From: David Woodhouse Date: Fri, 4 May 2018 11:30:22 +0000 (+0100) Subject: Trust Amazon certificates X-Git-Tag: v0.91~7 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=b8f5a0047c9ac202ca4b77d271978a44ed26b84d;p=pidgin-chime.git Trust Amazon certificates Some of the media endpoints have certificates issued by the Amazon internal CA. Trust them. Might as well have the Amazon public trust roots too, just for good measure.
---
diff --git a/Makefile.am b/Makefile.am
index f7f8872..2ccd27d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,6 +7,14 @@ endif
 AM_CPPFLAGS = @WFLAGS@
+pkgdata_DATA = certs/Amazon.com_InfoSec_CA_G3.pem \
+ certs/Amazon.com_Internal_Root_Certificate_Authority.pem \
+ certs/Amazon_Root_CA_1.pem \
+ certs/Amazon_Root_CA_2.pem \
+ certs/Amazon_Root_CA_3.pem \
+ certs/Amazon_Root_CA_4.pem \
+ certs/SFS_Root_CA_G2.pem
+
 purple_plugin_LTLIBRARIES = libchimeprpl.la
 PROTOBUF_SRCS = protobuf/auth_message.pb-c.c protobuf/auth_message.pb-c.h \
@@ -21,7 +29,7 @@ WEBSOCKET_SRCS = chime/chime-websocket-connection.c chime/chime-websocket-connec
 chime/chime-websocket.c
 CHIME_SRCS = chime/chime-connection.c chime/chime-connection.h \
- chime/chime-connection-private.h \
+ chime/chime-connection-private.h chime/chime-certs.c \
 chime/chime-contact.c chime/chime-contact.h \
 chime/chime-room.c chime/chime-room.h \
 chime/chime-conversation.c chime/chime-conversation.h \
@@ -42,7 +50,7 @@ chime_get_token_LDADD = libchime.la
 noinst_LTLIBRARIES = libchime.la
 libchime_la_SOURCES = $(CHIME_SRCS) $(WEBSOCKET_SRCS) $(PROTOBUF_SRCS)
-libchime_la_CFLAGS = $(SOUP_CFLAGS) $(JSON_CFLAGS) $(LIBXML_CFLAGS) $(PROTOBUF_CFLAGS) $(GSTREAMER_CFLAGS) $(GSTRTP_CFLAGS) $(GSTAPP_CFLAGS) $(GSTVIDEO_CFLAGS) $(GNUTLS_CFLAGS) -Ichime
+libchime_la_CFLAGS = $(SOUP_CFLAGS) $(JSON_CFLAGS) $(LIBXML_CFLAGS) $(PROTOBUF_CFLAGS) $(GSTREAMER_CFLAGS) $(GSTRTP_CFLAGS) $(GSTAPP_CFLAGS) $(GSTVIDEO_CFLAGS) $(GNUTLS_CFLAGS) -Ichime -DCHIME_DATADIR=\"$(pkgdatadir)\"
 libchime_la_LIBADD = $(SOUP_LIBS) $(JSON_LIBS) $(LIBXML_LIBS) $(PROTOBUF_LIBS) $(GSTREAMER_LIBS) $(GSTRTP_LIBS) $(GSTAPP_LIBS) $(GSTVIDEO_LIBS) $(GNUTLS_LIBS)
 libchime_la_LDFLAGS = -module -avoid-version -no-undefined
diff --git a/certs/Amazon.com_InfoSec_CA_G3.pem b/certs/Amazon.com_InfoSec_CA_G3.pem
new file mode 100644
index 0000000..2137f1f
--- /dev/null
+++ b/certs/Amazon.com_InfoSec_CA_G3.pem
@@ -0,0 +1,103 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 61:25:1e:80:00:00:00:00:00:1c + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Amazon.com Internal Root Certificate Authority + Validity + Not Before: Feb 13 22:14:35 2015 GMT + Not After : Feb 13 22:24:35 2020 GMT + Subject: DC = com, DC = amazon, DC = ant, CN = Amazon.com InfoSec CA G3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b7:77:6e:93:ed:33:75:89:99:5e:eb:81:d4:98: + d6:b4:59:ee:37:a7:7d:75:73:37:19:a5:a6:18:27: + 80:7e:2e:ae:f4:0d:73:d2:ba:a7:0c:98:f0:5e:40: + 08:18:c0:3d:f6:4c:cc:cc:50:ba:7c:ea:51:93:46: + ef:75:63:38:57:29:20:1e:68:54:6c:9e:cf:c9:14: + bd:12:d3:43:22:12:ea:2c:66:a0:eb:9c:46:91:43: + 03:2e:a9:10:61:f2:6a:83:f0:b9:f2:26:05:e2:cd: + 33:ea:be:97:4d:3b:c0:b9:cf:33:b8:c1:66:c7:12: + 69:0d:d6:6a:c3:76:ec:a5:d4:f3:67:bd:3e:f1:96: + 42:40:95:2f:54:bd:39:2a:b3:37:9f:d9:b0:35:ad: + 7e:f2:4d:77:53:b9:ba:64:d8:2f:c9:d2:20:a9:a0: + d4:fd:c0:ba:08:ab:ed:43:0d:2e:59:c4:68:45:26: + 47:82:51:c8:ab:88:0b:95:3e:89:33:8c:56:8b:f3: + a7:49:4c:5a:c2:11:34:b7:ef:89:b2:f3:76:c1:25: + 3e:a5:01:05:98:94:d7:ea:c3:37:e4:ea:c9:39:64: + f5:f8:5d:41:fa:4d:41:dc:68:ed:9d:12:f1:b1:30: + cc:e2:b3:97:79:e6:c2:52:f7:8c:c8:91:85:54:31: + 5a:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + 1.3.6.1.4.1.311.21.1: + ..... + 1.3.6.1.4.1.311.21.2: + ..@....T..1...>....KEH + X509v3 Subject Key Identifier: + 82:5A:69:A8:49:9D:64:CB:14:36:B3:61:5B:93:71:A7:F0:11:C8:0C + 1.3.6.1.4.1.311.20.2: + . 
+.S.u.b.C.A + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:7F:8D:B1:4E:4C:A2:98:0A:DC:8B:27:BF:62:05:69:3C:25:12:B3:C2 + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://pki.amazon.com/crl/Amazon.com%20Internal%20Root%20Certificate%20Authority.crl + + Authority Information Access: + CA Issuers - URI:http://pki.amazon.com/crt/Amazon.com%20Internal%20Root%20Certificate%20Authority.crt + + Signature Algorithm: sha256WithRSAEncryption + ce:a5:e5:7d:fa:e7:94:54:93:b8:c9:7b:98:8c:f3:af:83:28: + 7d:1e:4a:76:1e:5b:dc:b6:50:54:82:6d:c3:e7:3d:8a:c3:8f: + 7f:81:58:5d:7d:86:50:f3:af:c8:17:ba:46:b7:62:cb:84:cc: + 0a:f3:51:1a:ce:83:f8:7a:a8:88:4c:31:1f:4c:8c:d3:54:46: + ab:56:e6:c3:81:bf:98:9e:a1:6f:a5:cf:a8:6c:92:0d:79:8b: + 6c:b1:f7:c3:e2:41:4f:db:a2:2a:34:57:90:41:4d:82:16:30: + 79:31:46:f0:47:e2:cf:73:99:67:c1:f5:48:82:09:65:1b:86: + e2:42:c1:81:5f:7d:23:5d:a2:aa:71:74:a0:4a:e7:a2:ac:17: + 5b:e7:1e:02:54:16:35:8b:df:14:6e:db:ff:6a:f1:8b:c9:ee: + af:b4:44:7e:8e:90:36:25:ab:e7:b2:da:b4:4a:84:08:5a:87: + 4d:8e:35:04:a8:46:31:8f:af:01:d2:10:be:73:aa:65:68:24: + 26:58:ad:cb:39:64:20:17:ca:5a:29:7b:1e:d0:84:f3:04:52: + b2:a6:08:49:01:f3:49:ec:98:c9:1b:5b:26:5e:86:45:49:85: + 47:c0:8a:09:a9:3d:44:52:0d:8e:04:71:03:eb:43:4e:b7:37: + 8b:c3:f3:40 +-----BEGIN CERTIFICATE----- +MIIEszCCA5ugAwIBAgIKYSUegAAAAAAAHDANBgkqhkiG9w0BAQsFADA5MTcwNQYD +VQQDEy5BbWF6b24uY29tIEludGVybmFsIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9y +aXR5MB4XDTE1MDIxMzIyMTQzNVoXDTIwMDIxMzIyMjQzNVowZTETMBEGCgmSJomT +8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBmFtYXpvbjETMBEGCgmSJomT8ixk +ARkWA2FudDEhMB8GA1UEAxMYQW1hem9uLmNvbSBJbmZvU2VjIENBIEczMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3duk+0zdYmZXuuB1JjWtFnuN6d9 +dXM3GaWmGCeAfi6u9A1z0rqnDJjwXkAIGMA99kzMzFC6fOpRk0bvdWM4VykgHmhU +bJ7PyRS9EtNDIhLqLGag65xGkUMDLqkQYfJqg/C58iYF4s0z6r6XTTvAuc8zuMFm +xxJpDdZqw3bspdTzZ70+8ZZCQJUvVL05KrM3n9mwNa1+8k13U7m6ZNgvydIgqaDU 
+/cC6CKvtQw0uWcRoRSZHglHIq4gLlT6JM4xWi/OnSUxawhE0t++JsvN2wSU+pQEF +mJTX6sM35OrJOWT1+F1B+k1B3GjtnRLxsTDM4rOXeebCUveMyJGFVDFa0wIDAQAB +o4IBjzCCAYswEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUQJMa +85RU9cQxCLoZPo3aih1LRUgwHQYDVR0OBBYEFIJaaahJnWTLFDazYVuTcafwEcgM +MBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMB +Af8EBTADAQH/MB8GA1UdIwQYMBaAFH+NsU5MopgK3Isnv2IFaTwlErPCMGUGA1Ud +HwReMFwwWqBYoFaGVGh0dHA6Ly9wa2kuYW1hem9uLmNvbS9jcmwvQW1hem9uLmNv +bSUyMEludGVybmFsJTIwUm9vdCUyMENlcnRpZmljYXRlJTIwQXV0aG9yaXR5LmNy +bDBwBggrBgEFBQcBAQRkMGIwYAYIKwYBBQUHMAKGVGh0dHA6Ly9wa2kuYW1hem9u +LmNvbS9jcnQvQW1hem9uLmNvbSUyMEludGVybmFsJTIwUm9vdCUyMENlcnRpZmlj +YXRlJTIwQXV0aG9yaXR5LmNydDANBgkqhkiG9w0BAQsFAAOCAQEAzqXlffrnlFST +uMl7mIzzr4MofR5Kdh5b3LZQVIJtw+c9isOPf4FYXX2GUPOvyBe6Rrdiy4TMCvNR +Gs6D+HqoiEwxH0yM01RGq1bmw4G/mJ6hb6XPqGySDXmLbLH3w+JBT9uiKjRXkEFN +ghYweTFG8Efiz3OZZ8H1SIIJZRuG4kLBgV99I12iqnF0oErnoqwXW+ceAlQWNYvf +FG7b/2rxi8nur7REfo6QNiWr57LatEqECFqHTY41BKhGMY+vAdIQvnOqZWgkJlit +yzlkIBfKWil7HtCE8wRSsqYISQHzSeyYyRtbJl6GRUmFR8CKCak9RFINjgRxA+tD +Trc3i8PzQA== +-----END CERTIFICATE----- diff --git a/certs/Amazon.com_Internal_Root_Certificate_Authority.pem b/certs/Amazon.com_Internal_Root_Certificate_Authority.pem new file mode 100644 index 0000000..31693de --- /dev/null +++ b/certs/Amazon.com_Internal_Root_Certificate_Authority.pem 
@@ -0,0 +1,89 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 57:87:14:f0:8d:e1:d9:ab:4a:25:7a:e5:d7:ae:fe:21 + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN = Amazon.com Internal Root Certificate Authority + Validity + Not Before: Aug 30 18:02:25 2007 GMT + Not After : Aug 30 18:10:59 2027 GMT + Subject: CN = Amazon.com Internal Root Certificate Authority + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ee:81:87:46:9c:36:a3:16:05:1b:7e:be:9e:93: + 70:0f:9d:28:b2:ea:71:d4:59:41:1b:bf:12:8f:15: + ce:1e:89:66:96:70:60:60:7b:82:53:89:a9:b1:56: + 66:6e:df:21:61:f3:a9:25:14:66:01:c6:2c:70:27: + 7d:b3:a0:3e:7a:35:f5:a5:b9:b8:6f:d9:f7:8c:40: + 5c:71:28:a3:a2:2b:77:59:48:80:cb:6c:6a:82:32: + f2:0b:0d:6f:e1:60:72:c6:2f:af:eb:14:31:4f:61: + b4:9b:b3:b9:89:2f:11:41:99:67:72:08:5b:df:a4: + 31:44:30:37:0f:54:e1:4d:c3:81:04:40:be:d3:82: + 63:e7:e6:5a:16:be:d8:24:48:0b:9e:e4:42:20:a4: + 47:0a:c3:2f:3a:ca:5a:6f:ce:af:ce:8f:f1:84:5a: + a0:fc:b1:70:14:9e:15:8b:81:29:ba:af:58:ec:00: + a9:64:d6:d9:9a:2a:c6:96:06:33:02:e1:f8:92:83: + c6:6a:d4:92:3f:09:0f:85:72:46:79:9c:79:22:08: + 1c:ed:cd:61:18:a7:59:bb:b8:14:01:05:c6:7f:fa: + 5d:aa:77:3f:77:bb:fe:df:0f:19:b2:20:22:04:e1: + e9:c6:af:9c:53:59:2b:fd:30:33:70:41:07:7d:60: + b8:7d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 7F:8D:B1:4E:4C:A2:98:0A:DC:8B:27:BF:62:05:69:3C:25:12:B3:C2 + 1.3.6.1.4.1.311.21.1: + ... 
+ X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.4843.200.1.1.1 + User Notice: + Explicit Text: + CPS: http://pki.amazon.com/cps/ + + Signature Algorithm: sha1WithRSAEncryption + 74:01:6e:9e:3d:96:90:f3:79:9c:13:d1:2d:76:e7:35:69:2a: + 78:9e:f2:d4:a0:9d:8d:00:8d:6f:e1:40:c1:dc:0d:22:06:08: + 0d:a3:d5:df:12:c7:e2:9f:fb:49:a1:79:16:b8:7c:6d:07:9b: + 9c:64:d0:16:dd:99:5e:b5:74:1f:5b:70:c0:6d:65:6b:e6:40: + 19:4e:fe:21:fe:ef:fd:3a:a0:15:64:23:ae:c5:83:14:66:a7: + f0:26:23:f2:6e:6e:31:8f:d7:67:96:5e:85:f6:61:7b:52:be: + 48:ec:3f:8f:5f:e3:26:b8:93:6c:13:36:b7:32:a7:09:6b:17: + 1e:7e:b2:39:d1:74:e7:f6:e0:8c:83:1a:3a:ff:1e:7a:2e:a5: + 83:e3:a0:31:ad:80:5e:e1:88:c5:f0:54:3d:54:14:73:e1:2d: + 5c:4b:42:88:ee:60:38:d2:2e:5d:c8:e7:36:9e:69:c4:4f:a7: + be:88:84:0f:18:7c:d0:89:3b:9e:ad:e0:91:84:6c:9b:2e:42: + a2:df:20:a1:7b:85:30:e8:aa:90:e2:a4:95:54:06:1f:d6:72: + 63:ac:36:24:dd:15:07:1c:5f:79:25:c5:82:1f:24:e1:e2:c6: + 9f:4c:77:13:11:33:56:c7:c1:7d:31:65:a5:17:de:a0:67:80: + 7c:fc:e4:65 +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIQV4cU8I3h2atKJXrl167+ITANBgkqhkiG9w0BAQUFADA5 +MTcwNQYDVQQDEy5BbWF6b24uY29tIEludGVybmFsIFJvb3QgQ2VydGlmaWNhdGUg +QXV0aG9yaXR5MB4XDTA3MDgzMDE4MDIyNVoXDTI3MDgzMDE4MTA1OVowOTE3MDUG +A1UEAxMuQW1hem9uLmNvbSBJbnRlcm5hbCBSb290IENlcnRpZmljYXRlIEF1dGhv +cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO6Bh0acNqMWBRt+ +vp6TcA+dKLLqcdRZQRu/Eo8Vzh6JZpZwYGB7glOJqbFWZm7fIWHzqSUUZgHGLHAn +fbOgPno19aW5uG/Z94xAXHEoo6Ird1lIgMtsaoIy8gsNb+FgcsYvr+sUMU9htJuz +uYkvEUGZZ3IIW9+kMUQwNw9U4U3DgQRAvtOCY+fmWha+2CRIC57kQiCkRwrDLzrK +Wm/Or86P8YRaoPyxcBSeFYuBKbqvWOwAqWTW2ZoqxpYGMwLh+JKDxmrUkj8JD4Vy +RnmceSIIHO3NYRinWbu4FAEFxn/6Xap3P3e7/t8PGbIgIgTh6cavnFNZK/0wM3BB +B31guH0CAwEAAaOCAREwggENMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBR/jbFOTKKYCtyLJ79iBWk8JRKzwjAQBgkrBgEEAYI3FQEEAwIB +ADCBuwYDVR0gBIGzMIGwMIGtBgwrBgEEAaVrgUgBAQEwgZwwcgYIKwYBBQUHAgIw +Zh5kAEEAbQBhAHoAbwBuAC4AYwBvAG0AIABJAG4AdABlAHIAbgBhAGwAIABDAGUA 
+cgB0AGkAZgBpAGMAYQB0AGUAIABQAHIAYQBjAHQAaQBjAGUAIABTAHQAYQB0AGUA +bQBlAG4AdDAmBggrBgEFBQcCARYaaHR0cDovL3BraS5hbWF6b24uY29tL2Nwcy8w +DQYJKoZIhvcNAQEFBQADggEBAHQBbp49lpDzeZwT0S125zVpKnie8tSgnY0AjW/h +QMHcDSIGCA2j1d8Sx+Kf+0mheRa4fG0Hm5xk0BbdmV61dB9bcMBtZWvmQBlO/iH+ +7/06oBVkI67FgxRmp/AmI/JubjGP12eWXoX2YXtSvkjsP49f4ya4k2wTNrcypwlr +Fx5+sjnRdOf24IyDGjr/HnoupYPjoDGtgF7hiMXwVD1UFHPhLVxLQojuYDjSLl3I +5zaeacRPp76IhA8YfNCJO56t4JGEbJsuQqLfIKF7hTDoqpDipJVUBh/WcmOsNiTd +FQccX3klxYIfJOHixp9MdxMRM1bHwX0xZaUX3qBngHz85GU= +-----END CERTIFICATE----- diff --git a/certs/Amazon_Root_CA_1.pem b/certs/Amazon_Root_CA_1.pem new file mode 100644 index 0000000..5454eac --- /dev/null +++ b/certs/Amazon_Root_CA_1.pem 
@@ -0,0 +1,77 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = Amazon, CN = Amazon Root CA 1 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : Jan 17 00:00:00 2038 GMT + Subject: C = US, O = Amazon, CN = Amazon Root CA 1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b2:78:80:71:ca:78:d5:e3:71:af:47:80:50:74: + 7d:6e:d8:d7:88:76:f4:99:68:f7:58:21:60:f9:74: + 84:01:2f:ac:02:2d:86:d3:a0:43:7a:4e:b2:a4:d0: + 36:ba:01:be:8d:db:48:c8:07:17:36:4c:f4:ee:88: + 23:c7:3e:eb:37:f5:b5:19:f8:49:68:b0:de:d7:b9: + 76:38:1d:61:9e:a4:fe:82:36:a5:e5:4a:56:e4:45: + e1:f9:fd:b4:16:fa:74:da:9c:9b:35:39:2f:fa:b0: + 20:50:06:6c:7a:d0:80:b2:a6:f9:af:ec:47:19:8f: + 50:38:07:dc:a2:87:39:58:f8:ba:d5:a9:f9:48:67: + 30:96:ee:94:78:5e:6f:89:a3:51:c0:30:86:66:a1: + 45:66:ba:54:eb:a3:c3:91:f9:48:dc:ff:d1:e8:30: + 2d:7d:2d:74:70:35:d7:88:24:f7:9e:c4:59:6e:bb: + 73:87:17:f2:32:46:28:b8:43:fa:b7:1d:aa:ca:b4: + f2:9f:24:0e:2d:4b:f7:71:5c:5e:69:ff:ea:95:02: + cb:38:8a:ae:50:38:6f:db:fb:2d:62:1b:c5:c7:1e: + 54:e1:77:e0:67:c8:0f:9c:87:23:d6:3f:40:20:7f: + 20:80:c4:80:4c:3e:3b:24:26:8e:04:ae:6c:9a:c8: + aa:0d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08 + Signature Algorithm: sha256WithRSAEncryption + 98:f2:37:5a:41:90:a1:1a:c5:76:51:28:20:36:23:0e:ae:e6: + 28:bb:aa:f8:94:ae:48:a4:30:7f:1b:fc:24:8d:4b:b4:c8:a1: + 97:f6:b6:f1:7a:70:c8:53:93:cc:08:28:e3:98:25:cf:23:a4: + f9:de:21:d3:7c:85:09:ad:4e:9a:75:3a:c2:0b:6a:89:78:76: + 44:47:18:65:6c:8d:41:8e:3b:7f:9a:cb:f4:b5:a7:50:d7:05: + 2c:37:e8:03:4b:ad:e9:61:a0:02:6e:f5:f2:f0:c5:b2:ed:5b: + 
b7:dc:fa:94:5c:77:9e:13:a5:7f:52:ad:95:f2:f8:93:3b:de: + 8b:5c:5b:ca:5a:52:5b:60:af:14:f7:4b:ef:a3:fb:9f:40:95: + 6d:31:54:fc:42:d3:c7:46:1f:23:ad:d9:0f:48:70:9a:d9:75: + 78:71:d1:72:43:34:75:6e:57:59:c2:02:5c:26:60:29:cf:23: + 19:16:8e:88:43:a5:d4:e4:cb:08:fb:23:11:43:e8:43:29:72: + 62:a1:a9:5d:5e:08:d4:90:ae:b8:d8:ce:14:c2:d0:55:f2:86: + f6:c4:93:43:77:66:61:c0:b9:e8:41:d7:97:78:60:03:6e:4a: + 72:ae:a5:d1:7d:ba:10:9e:86:6c:1b:8a:b9:59:33:f8:eb:c4: + 90:be:f1:b9 +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 +VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- diff --git a/certs/Amazon_Root_CA_2.pem b/certs/Amazon_Root_CA_2.pem new file mode 100644 index 0000000..6916c07 --- /dev/null +++ b/certs/Amazon_Root_CA_2.pem 
@@ -0,0 +1,119 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 + Signature Algorithm: sha384WithRSAEncryption + Issuer: C = US, O = Amazon, CN = Amazon Root CA 2 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C = US, O = Amazon, CN = Amazon Root CA 2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:ad:96:9f:2d:9c:4a:4c:4a:81:79:51:99:ec:8a: + cb:6b:60:51:13:bc:4d:6d:06:fc:b0:08:8d:dd:19: + 10:6a:c7:26:0c:35:d8:c0:6f:20:84:e9:94:b1:9b: + 85:03:c3:5b:db:4a:e8:c8:f8:90:76:d9:5b:4f:e3: + 4c:e8:06:36:4d:cc:9a:ac:3d:0c:90:2b:92:d4:06: + 19:60:ac:37:44:79:85:81:82:ad:5a:37:e0:0d:cc: + 9d:a6:4c:52:76:ea:43:9d:b7:04:d1:50:f6:55:e0: + d5:d2:a6:49:85:e9:37:e9:ca:7e:ae:5c:95:4d:48: + 9a:3f:ae:20:5a:6d:88:95:d9:34:b8:52:1a:43:90: + b0:bf:6c:05:b9:b6:78:b7:ea:d0:e4:3a:3c:12:53: + 62:ff:4a:f2:7b:be:35:05:a9:12:34:e3:f3:64:74: + 62:2c:3d:00:49:5a:28:fe:32:44:bb:87:dd:65:27: + 02:71:3b:da:4a:f7:1f:da:cd:f7:21:55:90:4f:0f: + ec:ae:82:e1:9f:6b:d9:45:d3:bb:f0:5f:87:ed:3c: + 2c:39:86:da:3f:de:ec:72:55:eb:79:a3:ad:db:dd: + 7c:b0:ba:1c:ce:fc:de:4f:35:76:cf:0f:f8:78:1f: + 6a:36:51:46:27:61:5b:e9:9e:cf:f0:a2:55:7d:7c: + 25:8a:6f:2f:b4:c5:cf:84:2e:2b:fd:0d:51:10:6c: + fb:5f:1b:bc:1b:7e:c5:ae:3b:98:01:31:92:ff:0b: + 57:f4:9a:b2:b9:57:e9:ab:ef:0d:76:d1:f0:ee:f4: + ce:86:a7:e0:6e:e9:b4:69:a1:df:69:f6:33:c6:69: + 2e:97:13:9e:a5:87:b0:57:10:81:37:c9:53:b3:bb: + 7f:f6:92:d1:9c:d0:18:f4:92:6e:da:83:4f:a6:63: + 99:4c:a5:fb:5e:ef:21:64:7a:20:5f:6c:64:85:15: + cb:37:e9:62:0c:0b:2a:16:dc:01:2e:32:da:3e:4b: + f5:9e:3a:f6:17:40:94:ef:9e:91:08:86:fa:be:63: + a8:5a:33:ec:cb:74:43:95:f9:6c:69:52:36:c7:29: + 6f:fc:55:03:5c:1f:fb:9f:bd:47:eb:e7:49:47:95: + 0b:4e:89:22:09:49:e0:f5:61:1e:f1:bf:2e:8a:72: + 6e:80:59:ff:57:3a:f9:75:32:a3:4e:5f:ec:ed:28: + 62:d9:4d:73:f2:cc:81:17:60:ed:cd:eb:dc:db:a7: + 
ca:c5:7e:02:bd:f2:54:08:54:fd:b4:2d:09:2c:17: + 54:4a:98:d1:54:e1:51:67:08:d2:ed:6e:7e:6f:3f: + d2:2d:81:59:29:66:cb:90:39:95:11:1e:74:27:fe: + dd:eb:af + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + B0:0C:F0:4C:30:F4:05:58:02:48:FD:33:E5:52:AF:4B:84:E3:66:52 + Signature Algorithm: sha384WithRSAEncryption + aa:a8:80:8f:0e:78:a3:e0:a2:d4:cd:e6:f5:98:7a:3b:ea:00: + 03:b0:97:0e:93:bc:5a:a8:f6:2c:8c:72:87:a9:b1:fc:7f:73: + fd:63:71:78:a5:87:59:cf:30:e1:0d:10:b2:13:5a:6d:82:f5: + 6a:e6:80:9f:a0:05:0b:68:e4:47:6b:c7:6a:df:b6:fd:77:32: + 72:e5:18:fa:09:f4:a0:93:2c:5d:d2:8c:75:85:76:65:90:0c: + 03:79:b7:31:23:63:ad:78:83:09:86:68:84:ca:ff:f9:cf:26: + 9a:92:79:e7:cd:4b:c5:e7:61:a7:17:cb:f3:a9:12:93:93:6b: + a7:e8:2f:53:92:c4:60:58:b0:cc:02:51:18:5b:85:8d:62:59: + 63:b6:ad:b4:de:9a:fb:26:f7:00:27:c0:5d:55:37:74:99:c9: + 50:7f:e3:59:2e:44:e3:2c:25:ee:ec:4c:32:77:b4:9f:1a:e9: + 4b:5d:20:c5:da:fd:1c:87:16:c6:43:e8:d4:bb:26:9a:45:70: + 5e:a9:0b:37:53:e2:46:7b:27:fd:e0:46:f2:89:b7:cc:42:b6: + cb:28:26:6e:d9:a5:c9:3a:c8:41:13:60:f7:50:8c:15:ae:b2: + 6d:1a:15:1a:57:78:e6:92:2a:d9:65:90:82:3f:6c:02:af:ae: + 12:3a:27:96:36:04:d7:1d:a2:80:63:a9:9b:f1:e5:ba:b4:7c: + 14:b0:4e:c9:b1:1f:74:5f:38:f6:51:ea:9b:fa:2c:a2:11:d4: + a9:2d:27:1a:45:b1:af:b2:4e:71:0d:c0:58:46:d6:69:06:cb: + 53:cb:b3:fe:6b:41:cd:41:7e:7d:4c:0f:7c:72:79:7a:59:cd: + 5e:4a:0e:ac:9b:a9:98:73:79:7c:b4:f4:cc:b9:b8:07:0c:b2: + 74:5c:b8:c7:6f:88:a1:90:a7:f4:aa:f9:bf:67:3a:f4:1a:15: + 62:1e:b7:9f:be:3d:b1:29:af:67:a1:12:f2:58:10:19:53:03: + 30:1b:b8:1a:89:f6:9c:bd:97:03:8e:a3:09:f3:1d:8b:21:f1: + b4:df:e4:1c:d1:9f:65:02:06:ea:5c:d6:13:b3:84:ef:a2:a5: + 5c:8c:77:29:a7:68:c0:6b:ae:40:d2:a8:b4:ea:cd:f0:8d:4b: + 38:9c:19:9a:1b:28:54:b8:89:90:ef:ca:75:81:3e:1e:f2:64: + 24:c7:18:af:4e:ff:47:9e:07:f6:35:65:a4:d3:0a:56:ff:f5: + 
17:64:6c:ef:a8:22:25:49:93:b6:df:00:17:da:58:7e:5d:ee: + c5:1b:b0:d1:d1:5f:21:10:c7:f9:f3:ba:02:0a:27:07:c5:f1: + d6:c7:d3:e0:fb:09:60:6c +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK +gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ +W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg +1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K +8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r +2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me +z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR +8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj +mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz +7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6 ++XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI +0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm +UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2 +LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY ++gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS +k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl +7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm +btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl +urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+ +fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63 +n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE +76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H 
+9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT +4PsJYGw= +-----END CERTIFICATE----- diff --git a/certs/Amazon_Root_CA_3.pem b/certs/Amazon_Root_CA_3.pem new file mode 100644 index 0000000..3b7dc73 --- /dev/null +++ b/certs/Amazon_Root_CA_3.pem 
@@ -0,0 +1,46 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, O = Amazon, CN = Amazon Root CA 3 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C = US, O = Amazon, CN = Amazon Root CA 3 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:29:97:a7:c6:41:7f:c0:0d:9b:e8:01:1b:56:c6: + f2:52:a5:ba:2d:b2:12:e8:d2:2e:d7:fa:c9:c5:d8: + aa:6d:1f:73:81:3b:3b:98:6b:39:7c:33:a5:c5:4e: + 86:8e:80:17:68:62:45:57:7d:44:58:1d:b3:37:e5: + 67:08:eb:66:de + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + AB:B6:DB:D7:06:9E:37:AC:30:86:07:91:70:C7:9C:C4:19:B1:78:C0 + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e0:85:92:a3:17:b7:8d:f9:2b:06:a5:93:ac: + 1a:98:68:61:72:fa:e1:a1:d0:fb:1c:78:60:a6:43:99:c5:b8: + c4:02:21:00:9c:02:ef:f1:94:9c:b3:96:f9:eb:c6:2a:f8:b6: + 2c:fe:3a:90:14:16:d7:8c:63:24:48:1c:df:30:7d:d5:68:3b +-----BEGIN CERTIFICATE----- +MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl +ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j +QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr +ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr +BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM +YyRIHN8wfdVoOw== +-----END CERTIFICATE----- 
diff --git a/certs/Amazon_Root_CA_4.pem b/certs/Amazon_Root_CA_4.pem new file mode 100644 index 0000000..ff626aa --- /dev/null +++ b/certs/Amazon_Root_CA_4.pem 
@@ -0,0 +1,51 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C = US, O = Amazon, CN = Amazon Root CA 4 + Validity + Not Before: May 26 00:00:00 2015 GMT + Not After : May 26 00:00:00 2040 GMT + Subject: C = US, O = Amazon, CN = Amazon Root CA 4 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:d2:ab:8a:37:4f:a3:53:0d:fe:c1:8a:7b:4b:a8: + 7b:46:4b:63:b0:62:f6:2d:1b:db:08:71:21:d2:00: + e8:63:bd:9a:27:fb:f0:39:6e:5d:ea:3d:a5:c9:81: + aa:a3:5b:20:98:45:5d:16:db:fd:e8:10:6d:e3:9c: + e0:e3:bd:5f:84:62:f3:70:64:33:a0:cb:24:2f:70: + ba:88:a1:2a:a0:75:f8:81:ae:62:06:c4:81:db:39: + 6e:29:b0:1e:fa:2e:5c + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + D3:EC:C7:3A:65:6E:CC:E1:DA:76:9A:56:FB:9C:F3:86:6D:57:E5:81 + Signature Algorithm: ecdsa-with-SHA384 + 30:65:02:30:3a:8b:21:f1:bd:7e:11:ad:d0:ef:58:96:2f:d6: + eb:9d:7e:90:8d:2b:cf:66:55:c3:2c:e3:28:a9:70:0a:47:0e: + f0:37:59:12:ff:2d:99:94:28:4e:2a:4f:35:4d:33:5a:02:31: + 00:ea:75:00:4e:3b:c4:3a:94:12:91:c9:58:46:9d:21:13:72: + a7:88:9c:8a:e4:4c:4a:db:96:d4:ac:8b:6b:6b:49:12:53:33: + ad:d7:e4:be:24:fc:b5:0a:76:d4:a5:bc:10 +-----BEGIN CERTIFICATE----- +MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5 +MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g +Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG +A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg +Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi +9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk +M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB 
+MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw +CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW +1KyLa2tJElMzrdfkviT8tQp21KW8EA== +-----END CERTIFICATE----- diff --git a/certs/SFS_Root_CA_G2.pem b/certs/SFS_Root_CA_G2.pem new file mode 100644 index 0000000..c4c0292 --- /dev/null +++ b/certs/SFS_Root_CA_G2.pem 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 + Validity + Not Before: Sep 1 00:00:00 2009 GMT + Not After : Dec 31 23:59:59 2037 GMT + Subject: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:0c:3a:c4:2a:f9:4e:e2:f5:be:19:97:5f:8e: + 88:53:b1:1f:3f:cb:cf:9f:20:13:6d:29:3a:c8:0f: + 7d:3c:f7:6b:76:38:63:d9:36:60:a8:9b:5e:5c:00: + 80:b2:2f:59:7f:f6:87:f9:25:43:86:e7:69:1b:52: + 9a:90:e1:71:e3:d8:2d:0d:4e:6f:f6:c8:49:d9:b6: + f3:1a:56:ae:2b:b6:74:14:eb:cf:fb:26:e3:1a:ba: + 1d:96:2e:6a:3b:58:94:89:47:56:ff:25:a0:93:70: + 53:83:da:84:74:14:c3:67:9e:04:68:3a:df:8e:40: + 5a:1d:4a:4e:cf:43:91:3b:e7:56:d6:00:70:cb:52: + ee:7b:7d:ae:3a:e7:bc:31:f9:45:f6:c2:60:cf:13: + 59:02:2b:80:cc:34:47:df:b9:de:90:65:6d:02:cf: + 2c:91:a6:a6:e7:de:85:18:49:7c:66:4e:a3:3a:6d: + a9:b5:ee:34:2e:ba:0d:03:b8:33:df:47:eb:b1:6b: + 8d:25:d9:9b:ce:81:d1:45:46:32:96:70:87:de:02: + 0e:49:43:85:b6:6c:73:bb:64:ea:61:41:ac:c9:d4: + 54:df:87:2f:c7:22:b2:26:cc:9f:59:54:68:9f:fc: + be:2a:2f:c4:55:1c:75:40:60:17:85:02:55:39:8b: + 7f:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 9C:5F:00:DF:AA:01:D7:30:2B:38:88:A2:B8:6D:4A:9C:F2:11:91:83 + Signature Algorithm: sha256WithRSAEncryption + 4b:36:a6:84:77:69:dd:3b:19:9f:67:23:08:6f:0e:61:c9:fd: + 84:dc:5f:d8:36:81:cd:d8:1b:41:2d:9f:60:dd:c7:1a:68:d9: + d1:6e:86:e1:88:23:cf:13:de:43:cf:e2:34:b3:04:9d:1f:29: + d5:bf:f8:5e:c8:d5:c1:bd:ee:92:6f:32:74:f2:91:82:2f:bd: + 
82:42:7a:ad:2a:b7:20:7d:4d:bc:7a:55:12:c2:15:ea:bd:f7: + 6a:95:2e:6c:74:9f:cf:1c:b4:f2:c5:01:a3:85:d0:72:3e:ad: + 73:ab:0b:9b:75:0c:6d:45:b7:8e:94:ac:96:37:b5:a0:d0:8f: + 15:47:0e:e3:e8:83:dd:8f:fd:ef:41:01:77:cc:27:a9:62:85: + 33:f2:37:08:ef:71:cf:77:06:de:c8:19:1d:88:40:cf:7d:46: + 1d:ff:1e:c7:e1:ce:ff:23:db:c6:fa:8d:55:4e:a9:02:e7:47: + 11:46:3e:f4:fd:bd:7b:29:26:bb:a9:61:62:37:28:b6:2d:2a: + f6:10:86:64:c9:70:a7:d2:ad:b7:29:70:79:ea:3c:da:63:25: + 9f:fd:68:b7:30:ec:70:fb:75:8a:b7:6d:60:67:b2:1e:c8:b9: + e9:d8:a8:6f:02:8b:67:0d:4d:26:57:71:da:20:fc:c1:4a:50: + 8d:b1:28:ba +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT +HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVs +ZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5 +MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy +ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2Vy +dmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20p +OsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm2 +8xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1K +Ts9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufe +hRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk +6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAw +DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+q +AdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMI +bw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/heyNXB +ve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1z +qwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd +iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn +0q23KXB56jzaYyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCN 
+sSi6
+-----END CERTIFICATE-----
diff --git a/chime/chime-call-transport.c b/chime/chime-call-transport.c
index b174409..fdf7373 100644
--- a/chime/chime-call-transport.c
+++ b/chime/chime-call-transport.c
@@ -457,6 +457,8 @@ static void connect_dtls(ChimeCallAudio *audio, GSocket *s)
 if (!audio->dtls_cred) {
 gnutls_certificate_allocate_credentials(&audio->dtls_cred);
 gnutls_certificate_set_x509_system_trust(audio->dtls_cred);
+ gnutls_certificate_set_x509_trust_dir(audio->dtls_cred,
+ CHIME_DATADIR, GNUTLS_X509_FMT_PEM);
 }
 gnutls_credentials_set(audio->dtls_sess, GNUTLS_CRD_CERTIFICATE, audio->dtls_cred);
diff --git a/chime/chime-certs.c b/chime/chime-certs.c
new file mode 100644
index 0000000..7544a12
--- /dev/null
+++ b/chime/chime-certs.c
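Review bot: The return value of `gnutls_certificate_set_x509_trust_dir()` on the two added lines is discarded, so if `CHIME_DATADIR` does not exist or holds no readable PEM files (an uninstalled build, a relocated prefix) the DTLS credentials silently contain only the system trust, the Amazon internal CA is never trusted, and the problem surfaces later as an opaque handshake failure. GnuTLS returns the number of certificates loaded or a negative error code, so keep it and log it: `int ncerts = gnutls_certificate_set_x509_trust_dir(audio->dtls_cred, CHIME_DATADIR, GNUTLS_X509_FMT_PEM);` followed by `if (ncerts < 0) chime_debug("Failed to load CA certs from %s: %s\n", CHIME_DATADIR, gnutls_strerror(ncerts));` (`chime_debug` is used by the other files in this commit; I cannot confirm it is in scope in this file). A comment would also help, e.g. `/* Every PEM file installed in CHIME_DATADIR becomes a DTLS trust anchor; keep only CA certificates there. */`, since this path trusts the whole directory rather than the seven files `chime_cert_list()` names explicitly. `connect_dtls` continues outside the hunk.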
@@ -0,0 +1,59 @@
+/*
+ * Pidgin/libpurple Chime client plugin
+ *
+ * Copyright © 2018 Amazon.com, Inc. or its affiliates.
+ *
+ * Authors: David Woodhouse
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include "chime-connection.h"
+#include "chime-connection-private.h"
+
+#include
+
+#define NR_CERTS 7
+
+static const char *cert_filenames[NR_CERTS] = {
+ "Amazon.com_InfoSec_CA_G3.pem",
+ "Amazon.com_Internal_Root_Certificate_Authority.pem",
+ "Amazon_Root_CA_1.pem",
+ "Amazon_Root_CA_2.pem",
+ "Amazon_Root_CA_3.pem",
+ "Amazon_Root_CA_4.pem",
+ "SFS_Root_CA_G2.pem",
+};
+
+static GTlsCertificate *certs[NR_CERTS];
+
+GSList *chime_cert_list(void)
+{
+ int i;
+ GSList *ret = NULL;
+
+ for (i=0; i < NR_CERTS; i++) {
+ if (certs[i]) {
+ g_object_ref(certs[i]);
+ } else {
+ GError *error = NULL;
+ gchar *filename = g_build_filename(CHIME_DATADIR, cert_filenames[i], NULL);
+ certs[i] = g_tls_certificate_new_from_file(filename, &error);
+ if (!certs[i]) {
+ chime_debug("Failed to load %s: %s\n", cert_filenames[1], error->message);
+ g_clear_error(&error);
+ continue;
+ }
+ g_object_add_weak_pointer(G_OBJECT(certs[i]), (gpointer *)&certs[i]);
+ }
+ ret = g_slist_prepend(ret, certs[i]);
+ }
+ return ret;
+}
diff --git a/chime/chime-connection-private.h b/chime/chime-connection-private.h
index ee59412..478a011 100644
--- a/chime/chime-connection-private.h
+++ b/chime/chime-connection-private.h
@@ -99,6 +99,7 @@ struct chime_msg {
 typedef struct {
 ChimeConnectionState state;
+ GSList *amazon_cas;
 gchar *server;
 gchar *device_token;
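Review bot: The error branch in `chime_cert_list()` logs `cert_filenames[1]` instead of `cert_filenames[i]`, so every load failure is reported as `Amazon.com_Internal_Root_Certificate_Authority.pem` no matter which file was actually missing or unparseable; change it to `chime_debug("Failed to load %s: %s\n", cert_filenames[i], error->message);`. In the same branch `filename` from `g_build_filename()` is never freed on either the success or the failure path, leaking one string per cache miss; add `g_free(filename);` directly after the `g_tls_certificate_new_from_file()` call, before the `if (!certs[i])` test. A header comment on `chime_cert_list()` should state that each list element carries one reference that the caller releases with `g_slist_free_full(list, g_object_unref)` (as `chime_connection_dispose` does in this commit) and that the `certs[]` cache is cleared through the weak pointers when the last reference goes away, since neither is obvious from the code. Finally, `Amazon.com_InfoSec_CA_G3.pem` is an intermediate issued by the internal root (Not After Feb 13 2020 in the dump), so a one-line comment on the `cert_filenames` table saying why it is shipped as an anchor alongside its root — presumably for servers that omit the intermediate — and that it will stop matching at expiry would save the next maintainer the question.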
@@ -259,4 +260,7 @@ gboolean chime_call_participant_audio_stats(ChimeCall *call, const gchar *profil /* chime-login.c */ void chime_initial_login(ChimeConnection *cxn); +/* chime-certs.c */ +GSList *chime_cert_list(void); + #endif /* __CHIME_CONNECTION_PRIVATE_H__ */ diff --git a/chime/chime-connection.c b/chime/chime-connection.c index 68de2ad..4eec651 100644 --- a/chime/chime-connection.c +++ b/chime/chime-connection.c @@ -120,6 +120,8 @@ chime_connection_dispose(GObject *object) if (priv->state != CHIME_STATE_DISCONNECTED) chime_connection_disconnect(self); + g_slist_free_full(priv->amazon_cas, g_object_unref); + priv->amazon_cas = NULL; chime_connection_log(self, CHIME_LOGLVL_MISC, "Connection disposed: %p\n", self); G_OBJECT_CLASS(chime_connection_parent_class)->dispose(object); 
@@ -306,22 +308,71 @@ void chime_connection_fail(ChimeConnection *cxn, gint code, const gchar *format, g_error_free(error); } +static void +req_started_cb(SoupSession *sess, SoupMessage *msg, SoupSocket *sock, gpointer _cxn) +{ + ChimeConnection *cxn = CHIME_CONNECTION(_cxn); + ChimeConnectionPrivate *priv = CHIME_CONNECTION_GET_PRIVATE (cxn); + + if (!soup_socket_is_ssl(sock)) + return; + + GTlsCertificateFlags cert_errors; + g_object_get(sock, "tls-errors", &cert_errors, NULL); + if (!cert_errors) + return; + + /* If the problem was *only* an unknown CA (i.e. the hostname did + * match OK, it wasn't expired, etc.) then check if it's trusted + * by the Amazon internal CA. */ + if (cert_errors == G_TLS_CERTIFICATE_UNKNOWN_CA) { + /* The identity part shouldn't be needed but there's no + * real harm in being paranoid and checking it again. */ + SoupURI *uri = soup_message_get_uri(msg); + GSocketConnectable *ident = g_network_address_new(soup_uri_get_host(uri), + soup_uri_get_port(uri)); + + GTlsCertificate *cert; + g_object_get(sock, "tls-certificate", &cert, NULL); + + GSList *l = priv->amazon_cas; + while (l && cert_errors) { + cert_errors = g_tls_certificate_verify(cert, ident, G_TLS_CERTIFICATE(l->data)); + l = l->next; + } + g_object_unref(ident); + + if (!cert_errors) { + chime_debug("Allow Amazon CA for %s\n", soup_uri_get_host(uri)); + return; + } + } + + /* Don't like the server's cert. Fail the message. 
*/ + soup_session_cancel_message(sess, msg, SOUP_STATUS_SSL_FAILED); +} + static void chime_connection_init(ChimeConnection *self) { ChimeConnectionPrivate *priv = CHIME_CONNECTION_GET_PRIVATE (self); priv->soup_sess = soup_session_new(); + priv->amazon_cas = chime_cert_list(); if (getenv("CHIME_DEBUG") && atoi(getenv("CHIME_DEBUG")) > 0) { SoupLogger *l = soup_logger_new(SOUP_LOGGER_LOG_BODY, -1); soup_session_add_feature(priv->soup_sess, SOUP_SESSION_FEATURE(l)); g_object_unref(l); - g_object_set(priv->soup_sess, "ssl-strict", FALSE, NULL); } const gchar *https_aliases[2] = { "wss", NULL }; g_object_set(priv->soup_sess, "https-aliases", https_aliases, NULL); + /* Unset ssl-strict and manually check, so that we can allow + * the Amazon internal CAs. The media endpoints may use those. */ + g_object_set(priv->soup_sess, "ssl-strict", FALSE, NULL); + g_signal_connect(G_OBJECT(priv->soup_sess), "request-started", G_CALLBACK(req_started_cb), self); + priv->msgs_pending_auth = g_queue_new(); priv->msgs_queued = g_queue_new(); priv->state = CHIME_STATE_DISCONNECTED; diff --git a/pidgin-chime.spec.in b/pidgin-chime.spec.in index bbae337..af38381 100644 --- a/pidgin-chime.spec.in +++ b/pidgin-chime.spec.in @@ -127,6 +127,9 @@ make %{?_smp_mflags} check %{_libdir}/purple-2/libchimeprpl.so %{_libdir}/farstream-0.2/libapp-transmitter.so %{_libdir}/gstreamer-1.0/libgstchime.so +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/*.pem + %defattr(-,root,root,-) %license LICENSE %doc README TODO
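Review bot: In `req_started_cb` the `cert` obtained via `g_object_get(sock, "tls-certificate", &cert, NULL)` is a new reference that is never released, so every request taking the unknown-CA path leaks a GTlsCertificate; add `g_object_unref(cert);` next to `g_object_unref(ident);` after the verify loop. Because `ssl-strict` is now FALSE for the whole session, this callback is the only thing that stops a request from proceeding on an untrusted or mismatched certificate, and that dependency is not stated at the `g_object_set` call in chime_connection_init; a comment such as `/* ssl-strict is off for the session, so req_started_cb MUST stay connected: it re-checks tls-errors and cancels the message on anything except an Amazon-CA-only failure. */` would make it harder to drop by accident. It would also be worth confirming that every request path in the plugin, including websocket connections, goes through this session and emits "request-started", since any that does not would now be unverified. chime_connection_init continues past the end of the hunk.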