Blame SOURCES/0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch

6bd801
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
6bd801
From: Javier Martinez Canillas <javierm@redhat.com>
6bd801
Date: Sat, 8 May 2021 02:27:58 +0200
6bd801
Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage
6bd801
 extension
6bd801
6bd801
Red Hat certificates have both Key Usage and Extended Key Usage extensions
6bd801
present, but the appended signatures x509 parser doesn't handle the latter
6bd801
and so fails due to finding an unrecognised critical extension:
6bd801
6bd801
Error loading initial key:
6bd801
../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37
6bd801
6bd801
Fix this by also parsing the Extended Key Usage extension and handle it by
6bd801
verifying that the certificate has a single purpose, that is code signing.
6bd801
6bd801
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
6bd801
Signed-off-by: Daniel Axtens <dja@axtens.net>
6bd801
---
6bd801
 grub-core/commands/appendedsig/x509.c     | 94 ++++++++++++++++++++++++++++++-
6bd801
 grub-core/tests/appended_signature_test.c | 29 +++++++++-
6bd801
 grub-core/tests/appended_signatures.h     | 81 ++++++++++++++++++++++++++
6bd801
 3 files changed, 201 insertions(+), 3 deletions(-)
6bd801
6bd801
diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c
b71686
index 652e4f168..34a2070a7 100644
6bd801
--- a/grub-core/commands/appendedsig/x509.c
6bd801
+++ b/grub-core/commands/appendedsig/x509.c
6bd801
@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15";
6bd801
  */
6bd801
 const char *basicConstraints_oid = "2.5.29.19";
6bd801
 
6bd801
+/*
6bd801
+ * RFC 5280 4.2.1.12 Extended Key Usage
6bd801
+ */
6bd801
+const char *extendedKeyUsage_oid = "2.5.29.37";
6bd801
+const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3";
6bd801
+
6bd801
 /*
6bd801
  * RFC 3279 2.3.1
6bd801
  *
6bd801
@@ -651,6 +657,77 @@ cleanup:
6bd801
   return err;
6bd801
 }
6bd801
 
6bd801
+/*
6bd801
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
6bd801
+ *
6bd801
+ * KeyPurposeId ::= OBJECT IDENTIFIER
6bd801
+ */
6bd801
+static grub_err_t
6bd801
+verify_extended_key_usage (grub_uint8_t * value, int value_size)
6bd801
+{
6bd801
+  asn1_node extendedasn;
6bd801
+  int result, count;
6bd801
+  grub_err_t err = GRUB_ERR_NONE;
6bd801
+  char usage[MAX_OID_LEN];
6bd801
+  int usage_size = sizeof (usage);
6bd801
+
6bd801
+  result =
6bd801
+    asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax",
6bd801
+			 &extendedasn);
6bd801
+  if (result != ASN1_SUCCESS)
6bd801
+    {
6bd801
+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,
6bd801
+			 "Could not create ASN.1 structure for Extended Key Usage");
6bd801
+    }
6bd801
+
6bd801
+  result = asn1_der_decoding2 (&extendedasn, value, &value_size,
6bd801
+			       ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
6bd801
+  if (result != ASN1_SUCCESS)
6bd801
+    {
6bd801
+      err =
6bd801
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
6bd801
+		    "Error parsing DER for Extended Key Usage: %s",
6bd801
+		    asn1_error);
6bd801
+      goto cleanup;
6bd801
+    }
6bd801
+
6bd801
+  /*
6bd801
+   * If EKUs are present, there must be exactly 1 and it must be a
6bd801
+   * codeSigning usage.
6bd801
+   */
6bd801
+  result = asn1_number_of_elements(extendedasn, "", &count);
6bd801
+  if (result != ASN1_SUCCESS)
6bd801
+    {
6bd801
+      err =
6bd801
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
6bd801
+		    "Error counting number of Extended Key Usages: %s",
6bd801
+		    asn1_strerror (result));
6bd801
+      goto cleanup;
6bd801
+    }
6bd801
+
6bd801
+  result = asn1_read_value (extendedasn, "?1", usage, &usage_size);
6bd801
+  if (result != ASN1_SUCCESS)
6bd801
+    {
6bd801
+      err =
6bd801
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
6bd801
+		    "Error reading Extended Key Usage: %s",
6bd801
+		    asn1_strerror (result));
6bd801
+      goto cleanup;
6bd801
+    }
6bd801
+
6bd801
+  if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0)
6bd801
+    {
6bd801
+      err =
6bd801
+	grub_error (GRUB_ERR_BAD_FILE_TYPE,
6bd801
+		    "Unexpected Extended Key Usage OID, got: %s",
6bd801
+		    usage);
6bd801
+      goto cleanup;
6bd801
+    }
6bd801
+
6bd801
+cleanup:
6bd801
+  asn1_delete_structure (&extendedasn);
6bd801
+  return err;
6bd801
+}
6bd801
 
6bd801
 /*
6bd801
  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
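Review bot: The comment in verify_extended_key_usage says there must be exactly one EKU and that it must be codeSigning, but `count` from asn1_number_of_elements is never compared with anything, so only element `?1` is inspected. A certificate whose ExtKeyUsageSyntax lists codeSigning first and other purposes after it would be accepted, which is looser than the "single purpose" rule in the commit message. Reject `count != 1` before reading `?1`, as in the excerpt below. Separately, the grub_strncmp against `usage` is an exact match only if `usage_size`, as updated by asn1_read_value, counts the terminating NUL; that appears to be how OIDs are returned but is worth confirming.

```c
  /* … unchanged: asn1_number_of_elements call and its error check … */

  if (count != 1)
    {
      err =
	grub_error (GRUB_ERR_BAD_FILE_TYPE,
		    "Unexpected number of Extended Key Usages: %d, 1 expected",
		    count);
      goto cleanup;
    }

  /* … unchanged: asn1_read_value of "?1" and the codeSigning comparison … */
```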
6bd801
@@ -674,7 +751,7 @@ verify_extensions (asn1_node cert)
6bd801
 {
6bd801
   int result;
6bd801
   int ext, num_extensions = 0;
6bd801
-  int usage_present = 0, constraints_present = 0;
6bd801
+  int usage_present = 0, constraints_present = 0, extended_usage_present = 0;
6bd801
   char *oid_path, *critical_path, *value_path;
6bd801
   char extnID[MAX_OID_LEN];
6bd801
   int extnID_size;
6bd801
@@ -768,6 +845,15 @@ verify_extensions (asn1_node cert)
6bd801
 	    }
6bd801
 	  constraints_present++;
6bd801
 	}
6bd801
+      else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0)
6bd801
+	{
6bd801
+	  err = verify_extended_key_usage (value, value_size);
6bd801
+	  if (err != GRUB_ERR_NONE)
6bd801
+	    {
6bd801
+	      goto cleanup_value;
6bd801
+	    }
6bd801
+	  extended_usage_present++;
6bd801
+	}
6bd801
       else if (grub_strncmp ("TRUE", critical, critical_size) == 0)
6bd801
 	{
6bd801
 	  /*
6bd801
@@ -799,6 +885,12 @@ verify_extensions (asn1_node cert)
6bd801
 			 "Unexpected number of basic constraints extensions - expected 1, got %d",
6bd801
 			 constraints_present);
6bd801
     }
6bd801
+  if (extended_usage_present > 1)
6bd801
+    {
6bd801
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
6bd801
+			 "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d",
6bd801
+			 extended_usage_present);
6bd801
+    }
6bd801
   return GRUB_ERR_NONE;
6bd801
 
6bd801
 cleanup_value:
6bd801
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
b71686
index 88a485200..dbba06166 100644
6bd801
--- a/grub-core/tests/appended_signature_test.c
6bd801
+++ b/grub-core/tests/appended_signature_test.c
6bd801
@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = {
6bd801
   .get_contents = get_certificate_printable_der
6bd801
 };
6bd801
 
6bd801
+static char *
6bd801
+get_certificate_eku_der (grub_size_t * sz)
6bd801
+{
6bd801
+  char *ret;
6bd801
+  *sz = certificate_eku_der_len;
6bd801
+  ret = grub_malloc (*sz);
6bd801
+  if (ret)
6bd801
+    grub_memcpy (ret, certificate_eku_der, *sz);
6bd801
+  return ret;
6bd801
+}
6bd801
+
6bd801
+static struct grub_procfs_entry certificate_eku_der_entry = {
6bd801
+  .name = "certificate_eku.der",
6bd801
+  .get_contents = get_certificate_eku_der
6bd801
+};
6bd801
+
6bd801
 
6bd801
 static void
6bd801
 do_verify (const char *f, int is_valid)
6bd801
@@ -149,6 +165,7 @@ appended_signature_test (void)
6bd801
   char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
6bd801
   char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
6bd801
 				   NULL };
6bd801
+  char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL };
6bd801
   char *distrust_args[] = { (char *) "1", NULL };
6bd801
   char *distrust2_args[] = { (char *) "2", NULL };
6bd801
   grub_err_t err;
6bd801
@@ -157,6 +174,7 @@ appended_signature_test (void)
6bd801
   grub_procfs_register ("certificate2.der", &certificate2_der_entry);
6bd801
   grub_procfs_register ("certificate_printable.der",
6bd801
 			&certificate_printable_der_entry);
6bd801
+  grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry);
6bd801
 
6bd801
   cmd_trust = grub_command_find ("trust_certificate");
6bd801
   if (!cmd_trust)
6bd801
@@ -266,16 +284,23 @@ appended_signature_test (void)
6bd801
 
6bd801
   /*
6bd801
    * Lastly, check a certificate that uses printableString rather than
6bd801
-   * utf8String loads properly.
6bd801
+   * utf8String loads properly, and that a certificate with an appropriate
6bd801
+   * extended key usage loads.
6bd801
    */
6bd801
   err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
6bd801
   grub_test_assert (err == GRUB_ERR_NONE,
6bd801
-		    "distrusting printable certificate failed: %d: %s",
6bd801
+		    "trusting printable certificate failed: %d: %s",
6bd801
+		    grub_errno, grub_errmsg);
6bd801
+
6bd801
+  err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku);
6bd801
+  grub_test_assert (err == GRUB_ERR_NONE,
6bd801
+		    "trusting certificate with extended key usage failed: %d: %s",
6bd801
 		    grub_errno, grub_errmsg);
6bd801
 
6bd801
   grub_procfs_unregister (&certificate_der_entry);
6bd801
   grub_procfs_unregister (&certificate2_der_entry);
6bd801
   grub_procfs_unregister (&certificate_printable_der_entry);
6bd801
+  grub_procfs_unregister (&certificate_eku_der_entry);
6bd801
 }
6bd801
 
6bd801
 GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
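Review bot: The added test covers only the accepting path: `trust_args_eku` loads a certificate whose single EKU is codeSigning, and nothing exercises a rejection from the new EKU check. Two more fixtures would pin the "single purpose, that is code signing" rule from the commit message: one whose EKU is some other purpose, and one listing codeSigning plus a second purpose, each checked with `grub_test_assert (err != GRUB_ERR_NONE, ...)`. Without them, a parser that accepts extra purposes would still pass this test. appended_signature_test begins outside this hunk.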
6bd801
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
b71686
index aa3dc6278..2e5ebd7d8 100644
6bd801
--- a/grub-core/tests/appended_signatures.h
6bd801
+++ b/grub-core/tests/appended_signatures.h
6bd801
@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = {
6bd801
   0xd2
6bd801
 };
6bd801
 unsigned int certificate_printable_der_len = 829;
6bd801
+
6bd801
+unsigned char certificate_eku_der[] = {
6bd801
+  0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01,
6bd801
+  0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45,
6bd801
+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
6bd801
+  0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
6bd801
+  0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
6bd801
+  0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
6bd801
+  0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86,
6bd801
+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
6bd801
+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74,
6bd801
+  0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32,
6bd801
+  0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33,
6bd801
+  0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a,
6bd801
+  0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
6bd801
+  0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63,
6bd801
+  0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67,
6bd801
+  0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20,
6bd801
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
6bd801
+  0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65,
6bd801
+  0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,
6bd801
+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
6bd801
+  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
6bd801
+  0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15,
6bd801
+  0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85,
6bd801
+  0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06,
6bd801
+  0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5,
6bd801
+  0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76,
6bd801
+  0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd,
6bd801
+  0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c,
6bd801
+  0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9,
6bd801
+  0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78,
6bd801
+  0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29,
6bd801
+  0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb,
6bd801
+  0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09,
6bd801
+  0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6,
6bd801
+  0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27,
6bd801
+  0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7,
6bd801
+  0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55,
6bd801
+  0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68,
6bd801
+  0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90,
6bd801
+  0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62,
6bd801
+  0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16,
6bd801
+  0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b,
6bd801
+  0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01,
6bd801
+  0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
6bd801
+  0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03,
6bd801
+  0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80,
6bd801
+  0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c,
6bd801
+  0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,
6bd801
+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c,
6bd801
+  0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f,
6bd801
+  0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55,
6bd801
+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab,
6bd801
+  0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4,
6bd801
+  0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
6bd801
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
6bd801
+  0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9,
6bd801
+  0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef,
6bd801
+  0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29,
6bd801
+  0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b,
6bd801
+  0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf,
6bd801
+  0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32,
6bd801
+  0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9,
6bd801
+  0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74,
6bd801
+  0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb,
6bd801
+  0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0,
6bd801
+  0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24,
6bd801
+  0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06,
6bd801
+  0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57,
6bd801
+  0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61,
6bd801
+  0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21,
6bd801
+  0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1,
6bd801
+  0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81,
6bd801
+  0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3,
6bd801
+  0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e,
6bd801
+  0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd,
6bd801
+  0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21,
6bd801
+  0x89, 0xa0, 0x55, 0xf7
6bd801
+};
6bd801
+unsigned int certificate_eku_der_len = 916;