././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.3045995 pyhanko_certvalidator-0.30.2/0000755000175100017510000000000015161577372015654 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/LICENSE0000644000175100017510000000217715161577363016670 0ustar00runnerrunnerMIT License Copyright (c) 2015-2018 Will Bond Copyright (c) 2020-2023 Matthias Valvekens Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/MANIFEST.in0000644000175100017510000000004515161577363017411 0ustar00runnerrunnergraft tests global-exclude *.py[cod] ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.304559 pyhanko_certvalidator-0.30.2/PKG-INFO0000644000175100017510000001144015161577372016751 0ustar00runnerrunnerMetadata-Version: 2.4 Name: pyhanko-certvalidator Version: 0.30.2 Summary: Validates X.509 certificates and paths; forked from wbond/certvalidator Author-email: Matthias Valvekens License-Expression: MIT Project-URL: Homepage, https://github.com/MatthiasValvekens/pyHanko/tree/master/pkgs/pyhanko-certvalidator Keywords: crypto,pki,x509,certificate,crl,ocsp Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.10 Classifier: Programming Language :: Python :: 3.11 Classifier: Programming Language :: Python :: 3.12 Classifier: Programming Language :: Python :: 3.13 Classifier: Programming Language :: Python :: 3.14 Classifier: Topic :: Security :: Cryptography Requires-Python: >=3.10 Description-Content-Type: text/markdown License-File: LICENSE Requires-Dist: asn1crypto>=1.5.1 Requires-Dist: oscrypto>=1.1.0 Requires-Dist: cryptography>=41.0.5 Requires-Dist: uritools>=3.0.1 Requires-Dist: requests>=2.31.0 Provides-Extra: async-http Requires-Dist: aiohttp<3.14,>=3.9; extra == "async-http" Dynamic: license-file # certvalidator This library started as a fork of [wbond/certvalidator](https://github.com/wbond/certvalidator) with patches for [pyHanko](https://github.com/MatthiasValvekens/pyHanko), but has since diverged considerably from its parent repository. GitHub issues are disabled on this repository. Bug reports regarding this library should be submitted to the [pyHanko issue tracker](https://github.com/MatthiasValvekens/pyHanko/issues). Similarly, questions regarding this library's usage can be asked in the [pyHanko discussion forum](https://github.com/MatthiasValvekens/pyHanko/discussions). `pyhanko-certvalidator` is a Python library for validating X.509 certificates paths. It supports various options, including: validation at a specific moment in time, whitelisting and revocation checks. - [Features](#features) - [Current Release](#current-release) - [Installation](#installation) - [License](#license) - [Documentation](#documentation) - [Continuous Integration](#continuous-integration) - [Testing](#testing) ## Features - X.509 path building - X.509 basic path validation - Signatures - RSA (including PSS padding), DSA, ECDSA and EdDSA algorithms. - Name chaining - Validity dates - Basic constraints extension - CA flag - Path length constraint - Key usage extension - Extended key usage extension - Certificate policies - Policy constraints - Policy mapping - Inhibit anyPolicy - Failure on unknown/unsupported critical extensions - Blacklisting hash algorithms - Revocation checks - CRLs - Indirect CRLs - Delta CRLs - OCSP checks - Delegated OCSP responders - Disable, require or allow soft failures - Caching of CRLs/OCSP responses - CRL and OCSP HTTP clients - Point-in-time validation - Name constraints - Attribute certificate support ## Current Release ![pypi](https://img.shields.io/pypi/v/pyhanko-certvalidator.svg) ## Dependencies - *asn1crypto* - *cryptography* - *uritools* - *oscrypto* - *requests* or *aiohttp* (use the latter for more efficient asyncio, requires resource management) - Python 3.7 or higher ### Note on compatibility Starting with `pyhanko-certvalidator` version `0.17.0`, the library has been refactored to use asynchronous I/O as much as possible. Most high-level API entrypoints can still be used synchronously, but have been deprecated in favour of their asyncio equivalents. As part of this move, the OCSP and CRL clients now have two separate implementations: a `requests`-based one, and an `aiohttp`-based one. The latter is probably more performant, but requires more resource management efforts on the caller's part, which was impossible to implement without making major breaking changes to the public API that would make the migration path more complicated. Therefore, the `requests`-based fetcher will remain the default for the time being. ## Installation ```bash pip install pyhanko-certvalidator ``` ## License *certvalidator* is licensed under the terms of the MIT license. See the [LICENSE](LICENSE) file for the exact license text. ## Testing ### Test framework Tests are written using `pytest` and require an asynchronous test case backend such as `pytest-asyncio`. ### Test cases The test cases for the library are comprised of: - [Public Key Interoperability Test Suite from NIST](http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html) - [OCSP tests from OpenSSL](https://github.com/openssl/openssl/blob/master/test/recipes/80-test_ocsp.t) - Various certificates generated for bespoke X.509 certificate validation scenarios Existing releases can be found at https://pypi.org/project/pyhanko-certvalidator. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/README.md0000644000175100017510000000721615161577363017141 0ustar00runnerrunner# certvalidator This library started as a fork of [wbond/certvalidator](https://github.com/wbond/certvalidator) with patches for [pyHanko](https://github.com/MatthiasValvekens/pyHanko), but has since diverged considerably from its parent repository. GitHub issues are disabled on this repository. Bug reports regarding this library should be submitted to the [pyHanko issue tracker](https://github.com/MatthiasValvekens/pyHanko/issues). Similarly, questions regarding this library's usage can be asked in the [pyHanko discussion forum](https://github.com/MatthiasValvekens/pyHanko/discussions). `pyhanko-certvalidator` is a Python library for validating X.509 certificates paths. It supports various options, including: validation at a specific moment in time, whitelisting and revocation checks. - [Features](#features) - [Current Release](#current-release) - [Installation](#installation) - [License](#license) - [Documentation](#documentation) - [Continuous Integration](#continuous-integration) - [Testing](#testing) ## Features - X.509 path building - X.509 basic path validation - Signatures - RSA (including PSS padding), DSA, ECDSA and EdDSA algorithms. - Name chaining - Validity dates - Basic constraints extension - CA flag - Path length constraint - Key usage extension - Extended key usage extension - Certificate policies - Policy constraints - Policy mapping - Inhibit anyPolicy - Failure on unknown/unsupported critical extensions - Blacklisting hash algorithms - Revocation checks - CRLs - Indirect CRLs - Delta CRLs - OCSP checks - Delegated OCSP responders - Disable, require or allow soft failures - Caching of CRLs/OCSP responses - CRL and OCSP HTTP clients - Point-in-time validation - Name constraints - Attribute certificate support ## Current Release ![pypi](https://img.shields.io/pypi/v/pyhanko-certvalidator.svg) ## Dependencies - *asn1crypto* - *cryptography* - *uritools* - *oscrypto* - *requests* or *aiohttp* (use the latter for more efficient asyncio, requires resource management) - Python 3.7 or higher ### Note on compatibility Starting with `pyhanko-certvalidator` version `0.17.0`, the library has been refactored to use asynchronous I/O as much as possible. Most high-level API entrypoints can still be used synchronously, but have been deprecated in favour of their asyncio equivalents. As part of this move, the OCSP and CRL clients now have two separate implementations: a `requests`-based one, and an `aiohttp`-based one. The latter is probably more performant, but requires more resource management efforts on the caller's part, which was impossible to implement without making major breaking changes to the public API that would make the migration path more complicated. Therefore, the `requests`-based fetcher will remain the default for the time being. ## Installation ```bash pip install pyhanko-certvalidator ``` ## License *certvalidator* is licensed under the terms of the MIT license. See the [LICENSE](LICENSE) file for the exact license text. ## Testing ### Test framework Tests are written using `pytest` and require an asynchronous test case backend such as `pytest-asyncio`. ### Test cases The test cases for the library are comprised of: - [Public Key Interoperability Test Suite from NIST](http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html) - [OCSP tests from OpenSSL](https://github.com/openssl/openssl/blob/master/test/recipes/80-test_ocsp.t) - Various certificates generated for bespoke X.509 certificate validation scenarios Existing releases can be found at https://pypi.org/project/pyhanko-certvalidator. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649078.0 pyhanko_certvalidator-0.30.2/pyproject.toml0000644000175100017510000000431115161577366020572 0ustar00runnerrunner[build-system] requires = ["setuptools>=80.8.0"] build-backend = "setuptools.build_meta" [project] name = "pyhanko-certvalidator" authors = [{name = "Matthias Valvekens", email = "dev@mvalvekens.be"}] license = "MIT" license-files = ["LICENSE"] description = "Validates X.509 certificates and paths; forked from wbond/certvalidator" keywords = [ "crypto", "pki", "x509", "certificate", "crl", "ocsp", ] classifiers = [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", "Programming Language :: Python :: 3.14", "Topic :: Security :: Cryptography", ] requires-python = ">=3.10" dependencies = [ "asn1crypto>=1.5.1", "oscrypto>=1.1.0", "cryptography>=41.0.5", "uritools>=3.0.1", "requests>=2.31.0", ] version = "0.30.2" [project.readme] file = "README.md" content-type = "text/markdown" [project.urls] Homepage = "https://github.com/MatthiasValvekens/pyHanko/tree/master/pkgs/pyhanko-certvalidator" [project.optional-dependencies] async-http = ["aiohttp>=3.9,<3.14"] [dependency-groups] testing-base = [ "pytest>=6.1.1", "pytest-cov>=4.0,<7.1", "freezegun>=1.1.0", "aiohttp>=3.9,<3.14", "pytest-aiohttp>=1.0.4,<1.2.0", "aiohttp>=3.9,<3.14", ] [tool.setuptools] include-package-data = false [tool.setuptools.package-data] pyhanko_certvalidator = ["py.typed"] [tool.mypy] files = 'pyhanko_certvalidator' [[tool.mypy.overrides]] module = [ "asn1crypto.*", "pkcs11.*", "oscrypto.*", "uritools.*", ] ignore_missing_imports = true [tool.pytest.ini_options] log_format = "%(asctime)s %(levelname)s %(message)s" log_date_format = "%Y-%m-%d %H:%M:%S" log_cli = true log_cli_level = "INFO" testpaths = "tests" asyncio_mode = "strict" norecursedirs = "tests/legacy_live_tests" asyncio_default_fixture_loop_scope="function" [tool.coverage.report] exclude_lines = ["pragma: no cover", "pragma: nocover", "raise AssertionError", "raise NotImplementedError", "TYPE_CHECKING", "^\\s*\\.\\.\\."] precision = 2 ././@PaxHeader0000000000000000000000000000003200000000000010210 xustar0026 mtime=1774649082.30508 pyhanko_certvalidator-0.30.2/setup.cfg0000644000175100017510000000004615161577372017475 0ustar00runnerrunner[egg_info] tag_build = tag_date = 0 ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.099235 pyhanko_certvalidator-0.30.2/src/0000755000175100017510000000000015161577372016443 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1148846 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/0000755000175100017510000000000015161577372023037 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/__init__.py0000644000175100017510000001552315161577363025156 0ustar00runnerrunnerfrom typing import Iterable, Optional from asn1crypto import x509 from .context import ValidationContext from .errors import InvalidCertificateError, PathBuildingError, ValidationError from .path import ValidationPath from .policy_decl import PKIXValidationParams from .util import CancelableAsyncIterator from .validate import async_validate_path, validate_usage from .version import __version__, __version_info__ __all__ = [ 'CertificateValidator', 'PKIXValidationParams', 'ValidationContext', '__version__', '__version_info__', 'find_valid_path', ] async def find_valid_path( certificate: x509.Certificate, paths: CancelableAsyncIterator[ValidationPath], validation_context: ValidationContext, pkix_validation_params: Optional[PKIXValidationParams] = None, ): exceptions = [] try: async for candidate_path in paths: try: await async_validate_path( validation_context, candidate_path, pkix_validation_params ) return candidate_path except ValidationError as e: exceptions.append(e) except PathBuildingError: if certificate.self_signed in {'yes', 'maybe'}: raise InvalidCertificateError( f'The X.509 certificate provided is self-signed - ' f'"{certificate.subject.human_friendly}"' ) raise finally: await paths.cancel() if len(exceptions) == 1: raise exceptions[0] non_signature_exception = None for exception in exceptions: if 'signature' not in str(exception): non_signature_exception = exception if non_signature_exception: raise non_signature_exception raise exceptions[0] class CertificateValidator: # A pyhanko_certvalidator.path.ValidationPath object - only set once validated _path = None def __init__( self, end_entity_cert: x509.Certificate, intermediate_certs: Optional[Iterable[x509.Certificate]] = None, validation_context: Optional[ValidationContext] = None, pkix_params: Optional[PKIXValidationParams] = None, ): """ :param end_entity_cert: An asn1crypto.x509.Certificate object X.509 end-entity certificate to validate :param intermediate_certs: None or a list of asn1crypto.x509.Certificate Used in constructing certificate paths for validation. :param validation_context: A pyhanko_certvalidator.context.ValidationContext() object that controls generic validation options and tracks revocation data. The same validation context will also be used in the validation of relevant certificates found in OCSP responses and/or CRLs. :param pkix_params: A pyhanko_certvalidator.context.PKIXValidationParams() object that controls advanced PKIX validation parameters used to validate the end-entity certificate. These can be used to constrain policy processing and names. Ancillary validation of CRLs and OCSP responses ignore these settings. """ if validation_context is None: validation_context = ValidationContext() if intermediate_certs is not None: certificate_registry = validation_context.certificate_registry for intermediate_cert in intermediate_certs: certificate_registry.register(intermediate_cert) self._context: ValidationContext = validation_context self._certificate: x509.Certificate = end_entity_cert self._params: Optional[PKIXValidationParams] = pkix_params async def async_validate_path(self) -> ValidationPath: """ Builds possible certificate paths and validates them until a valid one is found, or all fail. :raises: pyhanko_certvalidator.errors.PathBuildingError - when an error occurs building the path pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked """ if self._path is not None: return self._path certificate = self._certificate paths = self._context.path_builder.async_build_paths_lazy(certificate) self._path = candidate_path = await find_valid_path( certificate, paths, validation_context=self._context, pkix_validation_params=self._params, ) return candidate_path async def async_validate_usage( self, key_usage, extended_key_usage=None, extended_optional=False ): """ Validates the certificate path and that the certificate is valid for the key usage and extended key usage purposes specified. :param key_usage: A set of unicode strings of the required key usage purposes. Valid values include: - "digital_signature" - "non_repudiation" - "key_encipherment" - "data_encipherment" - "key_agreement" - "key_cert_sign" - "crl_sign" - "encipher_only" - "decipher_only" :param extended_key_usage: A set of unicode strings of the required extended key usage purposes. These must be either dotted number OIDs, or one of the following extended key usage purposes: - "server_auth" - "client_auth" - "code_signing" - "email_protection" - "ipsec_end_system" - "ipsec_tunnel" - "ipsec_user" - "time_stamping" - "ocsp_signing" - "wireless_access_points" An example of a dotted number OID: - "1.3.6.1.5.5.7.3.1" :param extended_optional: A bool - if the extended_key_usage extension may be ommited and still considered valid :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified :return: A pyhanko_certvalidator.path.ValidationPath object of the validated certificate validation path """ validated_path = await self.async_validate_path() validate_usage( self._certificate, key_usage, extended_key_usage, extended_optional, ) return validated_path ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/_state.py0000644000175100017510000000512115161577363024667 0ustar00runnerrunnerfrom typing import Optional from asn1crypto import x509 from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.util import ConsList class ValProcState: def __init__( self, *, cert_path_stack: ConsList[ValidationPath], ee_name_override: Optional[str] = None, is_side_validation: bool = False, init_index: int = 0, ): if cert_path_stack.head is None: raise ValueError("Empty path stack") self.index = init_index self.ee_name_override = ee_name_override self.is_side_validation = bool( is_side_validation or cert_path_stack.tail ) self.cert_path_stack = cert_path_stack @property def path_len(self): """ Length of the path being validated. .. note:: This is the path length in the sense of RFC 5280, i.e. the root doesn't count. """ from pyhanko_certvalidator.path import ValidationPath path = self.cert_path_stack.head assert isinstance(path, ValidationPath) return path.pkix_len @property def is_ee_cert(self) -> bool: return self.index == self.path_len def check_path_verif_recursion(self, ee_cert: x509.Certificate): """ Helper method to avoid recursion in indirect CRL validation. There are some questionable-but-technically-valid CA setups where a CRL issuer is authorised to assert its own revocation status, which could cause a naive implementation to recurse. """ from pyhanko_certvalidator.path import ValidationPath path: ValidationPath for path in self.cert_path_stack: cert = path.get_ee_cert_safe() if cert and cert.sha256 == ee_cert.sha256: return path return None def describe_cert(self, def_interm=False, never_def=False): """ :return: A unicode string describing the position of a certificate in the chain """ prefix = not never_def if self.index == 0 and self.ee_name_override is None: # can happen for trust anchors with qualifiers result = "trust anchor" elif not self.is_ee_cert: prefix &= def_interm result = f'intermediate certificate {self.index}' elif self.ee_name_override is not None: result = self.ee_name_override else: result = 'end-entity certificate' if prefix: return "the " + result else: return result ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/asn1_types.py0000644000175100017510000000553515161577363025507 0ustar00runnerrunnerfrom typing import Optional from asn1crypto import cms, core, x509 __all__ = [ 'AAControls', 'AttrSpec', 'SequenceOfTargets', 'Target', 'TargetCert', 'Targets', ] class TargetCert(core.Sequence): _fields = [ ('target_certificate', cms.IssuerSerial), ('target_name', x509.GeneralName, {'optional': True}), ('cert_digest_info', cms.ObjectDigestInfo, {'optional': True}), ] class Target(core.Choice): _alternatives = [ ('target_name', x509.GeneralName, {'explicit': 0}), ('target_group', x509.GeneralName, {'explicit': 1}), ('target_cert', TargetCert, {'explicit': 2}), ] class Targets(core.SequenceOf): _child_spec = Target # Blame X.509... class SequenceOfTargets(core.SequenceOf): _child_spec = Targets class AttrSpec(core.SequenceOf): _child_spec = cms.AttCertAttributeType class AAControls(core.Sequence): _fields = [ ('path_len_constraint', core.Integer, {'optional': True}), ('permitted_attrs', AttrSpec, {'optional': True, 'implicit': 0}), ('excluded_attrs', AttrSpec, {'optional': True, 'implicit': 1}), ('permit_unspecified', core.Boolean, {'default': True}), ] def accept(self, attr_id: cms.AttCertAttributeType) -> bool: attr_id_str = attr_id.native excluded = self['excluded_attrs'].native if excluded is not None: excluded = frozenset(excluded) if excluded is not None and attr_id_str in excluded: return False permitted = self['permitted_attrs'].native if permitted is not None: permitted = frozenset(permitted) if permitted is not None and attr_id_str in permitted: return True return bool(self['permit_unspecified']) @classmethod def read_extension_value( cls, cert: x509.Certificate ) -> Optional['AAControls']: # handle AA controls (not natively supported by asn1crypto, so # not available as an attribute). try: return next( ext['extn_value'].parsed for ext in cert['tbs_certificate']['extensions'] if ext['extn_id'].native == 'aa_controls' ) except StopIteration: return None # patch in attribute certificate extensions # Note: unlike in Certomancer, we don't do this one conditionally, since # we need the actual Python types to agree with what we export ext_map = x509.ExtensionId._map ext_specs = x509.Extension._oid_specs ext_map['2.5.29.55'] = 'target_information' ext_specs['target_information'] = SequenceOfTargets ext_map['2.5.29.56'] = 'no_rev_avail' ext_specs['no_rev_avail'] = core.Null ext_map['1.3.6.1.5.5.7.1.6'] = 'aa_controls' ext_specs['aa_controls'] = AAControls ext_map['1.3.6.1.5.5.7.1.4'] = 'audit_identity' ext_specs['audit_identity'] = core.OctetString ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/authority.py0000644000175100017510000002405115161577363025443 0ustar00runnerrunnerimport abc import enum from dataclasses import dataclass from datetime import datetime from typing import Optional from asn1crypto import keys, x509 from .name_trees import process_general_subtrees from .policy_decl import PKIXValidationParams class TrustedServiceType(enum.Enum): UNSPECIFIED = 0 """ Unspecified. If a trust manager designates a trust anchor with this service type, it will be considered trusted for any purpose. """ UNSUPPORTED = 1 """ Unsupported. If a trust manager designates a trust anchor with this service type, it will not be considered trusted for any purpose other than identifying itself. """ CERTIFICATE_AUTHORITY = 2 """ Certificate authority (CA). Only trust anchors with this designation can appear in a PKIX validation path as the issuer of another certificate. """ TIME_STAMPING_AUTHORITY = 3 """ Time stamping authority (TSA). """ @dataclass(frozen=True) class TrustQualifiers: """ .. versionadded 0.20.0 Parameters that allow a trust root to be qualified. """ standard_parameters: Optional['PKIXValidationParams'] = None """ Standard validation parameters that will apply when initialising the PKIX validation process. """ max_path_length: Optional[int] = None """ Maximal allowed path length for this trust root, excluding self-issued intermediate CA certificates. If ``None``, any path length will be accepted. """ max_aa_path_length: Optional[int] = None """ Maximal allowed path length for this trust root for the purposes of AAControls. If ``None``, any path length will be accepted. """ valid_from: Optional[datetime] = None """ Lower bound of the trust anchor's validity period, if any. """ valid_until: Optional[datetime] = None """ Upper bound of the trust anchor's validity period, if any. """ trusted_service_type: TrustedServiceType = TrustedServiceType.UNSPECIFIED """ Indicates the service provided by the trust root. """ class Authority(abc.ABC): """ .. versionadded:: 0.20.0 Abstract authority, i.e. a named key. """ @property def name(self) -> x509.Name: """ The authority's name. """ raise NotImplementedError @property def public_key(self) -> keys.PublicKeyInfo: """ The authority's public key. """ raise NotImplementedError @property def hashable(self): """ A hashable unique identifier of the authority, used in ``__eq__`` and ``__hash__``. """ raise NotImplementedError def __hash__(self): return hash(self.hashable) def __eq__(self, other): if not isinstance(other, Authority): return False return self.hashable == other.hashable @property def key_id(self) -> Optional[bytes]: """ Key ID as (potentially) referenced in an authorityKeyIdentifier extension. Only used to eliminate non-matching trust anchors, never to retrieve keys or to definitively identify trust anchors. """ raise NotImplementedError def is_potential_issuer_of(self, cert: x509.Certificate) -> bool: """ Function to determine whether this trust root could potentially be an issuer of a given certificate. This function is used during path building. :param cert: The certificate to evaluate. """ if cert.issuer != self.name: return False if cert.authority_key_identifier and self.key_id: if cert.authority_key_identifier != self.key_id: return False return True class TrustAnchor: """ Abstract trust root. A trust root is an authority with trust qualifiers. Equality of trust roots reduces to equality of authorities. """ def __init__( self, authority: Authority, quals: Optional[TrustQualifiers] = None ): self._authority = authority self._quals = quals @property def authority(self) -> Authority: return self._authority @property def trust_qualifiers(self) -> TrustQualifiers: """ Qualifiers for the trust root. """ return self._quals or TrustQualifiers() def __eq__(self, other): return ( isinstance(other, TrustAnchor) and other._authority == self._authority ) def __hash__(self): return hash(self._authority) def derive_quals_from_cert(cert: x509.Certificate) -> TrustQualifiers: """ Extract trust qualifiers from data and extensions of a certificate. .. note:: Recall that any property of a trust root other than its name and public key are in principle irrelevant to the PKIX validation algorithm itself. This function is merely a helper function that allows the certificate's other data to be conveniently gathered to populate the default validation parameters for paths deriving from that trust root. :param cert: The certificate from which to extract qualifiers (usually a self-signed one) :return: A :class:`TrustQualifiers` object with the extracted qualifiers. """ # TODO align with RFC 5937? ext_found = False permitted_subtrees = excluded_subtrees = None if cert.name_constraints_value is not None: ext_found = True nc_ext: x509.NameConstraints = cert.name_constraints_value permitted_val = nc_ext['permitted_subtrees'] if isinstance(permitted_val, x509.GeneralSubtrees): permitted_subtrees = process_general_subtrees(permitted_val) excluded_val = nc_ext['excluded_subtrees'] if isinstance(excluded_val, x509.GeneralSubtrees): excluded_subtrees = process_general_subtrees(excluded_val) acceptable_policies = None if cert.certificate_policies_value is not None: ext_found = True policies_val: x509.CertificatePolicies = cert.certificate_policies_value acceptable_policies = frozenset( [ pol_info['policy_identifier'].dotted for pol_info in policies_val if pol_info['policy_identifier'].native != 'any_policy' ] ) params = None if ext_found: params = PKIXValidationParams( user_initial_policy_set=( acceptable_policies or frozenset(['any_policy']) ), # For trust roots where the user asked for this derivation, # let's assume that they want the policies to be enforced. initial_explicit_policy=acceptable_policies is not None, initial_permitted_subtrees=permitted_subtrees, initial_excluded_subtrees=excluded_subtrees, ) return TrustQualifiers( max_path_length=cert.max_path_length, standard_parameters=params, valid_from=cert.not_valid_before, valid_until=cert.not_valid_after, trusted_service_type=( TrustedServiceType.CERTIFICATE_AUTHORITY if cert.ca else TrustedServiceType.UNSUPPORTED ), ) class AuthorityWithCert(Authority): """ .. versionadded:: 0.20.0 Authority provisioned as a certificate. :param cert: The certificate. """ def __init__(self, cert: x509.Certificate): self._cert = cert @property def name(self) -> x509.Name: return self._cert.subject @property def public_key(self): return self._cert.public_key @property def hashable(self): cert = self._cert return cert.subject.hashable, cert.public_key.dump() @property def key_id(self) -> Optional[bytes]: return self._cert.key_identifier @property def certificate(self) -> x509.Certificate: return self._cert def is_potential_issuer_of(self, cert: x509.Certificate): if not super().is_potential_issuer_of(cert): return False if cert.authority_issuer_serial: if cert.authority_issuer_serial != self._cert.issuer_serial: return False return True class CertTrustAnchor(TrustAnchor): """ .. versionadded:: 0.20.0 Trust anchor provisioned as a certificate. :param cert: The certificate, usually self-signed. :param quals: Explicit trust qualifiers. :param derive_default_quals_from_cert: Flag indicating to derive default trust qualifiers from the certificate content if explicit ones are not provided. Defaults to ``False``. """ def __init__( self, cert: x509.Certificate, quals: Optional[TrustQualifiers] = None, derive_default_quals_from_cert: bool = False, ): authority = AuthorityWithCert(cert) self._cert = cert super().__init__(authority, quals) self._derive = derive_default_quals_from_cert @property def certificate(self) -> x509.Certificate: return self._cert @property def trust_qualifiers(self) -> TrustQualifiers: if self._quals is not None: return self._quals elif self._derive: self._quals = quals = derive_quals_from_cert(self._cert) return quals else: return TrustQualifiers() class NamedKeyAuthority(Authority): """ Authority provisioned as a named key. :param entity_name: The name of the entity that controls the private key of the trust root. :param public_key: The trust root's public key. """ def __init__(self, entity_name: x509.Name, public_key: keys.PublicKeyInfo): self._name = entity_name self._public_key = public_key @property def name(self) -> x509.Name: return self._name @property def public_key(self): return self._public_key @property def key_id(self) -> Optional[bytes]: return None @property def hashable(self): return self._name.hashable, self._public_key.dump() ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/context.py0000644000175100017510000005563415161577363025112 0ustar00runnerrunnerfrom dataclasses import dataclass, field from datetime import datetime, timedelta from typing import Any, Dict, Iterable, List, Optional, Union from asn1crypto import crl, ocsp, x509 from asn1crypto.util import timezone from .authority import AuthorityWithCert from .fetchers import FetcherBackend, Fetchers, default_fetcher_backend from .fetchers.requests_fetchers import RequestsFetcherBackend from .ltv.poe import POEManager from .ltv.types import ValidationTimingInfo, ValidationTimingParams from .path import ValidationPath from .policy_decl import ( AlgorithmUsagePolicy, CertRevTrustPolicy, DisallowWeakAlgorithmsPolicy, NonRevokedStatusAssertion, PKIXValidationParams, RevocationCheckingPolicy, ) from .registry import ( CertificateRegistry, PathBuilder, SimpleTrustManager, TrustManager, TrustRootList, ) from .revinfo.archival import ( CRLContainer, OCSPContainer, process_legacy_crl_input, process_legacy_ocsp_input, ) from .revinfo.manager import RevinfoManager from .sig_validate import DefaultSignatureValidator, SignatureValidator @dataclass(frozen=True) class ACTargetDescription: """ Value type to guide attribute certificate targeting checks, for attribute certificates that use the target information extension. As stipulated in RFC 5755, an AC targeting check passes if the information in the relevant :class:`.AATargetDescription` matches at least one ``Target`` in the AC's target information extension. """ validator_names: List[x509.GeneralName] = field(default_factory=list) """ The validating entity's names. This value is matched directly against any ``Target``s that use the ``targetName`` alternative. """ group_memberships: List[x509.GeneralName] = field(default_factory=list) """ The validating entity's group memberships. This value is matched against any ``Target``s that use the ``targetGroup`` alternative. """ class ValidationContext: def __init__( self, trust_roots: Optional[TrustRootList] = None, extra_trust_roots: Optional[TrustRootList] = None, other_certs: Optional[Iterable[x509.Certificate]] = None, moment: Optional[datetime] = None, best_signature_time: Optional[datetime] = None, allow_fetching: bool = False, crls: Optional[Iterable[Union[bytes, crl.CertificateList]]] = None, ocsps: Optional[Iterable[Union[bytes, ocsp.OCSPResponse]]] = None, revocation_mode: str = "soft-fail", revinfo_policy: Optional[CertRevTrustPolicy] = None, weak_hash_algos: Optional[Iterable[str]] = None, time_tolerance: timedelta = timedelta(seconds=1), retroactive_revinfo: bool = False, fetcher_backend: Optional[FetcherBackend] = None, acceptable_ac_targets: Optional[ACTargetDescription] = None, poe_manager: Optional[POEManager] = None, revinfo_manager: Optional[RevinfoManager] = None, certificate_registry: Optional[CertificateRegistry] = None, trust_manager: Optional[TrustManager] = None, algorithm_usage_policy: Optional[AlgorithmUsagePolicy] = None, fetchers: Optional[Fetchers] = None, signature_validator: Optional[SignatureValidator] = None, ): """ :param trust_roots: If the operating system's trust list should not be used, instead pass a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. :param other_certs: A list of byte strings containing DER or PEM-encoded X.509 certificates, or a list of asn1crypto.x509.Certificate objects. These other certs are usually provided by the service/item being validated. In TLS, these would be intermediate chain certs. :param moment: If certificate validation should be performed based on a date and time other than right now. A datetime.datetime object with a tzinfo value. If this parameter is specified, then the only way to check OCSP and CRL responses is to pass them via the crls and ocsps parameters. Can not be combined with allow_fetching=True. :param best_signature_time: The presumptive time at which the certificate was used. Assumed equal to :class:`moment` if unspecified. .. note:: The difference is significant in some point-in-time validation models, where the signature is validated after a "cooldown period" of sorts. :param crls: None or a list/tuple of asn1crypto.crl.CertificateList objects of pre-fetched/cached CRLs to be utilized during validation of paths :param ocsps: None or a list/tuple of asn1crypto.ocsp.OCSPResponse objects of pre-fetched/cached OCSP responses to be utilized during validation of paths :param allow_fetching: A bool - if HTTP requests should be made to fetch CRLs and OCSP responses. If this is True and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking. :param revocation_mode: A unicode string of the revocation mode to use: "soft-fail" (the default), "hard-fail" or "require". In "soft-fail" mode, any sort of error in fetching or locating revocation information is ignored. In "hard-fail" mode, if a certificate has a known CRL or OCSP and it can not be checked, it is considered a revocation failure. In "require" mode, every certificate in the certificate path must have a CRL or OCSP. :param weak_hash_algos: A set of unicode strings of hash algorithms that should be considered weak. :param time_tolerance: Time delta tolerance allowed in validity checks. Defaults to one second. :param retroactive_revinfo: Treat revocation info as retroactively valid, i.e. ignore the ``this_update`` field in CRLs and OCSP responses. Defaults to ``False``. .. warning:: Be careful with this option, since it will cause incorrect behaviour for CAs that make use of certificate holds or other reversible revocation methods. :param revinfo_manager: Internal API, to be elaborated. :param trust_manager: Internal API, to be elaborated. :param certificate_registry: Internal API, to be elaborated. :param algorithm_usage_policy: Internal API, to be elaborated. """ if revinfo_policy is None: revinfo_policy = CertRevTrustPolicy( RevocationCheckingPolicy.from_legacy(revocation_mode), retroactive_revinfo=retroactive_revinfo, ) elif revinfo_policy.expected_post_expiry_revinfo_time is not None: raise NotImplementedError( "Dealing with post-expiry revocation info has not been " "implemented yet." ) self._revinfo_policy = revinfo_policy rev_essential = revinfo_policy.revocation_checking_policy.essential if ( not allow_fetching and not revinfo_manager and crls is None and ocsps is None and rev_essential ): raise ValueError( "revocation data is not optional and allow_fetching is False, " "however crls and ocsps are both None, meaning " "that no validation can happen" ) if moment is None: moment = datetime.now(timezone.utc) point_in_time_validation = False elif moment.utcoffset() is None: raise ValueError( "moment is a naive datetime object, meaning the tzinfo " "attribute is not set to a valid timezone" ) else: point_in_time_validation = True if best_signature_time is None: best_signature_time = moment elif best_signature_time.utcoffset() is None: raise ValueError( "best_signature_time is a naive datetime object, meaning the tzinfo " "attribute is not set to a valid timezone" ) if algorithm_usage_policy is None: if weak_hash_algos is not None: algorithm_usage_policy = DisallowWeakAlgorithmsPolicy( frozenset(weak_hash_algos) ) else: algorithm_usage_policy = DisallowWeakAlgorithmsPolicy() self.algorithm_policy = algorithm_usage_policy cert_fetcher = None if allow_fetching: # not None -> externally managed fetchers if fetchers is None: # fetcher managed by this validation context, # but backend possibly managed externally if fetcher_backend is None: # in this case, we load the default requests-based # backend, since the caller doesn't do any resource # management fetcher_backend = default_fetcher_backend() fetchers = fetcher_backend.get_fetchers() cert_fetcher = fetchers.cert_fetcher else: fetchers = None if certificate_registry is None: certificate_registry = CertificateRegistry.build( other_certs or (), cert_fetcher=cert_fetcher ) self.certificate_registry: CertificateRegistry = certificate_registry if trust_manager is None: trust_manager = SimpleTrustManager.build( trust_roots=trust_roots, extra_trust_roots=extra_trust_roots ) if isinstance(trust_manager, SimpleTrustManager): for root in trust_manager.iter_certs(): certificate_registry.register(root) self.path_builder = PathBuilder( trust_manager=trust_manager, registry=certificate_registry ) crls = process_legacy_crl_input(crls) if crls else () ocsps = process_legacy_ocsp_input(ocsps) if ocsps else () if revinfo_manager is None: revinfo_manager = RevinfoManager( certificate_registry=certificate_registry, poe_manager=poe_manager or POEManager(), crls=crls, ocsps=ocsps, fetchers=fetchers, ) self._revinfo_manager = revinfo_manager self._validate_map: Dict[bytes, ValidationPath] = {} self._soft_fail_exceptions: List[Exception] = [] time_tolerance = abs(time_tolerance) if time_tolerance else timedelta(0) self.timing_params = ValidationTimingParams( ValidationTimingInfo( validation_time=moment, best_signature_time=best_signature_time, point_in_time_validation=point_in_time_validation, ), time_tolerance=time_tolerance, ) self._acceptable_ac_targets = acceptable_ac_targets self.sig_validator = signature_validator or DefaultSignatureValidator() @property def revinfo_manager(self) -> RevinfoManager: return self._revinfo_manager @property def revinfo_policy(self) -> CertRevTrustPolicy: return self._revinfo_policy @property def retroactive_revinfo(self) -> bool: return self._revinfo_policy.retroactive_revinfo @property def time_tolerance(self) -> timedelta: return self.timing_params.time_tolerance @property def moment(self) -> datetime: return self.timing_params.validation_time @property def best_signature_time(self) -> datetime: return self.timing_params.best_signature_time @property def fetching_allowed(self) -> bool: return self.revinfo_manager.fetching_allowed @property def crls(self) -> List[crl.CertificateList]: """ A list of all cached :class:`crl.CertificateList` objects """ return self._revinfo_manager.crls @property def ocsps(self) -> List[ocsp.OCSPResponse]: """ A list of all cached :class:`ocsp.OCSPResponse` objects """ return self._revinfo_manager.ocsps @property def soft_fail_exceptions(self): """ A list of soft-fail exceptions that were ignored during checks """ return self._soft_fail_exceptions def _report_soft_fail(self, e: Exception): self._soft_fail_exceptions.append(e) async def async_retrieve_crls(self, cert): """ :param cert: An asn1crypto.x509.Certificate object :return: A list of asn1crypto.crl.CertificateList objects """ results = await self._revinfo_manager.async_retrieve_crls(cert) return [res.crl_data for res in results] async def async_retrieve_ocsps(self, cert, issuer): """ :param cert: An asn1crypto.x509.Certificate object :param issuer: An asn1crypto.x509.Certificate object of cert's issuer :return: A list of asn1crypto.ocsp.OCSPResponse objects """ results = await self._revinfo_manager.async_retrieve_ocsps( cert, AuthorityWithCert(issuer) ) return [res.ocsp_response_data for res in results] def record_validation(self, cert, path): """ Records that a certificate has been validated, along with the path that was used for validation. This helps reduce duplicate work when validating a certificate and related resources such as CRLs and OCSPs. :param cert: An ans1crypto.x509.Certificate object :param path: A pyhanko_certvalidator.path.ValidationPath object """ self._validate_map[cert.signature] = path def check_validation(self, cert): """ Checks to see if a certificate has been validated, and if so, returns the ValidationPath used to validate it. :param cert: An asn1crypto.x509.Certificate object :return: None if not validated, or a pyhanko_certvalidator.path.ValidationPath object of the validation path """ maybe_trust_anchor = self.path_builder.trust_manager.as_trust_anchor( AuthorityWithCert(cert) ) if maybe_trust_anchor and cert.signature not in self._validate_map: self._validate_map[cert.signature] = ValidationPath( trust_anchor=maybe_trust_anchor, interm=[], leaf=None, ) return self._validate_map.get(cert.signature) def clear_validation(self, cert): """ Clears the record that a certificate has been validated :param cert: An ans1crypto.x509.Certificate object """ if cert.signature in self._validate_map: del self._validate_map[cert.signature] @property def acceptable_ac_targets(self) -> Optional[ACTargetDescription]: return self._acceptable_ac_targets @dataclass(frozen=True) class ValidationDataHandlers: """ Value class to hold 'manager'/'registry' objects. These are responsible for accumulating and exposing various data collections that are relevant for certificate validation. """ revinfo_manager: RevinfoManager """ The revocation information manager. """ poe_manager: POEManager """ The proof-of-existence record manager. """ cert_registry: CertificateRegistry """ The certificate registry. .. note:: The certificate registry is a trustless construct. It only holds certificates, but does mark them as trusted or store information related to how the certificates fit together. """ def bootstrap_validation_data_handlers( fetchers: Union[Fetchers, FetcherBackend, None] = RequestsFetcherBackend(), crls: Iterable[CRLContainer] = (), ocsps: Iterable[OCSPContainer] = (), certs: Iterable[x509.Certificate] = (), poe_manager: Optional[POEManager] = None, nonrevoked_assertions: Iterable[NonRevokedStatusAssertion] = (), ) -> ValidationDataHandlers: """ Simple bootstrapping method for a :class:`.ValidationDataHandlers` instance with reasonable defaults. :param fetchers: Data fetcher implementation and/or backend to use. If ``None``, remote fetching is disabled. The ``requests``-based implementation is the default. :param crls: Initial collection of CRLs to feed to the revocation info manager. :param ocsps: Initial collection of OCSP responses to feed to the revocation info manager. :param certs: Initial collection of certificates to add to the certificate registry. :param poe_manager: Explicit POE manager. Will instantiate an empty one if left unspecified. :param nonrevoked_assertions: Assertions about the non-revoked status of certain certificates that will be taken as true by fiat. :return: A :class:`.ValidationDataHandlers` object. """ _fetchers: Optional[Fetchers] if isinstance(fetchers, FetcherBackend): _fetchers = fetchers.get_fetchers() elif isinstance(fetchers, Fetchers): _fetchers = fetchers else: _fetchers = None poe_manager = poe_manager or POEManager() cert_registry = CertificateRegistry( cert_fetcher=_fetchers.cert_fetcher if _fetchers is not None else None ) cert_registry.register_multiple(certs) revinfo_manager = RevinfoManager( certificate_registry=cert_registry, poe_manager=poe_manager, crls=crls, ocsps=ocsps, fetchers=_fetchers, assertions=nonrevoked_assertions, ) return ValidationDataHandlers( revinfo_manager=revinfo_manager, poe_manager=poe_manager, cert_registry=cert_registry, ) @dataclass(frozen=True) class CertValidationPolicySpec: """ Policy object describing how to validate certificates at a high level. .. note:: A certificate validation policy differs from a validation context in that :class:`ValidationContext` objects keep state as well. This is not the case for a certificate validation policy, which makes them suitable for reuse in complex validation workflows where the same policy needs to be applied independently in multiple steps. .. warning:: While a certification policy spec is intended to be stateless, some of its fields are abstract classes. As such, the true behaviour may depend on the underlying implementation. """ trust_manager: TrustManager """ The trust manager that defines this policy's trust anchors. """ revinfo_policy: CertRevTrustPolicy """ The policy describing how to handle certificate revocation and associated revocation information. """ time_tolerance: timedelta = timedelta(seconds=1) """ The time drift tolerated during validation. Defaults to one second. """ acceptable_ac_targets: Optional[ACTargetDescription] = None """ Targets to accept when evaluating the scope of an attribute certificate. """ algorithm_usage_policy: Optional[AlgorithmUsagePolicy] = field( default=DisallowWeakAlgorithmsPolicy() ) """ Policy on cryptographic algorithm usage. If left unspecified, a default will be used. """ pkix_validation_params: Optional[PKIXValidationParams] = None """ The PKIX validation parameters to use, as defined in :rfc:`5280`. """ signature_validator: SignatureValidator = DefaultSignatureValidator() """ Validator implementing the necessary cryptographic operations to validate signatures. """ def build_validation_context_kwargs( self, timing_info: ValidationTimingInfo, handlers: Optional[ValidationDataHandlers], ) -> Dict[str, Any]: """ Internal API to build the keyword arguments to pass to a :class:`ValidationContext` instance constructed from this policy, validation timing info and a set of validation data handlers. :param timing_info: Timing settings. :param handlers: Optionally specify validation data handlers. A reasonable default will be supplied if absent. :return: A dictionary of keyword arguments. """ if handlers is None: cert_registry = CertificateRegistry() poe_manager = POEManager() revinfo_manager = RevinfoManager( certificate_registry=cert_registry, poe_manager=poe_manager, crls=[], ocsps=[], ) else: cert_registry = handlers.cert_registry poe_manager = handlers.poe_manager revinfo_manager = handlers.revinfo_manager return dict( trust_manager=self.trust_manager, revinfo_policy=self.revinfo_policy, revinfo_manager=revinfo_manager, certificate_registry=cert_registry, poe_manager=poe_manager, algorithm_usage_policy=self.algorithm_usage_policy, moment=timing_info.validation_time, best_signature_time=timing_info.best_signature_time, time_tolerance=self.time_tolerance, acceptable_ac_targets=self.acceptable_ac_targets, allow_fetching=revinfo_manager.fetching_allowed, signature_validator=self.signature_validator, ) def build_validation_context( self, timing_info: ValidationTimingInfo, handlers: Optional[ValidationDataHandlers], ) -> ValidationContext: """ Build a validation context from this policy, validation timing info and a set of validation data handlers. :param timing_info: Timing settings. :param handlers: Optionally specify validation data handlers. A reasonable default will be supplied if absent. :return: A new :class:`ValidationContext` reflecting the parameters. """ kwargs = self.build_validation_context_kwargs( timing_info=timing_info, handlers=handlers, ) return ValidationContext(**kwargs) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/errors.py0000644000175100017510000001376515161577363024741 0ustar00runnerrunner# coding: utf-8 from datetime import datetime from typing import List, Optional, Type, TypeVar from asn1crypto.crl import CRLReason from cryptography.exceptions import InvalidSignature from pyhanko_certvalidator._state import ValProcState from pyhanko_certvalidator.path import ValidationPath class PathError(Exception): pass class PathBuildingError(PathError): pass class CertificateFetchError(PathBuildingError): pass class CRLValidationError(Exception): pass class CRLNoMatchesError(CRLValidationError): pass class CRLFetchError(CRLValidationError): pass class CRLValidationIndeterminateError(CRLValidationError): def __init__( self, msg: str, failures: List[str], suspect_stale: Optional[datetime] = None, ): self.msg = msg self.failures = failures self.suspect_stale = suspect_stale super().__init__(msg, failures) class OCSPValidationError(Exception): pass class OCSPNoMatchesError(OCSPValidationError): pass class OCSPValidationIndeterminateError(OCSPValidationError): def __init__( self, msg: str, failures: List[str], suspect_stale: Optional[datetime] = None, ): self.msg = msg self.failures = failures self.suspect_stale = suspect_stale super().__init__(msg, failures) class OCSPFetchError(OCSPValidationError): pass class ValidationError(Exception): def __init__(self, message: str): self.failure_msg = message super().__init__(message) TPathErr = TypeVar('TPathErr', bound='PathValidationError') class PathValidationError(ValidationError): @classmethod def from_state( cls: Type[TPathErr], msg: str, proc_state: ValProcState ) -> TPathErr: return cls(msg, proc_state=proc_state) def __init__(self, msg: str, *, proc_state: ValProcState): self.is_ee_cert = proc_state.is_ee_cert self.is_side_validation = proc_state.is_side_validation current = proc_state.cert_path_stack.head orig = proc_state.cert_path_stack.last assert current is not None and orig is not None self.current_path: ValidationPath = current self.original_path: ValidationPath = orig super().__init__(msg) class RevokedError(PathValidationError): @classmethod def format( cls, reason: CRLReason, revocation_dt: datetime, revinfo_type: str, proc_state: ValProcState, ): reason_str = reason.human_friendly date = revocation_dt.strftime('%Y-%m-%d') time = revocation_dt.strftime('%H:%M:%S') msg = ( f'{revinfo_type} indicates {proc_state.describe_cert()} ' f'was revoked at {time} on {date}, due to {reason_str}.' ) return RevokedError(msg, reason, revocation_dt, proc_state) def __init__( self, msg, reason: CRLReason, revocation_dt: datetime, proc_state: ValProcState, ): self.reason = reason self.revocation_dt = revocation_dt super().__init__(msg, proc_state=proc_state) class InsufficientRevinfoError(PathValidationError): pass class StaleRevinfoError(InsufficientRevinfoError): @classmethod def format( cls, msg: str, time_cutoff: datetime, proc_state: ValProcState, ): return StaleRevinfoError(msg, time_cutoff, proc_state) def __init__( self, msg: str, time_cutoff: datetime, proc_state: ValProcState ): self.time_cutoff = time_cutoff super().__init__(msg, proc_state=proc_state) class InsufficientPOEError(PathValidationError): pass class ExpiredError(PathValidationError): @classmethod def format( cls, *, expired_dt: datetime, proc_state: ValProcState, ): msg = ( f"The path could not be validated because " f"{proc_state.describe_cert()} expired " f"{expired_dt.strftime('%Y-%m-%d %H:%M:%SZ')}" ) return ExpiredError(msg, expired_dt, proc_state) def __init__(self, msg, expired_dt: datetime, proc_state: ValProcState): self.expired_dt = expired_dt super().__init__(msg, proc_state=proc_state) class NotYetValidError(PathValidationError): @classmethod def format( cls, *, valid_from: datetime, proc_state: ValProcState, ): msg = ( f"The path could not be validated because " f"{proc_state.describe_cert()} is not valid until " f"{valid_from.strftime('%Y-%m-%d %H:%M:%SZ')}" ) return NotYetValidError(msg, valid_from, proc_state) def __init__(self, msg, valid_from: datetime, proc_state: ValProcState): self.valid_from = valid_from super().__init__(msg, proc_state=proc_state) class InvalidCertificateError(ValidationError): pass class DisallowedAlgorithmError(PathValidationError): def __init__( self, *args, banned_since: Optional[datetime] = None, **kwargs ): self.banned_since = banned_since super().__init__(*args, **kwargs) @classmethod def from_state( cls, msg: str, proc_state: ValProcState, banned_since: Optional[datetime] = None, ) -> 'DisallowedAlgorithmError': return cls(msg, banned_since=banned_since, proc_state=proc_state) class InvalidAttrCertificateError(InvalidCertificateError): pass class PSSParameterMismatch(InvalidSignature): pass class DSAParametersUnavailable(InvalidSignature): # TODO Technically, such a signature isn't _really_ invalid # (we merely couldn't validate it). # However, this is only an issue for CRLs and OCSP responses that # make use of DSA parameter inheritance, which is pretty much a # completely irrelevant problem in this day and age, so treating those # signatures as invalid as a matter of course seems pretty much OK. pass class AlgorithmNotSupported(InvalidSignature): pass ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1189716 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/0000755000175100017510000000000015161577372024642 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/__init__.py0000644000175100017510000000111015161577363026744 0ustar00runnerrunnerfrom .api import ( CertificateFetcher, CRLFetcher, FetcherBackend, Fetchers, OCSPFetcher, ) __all__ = [ 'CRLFetcher', 'CertificateFetcher', 'FetcherBackend', 'Fetchers', 'OCSPFetcher', 'default_fetcher_backend', ] def default_fetcher_backend() -> FetcherBackend: """ Instantiate a default fetcher backend that doesn't require any resource management, but is less efficient than a fully asynchronous fetcher would be. """ from .requests_fetchers import RequestsFetcherBackend return RequestsFetcherBackend() ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1197224 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/0000755000175100017510000000000015161577372030175 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/__init__.py0000644000175100017510000000235115161577363032307 0ustar00runnerrunnerfrom typing import Optional import aiohttp from ..api import FetcherBackend, Fetchers from .cert_fetch_client import AIOHttpCertificateFetcher from .crl_client import AIOHttpCRLFetcher from .ocsp_client import AIOHttpOCSPFetcher from .util import LazySession __all__ = ['AIOHttpFetcherBackend'] class AIOHttpFetcherBackend(FetcherBackend): def __init__( self, session: Optional[aiohttp.ClientSession] = None, per_request_timeout=10, ): self.session = session or LazySession() self.per_request_timeout = per_request_timeout def get_fetchers(self) -> Fetchers: session = self.session to = self.per_request_timeout return Fetchers( ocsp_fetcher=AIOHttpOCSPFetcher(session, per_request_timeout=to), crl_fetcher=AIOHttpCRLFetcher(session, per_request_timeout=to), cert_fetcher=AIOHttpCertificateFetcher( session, per_request_timeout=to ), ) async def close(self): session = self.session # only close the session if it's a lazy session; # a session passed in by the caller is their own responsibility if isinstance(session, LazySession): await session.close() ././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/cert_fetch_client.py 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/cert_fetch_client.p0000644000175100017510000001152715161577363034030 0ustar00runnerrunnerimport logging from typing import Iterable, Union import aiohttp from asn1crypto import cms, x509 from ...errors import CertificateFetchError from ..api import CertificateFetcher from ..common_utils import ( ACCEPTABLE_CERT_DER_ALIASES, ACCEPTABLE_CERT_PEM_ALIASES, ACCEPTABLE_PKCS7_DER_ALIASES, ACCEPTABLE_STRICT_CERT_CONTENT_TYPES, complete_certificate_fetch_jobs, gather_aia_issuer_urls, unpack_cert_content, ) from .util import AIOHttpMixin, LazySession logger = logging.getLogger(__name__) class AIOHttpCertificateFetcher(CertificateFetcher, AIOHttpMixin): def __init__( self, session: Union[aiohttp.ClientSession, LazySession], user_agent=None, per_request_timeout=10, permit_pem=True, ): super().__init__(session, user_agent, per_request_timeout) self.permit_pem = permit_pem async def fetch_certs(self, url, url_origin_type): """ Fetch one or more certificates from a URL. :param url: URL to fetch. :param url_origin_type: Parameter indicating where the URL came from (e.g. 'CRL'), for error reporting purposes. :raises: CertificateFetchError - when a network I/O or decoding error occurs :return: An iterable of asn1crypto.x509.Certificate objects. """ async def task(): try: logger.info(f"Fetching certificates from {url}...") return await _grab_certs( url, permit_pem=self.permit_pem, timeout=self.per_request_timeout, user_agent=self.user_agent, session=await self.get_session(), url_origin_type=url_origin_type, ) except (ValueError, aiohttp.ClientError) as e: msg = f"Failed to fetch certificate(s) from url {url}." logger.debug(msg, exc_info=e) raise CertificateFetchError(msg) return await self._post_fetch_task(url, task) def fetch_cert_issuers( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ): fetch_jobs = [ self.fetch_certs(url, url_origin_type='certificate') for url in gather_aia_issuer_urls(cert) ] if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info(f"Retrieving issuer certs for {target}...") return complete_certificate_fetch_jobs(fetch_jobs) def fetch_crl_issuers(self, certificate_list): fetch_jobs = [ self.fetch_certs(url, url_origin_type='CRL') for url in certificate_list.issuer_cert_urls ] return complete_certificate_fetch_jobs(fetch_jobs) def fetched_certs(self) -> Iterable[x509.Certificate]: return self.get_results() async def _grab_certs( url, *, user_agent, session: aiohttp.ClientSession, url_origin_type, timeout, permit_pem=True, ): """ Grab one or more certificates from a caIssuers URL. We accept two types of content in the response: - A single DER-encoded X.509 certificate - A PKCS#7 'certs-only' SignedData message - PEM-encoded certificates (if permit_pem=True) Note: strictly speaking, you're not supposed to use PEM to serve certs for AIA purposes in PEM format, but people do it anyway. """ if permit_pem: acceptable_cts = ( ACCEPTABLE_STRICT_CERT_CONTENT_TYPES | ACCEPTABLE_CERT_PEM_ALIASES | ACCEPTABLE_CERT_DER_ALIASES | ACCEPTABLE_PKCS7_DER_ALIASES ) else: acceptable_cts = ACCEPTABLE_STRICT_CERT_CONTENT_TYPES headers = {'Accept': ','.join(acceptable_cts), 'User-Agent': user_agent} cl_timeout = aiohttp.ClientTimeout(timeout) async with session.get( url=url, headers=headers, timeout=cl_timeout, raise_for_status=True ) as response: response_data = await response.read() try: content_type = response.headers['Content-Type'].strip() if content_type not in acceptable_cts: ct_err = ( f"Unacceptable content type '{content_type!r}' " f"when fetching issuer certificate for {url_origin_type} " f"from URL {url}." ) raise aiohttp.ContentTypeError( response.request_info, response.history, message=ct_err, headers=response.headers, ) except KeyError: content_type = None certs = unpack_cert_content(response_data, content_type, url, permit_pem) return list(certs) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/crl_client.py0000644000175100017510000000736215161577363032675 0ustar00runnerrunnerimport logging from typing import Dict, Iterable, List, Union import aiohttp from asn1crypto import cms, crl, pem, x509 from ... import errors from ...util import get_relevant_crl_dps, issuer_serial from ..api import CRLFetcher from ..common_utils import ( crl_job_results_as_completed, enumerate_delivery_point_urls, ) from .util import AIOHttpMixin, LazySession logger = logging.getLogger(__name__) class AIOHttpCRLFetcher(CRLFetcher, AIOHttpMixin): def __init__( self, session: Union[aiohttp.ClientSession, LazySession], user_agent=None, per_request_timeout=10, ): super().__init__(session, user_agent, per_request_timeout) self._by_cert: Dict[bytes, List[crl.CertificateList]] = {} async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], *, use_deltas=True, ): iss_serial = issuer_serial(cert) try: return self._by_cert[iss_serial] except KeyError: pass results = [] async for fetched_crl in self._fetch(cert, use_deltas=use_deltas): results.append(fetched_crl) self._by_cert[iss_serial] = results return results async def _fetch(self, cert: x509.Certificate, *, use_deltas): sources = get_relevant_crl_dps(cert, use_deltas=use_deltas) if not sources: return if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info(f"Retrieving CRLs for {target}...") def _fetch_jobs(): for distribution_point in sources: for url in enumerate_delivery_point_urls(distribution_point): yield self._single_fetch(url) # when the issue with .crl_distribution_points is fixed, # we should handle at_least_one_success and last_e on a per-DP basis async for result in crl_job_results_as_completed(_fetch_jobs()): yield result async def _single_fetch(self, url): async def task(): return await _grab_crl( url, user_agent=self.user_agent, session=await self.get_session(), timeout=self.per_request_timeout, ) return await self._post_fetch_task(url, task) def fetched_crls(self) -> Iterable[crl.CertificateList]: return {crl_ for crl_ in self.get_results()} def fetched_crls_for_cert(self, cert) -> Iterable[crl.CertificateList]: return self._by_cert[issuer_serial(cert)] async def _grab_crl( url, *, user_agent, session: aiohttp.ClientSession, timeout ): """ Fetches a CRL and parses it :param url: A unicode string of the URL to fetch the CRL from :param user_agent: A unicode string of the user agent to use when fetching the URL :param session: ``aiohttp`` client session to use. :param timeout: Timeout in seconds. :return: An asn1crypto.crl.CertificateList object """ try: logger.info(f"Requesting CRL from {url}...") headers = {'Accept': 'application/pkix-crl', 'User-Agent': user_agent} cl_timeout = aiohttp.ClientTimeout(total=timeout) async with session.get( url=url, headers=headers, timeout=cl_timeout, raise_for_status=True ) as response: data = await response.read() if pem.detect(data): _, _, data = pem.unarmor(data) return crl.CertificateList.load(data) except (ValueError, aiohttp.ClientError) as e: raise errors.CRLFetchError( f"Failure to fetch CRL from URL {url}" ) from e ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/ocsp_client.py0000644000175100017510000001050415161577363033051 0ustar00runnerrunnerimport logging from typing import Iterable, Union import aiohttp from asn1crypto import cms, ocsp, x509 from ... import errors from ...authority import Authority from ...util import get_ocsp_urls, issuer_serial from ..api import OCSPFetcher from ..common_utils import ( format_ocsp_request, ocsp_job_get_earliest, process_ocsp_response_data, ) from .util import AIOHttpMixin, LazySession logger = logging.getLogger(__name__) class AIOHttpOCSPFetcher(OCSPFetcher, AIOHttpMixin): def __init__( self, session: Union[aiohttp.ClientSession, LazySession], user_agent=None, per_request_timeout=10, certid_hash_algo='sha1', request_nonces=True, ): super().__init__(session, user_agent, per_request_timeout) if certid_hash_algo not in ('sha1', 'sha256'): raise ValueError( f'certid_hash_algo must be one of "sha1", "sha256", not ' f'{certid_hash_algo!r}' ) self.certid_hash_algo = certid_hash_algo self.request_nonces = request_nonces async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, ) -> ocsp.OCSPResponse: tag = (issuer_serial(cert), authority.hashable) if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info(f"About to queue OCSP fetch for {target}...") async def task(): return await self._fetch(cert, authority) return await self._post_fetch_task(tag, task) async def _fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, ): ocsp_request = format_ocsp_request( cert, authority, certid_hash_algo=self.certid_hash_algo, request_nonces=self.request_nonces, ) # Try the OCSP responders in arbitrary order, and process the responses # as they come in ocsp_urls = get_ocsp_urls(cert) if not ocsp_urls: raise errors.OCSPFetchError("No URLs to fetch OCSP responses from") if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info( f"Fetching OCSP status for {target} from url(s) " f"{';'.join(ocsp_urls)}..." ) session = await self.get_session() fetch_jobs = ( _grab_ocsp( ocsp_request, ocsp_url, user_agent=self.user_agent, session=session, timeout=self.per_request_timeout, ) for ocsp_url in ocsp_urls ) return await ocsp_job_get_earliest(fetch_jobs) def fetched_responses(self) -> Iterable[ocsp.OCSPResponse]: return self.get_results() def fetched_responses_for_cert( self, cert: x509.Certificate ) -> Iterable[ocsp.OCSPResponse]: target_is = issuer_serial(cert) return { resp for (subj_is, _), resp in self._iter_results() if subj_is == target_is } async def _grab_ocsp( ocsp_request: ocsp.OCSPRequest, ocsp_url: str, *, user_agent, session: aiohttp.ClientSession, timeout, ): try: logger.info(f"Requesting OCSP response from {ocsp_url}...") headers = { 'Accept': 'application/ocsp-response', 'Content-Type': 'application/ocsp-request', 'User-Agent': user_agent, } cl_timeout = aiohttp.ClientTimeout(total=timeout) async with session.post( url=ocsp_url, headers=headers, data=ocsp_request.dump(), raise_for_status=True, timeout=cl_timeout, ) as response: response_data = await response.read() return process_ocsp_response_data( response_data, ocsp_request=ocsp_request, ocsp_url=ocsp_url ) except (aiohttp.ClientError, errors.OCSPValidationError) as e: raise errors.OCSPFetchError( f"Failed to fetch OCSP response from {ocsp_url}", ) from e ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/util.py0000644000175100017510000000324315161577363031526 0ustar00runnerrunnerimport asyncio from typing import Any, Dict, Union import aiohttp from ..api import DEFAULT_USER_AGENT from ..common_utils import queue_fetch_task __all__ = ['AIOHttpMixin', 'LazySession'] class LazySession: def __init__(self): self._session = None async def get_session(self): session = self._session if session is None: self._session = session = aiohttp.ClientSession() return session async def close(self): session = self._session if session is not None: await session.close() class AIOHttpMixin: def __init__( self, session: Union[aiohttp.ClientSession, LazySession], user_agent=None, per_request_timeout=10, ): self._session = session self.user_agent = user_agent or DEFAULT_USER_AGENT self.per_request_timeout = per_request_timeout self.__results: Dict[Any, Any] = {} self.__result_events: Dict[Any, asyncio.Event] = {} super().__init__() async def get_session(self) -> aiohttp.ClientSession: session = self._session if isinstance(session, LazySession): return await session.get_session() else: return session def get_results(self): return { v for v in self.__results.values() if not isinstance(v, Exception) } def _iter_results(self): for k, v in self.__results.items(): if not isinstance(v, Exception): yield k, v async def _post_fetch_task(self, tag, async_fun): return await queue_fetch_task( self.__results, self.__result_events, tag, async_fun ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/api.py0000644000175100017510000001473715161577363026001 0ustar00runnerrunner""" Asynchronous API for fetching OCSP responses, CRLs and certificates. """ import abc from dataclasses import dataclass from typing import AsyncGenerator, Iterable, Union from asn1crypto import cms, crl, ocsp, x509 from pyhanko_certvalidator.authority import Authority from pyhanko_certvalidator.version import __version__ __all__ = [ 'DEFAULT_USER_AGENT', 'CRLFetcher', 'CertificateFetcher', 'FetcherBackend', 'Fetchers', 'OCSPFetcher', ] DEFAULT_USER_AGENT = 'pyhanko_certvalidator %s' % __version__ class OCSPFetcher(abc.ABC): """Utility interface to fetch and cache OCSP responses.""" async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, ) -> ocsp.OCSPResponse: """ Fetch an OCSP response for a certificate. :param cert: The certificate for which an OCSP response has to be fetched. :param authority: The issuing authority. :raises: OCSPFetchError - Raised if an OCSP response could not be obtained. :return: An OCSP response. """ raise NotImplementedError def fetched_responses(self) -> Iterable[ocsp.OCSPResponse]: """ Return all responses fetched by this OCSP fetcher. """ raise NotImplementedError def fetched_responses_for_cert( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ) -> Iterable[ocsp.OCSPResponse]: """ Return all responses fetched by this OCSP fetcher that are relevant to determine the revocation status of the given certificate. """ raise NotImplementedError class CRLFetcher(abc.ABC): """Utility interface to fetch and cache CRLs.""" async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], *, use_deltas=None, ) -> Iterable[crl.CertificateList]: """ Fetches the CRLs for a certificate. :param cert: An asn1crypto.x509.Certificate object to get the CRL for :param use_deltas: A boolean indicating if delta CRLs should be fetched :raises: CRLFetchError - when a network/IO error or decoding error occurs :return: An iterable of CRLs fetched. """ # side note: we don't want this to be a generator, because in principle, # we always need to consider CRLs from all distribution points together # anyway, so there's no "stream processing" to speak of. # (this is currently not 100% efficient in the default implementation, # see comments below) raise NotImplementedError def fetched_crls(self) -> Iterable[crl.CertificateList]: """ Return all CRLs fetched by this CRL fetcher. """ raise NotImplementedError def fetched_crls_for_cert( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ) -> Iterable[crl.CertificateList]: """ Return all relevant fetched CRLs for the given certificate :param cert: A certificate. :return: An iterable of CRLs :raise KeyError: if no fetch operations have been performed for this certificate """ raise NotImplementedError class CertificateFetcher(abc.ABC): """Utility interface to fetch and cache certificates.""" def fetch_cert_issuers( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ) -> AsyncGenerator[x509.Certificate, None]: """ Fetches certificates from the authority information access extension of a certificate. :param cert: A certificate :raises: CertificateFetchError - when a network I/O or decoding error occurs :return: An asynchronous generator yielding asn1crypto.x509.Certificate objects that were fetched. """ raise NotImplementedError def fetch_crl_issuers( self, certificate_list ) -> AsyncGenerator[x509.Certificate, None]: """ Fetches certificates from the authority information access extension of an asn1crypto.crl.CertificateList. :param certificate_list: An asn1crypto.crl.CertificateList object :raises: CertificateFetchError - when a network I/O or decoding error occurs :return: An asynchronous generator yielding asn1crypto.x509.Certificate objects that were fetched. """ raise NotImplementedError def fetched_certs(self) -> Iterable[x509.Certificate]: """ Return all certificates retrieved by this certificate fetcher. """ raise NotImplementedError @dataclass(frozen=True) class Fetchers: """ Models a collection of fetchers to be used by a validation context. The intention is that these can share resources (like a connection pool) in a unified, controlled manner. See also :class:`.FetcherBackend`. """ ocsp_fetcher: OCSPFetcher crl_fetcher: CRLFetcher cert_fetcher: CertificateFetcher class FetcherBackend(abc.ABC): """ Generic, bare-bones interface to help abstract away instantiation logic for fetcher implementations. Intended to operate as an asynchronous context manager, with `async with backend_obj as fetchers: ...` putting the resulting :class:`.Fetchers` object in to the variable named `fetchers`. .. note:: The initialisation part of the API is necessarily synchronous, for backwards compatibility with the old ``ValidationContext`` API. If you need asynchronous resource management, handle it elsewhere, or use some form of lazy resource provisioning. Alternatively, you can pass :class:`Fetchers` objects to the validation context yourself, and forgo use of the :class:`.FetcherBackend` API altogether. """ def get_fetchers(self) -> Fetchers: """ Set up fetchers synchronously. .. note:: This is a synchronous method """ raise NotImplementedError async def close(self): """ Clean up the resources associated with this fetcher backend, asynchronously. """ pass async def __aenter__(self) -> Fetchers: return self.get_fetchers() async def __aexit__(self, exc_type, exc_val, exc_tb): return await self.close() ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/common_utils.py0000644000175100017510000002732115161577363027731 0ustar00runnerrunner""" Internal backend-agnostic utilities to help process fetched certificates, CRLs and OCSP responses. """ import asyncio import logging import os from typing import Awaitable, Callable, Dict, Optional, TypeVar, Union from asn1crypto import algos, cms, core, ocsp, pem, x509 from asn1crypto.x509 import DistributionPoint from .. import errors from ..authority import Authority from ..util import get_ac_extension_value __all__ = [ 'ACCEPTABLE_CERT_DER_ALIASES', 'ACCEPTABLE_CERT_PEM_ALIASES', 'ACCEPTABLE_PKCS7_DER_ALIASES', 'ACCEPTABLE_STRICT_CERT_CONTENT_TYPES', 'complete_certificate_fetch_jobs', 'crl_job_results_as_completed', 'enumerate_delivery_point_urls', 'format_ocsp_request', 'gather_aia_issuer_urls', 'ocsp_job_get_earliest', 'process_ocsp_response_data', 'queue_fetch_task', 'unpack_cert_content', ] logger = logging.getLogger(__name__) ACCEPTABLE_STRICT_CERT_CONTENT_TYPES = frozenset( [ 'application/pkix-cert', 'application/pkix-ca', 'application/pkcs7-mime', 'application/x-x509-ca-cert', 'application/x-pkcs7-certificates', ] ) ACCEPTABLE_CERT_PEM_ALIASES = frozenset( [ 'application/x-pem-file', 'text/plain', 'application/octet-stream', 'binary/octet-stream', ] ) ACCEPTABLE_CERT_DER_ALIASES = frozenset( [ 'application/pkix-cert', 'application/x-x509-ca-cert', 'application/octet-stream', 'binary/octet-stream', ] ) ACCEPTABLE_PKCS7_DER_ALIASES = frozenset( [ 'application/pkcs7-mime', 'application/x-pkcs7-certificates', 'application/octet-stream', 'binary/octet-stream', ] ) def unpack_cert_content( response_data: bytes, content_type: Optional[str], url: str, permit_pem: bool, ): is_pem = pem.detect(response_data) if ( content_type is None or content_type in ACCEPTABLE_CERT_DER_ALIASES ) and not is_pem: # sometimes we get DER over octet-stream if content_type is None: logger.warning( f"Response to certificate fetch request to {url} did not " f"include a content type, verifying it's sequence length to " f"check if it is a certificate or pkcs7." ) der_sequence_length = len(core.Sequence.load(response_data)) if der_sequence_length == 2: yield from _unpack_der_pkcs7(response_data, url) elif der_sequence_length == 3: yield x509.Certificate.load(response_data) else: raise ValueError( f"Failed to heuristically determine content of payload from source URL {url}" ) elif (content_type in ACCEPTABLE_PKCS7_DER_ALIASES) and not is_pem: yield from _unpack_der_pkcs7(response_data, url) elif permit_pem and is_pem: # technically, PEM is not allowed here, but of course some people don't # bother following the rules for type_name, _, data in pem.unarmor(response_data, multiple=True): if type_name == 'PKCS7': yield from _unpack_der_pkcs7(data, url) else: yield x509.Certificate.load(data) else: raise ValueError( f"Failed to extract certs from {content_type} payload. " f"Source URL: {url}." ) def _unpack_der_pkcs7(pkcs7_data: bytes, pkcs7_url: str): content_info: cms.ContentInfo = cms.ContentInfo.load(pkcs7_data) cms_ct = content_info['content_type'].native if cms_ct != 'signed_data': raise ValueError( "Expected CMS SignedData when extracting certs from " "application/pkcs7-mime payload, but content type was " f"'{cms_ct}'. Source URL: {pkcs7_url}." ) signed_data = content_info['content'] if isinstance(signed_data['certificates'], cms.CertificateSet): for cert_choice in signed_data['certificates']: if cert_choice.name == 'certificate': yield cert_choice.chosen def get_certid( cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, *, certid_hash_algo, ) -> ocsp.CertId: if isinstance(cert, x509.Certificate): serial_number = cert.serial_number else: serial_number = cert['ac_info']['serial_number'].native iss_name_hash = getattr(authority.name, certid_hash_algo) cert_id = ocsp.CertId( { 'hash_algorithm': algos.DigestAlgorithm( {'algorithm': certid_hash_algo} ), 'issuer_name_hash': iss_name_hash, 'issuer_key_hash': getattr(authority.public_key, certid_hash_algo), 'serial_number': serial_number, } ) return cert_id def format_ocsp_request( cert: x509.Certificate, authority: Authority, *, certid_hash_algo: str, request_nonces: bool, ): cert_id = get_certid(cert, authority, certid_hash_algo=certid_hash_algo) request = ocsp.Request( { 'req_cert': cert_id, } ) tbs_request = ocsp.TBSRequest( { 'request_list': ocsp.Requests([request]), } ) if request_nonces: nonce_extension = ocsp.TBSRequestExtension( { 'extn_id': 'nonce', 'critical': False, 'extn_value': core.OctetString(os.urandom(16)), } ) tbs_request['request_extensions'] = ocsp.TBSRequestExtensions( [nonce_extension] ) return ocsp.OCSPRequest({'tbs_request': tbs_request}) def process_ocsp_response_data( response_data: bytes, *, ocsp_request: ocsp.OCSPRequest, ocsp_url: str ): try: ocsp_response = ocsp.OCSPResponse.load(response_data) except ValueError: raise errors.OCSPFetchError('Failed to parse response from OCSP server') status = ocsp_response['response_status'].native if status != 'successful': raise errors.OCSPValidationError( 'OCSP server at %s returned an error. Status was \'%s\'.' % (ocsp_url, status) ) request_nonce = ocsp_request.nonce_value if request_nonce: response_nonce = ocsp_response.nonce_value # if the response did not contain the nonce extension, there's no # point in trying to enforce it, that's the CA's problem. # (I suppose we could give callers the option to mark the nonce # extension as critical in the request, but that's discouraged by the # specification) if response_nonce and (request_nonce.native != response_nonce.native): raise errors.OCSPValidationError( 'Unable to verify OCSP response since the request and ' 'response nonces do not match' ) return ocsp_response T = TypeVar('T') R = TypeVar('R') async def queue_fetch_task( results: Dict[T, Union[R, Exception]], running_jobs: Dict[T, asyncio.Event], tag: T, async_fun: Callable[[], Awaitable[R]], ) -> Union[R, Exception]: # use an asyncio events to make sure that we don't attempt to re-fetch # the same tag while the job is running # Note: this uses asyncio locking, so we only transfer control # on 'await'. # We use events instead of locks because we don't care about fairness, # and events are easier to reason about. try: result = results[tag] logger.debug( f"Result for fetch job with tag {tag!r} was available in cache." ) return _return_or_raise(result) except KeyError: pass try: wait_event: asyncio.Event = running_jobs[tag] logger.debug(f"Waiting for fetch job with tag {tag!r} to return...") # there's a fetch job running, wait for it to finish and then # return the result await wait_event.wait() logger.debug(f"Received completion signal for job with tag {tag!r}.") return _return_or_raise(results[tag]) except KeyError: logger.debug(f"Starting new fetch job with tag {tag!r}...") # no fetch job running, run the task and store the result running_jobs[tag] = wait_event = asyncio.Event() try: result = await async_fun() except Exception as e: logger.debug( f"New fetch job with tag {tag!r} threw an exception: {e}" ) result = e results[tag] = result logger.debug(f"New fetch job with tag {tag!r} returned.") # deregister event, notify waiters del running_jobs[tag] wait_event.set() return _return_or_raise(result) def _return_or_raise(result): if isinstance(result, Exception): raise result return result async def crl_job_results_as_completed(jobs): last_e = None at_least_one_success = False for crl_job in asyncio.as_completed(list(jobs)): try: fetched_crl = await crl_job at_least_one_success = True yield fetched_crl except errors.CRLFetchError as e: last_e = e if last_e is not None and not at_least_one_success: raise last_e async def cancel_all(pending_tasks): pending = asyncio.gather(*pending_tasks) pending.cancel() try: await pending except asyncio.CancelledError: pass async def ocsp_job_get_earliest(jobs): queue = [asyncio.create_task(coro) for coro in jobs] ocsp_resp = last_e = None while queue: done, queue = await asyncio.wait( queue, return_when=asyncio.FIRST_COMPLETED ) for ocsp_job in done: try: ocsp_resp = await ocsp_job break except errors.OCSPFetchError as e: last_e = e if ocsp_resp is not None: # cancel remaining fetch tasks await cancel_all(queue) return ocsp_resp raise last_e or errors.OCSPFetchError("No OCSP results") def gather_aia_issuer_urls( cert: Union[x509.Certificate, cms.AttributeCertificateV2], ): if isinstance(cert, x509.Certificate): aia_value = cert.authority_information_access_value else: aia_value = get_ac_extension_value(cert, 'authority_information_access') if aia_value is None: return for entry in aia_value: if entry['access_method'].native == 'ca_issuers': location = entry['access_location'] if location.name != 'uniform_resource_identifier': continue url = location.native if url.startswith('http'): yield url async def complete_certificate_fetch_jobs(fetch_jobs): for fetch_job in asyncio.as_completed(fetch_jobs): try: certs_fetched = await fetch_job except errors.CertificateFetchError as e: logger.warning( f'Error during certificate fetch job, skipping... (Error: {e})', ) continue for cert in certs_fetched: yield cert def enumerate_delivery_point_urls(distribution_point: DistributionPoint): name = distribution_point['distribution_point'] if name.name != 'full_name': logger.debug( f"Relative delivery point name {name.chosen.native!r} is not supported" ) # We don't support relative DPs # (esp. since we don't support directory-based lookups at all) return for general_name in name.chosen: if general_name.name == 'uniform_resource_identifier': url = general_name.native # Only fetch CRLs over http # (or https, but that doesn't really happen all that often) # In particular, don't attempt to grab CRLs over LDAP if url.lower().startswith(('http://', 'https://')): yield url ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1205316 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/0000755000175100017510000000000015161577372030400 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/__init__.py0000644000175100017510000000177315161577363032521 0ustar00runnerrunner""" Fetcher implementation using the ``requests`` library for backwards compatibility. This fetcher backend doesn't take advantage of asyncio, but has the advantage of not requiring any resource management on the caller's part. """ from ..api import FetcherBackend, Fetchers from .cert_fetch_client import RequestsCertificateFetcher from .crl_client import RequestsCRLFetcher from .ocsp_client import RequestsOCSPFetcher __all__ = ['RequestsFetcherBackend'] class RequestsFetcherBackend(FetcherBackend): def __init__(self, per_request_timeout=10): self.per_request_timeout = per_request_timeout def get_fetchers(self) -> Fetchers: to = self.per_request_timeout return Fetchers( ocsp_fetcher=RequestsOCSPFetcher(per_request_timeout=to), crl_fetcher=RequestsCRLFetcher(per_request_timeout=to), cert_fetcher=RequestsCertificateFetcher(per_request_timeout=to), ) async def close(self): # don't need to do anything return ././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.0000644000175100017510000001063215161577363034047 0ustar00runnerrunnerimport logging from typing import Iterable, Union import requests from asn1crypto import cms, x509 from ...errors import CertificateFetchError from ..api import CertificateFetcher from ..common_utils import ( ACCEPTABLE_CERT_DER_ALIASES, ACCEPTABLE_CERT_PEM_ALIASES, ACCEPTABLE_PKCS7_DER_ALIASES, ACCEPTABLE_STRICT_CERT_CONTENT_TYPES, complete_certificate_fetch_jobs, gather_aia_issuer_urls, unpack_cert_content, ) from .util import RequestsFetcherMixin logger = logging.getLogger(__name__) class RequestsCertificateFetcher(CertificateFetcher, RequestsFetcherMixin): """ Implementation of async CertificateFetcher API using requests, for backwards compatibility. This class does not require resource management. """ def __init__( self, user_agent=None, per_request_timeout=10, permit_pem=True ): super().__init__(user_agent, per_request_timeout) self.permit_pem = permit_pem async def fetch_certs(self, url, url_origin_type): """ Fetch one or more certificates from a URL. :param url: URL to fetch. :param url_origin_type: Parameter indicating where the URL came from (e.g. 'CRL'), for error reporting purposes. :raises: CertificateFetchError - when a network I/O or decoding error occurs :return: An iterable of asn1crypto.x509.Certificate objects. """ async def task(): try: logger.info(f"Fetching certificates from {url}...") results = await self._grab_certs( url, url_origin_type=url_origin_type ) except (ValueError, requests.RequestException) as e: msg = f"Failed to fetch certificate(s) from url {url}." logger.debug(msg, exc_info=e) raise CertificateFetchError(msg) return results return await self._perform_fetch(url, task) def fetch_cert_issuers( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ): fetch_jobs = [ self.fetch_certs(url, url_origin_type='certificate') for url in gather_aia_issuer_urls(cert) ] if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info(f"Retrieving issuer certs for {target}...") return complete_certificate_fetch_jobs(fetch_jobs) def fetch_crl_issuers(self, certificate_list): fetch_jobs = [ self.fetch_certs(url, url_origin_type='CRL') for url in certificate_list.issuer_cert_urls ] return complete_certificate_fetch_jobs(fetch_jobs) def fetched_certs(self) -> Iterable[x509.Certificate]: return self.get_results() async def _grab_certs(self, url, *, url_origin_type): """ Grab one or more certificates from a caIssuers URL. We accept two types of content in the response: - A single DER-encoded X.509 certificate - A PKCS#7 'certs-only' SignedData message - PEM-encoded certificates (if permit_pem=True) Note: strictly speaking, you're not supposed to use PEM to serve certs for AIA purposes in PEM format, but people do it anyway. """ permit_pem = self.permit_pem if permit_pem: acceptable_cts = ( ACCEPTABLE_STRICT_CERT_CONTENT_TYPES | ACCEPTABLE_CERT_PEM_ALIASES | ACCEPTABLE_CERT_DER_ALIASES | ACCEPTABLE_PKCS7_DER_ALIASES ) else: acceptable_cts = ACCEPTABLE_STRICT_CERT_CONTENT_TYPES response = await self._get(url, acceptable_content_types=acceptable_cts) try: content_type = response.headers['Content-Type'].strip() if content_type not in acceptable_cts: ct_err = ( f"Unacceptable content type '{content_type!r}' " f"when fetching issuer certificate for {url_origin_type} " f"from URL {url}." ) raise requests.RequestException(ct_err) except KeyError: content_type = None certs = unpack_cert_content( response.content, content_type, url, permit_pem ) return list(certs) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/crl_client.py0000644000175100017510000000461615161577363033077 0ustar00runnerrunnerimport logging from typing import Iterable, Union import requests from asn1crypto import cms, crl, pem, x509 from ... import errors from ...util import get_relevant_crl_dps, issuer_serial from ..api import CRLFetcher from ..common_utils import ( crl_job_results_as_completed, enumerate_delivery_point_urls, ) from .util import RequestsFetcherMixin logger = logging.getLogger(__name__) class RequestsCRLFetcher(CRLFetcher, RequestsFetcherMixin): def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self._by_cert = {} async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], *, use_deltas=True, ): iss_serial = issuer_serial(cert) try: return self._by_cert[iss_serial] except KeyError: pass results = [] async for fetched_crl in self._fetch(cert, use_deltas=use_deltas): results.append(fetched_crl) self._by_cert[iss_serial] = results return results async def _fetch_single(self, url): async def task(): logger.info(f"Requesting CRL from {url}...") try: response = await self._get( url, acceptable_content_types=('application/pkix-crl',) ) data = response.content if pem.detect(data): _, _, data = pem.unarmor(data) return crl.CertificateList.load(data) except (ValueError, requests.RequestException) as e: raise errors.CRLFetchError( f"Failure to fetch CRL from URL {url}" ) from e return await self._perform_fetch(url, task) async def _fetch(self, cert: x509.Certificate, *, use_deltas): sources = get_relevant_crl_dps(cert, use_deltas=use_deltas) def _fetch_jobs(): for distribution_point in sources: for url in enumerate_delivery_point_urls(distribution_point): yield self._fetch_single(url) async for result in crl_job_results_as_completed(_fetch_jobs()): yield result def fetched_crls(self) -> Iterable[crl.CertificateList]: return {crl_ for crl_ in self.get_results()} def fetched_crls_for_cert(self, cert) -> Iterable[crl.CertificateList]: return self._by_cert[issuer_serial(cert)] ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/ocsp_client.py0000644000175100017510000000662615161577363033266 0ustar00runnerrunnerimport logging from typing import Iterable, Union import requests from asn1crypto import cms, ocsp, x509 from ... import errors from ...authority import Authority from ...util import get_ocsp_urls, issuer_serial from ..api import OCSPFetcher from ..common_utils import ( format_ocsp_request, ocsp_job_get_earliest, process_ocsp_response_data, ) from .util import RequestsFetcherMixin logger = logging.getLogger(__name__) class RequestsOCSPFetcher(OCSPFetcher, RequestsFetcherMixin): def __init__( self, user_agent=None, per_request_timeout=10, certid_hash_algo='sha1', request_nonces=True, ): super().__init__(user_agent, per_request_timeout) if certid_hash_algo not in ('sha1', 'sha256'): raise ValueError( f'certid_hash_algo must be one of "sha1", "sha256", not ' f'{certid_hash_algo!r}' ) self.certid_hash_algo = certid_hash_algo self.request_nonces = request_nonces async def fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, ) -> ocsp.OCSPResponse: tag = (issuer_serial(cert), authority.hashable) return await self._perform_fetch( tag, lambda: self._fetch(cert, authority) ) async def _fetch_single(self, ocsp_url, ocsp_request): try: logger.info(f"Requesting OCSP response from {ocsp_url}...") response = await self._post( url=ocsp_url, data=ocsp_request.dump(), content_type='application/ocsp-request', acceptable_content_types=('application/ocsp-response',), ) return process_ocsp_response_data( response.content, ocsp_request=ocsp_request, ocsp_url=ocsp_url ) except (ValueError, requests.RequestException) as e: raise errors.OCSPFetchError( f"Failed to fetch OCSP response from {ocsp_url}", ) from e async def _fetch( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2], authority: Authority, ): ocsp_request = format_ocsp_request( cert, authority, certid_hash_algo=self.certid_hash_algo, request_nonces=self.request_nonces, ) ocsp_urls = get_ocsp_urls(cert) if not ocsp_urls: raise errors.OCSPFetchError("No URLs to fetch OCSP responses from") if isinstance(cert, x509.Certificate): target = cert.subject.human_friendly else: # TODO log audit ID target = "attribute certificate" logger.info( f"Fetching OCSP status for {target} from url(s) " f"{';'.join(ocsp_urls)}..." ) ocsp_response = await ocsp_job_get_earliest( self._fetch_single(ocsp_url, ocsp_request) for ocsp_url in ocsp_urls ) return ocsp_response def fetched_responses(self) -> Iterable[ocsp.OCSPResponse]: return self.get_results() def fetched_responses_for_cert( self, cert: Union[x509.Certificate, cms.AttributeCertificateV2] ) -> Iterable[ocsp.OCSPResponse]: target_is = issuer_serial(cert) return { resp for (subj_is, _), resp in self._iter_results() if subj_is == target_is } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/fetchers/requests_fetchers/util.py0000644000175100017510000000435615161577363031737 0ustar00runnerrunnerfrom asyncio import to_thread from typing import Awaitable import requests from ..api import DEFAULT_USER_AGENT from ..common_utils import queue_fetch_task __all__ = ['RequestsFetcherMixin'] class RequestsFetcherMixin: def __init__(self, user_agent=None, per_request_timeout=10): self.user_agent = user_agent or DEFAULT_USER_AGENT self.per_request_timeout = per_request_timeout self.__results = {} self.__result_events = {} def get_results(self): return { v for v in self.__results.values() if not isinstance(v, Exception) } def _iter_results(self): for k, v in self.__results.items(): if not isinstance(v, Exception): yield k, v async def _perform_fetch(self, tag, fetch_fun): return await queue_fetch_task( self.__results, self.__result_events, tag, fetch_fun ) def _get( self, url, *, acceptable_content_types ) -> Awaitable[requests.Response]: def task(): headers = { 'Accept': ','.join(acceptable_content_types), 'User-Agent': self.user_agent, } response = requests.get( url=url, timeout=self.per_request_timeout, headers=headers ) if response.status_code != 200: raise requests.RequestException( f"status code {response.status_code}" ) return response return to_thread(task) def _post( self, url, data, *, content_type, acceptable_content_types ) -> Awaitable[requests.Response]: def task(): headers = { 'Accept': ','.join(acceptable_content_types), 'User-Agent': self.user_agent, 'Content-Type': content_type, } response = requests.post( url=url, timeout=self.per_request_timeout, headers=headers, data=data, ) if response.status_code != 200: raise requests.RequestException( f"status code {response.status_code}" ) return response return to_thread(task) ././@PaxHeader0000000000000000000000000000003200000000000010210 xustar0026 mtime=1774649082.12149 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/0000755000175100017510000000000015161577372023644 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/__init__.py0000644000175100017510000000000015161577363025743 0ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/ades_past.py0000644000175100017510000001373315161577363026170 0ustar00runnerrunnerimport dataclasses import logging from datetime import datetime, timezone from typing import Optional from pyhanko_certvalidator.context import ( CertValidationPolicySpec, ValidationDataHandlers, ) from pyhanko_certvalidator.errors import ValidationError from pyhanko_certvalidator.ltv.errors import ( PastValidatePrecheckFailure, TimeSlideFailure, ) from pyhanko_certvalidator.ltv.time_slide import time_slide from pyhanko_certvalidator.ltv.types import ValidationTimingInfo from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import ( NO_REVOCATION, AcceptAllAlgorithms, CertRevTrustPolicy, ) from pyhanko_certvalidator.validate import async_validate_path __all__ = ['past_validate'] logger = logging.getLogger(__name__) async def _past_validate_precheck( path: ValidationPath, validation_policy_spec: CertValidationPolicySpec, ): # The past validation algorithm requires us to run the "regular" # validation algorithm without regard for revocation and expiration # on a known-good time # Shell model: intersect the validity windows of all certs in the path certs = list(path.iter_certs(include_root=False)) lower_bound = max(c.not_valid_before for c in certs) upper_bound = min(c.not_valid_after for c in certs) if lower_bound >= upper_bound: raise PastValidatePrecheckFailure( "The intersection of the validity periods of the certificates " "in the path is empty or degenerate." ) ref_time = ValidationTimingInfo( validation_time=upper_bound, best_signature_time=upper_bound, point_in_time_validation=True, ) validation_context = dataclasses.replace( validation_policy_spec, revinfo_policy=CertRevTrustPolicy( revocation_checking_policy=NO_REVOCATION ), algorithm_usage_policy=AcceptAllAlgorithms(), ).build_validation_context(timing_info=ref_time, handlers=None) try: await async_validate_path( validation_context, path, validation_policy_spec.pkix_validation_params, ) except ValidationError as e: raise PastValidatePrecheckFailure( "Elementary path validation routine failed during pre-check " "for past point-in-time validation" ) from e async def past_validate( path: ValidationPath, validation_policy_spec: CertValidationPolicySpec, validation_data_handlers: ValidationDataHandlers, init_control_time: Optional[datetime] = None, best_signature_time: Optional[datetime] = None, ) -> datetime: """ Execute the ETSI EN 319 102-1 past certificate validation algorithm against the given path (ETSI EN 319 102-1, § 5.6.2.1). Instead of merely evaluating X.509 validation constraints, the algorithm will perform a full point-in-time reevaluation of the path at the control time mandated by the specification. This implies that a caller implementing the past signature validation algorithm no longer needs to explicitly reevaluate CA certificate revocation times and/or algorithm constraints based on POEs. .. warning:: This is incubating internal API. :param path: The prospective validation path against which to execute the algorithm. :param validation_policy_spec: The validation policy specification. :param validation_data_handlers: The handlers used to manage collected certificates,revocation information and proof-of-existence records. :param init_control_time: Initial control time; defaults to the current time. :param best_signature_time: Usage time to use in freshness computations. :return: The control time returned by the time sliding algorithm. Informally, the last time at which the certificate was known to be valid. """ if path.pkix_len > 0: await _past_validate_precheck( path, validation_policy_spec, ) try: # time slide init_control_time = init_control_time or datetime.now(tz=timezone.utc) control_time = await time_slide( path, init_control_time=init_control_time, rev_trust_policy=validation_policy_spec.revinfo_policy, algo_usage_policy=validation_policy_spec.algorithm_usage_policy, time_tolerance=validation_policy_spec.time_tolerance, revinfo_manager=validation_data_handlers.revinfo_manager, ) logger.info( "AdES time slide yields %s as the control time for path with " "leaf %s", control_time, path.describe_leaf(), ) except ValidationError as e: raise TimeSlideFailure( f"Failed to get control time for point-in-time validation for path " f"with leaf {path.describe_leaf()}" ) from e ref_time = ValidationTimingInfo( validation_time=control_time, best_signature_time=best_signature_time or control_time, point_in_time_validation=True, ) # -> validate validation_context = validation_policy_spec.build_validation_context( timing_info=ref_time, handlers=validation_data_handlers ) # Maintenance note: # Doing a full point-in-time re-validation of the path is much more # heavy-handed than what the AdES spec requires. We really only have to # evaluate the chain constraints here. # However, the past signature validation algorithm needs information about # revocations up the chain and algorithm usage for _all_ operations in # the validation process which is hard to pass on given the current # architecture of certvalidator. Reevaluating with a time in the past # is easier, and the POE enforcement is the same either way. await async_validate_path( validation_context, path, parameters=validation_policy_spec.pkix_validation_params, ) return control_time ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/errors.py0000644000175100017510000000035315161577363025533 0ustar00runnerrunnerfrom pyhanko_certvalidator.errors import ValidationError __all__ = ['PastValidatePrecheckFailure', 'TimeSlideFailure'] class PastValidatePrecheckFailure(ValidationError): pass class TimeSlideFailure(ValidationError): pass ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/poe.py0000644000175100017510000001560415161577363025007 0ustar00runnerrunnerimport enum import hashlib from dataclasses import dataclass from datetime import datetime, timezone from typing import Any, Dict, Iterator, Optional, Union from asn1crypto import core, x509 from pyhanko_certvalidator.revinfo.archival import CRLContainer, OCSPContainer __all__ = [ 'KnownPOE', 'POEManager', 'POEType', 'ValidationObject', 'ValidationObjectType', 'digest_for_poe', ] @enum.unique class ValidationObjectType(enum.Enum): """ Types of validation objects recognised by ETSI TS 119 102-2. """ CERTIFICATE = 'certificate' CRL = 'CRL' OCSP_RESPONSE = 'OCSPResponse' TIMESTAMP = 'timestamp' EVIDENCE_RECORD = 'evidencerecord' PUBLIC_KEY = 'publicKey' SIGNED_DATA = 'signedData' OTHER = 'other' def urn(self): return f'urn:etsi:019102:validationObject:{self.value}' KnownObjectType = Union[bytes, CRLContainer, OCSPContainer, x509.Certificate] def guess_validation_object_type( thing: object, ) -> Optional[ValidationObjectType]: if isinstance(thing, CRLContainer): return ValidationObjectType.CRL elif isinstance(thing, OCSPContainer): return ValidationObjectType.OCSP_RESPONSE elif isinstance(thing, x509.Certificate): return ValidationObjectType.CERTIFICATE return None @dataclass(frozen=True) class ValidationObject: """ A validation object used in the course of a validation operation for which proofs of existence can potentially be gathered. """ object_type: ValidationObjectType """ The type of validation object. """ value: Any """ The actual object. Currently, the following types are supported explicitly. Others must currently be supplied as :class:`bytes`. - :class:`.CRLContainer`: :attr:`.ValidationObjectType.CRL` - :class:`.OCSPContainer`: :attr:`.ValidationObjectType.OCSP_RESPONSE` - :class:`x509.Certificate`: :attr:`.ValidationObjectType.CERTIFICATE` """ @enum.unique class POEType(enum.Enum): PROVIDED = 'provided' VALIDATION = 'validation' POLICY = 'policy' @property def urn(self) -> str: return f'urn:etsi:019102:poetype:{self.value}' @dataclass(frozen=True) class KnownPOE: poe_type: POEType digest: bytes poe_time: datetime validation_object: Optional[ValidationObject] = None def digest_for_poe(data: bytes) -> bytes: return hashlib.sha256(data).digest() class POEManager: """ Class to manage proof-of-existence (POE) claims. :param current_dt_override: Override the current time. """ def __init__(self, current_dt_override: Optional[datetime] = None): self._poes: Dict[bytes, KnownPOE] = {} self._current_dt_override = current_dt_override def register( self, data: KnownObjectType, poe_type: POEType, dt: Optional[datetime] = None, ) -> KnownPOE: """ Register a new POE claim if no POE for an earlier time is available. :param data: Data to register a POE claim for. :param poe_type: The type of POE. :param dt: The POE time to register. If ``None``, assume the current time. :return: The oldest POE datetime available. """ if isinstance(data, bytes): b_data = data elif isinstance(data, core.Asn1Value): b_data = data.dump() elif isinstance(data, CRLContainer): b_data = data.crl_data.dump() elif isinstance(data, OCSPContainer): b_data = data.ocsp_response_data.dump() else: raise NotImplementedError digest = digest_for_poe(b_data) dt = dt or self._current_dt_override or datetime.now(timezone.utc) vo_type = guess_validation_object_type(data) vo = None if vo_type: vo = ValidationObject(object_type=vo_type, value=data) return self.register_known_poe( KnownPOE( poe_type=poe_type, digest=digest, poe_time=dt, validation_object=vo, ) ) def register_by_digest( self, digest: bytes, poe_type: POEType, dt: Optional[datetime] = None, ) -> KnownPOE: """ Register a new POE claim if no POE for an earlier time is available. :param digest: SHA-256 digest of the data to register a POE claim for. :param dt: The POE time to register. If ``None``, assume the current time. :param poe_type: The type of POE. :return: The oldest POE datetime available. """ dt = dt or self._current_dt_override or datetime.now(timezone.utc) return self.register_known_poe( KnownPOE( poe_type=poe_type, digest=digest, poe_time=dt, validation_object=None, ) ) def register_known_poe(self, known_poe: KnownPOE) -> KnownPOE: """ Register a new POE claim if no POE for an earlier time is available. :param known_poe: The POE object to register. :return: The oldest POE for the given digest. """ dt = known_poe.poe_time digest = known_poe.digest try: cur_poe = self._poes[digest] if cur_poe.poe_time <= dt: return cur_poe except KeyError: pass self._poes[digest] = known_poe return known_poe def __iter__(self) -> Iterator[KnownPOE]: """ Iterate over the current earliest known POE for all items currently being managed. Returns an iterator with :class:`KnownPOE` objects. """ return iter(self._poes.values()) def __getitem__(self, item: KnownObjectType) -> datetime: """ Return the earliest available POE for an item. .. note:: This is a wrapper around :meth:`register` with `dt=None`, and hence will register the current time as the POE time for the given item. This side effect is intentional. :param item: Item to get the current POE time for. :return: A datetime object representing the earliest available POE for the item. """ return self.register( item, poe_type=POEType.VALIDATION, dt=None ).poe_time def __ior__(self, other): """ Combine data in another POE manager with the POEs managed by this instance. """ if not isinstance(other, POEManager): raise TypeError for poe in iter(other): self.register_known_poe(poe) def __copy__(self): new_instance = POEManager(current_dt_override=self._current_dt_override) new_instance._poes = dict(self._poes) return new_instance ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/time_slide.py0000644000175100017510000004016415161577363026341 0ustar00runnerrunnerimport asyncio from datetime import datetime, timedelta from typing import Iterable, List, Optional, Set, Tuple from asn1crypto import algos, keys, x509 from pyhanko_certvalidator._state import ValProcState from pyhanko_certvalidator.errors import ( DisallowedAlgorithmError, InsufficientPOEError, InsufficientRevinfoError, RevokedError, ) from pyhanko_certvalidator.ltv.types import ( ValidationTimingInfo, ValidationTimingParams, ) from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import ( AlgorithmUsagePolicy, CertRevTrustPolicy, RevocationCheckingRule, ) from pyhanko_certvalidator.revinfo.archival import RevinfoContainer from pyhanko_certvalidator.revinfo.manager import RevinfoManager from pyhanko_certvalidator.revinfo.validate_crl import ( CRLOfInterest, _check_cert_on_crl_and_delta, _CRLErrs, collect_relevant_crls_with_paths, ) from pyhanko_certvalidator.revinfo.validate_ocsp import ( OCSPResponseOfInterest, _check_ocsp_status, collect_relevant_responses_with_paths, ) from pyhanko_certvalidator.util import ConsList __all__ = ['ades_gather_prima_facie_revinfo', 'time_slide'] async def ades_gather_prima_facie_revinfo( path: ValidationPath, revinfo_manager: RevinfoManager, control_time: datetime, revocation_checking_rule: RevocationCheckingRule, ) -> Tuple[List[CRLOfInterest], List[OCSPResponseOfInterest]]: """ Gather potentially relevant revocation information for the leaf certificate of a candidate validation path. Only the scope of the revocation information will be checked, no detailed validation will occur. :param path: The candidate validation path. :param revinfo_manager: The revocation info manager. :param control_time: The time horizon that serves as a relevance cutoff. :param revocation_checking_rule: Revocation info rule controlling which kind(s) of revocation information will be fetched. :return: A 2-element tuple containing a list of the fetched CRLs and OCSP responses, respectively. """ cert = path.leaf if revocation_checking_rule.ocsp_relevant: ocsp_result = await collect_relevant_responses_with_paths( cert, path, revinfo_manager, control_time ) ocsps = ocsp_result.responses else: ocsps = [] if revocation_checking_rule.crl_relevant: crl_result = await collect_relevant_crls_with_paths( cert, path, revinfo_manager, control_time ) crls = crl_result.crls else: crls = [] return crls, ocsps def _tails(path: ValidationPath): cur_path = path yield cur_path, True while cur_path.pkix_len > 1: cur_path = cur_path.copy_and_drop_leaf() yield cur_path, False def _apply_algo_policy( algo_policy: AlgorithmUsagePolicy, algo_used: algos.SignedDigestAlgorithm, control_time: datetime, public_key: keys.PublicKeyInfo, val_proc_state: ValProcState, ): sig_constraint = algo_policy.signature_algorithm_allowed( algo_used, control_time, public_key ) algo_name = algo_used['algorithm'].native if not sig_constraint.allowed: if sig_constraint.not_allowed_after: # rewind the clock up until the point where the algorithm # was actually permissible control_time = min(control_time, sig_constraint.not_allowed_after) else: msg = ( f"Algorithm {algo_name} is banned outright without " f"time constraints." ) if sig_constraint.failure_reason is not None: msg += f" Reason: {sig_constraint.failure_reason}" raise DisallowedAlgorithmError.from_state( msg, val_proc_state, banned_since=None, ) return control_time def _update_control_time_for_unrevoked( control_time: datetime, revinfo_container: RevinfoContainer, rev_trust_policy: CertRevTrustPolicy, time_tolerance: timedelta, ): # if the cert is not on the list, we need the freshness check usability = revinfo_container.usable_at( rev_trust_policy, ValidationTimingParams( timing_info=ValidationTimingInfo( validation_time=control_time, best_signature_time=control_time, point_in_time_validation=True, ), time_tolerance=time_tolerance, ), ) issuance_date = revinfo_container.issuance_date if not usability.rating.usable_ades: # set the control time to the issuance date / last usable date # (note: the TOO_NEW check is to prevent problems # with freshness policies involving cooldown periods, # which aren't really supported in the time sliding # algorithm, but hey) # NOTE: the spec mandates using the issuance date here, but I believe # that's wrong: the last date at which the revinfo is still considered # fresh should be used instead. This distinction matters, since # (especially when CRLs are used) the issuance date of the revinfo # is often before the signature time. cutoff_date = usability.last_usable_at or issuance_date if cutoff_date is not None: control_time = min(cutoff_date, control_time) return control_time def _update_control_time( revoked_date: Optional[datetime], control_time: datetime, revinfo_container: RevinfoContainer, algo_policy: Optional[AlgorithmUsagePolicy], issuer_public_key: keys.PublicKeyInfo, val_proc_state: ValProcState, ): if revoked_date: # this means we have to update control_time control_time = min(revoked_date, control_time) algo_used = revinfo_container.revinfo_sig_mechanism_used if algo_policy is not None and algo_used is not None: control_time = _apply_algo_policy( algo_policy, algo_used, control_time, issuer_public_key, val_proc_state, ) return control_time async def _time_slide( path: ValidationPath, init_control_time: datetime, revinfo_manager: RevinfoManager, rev_trust_policy: CertRevTrustPolicy, algo_usage_policy: Optional[AlgorithmUsagePolicy], # TODO use policy objects time_tolerance: timedelta, cert_stack: ConsList[bytes], path_stack: ConsList[ValidationPath], ) -> datetime: control_time = init_control_time checking_policy = rev_trust_policy.revocation_checking_policy # For zero-length paths, there is nothing to check if path.pkix_len == 0: return init_control_time # The ETSI algorithm requires us to collect revinfo for each # cert in the path, starting with the first (after the root). # Since our revinfo collection methods require paths instead of individual # certs, we instead loop over partial paths partial_paths = list(reversed(list(_tails(path)))) poe_manager = revinfo_manager.poe_manager for current_path, is_ee in partial_paths: crls, ocsps = await ades_gather_prima_facie_revinfo( current_path, revinfo_manager=revinfo_manager, control_time=control_time, revocation_checking_rule=( checking_policy.ee_certificate_rule if is_ee else checking_policy.intermediate_ca_cert_rule ), ) cert = current_path.leaf new_cert_stack = cert_stack.cons(cert.dump()) new_path_stack = path_stack.cons(path) proc_state = ValProcState(cert_path_stack=new_path_stack) if poe_manager[cert] > control_time: raise InsufficientPOEError.from_state( f"No proof of existence available for certificate " f"{cert.subject.human_friendly} at control time " f"{control_time.isoformat()}.", proc_state, ) if not crls and not ocsps: if isinstance(cert, x509.Certificate): ident = cert.subject.human_friendly else: ident = "attribute certificate" # don't raise an error for revo-exempt certs (OCSP responders) if cert.ocsp_no_check_value is None: raise InsufficientRevinfoError.from_state( f"No revocation info from before {control_time.isoformat()}" f" found for certificate {ident}.", proc_state, ) once_revoked = False most_recent_crl = None # We always take the chain of trust of a CRL/OCSP response # at face value for crl_of_interest in crls: # skip CRLs that are no longer relevant issued = crl_of_interest.crl.issuance_date if ( not issued or issued > control_time or poe_manager[crl_of_interest.crl] > control_time ): continue sub_paths = crl_of_interest.prov_paths # recurse into the paths associated with the CRL and adjust # the control time accordingly # don't bother checking issuers that already appear # in the chain of trust that we're currently looking into sub_path_skip_list: Set[bytes] = set(new_cert_stack) | set( cert.dump() for cert in current_path ) sub_path_control_times = await asyncio.gather( *( _time_slide( crl_path.path, control_time, revinfo_manager, rev_trust_policy, algo_usage_policy, time_tolerance, cert_stack=new_cert_stack, path_stack=new_path_stack, ) for crl_path in sub_paths if ( crl_path.path.leaf and crl_path.path.leaf.dump() not in sub_path_skip_list ) ) ) control_time = min([control_time, *sub_path_control_times]) for candidate_crl_path in sub_paths: revoked_date, revoked_reason = _check_cert_on_crl_and_delta( crl_issuer=candidate_crl_path.path.leaf, cert=cert, certificate_list_cont=crl_of_interest.crl, delta_certificate_list_cont=candidate_crl_path.delta, errs=_CRLErrs(), ) crl_iss_cert = candidate_crl_path.path.leaf assert isinstance(crl_iss_cert, x509.Certificate) once_revoked |= revoked_date is not None crl_container = crl_of_interest.crl if most_recent_crl is None: most_recent_crl = crl_container else: if ( most_recent_crl.issuance_date and crl_container.issuance_date and most_recent_crl.issuance_date < crl_container.issuance_date ): most_recent_crl = crl_container control_time = _update_control_time( revoked_date, control_time, revinfo_container=crl_container, algo_policy=algo_usage_policy, issuer_public_key=crl_iss_cert.public_key, val_proc_state=proc_state, ) most_recent_ocsp = None for ocsp_of_interest in ocsps: ocsp_container = ocsp_of_interest.ocsp_response issued = ocsp_container.issuance_date if ( not issued or issued > control_time or poe_manager[ocsp_of_interest.ocsp_response] > control_time ): continue control_time = await _time_slide( ocsp_of_interest.prov_path, control_time, revinfo_manager, rev_trust_policy, algo_usage_policy, time_tolerance, cert_stack=new_cert_stack, path_stack=new_path_stack, ) try: _check_ocsp_status( ocsp_response=ocsp_container, proc_state=ValProcState(cert_path_stack=new_path_stack), control_time=control_time, ) revoked_date = None except RevokedError as e: revoked_date = e.revocation_dt once_revoked |= revoked_date is not None ocsp_iss_cert = ocsp_of_interest.prov_path.leaf assert isinstance(ocsp_iss_cert, x509.Certificate) if most_recent_ocsp is None or ( most_recent_ocsp.issuance_date and most_recent_ocsp.issuance_date < issued ): most_recent_ocsp = ocsp_container control_time = _update_control_time( revoked_date, control_time, revinfo_container=ocsp_container, algo_policy=algo_usage_policy, issuer_public_key=ocsp_iss_cert.public_key, val_proc_state=proc_state, ) # check the algorithm constraints for the certificate itself if algo_usage_policy is not None: leaf_ca = list(current_path.iter_authorities())[-1] control_time = _apply_algo_policy( algo_usage_policy, cert['signature_algorithm'], control_time, leaf_ca.public_key, val_proc_state=proc_state, ) # (c) if the certificate was not marked as revoked -> update # based on the freshness of the most recent piece of revinfo if not once_revoked: revinfo_items: Iterable[RevinfoContainer] = [ x for x in (most_recent_ocsp, most_recent_crl) if x is not None ] most_recent_revinfo = max( revinfo_items, key=lambda x: x.issuance_date or control_time, default=None, ) if most_recent_revinfo is not None: control_time = _update_control_time_for_unrevoked( control_time=control_time, revinfo_container=most_recent_revinfo, rev_trust_policy=rev_trust_policy, time_tolerance=time_tolerance, ) return control_time async def time_slide( path: ValidationPath, init_control_time: datetime, revinfo_manager: RevinfoManager, rev_trust_policy: CertRevTrustPolicy, algo_usage_policy: Optional[AlgorithmUsagePolicy], time_tolerance: timedelta, ) -> datetime: """ Execute the ETSI EN 319 102-1 time slide algorithm against the given path. .. warning:: This is incubating internal API. .. note:: This implementation will also attempt to take into account chains of trust of indirect CRLs. This is not a requirement of the specification, but also somewhat unlikely to arise in practice in cases where AdES compliance actually matters. :param path: The prospective validation path against which to execute the time slide algorithm. :param init_control_time: The initial control time, typically the current time. :param revinfo_manager: The revocation info manager. :param rev_trust_policy: The trust policy for revocation information. :param algo_usage_policy: The algorithm usage policy. :param time_tolerance: The tolerance to apply when evaluating time-related constraints. :return: The resulting control time. """ return await _time_slide( path, init_control_time, revinfo_manager, rev_trust_policy, algo_usage_policy, time_tolerance, cert_stack=ConsList.empty(), path_stack=ConsList.empty(), ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/ltv/types.py0000644000175100017510000000267015161577363025367 0ustar00runnerrunnerimport abc from dataclasses import dataclass from datetime import datetime, timedelta, timezone, tzinfo from typing import Optional __all__ = [ 'IssuedItemContainer', 'ValidationTimingInfo', 'ValidationTimingParams', ] # TODO potentially re-home these at some point @dataclass(frozen=True) class ValidationTimingInfo: validation_time: datetime best_signature_time: datetime point_in_time_validation: bool @classmethod def now(cls, tz: Optional[tzinfo] = None) -> 'ValidationTimingInfo': now = datetime.now(tz=tz or timezone.utc) return ValidationTimingInfo( validation_time=now, best_signature_time=now, point_in_time_validation=False, ) @dataclass(frozen=True) class ValidationTimingParams: timing_info: ValidationTimingInfo time_tolerance: timedelta @property def validation_time(self): return self.timing_info.validation_time @property def best_signature_time(self): return self.timing_info.best_signature_time @property def point_in_time_validation(self): return self.timing_info.point_in_time_validation class IssuedItemContainer(abc.ABC): """ A container for some data object issued by an entity (e.g. a certificate). """ @property def issuance_date(self) -> Optional[datetime]: """ The issuance date of the item. """ raise NotImplementedError ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/name_trees.py0000644000175100017510000003155615161577363025545 0ustar00runnerrunnerimport enum import logging from dataclasses import dataclass from ipaddress import IPv4Address, IPv6Address from typing import Callable, Dict, Iterable, List, Optional, Set, Union from asn1crypto import x509 from uritools import urisplit logger = logging.getLogger(__name__) class NameConstraintError(ValueError): pass def host_tree_contains(base_host: str, other_host: str) -> bool: # if the constraint starts with '.', it specifies a domain, and must be # expanded with one or more labels, otherwise it refers to a single host. if base_host[0] == '.': pre, _, post = other_host.rpartition(base_host) return bool(pre) and not bool(post) else: return other_host == base_host def _host_regname(cand_uri): cand_host = urisplit(cand_uri).gethost() if not cand_host or isinstance(cand_host, (IPv4Address, IPv6Address)): host_err = ( f'has host {cand_host}.' if cand_host is not None else ('is not a well-formed URI.') ) msg = ( "URI constraints require URIs with a host specified as a FQDN; " f"URI '{cand_uri}' {host_err}." ) logger.warning(msg) raise NameConstraintError(msg) return cand_host def uri_tree_contains(base: str, other: str) -> bool: # The constraint applies to the host part other_host: str = _host_regname(other) return host_tree_contains(base, other_host) def dns_tree_contains(base: str, other: str): # check if 'other' consists of adding zero or more labels to 'base' # (from the left) base_labels = base.split('.') other_labels = other.split('.') if len(other_labels) < len(base_labels): return False return len(other_labels) >= len(base_labels) and all( x == y for x, y in zip(reversed(other_labels), reversed(base_labels)) ) def email_tree_contains(base: str, other: str): # use rpartition instead of rsplit to deal with the case where there's no @ # uniformly base_mailbox, _, base_host_or_domain = base.rpartition('@') other_mailbox, _, other_host_or_domain = other.rpartition('@') if base_mailbox: # only exact match return base == other else: return host_tree_contains(base_host_or_domain, other_host_or_domain) def dirname_tree_contains(base: x509.Name, other: x509.Name): base_rdn_sequence = base.chosen other_rdn_sequence = other.chosen return len(other_rdn_sequence) >= len(base_rdn_sequence) and all( x == y for x, y in zip(base_rdn_sequence, other_rdn_sequence) ) # TODO support IP address constraints as well class GeneralNameType(enum.Enum): OTHER_NAME = enum.auto() RFC822_NAME = enum.auto() DNS_NAME = enum.auto() X400_ADDRESS = enum.auto() DIRECTORY_NAME = enum.auto() EDI_PARTY_NAME = enum.auto() UNIFORM_RESOURCE_IDENTIFIER = enum.auto() IP_ADDRESS = enum.auto() REGISTERED_ID = enum.auto() @property def check_membership( self, ) -> Optional[ Callable[[Union[str, x509.Name], Union[str, x509.Name]], bool] ]: return _name_type_checkers.get(self, None) @classmethod def from_choice(cls, choice) -> 'GeneralNameType': return getattr(cls, choice.upper()) _name_type_checkers = { GeneralNameType.DIRECTORY_NAME: dirname_tree_contains, GeneralNameType.RFC822_NAME: email_tree_contains, GeneralNameType.DNS_NAME: dns_tree_contains, GeneralNameType.UNIFORM_RESOURCE_IDENTIFIER: uri_tree_contains, } class UnsupportedNameTypeError(NotImplementedError): def __init__(self, name_type: GeneralNameType): super().__init__(name_type.name.lower()) def _interpret_general_name(gname: x509.GeneralName): gname_type = GeneralNameType.from_choice(gname.name) value = gname.chosen # for directory names, we keep the Name object,but everything # else gets converted to a string representation if gname_type != GeneralNameType.DIRECTORY_NAME: value = value.native return gname_type, value def _enumerate_names_in_cert(cert: x509.Certificate): # start with the subject's distinguished name, if it is non-empty if len(cert.subject.chosen): yield GeneralNameType.DIRECTORY_NAME, cert.subject subject_alt_names: x509.GeneralNames = cert.subject_alt_name_value if subject_alt_names is None: # if the subject has email address component(s) and no subjectAltName # name constraints for rfc822Name-type names should also apply to those # addresses name_pair: x509.NameTypeAndValue for rdn in cert.subject.chosen: for name_pair in rdn: if name_pair['type'].native == 'email_address': yield GeneralNameType.RFC822_NAME, name_pair['value'].native else: for name in subject_alt_names: yield _interpret_general_name(name) class _StringOrName: # Wrapper class for hashing purposes. Not for external use. def __init__(self, value: Union[str, x509.Name]): self.value = value @property def _code(self): val = self.value if isinstance(val, x509.Name): return 0, val.dump() else: return 1, val def __hash__(self): return hash(self._code) def __eq__(self, other): return isinstance(other, _StringOrName) and self._code == other._code @dataclass(frozen=True) class NameSubtree: name_type: GeneralNameType tree_base: Optional[_StringOrName] min: int = 0 max: Optional[int] = None def __contains__(self, item: Union[str, x509.Name]) -> bool: if self.tree_base is None: # special value: accept all certs return True # TODO processing min / max for DNs and DNS names would make sense if self.min != 0 or self.max is not None: raise NotImplementedError( "The minimum/maximum fields on a name constraint are not " "meaningful in the PKIX (RFC 5280) profile --- not processing." ) checker = self.name_type.check_membership if checker is None: raise NotImplementedError( f"No containment checker available for {self.name_type}" ) return checker(self.tree_base.value, item) @classmethod def from_name(cls, name_type: GeneralNameType, name: Union[str, x509.Name]): return NameSubtree(name_type=name_type, tree_base=_StringOrName(name)) @classmethod def from_general_subtree(cls, subtree) -> 'NameSubtree': gname = subtree['base'] name_type, name_obj = _interpret_general_name(gname) return NameSubtree( name_type, _StringOrName(name_obj), min=subtree['minimum'].native, max=subtree['maximum'].native, ) @classmethod def universal_tree(cls, name_type: GeneralNameType) -> 'NameSubtree': """ Tree that contains all names of a given type. :param name_type: The name type to use. :return: """ return NameSubtree(name_type=name_type, tree_base=None) # a subtree collection as used in the PKIX validation algorithm PKIXSubtrees = Dict[GeneralNameType, Set[NameSubtree]] def x509_names_to_subtrees(names: Iterable[x509.Name]) -> PKIXSubtrees: def _subtree(name: x509.Name): return NameSubtree.from_name( name_type=GeneralNameType.DIRECTORY_NAME, name=name ) return {GeneralNameType.DIRECTORY_NAME: {_subtree(n) for n in names}} def _group_subtrees(trees: Iterable[NameSubtree]) -> PKIXSubtrees: # This should NOT be a defaultdict, because the semantics of a tree # type not being present vs. the set being empty are very different! # If necessary, the caller can do a setdefault() result: PKIXSubtrees = {} for tree in trees: try: result[tree.name_type].add(tree) except KeyError: result[tree.name_type] = {tree} return result def process_general_subtrees(subtrees: x509.GeneralSubtrees) -> PKIXSubtrees: return _group_subtrees( NameSubtree.from_general_subtree(subtree) for subtree in subtrees ) class NameConstraintValidationResult: def __init__( self, failing_name_type: Optional[GeneralNameType] = None, failing_name: Union[str, x509.Name, None] = None, ): self.failing_name_type: Optional[GeneralNameType] = failing_name_type self.failing_name: Union[str, x509.Name, None] = failing_name def __bool__(self): return self.failing_name_type is None @property def error_message(self): assert self.failing_name_type is not None name_str = self.failing_name if isinstance(name_str, x509.Name): name_str = name_str.human_friendly name_type = self.failing_name_type.name.lower() return f"The name '{name_str}' of type {name_type} is not allowed." class PermittedSubtrees: def __init__(self, initial_permitted_subtrees: PKIXSubtrees): # The structure of self._trees is name_type -> list[tree set] # where each tree set in the list denotes a generation # For each "generation", there must be at least one tree that accepts # the name (i.e. later certificates can only restrict existing # constraints). # note: if the set of applicable trees is empty, # we reject the cert. # However, initial-permitted-subtrees (by default) includes a # universal acceptor for each name type in our implementation, # which seems to be what most implementations do. # We deep-copy the initial permitted subtrees trees: Dict[GeneralNameType, List[Set[NameSubtree]]] = { name_type: [set(initial_permitted_subtrees.get(name_type, ()))] for name_type in GeneralNameType } self._trees = trees def intersect_with(self, trees: PKIXSubtrees): # only change the values that appear in the new tree set! for name_type, new_permitted in trees.items(): self._trees[name_type].append(new_permitted) def accept_name(self, name_type: GeneralNameType, name) -> bool: # make sure that name is contained in the intersection of all whitelist # filters we accumulated. # Run through the list in reverse order (newest first) to apply the # (generally) strictest conditions first try: return all( any(name in tree for tree in trees_in_generation) for trees_in_generation in reversed(self._trees[name_type]) ) except NameConstraintError: return False def accept_cert( self, cert: x509.Certificate ) -> NameConstraintValidationResult: try: failing_name_type, failing_name = next( (name_type, name) for name_type, name in _enumerate_names_in_cert(cert) if not self.accept_name(name_type, name) ) return NameConstraintValidationResult( failing_name_type=failing_name_type, failing_name=failing_name ) except StopIteration: return NameConstraintValidationResult() class ExcludedSubtrees: def __init__(self, initial_excluded_subtrees: PKIXSubtrees): # The situation is not fully symmetric with the whitelist case: # here, we don't need to remember individual generations of blacklists, # we can just take unions to strictify conditions as we move along the # path under scrutiny. self._trees: PKIXSubtrees = { name_type: set(tree_set) for name_type, tree_set in initial_excluded_subtrees.items() } def union_with(self, trees: PKIXSubtrees): # only change the values that appear in the new tree set! for name_type, new_excluded in trees.items(): self._trees[name_type].update(new_excluded) def reject_name(self, name_type: GeneralNameType, name) -> bool: try: return any(name in tree for tree in self._trees[name_type]) except NameConstraintError: return True def accept_cert( self, cert: x509.Certificate ) -> NameConstraintValidationResult: try: failing_name_type, failing_name = next( (name_type, name) for name_type, name in _enumerate_names_in_cert(cert) if self.reject_name(name_type, name) ) return NameConstraintValidationResult( failing_name_type=failing_name_type, failing_name=failing_name ) except StopIteration: return NameConstraintValidationResult() def default_permitted_subtrees() -> PKIXSubtrees: return { name_type: {NameSubtree.universal_tree(name_type)} for name_type in GeneralNameType } def default_excluded_subtrees() -> PKIXSubtrees: return {name_type: set() for name_type in GeneralNameType} ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/path.py0000644000175100017510000003025115161577363024346 0ustar00runnerrunner# coding: utf-8 import itertools from dataclasses import dataclass from typing import FrozenSet, Iterable, Iterator, Optional, Union from asn1crypto import cms, x509 from .asn1_types import AAControls from .authority import ( Authority, AuthorityWithCert, TrustAnchor, ) from .util import get_ac_extension_value, get_issuer_dn @dataclass(frozen=True) class QualifiedPolicy: issuer_domain_policy_id: str """ Policy OID in the issuer domain (i.e. as listed on the certificate). """ user_domain_policy_id: str """ Policy OID of the equivalent policy in the user domain. """ qualifiers: frozenset """ Set of x509.PolicyQualifierInfo objects. """ Leaf = Union[x509.Certificate, cms.AttributeCertificateV2] class ValidationPath: """ Represents a path going towards an end-entity certificate or attribute certificate. """ _qualified_policies: Optional[FrozenSet[QualifiedPolicy]] = None _path_aa_controls = None def __init__( self, trust_anchor: TrustAnchor, interm: Iterable[x509.Certificate], leaf: Optional[Leaf], ): if interm and not leaf: raise ValueError("Leafless paths cannot have intermediate certs") self._interm = list(interm) self._root = trust_anchor self._leaf = leaf @property def trust_anchor(self) -> TrustAnchor: return self._root @property def first(self): """ Returns the current beginning of the path - for a path to be complete, this certificate should be a trust root .. warning:: This is a compatibility property, and will return the first non-root certificate if the trust root is not provisioned as a certificate. If you want the trust root itself (even when it doesn't have a certificate), use :attr:`trust_anchor`. :return: The first asn1crypto.x509.Certificate object in the path """ root = self._root.authority if isinstance(root, AuthorityWithCert): return root.certificate elif self._interm: return self._interm[0] elif isinstance(self._leaf, x509.Certificate): return self._leaf @property def leaf(self) -> Optional[Leaf]: """ Returns the current leaf certificate (AC or public-key). The trust root's certificate will be returned if there is one and there are no other certificates in the path. If the trust root is certificate-less and there are no certificates, the result will be ``None``. """ if self._leaf is not None: return self._leaf elif not self._interm: root_authority = self.trust_anchor.authority if isinstance(root_authority, AuthorityWithCert): return root_authority.certificate # __init__ ensures that leaf None -> there are no intermediate certs return None def describe_leaf(self) -> Optional[str]: leaf = self.leaf if isinstance(leaf, x509.Certificate): return leaf.subject.human_friendly elif isinstance(leaf, cms.AttributeCertificateV2): return '' else: return None def get_ee_cert_safe(self) -> Optional[x509.Certificate]: """ Returns the current leaf certificate if it is an X.509 public-key certificate, and ``None`` otherwise. :return: """ leaf = self.leaf if isinstance(leaf, x509.Certificate): return leaf else: return None @property def last(self) -> x509.Certificate: """ Returns the last certificate in the path if it is an X.509 public-key certificate, and throws an error otherwise. :return: The last asn1crypto.x509.Certificate object in the path """ cert = self.get_ee_cert_safe() if cert: return cert else: raise LookupError def iter_authorities(self) -> Iterable[Authority]: """ Iterate over all authorities in the path, including the trust root. """ yield self._root.authority for cert in self._interm: yield AuthorityWithCert(cert) def find_issuing_authority(self, cert: Leaf): """ Return the issuer of the cert specified, as defined by this path :param cert: A certificate to get the issuer of :raises: LookupError - when the issuer of the certificate could not be found :return: An asn1crypto.x509.Certificate object of the issuer """ issuer_name = get_issuer_dn(cert) if isinstance(cert, x509.Certificate): aki = cert.authority_key_identifier else: aki_ext = get_ac_extension_value(cert, 'authority_key_identifier') aki = aki_ext['key_identifier'].native if aki_ext else None for authority in self.iter_authorities(): if authority.name == issuer_name: keyid = authority.key_id if keyid and aki and keyid != aki: continue return authority raise LookupError( 'Unable to find the issuer of the certificate specified' ) def truncate_to_and_append(self, cert: x509.Certificate, new_leaf: Leaf): """ Remove all certificates in the path after the cert specified and return them in a new path. Internal API. :param cert: An asn1crypto.x509.Certificate object to find :param new_leaf: A new leaf certificate to append. :raises: LookupError - when the certificate could not be found :return: The current ValidationPath object, for chaining """ root_authority = self._root.authority if isinstance(root_authority, AuthorityWithCert): if root_authority.certificate.issuer_serial == cert.issuer_serial: return ValidationPath(self._root, interm=[], leaf=new_leaf) certs = self._interm cert_index = None for index, entry in enumerate(certs): if entry.issuer_serial == cert.issuer_serial: cert_index = index break if cert_index is None: raise LookupError( f'Unable to find the specified certificate in the path: {cert.subject.human_friendly}' ) return ValidationPath( self._root, interm=certs[: cert_index + 1], leaf=new_leaf ) # TODO generalise this to ACs as well? def truncate_to_issuer_and_append(self, cert: x509.Certificate): """ Remove all certificates in the path after the issuer of the cert specified, as defined by this path, and append a new one. Internal API. :param cert: A new leaf certificate to append. :raises: LookupError - when the issuer of the certificate could not be found :return: The current ValidationPath object, for chaining """ issuer_index = None # check the trust root separately if self.trust_anchor.authority.is_potential_issuer_of(cert): # in case of a match, truncate everything if cert.self_signed == 'maybe': # if the candidate leaf is self-signed (according to metadata), # then it's actually the authority itself -> no need to append. return ValidationPath(self._root, interm=[], leaf=None) else: return ValidationPath(self._root, interm=[], leaf=cert) # now run through the rest of the path certs = self._interm for index, entry in enumerate(certs): if entry.subject == cert.issuer: if entry.key_identifier and cert.authority_key_identifier: if entry.key_identifier == cert.authority_key_identifier: issuer_index = index break else: issuer_index = index break if issuer_index is None: raise LookupError( 'Unable to find the issuer of the certificate specified' ) return ValidationPath(self._root, certs[: issuer_index + 1], leaf=cert) def copy_and_append(self, cert: Leaf): new_certs = self._interm[:] if self._leaf: new_certs.append(self._leaf) return ValidationPath( trust_anchor=self._root, interm=new_certs, leaf=cert ) def copy_and_drop_leaf(self) -> 'ValidationPath': """ Drop the leaf cert from this path and return a new path with the last intermediate certificate set as the leaf. """ if len(self._interm) == 0: raise IndexError new_interm, new_leaf = self._interm[:-1], self._interm[-1] return ValidationPath( trust_anchor=self._root, interm=new_interm, leaf=new_leaf ) def _set_qualified_policies(self, policies): self._qualified_policies = policies def qualified_policies(self) -> Optional[FrozenSet[QualifiedPolicy]]: return self._qualified_policies def aa_attr_in_scope(self, attr_id: cms.AttCertAttributeType) -> bool: aa_controls_extensions = [ AAControls.read_extension_value(cert) for cert in self ] aa_controls_used = any(x is not None for x in aa_controls_extensions) if not aa_controls_used: return True else: # the path validation code ensures that all non-anchor certs # have an AAControls extension, but we still enforce the root's # AAControls if there is one (since we might as well treat it # as a configuration setting/failsafe at that point) # This is appropriate in PKIX-land (see RFC 5280, § 6.2 as # updated in RFC 6818, § 4) return all( ctrl.accept(attr_id) for ctrl in aa_controls_extensions # None check for defensiveness (already enforced by validation # algorithm), and to (potentially) skip the root if ctrl is not None ) @property def pkix_len(self): return len(self._interm) + (1 if self._leaf else 0) def __len__(self): # backwards compat return 1 + self.pkix_len def __getitem__(self, key): # convoluted because of compatibility issues... authority = self._root.authority if key > 0: leaf_ix = len(self._interm) + 1 if key == leaf_ix and self._leaf is not None: return self._leaf return self._interm[key - 1] elif isinstance(authority, AuthorityWithCert): # backwards compat return authority.certificate else: # Throw an error instead of returning None, because we want this # to fail loudly. raise LookupError("Root has no certificate") def iter_certs(self, include_root: bool) -> Iterator[x509.Certificate]: """ Iterate over the certificates in the path. :param include_root: Include the root (if it is supplied as a certificate) :return: An iterator. """ root = self._root.authority from_root = ( (root.certificate,) if include_root and isinstance(root, AuthorityWithCert) else () ) leaf = self._leaf from_leaf = (leaf,) if isinstance(leaf, x509.Certificate) else () return itertools.chain(from_root, self._interm, from_leaf) def __iter__(self): # backwards compat, we iterate over all certs _including_ the root # if it is supplied as a cert return self.iter_certs(include_root=True) def __eq__(self, other): if not isinstance(other, ValidationPath): return False return ( self.trust_anchor == other.trust_anchor and self._interm == other._interm and self._leaf == other._leaf ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/policy_decl.py0000644000175100017510000004654315161577363025713 0ustar00runnerrunner""" .. versionadded:: 0.20.0 """ import abc import enum from dataclasses import dataclass from datetime import datetime, timedelta from typing import FrozenSet, Optional from asn1crypto import algos, keys from .name_trees import PKIXSubtrees __all__ = [ 'DEFAULT_WEAK_HASH_ALGOS', 'NO_REVOCATION', 'REQUIRE_REVINFO', 'AcceptAllAlgorithms', 'AlgorithmUsageConstraint', 'AlgorithmUsagePolicy', 'CertRevTrustPolicy', 'DisallowWeakAlgorithmsPolicy', 'FreshnessReqType', 'NonRevokedStatusAssertion', 'PKIXValidationParams', 'RevocationCheckingPolicy', 'RevocationCheckingRule', ] DEFAULT_WEAK_HASH_ALGOS = frozenset(['md2', 'md5', 'sha1']) """ Digest algorithms considered weak by default. """ FRESHNESS_FALLBACK_VALIDITY_DEFAULT = timedelta(minutes=30) """ Default freshness used by the default/legacy freshness policy when the revocation information does not specify a next update time. In practice this only applies to OCSP responses. """ @dataclass(frozen=True) class NonRevokedStatusAssertion: """ Assert that a certificate was not revoked at some given date. """ cert_sha256: bytes """ SHA-256 hash of the certificate. """ at: datetime """ Moment in time at which the assertion is to be considered valid. """ @enum.unique class RevocationCheckingRule(enum.Enum): """ Rules determining in what circumstances revocation data has to be checked, and what kind. """ # yes, this is consistently misspelled in all parts of the # ETSI TS 119 172 series... CRL_REQUIRED = "clrcheck" """ Check CRLs. """ OCSP_REQUIRED = "ocspcheck" """ Check OCSP. """ CRL_AND_OCSP_REQUIRED = "bothcheck" """ Check CRL and OCSP. """ CRL_OR_OCSP_REQUIRED = "eithercheck" """ Check CRL or OCSP. """ NO_CHECK = "nocheck" """ Do not check. """ CHECK_IF_DECLARED = "ifdeclaredcheck" """ Check revocation information if declared in the certificate. .. warning:: This is not an ESI check type, but is preserved for compatibility with the 'hard-fail' mode in certvalidator. .. note:: In this mode, cached CRLs will _not_ be checked if the certificate does not list any distribution points. """ CHECK_IF_DECLARED_SOFT = "ifdeclaredsoftcheck" """ Check revocation information if declared in the certificate, but do not fail validation if the check fails. .. warning:: This is not an ESI check type, but is preserved for compatibility with the 'soft-fail' mode in certvalidator. .. note:: In this mode, cached CRLs will _not_ be checked if the certificate does not list any distribution points. """ @property def strict(self) -> bool: # note that this is not quite the same as (not self.tolerant)! return self not in ( RevocationCheckingRule.CHECK_IF_DECLARED, RevocationCheckingRule.CHECK_IF_DECLARED_SOFT, RevocationCheckingRule.NO_CHECK, ) @property def tolerant(self) -> bool: return self in ( RevocationCheckingRule.CHECK_IF_DECLARED_SOFT, RevocationCheckingRule.NO_CHECK, ) @property def crl_mandatory(self) -> bool: return self in ( RevocationCheckingRule.CRL_REQUIRED, RevocationCheckingRule.CRL_AND_OCSP_REQUIRED, ) @property def crl_relevant(self) -> bool: return self not in ( RevocationCheckingRule.NO_CHECK, RevocationCheckingRule.OCSP_REQUIRED, ) @property def ocsp_mandatory(self) -> bool: return self in ( RevocationCheckingRule.OCSP_REQUIRED, RevocationCheckingRule.CRL_AND_OCSP_REQUIRED, ) @property def ocsp_relevant(self) -> bool: return self not in ( RevocationCheckingRule.NO_CHECK, RevocationCheckingRule.CRL_REQUIRED, ) @dataclass(frozen=True) class RevocationCheckingPolicy: """ Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. """ ee_certificate_rule: RevocationCheckingRule """ Revocation rule applied to end-entity certificates. """ intermediate_ca_cert_rule: RevocationCheckingRule """ Revocation rule applied to certificates further up the path. """ @classmethod def from_legacy(cls, policy: str): try: return LEGACY_POLICY_MAP[policy] except KeyError: raise ValueError(f"'{policy}' is not a valid revocation mode") @property def essential(self) -> bool: return not ( self.ee_certificate_rule.tolerant and self.ee_certificate_rule.tolerant ) REQUIRE_REVINFO = RevocationCheckingPolicy( RevocationCheckingRule.CRL_OR_OCSP_REQUIRED, RevocationCheckingRule.CRL_OR_OCSP_REQUIRED, ) """ Policy indicating that revocation information is always required, but either OCSP or CRL-based revocation information is OK. """ NO_REVOCATION = RevocationCheckingPolicy( ee_certificate_rule=RevocationCheckingRule.NO_CHECK, intermediate_ca_cert_rule=RevocationCheckingRule.NO_CHECK, ) """ Policy indicating that revocation information is never required. """ LEGACY_POLICY_MAP = { 'none': NO_REVOCATION, 'soft-fail': RevocationCheckingPolicy( RevocationCheckingRule.CHECK_IF_DECLARED_SOFT, RevocationCheckingRule.CHECK_IF_DECLARED_SOFT, ), 'hard-fail': RevocationCheckingPolicy( RevocationCheckingRule.CHECK_IF_DECLARED, RevocationCheckingRule.CHECK_IF_DECLARED, ), 'require': REQUIRE_REVINFO, } """ Mapping of legacy ``certvalidator`` revocation modes to :class:`RevocationCheckingPolicy` objects. """ @enum.unique class FreshnessReqType(enum.Enum): """ Freshness requirement type. """ DEFAULT = enum.auto() """ The default freshness policy, i.e. the ``certvalidator`` legacy policy. This policy considers revocation info valid between its ``thisUpdate`` and ``nextUpdate`` times, but not outside of that window. """ MAX_DIFF_REVOCATION_VALIDATION = enum.auto() """ Freshness policy requiring that the validation time, if later than the issuance date of the revocation info, be sufficiently close to that issuance date. """ TIME_AFTER_SIGNATURE = enum.auto() """ Freshness policy requiring that the revocation info be issued after a predetermined "cooldown period" after the certificate was used to produce a signature. """ @dataclass(frozen=True) class CertRevTrustPolicy: """ Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. """ revocation_checking_policy: RevocationCheckingPolicy """ The revocation checking policy requirements. """ freshness: Optional[timedelta] = None """ Freshness interval. If not specified, this defaults to the distance between ``thisUpdate`` and ``nextUpdate`` for the given piece of revocation information. If the ``nextUpdate`` field is not present, then the effective default is 30 minutes. """ freshness_req_type: FreshnessReqType = FreshnessReqType.DEFAULT """ Defines the methodology used to evaluate the freshness of revocation info. """ expected_post_expiry_revinfo_time: Optional[timedelta] = None """ Duration for which the issuing CA is expected to supply status information after a certificate expires. """ retroactive_revinfo: bool = False """ Treat revocation info as retroactively valid, i.e. ignore the ``this_update`` field in CRLs and OCSP responses. This parameter is not taken into account for freshness policies other than :attr:`FreshnessReqType.DEFAULT`, and is ``False`` by default in those cases. .. warning:: Be careful with this option, since it will cause incorrect behaviour for CAs that make use of certificate holds or other reversible revocation methods. """ def intersect_policy_sets( a_pols: FrozenSet[str], b_pols: FrozenSet[str] ) -> FrozenSet[str]: """ Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. """ a_any = 'any_policy' in a_pols b_any = 'any_policy' in b_pols if a_any and b_any: return frozenset(['any_policy']) elif a_any: return b_pols elif b_any: return b_pols else: return b_pols & a_pols @dataclass(frozen=True) class PKIXValidationParams: user_initial_policy_set: frozenset = frozenset(['any_policy']) """ Set of policies that the user is willing to accept. By default, any policy is acceptable. When setting this parameter to a non-default value, you probably want to set :attr:`initial_explicit_policy` as well. .. note:: These are specified in the policy domain of the trust root(s), and subject to policy mapping by intermediate certificate authorities. """ initial_policy_mapping_inhibit: bool = False """ Flag indicating whether policy mapping is forbidden along the entire certification chains. By default, policy mapping is permitted. .. note:: Policy constraints on intermediate certificates may force policy mapping to be inhibited from some point onwards. """ initial_explicit_policy: bool = False """ Flag indicating whether path validation must terminate with at least one permissible policy; see :attr:`user_initial_policy_set`. By default, no such requirement is imposed. .. note:: If :attr:`user_initial_policy_set` is set to its default value of ``{'any_policy'}``, the effect is that the path validation must accept at least one policy, without specifying which. .. warning:: Due to widespread mis-specification of policy extensions in the wild, many real-world certification chains terminate with an empty set (or rather, tree) of valid policies. Therefore, this flag is set to ``False`` by default. """ initial_any_policy_inhibit: bool = False """ Flag indicating whether ``anyPolicy`` should be left unprocessed when it appears in a certificate. By default, ``anyPolicy`` is always processed when it appears. """ initial_permitted_subtrees: Optional[PKIXSubtrees] = None """ Set of permitted subtrees for each name type, indicating restrictions to impose on subject names (and alternative names) in the certification path. By default, all names are permitted. This behaviour can be modified by name constraints on intermediate CA certificates. """ initial_excluded_subtrees: Optional[PKIXSubtrees] = None """ Set of excluded subtrees for each name type, indicating restrictions to impose on subject names (and alternative names) in the certification path. By default, no names are excluded. This behaviour can be modified by name constraints on intermediate CA certificates. """ def merge(self, other: 'PKIXValidationParams') -> 'PKIXValidationParams': """ Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. """ if 'any_policy' in self.user_initial_policy_set: init_policy_set = other.user_initial_policy_set elif 'any_policy' in other.user_initial_policy_set: init_policy_set = self.user_initial_policy_set else: init_policy_set = ( other.user_initial_policy_set & self.user_initial_policy_set ) initial_any_policy_inhibit = ( self.initial_any_policy_inhibit and other.initial_any_policy_inhibit ) initial_explicit_policy = ( self.initial_explicit_policy and other.initial_explicit_policy ) initial_policy_mapping_inhibit = ( self.initial_policy_mapping_inhibit and other.initial_policy_mapping_inhibit ) return PKIXValidationParams( user_initial_policy_set=init_policy_set, initial_any_policy_inhibit=initial_any_policy_inhibit, initial_explicit_policy=initial_explicit_policy, initial_policy_mapping_inhibit=initial_policy_mapping_inhibit, ) @dataclass(frozen=True) class AlgorithmUsageConstraint: """ Expression of a constraint on the usage of an algorithm (possibly with parameter choices). """ allowed: bool """ Flag indicating whether the algorithm can be used. """ not_allowed_after: Optional[datetime] = None """ Date indicating when the algorithm became unavailable (given the relevant choice of parameters, if applicable). """ failure_reason: Optional[str] = None """ A human-readable description of the failure reason, if applicable. """ def __bool__(self): return self.allowed class AlgorithmUsagePolicy(abc.ABC): """ Abstract interface defining a usage policy for cryptographic algorithms. """ def digest_algorithm_allowed( self, algo: algos.DigestAlgorithm, moment: Optional[datetime] ) -> AlgorithmUsageConstraint: """ Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. """ raise NotImplementedError def signature_algorithm_allowed( self, algo: algos.SignedDigestAlgorithm, moment: Optional[datetime], public_key: Optional[keys.PublicKeyInfo], ) -> AlgorithmUsageConstraint: """ Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. """ raise NotImplementedError class DisallowWeakAlgorithmsPolicy(AlgorithmUsagePolicy): """ Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. """ def __init__( self, weak_hash_algos=DEFAULT_WEAK_HASH_ALGOS, weak_signature_algos=frozenset(), rsa_key_size_threshold=2048, # TODO is this a reasonable default? dsa_key_size_threshold=3192, ): self.weak_hash_algos = weak_hash_algos self.weak_signature_algos = weak_signature_algos self.rsa_key_size_threshold = rsa_key_size_threshold self.dsa_key_size_threshold = dsa_key_size_threshold def digest_algorithm_allowed( self, algo: algos.DigestAlgorithm, moment: Optional[datetime] ) -> AlgorithmUsageConstraint: return AlgorithmUsageConstraint( algo['algorithm'].native not in self.weak_hash_algos ) def signature_algorithm_allowed( self, algo: algos.SignedDigestAlgorithm, moment: Optional[datetime], public_key: Optional[keys.PublicKeyInfo], ) -> AlgorithmUsageConstraint: algo_name = algo.signature_algo algo_allowed = algo_name not in self.weak_signature_algos is_rsa = algo_name.startswith('rsa') is_dsa = algo_name == 'dsa' if algo_allowed and public_key is not None and (is_rsa or is_dsa): key_sz = public_key.bit_size failed_threshold = None if is_rsa and key_sz < self.rsa_key_size_threshold: failed_threshold = self.rsa_key_size_threshold elif is_dsa and key_sz < self.dsa_key_size_threshold: failed_threshold = self.dsa_key_size_threshold if failed_threshold is not None: return AlgorithmUsageConstraint( allowed=False, failure_reason=( f"Key size {key_sz} for algorithm {algo_name} is " f"considered too small; " f"policy mandates >= {failed_threshold}" ), ) try: hash_algo = algo.hash_algo except ValueError: hash_algo = None if algo_allowed and hash_algo is not None: digest_allowed = self.digest_algorithm_allowed( algos.DigestAlgorithm({'algorithm': algo.hash_algo}), moment ) if not digest_allowed: return AlgorithmUsageConstraint( allowed=False, failure_reason=( f"Digest algorithm {digest_allowed} is not allowed, " f"which disqualifies the signature mechanism " f"{algo['algorithm'].native} as well." ), not_allowed_after=digest_allowed.not_allowed_after, ) return AlgorithmUsageConstraint(allowed=algo_allowed) class AcceptAllAlgorithms(AlgorithmUsagePolicy): def digest_algorithm_allowed( self, algo: algos.DigestAlgorithm, moment: Optional[datetime] ) -> AlgorithmUsageConstraint: return AlgorithmUsageConstraint(allowed=True) def signature_algorithm_allowed( self, algo: algos.SignedDigestAlgorithm, moment: Optional[datetime], public_key: Optional[keys.PublicKeyInfo], ) -> AlgorithmUsageConstraint: return AlgorithmUsageConstraint(allowed=True) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/policy_tree.py0000644000175100017510000002533215161577363025734 0ustar00runnerrunnerfrom collections import defaultdict from typing import Iterable, Optional, Set from asn1crypto import x509 from ._state import ValProcState from .errors import PathValidationError def update_policy_tree( certificate_policies, valid_policy_tree: 'PolicyTreeRoot', depth: int, any_policy_uninhibited: bool, ) -> Optional['PolicyTreeRoot']: """ Internal method to update the policy tree during RFC 5280 validation. """ cert_any_policy = None cert_policy_identifiers = set() # Step 2 d 1 for policy in certificate_policies: policy_identifier = policy['policy_identifier'].native if policy_identifier == 'any_policy': cert_any_policy = policy continue cert_policy_identifiers.add(policy_identifier) policy_qualifiers = policy['policy_qualifiers'] policy_id_match = False parent_any_policy = None # Step 2 d 1 i for node in valid_policy_tree.at_depth(depth - 1): if node.valid_policy == 'any_policy': parent_any_policy = node if policy_identifier not in node.expected_policy_set: continue policy_id_match = True node.add_child( policy_identifier, policy_qualifiers, {policy_identifier} ) # Step 2 d 1 ii if not policy_id_match and parent_any_policy: parent_any_policy.add_child( policy_identifier, policy_qualifiers, {policy_identifier} ) # Step 2 d 2 if cert_any_policy and any_policy_uninhibited: for node in valid_policy_tree.at_depth(depth - 1): for expected_policy_identifier in node.expected_policy_set: if expected_policy_identifier not in cert_policy_identifiers: node.add_child( expected_policy_identifier, cert_any_policy['policy_qualifiers'], {expected_policy_identifier}, ) # Step 2 d 3 valid_policy_tree = _prune_policy_tree(valid_policy_tree, depth - 1) return valid_policy_tree def _prune_policy_tree(valid_policy_tree, depth): for node in valid_policy_tree.walk_up(depth): if not node.children: node.parent.remove_child(node) if not valid_policy_tree.children: valid_policy_tree = None return valid_policy_tree def enumerate_policy_mappings( mappings: Iterable[x509.PolicyMapping], proc_state: ValProcState ): """ Internal function to process policy mapping extension values into a Python dictionary mapping issuer domain policies to the corresponding policies in the subject policy domain. """ policy_map = defaultdict(set) for mapping in mappings: issuer_domain_policy = mapping['issuer_domain_policy'].native subject_domain_policy = mapping['subject_domain_policy'].native policy_map[issuer_domain_policy].add(subject_domain_policy) # Step 3 a if ( issuer_domain_policy == 'any_policy' or subject_domain_policy == 'any_policy' ): raise PathValidationError.from_state( f"The path could not be validated because " f"{proc_state.describe_cert()} contains " f"a policy mapping for the \"any policy\"", proc_state, ) return policy_map def apply_policy_mapping( policy_map, valid_policy_tree, depth: int, policy_mapping_uninhibited: bool ): """ Internal function to apply the policy mapping to the current policy tree in accordance with the algorithm in RFC 5280. """ for issuer_domain_policy, subject_domain_policies in policy_map.items(): # Step 3 b 1 if policy_mapping_uninhibited: issuer_domain_policy_match = False cert_any_policy = None for node in valid_policy_tree.at_depth(depth): if node.valid_policy == 'any_policy': cert_any_policy = node if node.valid_policy == issuer_domain_policy: issuer_domain_policy_match = True node.expected_policy_set = subject_domain_policies if not issuer_domain_policy_match and cert_any_policy: cert_any_policy.parent.add_child( issuer_domain_policy, cert_any_policy.qualifier_set, subject_domain_policies, ) # Step 3 b 2 else: for node in valid_policy_tree.at_depth(depth): if node.valid_policy == issuer_domain_policy: node.parent.remove_child(node) valid_policy_tree = _prune_policy_tree(valid_policy_tree, depth - 1) return valid_policy_tree def prune_unacceptable_policies( path_length, valid_policy_tree, acceptable_policies ) -> Optional['PolicyTreeRoot']: # Step 4 g iii 1: compute nodes that branch off any_policy # In other words, find all policies that are valid and meaningful in # the trust root(s) namespace. We don't care about what policy mapping # transformed them into; that's taken care of by the validation # algorithm. # Note: set() consumes the iterator to avoid operating on the tree # while iterating over it. Performance is probably not a concern # anyhow. valid_policy_node_set = set(valid_policy_tree.nodes_in_current_domain()) # Step 4 g iii 2: eliminate unacceptable policies def _filter_acceptable(): for policy_node in valid_policy_node_set: policy_id = policy_node.valid_policy if policy_id == 'any_policy' or policy_id in acceptable_policies: yield policy_id else: policy_node.parent.remove_child(policy_node) # list of policies that were explicitly valid valid_and_acceptable = set(_filter_acceptable()) # Step 4 g iii 3: if the final layer contains an anyPolicy node # (there can be at most one), expand it out into acceptable policies # that are not explicitly qualified already try: final_any_policy: PolicyTreeNode = next( policy_node for policy_node in valid_policy_tree.at_depth(path_length) if policy_node.valid_policy == 'any_policy' ) wildcard_parent = final_any_policy.parent assert wildcard_parent is not None wildcard_quals = final_any_policy.qualifier_set for acceptable_policy in acceptable_policies - valid_and_acceptable: wildcard_parent.add_child( acceptable_policy, wildcard_quals, {acceptable_policy} ) # prune the anyPolicy node wildcard_parent.remove_child(final_any_policy) except StopIteration: pass # Step 4 g iii 4: prune the policy tree return _prune_policy_tree(valid_policy_tree, path_length - 1) class PolicyTreeRoot: """ A generic policy tree node, used for the root node in the tree """ @classmethod def init_policy_tree(cls, valid_policy, qualifier_set, expected_policy_set): """ Accepts values for a PolicyTreeNode that will be created at depth 0 :param valid_policy: A unicode string of a policy name or OID :param qualifier_set: An instance of asn1crypto.x509.PolicyQualifierInfos :param expected_policy_set: A set of unicode strings containing policy names or OIDs """ root = PolicyTreeRoot() root.add_child(valid_policy, qualifier_set, expected_policy_set) return root def __init__(self): self.parent = None self.children = [] def add_child(self, valid_policy, qualifier_set, expected_policy_set): """ Creates a new PolicyTreeNode as a child of this node :param valid_policy: A unicode string of a policy name or OID :param qualifier_set: An instance of asn1crypto.x509.PolicyQualifierInfos :param expected_policy_set: A set of unicode strings containing policy names or OIDs """ child = PolicyTreeNode(valid_policy, qualifier_set, expected_policy_set) child.parent = self self.children.append(child) def remove_child(self, child): """ Removes a child from this node :param child: An instance of PolicyTreeNode """ self.children.remove(child) def at_depth(self, depth) -> Iterable['PolicyTreeNode']: """ Returns a generator yielding all nodes in the tree at a specific depth :param depth: An integer >= 0 of the depth of nodes to yield :return: A generator yielding PolicyTreeNode objects """ for child in list(self.children): if depth == 0: yield child else: for grandchild in child.at_depth(depth - 1): yield grandchild def walk_up(self, depth): """ Returns a generator yielding all nodes in the tree at a specific depth, or above. Yields nodes starting with leaves and traversing up to the root. :param depth: An integer >= 0 of the depth of nodes to walk up from :return: A generator yielding PolicyTreeNode objects """ for child in list(self.children): if depth != 0: for grandchild in child.walk_up(depth - 1): yield grandchild yield child def nodes_in_current_domain(self) -> Iterable['PolicyTreeNode']: """ Returns a generator yielding all nodes in the tree that are children of an ``any_policy`` node. """ for child in self.children: yield child if child.valid_policy == 'any_policy': yield from child.nodes_in_current_domain() class PolicyTreeNode(PolicyTreeRoot): """ A policy tree node that is used for all nodes but the root """ def __init__( self, valid_policy: str, qualifier_set: x509.PolicyQualifierInfos, expected_policy_set: Set[str], ): """ :param valid_policy: A unicode string of a policy name or OID :param qualifier_set: An instance of asn1crypto.x509.PolicyQualifierInfos :param expected_policy_set: A set of unicode strings containing policy names or OIDs """ super().__init__() self.valid_policy = valid_policy self.qualifier_set = qualifier_set self.expected_policy_set = expected_policy_set def path_to_root(self): node = self while node is not None: yield node node = node.parent ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/py.typed0000644000175100017510000000000015161577363024524 0ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/registry.py0000644000175100017510000005775415161577363025303 0ustar00runnerrunner# coding: utf-8 import abc import asyncio from collections import defaultdict from typing import AsyncGenerator, Iterable, Iterator, List, Optional, Union from asn1crypto import x509 from oscrypto import trust_list from .authority import ( Authority, AuthorityWithCert, CertTrustAnchor, TrustAnchor, TrustedServiceType, ) from .errors import PathBuildingError from .fetchers import CertificateFetcher from .path import ValidationPath from .util import CancelableAsyncIterator, ConsList def _first_or_none(iterable): try: return next(iter(iterable)) except StopIteration: return None class CertificateCollection(abc.ABC): """ Abstract base class for read-only access to a collection of certificates. """ def retrieve_by_key_identifier(self, key_identifier: bytes): """ Retrieves a cert via its key identifier :param key_identifier: A byte string of the key identifier :return: None or an asn1crypto.x509.Certificate object """ return _first_or_none( self.retrieve_many_by_key_identifier(key_identifier) ) def retrieve_many_by_key_identifier(self, key_identifier: bytes): """ Retrieves possibly multiple certs via the corresponding key identifiers :param key_identifier: A byte string of the key identifier :return: A list of asn1crypto.x509.Certificate objects """ raise NotImplementedError def retrieve_by_key_hash(self, key_hash: bytes): """ Retrieves a cert via the SHA-1 hash of its public key (the standard way to compute the SubjectKeyIdentifier extension) :param key_hash: A byte string of the key identifier :return: None or an asn1crypto.x509.Certificate object """ return _first_or_none(self.retrieve_many_by_key_hash(key_hash)) def retrieve_many_by_key_hash(self, key_hash: bytes): """ Retrieves possibly multiple certs via the corresponding key identifiers :param key_hash: A byte string of the key identifier :return: A list of asn1crypto.x509.Certificate objects """ raise NotImplementedError def retrieve_by_name(self, name: x509.Name): """ Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :return: A list of asn1crypto.x509.Certificate objects """ raise NotImplementedError def retrieve_by_issuer_serial(self, issuer_serial): """ Retrieve a certificate by its ``issuer_serial`` value. :param issuer_serial: The ``issuer_serial`` value of the certificate. :return: The certificate corresponding to the ``issuer_serial`` key passed in. :return: None or an asn1crypto.x509.Certificate object """ raise NotImplementedError class CertificateStore(CertificateCollection, abc.ABC): def register(self, cert: x509.Certificate) -> bool: """ Register a single certificate. :param cert: Certificate to add. :return: ``True`` if the certificate was added, ``False`` if it already existed in this store. """ raise NotImplementedError def register_multiple(self, certs: Iterable[x509.Certificate]): """ Register multiple certificates. :param certs: Certificates to register. :return: ``True`` if at least one certificate was added, ``False`` if all certificates already existed in this store. """ added = False for cert in certs: added |= self.register(cert) return added def __iter__(self): raise NotImplementedError class SimpleCertificateStore(CertificateStore): """ Simple trustless certificate store. """ @classmethod def from_certs(cls, certs): result = cls() for cert in certs: result.register(cert) return result def __init__(self): self.certs = {} self._subject_map = defaultdict(list) self._key_identifier_map = defaultdict(list) self._key_hash_map = defaultdict(list) def register(self, cert: x509.Certificate) -> bool: """ Register a single certificate. :param cert: Certificate to add. :return: ``True`` if the certificate was added, ``False`` if it already existed in this store. """ if cert.issuer_serial in self.certs: return False self.certs[cert.issuer_serial] = cert key_hash = cert.public_key.sha1 self._subject_map[cert.subject.hashable].append(cert) self._key_hash_map[key_hash].append(cert) if cert.key_identifier: self._key_identifier_map[cert.key_identifier].append(cert) else: self._key_identifier_map[key_hash].append(cert) return True def __getitem__(self, item): return self.certs[item] def __iter__(self): return iter(self.certs.values()) def retrieve_many_by_key_identifier(self, key_identifier: bytes): return self._key_identifier_map[key_identifier] def retrieve_many_by_key_hash(self, key_hash: bytes): return self._key_hash_map[key_hash] def retrieve_by_name(self, name: x509.Name): return self._subject_map[name.hashable] def retrieve_by_issuer_serial(self, issuer_serial): try: return self[issuer_serial] except KeyError: return None TrustRootList = Iterable[Union[x509.Certificate, TrustAnchor]] class TrustManager: """ Abstract trust manager API. """ def is_root(self, cert: x509.Certificate) -> bool: """ Checks if a certificate is in the list of trust roots in this registry :param cert: An asn1crypto.x509.Certificate object :return: A boolean - if the certificate is in the CA list """ return self.as_trust_anchor(AuthorityWithCert(cert)) is not None def as_trust_anchor(self, authority: Authority) -> Optional[TrustAnchor]: """ If the authority is a trust anchor, return its identity as such (with qualifications as applicable). If the authority is not a trust anchor, return None. :param authority: An authority object. """ raise NotImplementedError def find_potential_issuers( self, cert: x509.Certificate ) -> Iterator[TrustAnchor]: """ Find potential issuers that might have (directly) issued a particular certificate. :param cert: Issued certificate. :return: An iterator with potentially relevant trust anchors. """ raise NotImplementedError class SimpleTrustManager(TrustManager): """ Trust manager backed by a list of trust roots, possibly in addition to the system trust list. """ def __init__(self): self._roots = set() self._root_subject_map = defaultdict(list) @classmethod def build( cls, trust_roots: Optional[TrustRootList] = None, extra_trust_roots: Optional[TrustRootList] = None, ) -> 'SimpleTrustManager': """ :param trust_roots: If the operating system's trust list should not be used, instead pass a list of asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of asn1crypto.x509.Certificate objects. :return: """ if trust_roots is None: trust_roots = [e[0] for e in trust_list.get_list()] else: trust_roots = list(trust_roots) if extra_trust_roots is not None: trust_roots.extend(extra_trust_roots) manager = SimpleTrustManager() for trust_root in trust_roots: manager._register_root(trust_root) return manager def _register_root(self, trust_root: Union[TrustAnchor, x509.Certificate]): if isinstance(trust_root, TrustAnchor): anchor = trust_root else: anchor = CertTrustAnchor(trust_root) if anchor not in self._roots: authority = anchor.authority self._roots.add(anchor) self._root_subject_map[authority.name.hashable].append(anchor) def is_root(self, cert: x509.Certificate): """ Checks if a certificate is in the list of trust roots in this registry :param cert: An asn1crypto.x509.Certificate object :return: A boolean - if the certificate is in the CA list """ return CertTrustAnchor(cert) in self._roots def as_trust_anchor(self, authority: Authority): # Take into account 'moment'? try: possible_matches = self._root_subject_map[authority.name.hashable] return next( anchor for anchor in possible_matches if anchor.authority == authority ) except (KeyError, StopIteration): return None def iter_certs(self) -> Iterator[x509.Certificate]: return ( root.authority.certificate for root in self._roots if isinstance(root.authority, AuthorityWithCert) ) def find_potential_issuers( self, cert: x509.Certificate ) -> Iterator[TrustAnchor]: issuer_hashable = cert.issuer.hashable root: TrustAnchor for root in self._root_subject_map[issuer_hashable]: svc_type = root.trust_qualifiers.trusted_service_type if svc_type not in ( TrustedServiceType.UNSPECIFIED, TrustedServiceType.CERTIFICATE_AUTHORITY, ): continue if root.authority.is_potential_issuer_of(cert): yield root class CertificateRegistry(SimpleCertificateStore): """ Contains certificate lists used to build validation paths, and is also capable of fetching missing certificates if a certificate fetcher is supplied. """ def __init__(self, *, cert_fetcher: Optional[CertificateFetcher] = None): super().__init__() self.fetcher = cert_fetcher @classmethod def build( cls, certs: Iterable[x509.Certificate] = (), *, cert_fetcher: Optional[CertificateFetcher] = None, ): """ Convenience method to set up a certificate registry and import certs into it. :param certs: Initial list of certificates to import. :param cert_fetcher: Certificate fetcher to handle retrieval of missing certificates (in situations where that is possible). :return: A populated certificate registry. """ result: CertificateRegistry = cls(cert_fetcher=cert_fetcher) for cert in certs: result.register(cert) result.fetcher = cert_fetcher return result def retrieve_by_name( self, name: x509.Name, first_certificate: Optional[x509.Certificate] = None, ): """ Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :param first_certificate: An asn1crypto.x509.Certificate object that if found, should be placed first in the result list :return: A list of asn1crypto.x509.Certificate objects """ output = [] first = None for cert in super().retrieve_by_name(name): if first_certificate and first_certificate.sha256 == cert.sha256: first = cert else: output.append(cert) if first: output.insert(0, first) return output def find_potential_issuers( self, cert: x509.Certificate, trust_manager: TrustManager ) -> Iterator[Union[TrustAnchor, x509.Certificate]]: issuer_hashable = cert.issuer.hashable # Info from the authority key identifier extension can be used to # eliminate possible options when multiple keys with the same # subject exist, such as during a transition, or with cross-signing. # go through matching trust roots first yield from trust_manager.find_potential_issuers(cert) for issuer in self._subject_map[issuer_hashable]: if trust_manager.is_root(issuer): continue # skip, we've had these in the previous step if cert.authority_key_identifier and issuer.key_identifier: if cert.authority_key_identifier != issuer.key_identifier: continue if cert.authority_issuer_serial: if cert.authority_issuer_serial != issuer.issuer_serial: continue yield issuer async def fetch_missing_potential_issuers(self, cert: x509.Certificate): if self.fetcher is None: return issuers = [ issuer async for issuer in self.fetcher.fetch_cert_issuers(cert) ] self.register_multiple(issuers) for issuer in issuers: yield issuer class PathBuilder: """ Class to handle path building. """ def __init__( self, trust_manager: TrustManager, registry: CertificateRegistry ): self.trust_manager = trust_manager self.registry = registry def build_paths(self, end_entity_cert): """ Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate .. note:: This is a synchronous equivalent of :meth:`async_build_paths` that calls the latter in a new event loop. As such, it can't be used from within asynchronous code. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. """ return asyncio.run(self.async_build_paths(end_entity_cert)) async def async_build_paths(self, end_entity_cert: x509.Certificate): """ Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, returning all paths in a single list. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. """ paths: List[ValidationPath] = [] async for result in self.async_build_paths_lazy(end_entity_cert): paths.append(result) return paths def async_build_paths_lazy( self, end_entity_cert: x509.Certificate ) -> CancelableAsyncIterator[ValidationPath]: """ Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, and emit them as an asynchronous generator. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: An asynchronous iterator that yields pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs, and raises PathBuildingError if no paths could be built """ walker = _PathWalker( self, path=ConsList.sing(end_entity_cert), certs_seen=ConsList.sing(end_entity_cert.issuer_serial), failed_paths=[], ) return LazyPathIterator(walker, end_entity_cert) class _IssuerFetcher: def __init__( self, path_builder: 'PathBuilder', cert: x509.Certificate, certs_seen: ConsList[bytes], ): self.cert = cert self.path_builder = path_builder self.certs_seen = certs_seen local_issuers = self.path_builder.registry.find_potential_issuers( cert, self.path_builder.trust_manager ) self.local_iss_iter = iter(local_issuers) self.local_issuers_found = 0 self.fetched_issuers_found = 0 self._fetched_cas: Optional[AsyncGenerator[x509.Certificate, None]] = ( None ) self._fetching_done = False @property def issuers_found(self): return self.local_issuers_found + self.fetched_issuers_found def __aiter__(self): return self def __iter__(self): return self def __next__(self) -> Union[TrustAnchor, x509.Certificate]: for issuer in self.local_iss_iter: if isinstance(issuer, x509.Certificate): cert_id = issuer.issuer_serial if cert_id in self.certs_seen: # no duplicates continue self.local_issuers_found += 1 return issuer raise StopIteration async def __anext__(self) -> Union[TrustAnchor, x509.Certificate]: try: return next(self) except StopIteration: pass if ( self._fetched_cas is None and not self.local_issuers_found and not self._fetching_done ): # attempt to download certs only if we didn't find anything locally self._fetched_cas = ( self.path_builder.registry.fetch_missing_potential_issuers( self.cert ) ) if self._fetched_cas is not None: async for issuer in self._fetched_cas: cert_id = issuer.issuer_serial if cert_id in self.certs_seen: continue self.fetched_issuers_found += 1 return issuer self._fetching_done = True raise StopAsyncIteration async def cancel(self): if self._fetched_cas is not None: await self._fetched_cas.aclose() self._fetched_cas = None self._fetching_done = True class _PathWalker: def __init__( self, path_builder: 'PathBuilder', path: ConsList[x509.Certificate], certs_seen: ConsList[bytes], failed_paths: List[ConsList[x509.Certificate]], ): self.path = path self.path_builder = path_builder self.certs_seen = certs_seen cert = path.head assert isinstance(cert, x509.Certificate) self._issuer_fetcher = _IssuerFetcher(path_builder, cert, certs_seen) self.failed_paths = failed_paths self._next_level: Optional[_PathWalker] = None async def cancel(self): if self._issuer_fetcher is not None: await self._issuer_fetcher.cancel() self._issuer_fetcher = None if self._next_level is not None: await self._next_level.cancel() self._next_level = None def __aiter__(self): return self async def __anext__(self): if self._issuer_fetcher is None: raise StopAsyncIteration # pragma: nocover next_path = None while next_path is None: if self._next_level is None: # Fetch the next candidate issuer in the list try: next_issuer = await self._issuer_fetcher.__anext__() except StopAsyncIteration as e: if not self._issuer_fetcher.issuers_found: self.failed_paths.append(self.path) self._issuer_fetcher = None raise e if isinstance(next_issuer, TrustAnchor): # We've reached a trust root -> emit path and stop certs = list(self.path) return ValidationPath(next_issuer, certs[:-1], certs[-1]) else: # if it's not a trust root, we need a new child _PathWalker self._next_level = _PathWalker( self.path_builder, self.path.cons(next_issuer), self.certs_seen.cons(next_issuer.issuer_serial), self.failed_paths, ) # check if next_level has any paths left, if not we clear it # and loop around to look at the next issuer try: next_path = await self._next_level.__anext__() except StopAsyncIteration: self._next_level = None return next_path class LazyPathIterator(CancelableAsyncIterator[ValidationPath]): _as_root: Optional[ValidationPath] = None def __init__(self, walker: _PathWalker, cert: x509.Certificate): # special case for root certs maybe_trust_anchor = walker.path_builder.trust_manager.as_trust_anchor( AuthorityWithCert(cert) ) if maybe_trust_anchor: self._as_root = ValidationPath(maybe_trust_anchor, [], None) self._walker: Optional[_PathWalker] = walker self.emitted_count = 0 self._name = cert.subject.human_friendly async def cancel(self): if self._walker is not None: await self._walker.cancel() def __aiter__(self): return self async def __anext__(self) -> ValidationPath: if self._walker is None: raise StopAsyncIteration elif self._as_root is not None: self.emitted_count += 1 self._walker = None return self._as_root try: next_path = await self._walker.__anext__() self.emitted_count += 1 return next_path except StopAsyncIteration: pass if self.emitted_count == 0: path_head = self._walker.failed_paths[0].head assert isinstance(path_head, x509.Certificate) missing_issuer_name = path_head.issuer.human_friendly self._walker = None raise PathBuildingError( f"Unable to build a validation path for the certificate " f"\"{self._name}\" - no issuer matching " f"\"{missing_issuer_name}\" was found" ) raise StopAsyncIteration class LayeredCertificateStore(CertificateCollection): """ Trustless certificate store that looks up certificates in other stores in a specific order. """ def __init__(self, stores: List[CertificateCollection]): self._stores = stores def _forall(self, method_name, search_term): for store in self._stores: yield from getattr(store, method_name)(search_term) def retrieve_many_by_key_identifier(self, key_identifier: bytes): return list( self._forall("retrieve_many_by_key_identifier", key_identifier) ) def retrieve_many_by_key_hash(self, key_hash: bytes): return list(self._forall("retrieve_many_by_key_hash", key_hash)) def retrieve_by_name(self, name: x509.Name): return list(self._forall("retrieve_by_name", name)) def retrieve_by_issuer_serial(self, issuer_serial): candidates = ( store.retrieve_by_issuer_serial(issuer_serial) for store in self._stores ) return _first_or_none(c for c in candidates if c is not None) ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.125346 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/0000755000175100017510000000000015161577372024507 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/__init__.py0000644000175100017510000000000015161577363026606 0ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/_err_gather.py0000644000175100017510000000131615161577363027343 0ustar00runnerrunnerfrom dataclasses import dataclass, field from datetime import datetime from typing import Any, Optional @dataclass class Errors: failures: list = field(default_factory=list) freshness_failures_only: bool = True stale_last_usable_at: Optional[datetime] = None def append(self, msg: str, revinfo: Any, is_freshness_failure=False): self.failures.append((msg, revinfo)) self.freshness_failures_only &= is_freshness_failure def update_stale(self, dt: Optional[datetime]): if dt is not None: self.stale_last_usable_at = ( dt if self.stale_last_usable_at is None else max(self.stale_last_usable_at, dt) ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/archival.py0000644000175100017510000003424015161577363026655 0ustar00runnerrunnerimport abc import enum from dataclasses import dataclass from datetime import datetime from typing import Iterable, List, Optional, TypeVar, Union from asn1crypto import algos, crl, ocsp from pyhanko_certvalidator.ltv.types import ( IssuedItemContainer, ValidationTimingParams, ) from pyhanko_certvalidator.policy_decl import ( FRESHNESS_FALLBACK_VALIDITY_DEFAULT, CertRevTrustPolicy, FreshnessReqType, ) __all__ = [ 'CRLContainer', 'OCSPContainer', 'RevinfoContainer', 'RevinfoUsability', 'RevinfoUsabilityRating', 'process_legacy_crl_input', 'process_legacy_ocsp_input', 'sort_freshest_first', ] class RevinfoUsabilityRating(enum.Enum): """ Description of whether a piece of revocation information is considered usable in the circumstances provided. """ OK = enum.auto() """ The revocation information is usable. """ STALE = enum.auto() """ The revocation information is stale/too old. """ TOO_NEW = enum.auto() """ The revocation information is too recent. .. note:: This is never an issue in the AdES validation model. """ UNCLEAR = enum.auto() """ The usability of the revocation information could not be assessed unambiguously. """ @property def usable_ades(self) -> bool: """ Boolean indicating whether the assigned rating corresponds to a "fresh" judgment in AdES. """ return self in ( RevinfoUsabilityRating.OK, RevinfoUsabilityRating.TOO_NEW, ) @dataclass(frozen=True) class RevinfoUsability: """ Usability rating and cutoff date for a particular piece of revocation information. """ rating: RevinfoUsabilityRating """ The rating assigned. """ last_usable_at: Optional[datetime] = None """ The last date at which the revocation information could have been considered usable, if applicable. """ compared_to: Optional[datetime] = None """ Time to which the ``last_usable_at`` time was compared. """ class RevinfoContainer(IssuedItemContainer, abc.ABC): """ A container for a piece of revocation information. """ def usable_at( self, policy: CertRevTrustPolicy, timing_params: ValidationTimingParams ) -> RevinfoUsability: """ Assess the usability of the revocation information given a revocation information trust policy and timing parameters. :param policy: The revocation information trust policy. :param timing_params: Timing-related information. :return: A :class:`.RevinfoUsability` judgment. """ raise NotImplementedError @property def revinfo_sig_mechanism_used( self, ) -> Optional[algos.SignedDigestAlgorithm]: """ Extract the signature mechanism used to guarantee the authenticity of the revocation information, if applicable. """ raise NotImplementedError RevInfoType = TypeVar('RevInfoType', bound=RevinfoContainer) def sort_freshest_first(lst: Iterable[RevInfoType]) -> List[RevInfoType]: """ Sort a list of revocation information containers in freshest-first order. Revocation information that does not have a well-defined issuance date will be grouped at the end. :param lst: A list of :class:`.RevinfoContainer` objects of the same type. :return: The same list sorted from fresh to stale. """ def _key(container: RevinfoContainer): dt = container.issuance_date # if dt is None ---> (0, None) # else ---> (1, dt) # This ensures that None is never compared to anything (which would # cause a TypeError), and that (0, None) gets sorted before everything # else. Since we sort reversed, the "unknown issuance date" ones # are dumped at the end of the list. return dt is not None, dt return sorted(lst, key=_key, reverse=True) def _freshness_delta(policy, this_update, next_update, time_tolerance): freshness_delta = policy.freshness if freshness_delta is None: if next_update is not None and next_update >= this_update: freshness_delta = next_update - this_update if freshness_delta is not None: freshness_delta = abs(freshness_delta) + time_tolerance return freshness_delta def _judge_revinfo( this_update: Optional[datetime], next_update: Optional[datetime], policy: CertRevTrustPolicy, timing_params: ValidationTimingParams, ) -> RevinfoUsability: if this_update is None: return RevinfoUsability(RevinfoUsabilityRating.UNCLEAR) validation_time = timing_params.validation_time time_tolerance = timing_params.time_tolerance # Revinfo issued after the validation time may need to be considered # in AdES point-in-time validation. # In the legacy "default" policy, this is controlled by the retroactive # revinfo switch. # see 5.2.5.4 in ETSI EN 319 102-1 if policy.freshness_req_type == FreshnessReqType.TIME_AFTER_SIGNATURE: # check whether the revinfo was generated sufficiently long _after_ # the (presumptive) signature time freshness_delta = _freshness_delta( policy, this_update, next_update, time_tolerance ) if freshness_delta is None: return RevinfoUsability(RevinfoUsabilityRating.UNCLEAR) signature_poe_time = timing_params.best_signature_time if this_update < freshness_delta + signature_poe_time - time_tolerance: return RevinfoUsability( RevinfoUsabilityRating.STALE, compared_to=signature_poe_time, last_usable_at=this_update - freshness_delta + time_tolerance, ) elif ( policy.freshness_req_type == FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION ): # check whether the difference between thisUpdate # and the validation time is small enough # add time_tolerance to allow for additional time drift freshness_delta = _freshness_delta( policy, this_update, next_update, time_tolerance ) if freshness_delta is None: return RevinfoUsability(RevinfoUsabilityRating.UNCLEAR) # See ETSI EN 319 102-1, § 5.2.5.4, item 2) # in particular, "too recent" doesn't seem to apply; # the result is pass/fail cutoff = this_update + freshness_delta + time_tolerance if validation_time > cutoff: return RevinfoUsability( RevinfoUsabilityRating.STALE, compared_to=validation_time, last_usable_at=cutoff, ) elif policy.freshness_req_type == FreshnessReqType.DEFAULT: # check whether the validation time falls within the # thisUpdate-nextUpdate window (non-AdES!!) if next_update is None: # OCSP semantics of nextUpdate = VOID is "please request # another update whenever you like". # In our default/legacy validation model this is difficult to # interpret. # for historical point-in-time validation, this is disqualifying next_update = this_update + FRESHNESS_FALLBACK_VALIDITY_DEFAULT retroactive = policy.retroactive_revinfo if not retroactive and validation_time < this_update - time_tolerance: return RevinfoUsability(RevinfoUsabilityRating.TOO_NEW) if validation_time > next_update + time_tolerance: return RevinfoUsability( RevinfoUsabilityRating.STALE, compared_to=validation_time, last_usable_at=next_update + time_tolerance, ) else: # pragma: nocover raise NotImplementedError return RevinfoUsability(RevinfoUsabilityRating.OK) def _extract_basic_ocsp_response( ocsp_response, ) -> Optional[ocsp.BasicOCSPResponse]: # Make sure that we get a valid response back from the OCSP responder status = ocsp_response['response_status'].native if status != 'successful': return None response_bytes = ocsp_response['response_bytes'] if response_bytes['response_type'].native != 'basic_ocsp_response': return None return response_bytes['response'].parsed @dataclass(frozen=True) class OCSPContainer(RevinfoContainer): """ Container for an OCSP response. """ ocsp_response_data: ocsp.OCSPResponse """ The OCSP response value. """ index: int = 0 """ The index of the ``SingleResponse`` payload in the original OCSP response object retrieved from the server, if applicable. """ @classmethod def load_multi( cls, ocsp_response: ocsp.OCSPResponse ) -> List['OCSPContainer']: """ Turn an OCSP response object into one or more :class:`.OCSPContainer` objects. If a :class:`.OCSPContainer` contains more than one ``SingleResponse``, then the same OCSP response will be duplicated into multiple containers, each with a different ``index`` value. :param ocsp_response: An OCSP response. :return: A list of :class:`.OCSPContainer` objects, one for each ``SingleResponse`` value. """ basic_ocsp_response = _extract_basic_ocsp_response(ocsp_response) if basic_ocsp_response is None: return [] tbs_response = basic_ocsp_response['tbs_response_data'] return [ OCSPContainer(ocsp_response_data=ocsp_response, index=ix) for ix in range(len(tbs_response['responses'])) ] @property def issuance_date(self) -> Optional[datetime]: cert_response = self.extract_single_response() if cert_response is None: return None return cert_response['this_update'].native def usable_at( self, policy: CertRevTrustPolicy, timing_params: ValidationTimingParams ) -> RevinfoUsability: cert_response = self.extract_single_response() if cert_response is None: return RevinfoUsability(RevinfoUsabilityRating.UNCLEAR) this_update = cert_response['this_update'].native next_update = cert_response['next_update'].native return _judge_revinfo( this_update, next_update, policy=policy, timing_params=timing_params, ) def extract_basic_ocsp_response(self) -> Optional[ocsp.BasicOCSPResponse]: """ Extract the ``BasicOCSPResponse``, assuming there is one (i.e. the OCSP response is a standard, non-error response). """ return _extract_basic_ocsp_response(self.ocsp_response_data) def extract_single_response(self) -> Optional[ocsp.SingleResponse]: """ Extract the unique ``SingleResponse`` value identified by the index. """ basic_ocsp_response = self.extract_basic_ocsp_response() if basic_ocsp_response is None: return None tbs_response = basic_ocsp_response['tbs_response_data'] if len(tbs_response['responses']) <= self.index: return None return tbs_response['responses'][self.index] @property def revinfo_sig_mechanism_used( self, ) -> Optional[algos.SignedDigestAlgorithm]: basic_resp = self.extract_basic_ocsp_response() return None if basic_resp is None else basic_resp['signature_algorithm'] @dataclass(frozen=True) class CRLContainer(RevinfoContainer): """ Container for a certificate revocation list (CRL). """ crl_data: crl.CertificateList """ The CRL data. """ def usable_at( self, policy: CertRevTrustPolicy, timing_params: ValidationTimingParams ) -> RevinfoUsability: tbs_cert_list = self.crl_data['tbs_cert_list'] this_update = tbs_cert_list['this_update'].native next_update = tbs_cert_list['next_update'].native return _judge_revinfo( this_update, next_update, policy=policy, timing_params=timing_params ) @property def issuance_date(self) -> Optional[datetime]: tbs_cert_list = self.crl_data['tbs_cert_list'] return tbs_cert_list['this_update'].native @property def revinfo_sig_mechanism_used(self) -> algos.SignedDigestAlgorithm: return self.crl_data['signature_algorithm'] LegacyCompatCRL = Union[bytes, crl.CertificateList, CRLContainer] LegacyCompatOCSP = Union[bytes, ocsp.OCSPResponse, OCSPContainer] def process_legacy_crl_input( crls: Iterable[LegacyCompatCRL], ) -> List[CRLContainer]: """ Internal function to process legacy CRL data into one or more :class:`.CRLContainer`. :param crls: Legacy CRL input data. :return: A list of :class:`.CRLContainer` objects. """ new_crls = [] for crl_ in crls: if isinstance(crl_, bytes): crl_ = crl.CertificateList.load(crl_) if isinstance(crl_, crl.CertificateList): crl_ = CRLContainer(crl_) if isinstance(crl_, CRLContainer): new_crls.append(crl_) else: raise TypeError( f"crls must be a list of byte strings or " f"asn1crypto.crl.CertificateList objects, " f"not {type(crl_).__name__}" ) return new_crls def process_legacy_ocsp_input( ocsps: Iterable[LegacyCompatOCSP], ) -> List[OCSPContainer]: """ Internal function to process legacy OCSP data into one or more :class:`.OCSPContainer`. :param ocsps: Legacy OCSP input data. :return: A list of :class:`.OCSPContainer` objects. """ new_ocsps = [] for ocsp_ in ocsps: if isinstance(ocsp_, bytes): ocsp_ = ocsp.OCSPResponse.load(ocsp_) if isinstance(ocsp_, ocsp.OCSPResponse): extr = OCSPContainer.load_multi(ocsp_) new_ocsps.extend(extr) elif isinstance(ocsp_, OCSPContainer): new_ocsps.append(ocsp_) else: raise TypeError( f"ocsps must be a list of byte strings or " f"asn1crypto.ocsp.OCSPResponse objects, " f"not {type(ocsp_).__name__}" ) return new_ocsps ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/constants.py0000644000175100017510000000106715161577363027101 0ustar00runnerrunnerKNOWN_CRL_EXTENSIONS = { 'issuer_alt_name', 'crl_number', 'delta_crl_indicator', 'issuing_distribution_point', 'authority_key_identifier', 'freshest_crl', 'authority_information_access', } VALID_REVOCATION_REASONS = { 'key_compromise', 'ca_compromise', 'affiliation_changed', 'superseded', 'cessation_of_operation', 'certificate_hold', 'privilege_withdrawn', 'aa_compromise', } KNOWN_CRL_ENTRY_EXTENSIONS = { 'crl_reason', 'hold_instruction_code', 'invalidity_date', 'certificate_issuer', } ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/manager.py0000644000175100017510000002403515161577363026477 0ustar00runnerrunnerfrom datetime import datetime from typing import ( Dict, Iterable, List, Optional, Set, ) from asn1crypto import crl, ocsp, x509 from pyhanko_certvalidator.authority import Authority from pyhanko_certvalidator.errors import CRLFetchError, OCSPFetchError from pyhanko_certvalidator.fetchers import Fetchers from pyhanko_certvalidator.ltv.poe import ( KnownPOE, POEManager, POEType, ValidationObject, ValidationObjectType, digest_for_poe, ) from pyhanko_certvalidator.policy_decl import NonRevokedStatusAssertion from pyhanko_certvalidator.registry import CertificateRegistry from pyhanko_certvalidator.revinfo.archival import ( CRLContainer, OCSPContainer, sort_freshest_first, ) class RevinfoManager: """ .. versionadded:: 0.20.0 Class to manage and potentially fetch revocation information. :param certificate_registry: The associated certificate registry. :param poe_manager: The proof-of-existence (POE) data manager. :param crls: CRL data. :param ocsps: OCSP response data. :param fetchers: Fetchers for collecting revocation information. If ``None``, no fetching will be performed. """ def __init__( self, certificate_registry: CertificateRegistry, poe_manager: POEManager, crls: Iterable[CRLContainer], ocsps: Iterable[OCSPContainer], assertions: Iterable[NonRevokedStatusAssertion] = (), fetchers: Optional[Fetchers] = None, ): self._certificate_registry = certificate_registry self._poe_manager = poe_manager self._revocation_certs: Dict[bytes, x509.Certificate] = {} self._crl_issuer_map: Dict[bytes, x509.Certificate] = {} self._crls: List[CRLContainer] = [] if crls: self._crls = sort_freshest_first(crls) self._ocsps: List[OCSPContainer] = [] if ocsps: self._ocsps = ocsps = sort_freshest_first(ocsps) for ocsp_response in ocsps: self._extract_ocsp_certs(ocsp_response) self._fetchers = fetchers self._assertions: Dict[bytes, NonRevokedStatusAssertion] = { assertion.cert_sha256: assertion for assertion in assertions } @property def poe_manager(self) -> POEManager: """ The proof-of-existence (POE) data manager. """ return self._poe_manager @property def certificate_registry(self) -> CertificateRegistry: """ The associated certificate registry. """ return self._certificate_registry @property def fetching_allowed(self) -> bool: """ Boolean indicating whether fetching is allowed. """ return self._fetchers is not None @property def crls(self) -> List[crl.CertificateList]: """ A list of all cached :class:`crl.CertificateList` objects """ raw_crls = [cont.crl_data for cont in self._crls] if not self._fetchers: return raw_crls return list(self._fetchers.crl_fetcher.fetched_crls()) + raw_crls @property def ocsps(self) -> List[ocsp.OCSPResponse]: """ A list of all cached :class:`ocsp.OCSPResponse` objects """ raw_ocsps = [cont.ocsp_response_data for cont in self._ocsps] if not self._fetchers: return raw_ocsps return list(self._fetchers.ocsp_fetcher.fetched_responses()) + raw_ocsps @property def new_revocation_certs(self) -> List[x509.Certificate]: """ A list of newly-fetched :class:`x509.Certificate` objects that were obtained from OCSP responses and CRLs """ return list(self._revocation_certs.values()) def _extract_ocsp_certs(self, ocsp_response: OCSPContainer): """ Extracts any certificates included with an OCSP response and adds them to the certificate registry :param ocsp_response: An asn1crypto.ocsp.OCSPResponse object to look for certs inside of """ poe_man = self._poe_manager ocsp_poe_time = poe_man[ocsp_response] registry = self._certificate_registry revo_certs = self._revocation_certs basic = ocsp_response.extract_basic_ocsp_response() if basic is not None and basic['certs']: for other_cert in basic['certs']: if registry.register(other_cert): revo_certs[other_cert.issuer_serial] = other_cert poe_man.register_known_poe( KnownPOE( poe_type=POEType.VALIDATION, digest=digest_for_poe(other_cert.dump()), # register with the same POE time as the OCSP # response poe_time=ocsp_poe_time, validation_object=ValidationObject( object_type=ValidationObjectType.CERTIFICATE, value=other_cert, ), ) ) def record_crl_issuer(self, certificate_list, cert): """ Records the certificate that issued a certificate list. Used to reduce processing code when dealing with self-issued certificates and multiple CRLs. :param certificate_list: An ans1crypto.crl.CertificateList object :param cert: An ans1crypto.x509.Certificate object """ self._crl_issuer_map[certificate_list.signature] = cert def check_crl_issuer(self, certificate_list) -> Optional[x509.Certificate]: """ Checks to see if the certificate that signed a certificate list has been found :param certificate_list: An ans1crypto.crl.CertificateList object :return: None if not found, or an asn1crypto.x509.Certificate object of the issuer """ return self._crl_issuer_map.get(certificate_list.signature) def currently_available_crls(self) -> List[CRLContainer]: """ .. versionadded:: 0.27.0 Return all currently available CRLs. :return: A list of :class:`CRLContainer` objects """ result = list(self._crls) if self._fetchers: crls = self._fetchers.crl_fetcher.fetched_crls() result.extend(CRLContainer(crl_data) for crl_data in crls) return result async def fetch_crls(self, cert) -> List[CRLContainer]: """ .. versionadded:: 0.27.0 Download all relevant CRLs for a given certificate. :param cert: An asn1crypto.x509.Certificate object :return: A list of :class:`CRLContainer` objects """ if not self._fetchers: raise CRLFetchError("No CRL fetcher available") fetchers = self._fetchers try: crls = fetchers.crl_fetcher.fetched_crls_for_cert(cert) except KeyError: crls = await fetchers.crl_fetcher.fetch(cert) conts = [CRLContainer(crl_data) for crl_data in crls] return conts async def async_retrieve_crls(self, cert) -> List[CRLContainer]: """ .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :return: A list of :class:`CRLContainer` objects """ crls = self.currently_available_crls() if self._fetchers: crls.extend(await self.fetch_crls(cert)) return crls async def async_retrieve_ocsps( self, cert, authority: Authority ) -> List[OCSPContainer]: """ .. versionadded:: 0.20.0 :param cert: An asn1crypto.x509.Certificate object :param authority: The issuing authority for the certificate :return: A list of :class:`OCSPContainer` objects """ if not self._fetchers: return self._ocsps fetchers = self._fetchers ocsps = [ OCSPContainer(resp) for resp in fetchers.ocsp_fetcher.fetched_responses_for_cert(cert) ] if not ocsps: ocsp_response_data = await fetchers.ocsp_fetcher.fetch( cert, authority ) ocsps = OCSPContainer.load_multi(ocsp_response_data) # Responses can contain certificates that are useful in # validating the response itself. We can use these since they # will be validated using the local trust roots. for resp in ocsps: try: self._extract_ocsp_certs(resp) except ValueError: raise OCSPFetchError( "Failed to extract certificates from " "fetched OCSP response" ) return ocsps + self._ocsps def evict_ocsps(self, hashes_to_evict: Set[bytes]): """ Internal API to eliminate local OCSP records from consideration. :param hashes_to_evict: A collection of OCSP response hashes; see :func:`.digest_for_poe`. """ def p(container: OCSPContainer): digest = digest_for_poe(container.ocsp_response_data.dump()) return digest not in hashes_to_evict self._ocsps = list(filter(p, self._ocsps)) def evict_crls(self, hashes_to_evict: Set[bytes]): """ Internal API to eliminate local CRLs from consideration. :param hashes_to_evict: A collection of CRL hashes; see :func:`.digest_for_poe`. """ def p(container: CRLContainer): digest = digest_for_poe(container.crl_data.dump()) return digest not in hashes_to_evict self._crls = list(filter(p, self._crls)) def check_asserted_unrevoked( self, cert: x509.Certificate, at: datetime ) -> bool: try: return at <= self._assertions[cert.sha256].at except KeyError: return False ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/validate_crl.py0000644000175100017510000013656315161577363027530 0ustar00runnerrunnerimport hashlib import logging from collections import defaultdict from dataclasses import dataclass, field from datetime import datetime from typing import Dict, List, Optional, Set, Tuple, Union from asn1crypto import cms, crl, keys, x509 from asn1crypto.crl import CRLEntryExtensionId from cryptography.exceptions import InvalidSignature from pyhanko_certvalidator._state import ValProcState from pyhanko_certvalidator.authority import Authority, AuthorityWithCert from pyhanko_certvalidator.context import ValidationContext from pyhanko_certvalidator.errors import ( CertificateFetchError, CRLNoMatchesError, CRLValidationError, CRLValidationIndeterminateError, PathValidationError, PSSParameterMismatch, RevokedError, ) from pyhanko_certvalidator.ltv.poe import POEManager from pyhanko_certvalidator.ltv.types import ValidationTimingParams from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import CertRevTrustPolicy from pyhanko_certvalidator.registry import CertificateRegistry from pyhanko_certvalidator.revinfo._err_gather import Errors from pyhanko_certvalidator.revinfo.archival import ( CRLContainer, RevinfoUsabilityRating, ) from pyhanko_certvalidator.revinfo.constants import ( KNOWN_CRL_ENTRY_EXTENSIONS, KNOWN_CRL_EXTENSIONS, VALID_REVOCATION_REASONS, ) from pyhanko_certvalidator.revinfo.manager import RevinfoManager from pyhanko_certvalidator.sig_validate import SignatureValidator from pyhanko_certvalidator.util import ( ConsList, get_ac_extension_value, get_issuer_dn, ) logger = logging.getLogger(__name__) @dataclass(frozen=True) class CRLWithPaths: """ A CRL with a number of candidate paths """ crl: CRLContainer paths: List[ValidationPath] async def _find_candidate_crl_issuer_certs( certificate_list: crl.CertificateList, *, cert_issuer_auth: Authority, cert_registry: CertificateRegistry, ) -> List[x509.Certificate]: # first, look for certs issued to the issuer named as the entity # that signed the CRL. # We prioritise the next-level issuer in the main path # if it matches the criteria. delegated_issuer = certificate_list.issuer cert_issuer_cert = None if isinstance(cert_issuer_auth, AuthorityWithCert): cert_issuer_cert = cert_issuer_auth.certificate candidates = cert_registry.retrieve_by_name( delegated_issuer, cert_issuer_cert ) if not candidates and cert_registry.fetcher is not None: candidates = [] # Try to download certificates from URLs in the AIA extension, # if there is one async for cert in cert_registry.fetcher.fetch_crl_issuers( certificate_list ): # filter by name if cert.subject == delegated_issuer: candidates.insert(0, cert) return candidates @dataclass class _CRLIssuerSearchErrs: candidate_issuers: int candidates_skipped: int = 0 signatures_failed: int = 0 unauthorized_certs: int = 0 path_building_failures: int = 0 explicit_errors: List[CRLValidationError] = field(default_factory=list) def get_exc(self): plural = self.candidate_issuers > 1 if ( not self.candidate_issuers or self.candidates_skipped == self.candidate_issuers ): return CRLNoMatchesError() elif self.signatures_failed == self.candidate_issuers: return CRLValidationError('CRL signature could not be verified') elif self.unauthorized_certs == self.candidate_issuers: return CRLValidationError( 'The CRL issuers that were identified are not authorized ' 'to sign CRLs' if plural else 'The CRL issuer that was identified is ' 'not authorized to sign CRLs' ) elif self.path_building_failures == self.candidate_issuers: return CRLValidationError( 'The chain of trust for the CRL issuers that were identified ' 'could not be determined' if plural else 'The chain of trust for the CRL issuer that was identified ' 'could not be determined' ) elif self.explicit_errors and len(self.explicit_errors) == 1: # if there's only one error, throw it return self.explicit_errors[0] else: msg = 'Unable to determine CRL trust status. ' msg += '; '.join(str(e) for e in self.explicit_errors) return CRLValidationError(msg) async def _validate_crl_issuer_path( *, candidate_crl_issuer_path: ValidationPath, validation_context: ValidationContext, issuing_authority_identical: bool, proc_state: ValProcState, ): # If we have a validation cached (from before, or because the CRL issuer # appears further up in the path) use it. # This is not just for efficiency, it also makes for clearer errors when # validation fails due to revocation info issues further up in the path if validation_context.check_validation(candidate_crl_issuer_path.last): return try: temp_override = proc_state.ee_name_override if not issuing_authority_identical: temp_override = ( proc_state.describe_cert(never_def=True) + ' CRL issuer' ) from pyhanko_certvalidator.validate import intl_validate_path new_stack = proc_state.cert_path_stack.cons(candidate_crl_issuer_path) await intl_validate_path( validation_context, candidate_crl_issuer_path, proc_state=ValProcState( ee_name_override=temp_override, cert_path_stack=new_stack ), ) except PathValidationError as e: iss_cert = candidate_crl_issuer_path.last logger.warning( f"Path for CRL issuer {iss_cert.subject.human_friendly} could not " f"be validated.", exc_info=e, ) raise CRLValidationError( f'The CRL issuer certificate path could not be validated. {e}' ) async def _find_candidate_crl_paths( certificate_list: crl.CertificateList, *, cert: Union[x509.Certificate, cms.AttributeCertificateV2], cert_issuer_auth: Authority, cert_path: ValidationPath, certificate_registry: CertificateRegistry, is_indirect: bool, proc_state: ValProcState, ) -> Tuple[List[ValidationPath], _CRLIssuerSearchErrs]: cert_sha256 = hashlib.sha256(cert.dump()).digest() candidate_crl_issuers = await _find_candidate_crl_issuer_certs( certificate_list, cert_issuer_auth=cert_issuer_auth, cert_registry=certificate_registry, ) cert_issuer_name = cert_issuer_auth.name errs = _CRLIssuerSearchErrs(candidate_issuers=len(candidate_crl_issuers)) candidate_paths = [] for candidate_crl_issuer in candidate_crl_issuers: direct_issuer = candidate_crl_issuer.subject == cert_issuer_name # In some cases an indirect CRL issuer is a certificate issued # by the certificate issuer. However, we need to ensure that # the candidate CRL issuer is not the certificate being checked, # otherwise we may be checking an incorrect CRL and produce # incorrect results. indirect_issuer = ( candidate_crl_issuer.issuer == cert_issuer_name and candidate_crl_issuer.sha256 != cert_sha256 ) if not direct_issuer and not indirect_issuer and not is_indirect: errs.candidates_skipped += 1 continue key_usage_value = candidate_crl_issuer.key_usage_value if key_usage_value and 'crl_sign' not in key_usage_value.native: errs.unauthorized_certs += 1 continue cand_path = proc_state.check_path_verif_recursion(candidate_crl_issuer) if not cand_path: try: cand_path = cert_path.truncate_to_issuer_and_append( candidate_crl_issuer ) except LookupError: errs.path_building_failures += 1 continue candidate_paths.append(cand_path) return candidate_paths, errs async def _find_crl_issuer( certificate_list: crl.CertificateList, *, cert: Union[x509.Certificate, cms.AttributeCertificateV2], cert_issuer_auth: Authority, cert_path: ValidationPath, validation_context: ValidationContext, is_indirect: bool, proc_state: ValProcState, ) -> ValidationPath: candidate_paths, errs = await _find_candidate_crl_paths( certificate_list, cert=cert, cert_issuer_auth=cert_issuer_auth, cert_path=cert_path, certificate_registry=validation_context.certificate_registry, is_indirect=is_indirect, proc_state=proc_state, ) for candidate_crl_issuer_path in candidate_paths: # TODO technically speaking this doesn't deal with the case where # the candidate CRL issuer is a TrustAnchor that does _not_ have # a cert (e.g. only a key / name pair). # This is probably not a big concern in practice. candidate_crl_issuer = candidate_crl_issuer_path.last # Skip path validation step if we're recursing # (necessary to process CRLs that have their own certificate in-scope, # which is questionable practice, but PKITS has a test case for this # specific wrinkle, and it's not contradicted by anything in RFC 5280, # so it's probably allowed in theory) if proc_state.check_path_verif_recursion(candidate_crl_issuer): validation_context.revinfo_manager.record_crl_issuer( certificate_list, candidate_crl_issuer ) return candidate_crl_issuer_path # Step f # Note: this is not the same as .truncate_to() if # candidate_crl_issuer doesn't appear in the path! candidate_crl_issuer_path = cert_path.truncate_to_issuer_and_append( candidate_crl_issuer ) try: # This check needs to know not only whether the names agree, # but also whether the keys are the same, in order to yield # the correct error message on failure. # (Scenario: CA with separate keys for CRL signing and for # certificate issuance, but with the same name on both certs) issuing_authority_identical = not is_indirect and ( cert_issuer_auth is not None and candidate_crl_issuer is not None and cert_issuer_auth.public_key.dump() == candidate_crl_issuer.public_key.dump() ) await _validate_crl_issuer_path( candidate_crl_issuer_path=candidate_crl_issuer_path, validation_context=validation_context, issuing_authority_identical=issuing_authority_identical, proc_state=proc_state, ) except CRLValidationError as e: errs.explicit_errors.append(e) continue try: # Step g # Verify the CRL signature _verify_crl_signature( certificate_list, candidate_crl_issuer.public_key, validation_context.sig_validator, ) validation_context.revinfo_manager.record_crl_issuer( certificate_list, candidate_crl_issuer ) return candidate_crl_issuer_path except CRLValidationError: errs.signatures_failed += 1 continue raise errs.get_exc() @dataclass class _CRLErrs(Errors): issuer_failures: int = 0 def _find_matching_delta_crl( delta_lists: List[CRLContainer], crl_authority_name: x509.Name, crl_idp: crl.IssuingDistributionPoint, parent_crl_aki: Optional[bytes], ) -> Optional[CRLContainer]: for candidate_delta_cl_cont in delta_lists: candidate_delta_cl = candidate_delta_cl_cont.crl_data # Step c 1 if candidate_delta_cl.issuer != crl_authority_name: continue # Step c 2 delta_crl_idp = candidate_delta_cl.issuing_distribution_point_value if (crl_idp is None and delta_crl_idp is not None) or ( crl_idp is not None and delta_crl_idp is None ): continue if crl_idp is not None and crl_idp.native != delta_crl_idp.native: continue # Step c 3 if parent_crl_aki != candidate_delta_cl.authority_key_identifier: continue return candidate_delta_cl_cont return None def _match_dps_idp_names( crl_idp: crl.IssuingDistributionPoint, crl_dps: Optional[x509.CRLDistributionPoints], crl_issuer: x509.Certificate, crl_authority_name: x509.Name, ) -> bool: # Step b 2 i has_idp_name = False has_dp_name = False idp_dp_match = False idp_general_names = [] idp_dp_name = crl_idp['distribution_point'] if idp_dp_name: has_idp_name = True if idp_dp_name.name == 'full_name': for general_name in idp_dp_name.chosen: idp_general_names.append(general_name) else: inner_extended_issuer_name = crl_issuer.subject.copy() inner_extended_issuer_name.chosen.append(idp_dp_name.chosen.untag()) idp_general_names.append( x509.GeneralName( name='directory_name', value=inner_extended_issuer_name ) ) if crl_dps: for dp in crl_dps: if idp_dp_match: break dp_name = dp['distribution_point'] if dp_name: has_dp_name = True if dp_name.name == 'full_name': for general_name in dp_name.chosen: if general_name in idp_general_names: idp_dp_match = True break else: inner_extended_issuer_name = crl_issuer.subject.copy() inner_extended_issuer_name.chosen.append( dp_name.chosen.untag() ) dp_extended_issuer_name = x509.GeneralName( name='directory_name', value=inner_extended_issuer_name ) if dp_extended_issuer_name in idp_general_names: idp_dp_match = True elif dp['crl_issuer']: has_dp_name = True for dp_crl_authority_name in dp['crl_issuer']: if dp_crl_authority_name in idp_general_names: idp_dp_match = True break else: # If there is no DP, we consider the CRL issuer name to be it has_dp_name = True general_name = x509.GeneralName( name='directory_name', value=crl_authority_name ) if general_name in idp_general_names: idp_dp_match = True return idp_dp_match or not has_idp_name or not has_dp_name def _handle_crl_idp_ext_constraints( cert: x509.Certificate, certificate_list: crl.CertificateList, crl_issuer: x509.Certificate, crl_idp: crl.IssuingDistributionPoint, crl_authority_name: x509.Name, errs: _CRLErrs, ) -> bool: match = _match_dps_idp_names( crl_idp=crl_idp, crl_dps=cert.crl_distribution_points_value, crl_issuer=crl_issuer, crl_authority_name=crl_authority_name, ) if not match: errs.append( "The CRL issuing distribution point extension does not " "share any names with the certificate CRL distribution " "point extension", certificate_list, ) errs.issuer_failures += 1 return False # Step b 2 ii if crl_idp['only_contains_user_certs'].native: if ( cert.basic_constraints_value and cert.basic_constraints_value['ca'].native ): errs.append( "CRL only contains end-entity certificates and " "certificate is a CA certificate", certificate_list, ) return False # Step b 2 iii if crl_idp['only_contains_ca_certs'].native: if ( not cert.basic_constraints_value or cert.basic_constraints_value['ca'].native is False ): errs.append( "CRL only contains CA certificates and certificate " "is an end-entity certificate", certificate_list, ) return False # Step b 2 iv if crl_idp['only_contains_attribute_certs'].native: errs.append( 'CRL only contains attribute certificates', certificate_list ) return False return True def _handle_attr_cert_crl_idp_ext_constraints( certificate_list: crl.CertificateList, crl_dps: Optional[x509.CRLDistributionPoints], crl_issuer: x509.Certificate, crl_idp: crl.IssuingDistributionPoint, crl_authority_name: x509.Name, errs: _CRLErrs, ) -> bool: match = _match_dps_idp_names( crl_idp=crl_idp, crl_dps=crl_dps, crl_issuer=crl_issuer, crl_authority_name=crl_authority_name, ) if not match: errs.append( "The CRL issuing distribution point extension does not " "share any names with the attribute certificate's " "CRL distribution point extension", certificate_list, ) errs.issuer_failures += 1 return False # Step b 2 ii pkc_only = ( crl_idp['only_contains_user_certs'].native or crl_idp['only_contains_ca_certs'].native ) if pkc_only: errs.append( "CRL only contains public-key certificates, but " "certificate is an attribute certificate", certificate_list, ) return False return True def _check_crl_freshness( certificate_list_cont: CRLContainer, revinfo_policy: CertRevTrustPolicy, timing_params: ValidationTimingParams, errs: _CRLErrs, is_delta: bool, ): freshness_result = certificate_list_cont.usable_at( policy=revinfo_policy, timing_params=timing_params, ) prefix = "Delta CRL" if is_delta else "CRL" rating = freshness_result.rating if rating != RevinfoUsabilityRating.OK: if rating == RevinfoUsabilityRating.STALE: msg = ( f'{prefix} is not recent enough ' f'({freshness_result.compared_to} > ' f'{freshness_result.last_usable_at})' ) errs.update_stale(freshness_result.last_usable_at) elif rating == RevinfoUsabilityRating.TOO_NEW: msg = f'{prefix} is too recent' else: msg = f'{prefix} freshness could not be established' errs.append(msg, certificate_list_cont, is_freshness_failure=True) return False return True async def _handle_single_crl( cert: Union[x509.Certificate, cms.AttributeCertificateV2], cert_issuer_auth: Authority, certificate_list_cont: CRLContainer, path: ValidationPath, validation_context: ValidationContext, delta_lists_by_issuer: Dict[str, List[CRLContainer]], use_deltas: bool, errs: _CRLErrs, proc_state: ValProcState, ) -> Optional[Set[str]]: certificate_list = certificate_list_cont.crl_data is_indirect = _is_indirect( certificate_list_cont, ) # check if we already know the issuer of this CRL crl_issuer = validation_context.revinfo_manager.check_crl_issuer( certificate_list ) # if not, attempt to determine it if not crl_issuer: try: crl_issuer_path = await _find_crl_issuer( certificate_list, cert=cert, cert_issuer_auth=cert_issuer_auth, cert_path=path, validation_context=validation_context, is_indirect=is_indirect, proc_state=proc_state, ) crl_issuer = crl_issuer_path.last except CRLNoMatchesError: # this no-match issue will be dealt with at a higher level later errs.issuer_failures += 1 return None except (CertificateFetchError, CRLValidationError) as e: errs.append(e.args[0], certificate_list) return None interim_reasons = _get_crl_scope_assuming_authority( crl_issuer=crl_issuer, cert=cert, certificate_list_cont=certificate_list_cont, is_indirect=is_indirect, errs=errs, ) if interim_reasons is None: return None if not _check_crl_freshness( certificate_list_cont, validation_context.revinfo_policy, validation_context.timing_params, errs, is_delta=False, ): return None # Step c if use_deltas: delta_certificate_list_cont = _maybe_get_delta_crl( certificate_list=certificate_list, crl_issuer=crl_issuer, policy=validation_context.revinfo_policy, timing_params=validation_context.timing_params, delta_lists_by_issuer=delta_lists_by_issuer, errs=errs, ) else: delta_certificate_list_cont = None if delta_certificate_list_cont: # Delta CRL validation Step h try: _verify_crl_signature( delta_certificate_list_cont.crl_data, crl_issuer.public_key, validation_context.sig_validator, ) except CRLValidationError: errs.append( 'Delta CRL signature could not be verified', delta_certificate_list_cont, ) return None try: revoked_date, revoked_reason = _check_cert_on_crl_and_delta( crl_issuer=crl_issuer, cert=cert, certificate_list_cont=certificate_list_cont, delta_certificate_list_cont=delta_certificate_list_cont, errs=errs, ) except NotImplementedError: # the subroutine already registered the failure, so just bail return None timing = validation_context.timing_params control_time = ( timing.validation_time if timing.point_in_time_validation else None ) if revoked_reason and (control_time is None or revoked_date < control_time): raise RevokedError.format( reason=revoked_reason, revocation_dt=revoked_date, revinfo_type='CRL', proc_state=proc_state, ) return interim_reasons def _is_indirect( certificate_list_cont: CRLContainer, ) -> bool: certificate_list = certificate_list_cont.crl_data crl_idp: crl.IssuingDistributionPoint = ( certificate_list.issuing_distribution_point_value ) return bool(crl_idp and crl_idp['indirect_crl'].native) def _maybe_get_delta_crl( certificate_list: crl.CertificateList, crl_issuer: x509.Certificate, delta_lists_by_issuer: Dict[str, List[CRLContainer]], errs: _CRLErrs, timing_params: Optional[ValidationTimingParams] = None, policy: Optional[CertRevTrustPolicy] = None, ) -> Optional[CRLContainer]: if ( not certificate_list.freshest_crl_value or len(certificate_list.freshest_crl_value) == 0 ): # nothing to do, return return None crl_authority_name = crl_issuer.subject crl_idp: crl.IssuingDistributionPoint = ( certificate_list.issuing_distribution_point_value ) candidate_delta_lists = delta_lists_by_issuer.get( crl_authority_name.hashable, [] ) delta_certificate_list_cont = _find_matching_delta_crl( delta_lists=candidate_delta_lists, crl_authority_name=crl_authority_name, crl_idp=crl_idp, parent_crl_aki=certificate_list.authority_key_identifier, ) if not delta_certificate_list_cont: raise CRLValidationIndeterminateError( "Delta CRL matching Freshest CRL extension not available", failures=[], suspect_stale=None, ) if not _verify_no_unknown_critical_extensions( delta_certificate_list_cont, errs, is_delta=True ): return None if policy and timing_params: if _check_crl_freshness( delta_certificate_list_cont, policy, timing_params, errs, is_delta=True, ): return delta_certificate_list_cont return None def _verify_no_unknown_critical_extensions( certificate_list_cont: CRLContainer, errs: _CRLErrs, is_delta: bool ): extensions = certificate_list_cont.crl_data.critical_extensions if extensions - KNOWN_CRL_EXTENSIONS: errs.append( f'One or more unrecognized critical extensions are present in ' f'the {"delta CRL" if is_delta else "CRL"}', certificate_list_cont, ) return False return True def _get_crl_scope_assuming_authority( crl_issuer: x509.Certificate, cert: Union[x509.Certificate, cms.AttributeCertificateV2], certificate_list_cont: CRLContainer, is_indirect: bool, errs: _CRLErrs, ) -> Optional[Set[str]]: certificate_list = certificate_list_cont.crl_data crl_idp: crl.IssuingDistributionPoint = ( certificate_list.issuing_distribution_point_value ) is_pkc = isinstance(cert, x509.Certificate) # Step b 1 has_dp_crl_issuer = False dp_match = False if is_pkc: crl_dps = cert.crl_distribution_points_value else: crl_dps = get_ac_extension_value(cert, 'crl_distribution_points') if crl_dps: crl_issuer_general_name = x509.GeneralName( name='directory_name', value=crl_issuer.subject ) for dp in crl_dps: if dp['crl_issuer']: has_dp_crl_issuer = True if crl_issuer_general_name in dp['crl_issuer']: dp_match = True crl_authority_name = crl_issuer.subject cert_issuer_name = get_issuer_dn(cert) same_issuer = crl_authority_name == cert_issuer_name indirect_match = has_dp_crl_issuer and dp_match and is_indirect missing_idp = has_dp_crl_issuer and (not dp_match or not is_indirect) indirect_crl_issuer = crl_issuer.issuer == cert_issuer_name if ( not same_issuer and not indirect_match and not indirect_crl_issuer ) or missing_idp: errs.issuer_failures += 1 return None # Step b 2 if crl_idp is not None: if is_pkc: crl_idp_match = _handle_crl_idp_ext_constraints( cert=cert, certificate_list=certificate_list, crl_issuer=crl_issuer, crl_idp=crl_idp, crl_authority_name=crl_authority_name, errs=errs, ) else: crl_idp_match = _handle_attr_cert_crl_idp_ext_constraints( crl_dps=crl_dps, certificate_list=certificate_list, crl_issuer=crl_issuer, crl_idp=crl_idp, crl_authority_name=crl_authority_name, errs=errs, ) # error reporting is taken care of in the delegated method if not crl_idp_match: return None # Step d idp_reasons = None if crl_idp and crl_idp['only_some_reasons'].native is not None: idp_reasons = crl_idp['only_some_reasons'].native reason_keys = None if idp_reasons: reason_keys = idp_reasons if reason_keys is None: interim_reasons = VALID_REVOCATION_REASONS.copy() else: interim_reasons = reason_keys # Step e # We don't skip a CRL if it only contains reasons already checked since # a certificate issuer can self-issue a new cert that is used for CRLs if not _verify_no_unknown_critical_extensions( certificate_list_cont, errs, is_delta=False ): return None return interim_reasons def _check_cert_on_crl_and_delta( crl_issuer: x509.Certificate, cert: Union[x509.Certificate, cms.AttributeCertificateV2], certificate_list_cont: CRLContainer, delta_certificate_list_cont: Optional[CRLContainer], errs: _CRLErrs, ): certificate_list = certificate_list_cont.crl_data # Step i revoked_reason = None revoked_date = None cert_issuer_name = get_issuer_dn(cert) if delta_certificate_list_cont: delta_certificate_list = delta_certificate_list_cont.crl_data try: revoked_date, revoked_reason = find_cert_in_list( cert, cert_issuer_name, delta_certificate_list, crl_issuer.subject, ) except NotImplementedError: errs.append( 'One or more unrecognized critical extensions are present in ' 'the CRL entry for the certificate', delta_certificate_list_cont, ) raise # Step j if revoked_reason is None: try: revoked_date, revoked_reason = find_cert_in_list( cert, cert_issuer_name, certificate_list, crl_issuer.subject ) except NotImplementedError: errs.append( 'One or more unrecognized critical extensions are present in ' 'the CRL entry for the certificate', certificate_list_cont, ) raise # Step k if revoked_reason and revoked_reason.native == 'remove_from_crl': revoked_reason = None revoked_date = None return revoked_date, revoked_reason async def _classify_relevant_crls( certificate_lists: List[CRLContainer], poe_manager: POEManager, errs: _CRLErrs, control_time: Optional[datetime] = None, ): # NOTE: the control_time parameter is only used in the time sliding # algorithm code path for AdES validation complete_lists_by_issuer = defaultdict(list) delta_lists_by_issuer = defaultdict(list) for certificate_list_cont in certificate_lists: certificate_list = certificate_list_cont.crl_data if control_time is not None: issued = certificate_list_cont.issuance_date if ( issued is None or issued > control_time or poe_manager[certificate_list_cont] > control_time ): # We don't care about stuff issued after control_time # or without the right POE continue try: issuer_hashable = certificate_list.issuer.hashable if certificate_list.delta_crl_indicator_value is None: complete_lists_by_issuer[issuer_hashable].append( certificate_list_cont ) else: delta_lists_by_issuer[issuer_hashable].append( certificate_list_cont ) except ValueError as e: msg = "Generic processing error while classifying CRL." logging.debug(msg, exc_info=e) errs.append(msg, certificate_list) return complete_lists_by_issuer, delta_lists_by_issuer def _process_crl_completeness( checked_reasons: Set[str], total_crls: int, errs: _CRLErrs, proc_state: ValProcState, ): # CRLs should not include this value, but at least one of the examples # from the NIST test suite does checked_reasons -= {'unused'} if checked_reasons != VALID_REVOCATION_REASONS: if total_crls == errs.issuer_failures: return CRLNoMatchesError( f"No CRLs were issued by the issuer of " f"{proc_state.describe_cert()}, or any indirect CRL " "issuer" ) if not errs.failures: errs.append( 'The available CRLs do not cover all revocation reasons', None ) return CRLValidationIndeterminateError( f"Unable to determine if {proc_state.describe_cert()} " f"is revoked due to insufficient information from known CRLs", failures=errs.failures, suspect_stale=( errs.stale_last_usable_at if errs.freshness_failures_only else None ), ) async def verify_crl( cert: Union[x509.Certificate, cms.AttributeCertificateV2], path: ValidationPath, validation_context: ValidationContext, use_deltas=True, proc_state: Optional[ValProcState] = None, ): """ Verifies a certificate against a list of CRLs, checking to make sure the certificate has not been revoked. Uses the algorithm from https://tools.ietf.org/html/rfc5280#section-6.3 as a basis, but the implementation differs to allow CRLs from unrecorded locations. :param cert: An asn1crypto.x509.Certificate or asn1crypto.cms.AttributeCertificateV2 object to check for in the CRLs :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param use_deltas: A boolean indicating if delta CRLs should be used :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.CRLNoMatchesError - when none of the CRLs match the certificate pyhanko_certvalidator.errors.CRLValidationError - when any error occurs trying to verify the CertificateList pyhanko_certvalidator.errors.RevokedError - when the CRL indicates the certificate has been revoked """ is_pkc = isinstance(cert, x509.Certificate) proc_state = proc_state or ValProcState( cert_path_stack=ConsList.sing(path), ee_name_override="attribute certificate" if not is_pkc else None, init_index=path.pkix_len, ) revinfo_manager = validation_context.revinfo_manager errs = _CRLErrs() try: cert_issuer_auth = path.find_issuing_authority(cert) except LookupError: raise CRLNoMatchesError( f"Could not determine issuer certificate for " f"{proc_state.describe_cert()} in path." ) # First, make an attempt to validate without downloading any extra CRLs certificate_lists = revinfo_manager.currently_available_crls() poe_manager = revinfo_manager.poe_manager ( complete_lists_by_issuer, delta_lists_by_issuer, ) = await _classify_relevant_crls(certificate_lists, poe_manager, errs) # In the main loop, only complete CRLs are processed, so delta CRLs are # weeded out of the to-do list crls_to_process = [] for issuer_crls in complete_lists_by_issuer.values(): crls_to_process.extend(issuer_crls) total_crls = len(crls_to_process) checked_reasons = set() async def _process(crl_container, deltas): nonlocal checked_reasons nonlocal errs try: interim_reasons = await _handle_single_crl( cert=cert, cert_issuer_auth=cert_issuer_auth, certificate_list_cont=crl_container, path=path, validation_context=validation_context, delta_lists_by_issuer=deltas, use_deltas=use_deltas, errs=errs, proc_state=proc_state, ) if interim_reasons is not None: # Step l checked_reasons |= interim_reasons except CRLValidationIndeterminateError as e: errs.append(e.msg, certificate_list_cont) except ValueError as e: msg = "Generic processing error while validating CRL." logging.debug(msg, exc_info=e) errs.append(msg, certificate_list_cont) for certificate_list_cont in crls_to_process: await _process(certificate_list_cont, delta_lists_by_issuer) exc = _process_crl_completeness( checked_reasons, total_crls, errs, proc_state ) if exc is None: return elif not revinfo_manager.fetching_allowed: raise exc # If we're not done checking CRLs, but we are allowed to fetch more, # let's go download some more CRLs... # TODO scan Freshest CRL extensions for delta CRLs? extra_certificate_lists = await revinfo_manager.fetch_crls(cert) ( extra_complete_lists_by_issuer, extra_delta_lists_by_issuer, ) = await _classify_relevant_crls( extra_certificate_lists, poe_manager, errs ) combined_deltas = { k: delta_lists_by_issuer.get(k, []) + extra_delta_lists_by_issuer.get(k, []) for k in set(delta_lists_by_issuer.keys()).union( extra_delta_lists_by_issuer.keys() ) } crls_to_process = [] for issuer, issuer_crls in complete_lists_by_issuer.items(): # some of the new deltas might complement CRLs that we already had if issuer in extra_delta_lists_by_issuer: crls_to_process.extend(issuer_crls) for issuer_crls in extra_complete_lists_by_issuer.values(): crls_to_process.extend(issuer_crls) for certificate_list_cont in crls_to_process: await _process(certificate_list_cont, combined_deltas) total_crls += len(crls_to_process) exc = _process_crl_completeness( checked_reasons, total_crls, errs, proc_state ) if exc is not None: raise exc @dataclass(frozen=True) class ProvisionalCRLTrust: """ A provisional CRL path, together with an optional delta CRL that may be relevant. """ path: ValidationPath """ A provisional validation path for the CRL. Requires path validation. """ delta: Optional[CRLContainer] """ A delta CRL that may be relevant to the parent CRL for which the path was put together. """ @dataclass(frozen=True) class CRLOfInterest: """ A CRL of interest. """ crl: CRLContainer """ The CRL data, packaged in a revocation info container. """ prov_paths: List[ProvisionalCRLTrust] """ Candidate validation paths for the CRL, together with relevant delta CRLs, if appropriate. """ is_indirect: bool """ Boolean indicating whether the CRL is an indirect one. """ @dataclass(frozen=True) class CRLCollectionResult: """ The result of a CRL collection operation for AdES point-in-time validation purposes. """ crls: List[CRLOfInterest] """ List of potentially relevant CRLs. """ failure_msgs: List[str] """ List of failure messages, for error reporting purposes. """ async def _assess_crl_relevance( cert: Union[x509.Certificate, cms.AttributeCertificateV2], cert_issuer_auth: Authority, certificate_list_cont: CRLContainer, path: ValidationPath, revinfo_manager: RevinfoManager, delta_lists_by_issuer: Dict[str, List[CRLContainer]], use_deltas: bool, errs: _CRLErrs, proc_state: ValProcState, ) -> Optional[CRLOfInterest]: certificate_list = certificate_list_cont.crl_data registry = revinfo_manager.certificate_registry is_indirect = _is_indirect(certificate_list_cont) try: candidate_paths, _ = await _find_candidate_crl_paths( certificate_list, cert=cert, cert_issuer_auth=cert_issuer_auth, cert_path=path, certificate_registry=registry, is_indirect=is_indirect, proc_state=proc_state, ) except CRLNoMatchesError: # this no-match issue will be dealt with at a higher level later errs.issuer_failures += 1 return None except (CertificateFetchError, CRLValidationError) as e: errs.append(e.args[0], certificate_list) return None provisional_results = [] for cand_path in candidate_paths: putative_issuer = cand_path.last interim_reasons = _get_crl_scope_assuming_authority( crl_issuer=putative_issuer, cert=cert, certificate_list_cont=certificate_list_cont, is_indirect=is_indirect, errs=errs, ) if interim_reasons is None: continue delta = None if use_deltas: try: delta = _maybe_get_delta_crl( certificate_list=certificate_list, crl_issuer=putative_issuer, delta_lists_by_issuer=delta_lists_by_issuer, errs=errs, ) except CRLValidationIndeterminateError as e: errs.append(e.msg, certificate_list) continue prov = ProvisionalCRLTrust(path=cand_path, delta=delta) provisional_results.append(prov) if not provisional_results: return None return CRLOfInterest( crl=certificate_list_cont, prov_paths=provisional_results, is_indirect=is_indirect, ) async def collect_relevant_crls_with_paths( cert: Union[x509.Certificate, cms.AttributeCertificateV2], path: ValidationPath, revinfo_manager: RevinfoManager, control_time: datetime, use_deltas=True, proc_state: Optional[ValProcState] = None, ) -> CRLCollectionResult: """ Collect potentially relevant CRLs with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param use_deltas: Whether to include delta CRLs. :param proc_state: The state of any prior validation process. :return: A :class:`.CRLCollectionResult`. """ proc_state = proc_state or ValProcState(cert_path_stack=ConsList.sing(path)) errs = _CRLErrs() candidate_crls = revinfo_manager.currently_available_crls() classify_job = _classify_relevant_crls( candidate_crls, revinfo_manager.poe_manager, errs, control_time=control_time, ) complete_lists_by_issuer, delta_lists_by_issuer = await classify_job # In the main loop, only complete CRLs are processed, so delta CRLs are # weeded out of the to-do list crls_to_process = [] for issuer_crls in complete_lists_by_issuer.values(): crls_to_process.extend(issuer_crls) try: cert_issuer_auth = path.find_issuing_authority(cert) except LookupError: raise CRLNoMatchesError( f"Could not determine issuer certificate for " f"{proc_state.describe_cert()} in path." ) relevant_crls = [] for certificate_list_cont in crls_to_process: try: result = await _assess_crl_relevance( cert=cert, cert_issuer_auth=cert_issuer_auth, certificate_list_cont=certificate_list_cont, path=path, delta_lists_by_issuer=delta_lists_by_issuer, use_deltas=use_deltas, revinfo_manager=revinfo_manager, errs=errs, proc_state=proc_state, ) if result is not None: relevant_crls.append(result) except ValueError as e: msg = "Generic processing error while validating CRL." logging.debug(msg, exc_info=e) errs.append(msg, certificate_list_cont) return CRLCollectionResult( crls=relevant_crls, failure_msgs=[f[0] for f in errs.failures], ) def _verify_crl_signature( certificate_list: crl.CertificateList, public_key: keys.PublicKeyInfo, sig_validator: SignatureValidator, ): """ Verifies the digital signature on an asn1crypto.crl.CertificateList object :param certificate_list: An asn1crypto.crl.CertificateList object :param public_key: The public key with which to validate the CRL's signature. :param sig_validator: The signature validator implementing the validation mechanism. :raises: pyhanko_certvalidator.errors.CRLValidationError - when the signature is invalid or uses an unsupported algorithm """ try: sig_validator.validate_signature( signature=certificate_list['signature'].native, signed_data=certificate_list['tbs_cert_list'].dump(), public_key_info=public_key, signature_algorithm=certificate_list['signature_algorithm'], ) except PSSParameterMismatch as e: raise CRLValidationError( 'Invalid signature parameters on CertificateList' ) from e except InvalidSignature: raise CRLValidationError( 'Unable to verify the signature of the CertificateList' ) def find_cert_in_list( cert: Union[x509.Certificate, cms.AttributeCertificateV2], cert_issuer_name: x509.Name, certificate_list: crl.CertificateList, crl_authority_name: x509.Name, ): """ Looks for a cert in the list of revoked certificates :param cert: An asn1crypto.x509.Certificate object of the cert being checked, or an asn1crypto.cms.AttributeCertificateV2 object in the case of an attribute certificate. :param cert_issuer_name: The certificate issuer's distinguished name :param certificate_list: An ans1crypto.crl.CertificateList object to look in for the cert :param crl_authority_name: The distinguished name of the default authority for which the CRL issues certificates. :return: A tuple of (None, None) if not present, otherwise a tuple of (asn1crypto.x509.Time object, asn1crypto.crl.CRLReason object) representing the date/time the object was revoked and why """ revoked_certificates = certificate_list['tbs_cert_list'][ 'revoked_certificates' ] if isinstance(cert, x509.Certificate): cert_serial = cert['tbs_certificate']['serial_number'].dump() else: cert_serial = cert['ac_info']['serial_number'].dump() last_issuer_name = crl_authority_name cert_issuer_extension_id = CRLEntryExtensionId('certificate_issuer').dump() for revoked_cert in revoked_certificates: # This looks like a hack, but we have to look up the certificate_issuer # extension for every entry, since its value remains in effect for # future entries as well! (and PKITS has a test case for that...) # Since parsing those extensions every time is expensive for large CRLs, # we guard it with a dumb heuristic check: does the binary encoding # of that extension's OID appear anywhere in the entry's payload? # If not, we move on. If it does appear, we parse the extensions. if cert_issuer_extension_id in revoked_cert.dump(): if revoked_cert.issuer_name: last_issuer_name = revoked_cert.issuer_name if revoked_cert['user_certificate'].dump() != cert_serial: continue if last_issuer_name != cert_issuer_name: continue if not revoked_cert.crl_reason_value: crl_reason = crl.CRLReason('unspecified') else: crl_reason = revoked_cert.crl_reason_value # If any unknown critical extensions, the entry can not be used if revoked_cert.critical_extensions - KNOWN_CRL_ENTRY_EXTENSIONS: raise NotImplementedError() return revoked_cert['revocation_date'].native, crl_reason return None, None ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/revinfo/validate_ocsp.py0000644000175100017510000005566415161577363027716 0ustar00runnerrunnerimport logging from dataclasses import dataclass from datetime import datetime from typing import List, Optional, Union from asn1crypto import cms, crl, x509 from asn1crypto.crl import CRLReason from asn1crypto.keys import PublicKeyInfo from cryptography.exceptions import InvalidSignature from pyhanko_certvalidator._state import ValProcState from pyhanko_certvalidator.authority import ( Authority, AuthorityWithCert, TrustAnchor, ) from pyhanko_certvalidator.context import ValidationContext from pyhanko_certvalidator.errors import ( OCSPNoMatchesError, OCSPValidationError, OCSPValidationIndeterminateError, PathValidationError, PSSParameterMismatch, RevokedError, ) from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import ( CertRevTrustPolicy, RevocationCheckingPolicy, RevocationCheckingRule, ) from pyhanko_certvalidator.registry import ( CertificateCollection, LayeredCertificateStore, SimpleCertificateStore, ) from pyhanko_certvalidator.revinfo._err_gather import Errors from pyhanko_certvalidator.revinfo.archival import ( OCSPContainer, RevinfoUsabilityRating, ) from pyhanko_certvalidator.revinfo.manager import RevinfoManager from pyhanko_certvalidator.sig_validate import SignatureValidator from pyhanko_certvalidator.util import ( ConsList, extract_ac_issuer_dir_name, ) OCSP_PROVENANCE_ERR = ( "Unable to verify OCSP response since response signing " "certificate could not be validated" ) def _delegated_ocsp_response_path( responder_cert: x509.Certificate, issuer: Authority, ee_path: ValidationPath ): if isinstance(issuer, AuthorityWithCert): responder_chain = ee_path.truncate_to_and_append( issuer.certificate, responder_cert ) else: responder_chain = ValidationPath( trust_anchor=TrustAnchor(issuer), interm=[], leaf=responder_cert ) return responder_chain async def _validate_delegated_ocsp_provenance( responder_cert: x509.Certificate, issuer: Authority, validation_context: ValidationContext, ee_path: ValidationPath, proc_state: ValProcState, ): if proc_state.check_path_verif_recursion(responder_cert): # we permit this for CRLs for historical reasons, but there's no # sane reason why this would make sense for OCSP responders, so # throw an error raise PathValidationError.from_state( "Recursion detected in OCSP responder authorisation check for " "responder certificate %s." % responder_cert.subject.human_friendly, proc_state, ) from pyhanko_certvalidator.validate import intl_validate_path # OCSP responder certs must be issued directly by the CA on behalf of # which they act. # Moreover, RFC 6960 says that we don't have to accept OCSP responses signed # with a different key than the one used to sign subscriber certificates. ocsp_ee_name_override = ( proc_state.describe_cert(never_def=True) + ' OCSP responder' ) if responder_cert.ocsp_no_check_value is not None: # we don't have to check the revocation of the OCSP responder, # so do a simplified check revinfo_policy = CertRevTrustPolicy( revocation_checking_policy=RevocationCheckingPolicy( ee_certificate_rule=RevocationCheckingRule.NO_CHECK, # this one should never trigger intermediate_ca_cert_rule=RevocationCheckingRule.NO_CHECK, ) ) vc = ValidationContext( trust_roots=[TrustAnchor(issuer)], allow_fetching=False, revinfo_policy=revinfo_policy, moment=validation_context.moment, algorithm_usage_policy=validation_context.algorithm_policy, time_tolerance=validation_context.time_tolerance, ) ocsp_trunc_path = ValidationPath( trust_anchor=TrustAnchor(issuer), interm=[], leaf=responder_cert ) ocsp_trunc_proc_state = ValProcState( cert_path_stack=proc_state.cert_path_stack.cons(ocsp_trunc_path), ee_name_override=ocsp_ee_name_override, ) try: # verify the truncated path await intl_validate_path( vc, path=ocsp_trunc_path, proc_state=ocsp_trunc_proc_state ) except PathValidationError as e: raise OCSPValidationError(OCSP_PROVENANCE_ERR) from e # record validation in the original VC # TODO maybe have an (issuer, [verified_responder]) cache? # caching OCSP responder validation results with everything else is # probably somewhat incorrect responder_chain = _delegated_ocsp_response_path( responder_cert, issuer, ee_path ) validation_context.record_validation(responder_cert, responder_chain) else: responder_chain = _delegated_ocsp_response_path( responder_cert, issuer, ee_path ) ocsp_proc_state = ValProcState( cert_path_stack=proc_state.cert_path_stack.cons(responder_chain), ee_name_override=ocsp_ee_name_override, ) try: await intl_validate_path( validation_context, path=responder_chain, proc_state=ocsp_proc_state, ) except PathValidationError as e: raise OCSPValidationError(OCSP_PROVENANCE_ERR) from e def _ocsp_allowed(responder_cert: x509.Certificate): extended_key_usage = responder_cert.extended_key_usage_value return ( extended_key_usage is not None and 'ocsp_signing' in extended_key_usage.native ) @dataclass class _OCSPErrs(Errors): mismatch_failures: int = 0 def _match_ocsp_certid( cert: Union[x509.Certificate, cms.AttributeCertificateV2], issuer: Authority, ocsp_response: OCSPContainer, errs: _OCSPErrs, ) -> bool: cert_response = ocsp_response.extract_single_response() if cert_response is None: errs.mismatch_failures += 1 return False response_cert_id = cert_response['cert_id'] issuer_hash_algo = response_cert_id['hash_algorithm']['algorithm'].native is_pkc = isinstance(cert, x509.Certificate) if is_pkc: cert_issuer_name_hash = getattr(cert.issuer, issuer_hash_algo) cert_serial_number = cert.serial_number else: iss_name = extract_ac_issuer_dir_name(cert) cert_issuer_name_hash = getattr(iss_name, issuer_hash_algo) cert_serial_number = cert['ac_info']['serial_number'].native cert_issuer_key_hash = getattr(issuer.public_key, issuer_hash_algo) key_hash_mismatch = ( response_cert_id['issuer_key_hash'].native != cert_issuer_key_hash ) name_mismatch = ( response_cert_id['issuer_name_hash'].native != cert_issuer_name_hash ) serial_mismatch = ( response_cert_id['serial_number'].native != cert_serial_number ) if (name_mismatch or serial_mismatch) and key_hash_mismatch: errs.mismatch_failures += 1 return False if name_mismatch: errs.append( 'OCSP response issuer name hash does not match', ocsp_response ) return False if serial_mismatch: errs.append( 'OCSP response certificate serial number does not match', ocsp_response, ) return False if key_hash_mismatch: errs.append( 'OCSP response issuer key hash does not match', ocsp_response ) return False return True def _identify_responder_cert( ocsp_response: OCSPContainer, cert_store: CertificateCollection, errs: _OCSPErrs, ) -> Optional[x509.Certificate]: # To verify the response as legitimate, the responder cert must be located # prioritise the certificates included with the response, if there # are any response = ocsp_response.extract_basic_ocsp_response() # should be ensured by successful extraction earlier assert response is not None if response['certs']: cert_store = LayeredCertificateStore( [SimpleCertificateStore.from_certs(response['certs']), cert_store] ) tbs_response = response['tbs_response_data'] if tbs_response['responder_id'].name == 'by_key': key_identifier = tbs_response['responder_id'].native responder_cert = cert_store.retrieve_by_key_hash(key_identifier) if responder_cert is None: # The OCSP spec says that we have to look up the cert by comparing # the KeyHash value to the SHA-1 of the public key, which happens # to be the standard way to populate the subject key identifier # extension, so this lookup is usually equivalent to the above. # We do another lookup by SKI just in case. responder_cert = cert_store.retrieve_by_key_identifier( key_identifier ) else: candidate_responder_certs = cert_store.retrieve_by_name( tbs_response['responder_id'].chosen ) responder_cert = ( candidate_responder_certs[0] if candidate_responder_certs else None ) if not responder_cert: errs.append( "Unable to verify OCSP response since response signing " "certificate could not be located", ocsp_response, ) return responder_cert def _precheck_ocsp_responder_auth( responder_cert: x509.Certificate, issuer: Authority, is_pkc: bool ) -> Optional[bool]: """ This function checks OCSP conditions that don't require path validation to pass. If ``None`` is returned, path validation is necessary to proceed. """ # If the cert signing the OCSP response is not the issuer, it must be # issued by the cert issuer and be valid for OCSP responses. # We currently do _not_ allow naked trust anchor keys to be used in OCSP # validation (but that may change in the future). This decision is based on # a conservative reading of RFC 6960. # First, check whether the certs are the same. if ( isinstance(issuer, AuthorityWithCert) and issuer.certificate.issuer_serial == responder_cert.issuer_serial ): issuer_cert = issuer.certificate # let's check whether the certs are actually the same # (by comparing the signatures as a proxy) # -> literal interpretation of 4.2.2.2 in RFC 6960 issuer_sig = bytes(issuer_cert['signature_value']) responder_sig = bytes(responder_cert['signature_value']) return issuer_sig == responder_sig # If OCSP is being delegated # check whether the relevant OCSP-related extensions are present. # Also, explicitly disallow delegation for attribute authorities # since they cannot act as CAs and hence can't issue responder certificates. # This would otherwise be detected during path validation or while checking # the basicConstraints on the AA certificate, but this is more explicit. elif not _ocsp_allowed(responder_cert) or not is_pkc: return False return None async def _check_ocsp_authorisation( responder_cert: x509.Certificate, issuer: Authority, cert_path: ValidationPath, ocsp_response: OCSPContainer, validation_context: ValidationContext, is_pkc: bool, errs: _OCSPErrs, proc_state: ValProcState, ) -> bool: simple_check = _precheck_ocsp_responder_auth(responder_cert, issuer, is_pkc) # we can take an early out in this case if simple_check is not None: auth_ok = simple_check else: try: await _validate_delegated_ocsp_provenance( responder_cert=responder_cert, issuer=issuer, validation_context=validation_context, ee_path=cert_path, proc_state=proc_state, ) auth_ok = True except OCSPValidationError as e: errs.append(e.args[0], ocsp_response) auth_ok = False if not auth_ok: errs.append( 'Unable to verify OCSP response since response was ' 'signed by an unauthorized certificate', ocsp_response, ) return auth_ok def _check_ocsp_status( ocsp_response: OCSPContainer, proc_state: ValProcState, control_time: Optional[datetime], ) -> bool: cert_response = ocsp_response.extract_single_response() if cert_response is None: return False # Finally check to see if the certificate has been revoked status = cert_response['cert_status'].name if status == 'good': return True if status == 'revoked': revocation_info = cert_response['cert_status'].chosen reason: CRLReason = revocation_info['revocation_reason'] if reason.native is None: reason = crl.CRLReason('unspecified') revocation_dt: datetime = revocation_info['revocation_time'].native if control_time is None or revocation_dt <= control_time: raise RevokedError.format( reason=reason, revocation_dt=revocation_dt, revinfo_type='OCSP response', proc_state=proc_state, ) return False def _verify_ocsp_signature( responder_key: PublicKeyInfo, ocsp_response: OCSPContainer, sig_validator: SignatureValidator, errs: _OCSPErrs, ) -> bool: response = ocsp_response.extract_basic_ocsp_response() if response is None: return False # Verify that the response was properly signed by the validated certificate tbs_response = response['tbs_response_data'] try: sig_validator.validate_signature( signature=response['signature'].native, signed_data=tbs_response.dump(), public_key_info=responder_key, signature_algorithm=response['signature_algorithm'], ) return True except PSSParameterMismatch: errs.append( 'The signature parameters on the OCSP response do not match ' 'the constraints on the public key', ocsp_response, ) except InvalidSignature: errs.append('Unable to verify OCSP response signature', ocsp_response) return False def _assess_ocsp_relevance( cert: Union[x509.Certificate, cms.AttributeCertificateV2], issuer: Authority, ocsp_response: OCSPContainer, cert_store: CertificateCollection, errs: _OCSPErrs, ) -> Optional[x509.Certificate]: matched = _match_ocsp_certid( cert, issuer=issuer, ocsp_response=ocsp_response, errs=errs ) if not matched: return None responder_cert = _identify_responder_cert( ocsp_response, cert_store=cert_store, errs=errs ) if not responder_cert: return None return responder_cert async def _handle_single_ocsp_resp( cert: Union[x509.Certificate, cms.AttributeCertificateV2], issuer: Authority, path: ValidationPath, ocsp_response: OCSPContainer, validation_context: ValidationContext, errs: _OCSPErrs, proc_state: ValProcState, ) -> bool: responder_cert = _assess_ocsp_relevance( cert=cert, issuer=issuer, ocsp_response=ocsp_response, cert_store=validation_context.certificate_registry, errs=errs, ) if responder_cert is None: return False freshness_result = ocsp_response.usable_at( policy=validation_context.revinfo_policy, timing_params=validation_context.timing_params, ) rating = freshness_result.rating if rating != RevinfoUsabilityRating.OK: if rating == RevinfoUsabilityRating.STALE: msg = ( f'OCSP response is not recent enough ' f'({freshness_result.compared_to} > ' f'{freshness_result.last_usable_at})' ) errs.update_stale(freshness_result.last_usable_at) elif rating == RevinfoUsabilityRating.TOO_NEW: msg = 'OCSP response is too recent' else: msg = 'OCSP response freshness could not be established' errs.append(msg, ocsp_response, is_freshness_failure=True) return False signature_ok = _verify_ocsp_signature( responder_key=responder_cert.public_key, ocsp_response=ocsp_response, sig_validator=validation_context.sig_validator, errs=errs, ) if not signature_ok: return False # check whether the responder cert is authorised authorised = await _check_ocsp_authorisation( responder_cert, issuer=issuer, cert_path=path, ocsp_response=ocsp_response, validation_context=validation_context, is_pkc=isinstance(cert, x509.Certificate), errs=errs, proc_state=proc_state, ) if not authorised: return False timing = validation_context.timing_params control_time = ( timing.validation_time if timing.point_in_time_validation else None ) return _check_ocsp_status(ocsp_response, proc_state, control_time) async def verify_ocsp_response( cert: Union[x509.Certificate, cms.AttributeCertificateV2], path: ValidationPath, validation_context: ValidationContext, proc_state: Optional[ValProcState] = None, ): """ Verifies an OCSP response, checking to make sure the certificate has not been revoked. Fulfills the requirements of https://tools.ietf.org/html/rfc6960#section-3.2. :param cert: An asn1cyrpto.x509.Certificate object or an asn1crypto.cms.AttributeCertificateV2 object to verify the OCSP response for :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.OCSPNoMatchesError - when none of the OCSP responses match the certificate pyhanko_certvalidator.errors.OCSPValidationIndeterminateError - when the OCSP response could not be verified pyhanko_certvalidator.errors.RevokedError - when the OCSP response indicates the certificate has been revoked """ proc_state = proc_state or ValProcState(cert_path_stack=ConsList.sing(path)) cert_description = proc_state.describe_cert() try: cert_issuer = path.find_issuing_authority(cert) except LookupError: raise OCSPNoMatchesError( 'Could not determine issuer certificate for %s in path.', proc_state.describe_cert(), ) errs = _OCSPErrs() ocsp_responses = ( await validation_context.revinfo_manager.async_retrieve_ocsps( cert, cert_issuer ) ) for ocsp_response in ocsp_responses: try: ocsp_good = await _handle_single_ocsp_resp( cert=cert, issuer=cert_issuer, path=path, ocsp_response=ocsp_response, validation_context=validation_context, errs=errs, proc_state=proc_state, ) if ocsp_good: return except ValueError as e: msg = "Generic processing error while validating OCSP response." logging.debug(msg, exc_info=e) errs.append(msg, ocsp_response) if errs.mismatch_failures == len(ocsp_responses): raise OCSPNoMatchesError( f"No OCSP responses were issued for {cert_description}." ) raise OCSPValidationIndeterminateError( f"Unable to determine if {cert_description} " f"is revoked due to insufficient information from OCSP responses.", failures=errs.failures, suspect_stale=( errs.stale_last_usable_at if errs.freshness_failures_only else None ), ) @dataclass(frozen=True) class OCSPResponseOfInterest: ocsp_response: OCSPContainer prov_path: ValidationPath @dataclass(frozen=True) class OCSPCollectionResult: """ The result of an OCSP collection operation for AdES point-in-time validation purposes. """ responses: List[OCSPResponseOfInterest] """ List of potentially relevant OCSP responses. """ failure_msgs: List[str] """ List of failure messages, for error reporting purposes. """ async def collect_relevant_responses_with_paths( cert: Union[x509.Certificate, cms.AttributeCertificateV2], path: ValidationPath, revinfo_manager: RevinfoManager, control_time: datetime, proc_state: Optional[ValProcState] = None, ) -> OCSPCollectionResult: """ Collect potentially relevant OCSP responses with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param proc_state: The state of any prior validation process. :return: A :class:`.OCSPCollectionResult`. """ proc_state = proc_state or ValProcState(cert_path_stack=ConsList.sing(path)) try: cert_issuer_auth = path.find_issuing_authority(cert) except LookupError: raise OCSPNoMatchesError( f"Could not determine issuer certificate " f"for {proc_state.describe_cert()} in path." ) relevant = [] ocsp_responses = await revinfo_manager.async_retrieve_ocsps( cert, cert_issuer_auth ) poe_manager = revinfo_manager.poe_manager errs = _OCSPErrs() for ocsp_response_cont in ocsp_responses: issued = ocsp_response_cont.issuance_date if ( issued is None or issued > control_time or poe_manager[ocsp_response_cont] > control_time ): # We don't care about responses issued after control_time continue try: responder_cert = _assess_ocsp_relevance( cert=cert, issuer=cert_issuer_auth, ocsp_response=ocsp_response_cont, cert_store=revinfo_manager.certificate_registry, errs=errs, ) if responder_cert is None: continue path = _delegated_ocsp_response_path( responder_cert, cert_issuer_auth, ee_path=path ) result = OCSPResponseOfInterest( ocsp_response=ocsp_response_cont, prov_path=path ) relevant.append(result) except ValueError as e: msg = "Generic processing error while validating OCSP response." logging.debug(msg, exc_info=e) errs.append(msg, ocsp_response_cont) return OCSPCollectionResult( responses=relevant, failure_msgs=[f[0] for f in errs.failures], ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/sig_validate.py0000644000175100017510000001345015161577363026047 0ustar00runnerrunnerfrom __future__ import annotations import abc from dataclasses import dataclass from typing import Optional from asn1crypto import algos from asn1crypto.keys import PublicKeyInfo from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import ( dsa, ec, ed448, ed25519, padding, rsa, ) from pyhanko_certvalidator.errors import ( AlgorithmNotSupported, DSAParametersUnavailable, PSSParameterMismatch, ) from pyhanko_certvalidator.util import ( get_pyca_cryptography_hash_for_signing, process_pss_params, ) __all__ = [ 'DefaultSignatureValidator', 'SignatureValidationContext', 'SignatureValidator', ] @dataclass(frozen=True) class SignatureValidationContext: """ Additional context about a signature that is crucial for executing the cryptographic validation process. """ contextual_md_algorithm: Optional[str] = None """ Digest algorithm inferred from context. Used when the digest algorithm cannot be derived from the ASN.1 data describing the signature algorithm. """ prehashed: bool = False """ Indicates whether the payload was pre-hashed (not always possible depending on the signature algorithm). """ class SignatureValidator(abc.ABC): """ Abstracts away cryptographic validation primitives. """ def validate_signature( self, signature: bytes, signed_data: bytes, public_key_info: PublicKeyInfo, signature_algorithm: algos.SignedDigestAlgorithm, context: SignatureValidationContext = SignatureValidationContext(), ): """ Validate a cryptographic signature over a piece of data. :param signature: The signature data. :param signed_data: The signed data. :param public_key_info: The public key with which to validate the signature. :param signature_algorithm: The algorithm to use when validating. :param context: Additional context that is crucial for executing the cryptographic validation process. :raises InvalidSignature: Raised if the signature is invalid. """ raise NotImplementedError() class DefaultSignatureValidator(SignatureValidator): def validate_signature( self, signature: bytes, signed_data: bytes, public_key_info: PublicKeyInfo, signature_algorithm: algos.SignedDigestAlgorithm, context: SignatureValidationContext = SignatureValidationContext(), ): return _validate_raw( signature, signed_data, public_key_info, signature_algorithm, context, ) def _validate_raw( signature: bytes, signed_data: bytes, public_key_info: PublicKeyInfo, signature_algorithm: algos.SignedDigestAlgorithm, context: SignatureValidationContext = SignatureValidationContext(), ): """ Validate a raw signature. Internal API. """ try: sig_algo = signature_algorithm.signature_algo except ValueError: sig_algo = signature_algorithm['algorithm'].native parameters = signature_algorithm['parameters'] if ( sig_algo == 'dsa' and public_key_info['algorithm']['parameters'].native is None ): raise DSAParametersUnavailable( "DSA public key parameters were not provided." ) # pyca/cryptography can't load PSS-exclusive keys without some help: if public_key_info.algorithm == 'rsassa_pss': public_key_info = public_key_info.copy() assert isinstance(parameters, algos.RSASSAPSSParams) pss_key_params = public_key_info['algorithm']['parameters'].native if pss_key_params is not None and pss_key_params != parameters.native: raise PSSParameterMismatch( "Public key info includes PSS parameters that do not match " "those on the signature" ) # set key type to generic RSA, discard parameters public_key_info['algorithm'] = {'algorithm': 'rsa'} pub_key = serialization.load_der_public_key(public_key_info.dump()) try: hash_algo = signature_algorithm.hash_algo except ValueError: hash_algo = context.contextual_md_algorithm if sig_algo == 'rsassa_pkcs1v15': assert isinstance(pub_key, rsa.RSAPublicKey) verify_md = get_pyca_cryptography_hash_for_signing( hash_algo, prehashed=context.prehashed ) pub_key.verify(signature, signed_data, padding.PKCS1v15(), verify_md) elif sig_algo == 'rsassa_pss': assert isinstance(pub_key, rsa.RSAPublicKey) pss_padding, verify_md = process_pss_params( signature_algorithm['parameters'], prehashed=context.prehashed ) pub_key.verify(signature, signed_data, pss_padding, verify_md) elif sig_algo == 'dsa': assert isinstance(pub_key, dsa.DSAPublicKey) verify_md = get_pyca_cryptography_hash_for_signing( hash_algo, prehashed=context.prehashed ) pub_key.verify(signature, signed_data, verify_md) elif sig_algo == 'ecdsa': assert isinstance(pub_key, ec.EllipticCurvePublicKey) verify_md = get_pyca_cryptography_hash_for_signing( hash_algo, prehashed=context.prehashed ) pub_key.verify(signature, signed_data, ec.ECDSA(verify_md)) elif sig_algo == 'ed25519': assert isinstance(pub_key, ed25519.Ed25519PublicKey) pub_key.verify(signature, signed_data) elif sig_algo == 'ed448': assert isinstance(pub_key, ed448.Ed448PublicKey) pub_key.verify(signature, signed_data) else: raise AlgorithmNotSupported( f"Signature mechanism {sig_algo} is not supported." ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/util.py0000644000175100017510000002163115161577363024371 0ustar00runnerrunnerfrom __future__ import annotations import abc import logging from dataclasses import dataclass from typing import AsyncIterator, Generic, List, Optional, TypeVar, Union from asn1crypto import algos, cms, core, x509 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ( padding, ) from cryptography.hazmat.primitives.asymmetric.utils import Prehashed logger = logging.getLogger(__name__) def extract_dir_name( names: x509.GeneralNames, err_msg_prefix: str ) -> x509.Name: try: name: x509.Name = next( gname.chosen for gname in names if gname.name == 'directory_name' ) except StopIteration: raise NotImplementedError( f"{err_msg_prefix}; only distinguished names are supported, " f"and none were found." ) return name.untag() def extract_ac_issuer_dir_name( attr_cert: cms.AttributeCertificateV2, ) -> x509.Name: issuer_rec = attr_cert['ac_info']['issuer'] if issuer_rec.name == 'v1_form': aa_names = issuer_rec.chosen else: issuerv2: cms.V2Form = issuer_rec.chosen if not isinstance(issuerv2['issuer_name'], core.Void): aa_names = issuerv2['issuer_name'] else: aa_names = x509.GeneralNames([]) return extract_dir_name(aa_names, "Could not extract AC issuer name") def get_issuer_dn( cert: Union[x509.Certificate, cms.AttributeCertificateV2], ) -> x509.Name: if isinstance(cert, x509.Certificate): return cert.issuer else: return extract_ac_issuer_dir_name(cert) def issuer_serial( cert: Union[x509.Certificate, cms.AttributeCertificateV2], ) -> bytes: if isinstance(cert, x509.Certificate): return cert.issuer_serial else: issuer_name = extract_ac_issuer_dir_name(cert) result_bytes = b'%s:%d' % ( issuer_name.sha256, cert['ac_info']['serial_number'].native, ) return result_bytes def get_ac_extension_value( attr_cert: cms.AttributeCertificateV2, ext_name: str ): try: return next( ext['extn_value'].parsed for ext in attr_cert['ac_info']['extensions'] if ext['extn_id'].native == ext_name ) except StopIteration: return None def _get_absolute_http_crls(dps: Optional[x509.CRLDistributionPoints]): # see x509._get_http_crl_distribution_points if dps is None: return for distribution_point in dps: distribution_point_name = distribution_point['distribution_point'] if isinstance(distribution_point_name, core.Void): continue # RFC 5280 indicates conforming CA should not use the relative form if distribution_point_name.name == 'name_relative_to_crl_issuer': continue # This library is currently only concerned with HTTP-based CRLs for general_name in distribution_point_name.chosen: if general_name.name == 'uniform_resource_identifier': yield distribution_point def _get_ac_crl_dps( attr_cert: cms.AttributeCertificateV2, ) -> List[x509.DistributionPoint]: dps_ext = get_ac_extension_value(attr_cert, 'crl_distribution_points') return list(_get_absolute_http_crls(dps_ext)) def _get_ac_delta_crl_dps( attr_cert: cms.AttributeCertificateV2, ) -> List[x509.DistributionPoint]: delta_dps_ext = get_ac_extension_value(attr_cert, 'freshest_crl') return list(_get_absolute_http_crls(delta_dps_ext)) def get_relevant_crl_dps( cert: Union[x509.Certificate, cms.AttributeCertificateV2], *, use_deltas ) -> List[x509.DistributionPoint]: is_pkc = isinstance(cert, x509.Certificate) if is_pkc: # FIXME: This utility property in asn1crypto is not precise enough. # More to the point, URLs attached to the same distribution point # are considered interchangeable, but URLs belonging to different # distribution points very much aren't---different distribution points # can differ in what reason codes they record, etc. # For the time being, we'll assume that people who care about that sort # of nuance will run in 'require' mode, in which case the validator # should complain if the available CRLs don't cover all reason codes. sources = list(cert.crl_distribution_points) else: sources = _get_ac_crl_dps(cert) if use_deltas: if is_pkc: sources.extend(cert.delta_crl_distribution_points) else: sources.extend(_get_ac_delta_crl_dps(cert)) return sources def _get_http_ocsp_urls(aia_ext): if aia_ext is None: return for entry in aia_ext: # compare x509.Certificate.ocsp_urls if entry['access_method'].native == 'ocsp': location = entry['access_location'] if location.name != 'uniform_resource_identifier': continue url = location.native if url.lower().startswith( ( 'http://', 'https://', ) ): yield url def get_ocsp_urls(cert: Union[x509.Certificate, cms.AttributeCertificateV2]): if isinstance(cert, x509.Certificate): aia = cert.authority_information_access_value else: aia = get_ac_extension_value(cert, 'authority_information_access') return list(_get_http_ocsp_urls(aia)) def get_declared_revinfo( cert: Union[x509.Certificate, cms.AttributeCertificateV2], ): if isinstance(cert, x509.Certificate): aia = cert.authority_information_access_value crl_dps = cert.crl_distribution_points_value else: aia = get_ac_extension_value(cert, 'authority_information_access') crl_dps = get_ac_extension_value(cert, 'crl_distribution_points') has_crl = crl_dps is not None # check if the AIA contains any OCSP entries (and here we include all # entries, including those that we can't query) if aia is not None: has_ocsp = any(entry['access_method'].native == 'ocsp' for entry in aia) else: has_ocsp = False return has_crl, has_ocsp def get_pyca_cryptography_hash(algorithm) -> Union[hashes.HashAlgorithm]: if algorithm.lower() in ('shake256', 'shake256_len'): # force the output length to 64 bytes = 512 bits. We don't # support any other lengths because those can't be valid in CMS return hashes.SHAKE256(digest_size=64) else: return getattr(hashes, algorithm.upper())() def get_pyca_cryptography_hash_for_signing( algorithm, prehashed=False ) -> Union[hashes.HashAlgorithm, Prehashed]: hash_algo = get_pyca_cryptography_hash(algorithm) return Prehashed(hash_algo) if prehashed else hash_algo def process_pss_params(params: algos.RSASSAPSSParams, prehashed: bool = False): """ Extract PSS padding settings and message digest from an ``RSASSAPSSParams`` value. Internal API. """ hash_algo: algos.DigestAlgorithm = params['hash_algorithm'] md_name = hash_algo['algorithm'].native mga: algos.MaskGenAlgorithm = params['mask_gen_algorithm'] if not mga['algorithm'].native == 'mgf1': raise NotImplementedError("Only MFG1 is supported") mgf_md_name = mga['parameters']['algorithm'].native if mgf_md_name != md_name: logger.warning( f"Message digest for MGF1 is {mgf_md_name}, and the one used for " f"signing is {md_name}. If these do not agree, some software may " f"refuse to validate the signature." ) salt_len: int = params['salt_length'].native mgf_md = get_pyca_cryptography_hash(mgf_md_name) md = get_pyca_cryptography_hash_for_signing(md_name, prehashed=prehashed) pss_padding = padding.PSS( mgf=padding.MGF1(algorithm=mgf_md), salt_length=salt_len ) return pss_padding, md ListElem = TypeVar('ListElem') @dataclass(frozen=True) class ConsList(Generic[ListElem]): head: Optional[ListElem] tail: Optional[ConsList[ListElem]] = None @staticmethod def empty() -> ConsList[ListElem]: return ConsList(head=None) @staticmethod def sing(value: ListElem) -> ConsList[ListElem]: return ConsList(value, ConsList.empty()) def __iter__(self): cur = self while cur.head is not None: yield cur.head cur = cur.tail @property def last(self) -> Optional[ListElem]: cur = self result = None while cur.tail is not None: result = cur.head cur = cur.tail return result def cons(self, head: ListElem) -> ConsList[ListElem]: return ConsList(head, self) def __repr__(self): # pragma: nocover return f"ConsList({list(reversed(list(self)))})" def __bool__(self): return self.head is not None T = TypeVar('T') class CancelableAsyncIterator(abc.ABC, AsyncIterator[T]): async def cancel(self): raise NotImplementedError ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/validate.py0000644000175100017510000015556615161577363025224 0ustar00runnerrunner# coding: utf-8 import asyncio import datetime import enum import logging from dataclasses import dataclass from typing import Dict, FrozenSet, Iterable, List, Optional, Set from asn1crypto import algos, cms, core, x509 from asn1crypto.x509 import Validity from cryptography.exceptions import InvalidSignature from ._state import ValProcState from .asn1_types import AAControls, Target from .authority import AuthorityWithCert, TrustAnchor from .context import ACTargetDescription, ValidationContext from .errors import ( CRLFetchError, CRLNoMatchesError, CRLValidationIndeterminateError, DisallowedAlgorithmError, ExpiredError, InsufficientRevinfoError, InvalidAttrCertificateError, InvalidCertificateError, NotYetValidError, OCSPFetchError, OCSPNoMatchesError, OCSPValidationError, OCSPValidationIndeterminateError, PathBuildingError, PathValidationError, PSSParameterMismatch, StaleRevinfoError, ValidationError, ) from .name_trees import ( ExcludedSubtrees, PermittedSubtrees, default_excluded_subtrees, default_permitted_subtrees, process_general_subtrees, ) from .path import QualifiedPolicy, ValidationPath from .policy_decl import ( AlgorithmUsagePolicy, PKIXValidationParams, RevocationCheckingRule, intersect_policy_sets, ) from .policy_tree import ( PolicyTreeNode, PolicyTreeRoot, apply_policy_mapping, enumerate_policy_mappings, prune_unacceptable_policies, update_policy_tree, ) from .registry import CertificateCollection from .revinfo.validate_crl import verify_crl from .revinfo.validate_ocsp import verify_ocsp_response from .sig_validate import SignatureValidator from .util import ( ConsList, extract_dir_name, get_ac_extension_value, get_declared_revinfo, ) logger = logging.getLogger(__name__) def validate_path( validation_context, path, parameters: Optional[PKIXValidationParams] = None ): """ Validates the path using the algorithm from https://tools.ietf.org/html/rfc5280#section-6.1. Critical extensions on the end-entity certificate are not validated and are left up to the consuming application to process and/or fail on. .. note:: This is a synchronous equivalent of :func:`.async_validate_path` that calls the latter in a new event loop. As such, it can't be used from within asynchronous code. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param path: A pyhanko_certvalidator.path.ValidationPath object of the path to validate :param parameters: Additional input parameters to the PKIX validation algorithm. These are not used when validating CRLs and OCSP responses. :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked :return: The final certificate in the path - an instance of asn1crypto.x509.Certificate """ result = asyncio.run( async_validate_path(validation_context, path, parameters=parameters) ) return result async def async_validate_path( validation_context: ValidationContext, path: ValidationPath, parameters: Optional[PKIXValidationParams] = None, ): """ Validates the path using the algorithm from https://tools.ietf.org/html/rfc5280#section-6.1. Critical extensions on the end-entity certificate are not validated and are left up to the consuming application to process and/or fail on. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param path: A pyhanko_certvalidator.path.ValidationPath object of the path to validate :param parameters: Additional input parameters to the PKIX validation algorithm. These are not used when validating CRLs and OCSP responses. :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked :return: The final certificate in the path - an instance of asn1crypto.x509.Certificate """ proc_state = ValProcState(cert_path_stack=ConsList.sing(path)) return await intl_validate_path( validation_context, path, parameters=parameters, proc_state=proc_state ) def validate_usage( cert: x509.Certificate, key_usage: Set[str], extended_key_usage: Set[str], extended_optional: bool, ): """ Validates the end-entity certificate from a pyhanko_certvalidator.path.ValidationPath object to ensure that the certificate is valid for the key usage and extended key usage purposes specified. THE CERTIFICATE PATH MUST BE VALIDATED SEPARATELY VIA validate_path()! :param cert: An asn1crypto.x509.Certificate object returned from validate_path() :param key_usage: A set of unicode strings of the required key usage purposes :param extended_key_usage: A set of unicode strings of the required extended key usage purposes :param extended_optional: A bool - if the extended_key_usage extension may be omitted and still considered valid :raises: pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified """ if key_usage is None: key_usage = set() if extended_key_usage is None: extended_key_usage = set() missing_key_usage = key_usage if cert.key_usage_value: missing_key_usage = key_usage - cert.key_usage_value.native missing_extended_key_usage = set() if extended_optional is False and not cert.extended_key_usage_value: missing_extended_key_usage = extended_key_usage elif cert.extended_key_usage_value is not None: missing_extended_key_usage = extended_key_usage - set( cert.extended_key_usage_value.native ) if missing_key_usage or missing_extended_key_usage: plural = ( 's' if len(missing_key_usage | missing_extended_key_usage) > 1 else '' ) friendly_purposes = [] for purpose in sorted(missing_key_usage | missing_extended_key_usage): friendly_purposes.append(purpose.replace('_', ' ')) raise InvalidCertificateError( f"The X.509 certificate provided is not valid for the " f"purpose{plural} of {', '.join(friendly_purposes)}" ) def validate_aa_usage( cert: x509.Certificate, extended_key_usage: Optional[Set[str]] = None, ): """ Validate AA certificate profile conditions in RFC 5755 § 4.5 :param cert: :param extended_key_usage: :return: """ # Check key usage requirements validate_usage( cert, key_usage={'digital_signature'}, extended_key_usage=extended_key_usage or set(), extended_optional=extended_key_usage is not None, ) # Check basic constraints: AA must not be a CA bc = cert.basic_constraints_value if bc is not None and bool(bc['ca']): raise InvalidCertificateError( "The X.509 certificate provided is a CA certificate, so " "it cannot be used to validate attribute certificates." ) def _validate_ac_targeting( attr_cert: cms.AttributeCertificateV2, acceptable_targets: ACTargetDescription, ): target_info = get_ac_extension_value(attr_cert, 'target_information') if target_info is None: return target: Target gen_name: x509.GeneralName for targets in target_info: for target in targets: if target.name == 'target_name': gen_name = target.chosen valid_names = acceptable_targets.validator_names elif target.name == 'target_group': gen_name = target.chosen valid_names = acceptable_targets.group_memberships else: logger.info( f"'{target.name}' is not supported as a targeting mode; " f"ignoring." ) continue try: target_ok = gen_name in valid_names except ValueError: # fall back to binary comparison in case the name type is not # supported by asn1crypto's comparison logic for GeneralName # (we could be more efficient here, but this is probably # rare, so let's follow YAGNI) target_ok = gen_name.dump() in {n.dump() for n in valid_names} if target_ok: return # TODO log audit identity raise InvalidAttrCertificateError("AC targeting check failed") SUPPORTED_AC_EXTENSIONS = frozenset( [ 'authority_information_access', 'authority_key_identifier', 'crl_distribution_points', 'freshest_crl', 'key_identifier', 'no_rev_avail', 'target_information', # NOTE: we don't actively process this extension, but we never log holder # identifying information, so the purpose of the audit identity # extension is still satisfied. # TODO actually use audit_identity for logging purposes, falling back # to holder info if audit_identity is not available. 'audit_identity', ] ) def _parse_iss_serial( iss_serial: cms.IssuerSerial, err_msg_prefix: str ) -> bytes: """ Render a cms.IssuerSerial value into something that matches x509.Certificate.issuer_serial output. """ issuer_names = iss_serial['issuer'] issuer_dirname = extract_dir_name(issuer_names, err_msg_prefix) result_bytes = b'%s:%d' % ( issuer_dirname.sha256, iss_serial['serial'].native, ) return result_bytes def _process_aki_ext(aki_ext: x509.AuthorityKeyIdentifier): aki = aki_ext['key_identifier'].native # could be None auth_iss_ser = auth_iss_dirname = None if not isinstance(aki_ext['authority_cert_issuer'], core.Void): auth_iss_dirname = extract_dir_name( aki_ext['authority_cert_issuer'], "Could not decode authority issuer in AKI extension", ) auth_ser = aki_ext['authority_cert_serial_number'].native if auth_ser is not None: auth_iss_ser = b'%s:%d' % (auth_iss_dirname.sha256, auth_ser) return aki, auth_iss_dirname, auth_iss_ser def _candidate_ac_issuers( attr_cert: cms.AttributeCertificateV2, registry: CertificateCollection ): # TODO support matching against subjectAltName? # Outside the scope of RFC 5755, but it might make sense issuer_rec = attr_cert['ac_info']['issuer'] aa_names: Optional[x509.GeneralNames] = None aa_iss_serial: Optional[bytes] = None if issuer_rec.name == 'v1_form': aa_names = issuer_rec.chosen else: issuerv2: cms.V2Form = issuer_rec.chosen if not isinstance(issuerv2['issuer_name'], core.Void): aa_names = issuerv2['issuer_name'] if not isinstance(issuerv2['base_certificate_id'], core.Void): # not allowed by RFC 5755, but let's parse it anyway if # we encounter it aa_iss_serial = _parse_iss_serial( issuerv2['base_certificate_id'], "Could not identify AA issuer in base_certificate_id", ) if not isinstance(issuerv2['object_digest_info'], core.Void): # TODO support objectdigestinfo? Also not allowed by RFC 5755 raise NotImplementedError( "Could not identify AA; objectDigestInfo is not supported." ) # Process the AKI extension if there is one aki_ext = get_ac_extension_value(attr_cert, 'authority_key_identifier') if aki_ext is not None: aki, aa_issuer, aki_aa_iss_serial = _process_aki_ext(aki_ext) if aki_aa_iss_serial is not None: if aa_iss_serial is not None and aa_iss_serial != aki_aa_iss_serial: raise InvalidAttrCertificateError( "AC's AKI extension and issuer include conflicting " "identifying information for the issuing AA" ) else: aa_iss_serial = aki_aa_iss_serial else: aki = None candidates: Iterable[x509.Certificate] = () aa_name = None if aa_names is not None: aa_name = extract_dir_name(aa_names, "Could not identify AA by name") if aa_iss_serial is not None: exact_cert = registry.retrieve_by_issuer_serial(aa_iss_serial) if exact_cert is not None: candidates = (exact_cert,) elif aa_name is not None: candidates = registry.retrieve_by_name(aa_name) for aa_candidate in candidates: if aa_name is not None and aa_candidate.subject != aa_name: continue if aki is not None and aa_candidate.key_identifier != aki: # AC's AKI doesn't match candidate's SKI continue yield aa_candidate def _check_ac_signature( attr_cert: cms.AttributeCertificateV2, aa_cert: x509.Certificate, validation_context: ValidationContext, ): sd_algo = attr_cert['signature_algorithm'] embedded_sd_algo = attr_cert['ac_info']['signature'] use_time = validation_context.best_signature_time digest_allowed = ( validation_context.algorithm_policy.signature_algorithm_allowed( sd_algo, use_time, public_key=aa_cert.public_key ) ) if sd_algo.native != embedded_sd_algo.native: raise InvalidAttrCertificateError( "Signature algorithm declaration in signed portion of AC does not " "match the signature algorithm declaration on the envelope." ) elif not digest_allowed: raise DisallowedAlgorithmError( "The attribute certificate could not be validated because " f"the signature uses the disallowed signature algorithm " f"{sd_algo['algorithm'].native}. ", is_ee_cert=True, is_side_validation=False, banned_since=digest_allowed.not_allowed_after, ) try: validation_context.sig_validator.validate_signature( signature=attr_cert['signature'].native, signed_data=attr_cert['ac_info'].dump(), # TODO support PK parameter inheritance? # (would have to remember the working public key from the # validation algo) # low-priority since this only affects DSA in practice public_key_info=aa_cert.public_key, signature_algorithm=sd_algo, ) except PSSParameterMismatch: raise InvalidAttrCertificateError( "The signature parameters for the attribute certificate " "do not match the constraints on the public key. " ) except InvalidSignature: raise InvalidAttrCertificateError( "The attribute certificate could not be validated because the " "signature could not be verified." ) def check_ac_holder_match(holder_cert: x509.Certificate, holder: cms.Holder): """ Match a candidate holder certificate against the holder entry of an attribute certificate. :param holder_cert: Candidate holder certificate. :param holder: Holder value to match against. :return: Return the parts of the holder entry that mismatched as a set. Possible values are `'base_certificate_id'`, `'entity_name'` and `'object_digest_info'`. If the returned set is empty, all entries in the holder entry matched the information in the certificate. """ base_cert_id = holder['base_certificate_id'] mismatches = set() # TODO what about subjectAltName matches? if not isinstance(base_cert_id, core.Void): # repurpose _parse_iss_serial since RFC 5755 restricts # baseCertificateID.issuer to a single DN designated_iss_serial = _parse_iss_serial( base_cert_id, "Could not identify holder certificate issuer" ) if designated_iss_serial != holder_cert.issuer_serial: mismatches.add('base_certificate_id') entity_name = holder['entity_name'] # TODO what about subjectAltName matches? if not isinstance(entity_name, core.Void): holder_dn = extract_dir_name( entity_name, "Could not identify AC holder DN" ) if holder_dn != holder_cert.subject: mismatches.add('entity_name') # TODO implement objectDigestInfo support obj_digest_info = holder['object_digest_info'] if not isinstance(obj_digest_info, core.Void): raise NotImplementedError( "Object digest info is currently not supported" ) return mismatches @dataclass(frozen=True) class ACValidationResult: """ The result of a successful attribute certificate validation. """ attr_cert: cms.AttributeCertificateV2 """ The attribute certificate that was validated. """ aa_cert: x509.Certificate """ The attribute authority that issued the certificate. """ aa_path: ValidationPath """ The validation path of the attribute authority's certificate. """ approved_attributes: Dict[str, cms.AttCertAttribute] """ Approved attributes in the attribute certificate, possibly filtered by AA controls. """ async def async_validate_ac( attr_cert: cms.AttributeCertificateV2, validation_context: ValidationContext, aa_pkix_params: PKIXValidationParams = PKIXValidationParams(), holder_cert: Optional[x509.Certificate] = None, ) -> ACValidationResult: """ Validate an attribute certificate with respect to a given validation context. :param attr_cert: The attribute certificate to validate. :param validation_context: The validation context to validate against. :param aa_pkix_params: PKIX validation parameters to supply to the path validation algorithm applied to the attribute authority's certificate. :param holder_cert: Certificate of the presumed holder to match against the AC's holder entry. If not provided, the holder check is left to the caller to perform. .. note:: This is a convenience option in case there's only one reasonable candidate holder certificate (e.g. when the attribute certificates are part of a CMS SignedData value with only a single signer). :return: An :class:`.ACValidationResult` detailing the validation result, if successful. """ # Process extensions # We do this first because all later steps may involve potentially slow # network IO, so this allows quicker failure. extensions_present = { ext['extn_id'].native: bool(ext['critical']) for ext in attr_cert['ac_info']['extensions'] } unsupported_critical_extensions = { ext for ext, crit in extensions_present.items() if crit and ext not in SUPPORTED_AC_EXTENSIONS } if unsupported_critical_extensions: raise InvalidCertificateError( "The AC could not be validated because it contains the " f"following unsupported critical extension" f"{'s' if len(unsupported_critical_extensions) != 1 else ''}: " f"{', '.join(sorted(unsupported_critical_extensions))}." ) if 'target_information' in extensions_present: targ_desc = validation_context.acceptable_ac_targets if targ_desc is None: raise InvalidAttrCertificateError( "The attribute certificate is targeted, but no targeting " "information is available in the validation context." ) _validate_ac_targeting(attr_cert, targ_desc) ac_holder = attr_cert['ac_info']['holder'] if len(ac_holder) == 0: raise InvalidAttrCertificateError("AC holder entry is empty") if holder_cert is not None: mismatches = check_ac_holder_match(holder_cert, ac_holder) if mismatches: raise InvalidAttrCertificateError( f"Could not match AC holder entry against supplied holder " f"certificate; mismatched entries: {', '.join(mismatches)}" ) path_builder = validation_context.path_builder aa_candidates = _candidate_ac_issuers( attr_cert, validation_context.certificate_registry ) exceptions: List[Exception] = [] aa_path: Optional[ValidationPath] = None for aa_candidate in aa_candidates: try: validate_aa_usage(aa_candidate) except InvalidAttrCertificateError as e: exceptions.append(e) continue try: paths = await path_builder.async_build_paths(aa_candidate) except PathBuildingError as e: exceptions.append(e) continue for candidate_path in paths: try: await intl_validate_path( validation_context, candidate_path, parameters=aa_pkix_params, proc_state=ValProcState( cert_path_stack=ConsList.sing(candidate_path), ee_name_override="AA certificate", ), cert_profile=EECertProfile.ATTRIBUTE_AUTHORITY, ) aa_path = candidate_path break except ValidationError as e: exceptions.append(e) if aa_path is None: # TODO log audit identifier if not exceptions: raise PathBuildingError( "Could not find a suitable AA for the attribute certificate" ) else: raise exceptions[0] # check the signature aa_cert = aa_path.last _check_ac_signature(attr_cert, aa_cert, validation_context) validity = attr_cert['ac_info']['att_cert_validity_period'] # NOTE: this is a bit of a hack, and the path in question is only used # for error reporting # TODO make paths with ACs at the end easier to handle ac_path = aa_path.copy_and_append(attr_cert) proc_state = ValProcState( cert_path_stack=ConsList.sing(ac_path), is_side_validation=False, ee_name_override="attribute certificate", init_index=len(ac_path), ) _check_validity( validity=Validity( { 'not_before': validity['not_before_time'], 'not_after': validity['not_after_time'], } ), moment=validation_context.moment, tolerance=validation_context.time_tolerance, proc_state=proc_state, ) if 'no_rev_avail' not in extensions_present: await _check_revocation( attr_cert, validation_context, ac_path, proc_state=proc_state ) ok_attrs = { attr['type'].native: attr for attr in attr_cert['ac_info']['attributes'] if aa_path.aa_attr_in_scope(attr['type']) } return ACValidationResult( attr_cert=attr_cert, aa_cert=aa_cert, aa_path=aa_path, approved_attributes=ok_attrs, ) @dataclass class _PathValidationState: """ State variables that need to be maintained while traversing a certification path """ valid_policy_tree: Optional['PolicyTreeRoot'] explicit_policy: int inhibit_any_policy: int policy_mapping: int max_path_length: int max_aa_path_length: int working_public_key: x509.PublicKeyInfo working_issuer_name: x509.Name permitted_subtrees: PermittedSubtrees excluded_subtrees: ExcludedSubtrees aa_controls_used: bool = False @staticmethod def init_pkix_validation_state( path_length, trust_anchor: TrustAnchor, parameters: Optional[PKIXValidationParams], ): trust_anchor_quals = trust_anchor.trust_qualifiers max_path_length = max_aa_path_length = path_length if trust_anchor_quals.max_path_length is not None: max_path_length = trust_anchor_quals.max_path_length if trust_anchor_quals.max_path_length is not None: max_aa_path_length = trust_anchor_quals.max_aa_path_length trust_anchor_params = trust_anchor_quals.standard_parameters if parameters is not None and trust_anchor_params is not None: # need to make sure both sets of parameters are respected acceptable_policies = intersect_policy_sets( parameters.user_initial_policy_set, trust_anchor_params.user_initial_policy_set, ) initial_any_policy_inhibit = ( parameters.initial_any_policy_inhibit and parameters.initial_any_policy_inhibit ) initial_explicit_policy = ( parameters.initial_explicit_policy and parameters.initial_explicit_policy ) initial_policy_mapping_inhibit = ( parameters.initial_policy_mapping_inhibit and parameters.initial_policy_mapping_inhibit ) initial_permitted_subtrees = PermittedSubtrees( parameters.initial_permitted_subtrees or default_permitted_subtrees() ) if trust_anchor_params.initial_permitted_subtrees is not None: initial_permitted_subtrees.intersect_with( trust_anchor_params.initial_permitted_subtrees ) initial_excluded_subtrees = ExcludedSubtrees( parameters.initial_excluded_subtrees or default_excluded_subtrees() ) if trust_anchor_params.initial_excluded_subtrees is not None: initial_excluded_subtrees.union_with( trust_anchor_params.initial_excluded_subtrees ) else: parameters = ( parameters or trust_anchor_params or PKIXValidationParams() ) acceptable_policies = parameters.user_initial_policy_set initial_explicit_policy = parameters.initial_explicit_policy initial_any_policy_inhibit = parameters.initial_any_policy_inhibit initial_policy_mapping_inhibit = ( parameters.initial_policy_mapping_inhibit ) initial_permitted_subtrees = PermittedSubtrees( parameters.initial_permitted_subtrees or default_permitted_subtrees() ) initial_excluded_subtrees = ExcludedSubtrees( parameters.initial_excluded_subtrees or default_excluded_subtrees() ) state = _PathValidationState( # Step 1 a valid_policy_tree=PolicyTreeRoot.init_policy_tree( 'any_policy', set(), {'any_policy'} ), # Steps 1 b-c permitted_subtrees=initial_permitted_subtrees, excluded_subtrees=initial_excluded_subtrees, # Steps 1 d-f explicit_policy=(0 if initial_explicit_policy else path_length + 1), inhibit_any_policy=( 0 if initial_any_policy_inhibit else path_length + 1 ), policy_mapping=( 0 if initial_policy_mapping_inhibit else path_length + 1 ), # Steps 1 g-j working_public_key=trust_anchor.authority.public_key, working_issuer_name=trust_anchor.authority.name, # Step 1 k max_path_length=max_path_length, # NOTE: the algorithm (for now) assumes that the AA CA of RFC 5755 # is trusted by fiat, and does not require chaining up to a distinct # CA. In particular, we assume that the AA CA is the trust anchor in # the path. This matches the validation model used in signature # policies (where there are separate trust trees for attributes) max_aa_path_length=max_aa_path_length, ) return state, acceptable_policies def update_policy_restrictions(self, cert: x509.Certificate): # Step 3 h if not cert.self_issued: # Step 3 h 1 if self.explicit_policy != 0: self.explicit_policy -= 1 # Step 3 h 2 if self.policy_mapping != 0: self.policy_mapping -= 1 # Step 3 h 3 if self.inhibit_any_policy != 0: self.inhibit_any_policy -= 1 # Step 3 i policy_constraints = cert.policy_constraints_value if policy_constraints: # Step 3 i 1 require_explicit_policy = policy_constraints[ 'require_explicit_policy' ].native if require_explicit_policy is not None: self.explicit_policy = min( self.explicit_policy, require_explicit_policy ) # Step 3 i 2 inhibit_policy_mapping = policy_constraints[ 'inhibit_policy_mapping' ].native if inhibit_policy_mapping is not None: self.policy_mapping = min( self.policy_mapping, inhibit_policy_mapping ) # Step 3 j if cert.inhibit_any_policy_value is not None: self.inhibit_any_policy = min( cert.inhibit_any_policy_value.native, self.inhibit_any_policy ) def process_policies( self, index: int, certificate_policies, any_policy_uninhibited, proc_state: ValProcState, ): if certificate_policies and self.valid_policy_tree is not None: self.valid_policy_tree = update_policy_tree( certificate_policies, self.valid_policy_tree, depth=index, any_policy_uninhibited=any_policy_uninhibited, ) # Step 2 e elif certificate_policies is None: self.valid_policy_tree = None # Step 2 f if self.valid_policy_tree is None and self.explicit_policy <= 0: raise PathValidationError.from_state( "The path could not be validated because there is no valid set " f"of policies for {proc_state.describe_cert()}", proc_state, ) def check_name_constraints(self, cert, proc_state: ValProcState): # name constraint processing whitelist_result = self.permitted_subtrees.accept_cert(cert) if not whitelist_result: raise PathValidationError.from_state( "The path could not be validated because not all names of " f"{proc_state.describe_cert()} are in the permitted namespace " f"of the issuing authority. {whitelist_result.error_message}", proc_state, ) blacklist_result = self.excluded_subtrees.accept_cert(cert) if not blacklist_result: raise PathValidationError.from_state( "The path could not be validated because some names of " f"{proc_state.describe_cert()} are excluded from the " f"namespace of the issuing authority. " f"{blacklist_result.error_message}", proc_state, ) def check_certificate_signature( self, cert: x509.Certificate, algorithm_policy: AlgorithmUsagePolicy, proc_state: ValProcState, moment: datetime.datetime, sig_validator: SignatureValidator, ): sd_algo: algos.SignedDigestAlgorithm = cert['signature_algorithm'] sd_algo_name = sd_algo['algorithm'].native sig_algo_allowed = algorithm_policy.signature_algorithm_allowed( sd_algo, moment, public_key=self.working_public_key ) if not sig_algo_allowed: msg = ( f"The path could not be validated because the signature " f"of {proc_state.describe_cert()} uses the disallowed " f"signature mechanism {sd_algo_name}." ) if sig_algo_allowed.failure_reason is not None: msg += f" Reason: {sig_algo_allowed.failure_reason}." raise DisallowedAlgorithmError.from_state( msg, proc_state, banned_since=sig_algo_allowed.not_allowed_after, ) try: sig_validator.validate_signature( signature=cert['signature_value'].native, signed_data=cert['tbs_certificate'].dump(), public_key_info=self.working_public_key, signature_algorithm=sd_algo, ) except PSSParameterMismatch: raise PathValidationError.from_state( f"The signature parameters for {proc_state.describe_cert()} do " f"not match the constraints on the public key.", proc_state, ) except InvalidSignature: raise PathValidationError.from_state( f"The path could not be validated because the signature of " f"{proc_state.describe_cert()} could not be verified", proc_state, ) # TODO allow delegation to calling library here? SUPPORTED_EXTENSIONS = frozenset( [ 'authority_information_access', 'authority_key_identifier', 'basic_constraints', 'crl_distribution_points', 'extended_key_usage', 'freshest_crl', 'key_identifier', 'key_usage', 'ocsp_no_check', 'certificate_policies', 'policy_mappings', 'policy_constraints', 'inhibit_any_policy', 'name_constraints', 'subject_alt_name', 'aa_controls', # Include the OID and human-readable name for the qcStatements # injection. ETSI EN 319 412-5 mandates that this extension _not_ # be marked critical, but some CAs do it anyway. '1.3.6.1.5.5.7.1.3', 'qc_statements', ] ) @enum.unique class EECertProfile(enum.Enum): REGULAR = 'regular' ATTRIBUTE_AUTHORITY = 'attribute_authority' async def intl_validate_path( validation_context: ValidationContext, path: ValidationPath, proc_state: ValProcState, parameters: Optional[PKIXValidationParams] = None, cert_profile: EECertProfile = EECertProfile.REGULAR, ): """ Internal copy of validate_path() that allows overriding the name of the end-entity certificate as used in exception messages. This functionality is used during chain validation when dealing with indirect CRLs issuer or OCSP responder certificates. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for configuring validation behavior :param path: A pyhanko_certvalidator.path.ValidationPath object of the path to validate :param proc_state: Internal state for error reporting and policy application decisions. :param parameters: Additional input parameters to the PKIX validation algorithm. These are not used when validating CRLs and OCSP responses. :param cert_profile: End-entity certificate profile to use. Currently, this is only used to decide whether to process the AAControls extension. :return: The final certificate in the path - an instance of asn1crypto.x509.Certificate """ moment = validation_context.moment qualifiers = path.trust_anchor.trust_qualifiers if qualifiers.valid_from is not None and qualifiers.valid_from > moment: raise NotYetValidError.format( valid_from=qualifiers.valid_from, proc_state=proc_state ) elif qualifiers.valid_until is not None and qualifiers.valid_until < moment: raise ExpiredError.format( expired_dt=qualifiers.valid_until, proc_state=proc_state ) # Inputs trust_anchor = path.trust_anchor path_length = path.pkix_len # Step 1: initialization ( state, acceptable_policies, ) = _PathValidationState.init_pkix_validation_state( path_length, trust_anchor, parameters ) # Step 2: basic processing completed_path: ValidationPath = ValidationPath( trust_anchor, interm=[], leaf=None ) cert: Optional[x509.Certificate] authority = trust_anchor.authority if isinstance(authority, AuthorityWithCert): # if the trust root has a cert, record it as validated. validation_context.record_validation( authority.certificate, completed_path ) cert = authority.certificate else: cert = None # TODO support this for attr certs leaf_asserted_nonrevoked = False revinfo_manager = validation_context.revinfo_manager if isinstance(path.leaf, x509.Certificate): leaf_asserted_nonrevoked = revinfo_manager.check_asserted_unrevoked( path.leaf, moment ) for index in range(1, path_length + 1): cert = path[index] proc_state.index += 1 # Step 2 a 1 state.check_certificate_signature( cert, validation_context.algorithm_policy, proc_state, validation_context.best_signature_time, validation_context.sig_validator, ) # Step 2 a 2 tolerance = validation_context.time_tolerance validity = cert['tbs_certificate']['validity'] _check_validity( validity=validity, moment=moment, tolerance=tolerance, proc_state=proc_state, ) # Step 2 a 3 - CRL/OCSP if ( not leaf_asserted_nonrevoked and not revinfo_manager.check_asserted_unrevoked(cert, moment) ): await _check_revocation( cert=cert, validation_context=validation_context, path=path, proc_state=proc_state, ) # Step 2 a 4 if cert.issuer != state.working_issuer_name: raise PathValidationError.from_state( f"The path could not be validated because " f"{proc_state.describe_cert()} issuer name " f"could not be matched", proc_state, ) # Steps 2 b-c if index == path_length or not cert.self_issued: state.check_name_constraints(cert, proc_state=proc_state) # Steps 2 d state.process_policies( index, cert.certificate_policies_value, # (see step 2 d 2) any_policy_uninhibited=( state.inhibit_any_policy > 0 or (index < path_length and cert.self_issued) ), proc_state=proc_state, ) if index < path_length: # Step 3: prepare for certificate index+1 _prepare_next_step(index, cert, state, proc_state=proc_state) if cert_profile == EECertProfile.ATTRIBUTE_AUTHORITY: _check_aa_controls(cert, state, index, proc_state=proc_state) # Step 3 o / 4 f # Check for critical unsupported extensions unsupported_critical_extensions = ( cert.critical_extensions - SUPPORTED_EXTENSIONS ) if unsupported_critical_extensions: raise PathValidationError.from_state( f"The path could not be validated because " f"{proc_state.describe_cert()} contains the " f"following unsupported critical extension" f"{'s' if len(unsupported_critical_extensions) != 1 else ''}" f": {', '.join(sorted(unsupported_critical_extensions))}", proc_state, ) if validation_context: # TODO I left this in from the original code, # but caching intermediate results might not be appropriate at all # times. For example, handling for self-issued certs is different # depending on whether they're treated as an end-entity or not. completed_path = completed_path.copy_and_append(cert) validation_context.record_validation(cert, completed_path) # Step 4: wrap-up procedure # Steps 4 c-e skipped since this method doesn't output it # Step 4 f skipped since this method defers that to the calling application # --> only policy processing remains if cert is not None: qualified_policies = _finish_policy_processing( state=state, cert=cert, acceptable_policies=acceptable_policies, path_length=path_length, proc_state=proc_state, ) path._set_qualified_policies(qualified_policies) # TODO cache valid policies on intermediate certs too? completed_path._set_qualified_policies(qualified_policies) return cert def _check_validity( validity: Validity, moment, tolerance, proc_state: ValProcState ): if moment < validity['not_before'].native - tolerance: raise NotYetValidError.format( valid_from=validity['not_before'].native, proc_state=proc_state ) if moment > validity['not_after'].native + tolerance: raise ExpiredError.format( expired_dt=validity['not_after'].native, proc_state=proc_state ) def _finish_policy_processing( state, cert, acceptable_policies, path_length, proc_state: ValProcState ): # Step 4 a if state.explicit_policy != 0: state.explicit_policy -= 1 # Step 4 b if cert.policy_constraints_value: if cert.policy_constraints_value['require_explicit_policy'].native == 0: state.explicit_policy = 0 # Step 4 g # Step 4 g i intersection: Optional[PolicyTreeRoot] if state.valid_policy_tree is None: intersection = None # Step 4 g ii elif acceptable_policies == {'any_policy'}: intersection = state.valid_policy_tree # Step 4 g iii else: intersection = prune_unacceptable_policies( path_length, state.valid_policy_tree, acceptable_policies ) qualified_policies: FrozenSet[QualifiedPolicy] = frozenset() if intersection is not None: # collect policies in a user-friendly format and attach them to the # path object def _enum_policies() -> Iterable[QualifiedPolicy]: accepted_policy: PolicyTreeNode assert intersection is not None for accepted_policy in intersection.at_depth(path_length): listed_pol = accepted_policy.valid_policy if listed_pol != 'any_policy': # the first ancestor that is a child of any_policy # will have an ID that makes sense in the user's policy # domain (here 'ancestor' includes the node itself) user_domain_policy_id = next( ancestor.valid_policy for ancestor in accepted_policy.path_to_root() if ancestor.parent.valid_policy == 'any_policy' ) else: # any_policy can't be mapped, so we don't have to do # any walking up the tree. This also covers the corner case # where the path length is 0 (in this case, PKIX validation # is pointless, but we have to deal with it gracefully) user_domain_policy_id = 'any_policy' yield QualifiedPolicy( user_domain_policy_id=user_domain_policy_id, issuer_domain_policy_id=listed_pol, qualifiers=frozenset(accepted_policy.qualifier_set), ) qualified_policies = frozenset(_enum_policies()) elif state.explicit_policy == 0: raise PathValidationError.from_state( f"The path could not be validated because there is no valid set of " f"policies for {proc_state.describe_cert()}.", proc_state, ) return qualified_policies async def _check_revocation( cert, validation_context: ValidationContext, path: ValidationPath, proc_state: ValProcState, ): ocsp_status_good = False revocation_check_failed = False ocsp_matched = False crl_matched = False soft_fail = False failures = [] cert_has_crl, cert_has_ocsp = get_declared_revinfo(cert) revinfo_declared = cert_has_crl or cert_has_ocsp rev_check_policy = ( validation_context.revinfo_policy.revocation_checking_policy ) rev_rule = ( rev_check_policy.ee_certificate_rule if proc_state.is_ee_cert else rev_check_policy.intermediate_ca_cert_rule ) ocsp_suspect_stale_since = None # for OCSP, we don't bother if there's nothing in the certificate's AIA if rev_rule.ocsp_relevant and cert_has_ocsp: try: await verify_ocsp_response( cert, path, validation_context, proc_state=proc_state ) ocsp_status_good = True ocsp_matched = True except OCSPValidationIndeterminateError as e: failures.extend([failure[0] for failure in e.failures]) revocation_check_failed = True ocsp_matched = True ocsp_suspect_stale_since = e.suspect_stale except OCSPNoMatchesError: pass except OCSPFetchError as e: if rev_rule.tolerant: soft_fail = True validation_context._report_soft_fail(e) else: failures.append(e.args[0]) revocation_check_failed = True except OCSPValidationError as e: failures.append(e.args[0]) revocation_check_failed = True ocsp_matched = True if not ocsp_status_good and rev_rule.ocsp_mandatory: if failures: err_str = '; '.join(str(f) for f in failures) else: err_str = 'an applicable OCSP response could not be found' msg = ( f"The path could not be validated because the mandatory OCSP " f"check(s) for {proc_state.describe_cert()} failed: {err_str}" ) if ocsp_suspect_stale_since: raise StaleRevinfoError.format( msg, ocsp_suspect_stale_since, proc_state ) else: raise InsufficientRevinfoError.from_state(msg, proc_state) status_good = ( ocsp_status_good and rev_rule != RevocationCheckingRule.CRL_AND_OCSP_REQUIRED ) crl_status_good = False crl_suspect_stale_since = None # do not attempt to check CRLs (even cached ones) if there are no # distribution points, unless we have to crl_required_by_policy = rev_rule.crl_mandatory or ( not status_good and rev_rule == RevocationCheckingRule.CRL_OR_OCSP_REQUIRED ) crl_fetchable = rev_rule.crl_relevant and cert_has_crl if crl_required_by_policy or (crl_fetchable and not status_good): try: await verify_crl( cert, path, validation_context, proc_state=proc_state ) revocation_check_failed = False crl_status_good = True crl_matched = True except CRLValidationIndeterminateError as e: failures.extend([failure[0] for failure in e.failures]) revocation_check_failed = True crl_matched = True crl_suspect_stale_since = e.suspect_stale except CRLNoMatchesError: pass except CRLFetchError as e: if rev_rule.tolerant: soft_fail = True validation_context._report_soft_fail(e) else: failures.append(e.args[0]) revocation_check_failed = True if not crl_status_good and rev_rule.crl_mandatory: if failures: err_str = '; '.join(str(f) for f in failures) else: err_str = 'an applicable CRL could not be found' msg = ( f"The path could not be validated because the mandatory CRL " f"check(s) for {proc_state.describe_cert()} failed: {err_str}" ) if crl_suspect_stale_since: raise StaleRevinfoError.format( msg, crl_suspect_stale_since, proc_state ) else: raise InsufficientRevinfoError.from_state( msg, proc_state, ) # If we still didn't find a match, the certificate has CRL/OCSP entries # but we couldn't query any of them. Let's check if this is disqualifying. # With 'strict' the fact that there's no match (irrespective # of certificate properties) is enough to cause a failure, # otherwise we have to check. expected_revinfo = rev_rule.strict or ( revinfo_declared and rev_rule == RevocationCheckingRule.CHECK_IF_DECLARED ) # Did we find any revinfo that "has jurisdiction"? matched = crl_matched or ocsp_matched expected_revinfo_not_found = not matched and expected_revinfo if not soft_fail: if not status_good and matched and revocation_check_failed: msg = ( f"The path could not be validated because " f"{proc_state.describe_cert(def_interm=True)} revocation " f"checks failed: {'; '.join(failures)}" ) maybe_stale_cutoff = ( ocsp_suspect_stale_since or crl_suspect_stale_since ) if maybe_stale_cutoff: stale_cutoff = ( max(ocsp_suspect_stale_since, crl_suspect_stale_since) if ocsp_suspect_stale_since and crl_suspect_stale_since else maybe_stale_cutoff ) raise StaleRevinfoError.format(msg, stale_cutoff, proc_state) else: raise InsufficientRevinfoError.from_state( msg, proc_state, ) if expected_revinfo_not_found: if isinstance(cert, x509.Certificate): subj = cert.subject.human_friendly else: subj = "" raise InsufficientRevinfoError.from_state( f"The path could not be validated because no revocation " f"information could be found for {proc_state.describe_cert()} " f"{subj}", proc_state, ) def _check_aa_controls( cert: x509.Certificate, state: _PathValidationState, index, proc_state: ValProcState, ): aa_controls = AAControls.read_extension_value(cert) if aa_controls is not None: if not state.aa_controls_used and index > 1: raise PathValidationError.from_state( f"AA controls extension only present on part of the " f"certificate chain: {proc_state.describe_cert()} has AA " f"controls while preceding certificates do not. ", proc_state, ) state.aa_controls_used = True # deal with path length new_max_aa_path_length = aa_controls['path_len_constraint'].native if ( new_max_aa_path_length is not None and new_max_aa_path_length < state.max_aa_path_length ): state.max_aa_path_length = new_max_aa_path_length elif state.aa_controls_used: raise PathValidationError.from_state( f"AA controls extension only present on part of the " f"certificate chain: {proc_state.describe_cert()} " f"has no AA controls ", proc_state, ) def _prepare_next_step( index, cert: x509.Certificate, state: _PathValidationState, proc_state: ValProcState, ): if cert.policy_mappings_value: policy_map = enumerate_policy_mappings( cert.policy_mappings_value, proc_state=proc_state ) # Step 3 b if state.valid_policy_tree is not None: state.valid_policy_tree = apply_policy_mapping( policy_map, state.valid_policy_tree, depth=index, policy_mapping_uninhibited=state.policy_mapping > 0, ) # Step 3 c state.working_issuer_name = cert.subject # Steps 3 d-f # Handle inheritance of DSA parameters from a signing CA to the # next in the chain # NOTE: we don't perform this step for RSASSA-PSS since there the # parameters are drawn form the signature parameters, where they # must always be present. copy_params = None if cert.public_key.algorithm == 'dsa' and cert.public_key.hash_algo is None: if state.working_public_key.algorithm == 'dsa': key_alg = state.working_public_key['algorithm'] copy_params = key_alg['parameters'].copy() if copy_params: working_public_key = cert.public_key.copy() working_public_key['algorithm']['parameters'] = copy_params state.working_public_key = working_public_key else: state.working_public_key = cert.public_key # Step 3 g nc_value: x509.NameConstraints = cert.name_constraints_value if nc_value is not None: new_permitted_subtrees = nc_value['permitted_subtrees'] if isinstance(new_permitted_subtrees, x509.GeneralSubtrees): state.permitted_subtrees.intersect_with( process_general_subtrees(new_permitted_subtrees) ) new_excluded_subtrees = nc_value['excluded_subtrees'] if isinstance(new_excluded_subtrees, x509.GeneralSubtrees): state.excluded_subtrees.union_with( process_general_subtrees(new_excluded_subtrees) ) # Step 3 h-j state.update_policy_restrictions(cert) # Step 3 k if not cert.ca: raise PathValidationError.from_state( f"The path could not be validated because " f"{proc_state.describe_cert()} is not a CA", proc_state, ) # Step 3 l if not cert.self_issued: if state.max_path_length == 0: raise PathValidationError.from_state( "The path could not be validated because it exceeds the " "maximum path length", proc_state, ) state.max_path_length -= 1 if state.max_aa_path_length == 0: raise PathValidationError.from_state( "The path could not be validated because it exceeds the " "maximum path length for an AA certificate", proc_state, ) state.max_aa_path_length -= 1 # Step 3 m if ( cert.max_path_length is not None and cert.max_path_length < state.max_path_length ): state.max_path_length = cert.max_path_length # Step 3 n if ( cert.key_usage_value and 'key_cert_sign' not in cert.key_usage_value.native ): raise PathValidationError.from_state( "The path could not be validated because " f"{proc_state.describe_cert()} is not allowed to sign certificates", proc_state, ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649078.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator/version.py0000644000175100017510000000006515161577366025102 0ustar00runnerrunner__version__ = '0.30.2' __version_info__ = (0, 30, 2) ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.3036487 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/0000755000175100017510000000000015161577372024531 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649082.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/PKG-INFO0000644000175100017510000001144015161577372025626 0ustar00runnerrunnerMetadata-Version: 2.4 Name: pyhanko-certvalidator Version: 0.30.2 Summary: Validates X.509 certificates and paths; forked from wbond/certvalidator Author-email: Matthias Valvekens License-Expression: MIT Project-URL: Homepage, https://github.com/MatthiasValvekens/pyHanko/tree/master/pkgs/pyhanko-certvalidator Keywords: crypto,pki,x509,certificate,crl,ocsp Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.10 Classifier: Programming Language :: Python :: 3.11 Classifier: Programming Language :: Python :: 3.12 Classifier: Programming Language :: Python :: 3.13 Classifier: Programming Language :: Python :: 3.14 Classifier: Topic :: Security :: Cryptography Requires-Python: >=3.10 Description-Content-Type: text/markdown License-File: LICENSE Requires-Dist: asn1crypto>=1.5.1 Requires-Dist: oscrypto>=1.1.0 Requires-Dist: cryptography>=41.0.5 Requires-Dist: uritools>=3.0.1 Requires-Dist: requests>=2.31.0 Provides-Extra: async-http Requires-Dist: aiohttp<3.14,>=3.9; extra == "async-http" Dynamic: license-file # certvalidator This library started as a fork of [wbond/certvalidator](https://github.com/wbond/certvalidator) with patches for [pyHanko](https://github.com/MatthiasValvekens/pyHanko), but has since diverged considerably from its parent repository. GitHub issues are disabled on this repository. Bug reports regarding this library should be submitted to the [pyHanko issue tracker](https://github.com/MatthiasValvekens/pyHanko/issues). Similarly, questions regarding this library's usage can be asked in the [pyHanko discussion forum](https://github.com/MatthiasValvekens/pyHanko/discussions). `pyhanko-certvalidator` is a Python library for validating X.509 certificates paths. It supports various options, including: validation at a specific moment in time, whitelisting and revocation checks. - [Features](#features) - [Current Release](#current-release) - [Installation](#installation) - [License](#license) - [Documentation](#documentation) - [Continuous Integration](#continuous-integration) - [Testing](#testing) ## Features - X.509 path building - X.509 basic path validation - Signatures - RSA (including PSS padding), DSA, ECDSA and EdDSA algorithms. - Name chaining - Validity dates - Basic constraints extension - CA flag - Path length constraint - Key usage extension - Extended key usage extension - Certificate policies - Policy constraints - Policy mapping - Inhibit anyPolicy - Failure on unknown/unsupported critical extensions - Blacklisting hash algorithms - Revocation checks - CRLs - Indirect CRLs - Delta CRLs - OCSP checks - Delegated OCSP responders - Disable, require or allow soft failures - Caching of CRLs/OCSP responses - CRL and OCSP HTTP clients - Point-in-time validation - Name constraints - Attribute certificate support ## Current Release ![pypi](https://img.shields.io/pypi/v/pyhanko-certvalidator.svg) ## Dependencies - *asn1crypto* - *cryptography* - *uritools* - *oscrypto* - *requests* or *aiohttp* (use the latter for more efficient asyncio, requires resource management) - Python 3.7 or higher ### Note on compatibility Starting with `pyhanko-certvalidator` version `0.17.0`, the library has been refactored to use asynchronous I/O as much as possible. Most high-level API entrypoints can still be used synchronously, but have been deprecated in favour of their asyncio equivalents. As part of this move, the OCSP and CRL clients now have two separate implementations: a `requests`-based one, and an `aiohttp`-based one. The latter is probably more performant, but requires more resource management efforts on the caller's part, which was impossible to implement without making major breaking changes to the public API that would make the migration path more complicated. Therefore, the `requests`-based fetcher will remain the default for the time being. ## Installation ```bash pip install pyhanko-certvalidator ``` ## License *certvalidator* is licensed under the terms of the MIT license. See the [LICENSE](LICENSE) file for the exact license text. ## Testing ### Test framework Tests are written using `pytest` and require an asynchronous test case backend such as `pytest-asyncio`. ### Test cases The test cases for the library are comprised of: - [Public Key Interoperability Test Suite from NIST](http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html) - [OCSP tests from OpenSSL](https://github.com/openssl/openssl/blob/master/test/recipes/80-test_ocsp.t) - Various certificates generated for bespoke X.509 certificate validation scenarios Existing releases can be found at https://pypi.org/project/pyhanko-certvalidator. ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649082.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/SOURCES.txt0000644000175100017510000014321015161577372026416 0ustar00runnerrunnerLICENSE MANIFEST.in README.md pyproject.toml src/pyhanko_certvalidator/__init__.py src/pyhanko_certvalidator/_state.py src/pyhanko_certvalidator/asn1_types.py src/pyhanko_certvalidator/authority.py src/pyhanko_certvalidator/context.py src/pyhanko_certvalidator/errors.py src/pyhanko_certvalidator/name_trees.py src/pyhanko_certvalidator/path.py src/pyhanko_certvalidator/policy_decl.py src/pyhanko_certvalidator/policy_tree.py src/pyhanko_certvalidator/py.typed src/pyhanko_certvalidator/registry.py src/pyhanko_certvalidator/sig_validate.py src/pyhanko_certvalidator/util.py src/pyhanko_certvalidator/validate.py src/pyhanko_certvalidator/version.py src/pyhanko_certvalidator.egg-info/PKG-INFO src/pyhanko_certvalidator.egg-info/SOURCES.txt src/pyhanko_certvalidator.egg-info/dependency_links.txt src/pyhanko_certvalidator.egg-info/requires.txt src/pyhanko_certvalidator.egg-info/top_level.txt src/pyhanko_certvalidator/fetchers/__init__.py src/pyhanko_certvalidator/fetchers/api.py src/pyhanko_certvalidator/fetchers/common_utils.py src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/__init__.py src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/cert_fetch_client.py src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/crl_client.py src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/ocsp_client.py src/pyhanko_certvalidator/fetchers/aiohttp_fetchers/util.py src/pyhanko_certvalidator/fetchers/requests_fetchers/__init__.py src/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py src/pyhanko_certvalidator/fetchers/requests_fetchers/crl_client.py src/pyhanko_certvalidator/fetchers/requests_fetchers/ocsp_client.py src/pyhanko_certvalidator/fetchers/requests_fetchers/util.py src/pyhanko_certvalidator/ltv/__init__.py src/pyhanko_certvalidator/ltv/ades_past.py src/pyhanko_certvalidator/ltv/errors.py src/pyhanko_certvalidator/ltv/poe.py src/pyhanko_certvalidator/ltv/time_slide.py src/pyhanko_certvalidator/ltv/types.py src/pyhanko_certvalidator/revinfo/__init__.py src/pyhanko_certvalidator/revinfo/_err_gather.py src/pyhanko_certvalidator/revinfo/archival.py src/pyhanko_certvalidator/revinfo/constants.py src/pyhanko_certvalidator/revinfo/manager.py src/pyhanko_certvalidator/revinfo/validate_crl.py src/pyhanko_certvalidator/revinfo/validate_ocsp.py tests/__init__.py tests/common.py tests/constants.py tests/test_ac_validate.py tests/test_ades_time_slide.py tests/test_certificate_validator.py tests/test_common_utils.py tests/test_freshness.py tests/test_policy_proc.py tests/test_registry.py tests/test_sig_validate.py tests/test_validate.py tests/fixtures/self-signed-with-policy.crt tests/fixtures/ades/time-slide/alice-2020-10-01.ors tests/fixtures/ades/time-slide/alice-2020-11-29.ors tests/fixtures/ades/time-slide/alice-2020-12-10.ors tests/fixtures/ades/time-slide/certomancer.yml tests/fixtures/ades/time-slide/generate tests/fixtures/ades/time-slide/interm-2020-10-01.crl tests/fixtures/ades/time-slide/interm-2020-11-29.crl tests/fixtures/ades/time-slide/interm-2020-12-10.crl tests/fixtures/ades/time-slide/root-2020-10-01.crl tests/fixtures/ades/time-slide/root-2020-11-29.crl tests/fixtures/ades/time-slide/root-2020-12-10.crl tests/fixtures/ades/time-slide/certs/alice.crt tests/fixtures/ades/time-slide/certs/interm-ocsp.crt tests/fixtures/ades/time-slide/certs/interm-revoked.crt tests/fixtures/ades/time-slide/certs/interm.crt tests/fixtures/ades/time-slide/certs/root.crt tests/fixtures/ades/time-slide/keys/alice.key.pem tests/fixtures/ades/time-slide/keys/bob.key.pem tests/fixtures/ades/time-slide/keys/interm-ocsp.key.pem tests/fixtures/ades/time-slide/keys/interm.key.pem tests/fixtures/ades/time-slide/keys/root.key.pem tests/fixtures/attribute-certs/certomancer.yml tests/fixtures/attribute-certs/regen.sh tests/fixtures/attribute-certs/basic-aa/alice-all-good.ors tests/fixtures/attribute-certs/basic-aa/alice-revoked.ors tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-all-good.crl tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-some-revoked.crl tests/fixtures/attribute-certs/basic-aa/role-aa-all-good.crl tests/fixtures/attribute-certs/basic-aa/role-aa-nonaligned-name.crl tests/fixtures/attribute-certs/basic-aa/role-aa-nonsensically-scoped.crl tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-all-good.crl tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-some-revoked.crl tests/fixtures/attribute-certs/basic-aa/role-aa-some-revoked.crl tests/fixtures/attribute-certs/basic-aa/aa/alice-norev-targeted.attr.crt tests/fixtures/attribute-certs/basic-aa/aa/alice-role-complex-crls.attr.crt tests/fixtures/attribute-certs/basic-aa/aa/alice-role-norev.attr.crt tests/fixtures/attribute-certs/basic-aa/aa/alice-role-with-rev.attr.crt tests/fixtures/attribute-certs/basic-aa/aa/badsig.attr.crt tests/fixtures/attribute-certs/basic-aa/inbetween/interm-pathlen-violation.crt tests/fixtures/attribute-certs/basic-aa/interm/aa-unrestricted.crt tests/fixtures/attribute-certs/basic-aa/interm/interm-all-good.crl tests/fixtures/attribute-certs/basic-aa/interm/interm-some-revoked.crl tests/fixtures/attribute-certs/basic-aa/interm/role-aa-crl-issuer.crt tests/fixtures/attribute-certs/basic-aa/interm/role-aa.crt tests/fixtures/attribute-certs/basic-aa/people-ca/alice.crt tests/fixtures/attribute-certs/basic-aa/people-ca/bob.crt tests/fixtures/attribute-certs/basic-aa/people-ca/people-ca.crt tests/fixtures/attribute-certs/basic-aa/root/inbetween-aa.crt tests/fixtures/attribute-certs/basic-aa/root/interm-role.crt tests/fixtures/attribute-certs/basic-aa/root/interm-unrestricted.crt tests/fixtures/attribute-certs/basic-aa/root/root-all-good.crl tests/fixtures/attribute-certs/basic-aa/root/root-some-revoked.crl tests/fixtures/attribute-certs/basic-aa/root/root.crt tests/fixtures/attribute-certs/keys/aa-crl-issuer.key.pem tests/fixtures/attribute-certs/keys/aa.key.pem tests/fixtures/attribute-certs/keys/alice.key.pem tests/fixtures/attribute-certs/keys/bob.key.pem tests/fixtures/attribute-certs/keys/inbetween.key.pem tests/fixtures/attribute-certs/keys/interm.key.pem tests/fixtures/attribute-certs/keys/people-ca.key.pem tests/fixtures/attribute-certs/keys/root.key.pem tests/fixtures/attribute-certs/oneoff/alice-aki-with-issuer-id-and-base-certificate-id.attr.crt tests/fixtures/attribute-certs/oneoff/alice-aki-with-issuer-id.attr.crt tests/fixtures/attribute-certs/oneoff/alice-misleading-aki.attr.crt tests/fixtures/attribute-certs/oneoff/alice-no-aki-with-base-certificate-id.attr.crt tests/fixtures/attribute-certs/oneoff/alice-v1form-issuer.attr.crt tests/fixtures/attribute-certs/oneoff/alice-v2form-issuer-aki-misaligned.attr.crt tests/fixtures/attribute-certs/oneoff/alice-v2form-only-base-cert-id.attr.crt tests/fixtures/attribute-certs/oneoff/alice-v2form-with-base-certificate-id.attr.crt tests/fixtures/attribute-certs/oneoff/alice-v2form-wrong-serial.attr.crt tests/fixtures/certs_to_unpack/many-certs.pem tests/fixtures/certs_to_unpack/test.p7b tests/fixtures/certs_to_unpack/test.p7b.pem tests/fixtures/freshness/alice-2020-10-01.ors tests/fixtures/freshness/alice-2020-11-29.ors tests/fixtures/freshness/alice-2020-12-10.ors tests/fixtures/freshness/certomancer.yml tests/fixtures/freshness/generate tests/fixtures/freshness/root-2020-10-01.crl tests/fixtures/freshness/root-2020-11-29.crl tests/fixtures/freshness/root-2020-12-10.crl tests/fixtures/freshness/certs/alice.crt tests/fixtures/freshness/certs/interm-ocsp.crt tests/fixtures/freshness/certs/interm-revoked.crt tests/fixtures/freshness/certs/interm.crt tests/fixtures/freshness/certs/root.crt tests/fixtures/freshness/keys/alice.key.pem tests/fixtures/freshness/keys/bob.key.pem tests/fixtures/freshness/keys/interm-ocsp.key.pem tests/fixtures/freshness/keys/interm.key.pem tests/fixtures/freshness/keys/root.key.pem tests/fixtures/multilayer/certomancer.yml tests/fixtures/multilayer/certs/alice.cert.pem tests/fixtures/multilayer/certs/interm1.cert.pem tests/fixtures/multilayer/certs/interm2.cert.pem tests/fixtures/multilayer/certs/root.cert.pem tests/fixtures/multilayer/keys/alice.key.pem tests/fixtures/multilayer/keys/bob.key.pem tests/fixtures/multilayer/keys/interm1.key.pem tests/fixtures/multilayer/keys/interm2.key.pem tests/fixtures/multilayer/keys/root.key.pem tests/fixtures/multitasking-ocsp/alice.cert.pem tests/fixtures/multitasking-ocsp/interm-ocsp.cert.pem tests/fixtures/multitasking-ocsp/interm.cert.pem tests/fixtures/multitasking-ocsp/ocsp-resp-alice.der tests/fixtures/multitasking-ocsp/ocsp-resp-interm.der tests/fixtures/multitasking-ocsp/root-ocsp.cert.pem tests/fixtures/multitasking-ocsp/root.cert.pem tests/fixtures/nist_pkits/pkits-user-notice.json tests/fixtures/nist_pkits/pkits.json tests/fixtures/nist_pkits/readme.md tests/fixtures/nist_pkits/certs/AllCertificatesNoPoliciesTest2EE.crt tests/fixtures/nist_pkits/certs/AllCertificatesSamePoliciesTest10EE.crt tests/fixtures/nist_pkits/certs/AllCertificatesSamePoliciesTest13EE.crt tests/fixtures/nist_pkits/certs/AllCertificatesanyPolicyTest11EE.crt tests/fixtures/nist_pkits/certs/AnyPolicyTest14EE.crt tests/fixtures/nist_pkits/certs/BadCRLIssuerNameCACert.crt tests/fixtures/nist_pkits/certs/BadCRLSignatureCACert.crt tests/fixtures/nist_pkits/certs/BadSignedCACert.crt tests/fixtures/nist_pkits/certs/BadnotAfterDateCACert.crt tests/fixtures/nist_pkits/certs/BadnotBeforeDateCACert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedCRLSigningKeyCACert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedNewKeyCACert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedOldKeyCACert.crt tests/fixtures/nist_pkits/certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt tests/fixtures/nist_pkits/certs/CPSPointerQualifierTest20EE.crt tests/fixtures/nist_pkits/certs/DSACACert.crt tests/fixtures/nist_pkits/certs/DSAParametersInheritedCACert.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest12EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest3EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest4EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest5EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest7EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest8EE.crt tests/fixtures/nist_pkits/certs/DifferentPoliciesTest9EE.crt tests/fixtures/nist_pkits/certs/GeneralizedTimeCRLnextUpdateCACert.crt tests/fixtures/nist_pkits/certs/GoodCACert.crt tests/fixtures/nist_pkits/certs/GoodsubCACert.crt tests/fixtures/nist_pkits/certs/GoodsubCAPanyPolicyMapping1to2CACert.crt tests/fixtures/nist_pkits/certs/InvalidBadCRLIssuerNameTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidBadCRLSignatureTest4EE.crt tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidCASignatureTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidCAnotAfterDateTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidCAnotBeforeDateTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidDNSnameConstraintsTest31EE.crt tests/fixtures/nist_pkits/certs/InvalidDNSnameConstraintsTest33EE.crt tests/fixtures/nist_pkits/certs/InvalidDNSnameConstraintsTest38EE.crt tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest28EE.crt tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest29EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest12EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest13EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest15EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest16EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest17EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest20EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest3EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest7EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest9EE.crt tests/fixtures/nist_pkits/certs/InvalidDSASignatureTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidEESignatureTest3EE.crt tests/fixtures/nist_pkits/certs/InvalidEEnotAfterDateTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidEEnotBeforeDateTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidIDPwithindirectCRLTest23EE.crt tests/fixtures/nist_pkits/certs/InvalidIDPwithindirectCRLTest26EE.crt tests/fixtures/nist_pkits/certs/InvalidLongSerialNumberTest18EE.crt tests/fixtures/nist_pkits/certs/InvalidMappingFromanyPolicyTest7EE.crt tests/fixtures/nist_pkits/certs/InvalidMappingToanyPolicyTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidMissingCRLTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidMissingbasicConstraintsTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidNameChainingOrderTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidNameChainingTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidNegativeSerialNumberTest15EE.crt tests/fixtures/nist_pkits/certs/InvalidOldCRLnextUpdateTest11EE.crt tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest4EE.crt tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest22EE.crt tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest24EE.crt tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest26EE.crt tests/fixtures/nist_pkits/certs/InvalidRevokedCATest2EE.crt tests/fixtures/nist_pkits/certs/InvalidRevokedEETest3EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt tests/fixtures/nist_pkits/certs/InvalidURInameConstraintsTest35EE.crt tests/fixtures/nist_pkits/certs/InvalidURInameConstraintsTest37EE.crt tests/fixtures/nist_pkits/certs/InvalidUnknownCRLEntryExtensionTest8EE.crt tests/fixtures/nist_pkits/certs/InvalidUnknownCRLExtensionTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidUnknownCRLExtensionTest9EE.crt tests/fixtures/nist_pkits/certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidWrongCRLTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidcAFalseTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidcAFalseTest3EE.crt tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest27EE.crt tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest31EE.crt tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest32EE.crt tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest34EE.crt tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest35EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLIndicatorNoBaseTest1EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest10EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest3EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest4EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest6EE.crt tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest9EE.crt tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest2EE.crt tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest3EE.crt tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest6EE.crt tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest8EE.crt tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest9EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest4EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest3EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt tests/fixtures/nist_pkits/certs/InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt tests/fixtures/nist_pkits/certs/InvalidonlyContainsAttributeCertsTest14EE.crt tests/fixtures/nist_pkits/certs/InvalidonlyContainsCACertsTest12EE.crt tests/fixtures/nist_pkits/certs/InvalidonlyContainsUserCertsTest11EE.crt tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest15EE.crt tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest16EE.crt tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest17EE.crt tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest20EE.crt tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest21EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest10EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest11EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest12EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest5EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest6EE.crt tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest9EE.crt tests/fixtures/nist_pkits/certs/Invalidpre2000CRLnextUpdateTest12EE.crt tests/fixtures/nist_pkits/certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt tests/fixtures/nist_pkits/certs/InvalidrequireExplicitPolicyTest3EE.crt tests/fixtures/nist_pkits/certs/InvalidrequireExplicitPolicyTest5EE.crt tests/fixtures/nist_pkits/certs/LongSerialNumberCACert.crt tests/fixtures/nist_pkits/certs/Mapping1to2CACert.crt tests/fixtures/nist_pkits/certs/MappingFromanyPolicyCACert.crt tests/fixtures/nist_pkits/certs/MappingToanyPolicyCACert.crt tests/fixtures/nist_pkits/certs/MissingbasicConstraintsCACert.crt tests/fixtures/nist_pkits/certs/NameOrderingCACert.crt tests/fixtures/nist_pkits/certs/NegativeSerialNumberCACert.crt tests/fixtures/nist_pkits/certs/NoCRLCACert.crt tests/fixtures/nist_pkits/certs/NoPoliciesCACert.crt tests/fixtures/nist_pkits/certs/NoissuingDistributionPointCACert.crt tests/fixtures/nist_pkits/certs/OldCRLnextUpdateCACert.crt tests/fixtures/nist_pkits/certs/OverlappingPoliciesTest6EE.crt tests/fixtures/nist_pkits/certs/P12Mapping1to3CACert.crt tests/fixtures/nist_pkits/certs/P12Mapping1to3subCACert.crt tests/fixtures/nist_pkits/certs/P12Mapping1to3subsubCACert.crt tests/fixtures/nist_pkits/certs/P1Mapping1to234CACert.crt tests/fixtures/nist_pkits/certs/P1Mapping1to234subCACert.crt tests/fixtures/nist_pkits/certs/P1anyPolicyMapping1to2CACert.crt tests/fixtures/nist_pkits/certs/PanyPolicyMapping1to2CACert.crt tests/fixtures/nist_pkits/certs/PoliciesP1234CACert.crt tests/fixtures/nist_pkits/certs/PoliciesP1234subCAP123Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP1234subsubCAP123P12Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP123CACert.crt tests/fixtures/nist_pkits/certs/PoliciesP123subCAP12Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP123subsubCAP12P1Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP123subsubCAP12P2Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP123subsubsubCAP12P2P1Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP12CACert.crt tests/fixtures/nist_pkits/certs/PoliciesP12subCAP1Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP12subsubCAP1P2Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP2subCA2Cert.crt tests/fixtures/nist_pkits/certs/PoliciesP2subCACert.crt tests/fixtures/nist_pkits/certs/PoliciesP3CACert.crt tests/fixtures/nist_pkits/certs/RFC3280MandatoryAttributeTypesCACert.crt tests/fixtures/nist_pkits/certs/RFC3280OptionalAttributeTypesCACert.crt tests/fixtures/nist_pkits/certs/RevokedsubCACert.crt tests/fixtures/nist_pkits/certs/RolloverfromPrintableStringtoUTF8StringCACert.crt tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCRLSigningCert.crt tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCertificateSigningCACert.crt tests/fixtures/nist_pkits/certs/TrustAnchorRootCertificate.crt tests/fixtures/nist_pkits/certs/TwoCRLsCACert.crt tests/fixtures/nist_pkits/certs/UIDCACert.crt tests/fixtures/nist_pkits/certs/UTF8StringCaseInsensitiveMatchCACert.crt tests/fixtures/nist_pkits/certs/UTF8StringEncodedNamesCACert.crt tests/fixtures/nist_pkits/certs/UnknownCRLEntryExtensionCACert.crt tests/fixtures/nist_pkits/certs/UnknownCRLExtensionCACert.crt tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest15EE.crt tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest16EE.crt tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest17EE.crt tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest18EE.crt tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest19EE.crt tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt tests/fixtures/nist_pkits/certs/ValidCertificatePathTest1EE.crt tests/fixtures/nist_pkits/certs/ValidDNSnameConstraintsTest30EE.crt tests/fixtures/nist_pkits/certs/ValidDNSnameConstraintsTest32EE.crt tests/fixtures/nist_pkits/certs/ValidDNandRFC822nameConstraintsTest27EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest11EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest14EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest18EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest19EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest1EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest4EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest5EE.crt tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest6EE.crt tests/fixtures/nist_pkits/certs/ValidDSAParameterInheritanceTest5EE.crt tests/fixtures/nist_pkits/certs/ValidDSASignaturesTest4EE.crt tests/fixtures/nist_pkits/certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotAfterDateTest8EE.crt tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt tests/fixtures/nist_pkits/certs/ValidIDPwithindirectCRLTest22EE.crt tests/fixtures/nist_pkits/certs/ValidIDPwithindirectCRLTest24EE.crt tests/fixtures/nist_pkits/certs/ValidIDPwithindirectCRLTest25EE.crt tests/fixtures/nist_pkits/certs/ValidLongSerialNumberTest16EE.crt tests/fixtures/nist_pkits/certs/ValidLongSerialNumberTest17EE.crt tests/fixtures/nist_pkits/certs/ValidNameChainingCapitalizationTest5EE.crt tests/fixtures/nist_pkits/certs/ValidNameChainingWhitespaceTest3EE.crt tests/fixtures/nist_pkits/certs/ValidNameChainingWhitespaceTest4EE.crt tests/fixtures/nist_pkits/certs/ValidNameUIDsTest6EE.crt tests/fixtures/nist_pkits/certs/ValidNegativeSerialNumberTest14EE.crt tests/fixtures/nist_pkits/certs/ValidNoissuingDistributionPointTest10EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest11EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest12EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest13EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest14EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest1EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest3EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest5EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest6EE.crt tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest9EE.crt tests/fixtures/nist_pkits/certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt tests/fixtures/nist_pkits/certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest21EE.crt tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest23EE.crt tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest25EE.crt tests/fixtures/nist_pkits/certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest15EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest17EE.crt tests/fixtures/nist_pkits/certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt tests/fixtures/nist_pkits/certs/ValidSeparateCertificateandCRLKeysTest19EE.crt tests/fixtures/nist_pkits/certs/ValidTwoCRLsTest7EE.crt tests/fixtures/nist_pkits/certs/ValidURInameConstraintsTest34EE.crt tests/fixtures/nist_pkits/certs/ValidURInameConstraintsTest36EE.crt tests/fixtures/nist_pkits/certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt tests/fixtures/nist_pkits/certs/ValidUTF8StringEncodedNamesTest9EE.crt tests/fixtures/nist_pkits/certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt tests/fixtures/nist_pkits/certs/ValidbasicConstraintsNotCriticalTest4EE.crt tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest28EE.crt tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest29EE.crt tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest30EE.crt tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest33EE.crt tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest2EE.crt tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest5EE.crt tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest7EE.crt tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest8EE.crt tests/fixtures/nist_pkits/certs/ValiddistributionPointTest1EE.crt tests/fixtures/nist_pkits/certs/ValiddistributionPointTest4EE.crt tests/fixtures/nist_pkits/certs/ValiddistributionPointTest5EE.crt tests/fixtures/nist_pkits/certs/ValiddistributionPointTest7EE.crt tests/fixtures/nist_pkits/certs/ValidinhibitAnyPolicyTest2EE.crt tests/fixtures/nist_pkits/certs/ValidinhibitPolicyMappingTest2EE.crt tests/fixtures/nist_pkits/certs/ValidinhibitPolicyMappingTest4EE.crt tests/fixtures/nist_pkits/certs/ValidkeyUsageNotCriticalTest3EE.crt tests/fixtures/nist_pkits/certs/ValidonlyContainsCACertsTest13EE.crt tests/fixtures/nist_pkits/certs/ValidonlySomeReasonsTest18EE.crt tests/fixtures/nist_pkits/certs/ValidonlySomeReasonsTest19EE.crt tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest13EE.crt tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest14EE.crt tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest7EE.crt tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest8EE.crt tests/fixtures/nist_pkits/certs/Validpre2000UTCnotBeforeDateTest3EE.crt tests/fixtures/nist_pkits/certs/ValidrequireExplicitPolicyTest1EE.crt tests/fixtures/nist_pkits/certs/ValidrequireExplicitPolicyTest2EE.crt tests/fixtures/nist_pkits/certs/ValidrequireExplicitPolicyTest4EE.crt tests/fixtures/nist_pkits/certs/WrongCRLCACert.crt tests/fixtures/nist_pkits/certs/anyPolicyCACert.crt tests/fixtures/nist_pkits/certs/basicConstraintsCriticalcAFalseCACert.crt tests/fixtures/nist_pkits/certs/basicConstraintsNotCriticalCACert.crt tests/fixtures/nist_pkits/certs/basicConstraintsNotCriticalcAFalseCACert.crt tests/fixtures/nist_pkits/certs/deltaCRLCA1Cert.crt tests/fixtures/nist_pkits/certs/deltaCRLCA2Cert.crt tests/fixtures/nist_pkits/certs/deltaCRLCA3Cert.crt tests/fixtures/nist_pkits/certs/deltaCRLIndicatorNoBaseCACert.crt tests/fixtures/nist_pkits/certs/distributionPoint1CACert.crt tests/fixtures/nist_pkits/certs/distributionPoint2CACert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA1Cert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA2Cert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA3Cert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA3cRLIssuerCert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA4Cert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA4cRLIssuerCert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA5Cert.crt tests/fixtures/nist_pkits/certs/indirectCRLCA6Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy0CACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1CACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCA1Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCA2Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCAIAP5Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subsubCA2Cert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy5CACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy5subCACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicy5subsubCACert.crt tests/fixtures/nist_pkits/certs/inhibitAnyPolicyTest3EE.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping0CACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping0subCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12CACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1CACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1subCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1subsubCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5CACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5subCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5subsubCACert.crt tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5subsubsubCACert.crt tests/fixtures/nist_pkits/certs/keyUsageCriticalcRLSignFalseCACert.crt tests/fixtures/nist_pkits/certs/keyUsageCriticalkeyCertSignFalseCACert.crt tests/fixtures/nist_pkits/certs/keyUsageNotCriticalCACert.crt tests/fixtures/nist_pkits/certs/keyUsageNotCriticalcRLSignFalseCACert.crt tests/fixtures/nist_pkits/certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN1CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN1SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN1subCA1Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN1subCA2Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN1subCA3Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN2CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN3CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN3subCA1Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN3subCA2Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN4CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDN5CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDNS1CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsDNS2CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsRFC822CA1Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsRFC822CA2Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsRFC822CA3Cert.crt tests/fixtures/nist_pkits/certs/nameConstraintsURI1CACert.crt tests/fixtures/nist_pkits/certs/nameConstraintsURI2CACert.crt tests/fixtures/nist_pkits/certs/onlyContainsAttributeCertsCACert.crt tests/fixtures/nist_pkits/certs/onlyContainsCACertsCACert.crt tests/fixtures/nist_pkits/certs/onlyContainsUserCertsCACert.crt tests/fixtures/nist_pkits/certs/onlySomeReasonsCA1Cert.crt tests/fixtures/nist_pkits/certs/onlySomeReasonsCA2Cert.crt tests/fixtures/nist_pkits/certs/onlySomeReasonsCA3Cert.crt tests/fixtures/nist_pkits/certs/onlySomeReasonsCA4Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint0CACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint0SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint0subCA2Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint0subCACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint1CACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint1SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint1SelfIssuedsubCACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint1subCACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6CACert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subCA0Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subCA1Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subCA4Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubCA00Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubCA11Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubCA41Cert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubsubCA11XCert.crt tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubsubCA41XCert.crt tests/fixtures/nist_pkits/certs/pre2000CRLnextUpdateCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy0CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subsubsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy10CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subsubsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy2CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy2subCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy4CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subsubsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy5CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subsubsubCACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy7CACert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subCARE2Cert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt tests/fixtures/nist_pkits/crls/BadCRLIssuerNameCACRL.crl tests/fixtures/nist_pkits/crls/BadCRLSignatureCACRL.crl tests/fixtures/nist_pkits/crls/BadSignedCACRL.crl tests/fixtures/nist_pkits/crls/BadnotAfterDateCACRL.crl tests/fixtures/nist_pkits/crls/BadnotBeforeDateCACRL.crl tests/fixtures/nist_pkits/crls/BasicSelfIssuedCRLSigningKeyCACRL.crl tests/fixtures/nist_pkits/crls/BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl tests/fixtures/nist_pkits/crls/BasicSelfIssuedNewKeyCACRL.crl tests/fixtures/nist_pkits/crls/BasicSelfIssuedOldKeyCACRL.crl tests/fixtures/nist_pkits/crls/BasicSelfIssuedOldKeySelfIssuedCertCRL.crl tests/fixtures/nist_pkits/crls/DSACACRL.crl tests/fixtures/nist_pkits/crls/DSAParametersInheritedCACRL.crl tests/fixtures/nist_pkits/crls/GeneralizedTimeCRLnextUpdateCACRL.crl tests/fixtures/nist_pkits/crls/GoodCACRL.crl tests/fixtures/nist_pkits/crls/GoodsubCACRL.crl tests/fixtures/nist_pkits/crls/GoodsubCAPanyPolicyMapping1to2CACRL.crl tests/fixtures/nist_pkits/crls/LongSerialNumberCACRL.crl tests/fixtures/nist_pkits/crls/Mapping1to2CACRL.crl tests/fixtures/nist_pkits/crls/MappingFromanyPolicyCACRL.crl tests/fixtures/nist_pkits/crls/MappingToanyPolicyCACRL.crl tests/fixtures/nist_pkits/crls/MissingbasicConstraintsCACRL.crl tests/fixtures/nist_pkits/crls/NameOrderCACRL.crl tests/fixtures/nist_pkits/crls/NegativeSerialNumberCACRL.crl tests/fixtures/nist_pkits/crls/NoPoliciesCACRL.crl tests/fixtures/nist_pkits/crls/NoissuingDistributionPointCACRL.crl tests/fixtures/nist_pkits/crls/OldCRLnextUpdateCACRL.crl tests/fixtures/nist_pkits/crls/P12Mapping1to3CACRL.crl tests/fixtures/nist_pkits/crls/P12Mapping1to3subCACRL.crl tests/fixtures/nist_pkits/crls/P12Mapping1to3subsubCACRL.crl tests/fixtures/nist_pkits/crls/P1Mapping1to234CACRL.crl tests/fixtures/nist_pkits/crls/P1Mapping1to234subCACRL.crl tests/fixtures/nist_pkits/crls/P1anyPolicyMapping1to2CACRL.crl tests/fixtures/nist_pkits/crls/PanyPolicyMapping1to2CACRL.crl tests/fixtures/nist_pkits/crls/PoliciesP1234CACRL.crl tests/fixtures/nist_pkits/crls/PoliciesP1234subCAP123CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP1234subsubCAP123P12CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP123CACRL.crl tests/fixtures/nist_pkits/crls/PoliciesP123subCAP12CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP123subsubCAP12P1CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP123subsubCAP2P2CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP123subsubsubCAP12P2P1CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP12CACRL.crl tests/fixtures/nist_pkits/crls/PoliciesP12subCAP1CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP12subsubCAP1P2CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP2subCA2CRL.crl tests/fixtures/nist_pkits/crls/PoliciesP2subCACRL.crl tests/fixtures/nist_pkits/crls/PoliciesP3CACRL.crl tests/fixtures/nist_pkits/crls/RFC3280MandatoryAttributeTypesCACRL.crl tests/fixtures/nist_pkits/crls/RFC3280OptionalAttributeTypesCACRL.crl tests/fixtures/nist_pkits/crls/RevokedsubCACRL.crl tests/fixtures/nist_pkits/crls/RolloverfromPrintableStringtoUTF8StringCACRL.crl tests/fixtures/nist_pkits/crls/SeparateCertificateandCRLKeysCA2CRL.crl tests/fixtures/nist_pkits/crls/SeparateCertificateandCRLKeysCRL.crl tests/fixtures/nist_pkits/crls/TrustAnchorRootCRL.crl tests/fixtures/nist_pkits/crls/TwoCRLsCABadCRL.crl tests/fixtures/nist_pkits/crls/TwoCRLsCAGoodCRL.crl tests/fixtures/nist_pkits/crls/UIDCACRL.crl tests/fixtures/nist_pkits/crls/UTF8StringCaseInsensitiveMatchCACRL.crl tests/fixtures/nist_pkits/crls/UTF8StringEncodedNamesCACRL.crl tests/fixtures/nist_pkits/crls/UnknownCRLEntryExtensionCACRL.crl tests/fixtures/nist_pkits/crls/UnknownCRLExtensionCACRL.crl tests/fixtures/nist_pkits/crls/WrongCRLCACRL.crl tests/fixtures/nist_pkits/crls/anyPolicyCACRL.crl tests/fixtures/nist_pkits/crls/basicConstraintsCriticalcAFalseCACRL.crl tests/fixtures/nist_pkits/crls/basicConstraintsNotCriticalCACRL.crl tests/fixtures/nist_pkits/crls/basicConstraintsNotCriticalcAFalseCACRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA1CRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA1deltaCRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA2CRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA2deltaCRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA3CRL.crl tests/fixtures/nist_pkits/crls/deltaCRLCA3deltaCRL.crl tests/fixtures/nist_pkits/crls/deltaCRLIndicatorNoBaseCACRL.crl tests/fixtures/nist_pkits/crls/distributionPoint1CACRL.crl tests/fixtures/nist_pkits/crls/distributionPoint2CACRL.crl tests/fixtures/nist_pkits/crls/indirectCRLCA1CRL.crl tests/fixtures/nist_pkits/crls/indirectCRLCA3CRL.crl tests/fixtures/nist_pkits/crls/indirectCRLCA3cRLIssuerCRL.crl tests/fixtures/nist_pkits/crls/indirectCRLCA4cRLIssuerCRL.crl tests/fixtures/nist_pkits/crls/indirectCRLCA5CRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy0CACRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1CACRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCA1CRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCA2CRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCAIAP5CRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subsubCA2CRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5CACRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5subCACRL.crl tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5subsubCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping0CACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping0subCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12CACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subCAIPM5CRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subsubCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subsubCAIPM5CRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1CACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1subCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1subsubCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5CACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5subCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5subsubCACRL.crl tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5subsubsubCACRL.crl tests/fixtures/nist_pkits/crls/keyUsageCriticalcRLSignFalseCACRL.crl tests/fixtures/nist_pkits/crls/keyUsageCriticalkeyCertSignFalseCACRL.crl tests/fixtures/nist_pkits/crls/keyUsageNotCriticalCACRL.crl tests/fixtures/nist_pkits/crls/keyUsageNotCriticalcRLSignFalseCACRL.crl tests/fixtures/nist_pkits/crls/keyUsageNotCriticalkeyCertSignFalseCACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN1CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN1subCA1CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN1subCA2CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN1subCA3CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN2CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN3CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN3subCA1CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN3subCA2CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN4CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDN5CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDNS1CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsDNS2CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsRFC822CA1CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsRFC822CA2CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsRFC822CA3CRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsURI1CACRL.crl tests/fixtures/nist_pkits/crls/nameConstraintsURI2CACRL.crl tests/fixtures/nist_pkits/crls/onlyContainsAttributeCertsCACRL.crl tests/fixtures/nist_pkits/crls/onlyContainsCACertsCACRL.crl tests/fixtures/nist_pkits/crls/onlyContainsUserCertsCACRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA1compromiseCRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA1otherreasonsCRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA2CRL1.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA2CRL2.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA3compromiseCRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA3otherreasonsCRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA4compromiseCRL.crl tests/fixtures/nist_pkits/crls/onlySomeReasonsCA4otherreasonsCRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint0CACRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint0subCA2CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint0subCACRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint1CACRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint1subCACRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6CACRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subCA0CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subCA1CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subCA4CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubCA00CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubCA11CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubCA41CRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubsubCA11XCRL.crl tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubsubCA41XCRL.crl tests/fixtures/nist_pkits/crls/pre2000CRLnextUpdateCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy0CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy0subCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy0subsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy0subsubsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy10CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy10subCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy10subsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy10subsubsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy2CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy2subCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy4CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy4subCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy4subsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy4subsubsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy5CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subsubsubCACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy7CACRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subCARE2CRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubCARE2RE4CRL.crl tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubsubCARE2RE4CRL.crl tests/fixtures/openssl-ocsp/D1.ors tests/fixtures/openssl-ocsp/D1_Cert_EE.pem tests/fixtures/openssl-ocsp/D1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/D2.ors tests/fixtures/openssl-ocsp/D2_Cert_ICA.pem tests/fixtures/openssl-ocsp/D2_Issuer_Root.pem tests/fixtures/openssl-ocsp/D3.ors tests/fixtures/openssl-ocsp/D3_Cert_EE.pem tests/fixtures/openssl-ocsp/D3_Issuer_Root.pem tests/fixtures/openssl-ocsp/ISDOSC_D1.ors tests/fixtures/openssl-ocsp/ISDOSC_D2.ors tests/fixtures/openssl-ocsp/ISDOSC_D3.ors tests/fixtures/openssl-ocsp/ISIC_D1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/ISIC_D2_Issuer_Root.pem tests/fixtures/openssl-ocsp/ISIC_D3_Issuer_Root.pem tests/fixtures/openssl-ocsp/ISIC_ND1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/ISIC_ND2_Issuer_Root.pem tests/fixtures/openssl-ocsp/ISIC_ND3_Issuer_Root.pem tests/fixtures/openssl-ocsp/ISOP_D1.ors tests/fixtures/openssl-ocsp/ISOP_D2.ors tests/fixtures/openssl-ocsp/ISOP_D3.ors tests/fixtures/openssl-ocsp/ISOP_ND1.ors tests/fixtures/openssl-ocsp/ISOP_ND2.ors tests/fixtures/openssl-ocsp/ISOP_ND3.ors tests/fixtures/openssl-ocsp/LICENSE tests/fixtures/openssl-ocsp/ND1.ors tests/fixtures/openssl-ocsp/ND1_Cert_EE.pem tests/fixtures/openssl-ocsp/ND1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/ND2.ors tests/fixtures/openssl-ocsp/ND2_Cert_ICA.pem tests/fixtures/openssl-ocsp/ND2_Issuer_Root.pem tests/fixtures/openssl-ocsp/ND3.ors tests/fixtures/openssl-ocsp/ND3_Cert_EE.pem tests/fixtures/openssl-ocsp/ND3_Issuer_Root.pem tests/fixtures/openssl-ocsp/R2.pem tests/fixtures/openssl-ocsp/WIKH_D1.ors tests/fixtures/openssl-ocsp/WIKH_D2.ors tests/fixtures/openssl-ocsp/WIKH_D3.ors tests/fixtures/openssl-ocsp/WIKH_ND1.ors tests/fixtures/openssl-ocsp/WIKH_ND2.ors tests/fixtures/openssl-ocsp/WIKH_ND3.ors tests/fixtures/openssl-ocsp/WINH_D1.ors tests/fixtures/openssl-ocsp/WINH_D2.ors tests/fixtures/openssl-ocsp/WINH_D3.ors tests/fixtures/openssl-ocsp/WINH_ND1.ors tests/fixtures/openssl-ocsp/WINH_ND2.ors tests/fixtures/openssl-ocsp/WINH_ND3.ors tests/fixtures/openssl-ocsp/WKDOSC_D1.ors tests/fixtures/openssl-ocsp/WKDOSC_D2.ors tests/fixtures/openssl-ocsp/WKDOSC_D3.ors tests/fixtures/openssl-ocsp/WKIC_D1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/WKIC_D2_Issuer_Root.pem tests/fixtures/openssl-ocsp/WKIC_D3_Issuer_Root.pem tests/fixtures/openssl-ocsp/WKIC_ND1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/WKIC_ND2_Issuer_Root.pem tests/fixtures/openssl-ocsp/WKIC_ND3_Issuer_Root.pem tests/fixtures/openssl-ocsp/WRID_D1.ors tests/fixtures/openssl-ocsp/WRID_D2.ors tests/fixtures/openssl-ocsp/WRID_D3.ors tests/fixtures/openssl-ocsp/WRID_ND1.ors tests/fixtures/openssl-ocsp/WRID_ND2.ors tests/fixtures/openssl-ocsp/WRID_ND3.ors tests/fixtures/openssl-ocsp/WSNIC_D1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/WSNIC_D2_Issuer_Root.pem tests/fixtures/openssl-ocsp/WSNIC_D3_Issuer_Root.pem tests/fixtures/openssl-ocsp/WSNIC_ND1_Issuer_ICA.pem tests/fixtures/openssl-ocsp/WSNIC_ND2_Issuer_Root.pem tests/fixtures/openssl-ocsp/WSNIC_ND3_Issuer_Root.pem tests/fixtures/openssl-ocsp/openssl-ocsp.json tests/fixtures/openssl-ocsp/readme.md tests/fixtures/testing-aia/with-ldap-urls.der tests/fixtures/testing-ca-ed25519/interm.cert.pem tests/fixtures/testing-ca-ed25519/ocsp.cert.pem tests/fixtures/testing-ca-ed25519/root.cert.pem tests/fixtures/testing-ca-ed25519/signer.cert.pem tests/fixtures/testing-ca-ed25519/signer2.cert.pem tests/fixtures/testing-ca-ed25519/tsa.cert.pem tests/fixtures/testing-ca-ed25519/tsa2.cert.pem tests/fixtures/testing-ca-ed448/interm.cert.pem tests/fixtures/testing-ca-ed448/ocsp.cert.pem tests/fixtures/testing-ca-ed448/root.cert.pem tests/fixtures/testing-ca-ed448/signer.cert.pem tests/fixtures/testing-ca-ed448/signer2.cert.pem tests/fixtures/testing-ca-ed448/tsa.cert.pem tests/fixtures/testing-ca-ed448/tsa2.cert.pem tests/fixtures/testing-ca-pss/interm.cert.pem tests/fixtures/testing-ca-pss/root.cert.pem tests/fixtures/testing-ca-pss/signer1.cert.pem tests/fixtures/testing-ca-pss-exclusive/interm.cert.pem tests/fixtures/testing-ca-pss-exclusive/root.cert.pem tests/fixtures/testing-ca-pss-exclusive/signer1.cert.pem././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649082.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/dependency_links.txt0000644000175100017510000000000115161577372030577 0ustar00runnerrunner ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649082.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/requires.txt0000644000175100017510000000017115161577372027130 0ustar00runnerrunnerasn1crypto>=1.5.1 oscrypto>=1.1.0 cryptography>=41.0.5 uritools>=3.0.1 requests>=2.31.0 [async-http] aiohttp<3.14,>=3.9 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649082.0 pyhanko_certvalidator-0.30.2/src/pyhanko_certvalidator.egg-info/top_level.txt0000644000175100017510000000002615161577372027261 0ustar00runnerrunnerpyhanko_certvalidator ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.127656 pyhanko_certvalidator-0.30.2/tests/0000755000175100017510000000000015161577372017016 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/__init__.py0000644000175100017510000000000015161577363021115 0ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/common.py0000644000175100017510000000321715161577363020663 0ustar00runnerrunnerimport base64 import os from asn1crypto import crl, ocsp, pem, x509 from pyhanko_certvalidator import authority from pyhanko_certvalidator.path import ValidationPath TESTS_ROOT = os.path.dirname(__file__) FIXTURES_DIR = os.path.join(TESTS_ROOT, 'fixtures') def load_cert_object(*path_components) -> x509.Certificate: with open(os.path.join(FIXTURES_DIR, *path_components), 'rb') as f: cert_bytes = f.read() if pem.detect(cert_bytes): _, _, cert_bytes = pem.unarmor(cert_bytes) cert = x509.Certificate.load(cert_bytes) return cert def load_path(base_dir, *cert_files) -> ValidationPath: certs_collected = [] for cert_file in cert_files: certs_collected.append(load_cert_object(base_dir, cert_file)) return ValidationPath( trust_anchor=authority.CertTrustAnchor(certs_collected[0]), interm=certs_collected[1:-1], leaf=certs_collected[-1], ) def load_nist_cert(filename): return load_cert_object('nist_pkits', 'certs', filename) def load_crl(*path_components) -> crl.CertificateList: with open(os.path.join(FIXTURES_DIR, *path_components), 'rb') as inf: return crl.CertificateList.load(inf.read()) def load_ocsp_response(*path_components) -> ocsp.OCSPResponse: with open(os.path.join(FIXTURES_DIR, *path_components), 'rb') as inf: return ocsp.OCSPResponse.load(inf.read()) def load_nist_crl(filename): return load_crl(FIXTURES_DIR, 'nist_pkits', 'crls', filename) def load_openssl_ors(filename): with open(os.path.join(FIXTURES_DIR, 'openssl-ocsp', filename), 'rb') as f: return ocsp.OCSPResponse.load(base64.b64decode(f.read())) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/constants.py0000644000175100017510000000003215161577363021377 0ustar00runnerrunnerTEST_REQUEST_TIMEOUT = 30 ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1279757 pyhanko_certvalidator-0.30.2/tests/fixtures/0000755000175100017510000000000015161577372020667 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1012998 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/0000755000175100017510000000000015161577372021603 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1305838 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/0000755000175100017510000000000015161577372023637 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/alice-2020-10-01.ors0000644000175100017510000000266415161577363026466 0ustar00runnerrunner0‚°  ‚©0‚¥ +0‚–0‚’0­¢ÔqFIíºûgü¾ð˜gÎÇf„£20201001000000Z000W0  `†He ÿ×ãÿu±µMia:KÛ1×qG†sJÿ§Ñ’m¬`Õ? ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyYc·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚ï8É•^ƒ}O©¸›+ó·Ñϳ ÖÉžR.g§>RQIÚszY.ÌŽ¹ÖUBîAÈç´Æ*ü%𽧚¼5QŒ{>S)YíQ¶l¸¬Qèùäw“2ËÑêÖ›vÍŽ¥ä—y–ðž#†Cí‡îf©U‰ vAjGõ7>± ä áÞ v3{7)Ëà6)™ß}¢[”Õ­ÒCïÔd“ŽSnçÉž3ˆðýœU•kcb”’Sƒ¦)”é`¤½3¶’Ñ­OöÝ\´oOÚ=$ˆÎ²û ‚NVÙá‰âš·®‚ïsdhJ¸!#uŒÓa[“d] 72F‡Qõ`MÇv././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/alice-2020-11-29.ors0000644000175100017510000000266415161577363026501 0ustar00runnerrunner0‚°  ‚©0‚¥ +0‚–0‚’0­¢ÔqFIíºûgü¾ð˜gÎÇf„£20201129000000Z000W0  `†He ÿ×ãÿu±µMia:KÛ1×qG†sJÿ§Ñ’m¬`Õ? ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyY“ÐŤ•?žÿ7¡>^ VVÁ/WVc—t¥ÏeðJ¨¾Œ„Hÿàf©ŠMŠû–EtØ'ñLƒ¥[#@ó§2º’=¸‘, VÚY†ƒ W¦ ‚Ê0‚Æ0‚Â0‚ª 0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0  000101000000Z21000101000000Z0l1 0 UXX10U Testing Authority10U Time-Slide Test1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚ï8É•^ƒ}O©¸›+ó·Ñϳ ÖÉžR.g§>RQIÚszY.ÌŽ¹ÖUBîAÈç´Æ*ü%𽧚¼5QŒ{>S)YíQ¶l¸¬Qèùäw“2ËÑêÖ›vÍŽ¥ä—y–ðž#†Cí‡îf©U‰ vAjGõ7>± ä áÞ v3{7)Ëà6)™ß}¢[”Õ­ÒCïÔd“ŽSnçÉž3ˆðýœU•kcb”’Sƒ¦)”é`¤½3¶’Ñ­OöÝ\´oOÚ=$ˆÎ²û ‚NVÙá‰âš·®‚ïsdhJ¸!#uŒÓa[“d] 72F‡Qõ`MÇv././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/alice-2020-12-10.ors0000644000175100017510000000271315161577363026463 0ustar00runnerrunner0‚Ç  ‚À0‚¼ +0‚­0‚©0Ä¢ÔqFIíºûgü¾ð˜gÎÇf„£20201210000000Z0˜0•0W0  `†He ÿ×ãÿu±µMia:KÛ1×qG†sJÿ§Ñ’m¬`Õ? ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyYº ‚Ê0‚Æ0‚Â0‚ª 0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0  000101000000Z21000101000000Z0l1 0 UXX10U Testing Authority10U Time-Slide Test1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚ï8É•^ƒ}O©¸›+ó·Ñϳ ÖÉžR.g§>RQIÚszY.ÌŽ¹ÖUBîAÈç´Æ*ü%𽧚¼5QŒ{>S)YíQ¶l¸¬Qèùäw“2ËÑêÖ›vÍŽ¥ä—y–ðž#†Cí‡îf©U‰ vAjGõ7>± ä áÞ v3{7)Ëà6)™ß}¢[”Õ­ÒCïÔd“ŽSnçÉž3ˆðýœU•kcb”’Sƒ¦)”é`¤½3¶’Ñ­OöÝ\´oOÚ=$ˆÎ²û ‚NVÙá‰âš·®‚ïsdhJ¸!#uŒÓa[“d] 72F‡Qõ`MÇv././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certomancer.yml0000644000175100017510000000544315161577363026672 0ustar00runnerrunnerexternal-url-prefix: "http://ca.example.com" keysets: testing-ca: path-prefix: keys keys: root: path: root.key.pem interm: path: interm.key.pem interm-ocsp: path: interm-ocsp.key.pem alice: path: alice.key.pem bob: path: bob.key.pem pki-architectures: time-slide-ca: keyset: testing-ca entity-defaults: country-name: XX organization-name: Testing Authority organizational-unit-name: Time-Slide Test entities: root: common-name: Root CA interm: common-name: Intermediate CA interm-ocsp: common-name: Intermediate CA OCSP Responder alice: common-name: Alice bob: common-name: Bob certs: root: subject: root issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2500-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: root interm: subject: interm issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: interm ocsp-service: interm max-path-len: 0 interm-revoked: subject: interm issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise profiles: - simple-ca interm-ocsp: issuer: interm issuer-cert: interm validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - ocsp-responder alice: subject: alice issuer: interm issuer-cert: interm validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature] services: ocsp: interm: for-issuer: interm issuer-cert: interm responder-cert: interm-ocsp signing-key: interm-ocsp crl-repo: root: for-issuer: root signing-key: root simulated-update-schedule: "P10D" interm: for-issuer: interm signing-key: interm issuer-cert: interm simulated-update-schedule: "P10D"././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.132029 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/0000755000175100017510000000000015161577372024757 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/alice.crt0000644000175100017510000000204015161577363026542 0ustar00runnerrunner0‚0‚ 0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0  000101000000Z21000101000000Z0S1 0 UXX10U Testing Authority10U Time-Slide Test10 U Alice0‚"0  *†H†÷ ‚0‚ ‚º¿åŸ/-| hbÑOúÒMiÊN>Y–DW_%·ÈñÑ#ÀG?pWuº½FG={ad«‘f< üˆÿÍ'a ¬uœuZáô5«ƒ×Kó"†Jªß¾×U|LŸx[ZƒãûÕEñ$Ú*½15›Ø1jÔŽè¹hYüצ–N¡•Ö ›ÿk%Œåx£àµ*}@‡éЛÕĺ·3kã†8;½ÖÉÄvÂÀ; >ßRÆà„—m›åpP¤T×xlé-Ùvªë@»ã¥hsª„}6ùæƒ8,úMFî=msœ, d¦`Ü|‰ÄÇŸ_þLëÕiÜ™þôáA„ÏØLzÙ£í0ê0UZDÔ[]ˆ{ðësx—6²ÀÙ¨0U#0€0ô=σÉvÃÚyh²mìâihÏU0KUD0B0@ > <†:http://ca.example.com/time-slide-ca/crls/interm/latest.crl0K+?0=0;+0†/http://ca.example.com/time-slide-ca/ocsp/interm0Uÿ€0  *†H†÷  ‚F!º´EÈŪ"…Á Ûѧ.)T€Y5ºÑ:íÛ4ßÍwà8ǧО”ê^å62«¦zã£'fÚ.åeKwB;×P0²¸VUTª³Ü}^!.1…H«\¤qè‰<„ê›â°Fi5µOÀð‘Ã’ÃÝs ||2—… xº´ÿ‰;Œ° VdWuÍÄlóGXÖ£½,ǃvVû1ZÌ#¡) `j¢ªp»œÖy³»æP„FÝZ,hÀÞ󜀎| ÿ^'¶òÌ0Y|nVFxýÔ—Þ÷¸q¢tåû²Gö‘i´îGbŸ8 U•nw,­BZŽ% ä¼kÏŸˆµ‡?JPd././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/interm-ocsp.crt0000644000175100017510000000170615161577363027735 0ustar00runnerrunner0‚Â0‚ª 0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0  000101000000Z21000101000000Z0l1 0 UXX10U Testing Authority10U Time-Slide Test1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚ï8É•^ƒ}O©¸›+ó·Ñϳ ÖÉžR.g§>RQIÚszY.ÌŽ¹ÖUBîAÈç´Æ*ü%𽧚¼5QŒ{>S)YíQ¶l¸¬Qèùäw“2ËÑêÖ›vÍŽ¥ä—y–ðž#†Cí‡îf©U‰ vAjGõ7>± ä áÞ v3{7)Ëà6)™ß}¢[”Õ­ÒCïÔd“ŽSnçÉž3ˆðýœU•kcb”’Sƒ¦)”é`¤½3¶’Ñ­OöÝ\´oOÚ=$ˆÎ²û ‚NVÙá‰âš·®‚ïsdhJ¸!#uŒÓa[“d] 72F‡Qõ`MÇv././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/interm-revoked.crt0000644000175100017510000000174415161577363030432 0ustar00runnerrunner0‚à0‚È 0  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA0  000101000000Z21000101000000Z0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£¯0¬0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0IUB0@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚pÌaPwÑaqà-ç§Øó#°v¨e½W] :ÁŠ3‰[Çfõ²Á°óèM‡þºÈ.r »y2cßàHEƒâJZU°Èü5ØóÊàLZ +>fÔ\¼vDAO_aš<ñHç§ÊT¤HŸÉc˪¾º ;&)Ї*òKí¦¦ScýÚg_nUóVݹÑÄеj}Ю•sCXˆ ~|,îgI–¾*ª"¦è•åzÏ€Íãâo¿.犫 ]_·öpeK€èó¾²ãÛ_^i¶äʼn2"ëÌÍ!…r&øQ¨c~³ÅÀXŠeGná=ºbº‘Ün]@RFÞ"÷Ö;././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/interm.crt0000644000175100017510000000174715161577363027000 0ustar00runnerrunner0‚ã0‚Ë 0  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA0  000101000000Z21000101000000Z0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£²0¯0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0IUB0@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚ ÇfáCgKiÒh=­Ws÷—të䌭/ÎR¿é<ìHu·/²ff¹«%Q³»h³‡pßîaragþUh†ÌÈþ¨)Þý#¢‰}pµ÷ÇqûÁ”G>rŽE4ä¹ý‰Ðәਨ^Y‘¹ðu +ççjÕÊ£††ó¤dp·Y†)"nì:“Keqü„Gï,Ý>:ð÷CmÊÂÛa{©kÐUiiž!»ÏnR3vñ×úG âfì°©Z…;ÇEIÇ%?uyÌ›8S›ÊÿïlÝê,ÜqèoÉŸƒ8!îÒH#;«ÌN³¸ o¤t"² Ùý?Î>ºÚаEÎ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/certs/root.crt0000644000175100017510000000173415161577363026461 0ustar00runnerrunner0‚Ø0‚À 0  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA0  000101000000Z25000101000000Z0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA0‚"0  *†H†÷ ‚0‚ ‚­3ÈBÁÄLRÝšû姿D'ÑE‡*=ëõÇ$o&Ûè¹T7>qkdb××ñ2gétWéPGå­ÿsêXŒoþÂÜ 7߶¤ç$‚Ý´a¬VüÕ2ˆ¡ú}@/™5+ô«!^f-7yê”çþóU¦œ/­{¶42´‡U~ oNxoä:aÀêá<ÔÎãîÈ¡Éæǵè'][1õ"G÷ÌÞ‹B×E"jº _‘ÝÏ•BŒöü(R’µÇr´¼±¤½o##k¾‚äo ‚Êx£pœv-‡ÖÄ¡ÆXÓeø_g„¢ÑÕ3­Zû”ÎŒÿµè<ï_f?êóst[£¯0¬0U½÷ÿHýXóÜÔ¡^6a ?0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0IUB0@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚›4½‚“a¥YÊêíhv¥ØdÚ´ g*»æºvÇô»oYµÑö¤è2?“gô°Lʹ³DĬ "}Ç£kÇkʬ»"•Éj¢yU™­WÞ˜ìæ½Å‡ð¸+&öŠ“é#«”]7OIï…½Evy¤8 Ëþòþ=§ÞbÊSNödÛô<6î‘`ÆÛV6#äËŽóß?Šû0ÿ£;³_Ihôq“âÞ°dg¤óa.B*~ü¼Ñw‘›ß–䧩  ‘Z?‰hßù»÷,qáh‘ £Æׯ®¨Šw76[ËÀJ]^ªBÕuÕ!DãÓºmŠB2Ÿ­øFåzH"ëø‹dº@Ë././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/generate0000755000175100017510000000137315161577363025363 0ustar00runnerrunner#!/bin/bash rm *.ors *.crl certs/*.crt alice_ocsp() { certomancer seance time-slide-ca alice interm "alice-$1.ors" \ --at-time "$1T00:00:00+0000" } root_crl() { certomancer necronomicon time-slide-ca root "root-$1.crl" \ --no-pem --at-time "$1T00:00:00+0000" } interm_crl() { certomancer necronomicon time-slide-ca interm "interm-$1.crl" \ --no-pem --at-time "$1T00:00:00+0000" } certomancer mass-summon time-slide-ca certs --flat --no-pfx --no-pem echo "OCSPs for Alice..." alice_ocsp "2020-10-01" alice_ocsp "2020-11-29" alice_ocsp "2020-12-10" echo "Root CRLs..." root_crl "2020-10-01" root_crl "2020-11-29" root_crl "2020-12-10" echo "Intermediate CA CRLs..." interm_crl "2020-10-01" interm_crl "2020-11-29" interm_crl "2020-12-10" ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/interm-2020-10-01.crl0000644000175100017510000000106115161577363026652 0ustar00runnerrunner0‚-0‚0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA20200922000000Z20201002000000Z0 ~0|0 Uõ0U#0€0ô=σÉvÃÚyh²mìâihÏU0LUÿB0@ > <†:http://ca.example.com/time-slide-ca/crls/interm/latest.crl0  *†H†÷  ‚1ÐÒRmêOåËjLªiŽEœãà¬MšôÀêœEé€R¶ùfXÛmo¶­¤ ¢Cëm!-B7I N¿ºŸyavUœ}oño9 ²_RS]ÌIe7!^óƒÌo)ªIþíÂM¾3¥S°a.úøšQùAýž\?˸$ñ"¬ÌwÙ [g`ÙPÓƒéBûÂèãzÒN”êÚ+*½]¹‚±³ï6·‚ ‡cñu;TM–4§3ÎTe«zAÂ!I9¢çÊ°] C'7^ñ*açšíÎI|í¢ˆ/ÇÁC@f­f$x(sÞ¦ãJý„^OoFñóBMà`5ÄŽº˜././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/interm-2020-11-29.crl0000644000175100017510000000106115161577363026665 0ustar00runnerrunner0‚-0‚0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA20201121000000Z20201201000000Z0 ~0|0 Uû0U#0€0ô=σÉvÃÚyh²mìâihÏU0LUÿB0@ > <†:http://ca.example.com/time-slide-ca/crls/interm/latest.crl0  *†H†÷  ‚´_'3ÉÛçÀЪä–ìG]˜%¦èÊ+u?>V•Arg#=ÉnR‚ÙÜi)î5÷Ü]n¦òÏ2ª¼XŽšƒÿUòéúÂB)’6[ J]åV¢€‘!“ß!B%6Œ~Ms-xE”ø±è ){ˆÌdI Dg¦ë:IçŽXú¯.{ÝÉj‹Æïþõ†Añ1[ §mø®Ô¸J™ßLKç!¼X;v¢¿ÜÅÒ´âUµ¿hß/Ï?2owÖ ˆó‚škôÿઆÛ3¹*÷‡%Ÿÿ_ €>įù qÌê·Tx¨¥´„‘Wäè„éYÐUð¾Ì"º¶ë:á‰Q././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/interm-2020-12-10.crl0000644000175100017510000000112615161577363026656 0ustar00runnerrunner0‚R0‚:0  *†H†÷  0]1 0 UXX10U Testing Authority10U Time-Slide Test10U Intermediate CA20201201000000Z20201211000000Z0%0#20201201000000Z0 0 U  ~0|0 Uü0U#0€0ô=σÉvÃÚyh²mìâihÏU0LUÿB0@ > <†:http://ca.example.com/time-slide-ca/crls/interm/latest.crl0  *†H†÷  ‚„Ýàý÷>Ä{t²*ß+E‚ƤC½/#±rÁ_s«¾¡ê~$T€´ŽYíÛ¼Û€d±XiBLÉÕ7ƒÖsÃïêÞàÈuŽ$ÖgC*вŸwœœ­A>•øã¨ç0kÔl§é—ŒÚW满 2–ÇY-?ÁéÿDH$ô IÙ­=ZÇÁd,Oå´âMRóÒ`Y40Ót-m¬™mÙK)kÈB¡·—Èñô•{ð”›ñÖvÛ%ÐÏ"{ÿœò“›P׳›‰q>¯Y‚ÑÇÄD]‘¹ðwen.îÌŽÑK¢q׳q­Ë~íß›ú¿8e<å²{×Á%B¢Â,././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1336334 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/0000755000175100017510000000000015161577372024612 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/alice.key.pem0000644000175100017510000000321315161577363027160 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAur/lny8tfApoYtFP+tJNacpOPlkOlkRXXyW3yPHRI8BHPxtw VwB1ur1GRz17gWFkHquRZjwfCRP8iP/NJ2EJrHWcdVrhAPQ1B6uD10vzIoZKqt++ 11V8HUyfeFtag+P71R5F8STaKhS9MTWb2DFq1I7ouWhZ/Nemlk6hldYKm/9rJRCM 5Xij4AiPtSp9QIfp0JvVxLoQtxIza+OGODu91snEdsLAOyA+31IQxuDChJdtm+Vw UKQeVNd4bOktBwQA2Qd2qutAu+OlaHOqhH02+eYdgzgs+k0HRu49bXOcLAlkGaYY YNx8icTHn1/+GUzrB9UeadyZ/vThQYTP2Ex62QIDAQABAoIBAHk+n2EjKx+uTili BdAte48khnoaLctHoYYnodO3k/XnHxqMwPnrVYQg4KDd/PJ5/Zuf/i1m+StWq41y ropTiQlL7oGOuCh7ZHaPV3CPYdJXZ+DalTeOy57mIV7tyK16dgTeu8AdEftiLZbm XEEXjGlmQxgk9M+gXwqVEHmMVqUCKm5vivVU6QYyYv4qyf0XiyhMdFs2MrynOn2N qdEMW588p5HHqsO/xU7YRxZG5HxIzix7y70SKe+lq6WHXPCpKdFoH/QeB5eNZHLp f+G8UUvSPcl18u57VherbdALsphcrcv4uQaLUv4Jes1ZWgHpA8TAyr//Zibubuna WrX9sjUCgYEA2zF1lEu0Pq5VJ2fm5Z0A9wmLVkdFfm3WrVmN/4Mml63tJAd4MryZ 3y+ZHbEpmjuxkePK2SDc89/hOfzMWkxYWrx8Qku/f3856AwW6HiBoCxCvcV6iXdK 35ZGG4pzYesQFqP/bPMtIw8QtW82MGaPPupyG+AE5rrR8XTsmWBYs9MCgYEA2hvF tF+NKSwGUinW8yVWg2Y946Z5IFUrbbALzXt17Y1Ljkex0XeaQ6hM7ArFenC1OrtA L9o6iLInK0eoLsPNlelRn6VqLDbpSXSPtrjf1yHAv9V+8Ya8si+cGKX9VGhWuKQp hkfIylxGT7JhJeNJ5Z9umdIntT/oyAD0k3umZyMCgYEAum+8IbGuku33UfgnRcAg NP8yO+WNL3c/dNzKUb180uDF5rJPw1/1xQcYRlANIbmKVJubSsmQBgKz8H2cV2W+ dRcC3eTN8iUF3OCDj6IIJ3PeJMnWaxxDXB/Wa9B8SZoFaix9sm64QqyqupfoUIy7 ZHlHK3yEzreyoJyiLebsK68CgYBWiCgy/KnTiNzlIiZehxTAwwKQ3A44TrIRLYQx POc3nRQ52aXpterlJtOF3mwkvKyaJYo8sfcBHrU9jYtjKlnZPR0eGpF6Azsg4nbW BpkAECsZsMlRZ6RbiVoDyW8tWsv1K2QyGy7FYkCfA+VZE8jQqiVGL8ODPFzNZNuj 263UQwKBgEXtI1kpfEGMp6EVO2v7Fh2cH50dQWxlSMpflz2VPY/2Trcm2aGrvCvf AObSlgx1Yh1nUu/pHJyAVLFnCyTuxYG+NSPcnUyvATginEtjgASdkcFouKUBdH5V gMHjwfe/P5gdoCgrhPx2w7GAuwT8Y4i5X8RbETPlY0a3ej51o8FD -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/bob.key.pem0000644000175100017510000000321715161577363026651 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3gs9cXiCWjzomXEU7BfCFQGmtssxHbvD2mrPgvuRXXQrHlTu x7BfwuDpXewGrzuIp8rqzU+EcPaLViVMqrBRyWhgOEJCwkB4T/7T9mQ1JLt9Shgz MAk6nbrMfUFtdYUIAzA5D9UVatwXzGPm7zhBlw+jhJKrwLdwM2j12U8KN/FOiMEV gxCpBKo3UP/3O1ESXl0cqKfiXPe9VZHguxYnmiXa88x5pAu9EXEDsOrBvRrw05qT Ai1s6xQkmUAMqlKnV7dpkLfupZZzCNJAhEst5HTYmi5BCs8V5qsiNZJEd7anr2se irmBxkT97/f4YI160Qn088Yr6wbyBih7NxHS5QIDAQABAoIBAQCXKKG4iKh80/Ao 3UG4A+h9MnWTBTq3miaXn5UK/0WTkEz2Ri2Txa87VK+p388hJe8/AzXbdSGdYUmz 6IqLvKLA8Qxn4DvgT9FX7AvSNZ+0FOsTMOxP7Eh6LjudnZftpBWzTfXaoF4HNDQD UZNaETsdomjYDJ1eAcMhTHfpaxRyxc/hbQ0LQZ2AkrSAKt3yKKd0iLar/jDTm+xV ivXHKgd8QH+L8wYkaDFGNb3QniV9LQWZFKR+6lyPCimxjcVzo53kTmAYwsbte+Ct zOe3MshUmH9y5FQ1yHLC2l3PSGcYEGMxpT604govbgOyOXob+OKthD5ZpY/jESan WONEgxVVAoGBAPHlMV3BY4OGDBuf+UsbNkTI+oJMHtV2bSc5C+lZE2EBapf5hB+j HjHf9W55+e3xmbgsOjPBJ/HOH0xVhaSsjbe3H6Oh7Nd2e1wnfn4G7hRx5hUVMGVH sTYAUhzJM8rI1bwwUikdfubTcquX6k/2n4xAr+5FCS7cXaza85TO+xmLAoGBAOr9 uQFvqlSbqvX4g3Gwjg7wJE9uTQmzLSe4sq46h2ZUMngmIn3qSK6QzU8MbCojYn7n QBHW9h4cEBoKaKbEpy0DPpLuzja8VIInUNMcrnvf6EgfOtXbbjQFyRAcBNWdRwaa PcntIr2Y9TmeHPQSfQWcbMFxZ8ykbwryyC9JwvNPAoGBAJ6lOHlK6l9KPQqpIrDV igQW4+Us01QgtXnx+hPyrbkDWsuNg8/UBWukfK0WJoqd17lomEt1NSNrki9YL6xO 1ytUWNXSzyiItmM8K8Ov+9lA0iull/X0zQ6jqzbh5qvqh/NCpb/9bkspBp3vpmcH UqCDlF7qvBkVwgIqH3LLRPf9AoGBAMygxrK+d1eX+saYcnXU5c+SRDw687DHq0GU r1vSscdk+FHx+0Ukd8gzZeU5DxOeno2deAhQ5R8RFuBmQf0+78jds2alt0Kouvpf nB1KM5LBRvdO4qAJpax9gTma/Ia7n3bbZ4ToD8GEab6TtejAFMiHD5lf1KC6a8vf 4Hx1QeM3AoGAGVyG0jTe7P5D7/RupaeY7rjTxXc9r6OL+BF2Z2NI3jtgUmDOonMd NzMQQcEbGO0qCc3ZZUCoBUnAAK6lAVfRBxxJAhA3NdPO2TFcpjDS5kVcxKGIr5jW g+T2EqCbIeMKkZFVBbrRBEb5XLKpNA1o2+pcuT2WU+y/xVbo/Q7M13Q= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/interm-ocsp.key.pem0000644000175100017510000000321315161577363030343 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAy4bwiAogsjoha2gFNvb26EHtep6u/N+THup/8MFAPc+itgFv QqhaY3HH0YKd4jwaJfX1QNyNPQY40aqRyo1t+o+LpEEoCIoqCn2SAwKem93sTUaa QDVzvR/fIumak19hEA/SuRFLE/uAFO3ErRTMPIqsKDz4RNUWk+7A64O+3dN0zglD mgmu4r5BP90AXhsQFYdyn5S7VZA2HaQt0tGB/snr3hHF5dwrzQuvg7kn04QK3Oyj C8Igtv7qwnMhYafHg1mhrpdLz4SD1hUZ5kPvV844raY+Y7dSEk4jVPHCI2DpOSGB e6H9XuwtmcJ+tch6qq5eO9GMexSZtA3GSCDH7QIDAQABAoIBADREHPTylN7wKrDo b55j4ZhXheLdaVarG57u3Zg4KIU3EzPmPmpBzaSIDaZyApWclaJ1/VuAyAyJ0oGV agc4NqwHvPabfOpkgNNc1+hJ/e1NGmfl36rpjyVcT/MpRnbeIZD8X0MDe+JPzd6S CNXh52kMu5VBwwf6KOgoggZ5OMTCGXNOXMCXXwPBQO14hg62KKEf8JrJqipqEPNN 4J/XkkGBbFcGVLwRqw0JlifLebDU3jAOTtG/QDsrgGmGl5jpEs7DWwfKxXghylya eFy6dtFkwktfzQJ1veapyhX8SRY+nPR/u222Czu5xbTODFwY//zghMxBzP3PRi7C RA3F3gECgYEA8C4GlJGuvp4Eq/exfMWl8VOh3T3xcme87wczi4R4iKbralnY+CmR ORDky+YvSV3w9M2ftfDbTa9ILen5rIbap+H0FrKzNkefNbEnIX8ihdeq5oVLVrCJ EpZfgx0jfEDkbFVURBRDgtSuuDaFcy7EBczv4JC31b4iSppyba+FXMECgYEA2O7d 5x21odLh2e7cFvh+/KKNurKtdjIO2nXzuRDcqzQZEgN3YpVoUZRhfnERQQ1Hp6UP TwB2x+t0uoSWCTMDtGVXZl5199sUksUeU48Xn4gs//Squek6mAFtkJ1whuNfggtu UyIq1qFn/zhogAp64zVKYCW4zRqkTrQ7/djb+i0CgYBdrBW06/yTK133E+uNFija Lhv7BaWdUQhG0TAxQcEgyrkWCWStpMiW0RfqziOzIYhQccHQW9esPKiR/6b4ur+c qmtgTuHGUbiuYCE61zLHsI1eyq3PaZqMPUmTAVJNq6Fq/vyWcLDD3d8myVzSx3J8 MKl9k/Oe0UDeh84JKWOCAQKBgQCCnbB2i+jk+riKI8vY+N5c9vMnSpYu6I0Q9Jw+ /ewgGUpPEk87yIH7PMBHBYVCCeDvC+9fvgPG8/pgo5xDBbhhUfOB67ZT+lE03gMY hLvQjompw4NYVRm2lIWH4YPzc8v53TAcViI9AQpBHZGuJqE/VMLniU7wD+6GhPbq LTymMQKBgA5ST+G30w51sFRJJULSfB2kXCeRs6dDDuLwZWLXAtBfyUHypx+OcLzR 49YBt8cE/IM6UvvMGCavucU9FOgfk3JQEg9uHd7ky3z5vc8g9XZ7f/cURbix2lPZ mhYZPLA+/xQdxIk/zOs8MV/QLja/YetW7kc657iRMnlbKBjgTeCT -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/interm.key.pem0000644000175100017510000000321315161577363027401 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAqUQg3xjXPS0Q+tNAcZ0GXf+sMfhVyxgBdeh6QowJmDdxIZZB fzSHH4Xjk1B603jHK0YZKsZ6XwdXVPKWhYKA6/vIgRmDJuFFB+/8p4W13TBC6H8m 8hmha9+ZYHV3G7Fmk8mPn0LgjZeGoKlCsiqxd5XMDwGwQZr1EwkvsQkZJkwXa4s7 mIqvdapC3ydw2bo1iJtK8BIf7ATcCOWKRdLcQEwg42RrIo9HOio4ngfx1K3EkuoK VbqiVPHqI9G8QtlmwySnlLmbXr8l5MBbGfNyEO3gcFuhtTSGOTJu9/1UIDu5lYi9 Mnhry2bqfgrQhLueE+BMuOtHUbWsET6mTNRHNQIDAQABAoIBAGcOoezzlOkcbUAq KwyBjITizBbImoPDI/CEERw/YwAYkXrfnxUyCCs7O6pPz9i9qpZAYcZXfd4p/BQu d1LmeFQ1wohH3kBn273PckcU8/uuDK697BpvXIbvZtUB7/kec9P7XsSa1VmgLknX hFIyCEdFHy7r2kK3dAuZBj6FyZg0snkPQcsNgocZGA9b6xqC/T0V0b504csmpz26 0SeP2NuBa1vDk8AnY5FXWWuBm4QV9U6qoE3dJG7gkNE2OvybksCPSEGnVXuFHEjB kCacMMQRUEnY0kuy7ZXb21z9bwCBNDgauR+kw8d2Uv2deb0cLxyEMHGaBAMivBvP r7KHw6kCgYEA0UDjHVnfU15iZyAWv6xNG/6grAPhN7KjtJ/1U8Gje5TvikO9aF2u YO78jb3wZAAARItXUoMArivdKG13OddvRtPBgJljaAYdNIM4mbfyQ8sm4FtzVOtE fwL9oMJgEnNH1iwSPSXh30nZ7uC44xSXgaFe/2ix19qNLPmer5xt/T8CgYEAzxRi ENwQcs+/c+lVBDuKR7F0XDKHakH5RKMxU6q8s0uPdaBdbPa4qXfM3LubC0XauNSR jpe0kAlhir5uPjCAd+gWBGu0SUUJAZnMEGxiD+YeVCvk7KO3vcJx0vBVDdmNrmjk a1L01oQuNPv5fAr6f1JkeffWpg5Lfh0UXFnkuosCgYAFNFXxvvB9BFXyNqwaLFDm p1ibrqUFW54Suf/CC4jjY/rpN3IYjGvv4UHKzLST6CQZkFWlqbh0nIatoLtcZu1P l6iyaB4+0hgb3D+mIxsVcJIQ9nVR4WAcwJhKTUtSaieZPhNeDfkmMpIHDPPMQhDa mobgV1xFAByOx86Yk41wxQKBgD2qWDmlDtDhxKWDymlkQZ1v3rLF6UVfOBeUcU/0 /BR4X9QrWSblob/1iPACff0xZBy+UEoiKwbphD6IztN+JgOO/V97o0heYnwzjG0n mVwartVp7NX7OvArQzIJl4p0Spixa7P6FCb9XbUxg+3IZygbJQidITJ590kq57FI o7BZAoGAI+JNLXIinUrFMhQYWxi4h0IDyI6nhVpazu2+Q6tnfHRKItP2e6X6W3Xs 7FqDqpHgr0b29m9fLXwGK5eZMtqZ26zrr2uNgKNsUhh9XeDq0F/KECh1aTdpUDeq /X1Ytv9OsTKyxpzXzP+Pj641jrgSgGCAaGIy9F2c4DkeFuHynOM= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/keys/root.key.pem0000644000175100017510000000321715161577363027072 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEArTPIQsHETFLdmvvlp79EJ9FFGhsHEocqPev1xyRvCCbbkOi5 VDc+cWtkYtfX8TJn6XRX6VBH5a3/cw/qWIyQbwP+wtwMN5DftqTnJILdtGEdrFb8 1TKIofoCfUAvBJk1K/SrIV6BZi03eeqU5/7zVaaBnC8ZrXu2NDK0h1V+Co8Cb054 b+Q6YcDq4Rw81M7jHu7Iocnmx7XoJ11bMQb1Ikcd9xrM3otC10UiaroKX5Hdf88I lUIHjPYZ/ChSH4GStcePcrS8saS9byMja76C5G8Lgsp4o3Ccdi2H1sShxp1Y02X4 X2eEotHVM61a+5TOjP+16DzvX2YPFT/q83N0WwIDAQABAoIBAG8fXOmvpcCOHc20 tWhFZ3XgZuRT2NrDS4/E1sA4mN/zBkXXeigU9YQRMavU7Z+7Bj4avdhcAHTUiKMK 4ACF1pjTSF0+jrwLv+xPqlibeaCj+kS63qXuMQky/OvdBQ1/OkUESdMz7fNfKUuX /IdH5FjcZiWNdnz+dSzSJ074w9ADWHIjEg9ixmw0xU2QbulOgJabuwuri20kVyuO cDrl1zW10e7iiog85HHEIFwTXfen+wb0QgH/mt1/BS+3ch0dmP0i8Dx6wZMqh7P9 RQU6N/947jwgHMP3HV4SDcHLSznIB+G/veaFotL0IDKHbhdQIZTGfIUJXIx5RTTD 4XTF9hkCgYEA2Eg/GNtOwtlQILGpkBLvEgq9dlttQYjBeSBnXbNhI5NHMuYq0piF xki+Io3zonLKMJ5LZCMLYesJm+WMGVLZ2d0F7NSfvngI1nApa70Nsux3EeZrcFTs u88vWJCCXR8++x21iUk1M0SHxdXfPc89l+a3C30XYTD3MTEgkdN3ChcCgYEAzQJI ZwYV1JH/jE6AIil472YIBQXBB+YI6Dx2V3H7XDzE7G6IKU7VuxrvZA1i/ODKzPSD tBeCrhnUdqTOwb/Ba7CRL/a935tYiOJRQb8fM0Kyy0cO33cPBsbjOeZRMNdyhVKF 8eg2qCMPuEYLVdumQQl2wNbKcEUbgxgd+Icxxl0CgYEAyp3EHrE1c+zJ2BcYVtSm CyzsmXjFPeOz/JmSvIFTu1Q6G0DtVSV2DXAQT6bUW5dWO33P+xupii36boX5Xa/0 Ttl0t43pqTIidWHWLAyMTNaiJa7LcAzfSoKqRDn9JugixHXsn5RptoG5AGmAHhOM DEYjrSufP3nz2a3AaVzF5DkCgYEAqpVvsWn62DnzrcfUDpj7rBf2LFexWuUqHDPT NMf/I6zdHu6KFfUnGt06vMH2z/wsQ4Zh4IR/lGahx2czMzxfsT/mT0a8j0cv0Bah Dlf9miWxqDukQIVM15K+l/rxK/bZr94O3k8ey6EA/5Ao9nQiTpOVYLhZEjouvlJe /eFgpXECgYAviXclHhkyJ4movlUrbwlkE5/ezS90jM/1Y0iinCxEfjzN+p0YmlGR rbtAahdSHVr5YeB2d5aBDWhFv4GJifhZPUR2Gy5Zqgnl0UQWyVSWx8wFDe36Cjku eDS/6nCP0f3M3ZHbRA/Xm0mBnc9uI4yD9bTG1ly2KE9Tpu+gggYEFA== -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/root-2020-10-01.crl0000644000175100017510000000104715161577363026343 0ustar00runnerrunner0‚#0‚ 0  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA20200922000000Z20201002000000Z0 |0z0 Uõ0U#0€½÷ÿHýXóÜÔ¡^6a ?0JUÿ@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚ª2Û š«DÛûÿK.ÊžúÉÙ&lÔŽŽ• tEätÕÕÚ‚óÿ‡_‰¿µ ŠuÓ¾ÄÙþÕPiTt¡Ž.¨É;ú3]½äÚ¼ê’ámlb`Gz¦)Õoß}E·¯žrÅÉa‡Ð#;€7É"ô¦³‹`ãJKßÜíûGHS×(>,±Êw;;ëQ8á°·€$# T¡¹Ëæ1š²mâ÷Ý;f‹žq$ͳÅkjàL˜S§f€_47‡s©åða$mh×ûGf%?VH SLÊ8aËRF9˜ÿ"´¯>ÝÁt8j¹róA¸X:6üüßýl¦g|GÎÆÝ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/root-2020-11-29.crl0000644000175100017510000000104715161577363026356 0ustar00runnerrunner0‚#0‚ 0  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA20201121000000Z20201201000000Z0 |0z0 Uû0U#0€½÷ÿHýXóÜÔ¡^6a ?0JUÿ@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚)úOš-ÐYp¿ž‘+Sð¸ <@b§§Üfú³¦_ì„F¾¹¤š_u= ÃöR×@‰â©Ît4=g"—Þ1A}Ð3>vÿù™Ýç±Ýå„b‹€<ñ–èû£^è›è¢Ë¾Ž€: .vpNš‡¶R¼tåý#àÑ–."ý¥}bÁý_颗6ÐQoßJIÙSyÙ¦”"k¶”©bZ½TÑlB€(òXLç Ï–¾^_”–ŸôÜÍÚ¾ep3””ÜX¸û|hZ£&Úƒ¼v§ ¤Šˆ+›©nÊÿŠ¼Eê#FÜÁIÈ­¤¼Â¯O$TI«Ä¾—¦¯././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/ades/time-slide/root-2020-12-10.crl0000644000175100017510000000111415161577363026340 0ustar00runnerrunner0‚H0‚00  *†H†÷  0U1 0 UXX10U Testing Authority10U Time-Slide Test10U Root CA20201201000000Z20201211000000Z0%0#20201201000000Z0 0 U  |0z0 Uü0U#0€½÷ÿHýXóÜÔ¡^6a ?0JUÿ@0> < :†8http://ca.example.com/time-slide-ca/crls/root/latest.crl0  *†H†÷  ‚Xt‚c 1LFRâ£5oáw½Þùƒw z’ÑdÛÇáÁ­Oÿc¤#w-ÌCÊŠÁaE5‚Áä™cä÷ǸÅÆÄÈÏôž³&ò¿÷m±È›wg—¯¥†"àƒÈ_ž›¶«'Ñö¥øÕbŸ†Ô¶wô$Ç뮵]œÚCmã-0Râ93]E9&rnrÛ¡ŽW$zDa·bþñhV/ B­ª“}(1àê¡ |ÑÕª©Ñ(ëâóÔ.Ù·ÇØZ5’ )y¼v­Ö ÀnS6t®$–|Æ”ÛI£M'h*]ælïè°3)ßhÑй9ð×°‘*ù Ù¶míH‰·././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1342897 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/0000755000175100017510000000000015161577372024010 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.136881 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/0000755000175100017510000000000015161577372025450 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.137699 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/0000755000175100017510000000000015161577372026031 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-norev-targeted.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-norev-targeted.attr.cr0000644000175100017510000000152415161577363033333 0ustar00runnerrunner0‚P0‚80X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0ð0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80ÁU7ÿ¶0³0° `¤^0\1 0 UXX1$0"U Testing Attribute Authority10U Validators10U Validator¡L¤J0H1 0 UXX1$0"U Testing Attribute Authority10U Validators0  *†H†÷  ‚®ãns‘öOz/Òò=}ùk"ùþè^ƒKwòÄPÛ±µðüŸfDƒƒUÐÕ|\ ¨_wOœ7ÅÙ0¡` Ã*y#Ll2"+ý”pJå¬-}½Z.s_¨‘GKàÀ~O¯®"%aø-‘±02›¬Í:oåq¨a Qˆw|]uÔ5”Õ¾îÐUýboE·œå}àDRÁìš+k¦I”ë¼gêò3‚:‘;ùÒà÷ÓŽ):)®œfgˆ\Èv… ÌuñôAäY…Öÿ‰‚J‚M¥²XqÊ—]-”ÓÛs楒Ïpµ†»²š‹Ñ`J§J'ó;{|«°ú°K././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-role-complex-crls.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-role-complex-crls.attr0000644000175100017510000000207215161577363033350 0ustar00runnerrunner0‚60‚0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0L0 UH10¡bigboss@example.com0(+ 100 Employees Team FooBar0‚ë0U#0€é—ÿF‡fô‚xXýû4Ô}L0‚vU‚m0‚i0x ¡0U AA compromise DP€¢T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer0z ¡0U AA other reasons DP¢T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer0q ¡0U AA nonsense DP¢T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer0N+B0@0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0  *†H†÷  ‚½¦¿*»&0:´%;'0L’ž:˜zRq¥"ýª4¾Ý ÷y%ÓjŸê.õ¼eÙs¬‡¬*ùé†/ÙîͶù…aU ÐÛºÖþ·› È ¯4ËéŒ}ÑÇú‹ ¹¶óoða.îÚÓjuyõºñFðiX É$Âx×ô-‹Û3ÉÕK1{4«Ÿ”®+­ˆÛ+F³lûÜ,µ8Ñ?Œ?œÛö‚]i³Y0À– % ŠyÝHñTTr¾Qϲ#­Vß“Z€#þ£øO~ǽ…ýñ6¥äÊŸz'o‘f K ×þjÇxI~ñ¿—Ó…ÝŠkæh…JI} ê”ªÎ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-role-norev.attr.crt0000644000175100017510000000121715161577363032660 0ustar00runnerrunner0‚‹0‚s0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚‹ž [žZsŒÂ]z÷DL«µ$¦'§õ§†G¬W‡ùÏAgY<­üéR»ë®úÍoF¨¡D¹ó+¢ž¡zJ*¶]\“Bù¾Èê)A¿*6}ÿh?÷ ¯•§ßa}dÄ­†'ðª7–²þ¢žø¢´[™›0'£d™ì]–Éfè6ÑÅžÑk®‹ï54H¸e¹‹{L2óLTÅFø”ûöâàè{²BÉ2ÝK7ìMÕ0–Œ˜ÒËýóÓ¥sL¥ôtŒI6të}‰$¬Ý+¸UÂïÝÜlunjΖ؛Á !ŽªÆ>¦|~PÜäPb/£8CÝ™ ‘u1n~„(›mÞäû././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/alice-role-with-rev.attr.crt0000644000175100017510000000143015161577363033271 0ustar00runnerrunner0‚0‚ü0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0"0 UH10¡bigboss@example.com0ô0U#0€é—ÿF‡fô‚xXýû4Ô}L0GU@0>0< : 8†6http://localhost:9000/basic-aa/crls/role-aa/latest.crl0‡+{0y07+0†+http://localhost:9000/basic-aa/ocsp/role-aa0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0  *†H†÷  ‚½ÝÏ#¸“P)¼Ù‡çkÜÔu×C1óozZ)ìN._}h´ 2h´´a¬¦c^:Üþ'ÇþÄùÏ…%<Äù+óìgupDtðñب½d\ãÃ`jòµèmx*Ù³µ òK0mÝ5!<=8³ÿª•b$ÖpÀFŸŒ½ôjÈüÒªø>J%xÕîcuf ×ëŒ^Qke’ý M±Ï\Ò··+7† ô‹çýãö’­µn–ûvº¥ÍPIqW ¶fð7Må% ¡ŒQwÏg–°Ñ—Ö¾$²JÀ×Eù®#µ&úÁýQê-ŸèMtë]›é‹/&ÛDV:<}¾û÷‰././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/aa/badsig.attr.crt0000644000175100017510000000121715161577363030746 0ustar00runnerrunner0‚‹0‚s0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚fåô˜FÔSmÐð,þ%-J³Qò6hk«Tç}»¥^±Yþ2ƒ·ò+=ù|ϱË V·Öóm(T—úÄï¨JâûE4žkéPëô¨óø‰çZpˆwå†û¯yËë†È—ö‡qœÒïe÷êæ †_öŒȺ@S¡ÊóêákÑlbJ“¢¬ë±Û-ØØŠiw^ÂVÃÏÉ@ŽZÃ4¢™tþé'=³½ÐWö–A4‰1;Ôÿ¹†FPæHE8MËó6zd`€]{Ý&gKÒx(­ë—ôYìp»t!ž"t³µÓHQy‘ TÉê}³ÎûFšZ.Ö$òšýÔ½³././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/alice-all-good.ors0000644000175100017510000000302015161577363030741 0ustar00runnerrunner0‚  ‚0‚ +0‚ò0‚î0­¢é—ÿF‡fô‚xXýû4Ô}L20191212000000Z000W0  `†He ´îyÁ\ÚÁï9&Wœvu[#ùÚ+]XÞ{±ýJ v‘JìàfóL¹·}vÞò'ôì©=:v½›ÞóùI€20191212000000Z 20191212001000Z0  *†H†÷  ‚ÍvÔ}–ÎRªHl*Ë `ÚyqÓl‹!k ƒý—ƒ»7P@ÀŠÌ ¨ˆ˸Ôw—Þ’à½.Ûn¢[6ïçYL°]‚rÖ¹ÒUœsÁ§M(rsZ/Æä¢Bì5Ô‰+ºªÿÞMïVMâ’[¬ ’_SºxÚ}Ýb5ÙýÕRíÝ>«°üC ’ar„™ß•çfŒ‚þKkBÍ+T¿n×3ÚÎeŠiïg†]x¯^º§œkX¿Â̵¸1@Iáµ{äüÐF3~4+µDiÿëKæ6û]ÏŽ/¶öÅ$éãJÍúlºšþë5S;‘¥{žöØš¯ØÉÕ`ð´3Mocë ‚&0‚"0‚0‚ 0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  000101000000Z21000101000000Z0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0‚"0  *†H†÷ ‚0‚ ‚×9I]+ct†¹‹:$öÇ’PÑíÛ1!䃳¥*ùSÓ—$¸€®˜ |ËåïŒù#… ~ုV-lnfŸNc¶þB–Þå–²¥Õé{àF ,!] _ªŠLú¾x¯!–íæáÕw®^ŸKÿM!m•&î¡ÑâÌþ˜Pd¥6—UzW˜ê!›y´“Ö¹÷G»tQëÿ]häŸû1²”Ê[PÁÓ=ë ~ᕇÖìÃm ‘g˜xeˆ¿¦£X˜é±‹5 ûé r¦Ü*oÃIU:Kò9(Š¥‡fû„öõ‡òl\Ê2ep)IÂ9Ý8NóšN³Ûô¨£‚ 0‚0Ué—ÿF‡fô‚xXýû4Ô}L0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ‚0FU?0=0; 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crl0N+B0@0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0+ÿ 0  UH0  *†H†÷  ‚:Jæà&•¡mZw) Õ(eËðþ,–zi$$ó‘ê[ì[—Øó;qvø§£‹Æ©`‘õz]%Ø‚¦éSšÂÎY¸¿-Ê°âcû äá7›‹.¬”òȽdÉßmëI-{¢Ú:%©PÒu/°fÁ‰¢;£è–W÷cÈ«iÿX^Éi¹ òI’ùŧe?H“yXýyH6:ÓñÓÊ; %0[Žý‚áy±” îtŽ³¾îïÚØpj%.›Ù=oy…¯õgA»@^ôœ§Å3®uÇËeÅ>š aÃ+¢ÅbÈö®}×þö«Ü€áÚœ»†´*¦¦™Yigªé´·4Q_SÜg†ÓÃ3%././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/alice-revoked.ors0000644000175100017510000000304715161577363030713 0ustar00runnerrunner0‚#  ‚0‚ +0‚ 0‚0Ä¢é—ÿF‡fô‚xXýû4Ô}L20211212000000Z0˜0•0W0  `†He ´îyÁ\ÚÁï9&Wœvu[#ùÚ+]XÞ{±ýJ v‘JìàfóL¹·}vÞò'ôì©=:v½›ÞóùI¡20201201000000Z  20211212000000Z 20211212001000Z0  *†H†÷  ‚¢§úÖÂø˜©ŠÀM5 M0DŒ(ò¾£l¡Yôö'ÊÑ0 Z‘deǃaBéœ9EÉvб‘Ö‚G[ QòÚêùÏ“ýa fÅÿBId§‚ó`ðgÆ<¿©7W³Tñ üSë ²p-zWT“oi´”vˆ±!ÔcÒ“Ì ÚÊžÿãÁu¨ƒ'x ¤©Q9„ˤÄ;àœrZK·Ï¢Ü œâ’ÆcšÝ?,?1VÌ#XDâ÷dÊHÑÏC[«œëàÞ¿¢¶¥âRh>¬áš°êVeeÙSÚSA»ÀSW8k©CKJe‡$>øm­½üÚÏó„–ºV$õÇ¡\ÁÛ_ ‚&0‚"0‚0‚ 0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  000101000000Z21000101000000Z0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0‚"0  *†H†÷ ‚0‚ ‚×9I]+ct†¹‹:$öÇ’PÑíÛ1!䃳¥*ùSÓ—$¸€®˜ |ËåïŒù#… ~ုV-lnfŸNc¶þB–Þå–²¥Õé{àF ,!] _ªŠLú¾x¯!–íæáÕw®^ŸKÿM!m•&î¡ÑâÌþ˜Pd¥6—UzW˜ê!›y´“Ö¹÷G»tQëÿ]häŸû1²”Ê[PÁÓ=ë ~ᕇÖìÃm ‘g˜xeˆ¿¦£X˜é±‹5 ûé r¦Ü*oÃIU:Kò9(Š¥‡fû„öõ‡òl\Ê2ep)IÂ9Ý8NóšN³Ûô¨£‚ 0‚0Ué—ÿF‡fô‚xXýû4Ô}L0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ‚0FU?0=0; 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crl0N+B0@0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0+ÿ 0  UH0  *†H†÷  ‚:Jæà&•¡mZw) Õ(eËðþ,–zi$$ó‘ê[ì[—Øó;qvø§£‹Æ©`‘õz]%Ø‚¦éSšÂÎY¸¿-Ê°âcû äá7›‹.¬”òȽdÉßmëI-{¢Ú:%©PÒu/°fÁ‰¢;£è–W÷cÈ«iÿX^Éi¹ òI’ùŧe?H“yXýyH6:ÓñÓÊ; %0[Žý‚áy±” îtŽ³¾îïÚØpj%.›Ù=oy…¯õgA»@^ôœ§Å3®uÇËeÅ>š aÃ+¢ÅbÈö®}×þö«Ü€áÚœ»†´*¦¦™Yigªé´·4Q_SÜg†ÓÃ3%././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1380935 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/inbetween/0000755000175100017510000000000015161577372027430 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/inbetween/interm-pathlen-violation.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/inbetween/interm-pathlen-violat0000644000175100017510000000176115161577363033603 0ustar00runnerrunner0‚í0‚Õ 0  *†H†÷  0Z1 0 UXX1$0"U Testing Attribute Authority1%0#U Inbetween Intermediate AA CA0  000101000000Z21000101000000Z0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£Ä0Á0U0ô=σÉvÃÚyh²mìâihÏU0U#0€e¾U(1Ñ]Qb§S’qjŒ ã0+ÿ 0 UH0Uÿ0ÿ0Uÿ†0DU=0;09 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl0  *†H†÷  ‚†úþE1ÄÊì>n ¡R"ÐJÎ(<αÝs JŽ[•ÕÐ .èPÓ `Ïûæõî ¹ï'÷ך­­‚õ6€µ $A #?õ¬LÄËd³z¤IÀ¸Ô%ÛGýcª¾L“Ábh í Ɉ+»=ëñÒýÓÀ¥^õ1:2øY|¡·ÒØ™Xù-Û—ã‡[RÌât0ÐC æë>êBŽøgWc¨‚ÉCÍ;Ø/>ÌíȈ¤9°&aîbìŒdz͹¿%p!h %»¡¿!Ê7Ó8\Æ™'–÷Fãþ–¿|Ê¥¬Ô.åª|D¿3×T PSki?Ñ&8þ$t 40d#êH././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1402466 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/interm/0000755000175100017510000000000015161577372026746 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/interm/aa-unrestricted.crt0000644000175100017510000000155115161577363032554 0ustar00runnerrunner0‚e0‚M 0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  000101000000Z21000101000000Z0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0‚"0  *†H†÷ ‚0‚ ‚×9I]+ct†¹‹:$öÇ’PÑíÛ1!䃳¥*ùSÓ—$¸€®˜ |ËåïŒù#… ~ုV-lnfŸNc¶þB–Þå–²¥Õé{àF ,!] _ªŠLú¾x¯!–íæáÕw®^ŸKÿM!m•&î¡ÑâÌþ˜Pd¥6—UzW˜ê!›y´“Ö¹÷G»tQëÿ]häŸû1²”Ê[PÁÓ=ë ~ᕇÖìÃm ‘g˜xeˆ¿¦£X˜é±‹5 ûé r¦Ü*oÃIU:Kò9(Š¥‡fû„öõ‡òl\Ê2ep)IÂ9Ý8NóšN³Ûô¨£R0P0Ué—ÿF‡fô‚xXýû4Ô}L0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ‚0  *†H†÷  ‚6U|b‡†ür½Êy.‰âs«ÎGç­ƒ¹7ã"ˆ!úp ”̽E‡ÉhmTœ‡ã“kײá¶1büì°Ë n7¹›™—³a4°×Qùæï!|¾ë‚A«¢Oa`²tñŒ»Çn;%¥.£fiäªOy«Œ^Ú sB;}j@zùJ…øžÃíjX[úYÆQR¹p'«"éG”â™á²B4ÜJv£Â3Zˆf3ª›GÊN2e5I–õ…à:™étô úp¡ìÛ½—­øE«¬BŒÕ€…"ç”Otݪø±øý÷’9«ÕXÀÁäæP 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crlÿ0  *†H†÷  ‚`ût˜íñâ]žËdÑÛGJT;vãöv붠·/c!y9ü7¾Pv´Y±ÐŽ¿f€Òž@šcè‘y}¿NíÏÏüç¢TÔ"G„ÍröÏÑçR*äe€fIù±Šã¡kX`Œ=î:%(Ë\·n(áMhÜ#!Â÷mבG¬LýIÉ  ‚Œ/=ûìêÆZlƒWÄIpÑÔRÑ~&·k9œBðëZ`ÇÅ¢äŽRöÚR{ð³]ß~¦£p|´ã­WI¢÷¦ õÅ%ÌôP÷ ÜÀ‘´:Ç2®þ/ĉhùÍKì·þ‹’”RB﹂Iµ}ýJ›bCþU…åa°"././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/interm/interm-some-revoked.crl0000644000175100017510000000104215161577363033341 0ustar00runnerrunner0‚0‚0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA20211206000000Z20220105000000Z0 |0z0 U 0U#0€0ô=σÉvÃÚyh²mìâihÏU0JUÿ@0> 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crlÿ0  *†H†÷  ‚#걧¡—¹Ê‘—}Èu^rÈ\w: øÂw)ÍñF¿µ¤–„Æ°Ìí…G,Le«'³"P€=ÂÕw¬r¨=mä”YjèW !ÍdfxÃm]Lý¯ˆd”ÚÂÞ&ëÀÊdÅA_äA­áéeœþÇGÌG91ù\e8xή Y§KBþ¢©ÂMÄ÷þESÿuôzxÃUN?Úú[?u¼Ôç[ è¹æ¬ýÅx›`çrѧ¿„ÙG ça)K˜W¦Ê§c / ´&Ç€·^Ö|í½ÃBêêþ/5Z Û'SáûüÐ CôJZ¸.@€nn&é xܱ$Õ!*qM././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/interm/role-aa-crl-issuer.crt0000644000175100017510000000201615161577363033065 0ustar00runnerrunner0‚ 0‚ò 0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  000101000000Z21000101000000Z0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer0‚"0  *†H†÷ ‚0‚ ‚¼œt"wfÑ $B½SóŒ¬n8.}ƒÝ"ØgÓ ÝçSã〫¼ú^Û³Ñò™%¼G:’¾J\euÙI7HR>P¾üÙn`8d¥‰¡q˜ÓO,=cù¬5;'Lú6Þ8ü`„Yp¶Ú™aâìÔºçwwÀ%ļ ÁsUðcÉ«—ËPâ‚í"€¾EvN§?0£‹ÝùôUù0åöª-tµIÖÕL&âƒ[»Ï¹™ Z¼û@æ!›,Žˆ¸¨zj;ÏÕ-Ö©5°a˜!²XÇT±¢ñ^b÷¼l®ÓÛ~Þ¤(0×ôØ*ÁxòÀNi)N‹ÿ]}ð(œð³+ù£ë0è0U©ÿÖœŠ t'znau“ZzÚ¦0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ‚0FU?0=0; 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crl0N+B0@0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0  *†H†÷  ‚Lˆr`â8Ó„÷Xû÷XÉkf¤y}ÚSíÿxÒ‰ìðKö9îCB…Km9~Ú¼ñhÞz£{Ó+V¦U6£áÔ*3ŒLu+pò„.Ð2ÕFSº†›á£WÜR®µ\Æï šÞ·ñ%KO°û×á<Àúœ#ñç”-„~gN˜†™L‡‘M3Q1ðVXß(O…“])}7jjŒw*©è~înZñÎwýÛ²q¸;˜r<Ãܵ˜!8+ÊmüÉdŠE2¬É’·eU]¦?öBEœƒ¹®Æ*–5Œ ³•sU-¾{ý=Aš œ@Œ3¿z¦—­ÇòþHiËÄ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/interm/role-aa.crt0000644000175100017510000000204215161577363030776 0ustar00runnerrunner0‚0‚ 0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  000101000000Z21000101000000Z0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0‚"0  *†H†÷ ‚0‚ ‚×9I]+ct†¹‹:$öÇ’PÑíÛ1!䃳¥*ùSÓ—$¸€®˜ |ËåïŒù#… ~ုV-lnfŸNc¶þB–Þå–²¥Õé{àF ,!] _ªŠLú¾x¯!–íæáÕw®^ŸKÿM!m•&î¡ÑâÌþ˜Pd¥6—UzW˜ê!›y´“Ö¹÷G»tQëÿ]häŸû1²”Ê[PÁÓ=ë ~ᕇÖìÃm ‘g˜xeˆ¿¦£X˜é±‹5 ûé r¦Ü*oÃIU:Kò9(Š¥‡fû„öõ‡òl\Ê2ep)IÂ9Ý8NóšN³Ûô¨£‚ 0‚0Ué—ÿF‡fô‚xXýû4Ô}L0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ‚0FU?0=0; 9 7†5http://localhost:9000/basic-aa/crls/interm/latest.crl0N+B0@0>+0†2http://localhost:9000/basic-aa/certs/interm/ca.crt0+ÿ 0  UH0  *†H†÷  ‚:Jæà&•¡mZw) Õ(eËðþ,–zi$$ó‘ê[ì[—Øó;qvø§£‹Æ©`‘õz]%Ø‚¦éSšÂÎY¸¿-Ê°âcû äá7›‹.¬”òȽdÉßmëI-{¢Ú:%©PÒu/°fÁ‰¢;£è–W÷cÈ«iÿX^Éi¹ òI’ùŧe?H“yXýyH6:ÓñÓÊ; %0[Žý‚áy±” îtŽ³¾îïÚØpj%.›Ù=oy…¯õgA»@^ôœ§Å3®uÇËeÅ>š aÃ+¢ÅbÈö®}×þö«Ü€áÚœ»†´*¦¦™Yigªé´·4Q_SÜg†ÓÃ3%././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.140727 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/people-ca/0000755000175100017510000000000015161577372027315 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/people-ca/alice.crt0000644000175100017510000000156415161577363031112 0ustar00runnerrunner0‚p0‚X 0  *†H†÷  0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA0  000101000000Z21000101000000Z0T1 0 UXX1$0"U Testing Attribute Authority10 U People10 U Alice0‚"0  *†H†÷ ‚0‚ ‚º¿åŸ/-| hbÑOúÒMiÊN>Y–DW_%·ÈñÑ#ÀG?pWuº½FG={ad«‘f< üˆÿÍ'a ¬uœuZáô5«ƒ×Kó"†Jªß¾×U|LŸx[ZƒãûÕEñ$Ú*½15›Ø1jÔŽè¹hYüצ–N¡•Ö ›ÿk%Œåx£àµ*}@‡éЛÕĺ·3kã†8;½ÖÉÄvÂÀ; >ßRÆà„—m›åpP¤T×xlé-Ùvªë@»ã¥hsª„}6ùæƒ8,úMFî=msœ, d¦`Ü|‰ÄÇŸ_þLëÕiÜ™þôáA„ÏØLzÙ£R0P0UZDÔ[]ˆ{ðësx—6²ÀÙ¨0U#0€ÔqFIíºûgü¾ð˜gÎÇf„£0Uÿ€0  *†H†÷  ‚GÐ&•ØÈò¿ÅUVHñŒR¦·~Š„Œ¿uÒ’ ‹À¢‰Ð¡g(Žö¨‚€û•:{×|â™ãqAG0}®+‚#¸5Ž=š%Š^ãî%{ŒvŒ tó’vÉ+fWFnѦ¬dLuÇU~¹ð ÆTj"Gx5Uâ¬Úüwð4àgA–b¨øÉPv5†ë]+9Û²Ušÿï¥ar©R—qk;Á‘_“V¸Þû©Ê\ùΡ·ÀîBù.þ9L'„äX?Â#Êô}E‡À……î²}ãšÂì&Aé SÛŽïQg||6Ú®?½7laÜqÇí7Íö%»%úòX\•Ác././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/people-ca/bob.crt0000644000175100017510000000156215161577363030575 0ustar00runnerrunner0‚n0‚V 0  *†H†÷  0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA0  000101000000Z21000101000000Z0R1 0 UXX1$0"U Testing Attribute Authority10 U People1 0 U Bob0‚"0  *†H†÷ ‚0‚ ‚Þ =qx‚Z<è™q즶Ë1»ÃÚjÏ‚û‘]t+TîÇ°_Âàé]ì¯;ˆ§ÊêÍO„pö‹V%Lª°QÉh`8BBÂ@xOþÓöd5$»}J30 :ºÌ}Amu…09ÕjÜÌcæï8A—£„’«À·p3hõÙO 7ñNˆÁƒ©ª7Pÿ÷;Q^]¨§â\÷½U‘à»'š%ÚóÌy¤ ½q°êÁ½ðÓš“-lë$™@ ªR§W·i·î¥–sÒ@„K-ätØš.A Ïæ«"5’Dw¶§¯kŠ¹ÆDýï÷ø`zÑ ôóÆ+ëò({7Òå£R0P0UýkÞXRÁ$ÈЗ©¥â±dÅ&€0U#0€ÔqFIíºûgü¾ð˜gÎÇf„£0Uÿ€0  *†H†÷  ‚_ Ô…±p©IÖãf?øºè(·:­ 5ãIgŽNÉ_﬈¦7‰9ÜóüØ8íý¸Ðª‘yfB!)Õ1÷…»7)´7Ûh÷É‘ÈK뮂:«­“mK<ð™ÙÝÒèêgçÊH®òý§Ázê€(³UÔ*PЀVÏæ×퉛“CtùsSŽšÛaðk~œX²'Es.fy…F I«û3ôÄ1ƒ'¼€.-Yqoþ¹;8›ÈØb¡tžL¶Ú«\¡ý|ªŠüQwæ"ǃÈr–îíÙãýÍ!V] Vå;á ІÿãË+z¼bQ½x¤¢—ùDðº.ü:././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/people-ca/people-ca.crt0000644000175100017510000000157515161577363031704 0ustar00runnerrunner0‚y0‚a 0  *†H†÷  0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA0  000101000000Z25000101000000Z0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£c0a0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€ÔqFIíºûgü¾ð˜gÎÇf„£0Uÿ0ÿ0Uÿ†0  *†H†÷  ‚¥…‘Â-_w;h?^g½^…¼Xûv"HEå%Í3ožó˜`Ô¥öQL¨tTÄ\”â’h¯t(˜×@gÔE^–+ù€ºº¢5átîÈïw£:ºI¢©x¡ætxÈŠó‡å[Xm–­t ž©ÕV€ Úß81ûfT3¸Ò)ªx˜•X)¯NDÑÐþ[¹ÛÑÉ!‘È=u…eK×Ö"~ÌzdeeIèw ?Ý4™™Ã[Ec—¬fµçá¶u¾^G0*»}OîAGeŸ£4-ª™·ðº5J<Þdµ>ýä6üQ}ÝŠäãhÚÃÂZÐ÷à¼ûª·>-%!·Î&´././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-all-good.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-all-good.0000644000175100017510000000101315161577363033212 0ustar00runnerrunner0‚0ð0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20191117000000Z20191217000000Z0 f0d0 Uò0U#0€©ÿÖœŠ t'znau“ZzÚ¦04Uÿ*0( ¡0U AA compromise DPƒ€„ÿ…ÿ0  *†H†÷  ‚CÝRýìWú“;Ã0;õJ¾ˆ{¾ÜæÝ/$úðt“b„ëžpÔ@¸Ecq ˆÌ½Èæ-7/‘= fJ¿B¾`kdËÐkÖüH×¹NuÅ€P1¦œß‚ЮÒ௱—=涛Á£¤´ÕË•åãû~©GêpÉP;Lïë Ì`míóáã ‚&5£x·Nz=ØTïÿÅ mÍå3' è©/«Öåðááíc|­m:ïò|êÑîëÙ­»µþô´³>à¿¥  Á/]!{[ Êà:^¦“ ›´TŽU°Ð³Ä‰õQ4Î;rÃä4 ù^t­^•d¿-–ÈÜïñÑ ê>!D"././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-some-revoked.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-aa-compromise-some-revo0000644000175100017510000000121015161577363033351 0ustar00runnerrunner0‚„0‚l0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20211206000000Z20220105000000Z0|0z20201201000000Z0c0UUÿK0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0 U   f0d0 U 0U#0€©ÿÖœŠ t'znau“ZzÚ¦04Uÿ*0( ¡0U AA compromise DPƒ€„ÿ…ÿ0  *†H†÷  ‚O¤@CcÛWöë'´$¸®‘ø ¤(ò1ƒŽÇ¦/ÉFml+{Q¼&‘ÁÓE<ì‹hŽQšõ‘uÇú¤#ž›r]—”ï¨"­u—ÔëogŠw`|#Ðñ[WL°+O8 Âº³•§e½á´úû-Äî_¨ÏÿIƒú°; ¯fÓ=mœ\ÕTÌîɺÙÖ³|gX¯ÙÇ5Œ9Ö["åÌOÿ€¯ØzÝ2” ÑjÞ‡ióDµÈØЙ%ë'w€Wp«·qWb‰§ÝÜ÷/1Ôm ‰2X5MaºIíôéXxÔËœXä«1óÈž:U^^ë‰Á1ÊÑoæ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-all-good.crl0000644000175100017510000000102715161577363031166 0ustar00runnerrunner0‚0ü0  *†H†÷  0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA20191117000000Z20191217000000Z0 }0{0 Uò0U#0€é—ÿF‡fô‚xXýû4Ô}L0KUÿA0? : 8†6http://localhost:9000/basic-aa/crls/role-aa/latest.crl…ÿ0  *†H†÷  ‚ï*6e2ãO‰Õï‚tÝ $Ãö ¹˜ó¢ Ε^ÆêÈʗĵÈ\ZfªVO!NÎ>‹ÌÀ§ZÙ˜íJ³P]^ùö/4!ª”ýí” ùÅçßá‰Δõxñ–oÕãìµ2jÒî¯âµ|>ÓINÙôýÄ֪âbWqáɔɋÙôñÀdˆÔG¤CÞÛb»w¦ %^ßK././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-nonaligned-name.crl0000644000175100017510000000101115161577363032515 0ustar00runnerrunner0‚0î0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20191117000000Z20191217000000Z0 d0b0 Uò0U#0€©ÿÖœŠ t'znau“ZzÚ¦02Uÿ(0& ¡0U A different DPƒ€„ÿ…ÿ0  *†H†÷  ‚¼ïÈMwð…1Œ6†;M!öÖ„-~ ×›áæù©mi¼êC寡u·L켬þ0Ç¿Û<Ù# ?ù&yP<¬zÍ3rëx˜î¢cŸ˜˜®pe­÷aª]»Û_…¦½§’/ðV…Z,88±=m†¥ü¶f''e[´v8g=í\6?ãºSXB/2ÙÝ"¥9t9-.RSŽì¹²”ÁqÖþ@êìˆCȇ0¾þè—érbv ƒG¾ŸÝ­Bãøäb]¨-ïO›ÃMdÜ)ZˉR#NsÝʽ\—ß´‡#¥Õ$)dËá"ISš°Ât3ºHqýÀˆ ‘ôÍÛ././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-nonsensically-scoped.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-nonsensically-scoped.cr0000644000175100017510000000100415161577363033443 0ustar00runnerrunner0‚0é0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20191117000000Z20191217000000Z0 _0]0 Uò0U#0€©ÿÖœŠ t'znau“ZzÚ¦0-Uÿ#0! ¡0U AA nonsense DPÿ„ÿ0  *†H†÷  ‚ƒÑ*û6Eµ€¹ôüGØ®ñŽW4^g#¾á¢Q¢Û píÐrZPµ²Æ0†dõ¿=DwíúáV(Í?°‰t’@Á“µ<ý+IDÑ+Úƒ>˜½›Ùñ¬°i7ÈPŸÊ1æßc‘^Ló9µ$\]:{o‡æ¤Š…I/øºÀ ¨Õ6B³N”?’/«lãW‘À’$Кa tìè8†þ÷ƒ;aóÓðn“Í©™ÚÉdÆ’%Üsɯb;¿‚ƒ)¼²)ß{Ý*ÒA~aÝ$˜_\€âèð¹ A &H^"šäŸ=‰ÞaØ×úW˜Âyþ”Á÷”÷.4–§féi»rœ././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-all-good.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-all-good.0000644000175100017510000000101515161577363033251 0ustar00runnerrunner0‚ 0ò0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20191117000000Z20191217000000Z0 h0f0 Uò0U#0€©ÿÖœŠ t'znau“ZzÚ¦06Uÿ,0* ¡0U AA other reasons DPƒ„ÿ…ÿ0  *†H†÷  ‚hÄT3b_y¸l' °íÖsŠW‘.øåLëÎ*ÌDRýàY–‚ßm ‚#â7ý¥³ÿ¦}—º )6¼Cwiƒï ¸²RØi¡1£©Záº^ÐP+¡ö÷ú×÷i¤ ‡˜lW¦@«÷º~º1( áÚFkëÿëñš…\“(`ÝŽ~]?‰c%lCîûÊ¡Ëàç]§wm |ú߶­¯jXlË*¶ç)­Zx$ÓÁùŽ×ròÀ´!õQtÿ ó*ï쮧©ø>¯/†4ïÕ¬‰Èc “IÓÉ¢5ñ á ­¼¡ ü\/<3æH­4j±qÖ§‰H<§s././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-some-revoked.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-other-reasons-some-revo0000644000175100017510000000121215161577363033410 0ustar00runnerrunner0‚†0‚n0  *†H†÷  0P1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA CRL issuer20211206000000Z20220105000000Z0|0z20201201000000Z0c0UUÿK0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0 U  h0f0 U 0U#0€©ÿÖœŠ t'znau“ZzÚ¦06Uÿ,0* ¡0U AA other reasons DPƒ„ÿ…ÿ0  *†H†÷  ‚£'GZñcÞ¹ÓtËHÌ’®ªÝI>n×(·P´‰'ÿMê¿£NìJÊdö6u*v¨ÑתôÑÙ¢<«Ò> NÄ9‹ð/Þy4A}UÄ”aO…Ž/ªç¦Gi8Ô×Ãçû†¨ã/á³ìFÚ”vDP‡ÚÎ H¼¤3—…~»µ\Ó;81áW•Ö‡o:€0ImŒ`Äd;ß¾zŽŠb› YÒ¥$éíûÚÞÁ #\HÕ#€û‰ç†>Ê("X£_Å»ÑÂÖ?\ Ëåªi8‰¯oþ“ßsgž-›!©„Žá“J<·%RØ÷”7®|ìaN8ÒzAQJ  $£ƒ}¢”././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/role-aa-some-revoked.crl0000644000175100017510000000114215161577363032066 0ustar00runnerrunner0‚^0‚F0  *†H†÷  0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA20211206000000Z20220105000000Z0J0#20201201000000Z0 0 U 0#20201201000000Z0 0 U   }0{0 U 0U#0€é—ÿF‡fô‚xXýû4Ô}L0KUÿA0? : 8†6http://localhost:9000/basic-aa/crls/role-aa/latest.crl…ÿ0  *†H†÷  ‚A;ŸÀ£Û6w\½¶ì:ìL¸÷ÀåA-Éñ6Üp¦‚‡ À‹ä³(c„–Òb#H£zç¤Ü§Þô–ëx¨oаÓ!S ¯ù­ÿž¶à³‰èl§yt/1ÿ·:rªL`Ïa`}Š¾ÑÑ |×1vºÇÿ¤f? &HRÊlÖJaWR¿\þ’¶ýk.Ù:ôùšcøú‚F·j»P`ß‘’J»£Î˜?f'ß¡SŸAfE!.ɳ6‰ÿ€™údßTÈJÊáµìV^æ”'ÞÜmÑM/„L]¥ØfÓ¯ÈÚ#¤äÃãdS.d~…(ÎÙë«ËQ¿­ í m…¥±‰©—k;Ê°././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1429167 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/0000755000175100017510000000000015161577372026433 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/inbetween-aa.crt0000644000175100017510000000175415161577363031513 0ustar00runnerrunner0‚è0‚Р0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA0  000101000000Z21000101000000Z0Z1 0 UXX1$0"U Testing Attribute Authority1%0#U Inbetween Intermediate AA CA0‚"0  *†H†÷ ‚0‚ ‚Ö¨ä7{ùšR›…ÄZþ)ÐyÄ‹¥N/†¿o#ÉKæ¸\³7þbÇ»a‡»ñžì0X'7& 0~à ³ÎŠ^²¯r§”Ÿ=ÄÒ8X=¶52¡kûœÀä…eâf¼Ó4| ã°TÚ¯Kµj0 à ø߉øgÁk[ÞŒüü£°¢mè蝹N.Ò½7–‘ðɘžî‹úilN%R˜è¯¾ÄÊ¥¸³òËä2L÷q`˜•CLZ/§Fà`”ó(…™ÅtGwžr’šãy¥þ2óÔ›¡È<Ñ „'`µL®gÉËøCV+êU\Þ¦I{æ3nç¤û¾†RØiC 2å£Ç0Ä0Ue¾U(1Ñ]Qb§S’qjŒ ã0U#0€½÷ÿHýXóÜÔ¡^6a ?0+ÿ 0  UH0Uÿ0ÿ0Uÿ†0DU=0;09 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl0  *†H†÷  ‚ œ‡µÇ0Ï Ù‘‚¾™4-ä_Av¾wöxZ—ÍÕ 4g’­01*6§5›5$ÆE™NÍç1W‚ª˜Çè¯åè…ÌÎ#C²n€þO²ëö&{þª7D¯#±ý;ƘYì¡cÖ&õaºwo:›ÙY§¬©-ÊjÏ‹4lŽ`xÌù9ݨ>sxMñç:ã…m’/ͱ߱wòÝl(´’Ð4t¤t'¿;)#Sâ/Á_•£Nw·‘• $wðŒ`Km‚u‡¦'[ÒϼsÐEÐ_Þºˆ^(¿nefîåu¼ãg·ä‚Ds+ ÉhOp±èÓñL´—¶À.÷m–Ó‰¥&8././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/interm-role.crt0000644000175100017510000000174215161577363031406 0ustar00runnerrunner0‚Þ0‚Æ 0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA0  000101000000Z21000101000000Z0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£Ç0Ä0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0+ÿ 0  UH0Uÿ0ÿ0Uÿ†0DU=0;09 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl0  *†H†÷  ‚U¢þ2rÛ—àóßù6ƒ•Y†%¿u,ÉŽæ €ý{ÀH¡ÿ-23ÔFúâYãaÊRÆã²ò¦6‡iÈ7‡/F%–]Y„F²÷ö•e »¼×Gº,Á–·³Í$U0' ƒ÷Æ‚<4ù[.Ú=;žxbi×Öæ^Ànƒ—õ©ê²åè¤_+²T×D¼n}[ïi ëækƒ]!j\¤jʧždfv²ß‹€ý©Báùi;&f’Wˆ{PÓÀ’æðtM)ÇP>D‹4SÍÕÿQŠ^cïÔ4çy@ÖÓ}´ÑëÂy'ÿ*#Bï{½[%t’Òþ¶äá±%././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/interm-unrestricted.crt0000644000175100017510000000170515161577363033157 0ustar00runnerrunner0‚Á0‚© 0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA0  000101000000Z21000101000000Z0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£ª0§0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0DU=0;09 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl0  *†H†÷  ‚ r=G<þ2=K\›ºàÞ;Z‰ZˆdM{§° kõNݾâ)ÛW]üí•×D¾Oíwà¤òÛ¦Ô,’Mô)¹b¶Úþ\é…‰g„>xW+I';¦T X(쇉¢¤|¦°Iô‰nñ~ Á×w= ZŠiu#Ú{˜´ŽJìîM²dCÍ<œ «k±JJ"Bv{¯N€6±bdÁïßß mHpKçηšj°œŽº{¸Sul]Q)°ŒV‘Ïë7ýàTêá­Hyÿ—"0ˆ€Ø©µ0ãDèÓxRŽí<þ½ÍTMÚø>RòÒ{'gæÎó²sí•#(žÅ¸õ¡Œèæ.././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/root-all-good.crl0000644000175100017510000000102615161577363031613 0ustar00runnerrunner0‚0û0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA20190918000000Z20191217000000Z0 y0w0 UP0U#0€½÷ÿHýXóÜÔ¡^6a ?0HUÿ>0< 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl‚ÿ0  *†H†÷  ‚#ËŠ ز?ùu—º­,Ñ5À/ôžŠRzU ”ažvþK-ðg7ê½ a;Οò»OóNWÜ×üU>°‡Œ©Ò‹ôk:A7É=2{-„tÏÂÄ)aá|N6Ür6ÂISüKi±Ž1§Mˆ³ªT=D'®REz2u6‡yÐè¡ÐZoÖ~ïd“#‡ò¶jy ÔNàå´ Ï {é8ëßrþQt¶ÍEåÙÞG—//ÇþM’Šã#];£±P8ˆaþ÷Ó*ó°ŽŠXäìýšÙùœ²Ãîy»¾'">›Eh‘¼Íø©ÇÜ‹¼ly¸bàöH‚Ý/•h././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/root-some-revoked.crl0000644000175100017510000000102615161577363032515 0ustar00runnerrunner0‚0û0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA20211206000000Z20220306000000Z0 y0w0 UY0U#0€½÷ÿHýXóÜÔ¡^6a ?0HUÿ>0< 7 5†3http://localhost:9000/basic-aa/crls/root/latest.crl‚ÿ0  *†H†÷  ‚|»OäG «›Ý[>æPÄdCXáÑôuô€Æ3ù7]ˆ†y&òGð·b]aZ‘k ,& e‘hüyšÚ/&:\Ģ県%Ññ¯ò žG¥70±^®cKÖøOÒL÷ö€¬:“FЯêëš’³±"e‚šÒ€‚!5r½_k²êQCÄ»£åæO³Î„Ôöã£"l7¿µf™öy—Ò³MËÙaû*?Üø˜5d— x×?ì«U.|Z ïý9US‘á¹ÔÓKÖöäqØâ6~uàðïFº›!5ߟ…@¯2Ñm´i8ÂY¼dL¨"¹ÄêÌu4ù1oo’Ð././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/basic-aa/root/root.crt0000644000175100017510000000156515161577363030137 0ustar00runnerrunner0‚q0‚Y 0  *†H†÷  0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA0  000101000000Z25000101000000Z0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA0‚"0  *†H†÷ ‚0‚ ‚­3ÈBÁÄLRÝšû姿D'ÑE‡*=ëõÇ$o&Ûè¹T7>qkdb××ñ2gétWéPGå­ÿsêXŒoþÂÜ 7߶¤ç$‚Ý´a¬VüÕ2ˆ¡ú}@/™5+ô«!^f-7yê”çþóU¦œ/­{¶42´‡U~ oNxoä:aÀêá<ÔÎãîÈ¡Éæǵè'][1õ"G÷ÌÞ‹B×E"jº _‘ÝÏ•BŒöü(R’µÇr´¼±¤½o##k¾‚äo ‚Êx£pœv-‡ÖÄ¡ÆXÓeø_g„¢ÑÕ3­Zû”ÎŒÿµè<ï_f?êóst[£c0a0U½÷ÿHýXóÜÔ¡^6a ?0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0  *†H†÷  ‚­ò×/‚qÍ™3MJ5£† ¯×ÜñY¼™£ék¾K£þ¤¶¯ü*¾ŠÝcëÒpÏ ªX Q %K³?ï21U³\ç0<‚Ÿì´epÙØ>`_¡Q#£åæ„£ x_7뽦ò¬²ÿiç{†%VBåaË°±=ÞñyÖ:∧&| õy”ñ3VŠ0©@)¹Ä•ñO0ëºLYäU³`ƒs{%4h‘MÊîHTô1Ô*Èñ…S.$¹—ÊF :èÊ-RëƒvôáÐŽÝDŠÌ7,7(‡ü÷ßâ(Qö~jC¤­œƒ*9"£;Ü%Èò žvj‰všÊò³\3M<././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/certomancer.yml0000644000175100017510000002776615161577363027057 0ustar00runnerrunnerexternal-url-prefix: "http://localhost:9000" keysets: testing-aa: path-prefix: keys keys: root: path: root.key.pem interm: path: interm.key.pem inbetween: path: inbetween.key.pem aa: path: aa.key.pem aa-crl-issuer: path: aa-crl-issuer.key.pem people-ca: path: people-ca.key.pem alice: path: alice.key.pem bob: path: bob.key.pem pki-architectures: basic-aa: keyset: testing-aa entity-defaults: country-name: XX organization-name: Testing Attribute Authority entities: root: common-name: Root AA CA inbetween: common-name: Inbetween Intermediate AA CA interm: common-name: Intermediate AA CA aa: common-name: Leaf AA aa-crl-issuer: common-name: Leaf AA CRL issuer people-ca: common-name: People Root CA alice: organizational-unit-name: People common-name: Alice bob: organizational-unit-name: People common-name: Bob validator: common-name: Validator organizational-unit-name: Validators validator-group: organizational-unit-name: Validators certs: root: subject: root issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2500-01-01T00:00:00+0000" extensions: - id: basic_constraints critical: true value: ca: true - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature, key_cert_sign, crl_sign] people-ca: template: root subject: people-ca issuer: people-ca alice: subject: alice issuer: people-ca validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature] bob: template: alice subject: bob interm-unrestricted: subject: interm issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" extensions: - id: basic_constraints critical: true value: ca: true - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature, key_cert_sign, crl_sign] - id: crl_distribution_points smart-value: schema: crl-dist-url params: {crl-repo-names: [root]} inbetween-aa: template: interm-unrestricted subject: inbetween extensions: - id: aa_controls critical: true value: path-len-constraint: 0 permitted-attrs: ['role'] interm-pathlen-violation: template: interm-unrestricted subject: interm issuer: inbetween issuer-cert: inbetween-aa extensions: - id: aa_controls critical: true value: permitted-attrs: ['role'] interm-role: template: interm-unrestricted subject: interm extensions: - id: aa_controls critical: true value: path-len-constraint: 0 permitted-attrs: ['role'] role-aa: subject: aa issuer: interm issuer-cert: interm-role validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature, crl_sign] - id: crl_distribution_points smart-value: schema: crl-dist-url params: {crl-repo-names: [interm]} - id: authority_information_access smart-value: schema: aia-urls params: ca-issuer-links: - repo: interm include-repo-authority: true - id: aa_controls critical: true value: permitted-attrs: ['role'] permit-unspecified: false role-aa-crl-issuer: subject: aa-crl-issuer issuer: interm issuer-cert: interm-role validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature,crl_sign] - id: crl_distribution_points smart-value: schema: crl-dist-url params: {crl-repo-names: [interm]} - id: authority_information_access smart-value: schema: aia-urls params: ca-issuer-links: - repo: interm include-repo-authority: true aa-unrestricted: subject: aa issuer: interm issuer-cert: interm-unrestricted validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature, crl_sign] attr-certs: alice-role-with-rev: holder: name: alice issuer: aa issuer-cert: role-aa attributes: - id: role smart-value: schema: role-syntax params: name: {type: email, value: bigboss@example.com} validity: valid-from: "2010-01-01T00:00:00+0000" valid-to: "2030-01-01T00:00:00+0000" extensions: - id: crl_distribution_points smart-value: schema: crl-dist-url params: crl-repo-names: [role-aa] - id: authority_information_access smart-value: schema: aia-urls params: ocsp-responder-names: [role-aa] ca-issuer-links: - repo: interm revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise alice-role-complex-crls: holder: name: alice issuer: aa issuer-cert: role-aa attributes: - id: role smart-value: schema: role-syntax params: name: {type: email, value: bigboss@example.com} - id: group smart-value: schema: ietf-attribute params: - "Employees" - "Team FooBar" validity: valid-from: "2010-01-01T00:00:00+0000" valid-to: "2030-01-01T00:00:00+0000" extensions: - id: crl_distribution_points smart-value: schema: crl-dist-url params: crl-repo-names: [role-aa-aa-compromise,role-aa-other-reasons,role-aa-nonsensically-scoped] - id: authority_information_access smart-value: schema: aia-urls params: ca-issuer-links: - repo: interm revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: aa_compromise alice-role-norev: holder: name: alice issuer: aa issuer-cert: role-aa attributes: - id: role multivalued: true smart-value: schema: role-syntax params: - name: {type: email, value: alice@example.com} - name: {type: email, value: alice2@example.com} - id: group smart-value: schema: ietf-attribute params: - "Employees" - "Team FooBar" validity: valid-from: "2010-01-01T00:00:00+0000" valid-to: "2030-01-01T00:00:00+0000" extensions: - id: no_rev_avail alice-norev-targeted: holder: name: alice issuer: aa issuer-cert: aa-unrestricted attributes: - id: role multivalued: true smart-value: schema: role-syntax params: - name: {type: email, value: alice@example.com} - name: {type: email, value: alice2@example.com} - id: group smart-value: schema: ietf-attribute params: - "Employees" - "Team FooBar" validity: valid-from: "2010-01-01T00:00:00+0000" valid-to: "2030-01-01T00:00:00+0000" extensions: - id: no_rev_avail - id: target_information critical: true smart-value: schema: ac-targets params: - {type: directory_name, value: validator} - {type: directory_name, is-group: true, value: validator-group} services: ocsp: role-aa: for-issuer: aa issuer-cert: role-aa responder-cert: role-aa signing-key: aa is-aa-responder: true crl-repo: root: for-issuer: root signing-key: root simulated-update-schedule: "P90D" crl-type: ca-only interm: for-issuer: interm signing-key: interm issuer-cert: interm-role simulated-update-schedule: "P30D" crl-type: user-only role-aa: for-issuer: aa signing-key: aa issuer-cert: role-aa simulated-update-schedule: "P30D" crl-type: ac-only role-aa-aa-compromise: for-issuer: aa crl-issuer: aa-crl-issuer signing-key: aa-crl-issuer issuer-cert: role-aa-crl-issuer simulated-update-schedule: "P30D" crl-type: ac-only covered-reasons: - aa_compromise distribution-point-name: relative-name: common_name: AA compromise DP role-aa-nonsensically-scoped: for-issuer: aa crl-issuer: aa-crl-issuer signing-key: aa-crl-issuer issuer-cert: role-aa-crl-issuer simulated-update-schedule: "P30D" crl-type: user-only distribution-point-name: relative-name: common_name: AA nonsense DP role-aa-nonaligned-name: for-issuer: aa crl-issuer: aa-crl-issuer signing-key: aa-crl-issuer issuer-cert: role-aa-crl-issuer simulated-update-schedule: "P30D" crl-type: ac-only covered-reasons: - aa_compromise distribution-point-name: relative-name: common_name: A different DP role-aa-other-reasons: for-issuer: aa crl-issuer: aa-crl-issuer signing-key: aa-crl-issuer issuer-cert: role-aa-crl-issuer simulated-update-schedule: "P30D" crl-type: ac-only covered-reasons: - key_compromise - ca_compromise - affiliation_changed - superseded - cessation_of_operation - certificate_hold - privilege_withdrawn distribution-point-name: relative-name: common_name: AA other reasons DP cert-repo: root: for-issuer: root publish-issued-certs: yes interm: for-issuer: interm issuer-cert: interm-role publish-issued-certs: no ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1446066 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/0000755000175100017510000000000015161577372024763 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/aa-crl-issuer.key.pem0000644000175100017510000000325015161577363030724 0ustar00runnerrunner-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8nHSQIndm0Qsk Qr1TG/MTjKx/bjgufYOB3SII2GfTDN3nU+PjgKu8+l7bs9HymSW8RzqSvhJKXGV1 2Uk3SFI+UL78B9luYIE4ZKWJoXGY008sPWP5rBE1OydMG/o2G944/GAFhFkXcLba mWEEHOLs1Lrnd3fAJcQHvKDBc1Uc8GPJq5fLUOKC7SKAvkV2Tqc/MKOL3fn0FFWd +TAOAOX2qi10tUkO1tVMJuKDHVu7z7mZIFq8+0DmIZssEY6IuKh6ajvP1RQt1oEF qTWwYRGYIbJYx1SxovFeYgT3vGyu09t+3qSdKDDX9BfYKsF48sBOaSlOi/9dffAo nPCzKxj5AgMBAAECggEALuKYkjTTKB6abazeedCmk+tB/Rplwl7GiEtzWK4M3xih d83xhh338w3s8yHn9G2wBPXS4GP50XzW5tz495JViXKSiz2bRfYc4SsZwFT+003h 7j4jgk7M50XZXrDMudMjIljQOMbdy7cj6UK77GUO3u8BuCTJQp1QtdikwHn+RCcq qTqvfyxq17tgFG3jA4d8c9gFwdQeTnHwPhnjkc9dvy5AL+I+1gbX2W+CQLk3zNF3 rsJRf0Eq957vktoaSvtCdkfQNrIwK2xlzyzMgZJh4EOB+be6O2jvlyZAkE2hTTDZ vV/dQwlOUG5CRvHCtQyELkCwiDC6f6LKZFZu6bbmRQKBgQD31d0tidUZKvek2Mzr 4cdeFT77R9Hwp+BiV4T9+i+iXNg89yRe3IZxLdzFA2G+7UGcaVKlDu7b8MJUpQh+ CkkdE7XV36DFkhpY7voega6/HZKVGmoFhwbY3PA9iVwtgbYR1jY1iyMjavdrrDBf rLwBltxJAzImcnvinsUiXjYdrQKBgQDC0x6opHWRRBfULBsEMR43+LVnitgiiohM w/yYENMvKAEBOkitoXO81sABmF1tN3EMDxNGeJdDUniVbTn0xOt7PR8If8C7p1Gs 18iASIc0MxgCrfc7b3c2DOuKCS3Qq6+bQoP9tiKe39PPHtAm/cCkpLAPJLnUQs0g uiN/BW15/QKBgQDacOH11VrCSCDmZ0CXV/WFc2yDxpXAa/dWNpW91dpOXU8qzRp9 khndf/Lqo0RwKGaAGkUBvtvBd7+RI7UMgrxWqJzI2ca23UPjxx8l7F+9i687RIDW RmE+m94UHxHj+kQkDI7TOsPJ3+ocOTSZ34IGVJXstKhrQtT2tcJDvI4uMQKBgQCb MrE2qKQbT4In++adpT8sWUyxKhLZGUBQ3sNmo+iHpTd/sd1Zq8bWBMC5xJWQPl0o vQ2e0su0zorOhk9n5EKuTtdc3uA63KQcq1zGjIBgHd+fqtPLHhV6EjrEIGHF3C6s 4QTiZGgZ5bYGRcaNeREwVx0FQz1hkMF1s7I5Kqq2RQKBgAfgSqmLBpdCIxAzPWb1 BSIVvIksWUzSMQ6A670E5/FWu7d8GjRyUcw4vdLDmYSXhVU2E7kulspYGXF6dLgh uYKy2nhSHoa8TgUpv5KVJKJkO2UQ6sTIpzYjxbNPA60gc+Csdup7xd8bYg/cYjUp xdjXHFwPBjoD5H6HZQJt+uCK -----END PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/aa.key.pem0000644000175100017510000000321315161577363026635 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA1zlJXStjdIa5izok9seSUNHt2zEh5IOQsw+lKvlT0xYclyS4 E4CumAp8ywHl74z5I4UEoH7hgK8fVi1sbmafF05jto/+QgOW3o8e5ZaypdXpe+BG ICwhXQmBXxyqikz6vnivIZbt5uHVf3euXp9LHf9NIYFtlSbuodHij8z+gZhQZKUT NpdVelceDpjqIZt5ErST1rn3R7t0Uev/XQNo5B0Qn/sxspTKFB2BW1DB0z3rfwp+ 4ZWHwweW7MNtCpFnmHhliL+mo1iY6bGLNRQL++kLcqbcKm/DSVU6S/I5KIoZpYdm +4T29YfybFzKMmVwKUnCOd04TvOaTrPb9AWojQIDAQABAoIBAA6Y7xXnpHY50QnV Zr5qKM1cf7J3MaJLHhxW+k/g20Oc41GJBwcjmjPrui0Wst69hARZuEeec3MD7a8t o4YVZcLx6SdvusIFdk0gDetqfjFrQcvKGVeDRrwFsgWebx60O+mBS/eOQhJ/zLg5 iNUYHsMpFrUoDyOnoVXOY3x3XeeyKiEuSqUX77APICsXPrybCT+jnq7+A9Xho5E5 s7pp43siXvkTL5PSin2Hgb4eSGXkp9gKEuo0ce47MUNxkYpGR/DicQHjUvAOKATI ED3U1I/TyTDvCFRXyXz5xYTYArjLDkvB2bp7Cq29hJeckcIR84SAhpuDToKezXaR z9gi/00CgYEA7tz3whqlmacwrmEvWtuBHF1nuQ975ZpEBhhfepwNZtcNrcbwzSSp N8Xf6QVPpSrYj0YhvZ6He6UfCJrqVuM5mLjQ5v43UeuA4qzhjlJ/7IQTIuic8rYo ONqskIC7xxf96VFS6tN9plRfQHiSq/8ePCStOC4JCzcS1GMJj+0ARQsCgYEA5qom ngftFM5StkYRKiZEaczrvAvLlaDxCmyeQoPvRpXLP2cOKAYcC/AE2bmyLhko2Gjy Qqgqx0El698TQZZzJvspX06PMcuIsLZUGrllRv8Z3eaT1N84+sB7tl8F3LzgyZgZ NzLeh7NnkTts+Bg57EnzYgRYwOFvT30DfAFUF8cCgYB0APSCXBaYrM3DoocxBPGL KQG6qn5tX6Ixo5ybGzaW/1IxVzCTMH7OC1dW/7FScaCC1HiGcnsx3VtY/oNYdzn9 paQuyr9rFYiejX9tczuVTf9NMNMoPLcEBY9RDnQjmM9DhK9URCn9oXQxB12UEm5I nzdQ1Wqm+7Q1WXPHZj5/SQKBgQCbYyJSsTo4GunDWp4zi8XolCB19Gg4K0xV3mga nPBy13QtCQqTUdJRBGbwGVV8EnzelIwm9UykIDIgnI1HUMfQCcCMMMrsG5XAnYM4 4Y3lbvKI9sy9yYaD/WkZqRe05RR1Gd5avg0E04nAX4z/8KoMkKDBdfYoMXWf0bKo NejlfwKBgDlQY0X3oGyh8wHW852oEX8rE7tZ99n1SdQjVaRvOijzjv56haJ9tSvZ eQ6/s9/I6jhM5WKHgUUGwZ83aSsj7BqxwMbgO0+s/QOyb37ZN+YirbiPcSiyrIuz G2bdGb4ejY671K/6FaR+TRM+EhnU8pxpXl7Jh43nEV2rniqSBos2 -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/alice.key.pem0000644000175100017510000000321315161577363027331 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAur/lny8tfApoYtFP+tJNacpOPlkOlkRXXyW3yPHRI8BHPxtw VwB1ur1GRz17gWFkHquRZjwfCRP8iP/NJ2EJrHWcdVrhAPQ1B6uD10vzIoZKqt++ 11V8HUyfeFtag+P71R5F8STaKhS9MTWb2DFq1I7ouWhZ/Nemlk6hldYKm/9rJRCM 5Xij4AiPtSp9QIfp0JvVxLoQtxIza+OGODu91snEdsLAOyA+31IQxuDChJdtm+Vw UKQeVNd4bOktBwQA2Qd2qutAu+OlaHOqhH02+eYdgzgs+k0HRu49bXOcLAlkGaYY YNx8icTHn1/+GUzrB9UeadyZ/vThQYTP2Ex62QIDAQABAoIBAHk+n2EjKx+uTili BdAte48khnoaLctHoYYnodO3k/XnHxqMwPnrVYQg4KDd/PJ5/Zuf/i1m+StWq41y ropTiQlL7oGOuCh7ZHaPV3CPYdJXZ+DalTeOy57mIV7tyK16dgTeu8AdEftiLZbm XEEXjGlmQxgk9M+gXwqVEHmMVqUCKm5vivVU6QYyYv4qyf0XiyhMdFs2MrynOn2N qdEMW588p5HHqsO/xU7YRxZG5HxIzix7y70SKe+lq6WHXPCpKdFoH/QeB5eNZHLp f+G8UUvSPcl18u57VherbdALsphcrcv4uQaLUv4Jes1ZWgHpA8TAyr//Zibubuna WrX9sjUCgYEA2zF1lEu0Pq5VJ2fm5Z0A9wmLVkdFfm3WrVmN/4Mml63tJAd4MryZ 3y+ZHbEpmjuxkePK2SDc89/hOfzMWkxYWrx8Qku/f3856AwW6HiBoCxCvcV6iXdK 35ZGG4pzYesQFqP/bPMtIw8QtW82MGaPPupyG+AE5rrR8XTsmWBYs9MCgYEA2hvF tF+NKSwGUinW8yVWg2Y946Z5IFUrbbALzXt17Y1Ljkex0XeaQ6hM7ArFenC1OrtA L9o6iLInK0eoLsPNlelRn6VqLDbpSXSPtrjf1yHAv9V+8Ya8si+cGKX9VGhWuKQp hkfIylxGT7JhJeNJ5Z9umdIntT/oyAD0k3umZyMCgYEAum+8IbGuku33UfgnRcAg NP8yO+WNL3c/dNzKUb180uDF5rJPw1/1xQcYRlANIbmKVJubSsmQBgKz8H2cV2W+ dRcC3eTN8iUF3OCDj6IIJ3PeJMnWaxxDXB/Wa9B8SZoFaix9sm64QqyqupfoUIy7 ZHlHK3yEzreyoJyiLebsK68CgYBWiCgy/KnTiNzlIiZehxTAwwKQ3A44TrIRLYQx POc3nRQ52aXpterlJtOF3mwkvKyaJYo8sfcBHrU9jYtjKlnZPR0eGpF6Azsg4nbW BpkAECsZsMlRZ6RbiVoDyW8tWsv1K2QyGy7FYkCfA+VZE8jQqiVGL8ODPFzNZNuj 263UQwKBgEXtI1kpfEGMp6EVO2v7Fh2cH50dQWxlSMpflz2VPY/2Trcm2aGrvCvf AObSlgx1Yh1nUu/pHJyAVLFnCyTuxYG+NSPcnUyvATginEtjgASdkcFouKUBdH5V gMHjwfe/P5gdoCgrhPx2w7GAuwT8Y4i5X8RbETPlY0a3ej51o8FD -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/bob.key.pem0000644000175100017510000000321715161577363027022 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3gs9cXiCWjzomXEU7BfCFQGmtssxHbvD2mrPgvuRXXQrHlTu x7BfwuDpXewGrzuIp8rqzU+EcPaLViVMqrBRyWhgOEJCwkB4T/7T9mQ1JLt9Shgz MAk6nbrMfUFtdYUIAzA5D9UVatwXzGPm7zhBlw+jhJKrwLdwM2j12U8KN/FOiMEV gxCpBKo3UP/3O1ESXl0cqKfiXPe9VZHguxYnmiXa88x5pAu9EXEDsOrBvRrw05qT Ai1s6xQkmUAMqlKnV7dpkLfupZZzCNJAhEst5HTYmi5BCs8V5qsiNZJEd7anr2se irmBxkT97/f4YI160Qn088Yr6wbyBih7NxHS5QIDAQABAoIBAQCXKKG4iKh80/Ao 3UG4A+h9MnWTBTq3miaXn5UK/0WTkEz2Ri2Txa87VK+p388hJe8/AzXbdSGdYUmz 6IqLvKLA8Qxn4DvgT9FX7AvSNZ+0FOsTMOxP7Eh6LjudnZftpBWzTfXaoF4HNDQD UZNaETsdomjYDJ1eAcMhTHfpaxRyxc/hbQ0LQZ2AkrSAKt3yKKd0iLar/jDTm+xV ivXHKgd8QH+L8wYkaDFGNb3QniV9LQWZFKR+6lyPCimxjcVzo53kTmAYwsbte+Ct zOe3MshUmH9y5FQ1yHLC2l3PSGcYEGMxpT604govbgOyOXob+OKthD5ZpY/jESan WONEgxVVAoGBAPHlMV3BY4OGDBuf+UsbNkTI+oJMHtV2bSc5C+lZE2EBapf5hB+j HjHf9W55+e3xmbgsOjPBJ/HOH0xVhaSsjbe3H6Oh7Nd2e1wnfn4G7hRx5hUVMGVH sTYAUhzJM8rI1bwwUikdfubTcquX6k/2n4xAr+5FCS7cXaza85TO+xmLAoGBAOr9 uQFvqlSbqvX4g3Gwjg7wJE9uTQmzLSe4sq46h2ZUMngmIn3qSK6QzU8MbCojYn7n QBHW9h4cEBoKaKbEpy0DPpLuzja8VIInUNMcrnvf6EgfOtXbbjQFyRAcBNWdRwaa PcntIr2Y9TmeHPQSfQWcbMFxZ8ykbwryyC9JwvNPAoGBAJ6lOHlK6l9KPQqpIrDV igQW4+Us01QgtXnx+hPyrbkDWsuNg8/UBWukfK0WJoqd17lomEt1NSNrki9YL6xO 1ytUWNXSzyiItmM8K8Ov+9lA0iull/X0zQ6jqzbh5qvqh/NCpb/9bkspBp3vpmcH UqCDlF7qvBkVwgIqH3LLRPf9AoGBAMygxrK+d1eX+saYcnXU5c+SRDw687DHq0GU r1vSscdk+FHx+0Ukd8gzZeU5DxOeno2deAhQ5R8RFuBmQf0+78jds2alt0Kouvpf nB1KM5LBRvdO4qAJpax9gTma/Ia7n3bbZ4ToD8GEab6TtejAFMiHD5lf1KC6a8vf 4Hx1QeM3AoGAGVyG0jTe7P5D7/RupaeY7rjTxXc9r6OL+BF2Z2NI3jtgUmDOonMd NzMQQcEbGO0qCc3ZZUCoBUnAAK6lAVfRBxxJAhA3NdPO2TFcpjDS5kVcxKGIr5jW g+T2EqCbIeMKkZFVBbrRBEb5XLKpNA1o2+pcuT2WU+y/xVbo/Q7M13Q= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/inbetween.key.pem0000644000175100017510000000321715161577363030240 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA1qjkN3v5mlIPm4XEWv4p0HnEi6VOL4a/b50jyUvmuFyzN/5i x7thHocRu/Ge7DBYJzcmoDB+4Amzzopesq9yp5SfPcQBAdI4WD22NTKhawj7AZzA 5IVl4ma80zQTfA3jsFTar0uNtWowoOAM+N+J+GfBa1vejPz8o7CibejvqrVOkC7S vTeWkfDJmJ7ukIv6aWxOJQRSmOivvsTKpbiz8svkMkz3H3FgmJVDTFovp0bgYJSd GhHzKIWZF8V0R3eecgCSmuN5pf4y89Sbocg80QwShBgnYI21TK5nyQjL+ENWK+pV XN4DB6YTDkl75jNu56QZ+76GFFLYgWlDDDID5QIDAQABAoIBABShuQWoMc5mUr+0 9LF2OliiS4TMh55DykSVCup/FBbmOgeIuL/Pv77qZob06zxyTRa/00OURa2M4S5Z 2E4+VLvMqh2KqDoflXDNxaSJUEB0ZYO7KEMOm0NOcpmuKK1EvHynOzmb/mvQYAom XrjQ63bnqgyCkPpmGnY1NPdxaw+yHjwrqrynnZmIEB1d2UZrNqF9o20OB8gV4AOF b3+upHh2+8eAnMXITOSj/ECgsmVGPwcokDY9T05KAdGlg+yMrSocBPvAabVzOsL7 m5tOE91ZryXLrpU3SogNJJYljxNUnzeaeV3P+2+Pen4UVNagK6XL0AXjah7aehH0 WK/ODoECgYEA/ir6fcoTEKGQZRqVxSo7oWuHamnlHZDaUV1yGs/X6GMFBicaksUR h29z8gfYpvWH8KowGD69mpWY6Cs2LNeu6E6mUtsF7wUjrRtlkovdSnjBdS9iP/vF QDPiN53cpQMRP6/oLAMNm2NmCPCzm1N/lSPHMZ2BYZI70u16Zml4n4UCgYEA2DUB +x6IiAF1qZCxENdmIR81hoMZe74kt6c1OJbBnfUomZV7x3YWv2V8zjcD3rFQN4zK 4SlMj7MuXPkaske6VgerFLg1bhqJUBF6rPSF/JGyBtD/sXd7sjUjTB4+G0xX0kdu WZ8DHX1cHtxSlBZ2JVwBaTai6IK3RhlNFUiXkOECgYEAxD4Y5BCnAbtNCtMo+m+u VOb6Sk5y6Y4TEqmM1WjO8o2prmN44AOqkiCarDAktlxzVn2A3udqa7W/ttrOXHc3 hARd5TFY9oDIV/sERM8a0EpGTJ2GRZK2bOjibEDFwN6Kbdr67yh4VBa+DH8UngQt SNC0FvnekKBg8m4LiJE84iUCgYAqdU5sSDS7sL2wjO+YxRQTUROr1Lb+a/q97iIv eLuRD4Hnl0l1hCU3dPCrdnZWFzAPmKCG0xtr5N4n9+tcM2XOWzcnnH0xoBhzFtum d2aQkPQLDqQH79TkzDagThgYOEfOzaRICUgNVH7wuIem+To+X/EO/mHDk1f2diWD FnxdQQKBgQCds3ZzDpVY86/94Xh+Saegw5SunpAkObp257Fp/X9s3ZBKApYoIlqo 7MIu3RAQ9H6jH6o+TmbVXsGm5QFZ+52QyGuN7txp9ZwpeHNnirauyseOreBT3vMi c9ahJWA9I4WV4aPogxh74fYUKLfhxfhsTTLzq8bBj2TpEKev0Bb7Lw== -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/interm.key.pem0000644000175100017510000000321315161577363027552 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAqUQg3xjXPS0Q+tNAcZ0GXf+sMfhVyxgBdeh6QowJmDdxIZZB fzSHH4Xjk1B603jHK0YZKsZ6XwdXVPKWhYKA6/vIgRmDJuFFB+/8p4W13TBC6H8m 8hmha9+ZYHV3G7Fmk8mPn0LgjZeGoKlCsiqxd5XMDwGwQZr1EwkvsQkZJkwXa4s7 mIqvdapC3ydw2bo1iJtK8BIf7ATcCOWKRdLcQEwg42RrIo9HOio4ngfx1K3EkuoK VbqiVPHqI9G8QtlmwySnlLmbXr8l5MBbGfNyEO3gcFuhtTSGOTJu9/1UIDu5lYi9 Mnhry2bqfgrQhLueE+BMuOtHUbWsET6mTNRHNQIDAQABAoIBAGcOoezzlOkcbUAq KwyBjITizBbImoPDI/CEERw/YwAYkXrfnxUyCCs7O6pPz9i9qpZAYcZXfd4p/BQu d1LmeFQ1wohH3kBn273PckcU8/uuDK697BpvXIbvZtUB7/kec9P7XsSa1VmgLknX hFIyCEdFHy7r2kK3dAuZBj6FyZg0snkPQcsNgocZGA9b6xqC/T0V0b504csmpz26 0SeP2NuBa1vDk8AnY5FXWWuBm4QV9U6qoE3dJG7gkNE2OvybksCPSEGnVXuFHEjB kCacMMQRUEnY0kuy7ZXb21z9bwCBNDgauR+kw8d2Uv2deb0cLxyEMHGaBAMivBvP r7KHw6kCgYEA0UDjHVnfU15iZyAWv6xNG/6grAPhN7KjtJ/1U8Gje5TvikO9aF2u YO78jb3wZAAARItXUoMArivdKG13OddvRtPBgJljaAYdNIM4mbfyQ8sm4FtzVOtE fwL9oMJgEnNH1iwSPSXh30nZ7uC44xSXgaFe/2ix19qNLPmer5xt/T8CgYEAzxRi ENwQcs+/c+lVBDuKR7F0XDKHakH5RKMxU6q8s0uPdaBdbPa4qXfM3LubC0XauNSR jpe0kAlhir5uPjCAd+gWBGu0SUUJAZnMEGxiD+YeVCvk7KO3vcJx0vBVDdmNrmjk a1L01oQuNPv5fAr6f1JkeffWpg5Lfh0UXFnkuosCgYAFNFXxvvB9BFXyNqwaLFDm p1ibrqUFW54Suf/CC4jjY/rpN3IYjGvv4UHKzLST6CQZkFWlqbh0nIatoLtcZu1P l6iyaB4+0hgb3D+mIxsVcJIQ9nVR4WAcwJhKTUtSaieZPhNeDfkmMpIHDPPMQhDa mobgV1xFAByOx86Yk41wxQKBgD2qWDmlDtDhxKWDymlkQZ1v3rLF6UVfOBeUcU/0 /BR4X9QrWSblob/1iPACff0xZBy+UEoiKwbphD6IztN+JgOO/V97o0heYnwzjG0n mVwartVp7NX7OvArQzIJl4p0Spixa7P6FCb9XbUxg+3IZygbJQidITJ590kq57FI o7BZAoGAI+JNLXIinUrFMhQYWxi4h0IDyI6nhVpazu2+Q6tnfHRKItP2e6X6W3Xs 7FqDqpHgr0b29m9fLXwGK5eZMtqZ26zrr2uNgKNsUhh9XeDq0F/KECh1aTdpUDeq /X1Ytv9OsTKyxpzXzP+Pj641jrgSgGCAaGIy9F2c4DkeFuHynOM= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/people-ca.key.pem0000644000175100017510000000321315161577363030121 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAy4bwiAogsjoha2gFNvb26EHtep6u/N+THup/8MFAPc+itgFv QqhaY3HH0YKd4jwaJfX1QNyNPQY40aqRyo1t+o+LpEEoCIoqCn2SAwKem93sTUaa QDVzvR/fIumak19hEA/SuRFLE/uAFO3ErRTMPIqsKDz4RNUWk+7A64O+3dN0zglD mgmu4r5BP90AXhsQFYdyn5S7VZA2HaQt0tGB/snr3hHF5dwrzQuvg7kn04QK3Oyj C8Igtv7qwnMhYafHg1mhrpdLz4SD1hUZ5kPvV844raY+Y7dSEk4jVPHCI2DpOSGB e6H9XuwtmcJ+tch6qq5eO9GMexSZtA3GSCDH7QIDAQABAoIBADREHPTylN7wKrDo b55j4ZhXheLdaVarG57u3Zg4KIU3EzPmPmpBzaSIDaZyApWclaJ1/VuAyAyJ0oGV agc4NqwHvPabfOpkgNNc1+hJ/e1NGmfl36rpjyVcT/MpRnbeIZD8X0MDe+JPzd6S CNXh52kMu5VBwwf6KOgoggZ5OMTCGXNOXMCXXwPBQO14hg62KKEf8JrJqipqEPNN 4J/XkkGBbFcGVLwRqw0JlifLebDU3jAOTtG/QDsrgGmGl5jpEs7DWwfKxXghylya eFy6dtFkwktfzQJ1veapyhX8SRY+nPR/u222Czu5xbTODFwY//zghMxBzP3PRi7C RA3F3gECgYEA8C4GlJGuvp4Eq/exfMWl8VOh3T3xcme87wczi4R4iKbralnY+CmR ORDky+YvSV3w9M2ftfDbTa9ILen5rIbap+H0FrKzNkefNbEnIX8ihdeq5oVLVrCJ EpZfgx0jfEDkbFVURBRDgtSuuDaFcy7EBczv4JC31b4iSppyba+FXMECgYEA2O7d 5x21odLh2e7cFvh+/KKNurKtdjIO2nXzuRDcqzQZEgN3YpVoUZRhfnERQQ1Hp6UP TwB2x+t0uoSWCTMDtGVXZl5199sUksUeU48Xn4gs//Squek6mAFtkJ1whuNfggtu UyIq1qFn/zhogAp64zVKYCW4zRqkTrQ7/djb+i0CgYBdrBW06/yTK133E+uNFija Lhv7BaWdUQhG0TAxQcEgyrkWCWStpMiW0RfqziOzIYhQccHQW9esPKiR/6b4ur+c qmtgTuHGUbiuYCE61zLHsI1eyq3PaZqMPUmTAVJNq6Fq/vyWcLDD3d8myVzSx3J8 MKl9k/Oe0UDeh84JKWOCAQKBgQCCnbB2i+jk+riKI8vY+N5c9vMnSpYu6I0Q9Jw+ /ewgGUpPEk87yIH7PMBHBYVCCeDvC+9fvgPG8/pgo5xDBbhhUfOB67ZT+lE03gMY hLvQjompw4NYVRm2lIWH4YPzc8v53TAcViI9AQpBHZGuJqE/VMLniU7wD+6GhPbq LTymMQKBgA5ST+G30w51sFRJJULSfB2kXCeRs6dDDuLwZWLXAtBfyUHypx+OcLzR 49YBt8cE/IM6UvvMGCavucU9FOgfk3JQEg9uHd7ky3z5vc8g9XZ7f/cURbix2lPZ mhYZPLA+/xQdxIk/zOs8MV/QLja/YetW7kc657iRMnlbKBjgTeCT -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/keys/root.key.pem0000644000175100017510000000321715161577363027243 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEArTPIQsHETFLdmvvlp79EJ9FFGhsHEocqPev1xyRvCCbbkOi5 VDc+cWtkYtfX8TJn6XRX6VBH5a3/cw/qWIyQbwP+wtwMN5DftqTnJILdtGEdrFb8 1TKIofoCfUAvBJk1K/SrIV6BZi03eeqU5/7zVaaBnC8ZrXu2NDK0h1V+Co8Cb054 b+Q6YcDq4Rw81M7jHu7Iocnmx7XoJ11bMQb1Ikcd9xrM3otC10UiaroKX5Hdf88I lUIHjPYZ/ChSH4GStcePcrS8saS9byMja76C5G8Lgsp4o3Ccdi2H1sShxp1Y02X4 X2eEotHVM61a+5TOjP+16DzvX2YPFT/q83N0WwIDAQABAoIBAG8fXOmvpcCOHc20 tWhFZ3XgZuRT2NrDS4/E1sA4mN/zBkXXeigU9YQRMavU7Z+7Bj4avdhcAHTUiKMK 4ACF1pjTSF0+jrwLv+xPqlibeaCj+kS63qXuMQky/OvdBQ1/OkUESdMz7fNfKUuX /IdH5FjcZiWNdnz+dSzSJ074w9ADWHIjEg9ixmw0xU2QbulOgJabuwuri20kVyuO cDrl1zW10e7iiog85HHEIFwTXfen+wb0QgH/mt1/BS+3ch0dmP0i8Dx6wZMqh7P9 RQU6N/947jwgHMP3HV4SDcHLSznIB+G/veaFotL0IDKHbhdQIZTGfIUJXIx5RTTD 4XTF9hkCgYEA2Eg/GNtOwtlQILGpkBLvEgq9dlttQYjBeSBnXbNhI5NHMuYq0piF xki+Io3zonLKMJ5LZCMLYesJm+WMGVLZ2d0F7NSfvngI1nApa70Nsux3EeZrcFTs u88vWJCCXR8++x21iUk1M0SHxdXfPc89l+a3C30XYTD3MTEgkdN3ChcCgYEAzQJI ZwYV1JH/jE6AIil472YIBQXBB+YI6Dx2V3H7XDzE7G6IKU7VuxrvZA1i/ODKzPSD tBeCrhnUdqTOwb/Ba7CRL/a935tYiOJRQb8fM0Kyy0cO33cPBsbjOeZRMNdyhVKF 8eg2qCMPuEYLVdumQQl2wNbKcEUbgxgd+Icxxl0CgYEAyp3EHrE1c+zJ2BcYVtSm CyzsmXjFPeOz/JmSvIFTu1Q6G0DtVSV2DXAQT6bUW5dWO33P+xupii36boX5Xa/0 Ttl0t43pqTIidWHWLAyMTNaiJa7LcAzfSoKqRDn9JugixHXsn5RptoG5AGmAHhOM DEYjrSufP3nz2a3AaVzF5DkCgYEAqpVvsWn62DnzrcfUDpj7rBf2LFexWuUqHDPT NMf/I6zdHu6KFfUnGt06vMH2z/wsQ4Zh4IR/lGahx2czMzxfsT/mT0a8j0cv0Bah Dlf9miWxqDukQIVM15K+l/rxK/bZr94O3k8ey6EA/5Ao9nQiTpOVYLhZEjouvlJe /eFgpXECgYAviXclHhkyJ4movlUrbwlkE5/ezS90jM/1Y0iinCxEfjzN+p0YmlGR rbtAahdSHVr5YeB2d5aBDWhFv4GJifhZPUR2Gy5Zqgnl0UQWyVSWx8wFDe36Cjku eDS/6nCP0f3M3ZHbRA/Xm0mBnc9uI4yD9bTG1ly2KE9Tpu+gggYEFA== -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1460524 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/0000755000175100017510000000000015161577372025264 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000023400000000000010214 xustar00134 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-aki-with-issuer-id-and-base-certificate-id.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-aki-with-issuer-id-and-base0000644000175100017510000000151115161577363033347 0ustar00runnerrunner0‚E0‚-0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA ©0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA \0Z0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0†0yU#r0p€é—ÿF‡fô‚xXýû4Ô}L¡T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA‚0 U80  *†H†÷  ‚¶²k&!s9}qÒ¯pqŸ·šv×ú. ÅBhïψWü#ãEÅÓ5ò¢7Âá%fiã—~(™ŽßTîŸïʶƒJ’[[ð¨#¦‰jQù¬¡ÓoM€Hþ“L ¸=ã‰^¢×*¥¾OhØ+¢7qx:ÇŠ-¹¹;bºyÙŠBÌ€u:þ²ÊFÅ&«† cö)i¶ò»nGcèÜtTÖ Ê æÒLÐmÁóCä:ùñe˜IÎUɨŽ»ó¤tŸò¸„Ÿ?› èù¬V(OðV?$t[¢Ç^íÇ€!PB¥y,]äyU#c¦ïûÇà–Å>^ê›êøŠêûøØ2×ó././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-aki-with-issuer-id.attr.crt0000644000175100017510000000135215161577363033442 0ustar00runnerrunner0‚æ0‚Î0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0†0yU#r0p€é—ÿF‡fô‚xXýû4Ô}L¡T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA‚0 U80  *†H†÷  ‚RVX¿²ïWçeÊvÅ oÂ%¦ô.ªHÔæÎ×pŠ|Ü~ˆñm‡©¥«UdCê h‡Ý|ÉPñŸ ÑD.Çï-Óñx3¨ež:ô L-¼¶$Õˆ»Ah–áyµJ=ù¬Œ+ ¡"êI+¤î,Xë‹ÍøO´EF|í|¹Š/À¡Â!»#,…{†¢|`æ„®ä=Ĉ WŸh…Ûhìuﳯì ÖA7¦5CÐç?Ÿ™ËåpûõÙlÑv×GœŠ‰…׆Ôjç—;·þú€[ä=Ðõ¤óÒ°òaPKŠœWØ&4gž÷î··Me \²8…¾Ì`G…Ý˃£3ì././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-misleading-aki.attr.crt0000644000175100017510000000134115161577363032677 0ustar00runnerrunner0‚Ý0‚Å0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA K0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0~0qU#j0h€é—ÿF‡fô‚xXýû4Ô}L¡L¤J0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA‚0 U80  *†H†÷  ‚Ïf¾5Wö|áûëQ% ³Lªôè4TË<µkwÊÍ×8=‡ê¦º‡¼-•ç¸ð‰…èšûÓ2¦—!~CéB¡çòDãWXm¸„H«1.æD¹VÛ¾kϺ)v5ºÈ µ¡ÄeEdç)×<© žljào“QK:›ƒÈ9ßœ¼Äõ)®Âowî‰Ó?M8ˆX~îTÒ?m¯Î«“rÖÛàTÆ+i=AÜíêÇA½ ÊËpz¦}ÃÞLG0¦±jGòârßÓ¨BÞË5)ϳðƒ©³7^<ÔwH9ýCêÃÕlnârÙ^²õ²qý¥GïoqàYl×âýÀQÊO././@PaxHeader0000000000000000000000000000022100000000000010210 xustar00123 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-no-aki-with-base-certificate-id.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-no-aki-with-base-certificat0000644000175100017510000000131515161577363033434 0ustar00runnerrunner0‚É0‚±0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA ©0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA \0Z0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0 0 U80  *†H†÷  ‚•ñªÎ+O©;xôßQ(£|÷¦ÿsÒTÈŸ#Â=þ$C°+@+{$H?=2k6^Æ{±¶þ1ÿ®ªn’ÿ¦¦ÉpîATˆx•ú PEÃf i«‡uc„]Îÿ_â¿Ùß £ÜÞ;Ð5BcŒKÀч‘¡šEª·|ôwü1›r MEór3Ï—–3GMé¼ÖWÕÏd7t,佧í1W\­ãc5a:½ð?劸­[Ž6;ß $E½ŸŸoÀgn’X§ Lñ^Y~`õ±îç $©4ƒ̬ʀ{/®!µ¦›ÌF—^¬C È(ħ‡ê|…Öù././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v1form-issuer.attr.crt0000644000175100017510000000121515161577363032543 0ustar00runnerrunner0‚‰0‚q0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚OaÂÃ)A?8ë?©ZµÝÙ¿À9Ç——~x¡'{ø9Ñ‚#“›ñ»XžŽÁk=·Ý+#·‰wÃÆŒ„X][#ú`b–ýLÎ µ kª`±<4÷[K#úéÑŸx$s¨ø²¥n²—áW©À“Íi²€[{¤™£ò'V^˜=³Üû&3§ÚáŸ]zÒ;‘UÂŽ9âR&¦åR‡Iî Q 6Ù’i…\çÕ (ºOŸ‚Ö¹²‚@)î°a–mEíS–§°\F4çîaŒ…9uKÛ¹'IÔé¾c ^SÈÝÏJª€Øi5ôIão*ª›%×3‡²D¢†w_˜!././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-issuer-aki-misaligned.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-issuer-aki-misaligne0000644000175100017510000000150015161577363033511 0ustar00runnerrunner0‚<0‚$0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA ©0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA \0Z0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0~0qU#j0h€é—ÿF‡fô‚xXýû4Ô}L¡L¤J0H1 0 UXX1$0"U Testing Attribute Authority10U Root AA CA‚0 U80  *†H†÷  ‚ÅÊ*~\”a¸a?Ee3¾§ãÏôb' ò¬Í÷Ei|©3úŠ:÷4 n[Æ-ÉcLý†ˆ÷fÌ;v¥†ÅÃä é¡ÈU¡¤:lM°«nŠ¾ëÐcwª¡&~åaäÄ~ 8xg¡PÙuù¾šk e׌]ÊŒ•AÒZ˜¾|˜FN‰]4¤oD±UyMàFüSP@ ÷ãÜ¿›gº‚öhžF"­žBô‚ñß0B@K‹em Ðà$¡ÕÎa¾'`¨ÑçKxî/=,Ím×þºáp$¹*)Ev1Öä7‹t.KgOÚhä¨Pµ;)]ÝÛÝ=ùÇ\Œ§'././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-only-base-cert-id.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-only-base-cert-id.at0000644000175100017510000000124215161577363033313 0ustar00runnerrunner0‚ž0‚†0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA ^ \0Z0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚]âÉåê¦spå¥È+µ§|ø_-æºøµTÓ:–ÒΤv)¡¸¡HW—n¦H?!¿îá9àc]ÒâØO¯ãµjÝ6Z¨; k_8œÓS¹ãŠCÍU­·Qxq}t ñUœ”' Ë*p¸,[%TÍ9Ž»†½³ei–¦¿koÜêWé¿ê†e¾,yü¼}„û ðWÃyE¹w•Û*‘•éý›8k9.} W:árwÖ‹…~¦çeÍ['UâÝôã”åE­sÿ³¬Z–Ë—À=£1ØJ¥fT‘üYø…8öë4roû.ÀcÊû\Ëàs»Åû4”˜‡17'k././@PaxHeader0000000000000000000000000000022100000000000010210 xustar00123 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-with-base-certificate-id.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-with-base-certificat0000644000175100017510000000135615161577363033476 0ustar00runnerrunner0‚ê0‚Ò0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA ©0I¤G0E1 0 UXX1$0"U Testing Attribute Authority10U Leaf AA \0Z0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚]­ö½ëÊÀä#!’ÑPc·ØšIÄVÈ•–æ7ëo„¾!N/„*.#‚íÞñ‹›²vÞ0·(ò¤ãMç›g/“ñ‹ò_ó)?«¨KlHèÚõm¸oUˉ®•ý®º_ì†ù¥7;‡¥(ŸÞ—ß”˜ÇãKRczø-Šõéi71Ó°7W¯t«[õ§Ÿ¸•ò‘u<Þ=ÿ#™§žn1É2Uéüþ"d-Ä’7I(° å³±%­É}rȈùUSo wРgí&Ï|È$Ï%¢ÙäÝy†•”././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-wrong-serial.attr.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/oneoff/alice-v2form-wrong-serial.attr.cr0000644000175100017510000000124315161577363033460 0ustar00runnerrunner0‚Ÿ0‚‡0X V0P¤N0L1 0 UXX1$0"U Testing Attribute Authority10U People Root CA _ ]0[0T¤R0P1 0 UXX1$0"U Testing Attribute Authority10U Intermediate AA CA†Ÿ0  *†H†÷  0"20100101000000Z20300101000000Z0b06UH1/0¡alice@example.com0¡alice2@example.com0(+ 100 Employees Team FooBar0,0U#0€é—ÿF‡fô‚xXýû4Ô}L0 U80  *†H†÷  ‚Çɧ¸Aý,õÖÜ­£äB䑉§Cf…,¨¿y•CnÅb©<¥ŸóãxvYª|¬)ójEž»&·|Š‰˜òÒÁÃóN?•uè÷Ç /‘z†u]4¨läÜ~…WÇ!7b•ˆd {@Vßü¡Gç`™T´·÷±–µUXäEÛóM¹0®0g^kÖ}äë÷iš»˜Î¿°¹»ïzI@~´0Ìý {¤O¹4åltÿ’žTœ¿â!ø¤™½XÇòµN&—SE}©óa<üødø•Š¾ð££Ñ¼í=q/9EØí‰[®þÚ Öuc^Ý&¬!¹¼A‰ìwGWŒµYÛ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/attribute-certs/regen.sh0000755000175100017510000000403115161577363025445 0ustar00runnerrunner#!/bin/sh certomancer mass-summon basic-aa basic-aa --no-pem --no-pfx certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa interm basic-aa/interm/interm-all-good.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa root basic-aa/root/root-all-good.crl certomancer necronomicon --no-pem --at-time '2021-12-12T00:00:00+0000' basic-aa root basic-aa/root/root-some-revoked.crl certomancer necronomicon --no-pem --at-time '2021-12-12T00:00:00+0000' basic-aa interm basic-aa/interm/interm-some-revoked.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa basic-aa/role-aa-all-good.crl certomancer necronomicon --no-pem --at-time '2021-12-12T00:00:00+0000' basic-aa role-aa basic-aa/role-aa-some-revoked.crl certomancer seance --at-time '2019-12-12T00:00:00+0000' basic-aa alice-role-with-rev role-aa basic-aa/alice-all-good.ors certomancer seance --at-time '2021-12-12T00:00:00+0000' basic-aa alice-role-with-rev role-aa basic-aa/alice-revoked.ors certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa-nonaligned-name basic-aa/role-aa-nonaligned-name.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa-nonsensically-scoped basic-aa/role-aa-nonsensically-scoped.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa-other-reasons basic-aa/role-aa-other-reasons-all-good.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa-aa-compromise basic-aa/role-aa-aa-compromise-all-good.crl certomancer necronomicon --no-pem --at-time '2019-12-01T00:00:00+0000' basic-aa role-aa-other-reasons basic-aa/role-aa-other-reasons-all-good.crl certomancer necronomicon --no-pem --at-time '2021-12-12T00:00:00+0000' basic-aa role-aa-aa-compromise basic-aa/role-aa-aa-compromise-some-revoked.crl certomancer necronomicon --no-pem --at-time '2021-12-12T00:00:00+0000' basic-aa role-aa-other-reasons basic-aa/role-aa-other-reasons-some-revoked.crl ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1465154 pyhanko_certvalidator-0.30.2/tests/fixtures/certs_to_unpack/0000755000175100017510000000000015161577372024052 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/certs_to_unpack/many-certs.pem0000644000175100017510000000274715161577363026651 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIBtzCCAWmgAwIBAgICEAAwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBaMFEx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwKjAFBgMrZXADIQAXWlpT uI49x/lQ+ejNPZoVBuw9z/qj+5NNs4lWzipO7aNjMGEwHQYDVR0OBBYEFG9Z4wcZ rFpSlbDGdg9diKu1lgD5MB8GA1UdIwQYMBaAFG9Z4wcZrFpSlbDGdg9diKu1lgD5 MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAUGAytlcANBAD0febBi r+7U45bbZ2jWjMP5nOOtWW7bk6cgcUyLgw3iG23ODi7AySnvPq/+VYSlCtY2bLRD bVZtSmCr0+cj0Qk= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICSjCCAfygAwIBAgICEAEwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDEwMTAxMDAwMDAwWhgPMjQwMDAxMDEwMDAwMDBaMFkx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAqMAUGAytl cAMhAJYsPbcVqzCuKDXU7QCkixsYlaCCYBRnGQGUMQ4MZ5/Ko4HtMIHqMB0GA1Ud DgQWBBTogPuh4ZuXJexOz4ZbWJWOsonA3jAfBgNVHSMEGDAWgBRvWeMHGaxaUpWw xnYPXYirtZYA+TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjBI BggrBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYS5leGFtcGxlLmNv bS9yb290L2NlcnRzL2NhLmNlcnQucGVtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6 Ly9jYS5leGFtcGxlLmNvbS9yb290L2NybC9jYS5jcmwucGVtMAUGAytlcANBAFoz 59Uvl68jDZa+nKT4BP1jawbtF/pCrR00DByDPxnOZb1B7bPu0mWIBn3AY8JEwY/U 1XN/JlIaYY+84kcBrAA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/certs_to_unpack/test.p7b0000644000175100017510000000207015161577363025442 0ustar00runnerrunner0‚4 *†H†÷  ‚%0‚!10  *†H†÷  ‚ 0‚·0‚i 0+ep0Q1 0 UBE10U Example Inc10U Testing Authority10U Root CA0  000101000000Z25000101000000Z0Q1 0 UBE10U Example Inc10U Testing Authority10U Root CA0*0+ep!ZZS¸Ž=ÇùPùèÍ=šì=Ïú£û“M³‰VÎ*Ní£c0a0UoYã¬ZR•°Æv]ˆ«µ–ù0U#0€oYã¬ZR•°Æv]ˆ«µ–ù0Uÿ0ÿ0Uÿ†0+epA=y°b¯îÔã–ÛghÖŒÃùœã­YnÛ“§ qL‹ƒ âmÎ.ÀÉ)ï>¯þU„¥ Ö6l´CmVmJ`«Óç#Ñ 0‚J0‚ü 0+ep0Q1 0 UBE10U Example Inc10U Testing Authority10U Root CA0  010101000000Z24000101000000Z0Y1 0 UBE10U Example Inc10U Testing Authority10U Intermediate CA0*0+ep!–,=·«0®(5Ôí¤‹• ‚`g”1 gŸÊ£í0ê0Uè€û¡á›—%ìNφ[X•Ž²‰ÀÞ0U#0€oYã¬ZR•°Æv]ˆ«µ–ù0Uÿ0ÿ0Uÿ†0H+<0:08+0†,http://ca.example.com/root/certs/ca.cert.pem0:U3010/ - +†)http://ca.example.com/root/crl/ca.crl.pem0+epAZ3çÕ/—¯# –¾œ¤øýckíúB­4 ƒ?Îe½Aí³îÒeˆ}ÀcÂDÁÔÕs&Ra¼âG¬1././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/certs_to_unpack/test.p7b.pem0000644000175100017510000000274115161577363026227 0ustar00runnerrunner-----BEGIN PKCS7----- MIIENAYJKoZIhvcNAQcCoIIEJTCCBCECAQExADALBgkqhkiG9w0BBwGgggQJMIIB tzCCAWmgAwIBAgICEAAwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtF eGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNVBAMM B1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBaMFExCzAJ BgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGlu ZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwKjAFBgMrZXADIQAXWlpTuI49 x/lQ+ejNPZoVBuw9z/qj+5NNs4lWzipO7aNjMGEwHQYDVR0OBBYEFG9Z4wcZrFpS lbDGdg9diKu1lgD5MB8GA1UdIwQYMBaAFG9Z4wcZrFpSlbDGdg9diKu1lgD5MA8G A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAUGAytlcANBAD0febBir+7U 45bbZ2jWjMP5nOOtWW7bk6cgcUyLgw3iG23ODi7AySnvPq/+VYSlCtY2bLRDbVZt SmCr0+cj0QkwggJKMIIB/KADAgECAgIQATAFBgMrZXAwUTELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMRowGAYDVQQLDBFUZXN0aW5nIEF1dGhvcml0 eTEQMA4GA1UEAwwHUm9vdCBDQTAgFw0wMTAxMDEwMDAwMDBaGA8yNDAwMDEwMTAw MDAwMFowWTELMAkGA1UEBhMCQkUxFDASBgNVBAoMC0V4YW1wbGUgSW5jMRowGAYD VQQLDBFUZXN0aW5nIEF1dGhvcml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENB MCowBQYDK2VwAyEAliw9txWrMK4oNdTtAKSLGxiVoIJgFGcZAZQxDgxnn8qjge0w geowHQYDVR0OBBYEFOiA+6Hhm5cl7E7PhltYlY6yicDeMB8GA1UdIwQYMBaAFG9Z 4wcZrFpSlbDGdg9diKu1lgD5MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/ BAQDAgGGMEgGCCsGAQUFBwEBBDwwOjA4BggrBgEFBQcwAoYsaHR0cDovL2NhLmV4 YW1wbGUuY29tL3Jvb3QvY2VydHMvY2EuY2VydC5wZW0wOgYDVR0fBDMwMTAvoC2g K4YpaHR0cDovL2NhLmV4YW1wbGUuY29tL3Jvb3QvY3JsL2NhLmNybC5wZW0wBQYD K2VwA0EAWjPn1S+XryMNlr6cpPgE/WNrBu0X+kKtHTQMHIM/Gc5lvUHts+7SZYgG fcBjwkTBj9TVc38mUhphj7ziRwGsADEA -----END PKCS7----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1486163 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/0000755000175100017510000000000015161577372022667 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/alice-2020-10-01.ors0000644000175100017510000000260015161577363025504 0ustar00runnerrunner0‚|  ‚u0‚q +0‚b0‚^0­¢ÔqFIíºûgü¾ð˜gÎÇf„£20201001000000Z000W0  `†He hFóRñ”%œy©„~ý-ÓŠ ƒe¤—8zróm ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyYäìa\Ñ T’îE?n²Ø´Xój§‰ L¾D‡ÔAD<ÅxÀrù05? ‚–0‚’0‚Ž0‚v 0  *†H†÷  0C1 0 UXX10U Testing Authority10U Intermediate CA0  000101000000Z21000101000000Z0R1 0 UXX10U Testing Authority1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚…K•c4Z «ÔjÊ"R£e’^ÿ53’Þ`7/áø%ö^0vm¬¹‘X$Ьþ÷Yñw!¢Ë›xêŒÄã@·àM☗b…+ÏV Påþ«øîšá‰ŸçÇ)Ú/‡MshŽ1ó7„M8‡/ü&)J軹°ØĽ-÷ÊËœ¶ù©áñ´›WUæ„ÔžŠ¥y€(ÉUÄB2ã#ÿžø M?î]øJj¬ùÇ;ÁÉ[È{]ƒñ3ÃÌÌ7`y#¡ÍΖÇY†Ó©Sðã¯"aøØMðfc–HࣅäE$ ÑYWhCE<)ȇpVpmïØÆ×åKDÂjFpþ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/alice-2020-11-29.ors0000644000175100017510000000260015161577363025517 0ustar00runnerrunner0‚|  ‚u0‚q +0‚b0‚^0­¢ÔqFIíºûgü¾ð˜gÎÇf„£20201129000000Z000W0  `†He hFóRñ”%œy©„~ý-ÓŠ ƒe¤—8zróm ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyY’£Ô:—ºQûÖ¬ËfǫιL¾„{á–sK§9]ʦ'Kç!œ 1Tý{ˆÚÂl‹SlJ#ƒ,a¾jºWаa»)ð… ‚–0‚’0‚Ž0‚v 0  *†H†÷  0C1 0 UXX10U Testing Authority10U Intermediate CA0  000101000000Z21000101000000Z0R1 0 UXX10U Testing Authority1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚…K•c4Z «ÔjÊ"R£e’^ÿ53’Þ`7/áø%ö^0vm¬¹‘X$Ьþ÷Yñw!¢Ë›xêŒÄã@·àM☗b…+ÏV Påþ«øîšá‰ŸçÇ)Ú/‡MshŽ1ó7„M8‡/ü&)J軹°ØĽ-÷ÊËœ¶ù©áñ´›WUæ„ÔžŠ¥y€(ÉUÄB2ã#ÿžø M?î]øJj¬ùÇ;ÁÉ[È{]ƒñ3ÃÌÌ7`y#¡ÍΖÇY†Ó©Sðã¯"aøØMðfc–HࣅäE$ ÑYWhCE<)ȇpVpmïØÆ×åKDÂjFpþ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/alice-2020-12-10.ors0000644000175100017510000000262715161577363025517 0ustar00runnerrunner0‚“  ‚Œ0‚ˆ +0‚y0‚u0Ä¢ÔqFIíºûgü¾ð˜gÎÇf„£20201210000000Z0˜0•0W0  `†He hFóRñ”%œy©„~ý-ÓŠ ƒe¤—8zróm ÙD;ÛWŽ—V³9bá:ðX¤Ý[ yyYXz†½“ñ‚ uHÓZøFÝ›cýYË50â® U¸Ì˜—3F:hÒIÿ TÈ—[@MñúB%…EîZ)æÒrãÜ팠‚–0‚’0‚Ž0‚v 0  *†H†÷  0C1 0 UXX10U Testing Authority10U Intermediate CA0  000101000000Z21000101000000Z0R1 0 UXX10U Testing Authority1'0%U Intermediate CA OCSP Responder0‚"0  *†H†÷ ‚0‚ ‚Ë†ðˆ ²:!kh6ööèAízž®üß“êðÁ@=Ï¢¶oB¨ZcqÇÑ‚â<%õõ@Ü=8Ѫ‘Êmú‹¤A(Š* }’ž›ÝìMFš@5s½ß"éš“_aÒ¹Kû€íÄ­Ì<Š¬(<øDÕ“îÀ냾ÝÓtÎ Cš ®â¾A?Ý^‡rŸ”»U6¤-ÒÑþÉëÞÅåÜ+Í ¯ƒ¹'Ó„ Üì£ Â ¶þêÂs!a§ÇƒY¡®—KÏ„ƒÖæCïWÎ8­¦>c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚…K•c4Z «ÔjÊ"R£e’^ÿ53’Þ`7/áø%ö^0vm¬¹‘X$Ьþ÷Yñw!¢Ë›xêŒÄã@·àM☗b…+ÏV Påþ«øîšá‰ŸçÇ)Ú/‡MshŽ1ó7„M8‡/ü&)J軹°ØĽ-÷ÊËœ¶ù©áñ´›WUæ„ÔžŠ¥y€(ÉUÄB2ã#ÿžø M?î]øJj¬ùÇ;ÁÉ[È{]ƒñ3ÃÌÌ7`y#¡ÍΖÇY†Ó©Sðã¯"aøØMðfc–HࣅäE$ ÑYWhCE<)ȇpVpmïØÆ×åKDÂjFpþ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certomancer.yml0000644000175100017510000000550415161577363025720 0ustar00runnerrunnerexternal-url-prefix: "http://ca.example.com" keysets: testing-ca: path-prefix: keys keys: root: path: root.key.pem interm: path: interm.key.pem interm-ocsp: path: interm-ocsp.key.pem alice: path: alice.key.pem bob: path: bob.key.pem pki-architectures: freshness-ca: keyset: testing-ca entity-defaults: country-name: XX organization-name: Testing Authority entities: root: common-name: Root CA interm: common-name: Intermediate CA interm-ocsp: common-name: Intermediate CA OCSP Responder alice: organizational-unit-name: People common-name: Alice bob: organizational-unit-name: People common-name: Bob certs: root: subject: root issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2500-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: root interm: subject: interm issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: interm ocsp-service: interm max-path-len: 0 interm-revoked: subject: interm issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise profiles: - simple-ca interm-ocsp: issuer: interm issuer-cert: interm validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - ocsp-responder alice: subject: alice issuer: interm issuer-cert: interm validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature] services: ocsp: interm: for-issuer: interm issuer-cert: interm responder-cert: interm-ocsp signing-key: interm-ocsp crl-repo: root: for-issuer: root signing-key: root simulated-update-schedule: "P10D" interm: for-issuer: interm signing-key: interm issuer-cert: interm simulated-update-schedule: "P10D"././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1496034 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certs/0000755000175100017510000000000015161577372024007 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certs/alice.crt0000644000175100017510000000177315161577363025606 0ustar00runnerrunner0‚÷0‚ß 0  *†H†÷  0C1 0 UXX10U Testing Authority10U Intermediate CA0  000101000000Z21000101000000Z0J1 0 UXX10U Testing Authority10 U People10 U Alice0‚"0  *†H†÷ ‚0‚ ‚º¿åŸ/-| hbÑOúÒMiÊN>Y–DW_%·ÈñÑ#ÀG?pWuº½FG={ad«‘f< üˆÿÍ'a ¬uœuZáô5«ƒ×Kó"†Jªß¾×U|LŸx[ZƒãûÕEñ$Ú*½15›Ø1jÔŽè¹hYüצ–N¡•Ö ›ÿk%Œåx£àµ*}@‡éЛÕĺ·3kã†8;½ÖÉÄvÂÀ; >ßRÆà„—m›åpP¤T×xlé-Ùvªë@»ã¥hsª„}6ùæƒ8,úMFî=msœ, d¦`Ü|‰ÄÇŸ_þLëÕiÜ™þôáA„ÏØLzÙ£ë0è0UZDÔ[]ˆ{ðësx—6²ÀÙ¨0U#0€0ô=σÉvÃÚyh²mìâihÏU0JUC0A0? = ;†9http://ca.example.com/freshness-ca/crls/interm/latest.crl0J+>0<0:+0†.http://ca.example.com/freshness-ca/ocsp/interm0Uÿ€0  *†H†÷  ‚h4á»'Äìß`ÉÕVæ‚g÷½ƒ]©EæŸeCßÖ´ÈÏwž\xRG7© “h¼ƒzÝÏ;ßs˜}e‘:ߢàqåÁÔî>§T¢zƒïßwÈT·o)ñ+0Ë8Ïæ,¦/.ö t?è=j~ÞNÂ(2Œ9↰\ž1êÐø)i9¯‡%aºFg1L–Yš„É–n×BØ&·q•O$»‘e£ð\ 4às¼Rm)¢*‰ŸbøEÚé8ÑcZ]ÕP¬ÖbÿÔè‹ÃŠ³'{LV½D„c·RN#TñÂ#`é9!{¡ý^ì-™Â~µÈzª®^;ÑŒ{™´ ÆH Çí£{0y0UÔqFIíºûgü¾ð˜gÎÇf„£0U#0€0ô=σÉvÃÚyh²mìâihÏU0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚…K•c4Z «ÔjÊ"R£e’^ÿ53’Þ`7/áø%ö^0vm¬¹‘X$Ьþ÷Yñw!¢Ë›xêŒÄã@·àM☗b…+ÏV Påþ«øîšá‰ŸçÇ)Ú/‡MshŽ1ó7„M8‡/ü&)J軹°ØĽ-÷ÊËœ¶ù©áñ´›WUæ„ÔžŠ¥y€(ÉUÄB2ã#ÿžø M?î]øJj¬ùÇ;ÁÉ[È{]ƒñ3ÃÌÌ7`y#¡ÍΖÇY†Ó©Sðã¯"aøØMðfc–HࣅäE$ ÑYWhCE<)ȇpVpmïØÆ×åKDÂjFpþ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certs/interm-revoked.crt0000644000175100017510000000165715161577363027465 0ustar00runnerrunner0‚«0‚“ 0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA0  000101000000Z21000101000000Z0C1 0 UXX10U Testing Authority10U Intermediate CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£®0«0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0HUA0?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚Ž‰åìÃmPHà—Kö&‰R°F!ò®ÄÛì“McÏÍop<ú·¬<ÖhÞ?é ˉoɈœ>M»EQ%‰ÒNËgeq›‘j]Z†áÍOÓ{‡¶Ìw`Â$ÂV[aN¡Ùú’Ùæ:÷NQ(¯"î÷Ú…xGšl-À‡Wtà¤(OÞGÑ×,p}XO–>0¨í×CxùòU"æ6'VÑ؛ۤT<Êéyæ®(•2™´dPÜwyœýyÆz¥™¿OSŒ„lœÅ9mž"Íäõúéõ5ÅÊñ ?–ʺ|']P®$ú) Oil8Ì&™HÄC×Rª././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certs/interm.crt0000644000175100017510000000166215161577363026024 0ustar00runnerrunner0‚®0‚– 0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA0  000101000000Z21000101000000Z0C1 0 UXX10U Testing Authority10U Intermediate CA0‚"0  *†H†÷ ‚0‚ ‚©D ß×=-úÓ@q]ÿ¬1øUËuèzBŒ ˜7q!–A4‡…ã“PzÓxÇ+F*Æz_WTò–…‚€ëûȃ&áEïü§…µÝ0Bè&ò¡kß™`uw±f“ÉŸBà—† ©B²*±w•Ì°Ašõ /± &Lk‹;˜Š¯uªBß'pÙº5ˆ›JðìÜåŠEÒÜ@L ãdk"G:*8žñÔ­Ä’ê Uº¢Tñê#ѼBÙfÃ$§”¹›^¿%äÀ[óríàp[¡µ4†92n÷ýT ;¹•ˆ½2xkËfê~ Є»žàL¸ëGQµ¬>¦LÔG5£±0®0U0ô=σÉvÃÚyh²mìâihÏU0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0HUA0?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚ï‚:͇„± r¿ñSmñ\Yfé-üq[(´Ë”Óv<ß@R†ð°XäšQ r’c´—jGAü”Kíb¡A‡GËòºD‘ºàN4ÌŠü¬÷yêÆ{zßODþ€lú-Pð›.¤ ª{ôëá(A'/8¡±£‰–Ýdçal^ å4ÿ¯‹MIþHE²ÉÎüEIŒ Ÿd¦U3löŽ Ö¤¹u1C‡£$,t’Z~^_&›ðÛÄŦ…YÍÛßDuûv"ˆ?&É&™FÉiŠ FPUg›RÌßnv¦åp;ß4pcDñBÛFä}Ç¥Œœ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/certs/root.crt0000644000175100017510000000164715161577363025514 0ustar00runnerrunner0‚£0‚‹ 0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA0  000101000000Z25000101000000Z0;1 0 UXX10U Testing Authority10U Root CA0‚"0  *†H†÷ ‚0‚ ‚­3ÈBÁÄLRÝšû姿D'ÑE‡*=ëõÇ$o&Ûè¹T7>qkdb××ñ2gétWéPGå­ÿsêXŒoþÂÜ 7߶¤ç$‚Ý´a¬VüÕ2ˆ¡ú}@/™5+ô«!^f-7yê”çþóU¦œ/­{¶42´‡U~ oNxoä:aÀêá<ÔÎãîÈ¡Éæǵè'][1õ"G÷ÌÞ‹B×E"jº _‘ÝÏ•BŒöü(R’µÇr´¼±¤½o##k¾‚äo ‚Êx£pœv-‡ÖÄ¡ÆXÓeø_g„¢ÑÕ3­Zû”ÎŒÿµè<ï_f?êóst[£®0«0U½÷ÿHýXóÜÔ¡^6a ?0U#0€½÷ÿHýXóÜÔ¡^6a ?0Uÿ0ÿ0Uÿ†0HUA0?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚y² ¤9ÉY[BžƒP°žÄpVªðYò,6Ž˜^3ÿxj™¼}ÃÿKø® Zó¬:~eÚi´®Ml‚r[Ž7Å¥ôŽ`o…÷ÓÏ_…ç‘$D&A7šö =Aùà.+ZšW D;wß“%ß0ôÝùøJh‡|ü@†7‰Œü²Ž˜‚vº“= Gĵù3é©)’î¢6<œU0&Û’‹Ëu>0Q žàd®AGͱÄÆrR0˜ýbã®qš9›úYˆ¿­Pž€ÏñˆïµÁ¹ˆ¤1æ+I|7[&EþÞÕ\!”¨ÊÙð"R[VË‚ÌåÙä°%á²À÷ö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/generate0000755000175100017510000000074315161577363024413 0ustar00runnerrunner#!/bin/bash rm *.ors *.crl certs/*.crt alice_ocsp() { certomancer seance freshness-ca alice interm "alice-$1.ors" \ --at-time "$1T00:00:00+0000" } root_crl() { certomancer necronomicon freshness-ca root "root-$1.crl" \ --no-pem --at-time "$1T00:00:00+0000" } certomancer mass-summon freshness-ca certs --flat --no-pfx --no-pem alice_ocsp "2020-10-01" alice_ocsp "2020-11-29" alice_ocsp "2020-12-10" root_crl "2020-10-01" root_crl "2020-11-29" root_crl "2020-12-10" ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.150379 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/0000755000175100017510000000000015161577372023642 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/alice.key.pem0000644000175100017510000000321315161577363026210 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAur/lny8tfApoYtFP+tJNacpOPlkOlkRXXyW3yPHRI8BHPxtw VwB1ur1GRz17gWFkHquRZjwfCRP8iP/NJ2EJrHWcdVrhAPQ1B6uD10vzIoZKqt++ 11V8HUyfeFtag+P71R5F8STaKhS9MTWb2DFq1I7ouWhZ/Nemlk6hldYKm/9rJRCM 5Xij4AiPtSp9QIfp0JvVxLoQtxIza+OGODu91snEdsLAOyA+31IQxuDChJdtm+Vw UKQeVNd4bOktBwQA2Qd2qutAu+OlaHOqhH02+eYdgzgs+k0HRu49bXOcLAlkGaYY YNx8icTHn1/+GUzrB9UeadyZ/vThQYTP2Ex62QIDAQABAoIBAHk+n2EjKx+uTili BdAte48khnoaLctHoYYnodO3k/XnHxqMwPnrVYQg4KDd/PJ5/Zuf/i1m+StWq41y ropTiQlL7oGOuCh7ZHaPV3CPYdJXZ+DalTeOy57mIV7tyK16dgTeu8AdEftiLZbm XEEXjGlmQxgk9M+gXwqVEHmMVqUCKm5vivVU6QYyYv4qyf0XiyhMdFs2MrynOn2N qdEMW588p5HHqsO/xU7YRxZG5HxIzix7y70SKe+lq6WHXPCpKdFoH/QeB5eNZHLp f+G8UUvSPcl18u57VherbdALsphcrcv4uQaLUv4Jes1ZWgHpA8TAyr//Zibubuna WrX9sjUCgYEA2zF1lEu0Pq5VJ2fm5Z0A9wmLVkdFfm3WrVmN/4Mml63tJAd4MryZ 3y+ZHbEpmjuxkePK2SDc89/hOfzMWkxYWrx8Qku/f3856AwW6HiBoCxCvcV6iXdK 35ZGG4pzYesQFqP/bPMtIw8QtW82MGaPPupyG+AE5rrR8XTsmWBYs9MCgYEA2hvF tF+NKSwGUinW8yVWg2Y946Z5IFUrbbALzXt17Y1Ljkex0XeaQ6hM7ArFenC1OrtA L9o6iLInK0eoLsPNlelRn6VqLDbpSXSPtrjf1yHAv9V+8Ya8si+cGKX9VGhWuKQp hkfIylxGT7JhJeNJ5Z9umdIntT/oyAD0k3umZyMCgYEAum+8IbGuku33UfgnRcAg NP8yO+WNL3c/dNzKUb180uDF5rJPw1/1xQcYRlANIbmKVJubSsmQBgKz8H2cV2W+ dRcC3eTN8iUF3OCDj6IIJ3PeJMnWaxxDXB/Wa9B8SZoFaix9sm64QqyqupfoUIy7 ZHlHK3yEzreyoJyiLebsK68CgYBWiCgy/KnTiNzlIiZehxTAwwKQ3A44TrIRLYQx POc3nRQ52aXpterlJtOF3mwkvKyaJYo8sfcBHrU9jYtjKlnZPR0eGpF6Azsg4nbW BpkAECsZsMlRZ6RbiVoDyW8tWsv1K2QyGy7FYkCfA+VZE8jQqiVGL8ODPFzNZNuj 263UQwKBgEXtI1kpfEGMp6EVO2v7Fh2cH50dQWxlSMpflz2VPY/2Trcm2aGrvCvf AObSlgx1Yh1nUu/pHJyAVLFnCyTuxYG+NSPcnUyvATginEtjgASdkcFouKUBdH5V gMHjwfe/P5gdoCgrhPx2w7GAuwT8Y4i5X8RbETPlY0a3ej51o8FD -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/bob.key.pem0000644000175100017510000000321715161577363025701 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3gs9cXiCWjzomXEU7BfCFQGmtssxHbvD2mrPgvuRXXQrHlTu x7BfwuDpXewGrzuIp8rqzU+EcPaLViVMqrBRyWhgOEJCwkB4T/7T9mQ1JLt9Shgz MAk6nbrMfUFtdYUIAzA5D9UVatwXzGPm7zhBlw+jhJKrwLdwM2j12U8KN/FOiMEV gxCpBKo3UP/3O1ESXl0cqKfiXPe9VZHguxYnmiXa88x5pAu9EXEDsOrBvRrw05qT Ai1s6xQkmUAMqlKnV7dpkLfupZZzCNJAhEst5HTYmi5BCs8V5qsiNZJEd7anr2se irmBxkT97/f4YI160Qn088Yr6wbyBih7NxHS5QIDAQABAoIBAQCXKKG4iKh80/Ao 3UG4A+h9MnWTBTq3miaXn5UK/0WTkEz2Ri2Txa87VK+p388hJe8/AzXbdSGdYUmz 6IqLvKLA8Qxn4DvgT9FX7AvSNZ+0FOsTMOxP7Eh6LjudnZftpBWzTfXaoF4HNDQD UZNaETsdomjYDJ1eAcMhTHfpaxRyxc/hbQ0LQZ2AkrSAKt3yKKd0iLar/jDTm+xV ivXHKgd8QH+L8wYkaDFGNb3QniV9LQWZFKR+6lyPCimxjcVzo53kTmAYwsbte+Ct zOe3MshUmH9y5FQ1yHLC2l3PSGcYEGMxpT604govbgOyOXob+OKthD5ZpY/jESan WONEgxVVAoGBAPHlMV3BY4OGDBuf+UsbNkTI+oJMHtV2bSc5C+lZE2EBapf5hB+j HjHf9W55+e3xmbgsOjPBJ/HOH0xVhaSsjbe3H6Oh7Nd2e1wnfn4G7hRx5hUVMGVH sTYAUhzJM8rI1bwwUikdfubTcquX6k/2n4xAr+5FCS7cXaza85TO+xmLAoGBAOr9 uQFvqlSbqvX4g3Gwjg7wJE9uTQmzLSe4sq46h2ZUMngmIn3qSK6QzU8MbCojYn7n QBHW9h4cEBoKaKbEpy0DPpLuzja8VIInUNMcrnvf6EgfOtXbbjQFyRAcBNWdRwaa PcntIr2Y9TmeHPQSfQWcbMFxZ8ykbwryyC9JwvNPAoGBAJ6lOHlK6l9KPQqpIrDV igQW4+Us01QgtXnx+hPyrbkDWsuNg8/UBWukfK0WJoqd17lomEt1NSNrki9YL6xO 1ytUWNXSzyiItmM8K8Ov+9lA0iull/X0zQ6jqzbh5qvqh/NCpb/9bkspBp3vpmcH UqCDlF7qvBkVwgIqH3LLRPf9AoGBAMygxrK+d1eX+saYcnXU5c+SRDw687DHq0GU r1vSscdk+FHx+0Ukd8gzZeU5DxOeno2deAhQ5R8RFuBmQf0+78jds2alt0Kouvpf nB1KM5LBRvdO4qAJpax9gTma/Ia7n3bbZ4ToD8GEab6TtejAFMiHD5lf1KC6a8vf 4Hx1QeM3AoGAGVyG0jTe7P5D7/RupaeY7rjTxXc9r6OL+BF2Z2NI3jtgUmDOonMd NzMQQcEbGO0qCc3ZZUCoBUnAAK6lAVfRBxxJAhA3NdPO2TFcpjDS5kVcxKGIr5jW g+T2EqCbIeMKkZFVBbrRBEb5XLKpNA1o2+pcuT2WU+y/xVbo/Q7M13Q= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/interm-ocsp.key.pem0000644000175100017510000000321315161577363027373 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAy4bwiAogsjoha2gFNvb26EHtep6u/N+THup/8MFAPc+itgFv QqhaY3HH0YKd4jwaJfX1QNyNPQY40aqRyo1t+o+LpEEoCIoqCn2SAwKem93sTUaa QDVzvR/fIumak19hEA/SuRFLE/uAFO3ErRTMPIqsKDz4RNUWk+7A64O+3dN0zglD mgmu4r5BP90AXhsQFYdyn5S7VZA2HaQt0tGB/snr3hHF5dwrzQuvg7kn04QK3Oyj C8Igtv7qwnMhYafHg1mhrpdLz4SD1hUZ5kPvV844raY+Y7dSEk4jVPHCI2DpOSGB e6H9XuwtmcJ+tch6qq5eO9GMexSZtA3GSCDH7QIDAQABAoIBADREHPTylN7wKrDo b55j4ZhXheLdaVarG57u3Zg4KIU3EzPmPmpBzaSIDaZyApWclaJ1/VuAyAyJ0oGV agc4NqwHvPabfOpkgNNc1+hJ/e1NGmfl36rpjyVcT/MpRnbeIZD8X0MDe+JPzd6S CNXh52kMu5VBwwf6KOgoggZ5OMTCGXNOXMCXXwPBQO14hg62KKEf8JrJqipqEPNN 4J/XkkGBbFcGVLwRqw0JlifLebDU3jAOTtG/QDsrgGmGl5jpEs7DWwfKxXghylya eFy6dtFkwktfzQJ1veapyhX8SRY+nPR/u222Czu5xbTODFwY//zghMxBzP3PRi7C RA3F3gECgYEA8C4GlJGuvp4Eq/exfMWl8VOh3T3xcme87wczi4R4iKbralnY+CmR ORDky+YvSV3w9M2ftfDbTa9ILen5rIbap+H0FrKzNkefNbEnIX8ihdeq5oVLVrCJ EpZfgx0jfEDkbFVURBRDgtSuuDaFcy7EBczv4JC31b4iSppyba+FXMECgYEA2O7d 5x21odLh2e7cFvh+/KKNurKtdjIO2nXzuRDcqzQZEgN3YpVoUZRhfnERQQ1Hp6UP TwB2x+t0uoSWCTMDtGVXZl5199sUksUeU48Xn4gs//Squek6mAFtkJ1whuNfggtu UyIq1qFn/zhogAp64zVKYCW4zRqkTrQ7/djb+i0CgYBdrBW06/yTK133E+uNFija Lhv7BaWdUQhG0TAxQcEgyrkWCWStpMiW0RfqziOzIYhQccHQW9esPKiR/6b4ur+c qmtgTuHGUbiuYCE61zLHsI1eyq3PaZqMPUmTAVJNq6Fq/vyWcLDD3d8myVzSx3J8 MKl9k/Oe0UDeh84JKWOCAQKBgQCCnbB2i+jk+riKI8vY+N5c9vMnSpYu6I0Q9Jw+ /ewgGUpPEk87yIH7PMBHBYVCCeDvC+9fvgPG8/pgo5xDBbhhUfOB67ZT+lE03gMY hLvQjompw4NYVRm2lIWH4YPzc8v53TAcViI9AQpBHZGuJqE/VMLniU7wD+6GhPbq LTymMQKBgA5ST+G30w51sFRJJULSfB2kXCeRs6dDDuLwZWLXAtBfyUHypx+OcLzR 49YBt8cE/IM6UvvMGCavucU9FOgfk3JQEg9uHd7ky3z5vc8g9XZ7f/cURbix2lPZ mhYZPLA+/xQdxIk/zOs8MV/QLja/YetW7kc657iRMnlbKBjgTeCT -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/interm.key.pem0000644000175100017510000000321315161577363026431 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAqUQg3xjXPS0Q+tNAcZ0GXf+sMfhVyxgBdeh6QowJmDdxIZZB fzSHH4Xjk1B603jHK0YZKsZ6XwdXVPKWhYKA6/vIgRmDJuFFB+/8p4W13TBC6H8m 8hmha9+ZYHV3G7Fmk8mPn0LgjZeGoKlCsiqxd5XMDwGwQZr1EwkvsQkZJkwXa4s7 mIqvdapC3ydw2bo1iJtK8BIf7ATcCOWKRdLcQEwg42RrIo9HOio4ngfx1K3EkuoK VbqiVPHqI9G8QtlmwySnlLmbXr8l5MBbGfNyEO3gcFuhtTSGOTJu9/1UIDu5lYi9 Mnhry2bqfgrQhLueE+BMuOtHUbWsET6mTNRHNQIDAQABAoIBAGcOoezzlOkcbUAq KwyBjITizBbImoPDI/CEERw/YwAYkXrfnxUyCCs7O6pPz9i9qpZAYcZXfd4p/BQu d1LmeFQ1wohH3kBn273PckcU8/uuDK697BpvXIbvZtUB7/kec9P7XsSa1VmgLknX hFIyCEdFHy7r2kK3dAuZBj6FyZg0snkPQcsNgocZGA9b6xqC/T0V0b504csmpz26 0SeP2NuBa1vDk8AnY5FXWWuBm4QV9U6qoE3dJG7gkNE2OvybksCPSEGnVXuFHEjB kCacMMQRUEnY0kuy7ZXb21z9bwCBNDgauR+kw8d2Uv2deb0cLxyEMHGaBAMivBvP r7KHw6kCgYEA0UDjHVnfU15iZyAWv6xNG/6grAPhN7KjtJ/1U8Gje5TvikO9aF2u YO78jb3wZAAARItXUoMArivdKG13OddvRtPBgJljaAYdNIM4mbfyQ8sm4FtzVOtE fwL9oMJgEnNH1iwSPSXh30nZ7uC44xSXgaFe/2ix19qNLPmer5xt/T8CgYEAzxRi ENwQcs+/c+lVBDuKR7F0XDKHakH5RKMxU6q8s0uPdaBdbPa4qXfM3LubC0XauNSR jpe0kAlhir5uPjCAd+gWBGu0SUUJAZnMEGxiD+YeVCvk7KO3vcJx0vBVDdmNrmjk a1L01oQuNPv5fAr6f1JkeffWpg5Lfh0UXFnkuosCgYAFNFXxvvB9BFXyNqwaLFDm p1ibrqUFW54Suf/CC4jjY/rpN3IYjGvv4UHKzLST6CQZkFWlqbh0nIatoLtcZu1P l6iyaB4+0hgb3D+mIxsVcJIQ9nVR4WAcwJhKTUtSaieZPhNeDfkmMpIHDPPMQhDa mobgV1xFAByOx86Yk41wxQKBgD2qWDmlDtDhxKWDymlkQZ1v3rLF6UVfOBeUcU/0 /BR4X9QrWSblob/1iPACff0xZBy+UEoiKwbphD6IztN+JgOO/V97o0heYnwzjG0n mVwartVp7NX7OvArQzIJl4p0Spixa7P6FCb9XbUxg+3IZygbJQidITJ590kq57FI o7BZAoGAI+JNLXIinUrFMhQYWxi4h0IDyI6nhVpazu2+Q6tnfHRKItP2e6X6W3Xs 7FqDqpHgr0b29m9fLXwGK5eZMtqZ26zrr2uNgKNsUhh9XeDq0F/KECh1aTdpUDeq /X1Ytv9OsTKyxpzXzP+Pj641jrgSgGCAaGIy9F2c4DkeFuHynOM= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/keys/root.key.pem0000644000175100017510000000321715161577363026122 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEArTPIQsHETFLdmvvlp79EJ9FFGhsHEocqPev1xyRvCCbbkOi5 VDc+cWtkYtfX8TJn6XRX6VBH5a3/cw/qWIyQbwP+wtwMN5DftqTnJILdtGEdrFb8 1TKIofoCfUAvBJk1K/SrIV6BZi03eeqU5/7zVaaBnC8ZrXu2NDK0h1V+Co8Cb054 b+Q6YcDq4Rw81M7jHu7Iocnmx7XoJ11bMQb1Ikcd9xrM3otC10UiaroKX5Hdf88I lUIHjPYZ/ChSH4GStcePcrS8saS9byMja76C5G8Lgsp4o3Ccdi2H1sShxp1Y02X4 X2eEotHVM61a+5TOjP+16DzvX2YPFT/q83N0WwIDAQABAoIBAG8fXOmvpcCOHc20 tWhFZ3XgZuRT2NrDS4/E1sA4mN/zBkXXeigU9YQRMavU7Z+7Bj4avdhcAHTUiKMK 4ACF1pjTSF0+jrwLv+xPqlibeaCj+kS63qXuMQky/OvdBQ1/OkUESdMz7fNfKUuX /IdH5FjcZiWNdnz+dSzSJ074w9ADWHIjEg9ixmw0xU2QbulOgJabuwuri20kVyuO cDrl1zW10e7iiog85HHEIFwTXfen+wb0QgH/mt1/BS+3ch0dmP0i8Dx6wZMqh7P9 RQU6N/947jwgHMP3HV4SDcHLSznIB+G/veaFotL0IDKHbhdQIZTGfIUJXIx5RTTD 4XTF9hkCgYEA2Eg/GNtOwtlQILGpkBLvEgq9dlttQYjBeSBnXbNhI5NHMuYq0piF xki+Io3zonLKMJ5LZCMLYesJm+WMGVLZ2d0F7NSfvngI1nApa70Nsux3EeZrcFTs u88vWJCCXR8++x21iUk1M0SHxdXfPc89l+a3C30XYTD3MTEgkdN3ChcCgYEAzQJI ZwYV1JH/jE6AIil472YIBQXBB+YI6Dx2V3H7XDzE7G6IKU7VuxrvZA1i/ODKzPSD tBeCrhnUdqTOwb/Ba7CRL/a935tYiOJRQb8fM0Kyy0cO33cPBsbjOeZRMNdyhVKF 8eg2qCMPuEYLVdumQQl2wNbKcEUbgxgd+Icxxl0CgYEAyp3EHrE1c+zJ2BcYVtSm CyzsmXjFPeOz/JmSvIFTu1Q6G0DtVSV2DXAQT6bUW5dWO33P+xupii36boX5Xa/0 Ttl0t43pqTIidWHWLAyMTNaiJa7LcAzfSoKqRDn9JugixHXsn5RptoG5AGmAHhOM DEYjrSufP3nz2a3AaVzF5DkCgYEAqpVvsWn62DnzrcfUDpj7rBf2LFexWuUqHDPT NMf/I6zdHu6KFfUnGt06vMH2z/wsQ4Zh4IR/lGahx2czMzxfsT/mT0a8j0cv0Bah Dlf9miWxqDukQIVM15K+l/rxK/bZr94O3k8ey6EA/5Ao9nQiTpOVYLhZEjouvlJe /eFgpXECgYAviXclHhkyJ4movlUrbwlkE5/ezS90jM/1Y0iinCxEfjzN+p0YmlGR rbtAahdSHVr5YeB2d5aBDWhFv4GJifhZPUR2Gy5Zqgnl0UQWyVSWx8wFDe36Cjku eDS/6nCP0f3M3ZHbRA/Xm0mBnc9uI4yD9bTG1ly2KE9Tpu+gggYEFA== -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/root-2020-10-01.crl0000644000175100017510000000101315161577363025364 0ustar00runnerrunner0‚0ð0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA20200922000000Z20201002000000Z0 {0y0 Uõ0U#0€½÷ÿHýXóÜÔ¡^6a ?0IUÿ?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚‡ŠßÆ@H ]Þ±Ó«7¹ÎÝv¤]ݬ6Éê¼7ú%Qµü{ÑU“SºMž4NŠW2Â…EÝ×î‹Õ‡F«ËÉ낲ÞücÌ?éå ¿å˜ËNÄ¡˶š’ß<Œ$ühαýÎ9¾ÒHƒ¬|‹‘ØYG&ËMHž{VZÎ|Qß8s´Þ„_ÅêÝp£KŠT0"²¢ ÍñN(l¹{t›’0biürVz÷˨À‚øQ"n„ªˆ´O ´´{iKÑ«˜ÚT¨}ûÛ»À3'æR¬Ôú²óZ·ŽS¼s(hO û•Bâ×-è >Ýs# >Sm9¿ï»././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/root-2020-11-29.crl0000644000175100017510000000101315161577363025377 0ustar00runnerrunner0‚0ð0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA20201121000000Z20201201000000Z0 {0y0 Uû0U#0€½÷ÿHýXóÜÔ¡^6a ?0IUÿ?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚vc˜Ê5ñßÁèø‰˜&Æ.Äù6â4,0«?\ž&?y_v,¸o7³óoÕÖN«((™{‰£r®º ${GîªäS¯ j÷I+ìò™bß— Vµž>ºKg ®&?º¾)æ>+Ps¾ÉbùËÍ“ŠßÆàI¸íÖ¡Õa¤}AÙë5êîãíôZ]q§n›ÙY¿ÌUkmÉX™4ÊhËâ4]˜±Üí®böˆ¸{?‘=‡Ç5 …<µ/èìˆe‚"_šÏþ´ïÛ߬]Pk û1­÷Bÿ[áÚWlX-rÄ}#/SJ¹õ_Ï«TGKÔêðQÜßs["‚ð­f././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/freshness/root-2020-12-10.crl0000644000175100017510000000106115161577363025371 0ustar00runnerrunner0‚-0‚0  *†H†÷  0;1 0 UXX10U Testing Authority10U Root CA20201201000000Z20201211000000Z0%0#20201201000000Z0 0 U  {0y0 Uü0U#0€½÷ÿHýXóÜÔ¡^6a ?0IUÿ?0= ; 9†7http://ca.example.com/freshness-ca/crls/root/latest.crl0  *†H†÷  ‚óÏ[bøXÜL‡³îµ ¼ÍÍlTZ—lN#7Llç/›VèÔ)§uê^bÂ*–·î¼„dò_¤g°ÛÉ Šî+„s52²™~Öd¯S®úÁA™°hFPàw)8B!PÓš³Ù6ímÝC,C[cЫ;ÀB@²‘O:^« I0Ý”nª¦ÕrÃØ“R¹b–F¨P» $kòàe£­ýÑöιÑ]øòõÑñµ–%Pþ™G ¹áKÊŸƒ/7â FbN-¾rÉØã/{ÜHâoµнo׶â%qM»NÅCQPh‡`ëx›—«ê¥îÎ)Mºß*©ð'././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.150523 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/0000755000175100017510000000000015161577372023056 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certomancer.yml0000644000175100017510000000612415161577363026106 0ustar00runnerrunnerexternal-url-prefix: "http://ca.example.com" keysets: testing-ca: path-prefix: keys keys: root: path: root.key.pem interm1: path: interm1.key.pem interm2: path: interm2.key.pem alice: path: alice.key.pem bob: path: bob.key.pem pki-architectures: multilayer-ca: keyset: testing-ca entity-defaults: country-name: XX organization-name: Testing Authority organizational-unit-name: Multilayer Test entities: root: common-name: Root CA interm1: common-name: Intermediate CA 1 interm2: common-name: Intermediate CA 2 alice: common-name: Alice bob: common-name: Bob certs: root: subject: root issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2500-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: root interm1: subject: interm1 issuer: root validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: interm1 max-path-len: 1 interm2: subject: interm2 issuer: interm1 validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" profiles: - id: simple-ca params: crl-repo: interm2 max-path-len: 0 extensions: - id: authority_information_access critical: false smart-value: schema: aia-urls params: ca-issuer-links: - repo: interm1 alice: subject: alice issuer: interm2 issuer-cert: interm2 validity: valid-from: "2000-01-01T00:00:00+0000" valid-to: "2100-01-01T00:00:00+0000" revocation: revoked-since: "2020-12-01T00:00:00+0000" reason: key_compromise extensions: - id: key_usage critical: true smart-value: schema: key-usage params: [digital_signature] - id: authority_information_access critical: false smart-value: schema: aia-urls params: ca-issuer-links: - repo: interm2 services: crl-repo: root: for-issuer: root signing-key: root simulated-update-schedule: "P10D" interm1: for-issuer: interm1 signing-key: interm1 issuer-cert: interm1 simulated-update-schedule: "P10D" interm2: for-issuer: interm2 signing-key: interm2 issuer-cert: interm2 simulated-update-schedule: "P10D" cert-repo: root: for-issuer: root interm1: for-issuer: interm1 interm2: for-issuer: interm2 ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1554742 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certs/0000755000175100017510000000000015161577372024176 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certs/alice.cert.pem0000644000175100017510000000273515161577363026721 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEKDCCAxCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCWFgx GjAYBgNVBAoMEVRlc3RpbmcgQXV0aG9yaXR5MRgwFgYDVQQLDA9NdWx0aWxheWVy IFRlc3QxGjAYBgNVBAMMEUludGVybWVkaWF0ZSBDQSAyMCAXDTAwMDEwMTAwMDAw MFoYDzIxMDAwMTAxMDAwMDAwWjBTMQswCQYDVQQGEwJYWDEaMBgGA1UECgwRVGVz dGluZyBBdXRob3JpdHkxGDAWBgNVBAsMD011bHRpbGF5ZXIgVGVzdDEOMAwGA1UE AwwFQWxpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6v+WfLy18 Cmhi0U/60k1pyk4+WQ6WRFdfJbfI8dEjwEc/G3BXAHW6vUZHPXuBYWQeq5FmPB8J E/yI/80nYQmsdZx1WuEA9DUHq4PXS/Mihkqq377XVXwdTJ94W1qD4/vVHkXxJNoq FL0xNZvYMWrUjui5aFn816aWTqGV1gqb/2slEIzleKPgCI+1Kn1Ah+nQm9XEuhC3 EjNr44Y4O73WycR2wsA7ID7fUhDG4MKEl22b5XBQpB5U13hs6S0HBADZB3aq60C7 46Voc6qEfTb55h2DOCz6TQdG7j1tc5wsCWQZphhg3HyJxMefX/4ZTOsH1R5p3Jn+ 9OFBhM/YTHrZAgMBAAGjgfcwgfQwHQYDVR0OBBYEFFpE1FtdiBV78OsEc3iXNrIT wNmoMB8GA1UdIwQYMBaAFNRxRkntuvsDZ/y+8JhnzsdmhKMdMEwGA1UdHwRFMEMw QaA/oD2GO2h0dHA6Ly9jYS5leGFtcGxlLmNvbS9tdWx0aWxheWVyLWNhL2NybHMv aW50ZXJtMi9sYXRlc3QuY3JsMA4GA1UdDwEB/wQEAwIHgDBUBggrBgEFBQcBAQRI MEYwRAYIKwYBBQUHMAKGOGh0dHA6Ly9jYS5leGFtcGxlLmNvbS9tdWx0aWxheWVy LWNhL2NlcnRzL2ludGVybTIvY2EuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQAHsD7v R2AaThlUcSec6mTUXtwKFtEJjJxJaqQheoOyu8p2bvd2sWUhO19PKzU2cpqDROb2 2bulo1QVZYQsJmX0TN+9Mgg8kTFMEd1R5ZKji12PUOwLfiv0zTKuE+w6dorH7UF7 umcClDovwD5qn/vK6dvYULoi5YdHtj/Abca4QyvHtkm4OybeTtdCw9Gri1HG1J7i H2QIXtmIKHgFXRpLgPPTNmIT2/OnyZpU6fKoSJxWJBvCmW5o2XaOy1L+ZFHAqNfw TjJrdGLKzCoGXSy1P2RidAu4xUTM0zxhxJYH0mRG8AcySMM/EmkW9nCdRrIQBcm8 6rhjAibHp1GiNzeD -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certs/interm1.cert.pem0000644000175100017510000000260315161577363027215 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID5TCCAs2gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCWFgx GjAYBgNVBAoMEVRlc3RpbmcgQXV0aG9yaXR5MRgwFgYDVQQLDA9NdWx0aWxheWVy IFRlc3QxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAx MDEwMDAwMDBaMF8xCzAJBgNVBAYTAlhYMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhv cml0eTEYMBYGA1UECwwPTXVsdGlsYXllciBUZXN0MRowGAYDVQQDDBFJbnRlcm1l ZGlhdGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKlEIN8Y 1z0tEPrTQHGdBl3/rDH4VcsYAXXoekKMCZg3cSGWQX80hx+F45NQetN4xytGGSrG el8HV1TyloWCgOv7yIEZgybhRQfv/KeFtd0wQuh/JvIZoWvfmWB1dxuxZpPJj59C 4I2XhqCpQrIqsXeVzA8BsEGa9RMJL7EJGSZMF2uLO5iKr3WqQt8ncNm6NYibSvAS H+wE3AjlikXS3EBMIONkayKPRzoqOJ4H8dStxJLqClW6olTx6iPRvELZZsMkp5S5 m16/JeTAWxnzchDt4HBbobU0hjkybvf9VCA7uZWIvTJ4a8tm6n4K0IS7nhPgTLjr R1G1rBE+pkzURzUCAwEAAaOBsjCBrzAdBgNVHQ4EFgQUMPQ9z4PJdsPaA3losm3s 4mloz1UwHwYDVR0jBBgwFoAUHr33/0j9BljzkNzUoV4SNhthCj8wEgYDVR0TAQH/ BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwSQYDVR0fBEIwQDA+oDygOoY4aHR0 cDovL2NhLmV4YW1wbGUuY29tL211bHRpbGF5ZXItY2EvY3Jscy9yb290L2xhdGVz dC5jcmwwDQYJKoZIhvcNAQELBQADggEBAAdNADqhiAOAdACQ9mxSsNlLFhV5Et2K ikixLnL5uN7eNeVIvUKFRsQEFFmngH2JW9PMAeiEwpBw0n3XzyAbjM7wh+4ACb5e 5bZTVjzj+NtVC7UukEU0u/WFVmhIUTffduPChT11gxpajbPVKYd3GCuZIsgJRLqw 4tTBc5sKZ4VJK+HySzCF7If6ojH9gEWiukbqmhFRk0e8MsFLk5hkkiDHlyalLvWX /PZDUNYGAyvOhyAlFO50Kj6IPF8ZwkTXxb+odkbvBGpuEuzT14z0W7OWqvIQMiqE YjN788TQAvRpxy3OEjlGUMZNMqCRnu6KPJoxTzlNaXfMvdspmSCYZpU= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certs/interm2.cert.pem0000644000175100017510000000301515161577363027214 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIESjCCAzKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCWFgx GjAYBgNVBAoMEVRlc3RpbmcgQXV0aG9yaXR5MRgwFgYDVQQLDA9NdWx0aWxheWVy IFRlc3QxGjAYBgNVBAMMEUludGVybWVkaWF0ZSBDQSAxMCAXDTAwMDEwMTAwMDAw MFoYDzIxMDAwMTAxMDAwMDAwWjBfMQswCQYDVQQGEwJYWDEaMBgGA1UECgwRVGVz dGluZyBBdXRob3JpdHkxGDAWBgNVBAsMD011bHRpbGF5ZXIgVGVzdDEaMBgGA1UE AwwRSW50ZXJtZWRpYXRlIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDLhvCICiCyOiFraAU29vboQe16nq7835Me6n/wwUA9z6K2AW9CqFpjccfR gp3iPBol9fVA3I09BjjRqpHKjW36j4ukQSgIiioKfZIDAp6b3exNRppANXO9H98i 6ZqTX2EQD9K5EUsT+4AU7cStFMw8iqwoPPhE1RaT7sDrg77d03TOCUOaCa7ivkE/ 3QBeGxAVh3KflLtVkDYdpC3S0YH+yeveEcXl3CvNC6+DuSfThArc7KMLwiC2/urC cyFhp8eDWaGul0vPhIPWFRnmQ+9Xzjitpj5jt1ISTiNU8cIjYOk5IYF7of1e7C2Z wn61yHqqrl470Yx7FJm0DcZIIMftAgMBAAGjggEMMIIBCDAdBgNVHQ4EFgQU1HFG Se26+wNn/L7wmGfOx2aEox0wHwYDVR0jBBgwFoAUMPQ9z4PJdsPaA3losm3s4mlo z1UwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwTAYDVR0fBEUw QzBBoD+gPYY7aHR0cDovL2NhLmV4YW1wbGUuY29tL211bHRpbGF5ZXItY2EvY3Js cy9pbnRlcm0xL2xhdGVzdC5jcmwwVAYIKwYBBQUHAQEESDBGMEQGCCsGAQUFBzAC hjhodHRwOi8vY2EuZXhhbXBsZS5jb20vbXVsdGlsYXllci1jYS9jZXJ0cy9pbnRl cm0xL2NhLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAn2dK763fPXy4p6VY2aUrY19+ M7FmW9ZWmyjD3WTrdhnNVpgYgFPXFhArr5dN5uIkDcsSh1SiWOOulzF/0xNOdRhM fxaupLUeJGn42M9ZjLrJwGR1gi8YTrfUeD+CtcSQtxdiVy0my4yM9qLl0sz+Y/xt 16sQzPCcQRy+Mw8NJv+tLI2w8Sx1XKNH7SRAzfjMZ0+lOKOrHlRbZ3uZV3FPYmDh x0pu2kFbvuKmt1Wqum6g9P8wzQVmeWl0o0Rix74KYODwywqm+Bq7O4TXjNRICrbz 671ne0cA87Hno6ZGFjIQELylF/Va0hT+IcOfhG32bhH+Ib2OYHXv9P1Uch4YWw== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/certs/root.cert.pem0000644000175100017510000000256315161577363026626 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID2DCCAsCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCWFgx GjAYBgNVBAoMEVRlc3RpbmcgQXV0aG9yaXR5MRgwFgYDVQQLDA9NdWx0aWxheWVy IFRlc3QxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAx MDEwMDAwMDBaMFUxCzAJBgNVBAYTAlhYMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhv cml0eTEYMBYGA1UECwwPTXVsdGlsYXllciBUZXN0MRAwDgYDVQQDDAdSb290IENB MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArTPIQsHETFLdmvvlp79E J9FFGhsHEocqPev1xyRvCCbbkOi5VDc+cWtkYtfX8TJn6XRX6VBH5a3/cw/qWIyQ bwP+wtwMN5DftqTnJILdtGEdrFb81TKIofoCfUAvBJk1K/SrIV6BZi03eeqU5/7z VaaBnC8ZrXu2NDK0h1V+Co8Cb054b+Q6YcDq4Rw81M7jHu7Iocnmx7XoJ11bMQb1 Ikcd9xrM3otC10UiaroKX5Hdf88IlUIHjPYZ/ChSH4GStcePcrS8saS9byMja76C 5G8Lgsp4o3Ccdi2H1sShxp1Y02X4X2eEotHVM61a+5TOjP+16DzvX2YPFT/q83N0 WwIDAQABo4GvMIGsMB0GA1UdDgQWBBQevff/SP0GWPOQ3NShXhI2G2EKPzAfBgNV HSMEGDAWgBQevff/SP0GWPOQ3NShXhI2G2EKPzAPBgNVHRMBAf8EBTADAQH/MA4G A1UdDwEB/wQEAwIBhjBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY2EuZXhhbXBs ZS5jb20vbXVsdGlsYXllci1jYS9jcmxzL3Jvb3QvbGF0ZXN0LmNybDANBgkqhkiG 9w0BAQsFAAOCAQEAVfuArVQY1Z5t98dAJmQeEdEKASjlUtMlnFLlLbU2WdD33+3d 4Vpsc9XfsUs7la6i7zZ/dggPP19jPZGQHuTywaPSGAfkmFmTgKzBD5gXJ/PEk5Jy E0z6IIIKvjC7ulwTMmdCVmysEBs+bhlWt5ANeNkBjjtvCanIuIHcPA2X/o3n71Ut d7TJuiwRx+9xsIJzvu6/8mfGwBY84hptQqjBxKK5vHzDsS5NTBQNiGSHJ6bOyKGU RNxWStcq4GFU8E4Ih0e4nJOyU1Ve4Wih6P1zR1BweFwwllIrMx3JM5EBxVHMRr8R xWGL7PwK/R8UXDVuNXjks/KHqCgRRRAHLEPHRg== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1564155 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/0000755000175100017510000000000015161577372024031 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/alice.key.pem0000644000175100017510000000321315161577363026377 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAur/lny8tfApoYtFP+tJNacpOPlkOlkRXXyW3yPHRI8BHPxtw VwB1ur1GRz17gWFkHquRZjwfCRP8iP/NJ2EJrHWcdVrhAPQ1B6uD10vzIoZKqt++ 11V8HUyfeFtag+P71R5F8STaKhS9MTWb2DFq1I7ouWhZ/Nemlk6hldYKm/9rJRCM 5Xij4AiPtSp9QIfp0JvVxLoQtxIza+OGODu91snEdsLAOyA+31IQxuDChJdtm+Vw UKQeVNd4bOktBwQA2Qd2qutAu+OlaHOqhH02+eYdgzgs+k0HRu49bXOcLAlkGaYY YNx8icTHn1/+GUzrB9UeadyZ/vThQYTP2Ex62QIDAQABAoIBAHk+n2EjKx+uTili BdAte48khnoaLctHoYYnodO3k/XnHxqMwPnrVYQg4KDd/PJ5/Zuf/i1m+StWq41y ropTiQlL7oGOuCh7ZHaPV3CPYdJXZ+DalTeOy57mIV7tyK16dgTeu8AdEftiLZbm XEEXjGlmQxgk9M+gXwqVEHmMVqUCKm5vivVU6QYyYv4qyf0XiyhMdFs2MrynOn2N qdEMW588p5HHqsO/xU7YRxZG5HxIzix7y70SKe+lq6WHXPCpKdFoH/QeB5eNZHLp f+G8UUvSPcl18u57VherbdALsphcrcv4uQaLUv4Jes1ZWgHpA8TAyr//Zibubuna WrX9sjUCgYEA2zF1lEu0Pq5VJ2fm5Z0A9wmLVkdFfm3WrVmN/4Mml63tJAd4MryZ 3y+ZHbEpmjuxkePK2SDc89/hOfzMWkxYWrx8Qku/f3856AwW6HiBoCxCvcV6iXdK 35ZGG4pzYesQFqP/bPMtIw8QtW82MGaPPupyG+AE5rrR8XTsmWBYs9MCgYEA2hvF tF+NKSwGUinW8yVWg2Y946Z5IFUrbbALzXt17Y1Ljkex0XeaQ6hM7ArFenC1OrtA L9o6iLInK0eoLsPNlelRn6VqLDbpSXSPtrjf1yHAv9V+8Ya8si+cGKX9VGhWuKQp hkfIylxGT7JhJeNJ5Z9umdIntT/oyAD0k3umZyMCgYEAum+8IbGuku33UfgnRcAg NP8yO+WNL3c/dNzKUb180uDF5rJPw1/1xQcYRlANIbmKVJubSsmQBgKz8H2cV2W+ dRcC3eTN8iUF3OCDj6IIJ3PeJMnWaxxDXB/Wa9B8SZoFaix9sm64QqyqupfoUIy7 ZHlHK3yEzreyoJyiLebsK68CgYBWiCgy/KnTiNzlIiZehxTAwwKQ3A44TrIRLYQx POc3nRQ52aXpterlJtOF3mwkvKyaJYo8sfcBHrU9jYtjKlnZPR0eGpF6Azsg4nbW BpkAECsZsMlRZ6RbiVoDyW8tWsv1K2QyGy7FYkCfA+VZE8jQqiVGL8ODPFzNZNuj 263UQwKBgEXtI1kpfEGMp6EVO2v7Fh2cH50dQWxlSMpflz2VPY/2Trcm2aGrvCvf AObSlgx1Yh1nUu/pHJyAVLFnCyTuxYG+NSPcnUyvATginEtjgASdkcFouKUBdH5V gMHjwfe/P5gdoCgrhPx2w7GAuwT8Y4i5X8RbETPlY0a3ej51o8FD -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/bob.key.pem0000644000175100017510000000321715161577363026070 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3gs9cXiCWjzomXEU7BfCFQGmtssxHbvD2mrPgvuRXXQrHlTu x7BfwuDpXewGrzuIp8rqzU+EcPaLViVMqrBRyWhgOEJCwkB4T/7T9mQ1JLt9Shgz MAk6nbrMfUFtdYUIAzA5D9UVatwXzGPm7zhBlw+jhJKrwLdwM2j12U8KN/FOiMEV gxCpBKo3UP/3O1ESXl0cqKfiXPe9VZHguxYnmiXa88x5pAu9EXEDsOrBvRrw05qT Ai1s6xQkmUAMqlKnV7dpkLfupZZzCNJAhEst5HTYmi5BCs8V5qsiNZJEd7anr2se irmBxkT97/f4YI160Qn088Yr6wbyBih7NxHS5QIDAQABAoIBAQCXKKG4iKh80/Ao 3UG4A+h9MnWTBTq3miaXn5UK/0WTkEz2Ri2Txa87VK+p388hJe8/AzXbdSGdYUmz 6IqLvKLA8Qxn4DvgT9FX7AvSNZ+0FOsTMOxP7Eh6LjudnZftpBWzTfXaoF4HNDQD UZNaETsdomjYDJ1eAcMhTHfpaxRyxc/hbQ0LQZ2AkrSAKt3yKKd0iLar/jDTm+xV ivXHKgd8QH+L8wYkaDFGNb3QniV9LQWZFKR+6lyPCimxjcVzo53kTmAYwsbte+Ct zOe3MshUmH9y5FQ1yHLC2l3PSGcYEGMxpT604govbgOyOXob+OKthD5ZpY/jESan WONEgxVVAoGBAPHlMV3BY4OGDBuf+UsbNkTI+oJMHtV2bSc5C+lZE2EBapf5hB+j HjHf9W55+e3xmbgsOjPBJ/HOH0xVhaSsjbe3H6Oh7Nd2e1wnfn4G7hRx5hUVMGVH sTYAUhzJM8rI1bwwUikdfubTcquX6k/2n4xAr+5FCS7cXaza85TO+xmLAoGBAOr9 uQFvqlSbqvX4g3Gwjg7wJE9uTQmzLSe4sq46h2ZUMngmIn3qSK6QzU8MbCojYn7n QBHW9h4cEBoKaKbEpy0DPpLuzja8VIInUNMcrnvf6EgfOtXbbjQFyRAcBNWdRwaa PcntIr2Y9TmeHPQSfQWcbMFxZ8ykbwryyC9JwvNPAoGBAJ6lOHlK6l9KPQqpIrDV igQW4+Us01QgtXnx+hPyrbkDWsuNg8/UBWukfK0WJoqd17lomEt1NSNrki9YL6xO 1ytUWNXSzyiItmM8K8Ov+9lA0iull/X0zQ6jqzbh5qvqh/NCpb/9bkspBp3vpmcH UqCDlF7qvBkVwgIqH3LLRPf9AoGBAMygxrK+d1eX+saYcnXU5c+SRDw687DHq0GU r1vSscdk+FHx+0Ukd8gzZeU5DxOeno2deAhQ5R8RFuBmQf0+78jds2alt0Kouvpf nB1KM5LBRvdO4qAJpax9gTma/Ia7n3bbZ4ToD8GEab6TtejAFMiHD5lf1KC6a8vf 4Hx1QeM3AoGAGVyG0jTe7P5D7/RupaeY7rjTxXc9r6OL+BF2Z2NI3jtgUmDOonMd NzMQQcEbGO0qCc3ZZUCoBUnAAK6lAVfRBxxJAhA3NdPO2TFcpjDS5kVcxKGIr5jW g+T2EqCbIeMKkZFVBbrRBEb5XLKpNA1o2+pcuT2WU+y/xVbo/Q7M13Q= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/interm1.key.pem0000644000175100017510000000321315161577363026701 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAqUQg3xjXPS0Q+tNAcZ0GXf+sMfhVyxgBdeh6QowJmDdxIZZB fzSHH4Xjk1B603jHK0YZKsZ6XwdXVPKWhYKA6/vIgRmDJuFFB+/8p4W13TBC6H8m 8hmha9+ZYHV3G7Fmk8mPn0LgjZeGoKlCsiqxd5XMDwGwQZr1EwkvsQkZJkwXa4s7 mIqvdapC3ydw2bo1iJtK8BIf7ATcCOWKRdLcQEwg42RrIo9HOio4ngfx1K3EkuoK VbqiVPHqI9G8QtlmwySnlLmbXr8l5MBbGfNyEO3gcFuhtTSGOTJu9/1UIDu5lYi9 Mnhry2bqfgrQhLueE+BMuOtHUbWsET6mTNRHNQIDAQABAoIBAGcOoezzlOkcbUAq KwyBjITizBbImoPDI/CEERw/YwAYkXrfnxUyCCs7O6pPz9i9qpZAYcZXfd4p/BQu d1LmeFQ1wohH3kBn273PckcU8/uuDK697BpvXIbvZtUB7/kec9P7XsSa1VmgLknX hFIyCEdFHy7r2kK3dAuZBj6FyZg0snkPQcsNgocZGA9b6xqC/T0V0b504csmpz26 0SeP2NuBa1vDk8AnY5FXWWuBm4QV9U6qoE3dJG7gkNE2OvybksCPSEGnVXuFHEjB kCacMMQRUEnY0kuy7ZXb21z9bwCBNDgauR+kw8d2Uv2deb0cLxyEMHGaBAMivBvP r7KHw6kCgYEA0UDjHVnfU15iZyAWv6xNG/6grAPhN7KjtJ/1U8Gje5TvikO9aF2u YO78jb3wZAAARItXUoMArivdKG13OddvRtPBgJljaAYdNIM4mbfyQ8sm4FtzVOtE fwL9oMJgEnNH1iwSPSXh30nZ7uC44xSXgaFe/2ix19qNLPmer5xt/T8CgYEAzxRi ENwQcs+/c+lVBDuKR7F0XDKHakH5RKMxU6q8s0uPdaBdbPa4qXfM3LubC0XauNSR jpe0kAlhir5uPjCAd+gWBGu0SUUJAZnMEGxiD+YeVCvk7KO3vcJx0vBVDdmNrmjk a1L01oQuNPv5fAr6f1JkeffWpg5Lfh0UXFnkuosCgYAFNFXxvvB9BFXyNqwaLFDm p1ibrqUFW54Suf/CC4jjY/rpN3IYjGvv4UHKzLST6CQZkFWlqbh0nIatoLtcZu1P l6iyaB4+0hgb3D+mIxsVcJIQ9nVR4WAcwJhKTUtSaieZPhNeDfkmMpIHDPPMQhDa mobgV1xFAByOx86Yk41wxQKBgD2qWDmlDtDhxKWDymlkQZ1v3rLF6UVfOBeUcU/0 /BR4X9QrWSblob/1iPACff0xZBy+UEoiKwbphD6IztN+JgOO/V97o0heYnwzjG0n mVwartVp7NX7OvArQzIJl4p0Spixa7P6FCb9XbUxg+3IZygbJQidITJ590kq57FI o7BZAoGAI+JNLXIinUrFMhQYWxi4h0IDyI6nhVpazu2+Q6tnfHRKItP2e6X6W3Xs 7FqDqpHgr0b29m9fLXwGK5eZMtqZ26zrr2uNgKNsUhh9XeDq0F/KECh1aTdpUDeq /X1Ytv9OsTKyxpzXzP+Pj641jrgSgGCAaGIy9F2c4DkeFuHynOM= -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/interm2.key.pem0000644000175100017510000000321315161577363026702 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAy4bwiAogsjoha2gFNvb26EHtep6u/N+THup/8MFAPc+itgFv QqhaY3HH0YKd4jwaJfX1QNyNPQY40aqRyo1t+o+LpEEoCIoqCn2SAwKem93sTUaa QDVzvR/fIumak19hEA/SuRFLE/uAFO3ErRTMPIqsKDz4RNUWk+7A64O+3dN0zglD mgmu4r5BP90AXhsQFYdyn5S7VZA2HaQt0tGB/snr3hHF5dwrzQuvg7kn04QK3Oyj C8Igtv7qwnMhYafHg1mhrpdLz4SD1hUZ5kPvV844raY+Y7dSEk4jVPHCI2DpOSGB e6H9XuwtmcJ+tch6qq5eO9GMexSZtA3GSCDH7QIDAQABAoIBADREHPTylN7wKrDo b55j4ZhXheLdaVarG57u3Zg4KIU3EzPmPmpBzaSIDaZyApWclaJ1/VuAyAyJ0oGV agc4NqwHvPabfOpkgNNc1+hJ/e1NGmfl36rpjyVcT/MpRnbeIZD8X0MDe+JPzd6S CNXh52kMu5VBwwf6KOgoggZ5OMTCGXNOXMCXXwPBQO14hg62KKEf8JrJqipqEPNN 4J/XkkGBbFcGVLwRqw0JlifLebDU3jAOTtG/QDsrgGmGl5jpEs7DWwfKxXghylya eFy6dtFkwktfzQJ1veapyhX8SRY+nPR/u222Czu5xbTODFwY//zghMxBzP3PRi7C RA3F3gECgYEA8C4GlJGuvp4Eq/exfMWl8VOh3T3xcme87wczi4R4iKbralnY+CmR ORDky+YvSV3w9M2ftfDbTa9ILen5rIbap+H0FrKzNkefNbEnIX8ihdeq5oVLVrCJ EpZfgx0jfEDkbFVURBRDgtSuuDaFcy7EBczv4JC31b4iSppyba+FXMECgYEA2O7d 5x21odLh2e7cFvh+/KKNurKtdjIO2nXzuRDcqzQZEgN3YpVoUZRhfnERQQ1Hp6UP TwB2x+t0uoSWCTMDtGVXZl5199sUksUeU48Xn4gs//Squek6mAFtkJ1whuNfggtu UyIq1qFn/zhogAp64zVKYCW4zRqkTrQ7/djb+i0CgYBdrBW06/yTK133E+uNFija Lhv7BaWdUQhG0TAxQcEgyrkWCWStpMiW0RfqziOzIYhQccHQW9esPKiR/6b4ur+c qmtgTuHGUbiuYCE61zLHsI1eyq3PaZqMPUmTAVJNq6Fq/vyWcLDD3d8myVzSx3J8 MKl9k/Oe0UDeh84JKWOCAQKBgQCCnbB2i+jk+riKI8vY+N5c9vMnSpYu6I0Q9Jw+ /ewgGUpPEk87yIH7PMBHBYVCCeDvC+9fvgPG8/pgo5xDBbhhUfOB67ZT+lE03gMY hLvQjompw4NYVRm2lIWH4YPzc8v53TAcViI9AQpBHZGuJqE/VMLniU7wD+6GhPbq LTymMQKBgA5ST+G30w51sFRJJULSfB2kXCeRs6dDDuLwZWLXAtBfyUHypx+OcLzR 49YBt8cE/IM6UvvMGCavucU9FOgfk3JQEg9uHd7ky3z5vc8g9XZ7f/cURbix2lPZ mhYZPLA+/xQdxIk/zOs8MV/QLja/YetW7kc657iRMnlbKBjgTeCT -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multilayer/keys/root.key.pem0000644000175100017510000000321715161577363026311 0ustar00runnerrunner-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEArTPIQsHETFLdmvvlp79EJ9FFGhsHEocqPev1xyRvCCbbkOi5 VDc+cWtkYtfX8TJn6XRX6VBH5a3/cw/qWIyQbwP+wtwMN5DftqTnJILdtGEdrFb8 1TKIofoCfUAvBJk1K/SrIV6BZi03eeqU5/7zVaaBnC8ZrXu2NDK0h1V+Co8Cb054 b+Q6YcDq4Rw81M7jHu7Iocnmx7XoJ11bMQb1Ikcd9xrM3otC10UiaroKX5Hdf88I lUIHjPYZ/ChSH4GStcePcrS8saS9byMja76C5G8Lgsp4o3Ccdi2H1sShxp1Y02X4 X2eEotHVM61a+5TOjP+16DzvX2YPFT/q83N0WwIDAQABAoIBAG8fXOmvpcCOHc20 tWhFZ3XgZuRT2NrDS4/E1sA4mN/zBkXXeigU9YQRMavU7Z+7Bj4avdhcAHTUiKMK 4ACF1pjTSF0+jrwLv+xPqlibeaCj+kS63qXuMQky/OvdBQ1/OkUESdMz7fNfKUuX /IdH5FjcZiWNdnz+dSzSJ074w9ADWHIjEg9ixmw0xU2QbulOgJabuwuri20kVyuO cDrl1zW10e7iiog85HHEIFwTXfen+wb0QgH/mt1/BS+3ch0dmP0i8Dx6wZMqh7P9 RQU6N/947jwgHMP3HV4SDcHLSznIB+G/veaFotL0IDKHbhdQIZTGfIUJXIx5RTTD 4XTF9hkCgYEA2Eg/GNtOwtlQILGpkBLvEgq9dlttQYjBeSBnXbNhI5NHMuYq0piF xki+Io3zonLKMJ5LZCMLYesJm+WMGVLZ2d0F7NSfvngI1nApa70Nsux3EeZrcFTs u88vWJCCXR8++x21iUk1M0SHxdXfPc89l+a3C30XYTD3MTEgkdN3ChcCgYEAzQJI ZwYV1JH/jE6AIil472YIBQXBB+YI6Dx2V3H7XDzE7G6IKU7VuxrvZA1i/ODKzPSD tBeCrhnUdqTOwb/Ba7CRL/a935tYiOJRQb8fM0Kyy0cO33cPBsbjOeZRMNdyhVKF 8eg2qCMPuEYLVdumQQl2wNbKcEUbgxgd+Icxxl0CgYEAyp3EHrE1c+zJ2BcYVtSm CyzsmXjFPeOz/JmSvIFTu1Q6G0DtVSV2DXAQT6bUW5dWO33P+xupii36boX5Xa/0 Ttl0t43pqTIidWHWLAyMTNaiJa7LcAzfSoKqRDn9JugixHXsn5RptoG5AGmAHhOM DEYjrSufP3nz2a3AaVzF5DkCgYEAqpVvsWn62DnzrcfUDpj7rBf2LFexWuUqHDPT NMf/I6zdHu6KFfUnGt06vMH2z/wsQ4Zh4IR/lGahx2czMzxfsT/mT0a8j0cv0Bah Dlf9miWxqDukQIVM15K+l/rxK/bZr94O3k8ey6EA/5Ao9nQiTpOVYLhZEjouvlJe /eFgpXECgYAviXclHhkyJ4movlUrbwlkE5/ezS90jM/1Y0iinCxEfjzN+p0YmlGR rbtAahdSHVr5YeB2d5aBDWhFv4GJifhZPUR2Gy5Zqgnl0UQWyVSWx8wFDe36Cjku eDS/6nCP0f3M3ZHbRA/Xm0mBnc9uI4yD9bTG1ly2KE9Tpu+gggYEFA== -----END RSA PRIVATE KEY----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1577518 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/0000755000175100017510000000000015161577372024344 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/alice.cert.pem0000644000175100017510000000263015161577363027061 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID9TCCAt2gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFz a2luZyBPQ1NQIHJlc3BvbmRlcjEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMB4X DTIwMDEwMTAwMDAwMFoXDTIyMDEwMTAwMDAwMFowYTELMAkGA1UEBhMCQkUxFDAS BgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFza2lu ZyBPQ1NQIHJlc3BvbmRlcjEOMAwGA1UEAwwFQWxpY2UwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDhc4JuHi9+Lr1GK1+GpMhAYvrJ9IAmKPFDrYQKX5bs ReHHGhoQh3Y2WtT8EaVd2wxhUKVG4TbtI7ggZGG0RsWrEDp9QlAxewwgo87TRHe+ /VsEZQOXZ6ljBVOSI7aGr0mJfggNQLHtnncau1IxGa+JCJuwA5VFaXSsSyLSRRD+ EDo6r+bBDbohgiqTKm/yRpr5y8UXr8Q2UPISA1drNO5KwqIPIUQoYnt/ZgzZmf0R /yW4DBOphmPfWwwJ4bvMR+NYgaPBnphJphXrMfGD6zIr3Fx5N0Dbdi7CggBmZRud X7K7Ygt9e99ltPnXNPT6CE0tDTLz/P9/HUJqHd5LSQbrAgMBAAGjgawwgakwHQYD VR0OBBYEFF7Hp7rUCmetna56Pa0Uaji1cwq4MB8GA1UdIwQYMBaAFO+/elGLLqQu Sl3SzudheM5qNklPMA4GA1UdDwEB/wQEAwIGwDBXBggrBgEFBQcBAQRLMEkwRwYI KwYBBQUHMAGGO2h0dHA6Ly9jYS5leGFtcGxlLmNvbS9jYS13aXRoLW11bHRpdGFz a2luZy1vY3NwL29jc3AvaW50ZXJtMA0GCSqGSIb3DQEBCwUAA4IBAQCFJ0rhyGs1 BX+gE/JZeGXxMi437ZuprOfSv/uZiWYe1EKPztfKFHZqiFHfFLOMugmkhNKeEFjO RbHYeiiPCWT+2jdATPk6sbC06FR4epmkC2c+4XbGSGmShmlZ/crcS8objgGTbhZn btrqjEcgK0wMs/psm+hYrF2ZAymRwS5OoUncJEuvi72hpgpMtEuSb7yzZ1WiEwea erQUfcU/mQMmbVXO6NtyQWCxr+n1HJYaYTp43Fsqjqg/yR/RAtnBHmiT4C4iPf73 KMZ1MmoH1GEUb8xv9YwAyhw0RLJboFFqtHb0UWfnQDE5kRkGiHT9jENgHWuQRvin JlE7hW5d6/ku -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/interm-ocsp.cert.pem0000644000175100017510000000256715161577363030255 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID2zCCAsOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFz a2luZyBPQ1NQIHJlc3BvbmRlcjEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMCAX DTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjB3MQswCQYDVQQGEwJCRTEU MBIGA1UECgwLRXhhbXBsZSBJbmMxLDAqBgNVBAsMI0NBIHdpdGggbXVsdGl0YXNr aW5nIE9DU1AgcmVzcG9uZGVyMSQwIgYDVQQDDBtNdWx0aXRhc2tpbmcgT0NTUCBy ZXNwb25kZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4gXqgUVYZ +FZcPyXedGfVRyKdrrB3u/WFo39tSIdbabmR6kpHk/B5HFPPKbZn3kHmXXL7z7BH jNqN3sZMniAf6gVi870KVklAgcOXtjlBklnMHwV2yOZLKwiO/tIljggQ7pfQ79II qjQclKt3UlhlnVoAnBC+nNaGAbfrPuhadBlK+nm7H33xB9qsLFKexHmddOaP/A4c CCzXaMr+72mTMG4i2FIolWDNPNXJHBOfx7F9S3xBQcZAJ5Dt8hzv1pimOZCPKZie ctHKtxl21y63yinkqNEe9GFNgweuhX29Va6GwEyYH2+qe/6jJA7dh7VxZnUtr9fZ g+kWuhXh96O1AgMBAAGjezB5MB0GA1UdDgQWBBQ+8fy62NfWBdTHEttKUV8ebHN0 CjAfBgNVHSMEGDAWgBTvv3pRiy6kLkpd0s7nYXjOajZJTzAOBgNVHQ8BAf8EBAMC B4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDwYJKwYBBQUHMAEFBAIFADANBgkq hkiG9w0BAQsFAAOCAQEAGacwon6DYXP7lUFHrZ9NDC2YiqsFwjdv7HbmZQHPqsMB X/Eu3lBooTZjbyQR0LFVbDb9g7QjKyumIMYktwt+/EshGEf0fM3DRPnXght2X64a N36FgRFMCNlZkblmPyPfQSz7aCXjjjNZhtL72mOFHJnMlcfwzyTkGmcSmvMphydo zREIUkM5NMUNhDSGh13fwdG/7B5XgLLWizuQ2PuVE3HNBz2F6TvOK/tgbGMKrxb2 Cj7Bvk3/MSYsZYYeAQpbtdGt8ZLWDdr/efEiNF1LSYJFDyZ1/1nEaDJHeYGi2vRu 7t6ErYJgE44e1cCmJz6pDq6iGnJgPEFkZX9VaYlHVQ== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/interm.cert.pem0000644000175100017510000000267015161577363027306 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIECzCCAvOgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFz a2luZyBPQ1NQIHJlc3BvbmRlcjEQMA4GA1UEAwwHUm9vdCBDQTAgFw0wMDAxMDEw MDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowazELMAkGA1UEBhMCQkUxFDASBgNVBAoM C0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFza2luZyBPQ1NQ IHJlc3BvbmRlcjEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwenaz96IFfFJ2NmDNBkRD1AghHuxV/dOfznJ djI8j8od/72n+eNixkFnQtZn93zULDLtnammU8FEKyicCLNO0Fe69Z6MN6ylDRvG MhrXWXysreo4DrH2meSgeeLFLVhsuCyk+HD6tLxFp5vJRaPdZLyalToxV1qVEisE z2CVfq4gZioNuQvvA9i+aCnTM0MXfKPStJACNHwxdQj26rQgfxiM8DdgqttG1/Xa c022TpbyLp3QOIS2ATXH154oDy8pXN8d2McqaAaLUOS/TMSnHgYK79Un4LRAKsXm IFGXv1EHRBu40ctCSGBSkvxFrx3CeowF/r+uISniALJTv+u02wIDAQABo4G+MIG7 MB0GA1UdDgQWBBTvv3pRiy6kLkpd0s7nYXjOajZJTzAfBgNVHSMEGDAWgBTxtHmV ArK0Xzly/bCPwl+vW5pQtTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE AwIBhjBVBggrBgEFBQcBAQRJMEcwRQYIKwYBBQUHMAGGOWh0dHA6Ly9jYS5leGFt cGxlLmNvbS9jYS13aXRoLW11bHRpdGFza2luZy1vY3NwL29jc3Avcm9vdDANBgkq hkiG9w0BAQsFAAOCAQEApOiTiSklkQzyH7SVg7UFZ9G5ORr/rE3i/0cd8LTki1WX 44oM+oeuXmNYps7sRr2WLEkuPopT72/i/r35P8y4/ZMY3vEXH6uJnzFW+qiLmZBw jfDHaqDr4r9zRWwmkJ5icQoBITnq2f0el55UXs+crh69VN9Ud9v9vSnvekb4RQLN 4oIKLRUGdnK4LCz/IHaqNNJahO6z+L4uSlvBxSG5nwcwOJlEf7u1PfNd1Cg+fFSS br8CeQztq5TUBMFeU3FH/qLGLN994p/CH2b2D2WcJ/16gDTw7To2Z5ARiz7k7VWt 1I+ii8aXqPkCWS5ChrjNfGX0yf54Os8M9pTEPoz0Ww== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/ocsp-resp-alice.der0000644000175100017510000000275215161577363030034 0ustar00runnerrunner0‚æ  ‚ß0‚Û +0‚Ì0‚È0Ê¢>ñüºØ×ÖÔÇÛJQ_lst 20210819121804.364362Z0s0q0;0 +áßýýçù[*[¥KŽÂjðÉ] ®ï¿zQ‹.¤.J]ÒÎçaxÎj6IO€20210819121804.364362Z 20210819122804.364362Z¡#0!0 +0D=a!Mwäüq†¹nÌÔ0  *†H†÷  ‚:åÞØ0á’»ÿÈfÜþoa}SbÆÖðò­ÿ´ÊŠ‹Ê\3#ëÍ ›å‹„e#¡—ãA™º s0ÞqLóÖt·±ˆ9\\s$BÑŠÔý*{"‹§Úí„%׆Z‰V[XlâèZ>Žmê)#Û+O™mŠ c»Œ¥¢Š¬ß'3%ßYvR¨pë. Îý~Q]$Âzà±Dèñ‘VÃ?j7ñ; ìKv’ËÂö…”ñE‘®`Öá·¤¼hgš¶3áçÞ¿á~ìÞ’¤KrÊ¥mBÕð‰ä%uþhë ¦•m4žÑú31\ Wu€»Äj?b[a&ú3g¥ ‚ã0‚ß0‚Û0‚à0  *†H†÷  0k1 0 UBE10U Example Inc1,0*U #CA with multitasking OCSP responder10U Intermediate CA0  000101000000Z21000101000000Z0w1 0 UBE10U Example Inc1,0*U #CA with multitasking OCSP responder1$0"U Multitasking OCSP responder0‚"0  *†H†÷ ‚0‚ ‚¸z QVøV\?%ÞtgÕG"®°w»õ…£mH‡[i¹‘êJG“ðySÏ)¶gÞAæ]rûÏ°GŒÚÞÆLž êbó½ VI@׶9A’YÌvÈæK+ŽþÒ%Žî—ÐïÒª4”«wRXeZœ¾œÖ†·ë>èZtJúy»}ñÚ¬,RžÄytæü,×hÊþïi“0n"ØR(•`Í<ÕɟDZ}K|AAÆ@'íòïÖ˜¦9)˜žrÑÊ·v×.·Ê)ä¨ÑôaMƒ®…}½U®†ÀL˜oª{þ£$݇µqfu-¯×Ùƒéºá÷£µ£{0y0U>ñüºØ×ÖÔÇÛJQ_lst 0U#0€ï¿zQ‹.¤.J]ÒÎçaxÎj6IO0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚§0¢~ƒasû•AG­ŸM -˜Š«Â7oìvæeϪÃ_ñ.ÞPh¡6co$бUl6ýƒ´#++¦ Æ$· ~üK!Gô|ÍÃDùׂv_®7~…LÙY‘¹f?#ßA,ûh%ãŽ3Y†ÒûÚc…™Ì•ÇðÏ$ägšó)‡'hÍRC94Å „4†‡]ßÁÑ¿ìW€²Ö‹;Øû•qÍ=…é;Î+û`lc ¯ö >Á¾Mÿ1&,e† [µÑ­ñ’Ö Úÿyñ"4]KI‚E&uÿYÄh2Gy¢ÚônîÞ„­‚`ŽÕÀ¦'>©®¢r`ñüºØ×ÖÔÇÛJQ_lst 20210819121745.842539Z0s0q0;0 +ù+Û6ŸÕCÀÊ÷€Æ©…ÿÑñ´y•²´_9rý°Â_¯[šPµ€20210819121745.842539Z 20210819122745.842539Z¡#0!0 +0œß“:«WÜsd¸£xMdOÔ0  *†H†÷  ‚IÏQW!0É|1bé5H€wlåE$¦S%íÐðÓùƒñ¨Z†,Ïò’¹âº—w¦JúÙ¸}núI©f_Ï0€l³fsX²»~Ê› 2_zõñÍËþ¯¬ëRÚµ½àœaþAuÿ|Oç'Ü·âþæf€ì¶åN= lnÏ_Œj4iû­ ÉÍ­\NFC@Ï —þ(IUñv$) ‘ŒXä»_½Xø0~XÛ†ÏSí5×÷9¬h„ÊÃ+"·‰f6†ïϧ«é¯{èX•CC~ÍU†&ò^ M%OÃÿo8d(0/²|1hfÙ*fPx$ø¢Èñ=#èZtJúy»}ñÚ¬,RžÄytæü,×hÊþïi“0n"ØR(•`Í<ÕɟDZ}K|AAÆ@'íòïÖ˜¦9)˜žrÑÊ·v×.·Ê)ä¨ÑôaMƒ®…}½U®†ÀL˜oª{þ£$݇µqfu-¯×Ùƒéºá÷£µ£{0y0U>ñüºØ×ÖÔÇÛJQ_lst 0U#0€ñ´y•²´_9rý°Â_¯[šPµ0Uÿ€0U%ÿ 0 + 0 +00  *†H†÷  ‚U‚tFì m¬w™°)ÒéX…:³J8-¤ËÃ>™i:ÏûAí s¹~²E„Z¡¦8/Ño×­Ázßo מöÃeÍj¸€_¥UëúÑ”*JVð‹ÓZÕüý?oé½g µ ªêW“p”vº,â˜Èp5©/áVf(îÛ[¨oÛ‡¿jÛhà>lÑÞý°,îíffv™úùâ9{ü›¨k5[þܛƱ «§\ XZ*)(¼‰Ü#ré]ÌfÈ8;ú{ÑÈžT2Ç´_´îºñÜÖèT) Uv±x\°MEòR#»›#­ÒŸ<ùƒ B)’¨oÄ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/root-ocsp.cert.pem0000644000175100017510000000255315161577363027735 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID0zCCArugAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFz a2luZyBPQ1NQIHJlc3BvbmRlcjEQMA4GA1UEAwwHUm9vdCBDQTAgFw0wMDAxMDEw MDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowdzELMAkGA1UEBhMCQkUxFDASBgNVBAoM C0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFza2luZyBPQ1NQ IHJlc3BvbmRlcjEkMCIGA1UEAwwbTXVsdGl0YXNraW5nIE9DU1AgcmVzcG9uZGVy MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIF6oFFWGfhWXD8l3nRn 1Ucina6wd7v1haN/bUiHW2m5kepKR5PweRxTzym2Z95B5l1y+8+wR4zajd7GTJ4g H+oFYvO9ClZJQIHDl7Y5QZJZzB8FdsjmSysIjv7SJY4IEO6X0O/SCKo0HJSrd1JY ZZ1aAJwQvpzWhgG36z7oWnQZSvp5ux998QfarCxSnsR5nXTmj/wOHAgs12jK/u9p kzBuIthSKJVgzTzVyRwTn8exfUt8QUHGQCeQ7fIc79aYpjmQjymYnnLRyrcZdtcu t8op5KjRHvRhTYMHroV9vVWuhsBMmB9vqnv+oyQO3Ye1cWZ1La/X2YPpFroV4fej tQIDAQABo3sweTAdBgNVHQ4EFgQUPvH8utjX1gXUxxLbSlFfHmxzdAowHwYDVR0j BBgwFoAU8bR5lQKytF85cv2wj8Jfr1uaULUwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud JQEB/wQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEL BQADggEBAFWCdEbsDW2sd5mwKdLpWIU6s0o4LRmky8M+mWk6z/tB7SBzELl+skXC hFqhpjgv0ZAfHG/XrcF6328N1572w2XNariAGx1fpQVV6xP60ZQqSlbwi9NaABvV /P0/b8OpvWcMtSCdqgYfGOpXk3AHHpR2uizimI3IcDWpL+GdVmYo7ttbqG/bhwS/ D2rbEwho4D5s0d79sCzuER4a7WZmdpn6+eI5Env8m6hrNVv+GtybxrEdDaunXAkM WFoqKSgcvIncI3LpXcxmyDg7+nvRyBueVDLHtF8ftAjuuvHc1uhUKQIMVXaxeFyw TUXyUiMTux6bI63Snzz5gw1CKZKob8Q= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/multitasking-ocsp/root.cert.pem0000644000175100017510000000245615161577363026775 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDpzCCAo+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQkUx FDASBgNVBAoMC0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFz a2luZyBPQ1NQIHJlc3BvbmRlcjEQMA4GA1UEAwwHUm9vdCBDQTAgFw0wMDAxMDEw MDAwMDBaGA8yNTAwMDEwMTAwMDAwMFowYzELMAkGA1UEBhMCQkUxFDASBgNVBAoM C0V4YW1wbGUgSW5jMSwwKgYDVQQLDCNDQSB3aXRoIG11bHRpdGFza2luZyBPQ1NQ IHJlc3BvbmRlcjEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBANB//m+farVsSmZXTNIJCmQcieVlbHkf0dXe+Vw27S2Op5Fi NkDuLNJCCNsqhE+HhITzPjiv+BsUlJTzOssGqm7WhuNQCaKmtuOH701HImMdoJ4E cLXWycg2rJiR3R83BsyT+FJaGuPFGDc3ljzrG6ChzT/ZrgmjIaSStWX3JQDJhK71 NUTWTzX1gzF+aitx5UZ5CewBQkeUD/EWcwhrBB6/xIrNMxsVPd6Ui6kOowfISQor usdnpxSaxeYeGY2f6Xdc5JtR9EIlY/ErJmAasmQlowXEVudFupX+YG1cGWK3p5NA oXGc1VS7jqNSyqXaJe+D4l6y5AhE4i5A+JcSrWkCAwEAAaNjMGEwHQYDVR0OBBYE FPG0eZUCsrRfOXL9sI/CX69bmlC1MB8GA1UdIwQYMBaAFPG0eZUCsrRfOXL9sI/C X69bmlC1MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3 DQEBCwUAA4IBAQCxHeja9Ec3zsylwS0Cc+J9wz/zvaY18vT+gfvtywLhBUysqfCZ xHIGpkBnrGNl2wLlwCneeQEPP+HP4KZigtXG9uIz0ffAc8dIh7RRfPKfqIz+DQBz s0sK28/UP60WylBX4ToF9nJE2ImtJ0JE7u+YTZtW7lyQkoq5HrAt/3T6NK10b9WF 6U3lNOK5X7KobAJp28Or4f67lHsYp5dZ1y7etQgtR03bsmCNsdZQ7rRXvioYNtG7 D39yZcYdGzqmq7Y+WT/7Eg5/oyYEf2hDUNN1rILFwu/SNBdjQNq6D1KPT0S2n8Bc zrpU/PLWstS60n9mEleBIpB2hzLLSo8MsPtO -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.1583965 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/0000755000175100017510000000000015161577372023056 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.2477498 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/0000755000175100017510000000000015161577372024176 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/AllCertificatesNoPoliciesTest2EE.crt0000644000175100017510000000160215161577363033066 0ustar00runnerrunner0‚~0‚f 0  *†H†÷  0G1 0 UUS10U Test Certificates 201110UNo Policies CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1All Certificates No Policies EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚¾–!ñ„¶iˆ/<·ˆ97 E¯õož]WþwÖ ÁÐìú;£Ý>€jFÌÌŽ'ø€Ä¤PŸ*CätI59HÁùw› S¨m½øî!½LÑX©ÍÚ[ÐË0øL„»Ný“ °«µY¹}¸Äõ˜ ² 'ŒŒµÖ!¯®°]+Ö¹´/¾ÜŽEsìt)öÿT„¡ÿ.ý5®:ú ƒÄ%ìÉ´ºþÓýY¼ƒÝ£ÒÐ_×ÿô3hðmU\ÂY.¡ÜJ¬\ù £—+ä×CÊ6çw½NQqºòîA‹‘ogæ^Ø@MÊ+¯âJÖêçRR©šì7CìøHÜÇ£R0P0U#0€B$í¥Kvœ—˜\tê:ü5äœ0UÚM¯ô¾dYT±€X‡$XêÅš~0Uÿð0  *†H†÷  ‚Ó…:G‚·l¼,L)}“MêªhFrE€û¾f”érPí„Q@•yò¼yŠ1=Œ n ®M‰8ÔÓ‡¾Êôâc‡JÁ›±t_°eÊ÷L°VìQ$å  ŽÓFq¯d'Ú>ù½ ä>9ëÁ<$PÄ}Þ\‘<&¤»(‚ÿÓä’@#a©ÿÅŸÒŽ¥Ì!A™\· –õF´ ¤{Lñ“V¹"âvÝ@z(nuý!ýлƒ÷ñ51Ÿ„¯ ¥r-Àu§P¾ÿB{yv!ÏÔÐÍÖ˜ý>€Mœra"E'7!q‰Eãƒ,ìQrµÛÕÄc×ÎCÏ'³´K‰øw$x6/ ( gÍ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/AllCertificatesSamePoliciesTest10EE.crt0000644000175100017510000000165515161577363033466 0ustar00runnerrunner0‚©0‚‘ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UPolicies P12 CA0 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4All Certificates Same Policies EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚Ð"ûŒxØrÀƒ¥i½H“Jؼ3óþ¦ù\u¡¹öTN«):8¿´ýv×»á-º› k›³ ¶Ç2P 7E µŽ<ê1C2ÇÁÛïÇøão•Þk4Ú ¦Š1O½+Yl‘»@sO=moHY‹Ho¡Ÿ”jÕäÅ/0@p®eÖ?Çå㌄§î„ŽŒö¦}Ú*O˜ÄNçHóÄumon58ið0@öòÞŸd'B™;[™Ü!Ñ8e] j4µ9¨}ªúÇà…df¢-[‰\Í©ïMöܪÃÖgäçÌliÿˆœ=™‘²>ˆ\¦mòEžàƒeÀqÕSÛ£y0w0U#0€Ø_5âšÁ7*&΃Ìsp*:â10U –Þ`^EšÅG3µ8ôþ ·0Uÿð0%U 00  `†He00  `†He00  *†H†÷  ‚+¼’ )óK£p‡jøׂŸ‡¥TN¤sL²›A&ú)çD±>»ròã¹6Lpù°`yÔŒ?(grŸÒ0zÖå18÷†çŠ7r)wØ`Õf]Ê<úM5ÃÞàF¥öÚzV߃t 4ˆ!<\÷\” 3y„Ça™Äy¡ {S%Âýœv 7M¤¦2?(g÷r‘4Ž›»î ᙑ]œZï"ßœZFºì×n‡=*´™ûˆ†•³º.{2¤¼MTŠp˜Ú—Sds³ÂÒ’PDü‚ô:<*¦ß5›TÈ¡9£-2¸4ÔOí¨mh¾Mn?'UA¥W„‘Lµ‚7»9Ó°ò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/AllCertificatesSamePoliciesTest13EE.crt0000644000175100017510000000167615161577363033474 0ustar00runnerrunner0‚º0‚¢ 0  *†H†÷  0I1 0 UUS10U Test Certificates 201110UPolicies P123 CA0 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4All Certificates Same Policies EE Certificate Test130‚"0  *†H†÷ ‚0‚ ‚º‰ç|ßmá×OgèšÛ¤U˜Dì,¨!‡+‚‡Ï;7²ÑÓRó;ª‘ÅaÒ1W}Æ­ :¸ªÝ}l€“OÁäí³LÌEi üâlTEú `ûßD@8ÄãñgÜÔÕz-¯ëØ z·ý-X˜—Ûi>ù Âñ$·¯Œˆ Y/ã`rvúÈëÜ•­A¤æ•S]°×¬WŠÁá:R’j½U ² îÇéÜÈ{­Õ,RSwå7°Ž‚(ú-ÈSÆ*9÷¨ž‰ðËÑöŸ¯ š»N8å ®'ºˆ PjÈBo ²Ñ®m]k½ ¤Y&CûZ Ë^ÿZè‡Ã£ˆ0…0U#0€Œ( Ú bî==–¸q“‰êèc0UäˆôQZ¶a .6+FwÙ¨j0Uÿð03U ,0*0  `†He00  `†He00  `†He00  *†H†÷  ‚yµ ÿfþI̾›Âè:U’ËóS, …·ït¹½&Üæ.º3êKèðâº":§gn‰5h”(µ~Ñ¡‘Ñ?Ÿ/ÇšmhändtÙöjÝ}FÁ¼Ò¾ä<C dù±ý¯ õí-¤”Š»u¬ãdð<‡Ï®.ë-–ôÙ÷kÙVoáRåRÒäÇg ? ù’‰øPJÓ¼ÿëÑ+ gZ‘ö‰¨À#E{¡]ºÜ ßž¬x+R±‡$E¦9èôX/·ÑÖbeû!‘:ê¸Ö‡J"‰EF¦à¹ö0T" ‰¯Ž™>° áv3YïÖ‡ÂS;› ¡•³yw>Š ñ¢±B‘–dù¿ fŒ–2’^È\Ã7‰kô|W‘ç+ÑCZÙmâÞbãPq´'  ³ØJýò¿ÅÒÉíMÔš= ÐôÂÌ·Ô*WoЧfg…hŽ”*Fª¯´L¾¬¦tŠR?Ès·Ñ÷¦Y Â_qg™8«&“ î,+å2¶˜trÞˆü\yÑSõÌAfUŒ±ò5P4©£e0c0U#0€»ÉÞÈ•çB⢎®\«$`~…0Uý1î¨oò8H?ŒDË fm«Øé0Uÿð0U  00U 0  *†H†÷  ‚jP©\Y”ºâÈJ§B5nàë8Þ–Ç"«47^|Ƙ t\œJežu™ë1„±Á¨ä&%—Äe ›Ý9ðÃ7d¡š#½±˜UªCÙøó.ÜÍa5Éî‡#Níy嘢³Yp)jËÌŠòý¨Î™5­2BØÚÈ òþ’ø?]æë çA‰¾Å®/ œà8¦\|.™BÉ$T8ºO•<eÂZÖÀ³Ä<ÊØ{Úí¨j3â’ìsüIb6Ï9!!’¹uUØR’~¡´¹Šº"'ãØ…a@ÀÖ-ɧÞÔýzâØÞOòmCš ÍÇ¥›4dñ@ÆøoÕüŽ¤<ä \j././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/AnyPolicyTest14EE.crt0000644000175100017510000000160715161577363030042 0ustar00runnerrunner0‚ƒ0‚k 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U anyPolicy CA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UanyPolicy EE Certificate Test140‚"0  *†H†÷ ‚0‚ ‚ÊWŒ}a,b¢+yçÝ w PRr0¥ÃMå>f>Í·ڢº.øòQ?áOT*gV—Ø3†; œ ¡è;T·¸4.X3¹fõk,³ý£'iwyßÐnÕ-8¨m_g@9ñ† …=døˆ™_~q„ÛM ¦â îêæ7œÀ ‹ùîRŒ;£8õG$7‡¦. [‹¹øÙIvñw:×ùÙeÊ'ª–L–"áf½I#QEKõ‘ªwÓú"û)K././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BadCRLIssuerNameCACert.crt0000644000175100017510000000161715161577363030762 0ustar00runnerrunner0‚‹0‚s  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UBad CRL Issuer Name CA0‚"0  *†H†÷ ‚0‚ ‚Åìo 7aüÆ·©P¾µ_¶á‡'ayª'ñþ©GêA8h‚ª#¾ìä:aüäUöQD•Âõ,jÔ~„hÔ”g0Wˆ9„1ÑÍœ2 ­xûà ŽdŒ3åAÚœÏs¯ˆÎ3˜—ôF[zÎp±TîöpF'd3—/‘*Y ûûŠu¬¯¨gVŸ˜Uü« ¸-í·êî˜Í]*ßKÁzP9»×öÏŽ¯¢RX ³…šóÃÆ´Öàò0ÉÛÆæxZÖEºˆd‘¾_ 8 ϾqoÅ‹åÕK„‚Š¬#šw2×ç¢Å£jV÷’aÅåИ¹U_¤Ñ¸éRÔʺçBé ¸Mp í£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Urò5]ÕJ A(ý”pq0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚+,ô«ºØ‹ƒY«€×øÞ„u•²å­ó}4U£µÛörÓ»õª—̘y”ô¨…C;#ùÎô23 î±O&L³ŒK£‹gyÿ…^†½Â äjŸÅ¸8IŒ³hÓëOÕ.þø2¯ã³›ë è ͉Șj®?2âsìÎ+>L®¾X‚ó¡iØ÷¢././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BadCRLSignatureCACert.crt0000644000175100017510000000161515161577363030646 0ustar00runnerrunner0‚‰0‚q 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UBad CRL Signature CA0‚"0  *†H†÷ ‚0‚ ‚¢˜Â¯dxP÷€«C±Yü,NÞŠe+DÆÛÈBú(½¾è¼dä4£Á õuÓîFf-¦LÃuüBnXÊ>Ÿ”ÛÌ¿ôÐF\†/ƒ¥_ §ò8,ù„(›±=`ºnqÞRñÎA…û•É‘L,0@`ä6>5ÉI_ŽðY©rº[œ¸'m·¬9Òw K(ÖÀå‘Ÿ†týN= N©þm#ÿL×ÎwËîf^ûÞÞ €õý*`[ [ÁÕ;Ù§ŠVCªƒ¹tyñóNX)œ©«— ë>G=Ú©³8³…<3çºÀ¹ø‰n“É£ÃØÍ2zcm'œõÔÿ4HÞH>:­JSo£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U1‹5žDa0Þç .H$Ûù½0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚,4X@pæýŽIØU™;ÅÌá‘ôƒÿL^ ˆ†ñ°B *³­©pÉDZW&LS”¡Äãjoâù‰÷êí_`ŒyfÌo=é]‚Ø]: A:¾Ëžt¨åô›µ¦ôëÅy°–àŽ¥™uï^³fùM)&ÁQA½½þž¹VÝòÅ° Ÿ‹_´?©b@=ÔÐÏs$ISþò°Ív¹œÚïse& àˆ·ú${çì—tÞã¼,ɪ£%øàéŒØ‚S"àN(¬$¸AnA„@BÊÏwˆú—¸›ž¥@Ú D!/žeÿÇ{ÿÐŽNSIK˜N¡©æDö›uU A/././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BadSignedCACert.crt0000644000175100017510000000160615161577363027555 0ustar00runnerrunner0‚‚0‚j 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0F1 0 UUS10U Test Certificates 201110U Bad Signed CA0‚"0  *†H†÷ ‚0‚ ‚ßï¼ë«÷w¾z½‹ÊüN¹þlËàY$O°AÍRy:Bvwf/vö€Êþœ"JÒ½é%üöäpqmák*Î\E/÷÷)Àˆ h>§Nt(²è@„¨ÌXëÇE9÷´0¥ã ñ¦Â鶩çêAÑT3ªÂ„&Ø¢‡\ò8C< +Æòý™ÁA7àZœIˆÛ^Õö*_°Ñ„Äâ¨Ñól>k‘3•ØÄo~ÜI¹>Nå¾Z¬ì½À\Là»â´‚¸Y¨¥î±OÔz4ã¡™ 3‹å9×ÆÞ“ÉbCÚ¢©-Kê…ZñÙд"`Á!¾Eûb ™OÍ<pLÐ!+y£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U{Ý;JàÈÝD…Nˆ2'¶VÀ“¸(Íi£0eO–'¿k¬òF0e…v././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BadnotAfterDateCACert.crt0000644000175100017510000000161515161577363030724 0ustar00runnerrunner0‚‰0‚q 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 110101083000Z0M1 0 UUS10U Test Certificates 201110UBad notAfter Date CA0‚"0  *†H†÷ ‚0‚ ‚ʜʞ3 ô9Û ËvÔÞçŽJÙ±Õì©5Û»ž)úѨã >2ÑñšŒ$W¯§¼‚O–‹„4¿°i¹„nüeGw"q!`ãKjß<œ±V|×í”0`ã©V%J*4¹-yû«hÞÕUÜSÜÚ¤ÕÒÞ#qðƒ gùÉÐo\#-;Ê*}¾HOTÉÑl¸Ý<‰/[½ô˜Ü¨,ƒŸoSÒfÖ¹‹TšÆa‡H¼OuæÒP'^I¨{œ5û¼^N»©-3º¿7>úY˜JEIA„ìg§Ø)8 #.9‘SÙÅúvwÄŽV^Z‚ ¶„šè“½KÖ®FâAÁš&:t>$É“£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U,ý÷î<ó¤fì矈³âÏtFØ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚¦ˆÅYÃ"K‰9æÀ’ßžc}ظœ×'Km6ª5%â{øÝg¤ÝÊÈú”{ËÃíFû%ˆp-Lè/0 uŽé}z*mB (%ÁtªâÓ%îU”eyØÚJú¨É§r› ݳîhé5_X¸U1Ì^™;ºëÑ9Xd+Èaü¡¾Ä°úD7Ä ý}M±«ÂŸ;¡m•];ÁP—¢ôAXHj@¶Š9t¿`À²I/†õa×AÕ¸ øû”ö®/ÍÿìÔŸlιŽå ®©› ¨p"K8÷qhj£¸È%—òCÖâe•häÙÑàIm¥ëôN_¸góªfÞ"³§G(€Öžó{‚ªf´&././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BadnotBeforeDateCACert.crt0000644000175100017510000000161615161577363031066 0ustar00runnerrunner0‚Š0‚r 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 470101120100Z 490101120100Z0N1 0 UUS10U Test Certificates 201110UBad notBefore Date CA0‚"0  *†H†÷ ‚0‚ ‚§S—Z¡Ç˜Fà¯yuPuë-‹×å ù£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uc>¼žû¡òY¡/K•þæÞV¸†@0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚¶H,ÎÂë©!ÿœIÃË«FÀ7{Xè:¥WËxåHü£®·ƒ7h_¬# Æž×qÒF3ô–>\ùËk¿ª1\zûíö~H"Û—7Á½"6’³äâ¦oŠ­ÀC©(¥$¢W—¶Áã„ÝjÉïÚTy/g±é8—dÝÿL8¸*h›­¤úŘ߯áÿ2¢XU¡œ…ª¤v2`á¡c4ÌÒMZ>‡ÐE„ X6ÃYa=ßÛ#8V»£â¨T½“5ÈéÜøÂ-öå:ú‚ÅÜíP±k_5™÷øèÃÔƒµ6WК#°yl±’(®;íÀ_[ªÄNãÈï-Ú././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedCRLSigningKeyCACert.crt0000644000175100017510000000163515161577363033300 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0‚"0  *†H†÷ ‚0‚ ‚›Ë‡‘è[ɆG5ž%¨”.ÛÁ7£%Jì’¥ÞÖO:Óã¼ h³[”©°ž\ž0S;ûäv>nÆ° ü4á1ÄšK³ ®éóÞø,ÂËì¥fß*ÿy¥4>sâå‡õÿlQ+ÿˆF¦œžÝªYÅr‚ƒ×êZ2!)}Ç@½[Y$X’Y\ÌÂ¥Yº¼j:©KVE÷b%®)ÓøwQýØÜÌ &:mÞ*`çÇzDå¿ýyú%_T=­®À`\l\!*ÜH“õrë*ÉÖ8s¨PdÚ9˜ÁÇ…ü'Õ»œŽ/èmü"Ô¦¼ l»AfÁÔÏ_¾ÎÝ)÷£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U)šE.6•ìò^TœÕÙöD‘,0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚•†i;*s3ÛÉƯ†2¢Ÿ ¨ì]j>2“CAßÔÌI«aÂd¸Uðé•»?s°ùé=â‚ÆQ+á æ?‹„ÜkÑ0!Ü2_¨#¶‹RV¤¾×Yk#ÖNdƒÌðÓl è¤‚‰D/JJ³ß’º÷¥U Nþ¿?ì÷½WÉÉ/Òñ±·CÊÏQ»-Ž²÷i²®"»ÖG̽‘Ž'$8Î×O™CóÕªha‚$£Úñît… ÔjµQf,››Ž7ßšµ;ŒâªôE~Å @.eÚ9Šû‰UG³’ˆ6»§ †~gá—Iú—DMöÇ0#Pp—HQJJ0æzV././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt0000644000175100017510000000206215161577363033430 0ustar00runnerrunner0‚.0‚ 0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0 100101083000Z 301231083000Z0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0‚"0  *†H†÷ ‚0‚ ‚À{$ö:+¿±ï—bç¤`’òÉÜEj+ðÈA±fÁúéÅ•šÖ+½ì¾è8ˆíý%çñþS{øÓJ½´Ïpœ²µY†2KT÷/d¿šœl°é;æ²"Ž¸0$þ7\Ï@Ã#i4ÓÒžÛ+Á\Ÿq}ÖD7x\!éGøµUÒpS=×3SEÞ¼a =7†N ©p¡j9qH€±O$$ڎ;„›é†÷“OšÒõ…l°xXßuA=…¶Ê´Öùáu$ÏlS“ʸóñA ôA^Ø ‡.;“ƒì§Iœ V„?g©®Ì8æ Ÿv•}ZZŸ†!ùAX¡Ó\½âA£ø0õ0U#0€)šE.6•ìò^TœÕÙöD‘,0U$ÁUqúžá!…*ð­a§¹ÕMC0U 00  `†He00Uÿ0‰U00} { y¤w0u1 0 UUS10U Test Certificates 20111E0CUxkžV.åNYp@Á5é®ÚÀ-UÅ”Z!09ó M¡”6<ñ?DÎþ”;VÑ‚‹ÊVLœdvZ±»#†bŠEJ<6././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedNewKeyCACert.crt0000644000175100017510000000162515161577363032071 0ustar00runnerrunner0‚‘0‚y 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA0‚"0  *†H†÷ ‚0‚ ‚¹\Ñî>¢eckm>]Ó3lýR>ŠeÆêê $À]j“¥Ñ³ËTP"‘Ú}|1ë~N´©b4Ø0_€ÍÉiá|×H¾\ß¾Z(‡ŽDª£äÜ·+¤ülh.±˦@r=mï^ò]¼ÅNÄ›+ΰŽTsªÙ ™,PV[Ô»×ÚZWéÄDO±)½†,ÕŠÚþ Ç7yøî¿«€™œé±Ä4³IzÀO5Mg©‹PÐÚÐt+`Ä÷ðÈJ}IÎ a77¶ å¾Í}§^Yn<èï(Bú3ol7nüŠPŠ{gE\ÞÕV†'P¿KµYCG%zLâtZ;£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U üÀ,ëUî’l©é__¢Ÿb#•0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚Edû7ZÎfŽ±F“ÈSüÈ­®°Y $BJ–³boNnNo`ˆš±PÈùñ´üz6Q“×uÎT×BÎèî$õ¸=ßsm:¿®š'W+»Veµ¼ &»×©Sx}U¶ê“º¥úÞ`d!!Ñc´Û;ò©/·%kÁ Èò"ŠtéÍ£n«T†è„>È/-r`ÔÄn-ŽŒ–¯p}yèVDGw- >ÃKž±—Õ±^¬ 0ñ/Äl)†ÆÍJ˜x¨ò3I¯ÚËáÖ7èGsîpZ +ÄrÇþÅbGK¹Ú'Iib"Äx è®ù5Dõ—{`…E¶§&õs×Ô3§¥Æ././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedNewKeyOldWithNewCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedNewKeyOldWithNewCACert.c0000644000175100017510000000164515161577363033472 0ustar00runnerrunner0‚¡0‚‰ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA0‚"0  *†H†÷ ‚0‚ ‚ÊæZJª ¤6Øu8æ²,VE ›…eÏ;‘ƒíL¬iŽâ–ÑO^Ê•¬ Ï G€«¨¬îÞ÷‰‚‹7$\m¿ze§ ’?$´Î¥#ÊÝîÆŠ…šÞåR¤½9€'é‡ÄÙX4ëÚþl ‘F—ÞêÄ›‘ª]üW나'ˆÅ˜±æéGóçl'{ nüv!™‡>÷&‹Ü ½zy§<Ämª¯Ó'’º0z)±ôä¹/{¬½iì¼/ÎÂë—Vßnõ#6úÌÕƒkiƒØ %í䈧ßÂ7»PŠ!¶IÓÉÁ} <’/°Iˆ®ýî] e •£|0z0U#0€ üÀ,ëUî’l©é__¢Ÿb#•0Uv|Ød4 Oßq!t ›6¨‚×0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ «᭣qËv×bN…P£½Â6 ÃÑáÊÖ W½ÄøÍ”z‹æªc¼-;çGšô@^xqŠîMlb¹`ÞæwgX*HC˜c¿'?‚kî’ßúL¨ 1¥ißKÈãkY¡tXh#¯ž¥gØRQÝ Ø80g,ÿ…#¼z5šó:-j°|‹fÑCÑTŠ'Ó˜¨]5}5 ÛY˜'OîƒÚk2p&Ž:èµ´#u}H@,Ô Ž¯³X ¤[«hm8´ Qþ*°ÔV"$.`Iå ìáëø9÷V©ŽÕÙ 9Ç“úÈl-ãMÔ©D¼WÇ U¯lÌäi9õê{”././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedOldKeyCACert.crt0000644000175100017510000000162515161577363032056 0ustar00runnerrunner0‚‘0‚y 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0‚"0  *†H†÷ ‚0‚ ‚Î7ÿ¸… ¼ŸÜ§ÓìÎ Á†„è‰LilVñywv›¢¤{# ¢†hŒâ’_`æº {õ³Ý•Ò¯0¤\ÇîéîÈhö'Ž ,œÄçÖ½ Jõ&–imÜicuéj«Ø_þU6öÂ÷ltÎüw|BÕ†X^*×Ú+œÛZ@b`ã‹‘Šr\XYûˆ£0-†ûŠ–¾<@,!u®ñ6Üw£,×Õ$ÓôÑÄUÂà¥våá‘–Å.öš“ûŠÞ÷ à6±Ân8u%þAa¥&’lF&«§0}Ñoè‘VWþÅÔi¡žÈH z„ÿßõ£B׶_P1n-÷,Yæéè£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÝ uShÄË@À†0¡¾¯0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ p­7ubÚWáÖ!jÍä(7Ò|÷ݾ9l $(BÃCi¡{>ñªf\ÓšyàPT)]qžKø¿Fæ¬5ÐƆš…:AëжËÝr…_‹Åç8žH³°p±åú2fZ=—Ù¤{ f- LŸÈRs¤dèd?®‹‘ß/”ý¯bï@nWÏL=PçœCkÎßúx2a`™¿ð‚õ̧N€à0gÚ}½È<8l¢TKUÊIÖD+cÜÀNªïmgtDç>ÎM<Šæ5Ò÷'GÄÒa›Ä”O] ÄåXÒ*1Ù|DX¿ûÀh·±•j-ÕƒCW`)ðdz8È././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/BasicSelfIssuedOldKeyNewWithOldCACert.c0000644000175100017510000000205315161577363033451 0ustar00runnerrunner0‚'0‚ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0‚"0  *†H†÷ ‚0‚ ‚ÂpO0óͫňD¯<‰Ê´'j†8A1ɸÇÅÈ+%›H§ª( Ñcê‰ «qnO¥Y!$ë逗WK9Å[¹žDôp ŽB2bÒì0%µ4Ç»ÿIyÃUì}%D¯ó"w˜l©]‘€* sÞô-¦F÷or‡ÔT–$9$¬‘7ëŠøô± ݪX›D1ÿºßÑp5Ç)Þûß°”à-oÅü±Ì ®q´:å ô RÔ›üÏ»…¡L$“É Š¬yIÖ÷I‘°üã·‰Ú—¬áµšìnµ{dýyhj=qhÃ!—Çpu©47"!³ ¼«ëÓíßY £‚0ý0U#0€Ý uShÄË@À†0¡¾¯0Uˆ_¾?59fšëMÂ&&±*'µ*0Uÿ0U 00  `†He00Uÿ0ÿ0€Uy0w0u s q¤o0m1 0 UUS10U Test Certificates 20111=0;U4Self-Issued Cert DP for Basic Self-Issued Old Key CA0  *†H†÷  ‚k-ÂTMõßÿ(¨¾ñ#b ¢áˆ[’Œnc@§÷ÛFéw€œí‘6a{M¢N Ó3çPUM’`’7‡hȼÿ^)êÏ‚’Á•ð}[™þñìÜMk &NÄÔ²ìy“ñdW"ì „&“Âú`… ÔP¨º}Ä0R…g2ô :tZ>f}ýW*Øt #Ãà¢åþ§ü…ò0÷í˜ Ú›ÂÝYvŽt—µUr*Dq"[Í°‘)MF%íÇ~j&zìkr¥vE”ÚyŠ!±<úÙ;7¦ÉnÕ­›X\’+–‰ ë>dY™ƒWTŒíà%`P¿„5././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/CPSPointerQualifierTest20EE.crt0000644000175100017510000000176315161577363031763 0ustar00runnerrunner0‚ï0‚× 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+CPS Pointer Qualifier EE Certificate Test200‚"0  *†H†÷ ‚0‚ ‚Ƶs –5"ÃÅÜ«:,i$Î4_i²›…¤QšïtâÁ 9ð÷‹«_pl È&dv¡R£"®K¼öâ¬Äç „8ÓÐÂ8´ä *`°H#cÅO½æJð¦ýBêøV«óØpÖÇ«SDzÛù]Ý]Ïì.ðWsÅ°þŸ(A¤„^çŸgçÜ,4`ß‹aØg³>­;C³¬DáËû~I«LLø›¦ÃRHÁkÀç´Óñ¥ ®,TúR^ÚÜ+»gÑÙa‡ºRpß9 õ_j™¿Qß)Oî }ZUÀ±§zfx[EÅg p㢠ªMšS0‹8&d¥Gu¹8§ `³?£Ï0Ì0U#0€X„$¼+R”J=¥rQõ¯:É0UîBÐZv©fVˆÁ‡˜­ÄNH½Ãã0Uÿð0zU s0q0o `†He00a0_+Shttp://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/pki_registration.html#PKITest0  *†H†÷  ‚j?M¦äŸà*À´·=ô%¡‡i†¢˜.çSÇÍ|ÿÏ“­´;}ºPf¼sXrRÙÞ¦{cÄÿpÐ/–Ôþ›­Éïùñ†Ò+¾EÔɘ–H]ºûdqCÁºÃ0¼‹Ž{™ÆF‰ºca™È³¬$;›¡ôV©0d³Ú²+mØɤPÁàÄ"2‡áZÓã¾FÞáÅÿ¿‚F¿mO¹¾.ýá C^³ ßÆ ™ÇöÎ,ç:!ŒC_kÜÊž³¥.2¼W6cV¹:©ŸE«órDjf´~ò.ã4Ãú±”ˆ¡Ûü³¾Ÿÿ†(˜\ÜHr"áî•xx†././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/DSACACert.crt0000644000175100017510000000202515161577363026340 0ustar00runnerrunner0‚0‚ù Ñ0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0?1 0 UUS10U Test Certificates 201110 UDSA CA0‚·0‚,*†HÎ80‚ßå>Úé¶nÖêâ:°G½DÇVÈÌnÐ3„VG5=öTÈã­»ºuó/3 ¦ù1ìgãå™mü)nªWˆr4âŽà£¬dŽÀö<´ÈJH0^ªœv& Ûs3ƒ—Àųæ7õ>ÿ Ô¡.º1ø«‡Ø Ìw˜Bn¬“˜Â½.{4 ÏØÿ‹ëéö\–sý–e:/Ìá|°Î’_cì8»DºÝ’4¶^¾e{Øqwìf|;ζóRþ’UïN«]š./nVópìjí›"¸¨Ë œêÁ Ž!&D¥ ù ìbàp1Ìhõ …¤JnyôÁù6Z8oNï„SßgýÌ÷YbœœÍ\¤œ·ì`ó¾¯~9˜„€&ò¾¼F¹äy¸%s‘Ö,' ¨œÉïÚÎ]ò½;»"‚0¸Èù¡/aåÌZïÁKÏÑO§|kg߶©÷2raôǨ¨b´øðˆý»ã=kÛ¶Û]T:…¶÷=o‹7Gó͈ýlDRLXŠ·”Žqõ¡>*þp?%Ÿ@«q%@›§¹Ç£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÆŒtè{ ÈYÇ}<[TY`% ±0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚NBŸUƒht5¬â†¬´¹]*6œé^MÁˆ¢Ÿ”ÏD^âlÊHºë®£ûÊÿÈ 7™Ó·8Äq)cε 9ð\Vð¾F~,0¦¡eQ;ÈImô•”½$¡¯± .U3…ë@¦àQ{7­éè(Ëûežørü3j]ØíHw„òòžv†èÍ©RÖK…•Ó3›vó\öôÛÂÿ…Ë—<¡lI@Y/@{2j»’éI.W)/#[º¤“3*žXù'egó$møÌ|ëÙ†àÞ(‚ã•ÚLǨº_ÆLJ5ᶖŒJáõF%ˆQ '1| 8^¾œÌ‡ëãè5–gq™Tô5ÙÔæ%èQ£k0i0U#0€Ø«, ‹Ã’ÜÆ­j?¿óƘåÜý0UÃoU¬6NÄX `À¿"–È]û“Õ0Uÿð0U 00  `†He00  *†H†÷  ‚£â#Vbº2·/Þ¦³ß±Xfâ !!±&¬r’ƒY¢.Ãú,dl~Å=é4î(<ã1ú­!ÓJƇèž³VÌ2XÖ¥èÐܘ~’…ô^‘¨Æ§{q}Y_GVGcnkÜN Ò®7`õ^ÿxǼ*#›Á²×Úà®h_Sk†Æ øNý©ú}R˜ð­*øal£ËóÇq P²´yãq¯Ï䟽CϳÙKìÓ))N'JÆ]£7 £ì™J6ÁĤ ÕןVǧE¤‹ÇŽ/± a=(–‰è8ÉÿøŸ[0ÝÜËv0Uÿð0U 00  `†He00  *†H†÷  ‚bNP̬Pp»G)RçÉxÏ\§P¢˜ “[`Àý?±ç½Q‹1à·Ù$Ž¾âZŠ©°Û+Ö»yÌßØûáÏ,jkஃŽtŽ#ŽBîâBÓWîõx\áwh4yܲ¡H&ÏÁŠ:%÷ƒç=ˆÙMþ±QŒ¸¤?Å®së(Ç~dOJx§²[ѬUO è ª‡œ„ÝíXaþl„qô)¦†E(¹Š?ç|Û]°8A?éËi+%|Œ·¸ÙË’•€qPZ †$hÉ/¨írï\*>g‡{—å«4rk„’y˜öqñq,{åãµa#°÷././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/DifferentPoliciesTest5EE.crt0000644000175100017510000000162515161577363031451 0ustar00runnerrunner0‚‘0‚y 0  *†H†÷  0K1 0 UUS10U Test Certificates 201110UPolicies P2 subCA20 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Different Policies EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚×;ynÊ ®ÊQ£«ÖªVÍŒ–É×À¼J£—F‡é'C?Ú|14 ¹‡â(håaÇ$\¥Yœ þö±Sø$éw$\u †[ñäMíR¿¤‹¨(jÓ=¨¤Û œ¦Á_á›t‰ÑŒ5U“éèÞ·Øâü·F ¾“Æ2,_ßYÐ{à~3 óןVËP¢·'U/n†Ã'zCœ§‰ã˜9ˆÉU«äðñ>¿î = Õ½çBNÑ×PwŒº.š-‚ÃûÛ”×/©›[T½¶bkCö/}Aà d+|îíì̸õ÷ ,¶™¤ší^¾oý‰”—ˆpÚÚjÍŠŠ]õY£k0i0U#0€,ê¸w=e¥¿3ÌzÒ˜ü¾0U˜”˲:­ñFÄZ‹2+1µ-Rù0Uÿð0U 00  `†He00  *†H†÷  ‚¼ŒÌõî›üÛ =ê’a»dvXxË0OðÌž]DÜËg‹\¬ëjòâ9ROíà­–r¹N„û¬°UN.íe¼¿#±œ,™Õâ²h”ci™‘8öÈŽRûq˜ ^V|,È „±Î5c„«ŠÜö² ÂÚsm¼oŒµQ¢âÖÆÀÛàŽU†J¨ÜæpFíSÄ’ýsbigâçòçiíÇ«òàVGOÈxþè+Îí{YhÜ„öQ0—ÑlaÑ?èv”ûÓýú©áœr`.jµ<þ¤FÎM¥xïÒ纰«D(ËÂ7¸_]÷¨õ!t7ßú'VÓ8æAÐI././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/DifferentPoliciesTest7EE.crt0000644000175100017510000000165715161577363031460 0ustar00runnerrunner0‚«0‚“ 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UPolicies P123 subsubCAP12P10 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Different Policies EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚µù¨„*wõ0ìÄ`Ú#„Þï~3skl™€ $‹ãÙ^Ú¹Ætà°X5­f‰QrLj¥Û=;Å–»Xºî!0>ÖE5Ÿ;ÍŽ‰ñFýkà"ÕņÐÁøäø‘! f#V:=÷ 0ºë)gG&î'`oø '©[xŽC7N(Ú#Ħs,¢ËÄ´&…­W cêIAÎ$·Éõý„IOž³‘$hç 7§ù|x†ÿ'Ë>/Ú,¢¤7ër¦ó~Ûw¢¡‹øØ>rò”½½;±w´vߊ“ Ò{Œä ãô ø4€ï 1öuØ”oËàò?à,’^Ñ c.Å4jÏɨF·æÈ©ØíÑ3áñ]$Â0U™øzÅBÃÇs¸«d©â]5þŸr0Uÿ0ÿ0U 00  `†He00Uÿö0  *†H†÷  ‚6åÔç+  ûHgˆmá—çæ=bŠ&Ïé ôÔFR+¬quûËÕ‚kS–8ÍÊŠÐí©aë) óQ$áI1P(;<®¸Ùddˆ„iLˆ¦•Ï˜:HÙD®ïæ¼ê̾ëÝ÷ñ^*-Š¶¬±4p‰‚=Ùö—X=K÷¥§{qÒ-Uwó`ô¸Z °B„ ß·Ðþc×1#á¼@M|Ó§ë#ƒGU〈¡»¢AïüÐ¥w‘Ò&ÿHïI+þòmû,ɱÎ6¬ûHg(6€3øRu</’]2x î‚"çtXÞVP¥e%7°—”bª$8´ðí£ÕÙqxKiÇ%././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/DifferentPoliciesTest8EE.crt0000644000175100017510000000165515161577363031457 0ustar00runnerrunner0‚©0‚‘ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UPolicies P12 subsubCAP1P20 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Different Policies EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚Á™À’Xa]o,ä·ÙÖ…8Æ,M|šˆ|ž¥ëCÚÑì¦]ä;Š<‚cÓ8o—å!åìÄõ‹§'Q° jå< È\v½nœ?[“Ó‡¥.V'Ô”ïS=‹7Ö(¯*`dýÙÆ¢&&ž Ô¥˜« ž€ºÂï¼&™…ûôÆFfÌõ8¬ÆÙ?I2&ºq*Ý4“9v”nk ¥ 0»;ƒŸƒméÓ¥¡ñí¦ö¬ª)‚²ÆAKš¿8a°ý¦½ýÌË$atMÿ®!Lžò•»FQâ­4¡Ú2%Ôï~¦Ólaĵ‚„âjŒµ!wqŒ€ª‰Ç² Ê1½¹%‡£|0z0U#0€Ç¥7§Ðú$å|ßÛò]iÛîÊö™î0U¡oªlS ]ªìô–çô0Uÿ0ÿ0U 00  `†He00Uÿö0  *†H†÷  ‚€¤Ì†‰"#^5h,Ä4}PŽ1¤PDe¬#±O·#Ñ°µHv‘ BªU¼„ÏD0æ¼ `e7úß±Ämam95åSW±Ãö§ÞÅW]uý5†¬‹)nˆAF]ˆl¼–3vžâÍæHë¿¡†Ûr·à’´¢WM2ô†Ñ™|Í\ |æ|¸ƒYzºüÆ™¾¤Üî…êÍM8ÊI¹JG–}z5‘ºÖúX #ÎIßvëólxr¯9íÇ‹=òk 7F\ØJ†Ò+«­ó~B/ Ês$—7qíÅÁîíóàÍëT€úµU øú“ú‹^¸jú¶§‰¥œ ãdõV›¥kâ-././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/DifferentPoliciesTest9EE.crt0000644000175100017510000000164315161577363031455 0ustar00runnerrunner0‚Ÿ0‚‡ 0  *†H†÷  0Y1 0 UUS10U Test Certificates 20111)0'U Policies P123 subsubsubCAP12P2P10 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Different Policies EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚¾÷¬yÑK‚ÿ/–í,Ä$é—}î}6|}¦b„~AX‚86èAÕ!¹ë¬>©ê>/T *ûH]å H¾h§ ?´ˆˆQ-ûéÊ<5ù¨£YŒõƒ5`æI2À—Ö•GX’r]0ãšÀÐúê*vÓsÒºÝDßìÉtÏä`»1èÀ˜‚Å "wb÷ œ3L(ÙxªaÕ<€ çaŸÖŸ_HiZë<ÕXˆäV–nQ‚ßq Ro#¨Uø†[òƒøCÿ[UIyð×]rz¹+K­ŠéWü¯ S.wŽ£Yt ~BöV¤}°oñŒxÞÏNÝxˆ½£k0i0U#0€‰ „û¬» ×Þ^^žhö9P@ˆ0UãWwóT¾5-V˜ÁÏ©¥Sè0Uÿð0U 00  `†He00  *†H†÷  ‚;ÅÆs羃oŽaˆõ®æÈ)wšÒõK”û(è.®ø-4Šß®šd{Iáâ‘0É…F\jlh„S> ù×_zÁùkñláÚcS>Ñ-ó[ëîõ0Òf4b'„‹ó+FèAÓx!?N¿Hé}$wŹ‰¿`ꯂ‡Ó%¡µJ!,'BÞJ¡S¥y­p “ï‚`NË ¹ØølÝ.W¨]0—ÔÜø«"^ø[YÛ¬)’÷Ƈ´³§ZTˆœÖ Žž™Þá®Ä¸—M©e^žEÿšÉë#%³Í4HLãU@Ë}bRÍoà;‹õÏùoärC¯]|²µ“&¾Å././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/GeneralizedTimeCRLnextUpdateCACert.crt0000644000175100017510000000163015161577363033405 0ustar00runnerrunner0‚”0‚| 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UGenerizedTime CRL nextUpdate CA0‚"0  *†H†÷ ‚0‚ ‚ÈcÓ‘‚èÚ.'íöØ@šÒÚ–uŸ?œ@÷O¦ý Gˆ¨{„ ÙʨÅä,Ñghš¢—BÒwP 9}æ=P”üy`óòPûõŽxÑPœ!|Ȧ’—Ð×{Uy±‘[`óa.lqª’}ÆÇ\+šP¡Ëô¨Òû“Úýw›Ý @.Õ½ûá¡jú ¾Ãjˆ˜5v2oáÊ•–¥i+ƒÕÄZNvײ$âèŒ5ï íb¢ Í„™ÊŽ`ÄøÙ,”ªJ‡2F¸‡wŸÝ®“¼Ìü¬Çˆ’Póu‰¶UkÆN£Ô%ŒÓLcÝ’_9²pC¯vŽ‘ÿû7£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U~*uï 6ÇKç ÙaHGŽƒ,0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ªA~½W~ñ¦Œ\“c†¨Kð}<\"*Û‡DCßæñÿÖA,ÏŽCÂ6ˆn]x¥¯òú‰ºõctÚÛÆ(k%üqÐ7I ¯!ØvÍ8E(šÕ\ çü7Áó¢Xìã5 \·&†ö W* ÞÌÝArkðµí™3!â 3†j q)UÑèfÐzè”h»oðWƒ«™ìý‚ýó¥ý}Fìá.lö^ Ê\óö}G@7²¾Åq$!º‰ÿãoƒTò†¢£2üÉÜ^‡!?³ä’,qãzh˜¿xÚ~^.gå„”½ƒö%Òۭñ-0æQšNœªÎ(ll././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/GoodCACert.crt0000644000175100017510000000160015161577363026617 0ustar00runnerrunner0‚|0‚d 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0@1 0 UUS10U Test Certificates 201110UGood CA0‚"0  *†H†÷ ‚0‚ ‚XšGbû]öû ”{å¯}9s mµYÌÈÆÆ´¯æòg£ 4zsçÿ¤˜Dóœ #,^¯!æEÚj–+ëÒÀ?ÏΞN`jm^arØC´ %­§ä丢 óé=\b¬úô\’¬:N;FìÃèön¦®,׬Z-Z˜m@¶éGÓÁ©ž‚Í–RüI—ÃVYÝÞf3e¤ŠVÑçPiˆb—Põÿô}V2i #œ`¦ ‚ºe ÌŒ¥„”S”¯|û…g¨H_7¾VdIlYÆõƒPßtR]-,JK‚MÎWáU¹ýy8“©‚q‰² >e­×…]kc}ʳJ–‚FdÚ‹£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UX„$¼+R”J=¥rQõ¯:É0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚5‡—æu5ÍÀÿ–\!B¬'k2»-–±pAªOZ>æ¶ô>h±¼ÿsd®Ÿº6V|ô=|QG¼=î=Fú„ˆÖðÝȧ#˜ÆÊEN+“G¨ÝAÍ |*!W= ½²l•ûG øM:êøµË+êV(ôb©>P—À¶¸6Žv ^À®ÀPBu‚¼Ö S¦iý˜s2ffµíÌ\þSÕÄ°¾€ú¸’ Èþ%_!=lêPmtt–°ÕÂ]¨að/[þ¬ kÙ ^f'Tš¼âTÓø G— Ú$S¤ú§ÿÇ3QFAŒ6Œëé)­X$€èn c0*9$òtž‘Å«3././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/GoodsubCACert.crt0000644000175100017510000000161615161577363027340 0ustar00runnerrunner0‚Š0‚r 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0C1 0 UUS10U Test Certificates 201110U Good subCA0‚"0  *†H†÷ ‚0‚ ‚²˜–È#âqyBÐùâûžñýÝý¯>s•ÊŸÁg.˜òÔ8Ô“Ìg93Ý!C*“lOµ8k€ÕøÎÑRY퇯*Sº0y a> æhÙ›±1o·æˆYÛpÇq¤×¾c¥|—‚jí¬×ô‘j1j}˜ÞÏ dZ4Pô(‡&]+´`wÚe競ìò@Ž m*1 å¦Å-oe>~c·Y2td¬¬ã®ç¡\i»p¶BQàó& ZÂw¿Ÿ@ð<L³ò•¹ÇE§n+†•rþ¹º‘Ÿ žï>²Mé}eÝÀB¶µ`+qU/ßzŽjÁ P!Ü}"^ÿÄL+÷pG././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/GoodsubCAPanyPolicyMapping1to2CACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/GoodsubCAPanyPolicyMapping1to2CACert.cr0000644000175100017510000000171015161577363033405 0ustar00runnerrunner0‚Ä0‚¬ 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"Good subCA PanyPolicy Mapping 1to20‚"0  *†H†÷ ‚0‚ ‚Èr1.HÍS´Ü+‘BÆÁJ²Ó{‹röÔtžßA§óà]Uþ ¥û ~'àn™ó·5o€ó»}ŠéÃh í°€Þy¹yÄxFÎêã4Ò‰TcŠI4T8;QéY;âÐá•6>6šJã_s†OÏ_ŠìŒ±ÓM⪉±«ä;ßld¨|¶é^‘D00<.²[B ½X+;oÀb"0>"ÛIê„ÛÜx8ÿç=­_in£æ º7ÇÖoáúÅšÒªºÔRÌ!Ó|õÏ°÷nFŒäCÙ%`c°Øñ‰gãA2XLDŽ|™.aº/ðžºyà“¥…¶Ç·ùT“A£­0ª0U#0€X„$¼+R”J=¥rQõ¯:É0U[sy™ã®ÓŠ¦3Nxä ±äÉ0Uÿ0Uÿ0ÿ0 U$0€0U  00U 0&U!ÿ00 `†He0 `†He00  *†H†÷  ‚"#²[Œ4³±£ @µ†~ØK¥!³n ”Ðñ;§þºë=N²zéq®"­û?׶_&td?—= š†5}+o“]ŒÅu0Òm¨¢yß=xl,¾íÞ[¡$Bi !óù'ܯÛZúõNxýJ`_Èf¡6C¥´¬M¦¬2ô ²†žžþ2´yȶä^øDξD¢J†_6’¢¨âëÅìsGB¿‚ó£³uM!}ö ·rðQ‰ü0â"{uPIŠÀoÖJŸÝÈhha|D7Ìh‘M¯àcFåJKª¶Þwã^¶}4õf ; 1ñ«ÿ»°TsÁû±././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBadCRLIssuerNameTest5EE.crt0000644000175100017510000000164215161577363032404 0ustar00runnerrunner0‚ž0‚† 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UBad CRL Issuer Name CA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Invalid Bad CRL Issuer Name EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚ÛQ?h7ó£;‹óÌã¯Á·aâïÞÞOÁcª> FÔ«Ä D§l.¯Æ‡Ü’F_¡÷cŒOž)F$›vIE 9œúäm‰oÌ”f³¶E"×pd³/Ÿ ÈÐ×zϽàç´(ròˆ‘‡T>BÌ2ÕÒþ,šñø\x8íéˆOßîü,ÃhòwLaùìˆÎOfé%aÏôù¸?OŸq¾<©“Z;]x\Jd§ò*„Ý\À­eˆ"€>6 ¬%ôÑ—¬—ó3ËjIÅj—ÛVó+^[¿tÐH0w’|™*s}ËzÝ[ ‚â¡6Š¹;]}ÄÔ†Y¿Fʱã2­¿3£k0i0U#0€rò5]ÕJ A(ý”pq0UÉ0jymûé(ºhìÄTº`ÝVc0Uÿð0U 00  `†He00  *†H†÷  ‚RÞîÅý2ÙÌM DEâó”1øpÀ¤œíìtŸ¸ã7éŠóÞaª~òwéÝÈKCa¹øñçÙϧûe4l({ƒÚóx×ÚØë5‘5^,ÆÈôº›»ÈÓ³¢Vbð#ƒP—æ8¦Ã ‡ê/¶XÑHÿ|Pg £Çÿêæ,Èõ3+È€Û_É°Xf- ßNÓ‹¹ÜLµ¡—fíüDõyÈ7Ìá‡(ÕkБe |vÉ«›ô^PAÕÇž«Ö?×{üö%È=Ê‘ÎÆá‘,=g*ò¸­Nïf]uÏh¨o<@õVÁ»&발ɠ™EŸBÓÕÔ“ ^äÏáï6n KK(Œ³JI././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBadCRLSignatureTest4EE.crt0000644000175100017510000000163615161577363032274 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UBad CRL Signature CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid Bad CRL Signature EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚ª!ÚQkiÿãû&r- ^Ô\Piö c}nµ¬P©kE>Í×ÏùõvðÒÉ÷•±Ú: M˜g ûp¥ ÌÐÌCG~÷>Õð}™jIJ¹û® $¥^û(Á3ÉAC þJñŸ‘úÁÿ Ý5P‘`™š«A&)oç"ª:¥8Þý3é—æ±²ûÞOãØêέÔ}îÿ~´7·³|¼¯O^¾_w«^)×®C8šŠ¼gÐ žW±öã$jOäɈçñà zmšœŽ]pvvëI) UDé ¤ÿ)Åú6öZµd8Yâˆ÷­JK· ¿Òà6üÑÇŽ<ÀÏ/ï“ôE£k0i0U#0€1‹5žDa0Þç .H$Ûù½0U1mâ!~T Õ‘,Øí&± Å0Uÿð0U 00  `†He00  *†H†÷  ‚%ñÕ4¦ölp©XÙïYºªy,ÿ…8—.ÕŽº.á}µú2¡8jîJgm&þ횬ûx÷!Gw>DëçZ„¤å¾Ë±ã¿Ê)¡–%Ó gŒÕ!úÂV£ôŒµ®¼E2vÑ3fMúgxH2g*c3mGõNjè‚ åyYÉ̈8µˆŸû—õ#šzˆœíš@^D“ÍWÚëLÚ\«Ç¡tóš ¤O´‰qG^?nR5ùcu°•eÈ ¡Ä±~Q]»ER‚J¬ÙÿVÖuÞe~ëï$«ÐG̹|Æ"ìx½ÎMí¨~wÿò« ¤IkþPܶA‘¥=†“¹$././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest0000644000175100017510000000167615161577363033643 0ustar00runnerrunner0‚º0‚¢ 0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Basic Self-Issued CRL Signing Key EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚ÀMsäõþɇ¼xõ¯»Ç)GئÙXÜsAïé³Aú;KµÌ‡pj:‡o…µ”ì­%'ó§bâ¸}ÝæÕJôÊøÑMŸõléÙ²þ†GŠ¼ZïD1u ç^‘ÍÄGuËòAÌsGÍ©¥Õ¿¤}8·|è8…íäNÊ4%Dl4ÔÌ'å½î©;V×yE,‡r…¸Eør[¾cjœ²‹Ó¡úÐ猉°ã°žv<¶ÇMŠúþ$Q)y(°¿-.Aø„WxY0–®ð%_";·'}‡›Ç“·0]™‰¯ÅÍ•ø½Ã5ÄûhжÃÕ÷’¡A‘`æ«£k0i0U#0€)šE.6•ìò^TœÕÙöD‘,0UW‡êW0õÒv­V áÂ$'70Uÿð0U 00  `†He00  *†H†÷  ‚L§9‰VÜüÏ¢cîÎØ ˜,e8·º½Y1ŒÛ=–»©§zÌÖS¼1:Gèÿ~€GFV™Õ›[I½á52»Ì2awit1ÆBFp€?ÎœÕAf ÷®®†°Ís ¿NÝ“Ø—{•ïžsr9«è &Î?•ÝuUß½ …#Wžlƒ8xеƒ{¡Ò®Îg&€¬Ä @z ýô ½"± )ŒÓ3974ë™´¤ó·žÂ~{·Tö —$Ù././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedCRLSigningKeyTest0000644000175100017510000000167615161577363033643 0ustar00runnerrunner0‚º0‚¢ 0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Basic Self-Issued CRL Signing Key EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚¢^(üö¨Pwæ}«‰HÐnvš“%/Ô²dà¢Æõ7[ 0± ¨ÒA˵§\ÜVXéBÊ>×w'ŒOúN)ŸC»€¹›¯ŒåÝæÖ¥'èÚ Ä+š€Ãr_ÚÎz•C$‰Ö2Ò¸2‹©!#¼æÚ¶²ïÊÚÀÁúö.žŽµÙaíؽ$Æ0í­:š¹P¤P; +„á@i¢vªžuág”¦·•…IâĶ}¬BIW“ø ÇW ÷‰Â¡FĽ`©Þ:s”Ÿ°o¹1ÅPH¬ÏNÐïiÜÖ­²é±ÓÊ&؇Ä–m|òÜÉ¡'Gñ! 8öÐÁS5«£k0i0U#0€$ÁUqúžá!…*ð­a§¹ÕMC0UhÕNåTŽ&$k^¡œÆŽží0Uÿð0U 00  `†He00  *†H†÷  ‚˜$ŠÝ-ˆÊM7íúe’fx‡‹9ú!ûSRçts¨=ŸHG º³i~K«‰'š´)çã(r,6[]!žd~O{Ìo§ {Ýí§k¶Zbclu2ÞIÕöõq&õ†á«ž—íÔ•´¹­­ÚªîV"EîÕ‚6ÏØá^•šx×*ÎxNŠa÷Å(³0sªåçgFK œ·~ <ñ܃t@Á’–­r*1?³@øVÆIݹ¸ëد–‰méÃ7ªpiW‚ýd=Cl‚—µ­˜¸ŸŠI•×]“¢»D˜|mË­_mGR³‘p<Œ92HçT%ÔRªâ¥O¢þàçü././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedNewWithOldTest5EE0000644000175100017510000000166315161577363033552 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU;Invalid Basic Self-Issued New With Old EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚§A§ñÚŠtŠPŸ\YÌ¢kP¢ÍžYC¨Œ½)kL‡í\¡Ïì$ý‹†¿–ªøÌ£î¢e Pok >=o9©°‡r;2XŽ™¡"¶ã¬׿œN¿³Ë ””€Ÿ Ë˶mŽÓÅô¢8Pª ÃôÀîR‘ño¡Ñ~pÛ:‡Å2o´6ô8[Ô3ê€!r±› MZ>¬#k¶óž2Nw¶¤~æ¸6•"¸©[b ¨•bñÃ=yÀÛÒ“Ž"æÊÞõoäö+{Š·EÒà ä£qÉ¡GJ Í‘UËPßhœo˜—†¤> ‚¬ÌTåè˜<•a©õê=¼°·ôE ²À‚Ñ£k0i0U#0€Ý uShÄË@À†0¡¾¯0U´*Ú¼¦NH·\r ê¹`ïØÜ0Uÿð0U 00  `†He00  *†H†÷  ‚yk”gáÚ† ®þ¥½ž €É‚ ]±Þxò¬©ÈÒÈ»”Š?Š žh1,jñУÕ#ÿ²8°9”%?Éõt÷7ŸObåk  Й]’ÀyÚ–j¶ Œa²û5MÂÃ/ݳ¢‘š¸SÊÅv\¿BcÝW ¾b]þÒº\<‹!út“·3)ÐÒM«]Úâ²Òyý™è “ÚÎØŸËqEaÏ"=y6„ãÚýMc%å,>Ùý*\Vïal¶Ç_K‹5–Ô~ïÕâ½ú5•,iØ=öƒt[é©QéG =ƒy½›³MíÉæ~t‰1ø¨´]m6y®Á‘G Z¬ú¯././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidBasicSelfIssuedOldWithNewTest2EE0000644000175100017510000000166315161577363033547 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA0 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU;Invalid Basic Self-Issued Old With New EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ãEµ [æ?µý¶â·€`÷ÖY(HšÙFÉRŒzŠ‰91 IwÉ]ï%§Þ)iÖ~l áªG̓uå%F6p‹*Gvå|åóøVßÁ` ¥3|YÖ×?=àZó“¿ÿùìå3¡v˜  úeoÇù^7\=vŠϘ6»eŸ^ Ë½]ágìû?ØÙFu­Ÿµ@yQ5ES@xA3»þ²ã}Z &ˆfQ0ª®èbyE}"üëgŠ]NhGéËHÒoáOã„5 ”çž–ìG9$«5×"‘²ÔÙØ;dG€‡ImòBk!Y‡Æ%Àˆ£\xì:µíÎ×e=+÷$£Y£k0i0U#0€v|Ød4 Oßq!t ›6¨‚×0U`œÝvÆ ?÷³2’^Wƒò¯u0Uÿð0U 00  `†He00  *†H†÷  ‚<ú7xƒ›Ê¡¼ Uœ¿v¢;t;|$ºž+D„Ìë]g¸8yçî[†ˆ¼´€ÿšv|H=º°O_!ñY›?¡öÇÔ#þ•mÄ躳ÍÐwc70 Ú×ÿ w ­x4Ò <Ã<¿Ú®bõY$Ö„˜9Y¨-ö‰µxÌVkŒº§*˜ ¶"µBƒKöÌB™“ŠÒ³ª4—ý":ìAH/$Çõ Uq§¼× 2¾¬ úfæúPWœOÞWî@vb³sÄ#&“õG ÑÆðPY·+î¡´©|ª¹L'ÁC;~T€·@çô†¶ä¯³Ê5óÊù\’Pm^././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidCASignatureTest2EE.crt0000644000175100017510000000160315161577363031520 0ustar00runnerrunner0‚0‚g 0  *†H†÷  0F1 0 UUS10U Test Certificates 201110U Bad Signed CA0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UInvalid CA Signature Test20‚"0  *†H†÷ ‚0‚ ‚šm£¥þh¸Œ.áïòÔžýš/ÿL‰ØBš?p0æ»2¼ –ÄÙ…øúJKàêããêAÓ;&7ÔßðÕ@¬GÜGÀ«²/¼;U¬<ú#’ѱCðÁ¤qÓô¢ÒH¥´Ó*A“ Ýý_Ûâf‰+-àGZpx/¬ÄáÝ9þÖ‡Ç*Pâ*4P—ƈª?0>˸2UBâ9Òa4:ÀGzp à% qE¤h¶••æ•øö2R ûñ~éßèµê­CÎ K÷%Ô?Vô®Þ²v§¾BµQ-6¦¦Eìð’$?6‚Žð#6ûZý¶êþÒj³íiΧáÝ+NáÔFà’ YzVÊîk ‚~‰ká·ž§•0ÿ3•Ø!:<|¼8ÌÂ]û´à…vt š_ˆ X½áŸC׮ɞ´ð~r¹ÊÔ›Ïá!g.”ªÄ½Ì@'=¸ßnRl —ªü1øÇåE7à‘àD½5^:ö^bæjëÆ´ :˜YÚé¨;Õ­Ëû£ÝØûðÛGî]V›Û_8«· r‡³ýÎÚJŸ´z¾”‘"sdd’ÔQe8áÒƒ ÒwcåÏXk°†|Cw€F././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidCAnotAfterDateTest5EE.crt0000644000175100017510000000163515161577363032147 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UBad notAfter Date CA0 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid CA notAfter Date EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚Ü'Ð:„ôü:?B=÷7mçrèðó/®$†#e–fûXÿ—ž'ôÓ\äl2X%ìiè —¡×û¯¿° 0õ’‰þš77;‹J¯DGèÙ®HÐzÉ!³TÖP åG¦Q®ë­¤ÀwÖxq?£?VR× [[QNØ6ȃJ©}°E“ ðvuf¹[ôP¾Ã*O} ¡z]Ÿû_¬–ɉ‘²"ý8”aÓ±1±PÙÿ«H^µ©ƒ$D’'Ê ÂiM7=‚g­¯ÝåíüCÁJ¿, ¹˜¤2:1blÉ›áש@sv_êÌuQ.JRWÒ]‚W®^³âÜEpAƒyßvÛK_]@η™Yý_j–óŠ"zjÖ£Ø/&’qÃbnºãr8IçâøÌ93z!=ñ,ó-@tL(ÃM‘ïMa­¼îßOA¦:ò…ŠÑÅõÞÌݥч;ÏÆ6l„—r\w[gav§€Ž{Ôa6ðI„öÑ*å¾É”ž<Œªø¤ë.@î;g'zˆ¿ „ü儃¸ÿ£‘*ª‘¹Â»Ö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidCAnotBeforeDateTest1EE.crt0000644000175100017510000000163715161577363032306 0ustar00runnerrunner0‚›0‚ƒ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UBad notBefore Date CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid CA notBefore Date EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚¼ÛA Àåð™¦ÅR ³±·cq*>J­{%Š…¨Ì¢sŠ+SvŒqDq&ÌV(¢S§4ÂI€Ea'€x›!b*éof#œYö^öeö±´ÒɶR;ñl 'êó`ƒ"*¨8!&Û¬„WS<: Eïàݼ¿=É'1uËwp»ÍƒòœïÄÆqÔ~#ßNÊ+`$Ä>ªÿ§°ìÈhÓGMl_]ˆó›¢žÛÔÙjvwƒ•äçôÝ$ÖŒ¶x±uÙoVä,øX2ÀŽdÆÒ·\×^à«¡L`]ÐPËüû³Ø¶7U߶3Rþw‹¾’(¬ õZÛREå¿AZ÷4ÑÉ£k0i0U#0€c>¼žû¡òY¡/K•þæÞV¸†@0U©ø¸{Voqùÿ!ÙÏ=%H%÷¦0Uÿð0U 00  `†He00  *†H†÷  ‚J8–c˜jx±iÁCž5P« ̸_Ϙ£ÀòÑ© öc,ñ¿¼ð«Òh§¤o¢™Ý {)åüc‘Íí§JÃ3Aú²JkÀ`Ç¿Ž5ѾjMÕ\Ð=< ᆯB¯ìü¯‚,ª·`Qœ2Êuc¶ÒvøY®j­*ïPÛ)YvР9_7Ž…Š÷ØÒçó|ÏŽÍÈ0xqËT¯èQ L=æèá®ÎÜéc;Éz–nÅ¡kÛÎzüR›áåâ´¦»c ²¶[qd›­Àm©Åt5öÂÇvk*ðs`jIm7QþÎG^sÞ‹‡ð=Žä‚œ÷1î:¡q¾¤././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNSnameConstraintsTest31EE.crt0000644000175100017510000000172515161577363033157 0ustar00runnerrunner0‚Ñ0‚¹ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS1 CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid DNS nameConstraints EE Certificate Test310‚"0  *†H†÷ ‚0‚ ‚ų>L\úÓǑþÝ×eS`ïAž±ÊÄ“^O•ã@§Ñy°¬gl«å%y=.¢™§êÚ˜~ µÍt?Ó“¾èOnˆù„þäù è.BÈq kQ,ºKïò¹ÚÕ ±B "ãzSPSÕeýŽ‚tò ‘ú~Œç…($]¹FB3›H^$ƒ©ˆ,©µ Ïý÷é#R®ÍB”ú›g ~žç0 Ì×åõëôjûœÙ¸ésmxOƒ¢^è¶0•Ø$¢"™t¶«î­Oß`òl`UU>Ýœtq&Š ùÑø‹/&-OÈùëšt¶Ê¶”ñ NÞ¥{ 0ª­R=¤ù£›0˜0U#0€±ªðãÏÌÒ§‰¦ƒÝÿnÚãI0UrØw_éìÒu6(xNö*‚?ms0Uÿð0U 00  `†He00-U&0$‚"testserver.invalidcertificates.gov0  *†H†÷  ‚:ºòë:ç…oyü¦ÀP³TÁâ¼Kû<ùMbÂ<…9á’•ŽÈ’Û³\½@em}Í€'×­Þe“¿¦¬°u¶Ø$^rýLþ„…cem5Kõ;Œ¬#±â°'M|=¥Ì_<WFªTë㛸NÁç>fþL¢Â·Ñ£äÔ²ðaÎ7…úÛšq­ìïÃÈY‹rJJXFd6"°×¡¶¡À7µú’o…>¾8< žDÿÄÖ.JÕdXå”îJ}§1-ìø‹ZÊ+á>…£0·ø²*¾VLÖðz´D*ßZot–?H;r_Ht8²EQvs¢³»¶q*ÝfvÂËuñ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNSnameConstraintsTest33EE.crt0000644000175100017510000000171215161577363033155 0ustar00runnerrunner0‚Æ0‚® 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS2 CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid DNS nameConstraints EE Certificate Test330‚"0  *†H†÷ ‚0‚ ‚Æ[ý”Hýjér˜C'AµbSCM5Íæß Ê’;ÛíÄZç˜-à>–d"l:R'‘@üE6ÄÚÜçífÌ/«|õ3gյƓ5óÓlv†éíCü•¤Æ¥ãõ¨ùm‚°½ð¦ƒØžm|ôwòMÅ_8«oŒ÷â¢&|’¿± +qèàųÀè…:n{ä5¼Ã´0¶„xƒË[ ‚ÜSQZíeûïÕ8æDwE£0Œ0U#0€±ªðãÏÌÒ§‰¦ƒÝÿnÚãI0UÎ@'"¨Ö&;‘þñíPFÎKw0Uÿð0U 00  `†He00!U0‚mytestcertificates.gov0  *†H†÷  ‚EgSÍ{ÎáÇ aMs §Lž¡`ñ|Ùlý µ~_râÅy‡U½s2ñM¦ýܸïQtX\þ¾Ôj3KÆÕ³þ¶ÎDf·È‹‘à"|G„Ö+Ï9„Fœ:ÇÅš8äàjKÎt(Z’ÜZå€àzåzüf”‡äžLÄ»P!©Aß… Æa½Þ #s8gÀˆ‰É¾gùr²@°„cÕl²Ðgɧñ"Íß’K1útNúñ6€Ê›!§×®«*ÕÎ(šÈ{îõï.‡#^k  -ç<[ë°•Vè}–_¦d÷ØÍê«Ò¼@û¸²…m÷ՕЛlÙ;././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest28EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest280000644000175100017510000000203115161577363033302 0ustar00runnerrunner0‚0‚ý 0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA30 100101083000Z 301231083000Z01 0 UUS10U Test Certificates 201110U permittedSubtree11D0BU;Invalid DN and RFC822 nameConstraints EE Certificate Test280‚"0  *†H†÷ ‚0‚ ‚¸½ºP‡HÉ«sc‹yñá'Ýá¯D“†Æà~£/ c®Ì¿² ë,üžuÞÿH†þ‘¯>ö#yÏŸÕ#ªñÿP£éj-DHšDaÇœÊZC=Æîè°) §$0`&³Êï é‘ Înn·ƒ²9Ù1Õ#^¡¦Ù¾p1£›iXÉ‚ñ"Á,¹c$ç_øHli7K[œ¼–àÿSâÏiÑ‘juâ2´§ Ÿ©@i_?›Ú·µ[:L²# bLÃíи¹+§µøÍ :È–' Rò‚ð ìÓVWÌ^¡ö^cvI@œ‰ ">/½,ûÿ]À|^]VÁnA›£™0–0U#0€'IäÙEúl˜”lüí Ã$RmUD0U¯ ݪÜzq—)£S§G¦Tb0Uÿð0U 00  `†He00+U$0" Test28EE@invalidcertificates.gov0  *†H†÷  ‚†dæm!ôå‘yôòÔN¼hm㈒¦ø‡r#6&Å\*"…¤Sp(׉æ&L£Q·†*jžeĬ–§ æ¿Õsi¯&éù¿ë5FY 2ßðã U–h2‡Lþ'|X_Ë€*`ÂSqŸ‚ãZæwbŸnê±½í2acýÀ=äùVã¸ý“/nb<u÷Ï…çsd8}w»Èé˜Á ÖœVâ VmÞš³ÀSäU~ôšð¼ügh†®F–ôí¥¨¦÷%òõå§u˜íˆÀ¶YÇðèÝÜ2o[ø´ȇÍQ)B´Ô d«•}ˆ ³«HÏ/Ö‰?„ÑYãE¦˜Ï././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest29EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNandRFC822nameConstraintsTest290000644000175100017510000000203315161577363033305 0ustar00runnerrunner0‚0‚ÿ 0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA30 100101083000Z 301231083000Z0Á1 0 UUS10U Test Certificates 201110U permittedSubtree11D0BU;Invalid DN and RFC822 nameConstraints EE Certificate Test291/0- *†H†÷   Test29EE@invalidcertificates.gov0‚"0  *†H†÷ ‚0‚ ‚žÏPÝ›ƒ¬‹ pXLeE„Åî1oK¡ÖŒ‹yÊàNªÌãyæé„I L\|B>áø6ˆ…í¤-9z€?Ý!ê>ê)×Å™;Ô\R :°Jé5-ÔÊ„ôò×y—jËî.d8!8›M=Æ¡œW¤àî<"yXèlM—½Ø ììs X»4™W«–µ£/°ä¸KŽìÄüÞ¡¥k&¦-x©š(µ‹áf+ý.ë4|ýÙÁÅÌãvиRé?Úú]Ì ö[^kº+›ãü°Æ)ãևl€¹’ÒÖÏÆã.=—쮑°ì,>~tèqCÓ¿\š²~:c8@×£k0i0U#0€'IäÙEúl˜”lüí Ã$RmUD0U*ª(F¤Šz7¤¦DŸÜ`è#]ð˜0Uÿð0U 00  `†He00  *†H†÷  ‚ œÃ–g›f#ÎHOúc®vÖ’—±¤# W­Ää<à'‡Ü°Ê1Z¤oü4AÝØ}t´iÄÕOÇž Ècbè ø¢µ |Æk-§oƒ¥Ø]<€Á_]½œªéjçkDN蜧Bgçxdd€8.Ï£0v#@,qƒ™§ç¸ýŽbhîø}§å”pæx÷X¾~… †ÓhêæMæ·^"]{Â}Z!×%Ìä(2ïÒAEîÁùT 6Ã{nui¯ÔÓ¶m ùû€aÂo±wkOCß¡£•y‡z$MíŽsG¾ý»¸Ÿ«lPŠ'¸è*”2ϪTÇz€ ¡ûøÞ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest10EE.crt0000644000175100017510000000173215161577363033027 0ustar00runnerrunner0‚Ö0‚¾ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN5 CA0 100101083000Z 301231083000Z0 1 0 UUS10U Test Certificates 201110U permittedSubtree110U excludedSubtree11907U0Invalid DN nameConstraints EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚Ë\8‘?Fv•‚Ã}›G•HL×åÀa¾7eTi7y"«Ô.Ie‰Ô²•WIÿ>í;\LÝ£°—üš”ì0T`í³;SÓvÒ¤À®Iœ6ÞžÕˆL\Õ”ë@ÿÚz¥‘ª<\Ÿ,(‡·ÌŸ‰=LÊ%#¨²Ýå¼áž×•\¥$µŽfJ Ê.6×ý[yy ®„xÉ{Á4.‡ðiu]Ž;ŠÿSåÎxxSMËF«/¦ù1æ×ÿxþðÛÕæÄ=ü\\és–{"ämRróè¶ÖÍ"õò©æíÅdNyyª•Z±¥¸Wõ@Íq|Èë>} l|æk­FVH=ùnRI£k0i0U#0€ºŸ Ê9œNwZëû•¬Ó§J]'0Uø|÷ x2S‚×å˜߇ªûóeÒÐ0Uÿð0U 00  `†He00  *†H†÷  ‚ª¡sâ5 1–žÆõ‚¹‰³ñò×ÛßVßH[¨Ò%¨(‘Uçŧ©™˜ÜI]`Ýå)¦`—°¼ÌÝï ÀsÅLJ™ô%þÒ€)×–7„ãu¨F@×UP&‘–‰êCÌCÎE„‹˜Koâ×gvøš8?mXÆà•ÄH§ (øšU=Œ)ÜóN¯›g°‰Q¶CIu@F­^ÈЮ$>¤a{ž€ì€^ô¶ð¿¶Ô˜#+!Á¿Û6ÁìR® ¾ÍÛs[¼±4&&þ_1ޑͬÚË,Ûª˜í™dÌÂêß< ¢³ÑV¿ÃyÅù¡WÔ®f€y ïœ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest12EE.crt0000644000175100017510000000173715161577363033036 0ustar00runnerrunner0‚Û0‚à0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA10 100101083000Z 301231083000Z0…1 0 UUS10U Test Certificates 201110U permittedSubtree11907U0Invalid DN nameConstraints EE Certificate Test120‚"0  *†H†÷ ‚0‚ ‚±¦7böPÒÜ0I¼ .Á3§“èØÎ.ŒÉûQûØtÑËj_¡ 0Þ<­öþDkZœ®ÀÛÍ ­WbI LyŽkwÿó$¸’Í¥rQ‰Í€g2¹ÌUäú1Î2N vòÉô8î­ ^6<_g9õü‡xÅÁágòbA³LQïd¸‚|EK}W(ñÕZ9Y¹r0öÔ[ ~oÌXïEØÔ)5¿ƒ§›LjËÓ’9ªÚ5”>˜´UPÓ6§ð¡Ý *9´¿Î‚>h1?y¸¦íNŒ½lÙSSY‘µ˜ÖxÓêKeeòŠx62Ug„Ž¡Káv~MEש‡) sØDÉœÈý£k0i0U#0€á8C\ÎçKbÇÁ’öf‚ê0U… „ä²® K ÅA´‘½žþ90Uÿð0U 00  `†He00  *†H†÷  ‚}ˆšw¦v9[" ø<© ËS…°>?ôu¬ø4žò]ìÜhOÉøƯå¢ ©éŠ5>·zñl;ݧëM]2 ’?È&µž–ÏIÇôáažy<ŸÎ“š Øñ8"†áÜ$äã­ç•ÚgìÁ¾b9Û¼doö å6aã!è;D&åՅά˜ýEWÀöa Øô1D“Jé&ÇÑL(:~ú¾>ø†ƒêà¸`Ç·™Psøv"‚Ôãž·‡B¡{ ",¿Ò|±æTTÔ´–8%K././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest15EE.crt0000644000175100017510000000170215161577363033031 0ustar00runnerrunner0‚¾0‚¦ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA10 100101083000Z 301231083000Z0„1 0 UUS10U Test Certificates 201110U excludedSubtree11907U0Invalid DN nameConstraints EE Certificate Test150‚"0  *†H†÷ ‚0‚ ‚®ár; R$õû‚¡‘sº])èáYᦵ´b uTf^+¬n°CJÑå;†Ã·òŸ®ú”\›æô=h&3×Ú±:/­2.Z—þ_a=­J/ïxò)¾Q ²å¤Ç(î»–ÿ¶Î:ZF*¡„Á B@³êar¹ý™<‚pºõI_)çþ¿Ñ`ÙdpE¦ûtbë{´ɾ¬Ì>˜Úó‚V«˜Â¼ÎıٖexQ¾€ë©KZ§æ¨¶gá¦Î» О‚øÁ¢ δ×Ú £;™ëeSïÈ |%„ÙºÒÕ,fKÉo'Ämݬ¤èê¼wo^km9ÌYj±£k0i0U#0€€¼Ç.÷Žñ8{ô5ëÝéXÆq:”ªqæ¢TZ”ôRFÊnÚ¿x#Y[DX‹[!{›Ú1”»q¨Ö:[Og¡˜ h¼·]ƒ—è!Êú`ƇæíÁ`vó0eæpñ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest16EE.crt0000644000175100017510000000170215161577363033032 0ustar00runnerrunner0‚¾0‚¦ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA10 100101083000Z 301231083000Z0„1 0 UUS10U Test Certificates 201110U excludedSubtree21907U0Invalid DN nameConstraints EE Certificate Test160‚"0  *†H†÷ ‚0‚ ‚Ö`ðì^~¶r¶—ô;(Ñ­LÏÊ ›Þ^Y¸p{©pô*Öý9Smæ“»>è¬Fï4¨ä¶Gß”fHÚ]<ÙMj¥sf01`ð-9­KHrÉ?‹° ÑÌ&°ÞjîåŠÙ:¸S?¥DìYTsôCf„pN™‹¶0 ÿ¤Í)^Ûë²ÛZ OtËKµÞôÒõšþ÷}‰Ç¶"I̵Z> "¿íyV‰gÐM¿]-Ÿ Ú â‰Cî_gJ4Š$2j~ê¾yÉë×ÅlTií£dÅÉðû…-ÍL`Á„!D¯-m[þÅΔô°(ß±ù Xhëu­"ߣk0i0U#0€€¼Ç.÷Žñ8{ô5ëÝéXÆåLl[‡ý<öõ#e_Ej0Uÿð0U 00  `†He00  *†H†÷  ‚8ëâΕzD&qU]täóÈ@ÕÇ ÙjQ šO°–ÌÌn,(û7¨ÃD¹\T[ðeÚg=q{þ„±#0ÈïáÍ!œ&`DwUo•¦ØЂ< ¹¾®W¹ 4±fÖD…á· Ùü€}/ ºù¨Â£¼çJ Eüm/°I¨øZRN΢GžçØi"Ž:¨iýÿ6üc¬^¥£à qªzñhÇ$b,ñ'©,ñ-»!K’ŠfÌü=nƒ8I¤×»ßx)N0ÇòßôAEÙJšz¨bþ\äelâHwü!Ž’ŽêL· C-ÀDtPƒ¬þò¨fµ<’&¸š˜ËÿyÈ ±ÏÎ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest20EE.crt0000644000175100017510000000161015161577363033023 0ustar00runnerrunner0‚„0‚l  0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0‚"0  *†H†÷ ‚0‚ ‚ÔLo©†ôdÆ›ý*Ï pÚ­vI×›˜:W®òwÌröù2"Ï"e°` â=$¦…¦ÈrðôÞùqm(¾¸PE’ÙÔÇðJ¡. (!ðAÉfZ‰L_êHï;¿„Öy<,ö&°r×"[apšcø†Ù”õÒÖEÊI÷îQbx­™øŽK;¨siPêYÃŒüCÅßí‹-)h€È&ܔƓ6m?ß œ6C¦w2bÈ·ó5¬s!»Ï¼òéǘÉeœQ²˜RÈù±eo´y÷¸:IépÛ²&ÝŒj€G·Îþ.)5}‘f™¸˜Pø+ÞÉuïIh·2 ü9Æç£k0i0U#0€AxBFÍN¨‚çá9ß÷©À üï†0UXJºà€òÈC<–²÷J²•ÖÂ30Uÿð0U 00  `†He00  *†H†÷  ‚Jõå£f3.'JnU’Gű×%sC@Ÿ\“bD€ºE‹•ŠUШ~%_Wÿ –7}Ð~ÕQœ2zŸiÂÎÈœ‡,qY¿æÆlDiL;Þ_ €ÜlÚã"œï„l!mgR¬òS"ë%F¢©Ygþo`´ 휲zÿÙR¸wòæ´å$€*vŽ²£ùÒÐù¸Öz.8zï¦hsåê{É›8õ×ç¿üRê27±íDÒÔZZêÑÓí=¨:[4•Uú¼N­ºq0‡“jÃæ‡,W5pòzž èû[x÷~‡ Tè~©èÒޥʜdš–„d^í‚#3€Êµ‹-Å ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest2EE.crt0000644000175100017510000000167515161577363032756 0ustar00runnerrunner0‚¹0‚¡ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0ƒ1 0 UUS10U Test Certificates 201110U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚Ä„qí!’›K$Ù!QS[:G‹Y‚m-iû&uCƒ ì׶}F°@W¥+èkúC3@“oê 2LÙ|û`:0ç„~ÙÛÞ¸1¦O:_&\Xá£:Ýpg…¨¥vâ<ž2b¥ðŽ×ÒêŒç>P¡´e*NÓÚssÌ\…ãÇÚ wžíµ¶Œ‰=#—úí>zËÔºxE(áû8V{’ot® DÀÖSÈ$à5YªDÿG—€í•ÜçÛ’Õ0Õ"l›e¯ c¿B–òt.zšûOž…/:™‡ä»Iá8ë²ò憣K©6$L<ãµ\În0)jcreêÑð‘îì‡vê{£k0i0U#0€AxBFÍN¨‚çá9ß÷©À üï†0Uüsÿ¤âZ÷&˲B;ö µ§ÙÕ0Uÿð0U 00  `†He00  *†H†÷  ‚VêXñm\Zk®xBQA¬µšÝ°Üðµ–væFÖœäp†ìæ²gB\)Ë‹=HÖ§~¦ìn"¹„¦wfsS´pD2ª÷‡GÛßH<]ßôzSlWÚ×AÕ49¥*¸ØÈŠ¾ ZÒ«÷ª}ÖÚ' YlÓ}m÷oº¿Ÿ,w`ÅÄ´AûùP7'Õf½lhQõçs=/LÇBxÓŒW@s—¶H¹Zov[_2L¬—h¹ LJƜ³5e¾zZ½ÙŒjqg˜[‰‰ávD½E\ 6Õ_ øAõ6nT¥C-oÈüü¸˜^W&§áçÊ>µÁ¬æ\íuéQë+È2Ê~¨À~•6²8êw¥È#CK-EcÈÆÁ¹#ÞhN®]>tîJùCtPÞ@ö÷ ’lñ¶d£U"Ë•!·wªZ² È©ÓKÃxsQ¤ò:J¶[²=è‚iѬm»H¨Ü¥XY‹â‹ÌéëÁU6ÿ£‚0‚0U#0€AxBFÍN¨‚çá9ß÷©À üï†0U8©ÊâxK“ûR‚.TÝÙ®AÊ1´0Uÿð0U 00  `†He00”UŒ0‰¤†0ƒ1 0 UUS10U Test Certificates 201110U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test30  *†H†÷  ‚¾2ùÊ­}h¢“ÒCáLÜÍýKüC8Žn1 hÑŸÊ2ÏÄ4¤ùIZŠxá®4â-¢ù4¤ÚA~³«ò1®eµ¢UAR­Gîú”‘× Ï•©®´ÙA䯞eT=õò±AÿÍn^D„SmNVæÈYz=zyUîÅo˜+ ©¨jO›ÎátxßÆNºu£¹tߢÇIЋj³X9)¸¡J›f„BÅŽp¶•œƒé옾—ym*R1þ>¤3©Ó§¯_Ëf‡Ò¡–qãË´DÜæd• l]:†¸n¾ `“?|ðˆ}UíÒŽ"·l•ñÙJ8b –qk冋ÿÔyt¯}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest7EE.crt0000644000175100017510000000167515161577363032763 0ustar00runnerrunner0‚¹0‚¡ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN3 CA0 100101083000Z 301231083000Z0ƒ1 0 UUS10U Test Certificates 201110U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚žƒD8Ræ|ÿ˜lS³CÖhˆúl¸õ^¥IÀ× °™Q4ÑN”J†Œ¼v³µŠA þ×7^ÓÐç±ÿÖæÓe%i# äÒ…æbÆ®Þ8êû,Ø29}Âü!‹/Dê( â+½ö œXcÈö5´0bGÎñeùÝÏ[ö ™d¯Ä,ǺýšO&?5ÐB–9dÙ*¹MvÅ®ŒœÂv%ÔíË#É"@ÔQÇ#yü Oþ~/Ë2sÝï«¥¢ß¯òår”x•ou„\âÂ/¦2†kŸ×h‰KÛ‚u”°©J„<åôeRSô0îò-‹‡)«\$šœ¾Àâ4V¬U£k0i0U#0€Ü[¾Ç7Y¤Š@t| E¸í"Õh7]ñé5ó-±0Çùsí¨ÐcºäÚ^âX$±?gQZïÂh¦.b¬KbÑÿmGǺ$­§…ODg%1«¯¿nôÉò78ÈP,šë¹*Ã3Dë„=lú´ø×’- ½†HŒs„æÙÁ@ŽŠ&œ"Ñ×£k0i0U#0€lI6­.X‰6QA;TR&$ÓÊu0UˬÍywÓêê箋 È5¯?rd<0Uÿð0U 00  `†He00  *†H†÷  ‚&¼³’ÝuÅ}‡F:ª v¯`gRÀºÊðó²[”ìÒ¬u¯wp¿òLr6®v¢PM>ì:+–áDoo†ü- AÀ‡–Feÿ¤Ö}·¦q„߃âüqÚK´œSMO‚ÖN½îµÂBðXYc⺈|{ùío¼gîPX¦+!ú•mˆkŸK ÄÓc”þëýß3â‡6°~ða_S…D|Üú̘ﷷDÊú¼".q&UrW©T×…JGÖêqÌËŒo.›EWáœÿ”l././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDNnameConstraintsTest9EE.crt0000644000175100017510000000167515161577363032765 0ustar00runnerrunner0‚¹0‚¡ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN4 CA0 100101083000Z 301231083000Z0ƒ1 0 UUS10U Test Certificates 201110U excludedSubtree21806U/Invalid DN nameConstraints EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚²>bÏÓ¿Ž€ó¥gy²$·ª¹‘ÜðÂ)å&QƼuP®‰ŸWÂ~7Πçƒo •óB Ëò‰j¶ t\2îDâc<·¨Üþ„ïu~ ŒÉ/b†Á)ĬFèn2@§Þü¸íî4{Éñ†ea;÷ôr±,™a„àFª¦zÜ=Ø=Kioö—ˆéôNœ .›¬øÖ1‚0¼È(8yÊ`cØ°Rûñž÷ˆ¤8 åoø îW1é'ý.ü?ÃZ$ £c÷›éáþZü^™ú¥;ˆÕ¦}Ý(œé—ÛwXÊ4É…͉kRXâL]fè_níëe™ØPîA~Å£k0i0U#0€lI6­.X‰6QA;TR&$ÓÊu0UP¤16Ž×ÁÐÍ©àl«xν¬ï0Uÿð0U 00  `†He00  *†H†÷  ‚¨›”¦?ʬA)AÌ3IÎ2Æ >Õ_?“üTó_8í¸£…³I“PP©òstÆ –õÇ‘ü¾æKÂõò›<°º®ï7æà6±{hÆç伄G©J‹f9 ìjAã÷Á^•ž¶nÅã8BG˜='í¾UÅ7?A ¬"±\»›̵딾ïò!-~›ñ™?Ò,E6^Ã×5~aÎ\Ù ã7x Õš Üá#^öÁvíUOGù†ÔØ]/(å¿göýXûÊêq¤Æ”êé5àïœn®Ž+jò¨V»¤ðÏ11Ù›€Uš“&0 X.‡ÁöTŠ€ã„qY././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidDSASignatureTest6EE.crt0000644000175100017510000000152315161577363031651 0ustar00runnerrunner0‚O0‚ 0 *†HÎ80?1 0 UUS10U Test Certificates 201110 UDSA CA0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Invalid DSA Signature EE Certificate Test60‚¶0‚+*†HÎ80‚½°z<´I}æÉ‘Íc*ÏEhey%©e¹P˯j²ýÁsÞ™¬eÎ'óî> 1êØ¿{¶(ÿeFåÍ¥)ø/Á€uppA'6[:¡{K²¡VýªðÎBå6ï4Tw)š®cªI÷>®áÂùö‰2ÿ™h{ùÎ4]ñ|)d{4d­—c BÊŸ¸ ~:å3¤.[À`_mCF<‚ð~ŠÂF½:@ë§n-Õ„fxí0¬®M×hñ ønöó:¥•Ù)¼‘A¶n•õ¡;ò¦‘$Ttƒf NþKâ€"õÚ’¹ÉÍÜŠøû}©¬•øÉÌn"X±µ9,÷ljÂS÷hñŒ¸!ÌI“7ä/ó·XMJ„€Y¹¤Áú0þõMÞ&SçžZ—6ô‡RG6ÒÃ53êÔΣ´Àý_qÝAÏoúÌ¡É‘D®9ϵ<ëäß埓)RY†{´‡¾<ó)Oè1õÄyH‹q×Ý’|6]»°²‹çru¥©Äûø!÷/±u\òP„MÐÇìµààÎ\ø–£k0i0U#0€ÆŒtè{ ÈYÇ}<[TY`% ±0U†hú*IkIðE^¿b¥RÝ… `E0U 00  `†He00UÿÀ0 *†HÎ8>0-?¤ä똼s†Éu»±›?Së^vˆêö«}T ȨêÁsŸ˜¢././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidEESignatureTest3EE.crt0000644000175100017510000000157515161577363031537 0ustar00runnerrunner0‚y0‚a 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UInvalid EE Signature Test30‚"0  *†H†÷ ‚0‚ ‚½!+792±X9¸nå‹»kŸ2 ÜÚù‚ß:µÕÖËÔÆÚf„â­ŠgÅå˜w¹Ú“ð\±³cÆÑâ‡+ºtýOÁ(Ž*¸Úcƒpýžu°ëmA³n|{ãrPþ®>*ÄXéPøC4î!”/{Çà7=L­ŽÔ|öæ#±ÂÝh/žÁO?B©‡U"gQˆ5¿éX…¡Æ¨.×êŒZï ¾}}øB×ßæ^1ûënÂ.LoŠO0Š®¸Ð.p ”†n^lÚ~à¦Ñ¤¼5ͦÎ@¯fãîÒjè”/Í´ÄEÔ1¹Xk53QC“áIê,ï|áÿOg†¶£s£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0UÁƒÏ’A>ŸðRøáìnSÎd»â¼B0Uÿð0U 00  `†He00  *†H†÷  ‚³ðeÁÁ­(ò<…ýæÅt-uÂÿÓ€-ìñ·TŽi┪sw­ëOÎz÷þ¯V_žj“V{Û¸’ËÚ× cáã[ºÔè{üïž)T3í¦‘ô ÚüšxÉò%™Ð}èG°+W»ËlÌ+ ú@0ÎO‰Tž+Uµ· ‚&=âÆ‚áöwÃÛ´Kö ›Þx÷‘%¾Mº7qWwdLÉ਑°te&]÷mh¶ƒIöŸ“ý– i–Ò…^ñ‡h¢ë¹ˆ|¢G‹?1Xx(»8Ø¿F¦LtjjÝ5ËѹïÃERwÝ®Q¢‡‘ɤ» N¾Nà÷š<•k”Qâí;././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidEEnotAfterDateTest6EE.crt0000644000175100017510000000162015161577363032150 0ustar00runnerrunner0‚Œ0‚t 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 110101083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid EE notAfter Date EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Õ…Âq:ˆ J:¢Z#ú»üÀV»Ë,Ó"å.g ×iË–Àdz²šÏvëy6táƒI¾·¤¢B‘j%Ê)Xv‹ìüü5}ckÔ~’„ Îïî¥í¨æ”‰{—S¢|‚رË= FÄ+ËêÏïç1È€ö+ykŸÌíU"—#¨ÚœЬܱaíŒ\UY³ÙØ¥iÛ!%YBqQÕý­IÎaPx¥JˆU@VëýAž@ÏRVªÏ¯t ÃUu–Ø_ù![&$÷=U|T,jÛvÍËŒ3‘•x2X³yH›ºÈ£OÝìûË…UAi¬@£2/·Æk9â6Å@<ÎK£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U%èËwµÕ¶¯#_V#º¯­¤¡0Uÿð0U 00  `†He00  *†H†÷  ‚T_'éЧEUÓ}Uñ°=‚x3BÚÄ#N@kE[;÷oµJx‡ ÂÅ xØî%žaSJo>Ç åí»áñXo²Ù6 7ïã¡šìö®äþpj ù6ZY•¢ó)÷lÛøb9¿"ÅœGMc|äNÑq ¶,C:Ôc ÍÄEæ’†åÏæ~»³Z-n(`Œ­?q3ƒD|t$c ËïyO*êÖ€Â|HC¡jÁÿ8¡uVóZœ!ÿ Þ/™ÎÓ Ù­ìÀ@ØÔ,žJxýXø’Ý|B‹¿`ý¡©Rq“EÀ_«&ÒP싻ɛbP@ƒAïD‡(¬¯sˆ]ͺp9././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidEEnotBeforeDateTest2EE.crt0000644000175100017510000000162115161577363032306 0ustar00runnerrunner0‚0‚u 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 470101120100Z 490101120100Z0g1 0 UUS10U Test Certificates 20111705U.Invalid EE notBefore Date EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚µÍ´`ŸãÚ´”b'Úê³JÁ Ãùý¥ ÿrW©èÀË _‘)j*[oq¥¬xÕßÊèªÿSˆ¹m|ΠÚë7ÍJøV=ÿÿºN3?—ÁL*íRüùJéd ¥´ÚT‹ÈxçÓ¦õ«ö¥µ7Òuh}äVÁlw:Æsºãl;Ûݼöo)¤ ¡–Ø Wœh&"N‚á.`ÈjàmÔ4p AÀ×KÙbÿñÎÞùXÊ$X¿!g“·fåÄ6×ßæ¿9kÞ¬½“G®,Oû¸ g$ÿÙ!Þ¬lÃØJDrv½q9}ÇŒ aI{žý8:eÿßt¯.—£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U™t§=Bl/n1x•\tÕá\Áör0Uÿð0U 00  `†He00  *†H†÷  ‚=+³¥IA:òTógjfŠ9p/>™/ƒvNm6‰Ó¸ìÇr¥#@ÂYiJÿ‚ÉëÑÐËi.‰O4Ûò[.⌱“Ê †µNÖª=­ô æ]Aùkaö‚›ÊϨע´ÐÌ9ÙÕË3=غ†Ôªñƒk­,4²Òë¤Ë6uìK«¦ì·Ú¤pxÚõ)t ágDak8S3º07Ì(Œ%f-‚Õzh+}·úµ’ÝM)ð,Åv˜óúóâšàSpyxSù²µ<ÇÉÈ ÷OÐcz.TÇÆì}QÐc/à e&>”ûüô4‹7 ÚÖd<0“.î~ª././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidIDPwithindirectCRLTest23EE.crt0000644000175100017510000000163515161577363033036 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA10 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Invalid IDP with indirectCRL EE Certificate Test230‚"0  *†H†÷ ‚0‚ ‚¶nÜh}e¤Ð²nÐæ:ôõÖi D4ñÇIíè·B‡M¾Ä7Ô\áŠeô¦ Z]Jc]KËѪ™Ö@“Ÿv•…Ñ.¤J[¦Y HÇd€ÜŬsUÖåŽö°ÒnŸ…4<È¿øKÞì¶7É‚<%÷±´±w €Ãy3QÜÑåzuý#Ú²†jBøÂYò„'ëîÌý3[¢QèüÉveù\ÎÛqÄŽ•¶® ºÇè«g·ÿ½a9tÜoíkD·JÇÿQYlÔ½SXR&Wß÷¯}Û™?-œZ´‹ßfdŸõÜKmc‘û•;`8—Ï©‘ê§`+îD(šè#ç¯Ö¡ú÷mQ\à3²-0Ï£k0i0U#0€%ø¯ü¯¶©yKÛËd,‹K±Í0ULFe`ôbù#Nˆ#d´–¢{øCU0Uÿð0U 00  `†He00  *†H†÷  ‚ue»ƒâ|ÊA©xPqÄöœrGü÷¹ÕrN a¤v{.iExË sÇ â²4—+.w’½¾z™ºYÂè„ÂÁ"ƬªÇíR½ËPLJÂÛz•Û4j´»L‡8¥KIƒô\ÜR×+½ë²ï^ƒ¥€^Q¢1:Ù¦‹| ‹Òüø3rR!LÄÏ2˜£«Ü¯€šFÔ÷³ï}Wûz«í©Ä$9OôºÏOo—P³¢ƒ•&·È9Žòâ_Uë\©ũ˜RLV"qUkRÂw«16©™Cñ7ûLÜÂö÷1ö7 n¹„ºç†éëìIIÉ¿“A?"r§P³Â›”K@ï././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidIDPwithindirectCRLTest26EE.crt0000644000175100017510000000177315161577363033044 0ustar00runnerrunner0‚÷0‚ß 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA20 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Invalid IDP with indirectCRL EE Certificate Test260‚"0  *†H†÷ ‚0‚ ‚Ìš{2oC*[‡´ß‰Õ’f•k1Ð1„ŒÜ€{aì!âîÃ{?A“ŒI'ЭtÇ._,ÖÅSÓø~Åi@8!ÙNŸííуbß:ö¢g×ácá üxDíȦ®r±ôYçM©1¿¥Î*wû}|ö›Îd1£cÚ0{¿Û$½4{/>ÓTý}§÷Çô˜ú#ð~<“4»öhP©ŠÌ–z3mš ø„‡Î+·¯zzŠÏîH^TØy{6ü Ê !#~îÀ}1Ë Šêú,CÓÖØéõCÀX$ÆJ¤ì³ ê`»úÖgô/Ù¡Î;T0µ—«£È0Å0U#0€ˆ#á³³òlþ1©¾‹aª;’‡¤£0U›½Â)¨¯Æ µYƒtà¨2¸,0Uÿð0U 00  `†He00ZUS0Q0O¢M¤K0I1 0 UUS10U Test Certificates 201110UindirectCRL CA1x0  *†H†÷  ‚þ¸Ê·‡jÙÞÌÁåe¸5ô²žØ´G¦øò^]t ñ¡ù}WŠ3ðUõvBoù„<:z¡·úìÔšÀA ë/ŽÙp Œ›G[=‡< [pÎÚˆ+YÖ!¥¼ƒrlÂm7ë­©_ë'ZÚœð|óWмÀ2Ý…øsŒð¿5+8ƒ µ1v;0EécåS8pþÎ œKBÑ’E€¼g·XÑÎ/Oâbo]½•E®Ñ~xÚ «‰¨o2þjX‘]Úzµdf6JÙ¾‰ª£(/moÏo.·¯»´OôìÈSßÇx›VËŽ—_k=°>¶UFsw>P(¹T—m¾././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidLongSerialNumberTest18EE.crt0000644000175100017510000000166415161577363032661 0ustar00runnerrunner0‚°0‚˜  0  *†H†÷  0N1 0 UUS10U Test Certificates 201110ULong Serial Number CA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Invalid Long Serial Number EE Certificate Test180‚"0  *†H†÷ ‚0‚ ‚Æ3 ELÒ€ª.!®€ÞµDh·/\3Þ¡Êó+Š¼[ñwð9CÚóødð`5Ë I»>_›Ý«y“”g¡¤±EZ)—„ÅcA›b =Á¼Äj!„ç·˜ zœå}Ø»£užÊ@µqG‹´¥[È '<5žÊÙÿPwQJñüùÛ5*‘¦Æƒ`Ê­+¡vM§\ö #ëvAí×0M™GmQo)à½y!è"5#XµF‰?x)QíœI®^hû¦É^†sîó΋BÍTUBèéݹ®êU¹ôFcaN³ÈzÓvc‚ÍcvÎ8w×½êc6åº*ÞMÐð‹K‹ál">«ó¢£k0i0U#0€ c·G®Â2oã:¸ê ÿ×d¤0U¢ T~÷pµ†ºmVu<¶ÿX‰„t0Uÿð0U 00  `†He00  *†H†÷  ‚Yµ›ÿæÍŠ›m cvJ¥Va÷Ùü„È¢;ªp‰Ó?©l«ëSçà$›n«=÷Ö'¸’1ʯ›é2”œ3 `",ô¥¨Jký ×™;ßñ³ÌÓ6%‚„]U–%™s 'åÁ„†wC øK6 ©ÚWilòŽ}¼Ƕ͘žT†Ð¼HêÏ°|ýH™æ€õ>fÜ1Ž&ñž°š8Ìu0ÙÏl Õ«Æ¢}î ˜Ÿ Ã…Òž FÈKýGâ¿A^¤ç[`‘üž[¯Y„Ð<¿î °|yC¥µªAIqí¿:ÔY°îªC9Ã+í²ïyi0ªÙøSñKñ£`(xaâ±Au:Æ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidMappingFromanyPolicyTest7EE.crt0000644000175100017510000000165015161577363033471 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UMapping From anyPolicy CA0 100101083000Z 301231083000Z0l1 0 UUS10U Test Certificates 20111<0:U3Invalid Mapping From anyPolicy EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚Åõîj£ZµUHøçÅAmâ„«—pær°’sõ&ç8Šq¹þ,)s]`Å)Î{$D¢ndÔ47å¿Ê|‡ßY[(õY¼“þs † ÈV®½ÕÝÎ߈‰モÀÌ¡‘¦ Þ® ’ÚH_—ç™-½=p`Eˆ@«ðŽGg ²ò‹ð¦NºÚ bҜʹ§a÷X‡ J«íßÕ§¼žQ+–’ðb'Ð.ÄóG=ê< ã=;â®Ñµ/(‹û¹Œ1ý6˜Øê§]<¯‹¤+Ú”“aYÁ~Óù4^vmac#FŒY¨æ_³FAˆðº#ŸKôíC&Œ¹¥£k0i0U#0€hsà 4Ïr@Ú”–Ö«z¤o.Œ0U1‹ˆ“nwÎì»äG,«•¥,úÒ³u0Uÿð0U 00  `†He00  *†H†÷  ‚;ßD}`=©ìP¦dˈMæm‘B&Ë";µ0ÑúƤÑ>Á’®?YN¬ÙnNçîýapºKÄ6CBvYÔ y$ØË3 ¢rü},Œ©]q^fÜTî‚QÍÙ•4üS™ÉÏ€· ›«U‘歹Ø8a%˜W€¸{.mY—¬xk2yxé çuÈÏZ­¯ôOéF˯N“Óîúü©°®¿¤çÇ^Fù¯Ë§S}¥½*H¸¢±“(ÄpÞ€ÖÏ`èE‘úMW6T¹zab€2Ò‰d0 ÔZjÀxÌÿŒÿY«€f«Å,i…2ççáèåwDTC“ps_Å®+—15!ˆe././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidMappingToanyPolicyTest8EE.crt0000644000175100017510000000163615161577363033155 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UMapping To anyPolicy CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid Mapping To anyPolicy EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚ÊõÕêÏÃËÍç¿}ÚÑ5¬U¼Þ|ÆÖAçés I™‡I$;öQy8…¢ÝW‹âº>N˜fÜI.\¼VeP¤áò0¦´1M‰›.ha]áÚƒšÀT®€›†%9°ֿsW¦©>jy Ë°ÞÅWG0¬Z’銔ìÁÚA(FQoOÁr¿ ÛÙ&1±uUÍÆ=kèR¯*ÂX® ” ÏÙÓ¸m9ëÓÕÃgvfÇéÅn)Zp±†{ï)'€ÿU}4uxr ôkÂ: æ5äq×òÉ=sŵRë ÃéA‡|$ª4„•ªÑ ©ìd$]=›H“2=o…¶¬ðB<5£e0c0U#0€,í“ñp”‹-“´˜Ò·¬0U¢ä|Á:1QòJrn±ƒà^’KÚà¨0Uÿð0U  00U 0  *†H†÷  ‚M£'ãA‰wû~ >Ö0ZÔÕŒN/Å’»{‡~I‰Å¯¡†±ù’ïm”ì\ž«1›mšªí8‰]ön¯ç´ôP[ƒÃn…3zý°õÊEøèn~§{(¢‚—Þ{š“¦µöÌƃqÔ. & +æz‹,lnWó_P¡öF{ÔÙÕ5LŽZ(¹¼Ó´GŽFµg.¢!ñ w¢TÚÕÖÖß›gšïëòUÞÚ+à—Cø’ %i_ê ‘¡Û­Î-q¬ž%ÊÔ ÝgùŽQ.¾ZQ¸¦±YýÈ ú^Ñ^óÛ‚¸ ½x8œ6×EŠ¬ß× ¶«&OH%áÿŸjã¯Í†}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidMissingCRLTest1EE.crt0000644000175100017510000000161515161577363031327 0ustar00runnerrunner0‚‰0‚q 0  *†H†÷  0B1 0 UUS10U Test Certificates 201110U No CRL CA0 100101083000Z 301231083000Z0a1 0 UUS10U Test Certificates 2011110/U(Invalid Missing CRL EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚° žäГgãö6 ¶…{3‡®2‰ƒ¿°çmézàùy×’«{û+ &`¯ÿø–© ²èåa•dë‚–›Ò¶d„ëûz J˜Ñ"¼9:FÜûªrT„—*¹ö±e±èÐêÿ`ã7"N¦úÃöne\æ3*Ê[ÅÙ‡ÝÙVJr’xÛv®ŽžMÏ›2Úƒû¾©ôˆƒœF¥úß“ Sûô›˜äÆÛ FÒæûŸ[Itž!>}ëB¾«IZóû´U»æ“É Ÿº›ªO½vÛ WÔJOŠÏª­¬ñ¡\ìD9bX]žS¥ecÏ8À7m#–ºFVp³¡É£k0i0U#0€n®EÓùýÌ®ziý¸ÒLì0U€¤ÜÑ13çx)$Í™Ú0<U5Invalid Missing basicConstraints EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚ÏD;Uçü£õ/‰Ÿs'6BÌþ$5ņWijٕR¯”¸E»:E¿#á5wgß"Uƒªô¦onþG£*ËL\ZÉ0›½ƒ®nU[¤DCׯ" ñ%]±ÿŠ`î¡ÄÖ)=r(+… ÖUVäbyÓJDG¼Õ0Å2iúœä3ºø˯ÇsöÒ5±Bã?ºr“»Ã¸M†Êa[äî%¯M…¦È;iÉzðÖŸ¼Ðî%2‚Ëg¥;·9(¬¡­©“‚©+ùÅ ¶HT2 Ùq YšúlK¬ßšÕš±BŸQK,eÃÌÂå‰Ãí¹½çÙEJ»fÅ~š`¯b£k0i0U#0€0V¼OÆ&Ƶœ¡p’ÒùO y0UMððÈEPŽý(mmT¨$v„0Uÿð0U 00  `†He00  *†H†÷  ‚Vv p¬:¢+ƒ\³ÍÓÊýÔ’”ˆâÍ2?ÀZßNÝÛÂúEVͶ¿J+]8ØôÎܳådÜðÜ€Ó¢VJ}&ã­0™ä}Ì-ZGÕ—cξØá³i¤½ÚÏŽ6ƒq:xxºAYj…ý}:õ9<\Èé³÷¯á,Íly‘ O®Å././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidNameChainingOrderTest2EE.crt0000644000175100017510000000174715161577363032701 0ustar00runnerrunner0‚ã0‚Ë 0  *†H†÷  0“1 0 UUS10U Test Certificates 20111#0!U Organizational Unit Name 21#0!U Organizational Unit Name 110UName Ordering CA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Invalid Name Chaining Order EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚¦{dˆ­MJ· óe«e}ÅæaÊ[†ïUV¶ã{l®åü³IÚ° ­NÜ[ãr4¿»=f"{‚ð™œó|ø;¡4ï0ÄFï$ËŒa”Lÿqªý¾L|g6I#âLw#»!S£Á­†µ€ ›µ·œB|Óÿß‘Ô[ÎïVaré(gñ}ñ«ˆü&4f ;g²:b -æ?QÙó7âÿ ½»€¯5(jÂ^Æ€°²YX÷Ž{ïvŸÝUÐ(Ì—ÓÌLÇDuŽ¹Žp—È`j_KE"ÀÔ\ Ó×K,G }!´Æânê qr, ¶Cg ó*6hŠ»ÓDñ»Ï£k0i0U#0€¿J‹›MŒ1Œ[éÌÝ/èyQP0UW!&ß(„Á/¤Ý"FÛÎEØ(X0Uÿð0U 00  `†He00  *†H†÷  ‚2çê§ôԌѧFõ&wMþ€_rîÞZ<ÑÓî1“ù;€“L{–ßEáp™Ê2À{˜0Û¹Åa7v—›¯‰…ÓÔOÓêZOIe‹Åbå ª˜‘µÎ}ÈeüdÚœ¹œkgC‰f¶hž`e3&Jà!c\nêÇ‚ΗØ$§SË"6YqÞã©·ÇQd‹¿>$ôÞÔÍ:“ìüð¡ýoi3êr@¿w¿ `œ‡1ÄxÑ/…Rƒ†|Èx‡ДAYz2<Ø6ž˜)ÅOúáÅGlâÍ ¥ô±ElOÒ_ ßäΡiÁ:'ÒÎ7ªUy­y[ÿÔ㈘˜à././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidNameChainingTest1EE.crt0000644000175100017510000000162215161577363031674 0ustar00runnerrunner0‚Ž0‚v  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Good CA Root0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Invalid Name Chaining EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚¿§n`B`¯OƒÐá·ÄÁ¿˜uön#”dSï=âÍ\ò{gòÆŠ™™º:rX¡'¸¶^zñÿÇz¤9ˆuœÙ$Úç¶üV’Ÿ¿°Šï¢6r \Å  Aµ˜ƒ¿^²²Ï{b»«¹Õ°e®TÐŒªšNY}‹•¯v<® mñÎzR’§È»XþŽ©ònà‹Æ#-ÒTŧ-ùeŽܸ%pHJsžãƒCwnÏ@Ùäoµerû)/Î÷Á©å‚J[›o ó-g Ë a”ß[5<Þ\~ü-bŠÐHûëÛ‚ëηRž[;KÅîX–ü’ì%Ú2c]Ê‹£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0UÀ;zµù·~à*C‚½3~^uä0Uÿð0U 00  `†He00  *†H†÷  ‚y˜.'Œ=b€pƒ. }Jr?w§Â2…¯59w±‰a,Áö›)ÃòüÕQ!®”œ´Êý¹iß'4~+e!`ÍNû¨¹ÖRpŒ)¬ë4¥ 0<:]š-¾gfFÅ¡&ŽŠÃïúÓ@Òóíõgói‡ŸGH¬”œy¶ç¦9’þ»*y-åmuµ¬éÜpÚ{ÛS”¨8K‚A€¯kªw*b•§¶íhn‚—w•lÀÞú¼îÚ.ÚJÃþ›R!+ø^õi AÝJÃZ©)Ë™^–Ç^›SBrÆÏ>X©1­7š’Å././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidNegativeSerialNumberTest15EE.crt0000644000175100017510000000165115161577363033515 0ustar00runnerrunner0‚¥0‚ ÿ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UNegative Serial Number CA0 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4Invalid Negative Serial Number EE Certificate Test150‚"0  *†H†÷ ‚0‚ ‚ëb[ÔD}î¡Irâ_:Î5õ†˜¸zA÷€ØÍKHa©9å;~G+ä64AR‰ŽéšsS 9-ÚÇ7 còíò]·>´Gêµ[ç©mŠ¼¼Woe –h#GˆUŽþ±YË*N[<‚8å8Av51™èhâF–®YãÕ¼wÙ`çËSW¤Ç¦v÷MDxZÀýkNÿ$ž?¤2¿6ÙôÿB,Yˆ º&)¦î6´6Xÿ•ñÿѯü³ü,Ã'Cg¬(• ˆ°YómfܬÕά@†¼ÑM•uyKn$ÙÚÖ%u+*rÆ»XWÐÇË– ŠŒ/½"š©šœ~¤ÝT%öt+£k0i0U#0€bä.5ÆÅè‘Ð ÁÞ¶¯ÚˆÙ?0U‘ô1÷²â˜I”i[£r¿ -«&©0Uÿð0U 00  `†He00  *†H†÷  ‚Ij•U›õ2-¢½nP+œ< ŸZ‡1Ñ€"{FôÒäî)ìºb«F£;ðÛ` óšãymÂà®9åWÒ±µ¹íœÇ˜rK2±¢gû˜þót´>†éÊ/¼±6²Áªº@5¸kó5Bëpz?’‰@³’?ßÈ–0 Ѿë$Ï!— ÅMÙîV…•NS@j3ÞÈÌÊl”IYm=ñ¦,p¥¡ÆÄËÀˆFÅâ¸_r±j«4Û=Ÿf'é/4ç# ù;ƒX8~W3ðe‹ 8ù†>ËqxßY”¬~^¢uÊõh9+¥0g'ÿñÙ½"Ùäž—3§_­åÿn././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidOldCRLnextUpdateTest11EE.crt0000644000175100017510000000164115161577363032556 0ustar00runnerrunner0‚0‚… 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UOld CRL nextUpdate CA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Invalid Old CRL nextUpdate EE Certificate Test110‚"0  *†H†÷ ‚0‚ ‚ÅC¨mœÆ´gÖ#).y2göþçQ `b· mŠÉU¨ ヌP³e âÊtþxuÉ›•bÏt;”Ó“9„!`šÿ[Š!ã9UQ{-*¯Êdh]q Ÿ`œºmvú6Ê|i:ÈI/„Œ„lÐs}äT4ËXI³à¢Ì”tÊoªbÅ™˜QÀ¡)Ћ›]=$õdüÔlÇ=•Ôt,éæ2µrTÖ—ãFKÞ|.yÎâ1 ÷zzäàÿ¬¹­Ö„Z#ço¦¯’âõPøÎ oÄÅæŽ_Èàt`·þeVÃ]_ÕA·1‹#cþ¾K1:g]4?M´ƒ£k0i0U#0€ÎÚÚZÌŽ—ú )O¬–*Íx0UVvß  LÏL¦—LçhJT¥0Uÿð0U 00  `†He00  *†H†÷  ‚­hrŸ;H(äÿ°V}ÙÌìã êØ¢>׿•h Ôä9lûy»yçYªŸ»sdùV˜z3"ŽÞj}€±0òƞɗv‹AŸO>t°ƒ;%F¾˜Ó„CJ.@p pÁùñi;bº&Öè gnµá±á¯X×=§Qëó6Vd`BµÄoî9 Îʳ­P°)œ’ÆZ?²3Ò^ ÄÉ@‚"ôT툎D˜&YOMËa®z{ÖÊåG¥où3qdvB=Ï£0aÜ ìÃÂL€×líF¸zÓN·ÿx(”:D‹çªyû-ÀÓ;ü^Ü/Áˆò®Úÿy5ï÷ ÀTíŠ#©././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest10EE.crt0000644000175100017510000000165215161577363032211 0ustar00runnerrunner0‚¦0‚Ž 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"Good subCA PanyPolicy Mapping 1to20 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Invalid Policy Mapping EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚¨®Í›§jÃ¥>™]΀#1_–4ªH+÷Qëe ³4zÄÔü4.v"…˜øÎé a©Øk%ö›˜ÀסX‰á×ÜAð$a´ùV›Êm]åÔíÁ ‰/K½¡™®XT}´÷Ýrß…™5”Øׂô“èçÁ¸¿DAú¸î¹’%‹ËR¾áðEŽ6”~Û¥,cf¤Õ·GO˜|Ú%>E·ÕŸ\}4—ËL.`mš²k›>Nªaº{-a3”çàKè¢ì`A*§¨ê6U=µ`ú¼¨Œn`ÔRð~º4~v+¯š‹ÕÇ[6myöi—NÄü½ýÍ£k0i0U#0€[sy™ã®ÓŠ¦3Nxä ±äÉ0Uñ¿þèÝ臡Î8w‚6!P}$0Uÿð0U 00  `†He00  *†H†÷  ‚¯z—%âcÎsiIÿ퇟a¿&íýøˆ!(ªòÖâ·+*Ì–vºÐ/è³ìv;“!ËÎ(ÌÈà†Ÿ6]–R|˜ÈïŒ'ƒ“qÈMµyyVA,kM½½ó 1eŽË^‰ÕÌJØ™ëà~i8P{ûùæ1ìë 6z«n3èµâ& ,ÖŒ0€ $£#K¶Ð* œG˜ÏùK ×ßïê”ÊÁrs>®¶Žžè¿¹Cú;˜Ì@+܌ˆ÷G%îmúá¿L¥Œÿr+€‘Œ¸’Nf1ÒÉÃK=ç¬o£¢k›Xoç%åmP"C³ cá}0ZÅïnWÎm././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest2EE.crt0000644000175100017510000000162615161577363032133 0ustar00runnerrunner0‚’0‚z 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UMapping 1to2 CA0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+Invalid Policy Mapping EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ÏÑ™ÉÁRýTÝ9ÞW*Tò Õ“H s’ÿ]ÍJ÷AâŸ00™ñÓÊ2ís§lÉQÓ|œÃüø/Ï/Òì²l ð³1öIš ²ž–§Ÿpž…㕘fÑÅ1åºÈ%Þ´NÖò«  9U4ÄL)äû„&ð¶sÔ+O&P`¨/ìh÷ÍظèË¥–È›»qNYõiÁCdÇ›Ìô¾¨‡ïäŽTV7œï#¡&6å¢õþðËÂLåL+>1‰xfö §ŠÕÉ®1ÁæN¤=:rv)lú‰ú£Sü x„€Ò^2ˆ²Ò~’‚”d‹–:*SG’¶œ32ÀÚKʱðtŸMÃ<-£k0i0U#0€™ÅxiË=3v™¬Då°þ¹ôÛÇ0U÷z‘Ÿ°™7žtÇ0u¬KÖ!½µ0Uÿð0U 00  `†He00  *†H†÷  ‚ÆÅ ˜ÑšÎÜ<'K]lîù‹á(^cãñ'kÌKÏK† œ+·K ¤?i|TœB(tíÞW‚QyLs¨nò²Ó,R†ÍHãúyǂݦ[”7(Ðs†È/Ï^‚\­Ïqã¸7ës$QÚjx…ÂNžºzÆ3­K±ÒnÛ¬bY2ÁŸÐàÔ|p{›…À3è€ÛÏWŽç%t0Ê^KÙq­*—+tx§VT ‡aál:rõ9RuÉq§8 nK=™çgmBüF¯½Ÿ ¥—Œ/ë®"ï¡z…9ÖÝÌ ã%“…†{) ¶p­9€a‚1M¹Si• ÞÙ¾÷9@ Y¡]²././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidPolicyMappingTest4EE.crt0000644000175100017510000000164015161577363032131 0ustar00runnerrunner0‚œ0‚„ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UP12 Mapping 1to3 subsubCA0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+Invalid Policy Mapping EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚¸ç zý¯ñ–))OÅ1€œcÞ’"iCKDA ¤É’'¼z¸ÕÍŸ€Yäñ YùsèèC§jcSèî×€çÖØ?…ŠÝ}B¡íHÃߣOB|Û}NUI•’Æô“Ý'G ˜àe ŸK~ÖFê {¿—©LÚÝ‚àc}²ÔX}TóQÊ~öáÉ‹øKdþª»¯s½ä‚Á”­ù׊¶ êž>ì6DdÞ¡Ÿqü žðw<$ÔË‹†©!ß@j G³ oIÂ6Üøëw"ûñ!p=Ça˜¡º†Pú@åoó@뤆w›•/ÝVj௕dôk ht®Pg RÉòuÏ£k0i0U#0€]9>åª*^-ö®h*­3›=›s0UòžQÊ[ºÇ¶Ú̶zA®âR×40Uÿð0U 00  `†He00  *†H†÷  ‚muƒ ·;„–Þ¡bÜlï`W߶»cëÆœW¶~&­ ‰ný:*ÓÅ3™ÏÚ¦®AâUŸŒ—‘ÉaÈI°*Kkƒ5ÔŸõ 6kŸÓXš ¸kK¸¥s÷[¿Lü' î)Ò§Éu#ñFÅâr@¾B¨ŸZŒZ ”\`¡H¶ãó¯qÈ¥Èêj&Sú‰\"ÎB¾saÀ ëmýåvrÞ˜*‹Îéˆçv3yð[ñ÷A"C¢2././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest22EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest22EE.cr0000644000175100017510000000172615161577363033216 0ustar00runnerrunner0‚Ò0‚º 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA10 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4Invalid RFC822 nameConstraints EE Certificate Test220‚"0  *†H†÷ ‚0‚ ‚Òú›3}‘JíŠ'ŒiDÓO*ñ:äøA1zè*XdÔ ÿë¾QS9Œ5Ÿ Ä-|÷?š,”÷%åêw|„°.¸³ÞT’AmП”s`—i•8j8ªŒŒÔê·ßöT,F#÷µÛ2aÔmOÔN¤ßy ¾¬ˆI¶©V¶¯ˆœoX¯l‘ââ$ä{!ž`œ›ç¬þ¼‰°(*¸U¯EycÖá±+y. ¤Gr³xöø7Z‘4UaÜûªÀSkç—V°OøGŠå†ifîëè®@×Ûã Å/ìêÞ/3t:€ËcÊ?B7áDAd»f¬)ÁzI¯'½£–0“0U#0€ÈjŽ±Kª¥ˆ¸§‘Ûê3JèÕâ0UÏ„??þCÌ0v8ùŽ,žŠÁ0Uÿð0U 00  `†He00(U!0Test22EE@testcertificates.gov0  *†H†÷  ‚Oû-â³'ÇWÆ|ïVûµ‹iìPµÇ¯–…¢”Þî‹ìv ÆöIH{böø`¨à\ðœ²"û¼@²¨@ûKOÕ ©OÀ,¬­° Ô߃vjiN§ØØ°`¤Åo°lfxó£9ï*+óïFåEµùC›Z»n„Ôãæ³ûÐà_å#Õ=ªœ2ýôæ’þÓ›× *Õq{tœ]OÑ8·ó’ÚQZˆzJñŒ‹Vd…<”À`±µÕÖ07£°ÒFÈ¿Ñ9èÿØd@â>øîòφäKË‹ñ°L¶ø•ÑoÎïÏ3©¶SdÉÁä/¢ÁõdÆä)èUY ê././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest24EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRFC822nameConstraintsTest24EE.cr0000644000175100017510000000174115161577363033215 0ustar00runnerrunner0‚Ý0‚Å 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA20 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4Invalid RFC822 nameConstraints EE Certificate Test240‚"0  *†H†÷ ‚0‚ ‚íЮ+p5˯6‚¨‰]4@°¦,£5‚ ’¿ìmÆPžpÇ-5þ*ÓÓ&ä2:±u¦ed"X ý7žÐ—;›a¿WÙõ9y‰l*+ÄþìjÀ×b0B’³µ,ÆŸÃùÓ†NËù_ž~¯+Úºð'7ýŒð¨ÊÅ©æ&J‹B ºnî.ŒÈ·cWl”öà[éȶ†èÿ©øyz»Ð?Gé.; ¶“Û&½è—î=Þ)@ÂÜB¨\š:? <) O£mÅ¥ýèܨyAc›ÉpàØÛ¶F ¯Âì7ÈXq¦a#éG#ŒÜêQ{AJ‡©tÒ¶s™l«Â‰¼ž³£¡0ž0U#0€Q€ÍúIrH<íN ÎÎ@ep 0UŒ¤:£L·æM]÷ƒèrÁû8Ð0Uÿð0U 00  `†He003U,0*(Test24EE@mailserver.testcertificates.gov0  *†H†÷  ‚0øÞ‚Ö¡¥d} N¥5:45Œ%/N´.|ë鉼Í~($`´×r'Ϊ >É¡ãÏ&ì.{Jy%ÄaŠ„è'K/m4jc±gÎF2§›Ò Y½ö“Ô9\±”…WŠeùØ eɺ˜–¢þÞMwÇÇ TA–Á˜òRš°W4¾æ´qÊí.bòÝýAòHj×L­y¥xõ&Œ$¡˜ã©ßé1E–%NÔ š&ôWp)F}†ÄÀ¿)O¾rVK¾ª*Ê‘þç‹SIä²´$ö¿èë–û8® ªlSÑ2Nô#”:ƒ·>Ëöº·ìÅå¤#½£ ; ´Ž.ìôÍc Œ$LK÷‚;ð_u›yóÄÛ>ª² 8Io^ò'Ås\í’Gñ@µYò›¯ Ýལ–0“0U#0€šº9MÚ!u¯êAÃŒ±9"NÑÊ%Ïæ",ršiã  >öÈï”û×FŽyÊf­$#)wÞlÿF]ÍcC´´2˜¦þ¼ õÌÉʳ‚KÆ%~Ü"Aß}&,Ð*q½n«3c ŸT±”s[öȸ“¯V@…kƒ8å¾uÓ/êN“åNµ$ïÄ^! ?#; Z[­wCJ0Óm«á¾éO%<€¬ƒ‚-,€^¤Øbþp?PÓêÜüÃC—)êç#=ŸPé€u’WYi&<õGŸK_XûìÑh8CË././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRevokedCATest2EE.crt0000644000175100017510000000161515161577363031161 0ustar00runnerrunner0‚‰0‚q 0  *†H†÷  0F1 0 UUS10U Test Certificates 201110U Revoked subCA0 100101083000Z 301231083000Z0]1 0 UUS10U Test Certificates 20111-0+U$Invalid Revoked CA Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ÙõŽQ dÞÖGÑ@Í1ó[0æ…˜6!ŒÁRÐ~óP!žFþqùþP‹ì]…A  ¨˜9=lÚçð¬c#¬î"F¬LöE-|b‰E0˜”èîXA?7N[v¶döNhÇ@ªM{›B/>šL*¢Ú Œô‚¬²Î!&iqèW° 'Àï;5©O:"{,!y»—Þ4xeS”lùy@ý†?á¶!òŠ£Ò?|,ÞAS½…¢/D­J(¡/ ­®–¾6Á¶>O¥;f^tg ,Ó1|ƒ€Sû¥˜#Ên-AqÌá)FTÉÁüKÑK?qŸ®J,s‡ÛÑ–„äî£k0i0U#0€–o’™ évt»_ÔøûÙÏ ï0U¬ç&šÓM†ô`‰êä±ã‹hƒÆ0Uÿð0U 00  `†He00  *†H†÷  ‚rûw¹Žs÷%Ŧª/.HȈ¹H‡¦Ë .(o×ÓBèCèøTäSA1žˆ ˆøÕ‚¸@{Ó`}h¯ÌäEt8ÿ/î~Ð/Åź~!¿Š(ï|M!;Eý 7#‡í{fŽD¿KíK™ÿ|ÚôàÃû9u»ÅO´»¤¹i°„ËçœÞ5‚$”_Í–µÏ•.ŽÀ¸à1mz„ýüºûöï•Û3?Jr åcèN§W&„46‰{·–fËyr›÷NX’¥Ôà}ñ²Ì`A[^CHèkÊUê,r ú–»÷ë£/*¥ÃÕóöÈPAçKÏŒ¸ÿn9˜kùÀ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidRevokedEETest3EE.crt0000644000175100017510000000160715161577363031171 0ustar00runnerrunner0‚ƒ0‚k 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0]1 0 UUS10U Test Certificates 20111-0+U$Invalid Revoked EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚· ¢øÚ¡1ÔõŠ^ÞŸ`«SÛ"Xž†RÒ:‹}ý´Ù4¡jƒÉí]µ¤Ý•íÑ0 :žË¹èH͉6ÖA¥5DUaÂŽë/®Õ&]}dt‚2ãZá•vV¹ TªV\ÍKÙ¸€åbéáìÉDT‰A_ž+3ëü„Ý;^jÎ ÜîØÝLÉAÏ „ÅÌÍ7–HEkê/'yÛ4kêöû£ƒ<¡”ÀOe;Û‚~êE¡õï_e¡Àû Ècë»k,Û°{‘œý€=ïô¾æŒîcS”¼Ô¥¿fçÒ(æßwßƦÖ]™ÜÁ »¸bÞ¯5ßW\ÍÍòèŠëÖ¥3£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U¼½œÞ!õi ˜ÍhZË|0Uÿð0U 00  `†He00  *†H†÷  ‚‚]î& Ej½6Ê™Ç)` Â"1YhxYé}˜”€æ$”ô/;#ÄS Ü,MƒhÔ§Bzÿ)ÛÕ Ê;ÙžgD´ÃQèó õG}ܯ£BÞgq¯rYê¦~í»Œd2¶Tl™ÃQhR¥|È6MRP7¼ãP“Iö³Ù³Íy¡·¦º„ð Šo®ŒpT„H¹!GXNC´°mžBH^ë`eYi¸äk°Û«š‰Ê$âéÚP׼ȑè‘Nì2óÖÐH)6ªOŒÒÂõ± Ÿ*Õ·././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest100000644000175100017510000000162715161577363033704 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20‚"0  *†H†÷ ‚0‚ ‚±x`­ËZÒb%å9÷ü ¯Zñè¢TòÉ¡þ.Fž™ P0¼1§¼Œ]+DJï(9C€y‡ŠÄ^†zDଫ¦Ðð˜pÍIÎH6Ý3}Íý(Áðñ"¶‚, 0MYèX¬0§D¼÷€FÐêÈô.£a íɯä˜TûË“øé7§3+׌þ¨•U* ël¤7g½Ðïýo §`u¡"änµ*ú–]@¥–£ðò6€ëñ‘¶Õ¢8ƒVÔÁv˜\†Zôzá[Ç@ÐVOÖM³LüYyRÇJ’{_eºS€;¨*z}í|~ Ë•^G:¼ÉØ]+& übêÉM£v0t0U#0€ŒÜß~dÛb¾ÛKQdŒjfØ\££0UתãìxŽÓµÙ$ÄO©F‘8’0Uÿ0ÿ0U  00U 0Uÿö0  *†H†÷  ‚ÃìÖæv ì»¥©>ÏE§Þ¯rƒN–6[ù絨}³ìP¡Ü«‘Ù4u*aEá°côñÅ9lŠ¶ÑêJÆà#߇ƉâãR n¾¼¦A¸Þ áî*v§tã •œútVxo?f‚­'[¹\áî©¡q|Ÿtü·K¬áÿ‡µS£tבv´µ@H‡­rÎjsz`…b¶œˆ#{7˜›Ãªì¶d*P:IK§h~÷¨jø“€·µƒ_IXÙ†ñÐýaóLšÌßê®úPq4@Á¢ëý*wÍŽm§ƒìx‰†,ÍVðA ‡†Ê´ŸtÇ©Ï©U´¨{Žƒ”âvƒW;öŠ././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitAnyPolicyTest8E0000644000175100017510000000166015161577363033735 0ustar00runnerrunner0‚¬0‚” 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subsubCA20 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Invalid Self-Issued inhibitAnyPolicy EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚ÚÆ^ú}‹”Ué-›&H½`œ:¶‹)îÔ¾ ¡%Ï@ÊÿÏŇ™T%J®ò^Rs^Eö|Ð'¾zlMŒ‹À W FääÿµŠš&wZîxØž3 „ÉñQÓiêeiv¯4zÂü•ÃÌzWáMÅÍÂèßh×ßBeÒÝpI%`¹ô˜Ìù³¼Þ,žñ¾+õ:ÀŒÕ˜þo0Óå…52ö)o£¾×ñwÖ‹¸*5F–v©,‘$Í' (®F!õ±n”*c jI+c\,]ÒRÜX°:¯: åà½8hAÑàÅ°-ì•‚F¬2 y¢ÕÂË›" b° ÜXí¸¿D§e£k0i0U#0€}ÀœŠvùI3÷¤KŽ0u•;èˆ0UŸç2õ’f‡µ!(CË‘9×Øã>0Uÿð0U 00  `†He00  *†H†÷  ‚˜ëÓjþªn*ùq¿ :,GìßjCô¥ÀÆW Àz‡W¨º…ýöˆàÝO.ÍûqŸ[Îubu¢Sñ6×pÏóÉŒ –ü=­puæ“y’ÄÅš¼¤.RÉÌW^ JÉD©¼g^Å7€Mð0û…­´ýÔÓÛHÓÇŒ{²KÏÿÖNñ eÃÞíÐ0@ðmRõó›I°’<îSR¬Lv°B†´–¤µ#ÆE …ÕÑ3‚yäȮ䘬nñáÑ&X‡¾>H}ÅU…ªÊ€'*«³êIY¸ûº¿aÐ^V5{Ò4ã7ä~'~žˆïÜ)ù—ÐæÌPg78Ct±Þæfù×ã~7¶././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTe0000644000175100017510000000167015161577363034036 0ustar00runnerrunner0‚´0‚œ 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Self-Issued inhibitPolicyMapping EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚§”wë¿R‹;\™©#1Ke …øK±vgÅþ–„Dâ¾bfœÍ-01' Õâª'Ô¾{kØñ@ûèÅ#qÕÜK®Ãèðæ]Ùq-på±8ezŒm¢ÁÀ§UëÛ ŸÌ(+iŠ éńеÁýú€yöS$ R“I4ôÛÖÐaå ¾²æ`@qߘ“ð-~Z+i™Ü )Rê74Bv)ì­ ö7%Z¹#ÜZj l(´ÅÿÙtÎÏÒ¡Eƒ5óò´TuOaðy‹Ç–Aèå||]ò4ÇþB}ª­ÌàF»=º£k0i0U#0€Y¹ldêó®–ê¶Q\%;Ïíõ“0U*yxÈÆ#]ÔÁ0FZ:ž~ÏnŸ¬Xúê±ÔDMó¤û^>R•EÃ.âÚMtÖM)¬¢öŒŒgkÕ–°,Fƒ»;i“ñ ë¦ëÅÕ¢ÊTðr60È«2ñóÕpCí©TŠéK¤”¨óòe(÷Õ]Õ+þs úZJg¤ÌfEŠÊòORŠª­ªŒ8–'A©ŸZ§ì¡ýLj>–Ë”V57šY|Ö¼p‘ïÙµ&Í’$ÃhºO%HX3¦· ÅšµírÖzòÍhìTìÄD­WÕÙ ‘¬bmWß Žqš¾–B,‡././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTe0000644000175100017510000000167015161577363034036 0ustar00runnerrunner0‚´0‚œ 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Self-Issued inhibitPolicyMapping EE Certificate Test110‚"0  *†H†÷ ‚0‚ ‚íFëY?ã\̆ÚÊû§ë-åíñ¢ ÇÎMh%JyØ(å4Œ67b}X6æâ·Ö±» “];­MÖ €—pж ‡GëMh;‡Æ]NÞ› ]œr“j;BÌ«_%¼DŒ/š‡Þ ¼‰> w»²RÐ=áçÝKÇ'•M«{hùíIpMF¹­è'íVÁÕ Ü¨˜f ° ‡âFN·D¿×ÕÂf½‚©§†.™žü( Rk¼<4­‰Þ¦ñc%\4Ç{Q('%P+v_¾'öL̤óؽ¦Nš¾X9V+)¾ôƒÆu²8wi6ë›ÚY£k0i0U#0€Y¹ldêó®–ê¶Q\%;Ïíõ“0U°IŒì÷ÍT|pЗo0à«¡Ç0Uÿð0U 00  `†He00  *†H†÷  ‚J…ÛÁ'SjÜ‹ ™Ë<5ïrTqLÆ[Ã7tþXîŽÐôÄ"ƒc2ûd5™"jŽ(¼A…”UXd¿YFº\z’›ÂÿßÁÁÑëyƒ¯Äg´ä ÛË銀ŠŸo»ŒnýIDp\bÎöNµ„V¶ÎÉ ¾’-N¯†T  žÄׄ‰%c¾ ~úé+Kê] «çÄÙtLª ל>­Ãâ–@ºM¢¯ÿDnwVoOë+£Îé-þ¥”’Ö,ê¢×òî8Å=-ÎòT;âë´ÓF_ûÏËÓ(õ† ëçç¦é…ohåøo1 ’5‚ò<]Žõ¥(÷¹jd²¯ÈÙ»+././@PaxHeader0000000000000000000000000000021500000000000010213 xustar00119 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTe0000644000175100017510000000167215161577363034040 0ustar00runnerrunner0‚¶0‚ž 0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping1 P1 subsubCA0 100101083000Z 301231083000Z0v1 0 UUS10U Test Certificates 20111F0DU=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚¶ÔÕ›ÀŠÃ&˱pîM.F`/`x£§ˆÞ:K$#6¸ Ç0ÎЉ¿®I„t;ðÏÓJCóiö ‡W‚ÑŒÍùl#;J£Kj…÷¿Óbýð«Àd0³ó×%j6KeP¸÷ÿ!ó£­Ë;Û9Çp-câ¾F-Žû×Ä`Å|:5âCIs±À›EŒòÌ­qIS¢>/mì7Íqö'ª&¥pq&¢JW¨†°o\Íø¶R¤îÔ•k¼î9±|ª°Ý†GMQƒ„͈ÎåU ë$¢ÓÜÁ°Ä\4Ù×0tZÆ䆗o é„Ë’1A| ÊûÐøoþL*7ë£k0i0U#0€>Et¢‹ÒñVŒFfxp$Æ"Áž0U²IŸŒ_—ý¥@òU$Ce`º0Uÿð0U 00  `†He00  *†H†÷  ‚Ý×Ö´ tÍ[‰»È-ãC†ÇµZº*>‹þ—a6©ëߘ:ÒþåÂ8Ô\³¬%貃åþP|Èм*Dô Gµ=:÷âðõ4ç.ÝÙEЛ*¨6Y/õO°M?¿ÑOC¯jr7­v’nOêaÂô\Økï']RoD%pçmO¸|È_ jl%9ïËú9ËXç¡ÎxŽÂ1ª¬uÚj$Jº-žh|å{%¡I3,rèý˜´JqtÀžu”§ÿOε#¬+Õa¹9Ñ7¨ïl»„zY,ª+† ÔIzšP¿'ÊÁßÍè‡ØË¢8’.]šÿñÎ././@PaxHeader0000000000000000000000000000021500000000000010213 xustar00119 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedinhibitPolicyMappingTe0000644000175100017510000000167215161577363034040 0ustar00runnerrunner0‚¶0‚ž 0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping1 P1 subsubCA0 100101083000Z 301231083000Z0v1 0 UUS10U Test Certificates 20111F0DU=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚áì6ˆS´"¶˜%Àd0Txƒ8 ƒ e‹ø7Ð…¹¯\3=p´¿"€G+}ÛK±1 …êæGåD)Cúë2õ¹1Ã< 2 w«£ÝL{l³?"}#œ‰Bëß؀œôk£Æ¯øÏÿÿÊæmâ’‹$2a[£qŒ¡¸è| Dî£v0ý÷&C•ö3Gìwè5â¦öšÏÔA=Ìî­Š5ñ‘Eú.¥ IxïÞ&ž/¡ÜЩÄoï,!‘h¥ì±Éai‹á—Eè3•bK’*/l†ë"`¶¹á“UêôѯJY”{¥Ô³ËUÿvÀaÆ{u]‰tAÀŽã£k0i0U#0€>Et¢‹ÒñVŒFfxp$Æ"Áž0UP“ìÖÞGýwdi Éo†îd~f0Uÿð0U 00  `†He00  *†H†÷  ‚]áúkÐQ.é_æ§i¬§G¥pfx)V´IS“½@óGðm$'#C±èëò¦x¬ç9¾ó\˜ô¦ævU/94Ð;]BÄÅ­1á‹õ³ü)ÜULß$s•wÔP><ЊŌu¹M‘{–Ä„ÝáéÄ©%ïJ ‰ÙmÅTl±Ñ›_’ñPÊПY ¦súÕDIf˜ \Û ˆ³ˆ­ý(œMŸÂ¹åâT²]•µdbž.èZﳨî÷{É0ò-[Êíh鈎™ˆãÎVÂzŽxn×g{ߥU1ŸßÊ '[âée–¤))À;§ìù¹YC $QŸÊÕ/CHb{Š././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedpathLenConstraintTest16EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedpathLenConstraintTest10000644000175100017510000000166015161577363034003 0ustar00runnerrunner0‚¬0‚” 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint0 subCA20 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU;Invalid Self-Issued pathLenConstraint EE Certificate Test160‚"0  *†H†÷ ‚0‚ ‚Å%¤¬hdªª4¬dÀû¡òÁ[ I•8ÙûApkz¦9„ÿîˆ~-ÕX!ظ:¸*áFó£ñyp7!µü´b¤µÀSÓ¶ï{†*ÆK2Q-Œ¡/ëñÛû¶î$fLÞrWÚ{q/å<ŽËph@ßü‹\ÑWØáÁ#³{ùT¬~ðítÝKI~=•ðŒYsâ´Òx%»FYB~.£÷ÉJ‘)hÌ‚~‹Õ!xàð’ÙÚ-Æ%ÛÖ~Üæ 6Ýæ]ùUë]bv¥e.Š±Dà %µáôãÓHn âÖ³Ê7…y¹Änö\iv“¥sÞàA–â‚ÐCŒ éùxPA£k0i0U#0€Æ *û¸é>h`zǗγXQ{vÞ0U÷Ç›Žñ¤Lû¢t±ó{U”é‰õ0Uÿð0U 00  `†He00  *†H†÷  ‚F•êXgœ®âlfãEÙI]¨Ç‹´ö\‡ .¡U´ËôÕI^€òL Ÿ >º\æ9èã}„|q=\ld@J¾;4XQ-yÔZv¦±–}š?½JK¡êU§hwŒ¡¼~ăóRŸE¢MsøÛ˜´¼ª"U¼ïô‡“Pv°Þ{ÀņÕÝwÏÕPº·à:õÛ‘ÌS‰ ¾ü2üv¥ý퉀yr¼ZRò»›7i:Ë+(e„d‡¨\câÍÇ™Ôk¬pS¢æÀØ:V Ç»†‡ ¸Ü¡ñCp_VÃ<^+'º£±Qñ€ÏÉ91j¢»é|y ½bÎv˜ùêëÇûƒÜhÃûN././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyT0000644000175100017510000000163515161577363034106 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy2 subCA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Self-Issued requireExplicitPolicy EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚ÊGåŠhúù×$šáýfn|a‘^\?9¬%·Ÿ¬®×Ô5ýà€¤Îýuý?é!ѶgmÖã^% ÀÛsÒ@R%믪»Öß:ñ{Ü »¨ ؆!l éd?l!xÔ|æ5·ƒJêä]4ä¨ÊGéV¬Øhl#c_V̘ø¶þMœ©Ã”MÛ<ÙVÜ8s=gÐ_¸Nô(ê,Ðy 5uNíX÷ùŽ \nAm Ó O[c3†JŸ\ö÷ä΀è`?j3fFTÁ¡ ¶¦Ûã—3÷ÿw ·yQŒÎ0,öÇ ÄƼÓ±Púv6 SìÕ©¼~·Ãk‰gëÙÌ?A£+£R0P0U#0€ wþL0â³Q°÷ƒ˜G0UiÝ8<¿B9aBM÷‰¡d}`+0Uÿð0  *†H†÷  ‚½„Í, =¿¦÷·€¡4Š˜jW”«9H-'?Ã9¶UªCI £·S±,M- ¾×)ó·u|»sOá'¼Úza ¡CÙæ”q–pP£ëN)~mú²mŒ]fZ€Ë¡Ð?jŸçèá O’Ð ª”ì%’>0TEe¡ÐÓPœžSž$Gf”!s³óƒØûM'îðÑ)}RÊAH¢'Þ¸B/Œu”hêX Ú½V Sp©Qr.oåæ³n×›ž‘K„+Çhß|Ê)¶­ë®f?Åá£âUôè¢d8&ºŒådHå8ð×XæmÇÝç£ ¥ˆöH×(Õ|&#Í\w†ì„ž?¨ÌÀ§”././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSelfIssuedrequireExplicitPolicyT0000644000175100017510000000163515161577363034106 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy2 subCA0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Invalid Self-Issued requireExplicitPolicy EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚Ì¹é ®X¾3á?áZ÷TäTGƒxeoÖµr$¶\çXÌàˆTæ´Ë*0€¿MYr@•qqµ4 í5r¡\[VPãV} ÞÑö¼b ¥òÍ4#!QwòsäýÝì­äçe)(yvXñ´²8/uºvwÖ‚;Ý7Sí.שfx~ +øà V;Ý:6:_½˜~ õ$æ³çf2 4JýòóIëÈžž •_XJ£Þt™á"µQˆÂJç,a´ïÚkC=Ù6 C%¿ŽÃV€Öĵ€ }âLâ_•©‹È—¡½ó_|Ø bÃ7@ÔûznË„»NI¬¡£R0P0U#0€I gaVGÒY—¯"f0QwPªÜ¢0UÈ.•`´àâ`¢ù6Êz,Ìn¿«0Uÿð0  *†H†÷  ‚=xènàâc öšñü.n •ƒZ{Æñ)=£ã{P«#—ªŠ@òúá dyó|;lÆb(×͵÷Û)ð¸@Ђµé-¤§C•]Á«ÃepÑI¬ý$¾äEAÙîè¾gÒšþ¾ý:£V» ÅÚîÐ+a|`-jžÎ¤Ùq¶œ¶úü_£2áäI{pàø›Ñµ¸Øò-€‚Ô»Ããœ;¡QÕ‚t%‡É‡úd¢ªËšxëi_¡LªÎÓg_ºWê•÷©`Ù<×kÍð ¤Nÿ ;¨“:†Ÿ…ôÒ /»¨¥CÀW;8î FQçJ è]ÿF…S,vòÔóq(‚././@PaxHeader0000000000000000000000000000021500000000000010213 xustar00119 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTes0000644000175100017510000000170015161577363033671 0ustar00runnerrunner0‚¼0‚¤ 0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA10 100101083000Z 301231083000Z0x1 0 UUS10U Test Certificates 20111H0FU?Invalid Separate Certificate and CRL Keys EE Certificate Test200‚"0  *†H†÷ ‚0‚ ‚²öï;r&aÚ´˜ú9o­y}øâ¯F1Šèˆ5cRyCž÷RѲ5¼6ùu°.´O.Å.®»¯6¥=y`•Æ]@Õ®¾ü‚‡P5ξ…Ëø+ÊBP¿a/ä¿ÿ« ÖoW°)dûå‡qšûЦWÚïY ;3˜Ø—Ë‚µ¡[ٳğ©Û?°qùùOG¸9V\ӌ碛©‡ÞŠ¤ôåô#ÕņJɉ" $*?¿[Ò8q»g` ,KÏŒ%À5³"!>K^sÉ¢±¯÷_m°ì§ˆþ×…0b]óÐ6³?JSÉxð³.`I¯ÿ%%ÒÆg¡‡@:ؤC£k0i0U#0€ðeÚ?ZÞÕ¶H™;×L¤0U&©7Ñ<ÖzáK(84'BfÄyÔ|Ò0Uÿð0U 00  `†He00  *†H†÷  ‚få§ ‰ô ‚ÙJU-ûší¾"sG‹ªV/S€Ôd+K]:NE¶œ œ$YE„óÕ­'Îî ‘Þ@ž¥›²././@PaxHeader0000000000000000000000000000021500000000000010213 xustar00119 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidSeparateCertificateandCRLKeysTes0000644000175100017510000000170015161577363033671 0ustar00runnerrunner0‚¼0‚¤ 0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA20 100101083000Z 301231083000Z0x1 0 UUS10U Test Certificates 20111H0FU?Invalid Separate Certificate and CRL Keys EE Certificate Test210‚"0  *†H†÷ ‚0‚ ‚¸zÊ6Õnà£YIH”4«ÚsƳ6R¬s¦›éýL®„€°Ä·©Ê4]‚ıãHQ LÕý…•!ô‹†p8'¯9=Ä°jDQÓ´oL‡¦·¼x~#Î÷DHÉaö4Sã ÁYZÍFt•%² ËÐ: ]FtHGƒÖy7·C_׃5núáŸ%žPΣ«²ë7ç¼é5yl‹4&ígôé“ô(€âÄ-áÉIQjJIñ=ÚÓ7³B$˜@¬ÛŸ“€‰Q[+À{*\©‹`ß'¯œ È&™?í&êÞ™‚ÈcUKÜ—œƒÛ @Ê2_ägþ)ùËÉ«`:4§£k0i0U#0€8£8ŽNEö¢â@g›tà0U\|ÎP$¯¥wé+U½¹}0Uÿð0U 00  `†He00  *†H†÷  ‚S-Ïâj–žnµ¥ÄòOWv¥„Oçü¶N„°Úì,-ˆQk\j[ͱòPêìQÎà¸b‰š—ÿ|pT¯šSJsåÏäèîÈsªÉÕBkÁæ~êÞ7û/¥EO™ xgª³·~’&•͆@_BüæhÆ4KÑ[È ÜeG@‹%r/$nf¯L©©/ó›E;ÐpÕ-Ù…ÿ¹FÏÚ]«eAv®zUV0w— ÷o‘ê’wœ ÿ‹0«CÉf(Ãj:ðÙPP ÉuZ‘u`°òg÷mäû|¥b˜E-r«§7ï²v°Yb‡ø?VMB¶Íy»LX:Õþ‡ÕæÚ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidURInameConstraintsTest35EE.crt0000644000175100017510000000173315161577363033175 0ustar00runnerrunner0‚×0‚¿ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI1 CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid URI nameConstraints EE Certificate Test350‚"0  *†H†÷ ‚0‚ ‚°< ÑÏŠ.ßÃo–™¸}ÝJ×>¯8“ïê›Í'½gj 5¸°ÊçkùMÉiÁ•9 tÜ‘} ’ÎFh# nS ârx<äîÖâÀNçLVȃ3H&Ìtzã7=Ú—ÒÎsT­‘×Üe«´ÇŸK×SŸT´ï§è •9—~‹+dñIý¡,­ÓƒQÿ¼2Òl¦Ö@¡Å`º¨ì tá”ë&®OìZzØ‘ª¼1‹Jx¬ØäqVœåý]z@"o챌¯è8v*¸ÏEÙJæ3 \üÙ˜Vªs«a‰c! ™?)³Aê Elá½à…V£¡0ž0U#0€ú(­AÞ*hÈ#?&Þ0U¢Bà•2íåí¯ v¦}( æÓ0Uÿð0U 00  `†He003U,0*†(http://testcertificates.gov/invalid.html0  *†H†÷  ‚XúëZõ¡*êÓ2úCP¹/Ôã‡Þþ¿ööºH8¦À´í7ãÓäçè=° ¬-ÄM7\"WrûÄnâÜ»oæ£4|dñ;ê’ÞWMïïu%›÷¥üÌ»L¢ Á´¿üœfÿI Þy/67ó›4c * ˜Ä>£ª%†EÝNI¼‹Ý·ŽÌ€n®Öž"‹##™QuWÕwì³åï ź{k¦¶ú6Bº—Ö%°Ë$x‘2± î)ƒ¡&ä:L j:í™ä²ä"Õù?}¢_?ÎUH¬Ç„øó%y|´¦.é;¹fzîn¾Žé± kRG´ÆðûÖ*€­·ˆ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidURInameConstraintsTest37EE.crt0000644000175100017510000000173315161577363033177 0ustar00runnerrunner0‚×0‚¿ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI2 CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid URI nameConstraints EE Certificate Test370‚"0  *†H†÷ ‚0‚ ‚ͱºÓ¶+g»ï‚2‘ú¸þÃnm2ÍÏ®%Š¸líEØúwg¢·„…·™–O®Á§èã2¦ªïæ:úÇ›œ›õ¦«gGóB‡\~_Á3Ó 7…Þa8Œ(@¹¯E9ð» ðаHsrük&íë~ñëã{R­w@ ìâÄùÓ&+’dœõı÷:ÁŠ~òÕq³+Üżê÷ÚÌ\µl¥Œk¯#ê§Ïí ˜ø¿æ ¦3mví#úáÜÔZ©‚ÓöòÈ2®»æjìgõV_D2±Úû=5Ò¸[ štöD*/Óý†|Yo¼Ì5š9Ê~=Lç‰Y;I‘g´µ£¡0ž0U#0€Më‰qßð²úv:X±º`ÝŒÓÃ0U´ŸP6|ØT[yðŽv©%ò¤¹ 0Uÿð0U 00  `†He003U,0*†(ftp://invalidcertificates.gov:21/test37/0  *†H†÷  ‚Aö½”*Eê1V+…âÇ÷~þÑ ‘ü“­+ê%Ì>˜NÏ-lƒÎîoN%’ßÏI£ÂÒòº&ß÷6gÐÕÈQ?zguùðì=¾=i°S\áÂ}qGúYÏe€|T+€–K¨ZÝüÆøJÁ› …†B²Ri»I>½— ò„é0aTb×,^&¹Ï$b/Ç8@”zÁ— BžÁ|7=°¦—nƒ¨ÏŽ.Ê+Àn…'ÕÑþþ;ZÝaVüZÙa{øvgð§e/"J÷8¾x!¼O»Hp0¸^çs>2YGK0ýçêîîÚ53Çõ¸†æ1(ÐE¼¨EDÕÄ}././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCRLEntryExtensionTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCRLEntryExtensionTest8EE.0000644000175100017510000000166215161577363033574 0ustar00runnerrunner0‚®0‚– 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UUnknown CRL Entry Extension CA0 100101083000Z 301231083000Z0q1 0 UUS10U Test Certificates 20111A0?U8Invalid Unknown CRL Entry Extension EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚ò”$ÐŒ4FÚ2ù‹ù¶ÁÌQ ]~ˆž¬ù›±Z}˜æF.AÀzó¡6û§ R¼5áb\û4Fˆku°©Ä{=÷ñ¼ž8¢Ó|(I4Ç+F3ÈMç»-o´þ¨ €MÿîÄ›U{=þ™¯ºÞ¡_ø£…ƒ7À+jÿ Ñ‹è¦k7|ÂŒóv\ G!Ò¡´;wÚÖÓuXBûœ±°à˜ 6¨‚ä`3­)÷PT(þj,÷öD$(:m)§É²g…Ñ#‹.<âIÃ]]‹ »¨¸‰ieË€y­^5VÃO•/¾Â5f^ _ s¿ìðÓšD9u£k0i0U#0€¦Ë¡-M(/"óÒL7ÏÿL0Íê0UšáF%e†vZ›M"ÉóRWÀu7¬0Uÿð0U 00  `†He00  *†H†÷  ‚†‰»JÑ¡M‹.×ÃûN†Ž Ä­·©NúF- 7L³_”œÕ½ÑòÔxÌž‘ hœÁ«qï,×gñ×r#ùôÏ܉ũï·sƒS`€TÍ^Ž¹®ëÈiSPèÈ6Ö—X´Qq¡WátþŽÿdýìg–ñú}rò‹jÈz ) c=º¨âêz»ñ%–x‚fÌt¢W²<@ð*mKÄ‚*±Ú>·îË3å 2*Ês1ŠaÎÍA‹‡ÁûY(£Áôø£B ¡òcµD·ãî[ª7„=JïÔwvù¨Ì>UºåE‡“ó\Ÿ½˜¬¬Je? sD tëF;bö‡·ÇÚ×eal././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCRLExtensionTest10EE.crt0000644000175100017510000000164715161577363033337 0ustar00runnerrunner0‚£0‚‹ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UUnknown CRL Extension CA0 100101083000Z 301231083000Z0l1 0 UUS10U Test Certificates 20111<0:U3Invalid Unknown CRL Extension EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚¬oýÚ]©P Ãmƒû¸ ê0W.™ãbï%ãq\(àôîS:|ñ)ìvBüÌ\yƒ-èmIø‡Bšå{ìÛäÚOYÛÓéÿ$6Åçbf’,š ù-9Æ|Ä:ZXt.4`\,f¦œUܺÓí™g¾…êĹ'”å“<’5Oµ˜>‘Ṉº7ERz‡®ŸvLOŸß"òš¤†§vô¥Š-¯gÖïÐC¼HbµÑ%ùmˆyˆ^ˆçÉå5cjAݶÊö\C]žÊÚºÚxßyÄ ÜwâçýÓñ;Q€o·¿fï:Nê Ömì3'ÎjÂHÀtãk0i0U#0€ýÿþMÛ Å¢Ø‚Vë°Ùaã10UëéVw[³5ŽÀi¬Ï&TÛ@0Uÿð0U 00  `†He00  *†H†÷  ‚+Nqé³Ó¼ü^l×C˜¥I!W9ïl­Æ*øN°m­tâÙg¼(F,X&4‰®Y„‡¾•=î¶Uÿp[Ù’‚?V’i-AV^˜¹Pß®’³£”Ìn€R©¨ e+Äwo×”ÅÕ|–œ¨žI0ìNÎîmª~ì^dQ¼ÁƒØjr pꇔ×CÕÿ€G¦ø¥9J£»Cñg…Æ©þï×eþE¤ƒp’Á”u:çÍCT`9…ou0=+Ý]“.ÛÖ³ñ‡*o‡zE YòÞÎø°e#â£í†çUÛ²: l]Ö±é•ꪂ»™LyM¬J™ÜïÍÐ-././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCRLExtensionTest9EE.crt0000644000175100017510000000164615161577363033266 0ustar00runnerrunner0‚¢0‚Š 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UUnknown CRL Extension CA0 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Invalid Unknown CRL Extension EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚±—kÇ7 ‹BË\fÍ_q˜%¬­í…Z™»ñ(ŒÕÁˆæ®H›…'ñ£“¨§ .›vfžÈÈœ/ÿÌY‡4p–õ幤˧ãyÍü6ÏÚK‚ŒD_a7·÷䔳¬™…" Þ†Ð<ŠB³ÐÉ¢ýLÄ?(+ŠbwÍ$Õú(g-‘vmjcÚD6m ”'¢ZÎôØê°3i3ž¨îBnä¼”xc?¡hÇâ¹\Tô*Ø°w´Tªãt³ ‚e¦àtK(ªC»UߊM* ø3}#wC·¹o}bÄ‘áò‡–¾2H„™Z "cÈn°»K£k0i0U#0€ýÿþMÛ Å¢Ø‚Vë°Ùaã10U¨‰ééîÁ¦f_ Áoõ+ð¦X0Uÿð0U 00  `†He00  *†H†÷  ‚+B{rBm\ªª#<âZ©– ]ÈðÑè½ÇÎ÷!…]šAª] 9•sW9ÕÁ­ó\Ç —¤Â”P©ÞVÅÅÖcVvÁ&îñQRžó†øQ'kï©åÿnfo¥-ôÂJ.C…‚5gIê&J‰w³Z¤OIs{³W4œFx†—«ŸŒ7‹Õ2¹¿¤oiåÉÔ0Ù/°Ï†K>øo8¹Ù\i oKÖ)Gø³º-Z‹øµŽJb;óy->è=>¾¸…vgÔ”0Ò>oßéc<¸®Ä|ëñ²JBïÝž¨,ÏÕ@à/«1eTÆ„Ž^'&Ø‹†mÍΗ././@PaxHeader0000000000000000000000000000022200000000000010211 xustar00124 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidUnknownCriticalCertificateExtens0000644000175100017510000000167215161577363034102 0ustar00runnerrunner0‚¶0‚ž _0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0u1 0 UUS10U Test Certificates 20111E0CUì¦ÅÎ]&l[OéfO[~¥ôÏŠ6"àMÚ[>MÑùÅHø€°hpBûÄïtÙC°¯ÿèþM¤´/&OnŽNÖN›{ø¿QÌëâO¶„má³!÷|±—,JÆbålMMçÇ·WE—$Oû6;Ä29 Gb–eÓÖéý}¨óZ€Ó‹ÎîäóÊçKø` H´nñ"6t X³E£€0~0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U ÑŠØ·H§žÀ&6Ä«w+Uy¼ÚÌ0Uÿð0U 00  `†He00 `†He ÿ0  *†H†÷  ‚’ó+úùZÈVYsþ©'T©>Ö9øû…Ð |ГâÃkGFè9ºf^ìªBUVô` ±«Å6^2ŒCŽv<³ÿÜ3³O`ê‚vêWúú:)%2䚯ÃË£./ØI’œÑ- „­°-.ÿà+¹Jb?Ñ«r­É÷l®{Çi¦.íàÍk˜v½KaxHø$$Óˆ8äŸGUÈÊ/ÑÛàz6mûÓ鯎ޞʎîˆ*4RªÃÊ…udV´Ó)dàH(zzL~ÅÛ@Å Í/æÓNâsÀÙŒrþ¤ásý<=£a<©5‹ÍN¸Kœ*»š\»ï€D·YïdÓ£EÉJŸÓO‚õ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidWrongCRLTest6EE.crt0000644000175100017510000000161615161577363031020 0ustar00runnerrunner0‚Š0‚r 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Wrong CRL CA0 100101083000Z 301231083000Z0_1 0 UUS10U Test Certificates 20111/0-U&Invalid Wrong CRL EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Ä´”©$>}þ`oðõ†àÁGƒ’*cÍF½p_B+× Z{<Š“)td}1èBZ‡]Ø>íÜægtËÐÙðQÃLbµb)•4ÛNã×Ó¦9ŽéV`r-®Å8x­?í“D<5y._­X,ì¯ZnbÛ¿?¸a–9lðVÛr:|4‡‚(GíÇR¾ì_šeG4YFõËÞ +"5…N­¥þÓ·ëV~Þí jŽô6hIðî1Û##æÛŸ<Î@fN1—«-Ü/k×7™åçaûˆÙ>áGÚI¨c8÷ÜÐÒAÿíz"ùYÎÒ`Œ2©Ä8~t ”¬ŒgÎ×£k0i0U#0€ %Fà‰zQJ¯5¯ÍÄr·¨0Uƒf³H².}¬3¿ˆöÙ;ò p¼¡0Uÿð0U 00  `†He00  *†H†÷  ‚".U|ûèè 쥽#8 žMIˆÜQÒ‹iRŒšll¼ x3—j96¨'öIøŠ°}À)ûËápͺø—G;ß ¢ØÛÔvÁã¿eÞ–€Ñ ×Ù~€q”gdxàÜp©%Å2Dïl¥W£k0i0U#0€pßD/™sò6<4Ð Ñòí0U|¸{˜ì"ˆÊ‘PÚÄÂ.|R0Uÿð0U 00  `†He00  *†H†÷  ‚b¸PÐè­ÑS»ÛVhzìý½•ošDÉc¤^ËlxÞ(€Áß‹ëzó5“HŒÅLÈ{xóµëLUXâgJ6Ât±¸ó&Õ²äæt憩ú>’þ¡eÛ3À„ú.ÐöÒÙßw×:s*¤j»>çJ7ƒËÞU ùõl_·òFz"+QåwÞïŒÔg²-¨ï žaTÐäSâI,3ßcC¶† [ÂÀƒÏ×PíK J'Ä‚IB*ž õ}œ=OlÑbiµ` @X´á;LÀîŽ!Òͦ:•œÎ¥»)bàŽÇ&¼pÝÙƒL„wÄO(ã‚V±v‰în`0üÃHCfZƒ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcAFalseTest3EE.crt0000644000175100017510000000165215161577363030656 0ustar00runnerrunner0‚¦0‚Ž 0  *†H†÷  0b1 0 UUS10U Test Certificates 20111200U)basicConstraints Not Critical cA False CA0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Invalid cA False EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚ã*95Õºé4 m«™%¹53Ž[±ùXü€AÑß QØhµh:m:äb÷°t’Y#û V•î´}LA¾vnñz—åŠÐ{ÌÅå’šøLUÆfv JeôöÖ¾~æxM#èsµmeÿ­ø‡±kº™Š¼Â!*t}ÝõñhP€Ê±š‹§©GäP=v{U Ý8Î<ªˆíæ$‡ç „k aOžgq5éæW„£¢Ï¢YˆbªSÖsçÕÏÝZÕ‹¹.(®®¹Pj¯N ç¹£Ä&ÌZvŸ@¹†9Y“àtö›Ì'zGgä÷ˆY‰_ÂÒˆ­&VÚ½‘}ª×ÂÁ£k0i0U#0€9Л·O)7¾Ó°ŠvêjžÍïF¾X0Uø[hýˆ)mÉ¿J Ž›ò­uÂw0Uÿð0U 00  `†He00  *†H†÷  ‚m¶A 9&i‡¶¢ÃDð"$ÿˆŽÚFÊ#‚²!ÈbÖè¤óÇ#Ü^3Nº;Ô„Ý«a:á@«/§;uBƒu)­¨›¯uÅ9ç3Üä~IÝß“ªHÊæv$]k:ü[_À7‰Jјm˜§ø #lÝ‘(o}ÜNð!©ðòuI¹×M71Ä¿ ¦?ºÇ{5Ü-¡¹‡?§ÇÙµŒÐlÆc¬p°±.9®«},­Q¿Œ{?CKË' 7•fR=²WqJ39nß’+?Ý‘ehí+õZwn‚êæ¸ÓÕÇ0Ñá}å¿Ôçq_eÏs¾Jš¨‡Ç_4dÖŽÚ¶%áá‚]ûÙ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest27EE.crt0000644000175100017510000000174715161577363031326 0ustar00runnerrunner0‚ã0‚Ë 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA20 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Invalid cRLIssuer EE Certificate Test270‚"0  *†H†÷ ‚0‚ ‚»ÉT%úaW¾©Ä_}ÏJĈT䟳NEª;>^6d"é¢#Û†çg1ª©Û-b~-ÝÄûà Gå7?7t¨~×?g[pÄâÔµ‹²™–^yáÏ–:6ʘ ¹¿—™@´NþJ盼kL~{@nx3Ñ>13)'_×½| ’¼Ëó¯»oבy÷>“¯R¦XbL—7÷ƒØSt,GÌwN–ÅíX0†6g·Aº©þ'£EºoH3£h[–†$k ¬þQð3e¹´úrÁT`ú òÙµ¯¹gRÔ~÷–l ’ Çðõ0ÚÄ ŽRCm”ïMIU¢\Õ²·È>“£¿0¼0U#0€ˆ#á³³òlþ1©¾‹aª;’‡¤£0UU"pJöCÈéïÀÀRŽRv]Ïk0Uÿð0U 00  `†He00QUJ0H0F¢D¤B0@1 0 UUS10U Test Certificates 201110UGood CA0  *†H†÷  ‚_ßr§\u)ˆAp o#X¡düÎ ¶Ö¿õv }Zê/»à"iÌZz£ŸºÇAð{©<¹Ù–8Ò­ÙSˆ"W—è¸k„jDäÀeÒt ;gë׆ªÿmIÝV|†¢Ë‹¢L0þýïÑôò‚ÉbaéAÆ©hªûkK;5Ó1%D;EWyXªe朮™lø¾;rHÔv«ùàµ^½–D?ÈV €œònÅ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest31EE.crt0000644000175100017510000000216015161577363031307 0ustar00runnerrunner0‚l0‚T 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA60 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Invalid cRLIssuer EE Certificate Test310‚"0  *†H†÷ ‚0‚ ‚çY•„b%F§•˜]cT)¨B+Z».ÏFHk3VÆUßS±ÆkIV¸º,PñÜ/¾¥C¯ÇÜ2×v}G¦ë×Qpôw·a"züÛÖJÑàG¢ˆ{ò~m„ó³8™,Ð7Õ`ü(\ηìõ0ß°Ò;’tÖåÉ6AàŽèU4ÆY6Ry&¹hh"ð6PQqô´ ¿‰×ÑgæäåîIOÎÖ#Å?ëŠóg¼K*4a.±ožÅ¿ŽÂÒ»6œêîA"½æŒni$ƒv´ýM1R€t7<妩¹¾ÁÌðÊeƒiŒÿt%€Ïãµjìê×Ç'ç¤4µÆÚb¡£‚G0‚C0U#0€É £l-wOÞBô ¶Þ*v10U‘ªíu’M“V³—Ûr8©!æ0Uÿð0U 00  `†He00×UÏ0Ì0É y w¤u0s1 0 UUS10U Test Certificates 201110U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6¢L¤J0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50  *†H†÷  ‚²]É Z×S–¶#Ãõ²ö2î(®©±³9þÔán¬¶ö4ÁYKù ÿþÂtcÄ»àë‹Å/‚^Dy,žJõläÒ…A!-öB¤•eþÿwæžk„)AYÊ©Üè¨b~©õ¤k%ã5mäÅ¥Üß{õÙÉx áæJY¿°¦íEšVîöÀfÛgˆè5ÎPWJ“O #¿æhšhø‰ Y‚Ò^sÜ?·s— c²¯‡ÁšuƒkîDæN—Á\ðK&¬m€'’½Ÿ©ãbË~9‚ÒÆÛ#gnÎÓZ‰’æ^•œ¯Ñ—Nšª ¬qxÉ™ê„]â&Iýo¸±_¡÷ÅÜ"#././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest32EE.crt0000644000175100017510000000216015161577363031310 0ustar00runnerrunner0‚l0‚T  0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA60 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Invalid cRLIssuer EE Certificate Test320‚"0  *†H†÷ ‚0‚ ‚Ô‡*Pw–_d?ã§Òß‘³Í—›çŸÄ_ §F'^“'®˜ùùEºÁz ‹ ÃL–{’k*Ÿ#ÇQ ÛÖ\ ·èò5jìx!—å žà«© ¡Ór›5ØBÜNü£Èdºÿ:GNî €û¼¸éGèx¦Š†Ø{¦]rcUx%Ý„ÔzçÔŠ|ÜÝù¼ÙÖiÿX"ZT;¹³ƒq`ª‡|¦IG°†›70çjNÞTØäÉ{9±wK>¨ŠAò‘6LáäƒHö+z6ñÇ´'QGíGÆï{ÿ\Ô˜. %;Ŭ< ´ÅØ Ъ)³¹¬±× .ÈÊÛM¶Q„„+IÙ£‚G0‚C0U#0€É £l-wOÞBô ¶Þ*v10Uó,%1¬A@<Ÿ\üò+:¬Ÿ?¨10Uÿð0U 00  `†He00×UÏ0Ì0É y w¤u0s1 0 UUS10U Test Certificates 201110U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6¢L¤J0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50  *†H†÷  ‚~˜É¡Âe|~=es}#P$)iA³ÙÅ{®7Ñ ÑÍuêv5‡Þœ¢ ²ÿàˆÍÙØ Q&ýC2>a9ƒa­L-Lj‘¥I=uƒ…AÀ¨Œ~œ¯çi?¾8úì„æÆ{÷zc.»\‚wÕKcß»½v 5»g7élË… ñ¯UêŽ ‡»A˜åT¹÷UZýóV/[ýónO‘P”ëYéHQ}F˜HšJŒø<íMÌeDY(Ø{˜ -ÿ8ÉÓ”¨ûÄÄkìlmß KA›6ê>åx!*ë†Ö[k_Å®ÏV°É<áË$Ô6Q’ì4d‚ì¦3R¿â.9Ùœ&././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest34EE.crt0000644000175100017510000000202415161577363031311 0ustar00runnerrunner0‚0‚ø  0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Invalid cRLIssuer EE Certificate Test340‚"0  *†H†÷ ‚0‚ ‚¶LýH”<³‰Ñƒ2»ÐA±0åÇ d9"ÐàbF½“»zÌáZwôîakŒÓ+ÀwÄÕ 3Ý‘ óÑ×áº3˘¢Èv²–ïÙûö>÷9UYÀT±÷8â˜)°Y®!] áíI]ƒ"z¦a·Öqç»f©=Žk¶óD ׫ŽEÆuô û™²×¹eµO.d›fgþqc­G¥ûÈÐì#Ë 2´pŸ÷òŸÙeÇ>Ï[W“w µG8€nBíÔKbdRAØIÈn.î™`ôS«W¶ü®Ûý„‡«~…Ÿ¿'úÈž…ÅÜζ@•Ü°bÂ8^­±7 ,e£ì0é0U#0€÷ª½HuY€°Ïß#Ø“F‚³0UŠ#1ÙñÒÝ@E“AI&‚€þ0Uÿð0U 00  `†He00~Uw0u0s q o¤m0k1 0 UUS10U Test Certificates 201110U indirectCRL CA51!0UCRL1 for indirectCRL CA50  *†H†÷  ‚mTœWsœvk×ÇÛ²'?o`?¼˜ZµI×tëÈð®Á_iÓ­0q€d’øFÇÇ(Œ/œáh×—Ÿ»äÛdPÇ2ÚþT¬$]F„‘Ý\"¾FÚm³äÌc—jO‹Ùª‡ á>?]Ç«®d[3ó ¡_wJé÷|¤C ÜKXà:zØgz½Þ.ßéè_ÞÉ@ Zȉ\.MLºÙÕC7pòÒ°ö”ZÙºüÌÚùa•vEÃå+Æ¥÷Ò¢‘8º—ïR¤â)P<y³£é k@Õ#Ð ú”'iÏõ–w—ÃÀ‘Àç§h9°ËAèY½ƒ#Q0—?%W././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidcRLIssuerTest35EE.crt0000644000175100017510000000215015161577363031312 0ustar00runnerrunner0‚d0‚L  0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50 100101083000Z 301231083000Z0`1 0 UUS10U Test Certificates 2011100.U'Invalid cRLIssuer EE Certificate Test350‚"0  *†H†÷ ‚0‚ ‚ÁÞøÅ’~FÐø[ôkŒ»Ž¾½]–œŠA…Ù¢“>±“¸¼]Kj}‘úúÞ³$Hº cåÜmÁùÍÌ Ö¼%LB,»lL(µ^h®ˆL¾ýÄÒòM+AÿÀÿÛŠfú§ (U ­#…l¥wJ#³ö|ûw›ok¬Õ£)Ë«M6àôéÿ·«^ož´¡ Éþ›ç‘å9/ô*Áç´çâÉJ¡ÊÅÓK…t(ª˜HÔÖÿ¬nî€PoWyÒ£¶Nü»‘‹»÷Ž3xP=._£¾œ`”í²}ÀHXí™ËN‹Fá<`?‡È{.÷öèÇÇy"b–bm¹Š ª³˜øR(”×á¡p‡.)ÿ.o5ä–Ë]^;‚+ijª?Áú>o˜-JVÔ@¸W$ Û‰öGŒ'„"sÒ gV-&´¸ !ÝV¦././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLIndicatorNoBaseTest1EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLIndicatorNoBaseTest1EE.c0000644000175100017510000000165615161577363033373 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UdeltaCRLIndicator No Base CA0 100101083000Z 301231083000Z0o1 0 UUS10U Test Certificates 20111?0=U6Invalid deltaCRLIndicator No Base EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚›‡ ¨èâsIÌ£ê>ÓGUü'ªršâæw~Ý&ƒé4ö§Ñùb*Ë€.j•ôL—_Æᨘ÷úçáΈd¡Ê½›í«žYÙ=­ù¯7y×!ƒuýŽÍÖø÷°¢Íñv ,ä.‹)u’—Qùéú¸$ÿ¹ [§LÓÐO„ÛìAf Á^ÇBã¹W~Þ‡LLÜ?€šdi™•5°Üè!Â]/ÅÄú3Iv¸êë°¬8 XȪ&6¼.#‚Wz6ˆãöguö⤂í³ù¿‹Ò°ûc ‡§±ÀîBäÍfëΕ‘Âqö_›"”/q¯Œ@È ^"Y“4ÿ~ü¥(5ç£k0i0U#0€ô8v%«¤ãÀÈuŒkc#¶Š0U^^™Ü t€ }ö%Ê㲡¬çä0Uÿð0U 00  `†He00  *†H†÷  ‚Iýåo;'ï=n“!¶Bó~œõŠèqÖÉÜ~Eši8dCÊ¢«X.8fShG'1F]¼dûÐ3Ó)¡Õµïa;4ZUÏ ™i ô"{in/ˆ¿ê¯‰p­ãlü?­ìJÑ êÍà©?•PÑÌ,]B%§ËY¿<š÷8d”ð‹Ë…¯‚tì4CC05vÌü"¤@È„bVþ~õ®B»Û©†¹tÂFOš"@ͬî£v3 [†ŠIì,&}ž¼TmÜuéç“j¡¼ÀI"dÿßò¨¨Ü>'Gv›‚vÁù–ÇH€dÝ™øó8‚&ÊjxË‚˜®C̲ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest10EE.crt0000644000175100017510000000210615161577363031063 0ustar00runnerrunner0‚B0‚* 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA30 100101083000Z 301231083000Z0_1 0 UUS10U Test Certificates 20111/0-U&Invalid deltaCRL EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚¼@.xÚyCŸ\ eþñ1”ëç't¿“®W u’„™¼V#Ãy»BÙeÅr@¹D9¾µá0Õb {ì][÷*¡ÒÿÅ`œ[s1ñýn ¸‰k> ö÷¿ ¿,¸ÀâÞ€IFÑt­2­‰¾bêèÛTôÐ*ÑTÁpn-±¼I€ŒßÔ­/;jjb(°ßR·«ÖBŽ¥2U’´º²üÂ2O;%rYzŸd,èûí8£½’ÍÚùýãnµQ›‡J‚uT_a³"Žê9ÕÀŠ³ ÅΣFŸˆê}ŒUþûÌöEóµÉÚZ Š¦ˆLñ¶Á÷Ž«¯1§ZU?œÏ£‚!0‚0U#0€ïcÓ¨N±ùßaâ ã˜Ò“™ç0UÝYêXqt¿ÍçTЈšŸ”»0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA30XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA30  *†H†÷  ‚ªG—³õ jË,e?£î>!¯Ö4; •Ø’í²¶¯êxx æ\ö€W6sëùXj<6‹æøyT1›z³¥¨Æ)!²ñSi3ÿÝÁsüì¼0“œµÝ__-ÑÒ{[>€ E§ ¬Ý-4%ËDºˆu 0OS“v䔪 md)öx•Ï§•µ6Øç¿zk!á߯ŒXlètÈ”*6é·ýla~ÖãÓƒ`ÂRö1ñq7³‘DN.ÅïÆÖšRd³l[_çè*Ç;«iª .’ˆkñÙ¥¾Æð²ùȦ°?ËŒŸ!"@ÒÈmã8£&ê|¹ÜBÒ–1}GϬ½Ö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest3EE.crt0000644000175100017510000000210515161577363031004 0ustar00runnerrunner0‚A0‚) 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Invalid deltaCRL EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚´¶ö¸r—B)zAb…=´Wži|%5ï¬`Åñ8l_ëR¢ ¯T-à£íj«®ÎMžmw’¨XÌšJhÝÎô‚O|4mòžu7É‚§·ÉgxåUcä¼É÷1æÚê¾·ìÂ͹5,æ)Ò&kmdÞû³8eÍcBê—X}G~B­£äVXÆe|ÚNO‚Ù•ªÂœlÒ“ ªÔ?Rù1ÈÌÙ‘bæVÁà8æΰb˜(ˆ•_îé$tÔÒlù¢¹-ßë¯cЂ_†·'ëÝNx½YNpñÿ(Üкit$/ÐC.@ŽD8TŽO¡ËºHž&W[5Ûºßæ«£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30U¦Áå8e¥Å¾™ÖÆ}Yí¡à²Ø0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚`y 6áuºq[Á‡Ò« 3ØšMïmq^q3ËÐCØ™¢ôÅ ÄT¬Ó|õ2bÈ“ªuœ¶Ž­zr±ˆAÓ’w~‡U†ŒÛº€ËÉ+wI+¾¯i`ïã Sgyyù’ú_;ÈZ1/ ÝÇ%@%‘yÛŸ 1\É$Þ4?ïÇ­&·î¼:+*a³€&?oÀ8Ò&»pA]ã(zú æéŠá|à ò]·ûÖ.ÝQSÀD_£Òu½9u׎U¬_¬ Ø®·(Ú]wrxr+ŸS!€ÚHåEyV+[c´à É䈢ù3㣱÷Ï0ÔœÓè›ú././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest4EE.crt0000644000175100017510000000210515161577363031005 0ustar00runnerrunner0‚A0‚) 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Invalid deltaCRL EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚™ª$"ćNµRN‚¨ÂG[ÀAÈÓ!ù”è­lQ¹€œ˜W;T¹pV£µ°)‡ñlSä<å™Å››AVMul৑mcKÖóEsèB:3íh]¥T‹jÁk 5;fU ¡ºxù5£GSx7V¿/Ž¿þ|‘êæQ-í… ~›)Žýˆ†¡ Ÿ#°`„žnhÀ‹‡ÝâÇ5_Âjp¯… ÜÎÕ&GÖ¿ô‡èÙÎÙì†99b»sì0ù+C:"þä(aÓܨQâí¯ÙsÄqØtæ4ÒÎ2?G6-¶"­å 5øäô.o‘LFèOø§£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30UÈÅ…3ŠúÃX¾%zO`š6àœ0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚X†vœalü'i¼7<6]bÐ{ :öãøë5jS4Z¿æÀW–ÄÕñ®Vß¹ýH+h`o˜§Â뾶 Ô-#²í•¶d„H„äµÎ0ÒéΞjo6Ô{=«gH%pYÊ[s*¨}çéF›žŸ1Úï¾ÿBYɳ½–kÑnyîâ‰Iú+ºúØ\‰=øû@t_ǨHB#Źòl0׆Ž}xJy×ËHîWˆgìä †‘$yAA‡™ÐI¶QÛ«¦»–Tðd뎭 í ù0vBž-èÆ”S³ìŸµpéµDÓ1‡1ó¨÷ŒGWÍÀûÝáÿô>çx^LÐß´R“þ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddeltaCRLTest6EE.crt0000644000175100017510000000210515161577363031007 0ustar00runnerrunner0‚A0‚) 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Invalid deltaCRL EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚¡vWâ*$Te³Ô’Ï‘ÿgäA{ƒWHLÂK0Jýõ-,·tq¿ô]“c9ÐIÁõªiŸ#,'±õ—cÈW—Õ¼Ôîq üèªVln” f¶Ô‰:¿#šVHw3hQ€Å¾x+ÖÊÄ¥ßö>¨ :ú¹n½§•§¹h a§ ev9Y|z¾hŽËhW^!o¼£¢(Qήtî]{kïNw­Ê0à´ôÜÏ:¤báÎBŽa3jÃlÑ·(¼hfEòôïÇ¥‡Åk›/Ùsx% Yÿ*29ÓüGáCÎG¾µáP˜€&B.QåTL Zéa»ê|6¨~Q™£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30U²’)õ¸ëç ÓÆàkk°8„8?0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚52rï¤åà̓úÊYk;ÑÒnx@GrV5¬Ú¯¿CÙÙ8†/eý¹í }*ä_¤} IŸø  ~gåFÓ ÅMînúɆiâ·î¨p7}">íe`õ WŠÁ¢ÆIÛŒVm5=¸ã¨qµÂê3^9ÛŠ¢¯úƒN=s£ftê•K_×Bá#T­SúmtaK=X^«ƒã"˜÷…Äò>—UPÓ¸^*f¸û7 u/œÅžjW¥*6Aâ}hà ñ ;!¨î8 ²l L(€T)ùT¼¢–Šœ™ù'«’³óáH ¦ÄäáFª ,°ùvˆRˤRŸÚÉøÿ['öÝžR, åFÆç¿J'Ç‹pPÍBkF<ìË\–4™eoÊAŽ4QÉ 3gºÝ˜ys[vZf¬¤¥O÷§4Æ9yf¿…G?uŠÃ‚€J†=Ÿº0·ǘZ”ÉP|?4_ª¬&6’dŒÄóÅR(ø{(!gg˜ Ý&²ÖñB£H8Å<*Ócí@LÈj'é(3u©ÜTGÝúj 7ÅðŠº6Ñ„é#mæ€UÐef°—£…z‘ŽdÒ°4¼ü#MÊèKúÕ¿rê?Ö…?)Ó¾ö}ò )#n%!¿îá8íLŸÚ˜S«E£‚!0‚0U#0€|Øö¾LÎÏ·?¡»3«µ×ûÄ0U”w¤C±U¯›¢ Ùjn™$¹ *0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA20XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA20  *†H†÷  ‚I{=V@0<òýqƒðâ@—úÏÉò°f¬¦].êoIÖVî6!¸&qÏF¼MãEéJ8DŽ+<'Í2… Ù‡ˆŽdð ¨Ú˜ àÔìË}äƒà¥N«˜Õ<,Õ•¿Õø º­3AЛΪp®\ŸOcÕïâKp<Æ[î`̸îŽjýÉŒ ½¡²x×y…í(ïœ+¿þ}GÅ•SÒÃytÔ}’7¨ºwaÜvpþ-¸+Ó«rDákòΪ4Qì`ÿ¤€,@rØ+ËçhŸ<†_›Ÿ=H‘¢y¥ø‚r[Áª{ƒ‹sg&«‹W;ÂMíT‘ƒiì././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest2EE.crt0000644000175100017510000000205715161577363033110 0ustar00runnerrunner0‚+0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid distributionPoint EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚Ó`ﮊ9 ¸Pé?øÝ–Ÿ– gþo%ÿ7é>œ²ÊËV¹‹YD–i*7ñ‹´vÖ±¿† ¶5©VÑh Ý/Y6¼ÒbnEÏj,e;ºº5è8&fDÒùlq¢Å1ŽŸX#Ý'W9p•s_ö;XëÚèæû¢±ëpšOFE¯¢vÆÍ°ŠŽë0¾EÇ›0»Ä:Œ´H-jȶ.ÝSø!P18ݵ¥‰~¼›|É'µƒx)ÈoáNE&#ŸI¬ &¬t,ñ]4Ú¹”›Ô`"úz¿Ûîp7 : Yàƒ”t3gÀ9CîÉŠÛz£f5ç:§†ö'Ë'Ëh_EÅ?‰ þû.üwÓÿ‘«¬ûK$ê‰<'tp îþÛxâiyÇ’Iö¶ëqd7±¿–òXÃø~øQk¨Ù:2ÚmÐô¦ž1¯¯Á€›ž|>æIùÁüœ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest3EE.crt0000644000175100017510000000205715161577363033111 0ustar00runnerrunner0‚+0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid distributionPoint EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚ÂLGþø§xi&BG¬ÎÏO–¯†3é ô÷ÏõwªA:§µÀQxXjnCu Ã¥ÈD¢Ôºæü[ã$çÏ0kéÿ†½Så¼'ØGòͲË$6î4N ½ §7vò¾pTÃ\Éìá`ÌŽPQp·ì:Êß_Í‘8àÛ¥/,­Á*oÓâÂÀ×|uÚj\Æ€(L£LS 'H¶<ØûßÞ>Z?…ü—/×’À œó¢Éýkîð·Ž|‹Ç©8 6JÞ ôŸ ž×„nh¿ª¤SnDÑH›Uƈ#`÷;û;’ÑﻹZnõx¶mïeyøò©g°Â}ò£êÔu¨W£ú0÷0U#0€0s½p(‚ÒoÏÒ7íÍë#‘Ûï0Uf¤²$ãß´t±ÄëÁìR­çIé0Uÿð0U 00  `†He00‹Uƒ0€0~ | z¤x0v1 0 UUS10U Test Certificates 201110U distributionPoint1 CA1&0$UCRLx of distributionPoint1 CA0  *†H†÷  ‚j ‚b“*¸{>š3hÔ ôáX{³¶íiL0%aúy²Œ€ŽîUHýì¾Ñ<žÐ-h–_èIÆÚOÃAÊYQlµ¼~¸€Ëß:Z+™Ó¯£…ýHãDqüwìâ#‹§yŽÑFÙŽyp2Ám\¨p˜uÞ’Ê;ÊÓÀ­õìð"­¥{ЪfÌ!j³XìiÇGÓ‹ºØŽ Õj…OR€7Yx§in½•Ïç,¢5º•¨I%< §ã½§£7CoA ´¢lçëÆãy —ÑSß«$¨ qÙªLfí 1±¤´€˜µÀzÐãÒßE©^ÎaP_Ù3µn¡©D././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest6EE.crt0000644000175100017510000000173015161577363033111 0ustar00runnerrunner0‚Ô0‚¼ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid distributionPoint EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚•àˆ#~Y­ÕÎγ—!vNå9ïÏpª B%?VZ·¯°û?-¯aE£ŽÑ†¶ $µ‘’­B£g×ÎÖ[ ,Þ,œ2HÁøxd‚þA¡)§±—’r¨ÿ{eÂçm~”}cÊSò)*Ãǜֲ»wyf>‘~W/Bëö.gÔZŠÈ`/ø¿•Ï7M¾pg¦íb¨݀íŸm?ˆ7ßØÉÊà.þ¡·ŽÓF(ä†1’)ə˕‘Ü7£ƒ:pZÐ͈Mâp0&Iß”µàù(£O¾f€2¹ýZ¾flÇBÿÍB-F_“Œ–®—££0 0U#0€DlîÛoëNIxþÍå ì»`k0U{/§WÚE78N‰–õ§Ù³l<’T0Uÿð0U 00  `†He005U.0,0* (¡&0$UCRL1 of distributionPoint2 CA0  *†H†÷  ‚MêDæ&ÐäÝ9b!ŠÂqäW·Á@0,ær®”¶ \«äÓ}6Ú¥,ñS( Ê¥‘$é`<5tÜñQ:°k†×3(gDÚØ«õ±ù7ÏpÕ“½-  ø@©wö›ÕˆÇ¨Šâ²¿àyÔñ.Bb¹¶ÛWf–ÏÂÔ>˜ÔûÓqRnwŠ;\Ø:õ˜D©M_ëTº“´f㋬ŸcBðøŠ€¶+Ïð}Í™ MBY1§¨õÆjio§ë¥-©Ñnq“ª÷ó ìŒÒkXwa±êÂæŒ úÚ>FL6ŽêAȼEE‰qò㙨ûý/nˆ–ˆÃ¦›éøÏ9&z¦Z^K././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest8EE.crt0000644000175100017510000000200415161577363033106 0ustar00runnerrunner0‚0‚è 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid distributionPoint EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚¶ÓzNÂÁYƒ‹Ÿ¦ÄýÛc(ŠóÅ–ù„Àµ(§jPì)šÐ€W3þ)TõK¾ÍÑ+4‹r¶ße—7ƒŸ‚»õ`Ë_K-¸ÔÙØn-©x¡¸v%ïe‡>E¿©¡ú_ÜÏ»Ðm¨¤`¥*jG´?wû®Òi¥¦¢—E3?¢MDÅñI¢æ÷ K"Adfìö†û©¹zºo×þG‘ÓËiÚ¹…†¸=œÍg™î&! ÍFíж®n}«ÂóI$N¿8iëfªž¾pRµ9DÓVmOú®K›!Æ—'çA#¦ZçZã×óBƒcx)½õÅÙ-‡ïßh»^·ê8Yu’ÏÜÓW£Ï0Ì0U#0€DlîÛoëNIxþÍå ì»`k0U„#øx¨ùT¦:ìk½«®~ÅY0Uÿð0U 00  `†He00aUZ0X0V T R¤P0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0  *†H†÷  ‚Q^åÆcL*,[QnðuýY.š5ŹºÌ‘FúŸÄXtÙA‰Z;Ô,az}vÍÈ[”y¢ÇЄ B°J I”u«=ÜÀ Øãx´ì<ÑKaAˆ«ùˆ%”€»šÁb ‰^¼¾ Z$õG­Ûýä½{–‹1 î®™n ô+™4n%7‰úÎÅn¿ˆ‹'Ѻrw—Å^K°ïF#â&0 Æt>*1Ñh£ÒÇÔÏTIt|ÙL×±5ºE›såáÏ ˆÿÿQº¬å”îR(ÒLæç—ÅWÎHS7 ¿.ÈŽõD'«­jKOeìÕÓú†Š5Õ¤5] ¡ˆÂ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvaliddistributionPointTest9EE.crt0000644000175100017510000000163715161577363033122 0ustar00runnerrunner0‚›0‚ƒ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid distributionPoint EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚Ë+)<Nž=ÛA6}"BÃ>7þÛfíŽ*€´’û¥¶¹\rS§e‰!̳RTã¾ÓÆ ™›\DUC®Ì<æuEnbàù¶Ð‚_ùe`˜U îÝîË–âK=ßLÖË©üˆõâ«Æ&½z=!S[Ý'‚µ/EÁH:di÷¼nø»“fk–pù4ÉûRƒ‹³ÄJL'ÒE–»·bCø#M³ú‰e—…{PÒUɲs‚ÝJvDãè¡ÉgpÌñ©üN)‡Qº”i—ÖIò ¨i /A[ÝžÜ3ð;0U@×n¦‚#ÙÞsäÜ`U^«¦6Œ&U¿>+é Ð éåõ¤í£k0i0U#0€DlîÛoëNIxþÍå ì»`k0U„ª^#½0à-T.èõÈ‹ô 0Uÿð0U 00  `†He00  *†H†÷  ‚*Éx …jN¸ xKÆ.!z†gÆê!\¯ƒýq X²ôšÞ˜Ú³®ëK…l bÃ0uÛ ?Aݘ8ˆPÆÚ¥zãbçã¹T+ ø¤øݦy;ÃQ¡;ØÐö«Ëá–ç_í)iñR¹jëîÍ„îçÉ¿:-t‰Â#ùJÝž¯Î'Oã°Ê®±$M¢X›e„"XvÐ4þ•žK‹^`ì•<4es†@ú‰Xã;ËŠmå-K²< '|*Û-¸8”ȇUËS â•^´„å˸‘–!Êß~sôÏqˆÏ=ÔÿÔâ2ýðRཙyÖ,é„!kØs 2M././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest1EE.crt0000644000175100017510000000162715161577363032636 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy0 CA0 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid inhibitAnyPolicy EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚°ÕµÁ;b|ÕàKþÿèäÁöt›H¤°Øâ‰ÚÌó'аQ¾µf«É0êÒU.gÃ9*år¨ ‚æèSkŸ3þ ƹ-àŽÈñ^Æ"åÌU#’Ð㮇¥$4ß¿óÊ¿º™]%­÷¦¥D\Ûµù ð*c6ÚÀ¢_2°ŽÈ¶Ù9už§•L :É‚ü÷¿÷:ëžßŸÜžQ,ªûÉÑÿ5×ø–΋ØÙk2ü‘oºQçïK»út%u–˜úÚëõ&-&¯ c³w•úó›nkœäY[ “>?1Ûnîyú`ž±ÖâAù"¶!×ïc‘.*èŽòòÛ£e0c0U#0€  zjÿj…‚$ÍÃ&…ø¿Š70U¤³g®á(H>˜(öR8ý—0Uÿð0U  00U 0  *†H†÷  ‚D`÷’í“NèÓ^U©÷N:ôs‰—ï9ør ¸V©ûðεAWŽ&×Øg‚£Qt}Í¡Üðä!9•¶¡`€hL‹Ñ 8Šm&äµV¨e¢bÔá2OO~.êm±•DTÂgš)þ §/x÷1úÇ”…,PtT%”‚ÌR€ˆ#G—X'wÅ„æ{ß% l/õÇD`Œ}òÑADó‘B~G €:¦µ·d7ÛÇQwé˜ó`ÓùCà «Ö ÛÉ@µ3LçÅ;dóGDôV¦ñ­ÜP9aãM8F#„‘óò¾n±ôÃñ×ûzärz ¿€÷^þø©„á°%©@ æžýMkó4././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest4EE.crt0000644000175100017510000000163315161577363032636 0ustar00runnerrunner0‚—0‚ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA10 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid inhibitAnyPolicy EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚£³ok¬EªÌ„lL0+H—½+_I!É©y^ÆZÕÀY²ÅûŸ`TcSÞ{[»î~c×yc£¥¤5˜eß5FéèbÍtP×Ò ãl± ®¢¬_Ó¥þ àÜö†žÁǨ“ä>™Ù€,Lô¨Ý,O^=S0Þl×n±^ HíS‹:gxx TOL:j®\äõ§4èeä²ÅúúÇ…ŠrY T¸¢ð$ç%¯H7ûªÁæŸµËЂŠ—Vž-îšv_r.æ-Ê)mM0n†xÜ£³öuþÆYçlk°`­ê% g¨¾(¨*ð„Óÿ4TH<—7y¸öVB_ɇÕF£e0c0U#0€t ÕXÙ+SÒ+°Í]qÆ¡¿C§È0U$Ç°õ8ƒ~OÓ ^8gB²0Uÿð0U  00U 0  *†H†÷  ‚x[&UVöw#ƒÓ¹¶[&Tø ²W¾§4ÙòŪ!¹þ×°LÁˆ|>ž.ÿ]0õ)uIœd8Ð /¼ò™fm™u²¯®YRèí™ü »^ÖF¹v.XµàKÝqƒâOùù€¸©©ˆ'o’r‰æê\?£ÂOF½ UôS vX¤·é­ªÂ,ƒ*GrðmÇ9vï uúŠc_t¾Ó&8¶Ü0æNRu–Þ·#™ZZ=†÷’*c ’=a0aç;bÜâ-×"tÐîX^j ¹|’§ÙµH`•é±®¼´ÌÌÚÕý<1º[#"±2í0ÄMgcÚׇ«zΤ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest5EE.crt0000644000175100017510000000163515161577363032641 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UinhibitAnyPolicy5 subsubCA0 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid inhibitAnyPolicy EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚×ÞEŒÜö*jëó_' Ö…š<6ÿL„Z2û†‡øîÿžqÙ,q yÜÉ+0Ý-p¨Ÿ€ª#®QD s²ŽF}©Üä#‘Çæê4E…J)V¸ª´Š!.xºówÒBÃ>sîÃb9¸LÏYVc¨'cz~™QÂE~®žà–M#3” ¯'¾ïbQCÁóÊÑÂY¸à,dóÞþÝ1_fyÝÚ6ó’´ßÉÛÏí¸C»ÌxáYgå&Ë|WéðõtÚwvž©Ò†”ìÝLÊKžsûë-ó¼}£ÿR ÌÇ;¢&þÞVÕ¹Ã÷_ð˜ vZŒ:´º\Ê ‹ØFlE»é»£e0c0U#0€1á?übn€eÍ©y+n‰ZèÃ0UíìÅÙ^+šNwPw~—:{o”0Uÿð0U  00U 0  *†H†÷  ‚.ûHÏä/&Œ:{̾‡ {àFä<œy“4ÎN©zħuC(%•yBmäOÕªAÍK¹«ÙÆ.d¬û`{Ô T6ÕÍþ® ¯|á×(ʳ¾Ç4¡P:•€LIûS‹Î³e¬T2b_+@Wk¥tà»3(Âs$"J„†¯Œå ²%uþ|m‚ÀÕ©‡ÅHŠ]¹gŠ]ÝW˜}ûá*¿öÂŽê5gÄ=l‡:âr÷五ÁR‘î.™>gÎùß2ÚJàh·¿ünÔ©*Ë]"ߣJ`Ï1ÍèÆ•¤Wät0Ø ŒYëX›\IHÙ†A•Šã p¡././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitAnyPolicyTest6EE.crt0000644000175100017510000000163615161577363032643 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subCAIAP50 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid inhibitAnyPolicy EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Ä%YI%»»QmÃêüÊøpN^RÓÞÙ1qí{ÒX›*b-ë*/_6œå³ÊMTü19ÆN¡Þ³UåÍÐämþU{©­òprñÓ襟̇¡RŠT.(Aþ‚n1­¼ôÍ*TXRÑp!Ì´|(üÍ*„{`ÛK¸ºúCdÐ8îBÉòtµ ’NÀ+Á:wKŽ ,á„NŠÕJÖï4ˆ§dYÕÓqð›y{´)~Æ3*^Ì{e¶©r`øŒµì™yЉ4º=üÉ–”·B͹×DAª™Tl!û_neÖãóúBÜË·Ž²«°hkÇHx"obéî±B©£e0c0U#0€‰Tt`³÷n aŽû¾R&0U—ð¿›T–Qѽ!íT…ÁDÌìL0Uÿð0U  00U 0  *†H†÷  ‚Q]~ÿÀ9Ư Ut:¥0|ö>Ýdéé0ôWæÉ^;4«]X&•V»eY&í¨Ah.Ö|ìtBvGÞB4Ek†?ãä]Ttò®Ýì@å¤?øyºð:›k¶‘7ûÕÆ8òļ(myáÓHØ™ŒÂÕ²¯(ÃÞzéšIfÇÓ 4uÓSßø}«IË R¿7Öv†¥åâ v÷ŒaÃ/Ú<¤Ú!°,˜‡×ÐJ GlÄã.1ÆJ´¯²õÌ–}é… èc½¼Jš«ôü\Ã\Y¤èméM°3 (?Feöµ YáÖ¼½îÜö¢¬r¦‡èŽO .„ëìÂÛ+‰Ó././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest1EE.crt0000644000175100017510000000166615161577363033505 0ustar00runnerrunner0‚²0‚š 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping0 subCA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid inhibitPolicyMapping EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚ÍІ‘³•¶â>E L¹ß«k®·­¬Ž°G¥y¾ÿ@ä€ÛŒý×èÆ/J|i÷ª £¨âêHX¬+QÿäŠ"êÒó;‡øÜaè‘g]ˆnÔkÏñ)áÿ¹ÝÿÍ8€ô,["yîˆÿ¨t‹M¯'ë”ö¡ïUÅ“’{,Š¬h ™ Ûy´´ýQñ’:ûåÄE^@f³ ßö kæßÜ™»ó4»m臎¯ »7¨hDIÖ†%v›äöØ‹øÆ•##KÝùŽŠKV@å›uÍWØy(&ñ[k’Øç˜y@8Í×LAQRMõk>B×ÃàäÑ ÃÌÃAx}k¯£y0w0U#0€ÿ´sbR\–:Z®¼¸,‡äÞšltLÎÏ’Î4P\çŒ4²üë' ”|bm€òÒƒvßÉff€#¿“ZTÃûMÊ3+9h¯acvÀ2ó8ƒàhüÚ 0›ÜšYGˆ,A»Ä9½B™#óP&ÿhÃ&þLyª½Ñ6áþ?HŠÙ(UûQB\l_ Äš±øàn>дLåéXðH•ÙG`´"=Â8φäX-"Ï&Y03UÛœ“²ÿ¶Õ´Ñ@XÉhÞ“ÁÄéàäL‘oWð97Ø΢Ÿ K¬XÒPúÃú‡ÁéMz‘zZÿvÒoBé¯?tF^iÈZ(&Ö‚h, YZÑ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest3EE.crt0000644000175100017510000000165715161577363033507 0ustar00runnerrunner0‚«0‚“ 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"inhibitPolicyMapping1 P12 subsubCA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid inhibitPolicyMapping EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚¿a AYA+²¸·ã§îtH¡q¤ ×”×¥Ÿ°[Òa÷¢ë÷»b.¯AžwU¨VîŒy|1š?â]£Šdÿ-`Ú·õ]Þ&9®_÷Ñnu“»ó¢1ñF.§\Ïrêx‚¹8àäc"hu8 C@•Ã©MWª,wã.7,d’ç:'¹ÉwR…Ö‰\æpæ#qÆF¨ ¢¥œèxQwXÔ‡à?läÎ<7:Ñðò —wïö©Ìû@Ré†@Õä×{—Â4œÛmqÓ  äüwpjxN9!Ñoâö«…HÜö•ÀšzĤ+á~Ù 7µ Ö¿oô…UèÉýg ‹Ä½:>Ý|FÇüÈ#–¿ÒcBÚ¹ÏW†ýv¹fÅXÅ? £UÓ+„¼L§O==Ÿ¼½ë\²øcjf¸Í°}ýÁ¸]+Dc™"]ƒ¯€ð}Ò±VYn¤_,Él3N>,Q‘T:•j”4³ú£2L becÐO±qZahÆåþ /0w}8‹aééïá§ê-ø‚rJžò"“ÒÞ`‰ßhÔ¾Í4‚(AQ|­¾a}˜9­Ç€ô‚¿Èm:ÉŸ\fZË~aúïþßd"ò»:š}Řê†NòÌ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest5EE.crt0000644000175100017510000000165615161577363033510 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping5 subsubsubCA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid inhibitPolicyMapping EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚´‹wéùwÙ=A½ $êÿê9®¦Ã_©Dv9[±º\¨ ž*(¨p¤šà]ü’Œ%ÂP r¤´YöÿèÙø™¹UeLCÓy¨I ií#»Êÿ«Ú¾Øç1ÌX®»Jˆ‡og ЉÖ‡â®zŠü£>bq9´öܤûþpÇTˆ~¾D>@ým±ÖãD¯9BüµmBQ âÖÞÒ¢ébÍ5ÝD Ñÿ4»‘BØ3È`)~+€ÙEÍÉð6ÖÃÇ°@„ÞൂÓ<9àÇ·9ªvôI¦°ƒÝWÉx;nžp: sç"Û Ù¹E‚°<âå3™ÿ½K]QÌ¡£k0i0U#0€®cË×âÃqãôÎnü5ô›ÒM>Ü0U •N-óE ›Á¼îéë[­QŸ0Uÿð0U 00  `†He00  *†H†÷  ‚.l×R°. áp@æ¯Cïx-¸ä:2üÊk]„‡î” @Éhµ"ª’â)…ÒA¿kø= l|€,>"€ÇHÀï ï6[ ¯y(i³½´¥ Æ#¤ú—²¶N­˜ØX]ÉI(ÈAUÍh3šFnÐ'D?°E| L¤S2ªõú¤U,k=Ñ,ZGA Îo´×)!¹‰yØíë<|ÜuÄä*üT*íåk­¼KŠ ¯ò³(ª#Ô&Å©ç\Ñà $}2ï—C³ÜS¯Â>ÐÀdJ>·JóôÁøn&A<0`ªÂçCWÔÔšê¡ÕGißÚy]B=gÓK2sþ¶././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidinhibitPolicyMappingTest6EE.crt0000644000175100017510000000166315161577363033507 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0_1 0 UUS10U Test Certificates 20111/0-U&inhibitPolicyMapping1 P12 subsubCAIPM50 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid inhibitPolicyMapping EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Òô\OúA’Ëcø争6ê¶<òúy RxA÷`¾BÀüý ›‰éãRíºD›DbÖÁSßÀÞ®Y”oeÈøHìa! ½b¸Z¼ ¶ •ÀcDÞ[|â|ÜÑT²¾CjíͶ<ŠN AÐ}B?&3H:;Ø#zˆdÅêR°/«¾r0ѱîÂÝÂÐ8Í–dß9¢ób¸G'ÐgâÁG„‘Âø˜ß/[Ë¿€.èà¼^Z³ÉY('Ú1T—.ûÖ_›ƒž{ЛG~ÿ$×÷ÛÇ%Àr« SX)ØÃsëò(m;ÝH¿[ÐR6ð¦0§Ô+n7ŠxêÝ£k0i0U#0€‡5g𼡠6º¨)í›[p0U“œïv ¯¹-fR"xK±Gû±ª0Uÿð0U 00  `†He00  *†H†÷  ‚¥ Á1¯ÝÙ®e³’Ò7€UFÝ+` ãStNÏРùhM½‡‰ÒsvÐŽËï1ËÉôö­‘nPëcªiß—°;ø4„è—£7ÔçVó ÞÍ·6ïk@º@6*¦£öxïÚƒ^»•å »›_û³ÿÀÇÏÅmVD]-Ê“*k–ßËnÔi×°jøBÏ<)2ÅÜ3'Lø5äëÿÑ!- ž:ÁÜ»W€ûjŽ{]îWjOPyzÙ¯€+lq™©ý>½ÀP¿5’Ï°RAŸ0”Ùý.Ëÿ•ñØ!F§DîóÑQ-£X~â‹^0ÒYê'vÓŸ¾T铺!ÞˆL¡)././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageCriticalcRLSignFalseTest0000644000175100017510000000167215161577363033723 0ustar00runnerrunner0‚¶0‚ž 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"keyUsage Critical cRLSign False CA0 100101083000Z 301231083000Z0u1 0 UUS10U Test Certificates 20111E0CUÔ˜áT¤ÈaÇìÇÓRöPŠZ°Û"0Uÿð0U 00  `†He00  *†H†÷  ‚b†Gä(á'è¢I‰{Ò"¬°ë™N8»ë—ñ_±xÏدwÝKçvtüÌÁ> í®Äƒ> ¸ÒáºÿÈzb)ß–"Úòû&k_Ü4ÔÈ™¤ÂÉ»]£ìüØõÏóêi®»eØQNÙ@MWä¯å´É!¯—¨·¦Ò ‡/y$Yq@W%”Eäñwæ{s DÓ†UÞ ·•¾©[$$i[ݱXxt5’q[Ì.Py©¯´‹Vsœ^«·r= #PMQ÷ òˆj«ÀÚ_¥Æ’$/eœµß‚ý8¯Ï#ûtÅ“«dg ý)£k0i0U#0€4U gü±ÜÂr ðcéÔ›ðcù0U„$âº×Wò®Õœµ(*d0Uÿð0U 00  `†He00  *†H†÷  ‚™£­c´T椽 æª,ôª¥’ 3X¶5*~2riß2h¯d§Èð“) H­€¸¢Ÿ ³¢Å+éÒæÀ¹ ®PyW›æ5UJ¨Œ?¯7dˆÛõ·Ñu"LÛþóµÓÍõzì¼x¹8r·GwG©ET9‹D´üž6•½$õ´G¡ãæŸZ œ˜Y@XÜÎ6Êú=\| 0Ü“=4¶¸LH$bÕºuŠÒI:ǟˆ!øEÕÀ“à'÷Å唧á¬;—yâ/q‘„3t¯†¼Ñœ¸l$¸Ú/ªš»üÆ”ýÔinoE#ðWsÉ}–ï¾¹®m9•?и`)MŸŠ" ././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalcRLSignFalseT0000644000175100017510000000170215161577363033662 0ustar00runnerrunner0‚¾0‚¦ 0  *†H†÷  0_1 0 UUS10U Test Certificates 20111/0-U&keyUsage Not Critical cRLSign False CA0 100101083000Z 301231083000Z0y1 0 UUS10U Test Certificates 20111I0GU@Invalid keyUsage Not Critical cRLSign False EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚¾¤cÙÎð+ÉØøÀaÞ¯Þ— ¼øʸ‹‰ŽLIsZééÿü§¿Q­Z<,‘ˆj'Á÷<­–ÿ™Ô~ªSL˜Ùƒ(Û¦—÷z‘¬’/½¿Õ‰í2»­Ï­¢È4… Îy2˜+·ƒŸ…Wlh° tp«-FïpNAm¬±èØŒÌb뿱–Oüﺻ‘±¨O·eh8JÐêÕL¯ ¿Ç„HÜkŽ?²»íó/Ý#x£áŸ’G§ '`NX­û§ÈyD •[X²ñ\rQô°%˜Ä9ù+¥ÑeŸ¸8ø(æm+¯º†T)>ãÓÁÚ¯.À€ o£k0i0U#0€ù~R yfDeyÝæCñØ0UÿÎ2²{óVßvò S°6³f·Ú0Uÿð0U 00  `†He00  *†H†÷  ‚‹èÙ·|-zeØxF˜\k‘:£(ù–¦™õ!þÂ/,³’~:+öò¶aZ˜.y÷ÉÏJ½Á .i¿!·Ò5eÈ~ÅÓÄj­¤3u¾ÿ¾ê ‹dÇÄ8,UÞ»Vk þèùÜù€¡bÅzV@KG‰hò“¾­?éK„D6[v†vN„Ýv3€ 2±ÆÍàbâó sգ،žó›Bñ‹ÁM´šc-çå¬GÁÙ¾%æ:|¡ŠFÿ¥¶¹°¸E›ééVhg‡Œhb#nÏhèì„ì±.GÙbÂ[̬w‹«uþ{u £eÞ"g;×hwÑ+^²õÏd_©×yC¹¬¬“././@PaxHeader0000000000000000000000000000022200000000000010211 xustar00124 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidkeyUsageNotCriticalkeyCertSignFa0000644000175100017510000000170315161577363033761 0ustar00runnerrunner0‚¿0‚§ 0  *†H†÷  0c1 0 UUS10U Test Certificates 20111301U*keyUsage Not Critical keyCertSign False CA0 100101083000Z 301231083000Z0v1 0 UUS10U Test Certificates 20111F0DU=Invalid keyUsage Not Critical keyCertSign False EE Cert Test20‚"0  *†H†÷ ‚0‚ ‚œð3mmOXi¼G…ªG$q:ñT¿Á!=áÆܳâÛ$ºÝô§P˜l*Ãô¢2Ÿ¯ì©T1F/Í°ƒÍÚVL?Žð«ÇÚ‹‰6©c PáŠ.ñ8âº}2ûrýv#%¦ÇëÇfRt3¾Y·‡¡Hè½ß³íE:Lx¬ý²ˆò‚ >”ŽƒoV@ ò,0ö4’ÿk^–¨­Øû¤¹ÖEÓ® ×¹Hu^º§1ŠÁœeþþn¸vš£,C^¢Ì²’µ®[û0GGˆB^}xËƧµ¤¹ÐõwÖe2+Ù™üüzW@ËÒ‹d]HCŸÑŸ¥£k0i0U#0€²%Ò(0ÐUhnLµÂHóÊ›ò@E0Uó²NÕÉ\¹Wd ¶åÿï­Š·d0Uÿð0U 00  `†He00  *†H†÷  ‚xxYµŽA çvÍ %Î¥­•ˆðìXÝ>¶º¿1£/Ñ%n!fQ‚HCY+“}óbë0´p…ÎøÈ”à=¤üýyÇôTb‚–e{)|ýc1ôG„c:Rð^è²Ù‡Éóx¸±vwߧÉj~(yB0lÐĸ>Õî» ôR½Å]ü—BB«7‹(ˆ|;Øh «ëm— — 3xÁ§?•–Dªh»Ë*×ÛØtûG©êÖ¦8.­FþÆσ†´ò–²Ùt×÷ócªëHWÑ:‚³Ë‚_™xêùØÁàÎ8ý×_,qæ}]p˜ÄÙ‘\ó[ý ¸*â®óÙ ܘM/ì¢././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlyContainsAttributeCertsTest14EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlyContainsAttributeCertsTest140000644000175100017510000000166115161577363034006 0ustar00runnerrunner0‚­0‚• 0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UonlyContainsAttributeCerts CA0 100101083000Z 301231083000Z0q1 0 UUS10U Test Certificates 20111A0?U8Invalid onlyContainsAttirubteCerts EE Certificate Test140‚"0  *†H†÷ ‚0‚ ‚®¤o™@Vµøw¼¢ Ò&P¦¼n¥~'ðˆ#—#™7Ë® c3±”þ4…ãqË™Hò$§ÓbF¨&l«ÍZ‹N9Š¦Q(Kž‚ü­c}8•JÁ¤rÞ)ö‘…Š<è‘_ ‘çÏà‚1nÙn•Wþ®I­(Ñ!¬4kŒu3a6Czv˜eü’»O[ D—ë7¡€6(ý¾y„©Vk^×ÙÅ­áYÅ~Ç¢v˜@–2´(™2Æz/ –Ð1 V"ÐèGÿEÐtâ/~v=‹êá£'xÊ¢9hgË91{oã¨wO:M%qå“…O£k0i0U#0€Mþö-¼µPMß™zm3pN0UÿÑA4 A¾¥Nå$‡Ö¹¯Ã¾Íë0Uÿð0U 00  `†He00  *†H†÷  ‚Ž>J˜²È²A]Ž‰uË4þ¡á`"£Pk°HÍ1Wë¢ÿ]Qã_jM™CyQ$RqzÃ1ÚغïìP¹ÆqnxéÄ«ŠvÒ"rÞ䑘ð†äÎàgëY‰ }ðÔ<ÇŽ[G Sˆ~ÍÙ"íž@-'Q…1]pˆù·¯kñƒ6cðÃu×F‚ÜNÎp'\îhQ/ >Ø^³×¿iÝ?-cÙ—œCSóµÒå[uËÜ!qõ2Oa5¿.6L†ùãà4nþWC\åؤ)Ÿ°„Ö‚*fš@`;V÷BF®üÐýs)1l¥ V£†j4噶¸í«CT(Ë;V¤½wšö1i7CñT././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlyContainsCACertsTest12EE.crt0000644000175100017510000000164315161577363033325 0ustar00runnerrunner0‚Ÿ0‚‡ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UonlyContainsCACerts CA0 100101083000Z 301231083000Z0j1 0 UUS10U Test Certificates 20111:08U1Invalid onlyContainsCACerts EE Certificate Test120‚"0  *†H†÷ ‚0‚ ‚Ïþ Ó3hÍFYêà䮡;ïr¥j„퉩ûÙp$?îÛR¾ë»¬$ayœ_ñ2hßÜ݃4b^˜É Hº¼w¯ì”íLék× b„Ûj«\.f=‹šTªFVjp÷6ÂÇ%. ›OŒü›úµ=Ås»ú‹LSv½ ø›»¦vD†̯h«0L•#[FJùÐ%gñâí¸·#e‰Ä¦‰£ õ«Ç˜>¬nŸc)ÐU/jѺê—Ìs*ïG_N_“ÓMOâÔÙÅ£±ôøUyé’ý½9³É[†‡üØ0%@]ü‚ HÇŒ52¬µÀ`xž70HQ ³¬ì¸ÚZÎäöeñÚJ_2ôšjÖ Fã1Öiº¡º:$«+ïà٤ؘÜ#±Îë‘*°ÜãêµÃdy9g·É®áçZ±Š/«Lîèqt$¶1ªü3£+×—­û(“òÕ»?F././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest16EE.crt0000644000175100017510000000163415161577363032604 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA10 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid onlySomeReasons EE Certificate Test160‚"0  *†H†÷ ‚0‚ ‚ªð¨¯†´¹˜±N–·Š‘“Š=/°lÛ8 ÖÌW\sÆôrWê‰.?²ü‡‡EkÈpV˜t] [‘²è8äÎ`¤ã ÛýG´HŒŽVÆ¿×t0nÌ,óºj)½JZ Î Q~r,À O–f? M>X½¡lÀÂ9ÇìÂ-¬HÁà•Š³¸&ü¯‰ò6䟑µ²TžGÍMhôIÒ”E” S ¹¹®Á×ÙÎb t'LaQ¸Tpiecù}¬Þn5:ñ1ÓÕί†æ#Å«ûw¯½±¹bˆ›?lJÆFŒÝ2/¢ŒÂð0\_k‰œ€#ν ¼ú®D5†wï×ôwk£k0i0U#0€PhÑ A'‡ç N·xVûŽîq0U©™#bÒçûpA–ÀOM‡Pžcd0Uÿð0U 00  `†He00  *†H†÷  ‚q ŸÑL<þ&Q°©§k6•š¡‚+e%÷ÉU ±hÿR–°ÿpœÛßcINŒ=þ We £f‚j"ú/\1ù®=ð«Ãìbˆ<ÒÂ_ hR®†Õø'ê\È䢹4·8šS%õçKÿî¼P÷<‚û“ËéÆfQvLÜtº¿_CFÄs¨‰ÑÌRòTC§^!=ßKÓ>H{Ø8M@I›0ààB<‹o!àÎNgO”“¼>xHG‡Ì‡ :{íS1¸s`,'‘«iÒ|°Z"qU&¾X3ÿÜ£")C%N°‚‰¤ˆ°tt† ®î¦@¶PÅP“././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest17EE.crt0000644000175100017510000000163415161577363032605 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA20 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid onlySomeReasons EE Certificate Test170‚"0  *†H†÷ ‚0‚ ‚Élr´×#Ýå>=eÚc%Ž•Eƒn´CîÄÊ! ËK[³-Z&QöƒáŽœö»ý8bŠ2¿’€È£ý ‰=‹øŒ F ükp\¾ƒßpÈ® ûÎñ¦!~µ¡ –·iž€C/ú&“ ìV;ÂÖ6„SXžÌZ[5g.½`IFÚ´Õì¬x9ÛgdbšËdîgcT¸Y«CuM•2 6É,`Ü\| ÷E²ü}'g¾Ù9iÖUÞw ªûöÒÿ‡Iúh¿> ¢Q˜®¼« 9ÿ’­—SO£éŽïV#L SîyÜ¿Ýï‰)î¿d\Ää ‘ž‡%‡–:o—£k0i0U#0€`cßÒ#¤)ÖA¤¬Ê†y˜¦eH®0UsGíëûGêÔü©uÇÛŠc0Uÿð0U 00  `†He00  *†H†÷  ‚ÚS³JhÚ-c1 lsqýÆè ¦šöu±P'Ç‹GçÞ•JÙŽkIÓôã3y–€«cè ¼þ!¸«èj—oL´ðT(ñ\¢-ã×Ø$ü»²„®û`ÈP¸È}ñ)OµK?G4÷ÜÇ`­v%Z0ZpâM RYòò¡ó`ojT•ØWe€žÿ~3>_>;#zÏ—²g‘Õ!ÔµhQÜG¢^ÓÅ‹ëq>š”Ã-¹ 7?ä"e^þâL„/ß;6ÕÞ¿êò{ ‡ÔœÊØ5Ÿ¥”YIŽjK÷ºKéxø"÷ý8â…#iuæÎä0M66'—?sÁýP././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest20EE.crt0000644000175100017510000000220115161577363032566 0ustar00runnerrunner0‚}0‚e 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA40 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid onlySomeReasons EE Certificate Test200‚"0  *†H†÷ ‚0‚ ‚âDËDÙNº2p Y®C›¡3 ÛãÍ·äÇ„=-Ε"ñÍHa¬œû33)nm+NùZˆW†ÿ¬Ù*‰Ú¬y‡Ã œ×ˆd™SÕ…OO,gü?ÍDê±òmŸR¶KžX“ ×UÛëIQ2x:n°\¦“_Â¥n’ºÀjêìz–ŒÄÎ!\á0~µöÏ‚>ŸÏ"œÛO7§bR kƒÆ¶   u=ðû¸6QÒA˜ ¡)4q伃„›`¿tI1ï¢VØÇÖ)âíQ¤Uô¨B´’‚VÆ\M0· IÃë™ð5GLëq=+ºÈåOÔ@ùÈœôƒA­LíäÎFÞx*GZïÈè0ß ë°¸²D[ЈCf¨././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidonlySomeReasonsTest21EE.crt0000644000175100017510000000220115161577363032567 0ustar00runnerrunner0‚}0‚e 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA40 100101083000Z 301231083000Z0f1 0 UUS10U Test Certificates 20111604U-Invalid onlySomeReasons EE Certificate Test210‚"0  *†H†÷ ‚0‚ ‚è­/óΛ&Ï´†@,sb žì÷iLšì«Â˧ªû8ùáU«8$_Mô4ÛpWÁ§_r~Ù¾ü&_§ Ë˲†X¢²óááo{à¡s:’é‘â8˜©_Z¹7¼˜¨ÐfïCèCO¨V‰K‚ è .Ñg<±Ï½Ð.=a`šÅö %¢}ÑRh`Æ(Û¤öÕ2®Š—qÆ —  o¥€»:8žqËØ.êà1'^)}›òÆÌñC`Ìs7ÓB©…iÑbpœÍÉÑo™ |`ôUáéÿ€²©CÏ3•¢)tiuån[j‘,‘;³dž´F)£‚N0‚J0U#0€¾fÜ ;öÓˆ4‘S& hnÉ0U'7eïéÜö‘Á=ëš©züiº%0Uÿð0U 00  `†He00ÞUÖ0Ó0g a _¤]0[1 0 UUS10U Test Certificates 201110U onlySomeReasons CA41 0 UCRL1`0h a _¤]0[1 0 UUS10U Test Certificates 201110U onlySomeReasons CA41 0 UCRL2Ÿ€0  *†H†÷  ‚-ž³ÿ„«çÜŒ $ãg8þ¿ +EY–>u½cf죞\S#jeuœÎ1!üxG1êïRªO r6ô½æ*Ì€ï’_Q†(¨µ÷¸k!*Fu@ˆp¼toýŽÇ-tÁÉ R¥CA|FÏë“èyvö§UuÕ6<Ç ?J|èoUÓ‰”¡® wJ«|˜¿ÿ|þšÌ ~™à…“ç ñ¥¡éš T5Ë^ {­ 0-³P ŠYƒW·-MÏŽŸó=ÑÀ( ôié2á././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest10EE.crt0000644000175100017510000000167115161577363033077 0ustar00runnerrunner0‚µ0‚ 0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA000 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Invalid pathLenConstraint EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚—ªò_Ñ&íËV"†{<| Éå”Ðú)JÄ9·ßØÄOœÞƒsÃ$ׇIäÓšÜÀ°ªK%Æn¢YgáÞ» O³[(ùG¢Á´û+a¸'g¿÷Ç|EVô”¸Mëß]‰fø÷¼ÐÕD5*rààbRç6\È–’Ó•þÉܼøÙ8xg-"]Xd¯¿Šÿê¦Ðø˲°¡ù<X4×:k'”¯jŒ\ös·(fõ»Óg öÓy3õszñ.e1cArv]ÿϾ! oÁürä´#˜(eš…Ö#ˆƒ.<23¥è ! ¯ÞÓtbÑ$œuÎäÖVZ£|0z0U#0€º¹âˆ÷ÔY%Šã)ßO 8Ýqt‚0UØÄ“û@æô&|#Я®zÓ0U 00  `†He00Uÿ0ÿ0Uÿö0  *†H†÷  ‚õ« bÇqI|…P¤$:dŠ9+YÝú¨c,ož)ßì¶Ê®éÿJQG|6Û!ÎCjV8‘ée‘iAÍñ·HcÜ9[à‡« \Õ¶ÁZNæþÒ³‰GÜÅÓî£ÐœKµœ´à Mö8u K4æ¥c¼üÈ$8uÞªºñ©bg”•F…²­%$í—mÇÚÃ0ö"¿k)þ êV磆+`Oü¾_ÈlN00#µMïø5/#ÛñYF»¦‡ɽO;?ø©ŸRhúq™ó!„S)}s Kž»w¢mÿ%Öv­Ï†0U´´µs>Ó†ÆÏåíãåÀ­ÛaêKÑS+’öÁpuT–3{i}-y9÷GHº™1)¾£ÅPRQF³q`ŽQÛ¾ô¡\œå±F‡÷ Íê-ÜNšßŒ+9Éx, YùCËmÁNfœE­­¥„G˜ÌU $ëÓ}oÞ`¥;¿3çÉÎؽÁT`ì{0P˜üCHåÀÖΨ0?t¬\¿g=#W·R“OkbšÉx ßH3˜î„73V|†tƒ¤Íôê¼+éaGÄë£k0i0U#0€ƒÚ¸µÆÈ‹|‹?ír%â¯ê0U9Wùmû·Y£:/±t8Û¹§0Uÿð0U 00  `†He00  *†H†÷  ‚¤GUçÔk„HŽ}Uéˆ&9šæŒ»V½R³~°øÆ;:¢yÍÖ#“äýÀÖrßÅ“õþ‹½ù[<Ø×R¸*²ÜÔ5d~´òDòÇ E™®`ÒžNQ@ï¡ü£æ 2æ/ßíåðka¢rVêj –>¾k?å‰8‚.¹J“Œ9â7Å—ê»Gá}dËɱÆæÌGör„‹°ÍÕ»·0YYüÌÏm„œ@l¤ŒpŽ±õv%RJ,t2½”TˆëÉ‹‹˜¿k8e-½ˆû r)"\®¾)Óé HWZü}Mº÷à'^sMð ÏëèO'J°)Z¦æ¢Dñ¾¬ÂXQ¢`h././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest12EE.crt0000644000175100017510000000167515161577363033105 0ustar00runnerrunner0‚¹0‚¡ 0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!pathLenConstraint6 subsubsubCA11X0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Invalid pathLenConstraint EE Certificate Test120‚"0  *†H†÷ ‚0‚ ‚™Ym³sx¸soîQŽO‹h_­°ûÝÖëâEϪ!Ñéî¦M8ÕtL*ö*ße+Ó´ÍHµ!®²þŠ(*èV ŸͳÄD¡v£/zXxᵨUÁéC#Ê:å…F<®b„Åy¤(®d†ë(Nô˜-²gÎ $£-)nò+à2( Ô$þn幬٠n|s2y/¨—M/ç*&v.ûàA~Ù5=@u¿Ùaúqè€s Ëô…× ‚A‡Ê}I%RÜÜ© ¨8%F)ÜfŽ‚hêË'æ¥Ê¥ñf%mJp8rã`}·y*ÿ$W¥¯ò¨'ά™›£|0z0U#0€ƒÚ¸µÆÈ‹|‹?ír%â¯ê0Uö<= #ÀdŒ>3¦C ¬`»³0U 00  `†He00Uÿ0ÿ0Uÿö0  *†H†÷  ‚’E"k&ñ—´ÅMS/^ÑWc÷º0Ž }˱*w\}ô4(¬J¢­GÞ;\9™…ê˜Jd“>®«½lŠRÇÌpŸˆ\”¨…B&{q¶Š){…;0Þëú:C–º*);1ÿÐJÎL³G>? ñì Â,`õ:žÉBâk¦ u5¬2qcŠƒDE¤çïg¿Œ^ˆ¤«Õ.ƒÛE¦)Ö¼\嵬ýbœK-æ«Ë¬ü¯/ŽE®·Œ#‰ßži¬1 »Mr¦—GkÞ´85ihE)Øfpà"®À¸ÂË’å]!LæÈeÝÔâŠÕM¤`™÷Z…Éœt"Ù?ˆ·¿°Øj7‡*CL$‘™Qâdð O¢"{2ƒVÁ.â¦YÙã|»/Y¸¨pNƒh·vw`»,Ú†h’{(8skF ¬UÏ<Ä6³”艸!ˆ”Sážïí`Ù­9¢‚4¾B“£k0i0U#0€bg}Ò7ÅrÐ޵ʣs^0U§#ÁzÄ=¥ƒðª )ëâjãÏt€0Uÿð0U 00  `†He00  *†H†÷  ‚çÉ8)U]…i¤Èâ‘`eBÜ©Ã#s¬7dI¾{Åœñ^·'ìßôÀb‹bïÃSiK¬~ºÕµà ‡(\䇙<ÚÆ8½bt(ô1îCÖj@õÚ}ÈçÉ;¶-7¾Ñ«4F=ÖJÂæ¢n΃xcñâ¡V€ýaB΀þF®Ö©¦àQUc£ ËS4¦á§j+Üt¤l`À\.c¹Ž + '-J[ A6šBîº!ÒÐbïK úLþ_Œé̓–Cò7*óñŒ*ZSÕC¨—ðì¨q l̪~-fø5g‰¦#¹½ ·hà­ÞÂÈZ=R°ÞßÛÐ(!././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest6EE.crt0000644000175100017510000000166315161577363033025 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint0 subCA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid pathLenConstraint EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Æ Þ›¹5Žk¾–•S 7/ M’³M=ì)v¦Óû‘™q¯'‡šO´(8‹ µ^ÙÝ·qPÁ]Ä·Ÿddí­ åÚ3Yí.ì>ò=œAN¤î’ÖÒ‘=5vþ|@×z@¨þchÉ+ÀŸo2‰ñØú²#¾áNÓü„|Žã&i KLë`þÄÓµm‡ˆÀ¯-³ß\à_ÍH‰ KÈ鄆Ë^Ƀ×–áꌗPÒErcʸò·g™ïóÉ©Øs0Ò¨Ê 2Fˆ3ˆƒåµ\¦tvi% Ÿ\­þQÆ7 \ã4$‡ v êÖƒæ¯àMü3 Å Nm Wò££|0z0U#0€bg}Ò7ÅrÐ޵ʣs^0Uý‰éN¡¿„¿¤ÔBæ¬Ã¼'0U 00  `†He00Uÿ0ÿ0Uÿö0  *†H†÷  ‚ˆ„k¾ œ)ÏV51gM¤±:aPKxÍ ‚Á-x-·º[yÉJ•öñ‚ÌZC+-†vçWêGºÆÕmaÕýAˆ¡Àð𨠷¡ ºõ» 2a’i½¿Qãr•hˆ;€·«b¸XÍ|M8WUåÝuL|VÌóªC¡‡…4>àq‡Â«mÏDÜ‘µÆZD4¸û£ƒÿÄ*¹ RJŸd™ãnø²Ô åGž&’âöøòM–J€‰ÊØ!8ΔY”íG«Ý…î´\fî]qÏïd‹[‰Ð]ÈßM¿kÞ'BlÅÚ`ÕY?*DwA¶kË8ïé ¡¹•åO§¿†e¿bƒ±î(././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidpathLenConstraintTest9EE.crt0000644000175100017510000000164715161577363033032 0ustar00runnerrunner0‚£0‚‹ 0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA000 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Invalid pathLenConstraint EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚ÒÆoš×=ÑÕªÞwɯ\0Ë0`Q'¾Æ¿Z½ÓšA„öZŠ«, F°Åç‚G[®/Wø»w 4N\¤4q®ŽJMÅ3þ´´ãÍ"Pæ±s#|*b(½ðÀ¦ß£/Ë“a<`Ž¹ 煮¬¼«UàS­û9EeXœTB‰¾¿n¯À@€<©ó¥1³º4ºh&ÐÝJNb…3*ö™ú(>t,ÞðêçÅíßK£kž{ËX¤ôÍð"7«`Öj#yÔ”îV·›IÎïæ<=­ ê&¿FfXõZ ·kO³lxâ-…P™u\ÉûìºÐÍq®Ç5X ¨ä¦L©èåœàyTìÕóEk½£k0i0U#0€º¹âˆ÷ÔY%Šã)ßO 8Ýqt‚0Uy#Æ" õÿ„H8Ÿúb‰Û„"ùR0Uÿð0U 00  `†He00  *†H†÷  ‚PÔ­Ì}®­h+¶’*UN8`'ùDÀ%º,þéø>bD–l™zWŒ7aÁƒ—%qóP\Þ¼’.ïåAö›ž­pµbZ"ûâ$ª¿ ?*mKÐv‘ÖÞod_÷GäÜË·ÕZȶħ¥?‡DYcÊ$gùcÐ5âmÛÔ³Êïúu‘ôõɽÿq;f–!»Ã7±ç&+œsÒ*Ù¯,.Ÿl–B)³˜>–2h€r„˜ÝœZ /»ZmåÐàa»,‘¡—®3 ä þ *‚lDÝB›½4Õ£>F)˜¹ñEñh§Ú%7ɃÏz--a¶FÕ€:¸T'a=|././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/Invalidpre2000CRLnextUpdateTest12EE.crt0000644000175100017510000000165115161577363033132 0ustar00runnerrunner0‚¥0‚ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 Upre2000 CRL nextUpdate CA0 100101083000Z 301231083000Z0m1 0 UUS10U Test Certificates 20111=0;U4Invalid pre2000 CRL nextUpdate EE Certificate Test120‚"0  *†H†÷ ‚0‚ ‚É‚ gN'7ïýÄ eŒ=pälD*0ò[x—gKÔÅO§[Ƕʪá>ÈÏH•.íÆø×&àh⤬ÖÒ)Dõ6§ÃÀPRÑ_¹iapŒÂ?r‡îôHɪ”Ò7¤]Àº_`ÔÓ'SþtW-0x,ãŒg©ÁN—Ô|Sw…ã&E£Ñu§âà33 oEh€¢œï9ž% ¡¯?aN ðisŠ—$Nj|ÿ“ +QË€I_>à«XSle‰nxÎA)ëoBÄ 2pùKo×Ùg¸ºp·Ó‚Ð8oèhÀiN7«‹Zc‡èðC{Mm³Æ0ø§°»Y,ѶÌÒ‘}®Õ£k0i0U#0€¨Gœa€h(±Bš)Œæ()’Ì0U(,ŽQü·œˆ*kî,k?ø{by„0Uÿð0U 00  `†He00  *†H†÷  ‚¥Ô à‘ú™_𸅖a¥¹˜û$ÍžÕŽ(ÙúZ_N1¼Ã':8DéZk°&övxÏÖ6&©LI$a3 k—Üa¸ùŒõ]£‰Áïý §ßKéB09u*9õäíSª"u“¾eWá€<(î¶ÔÓþ[f˜í]Ú•-Îýa!ä¹c3.~rSnÛôÚ/’cNHN#tm6ˆù´§DK|ÃѦoëwGPÔ!éу£T6¯œ[Æ0>ÊÞ5ÄÉè—xýaí/…_C ˜7c”OHA^ßlâDu/ôÑôñŸf|hA£’U®°×æwn"èf=˜ÌDÝr:Êl{¹I ûU$ibTë»././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/Invalidpre2000UTCEEnotAfterDateTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/Invalidpre2000UTCEEnotAfterDateTest7EE.0000644000175100017510000000163615161577363033034 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 19970101120100Z 990101120100Z0r1 0 UUS10U Test Certificates 20111B0@U9Invalid pre2000 UTC EE notAfter Date EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚Ÿ$ç ÄïÂS¡É—1oß”bã^Ë«á¹0Ð@fò´k™)„ßí†!;¶0Åò:Ñ8`àeBÆl=DŽ ›Ú^,Ú¶Çí^Pô\Ç÷ECŒÊ¡{È!e¹»+5¦‚Œ©uC/ ñƒ|¬/i—üÎFjˆÞ†æzÚmDPtw¾#ë&qT±;Ó4b¬±ËN™ G›Xù›m쟬1Îpþ•ðx)-'n•¬ÐÐB°Œ7fY.ýÂ,‡‘0ü$ä’Ç tsÚ_1y_¸,¸Àglb0tb#âèºðš©T_— ëO=W|¼×Ý) Þø.-¸“£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0UÕ…žS0&Gˆ–~O#“d”ó¯0Uÿð0U 00  `†He00  *†H†÷  ‚‹(šÇú& <Ä›+ô‡›—ˆÚìÂ9¼ƒ‘¶ýG®Å°¯}I·Ç[ØnÜ·Ñ §ëX$À8v±ÔÕÂó„ÿ­56º¨ÌO:dâ–-‚;ÁIÌ| ÓL-9‚“F‡HUžc û n]û¡u„åÏ:5éfjò W<ðK3› ¨~½¬mhµé¾³íp o&î~!¯Þö;üÑ3BÖ6îŸí¬RËè)!¬Ý^¬óKÕ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidrequireExplicitPolicyTest3EE.crt0000644000175100017510000000162715161577363033720 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy4 subsubsubCA0 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Invalid requireExplicitPolicy EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚ÑéGö!,û.HTþB7R ¯vª÷ó Ù!•?MÓ“M·­µ‘?„ÐE%‰¼ö{^(vÿtA‹´ m­}5ªzÁYjóYƒÕÀºLÅ9 sü±tºÅ’T‹Eàd^óÒ'ÃdÞyÏÛÛÉÉ.Z…õÍzÞIŽUpí`.ûP~™RS"ÌíHù°ö3Å‹ï,¹˜Mç ˜)¡žÇ¨Æþgèqú‡ïCì­v!•Ô-(â²Ô{ž›Ã„[iuWçjßyáUýŒÓÕÍò¨ö¶Âvñ³iÖäQ„,D1aõÓ¤)±–¹[JÒiÿ7y9(ÙÛõ£R0P0U#0€»Ñ&ôž<‹ÏÙ{²,Ü£!0U²Jah©¯pù°/þâšr~0Uÿð0  *†H†÷  ‚W=ú¼ûÿQ̶ծ¬nEøö¦”~¨Ò J݆12ÝaŸfYב·<Ù)/3ÌÀD i±ºÂîù×mÑ¿éÜêí†Ñ¹â‰¬Öîêp¶†}øÛ·ÆtõëE”½ôE‘ ÈÇ]¦‚A¦E/ɧ+43.(ŽÁ1ŒBu„—¼g*˔ִÚ†Ö/T¬Æ̉Eó RüæÇöóso¨£QÌOâ4ö˜ª<èñ‘|f¼ìkwçú៖«4wŠî‚e*‚Cac†ç¿\ÄÕÅ`2…'u …q•¢tb ü[oòÞ²å®ú½?Ö]ÂA¿ÆK‘#b:›_vÈ|£–i;öI’././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/InvalidrequireExplicitPolicyTest5EE.crt0000644000175100017510000000163515161577363033721 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0a1 0 UUS10U Test Certificates 2011110/U(requireExplicitPolicy7 subsubsubCARE2RE40 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Invalid requireExplicitPolicy EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚⨃}íÇ/(·BÐàÇ¡sBÓÁÛ·÷‰ãÚ0e¿),ÓõxŠ¡žíÖÎÌ> | »f–¨íä’—4CžáûýåÓÐSݲ¸(9a‚Tâ1>ælï=±úì|›Ìç†W;È{$WãùŠÈ*C(N÷2[Z·hǾ«MB¶.ÅÎd¦Ød dJ­!KQÇyÐßÖNL`æ¡6RŸUâ…áuúöÁÿ¹ŒiÖy(0jaÂÞ¯}ë/Bà…ÏìeZ_¬"tûe°’;¾Ì_o^"º.ƒ¹›xNË$TÔ¦ ~>½ËÙ~— ½™õŽã (à³W±Ÿ£R0P0U#0€{,Qa1­¬,k©¾;;’ªD0U¼» n mÏè­Áêø$«0Uÿð0  *†H†÷  ‚ŒÂZ ¤ŸdÆï-¯¡€Û¹(Ëw^à5ÿvR:kôÐí‡)`§x5ün6¶½Ñì ¼ÛžFÒÑLÐXqÞ~ŠÀÔßÖr-» öÈ‹cCñÀº‘Îi¢½_)ÿ¦hÑ–©ˆ4¼Y¦¯hóÞá_ýô!S¥/’?T`2‰ÚVxäGì¿Z'pR—O‘Vk™s€hÏ+1+ÈÚ!¥¼y,—ųO“ñBV·ØMé åš†Nñ}ôvS&äVi!^%Ã/‰P×W`6œ[²`M€Ê7ÛnÉ—Ý‹‡U²C*\©ÒWE‘€}Ï9a«´Ú1Lt¹Í§Ø€¸®Á©%+ØQ# ÒFãÓä…ý¬$'b6^®FÒÓ d Nï¾÷ä[ ‰hºjÒd¡¶!MH#&(ßùÔè*:úç¦ʾï½'´ŽX§D¬ÉâÂŒöŒ_¼ù¶;Ù ˜yÒ(av‰zT0}Guž.Á €g:´ñ%¦)sAÍWyu'ÆÄ‹±ÝPyâ8þŠyßýÁM7Q]}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/Mapping1to2CACert.crt0000644000175100017510000000170015161577363030031 0ustar00runnerrunner0‚¼0‚¤ 00  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0H1 0 UUS10U Test Certificates 201110UMapping 1to2 CA0‚"0  *†H†÷ ‚0‚ ‚àks9çtž?uQ¾jÉehT¼µ,!°FG³›_K£p™3%]‚¹W¤GtMàEZ}ÎmjfgKÅöµ+D)®0‹“û^¸®”óLÀ]UI€ú!l¡r²HZоjÜ8Âù›©’šŒ¿áB>™²¥¼›Ðû]ðâËÖÆìØ ¢íìÈ÷Zã*1n÷ËÂœ[×®‘[<ÌžjÒÊ'üt’ß= ê-âˆÒ‘ ›“4Úe[¿â%… 0²NrŒ øL!î¦pÂøMípkž3½b¨Ò“Ý.|ètõy®¾~²7 ±o2g`·Æµº-/Ö€ÜCQÑÙo¢lTs£³0°0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U™ÅxiË=3v™¬Då°þ¹ôÛÇ0Uÿ0U 00  `†He00Uÿ0ÿ0 U$0€0&U!ÿ00 `†He0 `†He00  *†H†÷  ‚£¤½=$( æÿ»KÍ…ø®%4õÆ¿\*D‹Ã‘ø ³qx‰GåîB)hf?ο•¥Õ3/ÝN>müèêûÇù>£[9-;ãBKˆ¬¹3! ymÇ´ûQœ¡W´c°›^ÂF,\¹b¡pœU>+Ò®«RÂ"¥Éˆ{UîÈXHSI$Õ³¥3嬼׻á|Æô’€>}Ó=ÖŽ43¨óÓð ë桲ÍE°*ˆF,nÌ–^EYÇÜìvÒSßžv­<[¦‹²òº‘ÅÝ&+L4vé6—nu¬ƒ{././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/MappingFromanyPolicyCACert.crt0000644000175100017510000000170115161577363032040 0ustar00runnerrunner0‚½0‚¥ 30  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UMapping From anyPolicy CA0‚"0  *†H†÷ ‚0‚ ‚«§¢õ ª\ßÀð0Í?òeÊW* 0yÆ4X Ï Í ÂþÑD3PH±‹[H˜,›evµ»l¡bIjÄì’»6°Ký ^º\Íí ºt¥¼Ú£º·ØÚ¦k0gŸü—hS‰­ìþÍ“Ù\°âøxÍ ™‚V¥oø½õ§±lNÄ’Aùt êÅyy*Y,qNî¾Ä.m0f5¤°:ñ¢¤€^sÇr³Q·>Dšž…½€Y-&¨­§ZBüÄRmÛ«xzCÔþaCN{eg<5U½Œ^ù³Ò–u€ï’ƒí$©,Iy%ð<³ýAæ1•¡©[ ÐÉIîe¥ÕI3£ª0§0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uhsà 4Ïr@Ú”–Ö«z¤o.Œ0Uÿ0Uÿ0ÿ0U  00U 0 U!ÿ00U  `†He00U$ÿ0€0  *†H†÷  ‚ K”•NN.pOõtÐ,—BáÆv/RÛh+ÀDƒå•5S À|¾ÀèT ˜°ŸšPõ‡!‚»'1û“šžk~âDÖد{ùÄp›ùŘ,)”¸uERÉ'lÙYu´¼Jì1õž¸Ò¾'ƒ;Y:‡£â|võHÐ*Ï?èð¬÷T–Z}”Ûú#*ð;ˆe3V.ªq¬ ÀìPËÄ¿0nHÞµ‰ûU 7}¿!™Q¶ýìæÞæù—R×'TãÓ¶b°«rÚ½p1;>ÚdæØê èâohЋV!oH•›¥]£ʇQÝ£°0­0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U,í“ñp”‹-“´˜Ò·¬0Uÿ0U 00  `†He00Uÿ0ÿ0 U!ÿ00 `†He0U 0U$ÿ0€0  *†H†÷  ‚1îØiÉ€@]Í~='äË;ÀrÙ•zÖd´E¡Ýü¬ÂÓ@%<xºÍP+µ£Ò­;ë,VÏ7ws…æ]×¾C¸ŠQò½>‡ÏÆÇæ•ìÉ—©‹›¬’7•ççÁ¨„sr @Òñ¶ ·µO ÿ·ÅF„¼¢CP’w?òªþ„.ŠP{÷€L3üâz{®Äöáw,äñBexAÒ Á+ÁD~Å×c›x÷|¤B[I£‰^Ñ»Žn³êyc çëbÁ¢Â {§ø/¾±ÜMU·:ÃN"¸ªÙ¯B_ ¤9gê$`Ÿ9œ8ƒþ3!drúŽ´¼Zrè3öø#–º4à_›5././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/MissingbasicConstraintsCACert.crt0000644000175100017510000000160315161577363032575 0ustar00runnerrunner0‚0‚g 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UMissing basicConstraints CA0‚"0  *†H†÷ ‚0‚ ‚´VvZƒ”µª±(›ë ‚dq„ œÉ)ÌT¹ s6?2½ûÇ#éJšÁ/2KA'ÎÙ6„’·‹¡$ØñÀÀ«Uô:‡´–VdÔ–‡çG‚Á’t8ov=–CitwßJõHJYêÿÏ™pȉ$·¾Ñø§Û§ûpÌMÛ‚¼ñê&à°ëÆø:ú$+¯ùF|ŸÇåhÕ?OÔË‹b@…81u66xP¦­Í]Z¹˜a âÙí§û’~¾é«”Áþ5øûócDé3‹®ë‹†Ñ„Á´ÃfLõ»”¨NÂàÐ ¨] 'ð&‰æÞåˆA L/ ÷3£k0i0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U0V¼OÆ&Ƶœ¡p’ÒùO y0U 00  `†He00Uÿ0  *†H†÷  ‚X'>ÌÏQ³ût„¸û+ìø-Žð(æÑdx/”_ë¬m̤Fõlƒ ~wd™> ›q„:ƒP°ÓR÷÷Dú ]íû–@kÞI„Ûùv6b qÔè}¶ìÑ„ƒÙ·$Ÿ#H‹¹jPw¼GêâNRxé"ÄÕÝqsÒÀ Q‹wäQ.×ð01z¶ŠhNH¾ðëJó4“œ³ïYSeŒ6ƒÏ67ú<¹øá@û3"ØC&Ý‚ÆÏÌg»)½RÀý›¢{ˆ“¨?jîÂagêæ=©././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/NameOrderingCACert.crt0000644000175100017510000000172415161577363030310 0ustar00runnerrunner0‚Ð0‚¸ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0“1 0 UUS10U Test Certificates 20111#0!U Organizational Unit Name 11#0!U Organizational Unit Name 210UName Ordering CA0‚"0  *†H†÷ ‚0‚ ‚¸#96º‹?N\L@ŒÓo@®Ö%˜wHc Ø®ž —Ó‘Mò¢² ¼àœêÀ“þêè¢à­œ¾ƒ0ôLl}ôÀ¢]†tZjCùÊ eÉ9ºñ³ ê³·Ûç’}oî,(Ì=渇°¥*]žOÝö†?B ZsOùºf. HÍŒtÜ¢d|8|R 7 ŽlÑ÷ÐK®6˜ãAü|ûyÜpÇQÀT4 Oö¸ÿ‘`—a梬/ëà†E˜!}jptPrÝ%Õ׌ªzós˜¡;Шr!;(øçB'Vp‰swö´ýyì‘ÊÇEO²Bomö¶™ÏA]¸ÒŠÇR+£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¿J‹›MŒ1Œ[éÌÝ/èyQP0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚Q|ÒØÐøp¼ðŽI…|<À:=¯´ôçUÜâ•…µ+» Õ—:¯!ÆÌo¥ÚKÌ"VñXÐJ_ü;µC~ˆYêHÓŽØë‹0k ÛAäQ³>È6îhòÜ\óF<Ë,M¬jó´’NÉq¿Ù›ã:Î7|*N{¸´-ýê|øeØ>>†ÛÿyI0¾¾C3âÞÓÞ0¢ô´,Ó@Éc±…]Þàs¤Í;.cR"d` ü‚Q ^¨hŽ#cEø] îàUï~OmuÕgºB@ãñ ­“©ž¢o¡ñÂ*»{€—dº¤$ML9!Ñ]Ë#);×úMù¨–_µIbJ" Ÿöx‹? ÷Ð)W@¶D«§Ë~?‡=åE,ÖåÀ«'ÜÚ·þøu¼V^WFá0gÁ§níºU&\™f)§Q÷aŽõþY!¢S@æGß)^ˆ°ÔÄ¢§À?A¹Z20d2*7™6‡{£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Un®EÓùýÌ®ziý¸ÒLì0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚gÙµÃL a»ÛÄ/P¼<¿Î~G²ŠZ*†åPñæ˜G´,Õ/©¾>ÞJ«*ÿ.X_næ‹9éghrzIv³×¶+êÙì—Œü‚úW*•2§yPÙbøç!³¹‹ü\Ç{œ&æTî^b+#Ipà|>%œmUmL*>u%XíYjRl\©–©W”¤]·8üÀ8F¼{²ò_s|s%šˆAĬ†MKîšçù4¸eUëŽ07>5i×ùRãC•­K‚¥Å:7.̾úÙtî‰ÚOÄ—Ÿ-ДñÙ@²d€å[²ùþxˆ±O6ÙŽµ‰òIe›R Ž ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/NoPoliciesCACert.crt0000644000175100017510000000155615161577363030005 0ustar00runnerrunner0‚j0‚R "0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0G1 0 UUS10U Test Certificates 201110UNo Policies CA0‚"0  *†H†÷ ‚0‚ ‚Ö±‘FÙ%Ôd Ï#Ï=R+†ìøÚ©„…컺Kú è"Qp Î 1š…ªI²oºXƒÊïN g¢.V™&Õ=]1¸ùWU{X@ÓØã*fçôT [hÙ ÿú­Œ Ä‚ˆ‰¹:Fn pŠ¦PõN±IüÀ¤n íùÙ“f*K%@È= 4ÃØ$ÞƒÅC‘H•5þéãÔ* 8÷ÿû«¨]°ã¬º}}üw;Ìgã#éí¨ZG\BùÒÇ$Ì¥L;NEö¬ƒŸ¸kvË×t5ïTª!¥ò‡t¶RKÒ¦É\ÿ]Nh™Œž†V±yþA´t€Ú”q¨¨êæÎüZ¥£c0a0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UB$í¥Kvœ—˜\tê:ü5äœ0Uÿ0Uÿ0ÿ0  *†H†÷  ‚T€…~ûœÚ©O ÙR"®.M:>é5 û®ÏZK¨_\*†~TPç ôVø•¦«ôkbÏr1òú†?¨£š~›)']Õf©îµfàÐÈuäQ¨Hï—¥™yXÝ"÷ѧ¬lèwOW˜5 0‰àYV/FhÄ’á ‘5{4¿4ù#„g=Æ0Ì´,XÓï’ƒLö’0ð"B×Ø}“¨ÉøØv[ˆ" èe⧴»¨þúŠ{o[÷º…%×:ßœöx]ùŒïlî¯UXÓï»3Ð~ÊY³òI÷Ÿ4ØU.BÚ­dªPïS2r eâ¬-øòJ¥././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/NoissuingDistributionPointCACert.crt0000644000175100017510000000162715161577363033330 0ustar00runnerrunner0‚“0‚{ L0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0W1 0 UUS10U Test Certificates 20111'0%U No issuingDistributionPoint CA0‚"0  *†H†÷ ‚0‚ ‚À«ûuj÷Î^â ¶çÛÃ?±ÆWºøAÝŒE r#ÙÜgýú¦<´ð*ʘõ€~eY©'9$”uÿGÑ…YMïGkÅ*Aè¾ågÕ´ê)Vö¨³ÚE¹ú°÷Ïò=V}£ 9šéÖf̓¢[.;`ºxhï›iØͽîIºãê*•5ÈïzÂ)>–Y:‡\¹ô ­ ÷÷±4š³j%»õ»¦iô͵UùYŒîZ|›a ,Ñk#@Œ0°yæ2Rv„Z¦Dæͪx\ZRºy!Y»Øù¬‹Ïö±žaZþ_Ã8èKÎ,X(Vq®}w,¡è>&^ËâPÞ%£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U³ËT¿jüŸÇ1’ §Gk™Ÿ10Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ ܾ=óÉiž^„–!3Šzi+Å^-6§Âf—ÝDW¤fíáÂ Þ ÚLúõ7«ç#~½œª0ê_º¹O(Îà¸æføÊ¥€7:”–ÁòsÄî}#'!$ýô÷•g6æÛç[á?ø„$WǵË~9Qi4 ¼páæ¨Äâ5‘«‹2È`æùœ¶¤#©?h‡âW] ˜¿Ç5®ñ0jùuüºÎ̵ùÒAåß-Òú yŒaY„ýñÇÍ~Õκoù°¬‡ôïnUÝH]… ¢ýƒ%e«5•¡K lB–—È«ÂGt¥þÒÑ"„ ¸„”JÒ"zY̺»œ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/OldCRLnextUpdateCACert.crt0000644000175100017510000000161615161577363031057 0ustar00runnerrunner0‚Š0‚r 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UOld CRL nextUpdate CA0‚"0  *†H†÷ ‚0‚ ‚¿](㣞­zÛÚ¯ët WQj¯‹‹‘rWc)ìû?Ä‚ßÕÏuÒÌê„%QT¢<¤.Ú6µƒ´ †LøQ§Ÿ¦øßʬ^Gˆ=O–ý^6¨»2m&‰Oþ$¥ç3ø ¾ŠÿRhA»¬lTu­øTù­«WŒnw%@®’r½ŽÜú¸QÜg[VBûJå,ÇÔ#Ìþì24m‡ÎìSIÔús)®:¦t´"¨<9¼Ÿ{å”ÌFÛÕ@‘ ¤{ƉðI–ò7 {Ãð³ë hç‹ý3V_ü¶d–lF¥-ÿšÒà*ÍܯVÂ)Œ+$ýGó››N‘Q¨ÍÃ~aèÙ£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÎÚÚZÌŽ—ú )O¬–*Íx0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚¹$¶•ÇpóZÃ{HJüñX}†5þÂKÛY>×Òý£s.)ð)ÚwûÈÝ,æ4ëT‹ó{M&(4xŽØ 7‡•óÑdO¡qÄßÃÝJ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/OverlappingPoliciesTest6EE.crt0000644000175100017510000000166415161577363032035 0ustar00runnerrunner0‚°0‚˜ 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UPolicies P1234 subsubCAP123P120 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Overlapping Policies EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚ÃÑP·f†p;ÈíN6@*Œ€æá:I•‰J:”#Ò¾Ô.”© zj‰ÁÎb¼éãÌI=OÆ5j .ñ3£’?´¬â¦Ÿ5HÉÁ­Ä %`hü? ¶ñ*ýò.y²Y(Jþ0«¯%FœEà•”6¨áƒHTîÐcöTŠ8á÷‚©ö²`ä|ùfãoD²ò‘‘䗲钺ªª1IgÄ®¹ÓA%³µj'Œ¼0œ%ÃßjßåÚÑ¥Nˆ·¡ÃÌš+´3t¬vÏïî-5Áì"9ÙeÔ¢A”Ÿoý%¹€' Íw¨o´ä¶žQŸþ¥(Ï#ÿÖ"bÆÃ#‘£|0z0U#0€Nô^¡ù0{e¬’À ,Ó´–0U’¸3ÜuBpÍí£' ­ønçXmA0U 00  `†He00Uÿ0ÿ0Uÿö0  *†H†÷  ‚b%ÚHâˆa+1Ý4*é3D ½·öŠ‹=#p¸›ü,Uóù¼E«îñäl“Äfw(¸Ò© »º3¤_F.§‘$œ.]õÌëòÚê‚£HG“ðÉj,:­eþ¿UU9]Þž–{Þ0MÇ '¿l½Ì>èO^W2€¸Øv ,ø@ìr*`=“kžž¤¸wtjí eç–-Ϧ.È {sLt-D{§6í 𣠨dËJ}ãmO²ÿÙNI£J@*’ž÷R’g'5ùì¢[ýq>«¤xân¡Ù'!5È>RñK…ÖvõÈÁæîzMT¦ Ðþ5Q«Ö=ëQŽ°ûV²u<®‹× ³è®\»=£Á0¾0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uüôa32€|}5‡Þ_RûiñÁ0Uÿ0Uÿ0ÿ0 U$0€0%U 00  `†He00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚‹†(é(Þ mdþ^ÓÆœù¥Ú˜•| r¾¯ò~‘|#~ÔÚ ]µ×Ö-‹MÎBÅ> Ù¤Aûax×m7¶¼I+­*Ý>¢ë0½“Šß÷¬-@ÄŸÌ 3$ä‹ã‰îLÒ@‚/,…¬]˛顭F¤nÜ+ѧ1æ87Ý‚<2lözëpq;¿,û¯¿®[|ù{‡â¦ûûÄ»ß (¤‡ÞtÝ}P¥¬†‹u¬5ùØî…ðsM}};õ[éŒGŸ’émî©ðäÎ#>MWüÍ™›w›§M× ÄC@lÝÎjïzæ·‹Ûqß0ùúùüIˆ.²E­ð­././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/P12Mapping1to3subCACert.crt0000644000175100017510000000175015161577363031034 0ustar00runnerrunner0‚ä0‚Ì 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 CA0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 subCA0‚"0  *†H†÷ ‚0‚ ‚ÄD`ÏéR-6I±·û”OúÏœglϵ“”¯8”&¸£Dd]Ù…+6çùøΊjMGlOÒ–»¨¯JÄ?3Wán3]±_y”s.֛ŋÉæSUâ‰È!7ïÈ“dC"æëro>­‡[×ôÖçñKCûmÍ\çIŸChh·„O¡gÃdgÙ{¦üó°Šp ¶fyûìøÙBoÛô#jSäJ·]Z¹„EPrjGb 0‰Þá/óù<ÍÛ×€:>sRf¹+ŒçR;Ͳ™ªÇ±á/÷1(././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/P12Mapping1to3subsubCACert.crt0000644000175100017510000000172415161577363031547 0ustar00runnerrunner0‚Ð0‚¸ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 subCA0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UP12 Mapping 1to3 subsubCA0‚"0  *†H†÷ ‚0‚ ‚µ!…S‰e…åõ#¼GâA·€nº’á /7'e®5—š™UÖý‡p!­%l‡[H’Œ>hÿTbÖ¡‘“ì K¦WW’5š÷ÏŸ±ÉH XÙVVñyâöŒ¬ïܼ¤Í¾ÚBÙ! O;`@*l*Àvùaã?B˜ Ùt[G›y±Wl#Ç‚ÐÂÛR QÙ˜¾KÛÉêª(دµöl7,î^‹C•x¦ÂæÆÒÛ׎Ï;ùj×°Ê3mÁáQ”¯óD7N—%OÖ¡ ªsÒst U7†2ÀÚ,&½S¸ƒ–ºŽM{ÐdÊÃew¬±Uý{XR+£³0°0U#0€¾{“¡ä›Å'<0S×¥ÉæZ–z40U]9>åª*^-ö®h*­3›=›s0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚'£î°œ¬®Í*ï‘rz÷!ºûÑK,™¿²n‘ÂJ â;–ö¨áíG. Ph»€Öò‚iÁb ô¸¸RKeßÃRÈš–:[;( Æ@âÔšßH×Þú}ßG[©g*J¸ô£xC[`k‰ærnéw-ÅÒjà)tµ "ÜôçºÜ0ö¿JúZ‰b̦÷hê0Ydy‰cÂ~¬+úc€‘dWV‘‘pVm¥lí=×ZÆ Í‘U"Ê?ËnËæ×ùµó¦=¿u‘¨]Õt¢•"«GºCRÈvP¸ÙˆpLãa–˜ëÏT’G¦ «ÖˆP®Ûzàê·ÉJ"ÌjI././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/P1Mapping1to234CACert.crt0000644000175100017510000000177115161577363030411 0ustar00runnerrunner0‚õ0‚Ý 20  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UP1 Mapping 1to234 CA0‚"0  *†H†÷ ‚0‚ ‚èCË{~ê91¬T@Bòígÿ½¹ѶOÎã¡ Ÿ$[-UOùãÛP@{Á‘øÃÕι$sDzüµÇ»PSìEßm¤O6ñE¼NçÝ-žó‘x «æWýð Ï0K¬f¼ƒ­riH Då0,úŠ+ÔB=ÓKæ~IAv؈¶Ú†ùòËGÇ…•ÖMµ²<4v(áõ]YúÖzpbÆVž=Ð/ÖÌŸs?Nh¬q§Lì†yoýqZùDS¨7{ªö¢‰æÝ^Öî=qÒ‰DCqf`ˆ¥4ÆÀzØ‚eÕOÃàüQ¸£Yá÷å™øké:´gõ*`Þ•£ç0ä0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U• ©IxªvÚ ¬ˆùõ÷G’0Uÿ0U 00  `†He00Uÿ0ÿ0 U$0€0ZU!ÿP0N0 `†He0 `†He00 `†He0 `†He00 `†He0 `†He00  *†H†÷  ‚E ÊInq¥õ4Tj¢Mɪñç~!€”£©H÷aslqw;a`œf/ñ>ü,7-<í„v„¶Þ¼=à|vÜÃŽ3/vÆ€˜z˜ÍY÷Ù1Ô ÅCx`•Kˆí3Æóg7âçFéàÆy:¸§¸û (ˆéöátìc¼ÓðÔÄãa—vé‚©ì+„ìÒ€¯Ú؇°Åˆ_}ˆe–j2»”4zÚ¤–hk Û&ñÑç.±ÿqÆL¶#zò?Ä 5®Œ$“Kí¾•ß=SQæÀ¸†³‡udY=Û2•Ââøz"ˆ{1g¡¨Møš“ 2ѾR,aò厚«ñ—¶kKÍŸ ‹././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/P1Mapping1to234subCACert.crt0000644000175100017510000000175215161577363031122 0ustar00runnerrunner0‚æ0‚Π0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UP1 Mapping 1to234 CA0 100101083000Z 301231083000Z0P1 0 UUS10U Test Certificates 20111 0UP1 Mapping 1to234 subCA0‚"0  *†H†÷ ‚0‚ ‚ª߂¢¹.¹<ù%¹e_ý]ë®èÈ~‚ï îæÄÌÕRÈ÷}Rƒï!´ç¢|8¶šWeúvHä"9&Æy‚†€Á5‘࣠€AJµš¡Œîp³©>[E:3¯WV웉ÈÖM:JV PÎœ5¦Y$Žô¢”Ùµºþeš™Ê!y»kA PjjÒwpŃ"eöÚñµ  Ü òNüÆ™õë3EéL.œqŠÜYÁ;Pa¸{À™>ñör„?g}úxÕ½"bŒ¾Tyñ¶‹y;Ý`úµ6ÀõMHŒ[Äu¸æÁX2R§»Lž›Ε˜ÄÝ”¬C}èï…Œ[­%£Í0Ê0U#0€• ©IxªvÚ ¬ˆùõ÷G’0Uå•ý*9x¯ËFö@˜e í»0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00@U!ÿ6040 `†He0 `†He00 `†He0 `†He00  *†H†÷  ‚l_gæšÈÑ+¢£ÝjB7(—JF¸ÆÖn$Š[ ‘p|Ï]mƒð¾ä=puàäç»ér¹«ëzcóUp›)ês…ÀSIvM†¦*“Êm›Éó?{CëBŸ;µø·tx`¤Ç€V«8{K’¿ûStùötœÓþXi÷Òôs{Ny%Ä’rˆ&5ÄÉÒÆ 9Øo…Ž–ò:ÇaŠçFø[ŸÂ?ï•WÿËX <·`à1¾ŒWiŠVWÄü|»¯ÊI•&øAÅxgäÓMowB0€kš ]hsÊ£žâÎ.S»œ5,Á† í Ò"± õ{®¶ø P<ÇG„././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/P1anyPolicyMapping1to2CACert.crt0000644000175100017510000000246115161577363032127 0ustar00runnerrunner0‚-0‚ 60  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UP1anyPolicy Mapping 1to2 CA0‚"0  *†H†÷ ‚0‚ ‚ÜÛÿàõöd‘Ëk]åÕÝi7y@Ž›ßÞç¯Ï¥–À%¯ÐjÁ‡µßؘ÷ä`Nºè‹Â‘æZ^wX€ Sç…X ÷L­'[ê-¥þ[& ™Û»%¤RD Ø+¤´)ÛuÙ…dC­”b+½‚1™®àÀz“Ç÷ÃjuÿO^f˜æ¦¢ùÕíÂy(_¦ñÕ9 As“׺¥lçò¸ Ø3Zm}~ó¥Äõºö.‚oÏóýY꧑m]OšíåU(‰Ö0ÍœÀ Œ;<ø2”ß•)7ož°ÐÆ柖¿¿wœ©˜Ð$—SªíàfD![@Ö¤›¶ †ê÷5ƒ‘£‚0‚0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U((2ŽJ„ø¸‹Añ]{è%Rk†0Uÿ0Uÿ0ÿ0 U$0€0‚xU ‚o0‚k0¹ `†He00ª0§+0š—q9: This is the user notice from qualifier 9 associated with NIST-test-policy-1. This user notice should be displayed for Valid Policy Mapping Test130¬U 0£0 +0“q10: This is the user notice from qualifier 10 associated with anyPolicy. This user notice should be displayed for Valid Policy Mapping Test140&U!ÿ00 `†He0 `†He00  *†H†÷  ‚ ã;2ö¢õÐârýTdÔÐ9Ãí'p=d9s´#gJ :ÂÔ:#mÉ=ºÐß½¤¶÷AEù =QÇÇÜë½ùäØÂ}ÐÞ£ÝÈT ‰é¨,Š"ùqZ”GÔȉn^ø wH¥×;Áø8æ ¨Ìõ§eìg‚¼F‘E”`kÖ±~àïÁ#¶ƒÐ?OÅjõ5®ä~qècêw÷æE‹g vê3¼PÇ^ Öz±?~u%O9´qÍÔã–ŠhF¼©ŸNAur!VÙ– ÑhëêSs%˜2mˆ¼êó¤-œg÷eçé”æÞ ‰¡7Tç0í.|΄us[xuä@ Ýs„O/¥‹././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PanyPolicyMapping1to2CACert.crt0000644000175100017510000000170515161577363032046 0ustar00runnerrunner0‚Á0‚© 50  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UPanyPolicy Mapping 1to2 CA0‚"0  *†H†÷ ‚0‚ ‚î+y* ¥:näƒûÞ'lu³nY#ö².ŽêRŠe(óüÄGìʱº7Óög¤g©‚Ú‚Â6ÏZo]“ãÆ—æ4á:Ò§* tÐ*%” ôã%ç`X|u|Ê HèRè±'º'À9‚º§6!TªêNĵ2; ›,2+ÌË=L™½¥ó$àw¤À’žø,.Ã>­uÙa2zõ"Y~þßX†É¯žê ˆŠa<©.àj;d´m¦;'ÿàÓ*I«û³9€‡â¾[ʤ£ÐXêÐÖâAR{`ì…;è¼úu›¤š8u!RèSÂÁ1Œ·ÿmí)«ñL—†ë“#%ÜŸ;¥HŒ6àþdÍ£­0ª0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UG'/C=Å/Ù’¬ÇÒvÐ3Æùw»0Uÿ0Uÿ0ÿ0 U$0€0U  00U 0&U!ÿ00 `†He0 `†He00  *†H†÷  ‚Læs¯Ç8À›ðW^èÕ|½øÄuìC¡ï£b@p¢j`!a2k“peƒp~)Š 8Pƒ^õV² Hœ€ ðQÛ¼½í¬'M§Üs&±‚RŠ 1“NÉfêr¯ÑTq§3-é-q“­}£¤ôÕöÁæ—(/Ã&’Ü“E¼bFB$Ò’xNåÁÔ1ÈÚ0Zßß\ø*ÿϦ™ÊÂÙX–í7Á à$†§fÆ_J $ëv¹'½Uk SF‹Ø~åÒÆä;Êéš‘ô¸Ù.8üD¼[ág…5½î"*×y{ZNø„x“ã‡qmnPqûLš‰«úâ±Ó0ĺÎ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP1234CACert.crt0000644000175100017510000000170415161577363030135 0ustar00runnerrunner0‚À0‚¨ #0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0J1 0 UUS10U Test Certificates 201110UPolicies P1234 CA0‚"0  *†H†÷ ‚0‚ ‚å›0‰øcÙÔûYO6ë?SáVVÉÎ,‚Ñ)RìW°0ãGh§w„}$ò¯Þ³:aM÷¯ÿ—kÞItåjÅóÂäÏ‚®-!‘-M)eÓ&ñ“û²ÕBx³VSÀ"4B¢p›˜Ñà™Å²‚!}¥6Äþrá‡òi(¯ à9fÙn@^Î ˆªu"l 9Fü ½Äètÿ®ñ›þ2SYX„ƣÇorÄ®WâN6‚…¢Ó:.kcâ|U›°ÒVÌ%p⛵¢,w¬šõRæŠëH…„x³œŽ˜ŒòY1âY4 l|H4óÄõÉúãþé{êèÏ/ÿG ¸ÂÐkýȱ¹ëßUÅ£µ0²0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uöý©Œ&,´ÏÖÓëÔ­’j»$P0Uÿ0Uÿ0ÿ0 U$0€0AU :080  `†He00  `†He00  `†He00  `†He00  *†H†÷  ‚<,⥿é1ºÍ™lIavDªìE!»¨ÅÚÔ®ÄXʤ ñðÿÔ{¼B¶XPDp¸º2jÃÛ”æqÖßôî2Ò¤ý‘íXÎ}*šáír”£ì?p«ÇñvxéÎÉÝv2£¶ÙÝüÉ;†~ŠÇ ÉÐWά ,`Žö‡±ËÀÖ^=h:;žFÒ´4×OöœX¯ëZ°q»àËM‡œ5* ¬IÓ¬,‰lQ³âéJ‹ö›‡½iˆê­Ëë'Q^4mÊšZæ¨ìeü¤žŠÿÖè)¿Ûç1P;:ݧ vÿòlaÕ§;±ÆØ1N\y”MeÕm¹ÎÆée^ïÿ’^åjbr’®:чq­ 0±Ú† ö÷¬¢·‚3‹#yÊü›%®g™.ŒÎ{N^IÀÞž.\ ËGF˜Êa¥hš²y?÷ý+Ýv¡ ²/݈ûº}4n3âc–Q IÚ°µÏ06Óϲ‹¨üpý‚Æ.‰ç?#£™0–0U#0€öý©Œ&,´ÏÖÓëÔ­’j»$P0U¹ªP¦4fQhBî)ˆjìÈ|÷0Uÿ0Uÿ0ÿ03U ,0*0  `†He00  `†He00  `†He00  *†H†÷  ‚‡îÙ…!ïg ¯fÅa$mÍ'¨¢Éí<Þzý×ôeñ%À`®þÂœŸFr²ML <æÏ›I¢@'I 'xÒ}&ö8È$†’¹+â6‡³v‡ÐLJÊÿÿ‰ozñ£ŽÃlÕ¶Úi9gC€å'ÉÂÂDö˜×(yõ&7±Pp=NS½Ù‘ˆ œÜDÎþ°®ìêg¡L  €˜ÿCªjW"°¦Â¯LL«‹²Pìà]Þñâ¸$~¢‘Rò¸ZlÈ ´1Ù§‹G Jï´ðÄkÉ P׉ìûéüR%ƒóŠ“ÂèŒÑújˆl“9[>»././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP1234subsubCAP123P12Cert.crt0000644000175100017510000000166315161577363032216 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UPolicies P1234 subCAP1230 100101083000Z 301231083000Z0W1 0 UUS10U Test Certificates 20111'0%UPolicies P1234 subsubCAP123P120‚"0  *†H†÷ ‚0‚ ‚¢èÝF¶^üm¿Å™t7i’“Å<ßÔgk´Ný|5i=Ƀ#jGYà5p|˜/Žû¸¯.)1¸;dch–Ò¡nWGñUP%B‹ ûì#›:’[‘â[)®&¦øÚ¼B}·JÎ9xÁNùh"”ÿY¥ú'¤øÍÜ6cÃYÍ<íWÌÄÕPÇÁÀvá`g¿©#¬‘®òEý~ÄQµß—™´ø7Ë|>o'¥Ö„êt´yL7Ò—´Œ|í@.ÊÜb­Ä¤¶´V^ŠY¾:Î>$OÌå ÅÉsfÑàÖΩÀ :˜DÒ,Híh2æ(¹Ã¾H'ß(÷—eÿÐ×´<ÍÓ£‹0ˆ0U#0€¹ªP¦4fQhBî)ˆjìÈ|÷0UNô^¡ù0{e¬’À ,Ó´–0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00  *†H†÷  ‚¼¼¨ÖÇçöj™ßSªt¥‡fÕ°¿Ð£cÃeš{2ï€r82o‰ 6 Ôè_) 2ÓéÈ™÷šÛJcîO¤ qS7,06² ÇïDÌþ@®Bb„à‹2Mº0ü‘'Iò¦ [ҞűˣèuŽC‰Û}…Ž‰†v&°ifË¿ò‚·Ò× ”Çãi¬h‡Þã üÅ-wÂÐÕ×åÙŒïø(ÓBüD¯Â¦¸¤ µª--$ѵÏ>nèV'²Ñ°ñßêȽQf~ðÞn,®hßÓ(Â~ƒÊék°lVè£,ÙrW_‹íü.0N=/eż5Îß9m2././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP123CACert.crt0000644000175100017510000000166515161577363030057 0ustar00runnerrunner0‚±0‚™ $0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0I1 0 UUS10U Test Certificates 201110UPolicies P123 CA0‚"0  *†H†÷ ‚0‚ ‚Ÿ|àÆŠx{>¯°îhô¿$Ù‹af5ÿpâo­ß)ÖÖH˜¿nìè—VŸdù÷Åm‘ˆÎC£ý՚Ÿ˜µ[ 5hCiIFqÉxS D]hŒ3¢ÿ£!~1oc×ßÖ°–h®i!ÈÜ}.¨8o~ÎÞRyiu櫦è@uzæ’™v†c_?‡¡ž\%NÑ× »g{T`×Ñ2”ÒùÕ’q6Ø)pˆÞAD×e«Ö­²È V"Ã}dÃ8Òõž¥/©>nˆ¥ÔBí¯´”eaþ˜ü' âKòGãD¹cEVXÍVi=q‘ýOæÏÕXˇ£§0¤0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UŒ( Ú bî==–¸q“‰êèc0Uÿ0Uÿ0ÿ0 U$0€03U ,0*0  `†He00  `†He00  `†He00  *†H†÷  ‚+Eõ#nx‹9E­ke+ýv3®öNøAz@‹ÔEõX&•šÀâ g7É¥AÄG¶ùÚoSŸ¨“ÁþŒž4;Wã¥nûM¨¡î¶:ëŸâé”jùªºz™0{f-uÂùðñŠÁoÖGKœ#¡g¸¦·`^Í*›G bèhhìøGÉêu‡}WŸ«f®+ë˜ÑÊ¥yñláô»hjÜ9Ö÷þäQ=¬¹¼æ™I®Í¸™c½q>(Θ{†¸Õ6;Mí$ëSCÁÏÃÁ;îë)vô3ünñ>[EhߎÇ‹#æ,­üzá,)¿àIå™PÀ‹‰ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP123subCAP12Cert.crt0000644000175100017510000000164315161577363031050 0ustar00runnerrunner0‚Ÿ0‚‡ 0  *†H†÷  0I1 0 UUS10U Test Certificates 201110UPolicies P123 CA0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UPolicies P123 subCAP120‚"0  *†H†÷ ‚0‚ ‚­D­©Ò;vÀXó"Z‘ö¸'˜õº³9èðž‚Vn4wóLƱÁôF3®|7:ô„R|–À:p({p³)»"y ‡á´-ò‰|B’Zƒ9ƒ¼þúP~Ò%½7 ßoÏ e×@XjºçšP%µÇ éyàÿË„‰–¼êŽÔ 1ãY͵Íû$£CûÕh¶åÌ_~Ìñ’ud+A³ú…ñsâ…ûÞç@É¢Þ¾é¡}õ=pƒÄETúvF[šWÓL/@Åù…ÂútÄ-ˆc¾0¼9ÉR®Ê]{áËl £|0z0U#0€ÎÚýª“@øÀ y­ÁxÎ×'öž0Uä>F·æÈ©ØíÑ3áñ]$Â0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚‰rŠ_ÓÈΖšÌOŧ£ÑDUá ¢J“èQOçu€b,¦>ê­å äõ5Fž;T@¥¡Û¾µte$¨(Ê À@nDÁÚ;Ê’ç’p*ÏT‰ü;R;LëÃwZªë/GJ¥>#·ƒmpáê´à›åê Ó¡š/alýmÛÉ!y²žŒÓÞY€qm÷W"°´ß‰îº4ð×|˜ÒHr|y€ä •zaa  ´w*Uc[ýG ­öJœv~;§ßÞ“EX0 ÆÅ6$Ú{÷6Š¬¶ù»–½YþÒÛ…9Õ’€3¢›V¸ýX–Å».à]ß?_Žâ¦cü(X# '`././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP123subsubCAP12P2Cert.crt0000644000175100017510000000163615161577363031766 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UPolicies P123 subCAP120 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UPolicies P123 subsubCAP12P20‚"0  *†H†÷ ‚0‚ ‚®Ùr4§¯ô_ï+Lÿ2º‰*1BÙðÉ7«1…yhÁ1³%-~Wé£6¸Þ}±+œ>•ž{ç$u6A3 ûa‡ ÃE¶`ü‚uÙK1›ªõIzG²:ð5×í?y82y§¾Œ'tõne‹­™ÿAú–¦l[–P ½È)$_¼ä+*m±ÖßgŠàb Plk†mo¨Ì•éÐ`¬Ä¿šøDŠ›s&êeˆÕ]TSÑ@jHÃÒ£yÊcÒTÑóÑúmàThΑվáÁ î/;fYW+=vc<-ú­É27;sv §ž¨BÌÚ óªÉÎÒc'8YˆÎ\(E£|0z0U#0€ÎÚýª“@øÀ y­ÁxÎ×'öž0Uéü¶^VNÑ2ýˆ`køi0Uÿ0Uÿ0ÿ0U 00  `†He00  *†H†÷  ‚MœˆIÕ¥º Ø„>+3'ƒ°h×¾h•J þîrÄ]sƒ¿ÍÐè/V™q–(ŽÔ?ì¼ G¸VüâÕ†å¢(ÒÖpŠ¾ÝÉ¢_/ rH¶ß~ÒYX¯¥ÊA‰ýlÐNM9¤tN=0ºÐ%Ó›R¡’ðÙ¬l.%-ÐwØ*Î'´ Ü$.Âm3Ìü5i–¼çX¹^°•(›Ìï}Òn%<°ˆ©Ø¶ü³/NbÝÌ»ˆüü`‰ôàŸ)Vç·sãgš1òHôÍ ¾ä2MªcéÙOúœ™!=ø°ÜåÃCêN¼qÆéAXÃß]Æû£DC‘мüÓÂBp MøCîE././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP123subsubsubCAP12P2P1Cert.crt0000644000175100017510000000165015161577363032675 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UPolicies P123 subsubCAP12P20 100101083000Z 301231083000Z0Y1 0 UUS10U Test Certificates 20111)0'U Policies P123 subsubsubCAP12P2P10‚"0  *†H†÷ ‚0‚ ‚£Õü Úáö9±„E›o2÷e;²¢=÷–—‹™~u›H–^nH]N”oó}p¦`[ù鞦Ó_ˆ«EÒ‹n£Ãv} @‡ µ†œžøïùÁnJVÉÍùÉ}ï«4#îËKܘ@>‘šç®Ã!Ë”¬ŠÌ=ÚÆô{õ¨ªµE쓤xwCÅC^ǹ’˜t¾wQõd[<>ÿCòØ­gëIUƒ£%~ïwú;.ÀXÅH‘ßku±H’ìR×Þ¿V«rpÏŠa_c?MÝÔ”&Ф¿±að»’s­ÁTTpY…Ýóûæʼ) g|ëžÑF¿{ˆ)Õ«Ùg8™ŠCså‘£|0z0U#0€éü¶^VNÑ2ýˆ`køi0U‰ „û¬» ×Þ^^žhö9P@ˆ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚s?¨î„Xìü;‚¢üðå2¿\Ù”µ``á÷š¨ê¤ý+’U»™¤…›Â(Mºm¦êôä>[¦3eÝ¡p“€A:ȱìÛA,ÞÆ$úÅ©vä ,Ðé „ìñs‚ô5¿ îLM”ÒÐrƒP¬N`=[4¹æf[ÞœlÖÖ äCN,‹ó \Ô‘{€¢EMëzHR§Vè)lô©Ç±„›]Mn=.òg_Ç&W:ëò†>ð÷/§Ïú˜å“õ–÷ÚCÈ×­¢¬/mßî!?ƒõc¯² ƒ­âçàØöÁІG%jûçã/rwvþœq›¢¥§˜8ö7Þ^Ó¿;Ù ¶Ê¥>N././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP12CACert.crt0000644000175100017510000000164615161577363027773 0ustar00runnerrunner0‚¢0‚Š %0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0H1 0 UUS10U Test Certificates 201110UPolicies P12 CA0‚"0  *†H†÷ ‚0‚ ‚ÔmÈJ¾®_…„ïRN$ÝŽˆ0Ö7ghïF×FÒDÏ¡ÊÛÙšm C¾·:먞¯¿ç#'Ì6I|é²Ny—åW’Z6L_cv„ZïqLÍW! O¢YP‰dÜV—×lF\ºFw0˜WÑ«‘Õ§xâçØ-/´ =§ Nÿ­(ÔžhÝ3|>ý©OÔ…™¾R#–‹i¸Z?Â-]"tòMbËÁÎ,y}Ø`Ž7èÐîlž¶0²äãÒ‹ö¶µŠù…ªO±‚•8÷‡–Ç@(?;GEr¯P!4Âfn“æ €š @Þ:ý^÷\Þéñ¼‚‹ƒç8Çu£™0–0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UØ_5âšÁ7*&΃Ìsp*:â10Uÿ0Uÿ0ÿ0 U$0€0%U 00  `†He00  `†He00  *†H†÷  ‚’jXèjsòÛWq„Õ’q´~GYàÄ#=…›íŠ3ÔX:à¸û¦ð¢øª2$V >d8èj)ÞꨰöKy÷9³9ß " ~b5žFÌØJ¿#ˆ eƒâ|ǘˆt0¸Î7Ñùhâ‘=Šdv¾¬³ª¾`óìl }ZÝzÄTÞõ×­Z<éúÁS$—ÏÍ/±´¼ê¤\MuZÙŸíäù1º'‚þWþ`ªzE£Ü-ã—4ã€Ä6ãç±…‰)ù—<öýå¯7Ø´¾.šãl b/Š»¡úN©¸x¸ÈÉW ÜÀP˜QhtÕƒ@§-äx³#)I‡Syüê././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP12subCAP1Cert.crt0000644000175100017510000000162015161577363030676 0ustar00runnerrunner0‚Œ0‚t 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UPolicies P12 CA0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UPolicies P12 subCAP10‚"0  *†H†÷ ‚0‚ ‚ÃŽ6}ÔSƒ¢oøIB ZŠµä»¡èÙI  ‘ÛñÀ‹ˣɜ[ÕJ2¼ ÚËÚúêŽN àX;EÒDš:õ/8Œ]˜×ó< ÖýÀˆRÚÇN?œç‚ÌY %‚ ’X˜e–T‹ìÿ!_̶'1—¡¯ÔbÇ«Vïpx¼7h?»9õ,u˜­m¤>EÍlùÓ%Ó¿¬7Œ‹ûbàº{!`¨X-[Ø,@8 ©è€K}àNÍ'ŽÇYê‰hšn*)y˹¥÷ü@žb'…u0\§®¡íó›HËÖó¾ 7L÷T{nóà—õ;éÝ0\V‚ýë²J¹;îTÊŒ©†8p|•£|0z0U#0€Ø_5âšÁ7*&΃Ìsp*:â10U"ž×¸HÎ :]¾ÖMX#VËÖ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚Pb\ËÚz'G>ùÃÙg€ÃÑ’ "šþ2ã–¥•aÖ/ëQ'ØÞ!Œn›‡W3ùhl™CÜ»M| äÂÒ•ßûÆ”Fü¡‰åQƒ‡ù'Ç'€Rr‰~o®v pc>'°Šl *¹âË¢,$ÔˆTέÁ±ÁÅ)¬y¹ÜÕnïø‚ŒÊ}þKPrÝUf<_!­ÍäáÄvB¸Q†ŒrPŸÖ¶ë•,·WTVÐ!Ÿ$ÁI;À²xó5¹‡¹Øôü8€¹sà-î½IÜ¡› ¬>U=è _T?ž]ó›»¼œ™¥±¾nb‚Jj x·éF>¡®Î”¬ËŸ.É4h4dž]././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP12subsubCAP1P2Cert.crt0000644000175100017510000000163215161577363031615 0ustar00runnerrunner0‚–0‚~ 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UPolicies P12 subCAP10 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UPolicies P12 subsubCAP1P20‚"0  *†H†÷ ‚0‚ ‚·ӽ߿Ç9%Ýr0ðÃJM­ úëôЙšgraEÛ©¡ß mŠÄÅžnææÃ=*¥ÙÌOÐÍ÷¯ïÍ=jR ¿uÜR2ƃY©¤ï’d±`™®ø@«ý¿ðüUûÇ™3%M>YÉg/rU6l暤§DÿĤšÓcÑó=éuʦjk¦à³–¾Ý$nµÅ+gÅDZ~rfovˆ –ùÌ”øY~aC+ÛŠeá†eóäLI£\F°/!b<X z2—ôQ«Àõë L—,y÷¬ÉÛ›ñ¾ •ÕƒQ‚™I‡ñœyÀ¶xÝ%Ô>ÁC™6¹NÂÉ£|0z0U#0€"ž×¸HÎ :]¾ÖMX#VËÖ0UÇ¥7§Ðú$å|ßÛò]iÛîÊö™î0Uÿ0Uÿ0ÿ0U 00  `†He00  *†H†÷  ‚K¿Kš³ZB£DKžØXéÔåfµÏTÕ8DA¹þUX.&;¥1šuj‚: ’‰Ï*MÉ>¤ dè×7ÚÃ[&cLÛ‰WLsBQÖWé÷­"ö‚ýOböp©R´ÓçØà±õrÔ¥DŠ¬‘Qü; 3´.駼!;ö«6>)¸‘OûCø©ÒØY"øP’¦_¸4xtËEÐAJ³«ÿVˆ­’Yñ—¾t}ãKÌøûfÈ37P7À2VÔ©ZÙÙÓ•Sšv ñcÇœ÷[+ñ¼â<ÀyÖÔªgy·lß Ë[kðŸ÷·ù¥,Ù aCv"m«÷?ä:././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP2subCA2Cert.crt0000644000175100017510000000162615161577363030504 0ustar00runnerrunner0‚’0‚z 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0K1 0 UUS10U Test Certificates 201110UPolicies P2 subCA20‚"0  *†H†÷ ‚0‚ ‚ÀÕ|ôa\Ý|Ñ9ˆ|`Â%¬/¿°6ù?òÜIãì‡kac§3²íñ~G†BT€ƒÖðGîúõeyIØ,æ ÄÏm/v¡^<¿¬Í&:æTþ“Msµ¾2õ,KåÚpÎ>t»ªUí›Í‚^Ž¿b±QÀsÏ& —GÙÆœQ’àNYŠ„MX#^/ÚSŽ’uV ),YÊÙRq^iøØ"†¹Â‘™k _ovI|“l¢Â¯¡z9<Û5þ¨ë…P÷ë&3IJØ­hk·zß#I³sTJ‹"ÑUͼ!/Íw24ªïö`Pó4ç݇ÐÙ¥îÉÌl~O£‹0ˆ0U#0€X„$¼+R”J=¥rQõ¯:É0U,ê¸w=e¥¿3ÌzÒ˜ü¾0Uÿ0Uÿ0ÿ0U 00  `†He00 U$0€0  *†H†÷  ‚B‹š¤º¦sù[¾RŸ\ÃOˆ~0À$À?¬7/ ý2:h¡3sÕ½Õ8à(ùê~Ac;ˆýl¤l°(•Íàî?}Ô€o£—\ÙeU~½BñÍì\2òApx:duÐâ_3¿myôHsÞݯªšÐn–Ñ'¬:ˆt©xrO(8¨ˆL6c‘²ê#v暸S’Æõ5Å&”K ÆûR³"‡¯C¹o!5wøÇây®yú .Y6¸®Ï®;€¡0‡»;u@®êDæMùÑtŒ¥½Ñs^¯ìç½ .4DIЩõ5p©ÉM3·5‹O§‘&ºýMï>¼ú:³././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP2subCACert.crt0000644000175100017510000000160515161577363030417 0ustar00runnerrunner0‚0‚i 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0J1 0 UUS10U Test Certificates 201110UPolicies P2 subCA0‚"0  *†H†÷ ‚0‚ ‚ãX¥Ñç~I(½¡y l<6“+qñJql†Õz­Pi –ë°q†î“’ðJ]«óãÄ,ê/·µ<ΓJFM{Ûg õû3 En¤mëÓ¯grË‹>ÔÆûSAÃÇaÐk:k‰¿ãGÔ"{îÅö×—p !:>åœzæªÜGa– m$ªŠÛ€H9rA^*‡¾s yÇË8W-bèÉÅ h\LÙÅHˆè ©^@ælX«Ä8ñ´ÚA0dSíTju+ˆ·t©ÊÞäþf[ÅSoFžtßUу"±¹xTDhö`%¾g!šÉèÌ’˜•13ˆˆÂ§<àE’M#îM…JÑx9£|0z0U#0€X„$¼+R”J=¥rQõ¯:É0U^<„sž0prq˜®6Û"|¯0Uÿ0Uÿ0ÿ0U 00  `†He00  *†H†÷  ‚tkM ±å ² ½|KŒÃ¹">äY2ü=Ù ™ÿ6kVV ~3ªå×tj=éôª'./+á@%döáͳxÓJ„7KØr¨*ß9¬GŒùš„î81ŽfQµÜü%•årçß»¶%ŠÍfž®lÞ€èÌÆ®éY"XÝ·¥D9êç¬qܯ&l5àˆe—üÅƢ✭|9“Ư~.S§Þvùš*Õe‡>$;€ˆÉ¨òßòy…‹Ôy•“ ÄÀr{ô…Ù/,##¿ðp®}.ƒQm„YP|˜Øè}— ”Œ<Œ[¤uÌCÉ<&èz÷õÖÑlËÄ%ï»ÚL 0õ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/PoliciesP3CACert.crt0000644000175100017510000000162715161577363027712 0ustar00runnerrunner0‚“0‚{ '0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0G1 0 UUS10U Test Certificates 201110UPolicies P3 CA0‚"0  *†H†÷ ‚0‚ ‚àtÙڬХ…“Ïf:ü†þàêÉÎî!ÏÛ–ÐÃÒ´ƒw6cW ÙÊ.¾´ðJ¼ƒ#Úö½›Ñ2ç±å 4’'¤‚™j$(±Ne^SÇÀÃóìÒq.;á…û U^‰aã°Oؾà>êCBceù™ ¬I"¥Š¥oÔÔ.7C!Ù;ÉÜBé¤)e©î€ÒY.7ù&™íŽ}],P/“O:sûtÙõžÁsËŠN§4Ÿ1‚¶Ò±ÊÑQ­É1ÜÜâhæ«dŽ¿•ëŸ®#G79{×ïŽSÁ-ìPE<6ÀÌ]<µ‰ÙÅW<àeƒ[í8E*`>ˆ}ô‰óóÓLÓ“ƒ£‹0ˆ0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UØ«, ‹Ã’ÜÆ­j?¿óƘåÜý0Uÿ0Uÿ0ÿ0 U$0€0U 00  `†He00  *†H†÷  ‚]p¼C3À¼, )í×ZZìÙx#^CÌGzë[Va«Ùš48)Û¼dZ—É‹‹aÖ…'•~˳…^+çÄþŸdÆrÐ"a-˜h mNï.°Î0áQžä<Ø()6“öÓ&tÉÁ¾ÇÚaý8Ä¿ÙÔD;çÍÒ½‹›$Ùó;Ô?&WŒ«X >¸ú2ƒÞïŒ9%ã#V˧úWé9 4ªÊŒÊuVë@™IÒ w3õµYÌŸE¬–ìnÍË1ŸÙÎïøq°ï…²ž+•›1ª\øtºƒÔ[—¿]†PJ½@lCÆYƒ`ÿA°×Oe`©ãF_”'ÐÇ“ï€././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/RFC3280MandatoryAttributeTypesCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/RFC3280MandatoryAttributeTypesCACert.cr0000644000175100017510000000172415161577363033271 0ustar00runnerrunner0‚Ð0‚¸ `0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0“1 0 UUS10U Test Certificates 201110 ’&‰“ò,dgov1 0 ’&‰“ò,dtestcertificates10UMaryland1 0 U3451 0 U.CA0‚"0  *†H†÷ ‚0‚ ‚Ô41%0aÇüïá€,§W.Ùš‚Lª‚@_«Eô.Øns_2|¬²—¡ü‰ÙÚTH±`åì$„a>šQÍ·Lpþ‡¢öƒÌJ´vÓæMøzš'›8ÍÅ6r#š˜”ãÖ¢Lê¨"}Ü®ó"‹ýÁan%Òa ?ÞwQjz%®½ðÊɬO´mÛa­ «˜Œ¹§_ ëwr<¶ŒÞ®«6@̬[DZwá:(Ŧ­½Ÿ@ªa½©œý6©M“Ý*ÑŽÀó²ëÒi¶"ÇÏæê“)žw)]2êV‰²4;±|…3G̶ ®¿S „NÌ7²Äv‘lá/1~I £|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UðQbïÎAÇ·°gtk¼2 3™ë0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚'eY?vZ° ÏÚPhÈIïÿ8†ï Ý6²¿ œØ/»ÐÞÕ«uV H{‰Ãr‰ðŒûˆëRbfþ¤Kpl##V­. F`ÕM’/ß~1ž¦CÈV¿c®]QØTÕ 0(E4ÙU£gIDŒp-R[Ó ed 9<³>*²°&»‚— l©.§ßq.Ä^~ߥyKâ3<Cûÿ°5-°rê¿ÒþÄ´lJÈ¥+5¢UûäPråáRz*§×$pÝ–XçÈ‹¯#æ¢òÊIoÊz9c¤êˆÑJßÓg“`P¹®ESt ï Rjfd¶ÅL0ì͇á"?Š¢eƒÃ£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U›no?Š§ô経1[ΙK‘||½0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚úˆ0Âù¥Ku—¼ÿ‘*»e3iXö?ËÏÿ6³’¬œ‘hx·8#½Þm툞Iø-“½ cÉðG´.”‡:JmâÍWO.ø•àæò "ÕÕŠø>…:⢄…˜}8¢ö…RˆÔÁÚ¥REIfSȺÈd’̬‡èÇ1ÇGq"¼s>Z¼÷&ÿ,ßìëwUMðÑŸüÂÖx#RöÚAÍW’¥ê{‘DÈ,ö y"j#µؒjx 9(?üXSKËP>¶ÕqÓñ®2Œ¨üuö=y}—S}ruù>Ÿiq÷Ò´PZæå<»møK‚2¨h…*8‹P2óAÚW£././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/RevokedsubCACert.crt0000644000175100017510000000160115161577363030041 0ustar00runnerrunner0‚}0‚e 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0F1 0 UUS10U Test Certificates 201110U Revoked subCA0‚"0  *†H†÷ ‚0‚ ‚¥¥¢ ¬Ä½ Tõ|Ù)b^Y¹­4=è¼ùÁŽ°Æ®!æì íe*ܶcð ¹Xo„o^É$Ñr†·¹óÓö3Š|ÇjRPÍÕ‚F¹n7êH“‘gLîL±]) 0žÎêëTbó½ÿ_uÓHûÅwØKkÒ[é ÐbìÑêˆÿQn°üPprôvÂÐäç²âÑ,xx^¨y°¤wp(äB•hj©g–Eü~F^gJãR!J»iÍÍdùLË ÎÖ£úÈÜÒþH¯Dqsí¹ _’¯1„éÆ€¡—ŸðI‰_ ÃWò¡DCá”[Þž™’wƒmA5Î(ù£|0z0U#0€X„$¼+R”J=¥rQõ¯:É0U–o’™ évt»_ÔøûÙÏ ï0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚‡u" þ½nÈ›žC²³¡j>c[æêÇûÒôœ§EØú#sD©PNãùÅ6H¯Â-mN}²†“ľ©}uc½ œ ¶¶Å;?Ô?–ãƒf4ˆ–ˆÐ_L\Á 4pnO^÷,n‡Pp¢ç©×œ>~ÉEAQî“zée.£¸< RÏÀQ8wûÂz[ã0æõ[ž2þõ?ÀÔ&¶‡­—¨«9ÕD®õÅæG˜Ñˆk\=‚í“ ù¬aV6€á€Œ}3,x,¸ë|© p¤ÇSN‘ü"½¤è(6ÝY{< 4FŒÿ¶ ¶.åkžíPVi͈Z¤µÉ|././@PaxHeader0000000000000000000000000000021600000000000010214 xustar00120 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/RolloverfromPrintableStringtoUTF8StringCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/RolloverfromPrintableStringtoUTF8String0000644000175100017510000000164715161577363034052 0ustar00runnerrunner0‚£0‚‹ c0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Rollover from PrintableString to UTF8String CA0‚"0  *†H†÷ ‚0‚ ‚¸Aéûç$óÉLi˹!’¹Ô–=‡MŸb-¶¾’ äÚPÃ00²c)ú¦n/K;J -?ú,ƒLá»P†zÉ›;ÝnÑþ>ßOÔM0ÐôLœ èAºFxHÊYMþ(XЌƽA„ ƒWÊ6')0N×±«°È&ͶO0 Òè?­ P,ð6ÍnÔüóflX|;Õf7‘¤[:ÄTÃ"¨@-ôÿÙ˜ÕcLjæt3œò¾!ÅÁËXg|éÙ×f(«¯F +-Ò̪¡ “L­šîd.Ù•DÚvTˆ{ÇŸ¡“Tœá *„D¯£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UµmO(?Ç»±˜¤©¥Ð¨[^Jt³ç0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚B)0ˆŽyLÖÍyDLaK»2Ö¤qPN8åd¥NãV¾A)£¨[šÞ‰G‘{wmöaÊkoë­2ÍÞ8!y˜¿Äú~ÂÖ<åÄäåR±ëVÿ‚Ð pãv–Ãjý›S‡/ÇŠÀµ¡ Ú´ ~Ħ|à0™SümfJŠ h6™<µÚßÒ¨Y[·ÜLQ\rnN–ŸàA/¨X3¹ö–VTÚH`&Œ¹[«ZJ#Tf†þ¥oj̆˜¿Ð*yƒƒMØ`¦tíÚOzØ€›élêoÔÃ@nDkXvË}BáF˜å>©üfÁ4õ°ˆ€Y¤Í5š9l9ªc././@PaxHeader0000000000000000000000000000021700000000000010215 xustar00121 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2CRLSigningCert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2CRLSign0000644000175100017510000000161515161577363033363 0ustar00runnerrunner0‚‰0‚q h0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA20‚"0  *†H†÷ ‚0‚ ‚Ö˜},WMì”›Ìu†Ö‹fŽ^‡ vŽc>«p;Qšöðž›Þ/‹sDl=ªš(FQˆ´Ž}¹=À{Ö˜Pr,,ìêÒöñšÎ©˜VÛýÏë=ûýÁ×iüÌt ò’¬‡ß¯¦øØÑxùâ '¹IªJ{½µ–ðSÂOÁ¸kåÞÆ’‘"ÇåH©k=gú–¿_òCôÓ{;±L9"ÐG¹}Q=ü5}™š uSÆ7jíe½F;dŽH³»GÓ=xáƒ6: Òí1QXN¯*ÈJÔYv‘cbŠ¸â ¸™âQÙ®n†¼ù¦Ëa¨¢Gý<£k0i0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U„=„ª|w_1ÝÍ`ó——Ù±0U 00  `†He00Uÿ0  *†H†÷  ‚„›ii˱™Á÷–ª¤u‚°R‰;‘ ²£1ÕÏÑŠSüÖù·ö$å3ô¡ô²3Œ7pþÃ"gÒ„J…˦Oo £fGtòÕWäqoÌ#½guÍ®¨Fï½59 7^CKûhbܬϬO­è¶ùõÉÆyÍÌ×åP×Yf¤¸õwC•ò'¢…\o«êÇðÝšÿâWWðê8#Æ–?w Þ‚æ  ñQ‡r›À‰ŸAÜÎlåhjÂMÕ[´Î>@QÞ&º°>ü½oò,Òá^°0âOñÜ:Ì’ᥭòhá0e¢Uq+]wpeHSöDƃÖíÖ©È././@PaxHeader0000000000000000000000000000023100000000000010211 xustar00131 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCA2Certifi0000644000175100017510000000163615161577363033512 0ustar00runnerrunner0‚š0‚‚ g0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA20‚"0  *†H†÷ ‚0‚ ‚ÅbÆõkìÖÉœPµf¥?šµ l3^¼1šf{‹ÌŒ˜©Ëyi,¦!êœ3–Ñ¡ßÃkF‡í_#M(E[2Õ{{¶=y¶ðOãòp7½±¾ÿ5rY€~7;¤ó‡ZÑ i£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U8£8ŽNEö¢â@g›tà0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚@KçÈÑŸ0Ì’Å  ´Nl*;}9¶å•%AD`áR†,jJ Y]2P”^:Ã*û¿Oñ¾œäó¶b0ѬÀÏæ ÈÐ3Ü€ÒúÆ-»âw®U vwW¤™17B±|ùÉ8Õb#† ³ù¸–Ycúg††AZƒáyRfêg|†ún‰ÁVN0f_ÍQyQòšõ¹ÄŸÈ´B#èÆß—ŸêÁ@½H¦JLEí:1r˜ÚÎ, Þ(®”®ÓþG7¿× 8Ùu,{%À_m´£³E§z·«¢ôÆ£(XGOÌåyËjÀ l‚9Lù& Qÿo…»tn|L ././@PaxHeader0000000000000000000000000000021400000000000010212 xustar00118 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCRLSigningCert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCRLSigning0000644000175100017510000000161515161577363033573 0ustar00runnerrunner0‚‰0‚q f0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA10‚"0  *†H†÷ ‚0‚ ‚­ÜHs£y0fâV¹6æ™°«nÿºÁfô?àGT'»³¬IÜONůÆ[!§ˆù,<6™È"àeQwtÓ"õÒ+›˜›‰rÜ?id¡T÷p2P–þø EÚó>ùÜ{Æ—Äíçòmñm~¿æ^躦dûGP ]ÊSv‹› †] -i`(E¿Âܧ}#wŒª€×&þž lIhã\@u˱Ái·"hÚ@pÔ«}ÈAt&:BËx¡Æä†/Spl˜?E*;4¢{·ÈUÏtütawí‰Àb9ØJMÃG˜¶U—;ç/;Œn¾‰öÆ*ÐVþ%צäeū˶/a£k0i0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UrŠC [==ÄUáƒÆŸßÊê÷^0U 00  `†He00Uÿ0  *†H†÷  ‚!ôÁâuã-Ü4FzHÀö.]»b·Õ0í(Õi=VÂfLñÐþP7šj!» ùŠRÃÿM†i=L@/­þÆ'~ =³ˆåÏ…åߤ¢æK;›q¶w~@¥/âiå‡X_ Ž±ÓˆÄY£ 6Ð0—‡;»ÆXó¥(§ õ)Ñ[”“ªrè‚íZJS{àÕ•2Ÿ/‘ÉvÍ4îs¶êÿpËk³%[lêÜ{ bØ’ ¶e§žyŠÆ´w[¥MuþVùÁ-çcê*½íßÓÙú4ÅpV[„ª|0;}Ú;xï¯ò)T9²©ZÛázA›…¬^h Ô©EÉ|³ërjYÿ>ã7l././@PaxHeader0000000000000000000000000000022600000000000010215 xustar00128 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCertificateSigningCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/SeparateCertificateandCRLKeysCertificat0000644000175100017510000000163615161577363033714 0ustar00runnerrunner0‚š0‚‚ e0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA10‚"0  *†H†÷ ‚0‚ ‚Ð ;KÓÌ2ÚPê+½Ù­ûâ}]KÌ %9Ap($z˜]¸¬¸-N”JKrÕ¨Ð0•¨f Ö¯ì8UçÍJKýä· 8 =òýäB~iû¸¬‚û’ÏÜ/jaR³P!^RÞyWÚ=Û÷ÇáܾòV½‹²wÜs^ˆ“ñOÈvá5f3äË3ÑÌ:3Uhò‘¯±C«u”6tTóc-åó n-A·í0`ûo?Ùô‡­&»˜sÁfõ¥¦ô#Zˆv$kV¡2¯‰Só> ÍP"|Ë‚4Òi(³êz´D=€  Ë€YË:¦>+<Í_BËõ ã@Øí£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UðeÚ?ZÞÕ¶H™;×L¤0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚FJ‘BJV¤Ô±Ïõêi;Æ¡&öT…=Ÿ6ø¢8YΑè(¢âC¯á^Ü@ÏŽËŠ!Y%cæÓÍîØï:am&‚Ì$ˆ©öÒ|³["Š4Æ`[è:žBPþ,ôJ7X'ÿ9g+b¡ )@›‘˜Õâ,ö_«V¥àðÄÄ+ùºø+nÂ"&\$© Ëï ¬õ at†+b­º‰ª~aAVj®|(væ#|¨þ¡œÌÁër+וÌs")ÓYMÝÁLž òL}{£´4µôÈøÜ%m¹>}söÜvÔ`uÊàrƒÆT *ÄÇQ•Ô¼òO2T/q ’././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/TrustAnchorRootCertificate.crt0000644000175100017510000000151315161577363032173 0ustar00runnerrunner0‚G0‚/ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0E1 0 UUS10U Test Certificates 201110U Trust Anchor0‚"0  *†H†÷ ‚0‚ ‚¹™Q‰GàÍE¹„'‚ÍD9ª¬Û ÃÞâ,NÛ¤WŸ”5(5Âkdö[ mÿ'ãŠ#cΚéÅ \¨†XŒ”•µÉÔ€Ö±^¸e¾:ÏX âÔåH°M«Ö.>‹ºŠñƵøØm\1rêŸZc&ÛN<œ.Ï¡£WösÁk*Z£°Æáá²!è ³VÚjZQþYÍ")«ïþÝÉá¹ðã¿2æX>s !³ øŸ‡A35 î „Ñ{fÒ®)&uyÌóµpý5IPl7/:K –³Ïra•Ÿý¥|Å././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/TwoCRLsCACert.crt0000644000175100017510000000160415161577363027230 0ustar00runnerrunner0‚€0‚h  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0D1 0 UUS10U Test Certificates 201110U Two CRLs CA0‚"0  *†H†÷ ‚0‚ ‚½UpÞb ¼oH ÍŒiZBŒÒÍêôÒÐÅ÷æF¸]Cˆ¸ÉËw4Ï¢^\IÞ¿âÉŽ1r™h P"¡Ï®hZßjÜ ð0â _ÎP§ C¿`FŒo‡CË"|8âÄn ÚnÜ}ü_Âèzس·Æéyö*^ +”÷}1×7F¡¸öe5w'΀C†m¯oaöµþ8ëç0®háb#yˆ5"Ÿ!mÕ7¼‘v3{zlèlg›Í’ôW3\K#¬ÿF’v¦¬Ú7ב›&ƒ»[¿Ñºþm)ô5Ýžµ¨çjvãBnÉ mTøä"„Ï&æ¾YÊ£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¡Ö™€ãmýçîwK_ñIÙÆ”ZPgùæ䕱ž¨]…&ÐC͆‚ë‹n9°W©ÖxkÁ~Òl´­í]žÝ¨¢`z‚¶«mÔ^cG8¯hz#@å O˜Zg/ZõÐiÄúŸë×K$ji° ÜV¨“€ð6a¨>&þx4ã(~¨Ð¾éâ—ŒÒ_ÚqQä,ÛÇ™”àŽ¼ý!þ8Àt…›#‚˜˜*ÛñRnÛ–IRթʪ±Çj¤al‰|0vcˆ¯•ü©<óóMmn5Ïr\5ͬ¥././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UTF8StringEncodedNamesCACert.crt0000644000175100017510000000160615161577363032120 0ustar00runnerrunner0‚‚0‚j b0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0F1 0 UUS10U Test Certificates 201110U UTF8String CA0‚"0  *†H†÷ ‚0‚ ‚éÇhpØfÇÿ&^>ÜšDÌš°ãõµÓGPd͈ý÷yûZ÷@…±› }‘vÐ'ŽT‰ªL¨á†B—|Ä\å3£-þ+q 1ÿ#b¦¹7ìÈ`q!Yí0eŸ3åå«/"e‰8Çfrs—ZîÌì:{ºÞ£uæ@ Eþj-42VïªI¬ä _HJ¸Õ(ûQm©º¦xÑö×ÛLòÁlL‡—ݵŽ(œ•ð‹Í,ÈÙÜ+ÖªÑ.z>– Çc¤ï¾î߆¡IÇ÷¨y`±5þ½D ˆGG’/Ú'Å0Š½—fu=|N6.ÉêÿÌ°RÆR­£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U;g[Dò §H}s)Œ“ŸÕ$ã`&0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚þKÒ¥ö‡¸†:èúH9ä«2†¢©ZªÉIíþèQÔÁR†Ç¨q“_-P`‘âºüšK>Ÿ‚Ü| ­zþÞý–Oåú_Ô%%mѦ¢Â!ÁŸk‰4-ÒË †«·c7Égþìã¬V«Á,ee!ð¢‰'`Ê$ÄÊஂè2F°Ë˜H̲( ÅkIt!êþT±.{Þ×~–¸b¾OÑ z2¼ÅH‚žã%@0×–#µúnÐÒtE›.äÛµ×lCÌ.eGÜ£—œ_-~XõQ Ï]C û×­È”(éËNýo\?t:”ÒõŒ§_ ¸T*‘D„ˆ¶u’l²/­3ƒæ+U././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UnknownCRLEntryExtensionCACert.crt0000644000175100017510000000162715161577363032657 0ustar00runnerrunner0‚“0‚{  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0W1 0 UUS10U Test Certificates 20111'0%UUnknown CRL Entry Extension CA0‚"0  *†H†÷ ‚0‚ ‚š¶MXÆ!÷‚Е\èÆp ‚q Tn ô 86¿45ÞWMªƒ.0´§†÷³¸§/Í-Ü>¶Ø‘×fõA¬66™ßs’ EÓ<¢c͵¿Ÿ7Û$¨˜½SòA ì\¶íÅž¨¶Æa{+¦¯Àlvq°ý Ý.ù!`dP­ôÉ'ûáþ¸åìˆyâC²çî”Êpia€°ÌÄbNI¿[¢~Š|nÏǃ”Ø‚Nîõ¨Þ"+`Op¡ãª¼<%Ú“æ¥éw±)ÜŸbM¤RÝ\Û¨o¿]"[gáF,z¼œÂý.Ev °Zlp§£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¦Ë¡-M(/"óÒL7ÏÿL0Íê0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ŸåU¯.¼ìH¬’³——}ðÖ°SÛòT•&gÂÎ!F]Ó~·RÈÝ ýðU«4¹ó×K‚íaì”ZNåCãÝ¢F“Àjöß·óó泧M¢‰&nù]{Bhƒ°©Í-Z½;"¸ê|ÌæhׄP=IÔ{T¥5;ëýŒ0Nò+ʲ#R7âÐwî-I8B·qO”5vƒ#?._ªÕÿ[®¿…¡ãÜk¾ã÷±Îºë†—ÄÖš:˜ÃÄ£Ð-#†œ¨­vº¶K¤8L&¬´^–Ú ;-áÌ £§f°ý\:7³3V»pÕ^¿ˆï¢m?^F)a38././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UnknownCRLExtensionCACert.crt0000644000175100017510000000162115161577363031627 0ustar00runnerrunner0‚0‚u  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UUnknown CRL Extension CA0‚"0  *†H†÷ ‚0‚ ‚ÝþniS±€U’ñÕ\Ð>H }ój‹Œ†@½®Ðù\m»icyJ]Õ‘|ÜÔÀ™ê‰)ë¼’¢r˜£l´­â¸vUYkÀ1Ø’þDv™*&Ÿ/ˆÐÛ=P9*%Bp+ЉONõYûoÙYí:éѬäS@јä½aPL[ØoÙ‹RH“ûDÈm±]xÇrKš†XÛ–%6§[¤.æ›4Dj~ò»ù¦f•»c™õ ¢ä‡0›Gêyèµ,£ƒÔD–bæ*ÌÜÿÒ$põTp‰+óšÕrä“];.‰ƒ„1zb«Xj‘Ί¬èålÓ° éᶦ¥ º¸ÿˆýC‚¶âU£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UýÿþMÛ Å¢Ø‚Vë°Ùaã10Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚8ÆD©éJÕ²Ùª67Ÿâ¾ßóKqBeY¢Œ‚WdÁ¯PÚéå'O—×ÿ#D™"k3ŒìXê»Pžc)Ÿ¬ýëÌxØ©´%¹ëOÝŒD@«_µäœMÞ„ê›mgß›•)EB¢÷D”_—ËCoL—ÙSSH8uù³jãËÄV&¶ Nùâ A?M‚Žà¶ i®âäÓ6vÚÕ†ñ±žòø^ˆŠx>N|Ik-ì” Š¤—˜è)—Ž”g–»8{ÆYéÅURæ‡çÐøâ Þ7¤’Çè¡°WÇÍéF~¸õ´i…¡å_Q@ìbøN+Œ›ª[ü././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest15EE.crt0000644000175100017510000000200215161577363032044 0ustar00runnerrunner0‚þ0‚æ (0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+User Notice Qualifier EE Certificate Test150‚"0  *†H†÷ ‚0‚ ‚¤KÉÑü K3­Á<€sñÈdµ­ ÄM—ƒød‘|÷vìû%WJ»KcI!¿F'ÒÖS¾}¸yŒÁ¥aeµ·@ÉÝÚ“ê¼&‹Æi ´¹Ïô çnìésÇUc-b®+Ðôe2Gýt§¹Ù&Ä-”SØoF:v)£^·Øåšíò‘OÚ¿U  ³¨'ÿü…taÜÖž#§?Þ/ÙäÃÛ«x"™ùìûÇT-8ðßÉ+è³Ð§_eÅcë–¡0I¡Y”AÎ}j.èVr»qÂ6¥³\_›!TmÓ„Úg¥hbê<«÷p’»)ÔXÆß`ESWžØH?EdôÉè!˜Ù4J U%I½&DzÅË cP‡Ø7VtÚr@"Áó®O5òé6m8©— L`W˦nxÛ“C÷Qç…¦aÿÜ­/\NѺývÜ*ÐCXÁ OðZü¸^n‹FÕ…a×xßF~¤î 0„PvFâ—¬…h±„˜Âs©V©ƒ¬È¯VòÚ©J3‚Åú././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest16EE.crt0000644000175100017510000000217115161577363032054 0ustar00runnerrunner0‚u0‚] 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+User Notice Qualifier EE Certificate Test160‚"0  *†H†÷ ‚0‚ ‚ºVÞ¾Îî÷iÌœ ¯ÚŠp>|i¡«\(Sá¾zŽ]ç §³&}(.0ÍïݺœÙ1äjßÿ\÷óÀ‹½CºÛób“³Ã—\åe/% ¹„#¡‘À¨{Ìòá€?.î;¶]½ß®A!\ +j@ýÚå¦4+-tG –âEëé2ø…{³:Ö ¤˜D ŠßK ƃ9ïæ ®~üŸ¨/’¯ÑèAwÒÜXûø›šÝ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest18EE.crt0000644000175100017510000000233015161577363032053 0ustar00runnerrunner0‚Ô0‚¼ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UPolicies P12 CA0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+User Notice Qualifier EE Certificate Test180‚"0  *†H†÷ ‚0‚ ‚¼ðB²»ÐH&|  hL”|‘Ô:M>¹!àC¾Mtx5•`£^=ì)üÐMî£(PªN"†K:`8_Dd_dÙ¦O·ÌÃ]Boèì´Ü·ûbC—yËg¿"y$f2MV¥qr›| Ò`VI̹…$æJƒþçþ/Ëx žâ= ” ‚ÅÆk‹ÍV—8tb¬9SAPf‡ÒrdäI8Õ…rûñ u¹÷󩪾Õ}rN˜Stz55·VeÒãŒW¶Sv/Ø1RUoöùÒà‚“òW´Q‡•\øç„þø7œÜ_é±r 3F%|ßÑc-K+—V¤õk£øFÎ £‚«0‚§0U#0€Ø_5âšÁ7*&΃Ìsp*:â10Uà;ò“¨æŒ* vk ohq0Uÿð0‚SU ‚J0‚F0 `†He00Ž0‹+0}q4: This is the user notice from qualifier 4 associated with NIST-test-policy-1. This certificate is for test purposes only0£U 0š0—+0Š‡q5: This is the user notice from qualifier 5 associated with anyPolicy. This user notice should be associated with NIST-test-policy-20  *†H†÷  ‚ƒ6]I¼àÆ?æ9±o¼I'O\(/à›?ÇjÜ\lÑg dÌ䨘Hì¡°ásêé×™ /±ôÇ'`¦ÂÞür„¯º¸.{¦*¼8׿9ŒÏpšö$Êñ¶›pç–žŽÙ=Ô£E~—¬Iõ-F0hùŠàåŽF{ÒdT· >Òòz-0×O+öd·~PÊbë?ý¬39ì\á÷Ûì{lø.{¡aK>'k؉BŒòœKÔtŠEo›a5Ù–+Ÿaºvn¥¥DGÈY6rY!@¶#{rOvL¦lvvý͸){çÄ»;wœ^7ê ßR†8T././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/UserNoticeQualifierTest19EE.crt0000644000175100017510000000235715161577363032065 0ustar00runnerrunner0‚ë0‚Ó )0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+User Notice Qualifier EE Certificate Test190‚"0  *†H†÷ ‚0‚ ‚÷ó™ Ö¸EÂ%ËX¶ÿ(ƒ@µiIFDD|~j,µè^…äu7Ê £3î7­•<ªµ¡µ1'ín\QhgºñßÖIË•‡¢¨~ÿB•GÍ™C¡EÐÀWlp®‰xiº ô:±â…w,äØŒÿ¼u裊A±r>+†ü-é=̈˜œ×äöó–„ôDqº¤Ê‹O‡îùå Ú¾ó§+î¥ðG ž´²)™ÝÓh6iT[AÃ{Á˜&ùûâT®ê·Þq£b….r¯-j©iQ/”:¬Ñã\ÿ[@·ì;«NN ÎàÒñоH*G ¼Š+ðaI£‚Å0‚Á0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U M “;‘àÏà'×7[~é›0Uÿð0‚mU ‚d0‚`0‚\ `†He00‚L0‚H+0‚:‚6q6: Section 4.2.1.5 of RFC 3280 states the maximum size of explicitText is 200 characters, but warns that some non-conforming CAs exceed this limit. Thus RFC 3280 states that certificate users SHOULD gracefully handle explicitText with more than 200 characters. This explicitText is over 200 characters long0  *†H†÷  ‚k, ¾¹dûdg%D‰ïaH å/I2‰z»Žu©éÀÃUï~m-*­X,ëHeX­mX'Lß亜 ¯¥=RÄåu…Lvw!cóñfK´•Êê5dŒ•<Åyš)b>Ø0¥Ù±GýÓRc)kï›7dÛ›‡PÆ< æóyÅ鮶Ü;!˜R@ìûñ¹½Ø¤S”!Ïâí®nMuð»öP+¬ °Hî—˜¢3L•àqΖ ùÄšXÏQÛëÍ!içyå¿Øs~†cé›D½¸;ðpƒ AÍÞ­|”3k„Ú% PðÐSQâø} ì ‹K(././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedCRLSigningKeyTest6E0000644000175100017510000000167415161577363033505 0ustar00runnerrunner0‚¸0‚  0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA0 100101083000Z 301231083000Z0u1 0 UUS10U Test Certificates 20111E0CUÌÂi*,Šžîdò²›Ô÷Ö·lå-Qøÿa³ï½V$[‰Œ2ÕG üC€–RH/šØÆܬ"GLlÌn±¡  R°¯w”…íýŠ)æ«veØÛ­Ì*u,(?Jàý´ãõ5ë’'#NºGçò#š”ƒòFBñ£k0i0U#0€)šE.6•ìò^TœÕÙöD‘,0U2½°m`idvy5í8r¥¿ï=0Uÿð0U 00  `†He00  *†H†÷  ‚'ÕÁfï¤×DקΪN ŠF‰ùÈ˳{TF"ª;!nÕ!÷ù?Eš‰ÐÚ·»iyåߦMãDè HbƒNitz”€0—êgL€?±CÁŒÅ$i”;Ù¾¶Cþ¸åª0µŽ» ÊNÈ廢Ϩÿ¿çã#½Å?€‹8Æ '÷½©0ôF¥ «‘&ºO%Üâ}Ÿî5ËO»7_†X¿'±Ža4õI¬8šm@8ü¶¾;ˆH Þµ<ËKîÒ„Ôãç´‹ß®ÑÐõ«Ì&;êt`¹;VóñüØk%ϼ£×— MÖ'ZÄ H±‘‘™WGÄà»Y¥U././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest3EE.c0000644000175100017510000000166115161577363033440 0ustar00runnerrunner0‚­0‚• 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid Basic Self-Issued New With Old EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚¯Ññåúo²gòÅœ€»âU¹¹dl’dÒp•žg~Bìê•bÉŸ¢wÖCZDùPZýÝÛéX³Ó#E \nt @8•‚Dó·äÚ\ˆy=ÃimowªØ×N²Ø—nO]sêáº×IŸï¼F¨ ]cdDÊÖ½U=ÎÛL-äËË=*¥Ö©$Ržß ÿ®øÇ!Ü7мÄ=ïHjt2~ðÝÒä‹m“§Í™.uWák@ÌÒ\YFpÍ}hc¡Ÿéò^¸”û²_T—·ÈmI´ îQꃥº »_¨ÿÖ|ÞˆÜpˆMðü®½°hï^Â{Уk0i0U#0€ˆ_¾?59fšëMÂ&&±*'µ*0U&ê¢g´b¿¿ÔÌýdÛˆÒo'‹ë0Uÿð0U 00  `†He00  *†H†÷  ‚3âç\ÆV¯í”Ì+ÌðÏKZRY!ÊYM0̲* X÷3ï2=OhT¬»ë!“+I•=oêS>ªIóø:¡’)Ó ]° O` tÔžð™Ó#]Ù°èå~éî³P:)rŸóž}oz`ÄÁöÉhY.˜/lX†Í­U¼À§°CNHÇŸ<9º9"Źª¾¿B~‰‰w‚à‡ÍóL7O&mŠ&`,Œè¨¿a(ë"U§íxú›ßÖKÍÚq¹¼ÇØèžÿ³×‰¶œ 7‡¢0ÅÕ¡ÿoo’ßi׌¶{30*­3œû$or[¦þk¯Ñ&U£a„†§®GnÞ„çf— U././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest4EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedNewWithOldTest4EE.c0000644000175100017510000000166115161577363033441 0ustar00runnerrunner0‚­0‚• 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA0 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid Basic Self-Issued New With Old EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚µ†êE$„~|ñÇmÿ*»½ëOØçö­è•ªÍ.ë³\LÜü õgNš‘ÄÖØ+‚sރ‹q4ÆuîÌÚÆàsY Cóo¾eA®:Ì£íTæš{žvÚËÝc`tJNÇ#Z{//JŠÃ{û–ÓR7’…5çÏVd#ðÂÍ]°ûbÞcn|£Ñ¼›áÙ7»ecNô»a¦““ɧ•EuäÀßc¶n.sêäC÷'D £Ê¬¤dÝ?Èè‘þüòu™­ºœñáX+ÙÅ™&‘BÏoì ·ó5h׋ºŠñ™AŒû–f¦Fª"ON•$œgz(Ö…ŸtAi£k0i0U#0€Ý uShÄË@À†0¡¾¯0UtÄEóì50o“„Q—S‰H0Uÿð0U 00  `†He00  *†H†÷  ‚‰Jœ%œ+oª¥ÚAÃB`.G÷ÑcléÉ¢G‘‡"ôËÎZ ~!Œž/`ñ¡’øï·çìÔ²ryü™½|ö  ߘ+Ãy¿¢šÖ %®£™Œ[j#¯0¢Â±­ ƇåI2D(Ò…ÄtÏã…­çd§½½¯2—cÓì—ˆ»m#\L”v-@B‰L"¬ÛÒ \µ$Ä4‡ó,ŒƒlD¨dk XëêÆW簾kÕí+™•Í®L^í}¼s†¶Ýþùr¯þ¡0*—ïHeQ5¥„ÿ>À{ˆŠ¹ÙÙOðV|öÓd­b^T´ÎÅÌÀ5-é­¼íÛç_v‚=ÖD|././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidBasicSelfIssuedOldWithNewTest1EE.c0000644000175100017510000000166115161577363033436 0ustar00runnerrunner0‚­0‚• 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA0 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid Basic Self-Issued Old With New EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚Þ¿D-€2_¼÷Ï †µèê€I0 9·©á(¯~ éSâpš³ÿ§Qú½1¤g¤ix}ÅÓ¸Zž¡s•‰¯Þ†›€& ˜0@ÄArÕÊmN! ÛQš«»]îÿ8sèTwžCHù‘0™¶öæãŽp¥BrMÂ1L‡$¥.ã¤È¸ÎB Kkõîp$>·àcÎ7 ~Ù ›+ÐÆQ$7cÇ¥Ú0m×­29[põÙÀy…åFô‹j·iÁ„¿ï“s%–ŠÒþã4˜Cû’–ëH¹]\{›id}D{Jjöÿ2¢@8héD§ex‚™¶ú£k0i0U#0€v|Ød4 Oßq!t ›6¨‚×0Uݨä"÷=‚”KCw.ÄÏ'æÿC0Uÿð0U 00  `†He00  *†H†÷  ‚ qþv{ß8 ¿î„e$gª;!l œ¼á\¸êë¢ /fþ‹€ÕuÌB†~·°yn·ì~ü/×VBÿöÙŸÿg%C|ÏõoÄ|'”Ù¾gH˜rZòªìæ[Ö å4míeãeïµü®‘¥ÂœÕ&Å$}÷roQgÌwtAG'ZŠúòr¼@]ÿ[@«‰ãS““úp_ ¿á]ƒÝ6媲WfgCú4‰÷wKŸæúx­¬ýXàç ¦FŒ  Ì6S«€·ÜóÉá|†l²¢´¬K ÝjÉ[ætÁŸK?râ­´/Ga —q¦E,PCƒœƒ}†FIj dëe././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidCertificatePathTest1EE.crt0000644000175100017510000000157515161577363032072 0ustar00runnerrunner0‚y0‚a 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UValid EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚ÙÜw`Aûçxø„wpï-nU;¦™R?mô½¡—ú6nDBÈSþu†›^7ˆ¢}ÙqÔI5qÎFÏ[ÐYŽeëB=ÊÜLØTiÏ^8² `݃Q.ßÛÕ[8‘Z-Ïš3´o–åvbCi„ÏTAù5êžÔZ—^Y½àäÃY‰×Þòy°‡kÀY¡*‚okS4t=ôáÌVb¢äeè#±ƒXS²3-–¾å}3žZ'sSÝ]˜âKSX‘êrì»”ò P­òµ$1彪$±¬Ý Rð‹j«¸÷íßc´Î”h¿^–ÐD–ñøôz: yS£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U¨< göØGº¢ÐürVˆ@m••0Uÿð0U 00  `†He00  *†H†÷  ‚ZÙ¯b¥¹R¼¼ì aˆª  G£ž©²ø£Ù,Ò8¾;²ÏÔ1ˆÏÎiôŽÇ¹pQÀ‡Æ•´öjú1ž-ijíåzanŒÑäÚ›mlî,ÑyXØ„Í›AÓâþ‘Æ_'e{ú/½¨¿4Ž-ÏLX[0.ifE&&!˜Óó®)‡ZNƽè(~ ”æÿ\µ\OÝŠaYÒÿÅiÀÓ‰JÑÂåÈôÈÃý*#O„\,D-ƒŠÂ="Ç<`òŠxãFeÚ™øcÁÔz p¦z§›¬¾ðD#‡X¬èó ¿%Ë6«iZ®ÿÀn°Cžž<§0nÂ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNSnameConstraintsTest30EE.crt0000644000175100017510000000172015161577363032622 0ustar00runnerrunner0‚Ì0‚´ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS1 CA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid DNS nameConstraints EE Certificate Test300‚"0  *†H†÷ ‚0‚ ‚ÄÝçÄNL†1{NÏŠì“×#_>nO >h㦸;õ‚KÏ¥XÔ$y½²ØGjh¬ÓÚ6x¼+`¼D)H‹F;z+¦„ÍÇö ìf~¹>é=ý4 †šµ<èNF©yűUúnT‚XÔ•èßÜ'j€ƒz5ý¢NƒÎì]m*í{÷@¥Û›9QÁTwñ ÒFM¯àHqž«ö™Wðýà„qþÿÑ~)B‡±Všºîý ßà¹Ñ4F3bnóéòáû6[Í6–ø[B¥³XŠ§c™=Uø¨ÉwHŒð}”y…°º«Ú&>N†o<äù9\Ûz PýJß?† £˜0•0U#0€±ªðãÏÌÒ§‰¦ƒÝÿnÚãI0UE’Ïo“µn6‚飡ÄA:q°r 0Uÿð0U 00  `†He00*U#0!‚testserver.testcertificates.gov0  *†H†÷  ‚¦ ŒH¼oyŒâú{e­×‡.ä´`‰”¾Oϯñ&&O/"dåJómp¨£š`÷ÛÓZ_Ùì„·9âV_ªô1XÞ;[¦÷‹â™Œ‘4Åq ‹„Ç>ktF ÝŠÁOÛO|$T#w>y¥n €mº“n¶3& m{eS¢@JU­ÑaFrk\©Ù8k™F·qr2/‹º‚ª–l«_=ÙÆõÐc´F!Ëõ÷Þ(il%Å2ÎÞæJ˜kŠD’"q',ø*… ï|˜iÇ¥i`!±È«ôv·¡œ^¬+߉.²jŸdÌ2”¹;d&Ëöå|î1§úz&|EFáƒ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNSnameConstraintsTest32EE.crt0000644000175100017510000000172015161577363032624 0ustar00runnerrunner0‚Ì0‚´ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS2 CA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid DNS nameConstraints EE Certificate Test320‚"0  *†H†÷ ‚0‚ ‚ã;}P»X'#ȸөîÎî¬ÊÕôMy…¯/¶’æÛ,þKŒ wµ… :î ýþ¼½>ß퇭Ÿ\1ÿ°TfŠ,Ü×ßvô¶ˆ £ÒÏL¤e»G9š‹m¾Ý ?g¸JñM¤vÇÜFÖJâq†SÊ7‚=_Ñu°>o’æ‡Á #QbÀÇsÔ†kq»y£";Œæ,¼ýö2_ìBkÊA¤Øo¿d"b­wA(‘Ï¥ZÕ+ˆƒò98줻u@—iìVôwº.<+E ÐDÇ[A³êÆ÷ •Ž‚Út˜Bé$CkuRÉz ÛlDŒ4Ï¥ó·©O¼¹Û¤óñ·ù~íu¹¾L«Ù²#ÆÀ!2°`Ñøä¯ú¹¨cT͇Ï<4sC Ü_ƒÓñ?Œ& fH k80¦ZNý1‘·ríÒp×]å*“ؾ™fšÇâaÔŸQyׇ^Ê„-‘<÷Yïd7e\wK²‰D¹^ªK†././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNandRFC822nameConstraintsTest27EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNandRFC822nameConstraintsTest27EE0000644000175100017510000000202415161577363033166 0ustar00runnerrunner0‚0‚ø 0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA30 100101083000Z 301231083000Z0Ž1 0 UUS10U Test Certificates 201110U permittedSubtree11B0@U9Valid DN and RFC822 nameConstraints EE Certificate Test270‚"0  *†H†÷ ‚0‚ ‚ጠ¥®ˆÖÎ^ÊÙt‰ƒhü£÷á$«$„w%P]#Åm,îlD'‡×ªz NÛ ñ‹’Ö‡ÝÌ><†3,¬ÍÀ ¦ZjІHmQO €x¬U¶|©¾Ž5¦<Üa-g$@÷\IØÓŠG/7€/Ðz¤gîA¶Ÿ¶çü³(º‰Ô›'°6Ó!£¯úk Úm]^\ø‡H`ààS¦Râkì.¦yÙiÍQ—åÒd`·HÄ2}X:bך:B’-[öÆ&zº‰Û4 A"“’lldR̳Y%¸‹W™B sÊ?ÆCÜŠ´“žAlu’8øc búNO£–0“0U#0€'IäÙEúl˜”lüí Ã$RmUD0UÑL€FÊ=Ç>7cNËk35ä½Ãx¤0Uÿð0U 00  `†He00(U!0Test27EE@testcertificates.gov0  *†H†÷  ‚y+—B_ŸŽåÙ |³4°J ¢ÆHJB¹A&Çä<Ç6²yúÖ5E åo/É®8¿aHÓÁˆáÁ6uÂöl©£^ô#‘c.o V%©v†9~~´ä0g©ŸHÀÌ”÷¿L6ÂUSóóM©j²U2ÛŒè²ãa¡Ñõ •ÍÙL~Xã;ø TÜ[…§t¾H¨Äã‘H -3úæãðÍA%½ªtƒ¤Öý´³)ü¯Ö­ˆßþHÀJR}T{+ሾ1J3¨|­™# ~iBÚå&én°‹íÚ×=ìÚ\¿b‰Iæ|Ö7¡{±EjWðà;eȯ+ 梜yÙ³ŸjÇ– ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest11EE.crt0000644000175100017510000000173115161577363032500 0ustar00runnerrunner0‚Õ0‚½ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN5 CA0 100101083000Z 301231083000Z0Ÿ1 0 UUS10U Test Certificates 201110U permittedSubtree110U permittedSubtree21705U.Valid DN nameConstraints EE Certificate Test110‚"0  *†H†÷ ‚0‚ ‚ÓVŒ>›­õÓm€ úà¹ä¥AÚ}A‘·M6œŽ®¯^í‡&Ñâ!€¥r ·)Áä­M-xèLÜà¸ÝF¢‡çRëÿ¤ }{òÈ™~°#lnÏ y²_UÒÖv)w ÞB¸<ãü$˜;I/Rß_ŒE†HÉËa»øCRœ¯i-+B&$k9M–1)‹…jÈíx£ ²c›¦-”7¨·=¬©ŽæÇÒ«ª¤ÝÕ=h» †RHTë»h)gb0WÒ˜‰¥dDŠi¹±Æ4Èi©/GEס L‘ ü¡9]ñ8Ž0V#C8E t«¶]ºé°ayö‚ û÷£k0i0U#0€ºŸ Ê9œNwZëû•¬Ó§J]'0UËf9 ê³ÁØ$K¨¿Ëi(4 ¤0Uÿð0U 00  `†He00  *†H†÷  ‚Êg ½kFí|,.Ôc œˆÝ ½“Z¹ò*#îc¦#tè0ÔÀa-7¬Xr,LkPÙÀ†"¼\ô¹.› ž¤×#k/¨Âù¤A•öÜ ¢ùÔ[Å·w Ã©´VK«o™Ww׊IrpWݾðò¨g‡Žþ Nk¯eç5"¦-Á€mÛó,ì;¼nï¨ K@Ç@çµeIªÇ¯ :Ñ^X,ùÿŸ6)†€…·]SÌ#ÇdHßoEanøg×~Trú§á|¸nñ{ðó'ëç~aÒ‰e3§MÜæ’ <0ßð½¾WXtŽ‰N8 =S././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest14EE.crt0000644000175100017510000000163615161577363032507 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA20 100101083000Z 301231083000Z00‚"0  *†H†÷ ‚0‚ ‚Òøâ4ò®ÐW¢qª®YFe~ªN žFæjwF®–× Õ:f„´„Ö˜$6ÙVˆ"îþ!¢£r¡M,»ä[&æ ‡ˆþâ8¤Z‚»Ò'éIl>c¶RÜ0п wH÷n'½ì¡Þ‹Ø©a¦mM@ýD=‚)'R‰ò8ïe9ÊÛO+\´Ïf‰š`Š}—…ª ,‡UÜ©ëc5µ‚èzÄò““®Æ 9Dr• à´›Á­OBóᆠ“P`z’CÆ ê£%y=õÖ ¯‘£~.·Í"¬ËÛ±*…ÞcÔZM{j·ÂynKöhÒÄ~±ß¼ÔÈ”ß;…øÂ%1=‹Ížøø±_£¯0¬0U#0€¢/Xƒ[L•—·îö‡´—àà—0U_.•0ñL.€~óê­]y¢ð8·0Uÿð0U 00  `†He00AUÿ7053ValidDNnameConstraintsTest14EE@testcertificates.gov0  *†H†÷  ‚ÍôOIâ ÜöŒIN`¸¹È‚Ò€çÍ£Âøª¨Ê<†™–ì/†ÎŽ›÷ùï¿w’ä$ãÖò‚ߥ&ÀèœBŠ`ø/Hçæc w|Pû¼ÒþçR@uË3dï€ÓšÍ·?ˆ¨·³tFÀè²}…»Š¾ï°ÝwIbŸt]ø%[ZWX‚¼3 ðx_ßP >ÎaÚ¡‡+±„žlI:°BT ‹Êë!\l®‹îä£4ÉÀÇ°2dѺ‘…I ªàî—¡<ÔA= æCM*ï ÔA̧ô¯mÁ`"Î5½ Û›ð½0³+mÉ¥ÉöN3#¸Çã‹›×|æá7㟠¸UE././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest18EE.crt0000644000175100017510000000164415161577363032512 0ustar00runnerrunner0‚ 0‚ˆ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA20 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Valid DN nameConstraints EE Certificate Test180‚"0  *†H†÷ ‚0‚ ‚ÀœžAå•Þ¾ËkwTs1÷4`×<˜š“ª~ŸòMöÒ@¯gZ)•ÇâÕ÷fa:¼Yü—Ì_­~¤þúÌÐÅHP› o Â:3ó½ü¨3úôº‰ÚF TïŠÁ/ù6ÝÓK£FÜrWë"ÿ³7·ø8}e\Ý‹¼  ýŠw—zâÐ2† оÊ–ÆËZÐÛbÜji1…ñA%j}Í©f×^.ôÒþ0ÒEFÂi…2}t&ÂdöJû½טî;¦á†û"½#0?ƒëÐŽÈàºeÒMw*ÅNòäoÞO8ŒÛfº8ómîOí}FG§R µGךØ¿£k0i0U#0€Ìíj(~Þdêˆ*ìu¿¥.g0U´’¡ÏªtWó|8Gç5*…×x0Uÿð0U 00  `†He00  *†H†÷  ‚R&†eáëÜ2æ8’Ä3Á_\‹ãâ:PþǹÐuÚˆ²èö Ù‹v˜NÓ?£‡ÜÂЈ… M”OA(Ã\Or,^v_W¿î£Ò• Rño; Re>ù³™'˜+Õ*¯ø}EéË}2½üFlFÜu æóÞq|ͤˆ¦÷Fy‚Óáfe².úY¢Åòí{wØY£÷  ×zé<»¬.*›]íÔÎú+‘·uE‰p•-—äôﯗ [’å’øîo7мùôŽÂg_â~艚¤JD}+‹>Ò  äܬËìçâÉ´H~Eù24+'â  2ˆý÷åœFmüÒØ…è././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest19EE.crt0000644000175100017510000000167515161577363032517 0ustar00runnerrunner0‚¹0‚¡ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0ƒ1 0 UUS10U Test Certificates 201110U permittedSubtree11705U.Valid DN nameConstraints EE Certificate Test190‚"0  *†H†÷ ‚0‚ ‚Ù CxÚÍŸ·àÂpÔóc"[®â¾øž0”õØÜ• à ˆí¾yŸoi“ïrûZtp¡[¼ ¹½8MkqòüzÔÒr$Ș7J­²–[ì즚­Ð/œÜW6À’\UC7L£¾)ŸùªP¶’Ø­…C©¬ªeMw ±Àƒ¿1$Óž K•ë?€°ÜµK,9í¯v]¹ãˆ° (E¡Ãeðñ ÐÆõ²£ €3ï¦Ä®4ᤠՈ4¥K±ÍáµXzØÆü† #Ž>©J« u X½² üKþ±‹^sFç¯Ô£ Ôx¯±ê¦Ÿ S.êü.É ¼Þ3ÔNˆI£k0i0U#0€EîÅÿãÄÇ08L[Ç]T™rÀ¸0UYC×âµ’Š¸µ)­æZó?4:ú0Uÿð0U 00  `†He00  *†H†÷  ‚ƒÀv9ýæôJRÅ8Í™Õ&8Þðr~À”ôë JNíA½ï±Ù®‰]ÑîIÖ…aLV XzQúô€Içé_ ‹ ïuÜS›½9Di®²Ú 7ßQÀqÓ8¿‘å¿dкlóÓ+w5Éì2e¿ÿÜV‘Lßý:ª'P4ÿßBÔ>Ït§sáQæ°jTõü—:oóežJÇeaßÓà ç~ˆ˜r#ÆuL¨µVRãïµ½^ ñ­ÇP oÁ?¡K6¶,}pÞÓë3)Ú#Ž•X$]Ÿê8Óqè-2_²°þd°ƒq[´²õ¨ä– +¾ê¼öš;殥†›žª–{Ø¡}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest1EE.crt0000644000175100017510000000167415161577363032425 0ustar00runnerrunner0‚¸0‚  0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0‚1 0 UUS10U Test Certificates 201110U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚ÄUÍÇ›Ž‰=M¼»¥¿Ú÷™ÚDŽáL¹(Hác^I#ÇËc2‡BÔÎÅjh1˜ö]w€2“ù/ß¼ñHÅKt«]º©\‡@ƒÏÉ:ûFI©ê¹Ê7µ—Œª€Þóñ†‹sÂwùÍÜʞ׳¢ón™dˆÐž]ý!t”‡¥©WIéÖGÆ¢ž÷ᦂ©„ÿˆû†YW T;šW4i|b¾‡Æb8ÏÉf…Ö”Ôpºeþ 6^’™) ·ÚlŸ_„Žn•ÙÐ5,ÓC͈¬^ß(6 ˆPUiòÏ#¯Á]2jÎ%´Nª* ¾I¢¯·Û8Ø?MÅÁ£k0i0U#0€AxBFÍN¨‚çá9ß÷©À üï†0U]þ õ¨ò ”Q:94ÉE ™’0Uÿð0U 00  `†He00  *†H†÷  ‚LÞMC!A¡*yý‹,ÛãøÓV@ÁÐUr>ض/Dœ‹Að%¤KX¾þ {KÃ)jà› BïwV<’Ö¶E?çwöÓÊ1 –8 âì57ÖeYéŒÀ=îý+ŠÿÊg<à Û•ˆ³{ÊÔ‹´µ¶˜.Šÿª Æ ±õ|5+êð*U}Ä;èDº2Ä‘x"ß230^Eì"ÿéxÎŒ\ÃÐœuJu‹z³K.-ÌíKËÒ$¯ˆÓùIþ\]ÃÁZóÇ‹\Û^ø‘ô9Ì0À´ >$¤`®ó-Üû%÷}=úJ_æÖšL¡x:àÛwa¤f¬?Ó¸àÄÏs././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest4EE.crt0000644000175100017510000000177015161577363032425 0ustar00runnerrunner0‚ô0‚Ü 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0‚1 0 UUS10U Test Certificates 201110U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚ÌkPÈ"ë¿ö;ÆùPÕ+ ÉëäLâ¿œâJäk ±  MÏÅÁv~èJç#_9L*y½¢¡ùïß@¦VXœ¨ª:‰’àªR‚ãqŒÖSî2§Ã¤à’e‚sÓÝ ÂðlJ¼–v-´šÚ ÙQ9C „(Co[mI±w´ùöÂÓ5pØÀYâ,>Ôl£_}?ÉîÝ";¦¶¶;Ö —QCo æëDÑ{²-Æ=qÏR“üiœ‡oÀà« ¡S¤Z\•?(<û"G:†ëîå#²ËHÔ8⧽Ý0+îû&×öaf’ô¯ò̱™(·‡£¦0£0U#0€AxBFÍN¨‚çá9ß÷©À üï†0UÖª»(Ћ$‡¦=•¸…Óp0Uÿð0U 00  `†He008U10/-DNnameConstraintsTest4EE@testcertificates.gov0  *†H†÷  ‚Âí3—=Uy·¢Ò ¡b­‚F¤¤æ!~n”Îÿ&¨Ý!ÒµÚ€×G[Âw<°ä·ÀaPÜj/‹x¼1· m¨ßþN¢„=®ùH¶´o¬†HŸÕ=dˆu_í écg¡Ð ß«ƒ¾¨´¾2Á&جÅT~²=Þo¤î¡²æ!wdî±³‰#JÃg¼ªÙ‘ènzƈr¿ !6覄AdLN)_£UŽy?Tív‰Gáüœ²uî«wLz^»ÜKÐJŸ`(\˜ô¥$´dSÎ.–%šÌ“;ñ±Ô¤UëÒ{ÉáÌÖÀÙõÙVÍÿó–é:–H`AKÙaLSv³././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest5EE.crt0000644000175100017510000000212515161577363032421 0ustar00runnerrunner0‚Q0‚9 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN2 CA0 100101083000Z 301231083000Z0‚1 0 UUS10U Test Certificates 201110U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚ç}&ºQù]µ îÉB!—¨.Dvóýõ¨…ë!Ü㫱Oý©oâ|ü‡æ„N_n³Æ ¶{¯WцXÒ–Ù³“¸•â8 ¢ Ý™ó0ˆŸÕèد¬eþà–û½ZÁ+¢#]BébIö1aëëPñò·ƒ“3Ý»røßU­¢þˆªsÚßQL•ïJñ=«8S¨Gª âš÷‚zk*‰¦wTGó 6… ÜËt?ˆØ&*Vù×EÙ^àN¹Ò¹ª0×åµõwÛqr¬8)kC¨y7£ 1KŒP²‡­±u¬û6$RA»/~!ªtGk²²›½ J ‘å$• zô-£‚0ÿ0U#0€£WÙ[]³`ök‰Q+‚à s¨{0UÉÙ€–¯R+)~, GZ(Ã0Uÿð0U 00  `†He00“U‹0ˆ¤…0‚1 0 UUS10U Test Certificates 201110U permittedSubtree21604U-Valid DN nameConstraints EE Certificate Test50  *†H†÷  ‚~¼ÅqV¹ž§ß´ñ Ÿ9U$¡}Y®[VÅå$HG³D@ˆ—9 ã½½AR®¾ž‚”‰M¹s"½Á¸Ñ2—7ê§ÝP ÑzåfB \‹âÂ.dTd1‰+H~WmH$øÁ²27iÝh¸X'KïÚe6 ú`JÙ°ñËcH‡€TLÍÆ2þ*í›3¡}®0 )´&ïlA£ã“ƽ÷”°gŠ<¸ä$3â#âUäL“=ëjì„=üØ·˜/Fž³AB!õy‘w‹5’Ökµíû¤uT©é vD*MáÉ« ýÃòw‘Ù¸;ùYÚ0g Žõkî;¯0W¬îl././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDNnameConstraintsTest6EE.crt0000644000175100017510000000167415161577363032432 0ustar00runnerrunner0‚¸0‚  0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN3 CA0 100101083000Z 301231083000Z0‚1 0 UUS10U Test Certificates 201110U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚Ïø‹!÷Îô¤„¶U¡£4)ÄîáÑ4UŒ&¨^Ü‘Óè 7¡rZ¤²€ˆž•‚0©ó{Nütz ºšÛØW.?b|ͼñnS‚#Ýwù™-Ì„}¢X’2|~k<Üáÿ=¨{”UqBKî«Éh±:Kö^U튋_'ÊÉyšnŒ힊‚{wÿ[òwˆÐÍ?Ù¾wx ê%I¢'¨¾«, 6“éüà"¾éÁðÙæT,†üѬ%¢\_— |ÑñÐrPŸÑå8E»—Š^–'‰w Aɇóì9ê&-ħ… ´^BIWȘmË_áx…aþ'Ã[rôJGîLéY£k0i0U#0€Ü[¾Ç7Y¤Š@t| E;nÃõMƒ¿«§j×—9wþ#Rƒ’©N¿S‘*'<ìÛ„d…Ý"’§•/«õ‰Tle*‰ˆ SÖy{]üpÔ£¡-ÀÏø£ "€£ùó—LdÓªcy·Uy”®(@|c'\Ø£k0i0U#0€eŸp:Œ­öCÈçUŽèKÛ‡â0Uo¯pÓí $Þ9¼Öl²ØÌï0U 00  `†He00UÿÀ0 *†HÎ8/0,_Õ O\E&e1¹,‚s–v gK½nœ?ë’oô»É€=¹*ó«¦././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidDSASignaturesTest4EE.crt0000644000175100017510000000150315161577363031501 0ustar00runnerrunner0‚?0‚ÿ 0 *†HÎ80?1 0 UUS10U Test Certificates 201110 UDSA CA0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Valid DSA Signatures EE Certificate Test40‚¶0‚+*†HÎ80‚䋯@Œ×=|î–hÁ èÊžteKšT—*x3Ú¥Årê4³”hBÕýwð¨Bžd“¶Â1Fzi̘-V^#_(¿­Ði•b\*^ŒsI~ý"ŽUåVé®r)–‡'×wCð†¸ ¥ææEyMéúS_Á ½~ÅÀ?äüóLå>Ë *TlÐgl ;€fÔŠ ­þÑ2Ÿ¥§³Ðêw?ël¢ä)Øؼ!Ýš÷Ìå´wMßìÚ¢ŒœuZþfÓÂï„C쩈nLºL?5–Çgü™½™)‘NØ®þk¯PVª/µ*Èî"G%xk!Ý?Îð÷–œA»^D’].ƸÍiÈ?;>ÐO¢ÎÙ„€,¸ì‚4a·cn=í/&%ÈÂs>Õø‚ðÐ/„Y`RFS5¨Sd8ÖðM1^•±ÇLãå|mYW!°ÁÏj¾|¹_Ä_aôɯHިݺ㟘²{qDÑøslw[dSȘL6€"B—~2Q¨ˆê÷ª¬¡l£k0i0U#0€ÆŒtè{ ÈYÇ}<[TY`% ±0Uœ{ÂOXƒõ†\*àvm¨MÜ60U 00  `†He00UÿÀ0 *†HÎ8/0,yµÒûeßÛÕÀyb/Ô²d<ÖK‡ uO»”‡òº}¦È|’mè„././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimeCRLnextUpdateTest130000644000175100017510000000166515161577363033570 0ustar00runnerrunner0‚±0‚™ 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UGenerizedTime CRL nextUpdate CA0 100101083000Z 301231083000Z0s1 0 UUS10U Test Certificates 20111C0AU:Valid GeneralizedTime CRL nextUpdate EE Certificate Test130‚"0  *†H†÷ ‚0‚ ‚¹Ý¶ óÁ<¥"q«Ð ¹{ç-­¹iÖ°ô\h±hiÎy>{€<<¾n–ÊgpCá0î])´Ÿ~|y&âM’8ëª8j÷a4üHY~dË=ûû#É£PàØâÑë^åŒ4<©eÍ"q MQzZŸž:ç]d¸:yUˆ‹ov‰PX™¨¸ÖäØ©`™ÛÎó’êµå•6Û¸N¡Hh"ÞÁ çsòB«ß­Z' ‘¦ÍýZ¼OœVßÕÀ'Ô *¥êþ!‹zJèF¹ÅiBz<ù®¤óÆè^m¶, {Ah…Qí^̱Ùåˆx­{Aj`ØÄç@“Q˜Á€'Œ›¸eÄÖ_£k0i0U#0€~*uï 6ÇKç ÙaHGŽƒ,0Uãß{³½Oä¸ú±]ÞÙ© !Ð0Uÿð0U 00  `†He00  *†H†÷  ‚9¡ì-ÐT~`'èqt{çkâ¡hÄay1ÓlÏ}ñŃ£8 –ø¸¡¯=åÛ6wyûžÓ €ÜŽ¾‹úK-#ª}Ü>Ô·Ð`\îŸ,Yí+ï0Ã×Eº¦+Òút»'¾-i´ímÌU9çFL½ ࢜÷‡?¨ëpz|Cþ'=b­Ã80tx®Ö™B»¤»P%¬ÿÂ)ˆ†Ï$Eú`]eeÅÅ1é¯ MBû_[?4$éÆ$:~.òÖÃú­ÙUÛÚU=ä4fê¼>Œ–°/jÛ,Í€+JA,T.LcÛeyK‘7y£'WÊ././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotAfterDateTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotAfterDateTest8EE0000644000175100017510000000163515161577363033621 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0  100101083000Z20500101120100Z0q1 0 UUS10U Test Certificates 20111A0?U8Valid GeneralizedTime notAfter Date EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚Ü›*W<‹8.gB@æ#KùlÅÿ÷O(Ž¸è´Øv”jéøâ[ÙÁëýaífæ"NžâÓj\U>Rz%-ãáìP²Ÿ),-&wçª Ë£ ?A1›@'óÚÈ›ÿSzé™ÂE\\B÷/"”Ìî©‘•ÑC‡ß»UX£Ö¯(%Ú§BáTJ`S´–¬zë«lV–ñ{¤á ¯³/ÈÍ­©¦¥` z&…jÅíYJýŸcˆë{ÖŽ~ë½N2§xq’Q_/¦G¥C0Ë» ~¤fä¯êÉ€&Œ19s7×@âÇ­b‰•{'¿~Ë&ô‡§É£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U1=æÉ GëÀSÝ€Â;-¦¢Dî 0Uÿð0U 00  `†He00  *†H†÷  ‚p1/+øÿ‚ÄÓh2ÅÆô‰¹f2ÐÁ Î¬Ta§÷)_>;Z§}T1*“éò êQ\;¶xè[9i ”ÛÌ5öE¤Ë<ÙÖÚhà´£·ë¤Éºtvßân;³§·çù\£¢Èû`½W^í^™3bÛ wýÇ_”ux@ãôù¬:þ™‚}BGÐÿ|Ï4€üG7|„vÏ×zωEýÝÌSÊ5 Çô·©úâFï˜åÙÂ?IFBw†ä Þ‡üF³Fʤ:È Ò7³cg™åÚ#àÙ51¦˜fi¿fyüÝó-^ᜆ}ºbPÐßÜìÊœ„ä././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidGeneralizedTimenotBeforeDateTest4E0000644000175100017510000000163615161577363033652 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 20020101120100Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid GeneralizedTime notBefore Date EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚­^ ï0Uÿð0U 00  `†He00  *†H†÷  ‚uŸ%&^ø<J/ŸÃ/| ‚9mšë‘eäýß|ä$;Sk>5TD ׫$×o6ãÌåo¤'¥ÃÚ2o4$MCd|‡Ulm_!ð3Ï„FO/ÚŠ†-‡Ö­ˆ–u+ º‚RåÀqü$;$ 5JrŸd)=ŽíÆ3¯óÄ•ËOÛ¾‘þr¬»Üçôû)²Ø&?Š´Ìÿ…ûX´¤HlÏÔG‰?‹¡ž—Ÿ^rTCÅ—ƒ$è‰8L¥ÛW"•0Sëí  ܼ9©Ï¬×iP Q|OÝ7yþ‚ï·O9ƒÆpƒÙiA"s’¢«† þ˜A‹&å:=“êD]ŸÆŠæ®././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidIDPwithindirectCRLTest22EE.crt0000644000175100017510000000163315161577363032504 0ustar00runnerrunner0‚—0‚ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA10 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Valid IDP with indirectCRL EE Certificate Test220‚"0  *†H†÷ ‚0‚ ‚º‰ÚAWÞ¸]f”à?“®«¡Y5uTðwÑaã…*X+FþʆF5…Žà~ùq…QÝÆý–>«_>UƒOT$øz 2ûÝ£q|9tñõ«ªÓ”¤JºB±–‚«a‹Ïd{Ðn['ÜHvév©n«­¾ùk§  {¨uýzêê‚5D @®˜ŠÛ@aƒåµ'-K”б‹Æ?ìø\ßk’Ë?Ÿ=pZ4mL›–A>õ ¹ âß Ûj9v]ÙÜz‚ ñnRuªšøúQ‡»…„]¦4Æm£k0i0U#0€%ø¯ü¯¶©yKÛËd,‹K±Í0U ®Uµy÷ñê ]qKˆÃS0Uÿð0U 00  `†He00  *†H†÷  ‚RÉ¡ë(xZäζŸÓÌ{•N®Áåͽì…î$hÉ(Ÿ¿b!Ü•V¾)nÁÙýÑ‚S²Îy4\•3“ðû¥î°6è1¿ ¸y°}5fW˜ôZ½ã:jq•‚îc³ˆ cY ô]«Î„¡É•O„tõeò‘-ÁŸµêh ý£Ç0Ä0U#0€ˆ#á³³òlþ1©¾‹aª;’‡¤£0Uc³åæœObìf ªQÛþI0Uÿð0U 00  `†He00YUR0P0N¢L¤J0H1 0 UUS10U Test Certificates 201110UindirectCRL CA10  *†H†÷  ‚%—ˆI"MYw»3]ÿGµ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidIDPwithindirectCRLTest25EE.crt0000644000175100017510000000177015161577363032511 0ustar00runnerrunner0‚ô0‚Ü 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA20 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Valid IDP with indirectCRL EE Certificate Test250‚"0  *†H†÷ ‚0‚ ‚Ê{ ƒ9/Èþ=}#[xÚ:aTІ[þê‘ì¿ø#ÙJmØ7±ï‹ñMP¾øqðóY@‰ú×/ë!¿T‡ÐØ0ûo2Á°8«e–ïßý'NãÙÿÖrï·îÙ-£+OZ_]ÝùõÙ¾îü d/ÆrpÄ~Ò#ÆV†çŽ¹»iDêQvÖ«¾Û^Á8ïü؈pTÐ âYµ¬Ò0ú{§V>胑n¤6aw¦Y¶„ÌˇUW¥~Ñ4kU.‹‹RÜv¤,»6Ù[$æ2nÕÒ9?°qÚ7\®]ê§"|É£ðæeÛUçûaûådp8CËcAOS´N|€¨ ÒvZªðêfM‡^†Í£Ç0Ä0U#0€ˆ#á³³òlþ1©¾‹aª;’‡¤£0UµŽ@âfÃc¼£‚ê~º\Ý0Uÿð0U 00  `†He00YUR0P0N¢L¤J0H1 0 UUS10U Test Certificates 201110UindirectCRL CA10  *†H†÷  ‚N­ãŒžEÍý‚Lkó‰2S!;“ÌøÓx3½0ͳ¶”Ú4ñÙ[Ï–Ä™ùÛûšØi¡wNù+EÀ,ö¦zWÌÕòWŸ——Šã¿tZfKž(M+†Nƒï–=}︵ڕ‹šÑNÈLC5­)Á€2AËðÑ+° u‡¹Ùæà ¥”ñî7ã™hÒs$žŠ# hNjBŠ³ˆ`OO¶U• m©'fjTŽ´ß!‘_¥âÝI¡¬ÈßS jJ*òçwºðì¤]±ýˆA~²ÙÞÉǬÇâ„øê0ÑþãðUu€v"áž÷øÐé/Å5⻤Méa"././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidLongSerialNumberTest16EE.crt0000644000175100017510000000166215161577363032326 0ustar00runnerrunner0‚®0‚–  0  *†H†÷  0N1 0 UUS10U Test Certificates 201110ULong Serial Number CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Valid Long Serial Number EE Certificate Test160‚"0  *†H†÷ ‚0‚ ‚ëI~S?ÇήI”͉÷ùÀÞ¾¼zó53»Õ5ÞÇöYü:‡­4på3á½Ôd`êîgL©33{SqÂsÐU”C‡¿*4Úܤ e4¬R€ÅAvTýÿÒß¹:!ñ{NôJ_=3c9ìß+¢]Ûe½ÃÈm¤Œ[ra‚wä:J•§!¸—„ÿ«%t‘¾ád-Lù¹ÓXˆÇ8ß#"‘Uð™‘ÂU/脽öK?¤Òåƒ+ãnå¤> ”ÅÒ5«üe{-mæ*•ð›ãYÓ«iGÄÅè¤UD´8^øwØÈ­ê¶!†èZFs¹ŽˆÇ¹J¦Ã½ò>×pŒ¸;½ºúÔ¶2’dÃúJ k,Á²ð ¾À÷qe_&º7ûÅ»¿¥Oò£„”ëxÜ&JÁ|CÈÂx. v¨O¨g`Ø)w8Ì­[C,ŒŒ ý­×Kœ);Ù^Þ»†ág‘tðÓöï1Ý-0UÙZ- o"2dYŽ iį¼SQ¾!}Þàr’ó¢)ÃéD…+×û…EÙ¯Žl$™íö©Iúg Xæ®Ku”hOü` ´CzÉb ,¥././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidLongSerialNumberTest17EE.crt0000644000175100017510000000166215161577363032327 0ustar00runnerrunner0‚®0‚– ~ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110ULong Serial Number CA0 100101083000Z 301231083000Z0g1 0 UUS10U Test Certificates 20111705U.Valid Long Serial Number EE Certificate Test170‚"0  *†H†÷ ‚0‚ ‚¼Õaìáì·‹¼'D±/vÙÿ1Š5›-Þ9 Ñå}ÊÕ–ã­è£~q_ÀëqüÒÍh̺¯…mªýq=.(7E Ç/n£±µIäqÊEqõy¥Ç#-Q'1ÆÂ].˜G'¬9ÈA'C-‹~ú4P1ŸVÂ0²zåÓ¯l3_Ù lp&;×5G>†ÆR˸•ka¬+þ>€£Û#ž% ZÄt¯òlŠ_À Ž>KN¢›™[‡Ój N~ÏOÆBÀ˜i¸}4—£€ÁúîqV)*+m¹`ªjÊŽ¶É9…o0`^á¸8ö!7R~å5 •›ù+;£k0i0U#0€ c·G®Â2oã:¸ê ÿ×d¤0U LSE=¦”ÎÇ1tgºŠµ» w0Uÿð0U 00  `†He00  *†H†÷  ‚©ë  Š³‚þdÓhÒµºÖ¸etÁ ïî§%ÓÍzøiü;<^í7I3µeT€Ã; Êw©}œáÉ¿ù˜«ALhÊuÝxfë°Ò.VÆü¾çAèâƒà@c0ú0‡i<ª3q¤Ñ`eYôaˆõƒíEû00cdøçÊ:û˜PëÏ,›x= RŽ‡»‚•ì ¸ ”¤0(ÆúZË¥Hì­THzV–Þ–iŠý!Ã2Õ0ÂÈs©Á¨ ‚ Œ±URäÇ}í././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNameChainingCapitalizationTest5EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNameChainingCapitalizationTest5EE.0000644000175100017510000000163215161577363033535 0ustar00runnerrunner0‚–0‚~  0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGOOD CA0 100101083000Z 301231083000Z0p1 0 UUS10U Test Certificates 20111@0>U7Valid Name Chaining Capitalization EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚îàAm.,´z&ž/XbyÖܶ-b$º~˜ÜÐ#ZüBøðãBû ɆÉRt0»p.ÏÐÜ*±ÎZv¸Šx{aþ!'ЃâéÕâ*$'vuIò‚œ"í¨[‹(4¿f<ØÊeÙp uKµr÷Ïú-ä¶ÁÀSï< (ç£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0UxÞšC«gxR¬ àµ#“à'cÂ0Uÿð0U 00  `†He00  *†H†÷  ‚n©[ò ÔÚÃ×ióqÆÌã\EƒVÇ‹Ý@L­5ç€tP­ûõ_ÂÆ„þ*åë×¼²ÚS^¡ç8ìjîi#-Å2Ô—­CVýžÛëúx³s_}ˆ_Ñ3*¨²Ú´Ž·"&À)ñÇ‚MæùüˆÉ7Hx,úï6uššŽZÓºÔ˜]Aí~ öË šäì#n7Ý·ißêsñÔ}9 R«jnÚÇ«]«ÂN„²šÊò4:¯ÿ1‰ÉK¾Š+wÌO‚,ˆ„‰ê5¤>8v…Þ–h\ÿÍn.oN ³Ý¸ ö·Ư#b@àðZºz¨gT²^ŸS‚Í…š•ã././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNameChainingWhitespaceTest3EE.crt0000644000175100017510000000163315161577363033366 0ustar00runnerrunner0‚—0‚  0  *†H†÷  0E1 0 UUS1 0U Test Certificates 201110U Good CA0 100101083000Z 301231083000Z0l1 0 UUS10U Test Certificates 20111<0:U3Valid Name Chaining Whitespace EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚±ÃÈI¨­)OÛ¾.ÿ_P|Ê‘ÏR#?³Á3Ÿþ™Ë‘ùYVtˆøè·$)›Éቒèvb{#^ É•€$d”wƒ](Æ¢Ó×AÂ8Ž›VN(†ù£Sí¶Q¸9ãNÌ.‰mÄ,zˆÞ|tµ,“ôjqUi‹{*÷ó‡5¬SÛ?KjEPáÌëø‡s¡ýg/ÂÅÇ“»}@Ü¡ÑgØ¡0k°ev_f~ÇÐîTÅÛt„h>Ì †]½Êƽ¨ÍDˆXšHžDƒÆÊ$²á @×%È[oØì[ˆ>¾¾Mˆ&‡äµ´ÝlD~À …ºéúR¯õ£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0UϸŠìÝ ºOá™^ÇÚBÐQ|値 ïá:┸LJHÝ”¥¦qkˆØâ*ÓM>o¥uœßHºЮ§¯_\7¼ñ‚Pâ¥DÚǶèßüøy?ÞQù²8³Ýœ:/C'&Òm!5 »éoà wqP阾¸;œU ŒØG‘Çgêà £<ÇúÈ8ÒÿTï‡aúV‘^ÝÌ6pcÙ„ðÍŒïðàÈÆMøPŒûÌ[‹¬ÁgBÉö^`8ò‚bH2æn›~“ËþQ‹(ºwÖ³;!’›¸ðøOËÈ”\ Ñú£åp§ÛCé?ÊÛÌ17µÈÃþ‹v9ßw½Þ®¿+HåÖ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNameChainingWhitespaceTest4EE.crt0000644000175100017510000000163415161577363033370 0ustar00runnerrunner0‚˜0‚€  0  *†H†÷  0F1 0 UUS1"0 U Test Certificates 2011 10U Good CA0 100101083000Z 301231083000Z0l1 0 UUS10U Test Certificates 20111<0:U3Valid Name Chaining Whitespace EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚¸-¯óça˜¼ [Àð£†+ؤy[1kTîËÜòÐDG­­ëZâp·Ò-Ýp¨àˆÊ ÍþïŽb^Yã!AßB"&mNN>È=ýÁÊúDÆóéus°1Þ @a!HιÜ9–Å™VÌË×ì>„ÔàÐ(‘3úʇ'Q‹Ç—ø&ê*öeŒÛ|¶:Ÿi¢Îâ÷akoÂ=^Aˆ`z~³iË’>’ö¶‘v~D:{.‹¨i(òZôÙ ñúã£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U›+¬ýy­þ‹å—HÀΩf0Uÿð0U 00  `†He00  *†H†÷  ‚Œc3½ûÀLP­7‹ð F Œ©º¬Ày$oÑÞV5ÇËãs7µŠï®£•%¿¹44•vu;ÌúP~`-mÔÓà„OÛØ—5R¯rŒ ·ÔœqNK" öòãß~béDE.dèc›ºmb®ùt»´ÚD¹ä˜ÌhQ ð jdÉ¥U•ùŽüRYvIôÀ™5¨R‹År›éƒP žØÎuâûjÁ¯ÜTAÓ¿ uÙ* 6Ÿ•+lçæ«})Ö/™5ɱRKª-ªnvãÛj@ÆF“ü¾Èý@Õ’˜M¡Ñ’C­´UŸuÛZ¡¿ØožþD—+ȽÚ¸:i7ÝâN¦¼üÌ.*././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNameUIDsTest6EE.crt0000644000175100017510000000160515161577363030437 0ustar00runnerrunner0‚0‚i 0  *†H†÷  0?1 0 UUS10U Test Certificates 201110 UUID CA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UValid UIDs EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚¾5ÓNÕIÝ »+Èm(³ïõ° çÏj*;à“‰wü“è{zY©3¶.¬b~evUý½:Jc_‹o …ÔU‡hxó]{•“nŒGdΟ˜4ÎÐ¥@C€:Å)8íBt ~Í!%ÆË5 êu5RY@_ÕÚœPëS3¹Åq`ˆ€ ]aÏ$ö§–b",òãa:5xÉ’¶ªsþe¸/‹ºß³ØQZ¸Õ7™ø"£à¢PìÉÅ÷íñ7E^Q’#æ¾›õª]ùõbRÙðÝôÀ–ᙣEà,0š@SÊFó·x÷j°Í(Ò 4S3—x[E¬nÃî,4Ôi… £k0i0U#0€?Å0ñØC6…y\Œ‹î/©0Uµ"þ#÷|PøgOÑÕÅìúxK@™m0Uÿð0U 00  `†He00  *†H†÷  ‚U™®—Z5¢x¨F®Ì‡¼Ìg±wÍ>¼€F·Î×çgý ­úÚÕ¹.Uª§Ñë]ÿº2Ñ‹%LGCoÇ*ÉÍ4¾¨Cd7`Õ–µ(©Ìüÿ½ˆ /ze¦œê8žÃ@Ç`x„d~®Þ°éñµ_HÊËÚ ‰q1À­w ZX–ÆFGÿIÂ/âš8•Â Ùçe—b® y¦þÆ—z7ô¢ù á© ¥¹ÌsèÆíjy6ÑB‘§J›i´€â ¾Ñדbˆ»ú ­·5ßöjÄLç$Ó™CÍó¦7¡ñ´iNE˜=ŠGz–*µ…p÷T¾¿úÿÉö&×A‡–Ö‡o././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidNegativeSerialNumberTest14EE.crt0000644000175100017510000000165015161577363033164 0ustar00runnerrunner0‚¤0‚Œ ÿ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UNegative Serial Number CA0 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Valid Negative Serial Number EE Certificate Test140‚"0  *†H†÷ ‚0‚ ‚å!5§ÁÎçPÇ[=+÷Éy¨[ |÷zÎ=“ÉF–К á^6öz¶(®K½Ø;Ð n0’"§,î¡„¬‡wÇÔé?‚·Ï?YBBÜ#`U†%éÙ6ˆV=Þðbö[`Ã>:žéB©Çß‹ëÚ‡òelc¦ÀïC¡OÜJb!Ð3öÏ]¯%ŠÅ<1›l·«Ïî¼ e L2 °|N©"™ÎiTBö:ó´ žqÌj]‚ÓÖÕ“µªîöF?që\G#Ý9¥{ßÍ…ß,Á“‡´¦µ:¡;4óì&Ñy6²ÞoJi9I ·©¿ ãQú§Íœµfä±jLöÑJ£k0i0U#0€bä.5ÆÅè‘Ð ÁÞ¶¯ÚˆÙ?0UdŽã"ºÆPæ›™¨&Tt1¡0Uÿð0U 00  `†He00  *†H†÷  ‚:#³qìÂ@º;¦r>A—xgx·bŠáÂÂ#µ*ƒý6x5ZDxU7Valid No issuingDistributionPoint EE Certificate Test100‚"0  *†H†÷ ‚0‚ ‚Øœ`8¸#af°p‡/ u…O#rsÆ9‰Ì…;‹VŒ¦½Á ð&ÈrmÂ#-R‘–Ì^š¶#f%”A$Ñ[ÍÕ'"¼O Øk'´t‰ ó…êæp3ðÉR+/Ü_1¶gô_O•¯h Œò8¢…÷Êpf«m{GM­—‡ÄIÜJCSb“ƒá?fBRa™Ngûœ÷«Îèk››8–+‚òÁ«ìú>¼ñ[ Ëžìõ”;DJ‡<¿³F±ÕûÀžŒ•Gk././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest11EE.crt0000644000175100017510000000165015161577363031661 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"Good subCA PanyPolicy Mapping 1to20 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Valid Policy Mapping EE Certificate Test110‚"0  *†H†÷ ‚0‚ ‚¾Õß„ïHd@i£7~fÔHÒJž¤•È¨ÓNÛRÝW1kšW ©F—Âáعf¹ lù8>tºb$Ùú±j†#ÿÈîgG òDóÌ=ícgè(í÷®70`¤˜RÚm5ÿ¨ßà›,Œ¸m©zÏ·_­Ø>~Ç“*M‡úkh7g°zWLTXT_Ⱥø9Ý°1…N\KnÉ\(÷F©ÌYu3´¨rlk!';;Cñ7qÙsaÅÉ#²`$P°c6¹·’«ãT2à 0Æ*ì?Ž"ã¾^™gHˆß”PÃblwÑB=ðcÖÁjxr0‘ÀšŸ#n¦îÞ®ô_Å÷£k0i0U#0€[sy™ã®ÓŠ¦3Nxä ±äÉ0U7þ Oy×qÒãõ» ³L,Ï"}ª0Uÿð0U 00  `†He00  *†H†÷  ‚ªIuâkÀ½¢»èn H©—­bÑTŸîª`B¢ŠŸ-ì*=liÔ…3‰69õî`&Rû>‘.”ç”gM¨‡¥ŽháùÓÂHæ<…x,Îm*/¼àÜ ?zMç\“®R÷.?«*é2¥P²P«$f?;í£g™‹zQw½«û?ú{³¯Kó|•QS¿{{ÓÁ¶ÌÖØÁ—='W'³ÚÝ£Íq?¯#x¤g½ä²}QDŒ.tú¼–Ó(e<Ñ€ÿ—§I€¹ªa‰8gn(÷‡¸Í sG~¦(ÁÇ ¹¾êó_ˆÚ#–“,!œŽFµ³¤BB{œ=XÇ µÉB././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest12EE.crt0000644000175100017510000000247315161577363031666 0ustar00runnerrunner0‚70‚ 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 CA0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Valid Policy Mapping EE Certificate Test120‚"0  *†H†÷ ‚0‚ ‚¬Gë¦ÚÆva O$31=,¯OÎÚÝø •×¼ûŽ']èËÏ0a9ôõíô¨ ¦è¿ËŒÅ(Áïm’Ð<1#í/Ë1ª×-ûÚ y‘\?m(œ]}Çñ~¹¥_g6!£î”LÔ׌D Áç6^ ‘ \5k­×¿é¾vø7·Ø$ó’èÇtÀ´ozZ@HïßýBÚEš¯ª"(…kuŒ3ËìÌŠúÒµKm•êJ½3=D–h韫<Û"uÐ`mèô´³>e ññCI‡Ræ"æÉå>?[?ž ¡äQ…mŠ ´ŠÓÅžS¶W¹“?d³‚oí…rª¶½¨1K`„…„Æ{x¥ I‡Ü,щ‚žÏMàWš”ÁõŸ¿ûLZTÈýmЪ—Îò„Ôñ¢DÝ’h™7†dÁˆ46Žv+žû)±ÂñyG£÷éðÄ?JaÊ8zªþc_}ìÒö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest13EE.crt0000644000175100017510000000164115161577363031663 0ustar00runnerrunner0‚0‚… 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UP1anyPolicy Mapping 1to2 CA0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Valid Policy Mapping EE Certificate Test130‚"0  *†H†÷ ‚0‚ ‚¹é³ýfÝVŽ¹bT³3©ø –4HÀ—·ÉÐÿ+/6Bìnjj†y«§ Žg-µX‚ÄØú25@¶uR4ˆóô1ûsD[ÏÕ‚˜ÌbIô}NÅ©ä³Qòb9òä&ôE¤©2å#Æ ‚*AášH¤¥TÿJê]<á8rÖ¸¢‹çXê¡n+ šÑ„Çe<žUj+½›S}¼ò·‚‡1•ÞÝqòïüOŒlyÞ™Êu>ÓœÓÂ|Í—Ù®ÞeúÒWÑ·’Qã§}q¨¯,ò8w<ÆA¥Ý„y=¢_Ãß>ĸí+_ Û¯£©'ö÷ÔT8­l$1"ïIeê©íU¥£k0i0U#0€((2ŽJ„ø¸‹Añ]{è%Rk†0U<@CÏé ì•¢q¢qݦl}P0Uÿð0U 00  `†He00  *†H†÷  ‚Jí©·î|YDËŒöõ¥~%Cã`Šcñ~Ðuæ#Ù{LËþElRN”EÝkq-T Z9jĪ~U7‘‡s€ÅDvãlÞwä+É Y"†‹šŸIßëσõ€È`Ù“Ëúpª³‘DÌ…¥ýש#ÒÀÆõMy€±|¯PëLÁðlþôó6KÏ‹eEž¸…wlãX(sqxönåžÂƒõ³ ðèÕ}äÓâR»È,Ò䧙è3‡¶uz7ù™¾pýîóä\8›¸™&Ü»ho9Gж uQŒæüUn ÐÔÇy-Ï,ÙPxäÏÚÃsˆl厖üø ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest14EE.crt0000644000175100017510000000164115161577363031664 0ustar00runnerrunner0‚0‚… 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UP1anyPolicy Mapping 1to2 CA0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*Valid Policy Mapping EE Certificate Test140‚"0  *†H†÷ ‚0‚ ‚Òi\ÀÜHìÏTƒx"š°3„‰X§R²Î||4Ó#Jì}&20kœ‡>ÓËùèmÇgQÙÙçE(túÕ ì¿ *òúìx±•Í¢ Åâ|fHڱÿtê]«Të×= sCšéäÌ=áÐÿð§ uvÓØG^—'k¿q ! ‘Üë/%œgù&Ãq+ŸÔ.Z{ ·¯S†ËÕ ˜®ŸmÔ(}¥À¤Fð”éL—1§iþtbï—ÙÞì^ífžþ[¢l€îHƒN‰2£ ø++ŸèàÇ C¬ „Y[êlˆåùsÝê'lô¤Ð"¬Âp“5λ£˜ÐA6„i£k0i0U#0€((2ŽJ„ø¸‹Añ]{è%Rk†0UþÛhÊÂ3Þ=;@<âÝ ø ±®0Uÿð0U 00  `†He00  *†H†÷  ‚­øîÈ®oؿ̵Q­™!üR9£©7ô^ÊðÙ²ÝÚ20{Ôž“¡X•Â¼|ý¾W†¾j:il}Å+ÈêßÁP‰J•ÀÔö7ÓRàD‡jï†ï¶>ìiX鸲>ìUÐÃ*_\Ë–~iì 53SÍO‹úCÕ­ ?¢< ð’ˆV:³—Ë4~¼ó—½þÿE|"ò¹ÓîàIMJK˜'Þ*E/£ýä YžA÷X‡[ÊêSš‘K’ /n5ðNÀBVŠ68–üOdˆ°sË. eƒ©sÉ‹šRt…/Œò 8¨ûɧïA­†êF€§~SS, FÙü`ë¼ Àø3ž#îS././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest1EE.crt0000644000175100017510000000162415161577363031601 0ustar00runnerrunner0‚0‚x 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UMapping 1to2 CA0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Valid Policy Mapping EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚Ö¬8Ÿè`žÄf¤(oG' ×\ÁŸZþvy6Š6‰Œƒ_Mj) &?â=ÃõÁÒ#dG)Ó Ý;’”^ˆÕä¤^åWŸÎëx~ô0GSé¿tk M¸6$ö¼L†›{Þ{e~¬W€—éí:dXàæ‚r º—ØôGGØ-ÿ þÃ@oQÞÙ¶7Xºtï!L@È›Œ<±5{6f«éêäËÖ•0%Á´DœµàHµZ/DXÔê A»1Nú%¾ª*Ü”ª„…ä®yz3ØlžìÃHKïc/Ìm¼áaª×^F“–Þ]žr~¥énØ ý£k0i0U#0€™ÅxiË=3v™¬Då°þ¹ôÛÇ0U•¢<ŸÁÏŽh º|ª@?WXÞŠU0Uÿð0U 00  `†He00  *†H†÷  ‚«½¡+ðªQ >Ÿw$$™­R»³™Ôdz¼µï³ZBoÄXd].‡NŒHC cm3FGÍ|µQ*oõß;Ë©Û(5Oh$( *SâLËUy0õ«95x5ÊN-)qðÉè³îLsYô')”™ÌàúJ„)= ÿïTëÎY¹¡Y°ëô 硤²§êJ VbšÒ› p‚°gÃV´à?ºAÃC²V®bÉ_»HövEWöµ[«‡»þf!ÑÉÖB|kþÜêÞÝŸzüûURTž0.ŸÌžÅÓÀ@-瀜D™½ÚÚR先ѱ @xÊ• Y¤Ï}-ÁÀ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest3EE.crt0000644000175100017510000000163615161577363031606 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UP12 Mapping 1to3 subsubCA0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Valid Policy Mapping EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚Ðh~¢PÉ´2†ZëÅå– »÷œƒ\-ܹN×ÐÃa¯ Ãýê¢W.ÍÅÙE@†Hµâ—WXæ‚Z"ÉEmÝ r50 leïà»qâs¯®}iä‘6}Ú«kàxÌç¼ò‹øê§<š\?pü(¦Ù %czŽÿ£¼_œR#u f_¯Bžii,•sGtdNˆsTc;6 1¨ün² r|¹o×2“—È Xù¹véßNE-P XQ KB'6&e´ž| ×]ÂÐPŒM\Iƒçê®jÂãAÏS5ÖðwL!S”’ØÈÓþIùéï?GâÄrÀ£k0i0U#0€]9>åª*^-ö®h*­3›=›s0UWr¿^¬ÆxÀŸ”F¤þS¼Z0Uÿð0U 00  `†He00  *†H†÷  ‚M>ZIµ©Rhm.‹€.Úñ7Ø+„/Á÷:-ã½ôD!üÃ!db± ÙÕ×"ª1¦-¾|qëe5´ÂJÁpÇ`Cm‚· d5e÷EbócÝU×÷–Éád[²§ù(“¢“¬ñniÔ…÷õT(2 Úð •ÃÚi½(¯`G¤rPŸÌn4’°ê ·»°ñ²í¶Ê_¼ÞÞõsIp%*]Ú°Ø ÿË*­©ŽqGF:ÞaÜÐSª•jÍq‰åô9ÚÑ€`âYGO¹åæéÑ5 >«j!`‘³c /÷‰!0)U…6•ÿ…ÊGPòUmw†áô#±¼kŒAJõ¥ vã././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest5EE.crt0000644000175100017510000000163415161577363031606 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UP1 Mapping 1to234 subCA0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Valid Policy Mapping EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚¦ˆc p6Š0¹ŠÓ)%UÓluá‚àðe ¦q&9fvœûŽØiÚP:ÉA»|+±L§‚Öa’9èøÔüüÍ9%ÂýKC˽òBI³~9ž€#”Ÿ-ÙÓ)s:ÍL( œÁ[ö¯ûÀ»c*¦:4µ£k0i0U#0€å•ý*9x¯ËFö@˜e í»0UK‚0õ2©ýúö†Âmä×3¿ªíQ0Uÿð0U 00  `†He00  *†H†÷  ‚Rú…Þûâd’¿“Z'2 ÚšU«v ãH s/ûj.LëRÔÈke°-L>Ýê)OvOÆj`«VxóyX;™íc¯Ù././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidPolicyMappingTest6EE.crt0000644000175100017510000000163415161577363031607 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UP1 Mapping 1to234 subCA0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)Valid Policy Mapping EE Certificate Test60‚"0  *†H†÷ ‚0‚ ‚¯†â±W£¯À†¾ùò–‹nˆ|Wvhc t1Óýbã ÖÿùÒÝ&V)œ†A«¹u” È@X˜4†g©Ý#ðj™6Å·£ÑBýZîngÇ¿˜ž° §ûø#k»:~Q¯¶äcBmà Ý:¨ÄÔÕÖEþzôÎâìÝ€UVtÓX¹«OÊë«Ž,—#žmðž]—•bí Ë›i‡I–Ž $óÄלë\ðq/‰´¤UäÔpLƒÀ›¥R1f_óHA{Ë+ç.ZK qEK08mR·JÈÙT²Ù§5‹3 ÇHž){ )¡ø$ÄŸgš7%'ÊG´5\L¤f¦Ï£k0i0U#0€å•ý*9x¯ËFö@˜e í»0U³_ÛAž ÛQzÕŒ;ílÿ k0Uÿð0U 00  `†He00  *†H†÷  ‚iRy(DpfXFº`é`$sÁ®;$š˜¶ɉƫ"Q>™:§âdŘu!#Ÿ:Ûß‹Ð),Ø;åkØÍOw¹Ö}ÌÛYÉŠi­©ÃíÏëø¦Öî$7]2U¼MhÒI;l*Ž“mê Cçk$ì,fh›«¸œRYšºøB²èÌÞf%Ô<箌6±¨íê‹ Ö*a!“ 2‘|.Ï©õÊgs8µ-x«Ø ûC0) }²fkŽ¢»4¤s>¢ŸQÚ5R=†ÿª†s–ùãW•UÄ‹|&û:¸œôs¼.íÇ&Â=}J7}„Ëw§†TgÕÞÁǯIR𠞊‘à~~ߣk0i0U#0€G'/C=Å/Ù’¬ÇÒvÐ3Æùw»0UdN¡wrj9 žÈ½w|?Ê |0Uÿð0U 00  `†He00  *†H†÷  ‚LI¤¨ ‰¾Ç–š(£/ƒ»±™{Ò$c*}\HbºŽÔ3t=;=.$QHã¶?þF0$öIré5ô1š‡>„á™ý_¦ÅcÀ³dp!Å{ "êõ›çN“ZÔ5MØe ¬ yÉñêe¤\»¥ï—¹%÷ø®À|q”$Â÷ é}#øä!3†é®BÜtÝ.'þÆ(>a>Ô 5Ó3Á[Ÿs€¤¯“Ý´Q³‘]þ¾{ujÁæUó&Yõ¿ðÉV7Nnái¹*^ÆÆæ¢ruB÷8ÂÓlR_lÖjÙ@ Úð÷›©aÝ4+|kâ $/¸6· …#T³÷‘././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC3280MandatoryAttributeTypesTest0000644000175100017510000000176315161577363033467 0ustar00runnerrunner0‚ï0‚× 0  *†H†÷  0“1 0 UUS10U Test Certificates 201110 ’&‰“ò,dgov1 0 ’&‰“ò,dtestcertificates10UMaryland1 0 U3451 0 U.CA0 100101083000Z 301231083000Z0u1 0 UUS10U Test Certificates 20111E0CU"R›c³aÃÚÅú¦Õzð4h´ÇJÊoçIÉ~G - ÃS`ŒŒš ·:ªÌZÂœmJ舮¥p ÆR$1æ¾N±\&Üîã"ç ÍÓ ôóºrúh²–'ë5(¶Luýù=m¢.‚©7šÒWž™8Xþv Í·Ú˜ÓR×®ˆ·¡¸Vsl ñ^¼â,;qO q>›ºrõgÿCôFmQÚ‡£ÈA.5†µ §gkö´×à–Úk/!ƒÑSὓˆR'ƒ¼C¿ Ê‹Œ­ÇGi\O2././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC3280OptionalAttributeTypesTest80000644000175100017510000000177615161577363033412 0ustar00runnerrunner0‚ú0‚â 0  *†H†÷  0Ÿ1 0 UUS10U Test Certificates 201110U Gaithersburg1 0 U*John1 0U+Q10UA Fictitious1 0 UCA1 0 U,III1 0 U M.D.0 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU;Valid RFC3280 Optional Attribute Types EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚¹Öwj–¤Úùý}8±f0MŽþÃ_h$gÈóE­8¬Lmʈ.²ãE4Ÿ ÅsA3À‡V«l }úŽ!¦x›`QÉ°È£cmocÇë=m=×ߌ‰úOn@QD¿`7$àÁš„6P膾gM%Rs—÷²¸"ûD˳…´‘§–Þ]hR&(ðW NƒÂ«ó‹cÖ˜®ý3z–QWºC¤ÏÇŠü…ëN<ÔÉ=Ä£CòÁùd)$6FÅe¤ˆrÒ×õ>iZ·=&Xñ×SÒáÂ'  «÷*;Óqdz4Ý« ¾ðœ€Rûš‡Ú±îÖB—ZÅŒÆM£k0i0U#0€›no?Š§ô経1[ΙK‘||½0UZ5´‹eoñŽ­S`ª#ž¥e(C0Uÿð0U 00  `†He00  *†H†÷  ‚"ç, ²»çåÿ>‚ïuD—¡Öý}õÀóU¶6:­}§zòOC;eXUwʦ7†[LŽ•4È‚Ê]r…m}ÒÌ~ŒáæNb.ƒ¸l¸ëláñ›¿L©°rÅ!¨Ô‚øD;ߟ­‹­œ¬=DÃÍñ„éü¬ú‚|¨üqZs^_ç 9L‹`KøþV…1 ò\¼iÈ–]’Fè6Ú«£9¾ÙšÓ$’Ö½ž¨,Ö¬‹ ~î„Æ'VEMX*aMZ³õ8G¸Y{Ò…£\bèü‰dÃÇI í°Ä¸$µ¬Ä—²§ÒóÂLyhÏØÆÚV×¼1FO.RhßG÷G:Ò½././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest21EE.crt0000644000175100017510000000173715161577363033054 0ustar00runnerrunner0‚Û0‚à0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA10 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Valid RFC822 nameConstraints EE Certificate Test210‚"0  *†H†÷ ‚0‚ ‚¹Êý˜D!AýrŒþðýΈþZL+¦‚b’­áô€Ýuo½ÃRxf,Ù£¸ÌR·„’–~²j®,¢&pœÆÁý‡óIØ(?œ(J9¼X†ö©æîn¬£k >Xamp¬aÃ;z‰6\ÅÝ\3fþ»Rª'Œ¥Çø4 ^È' ./¯ëˆ€&Ø›¾¶@ Çñ‹ñ5£ürüBU¾‘;0Ì‘= =>óækÝEJ†ƒÐZÃSëÂE-Gx·ÉLÙá¤#ÓV­S‰k«Tøms¸Q,8YF ÔHô«Ó}A”‹ëZAåF¦ YÓkR¥ßJºõµà‡Ïp* “£¡0ž0U#0€ÈjŽ±Kª¥ˆ¸§‘Ûê3JèÕâ0Uf £/ è×Ê-ìî¢BÉgcÔ0Uÿð0U 00  `†He003U,0*(Test21EE@mailserver.testcertificates.gov0  *†H†÷  ‚=/‘{Ϙפì Nì¿DË*Ó…ªÖQ¢ ÑÚÅ¸—7Æg=!yhÀ8`?áÅZUªÐ8Ù7*ÅøDœ§ojz.TXf`~«ŒS‡k|Dó5­E¦v?n锓…£?¹ÍRŽÓ§ÓZ¯ü‹þEE‹±ãòõ ä*‚ I•<ê²>Å<Ôxxeq½‚b@ßкu¹Š_àâ&17ì¤oWU5}ŸˆmÕzÄÉæ2 ] Ú(ÿëÙ˜Hû^àiU1Ót[F ùóÍl‹ƒ‚´'íY"Á׶+áž´˜hÎQÒq;û8WÔºSüÑëd둺hÊ1ÌÞÙ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest23EE.crt0000644000175100017510000000172415161577363033052 0ustar00runnerrunner0‚Ð0‚¸ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA20 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Valid RFC822 nameConstraints EE Certificate Test230‚"0  *†H†÷ ‚0‚ ‚Ç÷³›‚í“\¼,é•ÓjÞéÈw7Ó-ú[·mNxŽÄk2í)jƒ¸Ç¼ 6w›GÅ †ð[š(–/&… pn'6¾»8£Ù›\xôøBW™î&®íæ/‡ÇØʤA±­é:Ö§¥¤ö¥Â¾ôòµDòbŠøKÁÐ]ƒ›¼Mtµï&–ïy<þŸwgxÐÞlòÃÀgS‰ÃÅw±øʱ¬Äw›¼ù¢€äMS–ÜéÎô“i¸R³FÊ ¾§|ÆK‡Õtª’6P@»ò¡†ùÒBbkö¹ù–9Ýiœ#²4£L ¢<úèb]LÕêÜ8êÔnvÚBi£–0“0U#0€Q€ÍúIrH<íN ÎÎ@ep 0U¤8nÁ/]®õÇÅîÖ IK0Uÿð0U 00  `†He00(U!0Test23EE@testcertificates.gov0  *†H†÷  ‚Ù4–H% Dž¡Ýï+¿ªeÂ1ÇqÕƒÜù=© §Šú~+Þà·FDÎ8ðæéx-¦È@RÒÚSÐ]cs‹c~)!3è°ÌžØ±[ ŽÞv÷_¿àHþA›îñ>™=y‘è 1j(©×o7³+ñŽ"9Êã:õ»ÜU:¡iÕwoCQ/'I¼Ê»Ó˜ägb>q=Ê×C,ù¹î¤¸³¿±Âq D°]ÐyÏ“-ˆpŠ;¼¨œñ¡U…IŽV³aÒÊeåD|Í™šß¹r¼œ†WÊOþ ¶F­³yÔþxFöÝ j!¡Égz í¦ÚæþWÅúG>°«!././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRFC822nameConstraintsTest25EE.crt0000644000175100017510000000173715161577363033060 0ustar00runnerrunner0‚Û0‚à0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA30 100101083000Z 301231083000Z0k1 0 UUS10U Test Certificates 20111;09U2Valid RFC822 nameConstraints EE Certificate Test250‚"0  *†H†÷ ‚0‚ ‚õàMŒðÏNAC02Fj‰µÜCsûöæ‚Š\7 à„åU+BXˆ°r«rB‰Ë¨×VµÕë#ý¸!ˆ` 2/륅Y«Ë0øMÜ>}9aÊfâ†éÓW°Fò!£ç=£ Ð~D¾µ\î«Ð S•²èï=Äg”“Ó ç¹+TRt2¶¶°Ïͪs7úH=)îføψ]Si9|G|ÈÖ!ÈŠaO–ᛨèS˜œ§^ÕÓV´ÈG|RÆZÛNßxd­hÀ¢7–/öÂáfgþ%£(”PûËõžK/·%ñÿà 7¶s”M”–2Úòrƒ}ú Ne£¡0ž0U#0€šº9MÚ!u¯êAø÷þ¸Ìí}\Z$œóß²t å`’6ž|X>(î%<¢ Ð@&vÅŽ1·x"Hgh«|Öá°yn”8As¸ýwoQ~@7)@ãB’e Iµë¯N“°ü!Á¶í&[u ­ÅƒEÉy*ån)ö7†öX´Á9-"i¦Ü././@PaxHeader0000000000000000000000000000022500000000000010214 xustar00127 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidRolloverfromPrintableStringtoUTF8S0000644000175100017510000000170515161577363033761 0ustar00runnerrunner0‚Á0‚© 0  *†H†÷  0g1 0 UUS10U Test Certificates 20111705U .Rollover from PrintableString to UTF8String CA0 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU ;Valid Rollover PrintableString to UTF8String EE Cert Test100‚"0  *†H†÷ ‚0‚ ‚ÓþÌ);M¤¶£nî? ;΋$BEÕ‹ð㊪¼Jû.µÑBÄ[¿«qdÝ_»Ü­éæ”û¬-M¹$µöŽˆIY¨#† uª4êD·ßƒðÔŠz¯(pýò/ïsVhÎá%̆&1õ¸ &‚ou7ç좉^¨¸ Aüp@L›¨‡/¢QIN®í¡èµŽÒy&Ãáž!˜³µvŠ\©¨WäF|²L.K}ìjÇ¡½ƒŒpH€½ ÃôÜ3“µm$ü‘úØÛ©܉Ý>ù#·—êØÌ ô‡[ߺ»S4GR0L‡ÃX¦iï+n E„ @-ÓiFÚϨ,× `ÁbÚß:ÿe©ßÆq-././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.0000644000175100017510000000165315161577363033572 0ustar00runnerrunner0‚§0‚ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20 100101083000Z 301231083000Z0p1 0 UUS10U Test Certificates 20111@0>U7Valid Self-Issued inhibitAnyPolicy EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚Ùô¸¯0òŸšþ×ïiÿ…Qçö’)³pV_KðçoØ2WšO!©V€*ü´<\æ^ú€åêÈB³TÒ ''ÅÖwX9¤¾ÆÎønÌæ禾U{¬ôWL94â ø>‚Òºú‡$á“™xO—äJkoÒüÔ‹­xäÖ‘ŽŒ¸(QW²íD‘-*ô þ‘û¡4Ú9LÚÈÔ1Tž¦Ž9Ÿ2ŒR³?Êõø`¥Q|§‘iøè×sóz(œ;,W‡»ìðõ—РÎç5³“²Zfõµ¾8Ò¿¨÷ásGžtqƒëª‡™zrrrïº#BÁë1§È1—ÏxJ1Ö*…£k0i0U#0€ŒÜß~dÛb¾ÛKQdŒjfØ\££0UÙ¥ Åé·ÑÎöC×N“\óXP0Uÿð0U 00  `†He00  *†H†÷  ‚#—Ï?•hïR=EÛŠ y^TºxôŸÛT¯ÖBfk|{=%Ñî«{Ç’ËôPþæVdòs6ÏÒ”¤­È6VŠW¹ Hëì“ ÃãÂ>»Ýò_2EŠ­ÌçšÕ(Éä Êß&×7eÄ‹`ì-:-¦èÖ`DV(-,ÌEŸƒ.×J2XS!!¨›uléhÞ9Ë…Ã=¹¾ýXEvýõ°UÃso+ûï*ErRɺÇ|é«èQ»@•¸‚Ës‰°³ûf˜¼jJžjÛâ` Ø…4©y8€]”d ‰.¹³XxK$‡Õü®TܼoSî_cÎ5Ù-T²˜èF././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.0000644000175100017510000000165315161577363033574 0ustar00runnerrunner0‚§0‚ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20 100101083000Z 301231083000Z0p1 0 UUS10U Test Certificates 20111@0>U7Valid Self-Issued inhibitAnyPolicy EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚ÒZOÅR Ûmð¾Í°y‹HÖUgh˜Þ®9=BV"›âÞ¸kߣ\2Т)2°µâ´‚1/¸-Uˆÿð·XÏÇY‰Qà¯,ﲑ%‚z1£ˆÝ¶V³2D(gü£k<ÆášoãÕ¼ŒžS\z£ÃÞ®çqéÙºf•åyÐ sã:óëÊÝO_âEݵ)Íq5äPqéUEŠgØῳó¬#¶¾î»%*XÕd‰ÞÉ]ÎÆÙ<ûÑ.as$b(=¥”ŒTÅ5žÇþª~iý÷n±ïŠF‘ŒØÝÄy²c0.(Ž÷ÖiœŽkE#Œ",ñ"âV uÃ~¥A‰ƒ¶Ïu—£k0i0U#0€ÉÌ?ú[ð¡ÚÕ7 ›Î˜Æz‰+Õë0Uå:Õº©™Õôª–ûÝ8yÿÐ{%m0Uÿð0U 00  `†He00  *†H†÷  ‚0Ùw(¨7Ã>Üv1¹„¾ªq‹:¼E÷…éNP ãÐTaù‰še¨ýð5ÙŽAÀà\ ;t0t¼ºj`‚ÆèsBËuøÎóNäþWv³°¡éuû7ââ÷B‹BhŒœ¶<ݬø™*dÚq?®ôþÚiç Ô2ÍÙ±è”ÞmËúoIÞìT—£¡Z`î”J~“ù¶¶…™¬(ÆdB$„ÖÂ< ¨×Ñ@D/âPÓß›³"?ÆËþNGpU\@ŠãÓ ¯¨=•OpcÛ0Ç•.w?Øë-Eî/Mp÷ÐÚ«¤þàýU¤Ì‘zŸs¹Þ÷²ñ-sóÉzîL././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitPolicyMappingTest7EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedinhibitPolicyMappingTest0000644000175100017510000000166515161577363034062 0ustar00runnerrunner0‚±0‚™ 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0 100101083000Z 301231083000Z0t1 0 UUS10U Test Certificates 20111D0BU;Valid Self-Issued inhibitPolicyMapping EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚ÎT Åä}™–v ûå°Û •úÊG\º–8}ȆêÀ½„AîÊšûyFêœÃž?õßÌöï9ºIøÀ,= ‹•úC—sõ¼±¶¿À²®›4pXžüîõR5ÍE—MƒŠbj¥¥`*Úo‡¾и¶C7f3ίpŽ¾+Z•œ³µÚÒ¥ yEÃôjNµW1HR­:Yù)”‡§:%Á!YNåý²5œ¥¢pÛßHÒ¾îþ/B²mÜu¬å Àâ'üÕ,B÷Ö<¾ˆmˆRæÊBD ¶M¯¦ci?°¼˜£ýGWI! mPäiÜ4÷Tä2sŸÑϲyq¶ßK'±4Õ¥_+£k0i0U#0€óÍ?ƒ0ÓÇbÚæÊl¥±¶€Ë0U-„„ÿl\‚D>S†GÓP2äý´0Uÿð0U 00  `†He00  *†H†÷  ‚D¥Ã¿BlŒ >²öÅRÉZ}ÅjWâ)oÙsãsnSÙŸwœÃæ¿}+™ßJèÂbö`YÖyCÞ/²çžDÌy#ûZü‘Iÿ~ ¶º³S‚jÐlÍCÕ#›í®-éfí£=K€•Ý£<›Åg‡MýËE½][Áz¸ 6J·ÙuáB·× bQ;Œøp%²DãccÇJ³ 4vÉaj窥ˆ™Ûüëó2ðÃ_ÎW"«).ÃáL†bG €ˆ ÑåTŽ.Ô÷"'ÚQ—6Ná*qKŽÙuë4ÄßPBOoÛQ×nƒK„i†Ü ÒÁŽ0Ò’Ã]Ë‚¡^[’³†°././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest15EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest15E0000644000175100017510000000165215161577363033647 0ustar00runnerrunner0‚¦0‚Ž 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid Self-Issued pathLenConstraint EE Certificate Test150‚"0  *†H†÷ ‚0‚ ‚´ÏÔé‡I/¢ô›ßZQbß^ƒ#¾w±*ôeHX™åL˜T aFp3ø·9æȺV~2gú𨃠ÉN[‘·å¹ÚÚ_VÿQÍd9´NAó  Zrne%c\L ²ˆÌÈAD®GX ×3>þ4ND6"4ùÊ1ßZT{l¯p+ ?–£·~ücµ(°µò:w—Î&ñ=& ˆ¾ —.äŸ[2m éÓå _ê WJëP•˜¦ª²Ó[ª¯G ?ˆ¥S¯ ÿÊÏ î%ÈêE°¢™ÚU©‚ê¡ý½­0YȧuªKfæ}ðÄ8…k¸AÆü£ßH/©¾MÎ-­Å™£k0i0U#0€€ës¾M™ž”½KZ÷ÏWwtÃ_w0UÈëÙXÀîëÂWmš}Ø¡·a›¸0Uÿð0U 00  `†He00  *†H†÷  ‚‚ªF;vgÓUÀZ÷î:zäodýœ ÷ÇîD*å'ØÈ[dIʤĺt29Ö‹y€®Ï·—°ð#Ôêðd¥NT2Ê^(¬¸½ìƒìIàyöÎL,Ë>Ê[”{8»Š<µaâ—2ž+KŒ‡šLCU ±þûÇu=ˆÓÅ™Ge7(öB8sfÉCøSA*yE+F®Vc¢±b.™k-`Ý¡¿Ö§¼½`jŸw¹5"w/xÃê kÍyHF%÷P;¼LMØ'%j¢Cx­ÌhèLê[íðQ”7‘ST"â[2“hoÊqùò¸L«xÙHø°././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest17EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedpathLenConstraintTest17E0000644000175100017510000000165515161577363033654 0ustar00runnerrunner0‚©0‚‘ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint1 subCA0 100101083000Z 301231083000Z0r1 0 UUS10U Test Certificates 20111B0@U9Valid Self-Issued pathLenConstraint EE Certificate Test170‚"0  *†H†÷ ‚0‚ ‚¦×]Cƒ©€¸|ó]=ÂûíbPÕ̺÷Ùø>íätU@î’³j›âÁ€`g†zÌL¨„˜þ:ÏáŽ#6sWSú¦ZúÇþjõϘ h‰f½¯Òß÷ b×Ǿ„ Ãñ;Ú öVH’QÉo§Œõ¶aVø•5¶f’”Ñ[î'RWË 6K%§ºÞT¶Î ø™ÈZ b58jCW±å`Ž}¤óßv†™¦~ùÕ›´ÄpµöË}j8'ðþIØŽÿn^ìbÛ@ÆP ¹Fï8ÂüàŸ{Ę–ó£“ÜÿÒjâ4ÌYñ’Öì¿Z‰@RÊýs¿¥†û9|ý£k0i0U#0€y‡S):¾èÔå4ƒ+ÇÖ0Uçß ðÐu© Ú¾-Ó¶6’Áù“0Uÿð0U 00  `†He00  *†H†÷  ‚VŠ!ågö¾I`š©­'ÿâ „dä>aŽœ‰¾RCݨrχ•iãe¯é,L^o•äì¡„&m5XÈ+Þn%ïÕ&|™?ò*Qø…c䂃…üljÓ°Z~ïVZc.:ç=O&ÅÖ(ÿ‰Å­OÔ@P;î‹Å›êoEQ9*įèV5 Mñt‚Â?ù]± îéƒxšôG´CÌ59îãº3ªØO¤âÀîÞÛEÏÖÇ,põ‘S¾°î¨ÑŠ8(“ý^‹âç5§q¹w«E· 3ú¸l ýåÉ‹˜@1}/!#ÞýJ·°¡w[_²Ï1WD A¯w†.././@PaxHeader0000000000000000000000000000021400000000000010212 xustar00118 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSelfIssuedrequireExplicitPolicyTes0000644000175100017510000000163015161577363034102 0ustar00runnerrunner0‚”0‚| 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy2 CA0 100101083000Z 301231083000Z0u1 0 UUS10U Test Certificates 20111E0CU2~DãmþO9E·¥Ñ^Aˆ]O~Ž ·t¿ˆÛá2j‹~!!É*±Žð¿ŸdÅ DþWÙQYÅKc<9C‹ôopC%•w-®µWPŠ"ÔõÓ*©’èåR½±õ¼y¡}_›ã– 0¤Vèí»àÛ8׫Á× ž¥)FÁb{MÆ7· î IÒÐ{v_î././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSeparateCertificateandCRLKeysTest19EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidSeparateCertificateandCRLKeysTest10000644000175100017510000000167615161577363033623 0ustar00runnerrunner0‚º0‚¢ 0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA10 100101083000Z 301231083000Z0v1 0 UUS10U Test Certificates 20111F0DU=Valid Separate Certificate and CRL Keys EE Certificate Test190‚"0  *†H†÷ ‚0‚ ‚èíh·âoä°£°›1D]¡u~àH¡7a}5kYæ¡õèž/ÿ0ª/bÉÏYRyg‡q÷üIÆÏ *­Õ=š&–†gO²scêà㘸kŒ­ú˜Fª±· á¥mµÑëìªö)û Ñ)‡ú°kÂШŸkjúƒuÖ¸.ÞµÔÀ)À¦×@CÔçLÆ¢ªSÎte™½|A^Ú™\Mæ'I™F8 fi´'úkYFWÚª_+«* íÄN4Lw<¬ i§ù tv*¨ÀX­½â7Þ¶,SZ°AÕë÷ôqé8™ eyÚ˜"mo8¤é©ËÂÑ–“à:`phoØ›h™£k0i0U#0€ðeÚ?ZÞÕ¶H™;×L¤0UëMÇ)2°ìW{¯—p äàAã0Uÿð0U 00  `†He00  *†H†÷  ‚ ˜aP·íjËÝöÄá¡ÆLË54ˆÐGA’ÔÐQÚF ì¯sÏzFëIÖÖ—ÍmꨙÑÔ©†õå%窥ëê)>G­:˜<™‹‹0bx7ÙŒWŒ??^NpÕ|ˆÊeÕ×¾êKCÙþ)[h0ï0Êë½8Á1ÞÐ0~ÊlâYL’ ™œ´ÌãüQ›6Ö9Ê(?»IœÏ›Ðpkâ*././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidTwoCRLsTest7EE.crt0000644000175100017510000000161215161577363030326 0ustar00runnerrunner0‚†0‚n 0  *†H†÷  0D1 0 UUS10U Test Certificates 201110U Two CRLs CA0 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#Valid Two CRLs EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚¹&ê* 9œ}%B Ÿ)·ªÔï®UÝ£‚5J>–Q?²¢`éÕ¯Vbp1àd£Oõåàmƒ•ýÕuž–»VDÌ ÁRxÑJ®%D:ט]0·ÉŸýÅkü¥1bZT½åäuI†È}/l 1J¬k•eÑäˆ ÉWòΔóÞMXÌüÂ’În”N²»"Zó"‰@ÂNì¦ Š$ƒß}ÉÝâ}›§€°í8u|J)½"pŒ†‹4üý¡@àÈ÷{ … #Ôe§<—Òx™À³LÑƦ̡§8—SÙö+ãµÇ¿`©Õ= ýnýT^œµÖpæÙÁ~¦Ú<Ö]lJ}< £k0i0U#0€¡Ö™€ãmýçîwK_ñIÙ aœdK¨ëªYÞSv«Âs·¯-—Ñkõºáe؆+au(³HŽ2„ê?:9}½g 87¿êÐtRK*Ÿ1“>¢? ÇÅSo£ª0§0U#0€ú(­AÞ*hÈ#?&Þ0UÖzì1Òš¬¸ÿzßÝ2/_”v©F0Uÿð0U 00  `†He00<U503†1http://testserver.testcertificates.gov/index.html0  *†H†÷  ‚PÀ,zà•nÁ³‘rå  ?$*\ÆS '¥áçÔ2€lðªà牔/„2~f¬àXþOÔwi<úm¤D;QþÁ<ÿLømÄËôæ~Xq¹èö¨e"¾ >`MMp7‘îÀÎÔŽÇ$÷¿ØÑÊT:*Sk-™=Ð}ÈiÈ ÔÍiÛJfÊ9M~Ç7cÅyV¨b7÷NBu籩ò+†~£hôèÂ/lJ3W# Æ‚%¨wn‹wב,ÉcØÖ§# *!ô­¼“3YQþÓÔŸ¥rö¢üðOsˆÈ»\fõ†«ö€MûÔÚ yòTE‹NáÏvl*¦&././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidURInameConstraintsTest36EE.crt0000644000175100017510000000174515161577363032652 0ustar00runnerrunner0‚á0‚É 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI2 CA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid URI nameConstraints EE Certificate Test360‚"0  *†H†÷ ‚0‚ ‚Ìl>뜒“§âéÛDÅõuÍ~¬R .›Öé‘Nì²ÀK B7|Ó3A35‹ém ˆ.$OÓ:¢þ‘2ð´ÙdÝßðoŠ ø°e¡Žb0`!T{óŪ8¬þ¾tÇ8ï{Æ·Ë`FÒ†íl!ƒÓy7k\îÜAú_¦W@syq`Á“ŸÑ¬ÝFû$îHSÚD€âqÚ*~å™53!¯š³Ü¬‡³‚Œ–2H zï­,EÅ=Ý.âJPÏíYp3~¨2FNQ±÷'. pýžU3„ÞQHlƬ"‰²åç7„CÄNe»‘PÍÑ]$„ŠWî`÷~¹¯üuŸ6’S‚£­0ª0U#0€Më‰qßð²úv:X±º`ÝŒÓÃ0U]ÜË“3š´"?¿CÀóÂ">ÕÆ7Å0Uÿð0U 00  `†He00?U806†4http://testserver.invalidcertificates.gov/index.html0  *†H†÷  ‚\u} Õ瘚…ˆd/± þ2Ö÷ÁOåmoìþ>uR-(* òpŽ±€AcÊ@ƒQßèÌ>%"”ĬI‡ç|2\¹çº™n sØj´Ì*ŸBPcýãºÑ.èàÓ‘ í\_zõŒõÄiPHiÌ0\ÙDQJþ>Fhâ¡öFÓKLƒ1ˆñ¤òf(-µ\t7¿|ìdøì0OmÝø ­½ Y' ¿øƒ|$ “zгD73Ì·¢´3@‡æ@½?(g°$­:1GhÐ)„.¯®â»*M—ÀMÿ'ù0!@–EÔ5§ßúoïùº©xZW.cw@Kã“)Ó././@PaxHeader0000000000000000000000000000021400000000000010212 xustar00118 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidUTF8StringCaseInsensitiveMatchTest0000644000175100017510000000170215161577363033650 0ustar00runnerrunner0‚¾0‚¦ 0  *†H†÷  0b1 0 UUS1#0!U  test certificates 2011 1.0,U %utf8string case insensitive match CA0 100101083000Z 301231083000Z0v1 0 UUS10U Test Certificates 20111F0DU =Valid UTF8String Case Insensitive Match EE Certificate Test110‚"0  *†H†÷ ‚0‚ ‚ݽ̒º„RFæp.Ê‚H³;]$V;‘B‹ µ‰Þ•äBÙ¨7“íc¶s9Ô9G)¨ëEžÉéÙ‰`Ôæ!óaŸ¼¡»”´Åÿvy½âÙ±ˆnªoò‹·•öæAõkà~çUÁIðu o^5Ï, V /%ŠòºÚ‰4‰÷U~Ax%¹öÊydsT­L'”2uØOn—Øe»Öm!Ÿ”lJ\k*6uT,‹y¢<†¡«B$Û7I&=r‰A<ü©„GÕ—Ö[à¯w- nÏÒ"cs˜ ÚT„Éýƒ,è4:ÈCßÖdªðÅó¦‚ ‰ÆëÕWX_@Hé‚”/Ú±¯@È{Ã¥£k0i0U#0€`ßÑÊ©P’!DÒwõj­¦¾x0U¬îut¢L#=ÜÒ˜¸@kôÇ‹6j0Uÿð0U 00  `†He00  *†H†÷  ‚Kú4Ê©¿Ÿ9Óš iÏõ»êÝV¥&©SœéQòÎXå#4|[ø4ÁdŒçk8yÙÖˆŽ¬DA¶¢:#ß‹%­r ­bó‚‹£^Ãø‡ñø¨¹î¢¨é%ïcüú„€ä™ä²4È^Ù³Ñì’œKŠé8e­tOñoçU)íŸAPÛõ@å;vRÀ#×*ñNæâ³6ç ‰Ïª }ÕÃFÏÁØà&æR“öMx»EßJ24ñÏ¢]¼Ûš¶¸.9(]–æ>úEª yU1ëHËœIãù÷§e·Wä¹ê<0¢OºÛµ( …*K‹¥BرßI\Z-ŽùJ˜€YÍXœpká£Î././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidUTF8StringEncodedNamesTest9EE.crt0000644000175100017510000000163415161577363033222 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0F1 0 UUS10U Test Certificates 201110U UTF8String CA0 100101083000Z 301231083000Z0l1 0 UUS10U Test Certificates 20111<0:U 3Valid UTF8String Encoded Names EE Certificate Test90‚"0  *†H†÷ ‚0‚ ‚âC!Þù pòFžŽ.uÕk¯ÏÀ5¹œÌ …5cÿRU³…ÙÃŽ´T¿¤l=A·8Û£I›Š?KD˜tJFeÊrŸe ­j%pè1¯Íâ¿ÀRþ:¼ææ\OråFóàõÃÑ쓪#ˆ°„w»Ñr3”ZÐ¥ Ÿ¼c.¥l1BZ"ÿ½ÿ”KÉǯÀÑ—|¢-5zû¢†‚<-ô/˜Að3F¬þ{Öd€ZÈÈl† ¶}¥ÓQ>%·óCÈÒlz~|lß"äc #Ž+QV8¡Ò ìgx"ØÒËd§cì+æw`ÁKÔëZîòCMµ£k0i0U#0€;g[Dò §H}s)Œ“ŸÕ$ã`&0U¸¨á½î!’¯M*œÛ#rÁš¿0Uÿð0U 00  `†He00  *†H†÷  ‚k"'eU»^†“ÔRkÍíÛ0ê¿À¢¡9ìêT™§r^LÁ´Ê>‡›F4»ƒ4ÌÜ|ß<¦$;±ûÍé\Y½ ÁÐvu“S„ܤÔ’7'}¢ àfþŸ! \h¾?b6´q âËó˜õwz.L Ì>µÞT#½ž ç/îåÒL§¢ M­˜•ŽFHá<oÖü…dêb3u碮£ÝÕAÐÔIv]lza×h²—'•m_CŒ/1DÙ¥wªq»´: Ít¢…žJZñ›Õ£­iÜgȔݤ¨ž–UëµÎvk3qÀxÂ÷!‰=F¡ÀÒe Àv././@PaxHeader0000000000000000000000000000022300000000000010212 xustar00125 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidUnknownNotCriticalCertificateExten0000644000175100017510000000167015161577363034047 0ustar00runnerrunner0‚´0‚œ ^0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0w1 0 UUS10U Test Certificates 20111G0EU>Valid Unknown Not Critical Certificate Extension EE Cert Test10‚"0  *†H†÷ ‚0‚ ‚Å»/ g¶@0øY“:X lGh†Âýêü>@•wz×ÜݼÀšZeÄùÞ©„£¯‘U”h¾“„†&©~6WÝ–-GLóqj•ÍNSôq¢ˆŒá ª´å•Kló¤Ö=ü„áÖTAR()üÚ7sá ¾µŒŠàq¶2Ñ=Îhõàvêø®^Ž†§‚!=•ÂTW“I¡ô®„Ø¿*¡Vb«cþ"*hñ|ؘ*D&zú™OE´‡ÁøËX …€l1ý°h…»a£}0{0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UN  ® Z2ÿÖX´“ò®®T0Uÿð0U 00  `†He00 `†He 0  *†H†÷  ‚0&½„ŸaöÒ´Hñ•#žËŠ›PĬôq£ßF+ÚH´å5 î™’d %^×ä ·Ü{AÈ[e"´¿ž·]I§¸þ÷ŽX•±«_ Åà¡«¦=Ò±ð˜ªSí&°Ä^;éªÇW¦LÉ"€¿U0íúlºL-”u5 ܯ¡{?^Å]ÉbKìM¼º[ßÆ¥?ØŠ’?È2nÄ)%3q°škBY»,®{Rè–cnÞ r•4anÑ_Ê8Î+Cû*¾Ñ¼]\$|xR‹¯ï°æøj‡…­3WÎØúsoÐô¿Ľ_ >ê¥ ©ªô2¶Äå+åqÎ#Â9@˜™ÊÒû:¾Ê„³³qPe -r)û¡‚«¢÷ “s¼¯Ë±ëžÆÞS‹èC)UÉLÆÝL·›X†õ.•¢@Žpß yH@RAC å¿ ¤¹ó»Á9†¹\À 6”‘'Ì"î®—£‚]0‚Y0U#0€H“T}Äm0ÿ-WEq$ßLŸJ-0Uƒ{™Sfd±¹iÊìšØ 8pË0Uÿð0U 00  `†He00íUå0â0ß „ ¤0}1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer1)0'U indirect CRL for indirectCRL CA3¢V¤T0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer0  *†H†÷  ‚m¨´€p¬ô±JQ3.4b¡e2”®JUÒgs–YEø/‚o^HËA òFr‚à‚pàd_ïrVüèoò¿¶ÁfíÁ­¥e Õ.öË?ƒ—Quûx8l6$&¢Œ €gú?Fñêuª( *\÷†ÿÇ 2(OßÊx8IÁ¬{<Ûˆ0E·é9šÍÃH¶n>Gò´ë„™r)Ñ—X¶ª"®‚æȦÑ@œg”»‰ƒ üsY! À­Ýˆ¢´­›"6•!‹r±¦$%šªLo›Z·éùÑæ´4í¸E¨!A‰ƒ’ïzu:é¬åÒÔd¿‰šôàØá?¹ƒ¥Âß$0^././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest29EE.crt0000644000175100017510000000205115161577363030766 0ustar00runnerrunner0‚%0‚  0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA30 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Valid cRLIssuer EE Certificate Test290‚"0  *†H†÷ ‚0‚ ‚«Ýá‘úÀX/ÎTLé9×øç.+¶%ÂH†J¢AÑÀòl4èÅKÓÁI)Ñ.ßÈè“ uñíWØ€¢–ô°±½ÁÑàÏ6¾ˆš·®™Ø:?ˆ¦ýû<4š±`sÇLÂôPšc 9Nüì^ì}Ù`ࡱn4Xÿk”œD[ÍN®â¾+—M‚ŸéÖµz˜EIüXtM"f˜ûó¬Ó‘Ê0Uÿð0U 00  `†He00“U‹0ˆ0… +¡)0'U indirect CRL for indirectCRL CA3¢V¤T0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer0  *†H†÷  ‚2ˆ;G$ÉÎN"ÃKHꙸô½: ÝûÅs£iä ¬?vtmŠ}—’̇ ×ùà`_ÿšß¹›ÌíQ¡šó€\¬Q%#ÿ¦ !v&¬16vÝóäR\cÞÆ7« ¾™89g¤‘zÙ:2o²ñŠii¢¾´M=ø 2Œ4ˆÂÏükÒòÙKFWá:{a¡GÊbì`eZpïÈõÁ¸÷„Yv«F[“Xˆ/ QâVéNÚîèµsÇ Ff0ûæþˆÄ‘çÅDÂ/Ü¥ü4CoŽeªŒ Ïj A Ä´Ë0˺Cj¬£Jã^ë† NcÖ>9Â(Ea °î=iòt뼦¾././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest30EE.crt0000644000175100017510000000220415161577363030756 0ustar00runnerrunner0‚€0‚h 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA40 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Valid cRLIssuer EE Certificate Test300‚"0  *†H†÷ ‚0‚ ‚ÒΊ în%ºë]»Ô @9cB%òzNÊ“”J¼"ââ©Ãc–…Dé?”<ùmè׬®¾Ç&° #¥{®.iÑ×;ýÉ•²k`©”sÈS4`á‹W‰è^HY»¹õà·XŠÊ.T;ß9£- c6¹xlÚ.ÿ:èLnÞw²:‚+|vg”–û«2V^@ú×Zšìé?ùPŒS@‘*ARCXsCE*i±§÷Æ| j)¬Ï sUøn.†TIþCÜ%Ÿ–ÍûûÆÃïgN˜ý1>¼ZìÜ ƒ>î stq—½ïäSF\œ«Šuw,{ËUè3$$sXq£‚]0‚Y0U#0€ Z2ê” ¨ª/Éã.A‚è·0U¤±E¶ ªá‹F^UåÓ|¨Hd,Ë0Uÿð0U 00  `†He00íUå0â0ß „ ¤0}1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer1)0'U indirect CRL for indirectCRL CA4¢V¤T0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer0  *†H†÷  ‚>Kžõ§ÒB÷ÎåŒl3vún£ÐéÒ¸„ªu~¾–${-$Aù’0ȯ ìc¼zäûctKÙ£HQ oL»hã[§O€×f@ï¨ Ñ{jccHË:œ J®…¿ðÂþâUƒÚjjõ º ¯g['¸È±˜O˜¼×Mg]' ÏŠy?€f.fâ8“ï‘‘þ©Û%]6Ó­…Í`@¾°wkµ“ÿOïÃÏžba^^/>‹†½Km/ñ‡7k0 ,¯F¥1ÿo vÙ/-Ú¹%íÇÅH%QüN$Ù3ÁvRÝÀå7J2ˆ=<Þj×Î1‹ië;§ØAâsС././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidcRLIssuerTest33EE.crt0000644000175100017510000000215615161577363030767 0ustar00runnerrunner0‚j0‚R 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA60 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%Valid cRLIssuer EE Certificate Test330‚"0  *†H†÷ ‚0‚ ‚½ó͵áÈu7QFÌÛøoç†i`6´ãZ Ó¹——W¯ÃêŽ#çúKHÜ$d¯D¤pÎtøשU}~{ŒBåš”@hj°£jŽ\’ÆJÛ¸Ä:ꧺ# ¯x8÷þ«;£0ÈÌH™Ù÷Ó|Í£Õ*ü¢˜m‘HåG\Þ)™0’ž_£Õ§ð …Í´N­»"/9D‹ê2+BãY…¯Pr}p*nÜÙÞ]Ó.5kàÅA)‘ðGó8–bÆÚüèšÞR~ÝJɆ ðà;ÏIUʱ@Üm$PøkÁsrá̼jžâÉx”æ—jd æ¼ó‚Aq˜dñyå+£‚G0‚C0U#0€É £l-wOÞBô ¶Þ*v10U–èsËÑyþ‰!¡,Ř˃'0Uÿð0U 00  `†He00×UÏ0Ì0É y w¤u0s1 0 UUS10U Test Certificates 201110U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6¢L¤J0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50  *†H†÷  ‚~ö¯“Fv)öG±Åu¶C/áS+ÌHùõñÃÑ}Š°y¥ñ‘#Ùƒ„¾{‹–6ô ÍTªr ì‘áö…« ‡´¸pÿ•/`„N‡ߨ­* §õ¯ŽkJâj ½ÃÐDUyÒµîWDî†%AG_À÷νw螣™‰¥e8+vO‚ÆÜÞö·22¹šø ¹i<_³ÒK×:}í“ØëœgÖµ„yØI lüXôKúEѤù©}³ÇOÕ33ô߀Èæ»#„ôœBÎèI›)]c’Q0º NÅ)RcWW=ú¸ýÇÞZÌù=ù¨=¯à././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest2EE.crt0000644000175100017510000000210315161577363030452 0ustar00runnerrunner0‚?0‚' 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#Valid deltaCRL EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ÁÝAC¿ð*0CpÿCæ>[ܽëIDLçJ!Ò?VVu¹ŒPÖ`Ï&Ú©p©´&«òB=T5ª:ôˆwL;º¤ˆV³ÛY5Ð'0@Òò¼]ÅÄó½Å˜‡­`~YKê‹Îg \0~®'p•Ì³žÕ/Üçš"[ÌWQ¨F‹5osÍ»+óÎ]€üö/‚¿žNù'€v—âÏZp]~ï°#É ·EB¸+~üU*õi5…Áf}—Ü-`ø£ï&”JñB¡U€',µÇ‡[Øé­ íó`ÒuDÛ!LÄ"Ub¾ˆô üA¶Ö…Ü‹ÀGh©¸¥œÕ]Vú+N¥46/gÞA£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30Uú¥@Ùîêß/åÝɇH$ 0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚£ï£»lPÔ9lžæTøFnª-_2ÀO\›…Pu. ؽ—áÝF¢ ó¨@]°Î49ZûßTÄ4Ó}š^¤6˜¦Oæ}ÍhÆ(Ÿ™xdÆC¶aRÃi*eKå7Ð6£ºè€ƒâNø°L­í˜R"¡š&ÿOSÿ[€ç˜Ô*ìé–RÕ,ùCùrBAÞù'zmc%+‰©AŒ(­¢‹¹t~áRjJ/¯ã¿óNeæA?£6Ã`ØæŠ{ÐYRá7O{ÌK÷œ@ù Rú,Mê•n ÐÞw*¯g¢#ë átDªé$z±aÊÔ ËJ7¹…"}å]EÆ1] ÚIÂðÃ;)ý»ú././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest5EE.crt0000644000175100017510000000210315161577363030455 0ustar00runnerrunner0‚?0‚' 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#Valid deltaCRL EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚¨‘D Uc¬¾ îrÓ‹…µ¤¶žº\¡Gïʦ=|©ús M¬t?ù1d<‹’"ÎýœGƒôŒ”¼Uˆ´µàû1Û W?(=ÁØÎ%ìD¿do™ûfŽdõˆan!j¯¨þã厔b~ž¦_˜ë©*½ÅN%–(ölJÂÑ_CÀ_«Í^ +;5á—+Ùc0#§¾«ï @hÐ"|¤e£nÄf#'„ e½S…/Àt~8]– Å%Oâƒ*:¯²e £¨•íÓ åÀ/áË-ÎϬX¸ C•}¸€.[$õš“¿xqZ\ ñGž$Û Ö‰ÌÉ==IÒ."£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30UIeùˆoYG“Œ»ëû•è‰ZÂZ0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚|éÜ´v)ðDHÎñ[ÍÓøÞ2Ù»¡†w6Äé÷Ò®C†yj ô¿ÞÆ€W«P2›÷\¢)qa?AX>СûQÑÅæå!Už¨[­ÂGêÌ逼Y‰Þ 6\ðÆeÓÒ4ÒbBxÊ–…Pq¢Æ*ËxžAçÍIß°ùY#Š¡Ù¯´–5ûu뎳ãÌÆPgöìŒ7øÏÎØl¸ÅJ©ÆŸ¬$ÑÞyŽÍûñWÜá¼gÈ0½ÉIðöcãTg¥2ÄêáÎÓÄÁEQ)®˜;ÆH€X™yŒ,_—m­÷ÄéngÂ,U2Ų·W—ŸùÝj,«*¹wÜW%Â$‘ܽÖ#—ÈƳ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest7EE.crt0000644000175100017510000000210315161577363030457 0ustar00runnerrunner0‚?0‚' 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#Valid deltaCRL EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚ÍÈŠPpR½² ]^;¬VNÿÖ˜Vúù• nÈ*ÿ|±EN#y&Cq˜Ì\“ײ´u„µç×$iVŽ’õšBæž|Ciý€HÓŸ`LÐBe…dEý@* šVy½]ö°$scrÜ4Wƒq1W;½|ŸKv…wP‹˜}ë™û8©}¥]iYíë„ÿ(ØLühr¤ûZ©¨puYs¼QHõ^¡­•„N§q7™œNsl‚ñÜý¤¿elCÙiþòà™BM”c>‘•ÝœÜk° éÆe÷ìý̆Õb’½çä§^³>¿º'åþMF.UbMA£‚!0‚0U#0€w#åv„È”?‚Ðêt±à¤/30Uå¶öL,—|¢„èX¯z ^@‘0Uÿð0U 00  `†He00XUQ0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10  *†H†÷  ‚ 4¡vÀñ;ëLÄÕàè.,˜¤K~²¢•DÀô9‰ø_ý¾1ëïd=n˜ì¨ª(| )ËKï.>À$\ ÕÈ©,ÎÔIé…7¦âIx«Fì D«$’ü\EÃÝ[Ž,ÆΫƒ­ì0:<~ÏØ^•‘ö+)rDµ¦áEUÐ¥‘#–‚GÞ)<’¨Ïk©Û×Ék -w\x…J7ÚÖo¦2ýš_Ùeö³r©•ß”U!1L·mÜ'E½Fü\s"$MÓæ·^¡øᎠˆíXÀS÷€a ÷HÍޚǔ§j¦ãñaê9u-—ä·eŸ»cØ33{ ÊÃÛN ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddeltaCRLTest8EE.crt0000644000175100017510000000210315161577363030460 0ustar00runnerrunner0‚?0‚' 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA20 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#Valid deltaCRL EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚ñÃv±a.Ÿ5p‹Êðv/ôQØ ßœœf’€ch8Š5…È^ŽR(†z`*ŧ+¨ GôÆœ°E‘t—ÅÅl›ô­õ*•Q3rxþùÿáý1ú1j+µ£kœ·%W&°÷:[Ò¶=xé ¸l—˜Åúñãá%[8ñ¬WX«`eð87¶Ð·TݪrR9„…WCQ«Ðj½¦KiºpN]Ø`šóÓsP›C`Ý)ó?4hÈkzªýÛì¾'uã}—˜¢‘{­”ç>¼ÿ7‡Mô…aXÛ`\WB©'¢O—Qºê1ÆÑ IL?0=*å˜f·œ7ý;ÿ£¤ }ÓFøÕL!¢  á¾VÞa:_\Æ£  Ô<$x­¯^ÅQÁT—Yð"É9üŠ>îÐnàí©AʉàGÑ")œð¦idåÀÙffÁêºk ð‘././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddistributionPointTest1EE.crt0000644000175100017510000000205515161577363032556 0ustar00runnerrunner0‚)0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid distributionPoint EE Certificate Test10‚"0  *†H†÷ ‚0‚ ‚ÒÃÓ“T¨O-7äeÉï\¹ ”GŸKTÙ(Th4ñ1Œ îÿX€ãá@^ì@ñ1R“©Ö‚ŸBçp’ø&¥úÒ…9¾Œ»6@%¤÷§3}T6|¨©«°¹ W1‡á‰BþEŸœ^ÞʇGM7ÚY±Ê ¾ì0‰ü ©´Zí¾è̹릴¾6à%;mfBzTx=¯îlZ ü˜\O*÷úÞ·eñ8רIg»iýpg¬& ·ü¡2žçW)A]mSÇô1Šf]À$§–s.n`´v ™”%JN†«Gr4Öpiȹò’t…æw\<Ë^µèÀ²‡ŸV>i‘£ú0÷0U#0€0s½p(‚ÒoÏÒ7íÍë#‘Ûï0U²è‘bo5Ãl*yâ3Þ ©†q~¼0Uÿð0U 00  `†He00‹Uƒ0€0~ | z¤x0v1 0 UUS10U Test Certificates 201110U distributionPoint1 CA1&0$UCRL1 of distributionPoint1 CA0  *†H†÷  ‚7ƒdä% ú¤ê¦Ð]äD« —äQ›Þ̪:³S3G7ÙÖxÊ(dÝ4€£¨z° Ïá›­U”v¾c©~qzkæŠ9 SÎ*Ü:;ü“2QN nïggIå-‘0ضôèôáÓ¿YD¿#3¶Ð å`‰’[ºŠ»Hõ¥à|’º¼ä$: ñCh„& YYìo{yC‰¾Lÿ¨:ñ‰<Ž¾x¸.¤³¼~œ+µf»R½e›2Á:AS¿ÛoŒÃçÌ~˜Bsru…§­ÅIÁ åcÆñÎ ˜_¾õ¤ÌÚS Lù Y~õ tr)žË£y«(v¸Žeâ/ÊEÕI././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddistributionPointTest4EE.crt0000644000175100017510000000172615161577363032565 0ustar00runnerrunner0‚Ò0‚º 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid distributionPoint EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚Ê¿+eP÷ê­8M>`ËŠ­Úw¡c®[ccŠÒ‰ÉÖ0z ôs„SøüìÇŒÎ_¼÷Å0Þ F ó[¿¯œt®9Ù3+DŒÝ¤Úˆ2ëÙà\è Ü|РªH½jù6}¯ÈO>ö˜¼%cMÄa̹±Üó÷B$c­ž”œRcñK•›ÓTxö€˜9ˆ'˜ _ªGÑñJ{,%p?MùhØ o’÷ßÒäíŽØO™±U1(Ë­M:U·=ÆB :j1‚"ñ³"A<§GÆÙ”_cáÁŒ¼ì_IˆöÊo™ÿC¨z—°Úx¢ʱVÔVÉTT»Kÿº)-3¬w½££0 0U#0€0s½p(‚ÒoÏÒ7íÍë#‘Ûï0U­¼®;ï "7"™E> ‚qÕŽ0Uÿð0U 00  `†He005U.0,0* (¡&0$UCRL1 of distributionPoint1 CA0  *†H†÷  ‚–+Êjé”­.QtLý0s.’÷çå û7JõQK‰7ßÝÀ¨1ùÐ;òâdüÞ@'ÞòDB*#ˆ½ñîv‘MH:,?k²,™€‰½æ\M¯VùçX,ŽÐqÝYxbÅÀ›neõ§ü¦SÀYdQWÌ @ÎÀPR €Ó˜„†g !ÐE ·FSQTH)b4Kž-$æ5‚ux?G€¯Þ:»u±ÚÃ)¶|ÀgŠ79.1‡†bŸ%Ü“hWªv9®³V/­ýírDÓ¡˜r’$z.Ô\¤a¢8fÓ ‡rcÙiÿËQò "¬vÆž£AdØ™IëöâG`´¥ƒ-7øH~././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddistributionPointTest5EE.crt0000644000175100017510000000172615161577363032566 0ustar00runnerrunner0‚Ò0‚º 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid distributionPoint EE Certificate Test50‚"0  *†H†÷ ‚0‚ ‚¡È/awÛ4T ¡ˆø;Ð¥gþ!OÌÎ’ ÃCvÉ0½Ÿ”P©êK|vλë=dFñ³î6+^KZ¤øÉÞ³ÿc6ƒŠâR‡Ý­~ˆù†ƒÌÊ& ßñiøkm*¹[[%çÌ~Ò]¯åNM Y}±*õ,iTËBŸ'ë¿ŸÀ¢Ç™›¯¨ŒÍêƒÏÍZŲ«^½Crgå¼™r,B¿xÔk;6Ð×-§!ì|d%r¤ýÝ`¥ /t¸¤ „‚˜G×ô†gkÅl=rÞtSŽ$®Jšú[&@ºWÁ4œQÞà@¨ç™Ûž n.¼C™= ܤ}Эù5Å£ë`¡óP¡ŠÓÖJK’V´˜&vÊi££;nrŸ!Ä|LÀ´s³ì‹$ä@öne®ˆd<徭i[渆A) ö·iømNË|u­yaå9Âü`œOAd^,ēѽXãFƒ3ÑœùØòžÉ² »ñm†ë¥U‡X­././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValiddistributionPointTest7EE.crt0000644000175100017510000000205515161577363032564 0ustar00runnerrunner0‚)0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid distributionPoint EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚ªµ¾™LºsqÅ=‹LfJ:ƒì‹ŸÒÏ Âÿ¶ò|äÒ?:à<å®Tæµë·ÍÒÑ–A…÷+á­¯ÎgóTxA#¾3‹z[ªn዇wYIJMÇ0ú%uó³­åÔÇù¨Â"Ää¬È#àa_\‚ÅYêwî f3kÍü; M¥xº;¾]Wˆ÷¥ý¯§ ZÚ:ðúÂæÞp÷Ì1Góß^¤·PÖŸ•Šu™ç:aGœkÕšW)N';#Ix«”éKÞ9-ŒG,üD;Û”½‰jÔ*‡XFX8jP'JÓÛ>ŠBèÿ‘ˆšsÒߣú0÷0U#0€DlîÛoëNIxþÍå ì»`k0U xg»a°jG·‘ý o“1È÷ì0Uÿð0U 00  `†He00‹Uƒ0€0~ | z¤x0v1 0 UUS10U Test Certificates 201110U distributionPoint2 CA1&0$UCRL1 of distributionPoint2 CA0  *†H†÷  ‚Z/ äw„â“xДò—\_Ù`öwDiøA‘<Sè›ÑšŽµV&æ¨õØø©°˜é÷z{pÒ̘Íp‡Z\ÔV¶Þ›9…D¡”üÓõ,ÎþbœI˜bX ‘Ú)CGâ<'»•[.Gš¬¤Š¢X]$ 9Ô¥—@fõÀñ‘úîhXèOûQ;õ`\®©Ä~%@â aô„v"ÂE6€·Õú:`¾‘PÁ¸+´ÍKJT`÷íŠQ·)]1_O•Ïê#/8JÛXûº˜Ü€™ù¡”Q3’Cçµ{ùÎ Ç{I?hRõ±'mt Œ¬sÁ<5 a&,´¼­Áæö«e/ü3ézTý>ÕÈ—ýO­EÚ¬Ïó£s0q0U#0€  zjÿj…‚$ÍÃ&…ø¿Š70UÎÁ& ŸÈŠw««‰'tå]‘,Ê0Uÿð0U 00U 0  `†He00  *†H†÷  ‚ŸÎÄZæ<ÓF±RÙTÒ]FÿÜãçÇW‹Ý|VŠc—ðp1Žñk¡Ä[,Î;´(_fzð¿Ç­ÏÔvcÛ“¤k>®A2É©,Ì"ªœcª£{'¼ÕÅï+gûW…òÅ\:¸‡X¯·§D“@évIîˬä½ÚKS“©Ï+žÝ•º$òߺM.¡*Ýë<é½é“ÄÑô@ ™Q´ÜŠ³¿”Šà@ü)Îê9Š“UÏIì.Ð_žÛ˜t/ÍÖÅøÆY/¶4» ¥K¾öebÍœÚj牒Y4Œó¯ÝÂÞQã G§ø/Ò¨Þ×)€Ý¥}Ÿ É·•®›Mõ—././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidinhibitPolicyMappingTest2EE.crt0000644000175100017510000000165215161577363033152 0ustar00runnerrunner0‚¦0‚Ž 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UinhibitPolicyMapping1 P12 subCA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid inhibitPolicyMapping EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ðÑ6‡#2š‰KÅ×}ŠyÒî%ËòÓZÖļ_[¦ R¢×ʹÐY•WIë-(ƒVlÒÌ„LÙU¢ûG,ú­ÑÓPKzÎã!0tVŽ>zBÐbLQ°RΪFX‡$Ÿ€g0:ƒ#°>¸0\N>Ü£½bÔ°l5ãõöR>d"¬g´æŸODkd5P Jš !ümði•¸0ßÛ‹÷*¿›ünqnW@N€!7;Gëì"!µw¯Y8qÊ©V}Ê6\_•%4]Æíɶ‚Ì€¡ýZ®&ݬnÐÞÊ¢Úå!S)ŒGB1SŒiáaíë^}ï»Ì4VÛ¹~Ú9£k0i0U#0€ª&”d~¼]`Wüp•flç0UÿsjC`Ó´¹F»ªÔ¯rÄ”Ù0Uÿð0U 00  `†He00  *†H†÷  ‚6ž–L#Y í®l¨±ªÖœ4©•Õ©#w!O÷7r¤ 0ÑÉ x‰ÜºÇöó;´veyKåP‡<™s¥ëüdg›º“wø;Ü,ÚƬkÆ=qˆåeƒ˜¦”…-î‚#&&é,5R¶v=Æ=`¯¿«š_Y%—Š ´"æ _(lUií©cÐ|é¹ZU|J·#GQ,bÉ ã Ó¨È»cWæ§ë—_—7 ¼DÖÅIÒÔ– —ª»(÷6je£¤õs¨´Û> Ù|Öé C'‡Ô“⌱ô÷µÚ.KçD¾Úê'æxÏÛ‰‡göô«` ªtƒ/‰9ŠÏJ)äzçS°././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidinhibitPolicyMappingTest4EE.crt0000644000175100017510000000165515161577363033157 0ustar00runnerrunner0‚©0‚‘ 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"inhibitPolicyMapping1 P12 subsubCA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid inhibitPolicyMapping EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚¦ ël®ïçÒc9£Ò}ðêá£;úØ„ü"ý@•Ž‰#ÜTú×æÜÉ; ¾ÉÆq̤|Ž ½¬hÔ”{ýå+UFàMÍȘǃ„㋯’¤Ç¡ÞvâX¸‡xN ºòL"Eþõ+‹¹G¬Ø«¿Ô¶6}¶¢çgU³,ì‘£ÓiÕ¨;3Ø‘$«ºW¤ôGR@B;HT8—'”ƒ¤t½Øç6.eï¡ µD©lôë·…E-dRU# Èt=jºvälÔâhˆËs/ºWfÛCcxu¹;JÞtKB_õÀé®Q™ÀOAˆ×šTpÝÏû~bð`_Š} ã¹£k0i0U#0€×€\‹ŽAvº µsqè£@€tÑ0Uw/z s†2Qqêis«8Âѧ ¢0Uÿð0U 00  `†He00  *†H†÷  ‚¹飈䳅oŒl`þH—µ ×âxE:‚hÇŽ˜W‹=U]¶®Ò=e©ÌM±¢8Dá ½®5 „·PЮ>Ɉ' Ãšåõ0+š÷3«ûdˆ¼²ÂûºK-stÎ)œ†âUwš^ .ýH_ÿ¯1J2ÃAÖõ! {ÆCU’“ sϪrÖ°øÆ0G_,^Te¢ѺOQ¥ªêÙ |A«xLçÿ3QcwÓ ¯‡E'ÍÃw»pt)ƒ/®¦²ÜöˆÉÑ¢QÆöDˆÍVãôðŸÄ~ÖÇVĬ^I÷sÑ)tŒÁU©bœåxxw¹KÇ-'­$ÉVì®ÁžD‘ícXò1SûU././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidkeyUsageNotCriticalTest3EE.crt0000644000175100017510000000164415161577363032743 0ustar00runnerrunner0‚ 0‚ˆ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UkeyUsage Not Critical CA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Valid keyUsage Not Critical EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚·³¼ÀAÌþsÍÍÄ[\ÜØ‚=ñÝ”(¦Ôç«”x]#Þ`œº(Î[ÓÌ\y@\œÎÞ!ú‹‚Eñþ,”øFW4í™xÃÿCuÿôÊ›4w‚¿Rñ~ÌéGâm©™Ëà?bê”VS¥V~…üÌL“u(O.HR‹ï­™ÝÈI à$¢Äl\øAY?mÅÉýÕV±ÒHÍN¥—$ÿ—ø—Æâ-@›(pD6×wCÚ\Ï:,Ó…÷þâZÄtqÕ»À|*®t“BaN‹Ò’|`™IØHu·ð2¢HÈö)³Ó¥f~d“+‘¼jšÄõ[¬Øù»£k0i0U#0€ÁJÙ´+Åp~ÎŒ;bXå»—+s0Už:ycÏ.Ëw%Úæ¥V‚àTKÑ«0Uÿð0U 00  `†He00  *†H†÷  ‚7Ù¤‹Îa3’pÉr¢ÜwP0,E ÆiÓ ª÷¤’!bpSŸ¼Yê+À=YJ)2à ÷}!$±Xë f7{5•ß~¤ª<•Ì,Ô¹rµ£z±;Ñ(AHP¯æÀ ÍfäE|.øVQb¿ë£|®EE%V¡$'lÐtÐkɨ=I Ü©ˆ }_ƒbÊæ+’8(YÀ´um; öue ¿üþ2'âÌMîÒAÌM:”¬‡ÕªËVA:gW&¸.´Y¡63ïdµ4(¯·0¢<\øÚ@ò¬ïF~¡ˆ‡ªzj«`@Î:üŠ#´dc¼0`°DL.b”M././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidonlyContainsCACertsTest13EE.crt0000644000175100017510000000166215161577363033000 0ustar00runnerrunner0‚®0‚– 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UonlyContainsCACerts CA0 100101083000Z 301231083000Z0h1 0 UUS10U Test Certificates 20111806U/Valid onlyContainsCACerts EE Certificate Test130‚"0  *†H†÷ ‚0‚ ‚Õõäk—8j‘Ô ùÿq2kîdþk3TdmÆÊ/ íà‚ÔÈèF°z°½†Æ:lâüÀà =K¢ñP”ZÃRùö¤V%ÇkLÉÈôœêsK}Y©Ì©¾ÂNùS@ß:ïJ¹œÜs¼`©ð;$±êåà×÷à,¸˜eÁqôä­,NZ³?O‰{©—t·¦¥@X“ØÇDQ0Uÿð0U 00  `†He00mUf0d0b ` ^¤\0Z1 0 UUS10U Test Certificates 201110U onlySomeReasons CA31 0 UCRL0  *†H†÷  ‚L"ßùˆÙÄïš7´È§½›ÊŠ³˜}”Ì Nk§Øˆ˜¦øàö+,ûw†5k×Heáÿ{ ]Ú£!òð¨V_¬4Å—ˆ£šøÞäýwrUõ-#Ó‡‘佸h˜Ý«¿ T¹Ô@ ø=×N}0&Õs$œ ½vr ¹þ¬p’·ž#Ap”\xnsè WÈÍQTÄë/† Q…a'V¶Û1íG£†} H´x?»O:ºv×U¨ ‘Q¿A]é¤+ÎK!Àa½T‡$Iœ‡Œ ,ùZ±™MUÊRC_^ÿ?'m Ž ~XIá]…7ږŤ̩y>hÇÙrB?†b././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidonlySomeReasonsTest19EE.crt0000644000175100017510000000217715161577363032263 0ustar00runnerrunner0‚{0‚c 0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA40 100101083000Z 301231083000Z0d1 0 UUS10U Test Certificates 20111402U+Valid onlySomeReasons EE Certificate Test190‚"0  *†H†÷ ‚0‚ ‚±†˜™ëíU|ÎIŠ Tc»n'’õƒNÞî<¤@NPeV¶Þú7t:KÚmÒ¤Âw‘bn>B‡¨o"$!Š™ ÄŽ÷.³)øBá¿Êw]Q¸%™È r<Àâæ|ÀÔ×]¬„V-Ä'ÿtÛ¯ÂCöÛ_ßÞ3¼¼ÛHeÓ:2'—÷÷ðk•¤@š¡9Œ$ŸM}âfÁ)ãw¥‚æiöZы߉|š€DÏl;Ê{ºýœNná)45ßtaeùÃâDÇ×ÊFü‰0ûa^—K¶>â8©vÞ¾lã/ÿ7±ÿî›|ûã‹%a"_ý^2FäVþA@8ñ1$œ‚¡¦^6bHf½¥£‚N0‚J0U#0€¾fÜ ;öÓˆ4‘S& hnÉ0UäCt¼ZÑ*fä,ž2“Ðl†nÊ0Uÿð0U 00  `†He00ÞUÖ0Ó0g a _¤]0[1 0 UUS10U Test Certificates 201110U onlySomeReasons CA41 0 UCRL1`0h a _¤]0[1 0 UUS10U Test Certificates 201110U onlySomeReasons CA41 0 UCRL2Ÿ€0  *†H†÷  ‚Ju¤uãHhêÔÞŽ{b‚N«ìMoÒ¤?Î1 È0S^HÚÄÂFyÉ[¹»é™ßI^=;‰Õ¶ë#ç¾nÈà)¶ó¡Ç x^ëÉfåü·åq\°v÷!3RŠ°föIžz©ï° X YŸn¡ÉëÇŠQLnMœÌû--P¢<×RX<’Æ«ÇKF»¨7Ž”ÅùëvÕ°»Oh¼ýMêY/´ôDð6EÁäÄà&+èà3qDž0ñ /ÄÐa]&Ô ŠµÍmñâ…_þ+rKÈ(ŽS¥&c=°ÿÀð} ×)Œ(Õå®Ý\ Xû(F0ÂÙ©Eðþ•J²r±ì¨¿ CæÀ×–ŠöÅ?£|0z0U#0€¡í¢ó5T¥Ÿ¼cæGjS$lJ r,0U–’ˆ·6-®&' † KðÐ|0U 00  `†He00Uÿ0ÿ0Uÿö0  *†H†÷  ‚VkæÄ4ó~ß`iö'0Þ `Ãø‡i*–ÍÍÜtÌ™Ãͧ¨¡Tå'>lŒ£’Ŷ}Ö…~š1BU‘#AÆ%Ø*{gÿA9aê(Íø÷"-ø¥6~Bn_c˜§OÖØôíNZS ª¡zŸB././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest7EE.crt0000644000175100017510000000163515161577363032476 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid pathLenConstraint EE Certificate Test70‚"0  *†H†÷ ‚0‚ ‚à\þïyËLÔ$çwõœ8ƒRÈk¹Ì5il’ó4)ãá.¨{;Öô^¦]œ©]Ìæ¸Q†‡oïbw"öUZ7HªÏ“fð$Ü:ö|°É’'…ðš·Î[›(gÀÆ…`èÜléu,Õ5ÂÍf]v¨6.,øÐ)ÅABéÓ–ÿ‹r€8°Høq5ZêˆÿâLk û%V°^¥<ÞÁ²5…Vô|ŠtÙÃ)½¤m87°k4”>Á¾5A«ë\#D «¶%¤¶•»’D¾{“IAQ!Flcø B¿±u-èAè.ç£ëN5ºWvx4ìÆ.:§ù¹A‹kßæUÐɱ|8Ÿ£k0i0U#0€›+²J<ÅnPÉ"½cÎ ñŒ=ú0Uy[_'6§®Gê¡Ý*ç’2+E50Uÿð0U 00  `†He00  *†H†÷  ‚n»ktºî2jE+ãjj³”òrv¬LQéGIUÔ˜Ã~®Ìoƒ«˜#®éÅfÏ¾Ä '/•U `àÊçŸj«õØÝu?µ;îÌpµàD(öÙòG€@ÌAJjÈå±ndyÏE§×e)ÿÚ1{}¤È@Ør–C[LíMõÛçÙjj£,0㑹hS•žHxb)’|S]óC©\Æ–ÔqoÒHjß´%âfXwõœžA˜)c•öÖM벱ʒÝæRl–ü«4Î=êdmb-?œW5^•»4^KÀ×)ξa ,…=£‡6\µŽB¶jï°$eÀç܄ɧ×ÅÉ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidpathLenConstraintTest8EE.crt0000644000175100017510000000165615161577363032502 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0e1 0 UUS10U Test Certificates 20111503U,Valid pathLenConstraint EE Certificate Test80‚"0  *†H†÷ ‚0‚ ‚½á?V«Ø3˜ˆ–"¤5•¶Ì¾-*›5´×ڂС$U<Ÿ,†}qurWRŽI ÊÃo…äVP(P-@)øþd6 øh<òc)cìàkZMjÕ¥"£íÞþvn¿b•xr½ð†ºÒ\Ò*Š!+'%¥Ùaiñ°¬Éú:.Zzòjâ•ñ{-ý謆Ê$ÇuM€œxññKðÁÅ3bQ‡ïµY œºŽ·¼å‡^cÔá×_@VÙÆ (“)ìTê°éýD\de—EIr¯aTgÓ­&™Dý`RƒŽ¥././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/Validpre2000UTCnotBeforeDateTest3EE.crt0000644000175100017510000000163015161577363033133 0ustar00runnerrunner0‚”0‚| 0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA0 500101120100Z 301231083000Z0n1 0 UUS10U Test Certificates 20111>0<U5Valid pre2000 UTC notBefore Date EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚³˜Ö-} »1ÅìQyKê‡,ôES‰åo_4)ƒÊn¹¬uëÍëÊŸ„ßÆLÌ.gxKùé›%ÖH(Ê„:N½#hh™Pbi£ÌGDB²VX{Òíˆh©7%€ó±hflÞIqF¦`ÜrÇÙòAY£åÓj”žG96òT…{sÄçŒÏ_Ðžë¹ #G¸Õa±u ;9œmÁañÏ,7yƒbE_É»kj“7ªC¢5}Š(àŸ`;:ïVÛ‹!BAceû³¤×Ú”Tè/ø6 5`Ûîz"¼ÓQGïéÏÂŽX^EÈåÑ <Ãi-ôô¶÷Lß]Ý­äÓ£k0i0U#0€X„$¼+R”J=¥rQõ¯:É0U@o¨¬ÐêüPÙ]ûVu%`Ä›0Uÿð0U 00  `†He00  *†H†÷  ‚ç´ÊÚ \Ò’5™Öá#éuÂ,ì M½7üx*ò˜ÃÄý•4ñ2õx`3‡h ­îžã ƒ0Õí4§‹ÑÞF#o™;bŒ!ä$˜ Ù ÙòmåÏX$Žª’Ð)ÚÌO2îß›ƒž¤:ce˜º+¨Wt&eÖEs1¶.+[>&%û–»3ÝdDDõ²u×È£~KŒgî¦:‹†Û…§qüU‰ÇõèÛÕZ=/Ä@„5ég”ßÃëŸP$lø@£¥5‡þìsçMâO1E]!LNÚí ¼¼0>2uIÖ¥W vkº»‡P^Ùq~ì/Ū¶ÆY¨–k¨è®Ë 1x <"{â¬ì7y…˜5!+¾Â(•ã8hI€â×9Q ••Þ$ß4^Üóž_F^Û™¸éxÏÕHËœKvEø¯Í7Á[ `S¿Ò¨Ë#òòz¾©qˆ“žàŒÅÿb•¯)û‡././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidrequireExplicitPolicyTest2EE.crt0000644000175100017510000000162515161577363033366 0ustar00runnerrunner0‚‘0‚y 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy5 subsubsubCA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Valid requireExplicitPolicy EE Certificate Test20‚"0  *†H†÷ ‚0‚ ‚ÎpnÃå¡Bç¨p X:Fé@¥(uoPiŽ5¦hÍÐz†9­~[£/ܪÞ±&̾çý¸éc…ŽŒ2Šƒí-ìÏKžAç˜ïù´IÂ¥†Ú"MÌrºÆ¦ÃšáÉU³Á{ÿ̾á÷&°)§ÁŒáß‚ qL­”·~©Ol½'°|Ý­)üFUp%TUP†u5þùŸòô LýÖ0FÊï¼ß=¤lËPõ‚ÆxGââÀî$Ȇ£5©V±yaMãÎÑ»î‰ WñôQ³Â‹::I©´×JG‚pÞD 4]ªy|-«ø¡ZŽ5}ÈZ7üL ÀýØo£R0P0U#0€úbº½~^_ߺ¾y7‚Üü(0UÓümô\KqÙfèµã:b'èÄ.{0Uÿð0  *†H†÷  ‚)ñX]fÉMXm¼ñ°í΋vFìD“Îr:DË;ÑïÊh,’ù{6 NÄûÄþV…¾]ÁŠ¶¬ÁiaÞVïÒ誻ÍÎÌmáê KíÉÍÕˆÁW“µ¤Þ ÞèÐqÂv¬„Ý´‘Ißâ–b^Dxj~¦2èê,FEžÎß³ù:!Ý„ù÷Ý}@*'®—¥†)Gó#:t0gä–‚ÅW$n¤Ì1·–Ì•4Ó23â„Çu¯a ²ª³ÕÌ*UŽ¥E`—Å2ÍEÄ͸ð轿²ÙÁé1`ç%ßN…v£˜­¶!½~o±u˜Œ$q'dh€MOÂ!4Ù(WÛ^././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/ValidrequireExplicitPolicyTest4EE.crt0000644000175100017510000000165615161577363033374 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy0 subsubsubCA0 100101083000Z 301231083000Z0i1 0 UUS10U Test Certificates 20111907U0Valid requireExplicitPolicy EE Certificate Test40‚"0  *†H†÷ ‚0‚ ‚ÞÜC,<¹œãöÅCý,e Ow±$k^NÈ f³© ;Ï©©Ï™ ßúÆ=o­[Š#WtçÆlú]æwx}â“ísÊQ&¬«ØëÜø—#Güú!· Zþ…=Ó°4Ú&¾ãæÙÓØV"©D8•àÐä;+-$kü­8R"é¨Y(Þ¿N‚ý9:~J?˜à02Æ_ vd€šsšŽ2x:è 8R.§LÈp­¯<;bîò•^®@*ŸP£Ô¶Å—穬:õ|íŸ?Ü­þ~Ј:)ÀS'‡.$ê~N¡U[o†ô Öò§i°¹™©Kcþ’Nå#ßI±£k0i0U#0€µÛÖÈ /ZAÇx£D‰ÚÎ.kº0UÒ(ž‰+€oôÈ›ÄÅâ«Ó 0Uÿð0U 00  `†He00  *†H†÷  ‚“C®¿$¹{מ¾Õ ²0.—Ïü6ŸûÊ3ȼµ îð¥ÿn9ˆ¨´¾½@ ½¼ì²bò®I¸¿ó=Xì h+ΰ7™h½ z·‚ÿÍf íU±áõ[AT+ªÇ²ª.1êZŸë—ïˆn+m^X\.x©‹€ï`ÉÐ;¥suô³©Pè´˜ý07àêb4á‰R.ìX[DÍÅ먛#¶ƒb‚ÚWyRÒ{}»ídäSƒí.Ò(‹²õn7¥XS¼ÎÚ¶ÛÔ¶É6½t•r›nÊÉSï—T©^ͪ¹&jtŸt"”ÜS»•Èkx‹j# uJÙË././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/WrongCRLCACert.crt0000644000175100017510000000160515161577363027371 0ustar00runnerrunner0‚0‚i  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0E1 0 UUS10U Test Certificates 201110U Wrong CRL CA0‚"0  *†H†÷ ‚0‚ ‚·Òv¥>}öÞ!B‡ó-xÔ{‚ÂÕt¤UÛA`<—‹¥£mý_´ßóŽ’W‡y·+½Nök¢ä+ºŽ­eµñµŽŠ•‰žZÿK‰ô%²!‡n„Àƒþ.É"ƒ µo÷lÞø÷ï/]‚»oÈdâá{Ë¢è ñíUi<ÒèÏL%šé˜f¿ÉTwYR³-dœ¨®`¨À×ÍÀ˜J4qÆt¹©îó–dF}_FÕä¯ÚÁÈÔz· \I¦wÉ_5 9¤ §¾4“jÐÔ#8y Bo¨¸È7=Κä-“$¨¹û¿V²H‘”Îò0ÖÊv[ég‘>Š¤X–ª-ùTÖíûÖÀ£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U %Fà‰zQJ¯5¯ÍÄr·¨0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚7HŒ’ß<-Öýâé°Äm Ö0šÓdŽ“´SC ·W—NÍ9}*ò¯xtbe;]\7?‚a½Øb·>/Á¦!WÂÌÜ ÆáúNR§ãó:¼Miï«n\2 5p§%{E¿Š»à‚ïZß–§‘öJÞç$úxéõI1™¡î„:ÙwG|ðšp¶©èéd÷A€O S(’…Ú'Ì]j…­Žó„4P¯Ë˜:––,B…šL “„±Ô. Û`(ª©~Êç¡üo‡SšúÁò ü Ìh·mÌ@Íä¢(çtá`Ì1Œ…2_ÀD=èÕËøšmº‡Ã2–;2âxÆÃ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/anyPolicyCACert.crt0000644000175100017510000000161715161577363027706 0ustar00runnerrunner0‚‹0‚s &0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0E1 0 UUS10U Test Certificates 201110U anyPolicy CA0‚"0  *†H†÷ ‚0‚ ‚¾è'ÝO4ÍÀ¼ñ^>)³, ç¿àQÁ«©§Á›ùáyuËVÓ­|Ô¨N V¢ŽnŠÆÉÅ1Ï9Y”A£á£ô–3b{¯¸N8¿‰&3Á˜B>LWŒ×4…È¢Vœi?Z^7ç< f‹HûÝY1¡âFê|ï(ÛƒÜ i{CMnz›C9©o›Â«ü::.û"ÔÑÕNC“i‡Üt?8v zvŠá>ÿœYqÙŒP¯œÍ{w8C'«7«)#™ñEqv6-&ƒž «J©¼ÞUËëãÍüÔëwëÜڳ巟$ÒãmN”B ð[T”D7WoÉ v[ Á{£…0‚0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U»ÉÞÈ•çB⢎®\«$`~…0Uÿ0Uÿ0ÿ0 U$0€0U  00U 0  *†H†÷  ‚=u ðNv¥ŒÌ9ù€\Æ,üxÎÿRdùìÙVÝãl6ú3%f¿Ø±|”£ÃnÜù©³½›ó}É‹®{‡­Ô£¹Ý£•UœþîìÏ üÏóÛ¾Â04Q‰Jjï€TÑyÕäXMéŽâÈþ[芸¾€nK«Ÿ]ÑѱS¡€£LS;›8{»áÌ¡Â@±äM°õƒñË[Fží¡_ =ô>‘ORG æ×VÿÊœz6ìÑú^¨•´ìð¯ÑÂK¡ãè³5Ð&Žò:ÁrÙûúŠÝ3sÒóK.WMjë°f[c:ªSv oˆ.ÌÀ°ÿw{ã°õÞЫ£i¶–ßÁ›üà././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/basicConstraintsCriticalcAFalseCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/basicConstraintsCriticalcAFalseCACert.c0000644000175100017510000000163315161577363033572 0ustar00runnerrunner0‚—0‚ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%basicConstraints Critical cA False CA0‚"0  *†H†÷ ‚0‚ ‚ÊÑ;—îU2q° Åög)È>G«ëYÒLö0ÖX`°É¶–-H¨ºˆ®Fé;½w„„Å-¦no¥jb9Æ‚–kx¿œc«óŽ-Ù1½eNÙþ©ý@ŠïÙ–Z·ÐÌyžåöÉ[Ú §ÆšÄI¬MeÙ¼ðæ‚M!7÷‡ôdMlâ?ܼ45â'ç¡Ò±O…Ÿ–gÛe¤á¹ Å›i 8:ðQ¶ ºÜ;]ï8Þâ<¤/E§œ’Áó´Þ å[ÆÃ:ò:ôßüÉ’ƒ’, à± qr}`fÝÊS«“@¿±w‘ ‹9öÙ?uíؤ×bƒ‘`À¿‘'þ­òšäg£y0w0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UpßD/™sò6<4Ð Ñòí0Uÿ0U 00  `†He00 Uÿ00  *†H†÷  ‚Kçn nqPPööî¿ÈÔS©õ üh5Ÿ5î$ñxÁéªú«þÖ]o÷PדöT¸ÇÈ[Çí¼']fv•†‘#(q³†]ã¨P9,ºé cmjWã½÷—dÚ³^ÿØ‘þ«Ø­› †½¨R}@´w±¥>¥Ÿx&µ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/basicConstraintsNotCriticalCACert.crt0000644000175100017510000000162615161577363033404 0ustar00runnerrunner0‚’0‚z 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0Y1 0 UUS10U Test Certificates 20111)0'U basicConstraints Not Critical CA0‚"0  *†H†÷ ‚0‚ ‚®Ä'òz¥É¿\°®swŒÆœOéS”ºO=sH~ñSHl ‰“kžø€ò„×RjáÝѳˆT5[ûÑOFo0÷c„‰í$\­‡q:[` w椺ôÂgMìÄ×um_T))ê¤ûbëÓ‘˜W`´g¾ ¾›f•éD™x Oe°òWŠZa‰¯Ed…þ°fKd¨1˜UøãUÅ€ÒMî…ÞA=!òTVÊÝ̵Êom8m"=™} Yƒe•¸¾™S Ú &W^ž^c#[6 ŒÜ^¹öxûyÑn‹ªyJV¿òŽ5!Õ¿1ò·Â/·/Õ§ßM²üˆ££y0w0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U ¤¹0C¬CÈ4ÏïUè¿pŸF¯0Uÿ0U 00  `†He00 U0ÿ0  *†H†÷  ‚R¦i>æYç$)‰ ;àVøÍ>§?g;V¸á†±á$÷¼ßn’pŒ+ïc´Ò FÞIDøNUA1ŒäNÇ>á÷†Þ  K ô ÐãYäx¸9ò°v9º«RšôòѦe3›RŽF‘÷·/¼àL^LMZÏâývÉæüé¾xSA©Û*}OÿH*/¯½Î–f¡Ak«µ-÷Ù¹\ØWž.&–cŸ¢‹ŸÙŠ%7©ô¢‰ŠYŸ5T-“jd—ÌÕE¦1Û!çÿ“†E…@xúÒªÐ9}¡å`w2ñð«Òé%Âô$ŠÔ¸kÈ!s¥ê£ˆ?ŠV././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/basicConstraintsNotCriticalcAFalseCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/basicConstraintsNotCriticalcAFalseCACer0000644000175100017510000000163415161577363033647 0ustar00runnerrunner0‚˜0‚€ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0b1 0 UUS10U Test Certificates 20111200U)basicConstraints Not Critical cA False CA0‚"0  *†H†÷ ‚0‚ ‚ŸA0¨{:§R§ÐÈT=+6L.€ £ucσ.tËHó¹Hg`B!Š×Úp£–ÍX?žì»ü¢ÈÆߦèËp9[~ÙT¦²áÐä_TdŠ]û_ à¢Xº¥˜&ß8<ŒÔ  yh‚P¼Ž*¿Ä%Dˆ-¶žEÉ ; …NLbôíúè°ª]Ñè~ìݵY&ó.Ü× Ö‚ú… Ô¾1€"Ï"çM³X/Í[î¡"l-‹æ]€¡âµjÐôÓ›æõ¾Ò@|‡ÈZè7v½¿ÛæЫ¢éŠm¨¸¬Cx™þÍÎDfpd;Y\D<ÓÂ]t†èLè¸$9 o£v0t0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U9Л·O)7¾Ó°ŠvêjžÍïF¾X0Uÿ0U 00  `†He00 U00  *†H†÷  ‚u¹?˜*ƒrk¨Æ98*€MMcæGÇ—zšÝgò8œXE:¥ƒwó~܇äý éx­)AbõÜÔáêxô­©“•æ‹“Ä#ù£±Þ]3ô¨Ó¿TÓâ½³Ý1Ï°¢RbàY"‡GžFí§¶¬¼»ä‰0~îHâ¹بÀ'ÎSøUØx³†@»TYÿ–Ç‚)ðô®ŒYgµ¼)U‹ ,Zðæ°gfì¨4‡%KGöâxºÐ˜¬€–,\SvŸ[±‰fd_z %ÿ”ÉË^I¾¯Ç*væÐÙNbâ~±j,c±/ûˆ^0ÉÞÔHŒfâÐ%É`#á././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/deltaCRLCA1Cert.crt0000644000175100017510000000160515161577363027447 0ustar00runnerrunner0‚0‚i [0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0E1 0 UUS10U Test Certificates 201110U deltaCRL CA10‚"0  *†H†÷ ‚0‚ ‚ÍC+G‘Cm #[mq#mª¦á~‚wc­ˆ–^ßm\‰\ßäÄG¼›ž]£XK§v«ˆÂØç0¥Õâ;Êp¾Víiº2îyñÛÆlä'ÒØAlÜ8¦˜ßÌá=†¿ÒŽÃ¡Š)hI‚¥¯ßÊ§Ô e©³„ºÛò¹D®³@s¶Î*Ʋž`«Ñ|˜š'뵌Ò"i ô®‰i4_cˆ%D\¨u—CÕëuä€ÕÅË*X™ àr~]íï^²!À§ž)œiZÉ»¯F+‘æ?0ïŠó¢H „g.á:ÔµÐo×<~F Šœ(w8|œæ¤ò…‰£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uw#åv„È”?‚Ðêt±à¤/30Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ŽIj˜/ªy ð|Δ?¢]ñš.KH6z˜Fì…ÿ¾Ô{Á‚sï7˜´TUã›-\Ô€µˆÞ“å1LPÅgȃ©?#þ0ÁT‡} Yi{l¡&íÞ"\Q›Vr¾pƒsîÐ`Ì&ð£RÕ¸“b ¨š@µ·² 2¾?HqyY3þÏâ¡Â/Vs¸x0þÓO¿ h£Š(Þ¼u¹µ ò@ÿÈÏJ™i_¶D“E”žƒüÿÜ-õÚ:ÆÚºÈGèðö» øû˳̥G©hW Þ3uGÆ;>þzã ‚rT™ñÊôôØç¿»Jdâ·ß0././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/deltaCRLCA2Cert.crt0000644000175100017510000000160515161577363027450 0ustar00runnerrunner0‚0‚i \0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0E1 0 UUS10U Test Certificates 201110U deltaCRL CA20‚"0  *†H†÷ ‚0‚ ‚ù†{*Šœ s9v=骫>pB³f×vÃj9amÂCôà~‹ÝhX¯1¼Hø€ž>×®WE¨‹P˜|Îê¨ËËqE7lrO&T{>!5µtz†Wµ€£S¾¾¬´•Ê··Èf ÎïyÀÍÓ%Qú%þt†Ì­¼ß bøl·üèäéØGq@jrß6Ïó:xf9`Yõz-]€Ìô7wXó€-ÛL¢¨ãôr~¢€åœ0‰Š3f—ò0½ey£)ìžúóWgiDf€9“ÆÖÐæv5rèìÆÀ¤¿j_{[@è‹Ê8q|¦ðp΀¿£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U|Øö¾LÎÏ·?¡»3«µ×ûÄ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ž‹}ïò¤ÞËZ+—­t÷!ÐTëÅL˜ ·Ú 6 ¿p‡~6A¦3ó¤•9DWi·¹šªLÛ•¸É·ÓMh©kî óÂ8CšÐß…L ùNé®A3ô¸$¶e˜¨6ÊÁ4£ùÿæ;W¸*îúá)ÁN^¬òJ†—_líõ‚óQú}~?@Ôg:Æ£iÓR-¼•Œé¢Ã?Üò´­Ò‡5¡}3›»«U»uš¦0ÌÐ éeä¹ zšÑ$ ãJð ä™Ñì⇚­–~é:G^ÂóÚLƒ«ñ‡ñº1HÑ‹¼ªµC½°Îòøjt ¼VÑ ¸ÝÒÌ2îÆAôŒ ¦Æ‡m}ºPÌIì”Fäzf Ãw温!l³ß©]¶]ªˆEàŽe(ªK¦¥Y2cy4›*û‹|!SzÙb»´ê1 ‹x„®hx‰³–£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uô8v%«¤ãÀÈuŒkc#¶Š0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚)ç}¤·ƒ—å¶z½lbéôé@ÍÄõDvõÕá<£ï¸J{3 _Ð֤߰ëM'?äv>½ÄWç! œ‰ø±®¾ÙB¿†=ð0¿k©Ò}‘*,Ú'Ä4”lú2¬1´Q¦`òí]NéÝ£êÀÊ[ŠÇj^%—Ü{9]†"¿é/jŸþr:3@ÒH/¡!Ô¾nföƧ—~¡úþ„óÀœ12ƒº–¯¦ûê´銺²©åh SŠt70ò¨)7D …. ÅrÅäŽbÝËSd—j¸öézhÿ¡a„»³¢u¯¨Í¹1•édtš2^jtðo././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/distributionPoint1CACert.crt0000644000175100017510000000161615161577363031550 0ustar00runnerrunner0‚Š0‚r J0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA0‚"0  *†H†÷ ‚0‚ ‚Á c)Ðë¡>&5Äìžii_äHÙ !+kˆÓÛ÷ç´áˆú ‚ òþz훲d_ò ù¤`,M‚Ö¹#Ñ–;­¶Ôj ¨Úë`ÜsUÚ(YUäûn·£°Îz‰$÷½8jÉœûíFf=ô†8ÎaÁARƒK[—÷äñEf|;8.ƒ‹¿É@„þOé×åBíBœ ×¥¤C*o]ðïÕjëi¦L.ü•SxL¨ÙÈo·_ý¶,èþÙ … ªúªUÞ:¾6Rô±-æšôj±“yèŠeèœØ—iŠ CvÈgû=4¢8þÚù>oºM_¦¼¾ „ÚêzÞ­£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U0s½p(‚ÒoÏÒ7íÍë#‘Ûï0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ªñ6‡ ÇèF«y'2˜í®î“q»zê‡8ÓÙŃ|Ö l§oA¥e9¬©ø&]QVlªÍ‚Š+ýÿíÚ5¦ ½Z‘%úäBxùþr¤ äŒEPB4iÿgYú²ìŽÖâ=O–ꆷ ZeªóØ„µ8é•ä_–®º¤|•ü–qŠÝ²Íñ£ÝÕkÃôÿÖ{ôjïÝn8Í´¦J/ì‚´•HçRÒõö«‘~ñ"ïÉÏ4gÆDãíý7üiûíž&ìuŒyfëÑJϨ¶æ~€® ;ž­-ƒ½UeÕSºC ÓúÒf›K`bá´57Ø Áýi®Ê3ñUèfµ` þ?5././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/distributionPoint2CACert.crt0000644000175100017510000000161615161577363031551 0ustar00runnerrunner0‚Š0‚r K0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA0‚"0  *†H†÷ ‚0‚ ‚´6,è ?)çùìÜ|õåçFT! .b‡(6ñ7^fýý )ˆ Û•Þ·]—äG4~°ò¬r¼¤q;ECfîñ•&y5¬¨<›6yoz)2lj×òíRÍÒzâ38ÛÖA¬:a¢Ò¶™+³ýU˜K@\*zjb'dõý_¯,N™õJ–Ô‹ÊÔzLJ“ íxå‚ìÓ…ãÊr=„û’©›©(¢ ìâº'mÂóĈ:Ò¶·õ/ÄExCv«ÑPæö¦ÌЂ{³ £ÏïaEÃä©IˆaÖFϧ¶:1éf€øÒcJbÁ9ï~†üÊâ×á™HÑ{£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UDlîÛoëNIxþÍå ì»`k0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚R6}—ëíuŽ;ŠTEóðÞA§kÃX’ ©H€"Ïýü:„,_’75fùU2ôÅ ÷àh¿¡¿ìübïÚ™‘!Äœ,"bN]@<ÊG°ëB& &óÁ+çÉjf‡U©˜TÃWVcߦ'­I0{í#ýÀÄÁ~¤½ƒ}ôÞÝìþ<îÛÊß¿ÐQxB â~7TSϹÒÙUÒ2Rt€e¾QÖ–3Ș*óZÅg!£A²NU3‡oZA@28qÔ蟑0‰ÔŒTT²‘öçf\|éð¯öSŠÜQ¾ kÖó”Ý£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U%ø¯ü¯¶©yKÛËd,‹K±Í0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚µ–/Àû¹y@.5eçXÉpCrÖ%YK+Ôºá#r€Ð@_‡ï0E±úfŽ¡„AÄ4E91}tôz€Ñxöã:y»#Ó ôeNÆ WضC[,Ä_Ó;Œc¢çbäÚóÒ\€ì_­Š›†‘í£åKùv²SÌn ï Šæˆ mut|øCòL¤H¦¼‘À{~÷Œ!MöÅãŽñS©7»=HVõyL”r` ‚·@2))N]ñ±då\ø$< ½´û®©®û XüM‡ö! YB«C"¨ÞUyQ}u~:NØI¯Oæwh¢CnëRç„ÅÂNuðU”}>Öž2O ªPnI8¿EîŒÐr././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/indirectCRLCA2Cert.crt0000644000175100017510000000161015161577363030154 0ustar00runnerrunner0‚„0‚l U0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0H1 0 UUS10U Test Certificates 201110UindirectCRL CA20‚"0  *†H†÷ ‚0‚ ‚¶ÆúùJ>Íjò¬„È… g˜òoʹED¢4ˆ¯rµÑìª2F¾—Q²H?ïòæHõV/$šßF«¹PÌ®ÙÕ˜ˆ2¸¡ÿó ½½ý#D¤NpË£uí7 ÷ÿ8VüÐà_õ€¬|dǨ†Á¢€{êmeë"R@7ð(…]Ê`ŸŒŽ£Š[x©åÂ5+ÏdhUoÇ<=P‡›ñÀꛜ  ÐKkæ¸_NÀ÷‹¤®¶xŽjî_Ü°­Gžö2¹]EÔ5?#eZ‰žIûÇÄßEÔ³~¢\u‘ñ‰¦ƒÒ°À¾ýYϪ„ ÀÐ$jé‹_¡»7ýæœ3A£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uˆ#á³³òlþ1©¾‹aª;’‡¤£0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚9wm=zhD+¸‘_S`*‰mb®‡½þ"D~±ã‚íkÆ5‘»_Çë ž£¤óÚ÷Õ¬U;F— #tv Í·Ê‹­?3E”…\¨ *)1¢b I|Ò#¯.T‚¹|¥%Œcˆ[A¿šî ëünÌS—6‰#Ü@=uèV:µÒrÏ›LD'š ½zÂ…·¤ ”=oÙа?®U3±µF*•P'”»[…&ž>­óÔ:&êp€Ù¬GºæËD_äfHöÀ¹„s#Êé95 CV$³˜®+ _ÖZìõ4jõ±Àü®ÍoK#4;çL±|#,6c°œÈ›Äç)0Þ‰ .././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/indirectCRLCA3Cert.crt0000644000175100017510000000161015161577363030155 0ustar00runnerrunner0‚„0‚l V0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0H1 0 UUS10U Test Certificates 201110U indirectCRL CA30‚"0  *†H†÷ ‚0‚ ‚Ø+yN(Ë;{q'ì;žæV˧O¦† ·ð«hsoAgs¼7%Ïy3}‚$Y/ìHѧÿ•Rk×í¦$ ‡Ö×BÐ*Z«lå: DUY[Ég­ìQñ :Kàæ°Àóþñôì=þ‚Ï`¬)“cqg!;ýXIAÒ£¶¿ 4®ZY½íKxÙNІòûè[ÛË?ï럈‡N<ØAèô9;,»HR´ÝÀ¶²«¶zºYøt®d=ð–RàlºЗíõöô‚›·qÇ|„ó¬njY†Ï.äo:à5eö¿ç.Û…eKR4ç‹èŽœØ—g¦4—éБ‰¤éÕ£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UH“T}Äm0ÿ-WEq$ßLŸJ-0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ÿkP¹òë>uZ [sÒNFÔªT×]6vø¡*‡ý ó®ì^[„Å‚Ï|¬å*ñÚÓõwES&ç d2C?ë $–ÔѨ¶’FÏôAÌ»¡©ª×jÐd²ß¯½åêþ?årÐÑô°s¶»‡‰£éeáôLm¢Æÿ›È ¬ÏiQž€1Áíy™ôœn\Ë`È‚óÌïq¦ôË1Ô~ÌõK–óx#>ëéïöîºuJƒ îúx¨Û}s b¦dóƒ» uxik‰6»¹Ž9ÛN‘lÆTV¾¿Zð²ÝFýÖ¢áÞ-sçe“W¢w¦ÏÅ Å?l././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/indirectCRLCA3cRLIssuerCert.crt0000644000175100017510000000176215161577363031761 0ustar00runnerrunner0‚î0‚Ö 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA30 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer0‚"0  *†H†÷ ‚0‚ ‚Äæ×䥱fÀæÚ:ét~@ ôÚY‘JÒa–nîB{XòFÆÆ{6+÷88ÐÏÙ¯#( Û°×¼fêð+Ò+ÂaÝ&=Æqg~6Ä.ñ»»lì¬9qöû<§Ò¾ò"Óa')ôX:©u^¡"§5F§ð¢ÍÝO¨‚½\ÚÎâ nhÏÊš¬8?kòÛ2û¹Kúš‚TAï «ÐL¢ J­áƒ¶ðpbõˆÎslÌûås4dÆÔxþÐ^2Ày6ÁpÞwÒ5„ä³ÕÔÚ]ú¤¹º'óÿù¡Òéó‰Ów¡qÆ,ˆq8MÎNVìÎA(NÂÉz[UPó£Ø0Õ0U#0€H“T}Äm0ÿ-WEq$ßLŸJ-0U‘Ñ9˜ÉïOTeŠR-| lw0U 00  `†He00Uÿ0jUc0a0_ ] [¤Y0W1 0 UUS10U Test Certificates 201110U indirectCRL CA31 0 UCRL10  *†H†÷  ‚>ã?*/øƒI†¨®Ý¬‹açý°Åyêp¼=±;1ÄIà½rÍõ¡»Á= Ñ‘ñw`ôhl00*R<"Ú?EG,†¿ðxJa©;›ÿ³Ó°ÔÃbq Æ~{œ¢†=Œo‹#Ä€J|‰ÉA*–&/Éðƒ¡$y{iÙH:œZv¯ªgAA‰MÂÿ =O—Æ!£?‘©²×Y¹p$ær³…,«É½4§‘¢Fg†8ë»4@×3K/¶yŒ—B²BÑè§2x¯ÏjÐzÓ¥(«&Ë ãß64þS“á¡öb„_8tO Så ³ûJÀâ'jÒÖÍ*4ŽÏ;2‚ O o'TÌ5ßRnè3¡{ÎÈÖ *áÈïž"^Ò€f‰’HïG77ÒÈDÎ,CB’¢W»õV8†ª8+ˆ–XDÚÔÞ+ˆEÚ&Б2Å=“k l•2O¾cm=3-Ίp«šÂ¤"Q4ž'ZHw“dÇw#ˆ•ï©£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U Z2ê” ¨ª/Éã.A‚è·0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚¦àoûïÍ¡!UzÅâ)%bì!7uΆ%‰{U‚þxá.=2#{å!»¨˜@œáeÐñm\Ùã¨&вaîù‹kb »V~b«ÈÆOJWɉh½m‹Ñ…ñÎë+¦u¢õ¸ç Zw|=Çe¦Ÿ'ûÜ< /ÐMFKúl¶K3ÏŽ„í-´F›öd‡<³«zǺͷjO\ 6 U»°Hc)` gÛM]‚Éžj×m8²-¡í¨­M`KžŠžTWÊ3˜ƒYPÕÿ©Xq½’øæ„$3·>ßAR’Ãÿ¥gøÊ©.„éU?]—éõ±g6†£Vã`>ìy _././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/indirectCRLCA4cRLIssuerCert.crt0000644000175100017510000000217015161577363031754 0ustar00runnerrunner0‚t0‚\ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA40 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer0‚"0  *†H†÷ ‚0‚ ‚½Åã®´™žûÎI8lÜ4•~± ­*âý„GA¯¡añ]7xüÀ¡[¾‹›IEŸ^?¦©{KE;ÛÆEÓ±(+.\ùqw‚dÉÝHbÐ|°æ¦%6çï;Û<ž\ž™ ½<š*â»ñ§šf`NV€w},N"I7Ÿ»÷²Æ“ãZÌÊ®N'8µ'oñKH>ûÖZÙ<ñªŸôeXQ‡ÌüÅ£‚]0‚Y0U#0€ Z2ê” ¨ª/Éã.A‚è·0Uóëm¹Å ¤ÚEÿ¯zG¯À¹0U 00  `†He00Uÿ0íUå0â0ß „ ¤0}1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer1)0'U indirect CRL for indirectCRL CA4¢V¤T0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer0  *†H†÷  ‚žNväö0¡Ð¥JNôÑrnµ’Jk|ÛVË ÷{h¶Ê1ÒGGëتX1mNK±ýã«1Š !oŸ i°÷Š„ÂÿžúÎi"ê¦5¬¬Ø×FîÖ”Ó0Ø¡F¦´è£-Y;8Ùý÷4(¼=Y©¥r°$Oþ"&(d~‹ßyÇ2®›o—¡5JDCýíàŠ’·Iž^…R•?8Ÿ jTs¼Ÿ$rGW–£yfZ:1j˜ÀóѺh 2àºqÀÍC/=§ó>Ÿ hÑö┚)Ž_|././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/indirectCRLCA5Cert.crt0000644000175100017510000000161015161577363030157 0ustar00runnerrunner0‚„0‚l X0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50‚"0  *†H†÷ ‚0‚ ‚Чœ‘Fá¾çŠZÎ.¾þcìßÆ3áòWÁÞHÑ-‰WtìpiMÒœ¦˜“L3³–’)Z¹û·M]©¿#uÏøfÓTräé¼Ó£8C†8ÙÁyœWËfúië|„ QZl ¥WºIÄ®f¿ïÒ@r…É 8æB‚·1FéT ^eXW‹*0_jyäŠnÉ¿ÇÅ·š‹MÞù"©´––Ô°¶än#N’/lŒ•ÃC¬]’¶L¢ÍN'#ÏÀ>u±Ì,1¨pï®À³MdÏTätËà»þR‘÷?ªÀs²’GK5×ÄqÈ©Ár‰ÎCkÁ¡úV‡_³ë«èVüæyÝ°ºdç»õ` yá“å.pñg¥—ª0(»ØúóÂ<ªì ¤RØŒ‘Ü~EA@°Ýظ۪üÏè }?G2Í•í|q£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÉ £l-wOÞBô ¶Þ*v10Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚XÀ¦N)êᦘŸÏE窖‡1n9¨Ë¹ëE1 êe¬\4TŠ ‡…Ê^ܬ+ò X¸‘Ì¡ÌêGë¨ÖOk)¯ï¦³bSA²‘z“«Ü4%ÊÒÞÏ6§Õ©äöæ:+S%Å¡TÁo؉¤<£ºòy¾KEÿÆhÝ.Enð«ÛÃÌÚóáP슰ez^ UýÏÎ °¥ìEþ>H[¿ÀþÕ[h.ˆ]nÄoŠ­?;ÇüSMjóìÛO›ð :,`æ–î!âŠôЛ‡Ýu4£Ïe†à O™“›††õ¡ã/#„R9&ÚJ¾H="¤*[ûûG,¿1././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy0CACert.crt0000644000175100017510000000165415161577363031276 0ustar00runnerrunner0‚¨0‚ ;0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy0 CA0‚"0  *†H†÷ ‚0‚ ‚Ânј£jÌÕAÖênõÃÔ{}ôVâB¼}ªÕ˜ì ˆ›-ÆÛkN£H4±Ý”;¬rCÔÙ·Õ[ŸXk”^WЫt.íÙ«á,ç_"ðŒAd%ìw`X¿Ñ‹vLÂÿfJò)µMÇ9áò¢&£›ù$óåë!úz­'/>ygþ?2Í[FÇáž —ŽaÈ//dLŸfi(hòTcSšb×aAÏ9£ ó¬Nç²³txY¨²PŠ‰#@ü“l͈þ8rºüA O ‹£•ái÷Öh/Jt·ÚÛþ/u:µa®&N‘'Yû]Ÿ—Š™ER¦$«ëŒ !X9<›\1ëû£š0—0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U  zjÿj…‚$ÍÃ&…ø¿Š70Uÿ0U 00  `†He00Uÿ0ÿ0 U$0€0 U6ÿ0  *†H†÷  ‚`²ClbÛøZ¦ŠmíÂ>Àñs&Ùöy,Í?édÉ)ñVín¤ß’IîKæÜÝ‚ŸBðÁ%ÈÌÂz ͬ»Õ&*Œ¦ÃÅ yæã/…­¦ìê´b×xUhÜ)Ÿv(t$€˜£Þv»E ÏKC3 48-q(å£ãîKÊóý£XJ~N|ÑÂÕ_ãâ$9ª¹ÏûA ³x¥/`Ñ,Á‚¡©ˆ b ÁÎ61éhn·cûUs} Ühwÿöhš5eZ v<ºyõwÆý“OûŠã6÷¦—³!¬£Ëb¿§¯ÓéºÈÊ¥!kl€ê½ICÊËÁ‚ª=êÎè} (l^C8ŸT././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1CACert.crt0000644000175100017510000000165415161577363031277 0ustar00runnerrunner0‚¨0‚ <0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0‚"0  *†H†÷ ‚0‚ ‚ë0o—\T@ÿ›dWÅœRšè&ø/<ÆP¯ö{úB,ßDQ=ºq 2´_5y€_±PÃúÏ/Œµº—ZwÿÉãï#Ëùš|¶0 oCæåH»Mù¯èóRa±½›&L½(ŠÅ¡M„aÙÒ⬆gÖ)¹]9ªÈUX]võÚÜ‹6ûÿñRMà'’:OBÖôR¤%$Þ¹r IÖJå/$s³”¯°$A—SÐ_#Òz2Ã,q2TH0y  üúÄ“i _8'—øNÉê²ño M‹Û‹…HÎgÉØn˜µX˜;]¬‘²þ bÔšãn.xÇØá¿•ö>èÙA&]O{£š0—0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uئž'—ÃŽÔ!× ¼œí¡{òÓ0Uÿ0U 00  `†He00Uÿ0ÿ0 U$0€0 U6ÿ0  *†H†÷  ‚4^.u{wj”¤û]«.ö]3<{ˆ=t‘ŽKÕÀ×OŽ•‘?ì3áó¢î…ô.ñª—64e4j㶠R¨üãO²Ú¬¢‹„«õ³tѪPYUf ÚŽ0†Z]Ì.ÙEG‰ Fc)ptq¸N_ s]H£ÔbïÿD èÔ•Œ&$íÇ t7½Y ²‘R9¸*Û|ÉNÆ¡[»>šl[ÃÅA\è®#\éÞ˜ˆ§ì¤I£êHõpáSN7Ó>‘Z‡/©ïOtõÊ°b0Á¸[ŸA—-&Á]¼HT;¾‡T¸úÐ{ë u¹I.„Eu½÷öxå¸ÈV././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1SelfIssuedCACert.crt0000644000175100017510000000162515161577363033264 0ustar00runnerrunner0‚‘0‚y 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0‚"0  *†H†÷ ‚0‚ ‚Âí'龆¥öߦ[õ÷:Â3ëR–eÓ.l2gj†œåi&ÜÙ£ §b¼ærÈ·x"Éø19®ÚÂPY呆ÃѤLäë÷- úÿ^"v¥á5’Õu9þ;k&“H$NªÄÓuj’šS£‘õQ‹—&ºåýÈC­óC¨t¿J“¤UÕ­–\=¼Ç&Ìô…Ô-ë"`«áÑYÅ ¦W¨6nÑ`ĈdŽoœYª§‘Ûd‹Kcdk‡¹{?°&4‚àÙ#ÝýOý÷Ñ*áOlÒ ÛYº&'…BNz‘$êÍ!lV£db¤ ×^Ãö qàÁƒ•š†^:‚9Ö )Y£|0z0U#0€ئž'—ÃŽÔ!× ¼œí¡{òÓ0U@©Èï²a4•Dla†©æA®_Æ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚v3lK¯—ë.#:%Ko$¢e¹1ÃûÿM@b*Ðð'óÀFÅ¥õÞÞq}Á§Q)'—$ß C§Ix´ñ,Ñ Ãˆ”Ë~ËXúëÃu€™:ê80c'ïT–€\=Ô¢Ô°›¸Op:ŽC&fHÆÇ'Æp=Uû½úev.š„ÂÑž”FŠzŸƒ{Â/‰™R}§P?C¾ 6PßÃÐtb~$?âd–€þpXaP‘4§K ßv=óªÂ¹q( ø‚ÌŽUÿ¬§®÷’k£/×—¤Cç@ªßHÀ1—¨ CæÀ0Òtý:\¾5u?ÀnÓ¬à…2rÌ1././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.c0000644000175100017510000000162715161577363033514 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20‚"0  *†H†÷ ‚0‚ ‚’@V‡ëUñìã›—+>€™È ÕžÚÌ_c`è©t½I¦éb—ÅQ¥®ØgDÃÊ NÉR²HÝöÃlù¡…¼ÚN1ýBâü¥Ãƒ MJQË_7Á.°m’Š.6 Á32báœ)£² `¬ƒ“ÍC½Àçid6.êN0ú;ÃÎ2ÚŠœŠŠÎúFcù"ÚØ®7• 8ͬS qV­ª˜ÈS’:†„éé¨RÓÊ„Ü3GI3õebTQ—×”}Πⳋ¿“ÿû%\æÚ´§¯‚¥ŠcIFxô¼ôÚÉ߆µØÛ›øŸLˆ`|w\ãÎZNVÉ–»å&ïS[ê>À7d¸‘cÔ!!SYùÇG½à®ËÌB‹Ó¾}Æug<\¨././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCA1Cert.crt0000644000175100017510000000162315161577363032066 0ustar00runnerrunner0‚0‚w 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA10‚"0  *†H†÷ ‚0‚ ‚É\e eqÕf“³h٘Ϫ×e )•þBÛãZTªü]Ýb¯#ˆesK&¦tÍ-¾ŽU~xŸò#ž¶)YóÆ(fÕÛ¤×-ŠZ1¯õµòœ#MEÂó–kŸ„!o‚*Cq BÒ…E_CHèàËâHéÜY·¼‹ëQÅA‘›ÌoqIÊ&;0L[³!û#Ÿdj¸1Ëï7„)ä }¹,2ÏZÐÔ¤ôæ®\ôgþÀ\)K>#MÖ³x1pª›Q¢+óÉ|ø ]0@{å|£ ÅyÈæî.ú+{ŸfoíªÄš:Äêuå©m×°ÎDÄša? £v0t0U#0€ئž'—ÃŽÔ!× ¼œí¡{òÓ0Ut ÕXÙ+SÒ+°Í]qÆ¡¿C§È0Uÿ0Uÿ0ÿ0U  00U 0  *†H†÷  ‚gÌÏ»G½ïŠÒŸ«õEÓ Â!¯øôr²Íʼޑ™ R¶:ËÝâšÞÖ]» ¦ íé‘Oߌ{†¬=—î}~zÌ·?NwL˜³Q®5 ™UäÇ@£ÀÅŒñ8ñ.Z¡(?B¾Ò»£å°‘qz‹/ñɶ-°®c(ªwü¢oò¨5#õ¯AñhR½‡{.C”•–äK·"££8fÈk‰fÛŠÿƒ¹’’ÑS­“öà£hX]2_uªaã¸ÅfÿÆ^Ñ$ñ×IJRÇ´¨Þ,äè¿ø‘Ü‹ gÿ訩† DlŸ Â%« !H~mèíß­d{ÔXÞeš93IYÑêB././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCA2Cert.crt0000644000175100017510000000162315161577363032067 0ustar00runnerrunner0‚0‚w 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20‚"0  *†H†÷ ‚0‚ ‚×™n!?ÊÄèkÑÀW1aˆXTÌñÙòÑá,~bNiÐÝ¥|5÷XS´þ‚j`NÍBË5á´op_Áשo0ðý,ÇÚ½z¥Gé&ÚÛÛ¹su~ñÜ@aÚæ€Ò½mHäNäüÖ7‰ä7ÎÆk³™¼³RÖÛôå¯1U<ÒNŽ[~HøÊ@çºN›¬ÆYÔ°¦Ä0@´]H¨‚¥ÿÒì‘àø5¾Q¯Ðc=î÷C™†ª×}Á] dÓÛ g7i‰µÚIsÑ8sŽ}J÷kÒç/B2m­á;Á ç…é•C“ç5-!kù»Ë˜³2R“Ò>bI5üt£v0t0U#0€@©Èï²a4•Dla†©æA®_Æ0UŒÜß~dÛb¾ÛKQdŒjfØ\££0Uÿ0Uÿ0ÿ0U  00U 0  *†H†÷  ‚Ufã*ë}·-&' ÷ 8¤ûÅX×FòI¾£©k¯øˆ«uY´'E4ÈßA­uí‰ ]­¿¥fù?ÀpW%þKè¦ùöÔnùÄmu¢àlyYO2l²¶]‘˘t¨S´#ݽ? ãÆP½ÊN2iãúΛƒžO?FZXÂ&ºbz.§¼N(æ GGø¢‚™ 8x^1'cUUU‹Ù©<ì…ƒö—®õò 7µRcÒ=«®À¸X_Vi;…™–o‡cñBHSÃR:,ò)›¾FõG¯K×$¤™(j`¤én&­˜åXï™SŒ ÓLÙî]äïL././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subCAIAP5Cert.crt0000644000175100017510000000165515161577363032431 0ustar00runnerrunner0‚©0‚‘ 0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subCAIAP50‚"0  *†H†÷ ‚0‚ ‚»]ÿ·e”†ÝPèAxÛè¶ÝQš½+SIQ•+ðâgZº1I”´&ÿ«1#ü‹Z°ø¸;•XÑ>²7iËÆ»cýY{÷eŽ­ªµÛ”õ71Ï ÒâÇgOöË[nõ£Œ0‰0U#0€ئž'—ÃŽÔ!× ¼œí¡{òÓ0U‰Tt`³÷n aŽû¾R&0Uÿ0U 00  `†He00Uÿ0ÿ0 U6ÿ0  *†H†÷  ‚"Ë.ñlàÀ ö” ïCn:ëÏùYœu»§°Ö®ŽïónƒìQÜu²§H âµã/+¸¶ú‡á©$ÂÉø@¤ˆ¤ä%j[²¾X¿MAóBÿ¦Ø‹øM°X‚1hfvÄ"mê0tG î} úšŸ‹ã¾)5kK 3žž³ÕÌðÏ”ë-逸nu–û§Ü[ÈÍÂsÚŠWÁt¶\–“Ù}ØdSXW®sÏ:O Ò亄ÍÒ×édâäØI7F6Ê:}+‘ ù íwÚdqQÑù>rCÓSÌ–·–Ÿ Y%tÀA˜Ï½q¹/M¤• 5Ïšë0ùÁxYª¶éEjW™^²././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy1subsubCA2Cert.crt0000644000175100017510000000163215161577363032601 0ustar00runnerrunner0‚–0‚~ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA20 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subsubCA20‚"0  *†H†÷ ‚0‚ ‚°åؽ°NÔÃ%Ê‹^ºˆá2…ئPä|ZbÐ@_³Õ‹à»“ NC&®kèuÛuBÊj|çŧõ=w$c†°"qÙoKˆÈ¡ ñd{‘wè´ì¡ ÅC@þŠü«èÈsÉ抜ÂçéYŸ7y(´Ø›Å 3ܧŠÂ¨ýõÚgfä^µØÚpœóÏ»CVü¢¦3Ey3/Ù0ìz¡Û07ש”rc]«·mˆ^]“1½› QˆœøPuEH"ï¥EJ…ÙtFz[RòQåÐjïÌ-ciBtN m*ûû9`Ʊ ñÉî"ž±ú‹‘WþHÉrƒ½}F°s£v0t0U#0€ŒÜß~dÛb¾ÛKQdŒjfØ\££0U}ÀœŠvùI3÷¤KŽ0u•;èˆ0Uÿ0Uÿ0ÿ0U  00U 0  *†H†÷  ‚³­Ï° Añ¬t$OŽÎTâ@\ö$üž°âÄAsº¼Ã 4A$GA@ö ‚ì]þÝ3/æä÷¹4<ÜîJÛ!€“{g*þ+ýªš¶Þ"–ÈßrϬ@<™qvÕ6„g¾þáxUuÎb¯;žò‹R%_tRuäßMÒêðÀwY„{ @üè“Žø2x£ØœÎј¢‚qŒ·eÕæ°ÉÓöÍYj«ðÙ˜zÅ©ø±a›A4˜îxÆ-Ê”Þ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy5CACert.crt0000644000175100017510000000165415161577363031303 0ustar00runnerrunner0‚¨0‚ =0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy5 CA0‚"0  *†H†÷ ‚0‚ ‚ÝH '¦+î˜X .çM À÷žuí5 ê Qï´ÒÈ¿¶Ð?è¼8™cí³·½býQÅ€Ìkº°fÉeÙ ®_aB*eÞfå™ sÞ  ¿W­œ4®Þ±áæGXݲ€€ –' &ò×4Œ¦»*RÓSÜkÝÓ+¦Z òW׬®<âexÄï£[€>°u$;êÛ åç·hð\öRò<$Àøq4' še(Yuiå¥$™­NCñè:j‹+ 3 ?¥õ†o‡ú=ðËúp߶­üØG4¿µ»)_æ¡"ÉîísªÑÄqäÄä]Á²,žýÛÞBÕðL·ÈÄ"…— Ç¿ye£š0—0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÀ&çiÖ|ð½ÕªSeùœË 0Uÿ0U 00  `†He00Uÿ0ÿ0 U$0€0 U6ÿ0  *†H†÷  ‚†Îæ08³Ô]pMsq Û8+ ÝúŸƒ:Œ®©;7Ã.Õ@m~òÄ…„&Y`C…ƒƒ× ƒã )±Ñ60çI‘¿œ7ñ'5ŸúëÙü ZS÷{ á[ë)ÚF(£ ²E–ѸÞÂ9P¦›§)øôº–B56F¡ÕŠš¸G qT%Ôöþ÷ä›ñšMùdc¼†‘Í•¯K@%y"K¬$ÖZÆ(ÂÈÍ Òm\Û£Œ0‰0U#0€À&çiÖ|ð½ÕªSeùœË 0Ul™©¶ë¾pI6LXš"舅/Û0Uÿ0U 00  `†He00Uÿ0ÿ0 U6ÿ0  *†H†÷  ‚w†‘ÚélÆ èÕàm-7‘q ž–:iM£íÞjÛä‘%G§“_:(ÉhË=Ü™õùs½ï7å Æ«-úW8ÿç6h‚›öËZPóÜ9Ê‚"ÔØyËi9@ìs9|ƨJìäј c0ÄÌaqéýÒî'O§GHò"A/ž{-äºnôFv/®ÅçÖF ÊU„´LúÐ#“`^“ÀT~†Çäp† Ø'°¶Hj[KÜ“ÍÙ‚¢%lŽæM',¸ÕŒVåv2w8k)iyVqSÀÿSãUãúóŠjð5£‰‡Æ8¸BKg€cŸªÏ5Ä´ÆâBœòL././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicy5subsubCACert.crt0000644000175100017510000000163615161577363032527 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UinhibitAnyPolicy5 subCA0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UinhibitAnyPolicy5 subsubCA0‚"0  *†H†÷ ‚0‚ ‚ÂDeþ!ÒÞ^[ºXãµ^€jöû|¼h}‘§‰›ØûXi<øùS5ó×nm¢üy ‹'ÆYtüÎú˜•)7>»[úžƒádv»«ç-¡—Ÿ/<¬Xz¿T¤E—$*èÝŒ"Çê¨Å&î8¤Bßæ?£}Ýp À#Å`µI!®ÄØùJi/¹’äO€Oür.ƒæìޅų€Ô] 0Ŭ¯íT'3”u RÝf†%DL¸)"Cµ–yø/“gX Ñý&ÀÊ;qé@ô,UÂ%å5/.WEå£|0z0U#0€l™©¶ë¾pI6LXš"舅/Û0U1á?übn€eÍ©y+n‰ZèÃ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚\O±fºÖþ`<+™^?–¨G×7G ׃õ‚((y©XM!+.‡u˜kr˜mú”¨xs­±¦' I¶”ÎÌ8./ÎûU17·¾?ÏO xã!ŠÜŒRE‹7µg¬r$@%×ɬ€qR˜½¦Ó5Ò6ÿ¸"ð§$Y¦‰âSÅ´L< ÙDÄIÙA l‹&2ò²•lMì21jÇÁ{±aõ¿£æÝÀñvt9îËu>Í /”|R…ªƒöÖþ¡î%óºÊu/aÄ# ™íÖ3 …ÄM¾ãÍ Ý±¦ R0ÚéË´Ä»e®€ E¨5^]Ô3'^˜ÊÑ:@ÆX4ìA–././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitAnyPolicyTest3EE.crt0000644000175100017510000000163115161577363031324 0ustar00runnerrunner0‚•0‚} 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA10 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%inhibitAnyPolicy EE Certificate Test30‚"0  *†H†÷ ‚0‚ ‚×\ùã¿ÄQ§ ‘“•Èc‘‰É¸R2¼n_M›`´@ õ𼳉¤;ÿ<$·ß¡KcªŸb`^ÉZé>ôäÃ"Ãä¼ܺ±ÏåL"‰Ú‡_¡Ús4kƒ ,IW%¤Ã+„TÀ6x<7…#é‘¥L9·LÙÛAˆ.iŠ*­5 OÐ0®Žû6½Æoì3y©:…k™Îhœ_x³<Õ Í¬ºÏ7å¥i~»v_æþëŠàïW9Ü€¶›$T©x¹š2LN Êã’E±WhÂÕsÛ(mxò…bAãN”ŠËñOy2ÃÚóŽíÛéÀ¨ý=ÒxbÂÍ=ˆ pm‡£k0i0U#0€t ÕXÙ+SÒ+°Í]qÆ¡¿C§È0U >^m+ í ãOAñcµÝÁ’0Uÿð0U 00  `†He00  *†H†÷  ‚űhÌÄ[âñ,¢Oà:*S!´¾” Ù, )ëoj3 ¹¨¸Mnï—w4a“«›ÿØ­Ï7;[µœÀ~†ää²*~6,ð-²¥¾_ß1$”x1,Š‡HLîº%D[«”*ÈMÀÌ)ll¬¥vÒeZB2ªüì‘”œd–™¥+üÿ—Û0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚\Ä“2†èˆ<¶y¨bÿÝF¹ª&Ã謼ò;d»»6dn¯Cñ‚ÿ”qkBÜûj#Ž’ÄF .ã;‡„±–ždêwQïE7¬././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping0subCACert.crt0000644000175100017510000000171215161577363032647 0ustar00runnerrunner0‚Æ0‚® 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitPolicyMapping0 CA0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping0 subCA0‚"0  *†H†÷ ‚0‚ ‚ìqýò´&–½§›Jð¾µú惱´àt‹jåx>ø–Ò#ß^º ¥¼¿¾¡%½Q™÷òød.Iù •ÃýôNc«E«fvéÉ CºÂ{pb ù ÚÙ\ùÐëÿ^¤khWªöFoò]8äŽÖ‹îOñ'¯'‹ØW wL¡ÖžnÕ+};?¤{á+å-äêq³XñKcg¼¼ògî}` s6ëíÊc¥3‡h nž×ezì­ÍuŠJȔႃ“bJ´ön/G^]ò³qÔ­oÓ…ãUGÉ*¸„ÖJ¼»z0ŠÀÖñ3Æ¢ôXôQüˆsJŒGŸsµ¹wŽ7­£¥0¢0U#0€X7&‘„`¬îö@>¥+üÿ—Û0Uÿ´sbR\–:Z®¼¸²°X`—”)Í%àæ^:c:¬w—T=ÊPÛÕÛÙmͶc‚óÍœ¿Êz\_£¶$Èîä¿îÈbµËÒ ÅÒb“þäpÌYùo$c"¸±­ÿxã©Ç/“4“©,·?Ú™ä¶-Flópú~4­›cjƶߡq#Š­ÿÁÍF˜wcü§Ox°&b•ƒ„ ´büI´^Gjè£7caSq[¶hv’¨…EOÃRíвaC¯}ÛBÊÁcØŽ&MJ}qª$îxZ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12CACert.crt0000644000175100017510000000167115161577363032425 0ustar00runnerrunner0‚µ0‚ 80  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UinhibitPolicyMapping1 P12 CA0‚"0  *†H†÷ ‚0‚ ‚õ#œñq㢱²Ž p"†¼mñžOZŸŠÄUö¬|.ƒ™8KW0ÎQ>Koµkˆ³°Æ«Ð0F §»w¾°=ø=#7gJ@ßq þ»ò#“-oávͲOtr£EnA$䜯Ñ‹¼–xW?VâZÅÐȇ|T9é“lŒñ‰J‰xJ7\¥¾æãö]Ï«Þ¾TÕlùڈРɽìÏ'Øœ ЛĒ䎃Dߘ¨J£ù‚Ï_áô¼œÏJ°¨å ÉT/½ò)–-d]AzOI!)^»jDj$dºUB+ÔÏÛ¥¡e!?¼!µùÙIéÏò©Þ9TÁOà ³;)o[D( £Ÿ0œ0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UMg~Ý9¯è&Þ4x±uÚ¤0Uÿ0Uÿ0ÿ0U$ÿ0€0%U 00  `†He00  `†He00  *†H†÷  ‚+25˜à›$dtu·Ê+órÿ£Ég5¤³]ç"’"úËaà‡¥Á¨dvž€2µ©ggMïþRy÷¢wMq§Î£n¼g]Îv#üd{ÕÃW¿º…ÝÃeJñ:S¼Gº¼µViÁŽ-÷p/•c/dÚ¿?[kÂr€rFCŠz;%1óöº±x ¦XTáyð1z›¯ö¦üƒI­±’.¥…k…Ù†pžð›ãü¤zb²aþÂI¤<åk.ÌSeIZ¬[iø:˜Ak5)CŽ`STpY»‹øá ‰<|µæ\¸.ˆ‰z¨Ê¦ÛmòŒ’Є‡îs¨U‚˜ÍÝ%Ï«´ŠÄk‰÷žm£Í0Ê0U#0€Mg~Ý9¯è&Þ4x±uÚ¤0Uª&”d~¼]`Wüp•flç0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00@U!ÿ6040 `†He0 `†He00 `†He0 `†He00  *†H†÷  ‚i‚íñãù…'BWfOxã×~~1~7èóÓŸï#x€Ô'Ô HŽßò žtVÂß)7Åàlìa(ê…›'wæûRŽêz"·6¢Ï!×!s½8 `ßÌQ¤ØR¤‹Ës¥et!`pŸ×îêódC|ªcÖ‡zÑ ÉbV×À E|㈣Lì”\ÿÑ^úXŒÌ[HÛ¬[H£šIëÁ¤•x ²ÚÚ ®Å5ñJÙä<-{ŠSÁx¯/:æ`Þúl\ ïídá°úq¹Î2/∵“Òìw›Àäª Ž3!¢ä*§ï:®¾˜S~/é ”"™© ·Ò ž¶¿¾!d././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subCAIPM5Cert.c0000644000175100017510000000171515161577363033223 0ustar00runnerrunner0‚É0‚± 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UinhibitPolicyMapping1 P12 CA0 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#inhibitPolicyMapping1 P12 subCAIPM50‚"0  *†H†÷ ‚0‚ ‚½ƒ®€Ìä‰ÁÔ+>cØ|Yr"ºpƒò]6 R‹*hø „)ÍÅäóýyˆC„VK?{%K2ªQ)k'ÝA4zµ¢/èÐÇrÌ›]Áæ…"x½ñPg%ãï]6Í´ó©Ó囎U ­YiK½FgmŸ.¤þj@sö¥¼ù¬¨T±!E‡Âè: ®%`_â|`dö(< 1qÅ$‹ïòÑH˜ó±µ¤Äõ­[=^¡e°óL„q#?ØQíŒùÈå嬚iCŸÓ/ˆí~Úr[/c£Rwôž‹—NAU‘gõðvj+ò[QKíz,M_Vh8hu“¤pöä ;ßÑ£œ0™0U#0€Mg~Ý9¯è&Þ4x±uÚ¤0UÏv'";Âô‚.îæÝ€{S0Uÿ0Uÿ0ÿ0U$ÿ00%U 00  `†He00  `†He00  *†H†÷  ‚>ÝW¡RÍVS;«4¶Öc>匢ò>;¾+Põ0 *5ÌtKñ%3¹ó“dŒS%ºýª[|M(Ö­ƒ¿Ë¢Á#=°}§-â›zjô N¶B5'RÁ“´ 𨸼è7÷kHå°Ëkbàëˆi«àbàÆ@§@àHSýAÁî!h_A ÄÐf5?ç¸IêìIˆº©©%jí¥Ù§„!®·wSÒÂU^Èöt1b¼âïN^ÞcËú«ècPÆ’•¡ê%Œ›÷H˜ÀÏ Ó|7³<  šÁ퓺ƒèí·¯£ò¯üq ŸÍÿh½ºÚ„àëü¼Ûå]AÐà,G+ ýJàºRû././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCACert.cr0000644000175100017510000000174615161577363033470 0ustar00runnerrunner0‚â0‚Ê 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UinhibitPolicyMapping1 P12 subCA0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"inhibitPolicyMapping1 P12 subsubCA0‚"0  *†H†÷ ‚0‚ ‚ãTAfÅRfÜ9o]Ç”ÈoÂlè¡¿¼9Ûy™ñïPOïóÿSôH$¤‹SømEu©Îºœ~6ý—úª4ÄuµÙžÑ]@¼wE»x|RLðæ^wö)¡‡®_ò¢7¬E›ô†M;‰N G¢â£ÒõÛLƒ…ýèZ¼ôeT¦D¡MCC2úàÒ¡ª#ÏÚ ýÞ‘óÙê‚5ÿZ2 Ñ.Ý(oqK]4°õ1WOÄ„ ß+B÷¢çIW!Eü~ع 7—·„ÛÐD«.®ý¤1S:%:᫶ð)q(ØdÄçúòŠ¸§q9Ú¤m ü °³V#<ú"•lh Fýö®z‡]£³0°0U#0€ª&”d~¼]`Wüp•flç0U×€\‹ŽAvº µsqè£@€tÑ0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚S&ÏÂåÊøÐ8¦CM:“ê£0}ä°TÇÆT:tÀÙY <>ÕÅsÀ¹f4R˜ÅdåAr¶–øY•G¤ÞÚàD=¬_ÿì`Q&Ѓ须Ž <˜fe~âÔ„ÇOÅï¶@zhá8k!§š;w.R+Âl&o¥Ópý~€˜ ½WP”RvÞ¥û¿·b÷’:_Ãìþ.òÖÂ:€†à]¾óöªœ¹däµ5ÂÌåå ›<—¼4KBrpçT0Q›ÊØæSyKÁ¶œàÕAq¾çÏôŸ+Kë(„Û¬\†i…es#Ÿ FÁ´ã8m‹F‚=Ž³s¼Es6šÙÑ././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P12subsubCAIPM5Cer0000644000175100017510000000175615161577363033335 0ustar00runnerrunner0‚ê0‚Ò 0  *†H†÷  0\1 0 UUS10U Test Certificates 20111,0*U#inhibitPolicyMapping1 P12 subCAIPM50 100101083000Z 301231083000Z0_1 0 UUS10U Test Certificates 20111/0-U&inhibitPolicyMapping1 P12 subsubCAIPM50‚"0  *†H†÷ ‚0‚ ‚ÌbvǼ«}麋$*aÄü„ú`þÜ0öˆµâñ5ÿø}¸èr'žó.8%¾<þÂë#âOéóÔy1h£"ÇÔ{=ör‡Ld|Aܦog0»Œjg.-ìÉ;¾É¥œæc½–Ý—CÇüìØòd{Ë‚te/‡'FGª´Éw}5ÅHÛƒn(¸(Ñvᵿ±pFQ¿¯#•f:ݤŒ—m€û¦?sZÇ>5ù£Ü¤EmW– ½k„s:^o³`¦[´­f¸8Eº¥Ú„v„”ùœ›¬N£¶~—A-¾¼'ác~&Z¥æOúú¼bóTÁI£³0°0U#0€Ïv'";Âô‚.îæÝ€{S0U‡5g𼡠6º¨)í›[p0Uÿ0Uÿ0ÿ0%U 00  `†He00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚$Ko Lž„5¢(›èŒ>¹éÖÅÝY$¼X¨½‰=Gnâºê×çǯ’–æèJ;‘¾Ò Ðfö³`Ð1`è /ðõC³¹¨0>˜Øk0nøõ„êË”à&éò6|o•³ÊY4fÐm;­T®gyî6þ½Ó°û7˜©tVµÌŽ¿¯9E=×Tà}1vÎE(c¥Ãê ?d®’f¡ ËÐmpæ!Á:mÄ´Š0Š?ši¢»Lñ†ðIL¥¡Äiz:,©ªà Jflìãòœ6µÂBà¯&üú8Z4LJ¨K9™‹¼hÒSxØëºEBøçxŠÈÃy =Egÿ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1CACert.crt0000644000175100017510000000165215161577363032342 0ustar00runnerrunner0‚¦0‚Ž :0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping1 P1 CA0‚"0  *†H†÷ ‚0‚ ‚Ósr•\[·<Þ•ywì·åè%þ|Úl\°Š€ÉrP„ªQŠ:áC_YAY§-,ô·@(›O;Í›¶Ä°ŒOí¶sŒr%y+4ÿ8 µÄj=%ã:í%eî/2ò.ÎfÉœŒÀ¨œœ–îN tnäüÅ3•ƒçKv_ó}”ƒÚ% j~GPáÙë™»¢.GK5ܼçÍ€Ço¢«žjæPÅŒ¸Tä*ËÁë:É^G7~äzOïh¶í›tc äš6Ç1–j«ü›ÁFg)'kÛ7½QLðÒÔa†LÊ‹ºšª*Û¼sSÂ˵ÿ$!¨ù ¼dÔÜᣑ0Ž0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¾¶½)¡Ù‹á¤€hƒ(­Jð0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚‰[f}\ÀŠ + /Kd¬[|\ÙÈ• “Ô(ù*Ò]y4gïøb0¬mÍá]¯abE´Í[~»ýùTR ûqwn´Ÿ˜3fêé—íÁ~€u«’Ë°–“+“ùzЀß$ßA&®–9ë±7 {Ôêb›r±Æ±]{Ðþ |˜¨HcsÄD+™oe˜Í¶ñ̉{´7‚ŸE LÞ Ù—ÂE˸\Àlšï,OªÍ/E88å:dUÙ A8cäÛÍ=ŒæŸTN~o=ŠÍrcAwhÀMê‡[.@ baš)$ CÐ/„‡0߸lcØ‘[™¤Tgé ·—½-ø‘ó././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedCACert0000644000175100017510000000164315161577363033542 0ustar00runnerrunner0‚Ÿ0‚‡ 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping1 P1 CA0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping1 P1 CA0‚"0  *†H†÷ ‚0‚ ‚¾!ºÅŠÆœO&¨¼¸«2¤×©L-Ü}3fx6TZF_1–·tê¢ C¯[¥ˆ“àW†eåIÐrAdÂLM-3Fö™±4Š›ÌÓw4\?Œ¢×Hûw†`x{†ÿ1 (‚°ìf!A²](òîpMê³¥#=®Y³G áþûž–)pë£zùYìËê¿çÇê#è€þ¢?3ÝÄlÀÑöžî%HÞšLuƒ¶iC/²uÃÉs§0,•r×Ý^½?¬C€ù¥¦Ñó!j¾Ò‘ä·ø÷5ì£Ð™¦•è…dBüyMÃß«VÜUhLÀ¹&ÛÉQôYþ)ë£|0z0U#0€¾¶½)¡Ù‹á¤€hƒ(­Jð0U—ÌB^×øD‹³—Q’Ýl;!Ø0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚(÷¿~8wÁX¯|ÐÕÎGu¹þ¸,Ÿ¶²‡c_ú)dì<)|óá,Üë=wôÁÓ?b<½8}T€ªj }+pÌq'Ë]áê! B•yG?Õjç¯uã“[Öž‘·mÌÐQè-‘VB–Å(E(ÂîEc‘ ùç¹Õ3Ä#öî¨_À„UdÍ•@j)E´:ÏO@R“ÓµþþC gÕ° Ec ×G7]Fh∸yM¾€qÝ®&µn4b#[gDÈŒ{˜Ì½‰(R„Rí7sôërG«²/¸¤uzµ»Ó¯^0é-õל[x~kä=Øý3kµI•m<ùiDaÍ0r././@PaxHeader0000000000000000000000000000021300000000000010211 xustar00117 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1SelfIssuedsubCAC0000644000175100017510000000172315161577363033540 0ustar00runnerrunner0‚Ï0‚· 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0 100101083000Z 301231083000Z0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0‚"0  *†H†÷ ‚0‚ ‚«µÎÿãöô«2ÒéùO!±¾dèÖ g ‰2K§a:ªæKéPli6 ^“¤ñ%ñlwˆœŒÁöŽÿÃv·õS‡©í-ÜåÉ¿H¸Ð|å{ý\$dõ•ô,ðÞÙK°0O«§©S1SïË9×{ã>ýu1æ6 Š.3º|j b¤¢Ÿa÷àå@SJ7hY^úlÑà°î/ËÅoç"3VÄ4¦CÈÖÐd%T%Õ[U¬+:LÒ-H¬B×Û$æÅ1< hT¶%ŠôfÁõ!.V/’Ò,Ó¦9.úTïJÕJœÖáJÁrú›[¼ë§ëÙàø¤£¥0¢0U#0€óÍ?ƒ0ÓÇbÚæÊl¥±¶€Ë0UY¹ldêó®–ê¶Q\%;Ïíõ“0Uÿ0Uÿ0ÿ0U 00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚L”|„zTKñ&ô’{æ7_8ƒ¥˜ ŽÔ#¨ÈÇÒ¶fþ×ÓRÿq%]/jKýì:èE)æi&¾Ú{ʾ¡Õ™áÑH€)‘óä{¼$¢’ŠGaq2žV3g*¯û«ç*w§ÇiÒm—Ï@3.þ°fê=°`¶÷Füî¸ÁiD mº’4U@™šË|ÛL²ðÒó|ž¬âR?Óg¤»,3›æQvðÏAk{G& –x´+¶[Y°Î«ûm(?xïåÉ?§é𧋠•"7F5IÀak¬Æ@$k½‹ >R0ÔðŸƒû¶ï QŒ"ï/âIu܈@WñÕŸ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1subCACert.crt0000644000175100017510000000172015161577363033050 0ustar00runnerrunner0‚Ì0‚´ 0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping1 P1 CA0 100101083000Z 301231083000Z0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0‚"0  *†H†÷ ‚0‚ ‚í±÷øLÂÆ71g2Ò?ø.ÍP£ úËŒ=ibCÊ¥âw”™—"O•Ÿ¡®Û¹æP9 Cß 0Gutqg–àë¢ÉO•¸~ÕÑ!—¾8Mjèh`—6…SXÞ3ó£uÕSô>b,¶~Ò´g4•h|÷:«ùÚÇ.^na€QÒ®Ýýª‚WJågԾǻv|Yß㺫·¯bP°^ò%ÖÍ@'ìbp_Ïkžsð!q„™ÿ6³»ªƒR{R™ëíé`Bøl»°RkqqœŸO™ +Ã?ˆz/ô¯ù_o1žàG¥9®Eehw’q,_ÙÅuÎõH¿©>{{€±šU-ñ£¥0¢0U#0€—ÌB^×øD‹³—Q’Ýl;!Ø0UóÍ?ƒ0ÓÇbÚæÊl¥±¶€Ë0Uÿ0U 00  `†He00Uÿ0ÿ0&U!ÿ00 `†He0 `†He00  *†H†÷  ‚YŒ´ÉA;‘G•ªÝ4—\矲ä³ý§3þƼ—vª£´c(é£ÙÌ ·Ð{€Ñ%=’º‹}ŸëSïÑÉ'CýÒ ´p’)]Û‡§™ÂˆÊVh—je6ªXö¡$‰€ Ø;lÒÿ·Žžå¡‹õÁC0a¤KêÈÍÿ”&¡ÎHÏò‹”Xå6Ä+À\\Ç[µ+±XüȈÎW\mPô‹ŠÒ¿›qÉŸÒñáØ© ´ïµt*m]ô@µ¯m\3Ã8µ3̼ªMUð ØzþfR'¼ \zyYn=ªgZ™ˆ(‰±Ì‹ ¥e*]ŠxUúDEš't¯ùNÊ'Wš«././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping1P1subsubCACert.crt0000644000175100017510000000172615161577363033570 0ustar00runnerrunner0‚Ò0‚º 0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA0 100101083000Z 301231083000Z0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping1 P1 subsubCA0‚"0  *†H†÷ ‚0‚ ‚’kCœômõ>¡ïäh“Ò{ˆEÞt8H%ù!§Àèu qƒ&T„˜l‡š,,9¹…%çq‡TÐ3`EùTƒ¤XÈ»Œ`ÒdW›æ(š0dg† Ú`Û;ÚÛ\cÓZšÑ>çÞOàá[Ír—‘¿b•±oÏlÕ(Ÿµi1 (—}ŒRNÃsäÔÊU¯¥…ú üš®›u•N©¤è`àRµÿDò6l°u¤³5X—ž)ǸÕõ€c”*+ÀâäÏÓædõ)•Ça“ͺ\òŒÄkÂã~˜åšÆ²é±&Ë¿îF†T÷ nL1õ¾ÖäëyÇg=º¹ýZ{£¥0¢0U#0€óÍ?ƒ0ÓÇbÚæÊl¥±¶€Ë0U>Et¢‹ÒñVŒFfxp$Æ"Áž0Uÿ0Uÿ0ÿ0U 00  `†He00&U!ÿ00 `†He0 `†He00  *†H†÷  ‚uø¯¸LM×!Xz‰Øwª‹WÝ8ƒl$‚:",ÿ­ HK¾Elš¼œÜT†mUh”dÍãÆìè,Ö1µÅ{÷G¬<Ý»K“¦zã°¨×РӲ88ýµ{ž‰›Æ[ÿvÛ¨Õ‘߀>40•ø˜Su×B”Ɖ,t'£þßÑkD÷Ó%ÇT ‡ÒRŒnL5ráLãû®ŸÄÈ€i¢â˜@éðe =¦Zðkþ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5CACert.crt0000644000175100017510000000164715161577363032151 0ustar00runnerrunner0‚£0‚‹ 90  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UinhibitPolicyMapping5 CA0‚"0  *†H†÷ ‚0‚ ‚Ög$1Ï`iƒ–ãm}–wȃ9ÌÞHêv)¢ÅòQÔ,^p6 Ü…2ùŒlšÃà]Ôµë9܈¹Ÿ“èi¦—G{‘¦ Ÿù?6 2ö5Å¥RÏÀ÷žüæÚšé»UåØŠMH¶ê ^F% Q. nð“ug/ð(ï=FàC^‘áÞ×ÒGæË Ý7à›)Ÿ”k¡y°e´`Å>”_ªm÷­ ØⲋU?î:úìåbmö»ãªø‹˜ÞæIU¿>áŠ{2»‹òe)ˆíiô_(í­4dm yÓëÏS/ˆõ€Î€\°³ß•‚Ñà”ž½Å¡e5±¡øG£‘0Ž0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÛ€¹b,ÅÃýóCâfQ%»ÛôÍ0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚ .×91G» ¾wµŒccîø¢•db©ú´½1ÅÅ+-E¶‚j%6ÞVÙTcj•»Öçź9Oª^Ûüû•9¯2c,É%²²g,§µ¬WeêÛvF’/à3ö˜ ’1ý©¬'â›Å;^@Õ(}·ÒÕ6Ã˾5³ÝL~c+@ ˜þ׊òÞÃÕ0D R‹Èœ°ô"ÙU²BÍ j¢'þÀuœ,þÆGruùŽÄÈ\¦I«Ð«Å‡õ ËŸÓ"§¬œ`UìjÙ®z\0âB|O±[—b¿.¸Ñ˜þ^\'±mŸ°:kã^¾C +A›-././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/inhibitPolicyMapping5subCACert.crt0000644000175100017510000000166315161577363032661 0ustar00runnerrunner0‚¯0‚— 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitPolicyMapping5 CA0 100101083000Z 301231083000Z0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping5 subCA0‚"0  *†H†÷ ‚0‚ ‚µ¡_Nû§0€L¥!.-uÑ#Vñ‘nÑ'ødÅ¥%š- ŠÕ Q)¶!(º ~5IfÒ.ë~8@„´¦Sa]‘Õfâ(~;C²xÉisƒÙ­Ù€û²hâIH5¨šÒ>G# 3 8^»Xœ¿·ãû‹^F¸€,Òl´ œ{ËÑ­c@ДÉýcXèn™‘ÏßG‘n —±£¥0¢0U#0€5§ÔáKtNU¨q´B2þɸ0U®cË×âÃqãôÎnü5ô›ÒM>Ü0Uÿ0U 00  `†He00Uÿ0ÿ0&U!ÿ00 `†He0 `†He00  *†H†÷  ‚‡…—Ö;-ªîBþ º@ÛÃÆw ÓuæL1g8 ~(üëm”G†*î¿vÿœÐk€´}ôÊQnø⚈õZ$áY7N#¾ûô«£wO+ðä¸.fŽÊµë7ž6ú꘬àåC@<^ÆDù/ÓĤ9ª¤M7‘±Ëϳ;ÕϬ\·|p¾Øáóx¸J_âЇ¢ Šu 䯾Ýu Mé¤P—.€øÁ-/Óc[‰üŽ‘Ç$‡¥¸ö㯲&þ¤üë–ZÀ–ƒ¹HðsÕV{Ç“Zeqrïï±'‡üa½­4^í3ý»<Ã’Æ]À¸×XÊæ »ÐW.n6f././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageCriticalcRLSignFalseCACert.crt0000644000175100017510000000163315161577363033362 0ustar00runnerrunner0‚—0‚  0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"keyUsage Critical cRLSign False CA0‚"0  *†H†÷ ‚0‚ ‚Õ\ZIfºßtažˆ'hE¹øþ@Ù•°ÑÉçîvvÉ »9PIq|‘B²ú ût '<`¾'©¹ù³¥_Šû"´ &Ö/îdšp?jÑ\²Ëp ÎÐIY’ÓëÞàhWñ$ûÞ×SäÎ~x$㻉c ªöÂC6¬¿‚ ´™T­‘€±-µ`€G¾0nkb¶‡¬ß~O” ý\#‰Œ‹uw€Ê¾s?ˆœV½Ò8¬» æl±j÷ìÕRlWG Ú€@šˆ¹`V–CÑkƒÔ˜tž'Üíä,ïȳ ÈÅôHÑìÐ?eø÷³žÉ!'È_ä?€ˆœqóë£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÂÊiõ´¯-ôœòUË*0³ÒZI0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚9ŸD[F N×Õ䱿3.™£1Žëµ±½# \$NßB¹ÂaÝ<÷¼Bq¯"ñ§9zZßX¢µP!x5ºÊ(h¸ôw_ÌZeçTß굑––Ú{¹Oe~ïÛÕ3Ç-Ø~Š(C:²Q®ý•„Ü®¬Žµ!¼ 9Gçsý|ä÷H…c2Ȉƒä»“å:0ÍÒo-| 1.Ö©R•ü6]ºÒE ÓêYCVô«= ÞÍ÷‡ÕMÒœ·ë¿)8å¿¡g+÷†›Eć„ò’ÏÇ$3¾@&zšÝ²8A÷ V…H÷$ê*c  ª„úq µ¥Œl5¥p¾ŸioFâ2 )N)Kd+u¡Buä­ç G¤À¹  Q³|áB§ÓȘ˜xßdSÿ<ò㱆Ñ43Úî bšu0Ùr÷Z¯Qk Å7Pç{›6Có$o÷@ i)yŒEþS¼3#m8Ìv!°3J^[Û!ihÅÉ•ºÕŸ<…^ á–ÉÛfŠ–á!£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U4U gü±ÜÂr ðcéÔ›ðcù0U 00  `†He00Uÿ0ÿ0Uÿ0  *†H†÷  ‚^w†hn\†goʘ9OZ“›Õ@àsÉx}< àÎržŸzª_m‹mú\Ýuùïrw®Nõ7 ¶¹Úғλ¿z.È”=×âxî|oF®óé²i»¾ 'Žyknƒÿ¾ñâeƒàt’7õä¦0.bj$”‘Çr5Ñú# Ýdå|\£­“û0´ã†£ýgQ|ÈÜzl“Ûœ')„Öî}nå7ýÁíºbÏ j2$¼9dÿ驤 î ĶF„Ú6OÏ&¢÷µ§ Y€á¯¡“õãøÀ"ºªeàÜPm3·„á#,¹KêMZMG>\Ó‘¢Ú¦å@ÀÂüý/ä././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageNotCriticalCACert.crt0000644000175100017510000000161615161577363031647 0ustar00runnerrunner0‚Š0‚r 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UkeyUsage Not Critical CA0‚"0  *†H†÷ ‚0‚ ‚¯Ú‘²ƒIO£É Ši\ˆ9,õx_ü “U÷ÁêÞ ëï|£ÎA¢™okùŠ¡u3fÁ ¦ˆu'Ü#-ü•ÅûDý±cÝ ¡ÃÚ^"¾Ö{ÝK} #¬]Ncª=W(ÆC(úZ)1wqI‹²ƸҫŒ'-´ìEüe憜üÃÁ-B£ôáE¹Ôò”ƒŽ…ÅÌ 'Bgó¥—çé,ö„ õŽn7ž^±åMÕ»a gëüÀêY%ÿ$Œ;ʉܾÚ'ØɲðüÁ =¼ºÝ>´s’ìŽ)P Â㻪yÊ=èã4—ýľáã÷Ñ£y0w0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÁJÙ´+Åp~ÎŒ;bXå»—+s0U 00  `†He00Uÿ0ÿ0 U0  *†H†÷  ‚›a[º=¶T¤>'+·ÄáͽÊçøD× œ÷—µ(3æòôŽÐý´»5(÷€\À¡Ž…ýDrŸ¼¯Ö;;÷iÈŒô”Zä’–àÐ4.P.†Àùˆ ¥ØàÚôI-0ÞO2q%7»O ýÚÛâ‡q€>w¾w¿n?…Håp‚#ÚêâóÒyå2_Mˆº]ÎÂçlˆµ±¦©º00Õ…áUÝà0Î1ó¡ÖÑÎÁ¼Ÿ˜›ºåíѤ…t{ %K Š7‹ŒQ¯~zW¯5(ÏÄ3™EŸA³ksœt-”Pßtç;iÿµn T$OÚ•÷%T–D¥ˆ„ƒàûŸÿ:žøwz á././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageNotCriticalcRLSignFalseCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageNotCriticalcRLSignFalseCACert.c0000644000175100017510000000163415161577363033476 0ustar00runnerrunner0‚˜0‚€ !0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0_1 0 UUS10U Test Certificates 20111/0-U&keyUsage Not Critical cRLSign False CA0‚"0  *†H†÷ ‚0‚ ‚á¨ä¬eŽKDÛîXg–¥\¢ÅÉöO%]wUôÍoíÐ觹/m|w 5Úæ?ßY¶×ñTÚ-?G—~³t#a]óCŽ˜ýØÞ¬Ïwñk0·°fwêÕÝóZûO7¥4¬‘£1lÊÎöbb,Àv[ó{€–ÕM)“Z ˆqö€Ë nuOLc)ÕRs¬’õ›%¶âÙ*£5nÝþÛ¢ âåL¾!Ü¢*ù2LyÚs‚‚9ÞU—¦¶º{¥M–›a¤x·õ„Xv^E÷Ž† ¬Ë˱âe)þ½A4.Y<Ê£fï>D%úÔzqÁAƒ¼*Ôk9v4:l7c&°ë-£y0w0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uù~R yfDeyÝæCñØ0U 00  `†He00Uÿ0ÿ0 U0  *†H†÷  ‚W6¾Ñ Ò{4~§{ÑÁ79ZÁ·oÚG{Cö Gœ9%ô,¬†uü ~w¾`vy¡EÈç€g›cuÑÕa…$!Y Õ˜s•´rès– F\ŸÜNì¢Öˆ»>nÉÞÀ6]ÿaQÁÞqz¶tÊd’Þg7]ÌiÛõ8V½ÖñV˜î*M§÷Ëú‡YÇßó(°ž/_‚Ê^[჋ÌCéMz©q˜,žúËX$I‹8!±Ôú§üÂS³6pwëD¶¨™\ζš¶7¢ª_ãPæú!eüâÖ›îq§yÌ\_V†M¢Ì>%­©‘38ÓüG·~ט+µiµM‹k¤{·<èX././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageNotCriticalkeyCertSignFalseCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/keyUsageNotCriticalkeyCertSignFalseCACe0000644000175100017510000000164015161577363033632 0ustar00runnerrunner0‚œ0‚„ 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0c1 0 UUS10U Test Certificates 20111301U*keyUsage Not Critical keyCertSign False CA0‚"0  *†H†÷ ‚0‚ ‚»–Û”]—VµÖ@'ÉXl dÚIðcžùû‘æ@®N“>’,÷Ö ãª¨ ÿT’÷¹ò-§¢7u Ôí+&“?4ï-¹úÝrI\b1JxªÚü8¶²æ¯!½ç•þGÖḢ£*¡q 8Óá¢úC]ºÿp“5ž¶D†sD­r|¨:\oÉ86æ¡ÐÛWø5Îú˜þù¡â&/樰ÜñQGÞë]Ç«sxèvîÄ¥1€lÚtpiìŽô®¿×DÔ(B$fŠ%Ûy¨ ŠŽ3¹dµ‚xè ræA—©t·fIÑz“xÚÀð-›¦˜ÆÅ wL¡Å©ä: /¤h»­Q£y0w0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U²%Ò(0ÐUhnLµÂHóÊ›ò@E0U 00  `†He00Uÿ0ÿ0 U0  *†H†÷  ‚,XpÈ&V¢aäÀ…@gÉ>Ü ‡ñµBü— ÿÄ­Õö?Эê’Þå‹-z_”ùo¼Ð9I–É,7ÄÝSŽb¶*À‘'›/{ôyÛ¼Èù;èÜ €XL·Z=§ßµ!ÇíPE°ñ”/°@op¨Šuü5Â$£©ÇŒì^¼ÿ8PdK†««ûŸãÛûˆ>"ˆÕkñPï1PΫüÒå7j¨-¾JZ«;GÞ¡®q{Ú™hBƒÑiÃ=aÊ œ^™|¾J’.sQ6…§~ê+ú§ëWÇÖò«;Ø»Î!0P.Ôv l!‚[.‡././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN1CACert.crt0000644000175100017510000000176115161577363031412 0ustar00runnerrunner0‚í0‚Õ >0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0‚"0  *†H†÷ ‚0‚ ‚È¡K…µÑáð§{&2µòN[¢0”ë«Gü,Lx­ê–úã6xÄ!íéEl÷¸¬ ÛŒŠ,)­ülrò ÿ¶.†„bŒwÚÇòz©ÞbêÓž,gTÿ~Æd”oçåù –òÒ+¸xé,‡!¶õ¦÷Rí8šv9¬™ ’GWH}U†‘bøpìMß ¯2¨Ñ³g¤È"PkF$e@æ„îu!éZÆ,š%EH°¥~54øÒn‚â4¸ „ÿ—ð%Á_tÄÚçÈ„:¹IÉ×®yàòÃ7Äî{ØûÔéÁù½R‹Ì#“Ê°:VqpL²œòÂØ(Wæ(Ñ ¶Ÿ£Ý0Ú0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UAxBFÍN¨‚çá9ß÷©À üï†0Uÿ0U 00  `†He00Uÿ0ÿ0^UÿT0R P0N¤L0J1 0 UUS10U Test Certificates 201110U permittedSubtree10  *†H†÷  ‚iL+½í®Û¨Ènq~ÊÜ Â„ýCñ?Â'9g‚ÿ"€pvé•÷¹lËçfI"‚‹%¤ûvp®/}Jßæå ˆ0¦n!Ö¾ó’6Z+áºÉ%l™–Ú¸ -›„³ Òø‚dm/‚Õ“›Ûèï ªæ·~s?Ñd-rc 6ÍÍXß…M~’‹¹gðîQ•’Aûê8áy"FÛçÑ2dñIîiùvpÄ 1T¥ãÎÒ¦ŽŽ]J‹öó<ö@b+ìÚ¾KFwMYØíÖ y‹j’#)ž°ðÙ ni&Ö Yé.–UfÁ$3·Ãœzx„¿ ç’òŸ_H{ùÒ@W¨Û././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN1SelfIssuedCACert.crt0000644000175100017510000000163115161577363033375 0ustar00runnerrunner0‚•0‚} 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0‚"0  *†H†÷ ‚0‚ ‚Ê"€6-vñr$9òL©áú1tw³Ðz4ŽP¢ËÆ•ìGNçº#à@"÷¸át2Âøx&¦vÄI„nVS¥î5ôZ#¶ëu¥.iÔÈó¼¶xŸ#D‘L'ó¾S‘ xL!µÐü<ï %åvÅå\zÜD²@.$”Þr/™\Ÿ#©Ÿýù¢$?ÌâȘ *'7ؤøÄ7ñ Ïäj%É»áVYà}橯åª7ä":•ljHFÒúü«fž>RžO2¸µQäX"·ÑrPÿsÆ{ÁjÊDg ^œåƨKϬ=Ä= Ýš|Á}P™}|‹àýÆs5£|0z0U#0€AxBFÍN¨‚çá9ß÷©À üï†0UEîÅÿãÄÇ08L[Ç]T™rÀ¸0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚´#w«tC j*Ù⬯%Ãváj—ëèÊŠÞø©²ìò¸@¹î¾³kòO ß >.ƒrÓ{…â¾'ÓDÛÓ®¸ÃÌBjrežL±üfkÍ…·8ÆîãÉsÁÀHgw‚=Ž+/«Œ9 Qô×2aUŸ.°ß’J?r,—"¢^Y#õý¢ÜٞȖAŠ?aÿˆhò:ب‘Xñ@—³ÎÚós£ ª\]PÊ“@UàØ`'Êà ªìµÐ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN1subCA1Cert.crt0000644000175100017510000000206715161577363032205 0ustar00runnerrunner0‚30‚ 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA10‚"0  *†H†÷ ‚0‚ ‚§“ Ü!APQ‰‡ÖG.f϶ږBýŠà›qúÓ{'÷…p§E\–[Uǹ6M”;©’,ÄFIŠEÛlá_ƒ>ßüâ–IkÜ>(‡.ž•óÖË|š¿e|^GÏ]íCË‹tÀ†TQî~–}à v¥õÂ`=@Ø9„±Œ*—½“z±“Ý€õGÎØŠ»ÛŽ82‰/úýªÕûx¿´Ä 0’QdùäzîîVîYDR†bàϧ®çøÿäœÏ_oÓBÒ Õ%n³`<°_ب0|t[éþ…©Pãb™Q­UÆÞ›MJ¶ÅlÉúÆHª£Të¼9F*é£ù0ö0U#0€AxBFÍN¨‚çá9ß÷©À üï†0Uá8C\ÎçKbÇÁ’öf‚ê0Uÿ0U 00  `†He00Uÿ0ÿ0zUÿp0n l0j¤h0f1 0 UUS10U Test Certificates 201110U permittedSubtree110U permittedSubtree20  *†H†÷  ‚f=íðzÇÒöY~ë»*ýCM!“z0œ KiþÀîóÀa8Ì _¢cÈ!R3ÖºÖ|ß“µþ™©q,ž©P—^÷?Å%v& Ê¢íÁÏüº‹Š­Ø\LXÎ̪8éŽL×¹{|…‡` óe=µöƒÉØ6ø/Îr²`?ÖojPeÓˆb+A kõ‡„zÆkÑõ*»•yì“O_ÞYÏÜ£Þ ÷Ý×v­whÉzÝÐ|Í~ÓíÑ'>mÙÝMŒ¨á"°˜ï$’zvò—Å£Ý0Ú0U#0€AxBFÍN¨‚çá9ß÷©À üï†0U¢/Xƒ[L•—·îö‡´—àà—0Uÿ0U 00  `†He00Uÿ0ÿ0^UÿT0R P0N¤L0J1 0 UUS10U Test Certificates 201110U permittedSubtree20  *†H†÷  ‚ÀLô–UbPó6EC€—ÿ§ qo-r–c&z¸yJÙü›¾NîT Bh/.u­¿-L¡S¿ˆÒbWU¤ÿR~MjŠB¸ˆ‡ã‚ëï?Ýh.Hû>ûQ+N¬ÕÆìcé»›ŸàÝ; Oå{¡poNñfí]“ìÙžYñq«6¹=éáà¨ÌŽ·ùĺù%˜i%·&¨ê(µ¢$h÷Ë–ùBxN—9ƒœR± Çuû[y|RZ0ôò•›QDöv¸Ïuf­·8L«vušþ{-‚|Þþ´¶>jV2G$Ör—ž'ïåÚ•ï¾s;Àu=úlMï±Ê¢Ë}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN1subCA3Cert.crt0000644000175100017510000000174315161577363032207 0ustar00runnerrunner0‚ß0‚Ç  0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA0 100101083000Z 301231083000Z0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA30‚"0  *†H†÷ ‚0‚ ‚Ä-T¿æ-Uƒ¬…êÓIø¢OÕ ÝlUóÙõÈçqô?§x( : -lÀŽv×k Ýg®›“-gTÄ ˆÝ¸ý§´ÜÞP~Yùišõx†])©…½®Jq`4èêÂtÂDªZ7/;A7Ä9dI’1.D“y{ô*áð(/â© 5ʸȯ 9ª%ÀEaò¢ô,"‰˜Ý5ʬ,ÙÙUÍ}0+¿§‹³‚Ž5NImÒ':°ìñÛ p X¼JŠ:8Ç`´}ûS~GKºÿaJ»‘®jïç$nVq=¨ w7¦oÊ+)å|ö8ï‘“ª‡aC”¬—£¥0¢0U#0€AxBFÍN¨‚çá9ß÷©À üï†0U'IäÙEúl˜”lüí Ã$RmUD0Uÿ0U 00  `†He00Uÿ0ÿ0&Uÿ0 0testcertificates.gov0  *†H†÷  ‚‘þp™Á!™û{z|käIÿ&ùÜৈ›4œ÷/ð„tIeiϬ?⧫Ï™¥ä·¤=‰¬Èdk á†x˜£õÁ‚ Mö,¶M¦l’Œ=Ú¨ JœWuƒŽh¸ö=€%›fSªOÙqk6I¬çÚ]úŸ:Ÿº\Çð~YѳÜ-ûa:QZ›ú=þ/y0,¬ÄO!G§-àÅùNÒiÏ[ùŠžƒ‹Éùp¹bIxÅpKÇÒÞ¤át©‚;‰KÊ:¥ý™5I­C8¨nÏÒ£{@àâÓŸ@WÍ Š7]XáO2kV‹h¦ÖuˆÃfË]Ã"€a…àE1£‚20‚.0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U£WÙ[]³`ök‰Q+‚à s¨{0Uÿ0U 00  `†He00Uÿ0ÿ0±Uÿ¦0£  0N¤L0J1 0 UUS10U Test Certificates 201110U permittedSubtree10N¤L0J1 0 UUS10U Test Certificates 201110U permittedSubtree20  *†H†÷  ‚—.±:Òëu h¦ X(,êÍ"Û”~õ"%S… yêNãnò”›«”®Ñ¨óSg±È_6ÖcÀ¿= ÏÊ!û¦!Ægø™"õGG<]½/â7ŸÐO‘îIÆXå·»<%r"¾o1þÑ@R—ÑnöIï’+c¼ú,«¢.~ÿKÒ·TE:¹@§Ï_ ¼Y¹Ã”<ðj½)¹Î2bº¬›Á|3~õŸóî6æê êtU?V;4Ù2Ú.à‰‚«RCoäUuˆ€Ï:ÉÛë2ˆ‡©%5·oQ惒}´xGíô£¨ú4——Q]+»Ø¨|QÙ$î”?w¨8././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN3CACert.crt0000644000175100017510000000176015161577363031413 0ustar00runnerrunner0‚ì0‚Ô @0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UnameConstraints DN3 CA0‚"0  *†H†÷ ‚0‚ ‚Æs² ó6"¬ÐVÊðí`Ý3X‹„Äĺ™NÒËà`P ýªËQüoñ†µêTg,íª‰×ˆÖ5I5¸;¦ÌÝþ‹6ˆïI‹« ­ÍÅíO†üÝ&ÎéàÖÈ1<Äó6 ¡U“—Bå*à;4wý[h$O†Â¦¸1à3+Aä‰By?DiÀ(ÿõòHöŒ‚nÆ¢|­½ZÍ´¼—«ºmݨü¢³%ï¯fA/rôòh$B`F5))€úDh!ðØYúrÅëL¸hО@øxrPF¸ˆ,£TԒѹ®q€§GÛEÙ"¯FŒ½©4¤éô>ºØ ï¼Y&sÔgâL¨è¢0v¨…Ó(xñ¹GÜdÞt²4ÏåaRøìsüX,Åáýä5ä/ Š ÔQ…•ÂÒŽí¾˜^Oä¥l/à]©ÆË㸫¢,5°“Üq6Ÿ8€úÕyÕN÷r4‰Žð*Åoòª\ýí¶././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDN3subCA2Cert.crt0000644000175100017510000000174315161577363032210 0ustar00runnerrunner0‚ß0‚Ç 0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN3 CA0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA20‚"0  *†H†÷ ‚0‚ ‚Äédßý•û¹ªt±¡ÏÒ ë¼ßÒv¢éHMnÒäjóÞ8>YÍViÓæK Ô·3È,†ê1  ³™¼”Rà~ÓÓóŠ9Zt1\âêZ¥ FË÷Žù g$9çú‚AûâìP(;L‹³ÐôfxÐÓhÑ1O°×ÊÆš~ý×jß?vð•Ê¥ '[R° 'ǤJ¥q×¥*¶ÎâÖ…ƒ:=…Ú§-ÛƦh¾áå¦iãÁ0¾0U#0€Ü[¾Ç7Y¤Š@t| E.C‰¦Û­Òù• ®€ ñVÞ(Ðt!Á3Ž.ðÒÌ€hš^eüŠs85\*ì$ûsØ 8ù÷ ¯tµQÕ«¦HnAàZ(ôõlïÛ$ñ¥w޵Ι*ãîwfÅh/–V…ÒE¦Ÿ^+h»‡¢1 –¸j[“$™£Ã¦`Ugéÿ:9›ÆCv+ô@);~^2ë././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDNS1CACert.crt0000644000175100017510000000167215161577363031536 0ustar00runnerrunner0‚¶0‚ž F0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS1 CA0‚"0  *†H†÷ ‚0‚ ‚Ç&H:ÜÀgÙþèZzP §R–X«+Â)+Ó·Eµ[ ¢u°ÉÌÐr¥ý•òþÿ i)A¸êeÚÀNj&žèâ/€V™tÕ]W$òòIåN©:*…¼â~Œ¾D*±w°¸@Á§-…Æ…ÏrH+É›+ú8NÇóÎÿ`4ôØ)t/‰è7÷L.·(Š>1ÇU¢}+0 ‡nàyw„øJ~Š¢&àŠµä7‡Š« px¢øzZ\PVB+E™bÃ¥°òn¶J/A)~G0iü³Ó#Âô >N–B½+:×vâI”𸖱yƒƒúýCÇü©„:m J©n@J@@WQ£¥0¢0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U±ªðãÏÌÒ§‰¦ƒÝÿnÚãI0Uÿ0U 00  `†He00Uÿ0ÿ0&Uÿ0 0‚testcertificates.gov0  *†H†÷  ‚6s’¾Ì»9sä |y‡Õ5ÖŠ€Æž¿±û¯Èú›$¨hÇîPßÜqßñ9ác+[P ®ÖM¡"ižà9š¶á@2×,mמ²|G—³ Ø¿žïÚ? FÔ?:Wæ­Sȧ3nÒŒ)[À!'{¬ôýõ{¦Qp½äÂì±þrŽ Zº•Dù‚p̺­0«EìCŸ§ÜÐ+èÒ}5®j´Ëh*~þUçc#u£ÿ³uO— |ôçG (I”R™”ÕU`ϼe&¥0¹k«ýR´ÏÓE—ÚÉßy‹ÿR—ý7ôŽ1øÖj- K e59Bƒ&µ\A…‡tÖtÕý²žµ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsDNS2CACert.crt0000644000175100017510000000167515161577363031542 0ustar00runnerrunner0‚¹0‚¡ G0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS2 CA0‚"0  *†H†÷ ‚0‚ ‚½ø¼5}N?HÝÙ½ÛJ‚22,UèO¿‘ÔkUDléE¶—‚bN^h_ö4w—¸n+wDsG“²Üi~V’½X”N§,DÂiÊìg ÔÉE¾“½>§ßÜ+Ý }0áÒ9-b…ö=öf;PƒrXÚÎEÿø¯q®Âçû•Wï|(¶,Ö(9Û“+K8Ö ÖLr»%N†ojgÇƔ䕌J«‘a§(š}Ã`‰×61Ï\Â>ÃûÁAc½E1»¡§²…¥?‘ˆLÀ1¡G{\8›-þÊQ ü%i.ÈB4ÑSe¿@ç©~Ótbxœñ5ÝΘ… w ,ÖuhãU£¨0¥0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UFHœB Ž]SpØàÁÉ5 0Uÿ0U 00  `†He00Uÿ0ÿ0)Uÿ0¡0‚invalidcertificates.gov0  *†H†÷  ‚†Ž=·ëmjKŒÎb¬`G±Í0EÙ­8¸xZvNVš$á+c8f§ç“I‡gñ”ì{#¦Yà#n¹bça‚½ÇÜ&â\’J‹#YC$ßRÕšhÿ@¾Ÿi±¾ õg*| L2_£ÜÍÅÃkËt‘¼.îmyÚ,Ð'°ÇI ¶©Ëª|múhc¥¢ì_çàÉÒüJŒ€ÒÔ¸Ï"Õ1$”DÖÚº2T;{}“Ï“åÍ>æ{ëÇ–ìØcŽÿ¾èˆµê»AI}{ H䎬Vtü8ø:æ1øÌí:Sÿ§V䥊UÈxw³,ž)È0iäMˆŸ47åÐW ÓlÅÁ¾Ç8Øùe|ÈŸ290"RázWé¶=ã%²Zh%IÇg›}ßLïw¯½Ìr™%Mñúxí¢•¬è‘$}|ÐTç¹—솊å_õ¥ÒïêÒÑG„z­ð è¨hC}+™zýM_ÿñÀ ¶É°™ç:8½¨2BÆ‚ëeZ>þa–œ¼?ÃÝô ‡SS€½ÑÔÑIY›õÝ7ge„2Ülzÿ6Nåú^ÜØRÖÓ6¯2††3çi././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsRFC822CA2Cert.crt0000644000175100017510000000167515161577363031764 0ustar00runnerrunner0‚¹0‚¡ D0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA20‚"0  *†H†÷ ‚0‚ ‚åfÜSáMçýâ\ÖN9P¨ìÙÉ`d2èÈš(å< o\”.9~àÕàšq^K±ÒTÊß(³½´ä”}…‰Ú8Lñ†^Øæ^A¬©'Õ˜€a_g©Yª¦ù ¯ªwwÌÓÛ9wu6I5Åxîæu6ë(¨Ì—(JQAE··åzvÄð‘sT"æDõí©ŽI¥—¦˜ùUg¹¶?=:säé/Ç,¥5Æ"ºÜ¥”|Ý2G˜î­Œ^;¿áƒÍE„èN™ë×½TÖdÏíõòqEE° n<‘ؘkÁ7:å1ЪÖw2g¢hNÔcª¤Ëmn…£¹²IÙj4Å=8þ3† y£¥0¢0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UQ€ÍúIrH<íN ÎÎ@ep 0Uÿ0U 00  `†He00Uÿ0ÿ0&Uÿ0 0testcertificates.gov0  *†H†÷  ‚$ôcùè .5tÎnɪ±Íð)+ãÕ%g×±ÝkX*ÞÒ×QÃj§H;ÿØ5tqñuñSØ^P#“G²KTî@1T·Ù'›·«`ût7“r¿¶,Pâ>År°³•Kºˆið +´¾Z&Ôªò dO‡%œ%‰÷‘#Ư‚u0 bf÷k¢ù,¨<ðT"IÓ' º»çâßÊÛ»½m?Iˆ5©ã6þ"’Ë;õ³=í¦*¨MÏì3ÇE——M’‹ £ ( ™Ú%­³'7hÔçÙ—ƒ¤AR†7w˦ûÌDïW t8ÍÁÒk°ü…ºâ§2~xNÛY_/åîDÕÓw2Tß\×ëç././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsRFC822CA3Cert.crt0000644000175100017510000000167515161577363031765 0ustar00runnerrunner0‚¹0‚¡ E0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA30‚"0  *†H†÷ ‚0‚ ‚¬t¾þ| àÃÞáçíxEŠ¦­n/xƒnµr[üd j ”ÜõTIL¡Pª`o¾…чm{µàÿçÓƈÅuȬH€Þ”Á8üsA…Îçͨ0ÔƒÍÜÐã r\cW‘ƒæʧ Ñ9|VžE HŸ¾C®)æ~ãuN7m)?¿¬‡½  ?$ëu3úUG¹\€å÷‹§£DŸÚhÞ£ÒZ¸™òæÜÕX2«vË4ŒËe0žÈ=x?büu8#h0öØ)Ž"Ü¸:ëvä›X"ªÞ¨ÉôdnH704K¥FqUQo|texjê1MAS…PDV§ñ>Ç£¥0¢0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Ušº9MÚ!u¯êAÃNâÉ•’[é#ŒEQ“ŽÄ)\$V¿¶¨œt³EêÐ>­ãøéØÏ~å[×6\0MŠ•c_Œ7X¸,¤Çú)¡˜] Þ~ü23n‘[øùÓqïPsæ_£H죧 H0ÆÖŠmÁ¿.È€)Ú) œkÈ‚E•W>ûjç½Qm5˜›¦ÕÕ¾îû™Ö;K|  TE5=ìˆÊeúÖ'µÿ2$!{¤Qñ_4ê_î§þäÿi¼öò—././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsURI1CACert.crt0000644000175100017510000000167315161577363031552 0ustar00runnerrunner0‚·0‚Ÿ H0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI1 CA0‚"0  *†H†÷ ‚0‚ ‚§ç,Ý«:9¹ÛHI—°?×,b^ªUÁ §ŒB Á0tjɸÛ‘”Cê:EûÓÐøÐÞ‚ª99¾ï~í Ž²t¥Õ2¨yŠêî“UÄmûèžQ)£Æé’ª Wˆ»›j|³úø¡!Ù"” gÏã•‚x¬Õ^©6œ|ùY–ZwÏðû¿n¶’mˆ‰Š3íUH±"è‰x0DÖîê£ï@Ê$ž,þ~‹Œ€‚¿‰4… ¾¿i={JLf«–O_2»jجœâ²±i·Ð€˜ „PM_Yc âÓåMp$“ ùSŒÇù{ÀQA3 Ø1ÏvkHcc8³£¦0£0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uú(­AÞ*hÈ#?&Þ0Uÿ0U 00  `†He00Uÿ0ÿ0'Uÿ0 0†.testcertificates.gov0  *†H†÷  ‚[麴yÏÖ%L]£÷lÝV O,eNª¥o¼A#¡€V€tù3è8Y‰óy(â>úêÔ׫aM8¿…¾Ú jû³ Ú®+NuDÚÁK‡„_Íúz—Ÿ‘’ʵ … ;Ū–.TPkøÌ¡»„¢9oZ«h¤~ˆýk(÷uz’ â|*Bë=[&µ|se|§.ÓXNÿo¬.eTxh«E2Ÿ Ý£Å5+~XVÙ®W Ó&Äåùžá9z©QKå)sncùÌ¡¸®äÆê{æh¼²{C¡©£zÛ#ÍÕØ›]’ßæ}öˆòpäì½în¶«R»­™¡àH…f././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/nameConstraintsURI2CACert.crt0000644000175100017510000000167515161577363031555 0ustar00runnerrunner0‚¹0‚¡ I0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI2 CA0‚"0  *†H†÷ ‚0‚ ‚¾_€'¬ÕcúhѶþý* øeêÒÄ-¡ü„X…ï8ÌC˜„-³f ±Ö›êhufˆ4[Æêå÷;t`@ýÑXóÉN0M(-ø Ft^Ë›/Žøœ äA¢!êÃ~׶øêlP5æÂôšæ“úöD¼ò){Zæ\l–`pvt~ìáÍ(C„Y¤¦bµ¬òz»˜–¯K -3%”… ˆÙéiødifŸs3¤ \@_:ƒh„ÿ&ÏÍiÐ].Uñ7"ä3·$?¹xL3ŽeÞ¤ÿ¹1 +fiP¶<'"qÁ)•éòHRê×oCýVÃT˜éäð#×J,¾Ž/£¨0¥0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UMë‰qßð²úv:X±º`ÝŒÓÃ0Uÿ0U 00  `†He00Uÿ0ÿ0)Uÿ0¡0†invalidcertificates.gov0  *†H†÷  ‚f­e¾JóLôøŠøjÁR‚ËŸŽ8øÓÅ; ¸­ˆ9$ûái¾£Ž’3¬s(¯ÖŸ»jÌá•Ãbkæ´Üëõp¼õùŸÞuW.J4Ɉ± ì…€âpÛ7áïPoné}S§gbfÑ…"ð.././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlyContainsAttributeCertsCACert.crt0000644000175100017510000000162615161577363033304 0ustar00runnerrunner0‚’0‚z O0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0V1 0 UUS10U Test Certificates 20111&0$UonlyContainsAttributeCerts CA0‚"0  *†H†÷ ‚0‚ ‚ØN‘Øâ{È(Ý÷M©dƒ{OˆEƒw$ÔÓZRßÜ[ úÍû?URû Ù"œÌ@ߊ~ÄÐQB¯+ß#¼tQP[ƒÌÜ}óE.}öl»÷Îq=Ê!³ú*'²e”3íseoP¿Cfiç‡Ây|€l,¸ß¤îvD:ϘPéo©‹íÝÅ}R)M<`38vD×}ˆhˆõ>S(ƒÄh&±¥¿ÍgQ‡!9Ð¥Fà£WƼý¤«vzÄŸ1_HÙÞÚ׉Øì>èö¶=ïågÑÔC2pq£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UMþö-¼µPMß™zm3pN0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚¼ÇŽ¹‘BÚt…ܦ ’ÎX®E7b”5<‡Â¼î¤ ë(a)Ýý‹ÈC›=?º×ÅîÕ,!àµmT5´šÝîÕ ))9g&þJWãnÃŒW0cgDoÏßêˆgEwŸf b*jÜ?¼ Àº} &A­òt¼Ø{½\_îî×[ÛÎòøòàô;VHÄô{½Ãƒ¶w_&€/+(·;–ƒB¬N‰4ÔEÉ«¼˜n:°¼ÕÌÁ.Á¥žª"x†—úµLȱEùQ`Úo¼ ½“=“-Q… Ÿœ R»G¾¢r ¢‡â¹ÿ¹ЦmŽ åmì_Ë·7?Œ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlyContainsCACertsCACert.crt0000644000175100017510000000161715161577363031624 0ustar00runnerrunner0‚‹0‚s N0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0O1 0 UUS10U Test Certificates 201110UonlyContainsCACerts CA0‚"0  *†H†÷ ‚0‚ ‚Ȭ—ÿ!’2! ½¸?ÆŠJû`eãe¶‹‘Íòs“}BòÄ™Q¹DT‰ïLmêNÐzâzÞPæõ]´dg•´YõÐCíKäãYŠa¥›º!T ¬ æ"?l€ø-/¢ ê‘Œ¸&óœaÃÛ§ƒ³—XecWË·ugßEŸŒJHÅÕÛ€L?ç–»€;Ó©™à¬ uý‰«r÷j£áÀä(²P`d9uD€ÔÜ$C3׿o33cÉ›ÿ¦%ŒÀ‰ÐÆ<øˆ\"’˜e`K©™«ƒòhÅ=Îk+`í#éÿ”=ÔJ[·²«ZNÖù‡Mœd;2øM¶éŒø<àD)±¾œÙ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlyContainsUserCertsCACert.crt0000644000175100017510000000162115161577363032252 0ustar00runnerrunner0‚0‚u M0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UonlyContainsUserCerts CA0‚"0  *†H†÷ ‚0‚ ‚©M½0BµœîN[UÞæÞd'ÆãGß•éÆŠâ@é}ny,+–c)Óäa;t2Í;+ ©÷ð<’¬rÁOXÇlØEߖƥ﫡ò(ÚùlÂúáW(IßýTÏg4ÙÓ*æ½cùè^ÛöC€`p{à¯Q}fYãQÝK­®Kx¦y £MÞÕíàN¡6 C¦Ý@3 'ôü»ÚõFz´5Ž&ÊÎXR" zi,Ç Äó7Œæ˜ŒÝ©¶%î,;ÞšÝ+/¹ 0€­· Îp§{ Îßäñ… K¯ÿJÀàÞœñz—HßêGEš´Hâ,'ÛK ݲ€A³JBº‚å£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¼©ÜÍþ–ˆ}µžO™Þ$Ò0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚òAʳ—¢¸höAš‹h{Sîõ꟥Ý8prãÿ˜ ú‚$÷4LŒ–tšNZ’DtKv[í®4r‹µnðÈâyÇ¥Qa `”ûœŽG5ä^WÈ9z(·Ô"ñÆà^‚áÛzVIòïFÚ@ö©ÿ©·ãqePuHïûkk¨ð¥w”þá]h=X· ™2 ŠLÊ™ØéI?+ª²ÜgXŠ6@ǯ½=ÈÀ%/÷8ÔXqiÖ(4‘"¨N£ñò%$ª£[Y¦hzPq1fL·¦aàs7È”ZAëc!3±Š ÉFÔÕgw˜`ˆ’l׉¶¦M4ÒŒóÌèš#././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlySomeReasonsCA1Cert.crt0000644000175100017510000000161415161577363031155 0ustar00runnerrunner0‚ˆ0‚p P0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA10‚"0  *†H†÷ ‚0‚ ‚Í ”S[»E¢ šñÐ6Q E.Òlº*NcNšÐ)œ¦çÜ6yå ÛÿÖ‰Õ”ar —½?FçíÎêùbÕÔÞì 3¤í®è€¨\¶¤ö˜†ààBç/ˆGâù¼ïä¨'°Gs‘>ê{F¸ì¬CîªRZ÷(µžA‡2ÑF£ïr˦°ŒÇuszûkG‚ Œå­¦‡CSè"„m Ì0KCˆ§HµF>Âr«±"³ùºvºá#u5§•z0Åç’ô3ùÓÏ´"“ÙÃX…˜®e[X}JÀ½Ô?¢Î†Uwy=‹du9Š<ûå¹\UƒS骞hö×]pcų–ÚŒ—£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UPhÑ A'‡ç N·xVûŽîq0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ žjZ µÆzl¬û4ê¥Bè5À×S§B$¤ËÂXmÇ-ócLLRˆnïu8jD|!Ê™XïÖdJUˆ."¤1nÃõìøÕ·/¨9§« ª€kvvK>’9hñÆašŒ¿UÔŸÃ} WsMÊ”´PÝ'ÿF\Êä'N^±u%z@nxGÅbýŠ©£ßhÚ^?Ö¸‘®#ªþ›†¼°ç-Œ9×ðð˜¦+!õÈÕêÓ"5o3?:º¯±öÓu¡ímÆF‚üu>zÿc—íÇéêSþaë©7 xzw±E줇€•²íö$ö24šâ6樞ÇÁ­æOor˜¹œó˜Ô././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlySomeReasonsCA2Cert.crt0000644000175100017510000000161415161577363031156 0ustar00runnerrunner0‚ˆ0‚p Q0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA20‚"0  *†H†÷ ‚0‚ ‚ÆA:T¬xg¿önwµïÙ¥ÀZÔŠf“<èîŠÐD(ùuv®Ð[*š ÉUÝlý}{ã'BŲ.9i8wòÓÕçö`NË˹Åè`ùò¼T†‡ŽÂê[ZÊŠgcáV•x 65šFÿ‘SÇí‡=ÓÌ‚ÿJ„`¡¥þ~ ¬{ý?Ä\eŒ.l6à@ï·é·©3£ðˆnmÀwŒµ?°¯(„) – øê«A‹KÈí}©»bôQ®E_ ¦k3™Ê/r˜`I,ι5« ÜÊö2hM ry…CW˜cÿ’œ7PùÏ›MÒšl”¶4}ù`èö>ÞVØg©“yf7}£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U`cßÒ#¤)ÖA¤¬Ê†y˜¦eH®0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚qƒ±–'ÝgaûÅïœ(¬rDŒ[¨—âj=?B[÷l/Ç)Å7’„«¸½9¿¯¿‘s¹ ûÒ5w_õ’ñH¸×ðÅHõ²}aÛñˉÿâAAó E 5¡º½¼B˪#n0¬†*ÒT^¢²è±œ|¦¢QQƒSø7Õ¥$ö² ïtü“·ÜñöÒ>ßëµí]ÁGtð ÍmF<ôóN`çWÌ @åÿÛ&£¢ ¥ý"–ņƒ^àïMÐÜÈ­°â«¢RþõÒ ¬æ^Á¾_¬¡=ÃâûmGÜ„¬l¸bõEŽ²[†u Ýαߛë3ɇ•.././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlySomeReasonsCA3Cert.crt0000644000175100017510000000161415161577363031157 0ustar00runnerrunner0‚ˆ0‚p R0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA30‚"0  *†H†÷ ‚0‚ ‚Öì£|ëà1t/Œ÷5‡ó¬ŒØo^)å´N.}(Tº×Ø*ÀÌÍ' ½'ì*<þ èMJ‰ºÍ–®'qnëjpb‡a%œrÏ¢:iÂÚŽ¡Õáˆ1,íx‹3kscÓ¨“Õt` ”˜'e§¾¨ãæL2rKd‰RŸÈul‚˜nßÏÔ5æÂñ‹:¦ó;)Ä„#›ƒ ‚S¡PÄIödz7¹š(%¼XœÈ“„XÝ+52¼ì]§šÂ`ܽ|v2íQlðؤY‡“¿ ·î®¡öèÐ4BóØõËñ;!Ý2z&¢×SnëÄ“‘"%Ùع.‰a¢é?!wüø1M£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U-$·—‡,îÚ¾Þ—„¯ ¾k0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚Vtզш™eW(B_­>Ai"µöÿ«È¾XÎS¢µåAQ¢ó·ËxgxF³6qR܈â*F«ö‹Tvã½n‰wð  v{êDƒ§yˆµEz—ÚÆK e›Sžïgè.!ó´ž­;5ÓôM Åsñ­‘e„ÿ`ß-Q©<Á.ÔDS¨¬p±ÎvLÅŸ€ Πï°÷Ìùùˆ×q šk>ÞϬh€<Æ=¶È€Œ^é[¡}3Vè=mî§3GÆÅŒN°’™{© …×z6Î÷,_;9N@£=¤×«*Õ/·ê—þ£"ÞD¸í§YÍæ/Îyb ³å.ßÁ²„¤“ -&&–Éà././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/onlySomeReasonsCA4Cert.crt0000644000175100017510000000161415161577363031160 0ustar00runnerrunner0‚ˆ0‚p S0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA40‚"0  *†H†÷ ‚0‚ ‚œR S?îöŠ ¸k²T”j¤ÝŸÎÛï;ÄWF4MøÍ»rrRSà$þŠÈÍ«#Ÿ9TÖêbR§kvðØh’¬Â ?„¯pÓ}3ƒ¢t ·˜Ø!RF0_Ì°Òâ>:xRWÚ”àŠp­®¸¢­-¾âì‘´ùמ>žFñƒD±Íœm‹GçX'Ô‘Bƒ¿ÄQ½Vé)£f%è=wv/IÒ6=K=βLðã W bKy1D?£°žxxÿJ Î°_Ó·Ë{£|0z0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¾fÜ ;öÓˆ4‘S& hnÉ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ ©´Ä>í#\ íä`R]ÚÖR‡•¬DOÈVƒcºã&ØNábíÏG<õ8꜒ÌSmW4n©0(¹¹…@Þ6mgŒS>£µ›k‘ÞÂN×I¨7 ôæõ u„×ÅÌøJoòHø‰WÛc×ÖJúaÇRl¼m¬Þâù)öbmò#á¸%âhiPœºÚÀF±Ê¢£O¦Ý?€ÛâÏ&·þr²É—ª ±rô/In÷ Íç­1»þú‘C=`(ÌÀgÙ‡ÈñǾÚ`»/ÊA6†ÿ½Ææzß3‹ šYñ!TÛ»+ÎàÇ^~ðLýp°‘%à뇖}çÛ¾ ÇDÁCî././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint0CACert.crt0000644000175100017510000000162115161577363031452 0ustar00runnerrunner0‚0‚u 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0‚"0  *†H†÷ ‚0‚ ‚ȼÓzµ²Aw®TK-ïT'-®Q ¦¤éï ?·k`V#K‹»ßN̤ìHîóð–”LQc‰< iM™x$´é„W@FZÉ)|Âÿ¹§6¶*¼à¢Æq¸ÔF!œ*Ê7µ!ž/åèÓÑÂéÜy§5qjÑ„–V•Žgœ±ìªT•ÞùøÊ”B,D‰åÜ>éã.ŒŒrP¹(æ(+pk¿=Á»Ö¨Ø$v©Øo^ß·¢HôT·¥L±"ƒh·9%X·ïšC%âø†ùQWæbåd!çdåÍPò†Ü@/lý„õpú>zÔ|+’ß:nî»u°? ÂRS^Œ:®]£0}0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U›+²J<ÅnPÉ"½cÎ ñŒ=ú0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚@Ê+æg4N%²ÓÒú)~ñBRjÿ~¹úªœ~Á¬Åí ×ZGtÈ€ð]4UZý”ó{+Sæ€Êä–  ö%µ¶-ߨ³4_èÃ.°¤ŒŠrxo½Gë¯n<5Dbµ«Ó'ˆïr¶ß•æf´¾zI9ç¬ÓWù•×l<ç¬ý;$~\™]Ãœ¡Ð½î þ½æ³KÈ!/”O\¬ˆç­ÌÈß A´¥±Ko¿ÙèÂ¥s¦Ø¬†$×”g(ÅŒ¯Ý`©YÑ’è\ûʵÊÛž+‹jP$g Á§é߃u2XwáøØú\o•bHÀ]Er¶¦]_jÌ8{«ŒüóŒ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint0SelfIssuedCACert.crt0000644000175100017510000000162715161577363033447 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0‚"0  *†H†÷ ‚0‚ ‚®¿0Ãþú.õØn½œÄë{÷M‚NÊ{/æ¡â$]ËdßØ…Üí’+·rÔ(J…›e#» ÎtÅ£kÀcòÆ›W—3´L\`l ý«Gê}©O{ );¸Üvôr…¦fhú€º÷fáÀ¼Ò9‚å8_Äl 5Qãh]wÞk/ þxšr†m’ÞÊ°§-C«B°œ¸L¥ÞxxÚY詨øeÔsìVRÊÄ~ =]¸¾¿8:­›Ö'kÖÝмlÈ—©[ÉqÉC!Q4µ„vV"¼¾2œSŽøçE™^×Ø^røVÝœA*ÊP ç66÷ŠÒ„<Ù£|0z0U#0€›+²J<ÅnPÉ"½cÎ ñŒ=ú0U€ës¾M™ž”½KZ÷ÏWwtÃ_w0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚=.LýpBÕÕÚ÷ÐîãcbÙ:Ò2ë Q’›Ë·hv>,ê ®sK§Ì(ŸhñO|ôµ¨5w³ÆR²ƒ§Ík!,ίeê5‘š1zݲGÃÎS]Ü~‘mÆaƒç°jkˆó7Mó£³ý§ç© TªDnä{ˆ:U߃ÞÒIÌW¦çAøì›lßôxkáOœQD&• µX¾2”Q„^Eä =ÿÅ«½›Z–;ËÉÞñ›&ªEWLIœ* Jš%¶ÓÁOË”¾P-Pi,'Ýëð#ð“Eæ,¸êbÄÝæp JÑòõV8÷“ÓQ¥.»‹æõœÓ‚qJî'¸././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint0subCA2Cert.crt0000644000175100017510000000163315161577363032251 0ustar00runnerrunner0‚—0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint0 subCA20‚"0  *†H†÷ ‚0‚ ‚ÃÂ;¶1~\–m¼t¥lš¨Í2©,”Ùq*\bžu¸2­ÇqÄ1»Ùuù´ ‹†;iB<†ŒõCûÇušóŸëµ»amå«U±Z¦¿KP‰¨•Œ‡Â!0Ž‘iø€3®ëx@,0fs:Ç3GtaµÉaß=µê^Ì' Ð1fVñ½½~¼‚—ÍNݦWæáÏ›,œ½á„Ûgä¹ud5@.C—´ê‚°‘$ IM¥Ñ:äjP+8v¿î,ue9Vá–ÿ¨4>gØ“r²:¶¸<í¸f¢§˜e ñƒxÅYú–®#©…ÜÄV¢áAôvõÄâ2E¹äÚüKï:Á¹£|0z0U#0€€ës¾M™ž”½KZ÷ÏWwtÃ_w0UÆ *û¸é>h`zǗγXQ{vÞ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚–`…˜N÷ µXlPEc¾4/ôy,cs¼{«Øê7gv0ßòzñJªØÙo`2]ñCx¯Ol.ð¹q«zôÀ.T£6öT+êñ/¡“oßçæØÕBÊhÛïGZsLiªíÕÄs"í·÷h/õ[4çP̨ø½öÑT îúÖ¿ ¿…ÀÕ]Ê´­‰Ü{"ˆmçÕ¿„l^°Óüf>’)?’õ\RA~z\”Úùï:)Ø쯜®gÁLײû)Ò–öÉ£9Rs9Kf¿^ã؈ÒôTóájÀÁ)2Á]Npd;\ÓS·Ç”QæÜ—¤šŠ»«B¬QÛñŽ—)á././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint0subCACert.crt0000644000175100017510000000163215161577363032166 0ustar00runnerrunner0‚–0‚~ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint0 subCA0‚"0  *†H†÷ ‚0‚ ‚­ôüMt$ÔOÞüCz¾?ê2 ÙÄ3èèL¸ò™žîÿƒÕ…ilF½'Œ ­¶ÌšMà«ß½º:ý˜VAjýø˾9 Á{\¬¼FàKÝ…2gœÔx„Yaf#”/ ßgC Ûò?e8o÷Vm|û^öaéìáÄ›…ÈŒÔö@&ìD*¤8\V.—m(V17×Kö¼g{µ¦Á‚¦ð#^¯]ûª$ä»c~«MS+(œ… (·÷«|§,²½Õ.B𧗠e’º1‘X'½3e=ÁðD‘ƒ×¢FìR+Äð¦†ÓpœÑ­£|0z0U#0€›+²J<ÅnPÉ"½cÎ ñŒ=ú0Ubg}Ò7ÅrÐ޵ʣs^0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚.˜æÌß‘LŒïæ42‰ ~Q ×õoÇ“xmÅÏЯ9ž¼tbH2½Š öz‘ãò–öa×R§ðl¾zÚ ¸ªëòòEºK œ©!E!'"‚K™¢JPÏe±‚YƒfÔ?0b˜Ç÷«—òÄdäùêRd4¿–›—|^°ÀÖ|w@3©Þª<ÔU*€šnØ,"d¶{íT_Žá|óÙ©ñ!çÂ.m> UdPIâ߻طã^7Ù®ë Ä;[…¤"4C././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint1CACert.crt0000644000175100017510000000162115161577363031453 0ustar00runnerrunner0‚0‚u 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UpathLenConstraint1 CA0‚"0  *†H†÷ ‚0‚ ‚ÃÌxâG°Ezo—Ú q@zּΕtwg7ƒfÆþ†Éq ½eAœ&Ì É…nââZDÚe`ùwûf·YR«µ0HI.±¦3l‚O <&ÓM‘hbéÝ”oРE¯ô 0ÛŒB,]òÛ0K=¥r<’‹‘ϲÜÑçqgP}›N[›‰ƒ"¨œK«=÷Q›ýÌÔ=µŠG¸GIâ÷"£—”·=׋]\?ÍwƪÝF”¬“ëH.Ö‘h nQ‹ûþoÝzc¹BùÙçáè)|”¿Ì‹þÈêÖ_êâç3™cØ5f ËÖ_#ª<¶îS£0}0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Uóäq`ÿÞ&…3~üÁGgúÁ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚6N*ˆ"(@J‚;{ÿèVŽJ×ÈX"˜¨®Tp±IÔ]½OùÞée`E‘¢z¨¡à²ãú‚Nø˜bk-¦ >:yÓ ÛZÌÁØ:ÈÿVäõjC^ÊåÓöüºÃÏÕC’f.Ù‡¡ \ÉŠKÜ}eëMaugŽ†F~4«Ø././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint1SelfIssuedCACert.crt0000644000175100017510000000162715161577363033450 0ustar00runnerrunner0‚“0‚{ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint1 CA0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UpathLenConstraint1 CA0‚"0  *†H†÷ ‚0‚ ‚»ûÄlÓ抧ó¾‰,eð6¶|×Z¦ˆõg´¼ÿ³Ð'ƒxªï\quÁÌãJÏt?NÓÐ(ÒH3½¸ ½G맼–—{¦>&ÙÖYÚ) kÅÝøFÃPøSxwÄ¥§‰ØƒÁñgî ö‚½I&Iy £_Ð$ó[¡‡¯ œß˜‡ÞxÚÊiÈ(1DŽÆÝȯ(ØcWB?Ç?)paùœúx4Yif¡Ú? ¯f‰uÂÙÔh‘)‘\y¤ˆÔºW€D”÷>d6•X/äFÚ¦XóÆw¿óaüÑ›![O’ ãÊ;'CÉu:–)§Ã¢Åj¬èM&jQ¯û»Â°ÿ¡ñÈê^— [PheÒr Þø¿óØìús=V`T°œèy¹M³0Véç [íåÁDyëN¶Â2Ûv¤— 6/ êIÖ³6y!\ÂW]ò®Cn™œJkh&a [P÷)“ÐŒ`¿ä“lOÀöÞTL\˜U„™Ñ†Îh6ï+1òp;/U././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint1SelfIssuedsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint1SelfIssuedsubCACert.c0000644000175100017510000000163515161577363033613 0ustar00runnerrunner0‚™0‚ 0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint1 subCA0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint1 subCA0‚"0  *†H†÷ ‚0‚ ‚¦Fޔϟä‰<ÈÂ-3-gØÎCþt0TH—wðç x, &kK8jv«¤+¡UC"ü€0Ó.ØÌMAXìŸÓ01T¤£LÛâÎm¬aà»x~Iù‡ûs^ýD‹kq°¸7ýÏ_3òšþkj³7%°2»J¤Pû·qêÿ\vt)ø€„ã{\¹!¸Z-R–ö&Ëâ‚Hž¼÷É*X¸qࡹ’Ü»ì{ç‹”x ŠÎˆi4Ê÷ZÿGR—”输³¸Â/’#ëd›"*Ë£8nðH3kÀäúpEEÂr_·s£@IôŸ–q'l+õ ‡Õˆ« ’4 ´°qU9Š¾¨å®jq£|0z0U#0€å™–µÇ}UB­ŽÇ%öͬy0Uy‡S):¾èÔå4ƒ+ÇÖ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ Ÿ¤ŒðBoµ>¶›}¼ÎR!°qTKZ¾s=\i¬è?U0¼”üÒ³Ž×c`„ä¢5ßG›ÔýËj+´Œ‹³ë}™ùBÖ ­6ø™‚=pd‡œ+ê=ßLe]é¨Ä¶æLƒÚ)rÄ›•deœ›r°ëŒãq‰¡UTHw]3z¨³ãØO­X«X´–”¿Ü8ä¦8ëýõγ”ð™nˆDØØaÙϤ¾½_'ˆiX^Sb—#q­Øi„¹ø Ðé'™—ŒÛÝlë¢Öp²fà“?91‘oBìW¤kD­Z=÷™F‹ëjÉ+”²TÜ wfˆ'iܺ¿././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint1subCACert.crt0000644000175100017510000000163215161577363032167 0ustar00runnerrunner0‚–0‚~ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint1 CA0 100101083000Z 301231083000Z0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint1 subCA0‚"0  *†H†÷ ‚0‚ ‚¾ì:o ïòšË¢íî’%¢­ÄÑùÒ&zS+°(?1†ixƒ¦Ï=_61D &ž Ÿ‚Yï>´$FÛe|E¦\΃¸%3H­‘–…ï<:Õ0ˆK¤ÁªíVÙÒT܉‚G;®Û¬:ø1·hî$‰'G`0c+ÐÊ2”!N4•w¦‹±ÚD·c±3mëû*Øõ.D[ÊA±ÐW¨!÷ÖÔÙwD‘’õ§¢BsËŒc4=¼3ŒìḎa½uoµ±|°¬öl ëšmŸ·-ì,Ý ÿû‰½³™ØFËëMP»S§¼…„1eí‡,CFGñÞ¿ž‡®w™éÔ«£|0z0U#0€4½d㟎n˜%Ûe6®4•ë0Uå™–µÇ}UB­ŽÇ%öͬy0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚K@<Ú}"à!sðýJ,hî+Ëüß„´} Ça¿ÌG3d•`8Õ)¹lîcMܬmhɯÕô´‘÷OÍ€/»¶¬tÑhͼ烈û0H9œ4—Ý?áÀ±uýžP*ašž‡/BgpG¥DˆòLßï×TÙk†Y¹Mˆs…©y­yd lrîW“Gk.ù«™ÂüµZ1Û Y Ä㇈¹Õø}Ùú¼}妹þã'Õ2þ7äûçþè?¿_8G…„%œñXn«1´YVgQQÓT:G<Åò;6lç·Su 5l;µNvXzZçìÞqùX‹@èÏ_3ù0yàÚZT$‘«Î{Êò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6CACert.crt0000644000175100017510000000162115161577363031460 0ustar00runnerrunner0‚0‚u 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0N1 0 UUS10U Test Certificates 201110UpathLenConstraint6 CA0‚"0  *†H†÷ ‚0‚ ‚Èk˜¥,Ò¶&u´Wá¢Ov”"Œâõ#>0Ƹ4™Ò+`Ô?i… ‡˜×ªÏ×ÃSë—ä²G4óÒlGpLâјÎ©ÚPT¾´6å–’§ewú¾¯ÿÕ‘ ³è*à¹%4ôõkG&¿[{vRçiíTLÿG‰PK4$ßi°ZLßy¿37w%Q™Á˜‘?š†! \2Ø^ꎡã“>Xó'wûtÐØ‹2®dÐÒBƒÿ|.lvœÅD:€—°"ôuT²÷óŸ÷lÔ*ÅÁðèîQ§a?Š†é^«Gè­»í¼E…IÙj9ˆï„fëêÝöw²üŸ^ÞgoncÊ“£0}0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U¯¼…®þL®á—#ˆÈ¥±` ºNØ0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚0«ïCz)=¸J„áý»uŽþCZ¢¢·9þcƒÈÌ‘‘²—†F8d—>Á§â>ÞÉ€–"S¿Ga8b?d׃Ňl…s<1ÞHŽÃ¡}7ö­gö÷/rxVwÔò]6­p°jŸÖGr÷i-rÓSB×Ú?­‡ˆØþˆ¿‰3Ý!Óîéõ’ÜP“dao[¸= [C©Höƒø&wZÒ;Z‘½YªYðßì&û ªÆË?ŽŸ£ïGf aÿl2_ÅMhL]Ê-q?j£©ÚÖæYrõâ£|%7ÄpAÕ±7ßa_ Iô7)j·j ð,ª–—ඊsƒ4ÊMºÊ¥x0‹././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subCA0Cert.crt0000644000175100017510000000163615161577363032260 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint6 CA0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA00‚"0  *†H†÷ ‚0‚ ‚é€d ¿¦mƨ¬m Û”1JÏY#à´e6‘‹©rŽAL•½aðá7Ci¶¹v²žà(«ã¾Žfu‡½Ùµ¥û˾q’ßö>põ£}Zqq=ò¤ä¥Å{NïÙ.œ2Aô§ƒæ«`Á<[g7Ík'  àæ;TØXòU•™¾Ä­Nóùˆõä8²ª.T¹G;¢7>ãŒF½'†7Ÿ•v'L8¥LÕ?öù§×A+ühwW,t ª•ˆÃw­‹È°Ñ#ð0òM¦½Án :%`èÁï)ÚoÿK1•p™Â¦«MÙQ³‡°ÿçÁ=ŠŒ£ŽÀ[ ×£0}0U#0€¯¼…®þL®á—#ˆÈ¥±` ºNØ0UÏvvƒs$Ç£mg|ëRÀÔÔíH0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚@ZÁ ½ÀF—]9ÝäâŒó¦|óe&6þô‚ë0¸Wœ•'è•ŸJ=£I)¡hªíÛ–lÕT0oU ®~”ˆP®ÿùBÓ‚‡ŽµêCÚRÉ •œÒ´«àµûÀ<õn×г™šØ-©rKạ̀şJ¸m©ÐŠ¹ÝÀÚ…n;›¼8p&¦qŸ ËÀnó"S:ÖìŠ4ïÈù”ȸ¬rè˜ÍLjå/á·rÛKüGAê…>ÉDJ*ç°ÊË(^Â¥oLnÎ ÷1`ãDšÓe€íê?7œ3êìÖs;gM‰\é3f§#ÖئdaÏ[Ôfj³"áƒK¿É.ò‰zL././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subCA1Cert.crt0000644000175100017510000000163615161577363032261 0ustar00runnerrunner0‚š0‚‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint6 CA0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA10‚"0  *†H†÷ ‚0‚ ‚Û—ÿñZCpçÔ›u?Š ŒkQÒSÙöº4c¥ùU9m mOT“E;8¬M°îîÄ'¸®%b!7Ei_siŒ:Ž,e >©4~E€j­t¨54ƒ¬Šèpðè=õôÒÇôþö%?EX>p ¥—«"#Ê}8š!Ü ?T8w‰§0Ñmül8¸½i 3ëòÍ;µnl+w»àfž ¨dQåÑ…•áÚ7÷N†Ê™{ÄT v:b\›®h‰Ë²~Y¢µqaˆ³rÉ𴆀Tý7PZ´ÒÑÈG;a G¿Cêv±©@9_ºäyåVMñVèqs_̶…-2æŠ×q4ž]¡Ð'£0}0U#0€¯¼…®þL®á—#ˆÈ¥±` ºNØ0U<š•ž“^Vbé[8lš:n’Û÷ 0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚´ùîDÍ„ã…ÏÑ Àå„!»ÕîœátI¨û¶^h [àŽ«æ0¤'Žâ7öØ¡W…Ϭ­Y.2-Þ¯Y!è¡ÓjæY׿ª à d 9}¥•¥eú‘;º¾æJÃÇ€ö)ö<²æQÆœÇò„²¼6€5-KD¦ ³¿ Ÿœ› Ö¿¡ÞÈf0ØŸH2i&tщ|hº­÷éíELš È0"µnw¶‹‡z/”Åz)èKÙt• ®ƒÝà8ü¬N×€6$”Í„¤$[_!Àùl2ÜÒO“¤k0‰ˆ‰gþ¤‡~ŽEŒ ç5 ‰ÕMA %¼”U„ËëZ%\Tû{U½o™1×u‹¸¿ªÖ¥}Èra LÏfàsª;W=Ù%§kE¯$»FmrÛñþ††‚ú|ÝZÝ^ßtzã0}0U#0€¯¼…®þL®á—#ˆÈ¥±` ºNØ0UI…ÛKûcÙ™(´ zžZw0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚fI…f—²ÕÅOËÅsü‘¶±1˯Ÿ"ÊüÊ~îƒ?J´jvÑ^ܪE½KxJ+ ,ÇînÙ`ŠÊE5w ùÖ{Jêx+ÄÖ41ˆ;¾šº»U ÓT@gKê=ˆ(õo|}¹?¸ÐâÞ{H¦íEZÉAG%Bsç€(%+/UISÆ“½ù0˜½Q_³geWþ°}î–æð`á÷~]%x¿¥DaÄý•Ò÷ðw¾}9®¤V­Ã¶ªºJÖ4ÜllÛ9„cäó‹m2þG XB¬¹‘Í'™ð Þ„m~3Xù_ ä\r¢$^i%"ëɤ·²¿ü\È8ƹ‹lÊè¢QLaæÄW“5¤g£0}0U#0€Ïvvƒs$Ç£mg|ëRÀÔÔíH0Uº¹âˆ÷ÔY%Šã)ßO 8Ýqt‚0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚BŠ;Šf.q2Wé˜Õ£*ÑJZÿ2ÏMÒú\XµµABy²?¤ØC sŽ²õCJw§Bö¥þUî†ï Boâ2hä RjW®‚¶-¹Å̲T2¦Ð°wæruvcFñ3¨ð'L÷gŽ¯#c›%Oþ³~þ»¡IõþW»Šr´!GïCÁòþÇþ[ù2 —Y #€ÃÈYšGTM¬‚ö±¤e^¨GƒÛçê 1]çа’ËÂQ|{ꪖä“BîÔ3$ÌfËþeh>ø—Œ§}üSÙF{¾>]ˆåþ¥J.¶DCrW1dÇSä{àYíŠÑâP—”0‡s}¦././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubCA11Cert.crt0000644000175100017510000000164615161577363033055 0ustar00runnerrunner0‚¢0‚Š 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA10 100101083000Z 301231083000Z0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA110‚"0  *†H†÷ ‚0‚ ‚»þ执óì„’ÈvMj%#ü¤Õ/KÇ QچѷÕ/,/{9‚ Ü—ä,ä.Ã3~&gKÄ|mMJÙ"ƒãÓäªt6ý$%ä¸%=á©ÕÝ1©þÌìôuYÝ÷§ÚO ¿€gzŸ±¤È~ƒ©çï{Ÿ£0†Î¹Ëi wÃ5Šü>éhî  œHålÙ딲 w±% *Ÿ¯Ã1ñ¶áÛóWœŒ=TÇòeØ·üoñ€ýé;ò¯¢ÕR8ÉL6Ðu Ì/\9Ø5[~.nq-…IÀù_ï6„0,6'’@¿>IÒ:¼à8YAö´ÑÈ"ôÇŸ‘ª"Ñ£0}0U#0€<š•ž“^Vbé[8lš:n’Û÷ 0UÓ¦E^g}”€s¹„Æ[µ1¾0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚O†çÔ·+õC8äêO)ýGŠ‘æâ`£óG6ù×Ajþ Ú£œµGC™·–€Ã”bÞ^˜ŠÚ†‚%„¥¶ÔÅhG¥qû$ËYêç!Š ²~~Á˜ÜsÞ.n÷€€ìË[ß«ïåždœ\Ê–ŒN~ÒAèM™¹zž+ß_ç¿J"< eçVpüÙŽZ »úŒVL×N¢Ucñ)Ö¾Ð$vºævùHdÎãkÈâ¿ç°eÎóêŒQ2˜$<çÇd˜ J”œ¯&][ÇLþÌò‹-š®ææ¡Ã°´HV/ô7•"¿á»7Hð{ßåeü«-u„ë ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubCA41Cert.crt0000644000175100017510000000164615161577363033060 0ustar00runnerrunner0‚¢0‚Š 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA40 100101083000Z 301231083000Z0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA410‚"0  *†H†÷ ‚0‚ ‚Øpl5¨JŸ”×ض‘‹E#p 7¿ÿ¸’àášz±ãRO¼ÇD³‘1zrýÌÓ&*è¾ ¿i—’Á­r»}u"DØÆ”!cýÇI¿å„ñ©ã4¾Á€2ïWç;Ë+Y¦éêù€:ýµ*˜vu¼Aóð-x5¶Ç–'2<®-«\?ô°/ô.Õ ƒ­¸9™Z [ì ÃQH¬çŒT8¾ÿb™^ï'Q™Ú¾UêpOy­+jöÊ 5‡u6³&ý–‘r:Èá©8ÕAÒ”““~4i *U»)‚võœ%ÂðUfŸªÿÜ$·+»þŸÖ#£0}0U#0€I…ÛKûcÙ™(´ zžZw0UDZ¦ÏöóÈÇFïd¡õ[Á?‚¼W0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚·?«‘3C¦ùÌŒ óšõe¶"ßDSÝÆŠ‘¨‘·cÏ@6Ôµu Ò#Pá×»üŶ4"à‰›ÆóëP#•Qâ,¬ßQÀ¯>M÷}q@qåÇ@y¾(j‰Ó‹*)D3©„¯Å•<8žárMë\Mˆ‹ÆM™˜>T‹- ¯Ñ}Ëqa½\ çdBŸ4~‡BÂ;9O°²7‰k[ªÞX–0=µ,µGi'@êÌH–QËðûƒ؆ç@ÓjJpŒ¹ÝÚ­p3D»µZ`d¯èq+3Ÿx!FP}`2Ë$é—p„FÑþšZ.æ€W¢¶ª6U_ ù 6l½././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubsubCA11XCert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pathLenConstraint6subsubsubCA11XCert.cr0000644000175100017510000000165315161577363033531 0ustar00runnerrunner0‚§0‚ 0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA110 100101083000Z 301231083000Z0Z1 0 UUS10U Test Certificates 20111*0(U!pathLenConstraint6 subsubsubCA11X0‚"0  *†H†÷ ‚0‚ ‚ΠÑFO~vËÃh§po)­Ù›oh½( cʲl Qiª´°ª©>ÖÖÂdpÅǯ˜Æ eX¿·\¯žß³QÜ,!„{¾i¿ðCæ‡ß@µÁ˜zN-­ ÿQèM¶Š³8H½l¸Q£|0z0U#0€DZ¦ÏöóÈÇFïd¡õ[Á?‚¼W0U¡í¢ó5T¥Ÿ¼cæGjS$lJ r,0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚LÿíO:¢…€šÂ7“xv1dPBÍr3?jø xëå?P§M¥ÅWf¨9€â\)Þ‚ø X…@¡Ü¸ˆzji*\Aß‚™|ío±oƒn»(BþÆ3?£ìB¾7Ž%­Í±‘ú5ø1 É®´i½=† ·.b$X&·ÛM§o Ѭ½.˜$Í >"ÉcÑg‰ªhgÉ£(¸F룪Ÿ ;`%ðªÖ‡ÅÂz3±€ —ê2ˆý¥NGL¦iÞ ¦©dg¿J–½øðÆzGã½+lKÖîgS ý†..húš þV–à£Sdèž(ñ–ðIˆ·áoù²™£././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/pre2000CRLnextUpdateCACert.crt0000644000175100017510000000162215161577363031426 0ustar00runnerrunner0‚Ž0‚v 0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 Upre2000 CRL nextUpdate CA0‚"0  *†H†÷ ‚0‚ ‚Éh¥½×‡} &àoعY;½ÄÑ !;n-ñÅ:n¸1×nŽ<ã^Ž×Ás :ð¼Í&bX‹ìöJ$X/T×J·¾¤&ó8Æ\x±zé¤RiðäÓ_nûé?»z¦j././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subCACert.crt0000644000175100017510000000164215161577363033065 0ustar00runnerrunner0‚ž0‚† 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy0 CA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy0 subCA0‚"0  *†H†÷ ‚0‚ ‚ÖBkéM=ÏêüiµFøHƒÐvvŽàÌ€‡4÷ÏâÑG©ã°¦ÅLUv2À¨X 6‚ÁºšEó®’–Yº3í1WaæZ0ÒoŽ50rtòå¶x†fTÙä80o!:»ß¹·þÍêѹ(MÈæêoǃ¹ý™‹.XÚëc?ÏÓÆOªøÛžH$XZ¢¡z?òd7ù­.°&âa7ÄDÕ…€Vâª%x“"_±Bw:óñÚM¥%Úý×›/)-Ð>ÏàL± ²<à$ C)a1yc†Lᜱq…Ø'1£áã"í»/‹"¬,’Œ•“1æÔ£|0z0U#0€¹ìߺR"¸¸¾j÷¢Õ' Ög50U¾bxý;½nœ 3ò;2ªAóå‰Z0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚µIŽü"ùqÁû§é_eº¸Ô—gõ`ÌHí¥êno—H9†¿IFºôÃ(J¨ÒÔg‘Ÿ“úŠtñê#±Hû'÷‹ÕOv'•AÞm[Í ¾Õ¶ hø<âåºè¡(§½&îå©aßÔh–ðüû”™uùÝ"oŸªÜ3b&œÿ4½åqÂg£ê'ÿ5üJòê `@î5éu DßYÁæ;Ž˜Ð˜™l ÈÿQ¡1gŸØèoK"€_I¼„Ì1Žª—¬özp÷q 7¨úñº#±ç˜ú‘þ¢€ÉnÞØ%¢=÷nq«‰.¨Ûê|ù— ‡S飸Δ댘2././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subsubCACert.crt0000644000175100017510000000165015161577363033576 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy0 subCA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy0 subsubCA0‚"0  *†H†÷ ‚0‚ ‚»bhL<Š€öÖ#\t¨2ñÝ1jê ÓÎÜ…àZú1h›=M2tí2S…¨ÔQëª=äKµx½å`ë@†FØâ?'MSFETœ7Åýìµf²¤¸va4P``õöêÆvgè àJ¹ôü0y·UDš¸È)ܾc*ëå”%(œ9r}Öû½Ÿ“§£Š(ƒÉŸ DÈ™EÜÄqm¼¾À„uŬA¥{_B )oV…V]TJN} ²ìü‹…uýIþœílGKÃL«”ÝŸ\¯Ù=˜rðlål¼¸9‰Û‚F ‘kõÄ6§7°1VMxOÅmëŒD:U£|0z0U#0€¾bxý;½nœ 3ò;2ªAóå‰Z0UëØ—zz#5äÏ—$'"Ìg§VI0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚• s÷àîÃ#Eõ™ ŒM>þ„\,틼.L•¼«õ2…s¡¼UÀ²HÄE(0‡-|_eXº…i@$ðuS¤õÃͽÆo,‚ñæ°ј›÷­ÌÌVAþa¦y°ÜÓÌæŽÑÐ@£bLåŠ ¸|ûÀ0fÝX×£þ¼' (ýbA=g€Uè4Á >þz=2Ý_Ì&‹u_í Ôhœ®´çB»Oö«Ù×Ñ®æzŒ\O¦&„KÁ­Ð°  AY¯AÀ#¢LÀxBÝ4í7=Xoów¡ùbÊ‘Š÷íª oæÞhêíÖ‘£ÔLXж$ÇŒt%Q././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subsubsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy0subsubsubCACert.c0000644000175100017510000000165615161577363033750 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy0 subsubCA0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy0 subsubsubCA0‚"0  *†H†÷ ‚0‚ ‚áß¼ÝИA)R)E×~®ÿ°öÒñÛÅåˆ<¨³ï2 þwGp¯É;«ä6xÙuu¨¾ŸÙD‚Ëû õ$[HÔiÈ3ín»¤—xOiC½P+ix*6ùÿ7É» "¤†ôþjÚš÷¶Æí|ÁM8lHÙrAè <‹E5x¸¼}zYÝ‚YŠ¶Wà(j“jËib[£EŒ¦üàk˜!„Šû+ëtðÌ‚ïkÂ-•ÃáÔäWÿŸèGt£íqÍz2Îw/U°»’ä“>à£#¶¹;iI\)^úZ¢Ý‡Ž #ã&1ýM4›ª(oA‘ÏùÓ#w?¢$~2mql#£|0z0U#0€ëØ—zz#5äÏ—$'"Ìg§VI0UµÛÖÈ /ZAÇx£D‰ÚÎ.kº0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚;Etá䓆ºjj=yÉÄ”ÉÑ?}úa¤{- L³™½J¿"ƒ€‡tS ÔŒCe}´&«{üøAq„¸Æ u’”EÿÖ'ÊsA´‡í û\rHžã6£fïHN2Bl<ªU‘?Ù[C‘îrÏ—ùmd)V3q WzœÊÀç6W —é4.°zri" ’>ul6iü])Dˆ}GQ^®G0A– Ðâ·_¦¬ß°)åg«?Âß­’¤ÖÅSH˜ŸßRÓ³ù±‡6Ðc8¯z`FÍÙ­Œë:0ÔW½bÿ ßycüº¶æ±”›eRx/DZËCY:ü’Bº¼ââ™Ü^Â././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy10CACert.crt0000644000175100017510000000164615161577363032440 0ustar00runnerrunner0‚¢0‚Š *0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0S1 0 UUS10U Test Certificates 20111#0!UrequireExplicitPolicy10 CA0‚"0  *†H†÷ ‚0‚ ‚óÚM…yþLF¥âuþ¢Pè‘WÀè÷¬ÌpW¬1ñ"ìÂÏÆ4½ÿ<šgo¿ÛþÓÙƒ›mF˜ñPíB‰,@«Vç³™ƒ Mµ#ÖõzTðÁSžqåš#ú^²#µú­WÏ9™’•¨(W@Â1ÌF7Z)î<¶û áÃ/ÐBá J¼žz ñãè†o¼­1-±g¯Ì|þ¡!É{DÚ.]e²AÃÎ;ŒÿuS Yá€â<ɇ÷3ãU4õt÷ôH_ýYË)™êºfÙgóF훵@šÅ×á”׺ÎXU2 wA—ÝII<ËÆðovb%ï,”&îlôäî MŸ}žV*㒺׺bP ƒwõ:–ðp e¯Ë©µÇsxf¦è9¤ÃÆðPö²ëŒ«\¸MîçF6kþq0¨­¼˜&¸UôNH}€@e¬Ì噊òô././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subCACert.crt0000644000175100017510000000164415161577363033150 0ustar00runnerrunner0‚ 0‚ˆ 0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UrequireExplicitPolicy10 CA0 100101083000Z 301231083000Z0V1 0 UUS10U Test Certificates 20111&0$UrequireExplicitPolicy10 subCA0‚"0  *†H†÷ ‚0‚ ‚Õ_@Š–~2ÎÜOŒ]ô"õ)r²í& !¯a¢¶æ:ÀŒRŽƒe—*cZËd’ºc’¾Ù§‡ÌüÜ®Ì]Ú87˜nxXá)t8';,}ð<5•™œ\Ÿ2óŠD…ë¢(ž,šJAJ’¾¿:.;ö¢ iòÇç,&ÂÑá[—ØQ?&kéÌ‘V\B+Ã7×/GÞ;©ÞDhMvÎw´/ T µ“JÛO亳3³G_,VàÛU‡ŒŸLhm¤Œ}r¸¢4*eÉùÌßû瀓æ#2 ÇÊKúŽ&D$¦!€ÖÛ…‘Æ…kâ²b~b±cŠÀ«M5…ËêA š(V)£|0z0U#0€óLÑ_Õ€Góø4,ä˜ÏkŸ0Un¦a$hÛ.–&7¯Éx)V0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚éä²ïŸ Ž¿7úà ƒ¾t÷Ø)²Nøœõ¾5uÖ)—xÌr¾‹°ìáóvCï«•piõÙ­ÅlXûfÞøÓ×"YgŸi&tÏl6kdž7’ßhó‘É?,³k‹”†)YOuY‚¿Jþ3z`©l€=&Í6$ƒQ‚×4U¡ilóä`hAðÉ…»ÔÎgê–†x浄/« ”"Ü iŒÎLW"(ïK­ ÛNÕT6z‚RÜkµTBqÔm(Ξ‰UÝSŲŽxhË_äˆÑmnŽ"ñQˆÅ›y0)ì±ã"DÿæörþQ¡¼áã„Óû././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subsubCACert.crt0000644000175100017510000000165215161577363033661 0ustar00runnerrunner0‚¦0‚Ž 0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UrequireExplicitPolicy10 subCA0 100101083000Z 301231083000Z0Y1 0 UUS10U Test Certificates 20111)0'U requireExplicitPolicy10 subsubCA0‚"0  *†H†÷ ‚0‚ ‚·C£¥)†ìaäûïpÄoi­oDéÎ÷…ä%ñöÜ I=¼´Ï2µ9,3^ofùŽÊ…R|«Ù[)6º•ŽÇíIi÷æÆÁÉJ¼ëñµW½¢›BÉëÿgñà[=zÓ-rÍôà*  ß¦°šþ½ï, +ãêQÈZúÎ84à ðù©*5»qÞÚö¶¼a_’ò±.á&¹H ÐU¿Q%T-תBD·üì ÕBo%¹&_wðƒfKl}¯áH¡ÁXõ¯¦ELùš¼U3¤/ G˜ÿ Åt­:•©oìIn°|®—ŸDÖfoŸ¼ôµW0Êvño< È_—ŠÒ1?­X±£|0z0U#0€n¦a$hÛ.–&7¯Éx)V0UXPOòþr$¤Ðw? –,wµ$è!0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ÎTÌ„ˆÔà‘Bû=£á¶w(ÙÚôÎ{aa쬘ãËgT¥gêjÝr*·‡oL^ˆçSJѾƒ°«DQ¾ë ¿;Ó<®ÿ5€×`©—ØÁ½×ÏÃù™úž÷Hj«F‘b9É’µ¢Ǹ©ë }²e=x…¯¨™Ñ½czõKá"òŪÆ`ÍïPиºèhfìÞ­Jù~Ö_8kG«‘±¦vË,oúÆÔ½"+}3t’Cîë}^×ñÈxÈlÅÆÊSl–BíZ¡¤ïVjÄ…KÐZM¤ä´¿%ÏëÖøèPµVC´R}:ª%ßkBC±qkZ#-ÉÊ1././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subsubsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy10subsubsubCACert.0000644000175100017510000000166015161577363033661 0ustar00runnerrunner0‚¬0‚” 0  *†H†÷  0Y1 0 UUS10U Test Certificates 20111)0'U requireExplicitPolicy10 subsubCA0 100101083000Z 301231083000Z0\1 0 UUS10U Test Certificates 20111,0*U#requireExplicitPolicy10 subsubsubCA0‚"0  *†H†÷ ‚0‚ ‚¶ ïyÕ:0_ü?V' ÁÊ{ŽæðCý˜Ñ$Té€G¥^hH“ÿjsbú6,@SÎ!cèý]ViÆ@áÖ!ÓùîÌ6Ô&S=}I}ª2€ \j程ebå¾qƤáŸfš­#þ²Ô§ìï´\n ‘o3DõØØ3¡E¦;7û¹åâ4\}H2è—™¥ÏÕÙ. €-¸4û'î$A¥ *óp¯vˆšœeÖzÕªŠí¼ôø4×[µà[Hž–&ÁúÏÀC쀾aÁ¬žËŸY€íÂë$ÿ¢MV#Ö oyONã<áÓxj9>¨Àgc¯%úTKt‘mC¶çò´y~ë“ôë¢ÔH'‚€´1¥T¼!-.å././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy2CACert.crt0000644000175100017510000000164515161577363032360 0ustar00runnerrunner0‚¡0‚‰ /0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy2 CA0‚"0  *†H†÷ ‚0‚ ‚³Åø¹ó‡…ókN…i m_÷9ZF­aõs;ŒÉª´ÏFyF²‹Ð¦¯»M¶×ò­xìÈ“­ãºíÉ]2iÈR`ž…¢î‹zcâìÜ(²Ò~Ýpw|1•x1Iú#ÖŸ-$Ûá©n’è~KØú©ãÛ]g~ ¹,ÉŠ£Kê‘ÈWâ[ŸTŒ½Ä×Í?¦nd·”m#ªÍý¾¾SJÜrõÀÜ¢k±è½Ú ÙÛÒo°›; ºþD(³Ê|ÁÎý%IÌnäYrÔ›¢ÀˆÑ²ìdî(Ǻ´‡-Ì4äÆÿøÈê®â%ƒ‰]™ücç•á (*ó£Ž0‹0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U6©Ùûª8/ ÷L;Ù…š£-©Ç0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚Ðý0‹in&Eò8(T+ŠîŽ\¢zŸ†Àeض{*Ùð!gµsÅÂA<¢Õ:Я€ˆÏÀDGGÙ•Råxã8&<…ȉVµµàO]»¯3±Ìæ”Sïñ#ÇNå¹/OUÛÓäòöÈÓ3HW–~†­¿„AÑ®Z…myÞ®€3”Èš 9ÄFF/KÄ4èSÈ løx× N'ÑOxÂz™ˆØ\,G_ÉyfÊNÍÄÙ¯õ¢ÒÉM÷î˜ —ZaŽ”̯ZÎÝjâßiàôßm€ñ‹¨O’È _RÛ$ŠJÝ—OaÁ¸ØŒÂLé,'jÆ'&Û™‰í;†Ô ä7åÓ././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedCACert.0000644000175100017510000000163715161577363033637 0ustar00runnerrunner0‚›0‚ƒ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy2 CA0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy2 CA0‚"0  *†H†÷ ‚0‚ ‚äŽ#£ÄO¨fx¥fa¾©¨£o=Ÿ—GÚÚ zôZó•ü8€ í¦øó$«½f]twÏà ¿¨ŒÒï•´]:s%NŽ®A)MjñD•ðf‡'`п‘Ãÿr™Þâ ³7rˈELôêqWNĤA!ÚöÇÜÞ8§ï—Aä‘Gå³TÙ-­&PÌT êébŒ„ª´R0M} ×ùR¤CŽ"‹-QÙÐ5³¢df¼/Ø9®ÆQÆ•sº›#Á [zƪsÛ.ÊoÖ“³Š¿ÊŽ:jb8ŸÇ›yñDBì1ýÓ-‘É /w³ó—íºú|ÁàPŒ4*ÏÛ£|0z0U#0€6©Ùûª8/ ÷L;Ù…š£-©Ç0Uï«ÚØá€1§CîÄv ¯ìmò`¡0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ h VkM“[/Go¶A³ï=t Í[~¡¬­ÍL‚}íIŒîåm¦0s‘`’‚õ’¾+ÚøÛ`3l.!¢Eüû5‘ m­Õ3@k°¶ÿËNÞ)9¶U—Ǻô|P˜Oüª[ÇígƒTØýg ÓE¡ ø¡í£ñ%f@Ê©\B±4%í"ÏÞÒ_ ÐÇ÷CQ0® XÆ£lGšùÁ@…Æ;†.dÏx ¡/\…c Ã9‰ó†›Ü’þKÅ]ÜDzŽtÍõµÂ:‚ëÉÏZ‘Î~ V žÐÌ,i芆‘Q7´Z ’³ñÝøl hÊQÄ÷PAìÝròu¬E É././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy2SelfIssuedsubCACe0000644000175100017510000000164515161577363033724 0ustar00runnerrunner0‚¡0‚‰ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy2 subCA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy2 subCA0‚"0  *†H†÷ ‚0‚ ‚Â|ÒR˜Sý 6—‚¬Îù]–Þμů.Åq•–!d4¦OË2‰ˆ|€âå‘ÚÒ3àv¨5õi¼¢¶Z§+ÊÚYÄhn?¿VjÛ_8 w”Š;{.²X€›WuM“4öZØÝ€5u¥Æ1[  UJ™ð3ÖRâS{,ÖjJKôFcwô¦M,Qjq¢»nõŽr %ìæXg~ûÝûºØÙµËͦài’³ƒ ˆ/@SzÜ2,mð1”OîxTâžF„ƒ|È•CÄ>Áb–"]~ô]6s=/ÄÉbÐX¼Pñ<Ò–¨¶8¨¼nê×xf‡Ã$¹ ÿ^ö‚ KÏŽ¹-£|0z0U#0€ wþL0â³Q°÷ƒ˜G0UI gaVGÒY—¯"f0QwPªÜ¢0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚tÛÎïØuvª>•¾5—õÕuiwë'ö Ms Ùà…|:]dt‰ñuxE©$Uä¬IPáP“`9﬇Û6éÍ‚j×Sµêr½økØù*\EÑâC¹NÑŒŠR_Ö•Ó"ÙUhþÌøµu,ñýYD7©ôЕ\À]£|0z0U#0€ï«ÚØá€1§CîÄv ¯ìmò`¡0U wþL0â³Q°÷ƒ˜G0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ªu¯#¤LÓCÙÅŠm'µœ¶úÚ3jgPöoü ¨ªç…_À² ¬©"¨’²ôYaÅDxÖGLÿsF¯ã¶á½­‘¹E«}æÇv¾çþÏ5ëSÖ ” D/II™{iÍ£·´ó¸ƒ#ƒIMžYØÁ¹§t; §ù¿·RuÄ|~‘‘¢Èòm{xKñGì's¬˜è,i•g8 A­]{þŒ#+¦|Iæ–¬h™/®1²³à†1R_þgdž&@}S• |‘rÇeo6¤*¦å”îýµÅ°Œ"Ìúøꣻfl[6  ý¸‹b}ÍEÆÝèMœØ¿“cX}Ÿk././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy4CACert.crt0000644000175100017510000000164515161577363032362 0ustar00runnerrunner0‚¡0‚‰ ,0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy4 CA0‚"0  *†H†÷ ‚0‚ ‚Úø%]'?#AG¦e°ƒ7üK•¤¶ˆ$Ù,H?¬4Mϯÿå ÀÁnT®|D…öᚬÖ!ÖÀÄ Fª1f )þ'I×[3Ó"÷;íÜÔBS Ø]Üžd¹{ƒPLz"a“ë ö V¥æ×è\ïË–¹EG²S5¦žºQpŠÎ]¨£Q¯sÞlŸ Î#¡\›zÌ>¯¾„?˯£Ž0‹0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0UÍÑÜÌÔ1c,]6±žu¾K^c0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚u~ßÑßø5TxŒ]Z²Zždø8¸•ðcKf8hþ`f„z÷²ÔÙ¤Lh,ÇÝ3'ß%Žrg¿ÇâÄ8?þV_äSªÀ¥ÎܬB§+9Wýâ€1sÚ¤2vÔå=ØKÀÅI»Ô©Ãçp$4õI/é-ãe˜Š¹3&ĪÈñ¶Bà§ÝÁÔ2*ÛÈP☀–RÝ¢Ÿ Ôã¢:.œãÊô*Álšµ\»6ƒÚ§€ÑòݶQ ‘ÆPE¦«r%P®Žß1hbp¬Ÿ›ÑÇs™¥3TÂ,°'w,á#³R9.}”‰(+'p/làÃhˆÒ&‚²¢–ržG¬Xsðsò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subCACert.crt0000644000175100017510000000164215161577363033071 0ustar00runnerrunner0‚ž0‚† 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy4 CA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy4 subCA0‚"0  *†H†÷ ‚0‚ ‚²<@™Q‰+ôßԥ܅ÀE|á¯LÖ‚<ŠÑ´ú ¹ÔÐU¥•P¶Õ9P”Û;SAÈ„h&ïSŠb™ª0LR1W¢ãò‰Â&’ûK.R‹ß’ÅÓé`¿}ênia„NÆ—Í^u˾-ùççqvýºeu$°¿N4®ûócMç¤òö‹ ¡±¿^(Rh•z5¢™'½vßÔ1MíD)©s.2Op9lù_wäg·ÝÑgª6±_÷ºšCaNyã){7ý÷#©;Èx°]Ëx[‰ÓÖ¸cg¬ÐÝ ßOòl¹>“ã†Bî>…:…*=qe®Be5Ö q/f&&Åx{£|0z0U#0€ÍÑÜÌÔ1c,]6±žu¾K^c0U}ï”»ö§—æØ"HCH¬³îº0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚hÔ^U¢Ñ~ÌdÞR,“À6ÇéÓy“õV±8dþ^lÇñÇa§Š*Ë2œhÿÒŒ;|kŽœ–w~Œs~Z– ‰‘ÀSY<­oÑr%6B½‰Î>/üLÞi9 6ds¥®Ò“_ñ¤tí8wg¨J³,7r‘º´S1j3Œ¶†^#«¬¡ _üò¶r†IXÁÓ§½æ.$ãøöQŠñõU¨Û§&}êèóVMÀø@cª½ÞyN‰#@Mfµ^¦o@êêcíþDù%]ó£,õ4Sëpký®¹÷–¯+à-Ù>{¨®Hz èL~¯!·Ðkx­BônYÈ:Ôžé軽ŽÐ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subsubCACert.crt0000644000175100017510000000165015161577363033602 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy4 subCA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy4 subsubCA0‚"0  *†H†÷ ‚0‚ ‚Êoe|”O\w#Îòyb}ËX”ÍÒ÷‘¨VgóÑõ$÷càÉKgaf€àÍòwoàº.HßÎvhk)ˆÏ;–¨ñfOpI˜]¬Ð‚ÕÒQ¹Ÿþ{¸2ïó)L£àë[¾Àv“Ë€0Õ¼>µÓêê‚”W ÙQ?Mê¤)` .ïlý˱1Š­[Á/ä¢Aå%z=0Œ{rvôÒÜÝL}Xou£¦Ô¬¶ë¨¹ ¹sÒ]©g°Î¹˜@ ˜F‹ß‘¨ê˜rQÌšCkgj‚Õæ"è ”Çrx±¾Ný¦yñ±œ*-‚"h”`Ò·(¡+|±f:üš6XüB!áÓû˜·nü'£|0z0U#0€}ï”»ö§—æØ"HCH¬³îº0U©êæÓž° —¯çþ.2¡gL†0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ª–¿íe§˜ø7ݯò`X5ñõÄ–† jˆóáåGíÓ@Œˆ±ÈÍ¥±ðÊêvet“ ÒlAÈöUw;d¼q.¸ðRŸ/FBþ hvX²U¦·«Êš I–h6/IÏmú¢Ú¦~â.øc¢Nœ’L·aˆt…Šˆ˜ø¤ŸIëÿ,uíWû^ ò?ÒzƒßtiÿîÐLàÊ|N ÄVŽº<`Hôãá#;Üæ:&¥?™ãI_Ÿæj†LMÌm¢ãæšEmwEnvlìçÛÙ˜T4` "Ådª›LPÆö1&tvMjÏý!rOí³œÂá”–4jòNüÍu¦ƒñ././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subsubsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy4subsubsubCACert.c0000644000175100017510000000165615161577363033754 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy4 subsubCA0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy4 subsubsubCA0‚"0  *†H†÷ ‚0‚ ‚ÙÓÄ¿¨ÀBªŽtv5óéó„æa¢`äCÊésü*¨Ä¤ù·3sü»SA¦ße3˜‹ YŸ·ÜuHòÒÒÏ£Š‘€TKŽPÉÔ§T7:_}ƒvÉ çuOd<dFYû ¾än=€MŸYßcÝ¢,E‚³™åÉítYD  ­H²‰ºy˜É¿å²^Ë&°Ì?—ŸÑÛ´¹ö±\4k£|0z0U#0€©êæÓž° —¯çþ.2¡gL†0U»Ñ&ôž<‹ÏÙ{²,Ü£!0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚xMÏ£þ[ÌZreª°¦5†Æ´È}§Ðh0p¢eÆ3PŸêU>À©E¼ÙY]®N‚¨zRQ "ÃZ¿ù`xuÍê¥2øè|ñ†–¡g«wáõ” Ó‡ËÚ†‘sà O`oE^×õX<ÔhÙvî¼€2 ¾“SzëÊ¿w7z!8Z8‹÷‡4l Ÿ&½Ú ¿üÙŒ$ÿ´¼ó¯V¶‘À‰v¨y~fÈ¥kžÒDbTÙà&Êl^ë*L¹>‰ÿ ÃÈŸ´l€è(}ò?nÄÜ´0-¦ ]³ót^^ê-Ìñ¥\¬­¨fœ¤¸cN"ÌÔfï-,././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy5CACert.crt0000644000175100017510000000164515161577363032363 0ustar00runnerrunner0‚¡0‚‰ +0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy5 CA0‚"0  *†H†÷ ‚0‚ ‚×ë†!Ð}ºÔ½Þ´Ëy½tq,ÎÎ4Þàñ†5ÇóÆ¢IÈýjtî~ÖÀ‡C3ŠìôGân®/J0 ¼RômÖcO¨Ä"Ž0|€$?ÀSÞ©Moñ­—ãc¢_{´ àŦ«Ë,pÏ1ˆ¹ÂÒ ‘õ¤œ+U+¯‡ÑqÅð¢ðS ØýDqÙ¡t×¹”Îf?¸£ƒl3v¸<葱µxˆ­à1ÓÝúóϦ#w¢Vt}àQƒ"þ@99B\µ#–å_ßG/Û/ÓQ™H5œLŽrß¹pd ©Òª¸ýșʊÄÑÈ»gílÅwîozfzðòa¿©bzÜÉ£Ž0‹0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0U»‘ƒ«®®Þ\Øàò<\úŸ.á9h0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚x– ÷ˆÝ4 T¿Ä®Ø»ÆÎÄ6ÏæÏ(°ÜbÉ€µW¦eH€—µ…T…6áA^V¥7ÓŸêq-m²v9#þiƒ* fQ˜v[16½ÀÁ%S¥k&J÷¸æOie˜]FÚfÖŽK]¾Oy>%P±¨jÊ€¶ÕÂ^ÍŽÏÖ‘{ôÔ VÓ<Í‹}l‚|GÑø‹ûÐæ&ŽÏÂå¿pÉAµY…ëB¶yÅH*¡è‚£¼pÿð7þ½5’êëaWOit^èP%eÖ~g–¡ù’ÖBûïDïx7âò²Ž‚#=§ Èh¬6g¥4œûïôæ¿}ÊòqA¼'ûHm9ÚˆB3>é././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subCACert.crt0000644000175100017510000000164215161577363033072 0ustar00runnerrunner0‚ž0‚† 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy5 CA0 100101083000Z 301231083000Z0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy5 subCA0‚"0  *†H†÷ ‚0‚ ‚Ó$Eˆü\ ®r123ñÇdZaiö3—¨lWè¾~¤?-¥Æ,Lai7pXܾÿ ÚQAâŠ]_ÒBÉ°¶‘/|õ½x¬ØÆH°²à5˜ªx¼'¡ö3º¡§ÊÉ. ç‡ö}xüä¥=òAIUkGŒã”45¾-A5V¿9ߥ¦P¢l«áž)Ì„ä,okܒâ®Lc²=&EGáydZ©æDHg»Ú´ÏŠ¾øðƒªD¦¨dóáÜŠG!’Û‡x]IèÕ ßÛ50è$zKŠÎŠ‰ ©ž·‘Ð&íy³ˆì.í£|0z0U#0€»‘ƒ«®®Þ\Øàò<\úŸ.á9h0U7Ó¿ÞÜPǯȊ蒰ÄHað:0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚ƧŒ‹JzAÂÝ0œÕ VL7“²¹øn¥xVñlÁÒüSYøPßgxúœQ‹ëŒÞSz‚÷Ío)íÌï«fÁòÕƒFOoøåÝÒäþO~$» n-gĉŸgÅO—-ciÞêyÁ}Ø]ˆôVê›ÅÓÇá M­oæ‚—$†)³æ€8r‰M©Ô{&ÉÑ'Eqp B]ªxz r—ƒ——ЉŽVêo,è…âŽÉ'ÿŠ| L]V¾ŸqæâKí~˜^¡ÞÝhƒ|ý´È¾i1 µ/7Êæ;=B:3~—%id&æH*<Âw q=4G`uÓ$œDYõ$ZŽY§o$ï././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subsubCACert.crt0000644000175100017510000000165015161577363033603 0ustar00runnerrunner0‚¤0‚Œ 0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy5 subCA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy5 subsubCA0‚"0  *†H†÷ ‚0‚ ‚æ‹#Ò“ìAÞÕ´ñö¯|dËç ¶iT*V¿¿bT{/áo5 r€)á„gå5q/K\iFUAúh|$ü«ÛmƒØ¸©Uœ"êá|¡ì½€.«6>áCkžPÏÙ#¯‹X¯äWÄwËdË^[Ä+8ïÕæ¶ðÖïK_‰d@K 8çgRXODrbµè@ÄL¦ ø",£Ïô? ådÚ®ñòbo£õQYBžÄ9çªûqŽ n58OKߦ6ãúÿ˜ 1†û}‚Á”´Ó:!CíJ n$W€uædWÿÖxŒ‰UÖU£|0z0U#0€7Ó¿ÞÜPǯȊ蒰ÄHað:0Uø‚/yÿ´~Û[¯2ä5aµl0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚7¶L¸Rëcû±¿kSj­˜*y$“ß=ÖXa•0F%Dš—à…«…ýŒCLkÝ?¾tá&Ƹp0ØéeÒXOš™àŸî^•éeÝCçe‡¾L_ùQdªÜ“Ÿð>€Q>ÿAl£·‹¼ŽÂ݉KðiW)_]ÇúÁ95ߥå2ÿm*Ý·–µjªÍÖ»ŒØï¡P_"¿íCE²Ãß5f®½Ì%½¾ mö [ñº;z¼n£Lm…Þñt@€fÔ˜"œ&„¢Rf3¾H;ƒÃÚ-†M´x¯e¼³èìô¸ëÉv’ ‚£ ¦«$®r„®—ªÍCú¢®öç././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subsubsubCACert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy5subsubsubCACert.c0000644000175100017510000000165615161577363033755 0ustar00runnerrunner0‚ª0‚’ 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy5 subsubCA0 100101083000Z 301231083000Z0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy5 subsubsubCA0‚"0  *†H†÷ ‚0‚ ‚•7õ{ f!àù‰ùP÷O·g¸˜úR‰÷XÁH„³äáÂЯ®åá8ód(`æ‰5®üF³—þ‹l½µ0Ì}žšdÙa_ÊÅž`,ôªû˜ER-±Íîõê¼ ‹oÐÒWÖò¨Æ; 8=0ïÀJt‡¡q=Öê´c’TÜN3 ÐÐr#!é Æ,ÃçhftôI~Ø_¶žj› ”6SÃmIm-'r»÷Ÿ…ûYpOO½¹»îÕZ<'Ù “3uÖìF½8»Ø—Оמó1ƒÓëWÜpTS*Êš2™#¨Iê½­Yhä[;eáiÿ-Äé:É jÓL}ÓoGÛ¦GÀ~3£|0z0U#0€ø‚/yÿ´~Û[¯2ä5aµl0Uúbº½~^_ߺ¾y7‚Üü(0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚Ât| y‘˜TU 7»ÂÓkuM1Ú3b3Â9dž‘t.!䘺,øN¬Òe‰¼æT*0 Ze8§âî6_ øBNi~®¡÷,¬cxds(†YOXèŸNàéhB JÁÑCLiÛx)>yÏ VQØw½6{]=×®`ïD•bæc6ìr£ø5ÈæÛ²¤/-à«>ItŒ­K€`*+Ý LMb[bÿ/µE¼úX?rzy¹†Ž‘\!ªõònNãÔÓhÔ {(‡ÂeoÄ^ˆ5ŸùKt83ˆ˜÷±Œz—lÑ÷“-ÍÇQD©gÈMã././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7CACert.crt0000644000175100017510000000164515161577363032365 0ustar00runnerrunner0‚¡0‚‰ .0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor0 100101083000Z 301231083000Z0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy7 CA0‚"0  *†H†÷ ‚0‚ ‚©TªG0ƒ™*Ñ¡Š…!€µ“]ö‹[gòEhO,âø-¡ÊÒÁT¼ŸˆP¡·Í1I¨¹ ø8«äI›w¯ƒ"¼4’ÿ;žÛ Þ#L5 ^°;[g‹œ… ‘ˆOb0‰Cu¬c»zSâXÐ\ÄzÞôªq6OÈ«hû¿–õ¿E«Y(^Åýà}ƒµ‚&lÑ-ߣâ2»eÛa¹ËGÝág8²ÑظªzýSkìzF%¿\²2ûTª´*:o Kî5çÐdég=Žäûû'œ^ëÙÖûÛ”-À¦bP®{–wfõäFÿê©ç ö¢20›+‚Œn¡V÷£Ž0‹0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0Ul1—5 ÞÛ5å iXYˆdÌ!ÎJ0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚t)‹“\U©>Ĉgø÷È]t7×c–)ªfêÁ Ï1¯3«®ÆTbØq(ù<hÝ.ÜnjÝë“í´¢{míÌZO5è¹ÝÖ/ºùÖŠÞ'ˆnûÛ!?¬ñ™ '€yQ1f÷*á$qçð”²4£E{}ßuœPÍ ¹Ñ4®NîÖ°ƒ¡å ºÿ…³ï;Bì¶Ég 3pj/L}.éÈSI¹½ØèØ0²/PÒ›I§"ÃúØ-a.W[•È=æ ï¸kcˆ'P|Pä‹üZIf{º¤‰„ ¥ 0æm†]Ò2Ž`ÿÄ•ÍeÿMvQû¹>0i*%É¡ñ®NJûœÌ¸, ¡f././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subCARE2Cert.crt0000644000175100017510000000167015161577363033406 0ustar00runnerrunner0‚´0‚œ 0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy7 CA0 100101083000Z 301231083000Z0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy7 subCARE20‚"0  *†H†÷ ‚0‚ ‚¬Ð‚‡ÎÛd³¾a'L.÷×$}¦z;Eó€°Bšˆú6‰ëÁiÙP^\¢×Ew*Y¾Yžä—¯vc IÑàQ«ý†ÕÏu k’1ÒëãßzT‰›è{ÂLÕ&„"N™'¨Ymd=|¾ñ°,»3ku˜ùŸݢÛtÛšLBÓI€:žŒÐôíåª:þ¯{ðŠßÝšÒ+Ñ™ô¹è¥p\ƒ½q3 MË‚óˆ)o0TiKÌÃÎTVºÈ:âð+wÜàRÓ¢Ì7žåj·KøG5¶ú§Jæ ÁÍò7rÄîÞÈáÛt +å(•#“ap/9šøgð¢ö“Õ£Ž0‹0U#0€l1—5 ÞÛ5å iXYˆdÌ!ÎJ0Uç\%Ž~ªLwƒ{ÃêiÖÇ¢4á4Y0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚¢IëË+k¢Œ³Ë¾»,u{ÁÑ^þ+°ƒ=½Îøçês±TÿÅPд ¯¬t¤Y0b. ˜¥I@Û¸OÖ÷ïÛY8}QxGe½ºú<¤¬"ÍùýÃÄ«ó{µkoÕˆb•Àõ?äÙ!K`°êÞ³¸Ô2è;[w»¯c‚-L¦F¼ëü“ÖörÒÖ/¯ã7ž_±Œ^5¿5—cóÛNuž‹\¶ÆÃ?¢ ЩS=ˆHçdv[Î#"ñCà—QÝcnBoN[v@ „2Æ>œ‘;ÎÆWÐ [Â7‘tã)z˜@ONS×ïÞ£ªÌ¹`B././@PaxHeader0000000000000000000000000000021100000000000010207 xustar00115 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubCARE2RE4Cer0000644000175100017510000000170415161577363033456 0ustar00runnerrunner0‚À0‚¨ 0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy7 subCARE20 100101083000Z 301231083000Z0^1 0 UUS10U Test Certificates 20111.0,U%requireExplicitPolicy7 subsubCARE2RE40‚"0  *†H†÷ ‚0‚ ‚°¢óªáµ[`íÓ‰®³×²ì+¡b\'Ú¸]Ê*<=`nÝ‹xü¬KP0ç9Ê+aßw!ÂqÉ˱ɜøô“e€-Ç(œ¢fÛ`d{Óu6ÂÅ–EOäµÙF€,bçᘣN"…nGà¨qî—/^¯(fÂãmf¼ÁM5÷™Ç'y¨ „`§ú÷þw¼¨Ã•ÀÂi”®3à/Þ½q篕¦äèß°®_)Tq/ï{£Ž0‹0U#0€ç\%Ž~ªLwƒ{ÃêiÖÇ¢4á4Y0Unÿ‹fþ›¥{ûd3eê•H”˜0Uÿ0U 00  `†He00Uÿ0ÿ0U$ÿ0€0  *†H†÷  ‚ôCýJßølw£é1¤jé˜ã°X:D{qŠ]ç,¢ÖÖGI\´,@餺ƒ”ãÑböb¥ù¶µ¯Çäqð ×ã&îúºP@]Ñ/ð-™Ý0Ÿ×Žüéj_èê+£¨$Y–ZïHXEÃ~Cók8O°2€›‚8ó‘(ê+ Z´<ÁÁšðËœ9Ê2šh[ÏðAd·|ÄcÖw DDcþ“-è›æœ‡Ô¦µ»tú+Ô³_´å á]ß›rTÅ:óØ\©¸Ðt8É0F[ËEt'“_ݯgÚ:å¯*C°ø)È•¬ôÑq¿Æ(©g6>aw(lè=¤ŒÏΆÛ®././@PaxHeader0000000000000000000000000000021400000000000010212 xustar00118 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubsubCARE2RE4Cert.crt 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/certs/requireExplicitPolicy7subsubsubCARE2RE40000644000175100017510000000167215161577363033542 0ustar00runnerrunner0‚¶0‚ž 0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%requireExplicitPolicy7 subsubCARE2RE40 100101083000Z 301231083000Z0a1 0 UUS10U Test Certificates 2011110/U(requireExplicitPolicy7 subsubsubCARE2RE40‚"0  *†H†÷ ‚0‚ ‚»¨ZÈ-”Ѐú°‰Xü¼b}•î;XH>íð¤pL›Ëˆ®}1‹÷=<Ø~¥\Æ f_o·ý8O±^YñKÆ¡Ï ;’›’ø¸¶·ó“ ˜ª/¹`:3 þ'5R Ø{îž}záàµq”œ1-àÈ^¢u¶&2Ρ¬¤µÔoâ¦[ª @É«²Ü– ;å‚VbÙ§Ÿ1j(_ðñSSœ%®­“·Zuxh¥Ê ¤Î— žaÙ*@˜HÏ+Æ£”–H ¤"µô}2¡ÌÞ&çøå æ•Cf™s`Ï<¾$«@Aßñ]I’,Õƒ>†xRt&Eû?b_ñZ’0‡£|0z0U#0€nÿ‹fþ›¥{ûd3eê•H”˜0U{,Qa1­¬,k©¾;;’ªD0Uÿ0U 00  `†He00Uÿ0ÿ0  *†H†÷  ‚œ™ osmó±žV±¡ºŠ×1Vk â…Z9LÂÂæœìäÅr" ÚÛ6°ÀçOœ®¥q6}7V^œh ‘”‚¤W}m@;¾ß‰/ú|·#ÿm}Fóñ2dCÀ~¹R‰uC-SÚÐpþc·‚06RìóôhjSù%¦·F‘¡¥u[ª 1Ïn%öÇ-–…èX¤ªó×'æ—ò¼*×óèW³7ÇÇ ŒôÍÎÉ^{¼˜ÓyaR½Â¾”€U~i·±ªÕ eQóÑcç¯ÚCÏØüÊ/kɤƒq "c0솃ÃÊ?˜lÚ¤g~[ìÈ€½ýËíl‚šÊ‡» =ˆs¦././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.2842772 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/0000755000175100017510000000000015161577372024021 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BadCRLIssuerNameCACRL.crl0000644000175100017510000000072015161577363030312 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UIncorrect CRL Issuer Name 100101083000Z 301231083000Z /0-0U#0€rò5]ÕJ A(ý”pq0 U0  *†H†÷  ‚‚$ÿî¾v¢ÿ"¦)€ÚVáÿ"Ödî.WYº9„R­×Úñª˜r „†ˆ!~:åP¤c¶,×WVç«& ”5š‰$J»¤Ñ†e4øsM ™šlÇϹ%ZLÍScx ,ÚúÇQ»uyføZhú¯ßK9ÁVÁ…(-§Å$pb]Çw-0EÉ’âʪm±½<2Î_ÔEÀØŸ­Y9§íœ@ Ú„®Î‘”×s´¿£þ¢KSnUµöBD¾x}ýö1âáeDû<gl…5Ž'‹0Äȹ.Ü A÷;?-oQ¨î>*†+ý½®(výD5¬eú•(D>ÔŸ<×././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BadCRLSignatureCACRL.crl0000644000175100017510000000071315161577363030202 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UBad CRL Signature CA 100101083000Z 301231083000Z /0-0U#0€1‹5žDa0Þç .H$Ûù½0 U0  *†H†÷  ‚l=ð!ÊŒ#és&f7÷¤ÈÂ}®l ‚oyS½v‹°ÓF®1Œ‰æÀ8¶Í.¤¶+ÍÛzÜæ³ñHêžZÃ_\pò¯þïàû BÊØì¨^B™Ùun!2šÿ•¦Ýa«åCà3Ùî «2rquüÞ¬¦ø¬ÄÈÚ‚Z0v³ž3áÄ ð8á@†`©ú8ávaªÖöñ,ó*TA³µ†‹Óõxo­’ŽŠ[XÆß9ð=8ñ‰ˆ@5°ëÔK*tËüçgQxŸ¡#I ’·}óÓHn@qT›¨þ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BadSignedCACRL.crl0000644000175100017510000000070415161577363027111 0ustar00runnerrunner0‚À0©0  *†H†÷  0F1 0 UUS10U Test Certificates 201110U Bad Signed CA 100101083000Z 301231083000Z /0-0U#0€{Ý;JàÈÝD…Nˆ¼žû¡òY¡/K•þæÞV¸†@0 U0  *†H†÷  ‚œÞ‡ß˜ .óc]Ïè…ŒS-Y°ˆÈ´Ñb©¼â5rÒa¶×2’lùýß¡ê$ ÂA¡jºÿdy„³ÚÍïŸ>–ƒõ?Tvï"r· FÓÓàS²ÝbÖDÅ YW¹BÜ“k‡ Gµ³óÈ×÷)àž1@`­N:œa*û6äµÌö±ÍØ/5œ±¾[HRÞ³º9@Ä7÷À’½©l™JÞÎF†üEV€%vP´«%[a×н<Õ%«XØ휈…X ­#{?Œ‹Ë,ÕùÉEU !óYŽXGõÉþ.V!$«,¼=7™Y)N6–GÅ­Â/ÂU/™GNúv5././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedCRLSigningKeyCACRL.crl0000644000175100017510000000077715161577363032644 0ustar00runnerrunner0‚û0ä0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  /0-0U#0€$ÁUqúžá!…*ð­a§¹ÕMC0 U0  *†H†÷  ‚ˆ?ó˜̃=M…q|`s°jùmV~°)nËœðÄds–’WŒ•œ¶b~gZVRÿ+ÆŽ[æúG‹ç75FÆ*r@»~[ºž8¯«€®¶ª–z¶œkMˆ^E‹6AUÌîõˬyXiÂÆŒ‹bøµÝòÝòÒŽ Á1—/À {ÐÝX…ö¬Õp ¯Ø~|‡hçä’ ÅeïlnJ‘ ÛZßóŠžT¹{¶8)nHëšÙåøˆù5¨ÛúéŒ_z¸‘°ðÔ@ØÚŽðļR©é¹™•×‘çÜ'‘&ï+Åì«m nZ…/kÝpÏÉ'­krãÕe:‚…ðòi ¿®././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedCRLSigningKeyCRLCertCRL.c0000644000175100017510000000115215161577363033245 0ustar00runnerrunner0‚f0‚N0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U$Basic Self-Issued CRL Signing Key CA 100101083000Z 301231083000Z ¼0¹0U#0€)šE.6•ìò^TœÕÙöD‘,0‰Uÿ0} { y¤w0u1 0 UUS10U Test Certificates 20111E0CUÄY;Ÿ‚‚a$`lÞ¢ž8Ã6ç.FõXù°óF—n§xN¿SÔôÜR{Áym3PQ\[’㪼B%Ux Àׇàúã<¸E„óõÎœ÷ªB}oÚ(t,Εeî/qÐÈcP–¸ò™yíaöÒ@Ñï1l=o§·AÚu²jŒœ¸~‘¤ þÙkT­ R£›tþ8HHúCZØFRd¸Ÿ×&„'='zžÝú,t…¾h© ‡‹÷üZ7·Î#;†’|Äßêuôäü¼Øo§¹‘ ÊY§3í›K(ãÁj1././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedNewKeyCACRL.crl0000644000175100017510000000076715161577363031435 0ustar00runnerrunner0‚ó0Ü0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued New Key CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  /0-0U#0€ üÀ,ëUî’l©é__¢Ÿb#•0 U0  *†H†÷  ‚p.{CõÃÕ`·ù¯†'^z"åÚéæ|´$ ˆç–^]ancq*ì„,ttLæèlñ5É"¸p¹/‡ÔšÆFj€”çXnF—w6×ÕÌ“Š4´#S7惓›à–Æ.šÀÝšÙ—Íʸî­ÖemœÁl½^É̱e…›ŸüÈ%ˆâœó Ö´7Û¦E:sSô—fÏÎùƒŠ²¬#ØŒ"nFЊfÈK uoøâŒó‚ +¢nR°|Ù‡`È÷CrÈšBoyA…Õß3"x¿)õôŒûm?&%P Çb´S©Üàà¢ÿüïB O§ œùÓ–RÕÿéVÛ0pø././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedOldKeyCACRL.crl0000644000175100017510000000076715161577363031422 0ustar00runnerrunner0‚ó0Ü0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  /0-0U#0€ˆ_¾?59fšëMÂ&&±*'µ*0 U0  *†H†÷  ‚²OŒà\¾³Iy®[M×iD~Þµ[<R7oQ'Ÿ² ùÌ„ˆ0 ƼÏB*œ÷O0û<ØT›yR›ºÓÏŽÎ"Ìo0xð>NF™cÊ£:Ùgq%Š§uô¬u…î²9ϤvzŠ¦ê¬²ÿ¬¤¾×Ýn4>z•ÜnÜ1 ŠÃ(ÝžïOîiʃ@ñJmÆ™x&=A¾Á¾¾µ‡ø|D“0?KÛr¢6-õK½‹›ÝhSª¤zæ†Ç¬û ~¿Öû\µ½ •c¶ÕŽ’ôb¡8ÙevÖ”±õ—³~|ýœ—ª  HF¬+œmLÎzÝ٬ⰶ3././@PaxHeader0000000000000000000000000000020600000000000010213 xustar00112 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedOldKeySelfIssuedCertCRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/BasicSelfIssuedOldKeySelfIssuedCertCRL.c0000644000175100017510000000113215161577363033450 0ustar00runnerrunner0‚V0‚>0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UBasic Self-Issued Old Key CA 100101083000Z 301231083000Z ´0±0U#0€Ý uShÄË@À†0¡¾¯0Uÿw0u s q¤o0m1 0 UUS10U Test Certificates 20111=0;U4Self-Issued Cert DP for Basic Self-Issued Old Key CA0 U0  *†H†÷  ‚À €ˆ¶;4}Xï›4ÁOCÝVuý”Ü£ ‰f> ý!+/9e ^ÎXcñÅ{0´Ÿ»Ñĺ|×!wvÙ®qNQ¥pÍ(¬M–!°Ú ›$pù£Âo£ Eð…^Š`~úÛï±'AÓ’À§ÒiT•­Y>`p ˆêŽÎB'º[TGN)2wÁ«_g ~/Õæ~?Ïñ¯L Ý`ä³Û—…aþ ±Ð=ï.\=BÖԃߗAè­' ‘™¤Llñ|ž c§íR`“3µ^Œ{JX=¥à£¾NHÄ3ÓÆÓáß«×ŽQÐ;ŠïèÏÄnŒ)˜I™åR‰`ýKÝx././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/DSACACRL.crl0000644000175100017510000000034115161577363025675 0ustar00runnerrunner0Þ0ž0 *†HÎ80?1 0 UUS10U Test Certificates 201110 UDSA CA 100101083000Z 301231083000Z /0-0U#0€ÆŒtè{ ÈYÇ}<[TY`% ±0 U0 *†HÎ800-2—œ’ní–¥p‡?½¨Ñ'jtË ®ºïN  $"QO#ñžç±ã././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/DSAParametersInheritedCACRL.crl0000644000175100017510000000036515161577363031563 0ustar00runnerrunner0ò0³0 *†HÎ80T1 0 UUS10U Test Certificates 20111$0"UDSA Parameters Inherited CA 100101083000Z 301231083000Z /0-0U#0€eŸp:Œ­öCÈçUŽèKÛ‡â0 U0 *†HÎ8/0,<Ð]-*uLäDî±+ªÎ¡€‡<€,ßµ«r=ÌAY©)ÞdxÑÉp·”././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/GeneralizedTimeCRLnextUpdateCACRL.crl0000644000175100017510000000073015161577363032743 0ustar00runnerrunner0‚Ô0½0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UGenerizedTime CRL nextUpdate CA 100101083000Z20500101120100Z /0-0U#0€~*uï 6ÇKç ÙaHGŽƒ,0 U0  *†H†÷  ‚—ÿ@{¥b!ïoiœ%Ek6rµ>|ʾ"ÒrìXLêÒÖ£~LL5{I7)2 –xþ|=ð¦xSz­ÝŒòKì/u&K{c ¯€¯X¥›/¹’P¤åÂA‘>~IP¸M\bG`vò#ÙÞ,ÞJê>¯3) ]f¨©Òn=ûfq¸¸\ôÌBc1¸/¾{“sÃG ë´ø§b/Ñý÷ŽÖ( ÁAR©aßôÝrÅÉÔËʲ!Ù3sÛÙˆ(‹™(Ëh4Mø—]¼zÑ éMg¸²“˜wÍ*Du^ù7ÝèÞÞ,B:û"vÓo¾8êÂúÃlÐÉ!03r././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/GoodCACRL.crl0000644000175100017510000000100415161577363026153 0ustar00runnerrunner0‚0é0  *†H†÷  0@1 0 UUS10U Test Certificates 201110UGood CA 100101083000Z 301231083000Z0D0  100101083000Z0 0 U 0  100101083001Z0 0 U  /0-0U#0€X„$¼+R”J=¥rQõ¯:É0 U0  *†H†÷  ‚=¼ó Š)ÃðnÅj„ì»ÄöJÓ‹S‹<|Jž¹A¬ÿxv¾Uu—ØähêÕÚMƒ6j ˆ3”>mJ íImÇåóolÀ¹ð ÙíþúNY2ԣϿéÜ2ž³Qïkúá&mã¥!¥+–zÖᶫM“_8F†P”Í9¤ÀåNyþ,=¨Ç7G¿UÞÎzäæ…²Ž‰«Ÿ¯íÊomx;/he9Û²õõ(÷4V2HP¢Š²Ëð®O1G•®‘aV/&äEæ¦Å­M’·"`­'uß°g_,BCg´õïPç ¼…K›«Øㅔ˳êBI²HI0KãÓVD././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/GoodsubCACRL.crl0000644000175100017510000000070115161577363026670 0ustar00runnerrunner0‚½0¦0  *†H†÷  0C1 0 UUS10U Test Certificates 201110U Good subCA 100101083000Z 301231083000Z /0-0U#0€2,žt]-])»±z;R´}Bx0 U0  *†H†÷  ‚FÉ´38`GJnê#øP;GƒaR“;Št xÎ —ho‚2JIÔÕ$ %µìl­ta"éò[Ádõ­^ׯí¤5_r±H Ø>8OõelìÏ»o”¹‰ùì Ð×–ýz†FÖlѫܼ¹=òÄ­› ðsiIi¯2üêÖ›Ê>Àå輪ìК>É®ñ¡kü“h¼dïäško­,T,Té¸=D$Ôd–o‚"S³æïféQv¢cðk`$•øÞÌsGÿ¾GRn<±kä¸ÿN›-Þÿ™u U6ór8J|lÕˆŠ›±ê$$êÛÜ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/GoodsubCAPanyPolicyMapping1to2CACRL.crl0000644000175100017510000000073115161577363033131 0ustar00runnerrunner0‚Õ0¾0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"Good subCA PanyPolicy Mapping 1to2 100101083000Z 301231083000Z /0-0U#0€[sy™ã®ÓŠ¦3Nxä ±äÉ0 U0  *†H†÷  ‚¢ŸL²ë†ù±ñb?çÜFx  …•HYv+-Çu¢•#¿:2'TpÀºo;êKçoîœúdR¤Údóî(µ¿sÙnìKE¢µaÎ@•€ï›œiË>¨*¯u´°ÿ6Ðx9×וìÏÔ³xˆüÈ|&Ÿd¿–Ò¢ ³}fŽæ¸ðÅ̽`ÌÇqÍTº§ú~ðÚ°ÐÉi÷D#n…­úð>ÒA Cc„+«JÚ›,§&$1ë!Râ¿Ú¹Úz}†±¼û•¶Xý36„¼¡übKµ’¾—¾kEfå_O6¼Úù—ãl@Rbc'òθ²6v»óÖ¶ûØ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/LongSerialNumberCACRL.crl0000644000175100017510000000100315161577363030472 0ustar00runnerrunner0‚ÿ0è0  *†H†÷  0N1 0 UUS10U Test Certificates 201110ULong Serial Number CA 100101083000Z 301231083000Z0503  100101083000Z0 0 U  /0-0U#0€ c·G®Â2oã:¸ê ÿ×d¤0 U0  *†H†÷  ‚÷ÂN‚»èâˆK¢e`A춱.±‡†ï+ú™›/s35SÔ)K»ŽÕà"Gqw¹ÆÓê‡8c›•2Ãó9œÒ“®æÄFôнˆM6Þ» ‚Â’øxØHʉÂZö|ú$48\˜|ȲòIr/JEœÑ.Âc+u°'ü©Ö®ïÉž%Lh¡ƒbºèH*ÏB¥äö°“Ư°¤ñd7S%Ë‘\îÅgA¬Ô4 tx»Z>Ýï­k•ZÔe¤›ïP4òêfœ§»úV $<~H.¼¦Ïç®@°§žé0œ[;̉C”`è*¾;0w< $e‰ôßš sàH‡¢Y././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/Mapping1to2CACRL.crl0000644000175100017510000000070615161577363027374 0ustar00runnerrunner0‚Â0«0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UMapping 1to2 CA 100101083000Z 301231083000Z /0-0U#0€™ÅxiË=3v™¬Då°þ¹ôÛÇ0 U0  *†H†÷  ‚0MbRžV»Ð¡Opt¸fhˆú“EÐt;ðI]Ž}ŸÃ_ Ë(2[ª|<ÈŠGë½Ï*W¯˜loËч™»<ڱ뛆X=À‘ͬôaY»fÈù澚…VG`UñT‘ð¢Öæ|J‰þÖy‡+à"ËWíî&º{Éæ<í¢f OEö6ôSáÒ©)õ4j<ºXâ†0hl^õC ªõ]¢X©Et­‚7•”7-øÊ$¥‚û™ë@òË8¥Ÿ†¶3†õ9ΊØÅÍaÜï­"9¸‚?¨S‚ö£¬”}*>%j<Y=Åñ.ºÙ~u£ &uJÖÒ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/MappingFromanyPolicyCACRL.crl0000644000175100017510000000072015161577363031376 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UMapping From anyPolicy CA 100101083000Z 301231083000Z /0-0U#0€hsà 4Ïr@Ú”–Ö«z¤o.Œ0 U0  *†H†÷  ‚¦rˆ6ÌÖ9X™2Ñ‹«É}L—xsÝ‘âæدƒ»lTêÞ1Çol ƒ›åcçuÛߨ»Ð”•'Úóð…ž~[¦{¢Ô¢ya¨ZKåcü”üwø©;LjÿÛ·¦ÛV0Júéνx"Ss9ÖN¨«®#ü®uò9*8¥‚EçoY½Y¥c;WŠ@!ˆ˜Æë9È;8€ƒŽÿ!г¶æñµl-WÈæwüâäO´ïåqrÊj63ç0½  ðºõqTô¸6›ôƒjÖ‚ÖiÖ ¡®¥®ƒÊ…Ó'…2þtÙ’¼%'³­p@=M‚fˆ¾¥ Sé3Ôý././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/MappingToanyPolicyCACRL.crl0000644000175100017510000000071615161577363031062 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UMapping To anyPolicy CA 100101083000Z 301231083000Z /0-0U#0€,í“ñp”‹-“´˜Ò·¬0 U0  *†H†÷  ‚ u•›}Œ( Ü+’=Ô¸ï¼øˆ]°LÃ…qµ,ªk3tŒãþˆC™*,>&\¾•MíVÜëî俹É$«Ÿ9k;ÜÌ%õ‰¥Ç¿Ì¨]µ¡ROW|D*Æcq¢šQ¶Mn‚jq³RßôÅ«¼8Åæcù.K$â2§•«HåxõK Zë-†¨¼¤ôœo»˜ßÚ|O¤É Wi;Ûl©íü+ÇPpiÔJ=¯Ç"³(Ô¼ÀV#–ºîkÝên™ÎftÚäPr àSªùm¦Ô¨±ŸÉó˘®o H j©}7÷u"ÎÈ:O釢fxŠÊkÑ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/MissingbasicConstraintsCACRL.crl0000644000175100017510000000072215161577363032134 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UMissing basicConstraints CA 100101083000Z 301231083000Z /0-0U#0€0V¼OÆ&Ƶœ¡p’ÒùO y0 U0  *†H†÷  ‚ Òu{uþ¶~%í–$ìÌ"‰gY¦¹XÉê‡ïËÿøú¾{dµB7ÎßÑùñ!¤Ù»6©;¶B̵\‘S]œ‹_:ˆ¼>”Á±NÇ¥úÇÒc¾WïÌ9}ä}ÈæZîéÊ †]ew¥âdiW_Ãú³‘ÿÝj3i®AîÊ &ÿ,'åÀŒRhvZèº)!v™ƒ„6"^Û£d.  ¸Jj­ËcÈ#¤›VíÑ,ìt(ßsž ‹6»Ä:OJIn—‹ºÆºe]9%oCŽ± ꫆•ƒBÓAÒ²ñ¸=ÿ¶ ò”ƒú#DØ 'f§é¬ƒÆ¢MÒË«_'././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/NameOrderCACRL.crl0000644000175100017510000000102215161577363027137 0ustar00runnerrunner0‚0÷0  *†H†÷  0“1 0 UUS10U Test Certificates 20111#0!U Organizational Unit Name 11#0!U Organizational Unit Name 210UName Ordering CA 100101083000Z 301231083000Z /0-0U#0€¿J‹›MŒ1Œ[éÌÝ/èyQP0 U0  *†H†÷  ‚2iÄ2 å†KØ­Ñþ·ïo;Š± "â^Z›ý2Å×±–_7ÿÔxçð!ÙáÄÇQž°ð HÜ™ö[q«+Uð^ñ©H”¥„pê Ò8ì&†…?€(càF“Ÿø ¼#ØÌÍÈ׿Ê<ø? ¸OBî£3ëGv•œË…e³çHΚü/Ë[9Æ0‡Tf,Ê)Ìh÷’ÂP±N²è,¨{ªÜ¯©‹²“JÙE‘ºÎUr=€.£yøbæÀù°™‰§ŠKP3Ê?ˈÐÈmt®çì ]Æ’s ãííQïó=’¶Ï™Wù0²±¿®[F?ÖÂWû././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/NegativeSerialNumberCACRL.crl0000644000175100017510000000076415161577363031352 0ustar00runnerrunner0‚ð0Ù0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UNegative Serial Number CA 100101083000Z 301231083000Z0"0 ÿ 100101083000Z0 0 U  /0-0U#0€bä.5ÆÅè‘Ð ÁÞ¶¯ÚˆÙ?0 U0  *†H†÷  ‚äAV Î"f½(`­×yÌŽ €åHô¡¯ëà¬aABœ¢üWYM2¢ßwÓ®?•‡ƒ4¼ܯ\òAʆOø[˜Ñ¿óÁ/»fu.-<êù&ß趡~ é’÷_é(ÌÃ..v½ íÕNŒt ô3>8£î×5çJ:?G½ûí‚•îDÔ `¤jÞ©ø*0jõŠaKó)PF;Òh¿—M¼¯¶/7cÉϪµHÏuQpnÆ,p&a½Üÿó3KòZN‡3”2„ð7äÜEkÌ•…˜£'Úhl@ø 7ÁÃì xG/ò^çã®h†¨¯Gè”e>*êGW„ÛS([áW!!Vü÷ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/NoPoliciesCACRL.crl0000644000175100017510000000070515161577363027336 0ustar00runnerrunner0‚Á0ª0  *†H†÷  0G1 0 UUS10U Test Certificates 201110UNo Policies CA 100101083000Z 301231083000Z /0-0U#0€B$í¥Kvœ—˜\tê:ü5äœ0 U0  *†H†÷  ‚n±¡·‡Ë4ý÷ºÂZÕ›]_GO¬à}O@Q5ö¤: bñd-¢f­)®{¢ å÷ÅØK݀Ēæ1ENÌlÃ&iW âIÇmhQÆð·:f¨tf×\·C9a)O¨dè £îÐ@ äǷ§ƭM-ämõÅéÎÕÿP_âî¶ÊQ諨Õà¢åZK DÜ?Ú(¿O3ÏݲJøgð›Ä_½â«¤£Fö=ž|ÝþáƒHÄw_Òf¬Æ¶déÃM1ƒ`ð—ñ{ÝÍ%)ýpVˆž—)um#ÂN'æÓ?)&¿ND>×6xË?žý<቙…Mú7¾ÀÓ*‹Mz·“¬vµ³ØÒÁKåÎ8?¢n§ÐCZu“œAçÚÆ‘^·’ê>ã,¦–Á.X&!JxÕ³¢[1hiŒlݤù¾þfT"™Ê| [,"rÜÍÀÐåI÷ÛÓ€ÏÍç®BeÆ$Ô:§ízÎì9ä§xÈ­MU;,ÀN9¿3PàKà­Ìd|©Ñê././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/OldCRLnextUpdateCACRL.crl0000644000175100017510000000071415161577363030413 0ustar00runnerrunner0‚È0±0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UOld CRL nextUpdate CA 100101083000Z 100102083000Z /0-0U#0€ÎÚÚZÌŽ—ú )O¬–*Íx0 U0  *†H†÷  ‚4´ãµ"õCvÛׇ!EÙDµÃEä#)!LoKw1ôGgÂâf_˜{!àz´[5{š€¯:^²Ó=sÊ”4㋤././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/P12Mapping1to3CACRL.crl0000644000175100017510000000071215161577363027655 0ustar00runnerrunner0‚Æ0¯0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 CA 100101083000Z 301231083000Z /0-0U#0€üôa32€|}5‡Þ_RûiñÁ0 U0  *†H†÷  ‚5…ܼT+§š ëÿÛ =}(^…¡òN^ë8ÏŽîMÿ†÷O. ¥EaØɇŒéK¼¢“I¨¦§‡ª@mÌ¥NzGÂÄ)' Ašpû’yŸ•hŸ¬ÿÝ2&º½³ŸD7šà'„;Gi*ÔñK0dz1Žà f‰òÓ_Ám‹Œ“././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/P12Mapping1to3subCACRL.crl0000644000175100017510000000071515161577363030372 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UP12 Mapping 1to3 subCA 100101083000Z 301231083000Z /0-0U#0€¾{“¡ä›Å'<0S×¥ÉæZ–z40 U0  *†H†÷  ‚²Ñà xÙòÚ“Â!¾+,«ÕFÍt–ÌƬ Vc†ë K#ÀÆZæ[S«¤ßØÀQd3”vç¢ÂÑ-¶äZ†· ëAéCÈ3&iФC@BKÔóÔ/?‘ü({ݘ8n p­vS?ÛãN<_ë•…Í’ß8õ3äÁ¿Þ!äž\&>CÓsæ$hÄBoçŸÓY®ÔA€ph6ÏÅÖþ·„…Ú6Qbæö.‘•g™4â3òyÀM`Ô,>%$fãD.ÙÄð©ôi9*¦ÄÒ¥;²˜ˆñ™Šà_£ØÌê{(OØ-–³’©r\“!\»viEÍô†½ÚUºZ²;ˆ~././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/P12Mapping1to3subsubCACRL.crl0000644000175100017510000000072015161577363031100 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UP12 Mapping 1to3 subsubCA 100101083000Z 301231083000Z /0-0U#0€]9>åª*^-ö®h*­3›=›s0 U0  *†H†÷  ‚«. [¶?õnå ÞDMß›{r­z L;°dBÛžÍ÷j20 à[zj‚˜HüÄݔ<ÓˆEii®$áJ¥q2 1Ù\ðÒÎΛàØÌnEÁ¦ëâ«ñ‡å´äž&Msu Þå__·¾“Hc™¨­â´ØFë“Š—·| QÛòM.‚cÎåtÌ|žp"hPÅš¡2ä@#€IöÝÀüÊø~ú>hÊwLáwšÀ… æK%dÂÀœúéa2mMo3ݪ$üN1kÃÅS'+fgÚ !IèN.²6‘2ï Xô$fÄÔ¡uHmà!®å7» Æ„ûÑùŸh././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/P1Mapping1to234CACRL.crl0000644000175100017510000000071315161577363027742 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UP1 Mapping 1to234 CA 100101083000Z 301231083000Z /0-0U#0€• ©IxªvÚ ¬ˆùõ÷G’0 U0  *†H†÷  ‚ªh!Uá4b// g«» ”¥ºÆÎMSíÂõѤÜ!Mžw5x¦ktc{@'$t…å©–ñ«§æý.TáŨ3­£“ƒók½ª$ÓN ­¥û¤O :– ÿ¢Ûi[Ùg`ŠG»ÖÂZ^ç¼ÅYÃ’;8²Ëú*’£µaK ÙÃ}„HÁñ·ðü)͆1W?‰6¥,7·9G,Hdë¨(4;œ‚v%Г“W­[À€G4 ³ ¦!5*Ãúœ‡Þc/:h¾U„Ì42•I1°{\'j¸qi*Uî¡ÇªÀ{TúÍÀÌ\GEpÛ¿ý1@«Ø×././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/P1Mapping1to234subCACRL.crl0000644000175100017510000000071615161577363030457 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UP1 Mapping 1to234 subCA 100101083000Z 301231083000Z /0-0U#0€å•ý*9x¯ËFö@˜e í»0 U0  *†H†÷  ‚ÂRoNµ/ëTeùé¡iF׊ŒAÇýiÂû“lu8 ÈÏ?6×æ* ÷¬F³½B%²–¹a././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP1234CACRL.crl0000644000175100017510000000071015161577363027467 0ustar00runnerrunner0‚Ä0­0  *†H†÷  0J1 0 UUS10U Test Certificates 201110UPolicies P1234 CA 100101083000Z 301231083000Z /0-0U#0€öý©Œ&,´ÏÖÓëÔ­’j»$P0 U0  *†H†÷  ‚ÕW 6?\;Ÿ¸·». ¼?B“jJ"¢áù®÷Øw¡43¿˜|ÀpB£“ Üv$¸!È°-Àø-<Ý@~ÕçæIUÀQ¸Òyȃœ,º}þh8¾f!“RF®Ìéf¿?{Ë%û»/KÉ­? ä|=6«.ÌZ¦Búå­s- ÐÎ[àèd %Ò+îà©8…‰d%}•¥dÊgÌÖ(tÁu›ËEV–ð+ĨYΖé׬uWù`&FÆó:„Jš…Ò wq>KB„/J/Bâz÷Z°1yüvyRpMçë˜ð ½žs~O›ež,ÙUo6538à././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP1234subCAP123CRL.crl0000644000175100017510000000071715161577363030556 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UPolicies P1234 subCAP123 100101083000Z 301231083000Z /0-0U#0€¹ªP¦4fQhBî)ˆjìÈ|÷0 U0  *†H†÷  ‚}]®ÈpŸ‚%ëÂMµB0ø˜ž^¬6AØwò3¡81°Á­¶¿{‹cºßc½&îíão šXIÂðP(~gÙ~ÃÞ B ÛpŽmÍ/õÊÏÚr½ `6è)Xí0 Û;HŒPÜKäµþÖe'¶ê)z”ãFøj[LsÑÜ»oü/`dÎ!½ Ó„GX+ør×AƒqbOÚÎâ"ƒ7D’YE%í÷º vïñÏÎœŽÍCñ•²¤’JŽÕ9YIt¿SÒˆ¿:¥ñ^3›ÖëŒRÁîµ·LçR:VD$„(Ý799ƒ aÎ7šî­=6Ì= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP1234subsubCAP123P12CRL.crl0000644000175100017510000000072515161577363031552 0ustar00runnerrunner0‚Ñ0º0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UPolicies P1234 subsubCAP123P12 100101083000Z 301231083000Z /0-0U#0€Nô^¡ù0{e¬’À ,Ó´–0 U0  *†H†÷  ‚;y”køsâïbwˆúÔ•®éÎ R_ÆÜ`T¯ÿDþÃ.ßO~¸Äj•8Ce࢔§r,ð×†Ä }©iù%Ô5 !om+UÆOÄL*ì]ö ¼­$‹ÄKdÎ9¼.ÏVðŠü²âg•»ŽØø³f&$wÒd>™ˆá {ÂòªÖFü?`1"°ñ†ÐCßÀµ 1÷5ü&굡ý°VÑ;µ¯·uq¨š¹#C "Ì诹½ås\öÝ‹Ð" )´«`Ú}(£ïíÉR;¾!…® 5]sò[‚ %9XÂ>‚í³D²“ñ áÙ9£I0œåp—‘^´°YysçoêRç„M7Bjžwš././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP123CACRL.crl0000644000175100017510000000070715161577363027411 0ustar00runnerrunner0‚Ã0¬0  *†H†÷  0I1 0 UUS10U Test Certificates 201110UPolicies P123 CA 100101083000Z 301231083000Z /0-0U#0€Œ( Ú bî==–¸q“‰êèc0 U0  *†H†÷  ‚_œ\fšíª Å|!)[þ:…¾9Báj9K¿ûÓ -È^µÛz‘ÝÑ9ý‹‰àTàš·¨8ÂjáDötÞCñ»ZzÈc­¯P­2YâÞL®8й×æ¯÷c÷I€uЄínÜUÛ-xöÓ{H‘—VFáìÿù¯¼#‹n!†Øò^€ 'Ð65 ·¼ààN)j¶ÛŒiW¯%±}-‡Û"Yü«uSO:œŠˆÞLÖVöÕßR„r…˜„ ¨™dd­ym³‘ºšIÐ+ÔÍp‰gøÕ.SÃ÷]å”ܳ’tÃŽç¡wí çä8t«IÎFØy_ë././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP123subCAP12CRL.crl0000644000175100017510000000071515161577363030405 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UPolicies P123 subCAP12 100101083000Z 301231083000Z /0-0U#0€ÎÚýª“@øÀ y­ÁxÎ×'öž0 U0  *†H†÷  ‚@^ Ôå‹Uå‘CsC,EßRð+ò+L½`0i.Þ©ƒ-!™ÞuèÔ tiºÇé~%‹ÿ ¿»£ßMÇtØ=‡®÷>Atþúr æ[·J‰ˆåWY]\RhØŸïosÀ&€bœÕmÄûßô(&ü„¦ÇK {8A)žrÃ-ºgtWP,±ÄFÍ8ï7FTédü¿£Ôê–)ép&¨-Tûü7-ºs3íÆ(joôór™$z|#RÎGa¬\‹Œ¦šWŠ‚òADð¯4«6”ÔL¤ø¨©Ì¥aã½$¸‹Lp9ÕÐåÎ>âQÕp7ÊKeM2ÜÛřՎ&Èô././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP123subsubCAP12P1CRL.crl0000644000175100017510000000072215161577363031316 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UPolicies P123 subsubCAP12P1 100101083000Z 301231083000Z /0-0U#0€ä>F·æÈ©ØíÑ3áñ]$Â0 U0  *†H†÷  ‚f j…ã/Diþ0kuªôˆKgH™:á—ˆ%IŒyhÊ(YËÀ´0ŠÄµÍ>£ê×Ùy¦x,Éê˜èЊ3ÝNœÆ« k~}Sùßò3‡Ø½v¡ëî}~s~¡”ríÜb×À"uÿ׺hàƒö)Úʹ]ú’§†{!CÝú/üt]Ï‘ù¾r“Éh×iuݬÇ&™»p¿~Û0…ø•jö°eí eŒpøMT¿3/©P$o²v„L.ÔŇޖ„Ó¬’Ó5]Íø8ˆÀ¤ÓÿŸ÷$r [ :™º†N` C4^²óPQ©«˜R-pº~8µ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP123subsubCAP2P2CRL.crl0000644000175100017510000000072215161577363031236 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UPolicies P123 subsubCAP12P2 100101083000Z 301231083000Z /0-0U#0€éü¶^VNÑ2ýˆ`køi0 U0  *†H†÷  ‚aÀ“´¢ò{üQOÁÓörØÈÈýW?s¾ëÑB}Rü3€À|ïb­Bå²—š|¹YUÂ`å/PJ›=ù˜=K]"6˨~FS§Þñ­[Y>Σ,„ìæt^6´ªX‰¥3åV 5^H7M‡5†|û©§0,áï?Å-œ;Ù-É­À °y,ç­,¿Ì"?÷ý ä\*KV‘VJ©Š¿ çÜyo5‹c–óP´Yv…„‰ \*:Ò ;™áKdä ±:ÂðkHGáÖ¾ÿ‰ñ:·Œ­ˆò˜oE¤µjùU`ÇIK:|s`”î¸ Ðö©îÄü././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP123subsubsubCAP12P2P1CRL.crl0000644000175100017510000000072715161577363032237 0ustar00runnerrunner0‚Ó0¼0  *†H†÷  0Y1 0 UUS10U Test Certificates 20111)0'U Policies P123 subsubsubCAP12P2P1 100101083000Z 301231083000Z /0-0U#0€‰ „û¬» ×Þ^^žhö9P@ˆ0 U0  *†H†÷  ‚KêŠvî\NíXÿ·õaÈ¿P±€µ~(bŒzжIzN—PsLÓ1P*wÐÝüÙØЃƒGËÑ:UW!ð<§ùŠÞí^àä2¯ÇsŸ\‘µì°É§ ^Ã^wäEPk¢í ¦Ãï`ÔW~‡1ýÑcM@#ã:xéÅOZR ª(¦À64}óLk¶­gè®Å:ˆÆ¨§Nî†*ŠY~mL¡„) u–ÉôM[•ía< Tù sW’"‰*hw¼þvòO›bö”iƒŽv é&!ºNü#pXÌ„"‹F÷4,ÌÚÎìcé½ÏpCê6¸ÝKº)oÔýG s0› ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP12CACRL.crl0000644000175100017510000000070615161577363027325 0ustar00runnerrunner0‚Â0«0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UPolicies P12 CA 100101083000Z 301231083000Z /0-0U#0€Ø_5âšÁ7*&΃Ìsp*:â10 U0  *†H†÷  ‚R Š}jfÄ\^ïeÖ©Û°Ö }°íGº;H³Ž²ß§4íÞíõP`GÿПÊtÕÚ}ðVâh!SvHŸOøç6°¯üƒê ½<& ´/ÒY-Áo8P´ãþpÞ*ü¬¨bŠ>=èØä`Vo®õ^ž†ü@ <Ê„ðs¶®½2Ù)­Ym‡à.§dhÔºêmÝXÛGt»ŸõðÌ’·‘Â|¬¨!ð;åÛ'¸¾Ñ%Qo®7Ä~4q{<û³•þºÁÒy`€¯ÄUá³ÅšP»|wR0¸25E ›Zæ"ƒ¿Eí¶öΗ5hªE»¦äت¤…NlÁH3¬6—"././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP12subCAP1CRL.crl0000644000175100017510000000071315161577363030236 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UPolicies P12 subCAP1 100101083000Z 301231083000Z /0-0U#0€"ž×¸HÎ :]¾ÖMX#VËÖ0 U0  *†H†÷  ‚ž#ÑMŒ/4í^˜ÚG¹çCFÜÝ„±ˆ&‡Õ»’7š}¦m¼°§Í üسx쨵ÏýŠZ¶‹In?ʧcŒ9Ôljë—û,ÛÌ¥"Ÿ”Ÿ¢¡ äÂàg 㱧@:‰^‰ÆÌD‡lfj™–…9W‘C{ãzoìqýò¹ûÚ„Ëëe(Á±% È{jì”dÁ(2Šž þßT[±ù9¬Hg,Ÿ#Χ4¬|5|Ü«Ä*{2Èu=&㵋rbdíja@]òd èBYùã,!ECùn «€®!k(ò˜qiâp!l¸¸nx‘D¾•j././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP12subsubCAP1P2CRL.crl0000644000175100017510000000072015161577363031150 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UPolicies P12 subsubCAP1P2 100101083000Z 301231083000Z /0-0U#0€Ç¥7§Ðú$å|ßÛò]iÛîÊö™î0 U0  *†H†÷  ‚¥®\¼L3±ø2FÀ±ÚÕ¸6äRòælíýK"uŠ±­"»½}}—®|/=Mʶæó&WÎÆHIý%ð‹R0¨å6AY'êrg]ƒô'G<@LñbV ðÇ 1–Ñöf‚.:Š3!>>ÛõÁ6­KYË×FáÂüÑ^*Æ¡Ð-^¥4Ëùö*@nºÉ÷\„¯4lÔK<ääÜ»tý|ºÑÅE%pd’+à¨ø-Æ­`\&v0@¿˜ r+bÂQ€Ä*<òÌ„`QH÷ϘU)Röˆk¼©,J’BÙ“ Æ/Õ?Öeíq¨Ô§?«ÛÈ‹?‹‰œ,mõU!È././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP2subCA2CRL.crl0000644000175100017510000000071115161577363030034 0ustar00runnerrunner0‚Å0®0  *†H†÷  0K1 0 UUS10U Test Certificates 201110UPolicies P2 subCA2 100101083000Z 301231083000Z /0-0U#0€,ê¸w=e¥¿3ÌzÒ˜ü¾0 U0  *†H†÷  ‚ICioòŠÒ n_ØìtqŽ£_$RF3±6± ¶ê¥ý‹œ®¤ ÍŸÆÍÀE=Õ»(Gvn”RIÖ &X#îù±Í¿Ò v슅âJÙCn\¦VoÒ„"uVOŽËжú>œžÚ¿€ãÎ㯕&ÿjcúð¨Z”i*ùˆß˜ýdñRÐ,߀ñ¨4V?Ùr{S³”¹Ì%'ÿeVu/Êš{õ‚xŽé6«OØ¥ ºU®u¶•_zw8´®Ê2È0)’‚A ôÿî>¦c˜øÄ=Ú÷ómBȘ•º¬ÀúvQ-!9n‰û¥à­Ë¢gƒ/ú¨Tí#øɃ3fÆÄzg././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP2subCACRL.crl0000644000175100017510000000071015161577363027751 0ustar00runnerrunner0‚Ä0­0  *†H†÷  0J1 0 UUS10U Test Certificates 201110UPolicies P2 subCA 100101083000Z 301231083000Z /0-0U#0€^<„sž0prq˜®6Û"|¯0 U0  *†H†÷  ‚‚78‰=KTå*ïR-˜1ôÊQá[w6·%ȉç3è»b ëÏ&ó÷jep±NK}%ƒÐXb1±¶£(ÆÚ7«rIç'åÇ“‚UÛ\ïH´ØHøëÀ®r­ÎN‘¥þéKt’å7]T èŒ3bhXkíR*í¾Qh¹7é ŸqÿrÚ0@:ÞwRçZîãLeŸ >1 šô 5DÒÛûä˜ ešÙÛIpðuÇ€[½¾ 1d/1PêŸóºW—7¼S™n°*£–ÍM¨ ÚO^âu#ˆd=‹´­ª®Æ0»Vƒ<-g¥Úö.òăîNÍøÐÝA#>:Ÿ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/PoliciesP3CACRL.crl0000644000175100017510000000070515161577363027244 0ustar00runnerrunner0‚Á0ª0  *†H†÷  0G1 0 UUS10U Test Certificates 201110UPolicies P3 CA 100101083000Z 301231083000Z /0-0U#0€Ø«, ‹Ã’ÜÆ­j?¿óƘåÜý0 U0  *†H†÷  ‚°Åª‰Z2ki:°Ó>v÷1Þà÷-…õ¢j*öSlÚ‹OmäíN¶©Å”ÏŸMFšç—J½iéˆóC$ýY8X ýÁäì;+W¬Ó á$á&þZ589)Te°dkVãV8Æ&s…+/u» ÃüRìz‰šC½&§²t´õY@¹fÝþ}<ž°irL3 ’³0ÈOg¹è”zVÝúçÖ¤Ôœ&`ÊYÍðtv 6ù­Ÿ†säí;âM×Wh3 ÷k•úxœUO% Šd;Í|¯á/hÞr¥rT­NÉ€›¥î"u΂ŃËÞT©IEW½©žwf”Q|Ž1Ù¯Nû<ԗܺk¸„ ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/RFC3280MandatoryAttributeTypesCACRL.crl0000644000175100017510000000102215161577363033002 0ustar00runnerrunner0‚0÷0  *†H†÷  0“1 0 UUS10U Test Certificates 201110 ’&‰“ò,dgov1 0 ’&‰“ò,dtestcertificates10UMaryland1 0 U3451 0 U.CA 100101083000Z 301231083000Z /0-0U#0€ðQbïÎAÇ·°gtk¼2 3™ë0 U0  *†H†÷  ‚Z“Kò3˜ªoˆï…¿ï€ŸÛñÆ è^¡*`6 ºUû•/O¡BZ^¯gºMBÊRS¶:Ug6¢JRa¶lЬ 5ÿDƒc<„ ° ›y0„ý²sèICí‰Hãø^ˆKNš 1Ï·ãY5ˆxp#C…ý×Tz°z ¹EW bœ«ñý/šäpÝdÂ?Šüh'ã¬ÃÀQaRM>̤áÉÁ±üž¹ü¼=k€­¿¬Õ”Ðó ·ë¾£Â3ì'—ÿ™€ÝÔˆ«åm¥J´ñ„ç¥:·f9!ñÊbd6‚³„kÕÀ‹././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/RevokedsubCACRL.crl0000644000175100017510000000070415161577363027402 0ustar00runnerrunner0‚À0©0  *†H†÷  0F1 0 UUS10U Test Certificates 201110U Revoked subCA 100101083000Z 301231083000Z /0-0U#0€–o’™ évt»_ÔøûÙÏ ï0 U0  *†H†÷  ‚…>­ ?4•Ù,Rí²ÔÑFÙb^ªüûf$¸-óŽšRÿ£dn s›}†ÎåÇ'jl]®mÜ:¿O†kÉrqýØDÈÝóÌvÂ+ÅŠ›h|‚¿´ZׯEÎxcß™ù¦òÉDG Cgíh+êíäòëRªVz>§‚(³ñZôv¹¨n„\`!ve%T•"CÆOë~µ,EC´^¼+ýŽ_J‡ü„E©/ñcŽ.¹ÆeA¢ÅWJŠ+ì*·Åƒ4ů.gŸñ¸½0S*‹Zªzww8Áì yB~>Ö‘Ûp¢"û³™­nÁq\~ÌÂ,I‹˜Q_’àz›©././@PaxHeader0000000000000000000000000000021400000000000010212 xustar00118 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/RolloverfromPrintableStringtoUTF8StringCACRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/RolloverfromPrintableStringtoUTF8StringC0000644000175100017510000000074515161577363033776 0ustar00runnerrunner0‚á0Ê0  *†H†÷  0g1 0 UUS10U Test Certificates 20111705U .Rollover from PrintableString to UTF8String CA 100101083000Z 301231083000Z /0-0U#0€µmO(?Ç»±˜¤©¥Ð¨[^Jt³ç0 U0  *†H†÷  ‚SÃ,ï&ÐìNóˆu—1KÎÆlµÒŠ€¶L4~máìJ˜e¶IØÁ,@Ñ,Šz»¼sÄU:íw·R ¥æ¦ ô!8 ×1m¹#ìY!¹˜"äÝœŠ3¸¡u t›,°W·;øÖL±$ãEf€.â˜ñ‹Yœ5€Êæ9øæ0vågŽøS›ÎÒŽE©öüéO•zÐ]ç¥b<›³ÐRÌ#Vç)Žû%¿jÏdCyWM‚¿[ú„–Ekéhb7‰É„_¶É'ÎßÖ ŸÌ.â“·ÉNý€S¤Þ×TfG pÍsúºÇ2LGhtÜÚ>¨4xЪmJ´Í”°ŒøIútd™././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/SeparateCertificateandCRLKeysCA2CRL.crl0000644000175100017510000000073415161577363033145 0ustar00runnerrunner0‚Ø0Á0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%Separate Certificate and CRL Keys CA2 100101083000Z 301231083000Z /0-0U#0€„=„ª|w_1ÝÍ`ó——Ù±0 U0  *†H†÷  ‚£yåkUDNföÔVWºB¢•LëáŸ%ʸ~*¥ò:QHf`?ìÇ_ ­ÍªÔ¡X;iIà›².îniÌÎÐ9V«¦ xJbyU¡ì`¬ò—LRé©á×.N›x6 ì\×Ȯ̃)kû`FÉ»p=$C&Ý*R‚Áó½‹úw•M3+;öÇ*^x@a©ÖÖ¬h·S‘AÿM6È`ki[ÄÍð»³:Žs›ô¶^ÝZÔÃ_Ÿ„ùy=úè½—O$ýس½wô­üúDÿÙŒ'£8à!ÉüÕI8/¸ZùIX"Ýts‘€ìžé šøðJ‘xr¢8C'Ù,í?¾ôÎìÓrï¤ } *­&Žt'ä†Çm4LÍã²ß‚^FH'¼ß8ûV õ¿¡±ùÎq’€Þšÿ Ëb.Ò‹ŽI@ɶº£t³N¡.ЧGý\;̽:¨^Úå:ÅÚs¾B^././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/TrustAnchorRootCRL.crl0000644000175100017510000000074715161577363030214 0ustar00runnerrunner0‚ã0Ì0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U Trust Anchor 100101083000Z 301231083000Z0"0 h 100101083000Z0 0 U  /0-0U#0€ä}_Ñ\•†,®¾u¶e§Ù]¨f0 U0  *†H†÷  ‚«µ»!k¶áLÍð·7ž•8ÑÔ€®ðûÙü64ì–¯y'7ª+GW©¸v¡ór%ÊÖ)¬â¸u­‘aŽ)CnøäåQKJû‚Ñk÷Æ}°ÛÕj¥ Z¼_'Âì·ÞvÒ—œ{¬|éð}/¥OáƒF"²Üû¸DŒ@À,›>¶ÓèÄÓWÀ)A¹Ç&D’ÅÐŽ´eÑÿ¯ÞeuPšíMŽUsµ0+™•d–©t-ÂÌMºqmcqÁS¬ÐãJ6äNGî±vvBm‚”qXR@gð–³cCÙš6J"¡–ø €(òq½&Otز˜ó7HþC,/"TêÜÇd‹J÷wæ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/TwoCRLsCABadCRL.crl0000644000175100017510000000076215161577363027201 0ustar00runnerrunner0‚î0×0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UBad CRL for Two CRLs CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  /0-0U#0€¡Ö™€ãmýçîwK_ñIÙ?¾=7Â" ‚éŽîYìí²? ¸ŸuðI„År¹Dì õ§S[žz/ŽÑ ¡m[ìÉóýÛ´¿»;@ú„ÄaK²º">¦Jh¼›=tæÖYlØœ{è’_爕qÜQÑ™!¼¨¢ ˆ1y*8Füdž6š¸r C@-FØTøŒãƒ¸ô¥.rx¶†·>ÚÌ9« k?åÑ8ìJ衵/]´4SÉLb8Tê™d8ð½v…‡qeеKînÌØËWPùJbQñ*\­ðRÛ–ƒ‹Q-<Ãø–cFwÄXb?G‰˜TÝŠ4GFvj•¦mUfÄÒPËèÀ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/TwoCRLsCAGoodCRL.crl0000644000175100017510000000070215161577363027375 0ustar00runnerrunner0‚¾0§0  *†H†÷  0D1 0 UUS10U Test Certificates 201110U Two CRLs CA 100101083000Z 301231083000Z /0-0U#0€¡Ö™€ãmýçîwK_ñIÙ³¢ë8 &gÓìBÝ*‡kIÑ M’äœ@¹±_#Ub(c‰fT„#”šÈî‘2PEHx;’vˆ³Ö¾ J4././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/UTF8StringCaseInsensitiveMatchCACRL.crl0000644000175100017510000000073315161577363033202 0ustar00runnerrunner0‚×0À0  *†H†÷  0]1 0 UUS10U Test Certificates 20111-0+U $UTF8String Case Insensitive Match CA 100101083000Z 301231083000Z /0-0U#0€`ßÑÊ©P’!DÒwõj­¦¾x0 U0  *†H†÷  ‚~r£ÓÆU €7)³9E¸Vù Ò¸©‹¤š|Т·¡mB8Œ³>±¿6í‘yb+kÒʼ®­öAäÜ$êúñ½ýRÕ»>?o_À•x/S,+2&—*µ¿t b~¾ô8!‚ü‚Á R $ÿŒSAš°¿ü~µsF=éòD߆’ôó”â(%Ê™àôWì¼Ù^±n&ñŸ¤îæG6iA0o²Í8}dVyª¯™Ž·€¤îÜdTDúý!6_‚*ð[Öè} :Ñ‹’Œê¶ÓèÄÓWÀ)A¹Ç&D’ÅÐŽ´eÑÿ¯ÞeuPšíMŽUsµ0+™•d–©t-ÂÌMºqmcqÁS¬ÐãJ6äNGî±vvBm‚”qXR@gð–³cCÙš6J"¡–ø €(òq½&Otز˜ó7HþC,/"TêÜÇd‹J÷wæ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/anyPolicyCACRL.crl0000644000175100017510000000070315161577363027237 0ustar00runnerrunner0‚¿0¨0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U anyPolicy CA 100101083000Z 301231083000Z /0-0U#0€»ÉÞÈ•çB⢎®\«$`~…0 U0  *†H†÷  ‚[¸ºÍÓë+F¦K¼‘‚ŸÙeqöÚˆ0X~¾÷‚Å‘ÿÚ6d^_¿û_E/E%7EV)›X5\ð„¬¯iÇ·F7ÃÚ€Êã\Ë€ ã»8 r6)À¾Û ðè[{5Wâ-²Ã}nD*»¿úÚGDULw2 *¼ ºÛ Ö• *Ùtà¯-4ª?6m+IŽÔtÓ„<·Ú§¨†DÐD3|n2<'ë‰Ù(•÷¡C¤ï”5ÄëýW•öÌtÄ :©’S缜¿(!¡›MŸ#ЈdxLâœF§ù¤‹‘/—qir®FKØV¤tå¢]././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/basicConstraintsCriticalcAFalseCACRL.crl0000644000175100017510000000073415161577363033477 0ustar00runnerrunner0‚Ø0Á0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%basicConstraints Critical cA False CA 100101083000Z 301231083000Z /0-0U#0€pßD/™sò6<4Ð Ñòí0 U0  *†H†÷  ‚VŠà¦!¬j?£ÒSó§dh%7‹êºàé¯WŽô”÷^Öò:® kŒ5¦ ].ª^æ1ê²V6Uåì9ó{KÆ»NšéýÓ9}ÒpÖXcßîÕTl_ÏòÞB”ƒo„AÚû½€£…"Ù"ê¤ ä»^t;}‘»ËóQŽ¥ý'œÈ"fס¿Ã×ÀãëgvÛÁ¾ðÈÁ‰þ,jì{— ‘®"Gà–ÎÂ#p {œ)áƒyüðÔ—¬‹+{RÈÕ€JzÈ©´é CÆÒ\u;EûŸç{Kú÷íDoñ´|5èä0M'½p£BRÈÉÐ6÷øµ '³Dƒß5Ž­ºÃÅf‘././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/basicConstraintsNotCriticalCACRL.crl0000644000175100017510000000072715161577363032743 0ustar00runnerrunner0‚Ó0¼0  *†H†÷  0Y1 0 UUS10U Test Certificates 20111)0'U basicConstraints Not Critical CA 100101083000Z 301231083000Z /0-0U#0€ ¤¹0C¬CÈ4ÏïUè¿pŸF¯0 U0  *†H†÷  ‚Xý•¤•‚S¡{¥ÎòjÆÞ&…Ú xC+@·ÿË9XË•Ýo á ¥C±0Äch`üª)$¿l2w@EŠú×PÿŽÓ×FSH,¨žfݾs” $ËÖàªÂÑ‚>šÎ¥î‹@—‚= {µ‹å,Bej“”½vˆšÜÕ9Kƒ‰¥Å„OØç-]Ú x‹§0ŠÔ䥶¢[ã°zŸE ¿h²ÝçÔœ‰o¥Û(솀[v¨£'Ær%p4 Ý٢₊ñ×è\ƒ]…R åÕ°Çm¿˜=Gxö%{£pÇìU}¡[V„ô‹Ç@\IÞ|ÎçÕsšuiÚ[Àâ././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/basicConstraintsNotCriticalcAFalseCACRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/basicConstraintsNotCriticalcAFalseCACRL.0000644000175100017510000000074015161577363033454 0ustar00runnerrunner0‚Ü0Å0  *†H†÷  0b1 0 UUS10U Test Certificates 20111200U)basicConstraints Not Critical cA False CA 100101083000Z 301231083000Z /0-0U#0€9Л·O)7¾Ó°ŠvêjžÍïF¾X0 U0  *†H†÷  ‚y½.ÂT«7¯Á»-LWÉN»@àòI÷Ó9öb->}ÿvË\ߧ2·1!_«Ú%("’¦‚ÂÓeUâøá~pŒèÓy'®u×ëFÿy[½_–²•0<0U#0€w#åv„È”?‚Ðêt±à¤/30 Uÿ0 U0  *†H†÷  ‚V}22ÖYÇ<‘Û¿ª÷€ö`¾Á ŽÊnî ïN%¿p2h6ø!Ä®âÀ†wc»—SƒvŠX×ÜÕdck(fg¯“‘uôÄíúø²é×}¶òÔñ¶M} ¶×ð¤`áó'ÎÕ!c‘Éf ÿÕÿ&®k¥%Ì¿±r¾Žü$sµ—'ÌË/€hö&oG8‘ú ç`2¶¸¯«¾¢\·Xdd…û²xIX3!Ý>µ€†Ýà-ŽÍÐÇ/Œ÷Tø^WÊæ-¼‚N¡7’)<_ W˜œñ`„|žœ‹I²bäƒèqÔäÿ¯ÑL-SÂ3T_´ÿu¨\¼mD././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/deltaCRLCA2CRL.crl0000644000175100017510000000110415161577363027000 0ustar00runnerrunner0‚@0‚(0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA2 100601083000Z 301231083000Z0"0  100101083000Z0 0 U  Š0‡0U#0€|Øö¾LÎÏ·?¡»3«µ×ûÄ0XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA20 U0  *†H†÷  ‚ç±²áuÄÌèø¡¶aÎ0ðx&_¿DEìÓÍ‹5‹’ÀZÀÜ>á &¾µ-¹vÅè¨û  TNÎNëù’)=èÌ”)j ®GÁ·sdº#xÎ'ñ8_1³Îÿ’‹åxbg *ßéÄIÙwWI»êÁù4²RN¸žWØ2gâw¾Ùgú›:)© §­Z >PÇ+7þvGÔÿ`k ‹æknÿÅ7ãk~âÁ[.n×þœƒpù)ö‰ö9 €F½Ð r- gÚO±>šå†$å&þ–pâ¨g$>³Òá¢~G9k9hMÊÀWRæú5Îv>ÏR¿‹Ûãµßš¶áPL././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/deltaCRLCA2deltaCRL.crl0000644000175100017510000000076615161577363030027 0ustar00runnerrunner0‚ò0Û0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA2 110101083000Z 301231083000Z0"0  100101083000Z0 0 U  >0<0U#0€|Øö¾LÎÏ·?¡»3«µ×ûÄ0 Uÿ0 U0  *†H†÷  ‚Y~oè~ª™(«£v`bKÈ‹…ƒ„ ¦3 \Ðî»>˜øÔö /øPEqɼÆÑq0~ôòÜÞo:@Ãa<¢\z’GViàÐÓ}Ã0’{ž†É(=æ[<üþœØÕŠ»Frâ½êÇÚZˆ)RÖ߉Ht  xŭ㎿™¥ ó½9h«.-jc¶éðQïT/÷9././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/deltaCRLCA3CRL.crl0000644000175100017510000000104015161577363027000 0ustar00runnerrunner0‚0‚0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA3 100101083000Z 100601083000Z Š0‡0U#0€ïcÓ¨N±ùßaâ ã˜Ò“™ç0XU.Q0O0M K I¤G0E1 0 UUS10U Test Certificates 201110U deltaCRL CA30 U0  *†H†÷  ‚\å 5 aJ­MÁÍùRNÙ¢ ®JÌÆk^æ¨{{úEŒCK^Ó²ù+|eŽpAIôÌæJ€¸?YÒ®dÅUMFæa½Sæâ cÒ³ÄQ›Ïûɑš®€ºHª5 o 4Šyµ &n`Ò·4èµF‰Ï˜€­©p,&à™À„a]攈T9@8ñl4Yé…(ôðô UÝDF¤ìë0– 8—ßЃ•Ü†Á'>Äp­l‘¸Å_¿Aí÷&'ù‡Au(Ð.ÓR¯ãœ¥uüº¶P§†UA÷9;8y½±D­Y>?W†+ýò&p£hQ¯2‡¿¸/ ]Þ ¸*yPƒ?𧇢././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/deltaCRLCA3deltaCRL.crl0000644000175100017510000000072215161577363030020 0ustar00runnerrunner0‚Î0·0  *†H†÷  0E1 0 UUS10U Test Certificates 201110U deltaCRL CA3 100601083000Z 301231083000Z >0<0U#0€ïcÓ¨N±ùßaâ ã˜Ò“™ç0 Uÿ0 U0  *†H†÷  ‚˼¥jÎy’ª3žZ–K×éÄ ·O‰’…á,éßn‹¨+8‘ÝzU¸·šûý¢(ÎÐ Z2y†Iƒ¥Ÿ4¶àú6TÕnX}d `@õÔà®'0—nᣢ™Æs|cß\fÞ8—åÐPÐ3Î/‘‰àì*Û}ɼBH]‘‹Á þuJ6Du—>ßÛ$ª—·j‹dCpëKýp¸nNeË(6rërï“NŸ2º åõ`Eï2„·¹í–ŽP„ó~=®Hb’ùÅX‡ÜÖËvÀk9£°¨U+e•ƒª±ÃÒah Ö‹!~Ä Ad!õ,„ÏÀWÁ¦è#Ìôò‹ÑÎ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/deltaCRLIndicatorNoBaseCACRL.crl0000644000175100017510000000074215161577363031652 0ustar00runnerrunner0‚Þ0Ç0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UdeltaCRLIndicator No Base CA 100501083000Z 301231083000Z >0<0U#0€ô8v%«¤ãÀÈuŒkc#¶Š0 Uÿ0 U0  *†H†÷  ‚“˜ûX&oØ>‡7#í¼ ;NìxÙ #è=¸3÷÷‚2Fƒ>«Ñ6; ~uØ#šî%èdKgÍÙJ0!D?ô”­>Û²P'[$‡´Ô%n–ñ­"À00ÙŠAOêªÏr .^SˆF…Äð¸4@qG@^|ø;9‘OÀ&¥½ú9Á¢„ÆýÁ{®%;Ò¹|©S›ú<0®üqÓ¬=;e˜ Çj®#›Å3Ó—·¦¥ g#þÅ6®Šz“!yŸ)!×õb.nŶæ‹8¬yq?ƒ™pD,ˆÊ´1ÏÑL8Ï„¨@Põóù¶†ßÏè¨ ÛTÉøª././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/distributionPoint1CACRL.crl0000644000175100017510000000120115161577363031074 0ustar00runnerrunner0‚}0‚e0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint1 CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  ¾0»0U#0€0s½p(‚ÒoÏÒ7íÍë#‘Ûï0‹Uÿ€0~ | z¤x0v1 0 UUS10U Test Certificates 201110U distributionPoint1 CA1&0$UCRL1 of distributionPoint1 CA0 U0  *†H†÷  ‚*ñéyïÖòóÔ ½­zbº7\ò}•{¿—Ç Bš˜Ÿ oS¥±o……Á Hlê©­´ìÞ|ÑAdªŠ%& î€r «È§òÀe Q]Ñ– ¸m»OD‰«CE´ÉYÕ`‰­Óªš›w5 —™œDÜŸ~[æ¢Àš¿„iW > ~Z°¹½$ƒ¥êŸpšáù¾Îsß%ýFþ'ëÞó%f1Z¿Ñ„†¿–v"5öWØ–v7>pÜŽ2ù¸Ó<¹p剥⋳8ÔÈáß1 ÿQ›Ø#2¦m´í·ÈÖî#¿¿Ó-/ÄèÚO8’Ü:°ZuR &b±Û`õ<M././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/distributionPoint2CACRL.crl0000644000175100017510000000105115161577363031100 0ustar00runnerrunner0‚%0‚ 0  *†H†÷  0N1 0 UUS10U Test Certificates 201110U distributionPoint2 CA 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  g0e0U#0€DlîÛoëNIxþÍå ì»`k06Uÿ,0* (¡&0$UCRL1 of distributionPoint2 CA0 U0  *†H†÷  ‚ž´F[JÌl ø·Ÿ£}Ÿåêã@ ü"5&ïPrïV^ÁµÔ*™;[4¤îÓæÌÇ]VSz‘!©Y˜im?Ç­q#ýцpÚbÆ[¯’Cev ëƒÐP(Ú“ & 6ΛJW¾P¬A0¦uc²þÀäz¨1.æ/ÕÙÜçêÇŸý&E¹/X6Î î„ò)–%®,»Sšf°qÚŒbê~Ãñ¢_DšÈ»ExÀ½únÿÓ"°m½=././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/indirectCRLCA1CRL.crl0000644000175100017510000000077315161577363027522 0ustar00runnerrunner0‚÷0à0  *†H†÷  0H1 0 UUS10U Test Certificates 201110UindirectCRL CA1 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  @0>0U#0€%ø¯ü¯¶©yKÛËd,‹K±Í0Uÿ0„ÿ0 U0  *†H†÷  ‚ ª%@•a¸YT·BT:”µú\h¯ /1*¡&áô¾céÛ€CÏ¥ñ¤&pg¡üi.:xo 1’LKóZ“¾ëÛ…æ®c=Úiks÷°5lËȸÀŸÃK´e7W³–{GM× Æn٘ʣ¹ï.WN´ÔÕS5‰Žt°Å…gXéÞG&:Mò›oõ‡­lZYD±¹¼™—¿é'!‹ëÆÊN|š=æ*m$žßòfèÛ†ÝÂÕ-¼Ï"®§ðZ¹¯Ú\š~]ÚàuÒ)K~5Ô¸Ö?6Xgð,)ÜÒWèüUÄÇCCZ‹@ó MÎO|ÔïìŠC Gb././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/indirectCRLCA3CRL.crl0000644000175100017510000000106615161577363027520 0ustar00runnerrunner0‚20‚0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA3 100101083000Z 301231083000Z 0š0U#0€H“T}Äm0ÿ-WEq$ßLŸJ-0kUÿa0_ ] [¤Y0W1 0 UUS10U Test Certificates 201110U indirectCRL CA31 0 UCRL10 U0  *†H†÷  ‚+óXô¦÷ÍÕ¼lå¾É3[Z†u4„¼Í$CÓ}ÈLÔvä>’EZ®=¿jYÍàNÜ1lå«Z¡s¾–G€)Œöf n3— ^km½ì×’ø&\LÚædÎfž}¯óC$$»[å¼ùktüå»÷Ã{—ñFbDxÀ µÙ盇Ķ Æà{²›Ñ%Ÿë(ŸäÜ¿nÂ!}`U±q2<ªßMÕàI­»\F궹nNB¡fwBD©LajÓía?q;KsëXøÈ~£Ó0.áÌè胉]ÚtT™e©dc u2„'G…®£§ÄsÏvá†"lÒ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/indirectCRLCA3cRLIssuerCRL.crl0000644000175100017510000000115615161577363031314 0ustar00runnerrunner0‚j0‚R0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer 100101083000Z 301231083000Z Ë0È0U#0€‘Ñ9˜ÉïOTeŠR-| lw0˜Uÿ0Š „ ¤0}1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA3 cRLIssuer1)0'U indirect CRL for indirectCRL CA3„ÿ0 U0  *†H†÷  ‚4Ùã¾›©Ãg¼‹bÄìl,ÜÜ÷Sá´åŠxÄÂÜâ(*?Öúhï±µó'k#SÀö{z‡»zt”‹?æW^âà!/ÞR A<þ“ÆÆÚ† )ÊFË]dú¶&ú¢±‘bx(JŽ½¼«Ó  ¸2D,Û¸#ÝÌ›“q¹|A¦¤NqWÛÖmÿ÷¿9UN¾OäCðSåeº‰E‘"ÑH ^6Ød‹Ê Gåë·M€Æ±õ Ú#Šÿ€ýƒ ò”*ðMŠ h“Ë?çMž†SÀÈD/€ÍíüÖôS‡(¦¬6ön ËÎ8kÅÕ_hÙó.†ˆ°©ÖòñN0Â././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/indirectCRLCA4cRLIssuerCRL.crl0000644000175100017510000000115615161577363031315 0ustar00runnerrunner0‚j0‚R0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer 100101083000Z 301231083000Z Ë0È0U#0€óëm¹Å ¤ÚEÿ¯zG¯À¹0˜Uÿ0Š „ ¤0}1 0 UUS10U Test Certificates 20111"0 U indirectCRL CA4 cRLIssuer1)0'U indirect CRL for indirectCRL CA4„ÿ0 U0  *†H†÷  ‚)ò¬ŠBôz›Ôò´¾1ºÊV”í‡=È‹ Ü>üµ~;N–Ï'P^ñ„Ÿèä™}j²¸ ÐwU¿9WõÉ‚z±¦¢^-(CsÞOJå ÙúîܺÅ™ý–œr©ú°ÖÜ ÑÖíëðP-ŠNEîz,ÖÑQƒfEÈž•8%At•ùXüÂê—/•Ž’ŽÁôzRGèw£¼¿#ð…I´UnÀÄóGþ¦êr’c2|7Às§’ËQô:¦I‚Eam¶µãϺ3s¡Ìé°Lyf—Þ“t:Æ4Wô&9 ,ò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/indirectCRLCA5CRL.crl0000644000175100017510000000305115161577363027516 0ustar00runnerrunner0‚%0‚ 0  *†H†÷  0H1 0 UUS10U Test Certificates 201110U indirectCRL CA5 100101083000Z 301231083000Z0‚Þ0  100101083000Z0 0 U 0z 100101083000Z0f0 U 0XUÿN0L¤J0H1 0 UUS10U Test Certificates 201110UindirectCRL CA60  100101083000Z0 0 U 0  100101083000Z0 0 U 0z 100101083000Z0f0 U 0XUÿN0L¤J0H1 0 UUS10U Test Certificates 201110UindirectCRL CA70  100101083000Z0 0 U 0  100101083000Z0 0 U 0z 100101083000Z0f0 U 0XUÿN0L¤J0H1 0 UUS10U Test Certificates 201110UindirectCRL CA60   100101083000Z0 0 U 0z  100101083000Z0f0 U 0XUÿN0L¤J0H1 0 UUS10U Test Certificates 201110U indirectCRL CA50   100101083000Z0 0 U  ‚­0‚©0U#0€÷ª½HuY€°Ïß#Ø“F‚³0‚xUÿ‚l0‚h ‚a ‚]¤u0s1 0 UUS10U Test Certificates 201110U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6¤u0s1 0 UUS10U Test Certificates 201110U indirectCRL CA51)0'U indirect CRL for indirectCRL CA7¤m0k1 0 UUS10U Test Certificates 201110U indirectCRL CA51!0UCRL1 for indirectCRL CA5„ÿ0 U0  *†H†÷  ‚·›•ŠFª÷ÞÚp€È0ŠªEK'ç΂p´\];½.8¢Ï’Íg{›u•ìé[cŽ¥áŽ ͧջîÒ.YiJn×j±:–…gÇ׫úbÜc·Æ¨ ‚i)”ú-T¸Àº¶ò&@ú+à‹ó_ySéÊ:y9 ¼kÿÝ™=S’æazÚÊ;,4hbÉ"@<ˆÅ‡º*w©„PuŽ¿ÿ8ƒœHüV¶¹²2ÑSñ6òæ8uÒÃ?£C+-Ñ"êHbª?YîF jíWieèG&eà Úy 1͈ qá«î]˜Üo IàïÉ@_*౉GãÝrÕ;¨þ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy0CACRL.crl0000644000175100017510000000071315161577363030627 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy0 CA 100101083000Z 301231083000Z /0-0U#0€  zjÿj…‚$ÍÃ&…ø¿Š70 U0  *†H†÷  ‚~xó'ßeРÆY&µëœIZŠ bz‘µ.9å%yš~Ü7–O¾=$H¥1*Û¯nç3nߣ0˜Sž ! ‡Û=ñ­!êJ%PàÒ$®vŸ£khßÖÚV¹¨Ñù$â›êi^‚m­ë(ûJåÃjé„Òî‹L¦õO2Ùµm¨’#J`NU'Bá{±¹”zóòï“õ›]ž0ÒTþ•á3šj jS\m¨@Nܳ¬l̦¹4F$ï¡gX7¿çWˆH™qà(ÒC›^°–æóá-sØ`ÚÅ©ZT:a—lG "dÆmmos´xq=|§•âaò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1CACRL.crl0000644000175100017510000000071315161577363030630 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy1 CA 100101083000Z 301231083000Z /0-0U#0€ئž'—ÃŽÔ!× ¼œí¡{òÓ0 U0  *†H†÷  ‚LÚ´cGJ_€2ï 8Ô•ÖÜ V³žKØR”«h1;Eý6ñZ  Wôl(&#Îð\§Ð°ŸÇ"/ d‹A5$ßàò“L„K/ÂÏD}Ýàž#l¾1žã|þŒ! 9åxŠRôchS˜s+ö¿µ`6´£™§£1azu ]g9¹MÍÄ»Ÿ®þ…EÞD9«KÜkqS+W9Ѹ F½ë#Ü0¢`'U¸~NÅ·b âPÌùÍàKO“}ì´aO~í$ß´€µÿIц&g`+¨'†ÈMš£r÷ê:¥‘ÏÒëhãõç:qÊQ©×ø(;&µ4¡J5'././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCA1CRL.crl0000644000175100017510000000071715161577363031427 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA1 100101083000Z 301231083000Z /0-0U#0€t ÕXÙ+SÒ+°Í]qÆ¡¿C§È0 U0  *†H†÷  ‚qÛ3*jÚQ iß;Ýä¡6€ Z}_ø›Å“ï¶\@«Ê/˜ìg”ÃëÔÇVÑØ€2aÇ*ô_,r`pnj‘ÁtßC‚®ß{Ö–G¸åBð\âä_ãmg 1} ¹2Jœ>Î’_QÂ5âô@¬þm|(º¨ž˜õ KËzV_ÀÒÒ9Õéd›zq¢©¨‰£9íy#¼çgôãÿ7Ÿ¨`2Ü9"»ú}4<ÈjŽ!¸á®hú°:"Ao÷x3 BŽæ†tÇQ™À«íÛI$& 3B̹ÚÒLßÈuYämé$c¶’!]Ö”ì³éšúB././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCA2CRL.crl0000644000175100017510000000071715161577363031430 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitAnyPolicy1 subCA2 100101083000Z 301231083000Z /0-0U#0€ŒÜß~dÛb¾ÛKQdŒjfØ\££0 U0  *†H†÷  ‚²³÷GöÓ¼ןÃDù+Ð*û:Z¯þ¹¼Ðü¾¾ÄQžOßí¼‚XLÖ3§ó@x½‡•¨ÂBfƒí?n‹’ýô°$XD?‘£=ïmZG°e¥,)™xHT[ÿȼ&ýQ·ÿhÀøÚo.v¡A×$[ÈB¬Ë›s¨ß@½Š 1!ÂálòŸ5#c—¸ÿªOO­ g#GléæD&Ò¥˜÷ 2#ÂãÛ¿‚v$«a6ýÆáS÷¹3(Vï²Où)‰ËÚâ÷…•+\ÿ¬sÍ5ª_—7éçOåŽQ÷´ŠÉùArŠ“Ç„ÎE¥zð.8ø!(ÒX0@>Ô€¯ó././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subCAIAP5CRL.crl0000644000175100017510000000072215161577363031761 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subCAIAP5 100101083000Z 301231083000Z /0-0U#0€‰Tt`³÷n aŽû¾R&0 U0  *†H†÷  ‚梺Ëi9Q ·šÑ©"Oo憃ÛÍCþ¼q¨\AÁYûO ^xhîòÖç‘6šs™¦0þ` 93U)¹™ŠÓƒ^}˜kf7(.9P/!”#œÙ—Ȧý·ù(xvÔŠ W£’ª [Š->wmgC4^ß-ï·¾e¡óØãÇÐJ …2(BÎ ‘ ëÚÅõ+‘Éù6×¥¥ßî;£´CÜE†&]Žp˜ê«`Cÿc»þ‘iv¼Ó•YK'V¢z¨ÕDù>"W ÉJ»˜f—œÈÔZmÔE*ɺ¢ú Ñ-ýPå;Rw»Æw½qr¾3NIó././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy1subsubCA2CRL.crl0000644000175100017510000000072215161577363032136 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitAnyPolicy1 subsubCA2 100101083000Z 301231083000Z /0-0U#0€}ÀœŠvùI3÷¤KŽ0u•;èˆ0 U0  *†H†÷  ‚¬MIqŽ1’ÈúIÙ½hEeéKc(-orÒß &Cx´ËŠ™Ãѯ°;Rv¸‡m¨‡ô,C¯¥~N‹FÕ64ã¶Äýs🺉^øeB\*†úÿ`é\´šÉCM/\ØðÎKé_±ëH¨èiïÌK‰ ‡'Žj äßkkדö ‚Qï×;ót€Ã£°ù!棆 ¨ ÷õð°@œÔÜq³S] 𸮼`¯1bj@ù`ÌB‘& UñyËö² òâ*ÉÓﶬR5YÕŠIŒïåô†E€£5Wq- ÃÖ†ýÃŽõ(àH0É' ®²EY[úM¹«­ø././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5CACRL.crl0000644000175100017510000000071315161577363030634 0ustar00runnerrunner0‚Ç0°0  *†H†÷  0M1 0 UUS10U Test Certificates 201110UinhibitAnyPolicy5 CA 100101083000Z 301231083000Z /0-0U#0€À&çiÖ|ð½ÕªSeùœË 0 U0  *†H†÷  ‚—!ÇÐ,Nr y›´=•¡õ÷ãOu³kBÝÝÍÌ‘%¨âQA±½Ï¿K÷¡0¢’&f‡Ñ#Mš×@ÔN…K—r‰ ã8?.õý6fr÷>$¹4ÌÈ¥ˆd¨í‘/ÁƒgmˆÝ¹i¡VÓlÇŒãæòÔ~“‰—Å*ßêwQµŒÑôôÞ<Åž£ÜH…PxàJ´–2?cÖýD¡üý…Úvv3¢þ i[ÂM»š–ôwËA‰=­"ŠbÛ()©¬ñ¹ˆq4ˬ”–ØÒ‰¯²æÆ3d1¢V°W©wñÌ¡u‚ëÈRÑò9¾ðÓ#1êÀéÆ|uÑÌ5±@ápÃÛV././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5subCACRL.crl0000644000175100017510000000071615161577363031351 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UinhibitAnyPolicy5 subCA 100101083000Z 301231083000Z /0-0U#0€l™©¶ë¾pI6LXš"舅/Û0 U0  *†H†÷  ‚ŸpŸúÛ©ðZþŸå ôPÑ_:nZARÄoW¨î4³»+³oˆ˜àLÕùX·Ó…ÓÃTx»ÄÞÁqØ¥ýÖ²þÿFŠÀ÷!¯*aÛrD&ô˽ê8•'QU¢S¹5ì9Õ£4 æt+æªû#Ø fç-s&`pã*³¤Ûy â3©_N²b7Û³\Bnæô×fû~¬¿ÅeÑZ˜/®‡ußL:¼*Ã6÷m7}gçm„WÂ7‰úî" í-Žˆ ðŽ4=Ógx¾91Ÿ…ë1o˜Ü"D¨KœkLMvŠÖ‹‚Ð{ˆBQ?FƒŸk£g#Ü%e3nk’}¼V¹¯ò././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitAnyPolicy5subsubCACRL.crl0000644000175100017510000000072115161577363032057 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UinhibitAnyPolicy5 subsubCA 100101083000Z 301231083000Z /0-0U#0€1á?übn€eÍ©y+n‰ZèÃ0 U0  *†H†÷  ‚A5q£>HÌÇ(˜£qy)æYØ0&òœyaR-âú’ͳ~ Ï·µj¨i€”ÀyÚaƒ¢Vo‹`ç¡)s§¦EÚ!Å ¼™ãû[£8w†¦9ämYg6q{#×úåÁÞ94‡T`Å Q “èô¼oQs4Ot2˜ö²ã–ññøêÉíwì˜ìåˆ)}Wg(léÚ˜’ˆ˜]Š%zöÜï½ ¹“tÛÒ…£žÊ7ÙåòÊ”›=6ñAuj«†ã±[?¸tÆQ—¸`öær–j3T×—Gü—òªœU~dé‹ix!Ϻ½ ˜š3,àZÛÑà´VXö¿Êè¿&úñ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping0CACRL.crl0000644000175100017510000000071715161577363031477 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UinhibitPolicyMapping0 CA 100101083000Z 301231083000Z /0-0U#0€X7&‘„`¬îö@>¥+üÿ—Û0 U0  *†H†÷  ‚½-{ùtÇIP4«+ôîæ“žÓ…62HR,µK`*èÇ«Îü [l $ªÉÿùÿTZ„w Ø0È]-ˆa›Ú„Ÿ‹I²°7óSý—ßRkž¯¾‰B¯·ïA€f<Æ·T8çU§Ã‚Ó:—Ó|ƒ­uª^[Bs±›(jeÚÑf~CÕ‹ÚÓØ a>ê8Cè÷á1™_¬ìCJ%„HÐÝAÄÌs~ZÖyçEÎÉšå#:™öºš!¤Ü>I÷CÝÅ2³` _ŸEÊžú‰=届OYL­žÞÞÐÚX±”ÆunVóûáÖ62$ÜÓ~M•þõ-ïªÅE@././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping0subCACRL.crl0000644000175100017510000000072215161577363032205 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping0 subCA 100101083000Z 301231083000Z /0-0U#0€ÿ´sbR\–:Z®¼¸‹~i4©Ÿ–I½›=¯ØÔ¬®Æð‡Ž`žA¹¥Ã³w_&kÍ N¦‘4º+ÒnSðrˆ3í[‹**A‹É~sP././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12CACRL.crl0000644000175100017510000000072315161577363031760 0ustar00runnerrunner0‚Ï0¸0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UinhibitPolicyMapping1 P12 CA 100101083000Z 301231083000Z /0-0U#0€Mg~Ý9¯è&Þ4x±uÚ¤0 U0  *†H†÷  ‚äÀ˜ÖàŒhÐîêãÒ¬#ì…õ:5™ÝÇØ…¡ÖZzš¿{° ˜€ëîø²ØWò6y‹D–φÿÝ×HøØr—+¡~ÛúÈÀÊì¦fšÉzãc“Óت³”€¡B˜ðf6µÛÚ„9úGŠQëÅÔnbÈèh¿aOéÅÿq3x|¨Ñfâëc $ÎB^íêÔ­”×c5r~S9´¾ç‹Ëß–\ÎSãkžåi-ÚÑ`‰ Må·­‰n\ô Gç‰w¡èý¶pR³i´¸*rçÝק†Aåè¸Ê^c°^R…Vkú…›î4œåíûP:Õ.—././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subCACRL.crl0000644000175100017510000000072615161577363032475 0ustar00runnerrunner0‚Ò0»0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UinhibitPolicyMapping1 P12 subCA 100101083000Z 301231083000Z /0-0U#0€ª&”d~¼]`Wüp•flç0 U0  *†H†÷  ‚hsG\½1æ<þ*:²ÁYu—#Êü:ƒèHù™¯Ù‚@6ÈÙØ›)í±=[°ó>æÐ$‘¬ƒ¯¢ÌLŒÑš«Ô¼[ghPŸù-i<2w:Q›Ð¤[æ%§ÝcW,“¥dìPl íÕV% níÛU ´ É`=ó¸Ì¿Œ©ãƒão P(VF²g¡–Ú®ÁR9¤@NFÓF^Át×,²¸}M3aˆ\aÐw‡µ)gI-¿J) -_¸A$w®âü½ç½i¸K?D°à[³¤IÛ:ÂõL:»f6|±vJ{µÄIç»°9pØèJ¾¹³6¦"}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P12subCAIPM5CRL.crl0000644000175100017510000000073215161577363033125 0ustar00runnerrunner0‚Ö0¿0  *†H†÷  0\1 0 UUS10U Test Certificates 20111,0*U#inhibitPolicyMapping1 P12 subCAIPM5 100101083000Z 301231083000Z /0-0U#0€Ïv'";Âô‚.îæÝ€{S0 U0  *†H†÷  ‚“÷¶Y÷ýñyR’ï)hv9²êgîÕ‰ìÈáĘ~ÜY8`|ÇŸ‚=zë‚ëë¢cþ†ù5,t#ÕÎiµ-Îa¦±"¿wg8—£ZŽÏÅ68î"{eU2a¿æÅCñŠIPìQ´EHäâäÆM¬xø’Q®±Œ÷Ã#LÿïÉ£„Of‹6"íaT³~úÅ<ˆÅL{¿ì"ƒ«7åÂçT~œdB–‹¼oûR.ÙÊÑzÏIkËVX*âýÿ$“¼µ¼ ¢ÆøϽîé{Êoµ¬1ñ§¶‡©ÓŸÖ<Òxä½ [†Û™ø3½åCG,¬³CY4 °BüÂ4' ÇC*êÜ.¶d4h÷´„vnÜ7ruämÅꦾtØ™ÙB¥Åð)Á,™Ú|:H è¼TôI*ømÇm¤R )§xªl²žöÍ—ÈÛGÅòO9nHójÖq<Í£ñÐ\›ï*™(¥-]•žœwùØ„£Ö-ºÃC·à 3…ji‹kcùz—xxrmó湯[ò‹¯„m®Õé././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1CACRL.crl0000644000175100017510000000072215161577363031675 0ustar00runnerrunner0‚Î0·0  *†H†÷  0T1 0 UUS10U Test Certificates 20111$0"UinhibitPolicyMapping1 P1 CA 100101083000Z 301231083000Z /0-0U#0€¾¶½)¡Ù‹á¤€hƒ(­Jð0 U0  *†H†÷  ‚Rÿ¯&RŠí2¥ÈïÓÿ*ßÛ p¤vºt‘Ñz¨Ë‡§¿‰t—= ×¾àëë‚ø£Ë<_œ»‡Ÿ¢½ɘ¶–z²>ùø‹‰ ÞwÝx*9®Æ¶iznWÐë™FC%ƒZƒ1‰MÜA*rš]gMò÷D¯Ãõ{[¿›ñåI˜}#¤ ”3Ž!¤z·D2æx”%-¨œ=‰›hcùg¼_Nó·+öE ~´ñ“ DÏ ¿K• ó ôÏq_p“­x£éœÖ°çéÔC"ºÂ­‹§äêlš¡§"ÿ”øJ,ÆU訜ÍÚ4®óC R»H““àÊbx././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1subCACRL.crl0000644000175100017510000000072515161577363032412 0ustar00runnerrunner0‚Ñ0º0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping1 P1 subCA 100101083000Z 301231083000Z /0-0U#0€óÍ?ƒ0ÓÇbÚæÊl¥±¶€Ë0 U0  *†H†÷  ‚á©pêš¡é îXøNÐ ÁÕù€›‹&7·®DÕÈv¶ZUݸ P[6ž7^ÀXO† Ùì•£^âÚ©«p¡‡ö-™GµçoÆN%Å1VèäTY†4¯+ÅSTLïIµoz"¨‹ùwƒøíy¡Uú4Ôïí>Çæ²ñÑ”‚xµ^w,@aõ·¨¹ë*«ÿòá_ÅŠj›kKËËt¿dÆ—š}ölÍHè@ÞX8 'æo1ë"ùí·‰0xÅdÃy¼ÓdvJx”µAv¤Ø;vÔmÕ(üªÞþâcAƒ€ºÂ)¼û/ú{¯ÁÔãqð°Âk«l(‹å˜qò‡ê ³VëúÖ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping1P1subsubCACRL.crl0000644000175100017510000000073015161577363033120 0ustar00runnerrunner0‚Ô0½0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping1 P1 subsubCA 100101083000Z 301231083000Z /0-0U#0€>Et¢‹ÒñVŒFfxp$Æ"Áž0 U0  *†H†÷  ‚tÌâ@CÍÑQ+:×yäàù0ó—Xô[æ.ŠQ0ƱÙëblHLýáÆ´u¼ö’ø&<ëÁº~I|ÿ;2zÉOBsаýÚî_;'ñø¢þû¨9WŸ0•¥Ù`ëÎòþVM!F?£T¾ «d‚†­Ê©[ÊƟ̬TœþøÝ£z–›'$Þ]¨Ò0ƧOì1Å2†ñbŒBØuw%fa iV Ä¥` ›Ž²,Hz\!(|ÅÒ¯ù³¶· ù¤ ½ÜmÏv‡¸£p›éhÒÔ£ÄÔ¢6o Ç]íûœÑ]D ËU¯ˆ…!mâ|D.ývæc@º) pgÜM>ƒ ù\2^—ù qFöô?Ü4 ­Óv ¼Ö½ÿucH‘¡W¢™÷Ì…$»¸l¤4û}*ß7%6Í%:½¸Ð#Á’˜ßÙôfŽâ‡hK’ ½´ââ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5subsubCACRL.crl0000644000175100017510000000072515161577363032727 0ustar00runnerrunner0‚Ñ0º0  *†H†÷  0W1 0 UUS10U Test Certificates 20111'0%UinhibitPolicyMapping5 subsubCA 100101083000Z 301231083000Z /0-0U#0€5§ÔáKtNU¨q´B2þɸ0 U0  *†H†÷  ‚m¬¡”}5K*7¢S ¼¨û…Aw˜uD†Š³Ù#°M0ó¨$ËʧívOŸ_loÅ7pÞžªö¢èuF]¦úKĨ〷j¹W¯„'ÑÒ `o\üH¨Vi cE* ˜ ;óŽLV€ÚltÌÚ½ LõaÁÓ6etŸ®à²m)v]gsbª0Ôœ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/inhibitPolicyMapping5subsubsubCACRL.crl0000644000175100017510000000073015161577363033435 0ustar00runnerrunner0‚Ô0½0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!inhibitPolicyMapping5 subsubsubCA 100101083000Z 301231083000Z /0-0U#0€®cË×âÃqãôÎnü5ô›ÒM>Ü0 U0  *†H†÷  ‚J£Ìä0MÅ€ƒròU˜+yCÔŠ—Ý|%G…Ë[ß7aÂh=–}†ŒÊ®©¾‰Û¢ùšôÞ*RÇÑf× 1'1{~1"ˆó–&¸ÿû…–+[<ó]¦›è¼Ršè«ë™-ߣŸˆó•–²$m´Ð¾þ8`«’Glš¼RÅl+µwK!Df[ðý'›‘‘©1[â>Z0±©àƒ“í’ì@Kúg@í€êùä]V‚Ž:XNf1r >DÀ™t’–Ä—zþ ¹¢‘Þã²ä¤¡W5ÍʦWO‹c6Ѻº´ïðW¡ b²£9»ø„x›ñøüf‰1././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageCriticalcRLSignFalseCACRL.crl0000644000175100017510000000073115161577363032716 0ustar00runnerrunner0‚Õ0¾0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"keyUsage Critical cRLSign False CA 100101083000Z 301231083000Z /0-0U#0€ÂÊiõ´¯-ôœòUË*0³ÒZI0 U0  *†H†÷  ‚™?S–½Éº‘¸F¹Ø¨KÜ—ÖóÞ©xˆe3™€<©Ì¼ÏDJª:Çu0pñ52ý%DA‘a›ýèê ')Ë\ðnø ǘ’÷¡Å€‹¯ Ì™ø?“Å Ž£N)¥ï‡­¡àrÚÈ(l†¨F:]Ì’_F«zìŒ@øêm7N0[®ûR{ 7á 3J‚¬=˜q|Ä:ÍÌ{$ª§kÁóïK – ¯Ÿ¸ì8ïKÞÙ|¹³äêʼnA©tý΢§zŠÚ¬·`7qˆ–*¤33Û#ÍÛI)°l"'™"yÜÎÚ)lÍæŽl‡@ Ê={m±ò2»;‚ü¢ð././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageCriticalkeyCertSignFalseCACRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageCriticalkeyCertSignFalseCACRL.cr0000644000175100017510000000073515161577363033474 0ustar00runnerrunner0‚Ù0Â0  *†H†÷  0_1 0 UUS10U Test Certificates 20111/0-U&keyUsage Critical keyCertSign False CA 100101083000Z 301231083000Z /0-0U#0€4U gü±ÜÂr ðcéÔ›ðcù0 U0  *†H†÷  ‚wmø¬3Uº Ja‡qfF ¥ì®3ÕÌô·o~Éì¢>ndÙ#®6ô%r_ÉFr©B´RïÙRBl¦ aKÕ³imÑ¿ühøÉ$²´>gÞkoKïîع2Z¦Çp–¦ x‡ãå]5€w7:O*+",_rßb[ Ÿçž·œ÷)2~óÙˆ[ÚðÖ…ÛP¡ƒ“‚ë0ä¤ï€ª~›²è‘Ê`ßvjÈ# dçæ£ÙrÙjÿ†ha‹Ý=Ò“ÁjQ¤ÓtÏY‰ªÌ“9ùxT^Ý-YL;ù$}üzÉ{áØ·ÄJDàDfõÕ±•ú#Êç././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageNotCriticalCACRL.crl0000644000175100017510000000071715161577363031206 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UkeyUsage Not Critical CA 100101083000Z 301231083000Z /0-0U#0€ÁJÙ´+Åp~ÎŒ;bXå»—+s0 U0  *†H†÷  ‚€®HÆBw»ºQ¦Á( p“à„«:Ëzï;æ¼Gï˜ÌË7% pºáö¡¤5ä6¾bžU@IÁ"Á„IS$1ã¤<¥-âx]c#ëÉ[è¤Á> X©Ïï%ê󭑈ҲÁÕWácô…×R¼ÁÝæ⢭•‰ã$'UÊò%ú=|´CâF÷:FÎëg¿t‰;`ìµ7‹ °Œ†eÃ’¤ r} êæ“ë#¾UjÛ'¨¤d·P”ƒ“GÎ"§"ØÜûì·S°ZÞ=÷´XÚ*Hšhþ|Šû¿Å0óvæ;v2ýéáÞŸIö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageNotCriticalcRLSignFalseCACRL.crl0000644000175100017510000000073515161577363033403 0ustar00runnerrunner0‚Ù0Â0  *†H†÷  0_1 0 UUS10U Test Certificates 20111/0-U&keyUsage Not Critical cRLSign False CA 100101083000Z 301231083000Z /0-0U#0€ù~R yfDeyÝæCñØ0 U0  *†H†÷  ‚šÜRêÆ×RØ×’Ác/ºØœtœ3ìRÑ”_ßA¾ZÃíš„go¾wZHe%–\‚X¥LkßA Ä„¤ïÔƒ%éŒ8ûJâÔ}7HOÄ)ÆLoç«o`{÷ÝŒâ$…yÁ’Ô2äÁòQ¤clÛCn’÷¥1"úî1v(¯–wJû3êÍ£ÚýVayofQMÕ™t|û®ómNíÑb íYdO$ÚÒlZžàDþEšTþ :ú7£„FPS§\'¾Z½w“5ЧZ»À|±;3¸e‡¡ƒf–I/PlË—8Ѿ›ç¿Âä+ÈË´Ÿ_Üg¼©‰³ÍBëÝt¨1ÆH././@PaxHeader0000000000000000000000000000021000000000000010206 xustar00114 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageNotCriticalkeyCertSignFalseCACRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/keyUsageNotCriticalkeyCertSignFalseCACRL0000644000175100017510000000074115161577363033547 0ustar00runnerrunner0‚Ý0Æ0  *†H†÷  0c1 0 UUS10U Test Certificates 20111301U*keyUsage Not Critical keyCertSign False CA 100101083000Z 301231083000Z /0-0U#0€²%Ò(0ÐUhnLµÂHóÊ›ò@E0 U0  *†H†÷  ‚´‡Š•}®·²…Ô®–Ê3n>\b…<êõé˜w]m:0Á¡­Z›~]y:“ê¿H¥Ò•öm%T÷³rædp7ß±LNÃfÑÈ9&tŸ,úáñÌ<6<1­­C©Å5¥ŽsÎ _Ã,Ùn™dOJ[aÈÜ4ÓÌ­Úd4K…ÿ5žÕ2â©~Ù£@éÌ%=÷°—ÊLYÏãÐ=@«ê©vÝW;ØM™Z{©©—¿²„X§…tPŸúãöjW=•‚û>òk¯[Lû././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN1CACRL.crl0000644000175100017510000000071515161577363030746 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN1 CA 100101083000Z 301231083000Z /0-0U#0€AxBFÍN¨‚çá9ß÷©À üï†0 U0  *†H†÷  ‚[\_±sµ…à•:'[$kÉA÷§Ì»þ.F­XjfäYó&,¸\àçYduzåMíâ[¦˜¤ÅÎtÑ«Æ,П­øÇ©jÄ É‰Y&¸áR?ó~냃±Òò@€“7Ç®ÜG ë´gúŒÕdïþ¥ÎÎ0ì”[é!Ò…Çc­'²x{4ø¿<Ñ›á $„Ò‡1V6ÝàœÃ)Bú{û- #ç–‘¿ÆÜùþY­R¬À³¿P r=HZ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN1subCA2CRL.crl0000644000175100017510000000075515161577363031546 0ustar00runnerrunner0‚é0Ò0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA2 100101083000Z 301231083000Z /0-0U#0€¢/Xƒ[L•—·îö‡´—àà—0 U0  *†H†÷  ‚È7,¦IÜ¥ôFìëÆw¥[ϳÀŸÜÍéœÂQÕÇËí•Ø¥ÃLO쾋\øþžä%4¤µñ:Âö;ÌrÎL< ö3O¦lçâÕF&"•û|J¢/×o@ŽÒ#ùZ¯Ç‘ ãÀ #îõØèZàO8y<mX 5¯NU>?-ýùy^ƒQÿ‹Ú `ØGÛŸ&Ç¡)A±rd>¹1zëy8’6Óõˆ—è%ÎËR|üá­™'Íj»éF*à¹Ð®£hƒ&u¥Î:ùþÑ«: ÿ5¾€¨¾7kéav›0©¤€f¤áªþª'nÓÅÿ2[çܧäíô–"°f )././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN1subCA3CRL.crl0000644000175100017510000000075515161577363031547 0ustar00runnerrunner0‚é0Ò0  *†H†÷  0o1 0 UUS10U Test Certificates 201110U permittedSubtree11#0!UnameConstraints DN1 subCA3 100101083000Z 301231083000Z /0-0U#0€'IäÙEúl˜”lüí Ã$RmUD0 U0  *†H†÷  ‚¸G®¹ðJõkôRõ³]±uè"˜9Sb´½0õ%$ŽGäPØ»ð¤™d7-¨ß>±°"¡0Ž‚'Ê_8´¶ÌÇD/a²ø2DO&_mx(ˆ9.=Ó¥Ìñ5÷üþyIxÔöð² ÐLOœrm¡àiTyúkGÃÒeÓˆr¬[ ¶©,p½¿=CËV3˜²I®Ø'µäâàÞ6ܬ ´O(_굶Æqö®µ©®¶Ç#zì{Y4)ûÜZHå6I€+ ãnÝ"W¢„’…4ðY”Ã5ÓÅ}[ÈËȇ‘ù¹ñvÉÐÌ`ÒO˜Éû›e¸<÷Œ&‘ƒ¼}j„Ö0˃lZ‹}././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN2CACRL.crl0000644000175100017510000000071515161577363030747 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN2 CA 100101083000Z 301231083000Z /0-0U#0€£WÙ[]³`ök‰Q+‚à s¨{0 U0  *†H†÷  ‚ 2é»VM¨@ÿñü¾ü»È[[È9`ü²EîT‘Ë¿BÝKgÏ97[¼¿š¢£°‡M–QTÚw~¶˜—h\—å/Un;gsširRÌE^ˆË­E™,óÍßíìg…æbœ×SëS?hª„‰•Bq„ÚœvÄ’3š£¤s…V±¨¬‹ÓÄ„M“aÁ? 3±sYR³‚²ó#7£.ÞÝü2r„Íþàa+ˆU»¦Îp•q .È Kiáý›7É{§SÂ0Ÿ6lê µ½"PÅiõUEz†“ð9ý©ePí–Ã]RÙÁ¥±j|½ˆ{ÁãJ‚¹Ÿ‰»³ü7¨ø././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN3CACRL.crl0000644000175100017510000000071515161577363030750 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN3 CA 100101083000Z 301231083000Z /0-0U#0€Ü[¾Ç7Y¤Š@t| EDëéCˆŽ÷007Ð9ãÒG¤î¯ö¬ÞQÚ›pKXÔò-ÌŸ¿ÆMeƒyí>h¤P0ø6dqžG};Æ-”ÙÚó+øG|¾././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN3subCA1CRL.crl0000644000175100017510000000072115161577363031540 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA1 100101083000Z 301231083000Z /0-0U#0€€¼Ç.÷Žñ8{ô5ëÝéXÆÿ0å#KažHn€ó›\d†; ÌØ`QÙ;¡°¹hî˜ôsâ©ß¡Š³2c¯Ís©{CœKH„%:Ž²Ïþ?šÒCÔ@ЦÑ'ò ҙȊn]¹¡Ö—%Q*ýò$@»Gþ•ªÃ‚<<²q¯Í?RvÞ3wï0MÌa JµvåšÎmÁÍл‰H8uÕQ®›ä8p¼ÅÌÙVâZ •Á òÀ‡.þlG´`òÎyÏsÀ%÷‘+$ª’m<ŽjF eéýoññ°ì|¿././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN3subCA2CRL.crl0000644000175100017510000000072115161577363031541 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints DN3 subCA2 100101083000Z 301231083000Z /0-0U#0€Ìíj(~Þdêˆ*ìu¿¥.g0 U0  *†H†÷  ‚RA¶½<'ŒÞÜ'Ÿõå°™_4µ'Ï ‹Y’3M¹¦röŒß0µvêYßéÔ±®%ä²öo*dod UTœmf‰H‹°MŽL´¢Â’Ú@HÀç$Р*/t¼#E;Ö øƒßð:1Z*W,îÀŒ§Y™~WÖ ?•[ƒ¦çΧꛌØhbsçy}ÿ6)Æ¿ÑÞ¨ý¬ªN²‘¼ÑÕï˜ÃÂkä¬ñ¬"”_.îi—@Îþ‘mOWìÁ-wV¨ÅšÆËKBe¢Áë¥Lxâ S.¾‹än3ýÍõ+ünõ g…Ò.©ëÈì@¤i¿ïé^—Ë‚ÜgîøÃ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN4CACRL.crl0000644000175100017510000000071515161577363030751 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN4 CA 100101083000Z 301231083000Z /0-0U#0€lI6­.X‰6QA;TR&$ÓÊu0 U0  *†H†÷  ‚~]néQaêV¥Å] ánô'ê´çÃõSùÕ°ã îÎ:¿æá̬ ¬Š/KçÆå¦ #yâ3¾c'^ÙHi™j¹†3F³!š#G[×Ùi6íòxñ¿pßð‚Ϋ0‡ÃU™2Ò ÉS7µ8÷lj(ôS§9?Íè#­lʲNΚӯ…Ê­ÀËyz5â—Ø›F È(6ÜΡš@ëÓj3Ò÷EbqÇ_›7~— xôƒ¦“\FDq*P/]*Obj÷[Tylî—nF½µS¶zdw¡Çˆ¼„/=É1š(°÷?570*Þà¡ÞÆLM¨././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDN5CACRL.crl0000644000175100017510000000071515161577363030752 0ustar00runnerrunner0‚É0²0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UnameConstraints DN5 CA 100101083000Z 301231083000Z /0-0U#0€ºŸ Ê9œNwZëû•¬Ó§J]'0 U0  *†H†÷  ‚„æf/eËO:¯Ì£iF,™­õ‚°Ê÷“Sê î‰Do¿´Ð5è;…#WVãÿˆ>Ñ+ƒA#j•[ƒ= ?uðî\Í ?^ $¸ÕNM‡ê!ñá½B uW_)¸ùúT·îØY›NZ‹ëå"%>ÖͪÌÑÖ S-¢ò"Dõ4·ZSŠ“fcˆ`+–Ež‡A}ÄpáÝôRœ'GÌâöò&ÓŽìauëÍ…‹ºLÅcª¿¹üâ7³‘y+.»MX fô¸±§¥ºá)Bþ WE+û½é–p/¤ý6I'i`©RòÊ• vÓèæ:ïËñV»ÅÅÊø nA././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDNS1CACRL.crl0000644000175100017510000000071615161577363031072 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS1 CA 100101083000Z 301231083000Z /0-0U#0€±ªðãÏÌÒ§‰¦ƒÝÿnÚãI0 U0  *†H†÷  ‚5èk#~ M4ź—Ähð<“˜×ä9õ(vMm%+™5 “Üÿ3Xðò±®*ZBЧUCÅ­ŒVaÈûU:5{ïoäA¿RªÌ~êÝ.ãíy^Iµv€€BÅtœœo@Y%`ׇÌ}L*_‡õ+†ÌáaÅ!ÕÛÄ·w6¼s´õÞòÇô»éý3„½7cµ°gÒL(› C W‰wÐÁ5qNå‹×È0TÞë ˜sL“L+‹Zè'5 R¹Ø-Š1ÔïùÛ'u’D7‚·-™À\%oh…®././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsDNS2CACRL.crl0000644000175100017510000000071615161577363031073 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints DNS2 CA 100101083000Z 301231083000Z /0-0U#0€FHœB Ž]SpØàÁÉ5 0 U0  *†H†÷  ‚&†E‹8ìÍ@ òå»ï‚ þ½€ÕÚLÚÀnŒVÂz[— ¤þ¤G ‰Å·6Úø‰ÂèFVò£êÌ÷‰¦2%ºí6OnDE&¦yFÇCM—è߶Tœ<:•a~7û)…ÂÞ“º"‚ön >ùf#RBÕ†ZfH²^}iî3WQ´‹#2¢^Ö†ÃáÎÄ#ò”@WsŸ ´zw/ÅãpG—Ï«]\Òéÿ¾~)YÙfG@®÷™À7—%TÛÌåo?Y™Ì¦àØr:M} ±Ô±ÅÖ;…QÜ°¡¦ýÏÅ:ƒçSb‡Ø¿ÇF~´¤7;~œïa!OY“üÚpò£‹•9ƒ)€!Ô ŽÌŠnw–ä &././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsRFC822CA2CRL.crl0000644000175100017510000000072115161577363031311 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA2 100101083000Z 301231083000Z /0-0U#0€Q€ÍúIrH<íN ÎÎ@ep 0 U0  *†H†÷  ‚0ðiEj;•¨O Ä8…¯7°“Ê%MçlÎ#÷¨í¸X¶±Wun`s_&\ÞyW:q8˜’Hƒùø‰¼]ÈÛQœ(ÖL6ô¦çBåCEk³s¡¶¤½péè1Ðí2ÙÀ'Ï}¬§ÜÎ$XB’äéÎÞŽ¸ZýÕ”¯ÎõQ BžÉ5Mórg]ƒ~#bøÓÂWÄblÃs̃\ZâýÚÁ&ÓOü¿®†”¤ÿg£Ýº¹½Ç§`ðc¸‹hçK¶pE>7E.æS<†%爽îh@0>¥ŽdÕ I˜©ÉÓŠy‹/QS@¥^e·DKãt%báý././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsRFC822CA3CRL.crl0000644000175100017510000000072115161577363031312 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UnameConstraints RFC822 CA3 100101083000Z 301231083000Z /0-0U#0€šº9MÚ!u¯êAÃL—è06}±ä(“­åY [Šé†ýozæÙÌ\xŠ¥¾¤ &*~DÏÈ¿z6=ƒ9ãóYô@ërØcÀy±Žý[Kÿš ¥ÓËìŽ×½././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsURI1CACRL.crl0000644000175100017510000000071615161577363031105 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI1 CA 100101083000Z 301231083000Z /0-0U#0€ú(­AÞ*hÈ#?&Þ0 U0  *†H†÷  ‚+ÜH¤IV‘d ¯Óð¦/ü¬-çfšÂ`^);39h/zŠ3 GÝë蕆ü²BìíX(8…ɪª-¹"ô¬k^]à;KObçÅbÒ³ˆšÃQÕ‹íà°Ò‡3)y5ì¶5‚|ÉaZpU º­ À`õIk\‹ÝSë8•w3}Þ²/b­«?Õþ)Õ$*5€{¥i Q&ú®1?1¢ü«tìÒD 3žÚ#¥ªœ"ÛFQÉw§nŽ®ó ¡Äßg\jäl‹ÜBj¤ÉÀ°êÆ‹™#TxU„Bô@"êü4waf±4‚òÆiæÄMÖ3¼6WU2Æ Xñ&wgÙø_$¦././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/nameConstraintsURI2CACRL.crl0000644000175100017510000000071615161577363031106 0ustar00runnerrunner0‚Ê0³0  *†H†÷  0P1 0 UUS10U Test Certificates 20111 0UnameConstraints URI2 CA 100101083000Z 301231083000Z /0-0U#0€Më‰qßð²úv:X±º`ÝŒÓÃ0 U0  *†H†÷  ‚dôá[ ÙÒXΨ /ƒ™ö=>~0 v.üBåEJkÏ<è··è:³ã0Ù°‹’#> íÒ%q–¯žbªÈ7š¿6¡]Ž]pÑKÍŠ÷.<ÈضG`ásÉ]ÇÆ ùÊmo yîY£ëéiRÅÑF#f>Û¤^$íEC.¾ :ŽÛ¿• É3Íì43epÇ™fO_ã¡í¯äÂú…¥1æ©kï¶-a-©ti­K'$Mo˜t×['*³¨kÃK7¡pwöú”Ýþ¼¶à¹ÌJ[Ñ/BTlû˜Ù[E”™0U#0€Mþö-¼µPMß™zm3pN0Uÿ0…ÿ0 U0  *†H†÷  ‚‚ËP;–mz„QWîb¢šâqD’*ª¨»a6 I$·Vc7þe¿˜tøI¬’LnÈ+V4ƒɳAÅ÷ƒ¸dÜ8*È—†Ð.yÆ4eJCÀ.#µeUDæüip“£a,ð /1U”®Ãý:Ö¨éCŠÙøÀÙ"Öu2ÿnMajƒ²¢Hv0œÝ?W¬Ys$=£KŽí1ÞÈƘôú‘ä!Ž O³m½"û¥×~u>ëÇ­ÌQq …¯¿ðHœU[1x¾Úð[«j=À…IsFݧUИ‰nYQÑ aŽ táð7²c-B­‘.@Áhdkû2ø(ªW°17ÁՉΠã././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlyContainsCACertsCACRL.crl0000644000175100017510000000073615161577363031163 0ustar00runnerrunner0‚Ú0Ã0  *†H†÷  0O1 0 UUS10U Test Certificates 201110UonlyContainsCACerts CA 100101083000Z 301231083000Z @0>0U#0€%8îÊ-uz[MÔÀ’ˆ"ÇlT0Uÿ0‚ÿ0 U0  *†H†÷  ‚0yåÁ|T"ýïñŸ£ðé‹t‚†-kœ”  E#beÉì!:ñì]bsÏ~ 0U#0€¼©ÜÍþ–ˆ}µžO™Þ$Ò0Uÿ0ÿ0 U0  *†H†÷  ‚‡[±LûéŸGéówö=ñ§ RƒŒ6”„¥4ú\»0~Ãk4ÛÖÏ#‹l€ªL¯jűݦñ½“à9¤øÞü¾gI{§~é *°ÞCpVQæUË5ó(›É4KOëézì?=]Nîßw¦·±G`~m;ãø|×"•@’Ÿ°O‡÷ —£…ñ–ó}ÿ~ûÙMZÙT×{oQÜìXÎÞvù‚PÂb¡•zíû²½êOCtòL\lÉš’\GϤ wô¾f»h|0ÙWsô¶¸Nk2)B_MÚzŠ±„9îÞLPÜm”©¼0}åÍöÂ$¶çáƒñƸX7æÞee././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA1compromiseCRL.crl0000644000175100017510000000100015161577363032576 0ustar00runnerrunner0‚ü0å0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA1 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  A0?0U#0€PhÑ A'‡ç N·xVûŽîq0Uÿ0ƒ`0 U0  *†H†÷  ‚a‚é¹å{ôb!y ¸oZš £ˆÄsCÑ?/LÜ:|¤šƒÔ^æܸs[CÀ™CtQc~Žó`K"b2Çãe´7ç»mÓ2ïõvÙÄu+i?¹ ¯²gÆ91¿ÎnÚÐ{tBÓ:«öëÕOo´s´TÉ^!¢ƒýX5vPŒÿõ¶º]öȤìI áFkº?h[;€¼¬,1ƒ€4o Q×:ßÕ¶†%Wiþ~|ÏnA 0Ä:›@s)f™ˆb –Ð:Þyø^ýïõfA´ƒÊfDû=áy“§æV׎ð-q¸uÎ *žDï(‹ÌÔò²?uÜ~οcQâYBWs3ÕA°ê¶sÇ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA1otherreasonsCRL.crl0000644000175100017510000000100115161577363033136 0ustar00runnerrunner0‚ý0æ0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA1 100101083001Z 301231083000Z0"0  100101083000Z0 0 U  B0@0U#0€PhÑ A'‡ç N·xVûŽîq0Uÿ0ƒŸ€0 U0  *†H†÷  ‚ßÓÄ…[‹}‚ÝW+”= ¥+ÍfΛ0ÁÆÕ-$cŽu¥ÖZðUÎ)•ÀUO`ŠDòá5 êÁ(ÊÈ„½iO6.ŠBðiÄeTÕ›6jbaÐÉÄò®V_¿ƒòTúóèOS¡;ó÷ðò™),Á\›ñŠgtjßQ¼ž+¸ÄtöôE·üc}±@¿c‡F=ÄÍ%ÍΑÊËîÝX)üýçEuz©MopvÞƒ“!ý‰ÜÞœhé ãñl$ñMšˆ;Ê©zÏöü2[u ée"ŒÝ*†Í:†žþÒž×YÁ;ÿÖ‡˜uºIéQ…LÊ—ÅI txm¯“ŸØŒ‘ ÛŽsyþh././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA2CRL1.crl0000644000175100017510000000073415161577363030577 0ustar00runnerrunner0‚Ø0Á0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA2 100101083000Z 301231083000Z A0?0U#0€`cßÒ#¤)ÖA¤¬Ê†y˜¦eH®0Uÿ0ƒ0 U0  *†H†÷  ‚NØ¿IlÙgÛ¾Ê@­SGí\-r¥Ž¢»!bzì„Ó¾S-·>ÕB'<´ßÝÔ+̆]›?¿­q±’À&Z°’£¨J,“•`_©— MgF÷—·ÈvªcI„Ž¥ù¬õ€4{„.TOœQ,ô”ƒnî 9Ù~m?™<4Ûè_0ü²´“¤ZBìûšKƒ«òB·©­ÿ ŒÝ´ ©9CëÏ¥„šÌ¢Æ³îcR¹žýô*D t3&O‘F•Ñhïe˜À)ÓéØÝGyÝžÀaIÖßܵꜩ:‹¿TÔ˜Ïj ɼaßæ‚EPÚ2dͧÿ²]././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA2CRL2.crl0000644000175100017510000000073415161577363030600 0ustar00runnerrunner0‚Ø0Á0  *†H†÷  0L1 0 UUS10U Test Certificates 201110UonlySomeReasons CA2 100101083001Z 301231083000Z A0?0U#0€`cßÒ#¤)ÖA¤¬Ê†y˜¦eH®0Uÿ0ƒ0 U0  *†H†÷  ‚Žü·„Ü"¥‚‡kÔÈÊ:õgéjNÔ‚"àvì(®`<0&{Ð? ¯ä”6h¹üfIIã'âŽç!9b$ModØ+Ù/^àZ&‰ìqiõÑŸzÈq5Ñ™ª¨‚kº4ÚkÓûè¨Z¢ð‚¡iIP ‚9!} <£åòr%… Åz8 V,,& x4­æù€wQËúx=†+ Â5ËþS©×¥®30.l¢ç šòS€µ /WÌ„Á½Iâ\ëL;èXý¬F¢9&üƒJ\بKç5ª¾¯í‘lT%©ÁY:O‡—yFˆí£û®áó†ávÐ-.–TY”"O&././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA3compromiseCRL.crl0000644000175100017510000000110115161577363032602 0ustar00runnerrunner0‚=0‚%0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA3 100101083000Z 301231083000Z ¤0¡0U#0€-$·—‡,îÚ¾Þ—„¯ ¾k0rUÿh0f ` ^¤\0Z1 0 UUS10U Test Certificates 201110U onlySomeReasons CA31 0 UCRLƒ`0 U0  *†H†÷  ‚uZö¶6ßæ×ÀÌÁ" )ÙE˜r±%à«ÃÜ:.Ñ4t‘  ¶¨}Ù¬p\ÚäK T*÷Ð Œå›ùv?aÆŽýº ¶e¨|M€²ùÇ$¶¦O ÉòxhX0‚&0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA3 100101083001Z 301231083000Z ¥0¢0U#0€-$·—‡,îÚ¾Þ—„¯ ¾k0sUÿi0g ` ^¤\0Z1 0 UUS10U Test Certificates 201110U onlySomeReasons CA31 0 UCRLƒŸ€0 U0  *†H†÷  ‚MönÁTm²ª6¤ˆî‚‡ƒÔ»ö][çœá“Ô·ýÚMÿ!°Ø2iÚpc²ÄŸÊ¨Å–Õ_°Œà©xã´c&®ÞýÙŽ37Ê-^RÆ·ˆƒh3—F?š ªa³k‹ÉâG*mþð"º¥°Hïsdl&¼ï"Þ¯! `ZïEhÃþù)ÊH¨¬¬ÜŠ°`O='¬úÍ‘GÚŽu·gßÈ;‡sÚÆíO|¿²üžÐ« ‡í°eÍíSœì½ 7§è“i¢¸ÝfK@—2À‘%+|;˜÷<`¿I*'®+¥üM]n™æñÐ=J>h*(Ê|Tjÿèàp¥X<././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/onlySomeReasonsCA4compromiseCRL.crl0000644000175100017510000000114615161577363032614 0ustar00runnerrunner0‚b0‚J0  *†H†÷  0L1 0 UUS10U Test Certificates 201110U onlySomeReasons CA4 100101083000Z 301231083000Z0"0  100101083000Z0 0 U  ¥0¢0U#0€¾fÜ ;öÓˆ4‘S& hnÉ0sUÿi0g a _¤]0[1 0 UUS10U Test Certificates 201110U onlySomeReasons CA41 0 UCRL1ƒ`0 U0  *†H†÷  ‚H7KGnÇ3ÅÃïéïdL”t}RÚ¿ÙE^»#XÎP±¨ôxç]46¯üÄ.ñÔ/bBVí(»p”Öeƒà8¨·ÀH_ꤕÙf<5o³CÆ]“ìî"Á?¶xï°»T—Ý÷—ê>EG:ߣtuL,²IŽVð!Ë.`çÌ|Ùu9¶î¶”¤jâÜQ2ZGhÓôêôŒE[™Vê]C•«ð[¿„Ê”åöÑ’Ixrô¡µ_C%üœLG"¬ïhQƒB q¢ÔDk/y¥S*¿Ð =¤ª³ZWwlÖ¥vy}·ÓÂgé=̯ÏYKÆã¶Na@ÜqE¡UH÷ÙѾŠ…Vk¯G"§IÇƵúKâ㙞&ÁÍ}£•·&öqyØvæ"J·fئ"-ÏK «y6ôJU»ý•ø5ÿŸœ&guW=uj¾äûwŠ£‘ƒÏCè|ÔÔaUñëK{­FØ“~va±«—èÉ»dd®ˆ×‚Ãê©´R'œéŸ^c)•ƒêìÝ‘ ¤PHGP¤@~iÉ2Ð+øÏ™­f«©-ÏxGŒÑøCZñ•øܼ¼Lð|’cØÜåíøüVJC[ø6 Ã`Ü2¹Š½././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint0CACRL.crl0000644000175100017510000000071415161577363031012 0ustar00runnerrunner0‚È0±0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint0 CA 100101083000Z 301231083000Z /0-0U#0€›+²J<ÅnPÉ"½cÎ ñŒ=ú0 U0  *†H†÷  ‚ ³j섺2ªÊwÓd!‡`ÐçùÐ ·ÁG= 1Î8K½%œÜ^è÷|v-í÷@¡°2®å‚KÈöµ2!Ø7Ž¦ šæ™6ŠRÀIˆ!2ö HTHf ã`^ @ªG/jÀÌŠéVçXº;ªC{àRñ¯Xð^×mÂeë`t±[p…6M;õÝ®1RU?gæWõ³|N$–°ócjXìá¤ü$ÈÑt0ÄñÀªv¨?,!ö‹/Ç#"¨»î£“z’˜ûò€Åß°Ä/Ô¹/U)HÛZÐ> º·2-u(Œßi« 94k9+9Ú÷–w0Qû’’ì’Šš„³@././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint0subCA2CRL.crl0000644000175100017510000000072015161577363031603 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint0 subCA2 100101083000Z 301231083000Z /0-0U#0€Æ *û¸é>h`zǗγXQ{vÞ0 U0  *†H†÷  ‚š„Ç&SƒÃ`‚{HÜFÒ %#±îÇ~öÚAͶÉü«'¨+ü›cÉDd<¥'ïíF\ ÚûÀôSv²ÈÒ jfr·àÔ%[Õ~¹‡;®³è¸YÔ1Þx3“[g™ï|%ª0iÝ]=xÚ_ô¹akþ\²ÎIgà/èDZ—®ŽF/°îŸØ£(Š/US ×¢iöNÝÁ¡Eî-ýõ+gFoú¬Cküÿ¯tRÑ?ÅÎÀl.ÙVã.ªÙº"c*ež® ˜H|­J{‹Ë|FRÿ¤,ßÝȼ}¢}6ÿ/Þd¼Æ ·ÇžúÑÌ*././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint0subCACRL.crl0000644000175100017510000000071715161577363031527 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint0 subCA 100101083000Z 301231083000Z /0-0U#0€bg}Ò7ÅrÐ޵ʣs^0 U0  *†H†÷  ‚œdFÖG~M–2ÿ ¨>‡dQsìÏÖ™/ŸŽ¬JB_ÅûS!*ùz`óxÖÜø5°ð`ƒ™ÿY1ßV€ûG½ÎAiÎÎÛŽ²#?“#ƒ=ó>ß “ ÅÒ%m­ Ó¡Ÿ¸Wܾ´™ãÚѧÞvÍäð–‚²0âG–¦ž¨\ åéúæ9ç5¶Áä5êºJi†Ï×x?G×ÈfødLRÃÔQ€®1­ôqõ÷·Ÿs##DÕ ùLé¸&ˆ3ñ+<÷SÄ&ôê7Ïàw9î^¶2ti*[Çy8mîqvÏyYS³ÜL&Y¸³~!ŃˆÝyîÚK݈‡qÅ©Ãhñ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint1CACRL.crl0000644000175100017510000000071415161577363031013 0ustar00runnerrunner0‚È0±0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint1 CA 100101083000Z 301231083000Z /0-0U#0€óäq`ÿÞ&…3~üÁGgúÁ0 U0  *†H†÷  ‚aAÀÜÔAªŽ !ÙŨ±d—æ Ú¦8¤_Ø£¢öøªq„ëæÀõTr2l7:Å&ûQºœýpbƒWykMßgà5®ÂÑLJ¶˜T‚nðT@e°v<(÷/•_]T_Ú‰Øa7ZZü¨¨ë6ÀÇþ€ëîÔ)›s&ýÌ¥ê{”A„ o"!Ù4óá3¤Úæh¾)koµ%*óY|yáäg@IOZc›D-¢Ó<û ¡‘1«?¢•_Æ#y.ìˆm•eí§T"1RJÄši—³‡†Â°®´Ôõ´½WNù²iŒ[ÈED ǨœoØct‰././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint1subCACRL.crl0000644000175100017510000000071715161577363031530 0ustar00runnerrunner0‚Ë0´0  *†H†÷  0Q1 0 UUS10U Test Certificates 20111!0UpathLenConstraint1 subCA 100101083000Z 301231083000Z /0-0U#0€å™–µÇ}UB­ŽÇ%öͬy0 U0  *†H†÷  ‚EõG'›>,+©}¢ ÖG=Ø+UÅ–}–EËÑéãçèC¥¦-:v /]BªªbbÔ“Æ( ú‡Ôp^‹Ê*´4´`B=‘|ÿ ‘äëFÜÀ«ˆÉS™bÎœÛì{¶.ñ¡‹ÆTŽ è1W¿ŽpŸû=}ɶ´ÔÚ{O^c£ø/p ¤ß™ßr³±pí‚ÉÞo¶¨„8®Ã"ƒYéh.Ve¿:¡gùB®ë˜¥Ðja­N£ZÀŸB¦:{Z•§ÒD÷¦€˜ø=oµ5µÙsè”-wqètüÄàõí;*/OŠßR™“›E›r™:¸É#ܘ»¾kY„/././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6CACRL.crl0000644000175100017510000000071415161577363031020 0ustar00runnerrunner0‚È0±0  *†H†÷  0N1 0 UUS10U Test Certificates 201110UpathLenConstraint6 CA 100101083000Z 301231083000Z /0-0U#0€¯¼…®þL®á—#ˆÈ¥±` ºNØ0 U0  *†H†÷  ‚˜w–ä±ûz$ÿhPtb§x•ÀÏœùØqÍX óú' ­/(°w§ì#’Ðaù¥àÖ`‘99Õ u´Ÿ¦ÄÑ#­Ë¶aþG#F×KõËù%u¢øÉVnìÍ×Gœ{¼¥·å®­ÅãüÛÔ:f™ƒèDžÿ3€€£ÆwbªÓå@øêü äû+˜ÀRå·ü„‘î¶P<Ñõ¼cˆpT,/' ³a“”O5åòÊM 32pý¦É|p7ÎÚŒ ï¶ìC.›d#%e¿#'bwdÌdmÿԤŇ*Ù•ÚºyÀÆJ:o/è©Ÿ‘Õ­0ù%˾7ôE././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6subCA0CRL.crl0000644000175100017510000000072015161577363031607 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA0 100101083000Z 301231083000Z /0-0U#0€Ïvvƒs$Ç£mg|ëRÀÔÔíH0 U0  *†H†÷  ‚\¨ …¿ýûîT3[É£‘ÀþykÌQÎ|]·Dl§»f9d>`SIÍöƒÁŠdËðel¢¡ûgÊáb¢rÈVbr+Íçî²£¥­õîØε(´ÌörLÒú†{HÃZ ÷Bnš2a«4OÛâ#ç ¬ùoV4UžT6¹èåñæ‡üá< ñ²±N(5 .&Ž¹7ñ_ùÅRÒ.'\þÓÏSÎó[ž¨Ìü’iùã¬C:†«X-û²ò˜Ù)Eî’™éîtaw¬ŸìK9ŽÓ Å8Ó¾F :ŽÉòŒ?Z㛾jT —œQFUõwwÒ†¹âV¬äƒÃÎÇ)7ÑÀûÂõ:„ö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6subCA4CRL.crl0000644000175100017510000000072015161577363031613 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UpathLenConstraint6 subCA4 100101083000Z 301231083000Z /0-0U#0€I…ÛKûcÙ™(´ zžZw0 U0  *†H†÷  ‚·”¯$ÁLx1¨þÇe†M6 ÿçâc/ ×Î4õøÛèÔrùÆf}( “I‰Ÿw?ª˜}õ#¥ YNvÕ«eBE£ðéN²&N- )K©¦µmX¸›&Û.?† ûËeù): ÑðæqU/Îå¨Ì7ðGÿmè•Ÿã5“á&[5Ô3ç´ó•«^Ï„ê̼¿¼œ#,á™{ÓJÃq ¹0ÆL`øæ1äRAš'$øÉäa%~'Dß b:X4:?ß^6ùr šâä~° ˜:_A3:Eõ[:¸Iì[¦˜*ôñSðK¬Õ… ŸÅ­]U{,|\›§././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubCA00CRL.crl0000644000175100017510000000072415161577363032405 0ustar00runnerrunner0‚Ð0¹0  *†H†÷  0V1 0 UUS10U Test Certificates 20111&0$UpathLenConstraint6 subsubCA00 100101083000Z 301231083000Z /0-0U#0€º¹âˆ÷ÔY%Šã)ßO 8Ýqt‚0 U0  *†H†÷  ‚½¶9=×&â;öy†lŒc s쵑Ýqs\H]'CtÎIGá •»ö⸀6w2ÈBÕƒ×Wç«xŸJƒÐΗ¿NÞçÆÔ¸å¬ÔÆ÷[ºOÃ[³éI”Ž+‡z…oÕ‘¶+þfç6uŽÅ³dž/ˆfðüXmq¸¹sÐDma¨–²¬ÐÕ^"ÈP—²Ž ?ytˆŸÛ Õ‚I˳ƒˆ!:D±š^Í:à2ƒuòeÜû…“…ldÑìl$bÔ² ræâ ÿÄ—‚S§èS]ùvùÎJׂQÝ%º±õ%çP_׎݈£ wÐï=£«ïF² ’ð§™sµäªd¹Y@3aÐädüÉÈ9…±r!^•'¤×Ü©…tÿä"%sófßÞ;ΧÍk‘?sk7C|Iýbbä¡›Ã4¾`j‚À¼Þ4âêS ªg™ÀÇÞJ;“tΔ#»#·úŒJz Q°ÄíL‰ Ýåbï|b–Œå%x/ȹóñ¤,°h«K,íxk‚¾ C•·›÷3V刑K†ÖC%.âÿLÛ»ÿáö„ï’ 3­0×Àà>"&4;0íU[hô6¬,Š•‡Í¾‘¬Rü±†IsmwýNâ¤Mx£././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubsubCA11XCRL.crl0000644000175100017510000000073015161577363033246 0ustar00runnerrunner0‚Ô0½0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!pathLenConstraint6 subsubsubCA11X 100101083000Z 301231083000Z /0-0U#0€ƒÚ¸µÆÈ‹|‹?ír%â¯ê0 U0  *†H†÷  ‚˜¬ZBç+\§€ãÍÂ!fÈÿLo{v&“!–…u†3çi6>® Ö° nžØ8”ù†æ}RG”[zp¶)¨ZÁδbÎ4ôÌü aÈS$v4¢ŒÎ®šåæÖ7ËË­‰ÂËÉ8™å®«Œí hqØ?8—ç¤ÆÌïS›§"ú9S¬ìËû£üd‘½Dy5ÊØ+žKv#ý¨šÍð^kÀâ¶"ŒÈÆSÒ{5àÉŸ}ÆÑO?GO9ú4Úƒêa¼6žfyˆ+yPgðåuS)+òâ¿m2s³Ü%=¥(iuyvf‰žÓ,et(•”YrÖŽ¿¦µž././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pathLenConstraint6subsubsubCA41XCRL.crl0000644000175100017510000000073015161577363033251 0ustar00runnerrunner0‚Ô0½0  *†H†÷  0Z1 0 UUS10U Test Certificates 20111*0(U!pathLenConstraint6 subsubsubCA41X 100101083000Z 301231083000Z /0-0U#0€¡í¢ó5T¥Ÿ¼cæGjS$lJ r,0 U0  *†H†÷  ‚Ù½wP9r¤ÉI·JKø)øÀ$; :¬Ÿ—T ^=¼2®7bRÛr†¢½m2/î8Îé›ÓfJ¯‹õ©Þí?” >ûþ iC·#Ç)­÷ˆî•_öKU?¯Ì ¹O˯¨daCÆ­‚­‚Öv”–Ùóò5×¢ÔÁkÓ^’´>Ÿ¿Z¼ö€jhË?µ¤ž¬ì®ÈT=ÿïë‹Ý‚²ä²YýUÂôùiÍNvÜCnÌ%t˜Ôàů¤>gHÍI,{®‚e´[Qm["+"H6\šŠ„2 N‹±v|&Å~1±³‹Zx²†à&dcÆ vÄK%8Y0(ˆ)EõôÕ>e././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/pre2000CRLnextUpdateCACRL.crl0000644000175100017510000000072015161577363030762 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 Upre2000 CRL nextUpdate CA 980101120100Z 990101120100Z /0-0U#0€¨Gœa€h(±Bš)Œæ()’Ì0 U0  *†H†÷  ‚^š]¼1ÊlkÑ1Uتjù¿;•Q"4v1~Ꚉž€æ“u÷)*["U…FŸÊM>ݬrØòäåw'É)|è–^ÿpuOZ=Û¸cüF7²Nè êp”å? ¸aþaÅ(!•ã'ŽÙôq­;7JÜ[;ò¶°mtŸ/ *Aÿú+†¤®¯jzÏM£«X\Ä ·ow´÷Ú«$9»oZ Ú±<¬ò˜,x’šH~ô¼mÎÿþXä{aà`ø;ï ,/¶®°8 õ"A=»m¢3™Ïzš¬¿)⥑ËBU³UmÊàHéOy¾ž{“G. oEù¤Fµ)././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy0CACRL.crl0000644000175100017510000000072015161577363031705 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy0 CA 100101083000Z 301231083000Z /0-0U#0€¹ìߺR"¸¸¾j÷¢Õ' Ög50 U0  *†H†÷  ‚JÙjùÄÉ8‡÷³Ð°{Xk¢$ 3=õiÔœúµÊSœn@,OZ²Fî±zìÃÅG!÷æñ°]è”]pý§´¶K1DæÉDulïZ«ÊÔóBƒYXƒÒtøt©î¸©ðSÑ ð7à´h^ÇñƒPàiù¦Z?­’Û¥¾RµPjuÍé°K]™°ÿû2û|Ä8;sSêí˵ Rá/‘¨mv)™%”ªfæ™@OÉ+é&:$²$ò Ø“'Hx Ôû././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy0subsubCACRL.crl0000644000175100017510000000072615161577363033137 0ustar00runnerrunner0‚Ò0»0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy0 subsubCA 100101083000Z 301231083000Z /0-0U#0€ëØ—zz#5äÏ—$'"Ìg§VI0 U0  *†H†÷  ‚6ˆ²HŽu?ù}8°ñàÌDŽç ×ÚE*Jü»ÒB¹¶·´˜¹Ý¦zïFD#j ma¹ÚüRâ³"»¥êïÐÏXºÝ)ÍñûTñÿtˆ‚§°th×Åž±~ × žV[aŸÁçQæ_…»ý,ÏGKsx6» ´¾µ½%*+u}µ§îæÀ$iø[K‹¼éDQ»8Š)uåeZUëía_+ “ÚkUær|•í~.,JPdi6é 5_­Çù£…'¡ªoøÎ@óújä‚GúKq#‡Àè+—fª3«ðF±/Õ¬õZÅC”.Ä;ðE5ÌßcãN‘¥î././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy0subsubsubCACRL.crl0000644000175100017510000000073115161577363033645 0ustar00runnerrunner0‚Õ0¾0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy0 subsubsubCA 100101083000Z 301231083000Z /0-0U#0€µÛÖÈ /ZAÇx£D‰ÚÎ.kº0 U0  *†H†÷  ‚(W[¹¯7Zëçö5gYþjÈWÁGz›#¦€NZb—Ç¿Eô£ÎCOÙ*Ê„h»(;2~ÅèË”j|1Ã[î¼qÝ>=%›ØD-¢ÆkSõÓuË_O¿“™Ÿ‹JùF*Ïy;¬WÆí]’Å    PFå_#üÆ”²´-ë !|TB2¹Œ@p¯Ë•bp+Ÿß“˜Õç`h„]ì§zNv¢ ~Bš*­rl¹ªÒŠ«ü§AÌÒÞ¸o`‰¿ºE‡0t~ ]qkçlÙÇ-™ñÓ{9` NÉ"ìœß­þOÈíÕº­ê!‚ñuÁV‹óyö././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy10CACRL.crl0000644000175100017510000000072115161577363031767 0ustar00runnerrunner0‚Í0¶0  *†H†÷  0S1 0 UUS10U Test Certificates 20111#0!UrequireExplicitPolicy10 CA 100101083000Z 301231083000Z /0-0U#0€óLÑ_Õ€Góø4,ä˜ÏkŸ0 U0  *†H†÷  ‚ 0ãëå¹B_]¿Âj‹(ár­ÂçBÊ4ÅyÖvr‹¾)ÖRš ÒÒØ'*zZô~àýðô”¼¦·íJÖØý}t·´t®¤_á~F‚¯[¼îGàAþpGñu"Ä;¨|‘HáŒ"p SþEŽ¨KÇë“cÎ%t²MÖhŠI¾=ßå˧÷•‰>Wzß[çÜÞCÚ¯ÿúμ—to|Ž´±@Ÿ(œ¦³þg¤ye7ðu+CÉU­=éÒxûWD6V¢_C¾M(TÄyÕ=¾Vâuÿºùz=E—d¼3Zú÷~†€mý+]ÞZc²“åF£Däëm+¾Œàhqg–¯P.¤Û´e>¾ø¾#ûb°FŸº±ÐoÌȪë‘ø`yÍ~(…‰[`Sá—gíïèfUˆåä p8RAÒŠNTò½å”E«Ê>oõk././@PaxHeader0000000000000000000000000000020500000000000010212 xustar00111 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy10subsubsubCACRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy10subsubsubCACRL.cr0000644000175100017510000000073215161577363033553 0ustar00runnerrunner0‚Ö0¿0  *†H†÷  0\1 0 UUS10U Test Certificates 20111,0*U#requireExplicitPolicy10 subsubsubCA 100101083000Z 301231083000Z /0-0U#0€–Œqü¨;ÎÙÄøÃÐ_iq|èK0 U0  *†H†÷  ‚s–¯¶îX¬Þ8º~6iŸsÍÒ-‹*mŽ%µy”°7¸®®„¯§ ahOþ¤=ÖÌ,ï«÷À+Iêˆ8"YSn*›º© ﱟX ¿.´ˆlŒ€Ðý M­²‚kq"}.~[Î(‚u±‚wAzƒ[ /ž;[ÆòˆÙCè«Yðç½=«ÖׯMkÖ$cÙ¸­÷0¬@R³!µzïØÉ맢š)aöñ;r+`dæŽ'«8›iµèjgõùp¿‰‰¼áUœÞŽ_<\)t«ÓØ#ª†û“¸«»HÉ¿ñÒ;á\)_¦‘¶C¤[¾ÝU‘Žê÷ˉ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy2CACRL.crl0000644000175100017510000000072015161577363031707 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy2 CA 100101083000Z 301231083000Z /0-0U#0€6©Ùûª8/ ÷L;Ù…š£-©Ç0 U0  *†H†÷  ‚?1NJ‘V…6Çv<úƒ\ˆ~ÂE6ìéI lœƒxÆß&àûá£Õ^SÒx‹æq¢š&O¯á*YnXUüƒ$ùN’Ctv|K´—o BSˆQõÒ‘å…ÿBG% ÝBÒ»ÁšOwLWÐ>Í€-Çàänm ±'ª‚ŸÈg­SǽuãÂêm½$Ø•Y‚yÏ’µ“þç£jãšû¸f¸Y#7Ý<,d™šå_ÓÔ}èU$b9³«LÒ±Ë-- ®c)zE7ƒüç¦6|³èß–šðÃ6ÑZÙ¿€3±… ¾ñøq+aÆ_J\€š‘½Ið¡†wïv¸­pj././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy2subCACRL.crl0000644000175100017510000000072315161577363032424 0ustar00runnerrunner0‚Ï0¸0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy2 subCA 100101083000Z 301231083000Z /0-0U#0€ wþL0â³Q°÷ƒ˜G0 U0  *†H†÷  ‚yäï?GèøßêïæÀ8X mZǵ`Ôô¬ÿu„:ú:ž¹‚ˆ_µ)Ù”N—ŸkÏBØôNDÐtëÍž @¨«¶éMm!ÌÇÏÁæ73 DªyeZW\Z3Hìl¢c£'ª,óZ'‡Ör !›!’Ï/áÙµóé\§rúâ ·‡ut¤|ç†&áq){¨‡¢úmÙ–³½ÆÒô£.tòdV0"YÙ.ëuвŒ$jeËqw×´]Z)¤ÖŸÞ7” 1£YçÛ¨Ø,&¡ÞÇÔ·³§Jùß 5nOï%ÔFÆ?¦ú"#Øù·{/•Š œ.Nb{œÄ𖦙 -§X 7ý1././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy4CACRL.crl0000644000175100017510000000072015161577363031711 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy4 CA 100101083000Z 301231083000Z /0-0U#0€ÍÑÜÌÔ1c,]6±žu¾K^c0 U0  *†H†÷  ‚#TÇR«·€™p×vJïó\:Ô€ºñTwã —DY)XbPšAˆ4~Ξ9LEÏÄÈ¥5âýt€íð›÷zaÓèdåh¬ÂûçÖN;×))ˆ“ÆRÔÄ)IÔÜQ’Oæ®B8AëyB“%Ùß—‰T^÷ˆ|ð³G#Ë>wy.Béu¢´8k‡õ!™Ë)Pœ…”²1¶¶>§üR0æÒkò® ¦e+0ðp¬xè4)ÐIÖ.‡ji²././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy4subCACRL.crl0000644000175100017510000000072315161577363032426 0ustar00runnerrunner0‚Ï0¸0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy4 subCA 100101083000Z 301231083000Z /0-0U#0€}ï”»ö§—æØ"HCH¬³îº0 U0  *†H†÷  ‚² Û*4 Cš jY`u=â¤3¶õšóî‹4äÚs…´¹òWµº5­63vÎ…aYíC'0"¼—£À=/$¤¢oCAH©)ž*N¯î£:›¡VËÞšÌ;™½‹UÞíê+&€›a0g w?uo³€r×6ÈǶˆ«|ÄÍè‰?2©þãÀW›ÅŠAQK›öò_ÁÞv§[o«`ÉÄ1@e#¼­OàqžV||‹óq@µ˜kQr4²WÖœBš fÈÿ]^=eŽT°Du`Åö!UÇåä~öp˜?Í4 ºjŽZŽÏ0^â©ÆÁl&‘9ùwÎ7‚xY£;+œ˜Âe=Ëö‡öÆ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy4subsubCACRL.crl0000644000175100017510000000072615161577363033143 0ustar00runnerrunner0‚Ò0»0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy4 subsubCA 100101083000Z 301231083000Z /0-0U#0€©êæÓž° —¯çþ.2¡gL†0 U0  *†H†÷  ‚=<('Nˆ!“3“ØÈQ>XhuVqˆ |'SQ&+ïÍÆ©kj³×‚E«W—¶ð¾ÂvÂy$O„3L^V_çDá›óüÖüUo0ݨ@þi¼BÜIÂCÊõSÕú9noq5s%™kôE¡¹ˆ¨- uE"j&·'mŠt!Ò4¢‡²S•ÏêúÁÿ(&|P4›Q_–÷¤¢}%¯Nß7¸RŒ–0§ÄŒVk_—G¨&…+ú­ØÎöIÄþ °ÛQsAy¬Î‡ŒÛ±­íê¢{{¾\é#Û1í\ëG‚|îg›nŽ#/ŸQžê¬ ò£§ír¯9å_ÅVL¬švkø¸/0‡cÁØzJ q[fç09+µDÓ ‹$’1öAà å>f¬cËç"”‚&²¼BÀ¥¾?,‹¦}º›Ô‚ýñì´Š)DÂþ×9\*wepѲ¼¼3Š§3n4ôó'þÎIþê×FT$)Šù__ÛMQM././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subCACRL.crl0000644000175100017510000000072315161577363032427 0ustar00runnerrunner0‚Ï0¸0  *†H†÷  0U1 0 UUS10U Test Certificates 20111%0#UrequireExplicitPolicy5 subCA 100101083000Z 301231083000Z /0-0U#0€7Ó¿ÞÜPǯȊ蒰ÄHað:0 U0  *†H†÷  ‚Ђ_kTÿ‹,F/_¨¢¸ºÑ´”~Ô°E"Ù)ìèw€–;•ê˜IÏé‹VŠTk‚ƒ»åÃ4¾þ{4šP‚ñ¥épwò€ ËõzÛT{osëø©D€ô+U~ðBfGCÓc^Œƒ(þIƒkõŽ„ßN‹¿± am¦È]ßYV³ XVñš}÷??½‹­ôd ¹®HòR^ CÓ}T}'‡cÇbм7~ù \U¸´ü$ˆÒbTÐnåלð0n\ÅÆvzDÅX%&á_ôå\ùW³Tbëå‹©¬4¼GCac" ªoɵs½˜¬×¹Þp—?+p´ù././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subsubCACRL.crl0000644000175100017510000000072615161577363033144 0ustar00runnerrunner0‚Ò0»0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy5 subsubCA 100101083000Z 301231083000Z /0-0U#0€ø‚/yÿ´~Û[¯2ä5aµl0 U0  *†H†÷  ‚©Ò­{–õãç›&°Nˆ·6‰;|*TôÉÃê<¨>Ä;©+H/ ø÷R9+ø‰ý”uÿW® äç;à ®þþBTtþd¤f)’/D9”"c¤¯”nýÎ[bmöˆ‡É· sx|Øw@D¢ø¡øŠ)ß¿O|œ§m:‰ÝƒÆ3ûešJKû–ÞÏw¿¡úä%Ï ê*Ü)Læg‹Ü{qеý®Vò8¼VlÞÎögÔÊløHßà²yeàzI*´M⠲ŠL)gªu ?¶fG¤]ýš5[KldƒZ©Î/™V³ ñýŠV ß>2€Ökê±uaËüo4Q“ÞLp/././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy5subsubsubCACRL.crl0000644000175100017510000000073115161577363033652 0ustar00runnerrunner0‚Õ0¾0  *†H†÷  0[1 0 UUS10U Test Certificates 20111+0)U"requireExplicitPolicy5 subsubsubCA 100101083000Z 301231083000Z /0-0U#0€úbº½~^_ߺ¾y7‚Üü(0 U0  *†H†÷  ‚d"‹K±¹I½¢O4KG MçéJÙ€U• úö;î2{|uD‡ßÊÌëš©èè³¢[d´”dknf(ÃÂO{Õß 9HH¡{ÈMŠ‡§rxÖÁþ0ÅDÓù­²œÀ’F©zßÇ\ã¢ÌsÌ™dÁ±Èý–+zŒÐ†UŸVÇ?aœC^îd˜¥%aU]¸íÙmãáàEê ôмn±=Wgj‡m‹é¢IÖ#z¢æHíãðÉÐ\¦ß!Æo d)dô´W+§Egï$9Æ»›ë ¨ BŽêφH(MZ;kW'ßsÃ:g«µ1çŸyÿô•…“ígÑ›ááSê ­././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7CACRL.crl0000644000175100017510000000072015161577363031714 0ustar00runnerrunner0‚Ì0µ0  *†H†÷  0R1 0 UUS10U Test Certificates 20111"0 UrequireExplicitPolicy7 CA 100101083000Z 301231083000Z /0-0U#0€l1—5 ÞÛ5å iXYˆdÌ!ÎJ0 U0  *†H†÷  ‚p¾9ßëç'[A“,Ì „€ŸøÉûáF ’¿³¼²Þ=bigÈAÑ5 g Ï ²ýýÒ´0¶n{ÏZ,t©IµW¼¿fü’ç$`£‰/kº\ ¨ £ÎµÏýîhËÁuq,S¢`œVú¡:ïÔ¸H¢Ö:Ç:ètE±Ô&¼!uý^OlÏ7°Üùº2mpåŠÚ°B-¨ÜúÏ W[A2®8ƒçf³1è½òƨ±'Jø*Hæèt ÖÚÇY8œ]þg ¶¤#a í'gnô{¯®Çê+Y?HeåзЗÆ™Œ§::7ùßúÇ=ÂÁñpi^–././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subCARE2CRL.crl0000644000175100017510000000072615161577363032745 0ustar00runnerrunner0‚Ò0»0  *†H†÷  0X1 0 UUS10U Test Certificates 20111(0&UrequireExplicitPolicy7 subCARE2 100101083000Z 301231083000Z /0-0U#0€ç\%Ž~ªLwƒ{ÃêiÖÇ¢4á4Y0 U0  *†H†÷  ‚(io õ‘࿯pŒï@(ô†[§Ê÷NDˆÜê£'1å„iÒèkl(X×(Äã•H„­Z2²W•­úèK÷ ôT0½1L<$Wž!ÊßϬ0aðbq:KœFÿú †íÖÐÃÑš›àè;«i¶t>œÒñÉu »åÿ)„‘£¬kŒ²QG\•å,¸y½¯¬Í·4;ö[ oß·Þd•ž†¥I5Ñl0˜¬Ë:¼ð‹÷q) Ì>(£4æHMYhin mtÆYZÚ¡ 27 LSä'ž‡2Ö¸ŽÝž™T™{˯'ÖÎÊ¢m1¿oœk"5ž././@PaxHeader0000000000000000000000000000020700000000000010214 xustar00113 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubCARE2RE4CRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubCARE2RE4CRL.0000644000175100017510000000073415161577363033270 0ustar00runnerrunner0‚Ø0Á0  *†H†÷  0^1 0 UUS10U Test Certificates 20111.0,U%requireExplicitPolicy7 subsubCARE2RE4 100101083000Z 301231083000Z /0-0U#0€nÿ‹fþ›¥{ûd3eê•H”˜0 U0  *†H†÷  ‚;‚bãRP£’¬ŒßHhê ÚúÜ l½5gV Rÿ3·dr‡÷Ⱥ±–”Dª\|vQ®³¼»ºí¤r®Ò…. ÊÂé¼eŒìFoÑ9Íy>µÜhûý"mðŽ,˜°ºõâ8Ú«‹HE×i™ˆ‰ÕÃÀð­wâ‡màÌ ¨º±Û=ÎG¸ÇøëŸ)YÙr„7™•uáæöË^Ó¥Gõ5‹ôíë=8ö.Xp"ö—’ªôÊc`Ѥ´ÉÁé`¿¿SÌŽÉJ·s;÷ÝZdIÒ>·¢±h‘ ÿ»]cGøOlAýI{öùAi?öD¨»ƒ’yo¬±±Á´././@PaxHeader0000000000000000000000000000021200000000000010210 xustar00116 path=pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubsubCARE2RE4CRL.crl 22 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/crls/requireExplicitPolicy7subsubsubCARE2RE4C0000644000175100017510000000073715161577363033471 0ustar00runnerrunner0‚Û0Ä0  *†H†÷  0a1 0 UUS10U Test Certificates 2011110/U(requireExplicitPolicy7 subsubsubCARE2RE4 100101083000Z 301231083000Z /0-0U#0€{,Qa1­¬,k©¾;;’ªD0 U0  *†H†÷  ‚ ´úgTÊÙÃömØ<Æù×Tšî|©ðkk·•—l¥ûÜ0¡ØëÓ›˜ ƒ­@’8!DÞÕWÇ¥ œê[+XyE+î«» þˆ>'Â!ëûßö±•-”»äÊÔvTl?TÒè,ú«{[já¨8[ºÞÙà|;$´iG b’5®ŸøõŽbýp@Å+lå°†³b] “Âsó•ÌSøþQ]¾bz5#žüm¥QõœD J¨Š&aÍÄü˜éPAd0;¹téB»AŸ°°pëV¦Þ^ò œuIr;›”’äFD–” ä|~&’O6ô‚LÝ*‘E,R:/pø././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/pkits-user-notice.json0000644000175100017510000000643315161577363027344 0ustar00runnerrunner[ { "id": "40815", "name": "user_notice_qualifier_test15", "cert": "UserNoticeQualifierTest15EE.crt", "notice": "q1: This is the user notice from qualifier 1. This certificate is for test purposes only" }, { "id": "40816", "name": "user_notice_qualifier_test16", "cert": "UserNoticeQualifierTest16EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "notice": "q1: This is the user notice from qualifier 1. This certificate is for test purposes only" }, { "id": "40817", "name": "user_notice_qualifier_test17", "cert": "UserNoticeQualifierTest17EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "notice": "q3: This is the user notice from qualifier 3. This certificate is for test purposes only" }, { "id": "40818", "name": "user_notice_qualifier_test18_q4", "cert": "UserNoticeQualifierTest18EE.crt", "other_certs": [ "PoliciesP12CACert.crt" ], "crls": [ "PoliciesP12CACRL.crl" ], "notice": "q4: This is the user notice from qualifier 4 associated with NIST-test-policy-1. This certificate is for test purposes only", "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40818", "name": "user_notice_qualifier_test18_q5", "cert": "UserNoticeQualifierTest18EE.crt", "other_certs": [ "PoliciesP12CACert.crt" ], "crls": [ "PoliciesP12CACRL.crl" ], "notice": "q5: This is the user notice from qualifier 5 associated with anyPolicy. This user notice should be associated with NIST-test-policy-2", "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40818", "name": "user_notice_qualifier_test19", "cert": "UserNoticeQualifierTest19EE.crt", "notice": "q6: Section 4.2.1.5 of RFC 3280 states the maximum size of explicitText is 200 characters, but warns that some non-conforming CAs exceed this limit. Thus RFC 3280 states that certificate users SHOULD gracefully handle explicitText with more than 200 characters. This explicitText is over 200 characters long" }, { "id": "41012", "name": "valid_policy_mapping_test12_with_testpol1", "cert": "ValidPolicyMappingTest12EE.crt", "other_certs": [ "P12Mapping1to3CACert.crt" ], "crls": [ "P12Mapping1to3CACRL.crl" ], "notice": "q7: This is the user notice from qualifier 7 associated with NIST-test-policy-3. This user notice should be displayed when NIST-test-policy-1 is in the user-constrained-policy-set", "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "41012", "name": "valid_policy_mapping_test12_with_testpol2", "cert": "ValidPolicyMappingTest12EE.crt", "other_certs": [ "P12Mapping1to3CACert.crt" ], "crls": [ "P12Mapping1to3CACRL.crl" ], "notice": "q8: This is the user notice from qualifier 8 associated with anyPolicy. This user notice should be displayed when NIST-test-policy-2 is in the user-constrained-policy-set", "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } } ] ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/pkits.json0000644000175100017510000032524415161577363025115 0ustar00runnerrunner[ { "id": "40101", "name": "valid_signatures_test1", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40102", "name": "invalid_ca_signature_test2", "cert": "InvalidCASignatureTest2EE.crt", "other_certs": [ "BadSignedCACert.crt" ], "crls": [ "BadSignedCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the signature of intermediate certificate 1 could not be verified" } }, { "id": "40103", "name": "invalid_ee_signature_test3", "cert": "InvalidEESignatureTest3EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the signature of the end-entity certificate could not be verified" } }, { "id": "40104", "name": "valid_dsa_signatures_test4", "cert": "ValidDSASignaturesTest4EE.crt", "other_certs": [ "DSACACert.crt" ], "crls": [ "DSACACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40105", "name": "valid_dsa_parameter_inheritance_test5", "cert": "ValidDSAParameterInheritanceTest5EE.crt", "other_certs": [ "DSACACert.crt", "DSAParametersInheritedCACert.crt" ], "crls": [ "DSAParametersInheritedCACRL.crl", "DSACACRL.crl" ], "path_len": 4, "revocation": false }, { "id": "40106", "name": "invalid_dsa_signature_test6", "cert": "InvalidDSASignatureTest6EE.crt", "other_certs": [ "DSACACert.crt" ], "crls": [ "DSACACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the signature of the end-entity certificate could not be verified" } }, { "id": "40201", "name": "invalid_ca_notbefore_date_test1", "cert": "InvalidCAnotBeforeDateTest1EE.crt", "other_certs": [ "BadnotBeforeDateCACert.crt" ], "crls": [ "BadnotBeforeDateCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not valid until 2047-01-01 12:01:00Z" } }, { "id": "40202", "name": "invalid_ee_notbefore_date_test2", "cert": "InvalidEEnotBeforeDateTest2EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate is not valid until 2047-01-01 12:01:00Z" } }, { "id": "40203", "name": "valid_pre2000_utc_notbefore_date_test3", "cert": "Validpre2000UTCnotBeforeDateTest3EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40204", "name": "valid_generalizedtime_notbefore_date_test4", "cert": "ValidGeneralizedTimenotBeforeDateTest4EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40205", "name": "invalid_ca_notafter_date_test5", "cert": "InvalidCAnotAfterDateTest5EE.crt", "other_certs": [ "BadnotAfterDateCACert.crt" ], "crls": [ "BadnotAfterDateCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 expired 2011-01-01 08:30:00Z" } }, { "id": "40206", "name": "invalid_ee_notafter_date_test6", "cert": "InvalidEEnotAfterDateTest6EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate expired 2011-01-01 08:30:00Z" } }, { "id": "40207", "name": "invalid_pre2000_utc_ee_notafter_date_test7", "cert": "Invalidpre2000UTCEEnotAfterDateTest7EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate expired 1999-01-01 12:01:00Z" } }, { "id": "40208", "name": "valid_generalizedtime_notbefore_date_test8", "cert": "ValidGeneralizedTimenotAfterDateTest8EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40301", "name": "invalid_name_chaining_ee_test1", "cert": "InvalidNameChainingTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "path_intermediates": [ "GoodCACert.crt" ], "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate issuer name could not be matched" } }, { "id": "40302", "name": "invalid_name_chaining_order_test2", "cert": "InvalidNameChainingOrderTest2EE.crt", "other_certs": [ "NameOrderingCACert.crt" ], "crls": [ "NameOrderCACRL.crl" ], "path_len": 3, "path_intermediates": [ "NameOrderingCACert.crt" ], "revocation": false, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate issuer name could not be matched" } }, { "id": "40303", "name": "valid_name_chaining_whitespace_test3", "cert": "ValidNameChainingWhitespaceTest3EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40304", "name": "valid_name_chaining_whitespace_test4", "cert": "ValidNameChainingWhitespaceTest4EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40305", "name": "valid_name_chaining_capitalization_test5", "cert": "ValidNameChainingCapitalizationTest5EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40306", "name": "valid_name_chaining_uids_test6", "cert": "ValidNameUIDsTest6EE.crt", "other_certs": [ "UIDCACert.crt" ], "crls": [ "UIDCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40307", "name": "valid_rfc3280_mandatory_attribute_types_test7", "cert": "ValidRFC3280MandatoryAttributeTypesTest7EE.crt", "other_certs": [ "RFC3280MandatoryAttributeTypesCACert.crt" ], "crls": [ "RFC3280MandatoryAttributeTypesCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40308", "name": "valid_rfc3280_optional_attribute_types_test8", "cert": "ValidRFC3280OptionalAttributeTypesTest8EE.crt", "other_certs": [ "RFC3280OptionalAttributeTypesCACert.crt" ], "crls": [ "RFC3280OptionalAttributeTypesCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40309", "name": "valid_utf8string_encoded_names_test9", "cert": "ValidUTF8StringEncodedNamesTest9EE.crt", "other_certs": [ "UTF8StringEncodedNamesCACert.crt" ], "crls": [ "UTF8StringEncodedNamesCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40310", "name": "valid_rollover_from_printablestring_to_utf8string_test10", "cert": "ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt", "other_certs": [ "RolloverfromPrintableStringtoUTF8StringCACert.crt" ], "crls": [ "RolloverfromPrintableStringtoUTF8StringCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40311", "name": "valid_utf8string_case_insensitive_match_test11", "cert": "ValidUTF8StringCaseInsensitiveMatchTest11EE.crt", "other_certs": [ "UTF8StringCaseInsensitiveMatchCACert.crt" ], "crls": [ "UTF8StringCaseInsensitiveMatchCACRL.crl" ], "path_len": 3, "revocation": false }, { "id": "40401", "name": "missing_crl_test1", "cert": "InvalidMissingCRLTest1EE.crt", "other_certs": [ "NoCRLCACert.crt" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "40402", "name": "invalid_revoked_ca_test2", "cert": "InvalidRevokedCATest2EE.crt", "other_certs": [ "RevokedsubCACert.crt", "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl", "RevokedsubCACRL.crl" ], "path_len": 4, "error": { "class": "RevokedError", "msg_regex": "CRL indicates intermediate certificate 2 was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40403", "name": "invalid_revoked_ee_test3", "cert": "InvalidRevokedEETest3EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:01 on 2010-01-01, due to a compromised key" } }, { "id": "40404", "name": "invalid_bad_crl_signature_test4", "cert": "InvalidBadCRLSignatureTest4EE.crt", "other_certs": [ "BadCRLSignatureCACert.crt" ], "crls": [ "BadCRLSignatureCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL signature could not be verified" } }, { "id": "40405", "name": "invalid_bad_crl_issuer_name_test5", "cert": "InvalidBadCRLIssuerNameTest5EE.crt", "other_certs": [ "BadCRLIssuerNameCACert.crt" ], "crls": [ "BadCRLIssuerNameCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "40406", "name": "invalid_wrong_crl_test6", "cert": "InvalidWrongCRLTest6EE.crt", "other_certs": [ "WrongCRLCACert.crt" ], "crls": [ "WrongCRLCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "40407", "name": "valid_two_crls_test7", "cert": "ValidTwoCRLsTest7EE.crt", "other_certs": [ "TwoCRLsCACert.crt" ], "crls": [ "TwoCRLsCAGoodCRL.crl", "TwoCRLsCABadCRL.crl" ], "path_len": 3 }, { "id": "40408", "name": "invalid_unknown_crl_entry_extension_test8", "cert": "InvalidUnknownCRLEntryExtensionTest8EE.crt", "other_certs": [ "UnknownCRLEntryExtensionCACert.crt" ], "crls": [ "UnknownCRLEntryExtensionCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: One or more unrecognized critical extensions are present in the CRL entry for the certificate" } }, { "id": "40409", "name": "invalid_unknown_crl_extension_test9", "cert": "InvalidUnknownCRLExtensionTest9EE.crt", "other_certs": [ "UnknownCRLExtensionCACert.crt" ], "crls": [ "UnknownCRLExtensionCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: One or more unrecognized critical extensions are present in the CRL" } }, { "id": "40410", "name": "invalid_unknown_crl_extension_test10", "cert": "InvalidUnknownCRLExtensionTest10EE.crt", "other_certs": [ "UnknownCRLExtensionCACert.crt" ], "crls": [ "UnknownCRLExtensionCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: One or more unrecognized critical extensions are present in the CRL" } }, { "id": "40411", "name": "invalid_old_crl_nextupdate_test11", "cert": "InvalidOldCRLnextUpdateTest11EE.crt", "other_certs": [ "OldCRLnextUpdateCACert.crt" ], "crls": [ "OldCRLnextUpdateCACRL.crl" ], "path_len": 3, "error": { "class": "StaleRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL is not recent enough" } }, { "id": "40412", "name": "invalid_pre2000_crl_nextupdate_test12", "cert": "Invalidpre2000CRLnextUpdateTest12EE.crt", "other_certs": [ "pre2000CRLnextUpdateCACert.crt" ], "crls": [ "pre2000CRLnextUpdateCACRL.crl" ], "path_len": 3, "error": { "class": "StaleRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL is not recent enough" } }, { "id": "40413", "name": "valid_generalizedtime_crl_nextupdate_test13", "cert": "ValidGeneralizedTimeCRLnextUpdateTest13EE.crt", "other_certs": [ "GeneralizedTimeCRLnextUpdateCACert.crt" ], "crls": [ "GeneralizedTimeCRLnextUpdateCACRL.crl" ], "path_len": 3 }, { "id": "40414", "name": "valid_negative_serial_number_test14", "cert": "ValidNegativeSerialNumberTest14EE.crt", "other_certs": [ "NegativeSerialNumberCACert.crt" ], "crls": [ "NegativeSerialNumberCACRL.crl" ], "path_len": 3 }, { "id": "40415", "name": "invalid_negative_serial_number_test15", "cert": "InvalidNegativeSerialNumberTest15EE.crt", "other_certs": [ "NegativeSerialNumberCACert.crt" ], "crls": [ "NegativeSerialNumberCACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40416", "name": "valid_long_serial_number_test16", "cert": "ValidLongSerialNumberTest16EE.crt", "other_certs": [ "LongSerialNumberCACert.crt" ], "crls": [ "LongSerialNumberCACRL.crl" ], "path_len": 3 }, { "id": "40417", "name": "valid_long_serial_number_test17", "cert": "ValidLongSerialNumberTest17EE.crt", "other_certs": [ "LongSerialNumberCACert.crt" ], "crls": [ "LongSerialNumberCACRL.crl" ], "path_len": 3 }, { "id": "40418", "name": "invalid_long_serial_number_test18", "cert": "InvalidLongSerialNumberTest18EE.crt", "other_certs": [ "LongSerialNumberCACert.crt" ], "crls": [ "LongSerialNumberCACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40419", "name": "valid_separate_certificate_and_crl_keys_test19", "cert": "ValidSeparateCertificateandCRLKeysTest19EE.crt", "other_certs": [ "SeparateCertificateandCRLKeysCertificateSigningCACert.crt", "SeparateCertificateandCRLKeysCRLSigningCert.crt" ], "crls": [ "SeparateCertificateandCRLKeysCRL.crl" ], "path_len": 3 }, { "id": "40420", "name": "invalid_separate_certificate_and_crl_keys_test20", "cert": "InvalidSeparateCertificateandCRLKeysTest20EE.crt", "other_certs": [ "SeparateCertificateandCRLKeysCertificateSigningCACert.crt", "SeparateCertificateandCRLKeysCRLSigningCert.crt" ], "crls": [ "SeparateCertificateandCRLKeysCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40421", "name": "invalid_separate_certificate_and_crl_keys_test21", "cert": "InvalidSeparateCertificateandCRLKeysTest21EE.crt", "other_certs": [ "SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt", "SeparateCertificateandCRLKeysCA2CRLSigningCert.crt" ], "crls": [ "SeparateCertificateandCRLKeysCA2CRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: The CRL issuer certificate path could not be validated. CRL indicates the end-entity certificate CRL issuer was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40501", "name": "valid_basic_self_issued_old_with_new_test1", "cert": "ValidBasicSelfIssuedOldWithNewTest1EE.crt", "other_certs": [ "BasicSelfIssuedNewKeyOldWithNewCACert.crt", "BasicSelfIssuedNewKeyCACert.crt" ], "crls": [ "BasicSelfIssuedNewKeyCACRL.crl" ], "path_len": 4 }, { "id": "40502", "name": "invalid_basic_self_issued_old_with_new_test2", "cert": "InvalidBasicSelfIssuedOldWithNewTest2EE.crt", "other_certs": [ "BasicSelfIssuedNewKeyOldWithNewCACert.crt", "BasicSelfIssuedNewKeyCACert.crt" ], "crls": [ "BasicSelfIssuedNewKeyCACRL.crl" ], "path_len": 4, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40503", "name": "valid_basic_self_issued_new_with_old_test3", "cert": "ValidBasicSelfIssuedNewWithOldTest3EE.crt", "other_certs": [ "BasicSelfIssuedOldKeyCACert.crt", "BasicSelfIssuedOldKeyNewWithOldCACert.crt" ], "crls": [ "BasicSelfIssuedOldKeySelfIssuedCertCRL.crl", "BasicSelfIssuedOldKeyCACRL.crl" ], "path_len": 4 }, { "id": "40504", "name": "valid_basic_self_issued_new_with_old_test4", "cert": "ValidBasicSelfIssuedNewWithOldTest4EE.crt", "other_certs": [ "BasicSelfIssuedOldKeyCACert.crt", "BasicSelfIssuedOldKeyNewWithOldCACert.crt" ], "crls": [ "BasicSelfIssuedOldKeySelfIssuedCertCRL.crl", "BasicSelfIssuedOldKeyCACRL.crl" ], "path_len": 3 }, { "id": "40505", "name": "invalid_basic_self_issued_new_with_old_test5", "cert": "InvalidBasicSelfIssuedNewWithOldTest5EE.crt", "other_certs": [ "BasicSelfIssuedOldKeyCACert.crt", "BasicSelfIssuedOldKeyNewWithOldCACert.crt" ], "crls": [ "BasicSelfIssuedOldKeySelfIssuedCertCRL.crl", "BasicSelfIssuedOldKeyCACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40506", "name": "valid_basic_self_issued_crl_signing_key_test6", "cert": "ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt", "other_certs": [ "BasicSelfIssuedCRLSigningKeyCACert.crt", "BasicSelfIssuedCRLSigningKeyCRLCert.crt" ], "crls": [ "BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl", "BasicSelfIssuedCRLSigningKeyCACRL.crl" ], "path_len": 3 }, { "id": "40507", "name": "invalid_basic_self_issued_crl_signing_key_test7", "cert": "InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt", "other_certs": [ "BasicSelfIssuedCRLSigningKeyCACert.crt", "BasicSelfIssuedCRLSigningKeyCRLCert.crt" ], "crls": [ "BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl", "BasicSelfIssuedCRLSigningKeyCACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "40508", "name": "invalid_basic_self_issued_crl_signing_key_test8", "cert": "InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt", "other_certs": [ "BasicSelfIssuedCRLSigningKeyCACert.crt", "BasicSelfIssuedCRLSigningKeyCRLCert.crt" ], "crls": [ "BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl", "BasicSelfIssuedCRLSigningKeyCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 2 is not a CA" } }, { "id": "40601", "name": "invalid_missing_basicconstraints_test1", "cert": "InvalidMissingbasicConstraintsTest1EE.crt", "other_certs": [ "MissingbasicConstraintsCACert.crt" ], "crls": [ "MissingbasicConstraintsCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not a CA" } }, { "id": "40602", "name": "invalid_ca_false_test2", "cert": "InvalidcAFalseTest2EE.crt", "other_certs": [ "basicConstraintsCriticalcAFalseCACert.crt" ], "crls": [ "basicConstraintsCriticalcAFalseCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not a CA" } }, { "id": "40603", "name": "invalid_ca_false_test3", "cert": "InvalidcAFalseTest3EE.crt", "other_certs": [ "basicConstraintsNotCriticalcAFalseCACert.crt" ], "crls": [ "basicConstraintsNotCriticalcAFalseCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not a CA" } }, { "id": "40604", "name": "valid_basicconstraints_not_critical_test4", "cert": "ValidbasicConstraintsNotCriticalTest4EE.crt", "other_certs": [ "basicConstraintsNotCriticalCACert.crt" ], "crls": [ "basicConstraintsNotCriticalCACRL.crl" ], "path_len": 3 }, { "id": "40605", "name": "invalid_pathlenconstraint_test5", "cert": "InvalidpathLenConstraintTest5EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt", "pathLenConstraint0subCACert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl", "pathLenConstraint0subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40606", "name": "invalid_pathlenconstraint_test6", "cert": "InvalidpathLenConstraintTest6EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt", "pathLenConstraint0subCACert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl", "pathLenConstraint0subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40607", "name": "valid_pathlenconstraint_test7", "cert": "ValidpathLenConstraintTest7EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl" ], "path_len": 3 }, { "id": "40608", "name": "valid_pathlenconstraint_test8", "cert": "ValidpathLenConstraintTest8EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl" ], "path_len": 3 }, { "id": "40609", "name": "invalid_pathlenconstraint_test9", "cert": "InvalidpathLenConstraintTest9EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA0Cert.crt", "pathLenConstraint6subsubCA00Cert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA0CRL.crl", "pathLenConstraint6subsubCA00CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40610", "name": "invalid_pathlenconstraint_test10", "cert": "InvalidpathLenConstraintTest10EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA0Cert.crt", "pathLenConstraint6subsubCA00Cert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA0CRL.crl", "pathLenConstraint6subsubCA00CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40611", "name": "invalid_pathlenconstraint_test11", "cert": "InvalidpathLenConstraintTest11EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA1Cert.crt", "pathLenConstraint6subsubCA11Cert.crt", "pathLenConstraint6subsubsubCA11XCert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA1CRL.crl", "pathLenConstraint6subsubCA11CRL.crl", "pathLenConstraint6subsubsubCA11XCRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40612", "name": "invalid_pathlenconstraint_test12", "cert": "InvalidpathLenConstraintTest12EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA1Cert.crt", "pathLenConstraint6subsubCA11Cert.crt", "pathLenConstraint6subsubsubCA11XCert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA1CRL.crl", "pathLenConstraint6subsubCA11CRL.crl", "pathLenConstraint6subsubsubCA11XCRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40613", "name": "valid_pathlenconstraint_test13", "cert": "ValidpathLenConstraintTest13EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA4Cert.crt", "pathLenConstraint6subsubCA41Cert.crt", "pathLenConstraint6subsubsubCA41XCert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA4CRL.crl", "pathLenConstraint6subsubCA41CRL.crl", "pathLenConstraint6subsubsubCA41XCRL.crl" ], "path_len": 6 }, { "id": "40614", "name": "valid_pathlenconstraint_test14", "cert": "ValidpathLenConstraintTest14EE.crt", "other_certs": [ "pathLenConstraint6CACert.crt", "pathLenConstraint6subCA4Cert.crt", "pathLenConstraint6subsubCA41Cert.crt", "pathLenConstraint6subsubsubCA41XCert.crt" ], "crls": [ "pathLenConstraint6CACRL.crl", "pathLenConstraint6subCA4CRL.crl", "pathLenConstraint6subsubCA41CRL.crl", "pathLenConstraint6subsubsubCA41XCRL.crl" ], "path_len": 6 }, { "id": "40615", "name": "valid_self_issued_pathlenconstraint_test15", "cert": "ValidSelfIssuedpathLenConstraintTest15EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt", "pathLenConstraint0SelfIssuedCACert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl" ], "path_len": 4 }, { "id": "40616", "name": "invalid_self_issued_pathlenconstraint_test16", "cert": "InvalidSelfIssuedpathLenConstraintTest16EE.crt", "other_certs": [ "pathLenConstraint0CACert.crt", "pathLenConstraint0SelfIssuedCACert.crt", "pathLenConstraint0subCA2Cert.crt" ], "crls": [ "pathLenConstraint0CACRL.crl", "pathLenConstraint0subCA2CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because it exceeds the maximum path length" } }, { "id": "40617", "name": "valid_self_issued_pathlenconstraint_test17", "cert": "ValidSelfIssuedpathLenConstraintTest17EE.crt", "other_certs": [ "pathLenConstraint1CACert.crt", "pathLenConstraint1SelfIssuedCACert.crt", "pathLenConstraint1subCACert.crt", "pathLenConstraint1SelfIssuedsubCACert.crt" ], "crls": [ "pathLenConstraint1CACRL.crl", "pathLenConstraint1subCACRL.crl" ], "path_len": 6 }, { "id": "40701", "name": "invalid_keyusage_critical_keycertsign_false_test1", "cert": "InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt", "other_certs": [ "keyUsageCriticalkeyCertSignFalseCACert.crt" ], "crls": [ "keyUsageCriticalkeyCertSignFalseCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not allowed to sign certificates" } }, { "id": "40702", "name": "invalid_keyusage_not_critical_keycertsign_false_test2", "cert": "InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt", "other_certs": [ "keyUsageNotCriticalkeyCertSignFalseCACert.crt" ], "crls": [ "keyUsageNotCriticalkeyCertSignFalseCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 is not allowed to sign certificates" } }, { "id": "40703", "name": "valid_keyusage_not_critical_test3", "cert": "ValidkeyUsageNotCriticalTest3EE.crt", "other_certs": [ "keyUsageNotCriticalCACert.crt" ], "crls": [ "keyUsageNotCriticalCACRL.crl" ], "path_len": 3 }, { "id": "40704", "name": "invalid_keyusage_critical_crlsign_false_test4", "cert": "InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt", "other_certs": [ "keyUsageCriticalcRLSignFalseCACert.crt" ], "crls": [ "keyUsageCriticalcRLSignFalseCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: The CRL issuer that was identified is not authorized to sign CRLs" } }, { "id": "40705", "name": "invalid_keyusage_not_critical_crlsign_false_test5", "cert": "InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt", "other_certs": [ "keyUsageNotCriticalcRLSignFalseCACert.crt" ], "crls": [ "keyUsageNotCriticalcRLSignFalseCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: The CRL issuer that was identified is not authorized to sign CRLs" } }, { "id": "40801", "name": "all_certs_same_policy_test1_norestr", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3 }, { "id": "40801", "name": "all_certs_same_policy_test1_explicit_policy", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "params": { "initial_explicit_policy": true } }, { "id": "40801", "name": "all_certs_same_policy_test1_with_constraints1", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ], "initial_explicit_policy": true } }, { "id": "40801", "name": "all_certs_same_policy_test1_with_constraint_mismatch", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ], "initial_explicit_policy": true } }, { "id": "40801", "name": "all_certs_same_policy_test1_with_constraint_mismatch_ignored", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40801", "name": "all_certs_same_policy_test1_with_constraints2", "cert": "ValidCertificatePathTest1EE.crt", "other_certs": [ "GoodCACert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40802", "name": "all_certificates_no_policies_test2", "cert": "AllCertificatesNoPoliciesTest2EE.crt", "other_certs": [ "NoPoliciesCACert.crt" ], "crls": [ "NoPoliciesCACRL.crl" ], "path_len": 3 }, { "id": "40802", "name": "all_certificates_no_policies_test2_force_explicit", "cert": "AllCertificatesNoPoliciesTest2EE.crt", "other_certs": [ "NoPoliciesCACert.crt" ], "crls": [ "NoPoliciesCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate \\d" }, "params": { "initial_explicit_policy": true } }, { "id": "40803", "name": "different_policies_test3", "cert": "DifferentPoliciesTest3EE.crt", "other_certs": [ "GoodCACert.crt", "PoliciesP2subCACert.crt" ], "crls": [ "GoodCACRL.crl", "PoliciesP2subCACRL.crl" ], "path_len": 4 }, { "id": "40803", "name": "different_policies_test3_force_explicit", "cert": "DifferentPoliciesTest3EE.crt", "other_certs": [ "GoodCACert.crt", "PoliciesP2subCACert.crt" ], "crls": [ "GoodCACRL.crl", "PoliciesP2subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate \\d" }, "params": { "initial_explicit_policy": true } }, { "id": "40803", "name": "different_policies_test3_force_explicit_with_user_set", "cert": "DifferentPoliciesTest3EE.crt", "other_certs": [ "GoodCACert.crt", "PoliciesP2subCACert.crt" ], "crls": [ "GoodCACRL.crl", "PoliciesP2subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate \\d" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2" ], "initial_explicit_policy": true } }, { "id": "40804", "name": "different_policies_test4", "cert": "DifferentPoliciesTest4EE.crt", "other_certs": [ "GoodCACert.crt", "GoodsubCACert.crt" ], "crls": [ "GoodCACRL.crl", "GoodsubCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40805", "name": "different_policies_test5", "cert": "DifferentPoliciesTest5EE.crt", "other_certs": [ "GoodCACert.crt", "PoliciesP2subCA2Cert.crt" ], "crls": [ "GoodCACRL.crl", "PoliciesP2subCA2CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40806", "name": "overlapping_policies_test6", "cert": "OverlappingPoliciesTest6EE.crt", "other_certs": [ "PoliciesP1234CACert.crt", "PoliciesP1234subCAP123Cert.crt", "PoliciesP1234subsubCAP123P12Cert.crt" ], "crls": [ "PoliciesP1234CACRL.crl", "PoliciesP1234subCAP123CRL.crl", "PoliciesP1234subsubCAP123P12CRL.crl" ], "path_len": 5 }, { "id": "40806", "name": "overlapping_policies_test6_with_testpol1", "cert": "OverlappingPoliciesTest6EE.crt", "other_certs": [ "PoliciesP1234CACert.crt", "PoliciesP1234subCAP123Cert.crt", "PoliciesP1234subsubCAP123P12Cert.crt" ], "crls": [ "PoliciesP1234CACRL.crl", "PoliciesP1234subCAP123CRL.crl", "PoliciesP1234subsubCAP123P12CRL.crl" ], "path_len": 5, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40806", "name": "overlapping_policies_test6_with_testpol2", "cert": "OverlappingPoliciesTest6EE.crt", "other_certs": [ "PoliciesP1234CACert.crt", "PoliciesP1234subCAP123Cert.crt", "PoliciesP1234subsubCAP123P12Cert.crt" ], "crls": [ "PoliciesP1234CACRL.crl", "PoliciesP1234subCAP123CRL.crl", "PoliciesP1234subsubCAP123P12CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40806", "name": "overlapping_policies_test6_with_testpol2_explicit", "cert": "OverlappingPoliciesTest6EE.crt", "other_certs": [ "PoliciesP1234CACert.crt", "PoliciesP1234subCAP123Cert.crt", "PoliciesP1234subsubCAP123P12Cert.crt" ], "crls": [ "PoliciesP1234CACRL.crl", "PoliciesP1234subCAP123CRL.crl", "PoliciesP1234subsubCAP123P12CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ], "initial_explicit_policy": true } }, { "id": "40807", "name": "different_policies_test7", "cert": "DifferentPoliciesTest7EE.crt", "other_certs": [ "PoliciesP123CACert.crt", "PoliciesP123subCAP12Cert.crt", "PoliciesP123subsubCAP12P1Cert.crt" ], "crls": [ "PoliciesP123CACRL.crl", "PoliciesP123subCAP12CRL.crl", "PoliciesP123subsubCAP12P1CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40808", "name": "different_policies_test8", "cert": "DifferentPoliciesTest8EE.crt", "other_certs": [ "PoliciesP12CACert.crt", "PoliciesP12subCAP1Cert.crt", "PoliciesP12subsubCAP1P2Cert.crt" ], "crls": [ "PoliciesP12CACRL.crl", "PoliciesP12subCAP1CRL.crl", "PoliciesP12subsubCAP1P2CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate 3" } }, { "id": "40809", "name": "different_policies_test9", "cert": "DifferentPoliciesTest9EE.crt", "other_certs": [ "PoliciesP123CACert.crt", "PoliciesP123subCAP12Cert.crt", "PoliciesP123subsubCAP12P2Cert.crt", "PoliciesP123subsubsubCAP12P2P1Cert.crt" ], "crls": [ "PoliciesP123CACRL.crl", "PoliciesP123subCAP12CRL.crl", "PoliciesP123subsubCAP2P2CRL.crl", "PoliciesP123subsubsubCAP12P2P1CRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate 4" } }, { "id": "40810", "name": "all_certificates_same_policies_test10", "cert": "AllCertificatesSamePoliciesTest10EE.crt", "other_certs": [ "PoliciesP12CACert.crt" ], "crls": [ "PoliciesP12CACRL.crl" ], "path_len": 3 }, { "id": "40810", "name": "all_certificates_same_policies_test10_with_testpol1", "cert": "AllCertificatesSamePoliciesTest10EE.crt", "other_certs": [ "PoliciesP12CACert.crt" ], "crls": [ "PoliciesP12CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40810", "name": "all_certificates_same_policies_test10_with_testpol2", "cert": "AllCertificatesSamePoliciesTest10EE.crt", "other_certs": [ "PoliciesP12CACert.crt" ], "crls": [ "PoliciesP12CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40811", "name": "all_certificates_any_policy_test11", "cert": "AllCertificatesanyPolicyTest11EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3 }, { "id": "40811", "name": "all_certificates_any_policy_test11_constrained", "cert": "AllCertificatesanyPolicyTest11EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40812", "name": "different_policies_test12", "cert": "DifferentPoliciesTest12EE.crt", "other_certs": [ "PoliciesP3CACert.crt" ], "crls": [ "PoliciesP3CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40813", "name": "all_certificates_same_policies_test13", "cert": "AllCertificatesSamePoliciesTest13EE.crt", "other_certs": [ "PoliciesP123CACert.crt" ], "crls": [ "PoliciesP123CACRL.crl" ], "path_len": 3 }, { "id": "40813", "name": "all_certificates_same_policies_test13_with_testpol1", "cert": "AllCertificatesSamePoliciesTest13EE.crt", "other_certs": [ "PoliciesP123CACert.crt" ], "crls": [ "PoliciesP123CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40813", "name": "all_certificates_same_policies_test13_with_testpol2", "cert": "AllCertificatesSamePoliciesTest13EE.crt", "other_certs": [ "PoliciesP123CACert.crt" ], "crls": [ "PoliciesP123CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40813", "name": "all_certificates_same_policies_test13_with_testpol3", "cert": "AllCertificatesSamePoliciesTest13EE.crt", "other_certs": [ "PoliciesP123CACert.crt" ], "crls": [ "PoliciesP123CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.3" ] } }, { "id": "40813", "name": "all_certificates_same_policies_test13_with_testpol1_2", "cert": "AllCertificatesSamePoliciesTest13EE.crt", "other_certs": [ "PoliciesP123CACert.crt" ], "crls": [ "PoliciesP123CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40814", "name": "any_policy_test14", "cert": "AnyPolicyTest14EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3 }, { "id": "40814", "name": "any_policy_test14_with_testpol1", "cert": "AnyPolicyTest14EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "40814", "name": "any_policy_test14_with_testpol1_2", "cert": "AnyPolicyTest14EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1", "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40814", "name": "any_policy_test14_with_testpol2", "cert": "AnyPolicyTest14EE.crt", "other_certs": [ "anyPolicyCACert.crt" ], "crls": [ "anyPolicyCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "40901", "name": "valid_require_explicit_policy_test1", "cert": "ValidrequireExplicitPolicyTest1EE.crt", "other_certs": [ "requireExplicitPolicy10CACert.crt", "requireExplicitPolicy10subCACert.crt", "requireExplicitPolicy10subsubCACert.crt", "requireExplicitPolicy10subsubsubCACert.crt" ], "crls": [ "requireExplicitPolicy10CACRL.crl", "requireExplicitPolicy10subCACRL.crl", "requireExplicitPolicy10subsubCACRL.crl", "requireExplicitPolicy10subsubsubCACRL.crl" ], "path_len": 6 }, { "id": "40902", "name": "valid_require_explicit_policy_test2", "cert": "ValidrequireExplicitPolicyTest2EE.crt", "other_certs": [ "requireExplicitPolicy5CACert.crt", "requireExplicitPolicy5subCACert.crt", "requireExplicitPolicy5subsubCACert.crt", "requireExplicitPolicy5subsubsubCACert.crt" ], "crls": [ "requireExplicitPolicy5CACRL.crl", "requireExplicitPolicy5subCACRL.crl", "requireExplicitPolicy5subsubCACRL.crl", "requireExplicitPolicy5subsubsubCACRL.crl" ], "path_len": 6 }, { "id": "40903", "name": "invalid_require_explicit_policy_test3", "cert": "InvalidrequireExplicitPolicyTest3EE.crt", "other_certs": [ "requireExplicitPolicy4CACert.crt", "requireExplicitPolicy4subCACert.crt", "requireExplicitPolicy4subsubCACert.crt", "requireExplicitPolicy4subsubsubCACert.crt" ], "crls": [ "requireExplicitPolicy4CACRL.crl", "requireExplicitPolicy4subCACRL.crl", "requireExplicitPolicy4subsubCACRL.crl", "requireExplicitPolicy4subsubsubCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40904", "name": "valid_require_explicit_policy_test4", "cert": "ValidrequireExplicitPolicyTest4EE.crt", "other_certs": [ "requireExplicitPolicy0CACert.crt", "requireExplicitPolicy0subCACert.crt", "requireExplicitPolicy0subsubCACert.crt", "requireExplicitPolicy0subsubsubCACert.crt" ], "crls": [ "requireExplicitPolicy0CACRL.crl", "requireExplicitPolicy0subCACRL.crl", "requireExplicitPolicy0subsubCACRL.crl", "requireExplicitPolicy0subsubsubCACRL.crl" ], "path_len": 6 }, { "id": "40905", "name": "invalid_require_explicit_policy_test5", "cert": "InvalidrequireExplicitPolicyTest5EE.crt", "other_certs": [ "requireExplicitPolicy7CACert.crt", "requireExplicitPolicy7subCARE2Cert.crt", "requireExplicitPolicy7subsubCARE2RE4Cert.crt", "requireExplicitPolicy7subsubsubCARE2RE4Cert.crt" ], "crls": [ "requireExplicitPolicy7CACRL.crl", "requireExplicitPolicy7subCARE2CRL.crl", "requireExplicitPolicy7subsubCARE2RE4CRL.crl", "requireExplicitPolicy7subsubsubCARE2RE4CRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40906", "name": "valid_self_issued_require_explicit_policy_test6", "cert": "ValidSelfIssuedrequireExplicitPolicyTest6EE.crt", "other_certs": [ "requireExplicitPolicy2CACert.crt", "requireExplicitPolicy2SelfIssuedCACert.crt" ], "crls": [ "requireExplicitPolicy2CACRL.crl" ], "path_len": 4 }, { "id": "40907", "name": "invalid_self_issued_require_explicit_policy_test7", "cert": "InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt", "other_certs": [ "requireExplicitPolicy2CACert.crt", "requireExplicitPolicy2SelfIssuedCACert.crt", "requireExplicitPolicy2subCACert.crt" ], "crls": [ "requireExplicitPolicy2CACRL.crl", "requireExplicitPolicy2subCACRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "40908", "name": "invalid_self_issued_require_explicit_policy_test8", "cert": "InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt", "other_certs": [ "requireExplicitPolicy2CACert.crt", "requireExplicitPolicy2SelfIssuedCACert.crt", "requireExplicitPolicy2subCACert.crt", "requireExplicitPolicy2SelfIssuedsubCACert.crt" ], "crls": [ "requireExplicitPolicy2CACRL.crl", "requireExplicitPolicy2subCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41001", "name": "valid_policy_mapping_test2_with_testpol1", "cert": "ValidPolicyMappingTest1EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "41001", "name": "valid_policy_mapping_test2_with_testpol2", "cert": "ValidPolicyMappingTest1EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "41001", "name": "valid_policy_mapping_test2_inhibit_mapping", "cert": "ValidPolicyMappingTest1EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "initial_policy_mapping_inhibit": true } }, { "id": "41001", "name": "valid_policy_mapping_test2_inhibit_mapping_testpol1", "cert": "ValidPolicyMappingTest1EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ], "initial_policy_mapping_inhibit": true } }, { "id": "41002", "name": "invalid_policy_mapping_test2", "cert": "InvalidPolicyMappingTest2EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41002", "name": "invalid_policy_mapping_test2_inhibit_mapping", "cert": "InvalidPolicyMappingTest2EE.crt", "other_certs": [ "Mapping1to2CACert.crt" ], "crls": [ "Mapping1to2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "initial_policy_mapping_inhibit": true } }, { "id": "41003", "name": "valid_policy_mapping_test3_with_testpol1", "cert": "ValidPolicyMappingTest3EE.crt", "other_certs": [ "P12Mapping1to3CACert.crt", "P12Mapping1to3subCACert.crt", "P12Mapping1to3subsubCACert.crt" ], "crls": [ "P12Mapping1to3CACRL.crl", "P12Mapping1to3subCACRL.crl", "P12Mapping1to3subsubCACRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "41003", "name": "valid_policy_mapping_test3_with_testpol2", "cert": "ValidPolicyMappingTest3EE.crt", "other_certs": [ "P12Mapping1to3CACert.crt", "P12Mapping1to3subCACert.crt", "P12Mapping1to3subsubCACert.crt" ], "crls": [ "P12Mapping1to3CACRL.crl", "P12Mapping1to3subCACRL.crl", "P12Mapping1to3subsubCACRL.crl" ], "path_len": 5, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.2" ] } }, { "id": "41004", "name": "invalid_policy_mapping_test4", "cert": "InvalidPolicyMappingTest4EE.crt", "other_certs": [ "P12Mapping1to3CACert.crt", "P12Mapping1to3subCACert.crt", "P12Mapping1to3subsubCACert.crt" ], "crls": [ "P12Mapping1to3CACRL.crl", "P12Mapping1to3subCACRL.crl", "P12Mapping1to3subsubCACRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41005", "name": "valid_policy_mapping_test5_with_testpol1", "cert": "ValidPolicyMappingTest5EE.crt", "other_certs": [ "P1Mapping1to234CACert.crt", "P1Mapping1to234subCACert.crt" ], "crls": [ "P1Mapping1to234CACRL.crl", "P1Mapping1to234subCACRL.crl" ], "path_len": 4, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "41005", "name": "valid_policy_mapping_test5_with_testpol6", "cert": "ValidPolicyMappingTest5EE.crt", "other_certs": [ "P1Mapping1to234CACert.crt", "P1Mapping1to234subCACert.crt" ], "crls": [ "P1Mapping1to234CACRL.crl", "P1Mapping1to234subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.6" ] } }, { "id": "41006", "name": "valid_policy_mapping_test6_with_testpol1", "cert": "ValidPolicyMappingTest6EE.crt", "other_certs": [ "P1Mapping1to234CACert.crt", "P1Mapping1to234subCACert.crt" ], "crls": [ "P1Mapping1to234CACRL.crl", "P1Mapping1to234subCACRL.crl" ], "path_len": 4, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.1" ] } }, { "id": "41006", "name": "valid_policy_mapping_test6_with_testpol6", "cert": "ValidPolicyMappingTest6EE.crt", "other_certs": [ "P1Mapping1to234CACert.crt", "P1Mapping1to234subCACert.crt" ], "crls": [ "P1Mapping1to234CACRL.crl", "P1Mapping1to234subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" }, "params": { "user_initial_policy_set": [ "2.16.840.1.101.3.2.1.48.6" ] } }, { "id": "41007", "name": "invalid_mapping_from_any_policy_test7", "cert": "InvalidMappingFromanyPolicyTest7EE.crt", "other_certs": [ "MappingFromanyPolicyCACert.crt" ], "crls": [ "MappingFromanyPolicyCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 contains a policy mapping for the \"any policy\"" } }, { "id": "41008", "name": "invalid_mapping_to_any_policy_test8", "cert": "InvalidMappingToanyPolicyTest8EE.crt", "other_certs": [ "MappingToanyPolicyCACert.crt" ], "crls": [ "MappingToanyPolicyCACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because intermediate certificate 1 contains a policy mapping for the \"any policy\"" } }, { "id": "41009", "name": "valid_policy_mapping_test9", "cert": "ValidPolicyMappingTest9EE.crt", "other_certs": [ "PanyPolicyMapping1to2CACert.crt" ], "crls": [ "PanyPolicyMapping1to2CACRL.crl" ], "path_len": 3 }, { "id": "41010", "name": "invalid_policy_mapping_test10", "cert": "InvalidPolicyMappingTest10EE.crt", "other_certs": [ "GoodCACert.crt", "GoodsubCAPanyPolicyMapping1to2CACert.crt" ], "crls": [ "GoodCACRL.crl", "GoodsubCAPanyPolicyMapping1to2CACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41011", "name": "valid_policy_mapping_test11", "cert": "ValidPolicyMappingTest11EE.crt", "other_certs": [ "GoodCACert.crt", "GoodsubCAPanyPolicyMapping1to2CACert.crt" ], "crls": [ "GoodCACRL.crl", "GoodsubCAPanyPolicyMapping1to2CACRL.crl" ], "path_len": 4 }, { "id": "41013", "name": "valid_policy_mapping_test13", "cert": "ValidPolicyMappingTest13EE.crt", "other_certs": [ "P1anyPolicyMapping1to2CACert.crt" ], "crls": [ "P1anyPolicyMapping1to2CACRL.crl" ], "path_len": 3 }, { "id": "41014", "name": "valid_policy_mapping_test14", "cert": "ValidPolicyMappingTest14EE.crt", "other_certs": [ "P1anyPolicyMapping1to2CACert.crt" ], "crls": [ "P1anyPolicyMapping1to2CACRL.crl" ], "path_len": 3 }, { "id": "41101", "name": "invalid_inhibit_policy_mapping_test1", "cert": "InvalidinhibitPolicyMappingTest1EE.crt", "other_certs": [ "inhibitPolicyMapping0CACert.crt", "inhibitPolicyMapping0subCACert.crt" ], "crls": [ "inhibitPolicyMapping0CACRL.crl", "inhibitPolicyMapping0subCACRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41102", "name": "valid_inhibit_policy_mapping_test2", "cert": "ValidinhibitPolicyMappingTest2EE.crt", "other_certs": [ "inhibitPolicyMapping1P12CACert.crt", "inhibitPolicyMapping1P12subCACert.crt" ], "crls": [ "inhibitPolicyMapping1P12CACRL.crl", "inhibitPolicyMapping1P12subCACRL.crl" ], "path_len": 4 }, { "id": "41103", "name": "invalid_inhibit_policy_mapping_test3", "cert": "InvalidinhibitPolicyMappingTest3EE.crt", "other_certs": [ "inhibitPolicyMapping1P12CACert.crt", "inhibitPolicyMapping1P12subCACert.crt", "inhibitPolicyMapping1P12subsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P12CACRL.crl", "inhibitPolicyMapping1P12subCACRL.crl", "inhibitPolicyMapping1P12subsubCACRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41104", "name": "valid_inhibit_policy_mapping_test4", "cert": "ValidinhibitPolicyMappingTest4EE.crt", "other_certs": [ "inhibitPolicyMapping1P12CACert.crt", "inhibitPolicyMapping1P12subCACert.crt", "inhibitPolicyMapping1P12subsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P12CACRL.crl", "inhibitPolicyMapping1P12subCACRL.crl", "inhibitPolicyMapping1P12subsubCACRL.crl" ], "path_len": 5 }, { "id": "41105", "name": "invalid_inhibit_policy_mapping_test5", "cert": "InvalidinhibitPolicyMappingTest5EE.crt", "other_certs": [ "inhibitPolicyMapping5CACert.crt", "inhibitPolicyMapping5subCACert.crt", "inhibitPolicyMapping5subsubCACert.crt", "inhibitPolicyMapping5subsubsubCACert.crt" ], "crls": [ "inhibitPolicyMapping5CACRL.crl", "inhibitPolicyMapping5subCACRL.crl", "inhibitPolicyMapping5subsubCACRL.crl", "inhibitPolicyMapping5subsubsubCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41106", "name": "invalid_inhibit_policy_mapping_test6", "cert": "InvalidinhibitPolicyMappingTest6EE.crt", "other_certs": [ "inhibitPolicyMapping1P12CACert.crt", "inhibitPolicyMapping1P12subCAIPM5Cert.crt", "inhibitPolicyMapping1P12subsubCAIPM5Cert.crt" ], "crls": [ "inhibitPolicyMapping1P12CACRL.crl", "inhibitPolicyMapping1P12subCAIPM5CRL.crl", "inhibitPolicyMapping1P12subsubCAIPM5CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41107", "name": "valid_self_issued_inhibit_policy_mapping_test7", "cert": "ValidSelfIssuedinhibitPolicyMappingTest7EE.crt", "other_certs": [ "inhibitPolicyMapping1P1CACert.crt", "inhibitPolicyMapping1P1SelfIssuedCACert.crt", "inhibitPolicyMapping1P1subCACert.crt" ], "crls": [ "inhibitPolicyMapping1P1CACRL.crl", "inhibitPolicyMapping1P1subCACRL.crl" ], "path_len": 5 }, { "id": "41108", "name": "invalid_self_issued_inhibit_policy_mapping_test8", "cert": "InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt", "other_certs": [ "inhibitPolicyMapping1P1CACert.crt", "inhibitPolicyMapping1P1SelfIssuedCACert.crt", "inhibitPolicyMapping1P1subCACert.crt", "inhibitPolicyMapping1P1subsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P1CACRL.crl", "inhibitPolicyMapping1P1subCACRL.crl", "inhibitPolicyMapping1P1subsubCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41109", "name": "invalid_self_issued_inhibit_policy_mapping_test9", "cert": "InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt", "other_certs": [ "inhibitPolicyMapping1P1CACert.crt", "inhibitPolicyMapping1P1SelfIssuedCACert.crt", "inhibitPolicyMapping1P1subCACert.crt", "inhibitPolicyMapping1P1subsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P1CACRL.crl", "inhibitPolicyMapping1P1subCACRL.crl", "inhibitPolicyMapping1P1subsubCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41110", "name": "invalid_self_issued_inhibit_policy_mapping_test10", "cert": "InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt", "other_certs": [ "inhibitPolicyMapping1P1CACert.crt", "inhibitPolicyMapping1P1SelfIssuedCACert.crt", "inhibitPolicyMapping1P1subCACert.crt", "inhibitPolicyMapping1P1SelfIssuedsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P1CACRL.crl", "inhibitPolicyMapping1P1subCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41111", "name": "invalid_self_issued_inhibit_policy_mapping_test11", "cert": "InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt", "other_certs": [ "inhibitPolicyMapping1P1CACert.crt", "inhibitPolicyMapping1P1SelfIssuedCACert.crt", "inhibitPolicyMapping1P1subCACert.crt", "inhibitPolicyMapping1P1SelfIssuedsubCACert.crt" ], "crls": [ "inhibitPolicyMapping1P1CACRL.crl", "inhibitPolicyMapping1P1subCACRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41201", "name": "invalid_inhibit_any_policy_test1", "cert": "InvalidinhibitAnyPolicyTest1EE.crt", "other_certs": [ "inhibitAnyPolicy0CACert.crt" ], "crls": [ "inhibitAnyPolicy0CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41202", "name": "valid_inhibit_any_policy_test2", "cert": "ValidinhibitAnyPolicyTest2EE.crt", "other_certs": [ "inhibitAnyPolicy0CACert.crt" ], "crls": [ "inhibitAnyPolicy0CACRL.crl" ], "path_len": 3 }, { "id": "41203", "name": "inhibit_any_policy_test3", "cert": "inhibitAnyPolicyTest3EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1subCA1Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA1CRL.crl" ], "path_len": 4 }, { "id": "41203", "name": "inhibit_any_policy_test3_initial_inhibit", "cert": "inhibitAnyPolicyTest3EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1subCA1Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA1CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate \\d" }, "params": { "initial_any_policy_inhibit": true } }, { "id": "41204", "name": "invalid_inhibit_any_policy_test4", "cert": "InvalidinhibitAnyPolicyTest4EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1subCA1Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA1CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41205", "name": "invalid_inhibit_any_policy_test5", "cert": "InvalidinhibitAnyPolicyTest5EE.crt", "other_certs": [ "inhibitAnyPolicy5CACert.crt", "inhibitAnyPolicy5subCACert.crt", "inhibitAnyPolicy5subsubCACert.crt" ], "crls": [ "inhibitAnyPolicy5CACRL.crl", "inhibitAnyPolicy5subCACRL.crl", "inhibitAnyPolicy5subsubCACRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41206", "name": "invalid_inhibit_any_policy_test6", "cert": "InvalidinhibitAnyPolicyTest6EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1subCAIAP5Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCAIAP5CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41207", "name": "valid_self_issued_inhibit_any_policy_test7", "cert": "ValidSelfIssuedinhibitAnyPolicyTest7EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1SelfIssuedCACert.crt", "inhibitAnyPolicy1subCA2Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA2CRL.crl" ], "path_len": 5 }, { "id": "41208", "name": "invalid_self_issued_inhibit_any_policy_test8", "cert": "InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1SelfIssuedCACert.crt", "inhibitAnyPolicy1subCA2Cert.crt", "inhibitAnyPolicy1subsubCA2Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA2CRL.crl", "inhibitAnyPolicy1subsubCA2CRL.crl" ], "path_len": 6, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for intermediate certificate 4" } }, { "id": "41209", "name": "valid_self_issued_inhibit_any_policy_test9", "cert": "ValidSelfIssuedinhibitAnyPolicyTest9EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1SelfIssuedCACert.crt", "inhibitAnyPolicy1subCA2Cert.crt", "inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA2CRL.crl" ], "path_len": 6 }, { "id": "41210", "name": "invalid_self_issued_inhibit_any_policy_test10", "cert": "InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt", "other_certs": [ "inhibitAnyPolicy1CACert.crt", "inhibitAnyPolicy1SelfIssuedCACert.crt", "inhibitAnyPolicy1subCA2Cert.crt" ], "crls": [ "inhibitAnyPolicy1CACRL.crl", "inhibitAnyPolicy1subCA2CRL.crl" ], "path_len": 5, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because there is no valid set of policies for the end-entity certificate" } }, { "id": "41301", "name": "valid_dn_nameconstraints_test1", "cert": "ValidDNnameConstraintsTest1EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3 }, { "id": "41302", "name": "invalid_dn_nameconstraints_test2", "cert": "InvalidDNnameConstraintsTest2EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41303", "name": "invalid_dn_nameconstraints_test3", "cert": "InvalidDNnameConstraintsTest3EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41303", "name": "invalid_dn_nameconstraints_test3", "cert": "InvalidDNnameConstraintsTest3EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41304", "name": "valid_dn_nameconstraints_test4", "cert": "ValidDNnameConstraintsTest4EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3 }, { "id": "41305", "name": "valid_dn_nameconstraints_test5", "cert": "ValidDNnameConstraintsTest5EE.crt", "other_certs": [ "nameConstraintsDN2CACert.crt" ], "crls": [ "nameConstraintsDN2CACRL.crl" ], "path_len": 3 }, { "id": "41306", "name": "valid_dn_nameconstraints_test6", "cert": "ValidDNnameConstraintsTest6EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl" ], "path_len": 3 }, { "id": "41307", "name": "invalid_dn_nameconstraints_test7", "cert": "InvalidDNnameConstraintsTest7EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41308", "name": "invalid_dn_nameconstraints_test8", "cert": "InvalidDNnameConstraintsTest8EE.crt", "other_certs": [ "nameConstraintsDN4CACert.crt" ], "crls": [ "nameConstraintsDN4CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41309", "name": "invalid_dn_nameconstraints_test9", "cert": "InvalidDNnameConstraintsTest9EE.crt", "other_certs": [ "nameConstraintsDN4CACert.crt" ], "crls": [ "nameConstraintsDN4CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41310", "name": "invalid_dn_nameconstraints_test10", "cert": "InvalidDNnameConstraintsTest10EE.crt", "other_certs": [ "nameConstraintsDN5CACert.crt" ], "crls": [ "nameConstraintsDN5CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41311", "name": "valid_dn_nameconstraints_test11", "cert": "ValidDNnameConstraintsTest11EE.crt", "other_certs": [ "nameConstraintsDN5CACert.crt" ], "crls": [ "nameConstraintsDN5CACRL.crl" ], "path_len": 3 }, { "id": "41312", "name": "invalid_dn_nameconstraints_test12", "cert": "InvalidDNnameConstraintsTest12EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA1Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA1CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41313", "name": "invalid_dn_nameconstraints_test13", "cert": "InvalidDNnameConstraintsTest13EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA2Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA2CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41314", "name": "valid_dn_nameconstraints_test14", "cert": "ValidDNnameConstraintsTest14EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA2Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA2CRL.crl" ], "path_len": 4 }, { "id": "41315", "name": "invalid_dn_nameconstraints_test15", "cert": "InvalidDNnameConstraintsTest15EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt", "nameConstraintsDN3subCA1Cert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl", "nameConstraintsDN3subCA1CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41316", "name": "invalid_dn_nameconstraints_test16", "cert": "InvalidDNnameConstraintsTest16EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt", "nameConstraintsDN3subCA1Cert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl", "nameConstraintsDN3subCA1CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41317", "name": "invalid_dn_nameconstraints_test17", "cert": "InvalidDNnameConstraintsTest17EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt", "nameConstraintsDN3subCA2Cert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl", "nameConstraintsDN3subCA2CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41318", "name": "valid_dn_nameconstraints_test18", "cert": "ValidDNnameConstraintsTest18EE.crt", "other_certs": [ "nameConstraintsDN3CACert.crt", "nameConstraintsDN3subCA2Cert.crt" ], "crls": [ "nameConstraintsDN3CACRL.crl", "nameConstraintsDN3subCA2CRL.crl" ], "path_len": 4 }, { "id": "41319", "name": "valid_self_issued_dn_nameconstraints_test19", "cert": "ValidDNnameConstraintsTest19EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1SelfIssuedCACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 4 }, { "id": "41320", "name": "invalid_self_issued_dn_nameconstraints_test20", "cert": "InvalidDNnameConstraintsTest20EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1SelfIssuedCACert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41321", "name": "valid_rfc822_nameconstraints_test21", "cert": "ValidRFC822nameConstraintsTest21EE.crt", "other_certs": [ "nameConstraintsRFC822CA1Cert.crt" ], "crls": [ "nameConstraintsRFC822CA1CRL.crl" ], "path_len": 3 }, { "id": "41322", "name": "invalid_rfc822_nameconstraints_test22", "cert": "InvalidRFC822nameConstraintsTest22EE.crt", "other_certs": [ "nameConstraintsRFC822CA1Cert.crt" ], "crls": [ "nameConstraintsRFC822CA1CRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41323", "name": "valid_rfc822_nameconstraints_test23", "cert": "ValidRFC822nameConstraintsTest23EE.crt", "other_certs": [ "nameConstraintsRFC822CA2Cert.crt" ], "crls": [ "nameConstraintsRFC822CA2CRL.crl" ], "path_len": 3 }, { "id": "41324", "name": "invalid_rfc822_nameconstraints_test24", "cert": "InvalidRFC822nameConstraintsTest24EE.crt", "other_certs": [ "nameConstraintsRFC822CA2Cert.crt" ], "crls": [ "nameConstraintsRFC822CA2CRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41325", "name": "valid_rfc822_nameconstraints_test25", "cert": "ValidRFC822nameConstraintsTest25EE.crt", "other_certs": [ "nameConstraintsRFC822CA3Cert.crt" ], "crls": [ "nameConstraintsRFC822CA3CRL.crl" ], "path_len": 3 }, { "id": "41326", "name": "invalid_rfc822_nameconstraints_test26", "cert": "InvalidRFC822nameConstraintsTest26EE.crt", "other_certs": [ "nameConstraintsRFC822CA3Cert.crt" ], "crls": [ "nameConstraintsRFC822CA3CRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41327", "name": "valid_dn_and_rfc822_nameconstraints_test27", "cert": "ValidDNandRFC822nameConstraintsTest27EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA3Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA3CRL.crl" ], "path_len": 4 }, { "id": "41328", "name": "invalid_dn_and_rfc822_nameconstraints_test28", "cert": "InvalidDNandRFC822nameConstraintsTest28EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA3Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA3CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41329", "name": "invalid_dn_and_rfc822_nameconstraints_test29", "cert": "InvalidDNandRFC822nameConstraintsTest29EE.crt", "other_certs": [ "nameConstraintsDN1CACert.crt", "nameConstraintsDN1subCA3Cert.crt" ], "crls": [ "nameConstraintsDN1CACRL.crl", "nameConstraintsDN1subCA3CRL.crl" ], "path_len": 4, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41330", "name": "valid_dns_nameconstraints_test30", "cert": "ValidDNSnameConstraintsTest30EE.crt", "other_certs": [ "nameConstraintsDNS1CACert.crt" ], "crls": [ "nameConstraintsDNS1CACRL.crl" ], "path_len": 3 }, { "id": "41331", "name": "invalid_dns_nameconstraints_test31", "cert": "InvalidDNSnameConstraintsTest31EE.crt", "other_certs": [ "nameConstraintsDNS1CACert.crt" ], "crls": [ "nameConstraintsDNS1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41332", "name": "valid_dns_nameconstraints_test32", "cert": "ValidDNSnameConstraintsTest32EE.crt", "other_certs": [ "nameConstraintsDNS2CACert.crt" ], "crls": [ "nameConstraintsDNS2CACRL.crl" ], "path_len": 3 }, { "id": "41333", "name": "invalid_dns_nameconstraints_test33", "cert": "InvalidDNSnameConstraintsTest33EE.crt", "other_certs": [ "nameConstraintsDNS2CACert.crt" ], "crls": [ "nameConstraintsDNS2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41334", "name": "valid_uri_nameconstraints_test34", "cert": "ValidURInameConstraintsTest34EE.crt", "other_certs": [ "nameConstraintsURI1CACert.crt" ], "crls": [ "nameConstraintsURI1CACRL.crl" ], "path_len": 3 }, { "id": "41335", "name": "invalid_uri_nameconstraints_test35", "cert": "InvalidURInameConstraintsTest35EE.crt", "other_certs": [ "nameConstraintsURI1CACert.crt" ], "crls": [ "nameConstraintsURI1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41336", "name": "valid_uri_nameconstraints_test36", "cert": "ValidURInameConstraintsTest36EE.crt", "other_certs": [ "nameConstraintsURI2CACert.crt" ], "crls": [ "nameConstraintsURI2CACRL.crl" ], "path_len": 3 }, { "id": "41337", "name": "invalid_uri_nameconstraints_test37", "cert": "InvalidURInameConstraintsTest37EE.crt", "other_certs": [ "nameConstraintsURI2CACert.crt" ], "crls": [ "nameConstraintsURI2CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because some names of the end-entity certificate are excluded from the namespace of the issuing authority." } }, { "id": "41338", "name": "invalid_dns_nameconstraints_test38", "cert": "InvalidDNSnameConstraintsTest38EE.crt", "other_certs": [ "nameConstraintsDNS1CACert.crt" ], "crls": [ "nameConstraintsDNS1CACRL.crl" ], "path_len": 3, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because not all names of the end-entity certificate are in the permitted namespace of the issuing authority." } }, { "id": "41401", "name": "valid_distributionpoint_test1", "cert": "ValiddistributionPointTest1EE.crt", "other_certs": [ "distributionPoint1CACert.crt" ], "crls": [ "distributionPoint1CACRL.crl" ], "path_len": 3 }, { "id": "41402", "name": "invalid_distributionpoint_test2", "cert": "InvaliddistributionPointTest2EE.crt", "other_certs": [ "distributionPoint1CACert.crt" ], "crls": [ "distributionPoint1CACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41403", "name": "invalid_distributionpoint_test3", "cert": "InvaliddistributionPointTest3EE.crt", "other_certs": [ "distributionPoint1CACert.crt" ], "crls": [ "distributionPoint1CACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41404", "name": "valid_distributionpoint_test4", "cert": "ValiddistributionPointTest4EE.crt", "other_certs": [ "distributionPoint1CACert.crt" ], "crls": [ "distributionPoint1CACRL.crl" ], "path_len": 3 }, { "id": "41405", "name": "valid_distributionpoint_test5", "cert": "ValiddistributionPointTest5EE.crt", "other_certs": [ "distributionPoint2CACert.crt" ], "crls": [ "distributionPoint2CACRL.crl" ], "path_len": 3 }, { "id": "41406", "name": "invalid_distributionpoint_test6", "cert": "InvaliddistributionPointTest6EE.crt", "other_certs": [ "distributionPoint2CACert.crt" ], "crls": [ "distributionPoint2CACRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41407", "name": "valid_distributionpoint_test7", "cert": "ValiddistributionPointTest7EE.crt", "other_certs": [ "distributionPoint2CACert.crt" ], "crls": [ "distributionPoint2CACRL.crl" ], "path_len": 3 }, { "id": "41408", "name": "invalid_distributionpoint_test8", "cert": "InvaliddistributionPointTest8EE.crt", "other_certs": [ "distributionPoint2CACert.crt" ], "crls": [ "distributionPoint2CACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41409", "name": "invalid_distributionpoint_test9", "cert": "InvaliddistributionPointTest9EE.crt", "other_certs": [ "distributionPoint2CACert.crt" ], "crls": [ "distributionPoint2CACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41410", "name": "valid_no_issuingdistributionpoint_test10", "cert": "ValidNoissuingDistributionPointTest10EE.crt", "other_certs": [ "NoissuingDistributionPointCACert.crt" ], "crls": [ "NoissuingDistributionPointCACRL.crl" ], "path_len": 3 }, { "id": "41411", "name": "invalid_onlycontainsusercerts_crl_test11", "cert": "InvalidonlyContainsUserCertsTest11EE.crt", "other_certs": [ "onlyContainsUserCertsCACert.crt" ], "crls": [ "onlyContainsUserCertsCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL only contains end-entity certificates and certificate is a CA certificate" } }, { "id": "41412", "name": "invalid_onlycontainscacerts_crl_test12", "cert": "InvalidonlyContainsCACertsTest12EE.crt", "other_certs": [ "onlyContainsCACertsCACert.crt" ], "crls": [ "onlyContainsCACertsCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL only contains CA certificates and certificate is an end-entity certificate" } }, { "id": "41413", "name": "valid_onlycontainscacerts_crl_test13", "cert": "ValidonlyContainsCACertsTest13EE.crt", "other_certs": [ "onlyContainsCACertsCACert.crt" ], "crls": [ "onlyContainsCACertsCACRL.crl" ], "path_len": 3 }, { "id": "41414", "name": "invalid_onlycontainsattributecerts_crl_test14", "cert": "InvalidonlyContainsAttributeCertsTest14EE.crt", "other_certs": [ "onlyContainsAttributeCertsCACert.crt" ], "crls": [ "onlyContainsAttributeCertsCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL only contains attribute certificates" } }, { "id": "41415", "name": "invalid_onlysomereasons_test15", "cert": "InvalidonlySomeReasonsTest15EE.crt", "other_certs": [ "onlySomeReasonsCA1Cert.crt" ], "crls": [ "onlySomeReasonsCA1compromiseCRL.crl", "onlySomeReasonsCA1otherreasonsCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41416", "name": "invalid_onlysomereasons_test16", "cert": "InvalidonlySomeReasonsTest16EE.crt", "other_certs": [ "onlySomeReasonsCA1Cert.crt" ], "crls": [ "onlySomeReasonsCA1compromiseCRL.crl", "onlySomeReasonsCA1otherreasonsCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a certificate hold" } }, { "id": "41417", "name": "invalid_onlysomereasons_test17", "cert": "InvalidonlySomeReasonsTest17EE.crt", "other_certs": [ "onlySomeReasonsCA2Cert.crt" ], "crls": [ "onlySomeReasonsCA2CRL1.crl", "onlySomeReasonsCA2CRL2.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: The available CRLs do not cover all revocation reasons" } }, { "id": "41418", "name": "valid_onlysomereasons_test18", "cert": "ValidonlySomeReasonsTest18EE.crt", "other_certs": [ "onlySomeReasonsCA3Cert.crt" ], "crls": [ "onlySomeReasonsCA3compromiseCRL.crl", "onlySomeReasonsCA3otherreasonsCRL.crl" ], "path_len": 3 }, { "id": "41419", "name": "valid_onlysomereasons_test19", "cert": "ValidonlySomeReasonsTest19EE.crt", "other_certs": [ "onlySomeReasonsCA4Cert.crt" ], "crls": [ "onlySomeReasonsCA4compromiseCRL.crl", "onlySomeReasonsCA4otherreasonsCRL.crl" ], "path_len": 3 }, { "id": "41420", "name": "invalid_onlysomereasons_test20", "cert": "InvalidonlySomeReasonsTest20EE.crt", "other_certs": [ "onlySomeReasonsCA4Cert.crt" ], "crls": [ "onlySomeReasonsCA4compromiseCRL.crl", "onlySomeReasonsCA4otherreasonsCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41421", "name": "invalid_onlysomereasons_test21", "cert": "InvalidonlySomeReasonsTest21EE.crt", "other_certs": [ "onlySomeReasonsCA4Cert.crt" ], "crls": [ "onlySomeReasonsCA4compromiseCRL.crl", "onlySomeReasonsCA4otherreasonsCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to an affiliation change" } }, { "id": "41422", "name": "valid_idp_with_indirectcrl_test22", "cert": "ValidIDPwithindirectCRLTest22EE.crt", "other_certs": [ "indirectCRLCA1Cert.crt" ], "crls": [ "indirectCRLCA1CRL.crl" ], "path_len": 3 }, { "id": "41423", "name": "invalid_idp_with_indirectcrl_test23", "cert": "InvalidIDPwithindirectCRLTest23EE.crt", "other_certs": [ "indirectCRLCA1Cert.crt" ], "crls": [ "indirectCRLCA1CRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41424", "name": "valid_idp_with_indirectcrl_test24", "cert": "ValidIDPwithindirectCRLTest24EE.crt", "other_certs": [ "indirectCRLCA1Cert.crt", "indirectCRLCA2Cert.crt" ], "crls": [ "indirectCRLCA1CRL.crl" ], "path_len": 3 }, { "id": "41425", "name": "valid_idp_with_indirectcrl_test25", "cert": "ValidIDPwithindirectCRLTest25EE.crt", "other_certs": [ "indirectCRLCA1Cert.crt", "indirectCRLCA2Cert.crt" ], "crls": [ "indirectCRLCA1CRL.crl" ], "path_len": 3 }, { "id": "41426", "name": "invalid_idp_with_indirectcrl_test26", "cert": "InvalidIDPwithindirectCRLTest26EE.crt", "other_certs": [ "indirectCRLCA1Cert.crt", "indirectCRLCA2Cert.crt" ], "crls": [ "indirectCRLCA1CRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41427", "name": "invalid_crlissuer_test27", "cert": "InvalidcRLIssuerTest27EE.crt", "other_certs": [ "GoodCACert.crt", "indirectCRLCA2Cert.crt" ], "crls": [ "GoodCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41428", "name": "valid_crlissuer_test28", "cert": "ValidcRLIssuerTest28EE.crt", "other_certs": [ "indirectCRLCA3Cert.crt", "indirectCRLCA3cRLIssuerCert.crt" ], "crls": [ "indirectCRLCA3CRL.crl", "indirectCRLCA3cRLIssuerCRL.crl" ], "path_len": 3 }, { "id": "41429", "name": "valid_crlissuer_test29", "cert": "ValidcRLIssuerTest29EE.crt", "other_certs": [ "indirectCRLCA3Cert.crt", "indirectCRLCA3cRLIssuerCert.crt" ], "crls": [ "indirectCRLCA3CRL.crl", "indirectCRLCA3cRLIssuerCRL.crl" ], "path_len": 3 }, { "id": "41430", "name": "valid_crlissuer_test30", "cert": "ValidcRLIssuerTest30EE.crt", "other_certs": [ "indirectCRLCA4Cert.crt", "indirectCRLCA4cRLIssuerCert.crt" ], "crls": [ "indirectCRLCA4cRLIssuerCRL.crl" ], "path_len": 3 }, { "id": "41431", "name": "invalid_crlissuer_test31", "cert": "InvalidcRLIssuerTest31EE.crt", "other_certs": [ "indirectCRLCA5Cert.crt", "indirectCRLCA6Cert.crt" ], "crls": [ "indirectCRLCA5CRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41432", "name": "invalid_crlissuer_test32", "cert": "InvalidcRLIssuerTest32EE.crt", "other_certs": [ "indirectCRLCA5Cert.crt", "indirectCRLCA6Cert.crt" ], "crls": [ "indirectCRLCA5CRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41433", "name": "valid_crlissuer_test33", "cert": "ValidcRLIssuerTest33EE.crt", "other_certs": [ "indirectCRLCA5Cert.crt", "indirectCRLCA6Cert.crt" ], "crls": [ "indirectCRLCA5CRL.crl" ], "path_len": 3 }, { "id": "41434", "name": "invalid_crlissuer_test34", "cert": "InvalidcRLIssuerTest34EE.crt", "other_certs": [ "indirectCRLCA5Cert.crt" ], "crls": [ "indirectCRLCA5CRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41435", "name": "invalid_crlissuer_test35", "cert": "InvalidcRLIssuerTest35EE.crt", "other_certs": [ "indirectCRLCA5Cert.crt" ], "crls": [ "indirectCRLCA5CRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41501", "name": "invalid_deltacrlindicator_no_base_set_test1", "cert": "InvaliddeltaCRLIndicatorNoBaseTest1EE.crt", "other_certs": [ "deltaCRLIndicatorNoBaseCACert.crt" ], "crls": [ "deltaCRLIndicatorNoBaseCACRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because no revocation information could be found for the end-entity certificate" } }, { "id": "41502", "name": "valid_deltacrl_test2", "cert": "ValiddeltaCRLTest2EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3 }, { "id": "41503", "name": "invalid_deltacrl_test3", "cert": "InvaliddeltaCRLTest3EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41504", "name": "invalid_deltacrl_test4", "cert": "InvaliddeltaCRLTest4EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-06-01, due to a compromised key" } }, { "id": "41505", "name": "valid_deltacrl_test5", "cert": "ValiddeltaCRLTest5EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3 }, { "id": "41506", "name": "invalid_deltacrl_test6", "cert": "InvaliddeltaCRLTest6EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41507", "name": "valid_deltacrl_test7", "cert": "ValiddeltaCRLTest7EE.crt", "other_certs": [ "deltaCRLCA1Cert.crt" ], "crls": [ "deltaCRLCA1CRL.crl", "deltaCRLCA1deltaCRL.crl" ], "path_len": 3 }, { "id": "41508", "name": "valid_deltacrl_test8", "cert": "ValiddeltaCRLTest8EE.crt", "other_certs": [ "deltaCRLCA2Cert.crt" ], "crls": [ "deltaCRLCA2CRL.crl", "deltaCRLCA2deltaCRL.crl" ], "path_len": 3 }, { "id": "41509", "name": "invalid_deltacrl_test9", "cert": "InvaliddeltaCRLTest9EE.crt", "other_certs": [ "deltaCRLCA2Cert.crt" ], "crls": [ "deltaCRLCA2CRL.crl", "deltaCRLCA2deltaCRL.crl" ], "path_len": 3, "error": { "class": "RevokedError", "msg_regex": "CRL indicates the end-entity certificate was revoked at 08:30:00 on 2010-01-01, due to a compromised key" } }, { "id": "41510", "name": "invalid_deltacrl_test10", "cert": "InvaliddeltaCRLTest10EE.crt", "other_certs": [ "deltaCRLCA3Cert.crt" ], "crls": [ "deltaCRLCA3CRL.crl", "deltaCRLCA3deltaCRL.crl" ], "path_len": 3, "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: CRL is not recent enough" } }, { "id": "41601", "name": "valid_unknown_not_critical_certificate_extension_test1", "cert": "ValidUnknownNotCriticalCertificateExtensionTest1EE.crt", "path_len": 2 }, { "id": "41602", "name": "invalid_unknown_critical_certificate_extension_test2", "cert": "InvalidUnknownCriticalCertificateExtensionTest2EE.crt", "path_len": 2, "error": { "class": "PathValidationError", "msg_regex": "The path could not be validated because the end-entity certificate contains the following unsupported critical extension: 2.16.840.1.101.2.1.12.2" } } ] ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/nist_pkits/readme.md0000644000175100017510000000014415161577363024634 0ustar00runnerrunnerPath validation fixtures from http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html. ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.298681 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/0000755000175100017510000000000015161577372023314 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D1.ors0000644000175100017510000000374415161577363024315 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBRf2uQDFpGg Ywh4P1y2H9bZ2/BQNBgPMjAxMjEwMjMxMDI1MzZaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDIzMDcwMDAwWqARGA8yMDEyMTAzMDA4 MDAwMFowCwYJKoZIhvcNAQEFA4IBAQAJU3hXN7NApN50/vlZTG2p8+QQJp4uaod3 wyBQ0Ux3DoQZQ9RG6/7Mm4qpOLCCSTh/lJjZ0fD+9eB3gcp/JupN1JrU+dgTyv/Y 9MOctJz7y+VoU9I+qB8knV4sQCwohAVm8GmA9s4p/rHq5Oymci0SuG/QCfkVxOub rI1bWjbHLvvXyvF3PoGMORVHG3SA+jJ9VkHWJyi6brHxY+QR/iYxer8lJsBtpyc7 q2itFgvax/OHwne3lxsck9q0QgKpmEdJu2LuGyWFIhrEwR3b7ASEu1G/nKClv3dR vyOXMm1XIwuUhCjAcpNEKiOMorFwnLS1F8LhfqFWTAFG0JbWpAi8oIID+DCCA/Qw ggPwMIIC2KADAgECAhIRISdENsrz1CSWG3VIBwfQERQwDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDA1MFoXDTEyMTIxOTA4NDA1MFowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDIxFzAVBgNV BAUTDjIwMTIwOTE5MDk0MDAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAnCgMsBO+IxIqCnXCOfXJoIC3wj+f0s4DV9h2gJBzisWXkaJD2DfNrd0kHUXK qVVPUxnA4G5iZu0Z385/KiOt1/P6vQ/Z2/AsEh/8Z/hIyeZCHL31wrSZW4yLeZwi M76wPiBHJxPun681HQlVs/OGKSHnbHc1XJAIeA/M8u+lLWqIKB+AJ82TrOqUMj1s LjGhQNs84xPliONN5K7DrEy+Y65X/rFxN77Smw+UtcH1GgH2NgaHH8dpt1m25sgm UxZWhdx66opB/lbRQwWdGt7MC0kJFaWHDZq64DTuYoekFYSxAFu0nd0EekEHEJEi 9mquB9cv/96SuEJl8BcUWU/1LwIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFF/a5AMWkaBjCHg/XLYf1tnb8FA0MB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCKRl1iXFmOQtLseDWP Y5icDDBGiRi17CGgvIzGJi/ha0PhbO+X0TmQIEnRX3Mu0Er/Mm4RZSjMtJ2iZRh3 tGf4Dn+jKgKOmgXC3oOG/l8RPHLf0yaPSdn/z0TXtA30vTFBLlFeWnhbfhovea4+ snPdBxLqWZdtxmiwojgqA7YATCWwavizrBr09YRyDwzgtpZ2BwMruGuFuV9FsEwL PCM53yFlrM32oFghyfyE5kYjgnnueKM+pw1kA0jgb1CnVJRrMEN1TXuXDAZLtHKG 5X/drah1JtkoZhCzxzZ3bYdVDQJ90OHFqM58lwGD6z3XuPKrHDKZKt+CPIsl5g7p 4J2l ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D1_Cert_EE.pem0000644000175100017510000000453215161577363025615 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIGujCCBaKgAwIBAgISESG8vx4IzALnkqQG05AvM+2bMA0GCSqGSIb3DQEBBQUA MFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYD VQQDEyZHbG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBHMjAeFw0x MjA4MTQxMjM1MDJaFw0xMzA4MTUxMDMxMjlaMIIBCjEdMBsGA1UEDwwUUHJpdmF0 ZSBPcmdhbml6YXRpb24xDzANBgNVBAUTBjU3ODYxMTETMBEGCysGAQQBgjc8AgED EwJVUzEeMBwGCysGAQQBgjc8AgECEw1OZXcgSGFtcHNoaXJlMQswCQYDVQQGEwJV UzEWMBQGA1UECAwNTmV3IEhhbXBzaGlyZTETMBEGA1UEBwwKUG9ydHNtb3V0aDEg MB4GA1UECRMXVHdvIEludGVybmF0aW9uYWwgRHJpdmUxDTALBgNVBAsMBC5DT00x GzAZBgNVBAoMEkdNTyBHbG9iYWxTaWduIEluYzEbMBkGA1UEAwwSd3d3Lmdsb2Jh bHNpZ24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqx/nHBP4 6s5KKMDlfZS4qFDiAWsoPSRn6WO4nrUF/G2S3I/AdJ0IcSDOHb48/3APj5alqbgo o4IzdG6KLAbENpHMl0L3pHBq/5tJPTi02SbiYUHfp2fhueMauRo8spfEk6fNRnDn QpyMFRkYd7Jz+KMerTO1xAcOH+xp0KkcP0i2jFTEuM3LwR0yTms1rry+RryjDDt5 7W0DLnNFWhyGd6YymzNkCPeL6weV8uk2uYRKKf2XOAzgIpNo3zU6iakZOzlQB9h9 qRuIks2AU/cZ89cBkDjHua0ezX5rG3/Url33jAT9cR5zCXHWtj7VzlOjDXXnn16b L9/AWsvGMNkYHQIDAQABo4ICxzCCAsMwDgYDVR0PAQH/BAQDAgWgMEwGA1UdIARF MEMwQQYJKwYBBAGgMgEBMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2Jh bHNpZ24uY29tL3JlcG9zaXRvcnkvMIIBKwYDVR0RBIIBIjCCAR6CEnd3dy5nbG9i YWxzaWduLmNvbYIVc3RhdHVzLmdsb2JhbHNpZ24uY29tghF0aC5nbG9iYWxzaWdu LmNvbYISZGV2Lmdsb2JhbHNpZ24uY29tghNpbmZvLmdsb2JhbHNpZ24uY29tghZh cmNoaXZlLmdsb2JhbHNpZ24uY29tghZzdGF0aWMxLmdsb2JhbHNpZ24uY29tghZz dGF0aWMyLmdsb2JhbHNpZ24uY29tghNibG9nLmdsb2JhbHNpZ24uY29tghdzc2xj aGVjay5nbG9iYWxzaWduLmNvbYIVc3lzdGVtLmdsb2JhbHNpZ24uY29tghhvcGVy YXRpb24uZ2xvYmFsc2lnbi5jb22CDmdsb2JhbHNpZ24uY29tMAkGA1UdEwQCMAAw HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD8GA1UdHwQ4MDYwNKAyoDCG Lmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3MvZ3NleHRlbmR2YWxnMi5jcmww gYgGCCsGAQUFBwEBBHwwejBBBggrBgEFBQcwAoY1aHR0cDovL3NlY3VyZS5nbG9i YWxzaWduLmNvbS9jYWNlcnQvZ3NleHRlbmR2YWxnMi5jcnQwNQYIKwYBBQUHMAGG KWh0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc2V4dGVuZHZhbGcyMB0GA1Ud DgQWBBSvMoTDlFB0aVgVrNkkS1QSmYfx1zAfBgNVHSMEGDAWgBSwsEr9HHUo+Bxh qhP2+sGQPWsWozANBgkqhkiG9w0BAQUFAAOCAQEAgnohm8IRw1ukfc0GmArK3ZLC DLGpsefwWMvNrclqwrgtVrBx4pfe5xGAjqyQ2QI8V8a8a1ytVMCSC1AMWiWxawvW fw48fHunqtpTYNDyEe1Q+7tTGZ0SQ3HljYY9toVEjAMDhiM0Szl6ERRO5S7BTCen mDpWZF8w3ScRRY2UJc8xwWFiYyGWDNzNL1O8R2Y95QIkHUgQpSD3cjl4YvF/Xx/o hBEzl884uNAggIyQRu0ImLEetEtHWB2w0pZG3nTAqjOAAAyH2Q8IHoJtjQzvg6fy IQEO1C5GoQ7isiKIjKBXVYOm+gKSQXlzwj1BlU/OW6kEe24IiERhAN9ILA24wA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D1_Issuer_ICA.pem0000644000175100017510000000313715161577363026275 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEhjCCA26gAwIBAgILBAAAAAABL07hXdQwDQYJKoZIhvcNAQEFBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwNDEzMTAwMDAwWhcNMjIwNDEz MTAwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoUbMUpq4pbR/WNnN 2EugcgyXW6aIIMO5PUbc0FxSMPb6WU+FX7DbiLSpXysjSKyr9ZJ4FLYyD/tcaoVb AJDgu2X1WvlPZ37HbCnsk8ArysRe2LDb1r4/mwvAj6ldrvcAAqT8umYROHf+IyAl VRDFvYK5TLFoxuJwe4NcE2fBofN8C6iZmtDimyUxyCuNQPZSY7GgrVou9Xk2bTUs Dt0F5NDiB0i3KF4r1VjVbNAMoQFGAVqPxq9kx1UBXeHRxmxQJaAFrQCrDI1la93r wnJUyQ88ABeHIu/buYZ4FlGud9mmKE3zWI2DZ7k0JZscUYBR84OSaqOuR5rW5Isb wO2xAgMBAAGjggFaMIIBVjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUsLBK/Rx1KPgcYaoT9vrBkD1rFqMwRwYDVR0gBEAwPjA8 BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t L3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5uZXQvcm9vdC1yMi5jcmwwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAB hihodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9FeHRlbmRlZFNTTENBMCkGA1Ud JQQiMCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAW gBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAL0m28rZa pJWrnlrpK4KbzJBrfHRFIOde2Mcj7ig1sTVlKqVR4FU/9oNntOQ2KbDa7JeVqYoF o0X+Iy5SiLQfEICt0oufo1+oxetz3nmIQZgz7qdgGLFGyUAQB5yPClLJExoGbqCb LTr2rk/no1E1KlsYBRLlUdy2NmLz4aQP++TPw5S/EauhWTEB8MxT7I9j12yW00gq iiPtRVaoZkHqAblH7qFHDBTxI+Egc8p9UHxkOFejj0qcm+ltRc9Ea01gIEBxJbVG qmwIft/I+shWKpLLg7h5CZctXqEBzgbttJfJBNxB7+BPNk3kQHNG7BESfIhbNCYl TercGL7FG81kwA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D2.ors0000644000175100017510000000377415161577363024321 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTqlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMjMxMDI1MzZaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAEJN4FuPQPnizPIwEj4Q8Ht765gI6QqMNrvj3UykxYeu qUajKcqA+V1zaDHTaz+eCQthtmCNKC9T+zVkjGelVsd7Kn2fVKWqp+5wVPI8dVkm 6Gs/IGZ16HDnQ/siTrY3ILWCRz4Hf6lnHpIErQuQRQyjlGKNcE7RYmjGw4w0bxx8 vHN/baCMApBL0D0zeBqlpJCMUZqJJ3D1+87HxHYR1MkMZDC9rOPIhlpEP4yL17gx ckrPf+w+A/3kC++jVeA3b8Xtr+MaWOFH4xVn6BTxopczZKVl18tSYqgwITlx5/cL LpYEdllC0l83E8GRzsOp0SvFxo0NBotgFNZQQujpOzagggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+U= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D2_Cert_ICA.pem0000644000175100017510000000311215161577363025712 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEdzCCA1+gAwIBAgILBAAAAAABL07hRxAwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNjEyMTUwODAw MDBaFw0yODAxMjgxMjAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBD QSAtIFIyMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps8kDr4ubyiZRULEqz4h VJsL03+EcPoSs8u/h1/Gf4bTsjBc1v2t8Xvc5fhglgmSEPXQU977e35ziKxSiHtK pspJpl6op4xaEbx6guu+jOmzrJYlB5dKmSoHL7Qed7+KD7UCfBuWuMW5Oiy81hK5 61l94tAGhl9eSWq1OV6INOy8eAwImIRsqM1LtKB9DHlN8LgtyyHK1WxbfeGgKYSh +dOUScskYpEgvN0L1dnM+eonCitzkcadG6zIy+jgoPQvkItN+7A2G/YZeoXgbfJh E4hcn+CTClGXilrOr6vV96oJqmC93Nlf33KpYBNeAAHJSvo/pOoHAyECjoLKA8Kb jwIDAQABo4IBTTCCAUkwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w HQYDVR0OBBYEFJviB1dnHB7AagbeWbSaLd/cGYYuMEcGA1UdIARAMD4wPAYEVR0g ADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBv c2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdsb2JhbHNpZ24u bmV0L3Jvb3QuY3JsMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAYYhaHR0cDov L29jc3AuZ2xvYmFsc2lnbi5jb20vcm9vdHIxMCkGA1UdJQQiMCAGCCsGAQUFBwMB BggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAWgBRge2YaRQ2XyolQL30E zTSo//z9SzANBgkqhkiG9w0BAQUFAAOCAQEAOg/NJk04MAioxvxc2Ah67/ocKgPO Mq5EluFSA5UKUtZnr1uWfN0ZizBbNjprbqAVxoKhyzlmAFeLAqJuhfusVVq4FVAa kN4JSOyo9lccGDG9xn3IvevCpzlRbaL/HHjeHCcE4c8klegO5NUfsPn7UMrLbp5i JniG9cT1eI/dcq9uLtWe3c48y7jHLVRg1+WcAkuGRPBXUSvNCps8sfU6TB2KxfAw PmWHxA5fbkqsiqge5/rkM4AVhFZlJZv7njCIy5EWwQXDqSTsIdLVsPy3I0annff3 xlMSeDe0E3OPN5deBJv5mYuTPiZCl5/9HrXVy4hINKJmoPqsco/dRy+CdA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D2_Issuer_Root.pem0000644000175100017510000000235515161577363026626 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D3.ors0000644000175100017510000000455615161577363024321 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAyMzEwMzkzMFowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMjMwOTU5MTJaoBEYDzIwMTIxMDI1MTAzOTMwWjAN BgkqhkiG9w0BAQUFAAOCAQEAYaaAzW26JQGFRyawj9ROtnSdJ9QPJ6B/wfpJif8e QU9lmKx0zIDdTum3Mc5tfxML71W025UW9jzowAfQ5bZbqa4nwZlWX5Py3hKebeYo WiND4pvhS4BRkheSkycEok0bj1FJYWYiJVpnTqKAPnOKrlL4qvGC2IOHk2toS/Je iLyoUwxrPtqaXt4Caoa3I70HE3H1QqvPIGIY6V4bxV7Km/xv99QOutkbfANGiNsx W7EDB3TRNhldzMnjEwG58X5Pe3xwEVqjCiBL+wQ8JALn08bJzFn9E04aYrqCGc8s gw1dgaBoZt+0vbQUN71KEocwMj5mzJqottOyqNwo7FZnBaCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D3_Cert_EE.pem0000644000175100017510000000523415161577363025617 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFZDCCA0ygAwIBAgIDC7PGMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTEyMDUwNjE4NDY0MVoXDTE0MDUwNjE4NDY0MVowWzEL MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD VQQKEwtDQWNlcnQgSW5jLjEXMBUGA1UEAxMOd3d3LmNhY2VydC5vcmcwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeNSAxSFtymeN6rQD69eXIJEnCCP7Z 24/fdOgxRDSBhfQDUVhdmsuDOvuziOoWGqRxZPcWdMEMRcJ5SrA2aHIstvnaLhUl xp2fuaeXx9XMCJ9ZmzHZbH4wqLaU+UlhcSsdkPzapf3N3HaUAW8kT4bHEGzObYVC UBxxhpY01EoGRQmnFojzLNF3+0O1npQzXg5MeIWHW/Z+9jE+6odL6IXgg1bvrP4d FgoveTcG6BmJu+50RwHaUad7hQuNeS+pNsVzCiDdMF2qoCQXtAGhnEQ9/KHpBD2z ISBVIyEbYxdyU/WxnkaOof63Mf/TAgMNzVN9duqEtFyvvMrQY1XkBBwfAgMBAAGj ggERMIIBDTAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggrBgEF BQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAzBggrBgEF BQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5vcmcvMIGE BgNVHREEfTB7gg53d3cuY2FjZXJ0Lm9yZ4IRc2VjdXJlLmNhY2VydC5vcmeCEnd3 d21haWwuY2FjZXJ0Lm9yZ4IKY2FjZXJ0Lm9yZ4IOd3d3LmNhY2VydC5uZXSCCmNh Y2VydC5uZXSCDnd3dy5jYWNlcnQuY29tggpjYWNlcnQuY29tMA0GCSqGSIb3DQEB BQUAA4ICAQA2+uCGX18kZD8gyfj44TlwV4TXJ5BrT0M9qogg2k5u057i+X2ePy3D iE2REyLkU+i5ekH5gvTl74uSJKtpSf/hMyJEByyPyIULhlXCl46z2Z60drYzO4ig apCdkm0JthVGvk6/hjdaxgBGhUvSTEP5nLNkDa+uYVHJI58wfX2oh9gqxf8VnMJ8 /A8Zi6mYCWUlFUobNd/ozyDZ6WVntrLib85sAFhds93nkoUYxgx1N9Xg/I31/jcL 6bqmpRAZcbPtvEom0RyqPLM+AOgySWiYbg1Nl8nKx25C2AuXk63NN4CVwkXpdFF3 q5qk1izPruvJ68jNW0pG7nrMQsiY2BCesfGyEzY8vfrMjeR5MLNv5r+obeYFnC1j uYp6JBt+thW+xPFzHYLjohKPwo/NbMOjIUM9gv/Pq3rVRPgWru4/8yYWhrmEK370 rtlYBUSGRUdR8xed1Jvs+4qJ3s9t41mLSXvUfwyPsT7eoloUAfw3RhdwOzXoC2P6 ftmniyu/b/HuYH1AWK+HFtFi9CHiMIqOJMhj/LnzL9udrQOpir7bVej/mlb3kSRo 2lZymKOvuMymMpJkvBvUU/QEbCxWZAkTyqL2qlcQhHv7W366DOFjxDqpthaTRD69 T8i/2AnsBDjYFxa47DisIvR57rLmE+fILjSvd94N/IpGs3lSOS5JeA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/D3_Issuer_Root.pem0000644000175100017510000001207315161577363026625 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc 7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz 0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 4GGSt/M3mMS+lqO3ig== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISDOSC_D1.ors0000644000175100017510000000374415161577363025361 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBSpTXftIZX0 lLT9zwVSQC5Jfp3pqhgPMjAxMjEwMTAxNDU0NDNaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDEwMTMwMDAwWqARGA8yMDEyMTAxNzEz MDAwMFowCwYJKoZIhvcNAQEFA4IBAQBw5Z+0ggEddRTIq7cXlMoxG9Nrx4HtutsH itIUoZp/rlLoxHsJTo/VmdZvTTGIc7Ok9XuoH61lY/x9glAKsGRjz4Myc9+5rx0O 675lwmOS+uaf3/hRkicVrVr7Pt2ug3R7OXm2MJrohjNKP8lqtLJ0hHP88a8rotKA r9uz/qHm7K4Uh7dRt/Pnu9MPG74tZeFNN4M1ONMEiRdG39FqzFDXWxwQ3NmyC0Wo DQn+NklZMknr8mm7IBWpzgU1fTD9R0yv0zdhUZGiEXxvdhm7GJrTET5jS30Ksm5j o+n39YVu/vGbjyyYx3+WdeQLEyipaGvldSuJpT+R684/RuFWNetcoIID+DCCA/Qw ggPwMIIC2KADAgECAhIRIcYjwu4UNkR1VGrDbSdFei8wDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDAzMVoXDTEyMTIxOTA4NDAzMVowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDExFzAVBgNV BAUTDjIwMTIwOTE5MDkzOTAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAxkkb6QhDH3sEDj4zaysjVzYelq9lZ1cso4R2IyQxaoPaG6GkaCmHA4sz6KP+ m3ADqplibEUBa/mzCxHW8/oy3NhGMFdbezduZrnRFLbzakOTeIo8VEIM3JPfgREv CX8nj6Xu7ERD6JO/ZQ9Xr7YVzKKN+3cVZlcMHoGBnOPcO2Sz0AcYyk5m5IsGBRoT T86j6Cr9PhOPTVwXL6Wxy1KVHsUZXUwnRacV0O4SHWQ4zM9Sablus9fTbh1CgIqW sKDyzVB4yECXkBVeUlA+cuCaRRVHRiR+jPDSgbU62nnNudEpGG7dyoop6IOvXv2O ydncWzaukxIVvQ/Ij85kHqs7HQIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFKlNd+0hlfSUtP3PBVJALkl+nemqMB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCe4rZg61Dmwygl/Uae BJZog64/FvuB1sfCqKLJTjKOfLcugSTX1TT7bLJbzXRGPQuorI3TIZEOwldIw01d DTLlsOCHrfHd+bpxgijxPkUuaA4NYnpvqTEMJqPKOC8QYfKupNjAPSuHvwqvqCfO RCe3jY6xQDO0WCTZ8/xMsOkw+J/YEYqALETf2Ug7k5eRL/TvfLd8Sgi7vPfmUeiW ptlsbhMOWQoQc+JA3vCI01rrjNq+0kIZ/r8nPGvablRr0Aakk6eDuS2dcReaPwuK 0xE136pJYiXdQ3SA7uwmlorjxmejavyoPCr23TU74DQEt6hhc6uIcabsa4Y8KvJy RI4F ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISDOSC_D2.ors0000644000175100017510000000377415161577363025365 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTqlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMTEwOTE1MzNaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAF/9ByrCS+pCCK4qovqUAH/yoWckmpLFCzKJGHkErJeY FlUbAJuu/Gs0IdLmLp+2VbStjsL4vLtDU2Q4e417C1fm8+ixh+kP7qPRd8cxyMBx cmD2m1v0CgbrflCZEC71cTrrWpcW+6jg623lI4Ug3A4zlizbT/f9IrxuV9VB9/G5 6kPI5dYOVZM0ColIxmJsafuxfr6ONQLPHKTlZJK3SyWebs25006OmrSyfBi0j26j WU5d6B2NJZBKqvDVMXxZ0q6QOgKxOs8WD+6DaA1d1f7gTOl45XJZWz5KnRePyRxM Fp0ak6XYbE1y2vHE2RWp1w4lcVJ0BUQXWxx+g86F5W2gggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+Y= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISDOSC_D3.ors0000644000175100017510000000455615161577363025365 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMTEwMTAyMVowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTEwOTUyNDJaoBEYDzIwMTIxMDEzMTAxMDIxWjAN BgkqhkiG9w0BAQUFAAOCAQEAWX7faLDXkmIdOv/IKBh7awhPmGUhFPVSrMI4dc9/ fcPDOYhFwWr9evKT/QdXRGpZY493mfa4Z6eEDxRDTexOloaiaJzVpSeV9hoJUxoS 8NEWDyi33bDlIJH6zru4kk1LpuSMiSWsvLaeoRhHmW3EPDeadpCa5tYX2yNW5hdP iCfphDJ34/hWHHwHP6mLd1wEO1Rw6nymqeDbuLk1FviD/ZWXMGzK8Sv++tmsQ0Tg 7XrkIPcSrozPKOTCf/1iJVF5KeQVIb0Ju1PvGUKtGaVTX8IZQmer2WQ1D6OOUcsS cWA6NSpWmScX/0/uBpXdSDX0AnGUS9SNrPNEolz6rA5OUaCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/paw== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_D1_Issuer_ICA.pem0000644000175100017510000000313715161577363027104 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEhjCCA26gAwIBAgILBAAAAAABL07hXdQwDQYJKoZIhvcNAQEFBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwNDEzMTAwMDAwWhcNMjIwNDEz MTAwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoUbMUpq4pbR/WNnN 2EugcgyXW6aIIMO5PUbc0FxSMPb6WU+FX7DbiLSpXysjSKyr9ZJ4FLYyD/tcaoVb AJDgu2X1WvlPZ37HbCnsk8ArysRe2LDb1r4/mwvAj6ldrvcAAqT8umYROHf+IyAl VRDFvYK5TLFoxuJwe4NcE2fBofN8C6iZmtDimyUxyCuNQPZSY7GgrVou9Xk2bTUs Dt0F5NDiB0i3KF4r1VjVbNAMoQFGAVqPxq9kx1UBXeHRxmxQJaAFrQCrDI1la93r wnJUyQ88ABeHIu/buYZ4FlGud9mmKE3zWI2DZ7k0JZscUYBR84OSaqOuR5rW5Isb wO2xAgMBAAGjggFaMIIBVjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUsLBK/Rx1KPgcYaoT9vrBkD1rFqMwRwYDVR0gBEAwPjA8 BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t L3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5uZXQvcm9vdC1yMi5jcmwwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAB hihodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9FeHRlbmRlZFNTTENBMCkGA1Ud JQQiMCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAW gBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAL0m28rZa pJWrnlrpK4KbzJBrfHRFIOde2Mcj7ig1sTVlKqVR4FU/9oNntOQ2KbDa7JeVqYoF o0X+Iy5SiLQfEICt0oufo1+oxetz3nmIQZgz7qdgGLFGyUAQB5yPClLJExoGbqCb LTr2rk/no1E1KlsYBRLlUdy2NmLz4aQP++TPw5S/EauhWTEB8MxT7I9j12yW00gq iiPtRVaoZkHqAblH7qFHDBTxI+Egc8p9UHxkOFejj0qcm+ltRc9Ea01gIEBxJbVG qmwIft/I+shWKpLLg7h5CZctXqEBzgbttJfJBNxB7+BPNk3kQHNG7BESfIhbNCYl TercGL7FG81kwQ== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_D2_Issuer_Root.pem0000644000175100017510000000235515161577363027435 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4Q== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_D3_Issuer_Root.pem0000644000175100017510000000501115161577363027426 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVE -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_ND1_Issuer_ICA.pem0000644000175100017510000000341115161577363027215 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf7 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_ND2_Issuer_Root.pem0000644000175100017510000000254715161577363027556 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3 UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI 2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp +2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8 t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug R1uUq27UlTMdphVx8fiUylQ5PsI= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISIC_ND3_Issuer_Root.pem0000644000175100017510000000276115161577363027555 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgU= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_D1.ors0000644000175100017510000000374415161577363025147 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBSpTXftIZX0 lLT9zwVSQC5Jfp3pqhgPMjAxMjEwMTAxMTU1NDVaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDEwMTAwMDAwWqARGA8yMDEyMTAxNzEw MDAwMFowCwYJKoZIhvcNAQEFA4IBAQCaiUf6TuPaSmZR2i3hUwqdEfhjcZkcCXPu 9diWuDZbaL6ubthfeTwx6OsZ0eM3Q+WPhBNlYQ9Sm8PDUQsQiq3YvuYu+QUisChx PN6BUEwFQZAGz+FX2h5+kAmK1M/xZeXMBCXJWJCClagiw5hOJfeV0ue7RUZRVuZv am0ZjyIeLsxsIrxghlcaJRosFmYNoM++euu5lvclutv1UQ5yyNxlYy0T/jA9gS07 WJ/i38+zxnXTuAPOm67p5N1IkEAEg/7OPRIG17Ig1C38NctN74vAOdTU1d/ay05V Bz4ZiI9PffkUkPgW2QRQCEjv50i80wYkKH5pIbT/mTk4t53DUK1UoIID+DCCA/Qw ggPwMIIC2KADAgECAhIRIcYjwu4UNkR1VGrDbSdFei8wDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDAzMVoXDTEyMTIxOTA4NDAzMVowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDExFzAVBgNV BAUTDjIwMTIwOTE5MDkzOTAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAxkkb6QhDH3sEDj4zaysjVzYelq9lZ1cso4R2IyQxaoPaG6GkaCmHA4sz6KP+ m3ADqplibEUBa/mzCxHW8/oy3NhGMFdbezduZrnRFLbzakOTeIo8VEIM3JPfgREv CX8nj6Xu7ERD6JO/ZQ9Xr7YVzKKN+3cVZlcMHoGBnOPcO2Sz0AcYyk5m5IsGBRoT T86j6Cr9PhOPTVwXL6Wxy1KVHsUZXUwnRacV0O4SHWQ4zM9Sablus9fTbh1CgIqW sKDyzVB4yECXkBVeUlA+cuCaRRVHRiR+jPDSgbU62nnNudEpGG7dyoop6IOvXv2O ydncWzaukxIVvQ/Ij85kHqs7HQIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFKlNd+0hlfSUtP3PBVJALkl+nemqMB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCe4rZg61Dmwygl/Uae BJZog64/FvuB1sfCqKLJTjKOfLcugSTX1TT7bLJbzXRGPQuorI3TIZEOwldIw01d DTLlsOCHrfHd+bpxgijxPkUuaA4NYnpvqTEMJqPKOC8QYfKupNjAPSuHvwqvqCfO RCe3jY6xQDO0WCTZ8/xMsOkw+J/YEYqALETf2Ug7k5eRL/TvfLd8Sgi7vPfmUeiW ptlsbhMOWQoQc+JA3vCI01rrjNq+0kIZ/r8nPGvablRr0Aakk6eDuS2dcReaPwuK 0xE136pJYiXdQ3SA7uwmlorjxmejavyoPCr23TU74DQEt6hhc6uIcabsa4Y8KvJy RI4G ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_D2.ors0000644000175100017510000000377415161577363025153 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBT0zghPr/K8 jV5hpjGMML9Q+DwzShgPMjAxMjEwMTAxMjA5NTlaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAGZY28eFWl169g7puLnKSeEzi6Ma5/rErOveFRp052ck 785B83HWkNmW/Bgw7Ws6Y7jBJce6ZQ5TMhwgNP34HuG/mVyn2ZjtCe4KKFBVnZV7 mHGx93jgKkQvdp4pbNKxZ504eZDp8UOlR9+uwWOWHVObn7o+2N8iWKErSbZ2uX54 Ajk8Hg/XN5wI4RUtcK3QpZSf3Ren5iit4NInwCpmTOkDz/IVK96BWaEQICq4VlHG ziD0H0SlBQCdcSPzZndGoCtIhNyJEL3O2y3Grg4X1XH7VeeyGesuTLEIAEMHJPJD TOVNoe5YPRK9Tqb+6jsubw8X/1b72kw3xVgb6MfC0tqgggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXoveHMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMQY/h5DSRT24n mMtD19lrn8WZzOoIl+Z9qOsrLLjEQeTMDlL7JPZh5pLaHHb6kSWT+O/RcEwpw6Dq H9jtAgDOsGoN7gCK7wJbIvn4MdmkXZqVBcVl3uLuII3v1CPnlc/zoz5d9qXcZKb6 YuzseyzhDPecQ+7l2NVAUOFUj8GXOZi//bIveMsm+/zSLMfriIC84Uym2QY649SC aFNbtF/tR6upvLCLe0b2D1g+OBfGqZasi3QI5uX6lT0gHbCnPhRo3uxG2+S4KL3M 9sndMByrR5K6QuVf7UqA1vt0CfbA2OUXwcH5x3/TsHxtXDj2F/fWnC9QBBSN5n4I G8K7ZpYtAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBT0zghP r/K8jV5hpjGMML9Q+DwzSjBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAGU9HIQImzhTHkQLyA178dUdnF5E3DdzmNtwVV3cxGrFOLMpciMQLioQ/xp5 t6j5Mshlp59imFylqowRRxRy4aN5TtMCufNh7yHIxI2Dt4O6qpPM946t5CJkMy+k 63pXz2xFIxaJDzAmzpWzu70OY0jrh3dZa8NR4AvhtoZ8zFE6suva6ZGK7JIoINaA j5uyZ0qU+7vFwV1awdReNV6494z/HRjs1n956mNbalB9mKp9XXyfZlix/nN5mTJd NlJqz7QjnCzZRM/Gfamzk8L3/CPS3XmSblFyn6SeZ92Vms4PNqZiEUNa2TMKXQR1 EMiDRMkyfIIMI80VgRvvzCiOt0c= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_D3.ors0000644000175100017510000000455615161577363025153 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMDEzMjE1OVowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTAxMzA1MjBaoBEYDzIwMTIxMDEyMTMyMTU5WjAN BgkqhkiG9w0BAQUFAAOCAQEAH1auyXFf1fOdfShSnAFkg5JsRUvajrilUioTkPIn IGYV//huaPNZwZGCC2haZIdUuKB6G2OCXeZVskBTXPjt8/6JmoHgsZeI3x5xKXxZ vddLC0PgYp0cA3FqjXR2UCpdBF+GK37rnfZsdW2vD9JaEBXxTV4+ICDAg15ZphJW lLGmdP3mQqPURIwamcYam8tntARimgEpA0KgfVue2A+izjcxC7qk9BQYG72Fh3hC ZFxi5u6xKNUQ2EBF9KXZyP9d2i/bYCZAUeUSRtir+fsOXHlihYRih9npKyAPwpHd NqhwK9NhKed8gmkX3cSaK0arBx7ev7avhM4Dqem+BzppjKCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_ND1.ors0000644000175100017510000000117615161577363025262 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBSIRFH/UCpp Xi2I9CG62QzyzsvqfBgPMjAxMjEwMTAwODU0NDVaMHMwcTBJMAkGBSsOAwIaBQAE FEi2DTgjjfhFbk7lhD6jlBEYApefBBSIRFH/UCppXi2I9CG62QzyzsvqfAIQIuEz IiCgSN8psr+aMcKbB4AAGA8yMDEyMTAxMDA4NTQ0NVqgERgPMjAxMjEwMTQwODU0 NDVaMA0GCSqGSIb3DQEBBQUAA4IBAQDHKDxWTbAHRXY7HapfhE99T+OSa/AfRYqX H9yIeMRa5VftXMyvBFuvVm/qLRwK6mxhkiVIvF/Pk5yxMjbm7xPO26D+WHOdQML4 +M4OX9BO76FjZRin5x+4b0Xo5SuSU1ulqfvSZnx+nG+hMbt/3Y7ODCEUWCYFoXNp U+TXTbv2mwJ9AL8Q/zjL4P8NJHzFJBKjEs+AAVRxTY/5RHHKU9dcm7ux/gsWoDUM w677Xxzn6icd8mqn72/HmzPnMrLHKKJFe2escbJn7JlV6qbZ9EWbrr+3OH0IJy5I E3LcPIsNZ//QEc6vS6J+j8ljV8Xne6rS1EmiOwV9NgubvYwDCm4R ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_ND2.ors0000644000175100017510000000117615161577363025263 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBQLWOWLxkwV N6RAqTCpIb5HNlpW/xgPMjAxMjEwMTAwMDI1NTdaMHMwcTBJMAkGBSsOAwIaBQAE FOy+ZAvtiWulchtVZmfKU1ZI9ewTBBQLWOWLxkwVN6RAqTCpIb5HNlpW/wIQEaO0 0OyNt3+doM1dLVEvQoAAGA8yMDEyMTAxMDAwMjU1N1qgERgPMjAxMjEwMTQwMDI1 NTdaMA0GCSqGSIb3DQEBBQUAA4IBAQCJRXcrz4wJe7bqWBHULu/QDXVz74OhSNlu swI0J4h+UmzJuW1GpdhTwJcTG3ARVwCLKz3evvpvHSumcsop0G3NolryNLP/oGD0 Vf6PbLrJ8v+NxUNugPbtWM985Ti/B2a+XjbzYlH2vS3KOTL4X1zWSL07IQFNXc2h yHBscKpYgt0mZcFZFxN3NTCNpT6IjJzZzTG9xTYZ3hZdMQQ3DYO+/Hv4J+U1/Ybq CjuMWRak/0R/BiBDJdGhbThlvV7bNUxYY7DVaOiLER8ptpmhnzlB/vsTAxZqX48J mJdv2bxoTby98Pm/BMydEA9qcFqyP1XvqhzIY35ngoS/1XREyW7t ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ISOP_ND3.ors0000644000175100017510000000120215161577363025252 0ustar00runnerrunnerMIIB1AoBAKCCAc0wggHJBgkrBgEFBQcwAQEEggG6MIIBtjCBn6IWBBStvZh6NLQm 9/rEJlTvA73gJMtUGhgPMjAxMjEwMDkxNjAxNTNaMHQwcjBKMAkGBSsOAwIaBQAE FHyxZlScq9tE7mImFq30ZXv3etWUBBStvZh6NLQm9/rEJlTvA73gJMtUGgIRAKcN bJWejX5BTb8DmevkCauAABgPMjAxMjEwMDkxNjAxNTNaoBEYDzIwMTIxMDEzMTYw MTUzWjANBgkqhkiG9w0BAQUFAAOCAQEAFnJAzuT8P4KKyTI6sdj5HkQ352qEu5CN K9M2kU/eg9kPfwLv8z3yArobwgx+/IDRajbVAKrk8UPCGUqkDc0OiU5c0+jpn+nT 20VVCtWsBSWDfzKqYln/NGrblhv+/iuFZJpyfud5nWguW5nogPC8IAfgt9FMDMl6 wlQWLSWEkgAJWvhNR3nzgvyMnuDuMIVQgB9/+vAIxA7nlpEEh6KTswyGqE9+u1yC kvrz4PwKZQMT6r1eRCLs6NaagOZT84QHhZ6TAA+QHjfK406KL8F9mFgbGKbW+st2 QHm+giUhrgZMv+1Yaxe34BjDS439LCPjdZ29On8FeZr3F55T+s3VzA== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/LICENSE0000644000175100017510000002367715161577363024340 0ustar00runnerrunner Apache License Version 2.0, January 2004 https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND1.ors0000644000175100017510000000117615161577363024430 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBSIRFH/UCpp Xi2I9CG62QzyzsvqfBgPMjAxMjEwMTEwODQxMTNaMHMwcTBJMAkGBSsOAwIaBQAE FEi2DTgjjfhFbk7lhD6jlBEYApefBBSIRFH/UCppXi2I9CG62QzyzsvqfAIQIuEz IiCgSN8psr+aMcKbB4AAGA8yMDEyMTAxMTA4NDExM1qgERgPMjAxMjEwMTUwODQx MTNaMA0GCSqGSIb3DQEBBQUAA4IBAQCNnhlBMxxh9z5AKfzAxiKs90CfxUsqfYfk 8XlyF9VIfWRfEwzS6MF1pEzLnghRxTAmjrFgK+sxD9wk+S5Mdgw3nbED9DVFH2Hs RGKm/t9wkvrYOX6yRQqw6uRvU/5cibMjcyzKB/VQMwk4p4FwSUgBv88A5sTkKr2V eYdEm34hg2TZVkipPMBiyTyBLXs8D/9oALtnczg4xlTRSjDUvqoXL5haqY4QK2Pv mNwna6ACkwLmSuMe29UQ8IX2PUB4R5Etni5czyiKGxZLm+4NAhuEwWFNEzCyImPc 087gHGU1zx+qVSlajqMJ/9ZXYjbt7WiWdhOTGEv4VMn8dHhRUs32 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND1_Cert_EE.pem0000644000175100017510000000430415161577363025730 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIGTTCCBTWgAwIBAgIQIuEzIiCgSN8psr+aMcKbBzANBgkqhkiG9w0BAQUFADCB jjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNDAyBgNV BAMTK0NPTU9ETyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Ew HhcNMTEwMzMxMDAwMDAwWhcNMTMwNjI3MjM1OTU5WjCCAT8xETAPBgNVBAUTCDA0 MDU4NjkwMRMwEQYLKwYBBAGCNzwCAQMTAkdCMR0wGwYDVQQPExRQcml2YXRlIE9y Z2FuaXphdGlvbjELMAkGA1UEBhMCR0IxDzANBgNVBBETBk01IDNFUTEbMBkGA1UE CBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRYwFAYDVQQJ Ew1UcmFmZm9yZCBSb2FkMRYwFAYDVQQJEw1FeGNoYW5nZSBRdWF5MSUwIwYDVQQJ ExwzcmQgRmxvb3IsIDI2IE9mZmljZSBWaWxsYWdlMRowGAYDVQQKExFDT01PRE8g Q0EgTGltaXRlZDEaMBgGA1UECxMRQ29tb2RvIEVWIFNHQyBTU0wxGjAYBgNVBAMT EXNlY3VyZS5jb21vZG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEA168izw0zK6cChTGFuAwNARwTu1Ky/z+dXHkSmB0tQrAk3bq7mnUPtmQ+td8r G2hlhQPd+YXQVYEW3RuopydmdB9wMlEGCCfU2ZqohsC9uut+HenCVbYvn4sSB0KJ VdOXLPCEnfdk/FmcNWcYv73HmoJXZjT0THNQmnfpo6mMGAOerenMgNuCpq1buZ8c fFUeUY18ZGLZKZyRNM6GPgVA37Dm8Ru+9Cf8/rm7NSIoVWH4BDztM3Y1BZvZ0d4G 49jRA4MXbhsDEMYzaSCDmaRHSFhCtrGkN2S4A1ZxoSoxQVCLcnnInVd+J0X8J6pa Efio/aD6UQBQq29HyTsWVe6BewIDAQABo4IB8TCCAe0wHwYDVR0jBBgwFoAUiERR /1AqaV4tiPQhutkM8s7L6nwwHQYDVR0OBBYEFKvAXKp4bYRmxU4SlM8k8FbWiXiL MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF BwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMEYGA1UdIAQ/MD0w OwYMKwYBBAGyMQECAQUBMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNv bW9kby5jb20vQ1BTMFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY29tb2Rv Y2EuY29tL0NPTU9ET0V4dGVuZGVkVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy bDCBhAYIKwYBBQUHAQEEeDB2ME4GCCsGAQUFBzAChkJodHRwOi8vY3J0LmNvbW9k b2NhLmNvbS9DT01PRE9FeHRlbmRlZFZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5j cnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAzBgNVHREE LDAqghFzZWN1cmUuY29tb2RvLmNvbYIVd3d3LnNlY3VyZS5jb21vZG8uY29tMA0G CSqGSIb3DQEBBQUAA4IBAQC9SoVG+B40khDWAzlz+G0WDBM3OuqK5n8vY/XxdPS5 qyv6K05S4VRGR/6PQa1UVzMbnhfLh54OWrpnalRGabpTmKDu8Pa912pzDSzMxg4U Rff4/hVLd1n/58q+riLxdtkIigLUjtFfwUrE1H89QODOCb4nw7f9BQaDoug+ovM3 KO9rxVZ/3TshaxW0mPVM/cMbX+6RrQ7+d1y5fdX/fksCZhOW+P25+FPlaorQEWNa s0UZNQ6qVuxB7CPmnLqmLBfAKTbeKcQFxx//0eyyZqCkzIvYUNjeRR0Q7DnxXq4C Pj1Y6VcPJDmZOeogte5/vNIdU8Wq55IJJ1G/uKXztwVT -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND1_Issuer_ICA.pem0000644000175100017510000000341115161577363026406 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND2.ors0000644000175100017510000000117615161577363024431 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBQLWOWLxkwV N6RAqTCpIb5HNlpW/xgPMjAxMjEwMTAyMzAzMTlaMHMwcTBJMAkGBSsOAwIaBQAE FOy+ZAvtiWulchtVZmfKU1ZI9ewTBBQLWOWLxkwVN6RAqTCpIb5HNlpW/wIQEaO0 0OyNt3+doM1dLVEvQoAAGA8yMDEyMTAxMDIzMDMxOVqgERgPMjAxMjEwMTQyMzAz MTlaMA0GCSqGSIb3DQEBBQUAA4IBAQCHn2nGfEUX/EJruMkTgh7GgB0u9cpAepaD sPv9gtl3KLUZyR+NbGMIa5/bpoJp0yg1z5VL6CLMusy3AF6Cn2fyaioDxG+yc+gA PcPFdEqiIMr+TP8s7qcEiE6WZddSSCqCn90VZSCWkpDhnCjDRwJLBBPU3803fdMz oguvyr7y6Koxik8X/iUe8EpSzAvmm4GZL3veTI+x7IezJSrhCS9zM0ZHjySjoDxC +ljGH0EuWPTmFEqZVGIq3cuahIYzKItUbYnXU6ipi/2p42qbsFeok7eEN0EYsY1a vRATHGRmU7Q5HLCq4rQtZC1cis52Mvc9x1W4z/Gt5A3FtgElXXNA ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND2_Cert_ICA.pem0000644000175100017510000000341115161577363026032 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND2_Issuer_Root.pem0000644000175100017510000000254715161577363026747 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3 UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI 2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp +2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8 t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug R1uUq27UlTMdphVx8fiUylQ5PsE= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND3.ors0000644000175100017510000000120215161577363024420 0ustar00runnerrunnerMIIB1AoBAKCCAc0wggHJBgkrBgEFBQcwAQEEggG6MIIBtjCBn6IWBBStvZh6NLQm 9/rEJlTvA73gJMtUGhgPMjAxMjEwMTExMTM2NDdaMHQwcjBKMAkGBSsOAwIaBQAE FHyxZlScq9tE7mImFq30ZXv3etWUBBStvZh6NLQm9/rEJlTvA73gJMtUGgIRAKcN bJWejX5BTb8DmevkCauAABgPMjAxMjEwMTExMTM2NDdaoBEYDzIwMTIxMDE1MTEz NjQ3WjANBgkqhkiG9w0BAQUFAAOCAQEAfnj3nh6z+USW6VlDWRytWpNmC1ZRwWlg P2+G4UF4HE8bMJkuiFLcZEVYTxlTYv+xAEpSFxdInFM2Q5C+O6pWOZ9NbikeR4oZ FTI1kAZ0Uw+YMpVM4ztvKBIpUSqlbi69iNJ9WGF6qzxVeqobSOyrjjwtTsuglUbR +mshp/SP7Br2IIK+KM1vgsmVExPfGPYANyk7ki/Q8uUnjqkreeSa9WC2iJLGcybW YavDhYWALebUGukNeedkloYhdjPboPPxDkKNjakwIG8EkbJK7uXewMOHHOFvFTX3 K388me8u5iQf4f3fj6ilEgs6f5Szzmb+vklPX0zIny/TVk2+Az7HmA== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND3_Cert_EE.pem0000644000175100017510000000405615161577363025736 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIF3TCCBMWgAwIBAgIRAKcNbJWejX5BTb8DmevkCaswDQYJKoZIhvcNAQEFBQAw bzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1B ZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3Qg RXh0ZXJuYWwgQ0EgUm9vdDAeFw0xMDA1MDQwMDAwMDBaFw0xNTA1MDQyMzU5NTla MIIBCjELMAkGA1UEBhMCR0IxDzANBgNVBBETBk01IDNFUTEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRYwFAYDVQQJEw1UcmFm Zm9yZCBSb2FkMRYwFAYDVQQJEw1FeGNoYW5nZSBRdWF5MSUwIwYDVQQJExwzcmQg Rmxvb3IsIDI2IE9mZmljZSBWaWxsYWdlMRowGAYDVQQKExFDT01PRE8gQ0EgTGlt aXRlZDEaMBgGA1UECxMRQ29tb2RvIFByZW1pdW1TU0wxLDAqBgNVBAMTI2FkZHRy dXN0ZXh0ZXJuYWxjYXJvb3QuY29tb2RvY2EuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAz5MM/mco91yFJNtF3t9c0x/bGds+zGAqJlHBXCR43og+ 3vgsBkCcn5M3PAqmL6XxilpsrEfS6RqtNcLfxwDyl7rr3qpJSM537Km1ZGOTHs0C i0JA4YBZFOxBwPO2nHQGD+t9kJx3auFdBLnjJc5Q3jFUmnyJ8D2h3P9BrHgOoIbO KYOUc/3zcqE6NttdbiuUMzlad8guhnXlWPCh2NJtNtMLDQxG7DWWDEm/Kt+CdKAR jko6kEp7nqBKyujjJoGD2nEtEnuuqiB9n6sgSXR1NGtecJrW8IqIS7hkcsxhGTI9 jnY73+NiMV3nglejkNseTUdcEi6L94EdifXuVLgEAwIDAQABo4IB1TCCAdEwHwYD VR0jBBgwFoAUrb2YejS0Jvf6xCZU7wO94CTLVBowHQYDVR0OBBYEFDXpt6NocCrd 7XZ2MLUa116TIesKMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEB AgEDBDArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQ UzB7BgNVHR8EdDByMDigNqA0hjJodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9BZGRU cnVzdEV4dGVybmFsQ0FSb290LmNybDA2oDSgMoYwaHR0cDovL2NybC5jb21vZG8u bmV0L0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMFcGA1UdEQRQME6C I2FkZHRydXN0ZXh0ZXJuYWxjYXJvb3QuY29tb2RvY2EuY29tgid3d3cuYWRkdHJ1 c3RleHRlcm5hbGNhcm9vdC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEFBQADggEB AF2TF6xg8ZoBICoiQvjD2Z0SKcJRw1Dhj3HpGzV9F+Y0e/MxCXhYA+340JZxnC2P VA968QKFrNwDWiS9Klc+cs4k3HIeiZp3uHw1ezElqXXNa+S1CrSS03FqWeeugSrB xpuXCWDJSfD4DJq835hlEuXgxmAjsbuRUjaq1lxwSWnNoBkfMCCAgVlHtFljTlqq nwfBZcnj73+yiERgTvhN4gEL59ZzjFliKEUuXHZoe8klhn73cnY+XoRV0e7wU+Xj PzLoAhjGkS35hfDQTHdCwNBaN3iI2Q+HBjhfffAYFdK+Jo3kSXq12s7CJD7utAho xxRhA0l1ziJgrEubLi6ItNg= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/ND3_Issuer_Root.pem0000644000175100017510000000276115161577363026746 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/R2.pem0000644000175100017510000000251115161577363024301 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG 3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO 291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== -----END CERTIFICATE-----././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_D1.ors0000644000175100017510000000374415161577363025137 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBRf2uQDFpGg Ywh4P1y2H9bZ2/BQNBgPMjAxMjEwMTExMzI5NDJaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSxsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDExMTAwMDAwWqARGA8yMDEyMTAxODEw MDAwMFowCwYJKoZIhvcNAQEFA4IBAQCX3gEX+JVfxuYmxBBxC9sNCi3o76ODIicr XMvm0DTO9VSyDBl7LDsMMgNMIDtO3flQSlBNZ2B9ikwyckXOSWXiXzybZVMdA/uq NchgkM9aChrlhG0AHZyYe/+dJSmEBFXkIomy+S6YQ7Mcs2s6WxCeWU7gB4XOy1zO /CvWjv0WQV1J2lZZ6pkvtECKAEjrVP275LA38HInFbYvVPXWzl4sDcX2TAxwUa4S xAJAfwl+B+oZSerZWGRo6KjZuB/OB31cB5n/lABmRez6Obi27D0UUCRv/eSbwOF4 Ofaa/XzJt7sF7WpVgoR41HI88W7aN4vtcw1zcVsBmfRMUNYZSqtfoIID+DCCA/Qw ggPwMIIC2KADAgECAhIRISdENsrz1CSWG3VIBwfQERQwDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDA1MFoXDTEyMTIxOTA4NDA1MFowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDIxFzAVBgNV BAUTDjIwMTIwOTE5MDk0MDAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAnCgMsBO+IxIqCnXCOfXJoIC3wj+f0s4DV9h2gJBzisWXkaJD2DfNrd0kHUXK qVVPUxnA4G5iZu0Z385/KiOt1/P6vQ/Z2/AsEh/8Z/hIyeZCHL31wrSZW4yLeZwi M76wPiBHJxPun681HQlVs/OGKSHnbHc1XJAIeA/M8u+lLWqIKB+AJ82TrOqUMj1s LjGhQNs84xPliONN5K7DrEy+Y65X/rFxN77Smw+UtcH1GgH2NgaHH8dpt1m25sgm UxZWhdx66opB/lbRQwWdGt7MC0kJFaWHDZq64DTuYoekFYSxAFu0nd0EekEHEJEi 9mquB9cv/96SuEJl8BcUWU/1LwIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFF/a5AMWkaBjCHg/XLYf1tnb8FA0MB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCKRl1iXFmOQtLseDWP Y5icDDBGiRi17CGgvIzGJi/ha0PhbO+X0TmQIEnRX3Mu0Er/Mm4RZSjMtJ2iZRh3 tGf4Dn+jKgKOmgXC3oOG/l8RPHLf0yaPSdn/z0TXtA30vTFBLlFeWnhbfhovea4+ snPdBxLqWZdtxmiwojgqA7YATCWwavizrBr09YRyDwzgtpZ2BwMruGuFuV9FsEwL PCM53yFlrM32oFghyfyE5kYjgnnueKM+pw1kA0jgb1CnVJRrMEN1TXuXDAZLtHKG 5X/drah1JtkoZhCzxzZ3bYdVDQJ90OHFqM58lwGD6z3XuPKrHDKZKt+CPIsl5g7p 4J2l ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_D2.ors0000644000175100017510000000377415161577363025143 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTqlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMTExMzMwMTBaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRhe2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAA0H7bvcULg1GayFtQVrYDyW0feOEMNGLmgaGuwRdrY3 KuWyNJLUUJKQZnOkdT8A4RpVX8xD4EgVyOqRACUahgdgp0g3QOn+vf2Zyf+NJIgW woF5qaJgCOeIOw5O6F4r1vUhp8NvqXHotswgG58Nzz6UMD+uyIgq5o8uzOjryEm6 wO2X+KvN9sMzkeZhNvAHkgBQL8CG4CggWnzn7At1DmhhsizfhDrosigM4Zr6Sm6z v1YfSPznD0b3TQ7RzvpbJPofF2aJXMIMxdKR5pemuevTDR2+JCXjVPsD/ZODFykc rsQeqx2vTOIg84PRKboXjCAwHn4rIN7JJtQqebLtD9egggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+U= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_D3.ors0000644000175100017510000000455615161577363025143 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMTE0MDYzNlowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBe1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTExMzU4MTBaoBEYDzIwMTIxMDEzMTQwNjM2WjAN BgkqhkiG9w0BAQUFAAOCAQEAjcryO6FUK5+TcPBxJKixVt9q07Xy3qv1e/VFuJ0f tnYDcu83Q5yCta49PXaA13nFDFZ445wCDivDBLolS6JKSh+JrLpAxSBzak7Ps8wz DPNAtexZz9/hPPzHnGOMlRtew07jk+NX5ZgCxDZGmBHIHOGyab2WoqmpRTll0oP4 b/DzI3mzrur5lm2NAT3ZJ8bVaWsAJBVTfUye3S4GRWlfGSRVAMk0QHnCkYP42okc psIKbvdIoS2gxo6kBTMevxciPV2lPIiSrIWH0IGm7AqGM5+Vz7IdbD6fOQd1I3uw O+1NugMYfScB6jCvSW2uESeRZ+qW/HMXQbU1eiH+x88UIKCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_ND1.ors0000644000175100017510000000117615161577363025252 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBSIRFH/UCpp Xi2I9CG62QzyzsvqfBgPMjAxMjEwMTEwODQxMTNaMHMwcTBJMAkGBSsOAwIaBQAE FEi2DTgjjfhFbk7lhD6jlBEYApefBBSJRFH/UCppXi2I9CG62QzyzsvqfAIQIuEz IiCgSN8psr+aMcKbB4AAGA8yMDEyMTAxMTA4NDExM1qgERgPMjAxMjEwMTUwODQx MTNaMA0GCSqGSIb3DQEBBQUAA4IBAQCNnhlBMxxh9z5AKfzAxiKs90CfxUsqfYfk 8XlyF9VIfWRfEwzS6MF1pEzLnghRxTAmjrFgK+sxD9wk+S5Mdgw3nbED9DVFH2Hs RGKm/t9wkvrYOX6yRQqw6uRvU/5cibMjcyzKB/VQMwk4p4FwSUgBv88A5sTkKr2V eYdEm34hg2TZVkipPMBiyTyBLXs8D/9oALtnczg4xlTRSjDUvqoXL5haqY4QK2Pv mNwna6ACkwLmSuMe29UQ8IX2PUB4R5Etni5czyiKGxZLm+4NAhuEwWFNEzCyImPc 087gHGU1zx+qVSlajqMJ/9ZXYjbt7WiWdhOTGEv4VMn8dHhRUs32 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_ND2.ors0000644000175100017510000000117615161577363025253 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBQLWOWLxkwV N6RAqTCpIb5HNlpW/xgPMjAxMjEwMTAyMzAzMTlaMHMwcTBJMAkGBSsOAwIaBQAE FOy+ZAvtiWulchtVZmfKU1ZI9ewTBBQMWOWLxkwVN6RAqTCpIb5HNlpW/wIQEaO0 0OyNt3+doM1dLVEvQoAAGA8yMDEyMTAxMDIzMDMxOVqgERgPMjAxMjEwMTQyMzAz MTlaMA0GCSqGSIb3DQEBBQUAA4IBAQCHn2nGfEUX/EJruMkTgh7GgB0u9cpAepaD sPv9gtl3KLUZyR+NbGMIa5/bpoJp0yg1z5VL6CLMusy3AF6Cn2fyaioDxG+yc+gA PcPFdEqiIMr+TP8s7qcEiE6WZddSSCqCn90VZSCWkpDhnCjDRwJLBBPU3803fdMz oguvyr7y6Koxik8X/iUe8EpSzAvmm4GZL3veTI+x7IezJSrhCS9zM0ZHjySjoDxC +ljGH0EuWPTmFEqZVGIq3cuahIYzKItUbYnXU6ipi/2p42qbsFeok7eEN0EYsY1a vRATHGRmU7Q5HLCq4rQtZC1cis52Mvc9x1W4z/Gt5A3FtgElXXNA ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WIKH_ND3.ors0000644000175100017510000000120215161577363025242 0ustar00runnerrunnerMIIB1AoBAKCCAc0wggHJBgkrBgEFBQcwAQEEggG6MIIBtjCBn6IWBBStvZh6NLQm 9/rEJlTvA73gJMtUGhgPMjAxMjEwMTExMTM2NDdaMHQwcjBKMAkGBSsOAwIaBQAE FHyxZlScq9tE7mImFq30ZXv3etWUBBSuvZh6NLQm9/rEJlTvA73gJMtUGgIRAKcN bJWejX5BTb8DmevkCauAABgPMjAxMjEwMTExMTM2NDdaoBEYDzIwMTIxMDE1MTEz NjQ3WjANBgkqhkiG9w0BAQUFAAOCAQEAfnj3nh6z+USW6VlDWRytWpNmC1ZRwWlg P2+G4UF4HE8bMJkuiFLcZEVYTxlTYv+xAEpSFxdInFM2Q5C+O6pWOZ9NbikeR4oZ FTI1kAZ0Uw+YMpVM4ztvKBIpUSqlbi69iNJ9WGF6qzxVeqobSOyrjjwtTsuglUbR +mshp/SP7Br2IIK+KM1vgsmVExPfGPYANyk7ki/Q8uUnjqkreeSa9WC2iJLGcybW YavDhYWALebUGukNeedkloYhdjPboPPxDkKNjakwIG8EkbJK7uXewMOHHOFvFTX3 K388me8u5iQf4f3fj6ilEgs6f5Szzmb+vklPX0zIny/TVk2+Az7HmA== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_D1.ors0000644000175100017510000000374415161577363025142 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBRf2uQDFpGg Ywh4P1y2H9bZ2/BQNBgPMjAxMjEwMTExMzI5NDJaMHUwczBLMAkGBSsOAwIaBQAE FKFyDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDExMTAwMDAwWqARGA8yMDEyMTAxODEw MDAwMFowCwYJKoZIhvcNAQEFA4IBAQCX3gEX+JVfxuYmxBBxC9sNCi3o76ODIicr XMvm0DTO9VSyDBl7LDsMMgNMIDtO3flQSlBNZ2B9ikwyckXOSWXiXzybZVMdA/uq NchgkM9aChrlhG0AHZyYe/+dJSmEBFXkIomy+S6YQ7Mcs2s6WxCeWU7gB4XOy1zO /CvWjv0WQV1J2lZZ6pkvtECKAEjrVP275LA38HInFbYvVPXWzl4sDcX2TAxwUa4S xAJAfwl+B+oZSerZWGRo6KjZuB/OB31cB5n/lABmRez6Obi27D0UUCRv/eSbwOF4 Ofaa/XzJt7sF7WpVgoR41HI88W7aN4vtcw1zcVsBmfRMUNYZSqtfoIID+DCCA/Qw ggPwMIIC2KADAgECAhIRISdENsrz1CSWG3VIBwfQERQwDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDA1MFoXDTEyMTIxOTA4NDA1MFowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDIxFzAVBgNV BAUTDjIwMTIwOTE5MDk0MDAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAnCgMsBO+IxIqCnXCOfXJoIC3wj+f0s4DV9h2gJBzisWXkaJD2DfNrd0kHUXK qVVPUxnA4G5iZu0Z385/KiOt1/P6vQ/Z2/AsEh/8Z/hIyeZCHL31wrSZW4yLeZwi M76wPiBHJxPun681HQlVs/OGKSHnbHc1XJAIeA/M8u+lLWqIKB+AJ82TrOqUMj1s LjGhQNs84xPliONN5K7DrEy+Y65X/rFxN77Smw+UtcH1GgH2NgaHH8dpt1m25sgm UxZWhdx66opB/lbRQwWdGt7MC0kJFaWHDZq64DTuYoekFYSxAFu0nd0EekEHEJEi 9mquB9cv/96SuEJl8BcUWU/1LwIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFF/a5AMWkaBjCHg/XLYf1tnb8FA0MB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCKRl1iXFmOQtLseDWP Y5icDDBGiRi17CGgvIzGJi/ha0PhbO+X0TmQIEnRX3Mu0Er/Mm4RZSjMtJ2iZRh3 tGf4Dn+jKgKOmgXC3oOG/l8RPHLf0yaPSdn/z0TXtA30vTFBLlFeWnhbfhovea4+ snPdBxLqWZdtxmiwojgqA7YATCWwavizrBr09YRyDwzgtpZ2BwMruGuFuV9FsEwL PCM53yFlrM32oFghyfyE5kYjgnnueKM+pw1kA0jgb1CnVJRrMEN1TXuXDAZLtHKG 5X/drah1JtkoZhCzxzZ3bYdVDQJ90OHFqM58lwGD6z3XuPKrHDKZKt+CPIsl5g7p 4J2l ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_D2.ors0000644000175100017510000000377415161577363025146 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTqlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMTExMzMwMTBaMG4wbDBEMAkGBSsOAwIaBQAE FLhXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAA0H7bvcULg1GayFtQVrYDyW0feOEMNGLmgaGuwRdrY3 KuWyNJLUUJKQZnOkdT8A4RpVX8xD4EgVyOqRACUahgdgp0g3QOn+vf2Zyf+NJIgW woF5qaJgCOeIOw5O6F4r1vUhp8NvqXHotswgG58Nzz6UMD+uyIgq5o8uzOjryEm6 wO2X+KvN9sMzkeZhNvAHkgBQL8CG4CggWnzn7At1DmhhsizfhDrosigM4Zr6Sm6z v1YfSPznD0b3TQ7RzvpbJPofF2aJXMIMxdKR5pemuevTDR2+JCXjVPsD/ZODFykc rsQeqx2vTOIg84PRKboXjCAwHn4rIN7JJtQqebLtD9egggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+U= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_D3.ors0000644000175100017510000000455615161577363025146 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMTE0MzkxOFowZjBkMDwwCQYF Kw4DAhoFAAQUjKTJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTExNDIzMjVaoBEYDzIwMTIxMDEzMTQzOTE4WjAN BgkqhkiG9w0BAQUFAAOCAQEAgdrf+v+BwEhG0ghTLMVmuxWprJr/9VFtpKpxQrTo egSoW+5JOPCUAStfw3R3u7QM8sJf9bnPorgoCoY1hPKcWNLhvf1Ng3QlVkNa6NcO EonbuI4KE9Rhoflpf//pD/3AFKzU+ecRs04KtYezKrUvC1RayGabd7bgtIpdFss4 ZCZ22riqjFtqD3+2//AHg7VaqiJMKlRt05CMmGe+HKn5PEN9HaeI52nsTf+L1Jeh ItnaDPfV76vFHHXyUhR3iIgnqQDCig0q3yj7BQqH50+K+myiMAY+p8cuVqebno1i BzXxxpZl/fw1KnTFdEa7p2jtmXw3KZiHAWAddwg1F1tHTaCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_ND1.ors0000644000175100017510000000117615161577363025255 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBSIRFH/UCpp Xi2I9CG62QzyzsvqfBgPMjAxMjEwMTEwODQxMTNaMHMwcTBJMAkGBSsOAwIaBQAE FEm2DTgjjfhFbk7lhD6jlBEYApefBBSIRFH/UCppXi2I9CG62QzyzsvqfAIQIuEz IiCgSN8psr+aMcKbB4AAGA8yMDEyMTAxMTA4NDExM1qgERgPMjAxMjEwMTUwODQx MTNaMA0GCSqGSIb3DQEBBQUAA4IBAQCNnhlBMxxh9z5AKfzAxiKs90CfxUsqfYfk 8XlyF9VIfWRfEwzS6MF1pEzLnghRxTAmjrFgK+sxD9wk+S5Mdgw3nbED9DVFH2Hs RGKm/t9wkvrYOX6yRQqw6uRvU/5cibMjcyzKB/VQMwk4p4FwSUgBv88A5sTkKr2V eYdEm34hg2TZVkipPMBiyTyBLXs8D/9oALtnczg4xlTRSjDUvqoXL5haqY4QK2Pv mNwna6ACkwLmSuMe29UQ8IX2PUB4R5Etni5czyiKGxZLm+4NAhuEwWFNEzCyImPc 087gHGU1zx+qVSlajqMJ/9ZXYjbt7WiWdhOTGEv4VMn8dHhRUs32 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_ND2.ors0000644000175100017510000000117615161577363025256 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBQLWOWLxkwV N6RAqTCpIb5HNlpW/xgPMjAxMjEwMTAyMzAzMTlaMHMwcTBJMAkGBSsOAwIaBQAE FO2+ZAvtiWulchtVZmfKU1ZI9ewTBBQLWOWLxkwVN6RAqTCpIb5HNlpW/wIQEaO0 0OyNt3+doM1dLVEvQoAAGA8yMDEyMTAxMDIzMDMxOVqgERgPMjAxMjEwMTQyMzAz MTlaMA0GCSqGSIb3DQEBBQUAA4IBAQCHn2nGfEUX/EJruMkTgh7GgB0u9cpAepaD sPv9gtl3KLUZyR+NbGMIa5/bpoJp0yg1z5VL6CLMusy3AF6Cn2fyaioDxG+yc+gA PcPFdEqiIMr+TP8s7qcEiE6WZddSSCqCn90VZSCWkpDhnCjDRwJLBBPU3803fdMz oguvyr7y6Koxik8X/iUe8EpSzAvmm4GZL3veTI+x7IezJSrhCS9zM0ZHjySjoDxC +ljGH0EuWPTmFEqZVGIq3cuahIYzKItUbYnXU6ipi/2p42qbsFeok7eEN0EYsY1a vRATHGRmU7Q5HLCq4rQtZC1cis52Mvc9x1W4z/Gt5A3FtgElXXNA ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WINH_ND3.ors0000644000175100017510000000120215161577363025245 0ustar00runnerrunnerMIIB1AoBAKCCAc0wggHJBgkrBgEFBQcwAQEEggG6MIIBtjCBn6IWBBStvZh6NLQm 9/rEJlTvA73gJMtUGhgPMjAxMjEwMTExMTM2NDdaMHQwcjBKMAkGBSsOAwIaBQAE FH2xZlScq9tE7mImFq30ZXv3etWUBBStvZh6NLQm9/rEJlTvA73gJMtUGgIRAKcN bJWejX5BTb8DmevkCauAABgPMjAxMjEwMTExMTM2NDdaoBEYDzIwMTIxMDE1MTEz NjQ3WjANBgkqhkiG9w0BAQUFAAOCAQEAfnj3nh6z+USW6VlDWRytWpNmC1ZRwWlg P2+G4UF4HE8bMJkuiFLcZEVYTxlTYv+xAEpSFxdInFM2Q5C+O6pWOZ9NbikeR4oZ FTI1kAZ0Uw+YMpVM4ztvKBIpUSqlbi69iNJ9WGF6qzxVeqobSOyrjjwtTsuglUbR +mshp/SP7Br2IIK+KM1vgsmVExPfGPYANyk7ki/Q8uUnjqkreeSa9WC2iJLGcybW YavDhYWALebUGukNeedkloYhdjPboPPxDkKNjakwIG8EkbJK7uXewMOHHOFvFTX3 K388me8u5iQf4f3fj6ilEgs6f5Szzmb+vklPX0zIny/TVk2+Az7HmA== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKDOSC_D1.ors0000644000175100017510000000374415161577363025367 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBSpTXftIZX0 lLT9zwVSQC5Jfp3pqhgPMjAxMjEwMTAxNDU0NDNaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDEwMTMwMDAwWqARGA8yMDEyMTAxNzEz MDAwMFowCwYJKoZIhvcNAQEFA4IBAQBw5Z+0ggEddRTIq7cXlMoxG9Nrx4HtutsH itIUoZp/rlLoxHsJTo/VmdZvTTGIc7Ok9XuoH61lY/x9glAKsGRjz4Myc9+5rx0O 675lwmOS+uaf3/hRkicVrVr7Pt2ug3R7OXm2MJrohjNKP8lqtLJ0hHP88a8rotKA r9uz/qHm7K4Uh7dRt/Pnu9MPG74tZeFNN4M1ONMEiRdG39FqzFDXWxwQ3NmyC0Wo DQn+NklZMknr8mm7IBWpzgU1fTD9R0yv0zdhUZGiEXxvdhm7GJrTET5jS30Ksm5j o+n39YVu/vGbjyyYx3+WdeQLEyipaGvldSuJpT+R684/RuFWNetcoIID+DCCA/Qw ggPwMIIC2KADAgECAhIRIcYjwu4UNkR1VGrDbSdFei8wDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDAzMVoXDTEyMTIxOTA4NDAzMVowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDExFzAVBgNV BAUTDjIwMTIwOTE5MDkzOTAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAx0kb6QhDH3sEDj4zaysjVzYelq9lZ1cso4R2IyQxaoPaG6GkaCmHA4sz6KP+ m3ADqplibEUBa/mzCxHW8/oy3NhGMFdbezduZrnRFLbzakOTeIo8VEIM3JPfgREv CX8nj6Xu7ERD6JO/ZQ9Xr7YVzKKN+3cVZlcMHoGBnOPcO2Sz0AcYyk5m5IsGBRoT T86j6Cr9PhOPTVwXL6Wxy1KVHsUZXUwnRacV0O4SHWQ4zM9Sablus9fTbh1CgIqW sKDyzVB4yECXkBVeUlA+cuCaRRVHRiR+jPDSgbU62nnNudEpGG7dyoop6IOvXv2O ydncWzaukxIVvQ/Ij85kHqs7HQIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFKlNd+0hlfSUtP3PBVJALkl+nemqMB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCe4rZg61Dmwygl/Uae BJZog64/FvuB1sfCqKLJTjKOfLcugSTX1TT7bLJbzXRGPQuorI3TIZEOwldIw01d DTLlsOCHrfHd+bpxgijxPkUuaA4NYnpvqTEMJqPKOC8QYfKupNjAPSuHvwqvqCfO RCe3jY6xQDO0WCTZ8/xMsOkw+J/YEYqALETf2Ug7k5eRL/TvfLd8Sgi7vPfmUeiW ptlsbhMOWQoQc+JA3vCI01rrjNq+0kIZ/r8nPGvablRr0Aakk6eDuS2dcReaPwuK 0xE136pJYiXdQ3SA7uwmlorjxmejavyoPCr23TU74DQEt6hhc6uIcabsa4Y8KvJy RI4G ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKDOSC_D2.ors0000644000175100017510000000377415161577363025373 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTqlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMTAxNDU0NDhaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBACkGyoGefA2WuktIerofBoPgeyT8Mry57DxF7IEvX8dI Adk+MZRo5suYIE2AJty8bohYYiIxS7sZ5nsUM+iyu5cIdmsIwt/YifYsSdHc6DKz l3Yh4bS27QX05/Vuok3HmEMsRBmensKATMfvGP+TOwhuFeHWAK8KHSCmUbGZFP3A WKtrhRh/qC4qetMt07z/OKZcqHUYegEpO3xqRJ4MdqRJpV1urjdL/852US0mWAOL /EPoexWiHiKJmsNy7HAEKFQ+daqdZYM1BTGbS2aj3go/BVqf0xEhRLT0fsdof4Is 1Cy2ZHGbaVEyOQpXsxUEAqEdJcFRcLFGhdgnUjcQ9lqgggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQ2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+U= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKDOSC_D3.ors0000644000175100017510000000455615161577363025373 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMDE1MTkzOVowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTAxNDU2MTdaoBEYDzIwMTIxMDEyMTUxOTM5WjAN BgkqhkiG9w0BAQUFAAOCAQEAH1Bs3glJoAvCHhgVtN4F/avlKA1St74v7yuD1DIu cBf/4YRJdxZATXMI8I0TPjSl8L+rRAiUTVd8sPhWQ9XD9WaYKkTEjuQSPp851/81 zDihz9Kj5Rzo5PYpFsbSps/ALMQSRkrtuX4DCm9fbK7xC+adpbhQDnWW/GXM1+Ob lv3pHDQXLh2GQbRsaJBgLeSUxIIE7RWJv1N+Ugi5zF8rja5qnJ9DnkilEqMeXQp8 SThaI+TOe+KHK+7wTp5QkFNIE5l/uKgvSNIOwLe9HDevlSl1wYF6e+mAz3uoQyJa Ucx8FIoV6CIr+wUd+P8CmNXiQ7M59I8gm3FCDiEvWDQGEaCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCdxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_D1_Issuer_ICA.pem0000644000175100017510000000313715161577363027112 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEhjCCA26gAwIBAgILBAAAAAABL07hXdQwDQYJKoZIhvcNAQEFBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwNDEzMTAwMDAwWhcNMjIwNDEz MTAwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOoUbMUpq4pbR/WNnN 2EugcgyXW6aIIMO5PUbc0FxSMPb6WU+FX7DbiLSpXysjSKyr9ZJ4FLYyD/tcaoVb AJDgu2X1WvlPZ37HbCnsk8ArysRe2LDb1r4/mwvAj6ldrvcAAqT8umYROHf+IyAl VRDFvYK5TLFoxuJwe4NcE2fBofN8C6iZmtDimyUxyCuNQPZSY7GgrVou9Xk2bTUs Dt0F5NDiB0i3KF4r1VjVbNAMoQFGAVqPxq9kx1UBXeHRxmxQJaAFrQCrDI1la93r wnJUyQ88ABeHIu/buYZ4FlGud9mmKE3zWI2DZ7k0JZscUYBR84OSaqOuR5rW5Isb wO2xAgMBAAGjggFaMIIBVjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUsLBK/Rx1KPgcYaoT9vrBkD1rFqMwRwYDVR0gBEAwPjA8 BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t L3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5uZXQvcm9vdC1yMi5jcmwwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAB hihodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9FeHRlbmRlZFNTTENBMCkGA1Ud JQQiMCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAW gBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAL0m28rZa pJWrnlrpK4KbzJBrfHRFIOde2Mcj7ig1sTVlKqVR4FU/9oNntOQ2KbDa7JeVqYoF o0X+Iy5SiLQfEICt0oufo1+oxetz3nmIQZgz7qdgGLFGyUAQB5yPClLJExoGbqCb LTr2rk/no1E1KlsYBRLlUdy2NmLz4aQP++TPw5S/EauhWTEB8MxT7I9j12yW00gq iiPtRVaoZkHqAblH7qFHDBTxI+Egc8p9UHxkOFejj0qcm+ltRc9Ea01gIEBxJbVG qmwIft/I+shWKpLLg7h5CZctXqEBzgbttJfJBNxB7+BPNk3kQHNG7BESfIhbNCYl TercGL7FG81kwA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_D2_Issuer_Root.pem0000644000175100017510000000235515161577363027443 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_D3_Issuer_Root.pem0000644000175100017510000000501115161577363027434 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAzyLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_ND1_Issuer_ICA.pem0000644000175100017510000000341115161577363027223 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAM1KljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_ND2_Issuer_Root.pem0000644000175100017510000000254715161577363027564 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0UCLi3LjkRv3 UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI 2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp +2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8 t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug R1uUq27UlTMdphVx8fiUylQ5PsE= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WKIC_ND3_Issuer_Root.pem0000644000175100017510000000276115161577363027563 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALj3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_D1.ors0000644000175100017510000000374415161577363025142 0ustar00runnerrunnerMIIFzwoBAKCCBcgwggXEBgkrBgEFBQcwAQEEggW1MIIFsTCBoKIWBBRg2uQDFpGg Ywh4P1y2H9bZ2/BQNBgPMjAxMjEwMTExMTI1MjJaMHUwczBLMAkGBSsOAwIaBQAE FKByDqBqfGICVPKo9Z3Se6Tzty+kBBSwsEr9HHUo+BxhqhP2+sGQPWsWowISESG8 vx4IzALnkqQG05AvM+2bgAAYDzIwMTIxMDExMTAwMDAwWqARGA8yMDEyMTAxODEw MDAwMFowCwYJKoZIhvcNAQEFA4IBAQAHQBPHdHWNzaFs5bfBvQcvxBWsDnsCFXNs a1fECiWDFNt6Nz4MCBY4rC7n0nhQfvg4m1woNcTAZVO8lacYomwUU/5/XpeFM6yc NeFcVbfVXA48GWPANitNQCwyRL5hGfIqNy1I9T1BHlBqYusmJKy65r2iqpmld/hD 7S1dsCd4fXhjBQQORPmBqhKvWEU08Dh5aoaDAuaZoxRH8B1q+mUs0ODOIu34L84y JcxTKccd/HCwI8oxwLoBtyXSHb+dCzc7zSjFvQhbT5dOCvJNNe/fk6+EhMtQ6ybC D7p9EShCvU5jAdw54bZWk5wIQSvsWk9axUmYFFLYI3hAaoybpFVroIID+DCCA/Qw ggPwMIIC2KADAgECAhIRISdENsrz1CSWG3VIBwfQERQwDQYJKoZIhvcNAQEFBQAw WTELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExLzAtBgNV BAMTJkdsb2JhbFNpZ24gRXh0ZW5kZWQgVmFsaWRhdGlvbiBDQSAtIEcyMB4XDTEy MDkxOTA3NDA1MFoXDTEyMTIxOTA4NDA1MFowgYUxCzAJBgNVBAYTAkJFMRkwFwYD VQQKExBHbG9iYWxTaWduIG52LXNhMUIwQAYDVQQDEzlHbG9iYWxTaWduIEV4dGVu ZGVkIFZhbGlkYXRpb24gQ0EgLSBHMiBPQ1NQIHJlc3BvbmRlciAtIDIxFzAVBgNV BAUTDjIwMTIwOTE5MDk0MDAwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAnCgMsBO+IxIqCnXCOfXJoIC3wj+f0s4DV9h2gJBzisWXkaJD2DfNrd0kHUXK qVVPUxnA4G5iZu0Z385/KiOt1/P6vQ/Z2/AsEh/8Z/hIyeZCHL31wrSZW4yLeZwi M76wPiBHJxPun681HQlVs/OGKSHnbHc1XJAIeA/M8u+lLWqIKB+AJ82TrOqUMj1s LjGhQNs84xPliONN5K7DrEy+Y65X/rFxN77Smw+UtcH1GgH2NgaHH8dpt1m25sgm UxZWhdx66opB/lbRQwWdGt7MC0kJFaWHDZq64DTuYoekFYSxAFu0nd0EekEHEJEi 9mquB9cv/96SuEJl8BcUWU/1LwIDAQABo4GEMIGBMAkGA1UdEwQCMAAwDgYDVR0P AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GCSsGAQUFBzABBQQCBQAw HQYDVR0OBBYEFF/a5AMWkaBjCHg/XLYf1tnb8FA0MB8GA1UdIwQYMBaAFLCwSv0c dSj4HGGqE/b6wZA9axajMA0GCSqGSIb3DQEBBQUAA4IBAQCKRl1iXFmOQtLseDWP Y5icDDBGiRi17CGgvIzGJi/ha0PhbO+X0TmQIEnRX3Mu0Er/Mm4RZSjMtJ2iZRh3 tGf4Dn+jKgKOmgXC3oOG/l8RPHLf0yaPSdn/z0TXtA30vTFBLlFeWnhbfhovea4+ snPdBxLqWZdtxmiwojgqA7YATCWwavizrBr09YRyDwzgtpZ2BwMruGuFuV9FsEwL PCM53yFlrM32oFghyfyE5kYjgnnueKM+pw1kA0jgb1CnVJRrMEN1TXuXDAZLtHKG 5X/drah1JtkoZhCzxzZ3bYdVDQJ90OHFqM58lwGD6z3XuPKrHDKZKt+CPIsl5g7p 4J2l ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_D2.ors0000644000175100017510000000377415161577363025146 0ustar00runnerrunnerMIIF4AoBAKCCBdkwggXVBgkrBgEFBQcwAQEEggXGMIIFwjCBmaIWBBTrlwecTarB yVdbHxANRLCFYj1mqBgPMjAxMjEwMTExMTI1MjVaMG4wbDBEMAkGBSsOAwIaBQAE FLdXtbacB/gWIxOOkMkqDr4yAaoxBBRge2YaRQ2XyolQL30EzTSo//z9SwILBAAA AAABL07hRxCAABgPMjAxMjEwMDEwNjAwMDBaoBEYDzIwMTMwNDE1MDYwMDAwWjAL BgkqhkiG9w0BAQUDggEBAHThkPoy6eA7qX9y5C5b1ElRSwdjzsd15OJSqP2yjQbS Ol1K8DWtX0UhTfRH+CrIPoWL40g2HjXtIVeMD6s3hakYimZUenIJ/IRRSVWp+EXU MewgTVPz/wJN/9dJIkSbOI/BmpIGlaaBaLwcb39nJjZMq0sXj8jRI5i0isotOAFz Zc0R20viBEH099KuGktB2fKKEpVbbWPljTxKzkIBs9SXZBIqd/X2MWzQWcLKzhL0 oynkvqxTFqNVjjZKcKSXPS/XEUufLrv/E3xQZYAfTJr778kFkyA8JzrXiH6W5DX6 UbqsnO5DaPZvMDfvlQWETkoS1j+Qgu2mIWzdiw7sPrOgggQQMIIEDDCCBAgwggLw oAMCAQICCwQAAAAAAThXovYBMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAkJF MRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRsw GQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNMTIwNzA1MTgwMDAwWhcNMTMw NzA1MTgwMDAwWjBZMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu di1zYTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBPQ1NQIGZvciBSb290IFIxIC0gQnJh bmNoIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP2QF8p0+Fb7ID MwwD1gEr2oazjqbW28EZr3YEyMPk+7VFaGePSO1xjBGIE48Q7m7d6p6ZXCzlBZEi oudrHSr3WDqdIVKLDrZIDkgEgdjJE72Hq6Pf5CEGXyebbODm4sV96EfewSvOOYLL 866g3aoVhLDK02ny+Q5OsokW7nhnmGMMh10tZqR5VmdQTiw8MgeqUxBEaEO4WH2J ltgSsgNJBNBYuDgnn5ryzVqhvmCJvYZMYeN6qZFKy1MgHcR+wEpGLPlRL4ttu6e5 MJrVta7dVFobHUHoFog97LtQT1PY0Ubaihswjge5O04bYeCrgSSjr1e4xH/KDxRw yyhoscaFAgMBAAGjgdIwgc8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTqlwec TarByVdbHxANRLCFYj1mqDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBXzA0MDIGCCsG AQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJ BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdIwQYMBaAFGB7ZhpF DZfKiVAvfQTNNKj//P1LMA8GCSsGAQUFBzABBQQCBQAwDQYJKoZIhvcNAQEFBQAD ggEBAHiC6N1uF29d7CmiVapA8Nr1xLSVeIkBd4A8yHsUTQ7ATI7bwT14QUV4awe7 8cvmO5ZND8YG1ViwN162WFm9ivSoWBzvWDbU2JhQFb+XzrzCcdn0YbNiTxJh/vYm uDuxto00dpBgujSOAQv8B90iDEJ+sZpYRzDRj62qStRey0zpq5eX+pA+gdppMUFb 4QvJf0El8TbLCWLN4TjrFe6ju7ZaN9zmgVYGQ2fMHKIGNScLuIA950nYwzRkIfHa YW6HqP1rCR1EiYmstEeCQyDxJx+RUlh+q8L1BKzaMYhS6s63MZzQuGseYStaCmbC fBIRKjnK621vAWvc7UR+0hqnZ+U= ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_D3.ors0000644000175100017510000000455615161577363025146 0ustar00runnerrunnerMIIG8AoBAKCCBukwggblBgkrBgEFBQcwAQEEggbWMIIG0jCB+aF+MHwxCzAJBgNV BAYTAlVTMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEUMBIGA1UEChML Q0FjZXJ0IEluYy4xHjAcBgNVBAsTFVNlcnZlciBBZG1pbmlzdHJhdGlvbjEYMBYG A1UEAxMPb2NzcC5jYWNlcnQub3JnGA8yMDEyMTAxMTEzMjE0MVowZjBkMDwwCQYF Kw4DAhoFAAQUi6TJyxcpGUU+u45zCZG5JfKDImUEFBa1MhvUx/Pg5o7zvdKwOu6y ORjRAgMLs8aAABgPMjAxMjEwMTExMjQyMTZaoBEYDzIwMTIxMDEzMTMyMTQxWjAN BgkqhkiG9w0BAQUFAAOCAQEAEWd9kKEfaurOXDV98OVtU27TmK4L4MeGEPdkg1i+ fbPMe1mouWlVm23W6yaM7mM2NMXLW+hTNzqfyMPM7rByXNaFAAniCPTXNO3eJRIA Zf0F10OSdBQ/ln4igHQCVZCnXR30/aP5/PMb4u3/LTuC9aW6K7mLXcuCvJztGnXO v3r64q/qTGG/b4eS65exykV9riSFuGp1rzLAy5fSYTBWTOBQ679PFjQnL60GkrZA Egtxw2ozEDwo+X0WamEouxN8mjX/VQlMdEbykUFDuPD3vZydZ04BV9f18RJZOU9j gCwMzd9gb4jUL4ykdWiLmO+YPDWFyNSYEIfnGgk1VvPHuaCCBL4wggS6MIIEtjCC Ap6gAwIBAgIDCpvzMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2Vy dCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnMB4XDTExMDgyMzAwMDI1NloXDTEzMDgyMjAwMDI1NlowfDELMAkGA1UE BhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYDVQQKEwtD QWNlcnQgSW5jLjEeMBwGA1UECxMVU2VydmVyIEFkbWluaXN0cmF0aW9uMRgwFgYD VQQDEw9vY3NwLmNhY2VydC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCcxtRv5CPHw3BLdR/k/K72YsRgodbP+UdAONmvBvWzhwm6B8h6O+M64sFr 2w6be7SYBECIyOQgNJ1flK4MoAWhdBA/H5NtxaDOKbAqA27tO9GaevcPp7c518O0 3hVnlPLvsN1f48nY0jQOXUTfv5nYXmD0OSSK/V3IRo0KsWB6T9UnMGCeEwb4Oqqz uzM0b4SBflzMEony/m6Tg/qL7qs2TLZAqe77+BZaVdFkDUnaBN7RyMruXySxeXiz mogT3WhROeloMa/X+E01bWBYBEK7VZIY9pgBpXQ7vDbbIGgYuIXUi20wh03WMy16 VDYdV0IUXHpidNUeK9W/BPP/7APBAgMBAAGjRDBCMAwGA1UdEwEB/wQCMAAwJwYD VR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDCTAJBgNVHREEAjAA MA0GCSqGSIb3DQEBBQUAA4ICAQAoT6p5f3cGprAcgrnzdenfTmDe9LCW7k2VnazA MAzpsD6gXcSlo4+3hoHem/SpKRH2tqi34DmImCiv/S6fxsKM4Gfn5rlkAFviuTvS r5Zrwh4ZKSfaoWv4bmbzmcAxvuxdMWHf/5PbjegjzFTbBMekVPZY/abYtD6kdHQZ VNgzwZVfTBfYhfa+Rg72I2zjKpMsjxMqWfTmUzW6wfK6LFudZqu0U1NnJw+IlnVU 6WtjL885ebQrmcRqWz3nMhVLIu5L3w/s+VTLvm7If6jcMDNUjz8s2BPcJeCXg3TE STsyl6tvk17RRz2+9JskxVOk11xIn96xR4FCERIid2ek9z1xi7oYOajQF50i/9Gj ReDEfRSyb4/LzoKDOY+h4Q6jryeHh7WIHFiK5qrBN2y8qOoRJ/OqQnqci/BJBNpe g9Q9PJRgGSzRndTXNHiYRbeLpq7eGo3sPqlR9qBQ3rd98XGOU0RCMnzjKhENC3qo 5PkSF2xs8RmjWktFSTDwjYo0qf1teo7CGHjgaPjQ7JE8Q4ysFOQndSWmLpqwDcI9 HfIvPwUIWArQrJRh9LCNSyvHVgLqY9kw8NW4TlMxV2WqaYCkiKi3XVRrSFR3ahS1 VBvRZ8KpplrV7rhXjVSSqqfLk1sX3l72Ck2F9ON+qbNFmvhgNjSiBY9neMgo804a wG/pag== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_ND1.ors0000644000175100017510000000117615161577363025255 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBSJRFH/UCpp Xi2I9CG62QzyzsvqfBgPMjAxMjEwMTEwODQxMTNaMHMwcTBJMAkGBSsOAwIaBQAE FEi2DTgjjfhFbk7lhD6jlBEYApefBBSIRFH/UCppXi2I9CG62QzyzsvqfAIQIuEz IiCgSN8psr+aMcKbB4AAGA8yMDEyMTAxMTA4NDExM1qgERgPMjAxMjEwMTUwODQx MTNaMA0GCSqGSIb3DQEBBQUAA4IBAQCNnhlBMxxh9z5AKfzAxiKs90CfxUsqfYfk 8XlyF9VIfWRfEwzS6MF1pEzLnghRxTAmjrFgK+sxD9wk+S5Mdgw3nbED9DVFH2Hs RGKm/t9wkvrYOX6yRQqw6uRvU/5cibMjcyzKB/VQMwk4p4FwSUgBv88A5sTkKr2V eYdEm34hg2TZVkipPMBiyTyBLXs8D/9oALtnczg4xlTRSjDUvqoXL5haqY4QK2Pv mNwna6ACkwLmSuMe29UQ8IX2PUB4R5Etni5czyiKGxZLm+4NAhuEwWFNEzCyImPc 087gHGU1zx+qVSlajqMJ/9ZXYjbt7WiWdhOTGEv4VMn8dHhRUs32 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_ND2.ors0000644000175100017510000000117615161577363025256 0ustar00runnerrunnerMIIB0woBAKCCAcwwggHIBgkrBgEFBQcwAQEEggG5MIIBtTCBnqIWBBQMWOWLxkwV N6RAqTCpIb5HNlpW/xgPMjAxMjEwMTAyMzAzMTlaMHMwcTBJMAkGBSsOAwIaBQAE FOy+ZAvtiWulchtVZmfKU1ZI9ewTBBQLWOWLxkwVN6RAqTCpIb5HNlpW/wIQEaO0 0OyNt3+doM1dLVEvQoAAGA8yMDEyMTAxMDIzMDMxOVqgERgPMjAxMjEwMTQyMzAz MTlaMA0GCSqGSIb3DQEBBQUAA4IBAQCHn2nGfEUX/EJruMkTgh7GgB0u9cpAepaD sPv9gtl3KLUZyR+NbGMIa5/bpoJp0yg1z5VL6CLMusy3AF6Cn2fyaioDxG+yc+gA PcPFdEqiIMr+TP8s7qcEiE6WZddSSCqCn90VZSCWkpDhnCjDRwJLBBPU3803fdMz oguvyr7y6Koxik8X/iUe8EpSzAvmm4GZL3veTI+x7IezJSrhCS9zM0ZHjySjoDxC +ljGH0EuWPTmFEqZVGIq3cuahIYzKItUbYnXU6ipi/2p42qbsFeok7eEN0EYsY1a vRATHGRmU7Q5HLCq4rQtZC1cis52Mvc9x1W4z/Gt5A3FtgElXXNA ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WRID_ND3.ors0000644000175100017510000000120215161577363025245 0ustar00runnerrunnerMIIB1AoBAKCCAc0wggHJBgkrBgEFBQcwAQEEggG6MIIBtjCBn6IWBBSuvZh6NLQm 9/rEJlTvA73gJMtUGhgPMjAxMjEwMTAxMzA3NDZaMHQwcjBKMAkGBSsOAwIaBQAE FHyxZlScq9tE7mImFq30ZXv3etWUBBStvZh6NLQm9/rEJlTvA73gJMtUGgIRAKcN bJWejX5BTb8DmevkCauAABgPMjAxMjEwMTAxMzA3NDZaoBEYDzIwMTIxMDE0MTMw NzQ2WjANBgkqhkiG9w0BAQUFAAOCAQEAA70+GYJoFuUBwIN9KHMqmOOtnmoLBBlm HL2Su70ZEqSmL4zTt3iHY3m2YaNYSPphgDlQ4lY8zGAkCSrZ3ulpJun3RRy+gD29 0ks155tChMbYNZrFm46vKWabBjh2p+623daymlcbgizi5Z+P4oJL68VrOqh+DArE MpHH16BTGaF+bAjzTRSbS90xUReqwnnEpRBrmcQVo4uKpSkbyrx7iMLqsJ2vGpgh xqj1kNPT9g3+gegmdU9QpFV0l9ZV8X/f0uz5nT4I0NL81d/KDHGx2rd+bftLODeL ZAWAzFbr5B5EMqPGoh/SQXpcuVOqMHjh8fi8PBXBcitlIFzdDKXDvA== ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_D1_Issuer_ICA.pem0000644000175100017510000000313715161577363027240 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIEhjCCA26gAwIBAgILBAAAAAABL07hXdQwDQYJKoZIhvcNAQEFBQAwTDEgMB4G A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTEwNDEzMTAwMDAwWhcNMjIwNDEz MTAwMDAwWjBZMQswCQYDVQQGEwJVUzEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z YTEvMC0GA1UEAxMmR2xvYmFsU2lnbiBFeHRlbmRlZCBWYWxpZGF0aW9uIENBIC0g RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNoUbMUpq4pbR/WNnN 2EugcgyXW6aIIMO5PUbc0FxSMPb6WU+FX7DbiLSpXysjSKyr9ZJ4FLYyD/tcaoVb AJDgu2X1WvlPZ37HbCnsk8ArysRe2LDb1r4/mwvAj6ldrvcAAqT8umYROHf+IyAl VRDFvYK5TLFoxuJwe4NcE2fBofN8C6iZmtDimyUxyCuNQPZSY7GgrVou9Xk2bTUs Dt0F5NDiB0i3KF4r1VjVbNAMoQFGAVqPxq9kx1UBXeHRxmxQJaAFrQCrDI1la93r wnJUyQ88ABeHIu/buYZ4FlGud9mmKE3zWI2DZ7k0JZscUYBR84OSaqOuR5rW5Isb wO2xAgMBAAGjggFaMIIBVjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUsLBK/Rx1KPgcYaoT9vrBkD1rFqMwRwYDVR0gBEAwPjA8 BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t L3JlcG9zaXRvcnkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5uZXQvcm9vdC1yMi5jcmwwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzAB hihodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9FeHRlbmRlZFNTTENBMCkGA1Ud JQQiMCAGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAzAfBgNVHSMEGDAW gBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAL0m28rZa pJWrnlrpK4KbzJBrfHRFIOde2Mcj7ig1sTVlKqVR4FU/9oNntOQ2KbDa7JeVqYoF o0X+Iy5SiLQfEICt0oufo1+oxetz3nmIQZgz7qdgGLFGyUAQB5yPClLJExoGbqCb LTr2rk/no1E1KlsYBRLlUdy2NmLz4aQP++TPw5S/EauhWTEB8MxT7I9j12yW00gq iiPtRVaoZkHqAblH7qFHDBTxI+Egc8p9UHxkOFejj0qcm+ltRc9Ea01gIEBxJbVG qmwIft/I+shWKpLLg7h5CZctXqEBzgbttJfJBNxB7+BPNk3kQHNG7BESfIhbNCYl TercGL7FG81kwA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_D2_Issuer_Root.pem0000644000175100017510000000235515161577363027571 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCVVMxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_D3_Issuer_Root.pem0000644000175100017510000000501115161577363027562 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdUZXN0 IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO BgNVBAoTB1Rlc3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ 8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_ND1_Issuer_ICA.pem0000644000175100017510000000341115161577363027351 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJVUzEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_ND2_Issuer_Root.pem0000644000175100017510000000254715161577363027712 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJVUzEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3 UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI 2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp +2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8 t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug R1uUq27UlTMdphVx8fiUylQ5PsE= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/WSNIC_ND3_Issuer_Root.pem0000644000175100017510000000276115161577363027711 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCVVMx FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/openssl-ocsp.json0000644000175100017510000003266115161577363026644 0ustar00runnerrunner[ { "name": "direct_with_intermediate_success", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ND1.ors", "ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00" }, { "name": "direct_success", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "ND3.ors" ], "path_len": 2, "moment": "2012-10-12T00:00:00+00:00" }, { "name": "delegated_with_intermediate_success", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "D1.ors" ], "path_len": 3, "moment": "2012-10-23T11:00:00+00:00" }, { "name": "delegated_success", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "D3.ors" ], "path_len": 2, "moment": "2012-10-23T11:00:00+00:00" }, { "name": "direct_with_intermediate_invalid_response_signature_ee", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ISOP_ND1.ors", "ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "direct_with_intermediate_invalid_response_signature_intermediate", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ND1.ors", "ISOP_ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the intermediate certificate 1 revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "direct_invalid_response_signature", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "ISOP_ND3.ors" ], "path_len": 2, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "delegated_with_intermediate_invalid_response_signature", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "ISOP_D1.ors" ], "path_len": 3, "moment": "2012-10-10T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "delegated_invalid_response_signature", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "ISOP_D3.ors" ], "path_len": 2, "moment": "2012-10-10T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "direct_with_intermediate_invalid_wrong_responder_id_ee", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "WRID_ND1.ors", "ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be located" } }, { "name": "direct_with_intermediate_invalid_wrong_responder_id_intermediate", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ND1.ors", "WRID_ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the intermediate certificate 1 revocation checks failed: Unable to verify OCSP response since response signing certificate could not be located" } }, { "name": "direct_invalid_wrong_responder_id", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "WRID_ND3.ors" ], "path_len": 2, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be located" } }, { "name": "delegated_with_intermediate_invalid_wrong_responder_id", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "WRID_D1.ors" ], "path_len": 3, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be located" } }, { "name": "delegated_invalid_wrong_responder_id", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "WRID_D3.ors" ], "path_len": 2, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be located" } }, { "name": "direct_with_intermediate_invalid_wrong_issuer_name_hash_ee", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "WINH_ND1.ors", "ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer name hash does not match" } }, { "name": "direct_with_intermediate_invalid_wrong_issuer_name_hash_intermediate", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ND1.ors", "WINH_ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the intermediate certificate 1 revocation checks failed: OCSP response issuer name hash does not match" } }, { "name": "direct_invalid_wrong_issuer_name_hash", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "WINH_ND3.ors" ], "path_len": 2, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer name hash does not match" } }, { "name": "delegated_with_intermediate_invalid_wrong_issuer_name_hash", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "WINH_D1.ors" ], "path_len": 3, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer name hash does not match" } }, { "name": "delegated_invalid_wrong_issuer_name_hash", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "WINH_D3.ors" ], "path_len": 2, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer name hash does not match" } }, { "name": "direct_with_intermediate_invalid_wrong_issuer_key_hash_ee", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "WIKH_ND1.ors", "ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer key hash does not match" } }, { "name": "direct_with_intermediate_invalid_wrong_issuer_key_hash_intermediate", "root": "ND2_Issuer_Root.pem", "other_certs": [ "ND1_Issuer_ICA.pem" ], "cert": "ND1_Cert_EE.pem", "ocsps": [ "ND1.ors", "WIKH_ND2.ors" ], "path_len": 3, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the intermediate certificate 1 revocation checks failed: OCSP response issuer key hash does not match" } }, { "name": "direct_invalid_wrong_issuer_key_hash", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "WIKH_ND3.ors" ], "path_len": 2, "moment": "2012-10-12T00:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer key hash does not match" } }, { "name": "delegated_with_intermediate_invalid_wrong_issuer_key_hash", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "WIKH_D1.ors" ], "path_len": 3, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer key hash does not match" } }, { "name": "delegated_invalid_wrong_issuer_key_hash", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "WIKH_D3.ors" ], "path_len": 2, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response issuer key hash does not match" } }, { "name": "delegated_with_intermediate_invalid_wrong_key_in_signing_cert", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "WKDOSC_D1.ors" ], "path_len": 3, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "delegated_invalid_wrong_key_in_signing_cert", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "WKDOSC_D3.ors" ], "path_len": 2, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response signature" } }, { "name": "delegated_with_intermediate_invalid_signature_on_signing_cert", "root": "R2.pem", "other_certs": [ "D1_Issuer_ICA.pem" ], "cert": "D1_Cert_EE.pem", "ocsps": [ "ISDOSC_D1.ors" ], "path_len": 3, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be validated" } }, { "name": "delegated_invalid_signature_on_signing_cert", "root": "D3_Issuer_Root.pem", "cert": "D3_Cert_EE.pem", "ocsps": [ "ISDOSC_D3.ors" ], "path_len": 2, "moment": "2012-10-11T14:00:00+00:00", "error": { "class": "InsufficientRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: Unable to verify OCSP response since response signing certificate could not be validated" } }, { "name": "direct_stale_otherwise_ok", "root": "ND3_Issuer_Root.pem", "cert": "ND3_Cert_EE.pem", "ocsps": [ "ND3.ors" ], "path_len": 2, "moment": "2013-10-12T00:00:00+00:00", "error": { "class": "StaleRevinfoError", "msg_regex": "The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is not recent enough" } } ] ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/openssl-ocsp/readme.md0000644000175100017510000000022515161577363025072 0ustar00runnerrunnerOCSP certificates and responses from https://github.com/openssl/openssl/tree/master/test/ocsp-tests. Used under the terms of the Apache 2.0 license.././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/self-signed-with-policy.crt0000644000175100017510000000161415161577363026051 0ustar00runnerrunner0‚ˆ0‚p 0  *†H†÷  0K1 0 UBE10U Testing Authority10U Signers10 U Alice0  000101000000Z25000101000000Z0K1 0 UBE10U Testing Authority10U Signers10 U Alice0‚"0  *†H†÷ ‚0‚ ‚ás‚n/~.½F+_†¤È@búÉô€&(ñC­„ _–ìEáLJv6ZÔü¥]Û aP¥Fá6í#¸ da´FÅ«:}BP1{ £ÎÓDw¾ý[e—g©cS’#¶†¯I‰~ @±ížw»R1¯‰›°•Eit¬K"ÒEþ::¯æÁ º!‚*“*oòFšùËůÄ6PòWk4îJ¢!D(b{f Ù™ýÿ%¸ ©†cß[ á»ÌGãX£Áž˜I¦ë1ñƒë2+Ü\y7@Ûv.‚fe_²»b }{ße´ù×4ôúM- 2óüÿBjÞKIë£t0r0U^ǧºÔ g­®z=­j8µs ¸0U#0€^ǧºÔ g­®z=­j8µs ¸0Uÿ0ÿ0Uÿ†0U 00ˆ70  *†H†÷  ‚k–rûôuÿ³ábçûnÅÓ$ËË-µ‘5¸„1ýIŠH˜)¥{pdhrÁd@z2BüÑgŘÝw¤-üV$GYÆA”kW>îß# ÷à˜åðˆ@ï&a$zhó”›Ë‹Fÿ—ª¸˜ÿ˜¶†Ê øŠ’@‡OþŒUž°g²¿îî‚ûØòq3ñ=œ…ix‰…uBAe¿aßK´ãña[ÅÌgªÍmVˆ2Qbi¤ìÚɯäL¬õy1†CÀÇñ*ù56känçøñ‹Okƒî‚oP’ ¡= ü¡UŠ×£,HÊK¿ô?Ä8ñ 9fÐœoá6–p[ªJo ø././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.2988863 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-aia/0000755000175100017510000000000015161577372023074 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-aia/with-ldap-urls.der0000644000175100017510000000111415161577363026441 0ustar00runnerrunner0‚H0‚ú  E„k„†´fó0+ep071 0 UBE10U PyHanko tests10U Some CA0 200401000000Z 250401000000Z0J1 0 UBE10U PyHanko tests1#0!U Cert with LDAP URLs in AIA0*0+ep!<·«»..7Â\3.ge÷ +¯Œ™¯ ’-­¢ ÙM£‚0‚ 0Uÿ0ÿ0Uÿ0U#0€Þ­¾ïÞ­¾ïÞ­¾ïÞ­¾ï0UÞ­¾ïÞ­¾ïÞ­¾ïÞ­¾ï0JUC0A0? = ;†ldap://ldap.example.com/blah†http://repo.ca.example.com/0`+T0R0(+0†ldap://ldap.example.com/blah0&+0†http://repo.ca.example.com0+epAYQãÁ¾iAŠÄPñý|»#'Íퟢ·(;ë; ?ø6^‚ zLmºŽÒ>µ@Œ'=¬F•9ö¹Ä1Ã././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.3001425 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/0000755000175100017510000000000015161577372023721 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/interm.cert.pem0000644000175100017510000000152715161577363026663 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICSjCCAfygAwIBAgICEAEwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDEwMTAxMDAwMDAwWhgPMjQwMDAxMDEwMDAwMDBaMFkx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAqMAUGAytl cAMhAJYsPbcVqzCuKDXU7QCkixsYlaCCYBRnGQGUMQ4MZ5/Ko4HtMIHqMB0GA1Ud DgQWBBTogPuh4ZuXJexOz4ZbWJWOsonA3jAfBgNVHSMEGDAWgBRvWeMHGaxaUpWw xnYPXYirtZYA+TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjBI BggrBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYS5leGFtcGxlLmNv bS9yb290L2NlcnRzL2NhLmNlcnQucGVtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6 Ly9jYS5leGFtcGxlLmNvbS9yb290L2NybC9jYS5jcmwucGVtMAUGAytlcANBAFoz 59Uvl68jDZa+nKT4BP1jawbtF/pCrR00DByDPxnOZb1B7bPu0mWIBn3AY8JEwY/U 1XN/JlIaYY+84kcBrAA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/ocsp.cert.pem0000644000175100017510000000147615161577363026334 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICNzCCAemgAwIBAgICEAAwBQYDK2VwMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAgFw0wMjAxMDEwMDAwMDBaGA8yMzAwMDEwMTAw MDAwMFowWDELMAkGA1UEBhMCQkUxFDASBgNVBAoMC0V4YW1wbGUgSW5jMRowGAYD VQQLDBFUZXN0aW5nIEF1dGhvcml0eTEXMBUGA1UEAwwOT0NTUCBSZXNwb25kZXIw KjAFBgMrZXADIQBSwRVXzaoB3g7FvovaspUDmO7YrlA3WjK/y0GFTczHpaOB0zCB 0DAJBgNVHRMEAjAAMB0GA1UdDgQWBBTN9HsEzR94TiAaqc70m44rlo94CjAfBgNV HSMEGDAWgBTogPuh4ZuXJexOz4ZbWJWOsonA3jAOBgNVHQ8BAf8EBAMCB4AwUAYI KwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vY2EuZXhhbXBsZS5jb20v aW50ZXJtZWRpYXRlL2NlcnRzL2NhLmNlcnQucGVtMCEGA1UdJQEB/wQXMBUGCCsG AQUFBwMJBgkrBgEFBQcwAQUwBQYDK2VwA0EAff6Vfd1HRo7PaG2S3TZamWploXH7 7dMp+CUbt/29b/i2bSJDe0sI0TFz5ydgOJ82yTg/HNKe3Dyi4Js3MZ/3AQ== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/root.cert.pem0000644000175100017510000000122015161577363026336 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIBtzCCAWmgAwIBAgICEAAwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBaMFEx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwKjAFBgMrZXADIQAXWlpT uI49x/lQ+ejNPZoVBuw9z/qj+5NNs4lWzipO7aNjMGEwHQYDVR0OBBYEFG9Z4wcZ rFpSlbDGdg9diKu1lgD5MB8GA1UdIwQYMBaAFG9Z4wcZrFpSlbDGdg9diKu1lgD5 MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAUGAytlcANBAD0febBi r+7U45bbZ2jWjMP5nOOtWW7bk6cgcUyLgw3iG23ODi7AySnvPq/+VYSlCtY2bLRD bVZtSmCr0+cj0Qk= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/signer.cert.pem0000644000175100017510000000177115161577363026655 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICwzCCAnWgAwIBAgICEAEwBQYDK2VwMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0yMTAxMDEwMDAw MDBaMHkxCzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UE CwwRVGVzdGluZyBBdXRob3JpdHkxFzAVBgNVBAMMDkxvcmQgVGVzdGVyaW5vMR8w HQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMCowBQYDK2VwAyEAPLeruy4u NwHCXDMGFi5nZfcNK6+Mma8Mki0ZraIM2U2jggE/MIIBOzAJBgNVHRMEAjAAMB0G A1UdDgQWBBRC2CPBHO1RqGKDPEId1i1N6HtIHDAfBgNVHSMEGDAWgBTogPuh4ZuX JexOz4ZbWJWOsonA3jAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMEMIGCBggrBgEFBQcBAQR2MHQwMAYIKwYBBQUHMAGGJGh0dHA6 Ly9vY3NwLmV4YW1wbGUuY29tL2ludGVybWVkaWF0ZTBABggrBgEFBQcwAoY0aHR0 cDovL2NhLmV4YW1wbGUuY29tL2ludGVybWVkaWF0ZS9jZXJ0cy9jYS5jZXJ0LnBl bTA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY2EuZXhhbXBsZS5jb20vcm9vdC9j cmwvY2EuY3JsLnBlbTAFBgMrZXADQQAsiBZD/im/xLFNfEcZiIWYnRJbN1sdfAUn tGV+78sTTsJR8qTrdmAZShCilwD/PuzOTeRB1oIWtjUGsJNWNsgP -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/signer2.cert.pem0000644000175100017510000000176515161577363026742 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICvzCCAnGgAwIBAgICEAIwBQYDK2VwMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0yMTAxMDEwMDAw MDBaMHUxCzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UE CwwRVGVzdGluZyBBdXRob3JpdHkxFDASBgNVBAMMC0JvYiBSZXZva2VkMR4wHAYJ KoZIhvcNAQkBFg9ib2JAZXhhbXBsZS5jb20wKjAFBgMrZXADIQCEF5ZWFOHMYxFl Nz0L+mV+GnXysvDlukv8nK26s2Y/YKOCAT8wggE7MAkGA1UdEwQCMAAwHQYDVR0O BBYEFF2FnLPxjcXVkuDjQWe+6ay4stvrMB8GA1UdIwQYMBaAFOiA+6Hhm5cl7E7P hltYlY6yicDeMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI KwYBBQUHAwQwgYIGCCsGAQUFBwEBBHYwdDAwBggrBgEFBQcwAYYkaHR0cDovL29j c3AuZXhhbXBsZS5jb20vaW50ZXJtZWRpYXRlMEAGCCsGAQUFBzAChjRodHRwOi8v Y2EuZXhhbXBsZS5jb20vaW50ZXJtZWRpYXRlL2NlcnRzL2NhLmNlcnQucGVtMDoG A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jYS5leGFtcGxlLmNvbS9yb290L2NybC9j YS5jcmwucGVtMAUGAytlcANBABVww4W9Y2dsYTK3dC9QGmmCnjpT3BCXRkE82jgb njOTxZ8OZt8ZHe5lPRpLDH1RvBLJb18vZK6fpcf+ua/nwgQ= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/tsa.cert.pem0000644000175100017510000000156315161577363026154 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICXzCCAhGgAwIBAgICEAIwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwHhcNMDIwMTAxMDAwMDAwWhcNMzAwMTAxMDAwMDAwWjBhMQsw CQYDVQQGEwJCRTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxGjAYBgNVBAsMEVRlc3Rp bmcgQXV0aG9yaXR5MSAwHgYDVQQDDBdUaW1lIFN0YW1waW5nIEF1dGhvcml0eTAq MAUGAytlcAMhAFXPK2c1QCsvba9Yen5H92CnF+Wh08ZooCcceSBsDK5go4H8MIH5 MAkGA1UdEwQCMAAwHQYDVR0OBBYEFDMKRHcVwyBpDzH52uGLIXU+wbWqMB8GA1Ud IwQYMBaAFG9Z4wcZrFpSlbDGdg9diKu1lgD5MA4GA1UdDwEB/wQEAwIGwDAWBgNV HSUBAf8EDDAKBggrBgEFBQcDCDBIBggrBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKG LGh0dHA6Ly9jYS5leGFtcGxlLmNvbS9yb290L2NlcnRzL2NhLmNlcnQucGVtMDoG A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jYS5leGFtcGxlLmNvbS9yb290L2NybC9j YS5jcmwucGVtMAUGAytlcANBADaPSm0rabL0iesQRA/uplG9MoCoKufGjSy+utJ7 Ulef4qkkntBhNfnKxUW1dKtNn+g6xvMCq1y3AAbjuPgaSQQ= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed25519/tsa2.cert.pem0000644000175100017510000000156715161577363026242 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICYTCCAhOgAwIBAgICEAMwBQYDK2VwMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwHhcNMjgwMTAxMDAwMDAwWhcNNDAwMTAxMDAwMDAwWjBjMQsw CQYDVQQGEwJCRTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxGjAYBgNVBAsMEVRlc3Rp bmcgQXV0aG9yaXR5MSIwIAYDVQQDDBlUaW1lIFN0YW1waW5nIEF1dGhvcml0eSAy MCowBQYDK2VwAyEAYrpvOpjN0iNgya4r84CzxgfLpmcO1EubZczq1ZFnnM2jgfww gfkwCQYDVR0TBAIwADAdBgNVHQ4EFgQU01SpAT0EEnY7bMqzAw4ZXmLKGrYwHwYD VR0jBBgwFoAUb1njBxmsWlKVsMZ2D12Iq7WWAPkwDgYDVR0PAQH/BAQDAgbAMBYG A1UdJQEB/wQMMAoGCCsGAQUFBwMIMEgGCCsGAQUFBwEBBDwwOjA4BggrBgEFBQcw AoYsaHR0cDovL2NhLmV4YW1wbGUuY29tL3Jvb3QvY2VydHMvY2EuY2VydC5wZW0w OgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NhLmV4YW1wbGUuY29tL3Jvb3QvY3Js L2NhLmNybC5wZW0wBQYDK2VwA0EAUPYox5PieCyTelDO1vYce96D/QXVyBP7CsYr eUljLAcFUoK5XnVSZ532ORBnGOnCDnimURy4z6+2hU9Ot9eFDQ== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.3019288 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/0000755000175100017510000000000015161577372023553 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/interm.cert.pem0000644000175100017510000000167415161577363026520 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIClTCCAhWgAwIBAgICEAEwBQYDK2VxMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDEwMTAxMDAwMDAwWhgPMjQwMDAxMDEwMDAwMDBaMFkx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTBDMAUGAytl cQM6ABX74q/NzkUg2G1jHsIvqsM2ENm7Gg0Ym46hp0Gaiv/JfT4Om8eY2rB2urPm bCb8+35NbWPDh9RXAKOB7TCB6jAdBgNVHQ4EFgQU9GxF3Mn9963NE7A/laPyqCFR LN4wHwYDVR0jBBgwFoAU2D4M0pCJXJKGvSBhFb9Bl/D6HEwwEgYDVR0TAQH/BAgw BgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwSAYIKwYBBQUHAQEEPDA6MDgGCCsGAQUF BzAChixodHRwOi8vY2EuZXhhbXBsZS5jb20vcm9vdC9jZXJ0cy9jYS5jZXJ0LnBl bTA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY2EuZXhhbXBsZS5jb20vcm9vdC9j cmwvY2EuY3JsLnBlbTAFBgMrZXEDcwBvnvVlLitQUbiSsB7lC+cVgi2jUFX2gNFG weJ6joN1KI/KHkttW6CL3PrAPreToJFELYNA1Q37pwCgdj2LRImalSmHQTTfuRQG L6EcSg2MWNIMkFVhOj6Mi3dgX9wfZ7gWvPenrQe+tYPfc1KmcuXlLAA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/ocsp.cert.pem0000644000175100017510000000164415161577363026163 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICgjCCAgKgAwIBAgICEAAwBQYDK2VxMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAgFw0wMjAxMDEwMDAwMDBaGA8yMzAwMDEwMTAw MDAwMFowWDELMAkGA1UEBhMCQkUxFDASBgNVBAoMC0V4YW1wbGUgSW5jMRowGAYD VQQLDBFUZXN0aW5nIEF1dGhvcml0eTEXMBUGA1UEAwwOT0NTUCBSZXNwb25kZXIw QzAFBgMrZXEDOgAupFAFYBpP8yLbZNgQpoI/EW4fXmzSl5FQpqz9G/s+ECxNXRDm MdKlOLlSNgHUG5jroXrdg1UB0YCjgdMwgdAwCQYDVR0TBAIwADAdBgNVHQ4EFgQU n00D2du7Z/7uQe/a4lJIqqKlZbkwHwYDVR0jBBgwFoAU9GxF3Mn9963NE7A/laPy qCFRLN4wDgYDVR0PAQH/BAQDAgeAMFAGCCsGAQUFBwEBBEQwQjBABggrBgEFBQcw AoY0aHR0cDovL2NhLmV4YW1wbGUuY29tL2ludGVybWVkaWF0ZS9jZXJ0cy9jYS5j ZXJ0LnBlbTAhBgNVHSUBAf8EFzAVBggrBgEFBQcDCQYJKwYBBQUHMAEFMAUGAytl cQNzAPZSZXgzH0eX3opFyw/WBh/9ERCeCJNNIQp0sfxPSvSm279ghFwhD//TpJTf 1HqnbMiKBfeKWRthgH4cZUs2Uk+Wsxa98biQd6CUABb+J/MNE+1J7/FZV+JrqEa4 h0zLLQm/xMjDHDFAaZtGZEYj3JcqAA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/root.cert.pem0000644000175100017510000000136515161577363026202 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICAjCCAYKgAwIBAgICEAAwBQYDK2VxMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBaMFEx CzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVz dGluZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwQzAFBgMrZXEDOgDcJxm7 /+zvrsQnkaHnfbpO4b6UBENMF8S6ypa4IqFIPvTWxl7n2ArzfeW6Nl29jeH8ma9y X0v+agCjYzBhMB0GA1UdDgQWBBTYPgzSkIlckoa9IGEVv0GX8PocTDAfBgNVHSME GDAWgBTYPgzSkIlckoa9IGEVv0GX8PocTDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud DwEB/wQEAwIBhjAFBgMrZXEDcwD/3LvVBPriAWqDaj4EmoNaN8OuyMalKx16QLGz aBPL6zKP0+/7Ll/com0L7qusWPsA6YRxfNlIJABsBLrHiIBIOguZBl9WJdZzr5kA fq+rK9jQezE85KEiu4LMTY8gC3Q+wRo1dP9E8FbMiDlnCfp2AgA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/signer.cert.pem0000644000175100017510000000213715161577363026504 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDDjCCAo6gAwIBAgICEAEwBQYDK2VxMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0yMTAxMDEwMDAw MDBaMHkxCzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UE CwwRVGVzdGluZyBBdXRob3JpdHkxFzAVBgNVBAMMDkxvcmQgVGVzdGVyaW5vMR8w HQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMEMwBQYDK2VxAzoAKKBhpr7T E7qE4EerMBdOHRIMlutZ+Gu+BwalewS3Qv0qPiCFOxKxSNTwFk/8pl6eyNjB8dub k/+Ao4IBPzCCATswCQYDVR0TBAIwADAdBgNVHQ4EFgQUFhacLqgbQ1nxTRo43QD9 1UpdHqgwHwYDVR0jBBgwFoAU9GxF3Mn9963NE7A/laPyqCFRLN4wDgYDVR0PAQH/ BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDCBggYIKwYBBQUH AQEEdjB0MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5leGFtcGxlLmNvbS9pbnRl cm1lZGlhdGUwQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYS5leGFtcGxlLmNvbS9pbnRl cm1lZGlhdGUvY2VydHMvY2EuY2VydC5wZW0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0 cDovL2NhLmV4YW1wbGUuY29tL3Jvb3QvY3JsL2NhLmNybC5wZW0wBQYDK2VxA3MA iw4x4mMzxg4b04P3LwtLVBPq8dlheX0YlD20kvOQGe5NARqIpKWt8iNGGNj6QtEX YKiUeCrpn/SAJfDUhUDa8Qw/Br1/KOiLP/MEwUvEKXNwuvJbaMN8k2wDWKVTwn71 SHYUdo7o5OxblMAAP4OsNTcA -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/signer2.cert.pem0000644000175100017510000000213315161577363026562 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDCjCCAoqgAwIBAgICEAIwBQYDK2VxMFkxCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNV BAMMD0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0yMTAxMDEwMDAw MDBaMHUxCzAJBgNVBAYTAkJFMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEaMBgGA1UE CwwRVGVzdGluZyBBdXRob3JpdHkxFDASBgNVBAMMC0JvYiBSZXZva2VkMR4wHAYJ KoZIhvcNAQkBFg9ib2JAZXhhbXBsZS5jb20wQzAFBgMrZXEDOgBEZubNOwwK7Rg3 UXrqUSIUuQ9EG5JVJeg2DDKFG5jvQPqeQhWWhIG+Xbg8yz3Oh2ibQILTtRGxKoCj ggE/MIIBOzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQY7tiFRH6/cbRCHxVSPK3O7MxB 9zAfBgNVHSMEGDAWgBT0bEXcyf33rc0TsD+Vo/KoIVEs3jAOBgNVHQ8BAf8EBAMC BeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMIGCBggrBgEFBQcBAQR2 MHQwMAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmV4YW1wbGUuY29tL2ludGVybWVk aWF0ZTBABggrBgEFBQcwAoY0aHR0cDovL2NhLmV4YW1wbGUuY29tL2ludGVybWVk aWF0ZS9jZXJ0cy9jYS5jZXJ0LnBlbTA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v Y2EuZXhhbXBsZS5jb20vcm9vdC9jcmwvY2EuY3JsLnBlbTAFBgMrZXEDcwC/nXx+ js0rYgTFNdmSPY36boD0dge2EIO7ZPqHcyah6jpJe/rq/zSoZVMzFURnFNKRxQlc ZVoChgDzZruzWd55mYqLmWSxKsbM0el9I8+FbbC/2EkcfRlmdVrGQ5N0r1tiXidK pziQ1cyq3+5flOmGBgA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/tsa.cert.pem0000644000175100017510000000173115161577363026003 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICqjCCAiqgAwIBAgICEAIwBQYDK2VxMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwHhcNMDIwMTAxMDAwMDAwWhcNMzAwMTAxMDAwMDAwWjBhMQsw CQYDVQQGEwJCRTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxGjAYBgNVBAsMEVRlc3Rp bmcgQXV0aG9yaXR5MSAwHgYDVQQDDBdUaW1lIFN0YW1waW5nIEF1dGhvcml0eTBD MAUGAytlcQM6ABGNqV5M+7RvhdsOeJgBypOpY3abwulNU4QFTh/jx0+sNIjKFZOt mF2zjeux4WBeE1Z0lNHx4J92AKOB/DCB+TAJBgNVHRMEAjAAMB0GA1UdDgQWBBTy XhRqVrTDOhN4y3zWstMkCZdO7TAfBgNVHSMEGDAWgBTYPgzSkIlckoa9IGEVv0GX 8PocTDAOBgNVHQ8BAf8EBAMCBsAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwSAYI KwYBBQUHAQEEPDA6MDgGCCsGAQUFBzAChixodHRwOi8vY2EuZXhhbXBsZS5jb20v cm9vdC9jZXJ0cy9jYS5jZXJ0LnBlbTA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v Y2EuZXhhbXBsZS5jb20vcm9vdC9jcmwvY2EuY3JsLnBlbTAFBgMrZXEDcwA0X/7l izFvy9nVVG5UBF55gNL2l1wFfRgxsHmIGhay0Z4YjExs0DOCz5ZJzOW3H40b+qRy z1JTFoAFAMGMA1Fzdnre2KpEg814h1JSw2LpIGJmU3dvFu9vzAWPl9VkA/mZygMi 07TLXQt3tPOVVrobMgA= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-ed448/tsa2.cert.pem0000644000175100017510000000173515161577363026071 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIICrDCCAiygAwIBAgICEAMwBQYDK2VxMFExCzAJBgNVBAYTAkJFMRQwEgYDVQQK DAtFeGFtcGxlIEluYzEaMBgGA1UECwwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNV BAMMB1Jvb3QgQ0EwHhcNMjgwMTAxMDAwMDAwWhcNNDAwMTAxMDAwMDAwWjBjMQsw CQYDVQQGEwJCRTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxGjAYBgNVBAsMEVRlc3Rp bmcgQXV0aG9yaXR5MSIwIAYDVQQDDBlUaW1lIFN0YW1waW5nIEF1dGhvcml0eSAy MEMwBQYDK2VxAzoAQtoB92i0vHyRvnegACtS+VAM020JLKDRrWf1qIOeOsm9eaSX HYu7T4Q5KsqvoIi3irgzTldsiyOAo4H8MIH5MAkGA1UdEwQCMAAwHQYDVR0OBBYE FAjKNFd+QOxgicgsdJmPUj/tuzrQMB8GA1UdIwQYMBaAFNg+DNKQiVyShr0gYRW/ QZfw+hxMMA4GA1UdDwEB/wQEAwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDBI BggrBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly9jYS5leGFtcGxlLmNv bS9yb290L2NlcnRzL2NhLmNlcnQucGVtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6 Ly9jYS5leGFtcGxlLmNvbS9yb290L2NybC9jYS5jcmwucGVtMAUGAytlcQNzAKjp WyQk25SQ1KEGFV2Q+oiKqRCxK+8QiXKWfYFgzLKKAXWmqhG3HhHx7WSTjxXmnp9C ZqM3jXFSANm+hZVeukum/NpLfryT87y51EiCwOD9dtOYNyFg9XpO7hnxzZCy/Ari MlUbpxgnnkamDMGukoQfAA== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000003300000000000010211 xustar0027 mtime=1774649082.302753 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss/0000755000175100017510000000000015161577372023530 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss/interm.cert.pem0000644000175100017510000000254315161577363026471 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDzDCCAoCgAwIBAgICEAEwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjBDMQswCQYDVQQG EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVy bWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHp2s/e iBXxSdjZgzQZEQ9QIIR7sVf3Tn85yXYyPI/KHf+9p/njYsZBZ0LWZ/d81Cwy7Z2p plPBRCsonAizTtBXuvWejDespQ0bxjIa11l8rK3qOA6x9pnkoHnixS1YbLgspPhw +rS8RaebyUWj3WS8mpU6MVdalRIrBM9glX6uIGYqDbkL7wPYvmgp0zNDF3yj0rSQ AjR8MXUI9uq0IH8YjPA3YKrbRtf12nNNtk6W8i6d0DiEtgE1x9eeKA8vKVzfHdjH KmgGi1Dkv0zEpx4GCu/VJ+C0QCrF5iBRl79RB0QbuNHLQkhgUpL8Ra8dwnqMBf6/ riEp4gCyU7/rtNsCAwEAAaNmMGQwHQYDVR0OBBYEFO+/elGLLqQuSl3SzudheM5q NklPMB8GA1UdIwQYMBaAFPG0eZUCsrRfOXL9sI/CX69bmlC1MBIGA1UdEwEB/wQI MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZI AWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAQEA cBP88oJDFzHF5n63taaY1AKVZKrphwTWdqn2UQH13F065qfxIZcxZJgQArTd0nc5 aVPsh/cXs5hv+bKsdsnkZeoEWSDmCdKh7rk5PcwFaX75ebWASrQ6JVSwJKlVI+3Y 99wsqQ56PPBFYQmr3iNlC4RW079UHek+e1BnTizyUzutdVRZPqTEUqAYWB2ksqDG ICGi6zuzsZMOJc13uV27SL4hrLueNQnOPu2HMBZ/DWBRbvtkQeeYItPYqjmSVain ggAylz2v84tCxAVZC1OKpIOt5vRJxrpA9vpMvT1SlReC3ZXtHM0HpB4+SXH2PKuF lPWqtS+yvu2uSiUderYZ/g== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss/root.cert.pem0000644000175100017510000000230415161577363026151 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDWTCCAkGgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCQkUx GjAYBgNVBAoMEVRlc3RpbmcgQXV0aG9yaXR5MRAwDgYDVQQDDAdSb290IENBMCIY DzIwMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBaMDsxCzAJBgNVBAYTAkJF MRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBDQTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANB//m+farVsSmZXTNIJCmQc ieVlbHkf0dXe+Vw27S2Op5FiNkDuLNJCCNsqhE+HhITzPjiv+BsUlJTzOssGqm7W huNQCaKmtuOH701HImMdoJ4EcLXWycg2rJiR3R83BsyT+FJaGuPFGDc3ljzrG6Ch zT/ZrgmjIaSStWX3JQDJhK71NUTWTzX1gzF+aitx5UZ5CewBQkeUD/EWcwhrBB6/ xIrNMxsVPd6Ui6kOowfISQorusdnpxSaxeYeGY2f6Xdc5JtR9EIlY/ErJmAasmQl owXEVudFupX+YG1cGWK3p5NAoXGc1VS7jqNSyqXaJe+D4l6y5AhE4i5A+JcSrWkC AwEAAaNjMGEwHQYDVR0OBBYEFPG0eZUCsrRfOXL9sI/CX69bmlC1MB8GA1UdIwQY MBaAFPG0eZUCsrRfOXL9sI/CX69bmlC1MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P AQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQB6SxjdZP2EwTOdwvfyAI0JBp8G jD4MiOAt9y74jRFT/jTSZmFZVNBG38irOf2oS9hPyyTEPINjVHnZclVq7XZLiJy4 a0mG3AMicZuYeQxnBW9OJ+FMKrd3AgfoDozj3ta3i+Sbm6xqLu7ytT8P24L/ox9w 5FakVrSmN3kMdrdUzMuW/omzQVAmMeBTn819LAdQOFfAeq+iAOnYzXa5sIqAOXFK pWnCltHoERLjSlveUKso3OXsKHTk+7Ge0/x9vl/ojNey+q+o3+CIEGSx6dYEt9eB 27YqxYvkBbmNWoT8fhILhV5umt7gHbyf3/PN1ieebx+DKl7uQGZZ1Ab/9T05 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss/signer1.cert.pem0000644000175100017510000000253315161577363026542 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDyDCCAnygAwIBAgICEAAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMEMxCzAJBgNVBAYT AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEYMBYGA1UEAwwPSW50ZXJt ZWRpYXRlIENBMCIYDzIwMjAwMTAxMDAwMDAwWhgPMjAyMjAxMDEwMDAwMDBaMEsx CzAJBgNVBAYTAkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UE CwwHU2lnbmVyczEOMAwGA1UEAwwFQWxpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDhc4JuHi9+Lr1GK1+GpMhAYvrJ9IAmKPFDrYQKX5bsReHHGhoQ h3Y2WtT8EaVd2wxhUKVG4TbtI7ggZGG0RsWrEDp9QlAxewwgo87TRHe+/VsEZQOX Z6ljBVOSI7aGr0mJfggNQLHtnncau1IxGa+JCJuwA5VFaXSsSyLSRRD+EDo6r+bB DbohgiqTKm/yRpr5y8UXr8Q2UPISA1drNO5KwqIPIUQoYnt/ZgzZmf0R/yW4DBOp hmPfWwwJ4bvMR+NYgaPBnphJphXrMfGD6zIr3Fx5N0Dbdi7CggBmZRudX7K7Ygt9 e99ltPnXNPT6CE0tDTLz/P9/HUJqHd5LSQbrAgMBAAGjUjBQMB0GA1UdDgQWBBRe x6e61ApnrZ2uej2tFGo4tXMKuDAfBgNVHSMEGDAWgBTvv3pRiy6kLkpd0s7nYXjO ajZJTzAOBgNVHQ8BAf8EBAMCBsAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQME AgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQAnAmFy gQmr7zOB/4HV3LqY008M/bjvWDxv5h55k3cqmeGKomuwVYYRZs26ksGbrBu0+zlK RncSHEnKUggIItm0IZPNN6wLLiTc/jEIXGQ1v3JZZoufy8ujZdWdh3UFXzyRgbsq rjnEQPzTLD/kLtKjBqadqJI1c9MptnGh2wQl+wiUnO+y5c+wZjMykQT8bWZFeOFU wczQ3W8jhGW+c59dWc0Ka3gn5/U/pW6ZfAsYBfp7L7t6pnPBwkReYmyZHoNABIWb gmXmzpbAcHoXzSv3aIimof+BWEDxAKAs/Yo+kiqaADuG5T7Q6QJn+XtBqUUK/qZh y7N3NZ0Glj3Ygk+P -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000003400000000000010212 xustar0028 mtime=1774649082.3034403 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss-exclusive/0000755000175100017510000000000015161577372025535 5ustar00runnerrunner././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss-exclusive/interm.cert.pem0000644000175100017510000000253715161577363030501 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDyjCCAn6gAwIBAgICEAEwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjBDMQswCQYDVQQG EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVy bWVkaWF0ZSBDQTCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDPlhBn2wSd um440KB4vmb4RbFeo7C6YfAulLEEF4D8V0fgd6Rj2XKRk8WowNCmf+QPFA0xH6Ew ndIGT+i4haS04TsOt++Wkz/Dj8lyFTC50WW1ZVyDZl89mpJ5myyTbToke9fF/YLN K0QyH19BXoxNGqAGf/cDvraWpUWVwgcA+rGWwGZU4CRnOSs2WqBO2ESzaJ1xAqMJ bBZyQeCrS8p5+Wz6e1G0layjinNtAQdwe2UVzsOUtZ/errqb0t3If3wRWh2rf93c t/MGYBC4R0LeR7vn3ZwAdOgZ39+LyHz04mmUBsokT8P55p2wuxecw8YiFDoy0xFe bAq4NnzEzG6vAgMBAAGjZjBkMB0GA1UdDgQWBBRnXK/DvDkcd7dpfXcgnEV7tQAn ITAfBgNVHSMEGDAWgBRx8eBpesXpOEuTGzsVR4vzVq9i+zASBgNVHRMBAf8ECDAG AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFl AwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAFZH FG2TegyZGn5x/v4qOgDVGNxIDVbMPZ7vFAwfmDRu/JsNH3MynzhUjEIWq3OAbk4e acE5oJ2FsUCHkqVcLizqma89pltGDD/Aug1JWY3gKKuEMEFDUBggAy0V7i6VY6pw SoJRRxAi7YINwqHt4iytM98aLQJc6ceyMcRXA1cWzjjIDPMv90SdRha1kBnGTtjR nkJ2bteVSX6NAhj81GKbA+7PDGKbOCvzmM7k3punDgFL8vbJrkvpg/2F8f5vZaiP 29vHI9MwOS4L2MkjFV8AzssAc771P42ND9ns38iw04d5w1uM07voDe8pBKBRdMCF Z+KJicfjpfcXzNiUOQU= -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss-exclusive/root.cert.pem0000644000175100017510000000251715161577363030164 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDvzCCAnOgAwIBAgICEAAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzI1MDAwMTAxMDAwMDAwWjA7MQswCQYDVQQG EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3Qg Q0EwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAr6rUQReGwbWaufayDOPl Js/Gm1bDOPt8+3kC3Ejd1RXvilsKpdOfuP8s+4D7MmNfjrCEMnvlGYKrVuZHySHz 48qQlFUxb7jsuD5YS9KWClkV7xJ2FoFC2q57jgBrUhfBHhU/i+EWu5zuMlHWALjU rQIjAqheQAfaj5RG6W7fsufx7zgN9hWUDUClCXUauVdS6rIwMH3poyvixojQGgQF WUyWDOd1ZzCG33XaY4yPglppvRorDVVfajW7qnStbjW36s/ekCCit+w2JU699HuH 93B89nmCoylh1WhogT9WBqjjWcN7B6Q52jGx2N+A0lUvsk6DApEmCHUM48Sa3hO5 RwIDAQABo2MwYTAdBgNVHQ4EFgQUcfHgaXrF6ThLkxs7FUeL81avYvswHwYDVR0j BBgwFoAUcfHgaXrF6ThLkxs7FUeL81avYvswDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoG CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQAdouZlWC/t3mBBGdhG /UMzmA1+5OlOOAFszt2+LAqMj3lxLbAreDNNuSfxqmFaN+4CanZVELVacV5BUU4y tfLFLpf3zu7iWyGUXJTHlwknSvVS5ZXZIY3jw0JsdC0OCDtRVmnMxYcMlqjzQZ+V Gp8j6ce8qbvw5Vkky4k2hpnx79E/9+88uHGKZhhasU1yuEZgLwIfq04RwCc13tTg wfYo4ysEJ0TzsNuXUyC/V7xtpbKmH9ZgnyubspmIgMM0HGKnk6id7eHPe/SNyM5J f0qVOkh86mIMwaL2puQqE9wogp/vtsxNN1jI9eA5Q3h8YkTVUUm0q0SfkzUE+Yp1 6Lv2 -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/fixtures/testing-ca-pss-exclusive/signer1.cert.pem0000644000175100017510000000253315161577363030547 0ustar00runnerrunner-----BEGIN CERTIFICATE----- MIIDxjCCAnqgAwIBAgICEAAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMEMxCzAJBgNVBAYT AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEYMBYGA1UEAwwPSW50ZXJt ZWRpYXRlIENBMCIYDzIwMjAwMTAxMDAwMDAwWhgPMjAyMjAxMDEwMDAwMDBaMEsx CzAJBgNVBAYTAkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UE CwwHU2lnbmVyczEOMAwGA1UEAwwFQWxpY2UwggEgMAsGCSqGSIb3DQEBCgOCAQ8A MIIBCgKCAQEA54KAlKDeHceR3gNmgsWtBX5MjYg6PFd8rUI6mac+O+/LuoZvwLoR Wa59ivHJpJ/yLpUrKP9r3byNyEojAlJB5Em7YLhNR9uJcRc4nXPStyZhBGWO438s U6cCDJDF7NckD7E2vCBw6+sB4UhkpRCgFn8O8WEWtdt3QuJqchkdL1KB1bGH5dve NeJ+oW+rzuxqQ6SuDT5O2uztA2LM27poMxWdb250NvcuRELLFkvwWxgb6bZUiDIa HUPt1naZPGhH8VKt5ZhCuOhTnv2vJViQzbFPHX2sG7d2u1YhUYxqmOVtDIG84hzp JQRZ9xX+1oBFDIF6a14PSc/YyLw91X2C6wIDAQABo1IwUDAdBgNVHQ4EFgQUADv2 3DgWFu93XfHVtOrrhMGByfEwHwYDVR0jBBgwFoAUZ1yvw7w5HHe3aX13IJxFe7UA JyEwDgYDVR0PAQH/BAQDAgbAMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAQEAoo6uWgOd Dyo1FtsFWMylhjOUJ8TGN82ZEV2ZkXS7OxkXNES8yyY84jS72MjJEbcmSrV/Elb2 4+UOiYoZepwaClPtAypWI7YQCM3V7ZA6sW2F2yac7TNpAsngNR1ERAQA8BFg4WSH pvrm3I+w77jSzRM/hKxKlYcrdoE0+e3Oeb7o0DYqAlnN2axiozy74xUR8PkqUdfX CZwtvCqBHsP7U50dAKBxKRuZ150/BzgBAgAKjYtQXH6GhAiySjVnuMrAfrhbqMje 0H9fP5hrSjdtdsKWZxYckZ4yxOoWnswPfQTQZ7VDRmXnqaxXUe2LMG/FktiolEqE XJqkP0FPBIOtXg== -----END CERTIFICATE----- ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_ac_validate.py0000644000175100017510000006743215161577363022677 0ustar00runnerrunnerimport datetime import os import pytest from asn1crypto import cms, crl, ocsp, x509 from freezegun import freeze_time from pyhanko_certvalidator import PathBuildingError, validate from pyhanko_certvalidator.authority import CertTrustAnchor from pyhanko_certvalidator.context import ACTargetDescription, ValidationContext from pyhanko_certvalidator.errors import ( CRLValidationIndeterminateError, InsufficientRevinfoError, InvalidAttrCertificateError, InvalidCertificateError, PathValidationError, RevokedError, ) from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.revinfo.validate_crl import verify_crl from pyhanko_certvalidator.revinfo.validate_ocsp import verify_ocsp_response from .test_validate import FIXTURES_DIR attr_cert_dir = os.path.join(FIXTURES_DIR, 'attribute-certs') basic_aa_dir = os.path.join(attr_cert_dir, 'basic-aa') def load_cert(fname) -> x509.Certificate: with open(fname, 'rb') as inf: return x509.Certificate.load(inf.read()) def load_attr_cert(fname) -> cms.AttributeCertificateV2: with open(fname, 'rb') as inf: return cms.AttributeCertificateV2.load(inf.read()) def load_crl(fname) -> crl.CertificateList: with open(fname, 'rb') as inf: return crl.CertificateList.load(inf.read()) def load_ocsp_response(fname) -> ocsp.OCSPResponse: with open(fname, 'rb') as inf: return ocsp.OCSPResponse.load(inf.read()) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_aacontrols_norev(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) result = await validate.async_validate_ac(ac, vc) assert len(result.aa_path) == 3 assert 'role' in result.approved_attributes assert 'group' not in result.approved_attributes @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_bad_signature(): ac = load_attr_cert(os.path.join(basic_aa_dir, 'aa', 'badsig.attr.crt')) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) msg = 'signature could not be verified' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_validation_expired(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], moment=datetime.datetime(3000, 1, 1, tzinfo=datetime.timezone.utc), ) msg = 'intermediate certificate 1 expired' with pytest.raises(PathValidationError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_sig_algo_mismatch(): ac = load_attr_cert(os.path.join(basic_aa_dir, 'aa', 'badsig.attr.crt')) # manipulate the signature algorithm ac = cms.AttributeCertificateV2( { 'ac_info': ac['ac_info'], 'signature_algorithm': {'algorithm': 'md5_rsa'}, 'signature': ac['signature'], } ) ac.dump() root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) msg = 'algorithm declaration.*does not match' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_bad_aa_controls(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) # no AA controls on this one interm = load_cert( os.path.join(basic_aa_dir, 'root', 'interm-unrestricted.crt') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) msg = 'AA controls extension only present on part ' with pytest.raises(PathValidationError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_aa_controls_path_too_long(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) # no AA controls on this one interm = load_cert( os.path.join(basic_aa_dir, 'inbetween', 'interm-pathlen-violation.crt') ) inbetween = load_cert( os.path.join(basic_aa_dir, 'root', 'inbetween-aa.crt') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa, inbetween], ) msg = 'exceeds the maximum path length for an AA certificate' with pytest.raises(PathValidationError, match=msg): await validate.async_validate_ac(ac, vc) def _load_targeted_ac(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-norev-targeted.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert( os.path.join(basic_aa_dir, 'root', 'interm-unrestricted.crt') ) aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'aa-unrestricted.crt')) return root, interm, aa, ac @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_no_targeting(): root, interm, aa, ac = _load_targeted_ac() vc = ValidationContext( trust_roots=[root], other_certs=[interm, aa], ) msg = 'no targeting information' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_bad_targeting_name(): root, interm, aa, ac = _load_targeted_ac() vc = ValidationContext( trust_roots=[root], other_certs=[interm, aa], acceptable_ac_targets=ACTargetDescription( validator_names=[ x509.GeneralName( name='directory_name', value=x509.Name.build( { 'country_name': 'XX', 'organization_name': 'Testing Attribute Authority', 'organizational_unit_name': 'Validators', 'common_name': 'Not Validator', } ), ) ] ), ) msg = 'AC targeting' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_bad_targeting_group(): root, interm, aa, ac = _load_targeted_ac() vc = ValidationContext( trust_roots=[root], other_certs=[interm, aa], acceptable_ac_targets=ACTargetDescription( group_memberships=[ x509.GeneralName( name='directory_name', value=x509.Name.build( { 'country_name': 'XX', 'organization_name': 'Testing Attribute Authority', 'organizational_unit_name': 'Not Validators', } ), ) ] ), ) msg = 'AC targeting' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_good_targeting_name(): root, interm, aa, ac = _load_targeted_ac() vc = ValidationContext( trust_roots=[root], other_certs=[interm, aa], acceptable_ac_targets=ACTargetDescription( validator_names=[ x509.GeneralName( name='directory_name', value=x509.Name.build( { 'country_name': 'XX', 'organization_name': 'Testing Attribute Authority', 'organizational_unit_name': 'Validators', 'common_name': 'Validator', } ), ) ] ), ) result = await validate.async_validate_ac(ac, vc) assert len(result.aa_path) == 3 assert 'role' in result.approved_attributes assert 'group' in result.approved_attributes @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_basic_ac_validation_good_targeting_group(): root, interm, aa, ac = _load_targeted_ac() vc = ValidationContext( trust_roots=[root], other_certs=[interm, aa], acceptable_ac_targets=ACTargetDescription( group_memberships=[ x509.GeneralName( name='directory_name', value=x509.Name.build( { 'country_name': 'XX', 'organization_name': 'Testing Attribute Authority', 'organizational_unit_name': 'Validators', } ), ) ] ), ) result = await validate.async_validate_ac(ac, vc) assert len(result.aa_path) == 3 assert 'role' in result.approved_attributes assert 'group' in result.approved_attributes @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_match_holder_ac(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) alice = load_cert(os.path.join(basic_aa_dir, 'people-ca', 'alice.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) await validate.async_validate_ac(ac, vc, holder_cert=alice) @freeze_time('2022-05-01') @pytest.mark.asyncio @pytest.mark.parametrize( 'name', [ 'alice-aki-with-issuer-id.attr.crt', 'alice-v1form-issuer.attr.crt', 'alice-v2form-only-base-cert-id.attr.crt', 'alice-v2form-with-base-certificate-id.attr.crt', 'alice-no-aki-with-base-certificate-id.attr.crt', 'alice-aki-with-issuer-id-and-base-certificate-id.attr.crt', ], ) async def test_ac_issuer_search_nonstandard_forms(name): ac = load_attr_cert(os.path.join(attr_cert_dir, 'oneoff', name)) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) alice = load_cert(os.path.join(basic_aa_dir, 'people-ca', 'alice.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) await validate.async_validate_ac(ac, vc, holder_cert=alice) @freeze_time('2022-05-01') @pytest.mark.asyncio @pytest.mark.parametrize( 'name,err_type,err_str', [ ( 'alice-v2form-issuer-aki-misaligned.attr.crt', InvalidAttrCertificateError, 'conflicting', ), ('alice-misleading-aki.attr.crt', PathBuildingError, 'suitable AA'), ( 'alice-v2form-wrong-serial.attr.crt', PathBuildingError, 'suitable AA', ), ], ) async def test_ac_issuer_search_nonstandard_forms_failures( name, err_type, err_str ): ac = load_attr_cert(os.path.join(attr_cert_dir, 'oneoff', name)) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) alice = load_cert(os.path.join(basic_aa_dir, 'people-ca', 'alice.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) with pytest.raises(err_type, match=err_str): await validate.async_validate_ac(ac, vc, holder_cert=alice) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_match_holder_ac_mismatch(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-norev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) bob = load_cert(os.path.join(basic_aa_dir, 'people-ca', 'bob.crt')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ) msg = 'Could not match.*base_certificate_id' with pytest.raises(InvalidCertificateError, match=msg): await validate.async_validate_ac(ac, vc, holder_cert=bob) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_revoked_crl(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl( os.path.join(basic_aa_dir, 'root', 'root-some-revoked.crl') ) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-some-revoked.crl') ) role_aa_crl = load_crl( os.path.join(basic_aa_dir, 'role-aa-some-revoked.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], crls=[root_crl, interm_crl, role_aa_crl], moment=datetime.datetime( year=2021, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) ac_path = ValidationPath(CertTrustAnchor(root), [interm, role_aa], ac) with pytest.raises(RevokedError): await verify_crl(ac, ac_path, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_unrevoked_crl(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) role_aa_crl = load_crl(os.path.join(basic_aa_dir, 'role-aa-all-good.crl')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], crls=[root_crl, interm_crl, role_aa_crl], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) ac_path = ValidationPath(CertTrustAnchor(root), [interm, role_aa], ac) await verify_crl(ac, ac_path, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_revoked_full_path_validation_crl(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) root_crl = load_crl( os.path.join(basic_aa_dir, 'root', 'root-some-revoked.crl') ) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-some-revoked.crl') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) role_aa_crl = load_crl( os.path.join(basic_aa_dir, 'role-aa-some-revoked.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], crls=[root_crl, interm_crl, role_aa_crl], moment=datetime.datetime( year=2021, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) with pytest.raises(RevokedError): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_revoked_complex_crls_full_path_validation(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-complex-crls.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) crl_issuer = load_cert( os.path.join(basic_aa_dir, 'interm', 'role-aa-crl-issuer.crt') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl( os.path.join(basic_aa_dir, 'root', 'root-some-revoked.crl') ) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-some-revoked.crl') ) role_aa_aa_compromised = load_crl( os.path.join(basic_aa_dir, 'role-aa-aa-compromise-some-revoked.crl') ) role_aa_other_reasons = load_crl( os.path.join(basic_aa_dir, 'role-aa-other-reasons-some-revoked.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa, crl_issuer], crls=[ root_crl, interm_crl, role_aa_aa_compromised, role_aa_other_reasons, ], moment=datetime.datetime( year=2021, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) with pytest.raises(RevokedError): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_unrevoked_full_path_validation_crl(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) role_aa_crl = load_crl(os.path.join(basic_aa_dir, 'role-aa-all-good.crl')) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], crls=[root_crl, interm_crl, role_aa_crl], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_insufficient_revinfo_crl(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], crls=[root_crl, interm_crl], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) with pytest.raises(InsufficientRevinfoError): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_crls_out_of_scope(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-complex-crls.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) crl_issuer = load_cert( os.path.join(basic_aa_dir, 'interm', 'role-aa-crl-issuer.crt') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) role_aa_nonaligned_name = load_crl( os.path.join(basic_aa_dir, 'role-aa-nonaligned-name.crl') ) role_aa_nonsensically_scoped = load_crl( os.path.join(basic_aa_dir, 'role-aa-nonsensically-scoped.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa, crl_issuer], crls=[ root_crl, interm_crl, role_aa_nonaligned_name, role_aa_nonsensically_scoped, ], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) ac_path = ValidationPath(CertTrustAnchor(root), [interm, role_aa], ac) with pytest.raises( CRLValidationIndeterminateError, match="insufficient information from known CRLs", ): await verify_crl(ac, ac_path, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_unrevoked_complex_crls_full_path_validation(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-complex-crls.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) crl_issuer = load_cert( os.path.join(basic_aa_dir, 'interm', 'role-aa-crl-issuer.crt') ) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) role_aa_aa_compromised = load_crl( os.path.join(basic_aa_dir, 'role-aa-aa-compromise-all-good.crl') ) role_aa_other_reasons = load_crl( os.path.join(basic_aa_dir, 'role-aa-other-reasons-all-good.crl') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa, crl_issuer], crls=[ root_crl, interm_crl, role_aa_aa_compromised, role_aa_other_reasons, ], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_revoked_ocsp(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) ocsp_resp = load_ocsp_response( os.path.join(basic_aa_dir, 'alice-revoked.ors') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ocsps=[ocsp_resp], moment=datetime.datetime( year=2021, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) ac_path = ValidationPath(CertTrustAnchor(root), [interm, role_aa], ac) with pytest.raises(RevokedError): await verify_ocsp_response(ac, ac_path, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_unrevoked_oscp(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) ocsp_resp = load_ocsp_response( os.path.join(basic_aa_dir, 'alice-all-good.ors') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ocsps=[ocsp_resp], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) ac_path = ValidationPath(CertTrustAnchor(root), [interm, role_aa], ac) await verify_ocsp_response(ac, ac_path, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_revoked_full_path_validation(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl( os.path.join(basic_aa_dir, 'root', 'root-some-revoked.crl') ) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-some-revoked.crl') ) ocsp_resp = load_ocsp_response( os.path.join(basic_aa_dir, 'alice-revoked.ors') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ocsps=[ocsp_resp], crls=[root_crl, interm_crl], moment=datetime.datetime( year=2021, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) with pytest.raises(RevokedError): await validate.async_validate_ac(ac, vc) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_ac_unrevoked_full_path_validation_ocsp(): ac = load_attr_cert( os.path.join(basic_aa_dir, 'aa', 'alice-role-with-rev.attr.crt') ) root = load_cert(os.path.join(basic_aa_dir, 'root', 'root.crt')) interm = load_cert(os.path.join(basic_aa_dir, 'root', 'interm-role.crt')) role_aa = load_cert(os.path.join(basic_aa_dir, 'interm', 'role-aa.crt')) root_crl = load_crl(os.path.join(basic_aa_dir, 'root', 'root-all-good.crl')) interm_crl = load_crl( os.path.join(basic_aa_dir, 'interm', 'interm-all-good.crl') ) ocsp_resp = load_ocsp_response( os.path.join(basic_aa_dir, 'alice-all-good.ors') ) vc = ValidationContext( trust_roots=[root], other_certs=[interm, role_aa], ocsps=[ocsp_resp], crls=[root_crl, interm_crl], moment=datetime.datetime( year=2019, month=12, day=12, tzinfo=datetime.timezone.utc ), revocation_mode='require', ) await validate.async_validate_ac(ac, vc) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_ades_time_slide.py0000644000175100017510000003341515161577363023547 0ustar00runnerrunnerimport datetime import os import pytest from freezegun import freeze_time from pyhanko_certvalidator.context import ( CertValidationPolicySpec, ValidationDataHandlers, ) from pyhanko_certvalidator.errors import ( InsufficientPOEError, InsufficientRevinfoError, ) from pyhanko_certvalidator.ltv.ades_past import past_validate from pyhanko_certvalidator.ltv.errors import TimeSlideFailure from pyhanko_certvalidator.ltv.poe import POEManager, POEType, digest_for_poe from pyhanko_certvalidator.ltv.time_slide import time_slide from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import ( CertRevTrustPolicy, FreshnessReqType, RevocationCheckingPolicy, RevocationCheckingRule, ) from pyhanko_certvalidator.registry import ( CertificateRegistry, SimpleTrustManager, ) from pyhanko_certvalidator.revinfo.archival import CRLContainer, OCSPContainer from pyhanko_certvalidator.revinfo.manager import RevinfoManager from .common import load_cert_object, load_crl, load_ocsp_response, load_path BASE_DIR = os.path.join('ades', 'time-slide') def read_test_path(revoked_intermediate_ca=False) -> ValidationPath: return load_path( os.path.join(BASE_DIR, 'certs'), 'root.crt', 'interm-revoked.crt' if revoked_intermediate_ca else 'interm.crt', 'alice.crt', ) def load_cert_registry(revoked_intermediate_ca=False) -> CertificateRegistry: cert_files = ( 'root.crt', 'interm-revoked.crt' if revoked_intermediate_ca else 'interm.crt', 'interm-ocsp.crt', 'alice.crt', ) reg = CertificateRegistry() for cert_file in cert_files: reg.register(load_cert_object(BASE_DIR, 'certs', cert_file)) return reg def now() -> datetime.datetime: return datetime.datetime.now(tz=datetime.timezone.utc) DEFAULT_REV_CHECK_POLICY = RevocationCheckingPolicy( ee_certificate_rule=RevocationCheckingRule.CRL_OR_OCSP_REQUIRED, intermediate_ca_cert_rule=RevocationCheckingRule.CRL_OR_OCSP_REQUIRED, ) DEFAULT_TRUST_POLICY = CertRevTrustPolicy( revocation_checking_policy=DEFAULT_REV_CHECK_POLICY, ) DEFAULT_TOLERANCE = datetime.timedelta(minutes=10) @pytest.mark.asyncio @freeze_time("2020-11-29T00:05:00+00:00") async def test_time_slide_not_revoked(): test_path = read_test_path() alice_ocsp = load_ocsp_response(BASE_DIR, 'alice-2020-11-29.ors') root_crl = load_crl(BASE_DIR, 'root-2020-11-29.crl') revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(), poe_manager=POEManager(), crls=[CRLContainer(root_crl)], ocsps=[OCSPContainer(alice_ocsp)], ) control_time = await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=DEFAULT_TRUST_POLICY, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) assert control_time == now() @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_time_slide_revocation_ocsp(): test_path = read_test_path() alice_ocsp = load_ocsp_response(BASE_DIR, 'alice-2020-12-10.ors') root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(), poe_manager=POEManager(), crls=[CRLContainer(root_crl)], ocsps=[OCSPContainer(alice_ocsp)], ) control_time = await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=DEFAULT_TRUST_POLICY, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) assert control_time == datetime.datetime( 2020, 12, 1, tzinfo=datetime.timezone.utc ) @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_time_slide_revocation_crl(): test_path = read_test_path() root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') interm_crl = load_crl(BASE_DIR, 'interm-2020-12-10.crl') revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(), poe_manager=POEManager(), crls=[CRLContainer(root_crl), CRLContainer(interm_crl)], ocsps=[], ) control_time = await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=DEFAULT_TRUST_POLICY, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) assert control_time == datetime.datetime( 2020, 12, 1, tzinfo=datetime.timezone.utc ) VERY_LENIENT_FRESHNESS = CertRevTrustPolicy( revocation_checking_policy=DEFAULT_REV_CHECK_POLICY, freshness_req_type=FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION, freshness=datetime.timedelta(days=100), ) @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_time_slide_revoked_intermediate(): test_path = read_test_path(revoked_intermediate_ca=True) # the intermediate cert is listed as revoked on this CRL root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') # this CRL would be valid long enough to serve as non-revocation # evidence for the 'alice' cert # We set a ridiculous freshness window to ensure it's covered. poe_manager = POEManager() interm_crl = load_crl(BASE_DIR, 'interm-2020-11-29.crl') poe_date = datetime.datetime(2020, 11, 30, tzinfo=datetime.timezone.utc) poe_manager.register(test_path.leaf, dt=poe_date, poe_type=POEType.PROVIDED) # ...make sure to include some POE prior to the revocation date of the # intermediate cert poe_manager.register( CRLContainer(interm_crl), dt=poe_date, poe_type=POEType.PROVIDED ) revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(revoked_intermediate_ca=True), poe_manager=poe_manager, crls=[CRLContainer(root_crl), CRLContainer(interm_crl)], ocsps=[], ) control_time = await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=VERY_LENIENT_FRESHNESS, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) assert control_time == datetime.datetime( 2020, 12, 1, tzinfo=datetime.timezone.utc ) @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_time_slide_revoked_intermediate_enforce_cert_poe(): test_path = read_test_path(revoked_intermediate_ca=True) # the intermediate cert is listed as revoked on this CRL root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') poe_manager = POEManager() # No POE for the leaf cert at the control time # at which the intermediate cert was revoked => fail interm_crl = load_crl(BASE_DIR, 'interm-2020-11-29.crl') poe_date = datetime.datetime(2020, 11, 30, tzinfo=datetime.timezone.utc) poe_manager.register( CRLContainer(interm_crl), dt=poe_date, poe_type=POEType.PROVIDED ) revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(revoked_intermediate_ca=True), poe_manager=poe_manager, crls=[CRLContainer(root_crl), CRLContainer(interm_crl)], ocsps=[], ) with pytest.raises(InsufficientPOEError, match='for.*Alice'): await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=VERY_LENIENT_FRESHNESS, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_time_slide_revoked_intermediate_enforce_revinfo_poe(): test_path = read_test_path(revoked_intermediate_ca=True) # the intermediate cert is listed as revoked on this CRL root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') poe_manager = POEManager() poe_date = datetime.datetime(2020, 11, 30, tzinfo=datetime.timezone.utc) poe_manager.register(test_path.leaf, dt=poe_date, poe_type=POEType.PROVIDED) # This CRL issued by the intermediate CA predates its revocation date # so without POE, it should be treated as no longer valid # => no revinfo for the leaf cert => can't finish interm_crl = load_crl(BASE_DIR, 'interm-2020-11-29.crl') revinfo_manager = RevinfoManager( certificate_registry=load_cert_registry(revoked_intermediate_ca=True), poe_manager=poe_manager, crls=[CRLContainer(root_crl), CRLContainer(interm_crl)], ocsps=[], ) with pytest.raises(InsufficientRevinfoError, match='for.*Alice'): await time_slide( test_path, init_control_time=now(), revinfo_manager=revinfo_manager, rev_trust_policy=VERY_LENIENT_FRESHNESS, algo_usage_policy=None, time_tolerance=DEFAULT_TOLERANCE, ) VALIDATION_POLICY_SPEC = CertValidationPolicySpec( trust_manager=SimpleTrustManager.build( trust_roots=[load_cert_object(BASE_DIR, 'certs', 'root.crt')] ), revinfo_policy=DEFAULT_TRUST_POLICY, ) @pytest.mark.asyncio @freeze_time("2020-11-29T00:05:00+00:00") async def test_point_in_time_validation_not_revoked(): test_path = read_test_path() alice_ocsp = load_ocsp_response(BASE_DIR, 'alice-2020-11-29.ors') root_crl = load_crl(BASE_DIR, 'root-2020-11-29.crl') cert_registry = load_cert_registry() poe_manager = POEManager() revinfo_manager = RevinfoManager( certificate_registry=cert_registry, poe_manager=poe_manager, crls=[CRLContainer(root_crl)], ocsps=[OCSPContainer(alice_ocsp)], ) last_valid_time = await past_validate( test_path, validation_policy_spec=VALIDATION_POLICY_SPEC, init_control_time=now(), validation_data_handlers=ValidationDataHandlers( revinfo_manager=revinfo_manager, poe_manager=poe_manager, cert_registry=cert_registry, ), ) assert last_valid_time == now() @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_point_in_time_validation_revoked_intermediate(): # Same scenario as the time slide test w/ revoked intermediate cert & PoE # in this module test_path = read_test_path(revoked_intermediate_ca=True) # the intermediate cert is listed as revoked on this CRL root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') # this CRL would be valid long enough to serve as non-revocation # evidence for the 'alice' cert # We set a ridiculous freshness window to ensure it's covered. poe_date = datetime.datetime(2020, 11, 30, tzinfo=datetime.timezone.utc) poe_manager = POEManager() poe_manager.register(test_path.leaf, dt=poe_date, poe_type=POEType.PROVIDED) interm_crl = load_crl(BASE_DIR, 'interm-2020-11-29.crl') # ...make sure to include some POE prior to the revocation date of the # intermediate cert poe_manager.register( CRLContainer(interm_crl), dt=poe_date, poe_type=POEType.PROVIDED ) cert_registry = load_cert_registry(revoked_intermediate_ca=True) revinfo_manager = RevinfoManager( certificate_registry=cert_registry, poe_manager=poe_manager, crls=[CRLContainer(root_crl), CRLContainer(interm_crl)], ocsps=[], ) last_valid_time = await past_validate( test_path, validation_policy_spec=VALIDATION_POLICY_SPEC, init_control_time=now(), validation_data_handlers=ValidationDataHandlers( revinfo_manager=revinfo_manager, poe_manager=poe_manager, cert_registry=cert_registry, ), ) assert last_valid_time == datetime.datetime( 2020, 12, 1, tzinfo=datetime.timezone.utc ) @pytest.mark.asyncio @freeze_time("2020-12-10T00:05:00+00:00") async def test_point_in_time_validation_revinfo_insufficient_poe(): test_path = read_test_path(revoked_intermediate_ca=True) # the intermediate cert is listed as revoked on this CRL root_crl = load_crl(BASE_DIR, 'root-2020-12-10.crl') poe_manager = POEManager() cert_registry = load_cert_registry(revoked_intermediate_ca=True) revinfo_manager = RevinfoManager( certificate_registry=cert_registry, poe_manager=poe_manager, crls=[CRLContainer(root_crl)], ocsps=[], ) with pytest.raises(TimeSlideFailure): await past_validate( test_path, validation_policy_spec=VALIDATION_POLICY_SPEC, init_control_time=now(), validation_data_handlers=ValidationDataHandlers( revinfo_manager=revinfo_manager, poe_manager=poe_manager, cert_registry=cert_registry, ), ) def test_poe_manager_read_cert(): manager = POEManager() cert = load_cert_object(BASE_DIR, 'certs', 'root.crt') with freeze_time('2020-11-11'): manager.register(cert, poe_type=POEType.PROVIDED) assert manager[cert].date() == datetime.date(2020, 11, 11) def test_poe_manager_cert_by_digest(): manager = POEManager() cert = load_cert_object(BASE_DIR, 'certs', 'root.crt') with freeze_time('2020-11-11'): manager.register_by_digest( digest_for_poe(cert.dump()), poe_type=POEType.PROVIDED ) assert manager[cert].date() == datetime.date(2020, 11, 11) def test_poe_manager_read_bytes(): manager = POEManager() msg = b'deadbeef' with freeze_time('2020-11-11'): manager.register(msg, poe_type=POEType.PROVIDED) assert manager[msg].date() == datetime.date(2020, 11, 11) def test_poe_manager_read_bytes_by_digest(): manager = POEManager() msg = b'deadbeef' with freeze_time('2020-11-11'): manager.register_by_digest( digest_for_poe(msg), poe_type=POEType.PROVIDED ) assert manager[msg].date() == datetime.date(2020, 11, 11) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_certificate_validator.py0000644000175100017510000000450215161577363024757 0ustar00runnerrunner# coding: utf-8 import pytest from freezegun import freeze_time from pyhanko_certvalidator import ( CertificateValidator, PKIXValidationParams, ValidationContext, ) from .common import load_cert_object, load_nist_cert @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_certvalidator_with_params(): cert = load_nist_cert('ValidPolicyMappingTest12EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')] other_certs = [load_nist_cert('P12Mapping1to3CACert.crt')] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, revocation_mode="soft-fail", weak_hash_algos={'md2', 'md5'}, ) validator = CertificateValidator( cert, validation_context=context, pkix_params=PKIXValidationParams( user_initial_policy_set=frozenset(['2.16.840.1.101.3.2.1.48.1']) ), ) path = await validator.async_validate_usage(key_usage={'digital_signature'}) # check if we got the right policy processing # (i.e. if our params got through) qps = path.qualified_policies() (qp,) = qps assert 1 == len(qp.qualifiers) (qual_obj,) = qp.qualifiers assert qual_obj['policy_qualifier_id'].native == 'user_notice' assert qual_obj['qualifier']['explicit_text'].native == ( 'q7: This is the user notice from qualifier 7 associated with ' 'NIST-test-policy-3. This user notice should be displayed ' 'when NIST-test-policy-1 is in the user-constrained-policy-set' ) @pytest.mark.asyncio async def test_self_signed_with_policy(): # tests whether a corner case in the policy validation logic when the # path length is zero is handled gracefully cert = load_cert_object('self-signed-with-policy.crt') context = ValidationContext(trust_roots=[cert], allow_fetching=False) validator = CertificateValidator(cert, validation_context=context) path = await validator.async_validate_usage({'digital_signature'}) (qp,) = path.qualified_policies() # Note: the cert declares a concrete policy, but for the purposes # of PKIX validation, any policy is valid, since we're validating # a -signed certificate (so everything breaks down anyway) assert qp.user_domain_policy_id == 'any_policy' assert qp.issuer_domain_policy_id == 'any_policy' ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_common_utils.py0000644000175100017510000001607315161577363023146 0ustar00runnerrunnerimport os import pytest from asn1crypto import cms, core, x509 from pyhanko_certvalidator.fetchers.common_utils import ( ACCEPTABLE_CERT_DER_ALIASES, ACCEPTABLE_PKCS7_DER_ALIASES, enumerate_delivery_point_urls, gather_aia_issuer_urls, unpack_cert_content, ) TESTS_ROOT = os.path.dirname(__file__) FIXTURES_DIR = os.path.join(TESTS_ROOT, 'fixtures') ac_path = os.path.join( FIXTURES_DIR, 'attribute-certs', 'basic-aa', 'aa', 'alice-role-with-rev.attr.crt', ) with open(ac_path, 'rb') as inf: ATTRIBUTE_CERT = cms.AttributeCertificateV2.load(inf.read()) with open( os.path.join(FIXTURES_DIR, 'testing-aia', 'with-ldap-urls.der'), 'rb' ) as f: WITH_LDAP_URLS = x509.Certificate.load(f.read()) @pytest.mark.parametrize("content_type", (None, *ACCEPTABLE_CERT_DER_ALIASES)) def test_unpack_cert_content_der(content_type): certs_returned = unpack_cert_content( response_data=WITH_LDAP_URLS.dump(), content_type=content_type, permit_pem=False, url="http://example.com", ) assert len(list(certs_returned)) == 1 def test_unpack_content_unknown_der(): with pytest.raises(ValueError, match="Failed to heuristically"): next( unpack_cert_content( response_data=core.SequenceOf([]).dump(), content_type=None, permit_pem=False, url="http://example.com", ) ) def test_unpack_content_bad_pkcs7(): with pytest.raises(ValueError, match="Expected CMS SignedData"): next( unpack_cert_content( response_data=cms.ContentInfo( {'content_type': 'data', 'content': core.OctetString(b"")} ).dump(), content_type=None, permit_pem=False, url="http://example.com", ) ) def test_unpack_cert_content_pem(): with open( os.path.join(FIXTURES_DIR, 'testing-ca-ed25519', 'interm.cert.pem'), 'rb', ) as f: pem_bytes = f.read() certs_returned = unpack_cert_content( response_data=pem_bytes, content_type="anything/goes", permit_pem=True, url="http://example.com", ) assert len(list(certs_returned)) == 1 def test_unpack_cert_content_pem_multiple(): with open( os.path.join(FIXTURES_DIR, 'certs_to_unpack/many-certs.pem'), 'rb' ) as f: pem_bytes = f.read() certs_returned = unpack_cert_content( response_data=pem_bytes, content_type="any", permit_pem=True, url="http://example.com", ) assert len(list(certs_returned)) == 2 def test_unpack_cert_content_forbid_pem(): with open( os.path.join(FIXTURES_DIR, 'testing-ca-ed25519', 'interm.cert.pem'), 'rb', ) as f: pem_bytes = f.read() with pytest.raises(ValueError, match="Failed to extract"): next( unpack_cert_content( response_data=pem_bytes, content_type="anything/goes", permit_pem=False, url="http://example.com", ) ) @pytest.mark.parametrize("content_type", (None, *ACCEPTABLE_PKCS7_DER_ALIASES)) def test_unpack_cert_content_pkcs7(content_type): with open( os.path.join(FIXTURES_DIR, 'certs_to_unpack/test.p7b'), 'rb' ) as f: pkcs7_bytes = f.read() certs_returned = unpack_cert_content( response_data=pkcs7_bytes, content_type=content_type, permit_pem=True, url="http://example.com", ) assert len(list(certs_returned)) == 2 def test_unpack_cert_content_pkcs7_pem(): with open( os.path.join(FIXTURES_DIR, 'certs_to_unpack/test.p7b.pem'), 'rb' ) as f: pkcs7_bytes = f.read() certs_returned = unpack_cert_content( response_data=pkcs7_bytes, content_type="any", permit_pem=True, url="http://example.com", ) assert len(list(certs_returned)) == 2 def test_crl_distribution_point_enumeration_skip_ldap(): (dist_point,) = WITH_LDAP_URLS.crl_distribution_points_value (url,) = enumerate_delivery_point_urls(dist_point) assert url.startswith('http://') def test_crl_distribution_point_enumeration_skip_relative(): result = enumerate_delivery_point_urls( x509.DistributionPoint( { 'distribution_point': x509.DistributionPointName( name='name_relative_to_crl_issuer', value=WITH_LDAP_URLS.issuer.chosen[0], ) } ) ) assert len(list(result)) == 0 def test_crl_distribution_point_enumeration_skip_non_uri(): result = enumerate_delivery_point_urls( x509.DistributionPoint( { 'distribution_point': x509.DistributionPointName( name='full_name', value=[ x509.GeneralName( name='directory_name', value=WITH_LDAP_URLS.issuer, ) ], ) } ) ) assert len(list(result)) == 0 def test_gather_issuer_urls_cert(): urls = gather_aia_issuer_urls(WITH_LDAP_URLS) assert list(urls) == ['http://repo.ca.example.com'] def test_gather_issuer_urls_ac(): urls = gather_aia_issuer_urls(ATTRIBUTE_CERT) assert list(urls) == ['http://localhost:9000/basic-aa/certs/interm/ca.crt'] def test_gather_issuer_urls_ac_no_aia(): ac_norev_path = os.path.join( FIXTURES_DIR, 'attribute-certs', 'basic-aa', 'aa', 'alice-role-norev.attr.crt', ) with open(ac_norev_path, 'rb') as inf: ac = cms.AttributeCertificateV2.load(inf.read()) urls = gather_aia_issuer_urls(ac) assert list(urls) == [] @pytest.mark.parametrize( 'pkcs7_data', [ { 'version': 'v1', 'digest_algorithms': [], 'encap_content_info': { 'content_type': 'data', }, 'signer_infos': [], }, { 'version': 'v1', 'digest_algorithms': [], 'encap_content_info': { 'content_type': 'data', }, 'signer_infos': [], 'certificates': [], }, { 'version': 'v1', 'digest_algorithms': [], 'encap_content_info': { 'content_type': 'data', }, 'signer_infos': [], 'certificates': [ cms.CertificateChoices( name='v2_attr_cert', value=ATTRIBUTE_CERT ) ], }, ], ) def test_unpack_content_empty_pkcs7(pkcs7_data): certs_returned = unpack_cert_content( response_data=cms.ContentInfo( { 'content_type': 'signed_data', 'content': cms.SignedData(pkcs7_data), } ).dump(), content_type=None, permit_pem=False, url="http://example.com", ) assert len(list(certs_returned)) == 0 ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_freshness.py0000644000175100017510000001625015161577363022433 0ustar00runnerrunnerimport os from datetime import datetime, timedelta, timezone import pytest from pyhanko_certvalidator import ValidationContext from pyhanko_certvalidator.errors import PathValidationError, RevokedError from pyhanko_certvalidator.policy_decl import ( CertRevTrustPolicy, FreshnessReqType, RevocationCheckingPolicy, ) from pyhanko_certvalidator.validate import async_validate_path from .common import load_cert_object, load_crl, load_ocsp_response freshness_dir = 'freshness' certs = os.path.join('freshness', 'certs') @pytest.mark.asyncio async def test_cooldown_period_ok(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(days=3), freshness_req_type=FreshnessReqType.TIME_AFTER_SIGNATURE, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp = load_ocsp_response(freshness_dir, 'alice-2020-10-01.ors') root_crl = load_crl(freshness_dir, 'root-2020-10-01.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 10, 1, tzinfo=timezone.utc), best_signature_time=datetime(2020, 9, 18, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) await async_validate_path(vc, path) @pytest.mark.asyncio async def test_cooldown_period_too_early(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(days=3), freshness_req_type=FreshnessReqType.TIME_AFTER_SIGNATURE, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp = load_ocsp_response(freshness_dir, 'alice-2020-10-01.ors') root_crl = load_crl(freshness_dir, 'root-2020-10-01.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 10, 1, tzinfo=timezone.utc), best_signature_time=datetime(2020, 9, 30, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) with pytest.raises(PathValidationError, match='CRL.*recent enough'): await async_validate_path(vc, path) @pytest.mark.asyncio async def test_use_delta_ok(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(days=9), freshness_req_type=FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp = load_ocsp_response(freshness_dir, 'alice-2020-10-01.ors') root_crl = load_crl(freshness_dir, 'root-2020-10-01.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 10, 1, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) await async_validate_path(vc, path) @pytest.mark.asyncio async def test_use_delta_stale(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(hours=1), freshness_req_type=FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp = load_ocsp_response(freshness_dir, 'alice-2020-10-01.ors') root_crl = load_crl(freshness_dir, 'root-2020-10-01.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 10, 1, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) with pytest.raises(PathValidationError, match='CRL.*recent enough'): await async_validate_path(vc, path) @pytest.mark.asyncio async def test_use_most_recent(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(days=20), # some ridiculous value freshness_req_type=FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp_older = load_ocsp_response(freshness_dir, 'alice-2020-11-29.ors') alice_ocsp_recent = load_ocsp_response( freshness_dir, 'alice-2020-12-10.ors' ) root_crl = load_crl(freshness_dir, 'root-2020-12-10.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp_older, alice_ocsp_recent], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 12, 10, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) with pytest.raises(RevokedError): await async_validate_path(vc, path) # Double-check: the validator should be fooled if we don't include the # second OCSP response because of the very lenient time delta allowed vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp_older], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 12, 10, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) await async_validate_path(vc, path) @pytest.mark.asyncio async def test_discard_post_validation_time(): req_policy = RevocationCheckingPolicy.from_legacy('require') policy = CertRevTrustPolicy( revocation_checking_policy=req_policy, freshness=timedelta(days=20), # some ridiculous value freshness_req_type=FreshnessReqType.MAX_DIFF_REVOCATION_VALIDATION, ) root = load_cert_object(certs, 'root.crt') alice = load_cert_object(certs, 'alice.crt') interm = load_cert_object(certs, 'interm.crt') alice_ocsp_older = load_ocsp_response(freshness_dir, 'alice-2020-11-29.ors') alice_ocsp_recent = load_ocsp_response( freshness_dir, 'alice-2020-12-10.ors' ) root_crl = load_crl(freshness_dir, 'root-2020-11-29.crl') vc = ValidationContext( trust_roots=[root], other_certs=[interm], ocsps=[alice_ocsp_older, alice_ocsp_recent], crls=[root_crl], revinfo_policy=policy, moment=datetime(2020, 11, 29, tzinfo=timezone.utc), ) (path,) = await vc.path_builder.async_build_paths(alice) await async_validate_path(vc, path) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_policy_proc.py0000644000175100017510000001653415161577363022762 0ustar00runnerrunnerimport pytest from asn1crypto import x509 from freezegun import freeze_time from pyhanko_certvalidator.authority import ( CertTrustAnchor, NamedKeyAuthority, TrustAnchor, TrustQualifiers, ) from pyhanko_certvalidator.context import ValidationContext from pyhanko_certvalidator.errors import PathValidationError from pyhanko_certvalidator.name_trees import ( GeneralNameType, x509_names_to_subtrees, ) from pyhanko_certvalidator.path import ValidationPath from pyhanko_certvalidator.policy_decl import PKIXValidationParams from pyhanko_certvalidator.validate import async_validate_path from .common import load_nist_cert def test_extract_policy(): # I know this isn't a CA cert, but it's a convenient one to use crt = load_nist_cert('ValidCertificatePathTest1EE.crt') anchor = CertTrustAnchor(crt, derive_default_quals_from_cert=True) params = anchor.trust_qualifiers.standard_parameters nist_test_policy = '2.16.840.1.101.3.2.1.48.1' assert params.user_initial_policy_set == {nist_test_policy} def test_extract_permitted_subtrees(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') anchor = CertTrustAnchor(crt, derive_default_quals_from_cert=True) params = anchor.trust_qualifiers.standard_parameters dirname_trs = params.initial_permitted_subtrees[ GeneralNameType.DIRECTORY_NAME ] assert len(dirname_trs) == 1 (tree,) = dirname_trs expected_name = x509.Name.build( { 'organizational_unit_name': 'permittedSubtree1', 'organization_name': 'Test Certificates 2011', 'country_name': 'US', } ) assert tree.tree_base.value == expected_name @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_derived(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') anchor = CertTrustAnchor(crt, derive_default_quals_from_cert=True) ee = load_nist_cert('InvalidDNnameConstraintsTest2EE.crt') context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) (path,) = await context.path_builder.async_build_paths(ee) assert path.pkix_len == 1 with pytest.raises(PathValidationError, match='not all names.*permitted'): await async_validate_path(context, path) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_merged_permitted_subtrees(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') anchor = CertTrustAnchor(crt, derive_default_quals_from_cert=True) ee = load_nist_cert('ValidDNnameConstraintsTest1EE.crt') context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) (path,) = await context.path_builder.async_build_paths(ee) assert path.pkix_len == 1 # this should be OK await async_validate_path(context, path) # merge in an extra name constraint extra_name = x509.Name.build( { 'organizational_unit_name': 'someNameYouDontHave', 'organization_name': 'Test Certificates 2011', 'country_name': 'US', } ) extra_params = PKIXValidationParams( initial_permitted_subtrees=x509_names_to_subtrees([extra_name]) ) with pytest.raises(PathValidationError, match='not all names.*permitted'): await async_validate_path(context, path, parameters=extra_params) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_merged_excluded_subtrees(): crt = load_nist_cert('nameConstraintsDN3CACert.crt') anchor = CertTrustAnchor(crt, derive_default_quals_from_cert=True) ee = load_nist_cert('ValidDNnameConstraintsTest6EE.crt') context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) (path,) = await context.path_builder.async_build_paths(ee) assert path.pkix_len == 1 # this should be OK await async_validate_path(context, path) # merge in an extra name constraint extra_name = x509.Name.build( { 'organizational_unit_name': 'permittedSubtree1', 'organization_name': 'Test Certificates 2011', 'country_name': 'US', } ) extra_params = PKIXValidationParams( initial_excluded_subtrees=x509_names_to_subtrees([extra_name]) ) with pytest.raises(PathValidationError, match='some names.*excluded'): await async_validate_path(context, path, parameters=extra_params) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_certless_root(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') # manually build params permitted = x509.Name.build( { 'organizational_unit_name': 'permittedSubtree1', 'organization_name': 'Test Certificates 2011', 'country_name': 'US', } ) extra_params = PKIXValidationParams( initial_permitted_subtrees=x509_names_to_subtrees([permitted]) ) anchor = TrustAnchor( NamedKeyAuthority(crt.subject, crt.public_key), quals=TrustQualifiers(standard_parameters=extra_params), ) ee = load_nist_cert('ValidDNnameConstraintsTest1EE.crt') context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) (path,) = await context.path_builder.async_build_paths(ee) assert path.pkix_len == 1 assert isinstance(path.first, x509.Certificate) assert path.trust_anchor is anchor await async_validate_path(context, path, parameters=extra_params) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_certless_root_failure(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') # manually build params permitted = x509.Name.build( { 'organizational_unit_name': 'someNameYouDontHave', 'organization_name': 'Test Certificates 2011', 'country_name': 'US', } ) extra_params = PKIXValidationParams( initial_permitted_subtrees=x509_names_to_subtrees([permitted]) ) anchor = TrustAnchor( NamedKeyAuthority(crt.subject, crt.public_key), quals=TrustQualifiers(standard_parameters=extra_params), ) ee = load_nist_cert('ValidDNnameConstraintsTest1EE.crt') context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) (path,) = await context.path_builder.async_build_paths(ee) assert path.pkix_len == 1 assert isinstance(path.first, x509.Certificate) assert path.trust_anchor is anchor with pytest.raises(PathValidationError, match='not all names.*permitted'): await async_validate_path(context, path, parameters=extra_params) @freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_empty_path_certless_root(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') anchor = TrustAnchor( NamedKeyAuthority(crt.subject, crt.public_key), ) context = ValidationContext( trust_roots=[anchor], revocation_mode='soft-fail', ) trivial_path = ValidationPath(trust_anchor=anchor, interm=[], leaf=None) await async_validate_path(context, trivial_path) def test_trust_anchor_authority_consistency(): anchor = CertTrustAnchor(load_nist_cert('nameConstraintsDN1CACert.crt')) without_cert = NamedKeyAuthority( anchor.certificate.subject, anchor.certificate.public_key ) assert anchor.authority == without_cert ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_registry.py0000644000175100017510000002231015161577363022275 0ustar00runnerrunner# coding: utf-8 from datetime import datetime, timedelta, timezone import pytest from asn1crypto import core, x509 from pyhanko_certvalidator import PathBuildingError from pyhanko_certvalidator.authority import ( Authority, CertTrustAnchor, TrustedServiceType, TrustQualifiers, ) from pyhanko_certvalidator.registry import ( CertificateRegistry, LayeredCertificateStore, PathBuilder, SimpleTrustManager, TrustManager, ) from .common import load_cert_object def test_build_paths_custom_ca_certs(): cert = load_cert_object('testing-ca-ed25519', 'signer.cert.pem') other_certs = [load_cert_object('testing-ca-ed25519', 'interm.cert.pem')] builder = PathBuilder( trust_manager=SimpleTrustManager.build(trust_roots=other_certs), registry=CertificateRegistry.build(certs=other_certs), ) paths = builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 2 == len(path) assert [item.subject.sha1 for item in path] == [ b'Xm\xb3f\xac[T\x13\xbaP$\x13\xfb\x93L\xf0\x9ex\x83V', b'\x8d\x19\xc0\xcdx\x84[\x7f\xe3/$\x86B\xfc\x83\xd9Kzm\x97', ] def test_build_paths_qualified_root_with_wrong_type(): cert = load_cert_object('testing-ca-ed25519', 'signer.cert.pem') ca = load_cert_object('testing-ca-ed25519', 'interm.cert.pem') other_certs = [ca] builder = PathBuilder( trust_manager=SimpleTrustManager.build( trust_roots=[ CertTrustAnchor( ca, TrustQualifiers( trusted_service_type=TrustedServiceType.UNSUPPORTED ), ) ] ), registry=CertificateRegistry.build(certs=other_certs), ) with pytest.raises(PathBuildingError): builder.build_paths(cert) def _gen_issuer_candidate_cert(key_identifier, common_name, coords): dt = datetime(2019, 9, 10, tzinfo=timezone.utc) cert_in = load_cert_object('testing-ca-ed25519', 'interm.cert.pem') pubkey = cert_in.public_key extensions = [ x509.Extension( { 'extn_id': 'key_usage', 'critical': False, 'extn_value': x509.KeyUsage( {'key_cert_sign', 'digital_signature'} ), } ) ] if key_identifier: extensions.append( x509.Extension( { 'extn_id': 'key_identifier', 'critical': False, 'extn_value': core.OctetString(key_identifier), } ) ) tbs = x509.TbsCertificate( { 'version': 'v3', 'serial_number': coords[1], 'signature': {'algorithm': 'sha256_rsa'}, 'issuer': x509.Name.build({'common_name': coords[0]}), 'validity': { 'not_before': x509.Time({'utc_time': dt}), 'not_after': x509.Time({'utc_time': dt + timedelta(days=3650)}), }, 'subject': x509.Name.build({'common_name': common_name}), 'subject_public_key_info': pubkey, 'extensions': extensions, } ) cert = x509.Certificate( { 'tbs_certificate': tbs, 'signature_algorithm': {'algorithm': 'sha256_rsa'}, 'signature_value': core.OctetBitString(b""), } ) return cert def _gen_subject_candidate_cert(aki, iss_common_name, iss_coords, ski=None): iss_name = x509.Name.build({'common_name': iss_common_name}) dt = datetime(2019, 9, 10, tzinfo=timezone.utc) cert_in = load_cert_object('testing-ca-ed25519', 'signer.cert.pem') pubkey = cert_in.public_key extensions = [ x509.Extension( { 'extn_id': 'key_usage', 'critical': False, 'extn_value': x509.KeyUsage({'digital_signature'}), } ), x509.Extension( { 'extn_id': 'key_identifier', 'critical': False, 'extn_value': x509.OctetString(ski or pubkey.sha1), } ), ] if aki or iss_coords: vals = {} if aki: vals['key_identifier'] = aki if iss_coords: vals['authority_cert_issuer'] = x509.GeneralNames( [ x509.GeneralName( name='directory_name', value=x509.Name.build({'common_name': iss_coords[0]}), ) ] ) vals['authority_cert_serial_number'] = iss_coords[1] extensions.append( x509.Extension( { 'extn_id': 'authority_key_identifier', 'critical': False, 'extn_value': x509.AuthorityKeyIdentifier(vals), } ) ) tbs = x509.TbsCertificate( { 'version': 'v3', 'serial_number': 1, 'signature': {'algorithm': 'sha256_rsa'}, 'issuer': iss_name, 'validity': { 'not_before': x509.Time({'utc_time': dt}), 'not_after': x509.Time({'utc_time': dt + timedelta(days=3650)}), }, 'subject': x509.Name.build({'common_name': 'subject'}), 'subject_public_key_info': pubkey, 'extensions': extensions, } ) cert = x509.Certificate( { 'tbs_certificate': tbs, 'signature_algorithm': {'algorithm': 'sha256_rsa'}, 'signature_value': core.OctetBitString(b""), } ) return cert class DummyTrustManager(TrustManager): def find_potential_issuers(self, cert: x509.Certificate): return iter(()) def as_trust_anchor(self, authority: Authority): return None @pytest.mark.parametrize( "key_identifier,authority_cert_coords", [ # by key identifier (b"foo", None), # by auth cert coordinates (None, ("root", 0)), # both (b"foo", ("root", 0)), ], ) def test_disambiguate_issuer_by_authority_info( key_identifier, authority_cert_coords ): subject = _gen_subject_candidate_cert( key_identifier, "issuer", authority_cert_coords ) issuer1 = _gen_issuer_candidate_cert(b"foo", "issuer", ("root", 0)) issuer2 = _gen_issuer_candidate_cert(b"bar", "issuer", ("root", 1)) registry = CertificateRegistry.build([issuer1, issuer2]) found = list(registry.find_potential_issuers(subject, DummyTrustManager())) assert len(found) == 1 assert found[0].dump() == issuer1.dump() def test_partial_match_handling_aki_filter(): # corner case handling, not realistic in a sane PKI subject = _gen_subject_candidate_cert(b"foo", "issuer", ("root", 0)) issuer1 = _gen_issuer_candidate_cert(b"foo", "issuer", ("root", 0)) issuer2 = _gen_issuer_candidate_cert(b"bar", "issuer", ("root", 0)) issuer3 = _gen_issuer_candidate_cert(b"foo", "issuer", ("root", 1)) registry = CertificateRegistry.build([issuer1, issuer2, issuer3]) found = list(registry.find_potential_issuers(subject, DummyTrustManager())) assert len(found) == 1 assert found[0].dump() == issuer1.dump() def test_distinguish_ski_and_key_hash(): subject = _gen_subject_candidate_cert(b"foo", "issuer", ("root", 0), b"bar") issuer = _gen_issuer_candidate_cert(b"foo", "issuer", ("root", 0)) data1 = subject.dump() data2 = issuer.dump() registry = CertificateRegistry.build([subject, issuer]) assert ( registry.retrieve_by_key_hash(subject.public_key.sha1).dump() == data1 ) assert registry.retrieve_by_key_hash(issuer.public_key.sha1).dump() == data2 assert registry.retrieve_by_key_identifier(b"bar").dump() == data1 assert registry.retrieve_by_key_identifier(subject.public_key.sha1) is None def test_layered_prefer_first(): subject1 = _gen_subject_candidate_cert(b"foo", "issuer", ("root", 0)) subject2 = _gen_subject_candidate_cert(b"quux", "issuer", ("root", 0)) store1 = CertificateRegistry.build([subject1]) store2 = CertificateRegistry.build([subject2]) layered = LayeredCertificateStore([store1, store2]) expected = subject1.dump() assert subject1.issuer_serial == subject2.issuer_serial assert ( layered.retrieve_by_key_hash(subject1.public_key.sha1).dump() == expected ) assert ( layered.retrieve_by_key_identifier(subject1.public_key.sha1).dump() == expected ) assert ( layered.retrieve_by_issuer_serial(subject1.issuer_serial).dump() == expected ) def test_layered_fallthrough(): subject1 = _gen_subject_candidate_cert(b"foo", "issuer", ("root", 0)) store1 = CertificateRegistry.build([]) store2 = CertificateRegistry.build([subject1]) layered = LayeredCertificateStore([store1, store2]) expected = subject1.dump() assert ( layered.retrieve_by_key_hash(subject1.public_key.sha1).dump() == expected ) assert ( layered.retrieve_by_key_identifier(subject1.public_key.sha1).dump() == expected ) assert ( layered.retrieve_by_issuer_serial(subject1.issuer_serial).dump() == expected ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_sig_validate.py0000644000175100017510000000473315161577363023071 0ustar00runnerrunnerimport pytest from asn1crypto import algos, keys from pyhanko_certvalidator.errors import ( AlgorithmNotSupported, DSAParametersUnavailable, PSSParameterMismatch, ) from pyhanko_certvalidator.sig_validate import DefaultSignatureValidator from .common import load_cert_object, load_nist_cert def test_dsa_inheritance_missing_params(): pubkey = load_nist_cert('DSACACert.crt').public_key pubkey_stripped = keys.PublicKeyInfo( { 'algorithm': { 'algorithm': pubkey['algorithm']['algorithm'], }, 'public_key': pubkey['public_key'], } ) issued_cert = load_nist_cert('InvalidDSASignatureTest6EE.crt') payload = issued_cert['tbs_certificate'].dump() signature = issued_cert['signature_value'].native algo_stripped = algos.SignedDigestAlgorithm( {'algorithm': issued_cert['signature_algorithm']['algorithm']} ) with pytest.raises(DSAParametersUnavailable): DefaultSignatureValidator().validate_signature( signature, payload, pubkey_stripped, algo_stripped ) def test_pss_parameter_mismatch(): pubkey = load_cert_object('testing-ca-pss', 'root.cert.pem').public_key pubkey_mangled = keys.PublicKeyInfo( { 'algorithm': { 'algorithm': 'rsassa_pss', 'parameters': keys.RSASSAPSSParams( {'hash_algorithm': {'algorithm': 'sha3_256'}} ), }, 'public_key': pubkey['public_key'], } ) issued_cert = load_cert_object('testing-ca-pss', 'interm.cert.pem') payload = issued_cert['tbs_certificate'].dump() signature = issued_cert['signature_value'].native with pytest.raises(PSSParameterMismatch): DefaultSignatureValidator().validate_signature( signature, payload, pubkey_mangled, issued_cert['signature_algorithm'], ) def test_algorithm_not_supported(): pubkey = load_cert_object('testing-ca-pss', 'root.cert.pem').public_key issued_cert = load_cert_object('testing-ca-pss', 'interm.cert.pem') payload = issued_cert['tbs_certificate'].dump() signature = issued_cert['signature_value'].native algo = algos.SignedDigestAlgorithm( {'algorithm': algos.SignedDigestAlgorithmId('2.999')} ) with pytest.raises(AlgorithmNotSupported): DefaultSignatureValidator().validate_signature( signature, payload, pubkey, algo ) ././@PaxHeader0000000000000000000000000000002600000000000010213 xustar0022 mtime=1774649075.0 pyhanko_certvalidator-0.30.2/tests/test_validate.py0000644000175100017510000007320515161577363022227 0ustar00runnerrunner# coding: utf-8 import json import os from dataclasses import dataclass, field from datetime import datetime from typing import Iterable, List, Optional, Type import pytest from asn1crypto import crl, ocsp, x509 from asn1crypto.util import timezone from freezegun import freeze_time from pyhanko_certvalidator import PKIXValidationParams from pyhanko_certvalidator.authority import Authority, CertTrustAnchor from pyhanko_certvalidator.context import ValidationContext from pyhanko_certvalidator.errors import ( CertificateFetchError, CRLFetchError, ExpiredError, InsufficientRevinfoError, NotYetValidError, OCSPFetchError, OCSPValidationError, PathValidationError, RevokedError, StaleRevinfoError, ) from pyhanko_certvalidator.fetchers import ( CertificateFetcher, CRLFetcher, FetcherBackend, Fetchers, OCSPFetcher, requests_fetchers, ) from pyhanko_certvalidator.ltv.poe import POEManager from pyhanko_certvalidator.path import QualifiedPolicy, ValidationPath from pyhanko_certvalidator.policy_decl import ( CertRevTrustPolicy, DisallowWeakAlgorithmsPolicy, NonRevokedStatusAssertion, RevocationCheckingPolicy, RevocationCheckingRule, ) from pyhanko_certvalidator.registry import ( CertificateRegistry, PathBuilder, SimpleTrustManager, ) from pyhanko_certvalidator.revinfo.manager import RevinfoManager from pyhanko_certvalidator.validate import async_validate_path, validate_path from .common import ( FIXTURES_DIR, load_cert_object, load_crl, load_nist_cert, load_nist_crl, load_openssl_ors, ) class MockFetcher: def __init__(self, *args, **kwargs): self.calls = 0 super().__init__(*args, **kwargs) class MockOCSPFetcher(OCSPFetcher, MockFetcher): def fetched_responses(self) -> Iterable[ocsp.OCSPResponse]: return () def fetched_responses_for_cert( self, cert: x509.Certificate ) -> Iterable[ocsp.OCSPResponse]: self.calls += 1 return () async def fetch(self, cert: x509.Certificate, authority: Authority): self.calls += 1 raise OCSPFetchError("No connection") class MockOCSPFetcherWithValidationError(MockOCSPFetcher, MockFetcher): async def fetch(self, cert: x509.Certificate, authority: Authority): self.calls += 1 raise OCSPValidationError("Something went wrong") class MockCRLFetcher(CRLFetcher, MockFetcher): def fetched_crls_for_cert( self, cert: x509.Certificate ) -> Iterable[crl.CertificateList]: self.calls += 1 return () def fetched_crls(self) -> Iterable[crl.CertificateList]: return () async def fetch(self, cert: x509.Certificate, *, use_deltas=None): self.calls += 1 raise CRLFetchError("No connection") class MockCertFetcher(CertificateFetcher, MockFetcher): def fetched_certs(self) -> Iterable[x509.Certificate]: return () def fetch_cert_issuers(self, cert): self.calls += 1 return self def fetch_crl_issuers(self, certificate_list): self.calls += 1 return self def __aiter__(self): raise CertificateFetchError("No connection") class MockFetcherBackend(FetcherBackend): def get_fetchers(self) -> Fetchers: return Fetchers( ocsp_fetcher=MockOCSPFetcher(), crl_fetcher=MockCRLFetcher(), cert_fetcher=MockCertFetcher(), ) class MockFetcherBackendWithValidationError(FetcherBackend): def get_fetchers(self) -> Fetchers: return Fetchers( ocsp_fetcher=MockOCSPFetcherWithValidationError(), crl_fetcher=MockCRLFetcher(), cert_fetcher=MockCertFetcher(), ) ERR_CLASSES = { cls.__name__: cls for cls in ( PathValidationError, RevokedError, InsufficientRevinfoError, StaleRevinfoError, ) } @dataclass(frozen=True) class PKITSTestCaseErrorResult: err_class: Type[Exception] msg_regex: str def test_rsassa_pss(): cert = load_cert_object('testing-ca-pss', 'signer1.cert.pem') ca_certs = [load_cert_object('testing-ca-pss', 'root.cert.pem')] other_certs = [load_cert_object('testing-ca-pss', 'interm.cert.pem')] moment = datetime(2021, 5, 3, tzinfo=timezone.utc) context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, allow_fetching=False, moment=moment, revocation_mode='soft-fail', weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) def test_rsassa_pss_exclusive(): cert = load_cert_object('testing-ca-pss-exclusive', 'signer1.cert.pem') ca_certs = [load_cert_object('testing-ca-pss-exclusive', 'root.cert.pem')] other_certs = [ load_cert_object('testing-ca-pss-exclusive', 'interm.cert.pem') ] moment = datetime(2021, 5, 3, tzinfo=timezone.utc) context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, allow_fetching=False, moment=moment, revocation_mode='soft-fail', weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) def test_ed25519(): cert = load_cert_object('testing-ca-ed25519', 'signer.cert.pem') ca_certs = [load_cert_object('testing-ca-ed25519', 'root.cert.pem')] other_certs = [load_cert_object('testing-ca-ed25519', 'interm.cert.pem')] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, allow_fetching=False, revocation_mode='soft-fail', weak_hash_algos={'md2', 'md5'}, moment=datetime(2020, 11, 1, tzinfo=timezone.utc), ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) def test_ed448(): cert = load_cert_object('testing-ca-ed448', 'signer.cert.pem') ca_certs = [load_cert_object('testing-ca-ed448', 'root.cert.pem')] other_certs = [load_cert_object('testing-ca-ed448', 'interm.cert.pem')] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, allow_fetching=False, revocation_mode='soft-fail', weak_hash_algos={'md2', 'md5'}, moment=datetime(2020, 11, 1, tzinfo=timezone.utc), ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) def test_assert_no_revinfo_needed_by_fiat(): cert = load_cert_object('testing-ca-pss', 'signer1.cert.pem') ca_certs = [load_cert_object('testing-ca-pss', 'root.cert.pem')] other_certs = [load_cert_object('testing-ca-pss', 'interm.cert.pem')] moment = datetime(2021, 5, 3, tzinfo=timezone.utc) assertion = NonRevokedStatusAssertion(cert.sha256, moment) revinfo_manager = RevinfoManager( certificate_registry=CertificateRegistry.build(), poe_manager=POEManager(), crls=(), ocsps=(), assertions=(assertion,), ) context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, allow_fetching=False, moment=moment, revocation_mode='require', # turn on strict revinfovalidation revinfo_manager=revinfo_manager, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) def test_multitasking_ocsp(): # regression test for case where the same responder ID (name + key ID) # is used in OCSP responses for different issuers in the same chain of # trust ors_dir = os.path.join(FIXTURES_DIR, 'multitasking-ocsp') with open(os.path.join(ors_dir, 'ocsp-resp-alice.der'), 'rb') as ocspin: ocsp_resp_alice = ocsp.OCSPResponse.load(ocspin.read()) with open(os.path.join(ors_dir, 'ocsp-resp-interm.der'), 'rb') as ocspin: ocsp_resp_interm = ocsp.OCSPResponse.load(ocspin.read()) vc = ValidationContext( trust_roots=[ load_cert_object('multitasking-ocsp', 'root.cert.pem'), ], other_certs=[load_cert_object('multitasking-ocsp', 'interm.cert.pem')], revocation_mode='hard-fail', allow_fetching=False, ocsps=[ocsp_resp_interm, ocsp_resp_alice], moment=datetime(2021, 8, 19, 12, 20, 44, tzinfo=timezone.utc), ) cert = load_cert_object('multitasking-ocsp', 'alice.cert.pem') paths = vc.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(vc, path) @dataclass(frozen=True) class OCSPTestCase: name: str roots: List[x509.Certificate] cert: x509.Certificate ocsps: List[ocsp.OCSPResponse] path_len: int moment: datetime other_certs: List[x509.Certificate] = field(default_factory=list) expected_error: Optional[PKITSTestCaseErrorResult] = None @classmethod def from_json(cls, obj: dict): roots = [load_cert_object('openssl-ocsp', obj['root'])] kwargs = dict( name=obj['name'], cert=load_cert_object('openssl-ocsp', obj['cert']), path_len=int(obj['path_len']), moment=datetime.fromisoformat(obj['moment']), roots=roots, ) kwargs['ocsps'] = [ load_openssl_ors(filename) for filename in obj['ocsps'] ] if 'other_certs' in obj: kwargs['other_certs'] = [ load_cert_object('openssl-ocsp', filename) for filename in obj['other_certs'] ] if 'error' in obj: kwargs['expected_error'] = PKITSTestCaseErrorResult( ERR_CLASSES[obj['error']['class']], obj['error']['msg_regex'] ) return OCSPTestCase(**kwargs) def read_openssl_ocsp_test_params(): data_path = os.path.join(FIXTURES_DIR, 'openssl-ocsp', 'openssl-ocsp.json') with open(data_path, 'r') as inf: cases = json.load(inf) return [OCSPTestCase.from_json(obj) for obj in cases] @pytest.mark.parametrize( "test_case", read_openssl_ocsp_test_params(), ids=lambda case: case.name ) def test_openssl_ocsp(test_case: OCSPTestCase): context = ValidationContext( trust_roots=test_case.roots, other_certs=test_case.other_certs, moment=test_case.moment, ocsps=test_case.ocsps, weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(test_case.cert) assert 1 == len(paths) path = paths[0] assert test_case.path_len == len(path) err = test_case.expected_error if err: with pytest.raises(err.err_class, match=err.msg_regex): validate_path(context, path) else: validate_path(context, path) def parse_pkix_params(obj: dict): kwargs = {} if 'user_initial_policy_set' in obj: kwargs['user_initial_policy_set'] = frozenset( obj['user_initial_policy_set'] ) kwargs['initial_policy_mapping_inhibit'] = bool( obj.get('initial_policy_mapping_inhibit', False) ) kwargs['initial_explicit_policy'] = bool( obj.get('initial_explicit_policy', False) ) kwargs['initial_any_policy_inhibit'] = bool( obj.get('initial_any_policy_inhibit', False) ) return PKIXValidationParams(**kwargs) @dataclass(frozen=True) class CannedTestInfo: test_id: int test_name: str def __str__(self): return f"{self.test_id} ({self.test_name})" @dataclass(frozen=True) class PKITSTestCase: test_info: CannedTestInfo cert: x509.Certificate roots: List[x509.Certificate] crls: List[crl.CertificateList] path_len: int path: Optional[ValidationPath] = None check_revocation: bool = True other_certs: List[x509.Certificate] = field(default_factory=list) expected_error: Optional[PKITSTestCaseErrorResult] = None pkix_params: Optional[PKIXValidationParams] = None @classmethod def from_json(cls, obj: dict): root = load_nist_cert('TrustAnchorRootCertificate.crt') crls = [load_nist_crl('TrustAnchorRootCRL.crl')] if 'crls' in obj: crls.extend(load_nist_crl(crl_path) for crl_path in obj['crls']) cert = load_nist_cert(obj['cert']) kwargs = dict( test_info=CannedTestInfo( test_id=int(obj['id']), test_name=obj['name'], ), cert=cert, path_len=int(obj['path_len']), check_revocation=bool(obj.get('revocation', True)), roots=[root], crls=crls, ) kwargs['crls'] = crls if 'other_certs' in obj: kwargs['other_certs'] = [ load_nist_cert(cert_path) for cert_path in obj['other_certs'] ] if 'path_intermediates' in obj: # -> prebuild the path as indicated in the test spec kwargs['path'] = ValidationPath( trust_anchor=CertTrustAnchor(root), interm=( load_nist_cert(cert_path) for cert_path in obj['path_intermediates'] ), leaf=cert, ) if 'params' in obj: kwargs['pkix_params'] = parse_pkix_params(obj['params']) if 'error' in obj: kwargs['expected_error'] = PKITSTestCaseErrorResult( ERR_CLASSES[obj['error']['class']], obj['error']['msg_regex'] ) return PKITSTestCase(**kwargs) def read_pkits_test_params(): data_path = os.path.join(FIXTURES_DIR, 'nist_pkits', 'pkits.json') with open(data_path, 'r') as inf: cases = json.load(inf) return [PKITSTestCase.from_json(obj) for obj in cases] @freeze_time('2022-05-01') @pytest.mark.parametrize( 'test_case', read_pkits_test_params(), ids=lambda case: str(case.test_info) ) def test_nist_pkits(test_case: PKITSTestCase): revocation_mode = "require" if test_case.check_revocation else "hard-fail" context = ValidationContext( trust_roots=test_case.roots, other_certs=test_case.other_certs, crls=test_case.crls, revocation_mode=revocation_mode, # adjust default algo policy to pass NIST tests algorithm_usage_policy=DisallowWeakAlgorithmsPolicy( weak_hash_algos={'md2', 'md5'}, dsa_key_size_threshold=1024 ), ) if test_case.path is None: paths = context.path_builder.build_paths(test_case.cert) assert 1 == len(paths) path: ValidationPath = paths[0] else: path = test_case.path assert test_case.path_len == len(path) err = test_case.expected_error params = test_case.pkix_params if err is not None: with pytest.raises(err.err_class, match=err.msg_regex): validate_path(context, path, parameters=params) else: validate_path(context, path, parameters=params) # sanity check if params is not None and params.user_initial_policy_set != { 'any_policy' }: qps = path.qualified_policies() if qps is not None: for pol in qps: assert ( pol.user_domain_policy_id in params.user_initial_policy_set ) def nist_revocation_tests(): specs = read_pkits_test_params() return [spec for spec in specs if spec.check_revocation] class ReturnPredeterminedCRLs(CRLFetcher): def __init__(self, crls): self.crls = crls def fetched_crls_for_cert( self, cert: x509.Certificate ) -> Iterable[crl.CertificateList]: raise KeyError() def fetched_crls(self) -> Iterable[crl.CertificateList]: return () async def fetch(self, cert: x509.Certificate, *, use_deltas=None): return self.crls @freeze_time('2022-05-01') @pytest.mark.parametrize( 'test_case', nist_revocation_tests(), ids=lambda case: str(case.test_info) ) def test_nist_pkits_with_simulated_crl_downloads(test_case: PKITSTestCase): fetchers = Fetchers( ocsp_fetcher=MockOCSPFetcher(), crl_fetcher=ReturnPredeterminedCRLs(test_case.crls), cert_fetcher=MockCertFetcher(), ) # TODO rework failure messages and realign fixtures # so we can do message validations here. # Also consider having multiple variant runs with # slightly different revo policies policy = RevocationCheckingPolicy( RevocationCheckingRule.CRL_REQUIRED, RevocationCheckingRule.CRL_REQUIRED, ) context = ValidationContext( trust_roots=test_case.roots, other_certs=test_case.other_certs, allow_fetching=True, fetchers=fetchers, revinfo_policy=CertRevTrustPolicy( revocation_checking_policy=policy, ), # adjust default algo policy to pass NIST tests algorithm_usage_policy=DisallowWeakAlgorithmsPolicy( weak_hash_algos={'md2', 'md5'}, dsa_key_size_threshold=1024 ), ) if test_case.path is None: paths = context.path_builder.build_paths(test_case.cert) assert 1 == len(paths) path: ValidationPath = paths[0] else: path = test_case.path err = test_case.expected_error params = test_case.pkix_params if err is not None: with pytest.raises(err.err_class): validate_path(context, path, parameters=params) else: validate_path(context, path, parameters=params) @dataclass(frozen=True) class PKITSUserNoticeTestCase: test_info: CannedTestInfo cert: x509.Certificate roots: List[x509.Certificate] crls: List[crl.CertificateList] notice: str other_certs: List[x509.Certificate] = field(default_factory=list) pkix_params: Optional[PKIXValidationParams] = None @classmethod def from_json(cls, obj: dict): roots = [load_nist_cert('TrustAnchorRootCertificate.crt')] crls = [load_nist_crl('TrustAnchorRootCRL.crl')] if 'crls' in obj: crls.extend(load_nist_crl(crl_path) for crl_path in obj['crls']) kwargs = dict( test_info=CannedTestInfo( test_id=int(obj['id']), test_name=obj['name'], ), cert=load_nist_cert(obj['cert']), roots=roots, crls=crls, notice=obj['notice'], ) kwargs['crls'] = crls if 'other_certs' in obj: kwargs['other_certs'] = [ load_nist_cert(cert_path) for cert_path in obj['other_certs'] ] if 'params' in obj: kwargs['pkix_params'] = parse_pkix_params(obj['params']) return PKITSUserNoticeTestCase(**kwargs) def read_pkits_user_notice_test_params(): data_path = os.path.join( FIXTURES_DIR, 'nist_pkits', 'pkits-user-notice.json' ) with open(data_path, 'r') as inf: cases = json.load(inf) return [PKITSUserNoticeTestCase.from_json(obj) for obj in cases] @freeze_time('2022-05-01') @pytest.mark.parametrize( 'test_case', read_pkits_user_notice_test_params(), ids=lambda case: str(case.test_info), ) def test_nist_pkits_user_notice(test_case: PKITSUserNoticeTestCase): context = ValidationContext( trust_roots=test_case.roots, other_certs=test_case.other_certs, crls=test_case.crls, revocation_mode="require", weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(test_case.cert) assert 1 == len(paths) path: ValidationPath = paths[0] validate_path(context, path, parameters=test_case.pkix_params) qps = path.qualified_policies() assert 1 == len(qps) qp: QualifiedPolicy (qp,) = qps assert 1 == len(qp.qualifiers) (qual_obj,) = qp.qualifiers assert qual_obj['policy_qualifier_id'].native == 'user_notice' assert qual_obj['qualifier']['explicit_text'].native == test_case.notice @freeze_time('2022-05-01') def test_408020_cps_pointer_qualifier_test20(): cert = load_nist_cert('CPSPointerQualifierTest20EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')] other_certs = [load_nist_cert('GoodCACert.crt')] crls = [ load_nist_crl('GoodCACRL.crl'), load_nist_crl('TrustAnchorRootCRL.crl'), ] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, crls=crls, revocation_mode="require", weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path: ValidationPath = paths[0] validate_path(context, path) qps = path.qualified_policies() assert 1 == len(qps) qp: QualifiedPolicy (qp,) = qps assert 1 == len(qp.qualifiers) (qual_obj,) = qp.qualifiers assert ( qual_obj['policy_qualifier_id'].native == 'certification_practice_statement' ) assert qual_obj['qualifier'].native == ( 'http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/' 'pki_registration.html#PKITest' ) class MockRequestsCertificateFetcher( requests_fetchers.RequestsCertificateFetcher ): def __init__(self, *args, order, **kwargs): super().__init__(*args, **kwargs) self.order = order root_ca = load_cert_object('multilayer', 'certs', 'root.cert.pem') middle_ca = load_cert_object('multilayer', 'certs', 'interm1.cert.pem') end_ca = load_cert_object('multilayer', 'certs', 'interm2.cert.pem') self.certs = {'root': root_ca, 'middle': middle_ca, 'end': end_ca} async def fetch_certs(self, *args, **kwargs) -> Iterable[x509.Certificate]: return [ self.certs[self.order[0]], self.certs[self.order[1]], self.certs[self.order[2]], ] @pytest.mark.parametrize( 'cert_order', [ ('root', 'middle', 'end'), ('root', 'end', 'middle'), ('middle', 'root', 'end'), ('middle', 'end', 'root'), ('root', 'end', 'middle'), ('root', 'middle', 'end'), ], ) @pytest.mark.asyncio async def test_building_trust_path_fetched_in_different_orders(cert_order): trust_path = [ 'Root CA', 'Intermediate CA 1', 'Intermediate CA 2', ] root = load_cert_object('multilayer', 'certs', 'root.cert.pem') trust_manager = SimpleTrustManager.build( trust_roots=[root], ) cert = load_cert_object('multilayer', 'certs', 'alice.cert.pem') registry = CertificateRegistry.build( certs=(cert,), cert_fetcher=MockRequestsCertificateFetcher(order=cert_order), ) builder = PathBuilder(trust_manager=trust_manager, registry=registry) paths = await builder.async_build_paths(end_entity_cert=cert) paths_common_name = [ [ authority.name.native['common_name'] for authority in path.iter_authorities() ] for path in paths ] assert trust_path in paths_common_name @freeze_time('2020-11-29') def test_do_not_fetch_crl_if_cache_sufficient(): cert = load_cert_object('ades', 'time-slide', 'certs', 'alice.crt') ca_certs = [load_cert_object('ades', 'time-slide', 'certs', 'root.crt')] other_certs = [ load_cert_object('ades', 'time-slide', 'certs', 'interm.crt') ] crls = [ load_crl('ades', 'time-slide', 'interm-2020-10-01.crl'), load_crl('ades', 'time-slide', 'root-2020-10-01.crl'), ] moment = datetime(2020, 10, 2, tzinfo=timezone.utc) crl_fetcher = MockCRLFetcher() fetchers = Fetchers( ocsp_fetcher=MockOCSPFetcher(), crl_fetcher=crl_fetcher, cert_fetcher=MockCertFetcher(), ) context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, crls=crls, allow_fetching=True, fetchers=fetchers, moment=moment, revocation_mode='require', ) assert crl_fetcher.calls == 0 paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path = paths[0] assert 3 == len(path) validate_path(context, path) @freeze_time('2022-05-01') def test_41503_invalid_deltacrl_test3_combine_cache_with_fetched(): cert = load_nist_cert('InvaliddeltaCRLTest4EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')] other_certs = [load_nist_cert('deltaCRLCA1Cert.crt')] crls = [ load_nist_crl('deltaCRLCA1CRL.crl'), load_nist_crl('TrustAnchorRootCRL.crl'), # the delta CRL will only be returned later ] class DeltaCRLFetcher(CRLFetcher, MockFetcher): def fetched_crls_for_cert( self, cert: x509.Certificate ) -> Iterable[crl.CertificateList]: raise KeyError() def fetched_crls(self) -> Iterable[crl.CertificateList]: return () async def fetch(self, cert: x509.Certificate, *, use_deltas=None): self.calls += 1 return [load_nist_crl('deltaCRLCA1deltaCRL.crl')] fetchers = Fetchers( ocsp_fetcher=MockOCSPFetcher(), crl_fetcher=DeltaCRLFetcher(), cert_fetcher=MockCertFetcher(), ) context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, crls=crls, allow_fetching=True, fetchers=fetchers, revocation_mode="require", weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path: ValidationPath = paths[0] with pytest.raises(RevokedError, match=".*revoked at 08:30:00.*"): validate_path(context, path) @freeze_time('2022-05-01') def test_fail_validation_if_required_delta_crl_not_available(): cert = load_nist_cert('InvaliddeltaCRLTest4EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')] other_certs = [load_nist_cert('deltaCRLCA1Cert.crt')] crls = [ load_nist_crl('deltaCRLCA1CRL.crl'), load_nist_crl('TrustAnchorRootCRL.crl'), ] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, crls=crls, allow_fetching=False, revocation_mode="require", weak_hash_algos={'md2', 'md5'}, ) paths = context.path_builder.build_paths(cert) assert 1 == len(paths) path: ValidationPath = paths[0] with pytest.raises(InsufficientRevinfoError, match=".*Delta CRL.*"): validate_path(context, path) @pytest.mark.asyncio async def test_context_retrieve_all_crls(): cert = load_nist_cert('InvaliddeltaCRLTest4EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')] other_certs = [load_nist_cert('deltaCRLCA1Cert.crt')] crl1 = load_nist_crl('deltaCRLCA1CRL.crl') crl2 = load_nist_crl('TrustAnchorRootCRL.crl') crl3 = load_nist_crl('deltaCRLCA1deltaCRL.crl') crls = [crl1, crl2] context = ValidationContext( trust_roots=ca_certs, other_certs=other_certs, crls=crls, allow_fetching=True, fetchers=Fetchers( ocsp_fetcher=MockOCSPFetcher(), crl_fetcher=ReturnPredeterminedCRLs([crl3]), cert_fetcher=MockCertFetcher(), ), revocation_mode="require", weak_hash_algos={'md2', 'md5'}, ) retrieved_crls = await context.async_retrieve_crls(cert) assert {c.dump() for c in retrieved_crls} == { crl1.dump(), crl2.dump(), crl3.dump(), } @pytest.mark.asyncio async def test_root_time_bound(): ca = load_cert_object('testing-ca-ed25519', 'root.cert.pem') anchor = CertTrustAnchor(cert=ca, derive_default_quals_from_cert=True) moment = datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc) context = ValidationContext( trust_manager=SimpleTrustManager.build([anchor]), moment=moment ) path = ValidationPath(trust_anchor=anchor, interm=[], leaf=None) await async_validate_path(context, path) @pytest.mark.asyncio async def test_root_expired(): ca = load_cert_object('testing-ca-ed25519', 'root.cert.pem') anchor = CertTrustAnchor(cert=ca, derive_default_quals_from_cert=True) moment = datetime(3124, 1, 1, 0, 0, 0, tzinfo=timezone.utc) context = ValidationContext( trust_manager=SimpleTrustManager.build([anchor]), moment=moment ) path = ValidationPath(trust_anchor=anchor, interm=[], leaf=None) with pytest.raises(ExpiredError, match='the trust anchor expired'): await async_validate_path(context, path) @pytest.mark.asyncio async def test_root_not_yet_valid(): ca = load_cert_object('testing-ca-ed25519', 'root.cert.pem') anchor = CertTrustAnchor(cert=ca, derive_default_quals_from_cert=True) moment = datetime(1999, 1, 1, 0, 0, 0, tzinfo=timezone.utc) context = ValidationContext( trust_manager=SimpleTrustManager.build([anchor]), moment=moment ) path = ValidationPath(trust_anchor=anchor, interm=[], leaf=None) with pytest.raises( NotYetValidError, match='the trust anchor is not valid until' ): await async_validate_path(context, path) @pytest.mark.asyncio @pytest.mark.parametrize( 'moment', [ datetime(1999, 1, 1, 0, 0, 0, tzinfo=timezone.utc), datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc), datetime(3124, 1, 1, 0, 0, 0, tzinfo=timezone.utc), ], ) async def test_basic_certificate_validator_root_expiration_unquestioned(moment): ca = load_cert_object('testing-ca-ed25519', 'root.cert.pem') anchor = CertTrustAnchor(cert=ca, derive_default_quals_from_cert=False) context = ValidationContext( trust_manager=SimpleTrustManager.build([anchor]), moment=moment ) path = ValidationPath(trust_anchor=anchor, interm=[], leaf=None) await async_validate_path(context, path)