clean up handling of raw attributes

alandekok · alandekok · commit 9af50e3bd672 · 2025-03-02T21:11:55.000-05:00
we are able to decode mand encode raw options, while keeping the
class and option number.

Pretty much everything else is a gamble. :(

foo
diff --git a/src/protocols/der/decode.c b/src/protocols/der/decode.c
@@ -815,8 +815,18 @@ static ssize_t fr_der_decode_sequence(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_d
 
 				child = fr_dict_attr_child_by_num(parent, current_tag);
 				if (!child) {
+					fr_der_attr_flags_t *child_flags;
+
 					child = fr_dict_attr_unknown_raw_afrom_num(decode_ctx->tmp_ctx, parent, current_tag);
 					if (!child) goto error;
+
+					/*
+					 *	Save the option and class, so that we can encode it later.
+					 */
+					child_flags = fr_dict_attr_ext(child, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC);
+					child_flags->is_option = true;
+					child_flags->option = current_tag;
+					child_flags->class = tag_byte & DER_TAG_CLASS_MASK;
 				}
 
 			} else if (unlikely(current_tag != flags->sequence_of)) {
diff --git a/src/protocols/der/encode.c b/src/protocols/der/encode.c
@@ -1351,17 +1351,10 @@ static ssize_t fr_der_encode_X509_extensions(fr_dbuff_t *dbuff, fr_dcursor_t *cu
 		fr_dbuff_marker(&length_start, &our_dbuff);
 		FR_DBUFF_ADVANCE_RETURN(&our_dbuff, 1);
 
-                /*
-		 *      Encode the data either as raw garbage, or as an OID pair.
-                 */
-               child = fr_dcursor_current(&child_cursor);
-               fr_assert(child != NULL);
-
-               if (child->da->flags.is_raw) {
-		       slen = fr_der_encode_octetstring(&our_dbuff, &child_cursor, encode_ctx);
-               } else {
-                       slen = encode_value(&our_dbuff, &child_cursor, encode_ctx);
-               }
+		/*
+		 *	Encode the data
+		 */
+		slen = encode_value(&our_dbuff, &child_cursor, encode_ctx);
 		if (slen < 0) {
 			fr_dbuff_marker_release(&length_start);
 			fr_dbuff_marker_release(&inner_seq_len_start);
@@ -1523,16 +1516,9 @@ static ssize_t fr_der_encode_oid_and_value(fr_dbuff_t *dbuff, fr_dcursor_t *curs
 	if (slen < 0) return slen;
 
 	/*
-	 *	Encode the data either as raw garbage, or as an OID pair.
+	 *	And then encode the actual data.
 	 */
-	child = fr_dcursor_current(&child_cursor);
-	fr_assert(child);
-
-	if (child->da->flags.is_raw) {
-		slen = fr_der_encode_octetstring(&our_dbuff, &child_cursor, encode_ctx);
-	} else {
-		slen = encode_value(&our_dbuff, &child_cursor, encode_ctx);
-	}
+	slen = encode_value(&our_dbuff, &child_cursor, encode_ctx);
 	if (slen < 0) return slen;
 
 	return fr_dbuff_set(dbuff, &our_dbuff);
@@ -1727,7 +1713,7 @@ static inline CC_HINT(always_inline) ssize_t
 static ssize_t encode_value(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
 {
 	fr_pair_t const	    *vp;
-	fr_dbuff_t	     our_dbuff = FR_DBUFF(dbuff);
+	fr_dbuff_t	     our_dbuff;
 	fr_dbuff_marker_t    marker;
 	fr_der_tag_encode_t const *func;
 	fr_der_tag_t         tag;
@@ -1754,6 +1740,21 @@ static ssize_t encode_value(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encod
 	flags = fr_der_attr_flags(vp->da);
 	fr_assert(flags != NULL);
 
+	/*
+	 *	Raw things get encoded as-is, so that we can encode the correct tag and class.
+	 */
+	if (unlikely(vp->da->flags.is_raw)) {
+		fr_assert(vp->vp_type == FR_TYPE_OCTETS);
+
+		slen = fr_der_encode_octetstring(dbuff, cursor, encode_ctx);
+		if (slen < 0) return 0;
+
+		fr_dcursor_next(cursor);
+		return slen;
+	}
+
+	our_dbuff = FR_DBUFF(dbuff);
+
 	/*
 	 *	ISO/IEC 8825-1:2021
 	 *	The structure of a DER encoding is as follows:
@@ -1850,13 +1851,10 @@ static ssize_t encode_value(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encod
 	fr_dbuff_marker(&marker, &our_dbuff);
 	FR_DBUFF_ADVANCE_RETURN(&our_dbuff, 1);
 
-	if (vp->da->flags.is_raw) {
-		slen = fr_der_encode_octetstring(&our_dbuff, cursor, uctx);
-
-	} else if (flags->is_extensions) {
+	if (flags->is_extensions) {
 		slen = fr_der_encode_X509_extensions(&our_dbuff, cursor, uctx);
-
 	} else {
+
 		slen = func->encode(&our_dbuff, cursor, uctx);
 	}
 	if (slen < 0) {
diff --git a/src/tests/unit/protocols/der/base.txt b/src/tests/unit/protocols/der/base.txt
@@ -183,7 +183,7 @@ match Boolean has incorrect length (2). Must be 1.: Failed decoding Bar
 encode-pair Test-Boolean = true
 match 01 01 ff
 
-encode-pair raw.Test-Boolean = 0x0001
+encode-pair raw.Test-Boolean = 0x01020001
 match 01 02 00 01
 
 proto-dictionary-root Foo-Bar
@@ -910,6 +910,12 @@ match 30 09 82 07 66 6f 6f 2e 62 61 72
 encode-pair Test-GeneralNames = { iPAddress = 10.0.5.4 }
 match 30 06 87 04 0a 00 05 04
 
+#
+#  Ignore raw.FOO when we know the subtypes.
+#
+encode-pair raw.Test-GeneralNames = { dNSName = "foo.bar" }
+match 30 09 82 07 66 6f 6f 2e 62 61 72
+
 proto-dictionary-root Test-GeneralNames
 
 decode-pair 30 09 82 07 66 6f 6f 2e 62 61 72
@@ -930,4 +936,4 @@ match c0 01 01 c1 01 02
 
 
 count
-match 558
+match 560
diff --git a/src/tests/unit/protocols/der/x509certs.txt b/src/tests/unit/protocols/der/x509certs.txt
@@ -28,5 +28,9 @@ match 30 82 06 22 30 82 05 0a a0 03 02 01 02 02 14 04 63 6f 8c 80 f7 fc f6 c2 53
 encode-pair Certificate = { tbsCertificate = { version = { number = 2 }, serialNumber = 0x0a0141420000015385736a0b85eca708, signature = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { sha256WithRSAEncryption = no } } } } } } }, issuer = { RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { organizationName = "Digital Signature Trust Co." } } } } }, RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { commonName = "DST Root CA X3" } } } } } }, validity = { notBefore = "2016-03-17T16:40:46Z", notAfter = "2021-03-17T16:40:46Z" }, subject = { RelativeDistinguishedName = { AttributeTypeandValue = { joint-iso-itu-t = { ds = { attributeType = { countryName = "US" } } } } }, RelativeDistinguishedName = { AttributeTypeandValue = { joint-iso-itu-t = { ds = { attributeType = { organizationName = "Let's Encrypt" } } } } }, RelativeDistinguishedName = { AttributeTypeandValue = { joint-iso-itu-t = { ds = { attributeType = { commonName = "Let's Encrypt Authority X3" } } } } } }, subjectPublicKeyInfo = { algorithm = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { rsaEncryption = no } } } } } } }, subjectPublicKey = 0x003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001 }, extensions = { Critical = { joint-iso-itu-t = { ds = { certificateExtension = { basicConstraints = { cA = yes, pathLenConstraint = 0 } } } }, joint-iso-itu-t = { ds = { certificateExtension = { keyUsage = { digitalSignature = yes, nonRepudation = no, keyEncipherment = no, dataEncipherment = no, keyAgreement = no, keyCertSign = yes, cRLSign = yes, encipherOnly = no } } } } }, iso = { identified-organization = { dod = { internet = { security = { mechanisms = { pkix = { pe = { authorityInfoAccess = { accessDescription = { accessMethod = "1.3.6.1.5.5.7.48.1", accessLocation = { uniformResourceIdentifier = "http://isrg.trustid.ocsp.identrust.com" } }, accessDescription = { accessMethod = "1.3.6.1.5.5.7.48.2", accessLocation = { uniformResourceIdentifier = "http://apps.identrust.com/roots/dstrootcax3.p7c" } } } } } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { authorityKeyIdentifier = { keyIdentifier = 0xc4a7b1a47b2c71fadbe14b9075ffc41560858910 } } } }, joint-iso-itu-t = { ds = { certificateExtension = { certificatePolicies = { policyInformation = { policyIdentifier = "2.23.140.1.2.1" }, policyInformation = { policyIdentifier = "1.3.6.1.4.1.44947.1.1.1", policyQualifiers = { policyQualifierInfo = { iso = { identified-organization = { dod = { internet = { security = { mechanisms = { pkix = { raw.2 = { raw.1 = 0x1622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267 } } } } } } } } } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { cRLDIstributionPoints = { distributionPoint = { distributionPointName = { fullName = { uniformResourceIdentifier = "http://crl.identrust.com/DSTROOTCAX3CRL.crl" } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { subjectKeyIdentifier = 0xa84a6a63047dddbae6d139b7a64565eff3a8eca1 } } } } }, signatureAlgorithm = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { sha256WithRSAEncryption = no } } } } } } }, signature = 0x00dd33d711f3635838dd1815fb0955be7656b97048a56947277bc2240892f15a1f4a1229372474511c6268b8cd957067e5f7a4bc4e2851cd9be8ae879dead8ba5aa1019adcf0dd6a1d6ad83e57239ea61e04629affd705cab71f3fc00a48bc94b0b66562e0c154e5a32aad20c4e9e6bbdcc8f6b5c332a398cc77a8e67965072bcb28fe3a165281ce520c2e5f83e8d50633fb776cce40ea329e1f925c41c1746c5b5d0a5f33cc4d9fac38f02f7b2c629dd9a3916f251b2f90b119463df67e1ba67a87b9a37a6d18fa25a5918715e0f2162f58b0062f2c6826c64b98cdda9f0cf97f90ed434a12444e6f737a28eaa4aa6e7b4c7d87dde0c90244a787afc3345bb442 }
 match 30 82 04 92 30 82 03 7a a0 03 02 01 02 02 10 0a 01 41 42 00 00 01 53 85 73 6a 0b 85 ec a7 08 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 3f 31 24 30 22 06 03 55 04 0a 13 1b 44 69 67 69 74 61 6c 20 53 69 67 6e 61 74 75 72 65 20 54 72 75 73 74 20 43 6f 2e 31 17 30 15 06 03 55 04 03 13 0e 44 53 54 20 52 6f 6f 74 20 43 41 20 58 33 30 1e 17 0d 31 36 30 33 31 37 31 36 34 30 34 36 5a 17 0d 32 31 30 33 31 37 31 36 34 30 34 36 5a 30 4a 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0a 13 0d 4c 65 74 27 73 20 45 6e 63 72 79 70 74 31 23 30 21 06 03 55 04 03 13 1a 4c 65 74 27 73 20 45 6e 63 72 79 70 74 20 41 75 74 68 6f 72 69 74 79 20 58 33 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c d3 0c f0 5a e5 2e 47 b7 72 5d 37 83 b3 68 63 30 ea d7 35 26 19 25 e1 bd be 35 f1 70 92 2f b7 b8 4b 41 05 ab a9 9e 35 08 58 ec b1 2a c4 68 87 0b a3 e3 75 e4 e6 f3 a7 62 71 ba 79 81 60 1f d7 91 9a 9f f3 d0 78 67 71 c8 69 0e 95 91 cf fe e6 99 e9 60 3c 48 cc 7e ca 4d 77 12 24 9d 47 1b 5a eb b9 ec 1e 37 00 1c 9c ac 7b a7 05 ea ce 4a eb bd 41 e5 36 98 b9 cb fd 6d 3c 96 68 df 23 2a 42 90 0c 86 74 67 c8 7f a5 9a b8 52 61 14 13 3f 65 e9 82 87 cb db fa 0e 56 f6 86 89 f3 85 3f 97 86 af b0 dc 1a ef 6b 0d 95 16 7d c4 2b a0 65 b2 99 04 36 75 80 6b ac 4a f3 1b 90 49 78 2f a2 96 4f 2a 20 25 29 04 c6 74 c0 d0 31 cd 8f 31 38 95 16 ba a8 33 b8 43 f1 b1 1f c3 30 7f a2 79 31 13 3d 2d 36 f8 e3 fc f2 33 6a b9 39 31 c5 af c4 8d 0d 1d 64 16 33 aa fa 84 29 b6 d4 0b c0 d8 7d c3 93 02 03 01 00 01 a3 82 01 7d 30 82 01 79 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 7f 06 08 2b 06 01 05 05 07 01 01 04 73 30 71 30 32 06 08 2b 06 01 05 05 07 30 01 86 26 68 74 74 70 3a 2f 2f 69 73 72 67 2e 74 72 75 73 74 69 64 2e 6f 63 73 70 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 30 3b 06 08 2b 06 01 05 05 07 30 02 86 2f 68 74 74 70 3a 2f 2f 61 70 70 73 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 2f 72 6f 6f 74 73 2f 64 73 74 72 6f 6f 74 63 61 78 33 2e 70 37 63 30 1f 06 03 55 1d 23 04 18 30 16 80 14 c4 a7 b1 a4 7b 2c 71 fa db e1 4b 90 75 ff c4 15 60 85 89 10 30 54 06 03 55 1d 20 04 4d 30 4b 30 08 06 06 67 81 0c 01 02 01 30 3f 06 0b 2b 06 01 04 01 82 df 13 01 01 01 30 30 30 2e 06 08 2b 06 01 05 05 07 02 01 16 22 68 74 74 70 3a 2f 2f 63 70 73 2e 72 6f 6f 74 2d 78 31 2e 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67 30 3c 06 03 55 1d 1f 04 35 30 33 30 31 a0 2f a0 2d 86 2b 68 74 74 70 3a 2f 2f 63 72 6c 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 2f 44 53 54 52 4f 4f 54 43 41 58 33 43 52 4c 2e 63 72 6c 30 1d 06 03 55 1d 0e 04 16 04 14 a8 4a 6a 63 04 7d dd ba e6 d1 39 b7 a6 45 65 ef f3 a8 ec a1 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 dd 33 d7 11 f3 63 58 38 dd 18 15 fb 09 55 be 76 56 b9 70 48 a5 69 47 27 7b c2 24 08 92 f1 5a 1f 4a 12 29 37 24 74 51 1c 62 68 b8 cd 95 70 67 e5 f7 a4 bc 4e 28 51 cd 9b e8 ae 87 9d ea d8 ba 5a a1 01 9a dc f0 dd 6a 1d 6a d8 3e 57 23 9e a6 1e 04 62 9a ff d7 05 ca b7 1f 3f c0 0a 48 bc 94 b0 b6 65 62 e0 c1 54 e5 a3 2a ad 20 c4 e9 e6 bb dc c8 f6 b5 c3 32 a3 98 cc 77 a8 e6 79 65 07 2b cb 28 fe 3a 16 52 81 ce 52 0c 2e 5f 83 e8 d5 06 33 fb 77 6c ce 40 ea 32 9e 1f 92 5c 41 c1 74 6c 5b 5d 0a 5f 33 cc 4d 9f ac 38 f0 2f 7b 2c 62 9d d9 a3 91 6f 25 1b 2f 90 b1 19 46 3d f6 7e 1b a6 7a 87 b9 a3 7a 6d 18 fa 25 a5 91 87 15 e0 f2 16 2f 58 b0 06 2f 2c 68 26 c6 4b 98 cd da 9f 0c f9 7f 90 ed 43 4a 12 44 4e 6f 73 7a 28 ea a4 aa 6e 7b 4c 7d 87 dd e0 c9 02 44 a7 87 af c3 34 5b b4 42
 
+proto-dictionary-root certificate
+decode-pair 30 82 04 92 30 82 03 7a a0 03 02 01 02 02 10 0a 01 41 42 00 00 01 53 85 73 6a 0b 85 ec a7 08 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 3f 31 24 30 22 06 03 55 04 0a 13 1b 44 69 67 69 74 61 6c 20 53 69 67 6e 61 74 75 72 65 20 54 72 75 73 74 20 43 6f 2e 31 17 30 15 06 03 55 04 03 13 0e 44 53 54 20 52 6f 6f 74 20 43 41 20 58 33 30 1e 17 0d 31 36 30 33 31 37 31 36 34 30 34 36 5a 17 0d 32 31 30 33 31 37 31 36 34 30 34 36 5a 30 4a 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0a 13 0d 4c 65 74 27 73 20 45 6e 63 72 79 70 74 31 23 30 21 06 03 55 04 03 13 1a 4c 65 74 27 73 20 45 6e 63 72 79 70 74 20 41 75 74 68 6f 72 69 74 79 20 58 33 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c d3 0c f0 5a e5 2e 47 b7 72 5d 37 83 b3 68 63 30 ea d7 35 26 19 25 e1 bd be 35 f1 70 92 2f b7 b8 4b 41 05 ab a9 9e 35 08 58 ec b1 2a c4 68 87 0b a3 e3 75 e4 e6 f3 a7 62 71 ba 79 81 60 1f d7 91 9a 9f f3 d0 78 67 71 c8 69 0e 95 91 cf fe e6 99 e9 60 3c 48 cc 7e ca 4d 77 12 24 9d 47 1b 5a eb b9 ec 1e 37 00 1c 9c ac 7b a7 05 ea ce 4a eb bd 41 e5 36 98 b9 cb fd 6d 3c 96 68 df 23 2a 42 90 0c 86 74 67 c8 7f a5 9a b8 52 61 14 13 3f 65 e9 82 87 cb db fa 0e 56 f6 86 89 f3 85 3f 97 86 af b0 dc 1a ef 6b 0d 95 16 7d c4 2b a0 65 b2 99 04 36 75 80 6b ac 4a f3 1b 90 49 78 2f a2 96 4f 2a 20 25 29 04 c6 74 c0 d0 31 cd 8f 31 38 95 16 ba a8 33 b8 43 f1 b1 1f c3 30 7f a2 79 31 13 3d 2d 36 f8 e3 fc f2 33 6a b9 39 31 c5 af c4 8d 0d 1d 64 16 33 aa fa 84 29 b6 d4 0b c0 d8 7d c3 93 02 03 01 00 01 a3 82 01 7d 30 82 01 79 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 7f 06 08 2b 06 01 05 05 07 01 01 04 73 30 71 30 32 06 08 2b 06 01 05 05 07 30 01 86 26 68 74 74 70 3a 2f 2f 69 73 72 67 2e 74 72 75 73 74 69 64 2e 6f 63 73 70 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 30 3b 06 08 2b 06 01 05 05 07 30 02 86 2f 68 74 74 70 3a 2f 2f 61 70 70 73 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 2f 72 6f 6f 74 73 2f 64 73 74 72 6f 6f 74 63 61 78 33 2e 70 37 63 30 1f 06 03 55 1d 23 04 18 30 16 80 14 c4 a7 b1 a4 7b 2c 71 fa db e1 4b 90 75 ff c4 15 60 85 89 10 30 54 06 03 55 1d 20 04 4d 30 4b 30 08 06 06 67 81 0c 01 02 01 30 3f 06 0b 2b 06 01 04 01 82 df 13 01 01 01 30 30 30 2e 06 08 2b 06 01 05 05 07 02 01 16 22 68 74 74 70 3a 2f 2f 63 70 73 2e 72 6f 6f 74 2d 78 31 2e 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67 30 3c 06 03 55 1d 1f 04 35 30 33 30 31 a0 2f a0 2d 86 2b 68 74 74 70 3a 2f 2f 63 72 6c 2e 69 64 65 6e 74 72 75 73 74 2e 63 6f 6d 2f 44 53 54 52 4f 4f 54 43 41 58 33 43 52 4c 2e 63 72 6c 30 1d 06 03 55 1d 0e 04 16 04 14 a8 4a 6a 63 04 7d dd ba e6 d1 39 b7 a6 45 65 ef f3 a8 ec a1 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 dd 33 d7 11 f3 63 58 38 dd 18 15 fb 09 55 be 76 56 b9 70 48 a5 69 47 27 7b c2 24 08 92 f1 5a 1f 4a 12 29 37 24 74 51 1c 62 68 b8 cd 95 70 67 e5 f7 a4 bc 4e 28 51 cd 9b e8 ae 87 9d ea d8 ba 5a a1 01 9a dc f0 dd 6a 1d 6a d8 3e 57 23 9e a6 1e 04 62 9a ff d7 05 ca b7 1f 3f c0 0a 48 bc 94 b0 b6 65 62 e0 c1 54 e5 a3 2a ad 20 c4 e9 e6 bb dc c8 f6 b5 c3 32 a3 98 cc 77 a8 e6 79 65 07 2b cb 28 fe 3a 16 52 81 ce 52 0c 2e 5f 83 e8 d5 06 33 fb 77 6c ce 40 ea 32 9e 1f 92 5c 41 c1 74 6c 5b 5d 0a 5f 33 cc 4d 9f ac 38 f0 2f 7b 2c 62 9d d9 a3 91 6f 25 1b 2f 90 b1 19 46 3d f6 7e 1b a6 7a 87 b9 a3 7a 6d 18 fa 25 a5 91 87 15 e0 f2 16 2f 58 b0 06 2f 2c 68 26 c6 4b 98 cd da 9f 0c f9 7f 90 ed 43 4a 12 44 4e 6f 73 7a 28 ea a4 aa 6e 7b 4c 7d 87 dd e0 c9 02 44 a7 87 af c3 34 5b b4 42
+match Certificate = { tbsCertificate = { version = { number = 2 }, serialNumber = 0x0a0141420000015385736a0b85eca708, signature = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { sha256WithRSAEncryption = no } } } } } } }, issuer = { RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { organizationName = "Digital Signature Trust Co." } } } } }, RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { commonName = "DST Root CA X3" } } } } } }, validity = { notBefore = "2016-03-17T16:40:46Z", notAfter = "2021-03-17T16:40:46Z" }, subject = { RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { countryName = "US" } } } } }, RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { organizationName = "Let's Encrypt" } } } } }, RelativeDistinguishedName = { AttributeTypeAndValue = { joint-iso-itu-t = { ds = { attributeType = { commonName = "Let's Encrypt Authority X3" } } } } } }, subjectPublicKeyInfo = { algorithm = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { rsaEncryption = no } } } } } } }, subjectPublicKey = 0x003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001 }, extensions = { Critical = { joint-iso-itu-t = { ds = { certificateExtension = { basicConstraints = { cA = yes, pathLenConstraint = 0 } } } }, joint-iso-itu-t = { ds = { certificateExtension = { keyUsage = { digitalSignature = yes, nonRepudation = no, keyEncipherment = no, dataEncipherment = no, keyAgreement = no, keyCertSign = yes, cRLSign = yes, encipherOnly = no } } } } }, iso = { identified-organization = { dod = { internet = { security = { mechanisms = { pkix = { pe = { authorityInfoAccess = { accessDescription = { accessMethod = "1.3.6.1.5.5.7.48.1", accessLocation = { uniformResourceIdentifier = "http://isrg.trustid.ocsp.identrust.com" } }, accessDescription = { accessMethod = "1.3.6.1.5.5.7.48.2", accessLocation = { uniformResourceIdentifier = "http://apps.identrust.com/roots/dstrootcax3.p7c" } } } } } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { authorityKeyIdentifier = { keyIdentifier = 0xc4a7b1a47b2c71fadbe14b9075ffc41560858910 } } } }, joint-iso-itu-t = { ds = { certificateExtension = { certificatePolicies = { policyInformation = { policyIdentifier = "2.23.140.1.2.1" }, policyInformation = { policyIdentifier = "1.3.6.1.4.1.44947.1.1.1", policyQualifiers = { policyQualifierInfo = { iso = { identified-organization = { dod = { internet = { security = { mechanisms = { pkix = { qualifier = { cpsuri = "http://cps.root-x1.letsencrypt.org" } } } } } } } } } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { CRLDIstributionPoints = { distributionPoint = { distributionPointName = { fullName = { uniformResourceIdentifier = "http://crl.identrust.com/DSTROOTCAX3CRL.crl" } } } } } } }, joint-iso-itu-t = { ds = { certificateExtension = { subjectKeyIdentifier = 0xa84a6a63047dddbae6d139b7a64565eff3a8eca1 } } } } }, signatureAlgorithm = { iso = { member-body = { us = { rsadsi = { pkcs = { pkcs-1 = { sha256WithRSAEncryption = no } } } } } } }, signature = 0x00dd33d711f3635838dd1815fb0955be7656b97048a56947277bc2240892f15a1f4a1229372474511c6268b8cd957067e5f7a4bc4e2851cd9be8ae879dead8ba5aa1019adcf0dd6a1d6ad83e57239ea61e04629affd705cab71f3fc00a48bc94b0b66562e0c154e5a32aad20c4e9e6bbdcc8f6b5c332a398cc77a8e67965072bcb28fe3a165281ce520c2e5f83e8d50633fb776cce40ea329e1f925c41c1746c5b5d0a5f33cc4d9fac38f02f7b2c629dd9a3916f251b2f90b119463df67e1ba67a87b9a37a6d18fa25a5918715e0f2162f58b0062f2c6826c64b98cdda9f0cf97f90ed434a12444e6f737a28eaa4aa6e7b4c7d87dde0c90244a787afc3345bb442 }
+
 count
-match 18
+match 21
