crypto/tls: support AES-GCM.

AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044

diff --git a/src/pkg/crypto/tls/cipher_suites.go b/src/pkg/crypto/tls/cipher_suites.go
index 8404974f28861ffd7cc43ca718e39e61e0c9f642..1dbda04a1d10531ece0ab685919b3077dd24d4bf 100644 (file)
--- a/src/pkg/crypto/tls/cipher_suites.go
+++ b/src/pkg/crypto/tls/cipher_suites.go
@@ -49,22 +49,25 @@ type cipherSuite struct {
        elliptic bool
        cipher   func(key, iv []byte, isRead bool) interface{}
        mac      func(version uint16, macKey []byte) macFunction
+       aead     func(key, fixedNonce []byte) cipher.AEAD
 }
 
 var cipherSuites = []*cipherSuite{
        // Ciphersuite order is chosen so that ECDHE comes before plain RSA
        // and RC4 comes before AES (because of the Lucky13 attack).
-       {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, true, cipherRC4, macSHA1},
-       {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, true, cipherRC4, macSHA1},
-       {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1},
-       {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1},
-       {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1},
-       {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1},
-       {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, false, cipherRC4, macSHA1},
-       {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, false, cipherAES, macSHA1},
-       {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, false, cipherAES, macSHA1},
-       {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, true, cipher3DES, macSHA1},
-       {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, false, cipher3DES, macSHA1},
+       {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, true, nil, nil, aeadAESGCM},
+       {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, true, nil, nil, aeadAESGCM},
+       {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, true, cipherRC4, macSHA1, nil},
+       {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, true, cipherRC4, macSHA1, nil},
+       {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1, nil},
+       {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1, nil},
+       {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1, nil},
+       {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1, nil},
+       {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, false, cipherRC4, macSHA1, nil},
+       {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, false, cipherAES, macSHA1, nil},
+       {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, false, cipherAES, macSHA1, nil},
+       {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, true, cipher3DES, macSHA1, nil},
+       {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, false, cipher3DES, macSHA1, nil},
 }
 
 func cipherRC4(key, iv []byte, isRead bool) interface{} {
@@ -106,6 +109,46 @@ type macFunction interface {
        MAC(digestBuf, seq, header, data []byte) []byte
 }
 
+// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
+// each call.
+type fixedNonceAEAD struct {
+       // sealNonce and openNonce are buffers where the larger nonce will be
+       // constructed. Since a seal and open operation may be running
+       // concurrently, there is a separate buffer for each.
+       sealNonce, openNonce []byte
+       aead                 cipher.AEAD
+}
+
+func (f *fixedNonceAEAD) NonceSize() int { return 8 }
+func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
+
+func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
+       copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
+       return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
+}
+
+func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
+       copy(f.openNonce[len(f.openNonce)-8:], nonce)
+       return f.aead.Open(out, f.openNonce, plaintext, additionalData)
+}
+
+func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
+       aes, err := aes.NewCipher(key)
+       if err != nil {
+               panic(err)
+       }
+       aead, err := cipher.NewGCM(aes)
+       if err != nil {
+               panic(err)
+       }
+
+       nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
+       copy(nonce1, fixedNonce)
+       copy(nonce2, fixedNonce)
+
+       return &fixedNonceAEAD{nonce1, nonce2, aead}
+}
+
 // ssl30MAC implements the SSLv3 MAC function, as defined in
 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
 type ssl30MAC struct {
@@ -197,15 +240,17 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
 // A list of the possible cipher suite ids. Taken from
 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
 const (
-       TLS_RSA_WITH_RC4_128_SHA             uint16 = 0x0005
-       TLS_RSA_WITH_3DES_EDE_CBC_SHA        uint16 = 0x000a
-       TLS_RSA_WITH_AES_128_CBC_SHA         uint16 = 0x002f
-       TLS_RSA_WITH_AES_256_CBC_SHA         uint16 = 0x0035
-       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA     uint16 = 0xc007
-       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
-       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
-       TLS_ECDHE_RSA_WITH_RC4_128_SHA       uint16 = 0xc011
-       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  uint16 = 0xc012
-       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   uint16 = 0xc013
-       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   uint16 = 0xc014
+       TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
+       TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
+       TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
+       TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
+       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
+       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
+       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
+       TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
+       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
+       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
+       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
+       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
+       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
 )

diff --git a/src/pkg/crypto/tls/conn.go b/src/pkg/crypto/tls/conn.go
index 287f81c1d59a1b7a7c9884b996c15a23a815e707..2e64b88a68971f35340b1db04facb63abf041674 100644 (file)
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -146,6 +146,9 @@ func (hc *halfConn) changeCipherSpec() error {
        hc.mac = hc.nextMac
        hc.nextCipher = nil
        hc.nextMac = nil
+       for i := range hc.seq {
+               hc.seq[i] = 0
+       }
        return nil
 }
 
@@ -255,6 +258,26 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
                switch c := hc.cipher.(type) {
                case cipher.Stream:
                        c.XORKeyStream(payload, payload)
+               case cipher.AEAD:
+                       explicitIVLen = 8
+                       if len(payload) < explicitIVLen {
+                               return false, 0, alertBadRecordMAC
+                       }
+                       nonce := payload[:8]
+                       payload = payload[8:]
+
+                       var additionalData [13]byte
+                       copy(additionalData[:], hc.seq[:])
+                       copy(additionalData[8:], b.data[:3])
+                       n := len(payload) - c.Overhead()
+                       additionalData[11] = byte(n >> 8)
+                       additionalData[12] = byte(n)
+                       var err error
+                       payload, err = c.Open(payload[:0], nonce, payload, additionalData[:])
+                       if err != nil {
+                               return false, 0, alertBadRecordMAC
+                       }
+                       b.resize(recordHeaderLen + explicitIVLen + len(payload))
                case cbcMode:
                        blockSize := c.BlockSize()
                        if hc.version >= VersionTLS11 {
@@ -305,13 +328,13 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
                b.resize(recordHeaderLen + explicitIVLen + n)
                remoteMAC := payload[n:]
                localMAC := hc.mac.MAC(hc.inDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], payload[:n])
-               hc.incSeq()
 
                if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 {
                        return false, 0, alertBadRecordMAC
                }
                hc.inDigestBuf = localMAC
        }
+       hc.incSeq()
 
        return true, recordHeaderLen + explicitIVLen, 0
 }
@@ -338,7 +361,6 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
        // mac
        if hc.mac != nil {
                mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], b.data[recordHeaderLen+explicitIVLen:])
-               hc.incSeq()
 
                n := len(b.data)
                b.resize(n + len(mac))
@@ -353,6 +375,20 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
                switch c := hc.cipher.(type) {
                case cipher.Stream:
                        c.XORKeyStream(payload, payload)
+               case cipher.AEAD:
+                       payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
+                       b.resize(len(b.data) + c.Overhead())
+                       nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+                       payload := b.data[recordHeaderLen+explicitIVLen:]
+                       payload = payload[:payloadLen]
+
+                       var additionalData [13]byte
+                       copy(additionalData[:], hc.seq[:])
+                       copy(additionalData[8:], b.data[:3])
+                       additionalData[11] = byte(payloadLen >> 8)
+                       additionalData[12] = byte(payloadLen)
+
+                       c.Seal(payload[:0], nonce, payload, additionalData[:])
                case cbcMode:
                        blockSize := c.BlockSize()
                        if explicitIVLen > 0 {
@@ -372,6 +408,7 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
        n := len(b.data) - recordHeaderLen
        b.data[3] = byte(n >> 8)
        b.data[4] = byte(n)
+       hc.incSeq()
 
        return true, 0
 }
@@ -660,6 +697,7 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
                        m = maxPlaintext
                }
                explicitIVLen := 0
+               explicitIVIsSeq := false
 
                var cbc cbcMode
                if c.out.version >= VersionTLS11 {
@@ -668,6 +706,18 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
                                explicitIVLen = cbc.BlockSize()
                        }
                }
+               if explicitIVLen == 0 {
+                       if _, ok := c.out.cipher.(cipher.AEAD); ok {
+                               explicitIVLen = 8
+                               // The AES-GCM construction in TLS has an
+                               // explicit nonce so that the nonce can be
+                               // random. However, the nonce is only 8 bytes
+                               // which is too small for a secure, random
+                               // nonce. Therefore we use the sequence number
+                               // as the nonce.
+                               explicitIVIsSeq = true
+                       }
+               }
                b.resize(recordHeaderLen + explicitIVLen + m)
                b.data[0] = byte(typ)
                vers := c.vers
@@ -682,8 +732,12 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
                b.data[4] = byte(m)
                if explicitIVLen > 0 {
                        explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
-                       if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
-                               break
+                       if explicitIVIsSeq {
+                               copy(explicitIV, c.out.seq[:])
+                       } else {
+                               if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
+                                       break
+                               }
                        }
                }
                copy(b.data[recordHeaderLen+explicitIVLen:], data)

diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go
index 01b244be1d56b99b9685a989c830d71fa7505f84..851df865ca6358d634fba854dd6f4ab041e50de3 100644 (file)
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -308,8 +308,14 @@ func (c *Conn) clientHandshake() error {
        clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
                keysFromMasterSecret(c.vers, masterSecret, hello.random, serverHello.random, suite.macLen, suite.keyLen, suite.ivLen)
 
-       clientCipher := suite.cipher(clientKey, clientIV, false /* not for reading */)
-       clientHash := suite.mac(c.vers, clientMAC)
+       var clientCipher interface{}
+       var clientHash macFunction
+       if suite.cipher != nil {
+               clientCipher = suite.cipher(clientKey, clientIV, false /* not for reading */)
+               clientHash = suite.mac(c.vers, clientMAC)
+       } else {
+               clientCipher = suite.aead(clientKey, clientIV)
+       }
        c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
        c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
 
@@ -329,8 +335,14 @@ func (c *Conn) clientHandshake() error {
        finishedHash.Write(finished.marshal())
        c.writeRecord(recordTypeHandshake, finished.marshal())
 
-       serverCipher := suite.cipher(serverKey, serverIV, true /* for reading */)
-       serverHash := suite.mac(c.vers, serverMAC)
+       var serverCipher interface{}
+       var serverHash macFunction
+       if suite.cipher != nil {
+               serverCipher = suite.cipher(serverKey, serverIV, true /* for reading */)
+               serverHash = suite.mac(c.vers, serverMAC)
+       } else {
+               serverCipher = suite.aead(serverKey, serverIV)
+       }
        c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
        c.readRecord(recordTypeChangeCipherSpec)
        if err := c.error(); err != nil {

diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index 6c5e96c42ee6caadba381ce478d9b733f0122c6f..9aedd79d1472fc921bf1347fbde5e0556bb9be0c 100644 (file)
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -435,12 +435,20 @@ func (hs *serverHandshakeState) establishKeys() error {
        clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
                keysFromMasterSecret(c.vers, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
 
-       clientCipher := hs.suite.cipher(clientKey, clientIV, true /* for reading */)
-       clientHash := hs.suite.mac(c.vers, clientMAC)
-       c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
+       var clientCipher, serverCipher interface{}
+       var clientHash, serverHash macFunction
+
+       if hs.suite.aead == nil {
+               clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
+               clientHash = hs.suite.mac(c.vers, clientMAC)
+               serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
+               serverHash = hs.suite.mac(c.vers, serverMAC)
+       } else {
+               clientCipher = hs.suite.aead(clientKey, clientIV)
+               serverCipher = hs.suite.aead(serverKey, serverIV)
+       }
 
-       serverCipher := hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
-       serverHash := hs.suite.mac(c.vers, serverMAC)
+       c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
        c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
 
        return nil

diff --git a/src/pkg/crypto/tls/handshake_server_test.go b/src/pkg/crypto/tls/handshake_server_test.go
index 4f57e506dd7f4822033a10443e58cb44aee4ae16..27504ae74dd3440af7a9bb66d0ed80852f003633 100644 (file)
--- a/src/pkg/crypto/tls/handshake_server_test.go
+++ b/src/pkg/crypto/tls/handshake_server_test.go
@@ -309,6 +309,13 @@ func TestTLS11Server(t *testing.T) {
        testServerScript(t, "TLS11", tls11ECDHEAESServerScript, &config, nil)
 }
 
+func TestAESGCM(t *testing.T) {
+       var config = *testConfig
+       config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
+       config.MaxVersion = VersionTLS12
+       testServerScript(t, "AES-GCM", aesGCMServerScript, &config, nil)
+}
+
 // recordingConn is a net.Conn that records the traffic that passes through it.
 // WriteTo can be used to produce Go code that contains the recorded traffic.
 type recordingConn struct {
@@ -3483,3 +3490,238 @@ var clientauthECDSATests = []clientauthTest{
                },
        }},
 }
+
+var aesGCMServerScript = [][]byte{
+       {
+               0x16, 0x03, 0x01, 0x01, 0x1c, 0x01, 0x00, 0x01,
+               0x18, 0x03, 0x03, 0x52, 0x1e, 0x74, 0xf0, 0xb0,
+               0xc1, 0x8b, 0x16, 0xf9, 0x74, 0xfc, 0x16, 0xc4,
+               0x11, 0x18, 0x96, 0x08, 0x25, 0x38, 0x4f, 0x98,
+               0x98, 0xbe, 0xb5, 0x61, 0xdf, 0x94, 0x15, 0xcc,
+               0x9b, 0x61, 0xef, 0x00, 0x00, 0x80, 0xc0, 0x30,
+               0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
+               0xc0, 0x0a, 0x00, 0xa3, 0x00, 0x9f, 0x00, 0x6b,
+               0x00, 0x6a, 0x00, 0x39, 0x00, 0x38, 0xc0, 0x32,
+               0xc0, 0x2e, 0xc0, 0x2a, 0xc0, 0x26, 0xc0, 0x0f,
+               0xc0, 0x05, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
+               0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x13,
+               0xc0, 0x0d, 0xc0, 0x03, 0x00, 0x0a, 0xc0, 0x2f,
+               0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
+               0xc0, 0x09, 0x00, 0xa2, 0x00, 0x9e, 0x00, 0x67,
+               0x00, 0x40, 0x00, 0x33, 0x00, 0x32, 0xc0, 0x31,
+               0xc0, 0x2d, 0xc0, 0x29, 0xc0, 0x25, 0xc0, 0x0e,
+               0xc0, 0x04, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
+               0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c, 0xc0, 0x02,
+               0x00, 0x05, 0x00, 0x04, 0x00, 0x15, 0x00, 0x12,
+               0x00, 0x09, 0x00, 0x14, 0x00, 0x11, 0x00, 0x08,
+               0x00, 0x06, 0x00, 0x03, 0x00, 0xff, 0x01, 0x00,
+               0x00, 0x6f, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00,
+               0x01, 0x02, 0x00, 0x0a, 0x00, 0x34, 0x00, 0x32,
+               0x00, 0x0e, 0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b,
+               0x00, 0x0c, 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a,
+               0x00, 0x16, 0x00, 0x17, 0x00, 0x08, 0x00, 0x06,
+               0x00, 0x07, 0x00, 0x14, 0x00, 0x15, 0x00, 0x04,
+               0x00, 0x05, 0x00, 0x12, 0x00, 0x13, 0x00, 0x01,
+               0x00, 0x02, 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10,
+               0x00, 0x11, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d,
+               0x00, 0x22, 0x00, 0x20, 0x06, 0x01, 0x06, 0x02,
+               0x06, 0x03, 0x05, 0x01, 0x05, 0x02, 0x05, 0x03,
+               0x04, 0x01, 0x04, 0x02, 0x04, 0x03, 0x03, 0x01,
+               0x03, 0x02, 0x03, 0x03, 0x02, 0x01, 0x02, 0x02,
+               0x02, 0x03, 0x01, 0x01, 0x00, 0x0f, 0x00, 0x01,
+               0x01,
+       },
+       {
+               0x16, 0x03, 0x03, 0x00, 0x30, 0x02, 0x00, 0x00,
+               0x2c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0xc0, 0x2f, 0x00, 0x00,
+               0x04, 0x00, 0x23, 0x00, 0x00, 0x16, 0x03, 0x03,
+               0x02, 0xbe, 0x0b, 0x00, 0x02, 0xba, 0x00, 0x02,
+               0xb7, 0x00, 0x02, 0xb4, 0x30, 0x82, 0x02, 0xb0,
+               0x30, 0x82, 0x02, 0x19, 0xa0, 0x03, 0x02, 0x01,
+               0x02, 0x02, 0x09, 0x00, 0x85, 0xb0, 0xbb, 0xa4,
+               0x8a, 0x7f, 0xb8, 0xca, 0x30, 0x0d, 0x06, 0x09,
+               0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+               0x05, 0x05, 0x00, 0x30, 0x45, 0x31, 0x0b, 0x30,
+               0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+               0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+               0x55, 0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d,
+               0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31,
+               0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a,
+               0x13, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+               0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69,
+               0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c,
+               0x74, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30,
+               0x30, 0x34, 0x32, 0x34, 0x30, 0x39, 0x30, 0x39,
+               0x33, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
+               0x34, 0x32, 0x34, 0x30, 0x39, 0x30, 0x39, 0x33,
+               0x38, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09,
+               0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41,
+               0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+               0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d, 0x65,
+               0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21,
+               0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+               0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+               0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74,
+               0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74,
+               0x64, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09,
+               0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+               0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
+               0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xbb, 0x79,
+               0xd6, 0xf5, 0x17, 0xb5, 0xe5, 0xbf, 0x46, 0x10,
+               0xd0, 0xdc, 0x69, 0xbe, 0xe6, 0x2b, 0x07, 0x43,
+               0x5a, 0xd0, 0x03, 0x2d, 0x8a, 0x7a, 0x43, 0x85,
+               0xb7, 0x14, 0x52, 0xe7, 0xa5, 0x65, 0x4c, 0x2c,
+               0x78, 0xb8, 0x23, 0x8c, 0xb5, 0xb4, 0x82, 0xe5,
+               0xde, 0x1f, 0x95, 0x3b, 0x7e, 0x62, 0xa5, 0x2c,
+               0xa5, 0x33, 0xd6, 0xfe, 0x12, 0x5c, 0x7a, 0x56,
+               0xfc, 0xf5, 0x06, 0xbf, 0xfa, 0x58, 0x7b, 0x26,
+               0x3f, 0xb5, 0xcd, 0x04, 0xd3, 0xd0, 0xc9, 0x21,
+               0x96, 0x4a, 0xc7, 0xf4, 0x54, 0x9f, 0x5a, 0xbf,
+               0xef, 0x42, 0x71, 0x00, 0xfe, 0x18, 0x99, 0x07,
+               0x7f, 0x7e, 0x88, 0x7d, 0x7d, 0xf1, 0x04, 0x39,
+               0xc4, 0xa2, 0x2e, 0xdb, 0x51, 0xc9, 0x7c, 0xe3,
+               0xc0, 0x4c, 0x3b, 0x32, 0x66, 0x01, 0xcf, 0xaf,
+               0xb1, 0x1d, 0xb8, 0x71, 0x9a, 0x1d, 0xdb, 0xdb,
+               0x89, 0x6b, 0xae, 0xda, 0x2d, 0x79, 0x02, 0x03,
+               0x01, 0x00, 0x01, 0xa3, 0x81, 0xa7, 0x30, 0x81,
+               0xa4, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+               0x04, 0x16, 0x04, 0x14, 0xb1, 0xad, 0xe2, 0x85,
+               0x5a, 0xcf, 0xcb, 0x28, 0xdb, 0x69, 0xce, 0x23,
+               0x69, 0xde, 0xd3, 0x26, 0x8e, 0x18, 0x88, 0x39,
+               0x30, 0x75, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+               0x6e, 0x30, 0x6c, 0x80, 0x14, 0xb1, 0xad, 0xe2,
+               0x85, 0x5a, 0xcf, 0xcb, 0x28, 0xdb, 0x69, 0xce,
+               0x23, 0x69, 0xde, 0xd3, 0x26, 0x8e, 0x18, 0x88,
+               0x39, 0xa1, 0x49, 0xa4, 0x47, 0x30, 0x45, 0x31,
+               0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+               0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11,
+               0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x53,
+               0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74,
+               0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
+               0x04, 0x0a, 0x13, 0x18, 0x49, 0x6e, 0x74, 0x65,
+               0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64,
+               0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79,
+               0x20, 0x4c, 0x74, 0x64, 0x82, 0x09, 0x00, 0x85,
+               0xb0, 0xbb, 0xa4, 0x8a, 0x7f, 0xb8, 0xca, 0x30,
+               0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,
+               0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06,
+               0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+               0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00,
+               0x08, 0x6c, 0x45, 0x24, 0xc7, 0x6b, 0xb1, 0x59,
+               0xab, 0x0c, 0x52, 0xcc, 0xf2, 0xb0, 0x14, 0xd7,
+               0x87, 0x9d, 0x7a, 0x64, 0x75, 0xb5, 0x5a, 0x95,
+               0x66, 0xe4, 0xc5, 0x2b, 0x8e, 0xae, 0x12, 0x66,
+               0x1f, 0xeb, 0x4f, 0x38, 0xb3, 0x6e, 0x60, 0xd3,
+               0x92, 0xfd, 0xf7, 0x41, 0x08, 0xb5, 0x25, 0x13,
+               0xb1, 0x18, 0x7a, 0x24, 0xfb, 0x30, 0x1d, 0xba,
+               0xed, 0x98, 0xb9, 0x17, 0xec, 0xe7, 0xd7, 0x31,
+               0x59, 0xdb, 0x95, 0xd3, 0x1d, 0x78, 0xea, 0x50,
+               0x56, 0x5c, 0xd5, 0x82, 0x5a, 0x2d, 0x5a, 0x5f,
+               0x33, 0xc4, 0xb6, 0xd8, 0xc9, 0x75, 0x90, 0x96,
+               0x8c, 0x0f, 0x52, 0x98, 0xb5, 0xcd, 0x98, 0x1f,
+               0x89, 0x20, 0x5f, 0xf2, 0xa0, 0x1c, 0xa3, 0x1b,
+               0x96, 0x94, 0xdd, 0xa9, 0xfd, 0x57, 0xe9, 0x70,
+               0xe8, 0x26, 0x6d, 0x71, 0x99, 0x9b, 0x26, 0x6e,
+               0x38, 0x50, 0x29, 0x6c, 0x90, 0xa7, 0xbd, 0xd9,
+               0x16, 0x03, 0x03, 0x01, 0x11, 0x0c, 0x00, 0x01,
+               0x0d, 0x03, 0x00, 0x19, 0x85, 0x04, 0x01, 0x39,
+               0xdc, 0xee, 0x44, 0x17, 0x5e, 0xdb, 0xd7, 0x27,
+               0xaf, 0xb6, 0x56, 0xd9, 0xb4, 0x43, 0x5a, 0x99,
+               0xcf, 0xaa, 0x31, 0x37, 0x0c, 0x6f, 0x3a, 0xa0,
+               0xf8, 0x53, 0xc4, 0x74, 0xd1, 0x91, 0x0a, 0x46,
+               0xf5, 0x38, 0x3b, 0x5c, 0x09, 0xd8, 0x97, 0xdc,
+               0x4b, 0xaa, 0x70, 0x26, 0x48, 0xf2, 0xd6, 0x0b,
+               0x31, 0xc9, 0xf8, 0xd4, 0x98, 0x43, 0xe1, 0x6c,
+               0xd5, 0xc7, 0xb2, 0x8e, 0x0b, 0x01, 0xe6, 0xb6,
+               0x00, 0x28, 0x80, 0x7b, 0xfc, 0x96, 0x8f, 0x0d,
+               0xa2, 0x4f, 0xb0, 0x79, 0xaf, 0xdc, 0x61, 0x28,
+               0x63, 0x33, 0x78, 0xf6, 0x31, 0x39, 0xfd, 0x8a,
+               0xf4, 0x15, 0x18, 0x11, 0xfe, 0xdb, 0xd5, 0x07,
+               0xda, 0x2c, 0xed, 0x49, 0xa0, 0x23, 0xbf, 0xd0,
+               0x3a, 0x38, 0x1d, 0x54, 0xae, 0x1c, 0x7b, 0xea,
+               0x29, 0xee, 0xd0, 0x38, 0xc1, 0x76, 0xa7, 0x7f,
+               0x2a, 0xf4, 0xce, 0x1e, 0xac, 0xcc, 0x94, 0x79,
+               0x90, 0x33, 0x04, 0x01, 0x00, 0x80, 0x0d, 0x8e,
+               0x79, 0xe6, 0x86, 0xf6, 0xb6, 0xfb, 0x6b, 0x6a,
+               0xcc, 0x55, 0xe4, 0x80, 0x4d, 0xc5, 0x0c, 0xc6,
+               0xa3, 0x9f, 0x1d, 0x39, 0xd2, 0x98, 0x57, 0x31,
+               0xa2, 0x90, 0x73, 0xe8, 0xd2, 0xcd, 0xb0, 0x93,
+               0x1a, 0x60, 0x0f, 0x38, 0x02, 0x3b, 0x1b, 0x25,
+               0x56, 0xec, 0x44, 0xab, 0xbe, 0x2e, 0x0c, 0xc0,
+               0x6e, 0x54, 0x91, 0x50, 0xd6, 0xb1, 0xa2, 0x98,
+               0x14, 0xa8, 0x35, 0x62, 0x9d, 0xca, 0xfb, 0x0f,
+               0x64, 0x2b, 0x05, 0xa0, 0xa0, 0x57, 0xef, 0xcd,
+               0x95, 0x45, 0x13, 0x5a, 0x9b, 0x3d, 0xdb, 0x42,
+               0x54, 0x7f, 0xb9, 0x17, 0x08, 0x7f, 0xb2, 0xf0,
+               0xb1, 0xc3, 0xdf, 0x67, 0x95, 0xe2, 0x73, 0xf2,
+               0x76, 0xa3, 0x97, 0xfd, 0x9c, 0x92, 0x4a, 0xdb,
+               0x95, 0x1e, 0x91, 0x95, 0xae, 0x3d, 0xae, 0x58,
+               0xb5, 0x03, 0x6f, 0x5c, 0x3a, 0x19, 0xab, 0x92,
+               0xa5, 0x09, 0x6b, 0x40, 0x61, 0xb0, 0x16, 0x03,
+               0x03, 0x00, 0x04, 0x0e, 0x00, 0x00, 0x00,
+       },
+       {
+               0x16, 0x03, 0x03, 0x00, 0x8a, 0x10, 0x00, 0x00,
+               0x86, 0x85, 0x04, 0x01, 0xba, 0xb8, 0xad, 0x69,
+               0x20, 0x5e, 0xc1, 0x61, 0xc3, 0x0f, 0xb4, 0x30,
+               0x64, 0x66, 0x70, 0x96, 0x33, 0x3c, 0x8e, 0x12,
+               0x56, 0xbf, 0x6d, 0xb8, 0x6d, 0xc6, 0xba, 0xea,
+               0xfc, 0x38, 0xc0, 0x8b, 0x87, 0xa8, 0xf3, 0x87,
+               0xa1, 0xd5, 0xb6, 0xb0, 0x72, 0xc7, 0xd4, 0x19,
+               0x56, 0xa0, 0x91, 0xe1, 0x45, 0xc7, 0xf1, 0x7d,
+               0xb0, 0x1d, 0x78, 0x18, 0xf6, 0x3d, 0xbf, 0x1a,
+               0x23, 0x93, 0x0b, 0x19, 0xb1, 0x00, 0x56, 0xc9,
+               0x5e, 0x89, 0xd4, 0x9d, 0xd9, 0x5b, 0xe0, 0xb8,
+               0xff, 0x2f, 0x7d, 0x93, 0xae, 0x5b, 0xa5, 0x1f,
+               0x1f, 0x2b, 0x09, 0xe5, 0xf6, 0x07, 0x26, 0xa3,
+               0xed, 0xcb, 0x6a, 0x1a, 0xd6, 0x14, 0x83, 0x9b,
+               0xd3, 0x9d, 0x47, 0x1b, 0xf3, 0x72, 0x5f, 0x69,
+               0x21, 0x8f, 0xfa, 0x09, 0x38, 0x1a, 0x6b, 0x91,
+               0xcf, 0x19, 0x32, 0x54, 0x58, 0x8e, 0xee, 0xaf,
+               0xeb, 0x06, 0x9b, 0x3a, 0x34, 0x16, 0x66, 0x14,
+               0x03, 0x03, 0x00, 0x01, 0x01, 0x16, 0x03, 0x03,
+               0x00, 0x28, 0xc6, 0x96, 0x67, 0x62, 0xcc, 0x47,
+               0x01, 0xb5, 0xbd, 0xb7, 0x24, 0xd3, 0xb6, 0xfd,
+               0xb8, 0x46, 0xce, 0x82, 0x6d, 0x31, 0x1f, 0x15,
+               0x11, 0x8f, 0xed, 0x62, 0x71, 0x5f, 0xae, 0xb6,
+               0xa9, 0x0c, 0x24, 0x1d, 0xe8, 0x26, 0x51, 0xca,
+               0x7c, 0x42,
+       },
+       {
+               0x16, 0x03, 0x03, 0x00, 0x72, 0x04, 0x00, 0x00,
+               0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65,
+               0xea, 0x8b, 0xfb, 0xef, 0xba, 0xc8, 0x88, 0x94,
+               0x44, 0x99, 0x5f, 0x02, 0x68, 0x3a, 0x12, 0x67,
+               0x7f, 0xb9, 0x39, 0x71, 0x84, 0xe0, 0x30, 0xe6,
+               0x90, 0x6c, 0xcf, 0x32, 0x29, 0x29, 0x5c, 0x5a,
+               0x8b, 0x7d, 0xaa, 0x11, 0x28, 0x26, 0xb5, 0xce,
+               0xd2, 0x88, 0xd5, 0xb0, 0x5f, 0x94, 0x37, 0xa2,
+               0x48, 0xd9, 0x53, 0xb2, 0xab, 0x59, 0x23, 0x3d,
+               0x81, 0x6e, 0x64, 0x89, 0xca, 0x1a, 0x84, 0x16,
+               0xdf, 0x31, 0x10, 0xde, 0x52, 0x7f, 0x50, 0xf3,
+               0xd9, 0x27, 0xa0, 0xe8, 0x34, 0x15, 0x9e, 0x11,
+               0xdd, 0xba, 0xce, 0x40, 0x17, 0xf3, 0x67, 0x14,
+               0x03, 0x03, 0x00, 0x01, 0x01, 0x16, 0x03, 0x03,
+               0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x00, 0x00, 0x35, 0xcb, 0x17, 0x66, 0xee, 0xfd,
+               0x27, 0xdb, 0xb8, 0xa8, 0x8a, 0xf1, 0x56, 0x67,
+               0x89, 0x0d, 0x13, 0xac, 0xe2, 0x31, 0xb9, 0xa2,
+               0x26, 0xbb, 0x1c, 0xcf, 0xd1, 0xb2, 0x48, 0x1d,
+               0x0d, 0xb1, 0x17, 0x03, 0x03, 0x00, 0x25, 0x00,
+               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0,
+               0x89, 0x7c, 0x58, 0x6a, 0x9b, 0x00, 0x05, 0x8c,
+               0x7f, 0x28, 0x54, 0x61, 0x44, 0x10, 0xee, 0x85,
+               0x26, 0xa8, 0x04, 0xcd, 0xca, 0x85, 0x60, 0xf2,
+               0xeb, 0x22, 0xbd, 0x9e, 0x15, 0x03, 0x03, 0x00,
+               0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+               0x02, 0x10, 0xe4, 0xe5, 0xf9, 0x85, 0xe3, 0xb0,
+               0xec, 0x84, 0x29, 0x91, 0x05, 0x7d, 0x86, 0xe3,
+               0x97, 0xeb, 0xb2,
+       },
+}