Replaced generic string check with initial 1.3.6.1.4.1.311.25.2 suppo…

…rt. Issue #4.
nemasu · Jul 24, 2023 · 61cf229 · 61cf229
1 parent c1930b8
commit 61cf229
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 89 deletions.
diff --git a/src/main/java/farm/puddle/certcheck/CertificateValidator.java b/src/main/java/farm/puddle/certcheck/CertificateValidator.java
@@ -23,6 +23,7 @@
 import javax.security.auth.x500.X500Principal;
 import java.io.*;
 import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.security.cert.*;
 import java.util.*;
@@ -31,6 +32,11 @@ public class CertificateValidator {
 
  private static final String CERTIFICATE_POLICY_OID = "2.5.29.32";
  private static final String CERTIFICATE_SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";
+
+ //See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71
+ private static final String CERTIFICATE_NTDS_CA_SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2";
+ private static final String CERTIFICATE_NTDS_OBJECTSID_OID = "1.3.6.1.4.1.311.25.2.1";
+
  private static final Map<DNField, String> DNFieldToKey = new HashMap<DNField, String>() {{
  put(DNField.Email, "E");
  put(DNField.CommonName, "CN");
@@ -645,23 +651,48 @@ private CertificatePolicies getCertificatePolicy(int certificatePolicyPos)
  return new CertificatePolicies(PolicyInformation.getInstance(seq.getObjectAt(certificatePolicyPos)));
  }
 
- //This is used for arbitrary OIDs with String values
- public CertificateValidator hasOIDStringValue(String oid, String value)
- throws CertificateValidatorException {
-
- if (oid == null || value == null) {
- throw new CertificateValidatorException("null value provided.");
+ //https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71
+ public CertificateValidator hasMsObjectSid(String sid) {
+ if (sid == null) {
+ throw new CertificateValidatorException("sid is null");
  }
 
- byte[] extensionValue = x509Certificate.getExtensionValue(oid);
+ byte[] extensionValue = x509Certificate.getExtensionValue(CERTIFICATE_NTDS_CA_SECURITY_EXT_OID);
  if (extensionValue == null) {
- throw new CertificateValidatorException(oid + " does not exist.");
+ throw new CertificateValidatorException(CERTIFICATE_NTDS_CA_SECURITY_EXT_OID + " does not exist.");
+ }
+
+ DLTaggedObject dlTaggedObject;
+ try {
+ DEROctetString derOctetString = (DEROctetString) DEROctetString.fromByteArray(extensionValue);
+ DLSequence dlSequence = (DLSequence) ASN1Sequence.fromByteArray(derOctetString.getOctets());
+ dlTaggedObject = (DLTaggedObject) dlSequence.getObjectAt(0);
+ } catch (Exception e) {
+ throw new CertificateValidatorException("Invalid format", e);
+ }
+
+ DLSequence dlSequence1;
+ try {
+ dlSequence1 = (DLSequence) dlTaggedObject.getBaseObject();
+ ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier) dlSequence1.getObjectAt(0);
+
+ if (!oid.getId().equals(CERTIFICATE_NTDS_OBJECTSID_OID)) {
+ throw new CertificateValidatorException("OID_NTDS_OBJECTSID not found. Found: " + oid.getId());
+ }
+ } catch (Exception e) {
+ throw new CertificateValidatorException("OID_NTDS_OBJECTSID not found", e);
  }
 
- byte[] stringOctects = DEROctetString.getInstance(extensionValue).getOctets();
- String str = DERUTF8String.getInstance(stringOctects).getString();
- if (!value.equals(str)) {
- throw new CertificateValidatorException("provided value " + value + " does not equal " + str);
+ try {
+ DLTaggedObject sidObject = (DLTaggedObject) dlSequence1.getObjectAt(1);
+ DEROctetString derOctetStringSid = (DEROctetString) sidObject.getBaseObject();
+ String certSid = new String(derOctetStringSid.getOctets(), StandardCharsets.UTF_8);
+ if (!sid.equals(certSid)) {
+ throw new CertificateValidatorException(certSid + " does not match " + sid);
+ }
+
+ } catch (Exception e) {
+ throw new CertificateValidatorException("Cannot read SID string.", e);
  }
 
  return this;

diff --git a/src/test/java/farm/puddle/certcheck/CertificateValidatorTest.java b/src/test/java/farm/puddle/certcheck/CertificateValidatorTest.java
@@ -281,17 +281,17 @@ public void TestSurName() throws Exception {
  @Test
  public void TestSKID() throws Exception {
  new CertificateValidator(getExtTestPemFile())
- .hasSubjectKeyIdentifier("10d33da0e3ea3d8e3f16450d7e65ab0b005f4a66");
+ .hasSubjectKeyIdentifier("1525210937ae6a99bdb78c6e82e895476f8b3756");
  new CertificateValidator((getTestExtPemString()))
- .hasSubjectKeyIdentifier("10d33da0e3ea3d8e3f16450d7e65ab0b005f4a66");
+ .hasSubjectKeyIdentifier("1525210937ae6a99bdb78c6e82e895476f8b3756");
  }
 
  @Test
  public void TestSerialNumber() throws Exception {
  new CertificateValidator(getExtTestPemFile())
- .equalsSerialNumber(new BigInteger("314873837d23bca6294d1f01089c3d41b63537aa", 16));
+ .equalsSerialNumber(new BigInteger("314873837d23bca6294d1f01089c3d41b63537ac", 16));
  new CertificateValidator(getTestExtPemString())
- .equalsSerialNumber(new BigInteger("314873837d23bca6294d1f01089c3d41b63537aa", 16));
+ .equalsSerialNumber(new BigInteger("314873837d23bca6294d1f01089c3d41b63537ac", 16));
 
  new CertificateValidator(getTestPemFile())
  .equalsSerialNumber(new BigInteger("00aeb76a4c3d4631a0", 16));
@@ -358,11 +358,11 @@ public void TestCertificatePolicyQualifier() throws Exception {
  }
 
  @Test
- public void hasOIDStringValue() throws Exception {
+ public void hasMSObjectSid() throws Exception {
  new CertificateValidator(getExtTestPemFile())
- .hasOIDStringValue("1.3.6.1.4.1.311.25.2", "ABCDE-129824-usau08aeu80");
+ .hasMsObjectSid("S-1-5-21-1468012755-800561317-457473099-500");
  new CertificateValidator(getTestExtPemString())
- .hasOIDStringValue("1.3.6.1.4.1.311.25.2", "ABCDE-129824-usau08aeu80");
+ .hasMsObjectSid("S-1-5-21-1468012755-800561317-457473099-500");
  }
 
  private PublicKey getInvalidTestPublicKey() throws URISyntaxException, IOException, NoSuchAlgorithmException, InvalidKeySpecException {

diff --git a/src/test/resources/test-certs/ext_cert.conf b/src/test/resources/test-certs/ext_cert.conf
@@ -22,7 +22,7 @@ authorityKeyIdentifier = keyid,issuer
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage=serverAuth,clientAuth
 subjectAltName = otherName:msUPN;UTF8:[email protected], email: [email protected]
-1.3.6.1.4.1.311.25.2 = ASN1:UTF8String:ABCDE-129824-usau08aeu80
+1.3.6.1.4.1.311.25.2 = DER:30:3D:A0:3B:06:0A:2B:06:01:04:01:82:37:19:02:01:A0:2D:04:2B:53:2D:31:2D:35:2D:32:31:2D:31:34:36:38:30:31:32:37:35:35:2D:38:30:30:35:36:31:33:31:37:2D:34:35:37:34:37:33:30:39:39:2D:35:30:30
 certificatePolicies = 1.2.3.4, 1.5.6.7.8, @polsect
 
 [polsect]

diff --git a/src/test/resources/test-certs/ext_domain.tld.crt b/src/test/resources/test-certs/ext_domain.tld.crt
@@ -1,38 +1,39 @@
 -----BEGIN CERTIFICATE-----
-MIIGoTCCBgqgAwIBAgIUMUhzg30jvKYpTR8BCJw9QbY1N6owDQYJKoZIhvcNAQEL
+MIIGxjCCBi+gAwIBAgIUMUhzg30jvKYpTR8BCJw9QbY1N6wwDQYJKoZIhvcNAQEL
 BQAwgY0xCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UEBwwHU2hp
 YnV5YTEVMBMGA1UECgwMVGVzdENvbXBhbnkxMQ8wDQYDVQQLDAZEZXZTZWMxEzAR
 BgNVBAMMCmRvbWFpbi50bGQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGRvbWFpbi50
-bGQwHhcNMjMwNzIyMDUzODQ1WhcNMzMwNzE5MDUzODQ1WjCB3jELMAkGA1UEBhMC
+bGQwHhcNMjMwNzI0MDM0MTE2WhcNMzMwNzIxMDM0MTE2WjCB3jELMAkGA1UEBhMC
 VVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQKDAxUZXN0Q29tcGFueTExDzANBgNVBAsM
 BkRldlNlYzETMBEGA1UEAwwKZG9tYWluLnRsZDEUMBIGA1UEBAwLTGFzdG5hbWVz
 b24xFjAUBgNVBCoMDUZpcnN0bmFtZWJlcnQxHzAdBgkqhkiG9w0BCQEWEGFkbWlu
 QGRvbWFpbi50bGQxGzAZBgNVBGEMEk15IE9yZ2FuaXphdGlvbiBJRDEZMBcGA1UE
 BRMQTXkgU2VyaWFsIE51bWJlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBANAvkcG3JF+4H7Zt6g/2a07nZumIsAolQoxnyURSWtnJivbCuPgtZb2cvxZN
-xJo7n+TFbVmugGJcjVjhp7gf8PjPyIp4v1Bflc/oEer/mQq7MN1HoeTN28HOfIvL
-+7Bd5mmkY4n7bp86D314aoJZBa6h5LpNjPA+f7BDoOQEDF83eMAbZhOUU2Pxv3H8
-LWdFS1VlXsM0VY4PTxaidfHC5v2iQN1e8d0VktrF5ooTB1KRUmmNmN5Ko0+T07yX
-inrJ51Dg55H8Rz8gSpaDUW0CRuRtcDqwN7deZzYvZQSl7TjRMm7b2VypAonf55ql
-flboSCAE0fFVTNu3tlPXaypvZW4FPSDeAQn6Iw1obrDbKsQptR7snXi9cY33Dgef
-GUJ8ni1w3DTRHrU1jKYYKhWV2x4Wxpu3fgpXXvr5BUP6UOYU3VsQhzx0nW03L5TN
-Ja6u9Z8u89D3iw4EtL0AHki2U8cP7W8mQW7YqJlc7d5tR/pPx3uxkBc0xNrFngQy
-ASdlL0JYdCRD9GkwQpw9ID5/sYg74MY0yCUa04DPwF2u6KYuecWSNpJC0ZQFdCmt
-c9u8Mt0Z211/+kHIQ6c8sZF+dsfWOMswOUCSmE8FBDyrPiVfvHUiml1+iWBbwQ0C
-kJn4l2FgOlzRkDgZcnZDxweaBWLEsnxuZLFBqCkVJNyder8DAgMBAAGjggIlMIIC
-ITAdBgNVHQ4EFgQUENM9oOPqPY4/FkUNfmWrCwBfSmYwgawGA1UdIwSBpDCBoaGB
+ggIBAMWUTW43BhlJVK6aM1dtI1QIjzw0GiHRNh5Npn0Jmt/P+LLF6vnvFQoNA0AT
+Q9dINkaS/kQPvvNHOrOHs/CVvvlCjQyn5xEJS9W1DNOao5yuQDGA4g4KgMHoldga
+uEp0eoSPd+cFimt6qg9ecWC9NEpWec27X0UuWAjzEJP3oMCxHTveVk0zXB1ZyBzv
+NBmWOqUmP44Dtf+d2rbAqnpJ1oal4a9lBUD+HluQpEPtJxuSH5FON2yhXSKKO1MG
+8AxglAdezVzeqijvUh8x7vmqEReyM9bVhXNNQxTu9e9NSvvUo8s13pkHEYgRj5ts
+W/6UFTygJmdYImcDgmc2KVqaCHx0eaOnRIzb+SbuIXQcy5xtsL0gqsk9G5Zyam1C
+ArKjfk3JlNSecVrxk1Ib0kaM2eGNdbvShDMfJkhI24ycXcQ7josuZ0uD1E/fhR9k
+ryMNQyGShwe6wEopPC+Nvg+46Ug+I91IVI2w7fQGTRvvhKMwVxQQFDAkxcsUlPd6
+Zt8+AFx5nzHRDtULwuDlEb95KYARIL1VYVaeh5KScXVuwymcFU1i3JzsQZJ2zD/9
+IFlddSjC/lzL0gvKqA5yesEtaIZB+uh9LLFSFjDvfma1nEbTFvLQgbGI30tLoDV4
+xzm/4qEkbZ7lHnYDkiTrhyK6xePiAP406X6G6yxGUCXoHwslAgMBAAGjggJKMIIC
+RjAdBgNVHQ4EFgQUFSUhCTeuapm9t4xuguiVR2+LN1YwgawGA1UdIwSBpDCBoaGB
 k6SBkDCBjTELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdT
 aGlidXlhMRUwEwYDVQQKDAxUZXN0Q29tcGFueTExDzANBgNVBAsMBkRldlNlYzET
 MBEGA1UEAwwKZG9tYWluLnRsZDEfMB0GCSqGSIb3DQEJARYQYWRtaW5AZG9tYWlu
 LnRsZIIJAK63akw9RjGgMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
 AQYIKwYBBQUHAwIwPQYDVR0RBDYwNKAgBgorBgEEAYI3FAIDoBIMEGFkbWluQGRv
-bWFpbi50bGSBEGFkbWluQGRvbWFpbi50bGQwJwYJKwYBBAGCNxkCBBoMGEFCQ0RF
-LTEyOTgyNC11c2F1MDhhZXU4MDCBvAYDVR0gBIG0MIGxMAUGAyoDBDAGBgQtBgcI
-MIGfBgMrBQgwgZcwJwYIKwYBBQUHAgEWG2h0dHA6Ly9teS5ob3N0LmV4YW1wbGUu
-Y29tLzAnBggrBgEFBQcCARYbaHR0cDovL215LnlvdXIuZXhhbXBsZS5jb20vMEMG
-CCsGAQUFBwICMDcwIRoRT3JnYW5pc2F0aW9uIE5hbWUwDAIBAQIBAgIBAwIBBBoS
-RXhwbGljaXQgVGV4dCBIZXJlMA0GCSqGSIb3DQEBCwUAA4GBAKBauPffv/AVKCpw
-bGEo2/dQ9xaZOT6R1zZFDB2IEgOmfgrjAfLXrmO847qG8FfCxsgk20J+3oii4tlA
-zjHz+evUOTDBw+J/wlU8t0wdA7FK8f/XoTPjgHAt1rhOAY5/fPH8K1q0BP8jRaPo
-f/3h1syLV2Jfx+iZFFAtSeGpR0rc
+bWFpbi50bGSBEGFkbWluQGRvbWFpbi50bGQwTAYJKwYBBAGCNxkCBD8wPaA7Bgor
+BgEEAYI3GQIBoC0EK1MtMS01LTIxLTE0NjgwMTI3NTUtODAwNTYxMzE3LTQ1NzQ3
+MzA5OS01MDAwgbwGA1UdIASBtDCBsTAFBgMqAwQwBgYELQYHCDCBnwYDKwUIMIGX
+MCcGCCsGAQUFBwIBFhtodHRwOi8vbXkuaG9zdC5leGFtcGxlLmNvbS8wJwYIKwYB
+BQUHAgEWG2h0dHA6Ly9teS55b3VyLmV4YW1wbGUuY29tLzBDBggrBgEFBQcCAjA3
+MCEaEU9yZ2FuaXNhdGlvbiBOYW1lMAwCAQECAQICAQMCAQQaEkV4cGxpY2l0IFRl
+eHQgSGVyZTANBgkqhkiG9w0BAQsFAAOBgQAcqNf5OV0EBlEePbC3vDlE8RD5Q2ag
+N091c97nS4C+BjsLVyn8are6C3sG6bstw+g9lYzsK/4XIG6q7152lw+1on/ZVZlO
+bOio0O2U4Ff8tZhzoXcFN7YoWZ21Wy419PZsxmsUVE6+nxQjGpUL4l9os4JCsQv8
+WzPXtXemJYLE1w==
 -----END CERTIFICATE-----
diff --git a/src/test/resources/test-certs/ext_domain.tld.csr b/src/test/resources/test-certs/ext_domain.tld.csr
@@ -4,27 +4,27 @@ CgwMVGVzdENvbXBhbnkxMQ8wDQYDVQQLDAZEZXZTZWMxEzARBgNVBAMMCmRvbWFp
 bi50bGQxFDASBgNVBAQMC0xhc3RuYW1lc29uMRYwFAYDVQQqDA1GaXJzdG5hbWVi
 ZXJ0MR8wHQYJKoZIhvcNAQkBFhBhZG1pbkBkb21haW4udGxkMRswGQYDVQRhDBJN
 eSBPcmdhbml6YXRpb24gSUQxGTAXBgNVBAUTEE15IFNlcmlhbCBOdW1iZXIwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQL5HBtyRfuB+2beoP9mtO52bp
-iLAKJUKMZ8lEUlrZyYr2wrj4LWW9nL8WTcSaO5/kxW1ZroBiXI1Y4ae4H/D4z8iK
-eL9QX5XP6BHq/5kKuzDdR6HkzdvBznyLy/uwXeZppGOJ+26fOg99eGqCWQWuoeS6
-TYzwPn+wQ6DkBAxfN3jAG2YTlFNj8b9x/C1nRUtVZV7DNFWOD08WonXxwub9okDd
-XvHdFZLaxeaKEwdSkVJpjZjeSqNPk9O8l4p6yedQ4OeR/Ec/IEqWg1FtAkbkbXA6
-sDe3Xmc2L2UEpe040TJu29lcqQKJ3+eapX5W6EggBNHxVUzbt7ZT12sqb2VuBT0g
-3gEJ+iMNaG6w2yrEKbUe7J14vXGN9w4HnxlCfJ4tcNw00R61NYymGCoVldseFsab
-t34KV176+QVD+lDmFN1bEIc8dJ1tNy+UzSWurvWfLvPQ94sOBLS9AB5ItlPHD+1v
-JkFu2KiZXO3ebUf6T8d7sZAXNMTaxZ4EMgEnZS9CWHQkQ/RpMEKcPSA+f7GIO+DG
-NMglGtOAz8BdruimLnnFkjaSQtGUBXQprXPbvDLdGdtdf/pByEOnPLGRfnbH1jjL
-MDlAkphPBQQ8qz4lX7x1IppdfolgW8ENApCZ+JdhYDpc0ZA4GXJ2Q8cHmgVixLJ8
-bmSxQagpFSTcnXq/AwIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBABI5TdkWzvS7
-hc04wplKGRvRb6YQmWgQDvFJeIzbBQVtZi6bnecyn1DrOp63JRjwv2p8hJ+s11Pz
-KRQf4/JcDBECTEC/6EZoe/R5u36ZxDU8d8D7jVOTavyygg6J2zGu+KjSfS+9nBmK
-4fUE+DbOs5aBzqMNByS7k0iE/JY1tHYCeOczP+QllOgtyZIJFQgzF13iBGxLWnXG
-tZ3y4IgCgk7wdQ+dlKpbS242Z20n4N9MlmrD4Q1/XuX3bVzGQizz5lNbQBUuSbC6
-XdKDfRgw8WQ1EquoFtf0MRdarJSPlLJhdL41F4cF+49D6ErYKHbdcOMgyABDRW7m
-2pSOC6lXdfYY531ALxH4U7aVH3frp/SvmPEgqJMyGETURO4U170EXbmfvgctCNMS
-eenyK9mUVr6TqwM7q36cO1IaBAvIPdMd0RbKC0073xf/5oVkUg3VJwbRHpl3mjxl
-MKBTEGJxi0+mW8rOP+qH/Q+dSWnsbbfkOpLQ0hL13QO9b9j6flLHq+O/lvXryMwd
-3Vx02NPh7WKgnTZ8AaIj9cKyOur28FMsQnaX9y1ntehS+rmpTpV84ql9hkRIm90j
-2qyAAcuRH1ipfCH/DtWG9Nv4OvWGWp0Z+uQr++GsyXARq2zI9XA6D4kFktpI/ri7
-TyarPcKI8l923YVFNsOJiGV/BziHfs0i
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDFlE1uNwYZSVSumjNXbSNUCI88
+NBoh0TYeTaZ9CZrfz/iyxer57xUKDQNAE0PXSDZGkv5ED77zRzqzh7Pwlb75Qo0M
+p+cRCUvVtQzTmqOcrkAxgOIOCoDB6JXYGrhKdHqEj3fnBYpreqoPXnFgvTRKVnnN
+u19FLlgI8xCT96DAsR073lZNM1wdWcgc7zQZljqlJj+OA7X/ndq2wKp6SdaGpeGv
+ZQVA/h5bkKRD7Scbkh+RTjdsoV0iijtTBvAMYJQHXs1c3qoo71IfMe75qhEXsjPW
+1YVzTUMU7vXvTUr71KPLNd6ZBxGIEY+bbFv+lBU8oCZnWCJnA4JnNilamgh8dHmj
+p0SM2/km7iF0HMucbbC9IKrJPRuWcmptQgKyo35NyZTUnnFa8ZNSG9JGjNnhjXW7
+0oQzHyZISNuMnF3EO46LLmdLg9RP34UfZK8jDUMhkocHusBKKTwvjb4PuOlIPiPd
+SFSNsO30Bk0b74SjMFcUEBQwJMXLFJT3embfPgBceZ8x0Q7VC8Lg5RG/eSmAESC9
+VWFWnoeSknF1bsMpnBVNYtyc7EGSdsw//SBZXXUowv5cy9ILyqgOcnrBLWiGQfro
+fSyxUhYw735mtZxG0xby0IGxiN9LS6A1eMc5v+KhJG2e5R52A5Ik64ciusXj4gD+
+NOl+hussRlAl6B8LJQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAAIKllSmJX2S
+J2AUfSP5LSAneU5jF+HcaclsPMZQ5gX4VHenHNuDGVmgTYvV6WfE9cPop0UWbk1E
+D/PgWnptOJF8wW4Xlgiqxo5Hd/+qvHUYFm50F9hrQuu41jp/o6z2vhAqt8DJUnKO
+c0y8//jZtKkjgbhX+S7EjN7ZMQvGpEdObNVKiZUAAaQzlOsQ8/NQVWFNAN205ZRz
+WA63hEraV+hZCncChZNs4ewMYlzBFOW+Kq1OKL5LHJXw6Z04pLyE7pZMPpZNcOgK
+wbsIxx2h/J/OinighRwjUQ8uGh/qa7m8HtN4LoJKmipwvzPWVq/yNb9c8TKxzvke
+9pbA0dbIYHem9VnIz5s5UoRFYNzsaypWHTpfckxbOOyfN+eCx3FVwtulHwPfysgT
+uqufRVSF/f7cR9CEZv2uSey9tZwRT5zz3psYU7afneecN3bGkE6y7EhcJLWDNz0B
+MeU5aqxZ6FpbNqTGmqxnZiKLS2jRzy7b2yljRLhUU7Q7+rhU+fYNNLV18Zt4O80z
+NxvOitO1pbWCnZotunrvl/U71y8e6jIHnswP7y3bVU2U1+BV3lJJZF2Sx6N5sDdF
+uYoMRqSfpSzFfsQuZ6Pt2M1ifMWLTMmbVfAmvbrR+J0ce2gypaqtXCAmqR8GbM2X
+VsPhj0EqmxGSSD3gae236AEok7Df1ygg
 -----END CERTIFICATE REQUEST-----
diff --git a/src/test/resources/test-certs/ext_domain.tld.pem b/src/test/resources/test-certs/ext_domain.tld.pem
@@ -1,38 +1,39 @@
 -----BEGIN CERTIFICATE-----
-MIIGoTCCBgqgAwIBAgIUMUhzg30jvKYpTR8BCJw9QbY1N6owDQYJKoZIhvcNAQEL
+MIIGxjCCBi+gAwIBAgIUMUhzg30jvKYpTR8BCJw9QbY1N6wwDQYJKoZIhvcNAQEL
 BQAwgY0xCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UEBwwHU2hp
 YnV5YTEVMBMGA1UECgwMVGVzdENvbXBhbnkxMQ8wDQYDVQQLDAZEZXZTZWMxEzAR
 BgNVBAMMCmRvbWFpbi50bGQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGRvbWFpbi50
-bGQwHhcNMjMwNzIyMDUzODQ1WhcNMzMwNzE5MDUzODQ1WjCB3jELMAkGA1UEBhMC
+bGQwHhcNMjMwNzI0MDM0MTE2WhcNMzMwNzIxMDM0MTE2WjCB3jELMAkGA1UEBhMC
 VVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQKDAxUZXN0Q29tcGFueTExDzANBgNVBAsM
 BkRldlNlYzETMBEGA1UEAwwKZG9tYWluLnRsZDEUMBIGA1UEBAwLTGFzdG5hbWVz
 b24xFjAUBgNVBCoMDUZpcnN0bmFtZWJlcnQxHzAdBgkqhkiG9w0BCQEWEGFkbWlu
 QGRvbWFpbi50bGQxGzAZBgNVBGEMEk15IE9yZ2FuaXphdGlvbiBJRDEZMBcGA1UE
 BRMQTXkgU2VyaWFsIE51bWJlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBANAvkcG3JF+4H7Zt6g/2a07nZumIsAolQoxnyURSWtnJivbCuPgtZb2cvxZN
-xJo7n+TFbVmugGJcjVjhp7gf8PjPyIp4v1Bflc/oEer/mQq7MN1HoeTN28HOfIvL
-+7Bd5mmkY4n7bp86D314aoJZBa6h5LpNjPA+f7BDoOQEDF83eMAbZhOUU2Pxv3H8
-LWdFS1VlXsM0VY4PTxaidfHC5v2iQN1e8d0VktrF5ooTB1KRUmmNmN5Ko0+T07yX
-inrJ51Dg55H8Rz8gSpaDUW0CRuRtcDqwN7deZzYvZQSl7TjRMm7b2VypAonf55ql
-flboSCAE0fFVTNu3tlPXaypvZW4FPSDeAQn6Iw1obrDbKsQptR7snXi9cY33Dgef
-GUJ8ni1w3DTRHrU1jKYYKhWV2x4Wxpu3fgpXXvr5BUP6UOYU3VsQhzx0nW03L5TN
-Ja6u9Z8u89D3iw4EtL0AHki2U8cP7W8mQW7YqJlc7d5tR/pPx3uxkBc0xNrFngQy
-ASdlL0JYdCRD9GkwQpw9ID5/sYg74MY0yCUa04DPwF2u6KYuecWSNpJC0ZQFdCmt
-c9u8Mt0Z211/+kHIQ6c8sZF+dsfWOMswOUCSmE8FBDyrPiVfvHUiml1+iWBbwQ0C
-kJn4l2FgOlzRkDgZcnZDxweaBWLEsnxuZLFBqCkVJNyder8DAgMBAAGjggIlMIIC
-ITAdBgNVHQ4EFgQUENM9oOPqPY4/FkUNfmWrCwBfSmYwgawGA1UdIwSBpDCBoaGB
+ggIBAMWUTW43BhlJVK6aM1dtI1QIjzw0GiHRNh5Npn0Jmt/P+LLF6vnvFQoNA0AT
+Q9dINkaS/kQPvvNHOrOHs/CVvvlCjQyn5xEJS9W1DNOao5yuQDGA4g4KgMHoldga
+uEp0eoSPd+cFimt6qg9ecWC9NEpWec27X0UuWAjzEJP3oMCxHTveVk0zXB1ZyBzv
+NBmWOqUmP44Dtf+d2rbAqnpJ1oal4a9lBUD+HluQpEPtJxuSH5FON2yhXSKKO1MG
+8AxglAdezVzeqijvUh8x7vmqEReyM9bVhXNNQxTu9e9NSvvUo8s13pkHEYgRj5ts
+W/6UFTygJmdYImcDgmc2KVqaCHx0eaOnRIzb+SbuIXQcy5xtsL0gqsk9G5Zyam1C
+ArKjfk3JlNSecVrxk1Ib0kaM2eGNdbvShDMfJkhI24ycXcQ7josuZ0uD1E/fhR9k
+ryMNQyGShwe6wEopPC+Nvg+46Ug+I91IVI2w7fQGTRvvhKMwVxQQFDAkxcsUlPd6
+Zt8+AFx5nzHRDtULwuDlEb95KYARIL1VYVaeh5KScXVuwymcFU1i3JzsQZJ2zD/9
+IFlddSjC/lzL0gvKqA5yesEtaIZB+uh9LLFSFjDvfma1nEbTFvLQgbGI30tLoDV4
+xzm/4qEkbZ7lHnYDkiTrhyK6xePiAP406X6G6yxGUCXoHwslAgMBAAGjggJKMIIC
+RjAdBgNVHQ4EFgQUFSUhCTeuapm9t4xuguiVR2+LN1YwgawGA1UdIwSBpDCBoaGB
 k6SBkDCBjTELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdT
 aGlidXlhMRUwEwYDVQQKDAxUZXN0Q29tcGFueTExDzANBgNVBAsMBkRldlNlYzET
 MBEGA1UEAwwKZG9tYWluLnRsZDEfMB0GCSqGSIb3DQEJARYQYWRtaW5AZG9tYWlu
 LnRsZIIJAK63akw9RjGgMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
 AQYIKwYBBQUHAwIwPQYDVR0RBDYwNKAgBgorBgEEAYI3FAIDoBIMEGFkbWluQGRv
-bWFpbi50bGSBEGFkbWluQGRvbWFpbi50bGQwJwYJKwYBBAGCNxkCBBoMGEFCQ0RF
-LTEyOTgyNC11c2F1MDhhZXU4MDCBvAYDVR0gBIG0MIGxMAUGAyoDBDAGBgQtBgcI
-MIGfBgMrBQgwgZcwJwYIKwYBBQUHAgEWG2h0dHA6Ly9teS5ob3N0LmV4YW1wbGUu
-Y29tLzAnBggrBgEFBQcCARYbaHR0cDovL215LnlvdXIuZXhhbXBsZS5jb20vMEMG
-CCsGAQUFBwICMDcwIRoRT3JnYW5pc2F0aW9uIE5hbWUwDAIBAQIBAgIBAwIBBBoS
-RXhwbGljaXQgVGV4dCBIZXJlMA0GCSqGSIb3DQEBCwUAA4GBAKBauPffv/AVKCpw
-bGEo2/dQ9xaZOT6R1zZFDB2IEgOmfgrjAfLXrmO847qG8FfCxsgk20J+3oii4tlA
-zjHz+evUOTDBw+J/wlU8t0wdA7FK8f/XoTPjgHAt1rhOAY5/fPH8K1q0BP8jRaPo
-f/3h1syLV2Jfx+iZFFAtSeGpR0rc
+bWFpbi50bGSBEGFkbWluQGRvbWFpbi50bGQwTAYJKwYBBAGCNxkCBD8wPaA7Bgor
+BgEEAYI3GQIBoC0EK1MtMS01LTIxLTE0NjgwMTI3NTUtODAwNTYxMzE3LTQ1NzQ3
+MzA5OS01MDAwgbwGA1UdIASBtDCBsTAFBgMqAwQwBgYELQYHCDCBnwYDKwUIMIGX
+MCcGCCsGAQUFBwIBFhtodHRwOi8vbXkuaG9zdC5leGFtcGxlLmNvbS8wJwYIKwYB
+BQUHAgEWG2h0dHA6Ly9teS55b3VyLmV4YW1wbGUuY29tLzBDBggrBgEFBQcCAjA3
+MCEaEU9yZ2FuaXNhdGlvbiBOYW1lMAwCAQECAQICAQMCAQQaEkV4cGxpY2l0IFRl
+eHQgSGVyZTANBgkqhkiG9w0BAQsFAAOBgQAcqNf5OV0EBlEePbC3vDlE8RD5Q2ag
+N091c97nS4C+BjsLVyn8are6C3sG6bstw+g9lYzsK/4XIG6q7152lw+1on/ZVZlO
+bOio0O2U4Ff8tZhzoXcFN7YoWZ21Wy419PZsxmsUVE6+nxQjGpUL4l9os4JCsQv8
+WzPXtXemJYLE1w==
 -----END CERTIFICATE-----