Skip to content

Commit 9fdb489

Browse files
certs: re-sign orphaned rsapss/mldsa leaves and add chain guard
1 parent 076dc5a commit 9fdb489

5 files changed

Lines changed: 241 additions & 75 deletions

File tree

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
name: Check certificate chains
2+
3+
# START OF COMMON SECTION
4+
on:
5+
push:
6+
branches: [ 'release/**' ]
7+
pull_request:
8+
types: [opened, synchronize, reopened, ready_for_review]
9+
branches: [ '*' ]
10+
11+
concurrency:
12+
group: ${{ github.workflow }}-${{ github.ref }}
13+
cancel-in-progress: true
14+
# END OF COMMON SECTION
15+
16+
jobs:
17+
check-cert-chains:
18+
name: check-cert-chains
19+
if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
20+
runs-on: ubuntu-24.04
21+
# A quick openssl-only check; no wolfSSL build required.
22+
timeout-minutes: 3
23+
steps:
24+
- uses: actions/checkout@v5
25+
name: Checkout wolfSSL
26+
27+
- name: Report openssl version
28+
run: openssl version
29+
30+
- name: Verify committed leaf certificates chain to their CA
31+
working-directory: certs
32+
run: ./check_cert_chains.sh

certs/check_cert_chains.sh

Lines changed: 129 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,129 @@
1+
#!/bin/sh
2+
3+
# Verify each committed leaf certificate still chains to its committed CA.
4+
#
5+
# This guards against the class of breakage where a CA is re-issued (for
6+
# example its subject DN or key is changed) without regenerating the leaf it
7+
# signed. Such a mismatch is otherwise invisible in the repository and only
8+
# surfaces later as a runtime TLS handshake failure in a narrow CI config
9+
# (a missing signer, reported as a fatal alert).
10+
#
11+
# Two tiers of checking are performed per pair:
12+
# 1. A signature-independent identity check (leaf issuer DN == CA subject DN,
13+
# and leaf AKID == CA SKID). This runs on any OpenSSL and catches the
14+
# DN/identity drift that has actually caused breakage.
15+
# 2. A cryptographic chain verification (openssl verify), performed only when
16+
# the local OpenSSL understands the CA's signature algorithm. ML-DSA needs
17+
# OpenSSL 3.5 or later, so on older toolchains the crypto step is skipped
18+
# (reported explicitly) while the identity check still runs.
19+
#
20+
# Exit status is 0 when every pair is consistent, non-zero otherwise.
21+
22+
# Run from the certs directory regardless of the caller's working directory.
23+
cd "$(dirname "$0")" || exit 1
24+
25+
# Pairs to check: "<leaf-pem> <ca-pem>" one per line.
26+
# Add a line here whenever a new pinned leaf/CA pair is committed.
27+
pairs="rsapss/ecc-leaf-rsapss.pem rsapss/ca-rsapss.pem
28+
mldsa/ecc-leaf-mldsa44.pem mldsa/mldsa44-cert.pem"
29+
30+
failed=0
31+
32+
# Report whether this OpenSSL can cryptographically verify the CA's signature
33+
# algorithm. Returns 0 (supported) or 1 (not supported).
34+
#
35+
# $1 Path to the CA certificate.
36+
crypto_supported() {
37+
ca=$1
38+
alg=`openssl x509 -in "$ca" -noout -text 2>/dev/null \
39+
| grep -i 'Public Key Algorithm' | head -1`
40+
case $alg in
41+
*ML-DSA*|*ml-dsa*|*mldsa*|*Dilithium*|*dilithium*)
42+
if openssl list -signature-algorithms 2>/dev/null \
43+
| grep -iq 'ML-DSA'; then
44+
return 0
45+
fi
46+
return 1
47+
;;
48+
*)
49+
# RSA, RSA-PSS and ECDSA are verifiable on any modern OpenSSL.
50+
return 0
51+
;;
52+
esac
53+
}
54+
55+
# Signature-independent identity check. Confirms the leaf names this CA as its
56+
# issuer and, when both are present, that the leaf's AKID matches the CA's SKID.
57+
# Returns 0 on match, 1 on mismatch.
58+
#
59+
# $1 Path to the leaf certificate.
60+
# $2 Path to the CA certificate.
61+
identity_matches() {
62+
leaf=$1
63+
ca=$2
64+
65+
iss=`openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253 \
66+
| sed 's/^issuer= *//'`
67+
sub=`openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 \
68+
| sed 's/^subject= *//'`
69+
if [ "$iss" != "$sub" ]; then
70+
echo "MISMATCH (issuer/subject): $leaf"
71+
echo " leaf issuer : $iss"
72+
echo " ca subject : $sub"
73+
return 1
74+
fi
75+
76+
akid=`openssl x509 -in "$leaf" -noout -ext authorityKeyIdentifier 2>/dev/null \
77+
| grep -Eo '[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+' | tr -cd '0-9A-Fa-f'`
78+
skid=`openssl x509 -in "$ca" -noout -ext subjectKeyIdentifier 2>/dev/null \
79+
| grep -Eo '[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+' | tr -cd '0-9A-Fa-f'`
80+
if [ -n "$akid" ] && [ -n "$skid" ] && [ "$akid" != "$skid" ]; then
81+
echo "MISMATCH (AKID/SKID): $leaf vs $ca"
82+
echo " leaf AKID : $akid"
83+
echo " ca SKID : $skid"
84+
return 1
85+
fi
86+
87+
return 0
88+
}
89+
90+
# A here-document (not a pipe) feeds the loop so the body runs in this shell
91+
# and updates to "failed" survive after the loop, per POSIX.
92+
while read -r leaf ca
93+
do
94+
[ -z "$leaf" ] && continue
95+
96+
if [ ! -f "$leaf" ] || [ ! -f "$ca" ]; then
97+
echo "MISSING: $leaf or $ca"
98+
failed=1
99+
continue
100+
fi
101+
102+
if ! identity_matches "$leaf" "$ca"; then
103+
failed=1
104+
continue
105+
fi
106+
107+
if crypto_supported "$ca"; then
108+
if openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
109+
echo "OK (crypto): $leaf -> $ca"
110+
else
111+
echo "VERIFY FAILED (crypto): $leaf -> $ca"
112+
openssl verify -partial_chain -CAfile "$ca" "$leaf"
113+
failed=1
114+
fi
115+
else
116+
echo "OK (identity only, crypto skipped - openssl lacks algorithm): $leaf -> $ca"
117+
fi
118+
done <<EOF
119+
$pairs
120+
EOF
121+
122+
if [ "$failed" != "0" ]; then
123+
echo ""
124+
echo "One or more committed leaf certificates no longer chain to their CA."
125+
echo "Regenerate the affected leaf from certs/renewcerts.sh (or the matching"
126+
echo "renew-*.sh) so it is re-signed by the current CA, then re-run this check."
127+
fi
128+
129+
exit $failed

certs/mldsa/ecc-leaf-mldsa44.pem

Lines changed: 59 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -1,61 +1,61 @@
11
-----BEGIN CERTIFICATE-----
2-
MIIK4zCCAVmgAwIBAgIUWxTZmWEP7xd/6kP8yG6lrPoDI0EwCwYJYIZIAWUDBAMR
3-
MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
4-
bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNDQwHhcN
5-
MjYwNjI5MjA0MjExWhcNMzYwNjI2MjA0MjExWjAUMRIwEAYDVQQDDAlsb2NhbGhv
6-
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
7-
zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
8-
QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUswU7
9-
xg6AYh+iTpNtmT4TaDnG/DIwCwYJYIZIAWUDBAMRA4IJdQBRjK3IylTYl8c3Xr5o
10-
BPVm8ERo5JxgRVYWclOVjuTlVYjnBg1ldXnyhXDjrq9cWDzYAbsjDD8AF6n2KlWK
11-
YtQ+PDGt9owu4tYuHKHSE3KTsUEXLrZV0sUr1gR6SDGhbKaGTa3mHs+/qTOyh/5U
12-
e2uKuGCr6mVa6QNJnvomq31KcPh52RaBEtpP04zJ3PfR+XEToXLKDS8/q6tLtuAI
13-
5WBUiLMz2f5LW3/ShM5g4ANQNUjp2GgOZp5zx/en/1GyqVep7QJgdY//fj9LSRqP
14-
jkyVSVRf+kOdG5FK1du8pysnZRy5+hj7QVRcuFIcaXfs9ak2xd7A2tti486WzUIF
15-
vVDAhkxNRc6Kk5o0dm7uO+EyiPvtvPw94TOuXp6aPZJfBaYc+DeN2L+yNHDBJu22
16-
wR+1f4vKsRCcZE82J93RfWp86PO9OWFMdghX/GRHC+GF6bR9gvXjXLnYpl5rIQ6q
17-
Y68CNM1oWp6jCNW273X505pvijAoG3m/9JL8XkRbGuhXli/1fKWuo03Plbha9sbe
18-
zPpc/I6Srq3LUcvmbajt+rDzuFRPpweLimAToqtji6eqx/RGusdtROGROd1/e9PI
19-
PEWd9DxfQxttyo+maJ9+o4jB+MIRwCdVp+GYiEDalBXdUd5GmqY2Y64UnzxaATq7
20-
scLJWX3UKN0DPhAfJOQgXnExlkCTg7as3jQ7M3xmfEO1L+v91dRW4PT+yBQxfVm0
21-
1NCmQ058PT0udeqkuMdrEgkdxoRRPN4uoDj08U/0hCaJOLbE2WkgEekdCaIjrJz7
22-
rTpnOrJ9ey3KIUBJLm6uGkqc81na6kRlELU4/1g54O73plpn6+85NUU8sCSs9WqL
23-
uYHDyYskyL+1FbplOtpubCk8hAxQ+cls/uM7mkEms0bjFEej428HlGkVjp9iJP4v
24-
bYdjctEOSbebnujWHT8RnmkIhV68bAQWiNDEoHxvI8GBY4lDrllfXBhxCDVs2mJa
25-
MfTLBRI8ZyiBiDatT04aghySMMuJG2GSu3AoSNTilhpziMVrIYP62aopjSdmoUcH
26-
XLMcUrjtjx4ssINqzEqZXqeW+knaSNdeDtPk1ECiBG5amPpB18GOAAhBYrS+8SNZ
27-
gmyKs5S9l9qLhQZ/ZHWF4BT1BC29gQ863fobxrUd6XSu/WJSoOMCmY+tRFbeQ74U
28-
Q0lTJK995Mru7L7YZEsbYaZsa/pwK7lnaOD+XDmq5P9RV0KTI//zTrQHhnBonViW
29-
gbIoa21eJCvTbax0Jcczd7FvjbFf8zfYzKNq532ZTdzMiZ9Z15ic1EfSArQwy1BC
30-
lsuX8yQIVHt1SdbZFjW0JQycrbDdYC6A4UFA/Ce8SAOf3qMViIw8eGU2aNtwOf/Q
31-
YWfJ+dfhfE6QeQe3sj87j00Hp4k9DG/20zb4W2kMl043xsTa6DzMujSE7Af82zgt
32-
6x5rXhdDph63KQ1E35tiuPekoALnmgEZV5Jg/Ze459ugXlseGNeXIA+6he3iKO3J
33-
gqVLOQQSTXP6nUX4R4E/eI7FnaWFXk+wVWuOgBzLmvyZrjecC1vgnl2j0mvsXbVN
34-
cvIaezO0vB9WcudUs6d4RsnH/yGIvx05FfYWa5iVBhSbugGsn5QfeMBr6UQwQOoh
35-
MAqgSMrgB4UAgiR/zxai/Uyd82rpFaCHNa61j4G/TFHFYyTVCyl2Ru4fhTINF2wD
36-
IM4ZV1qX9Lt65G+/I80I2KZLs2j5huFqMhWApBFdJ2Mxhqg0T+zDgWtK64RxExKH
37-
bzcsiFjBaKBQV6HNxdfmL5K29vR59q4R/FxXmxtqZaZAEMY3rg1mdMNqmea6qO6Z
38-
LBaWytwugs5cSiJJjoyUEoBVGyxDj6kG0qyHCdZ376ryqDAimR/SZDLjfyr9WQdt
39-
/dZ462aaywPjvb+6D9NZHkronNqcOsEyct6O+n15E8j7c1lXc7G5SWGYz2bfgYvs
40-
1VSn+KNsYth9xp67Sx+x2WsGEB3jbR12HybkOBD4EGVIsNgnRW3N2SkJQP2i6UjW
41-
WCHWL0qJwdx/Umv08zo0ACApemUr3u5UWW+5twNiEjzk+oymsQ2Z8fbzA58qBuK4
42-
Yp3eepqozA3ELg9fizfo/+itibHVEHlepjttxbCVfLpAb2psRD/733ZAhV1hLrV8
43-
2Nvou8LqoJY2L01q06OPPgFYpb+e6AdtEv6n2pF0JMK4BVHTAIJIgBCaAoagkQtX
44-
4Nhk+90oA3WKkYkxRKI7dbExMa2wPo2EqS04D1GjFuvnvEhF+KXYUJlIlnyrLnpw
45-
UAJc8jN1v6U3yPwnOS2VMD1bEs/Dc1v97rgqk7lTNjJNJBub7jkLf4kc9wXsuGld
46-
YZPqpb51vgkG9+k/f31LMQ4uFNvPPg/TodUi//4smlTYkTiC20eIgp9hXU9YbRJ0
47-
aH2DcnADL1Zd+L5BUhSmgTSyaViIRUdUOO1G/cRV7MnRx72ufgyTv5yJHcRqS1Qb
48-
W98tnQPDKNb8RsYbvdRnOSpuxEIcfKv7zigdvXuIg4I+XJeBeuICjcLYWcvwJSLa
49-
ouilseTBoMhxFQsPSc/rRuRWWa9quwVwuhippKrXnadjcBD4d14nez6+ipiTlW4+
50-
Hu5JjqHTkBdzdgZCZ223eIobuzul3YNnHoYp15rL1Puphmefpw6ySJDWWLfMm3Wz
51-
4IlpnLoj7MdYRTnb6UP3Y/9uRxfb7LzTuvVKBXsZxLjKhxTL+uFyA0E7glPGypFs
52-
sDl2CErC+yfY7dCGFJIHr+JbegqKZyliIX/Zf1ZRNHg5eGtPrQrATIh96QoOKWKO
53-
T0eD1OWf/V3ySUhD5bW+2DHRLWp9vjxAGHI656nGJEfDaOyOpSkhTBBLPZM7n+0+
54-
Cu+dU/VZgaX+uVGmJLKlcQJUi+G90XGYysHzvjwWE4p04f2vOn1JvZGepOwDk+hA
55-
n1mMN1eHSyXf560GCh0uCzBqW26Faotfq6JNNGa6t5AGAtxaoL/gxLuH1aevaYJY
56-
fcb6hbfpVI35UqIwCqeNQz8afvBYN0zg1xoByfmHwcoOoPX4lAogW3jbAGWoLw52
57-
GTUqbdT76LW8hvTUYYzOA+o4vi9CXtIQl1YUS9cunynNgmrNlPtzOisWu1RvaXgW
58-
Fa3pAXLiYRAfAkIRwmElXIbnfxEXaJCWsrbn9/3+Bh4kKDNkb3a7y9Lf4/YJJ11s
59-
b4SPpMXO2N7o6/T4BxI1OkBKUVRspcXI1OPn6uzu9f7/AAAAAAAAAAAAAAAAAAAA
60-
AAAACxkpPg==
2+
MIIK4DCCAVagAwIBAgIUNZqvX/Vqhg0wdsf7iCcXabJGc24wCwYJYIZIAWUDBAMR
3+
MFcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
4+
bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRIwEAYDVQQDDAlNTC1EU0EtNDQwHhcNMjYw
5+
NzAyMDA1NTIyWhcNMzYwNjI5MDA1NTIyWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
6+
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTq
7+
K/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0IwQDAd
8+
BgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUgAW3G7oi
9+
6/opc8YTbqfj8qN/eiEwCwYJYIZIAWUDBAMRA4IJdQARRDUjAx0+PlvvM3mauYDt
10+
VxDhPRvZdLxwU5mlgP4wgX9iSQOmtOETTz1CkM2xx3lrVonzEDwQAQXsWxK0dYkz
11+
Fl8jDRwU3vG1Pn0pLgppUCZZbPnqOSKazaRKuvjs5p/0WGKIoNxxpXDu5hwEqYwz
12+
eH+cip8GUT52c/g3k7A4Kg7DpJdBfxvRhYr03282y94MQt4FcOMkITxsTxlm7UKH
13+
TrhB/PYLE/m28GJBcXbNh02Ke5/tTrQT3c13/sMFDPBumMB4+5voz+BGwNJndinx
14+
axwfVnjKbNG1M245qmzq2aadT8XGKDWxWnm7IJBjbBpPfBadpGkYncTracTq434Q
15+
Yuz0BIt+hCXHt4PxNWRJip/0wF1H4BdnSqLyWrruSr9l/0yWe5f7SlkNzS4q/6AP
16+
XEwWB7ktJ06eFMG5zLHOODu0WCerOazKef6NcRt2NskYFqi9mwE45Q4f8V+LvbSf
17+
UDJ/6Nvh5vCPFAjB6UzxGyCZFZDH1rNxq7JSBdx4vxfxvRi1dSSjWmDdO0zxuLV1
18+
2G2R+M3Vy0rK/ETzNFoV8/Y2dbigE+u02V19Wr/bLRTPzEideWYQOQXQ9Mp0gVPz
19+
Rnxtz0XVJ5R08jmvP7iJQ8BtcNNTbcKJFdmV3/xKmiBRyH00qgVsTMD6Q03FKI/m
20+
m14SW5X3Q+Z2Cs0fL2Z1cm3EnqX5Eiw7miwiLHqmnxFBVVTph4drvwI1ZviRPYMq
21+
N7XN0cAmvkXDlbuoteZHBv2UxRncAbeHl04nb9tlyhNiHqmMnjMNkzeu3ceLYfEt
22+
wCTsF2HlARig54xiZZRTtXGwMRDv8TgB54Ph4PfXvGc8m9Y256ETQbsrWAF5K5Ui
23+
juhnXMMPiI5JNxksppR+InPTDVBpLPZ59iEzQy0tJ19WRFXvLzbEhfuRv/W54FSF
24+
hAyxRvz/dyW8RFqsd9HcHAqBngWy8ZrCT2MeMNvMJ5IyaL7hxH5CNTJEHN1dAFgy
25+
L2kERPdTtFwDW6CSrsmi9V6AsgvcZem9XrSMhskQS8wCA4aHLDo8uy5seoxfEX6u
26+
dTOU/29yK5a4RxFwazdetNCDelFDDlEd2P+J0NKLtmEpafL51ETdLpvIGEzu2Fp2
27+
l7GWrAkcDRCG5WphrCHHtuEBt/agDIvAMvfBIx2DprS/8l4kP/ELyo6O77dlXUXU
28+
qHpczYihqeB49teR5vB8VmJRz8E+I7qYwBOEiqTzqA7WL22Y916KYj99AmIsfwe5
29+
4gByywRaz+mN8ZVb8jcGaEQsTvl9pIjHRQHCLPRD+0mTZTtJj4Mpnakhi9QoGYbp
30+
8uzbl34w+0yNFDY45mV3Gdr+e94dnyH2dNQnddzjEeB+ZEi4BPZW3SN6GCZZivwy
31+
WrsJNc+WNera7ebAE8gU4a3Uwo5SLfMt1deRzTKN7+gdCxAxnLDSoW6m6PxL5/Oj
32+
lPeHlY8oWEKu/OqCbFXG7ZVjaCiwzN+kN8pJ5R8PMb8N6ho7AZon27XtU+CtsN+k
33+
1PiomPx5B08UlOcYnl2kD8wFX6frwc4qjOPU+EfG3hnDnkQig30N5b64Et6VP0Kt
34+
9GZ2hOXGi4jMp84+w7t+nvSpPL+ZnezJz0jS9dFG3H3pqBKdsDHneHDaScqq3ymX
35+
wAL0RbOAE53Vrr4T/hRzFWwm3gd/FRdblCY2YS4P1H5ybrTtp+WBuh2/NtTtUYUL
36+
D2+2Qba5m/tH5e7eH4CfHO+gkuR+qFL7pE3IV4bDxBCGeVFx6MHKIL3kc+zsp2nA
37+
BatYwThRtnUHcOHkfCNc3GIN2OtVkZ/nTCIyLPGh3QeE6kQho9ar0kMjzk4NAMmP
38+
VzOr6hy3/6iL+Q3YU3b/YMudD52rq4b1E+HfPl61HQvRKd+duiXLcWPIX902eXfV
39+
sK1xrorAM+oj4mNedBUEYgSf4P1sZx1CaztaPUeuY8V43OblQcAEHeWRoB//TpGP
40+
lTArxudn4JvSma9IcMZdI2GJ8vImQz3pYrJs/cNcfA234c9Jdmo7HGo08niQosjm
41+
pIUiKN/YsDv1F/uussS5gIg33PoqxgpcvH7yeMKO/WlopoOB6K2gYILQoanvUYbu
42+
unyAJX+EbugvF5U91BWnIBuTuYKoGRFKZODK6CQDDySQpi1kiaLZsAmhkv8fo8rz
43+
opzMOR6VNx/66DvV1xIJ3u46K08DvtJx+sshuMRGVyJ/NLiJCEiTd/aMOg6yOcFh
44+
fA0ogy+eQltO96NzpD7FzGNhhzhl21tF5VvvlKhaoADmphkVESf0jVgxdJpguQTM
45+
KmJXr+n7ywewXyZrt57rSz2KJQgnjhGDNPXiPUT5U5grWcFg4IwROt9rjM8I4Vkl
46+
UwnyomtZDutGK8z+/YxTBwEIoaUgC6CnQZ8GTX8Qcxr6DLROIQIGwjFB0746xMJP
47+
AKQYDiKV1ph9k9TgOJZS/rVEhX6NJB8M/Q5gBDqiEez7PjqLeiJYsx+Dlmu99SyK
48+
UJ/Bbo/xvz5WKQYO1RFB8VdKhTD7Mpl8NzvOHm/raU9W5bnr6i9mKwX83yST7Dfd
49+
AsmM0MyfHI3crneHDRzObiFgijZpQ85yPrCKZC2k0jTCkDFgsrIzd51dokuVypkv
50+
It8vrbaDpieBs3qXiwGdfHs//dEoAmDnXK0jbDFRM35LSZNcD4u123Q99v9VZWjU
51+
uUn3IUD5Sw3rL+PToiX6Xi1qsSEwm5J6/Stiw8AkBS5kHIbgXZim0AgPF7dCEF/i
52+
Nraea6hb0pURKH6U8tGi4g4Ptg5wrfDF84n6dgfqnN0X5wfZFsMtTrLX5WSpweEo
53+
r0eRqiJ/wtX6pJOBZSToA/LDy7AiORyycacTFYnreCVsQEIXwXCwzuw3iwEZsxOf
54+
hO3acNpkvPXjAHVhzjiDGu19ORZWNIbo+s7+yzfMQVU/V26EP81tLhk4JkIQZdIV
55+
KgRh+jKYzM9Y+An2jLiF0S80ToVTrYmv99XR4t/eopsa6Rvij3wcfnPf68+t3JpD
56+
BfxuA8H/YUK8J7o7LfuoLVnAUmdHXKt6gmY5H01rlmpuEaa4sCOK0Dl+wPbGI/0d
57+
UnaStdTKaCdZ9pbwTPRqx7fWVFV6AeCMqfhZexaIm3Y7uBGdmIKRzOVRhV+WnK9B
58+
jH+9a5KTDXf3OoebO5toEyEuaXh/iqi2ucfJ5OofKj9TaWyHiZCSnaKns8vP2dvi
59+
6RIUFjFUW19+f4uNtM7a8fkFBgwcISkqN0JEb32xuNYAAAAAAAAAAAAAAAAAAAAA
60+
DSExQA==
6161
-----END CERTIFICATE-----

certs/renewcerts.sh

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1167,4 +1167,9 @@ cd ../ || exit 1
11671167
rm -f ./certs/wolfssl.cnf
11681168
rm -f certs/.rnd
11691169

1170+
# Confirm every pinned leaf still chains to its (possibly re-issued) CA before
1171+
# the refreshed certs are committed.
1172+
./certs/check_cert_chains.sh
1173+
check_result $? "check_cert_chains"
1174+
11701175
exit 0

certs/rsapss/ecc-leaf-rsapss.pem

Lines changed: 16 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,20 @@
11
-----BEGIN CERTIFICATE-----
2-
MIIDNDCCAeigAwIBAgIUcQ837WSJJkEpm5bqUbCnYmh4tPcwQQYJKoZIhvcNAQEK
2+
MIIDNTCCAemgAwIBAgIUMQDPVw1H0WUlU6ZyzsyE5SnWkukwQQYJKoZIhvcNAQEK
33
MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
4-
AKIDAgEgMIGyMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
4+
AKIDAgEgMIGzMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
55
BwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxEjAQBgNVBAsMCUNB
6-
LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
7-
FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y
8-
NjA2MjkyMDQyMTFaFw0zNjA2MjYyMDQyMTFaMBQxEjAQBgNVBAMMCWxvY2FsaG9z
9-
dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3O
10-
lOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIboIFgzC4A0idijQjBA
11-
MB0GA1UdDgQWBBRdXSbvrH42+Zt2FStKJQIj77KJMDAfBgNVHSMEGDAWgBSeDODT
12-
37ZL8xljXMpsk4aiFFORMTBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA
13-
oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAFijyXPfkDdV
14-
J/cZg6W5e9pRHpeXlxHLbcX8tcsGE9/la9rLcUtqSi5pWgK4OehwlrKrzufFjkZr
15-
JfyLTjYMuYkkv4NStJZD3XOYRZ5/qIcZX3U2b2Xm3GKW/H7vnuLKrd3wKed315+z
16-
FCYkKPIS04fKTGqb03ZyClCAmzHv2YPpezHsIXJGSJh0YsVsdM/WDKEjuOlL0CRm
17-
UyTsrMNZjqlvMhgGP5GsyTOEbYM8KvfkPn9xyzw7Dmwz4+BAc1LvRoBkS+UAgiZB
18-
gLn9OK5d2mRlcwmgMGDJQm1vaSrXZ/eQBrdVLUGLChjWvw+rPouAZaZVbBhE8q1C
19-
UaqgwTLH/tY=
6+
LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMSAwHgYJKoZIhvcNAQkB
7+
FhFmYWN0c0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dvbGZTU0wwHhcN
8+
MjYwNzAyMDA1NDIyWhcNMzYwNjI5MDA1NDIyWjAUMRIwEAYDVQQDDAlsb2NhbGhv
9+
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
10+
zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
11+
QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUngzg
12+
09+2S/MZY1zKbJOGohRTkTEwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
13+
AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQBAyy+npLjP
14+
zpo/EaNoItOW4rUaxMUMuV0BBDlnKZh6HHnHEAeyfYc3ZDuZacOIUSfYx7snIHQn
15+
fUQ9EYEiLCshk8TX9tTY7nEGUw8DN847LbhYiPt8lAse946d7OfL7+/eFcAh64B/
16+
+YIQkUC/2DGXuhWLHI4z24F/7Zp1aNqJJGoLYvLKLnkZuUKevKtVqIyzEnd+mfj0
17+
2ryn06C0bh1OAlfGE5vh2OUHH3u8N1UOTmwiIVr3lLxdboTw0+uVvotTrdb+brmq
18+
DuP6gfdDjV7wufMuhDNk0SaZhp+Uk7E7rw1Uv050yvCb/4n8FWzJFq2SVa0XQg4b
19+
oqbCM+a8CiJV
2020
-----END CERTIFICATE-----

0 commit comments

Comments
 (0)