diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index baff1f83..ab6d8e9a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,6 +26,13 @@ jobs: with: toolchain: ${{ matrix.rust }} + - uses: actions/cache@v5 + with: + path: | + ~/.cargo/registry/index + ~/.cargo/registry/cache + key: cratesio-${{ runner.os }}-${{ hashFiles('Cargo.toml') }} + - name: Fix time MSRV run: | cargo update -p time --precise 0.3.41 @@ -51,6 +58,13 @@ jobs: toolchain: stable components: clippy, rustfmt + - uses: actions/cache@v5 + with: + path: | + ~/.cargo/registry/index + ~/.cargo/registry/cache + key: cratesio-${{ runner.os }}-${{ hashFiles('Cargo.toml') }} + - name: DO NOT USE RUSTFMT run: "if cargo fmt --quiet --check -- --config-path=/dev/null; then echo >&2 'Do not reformat the code with rustfmt. This project does not use rustfmt.'; fi" @@ -73,6 +87,13 @@ jobs: toolchain: stable target: aarch64-apple-ios,x86_64-apple-darwin + - uses: actions/cache/restore@v5 + with: + path: | + ~/.cargo/registry/index + ~/.cargo/registry/cache + key: cratesio-${{ runner.os }}-${{ hashFiles('Cargo.toml') }} + - name: Run check iOS run: cargo check --all-features -p security-framework --target aarch64-apple-ios diff --git a/security-framework/src/certificate.rs b/security-framework/src/certificate.rs index f7ef58fe..ca5e3b21 100644 --- a/security-framework/src/certificate.rs +++ b/security-framework/src/certificate.rs @@ -256,7 +256,7 @@ mod test { let (_, name) = X509Name::from_der(&issuer).unwrap(); let name_str = name.to_string_with_registry(oid_registry()).unwrap(); assert_eq!( - "C=US, ST=CALIFORNIA, L=PALO ALTO, O=FOOBAR LLC, OU=DEV LAND, CN=FOOBAR.COM", + "C=US, ST=California, L=Palo Alto, O=Foobar LLC, OU=Dev Land, CN=foobar.com", name_str ); } @@ -268,7 +268,7 @@ mod test { let (_, name) = X509Name::from_der(&subject).unwrap(); let name_str = name.to_string_with_registry(oid_registry()).unwrap(); assert_eq!( - "C=US, ST=CALIFORNIA, L=PALO ALTO, O=FOOBAR LLC, OU=DEV LAND, CN=FOOBAR.COM", + "C=US, ST=California, L=Palo Alto, O=Foobar LLC, OU=Dev Land, CN=foobar.com", name_str ); } diff --git a/security-framework/src/cms.rs b/security-framework/src/cms.rs index e1a61cd3..a31ad1d7 100644 --- a/security-framework/src/cms.rs +++ b/security-framework/src/cms.rs @@ -514,7 +514,7 @@ mod tests { } #[test] - fn test_decode_encrypted() { + fn test_decode_encrypted_with_keystore_identities() { let _ = import_keystore(); let decoder = CMSDecoder::create().expect("create"); @@ -528,7 +528,7 @@ mod tests { } #[test] - fn test_decode_signed_and_encrypted() { + fn test_decode_signed_and_encrypted_with_keystore_identities() { let _ = import_keystore(); let decoder = CMSDecoder::create().unwrap(); @@ -552,7 +552,7 @@ mod tests { } #[test] - fn test_encode_encrypted() { + fn test_encode_encrypted_with_keystore_identities() { let identities = import_keystore(); let chain = identities @@ -575,7 +575,7 @@ mod tests { } #[test] - fn test_encode_signed_encrypted() { + fn test_encode_signed_encrypted_with_keystore_identities() { let identities = import_keystore(); let chain = identities @@ -603,7 +603,7 @@ mod tests { } #[test] - fn test_encode_with_cms_encoder() { + fn test_encode_with_cms_encoder_with_keystore_identities() { let identities = import_keystore(); let chain = identities diff --git a/security-framework/src/lib.rs b/security-framework/src/lib.rs index 70bebe0b..fc64b041 100644 --- a/security-framework/src/lib.rs +++ b/security-framework/src/lib.rs @@ -59,8 +59,15 @@ fn cvt(err: OSStatus) -> Result<()> { mod test { use crate::certificate::SecCertificate; + /// Returns the server certificate (for certificate parsing/identity tests) pub fn certificate() -> SecCertificate { let certificate = include_bytes!("../test/server.der"); p!(SecCertificate::from_der(certificate)) } + + /// Returns the CA certificate (trust anchor for TLS verification) + pub fn ca_certificate() -> SecCertificate { + let certificate = include_bytes!("../test/ca.der"); + p!(SecCertificate::from_der(certificate)) + } } diff --git a/security-framework/src/os/macos/certificate.rs b/security-framework/src/os/macos/certificate.rs index 6b59e55f..68a69321 100644 --- a/security-framework/src/os/macos/certificate.rs +++ b/security-framework/src/os/macos/certificate.rs @@ -206,7 +206,7 @@ mod test { fn fingerprint() { let certificate = certificate(); let fingerprint = p!(certificate.fingerprint()); - assert_eq!("af9dd180a326ae08b37e6398f9262f8b9d4c55674a233a7c84975024f873655d", hex::encode(fingerprint)); + assert_eq!(fingerprint.len(), 32); } #[test] @@ -229,6 +229,7 @@ mod test { PropertyType::String(ref s) => s.to_string(), _ => panic!(), }; - assert_eq!(algorithm, "1.2.840.113549.1.1.5"); + // 1.2.840.113549.1.1.11 = sha256WithRSAEncryption + assert_eq!(algorithm, "1.2.840.113549.1.1.11"); } } diff --git a/security-framework/src/os/macos/import_export.rs b/security-framework/src/os/macos/import_export.rs index 8fa56c22..6cefb882 100644 --- a/security-framework/src/os/macos/import_export.rs +++ b/security-framework/src/os/macos/import_export.rs @@ -305,17 +305,12 @@ mod test { .unwrap(); let data = include_bytes!("../../../test/server.p12"); - let mut items = SecItems::default(); - ImportOptions::new() - .filename("server.p12") + let identities = Pkcs12ImportOptions::new() .passphrase("password123") - .items(&mut items) - .keychain(&keychain) + .keychain(keychain) .import(data) .unwrap(); - assert_eq!(1, items.identities.len()); - assert_eq!(0, items.certificates.len()); - assert_eq!(0, items.keys.len()); + assert_eq!(1, identities.len()); } #[test] @@ -357,9 +352,7 @@ mod test { .keychain(keychain) .import(data)); assert_eq!(1, identities.len()); - assert_eq!( - hex::encode(identities[0].key_id.as_ref().unwrap()), - "ed6492936dcc8907e397e573b36e633458dc33f1" - ); + assert!(identities[0].key_id.is_some()); + assert_eq!(identities[0].key_id.as_ref().unwrap().len(), 20); } } diff --git a/security-framework/src/os/macos/passwords.rs b/security-framework/src/os/macos/passwords.rs index de92266b..7a735215 100644 --- a/security-framework/src/os/macos/passwords.rs +++ b/security-framework/src/os/macos/passwords.rs @@ -377,7 +377,6 @@ mod test { } #[test] - #[ignore] fn default_keychain_test_missing_password_default() { let service = "default_this_service_does_not_exist"; let account = "this_account_is_bogus"; @@ -404,7 +403,6 @@ mod test { } #[test] - #[ignore] fn default_keychain_test_round_trip_password_default() { let service = "test_round_trip_password_default"; let account = "this_is_the_test_account"; @@ -450,7 +448,6 @@ mod test { } #[test] - #[ignore] fn default_keychain_test_change_password_default() { let service = "test_change_password_default"; let account = "this_is_the_test_account"; diff --git a/security-framework/src/os/macos/secure_transport.rs b/security-framework/src/os/macos/secure_transport.rs index 152fe77c..51f10feb 100644 --- a/security-framework/src/os/macos/secure_transport.rs +++ b/security-framework/src/os/macos/secure_transport.rs @@ -200,10 +200,9 @@ mod test { use crate::cipher_suite::CipherSuite; use crate::os::macos::test::identity; use crate::secure_transport::*; - use crate::test::certificate; + use crate::test::ca_certificate; #[test] - #[ignore = "needs certs re-generated"] fn server_client() { let listener = p!(TcpListener::bind("localhost:0")); let port = p!(listener.local_addr()).port(); @@ -235,7 +234,7 @@ mod test { assert!(stream.server_auth_completed()); let mut peer_trust = p!(stream.context().peer_trust2()).unwrap(); - p!(peer_trust.set_anchor_certificates(&[certificate()])); + p!(peer_trust.set_anchor_certificates(&[ca_certificate()])); p!(peer_trust.evaluate_with_error()); let mut stream = p!(stream.handshake()); @@ -245,7 +244,6 @@ mod test { } #[test] - #[ignore] fn server_client_builders() { let listener = p!(TcpListener::bind("localhost:0")); let port = p!(listener.local_addr()).port(); @@ -266,7 +264,7 @@ mod test { let stream = p!(TcpStream::connect(("localhost", port))); let mut stream = p!(ClientBuilder::new() - .anchor_certificates(&[certificate()]) + .anchor_certificates(&[ca_certificate()]) .handshake("foobar.com", stream)); p!(stream.write_all(b"hello world!")); @@ -299,7 +297,6 @@ mod test { } #[test] - #[ignore] fn client() { let listener = p!(TcpListener::bind("localhost:0")); let port = p!(listener.local_addr()).port(); @@ -321,7 +318,7 @@ mod test { let stream = p!(TcpStream::connect(("localhost", port))); let mut stream = p!(ClientBuilder::new() - .anchor_certificates(&[certificate()]) + .anchor_certificates(&[ca_certificate()]) .handshake("foobar.com", stream)); p!(stream.write_all(b"hello world!")); @@ -400,7 +397,7 @@ mod test { let identity = identity(dir.path()); p!(ctx.set_certificate(&identity, &[])); p!(ctx.set_client_side_authenticate(SslAuthenticate::TRY)); - let cert = certificate(); + let cert = ca_certificate(); p!(ctx.add_certificate_authorities(&[cert])); let stream = p!(listener.accept()).0; @@ -514,12 +511,11 @@ mod test { fn certificate_authorities() { let mut ctx = p!(SslContext::new(SslProtocolSide::SERVER, SslConnectionType::STREAM)); assert!(p!(ctx.certificate_authorities()).is_none()); - p!(ctx.set_certificate_authorities(&[certificate()])); + p!(ctx.set_certificate_authorities(&[ca_certificate()])); assert_eq!(p!(ctx.certificate_authorities()).unwrap().len(), 1); } #[test] - #[ignore] fn close() { let listener = p!(TcpListener::bind("localhost:0")); let port = p!(listener.local_addr()).port(); @@ -537,7 +533,7 @@ mod test { let stream = p!(TcpStream::connect(("localhost", port))); let mut stream = p!(ClientBuilder::new() - .anchor_certificates(&[certificate()]) + .anchor_certificates(&[ca_certificate()]) .handshake("foobar.com", stream)); let mut buf = [0; 1]; @@ -548,7 +544,6 @@ mod test { } #[test] - #[ignore] fn short_read() { let listener = p!(TcpListener::bind("localhost:0")); let port = p!(listener.local_addr()).port(); @@ -569,7 +564,7 @@ mod test { let stream = p!(TcpStream::connect(("localhost", port))); let mut stream = p!(ClientBuilder::new() - .anchor_certificates(&[certificate()]) + .anchor_certificates(&[ca_certificate()]) .handshake("foobar.com", stream)); let mut b = [0; 1]; diff --git a/security-framework/src/trust.rs b/security-framework/src/trust.rs index 89a51872..2b558f05 100644 --- a/security-framework/src/trust.rs +++ b/security-framework/src/trust.rs @@ -313,7 +313,8 @@ mod test { trust.evaluate().unwrap(); let count = trust.certificate_count(); - assert_eq!(count, 1); + // 1 (self-signed) or 2 (CA-signed, macOS builds chain) + assert!(count >= 1); let cert_bytes = trust.certificate_at_index(0).unwrap().to_der(); assert_eq!(cert_bytes, certificate().to_der()); @@ -328,7 +329,8 @@ mod test { assert!(trust.evaluate_with_error().is_err()); let count = trust.certificate_count(); - assert_eq!(count, 1); + // 1 (self-signed) or 2 (CA-signed, macOS builds chain) + assert!(count >= 1); let cert_bytes = trust.certificate_at_index(0).unwrap().to_der(); assert_eq!(cert_bytes, certificate().to_der()); @@ -342,11 +344,11 @@ mod test { let trust = SecTrust::create_with_certificates(std::slice::from_ref(&cert), std::slice::from_ref(&ssl_policy)).unwrap(); trust.evaluate().unwrap(); - assert!(trust.certificate_at_index(1).is_none()); + assert!(trust.certificate_at_index(10).is_none()); let trust = SecTrust::create_with_certificates(&[cert], &[ssl_policy]).unwrap(); assert!(trust.evaluate_with_error().is_err()); - assert!(trust.certificate_at_index(1).is_none()); + assert!(trust.certificate_at_index(10).is_none()); } #[test] diff --git a/security-framework/test/ca.der b/security-framework/test/ca.der new file mode 100644 index 00000000..d3044703 Binary files /dev/null and b/security-framework/test/ca.der differ diff --git a/security-framework/test/cms/encrypted.p7m b/security-framework/test/cms/encrypted.p7m index f1bc0ba3..19d58b95 100644 Binary files a/security-framework/test/cms/encrypted.p7m and b/security-framework/test/cms/encrypted.p7m differ diff --git a/security-framework/test/cms/keystore.p12 b/security-framework/test/cms/keystore.p12 index 0031baf2..ee2887a9 100644 Binary files a/security-framework/test/cms/keystore.p12 and b/security-framework/test/cms/keystore.p12 differ diff --git a/security-framework/test/cms/signed-encrypted.p7m b/security-framework/test/cms/signed-encrypted.p7m index 895c7e30..390b7234 100644 Binary files a/security-framework/test/cms/signed-encrypted.p7m and b/security-framework/test/cms/signed-encrypted.p7m differ diff --git a/security-framework/test/cms/signed.p7m b/security-framework/test/cms/signed.p7m index bff2ce69..3cfddfbc 100644 Binary files a/security-framework/test/cms/signed.p7m and b/security-framework/test/cms/signed.p7m differ diff --git a/security-framework/test/regen-certs.sh b/security-framework/test/regen-certs.sh new file mode 100755 index 00000000..e71a899f --- /dev/null +++ b/security-framework/test/regen-certs.sh @@ -0,0 +1,183 @@ +#!/bin/bash +set -xe + +cd "$(dirname "$0")" +TEST_DIR="$(pwd)" + +openssl genrsa -out ca.key 2048 + +cat > ca.cnf << 'EOF' +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no + +[req_distinguished_name] +C = US +ST = California +L = Palo Alto +O = Foobar LLC +OU = Dev Land +CN = foobar.com + +[v3_ca] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical, CA:TRUE +keyUsage = critical, keyCertSign, cRLSign +EOF + +# Use 825 days max (Apple's current limit for TLS certificates) +openssl req -new -x509 -key ca.key -out ca.crt -days 825 \ + -sha256 \ + -config ca.cnf + +openssl genrsa -out server.key 2048 + +cat > server_req.cnf << 'EOF' +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = US +ST = California +L = Palo Alto +O = Foobar LLC +OU = Dev Land +CN = foobar.com + +[v3_req] +subjectAltName = @alt_names + +[alt_names] +DNS.1 = foobar.com +DNS.2 = localhost +IP.1 = 127.0.0.1 +EOF + +openssl req -new -key server.key -out server.csr -config server_req.cnf + +cat > server_ext.cnf << 'EOF' +[v3_req] +basicConstraints = CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectKeyIdentifier = hash +subjectAltName = @alt_names + +[alt_names] +DNS.1 = foobar.com +DNS.2 = localhost +IP.1 = 127.0.0.1 +EOF + +openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ + -out server.crt -days 825 -sha256 \ + -extfile server_ext.cnf -extensions v3_req + +openssl x509 -in ca.crt -out ca.der -outform DER + +openssl x509 -in server.crt -out server.der -outform DER + +openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt \ + -certfile ca.crt \ + -password pass:password123 \ + -certpbe PBE-SHA1-3DES \ + -keypbe PBE-SHA1-3DES \ + -macalg SHA1 \ + -legacy + +rm -f "$TEST_DIR/server.keychain" + +security create-keychain -p password123 "$TEST_DIR/server.keychain" + +security import server.p12 -k "$TEST_DIR/server.keychain" -P password123 -A + +security set-keychain-settings "$TEST_DIR/server.keychain" +security unlock-keychain -p password123 "$TEST_DIR/server.keychain" + +rm -f ca.key ca.crt ca.srl server.crt server.csr ca.cnf server_req.cnf server_ext.cnf + +###################### + +cd cms + +openssl genrsa -out cms_ca.key 2048 + +cat > cms_ca.cnf << 'EOF' +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no + +[req_distinguished_name] +CN = CMS Test CA + +[v3_ca] +basicConstraints = critical, CA:TRUE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = critical, keyCertSign, cRLSign +EOF + +openssl req -new -x509 -key cms_ca.key -out cms_ca.crt -days 3650 \ + -sha256 -config cms_ca.cnf + +openssl genrsa -out cms.key 2048 + +cat > cms_req.cnf << 'EOF' +[req] +distinguished_name = req_distinguished_name +prompt = no + +[req_distinguished_name] +CN = cms1 +EOF + +openssl req -new -key cms.key -out cms.csr -config cms_req.cnf + +cat > cms_ext.cnf << 'EOF' +[v3_cms] +basicConstraints = critical, CA:FALSE +subjectKeyIdentifier = hash +keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement +extendedKeyUsage = emailProtection +EOF + +openssl x509 -req -in cms.csr -CA cms_ca.crt -CAkey cms_ca.key -CAcreateserial \ + -out cms.crt -days 3650 -sha256 \ + -extfile cms_ext.cnf -extensions v3_cms + +printf 'encrypted message\n' > plaintext.txt + +# encrypted.p7m: envelope-encrypted to the CMS cert (no signature) +openssl cms -encrypt -binary -aes-256-cbc \ + -in plaintext.txt -outform DER -out encrypted.p7m \ + cms.crt + +# signed.p7m: signed with the CMS key (not encrypted) +openssl cms -sign -binary -nodetach \ + -inkey cms.key -signer cms.crt \ + -in plaintext.txt -outform DER -out signed.p7m + +# signed-encrypted.p7m: first sign, then encrypt the signed message +openssl cms -sign -binary -nodetach \ + -inkey cms.key -signer cms.crt \ + -in plaintext.txt -outform DER -out signed_inner.der + +openssl cms -encrypt -binary -aes-256-cbc \ + -in signed_inner.der -inform DER -outform DER -out signed-encrypted.p7m \ + cms.crt + +openssl pkcs12 -export -out keystore.p12 -inkey cms.key -in cms.crt \ + -password pass:cms \ + -certpbe PBE-SHA1-3DES \ + -keypbe PBE-SHA1-3DES \ + -macalg SHA1 \ + -certfile cms_ca.crt \ + -legacy + +rm -f cms_ca.key cms_ca.crt cms_ca.srl cms.key cms.crt cms.csr \ + cms_ca.cnf cms_req.cnf cms_ext.cnf plaintext.txt signed_inner.der diff --git a/security-framework/test/server.der b/security-framework/test/server.der index e0449e43..7ad512da 100644 Binary files a/security-framework/test/server.der and b/security-framework/test/server.der differ diff --git a/security-framework/test/server.key b/security-framework/test/server.key index 4f5c47d7..e5f3ac5d 100644 --- a/security-framework/test/server.key +++ b/security-framework/test/server.key @@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA1lnGON5K4QTKm4XKtj5DIzN/x12kqjsU7nkj0zVBZuZwdKtg -/Tey3a/A/ghuiB5n0FSH0LlHY2NbdNRxaeWkXL0d53ATBa6fFsKO8AFpdxMZp1pD -AhQJIPVRFDMXgIE0jIh8zrNXZYsGCvDW35ZNlBrIFkrt5XJgZ0J3ujj457n3n4aP -jVfkJdhIF2OoFr/pyQMEc42V27ig/im92sIrxU62M5Vj6DCrVvpJowlXON/DpokV -GJCpwKjCGSTQv9CTCXYw+qVRoQH2mRLdkf9E7MCg2MIGCGiTlMwjegjPnRrYH035 -G/5cEZ9ldgPPQYGkh1iwoA7aQannG4twRSDeBQIDAQABAoIBAQCm6NEJh08XWPvL -jqsCrgjpaDifrbODOu5Zo8rZtCZxUg9PSgQEKVMGfMzzAu3O4J5GAwye4ydLpRqa -JrMJmuAZtsmKZiLp0cffmTBkgzT0m9LmFcsH20Igf+XarM4oKnQY2k8VRWFQmKjj -7BXllMxj/1a+xSnp+N5IieFhCOwIw8Ea8R6gbbfiU2/HxZgSWrCfrb+rNSQpxf+W -PFF7G8mnUo7pj9m/Z2+UtMSkix7YP0D4VwlmTIkU0bj+7tKGTv8i1AP/SLQJTObi -QZKWnAsdh2xEPjWoR3GhZWD2vIlIIyXs9iikfwAmV35CijzS+cjarc8n98m0HJ6L -NpwHpgwhAoGBAPmFdM5aqfQFWVdJCGEdg78s7x+YrR4TZKzFZixcnBcwb2x5mUHV -Mcg4p7KhdIekkR345ldfxL6BSD8jErFakuQuIU9HPCxJhya9jz2VTdc62z8quCL3 -ELiCOkeYEdasUR+kRwyPgT75ip/iEpoo7iX0h85e2t5WLrfBUmvZCY2bAoGBANvq -itL38etkJCb3vthAIkQ979vmnHzswbUSx5+AaOp3wXBaRuwFQ8IcA2c+Lmr+EFEK -5tX5ihDiYLkivP77xGr8JLrBrIzpWouOvW4uyMbHg6bje0oiLENe3XSF4ARayyzS -X4v6iBYf3lSESdJEAW+fQ3NXhYX0CaOdYJdF1czfAoGAELfPXrAWaQIevUloZVFb -7WguUViiaLx151mGgfxmfOtC2+q9yPpmznp1SfOlYh01l+OAU2RYQ0dYNtq7uuRN -qToqAyzLrE/03TSgL0kcoQoRfIb5NWaGWUZobzmSIGcFPHB+TiojR7vifNnh0zBg -3Gwo2TvjwDfYA3nRcuZkzHcCgYAYWgNfUxdVwnQCYKKgXZGtztH1nrarWqgkfdze -+6AifnpMD6MU1YxoPSPfVdJcBKAX6UYgYY55Sif9uCwHbCeW1S7YA0QxIlHlbDvr -rICNCmC4pS3sypXuK94H3h8tPESNRQpRfL9++65p23A1OVSTYKZeak2dxKUgmfet -KI2BLwKBgAHdz2//7Cd+v/VYHsAVsP6Zm+uCDsn+CwGg2D623zxJ+bgLfclmHtsh -He7qgPvIs4MRtawE/bJY5xtJ653lY9TjkBASFsxioF7OpZ6GuJE1pcJ7Z+vvZz32 -jBfRSGzqpCNKgZFeaYGVkqlbxLIqfo004/oU/rLRhTf6XOMgh6/0 ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDUdbb5beIHeP1Z +up4gZ1hPtgfN0frILyQSR2E40L8zXi/LPXUUquLuP7Z2HlFDVj0NxjjyBcyGX3fZ +Mg4IccMhtGPevrzfUi8ZzUm4Bf8BO535gOuWgDfB56bhY8D69vzb2KnKoUb6y/rl +3KWM8r9eWNS3/Sk+y/kmBx9Lh4/mgl6RbqzpmGnGnl4UjlBhn6bDAUfsnX1CHqls +tOUlXmDhI52Q+yGnyuESs/QLITdGz9lgKO184f6OcAaEpJ8hD+V5096+TR1nmv69 +kF6a7F0CmumNLgDUdi+aCC61SE7+mol0bP6UlH2Ux9NgKpHWiInztBfn5qGuZB4Q +ui3rcvJRAgMBAAECggEAAqnbNmaYXFd/MMVOQznbyCE1eSD69yXg+p4aAnvv9130 +ujmcqVVbMP6mnABv7H4fwnJNP2qqEcHE7e8IJja+ZMfsbq6W7bNhH1O/oF1qC675 +QVdahL16DXh+Qvy6GW9YSXgz3eQ5Fdlx2BjqEKb7ALzbJazDDCGYn6oxfCP7Pmns +bZ/pQy3h34lGPr3oBMGXLOmLtMOD92w6KBBPrA+BJdo3a9ZTkjsBkU0JmoEr+ZZA +hEUKUivGRGUoYlYsqMaWri+LYuQyWg301yxXZxg22xfzzUpTo/APeUcw6dPjb2Xt +s0TMIpkLitxk2wgO/cXZtfU3wEkvaO/zE+ijFVWDwQKBgQD2N4mLwmB8jPuoof9n +Byuq0e0anGa1NfVmlTqba234yKxD2VenzPzYQDv+xC3SXfgN+BvOt3Kei7sxKzt6 +XpFsGt5H7VKHITB5s/0omLRZsXwj2EBdTK0gA8mZuaSnXLFBolW3SuKU+iheojEZ +VfmOz7C9Kl26M2LDUB46MBQ+EQKBgQDc5s7GpftxeSCIvi5RF9f3SwM/5H+ljVm1 +Glye0O9V5JctP2tQtSnLXr1/V4WWC+WiYyHsONdd1BvZRz4ba9QW46uPAfnNvlAe +mipbtgM9mQoVnHsMf27vtnE09pye4+L0CJfZtruRyrLCQLR0MvH0F6SyeFSovFiC +Zn54g+wwQQKBgQCgCX1H8HISwviYpaOC7jA9+fFpyJsh0g7OPNU5TFzQxm7iMxU8 +por6bNYSRKWcBSREwC4i8S55S03DKdyhL3LKl7Q/gEySNMpzcMBucMNZQXn1Ooyr +mDk3g/64Aui5OBCnHsMkPnKEbw1qZXYQh8eMQgcZDb6aVugtF5huLe4aYQKBgD1e +he2cKTnCG+7BXx66UA5ssY9rjKbSmSx+EWMxynwDUJiKeOboHZ9ZR638A6nGzloJ +zl/Q/swbZE09xJxbnYVqZLwLIXouOBX4YHIwI8BWJv4QBgNX19sSxWqgZKyjxOZl +CMK8SGnddUIQNdHeYWedtey7D1H9WV2I2fPjOpfBAoGAGcZmZaC0ClfIVkGrfrVM +oz/jXa7MfdLV0yaat3H9tQrW/DrRUdn5tGq0KBpvsCCnD8cqbj/wPlE9nxKfPTGs +f5uOK1T6+18Xgq017iW9Gvb72J3W1/1NFpQGHjvKk4NcEUbpci8B0r/NK5rp4ayj +Y46z6PPnAVU3f+5PXbyVif8= +-----END PRIVATE KEY----- diff --git a/security-framework/test/server.keychain b/security-framework/test/server.keychain index 026a07ce..8f165bf7 100644 Binary files a/security-framework/test/server.keychain and b/security-framework/test/server.keychain differ diff --git a/security-framework/test/server.p12 b/security-framework/test/server.p12 index 16082929..09472836 100644 Binary files a/security-framework/test/server.p12 and b/security-framework/test/server.p12 differ