nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0201-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch

8e15ce
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
8e15ce
From: Javier Martinez Canillas <javierm@redhat.com>
8e15ce
Date: Sat, 8 May 2021 02:27:58 +0200
8e15ce
Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage
8e15ce
 extension
8e15ce
8e15ce
Red Hat certificates have both Key Usage and Extended Key Usage extensions
8e15ce
present, but the appended signatures x509 parser doesn't handle the latter
8e15ce
and so buils due finding an unrecognised critical extension:
8e15ce
8e15ce
Error loading initial key:
8e15ce
../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37
8e15ce
8e15ce
Fix this by also parsing the Extended Key Usage extension and handle it by
8e15ce
verifying that the certificate has a single purpose, that is code signing.
8e15ce
8e15ce
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
8e15ce
Signed-off-by: Daniel Axtens <dja@axtens.net>
8e15ce
---
8e15ce
 grub-core/commands/appendedsig/x509.c     | 94 ++++++++++++++++++++++++++++++-
8e15ce
 grub-core/tests/appended_signature_test.c | 29 +++++++++-
8e15ce
 grub-core/tests/appended_signatures.h     | 81 ++++++++++++++++++++++++++
8e15ce
 3 files changed, 201 insertions(+), 3 deletions(-)
8e15ce
8e15ce
diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c
8e15ce
index 2b38b3670a2..42ec65c54aa 100644
8e15ce
--- a/grub-core/commands/appendedsig/x509.c
8e15ce
+++ b/grub-core/commands/appendedsig/x509.c
8e15ce
@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15";
8e15ce
  */
8e15ce
 const char *basicConstraints_oid = "2.5.29.19";
8e15ce
 
8e15ce
+/*
8e15ce
+ * RFC 5280 4.2.1.12 Extended Key Usage
8e15ce
+ */
8e15ce
+const char *extendedKeyUsage_oid = "2.5.29.37";
8e15ce
+const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3";
8e15ce
+
8e15ce
 /*
8e15ce
  * RFC 3279 2.3.1
8e15ce
  *
8e15ce
@@ -637,6 +643,77 @@ cleanup:
8e15ce
   return err;
8e15ce
 }
8e15ce
 
8e15ce
+/*
8e15ce
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
8e15ce
+ *
8e15ce
+ * KeyPurposeId ::= OBJECT IDENTIFIER
8e15ce
+ */
8e15ce
+static grub_err_t
8e15ce
+verify_extended_key_usage (grub_uint8_t * value, int value_size)
8e15ce
+{
8e15ce
+  asn1_node extendedasn;
8e15ce
+  int result, count;
8e15ce
+  grub_err_t err = GRUB_ERR_NONE;
8e15ce
+  char usage[MAX_OID_LEN];
8e15ce
+  int usage_size = sizeof (usage);
8e15ce
+
8e15ce
+  result =
8e15ce
+    asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax",
8e15ce
+			 &extendedasn);
8e15ce
+  if (result != ASN1_SUCCESS)
8e15ce
+    {
8e15ce
+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
8e15ce
+			 "Could not create ASN.1 structure for Extended Key Usage");
8e15ce
+    }
8e15ce
+
8e15ce
+  result = asn1_der_decoding2 (&extendedasn, value, &value_size,
8e15ce
+			       ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
8e15ce
+  if (result != ASN1_SUCCESS)
8e15ce
+    {
8e15ce
+      err =
8e15ce
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
8e15ce
+		    "Error parsing DER for Extended Key Usage: %s",
8e15ce
+		    asn1_error);
8e15ce
+      goto cleanup;
8e15ce
+    }
8e15ce
+
8e15ce
+  /*
8e15ce
+   * If EKUs are present, there must be exactly 1 and it must be a
8e15ce
+   * codeSigning usage.
8e15ce
+   */
8e15ce
+  result = asn1_number_of_elements(extendedasn, "", &count);
8e15ce
+  if (result != ASN1_SUCCESS)
8e15ce
+    {
8e15ce
+      err =
8e15ce
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
8e15ce
+		    "Error counting number of Extended Key Usages: %s",
8e15ce
+		    asn1_strerror (result));
8e15ce
+      goto cleanup;
8e15ce
+    }
8e15ce
+
8e15ce
+  result = asn1_read_value (extendedasn, "?1", usage, &usage_size);
8e15ce
+  if (result != ASN1_SUCCESS)
8e15ce
+    {
8e15ce
+      err =
8e15ce
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
8e15ce
+		    "Error reading Extended Key Usage: %s",
8e15ce
+		    asn1_strerror (result));
8e15ce
+      goto cleanup;
8e15ce
+    }
8e15ce
+
8e15ce
+  if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0)
8e15ce
+    {
8e15ce
+      err =
8e15ce
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
8e15ce
+		    "Unexpected Extended Key Usage OID, got: %s",
8e15ce
+		    usage);
8e15ce
+      goto cleanup;
8e15ce
+    }
8e15ce
+
8e15ce
+cleanup:
8e15ce
+  asn1_delete_structure (&extendedasn);
8e15ce
+  return err;
8e15ce
+}
8e15ce
 
8e15ce
 /*
8e15ce
  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
8e15ce
@@ -660,7 +737,7 @@ verify_extensions (asn1_node cert)
8e15ce
 {
8e15ce
   int result;
8e15ce
   int ext, num_extensions = 0;
8e15ce
-  int usage_present = 0, constraints_present = 0;
8e15ce
+  int usage_present = 0, constraints_present = 0, extended_usage_present = 0;
8e15ce
   char *oid_path, *critical_path, *value_path;
8e15ce
   char extnID[MAX_OID_LEN];
8e15ce
   int extnID_size;
8e15ce
@@ -754,6 +831,15 @@ verify_extensions (asn1_node cert)
8e15ce
 	    }
8e15ce
 	  constraints_present++;
8e15ce
 	}
8e15ce
+      else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0)
8e15ce
+	{
8e15ce
+	  err = verify_extended_key_usage (value, value_size);
8e15ce
+	  if (err != GRUB_ERR_NONE)
8e15ce
+	    {
8e15ce
+	      goto cleanup_value;
8e15ce
+	    }
8e15ce
+	  extended_usage_present++;
8e15ce
+	}
8e15ce
       else if (grub_strncmp ("TRUE", critical, critical_size) == 0)
8e15ce
 	{
8e15ce
 	  /*
8e15ce
@@ -785,6 +871,12 @@ verify_extensions (asn1_node cert)
8e15ce
 			 "Unexpected number of basic constraints extensions - expected 1, got %d",
8e15ce
 			 constraints_present);
8e15ce
     }
8e15ce
+  if (extended_usage_present > 1)
8e15ce
+    {
8e15ce
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
8e15ce
+			 "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d",
8e15ce
+			 extended_usage_present);
8e15ce
+    }
8e15ce
   return GRUB_ERR_NONE;
8e15ce
 
8e15ce
 cleanup_value:
8e15ce
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
8e15ce
index 88a485200d8..dbba0616621 100644
8e15ce
--- a/grub-core/tests/appended_signature_test.c
8e15ce
+++ b/grub-core/tests/appended_signature_test.c
8e15ce
@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = {
8e15ce
   .get_contents = get_certificate_printable_der
8e15ce
 };
8e15ce
 
8e15ce
+static char *
8e15ce
+get_certificate_eku_der (grub_size_t * sz)
8e15ce
+{
8e15ce
+  char *ret;
8e15ce
+  *sz = certificate_eku_der_len;
8e15ce
+  ret = grub_malloc (*sz);
8e15ce
+  if (ret)
8e15ce
+    grub_memcpy (ret, certificate_eku_der, *sz);
8e15ce
+  return ret;
8e15ce
+}
8e15ce
+
8e15ce
+static struct grub_procfs_entry certificate_eku_der_entry = {
8e15ce
+  .name = "certificate_eku.der",
8e15ce
+  .get_contents = get_certificate_eku_der
8e15ce
+};
8e15ce
+
8e15ce
 
8e15ce
 static void
8e15ce
 do_verify (const char *f, int is_valid)
8e15ce
@@ -149,6 +165,7 @@ appended_signature_test (void)
8e15ce
   char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
8e15ce
   char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
8e15ce
 				   NULL };
8e15ce
+  char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL };
8e15ce
   char *distrust_args[] = { (char *) "1", NULL };
8e15ce
   char *distrust2_args[] = { (char *) "2", NULL };
8e15ce
   grub_err_t err;
8e15ce
@@ -157,6 +174,7 @@ appended_signature_test (void)
8e15ce
   grub_procfs_register ("certificate2.der", &certificate2_der_entry);
8e15ce
   grub_procfs_register ("certificate_printable.der",
8e15ce
 			&certificate_printable_der_entry);
8e15ce
+  grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry);
8e15ce
 
8e15ce
   cmd_trust = grub_command_find ("trust_certificate");
8e15ce
   if (!cmd_trust)
8e15ce
@@ -266,16 +284,23 @@ appended_signature_test (void)
8e15ce
 
8e15ce
   /*
8e15ce
    * Lastly, check a certificate that uses printableString rather than
8e15ce
-   * utf8String loads properly.
8e15ce
+   * utf8String loads properly, and that a certificate with an appropriate
8e15ce
+   * extended key usage loads.
8e15ce
    */
8e15ce
   err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
8e15ce
   grub_test_assert (err == GRUB_ERR_NONE,
8e15ce
-		    "distrusting printable certificate failed: %d: %s",
8e15ce
+		    "trusting printable certificate failed: %d: %s",
8e15ce
+		    grub_errno, grub_errmsg);
8e15ce
+
8e15ce
+  err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku);
8e15ce
+  grub_test_assert (err == GRUB_ERR_NONE,
8e15ce
+		    "trusting certificate with extended key usage failed: %d: %s",
8e15ce
 		    grub_errno, grub_errmsg);
8e15ce
 
8e15ce
   grub_procfs_unregister (&certificate_der_entry);
8e15ce
   grub_procfs_unregister (&certificate2_der_entry);
8e15ce
   grub_procfs_unregister (&certificate_printable_der_entry);
8e15ce
+  grub_procfs_unregister (&certificate_eku_der_entry);
8e15ce
 }
8e15ce
 
8e15ce
 GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
8e15ce
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
8e15ce
index aa3dc6278e3..2e5ebd7d8bd 100644
8e15ce
--- a/grub-core/tests/appended_signatures.h
8e15ce
+++ b/grub-core/tests/appended_signatures.h
8e15ce
@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = {
8e15ce
   0xd2
8e15ce
 };
8e15ce
 unsigned int certificate_printable_der_len = 829;
8e15ce
+
8e15ce
+unsigned char certificate_eku_der[] = {
8e15ce
+  0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01,
8e15ce
+  0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45,
8e15ce
+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
8e15ce
+  0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
8e15ce
+  0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
8e15ce
+  0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
8e15ce
+  0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86,
8e15ce
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
8e15ce
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74,
8e15ce
+  0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32,
8e15ce
+  0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33,
8e15ce
+  0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a,
8e15ce
+  0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
8e15ce
+  0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63,
8e15ce
+  0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67,
8e15ce
+  0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20,
8e15ce
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
8e15ce
+  0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65,
8e15ce
+  0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,
8e15ce
+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
8e15ce
+  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
8e15ce
+  0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15,
8e15ce
+  0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85,
8e15ce
+  0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06,
8e15ce
+  0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5,
8e15ce
+  0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76,
8e15ce
+  0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd,
8e15ce
+  0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c,
8e15ce
+  0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9,
8e15ce
+  0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78,
8e15ce
+  0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29,
8e15ce
+  0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb,
8e15ce
+  0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09,
8e15ce
+  0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6,
8e15ce
+  0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27,
8e15ce
+  0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7,
8e15ce
+  0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55,
8e15ce
+  0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68,
8e15ce
+  0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90,
8e15ce
+  0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62,
8e15ce
+  0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16,
8e15ce
+  0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b,
8e15ce
+  0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01,
8e15ce
+  0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
8e15ce
+  0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03,
8e15ce
+  0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80,
8e15ce
+  0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c,
8e15ce
+  0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,
8e15ce
+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c,
8e15ce
+  0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f,
8e15ce
+  0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55,
8e15ce
+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab,
8e15ce
+  0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4,
8e15ce
+  0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
8e15ce
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
8e15ce
+  0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9,
8e15ce
+  0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef,
8e15ce
+  0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29,
8e15ce
+  0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b,
8e15ce
+  0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf,
8e15ce
+  0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32,
8e15ce
+  0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9,
8e15ce
+  0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74,
8e15ce
+  0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb,
8e15ce
+  0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0,
8e15ce
+  0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24,
8e15ce
+  0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06,
8e15ce
+  0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57,
8e15ce
+  0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61,
8e15ce
+  0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21,
8e15ce
+  0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1,
8e15ce
+  0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81,
8e15ce
+  0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3,
8e15ce
+  0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e,
8e15ce
+  0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd,
8e15ce
+  0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21,
8e15ce
+  0x89, 0xa0, 0x55, 0xf7
8e15ce
+};
8e15ce
+unsigned int certificate_eku_der_len = 916;