From c96f02aded4b0efd67ee29096cd17b2982d2dfb8 Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Sat, 3 Jan 2026 13:55:58 +0000
Subject: [PATCH 1/3] update real world certificates
---
 admin/MAINTAINENCE.md | 2 +-
 .../aws_amazon_com_valid_1.crt | Bin 1632 -> 1620 bytes
 .../aws_amazon_com_valid_2.crt | Bin 1122 -> 1122 bytes
 .../letsencrypt_org_valid_1.crt | Bin 994 -> 1099 bytes
 .../letsencrypt_org_valid_2.crt | Bin 1115 -> 1114 bytes
 5 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/admin/MAINTAINENCE.md b/admin/MAINTAINENCE.md
index 3db38dbe..1ac3d71a 100644
--- a/admin/MAINTAINENCE.md
+++ b/admin/MAINTAINENCE.md
@@ -10,7 +10,7 @@ on our mock CA and the certificates issued by it. As such, they will expire abou
 Thankfully, updating these has become easy:
 - If the `verification_real_world` tests are failing, do the following:
- 1. Run `cargo run --example update-certs.rs`
+ 1. Run `cargo run --example update-certs`
 2. Using your tool of choice, update the hardcoded time in `verification_time` to match the current datetime.
 3. Commit your changes and push up a fix branch/PR.
 - If the `verification_mock` tests are failing, do the following:
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_1.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_1.crt index 3ca3b8c2a3d3b59665aa14d87b1544118ecfe2ab..3e6174d29f680a71a70ca0e1d2d6b909c5699bcd 100644 GIT binary patch delta 1204 zcmaFBbA?CVpouNOpo!ID0W%XL6O#aQ`PSDHr>e>>%b&E;<<~NgiSj;DCI)iiyhf&m zh6ZK^U=Ri5ni(1xnon$Xu79XhCzC(zSe{5lpZoV-^=PO5mMOm-LN`b%?f8`Wd53nr zM~^~r{4=BFdcFQP_m#B9ap;&QDQ^e~$>X`W>C7{YA9|-BO=c`-h)eUko#AJE=G?aD zA+7d%Zu5xpEPNETtf0Jn;i0sTdjp?dnAAS$j6;OF)pqj@njKz`E}0tFsASexHt~rw zbuzWb?b4i}p}%UMneFa1OO~z7y}rj`>qf5&jc=}}>^T^#V*Yxjg7>o>6_fuy+O)aR zTH%`2A;nY8JlX<5i}RZg%KsAo>d+_c@sK}jt;PipSqVFiB_8I!cdBOyZ+NxrrM0H{ zk|Q@O5BdpTW?6f4iQ`VUL+c+lzI(rU?{xoXf=tYe42+ALnDY&qn6nM!*_cCRm02VV z#2Q58gC-@0HHFkSrrnUW#iZ+H(MvA4PR-%k_V@PN z7ZQ_2ndB!YF-c7}VG<^qF=>eigG^Ut;W6N1%L1khEtu0+L0{x)70i6TRfr zA_E?fHep7_|13-f361zDJ!1-c(in}3DDvxe$MT`-W+`2_*qg#ZG}WCs&>$S$M4)l+5gm40zc%wc0$|zVk9Na#4rWymR#)hCWcP zQ+xaJ*5+4^FH_0`U83App9uT>db`m66~}g#wO1WakaD-GzVT7_eD6WkFoPR<_v}|~ z%*tdqxiuzms}5sM=!4$>?mD|aG^U-jQAxkW%UOEF^OyP3ZSrb!=T3T<+I#-vgX?+* zdouRVd9?X~-kamO(vF)IFJ|3Zzc=Hd6;G!{i7 JFXj15Y5}>K@C*O| delta 1193 zcmcb@^MFU*pouNUpo!IG0W%XL6O#a+h3k)wlY1lmvzIbztm-tKDDNX>XdoxfYh-F* zZeU~p22nt+nSq&+#l%+U`XfoI{XX3)8aJA|{w8s-@Un7wL`{C@Eg>WLsp3pV#4TNg z$LHm>b}bdP_wQYB(A>AYOo(myheu5tpS|AAv1HEt=2m8oBW`+W^Vp{e_KQYtyt*db zsWk7@pPNo69=X(VnC-G+f4NO}&8oVj2duSQA0%BUmRVbWMfLKG%{OEA-LI?XzCTxC zUXR~fQB9FWavLizc3k@4op@fl{5i+Q-+CSEdW!nhxU)_AcQt9IR8)O()Lyjbtx<`_ zpHnr0SM^^Ul=WuU&|5p9>xrpN?6;c{AGg~rj#-__m9q8{^bzY1fHj{hQNCT2zk#>Gv{)do$>%%QT%ED{D{ z4I+&@_>#Lig(RN-vbGMGI{(?z3Bs)gvLFR~EMhDoz72ZWFGK_Cuiey{dG6s~yS|b+ z>61m758^XPF}%YQK`GMt{Yfh$0U>+wd(dX|a7c6C-WlXf}8M24NR zI6qq{-mjgZoFPT{;!v!G1-~RDJcUe^;4L)}H+UwYUUqv4?>h z(A0%{Gw+u6KGHwhr4(4qt z&fDV5#ASNXQmt$k!oOTq_5OGQXtU>>*_robYu@}ZyLYxdW!aAC^<3=@k{3gRe!qOJ zdH2U*sLfqSHt%CN_u~!UO zsj!0OAxsS&t^v#UwVnUrI6+Tv_k%4iJ{npclO0$^>dStq8lOGQo*VP^w^I7_-#^~& 
zH~crFdTNNa!es858S5)%%RVk`_n9jlxWd|3=IG1HAeX6mwVum!zZuV6c4bAi?HPsI zS!#+G#I3fT-7~LRp83j4?Gw|Krq1wK|3vp}N%!Wpvm*4k4YoBLGx~P*hnGaetVn@3 zFD~z!HM2Benod%F{ZFN$muj~rMV`;LOLVY!w6Rp9;nx4Dn->(^5cRyd;&<2mz56qA zJSSUp^4dI}!j3`^i2OD2~T+I?%pnAJewRP3e{a?M*taw=`@9JmLoDBfWjpv^L 
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/aws_amazon_com_valid_2.crt index f1e3552db0fb52791734986d9039fc0ea016e5f5..46289c19da4673c0f13859e5253e7824f0a2acab 100644 GIT binary patch delta 617 zcmV-v0+#*a2;vALFoFbLFoFX{paTK{0s<2Ua}rM~l`cNfiden4T^qp8Unh|wR}wZe zHCh)9GcYhXGBYwVGBz_ck&8Y7G?B_7f6eJt9)OhtspA*B@1b3I_40Z+0N=@&$67A; z`0J%!l74@`qM%BH2w3Uk>_BnQYbAjt&}YAev)`@iM2;6yA8f!8N!L{8XL9N|%g32& zw)$EC(F5%{_1!0D#{{~;u6Qjc@qyBwXp{w5ttMc-0guv0nNHdtC-s{JCID!{hxFE(U7)ZQgQprW z<20gg)gZE(YkdXvZ|m_0+K0Jq0vTD8>j7I7A5xNGR)SQ2fo9kpJqoHaT!-BVvswZO z0e?Q!?o_Y_jk#^*A2MyE(Xa+~UG)JN7Tjrw3CL+)Dgv3tOVfhGmQTVbyJ0CqWL|Q} zQ|uNM0@)94Bz8Xu6?JczNQhzd`>(L%_zH=QOj_lW@lYBjF>$`=Ozp4UeBF~H4OVxh zf|sTdip!^s1FJ~?uAZR01D-S_+?mvqgn!;OYHHoiWD%e;_@Q<^uw!k+rw6R8sF2P< z^P2RB>$BBcjGS!zwD5IVoE%x?+T|E;Tfua9eAL>{=ROiXoa71cBYLDbSQ3&A*zcDe z7e1*w`Xwvpw*su70n7ASJm!!y?gl$7xtPKnz`5#y_ZXQK+tA|LK549STfvyd)&eQi D@5U+F delta 617 zcmV-v0+#*a2;vALFoFbLFoFX{paTK{0s<2Ua}qcUoo0xmJ097;oXw_=4iAwcR}wKY zI9eACGcYhXGBYwVGBGkZk&8Y7F_Fq4f9r89smmXTD3UTTuZmX>c(*qtl~sqVXIz)l zBFNgJ6lZIE@MqfM11hst5?#i%NBL(6r;~b>k{A!P`S}nwntv~VwokefPRCtS9^l=U zGY25kmb?<=bWlQ}1ru|%Pn$#}{w;s)yds6{HX$>Ybq3BS7=qm6*~Nkfjb0`Je&oa7et$1Yos{alGJO|&L1$c6d{pxkM11N;r=xzs$&`^c%fmE__ZtQJh?~jzj zUg^Z7(2>9{B$1fP?z$z8)b??<`&(-`21qwYjfULv>IVCEH+`P}LQYLsf|JkUal&}9 zdaFxYlsAZhj7I7fw&H1iir{!<@!52P?ewN<&YDFvswZO z0e`Ik-U0<9E(S7Uv}>`H7UU5?-Yfc9!8PyTs*fu{xzY27IRG8A{-hT$-jGuFhpG`T1%FY=!orTGs$@ow|wtk4A z@5+P*i%_%*T&5gE@%_kQKw$D=C8`JX$HH@U4v4Jx_7^>ef>Q(VadT6bGjxf+ACNX$cghB znHm}zSQuKEm>8Kw0l8)dMh0eJuIa=E3y;E`cGdCH-=1rP-7(8Qbnbf4{u&#*O)HK1 zDj!aKmvG(A=Y-?_9n*6TdK_!8v;MGHOWi7UukO9Xyp6@_Hv50Qez>@a>4rfQ)0Ih# z9;VK*+e?ZMlpDVObBU|LYhT`kQi;K!MCi@(PMJka zdJKD3`)jaYkuz0a{p#OU=99H&KQJ&b&Pw^`x{85;g_*(Kz?DgnVF_P-J?CDFbqNt~ z&d=VvX_;NE+~m+*JJ*-n%(%U8k3nVvlS1uVHrbu~Ze*GXE1Q&du%}n=I-tMl?Hq}y 
zQ>v}*i*zFx${9{ud>8GkX<6tJAARud?~{3-W<{QL=gMSl-Edmuut>ynsKq~E}iFs4WyRPgS!HauE-aS6pC~jJ`zIwvW4-Hx;OM?Io3^fD* delta 671 zcmX@j@rYf~po#e&5T`6)W@2Pw5@OTQpW;5Co0-2m>I~4^BS2N zSQwZX8XB1xm_&iNhK2@4V6O4R1`CghEgbg*@1-5mKWXZhUAo}T*799(vi4l%cf_*$ zm%P4R_IKm-V#B5FuQMuMd=47K&12J&pop|Z*>5(Z)oB9qnKW-zY|%;=kO?TC}dZRPzD zQ!Y)eWmJUwgrJ zXvrdm@Y|b#7#L@ia?FfiU|?Zpa5HdWQV8z5&GEQi zf6wPXI&ZnI*c{!I)X_g@#!ls}4UImBZ#;Vck4Zu6<=F``y|16HPnF)@SGy*v$$9m@ zZ4XxR>|pozzc$H8lA(;@?wwO6Q?EZ1V|_l==-2W2KWt?J?%!sx5)mrn(pj_ngcj7^ z8nC_Y2Chts467Z~Wvq|AOmvKKxL#kw_%Hs}4wnPFmP`l{{IHW{%Bk)rObVjCN;g%e z&o^*+|Kv_ znI{`Wy8K}hoWDP{ul&hR$$G^r+vUGFPWbDrQBkr^BijAS)jwbM#eCK^yj1-X03*W= AegFUf 
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt b/rustls-platform-verifier/src/tests/verification_real_world/letsencrypt_org_valid_2.crt index 67d933a8327620d3db96399972e27b6dfe20c8e6..b187e36c701953011c794aac8f903d780efe9390 100644 GIT binary patch delta 713 zcmV;)0yh2I2-*lAFoFbDFoFU;paTK{0s;_Ym6Kz_PH=*8Ss1^=*X>r3AhUlsFm^By z1_vsJNX|V10R{ytfdl{|17ZLK(Pi>p+)K0!0-Vya`tIp$t2(YYq4d-_GBd?O)XXys zG{+$zkZ@e+VlNzVvqIN-zD5nf+ee`jpvT{VCSyC)jUDzqf-^Gq^egA}mO8W(XBc~H zK8;A(>fY_HZ9a!gqk;G^f%TJ80ZtT;4HKgFE`HHaY%>@*U0IGJa*@iDv;n7oXA?+9 zAkwS}g`&}Xb;=Aw=BS|(HgrUd?MR<5Lv_39vW=t3GRC&}yHDxCIcHKysN_jz3)HIMhS~3Am#Ht-LwrE?y9?f*0dU3 zxVtNX)0b)^l65ZdGb-hsA~f~1|0)WMQWN}Xiyt9hXKmgezmDkCfK$b1K^13AQpgig v7jqk+W@lk>RK}BIO=HTXr~@37CaSO;4rPg)%LQY2(z{rozjK}hes!Zsei>FR delta 714 zcmV;*0yX{G2-^rCFoFbEFoFU>!bR)>e?N-5~tKA*-;d+VSII# zzak4cAJx9m3P!3eJW2_KF1|pORp}W(H)eJ1GER2{N%(Mk!x-nz_i+&ZtaR7_)a`8? za~3lYoI0}VY-04ixTAsiFoE@xQ2|aAlP5-)1F2DHj+oZOLP*;qzgU#gld}P*e|?L4 zN+30|1%?QUZk|p$uYd%^gj_Qj3V}#Xmb&lM9kqn!mpA@qh);_-HtTX_KQr8~3!@cd zz4RE-XfMJcC&>K1vx}t0HrV6(ZKSo6)(o!D)0YBApl0&ZgyBs`feuR&^%$-m_?%{- zUUdgZ7p`e$=xKO21_i?6VXF|YfAJ3H3~{u)lbQ<$Naa!m!A_sqV861&2>QK?xt||- zsm2P?DJ(~%>KV|b%y1u}9_!_jQRlYz2-0H=LrI}xKB~0AQno>LMv#WwgWV$vRS62N z@MU|m%bSvPbF=Nj{28_N5l*5b=?+XU$k*?g4R~Hms;Hv5p`SB^J@$}Pe^8Sayt$OF zhlZ0PVR4dsxAz8t#DrH9h|0!LCPB^+j8(rAkd%nBwrDfTght8RdO=#Vq4S) zYkHoOx}gZc-d~S3{R5=|`-x0%aGIBy!h4i7w{-J`)47=h5ApL(}|9|MQ1K wS3r`D)PLD~nKOAQ%EXE;0QGRFg9G9bg5!e=7tZy}m?923zuASD1RL@nP9z0W+5i9m From 9970b4c69caa83db1e8489f68ff25d86aeb51826 Mon Sep 17 00:00:00 2001 From: Conrad Ludgate Date: Sat, 3 Jan 2026 14:20:49 +0000 Subject: [PATCH 2/3] update fixed time --- rustls-platform-verifier/src/tests/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs index b2cf3c49..134a20f9 100644 --- a/rustls-platform-verifier/src/tests/mod.rs 
+++ b/rustls-platform-verifier/src/tests/mod.rs
@@ -62,8 +62,8 @@ pub fn assert_cert_error_eq(
 /// we know the test certificates are valid. This must be updated if the mock certificates
 /// are regenerated.
 pub(crate) fn verification_time() -> pki_types::UnixTime {
- // Wed, 13 August 2025 19:31:53 UTC
- pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_755_113_506))
+ // Sat, 3 January 2026 14:20:06 UTC
+ pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_767_450_006))
 }
 fn test_provider() -> Arc {
From 0818ce807e1ee1f733a723953acf68c33225f6a0 Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Sat, 3 Jan 2026 14:32:02 +0000
Subject: [PATCH 3/3] fix aws name order
---
 .../src/tests/verification_real_world/mod.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
index 6cec9763..eeb3deb6 100644
--- a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
+++ b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
@@ -69,12 +69,12 @@ const VALID_AWS_AMAZON_COM_CHAIN: &[&[u8]] = &[
 fn valid_aws_chain_names() -> Vec {
 const VALID_AWS_NAMES: &[&str] = &[
 "aws.amazon.com",
- "www.aws.amazon.com",
- "aws-us-east-1.amazon.com",
 "aws-us-west-2.amazon.com",
+ "www.aws.amazon.com",
+ "1.aws-lbr.amazonaws.com",
 "amazonaws-china.com",
 "www.amazonaws-china.com",
- "1.aws-lbr.amazonaws.com",
+ "aws-us-east-1.amazon.com",
 ];
 VALID_AWS_NAMES
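Review bot: The doc comment above `verification_time()` in `src/tests/mod.rs` still gives only regenerated mock certificates as the reason to update this value, yet this series moves the time because the real-world certificates were refreshed. If the mock-CA tests read the same fixed time (not visible in this hunk), the new value must lie inside the validity window of both certificate sets, and the series does not regenerate the mock certificates. I would extend the comment's last line to `/// are regenerated or the real-world certificates are refreshed; it must fall inside the validity window of every test certificate.` The doc comment begins above the hunk, so its opening lines are not shown.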
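Review bot: `VALID_AWS_NAMES` in `verification_real_world/mod.rs` has no comment saying its order is significant, although this change keeps the same seven names and only reorders them. Whatever depends on the order is outside the hunk, so the next certificate refresh is likely to hit the same failure unless the constraint is written down. I would add a line above the array such as `// Order is significant: keep in sync with <what the order is compared against> whenever the certificates are refreshed.`, with the placeholder filled in by the author. The body of `valid_aws_chain_names` continues past the end of the hunk.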