jruby-openssl 0.5.2 → 0.6

data/History.txt

@@ -1,3 +1,30 @@
+== 0.6
+
+- This is a recommended upgrade to jruby-openssl. A security problem
+  involving peer certificate verification was found where failed
+  verification silently did nothing, making affected applications
+  vulnerable to attackers. Attackers could lead a client application
+  to believe that a secure connection to a rogue SSL server is
+  legitimate. Attackers could also penetrate client-validated SSL
+  server applications with a dummy certificate. Your application would
+  be vulnerable if you're using the 'net/https' library with
+  OpenSSL::SSL::VERIFY_PEER mode and any version of jruby-openssl
+  prior to 0.6. Thanks to NaHi (NAKAMURA Hiroshi) for finding the
+  problem and providing the fix. See
+  http://www.jruby.org/2009/12/07/vulnerability-in-jruby-openssl.html
+  for details.
+- This release addresses CVE-2009-4123 which was reserved for the
+  above vulnerability.
+- Many fixes from NaHi, including issues related to certificate
+  verification and certificate store purpose verification.
+  - implement OpenSSL::X509::Store#set_default_paths
+  - MRI compat. fix: OpenSSL::X509::Store#add_file
+  - Fix nsCertType handling.
+  - Fix Cipher#key_len for DES-EDE3: 16 should be 24.
+  - Modified test expectations around Cipher#final.
+- Public keys are lazily instantiated when the
+  X509::Certificate#public_key method is called (Dave Garcia)
+
 == 0.5.2
 
 * Multiple bugs fixed:

data/Manifest.txt

@@ -0,0 +1,100 @@
+Rakefile
+History.txt
+Manifest.txt
+README.txt
+License.txt
+lib/jopenssl.jar
+lib/bcmail-jdk14-139.jar
+lib/bcprov-jdk14-139.jar
+lib/jopenssl
+lib/jopenssl.jar
+lib/openssl
+lib/openssl.rb
+lib/jopenssl/version.rb
+lib/openssl/bn.rb
+lib/openssl/buffering.rb
+lib/openssl/cipher.rb
+lib/openssl/digest.rb
+lib/openssl/dummy.rb
+lib/openssl/dummyssl.rb
+lib/openssl/ssl.rb
+lib/openssl/x509.rb
+test/cert_with_ec_pk.cer
+test/fixture
+test/openssl
+test/pkcs7_mime_enveloped.message
+test/pkcs7_mime_signed.message
+test/pkcs7_multipart_signed.message
+test/ref
+test/test_cipher.rb
+test/test_integration.rb
+test/test_java.rb
+test/test_java_attribute.rb
+test/test_java_bio.rb
+test/test_java_mime.rb
+test/test_java_pkcs7.rb
+test/test_java_smime.rb
+test/test_openssl.rb
+test/test_openssl_x509.rb
+test/test_parse_certificate.rb
+test/test_pkey.rb
+test/test_x509store.rb
+test/ut_eof.rb
+test/fixture/ca_path
+test/fixture/cacert.pem
+test/fixture/cert_localhost.pem
+test/fixture/common.pem
+test/fixture/localhost_keypair.pem
+test/fixture/max.pem
+test/fixture/purpose
+test/fixture/verisign.pem
+test/fixture/verisign_c3.pem
+test/fixture/ca_path/72fa7371.0
+test/fixture/ca_path/verisign.pem
+test/fixture/purpose/b70a5bc1.0
+test/fixture/purpose/ca
+test/fixture/purpose/cacert.pem
+test/fixture/purpose/scripts
+test/fixture/purpose/sslclient
+test/fixture/purpose/sslclient.pem
+test/fixture/purpose/sslserver
+test/fixture/purpose/sslserver.pem
+test/fixture/purpose/ca/ca_config.rb
+test/fixture/purpose/ca/cacert.pem
+test/fixture/purpose/ca/newcerts
+test/fixture/purpose/ca/PASSWD_OF_CA_KEY_IS_1234
+test/fixture/purpose/ca/private
+test/fixture/purpose/ca/serial
+test/fixture/purpose/ca/newcerts/2_cert.pem
+test/fixture/purpose/ca/newcerts/3_cert.pem
+test/fixture/purpose/ca/private/cakeypair.pem
+test/fixture/purpose/scripts/gen_cert.rb
+test/fixture/purpose/scripts/gen_csr.rb
+test/fixture/purpose/scripts/init_ca.rb
+test/fixture/purpose/sslclient/csr.pem
+test/fixture/purpose/sslclient/keypair.pem
+test/fixture/purpose/sslclient/sslclient.pem
+test/fixture/purpose/sslserver/csr.pem
+test/fixture/purpose/sslserver/keypair.pem
+test/fixture/purpose/sslserver/sslserver.pem
+test/openssl/ssl_server.rb
+test/openssl/test_asn1.rb
+test/openssl/test_cipher.rb
+test/openssl/test_digest.rb
+test/openssl/test_hmac.rb
+test/openssl/test_ns_spki.rb
+test/openssl/test_pair.rb
+test/openssl/test_pkcs7.rb
+test/openssl/test_pkey_rsa.rb
+test/openssl/test_ssl.rb
+test/openssl/test_x509cert.rb
+test/openssl/test_x509crl.rb
+test/openssl/test_x509ext.rb
+test/openssl/test_x509name.rb
+test/openssl/test_x509req.rb
+test/openssl/test_x509store.rb
+test/openssl/utils.rb
+test/ref/a.out
+test/ref/compile.rb
+test/ref/pkcs1
+test/ref/pkcs1.c

data/Rakefile

@@ -0,0 +1,71 @@
+require 'rake'
+require 'rake/testtask'
+
+MANIFEST = FileList["Rakefile", "History.txt", "Manifest.txt", "README.txt", "License.txt", "lib/jopenssl.jar", "lib/**/*", "test/**/*"]
+BC_JARS = FileList["lib/bc*.jar"]
+
+task :default => [:java_compile, :test]
+
+def java_classpath_arg # myriad of ways to discover JRuby classpath
+  begin
+    cpath  = Java::java.lang.System.getProperty('java.class.path').split(File::PATH_SEPARATOR)
+    cpath += Java::java.lang.System.getProperty('sun.boot.class.path').split(File::PATH_SEPARATOR)
+    jruby_cpath = cpath.compact.join(File::PATH_SEPARATOR)
+  rescue => e
+  end
+  unless jruby_cpath
+    jruby_cpath = ENV['JRUBY_PARENT_CLASSPATH'] || ENV['JRUBY_HOME'] &&
+      FileList["#{ENV['JRUBY_HOME']}/lib/*.jar"].join(File::PATH_SEPARATOR)
+  end
+  bc_jars = BC_JARS.join(File::PATH_SEPARATOR)
+  jruby_cpath ? "-cp #{jruby_cpath}#{File::PATH_SEPARATOR}#{bc_jars}" : "-cp #{bc_jars}"
+end
+
+desc "Compile the native Java code."
+task :java_compile do
+  mkdir_p "pkg/classes"
+
+  File.open("pkg/compile_options", "w") do |f|
+    f << "-target 1.5 -source 1.5 -Xlint:unchecked -Xlint:deprecation -d pkg/classes"
+  end
+
+  File.open("pkg/compile_classpath", "w") do |f|
+    f << java_classpath_arg
+  end
+
+  File.open("pkg/compile_sourcefiles", "w") do |f|
+    f << FileList['src/java/**/*.java'].join(' ')
+  end
+
+  sh "javac @pkg/compile_options @pkg/compile_classpath @pkg/compile_sourcefiles"
+  File.open("pkg/classes/manifest.mf", "w") {|f| f.puts "Class-Path: #{BC_JARS.map{|f| File.basename(f) }.join(' ')}"}
+  sh "jar cfm lib/jopenssl.jar pkg/classes/manifest.mf -C pkg/classes/ ."
+end
+file "lib/jopenssl.jar" => :java_compile
+
+task :more_clean do
+  rm_f FileList['lib/jopenssl.jar']
+end
+task :clean => :more_clean
+
+File.open("Manifest.txt", "w") {|f| MANIFEST.each {|n| f.puts n } }
+
+require File.dirname(__FILE__) + "/lib/jopenssl/version"
+begin
+  require 'hoe'
+  Hoe.spec("jruby-openssl") do |p|
+    p.version = Jopenssl::Version::VERSION
+    p.rubyforge_name = "jruby-extras"
+    p.url = "http://jruby-extras.rubyforge.org/jruby-openssl"
+    p.author = "Ola Bini and JRuby contributors"
+    p.email = "ola.bini@gmail.com"
+    p.summary = "OpenSSL add-on for JRuby"
+    p.changes = p.paragraphs_of('History.txt', 0..1).join("\n\n")
+    p.description = p.paragraphs_of('README.txt', 0...1).join("\n\n")
+    p.test_globs = ENV["TEST"] || ["test/test_*.rb"]
+  end.spec.dependencies.delete_if { |dep| dep.name == "hoe" }
+rescue LoadError
+  puts "You really need Hoe installed to be able to package this gem"
+rescue => e
+  puts "ignoring error while loading hoe: #{e.to_s}"
+end

data/lib/jopenssl/version.rb

@@ -1,5 +1,5 @@
 module Jopenssl
   module Version
-    VERSION = "0.5.2"
+    VERSION = "0.6"
   end
 end

data/lib/openssl/bn.rb

@@ -14,9 +14,7 @@
   $Id: bn.rb,v 1.1 2003/07/23 16:11:30 gotoyuzo Exp $
 =end
 
-##
-# Should we care what if somebody require this file directly?
-#require 'openssl'
+require 'openssl'
 
 module OpenSSL
   class BN

data/lib/openssl/cipher.rb

@@ -14,12 +14,24 @@
   $Id: cipher.rb,v 1.1.2.2 2006/06/20 11:18:15 gotoyuzo Exp $
 =end
 
-##
-# Should we care what if somebody require this file directly?
-#require 'openssl'
+require 'openssl'
 
 module OpenSSL
   module Cipher
+    class Cipher
+      def random_key
+        str = OpenSSL::Random.random_bytes(self.key_len)
+        self.key = str
+        return str
+      end
+
+      def random_iv
+        str = OpenSSL::Random.random_bytes(self.iv_len)
+        self.iv = str
+        return str
+      end
+    end
+    
     %w(AES CAST5 BF DES IDEA RC2 RC4 RC5).each{|name|
       klass = Class.new(Cipher){
         define_method(:initialize){|*args|
@@ -40,19 +52,5 @@ module OpenSSL
       }
       const_set("AES#{keylen}", klass)
     }
-
-    class Cipher
-      def random_key
-        str = OpenSSL::Random.random_bytes(self.key_len)
-        self.key = str
-        return str
-      end
-
-      def random_iv
-        str = OpenSSL::Random.random_bytes(self.iv_len)
-        self.iv = str
-        return str
-      end
-    end
   end # Cipher
 end # OpenSSL

data/lib/openssl/digest.rb

@@ -14,9 +14,7 @@
   $Id: digest.rb,v 1.1.2.2 2006/06/20 11:18:15 gotoyuzo Exp $
 =end
 
-##
-# Should we care what if somebody require this file directly?
-#require 'openssl'
+require 'openssl'
 
 module OpenSSL
   module Digest

data/test/cert_with_ec_pk.cer

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgTCCA2mgAwIBAgIDBbhmMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR4wHAYDVQQLDBVhLXNpZ24tUHJl
+bWl1bS1TaWctMDIxHjAcBgNVBAMMFWEtc2lnbi1QcmVtaXVtLVNpZy0wMjAeFw0w
+OTA2MjYwOTExMzdaFw0xNDA2MjYwOTExMzdaMGAxCzAJBgNVBAYTAkFUMRcwFQYD
+VQQDDA5NYXggTXVzdGVybWFubjETMBEGA1UEBAwKTXVzdGVybWFubjEMMAoGA1UE
+KgwDTWF4MRUwEwYDVQQFEww3NTkzNjIxNTE2MTYwSTATBgcqhkjOPQIBBggqhkjO
+PQMBAQMyAARbbFo9QvtuaQ5asz4LNXYpSq7Ey/AbNswno8CDMKD+tP39MfSUEjuY
+7yZ8T3XVYjejggHlMIIB4TATBgNVHSMEDDAKgAhN3+H/S9nJ3zAnBggrBgEFBQcB
+AwEB/wQYMBYwCAYGBACORgEBMAoGCCsGAQUFBwsBMHsGCCsGAQUFBwEBBG8wbTBC
+BggrBgEFBQcwAoY2aHR0cDovL3d3dy5hLXRydXN0LmF0L2NlcnRzL2Etc2lnbi1Q
+cmVtaXVtLVNpZy0wMmEuY3J0MCcGCCsGAQUFBzABhhtodHRwOi8vb2NzcC5hLXRy
+dXN0LmF0L29jc3AwWQYDVR0gBFIwUDBEBgYqKAARAQswOjA4BggrBgEFBQcCARYs
+aHR0cDovL3d3dy5hLXRydXN0LmF0L2RvY3MvY3AvYS1zaWduLVByZW1pdW0wCAYG
+BACLMAEBMIGaBgNVHR8EgZIwgY8wgYyggYmggYaGgYNsZGFwOi8vbGRhcC5hLXRy
+dXN0LmF0L291PWEtc2lnbi1QcmVtaXVtLVNpZy0wMixvPUEtVHJ1c3QsYz1BVD9j
+ZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2Vy
+dGlmaWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQIR1fr2jRYTEUwDgYDVR0PAQH/
+BAQDAgbAMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAHsrgU7+M1jpofom
+DCx1sZHOX8yPodS2hJuSf0pE7TkazV7i0sZG92P5UPWhh+FdyK7Nrn07tGrLLbGG
+occclVUf8wVsRipKfBjLTYXFZPddzQ/Urtf0zvUFH7wYnMaVX1k32V6R/C/mLC0l
+qmn+1htPnNks/+I4uHcPKLhcXatDPfOdLjLZGLI63B6Azxsf2/gMKEOr2hvdqDIX
++bGTdwU5r/8+oPlaTbq6xLVhyr6dKSqaXOBZDk8I7lSxDC/YwOfC6yyC2gxyiZP+
+LPcGEzWnwX+9oz9gwfFKTH83i1ifHEI24NGTeJeeEPqP47XSLJf7bX264Vxtq2yf
+xcxpndk=
+-----END CERTIFICATE-----

data/test/fixture/ca_path/72fa7371.0

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
+oJ2daZH9
+-----END CERTIFICATE-----

data/test/fixture/ca_path/verisign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
+oJ2daZH9
+-----END CERTIFICATE-----

data/test/fixture/common.pem

@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIIgTCCB2mgAwIBAgICGuwwDQYJKoZIhvcNAQEFBQAwgeAxCzAJBgNVBAYTAkVT
+MS4wLAYJKoZIhvcNAQkBFh9hY19jYW1lcmZpcm1hX2NjQGNhbWVyZmlybWEuY29t
+MUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh
+bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGTAXBgNV
+BAoTEEFDIENhbWVyZmlybWEgU0ExLTArBgNVBAMTJEFDIENhbWVyZmlybWEgQ2Vy
+dGlmaWNhZG9zIENhbWVyYWxlczAeFw0wNTA0MDgxMDUxMDBaFw0wOTA0MDcxMDUx
+MDBaMIIBsDELMAkGA1UEBhMCRVMxHzAdBgNVBAMTFkNlcnRpZmljYWRvIGRlIFBy
+dWViYXMxIjAgBgkqhkiG9w0BCQEWE2luZm9AY2FtZXJmaXJtYS5jb20xEjAQBgNV
+BAUTCTEyMzQ1Njc4WjETMBEGA1UEBBMKZGUgUHJ1ZWJhczEUMBIGA1UEKhMLQ2Vy
+dGlmaWNhZG8xTjBMBgorBgEEAYGHLh4CEz5DSUYgSVZBIChWQVQgbnVtYmVyIGFz
+IGJ5IGFydGljbGUgMjhoIG9mIERpcmVjdGl2ZSA3Ny8zODgvRUVDKTEbMBkGCisG
+AQQBgYcuHgMTC0VTQTAwMTIzNDU2MR0wGwYDVQQKExRPIERFTU8gQUMgQ2FtZXJm
+aXJtYTEeMBwGA1UECxMVT1UgREVNTyBBQyBDYW1lcmZpcm1hMR0wGwYDVQQMExRU
+IERFTU8gQUMgQ2FtZXJmaXJtYTFSMFAGA1UEDRNJQ2hhbWJlcnMgb2YgQ29tbWVy
+Y2UgUXVhbGlmaWVkIENlcnRpZmljYXRlOiBOYXR1cmFsIFBlcnNvbiBDQU0tUEYt
+U1ctS1BTQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwmt+Ul58DwnCmPvZ
+NiLJ7nXSIGBfb5hFEph7sP4NRFCVzLDOGpzIYTJ9CR+m0LVaUVTXgeLANjw1DEPC
+kplWfpQejO4/nPVfRalg2GosrmqnaN3Y1lurnpQGdCz7nLOYJdS1ME52mzau8OFZ
+1fSuM+/jHfLvABuwaLXb0OvWlVMCAwEAAaOCA/QwggPwMAwGA1UdEwEB/wQCMAAw
+DgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAR
+BglghkgBhvhCAQEEBAMCBaAwQgYJYIZIAYb4QgEDBDUWM1VSSTpodHRwOi8vY3Js
+LmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY2dpPzBGBglghkgBhvhC
+AQgEORY3VVJJOmh0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3BzL2FjX2NhbWVy
+ZmlybWFfY2MuaHRtbDA5BglghkgBhvhCAQ0ELBYqQ2VydGlmaWNhZG8gZGUgcHJ1
+ZWJhcyBzaW4gcmVzcG9uc2FiaWxpZGFkMB0GA1UdDgQWBBS0rINdIfvWilZ+sklt
+abvkb9harDB4BggrBgEFBQcBAQRsMGowQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cu
+Y2FtZXJmaXJtYS5jb20vY2VydHMvYWNfY2FtZXJmaXJtYV9jYy5jcnQwJgYIKwYB
+BQUHMAGGGmh0dHA6Ly9vY3NwLmNhbWVyZmlybWEuY29tMIGrBgNVHSMEgaMwgaCA
+FLYfTp0caJEuN3Jg4UaPWqUqMTG5oYGEpIGBMH8xCzAJBgNVBAYTAkVVMScwJQYD
+VQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBBODI3NDMyODcxIzAhBgNVBAsTGmh0
+dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIwIAYDVQQDExlDaGFtYmVycyBvZiBD
+b21tZXJjZSBSb290ggEFMHYGA1UdHwRvMG0wNKAyoDCGLmh0dHA6Ly9jcmwuY2Ft
+ZXJmaXJtYS5jb20vYWNfY2FtZXJmaXJtYV9jYy5jcmwwNaAzoDGGL2h0dHA6Ly9j
+cmwxLmNhbWVyZmlybWEuY29tL2FjX2NhbWVyZmlybWFfY2MuY3JsMB4GA1UdEQQX
+MBWBE2luZm9AY2FtZXJmaXJtYS5jb20wKgYDVR0SBCMwIYEfYWNfY2FtZXJmaXJt
+YV9jY0BjYW1lcmZpcm1hLmNvbTCBmgYDVR0gBIGSMIGPMIGMBg0rBgEEAYGHLgoJ
+AgEBMHswPwYIKwYBBQUHAgEWM2h0dHA6Ly9jcHMuY2FtZXJmaXJtYS5jb20vY3Bz
+L2FjX2NhbWVyZmlybWFfY2MuaHRtbDA4BggrBgEFBQcCAjAsGipDZXJ0aWZpY2Fk
+byBkZSBwcnVlYmFzIHNpbiByZXNwb25zYWJpbGlkYWQwLwYIKwYBBQUHAQMEIzAh
+MAgGBgQAjkYBATAVBgYEAI5GAQIwCxMDRVVSAgEAAgEBMA0GCSqGSIb3DQEBBQUA
+A4IBAQBBfXUkreSi+Zr696+HxCpZmwhko/JmF25C3rECXvZ7L2OXEBELxiygOBpm
+hs3EgRRTVA6tdWliPbI9m0Vp61qOYD566ilQspBS7MeGvNQoyyuk43EQakSCNZcl
+dE6mqjXl3OT4At57vvJOnlzeidqmrPM2ULfFMBD2K6oce3PelRdOvM8stYEwqpCu
+7/jC/F+Y8ZKJTroqOYv5saHozKSooq4QP9Xd1YOFrZlh5oP7B5lpfUmphQwi/+M5
+dUJywr3f+s5aaHlhkoPhNEmuhDK834PT6OekkSFCt3P/MBs71ERvSWgf1GcG+Vcm
+f9cJTANAF/i6XDLRAJPsvFkNpMfc
+-----END CERTIFICATE-----

data/test/fixture/max.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE4zCCA8ugAwIBAgIDBbhlMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR4wHAYDVQQLDBVhLXNpZ24tUHJl
+bWl1bS1FbmMtMDIxHjAcBgNVBAMMFWEtc2lnbi1QcmVtaXVtLUVuYy0wMjAeFw0w
+OTA2MjYwOTExMzZaFw0xNDA2MjYwOTExMzZaMGAxCzAJBgNVBAYTAkFUMRcwFQYD
+VQQDDA5NYXggTXVzdGVybWFubjETMBEGA1UEBAwKTXVzdGVybWFubjEMMAoGA1UE
+KgwDTWF4MRUwEwYDVQQFEww3NTkzNjIxNTE2MTYwgd8wDQYJKoZIhvcNAQEBBQAD
+gc0AMIHJAoHBAO+1eEcrMoYJ2S2iybcqUEzIxKQ9yJJL0XRNQSrKo/bDOBibfQ3H
+E/TExiivgdXG2p0UjuPO1NEFgxhT5gtdaLthV2Kuokb+vbp3mWoUGz+uHIILT2zJ
+TG6Yz6sooi/ppNIagFx3qAdFes8QMAereZQp0zzphK/a21FTLk0GVHpw+DWn7NRn
+ynDVY0XgFkHXS4uHSfZDhzMGXVef3+SJLQzsV8R1ThMYQeoizA7tj6hT3YeBID2E
+lh86V1Z8XuznUQIDAQABo4IBsDCCAawwEwYDVR0jBAwwCoAIRyFHjpdh4x4wewYI
+KwYBBQUHAQEEbzBtMEIGCCsGAQUFBzAChjZodHRwOi8vd3d3LmEtdHJ1c3QuYXQv
+Y2VydHMvYS1zaWduLVByZW1pdW0tRW5jLTAyYS5jcnQwJwYIKwYBBQUHMAGGG2h0
+dHA6Ly9vY3NwLmEtdHJ1c3QuYXQvb2NzcDBNBgNVHSAERjBEMEIGBiooABEBDDA4
+MDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmEtdHJ1c3QuYXQvZG9jcy9jcC9hLXNp
+Z24tdG9rZW4wgZoGA1UdHwSBkjCBjzCBjKCBiaCBhoaBg2xkYXA6Ly9sZGFwLmEt
+dHJ1c3QuYXQvb3U9YS1zaWduLVByZW1pdW0tRW5jLTAyLG89QS1UcnVzdCxjPUFU
+P2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q/YmFzZT9vYmplY3RjbGFzcz1laWRD
+ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBEGA1UdDgQKBAhMueHceqw1zzAOBgNVHQ8B
+Af8EBAMCBLAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEASLyAbafKFN5h
+0Mkk0QQoUl4Uvl+yy2ECe/QWNmDQpd7UCw1UAKrMvR8p6OcBiTnvbvg1HnbWI3Hy
+BaEhGAhb1tziWkbV93z1NQCIt8hmdqE7GEp58ptYSuzwev6rgO/RZIxI9FCQn9kJ
+ruGTM8hOIkh3QEy7Mq6utquMOEO0hQSUOvZkJdaSqHAoh2I3SzsxGr3juAa61x+0
+K8kW1ZgIsc0jhhb3NOyso48AqDK6oqwfiC6fp/HzSB5gycLllWrgUnMeae6Axbag
+dImyOtaoxhIwZCr1tjTaQmaNK49kpvDGlIuDIQHf8uZgAoyduQfAvwiQ0llu5Ns2
+AOs41se+Gg==
+-----END CERTIFICATE-----

data/test/fixture/purpose/b70a5bc1.0

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJKUDEa
+MBgGA1UECgwRd3d3LnJ1YnktbGFuZy5vcmcxFDASBgNVBAsMC2RldmVsb3BtZW50
+MQswCQYDVQQDDAJDQTAeFw0wOTExMTkxMDI5MjBaFw0yOTExMTQxMDI5MjBaMEwx
+CzAJBgNVBAYTAkpQMRowGAYDVQQKDBF3d3cucnVieS1sYW5nLm9yZzEUMBIGA1UE
+CwwLZGV2ZWxvcG1lbnQxCzAJBgNVBAMMAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2nXhXZxXUs1Sfxqi8sReyzPHRcAHQM9RqDAGG9Nt1zYrLXwg
+MmUhOr4yBeW2KAxJGxdRQSzI38jyT6mrDRBpTl/OeU9zBG4p6AtFGkoMnRvUonB3
+CvgYJXhmrFjnHn34JNaRSORjaZDBmI9/fMGvaYndEM3wJ2b3jEOeizDIG60kZxA6
+XQ+X7ral+aABsjomubvjEQ9dlcDhQlssKjbjaN3NZ/kL/i/75jc6rzT05XYYkj+Z
+9rPRfT+HH3c5EYLtxcRTEHVWXMC8/of7oOFgZwwI3Cx9/v1s2Z6gdJ8J0kIkEoUL
+ziYsLIOmVB2tx0rKkmeivJB4PTM5QyHb7d1xUwIDAQABo4HsMIHpMA8GA1UdEwEB
+/wQFMAMBAf8wMQYJYIZIAYb4QgENBCQWIlJ1YnkvT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBOZGvHkAfn+0Ct33rQ6tW2UmF5TMA4GA1Ud
+DwEB/wQEAwIBBjB0BgNVHSMEbTBrgBQTmRrx5AH5/tArd960OrVtlJheU6FQpE4w
+TDELMAkGA1UEBhMCSlAxGjAYBgNVBAoMEXd3dy5ydWJ5LWxhbmcub3JnMRQwEgYD
+VQQLDAtkZXZlbG9wbWVudDELMAkGA1UEAwwCQ0GCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBACfgSl3pA+e3JyjgS/zscaJHHNDwXIIoH0KY6pcrZnl7Zh8CW+Gdba621Lek
+aAy0YhAAM9bF87QZG1+sL7B2H1oSTt7F67SwQfq079oNWjhEdV5dxBKk6XaU0R31
+KXSsmLR4pMxcFdPzGM0FTiSj9FNKk2pydVySsa5jJeG0qvXVFMqsRUUwklQHl9Kx
+9GZiknt4PEGj/ThUwarhRbRjV5z7ZxXKexkangBlRWPX7TjvlpZPgLzAODG4fiRW
+ZUo8Ng7QolTJuPAhlVxhdi9n5hItm6mt21RTpQcP49KoGe8x+T4EzPO0PPdCMliD
+fH3udDO+bq2F8H4ts6ZJAYWFo8U=
+-----END CERTIFICATE-----