b:51:e8:6d:1c:98:c0:d9:2a:f4:a1:82:7b:d5:c9:41: +- 
a2:23:01:74:38:55:8b:0f:b9:2e:67:a2:20:04:37:da:9c:0b: +- d3:17:21:e0:8f:97:79:34:6f:84:48:02:20:33:1b:e6:34:44: +- 9f:91:70:f4:80:5e:84:43:c2:29:d2:6c:12:14:e4:61:8d:ac: +- 10:90:9e:84:50:bb:f0:96:6f:45:9f:8a:f3:ca:6c:4f:fa:11: +- 3a:15:15:46:c3:cd:1f:83:5b:2d:41:12:ed:50:67:41:13:3d: +- 21:ab:94:8a:aa:4e:7c:c1:b1:fb:a7:d6:b5:27:2f:97:ab:6e: +- e0:1d:e2:d1:1c:2c:1f:44:e2:fc:be:91:a1:9c:fb:d6:29:53: +- 73:86:9f:53:d8:43:0e:5d:d6:63:82:71:1d:80:74:ca:f6:e2: +- 02:6b:d9:5a +-SHA1 Fingerprint=D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58 +------BEGIN CERTIFICATE----- +-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG +-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h +-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO +-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +-AmvZWg== +------END CERTIFICATE----- +--- secure/caroot/untrusted/QuoVadis_Root_CA.pem.orig ++++ secure/caroot/untrusted/QuoVadis_Root_CA.pem +@@ -1,116 +0,0 @@ +-## +-## QuoVadis Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority 
(CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 985026699 (0x3ab6508b) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Validity +- Not Before: Mar 19 18:33:33 2001 GMT +- Not After : Mar 17 18:33:33 2021 GMT +- Subject: C = BM, O = QuoVadis Limited, OU = Root Certification Authority, CN = QuoVadis Root Certification Authority +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:bf:61:b5:95:53:ba:57:fc:fa:f2:67:0b:3a:1a: +- df:11:80:64:95:b4:d1:bc:cd:7a:cf:f6:29:96:2e: +- 24:54:40:24:38:f7:1a:85:dc:58:4c:cb:a4:27:42: +- 97:d0:9f:83:8a:c3:e4:06:03:5b:00:a5:51:1e:70: +- 04:74:e2:c1:d4:3a:ab:d7:ad:3b:07:18:05:8e:fd: +- 83:ac:ea:66:d9:18:1b:68:8a:f5:57:1a:98:ba:f5: +- ed:76:3d:7c:d9:de:94:6a:3b:4b:17:c1:d5:8f:bd: +- 65:38:3a:95:d0:3d:55:36:4e:df:79:57:31:2a:1e: +- d8:59:65:49:58:20:98:7e:ab:5f:7e:9f:e9:d6:4d: +- ec:83:74:a9:c7:6c:d8:ee:29:4a:85:2a:06:14:f9: +- 54:e6:d3:da:65:07:8b:63:37:12:d7:d0:ec:c3:7b: +- 20:41:44:a3:ed:cb:a0:17:e1:71:65:ce:1d:66:31: +- f7:76:01:19:c8:7d:03:58:b6:95:49:1d:a6:12:26: +- e8:c6:0c:76:e0:e3:66:cb:ea:5d:a6:26:ee:e5:cc: +- 5f:bd:67:a7:01:27:0e:a2:ca:54:c5:b1:7a:95:1d: +- 71:1e:4a:29:8a:03:dc:6a:45:c1:a4:19:5e:6f:36: +- cd:c3:a2:b0:b7:fe:5c:38:e2:52:bc:f8:44:43:e6: +- 90:bb +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- Authority Information Access: +- OCSP - URI:https://ocsp.quovadisoffshore.com +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: 1.3.6.1.4.1.8024.0.1 +- User Notice: +- Explicit Text: Reliance on the QuoVadis Root Certificate by any party assumes 
acceptance of the then applicable standard terms and conditions of use, certification practices, and the QuoVadis Certificate Policy. +- CPS: http://www.quovadis.bm +- X509v3 Subject Key Identifier: +- 8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- X509v3 Authority Key Identifier: +- keyid:8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF +- DirName:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority +- serial:3A:B6:50:8B +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 8a:d4:14:b5:fe:f4:9a:92:a7:19:d4:a4:7e:72:18:8f:d9:68: +- 7c:52:24:dd:67:6f:39:7a:c4:aa:5e:3d:e2:58:b0:4d:70:98: +- 84:61:e8:1b:e3:69:18:0e:ce:fb:47:50:a0:4e:ff:f0:24:1f: +- bd:b2:ce:f5:27:fc:ec:2f:53:aa:73:7b:03:3d:74:6e:e6:16: +- 9e:eb:a5:2e:c4:bf:56:27:50:2b:62:ba:be:4b:1c:3c:55:5c: +- 41:1d:24:be:82:20:47:5d:d5:44:7e:7a:16:68:df:7d:4d:51: +- 70:78:57:1d:33:1e:fd:02:99:9c:0c:cd:0a:05:4f:c7:bb:8e: +- a4:75:fa:4a:6d:b1:80:8e:09:56:b9:9c:1a:60:fe:5d:c1:d7: +- 7a:dc:11:78:d0:d6:5d:c1:b7:d5:ad:32:99:03:3a:8a:cc:54: +- 25:39:31:81:7b:13:22:51:ba:46:6c:a1:bb:9e:fa:04:6c:49: +- 26:74:8f:d2:73:eb:cc:30:a2:e6:ea:59:22:87:f8:97:f5:0e: +- fd:ea:cc:92:a4:16:c4:52:18:ea:21:ce:b1:f1:e6:84:81:e5: +- ba:a9:86:28:f2:43:5a:5d:12:9d:ac:1e:d9:a8:e5:0a:6a:a7: +- 7f:a0:87:29:cf:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:36:23:8a: +- 4a:74:36:f9 +-SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9 +------BEGIN CERTIFICATE----- +-MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC +-TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0 +-aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz +-MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw +-IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR 
+-dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG +-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp +-li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D +-rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ +-WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug +-F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU +-xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC +-Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv +-dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw +-ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl +-IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh +-c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy +-ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh +-Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI +-KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T +-KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq +-y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p +-dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD +-VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL +-MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk +-fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8 +-7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R +-cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y +-mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW +-xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK +-SnQ2+Q== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/untrusted/SecureSign_RootCA11.pem +@@ -0,0 +1,92 @@ ++## ++## SecureSign RootCA11 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). 
It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 1 (0x1) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Validity ++ Not Before: Apr 8 04:56:47 2009 GMT ++ Not After : Apr 8 04:56:47 2029 GMT ++ Subject: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:fd:77:aa:a5:1c:90:05:3b:cb:4c:9b:33:8b:5a: ++ 14:45:a4:e7:90:16:d1:df:57:d2:21:10:a4:17:fd: ++ df:ac:d6:1f:a7:e4:db:7c:f7:ec:df:b8:03:da:94: ++ 58:fd:5d:72:7c:8c:3f:5f:01:67:74:15:96:e3:02: ++ 3c:87:db:ae:cb:01:8e:c2:f3:66:c6:85:45:f4:02: ++ c6:3a:b5:62:b2:af:fa:9c:bf:a4:e6:d4:80:30:98: ++ f3:0d:b6:93:8f:a9:d4:d8:36:f2:b0:fc:8a:ca:2c: ++ a1:15:33:95:31:da:c0:1b:f2:ee:62:99:86:63:3f: ++ bf:dd:93:2a:83:a8:76:b9:13:1f:b7:ce:4e:42:85: ++ 8f:22:e7:2e:1a:f2:95:09:b2:05:b5:44:4e:77:a1: ++ 20:bd:a9:f2:4e:0a:7d:50:ad:f5:05:0d:45:4f:46: ++ 71:fd:28:3e:53:fb:04:d8:2d:d7:65:1d:4a:1b:fa: ++ cf:3b:b0:31:9a:35:6e:c8:8b:06:d3:00:91:f2:94: ++ 08:65:4c:b1:34:06:00:7a:89:e2:f0:c7:03:59:cf: ++ d5:d6:e8:a7:32:b3:e6:98:40:86:c5:cd:27:12:8b: ++ cc:7b:ce:b7:11:3c:62:60:07:23:3e:2b:40:6e:94: ++ 80:09:6d:b6:b3:6f:77:6f:35:08:50:fb:02:87:c5: ++ 3e:89 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ a0:a1:38:16:66:2e:a7:56:1f:21:9c:06:fa:1d:ed:b9:22:c5: ++ 38:26:d8:4e:4f:ec:a3:7f:79:de:46:21:a1:87:77:8f:07:08: 
++ 9a:b2:a4:c5:af:0f:32:98:0b:7c:66:29:b6:9b:7d:25:52:49: ++ 43:ab:4c:2e:2b:6e:7a:70:af:16:0e:e3:02:6c:fb:42:e6:18: ++ 9d:45:d8:55:c8:e8:3b:dd:e7:e1:f4:2e:0b:1c:34:5c:6c:58: ++ 4a:fb:8c:88:50:5f:95:1c:bf:ed:ab:22:b5:65:b3:85:ba:9e: ++ 0f:b8:ad:e5:7a:1b:8a:50:3a:1d:bd:0d:bc:7b:54:50:0b:b9: ++ 42:af:55:a0:18:81:ad:65:99:ef:be:e4:9c:bf:c4:85:ab:41: ++ b2:54:6f:dc:25:cd:ed:78:e2:8e:0c:8d:09:49:dd:63:7b:5a: ++ 69:96:02:21:a8:bd:52:59:e9:7d:35:cb:c8:52:ca:7f:81:fe: ++ d9:6b:d3:f7:11:ed:25:df:f8:e7:f9:a4:fa:72:97:84:53:0d: ++ a5:d0:32:18:51:76:59:14:6c:0f:eb:ec:5f:80:8c:75:43:83: ++ c3:85:98:ff:4c:9e:2d:0d:e4:77:83:93:4e:b5:96:07:8b:28: ++ 13:9b:8c:19:8d:41:27:49:40:ee:de:e6:23:44:39:dc:a1:22: ++ d6:ba:03:f2 ++SHA1 Fingerprint=3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr ++MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG ++A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0 ++MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp ++Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD ++QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz ++i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8 ++h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV ++MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9 ++UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni ++8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC ++h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD ++VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB ++AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm ++KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ ++X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr ++QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5 
++pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN ++QSdJQO7e5iNEOdyhIta6A/I= ++-----END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/untrusted/Security_Communication_RootCA3.pem +@@ -0,0 +1,135 @@ ++## ++## Security Communication RootCA3 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. ++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ e1:7c:37:40:fd:1b:fe:67 ++ Signature Algorithm: sha384WithRSAEncryption ++ Issuer: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Validity ++ Not Before: Jun 16 06:17:16 2016 GMT ++ Not After : Jan 18 06:17:16 2038 GMT ++ Subject: C = JP, O = "SECOM Trust Systems CO.,LTD.", CN = Security Communication RootCA3 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:e3:c9:72:49:f7:30:de:09:7c:a9:40:81:58:d3: ++ b4:3a:dd:ba:61:0f:93:50:6e:69:3c:35:c2:ee:5b: ++ 73:90:1b:67:4c:21:ec:5f:35:bb:39:3e:2b:0a:60: ++ ef:bb:6d:2b:86:fb:71:a2:c8:ac:e4:56:94:f9:c9: ++ af:b1:72:d4:20:ac:74:d2:b8:15:ad:51:fe:85:74: ++ a1:b9:10:fe:05:80:f9:52:93:b3:40:3d:75:10:ac: ++ c0:96:b7:a7:7e:76:bc:e3:1b:52:19:ce:11:1f:0b: ++ 04:34:f5:d8:f5:69:3c:77:f3:64:f4:0d:aa:85:de: ++ e0:09:50:04:17:96:84:b7:c8:8a:bc:4d:72:fc:1c: ++ bb:cf:f3:06:4d:f9:9f:64:f7:7e:a6:66:86:35:71: ++ c8:11:80:4c:c1:71:40:58:1e:be:a0:73:f6:fc:3e: ++ 50:e1:e0:2f:26:3d:7e:5c:23:b5:79:70:de:fa:e0: ++ d1:a5:d6:0c:41:71:7b:f7:ea:8c:1c:88:c7:ec:8b: ++ f5:d1:2f:55:96:46:7c:5a:3b:58:3b:fb:ba:d8:2d: ++ b5:25:da:7a:4e:cf:44:ae:21:a6:9e:98:ca:20:6e: ++ 7c:bb:88:85:5b:fb:c0:10:62:bb:f2:f9:27:47:ef: ++ d1:89:39:43:c4:df:de:e1:41:bf:54:73:20:97:2d: ++ 6c:da:f3:d4:07:a3:e6:b9:d8:6f:ae:fc:8c:19:2e: ++ 
d3:67:67:2b:95:db:58:5c:b5:6a:02:f3:b8:83:5e: ++ b4:6b:be:41:7e:57:09:75:44:50:55:cd:5a:11:61: ++ 21:0a:61:c2:a9:88:fd:13:bc:2d:89:2f:cd:61:e0: ++ 95:be:ca:b5:7b:e1:7b:34:67:0b:1f:b6:0c:c7:7c: ++ 1e:19:53:ca:a7:b1:4a:15:20:56:14:70:3d:2b:82: ++ 2c:0f:9d:15:1d:47:80:47:ff:78:99:0e:31:af:6f: ++ 3e:8f:ed:86:69:1e:7b:18:88:14:b2:c2:fc:82:33: ++ 2e:9c:4b:2d:fb:70:3b:71:aa:2b:7b:26:27:f3:1a: ++ c2:dc:fb:17:b8:a1:ea:cb:a0:b4:ae:d3:94:7e:7a: ++ d0:ab:c3:ec:38:2d:11:2e:88:bf:d4:3f:ad:12:3b: ++ 42:ac:8f:02:6e:7d:cc:d1:5f:61:be:a1:bc:3a:6a: ++ 48:ea:26:55:22:16:5d:5f:0d:ff:27:33:9f:18:03: ++ 74:8a:5b:52:20:47:6b:45:4d:22:77:8c:55:27:f0: ++ af:1e:8c:c9:83:22:54:b7:9a:d0:4f:d9:ce:fc:d9: ++ 2e:1c:96:28:b1:02:d3:03:bd:25:52:1c:34:66:4f: ++ 23:ab:f4:77:82:96:1d:d1:57:30:08:11:05:fd:57: ++ d1:d9:c7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha384WithRSAEncryption ++ Signature Value: ++ dc:02:23:08:e2:ef:21:3a:c7:0d:b7:26:d2:62:93:a7:a5:23: ++ 72:07:20:82:60:df:18:d7:54:ad:69:25:92:9e:d9:14:cf:99: ++ b9:52:81:cf:ae:6c:8a:3b:5a:39:c8:6c:01:43:c2:22:6d:02: ++ f0:62:cd:4e:63:43:c0:14:da:f4:63:f0:ea:f4:71:ee:4e:87: ++ e3:71:a9:f4:c9:57:e5:2e:5f:1c:79:bb:23:aa:87:44:57:e9: ++ bd:35:4d:41:bb:4b:28:a3:98:b2:1b:d9:0b:17:07:e5:f7:ea: ++ 9d:f5:76:d7:bf:c4:b6:81:58:ff:c8:ff:64:69:62:79:ad:6e: ++ 0e:1f:7f:ee:1d:69:e5:b7:72:71:b3:fe:a5:01:35:94:54:2b: ++ c0:52:6d:8f:55:c4:c9:d2:b8:cb:ca:34:08:51:85:a0:f5:bc: ++ b4:17:58:ea:0a:5c:7a:bd:63:c6:3a:2f:ff:96:49:19:84:ea: ++ 67:d8:04:b1:61:f4:00:5b:4a:b7:9c:71:37:19:85:79:bf:81: ++ b0:c7:13:0e:76:71:3e:3a:80:06:ae:06:16:a7:8d:b5:c2:c4: ++ cb:ff:40:a5:5c:8d:a5:c9:3a:ed:72:81:ca:5c:98:3c:d2:34: ++ 03:77:08:fd:f0:29:59:5d:21:08:c7:60:bf:a4:71:7b:b8:d9: ++ 1e:82:be:09:af:65:6f:28:ab:bf:4b:b5:ee:3e:08:47:27:a0: ++ 
0f:6f:0f:8b:3f:ac:95:18:f3:b9:0e:dc:67:55:6e:62:9e:46: ++ 0e:d1:04:78:ca:72:ae:76:d9:a5:f8:b2:df:88:09:61:8b:ef: ++ 24:4e:d1:59:3f:5a:d4:3d:c9:93:3c:2b:64:f5:81:0d:16:96: ++ f7:92:c3:fe:31:6f:e8:2a:32:74:0e:f4:4c:98:4a:18:0e:30: ++ 54:d5:c5:eb:bc:c5:15:9e:e8:99:21:eb:27:2b:09:0a:db:f1: ++ e6:70:18:56:bb:0c:e4:be:f9:e8:10:a4:13:92:b8:1c:e0:db: ++ 67:1d:53:03:a4:22:a7:dc:5d:92:10:3c:ea:ff:fc:1b:10:1a: ++ c3:d8:d0:9c:9d:65:cb:d0:2b:27:31:03:1e:36:e1:3d:76:75: ++ 0c:ff:45:26:b9:dd:51:bc:23:c7:5f:d8:d8:87:10:40:12:0d: ++ 3d:38:37:e7:44:3c:18:c0:53:09:64:8f:ff:d5:9a:a6:7c:70: ++ 2e:73:55:21:e8:df:ff:83:b9:1d:3e:32:1e:d6:a6:7d:2c:f1: ++ 66:e9:5c:1d:a7:a3:ce:5e:25:32:2b:e3:95:ac:2a:07:ce:b4: ++ 28:78:86:3c:2d:a6:9d:4d:d2:74:30:dd:64:51:15:db:83:83: ++ 51:d7:af:fd:33:9d:4d:66 ++SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A ++-----BEGIN CERTIFICATE----- ++MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV ++BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw ++JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 ++MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc ++U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg ++Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC ++CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r ++CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA ++lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG ++TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 ++9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 ++8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 ++g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we ++GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst +++3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M ++0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ 
++T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw ++HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP ++BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS ++YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA ++FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd ++9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI ++UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ ++OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke ++gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf ++iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV ++nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD ++2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// ++1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad ++TdJ0MN1kURXbg4NR16/9M51NZg== ++-----END CERTIFICATE----- +--- secure/caroot/untrusted/Security_Communication_Root_CA.pem.orig ++++ secure/caroot/untrusted/Security_Communication_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Security Communication Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 0 (0x0) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Validity +- Not Before: Sep 30 04:20:49 2003 GMT +- Not After : Sep 30 04:20:49 2023 GMT +- Subject: C = JP, O = SECOM Trust.net, OU = Security Communication RootCA1 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:b3:b3:fe:7f:d3:6d:b1:ef:16:7c:57:a5:0c:6d: +- 76:8a:2f:4b:bf:64:fb:4c:ee:8a:f0:f3:29:7c:f5: +- ff:ee:2a:e0:e9:e9:ba:5b:64:22:9a:9a:6f:2c:3a: +- 26:69:51:05:99:26:dc:d5:1c:6a:71:c6:9a:7d:1e: +- 9d:dd:7c:6c:c6:8c:67:67:4a:3e:f8:71:b0:19:27: +- a9:09:0c:a6:95:bf:4b:8c:0c:fa:55:98:3b:d8:e8: +- 22:a1:4b:71:38:79:ac:97:92:69:b3:89:7e:ea:21: +- 68:06:98:14:96:87:d2:61:36:bc:6d:27:56:9e:57: +- ee:c0:c0:56:fd:32:cf:a4:d9:8e:c2:23:d7:8d:a8: +- f3:d8:25:ac:97:e4:70:38:f4:b6:3a:b4:9d:3b:97: +- 26:43:a3:a1:bc:49:59:72:4c:23:30:87:01:58:f6: +- 4e:be:1c:68:56:66:af:cd:41:5d:c8:b3:4d:2a:55: +- 46:ab:1f:da:1e:e2:40:3d:db:cd:7d:b9:92:80:9c: +- 37:dd:0c:96:64:9d:dc:22:f7:64:8b:df:61:de:15: +- 94:52:15:a0:7d:52:c9:4b:a8:21:c9:c6:b1:ed:cb: +- c3:95:60:d1:0f:f0:ab:70:f8:df:cb:4d:7e:ec:d6: +- fa:ab:d9:bd:7f:54:f2:a5:e9:79:fa:d9:d6:76:24: +- 28:73 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Subject Key Identifier: +- A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48 +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- X509v3 Basic Constraints: critical +- CA:TRUE +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 68:40:a9:a8:bb:e4:4f:5d:79:b3:05:b5:17:b3:60:13:eb:c6: +- 92:5d:e0:d1:d3:6a:fe:fb:be:9b:6d:bf:c7:05:6d:59:20:c4: +- 1c:f0:b7:da:84:58:02:63:fa:48:16:ef:4f:a5:0b:f7:4a:98: +- f2:3f:9e:1b:ad:47:6b:63:ce:08:47:eb:52:3f:78:9c:af:4d: +- ae:f8:d5:4f:cf:9a:98:2a:10:41:39:52:c4:dd:d9:9b:0e:ef: +- 
93:01:ae:b2:2e:ca:68:42:24:42:6c:b0:b3:3a:3e:cd:e9:da: +- 48:c4:15:cb:e9:f9:07:0f:92:50:49:8a:dd:31:97:5f:c9:e9: +- 37:aa:3b:59:65:97:94:32:c9:b3:9f:3e:3a:62:58:c5:49:ad: +- 62:0e:71:a5:32:aa:2f:c6:89:76:43:40:13:13:67:3d:a2:54: +- 25:10:cb:f1:3a:f2:d9:fa:db:49:56:bb:a6:fe:a7:41:35:c3: +- e0:88:61:c9:88:c7:df:36:10:22:98:59:ea:b0:4a:fb:56:16: +- 73:6e:ac:4d:f7:22:a1:4f:ad:1d:7a:2d:45:27:e5:30:c1:5e: +- f2:da:13:cb:25:42:51:95:47:03:8c:6c:21:cc:74:42:ed:53: +- ff:33:8b:8f:0f:57:01:16:2f:cf:a6:ee:c9:70:22:14:bd:fd: +- be:6c:0b:03 +-SHA1 Fingerprint=36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7 +------BEGIN CERTIFICATE----- +-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY +-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t +-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5 +-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD +-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3 +-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8 +-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ +-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9 +-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N +-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ +-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G +-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T +-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG +-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr +-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5 +-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU +-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot +-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw== +------END CERTIFICATE----- +--- secure/caroot/untrusted/Sonera_Class_2_Root_CA.pem.orig ++++ secure/caroot/untrusted/Sonera_Class_2_Root_CA.pem +@@ 
-1,90 +0,0 @@ +-## +-## Sonera Class 2 Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 29 (0x1d) +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = FI, O = Sonera, CN = Sonera Class2 CA +- Validity +- Not Before: Apr 6 07:29:40 2001 GMT +- Not After : Apr 6 07:29:40 2021 GMT +- Subject: C = FI, O = Sonera, CN = Sonera Class2 CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:90:17:4a:35:9d:ca:f0:0d:96:c7:44:fa:16:37: +- fc:48:bd:bd:7f:80:2d:35:3b:e1:6f:a8:67:a9:bf: +- 03:1c:4d:8c:6f:32:47:d5:41:68:a4:13:04:c1:35: +- 0c:9a:84:43:fc:5c:1d:ff:89:b3:e8:17:18:cd:91: +- 5f:fb:89:e3:ea:bf:4e:5d:7c:1b:26:d3:75:79:ed: +- e6:84:e3:57:e5:ad:29:c4:f4:3a:28:e7:a5:7b:84: +- 36:69:b3:fd:5e:76:bd:a3:2d:99:d3:90:4e:23:28: +- 7d:18:63:f1:54:3b:26:9d:76:5b:97:42:b2:ff:ae: +- f0:4e:ec:dd:39:95:4e:83:06:7f:e7:49:40:c8:c5: +- 01:b2:54:5a:66:1d:3d:fc:f9:e9:3c:0a:9e:81:b8: +- 70:f0:01:8b:e4:23:54:7c:c8:ae:f8:90:1e:00:96: +- 72:d4:54:cf:61:23:bc:ea:fb:9d:02:95:d1:b6:b9: +- 71:3a:69:08:3f:0f:b4:e1:42:c7:88:f5:3f:98:a8: +- a7:ba:1c:e0:71:71:ef:58:57:81:50:7a:5c:6b:74: +- 46:0e:83:03:98:c3:8e:a8:6e:f2:76:32:6e:27:83: +- c2:73:f3:dc:18:e8:b4:93:ea:75:44:6b:04:60:20: +- 71:57:87:9d:f3:be:a0:90:23:3d:8a:24:e1:da:21: +- db:c3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Subject Key Identifier: +- 4A:A0:AA:58:84:D3:5E:3C +- X509v3 Key Usage: +- Certificate Sign, CRL Sign +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 5a:ce:87:f9:16:72:15:57:4b:1d:d9:9b:e7:a2:26:30:ec:93: +- 
67:df:d6:2d:d2:34:af:f7:38:a5:ce:ab:16:b9:ab:2f:7c:35: +- cb:ac:d0:0f:b4:4c:2b:fc:80:ef:6b:8c:91:5f:36:76:f7:db: +- b3:1b:19:ea:f4:b2:11:fd:61:71:44:bf:28:b3:3a:1d:bf:b3: +- 43:e8:9f:bf:dc:31:08:71:b0:9d:8d:d6:34:47:32:90:c6:65: +- 24:f7:a0:4a:7c:04:73:8f:39:6f:17:8c:72:b5:bd:4b:c8:7a: +- f8:7b:83:c3:28:4e:9c:09:ea:67:3f:b2:67:04:1b:c3:14:da: +- f8:e7:49:24:91:d0:1d:6a:fa:61:39:ef:6b:e7:21:75:06:07: +- d8:12:b4:21:20:70:42:71:81:da:3c:9a:36:be:a6:5b:0d:6a: +- 6c:9a:1f:91:7b:f9:f9:ef:42:ba:4e:4e:9e:cc:0c:8d:94:dc: +- d9:45:9c:5e:ec:42:50:63:ae:f4:5d:c4:b1:12:dc:ca:3b:a8: +- 2e:9d:14:5a:05:75:b7:ec:d7:63:e2:ba:35:b6:04:08:91:e8: +- da:9d:9c:f6:66:b5:18:ac:0a:a6:54:26:34:33:d2:1b:c1:d4: +- 7f:1a:3a:8e:0b:aa:32:6e:db:fc:4f:25:9f:d9:32:c7:96:5a: +- 70:ac:df:4c +-SHA1 Fingerprint=37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27 +------BEGIN CERTIFICATE----- +-MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP +-MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx +-MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV +-BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI +-hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o +-Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt +-5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s +-3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej +-vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu +-8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw +-DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG +-MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil +-zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/ +-3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD +-FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6 +-Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2 +-ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M 
+------END CERTIFICATE----- +--- secure/caroot/untrusted/Staat_der_Nederlanden_EV_Root_CA.pem.orig ++++ secure/caroot/untrusted/Staat_der_Nederlanden_EV_Root_CA.pem +@@ -1,134 +0,0 @@ +-## +-## Staat der Nederlanden EV Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). +-## +-## It contains a certificate trusted for server authentication. +-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000013 (0x98968d) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Validity +- Not Before: Dec 8 11:19:29 2010 GMT +- Not After : Dec 8 11:10:28 2022 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden EV Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:e3:c7:7e:89:f9:24:4b:3a:d2:33:83:35:2c:69: +- ec:dc:09:a4:e3:51:a8:25:2b:79:b8:08:3d:e0:91: +- ba:84:85:c6:85:a4:ca:e6:c9:2e:53:a4:c9:24:1e: +- fd:55:66:71:5d:2c:c5:60:68:04:b7:d9:c2:52:26: +- 38:88:a4:d6:3b:40:a6:c2:cd:3f:cd:98:93:b3:54: +- 14:58:96:55:d5:50:fe:86:ad:a4:63:7f:5c:87:f6: +- 8e:e6:27:92:67:17:92:02:03:2c:dc:d6:66:74:ed: +- dd:67:ff:c1:61:8d:63:4f:0f:9b:6d:17:30:26:ef: +- ab:d2:1f:10:a0:f9:c5:7f:16:69:81:03:47:ed:1e: +- 68:8d:72:a1:4d:b2:26:c6:ba:6c:5f:6d:d6:af:d1: +- b1:13:8e:a9:ad:f3:5e:69:75:26:18:3e:41:2b:21: +- 7f:ee:8b:5d:07:06:9d:43:c4:29:0a:2b:fc:2a:3e: +- 86:cb:3c:83:3a:f9:c9:0d:da:c5:99:e2:bc:78:41: +- 33:76:e1:bf:2f:5d:e5:a4:98:50:0c:15:dd:e0:fa: +- 9c:7f:38:68:d0:b2:a6:7a:a7:d1:31:bd:7e:8a:58: +- 27:43:b3:ba:33:91:d3:a7:98:15:5c:9a:e6:d3:0f: +- 75:d9:fc:41:98:97:3e:aa:25:db:8f:92:2e:b0:7b: +- 0c:5f:f1:63:a9:37:f9:9b:75:69:4c:28:26:25:da: +- d5:f2:12:70:45:55:e3:df:73:5e:37:f5:21:6c:90: +- 
8e:35:5a:c9:d3:23:eb:d3:c0:be:78:ac:42:28:58: +- 66:a5:46:6d:70:02:d7:10:f9:4b:54:fc:5d:86:4a: +- 87:cf:7f:ca:45:ac:11:5a:b5:20:51:8d:2f:88:47: +- 97:39:c0:cf:ba:c0:42:01:40:99:48:21:0b:6b:a7: +- d2:fd:96:d5:d1:be:46:9d:49:e0:0b:a6:a0:22:4e: +- 38:d0:c1:3c:30:bc:70:8f:2c:75:cc:d0:c5:8c:51: +- 3b:3d:94:08:64:26:61:7d:b9:c3:65:8f:14:9c:21: +- d0:aa:fd:17:72:03:8f:bd:9b:8c:e6:5e:53:9e:b9: +- 9d:ef:82:bb:e1:bc:e2:72:41:5b:21:94:d3:45:37: +- 94:d1:df:09:39:5d:e7:23:aa:9a:1d:ca:6d:a8:0a: +- 86:85:8a:82:be:42:07:d6:f2:38:82:73:da:87:5b: +- e5:3c:d3:9e:3e:a7:3b:9e:f4:03:b3:f9:f1:7d:13: +- 74:02:ff:bb:a1:e5:fa:00:79:1c:a6:66:41:88:5c: +- 60:57:a6:2e:09:c4:ba:fd:9a:cf:a7:1f:40:c3:bb: +- cc:5a:0a:55:4b:3b:38:76:51:b8:63:8b:84:94:16: +- e6:56:f3 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- cf:77:2c:6e:56:be:4e:b3:b6:84:00:94:ab:47:c9:0d:d2:76: +- c7:86:9f:1d:07:d3:b6:b4:bb:08:78:af:69:d2:0b:49:de:33: +- c5:ac:ad:c2:88:02:7d:06:b7:35:02:c1:60:c9:bf:c4:e8:94: +- de:d4:d3:a9:13:25:5a:fe:6e:a2:ae:7d:05:dc:7d:f3:6c:f0: +- 7e:a6:8d:ee:d9:d7:ce:58:17:e8:a9:29:ae:73:48:87:e7:9b: +- ca:6e:29:a1:64:5f:19:13:f7:ae:06:10:ff:51:c6:9b:4d:55: +- 25:4f:93:99:10:01:53:75:f1:13:ce:c7:a6:41:41:d2:bf:88: +- a5:7f:45:fc:ac:b8:a5:b5:33:0c:82:c4:fb:07:f6:6a:e5:25: +- 84:5f:06:ca:c1:86:39:11:db:58:cd:77:3b:2c:c2:4c:0f:5e: +- 9a:e3:f0:ab:3e:61:1b:50:24:c2:c0:f4:f1:19:f0:11:29:b6: +- a5:18:02:9b:d7:63:4c:70:8c:47:a3:03:43:5c:b9:5d:46:a0: +- 0d:6f:ff:59:8e:be:dd:9f:72:c3:5b:2b:df:8c:5b:ce:e5:0c: +- 46:6c:92:b2:0a:a3:4c:54:42:18:15:12:18:bd:da:fc:ba:74: +- 6e:ff:c1:b6:a0:64:d8:a9:5f:55:ae:9f:5c:6a:76:96:d8:73: +- 67:87:fb:4d:7f:5c:ee:69:ca:73:10:fb:8a:a9:fd:9e:bd:36: +- 38:49:49:87:f4:0e:14:f0:e9:87:b8:3f:a7:4f:7a:5a:8e:79: +- 
d4:93:e4:bb:68:52:84:ac:6c:e9:f3:98:70:55:72:32:f9:34: +- ab:2b:49:b5:cd:20:62:e4:3a:7a:67:63:ab:96:dc:6d:ae:97: +- ec:fc:9f:76:56:88:2e:66:cf:5b:b6:c9:a4:b0:d7:05:ba:e1: +- 27:2f:93:bb:26:2a:a2:93:b0:1b:f3:8e:be:1d:40:a3:b9:36: +- 8f:3e:82:1a:1a:5e:88:ea:50:f8:59:e2:83:46:29:0b:e3:44: +- 5c:e1:95:b6:69:90:9a:14:6f:97:ae:81:cf:68:ef:99:9a:be: +- b5:e7:e1:7f:f8:fa:13:47:16:4c:cc:6d:08:40:e7:8b:78:6f: +- 50:82:44:50:3f:66:06:8a:ab:43:84:56:4a:0f:20:2d:86:0e: +- f5:d2:db:d2:7a:8a:4b:cd:a5:e8:4e:f1:5e:26:25:01:59:23: +- a0:7e:d2:f6:7e:21:57:d7:27:bc:15:57:4c:a4:46:c1:e0:83: +- 1e:0c:4c:4d:1f:4f:06:19:e2:f9:a8:f4:3a:82:a1:b2:79:43: +- 79:d6:ad:6f:7a:27:90:03:a4:ea:24:87:3f:d9:bd:d9:e9:f2: +- 5f:50:49:1c:ee:ec:d7:2e +-SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB 
+-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +--- secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem.orig ++++ secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem +@@ -1,137 +0,0 @@ +-## +-## Staat der Nederlanden Root CA - G2 +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 10000012 (0x98968c) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Validity +- Not Before: Mar 26 11:18:17 2008 GMT +- Not After : Mar 25 11:03:10 2020 GMT +- Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2 +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (4096 bit) +- Modulus: +- 00:c5:59:e7:6f:75:aa:3e:4b:9c:b5:b8:ac:9e:0b: +- e4:f9:d9:ca:ab:5d:8f:b5:39:10:82:d7:af:51:e0: +- 3b:e1:00:48:6a:cf:da:e1:06:43:11:99:aa:14:25: +- 12:ad:22:e8:00:6d:43:c4:a9:b8:e5:1f:89:4b:67: +- bd:61:48:ef:fd:d2:e0:60:88:e5:b9:18:60:28:c3: +- 77:2b:ad:b0:37:aa:37:de:64:59:2a:46:57:e4:4b: +- b9:f8:37:7c:d5:36:e7:80:c1:b6:f3:d4:67:9b:96: +- e8:ce:d7:c6:0a:53:d0:6b:49:96:f3:a3:0b:05:77: +- 48:f7:25:e5:70:ac:30:14:20:25:e3:7f:75:5a:e5: +- 48:f8:4e:7b:03:07:04:fa:82:61:87:6e:f0:3b:c4: +- a4:c7:d0:f5:74:3e:a5:5d:1a:08:f2:9b:25:d2:f6: +- ac:04:26:3e:55:3a:62:28:a5:7b:b2:30:af:f8:37: +- c2:d1:ba:d6:38:fd:f4:ef:49:30:37:99:26:21:48: +- 85:01:a9:e5:16:e7:dc:90:55:df:0f:e8:38:cd:99: +- 37:21:4f:5d:f5:22:6f:6a:c5:12:16:60:17:55:f2: +- 65:66:a6:a7:30:91:38:c1:38:1d:86:04:84:ba:1a: +- 25:78:5e:9d:af:cc:50:60:d6:13:87:52:ed:63:1f: +- 6d:65:7d:c2:15:18:74:ca:e1:7e:64:29:8c:72:d8: +- 16:13:7d:0b:49:4a:f1:28:1b:20:74:6b:c5:3d:dd: +- b0:aa:48:09:3d:2e:82:94:cd:1a:65:d9:2b:88:9a: +- 99:bc:18:7e:9f:ee:7d:66:7c:3e:bd:94:b8:81:ce: +- cd:98:30:78:c1:6f:67:d0:be:5f:e0:68:ed:de:e2: +- b1:c9:2c:59:78:92:aa:df:2b:60:63:f2:e5:5e:b9: +- e3:ca:fa:7f:50:86:3e:a2:34:18:0c:09:68:28:11: +- 1c:e4:e1:b9:5c:3e:47:ba:32:3f:18:cc:5b:84:f5: +- f3:6b:74:c4:72:74:e1:e3:8b:a0:4a:bd:8d:66:2f: +- ea:ad:35:da:20:d3:88:82:61:f0:12:22:b6:bc:d0: +- 
d5:a4:ec:af:54:88:25:24:3c:a7:6d:b1:72:29:3f: +- 3e:57:a6:7f:55:af:6e:26:c6:fe:e7:cc:40:5c:51: +- 44:81:0a:78:de:4a:ce:55:bf:1d:d5:d9:b7:56:ef: +- f0:76:ff:0b:79:b5:af:bd:fb:a9:69:91:46:97:68: +- 80:14:36:1d:b3:7f:bb:29:98:36:a5:20:fa:82:60: +- 62:33:a4:ec:d6:ba:07:a7:6e:c5:cf:14:a6:e7:d6: +- 92:34:d8:81:f5:fc:1d:5d:aa:5c:1e:f6:a3:4d:3b: +- b8:f7:39 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Certificate Policies: +- Policy: X509v3 Any Policy +- CPS: http://www.pkioverheid.nl/policies/root-policy-G2 +- X509v3 Key Usage: critical +- Certificate Sign, CRL Sign +- X509v3 Subject Key Identifier: +- 91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB +- Signature Algorithm: sha256WithRSAEncryption +- Signature Value: +- a8:41:4a:67:2a:92:81:82:50:6e:e1:d7:d8:b3:39:3b:f3:02: +- 15:09:50:51:ef:2d:bd:24:7b:88:86:3b:f9:b4:bc:92:09:96: +- b9:f6:c0:ab:23:60:06:79:8c:11:4e:51:d2:79:80:33:fb:9d: +- 48:be:ec:41:43:81:1f:7e:47:40:1c:e5:7a:08:ca:aa:8b:75: +- ad:14:c4:c2:e8:66:3c:82:07:a7:e6:27:82:5b:18:e6:0f:6e: +- d9:50:3e:8a:42:18:29:c6:b4:56:fc:56:10:a0:05:17:bd:0c: +- 23:7f:f4:93:ed:9c:1a:51:be:dd:45:41:bf:91:24:b4:1f:8c: +- e9:5f:cf:7b:21:99:9f:95:9f:39:3a:46:1c:6c:f9:cd:7b:9c: +- 90:cd:28:a9:c7:a9:55:bb:ac:62:34:62:35:13:4b:14:3a:55: +- 83:b9:86:8d:92:a6:c6:f4:07:25:54:cc:16:57:12:4a:82:78: +- c8:14:d9:17:82:26:2d:5d:20:1f:79:ae:fe:d4:70:16:16:95: +- 83:d8:35:39:ff:52:5d:75:1c:16:c5:13:55:cf:47:cc:75:65: +- 52:4a:de:f0:b0:a7:e4:0a:96:0b:fb:ad:c2:e2:25:84:b2:dd: +- e4:bd:7e:59:6c:9b:f0:f0:d8:e7:ca:f2:e9:97:38:7e:89:be: +- cc:fb:39:17:61:3f:72:db:3a:91:d8:65:01:19:1d:ad:50:a4: +- 57:0a:7c:4b:bc:9c:71:73:2a:45:51:19:85:cc:8e:fd:47:a7: +- 74:95:1d:a8:d1:af:4e:17:b1:69:26:c2:aa:78:57:5b:c5:4d: +- a7:e5:9e:05:17:94:ca:b2:5f:a0:49:18:8d:34:e9:26:6c:48: +- 1e:aa:68:92:05:e1:82:73:5a:9b:dc:07:5b:08:6d:7d:9d:d7: +- 8d:21:d9:fc:14:20:aa:c2:45:df:3f:e7:00:b2:51:e4:c2:f8: +- 
05:b9:79:1a:8c:34:f3:9e:5b:e4:37:5b:6b:4a:df:2c:57:8a: +- 40:5a:36:ba:dd:75:44:08:37:42:70:0c:fe:dc:5e:21:a0:a3: +- 8a:c0:90:9c:68:da:50:e6:45:10:47:78:b6:4e:d2:65:c9:c3: +- 37:df:e1:42:63:b0:57:37:45:2d:7b:8a:9c:bf:05:ea:65:55: +- 33:f7:39:10:c5:28:2a:21:7a:1b:8a:c4:24:f9:3f:15:c8:9a: +- 15:20:f5:55:62:96:ed:6d:93:50:bc:e4:aa:78:ad:d9:cb:0a: +- 65:87:a6:66:c1:c4:81:a3:77:3a:58:1e:0b:ee:83:8b:9d:1e: +- d2:52:a4:cc:1d:6f:b0:98:6d:94:31:b5:f8:71:0a:dc:b9:fc: +- 7d:32:60:e6:eb:af:8a:01 +-SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16 +------BEGIN CERTIFICATE----- +-MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX +-DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl +-ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv +-b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291 +-qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp +-uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU +-Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE +-pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp +-5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M +-UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN +-GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy +-5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv +-6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK +-eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6 +-B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/ +-BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov +-L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV +-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG 
+-SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS +-CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen +-5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897 +-IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK +-gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL +-+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL +-vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm +-bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk +-N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC +-Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z +-ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ== +------END CERTIFICATE----- +--- /dev/null ++++ secure/caroot/untrusted/SwissSign_Silver_CA_-_G2.pem +@@ -0,0 +1,140 @@ ++## ++## SwissSign Silver CA - G2 ++## ++## This is a single X.509 certificate for a public Certificate ++## Authority (CA). It was automatically extracted from Mozilla's ++## root CA list (the file `certdata.txt' in security/nss). ++## ++## It contains a certificate trusted for server authentication. 
++## ++## Extracted from nss ++## ++## @generated ++## ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 5700383053117599563 (0x4f1bd42f54bb2f4b) ++ Signature Algorithm: sha1WithRSAEncryption ++ Issuer: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Validity ++ Not Before: Oct 25 08:32:46 2006 GMT ++ Not After : Oct 25 08:32:46 2036 GMT ++ Subject: C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (4096 bit) ++ Modulus: ++ 00:c4:f1:87:7f:d3:78:31:f7:38:c9:f8:c3:99:43: ++ bc:c7:f7:bc:37:e7:4e:71:ba:4b:8f:a5:73:1d:5c: ++ 6e:98:ae:03:57:ae:38:37:43:2f:17:3d:1f:c8:ce: ++ 68:10:c1:78:ae:19:03:2b:10:fa:2c:79:83:f6:e8: ++ b9:68:b9:55:f2:04:44:a7:39:f9:fc:04:8b:1e:f1: ++ a2:4d:27:f9:61:7b:ba:b7:e5:a2:13:b6:eb:61:3e: ++ d0:6c:d1:e6:fb:fa:5e:ed:1d:b4:9e:a0:35:5b:a1: ++ 92:cb:f0:49:92:fe:85:0a:05:3e:e6:d9:0b:e2:4f: ++ bb:dc:95:37:fc:91:e9:32:35:22:d1:1f:3a:4e:27: ++ 85:9d:b0:15:94:32:da:61:0d:47:4d:60:42:ae:92: ++ 47:e8:83:5a:50:58:e9:8a:8b:b9:5d:a1:dc:dd:99: ++ 4a:1f:36:67:bb:48:e4:83:b6:37:eb:48:3a:af:0f: ++ 67:8f:17:07:e8:04:ca:ef:6a:31:87:d4:c0:b6:f9: ++ 94:71:7b:67:64:b8:b6:91:4a:42:7b:65:2e:30:6a: ++ 0c:f5:90:ee:95:e6:f2:cd:82:ec:d9:a1:4a:ec:f6: ++ b2:4b:e5:45:85:e6:6d:78:93:04:2e:9c:82:6d:36: ++ a9:c4:31:64:1f:86:83:0b:2a:f4:35:0a:78:c9:55: ++ cf:41:b0:47:e9:30:9f:99:be:61:a8:06:84:b9:28: ++ 7a:5f:38:d9:1b:a9:38:b0:83:7f:73:c1:c3:3b:48: ++ 2a:82:0f:21:9b:b8:cc:a8:35:c3:84:1b:83:b3:3e: ++ be:a4:95:69:01:3a:89:00:78:04:d9:c9:f4:99:19: ++ ab:56:7e:5b:8b:86:39:15:91:a4:10:2c:09:32:80: ++ 60:b3:93:c0:2a:b6:18:0b:9d:7e:8d:49:f2:10:4a: ++ 7f:f9:d5:46:2f:19:92:a3:99:a7:26:ac:bb:8c:3c: ++ e6:0e:bc:47:07:dc:73:51:f1:70:64:2f:08:f9:b4: ++ 47:1d:30:6c:44:ea:29:37:85:92:68:66:bc:83:38: ++ fe:7b:39:2e:d3:50:f0:1f:fb:5e:60:b6:a9:a6:fa: ++ 27:41:f1:9b:18:72:f2:f5:84:74:4a:c9:67:c4:54: ++ ae:48:64:df:8c:d1:6e:b0:1d:e1:07:8f:08:1e:99: ++ 
9c:71:e9:4c:d8:a5:f7:47:12:1f:74:d1:51:9e:86: ++ f3:c2:a2:23:40:0b:73:db:4b:a6:e7:73:06:8c:c1: ++ a0:e9:c1:59:ac:46:fa:e6:2f:f8:cf:71:9c:46:6d: ++ b9:c4:15:8d:38:79:03:45:48:ef:c4:5d:d7:08:ee: ++ 87:39:22:86:b2:0d:0f:58:43:f7:71:a9:48:2e:fd: ++ ea:d6:1f ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Key Usage: critical ++ Certificate Sign, CRL Sign ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ X509v3 Subject Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Authority Key Identifier: ++ 17:A0:CD:C1:E4:41:B6:3A:5B:3B:CB:45:9D:BD:1C:C2:98:FA:86:58 ++ X509v3 Certificate Policies: ++ Policy: 2.16.756.1.89.1.3.1.1 ++ CPS: http://repository.swisssign.com/ ++ Signature Algorithm: sha1WithRSAEncryption ++ Signature Value: ++ 73:c6:81:e0:27:d2:2d:0f:e0:95:30:e2:9a:41:7f:50:2c:5f: ++ 5f:62:61:a9:86:6a:69:18:0c:74:49:d6:5d:84:ea:41:52:18: ++ 6f:58:ad:50:56:20:6a:c6:bd:28:69:58:91:dc:91:11:35:a9: ++ 3a:1d:bc:1a:a5:60:9e:d8:1f:7f:45:91:69:d9:7e:bb:78:72: ++ c1:06:0f:2a:ce:8f:85:70:61:ac:a0:cd:0b:b8:39:29:56:84: ++ 32:4e:86:bb:3d:c4:2a:d9:d7:1f:72:ee:fe:51:a1:22:41:b1: ++ 71:02:63:1a:82:b0:62:ab:5e:57:12:1f:df:cb:dd:75:a0:c0: ++ 5d:79:90:8c:1b:e0:50:e6:de:31:fe:98:7b:70:5f:a5:90:d8: ++ ad:f8:02:b6:6f:d3:60:dd:40:4b:22:c5:3d:ad:3a:7a:9f:1a: ++ 1a:47:91:79:33:ba:82:dc:32:69:03:96:6e:1f:4b:f0:71:fe: ++ e3:67:72:a0:b1:bf:5c:8b:e4:fa:99:22:c7:84:b9:1b:8d:23: ++ 97:3f:ed:25:e0:cf:65:bb:f5:61:04:ef:dd:1e:b2:5a:41:22: ++ 5a:a1:9f:5d:2c:e8:5b:c9:6d:a9:0c:0c:78:aa:60:c6:56:8f: ++ 01:5a:0c:68:bc:69:19:79:c4:1f:7e:97:05:bf:c5:e9:24:51: ++ 5e:d4:d5:4b:53:ed:d9:23:5a:36:03:65:a3:c1:03:ad:41:30: ++ f3:46:1b:85:90:af:65:b5:d5:b1:e4:16:5b:78:75:1d:97:7a: ++ 6d:59:a9:2a:8f:7b:de:c3:87:89:10:99:49:73:78:c8:3d:bd: ++ 51:35:74:2a:d5:f1:7e:69:1b:2a:bb:3b:bd:25:b8:9a:5a:3d: ++ 72:61:90:66:87:ee:0c:d6:4d:d4:11:74:0b:6a:fe:0b:03:fc: ++ a3:55:57:89:fe:4a:cb:ae:5b:17:05:c8:f2:8d:23:31:53:38: ++ d2:2d:6a:3f:82:b9:8d:08:6a:f7:5e:41:74:6e:c3:11:7e:07: 
++ ac:29:60:91:3f:38:ca:57:10:0d:bd:30:2f:c7:a5:e6:41:a0: ++ da:ae:05:87:9a:a0:a4:65:6c:4c:09:0c:89:ba:b8:d3:b9:c0: ++ 93:8a:30:fa:8d:e5:9a:6b:15:01:4e:67:aa:da:62:56:3e:84: ++ 08:66:d2:c4:36:7d:a7:3e:10:fc:88:e0:d4:80:e5:00:bd:aa: ++ f3:4e:06:a3:7a:6a:f9:62:72:e3:09:4f:eb:9b:0e:01:23:f1: ++ 9f:bb:7c:dc:dc:6c:11:97:25:b2:f2:b4:63:14:d2:06:2a:67: ++ 8c:83:f5:ce:ea:07:d8:9a:6a:1e:ec:e4:0a:bb:2a:4c:eb:09: ++ 60:39:ce:ca:62:d8:2e:6e ++SHA1 Fingerprint=9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB ++-----BEGIN CERTIFICATE----- ++MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE ++BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu ++IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow ++RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY ++U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A ++MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv ++Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br ++YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF ++nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH ++6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt ++eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/ ++c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ ++MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH ++HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf ++jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6 ++5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB ++rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU ++F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c ++wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 ++cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB ++AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp 
++WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9 ++xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ ++2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ ++IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8 ++aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X ++em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR ++dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/ ++OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+ ++hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy ++tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u ++-----END CERTIFICATE----- +--- secure/caroot/untrusted/Trustis_FPS_Root_CA.pem.orig ++++ secure/caroot/untrusted/Trustis_FPS_Root_CA.pem +@@ -1,91 +0,0 @@ +-## +-## Trustis FPS Root CA +-## +-## This is a single X.509 certificate for a public Certificate +-## Authority (CA). It was automatically extracted from Mozilla's +-## root CA list (the file `certdata.txt' in security/nss). 
+-## +-## Extracted from nss +-## +-## @generated +-## +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: +- 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 +- Signature Algorithm: sha1WithRSAEncryption +- Issuer: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Validity +- Not Before: Dec 23 12:14:06 2003 GMT +- Not After : Jan 21 11:36:54 2024 GMT +- Subject: C = GB, O = Trustis Limited, OU = Trustis FPS Root CA +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:c5:50:7b:9e:3b:35:d0:df:c4:8c:cd:8e:9b:ed: +- a3:c0:36:99:f4:42:ea:a7:3e:80:83:0f:a6:a7:59: +- 87:c9:90:45:43:7e:00:ea:86:79:2a:03:bd:3d:37: +- 99:89:66:b7:e5:8a:56:86:93:9c:68:4b:68:04:8c: +- 93:93:02:3e:30:d2:37:3a:22:61:89:1c:85:4e:7d: +- 8f:d5:af:7b:35:f6:7e:28:47:89:31:dc:0e:79:64: +- 1f:99:d2:5b:ba:fe:7f:60:bf:ad:eb:e7:3c:38:29: +- 6a:2f:e5:91:0b:55:ff:ec:6f:58:d5:2d:c9:de:4c: +- 66:71:8f:0c:d7:04:da:07:e6:1e:18:e3:bd:29:02: +- a8:fa:1c:e1:5b:b9:83:a8:41:48:bc:1a:71:8d:e7: +- 62:e5:2d:b2:eb:df:7c:cf:db:ab:5a:ca:31:f1:4c: +- 22:f3:05:13:f7:82:f9:73:79:0c:be:d7:4b:1c:c0: +- d1:15:3c:93:41:64:d1:e6:be:23:17:22:00:89:5e: +- 1f:6b:a5:ac:6e:a7:4b:8c:ed:a3:72:e6:af:63:4d: +- 2f:85:d2:14:35:9a:2e:4e:8c:ea:32:98:28:86:a1: +- 91:09:41:3a:b4:e1:e3:f2:fa:f0:c9:0a:a2:41:dd: +- a9:e3:03:c7:88:15:3b:1c:d4:1a:94:d7:9f:64:59: +- 12:6d +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: critical +- CA:TRUE +- X509v3 Authority Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- X509v3 Subject Key Identifier: +- BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 +- Signature Algorithm: sha1WithRSAEncryption +- Signature Value: +- 7e:58:ff:fd:35:19:7d:9c:18:4f:9e:b0:2b:bc:8e:8c:14:ff: +- 2c:a0:da:47:5b:c3:ef:81:2d:af:05:ea:74:48:5b:f3:3e:4e: +- 07:c7:6d:c5:b3:93:cf:22:35:5c:b6:3f:75:27:5f:09:96:cd: +- a0:fe:be:40:0c:5c:12:55:f8:93:82:ca:29:e9:5e:3f:56:57: +- 
8b:38:36:f7:45:1a:4c:28:cd:9e:41:b8:ed:56:4c:84:a4:40: +- c8:b8:b0:a5:2b:69:70:04:6a:c3:f8:d4:12:32:f9:0e:c3:b1: +- dc:32:84:44:2c:6f:cb:46:0f:ea:66:41:0f:4f:f1:58:a5:a6: +- 0d:0d:0f:61:de:a5:9e:5d:7d:65:a1:3c:17:e7:a8:55:4e:ef: +- a0:c7:ed:c6:44:7f:54:f5:a3:e0:8f:f0:7c:55:22:8f:29:b6: +- 81:a3:e1:6d:4e:2c:1b:80:67:ec:ad:20:9f:0c:62:61:d5:97: +- ff:43:ed:2d:c1:da:5d:29:2a:85:3f:ac:65:ee:86:0f:05:8d: +- 90:5f:df:ee:9f:f4:bf:ee:1d:fb:98:e4:7f:90:2b:84:78:10: +- 0e:6c:49:53:ef:15:5b:65:46:4a:5d:af:ba:fb:3a:72:1d:cd: +- f6:25:88:1e:97:cc:21:9c:29:01:0d:65:eb:57:d9:f3:57:96: +- bb:48:cd:81 +-SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 +------BEGIN CERTIFICATE----- +-MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF +-MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL +-ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx +-MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc +-MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD +-ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ +-AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH +-iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj +-vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA +-0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB +-OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ +-BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E +-FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 +-GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW +-zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 +-1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE +-f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F +-jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN +-ZetX2fNXlrtIzYE= +------END CERTIFICATE----- 
diff --git a/website/static/security/patches/EN-25:08/caroot-14.2.patch.asc b/website/static/security/patches/EN-25:08/caroot-14.2.patch.asc
new file mode 100644
index 0000000000..eae98c798c
--- /dev/null
+++ b/website/static/security/patches/EN-25:08/caroot-14.2.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38D8ACgkQbljekB8A
+Gu/gKxAA3eLXOyTgElAw1KQ//L0mmrYI//1uaEvaeaIb+xCwwD+J2Lh4T+rTWF5v
+yH/rWw5nB1T5jh9WtJHgMZkgJcnDOYarpKiVXPJvzzYjPKjIKRU+m25wKLrADDhv
+s3r7mljU14tuj2ajOlLMX6aRppZOsS73wqMs82JIMNHQDQer1W/Xx+DRtcf+Reim
+y86d+se2AGKl5+uQXm8SxKN082Eqyr33sS7lUrB3vLRs5rciqQEawBIfygbUVXgB
+ZNlxwqR5WmY9AsVxy5bG6UecSk2NJxyDtJibkJ7Iz5NqSiTx1eqCuQfDoKpmaISq
+IlU8TKK0NLKVfcPufxPMC64Blykt7uSvwLPL5mya6CNQS9laDbEpb5Lt5NEYe6xE
+uGI3JkLgVk5NJhWGP/Aln0w3G8u+LqC/bKTtfnQnPGgCXCH7ehTtqvKF3cpRk476
+dQa9jwixCQuS0eGy2PBW7D+f/7dXr2QkETBHhj0Xr73LGYVyH+FVCVDHbRJ15ZSx
+pU83BUTMkmGDixApSNkudYw6m0kQEwvrM9XvpinKHk6DhCn/zQwQytIYGO6OTs13
+daJRAY1vS8cXp5MmYz6FwYZL+7KjNZJ3KdMs5yUT0u5ZkdJEclq98JY+8FkpAqpS
+bPX4BfOVyPDs/2yEAZL9eykSeKZLbOSTJjI1EXf3qcXR0jOzTUQ=
+=DGGw
+-----END PGP SIGNATURE-----