Hostname verification (djarek#67)

jens-diewald · web-flow · commit 2d719a9ad79c · 2021-10-13T00:32:57.000+02:00
* Add failing Test

* Fix Testnames in Cmake Config

* Set Servername for OpenSSL in Tests

Makes the wrong hostname test work for system that do not need the native verification

* Set Verification Callback via SSL_CTX_set_verify

Also remove some unnecessary functions in verification_utils.hpp

This fixes hostname verification on systems that use the native implementations

* Update Github Test Chain

Test failed with "self signed certificate in certificate chain in function"

* Silence Conversion Warning size_t-&gt;DWORD

* Add missing openssl includes

* Fix error in appveyor build

X509_STORE_get0_param was only introduced in OpenSSL1.1.0
The Appveyor build uses OpenSSL 1.0.2
Use X509_STORE_CTX_get0_param from within store_ctx instead

* Fix spki digest test

I previously updated the old (expired) Github cert chain,
inadvertently breaking the test.

Re-add it to the fail_chains and adapt the test report_errors.
diff --git a/include/boost/certify/detail/keystore_windows.ipp b/include/boost/certify/detail/keystore_windows.ipp
@@ -96,7 +96,7 @@ BOOST_CERTIFY_DECL std::unique_ptr<::CERT_CONTEXT const, cert_context_deleter>
     if (!CertAddEncodedCertificateToStore(store.get(),
                                           X509_ASN_ENCODING,
                                           buffer.data(),
-                                          buffer.size(),
+                                          static_cast<DWORD>(buffer.size()),
                                           CERT_STORE_ADD_ALWAYS,
                                           &leaf_cert))
         return nullptr;
@@ -110,7 +110,7 @@ BOOST_CERTIFY_DECL std::unique_ptr<::CERT_CONTEXT const, cert_context_deleter>
         if (!CertAddEncodedCertificateToStore(store.get(),
                                               X509_ASN_ENCODING,
                                               buffer.data(),
-                                              buffer.size(),
+                                              static_cast<DWORD>(buffer.size()),
                                               CERT_STORE_ADD_ALWAYS,
                                               nullptr))
             return nullptr;
diff --git a/include/boost/certify/https_verification.hpp b/include/boost/certify/https_verification.hpp
@@ -22,7 +22,7 @@ set_server_hostname(::SSL* handle,
                     system::error_code& ec);
 
 extern "C" inline int
-verify_server_certificates(::X509_STORE_CTX* ctx, void*) noexcept;
+verify_server_certificates(int preverified, X509_STORE_CTX* ctx) noexcept;
 
 } // namespace detail
 } // namespace certify
diff --git a/include/boost/certify/impl/https_verification.ipp b/include/boost/certify/impl/https_verification.ipp
@@ -1,10 +1,11 @@
-#ifndef BOOST_CERTIFY_IMPL_RFC2818_VERIFICATION_IPP
-#define BOOST_CERTIFY_IMPL_RFC2818_VERIFICATION_IPP
+#ifndef BOOST_CERTIFY_IMPL_HTTPS_VERIFICATION_IPP
+#define BOOST_CERTIFY_IMPL_HTTPS_VERIFICATION_IPP
 
 #include <boost/certify/https_verification.hpp>
 
 #include <boost/asio/ip/address.hpp>
-#include <openssl/x509v3.h>
+#include <openssl/ssl.h>
+#include <openssl/x509_vfy.h>
 
 namespace boost
 {
@@ -14,9 +15,9 @@ namespace detail
 {
 
 extern "C" BOOST_CERTIFY_DECL int
-verify_server_certificates(::X509_STORE_CTX* ctx, void*) noexcept
+verify_server_certificates(int preverified, X509_STORE_CTX* ctx) noexcept
 {
-    if (::X509_verify_cert(ctx) == 1)
+    if (preverified == 1)
         return true;
 
     auto const err = ::X509_STORE_CTX_get_error(ctx);
@@ -33,9 +34,8 @@ verify_server_certificates(::X509_STORE_CTX* ctx, void*) noexcept
 }
 
 void
-set_server_hostname(::SSL* handle, string_view hostname, system::error_code& ec)
+set_server_hostname(::X509_VERIFY_PARAM* param, string_view hostname, system::error_code& ec)
 {
-    auto* param = ::SSL_get0_param(handle);
     ::X509_VERIFY_PARAM_set_hostflags(param,
                                       X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
     // TODO(djarek): OpenSSL doesn't report an error here?
@@ -46,16 +46,25 @@ set_server_hostname(::SSL* handle, string_view hostname, system::error_code& ec)
         ec = {};
 }
 
+void
+set_server_hostname(::SSL* handle, string_view hostname, system::error_code& ec)
+{
+    auto* param = ::SSL_get0_param(handle);
+    set_server_hostname(param, hostname, ec);
+}
+
+
 } // namespace detail
 
 BOOST_CERTIFY_DECL void
 enable_native_https_server_verification(asio::ssl::context& context)
 {
-    ::SSL_CTX_set_cert_verify_callback(
-      context.native_handle(), &detail::verify_server_certificates, nullptr);
+    ::SSL_CTX_set_verify(context.native_handle(),
+                         ::SSL_CTX_get_verify_mode(context.native_handle()),
+                         &detail::verify_server_certificates);
 }
 
 } // namespace certify
 } // namespace boost
 
-#endif // BOOST_CERTIFY_IMPL_RFC2818_VERIFICATION_IPP
+#endif // BOOST_CERTIFY_IMPL_HTTPS_VERIFICATION_IPP
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -11,5 +11,5 @@ function (certify_verify_add_test test_file)
              COMMAND ${target_name})
 endfunction(certify_verify_add_test)
 
-certify_verify_add_test(rfc2818_verification_success.cpp)
-certify_verify_add_test(rfc2818_verification_fail.cpp)
+certify_verify_add_test(https_verification_success.cpp)
+certify_verify_add_test(https_verification_fail.cpp)
diff --git a/tests/detail_spki_digest.cpp b/tests/detail_spki_digest.cpp
@@ -9,7 +9,7 @@ main()
     ::SSL_library_init();
 
     auto chain = boost::certify::certificate_chain::from_file(
-      "libs/certify/tests/res/success_chains/github.com.crt");
+      "libs/certify/tests/res/fail_chains/github.com.crt");
 
     std::array<std::array<unsigned char, 32>, 3> const expected = {
       {{{0xa3, 0x9a, 0x1a, 0xe4, 0x5e, 0x0b, 0x6d, 0x91, 0x1f, 0x79, 0x9d,
diff --git a/tests/extras/include/boost/certify/verification_utils.hpp b/tests/extras/include/boost/certify/verification_utils.hpp
@@ -1,9 +1,15 @@
+#ifndef BOOST_CERTIFY_VERIFICATION_UTILS_HPP
+#define BOOST_CERTIFY_VERIFICATION_UTILS_HPP
+
 #include <boost/certify/https_verification.hpp>
 
 #include <boost/asio/ssl/error.hpp>
 #include <boost/filesystem/operations.hpp>
 #include <boost/filesystem/path.hpp>
 #include <boost/system/error_code.hpp>
+#include <boost/utility/string_view.hpp>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
 
 namespace boost
 {
@@ -125,9 +131,6 @@ get_store_ctx_category()
     return instance;
 }
 
-extern "C" inline int
-verify_callback(int preverified, X509_STORE_CTX* ctx);
-
 class store_ctx
 {
 public:
@@ -154,6 +157,8 @@ class store_ctx
                   boost::asio::error::get_ssl_category()};
             boost::throw_exception(system::system_error{ec});
         }
+        ::X509_STORE_CTX_set_verify_cb(handle_.get(),
+                                       &detail::verify_server_certificates);
     }
 
     store_ctx(store_ctx const&) = delete;
@@ -164,25 +169,23 @@ class store_ctx
 
     ~store_ctx() = default;
 
-    template<typename T>
-    void set_verify_callback(T&& t)
+    native_handle_type native_handle() const
     {
-        callback_ = std::forward<T>(t);
-        ::X509_STORE_CTX_set_verify_cb(handle_.get(), &verify_callback);
-        auto const ret =
-          ::X509_STORE_CTX_set_ex_data(handle_.get(), get_ex_index(), this);
-        assert(ret == 1);
+        return handle_.get();
     }
 
-    native_handle_type native_handle() const
+    void set_server_hostname(string_view hostname)
     {
-        return handle_.get();
+        auto* param = ::X509_STORE_CTX_get0_param(handle_.get());
+        system::error_code ec;
+        detail::set_server_hostname(param, hostname, ec);
+        if (ec)
+            boost::throw_exception(system::system_error{ec});
     }
 
     void verify(system::error_code& ec)
     {
-        auto ret =
-          certify::detail::verify_server_certificates(handle_.get(), nullptr);
+        auto ret = ::X509_verify_cert(handle_.get());
         if (ret != 1)
         {
             auto const err = ::X509_STORE_CTX_get_error(handle_.get());
@@ -201,18 +204,6 @@ class store_ctx
     }
 
 private:
-    friend int verify_callback(int preverified, X509_STORE_CTX* ctx);
-
-    static int get_ex_index()
-    {
-        static int const index = []() {
-            return ::X509_STORE_CTX_get_ex_new_index(
-              0, nullptr, nullptr, nullptr, nullptr);
-        }();
-
-        return index;
-    }
-
     struct free
     {
         void operator()(native_handle_type h)
@@ -222,19 +213,8 @@ class store_ctx
     };
 
     std::unique_ptr<::X509_STORE_CTX, free> handle_;
-    std::function<int(bool, boost::asio::ssl::verify_context&)> callback_;
 };
 
-extern "C" inline int
-verify_callback(int preverified, X509_STORE_CTX* ctx)
-{
-    boost::asio::ssl::verify_context verify_ctx{ctx};
-    void* const p = X509_STORE_CTX_get_ex_data(ctx, store_ctx::get_ex_index());
-    BOOST_ASSERT(p != nullptr);
-    auto& sctx = *static_cast<store_ctx*>(p);
-    return sctx.callback_(preverified == 1, verify_ctx);
-}
-
 void
 verify_chain(boost::filesystem::path const& chain_path,
              boost::certify::certificate_store& store,
@@ -245,8 +225,12 @@ verify_chain(boost::filesystem::path const& chain_path,
 
     auto cert_chain = boost::certify::certificate_chain::from_file(chain_path);
     boost::certify::store_ctx ctx{cert_chain, store};
+    ctx.set_server_hostname(chain_path.stem().string());
     ctx.verify(ec);
 }
 
 } // namespace certify
 } // namespace boost
+
+#endif // BOOST_CERTIFY_VERIFICATION_UTILS_HPP
+
diff --git a/tests/res/fail_chains/github.com.crt b/tests/res/fail_chains/github.com.crt
@@ -0,0 +1,93 @@
+Old certificate chain, expired Jun 03, 2020.
+-----BEGIN CERTIFICATE-----
+MIIHQjCCBiqgAwIBAgIQCgYwQn9bvO1pVzllk7ZFHzANBgkqhkiG9w0BAQsFADB1
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
+IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDUwODAwMDAwMFoXDTIwMDYwMzEy
+MDAwMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
+BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
+Ewc1MTU3NTUwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
+A1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRMwEQYD
+VQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xjyq8jyXDDrBTyitcnB90865tWBzpHSbindG/XqYQkzFMBlXmqkzC+FdTRBYyneZ
+w5Pz+XWQvL+74JW6LsWNc2EF0xCEqLOJuC9zjPAqbr7uroNLghGxYf13YdqbG5oj
+/4x+ogEG3dF/U5YIwVr658DKyESMV6eoYV9mDVfTuJastkqcwero+5ZAKfYVMLUE
+sMwFtoTDJFmVf6JlkOWwsxp1WcQ/MRQK1cyqOoUFUgYylgdh3yeCDPeF22Ax8AlQ
+xbcaI+GwfQL1FB7Jy+h+KjME9lE/UpgV6Qt2R1xNSmvFCBWu+NFX6epwFP/JRbkM
+fLz0beYFUvmMgLtwVpEPSwIDAQABo4IDeTCCA3UwHwYDVR0jBBgwFoAUPdNQpdag
+re7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFMnCU2FmnV+rJfQmzQ84mqhJ6kipMCUG
+A1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0
+oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcy
+LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
+dmVyLWcyLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIB
+FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEF
+BQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBS
+BggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
+U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA
+MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY
+BPkb37jjd80OyA3cEAAAAWNBYm0KAAAEAwBHMEUCIQDRZp38cTWsWH2GdBpe/uPT
+Wnsu/m4BEC2+dIcvSykZYgIgCP5gGv6yzaazxBK2NwGdmmyuEFNSg2pARbMJlUFg
+U5UAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAWNBYm0tAAAE
+AwBHMEUCIQCi7omUvYLm0b2LobtEeRAYnlIo7n6JxbYdrtYdmPUWJQIgVgw1AZ51
+vK9ENinBg22FPxb82TvNDO05T17hxXRC2IYAdgC72d+8H4pxtZOUI5eqkntHOFeV
+CqtS6BqQlmQ2jh7RhQAAAWNBYm3fAAAEAwBHMEUCIQChzdTKUU2N+XcqcK0OJYrN
+8EYynloVxho4yPk6Dq3EPgIgdNH5u8rC3UcslQV4B9o0a0w204omDREGKTVuEpxG
+eOQwDQYJKoZIhvcNAQELBQADggEBAHAPWpanWOW/ip2oJ5grAH8mqQfaunuCVE+v
+ac+88lkDK/LVdFgl2B6kIHZiYClzKtfczG93hWvKbST4NRNHP9LiaQqdNC17e5vN
+HnXVUGw+yxyjMLGqkgepOnZ2Rb14kcTOGp4i5AuJuuaMwXmCo7jUwPwfLe1NUlVB
+Kqg6LK0Hcq4K0sZnxE8HFxiZ92WpV2AVWjRMEc/2z2shNoDvxvFUYyY1Oe67xINk
+myQKc+ygSBZzyLnXSFVWmHr3u5dcaaQGGAR42v6Ydr4iL38Hd4dOiBma+FXsXBIq
+WUjbST4VXmdaol7uzFMojA4zkxQDZAvF5XgJlAFadfySna/teik=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
+YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
+uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
+LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
+/Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
+cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
+8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
+Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
+dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
+MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
+b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
+gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
+hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
+4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
+2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
+1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
+oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
+8TUoE6smftX3eg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
++OkuE6N36B9K
+-----END CERTIFICATE-----
diff --git a/tests/res/fail_chains/wrong.host.badssl.com.crt b/tests/res/fail_chains/wrong.host.badssl.com.crt
@@ -0,0 +1,65 @@
+-----BEGIN CERTIFICATE-----
+MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN
+MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
+VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s
+wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn
+n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8
+U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP
+R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn
+hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV
+HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp
+cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t
+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et
+c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh
+LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH
+AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG
+AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
+MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
+cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE
+AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO
+HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7
+SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ
+VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi
+Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s
+GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U
+iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p
+vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG
+9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64
+xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4
+RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te
+uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz
+MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP
+CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----
diff --git a/tests/res/success_chains/github.com.crt b/tests/res/success_chains/github.com.crt
