Fixes for OpenSSL compatibility layer

certs/intermediate/include.am

@@ -50,4 +50,18 @@ EXTRA_DIST += \
          certs/intermediate/ca_false_intermediate/test_int_not_cacert.pem \
          certs/intermediate/ca_false_intermediate/test_sign_bynoca_srv.pem \
          certs/intermediate/ca_false_intermediate/wolfssl_base.conf \
-         certs/intermediate/ca_false_intermediate/wolfssl_srv.conf
+         certs/intermediate/ca_false_intermediate/wolfssl_srv.conf \
+         certs/intermediate/untrusted_anchor/gen_certs.sh \
+         certs/intermediate/untrusted_anchor/root-ca-cert.pem \
+         certs/intermediate/untrusted_anchor/root-ca-key.pem \
+         certs/intermediate/untrusted_anchor/alt-ca-cert.pem \
+         certs/intermediate/untrusted_anchor/alt-ca-key.pem \
+         certs/intermediate/untrusted_anchor/int-ca-cert.pem \
+         certs/intermediate/untrusted_anchor/int-ca-key.pem \
+         certs/intermediate/untrusted_anchor/int-ca-tampered-cert.pem \
+         certs/intermediate/untrusted_anchor/int-ca2-cert.pem \
+         certs/intermediate/untrusted_anchor/int-ca2-key.pem \
+         certs/intermediate/untrusted_anchor/leaf-cert.pem \
+         certs/intermediate/untrusted_anchor/leaf-key.pem \
+         certs/intermediate/untrusted_anchor/leaf-deep-cert.pem \
+         certs/intermediate/untrusted_anchor/leaf-deep-key.pem

certs/intermediate/untrusted_anchor/alt-ca-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAfKgAwIBAgIJAJoLyjuEz+RhMA0GCSqGSIb3DQEBCwUAMDExLzAtBgNV
+BAMMJndvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IEFsdCBSb290MCAXDTI2
+MDYwMzA3Mzk0OVoYDzIwNTYwNjAyMDczOTQ5WjAxMS8wLQYDVQQDDCZ3b2xmU1NM
+IFVudHJ1c3RlZC1BbmNob3IgVGVzdCBBbHQgUm9vdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKnZcJxZ45wE5i7AiCdA6KoNZNvFi/4JqWsi+oVNZqiH
+H3D7uN4xSJNgaRu41syWD+qiVTwtwGKNTn5h6oF1PiZYAO0/qUJiGD7XX3RJl2qX
+xINixqeJkasTzndr1aIb9fGXtu7A1Kq8lohc8KABv6N+EIpOlfo2mo+L4RoP5ejJ
+g6iCGtTJrAGXLDCfJtutN1ufVCnOvx1sci4UXdscUT/NryqKEMimkF9SyqlL4W9l
+SwnS3P619PXKeY8W6O6a2TDVGBr3kKOkoeXyEJH4vkqYLnS5XJk6GNeudFMEbkKD
+rbUTrpisEwy8QDpxwRSFDqDwyyFTOdyFnO/EybIzI0sCAwEAAaMjMCEwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAHO6
+Ye/rbzYKhAdY0q96M3JtIjIowsg0t7WlabOmf2qu3LijhPutJl7m3d+AAOau9lmz
+uvn8vS8awGcIUwe3C+9JMiGqmxbCrhe+UseMfKt+lOJ7qrXdyohhSjHgonfr8mxb
+G5UaoSJpNQPf8p667SiUcY6UP5WS9oSjSr01anRqi0WDSwjLPce3v7gv9ZjxNKS5
+ssWfj8mOSIjMEl2BKc49k3H+52pzzh63Wd7mD2aaUYplG/RkelyaunnIaM2wAR6i
+03TQk7G9RFnppp5UAeswOaS9GEnD3euufIaT55T1o5hJvI/BCzWuBGe+Edn7OXDo
+64g1iCxA+aeoQhRmXUQ=
+-----END CERTIFICATE-----

certs/intermediate/untrusted_anchor/alt-ca-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqdlwnFnjnATmLsCIJ0Doqg1k28WL/gmpayL6hU1mqIcfcPu4
+3jFIk2BpG7jWzJYP6qJVPC3AYo1OfmHqgXU+JlgA7T+pQmIYPtdfdEmXapfEg2LG
+p4mRqxPOd2vVohv18Ze27sDUqryWiFzwoAG/o34Qik6V+jaaj4vhGg/l6MmDqIIa
+1MmsAZcsMJ8m2603W59UKc6/HWxyLhRd2xxRP82vKooQyKaQX1LKqUvhb2VLCdLc
+/rX09cp5jxbo7prZMNUYGveQo6Sh5fIQkfi+SpgudLlcmToY1650UwRuQoOttROu
+mKwTDLxAOnHBFIUOoPDLIVM53IWc78TJsjMjSwIDAQABAoIBAQCb9e+zgc7Aarc6
+YswizzVVQOtF6oV7hT+uAvZrBQGo6jpyspG0ZSixOywIqpeCUKDY4KrHkXNAi2Ry
+JFMDALdK2jAvqe8v54c/3N/nldOVqzplMoQbPvUlVBCYE8qdCnOxnY/6d9JP3M+U
+81J4emKQK6fgd/y7Pvx5pwXRuptwPmqlR2RQERANdP1nFPgjGQhxWBJwulUE13Dp
+VtbqJIJ8mpWLWBEk6t4ga4wEV4XboWeo7Bs7oPU1TF5AHZnRVGjMSvpLm4CQHnhX
+ccQ/xDWnpkGvIVs1kBRFt6kHepjhaPkUrJJZwjmGOFJXEZdDvJVB5B74jOVDjdyu
+ZK3vQ4NBAoGBANcwleVaSd1qxdyUAyye2t3c93d4VhnRbfVo2xV4HUaey4H66ZHA
+iVzodDSLXLoj4ecJFRW7IDPjZ/3dFxTlwgBvFzhXgkpIpbJmIUF3mx6ElRWPCtiT
+U5kZsupSZqL8vmNejWI7+B0KsHy38NIqUlPoXJUSQNtzAwbC1k8iDvORAoGBAMoP
+lnl+mCO+kk4N8apyysMnt8O+fm6pUUFSL9ig9GL/bUAOqxHX2Py57oDQKeapn9g/
+YP85DRf47idpfnaG006xaDh5kx7YcXpgks/UAqZIY/b4Mwt5+rTXjLfOHSrK+Vc/
+CzLnjXcDqcPepYZwNbP2rHSf4Ut/KrsmjZ8JmMMbAoGABd4aSD21A+eUa5ZRm9bd
+Cu2qhcRvPJb8U5O/XY9/5NwRmoK3+bRxSmpAOOqP5bdywnT58TTABQovXLm5lmVJ
+a++bh3rDX7kpY3rrbziOrz9YPVVAK3Wg8uzDdyY2DD2uB1Gds08FTe1rsIrncyOa
+SRVt6NatlA5Hx9hqNZAtLjECgYAxTxaAdZU4+9OGOr7jwnmaoEGnAgCmjqkmkKDe
+c4DP+9c0T6ANjagFHHaIdsQS5wf75JOOFOUOGZA8i/DxibtdM8vkJD7zwwwGOjT5
+hJpU68uBRFZokY7NvOA5JpJVlAy+7sKT3I/YIEu4YcfxA8cHMMYq+60mGFVcMG9V
+BSmDSwKBgAqhhym6R1RgquV5n6kqy1Y1UFwZhrb2tvn04rDg9FVTsAXdw7Bs276D
+daeDdUDTeMOfiAk+VYtmriG46TEexmrQmGDHomVVZsRov0Q/76hyR+KZc+8TEJYm
+gcauogYNIeeu+713QbfWq8LxlB1b/E8YQEVfAT+Tl+mG+Sg6WQXN
+-----END RSA PRIVATE KEY-----

certs/intermediate/untrusted_anchor/gen_certs.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+
+# Regenerate the certificate set used by test_X509_verify_cert_untrusted_inter
+# (tests/api/test_ossl_x509_str.c).
+#
+# The set lets the test verify an end-entity certificate together with
+# caller-supplied untrusted intermediates through the OpenSSL compatibility
+# path (X509_STORE_CTX_init "chain" argument + X509_verify_cert) and check that
+# such a chain is accepted only when it terminates at a trusted anchor.
+#
+# Two trust chains are produced (both end-entities use the same hostname so a
+# downstream hostname check is meaningful):
+#
+#   single intermediate : leaf      <- int-ca           <- root-ca
+#   two intermediates   : leaf-deep <- int-ca2 <- int-ca <- root-ca
+#
+# Plus:
+#   alt-ca               an unrelated self-signed root (a populated but wrong
+#                        trust anchor)
+#   int-ca-tampered      int-ca with the final byte of its signatureValue
+#                        flipped (valid TBSCertificate, broken outer signature)
+#
+# The certificates intentionally omit subjectKeyIdentifier /
+# authorityKeyIdentifier; the test relies on this, so the script aborts at the
+# end if they were added back.  OpenSSL 3.x adds them automatically with no
+# option to suppress them, so regenerate with a tool that does not (e.g.
+# OPENSSL=/usr/bin/openssl on macOS).
+#
+# RSA-2048 / SHA-256, ~30 year validity so the regression does not expire.
+#
+# Requires: openssl (or a compatible LibreSSL, see above) and python3 (used to
+# flip a signature byte for the tampered intermediate).  With set -e a missing
+# python3 aborts regeneration partway through, leaving a half-written fixture
+# set; install python3 (or replace the byte-flip step) before regenerating.
+
+set -e
+cd "$(dirname "$0")"
+
+OPENSSL="${OPENSSL:-openssl}"
+DAYS=10957
+RSA_BITS=2048
+
+CA_EXT=$(mktemp)
+LEAF_EXT=$(mktemp)
+trap 'rm -f "$CA_EXT" "$LEAF_EXT" *.csr *.srl' EXIT
+
+# No pathlen so the first intermediate can still issue the second one in the
+# two-intermediate positive control; no key identifiers (see header).
+cat > "$CA_EXT" <<'EOF'
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+EOF
+
+cat > "$LEAF_EXT" <<'EOF'
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:www.example.test
+EOF
+
+genkey() { "$OPENSSL" genrsa -out "$1" "$RSA_BITS" 2>/dev/null; }
+
+# Self-sign a root CA: genroot <key> <cert> <CN>
+genroot() {
+    "$OPENSSL" req -x509 -new -key "$1" -sha256 -subj "/CN=$3" -days "$DAYS" \
+        -extensions v3 \
+        -config <(printf '[req]\ndistinguished_name=dn\n[dn]\n[v3]\n%s' \
+            "$(cat "$CA_EXT")") \
+        -out "$2"
+}
+
+# Sign a CSR: signcert <csr> <cert> <issuer-cert> <issuer-key> <extfile>
+signcert() {
+    "$OPENSSL" x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial \
+        -sha256 -days "$DAYS" -extfile "$5" -out "$2" 2>/dev/null
+}
+
+# Roots ----------------------------------------------------------------------
+genkey root-ca-key.pem
+genroot root-ca-key.pem root-ca-cert.pem "wolfSSL Untrusted-Anchor Test Root"
+
+genkey alt-ca-key.pem
+genroot alt-ca-key.pem alt-ca-cert.pem "wolfSSL Untrusted-Anchor Test Alt Root"
+
+# Intermediate signed by the root --------------------------------------------
+genkey int-ca-key.pem
+"$OPENSSL" req -new -key int-ca-key.pem -sha256 \
+    -subj "/CN=wolfSSL Untrusted-Anchor Test Intermediate" -out int-ca.csr
+signcert int-ca.csr int-ca-cert.pem root-ca-cert.pem root-ca-key.pem "$CA_EXT"
+
+# Leaf signed by the intermediate (single-intermediate chain) ----------------
+genkey leaf-key.pem
+"$OPENSSL" req -new -key leaf-key.pem -sha256 \
+    -subj "/CN=www.example.test" -out leaf.csr
+signcert leaf.csr leaf-cert.pem int-ca-cert.pem int-ca-key.pem "$LEAF_EXT"
+
+# Second-level intermediate signed by the first intermediate -----------------
+genkey int-ca2-key.pem
+"$OPENSSL" req -new -key int-ca2-key.pem -sha256 \
+    -subj "/CN=wolfSSL Untrusted-Anchor Test Intermediate 2" -out int-ca2.csr
+signcert int-ca2.csr int-ca2-cert.pem int-ca-cert.pem int-ca-key.pem "$CA_EXT"
+
+# Leaf signed by the second-level intermediate (two-intermediate chain) ------
+genkey leaf-deep-key.pem
+"$OPENSSL" req -new -key leaf-deep-key.pem -sha256 \
+    -subj "/CN=www.example.test" -out leaf-deep.csr
+signcert leaf-deep.csr leaf-deep-cert.pem int-ca2-cert.pem int-ca2-key.pem \
+    "$LEAF_EXT"
+
+# Tampered intermediate: flip the final byte of the DER (last byte of the
+# signatureValue) so the TBSCertificate stays valid but the outer signature no
+# longer verifies.
+"$OPENSSL" x509 -in int-ca-cert.pem -outform DER -out int-ca.der
+python3 - <<'PY'
+d = open("int-ca.der", "rb").read()
+d = d[:-1] + bytes([d[-1] ^ 0x01])
+open("int-ca-tampered.der", "wb").write(d)
+PY
+"$OPENSSL" x509 -inform DER -in int-ca-tampered.der -out int-ca-tampered-cert.pem
+rm -f int-ca.der int-ca-tampered.der
+
+# Guard: these test certificates must not carry key identifiers (see header).
+for c in root-ca-cert.pem alt-ca-cert.pem int-ca-cert.pem int-ca2-cert.pem \
+         leaf-cert.pem leaf-deep-cert.pem; do
+    if "$OPENSSL" x509 -in "$c" -noout -text \
+            | grep -q "Key Identifier"; then
+        echo "ERROR: $c carries a subject/authority key identifier." >&2
+        echo "Use an OpenSSL/LibreSSL that does not auto-add them" >&2
+        echo "(e.g. OPENSSL=/usr/bin/openssl $0)." >&2
+        exit 1
+    fi
+done
+
+echo "Completed"

certs/intermediate/untrusted_anchor/int-ca-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAfKgAwIBAgIJAPTQ79oIkv6aMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNV
+BAMMIndvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IFJvb3QwIBcNMjYwNjAz
+MDczOTQ5WhgPMjA1NjA2MDIwNzM5NDlaMDUxMzAxBgNVBAMMKndvbGZTU0wgVW50
+cnVzdGVkLUFuY2hvciBUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANUAGLPvY/JtFj7JCaHHUafA7rCnvf/t143a8tFrrn79
+1QF9+4BBZlS3xLNEFVZl8LB90kHdT2ws6lX0W6Q98+xebix9L0uAIevoAn1dPXAV
+/aY6i8au5azybGRL86g4yoTSt4Jg+hRJzdirsoq/sBYTvQTVOfeZNimb9RCdEq66
+MyRtnTREYVWwS8AzxeanTnKC2Yw/m7CB5oPQ2TKNSOhQVdzqcEb3jyxL5JLPi47y
+AEAPvcqF/HONwDSvtHchzgCowFQOfCpicrJSRZKop1XDjdgN3+Bv9dYQscVGV9Mh
+TA7fduxMAIIcYSsiw4LSRijuenP5IY4C5t6FMLq/9Y0CAwEAAaMjMCEwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBADlM
+TxZoEdjtXQpju84oBxscHyhNJU2OqN93B1tgTUi3B9j2ciHrRKV89/OiPSMgxGZ9
+DmijQgvKV7SEB22eXJDb0l4sEspPQQcuxB1m0bLDPh7xpYxvXTPxI/HuAxBp95kt
+ke1t3/3NOhWIP44Evmmo1W5NZBdjPGJQSXHKS6HyENVu2vrTj3TmLuYg57nldxAg
+kAF2D14InFJJwIGKeNaP710bN2tUkN7npWvNl7vu1TrDgeWdF67uVu1f647IST5i
+9O1f4s4yvhLh5gDKuM3IEDt+3XP1qLegSKIwWrlxHcjhs5XO+52aLulSVkT6RR5G
+tL6izMt6DXTOy/LUBkM=
+-----END CERTIFICATE-----

certs/intermediate/untrusted_anchor/int-ca-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1QAYs+9j8m0WPskJocdRp8DusKe9/+3Xjdry0Wuufv3VAX37
+gEFmVLfEs0QVVmXwsH3SQd1PbCzqVfRbpD3z7F5uLH0vS4Ah6+gCfV09cBX9pjqL
+xq7lrPJsZEvzqDjKhNK3gmD6FEnN2Kuyir+wFhO9BNU595k2KZv1EJ0SrrozJG2d
+NERhVbBLwDPF5qdOcoLZjD+bsIHmg9DZMo1I6FBV3OpwRvePLEvkks+LjvIAQA+9
+yoX8c43ANK+0dyHOAKjAVA58KmJyslJFkqinVcON2A3f4G/11hCxxUZX0yFMDt92
+7EwAghxhKyLDgtJGKO56c/khjgLm3oUwur/1jQIDAQABAoIBAAKw6Z78W0rozesl
+JxYAKqvv6BQbSm89VgfYyFCVB7NbCaHnMZJBQUW4vKd3KL3as9vG+y0R2rsHJj7H
+w5Cjp71IxCOTwVE24TbVy5JB51DPNlEvVCzCcOxqc6wguYdakFR1RRREnWQ8OnmO
+Uccm/NaKkUzKVN0n9mM4MTRwh5flhG6K9YoDxk75g12+fD+DQKf61iqcUh9Hqy3y
+ZBFdgKzRowq0UNK8OmqkATkHIBkOOZRWXz7t1+TOq+DlNizkjmUQXQM5qQ4Vrf01
+jjt+PfnjPQcVYgvanXSFZbinjgTa4+E5QQTBkSyFaal0GbbRKX7bxAu7aHHCMd5P
+PqkSUYECgYEA+Di097OJZLNQDgx7RNUGSPFiPhuLEg6wVhmBAtz1DM6UKYD2el7N
+AQ1kmpHC0rGbzeQoJQ/fcuxXQ7w7S0ycvNNTYW+kcUrK0h0L64JnUC6UVVrB+ax+
+3CLfM+qVo1Z1gFr+teiadCS1AHXUlVzz4BkkVTBOZosEo6k+s4Ol9GkCgYEA26zW
+TWUd0vkASkyAPG6JeMGX56tMbU+kSC+zY2UvuEp9JNVZhGwrb411jbREBrjA+eok
+UxIe3M4mMmbNvdlJ7M+6I6g5uVQ8FmohbEo78HcyB4onr2et6bw0giqupEhyrfx+
+XDgSpu1Mu1bFKYknRKn9MIzNTdHyAr404A38w4UCgYEAynElVuf8ZD7CSdLwLkE2
+8QK9Rz4bfEyykGYYjAc9bIaG3Bqr6z2qIPOVW2MJ6+Ci25b7Ds8VRJtwyHOaQF1p
+b69Cz7LIAQYoyJicAiXGsORsYfi1PzXp+QwP0j2+cQqwplCQcDgW0Can4Io5KOA4
+nkqjET9mkcdLr1b3Jl12WhECgYEAp6jzauCI8bNP0GUw3m6zB3IiIRPxYeCODvYx
+IORilnJrrwgSqWnxgNNjbAKwhLzPtC5LCQfkfDvulTs3PfWwYUht1bcYT2WF8smP
+ttm1g6NFkNGV1l74MlONc+dloUcWF8qFGpdFTRgCH11rX3cpfFONRVfBfeqFnihT
+rMmgKA0CgYEA0a4G8rqeUBL/nU4ALLdnvhx4Qus3cJ7kCF+7ZBi+CCrFQun1kTTF
+23uOeAIabjAvm8ur8k73FzD9bg5EhlOsmWcAOSSWgq1ONr51sS+8IrmAx/95AvtP
+ztWQJywOMcA3mjIlJDuA+tkI9gQObtxnNOVy/OUk8aNE755UXLFG53k=
+-----END RSA PRIVATE KEY-----

certs/intermediate/untrusted_anchor/int-ca-tampered-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAfKgAwIBAgIJAPTQ79oIkv6aMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNV
+BAMMIndvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IFJvb3QwIBcNMjYwNjAz
+MDczOTQ5WhgPMjA1NjA2MDIwNzM5NDlaMDUxMzAxBgNVBAMMKndvbGZTU0wgVW50
+cnVzdGVkLUFuY2hvciBUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANUAGLPvY/JtFj7JCaHHUafA7rCnvf/t143a8tFrrn79
+1QF9+4BBZlS3xLNEFVZl8LB90kHdT2ws6lX0W6Q98+xebix9L0uAIevoAn1dPXAV
+/aY6i8au5azybGRL86g4yoTSt4Jg+hRJzdirsoq/sBYTvQTVOfeZNimb9RCdEq66
+MyRtnTREYVWwS8AzxeanTnKC2Yw/m7CB5oPQ2TKNSOhQVdzqcEb3jyxL5JLPi47y
+AEAPvcqF/HONwDSvtHchzgCowFQOfCpicrJSRZKop1XDjdgN3+Bv9dYQscVGV9Mh
+TA7fduxMAIIcYSsiw4LSRijuenP5IY4C5t6FMLq/9Y0CAwEAAaMjMCEwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBADlM
+TxZoEdjtXQpju84oBxscHyhNJU2OqN93B1tgTUi3B9j2ciHrRKV89/OiPSMgxGZ9
+DmijQgvKV7SEB22eXJDb0l4sEspPQQcuxB1m0bLDPh7xpYxvXTPxI/HuAxBp95kt
+ke1t3/3NOhWIP44Evmmo1W5NZBdjPGJQSXHKS6HyENVu2vrTj3TmLuYg57nldxAg
+kAF2D14InFJJwIGKeNaP710bN2tUkN7npWvNl7vu1TrDgeWdF67uVu1f647IST5i
+9O1f4s4yvhLh5gDKuM3IEDt+3XP1qLegSKIwWrlxHcjhs5XO+52aLulSVkT6RR5G
+tL6izMt6DXTOy/LUBkI=
+-----END CERTIFICATE-----

certs/intermediate/untrusted_anchor/int-ca2-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIJAIpSt1mJH/iOMA0GCSqGSIb3DQEBCwUAMDUxMzAxBgNV
+BAMMKndvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IEludGVybWVkaWF0ZTAg
+Fw0yNjA2MDMwNzM5NTBaGA8yMDU2MDYwMjA3Mzk1MFowNzE1MDMGA1UEAwwsd29s
+ZlNTTCBVbnRydXN0ZWQtQW5jaG9yIFRlc3QgSW50ZXJtZWRpYXRlIDIwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoVXfEVO7xHX3hjTbTdwD3YM7sOX3e
+BQvZQkmOxHYH4nr+3D8d0U9LNQPL+nQ07G9D71g6mW7fVScvoeyNIptknoS/MBKl
+g9ZfptEYbKJsggaSxw+CLVsprTtOXd2vq7OXNXJqlmuEEjiOn0lQxUF2JiS+cYqY
+N1+iNE8zYB0GXpQPFoSGudgl9lRFZTKtqR5O9Vs50I1r2JQfRybVN61W6QUdZMtv
+nfdcD0AcQxPnkdQ03h1X57DtIDKh2TjBXbR69wViMtDKhvAWRmgvH0AZFTQrUBIJ
+QAUiTYLyzOnedl+bY7Tl+h5EIUH7l5qu4O2HzxArQVz7O/Ad7uYLSxZrAgMBAAGj
+IzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+CwUAA4IBAQC1MBh4c9iTDKBHzR5IqDSASBtc8yBA/jxaX6aXYlNkgNv2Nnpz3uan
+mbi4uQuUycI63RfUPPNS28x7j90rVGPxHlM6vYRHarzvgKlGIlJhHAFmzNlALbSM
+yM94m9iXDELQV5f494PbyGsBcnI1qJQZXdwpRiukICTOr0E8AlVULxJAGks9L0tZ
+pJ3im3ay8yZPFVwhpDBXU2oeqNNsFQro8mZEzlYcyBlvf8uZbXy/7RHsRDr2CFyz
+ECZnGZUJ3GdFo8T0IfW7ztLP6kBS0qTXOKEbVoGo7vystiu6dw9VAXukIGFSI+Md
+tvdsR8KWuQeoWo/CfAI6MIyghQBGaCNg
+-----END CERTIFICATE-----

certs/intermediate/untrusted_anchor/int-ca2-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqFV3xFTu8R194Y0203cA92DO7Dl93gUL2UJJjsR2B+J6/tw/
+HdFPSzUDy/p0NOxvQ+9YOplu31UnL6HsjSKbZJ6EvzASpYPWX6bRGGyibIIGkscP
+gi1bKa07Tl3dr6uzlzVyapZrhBI4jp9JUMVBdiYkvnGKmDdfojRPM2AdBl6UDxaE
+hrnYJfZURWUyrakeTvVbOdCNa9iUH0cm1TetVukFHWTLb533XA9AHEMT55HUNN4d
+V+ew7SAyodk4wV20evcFYjLQyobwFkZoLx9AGRU0K1ASCUAFIk2C8szp3nZfm2O0
+5foeRCFB+5earuDth88QK0Fc+zvwHe7mC0sWawIDAQABAoIBAFuFnIhyZTdTAY4Q
+aS6wFSZqzBZDa9u6gqatE7E7v7CpwpWuyeI8WxBY0qeklGnx4szc5Ot3YICsm5Ga
+SDK0Dii2xxXr3TeAZp265RSSe/zi9Q/4isYMQvR16zjAcDeC8zHTLVImVm6IOZfR
+otr3ZJAITRH+SYxZDvXx2t3j8+Pxxlp6hzG3sXw8MWa2Ra3mIhDjzCBIaRXq25Mj
+8DUTi/8p5OupEd7mt6HZmaWk71KC6R4efNNBtl2p2WCiw0VQNZ+cFLPyYeL8+f32
+HrWPqTinzCR8LXkX2GTWdZuC8cJIKX/8olTJZaTKsmD73H2dGj+VsBjdx4SRr6aW
+SYp6boECgYEA1aZq8XofRXid7ZIKeDkmhWhMcrx+4QIqKU5YKMYocuFGeeRla0pz
+LGunt+bs2V/LuUVDiOvbQ8RuaDB4mmJiYnRag28iRBpoJPm5nGELv7h3vxiG5tKJ
+n52HCzvi2CI4dEXTH3cwhIis+Uu26Udhhiri08m6rl50/qE9STYr8WUCgYEAybN/
+iRNHcGSYyrBPfSfAcTEbbDI45C1NgFOjccBnnpBgaqatUSTgJDImCpH/v5efDXqk
+YxhCJ7tfbxhREmpWSNS1prvzih7T+xVOoWsdDSKIgF2PcsqeXFikQGh0ffu9UT0m
+lJ4tw7P615q9MNGlKrERmQsYyM4GmMyLGj2V048CgYBWzBpMakHEFoGKn7czKny0
+3C+auWuOfDOmvlZgkkiii1T3dkuhsAhkdoQX2XBFy35XkYUjXjahLG9yUqbcibXQ
+q9aN6RtxsYy34OCAYIjGZen4L722jrgsqXHQpY6+IgDvc+KWuPR0E5a6XQE9eqtr
+N4cZZa464tMDE3xzfteRZQKBgQCQZR0nP5MEBjBP4lp1ibC+F96+3VFXIIt8E+RN
+eeV0YX10vHAVSCXiI7iSFqUVPvFRj/wBKQurL/uJJ8paOaAdsZF9lM4rkhhFhqJs
+8qawkYlRBCm+jwlBqP+lUGIdEswcTX/CI1813DH2icNpIJxybKLhgk0y7DNSzhPD
+LFWHRwKBgQC67X7ZML+st35dOvPRg7djtcCQTr0lcywKLUUo2B3VZVZL7pObe/V3
+y+CK8HEvw9wTbsQ7VnqM8v/KfQmk8gHlOpppYg0LGeTDjz97TGlJGVE+w3zHkL3h
+QNEYZpApBmMiThPPsTb+5L7xJkuEmFVsUrVaJcr2cIXKCEnnKzDYag==
+-----END RSA PRIVATE KEY-----

certs/intermediate/untrusted_anchor/leaf-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIJAIpSt1mJH/iNMA0GCSqGSIb3DQEBCwUAMDUxMzAxBgNV
+BAMMKndvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IEludGVybWVkaWF0ZTAg
+Fw0yNjA2MDMwNzM5NTBaGA8yMDU2MDYwMjA3Mzk1MFowGzEZMBcGA1UEAwwQd3d3
+LmV4YW1wbGUudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIN
+u32XXq4VzV/WKmfgaLZlkPbtYG8Ic9LOYqE0/y/F34wkYLWThYSleLglbFG9Vtcx
+FhAPuutZSML8j3QGdvRPHF/w03+BZ4SVnHQiBvJSCyY0TYhgSHZaNuWR7VVhlTsg
+XQNfx1ZCYsBiAgaJnhC/O2id6qjS3bnnhme/gvoKMl1SolgJgPalqRfhlHXs68Q+
+P2Mj5TdhqcwxGfBRGuaavTwwYBJYHwD8FvXtfGuoVtZb2gNU64m0ZpVPPUT6yBEy
+PJwZnrfZIDW9IrByz0kVRqmlDbMvgOs8Rxh0kvuuAtdun02AyOyzIuupHSEMoJmi
+oxqj026GgqEYnDCuZD8CAwEAAaNSMFAwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
+BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGwYDVR0RBBQwEoIQd3d3LmV4YW1w
+bGUudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAZLly5fb9QVkI6rb0MuzlGLr44Umq
+wI9bNzbd/EEt1vIymTpagf24PmvTtltQthhRWS5TK1P/mdfZEIhoX2lLU2k5xCOR
+pnCrgjJy9VSrW/gUfP0hnNR90Ig9OwUdQesJ4/7xcApox0BWD5P4M2HyRYmAkCop
+7Gho954vAuDpcNuXwudr1DwPlaK0EFvCOrFjeRhigYCI1EBVHrB6lgpOf1YXoA3d
+dlM9D/VOBj3FUta/brU5dDGpFYEhoOX62Z0RdTFIgGuvQm37UsbNEeEjqN7vL5EG
+Fyysmns+uGjkoNFufyJ7G53jvA7bG1N6f3+BLnFgYJk79Y0BGu2WrKtn/Q==
+-----END CERTIFICATE-----

certs/intermediate/untrusted_anchor/leaf-deep-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAhGgAwIBAgIJAPO6YaSaV9OBMA0GCSqGSIb3DQEBCwUAMDcxNTAzBgNV
+BAMMLHdvbGZTU0wgVW50cnVzdGVkLUFuY2hvciBUZXN0IEludGVybWVkaWF0ZSAy
+MCAXDTI2MDYwMzA3Mzk1MFoYDzIwNTYwNjAyMDczOTUwWjAbMRkwFwYDVQQDDBB3
+d3cuZXhhbXBsZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+3hHicb9tF7nQG1+cJ0S1mUaYAgl7tAxkrFKes1MFmVfkSyOf1neOmZqRQIY6NG7n
+W2gnmR+vM5/mtNwmaKZDOoVXS+EROX4JaPe588HQQVNaHd9gD69gAUjyhmW+vo06
+7DtYOI9IxIVBAQEkkBo3bEhTrkUKJut5bY2YLbjcpcmE39vtNcwfJCJHGFX4d0RG
+p2tvvKyGRnMiCQUBOkhkqL2iqEkq/E20WoVwkANaA7ZdnYufc5q6nRau8CWCyX2L
++l9ZYioExTf1KQ/kkb3oa2jNIF3murjIMhYQVGOwfXSgaQWD8imKAAETG7jAwKmr
+7wEcmXy63X0IZKIjX/y+MwIDAQABo1IwUDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB
+/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAbBgNVHREEFDASghB3d3cuZXhh
+bXBsZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQARUfcAhA6W05FNevlk529AaMOa
+AEq24kOmFgYwYFn5+raia6fyDM1C5g4bT5eWsrOHN3PhchOiIZJ0s1Nq/vgdOBX9
+SK7grD4MKD1q9gD7DBdMM576gy64gDvBftJIxgYlDAU2PUU/oAjACCMLsb2mePhd
+HTopLABBWM0NMSiRXay+cizxxlbl/fafPDC1fPRq2TU8z4JCS6HCPR8ukjSCp+S5
+sEJmc3VV3kk3qd2tHcWXai8JZPxhtCaBrVRmk9lcp6Er/Jf9LCkLzhWZWcBaQRoQ
+s03H1GJHwbcDzVZrZzI05y3KZO5ZWl+d1f0RvIkHp/bsvz0d6qRCLe1O/WNj
+-----END CERTIFICATE-----