zmap · mtgag · Feb 4, 2020 · Feb 4, 2020 · Aug 26, 2020 · Sep 1, 2021
diff --git a/v3/cmd/genTestCerts/go.sum b/v3/cmd/genTestCerts/go.sum
@@ -49,6 +49,7 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -65,6 +66,7 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -85,6 +87,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -93,6 +97,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

diff --git a/v3/go.sum b/v3/go.sum
@@ -51,6 +51,8 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -65,6 +67,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -83,19 +87,27 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

diff --git a/v3/integration/config.json b/v3/integration/config.json
@@ -817,6 +817,7 @@
       "ErrCount": 23
     },
     "e_cab_dv_subject_invalid_values": {},
+    "e_qcstatem_psd2_national_scheme": {},
     "e_aia_must_contain_permitted_access_method": {},
     "e_aia_ocsp_must_have_http_only": {},
     "e_aia_unique_access_locations": {},

diff --git a/v3/integration/small.config.json b/v3/integration/small.config.json
@@ -326,6 +326,7 @@
     "e_incorrect_ku_encoding": {
       "ErrCount": 239
     },
+    "e_qcstatem_psd2_national_scheme": {},
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 29
     },

diff --git a/v3/lints/etsi/lint_qcstatem_psd2_national_scheme.go b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme.go
@@ -0,0 +1,101 @@
+package etsi
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"regexp"
+
+	"github.com/zmap/zcrypto/encoding/asn1"
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type qcStatemPsd2NationalScheme struct{}
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_qcstatem_psd2_national_scheme",
+			Description:   "This lint applies if in a PSD2 certificate (i.e. featuring the PSD2 QcStatement) the subject:organizationIdentifier has a prefix of the form: 2 arbitrary initial characters followed by a colon. In this case it checks that the remainder of the string also fulfills the national scheme syntax.",
+			Citation:      "ETSI TS 119 495, '5.2.1 PSD2 Authorization Number or other recognized identifier'",
+			Source:        lint.EtsiEsi,
+			EffectiveDate: util.EtsiPSD2Date,
+		},
+		Lint: NewQcStatemPsd2NationalScheme,
+	})
+}
+
+func NewQcStatemPsd2NationalScheme() lint.LintInterface {
+	return &qcStatemPsd2NationalScheme{}
+}
+
+func (l *qcStatemPsd2NationalScheme) CheckApplies(c *x509.Certificate) bool {
+	_, isPresent := util.IsQcStatemPresent(c, &util.IdEtsiPsd2Statem)
+	if !isPresent {
+		return false
+	}
+
+	orgId := util.GetSubjectOrgId(c.RawSubject)
+	re := regexp.MustCompile(`^.{2}:`)
+	return re.MatchString(orgId.Value)
+}
+
+func (l *qcStatemPsd2NationalScheme) Execute(c *x509.Certificate) *lint.LintResult {
+
+	orgId := util.GetSubjectOrgId(c.RawSubject)
+	if !orgId.IsPresent {
+		return &lint.LintResult{Status: lint.Error, Details: "missing mandatory subject:OrganizationIdentifier"}
+	}
+	if orgId.ErrorString != "" {
+		return &lint.LintResult{Status: lint.Error, Details: orgId.ErrorString}
+	}
+	if !util.CheckNationalScheme(orgId.Value) {
+		return &lint.LintResult{Status: lint.Error, Details: "invalid format of subject:organizationIdentifier for national scheme"}
+	}
+	errStr, isPresent := util.IsQcStatemPresent(c, &util.IdQcsPkixQCSyntaxV2)
+	if errStr != "" {
+		return &lint.LintResult{Status: lint.Error, Details: "error parsing IdQcsPkixQCSyntaxV2 Qc Statement"}
+	}
+
+	if !isPresent {
+		return &lint.LintResult{Status: lint.Error, Details: "national scheme requires URI in IdQcsPkixQCSyntaxV2 Qc Statement, but this Qc Statement is not present"}
+	}
+	qcs2Generic := util.ParseQcStatem(util.GetQcStatemExtValue(c), util.IdQcsPkixQCSyntaxV2)
+	if qcs2Generic.GetErrorInfo() != "" {
+		return &lint.LintResult{Status: lint.Error, Details: qcs2Generic.GetErrorInfo()}
+	}
+	qcs2 := qcs2Generic.(util.DecodedQcS2)
+	for _, x := range qcs2.Decoded.NameRegAuthorities {
+		if len(x.FullBytes) < 3 { // have at least tag, length, value one byte each
+			continue
+		}
+		if x.FullBytes[0] != 0x86 {
+			continue
+		}
+		var decodedUri string //
+		rest, err := asn1.UnmarshalWithParams(x.FullBytes, &decodedUri, "tag:6")
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: err.Error()}
+		}
+		if len(rest) != 0 {
+			return &lint.LintResult{Status: lint.Error, Details: "Trailing bytes after URI"}
+		}
+		return &lint.LintResult{Status: lint.Pass}
+
+	}
+
+	return &lint.LintResult{Status: lint.Error, Details: "did not find URI element within IdQcsPkixQCSyntaxV2 Qc Statement, which is mandatory for the national scheme format of the subject:organizationIdentifier"}
+}
diff --git a/v3/lints/etsi/lint_qcstatem_psd2_national_scheme_test.go b/v3/lints/etsi/lint_qcstatem_psd2_national_scheme_test.go
@@ -0,0 +1,50 @@
+package etsi
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestQcStatemPsd2NationalScheme(t *testing.T) {
+	m := map[string]lint.LintStatus{
+		"QcStmtPsd2Cert01InvalidRoles.pem":              lint.NA,
+		"QcStmtPsd2Cert02Psd2ExtInvNcaId.pem":           lint.NA,
+		"QcStmtPsd2Cert05Valid.pem":                     lint.NA,
+		"QcStmtPsd2Cert07MissingRoleName.pem":           lint.NA,
+		"QcStmtPsd2Cert08NcaNameMissing.pem":            lint.NA,
+		"QcStmtPsd2Cert09NcaNameZeroLength.pem":         lint.NA,
+		"QcStmtPsd2Cert10RoleNameMissing.pem":           lint.NA,
+		"QcStmtPsd2Cert11RoleNameZeroLength.pem":        lint.NA,
+		"QcStmtPsd2Cert13Psd2ExtNcaIdZeroLength.pem":    lint.NA,
+		"QcStmtPsd2Cert14Valid.pem":                     lint.NA,
+		"QcStmtPsd2Cert16RoleIdAndNameInconsistent.pem": lint.NA,
+		"QcStmtPsd2Cert47MissingUri.pem":                lint.Error,
+		"QcStmtPsd2Cert48LegalPersonSyntaxViolated.pem": lint.NA,
+		"QcStmtPsd2Cert49ValidNationalScheme.pem":       lint.Pass,
+		"EvAltRegNumCert56JurCountryNotMatching.pem":    lint.NA,
+		"EvAltRegNumCert52NoOrgId.pem":                  lint.NA,
+	}
+	for inputPath, expected := range m {
+		out := test.TestLint("e_qcstatem_psd2_national_scheme", inputPath)
+
+		if out.Status != expected {
+			t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+		}
+	}
+}
diff --git a/v3/testdata/EvAltRegNumCert52NoOrgId.pem b/v3/testdata/EvAltRegNumCert52NoOrgId.pem
@@ -0,0 +1,101 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0c:c5:96:7f:f3:7e:ac:5c:b4:e5:d3:89:2d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Test SubCA 2, OU = Test, O = MTG, C = DE
+        Validity
+            Not Before: Nov  1 08:03:01 2019 GMT
+            Not After : Nov  1 08:03:01 2020 GMT
+        Subject: O = MTG, L = Darmstadt, ST = Hessen, C = DE, businessCategory = Private Organization, serialNumber = HRB 123456, jurisdictionC = DE, jurisdictionST = Hessen
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c2:0d:81:71:b4:94:05:bc:cf:99:8a:aa:62:08:
+                    f2:2e:63:b2:1e:46:f9:2b:85:98:c3:83:d0:ce:26:
+                    ad:76:8f:5c:e7:5b:05:20:25:26:32:19:c2:24:8a:
+                    ba:69:a3:eb:ca:10:a4:f3:cf:b5:c6:1e:f6:70:58:
+                    96:5b:88:52:6a:88:42:33:85:b8:c6:16:48:4f:01:
+                    45:39:3f:e1:6a:b9:06:b5:ef:37:db:79:9e:50:90:
+                    57:43:5b:8b:c3:35:0d:b3:41:f4:1b:c2:4a:7f:18:
+                    3c:39:2d:4f:bf:2b:a5:71:07:73:33:00:e5:8d:36:
+                    9e:fe:8f:72:c5:72:56:08:cc:86:b6:ef:ba:e2:fd:
+                    9b:5c:c6:2d:94:ed:2d:64:24:77:e6:67:4d:62:db:
+                    94:2e:29:8e:dd:1d:7a:ca:bc:68:fb:15:2c:80:56:
+                    d3:dd:e7:3a:8f:98:18:14:4b:11:d9:c4:01:1f:b9:
+                    7a:d0:d9:ad:69:11:05:f6:0e:ae:5f:fc:cd:c6:b3:
+                    cb:4d:ae:8e:45:18:0a:a8:c0:40:11:28:dc:cd:9f:
+                    7a:26:67:5a:47:80:9b:d9:4c:f7:da:5f:6d:13:83:
+                    1a:91:92:d1:b9:44:f7:72:6b:97:47:74:71:70:80:
+                    d3:d6:73:bf:76:33:5c:70:b8:6f:87:37:3e:7e:8e:
+                    75:e5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:0C:5E:9C:FE:BA:4B:21:6C:04:1D:C2:5A:B7:E3:88:5F:59:DE:4C:12
+
+            X509v3 Subject Key Identifier: 
+                0E:6B:AA:83:A9:B2:4D:5C:85:CD:B1:D2:2F:87:F7:20:CB:36:43:3B
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Alternative Name: 
+                DNS:www.example.com
+            Authority Information Access: 
+                CA Issuers - URI:http://ca.example.com/ca.crt
+                OCSP - URI:http://ocsp.example.com/ocsp
+
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.1
+                Policy: 1.3.6.1.4.1.7879.13.24.1
+                  CPS: http://www.telesec.de/serverpass/cps.html
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+         2e:c6:ac:44:0a:17:61:4b:bc:98:30:95:86:86:6f:2d:c5:dc:
+         f1:73:91:ac:25:fc:84:61:11:18:a7:6e:ba:23:ff:db:6c:7e:
+         d8:e9:4d:7e:b5:05:2c:4f:7c:75:90:46:da:10:e6:21:4a:ed:
+         aa:77:2a:e2:00:8b:be:d4:28:df:c4:76:8d:4a:db:bb:8d:e8:
+         71:79:09:50:9a:da:ad:aa:6c:26:91:b1:90:df:19:65:15:f8:
+         3c:00:32:ea:d1:25:16:4f:9e:c3:ea:ed:bd:8e:f3:f4:84:5c:
+         98:d2:bb:08:06:12:d3:3c:20:f9:4d:e3:18:f2:57:08:eb:9b:
+         7b:53:3e:9f:12:e5:3a:82:78:b9:13:c2:9f:ce:61:aa:ea:f5:
+         4a:98:cc:f5:0a:3e:e8:bc:e5:1f:92:70:d9:54:47:53:6b:04:
+         7e:dc:53:a8:23:f7:02:16:14:88:a7:1c:9a:aa:78:22:10:52:
+         04:33:0f:1e:eb:59:f5:a0:12:e9:d6:6c:3b:56:68:e5:c5:ba:
+         95:f1:71:33:e9:63:e7:9d:6f:02:69:e7:96:08:f7:47:a9:cc:
+         27:39:0a:ae:71:c4:85:32:9f:f7:20:c3:8e:c8:32:d5:d9:fb:
+         1d:2f:80:e2:1e:13:3e:7c:2a:4a:f3:7d:0e:f5:cd:ee:3d:62:
+         1b:53:db:3e
+-----BEGIN CERTIFICATE-----
+MIIEyTCCA7GgAwIBAgINDMWWf/N+rFy05dOJLTANBgkqhkiG9w0BAQsFADBBMRUw
+EwYDVQQDDAxUZXN0IFN1YkNBIDIxDTALBgNVBAsMBFRlc3QxDDAKBgNVBAoMA01U
+RzELMAkGA1UEBhMCREUwHhcNMTkxMTAxMDgwMzAxWhcNMjAxMTAxMDgwMzAxWjCB
+ojEMMAoGA1UECgwDTVRHMRIwEAYDVQQHDAlEYXJtc3RhZHQxDzANBgNVBAgMBkhl
+c3NlbjELMAkGA1UEBhMCREUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9u
+MRMwEQYDVQQFEwpIUkIgMTIzNDU2MRMwEQYLKwYBBAGCNzwCAQMMAkRFMRcwFQYL
+KwYBBAGCNzwCAQIMBkhlc3NlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMINgXG0lAW8z5mKqmII8i5jsh5G+SuFmMOD0M4mrXaPXOdbBSAlJjIZwiSK
+ummj68oQpPPPtcYe9nBYlluIUmqIQjOFuMYWSE8BRTk/4Wq5BrXvN9t5nlCQV0Nb
+i8M1DbNB9BvCSn8YPDktT78rpXEHczMA5Y02nv6PcsVyVgjMhrbvuuL9m1zGLZTt
+LWQkd+ZnTWLblC4pjt0desq8aPsVLIBW093nOo+YGBRLEdnEAR+5etDZrWkRBfYO
+rl/8zcazy02ujkUYCqjAQBEo3M2feiZnWkeAm9lM99pfbRODGpGS0blE93Jrl0d0
+cXCA09Zzv3YzXHC4b4c3Pn6OdeUCAwEAAaOCAVwwggFYMB8GA1UdIwQYMBaAFAxe
+nP66SyFsBB3CWrfjiF9Z3kwSMB0GA1UdDgQWBBQOa6qDqbJNXIXNsdIvh/cgyzZD
+OzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cu
+ZXhhbXBsZS5jb20wYgYIKwYBBQUHAQEEVjBUMCgGCCsGAQUFBzAChhxodHRwOi8v
+Y2EuZXhhbXBsZS5jb20vY2EuY3J0MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5l
+eGFtcGxlLmNvbS9vY3NwMFkGA1UdIARSMFAwBwYFZ4EMAQEwRQYKKwYBBAG9Rw0Y
+ATA3MDUGCCsGAQUFBwIBFilodHRwOi8vd3d3LnRlbGVzZWMuZGUvc2VydmVycGFz
+cy9jcHMuaHRtbDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZI
+hvcNAQELBQADggEBAC7GrEQKF2FLvJgwlYaGby3F3PFzkawl/IRhERinbroj/9ts
+ftjpTX61BSxPfHWQRtoQ5iFK7ap3KuIAi77UKN/Edo1K27uN6HF5CVCa2q2qbCaR
+sZDfGWUV+DwAMurRJRZPnsPq7b2O8/SEXJjSuwgGEtM8IPlN4xjyVwjrm3tTPp8S
+5TqCeLkTwp/OYarq9UqYzPUKPui85R+ScNlUR1NrBH7cU6gj9wIWFIinHJqqeCIQ
+UgQzDx7rWfWgEunWbDtWaOXFupXxcTPpY+edbwJp55YI90epzCc5Cq5xxIUyn/cg
+w47IMtXZ+x0vgOIeEz58KkrzfQ71ze49YhtT2z4=
+-----END CERTIFICATE-----