
crypto: add cert check issued by StartCom/WoSign

When a TLS client connects to a server whose certificate is issued by
either StartCom or WoSign, as listed in StartComAndWoSignData.inc, check
the notBefore of the server certificate and return a CERT_REVOKED error if
it is after 00:00:00 on October 21, 2016.

See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132

Fixes: https://github.com/nodejs/node/issues/9434
PR-URL: https://github.com/nodejs/node/pull/9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
v4.x
Shigeki Ohtsu 8 years ago
committed by Myles Borins
parent
commit
c6f6b029a1
  1. 89
      src/StartComAndWoSignData.inc
  2. 44
      src/node_crypto.cc
  3. 68
      test/fixtures/keys/Makefile
  4. 20
      test/fixtures/keys/agent8-cert.pem
  5. 17
      test/fixtures/keys/agent8-csr.pem
  6. 27
      test/fixtures/keys/agent8-key.pem
  7. 17
      test/fixtures/keys/agent8.cnf
  8. 20
      test/fixtures/keys/agent9-cert.pem
  9. 17
      test/fixtures/keys/agent9-csr.pem
  10. 27
      test/fixtures/keys/agent9-key.pem
  11. 17
      test/fixtures/keys/agent9.cnf
  12. 22
      test/fixtures/keys/fake-startcom-root-cert.pem
  13. 18
      test/fixtures/keys/fake-startcom-root-csr.pem
  14. 2
      test/fixtures/keys/fake-startcom-root-database.txt
  15. 1
      test/fixtures/keys/fake-startcom-root-database.txt.attr
  16. 1
      test/fixtures/keys/fake-startcom-root-database.txt.attr.old
  17. 1
      test/fixtures/keys/fake-startcom-root-database.txt.old
  18. 20
      test/fixtures/keys/fake-startcom-root-issued-certs/01.pem
  19. 20
      test/fixtures/keys/fake-startcom-root-issued-certs/02.pem
  20. 27
      test/fixtures/keys/fake-startcom-root-key.pem
  21. 1
      test/fixtures/keys/fake-startcom-root-serial
  22. 1
      test/fixtures/keys/fake-startcom-root-serial.old
  23. 46
      test/fixtures/keys/fake-startcom-root.cnf
  24. 91
      test/parallel/test-tls-startcom-wosign-whitelist.js

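--- a/src/StartComAndWoSignData.inc
+++ b/src/StartComAndWoSignData.inc
@@ -0,0 +1,89 @@
+// /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
+// Using a consistent naming convention, this would actually be called
+// 'CA沃通根证书DN', but since GCC 6.2.1 apparently can't handle UTF-8
+// identifiers, this will have to do.
+static const uint8_t CAWoSignRootDN[72] = {
+0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x0C, 0x12, 0x43, 0x41, 0x20, 0xE6, 0xB2, 0x83, 0xE9, 0x80, 0x9A, 0xE6, 0xA0,
+0xB9, 0xE8, 0xAF, 0x81, 0xE4, 0xB9, 0xA6,
+};
+// /C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root
+static const uint8_t CAWoSignECCRootDN[72] = {
+0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x12, 0x43, 0x41, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x45,
+0x43, 0x43, 0x20, 0x52, 0x6F, 0x6F, 0x74,
+};
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+static const uint8_t CertificationAuthorityofWoSignDN[87] = {
+0x30, 0x55, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x2A, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x21, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E,
+};
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2
+static const uint8_t CertificationAuthorityofWoSignG2DN[90] = {
+0x30, 0x58, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x24, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x47, 0x32,
+};
+// /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
+static const uint8_t StartComCertificationAuthorityDN[127] = {
+0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x22, 0x53, 0x65,
+0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6C, 0x20,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53,
+0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55,
+0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
+0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79,
+};
+// /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+static const uint8_t StartComCertificationAuthorityG2DN[85] = {
+0x30, 0x53, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74,
+0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F,
+0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
+};
+struct DataAndLength {
+const uint8_t* data;
+uint32_t len;
+};
+static const DataAndLength StartComAndWoSignDNs[]= {
+{ CAWoSignRootDN,
+sizeof(CAWoSignRootDN) },
+{ CAWoSignECCRootDN,
+sizeof(CAWoSignECCRootDN) },
+{ CertificationAuthorityofWoSignDN,
+sizeof(CertificationAuthorityofWoSignDN) },
+{ CertificationAuthorityofWoSignG2DN,
+sizeof(CertificationAuthorityofWoSignG2DN) },
+{ StartComCertificationAuthorityDN,
+sizeof(StartComCertificationAuthorityDN) },
+{ StartComCertificationAuthorityG2DN,
+sizeof(StartComCertificationAuthorityG2DN) },
+};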

44
src/node_crypto.cc

@ -17,6 +17,10 @@
// https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/ // https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/
// certverifier/CNNICHashWhitelist.inc // certverifier/CNNICHashWhitelist.inc
#include "CNNICHashWhitelist.inc" #include "CNNICHashWhitelist.inc"
// StartCom and WoSign root CA list is taken from
// https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/
// StartComAndWoSignData.inc
#include "StartComAndWoSignData.inc"
#include <errno.h> #include <errno.h>
#include <limits.h> // INT_MAX #include <limits.h> // INT_MAX
@ -2677,9 +2681,40 @@ inline X509* FindRoot(STACK_OF(X509)* sk) {
} }
// Whitelist check for certs issued by CNNIC. See inline bool CertIsStartComOrWoSign(X509_NAME* name) {
const unsigned char* startcom_wosign_data;
X509_NAME* startcom_wosign_name;
for (const auto& dn : StartComAndWoSignDNs) {
startcom_wosign_data = dn.data;
startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
dn.len);
if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
return true;
}
return false;
}
// Revoke the certificates issued by StartCom or WoSign that has
// notBefore after 00:00:00 on October 21, 2016 (1477008000 in epoch).
inline bool CheckStartComOrWoSign(X509_NAME* root_name, X509* cert) {
if (!CertIsStartComOrWoSign(root_name))
return true;
time_t october_21_2016 = static_cast<time_t>(1477008000);
if (X509_cmp_time(X509_get_notBefore(cert), &october_21_2016) < 0)
return true;
return false;
}
// Whitelist check for certs issued by CNNIC, StartCom and WoSign. See
// https://blog.mozilla.org/security/2015/04/02 // https://blog.mozilla.org/security/2015/04/02
// /distrusting-new-cnnic-certificates/ // /distrusting-new-cnnic-certificates/ and
// https://blog.mozilla.org/security/2016/10/24/
// distrusting-new-wosign-and-startcom-certificates
inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) { inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
unsigned char hash[CNNIC_WHITELIST_HASH_LEN]; unsigned char hash[CNNIC_WHITELIST_HASH_LEN];
unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN; unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN;
@ -2698,11 +2733,14 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
root_name = X509_get_subject_name(root_cert); root_name = X509_get_subject_name(root_cert);
} }
X509* leaf_cert = sk_X509_value(chain, 0);
if (!CheckStartComOrWoSign(root_name, leaf_cert))
return CHECK_CERT_REVOKED;
// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV // When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist. // ROOT CA, check a hash of its leaf cert if it is in the whitelist.
if (X509_NAME_cmp(root_name, cnnic_name) == 0 || if (X509_NAME_cmp(root_name, cnnic_name) == 0 ||
X509_NAME_cmp(root_name, cnnic_ev_name) == 0) { X509_NAME_cmp(root_name, cnnic_ev_name) == 0) {
X509* leaf_cert = sk_X509_value(chain, 0);
int ret = X509_digest(leaf_cert, EVP_sha256(), hash, int ret = X509_digest(leaf_cert, EVP_sha256(), hash,
&hashlen); &hashlen);
CHECK(ret); CHECK(ret);
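Review bot: `CertIsStartComOrWoSign` leaks one `X509_NAME` per table entry on every call: `d2i_X509_NAME` allocates a fresh name for each DN in `StartComAndWoSignDNs`, nothing calls `X509_NAME_free` on it, and the result is handed to `X509_NAME_cmp` without a nullptr check. Because this runs during every server-certificate verification, the leak grows with connection count; freeing the decoded name right after the comparison (or decoding the six DNs once at startup) fixes it. The include comment at the top of the file points at `file/tip`, a moving target, whereas the CNNIC list just above pins a revision; pinning the revision here too keeps the copied DER auditable. `CertIsStartComOrWoSign` and `CheckStartComOrWoSign` sit entirely inside the hunk; `CheckWhitelistedServerCert` continues outside it.
```cpp
inline bool CertIsStartComOrWoSign(X509_NAME* name) {
  for (const auto& dn : StartComAndWoSignDNs) {
    const unsigned char* startcom_wosign_data = dn.data;
    X509_NAME* startcom_wosign_name =
        d2i_X509_NAME(nullptr, &startcom_wosign_data, dn.len);
    // The table is compiled-in constant data; a decode failure means the
    // table itself is corrupt, not that the peer sent something odd.
    CHECK(startcom_wosign_name != nullptr);
    const int cmp = X509_NAME_cmp(name, startcom_wosign_name);
    X509_NAME_free(startcom_wosign_name);
    if (cmp == 0)
      return true;
  }
  return false;
}
```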

68
test/fixtures/keys/Makefile

@ -57,6 +57,20 @@ fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
-out fake-cnnic-root-cert.pem \ -out fake-cnnic-root-cert.pem \
-config fake-cnnic-root.cnf -config fake-cnnic-root.cnf
#
# Create Fake StartCom Root Certificate Authority: fake-startcom-root
#
fake-startcom-root-key.pem:
openssl genrsa -out fake-startcom-root-key.pem 2048
fake-startcom-root-cert.pem: fake-startcom-root.cnf \
fake-startcom-root-key.pem
openssl req -new -x509 -days 9999 -config \
fake-startcom-root.cnf -key fake-startcom-root-key.pem -out \
fake-startcom-root-cert.pem
echo '01' > fake-startcom-root-serial
touch fake-startcom-root-database.txt
# #
# agent1 is signed by ca1. # agent1 is signed by ca1.
# #
@ -254,6 +268,60 @@ agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem
#
# agent8 is signed by fake-startcom-root with notBefore
# of Oct 20 23:59:59 2016 GMT
#
agent8-key.pem:
openssl genrsa -out agent8-key.pem 2048
agent8-csr.pem: agent8.cnf agent8-key.pem
openssl req -new -config agent8.cnf -key agent8-key.pem \
-out agent8-csr.pem
agent8-cert.pem: agent8-csr.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 9999 \
-passin "pass:password" \
-in agent8-csr.pem \
-startdate 20161020235959Z \
-notext -out agent8-cert.pem
agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
openssl verify -CAfile fake-startcom-root-cert.pem \
agent8-cert.pem
#
# agent9 is signed by fake-startcom-root with notBefore
# of Oct 21 00:00:01 2016 GMT
#
agent9-key.pem:
openssl genrsa -out agent9-key.pem 2048
agent9-csr.pem: agent9.cnf agent9-key.pem
openssl req -new -config agent9.cnf -key agent9-key.pem \
-out agent9-csr.pem
agent9-cert.pem: agent9-csr.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 9999 \
-passin "pass:password" \
-in agent9-csr.pem \
-startdate 20161021000001Z \
-notext -out agent9-cert.pem
ec-key.pem: ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1 openssl ecparam -genkey -out ec-key.pem -name prime256v1
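Review bot: agent9 gets no verify target while agent8 does (`agent8-verify` follows `agent8-cert.pem`), so the second hunk leaves the pair asymmetric and the revoked-side fixture has no quick sanity check against its root. Adding `agent9-verify: agent9-cert.pem fake-startcom-root-cert.pem` with the recipe `openssl verify -CAfile fake-startcom-root-cert.pem agent9-cert.pem` after the `agent9-cert.pem` rule mirrors agent8. The `-startdate` values `20161020235959Z` and `20161021000001Z` are the whole point of these fixtures; a one-line comment next to each stating that they straddle the 1477008000 cutoff used in `node_crypto.cc` would keep the two in step if either is ever regenerated.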

20
test/fixtures/keys/agent8-cert.pem

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

17
test/fixtures/keys/agent8-csr.pem

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

27
test/fixtures/keys/agent8-key.pem

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJqLK7fRpxR+f0PdQ9WJaj
DEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F9TIlkd4yt9Od0qE98yIo
uDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYNN/OESf38A8Tfuvh3ALUn
7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFBii3V8Th5niPtpIsRF6Qh
wh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+UC1gnDL0j9SzojXQu31kX
s8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQABAoIBAHHp5KdT3Ht4XQfm
aDEXLGp3qhtzQDuTIWnQjZj5Z3Ax4wMmhbsF6tcY/Y1LjldjJL5QaGE/VMstWQRX
Tr4HnXCIJW/iZI2p+Qean4XXr0QgWhcI2VYHDuFWHiTpYogW7WlV/YfDooqU6n12
BxfWStaL5L5bd9dbe8ZlJqVqN2iISfqGNIz9YKM04rHycTcicNmf0J0smkHlnHJE
ROQR73IXjDDOmkwdG75qyGRBQ0j0KEDu//n1axcOKf48F+8BQk2PFMq+RhkGGqJD
zTQK3kB33HRWeNWbykLPzYGcPtSlvaecCTc/q9wbbxh5AFlvSrPz3VzdRHECocM3
v/o2vqECgYEA/uZib1ZYczuihcvLKxo8e/IBNYUKUcyosHDqAmJ5q8Y+Vg35ACfM
mJAhT1SXXAmm2tHuTnztfLDMQAOGVItuf5U8nuJYuWrvhMCtBT40XPeUVPD8b2D1
9y5EipiB7huH8kMb1aAPUNgQhmqT93+4qcGf6PcNTkk6uHCCXFZEc7UCgYEAzyk1
/T+Ah3p9+c1s+AjqkWj3Qa9lOKclJOT2O88AG+4fGQhSdUvkLDAMX3L6ri3gVZzr
wH3DJIwJx1uCW4eNJFVmh8AyP4SkfzQp1FqsIzBMQuPz6Hqtclh/UPx1yOe3NseO
xVM6Z5RbOOWyDaWxxbQHZnHkqSKcTB8K1lJ/XkkCgYAaStlMcrOc70HMW0ERqRsk
DcpiIt71oQ6lZIA+zrmOJly3s6lDgtdvxS4qaKdULwqu94iFQA2fFv16fOKWReuX
7WTbXq2YMpeSMe2m5Mux6ze5q0HemznDzVn0kdaVIPHc418zodbyl9bchpHMrbf2
iqpb9V/B+3u7Gp/Xtm5JIQKBgBFrjr2wBFfgJg3Gh35ICamWoQwl+qYL8CStGEOp
QYIXwQey2nRAoHxSwgeYvJm/A9lPK8fxC2LcX8oi2NBnkqfWgpuxvsf2mHqV4VqZ
EVaYLiGF17HZ9xHhfTtLL4Boc9CocUoImKWzJQSg1BsvrsZIQEMOGsNaRLhl99xT
7Z/5AoGBAIxgzOGLVVrIv8vRc4YouPf0OGBmUawnEZxYVD1Mo4Tt97XjxH93B1iz
hof62zDCL7WEdKuwnOs1towBmLjC7qrAbkUgNVYmI5sG9c8+1NKClTOJGsHHiMLF
n8GxnsNU5FVTmJ/PZfOU+eru7uDYZHTkii0tkaHWUzg13pkhka5E
-----END RSA PRIVATE KEY-----

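--- a/test/fixtures/keys/agent8.cnf
+++ b/test/fixtures/keys/agent8.cnf
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = SF
+O = NODEJS
+OU = agent8
+CN = localhost
+[ req_attributes ]
+challengePassword = A challenge password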

20
test/fixtures/keys/agent9-cert.pem

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

17
test/fixtures/keys/agent9-csr.pem

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

27
test/fixtures/keys/agent9-key.pem

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

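--- a/test/fixtures/keys/agent9.cnf
+++ b/test/fixtures/keys/agent9.cnf
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = SF
+O = NODEJS
+OU = agent9
+CN = localhost
+[ req_attributes ]
+challengePassword = A challenge password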

22
test/fixtures/keys/fake-startcom-root-cert.pem

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

18
test/fixtures/keys/fake-startcom-root-csr.pem

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

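--- a/test/fixtures/keys/fake-startcom-root-database.txt
+++ b/test/fixtures/keys/fake-startcom-root-database.txt
@@ -0,0 +1,2 @@
+V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost
+V 440321100702Z 02 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent9/CN=localhost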

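--- a/test/fixtures/keys/fake-startcom-root-database.txt.attr
+++ b/test/fixtures/keys/fake-startcom-root-database.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes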

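--- a/test/fixtures/keys/fake-startcom-root-database.txt.attr.old
+++ b/test/fixtures/keys/fake-startcom-root-database.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes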

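--- a/test/fixtures/keys/fake-startcom-root-database.txt.old
+++ b/test/fixtures/keys/fake-startcom-root-database.txt.old
@@ -0,0 +1 @@
+V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost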

20
test/fixtures/keys/fake-startcom-root-issued-certs/01.pem

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

20
test/fixtures/keys/fake-startcom-root-issued-certs/02.pem

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDUDCCAjgCAQIwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV
BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp
ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g
QXV0aG9yaXR5MCAYDzIwMTYxMDIxMDAwMDAxWhcNNDQwMzIxMTAwNzAyWjBdMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO
T0RFSlMxDzANBgNVBAsTBmFnZW50OTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o
33/iaiXWzBOKMJp7jxCWAg6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2x
TKGVOQK4jxX23wJlrn5mDk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7Vnga
bkqDd9o3ZF7bOq7mMQvfDzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+
4N2hN2scDZvRBx5aQAtnXRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc2
0yA4aSVfoW7NlqsnvrTOV4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQAB
MA0GCSqGSIb3DQEBCwUAA4IBAQCMjKFycVQh7Puz/FpQh3NhJ99Ic3rzr+3nAKFD
4Kcl3L8szH3zjLCw46/y2jqPiAbg2zg9miYkI/2W/G+m2VQEQvp2SwjVr/Rj2Soe
iTonruUpDFF7LG01q3kpZ7nYWRGvVgn5D9BGk4/SWuzxiWRdwlzJf2e8cXLExVS0
0CgRsb5nRoZ+RZmVIrGMfIi8CI7uTlcHtQzD7B7gpHtOSMlQoSSeqOy6F498duvl
QhhQhJBxmjSegw/lawWQSDFArJimK/rwyb6ZFbRfBgg6o/k5W9G5l0oG5abQMp+/
u8Fd+QUNwR6OovE0AqL6wNHCnqzNnihTL6/hRVer6i5Hfxmb
-----END CERTIFICATE-----

27
test/fixtures/keys/fake-startcom-root-key.pem

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

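--- a/test/fixtures/keys/fake-startcom-root-serial
+++ b/test/fixtures/keys/fake-startcom-root-serial
@@ -0,0 +1 @@
+03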

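--- a/test/fixtures/keys/fake-startcom-root-serial.old
+++ b/test/fixtures/keys/fake-startcom-root-serial.old
@@ -0,0 +1 @@
+02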

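--- a/test/fixtures/keys/fake-startcom-root.cnf
+++ b/test/fixtures/keys/fake-startcom-root.cnf
@@ -0,0 +1,46 @@
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+dir = .
+name_opt = CA_default
+cert_opt = CA_default
+default_crl_days = 999
+default_md = sha256
+database = fake-startcom-root-database.txt
+serial = fake-startcom-root-serial
+private_key = fake-startcom-root-key.pem
+certificate = fake-startcom-root-cert.pem
+new_certs_dir = fake-startcom-root-issued-certs
+email_in_dn = no
+policy = policy_anything
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = password
+x509_extensions = v3_ca
+[ req_distinguished_name ]
+C = IL
+O = StartCom Ltd.
+OU = Secure Digital Certificate Signing
+CN = StartCom Certification Authority
+[ req_attributes ]
+challengePassword = A challenge password
+[ v3_ca ]
+basicConstraints = CA:TRUE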

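--- a/test/parallel/test-tls-startcom-wosign-whitelist.js
+++ b/test/parallel/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,91 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+if (!common.hasCrypto) {
+common.skip('missing crypto');
+return;
+}
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+let finished = 0;
+function filenamePEM(n) {
+return path.join(common.fixturesDir, 'keys', n + '.pem');
+}
+function loadPEM(n) {
+return fs.readFileSync(filenamePEM(n));
+}
+const testCases = [
+{ // agent8 is signed by fake-startcom-root with notBefore of
+// Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
+serverOpts: {
+key: loadPEM('agent8-key'),
+cert: loadPEM('agent8-cert')
+},
+clientOpts: {
+ca: loadPEM('fake-startcom-root-cert'),
+port: undefined,
+rejectUnauthorized: true
+},
+errorCode: 'CERT_OK'
+},
+{ // agent9 is signed by fake-startcom-root with notBefore of
+// Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
+serverOpts: {
+key: loadPEM('agent9-key'),
+cert: loadPEM('agent9-cert')
+},
+clientOpts: {
+ca: loadPEM('fake-startcom-root-cert'),
+port: undefined,
+rejectUnauthorized: true
+},
+errorCode: 'CERT_REVOKED'
+}
+];
+function runNextTest(server, tindex) {
+server.close(function() {
+finished++;
+runTest(tindex + 1);
+});
+}
+function runTest(tindex) {
+const tcase = testCases[tindex];
+if (!tcase) return;
+const server = tls.createServer(tcase.serverOpts, function(s) {
+s.resume();
+}).listen(0, function() {
+tcase.clientOpts.port = this.address().port;
+const client = tls.connect(tcase.clientOpts);
+client.on('error', function(e) {
+assert.strictEqual(e.code, tcase.errorCode);
+runNextTest(server, tindex);
+});
+client.on('secureConnect', function() {
+// agent8 can pass StartCom/WoSign check so that the secureConnect
+// is established.
+assert.strictEqual(tcase.errorCode, 'CERT_OK');
+client.end();
+runNextTest(server, tindex);
+});
+});
+}
+runTest(0);
+process.on('exit', function() {
+assert.strictEqual(finished, testCases.length);
+});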
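Review bot: The callbacks in `runTest` are not wrapped in `common.mustCall`, so a case in which neither `error` nor `secureConnect` fires only shows up as a hung test followed by the `finished` mismatch on exit, rather than naming the handler that never ran. Wrapping the `listen` callback in `common.mustCall` and, per case, registering the one handler that is expected to fire (`error` for `CERT_REVOKED`, `secureConnect` for `CERT_OK`) with `common.mustCall` and the other with `common.mustNotCall()`-style failure pins the expected path without the hand-rolled counter. `'CERT_OK'` is a sentinel the client never emits as an error code; a short comment on the `testCases` entry saying so would stop a reader from looking it up in OpenSSL. A third case whose root is not in the StartCom/WoSign list but whose leaf has a post-cutoff notBefore would also confirm the date check is gated on the issuer DN rather than applied to every certificate.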