Merge remote-tracking branch 'upstream-public/pr/916' into mbedtls-2.1
diff --git a/ChangeLog b/ChangeLog
index eb99ce2..a3e8715 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,151 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS x.x.x branch released xxxx-xx-xx
+= mbed TLS 2.1.10 branch released xxxx-xx-xx
+
+Security
+ * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by
+ default enabled) maximum fragment length extension is disabled in the
+ config and the application data buffer passed to mbedtls_ssl_write
+ is larger than the internal message buffer (16384 bytes by default), the
+ latter overflows. The exploitability of this issue depends on whether the
+ application layer can be forced into sending such large packets. The issue
+ was independently reported by Tim Nordell via e-mail and by Florin Petriuc
+ and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
Bugfix
+ * Fix ssl_parse_record_header() to silently discard invalid DTLS records
+ as recommended in RFC 6347 Section 4.1.2.7.
+ * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
+ Found by projectgus and jethrogb, #836.
+ * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
+ * Parse signature algorithm extension when renegotiating. Previously,
+ renegotiated handshakes would only accept signatures using SHA-1
+ regardless of the peer's preferences, or fail if SHA-1 was disabled.
+ * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
+ dates on leap years with 100 and 400 intervals are handled correctly. Found
+ by Nicholas Wilson. #694
+ * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
+ Found independently by Florian in the mbed TLS forum and by Mishamax.
+ #878, #1019.
+ * Fix unchecked return codes from AES, DES and 3DES functions in
+ pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
+ If a call to one of the functions of the cryptographic primitive modules
+ failed, the error may not be noticed by the function
+ mbedtls_pem_read_buffer() causing it to return invalid values. Found by
+ Guido Vranken. #756
+ * Include configuration file in md.h, to fix compilation warnings.
+ Reported by aaronmdjones in #1001
+ * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
+ writing routines that prevented these functions to work with alternative
+ RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
+ * Don't print X.509 version tag for v1 CRT's, and omit extensions for
+ non-v3 CRT's.
+ * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
* Fix net_would_block to avoid modification by errno through fcntl call.
Found by nkolban. Fixes #845.
+Changes
+ * Extend cert_write example program by options to set the CRT version
+ and the message digest. Further, allow enabling/disabling of authority
+ identifier, subject identifier and basic constraints extensions.
+
+= mbed TLS 2.1.9 branch released 2017-08-10
+
+Security
+ * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
+ mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
+ X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
+ (default: 8) intermediates, even when it was not trusted. This could be
+ triggered remotely from either side. (With authmode set to 'required'
+ (the default), the handshake was correctly aborted).
+ * Reliably zeroize sensitive data after use in AES example applications
+ programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
+ Found by Laurent Simon.
+
+API Changes
+ * Certificate verification functions now set flags to -1 in case the full
+ chain was not verified due to an internal error (including in the verify
+ callback) or chain length limitations.
+ * With authmode set to optional, the TLS handshake is now aborted if the
+ verification of the peer's certificate failed due to an overlong chain or
+ a fatal error in the verify callback.
+
+Bugfix
+ * Add a check if iv_len is zero in GCM, and return an error if it is zero.
+ Reported by roberto. #716
+ * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
+ to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
+ always be implemented by pthread support. Fix for #696
+ * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
+ in the case of an error. Found by redplait. #590
+ * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
+ Reported and fix suggested by guidovranken in #740
+ * Fix a potential integer overflow in the version verification for DER
+ encoded X509 CRLs. The overflow would enable maliciously constructed CRLs
+ to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
+ KNOX Security, Samsung Research America
+ * Fix a potential integer overflow in the version verification for DER
+ encoded X509 certificates. The overflow would enable maliciously
+ constructed certificates to bypass the certificate verification check.
+ * Fix potential integer overflow in the version verification for DER
+ encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
+ to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
+ KNOX Security, Samsung Research America
+
+Changes
+ * Avoid shadowing of time and index functions through mbed TLS function
+ arguments. Found by inestlerode. Fixes #557.
+ * Improve documentation of PKCS1 decryption functions.
+
+= mbed TLS 2.1.8 branch released 2017-06-21
+
+Security
+ * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
+ The issue could only happen client-side with renegotiation enabled.
+ Could result in DoS (application crash) or information leak
+ (if the application layer sent data read from mbedtls_ssl_read()
+ back to the server or to a third party). Can be triggered remotely.
+ * Add exponent blinding to RSA private operations as a countermeasure
+ against side-channel attacks like the cache attack described in
+ https://arxiv.org/abs/1702.08719v2.
+ Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
+ Clémentine Maurice and Stefan Mangard.
+ * Wipe stack buffers in RSA private key operations
+ (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
+ Simon.
+ * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
+ certificate verification. SHA-1 can be turned back on with a compile-time
+ option if needed.
+ * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
+ detect it sometimes. Reported by Hugo Leisink. #810
+ * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+ potential Bleichenbacher/BERserk-style attack.
+
+Bugfix
+ * Remove macros from compat-1.3.h that correspond to deleted items from most
+ recent versions of the library. Found by Kyle Keen.
+ * Fixed issue in the Threading module that prevented mutexes from
+ initialising. Found by sznaider. #667 #843
+ * Fix insufficient support for signature-hash-algorithm extension,
+ resulting in compatibility problems with Chrome. Found by hfloyrd. #823
+ * Accept empty trusted CA chain in authentication mode
+ MBEDTLS_SSL_VERIFY_OPTIONAL. Found by jethrogb. #864
+ * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
+ fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
+ reflect bad EC curves within verification result.
+ * Fix bug that caused the modular inversion function to accept the invalid
+ modulus 1 and therefore to hang. Found by blaufish. #641.
+ * Fix incorrect sign computation in modular exponentiation when the base is
+ a negative MPI. Previously the result was always negative. Found by Guido
+ Vranken.
+ * Fix a numerical underflow leading to stack overflow in mpi_read_file()
+ that was triggered uppon reading an empty line. Found by Guido Vranken.
+
+Changes
+ * Clarify ECDSA documentation and improve the sample code to avoid
+ misunderstanding and potentially dangerous use of the API. Pointed out
+ by Jean-Philippe Aumasson.
+
= mbed TLS 2.1.7 branch released 2017-03-08
Security
@@ -119,9 +259,9 @@
= mbed TLS 2.1.5 branch released 2016-06-28
Security
- * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+ * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
required by PKCS1 v2.2
- * Fix a potential integer underflow to buffer overread in
+ * Fix a potential integer underflow to buffer overread in
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
SSL/TLS.
* Fix potential integer overflow to buffer overflow in
@@ -1376,7 +1516,7 @@
Changes
* Allow enabling of dummy error_strerror() to support some use-cases
* Debug messages about padding errors during SSL message decryption are
- disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
+ disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
* Sending of security-relevant alert messages that do not break
interoperability can be switched on/off with the flag
POLARSSL_SSL_ALL_ALERT_MESSAGES
@@ -1405,7 +1545,7 @@
Changes
* Added p_hw_data to ssl_context for context specific hardware acceleration
data
- * During verify trust-CA is only checked for expiration and CRL presence
+ * During verify trust-CA is only checked for expiration and CRL presence
Bugfixes
* Fixed client authentication compatibility
@@ -1703,9 +1843,9 @@
with random data (Fixed ticket #10)
Changes
- * Debug print of MPI now removes leading zero octets and
+ * Debug print of MPI now removes leading zero octets and
displays actual bit size of the value.
- * x509parse_key() (and as a consequence x509parse_keyfile())
+ * x509parse_key() (and as a consequence x509parse_keyfile())
does not zeroize memory in advance anymore. Use rsa_init()
before parsing a key or keyfile!
@@ -1727,7 +1867,7 @@
printing of X509 CRLs from file
Changes
- * Parsing of PEM files moved to separate module (Fixes
+ * Parsing of PEM files moved to separate module (Fixes
ticket #13). Also possible to remove PEM support for
systems only using DER encoding
@@ -1870,7 +2010,7 @@
* Fixed HMAC-MD2 by modifying md2_starts(), so that the
required HMAC ipad and opad variables are not cleared.
(found by code coverage tests)
- * Prevented use of long long in bignum if
+ * Prevented use of long long in bignum if
POLARSSL_HAVE_LONGLONG not defined (found by Giles
Bathgate).
* Fixed incorrect handling of negative strings in
@@ -1911,7 +2051,7 @@
* Made definition of net_htons() endian-clean for big endian
systems (Found by Gernot).
* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
- padlock and timing code.
+ padlock and timing code.
* Fixed an off-by-one buffer allocation in ssl_set_hostname()
responsible for crashes and unwanted behaviour.
* Added support for Certificate Revocation List (CRL) parsing.
@@ -2085,4 +2225,3 @@
who maintains the Debian package :-)
= Version 0.1 released on 2006-11-01
-
diff --git a/configs/README.txt b/configs/README.txt
index e9867bc..933fa7f 100644
--- a/configs/README.txt
+++ b/configs/README.txt
@@ -8,7 +8,7 @@
them, you can pick one of the following methods:
1. Replace the default file include/mbedtls/config.h with the chosen one.
- (Depending on your compiler, you may need to ajust the line with
+ (Depending on your compiler, you may need to adjust the line with
#include "mbedtls/check_config.h" then.)
2. Define MBEDTLS_CONFIG_FILE and adjust the include path accordingly.
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 7ce5314..4dbd667 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -21,7 +21,7 @@
*/
/**
- * @mainpage mbed TLS v2.1.7 source code documentation
+ * @mainpage mbed TLS v2.1.9 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 57ac146..075e0c2 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.1.7"
+PROJECT_NAME = "mbed TLS v2.1.9"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h
index 082832c..e159e57 100644
--- a/include/mbedtls/asn1.h
+++ b/include/mbedtls/asn1.h
@@ -59,7 +59,7 @@
/**
* \name DER constants
- * These constants comply with DER encoded the ANS1 type tags.
+ * These constants comply with the DER encoded ASN.1 type tags.
* DER encoding uses hexadecimal representation.
* An example DER sequence is:\n
* - 0x02 -- tag indicating INTEGER
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index aa51556..1a5b4b6 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -340,7 +340,7 @@
#if defined(MBEDTLS_FS_IO)
/**
- * \brief Read X from an opened file
+ * \brief Read MPI from a line in an opened file
*
* \param X Destination MPI
* \param radix Input numeric base
@@ -349,6 +349,15 @@
* \return 0 if successful, MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if
* the file read buffer is too small or a
* MBEDTLS_ERR_MPI_XXX error code
+ *
+ * \note On success, this function advances the file stream
+ * to the end of the current line or to EOF.
+ *
+ * The function returns 0 on an empty line.
+ *
+ * Leading whitespaces are ignored, as is a
+ * '0x' prefix for radix 16.
+ *
*/
int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
@@ -665,8 +674,8 @@
*
* \return 0 if successful,
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is negative or nil
- MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N
+ * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is <= 1,
+ MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N.
*/
int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N );
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index af51b5f..50efb08 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -207,9 +207,6 @@
#if defined MBEDTLS_ERROR_C
#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
#endif
-#if defined MBEDTLS_ERROR_STRERROR_BC
-#define POLARSSL_ERROR_STRERROR_BC MBEDTLS_ERROR_STRERROR_BC
-#endif
#if defined MBEDTLS_ERROR_STRERROR_DUMMY
#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
#endif
@@ -318,9 +315,6 @@
#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
#endif
-#if defined MBEDTLS_MEMORY_C
-#define POLARSSL_MEMORY_C MBEDTLS_MEMORY_C
-#endif
#if defined MBEDTLS_MEMORY_DEBUG
#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
#endif
@@ -345,9 +339,6 @@
#if defined MBEDTLS_PADLOCK_C
#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
#endif
-#if defined MBEDTLS_PBKDF2_C
-#define POLARSSL_PBKDF2_C MBEDTLS_PBKDF2_C
-#endif
#if defined MBEDTLS_PEM_PARSE_C
#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
#endif
@@ -429,9 +420,6 @@
#if defined MBEDTLS_PLATFORM_STD_FREE
#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
#endif
-#if defined MBEDTLS_PLATFORM_STD_MALLOC
-#define POLARSSL_PLATFORM_STD_MALLOC MBEDTLS_PLATFORM_STD_MALLOC
-#endif
#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
#endif
@@ -492,12 +480,6 @@
#if defined MBEDTLS_SHA512_PROCESS_ALT
#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
#endif
-#if defined MBEDTLS_SSL_AEAD_RANDOM_IV
-#define POLARSSL_SSL_AEAD_RANDOM_IV MBEDTLS_SSL_AEAD_RANDOM_IV
-#endif
-#if defined MBEDTLS_SSL_ALERT_MESSAGES
-#define POLARSSL_SSL_ALERT_MESSAGES MBEDTLS_SSL_ALERT_MESSAGES
-#endif
#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
#endif
@@ -522,9 +504,6 @@
#if defined MBEDTLS_SSL_DEBUG_ALL
#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
#endif
-#if defined MBEDTLS_SSL_DISABLE_RENEGOTIATION
-#define POLARSSL_SSL_DISABLE_RENEGOTIATION MBEDTLS_SSL_DISABLE_RENEGOTIATION
-#endif
#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
#endif
@@ -752,7 +731,6 @@
#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
-#define MD_CONTEXT_T_INIT MBEDTLS_MD_CONTEXT_T_INIT
#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
@@ -1017,19 +995,13 @@
#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
-#define POLARSSL_DEBUG_LOG_FULL MBEDTLS_DEBUG_LOG_FULL
-#define POLARSSL_DEBUG_LOG_RAW MBEDTLS_DEBUG_LOG_RAW
#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
#define POLARSSL_DES_H MBEDTLS_DES_H
#define POLARSSL_DHM_H MBEDTLS_DHM_H
-#define POLARSSL_DHM_RFC2409_MODP_1024_G MBEDTLS_DHM_RFC2409_MODP_1024_G
-#define POLARSSL_DHM_RFC2409_MODP_1024_P MBEDTLS_DHM_RFC2409_MODP_1024_P
#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
-#define POLARSSL_DHM_RFC5114_MODP_1024_G MBEDTLS_DHM_RFC5114_MODP_1024_G
-#define POLARSSL_DHM_RFC5114_MODP_1024_P MBEDTLS_DHM_RFC5114_MODP_1024_P
#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
@@ -1117,9 +1089,6 @@
#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
-#define POLARSSL_ERR_MD2_FILE_IO_ERROR MBEDTLS_ERR_MD2_FILE_IO_ERROR
-#define POLARSSL_ERR_MD4_FILE_IO_ERROR MBEDTLS_ERR_MD4_FILE_IO_ERROR
-#define POLARSSL_ERR_MD5_FILE_IO_ERROR MBEDTLS_ERR_MD5_FILE_IO_ERROR
#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
@@ -1147,7 +1116,6 @@
#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
-#define POLARSSL_ERR_PBKDF2_BAD_INPUT_DATA MBEDTLS_ERR_PBKDF2_BAD_INPUT_DATA
#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
@@ -1179,7 +1147,6 @@
#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
-#define POLARSSL_ERR_RIPEMD160_FILE_IO_ERROR MBEDTLS_ERR_RIPEMD160_FILE_IO_ERROR
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
@@ -1189,9 +1156,6 @@
#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
-#define POLARSSL_ERR_SHA1_FILE_IO_ERROR MBEDTLS_ERR_SHA1_FILE_IO_ERROR
-#define POLARSSL_ERR_SHA256_FILE_IO_ERROR MBEDTLS_ERR_SHA256_FILE_IO_ERROR
-#define POLARSSL_ERR_SHA512_FILE_IO_ERROR MBEDTLS_ERR_SHA512_FILE_IO_ERROR
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
@@ -1305,7 +1269,6 @@
#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
-#define POLARSSL_MEMORY_H MBEDTLS_MEMORY_H
#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
@@ -1329,7 +1292,6 @@
#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
-#define POLARSSL_PBKDF2_H MBEDTLS_PBKDF2_H
#define POLARSSL_PEM_H MBEDTLS_PEM_H
#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
@@ -1712,7 +1674,6 @@
#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
-#define UL64 MBEDTLS_UL64
#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
@@ -1736,7 +1697,6 @@
#define _ssl_key_cert mbedtls_ssl_key_cert
#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
#define _ssl_session mbedtls_ssl_session
-#define _ssl_ticket_keys mbedtls_ssl_ticket_keys
#define _ssl_transform mbedtls_ssl_transform
#define _x509_crl mbedtls_x509_crl
#define _x509_crl_entry mbedtls_x509_crl_entry
@@ -1836,7 +1796,6 @@
#define cipher_definitions mbedtls_cipher_definitions
#define cipher_finish mbedtls_cipher_finish
#define cipher_free mbedtls_cipher_free
-#define cipher_free_ctx mbedtls_cipher_free_ctx
#define cipher_get_block_size mbedtls_cipher_get_block_size
#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
#define cipher_get_iv_size mbedtls_cipher_get_iv_size
@@ -1855,7 +1814,6 @@
#define cipher_mode_t mbedtls_cipher_mode_t
#define cipher_padding_t mbedtls_cipher_padding_t
#define cipher_reset mbedtls_cipher_reset
-#define cipher_self_test mbedtls_cipher_self_test
#define cipher_set_iv mbedtls_cipher_set_iv
#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
#define cipher_setkey mbedtls_cipher_setkey
@@ -1866,7 +1824,6 @@
#define ctr_drbg_context mbedtls_ctr_drbg_context
#define ctr_drbg_free mbedtls_ctr_drbg_free
#define ctr_drbg_init mbedtls_ctr_drbg_init
-#define ctr_drbg_init_entropy_len mbedtls_ctr_drbg_init_entropy_len
#define ctr_drbg_random mbedtls_ctr_drbg_random
#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
@@ -1877,14 +1834,12 @@
#define ctr_drbg_update mbedtls_ctr_drbg_update
#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
-#define debug_fmt mbedtls_debug_fmt
#define debug_print_buf mbedtls_debug_print_buf
#define debug_print_crt mbedtls_debug_print_crt
#define debug_print_ecp mbedtls_debug_print_ecp
#define debug_print_mpi mbedtls_debug_print_mpi
#define debug_print_msg mbedtls_debug_print_msg
#define debug_print_ret mbedtls_debug_print_ret
-#define debug_set_log_mode mbedtls_debug_set_log_mode
#define debug_set_threshold mbedtls_debug_set_threshold
#define des3_context mbedtls_des3_context
#define des3_crypt_cbc mbedtls_des3_crypt_cbc
@@ -1928,7 +1883,6 @@
#define ecdh_make_public mbedtls_ecdh_make_public
#define ecdh_read_params mbedtls_ecdh_read_params
#define ecdh_read_public mbedtls_ecdh_read_public
-#define ecdh_self_test mbedtls_ecdh_self_test
#define ecdh_side mbedtls_ecdh_side
#define ecdsa_context mbedtls_ecdsa_context
#define ecdsa_free mbedtls_ecdsa_free
@@ -1937,7 +1891,6 @@
#define ecdsa_info mbedtls_ecdsa_info
#define ecdsa_init mbedtls_ecdsa_init
#define ecdsa_read_signature mbedtls_ecdsa_read_signature
-#define ecdsa_self_test mbedtls_ecdsa_self_test
#define ecdsa_sign mbedtls_ecdsa_sign
#define ecdsa_sign_det mbedtls_ecdsa_sign_det
#define ecdsa_verify mbedtls_ecdsa_verify
@@ -1945,7 +1898,6 @@
#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
#define eckey_info mbedtls_eckey_info
#define eckeydh_info mbedtls_eckeydh_info
-#define ecp_add mbedtls_ecp_add
#define ecp_check_privkey mbedtls_ecp_check_privkey
#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
#define ecp_check_pubkey mbedtls_ecp_check_pubkey
@@ -1962,7 +1914,6 @@
#define ecp_group_free mbedtls_ecp_group_free
#define ecp_group_id mbedtls_ecp_group_id
#define ecp_group_init mbedtls_ecp_group_init
-#define ecp_group_read_string mbedtls_ecp_group_read_string
#define ecp_grp_id_list mbedtls_ecp_grp_id_list
#define ecp_is_zero mbedtls_ecp_is_zero
#define ecp_keypair mbedtls_ecp_keypair
@@ -1977,7 +1928,6 @@
#define ecp_point_write_binary mbedtls_ecp_point_write_binary
#define ecp_self_test mbedtls_ecp_self_test
#define ecp_set_zero mbedtls_ecp_set_zero
-#define ecp_sub mbedtls_ecp_sub
#define ecp_tls_read_group mbedtls_ecp_tls_read_group
#define ecp_tls_read_point mbedtls_ecp_tls_read_point
#define ecp_tls_write_group mbedtls_ecp_tls_write_group
@@ -2015,7 +1965,6 @@
#define hmac_drbg_context mbedtls_hmac_drbg_context
#define hmac_drbg_free mbedtls_hmac_drbg_free
#define hmac_drbg_init mbedtls_hmac_drbg_init
-#define hmac_drbg_init_buf mbedtls_hmac_drbg_init_buf
#define hmac_drbg_random mbedtls_hmac_drbg_random
#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
@@ -2031,14 +1980,8 @@
#define md mbedtls_md
#define md2 mbedtls_md2
#define md2_context mbedtls_md2_context
-#define md2_file mbedtls_md2_file
#define md2_finish mbedtls_md2_finish
#define md2_free mbedtls_md2_free
-#define md2_hmac mbedtls_md2_hmac
-#define md2_hmac_finish mbedtls_md2_hmac_finish
-#define md2_hmac_reset mbedtls_md2_hmac_reset
-#define md2_hmac_starts mbedtls_md2_hmac_starts
-#define md2_hmac_update mbedtls_md2_hmac_update
#define md2_info mbedtls_md2_info
#define md2_init mbedtls_md2_init
#define md2_process mbedtls_md2_process
@@ -2047,14 +1990,8 @@
#define md2_update mbedtls_md2_update
#define md4 mbedtls_md4
#define md4_context mbedtls_md4_context
-#define md4_file mbedtls_md4_file
#define md4_finish mbedtls_md4_finish
#define md4_free mbedtls_md4_free
-#define md4_hmac mbedtls_md4_hmac
-#define md4_hmac_finish mbedtls_md4_hmac_finish
-#define md4_hmac_reset mbedtls_md4_hmac_reset
-#define md4_hmac_starts mbedtls_md4_hmac_starts
-#define md4_hmac_update mbedtls_md4_hmac_update
#define md4_info mbedtls_md4_info
#define md4_init mbedtls_md4_init
#define md4_process mbedtls_md4_process
@@ -2063,14 +2000,8 @@
#define md4_update mbedtls_md4_update
#define md5 mbedtls_md5
#define md5_context mbedtls_md5_context
-#define md5_file mbedtls_md5_file
#define md5_finish mbedtls_md5_finish
#define md5_free mbedtls_md5_free
-#define md5_hmac mbedtls_md5_hmac
-#define md5_hmac_finish mbedtls_md5_hmac_finish
-#define md5_hmac_reset mbedtls_md5_hmac_reset
-#define md5_hmac_starts mbedtls_md5_hmac_starts
-#define md5_hmac_update mbedtls_md5_hmac_update
#define md5_info mbedtls_md5_info
#define md5_init mbedtls_md5_init
#define md5_process mbedtls_md5_process
@@ -2081,7 +2012,6 @@
#define md_file mbedtls_md_file
#define md_finish mbedtls_md_finish
#define md_free mbedtls_md_free
-#define md_free_ctx mbedtls_md_free_ctx
#define md_get_name mbedtls_md_get_name
#define md_get_size mbedtls_md_get_size
#define md_get_type mbedtls_md_get_type
@@ -2109,7 +2039,6 @@
#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
-#define memory_set_own mbedtls_memory_set_own
#define mpi mbedtls_mpi
#define mpi_add_abs mbedtls_mpi_add_abs
#define mpi_add_int mbedtls_mpi_add_int
@@ -2185,8 +2114,6 @@
#define padlock_supports mbedtls_padlock_has_support
#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
#define padlock_xcryptecb mbedtls_padlock_xcryptecb
-#define pbkdf2_hmac mbedtls_pbkdf2_hmac
-#define pbkdf2_self_test mbedtls_pbkdf2_self_test
#define pem_context mbedtls_pem_context
#define pem_free mbedtls_pem_free
#define pem_init mbedtls_pem_init
@@ -2246,13 +2173,11 @@
#define platform_entropy_poll mbedtls_platform_entropy_poll
#define platform_set_exit mbedtls_platform_set_exit
#define platform_set_fprintf mbedtls_platform_set_fprintf
-#define platform_set_malloc_free mbedtls_platform_set_malloc_free
#define platform_set_printf mbedtls_platform_set_printf
#define platform_set_snprintf mbedtls_platform_set_snprintf
#define polarssl_exit mbedtls_exit
#define polarssl_fprintf mbedtls_fprintf
#define polarssl_free mbedtls_free
-#define polarssl_malloc mbedtls_malloc
#define polarssl_mutex_free mbedtls_mutex_free
#define polarssl_mutex_init mbedtls_mutex_init
#define polarssl_mutex_lock mbedtls_mutex_lock
@@ -2262,14 +2187,8 @@
#define polarssl_strerror mbedtls_strerror
#define ripemd160 mbedtls_ripemd160
#define ripemd160_context mbedtls_ripemd160_context
-#define ripemd160_file mbedtls_ripemd160_file
#define ripemd160_finish mbedtls_ripemd160_finish
#define ripemd160_free mbedtls_ripemd160_free
-#define ripemd160_hmac mbedtls_ripemd160_hmac
-#define ripemd160_hmac_finish mbedtls_ripemd160_hmac_finish
-#define ripemd160_hmac_reset mbedtls_ripemd160_hmac_reset
-#define ripemd160_hmac_starts mbedtls_ripemd160_hmac_starts
-#define ripemd160_hmac_update mbedtls_ripemd160_hmac_update
#define ripemd160_info mbedtls_ripemd160_info
#define ripemd160_init mbedtls_ripemd160_init
#define ripemd160_process mbedtls_ripemd160_process
@@ -2283,12 +2202,10 @@
#define rsa_check_pubkey mbedtls_rsa_check_pubkey
#define rsa_context mbedtls_rsa_context
#define rsa_copy mbedtls_rsa_copy
-#define rsa_decrypt_func mbedtls_rsa_decrypt_func
#define rsa_free mbedtls_rsa_free
#define rsa_gen_key mbedtls_rsa_gen_key
#define rsa_info mbedtls_rsa_info
#define rsa_init mbedtls_rsa_init
-#define rsa_key_len_func mbedtls_rsa_key_len_func
#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
@@ -2306,19 +2223,12 @@
#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
#define rsa_self_test mbedtls_rsa_self_test
#define rsa_set_padding mbedtls_rsa_set_padding
-#define rsa_sign_func mbedtls_rsa_sign_func
#define safer_memcmp mbedtls_ssl_safer_memcmp
#define set_alarm mbedtls_set_alarm
#define sha1 mbedtls_sha1
#define sha1_context mbedtls_sha1_context
-#define sha1_file mbedtls_sha1_file
#define sha1_finish mbedtls_sha1_finish
#define sha1_free mbedtls_sha1_free
-#define sha1_hmac mbedtls_sha1_hmac
-#define sha1_hmac_finish mbedtls_sha1_hmac_finish
-#define sha1_hmac_reset mbedtls_sha1_hmac_reset
-#define sha1_hmac_starts mbedtls_sha1_hmac_starts
-#define sha1_hmac_update mbedtls_sha1_hmac_update
#define sha1_info mbedtls_sha1_info
#define sha1_init mbedtls_sha1_init
#define sha1_process mbedtls_sha1_process
@@ -2328,14 +2238,8 @@
#define sha224_info mbedtls_sha224_info
#define sha256 mbedtls_sha256
#define sha256_context mbedtls_sha256_context
-#define sha256_file mbedtls_sha256_file
#define sha256_finish mbedtls_sha256_finish
#define sha256_free mbedtls_sha256_free
-#define sha256_hmac mbedtls_sha256_hmac
-#define sha256_hmac_finish mbedtls_sha256_hmac_finish
-#define sha256_hmac_reset mbedtls_sha256_hmac_reset
-#define sha256_hmac_starts mbedtls_sha256_hmac_starts
-#define sha256_hmac_update mbedtls_sha256_hmac_update
#define sha256_info mbedtls_sha256_info
#define sha256_init mbedtls_sha256_init
#define sha256_process mbedtls_sha256_process
@@ -2345,14 +2249,8 @@
#define sha384_info mbedtls_sha384_info
#define sha512 mbedtls_sha512
#define sha512_context mbedtls_sha512_context
-#define sha512_file mbedtls_sha512_file
#define sha512_finish mbedtls_sha512_finish
#define sha512_free mbedtls_sha512_free
-#define sha512_hmac mbedtls_sha512_hmac
-#define sha512_hmac_finish mbedtls_sha512_hmac_finish
-#define sha512_hmac_reset mbedtls_sha512_hmac_reset
-#define sha512_hmac_starts mbedtls_sha512_hmac_starts
-#define sha512_hmac_update mbedtls_sha512_hmac_update
#define sha512_info mbedtls_sha512_info
#define sha512_init mbedtls_sha512_init
#define sha512_process mbedtls_sha512_process
@@ -2385,7 +2283,6 @@
#define ssl_cookie_setup mbedtls_ssl_cookie_setup
#define ssl_cookie_write mbedtls_ssl_cookie_write
#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
-#define ssl_curve_is_acceptable mbedtls_ssl_curve_is_acceptable
#define ssl_derive_keys mbedtls_ssl_derive_keys
#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
@@ -2475,8 +2372,6 @@
#define ssl_set_max_version mbedtls_ssl_conf_max_version
#define ssl_set_min_version mbedtls_ssl_conf_min_version
#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
-#define ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt
-#define ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa
#define ssl_set_psk mbedtls_ssl_conf_psk
#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
@@ -2485,7 +2380,6 @@
#define ssl_set_rng mbedtls_ssl_conf_rng
#define ssl_set_session mbedtls_ssl_set_session
#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
-#define ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime
#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
#define ssl_set_sni mbedtls_ssl_conf_sni
#define ssl_set_transport mbedtls_ssl_conf_transport
@@ -2493,7 +2387,6 @@
#define ssl_set_verify mbedtls_ssl_conf_verify
#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
#define ssl_states mbedtls_ssl_states
-#define ssl_ticket_keys mbedtls_ssl_ticket_keys
#define ssl_transform mbedtls_ssl_transform
#define ssl_transform_free mbedtls_ssl_transform_free
#define ssl_write mbedtls_ssl_write
@@ -2522,7 +2415,6 @@
#define test_cli_key mbedtls_test_cli_key
#define test_cli_key_ec mbedtls_test_cli_key_ec
#define test_cli_key_rsa mbedtls_test_cli_key_rsa
-#define test_dhm_params mbedtls_test_dhm_params
#define test_srv_crt mbedtls_test_srv_crt
#define test_srv_crt_ec mbedtls_test_srv_crt_ec
#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
@@ -2577,8 +2469,6 @@
#define x509_get_time mbedtls_x509_get_time
#define x509_key_size_helper mbedtls_x509_key_size_helper
#define x509_name mbedtls_x509_name
-#define x509_oid_get_description mbedtls_x509_oid_get_description
-#define x509_oid_get_numeric_string mbedtls_x509_oid_get_numeric_string
#define x509_self_test mbedtls_x509_self_test
#define x509_sequence mbedtls_x509_sequence
#define x509_serial_gets mbedtls_x509_serial_gets
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c720cb9..0c51fea 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2065,7 +2065,8 @@
* library/ssl_tls.c
* library/x509write_crt.c
*
- * This module is required for SSL/TLS and SHA1-signed certificates.
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
*/
#define MBEDTLS_SHA1_C
@@ -2426,6 +2427,26 @@
/* X509 options */
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generte SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * for compatibility with existing peers.
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+
/* \} name SECTION: Module configuration options */
#if defined(TARGET_LIKE_MBED)
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 52827d8..a277715 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -69,6 +69,10 @@
* \param f_rng RNG function
* \param p_rng RNG parameter
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.3 step 5.
+ *
* \return 0 if successful,
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
*/
@@ -89,6 +93,10 @@
* \param blen Length of buf
* \param md_alg MD algorithm used to hash the message
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.3 step 5.
+ *
* \return 0 if successful,
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
*/
@@ -107,6 +115,10 @@
* \param r First integer of the signature
* \param s Second integer of the signature
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.4 step 3.
+ *
* \return 0 if successful,
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid
* or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
@@ -120,7 +132,7 @@
* serialized as defined in RFC 4492 page 20.
* (Not thread-safe to use same context in multiple threads)
*
- * \note The deterministice version (RFC 6979) is used if
+ * \note The deterministic version (RFC 6979) is used if
* MBEDTLS_ECDSA_DETERMINISTIC is defined.
*
* \param ctx ECDSA context
@@ -136,6 +148,10 @@
* size of the curve used, plus 9 (eg. 73 bytes if a 256-bit
* curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe.
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.3 step 5.
+ *
* \return 0 if successful,
* or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or
* MBEDTLS_ERR_ASN1_XXX error code
@@ -172,6 +188,10 @@
* size of the curve used, plus 9 (eg. 73 bytes if a 256-bit
* curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe.
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.3 step 5.
+ *
* \return 0 if successful,
* or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or
* MBEDTLS_ERR_ASN1_XXX error code
@@ -193,6 +213,10 @@
* \param sig Signature to read and verify
* \param slen Size of sig
*
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * prescribed by SEC1 4.1.4 step 3.
+ *
* \return 0 if successful,
* MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
* MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if the signature is
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 723e46c..ef65326 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -437,7 +437,7 @@
* \brief Set a group using well-known domain parameters
*
* \param grp Destination group
- * \param index Index in the list of well-known domain parameters
+ * \param id Index in the list of well-known domain parameters
*
* \return 0 if successful,
* MBEDTLS_ERR_MPI_XXX if initialization failed
@@ -446,7 +446,7 @@
* \note Index should be a value of RFC 4492's enum NamedCurve,
* usually in the form of a MBEDTLS_ECP_DP_XXX macro.
*/
-int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id index );
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
/**
* \brief Set a group from a TLS ECParameters record
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 5e549f6..31591e2 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -71,7 +71,7 @@
* Name ID Nr of Errors
* PEM 1 9
* PKCS#12 1 4 (Started from top)
- * X509 2 19
+ * X509 2 20
* PKCS5 2 4 (Started from top)
* DHM 3 9
* PK 3 14 (Started from top)
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index b902355..00b1e3a 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -27,6 +27,12 @@
#include <stddef.h>
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 /**< The selected feature is not available. */
#define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */
#define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index a324b69..6b2e54b 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -329,9 +329,15 @@
*
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
- * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- * an error is thrown.
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size ctx->len of ctx->N (eg. 128 bytes
+ * if RSA-1024 is used) to be able to hold an arbitrary
+ * decrypted message. If it is not large enough to hold
+ * the decryption of the particular ciphertext provided,
+ * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note The input buffer must be as large as the size
+ * of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
@@ -355,9 +361,15 @@
*
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
- * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- * an error is thrown.
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size ctx->len of ctx->N (eg. 128 bytes
+ * if RSA-1024 is used) to be able to hold an arbitrary
+ * decrypted message. If it is not large enough to hold
+ * the decryption of the particular ciphertext provided,
+ * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note The input buffer must be as large as the size
+ * of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
@@ -383,9 +395,15 @@
*
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
*
- * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- * an error is thrown.
+ * \note The output buffer length \c output_max_len should be
+ * as large as the size ctx->len of ctx->N (eg. 128 bytes
+ * if RSA-1024 is used) to be able to hold an arbitrary
+ * decrypted message. If it is not large enough to hold
+ * the decryption of the particular ciphertext provided,
+ * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note The input buffer must be as large as the size
+ * of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1f885ee..12a98eb 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -414,6 +414,7 @@
/* Defined in ssl_internal.h */
typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
+typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
#endif
@@ -713,7 +714,9 @@
size_t in_hslen; /*!< current handshake message length,
including the handshake header */
int nb_zero; /*!< # of 0-length encrypted messages */
- int record_read; /*!< record is already present */
+
+ int keep_current_message; /*!< drop or reuse current message
+ on next call to record layer? */
/*
* Record layer (outgoing data)
@@ -917,7 +920,7 @@
*
* If set, the verify callback is called for each
* certificate in the chain. For implementation
- * information, please see \c x509parse_verify()
+ * information, please see \c mbedtls_x509_crt_verify()
*
* \param conf SSL configuration
* \param f_vrfy verification function
@@ -1576,14 +1579,23 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
- * \brief Set hostname for ServerName TLS extension
- * (client-side only)
+ * \brief Set or reset the hostname to check against the received
+ * server certificate. It sets the ServerName TLS extension,
+ * too, if that extension is enabled. (client-side only)
*
*
* \param ssl SSL context
- * \param hostname the server hostname
+ * \param hostname the server hostname, may be NULL to clear hostname
+
+ * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
*
- * \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ * allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ * too long input hostname.
+ *
+ * Hostname set to the one provided on success (cleared
+ * when NULL). On allocation failure hostname is cleared.
+ * On too long input failure, old hostname is unchanged.
*/
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 55fae0b..7a76031 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -257,6 +257,46 @@
#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
#endif
+/* Key exchanges allowing client certificate requests */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
+#endif
+
+/* Key exchanges involving server signature in ServerKeyExchange */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
+#endif
+
+/* Key exchanges using ECDH */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
+#endif
+
+/* Key exchanges that don't involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
+#endif
+
+/* Key exchanges that involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
+#endif
+
/* Key exchanges using a PSK */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
@@ -265,7 +305,13 @@
#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
#endif
-/* Key exchanges using a ECDHE */
+/* Key exchanges using DHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
+#endif
+
+/* Key exchanges using ECDHE */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@@ -306,11 +352,127 @@
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
#endif
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
#ifdef __cplusplus
}
#endif
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 712053e..0c93a74 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -152,6 +152,24 @@
extern "C" {
#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Abstraction for a grid of allowed signature-hash-algorithm pairs.
+ */
+struct mbedtls_ssl_sig_hash_set_t
+{
+ /* At the moment, we only need to remember a single suitable
+ * hash algorithm per signature algorithm. As long as that's
+ * the case - and we don't need a general lookup function -
+ * we can implement the sig-hash-set as a map from signatures
+ * to hash algorithms. */
+ mbedtls_md_type_t rsa;
+ mbedtls_md_type_t ecdsa;
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
/*
* This structure contains the parameters only needed during handshake.
*/
@@ -160,9 +178,14 @@
/*
* Handshake specific crypto variables
*/
- int sig_alg; /*!< Hash algorithm for signature */
int cert_type; /*!< Requested cert type */
int verify_sig_alg; /*!< Signature algorithm for verify */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
+#endif
+
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
#endif
@@ -183,7 +206,7 @@
mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
-#endif
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
@@ -206,7 +229,7 @@
resending messages */
unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
for resending messages */
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
/*
* Checksum contexts
@@ -317,6 +340,27 @@
};
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_pk_type_t sig_alg );
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_pk_type_t sig_alg,
+ mbedtls_md_type_t md_alg );
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_md_type_t md_alg );
+/* Setup an empty signature-hash set */
+static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
+{
+ mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
/**
* \brief Free referenced items in an SSL transform context and clear
@@ -343,6 +387,80 @@
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+/**
+ * \brief Update record layer
+ *
+ * This function roughly separates the implementation
+ * of the logic of (D)TLS from the implementation
+ * of the secure transport.
+ *
+ * \param ssl SSL context to use
+ *
+ * \return 0 or non-zero error code.
+ *
+ * \note A clarification on what is called 'record layer' here
+ * is in order, as many sensible definitions are possible:
+ *
+ * The record layer takes as input an untrusted underlying
+ * transport (stream or datagram) and transforms it into
+ * a serially multiplexed, secure transport, which
+ * conceptually provides the following:
+ *
+ * (1) Three datagram based, content-agnostic transports
+ * for handshake, alert and CCS messages.
+ * (2) One stream- or datagram-based transport
+ * for application data.
+ * (3) Functionality for changing the underlying transform
+ * securing the contents.
+ *
+ * The interface to this functionality is given as follows:
+ *
+ * a Updating
+ * [Currently implemented by mbedtls_ssl_read_record]
+ *
+ * Check if and on which of the four 'ports' data is pending:
+ * Nothing, a controlling datagram of type (1), or application
+ * data (2). In any case data is present, internal buffers
+ * provide access to the data for the user to process it.
+ * Consumption of type (1) datagrams is done automatically
+ * on the next update, invalidating that the internal buffers
+ * for previous datagrams, while consumption of application
+ * data (2) is user-controlled.
+ *
+ * b Reading of application data
+ * [Currently manual adaption of ssl->in_offt pointer]
+ *
+ * As mentioned in the last paragraph, consumption of data
+ * is different from the automatic consumption of control
+ * datagrams (1) because application data is treated as a stream.
+ *
+ * c Tracking availability of application data
+ * [Currently manually through decreasing ssl->in_msglen]
+ *
+ * For efficiency and to retain datagram semantics for
+ * application data in case of DTLS, the record layer
+ * provides functionality for checking how much application
+ * data is still available in the internal buffer.
+ *
+ * d Changing the transformation securing the communication.
+ *
+ * Given an opaque implementation of the record layer in the
+ * above sense, it should be possible to implement the logic
+ * of (D)TLS on top of it without the need to know anything
+ * about the record layer's internals. This is done e.g.
+ * in all the handshake handling functions, and in the
+ * application data reading function mbedtls_ssl_read.
+ *
+ * \note The above tries to give a conceptual picture of the
+ * record layer, but the current implementation deviates
+ * from it in some places. For example, our implementation of
+ * the update functionality through mbedtls_ssl_read_record
+ * discards datagrams depending on the current state, which
+ * wouldn't fall under the record layer's responsibility
+ * following the above definition.
+ *
+ */
+
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
@@ -368,6 +486,7 @@
#if defined(MBEDTLS_PK_C)
unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
#endif
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index a4b4559..118130a 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -39,16 +39,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 1
-#define MBEDTLS_VERSION_PATCH 7
+#define MBEDTLS_VERSION_PATCH 9
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02010700
-#define MBEDTLS_VERSION_STRING "2.1.7"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.1.7"
+#define MBEDTLS_VERSION_NUMBER 0x02010900
+#define MBEDTLS_VERSION_STRING "2.1.9"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.1.9"
#if defined(MBEDTLS_VERSION_C)
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index f219bf1..d7e318d 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -76,6 +76,7 @@
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 /**< Allocation of memory failed. */
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 /**< Read/write of file failed. */
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 /**< Destination buffer is too small. */
+#define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 /**< A fatal error occured, eg the chain is too long or the vrfy callback failed. */
/* \} name */
/**
@@ -246,12 +247,12 @@
* \note Intended usage is "if( is_past( valid_to ) ) ERROR".
* Hence the return value of 1 if on internal errors.
*
- * \param time mbedtls_x509_time to check
+ * \param to mbedtls_x509_time to check
*
* \return 1 if the given time is in the past or an error occured,
* 0 otherwise.
*/
-int mbedtls_x509_time_is_past( const mbedtls_x509_time *time );
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
/**
* \brief Check a given mbedtls_x509_time against the system time
@@ -260,12 +261,12 @@
* \note Intended usage is "if( is_future( valid_from ) ) ERROR".
* Hence the return value of 1 if on internal errors.
*
- * \param time mbedtls_x509_time to check
+ * \param from mbedtls_x509_time to check
*
* \return 1 if the given time is in the future or an error occured,
* 0 otherwise.
*/
-int mbedtls_x509_time_is_future( const mbedtls_x509_time *time );
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
/**
* \brief Checkup routine
@@ -294,7 +295,7 @@
mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
void **sig_opts );
int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
- mbedtls_x509_time *time );
+ mbedtls_x509_time *t );
int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *serial );
int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index fe821d1..bebb146 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -263,7 +263,13 @@
*
* All flags left after returning from the callback
* are also returned to the application. The function should
- * return 0 for anything but a fatal error.
+ * return 0 for anything (including invalid certificates)
+ * other than fatal error, as a non-zero return code
+ * immediately aborts the verification process. For fatal
+ * errors, a specific error code should be used (different
+ * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
+ * can be used if no better code is available.
*
* \note In case verification failed, the results can be displayed
* using \c mbedtls_x509_crt_verify_info()
@@ -280,12 +286,13 @@
* \param f_vrfy verification function
* \param p_vrfy verification parameter
*
- * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
- * in which case *flags will have one or more
- * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
- * set,
- * or another error in case of a fatal error encountered
- * during the verification process.
+ * \return 0 (and flags set to 0) if the chain was verified and valid,
+ * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
+ * but found to be invalid, in which case *flags will have one
+ * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
+ * flags set, or another error (and flags set to 0xffffffff)
+ * in case of a fatal error encountered during the
+ * verification process.
*/
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index fbafa8e..1a7b48f 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -138,15 +138,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.1.7 SOVERSION 0)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.1.9 SOVERSION 0)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.1.7 SOVERSION 0)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.1.9 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.1.7 SOVERSION 10)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.1.9 SOVERSION 10)
target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/library/bignum.c b/library/bignum.c
index 199b4f2..52edd3d 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -616,11 +616,11 @@
if( slen == sizeof( s ) - 2 )
return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
- if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
- if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
+ if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
+ if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
p = s + slen;
- while( --p >= s )
+ while( p-- > s )
if( mpi_get_digit( &d, radix, *p ) != 0 )
break;
@@ -1785,7 +1785,7 @@
*/
mpi_montred( X, N, mm, &T );
- if( neg )
+ if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{
X->s = -1;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
@@ -1888,7 +1888,7 @@
int ret;
mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
- if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 )
+ if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
diff --git a/library/certs.c b/library/certs.c
index ffe6bc9..5c01998 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -47,6 +47,7 @@
"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" \
"-----END CERTIFICATE-----\r\n"
const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
+const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
const char mbedtls_test_ca_key_ec[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
@@ -58,8 +59,10 @@
"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
"-----END EC PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
+const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
const char mbedtls_test_srv_crt_ec[] =
"-----BEGIN CERTIFICATE-----\r\n"
@@ -76,6 +79,7 @@
"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
const char mbedtls_test_srv_key_ec[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
@@ -83,6 +87,7 @@
"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
"-----END EC PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
const char mbedtls_test_cli_crt_ec[] =
"-----BEGIN CERTIFICATE-----\r\n"
@@ -99,6 +104,7 @@
"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
const char mbedtls_test_cli_key_ec[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
@@ -106,20 +112,12 @@
"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
"-----END EC PRIVATE KEY-----\r\n";
-
-const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
-const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
-const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
-const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
-const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
-const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
-#else
-#define TEST_CA_CRT_EC
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_RSA_C)
-#define TEST_CA_CRT_RSA \
+#if defined(MBEDTLS_SHA1_C)
+#define TEST_CA_CRT_RSA_SHA1 \
"-----BEGIN CERTIFICATE-----\r\n" \
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
@@ -141,7 +139,34 @@
"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" \
"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
"-----END CERTIFICATE-----\r\n"
-const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA;
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_CA_CRT_RSA_SHA256 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n" \
+"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n" \
+"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n" \
+"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n" \
+"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n" \
+"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n" \
+"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n" \
+"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n" \
+"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
+"-----END CERTIFICATE-----\r\n"
+static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
+#endif
const char mbedtls_test_ca_key_rsa[] =
"-----BEGIN RSA PRIVATE KEY-----\r\n"
@@ -174,8 +199,10 @@
"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
"-----END RSA PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
+const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
const char mbedtls_test_srv_crt_rsa[] =
"-----BEGIN CERTIFICATE-----\r\n"
@@ -198,6 +225,7 @@
"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
"zhuYwjVuX6JHG0c=\r\n"
"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
const char mbedtls_test_srv_key_rsa[] =
"-----BEGIN RSA PRIVATE KEY-----\r\n"
@@ -227,27 +255,29 @@
"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
"-----END RSA PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
-const char mbedtls_test_cli_crt_rsa[] =
+static const char mbedtls_test_cli_crt_rsa_sha256[] =
"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA3WhcNMjEwMjEyMTQ0NDA3WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
+"MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
+"MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
-"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n"
-"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC\r\n"
-"AQEAAn86isAM8X+mVwJqeItt6E9slhEQbAofyk+diH1Lh8Y9iLlWQSKbw/UXYjx5\r\n"
-"LLPZcniovxIcARC/BjyZR9g3UwTHNGNm+rwrqa15viuNOFBchykX/Orsk02EH7NR\r\n"
-"Alw5WLPorYjED6cdVQgBl9ot93HdJogRiXCxErM7NC8/eP511mjq+uLDjLKH8ZPQ\r\n"
-"8I4ekHJnroLsDkIwXKGIsvIBHQy2ac/NwHLCQOK6mfum1pRx52V4Utu5dLLjD5bM\r\n"
-"xOBC7KU4xZKuMXXZM6/93Yb51K/J4ahf1TxJlTWXtnzDr9saEYdNy2SKY/6ZiDNH\r\n"
-"D+stpAKiQLAWaAusIWKYEyw9MQ==\r\n"
+"o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa\r\n"
+"gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV\r\n"
+"BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud\r\n"
+"EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom\r\n"
+"LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W\r\n"
+"iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK\r\n"
+"D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE\r\n"
+"ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj\r\n"
+"c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=\r\n"
"-----END CERTIFICATE-----\r\n";
const char mbedtls_test_cli_key_rsa[] =
@@ -278,28 +308,32 @@
"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
"-----END RSA PRIVATE KEY-----\r\n";
-
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
-const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
-const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
-#else
-#define TEST_CA_CRT_RSA
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_PEM_PARSE_C)
/* Concatenation of all available CA certificates */
-const char mbedtls_test_cas_pem[] = TEST_CA_CRT_RSA TEST_CA_CRT_EC;
+const char mbedtls_test_cas_pem[] =
+#ifdef TEST_CA_CRT_RSA_SHA1
+ TEST_CA_CRT_RSA_SHA1
+#endif
+#ifdef TEST_CA_CRT_RSA_SHA256
+ TEST_CA_CRT_RSA_SHA256
+#endif
+#ifdef TEST_CA_CRT_EC
+ TEST_CA_CRT_EC
+#endif
+ "";
const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
#endif
/* List of all available CA certificates */
const char * mbedtls_test_cas[] = {
-#if defined(MBEDTLS_RSA_C)
- mbedtls_test_ca_crt_rsa,
+#if defined(TEST_CA_CRT_RSA_SHA1)
+ mbedtls_test_ca_crt_rsa_sha1,
+#endif
+#if defined(TEST_CA_CRT_RSA_SHA256)
+ mbedtls_test_ca_crt_rsa_sha256,
#endif
#if defined(MBEDTLS_ECDSA_C)
mbedtls_test_ca_crt_ec,
@@ -307,8 +341,11 @@
NULL
};
const size_t mbedtls_test_cas_len[] = {
-#if defined(MBEDTLS_RSA_C)
- sizeof( mbedtls_test_ca_crt_rsa ),
+#if defined(TEST_CA_CRT_RSA_SHA1)
+ sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
+#endif
+#if defined(TEST_CA_CRT_RSA_SHA256)
+ sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
#endif
#if defined(MBEDTLS_ECDSA_C)
sizeof( mbedtls_test_ca_crt_ec ),
@@ -317,19 +354,19 @@
};
#if defined(MBEDTLS_RSA_C)
-const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa;
+const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa_sha256;
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_rsa;
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_rsa;
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
-const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
+const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa_sha256;
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
-const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa );
+const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa_sha256 );
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_rsa );
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
-const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
+const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa_sha256 );
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_ec;
diff --git a/library/dhm.c b/library/dhm.c
index 0f4d316..dc72c53 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -162,7 +162,7 @@
*/
do
{
- mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
@@ -248,7 +248,7 @@
*/
do
{
- mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
@@ -321,7 +321,7 @@
count = 0;
do
{
- mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
diff --git a/library/ecp.c b/library/ecp.c
index 4722599..1d4f5cb 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1072,7 +1072,7 @@
/* Generate l such that 1 < l < p */
do
{
- mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
@@ -1454,7 +1454,7 @@
/* Generate l such that 1 < l < p */
do
{
- mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
diff --git a/library/entropy.c b/library/entropy.c
index cdbd35c..b45384d 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -60,6 +60,9 @@
{
memset( ctx, 0, sizeof(mbedtls_entropy_context) );
+ /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+ * when adding more strong entropy sources here. */
+
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init( &ctx->mutex );
#endif
@@ -112,24 +115,24 @@
mbedtls_entropy_f_source_ptr f_source, void *p_source,
size_t threshold, int strong )
{
- int index, ret = 0;
+ int idx, ret = 0;
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
return( ret );
#endif
- index = ctx->source_count;
- if( index >= MBEDTLS_ENTROPY_MAX_SOURCES )
+ idx = ctx->source_count;
+ if( idx >= MBEDTLS_ENTROPY_MAX_SOURCES )
{
ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
goto exit;
}
- ctx->source[index].f_source = f_source;
- ctx->source[index].p_source = p_source;
- ctx->source[index].threshold = threshold;
- ctx->source[index].strong = strong;
+ ctx->source[idx].f_source = f_source;
+ ctx->source[idx].p_source = p_source;
+ ctx->source[idx].threshold = threshold;
+ ctx->source[idx].strong = strong;
ctx->source_count++;
diff --git a/library/error.c b/library/error.c
index debda1d..3854ab5 100644
--- a/library/error.c
+++ b/library/error.c
@@ -473,6 +473,8 @@
mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
+ if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
+ mbedtls_snprintf( buf, buflen, "X509 - A fatal error occured, eg the chain is too long or the vrfy callback failed" );
#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
// END generated code
diff --git a/library/gcm.c b/library/gcm.c
index f1210c5..fccb092 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -277,8 +277,10 @@
size_t use_len, olen = 0;
/* IV and AD are limited to 2^64 bits, so 2^61 bytes */
- if( ( (uint64_t) iv_len ) >> 61 != 0 ||
- ( (uint64_t) add_len ) >> 61 != 0 )
+ /* IV is not allowed to be zero length */
+ if( iv_len == 0 ||
+ ( (uint64_t) iv_len ) >> 61 != 0 ||
+ ( (uint64_t) add_len ) >> 61 != 0 )
{
return( MBEDTLS_ERR_GCM_BAD_INPUT );
}
diff --git a/library/pem.c b/library/pem.c
index 8dd86a4..87401ba 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -134,45 +134,55 @@
/*
* Decrypt with DES-CBC, using PBKDF1 for key derivation
*/
-static void pem_des_decrypt( unsigned char des_iv[8],
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen )
+static int pem_des_decrypt( unsigned char des_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen )
{
mbedtls_des_context des_ctx;
unsigned char des_key[8];
+ int ret;
mbedtls_des_init( &des_ctx );
pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen );
- mbedtls_des_setkey_dec( &des_ctx, des_key );
- mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
+ goto exit;
+ ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
des_iv, buf, buf );
+exit:
mbedtls_des_free( &des_ctx );
mbedtls_zeroize( des_key, 8 );
+
+ return( ret );
}
/*
* Decrypt with 3DES-CBC, using PBKDF1 for key derivation
*/
-static void pem_des3_decrypt( unsigned char des3_iv[8],
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen )
+static int pem_des3_decrypt( unsigned char des3_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen )
{
mbedtls_des3_context des3_ctx;
unsigned char des3_key[24];
+ int ret;
mbedtls_des3_init( &des3_ctx );
pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen );
- mbedtls_des3_set3key_dec( &des3_ctx, des3_key );
- mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 )
+ goto exit;
+ ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
des3_iv, buf, buf );
+exit:
mbedtls_des3_free( &des3_ctx );
mbedtls_zeroize( des3_key, 24 );
+
+ return( ret );
}
#endif /* MBEDTLS_DES_C */
@@ -180,23 +190,28 @@
/*
* Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
*/
-static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
- unsigned char *buf, size_t buflen,
- const unsigned char *pwd, size_t pwdlen )
+static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen )
{
mbedtls_aes_context aes_ctx;
unsigned char aes_key[32];
+ int ret;
mbedtls_aes_init( &aes_ctx );
pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen );
- mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 );
- mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+ if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 )
+ goto exit;
+ ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
aes_iv, buf, buf );
+exit:
mbedtls_aes_free( &aes_ctx );
mbedtls_zeroize( aes_key, keylen );
+
+ return( ret );
}
#endif /* MBEDTLS_AES_C */
@@ -345,22 +360,30 @@
return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
}
+ ret = 0;
+
#if defined(MBEDTLS_DES_C)
if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC )
- pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
+ ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
else if( enc_alg == MBEDTLS_CIPHER_DES_CBC )
- pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
+ ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
#endif /* MBEDTLS_DES_C */
#if defined(MBEDTLS_AES_C)
if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC )
- pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
+ ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC )
- pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
+ ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC )
- pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
+ ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
#endif /* MBEDTLS_AES_C */
+ if( ret != 0 )
+ {
+ mbedtls_free( buf );
+ return( ret );
+ }
+
/*
* The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
* length bytes (allow 4 to be sure) in all known use cases.
diff --git a/library/pkparse.c b/library/pkparse.c
index f0a12f9..2664fe9 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -844,6 +844,16 @@
/*
* Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ * responsibility of the caller to take care of zeroizing
+ * and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ * PK context on failure.
+ *
*/
static int pk_parse_key_pkcs8_unencrypted_der(
mbedtls_pk_context *pk,
@@ -859,7 +869,7 @@
const mbedtls_pk_info_t *pk_info;
/*
- * This function parses the PrivatKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+ * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
*
* PrivateKeyInfo ::= SEQUENCE {
* version Version,
@@ -932,16 +942,22 @@
/*
* Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
*/
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
static int pk_parse_key_pkcs8_encrypted_der(
mbedtls_pk_context *pk,
- const unsigned char *key, size_t keylen,
+ unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen )
{
int ret, decrypted = 0;
size_t len;
- unsigned char buf[2048];
+ unsigned char *buf;
unsigned char *p, *end;
mbedtls_asn1_buf pbe_alg_oid, pbe_params;
#if defined(MBEDTLS_PKCS12_C)
@@ -949,16 +965,14 @@
mbedtls_md_type_t md_alg;
#endif
- memset( buf, 0, sizeof( buf ) );
-
- p = (unsigned char *) key;
+ p = key;
end = p + keylen;
if( pwdlen == 0 )
return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
/*
- * This function parses the EncryptedPrivatKeyInfo object (PKCS#8)
+ * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
*
* EncryptedPrivateKeyInfo ::= SEQUENCE {
* encryptionAlgorithm EncryptionAlgorithmIdentifier,
@@ -970,6 +984,7 @@
* EncryptedData ::= OCTET STRING
*
* The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+ *
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
@@ -985,11 +1000,10 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
- if( len > sizeof( buf ) )
- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+ buf = p;
/*
- * Decrypt EncryptedData with appropriate PDE
+ * Decrypt EncryptedData with appropriate PBE
*/
#if defined(MBEDTLS_PKCS12_C)
if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
@@ -1081,10 +1095,8 @@
if( ret == 0 )
{
- if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
- return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
-
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+ pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
pem.buf, pem.buflen ) ) != 0 )
{
@@ -1113,10 +1125,9 @@
key, pwd, pwdlen, &len );
if( ret == 0 )
{
- if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL )
- return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+ pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
pem.buf, pem.buflen ) ) != 0 )
{
@@ -1193,12 +1204,24 @@
* error
*/
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
- if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen,
- pwd, pwdlen ) ) == 0 )
{
- return( 0 );
+ unsigned char *key_copy;
+
+ if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
+ return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+ memcpy( key_copy, key, keylen );
+
+ ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
+ pwd, pwdlen );
+
+ mbedtls_zeroize( key_copy, keylen );
+ mbedtls_free( key_copy );
}
+ if( ret == 0 )
+ return( 0 );
+
mbedtls_pk_free( pk );
if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
@@ -1213,29 +1236,35 @@
mbedtls_pk_free( pk );
#if defined(MBEDTLS_RSA_C)
- if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
- return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
- ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) ) == 0 )
+ pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+ ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
+ key, keylen ) ) != 0 )
+ {
+ mbedtls_pk_free( pk );
+ }
+ else
{
return( 0 );
}
- mbedtls_pk_free( pk );
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
- if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) ) == NULL )
- return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
- if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
- ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), key, keylen ) ) == 0 )
+ pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+ if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+ ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+ key, keylen ) ) != 0 )
+ {
+ mbedtls_pk_free( pk );
+ }
+ else
{
return( 0 );
}
- mbedtls_pk_free( pk );
#endif /* MBEDTLS_ECP_C */
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
diff --git a/library/rsa.c b/library/rsa.c
index e831875..40ea642 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -23,6 +23,11 @@
*
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
+ * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ * Stefan Mangard
+ * https://arxiv.org/abs/1702.08719v2
+ *
*/
#if !defined(MBEDTLS_CONFIG_FILE)
@@ -55,6 +60,11 @@
#define mbedtls_free free
#endif
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
/*
* Initialize an RSA context
*/
@@ -351,6 +361,27 @@
}
/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on avarage.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on avarage.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
* Do an RSA private key operation
*/
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
@@ -362,12 +393,34 @@
int ret;
size_t olen;
mbedtls_mpi T, T1, T2;
+ mbedtls_mpi P1, Q1, R;
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi D_blind;
+ mbedtls_mpi *D = &ctx->D;
+#else
+ mbedtls_mpi DP_blind, DQ_blind;
+ mbedtls_mpi *DP = &ctx->DP;
+ mbedtls_mpi *DQ = &ctx->DQ;
+#endif
/* Make sure we have private key info, prevent possible misuse */
if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
+ mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );
+
+
+ if( f_rng != NULL )
+ {
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_init( &D_blind );
+#else
+ mbedtls_mpi_init( &DP_blind );
+ mbedtls_mpi_init( &DQ_blind );
+#endif
+ }
+
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
@@ -390,19 +443,60 @@
MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+
+ /*
+ * Exponent blinding
+ */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+ */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
+
+ D = &D_blind;
+#else
+ /*
+ * DP_blind = ( P - 1 ) * R + DP
+ */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
+ &ctx->DP ) );
+
+ DP = &DP_blind;
+
+ /*
+ * DQ_blind = ( Q - 1 ) * R + DQ
+ */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
+ &ctx->DQ ) );
+
+ DQ = &DQ_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
}
#if defined(MBEDTLS_RSA_NO_CRT)
- MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
#else
/*
- * faster decryption using the CRT
+ * Faster decryption using the CRT
*
* T1 = input ^ dP mod P
* T2 = input ^ dQ mod Q
*/
- MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );
/*
* T = (T1 - T2) * (Q^-1 mod P) mod P
@@ -438,6 +532,17 @@
#endif
mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
+ mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );
+
+ if( f_rng != NULL )
+ {
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free( &D_blind );
+#else
+ mbedtls_mpi_free( &DP_blind );
+ mbedtls_mpi_free( &DQ_blind );
+#endif
+ }
if( ret != 0 )
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
@@ -491,6 +596,8 @@
dlen -= use_len;
}
+
+ mbedtls_zeroize( mask, sizeof( mask ) );
}
#endif /* MBEDTLS_PKCS1_V21 */
@@ -724,7 +831,7 @@
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
- return( ret );
+ goto cleanup;
/*
* Unmask data and generate lHash
@@ -733,7 +840,7 @@
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
- return( ret );
+ goto cleanup;
}
@@ -784,15 +891,26 @@
* the different error conditions.
*/
if( bad != 0 )
- return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+ {
+ ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+ goto cleanup;
+ }
if( ilen - ( p - buf ) > output_max_len )
- return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+ {
+ ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ goto cleanup;
+ }
*olen = ilen - (p - buf);
memcpy( output, p, *olen );
+ ret = 0;
- return( 0 );
+cleanup:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+ mbedtls_zeroize( lhash, sizeof( lhash ) );
+
+ return( ret );
}
#endif /* MBEDTLS_PKCS1_V21 */
@@ -826,7 +944,7 @@
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
- return( ret );
+ goto cleanup;
p = buf;
bad = 0;
@@ -871,15 +989,25 @@
bad |= ( pad_count < 8 );
if( bad )
- return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+ {
+ ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+ goto cleanup;
+ }
if( ilen - ( p - buf ) > output_max_len )
- return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+ {
+ ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ goto cleanup;
+ }
*olen = ilen - (p - buf);
memcpy( output, p, *olen );
+ ret = 0;
- return( 0 );
+cleanup:
+ mbedtls_zeroize( buf, sizeof( buf ) );
+
+ return( ret );
}
#endif /* MBEDTLS_PKCS1_V15 */
@@ -984,6 +1112,7 @@
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
+ /* No need to zeroize salt: we didn't use it. */
return( ret );
}
@@ -994,6 +1123,7 @@
mbedtls_md_update( &md_ctx, hash, hashlen );
mbedtls_md_update( &md_ctx, salt, slen );
mbedtls_md_finish( &md_ctx, p );
+ mbedtls_zeroize( salt, sizeof( salt ) );
// Compensate for boundary condition when applying mask
//
@@ -1343,7 +1473,7 @@
{
int ret;
size_t len, siglen, asn1_len;
- unsigned char *p, *end;
+ unsigned char *p, *p0, *end;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
mbedtls_md_type_t msg_md_alg;
const mbedtls_md_info_t *md_info;
@@ -1375,7 +1505,11 @@
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
p++;
}
- p++;
+ p++; /* skip 00 byte */
+
+ /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+ if( p - buf < 11 )
+ return( MBEDTLS_ERR_RSA_INVALID_PADDING );
len = siglen - ( p - buf );
@@ -1394,24 +1528,30 @@
end = p + len;
- // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
- //
+ /*
+ * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
+ * Insist on 2-byte length tags, to protect against variants of
+ * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
+ */
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
- if( asn1_len + 2 != len )
+ if( p != p0 + 2 || asn1_len + 2 != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
- if( asn1_len + 6 + hashlen != len )
+ if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 2 )
+ return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
oid.p = p;
p += oid.len;
@@ -1425,13 +1565,16 @@
/*
* assume the algorithm parameters must be NULL
*/
+ p0 = p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
-
- if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+ if( p != p0 + 2 )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
- if( asn1_len != hashlen )
+ p0 = p;
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+ return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 2 || asn1_len != hashlen )
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
if( memcmp( p, hash, hashlen ) != 0 )
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 8bad7ab..d4996b2 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1797,6 +1797,24 @@
return( MBEDTLS_PK_NONE );
}
}
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ return( MBEDTLS_PK_RSA );
+
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return( MBEDTLS_PK_ECDSA );
+
+ default:
+ return( MBEDTLS_PK_NONE );
+ }
+}
+
#endif /* MBEDTLS_PK_C */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 3d7283c..94c521d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -80,6 +80,13 @@
}
/*
+ * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+ *
+ * In order to provide any of the server names, clients MAY include an
+ * extension of type "server_name" in the (extended) client hello. The
+ * "extension_data" field of this extension SHALL contain
+ * "ServerNameList" where:
+ *
* struct {
* NameType name_type;
* select (name_type) {
@@ -96,6 +103,7 @@
* struct {
* ServerName server_name_list<1..2^16-1>
* } ServerNameList;
+ *
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
@@ -1304,6 +1312,8 @@
}
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+
+ ssl->keep_current_message = 1;
return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -1845,7 +1855,8 @@
if( (*p) + len > end )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+ "(psk_identity_hint length)" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -1984,8 +1995,8 @@
*/
if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm "
- "that was not offered" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
+ *(p)[0] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2043,7 +2054,8 @@
static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
{
int ret;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
unsigned char *p, *end;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
@@ -2100,11 +2112,14 @@
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{
- ssl->record_read = 1;
+ /* Current message is probably either
+ * CertificateRequest or ServerHelloDone */
+ ssl->keep_current_message = 1;
goto exit;
}
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
+ "not be skipped" ) );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -2170,12 +2185,8 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
{
size_t sig_len, hashlen;
unsigned char hash[64];
@@ -2344,9 +2355,7 @@
return( ret );
}
}
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
exit:
ssl->state++;
@@ -2356,22 +2365,15 @@
return( 0 );
}
-#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
- !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
- !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
- !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
- !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
- !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+ if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
ssl->state++;
@@ -2381,57 +2383,49 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
-#else
+#else /* ! MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
int ret;
unsigned char *buf, *p;
size_t n = 0, m = 0;
size_t cert_type_len = 0, dn_len = 0;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+ if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
ssl->state++;
return( 0 );
}
- if( ssl->record_read == 0 )
+ if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
- return( ret );
- }
-
- if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
- }
-
- ssl->record_read = 1;
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+ return( ret );
}
- ssl->client_auth = 0;
- ssl->state++;
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
- if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
- ssl->client_auth++;
+ ssl->state++;
+ ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
ssl->client_auth ? "a" : "no" ) );
if( ssl->client_auth == 0 )
+ {
+ /* Current message is probably the ServerHelloDone */
+ ssl->keep_current_message = 1;
goto exit;
-
- ssl->record_read = 0;
+ }
// TODO: handshake_failure alert for an anonymous server to request
// client authentication
@@ -2522,12 +2516,7 @@
return( 0 );
}
-#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
- !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
- !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
- !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
- !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
- !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
{
@@ -2535,21 +2524,17 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
- if( ssl->record_read == 0 )
+ if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
- return( ret );
- }
-
- if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
- }
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+ return( ret );
}
- ssl->record_read = 0;
+
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
@@ -2574,7 +2559,8 @@
{
int ret;
size_t i, n;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
@@ -2661,10 +2647,7 @@
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+ if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
{
/*
* opaque psk_identity<0..2^16-1>;
@@ -2809,7 +2792,8 @@
!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
int ret;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
@@ -2837,7 +2821,8 @@
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
size_t n = 0, offset = 0;
unsigned char hash[48];
unsigned char *hash_start = hash;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 6f80003..1002adf 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -186,15 +186,30 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t sig_alg_list_size;
+
const unsigned char *p;
const unsigned char *end = buf + len;
- const int *md_cur;
+ mbedtls_md_type_t md_cur;
+ mbedtls_pk_type_t sig_cur;
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len ||
@@ -204,29 +219,49 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
- /*
- * For now, ignore the SignatureAlgorithm part and rely on offered
- * ciphersuites only for that part. To be fixed later.
+ /* Currently we only guarantee signing the ServerKeyExchange message according
+ * to the constraints specified in this extension (see above), so it suffices
+ * to remember only one suitable hash for each possible signature algorithm.
*
- * So, just look at the HashAlgorithm part.
+ * This will change when we also consider certificate signatures,
+ * in which case we will need to remember the whole signature-hash
+ * pair list from the extension.
*/
- for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
- for( p = buf + 2; p < end; p += 2 ) {
- if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
- ssl->handshake->sig_alg = p[0];
- goto have_sig_alg;
- }
+
+ for( p = buf + 2; p < end; p += 2 )
+ {
+ /* Silently ignore unknown signature or hash algorithms. */
+
+ if( (sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
+ " unknown sig alg encoding %d", p[1] ) );
+ continue;
+ }
+
+ /* Check if we support the hash the user proposes */
+ md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
+ if( md_cur == MBEDTLS_MD_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+ " unknown hash alg encoding %d", p[0] ) );
+ continue;
+ }
+
+ if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+ {
+ mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+ " match sig %d and hash %d",
+ sig_cur, md_cur ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
+ "hash alg %d not supported", md_cur ) );
}
}
- /* Some key echanges do not need signatures at all */
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
- return( 0 );
-
-have_sig_alg:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
- ssl->handshake->sig_alg ) );
-
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
@@ -573,7 +608,8 @@
const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
{
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
- mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+ mbedtls_pk_type_t pk_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -676,6 +712,11 @@
{
const mbedtls_ssl_ciphersuite_t *suite_info;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ mbedtls_pk_type_t sig_type;
+#endif
+
suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
if( suite_info == NULL )
{
@@ -731,6 +772,25 @@
}
#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ /* If the ciphersuite requires signing, check whether
+ * a suitable hash algorithm is present. */
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
+ sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+ if( sig_type != MBEDTLS_PK_NONE &&
+ mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+ "for signature algorithm %d", sig_type ) );
+ return( 0 );
+ }
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@@ -1041,6 +1101,15 @@
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
int major, minor;
+ /* If there is no signature-algorithm extension present,
+ * we need to fall back to the default values for allowed
+ * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@@ -1160,7 +1229,8 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
- if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
+ if( ( ret = mbedtls_ssl_fetch_input( ssl,
+ mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
return( ret );
@@ -1533,15 +1603,13 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
case MBEDTLS_TLS_EXT_SIG_ALG:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
- break;
-#endif
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
if( ret != 0 )
return( ret );
+
+ sig_hash_alg_ext_present = 1;
break;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
@@ -1643,7 +1711,7 @@
#endif
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
- for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
+ for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
{
if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
@@ -1665,6 +1733,26 @@
}
#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+ /*
+ * Try to fall back to default hash SHA1 if the client
+ * hasn't provided any preferred signature-hash combinations.
+ */
+ if( sig_hash_alg_ext_present == 0 )
+ {
+ mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+ if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
+ md_default = MBEDTLS_MD_NONE;
+
+ mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
/*
* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
@@ -1676,7 +1764,8 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+ "during renegotiation" ) );
if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret );
@@ -1791,6 +1880,28 @@
mbedtls_ssl_recv_flight_completed( ssl );
#endif
+ /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+ {
+ mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+ if( sig_alg != MBEDTLS_PK_NONE )
+ {
+ mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+ sig_alg );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
+ mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
+ "%d - should not happen", sig_alg ) );
+ }
+ }
+#endif
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
return( 0 );
@@ -2345,7 +2456,8 @@
!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
@@ -2366,7 +2478,8 @@
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
size_t dn_size, total_dn_size; /* excluding length bytes */
size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p;
@@ -2563,52 +2676,54 @@
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
unsigned char *p = ssl->out_msg + 4;
+ size_t len;
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
unsigned char *dig_signed = p;
- size_t dig_signed_len = 0, len;
- ((void) dig_signed);
- ((void) dig_signed_len);
-#endif
+ size_t dig_signed_len = 0;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
- ssl->state++;
- return( 0 );
- }
-#endif
+ /*
+ *
+ * Part 1: Extract static ECDH parameters and abort
+ * if ServerKeyExchange not needed.
+ *
+ */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+ /* For suites involving ECDH, extract DH parameters
+ * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
{
ssl_get_ecdh_params_from_cert( ssl );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+ /* Key exchanges not involving ephemeral keys don't use
+ * ServerKeyExchange, so end here. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+ if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
ssl->state++;
return( 0 );
}
-#endif
+#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+ /*
+ * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+ * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+ * we use empty support identity hints here.
+ **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
{
- /* TODO: Support identity hints */
*(p++) = 0x00;
*(p++) = 0x00;
@@ -2617,10 +2732,11 @@
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+ /*
+ * - DHE key exchanges
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
{
if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
{
@@ -2652,8 +2768,10 @@
return( ret );
}
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
dig_signed = p;
dig_signed_len = len;
+#endif
p += len;
n += len;
@@ -2663,13 +2781,13 @@
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
+ /*
+ * - ECDHE key exchanges
+ */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+ if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
{
/*
* Ephemeral ECDH parameters:
@@ -2711,9 +2829,11 @@
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
return( ret );
}
-
- dig_signed = p;
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ dig_signed = p;
dig_signed_len = len;
+#endif
p += len;
n += len;
@@ -2722,29 +2842,44 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
- if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+ /*
+ *
+ * Part 3: For key exchanges involving the server signing the
+ * exchange parameters, compute and add the signature here.
+ *
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
{
size_t signature_len = 0;
unsigned int hashlen = 0;
unsigned char hash[64];
- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
/*
- * Choose hash algorithm. NONE means MD5 + SHA1 here.
+ * 3.1: Choose hash algorithm:
+ * A: For TLS 1.2, obey signature-hash-algorithm extension
+ * to choose appropriate hash.
+ * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
+ * (RFC 4492, Sec. 5.4)
+ * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
*/
+
+ mbedtls_md_type_t md_alg;
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ mbedtls_pk_type_t sig_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
-
- if( md_alg == MBEDTLS_MD_NONE )
+ /* A: For TLS 1.2, obey signature-hash-algorithm extension
+ * (RFC 5246, Sec. 7.4.1.4.1). */
+ if( sig_alg == MBEDTLS_PK_NONE ||
+ ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+ sig_alg ) ) == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ /* (... because we choose a cipher suite
+ * only if there is a matching hash.) */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
@@ -2752,19 +2887,23 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
- if( ciphersuite_info->key_exchange ==
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+ if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
{
+ /* B: Default hash SHA1 */
md_alg = MBEDTLS_MD_SHA1;
}
else
-#endif
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+ MBEDTLS_SSL_PROTO_TLS1_1 */
{
+ /* C: MD5 + SHA1 */
md_alg = MBEDTLS_MD_NONE;
}
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+
/*
- * Compute the hash to be signed
+ * 3.2: Compute the hash to be signed
*/
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
@@ -2789,6 +2928,7 @@
* SHA(ClientHello.random + ServerHello.random
* + ServerParams);
*/
+
mbedtls_md5_starts( &mbedtls_md5 );
mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
@@ -2850,7 +2990,7 @@
(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
/*
- * Make the signature
+ * 3.3: Compute and add the signature
*/
if( mbedtls_ssl_own_key( ssl ) == NULL )
{
@@ -2861,16 +3001,31 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- *(p++) = ssl->handshake->sig_alg;
- *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
+ /*
+ * For TLS 1.2, we need to specify signature and hash algorithm
+ * explicitly through a prefix to the signature.
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * struct {
+ * SignatureAndHashAlgorithm algorithm;
+ * opaque signature<0..2^16-1>;
+ * } DigitallySigned;
+ *
+ */
+
+ *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
+ *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
n += 2;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
- p + 2 , &signature_len,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
@@ -2884,9 +3039,9 @@
n += signature_len;
}
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+ /* Done with actual work; add header and send. */
ssl->out_msglen = 4 + n;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
@@ -3380,7 +3535,8 @@
!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
@@ -3409,7 +3565,8 @@
mbedtls_pk_type_t pk_alg;
#endif
mbedtls_md_type_t md_alg;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 43efe0c..79fb9a7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3458,7 +3458,6 @@
*/
static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{
- int ret;
int major_ver, minor_ver;
MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
@@ -3480,12 +3479,13 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
- if( ( ret = mbedtls_ssl_send_alert_message( ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
- {
- return( ret );
- }
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ /* Silently ignore invalid DTLS records as recommended by RFC 6347
+ * Section 4.1.2.7 */
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
@@ -3716,31 +3716,123 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
- if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
+ if( ssl->keep_current_message == 1 )
{
- /*
- * Get next Handshake message in the current record
- */
- ssl->in_msglen -= ssl->in_hslen;
-
- memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
- ssl->in_msglen );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
- ssl->in_msg, ssl->in_msglen );
-
- if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
- return( ret );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+ ssl->keep_current_message = 0;
return( 0 );
}
- ssl->in_hslen = 0;
+ /*
+ * Step A
+ *
+ * Consume last content-layer message and potentially
+ * update in_msglen which keeps track of the contents'
+ * consumption state.
+ *
+ * (1) Handshake messages:
+ * Remove last handshake message, move content
+ * and adapt in_msglen.
+ *
+ * (2) Alert messages:
+ * Consume whole record content, in_msglen = 0.
+ *
+ * NOTE: This needs to be fixed, since like for
+ * handshake messages it is allowed to have
+ * multiple alerts witin a single record.
+ * Internal reference IOTSSL-1321.
+ *
+ * (3) Change cipher spec:
+ * Consume whole record content, in_msglen = 0.
+ *
+ * (4) Application data:
+ * Don't do anything - the record layer provides
+ * the application data as a stream transport
+ * and consumes through mbedtls_ssl_read only.
+ *
+ */
+
+ /* Case (1): Handshake messages */
+
+ if( ssl->in_hslen != 0 )
+ {
+ if( ssl->in_offt != NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ /*
+ * Get next Handshake message in the current record
+ */
+
+ /* Notes:
+ * (1) in_hslen is *NOT* necessarily the size of the
+ * current handshake content: If DTLS handshake
+ * fragmentation is used, that's the fragment
+ * size instead. Using the total handshake message
+ * size here is FAULTY and should be changed at
+ * some point. Internal reference IOTSSL-1414.
+ * (2) While it doesn't seem to cause problems, one
+ * has to be very careful not to assume that in_hslen
+ * is always <= in_msglen in a sensible communication.
+ * Again, it's wrong for DTLS handshake fragmentation.
+ * The following check is therefore mandatory, and
+ * should not be treated as a silently corrected assertion.
+ */
+ if( ssl->in_hslen < ssl->in_msglen )
+ {
+ ssl->in_msglen -= ssl->in_hslen;
+ memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+ ssl->in_msglen );
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
+ ssl->in_msg, ssl->in_msglen );
+
+ if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
+ return( ret );
+
+ return( 0 );
+ }
+ else
+ {
+ ssl->in_msglen = 0;
+ }
+
+ ssl->in_hslen = 0;
+ }
+ /* Case (4): Application data */
+ else if( ssl->in_offt != NULL )
+ {
+ return( 0 );
+ }
+ /* Everything else (CCS & Alerts) */
+ else
+ {
+ ssl->in_msglen = 0;
+ }
/*
- * Read the record header and parse it
+ * Step B
+ *
+ * Fetch and decode new record if current one is fully consumed.
+ *
*/
+
+ if( ssl->in_msglen > 0 )
+ {
+ /* There's something left to be processed in the current record. */
+ return( 0 );
+ }
+
+ /* Need to fetch a new record */
+
read_record_header:
+
+ /* Current record either fully processed or to be discarded. */
+
if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
@@ -3832,6 +3924,12 @@
}
#endif
+ /* As above, invalid records cause
+ * dismissal of the whole datagram. */
+
+ ssl->next_record_offset = 0;
+ ssl->in_left = 0;
+
MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
goto read_record_header;
}
@@ -4378,12 +4476,6 @@
ca_crl = ssl->conf->ca_crl;
}
- if( ca_chain == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
- return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED );
- }
-
/*
* Main check: verify certificate
*/
@@ -4412,6 +4504,8 @@
if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
{
+ ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
if( ret == 0 )
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
@@ -4420,8 +4514,8 @@
#endif /* MBEDTLS_ECP_C */
if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
- ciphersuite_info,
- ! ssl->conf->endpoint,
+ ciphersuite_info,
+ ! ssl->conf->endpoint,
&ssl->session_negotiate->verify_result ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
@@ -4429,8 +4523,36 @@
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
}
- if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+ /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+ * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+ * with details encoded in the verification flags. All other kinds
+ * of error codes, including those from the user provided f_vrfy
+ * functions, are treated as fatal and lead to a failure of
+ * ssl_parse_certificate even if verification was optional. */
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+ ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
+ {
ret = 0;
+ }
+
+ if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
+ ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ if( ssl->session_negotiate->verify_result != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
+ ssl->session_negotiate->verify_result ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
+ }
+#endif /* MBEDTLS_DEBUG_C */
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
@@ -5185,7 +5307,11 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
handshake->update_checksum = ssl_update_checksum_start;
- handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+ mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
+#endif
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_init( &handshake->dhm_ctx );
@@ -5424,7 +5550,7 @@
ssl->in_hslen = 0;
ssl->nb_zero = 0;
- ssl->record_read = 0;
+ ssl->keep_current_message = 0;
ssl->out_msg = ssl->out_buf + 13;
ssl->out_msgtype = 0;
@@ -5854,7 +5980,7 @@
{
conf->sig_hashes = hashes;
}
-#endif
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(MBEDTLS_ECP_C)
/*
@@ -5865,36 +5991,55 @@
{
conf->curve_list = curve_list;
}
-#endif
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
{
- size_t hostname_len;
+ /* Initialize to suppress unnecessary compiler warning */
+ size_t hostname_len = 0;
+
+ /* Check if new hostname is valid before
+ * making any change to current one */
+
+ if( hostname != NULL )
+ {
+ hostname_len = strlen( hostname );
+
+ if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ /* Now it's clear that we will overwrite the old hostname,
+ * so we can free it safely */
+
+ if( ssl->hostname != NULL )
+ {
+ mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+ mbedtls_free( ssl->hostname );
+ }
+
+ /* Passing NULL as hostname shall clear the old one */
if( hostname == NULL )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ {
+ ssl->hostname = NULL;
+ }
+ else
+ {
+ ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
- hostname_len = strlen( hostname );
+ if( ssl->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
- if( hostname_len + 1 == 0 )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ memcpy( ssl->hostname, hostname, hostname_len );
- if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
- ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
-
- if( ssl->hostname == NULL )
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
-
- memcpy( ssl->hostname, hostname, hostname_len );
-
- ssl->hostname[hostname_len] = '\0';
+ ssl->hostname[hostname_len] = '\0';
+ }
return( 0 );
}
-#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
@@ -6411,7 +6556,7 @@
*/
int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
{
- int ret, record_read = 0;
+ int ret;
size_t n;
if( ssl == NULL || ssl->conf == NULL )
@@ -6434,8 +6579,22 @@
}
#endif
+ /*
+ * Check if renegotiation is necessary and/or handshake is
+ * in process. If yes, perform/continue, and fall through
+ * if an unexpected packet is received while the client
+ * is waiting for the ServerHello.
+ *
+ * (There is no equivalent to the last condition on
+ * the server-side as it is not treated as within
+ * a handshake while waiting for the ClientHello
+ * after a renegotiation request.)
+ */
+
#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+ ret = ssl_check_ctr_renegotiate( ssl );
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
@@ -6445,11 +6604,8 @@
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
ret = mbedtls_ssl_handshake( ssl );
- if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
- {
- record_read = 1;
- }
- else if( ret != 0 )
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
return( ret );
@@ -6465,16 +6621,13 @@
ssl_set_timer( ssl, ssl->conf->read_timeout );
}
- if( ! record_read )
+ if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
- {
- if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
- return( 0 );
+ if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+ return( 0 );
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
- return( ret );
- }
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+ return( ret );
}
if( ssl->in_msglen == 0 &&
@@ -6512,7 +6665,9 @@
#endif
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
{
@@ -6575,25 +6730,18 @@
}
#endif
ret = ssl_start_renegotiation( ssl );
- if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
- {
- record_read = 1;
- }
- else if( ret != 0 )
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
return( ret );
}
}
- /* If a non-handshake record was read during renego, fallthrough,
- * else tell the user they should call mbedtls_ssl_read() again */
- if( ! record_read )
- return( MBEDTLS_ERR_SSL_WANT_READ );
+ return( MBEDTLS_ERR_SSL_WANT_READ );
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
-
if( ssl->conf->renego_max_records >= 0 )
{
if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
@@ -6651,8 +6799,11 @@
ssl->in_msglen -= n;
if( ssl->in_msglen == 0 )
+ {
/* all bytes consumed */
ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ }
else
/* more data available */
ssl->in_offt += n;
@@ -6672,7 +6823,9 @@
int ret;
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
-
+#else
+ size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
if( len > max_len )
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -6687,7 +6840,6 @@
#endif
len = max_len;
}
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
if( ssl->out_left != 0 )
{
@@ -6718,7 +6870,7 @@
*
* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
* then the caller will call us again with the same arguments, so
- * remember wether we already did the split or not.
+ * remember whether we already did the split or not.
*/
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
static int ssl_write_split( mbedtls_ssl_context *ssl,
@@ -7039,7 +7191,7 @@
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA224,
#endif
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
MBEDTLS_MD_SHA1,
#endif
MBEDTLS_MD_NONE
@@ -7263,6 +7415,19 @@
return( MBEDTLS_SSL_SIG_ANON );
}
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
+{
+ switch( type ) {
+ case MBEDTLS_PK_RSA:
+ return( MBEDTLS_SSL_SIG_RSA );
+ case MBEDTLS_PK_ECDSA:
+ case MBEDTLS_PK_ECKEY:
+ return( MBEDTLS_SSL_SIG_ECDSA );
+ default:
+ return( MBEDTLS_SSL_SIG_ANON );
+ }
+}
+
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
{
switch( sig )
@@ -7281,6 +7446,57 @@
}
#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_pk_type_t sig_alg )
+{
+ switch( sig_alg )
+ {
+ case MBEDTLS_PK_RSA:
+ return( set->rsa );
+ case MBEDTLS_PK_ECDSA:
+ return( set->ecdsa );
+ default:
+ return( MBEDTLS_MD_NONE );
+ }
+}
+
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_pk_type_t sig_alg,
+ mbedtls_md_type_t md_alg )
+{
+ switch( sig_alg )
+ {
+ case MBEDTLS_PK_RSA:
+ if( set->rsa == MBEDTLS_MD_NONE )
+ set->rsa = md_alg;
+ break;
+
+ case MBEDTLS_PK_ECDSA:
+ if( set->ecdsa == MBEDTLS_MD_NONE )
+ set->ecdsa = md_alg;
+ break;
+
+ default:
+ break;
+ }
+}
+
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+ mbedtls_md_type_t md_alg )
+{
+ set->rsa = md_alg;
+ set->ecdsa = md_alg;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
/*
* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
*/
diff --git a/library/threading.c b/library/threading.c
index 83ec01a..0758675 100644
--- a/library/threading.c
+++ b/library/threading.c
@@ -32,7 +32,7 @@
#if defined(MBEDTLS_THREADING_PTHREAD)
static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex )
{
- if( mutex == NULL || mutex->is_valid )
+ if( mutex == NULL )
return;
mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0;
diff --git a/library/x509.c b/library/x509.c
index 844cd6d..3cfa1d1 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -491,29 +491,35 @@
return( 0 );
}
-static int x509_date_is_valid(const mbedtls_x509_time *time)
+static int x509_date_is_valid(const mbedtls_x509_time *t )
{
int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+ int month_len;
- CHECK_RANGE( 0, 9999, time->year );
- CHECK_RANGE( 0, 23, time->hour );
- CHECK_RANGE( 0, 59, time->min );
- CHECK_RANGE( 0, 59, time->sec );
+ CHECK_RANGE( 0, 9999, t->year );
+ CHECK_RANGE( 0, 23, t->hour );
+ CHECK_RANGE( 0, 59, t->min );
+ CHECK_RANGE( 0, 59, t->sec );
- switch( time->mon )
+ switch( t->mon )
{
case 1: case 3: case 5: case 7: case 8: case 10: case 12:
- CHECK_RANGE( 1, 31, time->day );
+ month_len = 31;
break;
case 4: case 6: case 9: case 11:
- CHECK_RANGE( 1, 30, time->day );
+ month_len = 30;
break;
case 2:
- CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
+ if( ( !( t->year % 4 ) && t->year % 100 ) ||
+ !( t->year % 400 ) )
+ month_len = 29;
+ else
+ month_len = 28;
break;
default:
return( ret );
}
+ CHECK_RANGE( 1, month_len, t->day );
return( 0 );
}
@@ -523,7 +529,7 @@
* field.
*/
static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
- mbedtls_x509_time *time )
+ mbedtls_x509_time *tm )
{
int ret;
@@ -537,26 +543,26 @@
/*
* Parse year, month, day, hour, minute
*/
- CHECK( x509_parse_int( p, yearlen, &time->year ) );
+ CHECK( x509_parse_int( p, yearlen, &tm->year ) );
if ( 2 == yearlen )
{
- if ( time->year < 50 )
- time->year += 100;
+ if ( tm->year < 50 )
+ tm->year += 100;
- time->year += 1900;
+ tm->year += 1900;
}
- CHECK( x509_parse_int( p, 2, &time->mon ) );
- CHECK( x509_parse_int( p, 2, &time->day ) );
- CHECK( x509_parse_int( p, 2, &time->hour ) );
- CHECK( x509_parse_int( p, 2, &time->min ) );
+ CHECK( x509_parse_int( p, 2, &tm->mon ) );
+ CHECK( x509_parse_int( p, 2, &tm->day ) );
+ CHECK( x509_parse_int( p, 2, &tm->hour ) );
+ CHECK( x509_parse_int( p, 2, &tm->min ) );
/*
* Parse seconds if present
*/
if ( len >= 2 )
{
- CHECK( x509_parse_int( p, 2, &time->sec ) );
+ CHECK( x509_parse_int( p, 2, &tm->sec ) );
len -= 2;
}
else
@@ -577,7 +583,7 @@
if ( 0 != len )
return ( MBEDTLS_ERR_X509_INVALID_DATE );
- CHECK( x509_date_is_valid( time ) );
+ CHECK( x509_date_is_valid( tm ) );
return ( 0 );
}
@@ -588,7 +594,7 @@
* generalTime GeneralizedTime }
*/
int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
- mbedtls_x509_time *time )
+ mbedtls_x509_time *tm )
{
int ret;
size_t len, year_len;
@@ -614,7 +620,7 @@
if( ret != 0 )
return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
- return x509_parse_time( p, len, year_len, time );
+ return x509_parse_time( p, len, year_len, tm );
}
int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
@@ -1030,7 +1036,7 @@
*/
int mbedtls_x509_self_test( int verbose )
{
-#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
int ret;
uint32_t flags;
mbedtls_x509_crt cacert;
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 3af10f6..a3ef8b4 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -352,14 +352,14 @@
return( ret );
}
- crl->version++;
-
- if( crl->version > 2 )
+ if( crl->version < 0 || crl->version > 1 )
{
mbedtls_x509_crl_free( crl );
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
}
+ crl->version++;
+
if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
&crl->sig_md, &crl->sig_pk,
&crl->sig_opts ) ) != 0 )
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 84a2d4f..8cb1923 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -85,9 +85,11 @@
*/
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
- /* Hashes from SHA-1 and above */
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
+ /* Allow SHA-1 (weak, but still safe in controlled environments) */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+#endif
+ /* Only SHA-2 hashes */
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
@@ -749,14 +751,14 @@
return( ret );
}
- crt->version++;
-
- if( crt->version > 3 )
+ if( crt->version < 0 || crt->version > 2 )
{
mbedtls_x509_crt_free( crt );
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
}
+ crt->version++;
+
if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
&crt->sig_md, &crt->sig_pk,
&crt->sig_opts ) ) != 0 )
@@ -1143,7 +1145,10 @@
p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
- return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+ {
+ ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ goto cleanup;
+ }
w_ret = mbedtls_x509_crt_parse_file( chain, filename );
if( w_ret < 0 )
@@ -1156,6 +1161,7 @@
if( GetLastError() != ERROR_NO_MORE_FILES )
ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+cleanup:
FindClose( hFind );
#else /* _WIN32 */
int t_ret;
@@ -1167,13 +1173,13 @@
if( dir == NULL )
return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
-#if defined(MBEDTLS_THREADING_PTHREAD)
+#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
{
closedir( dir );
return( ret );
}
-#endif
+#endif /* MBEDTLS_THREADING_C */
while( ( entry = readdir( dir ) ) != NULL )
{
@@ -1200,10 +1206,10 @@
closedir( dir );
cleanup:
-#if defined(MBEDTLS_THREADING_PTHREAD)
+#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
-#endif
+#endif /* MBEDTLS_THREADING_C */
#endif /* _WIN32 */
@@ -2044,8 +2050,8 @@
/* path_cnt is 0 for the first intermediate CA */
if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
{
- *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
- return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
+ /* return immediately as the goal is to avoid unbounded recursion */
+ return( MBEDTLS_ERR_X509_FATAL_ERROR );
}
if( mbedtls_x509_time_is_past( &child->valid_to ) )
@@ -2189,11 +2195,14 @@
mbedtls_x509_sequence *cur = NULL;
mbedtls_pk_type_t pk_type;
- if( profile == NULL )
- return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
-
*flags = 0;
+ if( profile == NULL )
+ {
+ ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ goto exit;
+ }
+
if( cn != NULL )
{
name = &crt->subject;
@@ -2267,7 +2276,7 @@
ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 )
- return( ret );
+ goto exit;
}
else
{
@@ -2282,17 +2291,30 @@
ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 )
- return( ret );
+ goto exit;
}
else
{
ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
pathlen, selfsigned, flags, f_vrfy, p_vrfy );
if( ret != 0 )
- return( ret );
+ goto exit;
}
}
+exit:
+ /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+ * the SSL module for authmode optional, but non-zero return from the
+ * callback means a fatal error so it shouldn't be ignored */
+ if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+ ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+
+ if( ret != 0 )
+ {
+ *flags = (uint32_t) -1;
+ return( ret );
+ }
+
if( *flags != 0 )
return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 60f66b3..c706dbd 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -168,14 +168,14 @@
return( ret );
}
- csr->version++;
-
- if( csr->version != 1 )
+ if( csr->version != 0 )
{
mbedtls_x509_csr_free( csr );
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
}
+ csr->version++;
+
/*
* subject Name
*/
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index d1d9a22..0af23d7 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -51,7 +51,7 @@
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
{
- memset( ctx, 0, sizeof(mbedtls_x509write_cert) );
+ memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
mbedtls_mpi_init( &ctx->serial );
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
@@ -65,7 +65,7 @@
mbedtls_asn1_free_named_data_list( &ctx->issuer );
mbedtls_asn1_free_named_data_list( &ctx->extensions );
- mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_cert) );
+ mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
}
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
@@ -193,14 +193,14 @@
{
int ret;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
- unsigned char *c = buf + sizeof(buf);
+ unsigned char *c = buf + sizeof( buf );
size_t len = 0;
memset( buf, 0, sizeof(buf) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
- mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 );
- c = buf + sizeof(buf) - 20;
+ mbedtls_sha1( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 );
+ c = buf + sizeof( buf ) - 20;
len = 20;
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
@@ -212,7 +212,7 @@
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
- 0, buf + sizeof(buf) - len, len );
+ 0, buf + sizeof( buf ) - len, len );
}
#endif /* MBEDTLS_SHA1_C */
@@ -264,7 +264,7 @@
}
static int x509_write_time( unsigned char **p, unsigned char *start,
- const char *time, size_t size )
+ const char *t, size_t size )
{
int ret;
size_t len = 0;
@@ -272,10 +272,10 @@
/*
* write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
*/
- if( time[0] == '2' && time[1] == '0' && time [2] < '5' )
+ if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
{
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
- (const unsigned char *) time + 2,
+ (const unsigned char *) t + 2,
size - 2 ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
@@ -283,7 +283,7 @@
else
{
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
- (const unsigned char *) time,
+ (const unsigned char *) t,
size ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
@@ -313,12 +313,18 @@
c = tmp_buf + sizeof( tmp_buf );
/* Signature algorithm needed in TBS, and later for actual signature */
- pk_alg = mbedtls_pk_get_type( ctx->issuer_key );
- if( pk_alg == MBEDTLS_PK_ECKEY )
+
+ /* There's no direct way of extracting a signature algorithm
+ * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+ if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
+ pk_alg = MBEDTLS_PK_RSA;
+ else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
pk_alg = MBEDTLS_PK_ECDSA;
+ else
+ return( MBEDTLS_ERR_X509_INVALID_ALG );
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
- &sig_oid, &sig_oid_len ) ) != 0 )
+ &sig_oid, &sig_oid_len ) ) != 0 )
{
return( ret );
}
@@ -326,13 +332,18 @@
/*
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*/
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+
+ /* Only for v3 */
+ if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
+ {
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+ }
/*
* SubjectPublicKeyInfo
@@ -384,16 +395,21 @@
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
- sub_len = 0;
- MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
- len += sub_len;
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+
+ /* Can be omitted for v1 */
+ if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
+ {
+ sub_len = 0;
+ MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+ len += sub_len;
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+ }
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_SEQUENCE ) );
/*
* Make signature
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 8fd856b..2c91608 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -50,7 +50,7 @@
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
{
- memset( ctx, 0, sizeof(mbedtls_x509write_csr) );
+ memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
}
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
@@ -58,7 +58,7 @@
mbedtls_asn1_free_named_data_list( &ctx->subject );
mbedtls_asn1_free_named_data_list( &ctx->extensions );
- mbedtls_zeroize( ctx, sizeof(mbedtls_x509write_csr) );
+ mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
}
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
@@ -194,14 +194,21 @@
*/
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
- pk_alg = mbedtls_pk_get_type( ctx->key );
- if( pk_alg == MBEDTLS_PK_ECKEY )
- pk_alg = MBEDTLS_PK_ECDSA;
-
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
- f_rng, p_rng ) ) != 0 ||
- ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
- &sig_oid, &sig_oid_len ) ) != 0 )
+ f_rng, p_rng ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
+ pk_alg = MBEDTLS_PK_RSA;
+ else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
+ pk_alg = MBEDTLS_PK_ECDSA;
+ else
+ return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+ if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+ &sig_oid, &sig_oid_len ) ) != 0 )
{
return( ret );
}
diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c
index 0270624..de9d422 100644
--- a/programs/aes/aescrypt2.c
+++ b/programs/aes/aescrypt2.c
@@ -79,7 +79,9 @@
FILE *fkey, *fin = NULL, *fout = NULL;
char *p;
+
unsigned char IV[16];
+ unsigned char tmp[16];
unsigned char key[512];
unsigned char digest[32];
unsigned char buffer[1024];
@@ -123,10 +125,10 @@
}
mode = atoi( argv[1] );
- memset(IV, 0, sizeof(IV));
- memset(key, 0, sizeof(key));
- memset(digest, 0, sizeof(digest));
- memset(buffer, 0, sizeof(buffer));
+ memset( IV, 0, sizeof( IV ) );
+ memset( key, 0, sizeof( key ) );
+ memset( digest, 0, sizeof( digest ) );
+ memset( buffer, 0, sizeof( buffer ) );
if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
{
@@ -153,7 +155,7 @@
}
/*
- * Read the secret key and clean the command line.
+ * Read the secret key from file or command line
*/
if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
{
@@ -185,8 +187,6 @@
}
}
- memset( argv[4], 0, strlen( argv[4] ) );
-
#if defined(_WIN32_WCE)
filesize = fseek( fin, 0L, SEEK_END );
#else
@@ -272,7 +272,6 @@
mbedtls_md_finish( &sha_ctx, digest );
}
- memset( key, 0, sizeof( key ) );
mbedtls_aes_setkey_enc( &aes_ctx, digest, 256 );
mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
@@ -319,8 +318,6 @@
if( mode == MODE_DECRYPT )
{
- unsigned char tmp[16];
-
/*
* The encrypted file must be structured as follows:
*
@@ -374,7 +371,6 @@
mbedtls_md_finish( &sha_ctx, digest );
}
- memset( key, 0, sizeof( key ) );
mbedtls_aes_setkey_dec( &aes_ctx, digest, 256 );
mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
@@ -441,6 +437,15 @@
if( fout )
fclose( fout );
+ /* Zeroize all command line arguments to also cover
+ the case when the user has missed or reordered some,
+ in which case the key might not be in argv[4]. */
+ for( i = 0; i < argc; i++ )
+ memset( argv[i], 0, strlen( argv[i] ) );
+
+ memset( IV, 0, sizeof( IV ) );
+ memset( key, 0, sizeof( key ) );
+ memset( tmp, 0, sizeof( tmp ) );
memset( buffer, 0, sizeof( buffer ) );
memset( digest, 0, sizeof( digest ) );
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 02f57b3..5885bdb 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -187,7 +187,7 @@
mbedtls_md_setup( &md_ctx, md_info, 1 );
/*
- * Read the secret key and clean the command line.
+ * Read the secret key from file or command line
*/
if( ( fkey = fopen( argv[6], "rb" ) ) != NULL )
{
@@ -219,8 +219,6 @@
}
}
- memset( argv[6], 0, strlen( argv[6] ) );
-
#if defined(_WIN32_WCE)
filesize = fseek( fin, 0L, SEEK_END );
#else
@@ -298,8 +296,6 @@
}
- memset( key, 0, sizeof( key ) );
-
if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->key_bitlen,
MBEDTLS_ENCRYPT ) != 0 )
{
@@ -439,8 +435,6 @@
mbedtls_md_finish( &md_ctx, digest );
}
- memset( key, 0, sizeof( key ) );
-
if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->key_bitlen,
MBEDTLS_DECRYPT ) != 0 )
{
@@ -535,7 +529,16 @@
if( fout )
fclose( fout );
+ /* Zeroize all command line arguments to also cover
+ the case when the user has missed or reordered some,
+ in which case the key might not be in argv[6]. */
+ for( i = 0; i < argc; i++ )
+ memset( argv[i], 0, strlen( argv[i] ) );
+
+ memset( IV, 0, sizeof( IV ) );
+ memset( key, 0, sizeof( key ) );
memset( buffer, 0, sizeof( buffer ) );
+ memset( output, 0, sizeof( output ) );
memset( digest, 0, sizeof( digest ) );
mbedtls_cipher_free( &cipher_ctx );
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index 069d312..c3ce56a 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -37,6 +37,7 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ecdsa.h"
+#include "mbedtls/sha256.h"
#include <string.h>
#endif
@@ -101,8 +102,10 @@
mbedtls_ecdsa_context ctx_sign, ctx_verify;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
- unsigned char hash[] = "This should be the hash of a message.";
- unsigned char sig[512];
+ mbedtls_sha256_context sha256_ctx;
+ unsigned char message[100];
+ unsigned char hash[32];
+ unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
size_t sig_len;
const char *pers = "ecdsa";
((void) argv);
@@ -110,8 +113,10 @@
mbedtls_ecdsa_init( &ctx_sign );
mbedtls_ecdsa_init( &ctx_verify );
mbedtls_ctr_drbg_init( &ctr_drbg );
+ mbedtls_sha256_init( &sha256_ctx );
- memset(sig, 0, sizeof( sig ) );
+ memset( sig, 0, sizeof( sig ) );
+ memset( message, 0x25, sizeof( message ) );
ret = 1;
if( argc != 1 )
@@ -155,9 +160,23 @@
dump_pubkey( " + Public key: ", &ctx_sign );
/*
- * Sign some message hash
+ * Compute message hash
*/
- mbedtls_printf( " . Signing message..." );
+ mbedtls_printf( " . Computing message hash..." );
+ fflush( stdout );
+
+ mbedtls_sha256_starts( &sha256_ctx, 0 );
+ mbedtls_sha256_update( &sha256_ctx, message, sizeof( message ) );
+ mbedtls_sha256_finish( &sha256_ctx, hash );
+
+ mbedtls_printf( " ok\n" );
+
+ dump_buf( " + Hash: ", hash, sizeof( hash ) );
+
+ /*
+ * Sign message hash
+ */
+ mbedtls_printf( " . Signing message hash..." );
fflush( stdout );
if( ( ret = mbedtls_ecdsa_write_signature( &ctx_sign, MBEDTLS_MD_SHA256,
@@ -170,7 +189,6 @@
}
mbedtls_printf( " ok (signature length = %u)\n", (unsigned int) sig_len );
- dump_buf( " + Hash: ", hash, sizeof hash );
dump_buf( " + Signature: ", sig, sig_len );
/*
@@ -224,6 +242,7 @@
mbedtls_ecdsa_free( &ctx_sign );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
+ mbedtls_sha256_free( &sha256_ctx );
return( ret );
}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c090db9..390ebae 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -60,6 +60,9 @@
#include <stdlib.h>
#include <string.h>
+#define MAX_REQUEST_SIZE 20000
+#define MAX_REQUEST_SIZE_STR "20000"
+
#define DFL_SERVER_NAME "localhost"
#define DFL_SERVER_ADDR NULL
#define DFL_SERVER_PORT "4433"
@@ -83,6 +86,7 @@
#define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 -1
+#define DFL_SHA1 -1
#define DFL_AUTH_MODE -1
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@@ -93,6 +97,7 @@
#define DFL_RECONNECT_HARD 0
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
#define DFL_ALPN_STRING NULL
+#define DFL_CURVES NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
#define DFL_HS_TO_MIN 0
#define DFL_HS_TO_MAX 0
@@ -173,6 +178,17 @@
#define USAGE_ALPN ""
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_ECP_C)
+#define USAGE_CURVES \
+ " curves=a,b,c,d default: \"default\" (library default)\n" \
+ " example: \"secp521r1,brainpoolP512r1\"\n" \
+ " - use \"none\" for empty list\n" \
+ " - see mbedtls_ecp_curve_list()\n" \
+ " for acceptable curve names\n"
+#else
+#define USAGE_CURVES ""
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \
@@ -218,8 +234,8 @@
" server_addr=%%s default: given by name\n" \
" server_port=%%d default: 4433\n" \
" request_page=%%s default: \".\"\n" \
- " request_size=%%d default: about 34 (basic request)\n" \
- " (minimum: 0, max: 16384)\n" \
+ " request_size=%%d default: about 34 (basic request)\n" \
+ " (minimum: 0, max: " MAX_REQUEST_SIZE_STR " )\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" nbio=%%d default: 0 (blocking I/O)\n" \
" options: 1 (non-blocking), 2 (added delays)\n" \
@@ -247,10 +263,12 @@
USAGE_FALLBACK \
USAGE_EMS \
USAGE_ETM \
+ USAGE_CURVES \
USAGE_RECSPLIT \
USAGE_DHMLEN \
"\n" \
" arc4=%%d default: (library default: 0)\n" \
+ " allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
" max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
@@ -259,6 +277,9 @@
" force_ciphersuite=<name> default: all enabled\n"\
" acceptable ciphersuite names:\n"
+#define ALPN_LIST_SIZE 10
+#define CURVE_LIST_SIZE 20
+
/*
* global options
*/
@@ -288,6 +309,7 @@
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
int arc4; /* flag for arc4 suites support */
+ int allow_sha1; /* flag for SHA-1 support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* negotiate truncated hmac or not */
@@ -297,6 +319,7 @@
int reco_delay; /* delay in seconds before resuming session */
int reconnect_hard; /* unexpectedly reconnect from the same port */
int tickets; /* enable / disable session tickets */
+ const char *curves; /* list of supported elliptic curves */
const char *alpn_string; /* ALPN supported protocols */
int transport; /* TLS or DTLS? */
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
@@ -382,22 +405,48 @@
return( 0 );
}
+
+static int ssl_sig_hashes_for_test[] = {
+#if defined(MBEDTLS_SHA512_C)
+ MBEDTLS_MD_SHA512,
+ MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ /* Allow SHA-1 as we use it extensively in tests. */
+ MBEDTLS_MD_SHA1,
+#endif
+ MBEDTLS_MD_NONE
+};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
int main( int argc, char *argv[] )
{
int ret = 0, len, tail_len, i, written, frags, retry_left;
mbedtls_net_context server_fd;
- unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
+
+ unsigned char buf[MAX_REQUEST_SIZE + 1];
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = 0;
#endif
#if defined(MBEDTLS_SSL_ALPN)
- const char *alpn_list[10];
+ const char *alpn_list[ALPN_LIST_SIZE];
#endif
+#if defined(MBEDTLS_ECP_C)
+ mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE];
+ const mbedtls_ecp_curve_info *curve_cur;
+#endif
+
const char *pers = "ssl_client2";
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
+#endif
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
@@ -477,6 +526,7 @@
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.arc4 = DFL_ARC4;
+ opt.allow_sha1 = DFL_SHA1;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
@@ -487,6 +537,7 @@
opt.reconnect_hard = DFL_RECONNECT_HARD;
opt.tickets = DFL_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
+ opt.curves = DFL_CURVES;
opt.transport = DFL_TRANSPORT;
opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX;
@@ -542,7 +593,8 @@
else if( strcmp( p, "request_size" ) == 0 )
{
opt.request_size = atoi( q );
- if( opt.request_size < 0 || opt.request_size > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( opt.request_size < 0 ||
+ opt.request_size > MAX_REQUEST_SIZE )
goto usage;
}
else if( strcmp( p, "ca_file" ) == 0 )
@@ -641,6 +693,8 @@
default: goto usage;
}
}
+ else if( strcmp( p, "curves" ) == 0 )
+ opt.curves = q;
else if( strcmp( p, "etm" ) == 0 )
{
switch( atoi( q ) )
@@ -689,6 +743,15 @@
default: goto usage;
}
}
+ else if( strcmp( p, "allow_sha1" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.allow_sha1 = 0; break;
+ case 1: opt.allow_sha1 = 1; break;
+ default: goto usage;
+ }
+ }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -889,6 +952,62 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+#if defined(MBEDTLS_ECP_C)
+ if( opt.curves != NULL )
+ {
+ p = (char *) opt.curves;
+ i = 0;
+
+ if( strcmp( p, "none" ) == 0 )
+ {
+ curve_list[0] = MBEDTLS_ECP_DP_NONE;
+ }
+ else if( strcmp( p, "default" ) != 0 )
+ {
+ /* Leave room for a final NULL in curve list */
+ while( i < CURVE_LIST_SIZE - 1 && *p != '\0' )
+ {
+ q = p;
+
+ /* Terminate the current string */
+ while( *p != ',' && *p != '\0' )
+ p++;
+ if( *p == ',' )
+ *p++ = '\0';
+
+ if( ( curve_cur = mbedtls_ecp_curve_info_from_name( q ) ) != NULL )
+ {
+ curve_list[i++] = curve_cur->grp_id;
+ }
+ else
+ {
+ mbedtls_printf( "unknown curve %s\n", q );
+ mbedtls_printf( "supported curves: " );
+ for( curve_cur = mbedtls_ecp_curve_list();
+ curve_cur->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_cur++ )
+ {
+ mbedtls_printf( "%s ", curve_cur->name );
+ }
+ mbedtls_printf( "\n" );
+ goto exit;
+ }
+ }
+
+ mbedtls_printf("Number of curves: %d\n", i );
+
+ if( i == CURVE_LIST_SIZE - 1 && *p != '\0' )
+ {
+ mbedtls_printf( "curves list too long, maximum %d",
+ CURVE_LIST_SIZE - 1 );
+ goto exit;
+ }
+
+ curve_list[i] = MBEDTLS_ECP_DP_NONE;
+ }
+ }
+#endif /* MBEDTLS_ECP_C */
+
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
@@ -896,7 +1015,7 @@
i = 0;
/* Leave room for a final NULL in alpn_list */
- while( i < (int) sizeof alpn_list - 1 && *p != '\0' )
+ while( i < ALPN_LIST_SIZE - 1 && *p != '\0' )
{
alpn_list[i++] = p;
@@ -1073,9 +1192,18 @@
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ /* The default algorithms profile disables SHA-1, but our tests still
+ rely on it heavily. */
+ if( opt.allow_sha1 > 0 )
+ {
+ crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
+ mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
+ mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
+ }
+
if( opt.debug_level > 0 )
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
-#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@@ -1169,6 +1297,14 @@
}
#endif
+#if defined(MBEDTLS_ECP_C)
+ if( opt.curves != NULL &&
+ strcmp( opt.curves, "default" ) != 0 )
+ {
+ mbedtls_ssl_conf_curves( &conf, curve_list );
+ }
+#endif
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
(const unsigned char *) opt.psk_identity,
@@ -1335,8 +1471,8 @@
mbedtls_printf( " > Write to server:" );
fflush( stdout );
- len = mbedtls_snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST,
- opt.request_page );
+ len = mbedtls_snprintf( (char *) buf, sizeof( buf ) - 1, GET_REQUEST,
+ opt.request_page );
tail_len = (int) strlen( GET_REQUEST_END );
/* Add padding to GET request to reach opt.request_size in length */
@@ -1347,7 +1483,7 @@
len += opt.request_size - len - tail_len;
}
- strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 );
+ strncpy( (char *) buf + len, GET_REQUEST_END, sizeof( buf ) - len - 1 );
len += tail_len;
/* Truncate if request size is smaller than the "natural" size */
@@ -1391,6 +1527,12 @@
frags = 1;
written = ret;
+
+ if( written < len )
+ {
+ mbedtls_printf( " warning\n ! request didn't fit into single datagram and "
+ "was truncated to size %u", (unsigned) written );
+ }
}
buf[written] = '\0';
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 20fec53..0271a8f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -119,6 +119,7 @@
#define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 -1
+#define DFL_SHA1 -1
#define DFL_AUTH_MODE -1
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@@ -128,6 +129,7 @@
#define DFL_CACHE_TIMEOUT -1
#define DFL_SNI NULL
#define DFL_ALPN_STRING NULL
+#define DFL_CURVES NULL
#define DFL_DHM_FILE NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
#define DFL_COOKIES 1
@@ -298,10 +300,21 @@
#define USAGE_RENEGO ""
#endif
+#if defined(MBEDTLS_ECP_C)
+#define USAGE_CURVES \
+ " curves=a,b,c,d default: \"default\" (library default)\n" \
+ " example: \"secp521r1,brainpoolP512r1\"\n" \
+ " - use \"none\" for empty list\n" \
+ " - see mbedtls_ecp_curve_list()\n" \
+ " for acceptable curve names\n"
+#else
+#define USAGE_CURVES ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
- " server_addr=%%d default: (all interfaces)\n" \
+ " server_addr=%%s default: (all interfaces)\n" \
" server_port=%%d default: 4433\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" nbio=%%d default: 0 (blocking I/O)\n" \
@@ -331,8 +344,10 @@
USAGE_ALPN \
USAGE_EMS \
USAGE_ETM \
+ USAGE_CURVES \
"\n" \
" arc4=%%d default: (library default: 0)\n" \
+ " allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
" max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
@@ -345,6 +360,9 @@
" acceptable ciphersuite names:\n"
+#define ALPN_LIST_SIZE 10
+#define CURVE_LIST_SIZE 20
+
#define PUT_UINT64_BE(out_be,in_le,i) \
{ \
(out_be)[(i) + 0] = (unsigned char)( ( (in_le) >> 56 ) & 0xFF ); \
@@ -387,6 +405,7 @@
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
int arc4; /* flag for arc4 suites support */
+ int allow_sha1; /* flag for SHA-1 support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* accept truncated hmac? */
@@ -395,6 +414,7 @@
int cache_max; /* max number of session cache entries */
int cache_timeout; /* expiration delay of session cache entries */
char *sni; /* string describing sni information */
+ const char *curves; /* list of supported elliptic curves */
const char *alpn_string; /* ALPN supported protocols */
const char *dhm_file; /* the file with the DH parameters */
int extended_ms; /* allow negotiation of extended MS? */
@@ -782,6 +802,24 @@
}
#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static int ssl_sig_hashes_for_test[] = {
+#if defined(MBEDTLS_SHA512_C)
+ MBEDTLS_MD_SHA512,
+ MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ /* Allow SHA-1 as we use it extensively in tests. */
+ MBEDTLS_MD_SHA1,
+#endif
+ MBEDTLS_MD_NONE
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
@@ -799,6 +837,9 @@
mbedtls_ssl_cookie_ctx cookie_ctx;
#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
+#endif
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
@@ -830,8 +871,12 @@
#if defined(SNI_OPTION)
sni_entry *sni_info = NULL;
#endif
+#if defined(MBEDTLS_ECP_C)
+ mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE];
+ const mbedtls_ecp_curve_info * curve_cur;
+#endif
#if defined(MBEDTLS_SSL_ALPN)
- const char *alpn_list[10];
+ const char *alpn_list[ALPN_LIST_SIZE];
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
unsigned char alloc_buf[100000];
@@ -929,6 +974,7 @@
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.arc4 = DFL_ARC4;
+ opt.allow_sha1 = DFL_SHA1;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
@@ -938,6 +984,7 @@
opt.cache_timeout = DFL_CACHE_TIMEOUT;
opt.sni = DFL_SNI;
opt.alpn_string = DFL_ALPN_STRING;
+ opt.curves = DFL_CURVES;
opt.dhm_file = DFL_DHM_FILE;
opt.transport = DFL_TRANSPORT;
opt.cookies = DFL_COOKIES;
@@ -1014,6 +1061,8 @@
}
opt.force_ciphersuite[1] = 0;
}
+ else if( strcmp( p, "curves" ) == 0 )
+ opt.curves = q;
else if( strcmp( p, "version_suites" ) == 0 )
opt.version_suites = q;
else if( strcmp( p, "renegotiation" ) == 0 )
@@ -1097,6 +1146,15 @@
default: goto usage;
}
}
+ else if( strcmp( p, "allow_sha1" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.allow_sha1 = 0; break;
+ case 1: opt.allow_sha1 = 1; break;
+ default: goto usage;
+ }
+ }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1358,6 +1416,62 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+#if defined(MBEDTLS_ECP_C)
+ if( opt.curves != NULL )
+ {
+ p = (char *) opt.curves;
+ i = 0;
+
+ if( strcmp( p, "none" ) == 0 )
+ {
+ curve_list[0] = MBEDTLS_ECP_DP_NONE;
+ }
+ else if( strcmp( p, "default" ) != 0 )
+ {
+ /* Leave room for a final NULL in curve list */
+ while( i < CURVE_LIST_SIZE - 1 && *p != '\0' )
+ {
+ q = p;
+
+ /* Terminate the current string */
+ while( *p != ',' && *p != '\0' )
+ p++;
+ if( *p == ',' )
+ *p++ = '\0';
+
+ if( ( curve_cur = mbedtls_ecp_curve_info_from_name( q ) ) != NULL )
+ {
+ curve_list[i++] = curve_cur->grp_id;
+ }
+ else
+ {
+ mbedtls_printf( "unknown curve %s\n", q );
+ mbedtls_printf( "supported curves: " );
+ for( curve_cur = mbedtls_ecp_curve_list();
+ curve_cur->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_cur++ )
+ {
+ mbedtls_printf( "%s ", curve_cur->name );
+ }
+ mbedtls_printf( "\n" );
+ goto exit;
+ }
+ }
+
+ mbedtls_printf("Number of curves: %d\n", i );
+
+ if( i == CURVE_LIST_SIZE - 1 && *p != '\0' )
+ {
+ mbedtls_printf( "curves list too long, maximum %d",
+ CURVE_LIST_SIZE - 1 );
+ goto exit;
+ }
+
+ curve_list[i] = MBEDTLS_ECP_DP_NONE;
+ }
+ }
+#endif /* MBEDTLS_ECP_C */
+
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
@@ -1365,7 +1479,7 @@
i = 0;
/* Leave room for a final NULL in alpn_list */
- while( i < (int) sizeof alpn_list - 1 && *p != '\0' )
+ while( i < ALPN_LIST_SIZE - 1 && *p != '\0' )
{
alpn_list[i++] = p;
@@ -1615,6 +1729,18 @@
goto exit;
}
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ /* The default algorithms profile disables SHA-1, but our tests still
+ rely on it heavily. Hence we allow it here. A real-world server
+ should use the default profile unless there is a good reason not to. */
+ if( opt.allow_sha1 > 0 )
+ {
+ crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
+ mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
+ mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
+ }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@@ -1794,6 +1920,14 @@
mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info );
#endif
+#if defined(MBEDTLS_ECP_C)
+ if( opt.curves != NULL &&
+ strcmp( opt.curves, "default" ) != 0 )
+ {
+ mbedtls_ssl_conf_curves( &conf, curve_list );
+ }
+#endif
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )
{
@@ -1991,7 +2125,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
- * 5. Verify the server certificate
+ * 5. Verify the client certificate
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 66e5f1d..9cc582d 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -51,6 +51,7 @@
#include "mbedtls/x509_csr.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/md.h"
#include "mbedtls/error.h"
#include <stdio.h>
@@ -59,9 +60,9 @@
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#define USAGE_CSR \
- " request_file=%%s default: (empty)\n" \
- " If request_file is specified, subject_key,\n" \
- " subject_pwd and subject_name are ignored!\n"
+ " request_file=%%s default: (empty)\n" \
+ " If request_file is specified, subject_key,\n" \
+ " subject_pwd and subject_name are ignored!\n"
#else
#define USAGE_CSR ""
#endif /* MBEDTLS_X509_CSR_PARSE_C */
@@ -83,50 +84,70 @@
#define DFL_MAX_PATHLEN -1
#define DFL_KEY_USAGE 0
#define DFL_NS_CERT_TYPE 0
+#define DFL_VERSION 3
+#define DFL_AUTH_IDENT 1
+#define DFL_SUBJ_IDENT 1
+#define DFL_CONSTRAINTS 1
+#define DFL_DIGEST MBEDTLS_MD_SHA256
#define USAGE \
"\n usage: cert_write param=<>...\n" \
"\n acceptable parameters:\n" \
USAGE_CSR \
- " subject_key=%%s default: subject.key\n" \
- " subject_pwd=%%s default: (empty)\n" \
- " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
+ " subject_key=%%s default: subject.key\n" \
+ " subject_pwd=%%s default: (empty)\n" \
+ " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
"\n" \
- " issuer_crt=%%s default: (empty)\n" \
- " If issuer_crt is specified, issuer_name is\n" \
- " ignored!\n" \
- " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
+ " issuer_crt=%%s default: (empty)\n" \
+ " If issuer_crt is specified, issuer_name is\n" \
+ " ignored!\n" \
+ " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
"\n" \
- " selfsign=%%d default: 0 (false)\n" \
- " If selfsign is enabled, issuer_name and\n" \
- " issuer_key are required (issuer_crt and\n" \
- " subject_* are ignored\n" \
- " issuer_key=%%s default: ca.key\n" \
- " issuer_pwd=%%s default: (empty)\n" \
- " output_file=%%s default: cert.crt\n" \
- " serial=%%s default: 1\n" \
- " not_before=%%s default: 20010101000000\n"\
- " not_after=%%s default: 20301231235959\n"\
- " is_ca=%%d default: 0 (disabled)\n" \
- " max_pathlen=%%d default: -1 (none)\n" \
- " key_usage=%%s default: (empty)\n" \
- " Comma-separated-list of values:\n" \
- " digital_signature\n" \
- " non_repudiation\n" \
- " key_encipherment\n" \
- " data_encipherment\n" \
- " key_agreement\n" \
- " key_cert_sign\n" \
- " crl_sign\n" \
- " ns_cert_type=%%s default: (empty)\n" \
- " Comma-separated-list of values:\n" \
- " ssl_client\n" \
- " ssl_server\n" \
- " email\n" \
- " object_signing\n" \
- " ssl_ca\n" \
- " email_ca\n" \
- " object_signing_ca\n" \
+ " selfsign=%%d default: 0 (false)\n" \
+ " If selfsign is enabled, issuer_name and\n" \
+ " issuer_key are required (issuer_crt and\n" \
+ " subject_* are ignored\n" \
+ " issuer_key=%%s default: ca.key\n" \
+ " issuer_pwd=%%s default: (empty)\n" \
+ " output_file=%%s default: cert.crt\n" \
+ " serial=%%s default: 1\n" \
+ " not_before=%%s default: 20010101000000\n"\
+ " not_after=%%s default: 20301231235959\n"\
+ " is_ca=%%d default: 0 (disabled)\n" \
+ " max_pathlen=%%d default: -1 (none)\n" \
+ " md=%%s default: SHA256\n" \
+ " Supported values:\n" \
+ " MD5, SHA1, SHA256, SHA512\n"\
+ " version=%%d default: 3\n" \
+ " Possible values: 1, 2, 3\n"\
+ " subject_identifier=%%s default: 1\n" \
+ " Possible values: 0, 1\n" \
+ " (Considered for v3 only)\n"\
+ " authority_identifier=%%s default: 1\n" \
+ " Possible values: 0, 1\n" \
+ " (Considered for v3 only)\n"\
+ " basic_constraints=%%d default: 1\n" \
+ " Possible values: 0, 1\n" \
+ " (Considered for v3 only)\n"\
+ " key_usage=%%s default: (empty)\n" \
+ " Comma-separated-list of values:\n" \
+ " digital_signature\n" \
+ " non_repudiation\n" \
+ " key_encipherment\n" \
+ " data_encipherment\n" \
+ " key_agreement\n" \
+ " key_cert_sign\n" \
+ " crl_sign\n" \
+ " (Considered for v3 only)\n"\
+ " ns_cert_type=%%s default: (empty)\n" \
+ " Comma-separated-list of values:\n" \
+ " ssl_client\n" \
+ " ssl_server\n" \
+ " email\n" \
+ " object_signing\n" \
+ " ssl_ca\n" \
+ " email_ca\n" \
+ " object_signing_ca\n" \
"\n"
/*
@@ -149,6 +170,11 @@
int selfsign; /* selfsign the certificate */
int is_ca; /* is a CA certificate */
int max_pathlen; /* maximum CA path length */
+ int authority_identifier; /* add authority identifier to CRT */
+ int subject_identifier; /* add subject identifier to CRT */
+ int basic_constraints; /* add basic constraints ext to CRT */
+ int version; /* CRT version */
+ mbedtls_md_type_t md; /* Hash used for signing */
unsigned char key_usage; /* key usage flags */
unsigned char ns_cert_type; /* NS cert type */
} opt;
@@ -163,7 +189,8 @@
size_t len = 0;
memset( output_buf, 0, 4096 );
- if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
+ if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
+ f_rng, p_rng ) ) < 0 )
return( ret );
len = strlen( (char *) output_buf );
@@ -207,7 +234,6 @@
* Set to sane values
*/
mbedtls_x509write_crt_init( &crt );
- mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 );
mbedtls_pk_init( &loaded_issuer_key );
mbedtls_pk_init( &loaded_subject_key );
mbedtls_mpi_init( &serial );
@@ -243,6 +269,11 @@
opt.max_pathlen = DFL_MAX_PATHLEN;
opt.key_usage = DFL_KEY_USAGE;
opt.ns_cert_type = DFL_NS_CERT_TYPE;
+ opt.version = DFL_VERSION - 1;
+ opt.md = DFL_DIGEST;
+ opt.subject_identifier = DFL_SUBJ_IDENT;
+ opt.authority_identifier = DFL_AUTH_IDENT;
+ opt.basic_constraints = DFL_CONSTRAINTS;
for( i = 1; i < argc; i++ )
{
@@ -286,23 +317,88 @@
{
opt.serial = q;
}
+ else if( strcmp( p, "authority_identifier" ) == 0 )
+ {
+ opt.authority_identifier = atoi( q );
+ if( opt.authority_identifier != 0 &&
+ opt.authority_identifier != 1 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
+ goto usage;
+ }
+ }
+ else if( strcmp( p, "subject_identifier" ) == 0 )
+ {
+ opt.subject_identifier = atoi( q );
+ if( opt.subject_identifier != 0 &&
+ opt.subject_identifier != 1 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
+ goto usage;
+ }
+ }
+ else if( strcmp( p, "basic_constraints" ) == 0 )
+ {
+ opt.basic_constraints = atoi( q );
+ if( opt.basic_constraints != 0 &&
+ opt.basic_constraints != 1 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
+ goto usage;
+ }
+ }
+ else if( strcmp( p, "md" ) == 0 )
+ {
+ if( strcmp( q, "SHA1" ) == 0 )
+ opt.md = MBEDTLS_MD_SHA1;
+ else if( strcmp( q, "SHA256" ) == 0 )
+ opt.md = MBEDTLS_MD_SHA256;
+ else if( strcmp( q, "SHA512" ) == 0 )
+ opt.md = MBEDTLS_MD_SHA512;
+ else if( strcmp( q, "MD5" ) == 0 )
+ opt.md = MBEDTLS_MD_MD5;
+ else
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
+ goto usage;
+ }
+ }
+ else if( strcmp( p, "version" ) == 0 )
+ {
+ opt.version = atoi( q );
+ if( opt.version < 1 || opt.version > 3 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
+ goto usage;
+ }
+ opt.version--;
+ }
else if( strcmp( p, "selfsign" ) == 0 )
{
opt.selfsign = atoi( q );
if( opt.selfsign < 0 || opt.selfsign > 1 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
+ }
}
else if( strcmp( p, "is_ca" ) == 0 )
{
opt.is_ca = atoi( q );
if( opt.is_ca < 0 || opt.is_ca > 1 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
+ }
}
else if( strcmp( p, "max_pathlen" ) == 0 )
{
opt.max_pathlen = atoi( q );
if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
+ }
}
else if( strcmp( p, "key_usage" ) == 0 )
{
@@ -326,7 +422,10 @@
else if( strcmp( q, "crl_sign" ) == 0 )
opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
else
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
+ }
q = r;
}
@@ -353,7 +452,10 @@
else if( strcmp( q, "object_signing_ca" ) == 0 )
opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
else
+ {
+ mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
+ }
q = r;
}
@@ -376,7 +478,8 @@
strlen( pers ) ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
+ ret, buf );
goto exit;
}
@@ -390,7 +493,8 @@
if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -409,7 +513,8 @@
if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -418,7 +523,8 @@
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -441,7 +547,8 @@
if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -450,7 +557,8 @@
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -474,7 +582,8 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -489,7 +598,8 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
+ "returned -x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -503,7 +613,8 @@
mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
{
- mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" );
+ mbedtls_printf( " failed\n ! issuer_key does not match "
+ "issuer certificate\n\n" );
ret = -1;
goto exit;
}
@@ -526,25 +637,31 @@
if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
mbedtls_printf( " . Setting certificate values ..." );
fflush( stdout );
+ mbedtls_x509write_crt_set_version( &crt, opt.version );
+ mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
+
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -552,55 +669,74 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
- mbedtls_printf( " . Adding the Basic Constraints extension ..." );
- fflush( stdout );
-
- ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
- opt.max_pathlen );
- if( ret != 0 )
+ if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
+ opt.basic_constraints != 0 )
{
- mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
- goto exit;
- }
+ mbedtls_printf( " . Adding the Basic Constraints extension ..." );
+ fflush( stdout );
- mbedtls_printf( " ok\n" );
+ ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
+ opt.max_pathlen );
+ if( ret != 0 )
+ {
+ mbedtls_strerror( ret, buf, 1024 );
+ mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
+ "returned -0x%04x - %s\n\n", -ret, buf );
+ goto exit;
+ }
+
+ mbedtls_printf( " ok\n" );
+ }
#if defined(MBEDTLS_SHA1_C)
- mbedtls_printf( " . Adding the Subject Key Identifier ..." );
- fflush( stdout );
-
- ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
- if( ret != 0 )
+ if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
+ opt.subject_identifier != 0 )
{
- mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
- goto exit;
+ mbedtls_printf( " . Adding the Subject Key Identifier ..." );
+ fflush( stdout );
+
+ ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
+ if( ret != 0 )
+ {
+ mbedtls_strerror( ret, buf, 1024 );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
+ "_key_identifier returned -0x%04x - %s\n\n",
+ -ret, buf );
+ goto exit;
+ }
+
+ mbedtls_printf( " ok\n" );
}
- mbedtls_printf( " ok\n" );
-
- mbedtls_printf( " . Adding the Authority Key Identifier ..." );
- fflush( stdout );
-
- ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
- if( ret != 0 )
+ if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
+ opt.authority_identifier != 0 )
{
- mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
- goto exit;
- }
+ mbedtls_printf( " . Adding the Authority Key Identifier ..." );
+ fflush( stdout );
- mbedtls_printf( " ok\n" );
+ ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
+ if( ret != 0 )
+ {
+ mbedtls_strerror( ret, buf, 1024 );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
+ "key_identifier returned -0x%04x - %s\n\n",
+ -ret, buf );
+ goto exit;
+ }
+
+ mbedtls_printf( " ok\n" );
+ }
#endif /* MBEDTLS_SHA1_C */
- if( opt.key_usage )
+ if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
+ opt.key_usage != 0 )
{
mbedtls_printf( " . Adding the Key Usage extension ..." );
fflush( stdout );
@@ -609,14 +745,16 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
}
- if( opt.ns_cert_type )
+ if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
+ opt.ns_cert_type != 0 )
{
mbedtls_printf( " . Adding the NS Cert Type extension ..." );
fflush( stdout );
@@ -625,7 +763,8 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
+ "returned -0x%04x - %s\n\n", -ret, buf );
goto exit;
}
@@ -642,7 +781,8 @@
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
- mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
+ mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
+ -ret, buf );
goto exit;
}
diff --git a/scripts/find-mem-leak.cocci b/scripts/find-mem-leak.cocci
index 5cfe452..8179e2b 100644
--- a/scripts/find-mem-leak.cocci
+++ b/scripts/find-mem-leak.cocci
@@ -2,8 +2,8 @@
expression x, y;
statement S;
@@
- x = mbedtls_malloc(...);
- y = mbedtls_malloc(...);
+ x = mbedtls_calloc(...);
+ y = mbedtls_calloc(...);
...
* if (x == NULL || y == NULL)
S
@@ -13,8 +13,8 @@
statement S;
@@
if (
-* (x = mbedtls_malloc(...)) == NULL
+* (x = mbedtls_calloc(...)) == NULL
||
-* (y = mbedtls_malloc(...)) == NULL
+* (y = mbedtls_calloc(...)) == NULL
)
S
diff --git a/scripts/malloc-init.pl b/scripts/malloc-init.pl
deleted file mode 100755
index b7d6fcf..0000000
--- a/scripts/malloc-init.pl
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/perl
-
-# Check for malloc calls not shortly followed by initialisation.
-#
-# Known limitations:
-# - false negative: can't see allocations spanning more than one line
-# - possible false negatives, see patterns
-# - false positive: malloc-malloc-init-init is not accepted
-# - false positives: "non-standard" init functions (eg, the things being
-# initialised is not the first arg, or initialise struct members)
-#
-# Since false positives are expected, the results must be manually reviewed.
-#
-# Typical usage: scripts/malloc-init.pl library/*.c
-
-use warnings;
-use strict;
-
-use utf8;
-use open qw(:std utf8);
-
-my $limit = 7;
-my $inits = qr/memset|memcpy|_init|fread|base64_..code/;
-
-# cases to bear in mind:
-#
-# 0. foo = malloc(...); memset( foo, ... );
-# 1. *foo = malloc(...); memset( *foo, ... );
-# 2. type *foo = malloc(...); memset( foo, ...);
-# 3. foo = malloc(...); foo_init( (type *) foo );
-# 4. foo = malloc(...); for(i=0..n) { init( &foo[i] ); }
-#
-# The chosen patterns are a bit relaxed, but unlikely to cause false positives
-# in real code (initialising *foo or &foo instead of foo will likely be caught
-# by functional tests).
-#
-my $id = qr/([a-zA-Z-0-9_\->\.]*)/;
-my $prefix = qr/\s(?:\*?|\&?|\([a-z_]* \*\))\s*/;
-
-my $name;
-my $line;
-my @bad;
-
-die "Usage: $0 file.c [...]\n" unless @ARGV;
-
-while (my $file = shift @ARGV)
-{
- open my $fh, "<", $file or die "read $file failed: $!\n";
- while (<$fh>)
- {
- if( /mbedtls_malloc\(/ ) {
- if( /$id\s*=.*mbedtls_malloc\(/ ) {
- push @bad, "$file:$line:$name" if $name;
- $name = $1;
- $line = $.;
- } else {
- push @bad, "$file:$.:???" unless /return mbedtls_malloc/;
- }
- } elsif( $name && /(?:$inits)\($prefix\Q$name\E\b/ ) {
- undef $name;
- } elsif( $name && $. - $line > $limit ) {
- push @bad, "$file:$line:$name";
- undef $name;
- undef $line;
- }
- }
- close $fh or die;
-}
-
-print "$_\n" for @bad;
diff --git a/scripts/rm-calloc-cast.cocci b/scripts/rm-calloc-cast.cocci
new file mode 100644
index 0000000..89481c0
--- /dev/null
+++ b/scripts/rm-calloc-cast.cocci
@@ -0,0 +1,7 @@
+@rm_calloc_cast@
+expression x, n, m;
+type T;
+@@
+ x =
+- (T *)
+ mbedtls_calloc(n, m)
diff --git a/scripts/rm-malloc-cast.cocci b/scripts/rm-malloc-cast.cocci
deleted file mode 100644
index 9337dc5..0000000
--- a/scripts/rm-malloc-cast.cocci
+++ /dev/null
@@ -1,7 +0,0 @@
-@rm_malloc_cast@
-expression x, n;
-type T;
-@@
- x =
-- (T *)
- mbedtls_malloc(n)
diff --git a/tests/compat.sh b/tests/compat.sh
index a333a19..6d79520 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -815,6 +815,11 @@
else
P_CLIENT_ARGS="$P_CLIENT_ARGS crt_file=none key_file=none"
fi
+
+ # Allow SHA-1. It's disabled by default for security reasons but
+ # our tests still use certificates signed with it.
+ P_SERVER_ARGS="$P_SERVER_ARGS allow_sha1=1"
+ P_CLIENT_ARGS="$P_CLIENT_ARGS allow_sha1=1"
;;
"PSK")
@@ -827,6 +832,11 @@
P_CLIENT_ARGS="$P_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70"
+
+ # Allow SHA-1. It's disabled by default for security reasons but
+ # our tests still use certificates signed with it.
+ P_SERVER_ARGS="$P_SERVER_ARGS allow_sha1=1"
+ P_CLIENT_ARGS="$P_CLIENT_ARGS allow_sha1=1"
;;
esac
}
diff --git a/tests/data_files/.gitignore b/tests/data_files/.gitignore
new file mode 100644
index 0000000..d16c04c
--- /dev/null
+++ b/tests/data_files/.gitignore
@@ -0,0 +1,3 @@
+cli-rsa.csr
+server2-rsa.csr
+test-ca.csr
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
new file mode 100644
index 0000000..d4aed67
--- /dev/null
+++ b/tests/data_files/Makefile
@@ -0,0 +1,428 @@
+## This file contains a record of how some of the test data was
+## generated. The final build products are committed to the repository
+## as well to make sure that the test data is identical. You do not
+## need to use this makefile unless you're extending mbed TLS's tests.
+
+## Many data files were generated prior to the existence of this
+## makefile, so the method of their generation was not recorded.
+
+## Note that in addition to depending on the version of the data
+## generation tool, many of the build outputs are randomized, so
+## running this makefile twice would not produce the same results.
+
+## Tools
+OPENSSL ?= openssl
+MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
+
+## Build the generated test data. Note that since the final outputs
+## are committed to the repository, this target should do nothing on a
+## fresh checkout. Furthermore, since the generation is randomized,
+## re-running the same targets may result in differing files. The goal
+## of this makefile is primarily to serve as a record of how the
+## targets were generated in the first place.
+default: all_final
+
+all_intermediate := # temporary files
+all_final := # files used by tests
+
+
+
+################################################################
+#### Generate certificates from existing keys
+################################################################
+
+test_ca_crt = test-ca.crt
+test_ca_key_file_rsa = test-ca.key
+test_ca_pwd_rsa = PolarSSLTest
+test_ca_config_file = test-ca.opensslconf
+
+test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
+ $(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
+all_intermediate += test-ca.csr
+test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
+ $(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
+all_final += test-ca-sha1.crt
+test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
+ $(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
+all_final += test-ca-sha256.crt
+
+cli_crt_key_file_rsa = cli-rsa.key
+cli_crt_extensions_file = cli.opensslconf
+
+cli-rsa.csr: $(cli_crt_key_file_rsa)
+ $(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
+all_intermediate += cli-rsa.csr
+cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
+ $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
+all_final += cli-rsa-sha1.crt
+cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
+ $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
+all_final += cli-rsa-sha256.crt
+
+server2-rsa.csr: server2.key
+ $(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
+all_intermediate += server2-rsa.csr
+server2-sha256.crt: server2-rsa.csr
+ $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
+all_final += server2-sha256.crt
+
+
+
+################################################################
+#### Generate various RSA keys
+################################################################
+
+### Password used for PKCS1-encoded encrypted RSA keys
+keys_rsa_basic_pwd = testkey
+
+### Password used for PKCS8-encoded encrypted RSA keys
+keys_rsa_pkcs8_pwd = PolarSSLTest
+
+### Basic 1024-, 2048- and 4096-bit unencrypted RSA keys from which
+### all other encrypted RSA keys are derived.
+rsa_pkcs1_1024_clear.pem:
+ $(OPENSSL) genrsa -out $@ 1024
+all_final += rsa_pkcs1_1024_clear.pem
+rsa_pkcs1_2048_clear.pem:
+ $(OPENSSL) genrsa -out $@ 2048
+all_final += rsa_pkcs1_2048_clear.pem
+rsa_pkcs1_4096_clear.pem:
+ $(OPENSSL) genrsa -out $@ 4096
+all_final += rsa_pkcs1_4096_clear.pem
+
+###
+### PKCS1-encoded, encrypted RSA keys
+###
+
+### 1024-bit
+rsa_pkcs1_1024_des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_1024_des.pem
+rsa_pkcs1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_1024_3des.pem
+rsa_pkcs1_1024_aes128.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_1024_aes128.pem
+rsa_pkcs1_1024_aes192.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_1024_aes192.pem
+rsa_pkcs1_1024_aes256.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_1024_aes256.pem
+keys_rsa_enc_basic_1024: rsa_pkcs1_1024_des.pem rsa_pkcs1_1024_3des.pem rsa_pkcs1_1024_aes128.pem rsa_pkcs1_1024_aes192.pem rsa_pkcs1_1024_aes256.pem
+
+# 2048-bit
+rsa_pkcs1_2048_des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_2048_des.pem
+rsa_pkcs1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_2048_3des.pem
+rsa_pkcs1_2048_aes128.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_2048_aes128.pem
+rsa_pkcs1_2048_aes192.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_2048_aes192.pem
+rsa_pkcs1_2048_aes256.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_2048_aes256.pem
+keys_rsa_enc_basic_2048: rsa_pkcs1_2048_des.pem rsa_pkcs1_2048_3des.pem rsa_pkcs1_2048_aes128.pem rsa_pkcs1_2048_aes192.pem rsa_pkcs1_2048_aes256.pem
+
+# 4096-bit
+rsa_pkcs1_4096_des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_4096_des.pem
+rsa_pkcs1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_4096_3des.pem
+rsa_pkcs1_4096_aes128.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_4096_aes128.pem
+rsa_pkcs1_4096_aes192.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_4096_aes192.pem
+rsa_pkcs1_4096_aes256.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
+all_final += rsa_pkcs1_4096_aes256.pem
+keys_rsa_enc_basic_4096: rsa_pkcs1_4096_des.pem rsa_pkcs1_4096_3des.pem rsa_pkcs1_4096_aes128.pem rsa_pkcs1_4096_aes192.pem rsa_pkcs1_4096_aes256.pem
+
+###
+### PKCS8-v1 encoded, encrypted RSA keys
+###
+
+### 1024-bit
+rsa_pkcs8_pbe_sha1_1024_3des.der: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_1024_3des.der
+rsa_pkcs8_pbe_sha1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_1024_3des.pem
+keys_rsa_enc_pkcs8_v1_1024_3des: rsa_pkcs8_pbe_sha1_1024_3des.pem rsa_pkcs8_pbe_sha1_1024_3des.der
+
+rsa_pkcs8_pbe_sha1_1024_2des.der: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_1024_2des.der
+rsa_pkcs8_pbe_sha1_1024_2des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_1024_2des.pem
+keys_rsa_enc_pkcs8_v1_1024_2des: rsa_pkcs8_pbe_sha1_1024_2des.pem rsa_pkcs8_pbe_sha1_1024_2des.der
+
+rsa_pkcs8_pbe_sha1_1024_rc4_128.der: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_1024_rc4_128.der
+rsa_pkcs8_pbe_sha1_1024_rc4_128.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_1024_rc4_128.pem
+keys_rsa_enc_pkcs8_v1_1024_rc4_128: rsa_pkcs8_pbe_sha1_1024_rc4_128.pem rsa_pkcs8_pbe_sha1_1024_rc4_128.der
+
+keys_rsa_enc_pkcs8_v1_1024: keys_rsa_enc_pkcs8_v1_1024_3des keys_rsa_enc_pkcs8_v1_1024_2des keys_rsa_enc_pkcs8_v1_1024_rc4_128
+
+### 2048-bit
+rsa_pkcs8_pbe_sha1_2048_3des.der: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_2048_3des.der
+rsa_pkcs8_pbe_sha1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_2048_3des.pem
+keys_rsa_enc_pkcs8_v1_2048_3des: rsa_pkcs8_pbe_sha1_2048_3des.pem rsa_pkcs8_pbe_sha1_2048_3des.der
+
+rsa_pkcs8_pbe_sha1_2048_2des.der: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_2048_2des.der
+rsa_pkcs8_pbe_sha1_2048_2des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_2048_2des.pem
+keys_rsa_enc_pkcs8_v1_2048_2des: rsa_pkcs8_pbe_sha1_2048_2des.pem rsa_pkcs8_pbe_sha1_2048_2des.der
+
+rsa_pkcs8_pbe_sha1_2048_rc4_128.der: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_2048_rc4_128.der
+rsa_pkcs8_pbe_sha1_2048_rc4_128.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_2048_rc4_128.pem
+keys_rsa_enc_pkcs8_v1_2048_rc4_128: rsa_pkcs8_pbe_sha1_2048_rc4_128.pem rsa_pkcs8_pbe_sha1_2048_rc4_128.der
+
+keys_rsa_enc_pkcs8_v1_2048: keys_rsa_enc_pkcs8_v1_2048_3des keys_rsa_enc_pkcs8_v1_2048_2des keys_rsa_enc_pkcs8_v1_2048_rc4_128
+
+### 4096-bit
+rsa_pkcs8_pbe_sha1_4096_3des.der: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_4096_3des.der
+rsa_pkcs8_pbe_sha1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
+all_final += rsa_pkcs8_pbe_sha1_4096_3des.pem
+keys_rsa_enc_pkcs8_v1_4096_3des: rsa_pkcs8_pbe_sha1_4096_3des.pem rsa_pkcs8_pbe_sha1_4096_3des.der
+
+rsa_pkcs8_pbe_sha1_4096_2des.der: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_4096_2des.der
+rsa_pkcs8_pbe_sha1_4096_2des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
+all_final += rsa_pkcs8_pbe_sha1_4096_2des.pem
+keys_rsa_enc_pkcs8_v1_4096_2des: rsa_pkcs8_pbe_sha1_4096_2des.pem rsa_pkcs8_pbe_sha1_4096_2des.der
+
+rsa_pkcs8_pbe_sha1_4096_rc4_128.der: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_4096_rc4_128.der
+rsa_pkcs8_pbe_sha1_4096_rc4_128.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
+all_final += rsa_pkcs8_pbe_sha1_4096_rc4_128.pem
+keys_rsa_enc_pkcs8_v1_4096_rc4_128: rsa_pkcs8_pbe_sha1_4096_rc4_128.pem rsa_pkcs8_pbe_sha1_4096_rc4_128.der
+
+keys_rsa_enc_pkcs8_v1_4096: keys_rsa_enc_pkcs8_v1_4096_3des keys_rsa_enc_pkcs8_v1_4096_2des keys_rsa_enc_pkcs8_v1_4096_rc4_128
+
+###
+### PKCS8-v2 encoded, encrypted RSA keys
+###
+
+### 1024-bit
+rsa_pkcs8_pbes2_pbkdf2_1024_3des.der: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
+rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
+keys_rsa_enc_pkcs8_v2_1024_3des: rsa_pkcs8_pbes2_pbkdf2_1024_3des.der rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
+
+rsa_pkcs8_pbes2_pbkdf2_1024_des.der: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.der
+rsa_pkcs8_pbes2_pbkdf2_1024_des.pem: rsa_pkcs1_1024_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
+keys_rsa_enc_pkcs8_v2_1024_des: rsa_pkcs8_pbes2_pbkdf2_1024_des.der rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
+
+keys_rsa_enc_pkcs8_v2_1024: keys_rsa_enc_pkcs8_v2_1024_3des keys_rsa_enc_pkcs8_v2_1024_des
+
+### 2048-bit
+rsa_pkcs8_pbes2_pbkdf2_2048_3des.der: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
+rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
+keys_rsa_enc_pkcs8_v2_2048_3des: rsa_pkcs8_pbes2_pbkdf2_2048_3des.der rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
+
+rsa_pkcs8_pbes2_pbkdf2_2048_des.der: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.der
+rsa_pkcs8_pbes2_pbkdf2_2048_des.pem: rsa_pkcs1_2048_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
+keys_rsa_enc_pkcs8_v2_2048_des: rsa_pkcs8_pbes2_pbkdf2_2048_des.der rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
+
+keys_rsa_enc_pkcs8_v2_2048: keys_rsa_enc_pkcs8_v2_2048_3des keys_rsa_enc_pkcs8_v2_2048_des
+
+### 4096-bit
+rsa_pkcs8_pbes2_pbkdf2_4096_3des.der: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
+rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
+keys_rsa_enc_pkcs8_v2_4096_3des: rsa_pkcs8_pbes2_pbkdf2_4096_3des.der rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
+
+rsa_pkcs8_pbes2_pbkdf2_4096_des.der: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.der
+rsa_pkcs8_pbes2_pbkdf2_4096_des.pem: rsa_pkcs1_4096_clear.pem
+ $(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
+all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
+keys_rsa_enc_pkcs8_v2_4096_des: rsa_pkcs8_pbes2_pbkdf2_4096_des.der rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
+
+keys_rsa_enc_pkcs8_v2_4096: keys_rsa_enc_pkcs8_v2_4096_3des keys_rsa_enc_pkcs8_v2_4096_des
+
+###
+### Rules to generate all RSA keys from a particular class
+###
+
+### Generate basic unencrypted RSA keys
+keys_rsa_unenc: rsa_pkcs1_1024_clear.pem rsa_pkcs1_2048_clear.pem rsa_pkcs1_4096_clear.pem
+
+### Generate PKCS1-encoded encrypted RSA keys
+keys_rsa_enc_basic: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
+
+### Generate PKCS8-v1 encrypted RSA keys
+keys_rsa_enc_pkcs8_v1: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096
+
+### Generate PKCS8-v2 encrypted RSA keys
+keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096
+
+### Generate all RSA keys
+keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
+
+
+
+################################################################
+### Generate certificates for CRT write check tests
+################################################################
+
+### The test files use the Mbed TLS generated certificates server1*.crt,
+### but for comparison with OpenSSL also rules for OpenSSL-generated
+### certificates server1*.crt.openssl are offered.
+###
+### Known differences:
+### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension
+### as unused bits, while Mbed TLS doesn't.
+
+test_ca_server1_db = test-ca.server1.db
+test_ca_server1_serial = test-ca.server1.serial
+test_ca_server1_config_file = test-ca.server1.opensslconf
+
+server1.csr: server1.key server1_csr.opensslconf
+ $(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new
+all_final += server1.csr
+
+server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
+server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
+server1.der: server1.crt
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server1.crt server1.noauthid.crt server1.der
+
+server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
+server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
+server1.key_usage.der: server1.key_usage.crt
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
+
+server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
+server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
+server1.cert_type.der: server1.cert_type.crt
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
+
+server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
+server1.v1.der: server1.v1.crt
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server1.v1.crt server1.v1.der
+
+# OpenSSL-generated certificates for comparison
+# Also provide certificates in DER format to allow
+# direct binary comparison using e.g. dumpasn1
+server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
+ echo "01" > $(test_ca_server1_serial)
+ rm -f $(test_ca_server1_db)
+ touch $(test_ca_server1_db)
+ $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@
+server1.der.openssl: server1.crt.openssl
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+server1.key_usage.der.openssl: server1.key_usage.crt.openssl
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+server1.cert_type.der.openssl: server1.cert_type.crt.openssl
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+
+server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
+ echo "01" > $(test_ca_server1_serial)
+ rm -f $(test_ca_server1_db)
+ touch $(test_ca_server1_db)
+ $(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@
+server1.v1.der.openssl: server1.v1.crt.openssl
+ $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+
+server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
+
+
+
+################################################################
+#### Meta targets
+################################################################
+
+all_final: $(all_final)
+all: $(all_intermediate) $(all_final)
+
+.PHONY: default all_final all
+.PHONY: keys_rsa_all
+.PHONY: keys_rsa_unenc keys_rsa_enc_basic
+.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
+.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
+.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024
+.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048
+.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096
+.PHONY: server1_all
+
+# These files should not be committed to the repository.
+list_intermediate:
+ @printf '%s\n' $(all_intermediate) | sort
+# These files should be committed to the repository so that the test data is
+# available upon checkout without running a randomized process depending on
+# third-party tools.
+list_final:
+ @printf '%s\n' $(all_final) | sort
+.PHONY: list_intermediate list_final
+
+## Remove intermediate files
+clean:
+ rm -f $(all_intermediate)
+## Remove all build products, even the ones that are committed
+neat: clean
+ rm -f $(all_final)
+.PHONY: clean neat
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 680d612..60b0fd4 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -6,6 +6,8 @@
There are two main CAs for use as trusted roots:
- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
uses a RSA-2048 key
+ test-ca-sha1.crt and test-ca-sha256.crt use the same key, signed with
+ different hashes.
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
uses an EC key with NIST P-384 (aka secp384r1)
variants used to test the keyUsage extension
@@ -53,6 +55,8 @@
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
- cli2.crt: 2 E: basic
+- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
+ the RSA test CA.
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
*CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
@@ -91,3 +95,13 @@
Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
crl-rsa-pss* would revoke server6.crt if signed by CA 2
+
+Generation
+----------
+
+Newer test files have been generated through commands in the Makefile. The
+resulting files are committed to the repository so that the tests can
+run without having to re-do the generation and so that the output is the
+same for everyone (the generation process is randomized).
+
+The origin of older certificates has not been recorded.
diff --git a/tests/data_files/cli-rsa-sha1.crt b/tests/data_files/cli-rsa-sha1.crt
new file mode 100644
index 0000000..906f6df
--- /dev/null
+++ b/tests/data_files/cli-rsa-sha1.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTcwNTA1MTMwNzEwWhcNMjcwNTA2MTMwNzEwWjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
+gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
+BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
+EwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAE/yq2fOqjI0jm52TwdVsTUvZ+B2s16u
+C4Qj/c89iZ7VfplpOAEV9+G6gHm/gf2O7Jgj0yXfFugQ2d+lR70cH64JFn9N1Rg9
+gCo5EDBLourI8R0Kkg9zdlShBv7giwqg667Qjsu+oEWVerICOqNQGolotYSZvmtJ
+7RiD8I4MXB4Qt0sSjxE897pvc4ODem10zXzvedv/q11q1mUn2L1fFc1dGIguk1fn
+I/XP87FCapRobUTYrF6IvdqFaUMQ7lF3GiUIvjDPb4Wt1CyHhi/tu/SfV3fmX3rs
+19UeGnvC7AdQ+OwLt3nEIlSpqVKPXHKfRKZg1WzZNgCQtNB1SrZAzFc=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa-sha256.crt b/tests/data_files/cli-rsa-sha256.crt
new file mode 100644
index 0000000..a0fc11e
--- /dev/null
+++ b/tests/data_files/cli-rsa-sha256.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
+gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
+BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
+EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom
+LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W
+iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK
+D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE
+ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj
+c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa.key b/tests/data_files/cli-rsa.key
new file mode 100644
index 0000000..eb1d3bc
--- /dev/null
+++ b/tests/data_files/cli-rsa.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF
+B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1
+bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9
+Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH
+7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v
+dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst
+yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz
+4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt
+ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA
+zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d
+l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf
+DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT
+VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL
+Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7
+wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys
+c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi
+33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60
+ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0
+BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW
+KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+
+UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc
+7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq
+gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu
+bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv
+8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/data_files/cli.opensslconf b/tests/data_files/cli.opensslconf
new file mode 100644
index 0000000..ae9ab9d
--- /dev/null
+++ b/tests/data_files/cli.opensslconf
@@ -0,0 +1,4 @@
+[cli-rsa]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:false
diff --git a/tests/data_files/dir-maxpath/00.crt b/tests/data_files/dir-maxpath/00.crt
new file mode 100644
index 0000000..c806648
--- /dev/null
+++ b/tests/data_files/dir-maxpath/00.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/00.key b/tests/data_files/dir-maxpath/00.key
new file mode 100644
index 0000000..b4d3315
--- /dev/null
+++ b/tests/data_files/dir-maxpath/00.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIARPaEIfROHkE9Y0ZgHh7Mc3ZU6LR9lCOIw1ksYTHp5EoAoGCCqGSM49
+AwEHoUQDQgAEVbjX+oDAA+nL5PF1zs8qbNmyr0I+K6MpTi+kXV6RecbHYc/jbRCh
+vAFVVaGTNGYvB1ugfaPrl1wIqNDua/93Eg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/01.crt b/tests/data_files/dir-maxpath/01.crt
new file mode 100644
index 0000000..0e9107a
--- /dev/null
+++ b/tests/data_files/dir-maxpath/01.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/01.key b/tests/data_files/dir-maxpath/01.key
new file mode 100644
index 0000000..7dd0643
--- /dev/null
+++ b/tests/data_files/dir-maxpath/01.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINSnxPqUNMba8F2KWNxU88heSs7vgas5BOzjRwQsQe6IoAoGCCqGSM49
+AwEHoUQDQgAEM55/cxx8CxjvFUeFvVe7zJcQnaKI8xDol+WOibT7RTs/Ournh2Os
+6DdP5ieg56p0l4pSSFFHlunhn6ppGu58ZA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/02.crt b/tests/data_files/dir-maxpath/02.crt
new file mode 100644
index 0000000..387b064
--- /dev/null
+++ b/tests/data_files/dir-maxpath/02.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/02.key b/tests/data_files/dir-maxpath/02.key
new file mode 100644
index 0000000..b5ac513
--- /dev/null
+++ b/tests/data_files/dir-maxpath/02.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPW9zE8cjiZ8w17jTAebb4xAmEg6heEEnEaG4lGCd38joAoGCCqGSM49
+AwEHoUQDQgAEFh6b9YupX8LzTzj+ZGuktJ+eRL86GmCuqW01z+sjDlv+F2UjyseW
+aKuBTHtHCsxiCBS9a849VdnM2Afqry4cog==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/03.crt b/tests/data_files/dir-maxpath/03.crt
new file mode 100644
index 0000000..7d90a5e
--- /dev/null
+++ b/tests/data_files/dir-maxpath/03.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/03.key b/tests/data_files/dir-maxpath/03.key
new file mode 100644
index 0000000..2bfa483
--- /dev/null
+++ b/tests/data_files/dir-maxpath/03.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBx2xwapGbHTy79IbpJkc/w9LJXPKNG7gGRLPOGPQFI6oAoGCCqGSM49
+AwEHoUQDQgAEEQ1wzSItaXq3rnYasGti7JV4LMZwetx7ucuZYPtVj67iGD8w/x6N
+AD73lXcxS1Y4tffmxOPrRT2C9UqbDdVn1g==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/04.crt b/tests/data_files/dir-maxpath/04.crt
new file mode 100644
index 0000000..1ddcf69
--- /dev/null
+++ b/tests/data_files/dir-maxpath/04.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/04.key b/tests/data_files/dir-maxpath/04.key
new file mode 100644
index 0000000..e836bbf
--- /dev/null
+++ b/tests/data_files/dir-maxpath/04.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDQvTm0wfEAKoymv8ePBv7cRxrnM4g6LREnSll5ghQsXoAoGCCqGSM49
+AwEHoUQDQgAEFFw4HFFTU/YaL22RORy+q4zm+wuecBLlik4VfwnGeK1q18e1Vx2H
+Q/0d2gwOyUr2KZtrE6JOIrG5Q84WTPxgzQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/05.crt b/tests/data_files/dir-maxpath/05.crt
new file mode 100644
index 0000000..19de3a3
--- /dev/null
+++ b/tests/data_files/dir-maxpath/05.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/05.key b/tests/data_files/dir-maxpath/05.key
new file mode 100644
index 0000000..7f3095e
--- /dev/null
+++ b/tests/data_files/dir-maxpath/05.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIP3MTs0m9ssAAXQ94O6GYC3pckfpMUxQiPTG8hQYgA0WoAoGCCqGSM49
+AwEHoUQDQgAEBHU9DhX+RlHK4F9l5ZQsicz/eDWeOuBrIAeqbDS7A3i/o+wFPqCc
+u1S71v5R4dzg4JdPGfW4aixQZjY5x25vEA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/06.crt b/tests/data_files/dir-maxpath/06.crt
new file mode 100644
index 0000000..36f99d2
--- /dev/null
+++ b/tests/data_files/dir-maxpath/06.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/06.key b/tests/data_files/dir-maxpath/06.key
new file mode 100644
index 0000000..5b0bce2
--- /dev/null
+++ b/tests/data_files/dir-maxpath/06.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIESUhQgXWd8cVQnitNEpOD2JNMqH9ug/wYaY1xW3SaSGoAoGCCqGSM49
+AwEHoUQDQgAEgPalqAFB655/t5Mcja4zyZPNlgy4plttUTedbsaaG2nb/GIBhA0X
+T/jpPrkakElLAOmV3xd4hq9ho30N8DAx/A==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/07.crt b/tests/data_files/dir-maxpath/07.crt
new file mode 100644
index 0000000..5bb57f8
--- /dev/null
+++ b/tests/data_files/dir-maxpath/07.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/07.key b/tests/data_files/dir-maxpath/07.key
new file mode 100644
index 0000000..3f20131
--- /dev/null
+++ b/tests/data_files/dir-maxpath/07.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEi1oKInPLbiINj8OxdActVTgI+YQVSefdQfCu1ihbLRoAoGCCqGSM49
+AwEHoUQDQgAEjTo+HeDBAO6f95ooo6huE6BOKKSjwJvtwUyBqyU2E9ePvk0olCAp
+dAEl4/sXlHCzCGl0zdONrC7B8aUoc0Gi9A==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/08.crt b/tests/data_files/dir-maxpath/08.crt
new file mode 100644
index 0000000..bf1f33e
--- /dev/null
+++ b/tests/data_files/dir-maxpath/08.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/08.key b/tests/data_files/dir-maxpath/08.key
new file mode 100644
index 0000000..d1ee9c5
--- /dev/null
+++ b/tests/data_files/dir-maxpath/08.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIC8M2G7XcqeagYgt8SZJbuTh4tYchGvX3yDZJKTuBgFUoAoGCCqGSM49
+AwEHoUQDQgAEaUHkP2BkI55e0s6OlkrSdbu8bp0y+YwZFx/GgFUptKol+AA/+2D8
+WuRJxs2XS059ub0FZ30ABqTMfD9ZWIhmAg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/09.crt b/tests/data_files/dir-maxpath/09.crt
new file mode 100644
index 0000000..8f67e54
--- /dev/null
+++ b/tests/data_files/dir-maxpath/09.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/09.key b/tests/data_files/dir-maxpath/09.key
new file mode 100644
index 0000000..fe6a06f
--- /dev/null
+++ b/tests/data_files/dir-maxpath/09.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKkdxegP5yN840sBDxIPpiMftZss14uLaH7zoxOqrePDoAoGCCqGSM49
+AwEHoUQDQgAEe2QdevrehLH2oRsilBiVuZns5M43WmL3OJWyWijUcBUX3Nxf35jT
+krFBUoPxdDfr1BPnaCojwvMEcC875uLPuQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/10.crt b/tests/data_files/dir-maxpath/10.crt
new file mode 100644
index 0000000..72e699a
--- /dev/null
+++ b/tests/data_files/dir-maxpath/10.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/10.key b/tests/data_files/dir-maxpath/10.key
new file mode 100644
index 0000000..c5558f5
--- /dev/null
+++ b/tests/data_files/dir-maxpath/10.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPuPPMxo5e2doI7YfDp60qmEn4YwYs2sb5QlOpFQ3BIJoAoGCCqGSM49
+AwEHoUQDQgAEeo5RimyXeYYg8Te/PYJDnMKchyPcEcAqwAwDsDpDHjwT0ZcBnZu5
+sO2fxAJrtus0Zv4XMq7ODKpNi2mw4zyPVw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/11.crt b/tests/data_files/dir-maxpath/11.crt
new file mode 100644
index 0000000..e09e49f
--- /dev/null
+++ b/tests/data_files/dir-maxpath/11.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/11.key b/tests/data_files/dir-maxpath/11.key
new file mode 100644
index 0000000..b34bf8c
--- /dev/null
+++ b/tests/data_files/dir-maxpath/11.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHaMieH2/wn6lnsFUGzww43ymhN16Z0nhG5TyvNeY8U2oAoGCCqGSM49
+AwEHoUQDQgAE2cEfliujQRf+64hXTet3PIY2HXWUUeJa81TT8IgUMZ58cKT8qw/Q
+Omjz5i3OkqhjiVuGRlQnKCAc3vUSVXogfQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/12.crt b/tests/data_files/dir-maxpath/12.crt
new file mode 100644
index 0000000..91ef9b0
--- /dev/null
+++ b/tests/data_files/dir-maxpath/12.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/12.key b/tests/data_files/dir-maxpath/12.key
new file mode 100644
index 0000000..906bdc6
--- /dev/null
+++ b/tests/data_files/dir-maxpath/12.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAzhAcc1Yb2u4bsQDaYeRaRW8kJ/HzFTTfINV1k+TxZ/oAoGCCqGSM49
+AwEHoUQDQgAEwxPSz5Sz3IGd29AXIUfwJITRD/RwGr8GGnSSMs6D6OXnQlZ26EB+
+/Oo7GcGTWaAtIBwwIQphnCH0XpyEgKFbjw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/13.crt b/tests/data_files/dir-maxpath/13.crt
new file mode 100644
index 0000000..c23c165
--- /dev/null
+++ b/tests/data_files/dir-maxpath/13.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/13.key b/tests/data_files/dir-maxpath/13.key
new file mode 100644
index 0000000..c8a04ef
--- /dev/null
+++ b/tests/data_files/dir-maxpath/13.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKb966FXMh8cFQt3sVpmcrh2/3yaGiLMwz+/XGKGMJ+2oAoGCCqGSM49
+AwEHoUQDQgAE65MwiS854ZYZ7L9UVwfZH3mg/nCK7j0NHCLQQxqXbw/MWwVb0HIu
+PkRtkVVAklkYZBWI0rFEjNEBzEJwRZYcNg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/14.crt b/tests/data_files/dir-maxpath/14.crt
new file mode 100644
index 0000000..5ca323c
--- /dev/null
+++ b/tests/data_files/dir-maxpath/14.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/14.key b/tests/data_files/dir-maxpath/14.key
new file mode 100644
index 0000000..a526a18
--- /dev/null
+++ b/tests/data_files/dir-maxpath/14.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKEycJNLyYJ5JgECpCuZiFeXZIMC+XsMEKoMhRTx6xD+oAoGCCqGSM49
+AwEHoUQDQgAE0TGTdER8z3aJzZmbqvVz4c70Odk2qJMU9/aqULZRcr1LhBiqy6Db
+3XKQEWgNKxqbrekSwEDlVIjVZSdyKY+/PQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/15.crt b/tests/data_files/dir-maxpath/15.crt
new file mode 100644
index 0000000..bef923a
--- /dev/null
+++ b/tests/data_files/dir-maxpath/15.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/15.key b/tests/data_files/dir-maxpath/15.key
new file mode 100644
index 0000000..1d93908
--- /dev/null
+++ b/tests/data_files/dir-maxpath/15.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIL1c0zvh4Fx8aylrlHsOsK5Pcam7BWVHM2lDxGO26QIUoAoGCCqGSM49
+AwEHoUQDQgAEJSlIjKErLP4bE2rHnanQdgQjhiYU7dIYFBnlJ1jWdbLzuMp9BpBR
+2dPPvn5djCqo6Y/lV6tCUhRchlDoJoItxw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/16.crt b/tests/data_files/dir-maxpath/16.crt
new file mode 100644
index 0000000..d9d998d
--- /dev/null
+++ b/tests/data_files/dir-maxpath/16.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/16.key b/tests/data_files/dir-maxpath/16.key
new file mode 100644
index 0000000..70492de
--- /dev/null
+++ b/tests/data_files/dir-maxpath/16.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIM0YCnGkEG/TjBxrytP9Ztslm1yoQaWptBxegRzzBRDVoAoGCCqGSM49
+AwEHoUQDQgAEO1bKeyZgzZID4f/s5iD5He6NMaLf1jzBZ97gLBrbFN/OTBdH5oXx
+S4UW2x/YeCY2B4/MtLKVN27lF4X7bwGVWw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/17.crt b/tests/data_files/dir-maxpath/17.crt
new file mode 100644
index 0000000..1ee7849
--- /dev/null
+++ b/tests/data_files/dir-maxpath/17.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
+D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
+nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
+BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
+ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/17.key b/tests/data_files/dir-maxpath/17.key
new file mode 100644
index 0000000..eee33e8
--- /dev/null
+++ b/tests/data_files/dir-maxpath/17.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAiUS1dM3qrcOun8PjKe+rw40L2HG/Y8Dfxl0AfzyIVeoAoGCCqGSM49
+AwEHoUQDQgAEayEqtszvZg9vWAixweehXVP0SDbUYX3i7TPruaNx2gJ6KctEvfEc
+7hBhC46c6/GSOpJDDGbI/JxWUBfB37hNIA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/18.crt b/tests/data_files/dir-maxpath/18.crt
new file mode 100644
index 0000000..afd682e
--- /dev/null
+++ b/tests/data_files/dir-maxpath/18.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
+bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
+hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
+BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
+oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/18.key b/tests/data_files/dir-maxpath/18.key
new file mode 100644
index 0000000..4591d03
--- /dev/null
+++ b/tests/data_files/dir-maxpath/18.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJETLWqIZtnejCGzESDgMnknxqEx5evMGZfzBVPKMwKKoAoGCCqGSM49
+AwEHoUQDQgAErHPyZDXGH2zIKTn6y+ZCjhsTiWhkukkCHjTt91HgaU6HtW1NmnDe
+udsY73BqNHyRLcYNn3Dx0YU5xjAQ9btTdg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/19.crt b/tests/data_files/dir-maxpath/19.crt
new file mode 100644
index 0000000..a2220e5
--- /dev/null
+++ b/tests/data_files/dir-maxpath/19.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
+KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
+5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
+BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
+nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/19.key b/tests/data_files/dir-maxpath/19.key
new file mode 100644
index 0000000..bb6562b
--- /dev/null
+++ b/tests/data_files/dir-maxpath/19.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDJyHSKbXEZVfkNftQF4eHeJVuXhGdaboa7w4RejL5uYoAoGCCqGSM49
+AwEHoUQDQgAECckQhzQ+/CsWR6Bx3Tk4z7g+h4xz5xCl/GqW5VKREwybi1u2Ed1f
+ENHU2nPiR4kentpeA5Q23+W04shaAM8Pcg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/20.crt b/tests/data_files/dir-maxpath/20.crt
new file mode 100644
index 0000000..c82a527
--- /dev/null
+++ b/tests/data_files/dir-maxpath/20.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGebrN8JxE
+heOdCxD+mhnQ4zMUxF1WUkmAAHIUw089BYiH9SAwYS/M5tnl+R8fbjvoGqSpR6Tk
+V9EU3CQyIoxwo4GJMIGGMB0GA1UdDgQWBBTZs6oChL1c2CSZXY2YFQkkqg+lzDBX
+BgNVHSMEUDBOgBRQMc94kTqW+zQO3lo2WMI/81k3c6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgRVGZReXKvdMHhwLbPvbrTVLeAGDqmqMH
+/WqD4u23QBgCID/QtFaiawjviNFEdtU7JK6v4ZY0PQ0a0+HLZIHLi9ah
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/20.key b/tests/data_files/dir-maxpath/20.key
new file mode 100644
index 0000000..2ec68de
--- /dev/null
+++ b/tests/data_files/dir-maxpath/20.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJHLciDhJcnlE5MhTrOfFlnRbpJQLOf4h72E6VDXxMM0oAoGCCqGSM49
+AwEHoUQDQgAExnm6zfCcRIXjnQsQ/poZ0OMzFMRdVlJJgAByFMNPPQWIh/UgMGEv
+zObZ5fkfH2476BqkqUek5FfRFNwkMiKMcA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/dir-maxpath/Readme.txt b/tests/data_files/dir-maxpath/Readme.txt
new file mode 100644
index 0000000..606ec6c
--- /dev/null
+++ b/tests/data_files/dir-maxpath/Readme.txt
@@ -0,0 +1,10 @@
+These certificates form a very long chain, used to test the
+MBEDTLS_X509_MAX_INT_CA limit.
+
+NN.key is the private key of certificate NN.crt.
+
+The root is 00.crt and N+1.crt is a child of N.crt.
+
+File cNN.pem contains the chain NN.crt to 00.crt.
+
+Those certificates were generated by tests/data_files/dir-maxpath/long.sh.
diff --git a/tests/data_files/dir-maxpath/c00.pem b/tests/data_files/dir-maxpath/c00.pem
new file mode 100644
index 0000000..c806648
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c00.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c01.pem b/tests/data_files/dir-maxpath/c01.pem
new file mode 100644
index 0000000..302fcbd
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c01.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c02.pem b/tests/data_files/dir-maxpath/c02.pem
new file mode 100644
index 0000000..77c2519
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c02.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c03.pem b/tests/data_files/dir-maxpath/c03.pem
new file mode 100644
index 0000000..d6c1a21
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c03.pem
@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c04.pem b/tests/data_files/dir-maxpath/c04.pem
new file mode 100644
index 0000000..613d7d8
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c04.pem
@@ -0,0 +1,60 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c05.pem b/tests/data_files/dir-maxpath/c05.pem
new file mode 100644
index 0000000..8009049
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c05.pem
@@ -0,0 +1,72 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c06.pem b/tests/data_files/dir-maxpath/c06.pem
new file mode 100644
index 0000000..e0fbf13
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c06.pem
@@ -0,0 +1,84 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c07.pem b/tests/data_files/dir-maxpath/c07.pem
new file mode 100644
index 0000000..c960d19
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c07.pem
@@ -0,0 +1,96 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c08.pem b/tests/data_files/dir-maxpath/c08.pem
new file mode 100644
index 0000000..78c2c4a
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c08.pem
@@ -0,0 +1,108 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c09.pem b/tests/data_files/dir-maxpath/c09.pem
new file mode 100644
index 0000000..269f4e3
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c09.pem
@@ -0,0 +1,120 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c10.pem b/tests/data_files/dir-maxpath/c10.pem
new file mode 100644
index 0000000..e293304
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c10.pem
@@ -0,0 +1,132 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c11.pem b/tests/data_files/dir-maxpath/c11.pem
new file mode 100644
index 0000000..56cbcbf
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c11.pem
@@ -0,0 +1,144 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c12.pem b/tests/data_files/dir-maxpath/c12.pem
new file mode 100644
index 0000000..77c8f3f
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c12.pem
@@ -0,0 +1,156 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c13.pem b/tests/data_files/dir-maxpath/c13.pem
new file mode 100644
index 0000000..d5039ba
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c13.pem
@@ -0,0 +1,168 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c14.pem b/tests/data_files/dir-maxpath/c14.pem
new file mode 100644
index 0000000..c6eca72
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c14.pem
@@ -0,0 +1,180 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c15.pem b/tests/data_files/dir-maxpath/c15.pem
new file mode 100644
index 0000000..220420d
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c15.pem
@@ -0,0 +1,192 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c16.pem b/tests/data_files/dir-maxpath/c16.pem
new file mode 100644
index 0000000..041a83b
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c16.pem
@@ -0,0 +1,204 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c17.pem b/tests/data_files/dir-maxpath/c17.pem
new file mode 100644
index 0000000..5bdbafd
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c17.pem
@@ -0,0 +1,216 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
+D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
+nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
+BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
+ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c18.pem b/tests/data_files/dir-maxpath/c18.pem
new file mode 100644
index 0000000..d863189
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c18.pem
@@ -0,0 +1,228 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
+bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
+hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
+BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
+oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
+D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
+nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
+BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
+ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c19.pem b/tests/data_files/dir-maxpath/c19.pem
new file mode 100644
index 0000000..b1e24e4
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c19.pem
@@ -0,0 +1,240 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
+KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
+5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
+BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
+nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
+bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
+hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
+BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
+oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
+D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
+nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
+BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
+ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/c20.pem b/tests/data_files/dir-maxpath/c20.pem
new file mode 100644
index 0000000..ff97472
--- /dev/null
+++ b/tests/data_files/dir-maxpath/c20.pem
@@ -0,0 +1,252 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGebrN8JxE
+heOdCxD+mhnQ4zMUxF1WUkmAAHIUw089BYiH9SAwYS/M5tnl+R8fbjvoGqSpR6Tk
+V9EU3CQyIoxwo4GJMIGGMB0GA1UdDgQWBBTZs6oChL1c2CSZXY2YFQkkqg+lzDBX
+BgNVHSMEUDBOgBRQMc94kTqW+zQO3lo2WMI/81k3c6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgRVGZReXKvdMHhwLbPvbrTVLeAGDqmqMH
+/WqD4u23QBgCID/QtFaiawjviNFEdtU7JK6v4ZY0PQ0a0+HLZIHLi9ah
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJyRCHND78
+KxZHoHHdOTjPuD6HjHPnEKX8apblUpETDJuLW7YR3V8Q0dTac+JHiR6e2l4DlDbf
+5bTiyFoAzw9yo4GJMIGGMB0GA1UdDgQWBBRQMc94kTqW+zQO3lo2WMI/81k3czBX
+BgNVHSMEUDBOgBSDbIpYntlhJ0GgIsyd75XRhlC18qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgIzGOZqJRmvygzvLm8zxZFyoNpcT7e26H
+nZd5xFIzEakCIHGYcUXzt+owSVlLmrlW8gQcB81ErQbxuBTAsvpaaKSS
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTcwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASsc/JkNcYf
+bMgpOfrL5kKOGxOJaGS6SQIeNO33UeBpToe1bU2acN652xjvcGo0fJEtxg2fcPHR
+hTnGMBD1u1N2o4GJMIGGMB0GA1UdDgQWBBSDbIpYntlhJ0GgIsyd75XRhlC18jBX
+BgNVHSMEUDBOgBSnjWvpWxZcFnfQ2KGtCg/u6fT/D6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAJo2NXfJU1sK6SVTu4OV21FKITlXntMi
+oenYMsBjzO8oAiEAidSELcLjjAHi3mfBARvCgKlRhmbNEMCHQT7Ha7ZQoRw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTYwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARrISq2zO9m
+D29YCLHB56FdU/RINtRhfeLtM+u5o3HaAnopy0S98RzuEGELjpzr8ZI6kkMMZsj8
+nFZQF8HfuE0go4GJMIGGMB0GA1UdDgQWBBSnjWvpWxZcFnfQ2KGtCg/u6fT/DzBX
+BgNVHSMEUDBOgBRTw3K0Psy3u/6+3KKSoaQqJnPvPqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgDgXjoc6FfMF5W0NziV6vx2BOPNWav01Z
+ynEP4h9ULnUCIQC1rU4sEId3UdjzTKhpSGTKtaOuPG+b0YdEMPimI4jmVw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTUwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7Vsp7JmDN
+kgPh/+zmIPkd7o0xot/WPMFn3uAsGtsU385MF0fmhfFLhRbbH9h4JjYHj8y0spU3
+buUXhftvAZVbo4GJMIGGMB0GA1UdDgQWBBRTw3K0Psy3u/6+3KKSoaQqJnPvPjBX
+BgNVHSMEUDBOgBR1mXlrdW5rx1VnqMMnUBXo0WWGWqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTE0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMJnGjE9v3SjuGfi0jNByrwyNfhlTHMh
+FhPQidNrDpXwAiEAqYtNiV8t9RrAa9GC6FWDuJpvIiU6FsE+lFq6uIq/J2E=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTQwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlKUiMoSss
+/hsTasedqdB2BCOGJhTt0hgUGeUnWNZ1svO4yn0GkFHZ08++fl2MKqjpj+VXq0JS
+FFyGUOgmgi3Ho4GJMIGGMB0GA1UdDgQWBBR1mXlrdW5rx1VnqMMnUBXo0WWGWjBX
+BgNVHSMEUDBOgBRNsJB++ccSBmbCCKBxi4CjXROBk6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKYOIo+fdCQRqpH4LN8qUK1aKzKmWGxS
+fGzEEkg/29bMAiAl95cmucoCDMq2Ab8Coc0dEqyJ6+rAPMLBCbGawyiW6A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTMwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATRMZN0RHzP
+donNmZuq9XPhzvQ52TaokxT39qpQtlFyvUuEGKrLoNvdcpARaA0rGput6RLAQOVU
+iNVlJ3Ipj789o4GJMIGGMB0GA1UdDgQWBBRNsJB++ccSBmbCCKBxi4CjXROBkzBX
+BgNVHSMEUDBOgBTmVnUSF2MYwws/nCMv7b1wJVkDmqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgVfuLpjp08AaxKWf6cuZUUCRd7CojSS1I
+71hzeUyFS+sCIQDNJI6P/pBbiHgTaGlBAgfcEfmxmbY0n4xZndtxIkmyVA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTIwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATrkzCJLznh
+lhnsv1RXB9kfeaD+cIruPQ0cItBDGpdvD8xbBVvQci4+RG2RVUCSWRhkFYjSsUSM
+0QHMQnBFlhw2o4GJMIGGMB0GA1UdDgQWBBTmVnUSF2MYwws/nCMv7b1wJVkDmjBX
+BgNVHSMEUDBOgBTZTtbi+j0Sm/Zs/+gTkWdASpQzfqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTExggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgWsm+rHJgwUEyNm8EKbEds5yurpp5/3y5
+PsvXJVDqxogCIQDUP0Jcl3A907CE2tPVXSgD6LQ6CPu19mixemPw60yijA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTEwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATDE9LPlLPc
+gZ3b0BchR/AkhNEP9HAavwYadJIyzoPo5edCVnboQH786jsZwZNZoC0gHDAhCmGc
+IfRenISAoVuPo4GJMIGGMB0GA1UdDgQWBBTZTtbi+j0Sm/Zs/+gTkWdASpQzfjBX
+BgNVHSMEUDBOgBSOSt6ePyMRT6PGMaIi7FqNX9MKtKEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTEwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgYYF5AnRV7eh2hLD5Dz//pceMTKz9Ls46
+E6DxvbfDHikCIFttlGrOCZVyS4ocsjuKIELVUX5qfygI0sn4kU3qCTs2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMTAwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZwR+WK6NB
+F/7riFdN63c8hjYddZRR4lrzVNPwiBQxnnxwpPyrD9A6aPPmLc6SqGOJW4ZGVCco
+IBze9RJVeiB9o4GJMIGGMB0GA1UdDgQWBBSOSt6ePyMRT6PGMaIi7FqNX9MKtDBX
+BgNVHSMEUDBOgBQtxZSLJAkEz+2RKMQexM6EtsfgcqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA5ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgN//NqM0FrkrMjmxoeCY9DgxkH2R6sQ4d
+NgtwCZAIqEICIBs4vupaVcuvni9tltbP26wi7c0FR+blZuo5DPIA3SVe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDkwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMTAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR6jlGKbJd5
+hiDxN789gkOcwpyHI9wRwCrADAOwOkMePBPRlwGdm7mw7Z/EAmu26zRm/hcyrs4M
+qk2LabDjPI9Xo4GJMIGGMB0GA1UdDgQWBBQtxZSLJAkEz+2RKMQexM6EtsfgcjBX
+BgNVHSMEUDBOgBT6gyXHzPIPYc1Vr1aGiLLeMh4HpqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA4ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgP7S8vFstfUBdNe6ym5GYG5Q+aBVEKqRs
+fVW7HNUktSYCIQDo6Jua6o/DJbrpq4qYWq5gv4yGyzPTN+3IaKrEICdaaw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDgwHhcNMTcwNjIyMTE1MDMzWhcN
+MjcwNjIzMTE1MDMzWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7ZB16+t6E
+sfahGyKUGJW5mezkzjdaYvc4lbJaKNRwFRfc3F/fmNOSsUFSg/F0N+vUE+doKiPC
+8wRwLzvm4s+5o4GJMIGGMB0GA1UdDgQWBBT6gyXHzPIPYc1Vr1aGiLLeMh4HpjBX
+BgNVHSMEUDBOgBS40mLt93U8Sh8ZGiDVAhRSiBPcXqEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA3ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgO4el1ZPhlIli/qNR2SIEiuvs5Mmy868i
+N2Rv5X/VxIECIA/8rUALQxW38XSdBVX3e/jzu7ju47n1YwEqD9K9WdVv
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDcwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpQeQ/YGQj
+nl7Szo6WStJ1u7xunTL5jBkXH8aAVSm0qiX4AD/7YPxa5EnGzZdLTn25vQVnfQAG
+pMx8P1lYiGYCo4GJMIGGMB0GA1UdDgQWBBS40mLt93U8Sh8ZGiDVAhRSiBPcXjBX
+BgNVHSMEUDBOgBREq5J3toJPxZ3O+ssJ5vkkU0RJE6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA2ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANwGf+F4a+kmXWz8UjSpRkaToTV6EFWw
+/Tjzj0tQhDoAAiEA19RxeWOVBBpM6LOHg6v5Lf54YN1snkLf+sEXyZCuWQQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDYwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASNOj4d4MEA
+7p/3miijqG4ToE4opKPAm+3BTIGrJTYT14++TSiUICl0ASXj+xeUcLMIaXTN042s
+LsHxpShzQaL0o4GJMIGGMB0GA1UdDgQWBBREq5J3toJPxZ3O+ssJ5vkkU0RJEzBX
+BgNVHSMEUDBOgBSjovYaC/m6Li9Tp0V9iZRs9267Q6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA1ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKGcf+c442c/XiwubbaiQvsoZ7EoVxuM
+oKmia0gPyBNkAiEA83asjJ5FDXQuLyZpczviXrbmqgCPOfYadtvkc0cxMis=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDUwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASA9qWoAUHr
+nn+3kxyNrjPJk82WDLimW21RN51uxpobadv8YgGEDRdP+Ok+uRqQSUsA6ZXfF3iG
+r2GjfQ3wMDH8o4GJMIGGMB0GA1UdDgQWBBSjovYaC/m6Li9Tp0V9iZRs9267QzBX
+BgNVHSMEUDBOgBTXh06MAV9S4l4lG1TKOrKRBh4qn6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTA0ggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgcjZNFWJtlDmoPZbAxqsGczRYK0lfPgu6
+g1H7pp0ce+wCIDj9BRZM2OB9EF0e+MDKGjyZGfvfrL6Ir47x/KrM6H8T
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDQwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQEdT0OFf5G
+UcrgX2XllCyJzP94NZ464GsgB6psNLsDeL+j7AU+oJy7VLvW/lHh3ODgl08Z9bhq
+LFBmNjnHbm8Qo4GJMIGGMB0GA1UdDgQWBBTXh06MAV9S4l4lG1TKOrKRBh4qnzBX
+BgNVHSMEUDBOgBQox4F1NsZunlsduoGvzIgRSYfB36EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAzggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIW++zqDZlLLUk/emePohdNOp5JO3wS9
+XvkBJ6Wua7GBAiAdx+EKmdjVrwnzrQltTgnmSfGMXhKNYifK3uD83W3pcQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDMwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQUXDgcUVNT
+9hovbZE5HL6rjOb7C55wEuWKThV/CcZ4rWrXx7VXHYdD/R3aDA7JSvYpm2sTok4i
+sblDzhZM/GDNo4GJMIGGMB0GA1UdDgQWBBQox4F1NsZunlsduoGvzIgRSYfB3zBX
+BgNVHSMEUDBOgBQApzZdtBdD3dLxouQpr/aDiVttd6EzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAyggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgAkiNhqFAZXSUWEDK91OZvQGdeZOtd6mC
++Wv3fGk3t28CIEKOwidkUTUaiPdZ4efmAr+CEeGzdq27ob2S+nqqHqgV
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDIwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRDXDNIi1p
+ereudhqwa2LslXgsxnB63Hu5y5lg+1WPruIYPzD/Ho0APveVdzFLVji19+bE4+tF
+PYL1SpsN1WfWo4GJMIGGMB0GA1UdDgQWBBQApzZdtBdD3dLxouQpr/aDiVttdzBX
+BgNVHSMEUDBOgBT5RCgQ0AlZTQbfFB2+6+w0XRvydaEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAxggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAOnd+7bAofkHVa4KFNjv3TCegw1lrhuM
+8Of8wgvrTEGoAiEAsS8iKMpSfXH4D0egg4gLamE6akde965rDtySU+ve9lg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDEwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQWHpv1i6lf
+wvNPOP5ka6S0n55EvzoaYK6pbTXP6yMOW/4XZSPKx5Zoq4FMe0cKzGIIFL1rzj1V
+2czYB+qvLhyio4GJMIGGMB0GA1UdDgQWBBT5RCgQ0AlZTQbfFB2+6+w0XRvydTBX
+BgNVHSMEUDBOgBSh3uHkX5nj86yFEFwjscSWM40P+qEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggEBMAwGA1UdEwQF
+MAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAI7unGW/gr9tOc3i+dF5N815srgh+FrX
+oj9Et74EcSpTAiBubv+vOH0DE0gmYI11HeAIgutWqqMIC72dZlwTF/Vi3g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB3jCCAYWgAwIBAgIBATAKBggqhkjOPQQDAjAvMQswCQYDVQQGEwJVSzERMA8G
+A1UECgwIbWJlZCBUTFMxDTALBgNVBAMMBENBMDAwHhcNMTcwNjIyMTE1MDMyWhcN
+MjcwNjIzMTE1MDMyWjAvMQswCQYDVQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMx
+DTALBgNVBAMMBENBMDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQznn9zHHwL
+GO8VR4W9V7vMlxCdoojzEOiX5Y6JtPtFOz866ueHY6zoN0/mJ6DnqnSXilJIUUeW
+6eGfqmka7nxko4GRMIGOMB0GA1UdDgQWBBSh3uHkX5nj86yFEFwjscSWM40P+jBf
+BgNVHSMEWDBWgBQlFYvU5WboI4fcdPoiQs8/fPHZraEzpDEwLzELMAkGA1UEBhMC
+VUsxETAPBgNVBAoMCG1iZWQgVExTMQ0wCwYDVQQDDARDQTAwggkA/KCWhcqToHAw
+DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiBasbuinP+pJTU4oDCVD8zQ
+1rJBDSOKIEyWu84/D6Hj6wIgVMPUoO01bPhzllAa/gW8Xk/daey09SBgN3AT9pWU
+TDA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUugAwIBAgIJAPygloXKk6BwMAoGCCqGSM49BAMCMC8xCzAJBgNVBAYT
+AlVLMREwDwYDVQQKDAhtYmVkIFRMUzENMAsGA1UEAwwEQ0EwMDAeFw0xNzA2MjIx
+MTUwMzJaFw0yNzA2MjMxMTUwMzJaMC8xCzAJBgNVBAYTAlVLMREwDwYDVQQKDAht
+YmVkIFRMUzENMAsGA1UEAwwEQ0EwMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BFW41/qAwAPpy+Txdc7PKmzZsq9CPiujKU4vpF1ekXnGx2HP420QobwBVVWhkzRm
+LwdboH2j65dcCKjQ7mv/dxKjUDBOMB0GA1UdDgQWBBQlFYvU5WboI4fcdPoiQs8/
+fPHZrTAfBgNVHSMEGDAWgBQlFYvU5WboI4fcdPoiQs8/fPHZrTAMBgNVHRMEBTAD
+AQH/MAoGCCqGSM49BAMCA0gAMEUCIQC7iRcVzwMyfVK5imirJ7MqJQ04euH4CLOt
+IZ+SNfaERAIgSU0MWFDosVEIpg8YMqIHeF7Mg4ZyH6+fGazJgVLttUY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir-maxpath/int.opensslconf b/tests/data_files/dir-maxpath/int.opensslconf
new file mode 100644
index 0000000..df28cab
--- /dev/null
+++ b/tests/data_files/dir-maxpath/int.opensslconf
@@ -0,0 +1,4 @@
+[int]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
diff --git a/tests/data_files/dir-maxpath/long.sh b/tests/data_files/dir-maxpath/long.sh
new file mode 100755
index 0000000..22f3bf5
--- /dev/null
+++ b/tests/data_files/dir-maxpath/long.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -eu
+
+: ${OPENSSL:=openssl}
+NB=20
+
+OPT="-days 3653 -sha256"
+
+# generate self-signed root
+$OPENSSL ecparam -name prime256v1 -genkey -out 00.key
+$OPENSSL req -new -x509 -subj "/C=UK/O=mbed TLS/CN=CA00" $OPT \
+ -key 00.key -out 00.crt
+
+# cXX.pem is the chain starting at XX
+cp 00.crt c00.pem
+
+# generate long chain
+i=1
+while [ $i -le $NB ]; do
+ UP=$( printf "%02d" $((i-1)) )
+ ME=$( printf "%02d" $i )
+
+ $OPENSSL ecparam -name prime256v1 -genkey -out ${ME}.key
+ $OPENSSL req -new -subj "/C=UK/O=mbed TLS/CN=CA${ME}" \
+ -key ${ME}.key -out ${ME}.csr
+ $OPENSSL x509 -req -CA ${UP}.crt -CAkey ${UP}.key -set_serial 1 $OPT \
+ -extfile int.opensslconf -extensions int \
+ -in ${ME}.csr -out ${ME}.crt
+
+ cat ${ME}.crt c${UP}.pem > c${ME}.pem
+
+ rm ${ME}.csr
+ i=$((i+1))
+done
diff --git a/tests/data_files/keyfile b/tests/data_files/keyfile
deleted file mode 100644
index f54d47a..0000000
--- a/tests/data_files/keyfile
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDMYfnvWtC8Id5bPKae5yXSxQTt+Zpul6AnnZWfI2TtIarvjHBF
-UtXRo96y7hoL4VWOPKGCsRqMFDkrbeUjRrx8iL914/srnyf6sh9c8Zk04xEOpK1y
-pvBz+Ks4uZObtjnnitf0NBGdjMKxveTq+VE7BWUIyQjtQ8mbDOsiLLvh7wIDAQAB
-AoGAefPIT8MPpAJNjIE/JrfkAMTgsSLrvCurO5gzDBbxhPE+7tsMrsDDpuix3HBo
-iEg3ZbzV3obQwV7b0gcr34W4t0CMuJf5b5irHRG8JcZuncmofDy6z7S5Vs75O85z
-fVzTIuVUyuHy1rM6rSBYKfsMLVyImUb4wtIXEMHPzdCL9LECQQD3ZfgGqudMWq8v
-3BlKhsQ4fsR0vxzNlMZfoRrZzcvBT339Bp1UQ8aUo8xBtHiRwuW1NaPNgYKX6XQ6
-ppuWuTiJAkEA030i493KnFPLRwWypqF/s6ZNlVye+euFN5NF/IeJcvb/GUDRYv9O
-pRozRS1jNx4ZB1K2xT7N9MwsPHD6j6K4twJBALdfHTfT9RzjGnae7SAQQ+CcFYFz
-JiY6386B2yUVJLFj+j5RaMvMcKQ7xGnvGm7vxtNJrt/j3qg6oavXUfulzgECQQDP
-CEVLhCd/+ZeZoz5MWPTGTRrOCKmoRqNW0FlG6PfpD1qSwh04KG44uflO0yu5HUGr
-JZG+bcj4x5bWZFMkoUrpAkEAyEgQzesKFqcbt1cqv3pLXJYQBBw6leFXgHk11a7k
-+AkexhrPYyq/4tXFO2TLk2hs7tpYgNDOqZCvEu7jtN3RuA==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/keyfile.3des b/tests/data_files/keyfile.3des
deleted file mode 100644
index 638c19a..0000000
--- a/tests/data_files/keyfile.3des
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,BE8274D6692AF2A7
-
-9ZXjoF55A9XgJpdaWmF/ZL1sJfbnE1M42N7HHRDwpq1/K+afC9poM0/AdCUbRL7w
-uvQERievbAYpNeLdah1EftM6033e1oTxUMivdL4orDKcbb3qDpSQ0o0UbjavbT+d
-aruilW8zVP4dz3mYMvGbkgoujgzdT+4wM0T1mTTuYcRKQsHlg7QDy2QrBILNuXA4
-Hmye4GlSXVUSON8vPXT12V4oeubEIZVlnkLTRFGRVA4qz5tby9GBymkeNCBu+LCw
-JwJLTbQwMFqozHvioq/2YBaHDcySpTD4X5AwrCjifUNO9BnLWLAmt8dOWr0z+48E
-P/yWr5xZl3DrKh9r9EGb9xbTxhum3yHV7bvXLoUH+t9gowmd4Lq3Qjjf8jQXle0P
-zoCOVxwN1E1IMhleEUPV7L8mbt26b0JyvrSS5ByrXahGu9vGQyy7qqx9ZANkzgXF
-3hPMDuzQXMJiUeG92VsMEdGdA1/8V5ro+ceB5c7Zca5MjMzvx2tihda7BUjj6dSE
-cA8Vvksy/NX/nqHSt0aSgphvBmZP8dN6GMcZ+hT7p0fhCq4mSFEykQqueKXiFUfz
-0xCUVZC6WzOoEkc8k7xiLWQDlsZZ13Z4yxU1IxJp7llZXpZ8GkwS+678/Nx8h54A
-mv5ZlSFWWQrvN5JPQJka7aU2ITu1LUK6mXBu+DoSDOfQuqR4vQytkjOqHK185iHs
-JQtBGkFFdElkWgubPX/S8/xxoT8MoQY/c+dr6iwcswyUnSJXh32KLPGNBoqWCCbY
-jp/VYmeb117gNpEJKJhcNbrP7DoQrC3/D7JFXnOvTA/z6FOtUmz0rQ==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/keyfile.aes128 b/tests/data_files/keyfile.aes128
deleted file mode 100644
index dd7443f..0000000
--- a/tests/data_files/keyfile.aes128
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,B5FA3F70C2AF79EB9D3DD2C40E7AE61A
-
-iyfOvvyTPPR7on4XPFxu6CoCgTqh88ROlslM+RLJhwM/qGexbgDOzeI2CPf4XfzI
-tyevKD/pqCaCMesYJh/HDQCILdW2tGbwzPajg72xkfCD6+1NHOGoDbdQN8ahGVmg
-flAYU0iXDMvqs/jnucM7nlTGp8Istn7+zd9ARyrkQy+I8nvMh3chGKWzx/XtJR+z
-Iv8p+n/o+fCHzGvtj+LWYeUc4d0OTIjnF6QPTtPOexX28z0gXRODT/indgifNXv3
-j45KO2NYOaVTaCuiWIHj7wWBokoL4bCMFcFTJbdJx5BgfLmDkTEmB/6DEXu6UOsQ
-3lPzyJhIRxn7hNq2I47TzSAFvmcXwm84txpxtSwHTcl9LgsyIiEMmHv3lPPE1G94
-F5VrCzzFHyU7nFRdUC0mqLrCHcjDn5O4SQWfH7J/7G4OArU6lA4Z2NC03IPxEmsQ
-66Fu8GdMbmtFORdlZQtOjLi3zZwN9+NwhiUrNNdVvGNJIjIcZ4FZRZysbt7++hfQ
-/JOAKhVNC8dNROJUleEYIiqx23e5lze6wqcIosziq3tb6/SQ6fH533D8+PpcZKsC
-IlWKAQzsNV+nJvt7CI1ppWc6CtV7TKn0scZm2oOC4339gdR5xzxXe9EJDsMBpcg9
-drIdBr+3UxeC6Lc/rWM7IjSQ2YULBra3toEF6UYevngXdUD2YafrpoY5rK9IH90G
-Hjbf65IaHLTS0jA7lAvJsQEBuULQQoWENOjhp8v+UfkNM2ccyOuUk3xZJNeX19YP
-1Z09UMEKbf6ucoRCc01SBl206OAsq1NZEaodszT+mDg990I/9ACVi3LEU6XB5ZVs
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/keyfile.aes192 b/tests/data_files/keyfile.aes192
deleted file mode 100644
index 96702d8..0000000
--- a/tests/data_files/keyfile.aes192
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,72F869F41B989D71730B2983448251B8
-
-R6ST6H9oUyFWBavUO++azbn9ga87lgeuqNMVVScOcXjguqQZdnuZq9AzwQQETEv+
-ZbVPL9w2isuXKoavaPxYyCXbZ+l6JRfWiXi6CmnfNhx4MgYpbH9BEqGbIVxA3fvu
-zFutqi+Ru6QeERshDNke6HfFjJ91WkBjNjrXcfDmt0uRGqFSWd5DSEniyaPmxCYs
-mpRwr9XESFiBkCHL+/iSkW0EZBjwHW0//RNsZKtuqVJGW/dZhDxerOGRl0a1oWkb
-IvfED7afrXMlpHokMwtUduk2TBE1AoczZ6Dv7RZGipaBR4yb9kYgIkiqFk53lg5h
-7b3WQt6TYECI7X3Q2rDgPQtUChVud0uUQYmQ5328HRE8zhlWxHGmTQMWVBW6X+FM
-ikFLRUeYBeq0UJu20DmvklZV6iDxsULLu+Rb0b8NkT+V2feSXbrP976oCSUznvT6
-3e2EOH+KAqMy5JZhTsjM7HtkleMwYQ9v+Wnbnn1OsB9drYWUJuhQeXt6v8dkm/eD
-9m6dZzivc/h1UThIuuZPo+6S7FoluIlt5uv2UcnYYdYOgKSd1Vm0wztGaJn3CSGw
-JEbebucr+5ptOHxflV5Txgnfj63sJyVd/wy0T8sMRO2znk5uVLWxf855fNXev9M3
-gA3+MXC2eGaR9DYOxfakFRwL+Z30RlIktaqDK76BZRD4sWB6dIVw5JdCXpNMCuDH
-dxlTKcP59uPAEB2VyhDvm5CN3T+bM2K6WDZFO95hKKfEk5ea/UB7DA2ucfovdayE
-Hd46EUKC4/cdUFiSycgD01ztdda7hU7hFvOkHTK7O3G1yvEwH0+jxKNsudNfbbxc
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/keyfile.aes256 b/tests/data_files/keyfile.aes256
deleted file mode 100644
index 5df09cf..0000000
--- a/tests/data_files/keyfile.aes256
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,53572EEEE794948AC48CB0E077CE075A
-
-p0YobpQmzHb3NgGlojpYoH+G5f1XX9snYv2GQe2tGTBQpoHh+ivHcOt85EZu9pC1
-1KRdALEwp7Cb4RYeQncV9Bfp5rItupS1TwfgKAlp7Plmb4vDcDVw+KL3PaYn52Bd
-qq5USLxCvKcl91hZXzitttH072lEj2MzW2QpX2/1hCRPgMDu9PJlBX2S+GOaYP+9
-sTWTCc1yvHMW4XGEM4P4yfRg9EOTxU5gIYWUE2JqmEGd+9I0hK2YevAPLNKHxzpy
-klCCBYqDplcVT5zEyCmdiBHIjzodlFuocZC8ncinVnsuJvpTeMQ+zOZ5rao8xm2j
-uCnnVRh7yZktfsf5B/ZKBMGyPYRyKN4CCYhF0GzbehTvBirgDELq4LHyDdnnOTwU
-YJiqo17x6S4FVNq6AubADVAbCOMFyfr+TFshI8spOwqfGFFDs8/WWL5OnBS85Pd1
-dgoqwzJAt55GyDUbGnp6hUFl9g96nvV3sE6Xe4xVE2Cpf1BtUl9Dt3UrrDrbS0dk
-pKxl2FA2H0BVKtfNBHXvWkORi+v+XZl34rZZ37B8snYIN2aOqLuvyM4fd1EabkyG
-ymMEUHJcrc5zl/7IECaHrCahqZIsLpLhGTd0MMGrkGSvRLiY5nQ4MN5tKI0fUw0S
-5KIjOA6ZX5nvh4rYgQcgN7K6dXNA2hOj5256Vv0HVwXsVhQFmCGnuo+h8XxudRVH
-RuIUaTUtl29a/2nPTzXB6MNZe7Wol8EkzuYEgyaizKr7nO0J1umg+lj7ipX/80Ji
-3ADi0yL4F831LsdAiTY60Lu2e3WABleZsvuLMWSodb9WzJXknsnFEDLGOM+HGj8Q
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/keyfile.des b/tests/data_files/keyfile.des
deleted file mode 100644
index f232305..0000000
--- a/tests/data_files/keyfile.des
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,F87FE1C0FB9B3E77
-
-1NbOyRx5kBWeXy93eCXyidDpR3pbfgGWIIgXVCVE4/ZXgEt14A23YndZeI5OSxvG
-JWhqZ+VuiRsxeKAjo+xf4bnKLArvbshhzUKCEVsCP1d2d1xfgjsnyr8tqNiJE0F6
-7Nimjcrpw/udCk2RBVyshN9kiPBbnA+XUdOHfEnbdkqDsS5DGjq7H1kBZuHhTQa8
-Xv6ta3kbI1BGiqKDhH2H9iJlZMwpVQuJs+HqcqNEhsPm0V4kp0S3PZMbYVKpEtDO
-vh9CHprQy/nlHfq7ZAs9/2HN4/OT/5kw4JM9qQy7eo/6FX2yh39Lyz8u7PXLaVgM
-pwOiFb+zvegYts5aCXyM1nBUu9NFPDQNDytjXOhbWL0hEr1RzgK67f5QYIxWgGCK
-St4moIn7J5BifViNdp7j/RXCoCmda3Zv5PiRw83yScSlzgDdTNpm/70jp8pGSxEn
-Ib768zYEcYeeKyPar210Nh9abySPpkFFaujN4do5wujboC0VPz73M6eTeZ6iOUgR
-cX9WwkfRj6G6VQfM6xAZdOkQ2cj6M4YRze1RKLhqo0+gre76FLn8Kzf/Hjrp/0iy
-0flr/6BwLxGV49vMUCesJ9oqE/frru9Y89cOwbgcHxKJ24Oz+64OUPyeSxDMElZ8
-lXiNk3aBEuLdBOKJ8B9kyKuxNqwDoqhCsrc77Gjio+q24w+G2+KAzBEup4S9cYgp
-FiSvK8sizKINfE14f9HA60MJJzyEjTUuL7+ioL7xHGtIkdWbs/Qp7KxliH6qoIUv
-VUsT6VS1nWLDyTyMbcjMx1odRsWrLwLqIsvNIcGGwe+P4sm4LivNnQ==
------END RSA PRIVATE KEY-----
diff --git a/tests/data_files/pkcs8_pbe_sha1_2des.key b/tests/data_files/pkcs8_pbe_sha1_2des.key
deleted file mode 100644
index 4ae7aec..0000000
--- a/tests/data_files/pkcs8_pbe_sha1_2des.key
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE6jAcBgoqhkiG9w0BDAEEMA4ECJUO+jJnTjpKAgIIAASCBMi9QFFLgKGYOSDR
-0zyRMc87RkrvSlyRi8BibyKvTNEDq77jTr6ZEuOF1OeZ9fvdZwJeI4GkTeKkWqTw
-XDjWATXHbgTX82I3T8R2iBnv6Za9uaFDtDH5gbUYSrSNzMaoyS90hc9PTJ2+TG/Y
-xUe99kSvzbhAatVQE+0TWpgH+8oACRvGelnHWofw4/CKJXJctUO8l6LdhLht1kwd
-YXNX0xjxpY/eLGlsUaiDBdb0D9WFjdi4fcZ46IHspqTfBUhYbpDj8IQT1vjH6yjm
-cPNPstEeyfFnirvgFuHg9LXTH0cf0mJgLzgiclgRVEOel87Lei5icEFI4hDAzWna
-s3YiTijc926mD5AqQ55QXPN9v6b/uAV1QyKenoYzIWC3Y4phTTeApCyV44f9oMMD
-wzcYWMZoHzEIiZj/iiCF1uOSamIjunCmpiBXTI7OGXbxXvSSJ3aU9nJHqVT88/ke
-nj//EzWVYAjMdNYl0bOsWoIONl3eEEnLaUrOYOTVMxGac6yy/oIKR7GP0R26N4V2
-c434y0aQpn6opT+JYa83N1RwES2/NxwrHs4pcx2WShbTjg1Cw1XMHk8nQYNnM4oJ
-kXWyns/k1Bay/SXgpl2NRsoWzxCR7BavB2mRcyMz3djbOYscuT4QwpB/Wf6kr6pN
-gszegRtwLmVBehwvGJwL2SEx2CDHvJNhvoD7vbNiWeTFo1wW1wF4aE7p/Ee7gSRX
-z14OC8NSbuYV660ntNQ9LB+Z7NDT2d6JTjSnhQHxxLBwy3OnM2/vu0eCd/5+MGjN
-C4svgFsAH9qnT1VQTzmpwGBJAbD29CVvUUeBF3+up+Mr+IQU9OWWEtUZ2Fm29gs4
-j4azYJUI4+RLw75yNLVgxS5r4Cc4cKGB/P7qVqdH2CmjrEk0jxyTFT/PE3Df1cz9
-F8eEprdml2ktrlQ3gCD9fw0kXBsp5vwecpQDS3r2v980vnMxb5Cm7kMTMFb4/hMY
-z1yaDkarkSHQk3qFYtO5DkEUXhF6fwATyqOgJYwcy/9ynzItqgbsCIYMjpXF7Yww
-FNa/GQlqIbYRCd4KT64Ahus7I00vVS3b3glcC+KlDkwCJJ0M+glzHrJs3L+PiJMi
-gm+YT/5FuSqJZ/JI5QP7VMovqSLEw6y6QQHSBCOxh/CGhAL/BZ9A9afvPTRiI9OF
-fyxAaf8KH1YPI3uKIuDcms0d0gJqQoDmLafdfggd6dwuLF3iQpDORgx80oPbjfl1
-FEbU8M5DqiH+eOxgEvIL0AhMnPa4mv1brVdlxS3CyojnqxPfecXyEXrhEYJWJdsF
-aYKR5bU1bY990aN6T3EDRblmHs25Fc328xS2ZJkHNxcJDruwi4EFpQVT+fukOz00
-hOW2BEMFJLRflE+372LNIgSRVNI536YhF8r4r7O1jrw9McX3hzbJGAtcsXqyIO/k
-hxC3x5ViqgZbDYgHz/CJJfP2RC8spp2RbZ/uDJu2YI8z8s9OXvcYv0EQmBAJxdt/
-lyfkzEr/n8oRtDIkrq7lR3rjMUz7AbCfNJpqrEBFol9+qH8+jnmowL8LWBlh0v/A
-pc3qWIulXOR1pbwXyAELo8wGhnJWL4WmY252S3i0Jn8Gf2kXewMRJsixStairjWD
-1m0wWUVGSm5CO8Rfon8=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/pkcs8_pbe_sha1_3des.der b/tests/data_files/pkcs8_pbe_sha1_3des.der
deleted file mode 100644
index f2ce029..0000000
--- a/tests/data_files/pkcs8_pbe_sha1_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs8_pbe_sha1_3des.key b/tests/data_files/pkcs8_pbe_sha1_3des.key
deleted file mode 100644
index f9c11ad..0000000
--- a/tests/data_files/pkcs8_pbe_sha1_3des.key
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE6jAcBgoqhkiG9w0BDAEDMA4ECGhNuQogiktrAgIIAASCBMhfcb+Jt0YOgGni
-IWnwmmtYT6Nvina/j3FCGzcHCDyUQDqh1rPUtZnmUdM3fyEGlUJdX9wmHh3gUkWx
-JE00QMzYDQsUbGrt8H3rCQ+aXegCicXAyBgDh0YUhO7bWmgJNSvZOduIeCJ81mnb
-xtl3CGgaYVOWspr458crtvn1Hlhq0EGs54EUHWBE89PHNxokGHqkFQcdp7QHO9Zm
-ZvjTn+kR0K5KQbeQwMf3LcboueDV71ueUZsHlTSZ5Qs7WZORRzMBoo2SWV+Mh7U/
-yAQv4i6CMauVifVqTMbLtfdTyZCts3N57sGstyqIruE1Jwg8m3i+cV/QIh9Fcgo8
-R+snSlbOZMzCpUIvcuVkEMBP8+89/BtIabXL8SoTsD6v/f/YJfcw9qpOH+AoA3JG
-UZT+0VxfIk0JUkX8QvM2qMQYY9efX+Dq+N0ODS1vsdP43pKxowOQlQUPKOsqoDch
-IXW9qDD3uV+clg5L6BqDbX1O98oegcg6L24ZK1yKVzotiTj/eaZVpzTtrNYzWB0+
-qO9FTwLqOmIRcduKKu5zctC7QlpFY3U2ikbkYpPsam/9GSXVe0LuMRLleiMPQUdU
-ZJlkZr221OGq5TVhyJ6zEwud26wExB16tLU26ZvEFwExoUPboH/UQwX8L9vd8BKp
-a32u35n5MOn+54Rfa4qfpU+uLB056CCKL8PwVLN9Xzeg+gJLfWqwEalPmSsylakO
-7+suOGaUKy1a/uszD97dKk3Abwfoyb0qvbdF131GR04NYIzkQl72CBlxuWqVUt9o
-pmwsUDAzwoJWi0sKy0dTm3KZHLJ+3OMIydod3beS9uS6Yro6NJBN5EPw3PoByBF5
-DUkOfW6tV0dlHyXOuwU+JzBd4iwJgO53GVPAap8a/eOGgNCiw72gYM4lcHnwShL0
-/v969VqntPXb7YF1hMs6ef3zTmLEB4xaXcARynnNkZnpQppxSPeHeXU+KxZCjkLE
-brzHFnUMr8UJOyra3C/iXfi/OKJcBIURc3oY29Q45GBcV0s/W3n8TVF4qEqtbv3c
-NbEmgcdzLGA28XiuyUH+pLxK3qP54jlqhd22q5qoN/gz4MKG+hJMMcO00Hj7+4Fb
-fnxxGE5far3zjHLaxfnRKIfseU9DrQVh6gTg8ibe0kdoUXrptIb51eRcukE7s/yc
-01Play8GYik4x+kcNAmQT29EslB/3RcrWH3tZExJjjDaC+Ty2atCMmlLGxt7VHOa
-C3k0QHYSE/TULBldB64S1vVFrZgzLFTlXKGm38mOGCG3t/lQQDTo3IAp0YE+atM3
-VG6ON3SSU0QRP1aEkZY8t9rf3+/J8Nl8oF4kF9ISzLNhlR/KJlNkmDvG/ic0skJK
-KYezuuYH8/eEr9ZFfBsb9mRsFCM9iBZl/XqebCCC5/kfXzL/Hpp4f0L7DH4C0f6L
-LbMCFhvsCNGh+1pdIjN9hbAkv/r2NN8+MaY2xFk0ukLfKgpLp0EfpkkcM0EZcvFn
-j1JpB7rshCLj4PzM77fLh99H4cffL2qyzXqFF2Y7iW28bW/RQFxYwpyEnowrcRH/
-11Qi525SdKWRkb9QlTJqFI6wsWe5kmYO/kDqGUpGPGK8+XTRTFjTci7NPLqN+s0w
-Z4/b5SMVucBKq9sUm6g=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/pkcs8_pbe_sha1_rc4_128.key b/tests/data_files/pkcs8_pbe_sha1_rc4_128.key
deleted file mode 100644
index d475ef4..0000000
--- a/tests/data_files/pkcs8_pbe_sha1_rc4_128.key
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE4zAcBgoqhkiG9w0BDAEBMA4ECCLhzdwnOXIZAgIIAASCBMG8Wgfn++CFRl37
-FdQZ90pI+u37yj8v0kFd3rDaDMurEftf10gWwTbm8R8J0eK1edIAHQabkgsF83gD
-yrxKFp1zhHI1t65gPKHcirhx0t9XuClxAOzEme//iMaw/yf/IKYo9NRqyvA6BKHW
-2h3J4+JSGLSaCsRUyzhoL6xOzF+VX8zE8PI11TcqfJe7TGs/9G0Pv2XxFpfrG7pz
-nz5mkAYdckYHcu7+CQGJ09ZUkblV3MYKEEbq5xXEo4Kku/n1YNrh6BEWMLo5XgOU
-YIAkzhSfnbTt6QrxM+90b4qwk5amrC4w1jUu73ZzaBQs7fhx01pR2y3zTPBD2Dpk
-G3iLprgEFqsoGCCOqqqEiEF/xDREZEPW0es2RruQ9Tn14LbgTj5XVFI/wBcvp9uZ
-pjS5chC0/CRbGcRi47A9vx9bjgwiGCDpxx0/Kn68uFCaCeGOAQ687XxAn1UHmBD3
-esjjb7S16ld9rSKV0oXWugUZKFdoq87AHY8Njhin++biuAEfySu3iH5ajzZV9dEj
-6JHVwotuL2diVu7NU8mIsfr1kCJoUxIAbWFvoglWNmTtaIBkc5ch+kUTsz9rDtSp
-lL9fT+wzjN7Q7lyRfIhNOheg2xF9huwF6mqnSlDfvwvEJ8NsQI9+CeooI2c1Zc0a
-Bh/vDvCzov8TE+1Ma8CnrbaM/aSZ0FIq6PcpWSBLXSDXbLwabEEOLoXQXogOZsc5
-0sz71l5c8jJPlzXxFYYW8CNuxTsUP+hN2oWvbmL5YLq8P+1tw68jcdbqhTqoqrW1
-pGEXd2iMRUfCTDuCM6Bn4iIN80qUqqBAuoTC+zCVHnI7+ygmovhf/ykfVzNaDSIW
-BkDsmZoH6bq3F9HpvOWggh0yK/l1b1E4PDQ6hq7qWNyJMyjYBJEbEdd9O3GW2qev
-3ARhb0yGulxYH/h3yp2mIfxL+UTfRMcUZD2SobL+phLR/9TMUi6IaHnBAF85snAb
-rbtAKCp9myFLwG1BujaQ18fKQFgcMjbJY3gLIz+3AC72irLSdgGti2drjP2hDGKp
-RITAEydZXIwf67JMKkvyuknVWMf9ri9tMOZEvohnU3bW4g9vkv89CUtCLWF8iejM
-fKIP5hjHOcKRLvvACFbgjYCPt8iPCcQckYe+FZI5T7zYsyQQ47fygS1f7MWZblPJ
-UKAm8jxWUyySvEzIMHkoZaHtC72OS/L3iCjJ7mkKSZKeCDAzSEJeeQcOl0klVCQ8
-0P+mXq5wtGakW9MKLhmsOjUIsyN2f3gCO0nESYhWD+3EKFLSW7ZsHbDmwqSDh6bn
-blFvlQd7cpfYFtlmbxZFcv/l2ijQWPHi93G/0VIhFHxI6LegKt00bIL5iwyF3NpW
-dNzuE69hweTSKvOPqRsRnWyGv9dVLIaQPwUS+eEfsGGNzM9rbty0j5Bw6KY/uDgt
-blTfN3yZBcyEsdPwyiVLdi65zMzN8g4VVQBHFhXWPa2N4gJQVq+6q9hQkgFFU7y3
-f8MX4BrKq8ifwWxsjL2FawcAoDcHUdCZjt/HZ+9/rL3iQvKeHbDbqu4kxlrE1FJn
-0LHIB21qZIo+6r3fdNMUFkuDRBT9eEh3Wxlg8G35FYCIiOuIwB2ED/Hdnqtnemxj
-kjRXU176HQ==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/pkcs8_pbes2_pbkdf2_3des.der b/tests/data_files/pkcs8_pbes2_pbkdf2_3des.der
deleted file mode 100644
index 75c5734..0000000
--- a/tests/data_files/pkcs8_pbes2_pbkdf2_3des.der
+++ /dev/null
Binary files differ
diff --git a/tests/data_files/pkcs8_pbes2_pbkdf2_3des.key b/tests/data_files/pkcs8_pbes2_pbkdf2_3des.key
deleted file mode 100644
index a303daa..0000000
--- a/tests/data_files/pkcs8_pbes2_pbkdf2_3des.key
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI4W7G1sVqHJMCAggA
-MBQGCCqGSIb3DQMHBAjXOQ/kHb9EVASCBMg68SwrdD/DLeKcPtCkE36wHvrK6wi7
-CjwFv2U/gIfNCUNXBZPI4G7voL1XOLJ8h0WWqlEraHo7zYWI5Ky98SI6wOpDGDzo
-URvavOVT3Ry/QfLtt0GZvELmJb6qO2AcL1qIDULx4xXqb3rI29xR/xVaCkB8CGSe
-JxU+1TbJJG0UdVDm28dhO8J4qgBpj9N6M/e8K1TIu8ty6IkFPFumTN9zMV9VXRIo
-Ajr1RDIiFXCZ4ayEnja2RIZwi89rn/iC/QzfsqQFr5axw58wz+0/EfD/i79gKoOX
-jKBEwWN44LsxJW/ucy3pm7xRurwZvOQZIeZcecVVecAaHmCRFfq+VpSnU5iDZEDL
-0GU+CKXW+zDnuIfUc/lx7LWjFyqR12OviS2CdrkaTKSVBAEYCFQdGPCp51WoZMnE
-uaKkLp0y58e5J0mHx4kmk2saAacdO/YolHjkh5zNe1Z+sORwPEo4ruZY/+wem/TG
-KFQsVjH/jAsyQFsyXaOrQ4QyOwxw52Vz6b7vrffaTdnKlyvJTvebEbhNiNmt2Ni+
-wac/1VcedkMpUrNmpJyal6lzWrVQmW1Q9qBinxHeGnNHk2QWTGZCQCClxDTfPoE1
-HC85cD4h91eBV4fiQm/ML/WmaGAQGUiTlX5vESJG1pKYXGqv1cr1pj+MTjqfjApl
-KOj93yAvx4ss42onWe9DPOBojSMuIzEVZOeq7mt7QeNpN9unjsDVrvq/fmsvIBb0
-t5HFVX4JlZoF2sfrwP0jEkyHxlk0pZZc5rbwtVI601MolDzjTNBcYbUB0IUlIj9f
-mM35IAFWZtrXXv3k5ZRFQU2jB7DFP9zHWsai7quhhduvt498rNxiWu7YlAQfhaU/
-wVK+3Fca7AGrlQ8YmzV0uOwoTMvKbLNwiiIG6QsgWRhmOIwHdNlRvhaZl6ybRLty
-ppMaqlOgDu88/8SMCce8yBderXW/0QxCZjQ3gEDufqxjC2IelOfEbChMLIs6p+9B
-qaPtji3TxOscQZMD9g4jYXUawHSq55B/MegD5sfvTl3ql+qsQnleXDUz2gJ+MBlH
-Qp6HZMs2woAbvFyxAXSUeKAOZrnW1TmRNmj6SwtE9aPmMwSYxZtTukesl+CpzEqi
-BdBZia3Yxu9Z5694Cg1eXoPIir6u6svZA5OIpEIUDIUPnMmG9pjxQ1xK40vyjdMZ
-+9uAVdGX118nuwZ6Al4bfrPOOmwII2X1xmfFGG3rbVHVD9dIGJ1HGWPZio4F/eai
-kfSYHr0410JRAOvd9G4vrH6rq/zE5QcLCmXyH5W9vF3RJDAK4ArcaLF5RPY8slEJ
-NcZ7XTcKUc/Tg6VCMo3agozuzrxKCX5x6rvn0COYgdU3ozTO72dJlFQY2KpJP0n2
-RWWjdl2r7XYVRoQJd5XaZ3/mgJ7FtL42Rh6+vjEJLezWgUTo3B4Z0WG8WIp4wfAw
-d4qbAa4lVWtP++HZvIqOPaL+nZgFS22ygtoIVyYDj7lcqH9cdMsaMrZFAxisVQK2
-z2DnysfLg4dkdDuJjFUI07QUPwqjfRVKC8Mec45j9zrpuzu82zQ8Fub7ldtECsby
-oq0smBG1vd+ozMPnr3yvU7X7jaaM4toW+dG3OQxnUO2GyB/BAEamOB4CWWbKSfy1
-tfM=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/pkcs8_pbes2_pbkdf2_des.key b/tests/data_files/pkcs8_pbes2_pbkdf2_des.key
deleted file mode 100644
index f3a2d0c..0000000
--- a/tests/data_files/pkcs8_pbes2_pbkdf2_des.key
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFCzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIE+lx5z79hVACAggA
-MBEGBSsOAwIHBAjrWP2/SiR7cwSCBMgUgnI4/ZG3jidt8TZShsbKzxQ9bt9D1URm
-8FBTFMk8JRowaXZyM2fx1/vEUlvKHIwpytOYO42py0lDf2qdn8iIe+8V2GLpyGcL
-ifWGbDt/ctEo2jVgWT01q2PfUEirwTPTUaDR5KBjfMjGM5V5c58fnTQztAFaXFmI
-VNkiQCC6AKCbmlblEcjFGBlRGgV8sOWCW+JaR5iJNdT6PhVJzJiQrfR819fGSISj
-0N0Wqpj3VA8V9BeATZAjvofBCwRABDNsDqRhjgx7ZEVz8C6pNK7Ck6ZXEjXaWc12
-ZvkzjLuufZ5B7klvgLzfxEtvZbQJmrQddDXZP9ICykP6D8W87EqEgk8yoxeFioOm
-0/edj7AVZ3rxbxpUUHJUiYDLNXaZTksfYhL0ZsB3cEL8VofUa1K+66N/0TismNDR
-4KSIjuRausXf1WJ1oh5B18zvnl2jkzCpwISf58d7UeOny3/ZR38B71EuaXO4r21e
-BrG6fi9VewuUg1DHSYLIJErVcfNnVXHuT0EzPTjr0vdTUguzDUv4/YFcpEDk5jnQ
-xJshBegjbt5W5gY3GTVRlyWqGKyOska3e2u4Cf7tZtP0kyy38JHLkQQXgj6dxseT
-lCIipBDJX3gU7yJHMiX/OpLcJuEMakRrpWLrB0vezX9oW0weE/dFzZeiYyo2K/DI
-TIFiL6FDuLUqpcYjeB1M+wbqs0f5ndXThVYi2/j73z0dwCI1WwKZH/WOdTrjYKxi
-0oiLz7pHHaPoMRymWCKTwQhYnqiOXZIpfeOFcUY4JKDzgyKdvU7XLPnbt4yxOlJD
-yAzX0i+bJjYjuG45XHTS8too0GFG2h6VFvOYAQsiq1qOnxVqVUvYphZBSz7D8Vql
-lHXWp954AhpfUQK4mLJq/exjUIGIZb/QxbNWNv7mTMkBQxGJ6B/1Vjkv9KC04KLe
-/JMnEZD+Sw5n+5j8qS6f7YOfVJ+Hqm04M1S8cc7JD4qMufLW/RvuKyBLb3sCn0Ue
-D+uiTedxoJR8nm6yI0uZ4d9RpRreca0PPt0o+DhbrDWyqH19kafN7I6SrDSbBNUO
-wiGBbgN4Ur9rPbzapATA/X95y+Q3CFLe/wcMLcLHJ3tnRCUo17Fx+APmrAsyBiYd
-9ulUq5WcZaw3pEDpTqN+0832UOyjIwpLyVDLU5jgW04vbW41o2SW7fCa7/QxT94p
-4PEAYi2MltPYQKRO7EOh+iUOHEsc8UDb6x4i75BcKhuLwZ7nmrwzg8ZO+TWMuzYb
-McJ11aZ42hN9U5H65FQzaZhAAcOqxTffQXIdARGlfvr3lTRnO/RQbxyObEqGeMHP
-XlDzvIMdB6b0RG4EBfpDFUpWf3Mhx4AG3bGHPjUXXhNICCMDdI49d0lNJ3nkF0nv
-JsehmIOY2U6fQBEnZhn5D0rjU+nUlHvgKQKhs9yIym/K+KVUznJW4ygwFiKXysVq
-QGqfn7hbBonYqLkGL99O9JyKgz/RhEMC0dKtgu6ELYJJVWnkJGTIMkp5a8ID48qW
-RmFJX+v5ryvM9ePSUbLizOUddsXycJpGsu+Am5H20cTPXkwxYtNcu49eLrGoXf7E
-/mD/zDqFryMK3oUBHnBJf0k/mMnzwfgHNveXApOSbflvRx39652Wugd7CxcOrIA=
------END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/print_c.pl b/tests/data_files/print_c.pl
new file mode 100755
index 0000000..d0ec137
--- /dev/null
+++ b/tests/data_files/print_c.pl
@@ -0,0 +1,34 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+
+if (!@ARGV || $ARGV[0] == '--help') {
+ print <<EOF;
+Usage: $0 mbedtls_test_foo <file.pem
+ $0 TEST_FOO mbedtls_test_foo <file.pem
+Print out a PEM file as C code defining a string constant.
+
+Used to include some of the test data in /library/certs.c for
+self-tests and sample programs.
+EOF
+ exit;
+}
+
+my $pp_name = @ARGV > 1 ? shift @ARGV : undef;
+my $name = shift @ARGV;
+
+my @lines = map {chomp; s/([\\"])/\\$1/g; "\"$_\\r\\n\""} <STDIN>;
+
+if (defined $pp_name) {
+ foreach ("#define $pp_name", @lines[0..@lines-2]) {
+ printf "%-72s\\\n", $_;
+ }
+ print "$lines[@lines-1]\n";
+ print "const char $name\[\] = $pp_name;\n";
+} else {
+ print "const char $name\[\] =";
+ foreach (@lines) {
+ print "\n$_";
+ }
+ print ";\n";
+}
diff --git a/tests/data_files/rsa_pkcs1_1024_3des.pem b/tests/data_files/rsa_pkcs1_1024_3des.pem
new file mode 100644
index 0000000..1bc87c9
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_3des.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4A004A85A2D2D627
+
+Ls3vMslumxSeBR4o+oncq359q0k0rDTO5FIFxcw7psy6ggd9Vpr3AdIq9qvevmuB
+2t1KtlcHoI+Wi+PkpukHCpCvM0Kju19PQuNSvn6eFtR9VOwgk6x+j9x9ZeZp0Qks
+BgsGzGubqdN3ze7CEwYGM6CvVpoP3qNC9hR6IogZ9VPTjZ0vM92cm4foSDSABxGt
+Q37bLE1OKOfcCTvqx7/r+4U5Z47okeXvOS/Hf7yzayF9ZHuS0hCr+jGWl7qBWNyE
+Ze7ITQ19RA7YS2nlvCvq/8rfduQsJyZTV0gIultM3tZ9qNwr1i5yp7Iq4U6O8SGC
+cR/95R0Z8PMN2DSXoMJBsSRbK32r2GXJoGjvg+4R0UoTbc1MhUTtsoclIz98lsHk
+zVxgPMzk4mEmQGaKVp/wa1ji+9joTkcv3cALHxTtNcE/dElAHBYjjJ7r9V4uAv3t
+jay7R8SIPPh7iyuY4NTtDA5m8yyBKt7v6K5hb2WhT4aucWXHYTize+TxSTpekhrG
+J0EEz5zhWsrLhXHV1KcGDIHVXlMnu7LCGyVNFCWKRBXIbZaujed0xwWgjfXKbkYd
+MKePX76g5OyKFGGcv5KUknlQJhoRElrSz6pywbpwkl0Xqc1dusy1sZ9b5Uh6zjNc
+r5sBvj1k7iK27bzdEuL1I3DEcUdmXLNF3dehNo4v5WQL5iBePLoFSxyL8EJkMQOx
+fpwoutPzE7l71To1zmE3pmFdZbEXTfjcfqkRy9b4t57gUuo1UEhYYxoB0D0i+BkH
+T0ZmJl4Qp2euaaMqYYN2E9FJAyrmpwBMvtgs5oprXRR6geZweT+J9g==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes128.pem b/tests/data_files/rsa_pkcs1_1024_aes128.pem
new file mode 100644
index 0000000..f76290f
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_aes128.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,BF176C0F284E2E5F3D50F9C82D9CF950
+
+AS/03rvTNYSsPzqtLr13jwrSOVaTUYniMzj42/4psKVTmrI7Kaiujsa2bjI5Ae7S
+HDAumVDdRCDO/AV5qL7iJ0iJ+PqOh6aL89PktcYjkgx6XK8FDOq1wl+dPLjmrsYn
+oRyRcEllZigBZRbYpnuKZOQ25vnHxGeZ5A4dLm3zUXoMnNXs1h0rPDix/Yd2AbTh
+p371Ac6LC8i3KlOIvjlzCFaOWQNwCkffutXDb+TN86xF9+DkJ0bxHhWhHvf9+fI7
+XJFgLAeCpIUMCdhdqwVqr4Y5X0NBA3spmftK4iILn32+RHfLBshRwompMD1mo4Jd
+ueEY2P57z7fNxeCaHww7r+OUdZbySauuAmwWHEoA4NxDXAX7c/1/PoPKOI8Y1OPB
+00bKQtzGE+FSJQjRzK/n9mIZQFS0A+H54EZ1Iu/ojTpEzmzzE0TR+75lZyfqaf9D
+BhQcyjgkwnJpJ2S+u/ssJl0vpC4bKGqs/r3eWmLJQYvZuPKPqorCAUab/ta+dYfi
+gxD1DjBCdosbUOolIsjJfsejSuhEQulpaI61DWeMMap5UvzfZLLrQ5kJuibi8XqM
+oQioenXf8gPc/FOFiLAAzLKtNjmAgD4tNdA3exmkHwKj8ds+HHS/2FmF+oJ2LR3O
+tmO+cov3ZReOVp7wzR6lctG1b2WoVRu3kzwzoOik+SFBnR1v5z3uEggJV6/cyfKm
+U3KzhOkrghOjonAqw9+H+Q9hLO8d76cDAwyDB3KxLO9yzdpukB3f+wS+RgaTdrxc
+oMSiXklsO9Ro9NIYzYKABjQ1tDLeY8SOOidoLJrrXltJNDKZSVLR3edyk1rZEFXf
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes192.pem b/tests/data_files/rsa_pkcs1_1024_aes192.pem
new file mode 100644
index 0000000..c819c02
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_aes192.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-192-CBC,B83D6A5D09E192044299B9D06C41BDA7
+
+DQvNvAQflmShH/6aRopfKpdKCerQBAf4RYC7+MZLYaUxXUuUzFuIuUyEmNbgsvny
+ARfFtjCL07e+SGJ31hdR/BM8wWgv3v5P5+VyAnd64vUP0R2mFl92CZVxzcXw2TAf
+PbxDrgmiFxv9WfUsa2aDkDhQjKYb4qlLv1WFc1UM68jLiL8W5UBWKKQFnCivcORD
+GlsGTSxMq3YXW0QQQ5x47/4uWaXROLnIuRW7ZSeCi0wgG+RkBW1yUH6plhhSb/Aa
+EnHqsAlCMZDLwrkgeSnmsMSTpbUcCKfiZmJB5sJeJX3RVwZ6l04MHMBtWh9b5fIZ
+4ieSeDJfHqtUgJ9ie8JcLHuNsUxu5Crzjv6yuZ5su6P+YSMsNhHtOBUXAaSunRh1
+1brw1eG7E6qCnRYr7YyvtKhppDXLHf4sB8tdumTCHhBdxxUd49+SrmY8pznkNjAz
+Zhfky0/GKe+fTTMzHNjtw9/qhj0NllUpA6SyptMM1vWe62OkcQYSYeH81btdR22H
+Kubx1iYMx2hr6dsvM1+BWP8CmtD6wFEhIMBNKYcg/AWHA/NMpd7E2HTmviXBdEVA
+4xMh9fTx0cJ9YnNBuVgNNPGSJJLa7JGWdfdCUpTY6S0YEvTQw+1letrVbW3xumW2
+Tk/G/dS0t41QJuaW1sv9DkJJcl1696PSI4ysDJx9Y8LtV1+DzvdlxSyJdg3mJHEL
+qC6bCvj9IhjLsrTDWPuwXjIPl2ycG5FGtAn79pJhlDJzKJZKsbzmQJAvD5jj99l5
+ZiJ1UkmVdsFeQLxU9hsKD2Cvpl9/tdhUvLaZ0UPl43c5XaBSwcT9eztiLUXGivzc
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_aes256.pem b/tests/data_files/rsa_pkcs1_1024_aes256.pem
new file mode 100644
index 0000000..9450ec1
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_aes256.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,28A56EB102CAFF494BF4AFB55C4ED52A
+
+5yOXbxDDgomJtRFC9iBL819dU/vCOe0JlwdyQOQbagd1Efj7oErrMuVZJOl18d/o
+2G6OtjqlynzoeqkTwE0yJEyRMLz6CIZp0wHGoDMyT4Oe86uGh3ki9ZqIWlgxt+mA
+7e1RApFnZOCzmHCGZNCqdSNUV5G/cs7or6Gd9HvdKSCdxffPptE6FaaY8OX4737P
+pr7svylp569Secz6MO1Rds7eOPEjAZBJyDSah2AMIiEMJxGrZ662iFo/3S1MuDOY
+/xoDHtP/Vo3ep6D8Fp24PeJ4/iocu6hmhAIO4j+zLN6uow/Wu+D8kBKMhtrUtnHO
+AoP6sjkNOsMg7fbTEqTrXHkOw92PbZSBbwsgB5z6kKeTCYVDBHUaDDlOTbCxw+t8
+PH6IOrQXUIPl7dt2ilfLjqgzpw4T+RCYp1xgM1ZIsoCspUpizmMTPwtn7fuIjUHb
+copBjLOT4tUx7itVi2tTAMvtiW9mrHVI8xgpqSiTz2Hg4uMCFlxkglrwp1yIUClY
+BtMGL7qA/l/gmhHRYDpkzf+ewuTeOImyyfEnAawVT3+G6p3tf/Cs9RVgUCnCrFHa
+/BuYhGTtTV+R6F7+3yRk/XORp9R3K4BbgWHHma2dB0zYIFDXYtlrODUyQ362Tv1q
+JNFis2PbtNB7DRKrB/KtteWtg32mSaTL446a0HCF0VpFB/nq0wEPCvghed5KYHSR
+PzoegmnjkDikgid4O/RhcOC5+qEykNalddhQOY6CxJEwVTAviHbQAyW3eP1AnIa+
++Ifc2o67i57bkLLlg0pqHITlz1+g7SWDj7Aix2Y68zWZVL3n+e/wzqbdYqMVxiGz
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_clear.pem b/tests/data_files/rsa_pkcs1_1024_clear.pem
new file mode 100644
index 0000000..2d1a176
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_clear.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCvBX05buhPt1/btcKxPH/lplSqiqJHC1Qe4f6wsS0lx5cRUxJJ
+4RKWKAQtu7bBINFENSTvTA5uHYlW7rIHevEjSd3u5USDvAbCxhlIzQKyAueWrr2U
+06fL+FnCwYGcMky4K5zTTt4mOiq//kcz8HeGnoZg99aDTaU9aQ73mF9rwwIDAQAB
+AoGBAIdL8P/C8qcdFGcd3QFxyVTX/b9QKB5PbZnqDh68+C+qWOe1lf+yk9Gr4X8R
+CzfEjMDzbDfoTYdmIdMn9ku+CEV9PsQJi6L6CjGfukEcKEHte+gxlqjN+dql0AaU
+vDNfxMMiF/4EiLzpy3IC5ZRoserRGQAEd9ssp5f6wZ7aP1jBAkEA4qt2CEG7nTCo
+HSIt4etzgdgiFEB/G5dcu/5OGpRn/ZitvXj2B4Nspb4ZKLnRYNl/1FwS1rUuLJhx
+oXTGa0iBEwJBAMWrJ2AhWa59byDDwu6FHkbcES5onijV/Lv5kKme+KkLi7RP02Rn
+5/wXic62Y6vaM4ZSw8c/ERd0kC6EBWWScJECQQC2zb01T331eaY7SLNkPjU7hImH
+d7SLFflOC/wFZ6auWRHVetZAnPdke/liZOm9h+uV4mO3EQuaH5+UrM7Q+vpNAkBx
+GV7sN+jSV97PxnKweuY58Qy7mwxznQyAmWjWRKlOP9btkocHehRYPzeQWPdqiuzU
+PGLcjA9BdmZQ1yUnWsShAkEAuzLRM+3C4EjUYziLe+nLS+KfS2JQvmA+cONkdQHJ
+fd3iCk5xvpX9XnF4TiWspLryW+Vziq5Zu/4cmXeBRHorJA==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_1024_des.pem b/tests/data_files/rsa_pkcs1_1024_des.pem
new file mode 100644
index 0000000..9eafbb6
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_1024_des.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,B23EB871129DD92A
+
+F6S1xLJn+qc/BVv7/0RjykUUqvLR12OcChmOFo3hboC5omWrmPzhhy1IS9XuVZuy
+1gFiqMQwwLcvp5jtMvWTw2kW9zKVcnRiuzlc/wV07bpYS4YV7chi7aGp2+5oUhvV
+Ea9HgFQbx6ZYARk/bcFpejLsptiUBu2gNyy6FC+Bwov36H51y+f3tJIl51ImWnGQ
+R1HMDtLuzHTb31CmWvXCYf14IT3gowxvpO8smaqoYOIw4XeSzprBKMgqXL69/qjk
++et4W4/zG0p5R4WlKBaReXJ2C57xvSTmbaqbCjIYroshlPo9csPAwFtRrWi4Aqv5
+j9OELmZzgK745QnL3IkqsjQuS+Luqg8s4OFifcwBLSVpo2pWhdJnKk40cai8QLpr
+St8e3BHGZPdxacC04cTc8zN8Xr7r76lZ7h+ppksx0uoTV2U0+3caMqyyByuF5If+
+RUYXOJ0Y2jUMUYdid3k+C0bn5VbChFCxniv10LpJZ24Nt4RKEYy+2VhIQ+FuAbQ/
+dSMJdqBP4TTBu0DzCmqaGvgjjKLTFF635hzP+cFvaFWhVOY2v4tkV+4zkvBUKzss
+Ef3ZwhDses56/KTI54GUJqWxNK+a1ekor3tr1IUMPzeaApzUSRXusT62QMBOW0q9
+8lSNcAywvWrlcZ127J2zZMrk0SKo1jNNzYKWt0e9XpqMWAq07SlUL0MJCt/KYw6J
+1eXT+xE9H5FEZvQkBFCHYyAyq54P3yrWV9y01xi0y3ruBf50i7k/IrAtE9c1FZda
+2h5qh0GNAEiGRr8bbh3A3wugidwAVoHQeuMnAsShf+5gj8Np7W9kEQ==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_3des.pem b/tests/data_files/rsa_pkcs1_2048_3des.pem
new file mode 100644
index 0000000..ac7ef3c
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_3des.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3F3828FEA9BF197C
+
+30fgMPEIKER2VH64TsY5lk8ICdP0prc+UiW/tjbQL+2APptirB5SDRAtuwTvbFRc
+Da97zrRwrhhGxNVobJhhffQlyB6vhM6h5aq9dKwD3auOVFosOm0xdiAC/tv+DqAx
+DIZIhYUB5IeleQ5rlDJWoReUeOcnB+d7VP+Zlc1l7zDMx/3FgOyOhlq7dufNUGnY
+n0tZWKItiV7rOYWTjbDu79BpG52VyHf217v+DeDSugom4FIWQS+XwIKg7xvEnxn/
+vX9pgiaVfXlfZLfUMhKIP+azOIm5BdqB2rklCpa17/7aQ8gQid3qolOMObWfnBcr
+MWY2BAq7qSkebPydELB+ULgGP2F7Xdx41RfsAq8RNyVITx0G/NDkYELx02M30f0G
+8FGAP9ft1m5DMBbAYBUhZHlSFZ/9G/gWa/VskSmjniq83+RO24fXoTxYUx716z4S
+NmDV6QEv5V8ZgLtspoC003H6FWTPXuDim8UuwJeGJ719kXChT2imMeAUpITuoC81
+edv2Yf4sqAqg0EqFlsW6Sd/1k7+GZKfW0LgCRvTaqYoZp0ey4wxFoa8jqvz67jKA
+H4nywF2gyf17wk8CM01gXcGypyQcNHrqq7ai+Qr2pxyw8xNBIz5PgWmJ+3Etef0G
+hy/tHfQqgqerk/ghiAnDJH4pc048BjFdXfoIr/gMGDM5aHBDJpZuEAmhgC8PMDmV
+NjG5TxzRDlxTH1dKDI9SkMukURy9aYYVJgm0RA+Ehn6NnhZrdShv2G4MsLmEZSsm
+aik4l71NlDZlAJNYGYik7bXI16Ou9cfU1JNT9+xZ8NcYIMFH7CPRPaTcuW+SgsaM
+P7wVw5rUP9+rPwhcZCleRaR2vkD4MRK4r4+HqjIpPzlBagO8FHb5/wxhbRXUQrEW
+r7F1bMa0ZlxIGRf+Tq2mLr0suuL2Rlvth6WeVVi+Il0VllO88e4cwA2EbPRW0G+2
++yuOsb5PRf63BF3FFVhM4jGxYbC+uuGg0qC/RoI60A+098MlJZRoVV4qvvF5tOM6
+PHCqsxIijXHp4/Vvfu//E93AtVSnPxblXsUIYLx78NXMMl1j/i2PHJpTvxhGICwU
+j4WUKXT/TQISYrfNiaqc521vq1MeCeYRi5JnILxvMz5UJIQ5ehUQJ6aDxN0OzZk7
+qGFhKD5K91X2ApoE6fq38fxYkh+MN3mjD7uBArQE37TxtDdX3+l7kcxHAiILQUcS
+TIe4qYuyxHzuSlt07fkVWQg8ukDdHYBy/vL3HjDj+fuKATiSXbOLP3s5QgAiZQv5
+yzljGNvqtagxJMTjIeD8SUbg2kFwS6FR7q67S57jyyikSkeDKFXjOg56Zb8gEoBU
+nrzTkLICntwdZqFpITklGfF3tZDIWWgbYZMqEOVk+u6WQWv+rBlXfgyW1UbmcgOP
+yoiJRSvqtsVwY5cSyuiZcm4Py6VM33ad4/fd4E9W3HQL/axHfdUzN3YMGOsd/PfO
+AdgGl81+uIgttDOjj+X+HF17gq3jZA409MZEyyBXEI1QXOJE8EKOVnzjHd+nO3OZ
+GmXYWveeyMUrZba/VVoVB5S/wZntL64GHd+GqaXSuEgjmqYFTPgsehCUYoHHxxeA
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes128.pem b/tests/data_files/rsa_pkcs1_2048_aes128.pem
new file mode 100644
index 0000000..4b9578e
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_aes128.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,4D279F635142BFE952A71E8EE6D14B0D
+
+6+qW0XUu06eXe0jjSsmRGySu1KXnEjg+682sUbxOk//2YitaMx8wMQqRQvT9Uusp
+lW7tYOz47wiz2UrJXKo8Rxow3B38wW7vwjh/Xaw4m6DlcID8Ho3ubN1n9Or9goi9
+Kg3NYtrIWac5njywFzf17TIlxmbHg3wF98c0bKRInBGZxVcEtbcdRiM0ZSst4IAm
+xi7vEwHHyo7d3cBJoItJ/1kELqHmwFoWZj2wlXCVEHUU5pFfK5WY7uq5P9FQFBmI
+et0IeCCdysZyRmS8Y6BY5cWv2u9mccIvvazQev8H3W8hQ/LS418yYenqd8CAuvct
+N0tTpVhV+jXxPwV1+F29kpkburnHrbDN+ZUIVaAdea/yNMC+bcoEypnpT6D1m2ig
+ouV7jecJSOxhaDh4h1JccR6Pu2DOWTDpn6pxUrCIo4+2lVbLXOeDS8ClhFf5VzX0
+D+5ZOAdm/LSQIOBXBtqOJ2qDBJINZgpQlRDvo8wDHchslDChTNKdvzjgr/hxdPeE
+tAf33lXR0TgqX2vhwbpjqMX2Zi+7VL8ylcjWITdderiNDueDpy7UN45f+0DVhNfT
+JIleuqNl09tL34unugpM+QSzgJ0odHpZ1VXkr7zgSFOYau6/drlexS61KXsqk6x0
+rs+n9ssgVqS3HCne0l8I4VOejutBLAVGOXoz7EC9PtS+iYavetnEcqf4SBPHikrn
+j67x/wz7jlEsSCyYA8SfPJY1wcKgfKaSU+w2XxAo5bMBjb3QiBYRSvb67q+DtO8K
+hUnZMqdbvzFIyXfP4/5WGhBe7ho0dQrtVT+PcCxknMMQ+kyQp+f+jbddLCvcKQFa
+Dlvw4XpMR4Ee2ukkaWpXAc6ES301NnXoAwlvKAkThfRDHwGckGfiEIunEZN5l1TK
+0X1tp21gUZYE+o7SZNI98Sh2CjxIQSKdA212hI3A+2mOwqBNoZcoDBqrvd2cCoNR
+xDA65eV8l5HrDAtMHHt5wTHzcfMik1CTHwL0/O8izQH+fTHKw8xR+VEoGbbQRkAY
+PJzMvehkVkc7e4K22nXAs38LARUW0D77ppR78VV2d/D5FCIXrDn58pi4RjjnQOO4
+yoGv4snLhnMq8bYQ5En9403cbMCJBYp4gvC09xeNNkL6EKoBjpupSMrZNn19VsrO
+VkACjifittw08/g5ncuAAO98YHQKmNPTM6py707dMs4L5jTOcLHCqo+fo+Wnx9Nx
+v7JmWNuFwfG+gIBIYIKmW0om+pcxfYMsry8byIUGNj5SnaGtl5kLD67Lr+LLJwBJ
+TNbGd8auBVtroIjdGVnvwtS1oM6eNXogL++sD7NBY5GdJvOMVP9X0VjyfHd+byjL
+SfTAJq986dSO+5262mRY3fLsKCeQ/quIvxGsJ2sdRoTFXyKFUu5etuOH+40Yhivx
+SnyUd+mVH3MF2sWpuBRE3Ny87mmE8CzFBh+pDdVpdvb1I387wwhpcSfW/6ila16R
+1NSvAFwXMeZkxpZZ6hn1Avyc1VQi0fICjKCR0WYY7+Fl3Uv9uXznzuv9COHe2nmu
+Giom0TSsOhNeMq0N9AbnUEPAhhIEsaMSZAOODsrvtbRijCcrCkY31EI0O2pT0Vgg
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes192.pem b/tests/data_files/rsa_pkcs1_2048_aes192.pem
new file mode 100644
index 0000000..a9585bf
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_aes192.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-192-CBC,9253446D0CFFFA0AA50C251F129E6148
+
+CrtEJsyM72x0zqFnS3qGqTF8JtaUgKe7EkBRoDt5iEowPZFjPM6QILEsBQLAcG4J
+RKi3My1S2nBweRpEvTYZHHzHXsO4UyTCNfeIDl7F1lJ4lO+SB/kBkjAWUTcdT+h/
+x5F6F+dZDMKgYvDjvvZfQyl+x3aDd0y2ZqWQWJEvqH/uGQK921d7sdDFclwDVrUT
+YWjF91KNzycRaOvTHjX9X/bW4UZZif9KTZSKSr71zOX16YHU7aIWJH+OPD/DSylf
+dbhZAVwRBlCsUxckkReg7u13D93jlOlgP0ufvpDAeR1y+jumLOeWddiMBtRtFUPj
+IfS2RPcyP8NQnv09tru+ra6KqRJnT6SKRGS3/+cgXGIirwNz0PbYYN0BCIOh12Co
+sK7gzCbVrbLLLSLuENsC4NeihK4WBe0NqZDU9BMqZ/ardjwhiT2InM+hZC+HbltV
+4h2k/We2LSP3rAU9a7v6ve7U4OI1kFEGn+sNPuDb03C7IkIA3ThASh3gPq1nKs7O
+uWQ6SINnZiPXDvlqZiQHzFipF4OBRRxvlYyly7IBdbIfw46cT4dnQh9uBqSadVq7
+dUf25ouFP6uvnmaZ9gEWvpa5yEafb4+x4io4CLbHPp/pPIgOJKIv2Olh5biN8IhM
+BdO0surr+BHFogjjfh7p47yFNx3N4E+wc9wmEAzNgWijqq/btu6GxYkBltSwbh4X
+8SSwfWrRxmY9+n4zIyehFJ/Q4VCsVTz2meyAc1hCyi21XWm8uBSA55DHmGXrrxwh
+j4VQBzn6qYsWJPjvBfwluq0OOKjfniaoa8QiH3+Evmjyfs4wWaSDXOdxAZFvA8JG
+oqiuFPuQwmsFLxrVsL9UMPj8U++zHahqOWzCFzrd3LlUrEAE6NRrzLmB5RPcdACM
+cgoEgFRR6l81ZWOC+aM+vDyc1u15iOrYhbtgfeeUmj75nJQ3TLXDRv+BryRtP2Wd
+kI6lNUL9M8QzqYfJqfKzJ9mKEGa5iuDH1RcWr7cOv8xZtq+ZrzI3BvWMeYs3CTpg
+PFgKGg3uWvF6uwq6MQJIXU5K9AZtZE33oH0CQtDjSUVdrFyWgNmDgMGgMZlCeynC
+y/82/qCO3xiFUoK53sh7Qv9Qa0xtIeWsRrZyutyxQQv9Lq5xuiOnqL29TL+GVPJm
+/wztj2ElsxqPMgnDHJHjixBBC9POX3yHciDAiuXIukz3u6bsPhBfZKwZ6IhsKTVs
+R1XMadx8g4kHiv1GnbK0/jlZDC+ne1C5yJg5F0n3X9lx0KJ0tlNe2N2/mWeVd0Eu
+mIQq9fLYTrOguE6bSSp6sMzmtpm00Ef3GHSXsf3cWVOFRMEWGLJklDoPgPr/rSke
+QwLb0U/in/NOqmO1gfl9y70XM2zJDDDPrSN+SDf7zEu9Y7R6KmHsT4wbcC/LnSbM
+/TOodgWOBti4h9EybHc5udSMMSyQxBedAh7I0OkCyBDgXXyQv2g0ak3EgMMlaUHV
+8Gtf6y2g4Kwh5DPpJJIJ/kxgsicO6XbSGOm/Ya7i67MBaG3TBZ74B4T/urEYYc2X
+X2p8+n3RGXG6BKOQcXR195GWwwjxy+HI6hzXGO41Q7mrs1mOsUvk66VXYFFLpEcK
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_aes256.pem b/tests/data_files/rsa_pkcs1_2048_aes256.pem
new file mode 100644
index 0000000..2e396e1
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_aes256.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,44804F408DA69A39B0DF6B8E84F4F663
+
+zEIU+VIoZQIfjf55n7N2sCz7QOOZbVdvEacGnjOEh6NoZ41R4F+bio5HthVcq8qo
+hyKUcZaPm3+2AceL/xfdx00pq52GqYVl41MSDTiKwCBE8ulCiHmh9bMZHPToAysC
+sQlXWDP1FIcmILk+/OnorPLpsox2Is8CELgVfkd9j/ytCMA0TPVEqxqJzrmwp76p
+vP2MWS65MIoDFnLHcabHdZZQlTP5DdRj3AlNfHqUMIGygzs0vEmpHjHttOFW9mMF
+HIQ2x+Sznragg9ExjVgW4BgTD5SrXKAEDUcMv64w6VCE8Tox1QaWbKoWKEPMFBnZ
+HH7uVQJnptFFgJ7cKd6xu+TynEMe4X6iR5GAqPIqd1rhjWFxkQb7zCUy9PukFHlH
+uZ3kSLVGV2FDFWN0Hy1R0rfrEFOXc07dwg5lp6AXG7NziJoMChSS2ipAbXo2uE3G
+PdIw6nAR/abyZqtwlyZD1jO2R8WIXYiGUeeXhC0C7OO73J7IZnZox6bbVemFyZw1
+AKgDGjuaEbBC2jBEt3TE5/Aaefef+/nm7MENF9BJlPF465H1ZfFbE3PRf+2eVPf2
+Q/dsfxKFG+Ui86qcXjBjex5BvC2kfMqXumdoTlEx24FGFCRUHB5dmnWRUejglJ9Y
+QWfolL6ccre3LPYDSmGAnAzfSB8yCqtvsvT92NDFsSsO6KYBy6grhnvv0ieVcUh+
+iDQa5f80fB7ugitliOPPBzWjt5P9FDJJ7Ht2Fpbor0Ig/JKngyTfTRVjTh15PEMc
+kYHFFoeT9r5w/4wABsh6/REnuiahcJlcUadN8js/zrPPXAoAjZGfpvin0uv6haBL
+Qh9OHLSw/61J2EP7Jx1IL1TPBCBSsuNb4PLT4e3kqq6GVJNRHCMRpN35ytZr4pqj
+lkEgl1uVVeOgJYWr8jMDWrCh9ih6xBCxGCb7SSUmeRU7FUJ+ybBbvfsnMWn1TJZX
+Bee2PTac6JkXNdDgM/Pe+B/wCFR3clg0ptmr13hmLqmkbCMxkpCVCM+vPA01GNgc
+MjYIxTNxB470tKva3jWqC86ffsvvmZb9eTEog/cfCABscX3Y2ufYl71t49tIOs8X
+5AXE6GdJDCqJhyE9pDkt2prxeoDSh7tcDnxjb6JfAhvmNORrjv1hI9mmC+IT8F//
+QrqxIxBjgKszkFeG7dS5MHo16FCsawCJyl87Dyq+51KTyqeqsXBvODsNT7FnrBmg
+Hho96pEJQ4y0YqP/aXNo89fVfYM3hbdUS9XtN6xh4N4vXI6sNVS9NQzfZTcrtGAM
+H6IE/AEYp4htKeFUM+QQsPZI/EcgL5e5GP7BA7xrx5L4T94kHIjz69iKSd1zNKT6
+KhOWNsWzHZABOnpYQPvsjjDeIG9/u0ryXYGtH5dwX/z3VvIz2mQ0w14OIw2KzVYu
+KGUpGXRvSx+o7QYulVh1Q4BrA03bSaKtmYnCzpaKKslCBXxbQlTIvL2hlienA63T
+V9l9edsJCtzElSfJteqc2uh5oVDkGkgUkfmrY1b/8RHKKbjeEKHOEZB2ZxMTT3mk
+RGx6HBKoLSG5jC4TjjUcAIY0NAmJRLsabrBTDLBUqxnMZroF75Id9KaZHSa74x+Z
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_clear.pem b/tests/data_files/rsa_pkcs1_2048_clear.pem
new file mode 100644
index 0000000..d947634
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_clear.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqFVn+bKgHDTGFY6QU25+HlEP7ppDRC320hNPs91pri4VZrjL
+hOD4/N7sAoWTZiIOGCo5pJ+OztG7GA2B5tC9/cmdSN8UAXR8YO49+8ZqN4g9Ox6q
+91E42Rq5A9aCMkr7wm5Ym3cK9dZGXHVa4QsROdnoaIKpu3UbbjYOrmQSXXzEkTiX
+wMTIsXz8SclaRYNhHtnv6CKAIm1sTP4a3GyGeCzBW40zknNcgTqHo6J3FLw1AENY
+iaQEeXqTOxq3MFWm0HQFoJC4IND54RiARCo7+qJe+aqMGPwIIzQEXRIQVVcG3lvU
+8lUyTPpegYb2O4zdRrCE7GCpBBe137NmJcZMtQIDAQABAoIBABl8JKu3EWpzyvGE
+jfEzr0BjwWe8TybJVq7jYZO3l8JZE8BjhdxuOwP9s/mFw5UY3s1lxyhXR8WkFxFD
+KkGJpNoBZiCcNWkq+5GpQBUYKwiRRcPnlrauw06LLyuXlEqM86SyFBQlZ7FkaW6i
+Dco4ZLk/dmIsNgo9ZpO+92YLnIQumq5nAY4Mw6CVra54koDmLXorJzidAo2n0059
+K0hUUMgh4o1BEn5I+YPZOkmASsNUh6zbm26tyaiBnU47ueYE//+RPCTPTI4ePBG5
+8nGuRGebGpdOm9OO3IGgps80mADnVUI3QTjcwQlY1pEeaQ6FMf6WpfwFSzssD6WS
+lfEoVBkCgYEA0vRCLOvbhikfaKCnAkaBYlhna1BI32gPa4+bwCKupaI2Kl3uRhPT
+JB+I+fzWXjPZDq4JsuTcHCpP2EpfBi3ltXmjmmI742D4h20Cv9lPWItICn11HHcQ
+aV40Td2Lo96N8fSzwdgr0cH8fVvTEWaZiUMZpafypNIecf7UMMi7opMCgYEAzEdP
+e/zyTHUIUpYI4OlD/C+mCHGOGnDtVG5RIAPNOiXuDshGBetQf+GmCt88RjH5Gz4R
+LuYhOQIKObtMRzsgD8UbxBoRtmwTAtaX/e/rZiW6kEgplwA7ZV/7oADOBEqhf5Yz
+ublAtD1VS9zDXr6ZoTeJVmZ0VMlKXPd3wgnZ+JcCgYBgYQRS7bcwBl25OZzT5055
+lhY560Y/+5T/+W6ZS78rIX9Jv/x6u9f9awLz49Y0189Va6I2v2To4VP1Z5Ueh52p
+WderUzI1Yjpp9R4KdMhRleDmGgeFZ8hxu35+DLgduDJ11uzBpXfvr4ch5u/5xTxk
+f+mZy6+KKg2K23gqiatgTQKBgQCW2Amfmvco8jrFETlZK6ciL+VA0umGKOF3uUZ6
+h5QiXiPeEpFyiYMWC4BbAuE1TG2QalKx+QmLWTBH1UDMUKKqQnjwY/e0ZzXaoK/3
+uhRvh2iuZjsf3/H8N9ZNHosCrEF5P2bOvDdFYQz9SfWSntg/Lg1iGaHJgiJBaBOs
+2y1z3QKBgQDF1Fd/BqSCKA3WM0+3Bf7Mu4l40CKmzjFpVGALTQIscfE4kUiymXna
+DLWearAGdiGpWLD9Wq6/hBC+LLQXQ0zckITz3L2Lh5IJBoysOc2R+N2BHdSvVlti
+sF7IbcMbszEf8rtt2+ZosApwouLjqtb//15r8CfKiUKDRYNP3OBN2A==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_2048_des.pem b/tests/data_files/rsa_pkcs1_2048_des.pem
new file mode 100644
index 0000000..c296833
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_2048_des.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,A21ED2721C71226F
+
+KC/2MeXdBpU0LCzk1qh2ZkN4f/GNMR2iqyUYYqGdcXGe2tiw1ge21cH9+TPrwX9n
+oHFPLGstWmCZDpp6ogyDLR5YD4pcCYrVaqKtHVaNnkuGj2ShMef8ql7c+xcXpWDH
+ptya071WCyQO7yifUMj0KzSgN7evDjn7m94sbmBQ7T0hWhmKs9WiBDHqEG4zDsfC
+StmDtaXoILmmruCrVgvGWAlCTfye4mBaqXvFjNl4xATLn/Nksk0TgmFijrRP0ynm
++J2shgJGyHvwSgwiX7bkOqhJrEZqI9v/ob2slaG9Kod5NUXiHKxnZjdqcH6PC4i9
+ZCdJTLlNzBEGm4Pq5w5kqm5OxD9ScTfyYKyeXbWpkCJmU8HRkXm0m3DP8jRoF6Il
+QwMCY5ANRZ81sEzQQa6obdaXeioMaD1+CpvMVBCsu9EXVAmTiH5Jwj+xbtMXwjz1
+LNIGIlZg8YutLBfnMxnz9RFbz1+PBwJpKIDkK2Sp+Twh/3hbEfsxNrMl59urDyll
+9iO/u45sY6wVXomuHiPrclC32S8QW61hGB44aGwdYTDfpTQ4hRo03xuE3l6x3GFZ
+W8CPPReIsqv6m8bT2T8THgGDYmTJs/LOQFhZacTbnHi5LwVjNKyf/zq3TXBo8sTh
+O2mpmt0Qu7VWOlEqmwmAGdzgxmuPnJtbKpPhAQbqTo35usRd7EjWkgTRzTEd7yle
+t5ylUXQoA1DFO+H+VPmzzOo443BLhINJD8nhHKVfGj3VVpWFnZgDALhFB3pC+lpn
+5ESLfD1wnMSlSUmKCYbOF5zgmasTAAOi0gaFKW7FehbAPbDha5OyrmZWO6/USAqt
+3SrobdHX8XiEjrq83CWlTPDL98gL/LO2lv6lWoO9AA6t32Zur3oS6pjFEYTZtzT2
+sztUpGQbV5OSh7TSSoKRUHKl/0YqBeO/TBUBpM+H+rTtksdnUG9u+wKF7rZodMtS
+TsnIb4onpmmk2GZc5YkV36P2kDlsceZHRPte7Vi5zEZvelHUOmiamGtpXWMug9um
+lnRs6oryDFffoEZ3gHDetE0bG6f+pRtpnvMJ8VWOFXDnuei2Rv43HLtf5p02+ELq
+m0/HtvjFGDvro7ktYFNogpVgAfOwadBArSelmH71GJa/4KvUcM6Anx+yJm2adqE6
+5Ugm8JTaJTxBTHqv8dEKsyDN/5M4QcBC1AfTx3R8XGjqYeApHd0das7w8FdDZtNJ
+MK7Oqa2HEq3ChaV8OaiyHul34gR+NttskcQkgRfJX+LJ2j3IxVAqmUdid8LFJL28
+Rpx/pONcGJHjdubbZZ67Cldb/nUs0ST+HQ+BJbYZNqTeDDBSCIsye+MUKnqBIOl/
+30zEUz5WMe2w+c5BWw65aVL7F6gtKao+W93CQ4yZGbNRfiglX193BQYwR1+7QAWT
+78jf5WyYzFj3VU8iwZ/PQ3njCR9Fumm75xtIlAhHqliKg8C3Jfb8uZvSjvntkjWn
+ksgsLRF+/P1PdulaRYNcZAoYKTz9vYpVaWlSyOm3HnKpl2wSoJXrp/cHzd37FyqW
+z8CeXtMSvio2wXmadhBEEoc8QSY5s3/J6jDJaWUxkQNPdWZkDmVgDC0DUlfEdSqh
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_3des.pem b/tests/data_files/rsa_pkcs1_4096_3des.pem
new file mode 100644
index 0000000..6de58fb
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_3des.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,08A2EE4A627B9219
+
+BZXLuKYuOupeUZGJPIIiGd1dFXaBiFNmczkwjADQeQPb5rzf89n2d7N1442YkJ5q
+nIvyHoezi2er4bhxUX6ToftGdd9X/WeAbuW3QfzlLccf69RgLpKjWasKRlws27WE
+ighuRsgPK+UO2CzR1PSBi2OIRdAsUFhUx4IN1oSMPcx5eR3jglH+jrFwv7oOclmz
+KBWxAKBguVOFpYfbjy77Oa1sainVFIZMeXOqkOSggfX+kmHg9Vk+AgkCAhM7iy5m
+u/2uYjL1Fp3OUuMcnjWG3GAurKAfquWcifF3GSzH6lLyJllC/RnsUwB034J5PHB0
+KrfHipJyIqFSj+lOizDteA65EoT576+4VOpts0aCc5sZeouQS28nyOVKbOtaAXJL
+seQbR26RoAw6ngD8JZAFw4QrhekKRPKzkTq8s5E8QplW/Q+G2P4gmn7WeKDQGHW+
+8FJtBd3kmzIydaM8TkdgZOBaNPAvkRdJfPcce1xdhCOVfI+jM2ZrUjGNjGlVChLv
+P9cKwP1KgzUVb/jYEboD8d+ia3xwOfB2sfNS7mDoTWeJzle7zl3Np2IVNpND6zpy
+eP4sTjSMDJNGZI34aGkGQEBCznX/ssCT00CVLS4tikQQvHGGasHVqn12gTn+c4yl
+ranvfJ72h8DIpHenIQdvzRhTHG1wqIn1SpLOxxRzUCtGUuSWmbTk2Hxxk8xZUoNu
+n9n9mXv4DecGOmmaA2zHq9N/lmPv9ekRneMypD5sRjo9OUJVPeNkiHCzp8ud+Nr4
+PcKeZSsh9SBbGcgQXrGedntjualYq8/yoE0cLKOud3uq9PA7gtR6u3A+nT1NFMuD
+hnsnlDj5p+k1rWDt4GnYDSjRrbFMZ3K+s/OaJ0+Ul7WXBup+0X48zNXv+8FPxsxr
+4zMFpLuhxLAI6IJlqjM8TQhRmP79oGxolF/rNyOR+3K+HFjEFaBW/Cm6WZVKYV6N
+6kY4HBFsYFhdfPlIpKX2FfdH0WT3yzHLuMBsb1Cc3u8DSYThg/vxldwj1LZnTUJL
+ah/r94RjOXd2IDe3CvgxK8ofT5XdAPZHBKXosnMTBx0HZ/prwFXt4YvrwbSxHwT6
+Ekk+uqMZE73Ln5Qh4i1iEH0j6Gwyw+PekVsc5h++Et/7wHlvF1dv+RB1imQvZ09n
+Qst9uN6SYhhfHm7CbGpNjMFJGopEgA719QoWnzCefgnuiULWd1nvUTjsmAw+w3DR
+WbWVX88K62wE9g22uK/EB+yvyQjbOYDroTIlpL1Pndmj5R86Q84m6zgOsImmn7Jp
+fbG1CXlRCIlFCD87dxNSccMeUB5cE/qpxtaAntYqChgcbNdQATuO2YB77ZQyL9T+
+cxCOIXzhnxhqvfZ/Gb6kT4LjxYFzuY2dVIwiGAHtqASpbrB8qhsj5SOcGg+qdNwD
+LcN8nOIz90u9+odzilr5BZZIU/mFKzhPw4+Mv5QohAk4PUx50yz6NvFiCDwIhPxX
+9MvV6l1pr2Kx6nH0uzpC8H524zL2zhYmNhUdRUOCPApLv5a58t8QkgymFD7ZXQmz
+oYtIyuv0D7F5SfHcDCul0sQ/cOoVSLIX5lj23M1SLRVeUOCO1HGK1wLaZX7jLzbf
+sZUFFWclSehoyt3Z83M9/nbDq+b1Vlk/1qrxO6/AVYBneb3KKYXiYXIQHkGt6ClF
+yeAPRXunxm+R/qoXaIETcknyCOH3teePL0uC1aD4jJEwlFH3JvlSSA3ruAsrBuzQ
+Oy9VUq/Q1lK09SRT+EKzmVhvb3lVYkP99Du1BoIyD9IURGyxoT4Flfn2E+tfN2CS
+Jf/JQEtf5eI6jSM3xq9fslQORSNGWm+Gb8i1wH/Sl86d7OZMdma5fyfqA4dYAi+W
+2k5sPNomZ2z8kL8uixR8Bt/Bg8nkIKjLpZIu4cd0gP8BWbmJ6axfwbcmP78Qk1Tq
+kwW49WVg6Sc4sW3T+zPdV1wGm7DdW3KfJJOV+6i6q4GTf+4Idh0631lVC3L4wJ2v
+C0l6XgR/VZQ0O5NFGeRU0tdrqvck27BjOkngRvDjTkApngilLrggvIXSeYMku3q1
+2MuydcUFA3najp/F5v+jTiYIzJkuYsF4T49M8N7L0XLuzmhpYK7EU6E6VdsoABCY
+JWWzdZdfQ/dkGCbn1gIbSi92hG2YQ8nOJ8wOfm2fynO9iCu3o6h59sJ4zrplAyFs
+TTdK6yd0uDnp9glPmurcEXmYOGVjVfRCRRx3K9tE2QHub7lGew52KrcKt9FUPaGc
+iD/WQi6WdSVa+YvLopFBLzaau60QrwORYKBiZIOyZyVq4LVWcg1FIbni+1NTOpTO
+bo7/ymJVA8yPqlcexbYAUUL9zF9BfS+lE+MWygA83dWVogIpORu8Us4GtUf9Atq8
+Q+uxiIK6V2h3KQn20E3EHFmoRJJ7My3GPHxuG8/mczEAVMhfZJSXqGNiUOgc9EIz
+eFsfoyPiUoOkL0WCXYnt9GDPX+P5FZ2ycfLb7pQUCFqY/9Lr+0LzaEqqV/GLyBRH
+SR8j61eEV4ZlISLA10eWkkyVVHRA2OeAc2kmaVC2H7xBUY7owYDDtlUzKeKL0/al
+gvCqE7kcazHcoiBkQI8IzslFW2Q/plURJGkuiUPou36aFFTj77C2oeWT5hRxc+X3
+9frLSIRQItMhxIRxIccxuv46lHYGA/fiPLJ+L+GiuZZHYX11UIQ9wX+XB2eNLZFS
+hvJy7+u9hsYyi7KWYnXM+8I5+RO2NhXfKhPwW9IJ1aMWMUh/VEYlGOMJGSr5c6qy
+21qNuK0D5a6tKRkHxaUlLvPOlylqGINRZiupjXIrkbzNy5pEYqz3sJSv31FHUmc5
+EbrQJsI1ia1hEY5Zgq0eQc3k6HcfmfgIIZ2GB83N7AGrpMRyH9g5ZguxhdbSMjcR
+1ZgUxx3sXWPIIwlLTsxl4wY6CqTQG2ZNPya2PTW2X+Qsl78NhLqKUgXHsfQjViKO
+ZY/02FZEObhIfBprdq0HIu2sFKtqyzO14kVe4MX+ZrB+d7QmwPqDsKb9EpUWimFs
+HFPsOkJ0lc8EY5i+V5XecWOhQccjEzoqQzffnlWC+E08/G0MyngXfym/JPRJxYu4
+nFYfGzbdedXl7vYXisw2kbrrQW/EtkVfYyho4G06tszUccLGh9akU1ie6ekDQT2o
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes128.pem b/tests/data_files/rsa_pkcs1_4096_aes128.pem
new file mode 100644
index 0000000..c54c1be
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_aes128.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,2DBF602A00D044C2770D4CDA0D26E8F1
+
+945LBJrU1VrfEqmgyMSQmw0BtwxxjzegntS9iB/6XsTuRbyiOpj1YgiF8oHYhNXm
+8Ubgwe0WEkqYOxyWvrBDxFgFfcpHvmrNvPssKW7u2jFx+wKKDCIBHuXIIfm8TJ1t
+lhal/TpRAs0Zu6ub66UG6WNxtKIW8Na74OyHiBk74V0GCpNAnNNpWsJ4YW+M3wep
+rMXnySl0EJ8caZYCXVzcHQVVygCEHCtSr+cehCPSJl2jeWIwqqy6fiFWYDj6s03C
+eTylSyWFOMjpTmi593Dh8vwJ8bIC4aci3BP/+TYlvT6+91voYz/X8HtlNMen/nhP
+ZRYbfwH/Qy2FaEhHI9VzQu83Wok07K9TayDBkjh2HDIL/SugeLGqBEeVzVN4aM2O
+/QA8wg+gEBTOZH/uXim/81/pWAaYfXPH76/OxjgdrbKQx1CN9GR+h8stFrMnTlQV
+AycGUc83rnWEJM9t/3KyrDMSPwbm8lm2npdboh0iXi/OocXxrW9Mm8OpD1mXFOg2
+Lm84CCs+X7lwiDMbBNRSFiiUSzmzX8GWMkwh+jjAiTa98pbc7EKcTlYlkOkOTeVj
+rj8Xb9eBz/AfdrV52XnDBXhNmlpe41ceiw2aPmZ2UhfaHbm9wYL70GTrTvbVG/gC
+u8yYT/3BLZ6j9BAaS1QlA/sbJvlvc3TqQA7wGUd8RonG1rqEK39wBM6M9dHddre9
+XyCXAaHH4GbXTGFY9xYGcoL61HFrEl6HZ8vBOs41rYROPYIkWJXFmoDHY1aZo1Oa
+ofhJG2bvv6gZQdt2f5JKeWSCMpQFSP4PWj8Z8TXvHHYQm9e3dImVK0E2go6MjVrd
+ZS6WsJajlp0UB6ceLFX+NYP5YH4u+VJF1PQ2M6+yno0BJpjPBFhv2pEHLxPCQDXg
+L66ZgCiW5WPFfnm2PZOE4qtlK2msJGDzOez+nvOc/Pxv2BVhWKhOM9Jyc7c/at2M
+gGNV3DPGFlRnuCdHDQy3ncb30fQsjJqQU2Xrj5DMYDaWcLTjznwXO5GMfVAQufdg
+EJAYGa730fPudLsT/pDJUIj24Iz4Xfnd6ilj6C2Sbdl91JZP0JwFkEuQ43zo9Nr8
+vMcz+wzfkbq9gXKOM3WNjbHFX/BfS+/vM04Cu4m6dhLIFDw1sguI5yCaHOUiuk2E
+gwGHkE2rKo+/afymCXYas/INFr944eIfkK/dMyMZI16CZZtiowG1UoFzynNb9o8U
+NUMhy8Ba5qrbvx8LhaQkHbeiBZ2vKmyay5Y9FYZ0JiY/Jn3ngiec8zsgZG3as9XY
+3quTs9W8fa0HYTNvJ4o9xZembpWMj+HLGjwZ8uiSQUFDp4mcwltb7t4cnFfu1X9Z
+MPPKzHTrECAd8A1XH6HEmeZhUaMwtLt4vNm0daXe4LvgMAHk3pQO1flVrsRxl3K0
+VD5NhJCG1UTl3OUTV2WL5+WW76JkdZ4Mn1N8tTpyLmQraifG9yBhGMxUNl4x5brf
+uAQGzV/U09eEjU8pDVZEteaLAbFqH0xsp8Chz9dGM6pKy2t2H/ZFvk3g5YOKo7cX
+mMGf1wG8WRyiZTxM+XK+tpmUkuPgRjxdw7rFTTwKNG5VmBymIHGR7lwiv7fLPXo1
+0v3gCztnKBTfCdGUjdG8yRNGAKtT4VdRsCFeUYl3ZehQUXlO3ZU6bcVv8DGFmPli
+B566h8BPIkQ49MKbxX2E6ukw5hGzilAoY4VN8txXGtncvm0FUTt+ji+wjIDAKjZM
+DWMm4bN7/LCEfsx8f1+XivzqQY7hdVntkeUH6R9GMmJ7ldfR4DYVzGljB1xZmVNV
+FD+HihBMVCtvzXLax5zlrf4iunmSMPBW8cNTJCHXNu8HbxNnlhIQ55G77DDIn8RC
+sh2UDHEWfkXuhhCfdxOMCUIBTBMCgK4N4pRdxEmj+RFKJR1wHY3SyMrcU7ye5/nr
+mxBF0HZKmHm6+U/oASjHeycUi2sXbzu60H+rSQjXVnCuFMubQ7LzJzNddmRc346O
+6fNa+28RUAxdmWOD8co5N7f80GAGKh4VwD6Hi7KDFdXPNFclesjTKF8U6E/Q/hjm
+HkH+uVeOKZI+41qiNxIpqP+76h4u69ZgZlYVd0qkbRABLBPN69cgsR4EEcLX8JLD
+rwgPaLrLyX9muYsFf6I99DDjcqbW4BAu8gjzE5qGZWQnOXAfSihUBqE2VgUQttF1
+Lw+fEe34AqJFr3ARcQg8RsZLomtQbba8VxQBVMiPgi+53HSz9IHTApTQ2ukuFB6x
+h/uyVtBImLCEmBu5p2ZSBx1SWXM9A2pj1tg7CgS6l5F+VIFInkjBmSVvRooCj/eL
+kaEXz65E96Pq0tmRlw+Zg4Xo3RaU+Ah2Vt/6Je9ljD90wpso6QbQBNnJMDF01EKu
+KJvvxf60xXB8j/EZvYm/7wDItCRnSBFZnOQlIfzy4bvM/TLFWN1AgOsIuWjROe+n
+Daq5gnCBeTwNwiSkoM5WjjlGGl3K1ubm8t1dEbjgL0tUHEv/A+cD94SkqwdPiL+K
+uY3qmWni4ZfwD7V0l9cCkUpdhmmCuX5v3ylwmSvXJ70Ag6tABDSMZK5pj2GTVGno
+ggZYcO6eORb8iaiE5ZkJ3tRYjUtbXuqTharC2OqlwEvlOGF72SrQEiS12zgkGYnJ
+ZYDGz+wDA2CCpFXxNwL1ZZp6ABgH2rgL3RUqPGrXefdib2lNupvrm7s69//wJmpC
+yH4Hex8Y7zA9I1cumIPFARQIOgNbvnCoplRYNeX4TmIMY9uMGtFNRHvrk24bCdz+
+leOGPWFPrT2SbPb6ctGRwZmgXq9NLcea62ErzDHBwEvMxFVhKAGoRUR97YZv2y3F
+hkj/kdgQVg5TEQfYWINkDlGX8kpRcyHKYA/VPzupgI9g7dvP65O9Fo3sivJ3RM8N
+QJj1hcGn6disCHnw4PrgnxDkVELIAOD5xye5919AYj3j/MwIu7kGANNjJk34Tu6P
+gRxagTKQB5qyBMsYJl7k/D0RUPA8OsRH1Z1Vl1+ZXtaraQP95Ozoin74NPESKMnf
+8lhmetneI9kgnW7zDxZbz5On26/UnXB9FfJFPsHS60SVpUFihFudrpSB6CHxvYAm
+hN5EUekFEAgB7LJ0Tcgc49MbVdMKk7H2Umoovc1Th2DBeET0Q1yabaPG3SQF9lPH
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes192.pem b/tests/data_files/rsa_pkcs1_4096_aes192.pem
new file mode 100644
index 0000000..8f2af5a
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_aes192.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-192-CBC,3F70213897D2A537A35A891E5682E0BE
+
+cjhXvbgnfdO1KzCgWFTwBr0ga2bwtEhFIWSE2EeFXK4IWz413L9nfGyx4VGMcb4b
+j9f1XvJIM53bZ1lrqPkDd90qzq3GG1juNdAKUqUSATFUjo41/KLE/yCETMEhWCIr
+LdH51NvRGozU75SR+i3DlZGSepn2geDjdCrCQuwVOJlG3sXiyEKYvBpQDHYWhuH8
+isM6Vlh9sibC1WhYrvslY6M9l8C0WuKGkqZcJmIYC2q6uHTcq1g3vyZ7ZEwxSYe8
+qxGMJa9MwkmwAaT9d/FTLjXwfagl0Waz1dSBOegtqcTTjaougv+df0y9VcxVYcay
+lMhjo3wasTl1k8PW6tM1SEEXA+4QJsGWdQSqi9TqwiqwPcsxAZ5ycNmF+Kr7h3dY
+7yFzc1E3xMpH1zR2lOfvwKk+2aWEyeHrREd611Fpu4Dl0WEtxnTphswt+FHhmNqF
+J8OAm2Cyd+pzkPJOJXgbaYqM/ff7DTo9KQd+WJbizOVW9tIwz9benq3KCuL0NyJK
+r0Al9BI4ysc+3hmfPKhrGzvP/BaGPTAfE2Rk9qajPfyt1vYg6WzLrvvyPTuS14mC
+Ldbfzl/KBZz3ED3eqmW3/uMxIZcnRUL0jr7DPkdN5hoJyEbtu/kT4Cjke9IrOnOR
+rVHowECNOjiA+Z5cIW3HFK4jjQwUZKMrZNrN6gRbT/ZDa5CwgdmmFG49U+GwNHmu
+cXvNnaGY8PDPvXBG9nmJ7mDA8P/VFPYQVcPLlTbcA3QL8NUBWi95tp4FX0tdEouP
++nR08+UutUnifGDgScBeBvzI1eYP8Tb4jc/yQDT1L2qsk0bY9LNTgo5XMOuStM/d
+Hf1IH2vx5o4S71PtUClJ52dGSbdr1FGB7CNLOHugaX+D0FsjxsFiAnPAvOvZ64zR
+vILBa9G7pFxhP2cbo1jO6mAixN6pXoZTEYv2i0SpFvQzxAP98PZqWFdAFLPjEza/
+Q+OUs4xV7MdcRh/wycihFCCeGs0QFcmZtlinP7qkTpaXUKdcQmJHj5CTawu2GFZz
+4S53US3p8LqoBMOb5dgG8zzaCh85evrG6liKGtzpY3obsGZYej/Dvuht+Q2Pn9a9
+viln5g7al1KEz0cU1VTfB+SIunCMfNS36e0zl8PbSG231vEQqVbx8Xv5zgzSL5wg
+I+XtotQEgQE57miw0hjW+DCaDaBc7mpYzPBaqtC0qJUSOpFE/fig21H4uDBBZbk3
+Pf5fkLXrCuoT1EJQ1iYAuJo6KTdvIO//6h1lXu3ZeassNKS3k6yAmyy+mN9+SY4i
+RQR/tjyqbKRVoCLiNJ/h917NSa5jFJVM3DQD9ZNYR8KEzVFhullZd+MKeuVM4NoA
+H7K50+vCfIPetZfkamT6DQxcgqwRz10pfY02HmNwx5sPk+US7epVcBlEQofklLEq
+fUV3oVbnaID1FjcITwvL//MIYMyHa83e/WFkOLORxzRCOnCe5lZMRNNrWFZCCiqb
+X61aRfeGtEkEvxe4QYbUnk2jOJYsaBW08T0gOPKaIo6DpzzGKsotzYrTFs4sVr+p
+QfQvWVKq8yYwgBe+qCseNcbPFUd40xGSbZrYGLB/Btax5431A1KsRUlzo5gdDDoB
+fEGA9oFbVTZ93r+hK+zs6lWXeefe3m1wAetlLWpEneNe9V0mHZ/GiPY3cpE8dJNV
+OPucb0DQqJJdmCfC9ZXxgpXSppqB3jo+C75lgTyd2kepwf9uiVTz/ysnHvj7T5tF
+A05lfnQa30MdllCBaYisJa77Tpq8VoB1boogC/UNsCorsuXCDe4PvKPeElGokdwF
+Z32HdTWftm+9ZkiQBY7aKxPELnMaTEvxV7p3O45bqcLt2yuLejDSp64lPkX3I1Ze
+nPdEnYfOLacvDWxZAmqDmzCTwbLqeuqeXEy7SDELsOsLjJQorIcv+t4y175javpP
+8f9TNhteNhOTjg2com3KtyyApUPZHxEnFlq88zbWCqOg3pOLYXbm8qaHs2shlDoP
+Qi18GHQy8eu/mnju6UDASAY5xCCkfuh3GVQX9TqU63kK3j3+VNFmD8v8luStPFqZ
+Z41mebckvTPsdH1wzNSZ0yu1m0nTfGrbNbtG1gDEdnTBsLH4P1hm3DFVOLh1S4TK
+iVl0JUnGbWmSP5AJjbxLw4Y8KrKgKMC7SDGlSyWiEH+rPkVtqrJEwG0nnanstM8M
+Ddbf5YvpWXFYGzCERMm2WrpWVrXLwXdMW497cO+YeYviwGDTmAqFU8PoJkDCt3F/
+WbP7Sl8Y9r+a92eyoWlOh9iP1uEneNsT3z95wpqWlj9eYZlFNjD8aY/FXgfnjXey
+dehNvuCNor5+FI8fuOHj1C/2Z0PskmzoYuWmno5sPhNtE2GpWhUFejVF6QdbRbzm
+6WY9+sJeXaZcrd+AGH51ODgsliSPP48bCfkynkni6bVyURPYeTduhd9Ww8ZXpjNi
+ROUGA73edxzZffhAuqujKNE7+cs25kVchZ5zh3S9RYCW4iXfMsIyLv2bi6dqJPtD
+YW6emBTTHMYNE1EFyBVA/WLL75EDExJeCbIaCf7sh4lsVI6MMyU0TwTmZ+jNANqi
+Ciiys0AYSfRAs41m36h1Efy8G1bx946iShl/BYQS/6Bv0nr/LAOfaqo8mx9/jj/z
+Zx95oX8rKViAj/dtlH+/teW+i2zVVgjcvDr1pvekeb1n7xNLxMZs2bGHTeGFrqrB
+1rv9h9uVJP11YP7AuyAflAC3LOKOtxen8cxhvFWJGW/djyrEaETyKy7mG87v63ze
+OboJYP0F2005FS3xRZJGohcysp+CDZS/2r0DfiUi1b/yXeMf6yOdh3rXSVDDrxBZ
+ZOciIgadV2wwMgj3tMpHfA4kRuNWMdr2OUws3/Kl2vVo2sd7oh+Nrud+peSnWq1f
+0yhsbrEhxTFeSKxd39qkUg8ELMsO3mLjUVKC1bFZzd3cHulVJhBRC0vCrVAgfFye
+hy7E9sU4+cbbGGb30k8WODn7ciG146B4rv+ZXDTuDG/PJeDf5FLrJAg78RycF1Xb
+vRfMIcrygIczxKgd8sHuAk0/yYN8tM88+9wEzPr5F6Z2Dj6Giai8TH8p3t9SOpev
+JIFSVyPYxUWg5B0kCOLhihe2aBP2Gi3+VoWbNoRiqH7dV6refqZG1CPf4RzKJdT2
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_aes256.pem b/tests/data_files/rsa_pkcs1_4096_aes256.pem
new file mode 100644
index 0000000..e2fc2e2
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_aes256.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,52B3A521A4BE45F79E26667FB6F79A81
+
+m10sgThu0xP1wMx+664P/NHSZSjTW63ntAUwVsCfpWamzPLGWOQwGqhfTP7FF8Aj
+ckgoYL9Gryulm4/YLH4lh78/beGVYbY+dhOiQoJ284J28v1hGbwr7jRITuabKted
+PSqD8UEWqHRmJojDe9yznbfAKjdRyBapQg9qrbKsuumq9KKmEb/7kXKIy0eEe2lS
+U0/aGFlPh2jpyLuV16K5NbeIZBzyuowZWcF12AI6gc+axP33gpWPDoNqP1PLluT3
+LFx7o/1S0mMpVNQ9GUcxk8X3mngJi89AyUVoby1YIffGEQWKM/lqbl4/uztVRaH+
+ZL6d/loOmIV3FqDs4RlDTUGMbauvur3BroH/sFNNfsPv0L60U5ZqNVWpJSLdiyzT
+Baqm0jET+pQnwO5pNVMmC4lV7ZTIRcoSmXwautuoxAPoJKGjrU2nKGCFWvbYyq6f
+pIR7RUH39pz6ivzW6+cHbS5B/6X4BLGMrgk4Y+DNUWtDaPebocIZKPhUfvnqwb79
+oNyDmn3wIniyOYsZg3YzVOoZGanWfEfMc8AQf/MsHmSETRRG3+zGqfuF2grgLt5M
+6f3yz5ybKnMYC3U+Qug/R0xCw4r9PygCF9S1in2mPj4alyfgU7bfTSnyIeEEzA/e
+csEnv8c3BUrfu5Mr5H2miBByEnaE8LoW4e/fo9Rjjli5YYPyS0Gmj9dsp2Sxh6d0
+F6uwftnHWidmPjzlYYRaCnCd13cf7MzIgCAALKU6YyZgj6wHZ9UGHuPY/gmM3Tly
+rTxtaZ8RkQ63QLyC3rfed9/rScZLP3unnWrE8srxIBfkrdmF7q9F7GvpDLxjg+F/
+SPDXBU91sAVCLsV4uEVmx2uYBnCGQCvk/sESlsDWVHbIzhqQeeGOTFTwRi1L7dEb
+b4+/+t5AtWV2/Jqp57c+pi9MISB6dGRi8PwzVL5o18mRqQoqDMGazqiZrnkQ2HLl
+kpXAPaZiEC0B/nbHk1jvs7T8vyckNCo3u40Th0WWMWDBg2oMNkFg02Syp9suBfGv
+eof3G7qPKGZ42hrMt/niBhRhyK4hB5P8ZtcYs/TdJJVAK3oBHbwZb44j8efkng05
+3gGCvvRjCYqP7ijhHaIBatqsStuAoJqZTQsXed+5BenACYqGxT8mJl+JMqS2kjum
+Mt9WNK6EWV5uTe/8M/A4BMbR77/AOgLBYIWpOWcsjnTWDayZiapEwnKoMPUjePlr
+pbwSdPhP2VHHFKqNak+OEDsPm3ouYrCAowe/kU+WvGuyf/83BizJZ4cbnu4XE7JO
+jw5PHrfIW0HhdqNDM5CagQOOWQazCUB/uH+ehqt0tbDmx7ZHPtA35ZQy+tVYcvFE
+RMozwpEcDQHDyooWBIWXx8v8LYySH5kYUkwTySe0WQrPjFAQ4WOQDTaq98gm/q6b
+oUGQZeRwPAdUa1muj1xUELzbeok8h2uLFS3VEliLKMo9s3gK/GKcmyb3vhZpE+uW
+JHRR+MkvSHNOyV3eT0m6S8zTj+WxDAkrwA4OWN+pZndlIMzUuJ5OH4iyXBDIbozX
+OYZgHXN4hXLO2ThNFvud6JFj/pHurTVBIATSo4Bb+VCynRmtiV6OmHoDoNQPrv0J
+OtttwAbKEIUp0dQLMDzxiyqnurEkvwXJJA/hXbh7pxCVt8mlTzuVWLLxN+paF5Ro
+3BincBlVtPdWcx75TEXhewnF/JiM29iG5qx6NQmaIe4f0MGtPCFFnedhMJg/zKpf
+WRQiXWfsCCJWPM6NQdCxmFJkPuoFWGU3wpFepUFrYVwgnSnwYdmDphyo8IzMdZKJ
+HoC6TcfxoX3EaOOFYNPDrYqFU64gpfIX537Cunr4l11kmt9F2CpZSZ7SRT/b+fDn
+JDk8+Adm8bdisO2ap/Uktei8ibEXMcpB5I0/t6VDOGFLnvax+u+eGH77YK0zVExP
+5N6h8kuMFTLYSiDi01rOxB3EgAXYqiMNttM3XyKUiNvLRIuBqiAWjQ/i94PifQzG
+i1UeItRU6Dx4JlJhKnk5C174dGwv2cg6iZpKydHexRyKl+/+pmvYFsNOQxkLc/U8
+uxxHANzHRImndCsFiWfX5Wm5AuY9Rj5EbW3D5vsGiAT2wm9Ire+OkIgAzOpp+Y+b
+llT2q7aKV6ZRbGYxqy2b7crPhC1+OgvVapGdavCh1Kl28wZyW0z63KzwhKrfpzTG
+keJn9uokrNTo8i7kB9OYQnB+Yj4l+FpX0vF6mC80HWtpe8dN1fEa+nBhMg9NYaeW
+W/VBcd6HHsMUbI+LCxhJdJYm5ZcN7+7AkoIp1lkWb3hVDutKYKFE35o2PQaulVUw
+Tsya4tqVB4FpXZ703IkBXKf2rS+mUZLkBM0FD0NZcVFC9DbYFKhqArhPygP8Dp0b
+70eMENpvur+Y28Xi5nhgB5bYtb8AKuEPr2A+MQ2e0RNyS9ADf62Xnml1xKpPjtvP
+lz40QIZai03vR4jY60RRVYxiCfbAjdR7UDnuyNynGXgRYR17GAEssztuWszOuneF
+uZrUF+QqvjDnuX6TqUUzd7DR0tt9n5nWEeX94YEwkdnGMrPSDjYVBFrUzxb0C8EO
+YduXo/ZQVQy0egZNqiIYt9MnaLpnm61PNqYjNAJ+4Lu48q7R1x3mnJj2XcHOonpI
+gn3riWaDVOg5oS/M8T2Kog5QTfZXqYj4JYluWZjgPl1OwbxflAPvZ9SJwPnQoENA
+v3emZVeCZDH7aIbLVIXPOq5cZtstuqFCVzafY8Fc9WpAQ7Av1TiSvJb/xPeD0D9g
+Ka9q9E6K1Y+Y+4gdDkRnssG0ymLk+F164+6cuCAVALwGwW+VtDyc1e1cc+445siC
+6epL71QT94CfZMQ7A0ZkgusKrL3Yvwkjf6mBkOvKeh14rbdrAltzCSrf9PmEJtB8
+BRI+CWhsBGUwqqT41U5SFkRG2G1Kx7xILbZgJXJfE71esB77zvTSZRc6/IuvLUyH
+Lt+crv6L4NrN80dHYrdpcRKspIYOMpBSGGH8OMfSVU/kvAPVB2zqzHgFxA0oHkm9
+cLCLIPVZP8F2iA8Eghm9uGILxdUkR+YdAY2ZEr2N3722ZIMBBDIljdQEaRAGDh/H
+B5e3w69NVD9d8cKHz/M7ld5O9B0o+G+/yrDkAokJuGACHjqhEzhBfpDO1orNb7Sj
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_clear.pem b/tests/data_files/rsa_pkcs1_4096_clear.pem
new file mode 100644
index 0000000..96933cf
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_clear.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAzoPnqYh/7ETGmdNWcczq73FW++HfSm1PdeJqi9VlaQHvm4TZ
+hj3JZAp3iw/DyQFiKDRGwukLbroWrQ5tGnksEmuLWYiinaCnApVLqgw3crzCTBoO
+XoRwyj9mE7I8D2NyjBwak/Q3mnbqAouNVNtE2WAqBzEHNIBvub1BuIhh9MzqQViB
+4SFLyuOzfSPfuRWO0/7RkykoiYC0o12SY+fALP12PMSqwsSuzTXaPNUBI94ScwZO
+MAc8ey7jomUKPnEZRASBwCNaC+NYr5RlR4JP2hqozma0nbzndPwPdYZ2m4uZnTzP
++2Y9FbP2brRYCkMbPOmnt0g2CjiDdw1J0UHbFT9OOVXTmFYrGu/BlF3sX7akLz8l
++4EWQ97acGQ2goPk1wpiaoxFAujZsCGWGSdEWEM6LEmY6Jr/2cyX4Elw4+Q7Ljxp
+DRN6jc3QFoui62bkKqozqPs+1yu93vPe8GRHIHxCzNTa3oDsE4MVX+boc/CY12nK
+9uDkBjpwL4L8/FRFSMDbqiVlCnwqkQZhfutzgD64IMy0B2FhbvaPM+22OEEHVEb2
+hq/Gbs4y6aPQP4VtIWe+UrFh0FUIR0xayGnME+blxD2Px9oJ3KpJ2IEG9ulxtHXe
+Lzw5jgC584s4wFJz8R2DL/js1dbNXiSQZnNOau0J2srz7w2XFo1puGxY9UsCAwEA
+AQKCAgBp/PKRZNfah7WxzvAnuba9qtqsrVDvHsjQRKLQH3ZLfU3e8EC/j8hjSqft
+u+qMp+QbpDDI6dgPPPxUVvoRwyymS4GaMvDam0/7mGnb3Sc8ALprWlgTlD9a3Uzj
+QO9oKm7oj6foVUeQRAV3xu2DJoHgWmVXiYccH+q3VfV74qr7e4uie+00gOUoPNKq
+oBW7JOBH1xjyQQZoA6Ex0t1F3vQXYwIi0ACfs1fPRBs8a0mJgfjQBeVs6tnUks0L
+VHX8dAk2imWZGcumHEkw26VbHPskgdgvDjEWX5QeyxqYA6mtzOjK9SH88YzaLaGF
+UZN5uNUq3vRPsYTim/yExlIjTnxEL+dNAeI0kZQpHZK8G4yHbWQ0WRJGd73lxIUS
+fXiV4/MJNi/0pPfEklZ6TThUZI26im9QxRzGDxiIk5IfL4o9kF3JXdjNNd/rm62h
+/t9pQdb7UvXGzU2RkN9q/fOsdXF7n4xibAtUMzCDSnQwID5sI13gIxsIYpLP6x1x
+8Ew2s/4j4xVfyDt/TwimAgCdFQFZuO5IiHNVoAqa7mCcAJH5UFdtFkRvDhtk9/Il
+zF9XpG+Bf6vwloUw/NEczjYzNLjKAnl1fZJCgU16ct6VQ6ysR2DXRzNi9VLigWJY
+RC/+r4PvOTP0TB5Fid6MtPAakb1/YCP25zg7XZxRW1oAVS4n2QKCAQEA9DGty3ZL
+h4BruBSRmkZfGySKS3Wo/eXyrY7kv8/6+Er7DKoGzcVbOeQxBBzwJMgssRkxSTpO
+SedraYBA8mb8E1T3ZfuzS2eNPSMNci9ukWl7xSYUJh4BogmVqUDQPdtScgRdantP
+/lSFSXFSHoRvte2aeTP6YVIwa6nYICnTi/F10++LBJPHBTWDW/DVjn6zoV4WBlML
+zx8C3GAoXDMP38eJN+Yld9ApnlTfVv+yxKGJpJSCy7fDgjr6tVMMfMRlm9CJztqd
+hAEVFRhX0HbRYnuU/vcQH8lk9NYDCY57+8xazcc/NdYthZANdRVOX0MVWVhxRrGs
+QlBRKL7idcwEFwKCAQEA2H/i1q/oXXAsJ/HdCKVg4Y3dKG3XutDNJOHw7UTPOQdO
+Vr8LA6hit+D6zkRlLyGFY22XqlwY8ae0lWlj+dCAbfefdIoNQwXz/K0F1ofz9CCc
+qLBBccrvoB5+Lab9Sk7YEjxKAt8d/6UXk19OSKJFxxn/s2zwUtKIl+0gkKpbKLFp
+QjP01B45GhYxHvwDTn3odittlaFw0VilnqDb5gqm2ficWgt15NZo160p3+f0MpCu
+6f3umM0eRpLsvZxmHmVQmyQGR+STD5AlMHXAJjVoPP7iy8EOnrgGnJgY6uEVTEK/
+2hZ0qYaqU1rPveXSJ/g8su0sokarwKlOC7iXa8+07QKCAQBm75IdVE5eXioKPNFr
+wQJSRMLvMDf+XzI/Kx8OJDPc+m59VibsEqdz7dcjrrckKiV8uevmvGdIC/9hR6kZ
+BYR4+bYYDVP1Ez+cZ+xBF/F55odAAd84eimiDnxCDoo5qPxGB8UBH94GjcZpwRUm
+vBkDDZeyQ9DluWmj2MK8PCVqtmw+3JkzYr/gWEB5PzomiQ5blXefTt6Jfr8L+pTI
+2NV2NXyITcG5kcwZbBmBaOQIszd8YwYHrf0CJq6MROfcqEVUu0F8Kvd/L52deNd7
+jrqQ0xtppufrHlAqTRSWsLNe3zPfzn+8x/4EcUba9hJFYdfcA8YsULUWdxjfHigE
+E+4dAoIBAQCjXq2f75HaoIDRi7ONiK44xkJy9aBq+pEzGcQiZ2Av2pGE6Bi5o+EK
+fJ0F9ZqdHCB5zQM7rM+t2y1r6eFla67eTJNo75veTam1rCLRpjmyqMFOkeJwqgB0
+xU3VyUMtRZ3K9O+shw0uEjheHvcF3F3nRnkrvjMDbJdifa+rOsIbTPTu3iILxtq0
+ErbyeJ1OJ7i5I0BIP1DQyKIBt8T4LGWH6hCh6jAGhL0Ms0D8Ex604XT8YYAgkfgc
+rVY0JsbwfOd8ioyqx5MplU5a6SAcNQT5siUWOBJ+NsPWeveilkLqDxySx4s1Ocdh
+qw9Ebx5MxweWxV5+/fExKxEXyy2IT25pAoIBABGpeb93kYkzbycwkJl3wsqCPIby
+kHwxWFpc0B3w4ugZQAUYt5EiJtLCiKpBqjm+6/1Gdv9zAJTndKnKPeY43gSjTV3P
+bObZ3X7X8UuAI9yJ1TybGQKmqlPzMSViBMLu0JaOYCyan0CCSZUMB8Np9XSGkvwN
+dgG9jzxqj6XvY+z9ghj3ffhB8o43T/VPIUh4ncIHH6dCToaMWAzPWAbAaIEbAjnv
+zqGFToTirBHQguS9U5tmrUxgwdeZEXKt8UE1j/GVirAngnNiImigeUfNUlovmtv2
+CJuAkxzzREpVNdQUVn4+UnMNaaLs8lP+vVqL0ojBRGN3eZEQrvJi4LEbCDc=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs1_4096_des.pem b/tests/data_files/rsa_pkcs1_4096_des.pem
new file mode 100644
index 0000000..5bcc71e
--- /dev/null
+++ b/tests/data_files/rsa_pkcs1_4096_des.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,2B0C21459A0C9951
+
+KN6p9tJbTD9sZ8jVAp7fX8Sug6XqCi8YF+oy0SB9NeHO+YBDGJDNtWHSMSKzjbxk
+r5AN+75uV2pEoRrLyYaWVA22sbAJc766ZQX01tSkxUX96J++Do4zUxR+GJusIUnj
+RBVDZfz7vg/qa3xJy5x3cB0iqunrGGCQJ+CZsUtYnk26V3iMBjTu/WQ+vqt2RRIy
+dwzQNPy2LWkXQ7KIoh8yDGjGtWf3XYFYQU37jGlSoOG/AVxa7CrXdtATfa/kGLVP
+fOeT4wDLjKdawT4GUhUj5yt70SUSFtisNtTCKsLGLSpgvO4KWMYOsvo6uB4jxUEF
+X5pBJLz4978DJ4N4L09Qg2DxC2JIyxZ5L1dJiWSgMVnKtq4HM1J6VFNUseB0ZDB5
+X5/S8AWwfb7gtBRD8hZc+UBaBApgU/us3AZhkqczsa35j12op+mpLGnAWiQNqumn
+iHdcCOJT6ZL8dq57qmbEzzyrcdhYtFJmv+GLS6m4YMKk4CHf9lcD/8CmjxhxVZ+x
+OkeKF/MK6f1iUmXwZl28QIcoXrTzinyLjF2RbNQfhrgI2ZUTlbVgDVWhygB1eeXm
+sW9J4B1H3zGslbOcrqdh0NHdWKTvTp+lfzTtrUtd0TqgRXErFJ6e3pKDDCDgglrI
+7lyyrG9sOF2+BmYevLUe6R8XCBIFhbx0axClN19k2OnjvCbNpVlBeyUF/vbYzcBX
+1toINEauWM2J9noi0ysFs7vy9nBVlFcrNnSXNFSgbydn73fYk2WnO5myoBBapsKD
+Ph9sT48/E7xfgDmKJ+TLyz0Jfo94RMOQGgD8qNvZvAcxTpwZRY1q9c0crCihOdXE
+qavdYIzIDF8oh46/SGSU3RilE14uHHOtowzWKc2jzD/Ly5/cHTZy+DfPd1ezL0Ym
+w34jj952+FdMMXb9cmzS9Vw3zHNndWCMZ/9tPJMRoqGgbFxcXViwjWlkyNoGn2u2
+J4InmiIbxwvEt8JNfHC8qLLZkQbtdwLKP7viz2Lmyn2kSR7fWenTDr/bwgaLRhWK
+Ii4/BiZy+R0vjR64U/12+XtdYI69ijkwOITDLePY+4SYeZjHTe2BhihhfVlR8sLL
+xP0JW7MqnFs/eJy+xe+PU1MKG/WWpwhi+jGWPiYJq7cuIwz4l3x4GCuE7R+6EF9x
+SxvwD67EhI9myx/ilzdPiPJBwPWqEvd9jVEvqbTBJERiNGH8XXH1pjZ/gPdKxH7L
+QnJ+BcZrxxrNW+xKwvkABq12QhF60XkMik3o4XROY4mS9CGIOi7d+B1mrG69Hkg9
+BVVCwVibbYyX+7+Hb90x9x0e4CY9nm7h0PrGMj0vGFSY0oUKka1OPra3gqZVQzdN
+Vb+hG22Iw36VlbGbkoEezL+ic7Hpvrl4WwAcNz8Bq5iyQLbupp/rdkmYh/JL4rSh
+509YdEFAUV60eNPcGuSnxhxB2m6Oi5ViENMw/zU2po0oZkh5XUPCin+Q+Dg58z1D
+qeWg+ZVhLMucsWeXUQiNA3UQEJde/nayi1f2SxMWuvZxsaS5Wh6PrqutfwtOokuf
+DJzWJHiMavKP9nfIj9phlomZru1R/2fWEme89rCrUHv3Kl9qV4dwRMCDFsqL6iuh
+siD1BjJ2EFwm8sPnNL4GW0SZPsWZiF/ENasiVbUhvRB6gyj9YYomimIhOIjtn7As
+6dJpKFAYOFJDXFv9Ofj9sSdDQP/4GYwKTaYGbGYo/qIDPriiquA7CGBI/gksAmoL
+DqBsSXrUCaiPF7Xc8Lji5oCTH34WQd0TYLOXawWB+oiCCCUwnIt8fClGBmvbfMfu
+5oXoVPUFSDgKCylTedXJjkUXMREvNdQbSNb9osmp81WveLz3HVU7yYksuJK2Ungx
+R+QeINhN7wC6E8JJUYtn6AvxfhLpMBpjDfQ1zOqDitye4Z0YR/aI42d5ll2ZilL0
+giof2N7Spnu0g5f1twuW8rIl1BjykiJHAkIFoTHaQApQDtV/iDarJJJ05Og1lWGk
+4s5WMwXtVJiq4QIGheCW2ho9eKjcijoUzCDvK8pfb33jTd4/77h5M8DQwzyzVIqP
+ap5mVK8WTd7NJypw/VP00EoyKTgYiRY1jxCCYtVajukg6BvLnZijP2YA/E+ivpau
+lumYhCYJj/wZHxhBuL1qjjz74Eol6J81VPAgt3Dqmj4Did9XHl2K+OMzWlDfe+Ah
+eQFEK0xhkPyScYAE59dTV2Grf+abGBxYnH8RzwxUi3/F0DVWW0lLZx3tfjfJ2GVp
+dh54pdlN4DLIDcx6tuKMU/F0NC3l+esQy6sd+Cn62pj8IoJyOBStZuG9b3fJ5CfH
+dAkjlCJwtX6F+X/3MAMYLMsFL1L5BxXIdn7F+mJftndtDRX4PuKuW2wv5zM7UiWa
+oQSKofdQFI4w5jxup7SbYedLPFu22Gt8IpLWheEjxU6tOmWmp1F+SCFoM9vkv2+4
+hZjDexRp5jidGs8A3rzwQOpnWKD/HGtsJZAMYe1+UFwGJNpz7oNM2It4kfuvVqRE
+Kvesu5Ut+2FmRJ80Y5nZWY53mZHle9GTGlJeFTeueOE+aFzpj8ghWXY5swUlcNwc
+05J3fqom2j9Zt8PGt1yaVo6Hd/BbIdXJ3lWe63CnjlznSBKWn7XpgeiJ+sU+zqYE
+vclIczNVJL+FuOa9h38jn0yblMZQybStDPYpOCpb/AHxr14EFkZJKCs5zNn9RV/S
+ypllyB3DT9fBCWed8rxAH0PQ5iYc9UNeSkfmWapfJT4YCUmzNYU0C/f7blYet3xL
+1gOXpiISdTh7ilzFe/i5d1I1UegmtTSj/MmVtT8mw1gqc6NIaFIFY+VKU6am0z07
++aD5llI0Ok3/J2YMJKrW14u8VU6oAKfSqhZRdWnEemBJiAgKre9r+3qwg3pGgBCt
+sRYpXZaRLbzmtFjI5Mfy0uB2zhB0XuqVCCgqT7WqzfWilgLRPW1PLJoMxOykg9FW
+3EofQFJZ1/jHCm0Mxcy2a5edwgjIHevRQGGAWHaOnjiHXKBhpnRRTlxsv+ct13kH
+c8cT7E1vQ614hRluDfTeQmyHXerlkSwgZDsEaJpOJ2nWnes2k6u6hRLNEPMoQy5F
+dUdCwLvXxNEnClgx8IizMJmxzhvmAHF+9//WgJS+KxB002MnP4wX8ejpnCgM1/oe
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der
new file mode 100644
index 0000000..e064e86
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem
new file mode 100644
index 0000000..a809e03
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICojAcBgoqhkiG9w0BDAEEMA4ECAvRaVQoz78HAgIIAASCAoBiIDDzD49HEwvC
+COrRrODVgYMJ4+jy08j0yQoyjjcLRt2TCMdNZ6F6ATuc7YUQhcvJIVT8RLGxluJ9
+Biolgd5Ur3elFFl/8D4jSR7x9zmEFq6fxDjrkcbb1vK/1pth9Cqfh7FXQgD6Dlmp
+2Y1YTdrelZTQs0hRZye0YmQB/qpBs+1VY+zkSNvKtlJZqPYnKawMxD9Dif7glpDV
+ndpZvNXDbbRy3vLq8k0rKRIJQ7mLjmAA+3kgRRtUhCSTbvUs9oIGqgq7xm60mcAz
+yG4LfRQ2khZSQTK47PENsDoZrazioZ6F4d7qmB/peLWuvqVdpBY6gADecxJoGq5a
+4qvZy5srgYvOFfGi8T3L88mJc38U2WQ2s/eHsmSzC7EmXapNE3OE6qwDfn3bkOF4
+odksNaz0IoK+msaUc1eweExE97ERlNKo+XuJeO7Q3rjO4+JkFINONbpfFJoSmZEm
+XX15ZYFFkYZ5eI36zOpX4ilHmTFmXq7BOmNz8hHWwmKUSVx8JsdvpMDbl7bfTtxU
+sTzS5LIgbxpP1n/RdTRe03ALuCFIyD/bFdbjH0tzzKChV8Y9OIHFt9aLDMU/br5i
+tRQFh1D5baGV2atoXi080s4iiAm/ZN95btvLOs0C+ixHpolgHsVwrkJgKIzdQKCb
+4CSHYst3/4Q/3KTm4Cp4uslKgVD2fbnSWMmHnN70kERG2kTLkCexS/Hht7YDU3WV
+g0xSRKbmedpYJ0N4pSvpIwQKAaoBWpgUVjcWOnadLNFHz7rnpwDw5cfhWBKyOor+
+1YxRhpPCLzec7UG9dYu403ATh5nbhxnmz8JkUqumSt/fvfC7j8RSWhNIsBvoiWxh
+7SCrd1Z1
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der
new file mode 100644
index 0000000..5a35ea8
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem
new file mode 100644
index 0000000..ba60e47
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICojAcBgoqhkiG9w0BDAEDMA4ECFLoZ7dfvmefAgIIAASCAoCmLLB9OoXC5hH7
+nQ1+s4xBIk1CEfKAJGw0KRMaKsztHCB7hQwizu/pzJlGjDHlDVNkue79C0x3rhPU
+1+894yR7pcwToUeJGkv1WGKmxOJUFJjmhnsBPQw7VK/0LkJJtaMriAyoB/3goQ9w
+9itzzPBatbrc3t1omc0BQKvjl8T6qKoYOO7sKgKp8aKYxzf51fhlq7NPETnDK2Q0
+ib1L4cVeZS8MHsvl+rY37rrscTAIunEgx8hZj704ZjBMXb+wKvLNtWhpKdwyhwog
+zusj155WD/GmqfXQyaTNu3KGKZ+1CtzJ57LC6hQou3tVvqX5lxRv3mk6PdZMeI5Y
+vBaU4lBFUd7OEtVrpEegeMnKWAB6a5y83lhrK3t8yc2l7yzvkhLOK6iwF4OEjRXq
+lZLZCcKzdVOt2WodwmQ7Q+ul+unnnlaBD8A/mScX5GJQxy7g+aczcPerMbHE4Ndx
+H/ut6J4HM65TzVXl6EUGd1B5MkHa5nBqudqsyCAAYyZHlw2I3S4OF5MElsFJYlxE
+vv5qCOajPCowvND2vWi9oVntTsbC/c34/Tmxlott8zlSIj5c2sDeEfDi3vJ6nrMe
+W7tpAEyXe7Mh/Ya6jbJF64f9FLUHMwGjVsaHSTzMW89zp4H8Gw9ujiE5E8FwsVpJ
+NLF/KMRjARZEu+uuhrWbsDQ3B3iHZ94fOH8oQn4K7TPpbK8INj/JG5/FPjTKk9Lw
+1ji/zJFD4VfKuZdoRAoMRbC72i0i0h8ZBlZfpeG/pawaTJCE1SVLEvtHKB++2YHX
+ZeDqzL95FdQwnK3FgfqfNLGMlIbG2JSuCE9JBY+92RsvXjMJRZxkZjvYL+C3alHR
+VBkyv+4V
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.der b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.der
new file mode 100644
index 0000000..e7e32b0
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem
new file mode 100644
index 0000000..089945b
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICnjAcBgoqhkiG9w0BDAEBMA4ECHgR0/cyo14UAgIIAASCAnzDfJIvSkRQKqrV
+lAzAMnhd42XlhqWAJLh6aB76LIWVmepDkNnXRNX0W1R+XE27/uzgs4lcovW5hU40
+2HZlv3R0u9MEvMhadjL4ZWS94143p9y7P4vnYembOcc2WnlhFaGSMLFSwMI5vgnL
+8xz2P9+d8IuxGpFSgw8S8zchg4Ewzk+0nSdG0px4T5K21uhsFzjvZRLrG7XXuIee
+tKluUauy4diqA5jrJ1ShmrFmNTvtzAPfMX+QohuY8nhRUeH6bx9dEWpbIq/1K/25
+1uIdInZff850YKRQpK1IkinW0YfFxoA+sUGvxs+aDecbq8w3noaRIjJN7r7ipFEK
+dhdehOxD21Mq7iqsujV9RJxAbqkuoTfECHJP6N/Dmp9CY0wpnE1lnHOTZwCWqDPh
+aumtaFsMxJdNPZ3M5xmGInPWnT3JpW2hwtoOF0Vb0pP9VSfo+3yCm9b5ipFvcs8C
++c2MdK87zSqFvKc19cuv9tggguCzNjAcECHN7pgY4VId7cWMK/y3k4mk2C8hPQDw
+S7gm/n76BSxjZFjs9ZQn9n5meO/47ohgV1ua2WICPMuPmzz+IPJpT6mQrcPTbzm+
+nNGrBVRooPYwnHPYKGlPJWkfFzsWnQ6dRgEOcM3DJMfU29QLHmNHu0ucz2k2f2C2
+AHB1EFEIC5Rw2BxH1x/gqYlZAB7TCHZ86XWIzbYdJlyNjb+poXNczLvghpvoIBC6
+dxEEsxVVzRYCRbmLtNTdXa7XfQfEaRs5GR3qrKoNNDzms11btQWo8eiZUNIMA6sA
+i3Qhs73feJ5P3hup8Kl2P9N29MuAjYsS2oeZApjdiXAzf5IeFaqTQRHR6Vumvn65
+TLE=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der
new file mode 100644
index 0000000..9c33ac9
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem
new file mode 100644
index 0000000..534f109
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6jAcBgoqhkiG9w0BDAEEMA4ECA5GT+CJ7KU4AgIIAASCBMjIenQGGZ2PvUzA
+9D9eyOS6Tnry7U35p/WsQ+DOp6p1fniIWQmMj2s2dH5+rq1N7acCPEpmTLvDZb0e
++YFrRQU44WuwAR9itfpvr4/yR/NzyvlGlDqY2BiJJIRc9g2oQixBLcN66GMVS8YF
+Y9RadQYO3gMoR6adn3Of/6nxDvzy+4RHegXE2c6i15g563nObozLemnnThM6KiIa
++B4wOHbQD+ytp5D9oX9xbW7rK5v+SH834vlLtENres/Fr/DMV6rZGvYAPkJTxEcN
+5eTTKpeB45xAZ0DLd5OBrBtVQw/33NIHR6unWbQcD7/Tyb2UvJEwf3RvNQ8LlQ1P
+xwd85NBB1jNJ3cFMGZYCGL24m72KTanGdhuzBtXvaAEJe7fLdhtsDhJeD56yFMGX
+2KlEvzgvIQYBBIqIgOsnoBAqXg4QdDN8GRc43VmnVjd+zMmQyq30Y6S30SkAs1Wt
+lqoKw+HXSLVn3dt6fH/mwM4scau8r/qQxhsw/YkTXspGFvzjI34ejbh7kvlHe57o
+1TyJMDcKeGrpC253TJKd5xPnzY9vFQ3OuoLd4Xt2cDbhz+EB/A0IJzRRxPE0Yx0Y
+WRU5Y3I1EXI82Hv/DncGFuG91s+OIoWqB4ME9qByec8NQOH8h4Bz7Z6XuCINDBwN
+u1GMAsocVL7SwaYdBtmG3Vx3+tFHj7W9IdFBd80nDzavoY08BTJCbfC/P6KgMj87
+oVtl3iD2yecfozPg8ffA4oqTfAW4ACbq6rU9KyETOqNPlRYvqcs8yLK54MRT7hMN
+HeT32iOhMVdf/rqO2F3LasYUXY/MY3LFAlBaVWOuXvZ2sRHxDx36G0wyl5kA+Gea
+kUftk2h6VtzWywQOzDetbYkSgNW3L6SrrD//3C8Y8vN1s3WB61flF12hR388LPHW
+56KjT63/7fp58D94NotijYmXv1S1Vzu360hRmrj2+AsgInfFO2ldB0jxnSDJqyyK
+D6SSOEY4jr1BvtZT+FNYBPCJyWiEuDedN+BPpo3arlNRG5uxttSQrXhXA9mtGFBL
+wMxMdigt/+KKvZ/4yAmQjfm8JC3kDNC5w90t1Ky8Wb2SqCvW9tMK3whex8tJrER2
+UzAXyjSk3xngsbgopr1dsNVcfJPtMbPFW3X+pVqhwFgN0sVThkXLt2CRS7NTcOFL
+mRzDjUphbX1YI5jiERja2+SOvqHvBbzDCvftR46W6h2RZIVICqpULS1Zz32nro0g
+4fRBxOr4Ii3bL+wZx8uvYBDws/WjfWeOhDSyUEJx1pl3DnzspwP17JvdMvCoaxpA
+qA/+wjogVmyMTaUO2tseo+jKf7Tp5Nd8P3tMelFVI1VxARUV/KXo/gllwYW/aM5H
+8gzV5PXZXR3hKGNi+nrv5++JtddrmyisUEBVyBTDqwZHl1KCwmfZcFvsBbNOmdXd
+SKp8Tqd5QwmgcOmVeTl9YxHhL7/3zNQB5F8V0ZNDsEXiVy0+UEEjFj1yLfbsl+2D
+vWSl30AScCrIsa81iKk385wlAjftaO1XaR57ZxoDiHvG0ZJUtOV6YmW/RnkQUPZz
+9+kMTdCjmcSIh6eF7AW6XR3OQ3tTqxLStSH8BUNM9RYnkeBCn5YPnGmgA4rI/Oo5
+8Rsd8ZHYYP6EVbRqqV4=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der
new file mode 100644
index 0000000..28162fb
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem
new file mode 100644
index 0000000..bb9d227
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6jAcBgoqhkiG9w0BDAEDMA4ECMCMlAMpv/XoAgIIAASCBMhBuDiyb2dI7UGr
+SSjkSXankWDZDnnu9ctLQNh86M63CcomlJelhpPlYOGiE8d190awlciHVdd6bqTK
+TeMaeGGf2fG1oKrbXwTu/dhdVBXun82E6XYioHwaz574Cc4FE3zTX5AyiXQuEVpZ
+aiMnwwpH9QuurlxOPxWlsv2j1bWo1nkenM7itJ1UqprvXZQRZgvfyVzLrW7k/T4g
+MYzoowNNHzuS/IHaWXddpMsO/BGkaD376aSdQtmp89Xocq4ON2o4pjGs0r+iQ5rz
+/IjdbNl6vq0KOP5Lkwob7Cl3ROGVim08hYivCDgxFFuN444n9oRFa5HcPkTT2uI4
+JLkJ6UtFfziXkPkMJAbYYNtKFp6XLnQEZ7IZGttGBwuSF/b19e6WIjrhkmc4PtTN
+3GEtlnn8WeiohKz7zxINBAjGgH3QfL0SZnJctXXKArJTkpuMcbhvXIgR40ZlV12n
+sF9IexnKbhCANkUd09xsDYevxes//6kyXKBvfw9jDNpRqN5JE/dfLtWZz/VdPfGh
+z2ZNr/YCOpK6aum8GlPF3XGh0+5dXlRm6ODI5swGqLrJD28E0RBL+I580o7WLJKg
+JJCycK/Ny+Bg4GTtqA5jtYihP8oRARdTHaDplujiGdh743qn1dGTBJ+McYxrPUQ1
+wWyNvEfaosF6GmZtFI4Jtp8rleLUmzfB34u09hzf7LgzD2WI9akgtDVH+sIOfXr5
+2iQUdkXumM+TGzCHso8mHVBKAWFn4IpqbpImJcUUcg3NV07lqtwOR2bM0nYnCQTx
+ZSxtzs8dJxCGPPYPqmZukMSZfUHVN6zDmEpHbzbEgDbUTdmtVy80Zo7YTzec9fqE
+CKlfK+6i06YMncZV4uqMzWUtbENTCX77w99Q5pQTpVRsaV9dDCgn6m8T7zxt7JHC
+2uyH2H0Xk7aYQ3aeKqfwmHXkcGIexkxqJkR0JOcRa1wSEhMWnkoN1IPPA0HpcuWL
+/QBI+Y2ZoDBjQVcbtB/VlCe6lBTBw+4Pb+fOqdt9DXgqMhoBXeeLIA9UZHef2v8z
+cHT02+QpLZfdf8X8hcgca+kSvEiBrjUClivM5U1RcG7uE/Hqc0JE17B9LboRqzyk
+MUvaWntz9HR09Z3Dlrvz/rBcVYkgF+tiLESPlINqnRLUsN+/xn9+VezFizO0G39X
+95gO9W6lwc+CAA7iZL4+yVzfZa652Yg2eck8EOgZ2N9r+Vd/7rPsv6ysGpU/7p/z
+96zCPaZ5FRzVUrh2jQb9ne8SKr2C08XxAO6pqvDEJxHBYC1U8dvki3dfbyO/rNei
+GzXpJPnIvIkE1++XxPlWZz7xFOEP5qufivzm+P6cGCNbme3mY64NYhNsDox92S6h
+PtYYxdjGrp+de3+vRwQXFkt8WHxg3jxBk1H06832rdP5Nx4SOpPEhFv4xE46oVr+
+WcOi7h15De6dk+0pPZaBffBj2eZjs5lqdokSjyS4ScCgMUVHz/Emq6XLE51C2SOb
+c9Zo6w6/zxxfxoXJ+CF8Srmsn5H7cw/tqnTZZmOjsLw0Uh4LaHS5BIwvqfB4z1EU
+6RwXSVvjNdZ+7uBKtmE3rETgAneiNSt8JWvpSxV/deq1exseugi89soTc+ki1Swn
+UdVwFqkfgdODn/zZGp8=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.der b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.der
new file mode 100644
index 0000000..7ebca11
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem
new file mode 100644
index 0000000..ad926ad
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE5DAcBgoqhkiG9w0BDAEBMA4ECLSMnow3PFQjAgIIAASCBMKuiZ+kNidmdRCN
+EYHL8FVAAPRY3RFrjZfqNK8XHSxaZzLWjaCQj5Yv14ALjs2k34Ru/xvqRfamN4NY
+M1MrPt7sUSS2jnDwm/IQ80vYYgmH9zKexVTMsZQ2CoLEM3ZMLm6wCkEHuuFZkQX4
+Z0EbnXiWs8PpfrYxed8BMT5o8cW+yiixxMesyj1x8Bgp7r82ZpVZshhDXlnzpbnc
+IiSaqe0obzGZnNu5I+/bXTbyXiAccLj2BuNqX67Om9LBqh/igwNpHQpNIaxmvxqL
+MlqdPDjRYN0qe4d6JqqnFx1YzdTiRLlAnHDnK4G5mZwb50Nixy5mrgI6IhCrsTHQ
+09/yfo1jHR9ido41Sbu7PcVxn6/gzpNVXgwDOw8ia6Bxq0dDnLH8/1IawB69DiSD
+wuNSdQcBtJy8hCZN7wa6uNCzTclvXLwOtTJ6D//UmpFRv46ZYsK6uySwFwDOeDrW
+AyuSoKd9C9cedG30XAyVHFMffkZYCxT8RnQuLrouUwMdEd+7qeApQMBw3InyII+9
+ykhoO1qiH5wyehNFmxEjQUTIdOs8hcOic71FggJ/+bMTnji4ukdPPKHBSdwPjbnc
+qe/ch/KDfIUNyy/51uNMjSdOweJqG9SIIlfDG6Pd2bMFkao1Y7VsG4AM89mGYIWo
+AJDuBrl7AEsm0WSVENyDa+7qjKsS06pcFG0JsmeZb62SSds5+/Nq1Kn5//2ShpHd
+SA1NabnMn1fpCI02tc66igk5isjqp49o3MKguXwiIjo8nGM5dSy/qYSkVhLxVTzz
+ovYhOjMoHRFYqfK1wxT9CExLz9+CI8sWawh1/hDKha2tPlhm2S1OabPTIk3Qn36W
+aCbhGXYWchILReK0d9W6SJZ2v4uNuDjbye6qrSmCHBurCw17l84kBx0vFTDDW80q
+VB3PFUOL2+XYgk17qagMVJHJa5s8ER//MZ3QDO09RJktusaKClR4kE9xkZFUQHF/
++U4L7DyCtGr1ajdvudNXXYtlD3QoZukrsI1v9XGXPWloVRCU0+x8VCcIKLbwLmGD
+NCkeaQbOypRiPc0WRdJnwsjBlDC2Icd9zWLH8qnVBA0b2TGh3amalsUkEy9NSuGT
+yDIt05uQP0rX1T1rohMNOWHkColtcc6ZxlJuBReHWhF+9RJXPBtA3TmVgC6x0GVF
+FND8DKWHGG+7h/0DKD9r5lRNqhagmQnqwoUVtn56KtazUtrscAt6O3RsTU09Ys5A
+jsuzR+O7uTT0SHr/24YtrqNnXumJZZHayF6T0xpn8xIhWULoAjm1e4EQh/THcMYJ
+PwriuoXZVWZKLeSlomlaV6BD285eTjmjfT5SKv+Aqji3XA5PJXhUtEA7x4kue45G
+4sFWW9eCMpxXecJhO4Dwhk8/dP/3iOFTY5tHtT4OO0c3klI53O2U98D7781QIEkn
+dE3qsTXurM4arvsu7EYMM9ihrqeQbb1pEySfkdT15I4bCTFRykYI9ZIZ8iUgFtAg
+TUP66e7bkv8sxZLHKGpfOSUR+jbQLyahtWz7+EonSUYc9AbErXnnXmZH6mgQw4qd
+Dgi9i5PGWr8I2xz8l7+H9G2TbueSqLLH9ecMRfey70W0D/nX5k3B+SmpTSqQ3zvk
+k+pM9bWevlc=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der
new file mode 100644
index 0000000..6d654f4
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem
new file mode 100644
index 0000000..28008ad
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem
@@ -0,0 +1,53 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJajAcBgoqhkiG9w0BDAEEMA4ECPkUjozrjcILAgIIAASCCUh6qXN1usH9xFF1
+BGJOOudiy+TSxZXhEFx5BBhUo7QgeixZ8evDOsjiKXeFCaLszkdN6q0+a26G37Vz
+Pq6umDbE4lmwt4WSfvwTPEKmb1Z0e3EKiqJunjigvCASaxsnU6YebzvGAcCqiCHx
+PvHLME/5zWhrBWvsPapGZMIOplXuZneQz1wwtLeUtHdRE3DNbbBj43BhRtNu0HA/
+S3WtwBVn+pzeNuAt4c1skQzp4Vi5wZtVxbw4UZPesK5K3v3rw3irl3zI5MWb/Oav
+T8ZDcsGmOEnDJQCVD7LnKcXXwSCsvkFOAZ32UikX0g+htY0AX1691Dtjga5cNhnW
+Vo6kdAO9JzrYTPgzacldbUg9DdOB+Jf2fcUnFtQEG/t8jN1IroswiTkySQ8FEn4b
+ch9CFvMJmR9yQ/Xtb2E30CzIJZ8gcfbR+kIxtJaowSB7N9YEFcCehfxH+stFifU/
+O1MW1k6H+KQ4OFMChRJr4ZDQxGj6yK341G6sJn8KV1/YN6mAdjh0oYkWO1WTKIMs
+MEdVyrP6RU8r6tWppS8J3C91qHBp5Uq7QQ+S5cgYLB4C9Y11UuRCePdGx4rx//aA
+ibPWNvnI/0Y9+76KpWos+QgcRvkd1xUWN6lc2p8W6BNW5a7xGf0TggNaGy4PQ5Zu
+oQc9T6c1OKB00Z4CKXkLV31whq7UPcC3bi0VT3hRr0WBI8L128QhV00WqwKpyRsW
+HZb7tnkm3fU6hirLrSb/nmh/fQ8E2wTju5LvRqXNdjk7u69Tfs30qgYlDXUtGd4v
+MzM3Xpw6he1QirK2jYKGX0aNcarc5eWHm0hc4HelJO83cQCaWv+CHcNl96hix5Zs
+i+ME5L/C3nJ+5xRfsMdceIggwWL4ZRaH/8zMid9petOqmkYausQgbBZfdW6jvNxA
+BPjV+rJDD+o0SC82ZXBK2TDNRVPJ0TYGSjh4fUp4yRpM0I3UZV0eOl2tTu9xwBJu
+ErcklEDfu0Do2uD+w2dV9fU3fI5kZJQWNfhgMqUumbAl/pNpOAaU/WxX6GynaX6x
+NgntoNIO2m8hzev5ORdxcRm90cdrtc1gBqkX+cKfepDE0tr21/8J1cRcgGc+M5tX
+jpHCJWl3wgnfQUfJam8KRPYEzVFQg+NHHa0YnWLihAi/UwUegjekZbF8LNmqftEh
+OU+PfluF/kOecEFiXPlzejlnzZtgpDh9oev0fJQVkH+1zDCMJDmTAyYa/RofpVNh
+yslPPMVMvbrarrZUR13EcdHgq3h76+wrgr5afnQMkCduVuTrZv0UbJ87Bj8L1Q9l
+AcwCtuP9ADijvOGtyv3/TVFxVkwLhjMJrxd7rr5pZZ70O/zaZK7zponJ/ieaeu8Q
+YanLTkLKDXk8HXBcBV3J4FJ5s19JKMLOWFde/jE3/+FN6drUz4D/oKAKNzzAYmKA
+6TWmB1ICmyXubc/oPiwNFLc/KiNcIL6k30d0ezPOVCQ+Wvu4mM4vOCKm8hxg5rFm
+yn+KO3wLYi3T/iT6nUYGUpjTvEUGjvn5dwRcPIA2TgQNxJy+KswIpz0P9GbjRVLJ
++Wb/c+wbzLzM9KgmM6IYz1+Bzhmz/45iFhZBjGAILxu8G3hOmdoQJFePwqkehHgT
+6L49fJ9niPkc3cUsRCMiY3zoflV0mtiworxNgaHEq+J6bRcSSp4sRNH/AGrG6FHa
+dI/9FNgZwSE6rMvE3IxVCwlkF836DzRvlcELosS12KW69pNZokbONc/NZBsyuWq2
+g/rjVN7Iyx5TYt4DUgF38OtZexgJzgaZeKJh8q7nvThpZo0MzbfL1ony1uslmmpx
+sMjKqGIPtU/Gcj9eSAQqBY5cWbNOUXyC39Akoe+YVNg2BS46s1Oj+IU0d8yyMtGs
+SKGlsO7EuT0Ndn6ZrIXMhWvJzy4XuAGmhdpgeDkDHh6iwLEHZAqGZ8qbgO+UW+cb
+pn2o5PHyCiMjkX9M04GzVSKQ36ULapXlqEH6PP/rXz2aZftvMtWZjaygh3240gOH
+bZNkYKwe/yQMprb05wvMU+g4pKmz8g6GZ9/ddvSBxDuFc39iwiukZTUA/lfER+kS
+c1vC2Qo0/aPXUWXDPF2OMwPYzHdvRgZtd3y4no6lzl+Mmsx8v0l53+ErBWFvxX+b
+2jRwxJroalyZox9HD3XIb2nl5ZBDdGQ7C8WpSwlJvYDV7FsOh7ijz6UM9iQ8RKJv
+6HYoWLAZ6Tjx1KJQ7j51wUMMWtmy5ktPCCphLYlHTyhLGNAuYY1/y4dSVPHtsjqn
+bA5WGNwBILDvi8tJqSOgbkqQCd4zwZG4LgLp1yfrITX9Lq2spFnivRug0LySuTOd
+/htruYm7ArA1GX6xzihD03DiVnWU1IawzOmDhujFwkwlrI+zMFuVsoObocQkEPTr
+7Z1dQhafMQhHZ4LI4t9camcB3ytCEsGsURFnATqYsJGc83a5NhSoqSP4b4AWlMye
+vOILcaoOW+UpjMah7+MIahz0NOr9YKpCNvgM4WybKcsWVjer4fKh8GiWowoHEQKS
++RR9OqfGhIzcSoYE3yxURE5zUB7dbvRtWhIIP+NW03eL+kCLbKK8QY/jsTm8kKS/
+tKZIv63xaA+BX0o0Uchgf9bvf0Nra5+CLGb6Q8NWeCnw4YmwkANiv13eeOzepuYQ
+YldTRYAxxjGLJqxBDPb9MCVBB0G6cXvk7MUNL3MChG5bGZqlY/UkV7Yyp5nLiFRo
+1a/LQKGHtlbSaNgyGUwof72qfNQZshbPvT+v72YXF53NkzxZzjA/fxp6qUd/Xhoa
+HEXILcDRpUNEbdp1adnv8WMJh2q9X/D2qHiCxMJXsQZZEXjuILtZzjqj4cuVoPxZ
+qfzGHtaBZJymol95iqcYXpYW3OYDYUJDMby7mEENfyoYA+mYx/7qlVaLBPScWZwx
+NTOrntNRYrhLcabHsG6iT8jGYfpAw5Li7YlCMIzXo289fFKMxTUB5ynpPkRRxHeT
+AW1itLT3AOsg/E7CMF/4ePe8T7bx/2Mj6YlovE0L2n9lu3AIKZAkdlst4qS1gy0K
+2pYFJn6qIwBKVXC8RwQxX+nBOMFxTbrF0AxZ3Ff2IF1x0+JimljBFNr+ZN9I78sQ
+lJUtQrgooNSYZJ3wLAZ8DrHb11dg6EsT8B5dtt3EsnZZZ1IHFbedAP0JxVxTTe0+
+7+0jri5fFGtpGIDCl70=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der
new file mode 100644
index 0000000..b6c8249
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem
new file mode 100644
index 0000000..e4333e4
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem
@@ -0,0 +1,53 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJajAcBgoqhkiG9w0BDAEDMA4ECLM+ZvfOIzTqAgIIAASCCUjfmUnY9iRw1tT8
+WER9PHxdcq3hHQwc1NE31oae0fgzT7SDLrcQaoFsiieBa5DpCszjxErG3xlCOspm
+XPHD2zGdGu3tKfmf0ZhezMPfREg3OhQNDn82TIKEbs9bxvDkSuKjuDGGohWGNu1k
+8eE5MfkrWUwcz2mGhPjgM0vyBJkMeMioZLzoccwgSti6AAwo4f6ITnUjbUR65VQo
+l8Aj/JuuYmnWm7v/eh+I+4fkXHE/DpFRaIPrhzY4+EhgTLSHvkoEEnMGACS6AyQw
++n6IZ8Un3SkDPv8laZTUZIRRJVFmC1e6B2KW/Ky25EhnahDNvGALTanYdsvUFTXb
++dr7HAZjAQdWZGazifUNiqGBuSTXy81zK2NJBcztsAqaELWEufvGfBNngcXwgqN9
+vw4XHkK6mbAVCiVdIO5gx3z30LVdQLeXQE//pn4Cx0cmwXcoCw+5pIaTHQe5HMWe
+4+pqQ7igwr8zFAFi5ClEfQP0L2DlBI/Wg4mFEP6ROW9FxGg5+9Sy+l3A7ke3lh5d
+Ed3N0iqMAU0Ra9QXnqlArxwimuzLLleV0nMOL5jtG0qDWQhx5Aqb8QPkN4LGrZWI
+VG7LFfPxFXFe8LlwI2n68CXOwYWAS2v+8Z1m4Xe+0ZfNMk0UUWhigXDmgXihRkoY
+cDfVQxR+LBDoYcTXTVawP+YDyIeVz5X+EaRkN0m6bC8zG7/tYBEafdqjytUrtnZw
+za+CfYRNPT5DZfURL32yKOSJ25PXUGfMt+shITmVCJakkIpI5WzhOoXbFVSNrNDt
+3jhzgcSVOge0RCiS3iXQLOzhqLJHc7BkOkgRBw+HR3HIpmiXNm+GJJdVTxJYsdf4
+REIW3tGzC+77BXdgmI8bvOXTvOkA4aEYskNGzoslqpoIvcHVjliHbHcjQLkOc9uE
+B6TB2qebX3GUFw6PtaazBcCs/WmFooprn1k99+Tp1ZSNXdfXMaq4IAkrixJn2MRS
+T4vhzF7rrNQz/x3ky8QnFTvVKg+Ruo7bgJ83J3vuPTDZFO9RPTADjETA5FEHZTtP
+Fj9vcPDawNwl2ww0eeqhiM3Lx/nGzz0+8DRykWAX7TPQdHmSEF+F19nhMrdls1F2
+b//ULjF5z3eV/qE+Rvjl8u7SkylXPvKbtVl1MV0us4tbwEz9pOViKk8sViISj1Gg
+RzydfhpuCq5cFExDvHbUy0EvOZN6tq/FcuQa02jqVWybmqmQtVUhUX2Cgn9EVE5B
+KYGj2od5eRyx+1Nb9uaYz7WO9hX5U/zpGvZweGgz7+/vdt+Yb/zTvP6beyKbJVhy
+7gvBiuQcSV29bSUu6wn0IAN+34eMqkbhcS7F7e9/QVTNKaKF6Wx5jtoTUDp9iUlN
+C702/MghLNKp4g33MkxryxYgVTbD8YuLalwQqzmytE7AnWX/f6Z+px1Z5aPGEfPl
+R+DgvWWAptmb6NtcwYkue76dxy5PBdBsaq4K++W2CxdU0c0yj6I3X3ukzlPWz59R
+T6q1ArHXv4dkMfa6bV0db83nldsypXN05qP6CsMrycGQlYQHKlVRjCav9W2hCKyp
+nJvL3WTelGyDrC5cRNTZ3N8peMmWVazF49LhMZPpOyRKrvtynmRyB+oIQPe1ncOJ
+8VOszefTLpzaIvJsFcygDq8ukZQsLxhyZghC0rKltaeVNYrbf+c1yZc7Xc3CTigY
+YCZPNgIb2CVBwxCV+BhfpYAjCZ5h2lJqt32JwxJcc+c9+ZXO9hvYXY54Sv/ccK5D
+O5TRDlFmS+PPg6H96LoyOYKy8BGACgTAIQFSNpOQq+LCDLcdxpsUxtfdLTfHyu4k
+0+vNterIJ7NW5dZAU1rs5s2Kv/bIglMrYMUPV8gsewQTeHL4OwtcWgMWjgeASTdy
+PQZCHw0l7NZBugUYwlMh7JiYerLhiAn8CoqLay6SKpI0OFhSjFwc5AIsSsBPOX+o
+Y1kPWqzIBeaHOJYHyl/y4fvCz/8XC6nKD2wEem0i50RUMfZqAX/JHmEe2jxkECgI
+XDIWPPLjP4xmb30qTIO7zsOPCc6RUCcPfjaTWKdvlL6GE4mUeS8+U4P6KrwY0KzA
+yNKaGvm+QsET8f4YYma9h8Qtjmm9obr6eHIAOhw//qd4gniau/4xo8cROYJXOYzY
+WMinLRNwO2U8k2hIzzH4c2G6GQ2+4PBlJwjpDj3OX4wG2O86IlTgWC9R/qoWDVLr
+6uuzCtfc3hOQvBhscOBuwQdRH1h5Q8aznHzafovJhyuUi/HywcC+EQjuVnlEUDOH
+LQdPczisyByRn7tgZVflKsgsKGRWu38LiCYJTWNSgFTgS0r7vPXf9sGFEsyezHhK
+FFpUMga0NbQ+TgRv+7jDgjnmXu5fUrl/LdhuXEp8porhLd0QXNdfyd4xssNnHDAq
+nN9SlG/VXqZNe/FX8Nbg2dvaXAm2Xqnfss8NYSpHdlWQvMPAjzyqictqjP8lKCK2
+BQ+ryu3Shq9jP1LoKbxjR9A1gZUcDe6YIcAUn4vu/7ehmCvbZIMhDwGCbdrabtrk
+Y6V0/74a6lih0BoIAn5eF5em1wFlXxGVl+F/5O8IZv6FvpaH3DZTIwqUVRc08eai
+2zm5OPNLlBiapfLD4jOYi/RLWOEn0TVOjZCPLK+Ij9+I4zhKR14kGtjuwQf77Owh
+8t1pNW2kuxqtAR6XniQNlrzraeOA33TagSaBmFT0SuM3Mt6w5iwPTZ0GMnSAKCxg
+93Qi/g7GlNgNRbWEV7yW5BJcVuem9Zzq/nvUPHQ35MRhAb3LVf4JDX78ipKM5nuN
+nb1si+4lhxll3JK7HmTG9vW5VgRCdslfYmgLjVGGQizyoCsd/H3++7AUskDsptOG
+c9iJtXE2RbW/VW8e+4TvqNwDCrtXGbLtw3GGyRoPdrAYOpABkuFoP0yYtvwM16dp
+2kAvaIntN1aZbGVblJVNILv9SfmARchemI5Gl86RfyX9XyPAZ2Gma2QTXgm0f6An
+BOYpqHE/7E4tEL69cyzkJjtjES0KqZ2BH3UXQNtuewo0bx4u9FSt5GP1qdx5v0+I
+stI1KFTS4Pd97LdssbynNJsCex1ns6zXE60JlppXkTFInlor4bMi76PfjKYepQtJ
+qIw+cDvt/u1KVQh8KJv+c1xQuABJk18RERYC0os5tTR81UaBAiqNwttJ4vjcC7Ku
+yIu5YIqzVqms9uKNYNw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.der b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.der
new file mode 100644
index 0000000..f3bda63
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem
new file mode 100644
index 0000000..53867ac
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem
@@ -0,0 +1,53 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJaDAcBgoqhkiG9w0BDAEBMA4ECOJxEWpN/HEEAgIIAASCCUYouEt15A4DUZoG
+aJvr19vCKfGPErYDkh1fI9u04hDEKCdb+Z7oxaqXQ34rr0H1t8/SPdhpvqms9Bsz
+3nMIlgzEPnppyiRLCa4Ycev0jtA66xkxgGGXnA5uxZQcTOFsGDR4gpTn2hi7//BO
+gHhKVDbCd6nShZkNgNUe++tclNg65Fmazm2pwpnCPfY9TGnou8bynMrJrau0CPB+
+v+pI3NR39yxDcq6MNII542Ma8bZWE++WmqmSXjsnXyEV850Dw4j7khbevXlKIh3C
+fsf1mb1/lUc+8HtsjFLgBS3Iag2D/AfAbCDCY3wWG5KcMJk2CtNayOAmMetL7P1t
+S+i/zTmqAeNVaUF/6ciwY8JNA9YHnjV/0LH04I1Dn1emQVltcqKJahDSoxwGeLD0
+lv0EMQ9CBRHqdKKVaDjBJSqLkwQzLuiqye6ZREnoeIL2cYXDqWoxZzjtxr5t261F
+jl+gGBvAX5RRKz3+Vj7hb8y4n7npYJYXk+CanrsTblsBhOMaFhgup+Vd+UhHGQku
+FqHR28bHlJzxgUvlhYV/WdMUtHlGHvpax1Zo57ToC0JxlX/o+lPHiZvvpGZegYOe
+Mta5f4xI8PcfVrVbfpHaEnt+ffZPtDVZUfhfZwlMniUKX/kJgKGdtpnrgm0wefUR
+ymKmn4af2tY/nT828+pOBcRY8WV5G5EPthkA/EemXTor04bb9mglX9ZJ78vrv0n9
+XaOXkMGYuj698Rqkx5BtaVX8EjWKnknHn/GOLSINu38UelRDV+xf5GQyDQREHsuu
+Mkj6AcygD5eP0p4AZZaHw9H6nytoZ9SX/vhUmRTk2vbrgnAPwRBFnZy6S4mipfFc
+m82EyC4RHklbIriMRRY7EHamBrUTg+8axCqBWY1jtSvTXwm40ybpigsiphtbcaCN
+9hT13VfVkglyQIbmxvxeoo9McgKv2BoP+0i5xIdmstu63bcHxO/DaMXw9WPOGgdm
+kyFU4MwJZhvk57H4HwleIPXXJd93OJ0NNunDgBWxh3mnKqnM9hpit6ljjl8y41RC
+QvJTO5cR3cKuzPpzTqfpC8eYeXiYChuFDgXKXubGE/PSSzSmU7cnKUrHAOyrXlD0
+EdCZkQBFF0gnLksVSjaF/owORlc1KualcD9ahOgWoaup4MqlyW7A+BHJ+f3Iz22z
+oezU/B/FGPTcRc+kEpPyIHG+98nNeh2N5nmY1+piXkJCsq0WdcjB13t8MHLLGqQ8
+shUpiKtkwtO45DIP3xVykntZsPb2gHuj2JoHjXYnxmZ7MRVbTe+s1F3xpITNa+G2
+2Yorp0zqVrhNfvtsLG1i0XdOwockHo5k+dAFkNngJvQVTwsBUw/gqcDwgkoG0yKZ
+NZTZDRJDv3yfopbIvGxmXBj723/OcR0prKLHUc5qaCvK5y0rvM7G+Dg2/W1rzRGx
+9IjCOyZzkUVwE9vKZO+mdsa1zeVja1DtU1sjh3k3+Lw6P2+LcVZKWI7IjJ7vcNxt
+XRI6+jlaR3/ht++3+ADgBpZUVAzBwiKeaneanFoiu0kbXv+G74bVDXvKLTXXbynv
+0mabkp8cszm2wMehp9WuqnBKtAot5Q6sPg4i6E0si3LrdDzKgENgMAF8+ShG5r4w
+ULHQBwMpvNS6LnrY69TqAQp7MNS5JoCCHnQqXSgUQN53Zmcnmaz9qysHvbJLK/On
+Rp0akU5A+WHFNPvGqkF8ou5OZRrN9XQMk75RRgi1YYY+UddiaBAsxqFQBKq5ooxN
+0sE65WM76WU2/v10va4iCNPTFjB0MhGLrq08sgSNfHhePpBK+WANuzjWDUWS+ekC
+VCTNBAARzlPoxuF0YsUUhwYxqFw/VC4PW9WeT0kx8pvaIwhf7Xk++4TKbdayQehK
+ImH5vmvpeWxNa1O7nVyvaJfNvSoj49X1zNg4PKDAOm+kEAjGvWeWKEOiHTLIXbzu
+HztTw/pjNJ5NaCNVWeThYYduFuRZaqap5khpqP4s07zvDvkTyKiJj3MSFel/K7UV
+uy1e0HPymTFToeinLW0x3YaJnLcOKDmF0DSJB1gVwl55B3rEYb8tODF6BLjz149J
+BT91EXgj/Futj3YpPTcIjJXsBDElP/KaBtB6uZGkmXgnz8OvRgg7wJR3n1uHU6r+
+S+19ugY5I5hAFFMLAIg+zO2IqSXW1B+CiE94tr5z96VTyIckO2Ov6p5fcGpI1VkB
+KtcuXGUVuF9pqFRKkFChu90OiqxdcdKYqgjHy1z1jovuYm2pfCB4kvPLn57XVsmB
+T0ZcdHFBf+SwxuKdr8KsK2k4er5c4jTTIflWWktrD9JLcWLc1WUecL18lFByOOWh
+5fF7zX+NNsbMBES3F6TG+06NfgC6z24/h29zfnps75usEExBc7YHJsmWl3Aef6bF
+vcoS2ug8ZXaiefhlFkyx/frGpRnD57ZOvLCi/TUVf2G0cynEKvfsb21LN50eMKD2
+HiIBGoNj9f3vJdIhLTDFurf42ocY5EQzLGleIQ0Zpv6285LqwqKKl5v28o+A4qnp
+Xhkt/3pqZ6aJeSCNQd9Zg5tOd1tXpcTdzl/BmFIvmE+SIsYydLxrX1UEWfJfEL41
+J6qXTzebh7N16bGfxU09OT7puztuK+/vAHEvCGINddDaOJFayVdEaMVUux9nDkoz
+b1U/5UxzpzFdNUZBHg1JjkUWK8oTGmkJTlI1aKJKKA1RfmnzwOd4PeHI1hIuT8YQ
+8qwKY72mCCb4Sr+Xiw43CqJ9NgWCxYr0ua+hqm2xv43QMhSCNd7v1Dg0bi3ZgOi8
+1eSns5VZFww2JkYo7rrKz21EiFXjhZ4u8MF45M5/cbDqbaPVb6FMx7MqaKmnkpQ8
+xT4BC2M4xCiXnYrrjhugw2/FMkMchIN9jG47IQiACQ8pNqoTd2tLFCFpTZeeRCaP
+Dgd8rvaMXjY/Uu9zB+LgRlQ/c01hGL+/d8cNEFzTU9jajOLobi3pKQqLdvlo40Dl
+qH6eLTnYusrZnZySBuZD5c57BBW4GMuetvtqr2l8iV4BJnMvLZ9tB69eA1PhKXwq
+tHY7a0YkhLUUqKFyPvYcnHjU9Bvg9PnciXnoDFMP1Obkou27vpI6NVmIFKMX1OxQ
+A2IJ5YWaN6h8nJOV/THzKjMDmPbXLmtQDuaDPpDaNE+oDwto/UlSQPV8KtW/MR+s
+k3rLyN3KXoVl95gT
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
new file mode 100644
index 0000000..4f860bc
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
new file mode 100644
index 0000000..c7cf185
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIERyXk+8ULCgCAggA
+MBQGCCqGSIb3DQMHBAhUeao9yOi6uwSCAoDMyMGii0I2y8CvM8SrY9tRx+Zt8WsP
+vhEWhI1kbzWpZUdS1URWGZZz6oS33GnvUDmN1fZC3V/k9OcknZvfv8UtHj6RhK3a
+dBgLVjEkFfqz2/4cOfha9FrRUJXXwW5JmnNhn3e8WZTvbtEt0e89n4jZWjWnkeoJ
+rySKWuPn9SKzwFdPh7ur8N2BfjvwxdAZ1uShnj/Umik8o5wJZUz/7w0nd7JpcsOE
+r9wC446li8t3owkm81z5jFTQW9SYZmT0ecICF1CRJgsp060TQzBeAKAM2skiOZXr
+ldQBUqZBrYV2ZZ3+bepLrmsgobxDzhiNrRXjs+8lO3TGerc6ZD496Xv5XSJF3QuF
+aUjWnaW2YX46nRWY60Bq3IhAbuAGF3YGvk4O/+n90Y4NUXj8mwLq8sFMlXKMyxLy
+fHBfWKpwTFgtdBO4nSPrn310+xiPSxU61WGMZkBlgv5X75xiX5ZYktUxVlktvr1Z
++ZPeIMRzuoeK8J8iwzx1ADbOVPCAGnPuYbvUalGoGQkjCUEdL08XauaUdK0eDMTh
+5gh1amQg+PTb/ZmYAhaDjHsuzIIgfWtsfL+Xk9AsTimK/qwP6mQLT6Kb+PowX3mQ
+Tr4SkJH31Jp6mTxueoCtqPEC1BxhuDlqlTvmPdgIPCf4dbFtsEsSGbWRUYuZXgwg
+Qmhp6TC3YNPVtLusoCMwjXkUSxRhScAzb6RpEGJwL94grF1UvTfleTGfOppKxZdG
+yjzbJcUlcSCuw844HZDwHVzORQT3zxaguKuu/XcgINd5mU2STOopz3AkHhKLSFej
+UANon6Dke8NLp96JvX/NN8zqvauRHg/r7RgcSHQWRZpbAzX4bgsEX2Mc
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der
new file mode 100644
index 0000000..6f1eac2
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
new file mode 100644
index 0000000..9ffa511
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIn5qnCAJVLccCAggA
+MBEGBSsOAwIHBAi4cuNF2wB86gSCAoCiwf84D3eyaesCJsiUCgk7bakku/Y10456
+CzrvLgneXNCbksRuCb8iFtYtiHQJcUkAko9B4uVh/3u+L9dNMnBAEEfdW8E+40WM
+tJZcX2f+FMZPaXNnGkS6mGRJc12tRmg+1wZTlKWrk1hHzEom3SpPHsIvz+aWlXUO
+Vq0mYp+CQIRC311E+lxCT2acamfgyxrNHZpafUq2GwK3NjS55jBg5DYcp5uhMOvd
+sPTh72+ZXZq8qn6dqu//RD3L13px9GGsdFPcwT0BPdpKYLkJfdAXRY002DpjAU9R
+k3LVxl0O9Z9VDzjnwyJ1qSjmo+Ejz4WsDfwT2oLGrn+6UenTsHxAE2MXmC+mm4r1
+CJ6vdkgw4PTJGxgwVoXaskfzCyz5LjW3oyEQAQn0DHZ1kVS1s+pFSQo05S7wfjjR
+KcYwfkMjiTHzWQ5LQmt8/a7GdKSJNEi1I9cs3M/HjlUa3U/KOYrdYlQGp1eD7N5p
+mFqc16EdWaPjtVEZWWgprjLFA1SmqAnBtah9xSOHCOmqxbiUiUa1tQExglVYJfTT
+cy6HRMBEP4yflxPrONYiHFLigBrb+Er0IRx93BjxGXWOriPytiYWG/idjP10Rmmy
+3michch8jBYL+fGNiZs/sbK6+UVfHbAv5lMNvNVuntlnnCJkobBTdUww2YJKAamb
+m/URTp8k1xKenzCfc/oqj2zl0j/vxr5jsv30JL8ryHzsUKYnhy3aoFNpknyM6Kid
+UAaQtYX11+5tvnI+uKxzjW4AYi45PmLTul+bN4Zb/CysfGbWPtv5fiyM1mvSlyj/
+fI98jOK5GM2bALc1cj/ThK6RNtsRwCGohp6RO3wSlmfBdYye7OLk
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
new file mode 100644
index 0000000..eda37aa
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
new file mode 100644
index 0000000..27cfe33
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZdITGAo/50oCAggA
+MBQGCCqGSIb3DQMHBAjfWCAUwMOuFQSCBMg/StIx8CULnYk9CXeG/+Eg19XVKIko
+tb3HTIgC09NBXDMPZw1C47MOSo1i7PDuwD/i5QduKpWPDQMWck3sjf43k6Q2daRz
+7+dYLU5loKNRZ7HiYuODSL15/nhzwFmhsuPFm03/SCQqWfp6FtZvSDDXHtzPG4LG
+v+OaVo5X5N/AqvP5cdB2g4q2l/MDtY+/m19XqzAAWvmvZjZxOJ+xLk1jzK+uSi0B
+X/E+TdESGIseVWu8FXm+4WNkvwO4pFjJByzcskazUqvWVgmErMUv2lTLnZVsjjT3
+oM1wY55zsgg4YDpv8tBj3X8A6EmM9Bx9C3qxerZH3Xw2quNOcRUx3VmZ50p46nNh
+Og9v0OQKZiD7Z++L9quZ8PSmjcgq959Cwh8r/EFxDHM78gSTxA68UJfNxPjmvxmh
+9GkI3lQSp8ZD4dFUUujUtI0QmB4xNU95FHLRQmg+L6i+6vEH6FaqyE1UB11y+lks
+1it70NkMZx+aR0yd1UgE7RVZxXolNLaq5hMXcS32P57dqzIcluKGMcpAmOM1uaGh
+Bwk3rNX8CFSX/QJ6QdZjy6k0+WxmQD1dJ5bc0+WMeuT8rpGpqSvwXyeaikagU6sH
+JFgaLmWewd5xY9/+WCe0nPKJ9UqSCQ6Hod0+2BiiDgnfDWeBD/E0gPcVV9sdMeWi
+aaiIGd/a2YxB5yW0oAIBBFnm5koTWeKW/K+LDWOE67S2qSxIfr1goFxIDbe1Y2Mv
+tDfWzTVp/GxTpIxKxobCiEBWrk4e8vUMp25Jjne4fW1+/bwIZBjirpgBO9w/fIXU
+LuEEZgEyczGgGulij/7P9XhyMFEPmr43LpOo0poFpRHjvBCFKZuxw/+PbxRhSqC1
+Ov0d32XlNzOqtklQv4XZc13AOKJGdRqw/h5GXud1a05sgUuwQqX09kDjQuJ6hm9Z
+ftWihbzSUxRg6UMz8ZPAAzl56pKYREfVV/UNJ9u1PFDg0peQDdl0pl7ql+Di1v76
+wGjf3JQ7Yy+zGkWfnvSHOWJs5Kyyj3Dkl8fJA/AwYUvsd1JdfXHYVR1vxg4vIyWr
+d6YU6ZmEtYE7EeYEkD0xeKOtkeEwgFcIAuv39J71Er3CDwsMKJapD7ZWPG0u6Ni0
+CF2a9igYN+mPAostcVm4wBIXam/wZgDxTYX4eXtuVVc3VIr+XU3G3WeS3KCgigSU
+FtluJri02JsoSsTvTxGfa7pjYgr2IXrSeQYPZ03ikGDa+wGNSJliNhE4LLbbOKFp
+SStTO7yEXaWpYH4mVWK6rulw8AHQC45t8XHtW3UU+o3eE4XL+dzCvqlEjBwJAQ2J
+2yymxc4GArd32dDEuHZEEYwpm22cX0aQ3yJw+rhGa0h72fpZEaOrCN0cdw6m1UaN
+porEH2oYOeR6SE5qdu6+PyHwqVNgdxby+dqbn1D3NfsBWg9BnqOgBWUgIGKmRKHD
+rmD03c/2yqInzEEzmSzlQPS0CP49o0A8pIAP/43GwflT1wtDw80DsGmgqIRiyWfp
+u5n0Ocu6UrKxLdlpv9hLHTMbvUZMiLOef7IK+K+Bxc5dXttPe7rtBNhzJp00by8q
+CxJc5tYWb1yjznACC6hOsoLyGAbF7S0iKzjea3KcqnJC27oB4iCFpHITFRtwG2R1
++IQ=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der
new file mode 100644
index 0000000..c7c4c8d
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
new file mode 100644
index 0000000..50337f4
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFCzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIS9yo58mAF2wCAggA
+MBEGBSsOAwIHBAic2lQFfsyAzQSCBMgy5+fLYS4AjX8ayw5sJGpf75L+R8/AN0kK
++nr9nJUz2agr+XWGvNBkjA6XOhcsSNRym7j72g3uRNoqVjdVWI4mn4wEo9f9gWgo
+asGoPKvar3WkxgBvADSPyK5u2hD81ebel2maPwkpn2kDEfsXyWTDWxqnAUFthOCB
+2cWNzjij1g3l6RI9ADSf6X5IbgTfdNiDfQw/D+pneJVMc2L0vCGk1yZiu9pva8M5
+pLSp8sUGgzDDe3cX/h87JL4vb9De8zFgZ7hCfFXmr53BnULPzKrBgRyD6YD+UOSe
+XFMYGNR6yCYTCJiOEJTn5i0FzoFor40lzF7aigSqh7YVl8tFLPEzH51yGBIGlfMJ
+rruY5CA+T7RGP/kIUGw7LftVOs46vNjyNjvt4yXby9Jk18+0EV7Drk+bNJR7ACpm
+ViLWVIvnNF30gqCBJdXa+gU1/yDjsprVy7QfT47iZ5cQ5zUzSJpjRDxt8c8aEgOv
+48TWjtbBiWo0UiEnF48rf8VN47gS/FUxsQ3x9payA0KZnMQfqqLn2QfvBG6TW4ku
+MIOQuCHrFxEEk+XRQ7PLcKctzCwm+Au2vR21pdgQSTupiFnOalAbazsKOYweMPds
+ScvwZpfBnKIE8O7vi//hOsIilw3T8S1RCogvqJcWBAjHSrfKsLqhTR+vsLqYZkGY
+tkdoy29he7uHd2tFoTo5E5zRR1cNjCmt4dEmVR2HZOQ+6FIvk1c/ry14KJEZPUyJ
+YrVeyH2h3sija4snUMlB76UsYDka6QS6P62StxR/T922gbJqmEC9yA3QeMvn1x14
+p8tZxy2+ClzjrieyX+B+8DYFQ3dhvX72eFm5X0pQxK5XIZFOHzEdrff2169/++B7
+C3smjwPfrkajiAbWQixwrBZiSh2KwPMuAPFohfTXE9O2fNYN8I2iLnoRho4MuG7B
+3jTy1b4aySyMnS3I0T4nQKJyIFxRjRg9ovPcUlsu5xmFXRiXI5NqMwboDVk8pZxv
+ChMH+EL9hNmatf5Mth3GzOSC1CIE/rg/+2SkPK3BrNGwFD49JuP2b+4mocVYCjrm
+L2yoZkNq+mOUkpnXI4O3uR1rtQfALBQm3PDroqtKQHn4tCpav5BKgzuLIFyrr67D
+B2vN3KAIIBrVp8luI4/Jf77hrFTF8DMWSN801ig4pg+T5pKKYyVZe1C57UMk94Jp
+RjEzrASBSnEZof3hMvciudp/u4EsxrGKwSUx+Vy3vztQ/F3HpisuodKSErDkO0Sy
+8ycWmR8q4eNRMYyTOhT3c/650msdRbZB2lelwTl+fqg9oIUJNX4Z6FmBVfAPRM0S
+QTSEJu1i28qpVYiRSmnAGLvGETNWJnwXXKaOtoIpmX5kneEDOQ8ZCJHcigYENB25
+9SVdOP22DMJzivmwWdRvKqG4XHKgOT6t0oJ1LUNm/fB4KMoABMzfLjrslzJWSCDV
+CMNYSuZE0oMRVpj2VaDZxet8DQ0+rTJ+BszVJXXsaV3DLWXg8Iv9in/X3bQvZJLf
+ZHSEanldcmtrOY0K8jufh8Fk8XjD494a6t+vI8G/8oGWY4rDkBFG+seBNsnG9hDz
+wOBw/2fpHqwNz1FPDfwn/SBfIAuyLUsxe/w+KpOb91jXi48ifx64fzb4jr0Jm98=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
new file mode 100644
index 0000000..bca2ff8
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
new file mode 100644
index 0000000..c5113e7
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIRkUpAqxZvr4CAggA
+MBQGCCqGSIb3DQMHBAjFyO62L4EIxwSCCUgDa+4NxmT4wXuKjxhe0+FV2qY41npE
+e6jBLdDQuqtSlB4M9A+AVtKWi1sncYzV8FLtPofX25HCciByddYaxsYFtVdmaY1p
+ckl9kBU2JIEZ9kvfBxcuHEVeesbvws4hJMO3ADf5CPS+vivEpYt4W6VUANZJTGwD
+jA3QBIjSdJlC4ievdcxOn0mUc8Y7X+RMmAhEV778vQoTMaoYKOpAa5aQsL5eN392
+GRexE5rzhI+jSctBnGL1t8IhUbceBnLjAIDRyNrQFnDypzAMrV/Wqtvf3H8o7m/G
+3YGSuGa4LbR32PAkT9MrZLIoaKBGxPu64UvxfBFm5RIubtrIgpQXHo5m84Jpwef4
+fD/0argZoh1DSlP/LMJ2s/Rhz6fM4bXohtpPJCqo55FLxjhfBrA180SNXwOWbUtp
+wsR5qIhy78REHGHjm7ClQBvy7zr20yFJn0+XGFF58W2+GTKstOg6o+L64Ad5byei
+VE0SxPhFUamiY2HGmLpBdbl7Rb5El57GJY6cDl9JRgLPoVZf0eYzScv58n1oLT4p
+jHkLZgi7RkoLf9SAyR+Pq8dg+j7b7KLVy3fgIPJxmqERm8kqU4KKs1G5oSmD0wI3
+YVWCB9knPTU7VFnvBvDxmD+02uY5lcKCHIllLSZNWJFjtsYU6MJcLC+6dBDHokF5
+76/h5g7oe++YJjut759NqxeKWpXyJLbHgPT9W0+Q2bODItERHF2d3abGDuo4oY/I
+28+ihesssWEfkRx4s7wY8KkbsT6FCXfR4uTxuYYeygsmN7F6rQhM97ErGeH9LtmW
+JNq6A/RCZaA4rYiAUzpIFZ8x61EhoQtuSgs8EBJo2W7JSJc35zaMFb6oL0Qqkq3w
+rMHlBXlTlf0phppJQxrEPqfCPfqdtAJVLk1SxpfW2RgQH0Gbl/VYbK3Fdu2kdnYA
+my3uuOqT5k5vG2rdBkvIZWMqB97CWQNBZmiV8hUYjqIJ4HipCY3ZTtnXIipQVS8M
+lnVFc+7nSTkzAQ5/RrTBAguiD+b4CvY0H+CVIp5FgaMuo2BaviqqLN8Nx2fUvCGl
+7KsXhWjztJgKPbLubUu2UcmOh4QaTrFQ7Lb+/yt3HHzaUWLV/I4hdOgH3VNdTDbh
+Y6+55ayW/gXzODhI21bDWRBa6RCyffRtYx+4fccpAz4mz58ho7QyvOoKnVzb6Len
+EAAAPJctuwMbY+thu2mBOICn+fni/AMTqTggY37Mk4BAi0641F/6RkujGlz9/2FA
+GFifDO/VSWO9OprlmYCr0HuuGdMaHB+VTEj5j+cwpJ5imUhQHaN1Q3masJmD+sdH
+27Du/O164hIdblbvUsS+9v3l+EgMbHqC61RQbBuNzs/1slxTz7uO61a5Snu8XYWP
+pibxyCaGznvyunCZGTiWuHNYR8OnEJAM4O/wU4ThCzb+fxKDMchs1LG0ptw54L/B
+86oMiScXlkCbdl9fjPRuHTuWBqFDm0Lz77POyXzJFpre2XDbQeSQyTzZFeAOFeGy
+P4mrLDMvxsrUU8U3EGeQtTvdiFjNS3Ba6k/VN7qjkBcETQHEmmOnO7EVDn9csybm
+q+voR7JpokjD2YKCp2MwUUO+rjuTl8LYxUPrmpofY0yH2c+0OqHA6txszkEXgGbz
+oXrgFKZqSM+kFGpaRCIPjkulCdC6IB9i0Qu8w1hCMVUPIN5HFoCkP+JC5jzdz08p
+s8m2ZgkVmcZQCmtq0IaRQH2nPS1n2V2dbEd12r4exfxXiiU7GZ42jszfopEhF2wl
+GCIjc/joTLGZ2M28tGVFDIg+kuCLiB/C97Uf3WGDTmDfqOY2aBfHcJ97rCHIyxpH
+ZVnn94IBvanuoA1DZvEs8tmG4dG/QPhstTVcYZg9wALzOURXZix2zRJca937sEoO
+PpVXOj5509lrQwOtbizl3zUcJNT9GJBYWQTpceNVY/1JhB6EKfnZ+Am+qVD8/rjg
+1ei/jndWOmX628CGuqhCPT7VUnC/0H4oIvYnf+QJlNqv6sbhStw/VPNpMzDiOhnN
+Kl/1aGktHth+IFdzTpmqFbRIxLkvvrAzjxLRGfOnH2N5V+sWBudq6PsQ38QbpdEd
+WlF37Xdq74wpQKmX165eE10hd42DJkDORPUycpVTr3y0zDVUjnu5Bo2xi2AZqBoH
+aylv9hae26ZYLzp2RmAQFkEFxcpuqUvuJq4MtCxmvXivttrBRqaFmBKojxJyOOon
+JQQo6aiof1Zd3inx7Prao/aWI77R/vdaS/j1IWqyOFu5BMi3tkdL7yAxLq/e5cbX
+KF+bJAvKvdjV48cPyMQ4i+SiJQtFBEj5l7ynrJ2XaOCh2jhxwyLJHG9/qGU5dF0M
+YuD4OY8gTxZDpi1jTU5Q6WUqaQBTUrLQqWXEhDLhyHe+f1mqb6IfAfrW8X/Kbp19
+KeOmyOESPIrfz75yG/nQ3IpEk4ufOmNwA9kXYveZOYtFNfZJcjYMIlC37ypg8+Ly
+dzvLpx8xuOplz8aMHtNLojkKKoKpc4KYZ+QZzj9FOB6r0mvc9Sqj2A3xFgntnZal
+soJwZmaonKT3kRQxDZ3woU+JDfw2Sdg0Fb0jWvoyPcYdnQoExR7uF9Q9O262oAPg
+r8g5UNtcKXpGz1x2/IfVNUQwIQfmz1Slty61ed7l+qNcd51jK9RAW8HGbx8Blukn
+izE152He9hrM6XhO3h3WaSw7qx7//5n+VNV0yqp3rQnQDr6V+zcfjgRiNWITXkHg
+a2Xvju81h5zT/RJD9jon3PBg88effiBF01UD+DxENNsJ2WKtc70HvhRgZoI6/e5b
+04YX6HBLSwdbUCLoiXFbXDFtRE0Krmba0tU/i0eRgzUipPDrQQUNt/6x3a7Ks48A
+OC3/EDfcCYzu12W9h0TR09YlfiNJnalxGSU2CgzdxWhXvqxu5lfswIgj6c759RnD
+v6676NRTlS6J+wn4S0ShNon1D/9siAGkLbhRKBc9TjRhxSGwHLRFYSbRD0ql0RLZ
+/8kIlsKSmX/wJo1k9g3MwEN+SddRkbFZwjgZy4vgTQhrH6r4WQzCUXcO9F1i4Acw
+rnMmV9fUJ/IZ22snbGny6yaBa5T9RcvPpCW81PXeFBZo0cK9xrs0t5eRqwmyKTpF
+FpldzwRoyFRjDnGVACMo/X1eaCwvew+1M8fcSs1p+qrBfrfRiI4tg8bNrYdL/0u1
+RoE=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der
new file mode 100644
index 0000000..f40c9c9
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der
Binary files differ
diff --git a/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
new file mode 100644
index 0000000..d4b6933
--- /dev/null
+++ b/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
@@ -0,0 +1,53 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJizA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQI8DHSrAxFTFACAggA
+MBEGBSsOAwIHBAi4/Xl5t4O13QSCCUgq3P508tXVUz0IuJ6CV41vd02FUQl6IxWU
+gk97TENxKooQ1EBuUYDWtiuSICJ/RTKt/y3JoYcYBpdjeEnkJG2L14DfgS+sdKfC
+18v1EDDiAssre//n9sZfUKBWHs8SqcPyNJvBWMLUW7QNtMhoMj1VEQzTH76v1ZvO
+ojy8akuZ+rqE+EnOPtuEOdJiDYW6yRRp4Y/MqUyx6PZPAHfIk/JJV6yulfGSEFLc
++gGI/CUfEfsi2JVIva7JpvfO3N5O1fyC3cx0BsT3gousOkacxcRb8pqgHbMY49Ss
+eR4XCQHwOItpc/tHtNOnZUWQzNxZ3d40vxVV+KuvKiT1nzB3sx/4GacS+ZWkCE8y
+qYvbtvi6XqCpGeZc0iZN2ER9hBucGPU14aNoB4ujFx0u8x01sWf9ARLICIAMAsck
+pMdLwTZ684NkyK7haFnS06f3AOn+LRI4G7mo5wlD6YeXg9dIk/OYUCjFI35uMB6H
+RGOdEqAncx92tPaQYMBBWbX+arqaNEsdrBnovItsnlMTCvoIxGQas3LNZPhYmS78
+bwhlXnZwjnifvRHVFM8c5JuOmvYkPgE6RYPaLMwbZkIhxbbOyQi+gkYJhJgZLrjD
+I9BDUEYReSCmWH8hwCDe6BHrUL40C27tL075hz4x8EBySJrG4udZ6RCwnUiM6bQO
+26nJ7gGjsuBcCN9GVcGsCJ+bfltOvsLUPjS3Ypus1RXKsoe2RL2NbGAVh3gLb4kY
+Lm5agI23g66yI7An+9YA4s1LbgeiE9M1pOgZgJ4MWSVjRjIoxC9aSiNfz+cyaNCK
+sd4l9CuH/pXid9aEluvZKDdu5fVC00ZuMRUzcC8CzVJ6tDq5a7ASqxC624bJYF2J
+nf1OYo4ctY3ExVdAyc0cohlIrarqO+cgdVxdQ9FOgKjZC9Z2xxZigetfQLFVROm2
+XMrD35iIFEi7wYRsUBCyy+ClSHtty2/r17PeE4jvLbNv5vvh1CEe6GD/J+vd3WXp
+meGPmSsYTTnlnM0861tBtfgqBmyKCeiKrPlzqNTsfppLoL4FtRF8WvxmbKvahDwN
+lQOnMhNKF5JoyYREGNAySljaWQaoliFMwO4ZhUR1OMqhC5jEmwp35dz2nZCaweMn
+t9+iuxOygOB7k8w8xRQ/p87/lVDDYLRg5dpCqyn0a+THOkCepD7yFi4+4CG7Qbso
+D1KYvoBe+QXheW/eqJQlGQaxhXB5pOwXfNbcYoByuClqyQ24WLBk6c6R+3qBSnzC
+uTarp5ne6vi8cAK3N4Ho9AOqgqb1NZmSQbu73InKKPDbn16pkFQlTa8g1f0+ktPd
+u+U71s2VtJKSGOGDD8yav9BrSYNXcJ4P2UROIdhQwuEh/9p4AcJWElMVufWDhOn0
+m65t1QB3emjVwHzcHweAuJZwBfap9SKduV3DbFd+BVLROlWT0H7/++p6FXcsZaFJ
+6rQBlSqWHBCHDB1UuNTLo6Pv9HfhxiS792L24LRqQkI2/1zcdT8jlQt91qtIwv23
+F7mGpBPGU05oKDVEPUFTI9K7NNx5CUUnQqVs8fDk/ihQlTQd03LSC3UWOB/gpaa9
+/NSw9qugLNAL6KTQVBJ3ZYfZc7VOJCz6g82Ys9wRmS3eJMacya+djtt0jW/rVlJp
+/VeuDGgrsWMVx9SuXqzoSMaQbfXUkWCMNlpbHJhxz3UQMKvvQrWN3Oz+Nm1azptD
+Gq0xQ+/L25Gax0x9Ks3HE6TKD81AKXmn4HO/g/kvMJxLXJzwyqEk0KpFUlFRXNQp
+PNfNxCz6HytdagFp/1IB9AmdLVznS0tD3hEDijm137pHY4XJwNWLn5/AlGzIRljn
+6iNubxNvJJXGayBrzQS7O9+OvWuqaIY5VeO+ZtNIVO3I2wice2NosHPj+JdtabG6
+z9oj6Of3B3clgudcbDVJ540JoBZa3VMG1qpsg5XOw1K/PUUr9+ky8erRwjUN66L0
+YXCfvi6u7Y85gwm7H+w3k99Q2KW3J2H9nmnRbLHzHDBIHNqcIAm1/idSm45hNBwZ
+P+NuaMuEPB1B7ST69JZfe/puGPnqpj33cZYejxwkdmK4MnqCUfe77rac/bxllp/k
+eGVZtlEVwdA4dpx3jFZll183uZxRH8D/gZAy7px8X8pskrdEq18JLlcnsgDGf/EB
+PDGjSLsBXWA1z3QS1Sp+elVqqsZj4RbzdrIKunq68wEBcVSccNZhR4dMMv9qL1FP
+YnCsnpOV9JuRtViEWgN0LYSJaqwPaf6CQBypmmC38S7Yk9gzjQ1Gj/oGPF89YHQZ
+F8mCIZOTT7MIvdPwDkiYC6zKw+oJU0l6Qc9jcB/JXwNajb2Z0jJ6L7GM5jScp+rU
+w7CYIHtHOPU7PF+ArZsLuSMRGptp+tPybzvoMg9zxG/uBJ1al5+OI+5Ok5xCNDT+
+FkuJboihFK5yTpLhzjvA7YsQMFLy1zU449gRK5DWqUrYw+YKS26mgzzB3fkS/yhD
+G4/Y96xIn76639uEPhGtQh7OCg0gu7/+mP1ZboeLY/vCqLgV/RzLAMqGH6934avR
+EXUuba75LQrqwZbPD4oB32yTjfapKO0uGCubnDRq620221h48dqejCqljKu95Jvh
+W3up/DAJRWnZ9JfNWubW8hzVZoF6BySTlACjXbU9rFPJuARchcXmM6RKrrSBPYlo
+vrF97Ym6RGUo7ozTgRDFTH0IUz5bGjtylR1qtzpvNsvD+254dYDfIKSCyrgOdnvB
+ZCNNS6OluegQbFr6Lu0Qd9F2PAtKer2djXDb1UDiceY2XXnPehAmlnkI27ljij5K
+0vo1j21E0ISc8VVeC5PwJ66yVqkQyPFq6OTHUCrOrnDvjqDGMqPj+dwIYGJPBAqS
+jDTpVlgB8OrvE7z23KOMrthdr7t4wWeTiu/9PEvfP5lODYZ6fLAko27O5W1i6az+
+2rPE/q9Ek25z/UaBr5xcUa9S/I+B3+gvJpg8/O72xHd1LV6fQu7LbWSUSmVw3NQo
+MNVQgyJ4oRrFA70QSLwpUIyD/Lac4RNPIIDnnPy4wZO74NdBkKkqBC0BOG0zAVNy
+650rSYn3/RexpTZV7HfFwBViO+s6l3UgRrE0UD6vK3BAkvZKMb19I34DUfYQdGB4
+YRyQzIsolhoy27ZxW6aSAvU4W5idjPJG9aWuHPB4qnhJyI9Y1+D2exGSa/WIanM=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/data_files/server1.cert_type.crt.openssl.v3_ext b/tests/data_files/server1.cert_type.crt.openssl.v3_ext
new file mode 100644
index 0000000..bd225ff
--- /dev/null
+++ b/tests/data_files/server1.cert_type.crt.openssl.v3_ext
@@ -0,0 +1,5 @@
+[v3_ext]
+basicConstraints = CA:false
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+nsCertType=server
diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt
new file mode 100644
index 0000000..ed8b80b
--- /dev/null
+++ b/tests/data_files/server1.cert_type_noauthid.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
+BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz
+mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9
+FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy
+prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv
+9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS
+HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x
+jz0b2l4=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.crt.openssl.v3_ext b/tests/data_files/server1.crt.openssl.v3_ext
new file mode 100644
index 0000000..239d56a
--- /dev/null
+++ b/tests/data_files/server1.crt.openssl.v3_ext
@@ -0,0 +1,4 @@
+[v3_ext]
+basicConstraints = CA:false
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
diff --git a/tests/data_files/server1.csr b/tests/data_files/server1.csr
new file mode 100644
index 0000000..804c4a5
--- /dev/null
+++ b/tests/data_files/server1.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
+A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
++OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
+eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
+3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
+TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
+ox+ATHKxQ/XpRQP+2OTb9sw1kM59
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.key_usage.crt.openssl.v3_ext b/tests/data_files/server1.key_usage.crt.openssl.v3_ext
new file mode 100644
index 0000000..e255027
--- /dev/null
+++ b/tests/data_files/server1.key_usage.crt.openssl.v3_ext
@@ -0,0 +1,5 @@
+[v3_ext]
+basicConstraints = CA:false
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+keyUsage=critical, digitalSignature, nonRepudiation, keyEncipherment
diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt
new file mode 100644
index 0000000..d66e515
--- /dev/null
+++ b/tests/data_files/server1.key_usage_noauthid.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
+BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43
+shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+
+3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg
+q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o
+37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ
+VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF
+JTo=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.noauthid.crt b/tests/data_files/server1.noauthid.crt
new file mode 100644
index 0000000..99c004f
--- /dev/null
+++ b/tests/data_files/server1.noauthid.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN
+BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5
+UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH
+5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d
+avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm
+q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs
+1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.v1.crt b/tests/data_files/server1.v1.crt
index 0a4b2a5..b13be43 100644
--- a/tests/data_files/server1.v1.crt
+++ b/tests/data_files/server1.v1.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIIC9DCCAdygAwIBAAIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
-uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
-d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
-CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
-lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
-bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
-owIwADANBgkqhkiG9w0BAQUFAAOCAQEAoZVuVi7bIslKgMJhejSFXiO+ICMz1fmK
-b0tPN68mRYhI/gsjRT0cmX6GUNrg+U5mcBWhMwHgyvx1CARU4YToKZxcXGNL0DPd
-Z1hF8nCrJCZBQvNuWE7s0ufw92xz5ZfuKkVxi94RYR529F6gzgl4rpX8UQVu2ym/
-9pTlHKr4MKi9LNppyJMS89uRcb2FJFMdhAKbhNtbIjI9qGZ7x//0belAaWhq389u
-6XWFnZt35PU6Zz6YbAQ5pjZYsTaohuufgrpOlFPUuc4uR+RfGHIQ6id12lZaQC2m
-OFIBDcU0x1cFfPfMgVdBLf6klPt/v/tD77mwx0eztSp28NIf+ACw8A==
+MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV
+BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx
+MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT
+CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb
+7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ
+BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw
+fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B
+Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y
+ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq
+hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB
+tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5
+T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh
+zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi
+U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay
+IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server1_csr.opensslconf b/tests/data_files/server1_csr.opensslconf
new file mode 100644
index 0000000..6e7075e
--- /dev/null
+++ b/tests/data_files/server1_csr.opensslconf
@@ -0,0 +1,10 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+# Restrict to non-UTF8 PrintableStrings.
+string_mask = nombstr
+
+[ req_distinguished_name ]
+C = NL
+O = PolarSSL
+CN = PolarSSL Server 1
diff --git a/tests/data_files/server2-sha256.crt b/tests/data_files/server2-sha256.crt
new file mode 100644
index 0000000..006d9db
--- /dev/null
+++ b/tests/data_files/server2-sha256.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTcwNTA5MTM1MTA1WhcNMjcwNTEwMTM1MTA1WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
+owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
+NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
+tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
+hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
+HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd
+BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe
+0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBADAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAQf85QSjAeP+l6hirPorUL+k/3BznAh/6RXdveBO3K
+uwtqK5qI59+3N+ZLXP7fr2Z5eO8qpchRgNNwT0LKglAEXGWn30PYI1GKSiqAaK0X
+CUNIrxV3qKqOLbtqP1dMdiwsmiHYrN8E9UdysObedE2yDNLpTMHPJBZ+k6FowTyZ
+IpUuabkxMBFxmLv+nOBDOiaCzintEcdJdY4F6p5j8jwMvVNVAXNfxAEwa0MoVRTt
+/GORvq4ZEfsatVA+HRi602m+dZETTWKSODrj8AuQcG8/i1AOhk3C1WNOFKj/ZSfB
+2P6EQmhLeRp4bO+3rG73T3R2yn0PZYQ7ZrjFPPKqgu+n
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-sha1.crt b/tests/data_files/test-ca-sha1.crt
new file mode 100644
index 0000000..7cb35d4
--- /dev/null
+++ b/tests/data_files/test-ca-sha1.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
+FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
+CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAfDd5khSv/+K3De9qmH/ID3CVapGS
+EN5MlXS5vvGCjZSA41MuXkUl11akKHXQ9aLlp85OZUdGbfQ5wwCoj/MymbT4fES2
+1dI8O1oI3PZI/0dqEvQETlIwSoZV2c/oaPRfh2E99v2+8FNIaZOfV2MX1n9+6AdO
+W2nlK2oklozXSYg6KWtISr8N8Ofew2LQ9+riFlrrdaxsr8CoJqPqMDTq7FUmkDmO
+oHize/h9bFksIunKoVQHa8P4w/W9bnR69nziyhZotbwOOkAWVnIyEM9QnaKWXeIy
+rP6ewcTQjNYkguHJ8RY9rW+5bdaSY4EljSqZ3P3F+zo8P6sVi3qSlai5lQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca-sha256.crt b/tests/data_files/test-ca-sha256.crt
new file mode 100644
index 0000000..b14e405
--- /dev/null
+++ b/tests/data_files/test-ca-sha256.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
+FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
+CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j
+4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w
+XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB
+G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57
+ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY
+n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
new file mode 100644
index 0000000..12835df
--- /dev/null
+++ b/tests/data_files/test-ca.opensslconf
@@ -0,0 +1,13 @@
+[req]
+x509_extensions = v3_ca
+distinguished_name = req_dn
+
+[req_dn]
+countryName = NL
+organizationalUnitName = PolarSSL
+commonName = PolarSSL Test CA
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
diff --git a/tests/data_files/test-ca.server1.opensslconf b/tests/data_files/test-ca.server1.opensslconf
new file mode 100644
index 0000000..4a5072e
--- /dev/null
+++ b/tests/data_files/test-ca.server1.opensslconf
@@ -0,0 +1,18 @@
+ [ ca ]
+ default_ca = test-ca
+
+ [ test-ca ]
+ certificate = test-ca.crt
+ private_key = test-ca.key
+ serial = test-ca.server1.serial
+ default_md = sha1
+ default_startdate = 110212144406Z
+ default_enddate = 210212144406Z
+ new_certs_dir = ./
+ database = ./test-ca.server1.db
+ policy = policy_match
+
+ [policy_match]
+ countryName = supplied
+ organizationName = supplied
+ commonName = supplied
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a2eff08..f0594a2 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -261,6 +261,16 @@
msg "test: compat.sh (ASan build)" # ~ 6 min
tests/compat.sh
+msg "build: default config except MFL extension (ASan build)" # ~ 30s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: ssl-opt.sh, MFL-related tests"
+tests/ssl-opt.sh -f "Max fragment length"
+
msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
@@ -403,6 +413,15 @@
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
CC=armcc AR=armar WARNING_CFLAGS= make lib
+msg "build: allow SHA1 in certificates by default"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+CFLAGS='-Werror -Wall -Wextra' make
+msg "test: allow SHA1 in certificates by default"
+make test
+tests/ssl-opt.sh -f SHA-1
+
if which i686-w64-mingw32-gcc >/dev/null; then
msg "build: cross-mingw64, make" # ~ 30s
cleanup
@@ -476,4 +495,3 @@
msg "Done, cleaning up"
cleanup
-
diff --git a/tests/scripts/check-doxy-blocks.pl b/tests/scripts/check-doxy-blocks.pl
index abd27a8..b0fd696 100755
--- a/tests/scripts/check-doxy-blocks.pl
+++ b/tests/scripts/check-doxy-blocks.pl
@@ -19,6 +19,10 @@
# everything with a backslach except '\0' and backslash at EOL
my $doxy_re = qr/\\(?!0|\n)/;
+# Return an error code to the environment if a potential error in the
+# source code is found.
+my $exit_code = 0;
+
sub check_file {
my ($fname) = @_;
open my $fh, '<', $fname or die "Failed to open '$fname': $!\n";
@@ -32,6 +36,7 @@
if ($block_start and $line =~ m/$doxy_re/) {
print "$fname:$block_start: directive on line $.\n";
$block_start = 0; # report only one directive per block
+ $exit_code = 1;
}
}
@@ -45,13 +50,15 @@
}
}
-# locate root directory based on invocation name
-my $root = dirname($0) . '/..';
-chdir $root or die "Can't chdir to '$root': $!\n";
-
-# just do it
+# Check that the script is being run from the project's root directory.
for my $dir (@directories) {
- check_dir($dir)
+ if (! -d $dir) {
+ die "This script must be run from the mbed TLS root directory";
+ } else {
+ check_dir($dir)
+ }
}
+exit $exit_code;
+
__END__
diff --git a/tests/scripts/generate_code.pl b/tests/scripts/generate_code.pl
index 1c9cfc5..3491ece 100755
--- a/tests/scripts/generate_code.pl
+++ b/tests/scripts/generate_code.pl
@@ -194,7 +194,7 @@
# and make check code
my $dep_check_code;
-my @res = $test_data =~ /^depends_on:([\w:]+)/msg;
+my @res = $test_data =~ /^depends_on:([!:\w]+)/msg;
my %case_deps;
foreach my $deps (@res)
{
@@ -205,7 +205,23 @@
}
while( my ($key, $value) = each(%case_deps) )
{
- $dep_check_code .= << "END";
+ if( substr($key, 0, 1) eq "!" )
+ {
+ my $key = substr($key, 1);
+ $dep_check_code .= << "END";
+ if( strcmp( str, "!$key" ) == 0 )
+ {
+#if !defined($key)
+ return( 0 );
+#else
+ return( 1 );
+#endif
+ }
+END
+ }
+ else
+ {
+ $dep_check_code .= << "END";
if( strcmp( str, "$key" ) == 0 )
{
#if defined($key)
@@ -215,6 +231,7 @@
#endif
}
END
+ }
}
# Make mapping code
diff --git a/tests/scripts/tcp_client.pl b/tests/scripts/tcp_client.pl
new file mode 100755
index 0000000..11cbf1b
--- /dev/null
+++ b/tests/scripts/tcp_client.pl
@@ -0,0 +1,86 @@
+#!/usr/bin/env perl
+
+# A simple TCP client that sends some data and expects a response.
+# Usage: tcp_client.pl HOSTNAME PORT DATA1 RESPONSE1
+# DATA: hex-encoded data to send to the server
+# RESPONSE: regexp that must match the server's response
+
+use warnings;
+use strict;
+use IO::Socket::INET;
+
+# Pack hex digits into a binary string, ignoring whitespace.
+sub parse_hex {
+ my ($hex) = @_;
+ $hex =~ s/\s+//g;
+ return pack('H*', $hex);
+}
+
+## Open a TCP connection to the specified host and port.
+sub open_connection {
+ my ($host, $port) = @_;
+ my $socket = IO::Socket::INET->new(PeerAddr => $host,
+ PeerPort => $port,
+ Proto => 'tcp',
+ Timeout => 1);
+ die "Cannot connect to $host:$port: $!" unless $socket;
+ return $socket;
+}
+
+## Close the TCP connection.
+sub close_connection {
+ my ($connection) = @_;
+ $connection->shutdown(2);
+ # Ignore shutdown failures (at least for now)
+ return 1;
+}
+
+## Write the given data, expressed as hexadecimal
+sub write_data {
+ my ($connection, $hexdata) = @_;
+ my $data = parse_hex($hexdata);
+ my $total_sent = 0;
+ while ($total_sent < length($data)) {
+ my $sent = $connection->send($data, 0);
+ if (!defined $sent) {
+ die "Unable to send data: $!";
+ }
+ $total_sent += $sent;
+ }
+ return 1;
+}
+
+## Read a response and check it against an expected prefix
+sub read_response {
+ my ($connection, $expected_hex) = @_;
+ my $expected_data = parse_hex($expected_hex);
+ my $start_offset = 0;
+ while ($start_offset < length($expected_data)) {
+ my $actual_data;
+ my $ok = $connection->recv($actual_data, length($expected_data));
+ if (!defined $ok) {
+ die "Unable to receive data: $!";
+ }
+ if (($actual_data ^ substr($expected_data, $start_offset)) =~ /[^\000]/) {
+ printf STDERR ("Received \\x%02x instead of \\x%02x at offset %d\n",
+ ord(substr($actual_data, $-[0], 1)),
+ ord(substr($expected_data, $start_offset + $-[0], 1)),
+ $start_offset + $-[0]);
+ return 0;
+ }
+ $start_offset += length($actual_data);
+ }
+ return 1;
+}
+
+if (@ARGV != 4) {
+ print STDERR "Usage: $0 HOSTNAME PORT DATA1 RESPONSE1\n";
+ exit(3);
+}
+my ($host, $port, $data1, $response1) = @ARGV;
+my $connection = open_connection($host, $port);
+write_data($connection, $data1);
+if (!read_response($connection, $response1)) {
+ exit(1);
+}
+close_connection($connection);
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 24b0fff..5f47bb5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -17,11 +17,13 @@
: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
: ${GNUTLS_CLI:=gnutls-cli}
: ${GNUTLS_SERV:=gnutls-serv}
+: ${PERL:=perl}
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
+TCP_CLIENT="$PERL scripts/tcp_client.pl"
TESTS=0
FAILS=0
@@ -74,6 +76,13 @@
fi
}
+# skip next test if the flag is enabled in config.h
+requires_config_disabled() {
+ if grep "^#define $1" $CONFIG_H > /dev/null; then
+ SKIP_NEXT="YES"
+ fi
+}
+
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@@ -561,6 +570,10 @@
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"
+# Allow SHA-1, because many of our test certificates use it
+P_SRV="$P_SRV allow_sha1=1"
+P_CLI="$P_CLI allow_sha1=1"
+
# Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
@@ -632,6 +645,54 @@
-S "SSL - None of the common ciphersuites is usable" \
-S "SSL - The server has no ciphersuites in common"
+# Tests for SHA-1 support
+
+requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+run_test "SHA-1 forbidden by default in server certificate" \
+ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
+ "$P_CLI debug_level=2 allow_sha1=0" \
+ 1 \
+ -c "The certificate is signed with an unacceptable hash"
+
+requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+run_test "SHA-1 forbidden by default in server certificate" \
+ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
+ "$P_CLI debug_level=2 allow_sha1=0" \
+ 0
+
+run_test "SHA-1 explicitly allowed in server certificate" \
+ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
+ "$P_CLI allow_sha1=1" \
+ 0
+
+run_test "SHA-256 allowed by default in server certificate" \
+ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
+ "$P_CLI allow_sha1=0" \
+ 0
+
+requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+run_test "SHA-1 forbidden by default in client certificate" \
+ "$P_SRV auth_mode=required allow_sha1=0" \
+ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
+ 1 \
+ -s "The certificate is signed with an unacceptable hash"
+
+requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+run_test "SHA-1 forbidden by default in client certificate" \
+ "$P_SRV auth_mode=required allow_sha1=0" \
+ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
+ 0
+
+run_test "SHA-1 explicitly allowed in client certificate" \
+ "$P_SRV auth_mode=required allow_sha1=1" \
+ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
+ 0
+
+run_test "SHA-256 allowed by default in client certificate" \
+ "$P_SRV auth_mode=required allow_sha1=0" \
+ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
+ 0
+
# Tests for Truncated HMAC extension
run_test "Truncated HMAC: client default, server default" \
@@ -898,6 +959,37 @@
-s "received FALLBACK_SCSV" \
-S "inapropriate fallback"
+## ClientHello generated with
+## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
+## then manually twiddling the ciphersuite list.
+## The ClientHello content is spelled out below as a hex string as
+## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
+## The expected response is an inappropriate_fallback alert.
+requires_openssl_with_fallback_scsv
+run_test "Fallback SCSV: beginning of list" \
+ "$P_SRV debug_level=2" \
+ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
+ 0 \
+ -s "received FALLBACK_SCSV" \
+ -s "inapropriate fallback"
+
+requires_openssl_with_fallback_scsv
+run_test "Fallback SCSV: end of list" \
+ "$P_SRV debug_level=2" \
+ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
+ 0 \
+ -s "received FALLBACK_SCSV" \
+ -s "inapropriate fallback"
+
+## Here the expected response is a valid ServerHello prefix, up to the random.
+requires_openssl_with_fallback_scsv
+run_test "Fallback SCSV: not in list" \
+ "$P_SRV debug_level=2" \
+ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
+ 0 \
+ -S "received FALLBACK_SCSV" \
+ -S "inapropriate fallback"
+
# Tests for CBC 1/n-1 record splitting
run_test "CBC Record splitting: TLS 1.2, no splitting" \
@@ -1126,7 +1218,23 @@
# Tests for Max Fragment Length extension
-run_test "Max fragment length: not used, reference" \
+MAX_CONTENT_LEN_EXPECT='16384'
+MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
+
+if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
+ printf "The ${CONFIG_H} file contains a value for the configuration of\n"
+ printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
+ printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
+ printf "\n"
+ printf "The tests assume this value and if it changes, the tests in this\n"
+ printf "script should also be adjusted.\n"
+ printf "\n"
+
+ exit 1
+fi
+
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test "Max fragment length: enabled, default" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
@@ -1137,6 +1245,55 @@
-S "server hello, max_fragment_length extension" \
-C "found max_fragment_length extension"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test "Max fragment length: enabled, default, larger message" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3 request_size=16385" \
+ 0 \
+ -c "Maximum fragment length is 16384" \
+ -s "Maximum fragment length is 16384" \
+ -C "client hello, adding max_fragment_length extension" \
+ -S "found max fragment length extension" \
+ -S "server hello, max_fragment_length extension" \
+ -C "found max_fragment_length extension" \
+ -c "16385 bytes written in 2 fragments" \
+ -s "16384 bytes read" \
+ -s "1 bytes read"
+
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test "Max fragment length, DTLS: enabled, default, larger message" \
+ "$P_SRV debug_level=3 dtls=1" \
+ "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+ 1 \
+ -c "Maximum fragment length is 16384" \
+ -s "Maximum fragment length is 16384" \
+ -C "client hello, adding max_fragment_length extension" \
+ -S "found max fragment length extension" \
+ -S "server hello, max_fragment_length extension" \
+ -C "found max_fragment_length extension" \
+ -c "fragment larger than.*maximum "
+
+requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test "Max fragment length: disabled, larger message" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3 request_size=16385" \
+ 0 \
+ -C "Maximum fragment length is 16384" \
+ -S "Maximum fragment length is 16384" \
+ -c "16385 bytes written in 2 fragments" \
+ -s "16384 bytes read" \
+ -s "1 bytes read"
+
+requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test "Max fragment length DTLS: disabled, larger message" \
+ "$P_SRV debug_level=3 dtls=1" \
+ "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+ 1 \
+ -C "Maximum fragment length is 16384" \
+ -S "Maximum fragment length is 16384" \
+ -c "fragment larger than.*maximum "
+
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by client" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=4096" \
@@ -1148,6 +1305,7 @@
-s "server hello, max_fragment_length extension" \
-c "found max_fragment_length extension"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by server" \
"$P_SRV debug_level=3 max_frag_len=4096" \
"$P_CLI debug_level=3" \
@@ -1159,6 +1317,7 @@
-S "server hello, max_fragment_length extension" \
-C "found max_fragment_length extension"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_gnutls
run_test "Max fragment length: gnutls server" \
"$G_SRV" \
@@ -1168,6 +1327,7 @@
-c "client hello, adding max_fragment_length extension" \
-c "found max_fragment_length extension"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: client, message just fits" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
@@ -1181,6 +1341,7 @@
-c "2048 bytes written in 1 fragments" \
-s "2048 bytes read"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: client, larger message" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
@@ -1195,6 +1356,7 @@
-s "2048 bytes read" \
-s "297 bytes read"
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: DTLS client, larger message" \
"$P_SRV debug_level=3 dtls=1" \
"$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
@@ -1248,6 +1410,40 @@
-s "=> renegotiate" \
-s "write hello request"
+# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
+# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
+# algorithm stronger than SHA-1 is enabled in config.h
+run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
+ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
+ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -S "write hello request" \
+ -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
+
+# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
+# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
+# algorithm stronger than SHA-1 is enabled in config.h
+run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
+ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
+ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
+ 0 \
+ -c "client hello, adding renegotiation extension" \
+ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
+ -s "found renegotiation extension" \
+ -s "server hello, secure renegotiation extension" \
+ -c "found renegotiation extension" \
+ -c "=> renegotiate" \
+ -s "=> renegotiate" \
+ -s "write hello request" \
+ -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
+
run_test "Renegotiation: double" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
@@ -1692,6 +1888,54 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+run_test "Authentication: server goodcert, client optional, no trusted CA" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
+ 0 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
+run_test "Authentication: server goodcert, client required, no trusted CA" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
+ 1 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "SSL - No CA Chain is set, but required to operate"
+
+# The purpose of the next two tests is to test the client's behaviour when receiving a server
+# certificate with an unsupported elliptic curve. This should usually not happen because
+# the client informs the server about the supported curves - it does, though, in the
+# corner case of a static ECDH suite, because the server doesn't check the curve on that
+# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
+# different means to have the server ignoring the client's supported curve list.
+
+requires_config_enabled MBEDTLS_ECP_C
+run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
+ "$P_SRV debug_level=1 key_file=data_files/server5.key \
+ crt_file=data_files/server5.ku-ka.crt" \
+ "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
+ 1 \
+ -c "bad certificate (EC key curve)"\
+ -c "! Certificate verification flags"\
+ -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
+
+requires_config_enabled MBEDTLS_ECP_C
+run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
+ "$P_SRV debug_level=1 key_file=data_files/server5.key \
+ crt_file=data_files/server5.ku-ka.crt" \
+ "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
+ 1 \
+ -c "bad certificate (EC key curve)"\
+ -c "! Certificate verification flags"\
+ -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
+
run_test "Authentication: server badcert, client none" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@@ -1808,6 +2052,64 @@
-C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed"
+run_test "Authentication: server max_int chain, client default" \
+ "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
+ key_file=data_files/dir-maxpath/09.key" \
+ "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
+ 0 \
+ -C "X509 - A fatal error occured"
+
+run_test "Authentication: server max_int+1 chain, client default" \
+ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
+ 1 \
+ -c "X509 - A fatal error occured"
+
+run_test "Authentication: server max_int+1 chain, client optional" \
+ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
+ auth_mode=optional" \
+ 1 \
+ -c "X509 - A fatal error occured"
+
+run_test "Authentication: server max_int+1 chain, client none" \
+ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
+ auth_mode=none" \
+ 0 \
+ -C "X509 - A fatal error occured"
+
+run_test "Authentication: client max_int+1 chain, server default" \
+ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
+ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ 0 \
+ -S "X509 - A fatal error occured"
+
+run_test "Authentication: client max_int+1 chain, server optional" \
+ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
+ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ 1 \
+ -s "X509 - A fatal error occured"
+
+run_test "Authentication: client max_int+1 chain, server required" \
+ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
+ key_file=data_files/dir-maxpath/10.key" \
+ 1 \
+ -s "X509 - A fatal error occured"
+
+run_test "Authentication: client max_int chain, server required" \
+ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
+ "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
+ key_file=data_files/dir-maxpath/09.key" \
+ 0 \
+ -S "X509 - A fatal error occured"
+
# Tests for certificate selection based on SHA verson
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
@@ -2646,12 +2948,19 @@
# Test for ClientHello without extensions
requires_gnutls
-run_test "ClientHello without extensions" \
+run_test "ClientHello without extensions, SHA-1 allowed" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
+requires_gnutls
+run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
+ "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
+ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+ 0 \
+ -s "dumping 'client hello extensions' (0 bytes)"
+
# Tests for mbedtls_ssl_get_bytes_avail()
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
@@ -2827,6 +3136,7 @@
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@@ -2835,6 +3145,7 @@
"$P_CLI request_size=16384 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.0 BlockCipher" \
@@ -2842,6 +3153,7 @@
"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
@@ -2850,6 +3162,7 @@
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
@@ -2858,6 +3171,7 @@
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.1 BlockCipher" \
@@ -2865,6 +3179,7 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.1 StreamCipher" \
@@ -2872,6 +3187,7 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
@@ -2880,6 +3196,7 @@
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
@@ -2888,6 +3205,7 @@
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 BlockCipher" \
@@ -2895,6 +3213,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
@@ -2902,6 +3221,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
@@ -2910,6 +3230,7 @@
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 StreamCipher" \
@@ -2917,6 +3238,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
@@ -2925,6 +3247,7 @@
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
trunc_hmac=1" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 AEAD" \
@@ -2932,6 +3255,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
run_test "Large packet TLS 1.2 AEAD shorter tag" \
@@ -2939,6 +3263,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
0 \
+ -c "16384 bytes written in 1 fragments" \
-s "Read from client: 16384 bytes read"
# Tests for DTLS HelloVerifyRequest
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 6af918c..5c20f81 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -55,6 +55,17 @@
}
#endif
+/* Helper flags for complex dependencies */
+
+/* Indicates whether we expect mbedtls_entropy_init
+ * to initialize some strong entropy source. */
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \
+ ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \
+ defined(MBEDTLS_HAVEGE_C) || \
+ defined(MBEDTLS_ENTROPY_HARDWARE_ALT) )
+#define ENTROPY_HAVE_STRONG
+#endif
+
static int unhexify( unsigned char *obuf, const char *ibuf )
{
unsigned char c, c2;
diff --git a/tests/suites/test_suite_entropy.data b/tests/suites/test_suite_entropy.data
index 833eef5..42630cb 100644
--- a/tests/suites/test_suite_entropy.data
+++ b/tests/suites/test_suite_entropy.data
@@ -31,10 +31,10 @@
Entropy threshold #2
entropy_threshold:32:1:32
-Entropy thershold #3
+Entropy threshold #3
entropy_threshold:16:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
-Entropy thershold #4
+Entropy threshold #4
entropy_threshold:1024:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Entropy self test
diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function
index 3b739cc..19796a3 100644
--- a/tests/suites/test_suite_entropy.function
+++ b/tests/suites/test_suite_entropy.function
@@ -40,7 +40,7 @@
* END_DEPENDENCIES
*/
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:ENTROPY_HAVE_STRONG */
void entropy_seed_file( char *path, int ret )
{
mbedtls_entropy_context ctx;
@@ -80,7 +80,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */
void entropy_func_len( int len, int ret )
{
mbedtls_entropy_context ctx;
@@ -141,7 +141,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:ENTROPY_HAVE_STRONG */
void entropy_threshold( int threshold, int chunk_size, int result )
{
mbedtls_entropy_context ctx;
@@ -172,7 +172,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:ENTROPY_HAVE_STRONG */
void entropy_selftest( )
{
TEST_ASSERT( mbedtls_entropy_self_test( 0 ) == 0 );
diff --git a/tests/suites/test_suite_gcm.aes128_de.data b/tests/suites/test_suite_gcm.aes128_de.data
index 6eaa711..2a2e32f 100644
--- a/tests/suites/test_suite_gcm.aes128_de.data
+++ b/tests/suites/test_suite_gcm.aes128_de.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":0
+AES-GCM Bad IV (AES-128,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data
index d8bee9d..9453ffa 100644
--- a/tests/suites/test_suite_gcm.aes128_en.data
+++ b/tests/suites/test_suite_gcm.aes128_en.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"fe481476fce76efcfc78ed144b0756f1":"246e1f2babab8da98b17cc928bd49504d7d87ea2cc174f9ffb7dbafe5969ff824a0bcb52f35441d22f3edcd10fab0ec04c0bde5abd3624ca25cbb4541b5d62a3deb52c00b75d68aaf0504d51f95b8dcbebdd8433f4966c584ac7f8c19407ca927a79fa4ead2688c4a7baafb4c31ef83c05e8848ec2b4f657aab84c109c91c277":"1a2c18c6bf13b3b2785610c71ccd98ca":"b0ab3cb5256575774b8242b89badfbe0dfdfd04f5dd75a8e5f218b28d3f6bc085a013defa5f5b15dfb46132db58ed7a9ddb812d28ee2f962796ad988561a381c02d1cf37dca5fd33e081d61cc7b3ab0b477947524a4ca4cb48c36f48b302c440be6f5777518a60585a8a16cea510dbfc5580b0daac49a2b1242ff55e91a8eae8":"5587620bbb77f70afdf3cdb7ae390edd0473286d86d3f862ad70902d90ff1d315947c959f016257a8fe1f52cc22a54f21de8cb60b74808ac7b22ea7a15945371e18b77c9571aad631aa080c60c1e472019fa85625fc80ed32a51d05e397a8987c8fece197a566689d24d05361b6f3a75616c89db6123bf5902960b21a18bc03a":32:"bd4265a8":0
+AES-GCM Bad IV (AES-128,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes192_de.data b/tests/suites/test_suite_gcm.aes192_de.data
index 841c6fa..9e7bad0 100644
--- a/tests/suites/test_suite_gcm.aes192_de.data
+++ b/tests/suites/test_suite_gcm.aes192_de.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"e3dc64e3c02731fe6e6ec0e899183018da347bf8bd476aa7746d7a7729d83a95f64bb732ba987468d0cede154e28169f7bafa36559200795037ee38279e0e4ca40f9cfa85aa0c8035df9649345c8fdffd1c31528b485dfe443c1923180cc8fae5196d16f822be4ad07e3f1234e1d218e7c8fb37a0e4480dc6717c9c09ff5c45f":"ca362e615024a1fe11286668646cc1de":"237d95d86a5ad46035870f576a1757eded636c7234d5ed0f8039f6f59f1333cc31cb893170d1baa98bd4e79576de920120ead0fdecfb343edbc2fcc556540a91607388a05d43bdb8b55f1327552feed3b620614dfcccb2b342083896cbc81dc9670b761add998913ca813163708a45974e6d7b56dfd0511a72eb879f239d6a6d":32:"28d730ea":"dafde27aa8b3076bfa16ab1d89207d339c4997f8a756cc3eb62c0b023976de808ab640ba4467f2b2ea83d238861229c73387594cd43770386512ea595a70888b4c38863472279e06b923e7cf32438199b3e054ac4bc21baa8df39ddaa207ebb17fa4cad6e83ea58c3a92ec74e6e01b0a8979af145dd31d5df29750bb91b42d45":0
+AES-GCM Bad IV (AES-192,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes192_en.data b/tests/suites/test_suite_gcm.aes192_en.data
index 18e56e7..5ea1101 100644
--- a/tests/suites/test_suite_gcm.aes192_en.data
+++ b/tests/suites/test_suite_gcm.aes192_en.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"713358e746dd84ab27b8adb3b17ea59cd75fa6cb0c13d1a8":"35b8b655efdf2d09f5ed0233c9eeb0b6f85e513834848cd594dba3c6e64f78e7af4a7a6d53bba7b43764334d6373360ae3b73b1e765978dffa7dbd805fda7825b8e317e8d3f1314aa97f877be815439c5da845028d1686283735aefac79cdb9e02ec3590091cb507089b9174cd9a6111f446feead91f19b80fd222fc6299fd1c":"26ed909f5851961dd57fa950b437e17c":"c9469ad408764cb7d417f800d3d84f03080cee9bbd53f652763accde5fba13a53a12d990094d587345da2cdc99357b9afd63945ca07b760a2c2d4948dbadb1312670ccde87655a6a68edb5982d2fcf733bb4101d38cdb1a4942a5d410f4c45f5ddf00889bc1fe5ec69b40ae8aaee60ee97bea096eeef0ea71736efdb0d8a5ec9":"cc3f9983e1d673ec2c86ae4c1e1b04e30f9f395f67c36838e15ce825b05d37e9cd40041470224da345aa2da5dfb3e0c561dd05ba7984a1332541d58e8f9160e7e8457e717bab203de3161a72b7aedfa53616b16ca77fd28d566fbf7431be559caa1a129b2f29b9c5bbf3eaba594d6650c62907eb28e176f27c3be7a3aa24cef6":32:"5be7611b":0
+AES-GCM Bad IV (AES-192,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes256_de.data b/tests/suites/test_suite_gcm.aes256_de.data
index 0fe8489..9696a62 100644
--- a/tests/suites/test_suite_gcm.aes256_de.data
+++ b/tests/suites/test_suite_gcm.aes256_de.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"8d03cf6fac31182ad3e6f32e4c823e3b421aef786d5651afafbf70ef14c00524ab814bc421b1d4181b4d3d82d6ae4e8032e43a6c4e0691184425b37320798f865c88b9b306466311d79e3e42076837474c37c9f6336ed777f05f70b0c7d72bd4348a4cd754d0f0c3e4587f9a18313ea2d2bace502a24ea417d3041b709a0471f":"4763a4e37b806a5f4510f69fd8c63571":"07daeba37a66ebe15f3d6451d1176f3a7107a302da6966680c425377e621fd71610d1fc9c95122da5bf85f83b24c4b783b1dcd6b508d41e22c09b5c43693d072869601fc7e3f5a51dbd3bc6508e8d095b9130fb6a7f2a043f3a432e7ce68b7de06c1379e6bab5a1a48823b76762051b4e707ddc3201eb36456e3862425cb011a":32:"3105dddb":"FAIL":0
+AES-GCM Bad IV (AES-256,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.aes256_en.data b/tests/suites/test_suite_gcm.aes256_en.data
index 23d1689..0ff716d 100644
--- a/tests/suites/test_suite_gcm.aes256_en.data
+++ b/tests/suites/test_suite_gcm.aes256_en.data
@@ -670,6 +670,10 @@
depends_on:MBEDTLS_AES_C
gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"1477e189fb3546efac5cc144f25e132ffd0081be76e912e25cbce7ad63f1c2c4":"7bd3ea956f4b938ebe83ef9a75ddbda16717e924dd4e45202560bf5f0cffbffcdd23be3ae08ff30503d698ed08568ff6b3f6b9fdc9ea79c8e53a838cc8566a8b52ce7c21b2b067e778925a066c970a6c37b8a6cfc53145f24bf698c352078a7f0409b53196e00c619237454c190b970842bb6629c0def7f166d19565127cbce0":"c109f35893aff139db8ed51c85fee237":"8f7f9f71a4b2bb0aaf55fced4eb43c57415526162070919b5f8c08904942181820d5847dfd54d9ba707c5e893a888d5a38d0130f7f52c1f638b0119cf7bc5f2b68f51ff5168802e561dff2cf9c5310011c809eba002b2fa348718e8a5cb732056273cc7d01cce5f5837ab0b09b6c4c5321a7f30a3a3cd21f29da79fce3f3728b":"7841e3d78746f07e5614233df7175931e3c257e09ebd7b78545fae484d835ffe3db3825d3aa1e5cc1541fe6cac90769dc5aaeded0c148b5b4f397990eb34b39ee7881804e5a66ccc8d4afe907948780c4e646cc26479e1da874394cb3537a8f303e0aa13bd3cc36f6cc40438bcd41ef8b6a1cdee425175dcd17ee62611d09b02":32:"cb13ce59":0
+AES-GCM Bad IV (AES-256,128,0,0,32) #0
+depends_on:MBEDTLS_AES_C
+gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_DECRYPT:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT
+
AES-GCM Selftest
depends_on:MBEDTLS_AES_C
gcm_selftest:
diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function
index 9d841dc..128c59e 100644
--- a/tests/suites/test_suite_gcm.function
+++ b/tests/suites/test_suite_gcm.function
@@ -8,6 +8,49 @@
*/
/* BEGIN_CASE */
+void gcm_bad_parameters( int cipher_id, int direction,
+ char *hex_key_string, char *hex_src_string,
+ char *hex_iv_string, char *hex_add_string,
+ int tag_len_bits, int gcm_result )
+{
+ unsigned char key_str[128];
+ unsigned char src_str[128];
+ unsigned char dst_str[257];
+ unsigned char iv_str[128];
+ unsigned char add_str[128];
+ unsigned char tag_str[128];
+ unsigned char output[128];
+ unsigned char tag_output[16];
+ mbedtls_gcm_context ctx;
+ unsigned int key_len;
+ size_t pt_len, iv_len, add_len, tag_len = tag_len_bits / 8;
+
+ mbedtls_gcm_init( &ctx );
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( add_str, 0x00, sizeof( add_str ) );
+ memset( tag_str, 0x00, sizeof( tag_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ memset( tag_output, 0x00, sizeof( tag_output ) );
+
+ key_len = unhexify( key_str, hex_key_string );
+ pt_len = unhexify( src_str, hex_src_string );
+ iv_len = unhexify( iv_str, hex_iv_string );
+ add_len = unhexify( add_str, hex_add_string );
+
+ TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str, key_len * 8 ) == 0 );
+ TEST_ASSERT( mbedtls_gcm_crypt_and_tag( &ctx, direction, pt_len, iv_str, iv_len,
+ add_str, add_len, src_str, output, tag_len, tag_output ) == gcm_result );
+
+exit:
+ mbedtls_gcm_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void gcm_encrypt_and_tag( int cipher_id,
char *hex_key_string, char *hex_src_string,
char *hex_iv_string, char *hex_add_string,
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 0d4ee44..18a9fa0 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -521,7 +521,7 @@
mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0
Test mbedtls_mpi_exp_mod (Negative base)
-mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"99998":0
+mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"1":0
Test mbedtls_mpi_exp_mod (Negative base)
mbedtls_mpi_exp_mod:16:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":16:"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":16:"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":16:"":16:"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0
@@ -550,6 +550,9 @@
Base test mbedtls_mpi_inv_mod #4
mbedtls_mpi_inv_mod:10:"2":10:"4":10:"0":MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+Base test mbedtls_mpi_inv_mod #5
+mbedtls_mpi_inv_mod:10:"3":10:"1":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
Test mbedtls_mpi_inv_mod #1
mbedtls_mpi_inv_mod:16:"aa4df5cb14b4c31237f98bd1faf527c283c2d0f3eec89718664ba33f9762907c":16:"fffbbd660b94412ae61ead9c2906a344116e316a256fd387874c6c675b1d587d":16:"8d6a5c1d7adeae3e94b9bcd2c47e0d46e778bc8804a2cc25c02d775dc3d05b0c":0
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index 339b4d3..77546c5 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@@ -17,10 +17,22 @@
mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
PEM read (DES-EDE3-CBC + invalid iv)
-mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV
PEM read (DES-CBC + invalid iv)
-mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV
PEM read (unknown encryption algorithm)
-mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+
+PEM read (malformed PEM DES-CBC)
+depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+
+PEM read (malformed PEM DES-EDE3-CBC)
+depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+
+PEM read (malformed PEM AES-128-CBC)
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
index 5e02210..c24595d 100644
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@@ -1,6 +1,8 @@
/* BEGIN_HEADER */
#include "mbedtls/base64.h"
#include "mbedtls/pem.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
/* END_HEADER */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
@@ -35,16 +37,19 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */
-void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret )
+void mbedtls_pem_read_buffer( char *header, char *footer, char *data,
+ char *pwd, int res )
{
mbedtls_pem_context ctx;
+ int ret;
size_t use_len = 0;
+ size_t pwd_len = strlen( pwd );
mbedtls_pem_init( &ctx );
- TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer,
- (const unsigned char *)data, NULL, 0,
- &use_len ) == ret );
+ ret = mbedtls_pem_read_buffer( &ctx, header, footer, (unsigned char *)data,
+ (unsigned char *)pwd, pwd_len, &use_len );
+ TEST_ASSERT( ret == res );
exit:
mbedtls_pem_free( &ctx );
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
index 8c27708..f6a206d 100644
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@@ -12,95 +12,355 @@
Parse RSA Key #4 (DES Encrypted)
depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/keyfile.des":"testkey":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_des.pem":"testkey":0
Parse RSA Key #5 (3DES Encrypted)
depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/keyfile.3des":"testkey":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_3des.pem":"testkey":0
Parse RSA Key #6 (AES-128 Encrypted)
depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/keyfile.aes128":"testkey":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes128.pem":"testkey":0
Parse RSA Key #7 (AES-192 Encrypted)
depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/keyfile.aes192":"testkey":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes192.pem":"testkey":0
Parse RSA Key #8 (AES-256 Encrypted)
depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/keyfile.aes256":"testkey":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes256.pem":"testkey":0
-Parse RSA Key #9 (PKCS#8 wrapped)
+Parse RSA Key #9 (2048-bit, DES Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_des.pem":"testkey":0
+
+Parse RSA Key #10 (2048-bit, 3DES Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_3des.pem":"testkey":0
+
+Parse RSA Key #11 (2048-bit, AES-128 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes128.pem":"testkey":0
+
+Parse RSA Key #12 (2048-bit, AES-192 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes192.pem":"testkey":0
+
+Parse RSA Key #13 (2048-bit, AES-256 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0
+
+Parse RSA Key #14 (4096-bit, DES Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_des.pem":"testkey":0
+
+Parse RSA Key #15 (4096-bit, 3DES Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_3des.pem":"testkey":0
+
+Parse RSA Key #16 (4096-bit, AES-128 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0
+
+Parse RSA Key #17 (4096-bit, AES-192 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0
+
+Parse RSA Key #18 (4096-bit, AES-256 Encrypted)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0
+
+Parse RSA Key #19 (PKCS#8 wrapped)
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C
pk_parse_keyfile_rsa:"data_files/format_gen.key":"":0
-Parse RSA Key #10 (PKCS#8 encrypted SHA1-3DES)
+Parse RSA Key #20 (PKCS#8 encrypted SHA1-3DES)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_3des.key":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTest":0
-Parse RSA Key #10.1 (PKCS#8 encrypted SHA1-3DES, wrong PW)
+Parse RSA Key #20.1 (PKCS#8 encrypted SHA1-3DES, wrong PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_3des.key":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-Parse RSA Key #10.2 (PKCS#8 encrypted SHA1-3DES, no PW)
+Parse RSA Key #20.2 (PKCS#8 encrypted SHA1-3DES, no PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_3des.key":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
-Parse RSA Key #11 (PKCS#8 encrypted SHA1-3DES DER)
+Parse RSA Key #21 (PKCS#8 encrypted SHA1-3DES, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTest":0
+
+Parse RSA Key #21.1 (PKCS#8 encrypted SHA1-3DES, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #21.2 (PKCS#8 encrypted SHA1-3DES, 2048-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0
+
+Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_3des.der":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.der":"PolarSSLTest":0
-Parse RSA Key #12 (PKCS#8 encrypted SHA1-2DES)
+Parse RSA Key #24 (PKCS#8 encrypted SHA1-3DES DER, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0
+
+Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0
+
+Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_2des.key":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSSLTest":0
-Parse RSA Key #12.1 (PKCS#8 encrypted SHA1-2DES, wrong PW)
+Parse RSA Key #26.1 (PKCS#8 encrypted SHA1-2DES, wrong PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_2des.key":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-Parse RSA Key #12.2 (PKCS#8 encrypted SHA1-2DES, no PW)
+Parse RSA Key #26.2 (PKCS#8 encrypted SHA1-2DES, no PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_2des.key":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
-Parse RSA Key #13 (PKCS#8 encrypted SHA1-RC4-128)
+Parse RSA Key #27 (PKCS#8 encrypted SHA1-2DES, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSSLTest":0
+
+Parse RSA Key #27.1 (PKCS#8 encrypted SHA1-2DES, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #27.2 (PKCS#8 encrypted SHA1-2DES, 2048-bit no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0
+
+Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.der":"PolarSSLTest":0
+
+Parse RSA Key #30 (PKCS#8 encrypted SHA1-2DES DER, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0
+
+Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0
+
+Parse RSA Key #32 (PKCS#8 encrypted SHA1-RC4-128)
depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_rc4_128.key":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem":"PolarSSLTest":0
-Parse RSA Key #13.1 (PKCS#8 encrypted SHA1-RC4-128, wrong PW)
+Parse RSA Key #32.1 (PKCS#8 encrypted SHA1-RC4-128, wrong PW)
depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_rc4_128.key":"PolarSSLTe":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem":"PolarSSLTe":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-Parse RSA Key #13.2 (PKCS#8 encrypted SHA1-RC4-128, no PW)
+Parse RSA Key #32.2 (PKCS#8 encrypted SHA1-RC4-128, no PW)
depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbe_sha1_rc4_128.key":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
-Parse RSA Key #14 (PKCS#8 encrypted v2 PBDFK2 3DES)
+Parse RSA Key #33 (PKCS#8 encrypted SHA1-RC4-128, 2048-bit)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem":"PolarSSLTest":0
+
+Parse RSA Key #33.1 (PKCS#8 encrypted SHA1-RC4-128, 2048-bit, wrong PW)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem":"PolarSSLTe":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #33.2 (PKCS#8 encrypted SHA1-RC4-128, 2048-bit, no PW)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #34 (PKCS#8 encrypted SHA1-RC4-128, 4096-bit)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem":"PolarSSLTest":0
+
+Parse RSA Key #34.1 (PKCS#8 encrypted SHA1-RC4-128, 4096-bit, wrong PW)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem":"PolarSSLTe":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #34.2 (PKCS#8 encrypted SHA1-RC4-128, 4096-bit, no PW)
+depends_on:MBEDTLS_ARC4_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #35 (PKCS#8 encrypted SHA1-RC4-128 DER)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_rc4_128.der":"PolarSSLTest":0
+
+Parse RSA Key #36 (PKCS#8 encrypted SHA1-RC4-128 DER, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_rc4_128.der":"PolarSSLTest":0
+
+Parse RSA Key #37 (PKCS#8 encrypted SHA1-RC4-128 DER, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_rc4_128.der":"PolarSSLTest":0
+
+Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.key":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTest":0
-Parse RSA Key #15 (PKCS#8 encrypted v2 PBDFK2 3DES, wrong PW)
+Parse RSA Key #38.1 (PKCS#8 encrypted v2 PBKDF2 3DES, wrong PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.key":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-Parse RSA Key #16 (PKCS#8 encrypted v2 PBDFK2 3DES, no PW)
+Parse RSA Key #38.2 (PKCS#8 encrypted v2 PBKDF2 3DES, no PW)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.key":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
-Parse RSA Key #17 (PKCS#8 encrypted v2 PBDFK2 3DES DER)
-depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.der":"PolarSSLTest":0
-
-Parse RSA Key #18 (PKCS#8 encrypted v2 PBDFK2 3DES DER, wrong PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-
-Parse RSA Key #19 (PKCS#8 encrypted v2 PBDFK2 3DES DER, no PW)
-depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-
-Parse RSA Key #20 (PKCS#8 encrypted v2 PBDFK2 DES)
+Parse RSA Key #39 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit)
depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
-pk_parse_keyfile_rsa:"data_files/pkcs8_pbes2_pbkdf2_des.key":"PolarSSLTest":0
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTest":0
+
+Parse RSA Key #39.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #39.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0
+
+Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTest":0
+
+Parse RSA Key #41.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #41.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #42 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTest":0
+
+Parse RSA Key #42.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #42.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0
+
+Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTest":0
+
+Parse RSA Key #44.1 (PKCS#8 encrypted v2 PBKDF2 DES, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #44.2 (PKCS#8 encrypted v2 PBKDF2 DES, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #45 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTest":0
+
+Parse RSA Key #45.1 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #45.2 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0
+
+Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+
+Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTest":0
+
+Parse RSA Key #47.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #47.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #48 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTest":0
+
+Parse RSA Key #48.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #48.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+
+Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0
+
+Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+
+Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C:MBEDTLS_PKCS5_C
+pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse Public RSA Key #1 (PKCS#8 wrapped)
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index af16880..5013ac8 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -134,6 +134,10 @@
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA512:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"11":"0b4d96f411c727a262d6d0ade34195b78603551061917d060f89add47b09dfe8715f4f9147d327dc25e91fe457e5d1a2f22cd8fe6fe8e29d2060658307c87a40640650fef3d4b289a6c3febc5a100b29a8b56623afb29fd3c13ea372bf3c638c1db25f8bd8c74c821beec7b5affcace1d05d056a6c2d3035926c7a268df4751a54bc20a6b8cfd729a7cba309ae817daccbef9950a482cf23950a8ca1d3a13ddb7d8d0f87ad5587d4d9ebe19fe93457597a7bdd056c2fd4cea7d31e4a0e595a7b":0
+RSA PKCS1 Verify v1.5 padding too short
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15
+mbedtls_rsa_pkcs1_verify:"AABBCC03020100FFFFFFFFFF1122330A0B0CCCDDDDDDDDDD":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:1024:16:"9292758453063D803DD603D5E777D7888ED1D5BF35786190FA2F23EBC0848AEADDA92CA6C3D80B32C4D109BE0F36D6AE7130B9CED7ACDF54CFC7555AC14EEBAB93A89813FBF3C4F8066D2D800F7C38A81AE31942917403FF4946B0A83D3D3E05EE57C6F5F5606FB5D4BC6CD34EE0801A5E94BB77B07507233A0BC7BAC8F90F79":16:"10001":"6edd56f397d9bc6d176bbe3d80946fc352ad6127b85b1d67d849c0a38cbde7222c5fafbb18dcef791178a8e15f5c8cd91869f8ca4b758c46ce3e229bf666d2e3e296544351bcb5db7e0004f6c0800f76a432071297e405759d4324d1cf1c412758be93a39f834e03dee59e28ac571ce2b0b3c8fe639979f516223b54027340a5":MBEDTLS_ERR_RSA_INVALID_PADDING
+
RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PKCS1_V15
mbedtls_rsa_pkcs1_sign:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA512:1536:16:"c8c67df894c882045ede26a9008ab09ea0672077d7bc71d412511cd93981ddde8f91b967da404056c39f105f7f239abdaff92923859920f6299e82b95bd5b8c959948f4a035cbd693ad83014294d349813d1ad57911a6355d0731fe3a034e9db":16:"f15147d0e7c04a1e3f37adde802cdc610999bf7ab0088434aaeda0c0ab3910b14d2ce56cb66bffd97552195fae8b061077e03920814d8b9cfb5a3958b3a82c2a7fc97e55db5978b47a922156eb8a3e55c06a54a45d1670abdfb995489c4d0051":16:"bd429bb7c3b00bbea19ba664c0f8172d1a73c3cfa05e2ed656d570c1590918bb7e372ed25e2cd71395ba0a9b1a30f3ee012ffb0546cab8e3581fe3e23f44ab57a8aee9717e71a936a580fa8572d450fb00339a6f6704b717df0c149a465bab768c61500cd93b61113ff3e4389167f7b2c8e3c0da2d4765286bee555b0bcb4998f59b14fad03180a17c8b4f69bcd1234f4ae85950137665ac2ba80b55cc9b1aafb454b83771aa755acd2a00e93ddb65e696dbed8bdca69fb5e0c5c2097b9cfe4b":16:"3":"93b6fa99485c116ca6efdd4202ea1cf49f4c6345fae692584413743ce5b65510e8e4690aee9a19ea1ff10d57f22aa3548d839f28a8525a34354e9e58e0f3947e056ce2554e21bf287e220b98db3b551258cd42b495e5d1a3bbc83c9d1a02f2a300ef6d866ea75108e44ebb3e16b47df2f6de28feb2be3874dbbf21599451082d86e9f2f462575a8185c69aa1f1fcb6a363c5d71aeba2103449eaf3845285291148d5f78d1646b8dc95cbcc4082f987d948b0e7d4e80b60595f8a7517584e1643":0
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index b1bc19e..181eb0d 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -658,7 +658,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C */
+/* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */
void mbedtls_rsa_gen_key( int nrbits, int exponent, int result)
{
mbedtls_rsa_context ctx;
@@ -667,13 +667,12 @@
const char *pers = "test_suite_rsa";
mbedtls_ctr_drbg_init( &ctr_drbg );
-
mbedtls_entropy_init( &entropy );
+ mbedtls_rsa_init ( &ctx, 0, 0 );
+
TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers, strlen( pers ) ) == 0 );
- mbedtls_rsa_init( &ctx, 0, 0 );
-
TEST_ASSERT( mbedtls_rsa_gen_key( &ctx, mbedtls_ctr_drbg_random, &ctr_drbg, nrbits, exponent ) == result );
if( result == 0 )
{
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index a39f6f0..b92c1fe 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -54,3 +54,6 @@
SSL DTLS replay: big jump then just delayed
ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd123400ff":0
+
+SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice
+ssl_set_hostname_twice:"server0":"server1"
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8d3448c..60683af 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -40,3 +40,16 @@
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
+void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
+{
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_init( &ssl );
+
+ TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname0 ) == 0 );
+ TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname1 ) == 0 );
+
+ mbedtls_ssl_free( &ssl );
+}
+/* END_CASE */
\ No newline at end of file
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 6a6ca0c..345601b 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.1.7"
+check_compiletime_version:"2.1.9"
Check runtime library version
-check_runtime_version:"2.1.7"
+check_runtime_version:"2.1.9"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 5ea5164..5731677 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -357,375 +357,383 @@
X509 Certificate verification #1 (Revoked Cert, Expired CRL, no CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 Certificate verification #1a (Revoked Cert, Future CRL, no CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"NULL"
+x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 Certificate verification #2 (Revoked Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 Certificate verification #2a (Revoked Cert, Future CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"NULL"
+x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 Certificate verification #3 (Revoked Cert, Future CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #3a (Revoked Cert, Expired CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #4 (Valid Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"NULL"
+x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 Certificate verification #4a (Revoked Cert, Future CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 Certificate verification #5 (Revoked Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #6 (Revoked Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #7 (Revoked Cert, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #8 (Valid Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #8a (Expired Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"NULL"
+x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
X509 Certificate verification #8b (Future Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"NULL"
+x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
X509 Certificate verification #9 (Not trusted Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #12 (Valid Cert MD4 Digest)
depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
+x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
X509 Certificate verification #13 (Valid Cert MD5 Digest)
depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"NULL"
+x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
-X509 Certificate verification #14 (Valid Cert SHA1 Digest)
+X509 Certificate verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
+
+X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"default":"NULL"
+
+X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"default":"NULL"
X509 Certificate verification #15 (Valid Cert SHA224 Digest)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #16 (Valid Cert SHA256 Digest)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #17 (Valid Cert SHA384 Digest)
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #18 (Valid Cert SHA512 Digest)
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #19 (Valid Cert, denying callback)
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"verify_none"
+x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
X509 Certificate verification #19 (Not trusted Cert, allowing callback)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"verify_all"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
X509 Certificate verification #21 (domain matching wildcard certificate, case insensitive)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"NULL"
+x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
X509 Certificate verification #22 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #23 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #24 (domain matching CN of multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #25 (domain matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL"
X509 Certificate verification #26 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #27 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #27 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #28 (domain not matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 Certificate verification #29 (domain matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"NULL"
+x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
X509 Certificate verification #30 (domain matching multi certificate without CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #31 (domain not matching multi certificate without CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #32 (Valid, EC cert, RSA CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #33 (Valid, RSA cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #34 (Valid, EC cert, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #35 (Revoked, EC CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #36 (Valid, EC CA, SHA1 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #37 (Valid, EC CA, SHA224 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #40 (Valid, depth 0, RSA, CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #41 (Valid, depth 0, EC, CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #42 (Depth 0, not CA, RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #43 (Depth 0, not CA, EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #44 (Corrupted signature, EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #45 (Corrupted signature, RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #46 (Valid, depth 2, EC-RSA-EC)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #47 (Untrusted, depth 2, EC-RSA-EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #48 (Missing intermediate CA, EC-RSA-EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #49 (Valid, depth 2, RSA-EC-RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #50 (Valid, multiple CAs)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #51 (Valid, multiple CAs, reverse order)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #52 (CA keyUsage valid)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #56 (CA keyUsage plain wrong)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #58 (Valid, RSASSA-PSS, SHA-224)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C
-x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #59 (Valid, RSASSA-PSS, SHA-256)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C
-x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #60 (Valid, RSASSA-PSS, SHA-384)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C
-x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #61 (Valid, RSASSA-PSS, SHA-512)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C
-x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #62 (Revoked, RSASSA-PSS, SHA-1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #64 (Valid, RSASSA-PSS, SHA-1, not top)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #65 (RSASSA-PSS, SHA1, bad cert signature)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #66 (RSASSA-PSS, SHA1, no RSA CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
+x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #67 (Valid, RSASSA-PSS, all defaults)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #68 (RSASSA-PSS, wrong salt_len)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #69 (RSASSA-PSS, wrong mgf_hash)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C
-x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #70 (v1 trusted CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #71 (v1 trusted CA, other)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #72 (v1 chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #73 (selfsigned trusted without CA bit)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
+x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #74 (signed by selfsigned trusted without CA bit)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
+x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 Certificate verification #75 (encoding mismatch)
-depends_on:MBEDTLS_PEM_PARSE_C
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #76 (multiple CRLs, not revoked)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #77 (multiple CRLs, revoked)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #78 (multiple CRLs, revoked by second)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #79 (multiple CRLs, revoked by future)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 Certificate verification #80 (multiple CRLs, first future, revoked by second)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 Certificate verification #81 (multiple CRLs, none relevant)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #82 (Not yet valid CA and valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #83 (valid CA and Not yet valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #84 (valid CA and Not yet valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #85 (Not yet valid CA and valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 Certificate verification #86 (Not yet valid CA and invalid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
X509 Certificate verification #87 (Expired CA and invalid CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"NULL"
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
X509 Certificate verification callback: trusted EE cert
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -1090,6 +1098,12 @@
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
x509parse_crt:"3081E430819F020104300D06092A864886F70D0101050500300F310D300B0603550403130454657374301E170D3133303731303135303233375A170D3233303730383135303233375A300F310D300B06035504031304546573743049301306072A8648CE3D020106082A8648CE3D03010103320004E962551A325B21B50CF6B990E33D4318FD16677130726357A196E3EFE7107BCB6BDC6D9DB2A4DF7C964ACFE81798433D300D06092A864886F70D01010505000331001A6C18CD1E457474B2D3912743F44B571341A7859A0122774A8E19A671680878936949F904C9255BDD6FFFDB33A7E6D8":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 15\:02\:37\nexpires on \: 2023-07-08 15\:02\:37\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n":0
+X509 Certificate ASN1 (invalid version 3)
+x509parse_crt:"30173015a0030201038204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+
+X509 Certificate ASN1 (invalid version overflow)
+x509parse_crt:"301A3018a00602047FFFFFFF8204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+
X509 CRL ASN1 (Incorrect first tag)
x509parse_crl:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
@@ -1144,6 +1158,12 @@
X509 CRL ASN1 (TBSCertList, no entries)
x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0
+X509 CRL ASN1 (invalid version 2)
+x509parse_crl:"30463031020102300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+
+X509 CRL ASN1 (invalid version overflow)
+x509parse_crl:"3049303102047FFFFFFF300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+
X509 CRT parse path #2 (one cert)
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
mbedtls_x509_crt_parse_path:"data_files/dir1":0:1
@@ -1156,6 +1176,18 @@
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
mbedtls_x509_crt_parse_path:"data_files/dir3":1:2
+X509 CRT verify long chain (max intermediate CA, trusted)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0
+
+X509 CRT verify long chain (max intermediate CA, untrusted)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED
+
+X509 CRT verify long chain (max intermediate CA + 1)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1
+
X509 CRT verify chain #1 (zero pathlen intermediate)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
mbedtls_x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED
@@ -1473,6 +1505,9 @@
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
mbedtls_x509_csr_parse:"308201193081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF9724300":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+X509 CSR ASN.1 (invalid version overflow)
+mbedtls_x509_csr_parse:"3008300602047FFFFFFF":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+
X509 File parse (no issues)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509parse_crt_file:"data_files/server7_int-ca.crt":0
@@ -1585,3 +1620,18 @@
depends_on:MBEDTLS_X509_USE_C
x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+X509 Get time (Generalized Time, year multiple of 100 but not 400 is not a leap year)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19000229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 Get time (Generalized Time, year multiple of 4 but not 100 is a leap year)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19920229000000Z":0:1992:2:29:0:0:0
+
+X509 Get time (Generalized Time, year multiple of 400 is a leap year)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0
+
+X509 Get time (Generalized Time invalid leap year not multiple of 4, 100 or 400)
+depends_on:MBEDTLS_X509_USE_C
+x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 89f4609..c69681d 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -7,6 +7,14 @@
#include "mbedtls/oid.h"
#include "mbedtls/base64.h"
+#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
+#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
+than the current threshold 19. To test larger values, please \
+adapt the script tests/data_files/dir-max/long.sh."
+#endif
+
+/* Profile for backward compatibility. Allows SHA-1, unlike the default
+ profile. */
const mbedtls_x509_crt_profile compat_profile =
{
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
@@ -221,6 +229,7 @@
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */
void x509_verify( char *crt_file, char *ca_file, char *crl_file,
char *cn_name_str, int result, int flags_result,
+ char *profile_str,
char *verify_callback )
{
mbedtls_x509_crt crt;
@@ -230,6 +239,7 @@
int res;
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
char * cn_name = NULL;
+ const mbedtls_x509_crt_profile *profile;
mbedtls_x509_crt_init( &crt );
mbedtls_x509_crt_init( &ca );
@@ -238,6 +248,13 @@
if( strcmp( cn_name_str, "NULL" ) != 0 )
cn_name = cn_name_str;
+ if( strcmp( profile_str, "default" ) == 0 )
+ profile = &mbedtls_x509_crt_profile_default;
+ else if( strcmp( profile_str, "compat" ) == 0 )
+ profile = &compat_profile;
+ else
+ TEST_ASSERT( "Unknown algorithm profile" == 0 );
+
if( strcmp( verify_callback, "NULL" ) == 0 )
f_vrfy = NULL;
else if( strcmp( verify_callback, "verify_none" ) == 0 )
@@ -251,7 +268,7 @@
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
- res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, &compat_profile, cn_name, &flags, f_vrfy, NULL );
+ res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL );
TEST_ASSERT( res == ( result ) );
TEST_ASSERT( flags == (uint32_t)( flags_result ) );
@@ -280,8 +297,10 @@
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
- ret = mbedtls_x509_crt_verify( &crt, &ca, NULL, NULL, &flags,
- verify_print, &vrfy_ctx );
+ ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL,
+ &compat_profile,
+ NULL, &flags,
+ verify_print, &vrfy_ctx );
TEST_ASSERT( ret == exp_ret );
TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 );
@@ -488,6 +507,45 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
+ int ret_chk, int flags_chk )
+{
+ char file_buf[128];
+ int ret;
+ uint32_t flags;
+ mbedtls_x509_crt trusted, chain;
+
+ /*
+ * We expect chain_dir to contain certificates 00.crt, 01.crt, etc.
+ * with NN.crt signed by NN-1.crt
+ */
+
+ mbedtls_x509_crt_init( &trusted );
+ mbedtls_x509_crt_init( &chain );
+
+ /* Load trusted root */
+ TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, ca_file ) == 0 );
+
+ /* Load a chain with nb_int intermediates (from 01 to nb_int),
+ * plus one "end-entity" cert (nb_int + 1) */
+ ret = mbedtls_snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir,
+ nb_int + 1 );
+ TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf );
+ TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
+
+ /* Try to verify that chain */
+ ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags,
+ NULL, NULL );
+ TEST_ASSERT( ret == ret_chk );
+ TEST_ASSERT( flags == (uint32_t) flags_chk );
+
+exit:
+ mbedtls_x509_crt_free( &chain );
+ mbedtls_x509_crt_free( &trusted );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result )
{
char* act;
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index d4d2a98..5b54d85 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -44,19 +44,35 @@
Certificate write check Server1 SHA1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:-1:"data_files/server1.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0
Certificate write check Server1 SHA1, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:-1:"data_files/server1.key_usage.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0
Certificate write check Server1 SHA1, ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:-1:"data_files/server1.cert_type.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0
Certificate write check Server1 SHA1, version 1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
+
+Certificate write check Server1 SHA1, RSA_ALT
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1
+
+Certificate write check Server1 SHA1, RSA_ALT, key_usage
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
+
+Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1
+
+Certificate write check Server1 SHA1, RSA_ALT, version 1
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 5120837..6a66b2f 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -3,6 +3,30 @@
#include "mbedtls/x509_csr.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+
+#if defined(MBEDTLS_RSA_C)
+int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len )
+{
+ return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen,
+ input, output, output_max_len ) );
+}
+int mbedtls_rsa_sign_func( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig )
+{
+ return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode,
+ md_alg, hashlen, hash, sig ) );
+}
+size_t mbedtls_rsa_key_len_func( void *ctx )
+{
+ return( ((const mbedtls_rsa_context *) ctx)->len );
+}
+#endif /* MBEDTLS_RSA_C */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -38,7 +62,7 @@
if( cert_type != 0 )
TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
- ret = mbedtls_x509write_csr_pem( &req, buf, sizeof(buf),
+ ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( ret == 0 );
@@ -67,10 +91,12 @@
char *subject_name, char *issuer_key_file,
char *issuer_pwd, char *issuer_name,
char *serial_str, char *not_before, char *not_after,
- int md_type, int key_usage, int cert_type, int ver,
- char *cert_check_file )
+ int md_type, int key_usage, int cert_type, int auth_ident,
+ int ver, char *cert_check_file, int rsa_alt )
{
- mbedtls_pk_context subject_key, issuer_key;
+ mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
+ mbedtls_pk_context *key = &issuer_key;
+
mbedtls_x509write_cert crt;
unsigned char buf[4000];
unsigned char check_buf[5000];
@@ -82,61 +108,83 @@
memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
mbedtls_mpi_init( &serial );
+
mbedtls_pk_init( &subject_key );
- mbedtls_pk_init( &issuer_key );
+ mbedtls_pk_init( &issuer_key );
+ mbedtls_pk_init( &issuer_key_alt );
+
+ mbedtls_x509write_crt_init( &crt );
TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
subject_pwd ) == 0 );
+
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
issuer_pwd ) == 0 );
+
+ /* For RSA PK contexts, create a copy as an alternative RSA context. */
+ if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
+ {
+ TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt,
+ mbedtls_pk_rsa( issuer_key ),
+ mbedtls_rsa_decrypt_func,
+ mbedtls_rsa_sign_func,
+ mbedtls_rsa_key_len_func ) == 0 );
+
+ key = &issuer_key_alt;
+ }
+
TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 );
- mbedtls_x509write_crt_init( &crt );
if( ver != -1 )
mbedtls_x509write_crt_set_version( &crt, ver );
+
TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 );
TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before,
- not_after ) == 0 );
+ not_after ) == 0 );
mbedtls_x509write_crt_set_md_alg( &crt, md_type );
TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 );
TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 );
mbedtls_x509write_crt_set_subject_key( &crt, &subject_key );
- mbedtls_x509write_crt_set_issuer_key( &crt, &issuer_key );
+
+ mbedtls_x509write_crt_set_issuer_key( &crt, key );
if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 )
{
TEST_ASSERT( mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 );
TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
- TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
+ if( auth_ident )
+ TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
if( key_usage != 0 )
TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
if( cert_type != 0 )
TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
}
- ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof(buf),
- rnd_pseudo_rand, &rnd_info );
+ ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ),
+ rnd_pseudo_rand, &rnd_info );
TEST_ASSERT( ret == 0 );
pem_len = strlen( (char *) buf );
f = fopen( cert_check_file, "r" );
TEST_ASSERT( f != NULL );
- olen = fread( check_buf, 1, sizeof(check_buf), f );
+ olen = fread( check_buf, 1, sizeof( check_buf ), f );
fclose( f );
- TEST_ASSERT( olen < sizeof(check_buf) );
+ TEST_ASSERT( olen < sizeof( check_buf ) );
TEST_ASSERT( olen >= pem_len - 1 );
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
ret = mbedtls_x509write_crt_der( &crt, buf, pem_len / 2,
rnd_pseudo_rand, &rnd_info );
+
TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
exit:
mbedtls_x509write_crt_free( &crt );
- mbedtls_pk_free( &issuer_key );
+ mbedtls_pk_free( &issuer_key_alt );
mbedtls_pk_free( &subject_key );
+ mbedtls_pk_free( &issuer_key );
mbedtls_mpi_free( &serial );
}
/* END_CASE */
diff --git a/yotta/data/module.json b/yotta/data/module.json
index 0068e72..076148f 100644
--- a/yotta/data/module.json
+++ b/yotta/data/module.json
@@ -1,6 +1,6 @@
{
"name": "mbedtls",
- "version": "2.1.7",
+ "version": "2.1.9",
"description": "The mbed TLS crypto/SSL/TLS library",
"licenses": [
{