Parse individual X.509 name components on Windows, rather than parsing the stringified form

On Windows, rather than converting the entire certificate 
name to a string and attempting to parse out the components 
and values, iterate through the relativeDistinguishedName 
and AttributeTypeAndValue pairs to extract each name 
component.

This is to ensure that:
1) When multiple AVAs are present in an RDN, ALL AVAs are
   parsed.
2) When converting an AVA to a string, no extra escaping is
   applied.

This also fixes domainComponent parsing on OS X, so that
unittests with a domainComponent can pass.

BUG=101009, 102839
TEST=net_unittests:X509CertificateTest has two new regression
tests. Additionally, sample a variety of SSL sites and ensure no
regressions, paying attention to internationalized domains.


Review URL: http://codereview.chromium.org/8608003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112650 0039d316-1c4b-4281-b951-d872f2087c98

6 files changed, 309 insertions, 91 deletions

diff --git a/net/base/x509_cert_types_mac.cc b/net/base/x509_cert_types_mac.cc
index 8fb0d8d..7647d93c 100644
--- a/net/base/x509_cert_types_mac.cc
+++ b/net/base/x509_cert_types_mac.cc
@@ -16,6 +16,25 @@ namespace net {
 
 namespace {
 
+// The BER encoding of 0.9.2342.19200300.100.1.25.
+// On 10.6 and later this is available as CSSMOID_DomainComponent, which is an
+// external symbol from Security.framework. However, it appears that Apple's
+// implementation improperly encoded this on 10.6+, and even still is
+// unavailable on 10.5, so simply including the raw BER here.
+//
+// Note: CSSM is allowed to store CSSM_OIDs in any arbitrary format desired,
+// as long as the symbols are properly exposed. The fact that Apple's
+// implementation stores it in BER is an internal implementation detail
+// observed by studying libsecurity_cssm.
+const uint8 kDomainComponentData[] = {
+  0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19
+};
+
+const CSSM_OID kDomainComponentOID = {
+    arraysize(kDomainComponentData),
+    const_cast<uint8*>(kDomainComponentData)
+};
+
 const CSSM_OID* kOIDs[] = {
     &CSSMOID_CommonName,
     &CSSMOID_LocalityName,
@@ -24,8 +43,8 @@ const CSSM_OID* kOIDs[] = {
     &CSSMOID_StreetAddress,
     &CSSMOID_OrganizationName,
     &CSSMOID_OrganizationalUnitName,
-    &CSSMOID_DNQualifier      // This should be "DC" but is undoubtedly wrong.
-};                            // TODO(avi): Find the right OID.
+    &kDomainComponentOID,
+};
 
 // The following structs and templates work with Apple's very arcane and under-
 // documented SecAsn1Parser API, which is apparently the same as NSS's ASN.1
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index f483362..686f20f 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -375,6 +375,56 @@ TEST(X509CertificateTest, ThawteCertParsing) {
 #endif
 }
 
+// Test that all desired AttributeAndValue pairs can be extracted when only
+// a single RelativeDistinguishedName is present. "Normally" there is only
+// one AVA per RDN, but some CAs place all AVAs within a single RDN.
+// This is a regression test for http://crbug.com/101009
+TEST(X509CertificateTest, MultivalueRDN) {
+  FilePath certs_dir = GetTestCertsDirectory();
+
+  scoped_refptr<X509Certificate> multivalue_rdn_cert =
+      ImportCertFromFile(certs_dir, "multivalue_rdn.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), multivalue_rdn_cert);
+
+  const CertPrincipal& subject = multivalue_rdn_cert->subject();
+  EXPECT_EQ("Multivalue RDN Test", subject.common_name);
+  EXPECT_EQ("", subject.locality_name);
+  EXPECT_EQ("", subject.state_or_province_name);
+  EXPECT_EQ("US", subject.country_name);
+  EXPECT_EQ(0U, subject.street_addresses.size());
+  ASSERT_EQ(1U, subject.organization_names.size());
+  EXPECT_EQ("Chromium", subject.organization_names[0]);
+  ASSERT_EQ(1U, subject.organization_unit_names.size());
+  EXPECT_EQ("Chromium net_unittests", subject.organization_unit_names[0]);
+  ASSERT_EQ(1U, subject.domain_components.size());
+  EXPECT_EQ("Chromium", subject.domain_components[0]);
+}
+
+// Test that characters which would normally be escaped in the string form,
+// such as '=' or '"', are not escaped when parsed as individual components.
+// This is a regression test for http://crbug.com/102839
+TEST(X509CertificateTest, UnescapedSpecialCharacters) {
+  FilePath certs_dir = GetTestCertsDirectory();
+
+  scoped_refptr<X509Certificate> unescaped_cert =
+      ImportCertFromFile(certs_dir, "unescaped.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), unescaped_cert);
+
+  const CertPrincipal& subject = unescaped_cert->subject();
+  EXPECT_EQ("127.0.0.1", subject.common_name);
+  EXPECT_EQ("Mountain View", subject.locality_name);
+  EXPECT_EQ("California", subject.state_or_province_name);
+  EXPECT_EQ("US", subject.country_name);
+  ASSERT_EQ(1U, subject.street_addresses.size());
+  EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]);
+  ASSERT_EQ(1U, subject.organization_names.size());
+  EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]);
+  ASSERT_EQ(2U, subject.organization_unit_names.size());
+  EXPECT_EQ("net_unittests", subject.organization_unit_names[0]);
+  EXPECT_EQ("Chromium", subject.organization_unit_names[1]);
+  EXPECT_EQ(0U, subject.domain_components.size());
+}
+
 TEST(X509CertificateTest, PaypalNullCertParsing) {
   scoped_refptr<X509Certificate> paypal_null_cert(
       X509Certificate::CreateFromBytes(
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 12acdaf..c04ff4d0 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -408,70 +408,6 @@ void GetCertPoliciesInfo(PCCERT_CONTEXT cert,
     output->reset(policies_info);
 }
 
-// Helper function to parse a principal from a WinInet description of that
-// principal.
-void ParsePrincipal(const std::string& description,
-                    CertPrincipal* principal) {
-  // The description of the principal is a string with each LDAP value on
-  // a separate line.
-  const std::string kDelimiters("\r\n");
-
-  std::vector<std::string> common_names, locality_names, state_names,
-      country_names;
-
-  // TODO(jcampan): add business_category and serial_number.
-  const std::string kPrefixes[] = { std::string("CN="),
-                                    std::string("L="),
-                                    std::string("S="),
-                                    std::string("C="),
-                                    std::string("STREET="),
-                                    std::string("O="),
-                                    std::string("OU="),
-                                    std::string("DC=") };
-
-  std::vector<std::string>* values[] = {
-      &common_names, &locality_names,
-      &state_names, &country_names,
-      &(principal->street_addresses),
-      &(principal->organization_names),
-      &(principal->organization_unit_names),
-      &(principal->domain_components) };
-  DCHECK(arraysize(kPrefixes) == arraysize(values));
-
-  StringTokenizer str_tok(description, kDelimiters);
-  while (str_tok.GetNext()) {
-    std::string entry = str_tok.token();
-    for (int i = 0; i < arraysize(kPrefixes); i++) {
-      if (!entry.compare(0, kPrefixes[i].length(), kPrefixes[i])) {
-        std::string value = entry.substr(kPrefixes[i].length());
-        // Remove enclosing double-quotes if any.
-        if (value.size() >= 2 &&
-            value[0] == '"' && value[value.size() - 1] == '"')
-          value = value.substr(1, value.size() - 2);
-        values[i]->push_back(value);
-        break;
-      }
-    }
-  }
-
-  // We don't expect to have more than one CN, L, S, and C. If there is more
-  // than one entry for CN, L, S, and C, we will use the first entry. Although
-  // RFC 2818 Section 3.1 says the "most specific" CN should be used, that term
-  // has been removed in draft-saintandre-tls-server-id-check, which requires
-  // that the Subject field contains only one CN. So it is fine for us to just
-  // use the first CN.
-  std::vector<std::string>* single_value_lists[4] = {
-      &common_names, &locality_names, &state_names, &country_names };
-  std::string* single_values[4] = {
-      &principal->common_name, &principal->locality_name,
-      &principal->state_or_province_name, &principal->country_name };
-  for (int i = 0; i < arraysize(single_value_lists); ++i) {
-    int length = static_cast<int>(single_value_lists[i]->size());
-    if (!single_value_lists[i]->empty())
-      *(single_values[i]) = (*(single_value_lists[i]))[0];
-  }
-}
-
 void AddCertsFromStore(HCERTSTORE store,
                        X509Certificate::OSCertHandles* results) {
   PCCERT_CONTEXT cert = NULL;
@@ -546,35 +482,119 @@ void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain,
   }
 }
 
+// A list of OIDs to decode. Any OID not on this list will be ignored for
+// purposes of parsing.
+const char* kOIDs[] = {
+  szOID_COMMON_NAME,
+  szOID_LOCALITY_NAME,
+  szOID_STATE_OR_PROVINCE_NAME,
+  szOID_COUNTRY_NAME,
+  szOID_STREET_ADDRESS,
+  szOID_ORGANIZATION_NAME,
+  szOID_ORGANIZATIONAL_UNIT_NAME,
+  szOID_DOMAIN_COMPONENT
+};
+
+// Converts the value for |attribute| to an ASCII string, storing the result
+// in |value|. Returns false if the string cannot be converted.
+bool GetAttributeValue(PCERT_RDN_ATTR attribute,
+                       std::string* value) {
+  DWORD bytes_needed = CertRDNValueToStrA(attribute->dwValueType,
+                                          &attribute->Value, NULL, 0);
+  if (bytes_needed == 0)
+    return false;
+  if (bytes_needed == 1) {
+    // The value is actually an empty string (bytes_needed includes a single
+    // byte for a NULL value). Don't bother converting - just clear the
+    // string.
+    value->clear();
+    return true;
+  }
+  DWORD bytes_written = CertRDNValueToStrA(
+      attribute->dwValueType, &attribute->Value,
+      WriteInto(value, bytes_needed), bytes_needed);
+  if (bytes_written <= 1)
+    return false;
+  return true;
+}
+
+// Adds a type+value pair to the appropriate vector from a C array.
+// The array is keyed by the matching OIDs from kOIDS[].
+bool AddTypeValuePair(PCERT_RDN_ATTR attribute,
+                      std::vector<std::string>* values[]) {
+  for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
+    if (strcmp(attribute->pszObjId, kOIDs[oid]) == 0) {
+      std::string value;
+      if (!GetAttributeValue(attribute, &value))
+        return false;
+      values[oid]->push_back(value);
+      break;
+    }
+  }
+  return true;
+}
+
+// Stores the first string of the vector, if any, to *single_value.
+void SetSingle(const std::vector<std::string>& values,
+               std::string* single_value) {
+  // We don't expect to have more than one CN, L, S, and C.
+  LOG_IF(WARNING, values.size() > 1) << "Didn't expect multiple values";
+  if (!values.empty())
+    *single_value = values[0];
+}
+
+bool ParsePrincipal(CERT_NAME_BLOB* name, CertPrincipal* principal) {
+  CRYPT_DECODE_PARA decode_para;
+  decode_para.cbSize = sizeof(decode_para);
+  decode_para.pfnAlloc = MyCryptAlloc;
+  decode_para.pfnFree = MyCryptFree;
+  CERT_NAME_INFO* name_info = NULL;
+  DWORD name_info_size = 0;
+  BOOL rv;
+  rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                           X509_NAME, name->pbData, name->cbData,
+                           CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
+                           &decode_para,
+                           &name_info, &name_info_size);
+  if (!rv)
+    return false;
+  scoped_ptr_malloc<CERT_NAME_INFO> scoped_name_info(name_info);
+
+  std::vector<std::string> common_names, locality_names, state_names,
+      country_names;
+
+  std::vector<std::string>* values[] = {
+      &common_names, &locality_names,
+      &state_names, &country_names,
+      &(principal->street_addresses),
+      &(principal->organization_names),
+      &(principal->organization_unit_names),
+      &(principal->domain_components)
+  };
+  DCHECK(arraysize(kOIDs) == arraysize(values));
+
+  for (DWORD cur_rdn = 0; cur_rdn < name_info->cRDN; ++cur_rdn) {
+    PCERT_RDN rdn = &name_info->rgRDN[cur_rdn];
+    for (DWORD cur_ava = 0; cur_ava < rdn->cRDNAttr; ++cur_ava) {
+      PCERT_RDN_ATTR ava = &rdn->rgRDNAttr[cur_ava];
+      if (!AddTypeValuePair(ava, values))
+        return false;
+    }
+  }
+
+  SetSingle(common_names, &principal->common_name);
+  SetSingle(locality_names, &principal->locality_name);
+  SetSingle(state_names, &principal->state_or_province_name);
+  SetSingle(country_names, &principal->country_name);
+  return true;
+}
+
 }  // namespace
 
 void X509Certificate::Initialize() {
-  std::wstring subject_info;
-  std::wstring issuer_info;
-  DWORD name_size;
   DCHECK(cert_handle_);
-  name_size = CertNameToStr(cert_handle_->dwCertEncodingType,
-                            &cert_handle_->pCertInfo->Subject,
-                            CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
-                            NULL, 0);
-  if (name_size > 1) {
-    CertNameToStr(cert_handle_->dwCertEncodingType,
-                  &cert_handle_->pCertInfo->Subject,
-                  CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
-                  WriteInto(&subject_info, name_size), name_size);
-  }
-  name_size = CertNameToStr(cert_handle_->dwCertEncodingType,
-                            &cert_handle_->pCertInfo->Issuer,
-                            CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
-                            NULL, 0);
-  if (name_size > 1) {
-    CertNameToStr(cert_handle_->dwCertEncodingType,
-                  &cert_handle_->pCertInfo->Issuer,
-                  CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
-                  WriteInto(&issuer_info, name_size), name_size);
-  }
-  ParsePrincipal(WideToUTF8(subject_info), &subject_);
-  ParsePrincipal(WideToUTF8(issuer_info), &issuer_);
+  ParsePrincipal(&cert_handle_->pCertInfo->Subject, &subject_);
+  ParsePrincipal(&cert_handle_->pCertInfo->Issuer, &issuer_);
 
   valid_start_ = Time::FromFileTime(cert_handle_->pCertInfo->NotBefore);
   valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter);
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index 42e40e6..afc395b 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -64,3 +64,11 @@ unit tests.
      different intermediate CA certificates.  The two intermediate CA
      certificates actually represent the same intermediate CA but have
      different validity periods.
+
+- multivalue_rdn.pem : A regression test for http://crbug.com/101009. A
+     certificate with all of the AttributeTypeAndValues stored within a single
+     RelativeDistinguishedName, rather than one AVA per RDN as normally seen.
+
+- unescaped.pem : Regression test for http://crbug.com/102839. Contains
+     characters such as '=' and '"' that would normally be escaped when
+     converting a subject/issuer name to their stringized form.
\ No newline at end of file
diff --git a/net/data/ssl/certificates/multivalue_rdn.pem b/net/data/ssl/certificates/multivalue_rdn.pem
new file mode 100644
index 0000000..6ffe161
--- /dev/null
+++ b/net/data/ssl/certificates/multivalue_rdn.pem
@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:6c:2f:57:d9:fd:5a:0f
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Chromium, DC=Chromium, CN=Multivalue RDN Test, OU=Chromium net_unittests
+        Validity
+            Not Before: Dec  2 03:47:39 2011 GMT
+            Not After : Jan  1 03:47:39 2012 GMT
+        Subject: C=US, O=Chromium, DC=Chromium, CN=Multivalue RDN Test, OU=Chromium net_unittests
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:9d:23:10:ed:87:82:b0:eb:a4:fb:49:f5:db:c1:
+                    7b:4d:f0:ed:1b:f5:f8:f2:c1:b5:d2:84:de:eb:94:
+                    82:f0:de:8b:04:b7:e8:ed:86:22:41:99:56:54:71:
+                    33:8e:c1:69:6a:2b:f4:77:1e:24:70:81:5b:56:08:
+                    57:02:4c:bf:af:9a:a0:33:55:e2:00:6b:b3:cc:5c:
+                    3b:47:6e:dc:05:30:bd:0c:f9:51:c0:70:2b:3f:70:
+                    a2:10:a3:b7:8b:3f:22:fa:ab:bd:c7:48:a5:ff:d3:
+                    7b:d0:b7:12:48:0b:bf:90:62:f1:8a:40:db:1d:1a:
+                    0c:f5:dd:92:2a:1c:b6:2c:6b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                8D:5E:71:FA:2A:73:BA:9F:8E:63:32:1C:5D:AB:87:D0:AB:47:AB:B7
+            X509v3 Authority Key Identifier: 
+                keyid:8D:5E:71:FA:2A:73:BA:9F:8E:63:32:1C:5D:AB:87:D0:AB:47:AB:B7
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+        18:ac:0d:d3:50:38:ee:7c:55:1c:e9:30:c0:57:5b:4f:cb:7d:
+        14:59:18:de:92:20:e6:67:a8:a8:ed:da:01:33:5a:48:4c:e4:
+        66:85:25:8d:6b:56:81:67:f3:af:e9:f8:12:5c:19:07:17:98:
+        bf:d7:0f:ba:b5:64:6b:ec:17:ca:0c:d6:ce:c3:b3:09:43:0a:
+        04:8f:da:4b:c8:a3:45:ea:ef:ca:f8:7a:2e:91:a8:8c:f1:a7:
+        d4:7b:6d:9d:73:4b:9a:1c:be:04:b1:02:b3:b7:2a:e9:fd:19:
+        86:f2:26:ac:45:a1:0f:9b:99:1a:53:b1:69:99:3e:6c:51:23:
+        40:70
+-----BEGIN CERTIFICATE-----
+MIICsDCCAhmgAwIBAgIJAO9sL1fZ/VoPMA0GCSqGSIb3DQEBBQUAMHExbzAJBgNV
+BAYTAlVTMA8GA1UECgwIQ2hyb21pdW0wFgYKCZImiZPyLGQBGRYIQ2hyb21pdW0w
+GgYDVQQDDBNNdWx0aXZhbHVlIFJETiBUZXN0MB0GA1UECwwWQ2hyb21pdW0gbmV0
+X3VuaXR0ZXN0czAeFw0xMTEyMDIwMzQ3MzlaFw0xMjAxMDEwMzQ3MzlaMHExbzAJ
+BgNVBAYTAlVTMA8GA1UECgwIQ2hyb21pdW0wFgYKCZImiZPyLGQBGRYIQ2hyb21p
+dW0wGgYDVQQDDBNNdWx0aXZhbHVlIFJETiBUZXN0MB0GA1UECwwWQ2hyb21pdW0g
+bmV0X3VuaXR0ZXN0czCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnSMQ7YeC
+sOuk+0n128F7TfDtG/X48sG10oTe65SC8N6LBLfo7YYiQZlWVHEzjsFpaiv0dx4k
+cIFbVghXAky/r5qgM1XiAGuzzFw7R27cBTC9DPlRwHArP3CiEKO3iz8i+qu9x0il
+/9N70LcSSAu/kGLxikDbHRoM9d2SKhy2LGsCAwEAAaNQME4wHQYDVR0OBBYEFI1e
+cfoqc7qfjmMyHF2rh9CrR6u3MB8GA1UdIwQYMBaAFI1ecfoqc7qfjmMyHF2rh9Cr
+R6u3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAGKwN01A47nxVHOkw
+wFdbT8t9FFkY3pIg5meoqO3aATNaSEzkZoUljWtWgWfzr+n4ElwZBxeYv9cPurVk
+a+wXygzWzsOzCUMKBI/aS8ijRervyvh6LpGojPGn1HttnXNLmhy+BLECs7cq6f0Z
+hvImrEWhD5uZGlOxaZk+bFEjQHA=
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/unescaped.pem b/net/data/ssl/certificates/unescaped.pem
new file mode 100644
index 0000000..33dbb40
--- /dev/null
+++ b/net/data/ssl/certificates/unescaped.pem
@@ -0,0 +1,62 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ed:cd:27:0f:4c:ca:cc:fc
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=127.0.0.1, L=Mountain View, ST=California/streetAddress=1600 Amphitheatre Parkway, C=US, O=Chromium = "net_unittests", OU=net_unittests, OU=Chromium
+        Validity
+            Not Before: Dec  2 03:56:43 2011 GMT
+            Not After : Jan  1 03:56:43 2012 GMT
+        Subject: CN=127.0.0.1, L=Mountain View, ST=California/streetAddress=1600 Amphitheatre Parkway, C=US, O=Chromium = "net_unittests", OU=net_unittests, OU=Chromium
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:ac:25:6c:de:22:4f:be:77:07:3a:6c:f9:5f:e6:
+                    0a:ce:69:f7:ca:c5:b8:08:2b:b8:b0:04:12:55:fe:
+                    65:4c:c2:aa:b9:3d:b2:87:f5:59:c3:72:ac:a9:d4:
+                    1e:0b:ec:7f:2e:df:4c:ad:e7:cc:52:93:b4:ed:0a:
+                    99:40:7e:6a:35:c3:b0:8b:93:c7:e5:97:54:b9:7f:
+                    68:26:04:17:a6:b4:50:9e:d6:d7:6b:19:a1:ce:0b:
+                    5e:73:80:a6:b9:ef:5d:34:8e:6f:f7:8c:de:cf:78:
+                    cd:16:93:30:23:c3:5c:8c:9f:78:ce:18:c6:0f:e1:
+                    32:76:8a:c4:c4:54:30:56:39
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                38:85:CF:3E:10:D5:47:FC:08:81:FA:85:7F:84:7A:2F:3D:69:2B:A6
+            X509v3 Authority Key Identifier: 
+                keyid:38:85:CF:3E:10:D5:47:FC:08:81:FA:85:7F:84:7A:2F:3D:69:2B:A6
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+        32:0a:90:29:b1:9f:c0:c7:55:da:37:8f:5b:b8:09:a0:97:65:
+        15:3a:79:d1:3e:24:f4:44:ad:3f:eb:84:b4:ae:e3:7a:ba:43:
+        8c:d4:df:ef:ca:46:c5:99:c4:99:b5:ae:7e:2c:a9:85:05:d0:
+        8f:07:d2:ee:9e:72:b0:e0:87:51:5c:e8:f4:5a:a1:44:25:a5:
+        47:6a:67:b3:79:2e:66:7d:93:7d:f7:cf:31:13:c1:fc:af:62:
+        c6:ec:22:14:50:7f:d2:38:ff:5d:11:d5:58:c8:5e:43:08:bb:
+        ca:9c:45:78:f4:28:08:cc:98:75:1d:4c:d2:43:a5:34:f0:86:
+        56:37
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAr2gAwIBAgIJAO3NJw9Mysz8MA0GCSqGSIb3DQEBBQUAMIHCMRIwEAYD
+VQQDDAkxMjcuMC4wLjExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAgM
+CkNhbGlmb3JuaWExIjAgBgNVBAkMGTE2MDAgQW1waGl0aGVhdHJlIFBhcmt3YXkx
+CzAJBgNVBAYTAlVTMSMwIQYDVQQKDBpDaHJvbWl1bSA9ICJuZXRfdW5pdHRlc3Rz
+IjEWMBQGA1UECwwNbmV0X3VuaXR0ZXN0czERMA8GA1UECwwIQ2hyb21pdW0wHhcN
+MTExMjAyMDM1NjQzWhcNMTIwMTAxMDM1NjQzWjCBwjESMBAGA1UEAwwJMTI3LjAu
+MC4xMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIDApDYWxpZm9ybmlh
+MSIwIAYDVQQJDBkxNjAwIEFtcGhpdGhlYXRyZSBQYXJrd2F5MQswCQYDVQQGEwJV
+UzEjMCEGA1UECgwaQ2hyb21pdW0gPSAibmV0X3VuaXR0ZXN0cyIxFjAUBgNVBAsM
+DW5ldF91bml0dGVzdHMxETAPBgNVBAsMCENocm9taXVtMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCsJWzeIk++dwc6bPlf5grOaffKxbgIK7iwBBJV/mVMwqq5
+PbKH9VnDcqyp1B4L7H8u30yt58xSk7TtCplAfmo1w7CLk8fll1S5f2gmBBemtFCe
+1tdrGaHOC15zgKa57100jm/3jN7PeM0WkzAjw1yMn3jOGMYP4TJ2isTEVDBWOQID
+AQABo1AwTjAdBgNVHQ4EFgQUOIXPPhDVR/wIgfqFf4R6Lz1pK6YwHwYDVR0jBBgw
+FoAUOIXPPhDVR/wIgfqFf4R6Lz1pK6YwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQAyCpApsZ/Ax1XaN49buAmgl2UVOnnRPiT0RK0/64S0ruN6ukOM1N/v
+ykbFmcSZta5+LKmFBdCPB9LunnKw4IdRXOj0WqFEJaVHamezeS5mfZN9988xE8H8
+r2LG7CIUUH/SOP9dEdVYyF5DCLvKnEV49CgIzJh1HUzSQ6U08IZWNw==
+-----END CERTIFICATE-----