RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 10:48:11 +00:00
Code Issues Activity Actions

LibCrypto+LibTLS: Generalise the use of IV length

Browse source 
This is in preparation for the upcoming Galois/Counter mode, which
conventionally has 12 bytes of IV as opposed to CBC's 16 bytes.

...Also fixes a lot of style issues, since the author finally found the
project's clang config file in the repository root :^)
This commit is contained in:
AnotherTest 2020-04-23 02:53:11 +04:30 committed by Andreas Kling
parent 7384d58a0a
commit a1e1570552
7 changed files with 3110 additions and 3060 deletions
Download patch file Download diff file Expand all files Collapse all files

499
Libraries/LibTLS/TLSv12.cpp
View file

@ -60,137 +60,121 @@ namespace TLS {
// "for now" q&d implementation of ASN1
namespace {
static bool _asn1_is_field_present(const u32* fields, const u32* prefix)
{
size_t i = 0;
while (prefix[i]) {
if (fields[i] != prefix[i])
return false;
++i;
}
return true;
static bool _asn1_is_field_present(const u32* fields, const u32* prefix)
{
size_t i = 0;
while (prefix[i]) {
if (fields[i] != prefix[i])
return false;
++i;
}
return true;
}
static bool _asn1_is_oid(const u8* oid, const u8* compare, size_t length = 3)
{
size_t i = 0;
while (oid[i] && i < length) {
if (oid[i] != compare[i])
return false;
++i;
}
return true;
}
static void _set_algorithm(u32&, const u8* value, size_t length)
{
if (length != 9) {
dbg() << "unsupported algorithm " << value;
}
static bool _asn1_is_oid(const u8* oid, const u8* compare, size_t length = 3)
{
size_t i = 0;
while (oid[i] && i < length) {
if (oid[i] != compare[i])
return false;
++i;
}
return true;
}
dbg() << "FIXME: Set algorithm";
}
static void _set_algorithm(u32&, const u8* value, size_t length)
{
if (length != 9) {
dbg() << "unsupported algorithm " << value;
}
static size_t _get_asn1_length(const u8* buffer, size_t length, size_t& octets)
{
octets = 0;
if (length < 1)
return 0;
dbg() << "FIXME: Set algorithm";
}
static size_t _get_asn1_length(const u8* buffer, size_t length, size_t& octets)
{
octets = 0;
if (length < 1)
u8 size = buffer[0];
if (size & 0x80) {
octets = size & 0x7f;
if (octets > length - 1) {
return 0;
u8 size = buffer[0];
if (size & 0x80) {
octets = size & 0x7f;
if (octets > length - 1) {
return 0;
}
auto reference_octets = octets;
if (octets > 4)
reference_octets = 4;
size_t long_size = 0, coeff = 1;
for (auto i = reference_octets; i > 0; --i) {
long_size += buffer[i] * coeff;
coeff *= 0x100;
}
++octets;
return long_size;
}
auto reference_octets = octets;
if (octets > 4)
reference_octets = 4;
size_t long_size = 0, coeff = 1;
for (auto i = reference_octets; i > 0; --i) {
long_size += buffer[i] * coeff;
coeff *= 0x100;
}
++octets;
return size;
return long_size;
}
++octets;
return size;
}
static ssize_t _parse_asn1(Context& context, Certificate& cert, const u8* buffer, size_t size, int level, u32* fields, u8* has_key, int client_cert, u8* root_oid, OIDChain* chain)
{
OIDChain local_chain;
local_chain.root = chain;
size_t position = 0;
static ssize_t _parse_asn1(Context& context, Certificate& cert, const u8* buffer, size_t size, int level, u32* fields, u8* has_key, int client_cert, u8* root_oid, OIDChain* chain)
{
OIDChain local_chain;
local_chain.root = chain;
size_t position = 0;
// parse DER...again
size_t index = 0;
u8 oid[16] { 0 };
// parse DER...again
size_t index = 0;
u8 oid[16] { 0 };
local_chain.oid = oid;
if (has_key)
*has_key = 0;
local_chain.oid = oid;
if (has_key)
*has_key = 0;
u8 local_has_key = 0;
const u8* cert_data = nullptr;
size_t cert_length = 0;
while (position < size) {
size_t start_position = position;
if (size - position < 2) {
dbg() << "not enough data for certificate size";
return (i8)Error::NeedMoreData;
}
u8 first = buffer[position++];
u8 type = first & 0x1f;
u8 constructed = first & 0x20;
size_t octets = 0;
u32 temp;
index++;
u8 local_has_key = 0;
const u8* cert_data = nullptr;
size_t cert_length = 0;
while (position < size) {
size_t start_position = position;
if (size - position < 2) {
dbg() << "not enough data for certificate size";
return (i8)Error::NeedMoreData;
}
u8 first = buffer[position++];
u8 type = first & 0x1f;
u8 constructed = first & 0x20;
size_t octets = 0;
u32 temp;
index++;
if (level <= 0xff)
fields[level - 1] = index;
if (level <= 0xff)
fields[level - 1] = index;
size_t length = _get_asn1_length((const u8*)&buffer[position], size - position, octets);
size_t length = _get_asn1_length((const u8*)&buffer[position], size - position, octets);
if (octets > 4 || octets > size - position) {
dbg() << "could not read the certificate";
return position;
}
if (octets > 4 || octets > size - position) {
dbg() << "could not read the certificate";
return position;
}
position += octets;
if (size - position < length) {
dbg() << "not enough data for sequence";
return (i8)Error::NeedMoreData;
}
position += octets;
if (size - position < length) {
dbg() << "not enough data for sequence";
return (i8)Error::NeedMoreData;
}
if (length && constructed) {
switch (type) {
case 0x03:
break;
case 0x10:
if (level == 2 && index == 1) {
cert_length = length + position - start_position;
cert_data = buffer + start_position;
}
// public key data
if (!cert.version && _asn1_is_field_present(fields, Constants::priv_der_id)) {
temp = length + position - start_position;
if (cert.der.size() < temp) {
cert.der.grow(temp);
} else {
cert.der.trim(temp);
}
cert.der.overwrite(0, buffer + start_position, temp);
}
break;
default:
break;
if (length && constructed) {
switch (type) {
case 0x03:
break;
case 0x10:
if (level == 2 && index == 1) {
cert_length = length + position - start_position;
cert_data = buffer + start_position;
}
local_has_key = false;
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
if ((local_has_key && (!context.is_server || client_cert)) || (client_cert || _asn1_is_field_present(fields, Constants::pk_id))) {
// public key data
if (!cert.version && _asn1_is_field_present(fields, Constants::priv_der_id)) {
temp = length + position - start_position;
if (cert.der.size() < temp) {
cert.der.grow(temp);
@ -199,134 +183,150 @@ namespace {
}
cert.der.overwrite(0, buffer + start_position, temp);
}
} else {
switch (type) {
case 0x00:
return position;
break;
case 0x01:
temp = buffer[position];
break;
case 0x02:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
if (has_key)
*has_key = true;
break;
if (index == 1)
cert.public_key.set(
Crypto::UnsignedBigInteger::import_data(buffer + position, length),
cert.public_key.public_exponent());
else if (index == 2)
cert.public_key.set(
cert.public_key.modulus(),
Crypto::UnsignedBigInteger::import_data(buffer + position, length));
} else if (_asn1_is_field_present(fields, Constants::serial_id)) {
cert.serial_number = Crypto::UnsignedBigInteger::import_data(buffer + position, length);
}
if (_asn1_is_field_present(fields, Constants::version_id)) {
if (length == 1)
cert.version = buffer[position];
}
// print_buffer(ByteBuffer::wrap(buffer + position, length));
break;
case 0x03:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
if (has_key)
*has_key = true;
}
if (_asn1_is_field_present(fields, Constants::sign_id)) {
auto* value = buffer + position;
auto len = length;
if (!value[0] && len % 2) {
++value;
--len;
}
cert.sign_key = ByteBuffer::copy(value, len);
} else {
if (buffer[position] == 0 && length > 256) {
_parse_asn1(context, cert, buffer + position + 1, length - 1, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
} else {
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
}
}
break;
case 0x04:
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
break;
case 0x05:
break;
case 0x06:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
_set_algorithm(cert.key_algorithm, buffer + position, length);
}
if (_asn1_is_field_present(fields, Constants::algorithm_id)) {
_set_algorithm(cert.algorithm, buffer + position, length);
}
if (length < 16)
memcpy(oid, buffer + position, length);
else
memcpy(oid, buffer + position, 16);
if (root_oid)
memcpy(root_oid, oid, 16);
break;
case 0x09:
break;
case 0x17:
case 0x018:
// time
// ignore
break;
case 0x013:
case 0x0c:
case 0x14:
case 0x15:
case 0x16:
case 0x19:
case 0x1a:
case 0x1b:
case 0x1c:
case 0x1d:
case 0x1e:
// printable string and such
if (_asn1_is_field_present(fields, Constants::issurer_id)) {
if (_asn1_is_oid(oid, Constants::country_oid)) {
cert.issuer_country = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::state_oid)) {
cert.issuer_state = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::location_oid)) {
cert.issuer_location = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::entity_oid)) {
cert.issuer_entity = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::subject_oid)) {
cert.issuer_subject = String { (const char*)buffer + position, length };
}
} else if (_asn1_is_field_present(fields, Constants::owner_id)) {
if (_asn1_is_oid(oid, Constants::country_oid)) {
cert.country = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::state_oid)) {
cert.state = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::location_oid)) {
cert.location = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::entity_oid)) {
cert.entity = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::subject_oid)) {
cert.subject = String { (const char*)buffer + position, length };
}
}
break;
default:
// dbg() << "unused field " << type;
break;
}
default:
break;
}
local_has_key = false;
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
if ((local_has_key && (!context.is_server || client_cert)) || (client_cert || _asn1_is_field_present(fields, Constants::pk_id))) {
temp = length + position - start_position;
if (cert.der.size() < temp) {
cert.der.grow(temp);
} else {
cert.der.trim(temp);
}
cert.der.overwrite(0, buffer + start_position, temp);
}
} else {
switch (type) {
case 0x00:
return position;
break;
case 0x01:
temp = buffer[position];
break;
case 0x02:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
if (has_key)
*has_key = true;
if (index == 1)
cert.public_key.set(
Crypto::UnsignedBigInteger::import_data(buffer + position, length),
cert.public_key.public_exponent());
else if (index == 2)
cert.public_key.set(
cert.public_key.modulus(),
Crypto::UnsignedBigInteger::import_data(buffer + position, length));
} else if (_asn1_is_field_present(fields, Constants::serial_id)) {
cert.serial_number = Crypto::UnsignedBigInteger::import_data(buffer + position, length);
}
if (_asn1_is_field_present(fields, Constants::version_id)) {
if (length == 1)
cert.version = buffer[position];
}
// print_buffer(ByteBuffer::wrap(buffer + position, length));
break;
case 0x03:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
if (has_key)
*has_key = true;
}
if (_asn1_is_field_present(fields, Constants::sign_id)) {
auto* value = buffer + position;
auto len = length;
if (!value[0] && len % 2) {
++value;
--len;
}
cert.sign_key = ByteBuffer::copy(value, len);
} else {
if (buffer[position] == 0 && length > 256) {
_parse_asn1(context, cert, buffer + position + 1, length - 1, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
} else {
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
}
}
break;
case 0x04:
_parse_asn1(context, cert, buffer + position, length, level + 1, fields, &local_has_key, client_cert, root_oid, &local_chain);
break;
case 0x05:
break;
case 0x06:
if (_asn1_is_field_present(fields, Constants::pk_id)) {
_set_algorithm(cert.key_algorithm, buffer + position, length);
}
if (_asn1_is_field_present(fields, Constants::algorithm_id)) {
_set_algorithm(cert.algorithm, buffer + position, length);
}
if (length < 16)
memcpy(oid, buffer + position, length);
else
memcpy(oid, buffer + position, 16);
if (root_oid)
memcpy(root_oid, oid, 16);
break;
case 0x09:
break;
case 0x17:
case 0x018:
// time
// ignore
break;
case 0x013:
case 0x0c:
case 0x14:
case 0x15:
case 0x16:
case 0x19:
case 0x1a:
case 0x1b:
case 0x1c:
case 0x1d:
case 0x1e:
// printable string and such
if (_asn1_is_field_present(fields, Constants::issurer_id)) {
if (_asn1_is_oid(oid, Constants::country_oid)) {
cert.issuer_country = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::state_oid)) {
cert.issuer_state = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::location_oid)) {
cert.issuer_location = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::entity_oid)) {
cert.issuer_entity = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::subject_oid)) {
cert.issuer_subject = String { (const char*)buffer + position, length };
}
} else if (_asn1_is_field_present(fields, Constants::owner_id)) {
if (_asn1_is_oid(oid, Constants::country_oid)) {
cert.country = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::state_oid)) {
cert.state = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::location_oid)) {
cert.location = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::entity_oid)) {
cert.entity = String { (const char*)buffer + position, length };
} else if (_asn1_is_oid(oid, Constants::subject_oid)) {
cert.subject = String { (const char*)buffer + position, length };
}
}
break;
default:
// dbg() << "unused field " << type;
break;
}
position += length;
}
if (level == 2 && cert.sign_key.size() && cert_length && cert_data) {
dbg() << "FIXME: Cert.fingerprint";
}
return position;
position += length;
}
if (level == 2 && cert.sign_key.size() && cert_length && cert_data) {
dbg() << "FIXME: Cert.fingerprint";
}
return position;
}
}
Optional<Certificate> TLSv12::parse_asn1(const ByteBuffer& buffer, bool)
@ -520,7 +520,7 @@ bool TLSv12::expand_key()
auto key_size = key_length();
auto mac_size = mac_length();
auto iv_size = 16;
auto iv_size = iv_length();
pseudorandom_function(
key_buffer,
@ -769,9 +769,10 @@ void TLSv12::update_packet(ByteBuffer& packet)
auto buffer = ByteBuffer::create_zeroed(length);
size_t buffer_position = 0;
u16 aligned_length = length + block_size - length % block_size;
auto iv_size = iv_length();
// we need enough space for a header, 16 bytes of IV and whatever the packet contains
auto ct = ByteBuffer::create_zeroed(aligned_length + header_size + 16);
// we need enough space for a header, iv_length bytes of IV and whatever the packet contains
auto ct = ByteBuffer::create_zeroed(aligned_length + header_size + iv_size);
// copy the header over
ct.overwrite(0, packet.data(), header_size - 2);
@ -798,18 +799,15 @@ void TLSv12::update_packet(ByteBuffer& packet)
// throws a wrench into our plans
buffer.trim(buffer_position);
// make a random seed IV for this message
u8 record_iv[16] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
// arc4random_buf(record_iv, 16);
auto iv = ByteBuffer::wrap(record_iv, 16);
// FIXME: REALLY Should be filled with random bytes
auto iv = ByteBuffer::create_zeroed(iv_size);
// write it into the ciphertext portion of the message
ct.overwrite(header_size, record_iv, 16);
ct.overwrite(header_size, iv.data(), iv.size());
ct.trim(length + block_size - length % block_size + header_size + block_size - padding);
// get a block to encrypt into
auto view = ct.slice_view(header_size + 16, length + block_size - length % block_size + block_size - padding - 16);
auto view = ct.slice_view(header_size + iv_size, length + block_size - length % block_size + block_size - padding - iv_size);
// encrypt the message
m_aes_local->encrypt(buffer, view, iv);
@ -1346,11 +1344,12 @@ ssize_t TLSv12::handle_message(const ByteBuffer& buffer)
#endif
ASSERT(m_aes_remote);
auto iv_size = iv_length();
auto decrypted = m_aes_remote->create_aligned_buffer(length - 16);
auto iv = buffer.slice_view(header_size, 16);
auto decrypted = m_aes_remote->create_aligned_buffer(length - iv_size);
auto iv = buffer.slice_view(header_size, iv_size);
m_aes_remote->decrypt(buffer.slice_view(header_size + 16, length - 16), decrypted, iv);
m_aes_remote->decrypt(buffer.slice_view(header_size + iv_size, length - iv_size), decrypted, iv);
length = decrypted.size();

89
Libraries/LibTLS/TLSv12.h
View file

@ -92,8 +92,11 @@ enum class CipherSuite {
RSA_WITH_AES_128_CBC_SHA = 0x002F,
RSA_WITH_AES_256_CBC_SHA = 0x0035,
RSA_WITH_AES_128_CBC_SHA256 = 0x003C, // we support this
RSA_WITH_AES_256_CBC_SHA256 = 0x003D, //<- this is our guy
// We support these
RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
// TODO
RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
};
@ -360,8 +363,48 @@ private:
void pseudorandom_function(ByteBuffer& output, const ByteBuffer& secret, const u8* label, size_t label_length, const ByteBuffer& seed, const ByteBuffer& seed_b);
size_t key_length() const { return m_aes_local ? m_aes_local->cipher().key().length() : 16; } // FIXME: generalize
size_t mac_length() const { return Crypto::Authentication::HMAC<Crypto::Hash::SHA256>::DigestSize; } // FIXME: generalize
size_t key_length() const
{
switch (m_context.cipher) {
case CipherSuite::AES_128_CCM_8_SHA256:
case CipherSuite::AES_128_CCM_SHA256:
case CipherSuite::AES_128_GCM_SHA256:
case CipherSuite::Invalid:
case CipherSuite::RSA_WITH_AES_128_CBC_SHA256:
case CipherSuite::RSA_WITH_AES_128_CBC_SHA:
case CipherSuite::RSA_WITH_AES_128_GCM_SHA256:
default:
return 128 / 8;
case CipherSuite::AES_256_GCM_SHA384:
case CipherSuite::RSA_WITH_AES_256_CBC_SHA:
case CipherSuite::RSA_WITH_AES_256_CBC_SHA256:
case CipherSuite::RSA_WITH_AES_256_GCM_SHA384:
return 256 / 8;
}
}
size_t mac_length() const
{
return Crypto::Authentication::HMAC<Crypto::Hash::SHA256>::DigestSize;
} // FIXME: generalize
size_t iv_length() const
{
switch (m_context.cipher) {
case CipherSuite::AES_128_CCM_8_SHA256:
case CipherSuite::AES_128_CCM_SHA256:
case CipherSuite::Invalid:
case CipherSuite::RSA_WITH_AES_128_CBC_SHA256:
case CipherSuite::RSA_WITH_AES_128_CBC_SHA:
case CipherSuite::RSA_WITH_AES_256_CBC_SHA256:
case CipherSuite::RSA_WITH_AES_256_CBC_SHA:
default:
return 16;
case CipherSuite::AES_128_GCM_SHA256:
case CipherSuite::AES_256_GCM_SHA384:
case CipherSuite::RSA_WITH_AES_128_GCM_SHA256:
case CipherSuite::RSA_WITH_AES_256_GCM_SHA384:
return 12;
}
}
bool expand_key();
@ -375,27 +418,27 @@ private:
};
namespace Constants {
constexpr static const u32 version_id[] { 1, 1, 1, 0 };
constexpr static const u32 pk_id[] { 1, 1, 7, 0 };
constexpr static const u32 serial_id[] { 1, 1, 2, 1, 0 };
constexpr static const u32 issurer_id[] { 1, 1, 4, 0 };
constexpr static const u32 owner_id[] { 1, 1, 6, 0 };
constexpr static const u32 validity_id[] { 1, 1, 5, 0 };
constexpr static const u32 algorithm_id[] { 1, 1, 3, 0 };
constexpr static const u32 sign_id[] { 1, 3, 2, 1, 0 };
constexpr static const u32 priv_id[] { 1, 4, 0 };
constexpr static const u32 priv_der_id[] { 1, 3, 1, 0 };
constexpr static const u32 ecc_priv_id[] { 1, 2, 0 };
constexpr static const u32 version_id[] { 1, 1, 1, 0 };
constexpr static const u32 pk_id[] { 1, 1, 7, 0 };
constexpr static const u32 serial_id[] { 1, 1, 2, 1, 0 };
constexpr static const u32 issurer_id[] { 1, 1, 4, 0 };
constexpr static const u32 owner_id[] { 1, 1, 6, 0 };
constexpr static const u32 validity_id[] { 1, 1, 5, 0 };
constexpr static const u32 algorithm_id[] { 1, 1, 3, 0 };
constexpr static const u32 sign_id[] { 1, 3, 2, 1, 0 };
constexpr static const u32 priv_id[] { 1, 4, 0 };
constexpr static const u32 priv_der_id[] { 1, 3, 1, 0 };
constexpr static const u32 ecc_priv_id[] { 1, 2, 0 };
constexpr static const u8 country_oid[] { 0x55, 0x04, 0x06, 0x00 };
constexpr static const u8 state_oid[] { 0x55, 0x04, 0x08, 0x00 };
constexpr static const u8 location_oid[] { 0x55, 0x04, 0x07, 0x00 };
constexpr static const u8 entity_oid[] { 0x55, 0x04, 0x0A, 0x00 };
constexpr static const u8 subject_oid[] { 0x55, 0x04, 0x03, 0x00 };
constexpr static const u8 san_oid[] { 0x55, 0x1D, 0x11, 0x00 };
constexpr static const u8 ocsp_oid[] { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x00 };
constexpr static const u8 country_oid[] { 0x55, 0x04, 0x06, 0x00 };
constexpr static const u8 state_oid[] { 0x55, 0x04, 0x08, 0x00 };
constexpr static const u8 location_oid[] { 0x55, 0x04, 0x07, 0x00 };
constexpr static const u8 entity_oid[] { 0x55, 0x04, 0x0A, 0x00 };
constexpr static const u8 subject_oid[] { 0x55, 0x04, 0x03, 0x00 };
constexpr static const u8 san_oid[] { 0x55, 0x1D, 0x11, 0x00 };
constexpr static const u8 ocsp_oid[] { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x00 };
constexpr static const u8 TLS_RSA_SIGN_SHA256_OID[] { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x00 };
constexpr static const u8 TLS_RSA_SIGN_SHA256_OID[] { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x00 };
}