[continued from previous message]
A1UdEQQCMAAwCQYDVR0SBAIwADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQC AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAKuuWlmhDFQPY PpHOlO3bERkL/RHXH+eUw8XLBl2Q4WTgO1gwYraPUQthCmrch1Z4UKzOrjafV1tE dUQi1MWprfBLLc5/8VoALRM5FQ+IPiop13RLrlVskdQIeGhLIt2Rwj3u4xZ/C91s BkB+PBxBanXTlM03DffOI5cXFA04KvCxkFqgQ1Y+aBrvNuaGizoAhrdCCu6pmJNK xMCbbng2Yyb9qs5gr5DB5j18z3nxpK3O1Kh4iATQZpVbtdY/K5b9dbUqxeoTaLb8 Dx45LrnbgFdmfFr2QEwrXsrn6CT/AMO3BdksXc8+rbZGqX/dyBxVcxY4x80HE4d8
yQBcW2FY6w==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness ---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_pss_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 2707 bytes and written 1613 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 49AEE773828387956A06C5226AACECFD941DFBD7A84F4A2675820F51DE0D30D3
Session-ID-ctx:
Resumption PSK: 80F84ADFBA8C10DDBBAD66FC18217E4F9B251514BF3077379238DD30E57C3F09EC434FE607E581AF03AC3E3840EC0ABB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 58 e3 c9 f3 25 1a c9 73-29 14 99 b6 81 4c 3f 39 X...%..s)....L?9
0010 - 9a 28 39 2f 70 2c ac 6e-09 7e 09 6a 23 2b 0d 2b .(9/p,.n.~.j#+.+
0020 - bb 32 34 fa 3a ae 03 4a-aa 77 ab 25 85 f0 90 a3 .24.:..J.w.%....
0030 - 2a ea 09 87 87 df 60 63-7f 3e 24 78 93 f0 a3 54 *.....`c.>$x...T
0040 - d4 c0 d0 ae 83 2f 5b 0b-ab 61 1b df 9c 86 dd 7b ...../[..a.....{
0050 - 16 43 ed 05 a1 b2 b6 bc-d6 a4 a2 63 8d 88 9e 13 .C.........c....
0060 - 7e 17 24 35 9f 17 13 64-32 ef d8 66 aa 82 49 d4 ~.$5...d2..f..I.
0070 - c9 42 ac ab 8b 7a 02 43-f4 6c a7 fe 3a 22 05 7e .B...z.C.l..:".~
0080 - 2d d1 4c 18 07 3b 0c 98-45 0e 19 8e 93 cd b2 5b -.L..;..E......[
0090 - 05 2c 78 ea a2 01 17 09-32 54 4f ce b6 5f 1a d7 .,x.....2TO.._..
00a0 - 57 51 d8 c3 26 cd 03 34-20 19 a1 bc 66 4b af 82 WQ..&..4 ...fK..
00b0 - db d0 01 e8 3c 48 6f 42-d7 6a ef bd ef 4a 7f 51 ....<HoB.j...J.Q
00c0 - 0f 12 85 08 ca 0c a5 18-87 fd b7 fb c1 0b c1 54 ...............T
Start Time: 1744452409
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 85BFED1A87C0519A47217273711A6B45F73C4B4FF155536D3B7E7B6E7D3E5E70
Session-ID-ctx:
Resumption PSK: 4222E487E008A8F35F07F4A309DCB7E93DAEF7134FB93D129B9461D69EDFC98E24ED4AE1D0EA58050F9DC71824CB9682
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 58 e3 c9 f3 25 1a c9 73-29 14 99 b6 81 4c 3f 39 X...%..s)....L?9
0010 - 0f 85 bc 86 33 ed e9 94-2c 33 67 f2 03 cb 02 3a ....3...,3g....:
0020 - 23 a1 00 02 b4 b3 8c ac-e3 81 be 44 a4 ed 07 ac #..........D....
0030 - c7 c1 c2 c3 18 9c 70 44-b4 fa b8 5b 76 de 19 0d ......pD...[v...
0040 - 81 37 3d 9d 75 b3 67 83-e4 61 e5 41 e9 a1 a0 96 .7=.u.g..a.A....
0050 - 18 6e 58 cd e7 ab 69 ad-b2 21 3c f3 8d 39 bc 96 .nX...i..!<..9..
0060 - 56 9b 33 fd 38 b2 17 5f-1a 6d 3a af 0f 0e 44 7b V.3.8.._.m:...D{
0070 - 6a 74 a5 ed 23 95 3c dc-cc 44 98 f3 18 75 e6 e1 jt..#.<..D...u..
0080 - a4 b7 e1 b0 6d 28 71 e7-f2 78 0c da 6c e2 85 df ....m(q..x..l...
0090 - 3d 7f 37 76 18 a8 00 ed-92 32 e2 71 cf 2e 73 9b =.7v.....2.q..s.
00a0 - 53 74 cb 9b 9a 4f 7b 98-19 d1 5a e5 aa 6f a6 50 St...O{...Z..o.P
00b0 - 03 c8 64 ef 6e 1d 05 0a-ef 15 b5 f4 49 95 de 28 ..d.n.......I..(
00c0 - 9f df 40 27 7a 48 4c e7-a3 38 fc 0c ca 5e 2a bb ..@'zHL..8...^*.
Start Time: 1744452409
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
TLS SUCCESSFUL
4067A336C27F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%10 -cert /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/rsapss-default.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MIGDAgEBAgIDBAQCEwIEIJgoBHqRiBuAMKa3xsB+LmQrxd53O6sMzwGOM4QNxwLY BDBCIuSH4Aio818H9KMJ3LfpPa73E0+5PRKblGHWnt/JjiTtSuHQ6lgFD53HGCTL loKhBgIEZ/o7OaIEAgIcIKQGBAQBAAAArgYCBCWYbsuzBAICEew=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_
sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_
pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
Shared groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run sanity test with RSA-PSS and SHA256
## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%11
openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}
spawn openssl s_client -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness verify return:1
---
Certificate chain
0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
a:PKEY: RSA-PSS, 3092 (bit); sigalg: rsassaPss
v:NotBefore: Apr 12 10:06:49 2025 GMT; NotAfter: May 12 10:06:49 2025 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIIFKDCCA12gAwIBAgIUGiHGdjt+YGVYozj2Cev1xzL0hCAwPQYJKoZIhvcNAQEK MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0 aW5nIEhhcm5lc3MwHhcNMjUwNDEyMTAwNjQ5WhcNMjUwNTEyMTAwNjQ5WjBnMQsw CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy bmVzczCCAaIwCwYJKoZIhvcNAQEKA4IBkQAwggGMAoIBgwutLhvNeepdlghz7NR5 xm724Ie9f4G3EEvAoEBu5tNDIoEkEsueAZ58Hix7Y+px+QV++GEJ0gUrgGUo+n6O 7jPzmANX8MFH1VoSei+EiHUHwOh88cH6sCSVzpw5upAXSpmYQDolbaPTIR0AI9KO WEUUidHFYTOHjyhpSeNDa36pmYT1Tkk/T0eJWuv4nRLzWluzzH1H6Dpfxfth36D6 dpXw/ueMmHRoJR4DagUC1OdsVPiqiZ/tQRhRpN6VPOlPl1OsiNL+zdSA7YR9kIeN SaYmN6lbaIWUnT0tOW6I+lO4aXXXHW9bT7jokM75PB/zXighvZV23vUu8loxyk60 kaO9x+xs1niN+C4X6VQt5ykHQnfi/zUfY7EE11U2GWPLjGu+t5dX7U4wF8g55BWX sYirldJAh+a8AnOphhXukUa1uJYp87iW/8yQcHE2oIpugAW5mz8jYYtkggk26kTV 3StR3J1MYtuxmk/9OdzOfX/yHmS8cZUkxy2u5R+St3J1JuQZxQIDAQABo2kwZzAd BgNVHQ4EFgQUNinHnsLF47xghAzm488jPEpvutMwHwYDVR0jBBgwFoAUNinHnsLF 47xghAzm488jPEpvutMwDwYDVR0TAQH/BAUwAwEB/zAJBgNVHREEAjAAMAkGA1Ud EgQCMAAwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B AQgwCwYJYIZIAWUDBAIBogMCASADggGEAAHqmf45IGVjBNZ5k42aM8RAp3XrbDlU ock+wFDqo5BCIg1yTakpg35dbPLe7LLHmULfcySamzC2zyqgkW/Zo1iI9APv71Ge 6vp5Wza0A9BUiTgR/Tj3Imgaz30Dl8JHmsGjo1fIIecUD+XRsWuQHrMnZJ4aW7/6 XV8g5jxqfe0jaI85BDQIx4v6W+L/Y2YQE1DvydeWwBn6lKEA2J6ufXDSu0Iv4FP+ /1YP6KO1MOJXt7GzyztNp8RdVM4VuqaVWExk3rJ3D6CbZEimjlykyYNy3EtLSRGh fwnllakRG/8aG08SafmjqT+DZ72MWjfSrsjAu1jeixFuEYnNdfgir+EJIPR0AEy3 x3nX+iZPb/VxP62Ze2OZcsuwFq08PU86Xnf8ERSLvHJhMzcGK23lSp2FKdFwvDLP obL0ho6k+WYrV3kH313az/GTXO2s2K+vMnk1vIJyFiV3/YgdjMZKTdDYrSlWK9O2 ToWGhSFauEP5VvJIoRXN0UGK9esYEbsbHxNV6g==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness ---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_pss_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 3099 bytes and written 1613 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 3092 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 87018EB78A6EA5C514452F3C0DD61C0C7E920224A4ED6641CD7BD4D56C3D2773
Session-ID-ctx:
Resumption PSK: FF5DC54717CAF74CE77278FCB03B5AE73167F52360DF164F2E1AAD0B2C6C8D99883EC7185128662031FD0EDA0176A6F2
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 8b fa 63 65 9b dc 8c bc-8b a1 b6 39 ec 00 1c 4a ..ce.......9...J
0010 - be 2d 5e 2c 49 38 79 28-21 b4 a8 25 eb 30 3f 2e .-^,I8y(!..%.0?.
0020 - 4d e2 05 1a a9 c6 12 ce-e6 7e c0 f1 50 2c d2 15 M........~..P,..
0030 - e3 3a ad 5a 4c 53 f5 9c-2f 18 58 c7 e0 7a 3c 8c .:.ZLS../.X..z<.
0040 - 83 8e fd 2f 9d 49 5a bd-46 ad 7b 2d 71 a0 78 a4 .../.IZ.F.{-q.x.
0050 - 3e 06 d4 1f 94 55 9a 2a-55 cf 9b 7c 35 67 29 68 >....U.*U..|5g)h
0060 - 82 e7 af ca 3c 0a ad 34-15 52 18 5f 66 ae 12 3a ....<..4.R._f..:
0070 - ba ea f1 d1 1d 6e 21 65-a5 5c b7 7e fe 4d e2 f6 .....n!e.\.~.M..
0080 - 89 d1 aa d9 bf eb 8d 35-69 3b 61 3b 2c e9 31 31 .......5i;a;,.11
0090 - e8 99 49 6b df 0d e3 dc-ec 05 0a 0d 2e 58 bc 83 ..Ik.........X..
00a0 - 30 83 a4 d6 8e 6c fd 7c-c6 8a 1c dc c2 b2 f6 53 0....l.|.......S
00b0 - 7c c9 13 b0 13 17 e0 87-f7 ef 05 ad 18 23 19 1d |............#..
00c0 - e2 b3 73 0e 70 6a de 81-a8 65 43 0d 18 3e f5 f2 ..s.pj...eC..>..
Start Time: 1744452409
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 533C8C5257ABEC484CB10CA18A063FDFA85C4C369C0ED134FEFC7099F2C7FFAB
Session-ID-ctx:
Resumption PSK: E7DFD0A5BD179894F1C5534E648AEC699E38E7CC91B0DD668133E6DB3F9958E6312E006743F82D5C8F1D0DBAA9E817D3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 8b fa 63 65 9b dc 8c bc-8b a1 b6 39 ec 00 1c 4a ..ce.......9...J
0010 - 95 fd 16 bf 34 ce 1d ac-e6 a3 ca f6 16 11 dd 71 ....4..........q
0020 - 89 f2 b4 38 bd 92 66 fc-49 4b 66 aa cf f4 8b 96 ...8..f.IKf.....
0030 - ac 50 dc 87 5a 8e a8 02-7b 4d 21 00 fe 89 e4 9e .P..Z...{M!.....
0040 - 0d 6b e5 93 18 32 f2 c2-b7 83 78 43 3d 1b 0a 8a .k...2....xC=...
0050 - cc bb f7 f2 41 37 a2 12-23 9e 77 0e 33 58 7d 4e ....A7..#.w.3X}N
0060 - 11 29 5a 9b 69 d3 1f 82-c1 af 3c 6b 45 48 80 72 .)Z.i.....<kEH.r
0070 - 6f 20 f9 61 27 49 13 2e-11 f4 5d d6 47 59 07 d4 o .a'I....].GY..
0080 - e5 74 3a 0e 57 30 9e a9-97 a2 a1 69 14 d8 34 31 .t:.W0.....i..41
0090 - 37 e4 2e 05 07 21 6f 98-ae 59 79 54 73 14 93 08 7....!o..YyTs...
00a0 - f2 c3 8d 90 3d 47 2a 77-6f b4 09 09 0a c5 9f 66 ....=G*wo......f
00b0 - 78 83 20 2a 01 52 1b 9b-70 1b 21 d5 74 f1 9a 8f x. *.R..p.!.t...
00c0 - 63 fc b7 b8 b0 a9 8f 5f-32 02 6d da 77 02 77 95 c......_2.m.w.w.
Start Time: 1744452409
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
TLS SUCCESSFUL
402711C7D57F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%11 -cert /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/rsapss-sha256.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MIGDAgEBAgIDBAQCEwIEIMUYlGrp7y4iGX190aSOfVcwklKffuEgPPetN5oiLEy7 BDDn39ClvReYlPHFU05kiuxpnjjnzJGw3WaBM+bbP5lY5jEuAGdD+C1cjx0Nuqno F9OhBgIEZ/o7OaIEAgIcIKQGBAQBAAAArgYCBBBsvvCzBAICEew=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_
sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_
pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
Shared groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run sanity test with default values (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My EC Cert
i:CN=Issuer
a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjAvMRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB BggqhkjOPQMBBwNCAATBhC6Bskae48wDIXJQXRNVcx3n7y90X+kO5StIXCuMPHy1 KKX00cXF6UXUHszjlvS2SMrVZQvJc2WTOiDTiv27o4GBMH8wDAYDVR0TAQH/BAIw ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC B4AwHQYDVR0OBBYEFL+L0nMF/mpdNL6bGu74hnxx2622MB8GA1UdIwQYMBaAFCyg 8iYK7eejABnMyB2/g2vveKgPMA0GCSqGSIb3DQEBCwUAA4IBAQA50M5wbeBoxn/E X6VGW6QqIvM6rSi+/1e4bPpF3QAWDQDe1dktyIuV+S845UEW0+evWQzNIvPuahXJ gqOHJyTVYJNK2UZHd1P0GMCbnNwAFPuJtbikTG0XXj5mCmDDGfjMDe7f4iB7yoho eXijLDEYcSu9EBSHTKMFl1KHYI59fKsFaG1/vblPeRiXYwGpynuWnS9hiRpM5Bng FVSuHPZaD/CsVje/tqIzp7dx+EVwAmCEbWSLuzM8SvOf7LPU8NJOfUHTKPnq9ul7 UbgGKwA4ITGLF6tuviJ+AXVkF6k/mlEGBU2AeEVrYxsJfIpZ9iUGLRw0DYHX9pXy
B4KikiF9
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 2088 bytes and written 1613 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: EBB2474E435FA40DB8C40B059562864D1DFC2310976036C0C029FBC61E214A16
Session-ID-ctx:
Resumption PSK: D9C40B5053939CFD50DF84B1FDB00337CC8524F8895B1D67D3C6426EE0C0280A1E3ED7E145E5938905306BFB308259C0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - da f1 3a f0 3f 79 35 ca-cc 7d 56 13 27 37 e4 d5 ..:.?y5..}V.'7..
0010 - b7 4d 64 56 ad c5 0f cc-47 eb af ef 29 f3 f6 a9 .MdV....G...)...
0020 - 52 83 26 68 e5 a8 80 a2-c1 e9 7e 16 ff 48 67 41 R.&h......~..HgA
0030 - 24 ea e3 db a3 df 79 85-5f ba 84 05 56 39 1f c2 $.....y._...V9..
0040 - dc 06 7c 7e e5 5f c3 24-0b cc 6d a5 eb ec 36 ad ..|~._.$..m...6.
0050 - 0b ed 2f c6 b2 fb dd 91-9b 16 3d 00 04 e7 cb 56 ../.......=....V
0060 - 67 a0 3c 11 f9 41 05 a0-7e 0e 67 f4 51 22 41 60 g.<..A..~.g.Q"A`
0070 - a3 10 70 3f 5c cc c0 92-a3 47 1d 42 ec 4a 78 a4 ..p?\....G.B.Jx.
0080 - 23 d6 48 7d bc cc 20 15-1e 40 45 7d aa 62 c4 54 #.H}.. ..@E}.b.T
0090 - 75 0b 84 49 a8 2d 93 eb-d8 db a2 97 a9 d0 e7 e8 u..I.-..........
00a0 - 8b a9 76 94 1b 6b f6 10-64 ed 78 1d 19 9b 7c e2 ..v..k..d.x...|.
00b0 - fa 5a b0 df 17 72 3e e9-a4 18 a7 da 75 70 d3 29 .Z...r>.....up.)
00c0 - 1c ce f6 40 21 3d 28 45-13 86 4a b9 e6 fc 8d c0 ...@!=(E..J.....
Start Time: 1744452410
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6C8136A47FC0FA829E29AEE6055DFFFF738EB21D0B3EE90348E9E3085C5D9232
Session-ID-ctx:
Resumption PSK: 9C354A895F317EB851A62378F002BDF09D8A7354A1A3F17EA7F62EECCA09E8BD0799CE9639AF492DA754D6970FFD7996
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - da f1 3a f0 3f 79 35 ca-cc 7d 56 13 27 37 e4 d5 ..:.?y5..}V.'7..
0010 - 25 47 0e b2 a2 e8 5a 61-6f b1 37 b4 25 20 86 59 %G....Zao.7.% .Y
0020 - d8 d9 ca 09 2d 31 d9 20-a5 9e 60 1b ff 11 8b ef ....-1. ..`.....
0030 - 66 93 84 55 46 a5 ab 7d-26 5d 4e de 8f ce d5 c8 f..UF..}&]N.....
0040 - bb 28 e2 0a 6a da 50 e9-d8 12 6d 51 e6 e7 78 cb .(..j.P...mQ..x.
0050 - c4 c6 1b 46 5d f3 21 df-7b be 75 46 48 ca 3c 62 ...F].!.{.uFH.<b
0060 - 0f 48 34 52 f8 24 c2 b1-52 f3 60 c5 b2 7f 94 1a .H4R.$..R.`.....
0070 - c4 2b 6e 75 c1 b0 24 45-2f cb 93 cd ad e0 57 e8 .+nu..$E/.....W.
0080 - ed 09 27 5a ab ee 76 d0-4d cf a2 6c e3 db 92 2c ..'Z..v.M..l...,
0090 - 6c dd ec 0c e8 a4 f1 fa-52 df 79 ce f8 21 e0 a0 l.......R.y..!..
00a0 - 13 01 09 4b d5 7d 2f 49-18 91 b3 59 5c 8d 5a d3 ...K.}/I...Y\.Z.
00b0 - ed c7 77 6f 93 78 39 41-40 40 5c 2f 07 40 75 07 ..wo.x9A@@\/.@u.
00c0 - fb e6 06 fc 2c 8d ee 37-9b 9d b5 30 01 63 58 12 ....,..7...0.cX.
Start Time: 1744452410
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
TLS SUCCESSFUL
4027ACC9587F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS----- MIGDAgEBAgIDBAQCEwIEIADO5L42UDrJWJ4rwoy74SOP5LLyD5TWuXyNtIiSHgju BDCcNUqJXzF+uFGmI3jwAr3wnYpzVKGj8X6n9i7sygnovQeZzpY5r0ktp1TWlw/9 eZahBgIEZ/o7OqIEAgIcIKQGBAQBAAAArgYCBF3p7l2zBAICEew=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-
POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_
sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: id-ml-dsa-65:id-ml-dsa-87:id-ml-dsa-44:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_
pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
Shared groups: X25519MLKEM768:x25519:secp256r1:x448:secp384r1:secp521r1:ffdhe2048:ffdhe3072
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
TLS SUCCESSFUL
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
## Run sanity test with default values (Ed25519)
spawn openssl s_client -connect localhost:23456 -CAfile /build/reproducible-path/pkcs11-provider-1.0/obj-x86_64-linux-gnu/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000005)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My ED25519 Cert
verify return:1
---
Certificate chain
0 s:O=PKCS11 Provider, CN=My ED25519 Cert
i:CN=Issuer
a:PKEY: ED25519, 256 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Apr 12 10:06:36 2025 GMT; NotAfter: Apr 12 10:06:36 2026 GMT ---
Server certificate
-----BEGIN CERTIFICATE----- MIICSDCCATCgAwIBAgIBBjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1 ZXIwHhcNMjUwNDEyMTAwNjM2WhcNMjYwNDEyMTAwNjM2WjA0MRgwFgYDVQQKEw9Q S0NTMTEgUHJvdmlkZXIxGDAWBgNVBAMTD015IEVEMjU1MTkgQ2VydDAqMAUGAytl cAMhAJ0WDl2Hl8UUb29HJ9UY3U5Pl2u7tIjX3NmrIUH2E3zSo4GBMH8wDAYDVR0T AQH/BAIwADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8B Af8EBAMCB4AwHQYDVR0OBBYEFPhxmjKvZMwiSEguzAjQfqTmyHwcMB8GA1UdIwQY MBaAFCyg8iYK7eejABnMyB2/g2vveKgPMA0GCSqGSIb3DQEBCwUAA4IBAQBzM6Z2 QALfpQ9ipxzETsdN6cb8XOaZlJZReV8dlzEApLWnrA9RnbOfGMYmSP8mwylnxENe ZGORRemijPJzIDvwmNrKhiLfarKRftVrQDNjytzn+CbYdYFaHjrT3JGvUrgh5Pe1 9jjvGscBDvgdYrW9W8IYU/8OJlMvkL0BA7SLD6nBgloIFxrCETu9oWJtxaSL7Lz8 lNypPpvHJB8PVCKjQV1uNNg85O9fIWVWMI49jeMCMVLk9NmgDb7lDuWthGHLpsCx PiIih/YHKSaXkq6bILdJq/yAjjfaBvz0aFEpqGwP+Mfp8BrvvuBWPVfpShocj+tW LopOfWDwnaI2oCko
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My ED25519 Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signature type: ed25519
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 2040 bytes and written 1613 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 77822B8CE4973B7EDC9FFD37C5D7C84335C20D5CF3A1C19CAEC4AD3A1EE5CC1C
Session-ID-ctx:
Resumption PSK: C88840F7A7EB4A39A443DAC070C0D9044C23FBCB35B005E0F7353CF2E96F37671D11151753A73489BB616E850E9AD878
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 1c 29 7e 9e f1 63 49 09-ee 5d 25 e0 df 0d 6e 36 .)~..cI..]%...n6
0010 - d7 9b 14 ad de f2 34 22-0b 2f 90 af 2c 13 06 5b ......4"./..,..[
0020 - dd 29 cb db 06 58 16 72-98 2d b1 01 30 3a 30 92 .)...X.r.-..0:0.
0030 - 94 b6 d7 8b d8 8f 95 60-c3 7c 6e 4d 82 dd 19 bb .......`.|nM....
0040 - 83 ef 3f 0b 70 57 64 a5-9b f8 6f 6e 7f c2 45 87 ..?.pWd...on..E.
0050 - 2b 81 98 e6 37 60 d8 05-5a 05 e8 83 24 a5 ba f4 +...7`..Z...$...
0060 - 9f d2 62 5c 24 ef 88 c2-54 a1 cd a9 a5 1e e0 b1 ..b\$...T.......
0070 - 57 73 d6 0b c2 db f5 53-0e 94 18 16 ce c2 ad ef Ws.....S........
0080 - 22 da af 45 04 2f d6 10-46 5c ea b8 c3 1d 13 54 "..E./..F\.....T
0090 - f6 4c 8d ce a5 87 2b 7f-73 cb 72 75 c7 39 2d 44 .L....+.s.ru.9-D
00a0 - 67 62 28 4f a1 92 39 3d-31 0a ea 6d ae 45 56 e2 gb(O..9=1..m.EV.
00b0 - ff 7b 96 fa a9 10 fd 65-63 ae c6 5f 21 9b 3a ad .{.....ec.._!.:.
00c0 - 5a f3 74 34 53 c7 e6 44-e1 bf 00 e9 6b e6 64 06 Z.t4S..D....k.d.
Start Time: 1744452410
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: ECA85EA81E63D9BECB127A36D6C59A876D13095273885781433760C5C2F40C9D
Session-ID-ctx:
Resumption PSK: 9AD31E167D912070D4A449E6DA011EACBDD3DEFB79573AE335C7AE4352D2610BDBF2DA905B35266DD8CFCCE9501EC5E3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 1c 29 7e 9e f1 63 49 09-ee 5d 25 e0 df 0d 6e 36 .)~..cI..]%...n6
0010 - a8 39 dc f3 61 05 e5 a0-2d a8 e2 2e 61 41 0a 40 .9..a...-...aA.@
0020 - de 38 27 90 e4 35 6f 14-9c a8 66 10 6f 5a 01 17 .8'..5o...f.oZ..
0030 - 18 5b bd 81 75 5a 56 74-ab ee 8a 11 65 d0 e4 06 .[..uZVt....e...
0040 - fb b5 6c 97 96 f4 9f 15-12 d4 9f b3 6d a9 f3 ae ..l.........m...
0050 - c5 1c 9b 69 05 a4 94 2d-1d cf 76 ca 96 30 b8 c4 ...i...-..v..0..
0060 - 61 c0 82 9f ed 1a 4d c9-38 1b 33 1d 93 d4 9f c1 a.....M.8.3.....
0070 - b9 6b 3a c0 16 5f 96 0a-0a 7e 4d 6c 68 ea 3d 48 .k:.._...~Mlh.=H
0080 - d0 b6 d3 97 17 1a 35 3c-3f 46 ef 9f 8a 8d ea 6a ......5<?F.....j
0090 - bf 14 bf fa 36 1f 35 da-aa b1 2e ec e5 fa cd ca ....6.5.........
00a0 - ac 4a 5e 94 6b ab 8e d2-e5 b6 96 bd 19 60 f9 5d .J^.k........`.]
00b0 - 4c 6a c4 4e 98 c4 3a 50-a3 f0 9c 5e 96 bb ea b0 Lj.N..:P...^....
00c0 - 09 7b 43 d5 1a ee cf 4d-ba f1 3f 55 e7 26 34 27 .{C....M..?U.&4'
Start Time: 1744452410
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
TLS SUCCESSFUL
40D76DC8EC7F0000:error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:691:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%04 -cert pkcs11:type=cert;object=edCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)