diff --git a/.gitignore b/.gitignore
index 8824ecea06..288c71b133 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,9 @@ massif-*
.project
/.settings
+# Unix-like build artifacts:
+*.o
+
# MSVC build artifacts:
*.exe
*.pdb
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
index cef07bf1cc..2b38c07e03 100644
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -12,8 +12,14 @@ build:
python: "3.9"
jobs:
pre_build:
- - make apidoc
- - breathe-apidoc -o docs/api apidoc/xml
+ - make apidoc
+ - breathe-apidoc -o docs/api apidoc/xml
+ post_build:
+ - |
+ # Work around Readthedocs bug: Command parsing fails if the 'if' statement is on the first line
+ if [ "$READTHEDOCS_VERSION" = "development" ]; then
+ "$READTHEDOCS_VIRTUALENV_PATH/bin/rtd" projects "Mbed TLS API" redirects sync --wet-run -f docs/redirects.yaml
+ fi
# Build documentation in the docs/ directory with Sphinx
sphinx:
diff --git a/3rdparty/everest/.gitignore b/3rdparty/everest/.gitignore
index 6eb25f66ad..f3c7a7c5da 100644
--- a/3rdparty/everest/.gitignore
+++ b/3rdparty/everest/.gitignore
@@ -1,2 +1 @@
-*.o
Makefile
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8d27a82bfd..6840295242 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,9 +34,9 @@ cmake_policy(SET CMP0011 NEW)
cmake_policy(SET CMP0012 NEW)
if(TEST_CPP)
- project("mbed TLS" C CXX)
+ project("mbed TLS" LANGUAGES C CXX)
else()
- project("mbed TLS" C)
+ project("mbed TLS" LANGUAGES C)
endif()
include(GNUInstallDirs)
diff --git a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
new file mode 100644
index 0000000000..9aa3ff91d1
--- /dev/null
+++ b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
@@ -0,0 +1,3 @@
+Features
+ * When parsing X.509 certificates, support the extensions
+ SignatureKeyIdentifier and AuthorityKeyIdentifier.
diff --git a/ChangeLog.d/add-psa_want_alg_some_pake.txt b/ChangeLog.d/add-psa_want_alg_some_pake.txt
new file mode 100644
index 0000000000..00b3002b67
--- /dev/null
+++ b/ChangeLog.d/add-psa_want_alg_some_pake.txt
@@ -0,0 +1,3 @@
+Features
+ * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
+ if no PAKE algorithms are requested
diff --git a/ChangeLog.d/add-subjectAltName-certs.txt b/ChangeLog.d/add-subjectAltName-certs.txt
new file mode 100644
index 0000000000..487e5c656e
--- /dev/null
+++ b/ChangeLog.d/add-subjectAltName-certs.txt
@@ -0,0 +1,6 @@
+Features
+ * It is now possible to generate certificates with SubjectAltNames.
+ Currently supported subtypes: DnsName, UniformResourceIdentifier,
+ IP address, OtherName, and DirectoryName, as defined in RFC 5280.
+ See mbedtls_x509write_crt_set_subject_alternative_name for
+ more information.
diff --git a/ChangeLog.d/basic-uri-verification.txt b/ChangeLog.d/basic-uri-verification.txt
new file mode 100644
index 0000000000..aa039ea299
--- /dev/null
+++ b/ChangeLog.d/basic-uri-verification.txt
@@ -0,0 +1,4 @@
+Features
+ * X.509 hostname verification now partially supports URI Subject Alternate
+ Names. Only exact matching, without any normalization procedures
+ described in 7.4 of RFC5280, will result in a positive URI verification.
diff --git a/ChangeLog.d/driver-ffdh.txt b/ChangeLog.d/driver-ffdh.txt
new file mode 100644
index 0000000000..1185133042
--- /dev/null
+++ b/ChangeLog.d/driver-ffdh.txt
@@ -0,0 +1,3 @@
+Features
+ * Add a driver dispatch layer for FFDH keys, enabling alternative
+ implementations of FFDH through the driver entry points.
diff --git a/ChangeLog.d/oid-parse-from-numeric-string.txt b/ChangeLog.d/oid-parse-from-numeric-string.txt
new file mode 100644
index 0000000000..82ed2fd713
--- /dev/null
+++ b/ChangeLog.d/oid-parse-from-numeric-string.txt
@@ -0,0 +1,3 @@
+Features
+ * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
+ string to a DER-encoded mbedtls_asn1_buf.
diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index 6aff42f1c1..a014b52733 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -25,7 +25,7 @@
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
-/* Mbed Crypto feature support */
+/* Mbed TLS feature support */
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CTR
@@ -42,7 +42,7 @@
#define MBEDTLS_USE_PSA_CRYPTO
#define MBEDTLS_VERSION_FEATURES
-/* Mbed Crypto modules */
+/* Mbed TLS modules */
#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
diff --git a/configs/crypto_config_profile_medium.h b/configs/crypto_config_profile_medium.h
new file mode 100644
index 0000000000..939e2a33e3
--- /dev/null
+++ b/configs/crypto_config_profile_medium.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+/**
+ * \file psa/crypto_config.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+/**
+ * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
+ * this file determines which cryptographic mechanisms are enabled
+ * through the PSA Cryptography API (\c psa_xxx() functions).
+ *
+ * To enable a cryptographic mechanism, uncomment the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * To disable a cryptographic mechanism, comment out the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * The names of cryptographic mechanisms correspond to values
+ * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
+ * of \c PSA_.
+ *
+ * Note that many cryptographic mechanisms involve two symbols: one for
+ * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
+ * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
+ * additional symbols.
+ */
+#else
+/**
+ * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
+ * this file is not used, and cryptographic mechanisms are supported
+ * through the PSA API if and only if they are supported through the
+ * mbedtls_xxx API.
+ */
+#endif
+
+#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H
+#define PROFILE_M_PSA_CRYPTO_CONFIG_H
+
+/*
+ * CBC-MAC is not yet supported via the PSA API in Mbed TLS.
+ */
+//#define PSA_WANT_ALG_CBC_MAC 1
+//#define PSA_WANT_ALG_CBC_NO_PADDING 1
+//#define PSA_WANT_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CCM 1
+//#define PSA_WANT_ALG_CMAC 1
+//#define PSA_WANT_ALG_CFB 1
+//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+//#define PSA_WANT_ALG_CTR 1
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+//#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDSA 1
+//#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HMAC 1
+//#define PSA_WANT_ALG_MD5 1
+//#define PSA_WANT_ALG_OFB 1
+/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_PBKDF2_HMAC 1
+//#define PSA_WANT_ALG_RIPEMD160 1
+//#define PSA_WANT_ALG_RSA_OAEP 1
+//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
+//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
+//#define PSA_WANT_ALG_RSA_PSS 1
+//#define PSA_WANT_ALG_SHA_1 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+//#define PSA_WANT_ALG_SHA_384 1
+//#define PSA_WANT_ALG_SHA_512 1
+//#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
+ * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+//#define PSA_WANT_ALG_XTS 1
+
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+//#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+//#define PSA_WANT_ECC_MONTGOMERY_255 1
+//#define PSA_WANT_ECC_MONTGOMERY_448 1
+//#define PSA_WANT_ECC_SECP_K1_192 1
+/*
+ * SECP224K1 is buggy via the PSA API in Mbed TLS
+ * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
+ * default.
+ */
+//#define PSA_WANT_ECC_SECP_K1_224 1
+//#define PSA_WANT_ECC_SECP_K1_256 1
+//#define PSA_WANT_ECC_SECP_R1_192 1
+//#define PSA_WANT_ECC_SECP_R1_224 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+//#define PSA_WANT_ECC_SECP_R1_384 1
+//#define PSA_WANT_ECC_SECP_R1_521 1
+
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#define PSA_WANT_KEY_TYPE_AES 1
+//#define PSA_WANT_KEY_TYPE_ARIA 1
+//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+//#define PSA_WANT_KEY_TYPE_CHACHA20 1
+//#define PSA_WANT_KEY_TYPE_DES 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
+//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+
+#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */
diff --git a/configs/tfm_mbedcrypto_config_profile_medium.h b/configs/tfm_mbedcrypto_config_profile_medium.h
new file mode 100644
index 0000000000..b581f1f62a
--- /dev/null
+++ b/configs/tfm_mbedcrypto_config_profile_medium.h
@@ -0,0 +1,629 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PROFILE_M_MBEDTLS_CONFIG_H
+#define PROFILE_M_MBEDTLS_CONFIG_H
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_MD2_PROCESS_ALT
+ *
+ * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
+ *
+ * This replaces only one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
+ * no longer provide the mbedtls_sha1_process() function, but it will still provide
+ * the other function (using your mbedtls_sha1_process() function) and the definition
+ * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
+ * with this definition.
+ *
+ * \note Because of a signature change, the core AES encryption and decryption routines are
+ * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
+ * respectively. When setting up alternative implementations, these functions should
+ * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ * must stay untouched.
+ *
+ * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
+ * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
+ * tables.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ *
+ * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ * constitutes a security risk. If possible, we recommend avoiding
+ * dependencies on them, and considering stronger message digests
+ * and ciphers instead.
+ *
+ */
+#define MBEDTLS_AES_SETKEY_DEC_ALT
+#define MBEDTLS_AES_DECRYPT_ALT
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ *
+ * Enable a dummy error function to make use of mbedtls_strerror() in
+ * third party libraries easier when MBEDTLS_ERROR_C is disabled
+ * (no effect when MBEDTLS_ERROR_C is enabled).
+ *
+ * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
+ * not using mbedtls_strerror() or error_strerror() in your application.
+ *
+ * Disable if you run into name conflicts and want to really remove the
+ * mbedtls_strerror()
+ */
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+//#define MBEDTLS_ENTROPY_NV_SEED
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * This is only meaningful when building the library as part of a
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
+ * you wish to support.
+ *
+ * Note that while this define has been removed from TF-M's copy of this config
+ * file, TF-M still passes this option to Mbed TLS during the build via CMake.
+ * Therefore we keep it in our copy. See discussion on PR #7426 for more info.
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module: library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#define MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PK_C
+ *
+ * Enable the generic public (asymetric) key layer.
+ *
+ * Module: library/pk.c
+ *
+ * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define MBEDTLS_PK_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_C
+ *
+ * Enable the generic public (asymetric) key parser.
+ *
+ * Module: library/pkparse.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key parse functions.
+ */
+#define MBEDTLS_PK_PARSE_C
+
+/**
+ * \def MBEDTLS_PK_WRITE_C
+ *
+ * Enable the generic public (asymetric) key writer.
+ *
+ * Module: library/pkwrite.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key write functions.
+ */
+#define MBEDTLS_PK_WRITE_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+// This macro is enabled in TFM Medium but is disabled here because it is
+// incompatible with baremetal builds in Mbed TLS.
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an \#include directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an \#include line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an \#include directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an \#include line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an \#include directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an \#include line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an \#include directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an \#include line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* ECP options */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
+
+/* \} name SECTION: Customisation configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#ifdef CRYPTO_HW_ACCELERATOR
+#include "mbedtls_accelerator_config.h"
+#endif
+
+#endif /* PROFILE_M_MBEDTLS_CONFIG_H */
diff --git a/docs/architecture/Makefile b/docs/architecture/Makefile
index d8db2e067a..6252ab0f91 100644
--- a/docs/architecture/Makefile
+++ b/docs/architecture/Makefile
@@ -3,10 +3,18 @@ PANDOC = pandoc
default: all
all_markdown = \
- mbed-crypto-storage-specification.md \
- testing/driver-interface-test-strategy.md \
- testing/invasive-testing.md \
- testing/test-framework.md \
+ alternative-implementations.md \
+ mbed-crypto-storage-specification.md \
+ psa-crypto-implementation-structure.md \
+ psa-migration/psa-limitations.md \
+ psa-migration/strategy.md \
+ psa-migration/tasks-g2.md \
+ psa-migration/testing.md \
+ testing/driver-interface-test-strategy.md \
+ testing/invasive-testing.md \
+ testing/psa-storage-format-testing.md \
+ testing/test-framework.md \
+ tls13-support.md \
# This line is intentionally left blank
html: $(all_markdown:.md=.html)
diff --git a/docs/architecture/mbed-crypto-storage-specification.md b/docs/architecture/mbed-crypto-storage-specification.md
index d46139449d..3c8370d221 100644
--- a/docs/architecture/mbed-crypto-storage-specification.md
+++ b/docs/architecture/mbed-crypto-storage-specification.md
@@ -1,7 +1,9 @@
-Mbed Crypto storage specification
+Mbed TLS storage specification
=================================
-This document specifies how Mbed Crypto uses storage.
+This document specifies how Mbed TLS uses storage.
+Key storage was originally introduced in a product called Mbed Crypto, which was re-distributed via Mbed TLS and has since been merged into Mbed TLS.
+This document contains historical information both from before and after this merge.
Mbed Crypto may be upgraded on an existing device with the storage preserved. Therefore:
diff --git a/docs/architecture/psa-crypto-implementation-structure.md b/docs/architecture/psa-crypto-implementation-structure.md
index 6a0a0953c0..a5aac404c0 100644
--- a/docs/architecture/psa-crypto-implementation-structure.md
+++ b/docs/architecture/psa-crypto-implementation-structure.md
@@ -71,3 +71,105 @@ In case of any error occurring at step 3 or 4, psa_fail_key_creation() is called
A driver of the Mbed TLS PSA Cryptography API implementation (Mbed TLS PSA driver in the following) is a driver in the sense that it is compliant with the PSA driver interface specification. But it is not an actual driver that drives some hardware. It implements cryptographic operations purely in software.
An Mbed TLS PSA driver C file is named psa_crypto_.c and its associated header file psa_crypto_.h. The functions implementing a driver entry point as defined in the PSA driver interface specification are named as mbedtls_psa__(). As an example, the psa_crypto_rsa.c and psa_crypto_rsa.h are the files containing the Mbed TLS PSA driver implementing RSA cryptographic operations. This RSA driver implements among other entry points the "import_key" entry point. The function implementing this entry point is named mbedtls_psa_rsa_import_key().
+
+## How to implement a new cryptographic mechanism
+
+Summary of files to modify when adding a new algorithm or key type:
+
+* [ ] PSA Crypto API draft, if not already done — [PSA standardization](#psa-standardization)
+* [ ] `include/psa/crypto_values.h` or `include/psa/crypto_extra.h` — [New functions and macros](#new-functions-and-macros)
+* [ ] `include/psa/crypto_config.h`, `tests/include/test/drivers/crypto_config_test_driver_extension.h` — [Preprocessor symbols](#preprocessor-symbols)
+* Occasionally `library/check_crypto_config.h` — [Preprocessor symbols](#preprocessor-symbols)
+* [ ] `include/mbedtls/config_psa.h` — [Preprocessor symbols](#preprocessor-symbols)
+* [ ] `library/psa_crypto.c`, `library/psa_crypto_*.[hc]` — [Implementation of the mechanisms](#implementation-of-the-mechanisms)
+* [ ] `include/psa/crypto_builtin_*.h` — [Translucent data structures](#translucent-data-structures)
+* [ ] `tests/suites/test_suite_psa_crypto_metadata.data` — [New functions and macros](#new-functions-and-macros)
+* (If adding `PSA_IS_xxx`) `tests/suites/test_suite_psa_crypto_metadata.function` — [New functions and macros](#new-functions-and-macros)
+* [ ] `tests/suites/test_suite_psa_crypto*.data`, `tests/suites/test_suite_psa_crypto*.function` — [Unit tests](#unit-tests)
+* [ ] `scripts/mbedtls_dev/crypto_knowledge.py`, `scripts/mbedtls_dev/asymmetric_key_data.py` — [Unit tests](#unit-tests)
+* [ ] `ChangeLog.d/*.txt` — changelog entry
+
+Summary of files to modify when adding new API functions:
+
+* [ ] `include/psa/crypto.h` and `include/psa/crypto_sizes.h`, or `include/psa/crypto_extra.h` — [New functions and macros](#new-functions-and-macros)
+* [ ] `library/psa_crypto.c`, `scripts/data_files/driver_templates/*.jinja` — [Implementation of the mechanisms](#implementation-of-the-mechanisms)
+* [ ] If adding stateful functions: `include/psa/crypto_struct.h`, `include/psa/crypto_builtin_*.h`, `include/psa/crypto_driver_contexts_*.h` — [Translucent data structures](#translucent-data-structures)
+* [ ] `tests/suites/test_suite_psa_crypto.data`, `tests/suites/test_suite_psa_crypto.function`, `tests/suites/test_suite_psa_crypto_driver_wrappers.*` — [Unit tests](#unit-tests)
+
+Note that this is just a basic guide. In some cases, you won't need to change all the files listed here. In some cases, you may need to change other files.
+
+### PSA standardization
+
+Typically, if there's enough demand for a cryptographic mechanism in Mbed TLS, there's enough demand for it to be part of the official PSA Cryptography specification. Therefore the first step before implementing a new mechanism should be to approach the PSA Cryptography working group in Arm for standardization.
+
+At the time of writing, all cryptographic mechanisms that are accessible through `psa_xxx` APIs in in Mbed TLS are current or upcoming PSA standards. Mbed TLS implements some extensions to the PSA API that offer extra integration customization or extra key policies.
+
+Mbed TLS routinely implements cryptographic mechanisms that are not yet part of a published PSA standard, but that are scheduled to be part of a future version of the standard. The Mbed TLS implementation validates the feasibility of the upcoming PSA standard. The PSA Cryptography working group and the Mbed TLS development team communicate during the elaboration of the new interfaces.
+
+### New functions and macros
+
+If a mechanism requires new functions, they should follow the design guidelines in the PSA Cryptography API specification.
+
+Functions that are part of the current or upcoming API are declared in `include/psa/crypto.h`, apart from structure accessors defined in `include/psa/crypto_struct.h`. Functions that have output buffers have associated sufficient-output-size macros in `include/psa/crypto_sizes.h`.
+
+Constants (algorithm identifiers, key type identifiers, etc.) and associated destructor macros (e.g. `PSA_IS_xxx()`) are defined in `include/psa/crypto_values.h`.
+
+Functions and macros that are not intended for standardization, or that are at a stage where the draft standard might still evolve significantly, are declared in `include/psa/crypto_extra.h`.
+
+The PSA Cryptography API specification defines both names and values for certain kinds of constants: algorithms (`PSA_ALG_xxx`), key types (`PSA_KEY_TYPE_xxx`), ECC curve families (`PSA_ECC_FAMILY_xxx`), DH group families (`PSA_DH_FAMILY_xxx`). If Mbed TLS defines an algorithm or a key type that is not part of a current or upcoming PSA standard, pick a value with the `VENDOR` flag set. If Mbed TLS defines an ECC curve or DH group family that is not part of a current or upcoming PSA standard, define a vendor key type and use the family identifier only with this vendor key type.
+
+New constants must have a test case in `tests/suites/test_suite_psa_crypto_metadata.data` that verifies that `PSA_IS_xxx` macros behave properly with the new constant. New `PSA_IS_xxx` macros must be declared in `tests/suites/test_suite_psa_crypto_metadata.function`.
+
+### Preprocessor symbols
+
+Each cryptographic mechanism is optional and can be selected by the application at build time. For each feature `PSA_ttt_xxx`:
+
+* The feature is available to applications when the preprocessor symbol `PSA_WANT_ttt_xxx` is defined. These symbols are set:
+ * If `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled: based on the available mechanisms in Mbed TLS, deduced from `mbedtls/mbedtls_config.h` by code in `include/mbedtls/config_psa.h`.
+ * if `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled: in the application configuration file `include/psa/crypto_config.h` (or `MBEDTLS_PSA_CRYPTO_CONFIG_FILE`, plus `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE`), with code in `include/mbedtls/config_psa.h` deducing the necessary underlying `MBEDTLS_xxx` symbols.
+* For transparent keys (keys that are not in a secure element), the feature is implemented by Mbed TLS if `MBEDTLS_PSA_BUILTIN_ttt_xxx` is defined, and by an accelerator driver if `MBEDTLS_PSA_ACCEL_ttt_xxx` is defined. `MBEDTLS_PSA_BUILTIN_ttt_xxx` constants are set in `include/mbedtls/config_psa.h` based on the application requests `PSA_WANT_ttt_xxx` and the accelerator driver declarations `MBEDTLS_PSA_ACCEL_ttt_xxx`.
+* For the testing of the driver dispatch code, `tests/include/test/drivers/crypto_config_test_driver_extension.h` sets additional `MBEDTLS_PSA_ACCEL_xxx` symbols.
+
+For more details, see *[Conditional inclusion of cryptographic mechanism through the PSA API in Mbed TLS](../proposed/psa-conditional-inclusion-c.html)*.
+
+Some mechanisms require other mechanisms. For example, you can't do GCM without a block cipher, or RSA-PSS without RSA keys. When mechanism A requires mechanism B, `include/mbedtls/config_psa.h` ensures that B is enabled whenever A is enabled. When mechanism A requires at least one of a set {B1, B2, B3, ...} but there is no particular reason why enabling A would enable any of the specific Bi's, it's up to the application to choose Bi's and the file `library/check_crypto_config.h` contains compile-time constraints to ensure that at least one Bi is enabled.
+
+### Implementation of the mechanisms
+
+The general structure of a cryptographic operation function is:
+
+1. API function defined in `library/psa_crypto.c`. The entry point performs generic checks that don't depend on whether the mechanism is implemented in software or in a driver and looks up keys in the key store.
+2. Driver dispatch code in `scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja` or files included from there.
+3. Built-in implementation in `library/psa_crypto_*.c` (with function declarations in the corresponding `.h` file). These files typically contain the implementation of modes of operation over basic building blocks that are defined elsewhere. For example, HMAC is implemented in `library/psa_crypto_mac.c` but the underlying hash functions are implemented in `library/sha*.c` and `library/md*.c`.
+4. Basic cryptographic building blocks in `library/*.c`.
+
+When implementing a new algorithm or key type, there are typically things to change in `library/crypto.c` (e.g. buffer size calculations, algorithm/key-type compatibility) and in the built-in implementation, but not in the driver dispatch code.
+
+### Translucent data structures
+
+Some mechanisms require state to be kept between function calls. Keys and key-like data is kept in the key store, which PSA manages internally. Other state, for example the state of multipart operations, is kept in structures allocated by the caller.
+
+The size of operation structures needs to be known at compile time, since callers may allocate them on the stack. Therefore these structures are defined in a public header: `include/psa/crypto_struct.h` for the parts that are independent of the underlying implementation, `include/psa/crypto_builtin_*` for parts that are specific to the Mbed TLS built-in implementation, `include/psa/crypto_driver_*.h` for structures implemented by drivers.
+
+### Unit tests
+
+A number of unit tests are automatically generated by `tests/scripts/generate_psa_tests.py` based on the algorithms and key types declared in `include/psa/crypto_values.h` and `include/psa/crypto_extra.h`:
+
+* Attempt to create a key with a key type that is not supported.
+* Attempt to perform an operation with a combination of key type and algorithm that is not valid or not supported.
+* Storage and retrieval of a persistent key.
+
+When adding a new key type or algorithm:
+
+* `scripts/mbedtls_dev/crypto_knowledge.py` contains knowledge about the compatibility of key types, key sizes and algorithms.
+* `scripts/mbedtls_dev/asymmetric_key_data.py` contains valid key data for asymmetric key types.
+
+Other things need to be tested manually, either in `tests/suites/test_sutie_psa_crypto.data` or in another file. For example (this is not an exhaustive list):
+
+* Known answer tests.
+* Potential edge cases (e.g. data less/equal/more than the block size, number equal to zero in asymmetric cryptography).
+* Tests with invalid keys (e.g. wrong size or format).
+* Tests with invalid data (e.g. wrong size or format, output buffer too small, invalid padding).
+* For new functions: incorrect function call sequence, driver dispatch (in `tests/suites/test_suite_psa_crypto_driver_wrappers.*`).
+* For key derivation algorithms: variation on the sequence of input steps, variation on the output size.
+
diff --git a/docs/architecture/testing/driver-interface-test-strategy.md b/docs/architecture/testing/driver-interface-test-strategy.md
index a726c43eb3..380fd39c43 100644
--- a/docs/architecture/testing/driver-interface-test-strategy.md
+++ b/docs/architecture/testing/driver-interface-test-strategy.md
@@ -1,6 +1,6 @@
-# Mbed Crypto driver interface test strategy
+# Mbed TLS driver interface test strategy
-This document describes the test strategy for the driver interfaces in Mbed Crypto. Mbed Crypto has interfaces for secure element drivers, accelerator drivers and entropy drivers. This document is about testing Mbed Crypto itself; testing drivers is out of scope.
+This document describes the test strategy for the driver interfaces in Mbed TLS. Mbed TLS has interfaces for secure element drivers, accelerator drivers and entropy drivers. This document is about testing Mbed TLS itself; testing drivers is out of scope.
The driver interfaces are standardized through PSA Cryptography functional specifications.
@@ -16,9 +16,9 @@ Drivers exposing this interface need to be registered at compile time by declari
#### Dynamic secure element driver interface
-The dynamic secure element driver interface (SE interface for short) is defined by [`psa/crypto_se_driver.h`](../../../include/psa/crypto_se_driver.h). This is an interface between Mbed Crypto and one or more third-party drivers.
+The dynamic secure element driver interface (SE interface for short) is defined by [`psa/crypto_se_driver.h`](../../../include/psa/crypto_se_driver.h). This is an interface between Mbed TLS and one or more third-party drivers.
-The SE interface consists of one function provided by Mbed Crypto (`psa_register_se_driver`) and many functions that drivers must implement. To make a driver usable by Mbed Crypto, the initialization code must call `psa_register_se_driver` with a structure that describes the driver. The structure mostly contains function pointers, pointing to the driver's methods. All calls to a driver function are triggered by a call to a PSA crypto API function.
+The SE interface consists of one function provided by Mbed TLS (`psa_register_se_driver`) and many functions that drivers must implement. To make a driver usable by Mbed TLS, the initialization code must call `psa_register_se_driver` with a structure that describes the driver. The structure mostly contains function pointers, pointing to the driver's methods. All calls to a driver function are triggered by a call to a PSA crypto API function.
### SE driver interface unit tests
@@ -57,7 +57,7 @@ For each API function that can lead to a driver call (more precisely, for each d
#### SE driver outputs
-For each API function that leads to a driver call, call it with parameters that cause a driver to be invoked and check how Mbed Crypto handles the outputs.
+For each API function that leads to a driver call, call it with parameters that cause a driver to be invoked and check how Mbed TLS handles the outputs.
* Correct outputs.
* Incorrect outputs such as an invalid output length.
diff --git a/docs/architecture/testing/psa-storage-format-testing.md b/docs/architecture/testing/psa-storage-format-testing.md
index 5514dfabef..a5c1fd137d 100644
--- a/docs/architecture/testing/psa-storage-format-testing.md
+++ b/docs/architecture/testing/psa-storage-format-testing.md
@@ -47,7 +47,7 @@ The PSA subsystem provides storage on top of the PSA trusted storage interface.
* [Storage transaction file](#storage-transaction-resumption).
* [Driver state files](#driver-state-files).
-For a more detailed description, refer to the [Mbed Crypto storage specification](../mbed-crypto-storage-specification.md).
+For a more detailed description, refer to the [Mbed TLS storage specification](../mbed-crypto-storage-specification.md).
In addition, Mbed TLS includes an implementation of the PSA trusted storage interface on top of C stdio. This document addresses the test strategy for [PSA ITS over file](#psa-its-over-file) in a separate section below.
diff --git a/docs/proposed/psa-driver-interface.md b/docs/proposed/psa-driver-interface.md
index a3e3c76475..41f90c9dda 100644
--- a/docs/proposed/psa-driver-interface.md
+++ b/docs/proposed/psa-driver-interface.md
@@ -301,25 +301,289 @@ TODO
TODO
-#### Operation family `"key_derivation"`
+### Driver entry points for key derivation
-This family requires the following type and entry points:
+Key derivation is more complex than other multipart operations for several reasons:
-* Type `"key_derivation_operation_t"`: the type of a key derivation operation context.
-* `"key_derivation_setup"`: called by `psa_key_derivation_setup()`.
-* `"key_derivation_set_capacity"`: called by `psa_key_derivation_set_capacity()`. The core will always enforce the capacity, therefore this function does not need to do anything for algorithms where the output stream only depends on the effective generated length and not on the capacity.
-* `"key_derivation_input_bytes"`: called by `psa_key_derivation_input_bytes()` and `psa_key_derivation_input_key()`. For transparent drivers, when processing a call to `psa_key_derivation_input_key()`, the core always calls the applicable driver's `"key_derivation_input_bytes"` entry point.
-* `"key_derivation_input_integer"`: called by `psa_key_derivation_input_integer()`.
-* `"key_derivation_input_key"` (opaque drivers only)
-* `"key_derivation_output_bytes"`: called by `psa_key_derivation_output_bytes()`; also by `psa_key_derivation_output_key()` for transparent drivers.
-* `"key_derivation_output_key"`: called by `psa_key_derivation_output_key()` for transparent drivers when deriving an asymmetric key pair, and also for opaque drivers.
-* `"key_derivation_verify_bytes"` (opaque drivers only).
-* `"key_derivation_verify_key"` (opaque drivers only).
-* `"key_derivation_abort"`: called by all key derivation functions of the PSA Cryptography API.
+* There are multiple inputs and outputs.
+* Multiple drivers can be involved. This happens when an operation combines a key agreement and a subsequent symmetric key derivation, each of which can have independent drivers. This also happens when deriving an asymmetric key, where processing the secret input and generating the key output might involve different drivers.
+* When multiple drivers are involved, they are not always independent: if the secret input is managed by an opaque driver, it might not allow the core to retrieve the intermediate output and pass it to another driver.
+* The involvement of an opaque driver cannot be determined as soon as the operation is set up (since `psa_key_derivation_setup()` does not determine the key input).
-TODO: key input and output for opaque drivers; deterministic key generation for transparent drivers
+#### Key derivation driver dispatch logic
-TODO
+The core decides whether to dispatch a key derivation operation to a driver based on the location associated with the input step `PSA_KEY_DERIVATION_INPUT_SECRET`.
+
+1. If this step is passed via `psa_key_derivation_input_key()` for a key in a secure element:
+ * If the driver for this secure element implements the `"key_derivation"` family for the specified algorithm, the core calls that driver's `"key_derivation_setup"` and subsequent entry points.
+ Note that for all currently specified algorithms, the key type for the secret input does not matter.
+ * Otherwise the core calls the secure element driver's [`"export_key"`](#key-management-with-opaque-drivers) entry point.
+2. Otherwise ([or on fallback?](#fallback-for-key-derivation-in-opaque-drivers)), if there is a transparent driver for the specified algorithm, the core calls that driver's `"key_derivation_setup"` and subsequent entry points.
+3. Otherwise, or on fallback, the core uses its built-in implementation.
+
+#### Summary of entry points for the operation family `"key_derivation"`
+
+A key derivation driver has the following entry points:
+
+* `"key_derivation_setup"` (mandatory): always the first entry point to be called. This entry point provides the [initial inputs](#key-derivation-driver-initial-inputs). See [“Key derivation driver setup”](#key-derivation-driver-setup).
+* `"key_derivation_input_step"` (mandatory if the driver supports a key derivation algorithm with long inputs, otherwise ignored): provide an extra input for the key derivation. This entry point is only mandatory in drivers that support algorithms that have extra inputs. See [“Key derivation driver long inputs”](#key-derivation-driver-long-inputs).
+* `"key_derivation_output_bytes"` (mandatory): derive cryptographic material and output it. See [“Key derivation driver outputs”](#key-derivation-driver-outputs).
+* `"key_derivation_output_key"`, `"key_derivation_verify_bytes"`, `"key_derivation_verify_key"` (optional, opaque drivers only): derive key material which remains inside the same secure element. See [“Key derivation driver outputs”](#key-derivation-driver-outputs).
+* `"key_derivation_set_capacity"` (mandatory for opaque drivers that implement `"key_derivation_output_key"` for “cooked”, i.e. non-raw-data key types; ignored for other opaque drivers; not permitted for transparent drivers): update the capacity policy on the operation. See [“Key derivation driver operation capacity”](#key-derivation-driver-operation-capacity).
+* `"key_derivation_abort"` (mandatory): always the last entry point to be called.
+
+For naming purposes, here and in the following subsection, this specification takes the example of a driver with the prefix `"acme"` that implements the `"key_derivation"` entry point family with a capability that does not use the `"names"` property to declare different type and entry point names. Such a driver must implement the following type and functions, as well as the entry points listed above and described in the following subsections:
+```
+typedef ... acme_key_derivation_operation_t;
+psa_status_t acme_key_derivation_abort(acme_key_derivation_operation_t *operation);
+```
+
+#### Key derivation driver initial inputs
+
+The core conveys the initial inputs for a key derivation via an opaque data structure of type `psa_crypto_driver_key_derivation_inputs_t`.
+
+```
+typedef ... psa_crypto_driver_key_derivation_inputs_t; // implementation-specific type
+```
+
+A driver receiving an argument that points to a `psa_crypto_driver_key_derivation_inputs_t` can retrieve its contents by calling one of the type-specific functions below. To determine the correct function, the driver can call `psa_crypto_driver_key_derivation_get_input_type()`.
+
+```
+enum psa_crypto_driver_key_derivation_input_type_t {
+ PSA_KEY_DERIVATION_INPUT_TYPE_INVALID = 0,
+ PSA_KEY_DERIVATION_INPUT_TYPE_OMITTED,
+ PSA_KEY_DERIVATION_INPUT_TYPE_BYTES,
+ PSA_KEY_DERIVATION_INPUT_TYPE_KEY,
+ PSA_KEY_DERIVATION_INPUT_TYPE_INTEGER,
+ // Implementations may add other values, and may freely choose the
+ // numerical values for each identifer except as explicitly specified
+ // above.
+};
+psa_crypto_driver_key_derivation_input_type_t psa_crypto_driver_key_derivation_get_input_type(
+ const psa_crypto_driver_key_derivation_inputs_t *inputs,
+ psa_key_derivation_step_t step);
+```
+
+The function `psa_crypto_driver_key_derivation_get_input_type()` determines whether a given step is present and how to access its value:
+
+* `PSA_KEY_DERIVATION_INPUT_TYPE_INVALID`: the step is invalid for the algorithm of the operation that the inputs are for.
+* `PSA_KEY_DERIVATION_INPUT_TYPE_OMITTED`: the step is optional for the algorithm of the operation that the inputs are for, and has been omitted.
+* `PSA_KEY_DERIVATION_INPUT_TYPE_BYTES`: the step is valid and present and is a transparent byte string. Call `psa_crypto_driver_key_derivation_get_input_size()` to obtain the size of the input data. Call `psa_crypto_driver_key_derivation_get_input_bytes()` to make a copy of the input data (design note: [why a copy?](#key-derivation-inputs-and-buffer-ownership)).
+* `PSA_KEY_DERIVATION_INPUT_TYPE_KEY`: the step is valid and present and is a byte string passed via a key object. Call `psa_crypto_driver_key_derivation_get_input_key()` to obtain a pointer to the key context.
+* `PSA_KEY_DERIVATION_INPUT_TYPE_INTEGER`: the step is valid and present and is an integer. Call `psa_crypto_driver_key_derivation_get_input_integer()` to retrieve the integer value.
+
+```
+psa_status_t psa_crypto_driver_key_derivation_get_input_size(
+ const psa_crypto_driver_key_derivation_inputs_t *inputs,
+ psa_key_derivation_step_t step,
+ size_t *size);
+psa_status_t psa_crypto_driver_key_derivation_get_input_bytes(
+ const psa_crypto_driver_key_derivation_inputs_t *inputs,
+ psa_key_derivation_step_t step,
+ uint8_t *buffer, size_t buffer_size, size_t *buffer_length);
+psa_status_t psa_crypto_driver_key_derivation_get_input_key(
+ const psa_crypto_driver_key_derivation_inputs_t *inputs,
+ psa_key_derivation_step_t step,
+ const psa_key_attributes_t *attributes,
+ uint8_t** p_key_buffer, size_t *key_buffer_size);
+psa_status_t psa_crypto_driver_key_derivation_get_input_integer(
+ const psa_crypto_driver_key_derivation_inputs_t *inputs,
+ psa_key_derivation_step_t step,
+ uint64_t *value);
+```
+
+The get-data functions take the following parameters:
+
+* The first parameter `inputs` must be a pointer passed by the core to a key derivation driver setup entry point which has not returned yet.
+* The `step` parameter indicates the input step whose content the driver wants to retrieve.
+* On a successful invocation of `psa_crypto_driver_key_derivation_get_input_size`, the core sets `*size` to the size of the specified input in bytes.
+* On a successful invocation of `psa_crypto_driver_key_derivation_get_input_bytes`, the core fills the first *N* bytes of `buffer` with the specified input and sets `*buffer_length` to *N*, where *N* is the length of the input in bytes. The value of `buffer_size` must be at least *N*, otherwise this function fails with the status `PSA_ERROR_BUFFER_TOO_SMALL`.
+* On a successful invocation of `psa_crypto_driver_key_derivation_get_input_key`, the core sets `*key_buffer` to a pointer to a buffer containing the key context and `*key_buffer_size` to the size of the key context in bytes. The key context buffer remains valid for the duration of the driver entry point. If the driver needs to access the key context after the current entry point returns, it must make a copy of the key context.
+* On a successful invocation of `psa_crypto_driver_key_derivation_get_input_integer`, the core sets `*value` to the value of the specified input.
+
+These functions can return the following statuses:
+
+* `PSA_SUCCESS`: the call succeeded and the requested value has been copied to the output parameter (`size`, `buffer`, `value` or `p_key_buffer`) and if applicable the size of the value has been written to the applicable parameter (`buffer_length`, `key_buffer_size`).
+* `PSA_ERROR_DOES_NOT_EXIST`: the input step is valid for this particular algorithm, but it is not part of the initial inputs. This is not a fatal error. The driver will receive the input later as a [long input](#key-derivation-driver-long-inputs).
+* `PSA_ERROR_INVALID_ARGUMENT`: the input type is not compatible with this function or was omitted. Call `psa_crypto_driver_key_derivation_get_input_type()` to find out the actual type of this input step. This is not a fatal error and the driver can, for example, subsequently call the appropriate function on the same step.
+* `PSA_ERROR_BUFFER_TOO_SMALL` (`psa_crypto_driver_key_derivation_get_input_bytes` only): the output buffer is too small. This is not a fatal error and the driver can, for example, subsequently call the same function again with a larger buffer. Call `psa_crypto_driver_key_derivation_get_input_size` to obtain the required size.
+* The core may return other errors such as `PSA_ERROR_CORRUPTION_DETECTED` or `PSA_ERROR_COMMUNICATION_FAILURE` to convey implementation-specific error conditions. Portable drivers should treat such conditions as fatal errors.
+
+#### Key derivation driver setup
+
+A key derivation driver must implement the following entry point:
+```
+psa_status_t acme_key_derivation_setup(
+ acme_key_derivation_operation_t *operation,
+ psa_algorithm_t alg,
+ const psa_crypto_driver_key_derivation_inputs_t *inputs);
+```
+
+* `operation` is a zero-initialized operation object.
+* `alg` is the algorithm for the key derivation operation. It does not include a key agreement component.
+* `inputs` is an opaque pointer to the [initial inputs](#key-derivation-driver-initial-inputs) for the key derivation.
+
+#### Key derivation driver long inputs
+
+Some key derivation algorithms take long inputs which it would not be practical to pass in the [initial inputs](#key-derivation-driver-initial-inputs). A driver that implements a key derivation algorithm that takes such inputs must provide a `"key_derivation_input_step"` entry point. The core calls this entry point for all the long inputs after calling `"acme_key_derivation_setup"`. A long input step may be fragmented into multiple calls of `psa_key_derivation_input_bytes()`, and the core may reassemble or refragment those fragments before passing them to the driver. Calls to this entry point for different step values occur in an unspecified order and may be interspersed.
+
+```
+psa_status_t acme_key_derivation_input_step(
+ acme_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *input, size_t input_length);
+```
+
+At the time of writing, no standard key derivation algorithm has long inputs. It is likely that such algorithms will be added in the future.
+
+#### Key derivation driver operation capacity
+
+The core keeps track of an operation's capacity and enforces it. The core guarantees that it will not request output beyond the capacity of the operation, with one exception: opaque drivers that support [`"key_derivation_output_key"`](#key-derivation-driver-outputs), i.e. for key types where the derived key material is not a direct copy of the key derivation's output stream.
+
+Such drivers must enforce the capacity limitation and must return `PSA_ERROR_INSUFFICIENT_CAPACITY` from any output request that exceeds the operation's capacity. Such drivers must provide the following entry point:
+```
+psa_status_t acme_key_derivation_set_capacity(
+ acme_key_derivation_operation_t *operation,
+ size_t capacity);
+```
+`capacity` is guaranteed to be less or equal to any value previously set through this entry point, and is guaranteed not to be `PSA_KEY_DERIVATION_UNLIMITED_CAPACITY`.
+
+If this entry point has not been called, the operation has an unlimited capacity.
+
+#### Key derivation driver outputs
+
+A key derivation driver must provide the following entry point:
+```
+psa_status_t acme_key_derivation_output_bytes(
+ acme_key_derivation_operation_t *operation,
+ uint8_t *output, size_t length);
+```
+
+An opaque key derivation driver may provide the following entry points:
+```
+psa_status_t acme_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ acme_key_derivation_operation_t *operation,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+psa_status_t acme_key_derivation_verify_bytes(
+ acme_key_derivation_operation_t *operation,
+ const uint8_t *expected output, size_t length);
+psa_status_t acme_key_derivation_verify_key(
+ acme_key_derivation_operation_t *operation,
+ uint8_t *key_buffer, size_t key_buffer_size);
+```
+
+The core calls a key derivation driver's output entry point when the application calls `psa_key_derivation_output_bytes()`, `psa_key_derivation_output_key()`, `psa_key_derivation_verify_bytes()` or `psa_key_derivation_verify_key()`.
+
+If the key derivation's `PSA_KEY_DERIVATION_INPUT_SECRET` input is in a secure element and the derivation operation is handled by that secure element, the core performs the following steps:
+
+* For a call to `psa_key_derivation_output_key()`:
+
+ 1. If the derived key is in the same secure element, if the driver has an `"key_derivation_output_key"` entry point, call that entry point. If the driver has no such entry point, or if that entry point returns `PSA_ERROR_NOT_SUPPORTED`, continue with the following steps, otherwise stop.
+ 1. If the driver's capabilities indicate that its `"import_key"` entry point does not support the derived key, stop and return `PSA_ERROR_NOT_SUPPORTED`.
+ 1. Otherwise proceed as for `psa_key_derivation_output_bytes()`, then import the resulting key material.
+
+* For a call to `psa_key_derivation_verify_key()`:
+ 1. If the driver has a `"key_derivation_verify_key"` entry point, call it and stop.
+ 1. Call the driver's `"export_key"` entry point on the key object that contains the expected value, then proceed as for `psa_key_derivation_verify_bytes()`.
+
+* For a call to `psa_key_derivation_verify_bytes()`:
+ 1. If the driver has a `"key_derivation_verify_bytes"` entry point, call that entry point on the expected output, then stop.
+ 1. Otherwise, proceed as for `psa_key_derivation_output_bytes()`, and compare the resulting output to the expected output inside the core.
+
+* For a call to `psa_key_derivation_output_bytes()`:
+ 1. Call the `"key_derivation_output_bytes"` entry point. The core may call this entry point multiple times to implement a single call from the application when deriving a cooked (non-raw) key as described below, or if the output size exceeds some implementation limit.
+
+If the key derivation operation is not handled by an opaque driver as described above, the core calls the `"key_derivation_output_bytes"` from the applicable transparent driver (or multiple drivers in succession if fallback applies). In some cases, the core then calls additional entry points in the same or another driver:
+
+* For a call to `psa_key_derivation_output_key()` for some key types, the core calls a transparent driver's `"derive_key"` entry point. See [“Transparent cooked key derivation”](#transparent-cooked-key-derivation).
+* For a call to `psa_key_derivation_output_key()` where the derived key is in a secure element, call that secure element driver's `"import_key"` entry point.
+
+#### Transparent cooked key derivation
+
+Key derivation is said to be *raw* for some key types, where the key material of a derived (8×*n*)-bit key consists of the next *n* bytes of output from the key derivation, and *cooked* otherwise. When deriving a raw key, the core only calls the driver's `"output_bytes"` entry point, except when deriving a key entirely inside a secure element as described in [“Key derivation driver outputs”](#key-derivation-driver-outputs). When deriving a cooked key, the core calls a transparent driver's `"derive_key"` entry point if available.
+
+A capability for cooked key derivation contains the following properties (this is not a subset of [the usual entry point properties](#capability-syntax)):
+
+* `"entry_points"` (mandatory, list of strings). Must be `["derive_key"]`.
+* `"derived_types"` (mandatory, list of strings). Each element is a [key type specification](#key-type-specifications). This capability only applies when deriving a key of the specified type.
+* `"derived_sizes"` (optional, list of integers). Each element is a size for the derived key, in bits. This capability only applies when deriving a key of the specified sizes. If absent, this capability applies to all sizes for the specified types.
+* `"memory"` (optional, boolean). If present and true, the driver must define a type `"derive_key_memory_t"` and the core will allocate an object of that type as specified below.
+* `"names"` (optional, object). A mapping from entry point names to C function and type names, as usual.
+* `"fallback"` (optional, boolean). If present and true, the driver may return `PSA_ERROR_NOT_SUPPORTED` if it only partially supports the specified mechanism, as usual.
+
+A transparent driver with the prefix `"acme"` that implements cooked key derivation must provide the following type and function:
+
+```
+typedef ... acme_derive_key_memory_t; // only if the "memory" property is true
+psa_status_t acme_derive_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *input, size_t input_length,
+ acme_derive_key_memory_t *memory, // if the "memory" property is false: void*
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+```
+
+* `attributes` contains the attributes of the specified key. Note that only the key type and the bit-size are guaranteed to be set.
+* `input` is a buffer of `input_length` bytes which contains the raw key stream, i.e. the data that `psa_key_derivation_output_bytes()` would return.
+* If `"memory"` property in the driver capability is true, `memory` is a data structure that the driver may use to store data between successive calls of the `"derive_key"` entry point to derive the same key. If the `"memory"` property is false or absent, the `memory` parameter is a null pointer.
+* `key_buffer` is a buffer for the output material, in the appropriate [export format](#key-format-for-transparent-drivers) for the key type. Its size is `key_buffer_size` bytes.
+* On success, `*key_buffer_length` must contain the number of bytes written to `key_buffer`.
+
+This entry point may return the following statuses:
+
+* `PSA_SUCCESS`: a key was derived successfully. The driver has placed the representation of the key in `key_buffer`.
+* `PSA_ERROR_NOT_SUPPORTED` (for the first call only) (only if fallback is enabled): the driver cannot fulfill this request, but a fallback driver might.
+* `PSA_ERROR_INSUFFICIENT_DATA`: the core must call the `"derive_key"` entry point again with the same `memory` object and with subsequent data from the key stream.
+* Any other error is a fatal error.
+
+The core calls the `"derive_key"` entry point in a loop until it returns a status other than `PSA_ERROR_INSUFFICIENT_DATA`. Each call has a successive fragment of the key stream. The `memory` object is guaranteed to be the same for successive calls, but note that its address may change between calls. Before the first call, `*memory` is initialized to all-bits-zero.
+
+For standard key types, the `"derive_key"` entry point is called with a certain input length as follows:
+
+* `PSA_KEY_TYPE_DES`: the length of the key.
+* `PSA_KEY_TYPE_ECC_KEY_PAIR(…)`, `PSA_KEY_TYPE_DH_KEY_PAIR(…)`: $m$ bytes, where the bit-size of the key $n$ satisfies $8 (m-1) < n \le 8 m$.
+* `PSA_KEY_TYPE_RSA_KEY_PAIR`: an implementation-defined length. A future version of this specification may specify a length.
+* Other key types: not applicable.
+
+See [“Open questions around cooked key derivation”](#open-questions-around-cooked-key-derivation) for some points that may not be fully settled.
+
+#### Key agreement
+
+The core always decouples key agreement from symmetric key derivation.
+
+To implement a call to `psa_key_derivation_key_agreement()` where the private key is in a secure element that has a `"key_agreement_to_key"` entry point which is applicable for the given key type and algorithm, the core calls the secure element driver as follows:
+
+1. Call the `"key_agreement_to_key"` entry point to create a key object containing the shared secret. The key object is volatile and has the type `PSA_KEY_TYPE_DERIVE`.
+2. Call the `"key_derivation_setup"` entry point, passing the resulting key object .
+3. Perform the rest of the key derivation, up to and including the call to the `"key_derivation_abort"` entry point.
+4. Call the `"destroy_key"` entry point to destroy the key containing the key object.
+
+In other cases, the core treats `psa_key_derivation_key_agreement()` as if it was a call to `psa_raw_key_agreement()` followed by a call to `psa_key_derivation_input_bytes()` on the shared secret.
+
+The entry points related to key agreement have the following prototypes for a driver with the prefix `"acme"`:
+```
+psa_status_t acme_key_agreement(psa_algorithm_t alg,
+ const psa_key_attributes_t *our_attributes,
+ const uint8_t *our_key_buffer,
+ size_t our_key_buffer_length,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+psa_status_t acme_key_agreement_to_key(psa_algorithm_t alg,
+ const psa_key_attributes_t *our_attributes,
+ const uint8_t *our_key_buffer,
+ size_t our_key_buffer_length,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const psa_key_attributes_t *shared_secret_attributes,
+ uint8_t *shared_secret_key_buffer,
+ size_t shared_secret_key_buffer_size,
+ size_t *shared_secret_key_buffer_length);
+```
+
+Note that unlike most other key creation entry points, in `"acme_key_agreement_to_key"`, the attributes for the shared secret are not placed near the beginning, but rather grouped with the other parameters related to the shared secret at the end of the parameter list. This is to avoid potential confusion with the attributes of the private key that is passed as an input.
### Driver entry points for PAKE
@@ -506,8 +770,9 @@ psa_status_t acme_generate_key(const psa_key_attributes_t *attributes,
size_t key_buffer_size,
size_t *key_buffer_length);
```
+Additionally, opaque drivers can create keys through their [`"key_derivation_output_key"`](#key-derivation-driver-outputs) and [`"key_agreement_key"`](#key-agreement) entry points. Transparent drivers can create key material through their [`"derive_key"`](#transparent-cooked-key-derivation) entry point.
-TODO: derivation, copy
+TODO: copy
* The key attributes (`attributes`) have the same semantics as in the PSA Cryptography application interface.
* For the `"import_key"` entry point, the input in the `data` buffer is either the export format or an implementation-specific format that the core documents as an acceptable input format for `psa_import_key()`.
@@ -640,7 +905,7 @@ psa_status_t acme_import_key(const psa_key_attributes_t *attributes,
This entry point has several roles:
1. Parse the key data in the input buffer `data`. The driver must support the export format for the key types that the entry point is declared for. It may support additional formats as specified in the description of [`psa_import_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key) in the PSA Cryptography API specification.
-2. Validate the key data. The necessary validation is described in the section [“Key validation with transparent drivers”](#key-validation-with-transparent-drivers) above.
+2. Validate the key data. The necessary validation is described in the section [“Key validation”](#key-validation) above.
3. [Determine the key size](#key-size-determination-on-import) and output it through `*bits`.
4. Copy the validated key data from `data` to `key_buffer`. The output must be in the canonical format documented for [`psa_export_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key) or [`psa_export_public_key()`](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_public_key), so if the input is not in this format, the entry point must convert it.
@@ -830,7 +1095,7 @@ If the key is stored in wrapped form outside the secure element, and the wrapped
Opaque drivers may provide the following key management entry points:
-* `"export_key"`: called by `psa_export_key()`, or by `psa_copy_key()` when copying a key from or to a different [location](#lifetimes-and-locations).
+* `"export_key"`: called by `psa_export_key()`, or by `psa_copy_key()` when copying a key from or to a different [location](#lifetimes-and-locations), or [as a fallback for key derivation](#key-derivation-driver-dispatch-logic).
* `"export_public_key"`: called by the core to obtain the public key of a key pair. The core may call this entry point at any time to obtain the public key, which can be for `psa_export_public_key()` but also at other times, including during a cryptographic operation that requires the public key such as a call to `psa_verify_message()` on a key pair object.
* `"import_key"`: called by `psa_import_key()`, or by `psa_copy_key()` when copying a key from another location.
* `"generate_key"`: called by `psa_generate_key()`.
@@ -1101,6 +1366,12 @@ Should drivers really have to cope with overlap?
Should the core guarantee that the output buffer size has the size indicated by the applicable buffer size macro (which may be an overestimation)?
+#### Key derivation inputs and buffer ownership
+
+Why is `psa_crypto_driver_key_derivation_get_input_bytes` a copy, rather than giving a pointer?
+
+The main reason is to avoid complex buffer ownership. A driver entry point does not own memory after the entry point return. This is generally necessary because an API function does not own memory after the entry point returns. In the case of key derivation inputs, this could be relaxed because the driver entry point is making callbacks to the core: these functions could return a pointer that is valid until the driver entry point returns, which would allow the driver to process the data immediately (e.g. hash it rather than copy it).
+
### Partial computations in drivers
#### Substitution points
@@ -1144,6 +1415,18 @@ An example use case for updating the persistent state at arbitrary times is to r
`psa_crypto_driver_get_persistent_state` does not identify the calling driver, so the driver needs to remember which driver it's calling. This may require a thread-local variable in a multithreaded core. Is this ok?
+#### Open questions around cooked key derivation
+
+`"derive_key"` is not a clear name. Can we use a better one?
+
+For the `"derive_key"` entry point, how does the core choose `input_length`? Doesn't the driver know better? Should there be a driver entry point to determine the length, or should there be a callback that allows the driver to retrieve the input? Note that for some key types, it's impossible to predict the amount of input in advance, because it depends on some complex calculation or even on random data, e.g. if doing a randomized pseudo-primality test. However, for all key types except RSA, the specification mandates how the key is derived, which practically dictates how the pseudorandom key stream is consumed. So it's probably ok.
+
+#### Fallback for key derivation in opaque drivers
+
+Should [dispatch to an opaque driver](#key-derivation-driver-dispatch-logic) allow fallback, so that if `"key_derivation_setup"` returns `PSA_ERROR_NOT_SUPPORTED` then the core exports the key from the secure element instead?
+
+Should the ["`key_derivation_output_key`"](#key-derivation-driver-outputs) capability indicate which key types the driver can derive? How should fallback work? For example, consider a secure element that implements HMAC, HKDF and ECDSA, and that can derive an HMAC key from HKDF without exporting intermediate material but can only import or randomly generate ECC keys. How does this driver convey that it can't derive an ECC key with HKDF, but it can let the core do this and import the resulting key?
+
### Randomness
#### Input to `"add_entropy"`
diff --git a/docs/redirects.yaml b/docs/redirects.yaml
new file mode 100644
index 0000000000..7ea1d95504
--- /dev/null
+++ b/docs/redirects.yaml
@@ -0,0 +1,11 @@
+# Readthedocs redirects
+# See https://docs.readthedocs.io/en/stable/user-defined-redirects.html
+#
+# Changes to this file do not take effect until they are merged into the
+# 'development' branch. This is because the API token (RTD_TOKEN) is not
+# made available in PR jobs - preventing bad actors from crafting PRs to
+# expose it.
+
+- type: exact
+ from_url: /projects/api/en/latest/$rest
+ to_url: /projects/api/en/development/
diff --git a/docs/requirements.in b/docs/requirements.in
index a523188c38..14d618c793 100644
--- a/docs/requirements.in
+++ b/docs/requirements.in
@@ -1,2 +1,3 @@
-sphinx-rtd-theme
breathe
+readthedocs-cli
+sphinx-rtd-theme
diff --git a/docs/requirements.txt b/docs/requirements.txt
index 4b9f3a6b3f..a1bfd82377 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -14,6 +14,8 @@ certifi==2022.12.7
# via requests
charset-normalizer==3.1.0
# via requests
+click==8.1.3
+ # via readthedocs-cli
docutils==0.17.1
# via
# breathe
@@ -27,14 +29,28 @@ importlib-metadata==6.0.0
# via sphinx
jinja2==3.1.2
# via sphinx
+markdown-it-py==2.2.0
+ # via rich
markupsafe==2.1.2
# via jinja2
+mdurl==0.1.2
+ # via markdown-it-py
packaging==23.0
# via sphinx
pygments==2.14.0
- # via sphinx
+ # via
+ # rich
+ # sphinx
+pyyaml==6.0
+ # via readthedocs-cli
+readthedocs-cli==4
+ # via -r requirements.in
requests==2.28.2
- # via sphinx
+ # via
+ # readthedocs-cli
+ # sphinx
+rich==13.3.5
+ # via readthedocs-cli
snowballstemmer==2.2.0
# via sphinx
sphinx==4.5.0
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index c5bbf2c44e..4053df807a 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -22,73 +22,10 @@
*/
/**
- * @mainpage mbed TLS v3.4.0 source code documentation
+ * @mainpage Mbed TLS v3.4.0 API Documentation
*
- * This documentation describes the internal structure of mbed TLS. It was
+ * This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
- * mbed TLS's source code using Doxygen. (See
- * http://www.stack.nl/~dimitri/doxygen/ for more information on Doxygen)
- *
- * mbed TLS has a simple setup: it provides the ingredients for an SSL/TLS
- * implementation. These ingredients are listed as modules in the
- * \ref mainpage_modules "Modules section". This "Modules section" introduces
- * the high-level module concepts used throughout this documentation.\n
- * Some examples of mbed TLS usage can be found in the \ref mainpage_examples
- * "Examples section".
- *
- * @section mainpage_modules Modules
- *
- * mbed TLS supports TLSv1.0 up to TLSv1.2 communication by providing the
- * following:
- * - TCP/IP communication functions: listen, connect, accept, read/write.
- * - SSL/TLS communication functions: init, handshake, read/write.
- * - X.509 functions: CRT, CRL and key handling
- * - Random number generation
- * - Hashing
- * - Encryption/decryption
- *
- * Above functions are split up neatly into logical interfaces. These can be
- * used separately to provide any of the above functions or to mix-and-match
- * into an SSL server/client solution that utilises a X.509 PKI. Examples of
- * such implementations are amply provided with the source code.
- *
- * Note that mbed TLS does not provide a control channel or (multiple) session
- * handling without additional work from the developer.
- *
- * @section mainpage_examples Examples
- *
- * Example server setup:
- *
- * \b Prerequisites:
- * - X.509 certificate and private key
- * - session handling functions
- *
- * \b Setup:
- * - Load your certificate and your private RSA key (X.509 interface)
- * - Setup the listening TCP socket (TCP/IP interface)
- * - Accept incoming client connection (TCP/IP interface)
- * - Initialise as an SSL-server (SSL/TLS interface)
- * - Set parameters, e.g. authentication, ciphers, CA-chain, key exchange
- * - Set callback functions RNG, IO, session handling
- * - Perform an SSL-handshake (SSL/TLS interface)
- * - Read/write data (SSL/TLS interface)
- * - Close and cleanup (all interfaces)
- *
- * Example client setup:
- *
- * \b Prerequisites:
- * - X.509 certificate and private key
- * - X.509 trusted CA certificates
- *
- * \b Setup:
- * - Load the trusted CA certificates (X.509 interface)
- * - Load your certificate and your private RSA key (X.509 interface)
- * - Setup a TCP/IP connection (TCP/IP interface)
- * - Initialise as an SSL-client (SSL/TLS interface)
- * - Set parameters, e.g. authentication mode, ciphers, CA-chain, session
- * - Set callback functions RNG, IO
- * - Perform an SSL-handshake (SSL/TLS interface)
- * - Verify the server certificate (SSL/TLS interface)
- * - Write/read data (SSL/TLS interface)
- * - Close and cleanup (all interfaces)
+ * Mbed TLS's source code using Doxygen. (See
+ * https://www.doxygen.nl for more information on Doxygen)
*/
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 5c2c8431b0..e7f3131740 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -594,6 +594,8 @@ int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
* \brief Perform a left-shift on an MPI: X <<= count
*
* \param X The MPI to shift. This must point to an initialized MPI.
+ * The MPI pointed by \p X may be resized to fit
+ * the resulting number.
* \param count The number of bits to shift by.
*
* \return \c 0 if successful.
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index ba5844fc63..c2c9dc9de4 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -87,6 +87,18 @@
#define MBEDTLS_MD_C
#endif
+/* PSA crypto specific configuration options
+ * - If config_psa.h reads a configuration option in preprocessor directive,
+ * this symbol should be set before its inclusion. (e.g. MBEDTLS_MD_C)
+ * - If config_psa.h writes a configuration option in conditional directive,
+ * this symbol should be consulted after its inclusion.
+ * (e.g. MBEDTLS_MD_LIGHT)
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
+ defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
+#include "mbedtls/config_psa.h"
+#endif
+
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
*/
@@ -100,8 +112,12 @@
#if defined(MBEDTLS_ECJPAKE_C) || \
defined(MBEDTLS_PEM_PARSE_C) || \
defined(MBEDTLS_ENTROPY_C) || \
+ defined(MBEDTLS_PK_C) || \
defined(MBEDTLS_PKCS12_C) || \
- defined(MBEDTLS_RSA_C)
+ defined(MBEDTLS_RSA_C) || \
+ defined(MBEDTLS_SSL_TLS_C) || \
+ defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_X509_CREATE_C)
#define MBEDTLS_MD_LIGHT
#endif
@@ -185,11 +201,6 @@
/* Make sure all configuration symbols are set before including check_config.h,
* even the ones that are calculated programmatically. */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
- defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
-#include "mbedtls/config_psa.h"
-#endif
-
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_BUILD_INFO_H */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 20d4358f9b..3a2f06e450 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -148,6 +148,13 @@ extern "C" {
#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */
#endif /* PSA_WANT_ALG_ECDSA */
+#if defined(PSA_WANT_ALG_FFDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
+#endif /* PSA_WANT_ALG_FFDH */
+
#if defined(PSA_WANT_ALG_HKDF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
@@ -261,6 +268,15 @@ extern "C" {
#define MBEDTLS_SHA512_C
#endif
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+
#if defined(PSA_WANT_ALG_TLS12_PRF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
@@ -287,6 +303,13 @@ extern "C" {
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR */
+
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
@@ -295,6 +318,13 @@ extern "C" {
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
+
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
@@ -651,6 +681,16 @@ extern "C" {
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_DHM_C)
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
+#define PSA_WANT_ALG_FFDH 1
+#define PSA_WANT_DH_FAMILY_RFC7919 1
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#endif /* MBEDTLS_DHM_C */
+
#if defined(MBEDTLS_GCM_C)
#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
#define PSA_WANT_ALG_GCM 1
@@ -877,6 +917,10 @@ extern "C" {
#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+#if defined(PSA_WANT_ALG_JPAKE)
+#define PSA_WANT_ALG_SOME_PAKE 1
+#endif
+
/* These features are always enabled. */
#define PSA_WANT_KEY_TYPE_DERIVE 1
#define PSA_WANT_KEY_TYPE_PASSWORD 1
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index a142903687..d72b7fc2be 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -112,6 +112,9 @@
#define MBEDTLS_MD_CAN_SHA512
#define MBEDTLS_MD_SOME_LEGACY
#endif
+#if defined(MBEDTLS_SHA3_C)
+#define MBEDTLS_MD_CAN_SHA3
+#endif
#if defined(MBEDTLS_RIPEMD160_C)
#define MBEDTLS_MD_CAN_RIPEMD160
#define MBEDTLS_MD_SOME_LEGACY
@@ -155,6 +158,16 @@ typedef enum {
MBEDTLS_MD_SHA3_512, /**< The SHA3-512 message digest. */
} mbedtls_md_type_t;
+/* Note: this should always be >= PSA_HASH_MAX_SIZE
+ * in all builds with both CRYPTO_C and MD_LIGHT.
+ *
+ * This is to make things easier for modules such as TLS that may define a
+ * buffer size using MD_MAX_SIZE in a part of the code that's common to PSA
+ * and legacy, then assume the buffer's size is PSA_HASH_MAX_SIZE in another
+ * part of the code based on PSA.
+ *
+ * Currently both macros have the same value, avoiding such issues.
+ */
#if defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_SHA3_C)
#define MBEDTLS_MD_MAX_SIZE 64 /* longest known is SHA512 */
#elif defined(MBEDTLS_MD_CAN_SHA384)
@@ -168,7 +181,7 @@ typedef enum {
or smaller (MD5 and earlier) */
#endif
-#if defined(MBEDTLS_SHA3_C)
+#if defined(MBEDTLS_MD_CAN_SHA3)
#define MBEDTLS_MD_MAX_BLOCK_SIZE 144 /* the longest known is SHA3-224 */
#elif defined(MBEDTLS_MD_CAN_SHA512)
#define MBEDTLS_MD_MAX_BLOCK_SIZE 128
@@ -316,6 +329,20 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
*/
unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info);
+/**
+ * \brief This function gives the message-digest size associated to
+ * message-digest type.
+ *
+ * \param md_type The message-digest type.
+ *
+ * \return The size of the message-digest output in Bytes,
+ * or 0 if the message-digest type is not known.
+ */
+static inline unsigned char mbedtls_md_get_size_from_type(mbedtls_md_type_t md_type)
+{
+ return mbedtls_md_get_size(mbedtls_md_info_from_type(md_type));
+}
+
/**
* \brief This function extracts the message-digest type from the
* message-digest information structure.
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 1cbf968a71..ec36748cef 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -63,6 +63,11 @@
#define MBEDTLS_OID_X509_EXT_FRESHEST_CRL (1 << 14)
#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16)
+/*
+ * Maximum number of OID components allowed
+ */
+#define MBEDTLS_OID_MAX_COMPONENTS 128
+
/*
* Top level OID tuples
*/
@@ -478,6 +483,25 @@ typedef struct mbedtls_oid_descriptor_t {
*/
int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
+/**
+ * \brief Translate a string containing a dotted-decimal
+ * representation of an ASN.1 OID into its encoded form
+ * (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D").
+ * On success, this function allocates oid->buf from the
+ * heap. It must be freed by the caller using mbedtls_free().
+ *
+ * \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID
+ * \param oid_str string representation of the OID to parse
+ * \param size length of the OID string, not including any null terminator
+ *
+ * \return 0 if successful
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not
+ * represent a valid OID
+ * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to
+ * allocate oid->buf
+ */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid, const char *oid_str, size_t size);
+
/**
* \brief Translate an X.509 extension OID into local values
*
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index c579661b3f..ec99c8413a 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -40,7 +40,7 @@
#include "mbedtls/ecdsa.h"
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h"
#endif
@@ -202,6 +202,27 @@ typedef struct mbedtls_pk_rsassa_pss_options {
#define MBEDTLS_PK_CAN_ECDH
#endif
+/* Internal helper to define which fields in the pk_context structure below
+ * should be used for EC keys: legacy ecp_keypair or the raw (PSA friendly)
+ * format. It should be noticed that this only affect how data is stored, not
+ * which functions are used for various operations. The overall picture looks
+ * like this:
+ * - if ECP_C is defined then use legacy functions
+ * - if USE_PSA is defined and
+ * - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
+ * format and use PSA functions
+ * - if !ECP_C then use new raw data and PSA functions directly.
+ *
+ * The main reason for the "intermediate" (USE_PSA + ECP_C) above is that as long
+ * as ECP_C is defined mbedtls_pk_ec() gives the user a read/write access to the
+ * ecp_keypair structure inside the pk_context so he/she can modify it using
+ * ECP functions which are not under PK module's control.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_ECP_C) && \
+ defined(MBEDTLS_ECP_LIGHT)
+#define MBEDTLS_PK_USE_PSA_EC_DATA
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_ECP_C */
+
/**
* \brief Types for interfacing with the debug module
*/
@@ -209,6 +230,7 @@ typedef enum {
MBEDTLS_PK_DEBUG_NONE = 0,
MBEDTLS_PK_DEBUG_MPI,
MBEDTLS_PK_DEBUG_ECP,
+ MBEDTLS_PK_DEBUG_PSA_EC,
} mbedtls_pk_debug_type;
/**
@@ -232,12 +254,59 @@ typedef struct mbedtls_pk_debug_item {
*/
typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
/**
* \brief Public key container
*/
typedef struct mbedtls_pk_context {
const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
+ /* The following field is used to store the ID of a private key in the
+ * following cases:
+ * - opaque key when MBEDTLS_PSA_CRYPTO_C is defined
+ * - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
+ * - the pk_ctx above is not not used to store the private key anymore.
+ * Actually that field not populated at all in this case because also
+ * the public key will be stored in raw format as explained below
+ * - this ID is used for all private key operations (ex: sign, check
+ * key pair, key write, etc) using PSA functions
+ *
+ * Note: this private key storing solution only affects EC keys, not the
+ * other ones. The latters still use the pk_ctx to store their own
+ * context.
+ *
+ * Note: this priv_id is guarded by MBEDTLS_PSA_CRYPTO_C and not by
+ * MBEDTLS_PK_USE_PSA_EC_DATA (as the public counterpart below) because,
+ * when working with opaque keys, it can be used also in
+ * mbedtls_pk_sign_ext for RSA keys. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ /* The following fields are meant for storing the public key in raw format
+ * which is handy for:
+ * - easily importing it into the PSA context
+ * - reducing the ECP module dependencies in the PK one.
+ *
+ * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled:
+ * - the pk_ctx above is not used anymore for storing the public key
+ * inside the ecp_keypair structure
+ * - the following fields are used for all public key operations: signature
+ * verify, key pair check and key write.
+ * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
+ * ecp_keypair structure is used for storing the public key and performing
+ * all the operations.
+ *
+ * Note: This new public key storing solution only works for EC keys, not
+ * other ones. The latters still use pk_ctx to store their own
+ * context.
+ */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ uint8_t MBEDTLS_PRIVATE(pub_raw)[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN]; /**< Raw public key */
+ size_t MBEDTLS_PRIVATE(pub_raw_len); /**< Valid bytes in "pub_raw" */
+ psa_ecc_family_t MBEDTLS_PRIVATE(ec_family); /**< EC family of pk */
+ size_t MBEDTLS_PRIVATE(ec_bits); /**< Curve's bits of pk */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
} mbedtls_pk_context;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -771,7 +840,7 @@ static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk)
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_ECP_C)
/**
* Quick access to an EC context inside a PK context.
*
@@ -794,7 +863,7 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
return NULL;
}
}
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_PK_PARSE_C)
/** \ingroup pk_module */
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index f651587193..768c756b9b 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -139,6 +139,8 @@ extern "C" {
#if defined(MBEDTLS_PLATFORM_MEMORY)
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#undef mbedtls_free
+#undef mbedtls_calloc
#define mbedtls_free MBEDTLS_PLATFORM_FREE_MACRO
#define mbedtls_calloc MBEDTLS_PLATFORM_CALLOC_MACRO
#else
@@ -160,6 +162,8 @@ int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
void (*free_func)(void *));
#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
#else /* !MBEDTLS_PLATFORM_MEMORY */
+#undef mbedtls_free
+#undef mbedtls_calloc
#define mbedtls_free free
#define mbedtls_calloc calloc
#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
@@ -184,6 +188,7 @@ extern int (*mbedtls_fprintf)(FILE *stream, const char *format, ...);
int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *stream, const char *,
...));
#else
+#undef mbedtls_fprintf
#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
#define mbedtls_fprintf MBEDTLS_PLATFORM_FPRINTF_MACRO
#else
@@ -208,6 +213,7 @@ extern int (*mbedtls_printf)(const char *format, ...);
*/
int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...));
#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#undef mbedtls_printf
#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
#define mbedtls_printf MBEDTLS_PLATFORM_PRINTF_MACRO
#else
@@ -243,6 +249,7 @@ extern int (*mbedtls_snprintf)(char *s, size_t n, const char *format, ...);
int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
const char *format, ...));
#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#undef mbedtls_snprintf
#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
#define mbedtls_snprintf MBEDTLS_PLATFORM_SNPRINTF_MACRO
#else
@@ -279,6 +286,7 @@ extern int (*mbedtls_vsnprintf)(char *s, size_t n, const char *format, va_list a
int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
const char *format, va_list arg));
#else /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#undef mbedtls_vsnprintf
#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
#define mbedtls_vsnprintf MBEDTLS_PLATFORM_VSNPRINTF_MACRO
#else
@@ -320,7 +328,9 @@ extern void (*mbedtls_setbuf)(FILE *stream, char *buf);
*/
int mbedtls_platform_set_setbuf(void (*setbuf_func)(
FILE *stream, char *buf));
-#elif defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
+#else
+#undef mbedtls_setbuf
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
/**
* \brief Macro defining the function for the library to
* call for `setbuf` functionality (changing the
@@ -334,7 +344,8 @@ int mbedtls_platform_set_setbuf(void (*setbuf_func)(
#define mbedtls_setbuf MBEDTLS_PLATFORM_SETBUF_MACRO
#else
#define mbedtls_setbuf setbuf
-#endif /* MBEDTLS_PLATFORM_SETBUF_ALT / MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
/*
* The function pointers for exit
@@ -353,6 +364,7 @@ extern void (*mbedtls_exit)(int status);
*/
int mbedtls_platform_set_exit(void (*exit_func)(int status));
#else
+#undef mbedtls_exit
#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
#define mbedtls_exit MBEDTLS_PLATFORM_EXIT_MACRO
#else
@@ -405,6 +417,8 @@ int mbedtls_platform_set_nv_seed(
int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len)
);
#else
+#undef mbedtls_nv_seed_read
+#undef mbedtls_nv_seed_write
#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
#define mbedtls_nv_seed_read MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index b750716a9e..528c0ab36e 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -29,6 +29,8 @@
#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h"
@@ -120,49 +122,6 @@ static inline psa_key_usage_t mbedtls_psa_translate_cipher_operation(
}
}
-/* Translations for hashing. */
-
-/* Note: this function should not be used from inside the library, use
- * mbedtls_hash_info_psa_from_md() from the internal hash_info.h instead.
- * It is kept only for compatibility in case applications were using it. */
-static inline psa_algorithm_t mbedtls_psa_translate_md(mbedtls_md_type_t md_alg)
-{
- switch (md_alg) {
-#if defined(MBEDTLS_MD5_C) || defined(PSA_WANT_ALG_MD5)
- case MBEDTLS_MD_MD5:
- return PSA_ALG_MD5;
-#endif
-#if defined(MBEDTLS_SHA1_C) || defined(PSA_WANT_ALG_SHA_1)
- case MBEDTLS_MD_SHA1:
- return PSA_ALG_SHA_1;
-#endif
-#if defined(MBEDTLS_SHA224_C) || defined(PSA_WANT_ALG_SHA_224)
- case MBEDTLS_MD_SHA224:
- return PSA_ALG_SHA_224;
-#endif
-#if defined(MBEDTLS_SHA256_C) || defined(PSA_WANT_ALG_SHA_256)
- case MBEDTLS_MD_SHA256:
- return PSA_ALG_SHA_256;
-#endif
-#if defined(MBEDTLS_SHA384_C) || defined(PSA_WANT_ALG_SHA_384)
- case MBEDTLS_MD_SHA384:
- return PSA_ALG_SHA_384;
-#endif
-#if defined(MBEDTLS_SHA512_C) || defined(PSA_WANT_ALG_SHA_512)
- case MBEDTLS_MD_SHA512:
- return PSA_ALG_SHA_512;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C) || defined(PSA_WANT_ALG_RIPEMD160)
- case MBEDTLS_MD_RIPEMD160:
- return PSA_ALG_RIPEMD160;
-#endif
- case MBEDTLS_MD_NONE:
- return 0;
- default:
- return 0;
- }
-}
-
/* Translations for ECC. */
static inline int mbedtls_psa_get_ecc_oid_from_id(
@@ -248,6 +207,22 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
}
break;
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (bits) {
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case 255:
+ *oid = MBEDTLS_OID_X25519;
+ *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_X25519);
+ return 0;
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case 448:
+ *oid = MBEDTLS_OID_X448;
+ *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_X448);
+ return 0;
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+ }
+ break;
}
(void) oid;
(void) oid_len;
@@ -345,11 +320,15 @@ extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
typedef struct {
- psa_status_t psa_status;
+ /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
+ int16_t psa_status;
+ /* Error codes used by Mbed TLS are in one of the ranges
+ * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
+ * code optionally added), fitting in 16 bits. */
int16_t mbedtls_error;
} mbedtls_error_pair_t;
-#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) || defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_MD_LIGHT)
extern const mbedtls_error_pair_t psa_to_md_errors[4];
#endif
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 8dfd1f364c..df6d7623ac 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -243,6 +243,17 @@ typedef mbedtls_asn1_named_data mbedtls_x509_name;
*/
typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
+/*
+ * Container for the fields of the Authority Key Identifier object
+ */
+typedef struct mbedtls_x509_authority {
+ mbedtls_x509_buf keyIdentifier;
+ mbedtls_x509_sequence authorityCertIssuer;
+ mbedtls_x509_buf authorityCertSerialNumber;
+ mbedtls_x509_buf raw;
+}
+mbedtls_x509_authority;
+
/** Container for date and time (precision in seconds). */
typedef struct mbedtls_x509_time {
int year, mon, day; /**< Date. */
@@ -293,7 +304,7 @@ mbedtls_x509_san_other_name;
typedef struct mbedtls_x509_subject_alternative_name {
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
- mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+ mbedtls_x509_san_other_name other_name;
mbedtls_x509_name directory_name;
mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
}
@@ -301,6 +312,12 @@ typedef struct mbedtls_x509_subject_alternative_name {
}
mbedtls_x509_subject_alternative_name;
+typedef struct mbedtls_x509_san_list {
+ mbedtls_x509_subject_alternative_name node;
+ struct mbedtls_x509_san_list *next;
+}
+mbedtls_x509_san_list;
+
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
/**
@@ -390,7 +407,8 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
* of the subject alternative name encoded in \p san_raw.
*
* \note Supported GeneralName types, as defined in RFC 5280:
- * "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * "rfc822Name", "dnsName", "directoryName",
+ * "uniformResourceIdentifier" and "hardware_module_name"
* of type "otherName", as defined in RFC 4108.
*
* \note This function should be called on a single raw data of
@@ -470,6 +488,9 @@ int mbedtls_x509_get_key_usage(unsigned char **p,
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index a7951833ab..078781ca8f 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -75,7 +75,9 @@ typedef struct mbedtls_x509_crt {
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier, DirectoryName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
+ mbedtls_x509_buf subject_key_id; /**< Optional X.509 v3 extension subject key identifier. */
+ mbedtls_x509_authority authority_key_id; /**< Optional X.509 v3 extension authority key identifier. */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
@@ -239,6 +241,21 @@ typedef struct mbedtls_x509write_cert {
}
mbedtls_x509write_cert;
+/**
+ * \brief Set Subject Alternative Name
+ *
+ * \param ctx Certificate context to use
+ * \param san_list List of SAN values
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note "dnsName", "uniformResourceIdentifier", "IP address",
+ * "otherName", and "DirectoryName", as defined in RFC 5280,
+ * are supported.
+ */
+int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
+ const mbedtls_x509_san_list *san_list);
+
/**
* Item in a verification chain: cert and flags for it
*/
@@ -559,6 +576,7 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
#endif /* MBEDTLS_FS_IO */
+
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the
@@ -638,8 +656,12 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
- * Subject name. DNS names and IP addresses are supported. This
- * may be \c NULL if the CN need not be verified.
+ * Subject name. DNS names and IP addresses are fully
+ * supported, while the URI subtype is partially supported:
+ * only exact matching, without any normalization procedures
+ * described in 7.4 of RFC5280, will result in a positive
+ * URI verification.
+ * This may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
* set to (uint32_t) -1.
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f3f9e13a03..80adb1910c 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -60,7 +60,7 @@ typedef struct mbedtls_x509_csr {
unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
@@ -83,12 +83,6 @@ typedef struct mbedtls_x509write_csr {
}
mbedtls_x509write_csr;
-typedef struct mbedtls_x509_san_list {
- mbedtls_x509_subject_alternative_name node;
- struct mbedtls_x509_san_list *next;
-}
-mbedtls_x509_san_list;
-
#if defined(MBEDTLS_X509_CSR_PARSE_C)
/**
* \brief Load a Certificate Signing Request (CSR) in DER format
diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h
index 1913a9b548..d54291f819 100644
--- a/include/psa/crypto_builtin_key_derivation.h
+++ b/include/psa/crypto_builtin_key_derivation.h
@@ -105,5 +105,23 @@ typedef struct psa_tls12_prf_key_derivation_s {
} psa_tls12_prf_key_derivation_t;
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+typedef enum {
+ PSA_PBKDF2_STATE_INIT, /* no input provided */
+ PSA_PBKDF2_STATE_INPUT_COST_SET, /* input cost has been set */
+ PSA_PBKDF2_STATE_SALT_SET, /* salt has been set */
+ PSA_PBKDF2_STATE_PASSWORD_SET, /* password has been set */
+ PSA_PBKDF2_STATE_OUTPUT /* output has been started */
+} psa_pbkdf2_key_derivation_state_t;
+
+typedef struct {
+ psa_pbkdf2_key_derivation_state_t MBEDTLS_PRIVATE(state);
+ uint64_t MBEDTLS_PRIVATE(input_cost);
+ uint8_t *MBEDTLS_PRIVATE(salt);
+ size_t MBEDTLS_PRIVATE(salt_length);
+ uint8_t MBEDTLS_PRIVATE(password)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+ size_t MBEDTLS_PRIVATE(password_length);
+} psa_pbkdf2_key_derivation_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
#endif /* PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H */
diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h
index 3544f96327..70fa14e872 100644
--- a/include/psa/crypto_compat.h
+++ b/include/psa/crypto_compat.h
@@ -5,7 +5,7 @@
*
* This header declares alternative names for macro and functions.
* New application code should not use these names.
- * These names may be removed in a future version of Mbed Crypto.
+ * These names may be removed in a future version of Mbed TLS.
*
* \note This file may not be included directly. Applications must
* include psa/crypto.h.
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index e68fac8b44..48e20c2a30 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -65,6 +65,7 @@
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_FFDH 1
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_JPAKE 1
#define PSA_WANT_ALG_GCM 1
@@ -74,9 +75,7 @@
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_MD5 1
#define PSA_WANT_ALG_OFB 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_PBKDF2_HMAC 1
+#define PSA_WANT_ALG_PBKDF2_HMAC 1
#define PSA_WANT_ALG_RIPEMD160 1
#define PSA_WANT_ALG_RSA_OAEP 1
#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
@@ -92,8 +91,7 @@
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+/* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_XTS 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
@@ -126,6 +124,8 @@
#define PSA_WANT_KEY_TYPE_DES 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
diff --git a/include/psa/crypto_driver_contexts_key_derivation.h b/include/psa/crypto_driver_contexts_key_derivation.h
index 39754cc010..5b4e4745d6 100644
--- a/include/psa/crypto_driver_contexts_key_derivation.h
+++ b/include/psa/crypto_driver_contexts_key_derivation.h
@@ -55,6 +55,9 @@ typedef union {
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ psa_pbkdf2_key_derivation_t MBEDTLS_PRIVATE(pbkdf2);
+#endif
} psa_driver_key_derivation_context_t;
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H */
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 232a83927e..cc70e6fe52 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -106,7 +106,7 @@ static inline psa_algorithm_t psa_get_key_enrollment_algorithm(
* indicates the slot number that contains it.
* \retval #PSA_ERROR_NOT_PERMITTED
* The caller is not permitted to query the slot number.
- * Mbed Crypto currently does not return this error.
+ * Mbed TLS currently does not return this error.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key is not located in a secure element.
*/
@@ -219,7 +219,7 @@ void mbedtls_psa_crypto_free(void);
* resource consumption related to the PSA keystore.
*
* \note The content of this structure is not part of the stable API and ABI
- * of Mbed Crypto and may change arbitrarily from version to version.
+ * of Mbed TLS and may change arbitrarily from version to version.
*/
typedef struct mbedtls_psa_stats_s {
/** Number of slots containing key material for a volatile key. */
@@ -248,7 +248,7 @@ typedef struct mbedtls_psa_stats_s {
/** \brief Get statistics about
* resource consumption related to the PSA keystore.
*
- * \note When Mbed Crypto is built as part of a service, with isolation
+ * \note When Mbed TLS is built as part of a service, with isolation
* between the application and the keystore, the service may or
* may not expose this function.
*/
@@ -956,7 +956,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(
* the official PSA Crypto API yet.
*
* \note The content of this section is not part of the stable API and ABI
- * of Mbed Crypto and may change arbitrarily from version to version.
+ * of Mbed TLS and may change arbitrarily from version to version.
* Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
* #PSA_ALG_JPAKE.
* @{
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index ee41c897f6..35a42f825a 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -83,7 +83,7 @@ static inline int mbedtls_key_owner_id_equal(mbedtls_key_owner_id_t id1,
*/
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
#define PSA_CRYPTO_SECURE 1
-#include "crypto_spe.h"
+#include "../tests/include/spe/crypto_spe.h"
#endif // MBEDTLS_PSA_CRYPTO_SPM
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
index 9ae631ffec..f39e2294cd 100644
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@@ -138,7 +138,7 @@ typedef psa_status_t (*psa_drv_se_init_t)(psa_drv_se_context_t *drv_context,
psa_key_location_t location);
#if defined(__DOXYGEN_ONLY__) || !defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed Crypto with secure element support enabled defines this type in
+/* Mbed TLS with secure element support enabled defines this type in
* crypto_types.h because it is also visible to applications through an
* implementation-specific extension.
* For the PSA Cryptography specification, this type is only visible
@@ -837,7 +837,7 @@ typedef enum {
* and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
* is no key with the specified slot number.
*
- * This is an Mbed Crypto extension.
+ * This is an Mbed TLS extension.
*/
PSA_KEY_CREATION_REGISTER,
#endif
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 37f72054f7..8cc965b09f 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -51,6 +51,8 @@
#define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
#define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
+#define PSA_MAX_OF_THREE(a, b, c) ((a) <= (b) ? (b) <= (c) ? \
+ (c) : (b) : (a) <= (c) ? (c) : (a))
#define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
(((length) + (block_size) - 1) / (block_size) * (block_size))
@@ -126,12 +128,23 @@
/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
* 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
* HMAC-SHA3-512. */
-#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
+/* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE,
+ * see the note on MBEDTLS_MD_MAX_SIZE for details. */
+#if defined(PSA_WANT_ALG_SHA_512)
#define PSA_HASH_MAX_SIZE 64
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
-#else
+#elif defined(PSA_WANT_ALG_SHA_384)
+#define PSA_HASH_MAX_SIZE 48
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
+#elif defined(PSA_WANT_ALG_SHA_256)
#define PSA_HASH_MAX_SIZE 32
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
+#elif defined(PSA_WANT_ALG_SHA_224)
+#define PSA_HASH_MAX_SIZE 28
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
+#else /* SHA-1 or smaller */
+#define PSA_HASH_MAX_SIZE 20
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
#endif
/** \def PSA_MAC_MAX_SIZE
@@ -195,6 +208,12 @@
* operations, and does not need to accept all key sizes up to the limit. */
#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
+/* The maximum size of an DH key on this implementation, in bits.
+ *
+ * Note that an implementation may set different size limits for different
+ * operations, and does not need to accept all key sizes up to the limit. */
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192
+
/* The maximum size of an ECC key on this implementation, in bits.
* This is a vendor-specific macro. */
#if defined(PSA_WANT_ECC_SECP_R1_521)
@@ -253,6 +272,10 @@
* curve. */
#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
+/* The maximum number of iterations for PBKDF2 on this implementation, in bits.
+ * This is a vendor-specific macro. This can be configured if necessary */
+#define PSA_VENDOR_PBKDF2_MAX_ITERATIONS 0xffffffff
+
/** The maximum size of a block cipher. */
#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
@@ -804,6 +827,18 @@
#define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) \
(PSA_BITS_TO_BYTES(key_bits))
+/* Maximum size of the export encoding of an DH key pair.
+ *
+ * An DH key pair is represented by the secret value.
+ */
+#define PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
+/* Maximum size of the export encoding of an DH public key.
+ */
+#define PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
/** Sufficient output buffer size for psa_export_key() or
* psa_export_public_key().
*
@@ -845,6 +880,7 @@
*/
#define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits) \
(PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
(key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) : \
(key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
(key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) : \
@@ -901,6 +937,7 @@
#define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits) \
(PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
0)
/** Sufficient buffer size for exporting any asymmetric key pair.
@@ -911,11 +948,10 @@
*
* See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
- (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ? \
- PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) : \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
+ PSA_MAX_OF_THREE(PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS), \
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS), \
+ PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS))
/** Sufficient buffer size for exporting any asymmetric public key.
*
@@ -926,11 +962,11 @@
*
* See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
- (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ? \
- PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) : \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
+ PSA_MAX_OF_THREE(PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS), \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS), \
+ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS))
+
/** Sufficient output buffer size for psa_raw_key_agreement().
*
@@ -955,11 +991,9 @@
* If the parameters are not valid,
* the return value is unspecified.
*/
-/* FFDH is not yet supported in PSA. */
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits) \
- (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? \
- PSA_BITS_TO_BYTES(key_bits) : \
- 0)
+ ((PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) || \
+ PSA_KEY_TYPE_IS_DH_KEY_PAIR(key_type)) ? PSA_BITS_TO_BYTES(key_bits) : 0)
/** Maximum size of the output from psa_raw_key_agreement().
*
@@ -968,8 +1002,11 @@
*
* See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) ? \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) : \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS))
/** The default IV size for a cipher algorithm, in bytes.
*
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 125a73dd0e..b309bc854c 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -35,8 +35,8 @@
* GCC and Clang initialize the whole structure to 0 (at the time of writing),
* but MSVC and CompCert don't.
*
- * In Mbed Crypto, multipart operation structures live independently from
- * the key. This allows Mbed Crypto to free the key objects when destroying
+ * In Mbed TLS, multipart operation structures live independently from
+ * the key. This allows Mbed TLS to free the key objects when destroying
* a key slot. If a multipart operation needs to remember the key after
* the setup function returns, the operation structure needs to contain a
* copy of the key.
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index a5154fcd6b..445657eb95 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -297,7 +297,7 @@ typedef uint32_t psa_key_id_t;
typedef psa_key_id_t mbedtls_svc_key_id_t;
#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-/* Implementation-specific: The Mbed Cryptography library can be built as
+/* Implementation-specific: The Mbed TLS library can be built as
* part of a multi-client service that exposes the PSA Cryptography API in each
* client and encodes the client identity in the key identifier argument of
* functions such as psa_open_key().
@@ -439,7 +439,7 @@ typedef struct psa_key_attributes_s psa_key_attributes_t;
#ifndef __DOXYGEN_ONLY__
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed Crypto defines this type in crypto_types.h because it is also
+/* Mbed TLS defines this type in crypto_types.h because it is also
* visible to applications through an implementation-specific extension.
* For the PSA Cryptography specification, this type is only visible
* via crypto_se_driver.h. */
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 39acd96c52..580e3ae80d 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2102,7 +2102,8 @@
*/
#define PSA_ALG_IS_PBKDF2_HMAC(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
-
+#define PSA_ALG_PBKDF2_HMAC_GET_HASH(pbkdf2_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((pbkdf2_alg) & PSA_ALG_HASH_MASK))
/** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
*
* PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
diff --git a/library/.gitignore b/library/.gitignore
index 18cd305eb8..b4dc918912 100644
--- a/library/.gitignore
+++ b/library/.gitignore
@@ -1,4 +1,3 @@
-*.o
libmbed*
*.sln
*.vcxproj
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index b60728c439..8e70c46358 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -42,7 +42,6 @@ set(src_crypto
entropy_poll.c
error.c
gcm.c
- hash_info.c
hkdf.c
hmac_drbg.c
lmots.c
@@ -69,6 +68,7 @@ set(src_crypto
psa_crypto_client.c
psa_crypto_driver_wrappers.c
psa_crypto_ecp.c
+ psa_crypto_ffdh.c
psa_crypto_hash.c
psa_crypto_mac.c
psa_crypto_pake.c
diff --git a/library/Makefile b/library/Makefile
index 4e02bcd248..fafcdda8f7 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -107,7 +107,6 @@ OBJS_CRYPTO= \
entropy_poll.o \
error.o \
gcm.o \
- hash_info.o \
hkdf.o \
hmac_drbg.o \
lmots.o \
@@ -134,6 +133,7 @@ OBJS_CRYPTO= \
psa_crypto_client.o \
psa_crypto_driver_wrappers.o \
psa_crypto_ecp.o \
+ psa_crypto_ffdh.o \
psa_crypto_hash.o \
psa_crypto_mac.o \
psa_crypto_pake.o \
diff --git a/library/base64.c b/library/base64.c
index 4170610642..3eb9e7cc55 100644
--- a/library/base64.c
+++ b/library/base64.c
@@ -17,6 +17,8 @@
* limitations under the License.
*/
+#include
+
#include "common.h"
#if defined(MBEDTLS_BASE64_C)
@@ -31,8 +33,6 @@
#include "mbedtls/platform.h"
#endif /* MBEDTLS_SELF_TEST */
-#define BASE64_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
-
/*
* Encode a buffer into base64 format
*/
@@ -50,8 +50,8 @@ int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
n = slen / 3 + (slen % 3 != 0);
- if (n > (BASE64_SIZE_T_MAX - 1) / 4) {
- *olen = BASE64_SIZE_T_MAX;
+ if (n > (SIZE_MAX - 1) / 4) {
+ *olen = SIZE_MAX;
return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
}
diff --git a/library/bignum.c b/library/bignum.c
index 2421c1a3ec..36effaf8da 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -54,8 +54,6 @@
#define MPI_VALIDATE(cond) \
MBEDTLS_INTERNAL_VALIDATE(cond)
-#define MPI_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
-
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_mpi_zeroize(mbedtls_mpi_uint *v, size_t n)
{
@@ -416,7 +414,7 @@ int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
slen = strlen(s);
if (radix == 16) {
- if (slen > MPI_SIZE_T_MAX >> 2) {
+ if (slen > SIZE_MAX >> 2) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
@@ -750,13 +748,9 @@ int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i, v0, t1;
- mbedtls_mpi_uint r0 = 0, r1;
+ size_t i;
MPI_VALIDATE_RET(X != NULL);
- v0 = count / (biL);
- t1 = count & (biL - 1);
-
i = mbedtls_mpi_bitlen(X) + count;
if (X->n * biL < i) {
@@ -765,31 +759,7 @@ int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
ret = 0;
- /*
- * shift by count / limb_size
- */
- if (v0 > 0) {
- for (i = X->n; i > v0; i--) {
- X->p[i - 1] = X->p[i - v0 - 1];
- }
-
- for (; i > 0; i--) {
- X->p[i - 1] = 0;
- }
- }
-
- /*
- * shift by count % limb_size
- */
- if (t1 > 0) {
- for (i = v0; i < X->n; i++) {
- r1 = X->p[i] >> (biL - t1);
- X->p[i] <<= t1;
- X->p[i] |= r0;
- r0 = r1;
- }
- }
-
+ mbedtls_mpi_core_shift_l(X->p, X->n, count);
cleanup:
return ret;
diff --git a/library/bignum_core.c b/library/bignum_core.c
index b0ffa37d3c..de57cfc04c 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -366,6 +366,41 @@ void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
}
}
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count)
+{
+ size_t i, v0, v1;
+ mbedtls_mpi_uint r0 = 0, r1;
+
+ v0 = count / (biL);
+ v1 = count & (biL - 1);
+
+ /*
+ * shift by count / limb_size
+ */
+ if (v0 > 0) {
+ for (i = limbs; i > v0; i--) {
+ X[i - 1] = X[i - v0 - 1];
+ }
+
+ for (; i > 0; i--) {
+ X[i - 1] = 0;
+ }
+ }
+
+ /*
+ * shift by count % limb_size
+ */
+ if (v1 > 0) {
+ for (i = v0; i < limbs; i++) {
+ r1 = X[i] >> (biL - v1);
+ X[i] <<= v1;
+ X[i] |= r0;
+ r0 = r1;
+ }
+ }
+}
+
mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *B,
diff --git a/library/bignum_core.h b/library/bignum_core.h
index 158d2b3222..21a5a11c6a 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -281,7 +281,7 @@ int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
unsigned char *output,
size_t output_length);
-/** \brief Shift an MPI right in place by a number of bits.
+/** \brief Shift an MPI in-place right by a number of bits.
*
* Shifting by more bits than there are bit positions
* in \p X is valid and results in setting \p X to 0.
@@ -296,6 +296,21 @@ int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
size_t count);
+/**
+ * \brief Shift an MPI in-place left by a number of bits.
+ *
+ * Shifting by more bits than there are bit positions
+ * in \p X will produce an unspecified result.
+ *
+ * This function's execution time depends on the value
+ * of \p count (and of course \p limbs).
+ * \param[in,out] X The number to shift.
+ * \param limbs The number of limbs of \p X. This must be at least 1.
+ * \param count The number of bits to shift by.
+ */
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count);
+
/**
* \brief Add two fixed-size large unsigned integers, returning the carry.
*
diff --git a/library/debug.c b/library/debug.c
index 3969616f4f..0f0292915f 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -30,6 +30,7 @@
#include
#include
+/* DEBUG_BUF_SIZE must be at least 2 */
#define DEBUG_BUF_SIZE 512
static int debug_threshold = 0;
@@ -69,6 +70,8 @@ void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
char str[DEBUG_BUF_SIZE];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_STATIC_ASSERT(DEBUG_BUF_SIZE >= 2, "DEBUG_BUF_SIZE too small");
+
if (NULL == ssl ||
NULL == ssl->conf ||
NULL == ssl->conf->f_dbg ||
@@ -80,10 +83,15 @@ void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
ret = mbedtls_vsnprintf(str, DEBUG_BUF_SIZE, format, argp);
va_end(argp);
- if (ret >= 0 && ret < DEBUG_BUF_SIZE - 1) {
- str[ret] = '\n';
- str[ret + 1] = '\0';
+ if (ret < 0) {
+ ret = 0;
+ } else {
+ if (ret >= DEBUG_BUF_SIZE - 1) {
+ ret = DEBUG_BUF_SIZE - 2;
+ }
}
+ str[ret] = '\n';
+ str[ret + 1] = '\0';
debug_send_line(ssl, level, file, line, str);
}
@@ -195,6 +203,52 @@ void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_BIGNUM_C)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+void mbedtls_debug_print_psa_ec(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_pk_context *pk)
+{
+ char str[DEBUG_BUF_SIZE];
+ mbedtls_mpi mpi;
+ const uint8_t *mpi_start;
+ size_t mpi_len;
+ int ret;
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ /* For the description of pk->pk_raw content please refer to the description
+ * psa_export_public_key() function. */
+ mpi_len = (pk->pub_raw_len - 1)/2;
+
+ /* X coordinate */
+ mbedtls_mpi_init(&mpi);
+ mpi_start = pk->pub_raw + 1;
+ ret = mbedtls_mpi_read_binary(&mpi, mpi_start, mpi_len);
+ if (ret != 0) {
+ return;
+ }
+ mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
+ mbedtls_debug_print_mpi(ssl, level, file, line, str, &mpi);
+ mbedtls_mpi_free(&mpi);
+
+ /* Y coordinate */
+ mbedtls_mpi_init(&mpi);
+ mpi_start = mpi_start + mpi_len;
+ ret = mbedtls_mpi_read_binary(&mpi, mpi_start, mpi_len);
+ if (ret != 0) {
+ return;
+ }
+ mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
+ mbedtls_debug_print_mpi(ssl, level, file, line, str, &mpi);
+ mbedtls_mpi_free(&mpi);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_mpi *X)
@@ -277,6 +331,11 @@ static void debug_print_pk(const mbedtls_ssl_context *ssl, int level,
if (items[i].type == MBEDTLS_PK_DEBUG_ECP) {
mbedtls_debug_print_ecp(ssl, level, file, line, name, items[i].value);
} else
+#endif
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (items[i].type == MBEDTLS_PK_DEBUG_PSA_EC) {
+ mbedtls_debug_print_psa_ec(ssl, level, file, line, name, items[i].value);
+ } else
#endif
{ debug_send_line(ssl, level, file, line,
"should not happen\n"); }
diff --git a/library/ecjpake.c b/library/ecjpake.c
index 7d452bcd50..19ad2c6e0f 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -30,8 +30,6 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
-#include "hash_info.h"
-
#include
#if !defined(MBEDTLS_ECJPAKE_ALT)
@@ -217,7 +215,7 @@ static int ecjpake_hash(const mbedtls_md_type_t md_type,
unsigned char *p = buf;
const unsigned char *end = buf + sizeof(buf);
const size_t id_len = strlen(id);
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
/* Write things to temporary buffer */
MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
@@ -244,7 +242,7 @@ static int ecjpake_hash(const mbedtls_md_type_t md_type,
/* Turn it into an integer mod n */
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
- mbedtls_hash_info_get_size(md_type)));
+ mbedtls_md_get_size_from_type(md_type)));
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
cleanup:
@@ -780,7 +778,7 @@ int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
size_t x_bytes;
- *olen = mbedtls_hash_info_get_size(ctx->md_type);
+ *olen = mbedtls_md_get_size_from_type(ctx->md_type);
if (len < *olen) {
return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
}
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index f0a3e6e835..57ce39a45a 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -22,9 +22,12 @@
#if defined(MBEDTLS_ECP_LIGHT)
#include "mbedtls/ecp.h"
+#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+
#include "bn_mul.h"
#include "bignum_core.h"
#include "ecp_invasive.h"
@@ -4602,26 +4605,28 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
/* Additional forward declarations */
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
static int ecp_mod_p255(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
static int ecp_mod_p448(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448(mbedtls_mpi *);
+int mbedtls_ecp_mod_p448(mbedtls_mpi_uint *, size_t);
#endif
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
static int ecp_mod_p192k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1(mbedtls_mpi *);
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
static int ecp_mod_p224k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1(mbedtls_mpi *);
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
static int ecp_mod_p256k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1(mbedtls_mpi *);
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(ECP_LOAD_GROUP)
@@ -5415,27 +5420,57 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
*/
static int ecp_mod_p255(mbedtls_mpi *N)
{
- mbedtls_mpi_uint Mp[P255_WIDTH];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = 2 * P255_WIDTH;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p255_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
- /* Helper references for top part of N */
- mbedtls_mpi_uint * const NT_p = N->p + P255_WIDTH;
- const size_t NT_n = N->n - P255_WIDTH;
- if (N->n <= P255_WIDTH) {
- return 0;
- }
- if (NT_n > P255_WIDTH) {
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_Limbs)
+{
+
+ if (X_Limbs != 2 * P255_WIDTH) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
- /* Split N as N + 2^256 M */
- memcpy(Mp, NT_p, sizeof(mbedtls_mpi_uint) * NT_n);
- memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
+ mbedtls_mpi_uint *carry = mbedtls_calloc(P255_WIDTH, ciL);
+ if (carry == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
- /* N = A0 + 38 * A1 */
- mbedtls_mpi_core_mla(N->p, P255_WIDTH + 1,
- Mp, NT_n,
- 38);
+ /* Step 1: Reduction to P255_WIDTH limbs */
+ if (X_Limbs > P255_WIDTH) {
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint * const A1 = X + P255_WIDTH;
+ const size_t A1_limbs = X_Limbs - P255_WIDTH;
+ /* X = A0 + 38 * A1, capture carry out */
+ *carry = mbedtls_mpi_core_mla(X, P255_WIDTH, A1, A1_limbs, 38);
+ /* Clear top part */
+ memset(A1, 0, sizeof(mbedtls_mpi_uint) * A1_limbs);
+ }
+
+ /* Step 2: Reduce to <2p
+ * Split as A0 + 2^255*c, with c a scalar, and compute A0 + 19*c */
+ *carry <<= 1;
+ *carry += (X[P255_WIDTH - 1] >> (biL - 1));
+ *carry *= 19;
+
+ /* Clear top bit */
+ X[P255_WIDTH - 1] <<= 1; X[P255_WIDTH - 1] >>= 1;
+ /* Since the top bit for X has been cleared 0 + 0 + Carry
+ * will not overflow.
+ *
+ * Furthermore for 2p = 2^256-38. When a carry propagation on the highest
+ * limb occurs, X > 2^255 and all the remaining bits on the limb are zero.
+ * - If X < 2^255 ==> X < 2p
+ * - If X > 2^255 ==> X < 2^256 - 2^255 < 2p */
+ (void) mbedtls_mpi_core_add(X, X, carry, P255_WIDTH);
+
+ mbedtls_free(carry);
return 0;
}
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
@@ -5453,71 +5488,108 @@ static int ecp_mod_p255(mbedtls_mpi *N)
static int ecp_mod_p448(mbedtls_mpi *N)
{
- return mbedtls_ecp_mod_p448(N);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = 2 * ((448 + biL - 1) / biL);
+
+ /* This is required as some tests and use cases do not pass in a Bignum of
+ * the correct size, and expect the growth to be done automatically, which
+ * will no longer happen. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+
+ ret = mbedtls_ecp_mod_p448(N->p, N->n);
+
+cleanup:
+ return ret;
}
/*
* Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
- * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
- * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
- * implementation of Curve448, which uses its own special 56-bit limbs rather
- * than a generic bignum library. We could squeeze some extra speed out on
- * 32-bit machines by splitting N up into 32-bit limbs and doing the
- * arithmetic using the limbs directly as we do for the NIST primes above,
- * but for 64-bit targets it should use half the number of operations if we do
- * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
+ * (B0 + B1) * 2^224. This is different to the reference implementation of
+ * Curve448, which uses its own special 56-bit limbs rather than a generic
+ * bignum library. We could squeeze some extra speed out on 32-bit machines by
+ * splitting N up into 32-bit limbs and doing the arithmetic using the limbs
+ * directly as we do for the NIST primes above, but for 64-bit targets it should
+ * use half the number of operations if we do the reduction with 224-bit limbs,
+ * since mpi_core_add will then use 64-bit adds.
*/
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448(mbedtls_mpi *N)
+int mbedtls_ecp_mod_p448(mbedtls_mpi_uint *X, size_t X_limbs)
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
- mbedtls_mpi M, Q;
- mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (N->n <= P448_WIDTH) {
+ if (X_limbs <= P448_WIDTH) {
return 0;
}
- /* M = A1 */
- M.s = 1;
- M.n = N->n - (P448_WIDTH);
- if (M.n > P448_WIDTH) {
- /* Shouldn't be called with N larger than 2^896! */
+ size_t M_limbs = X_limbs - (P448_WIDTH);
+ const size_t Q_limbs = M_limbs;
+
+ if (M_limbs > P448_WIDTH) {
+ /* Shouldn't be called with X larger than 2^896! */
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
- M.p = Mp;
- memset(Mp, 0, sizeof(Mp));
- memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
- /* N = A0 */
- for (i = P448_WIDTH; i < N->n; i++) {
- N->p[i] = 0;
+ /* Extra limb for carry below. */
+ M_limbs++;
+
+ mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
+
+ if (M == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
}
- /* N += A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+ mbedtls_mpi_uint *Q = mbedtls_calloc(Q_limbs, ciL);
- /* Q = B1, N += B1 */
- Q = M;
- Q.p = Qp;
- memcpy(Qp, Mp, sizeof(Qp));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
+ if (Q == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
- /* M = (B0 + B1) * 2^224, N += M */
+ /* M = A1 */
+ memset(M, 0, (M_limbs * ciL));
+
+ /* Do not copy into the overflow limb, as this would read past the end of
+ * X. */
+ memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
+
+ /* X = A0 */
+ for (i = P448_WIDTH; i < X_limbs; i++) {
+ X[i] = 0;
+ }
+
+ /* X += A1 - Carry here dealt with by oversize M and X. */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ /* Q = B1, X += B1 */
+ memcpy(Q, M, (Q_limbs * ciL));
+
+ mbedtls_mpi_core_shift_r(Q, Q_limbs, 224);
+
+ /* No carry here - only max 224 bits */
+ (void) mbedtls_mpi_core_add(X, X, Q, Q_limbs);
+
+ /* M = (B0 + B1) * 2^224, X += M */
if (sizeof(mbedtls_mpi_uint) > 4) {
- Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
+ M[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
}
- for (i = P224_WIDTH_MAX; i < M.n; ++i) {
- Mp[i] = 0;
+ for (i = P224_WIDTH_MAX; i < M_limbs; ++i) {
+ M[i] = 0;
}
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
- M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+
+ (void) mbedtls_mpi_core_add(M, M, Q, Q_limbs);
+
+ /* Shifted carry bit from the addition is dealt with by oversize M */
+ mbedtls_mpi_core_shift_l(M, M_limbs, 224);
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ ret = 0;
cleanup:
+ mbedtls_free(M);
+ mbedtls_free(Q);
+
return ret;
}
#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
@@ -5525,141 +5597,197 @@ cleanup:
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
/*
* Fast quasi-reduction modulo P = 2^s - R,
* with R about 33 bits, used by the Koblitz curves.
*
- * Write N as A0 + 2^224 A1, return A0 + R * A1.
- * Actually do two passes, since R is big.
+ * Write X as A0 + 2^224 A1, return A0 + R * A1.
*/
-#define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
-static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
- size_t adjust, size_t shift, mbedtls_mpi_uint mask)
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi M, R;
- mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
- if (N->n < p_limbs) {
- return 0;
+static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ mbedtls_mpi_uint *R,
+ size_t bits)
+{
+ int ret = 0;
+
+ /* Determine if A1 is aligned to limb bitsize. If not then the used limbs
+ * of P, A0 and A1 must be set accordingly and there is a middle limb
+ * which is shared by A0 and A1 and need to handle accordingly.
+ */
+ size_t shift = bits % biL;
+ size_t adjust = (shift + biL - 1) / biL;
+ size_t P_limbs = bits / biL + adjust;
+
+ mbedtls_mpi_uint *A1 = mbedtls_calloc(P_limbs, ciL);
+ if (A1 == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
}
- /* Init R */
- R.s = 1;
- R.p = Rp;
- R.n = P_KOBLITZ_R;
+ /* Create a buffer to store the value of `R * A1` */
+ size_t R_limbs = P_KOBLITZ_R;
+ size_t M_limbs = P_limbs + R_limbs;
+ mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
+ if (M == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
- /* Common setup for M */
- M.s = 1;
- M.p = Mp;
+ mbedtls_mpi_uint mask = 0;
+ if (adjust != 0) {
+ mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
+ }
- for (size_t pass = 0; pass < 2; pass++) {
- /* M = A1 */
- M.n = N->n - (p_limbs - adjust);
- if (M.n > p_limbs + adjust) {
- M.n = p_limbs + adjust;
- }
- memset(Mp, 0, sizeof(Mp));
- memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
+ /* Two passes are needed to reduce the value of `A0 + R * A1` and then
+ * we need an additional one to reduce the possible overflow during
+ * the addition.
+ */
+ for (size_t pass = 0; pass < 3; pass++) {
+ /* Copy A1 */
+ memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
+
+ /* Shift A1 to be aligned */
if (shift != 0) {
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
+ mbedtls_mpi_core_shift_r(A1, P_limbs, shift);
}
- M.n += R.n; /* Make room for multiplication by R */
- /* N = A0 */
+ /* Zeroize the A1 part of the shared limb */
if (mask != 0) {
- N->p[p_limbs - 1] &= mask;
- }
- for (size_t i = p_limbs; i < N->n; i++) {
- N->p[i] = 0;
+ X[P_limbs - 1] &= mask;
}
- /* N = A0 + R * A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+ /* X = A0
+ * Zeroize the A1 part of X to keep only the A0 part.
+ */
+ for (size_t i = P_limbs; i < X_limbs; i++) {
+ X[i] = 0;
+ }
+
+ /* X = A0 + R * A1 */
+ mbedtls_mpi_core_mul(M, A1, P_limbs, R, R_limbs);
+ (void) mbedtls_mpi_core_add(X, X, M, P_limbs + R_limbs);
+
+ /* Carry can not be generated since R is a 33-bit value and stored in
+ * 64 bits. The result value of the multiplication is at most
+ * P length + 33 bits in length and the result value of the addition
+ * is at most P length + 34 bits in length. So the result of the
+ * addition always fits in P length + 64 bits.
+ */
}
cleanup:
+ mbedtls_free(M);
+ mbedtls_free(A1);
+
return ret;
}
+
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+
/*
* Fast quasi-reduction modulo p192k1 = 2^192 - R,
- * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
*/
static int ecp_mod_p192k1(mbedtls_mpi *N)
{
- return mbedtls_ecp_mod_p192k1(N);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = 2 * ((192 + biL - 1) / biL);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
}
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N)
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
};
- return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
+ if (X_limbs != 2 * ((192 + biL - 1) / biL)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 192);
}
+
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-static int ecp_mod_p224k1(mbedtls_mpi *N)
-{
- return mbedtls_ecp_mod_p224k1(N);
-}
-
/*
* Fast quasi-reduction modulo p224k1 = 2^224 - R,
* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
*/
+static int ecp_mod_p224k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = 2 * 224 / biL;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N)
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
};
-#if defined(MBEDTLS_HAVE_INT64)
- return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
-#else
- return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
-#endif
+ if (X_limbs != 2 * 224 / biL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 224);
}
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-static int ecp_mod_p256k1(mbedtls_mpi *N)
-{
- return mbedtls_ecp_mod_p256k1(N);
-}
-
/*
* Fast quasi-reduction modulo p256k1 = 2^256 - R,
* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
*/
+static int ecp_mod_p256k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = 2 * ((256 + biL - 1) / biL);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N)
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
- MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
- 0x00)
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
};
- return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
- 0);
+
+ if (X_limbs != 2 * ((256 + biL - 1) / biL)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 256);
}
+
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
#if defined(MBEDTLS_TEST_HOOKS)
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h
index 68187acbc8..587b1737da 100644
--- a/library/ecp_invasive.h
+++ b/library/ecp_invasive.h
@@ -171,32 +171,101 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-/*
- * Fast quasi-reduction modulo p192k1 = 2^192 - R,
- * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
+/** Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 384-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (192 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
*/
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N);
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/** Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 448-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (224 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N);
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/** Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 512-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (256 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N);
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/** Fast quasi-reduction modulo p255 = 2^255 - 19
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 510-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
MBEDTLS_STATIC_TESTABLE
-int mbedtls_ecp_mod_p448(mbedtls_mpi *N);
+int mbedtls_ecp_mod_p448(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
diff --git a/library/hash_info.c b/library/hash_info.c
deleted file mode 100644
index 37e44c6bd2..0000000000
--- a/library/hash_info.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Hash information that's independent from the crypto implementation.
- *
- * (See the corresponding header file for usage notes.)
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "hash_info.h"
-#include "mbedtls/error.h"
-
-typedef struct {
- psa_algorithm_t psa_alg;
- mbedtls_md_type_t md_type;
- unsigned char size;
- unsigned char block_size;
-} hash_entry;
-
-static const hash_entry hash_table[] = {
-#if defined(MBEDTLS_MD_CAN_MD5)
- { PSA_ALG_MD5, MBEDTLS_MD_MD5, 16, 64 },
-#endif
-#if defined(MBEDTLS_MD_CAN_RIPEMD160)
- { PSA_ALG_RIPEMD160, MBEDTLS_MD_RIPEMD160, 20, 64 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA1)
- { PSA_ALG_SHA_1, MBEDTLS_MD_SHA1, 20, 64 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA224)
- { PSA_ALG_SHA_224, MBEDTLS_MD_SHA224, 28, 64 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA256)
- { PSA_ALG_SHA_256, MBEDTLS_MD_SHA256, 32, 64 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA384)
- { PSA_ALG_SHA_384, MBEDTLS_MD_SHA384, 48, 128 },
-#endif
-#if defined(MBEDTLS_MD_CAN_SHA512)
- { PSA_ALG_SHA_512, MBEDTLS_MD_SHA512, 64, 128 },
-#endif
- { PSA_ALG_NONE, MBEDTLS_MD_NONE, 0, 0 },
-};
-
-/* Get size from MD type */
-unsigned char mbedtls_hash_info_get_size(mbedtls_md_type_t md_type)
-{
- const hash_entry *entry = hash_table;
- while (entry->md_type != MBEDTLS_MD_NONE &&
- entry->md_type != md_type) {
- entry++;
- }
-
- return entry->size;
-}
-
-/* Get block size from MD type */
-unsigned char mbedtls_hash_info_get_block_size(mbedtls_md_type_t md_type)
-{
- const hash_entry *entry = hash_table;
- while (entry->md_type != MBEDTLS_MD_NONE &&
- entry->md_type != md_type) {
- entry++;
- }
-
- return entry->block_size;
-}
-
-/* Get PSA from MD */
-psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type)
-{
- const hash_entry *entry = hash_table;
- while (entry->md_type != MBEDTLS_MD_NONE &&
- entry->md_type != md_type) {
- entry++;
- }
-
- return entry->psa_alg;
-}
-
-/* Get MD from PSA */
-mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg)
-{
- const hash_entry *entry = hash_table;
- while (entry->md_type != MBEDTLS_MD_NONE &&
- entry->psa_alg != psa_alg) {
- entry++;
- }
-
- return entry->md_type;
-}
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_md_error_from_psa(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INVALID_ARGUMENT:
- return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_MD_ALLOC_FAILED;
- default:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/library/hash_info.h b/library/hash_info.h
deleted file mode 100644
index f984c82427..0000000000
--- a/library/hash_info.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/**
- * Hash information that's independent from the crypto implementation.
- *
- * This can be used by:
- * - code based on PSA
- * - code based on the legacy API
- * - code based on either of them depending on MBEDTLS_USE_PSA_CRYPTO
- * - code based on either of them depending on what's available
- *
- * Note: this internal module will go away when everything becomes based on
- * PSA Crypto; it is a helper for the transition while hash algorithms are
- * still represented using mbedtls_md_type_t in most places even when PSA is
- * used for the actual crypto computations.
- *
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef MBEDTLS_HASH_INFO_H
-#define MBEDTLS_HASH_INFO_H
-
-#include "common.h"
-
-#include "mbedtls/md.h"
-#include "psa/crypto.h"
-#include "mbedtls/platform_util.h"
-
-/** \def MBEDTLS_HASH_MAX_SIZE
- *
- * Maximum size of a hash based on configuration.
- */
-#if defined(MBEDTLS_MD_C) && ( \
- !defined(MBEDTLS_PSA_CRYPTO_C) || \
- MBEDTLS_MD_MAX_SIZE >= PSA_HASH_MAX_SIZE)
-#define MBEDTLS_HASH_MAX_SIZE MBEDTLS_MD_MAX_SIZE
-#elif defined(MBEDTLS_PSA_CRYPTO_C) && ( \
- !defined(MBEDTLS_MD_C) || \
- PSA_HASH_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE)
-#define MBEDTLS_HASH_MAX_SIZE PSA_HASH_MAX_SIZE
-#endif
-
-/** Get the output length of the given hash type from its MD type.
- *
- * \note To get the output length from the PSA alg, use \c PSA_HASH_LENGTH().
- *
- * \param md_type The hash MD type.
- *
- * \return The output length in bytes, or 0 if not known.
- */
-unsigned char mbedtls_hash_info_get_size(mbedtls_md_type_t md_type);
-
-/** Get the block size of the given hash type from its MD type.
- *
- * \note To get the output length from the PSA alg, use
- * \c PSA_HASH_BLOCK_LENGTH().
- *
- * \param md_type The hash MD type.
- *
- * \return The block size in bytes, or 0 if not known.
- */
-unsigned char mbedtls_hash_info_get_block_size(mbedtls_md_type_t md_type);
-
-/** Get the PSA alg from the MD type.
- *
- * \param md_type The hash MD type.
- *
- * \return The corresponding PSA algorithm identifier,
- * or PSA_ALG_NONE if not known.
- */
-psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type);
-
-/** Get the MD type alg from the PSA algorithm identifier.
- *
- * \param psa_alg The PSA hash algorithm.
- *
- * \return The corresponding MD type,
- * or MBEDTLS_MD_NONE if not known.
- */
-mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/** Convert PSA status to MD error code.
- *
- * \param status PSA status.
- *
- * \return The corresponding MD error code,
- */
-int MBEDTLS_DEPRECATED mbedtls_md_error_from_psa(psa_status_t status);
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_HASH_INFO_H */
diff --git a/library/md.c b/library/md.c
index 993b006d21..ee7610e8d7 100644
--- a/library/md.c
+++ b/library/md.c
@@ -51,12 +51,15 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
-#if defined(MBEDTLS_SHA3_C)
#include "mbedtls/sha3.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include
+#include "md_psa.h"
+#include "mbedtls/psa_util.h"
#endif
#if defined(MBEDTLS_MD_SOME_PSA)
-#include
#include "psa_crypto_core.h"
#endif
@@ -68,6 +71,11 @@
#include
#endif
+/* See comment above MBEDTLS_MD_MAX_SIZE in md.h */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE
+#error "Internal error: MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE"
+#endif
+
#if defined(MBEDTLS_MD_CAN_MD5)
const mbedtls_md_info_t mbedtls_md5_info = {
"MD5",
@@ -131,25 +139,28 @@ const mbedtls_md_info_t mbedtls_sha512_info = {
};
#endif
-#if defined(MBEDTLS_SHA3_C)
+#if defined(MBEDTLS_MD_CAN_SHA3)
const mbedtls_md_info_t mbedtls_sha3_224_info = {
"SHA3-224",
MBEDTLS_MD_SHA3_224,
28,
144,
};
+
const mbedtls_md_info_t mbedtls_sha3_256_info = {
"SHA3-256",
MBEDTLS_MD_SHA3_256,
32,
136,
};
+
const mbedtls_md_info_t mbedtls_sha3_384_info = {
"SHA3-384",
MBEDTLS_MD_SHA3_384,
48,
104,
};
+
const mbedtls_md_info_t mbedtls_sha3_512_info = {
"SHA3-512",
MBEDTLS_MD_SHA3_512,
@@ -250,20 +261,6 @@ static int md_can_use_psa(const mbedtls_md_info_t *info)
return psa_can_do_hash(alg);
}
-
-static int mbedtls_md_error_from_psa(psa_status_t status)
-{
- switch (status) {
- case PSA_SUCCESS:
- return 0;
- case PSA_ERROR_NOT_SUPPORTED:
- return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
- case PSA_ERROR_INSUFFICIENT_MEMORY:
- return MBEDTLS_ERR_MD_ALLOC_FAILED;
- default:
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
-}
#endif /* MBEDTLS_MD_SOME_PSA */
void mbedtls_md_init(mbedtls_md_context_t *ctx)
@@ -432,7 +429,12 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
{
- if (md_info == NULL || ctx == NULL) {
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+ if (md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
@@ -519,9 +521,11 @@ int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info
int mbedtls_md_starts(mbedtls_md_context_t *ctx)
{
+#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
+#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@@ -578,9 +582,11 @@ int mbedtls_md_starts(mbedtls_md_context_t *ctx)
int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
{
+#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
+#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@@ -632,9 +638,11 @@ int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, siz
int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
{
+#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
+#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@@ -765,6 +773,87 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
return md_info->type;
}
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
+{
+ switch (md_type) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_MD_MD5:
+ return PSA_ALG_MD5;
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ case MBEDTLS_MD_RIPEMD160:
+ return PSA_ALG_RIPEMD160;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_MD_SHA1:
+ return PSA_ALG_SHA_1;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_MD_SHA224:
+ return PSA_ALG_SHA_224;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return PSA_ALG_SHA_256;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ return PSA_ALG_SHA_384;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_MD_SHA512:
+ return PSA_ALG_SHA_512;
+#endif
+ default:
+ return PSA_ALG_NONE;
+ }
+}
+
+mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
+{
+ switch (psa_alg) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case PSA_ALG_MD5:
+ return MBEDTLS_MD_MD5;
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ return MBEDTLS_MD_RIPEMD160;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case PSA_ALG_SHA_1:
+ return MBEDTLS_MD_SHA1;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case PSA_ALG_SHA_224:
+ return MBEDTLS_MD_SHA224;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case PSA_ALG_SHA_256:
+ return MBEDTLS_MD_SHA256;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case PSA_ALG_SHA_384:
+ return MBEDTLS_MD_SHA384;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case PSA_ALG_SHA_512:
+ return MBEDTLS_MD_SHA512;
+#endif
+ default:
+ return MBEDTLS_MD_NONE;
+ }
+}
+
+int mbedtls_md_error_from_psa(psa_status_t status)
+{
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
+ psa_generic_status_to_mbedtls);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+
/************************************************************************
* Functions above this separator are part of MBEDTLS_MD_LIGHT, *
* functions below are only available when MBEDTLS_MD_C is set. *
@@ -802,7 +891,8 @@ static const int supported_digests[] = {
#if defined(MBEDTLS_MD_CAN_MD5)
MBEDTLS_MD_MD5,
#endif
-#if defined(MBEDTLS_SHA3_C)
+
+#if defined(MBEDTLS_MD_CAN_SHA3)
MBEDTLS_MD_SHA3_224,
MBEDTLS_MD_SHA3_256,
MBEDTLS_MD_SHA3_384,
diff --git a/library/md_psa.h b/library/md_psa.h
new file mode 100644
index 0000000000..6645c832e6
--- /dev/null
+++ b/library/md_psa.h
@@ -0,0 +1,60 @@
+/**
+ * Translation between MD and PSA identifiers (algorithms, errors).
+ *
+ * Note: this internal module will go away when everything becomes based on
+ * PSA Crypto; it is a helper for the transition period.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_MD_PSA_H
+#define MBEDTLS_MD_PSA_H
+
+#include "common.h"
+
+#include "mbedtls/md.h"
+#include "psa/crypto.h"
+
+/**
+ * \brief This function returns the PSA algorithm identifier
+ * associated with the given digest type.
+ *
+ * \param md_type The type of digest to search for.
+ *
+ * \return The PSA algorithm identifier associated with \p md_type.
+ * \return PSA_ALG_NONE if the algorithm is not supported.
+ */
+psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type);
+
+/**
+ * \brief This function returns the given digest type
+ * associated with the PSA algorithm identifier.
+ *
+ * \param psa_alg The PSA algorithm identifier to search for.
+ *
+ * \return The MD type associated with \p psa_alg.
+ * \return MBEDTLS_MD_NONE if the algorithm is not supported.
+ */
+mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg);
+
+/** Convert PSA status to MD error code.
+ *
+ * \param status PSA status.
+ *
+ * \return The corresponding MD error code,
+ */
+int mbedtls_md_error_from_psa(psa_status_t status);
+
+#endif /* MBEDTLS_MD_PSA_H */
diff --git a/library/mps_common.h b/library/mps_common.h
index 4a10176bd5..33b518b0a8 100644
--- a/library/mps_common.h
+++ b/library/mps_common.h
@@ -169,7 +169,7 @@
*
*/
typedef size_t mbedtls_mps_stored_size_t;
-#define MBEDTLS_MPS_STORED_SIZE_MAX ((mbedtls_mps_stored_size_t) -1)
+#define MBEDTLS_MPS_STORED_SIZE_MAX (SIZE_MAX)
/** \brief The type of buffer sizes and offsets used in the MPS API
* and implementation.
@@ -183,7 +183,7 @@ typedef size_t mbedtls_mps_stored_size_t;
* so almost 10%.
*/
typedef size_t mbedtls_mps_size_t;
-#define MBEDTLS_MPS_SIZE_MAX ((mbedtls_mps_size_t) -1)
+#define MBEDTLS_MPS_SIZE_MAX (SIZE_MAX)
#if MBEDTLS_MPS_STORED_SIZE_MAX > MBEDTLS_MPS_SIZE_MAX
#error "Misconfiguration of mbedtls_mps_size_t and mbedtls_mps_stored_size_t."
diff --git a/library/oid.c b/library/oid.c
index 8e57fe46d1..a580992e0d 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -318,6 +318,18 @@ static const oid_x509_ext_t oid_x509_ext[] =
"Certificate Policies"),
MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
},
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+ "id-ce-subjectKeyIdentifier",
+ "Subject Key Identifier"),
+ MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+ "id-ce-authorityKeyIdentifier",
+ "Authority Key Identifier"),
+ MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
+ },
{
NULL_OID_DESCRIPTOR,
0,
@@ -921,4 +933,180 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size,
return (int) (size - n);
}
+static int oid_parse_number(unsigned int *num, const char **p, const char *bound)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+
+ *num = 0;
+
+ while (*p < bound && **p >= '0' && **p <= '9') {
+ ret = 0;
+ if (*num > (UINT_MAX / 10)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ *num *= 10;
+ *num += **p - '0';
+ (*p)++;
+ }
+ return ret;
+}
+
+static size_t oid_subidentifier_num_bytes(unsigned int value)
+{
+ size_t num_bytes = 0;
+
+ do {
+ value >>= 7;
+ num_bytes++;
+ } while (value != 0);
+
+ return num_bytes;
+}
+
+static int oid_subidentifier_encode_into(unsigned char **p,
+ unsigned char *bound,
+ unsigned int value)
+{
+ size_t num_bytes = oid_subidentifier_num_bytes(value);
+
+ if ((size_t) (bound - *p) < num_bytes) {
+ return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ }
+ (*p)[num_bytes - 1] = (unsigned char) (value & 0x7f);
+ value >>= 7;
+
+ for (size_t i = 2; i <= num_bytes; i++) {
+ (*p)[num_bytes - i] = 0x80 | (unsigned char) (value & 0x7f);
+ value >>= 7;
+ }
+ *p += num_bytes;
+
+ return 0;
+}
+
+/* Return the OID for the given x.y.z.... style numeric string */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid,
+ const char *oid_str, size_t size)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ const char *str_ptr = oid_str;
+ const char *str_bound = oid_str + size;
+ unsigned int val = 0;
+ unsigned int component1, component2;
+ size_t encoded_len;
+ unsigned char *resized_mem;
+
+ /* Count the number of dots to get a worst-case allocation size. */
+ size_t num_dots = 0;
+ for (size_t i = 0; i < size; i++) {
+ if (oid_str[i] == '.') {
+ num_dots++;
+ }
+ }
+ /* Allocate maximum possible required memory:
+ * There are (num_dots + 1) integer components, but the first 2 share the
+ * same subidentifier, so we only need num_dots subidentifiers maximum. */
+ if (num_dots == 0 || (num_dots > MBEDTLS_OID_MAX_COMPONENTS - 1)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ /* Each byte can store 7 bits, calculate number of bytes for a
+ * subidentifier:
+ *
+ * bytes = ceil(subidentifer_size * 8 / 7)
+ */
+ size_t bytes_per_subidentifier = (((sizeof(unsigned int) * 8) - 1) / 7)
+ + 1;
+ size_t max_possible_bytes = num_dots * bytes_per_subidentifier;
+ oid->p = mbedtls_calloc(max_possible_bytes, 1);
+ if (oid->p == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+ unsigned char *out_ptr = oid->p;
+ unsigned char *out_bound = oid->p + max_possible_bytes;
+
+ ret = oid_parse_number(&component1, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (component1 > 2) {
+ /* First component can't be > 2 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr >= str_bound || *str_ptr != '.') {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ str_ptr++;
+
+ ret = oid_parse_number(&component2, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if ((component1 < 2) && (component2 > 39)) {
+ /* Root nodes 0 and 1 may have up to 40 children, numbered 0-39 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ if (component2 > (UINT_MAX - (component1 * 40))) {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound,
+ (component1 * 40) + component2);
+ if (ret != 0) {
+ goto error;
+ }
+
+ while (str_ptr < str_bound) {
+ ret = oid_parse_number(&val, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound, val);
+ if (ret != 0) {
+ goto error;
+ }
+ }
+
+ encoded_len = out_ptr - oid->p;
+ resized_mem = mbedtls_calloc(encoded_len, 1);
+ if (resized_mem == NULL) {
+ ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ goto error;
+ }
+ memcpy(resized_mem, oid->p, encoded_len);
+ mbedtls_free(oid->p);
+ oid->p = resized_mem;
+ oid->len = encoded_len;
+
+ oid->tag = MBEDTLS_ASN1_OID;
+
+ return 0;
+
+error:
+ mbedtls_free(oid->p);
+ oid->p = NULL;
+ oid->len = 0;
+ return ret;
+}
+
#endif /* MBEDTLS_OID_C */
diff --git a/library/pem.c b/library/pem.c
index aed4788bfe..056c98c771 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -29,7 +29,6 @@
#include "mbedtls/cipher.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
-#include "hash_info.h"
#include
diff --git a/library/pk.c b/library/pk.c
index ae1966bee3..91796dec9d 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -23,8 +23,7 @@
#include "mbedtls/pk.h"
#include "pk_wrap.h"
#include "pkwrite.h"
-
-#include "hash_info.h"
+#include "pk_internal.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -41,13 +40,7 @@
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h"
-#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
-#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_rsa_errors, \
- psa_pk_status_to_mbedtls)
-#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_ecdsa_errors, \
- psa_pk_status_to_mbedtls)
+#include "md_psa.h"
#endif
#include
@@ -60,6 +53,15 @@ void mbedtls_pk_init(mbedtls_pk_context *ctx)
{
ctx->pk_info = NULL;
ctx->pk_ctx = NULL;
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
+ ctx->pub_raw_len = 0;
+ ctx->ec_family = 0;
+ ctx->ec_bits = 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}
/*
@@ -71,10 +73,18 @@ void mbedtls_pk_free(mbedtls_pk_context *ctx)
return;
}
- if (ctx->pk_info != NULL) {
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->ctx_free_func != NULL)) {
ctx->pk_info->ctx_free_func(ctx->pk_ctx);
}
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* The ownership of the priv_id key for opaque keys is external of the PK
+ * module. It's the user responsibility to clear it after use. */
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
+ psa_destroy_key(ctx->priv_id);
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
}
@@ -140,7 +150,8 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
- if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
+ if ((info->ctx_alloc_func != NULL) &&
+ ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
return MBEDTLS_ERR_PK_ALLOC_FAILED;
}
@@ -158,7 +169,6 @@ int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
{
const mbedtls_pk_info_t *info = NULL;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t *pk_ctx;
psa_key_type_t type;
if (ctx == NULL || ctx->pk_info != NULL) {
@@ -179,19 +189,49 @@ int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
}
- if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
- return MBEDTLS_ERR_PK_ALLOC_FAILED;
- }
-
ctx->pk_info = info;
-
- pk_ctx = (mbedtls_svc_key_id_t *) ctx->pk_ctx;
- *pk_ctx = key;
+ ctx->priv_id = key;
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+int mbedtls_pk_update_public_key_from_keypair(mbedtls_pk_context *pk,
+ mbedtls_ecp_keypair *ecp_keypair)
+{
+ int ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+
+ if (pk == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ /* The raw public key storing mechanism is only supported for EC keys so
+ * we fail silently for other ones. */
+ if ((pk->pk_info->type != MBEDTLS_PK_ECKEY) &&
+ (pk->pk_info->type != MBEDTLS_PK_ECKEY_DH) &&
+ (pk->pk_info->type != MBEDTLS_PK_ECDSA)) {
+ return 0;
+ }
+
+ ret = mbedtls_ecp_point_write_binary(&ecp_keypair->grp, &ecp_keypair->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pk->pub_raw_len,
+ pk->pub_raw,
+ MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN);
+ if (ret != 0) {
+ return ret;
+ }
+
+ pk->ec_family = mbedtls_ecc_group_to_psa(ecp_keypair->grp.id,
+ &pk->ec_bits);
+ if (pk->ec_family == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/*
* Initialize an RSA-alt context
@@ -315,12 +355,11 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
return (key_usage & usage) == usage;
}
- const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t key_alg, key_alg2;
psa_status_t status;
- status = psa_get_key_attributes(*key, &attributes);
+ status = psa_get_key_attributes(ctx->priv_id, &attributes);
if (status != PSA_SUCCESS) {
return 0;
}
@@ -378,7 +417,7 @@ static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
return 0;
}
- *hash_len = mbedtls_hash_info_get_size(md_alg);
+ *hash_len = mbedtls_md_get_size_from_type(md_alg);
if (*hash_len == 0) {
return -1;
@@ -527,7 +566,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
psa_status_t status = PSA_ERROR_DATA_CORRUPT;
psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
- psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
@@ -695,16 +734,15 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
}
#if defined(MBEDTLS_RSA_C)
- psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (psa_md_alg == 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
- const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
psa_status_t status;
- status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg),
+ status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg),
hash, hash_len,
sig, sig_size, sig_len);
return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
@@ -786,7 +824,8 @@ int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
return MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
} else {
- if (pub->pk_info != prv->pk_info) {
+ if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
+ (pub->pk_info != prv->pk_info)) {
return MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
}
@@ -873,24 +912,35 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
#else /* !MBEDTLS_ECP_LIGHT && !MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ec;
- unsigned char d[MBEDTLS_ECP_MAX_BYTES];
size_t d_len;
psa_ecc_family_t curve_id;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
size_t bits;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status;
/* export the private key material in the format PSA wants */
- ec = mbedtls_pk_ec(*pk);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ unsigned char d[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
+ status = psa_export_key(pk->priv_id, d, sizeof(d), &d_len);
+ if (status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(status);
+ }
+
+ curve_id = pk->ec_family;
+ bits = pk->ec_bits;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ unsigned char d[MBEDTLS_ECP_MAX_BYTES];
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
d_len = PSA_BITS_TO_BYTES(ec->grp.nbits);
if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) {
return ret;
}
curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
/* prepare the key attributes */
diff --git a/library/pk_internal.h b/library/pk_internal.h
new file mode 100644
index 0000000000..388f94ac80
--- /dev/null
+++ b/library/pk_internal.h
@@ -0,0 +1,135 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: internal (i.e. library only) functions
+ * and definitions.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_PK_INTERNAL_H
+#define MBEDTLS_PK_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_ECP_LIGHT)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include "mbedtls/psa_util.h"
+#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
+#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_rsa_errors, \
+ psa_pk_status_to_mbedtls)
+#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_ecdsa_errors, \
+ psa_pk_status_to_mbedtls)
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+/**
+ * Public function mbedtls_pk_ec() can be used to get direct access to the
+ * wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
+ * ideal because it bypasses the PK module on the control of its internal
+ * structure (pk_context) fields.
+ * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but
+ * we provide 2 very similar functions when only ECP_LIGHT is enabled and not
+ * ECP_C.
+ * These variants embed the "ro" or "rw" keywords in their name to make the
+ * usage of the returned pointer explicit. Of course the returned value is
+ * const or non-const accordingly.
+ */
+static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+
+static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+ psa_ecc_family_t curve;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return MBEDTLS_ECP_DP_NONE;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
+ id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&opaque_attrs), 0);
+ psa_reset_key_attributes(&opaque_attrs);
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ id = mbedtls_pk_ec_ro(*pk)->grp.id;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+
+ return id;
+}
+
+/* Helper for Montgomery curves */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_PK_HAVE_RFC8410_CURVES
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED || MBEDTLS_ECP_DP_CURVE448_ENABLED */
+#endif /* MBEDTLS_ECP_LIGHT */
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/**
+ * \brief Copy the public key content in raw format from "ctx->pk_ctx"
+ * (which is an ecp_keypair) into the internal "ctx->pub_raw" buffer.
+ *
+ * \note This is a temporary function that can be removed as soon as the pk
+ * module is free from ECP_C
+ *
+ * \param pk It is the pk_context which is going to be updated. It acts both
+ * as input and output.
+ */
+int mbedtls_pk_update_public_key_from_keypair(mbedtls_pk_context *pk,
+ mbedtls_ecp_keypair *ecp_keypair);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#endif /* MBEDTLS_PK_INTERNAL_H */
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 6c9f97bfe0..a4c2a3bfe0 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -23,7 +23,9 @@
#if defined(MBEDTLS_PK_C)
#include "pk_wrap.h"
+#include "pk_internal.h"
#include "mbedtls/error.h"
+#include "md_psa.h"
/* Even if RSA not activated, for the sake of RSA-alt */
#include "mbedtls/rsa.h"
@@ -42,18 +44,10 @@
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h"
-#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
-#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_rsa_errors, \
- psa_pk_status_to_mbedtls)
-#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
- psa_to_pk_ecdsa_errors, \
- psa_pk_status_to_mbedtls)
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
-#include "hash_info.h"
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
#include "mbedtls/asn1write.h"
@@ -211,7 +205,7 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
int key_len;
unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
psa_algorithm_t psa_alg_md =
- PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg));
+ PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
size_t rsa_len = mbedtls_rsa_get_len(rsa);
if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
@@ -363,7 +357,7 @@ static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
((void) p_rng);
psa_algorithm_t psa_md_alg;
- psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (psa_md_alg == 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
@@ -653,8 +647,12 @@ static int eckey_can_do(mbedtls_pk_type_t type)
static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ return pk->ec_bits;
+#else
mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
return ecp->grp.pbits;
+#endif
}
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
@@ -724,11 +722,20 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len)
{
- mbedtls_ecp_keypair *ctx = pk->pk_ctx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_status_t status;
+ unsigned char *p;
+ psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
+ size_t signature_len;
+ ((void) md_alg);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ unsigned char buf[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
+ psa_ecc_family_t curve = pk->ec_family;
+ size_t curve_bits = pk->ec_bits;
+#else
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
size_t key_len;
/* This buffer will initially contain the public key and then the signature
* but at different points in time. For all curves except secp224k1, which
@@ -736,13 +743,10 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
* (header byte + 2 numbers, while the signature is only 2 numbers),
* so use that as the buffer size. */
unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- unsigned char *p;
- psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
size_t curve_bits;
psa_ecc_family_t curve =
mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
- const size_t signature_part_size = (ctx->grp.nbits + 7) / 8;
- ((void) md_alg);
+#endif
if (curve == 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
@@ -752,6 +756,11 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&attributes, psa_sig_md);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ status = psa_import_key(&attributes,
+ pk->pub_raw, pk->pub_raw_len,
+ &key_id);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
&key_len, buf, sizeof(buf));
@@ -762,27 +771,30 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
status = psa_import_key(&attributes,
buf, key_len,
&key_id);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (status != PSA_SUCCESS) {
ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup;
}
- /* We don't need the exported key anymore and can
- * reuse its buffer for signature extraction. */
- if (2 * signature_part_size > sizeof(buf)) {
+ signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
+ if (signature_len > sizeof(buf)) {
ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
goto cleanup;
}
p = (unsigned char *) sig;
+ /* extract_ecdsa_sig's last parameter is the size
+ * of each integer to be parsed, so it's actually half
+ * the size of the signature. */
if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf,
- signature_part_size)) != 0) {
+ signature_len/2)) != 0) {
goto cleanup;
}
status = psa_verify_hash(key_id, psa_sig_md,
hash, hash_len,
- buf, 2 * signature_part_size);
+ buf, signature_len);
if (status != PSA_SUCCESS) {
ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
goto cleanup;
@@ -913,23 +925,27 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
unsigned char *sig, size_t sig_size, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
- mbedtls_ecp_keypair *ctx = pk->pk_ctx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_status_t status;
- unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
psa_algorithm_t psa_sig_md =
- PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
+ PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
#else
psa_algorithm_t psa_sig_md =
- PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
+ PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
#endif
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t curve = pk->ec_family;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
size_t curve_bits;
psa_ecc_family_t curve =
mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/* PSA has its own RNG */
((void) f_rng);
@@ -939,6 +955,12 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(pk->priv_id) == PSA_KEY_ID_NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ key_id = pk->priv_id;
+#else
if (key_len > sizeof(buf)) {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
@@ -958,6 +980,7 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup;
}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len,
sig, sig_size, sig_len);
@@ -969,8 +992,11 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size);
cleanup:
+
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
mbedtls_platform_zeroize(buf, sizeof(buf));
status = psa_destroy_key(key_id);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_PK_TO_MBEDTLS_ERR(status);
}
@@ -1110,28 +1136,43 @@ cleanup:
*/
static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
{
- psa_status_t status, destruction_status;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_ecp_keypair *prv_ctx = prv->pk_ctx;
- mbedtls_ecp_keypair *pub_ctx = pub->pk_ctx;
+ psa_status_t status;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- /* We are using MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH for the size of this
- * buffer because it will be used to hold the private key at first and
- * then its public part (but not at the same time). */
uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t prv_key_len;
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ mbedtls_svc_key_id_t key_id = prv->priv_id;
+
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#else /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+ psa_status_t destruction_status;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t pub_key_len;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
size_t curve_bits;
const psa_ecc_family_t curve =
- mbedtls_ecc_group_to_psa(prv_ctx->grp.id, &curve_bits);
+ mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
- ret = mbedtls_mpi_write_binary(&prv_ctx->d, prv_key_buf, curve_bytes);
+ ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
+ prv_key_buf, curve_bytes);
if (ret != 0) {
return ret;
}
@@ -1154,7 +1195,8 @@ static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv
return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
}
- ret = mbedtls_ecp_point_write_binary(&pub_ctx->grp, &pub_ctx->Q,
+ ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
+ &mbedtls_pk_ec_rw(*pub)->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
&pub_key_len, pub_key_buf,
sizeof(pub_key_buf));
@@ -1165,6 +1207,7 @@ static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv
if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
return 0;
}
@@ -1187,6 +1230,7 @@ static int eckey_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
#endif
}
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static void *eckey_alloc_wrap(void)
{
void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
@@ -1203,13 +1247,20 @@ static void eckey_free_wrap(void *ctx)
mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
mbedtls_free(ctx);
}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ items->type = MBEDTLS_PK_DEBUG_PSA_EC;
+ items->name = "eckey.Q";
+ items->value = pk;
+#else
mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
items->type = MBEDTLS_PK_DEBUG_ECP;
items->name = "eckey.Q";
items->value = &(ecp->Q);
+#endif
}
const mbedtls_pk_info_t mbedtls_eckey_info = {
@@ -1234,8 +1285,13 @@ const mbedtls_pk_info_t mbedtls_eckey_info = {
NULL,
NULL,
eckey_check_pair,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
eckey_alloc_wrap,
eckey_free_wrap,
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
eckey_rs_alloc,
eckey_rs_free,
@@ -1266,8 +1322,13 @@ const mbedtls_pk_info_t mbedtls_eckeydh_info = {
NULL,
NULL,
eckey_check_pair,
- eckey_alloc_wrap, /* Same underlying key structure */
- eckey_free_wrap, /* Same underlying key structure */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ eckey_alloc_wrap, /* Same underlying key structure */
+ eckey_free_wrap, /* Same underlying key structure */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
NULL,
NULL,
@@ -1356,8 +1417,13 @@ const mbedtls_pk_info_t mbedtls_ecdsa_info = {
NULL,
NULL,
eckey_check_pair, /* Compatible key structures */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ NULL,
+ NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
eckey_alloc_wrap, /* Compatible key structures */
eckey_free_wrap, /* Compatible key structures */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_rs_alloc,
ecdsa_rs_free,
@@ -1503,29 +1569,12 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-
-static void *pk_opaque_alloc_wrap(void)
-{
- void *ctx = mbedtls_calloc(1, sizeof(mbedtls_svc_key_id_t));
-
- /* no _init() function to call, as calloc() already zeroized */
-
- return ctx;
-}
-
-static void pk_opaque_free_wrap(void *ctx)
-{
- mbedtls_platform_zeroize(ctx, sizeof(mbedtls_svc_key_id_t));
- mbedtls_free(ctx);
-}
-
static size_t pk_opaque_get_bitlen(mbedtls_pk_context *pk)
{
- const mbedtls_svc_key_id_t *key = pk->pk_ctx;
size_t bits;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes)) {
+ if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
return 0;
}
@@ -1563,7 +1612,6 @@ static int pk_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
((void) p_rng);
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
#else /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */
- const mbedtls_svc_key_id_t *key = pk->pk_ctx;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_key_type_t type;
@@ -1573,7 +1621,7 @@ static int pk_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
(void) f_rng;
(void) p_rng;
- status = psa_get_key_attributes(*key, &attributes);
+ status = psa_get_key_attributes(pk->priv_id, &attributes);
if (status != PSA_SUCCESS) {
return PSA_PK_TO_MBEDTLS_ERR(status);
}
@@ -1583,18 +1631,18 @@ static int pk_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
- alg = PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
+ alg = PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
} else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
#if defined(MBEDTLS_RSA_C)
if (PSA_KEY_TYPE_IS_RSA(type)) {
- alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg));
+ alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
} else
#endif /* MBEDTLS_RSA_C */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
/* make the signature */
- status = psa_sign_hash(*key, alg, hash, hash_len,
+ status = psa_sign_hash(pk->priv_id, alg, hash, hash_len,
sig, sig_size, sig_len);
if (status != PSA_SUCCESS) {
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@@ -1621,6 +1669,53 @@ static int pk_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
#endif /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */
}
+static int pk_opaque_ec_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ /* The main difference between this function and eckey_check_pair_psa() is
+ * that in the opaque case the private key is always stored in PSA side no
+ * matter if MBEDTLS_PK_USE_PSA_EC_DATA is enabled or not.
+ * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we can simply use the
+ * eckey_check_pair_psa(). */
+ (void) f_rng;
+ (void) p_rng;
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ return eckey_check_pair_psa(pub, prv);
+#elif defined(MBEDTLS_ECP_LIGHT)
+ psa_status_t status;
+ uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t exp_pub_key_len = 0;
+ uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t pub_key_len = 0;
+ int ret;
+
+ status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
+ &exp_pub_key_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_pk_status_to_mbedtls(status);
+ return ret;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
+ &(mbedtls_pk_ec_ro(*pub)->Q),
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pub_key_len, pub_key, sizeof(pub_key));
+ if (ret != 0) {
+ return ret;
+ }
+ if ((exp_pub_key_len != pub_key_len) ||
+ memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ return 0;
+#else
+ (void) pub;
+ (void) prv;
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
MBEDTLS_PK_OPAQUE,
"Opaque",
@@ -1634,9 +1729,9 @@ const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
#endif
NULL, /* decrypt - not relevant */
NULL, /* encrypt - not relevant */
- NULL, /* check_pair - could be done later or left NULL */
- pk_opaque_alloc_wrap,
- pk_opaque_free_wrap,
+ pk_opaque_ec_check_pair,
+ NULL, /* alloc - no need to allocate new data dynamically */
+ NULL, /* free - as for the alloc, there is no data to free */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
NULL, /* restart alloc - not relevant */
NULL, /* restart free - not relevant */
@@ -1650,14 +1745,13 @@ static int pk_opaque_rsa_decrypt(mbedtls_pk_context *pk,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
- const mbedtls_svc_key_id_t *key = pk->pk_ctx;
psa_status_t status;
/* PSA has its own RNG */
(void) f_rng;
(void) p_rng;
- status = psa_asymmetric_decrypt(*key, PSA_ALG_RSA_PKCS1V15_CRYPT,
+ status = psa_asymmetric_decrypt(pk->priv_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
input, ilen,
NULL, 0,
output, osize, olen);
@@ -1687,8 +1781,8 @@ const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = {
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
NULL, /* encrypt - will be done later */
NULL, /* check_pair - could be done later or left NULL */
- pk_opaque_alloc_wrap,
- pk_opaque_free_wrap,
+ NULL, /* alloc - no need to allocate new data dynamically */
+ NULL, /* free - as for the alloc, there is no data to free */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
NULL, /* restart alloc - not relevant */
NULL, /* restart free - not relevant */
diff --git a/library/pkcs12.c b/library/pkcs12.c
index 515d9e1370..ce2dcf27ea 100644
--- a/library/pkcs12.c
+++ b/library/pkcs12.c
@@ -39,7 +39,6 @@
#include "mbedtls/des.h"
#endif
-#include "hash_info.h"
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
@@ -290,7 +289,7 @@ int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
unsigned char diversifier[128];
unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
- unsigned char hash_output[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
unsigned char *p;
unsigned char c;
int use_password = 0;
@@ -314,7 +313,7 @@ int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
use_password = (pwd && pwdlen != 0);
use_salt = (salt && saltlen != 0);
- hlen = mbedtls_hash_info_get_size(md_type);
+ hlen = mbedtls_md_get_size_from_type(md_type);
if (hlen <= 32) {
v = 64;
diff --git a/library/pkcs5.c b/library/pkcs5.c
index 0f4baf1bdb..94da9813e9 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -44,7 +44,6 @@
#include "mbedtls/platform.h"
-#include "hash_info.h"
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
diff --git a/library/pkparse.c b/library/pkparse.c
index ade8a04cab..07fce5c1c9 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -26,6 +26,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "pk_internal.h"
#include
@@ -36,6 +37,9 @@
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
#include "pkwrite.h"
#endif
+#if defined(MBEDTLS_ECP_LIGHT)
+#include "pk_internal.h"
+#endif
#if defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdsa.h"
#endif
@@ -59,6 +63,12 @@
#include "mbedtls/platform.h"
+/* Helper for Montgomery curves */
+#if defined(MBEDTLS_ECP_LIGHT) && defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
+ ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
+#endif /* MBEDTLS_ECP_LIGHT && MBEDTLS_PK_HAVE_RFC8410_CURVES */
+
#if defined(MBEDTLS_FS_IO)
/*
* Load all data from a file into a given buffer.
@@ -454,6 +464,29 @@ cleanup:
}
#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/* Functions pk_use_ecparams() and pk_use_ecparams_rfc8410() update the
+ * ecp_keypair structure with proper group ID. The purpose of this helper
+ * function is to update ec_family and ec_bits accordingly. */
+static int pk_update_psa_ecparams(mbedtls_pk_context *pk,
+ mbedtls_ecp_group_id grp_id)
+{
+ psa_ecc_family_t ec_family;
+ size_t bits;
+
+ ec_family = mbedtls_ecc_group_to_psa(grp_id, &bits);
+
+ if ((pk->ec_family != 0) && (pk->ec_family != ec_family)) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ pk->ec_family = ec_family;
+ pk->ec_bits = bits;
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
/*
* Use EC parameters to initialise an EC group
*
@@ -462,7 +495,7 @@ cleanup:
* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
* -- implicitCurve NULL
*/
-static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
+static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_group_id grp_id;
@@ -481,43 +514,52 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *gr
#endif
}
- /*
- * grp may already be initialized; if so, make sure IDs match
- */
- if (grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id) {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ ret = pk_update_psa_ecparams(pk, grp_id);
+#else
+ /* grp may already be initialized; if so, make sure IDs match */
+ if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
+ mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
- if ((ret = mbedtls_ecp_group_load(grp, grp_id)) != 0) {
+ if ((ret = mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(*pk)->grp),
+ grp_id)) != 0) {
return ret;
}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- return 0;
+ return ret;
}
-#if defined(MBEDTLS_ECP_LIGHT)
/*
* Helper function for deriving a public key from its private counterpart.
*/
-static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
+static int pk_derive_public_key(mbedtls_pk_context *pk,
const unsigned char *d, size_t d_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
int ret;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_status_t status, destruction_status;
- psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- size_t curve_bits;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
- /* This buffer is used to store the private key at first and then the
- * public one (but not at the same time). Therefore we size it for the
- * latter since it's bigger. */
+ psa_status_t status;
+ (void) f_rng;
+ (void) p_rng;
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ (void) d;
+ (void) d_len;
+
+ status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
+ &pk->pub_raw_len);
+ ret = psa_pk_status_to_mbedtls(status);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t key_len;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
-
- (void) f_rng;
- (void) p_rng;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
+ psa_status_t destruction_status;
psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
@@ -528,8 +570,6 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
return ret;
}
- mbedtls_platform_zeroize(key_buf, sizeof(key_buf));
-
status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len);
ret = psa_pk_status_to_mbedtls(status);
destruction_status = psa_destroy_key(key_id);
@@ -538,9 +578,10 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
} else if (destruction_status != PSA_SUCCESS) {
return psa_pk_status_to_mbedtls(destruction_status);
}
-
ret = mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
(void) d;
(void) d_len;
@@ -556,13 +597,24 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
*/
static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
mbedtls_ecp_group_id grp_id,
- mbedtls_ecp_group *grp)
+ mbedtls_pk_context *pk)
{
+ int ret;
+
if (params->tag != 0 || params->len != 0) {
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
- return mbedtls_ecp_group_load(grp, grp_id);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ ret = pk_update_psa_ecparams(pk, grp_id);
+#else
+ mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);
+ ret = mbedtls_ecp_group_load(&(ecp->grp), grp_id);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+ return ret;
}
/*
@@ -570,7 +622,7 @@ static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
*
* CurvePrivateKey ::= OCTET STRING
*/
-static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
+static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk,
unsigned char *key, size_t keylen, const unsigned char *end,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
@@ -585,28 +637,87 @@ static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
+
+ status = psa_import_key(&attributes, key, len, &pk->priv_id);
+ if (status != PSA_SUCCESS) {
+ ret = psa_pk_status_to_mbedtls(status);
+ return ret;
+ }
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
+
if ((ret = mbedtls_mpi_read_binary_le(&eck->d, key, len)) != 0) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
- // pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
- // which never contain a public key. As such, derive the public key
- // unconditionally.
- if ((ret = pk_derive_public_key(eck, key, len, f_rng, p_rng)) != 0) {
+ /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
+ * which never contain a public key. As such, derive the public key
+ * unconditionally. */
+ if ((ret = pk_derive_public_key(pk, key, len, f_rng, p_rng)) != 0) {
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
mbedtls_ecp_keypair_free(eck);
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
return ret;
}
+ /* When MBEDTLS_PK_USE_PSA_EC_DATA the key is checked while importing it
+ * into PSA. */
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
mbedtls_ecp_keypair_free(eck);
return ret;
}
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
return 0;
}
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-#endif /* MBEDTLS_ECP_LIGHT */
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/*
+ * Create a temporary ecp_keypair for converting an EC point in compressed
+ * format to an uncompressed one
+ */
+static int pk_convert_compressed_ec(mbedtls_pk_context *pk,
+ const unsigned char *in_start, size_t in_len,
+ size_t *out_buf_len, unsigned char *out_buf,
+ size_t out_buf_size)
+{
+ mbedtls_ecp_keypair ecp_key;
+ mbedtls_ecp_group_id ecp_group_id;
+ int ret;
+
+ ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
+
+ mbedtls_ecp_keypair_init(&ecp_key);
+ ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
+ in_start, in_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ out_buf_len, out_buf, out_buf_size);
+
+exit:
+ mbedtls_ecp_keypair_free(&ecp_key);
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* EC public key is an EC point
@@ -616,15 +727,61 @@ static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
* return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
*/
static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
- mbedtls_ecp_keypair *key)
+ mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q,
- (const unsigned char *) *p, end - *p)) == 0) {
- ret = mbedtls_ecp_check_pubkey(&key->grp, &key->Q);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ mbedtls_svc_key_id_t key;
+ psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ size_t len = (end - *p);
+
+ if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
+ /* Compressed point format are not supported yet by PSA crypto. As a
+ * consequence ecp functions are used to "convert" the point to
+ * uncompressed format */
+ if ((**p == 0x02) || (**p == 0x03)) {
+ ret = pk_convert_compressed_ec(pk, *p, len,
+ &(pk->pub_raw_len), pk->pub_raw,
+ PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
+ if (ret != 0) {
+ return ret;
+ }
+ } else {
+ /* Uncompressed format */
+ if ((end - *p) > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+ memcpy(pk->pub_raw, *p, (end - *p));
+ pk->pub_raw_len = end - *p;
+ }
+
+ /* Validate the key by trying to importing it */
+ psa_set_key_usage_flags(&key_attrs, 0);
+ psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY);
+ psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
+ psa_set_key_bits(&key_attrs, pk->ec_bits);
+
+ if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
+ &key) != PSA_SUCCESS) ||
+ (psa_destroy_key(key) != PSA_SUCCESS)) {
+ mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN);
+ pk->pub_raw_len = 0;
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ ret = 0;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q,
+ (const unsigned char *) *p,
+ end - *p)) == 0) {
+ ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
/*
* We know mbedtls_ecp_point_read_binary consumed all bytes or failed
*/
@@ -794,15 +951,15 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
#if defined(MBEDTLS_ECP_LIGHT)
if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) {
- ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, &mbedtls_pk_ec(*pk)->grp);
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, pk);
} else
#endif
{
- ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp);
+ ret = pk_use_ecparams(&alg_params, pk);
}
if (ret == 0) {
- ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk));
+ ret = pk_get_ecpubkey(p, end, pk);
}
} else
#endif /* MBEDTLS_ECP_LIGHT */
@@ -1013,7 +1170,7 @@ cleanup:
/*
* Parse a SEC1 encoded private EC key
*/
-static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
+static int pk_parse_key_sec1_der(mbedtls_pk_context *pk,
const unsigned char *key, size_t keylen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
@@ -1025,6 +1182,11 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
unsigned char *d;
unsigned char *end = p + keylen;
unsigned char *end2;
+ mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* RFC 5915, or SEC1 Appendix C.4
@@ -1057,10 +1219,13 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
d = p;
d_len = len;
+
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if ((ret = mbedtls_mpi_read_binary(&eck->d, p, len)) != 0) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
+#endif
p += len;
@@ -1073,7 +1238,7 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
0)) == 0) {
if ((ret = pk_get_ecparams(&p, p + len, ¶ms)) != 0 ||
- (ret = pk_use_ecparams(¶ms, &eck->grp)) != 0) {
+ (ret = pk_use_ecparams(¶ms, pk)) != 0) {
mbedtls_ecp_keypair_free(eck);
return ret;
}
@@ -1102,7 +1267,7 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
- if ((ret = pk_get_ecpubkey(&p, end2, eck)) == 0) {
+ if ((ret = pk_get_ecpubkey(&p, end2, pk)) == 0) {
pubkey_done = 1;
} else {
/*
@@ -1119,17 +1284,40 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
}
}
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
+ /* Setting largest masks for usage and key algorithms */
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE);
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ psa_set_key_algorithm(&attributes,
+ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH));
+#else
+ psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
+#endif
+ psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH);
+
+ status = psa_import_key(&attributes, d, d_len, &pk->priv_id);
+ if (status != PSA_SUCCESS) {
+ ret = psa_pk_status_to_mbedtls(status);
+ return ret;
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
if (!pubkey_done) {
- if ((ret = pk_derive_public_key(eck, d, d_len, f_rng, p_rng)) != 0) {
+ if ((ret = pk_derive_public_key(pk, d, d_len, f_rng, p_rng)) != 0) {
mbedtls_ecp_keypair_free(eck);
return ret;
}
}
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
mbedtls_ecp_keypair_free(eck);
return ret;
}
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
return 0;
}
@@ -1230,11 +1418,11 @@ static int pk_parse_key_pkcs8_unencrypted_der(
#if defined(MBEDTLS_ECP_LIGHT)
if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) {
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
if ((ret =
- pk_use_ecparams_rfc8410(¶ms, ec_grp_id, &mbedtls_pk_ec(*pk)->grp)) != 0 ||
+ pk_use_ecparams_rfc8410(¶ms, ec_grp_id, pk)) != 0 ||
(ret =
- pk_parse_key_rfc8410_der(mbedtls_pk_ec(*pk), p, len, end, f_rng,
+ pk_parse_key_rfc8410_der(pk, p, len, end, f_rng,
p_rng)) != 0) {
mbedtls_pk_free(pk);
return ret;
@@ -1242,8 +1430,8 @@ static int pk_parse_key_pkcs8_unencrypted_der(
} else
#endif
{
- if ((ret = pk_use_ecparams(¶ms, &mbedtls_pk_ec(*pk)->grp)) != 0 ||
- (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len, f_rng, p_rng)) != 0) {
+ if ((ret = pk_use_ecparams(¶ms, pk)) != 0 ||
+ (ret = pk_parse_key_sec1_der(pk, p, len, f_rng, p_rng)) != 0) {
mbedtls_pk_free(pk);
return ret;
}
@@ -1430,7 +1618,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
- (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
+ (ret = pk_parse_key_sec1_der(pk,
pem.buf, pem.buflen,
f_rng, p_rng)) != 0) {
mbedtls_pk_free(pk);
@@ -1554,18 +1742,18 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
#if defined(MBEDTLS_ECP_LIGHT)
pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
if (mbedtls_pk_setup(pk, pk_info) == 0 &&
- pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
+ pk_parse_key_sec1_der(pk,
key, keylen, f_rng, p_rng) == 0) {
return 0;
}
mbedtls_pk_free(pk);
#endif /* MBEDTLS_ECP_LIGHT */
- /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
+ /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_LIGHT isn't,
* it is ok to leave the PK context initialized but not
* freed: It is the caller's responsibility to call pk_init()
* before calling this function, and to call pk_free()
- * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
+ * when it fails. If MBEDTLS_ECP_LIGHT is defined but MBEDTLS_RSA_C
* isn't, this leads to mbedtls_pk_free() being called
* twice, once here and once by the caller, but this is
* also ok and in line with the mbedtls_pk_free() calls
diff --git a/library/pkwrite.c b/library/pkwrite.c
index b83a13e0a6..218d0c1abe 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -26,6 +26,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "pk_internal.h"
#include
@@ -37,7 +38,10 @@
#include "mbedtls/ecp.h"
#include "mbedtls/platform_util.h"
#endif
-#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_LIGHT)
+#include "pk_internal.h"
+#endif
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_LIGHT)
#include "pkwrite.h"
#endif
#if defined(MBEDTLS_ECDSA_C)
@@ -53,6 +57,61 @@
#endif
#include "mbedtls/platform.h"
+/* Helper for Montgomery curves */
+#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id = mbedtls_pk_get_group_id(pk);
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ if (id == MBEDTLS_ECP_DP_CURVE25519) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ if (id == MBEDTLS_ECP_DP_CURVE448) {
+ return 1;
+ }
+#endif
+ return 0;
+}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* It is assumed that the input key is opaque */
+static psa_ecc_family_t pk_get_opaque_ec_family(const mbedtls_pk_context *pk)
+{
+ psa_ecc_family_t ec_family = 0;
+ psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
+
+ if (psa_get_key_attributes(pk->priv_id, &key_attrs) != PSA_SUCCESS) {
+ return 0;
+ }
+ ec_family = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attrs));
+ psa_reset_key_attributes(&key_attrs);
+
+ return ec_family;
+}
+#endif /* MBETLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+#endif /* MBEDTLS_ECP_LIGHT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* It is assumed that the input key is opaque */
+static psa_key_type_t pk_get_opaque_key_type(const mbedtls_pk_context *pk)
+{
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return 0;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ psa_reset_key_attributes(&opaque_attrs);
+
+ return opaque_key_type;
+}
+#endif /* MBETLS_USE_PSA_CRYPTO */
+
#if defined(MBEDTLS_RSA_C)
/*
* RSAPublicKey ::= SEQUENCE {
@@ -61,11 +120,12 @@
* }
*/
static int pk_write_rsa_pubkey(unsigned char **p, unsigned char *start,
- mbedtls_rsa_context *rsa)
+ const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
mbedtls_mpi T;
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
mbedtls_mpi_init(&T);
@@ -99,20 +159,20 @@ end_of_export:
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
-/*
- * EC public key is an EC point
- */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
- mbedtls_ecp_keypair *ec)
+ const mbedtls_pk_context *pk)
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
- unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+ uint8_t buf[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
- if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED,
- &len, buf, sizeof(buf))) != 0) {
- return ret;
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ } else {
+ len = pk->pub_raw_len;
+ memcpy(buf, pk->pub_raw, len);
}
if (*p < start || (size_t) (*p - start) < len) {
@@ -124,6 +184,47 @@ static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
return (int) len;
}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ uint8_t buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+#else
+ unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= len;
+ memcpy(*p, buf, len);
+ return (int) len;
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, buf, sizeof(buf))) != 0) {
+ return ret;
+ }
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *p -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* ECParameters ::= CHOICE {
@@ -150,25 +251,97 @@ static int pk_write_ec_param(unsigned char **p, unsigned char *start,
/*
* privateKey OCTET STRING -- always of length ceil(log2(n)/8)
*/
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int pk_write_ec_private(unsigned char **p, unsigned char *start,
- mbedtls_ecp_keypair *ec)
+ const mbedtls_pk_context *pk)
{
+ size_t byte_length;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t byte_length = (ec->grp.pbits + 7) / 8;
- unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+ unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
+ psa_status_t status;
- ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
- if (ret != 0) {
- goto exit;
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
}
- ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
exit:
- mbedtls_platform_zeroize(tmp, byte_length);
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
return ret;
}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t byte_length;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
+ psa_status_t status;
+#else
+ unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ byte_length = (ec->grp.pbits + 7) / 8;
+
+ ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#endif /* MBEDTLS_ECP_LIGHT */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int pk_write_opaque_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t buffer_size;
+ size_t len = 0;
+
+ if (*p < start) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ buffer_size = (size_t) (*p - start);
+ if (psa_export_public_key(pk->priv_id, start, buffer_size,
+ &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ *p -= len;
+ memmove(*p, start, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
const mbedtls_pk_context *key)
{
@@ -177,31 +350,17 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, mbedtls_pk_rsa(*key)));
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, key));
} else
#endif
#if defined(MBEDTLS_ECP_LIGHT)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, mbedtls_pk_ec(*key)));
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, key));
} else
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
- size_t buffer_size;
- mbedtls_svc_key_id_t *key_id = (mbedtls_svc_key_id_t *) key->pk_ctx;
-
- if (*p < start) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- }
-
- buffer_size = (size_t) (*p - start);
- if (psa_export_public_key(*key_id, start, buffer_size, &len)
- != PSA_SUCCESS) {
- return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
- } else {
- *p -= len;
- memmove(*p, start, len);
- }
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_opaque_pubkey(p, start, key));
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
@@ -247,40 +406,22 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
pk_type = mbedtls_pk_get_type(key);
#if defined(MBEDTLS_ECP_LIGHT)
if (pk_type == MBEDTLS_PK_ECKEY) {
- ec_grp_id = mbedtls_pk_ec(*key)->grp.id;
+ ec_grp_id = mbedtls_pk_get_group_id(key);
}
#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (pk_type == MBEDTLS_PK_OPAQUE) {
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_type_t key_type;
- mbedtls_svc_key_id_t key_id;
- key_id = *((mbedtls_svc_key_id_t *) key->pk_ctx);
- if (PSA_SUCCESS != psa_get_key_attributes(key_id, &attributes)) {
- return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
- }
- key_type = psa_get_key_type(&attributes);
-
+ psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
#if defined(MBEDTLS_ECP_LIGHT)
- if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
- psa_ecc_family_t curve;
-
- curve = PSA_KEY_TYPE_ECC_GET_FAMILY(key_type);
- if (curve != 0) {
- ec_grp_id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&attributes), 0);
- if (ec_grp_id != MBEDTLS_ECP_DP_NONE) {
- /* The rest of the function works as for legacy EC contexts. */
- pk_type = MBEDTLS_PK_ECKEY;
- }
- }
- }
+ if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) {
+ pk_type = MBEDTLS_PK_ECKEY;
+ ec_grp_id = mbedtls_pk_get_group_id(key);
+ } else
#endif /* MBEDTLS_ECP_LIGHT */
- if (PSA_KEY_TYPE_IS_RSA(key_type)) {
+ if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) {
/* The rest of the function works as for legacy RSA contexts. */
pk_type = MBEDTLS_PK_RSA;
}
-
- psa_reset_key_attributes(&attributes);
}
/* `pk_type` will have been changed to non-opaque by here if this function can handle it */
if (pk_type == MBEDTLS_PK_OPAQUE) {
@@ -290,11 +431,13 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
#if defined(MBEDTLS_ECP_LIGHT)
if (pk_type == MBEDTLS_PK_ECKEY) {
- /* Some groups have their own AlgorithmIdentifier OID, others are handled by mbedtls_oid_get_oid_by_pk_alg() below */
+ /* Some groups have their own AlgorithmIdentifier OID, others are handled
+ * by mbedtls_oid_get_oid_by_pk_alg() below */
ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec_grp_id, &oid, &oid_len);
if (ret == 0) {
- /* Currently, none of the supported algorithms that have their own AlgorithmIdentifier OID have any parameters */
+ /* Currently, none of the supported algorithms that have their own
+ * AlgorithmIdentifier OID have any parameters */
has_par = 0;
} else if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec_grp_id));
@@ -324,7 +467,7 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
/*
- * RFC8410
+ * RFC8410 section 7
*
* OneAsymmetricKey ::= SEQUENCE {
* version Version,
@@ -335,24 +478,26 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
* [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
* ...
* }
- *
+ * ...
* CurvePrivateKey ::= OCTET STRING
*/
static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
- mbedtls_ecp_keypair *ec)
+ const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
size_t oid_len = 0;
const char *oid;
+ mbedtls_ecp_group_id grp_id;
/* privateKey */
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, ec));
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING));
+ grp_id = mbedtls_pk_get_group_id(pk);
/* privateKeyAlgorithm */
- if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec->grp.id, &oid, &oid_len)) != 0) {
+ if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(grp_id, &oid, &oid_len)) != 0) {
return ret;
}
MBEDTLS_ASN1_CHK_ADD(len,
@@ -368,24 +513,91 @@ static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
return (int) len;
}
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
-#endif /* MBEDTLS_ECP_LIGHT */
-int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+/*
+ * RFC 5915, or SEC1 Appendix C.4
+ *
+ * ECPrivateKey ::= SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ */
+static int pk_write_ec_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *c;
size_t len = 0;
+ int ret;
+ size_t pub_len = 0, par_len = 0;
+ mbedtls_ecp_group_id grp_id;
- if (size == 0) {
+ /* publicKey */
+ MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(p, buf, pk));
+
+ if (*p - buf < 1) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
+ (*p)--;
+ **p = 0;
+ pub_len += 1;
- c = buf + size;
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING));
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 1));
+ len += pub_len;
+
+ /* parameters */
+ grp_id = mbedtls_pk_get_group_id(pk);
+ MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(p, buf, grp_id));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(p, buf, par_len));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0));
+ len += par_len;
+
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
+
+ /* version */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 1));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
+static int pk_write_rsa_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ int ret;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
+ size_t tmp_len = 0;
+
+ if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= tmp_len;
+ memcpy(*p, tmp, tmp_len);
+ len += tmp_len;
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
mbedtls_mpi T; /* Temporary holding the exported parameters */
- mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*key);
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
/*
* Export the parameters one after another to avoid simultaneous copies.
@@ -395,21 +607,21 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export QP */
if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
/* Export DQ */
if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
/* Export DP */
if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -417,7 +629,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export Q */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
&T, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -425,7 +637,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export P */
if ((ret = mbedtls_rsa_export(rsa, NULL, &T,
NULL, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -433,7 +645,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export D */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
NULL, &T, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -441,7 +653,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export E */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
NULL, NULL, &T)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -449,7 +661,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export N */
if ((ret = mbedtls_rsa_export(rsa, &T, NULL,
NULL, NULL, NULL)) != 0 ||
- (ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
+ (ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@@ -461,73 +673,64 @@ end_of_export:
return ret;
}
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 0));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c,
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p,
buf, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
+ }
+
+ return (int) len;
+}
+#endif /* MBEDTLS_RSA_C */
+
+int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ unsigned char *c;
+ size_t len = 0;
+#if defined(MBEDTLS_RSA_C)
+ int is_rsa_opaque = 0;
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_LIGHT)
+ int is_ec_opaque = 0;
+#endif /* MBEDTLS_ECP_LIGHT */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_type_t opaque_key_type;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (size == 0) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ c = buf + size;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
+ opaque_key_type = pk_get_opaque_key_type(key);
+#if defined(MBEDTLS_RSA_C)
+ is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_LIGHT)
+ is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
+#endif /* MBEDTLS_ECP_LIGHT */
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_RSA_C)
+ if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
+ return pk_write_rsa_der(&c, buf, key);
} else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
- mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*key);
- size_t pub_len = 0, par_len = 0;
-
+ if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (mbedtls_pk_is_rfc8410_curve(ec->grp.id)) {
- return pk_write_ec_rfc8410_der(&c, buf, ec);
+ if (mbedtls_pk_is_rfc8410(key)) {
+ return pk_write_ec_rfc8410_der(&c, buf, key);
}
-#endif
-
- /*
- * RFC 5915, or SEC1 Appendix C.4
- *
- * ECPrivateKey ::= SEQUENCE {
- * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
- * privateKey OCTET STRING,
- * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
- * publicKey [1] BIT STRING OPTIONAL
- * }
- */
-
- /* publicKey */
- MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(&c, buf, ec));
-
- if (c - buf < 1) {
- return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
- }
- *--c = 0;
- pub_len += 1;
-
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(&c, buf, pub_len));
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
-
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(&c, buf, pub_len));
- MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(&c, buf,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 1));
- len += pub_len;
-
- /* parameters */
- MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec->grp.id));
-
- MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(&c, buf, par_len));
- MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(&c, buf,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 0));
- len += par_len;
-
- /* privateKey */
- MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(&c, buf, ec));
-
- /* version */
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 1));
-
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE));
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+ return pk_write_ec_der(&c, buf, key);
} else
-#endif /* MBEDTLS_ECP_C */
+#endif /* MBEDTLS_ECP_LIGHT */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
return (int) len;
@@ -578,21 +781,50 @@ int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf,
unsigned char output_buf[PRV_DER_MAX_BYTES];
const char *begin, *end;
size_t olen = 0;
+#if defined(MBEDTLS_ECP_LIGHT)
+ int is_ec_opaque = 0;
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ int is_montgomery_opaque = 0;
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+#endif /* MBEDTLS_ECP_LIGHT */
+#if defined(MBEDTLS_RSA_C)
+ int is_rsa_opaque = 0;
+#endif
if ((ret = mbedtls_pk_write_key_der(key, output_buf, sizeof(output_buf))) < 0) {
return ret;
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
+ psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
+
#if defined(MBEDTLS_RSA_C)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
+ is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
+#endif
+#if defined(MBEDTLS_ECP_LIGHT)
+ is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (pk_get_opaque_ec_family(key) == PSA_ECC_FAMILY_MONTGOMERY) {
+ is_montgomery_opaque = 1;
+ }
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+#endif /* MBEDTLS_ECP_LIGHT */
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_RSA_C)
+ if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
begin = PEM_BEGIN_PRIVATE_KEY_RSA;
end = PEM_END_PRIVATE_KEY_RSA;
} else
#endif
#if defined(MBEDTLS_ECP_LIGHT)
- if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
+ if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
- if (mbedtls_pk_is_rfc8410_curve(mbedtls_pk_ec(*key)->grp.id)) {
+ if (is_montgomery_opaque ||
+ ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) &&
+ (mbedtls_pk_is_rfc8410(key)))) {
begin = PEM_BEGIN_PRIVATE_KEY_PKCS8;
end = PEM_END_PRIVATE_KEY_PKCS8;
} else
diff --git a/library/pkwrite.h b/library/pkwrite.h
index 537bd0f8c8..8db2333738 100644
--- a/library/pkwrite.h
+++ b/library/pkwrite.h
@@ -73,7 +73,7 @@
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_LIGHT)
/*
* EC public keys:
* SubjectPublicKeyInfo ::= SEQUENCE { 1 + 2
@@ -98,34 +98,10 @@
*/
#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES (29 + 3 * MBEDTLS_ECP_MAX_BYTES)
-#else /* MBEDTLS_ECP_C */
+#else /* MBEDTLS_ECP_LIGHT */
#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES 0
#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES 0
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_ECP_LIGHT)
-#include "mbedtls/ecp.h"
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define MBEDTLS_PK_HAVE_RFC8410_CURVES
-
-static inline int mbedtls_pk_is_rfc8410_curve(mbedtls_ecp_group_id id)
-{
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
- if (id == MBEDTLS_ECP_DP_CURVE25519) {
- return 1;
- }
-#endif
-#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
- if (id == MBEDTLS_ECP_DP_CURVE448) {
- return 1;
- }
-#endif
- return 0;
-}
-#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED || MBEDTLS_ECP_DP_CURVE448_ENABLED */
#endif /* MBEDTLS_ECP_LIGHT */
-
#endif /* MBEDTLS_PK_WRITE_H */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f7e91d606f..399e7f3879 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -35,6 +35,7 @@
#include "psa_crypto_invasive.h"
#include "psa_crypto_driver_wrappers.h"
#include "psa_crypto_ecp.h"
+#include "psa_crypto_ffdh.h"
#include "psa_crypto_hash.h"
#include "psa_crypto_mac.h"
#include "psa_crypto_rsa.h"
@@ -81,7 +82,7 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
-#include "hash_info.h"
+#include "md_psa.h"
#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
@@ -128,6 +129,21 @@ int psa_can_do_hash(psa_algorithm_t hash_alg)
(void) hash_alg;
return global_data.drivers_initialized;
}
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR)
+static int psa_is_dh_key_size_valid(size_t bits)
+{
+ if (bits != 2048 && bits != 3072 && bits != 4096 &&
+ bits != 6144 && bits != 8192) {
+ return 0;
+ }
+
+ return 1;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ PSA_WANT_KEY_TYPE_DH_KEY_PAIR */
psa_status_t mbedtls_to_psa_error(int ret)
{
@@ -624,6 +640,20 @@ psa_status_t psa_import_key_into_slot(
return PSA_SUCCESS;
} else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_DH(type)) {
+ if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ return mbedtls_psa_ffdh_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
if (PSA_KEY_TYPE_IS_ECC(type)) {
@@ -1326,7 +1356,8 @@ psa_status_t psa_export_key_internal(
if (key_type_is_raw_bytes(type) ||
PSA_KEY_TYPE_IS_RSA(type) ||
- PSA_KEY_TYPE_IS_ECC(type)) {
+ PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type)) {
return psa_export_key_buffer_internal(
key_buffer, key_buffer_size,
data, data_size, data_length);
@@ -1392,47 +1423,59 @@ psa_status_t psa_export_public_key_internal(
{
psa_key_type_t type = attributes->core.type;
- if (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type)) {
- if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
- /* Exporting public -> public */
- return psa_export_key_buffer_internal(
- key_buffer, key_buffer_size,
- data, data_size, data_length);
- }
-
- if (PSA_KEY_TYPE_IS_RSA(type)) {
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+ (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type))) {
+ /* Exporting public -> public */
+ return psa_export_key_buffer_internal(
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+ } else if (PSA_KEY_TYPE_IS_RSA(type)) {
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
- return mbedtls_psa_rsa_export_public_key(attributes,
- key_buffer,
- key_buffer_size,
- data,
- data_size,
- data_length);
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ return mbedtls_psa_rsa_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
#else
- /* We don't know how to convert a private RSA key to public. */
- return PSA_ERROR_NOT_SUPPORTED;
+ /* We don't know how to convert a private RSA key to public. */
+ return PSA_ERROR_NOT_SUPPORTED;
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
- } else {
+ } else if (PSA_KEY_TYPE_IS_ECC(type)) {
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
- return mbedtls_psa_ecp_export_public_key(attributes,
- key_buffer,
- key_buffer_size,
- data,
- data_size,
- data_length);
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+ return mbedtls_psa_ecp_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
#else
- /* We don't know how to convert a private ECC key to public */
- return PSA_ERROR_NOT_SUPPORTED;
+ /* We don't know how to convert a private ECC key to public */
+ return PSA_ERROR_NOT_SUPPORTED;
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
- }
+ } else if (PSA_KEY_TYPE_IS_DH(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ return mbedtls_psa_export_ffdh_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data, data_size,
+ data_length);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
} else {
- /* This shouldn't happen in the reference implementation, but
- it is valid for a special-purpose implementation to omit
- support for exporting certain key types. */
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) data;
+ (void) data_size;
+ (void) data_length;
return PSA_ERROR_NOT_SUPPORTED;
}
}
@@ -3567,7 +3610,7 @@ psa_status_t mbedtls_psa_sign_hash_start(
operation->ctx->grp.nbits);
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
operation->alg = alg;
/* We only need to store the same length of hash as the private key size
@@ -4989,7 +5032,8 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
#if defined(BUILTIN_ALG_ANY_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
#define AT_LEAST_ONE_BUILTIN_KDF
#endif /* At least one builtin KDF */
@@ -5093,6 +5137,17 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
} else
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ if (operation->ctx.pbkdf2.salt != NULL) {
+ mbedtls_platform_zeroize(operation->ctx.pbkdf2.salt,
+ operation->ctx.pbkdf2.salt_length);
+ mbedtls_free(operation->ctx.pbkdf2.salt);
+ }
+
+ status = PSA_SUCCESS;
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) */
{
status = PSA_ERROR_BAD_STATE;
}
@@ -5472,6 +5527,15 @@ psa_status_t psa_key_derivation_output_bytes(
&operation->ctx.tls12_ecjpake_to_pms, output, output_length);
} else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ /* As output functionality is not added yet return
+ * PSA_ERROR_NOT_SUPPORTED for now if inputs are passed correctly.
+ * If input validation fails operation is aborted and output_bytes
+ * will return PSA_ERROR_BAD_STATE */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
{
(void) kdf_alg;
@@ -5889,6 +5953,11 @@ static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
return 1;
}
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ return 1;
+ }
#endif
return 0;
}
@@ -5957,6 +6026,11 @@ static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
if (alg == PSA_ALG_ECDH) {
return PSA_SUCCESS;
}
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (alg == PSA_ALG_FFDH) {
+ return PSA_SUCCESS;
+ }
#endif
(void) alg;
return PSA_ERROR_NOT_SUPPORTED;
@@ -6378,6 +6452,130 @@ static psa_status_t psa_tls12_ecjpake_to_pms_input(
return PSA_SUCCESS;
}
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+static psa_status_t psa_pbkdf2_set_input_cost(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_key_derivation_step_t step,
+ uint64_t data)
+{
+ if (step != PSA_KEY_DERIVATION_INPUT_COST) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (data == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ pbkdf2->input_cost = data;
+ pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (pbkdf2->state != PSA_PBKDF2_STATE_INPUT_COST_SET &&
+ pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
+ pbkdf2->salt = mbedtls_calloc(1, data_length);
+ if (pbkdf2->salt == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(pbkdf2->salt, data, data_length);
+ pbkdf2->salt_length = data_length;
+ } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
+ uint8_t *next_salt;
+
+ next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
+ if (next_salt == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
+ memcpy(next_salt + pbkdf2->salt_length, data, data_length);
+ pbkdf2->salt_length += data_length;
+ mbedtls_free(pbkdf2->salt);
+ pbkdf2->salt = next_salt;
+ }
+
+ pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
+ const uint8_t *input,
+ size_t input_len,
+ uint8_t *output,
+ size_t *output_len)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
+ status = psa_hash_compute(hash_alg, input, input_len, output,
+ PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
+ } else {
+ memcpy(output, input, input_len);
+ *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ }
+ return status;
+}
+
+static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
+ status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
+ pbkdf2->password,
+ &pbkdf2->password_length);
+ }
+ }
+
+ pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
+
+ return status;
+}
+
+static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+ return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+
/** Check whether the given key type is acceptable for the given
* input step of a key derivation.
*
@@ -6419,6 +6617,17 @@ static int psa_key_derivation_check_input_type(
return PSA_SUCCESS;
}
break;
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ if (key_type == PSA_KEY_TYPE_PASSWORD) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
}
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -6462,6 +6671,12 @@ static psa_status_t psa_key_derivation_input_internal(
&operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
} else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
+ step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
{
/* This can't happen unless the operation object was not initialized */
(void) data;
@@ -6485,6 +6700,12 @@ static psa_status_t psa_key_derivation_input_integer_internal(
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ status = psa_pbkdf2_set_input_cost(
+ &operation->ctx.pbkdf2, step, value);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
{
(void) step;
(void) value;
@@ -6533,9 +6754,10 @@ psa_status_t psa_key_derivation_input_key(
return status;
}
- /* Passing a key object as a SECRET input unlocks the permission
- * to output to a key object. */
- if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
+ /* Passing a key object as a SECRET or PASSWORD input unlocks the
+ * permission to output to a key object. */
+ if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
+ step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
operation->can_output_key = 1;
}
@@ -6575,6 +6797,19 @@ psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attribute
shared_secret_size,
shared_secret_length);
#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+ case PSA_ALG_FFDH:
+ return mbedtls_psa_key_agreement_ffdh(attributes,
+ peer_key,
+ peer_key_length,
+ key_buffer,
+ key_buffer_size,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
default:
(void) attributes;
(void) key_buffer;
@@ -6956,6 +7191,14 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation(
return PSA_SUCCESS;
} else
#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ if (psa_is_dh_key_size_valid(bits) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR) */
{
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -7007,6 +7250,15 @@ psa_status_t psa_generate_key_internal(
key_buffer_length);
} else
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ return mbedtls_psa_ffdh_generate_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) */
{
(void) key_buffer_length;
return PSA_ERROR_NOT_SUPPORTED;
@@ -7308,6 +7560,7 @@ psa_status_t psa_crypto_driver_pake_get_cipher_suite(
return PSA_SUCCESS;
}
+#if defined(PSA_WANT_ALG_SOME_PAKE)
psa_status_t psa_pake_setup(
psa_pake_operation_t *operation,
const psa_pake_cipher_suite_t *cipher_suite)
@@ -8024,5 +8277,6 @@ psa_status_t psa_pake_abort(
return status;
}
+#endif /* PSA_WANT_ALG_SOME_PAKE */
#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index f70d804b0f..488020882f 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -26,7 +26,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
#include "psa_crypto_random_impl.h"
-#include "hash_info.h"
+#include "md_psa.h"
#include
#include
@@ -366,7 +366,7 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash(
if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
&ecp->grp, &r, &s,
&ecp->d, hash,
diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c
new file mode 100644
index 0000000000..4550a72b96
--- /dev/null
+++ b/library/psa_crypto_ffdh.c
@@ -0,0 +1,299 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include
+#include "psa_crypto_core.h"
+#include "psa_crypto_ffdh.h"
+#include "psa_crypto_random_impl.h"
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
+ mbedtls_mpi *P,
+ mbedtls_mpi *G)
+{
+ const unsigned char *dhm_P = NULL;
+ const unsigned char *dhm_G = NULL;
+ size_t dhm_size_P = 0;
+ size_t dhm_size_G = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (P == NULL && G == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ static const unsigned char dhm_P_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
+ static const unsigned char dhm_P_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
+ static const unsigned char dhm_P_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
+ static const unsigned char dhm_P_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
+ static const unsigned char dhm_P_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
+ static const unsigned char dhm_G_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
+ static const unsigned char dhm_G_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
+ static const unsigned char dhm_G_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
+ static const unsigned char dhm_G_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
+ static const unsigned char dhm_G_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
+
+ switch (key_size) {
+ case sizeof(dhm_P_2048):
+ dhm_P = dhm_P_2048;
+ dhm_G = dhm_G_2048;
+ dhm_size_P = sizeof(dhm_P_2048);
+ dhm_size_G = sizeof(dhm_G_2048);
+ break;
+ case sizeof(dhm_P_3072):
+ dhm_P = dhm_P_3072;
+ dhm_G = dhm_G_3072;
+ dhm_size_P = sizeof(dhm_P_3072);
+ dhm_size_G = sizeof(dhm_G_3072);
+ break;
+ case sizeof(dhm_P_4096):
+ dhm_P = dhm_P_4096;
+ dhm_G = dhm_G_4096;
+ dhm_size_P = sizeof(dhm_P_4096);
+ dhm_size_G = sizeof(dhm_G_4096);
+ break;
+ case sizeof(dhm_P_6144):
+ dhm_P = dhm_P_6144;
+ dhm_G = dhm_G_6144;
+ dhm_size_P = sizeof(dhm_P_6144);
+ dhm_size_G = sizeof(dhm_G_6144);
+ break;
+ case sizeof(dhm_P_8192):
+ dhm_P = dhm_P_8192;
+ dhm_G = dhm_G_8192;
+ dhm_size_P = sizeof(dhm_P_8192);
+ dhm_size_G = sizeof(dhm_G_8192);
+ break;
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
+ dhm_size_P));
+ }
+ if (G != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
+ dhm_size_G));
+ }
+
+cleanup:
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+psa_status_t mbedtls_psa_export_ffdh_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi GX, G, X, P;
+ psa_key_type_t type = attributes->core.type;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ if (key_buffer_size > data_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(data, key_buffer, key_buffer_size);
+ memset(data + key_buffer_size, 0,
+ data_size - key_buffer_size);
+ *data_length = key_buffer_size;
+ return PSA_SUCCESS;
+ }
+
+ mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(data_size, &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, data_size));
+
+ *data_length = data_size;
+
+ ret = 0;
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ mbedtls_mpi X, P;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
+ (void) attributes;
+
+ status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
+ secret exponent from the range [2, P-2].
+ Select random value in range [3, P-1] and decrease it by 1. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
+ *key_buffer_length = key_buffer_size;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
+ if (status == PSA_SUCCESS && ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ (void) attributes;
+
+ if (key_buffer_size < data_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+ *bits = PSA_BYTES_TO_BITS(data_length);
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+psa_status_t mbedtls_psa_key_agreement_ffdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi P, G, X, GY, K;
+ const size_t calculated_shared_secret_size = peer_key_length;
+
+ if (peer_key_length != key_buffer_size ||
+ calculated_shared_secret_size > shared_secret_size) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
+ mbedtls_mpi_init(&K);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(
+ PSA_BITS_TO_BYTES(attributes->core.bits), &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
+ peer_key_length));
+
+ /* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
+ calculated_shared_secret_size));
+
+ *shared_secret_length = calculated_shared_secret_size;
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
+ mbedtls_mpi_free(&K);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ffdh.h b/library/psa_crypto_ffdh.h
new file mode 100644
index 0000000000..5d7d951c70
--- /dev/null
+++ b/library/psa_crypto_ffdh.h
@@ -0,0 +1,144 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_FFDH_H
+#define PSA_CRYPTO_FFDH_H
+
+#include
+#include
+
+/** Perform a key agreement and return the FFDH shared secret.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key_buffer_size, \p peer_key_length, \p shared_secret_size
+ * do not match
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_key_agreement_ffdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/** Export a public key or the public part of a DH key pair in binary format.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The public key was exported successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_export_ffdh_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Generate DH key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to generate.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key size in bits is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/**
+ * \brief Import DH key.
+ *
+ * \note The signature of the function is that of a PSA driver import_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+#endif /* PSA_CRYPTO_FFDH_H */
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index 3ff589dc88..ab93146deb 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -28,6 +28,7 @@
#include "psa_crypto_random_impl.h"
#include "psa_crypto_rsa.h"
#include "psa_crypto_hash.h"
+#include "md_psa.h"
#include
#include
@@ -37,7 +38,6 @@
#include
#include
#include "pk_wrap.h"
-#include "hash_info.h"
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
@@ -318,7 +318,7 @@ static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
mbedtls_md_type_t *md_alg)
{
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
- *md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ *md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
/* The Mbed TLS RSA module uses an unsigned int for hash length
* parameters. Validate that it fits so that we don't risk an
@@ -332,7 +332,7 @@ static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
if (*md_alg == MBEDTLS_MD_NONE) {
return PSA_ERROR_NOT_SUPPORTED;
}
- if (mbedtls_hash_info_get_size(*md_alg) != hash_length) {
+ if (mbedtls_md_get_size_from_type(*md_alg) != hash_length) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
@@ -527,7 +527,7 @@ static int psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
mbedtls_rsa_context *rsa)
{
psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
- mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
return mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
}
diff --git a/library/psa_util.c b/library/psa_util.c
index 43a10a32c1..c354f34dbf 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -33,7 +33,7 @@
/* PSA_SUCCESS is kept at the top of each error table since
* it's the most common status when everything functions properly. */
-#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) || defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_MD_LIGHT)
const mbedtls_error_pair_t psa_to_md_errors[] =
{
{ PSA_SUCCESS, 0 },
diff --git a/library/rsa.c b/library/rsa.c
index 87b3311899..8126ae9cf0 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -46,7 +46,7 @@
#include "mbedtls/error.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
-#include "hash_info.h"
+#include "md_psa.h"
#include
@@ -478,7 +478,7 @@ int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
if ((padding == MBEDTLS_RSA_PKCS_V21) &&
(hash_id != MBEDTLS_MD_NONE)) {
/* Just make sure this hash is supported in this build. */
- if (mbedtls_hash_info_psa_from_md(hash_id) == PSA_ALG_NONE) {
+ if (mbedtls_md_info_from_type(hash_id) == NULL) {
return MBEDTLS_ERR_RSA_INVALID_PADDING;
}
}
@@ -1076,7 +1076,7 @@ static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
unsigned char *p;
unsigned int hlen;
size_t i, use_len;
- unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char mask[MBEDTLS_MD_MAX_SIZE];
int ret = 0;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
@@ -1229,7 +1229,7 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
- hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -1380,7 +1380,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
size_t ilen, i, pad_len;
unsigned char *p, bad, pad_done;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
- unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen;
/*
@@ -1396,7 +1396,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
- hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -1596,7 +1596,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
if (md_alg != MBEDTLS_MD_NONE) {
/* Gather length of hash to sign */
- size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
if (exp_hashlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -1606,7 +1606,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
}
}
- hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -1744,7 +1744,7 @@ static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
/* Are we signing hashed or raw data? */
if (md_alg != MBEDTLS_MD_NONE) {
- unsigned char md_size = mbedtls_hash_info_get_size(md_alg);
+ unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
if (md_size == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -1966,7 +1966,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
size_t siglen;
unsigned char *p;
unsigned char *hash_start;
- unsigned char result[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char result[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen;
size_t observed_salt_len, msb;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
@@ -1995,7 +1995,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
if (md_alg != MBEDTLS_MD_NONE) {
/* Gather length of hash to sign */
- size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
if (exp_hashlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@@ -2005,7 +2005,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
}
}
- hlen = mbedtls_hash_info_get_size(mgf1_hash_id);
+ hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 9cef3fe79a..793ec6a1c8 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -28,6 +28,9 @@
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "md_psa.h"
+#endif
#include
@@ -1966,10 +1969,10 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return PSA_ALG_RSA_PKCS1V15_SIGN(
- mbedtls_hash_info_psa_from_md(info->mac));
+ mbedtls_md_psa_alg_from_type(info->mac));
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- return PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(info->mac));
+ return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(info->mac));
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index ba25389237..ae7a4204ca 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -36,6 +36,7 @@
#include
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "md_psa.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
@@ -114,7 +115,7 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
(void) f_rng;
(void) p_rng;
- alg = mbedtls_hash_info_psa_from_md(COOKIE_MD);
+ alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
if (alg == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@@ -364,10 +365,7 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
cur_time = ctx->serial;
#endif
- cookie_time = ((unsigned long) cookie[0] << 24) |
- ((unsigned long) cookie[1] << 16) |
- ((unsigned long) cookie[2] << 8) |
- ((unsigned long) cookie[3]);
+ cookie_time = (unsigned long) MBEDTLS_GET_UINT32_BE(cookie, 0);
if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout) {
ret = -1;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index d7c47e661c..2d6d7bace5 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -30,7 +30,6 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
-#include "hash_info.h"
#endif
#if defined(MBEDTLS_MD_CAN_MD5)
@@ -55,6 +54,7 @@
#endif
#include "mbedtls/pk.h"
+#include "pk_internal.h"
#include "common.h"
/* Shorthand for restartable ECC */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 331bb79dbe..f0067f4b2d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -41,6 +41,7 @@
#include
#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "md_psa.h"
#include "mbedtls/psa_util.h"
#include "psa/crypto.h"
#endif
@@ -843,11 +844,11 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
#else
mbedtls_md_free(&ssl->handshake->fin_sha256);
@@ -868,11 +869,11 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
#else
mbedtls_md_free(&ssl->handshake->fin_sha384);
@@ -910,7 +911,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
#else
ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
@@ -923,7 +924,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
if (status != PSA_SUCCESS) {
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
}
#else
ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
@@ -940,8 +941,8 @@ static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return PSA_TO_MD_ERR(psa_hash_update(
- &ssl->handshake->fin_sha256_psa, buf, len));
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha256_psa, buf, len));
#else
return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
#endif
@@ -953,8 +954,8 @@ static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return PSA_TO_MD_ERR(psa_hash_update(
- &ssl->handshake->fin_sha384_psa, buf, len));
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha384_psa, buf, len));
#else
return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
#endif
@@ -1155,8 +1156,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
size_t length;
const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
- for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE) &&
- (length < MBEDTLS_ECP_DP_MAX); length++) {
+ for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
}
/* Leave room for zero termination */
@@ -4613,10 +4613,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- session_len = ((size_t) p[0] << 24) |
- ((size_t) p[1] << 16) |
- ((size_t) p[2] << 8) |
- ((size_t) p[3]);
+ session_len = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
/* This has been allocated by ssl_handshake_init(), called by
@@ -4711,10 +4708,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- ssl->badmac_seen = ((uint32_t) p[0] << 24) |
- ((uint32_t) p[1] << 16) |
- ((uint32_t) p[2] << 8) |
- ((uint32_t) p[3]);
+ ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@@ -4722,24 +4716,10 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- ssl->in_window_top = ((uint64_t) p[0] << 56) |
- ((uint64_t) p[1] << 48) |
- ((uint64_t) p[2] << 40) |
- ((uint64_t) p[3] << 32) |
- ((uint64_t) p[4] << 24) |
- ((uint64_t) p[5] << 16) |
- ((uint64_t) p[6] << 8) |
- ((uint64_t) p[7]);
+ ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
- ssl->in_window = ((uint64_t) p[0] << 56) |
- ((uint64_t) p[1] << 48) |
- ((uint64_t) p[2] << 40) |
- ((uint64_t) p[3] << 32) |
- ((uint64_t) p[4] << 24) |
- ((uint64_t) p[5] << 16) |
- ((uint64_t) p[6] << 8) |
- ((uint64_t) p[7]);
+ ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
@@ -4973,7 +4953,7 @@ static uint16_t ssl_preset_default_groups[] = {
MBEDTLS_SSL_IANA_TLS_GROUP_NONE
};
-static int ssl_preset_suiteb_ciphersuites[] = {
+static const int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
0
@@ -6647,7 +6627,7 @@ int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
exit:
psa_hash_abort(&sha256_psa);
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha256;
@@ -6709,7 +6689,7 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
exit:
psa_hash_abort(&sha384_psa);
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha384;
@@ -7388,13 +7368,12 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* and in the unlikely case the above assumption no longer holds
* we are making sure that pk_ec() here does not return a NULL
*/
- const mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
- if (ec == NULL) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec() returned NULL"));
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
-
- if (mbedtls_ssl_check_curve(ssl, ec->grp.id) != 0) {
+ if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
ssl->session_negotiate->verify_result |=
MBEDTLS_X509_BADCERT_BAD_KEY;
@@ -7763,7 +7742,7 @@ static int ssl_calc_finished_tls_sha256(
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&sha256_psa);
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
#else
mbedtls_md_free(&sha256);
return ret;
@@ -7852,7 +7831,7 @@ static int ssl_calc_finished_tls_sha384(
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&sha384_psa);
- return PSA_TO_MD_ERR(status);
+ return mbedtls_md_error_from_psa(status);
#else
mbedtls_md_free(&sha384);
return ret;
@@ -8314,9 +8293,9 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mac_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
+ mac_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
if (mac_alg == 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_info_psa_from_md for %u not found",
+ MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
(unsigned) ciphersuite_info->mac));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@@ -8763,7 +8742,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
{
psa_status_t status;
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
- psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
@@ -8892,7 +8871,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
psa_algorithm_t psa_hash_alg =
- mbedtls_hash_info_psa_from_md(hash_alg_received);
+ mbedtls_md_psa_alg_from_type(hash_alg_received);
if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
!mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
@@ -9102,14 +9081,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- start = ((uint64_t) p[0] << 56) |
- ((uint64_t) p[1] << 48) |
- ((uint64_t) p[2] << 40) |
- ((uint64_t) p[3] << 32) |
- ((uint64_t) p[4] << 24) |
- ((uint64_t) p[5] << 16) |
- ((uint64_t) p[6] << 8) |
- ((uint64_t) p[7]);
+ start = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
session->start = (time_t) start;
@@ -9132,10 +9104,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
memcpy(session->master, p, 48);
p += 48;
- session->verify_result = ((uint32_t) p[0] << 24) |
- ((uint32_t) p[1] << 16) |
- ((uint32_t) p[2] << 8) |
- ((uint32_t) p[3]);
+ session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
/* Immediately clear invalid pointer values that have been read, in case
@@ -9254,10 +9223,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- session->ticket_lifetime = ((uint32_t) p[0] << 24) |
- ((uint32_t) p[1] << 16) |
- ((uint32_t) p[2] << 8) |
- ((uint32_t) p[3]);
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index d94d8295cd..fc96dae1e2 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -50,8 +50,6 @@
#include "mbedtls/platform_util.h"
#endif
-#include "hash_info.h"
-
#if defined(MBEDTLS_SSL_RENEGOTIATION)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
@@ -1986,7 +1984,6 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- const mbedtls_ecp_keypair *peer_key;
mbedtls_pk_context *peer_pk;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
@@ -2007,22 +2004,24 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
- peer_key = mbedtls_pk_ec(*peer_pk);
+#if defined(MBEDTLS_ECP_C)
+ const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t olen = 0;
uint16_t tls_id = 0;
psa_ecc_family_t ecc_family;
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
- if (mbedtls_ssl_check_curve(ssl, peer_key->grp.id) != 0) {
+ if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
- tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(peer_key->grp.id);
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
- peer_key->grp.id));
+ grp_id));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
@@ -2034,6 +2033,12 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family);
/* Store peer's public key in psa format. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ memcpy(ssl->handshake->ecdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
+ ssl->handshake->ecdh_psa_peerkey_len = peer_pk->pub_raw_len;
+ ret = 0;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ size_t olen = 0;
ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
ssl->handshake->ecdh_psa_peerkey,
@@ -2043,9 +2048,9 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
return ret;
}
-
ssl->handshake->ecdh_psa_peerkey_len = olen;
-#else
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
MBEDTLS_ECDH_THEIRS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
@@ -2056,7 +2061,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
-#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive
@@ -2284,7 +2289,7 @@ start_processing:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
size_t sig_len, hashlen;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
@@ -2401,7 +2406,7 @@ start_processing:
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
rsassa_pss_options.mgf1_hash_id = md_alg;
rsassa_pss_options.expected_salt_len =
- mbedtls_hash_info_get_size(md_alg);
+ mbedtls_md_get_size_from_type(md_alg);
if (rsassa_pss_options.expected_salt_len == 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 42f5fe92b4..30c35f3a45 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -30,7 +30,6 @@
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
-#include "hash_info.h"
#include
@@ -666,7 +665,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
uint16_t *curves_tls_id)
{
uint16_t *curr_tls_id = curves_tls_id;
- mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id;
mbedtls_ecp_group_id curr_grp_id;
while (*curr_tls_id != 0) {
@@ -1088,9 +1087,7 @@ read_record_header:
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
/* This couldn't be done in ssl_prepare_handshake_record() */
- unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
- ssl->in_msg[5];
-
+ unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
if (cli_msg_seq != ssl->handshake->in_msg_seq) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
"%u (expected %u)", cli_msg_seq,
@@ -1102,8 +1099,7 @@ read_record_header:
} else
#endif
{
- unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
- ssl->in_msg[5];
+ unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
ssl->handshake->out_msg_seq = cli_msg_seq;
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
}
@@ -2600,7 +2596,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
psa_ecc_family_t ecc_family;
size_t key_len;
mbedtls_pk_context *pk;
- mbedtls_ecp_keypair *key;
+ mbedtls_ecp_group_id grp_id;
pk = mbedtls_ssl_own_key(ssl);
@@ -2608,14 +2604,17 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ mbedtls_ecp_keypair *key = mbedtls_pk_ec_rw(*pk);
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+
switch (mbedtls_pk_get_type(pk)) {
case MBEDTLS_PK_OPAQUE:
if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
- ssl->handshake->ecdh_psa_privkey =
- *((mbedtls_svc_key_id_t *) pk->pk_ctx);
+ ssl->handshake->ecdh_psa_privkey = pk->priv_id;
/* Key should not be destroyed in the TLS library */
ssl->handshake->ecdh_psa_privkey_is_external = 1;
@@ -2637,12 +2636,11 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
- key = mbedtls_pk_ec(*pk);
- if (key == NULL) {
+ grp_id = mbedtls_pk_get_group_id(pk);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
-
- tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(key->grp.id);
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
/* This elliptic curve is not supported */
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@@ -2662,11 +2660,19 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type));
psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
ret = mbedtls_ecp_write_key(key, buf, key_len);
if (ret != 0) {
goto cleanup;
}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
status = psa_import_key(&key_attributes, buf, key_len,
&ssl->handshake->ecdh_psa_privkey);
@@ -2705,7 +2711,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
}
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
- mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)),
+ mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
MBEDTLS_ECDH_OURS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
@@ -3074,7 +3080,7 @@ curve_matching_done:
size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
size_t hashlen = 0;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index e1d0c6ced0..3dffc1df4a 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -33,6 +33,7 @@
#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
+#include "md_psa.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
@@ -672,7 +673,7 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
if (ciphersuite_info != NULL) {
- return mbedtls_psa_translate_md(ciphersuite_info->mac);
+ return mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
}
return PSA_ALG_NONE;
@@ -850,7 +851,7 @@ static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
- ssl, mbedtls_hash_info_md_from_psa(hash_alg),
+ ssl, mbedtls_md_type_from_psa_alg(hash_alg),
transcript, sizeof(transcript), &transcript_len);
if (ret != 0) {
return ret;
@@ -1126,7 +1127,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
return ret;
}
- if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac)
+ if (mbedtls_md_psa_alg_from_type(ssl->handshake->ciphersuite_info->mac)
!= hash_alg) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("Invalid ciphersuite for external psk."));
@@ -1696,7 +1697,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
cipher_suite, ciphersuite_info->name));
#if defined(MBEDTLS_HAVE_TIME)
- ssl->session_negotiate->start = time(NULL);
+ ssl->session_negotiate->start = mbedtls_time(NULL);
#endif /* MBEDTLS_HAVE_TIME */
/* ...
@@ -2844,7 +2845,7 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);
+ psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_length = PSA_HASH_LENGTH(psa_hash_alg);
if (hash_length == -1 ||
(size_t) hash_length > sizeof(session->resumption_key)) {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a00785b09b..a59f01c3e0 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -29,7 +29,7 @@
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
+#include "md_psa.h"
#include "ssl_misc.h"
#include "ssl_tls13_invasive.h"
@@ -274,7 +274,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
goto error;
}
- hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (hash_alg == 0) {
goto error;
}
@@ -1076,7 +1076,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
}
/* Hash verify buffer with indicated hash function */
- psa_algorithm = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
status = psa_hash_compute(psa_algorithm,
verify_buffer,
verify_buffer_len,
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 46caa45d3e..540f854a84 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -34,6 +34,7 @@
#include "ssl_tls13_invasive.h"
#include "psa/crypto.h"
+#include "md_psa.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
@@ -677,7 +678,7 @@ static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
+ psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
handshake->ciphersuite_info->mac);
/*
@@ -792,7 +793,7 @@ int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
- psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(
ssl->handshake->ciphersuite_info->mac);
size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
@@ -1163,7 +1164,7 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
md_type = ciphersuite_info->mac;
- hash_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
+ hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
@@ -1291,7 +1292,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
- hash_alg = mbedtls_hash_info_psa_from_md(handshake->ciphersuite_info->mac);
+ hash_alg = mbedtls_md_psa_alg_from_type(handshake->ciphersuite_info->mac);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
@@ -1365,7 +1366,7 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
md_type = ciphersuite_info->mac;
- hash_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
+ hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
@@ -1472,7 +1473,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
- psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
+ psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
handshake->ciphersuite_info->mac);
unsigned char *shared_secret = NULL;
size_t shared_secret_len = 0;
@@ -1608,7 +1609,7 @@ static int ssl_tls13_generate_application_keys(
md_type = handshake->ciphersuite_info->mac;
- hash_alg = mbedtls_hash_info_psa_from_md(handshake->ciphersuite_info->mac);
+ hash_alg = mbedtls_md_psa_alg_from_type(handshake->ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
/* Compute current handshake transcript. It's the caller's responsibility
@@ -1766,7 +1767,7 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
}
ret = mbedtls_ssl_tls13_derive_resumption_master_secret(
- mbedtls_psa_translate_md(md_type),
+ mbedtls_md_psa_alg_from_type(md_type),
handshake->tls13_master_secrets.app,
transcript, transcript_len,
&ssl->session_negotiate->app_secrets);
@@ -1781,7 +1782,7 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_BUF(
4, "Resumption master secret",
ssl->session_negotiate->app_secrets.resumption_master_secret,
- PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type)));
+ PSA_HASH_LENGTH(mbedtls_md_psa_alg_from_type(md_type)));
MBEDTLS_SSL_DEBUG_MSG(
2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 33121afa73..cf61191877 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -25,6 +25,7 @@
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
+#include "md_psa.h"
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
@@ -332,7 +333,7 @@ static int ssl_tls13_offered_psks_check_binder_match(
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
- ssl, mbedtls_hash_info_md_from_psa(psk_hash_alg),
+ ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
transcript, sizeof(transcript), &transcript_len);
if (ret != 0) {
return ret;
@@ -406,7 +407,7 @@ static int ssl_tls13_select_ciphersuite_for_psk(
/* MAC of selected ciphersuite MUST be same with PSK binder if exist.
* Otherwise, client should reject.
*/
- if (psk_hash_alg == mbedtls_psa_translate_md(ciphersuite_info->mac)) {
+ if (psk_hash_alg == mbedtls_md_psa_alg_from_type(ciphersuite_info->mac)) {
*selected_ciphersuite = cipher_suite;
*selected_ciphersuite_info = ciphersuite_info;
return 0;
@@ -612,7 +613,7 @@ static int ssl_tls13_parse_pre_shared_key_ext(
ret = ssl_tls13_offered_psks_check_binder_match(
ssl, binder, binder_len, psk_type,
- mbedtls_psa_translate_md(ciphersuite_info->mac));
+ mbedtls_md_psa_alg_from_type(ciphersuite_info->mac));
if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
/* For security reasons, the handshake should be aborted when we
* fail to validate a binder value. See RFC 8446 section 4.2.11.2
@@ -1846,7 +1847,7 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SERVER_HELLO_RANDOM_LEN);
#if defined(MBEDTLS_HAVE_TIME)
- ssl->session_negotiate->start = time(NULL);
+ ssl->session_negotiate->start = mbedtls_time(NULL);
#endif /* MBEDTLS_HAVE_TIME */
return ret;
@@ -2783,7 +2784,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
ciphersuite_info =
(mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
- psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);
+ psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_length = PSA_HASH_LENGTH(psa_hash_alg);
if (hash_length == -1 ||
(size_t) hash_length > sizeof(session->resumption_key)) {
diff --git a/library/x509.c b/library/x509.c
index c9524c958e..8a4426478d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1201,6 +1201,87 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
return 0;
}
+/* Check mbedtls_x509_get_subject_alt_name for detailed description.
+ *
+ * In some cases while parsing subject alternative names the sequence tag is optional
+ * (e.g. CertSerialNumber). This function is designed to handle such case.
+ */
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t tag_len;
+ mbedtls_asn1_sequence *cur = subject_alt_name;
+
+ while (*p < end) {
+ mbedtls_x509_subject_alternative_name tmp_san_name;
+ mbedtls_x509_buf tmp_san_buf;
+ memset(&tmp_san_name, 0, sizeof(tmp_san_name));
+
+ tmp_san_buf.tag = **p;
+ (*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ tmp_san_buf.p = *p;
+ tmp_san_buf.len = tag_len;
+
+ if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ /*
+ * Check that the SAN is structured correctly by parsing it.
+ * The SAN structure is discarded afterwards.
+ */
+ ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &tmp_san_name);
+ /*
+ * In case the extension is malformed, return an error,
+ * and clear the allocated sequences.
+ */
+ if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+ mbedtls_asn1_sequence_free(subject_alt_name->next);
+ subject_alt_name->next = NULL;
+ return ret;
+ }
+
+ mbedtls_x509_free_subject_alt_name(&tmp_san_name);
+ /* Allocate and assign next pointer */
+ if (cur->buf.p != NULL) {
+ if (cur->next != NULL) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+ }
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+ }
+
+ cur = cur->next;
+ }
+
+ cur->buf = tmp_san_buf;
+ *p += tmp_san_buf.len;
+ }
+
+ /* Set final sequence entry's next pointer to NULL */
+ cur->next = NULL;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
/*
* SubjectAltName ::= GeneralNames
*
@@ -1234,8 +1315,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
mbedtls_x509_sequence *subject_alt_name)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t len, tag_len;
- mbedtls_asn1_sequence *cur = subject_alt_name;
+ size_t len;
/* Get main sequence tag */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
@@ -1248,71 +1328,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
- while (*p < end) {
- mbedtls_x509_subject_alternative_name dummy_san_buf;
- mbedtls_x509_buf tmp_san_buf;
- memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
-
- tmp_san_buf.tag = **p;
- (*p)++;
-
- if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
- }
-
- tmp_san_buf.p = *p;
- tmp_san_buf.len = tag_len;
-
- if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
- MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
- }
-
- /*
- * Check that the SAN is structured correctly.
- */
- ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
- /*
- * In case the extension is malformed, return an error,
- * and clear the allocated sequences.
- */
- if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
- mbedtls_asn1_sequence_free(subject_alt_name->next);
- subject_alt_name->next = NULL;
- return ret;
- }
-
- mbedtls_x509_free_subject_alt_name(&dummy_san_buf);
- /* Allocate and assign next pointer */
- if (cur->buf.p != NULL) {
- if (cur->next != NULL) {
- return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
- }
-
- cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
-
- if (cur->next == NULL) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_ALLOC_FAILED);
- }
-
- cur = cur->next;
- }
-
- cur->buf = tmp_san_buf;
- *p += tmp_san_buf.len;
- }
-
- /* Set final sequence entry's next pointer to NULL */
- cur->next = NULL;
-
- if (*p != end) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
- }
-
- return 0;
+ return mbedtls_x509_get_subject_alt_name_ext(p, end, subject_alt_name);
}
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
@@ -1424,7 +1440,7 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
break;
/*
- * RFC822 Name
+ * rfc822Name
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
{
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 874d8f607a..9b3414a49e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -47,9 +47,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
+#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#include "hash_info.h"
#include "x509_invasive.h"
+#include "pk_internal.h"
#include "mbedtls/platform.h"
@@ -237,7 +238,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
if (pk_alg == MBEDTLS_PK_ECDSA ||
pk_alg == MBEDTLS_PK_ECKEY ||
pk_alg == MBEDTLS_PK_ECKEY_DH) {
- const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id;
+ const mbedtls_ecp_group_id gid = mbedtls_pk_get_group_id(pk);
if (gid == MBEDTLS_ECP_DP_NONE) {
return -1;
@@ -591,6 +592,114 @@ static int x509_get_ext_key_usage(unsigned char **p,
return 0;
}
+/*
+ * SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * KeyIdentifier ::= OCTET STRING
+ */
+static int x509_get_subject_key_id(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_buf *subject_key_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0u;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ subject_key_id->len = len;
+ subject_key_id->tag = MBEDTLS_ASN1_OCTET_STRING;
+ subject_key_id->p = *p;
+ *p += len;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * AuthorityKeyIdentifier ::= SEQUENCE {
+ * keyIdentifier [0] KeyIdentifier OPTIONAL,
+ * authorityCertIssuer [1] GeneralNames OPTIONAL,
+ * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ *
+ * KeyIdentifier ::= OCTET STRING
+ */
+static int x509_get_authority_key_id(unsigned char **p,
+ unsigned char *end,
+ mbedtls_x509_authority *authority_key_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0u;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+
+ /* KeyIdentifier is an OPTIONAL field */
+ if (ret == 0) {
+ authority_key_id->keyIdentifier.len = len;
+ authority_key_id->keyIdentifier.p = *p;
+ /* Setting tag of the keyIdentfier intentionally to 0x04.
+ * Although the .keyIdentfier field is CONTEXT_SPECIFIC ([0] OPTIONAL),
+ * its tag with the content is the payload of on OCTET STRING primitive */
+ authority_key_id->keyIdentifier.tag = MBEDTLS_ASN1_OCTET_STRING;
+
+ *p += len;
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p < end) {
+ /* Getting authorityCertIssuer using the required specific class tag [1] */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 1)) != 0) {
+ /* authorityCertIssuer and authorityCertSerialNumber MUST both
+ be present or both be absent. At this point we expect to have both. */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ /* "end" also includes the CertSerialNumber field so "len" shall be used */
+ ret = mbedtls_x509_get_subject_alt_name_ext(p,
+ (*p+len),
+ &authority_key_id->authorityCertIssuer);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Getting authorityCertSerialNumber using the required specific class tag [2] */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ authority_key_id->authorityCertSerialNumber.len = len;
+ authority_key_id->authorityCertSerialNumber.p = *p;
+ authority_key_id->authorityCertSerialNumber.tag = MBEDTLS_ASN1_INTEGER;
+ *p += len;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
/*
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
*
@@ -889,8 +998,25 @@ static int x509_get_crt_ext(unsigned char **p,
}
break;
+ case MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER:
+ /* Parse subject key identifier */
+ if ((ret = x509_get_subject_key_id(p, end_ext_data,
+ &crt->subject_key_id)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER:
+ /* Parse authority key identifier */
+ if ((ret = x509_get_authority_key_id(p, end_ext_octet,
+ &crt->authority_key_id)) != 0) {
+ return ret;
+ }
+ break;
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
- /* Parse subject alt name */
+ /* Parse subject alt name
+ * SubjectAltName ::= GeneralNames
+ */
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
&crt->subject_alt_names)) != 0) {
return ret;
@@ -1550,6 +1676,27 @@ cleanup:
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#define PRINT_ITEM(i) \
+ do { \
+ ret = mbedtls_snprintf(p, n, "%s" i, sep); \
+ MBEDTLS_X509_SAFE_SNPRINTF; \
+ sep = ", "; \
+ } while (0)
+
+#define CERT_TYPE(type, name) \
+ do { \
+ if (ns_cert_type & (type)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
+#define KEY_USAGE(code, name) \
+ do { \
+ if (key_usage & (code)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
static int x509_info_ext_key_usage(char **buf, size_t *size,
const mbedtls_x509_sequence *extended_key_usage)
{
@@ -1877,7 +2024,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
const mbedtls_x509_crt_profile *profile)
{
int flags = 0;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_algorithm;
#else
@@ -1917,7 +2064,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_algorithm = mbedtls_hash_info_psa_from_md(crl_list->sig_md);
+ psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
if (psa_hash_compute(psa_algorithm,
crl_list->tbs.p,
crl_list->tbs.len,
@@ -1986,7 +2133,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
mbedtls_x509_crt_restart_ctx *rs_ctx)
{
size_t hash_len;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type(child->sig_md);
@@ -1997,7 +2144,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
return -1;
}
#else
- psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(child->sig_md);
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
status = psa_hash_compute(hash_alg,
@@ -2667,7 +2814,6 @@ static int x509_inet_pton_ipv6(const char *src, void *dst)
static int x509_inet_pton_ipv4(const char *src, void *dst)
{
- /* note: allows leading 0's, e.g. 000.000.000.000 */
const unsigned char *p = (const unsigned char *) src;
uint8_t *res = (uint8_t *) dst;
uint8_t digit, num_digits = 0;
@@ -2681,13 +2827,20 @@ static int x509_inet_pton_ipv4(const char *src, void *dst)
if (digit > 9) {
break;
}
+
+ /* Don't allow leading zeroes. These might mean octal format,
+ * which this implementation does not support. */
+ if (octet == 0 && num_digits > 0) {
+ return -1;
+ }
+
octet = octet * 10 + digit;
num_digits++;
p++;
} while (num_digits < 3);
if (octet >= 256 || num_digits > 3 || num_digits == 0) {
- break;
+ return -1;
}
*res++ = (uint8_t) octet;
num_octets++;
@@ -2758,6 +2911,21 @@ static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
return -1;
}
+static int x509_crt_check_san_uri(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
@@ -2765,23 +2933,38 @@ static int x509_crt_check_san(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len)
{
int san_ip = 0;
+ int san_uri = 0;
+ /* Prioritize DNS name over other subtypes due to popularity */
for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
- case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
+ case MBEDTLS_X509_SAN_DNS_NAME:
if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
return 0;
}
break;
- case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
san_ip = 1;
break;
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ san_uri = 1;
+ break;
/* (We may handle other types here later.) */
default: /* Unrecognized type */
break;
}
}
+ if (san_ip) {
+ if (x509_crt_check_san_ip(san, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
+ if (san_uri) {
+ if (x509_crt_check_san_uri(san, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
- return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
+ return -1;
}
/*
@@ -3049,6 +3232,7 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
+ mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);
if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 70d7e93db2..59fd589003 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -31,10 +31,12 @@
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
+#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/md.h"
#include
+#include
#if defined(MBEDTLS_PEM_WRITE_C)
#include "mbedtls/pem.h"
@@ -43,9 +45,18 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
+#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#include "hash_info.h"
+#define CHECK_OVERFLOW_ADD(a, b) \
+ do \
+ { \
+ if (a > SIZE_MAX - (b)) \
+ { \
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
+ } \
+ a += b; \
+ } while (0)
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
{
@@ -152,6 +163,137 @@ int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx,
return 0;
}
+int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
+ const mbedtls_x509_san_list *san_list)
+{
+ int ret = 0;
+ const mbedtls_x509_san_list *cur;
+ unsigned char *buf;
+ unsigned char *p;
+ size_t len;
+ size_t buflen = 0;
+
+ /* Determine the maximum size of the SubjectAltName list */
+ for (cur = san_list; cur != NULL; cur = cur->next) {
+ /* Calculate size of the required buffer */
+ switch (cur->node.type) {
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
+ /* length of value for each name entry,
+ * maximum 4 bytes for the length field,
+ * 1 byte for the tag/type.
+ */
+ CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+ break;
+ case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+ {
+ const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
+ while (chunk != NULL) {
+ // Max 4 bytes for length, +1 for tag,
+ // additional 4 max for length, +1 for tag.
+ // See x509_write_name for more information.
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
+ CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
+ CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
+ chunk = chunk->next;
+ }
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+ break;
+ }
+ default:
+ /* Not supported - return. */
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+ }
+
+ /* Add the extra length field and tag */
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+
+ /* Allocate buffer */
+ buf = mbedtls_calloc(1, buflen);
+ if (buf == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+ p = buf + buflen;
+
+ /* Write ASN.1-based structure */
+ cur = san_list;
+ len = 0;
+ while (cur != NULL) {
+ size_t single_san_len = 0;
+ switch (cur->node.type) {
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ {
+ const unsigned char *unstructured_name =
+ (const unsigned char *) cur->node.san.unstructured_name.p;
+ size_t unstructured_name_len = cur->node.san.unstructured_name.len;
+
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_raw_buffer(
+ &p, buf,
+ unstructured_name, unstructured_name_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
+ &p, buf, unstructured_name_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_tag(
+ &p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
+ }
+ break;
+ case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_x509_write_names(&p, buf,
+ (mbedtls_asn1_named_data *) &
+ cur->node
+ .san.directory_name));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_len(&p, buf, single_san_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_X509_SAN_DIRECTORY_NAME));
+ break;
+ default:
+ /* Error out on an unsupported SAN */
+ ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+ cur = cur->next;
+ /* check for overflow */
+ if (len > SIZE_MAX - single_san_len) {
+ ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+ len += single_san_len;
+ }
+
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
+ mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ ret = mbedtls_x509write_crt_set_extension(
+ ctx,
+ MBEDTLS_OID_SUBJECT_ALT_NAME,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
+ 0,
+ buf + buflen - len,
+ len);
+
+cleanup:
+ mbedtls_free(buf);
+ return ret;
+}
+
+
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
const char *oid, size_t oid_len,
int critical,
@@ -426,7 +568,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char *c, *c2;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
size_t hash_length = 0;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t psa_algorithm;
@@ -585,7 +727,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/* Compute hash of CRT. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_algorithm = mbedtls_hash_info_psa_from_md(ctx->md_alg);
+ psa_algorithm = mbedtls_md_psa_alg_from_type(ctx->md_alg);
status = psa_hash_compute(psa_algorithm,
c,
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index deb66174b2..d792d34509 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -36,8 +36,8 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
+#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#include "hash_info.h"
#include
#include
@@ -243,13 +243,13 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
- unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_len;
- psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(ctx->md_alg);
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Write the CSR backwards starting from the end of buf */
diff --git a/programs/.gitignore b/programs/.gitignore
index 398152dcbc..d11db9e6b8 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -9,9 +9,6 @@
/psa/psa_constant_names_generated.c
/test/query_config.c
-*.o
-*.exe
-
aes/crypt_and_hash
cipher/cipher_aead_demo
hash/generic_sum
diff --git a/programs/psa/key_ladder_demo.sh b/programs/psa/key_ladder_demo.sh
index 67de085379..e21d1abf03 100755
--- a/programs/psa/key_ladder_demo.sh
+++ b/programs/psa/key_ladder_demo.sh
@@ -17,9 +17,27 @@
set -e -u
-program="${0%/*}"/key_ladder_demo
+program_name="key_ladder_demo"
+program="${0%/*}/$program_name"
files_to_clean=
+if [ ! -e "$program" ]; then
+ # Look for programs in the current directory and the directories above it
+ for dir in "." ".." "../.."; do
+ program="$dir/programs/psa/$program_name"
+ if [ -e "$program" ]; then
+ break
+ fi
+ done
+ if [ ! -e "$program" ]; then
+ echo "Could not find $program_name executable"
+
+ echo "If building out-of-tree, this script must be run" \
+ "from the project build directory."
+ exit 1
+ fi
+fi
+
run () {
echo
echo "# $1"
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 7cfcc9b319..5f8bea93ca 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -73,7 +73,7 @@ int main(void)
/* Size of memory to be allocated for the heap, when using the library's memory
* management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */
-#define MEMORY_HEAP_SIZE 120000
+#define MEMORY_HEAP_SIZE 180000
#define DFL_SERVER_ADDR NULL
#define DFL_SERVER_PORT "4433"
diff --git a/programs/test/dlopen_demo.sh b/programs/test/dlopen_demo.sh
index 2dde3ebeda..a6a9022fc8 100755
--- a/programs/test/dlopen_demo.sh
+++ b/programs/test/dlopen_demo.sh
@@ -20,8 +20,29 @@
set -e -u
+program_name="dlopen"
program_dir="${0%/*}"
-program="$program_dir/dlopen"
+program="$program_dir/$program_name"
+
+if [ ! -e "$program" ]; then
+ # Look for programs in the current directory and the directories above it
+ for dir in "." ".." "../.."; do
+ program_dir="$dir/programs/test"
+ program="$program_dir/$program_name"
+ if [ -e "$program" ]; then
+ break
+ fi
+ done
+ if [ ! -e "$program" ]; then
+ echo "Could not find $program_name program"
+
+ echo "Make sure that Mbed TLS is built as a shared library." \
+ "If building out-of-tree, this script must be run" \
+ "from the project build directory."
+ exit 1
+ fi
+fi
+
top_dir="$program_dir/../.."
library_dir="$top_dir/library"
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 1772f87d9b..fe060f3d92 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -66,7 +66,7 @@ int main(void)
" output_file=%%s default: cert.req\n" \
" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
" san=%%s default: (none)\n" \
- " Comma-separated-list of values:\n" \
+ " Semicolon-separated-list of values:\n" \
" DNS:value\n" \
" URI:value\n" \
" IP:value (Only IPv4 is supported)\n" \
@@ -119,7 +119,7 @@ struct options {
static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
{
for (int i = 0; i < maxBytes; i++) {
- bytes[i] = (uint8_t) strtoul(str, NULL, 16);
+ bytes[i] = (uint8_t) strtoul(str, NULL, 10);
str = strchr(str, '.');
if (str == NULL || *str == '\0') {
break;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 51b09f3d65..e4f8886fe9 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -79,6 +79,7 @@ int main(void)
#define DFL_NOT_AFTER "20301231235959"
#define DFL_SERIAL "1"
#define DFL_SERIAL_HEX "1"
+#define DFL_EXT_SUBJECTALTNAME ""
#define DFL_SELFSIGN 0
#define DFL_IS_CA 0
#define DFL_MAX_PATHLEN -1
@@ -134,6 +135,13 @@ int main(void)
" subject_identifier=%%s default: 1\n" \
" Possible values: 0, 1\n" \
" (Considered for v3 only)\n" \
+ " san=%%s default: (none)\n" \
+ " Semicolon-separated-list of values:\n" \
+ " DNS:value\n" \
+ " URI:value\n" \
+ " RFC822:value\n" \
+ " IP:value (Only IPv4 is supported)\n" \
+ " DN:list of comma separated key=value pairs\n" \
" authority_identifier=%%s default: 1\n" \
" Possible values: 0, 1\n" \
" (Considered for v3 only)\n" \
@@ -188,6 +196,7 @@ struct options {
const char *issuer_pwd; /* password for the issuer key file */
const char *output_file; /* where to store the constructed CRT */
const char *subject_name; /* subject name for certificate */
+ mbedtls_x509_san_list *san_list; /* subjectAltName for certificate */
const char *issuer_name; /* issuer name for certificate */
const char *not_before; /* validity period not before */
const char *not_after; /* validity period not after */
@@ -207,6 +216,18 @@ struct options {
int format; /* format */
} opt;
+static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
+{
+ for (int i = 0; i < maxBytes; i++) {
+ bytes[i] = (uint8_t) strtoul(str, NULL, 10);
+ str = strchr(str, '.');
+ if (str == NULL || *str == '\0') {
+ break;
+ }
+ str++;
+ }
+}
+
int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
@@ -314,7 +335,9 @@ int main(int argc, char *argv[])
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "crt example app";
-
+ mbedtls_x509_san_list *cur, *prev;
+ mbedtls_asn1_named_data *ext_san_dirname = NULL;
+ uint8_t ip[4] = { 0 };
/*
* Set to sane values
*/
@@ -370,6 +393,7 @@ usage:
opt.authority_identifier = DFL_AUTH_IDENT;
opt.basic_constraints = DFL_CONSTRAINTS;
opt.format = DFL_FORMAT;
+ opt.san_list = NULL;
for (i = 1; i < argc; i++) {
@@ -526,6 +550,92 @@ usage:
*tail = ext_key_usage;
tail = &ext_key_usage->next;
+ q = r;
+ }
+ } else if (strcmp(p, "san") == 0) {
+ char *subtype_value;
+ prev = NULL;
+
+ while (q != NULL) {
+ char *semicolon;
+ r = q;
+
+ /* Find the first non-escaped ; occurrence and remove escaped ones */
+ do {
+ if ((semicolon = strchr(r, ';')) != NULL) {
+ if (*(semicolon-1) != '\\') {
+ r = semicolon;
+ break;
+ }
+ /* Remove the escape character */
+ size_t size_left = strlen(semicolon);
+ memmove(semicolon-1, semicolon, size_left);
+ *(semicolon + size_left - 1) = '\0';
+ /* r will now point at the character after the semicolon */
+ r = semicolon;
+ }
+
+ } while (semicolon != NULL);
+
+ if (semicolon != NULL) {
+ *r++ = '\0';
+ } else {
+ r = NULL;
+ }
+
+ cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list));
+ if (cur == NULL) {
+ mbedtls_printf("Not enough memory for subjectAltName list\n");
+ goto usage;
+ }
+
+ cur->next = NULL;
+
+ if ((subtype_value = strchr(q, ':')) != NULL) {
+ *subtype_value++ = '\0';
+ }
+ if (strcmp(q, "RFC822") == 0) {
+ cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
+ } else if (strcmp(q, "URI") == 0) {
+ cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ } else if (strcmp(q, "DNS") == 0) {
+ cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
+ } else if (strcmp(q, "IP") == 0) {
+ cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ ip_string_to_bytes(subtype_value, ip, 4);
+ cur->node.san.unstructured_name.p = (unsigned char *) ip;
+ cur->node.san.unstructured_name.len = sizeof(ip);
+ } else if (strcmp(q, "DN") == 0) {
+ cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
+ if ((ret = mbedtls_x509_string_to_names(&ext_san_dirname,
+ subtype_value)) != 0) {
+ mbedtls_strerror(ret, buf, sizeof(buf));
+ mbedtls_printf(
+ " failed\n ! mbedtls_x509_string_to_names "
+ "returned -0x%04x - %s\n\n",
+ (unsigned int) -ret, buf);
+ goto exit;
+ }
+ cur->node.san.directory_name = *ext_san_dirname;
+ } else {
+ mbedtls_free(cur);
+ goto usage;
+ }
+
+ if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME ||
+ cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER ||
+ cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) {
+ cur->node.san.unstructured_name.p = (unsigned char *) subtype_value;
+ cur->node.san.unstructured_name.len = strlen(subtype_value);
+ }
+
+ if (prev == NULL) {
+ opt.san_list = cur;
+ } else {
+ prev->next = cur;
+ }
+
+ prev = cur;
q = r;
}
} else if (strcmp(p, "ns_cert_type") == 0) {
@@ -833,6 +943,17 @@ usage:
mbedtls_printf(" ok\n");
}
+ if (opt.san_list != NULL) {
+ ret = mbedtls_x509write_crt_set_subject_alternative_name(&crt, opt.san_list);
+
+ if (ret != 0) {
+ mbedtls_printf(
+ " failed\n ! mbedtls_x509write_crt_set_subject_alternative_name returned %d",
+ ret);
+ goto exit;
+ }
+ }
+
if (opt.ext_key_usage) {
mbedtls_printf(" . Adding the Extended Key Usage extension ...");
fflush(stdout);
@@ -888,6 +1009,7 @@ exit:
#if defined(MBEDTLS_X509_CSR_PARSE_C)
mbedtls_x509_csr_free(&csr);
#endif /* MBEDTLS_X509_CSR_PARSE_C */
+ mbedtls_asn1_free_named_data_list(&ext_san_dirname);
mbedtls_x509_crt_free(&issuer_crt);
mbedtls_x509write_crt_free(&crt);
mbedtls_pk_free(&loaded_subject_key);
diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index 1ad983fa93..3ddc417051 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -10,3 +10,9 @@ pylint == 2.4.4
# Use the earliest version of mypy that works with our code base.
# See https://github.com/Mbed-TLS/mbedtls/pull/3953 .
mypy >= 0.780
+
+# Install cryptography to avoid import-error reported by pylint.
+# What we really need is cryptography >= 35.0.0, which is only
+# available for Python >= 3.6.
+cryptography >= 35.0.0; sys_platform == 'linux' and python_version >= '3.6'
+cryptography; sys_platform == 'linux' and python_version < '3.6'
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py
index af6ddd4fcb..de5249a5e7 100755
--- a/scripts/code_size_compare.py
+++ b/scripts/code_size_compare.py
@@ -1,8 +1,6 @@
#!/usr/bin/env python3
"""
-Purpose
-
This script is for comparing the size of the library files from two
different Git revisions within an Mbed TLS repository.
The results of the comparison is formatted as csv and stored at a
@@ -29,18 +27,103 @@ import argparse
import os
import subprocess
import sys
+from enum import Enum
from mbedtls_dev import build_tree
+class SupportedArch(Enum):
+ """Supported architecture for code size measurement."""
+ AARCH64 = 'aarch64'
+ AARCH32 = 'aarch32'
+ ARMV8_M = 'armv8-m'
+ X86_64 = 'x86_64'
+ X86 = 'x86'
+
+CONFIG_TFM_MEDIUM_MBEDCRYPTO_H = "../configs/tfm_mbedcrypto_config_profile_medium.h"
+CONFIG_TFM_MEDIUM_PSA_CRYPTO_H = "../configs/crypto_config_profile_medium.h"
+class SupportedConfig(Enum):
+ """Supported configuration for code size measurement."""
+ DEFAULT = 'default'
+ TFM_MEDIUM = 'tfm-medium'
+
+DETECT_ARCH_CMD = "cc -dM -E - < /dev/null"
+def detect_arch() -> str:
+ """Auto-detect host architecture."""
+ cc_output = subprocess.check_output(DETECT_ARCH_CMD, shell=True).decode()
+ if "__aarch64__" in cc_output:
+ return SupportedArch.AARCH64.value
+ if "__arm__" in cc_output:
+ return SupportedArch.AARCH32.value
+ if "__x86_64__" in cc_output:
+ return SupportedArch.X86_64.value
+ if "__x86__" in cc_output:
+ return SupportedArch.X86.value
+ else:
+ print("Unknown host architecture, cannot auto-detect arch.")
+ sys.exit(1)
+
+class CodeSizeInfo: # pylint: disable=too-few-public-methods
+ """Gather information used to measure code size.
+
+ It collects information about architecture, configuration in order to
+ infer build command for code size measurement.
+ """
+
+ SupportedArchConfig = [
+ "-a " + SupportedArch.AARCH64.value + " -c " + SupportedConfig.DEFAULT.value,
+ "-a " + SupportedArch.AARCH32.value + " -c " + SupportedConfig.DEFAULT.value,
+ "-a " + SupportedArch.X86_64.value + " -c " + SupportedConfig.DEFAULT.value,
+ "-a " + SupportedArch.X86.value + " -c " + SupportedConfig.DEFAULT.value,
+ "-a " + SupportedArch.ARMV8_M.value + " -c " + SupportedConfig.TFM_MEDIUM.value,
+ ]
+
+ def __init__(self, arch: str, config: str, sys_arch: str) -> None:
+ """
+ arch: architecture to measure code size on.
+ config: configuration type to measure code size with.
+ make_command: command to build library (Inferred from arch and config).
+ """
+ self.arch = arch
+ self.config = config
+ self.sys_arch = sys_arch
+ self.make_command = self.set_make_command()
+
+ def set_make_command(self) -> str:
+ """Infer build command based on architecture and configuration."""
+
+ if self.config == SupportedConfig.DEFAULT.value and \
+ self.arch == self.sys_arch:
+ return 'make -j lib CFLAGS=\'-Os \' '
+ elif self.arch == SupportedArch.ARMV8_M.value and \
+ self.config == SupportedConfig.TFM_MEDIUM.value:
+ return \
+ 'make -j lib CC=armclang \
+ CFLAGS=\'--target=arm-arm-none-eabi -mcpu=cortex-m33 -Os \
+ -DMBEDTLS_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_MBEDCRYPTO_H + '\\\" \
+ -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_PSA_CRYPTO_H + '\\\" \''
+ else:
+ print("Unsupported combination of architecture: {} and configuration: {}"
+ .format(self.arch, self.config))
+ print("\nPlease use supported combination of architecture and configuration:")
+ for comb in CodeSizeInfo.SupportedArchConfig:
+ print(comb)
+ print("\nFor your system, please use:")
+ for comb in CodeSizeInfo.SupportedArchConfig:
+ if "default" in comb and self.sys_arch not in comb:
+ continue
+ print(comb)
+ sys.exit(1)
+
class CodeSizeComparison:
"""Compare code size between two Git revisions."""
- def __init__(self, old_revision, new_revision, result_dir):
+ def __init__(self, old_revision, new_revision, result_dir, code_size_info):
"""
- old_revision: revision to compare against
+ old_revision: revision to compare against.
new_revision:
- result_dir: directory for comparison result
+ result_dir: directory for comparison result.
+ code_size_info: an object containing information to build library.
"""
self.repo_path = "."
self.result_dir = os.path.abspath(result_dir)
@@ -52,7 +135,9 @@ class CodeSizeComparison:
self.old_rev = old_revision
self.new_rev = new_revision
self.git_command = "git"
- self.make_command = "make"
+ self.make_command = code_size_info.make_command
+ self.fname_suffix = "-" + code_size_info.arch + "-" +\
+ code_size_info.config
@staticmethod
def validate_revision(revision):
@@ -75,21 +160,25 @@ class CodeSizeComparison:
git_worktree_path, revision], cwd=self.repo_path,
stderr=subprocess.STDOUT
)
+
return git_worktree_path
def _build_libraries(self, git_worktree_path):
"""Build libraries in the specified worktree."""
my_environment = os.environ.copy()
- subprocess.check_output(
- [self.make_command, "-j", "lib"], env=my_environment,
- cwd=git_worktree_path, stderr=subprocess.STDOUT,
- )
+ try:
+ subprocess.check_output(
+ self.make_command, env=my_environment, shell=True,
+ cwd=git_worktree_path, stderr=subprocess.STDOUT,
+ )
+ except subprocess.CalledProcessError as e:
+ self._handle_called_process_error(e, git_worktree_path)
def _gen_code_size_csv(self, revision, git_worktree_path):
"""Generate code size csv file."""
- csv_fname = revision + ".csv"
+ csv_fname = revision + self.fname_suffix + ".csv"
if revision == "current":
print("Measuring code size in current work directory.")
else:
@@ -117,7 +206,7 @@ class CodeSizeComparison:
"""Generate code size csv file for the specified git revision."""
# Check if the corresponding record exists
- csv_fname = revision + ".csv"
+ csv_fname = revision + self.fname_suffix + ".csv"
if (revision != "current") and \
os.path.exists(os.path.join(self.csv_dir, csv_fname)):
print("Code size csv file for", revision, "already exists.")
@@ -132,16 +221,20 @@ class CodeSizeComparison:
old and new. Measured code size results of these two revisions
must be available."""
- old_file = open(os.path.join(self.csv_dir, self.old_rev + ".csv"), "r")
- new_file = open(os.path.join(self.csv_dir, self.new_rev + ".csv"), "r")
- res_file = open(os.path.join(self.result_dir, "compare-" + self.old_rev
- + "-" + self.new_rev + ".csv"), "w")
+ old_file = open(os.path.join(self.csv_dir, self.old_rev +
+ self.fname_suffix + ".csv"), "r")
+ new_file = open(os.path.join(self.csv_dir, self.new_rev +
+ self.fname_suffix + ".csv"), "r")
+ res_file = open(os.path.join(self.result_dir, "compare-" +
+ self.old_rev + "-" + self.new_rev +
+ self.fname_suffix +
+ ".csv"), "w")
res_file.write("file_name, this_size, old_size, change, change %\n")
print("Generating comparison results.")
old_ds = {}
- for line in old_file.readlines()[1:]:
+ for line in old_file.readlines():
cols = line.split(", ")
fname = cols[0]
size = int(cols[1])
@@ -149,7 +242,7 @@ class CodeSizeComparison:
old_ds[fname] = size
new_ds = {}
- for line in new_file.readlines()[1:]:
+ for line in new_file.readlines():
cols = line.split(", ")
fname = cols[0]
size = int(cols[1])
@@ -175,30 +268,50 @@ class CodeSizeComparison:
self._get_code_size_for_rev(self.new_rev)
return self.compare_code_size()
+ def _handle_called_process_error(self, e: subprocess.CalledProcessError,
+ git_worktree_path):
+ """Handle a CalledProcessError and quit the program gracefully.
+ Remove any extra worktrees so that the script may be called again."""
+
+ # Tell the user what went wrong
+ print("The following command: {} failed and exited with code {}"
+ .format(e.cmd, e.returncode))
+ print("Process output:\n {}".format(str(e.output, "utf-8")))
+
+ # Quit gracefully by removing the existing worktree
+ self._remove_worktree(git_worktree_path)
+ sys.exit(-1)
+
def main():
- parser = argparse.ArgumentParser(
- description=(
- """This script is for comparing the size of the library files
- from two different Git revisions within an Mbed TLS repository.
- The results of the comparison is formatted as csv, and stored at
- a configurable location.
- Note: must be run from Mbed TLS root."""
- )
- )
- parser.add_argument(
+ parser = argparse.ArgumentParser(description=(__doc__))
+ group_required = parser.add_argument_group(
+ 'required arguments',
+ 'required arguments to parse for running ' + os.path.basename(__file__))
+ group_required.add_argument(
+ "-o", "--old-rev", type=str, required=True,
+ help="old revision for comparison.")
+
+ group_optional = parser.add_argument_group(
+ 'optional arguments',
+ 'optional arguments to parse for running ' + os.path.basename(__file__))
+ group_optional.add_argument(
"-r", "--result-dir", type=str, default="comparison",
help="directory where comparison result is stored, \
- default is comparison",
- )
- parser.add_argument(
- "-o", "--old-rev", type=str, help="old revision for comparison.",
- required=True,
- )
- parser.add_argument(
+ default is comparison")
+ group_optional.add_argument(
"-n", "--new-rev", type=str, default=None,
help="new revision for comparison, default is the current work \
- directory, including uncommitted changes."
- )
+ directory, including uncommitted changes.")
+ group_optional.add_argument(
+ "-a", "--arch", type=str, default=detect_arch(),
+ choices=list(map(lambda s: s.value, SupportedArch)),
+ help="specify architecture for code size comparison, default is the\
+ host architecture.")
+ group_optional.add_argument(
+ "-c", "--config", type=str, default=SupportedConfig.DEFAULT.value,
+ choices=list(map(lambda s: s.value, SupportedConfig)),
+ help="specify configuration type for code size comparison,\
+ default is the current MbedTLS configuration.")
comp_args = parser.parse_args()
if os.path.isfile(comp_args.result_dir):
@@ -214,8 +327,13 @@ def main():
else:
new_revision = "current"
+ code_size_info = CodeSizeInfo(comp_args.arch, comp_args.config,
+ detect_arch())
+ print("Measure code size for architecture: {}, configuration: {}"
+ .format(code_size_info.arch, code_size_info.config))
result_dir = comp_args.result_dir
- size_compare = CodeSizeComparison(old_revision, new_revision, result_dir)
+ size_compare = CodeSizeComparison(old_revision, new_revision, result_dir,
+ code_size_info)
return_code = size_compare.get_comparision_results()
sys.exit(return_code)
diff --git a/scripts/config.py b/scripts/config.py
index 92a4aadc84..bc99d87a4d 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -2,7 +2,7 @@
"""Mbed TLS configuration file manipulation library and tool
-Basic usage, to read the Mbed TLS or Mbed Crypto configuration:
+Basic usage, to read the Mbed TLS configuration:
config = ConfigFile()
if 'MBEDTLS_RSA_C' in config: print('RSA is enabled')
"""
@@ -467,7 +467,7 @@ if __name__ == '__main__':
def main():
"""Command line mbedtls_config.h manipulation tool."""
parser = argparse.ArgumentParser(description="""
- Mbed TLS and Mbed Crypto configuration file manipulation tool.
+ Mbed TLS configuration file manipulation tool.
""")
parser.add_argument('--file', '-f',
help="""File to read (and modify if requested).
diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index d8ef4a84f5..51b25a3715 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -80,6 +80,23 @@ def hex_digits_for_limb(limbs: int, bits_in_limb: int) -> int:
""" Retrun the hex digits need for a number of limbs. """
return 2 * (limbs * bits_in_limb // 8)
+def hex_digits_max_int(val: str, bits_in_limb: int) -> int:
+ """ Return the first number exceeding maximum the limb space
+ required to store the input hex-string value. This method
+ weights on the input str_len rather than numerical value
+ and works with zero-padded inputs"""
+ n = ((1 << (len(val) * 4)) - 1)
+ l = limbs_mpi(n, bits_in_limb)
+ return bound_mpi_limbs(l, bits_in_limb)
+
+def zfill_match(reference: str, target: str) -> str:
+ """ Zero pad target hex-string to match the limb size of
+ the reference input """
+ lt = len(target)
+ lr = len(reference)
+ target_len = lr if lt < lr else lt
+ return "{:x}".format(int(target, 16)).zfill(target_len)
+
class OperationCommon(test_data_generation.BaseTest):
"""Common features for bignum binary operations.
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 5801caef59..ff3fd23e68 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -68,6 +68,68 @@ class BignumCoreShiftR(BignumCoreTarget, test_data_generation.BaseTest):
for count in counts:
yield cls(input_hex, descr, count).create_test_case()
+
+class BignumCoreShiftL(BignumCoreTarget, bignum_common.ModOperationCommon):
+ """Test cases for mbedtls_bignum_core_shift_l()."""
+
+ BIT_SHIFT_VALUES = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a',
+ '1f', '20', '21', '3f', '40', '41', '47', '48', '4f',
+ '50', '51', '58', '80', '81', '88']
+ DATA = ["0", "1", "40", "dee5ca1a7ef10a75", "a1055eb0bb1efa1150ff",
+ "002e7ab0070ad57001", "020100000000000000001011121314151617",
+ "1946e2958a85d8863ae21f4904fcc49478412534ed53eaf321f63f2a222"
+ "7a3c63acbf50b6305595f90cfa8327f6db80d986fe96080bcbb5df1bdbe"
+ "9b74fb8dedf2bddb3f8215b54dffd66409323bcc473e45a8fe9d08e77a51"
+ "1698b5dad0416305db7fcf"]
+ arity = 1
+ test_function = "mpi_core_shift_l"
+ test_name = "Core shift(L)"
+ input_style = "arch_split"
+ symbol = "<<"
+ input_values = BIT_SHIFT_VALUES
+ moduli = DATA
+
+ @property
+ def val_n_max_limbs(self) -> int:
+ """ Return the limb count required to store the maximum number that can
+ fit in a the number of digits used by val_n """
+ m = bignum_common.hex_digits_max_int(self.val_n, self.bits_in_limb) - 1
+ return bignum_common.limbs_mpi(m, self.bits_in_limb)
+
+ def arguments(self) -> List[str]:
+ return [bignum_common.quote_str(self.val_n),
+ str(self.int_a)
+ ] + self.result()
+
+ def description(self) -> str:
+ """ Format the output as:
+ #{count} {hex input} ({input bits} {limbs capacity}) << {bit shift} """
+ bits = "({} bits in {} limbs)".format(self.int_n.bit_length(), self.val_n_max_limbs)
+ return "{} #{} {} {} {} {}".format(self.test_name,
+ self.count,
+ self.val_n,
+ bits,
+ self.symbol,
+ self.int_a)
+
+ def format_result(self, res: int) -> str:
+ # Override to match zero-pading for leading digits between the output and input.
+ res_str = bignum_common.zfill_match(self.val_n, "{:x}".format(res))
+ return bignum_common.quote_str(res_str)
+
+ def result(self) -> List[str]:
+ result = (self.int_n << self.int_a)
+ # Calculate if there is space for shifting to the left(leading zero limbs)
+ mx = bignum_common.hex_digits_max_int(self.val_n, self.bits_in_limb)
+ # If there are empty limbs ahead, adjust the bitmask accordingly
+ result = result & (mx - 1)
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
+
+
class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
"""Test cases for mbedtls_mpi_core_ct_uint_table_lookup()."""
test_function = "mpi_core_ct_uint_table_lookup"
diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py
index f9f27faaa7..02db438a72 100644
--- a/scripts/mbedtls_dev/ecp.py
+++ b/scripts/mbedtls_dev/ecp.py
@@ -97,7 +97,7 @@ class EcpP192R1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
- def arguments(self):
+ def arguments(self)-> List[str]:
args = super().arguments()
return ["MBEDTLS_ECP_DP_SECP192R1"] + args
@@ -174,7 +174,7 @@ class EcpP224R1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
- def arguments(self):
+ def arguments(self)-> List[str]:
args = super().arguments()
return ["MBEDTLS_ECP_DP_SECP224R1"] + args
@@ -258,7 +258,7 @@ class EcpP256R1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
- def arguments(self):
+ def arguments(self)-> List[str]:
args = super().arguments()
return ["MBEDTLS_ECP_DP_SECP256R1"] + args
@@ -380,7 +380,7 @@ class EcpP384R1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
- def arguments(self):
+ def arguments(self)-> List[str]:
args = super().arguments()
return ["MBEDTLS_ECP_DP_SECP384R1"] + args
@@ -485,7 +485,7 @@ class EcpP521R1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
- def arguments(self):
+ def arguments(self)-> List[str]:
args = super().arguments()
return ["MBEDTLS_ECP_DP_SECP521R1"] + args
@@ -494,8 +494,8 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon,
EcpTarget):
"""Test cases for ECP P192K1 fast reduction."""
symbol = "-"
- test_function = "ecp_mod_p192k1"
- test_name = "ecp_mod_p192k1"
+ test_function = "ecp_mod_p_generic_raw"
+ test_name = "ecp_mod_p192k1_raw"
input_style = "fixed"
arity = 1
dependencies = ["MBEDTLS_ECP_DP_SECP192K1_ENABLED"]
@@ -518,6 +518,10 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon,
("fffffffffffffffffffffffffffffffffffffffdffffdc6c"
"0000000000000000000000000000000100002394013c7364"),
+ # Test case for overflow during addition
+ ("00000007ffff71b809e27dd832cfd5e04d9d2dbb9f8da217"
+ "0000000000000000000000000000000000000000520834f0"),
+
# First 8 number generated by random.getrandbits(384) - seed(2,2)
("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
"177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
@@ -553,13 +557,17 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
+ def arguments(self):
+ args = super().arguments()
+ return ["MBEDTLS_ECP_DP_SECP192K1"] + args
+
class EcpP224K1Raw(bignum_common.ModOperationCommon,
EcpTarget):
"""Test cases for ECP P224 fast reduction."""
symbol = "-"
- test_function = "ecp_mod_p224k1"
- test_name = "ecp_mod_p224k1"
+ test_function = "ecp_mod_p_generic_raw"
+ test_name = "ecp_mod_p224k1_raw"
input_style = "fixed"
arity = 1
dependencies = ["MBEDTLS_ECP_DP_SECP224K1_ENABLED"]
@@ -578,10 +586,14 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon,
# 2^224 - 1
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
- # Maximum canonical P224 multiplication result
+ # Maximum canonical P224K1 multiplication result
("fffffffffffffffffffffffffffffffffffffffffffffffdffffcad8"
"00000000000000000000000000000000000000010000352802c26590"),
+ # Test case for overflow during addition
+ ("0000007ffff2b68161180fd8cd92e1a109be158a19a99b1809db8032"
+ "0000000000000000000000000000000000000000000000000bf04f49"),
+
# First 8 number generated by random.getrandbits(448) - seed(2,2)
("da94e3e8ab73738fcf1822ffbc6887782b491044d5e341245c6e4337"
"15ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
@@ -618,13 +630,17 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
+ def arguments(self):
+ args = super().arguments()
+ return ["MBEDTLS_ECP_DP_SECP224K1"] + args
+
class EcpP256K1Raw(bignum_common.ModOperationCommon,
EcpTarget):
"""Test cases for ECP P256 fast reduction."""
symbol = "-"
- test_function = "ecp_mod_p256k1"
- test_name = "ecp_mod_p256k1"
+ test_function = "ecp_mod_p_generic_raw"
+ test_name = "ecp_mod_p256k1_raw"
input_style = "fixed"
arity = 1
dependencies = ["MBEDTLS_ECP_DP_SECP256K1_ENABLED"]
@@ -643,9 +659,17 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon,
# 2^256 - 1
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
- # Maximum canonical P256 multiplication result
- ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c0"
- "00000000000000000000000000000000000000000000001000007a4000e9844"),
+ # Maximum canonical P256K1 multiplication result
+ ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c"
+ "000000000000000000000000000000000000000000000001000007a4000e9844"),
+
+ # Test case for overflow during addition
+ ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562"
+ "00000000000000000000000000000000000000000000000000000000585674fd"),
+
+ # Test case for overflow during addition
+ ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562"
+ "00000000000000000000000000000000000000000000000000000000585674fd"),
# First 8 number generated by random.getrandbits(512) - seed(2,2)
("4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
@@ -672,8 +696,7 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon,
@property
def arg_a(self) -> str:
- hex_digits = bignum_common.hex_digits_for_limb(448 // self.bits_in_limb, self.bits_in_limb)
- return super().format_arg('{:x}'.format(self.int_a)).zfill(hex_digits)
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
def result(self) -> List[str]:
result = self.int_a % self.int_n
@@ -683,6 +706,79 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon,
def is_valid(self) -> bool:
return True
+ def arguments(self):
+ args = super().arguments()
+ return ["MBEDTLS_ECP_DP_SECP256K1"] + args
+
+
+class EcpP255Raw(bignum_common.ModOperationCommon,
+ EcpTarget):
+ """Test cases for ECP 25519 fast reduction."""
+ symbol = "-"
+ test_function = "ecp_mod_p_generic_raw"
+ test_name = "mbedtls_ecp_mod_p255_raw"
+ input_style = "fixed"
+ arity = 1
+ dependencies = ["MBEDTLS_ECP_DP_CURVE25519_ENABLED"]
+
+ moduli = [("7fffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffed")] # type: List[str]
+
+ input_values = [
+ "0", "1",
+
+ # Modulus - 1
+ ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"),
+
+ # Modulus + 1
+ ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee"),
+
+ # 2^255 - 1
+ ("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+
+ # Maximum canonical P255 multiplication result
+ ("3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"
+ "0000000000000000000000000000000000000000000000000000000000000190"),
+
+ # First 8 number generated by random.getrandbits(510) - seed(2,2)
+ ("1019f0d64ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
+ "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
+ ("20948fa1feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"
+ "ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd9b1f282e"),
+ ("3a1893ea5186ee32ee8d7ee9770348a05d300cb90706a045defc044a09325626"
+ "e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57ebf30b94fa"),
+ ("20a6923522fe99a22c70501e533c91352d3d854e061b90303b08c6e33c729578"
+ "2d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
+ ("3a248138e8168561867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"
+ "fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0"),
+ ("2f450feab714210c665d7435c1066932f4767f26294365b2721dea3bf63f23d0"
+ "dbe53fcafb2147df5ca495fa5a91c89b97eeab64ca2ce6bc5d3fd983c34c769f"),
+ ("1d199effe202849da9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e80371eb9"
+ "7f81375eecc1cb6347733e847d718d733ff98ff387c56473a7a83ee0761ebfd2"),
+ ("3423c6ec531d6460f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f25"
+ "8ebdbfe3eb9ac688b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a"),
+
+ # Next 2 number generated by random.getrandbits(255)
+ ("62f1243644a4a8f69dc8db48e86ec9c6e06f291b2a838af8d5c44a4eb3172062"),
+ ("6a606e54b4c9e755cc9c3adcf515a8234da4daeb4f3f87777ad1f45ae9500ec9"),
+ ]
+
+ @property
+ def arg_a(self) -> str:
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
+
+ def arguments(self)-> List[str]:
+ args = super().arguments()
+ return ["MBEDTLS_ECP_DP_CURVE25519"] + args
+
class EcpP448Raw(bignum_common.ModOperationCommon,
EcpTarget):
diff --git a/tests/.gitignore b/tests/.gitignore
index 40ad061c9f..6db65d1d38 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -17,9 +17,6 @@ include/alt-extra/psa/crypto_platform_alt.h
include/alt-extra/psa/crypto_struct_alt.h
include/test/instrument_record_status.h
-src/*.o
-src/test_helpers/*.o
-src/drivers/*.o
src/libmbed*
libtestdriver1/*
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index bf61706e0a..ea8e0c96ae 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -41,6 +41,10 @@ test_ca_key_file_rsa = test-ca.key
test_ca_pwd_rsa = PolarSSLTest
test_ca_config_file = test-ca.opensslconf
+$(test_ca_key_file_rsa):
+ $(OPENSSL) genrsa -aes-128-cbc -passout pass:$(test_ca_pwd_rsa) -out $@ 2048
+all_final += $(test_ca_key_file_rsa)
+
test-ca.req.sha256: $(test_ca_key_file_rsa)
$(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_rsa) password=$(test_ca_pwd_rsa) subject_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" md=SHA256
all_intermediate += test-ca.req.sha256
@@ -167,7 +171,30 @@ all_intermediate += test-ca2.req.sha256
test-ca2.crt: $(test_ca_key_file_ec) test-ca2.req.sha256
$(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" issuer_key=$(test_ca_key_file_ec) not_before=20190210144400 not_after=20290210144400 md=SHA256 version=3 output_file=$@
-all_final += test-ca.crt
+all_final += test-ca2.crt
+
+test-ca2-future.crt: $(test_ca_key_file_ec) test-ca2.req.sha256
+ $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 \
+ issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" issuer_key=$(test_ca_key_file_ec) \
+ not_before=20290210144400 not_after=20390210144400 md=SHA256 version=3 output_file=$@
+all_intermediate += test-ca2-future.crt
+
+test_ca_ec_cat := # files that concatenate different crt
+test-ca2_cat-future-invalid.crt: test-ca2-future.crt server6.crt
+test_ca_ec_cat += test-ca2_cat-future-invalid.crt
+test-ca2_cat-future-present.crt: test-ca2-future.crt test-ca2.crt
+test_ca_ec_cat += test-ca2_cat-future-present.crt
+test-ca2_cat-present-future.crt: test-ca2.crt test-ca2-future.crt
+test_ca_ec_cat += test-ca2_cat-present-future.crt
+test-ca2_cat-present-past.crt: test-ca2.crt test-ca2-expired.crt
+test_ca_ec_cat += test-ca2_cat-present-past.crt
+test-ca2_cat-past-invalid.crt: test-ca2-expired.crt server6.crt
+test_ca_ec_cat += test-ca2_cat-past-invalid.crt
+test-ca2_cat-past-present.crt: test-ca2-expired.crt test-ca2.crt
+test_ca_ec_cat += test-ca2_cat-past-present.crt
+$(test_ca_ec_cat):
+ cat $^ > $@
+all_final += $(test_ca_ec_cat)
test-ca-any_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@
@@ -225,10 +252,37 @@ all_final += $(test_ca_crt_cat21)
test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
-all_intermediate += test-int-ca.csr
+
+test-int-ca2.csr: test-int-ca2.key $(test_ca_config_file)
+ $(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca2.key \
+ -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate EC CA" -out $@
+
+test-int-ca3.csr: test-int-ca3.key $(test_ca_config_file)
+ $(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca3.key \
+ -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -out $@
+
+all_intermediate += test-int-ca.csr test-int-ca2.csr test-int-ca3.csr
+
+test-int-ca.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
+ $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca \
+ -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
+ -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
+
+test-int-ca2.crt: $(test_ca_key_file_rsa) $(test_ca_crt) $(test_ca_config_file) test-int-ca2.csr
+ $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt) \
+ -CAkey $(test_ca_key_file_rsa) -set_serial 15 -days 3653 -sha256 -in test-int-ca2.csr \
+ -passin "pass:$(test_ca_pwd_rsa)" -out $@
+
+# Note: This requests openssl version >= 3.x.xx
+test-int-ca3.crt: test-int-ca2.crt test-int-ca2.key $(test_ca_config_file) test-int-ca3.csr
+ $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions no_subj_auth_id \
+ -CA test-int-ca2.crt -CAkey test-int-ca2.key -set_serial 77 -days 3653 \
+ -sha256 -in test-int-ca3.csr -out $@
+
test-int-ca-exp.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
-all_final += test-int-ca-exp.crt
+
+all_final += test-int-ca-exp.crt test-int-ca.crt test-int-ca2.crt test-int-ca3.crt
enco-cert-utf8str.pem: rsa_pkcs1_1024_clear.pem
$(MBEDTLS_CERT_WRITE) subject_key=rsa_pkcs1_1024_clear.pem subject_name="CN=dw.yonan.net" issuer_crt=enco-ca-prstr.pem issuer_key=rsa_pkcs1_1024_clear.pem not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
@@ -267,23 +321,74 @@ cli-rsa.key.der: $(cli_crt_key_file_rsa)
all_final += cli-rsa.key.der
test_ca_int_rsa1 = test-int-ca.crt
+test_ca_int_ec = test-int-ca2.crt
+test_ca_int_key_file_ec = test-int-ca2.key
+
+# server7*
server7.csr: server7.key
$(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
all_intermediate += server7.csr
+
+server7.crt: server7.csr $(test_ca_int_rsa1)
+ $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \
+ -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key \
+ -set_serial 16 -days 3653 -sha256 -in server7.csr > $@
+all_final += server7.crt
+
server7-expired.crt: server7.csr $(test_ca_int_rsa1)
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
all_final += server7-expired.crt
+
server7-future.crt: server7.csr $(test_ca_int_rsa1)
$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
all_final += server7-future.crt
+
server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
all_final += server7-badsign.crt
+
+server7_int-ca.crt: server7.crt $(test_ca_int_rsa1)
+ cat server7.crt $(test_ca_int_rsa1) > $@
+all_final += server7_int-ca.crt
+
+server7_pem_space.crt: server7.crt $(test_ca_int_rsa1)
+ cat server7.crt $(test_ca_int_rsa1) | sed '4s/\(.\)$$/ \1/' > $@
+all_final += server7_pem_space.crt
+
+server7_all_space.crt: server7.crt $(test_ca_int_rsa1)
+ { cat server7.crt | sed '4s/\(.\)$$/ \1/'; cat test-int-ca.crt | sed '4s/\(.\)$$/ \1/'; } > $@
+all_final += server7_all_space.crt
+
+server7_trailing_space.crt: server7.crt $(test_ca_int_rsa1)
+ cat server7.crt $(test_ca_int_rsa1) | sed 's/\(.\)$$/\1 /' > $@
+all_final += server7_trailing_space.crt
+
+server7_int-ca_ca2.crt: server7.crt $(test_ca_int_rsa1) $(test_ca_crt_file_ec)
+ cat server7.crt $(test_ca_int_rsa1) $(test_ca_crt_file_ec) > $@
+all_final += server7_int-ca_ca2.crt
+
server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
cat server7.crt test-int-ca-exp.crt > $@
all_final += server7_int-ca-exp.crt
+server7_spurious_int-ca.crt: server7.crt $(test_ca_int_ec) $(test_ca_int_rsa1)
+ cat server7.crt $(test_ca_int_ec) $(test_ca_int_rsa1) > $@
+all_final += server7_spurious_int-ca.crt
+
+# server8*
+
+server8.crt: server8.key
+ $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL, O=PolarSSL, CN=localhost" serial=17 \
+ issuer_crt=$(test_ca_int_ec) issuer_key=$(test_ca_int_key_file_ec) \
+ not_before=20190210144406 not_after=20290210144406 \
+ md=SHA256 version=3 output_file=$@
+all_final += server8.crt
+
+server8_int-ca2.crt: server8.crt $(test_ca_int_ec)
+ cat $^ > $@
+all_final += server8_int-ca2.crt
+
cli2.req.sha256: cli2.key
$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Test Client 2" md=SHA256
@@ -344,6 +449,30 @@ server5-directoryname.crt.der: server5.key
server5-two-directorynames.crt.der: server5.key
$(OPENSSL) req -x509 -outform der -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS directoryName SAN" -set_serial 77 -config $(test_ca_config_file) -extensions two_directorynames -days 3650 -sha256 -key server5.key -out $@
+server5-der0.crt: server5.crt.der
+ cp $< $@
+server5-der1a.crt: server5.crt.der
+ cp $< $@
+ echo '00' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+server5-der1b.crt: server5.crt.der
+ cp $< $@
+ echo 'c1' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+server5-der2.crt: server5.crt.der
+ cp $< $@
+ echo 'b90a' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+server5-der4.crt: server5.crt.der
+ cp $< $@
+ echo 'a710945f' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+server5-der8.crt: server5.crt.der
+ cp $< $@
+ echo 'a4a7ff27267aaa0f' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+server5-der9.crt: server5.crt.der
+ cp $< $@
+ echo 'cff8303376ffa47a29' | xxd -r -p | dd of=$@ bs=1 seek=$$(wc -c <$<) conv=notrunc
+all_final += server5-der0.crt server5-der1b.crt server5-der4.crt \
+ server5-der9.crt server5-der1a.crt server5-der2.crt \
+ server5-der8.crt
+
# directoryname sequence tag malformed
server5-directoryname-seq-malformed.crt.der: server5-two-directorynames.crt.der
hexdump -ve '1/1 "%.2X"' $< | sed "s/62A4473045310B/62A4473145310B/" | xxd -r -p > $@
@@ -360,18 +489,37 @@ rsa_single_san_uri.crt.der: rsa_single_san_uri.key
rsa_multiple_san_uri.crt.der: rsa_multiple_san_uri.key
$(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
+test-int-ca3-badsign.crt: test-int-ca3.crt
+ { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
+all_final += test-int-ca3-badsign.crt
+
+# server10*
+
+server10.crt: server10.key test-int-ca3.crt test-int-ca3.key
+ $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="CN=localhost" serial=75 \
+ issuer_crt=test-int-ca3.crt issuer_key=test-int-ca3.key \
+ subject_identifier=0 authority_identifier=0 \
+ not_before=20190210144406 not_after=20290210144406 \
+ md=SHA256 version=3 output_file=$@
+all_final += server10.crt
server10-badsign.crt: server10.crt
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += server10-badsign.crt
server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
cat server10-badsign.crt test-int-ca3.crt > $@
all_final += server10-bs_int3.pem
-test-int-ca3-badsign.crt: test-int-ca3.crt
- { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
-all_final += test-int-ca3-badsign.crt
server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
cat server10.crt test-int-ca3-badsign.crt > $@
all_final += server10_int3-bs.pem
+server10_int3_int-ca2.crt: server10.crt test-int-ca3.crt $(test_ca_int_ec)
+ cat $^ > $@
+all_final += server10_int3_int-ca2.crt
+server10_int3_int-ca2_ca.crt: server10.crt test-int-ca3.crt $(test_ca_int_ec) $(test_ca_crt)
+ cat $^ > $@
+all_final += server10_int3_int-ca2_ca.crt
+server10_int3_spurious_int-ca2.crt: server10.crt test-int-ca3.crt $(test_ca_int_rsa1) $(test_ca_int_ec)
+ cat $^ > $@
+all_final += server10_int3_spurious_int-ca2.crt
rsa_pkcs1_2048_public.pem: server8.key
$(OPENSSL) rsa -in $< -outform PEM -RSAPublicKey_out -out $@
@@ -389,6 +537,19 @@ rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem
$(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@
all_final += rsa_pkcs8_2048_public.der
+# Generate crl_cat_*.pem
+# - crt_cat_*.pem: (1+2) concatenations in various orders:
+# ec = crl-ec-sha256.pem, ecfut = crl-future.pem
+# rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
+
+crl_cat_ec-rsa.pem:crl-ec-sha256.pem crl.pem
+ cat $^ > $@
+
+crl_cat_rsa-ec.pem:crl.pem crl-ec-sha256.pem
+ cat $^ > $@
+
+all_final += crl_cat_ec-rsa.pem crl_cat_rsa-ec.pem
+
################################################################
#### Generate various RSA keys
################################################################
@@ -1007,32 +1168,32 @@ ec_x25519_prv.der:
$(OPENSSL) genpkey -algorithm X25519 -out $@ -outform DER
all_final += ec_x25519_prv.der
-ec_x25519_pub.der: ec_x25519_pub.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER
+ec_x25519_pub.der: ec_x25519_prv.der
+ $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER -pubout
all_final += ec_x25519_pub.der
-ec_x25519_prv.pem: ec_x25519_prv.pem
+ec_x25519_prv.pem: ec_x25519_prv.der
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_x25519_prv.pem
-ec_x25519_pub.pem: ec_x25519_pub.pem
- $(OPENSSL) pkey -in $< -inform DER -out $@
+ec_x25519_pub.pem: ec_x25519_prv.der
+ $(OPENSSL) pkey -in $< -inform DER -out $@ -pubout
all_final += ec_x25519_pub.pem
ec_x448_prv.der:
$(OPENSSL) genpkey -algorithm X448 -out $@ -outform DER
all_final += ec_x448_prv.der
-ec_x448_pub.der: ec_x448_pub.der
- $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER
+ec_x448_pub.der: ec_x448_prv.der
+ $(OPENSSL) pkey -in $< -inform DER -out $@ -outform DER -pubout
all_final += ec_x448_pub.der
-ec_x448_prv.pem: ec_x448_prv.pem
+ec_x448_prv.pem: ec_x448_prv.der
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_x448_prv.pem
-ec_x448_pub.pem: ec_x448_pub.pem
- $(OPENSSL) pkey -in $< -inform DER -out $@
+ec_x448_pub.pem: ec_x448_prv.der
+ $(OPENSSL) pkey -in $< -inform DER -out $@ -pubout
all_final += ec_x448_pub.pem
################################################################
@@ -1169,11 +1330,39 @@ all_final += server2.key.enc
# server5*
+server5.csr: server5.key
+ $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
+ -key $< -out $@
+all_intermediate += server5.csr
+server5.crt: server5-sha256.crt
+ cp $< $@
+all_intermediate += server5-sha256.crt
+server5-sha%.crt: server5.csr $(test_ca_crt_file_ec) $(test_ca_key_file_ec) server5.crt.openssl.v3_ext
+ $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
+ -extfile server5.crt.openssl.v3_ext -set_serial 9 -days 3650 \
+ -sha$(@:server5-sha%.crt=%) -in $< -out $@
+all_final += server5.crt server5-sha1.crt server5-sha224.crt server5-sha384.crt server5-sha512.crt
+
+server5-badsign.crt: server5.crt
+ { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
+all_final += server5-badsign.crt
+
# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
server5.req.ku.sha1: server5.key
$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
all_final += server5.req.ku.sha1
+# server6*
+
+server6.csr: server6.key
+ $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \
+ -key $< -out $@
+all_intermediate += server6.csr
+server6.crt: server6.csr $(test_ca_crt_file_ec) $(test_ca_key_file_ec)
+ $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \
+ -extfile server5.crt.openssl.v3_ext -set_serial 10 -days 3650 -sha256 -in $< -out $@
+all_final += server6.crt
+
################################################################
### Generate certificates for CRT write check tests
################################################################
@@ -1194,6 +1383,8 @@ test_ca_server1_config_file = test-ca.server1.opensslconf
server1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
+server1.allSubjectAltNames.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+ $(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ san=URI:http://pki.example.com\;IP:1.2.3.4\;DN:C=UK,O="Mbed TLS",CN="SubjectAltName test"\;DNS:example.com\;RFC822:mail@example.com
server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
echo "112233445566778899aabbccddeeff0011223344" > test-ca.server1.tmp.serial
$(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
@@ -1320,6 +1511,24 @@ server2-sha256.crt: server2.req.sha256
$(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
all_final += server2-sha256.crt
+# server3*
+
+server3.crt: server3.key
+ $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=13 \
+ issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \
+ not_before=20190210144406 not_after=20290210144406 \
+ md=SHA1 version=3 output_file=$@
+all_final += server3.crt
+
+# server4*
+
+server4.crt: server4.key
+ $(MBEDTLS_CERT_WRITE) subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=8 \
+ issuer_crt=$(test_ca_crt_file_ec) issuer_key=$(test_ca_key_file_ec) \
+ not_before=20190210144400 not_after=20290210144400 \
+ md=SHA256 version=3 output_file=$@
+all_final += server4.crt
+
# MD5 test certificate
cert_md_test_key = $(cli_crt_key_file_rsa)
@@ -1390,17 +1599,17 @@ all_final += pkcs7_data_1.bin
# Generate signing cert
pkcs7-rsa-sha256-1.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt
cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem
all_final += pkcs7-rsa-sha256-1.crt
pkcs7-rsa-sha256-2.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt
cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem
all_final += pkcs7-rsa-sha256-2.crt
pkcs7-rsa-sha256-3.crt:
- $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 3" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-3.key -out pkcs7-rsa-sha256-3.crt
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 3" -sha256 -nodes -days 3653 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-3.key -out pkcs7-rsa-sha256-3.crt
cat pkcs7-rsa-sha256-3.crt pkcs7-rsa-sha256-3.key > pkcs7-rsa-sha256-3.pem
all_final += pkcs7-rsa-sha256-3.crt
@@ -1515,17 +1724,17 @@ all_final += pkcs7_data_signed_badsigner1_fuzzbad.der
pkcs7_data_signed_badsigner2_badsize.der: pkcs7_data_3_signed.der
cp pkcs7_data_3_signed.der $@
echo '72'| xxd -p -r | dd of=$@ bs=1 seek=813 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_badsize
+all_final += pkcs7_data_signed_badsigner2_badsize.der
pkcs7_data_signed_badsigner2_badtag.der: pkcs7_data_3_signed.der
cp pkcs7_data_3_signed.der $@
echo 'a1'| xxd -p -r | dd of=$@ bs=1 seek=817 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_badtag
+all_final += pkcs7_data_signed_badsigner2_badtag.der
pkcs7_data_signed_badsigner2_fuzzbad.der: pkcs7_data_3_signed.der
cp pkcs7_data_3_signed.der $@
echo 'a1'| xxd -p -r | dd of=$@ bs=1 seek=925 conv=notrunc
-all_final += pkcs7_data_signed_badsigner2_fuzzbad
+all_final += pkcs7_data_signed_badsigner2_fuzzbad.der
# pkcs7 file with version 2
pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
@@ -1598,3 +1807,5 @@ clean:
neat: clean
rm -f $(all_final)
.PHONY: clean neat
+
+.SECONDARY: $(all_intermediate)
diff --git a/tests/data_files/crl-ec-sha1.pem b/tests/data_files/crl-ec-sha1.pem
index 8358640a0d..f82d94674d 100644
--- a/tests/data_files/crl-ec-sha1.pem
+++ b/tests/data_files/crl-ec-sha1.pem
@@ -1,10 +1,10 @@
-----BEGIN X509 CRL-----
-MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ
-b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz
-MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G
+MIIBbjCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQ
+b2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMjMwNTE3MDcx
+NDM5WhcNMzMwNTE3MDcxNDM5WjAUMBICAQoXDTIzMDUxNzA3MTQzOVqgcjBwMG4G
A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
-TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg
-Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW
-svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm
-56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U=
+TDERMA8GA1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMg
+Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2gAMGUCMQCRAtXd7kXgijlMXHXr6m0B
+IzDbpAAwDwCJtgOzarF5hZKGDZeDp6vptGZK0y40NsoCMACxRrXIV+6KUBipFarI
+36yXDoBNol2xzst6p9fOg+prl6p7vO1sRYrIGg1WJGA5wQ==
-----END X509 CRL-----
diff --git a/tests/data_files/crl-ec-sha256.pem b/tests/data_files/crl-ec-sha256.pem
index adfd5f8937..b9fad50fc8 100644
--- a/tests/data_files/crl-ec-sha256.pem
+++ b/tests/data_files/crl-ec-sha256.pem
@@ -1,10 +1,10 @@
-----BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
+MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
+zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
+NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
-----END X509 CRL-----
diff --git a/tests/data_files/crl.pem b/tests/data_files/crl.pem
index df7417e8ee..5a1bdd35ab 100644
--- a/tests/data_files/crl.pem
+++ b/tests/data_files/crl.pem
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
-UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTE5MDIwNjE2MzQ0
-NloXDTI5MDIwNjE2MzQ0NlowKDASAgEBFw0xMTAyMTIxMjQ0MDdaMBICAQMXDTEx
-MDIxMjEyNDQwN1owDQYJKoZIhvcNAQEFBQADggEBAGHkRHGDz2HsoiXzfJDBpkfg
-I+yK34O9zoHMyGcDZbF9fj4NVyyNA6XCgY3IgQYe3boA1edO6+8ImjqiZjYK+GWt
-4ne7YhapRFAoFbKQY5hgy8mlpSRlNfmRVVCDDKannMac4tQff1LCFHN8msk/uG1b
-WHWAsL6dzLVojhbUFY6mZTb6nqjm5YgqcsNsz37n4dyrCDftB99FQdE/aAec2RXP
-Jgy9DnY5jMotPqHLZtMyfVNEoivDb7YJA5Vv6NSyiYVTjyWyTHNRsFEXRtHqjpqs
-oZdBgLZAAQsUvuVpMbDKQ4FrZjOaOW/xLtKPlh/HNA5p7hNtwIiCAIvp7uQti0w=
+UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
+OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
+MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
+CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
+e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
+pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
+C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
+7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
-----END X509 CRL-----
diff --git a/tests/data_files/crl_cat_ec-rsa.pem b/tests/data_files/crl_cat_ec-rsa.pem
index 3cda8ff03e..cafa1d4112 100644
--- a/tests/data_files/crl_cat_ec-rsa.pem
+++ b/tests/data_files/crl_cat_ec-rsa.pem
@@ -1,21 +1,21 @@
-----BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
+MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
+zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
+NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
-OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
-dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
-//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
-yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
-NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
-5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU=
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
+OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
+MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
+CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
+e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
+pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
+C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
+7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
-----END X509 CRL-----
diff --git a/tests/data_files/crl_cat_rsa-ec.pem b/tests/data_files/crl_cat_rsa-ec.pem
index ded369d897..92ecccc6df 100644
--- a/tests/data_files/crl_cat_rsa-ec.pem
+++ b/tests/data_files/crl_cat_rsa-ec.pem
@@ -1,21 +1,21 @@
-----BEGIN X509 CRL-----
-MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
-OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
-MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
-dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
-//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
-yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
-NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
-5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU=
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIzMDUxNzA3MTQz
+OFoXDTMzMDUxNzA3MTQzOFowKDASAgEBFw0yMzA1MTcwNzE0MzhaMBICAQMXDTIz
+MDUxNzA3MTQzOFowDQYJKoZIhvcNAQEFBQADggEBAEKGf/KYnv3EpFiEsPii5f3S
+CEgD0NL44rYIU7n9oBIqgqxP93tDeqwqvv/oDYBA41fugxU63nO5qKn4xszKN/w0
+e3GDg6ihFFz2wO6NE37Wfn3lVIvMbboNyMGqH1CTqTbNcsam8DhvILCMkG60kV66
+pSVGVIJftDzE+33mUundQMYz4wN4QJFGRSfHW745iowF9ejiPsfAn4gO9eLDrRmA
+C0oedNyRLj6jfGRtaQddlCjCAGwNlIJBe/IhixafW9g8deGPHJu8RSlJ/Q77pgjx
+7WccwCz+dWP+uqi8fwgerHYdTjiAvFVu1Yd4KA5WTndzI3wzJwbdZZ08OfDLmyU=
-----END X509 CRL-----
-----BEGIN X509 CRL-----
-MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
-UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
-MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTIzMDUxNzA3
+MTQ0MFoXDTMzMDUxNzA3MTQ0MFowFDASAgEKFw0yMzA1MTcwNzE0NDBaoHIwcDBu
BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
-TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
-IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
-S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
-g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+TkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAOFCq4tS7s27+KShmh4n
+zavpLBQUbqyjkH9dJk0jg862YXjirOu9oCOoWtZQz6/LhQIxAJbtOSwJNq0F/FTq
+NYhP7ibE1jad9Tbs6igtZ7Z9NN7V5upnnL4SVETU9pvy9zh+tw==
-----END X509 CRL-----
diff --git a/tests/data_files/bitstring-in-dn.pem b/tests/data_files/parse_input/bitstring-in-dn.pem
similarity index 100%
rename from tests/data_files/bitstring-in-dn.pem
rename to tests/data_files/parse_input/bitstring-in-dn.pem
diff --git a/tests/data_files/parse_input/cert_example_multi.crt b/tests/data_files/parse_input/cert_example_multi.crt
new file mode 100644
index 0000000000..0e3295dc71
--- /dev/null
+++ b/tests/data_files/parse_input/cert_example_multi.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYqgAwIBAgIBETANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwNzEwMTEyNzUyWhcNMjkwNzEwMTEyNzUyWjA6MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAxziSxcP0cBAIa/gTNezzARyKJQ+VgjYeqh6W
+ElUarPh7dTMLcFcznNmV8U1MRDfIvsSgP+RkPNPzyQJDPcN8W455qgmEroITNwq/
+hWm9KjVibLH+5KzgQrJBfHvknScUmywHa45DPT9sdjpGmhxwDSWdvAjHQPzYAjdi
+/33r/C0CAwEAAaM2MDQwMgYDVR0RBCswKYILZXhhbXBsZS5jb22CC2V4YW1wbGUu
+bmV0gg0qLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCJbFizurHz804x
+6NbsvsPPgLcESq0OcGOEXOCOe8seZqomhSYTXtHBzrFtRp2/gmtORq2oapoDDiq+
+I+xRLJYsUBut2NdkZmEIRSW4n4sXJwqb0fXTTkd7EAXBvGNWbERab5Sbf84oqd4t
+yjjz2u+Hvx8hZCHJG2V9qg3zaw5zJT1AfAsMbjXqi8CfU7U+Fcor+O3GeuUVgpJC
+QCXb2Qjj3ZmrCvGZA9x59XtnEN6m2O4pWkmqR/Z7MlQrZzQ80vcQMk9+qoKIr2EJ
+RcJhAtE+dLV19IlccwsDlGx5kT5N5zSYLK9nARV1/AjK48bUxGH353A1Y2MCfy0E
+dXDReJa1
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_example_multi_nocn.crt b/tests/data_files/parse_input/cert_example_multi_nocn.crt
new file mode 100644
index 0000000000..1634846e1b
--- /dev/null
+++ b/tests/data_files/parse_input/cert_example_multi_nocn.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAWagAwIBAgIJAPfGf/jpqWP5MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV
+BAYTAk5MMB4XDTE0MDEyMjEwMDQzM1oXDTI0MDEyMjEwMDQzM1owDTELMAkGA1UE
+BhMCTkwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2pt
+WZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNz
+UnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ
+81kybdHg6G3eUu1mtKkL2kCVAgMBAAGjZTBjMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgXgMEkGA1UdEQRCMECCHHd3dy5zaG90b2thbi1icmF1bnNjaHdlaWcuZGWCFHd3
+dy5tYXNzaW1vLWFiYXRlLmV1hwTAqAEBhwTAqEWQMA0GCSqGSIb3DQEBBQUAA4GB
+ABjx1ytrqCyFC5/0cjWnbLK9vsvLny2ZikDewfRxqJ5zAxGWLqHOr1SmUmu2DrvB
+bkT9g5z19+iMhPnzJz1x7Q2m7WTIJTuUPK+hKZJATDLNhZ86h5Nkw8k9YzKcOrPm
+EIqsy55CSgLU0ntljqSBvSb4ifrF1NnIWej2lSfN6r+3
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_md5.crt b/tests/data_files/parse_input/cert_md5.crt
new file mode 100644
index 0000000000..e514fd631c
--- /dev/null
+++ b/tests/data_files/parse_input/cert_md5.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC
+AQEAF4QcMshVtVbYgvvU7f2lWakubbAISM/k+FW/f7u63m0MSSoSFeYflBOC1Wf4
+imgDEnWcWTH5V7sxsLNogxfpfTuFUaKfHeQmRhAK4UgqbDEs4dZvgo3wZ/w92G0/
+QNntJefnqaFiITXZTn6J8hxeoEq4QbucbWgeY6fTAwXtIv40BvMOSakkuIFAyIvV
+90VY1j4vnx0/xv5lIBAxah1HdtXhqtDu/sUfdCtWX5SCcVUwwM3gZ4Q1ZdWQmlvF
+737ZG7XaINxsDaI04sJxc7qvuRYhLdCwUPnZL5TGEQJ8jNa/39eEbnkvs7hbTU98
+6qG8UAYsSI7aMe1j7DZpkoPL9w==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha1.crt b/tests/data_files/parse_input/cert_sha1.crt
new file mode 100644
index 0000000000..1e23585c55
--- /dev/null
+++ b/tests/data_files/parse_input/cert_sha1.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIBBzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA9MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGzAZBgNVBAMMElBvbGFyU1NMIENlcnQgU0hBMTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J
+v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB
+Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl
+XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk
+65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP
+cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA
+AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw
+HwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQAD
+ggEBAFAHuWfjOp+GaM5dP3NBaUayXmjbrsY5fo/ysfOVV9xipzbPWvE2Bu679iU1
+Eg+5hME9VlMmQejGzG09ReXE+30gyhtO3vWA8U21YrsL3ybvS6EREHGKk238bIBh
+yDP/b0VuoNsS3xRn9WyH3TRu5re0vK68OSkLIWPd01fgvcfl6YyUY+WuuSrpYcDv
+nrgKvFZws/EE4RNldtRC1Blwy497AtmWBQWs65zj5JkNdNnm4JJqXZAArNh2GSZo
+83C/1ZSFrNo9GONsCJ0GVGEt7IK7FPqXYW7rXi30BRse33ziU7RPWGDT13bh9Rdz
+RqsoZ5h5VjtHOnMUUD99gIWinBE=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha224.crt b/tests/data_files/parse_input/cert_sha224.crt
new file mode 100644
index 0000000000..c8a209d0c3
--- /dev/null
+++ b/tests/data_files/parse_input/cert_sha224.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIBCDANBgkqhkiG9w0BAQ4FADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjI0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
+Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
+1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
+gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
+LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
+pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
+AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
+pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ4F
+AAOCAQEATdo7p7dok8gcxS0dYGluXMOsAEALyHAgvAJSZUt0x8RxemJfpquv4XG/
+rppQmtA5aPf59Fo0z5GcS0zzYFLTQIcLHKnuuG0W6yjhx3e+5J1hjLbv///vvKGN
+jq55z+CANkragMk6XQ/t+iXkh/Fq00FS+zbf1JLaMXOLst5dfv3uPQaJHwzX/EaE
+VdognXxWudNQgIvemindk9TTQon27zBS/z6nwcBCIXMDfesAjcHuBCfxl6pofK6E
+28qs4up/JayptG2CX98LGsEyAgegwTMSYGLJoWcHhrUcbF0fNOcXPgQKGTcZO4Tg
+yPYGbkG9FjgaASc2gTrYVPRZ6mY19g==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha256.crt b/tests/data_files/parse_input/cert_sha256.crt
new file mode 100644
index 0000000000..e56d428530
--- /dev/null
+++ b/tests/data_files/parse_input/cert_sha256.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMjU2MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
+Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
+1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
+gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
+LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
+pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
+AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
+pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsF
+AAOCAQEAuo8kRDdQj3+rgqbz7bS3ZfBVCqgbQfruRZncP0s3IQJ6g7k6BNfCTO+N
+tIgnCDhnhjK9DS4l1LTkQJKfcd6sfuwBxjHKWGZUqTqHWFm/O5MJwfMpxI305xXE
+evDzh8LK1W3moX5OcT4bx3QsY9I4nqXQkOzjGidxhOXYA2v+X5OhRt3IJ2dzmQQu
+BVXnDbzuchUfP5aeCwW6l7VX+RJOE2zlqO5yt0ejT02E44qtC5sBf24V9ko5LORw
+1J7Zk34QwsKrSPSGxOuoWNwH3fJpgZQImKgJIQCsksJ+A45CK6iz0km8oTiI3Hoo
+2LpE6UNx2M8jiZWVzH1L4tkg4fcCoQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha384.crt b/tests/data_files/parse_input/cert_sha384.crt
new file mode 100644
index 0000000000..f8ec10b66d
--- /dev/null
+++ b/tests/data_files/parse_input/cert_sha384.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIBCjANBgkqhkiG9w0BAQwFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBMzg0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
+Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
+1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
+gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
+LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
+pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
+AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
+pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQwF
+AAOCAQEAeyHm+emo4/QHqEVKj/MYPOsPrrcr5MupNE7WmoUA7SilVUlceIy8ApWR
+MUdwnh7UPkCa6K1yvayknEbHzD2Lv9BLEf5A1/a+F/LmFXiV0kXIFue13u+z7laV
+N/s/jphPVgjPwZiC1ZtOoD7WvSkIInB53j4Q3VCH6EpZxZuDO/u8CGBQ0g+9Eqhn
+W3+4GFnxUPYeN17u/opt16mEPx6WFbRl9hs5wUvND/FCDEJ/9uVNiVYlPYyHKzzq
+e3WXCHLYUKGESQX+85IrnmlwbAb33bM+sAM6naFafXTZEimeEpX3iYrHzhoU7aR7
+piojwAE+Yb3Ac+Hu1fY4CRO4ZHL6Zg==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/cert_sha512.crt b/tests/data_files/parse_input/cert_sha512.crt
new file mode 100644
index 0000000000..b2254fa729
--- /dev/null
+++ b/tests/data_files/parse_input/cert_sha512.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIBCzANBgkqhkiG9w0BAQ0FADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA/MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHTAbBgNVBAMMFFBvbGFyU1NMIENlcnQgU0hBNTEyMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVh
+Xom/uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq
+1UFDd185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPht
+gSVfCrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1l
+LGTrlZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsu
+pk9wbp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQID
+AQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kC
+pjAfBgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQ0F
+AAOCAQEABnuq7gMU6EWqcmEcj2/wiqOFUBeH9ro0tni9JZzaDAKkBMwoeJ3RP/59
+wY92UZC/SoWPm0yLK25KTwxJhd645a5ZeRk+yi1SG+oXNgZFS03F1Orat0bM5u94
+RtzLRInGzTxhlVS8HPRya2+nEaPT9YNO25vORczPDjtrI82UnysaWiKx1OCPhdP3
+ZySAkX/zE1U8Te0+948C0vmg2aTWCSk5zutryFgHH5UojmmWAkBHpX3tIm8JMRG9
+tvp6fbIDan0LmSsVK8rq5OPSwAKMso6GF4Iuxou/jP2gI+NutenX26wrffSjlPiW
+KksLNj8oL6vIUap28Oh+Gwph02biSQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/cli-rsa-sha256-badalg.crt.der b/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der
similarity index 100%
rename from tests/data_files/cli-rsa-sha256-badalg.crt.der
rename to tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der
diff --git a/tests/data_files/parse_input/crl-ec-sha1.pem b/tests/data_files/parse_input/crl-ec-sha1.pem
new file mode 100644
index 0000000000..8358640a0d
--- /dev/null
+++ b/tests/data_files/parse_input/crl-ec-sha1.pem
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ
+b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz
+MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G
+A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
+TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg
+Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW
+svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm
+56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U=
+-----END X509 CRL-----
diff --git a/tests/data_files/crl-ec-sha224.pem b/tests/data_files/parse_input/crl-ec-sha224.pem
similarity index 100%
rename from tests/data_files/crl-ec-sha224.pem
rename to tests/data_files/parse_input/crl-ec-sha224.pem
diff --git a/tests/data_files/parse_input/crl-ec-sha256.pem b/tests/data_files/parse_input/crl-ec-sha256.pem
new file mode 100644
index 0000000000..adfd5f8937
--- /dev/null
+++ b/tests/data_files/parse_input/crl-ec-sha256.pem
@@ -0,0 +1,10 @@
+-----BEGIN X509 CRL-----
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
+MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
+TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
+S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
+g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+-----END X509 CRL-----
diff --git a/tests/data_files/crl-ec-sha384.pem b/tests/data_files/parse_input/crl-ec-sha384.pem
similarity index 100%
rename from tests/data_files/crl-ec-sha384.pem
rename to tests/data_files/parse_input/crl-ec-sha384.pem
diff --git a/tests/data_files/crl-ec-sha512.pem b/tests/data_files/parse_input/crl-ec-sha512.pem
similarity index 100%
rename from tests/data_files/crl-ec-sha512.pem
rename to tests/data_files/parse_input/crl-ec-sha512.pem
diff --git a/tests/data_files/crl-idp.pem b/tests/data_files/parse_input/crl-idp.pem
similarity index 100%
rename from tests/data_files/crl-idp.pem
rename to tests/data_files/parse_input/crl-idp.pem
diff --git a/tests/data_files/crl-idpnc.pem b/tests/data_files/parse_input/crl-idpnc.pem
similarity index 100%
rename from tests/data_files/crl-idpnc.pem
rename to tests/data_files/parse_input/crl-idpnc.pem
diff --git a/tests/data_files/crl-malformed-trailing-spaces.pem b/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem
similarity index 100%
rename from tests/data_files/crl-malformed-trailing-spaces.pem
rename to tests/data_files/parse_input/crl-malformed-trailing-spaces.pem
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha1.pem b/tests/data_files/parse_input/crl-rsa-pss-sha1.pem
new file mode 100644
index 0000000000..59ca4f703e
--- /dev/null
+++ b/tests/data_files/parse_input/crl-rsa-pss-sha1.pem
@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x
+NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4
+WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5
+1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM
+MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC
+AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS
+4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0
+MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo
+mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O
+7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa
+y6li0JzWNHtkKUlCv2+SESZbD3NU8GQZ
+-----END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha224.pem b/tests/data_files/parse_input/crl-rsa-pss-sha224.pem
new file mode 100644
index 0000000000..a51d5d9113
--- /dev/null
+++ b/tests/data_files/parse_input/crl-rsa-pss-sha224.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgShGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAIEogQCAgDiMDsxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
+MTM1NjA2WhcNMjQwMTE4MTM1NjA2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
+FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
+PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
+A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
+SAFlAwQCBKEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBAEJI
+i9sQOzMvvOTksN48+X+kk/wkLMKRGI222lqU6y6tP1LX3OE/+KN8gPXR+lCC+e0v
+TsRTJkpKEcmHZoP/8kOtZnLb9PdITKGMQnZ+dmn5MFEzZI/zyrYWuJTuK1Q83w0e
+Mc88cAhu8i4PTk/WnsWDphK1Q2YRupmmwWSUpp1Z2rpR+YSCedC01TVrtSUJUBw9
+NSqKDhyWYJIbS6/bFaERswC8xlMRhyLHUvikjmAK36TbIdhTnEffHOPW75sEOEEB
+f0A3VtlZ7y5yt2/a6vOauJCivxKt/PutdHfBqH43QQmoVLWC2FmT9ADTJwcsZB3D
+a6JSqCIMRCQY2JOUn0A=
+-----END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha256.pem b/tests/data_files/parse_input/crl-rsa-pss-sha256.pem
new file mode 100644
index 0000000000..f16a49118e
--- /dev/null
+++ b/tests/data_files/parse_input/crl-rsa-pss-sha256.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgGhGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeMDsxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
+MTM1NjE2WhcNMjQwMTE4MTM1NjE2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
+FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
+PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
+A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
+SAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAEZ4
+oqp9i5eXrN6aCSTaU1j07MVTFW/U1jQAq6GseB6bEvoEXFMUHJsgAObqCK9flfEC
+FEqXqWSo33hhPU7AKKttbDLjUYRNnQAPRUnRIl1/a1+UjqgKchWWD9ityeW8ICxo
+IdATX9reYmPDLIMqTC7zuflYkvrvdEOuBORQP5mn4j8t84MSQF/p4qzaU0XxLo4X
+ckzZCcHpa45AApCDjJMd9onhFVCYsykiYrF9NQFO8TI4lQ5jv79GoufEzvhY1SPB
+r1xz4sMpfyaoPaa3SM2/nD65E5jzXell2u2VWNGKv4zAQP0E5yGel+1rklBltadb
+XLdJyyak33CLBKu+nJc=
+-----END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha384.pem b/tests/data_files/parse_input/crl-rsa-pss-sha384.pem
new file mode 100644
index 0000000000..50f7e4cd24
--- /dev/null
+++ b/tests/data_files/parse_input/crl-rsa-pss-sha384.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgDOMDsxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
+MTM1NjI4WhcNMjQwMTE4MTM1NjI4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
+FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
+PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
+A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
+SAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBAAco
+SntUGDLBOAu0IIZaVea5Nt1NMsMcppC0hWPuH1LKAwyUODBqpT+0+AuALK0eIdYR
+a7mAB+cv2fFwmwxnQWJ1Fvx4ft/N2AAfB83VRKpSo3xR8bxloHfTWKmyxJHmH9j1
+EYmLS86rj3Nhjf4m/YlQQ3Im5HwOgSgBOE8glq5D+0Wmsi9LsNEZXEzMw7TMUgbs
+y9o/ghYF/shKU4mewK3DeM9gQiTcH5A4ISXR87hBQ08AKJRAG1CLvTyzqWiUUY+k
+q8iZDYF17sHrPi2yn8q9c4zdxiaWDGDdL0Lh90wXGTAageoGEq25TMuL5FpX+u1u
+KUH/xf1jEnNzbYNGiZw=
+-----END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl-rsa-pss-sha512.pem b/tests/data_files/parse_input/crl-rsa-pss-sha512.pem
new file mode 100644
index 0000000000..0f1d6510bc
--- /dev/null
+++ b/tests/data_files/parse_input/crl-rsa-pss-sha512.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgOhGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAIDogQCAgC+MDsxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw
+MTM1NjM4WhcNMjQwMTE4MTM1NjM4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB
+FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r
+PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG
+A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG
+SAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBAB9F
+ywBfxOjetxNbCFhOYoPY2jvFCFVdlowMGuxEhX/LktqiBXqRc2r5naQSzuHqO8Iq
+1zACtiDLri0CvgSHlravBNeY4c2wj//ueFE89tY5pK9E6vZp7cV+RfMx2YfGPAA2
+t7tWZ2rJWzELg8cZ8hpjSwFH7JmgJzjE5gi2gADhBYO6Vv5S3SOgqNjiN1OM31AU
+p6GHK5Y1jurF5Zwzs+w3wXoXgpOxxwEC4eiS86c9kNSudwTLvDTU0bYEQE1cF+K0
+sB8QWABFJfuO5kjD2w3rWgmAiOKsZoxd1xrda+WD3JhDXnoVq3oVBIVlWVz6YID8
+enMfMvwScA5AImzu9xA=
+-----END X509 CRL-----
diff --git a/tests/data_files/parse_input/crl_expired.pem b/tests/data_files/parse_input/crl_expired.pem
new file mode 100644
index 0000000000..cf60ae4d78
--- /dev/null
+++ b/tests/data_files/parse_input/crl_expired.pem
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjQx
+OVoXDTExMDIyMDExMjQxOVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKgP1XmCIPbfY1/UO+SVFQir
+jArZ94QnQdoan4tJ29d8DmTxJ+z9/KyWNoGeOwc9P/2GQQaZahQOBr0f6lYd67Ct
+wFVh/Q2zF8FgRcrQV7u/vJM33Q2yEsQkMGlM7rE5lC972vUKWu/NKq8bN9W/tWxZ
+SFbvTXpv024aI0IRudpOCALnIy8SFhVb2/52IN2uR6qrFizDexMEdSckgpHuJzGS
+IiANhIMn5LdQYJFjPgBzQU12tDdgzcpxtGhT10y4uQre+UbSjw+iVyml3issw59k
+OSmkWFb06LamRC215JAMok3YQO5RnxCR8EjqPcJr+7+O9a1O1++yiaitg4bUjEA=
+-----END X509 CRL-----
diff --git a/tests/data_files/crl_md5.pem b/tests/data_files/parse_input/crl_md5.pem
similarity index 100%
rename from tests/data_files/crl_md5.pem
rename to tests/data_files/parse_input/crl_md5.pem
diff --git a/tests/data_files/crl_sha1.pem b/tests/data_files/parse_input/crl_sha1.pem
similarity index 100%
rename from tests/data_files/crl_sha1.pem
rename to tests/data_files/parse_input/crl_sha1.pem
diff --git a/tests/data_files/crl_sha224.pem b/tests/data_files/parse_input/crl_sha224.pem
similarity index 100%
rename from tests/data_files/crl_sha224.pem
rename to tests/data_files/parse_input/crl_sha224.pem
diff --git a/tests/data_files/parse_input/crl_sha256.pem b/tests/data_files/parse_input/crl_sha256.pem
new file mode 100644
index 0000000000..c3ca25699f
--- /dev/null
+++ b/tests/data_files/parse_input/crl_sha256.pem
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIxMjE0NDQw
+N1oXDTExMDQxMzE0NDQwN1owKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQELBQADggEBAG4mBBgwfNynCYYL2CEnqore
+mgKpC32tB6WiUBu9figcvdN3nSX/1wrB8rpiE8R04C8oSFglwhotJCnlWsy42tjb
+0pk0Wuizln0PFMc/OypqRNNhwx31SHH42W4KzONiqvq3n/WkH3M1YniR1ZnMlyvi
+lJioQn6ZAoc6O6mMP1J9duKYYhiMAOV992PD1/iqXw+jYN31RwdIS8/mGzIs4ake
+EdviwhM3E4/sVbNOWCOnZFYV4m+yNAEe29HL1VKw6UXixBczct+brqXNVD3U6T0F
+5ovR6BTefZO17eT52Duke5RZGDUyQOGywxOYKI5W+FcOYdp+U5Idk399tAz2Mdw=
+-----END X509 CRL-----
diff --git a/tests/data_files/crl_sha384.pem b/tests/data_files/parse_input/crl_sha384.pem
similarity index 100%
rename from tests/data_files/crl_sha384.pem
rename to tests/data_files/parse_input/crl_sha384.pem
diff --git a/tests/data_files/crl_sha512.pem b/tests/data_files/parse_input/crl_sha512.pem
similarity index 100%
rename from tests/data_files/crl_sha512.pem
rename to tests/data_files/parse_input/crl_sha512.pem
diff --git a/tests/data_files/parse_input/keyUsage.decipherOnly.crt b/tests/data_files/parse_input/keyUsage.decipherOnly.crt
new file mode 100644
index 0000000000..7c379787a4
--- /dev/null
+++ b/tests/data_files/parse_input/keyUsage.decipherOnly.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFzCCAYCgAwIBAgIJAJsTzkylb95SMA0GCSqGSIb3DQEBBQUAMD8xCzAJBgNV
+BAYTAkdCMRIwEAYDVQQHDAlDYW1icmlkZ2UxHDAaBgNVBAoME0RlZmF1bHQgQ29t
+cGFueSBMdGQwHhcNMTUwNTEyMTAzNjU1WhcNMTgwNTExMTAzNjU1WjA/MQswCQYD
+VQQGEwJHQjESMBAGA1UEBwwJQ2FtYnJpZGdlMRwwGgYDVQQKDBNEZWZhdWx0IENv
+bXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9nxYOSbha/Ap4
+6rACrOMH7zfDD+0ZEHhbO0bgGRjc5ElvOaNuD321y9TnyAx+JrqPp/lFrAgNiVo1
+HPurPHfcJ+tNBUgBHboWGNENNaf9ovwFPawsBzEZraGnDaqVPEFcIsUQPVqO1lrQ
+CHLUjtqo1hMZDqe/Web0Mw9cZrqOaQIDAQABoxswGTAJBgNVHRMEAjAAMAwGA1Ud
+DwQFAwMH4IAwDQYJKoZIhvcNAQEFBQADgYEAJ0NS2wUbgRelK0qKxrR2Ts6jVYEH
+bmykx3GHjFyKpscDIn2vNyyB7ygfFglZPcw+2mn3xuVIwOV/mWxFvKHk+j2WrTQL
+tDqSC5BhFoR01veFu07JdEYvz+I+NCL5z0IGWXkUrk235Wl4w4WMZDnXTqncMNEk
+fLtpo9y79XD00QY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/multiple_san.crt b/tests/data_files/parse_input/multiple_san.crt
similarity index 100%
rename from tests/data_files/multiple_san.crt
rename to tests/data_files/parse_input/multiple_san.crt
diff --git a/tests/data_files/non-ascii-string-in-issuer.crt b/tests/data_files/parse_input/non-ascii-string-in-issuer.crt
similarity index 100%
rename from tests/data_files/non-ascii-string-in-issuer.crt
rename to tests/data_files/parse_input/non-ascii-string-in-issuer.crt
diff --git a/tests/data_files/rsa_multiple_san_uri.crt.der b/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der
similarity index 100%
rename from tests/data_files/rsa_multiple_san_uri.crt.der
rename to tests/data_files/parse_input/rsa_multiple_san_uri.crt.der
diff --git a/tests/data_files/parse_input/rsa_single_san_uri.crt.der b/tests/data_files/parse_input/rsa_single_san_uri.crt.der
new file mode 100644
index 0000000000..22308c6f45
Binary files /dev/null and b/tests/data_files/parse_input/rsa_single_san_uri.crt.der differ
diff --git a/tests/data_files/server1-ms.req.sha256 b/tests/data_files/parse_input/server1-ms.req.sha256
similarity index 100%
rename from tests/data_files/server1-ms.req.sha256
rename to tests/data_files/parse_input/server1-ms.req.sha256
diff --git a/tests/data_files/parse_input/server1.cert_type.crt b/tests/data_files/parse_input/server1.cert_type.crt
new file mode 100644
index 0000000000..34fe4f6a40
--- /dev/null
+++ b/tests/data_files/parse_input/server1.cert_type.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjqgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
+BkAwDQYJKoZIhvcNAQEFBQADggEBAElJPaCG6aFHoymoCrzckPfjENxgXW2czh5t
+TsMPshkzX5p2AU89GBGdy0gQwoPuMtcznsDe4adM6Na8f30YDffATsgDECMIWtV1
+XVYKQIwFmZzEt4B+5sUmyMOLtTuuZBThOLPwOw8e4RnILKOYPHnQNRf6Eap4lFDx
+lp2pAaiXMDWH88gmWoU5XrGTppllYV0IorzJ4xV9Sg3ittNwNO40ehVQDAseFwZH
+iyh9iHz4BqtWjElmQ3hL8N/Cbqp3iN15h2pUgIj8JIt9rCsIZrsG3K42iSlPzEn2
+DCzWQSj9cQNCRVJnwgJAWnC1Hx0YYFQMgQquVxnK15THTGQAeB8=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server1.crt b/tests/data_files/parse_input/server1.crt
new file mode 100644
index 0000000000..258da5e173
--- /dev/null
+++ b/tests/data_files/parse_input/server1.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
+AQEAf2k5OiORp60gBNqioC2mIqSXA0CU/qzllt8IvlcMv1V0PAP9f4IEm5mdkERr
+UXjnB1Tr3edrsvXLgZ9vEosbFpNMsKfsmBkpjgWG2ui8pdn8cJiws4k4h5fuueSw
+Ps1FLK5Tfpi+GJyPqk4ha9Ojp2p9opuA0aIfLuxI+0UzXH4wgrEW/Yydowv959gf
+gGSl766CRdUvJbXOeVryFjFTRfLFFNfTvrftZk1dl8tas1nim8xfWet+BZVvq2zY
+C7LeCI9nrfuAxfMJTrWFp17y72+hCDk7NEaB2ZLVuAM/ri7LWrr2V2hLFdIAhfC2
+nUaulRRpGt/ZTISw6uSIumNoNA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.crt.der b/tests/data_files/parse_input/server1.crt.der
similarity index 100%
rename from tests/data_files/server1.crt.der
rename to tests/data_files/parse_input/server1.crt.der
diff --git a/tests/data_files/server1.ext_ku.crt b/tests/data_files/parse_input/server1.ext_ku.crt
similarity index 100%
rename from tests/data_files/server1.ext_ku.crt
rename to tests/data_files/parse_input/server1.ext_ku.crt
diff --git a/tests/data_files/parse_input/server1.key_usage.crt b/tests/data_files/parse_input/server1.key_usage.crt
new file mode 100644
index 0000000000..9d70b0018f
--- /dev/null
+++ b/tests/data_files/parse_input/server1.key_usage.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
+DQYJKoZIhvcNAQEFBQADggEBAHM8eESmE8CQvuCw2/w1JSWKaU9cJIvrtpJXavRC
+yMEv6SQL0hxrNZBhFPM8vAiq6zBdic2HwuiZ9N/iEXuCf92SOcK4b/2/Flos0JI5
+quu4eGkwoNrOvfZUcO7SB8JHUvmJtTP+avF3QeRfHo9bHRtnyOs9GXqq+CMZiNgO
+Bw+/tAOml3tV1Uf+yjp6XroWLRNMbvY1Sor4UW6FFMpOii/vlJ4450OlpcJdRU70
+LpHfxjmPNvc9YOPWve75/+CNF9lMi29UoEUYslxMPylZ/L0vYxi+xuvQBTaLiZeP
+CJ59Mc63LEmJNSAwnnV8s2KXL/Okm32lf6sy0fjsrvAdoCc=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.req.commas.sha256 b/tests/data_files/parse_input/server1.req.commas.sha256
similarity index 100%
rename from tests/data_files/server1.req.commas.sha256
rename to tests/data_files/parse_input/server1.req.commas.sha256
diff --git a/tests/data_files/parse_input/server1.req.md5 b/tests/data_files/parse_input/server1.req.md5
new file mode 100644
index 0000000000..57714ede37
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.md5
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBAUA
+A4IBAQCEiv3QM4xyKhYTsoOjyzQdXMhsXK3Kpw+Rh874Hf6pXHxUaYy7xLUZUx6K
+x5Bvem1HMHAdmOqYTzsE9ZblAMZNRwv/CKGS3pvMkx/VZwXQhFGlHLFG//fPrgl3
+j4dt20QsWP8LnL4LweYSYI1wt1rjgYRHeF6bG/VIck6BIYQhKOGlzIwWUmfAGym6
+q4SYrd+ObZullSarGGSfNKjIUEpYtfQBz31f5tRsyzSps7oG4uc7Xba4qnl2o9FN
+lWOMEER79QGwr7+T41FTHFztFddfJ06CCjoRCfEn0Tcsg11tSMS0851oLkMm8RyY
+aozIzO82R3Em7aPhZBiBDy3wZC2l
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha1 b/tests/data_files/parse_input/server1.req.sha1
new file mode 100644
index 0000000000..578ec7f79a
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.sha1
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBQUA
+A4IBAQCiYQMOv2ALPUeg8wHKn9L5SdDbNxOzuMwhYsCYTw2TJMQO7NLUq6icEzxY
+pUIIFt60JUQjZHxQSY3y9cSivwKXQA7pPfaPaFC/aMA2GxG23t2eaIWNQX8MfcWf
+XAa8bl/vmC1MTov+mP2DGoXRiKYORrEInyDS2RaTathvHckcAv25nCIx7wYO9tC9
+LUwyoE9bhiQ7fo3KFlz4dK1HukyCM/FoPbJuL7NgdzmKVPyYCLh5Ah+TTD6+sltz
+dFc4fj28w1v3jsBXz+tLrgFQidzuUI2poxt5UwU9TKY0dAJaTCtfIRcXW3h6DGG7
+EDR6rim6sbIQkGzYvGqs4TNoJOR+
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha224 b/tests/data_files/parse_input/server1.req.sha224
new file mode 100644
index 0000000000..a4f2af4c1d
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.sha224
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDgUA
+A4IBAQArYR2mLKU5lsHyAyGHr4PlmC/cfePmCRyC/mj1riGTjDlNC2X3J1VZDqKb
+U/uUxLudP7sbuttRksIAREATT74Pa40bMWiPUlBfA/M2mFTmKb/91uXeIISW8DL3
+xM/5BCDrhnZ/cjP23gKDgJRk+IGBNhYZDGz50TIBbDJ2e4GDkFjzANngUW64UcCQ
+7hZOYtnYLBnoRvPwtal5jZqHwsgaPPePXu+SQ8mfuAJwJ78MOCAaKw0IP1h1OnPG
+iubdl34lSIaYWwbHTdjaqUSQG3SSs4oxEvluYymrpZ6XGKXtphJXEPdTRiLu9d9l
+A5NYVgvqHFQPmuXS92zrGzB788pV
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha256 b/tests/data_files/parse_input/server1.req.sha256
new file mode 100644
index 0000000000..6d21dc5d94
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.sha256
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
+A4IBAQCVlSU7qeKri7E3u8JCZbCyjsGJTH9iHYyeDZ/nDLig7iKGYvyNmyzJ76Qu
++EntSmL2OtL95Yqooc6h1AQHzoCs+SO2wPoTUs3Ypi9r7vNNVO3ZnnxVtGgqCRVA
+W+z9W4p2mHXQhgW1HkuLa5JD1SvJViyZbx9z3ie1BQ9NVKfv++ArPIv70zBtA7O3
+PZNG1JYN30Esz7RsCDRHbz6Npvu9ggUQL/U3mvQQ+Yo+xhwu1yFV+dRH7PebBeQv
+vjcD2fXDabeofK3zztIpUIyUULX0GGClM9jslgJ/ZHUlArWKpLZph0AgF1Dzts//
+M6c/sRw7gtjXmV0zq2tf2fL4+e2b
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha384 b/tests/data_files/parse_input/server1.req.sha384
new file mode 100644
index 0000000000..b857af7f15
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.sha384
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDAUA
+A4IBAQBy35zHYLiYaScq1niQkzQ/BScUbdiWd2V90isBsB5Q3NjVoJl/yCaMrla3
+2XfrutpFpdqwenl5jM0o6+enKCmfur+z2/ije69Dju2aBd6A62cx1AEvFiMq7lyF
+4DYJ32+2ty6KA8EhzE3NFs7zKXxmD5ybp+oXNEvXoeU3W8a+Ld5c1K/n+Ipa0TUy
+cFBs6dCsbYO9wI6npwWqC5Hc9r/0zziMFO+4N5VORdYUFqObq4vCYOMXETpl8ryu
+lGZorNUoJ7vV55T31CDqEtb0EE+nO+nT4agfDobncYjvc3WpQuLtUB4UwR5gpZl6
+ZI+j4uwikOgGO9gcx4IjaRP3q63F
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/parse_input/server1.req.sha512 b/tests/data_files/parse_input/server1.req.sha512
new file mode 100644
index 0000000000..85d52460db
--- /dev/null
+++ b/tests/data_files/parse_input/server1.req.sha512
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDQUA
+A4IBAQBb8jNpt0nkNVWstVoOCepQSF5R1R9hF0yEr7mk3HB9oO/nK07R1Oamgjw+
+CHQReTSjIKUX53o7ZwNZB5E+jBDsGz/2Yyj/vxNHJFk2exELtW30he8K2omVHE1F
+XESbftCssWLNpTSDq6ME12+llkEDtgCtkv69oRUkuuF5ESUSZRGIZN4Vledm8SM1
+uGFtaG/PXbBbtUaNwNISDeIWDKRtbuca5web+QEi1djiUH21ZWIGEpOy7mtkYmRs
+Qt1D32FoaqFNhafiaxNIXO11yd4lgpaDDlmrOSBsELcTIF9916o3DwMeVXy0GONW
+BrwaO8q8rg+C+xvMY7858Kk8kwjb
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1_pathlen_int_max-1.crt b/tests/data_files/parse_input/server1_pathlen_int_max-1.crt
similarity index 100%
rename from tests/data_files/server1_pathlen_int_max-1.crt
rename to tests/data_files/parse_input/server1_pathlen_int_max-1.crt
diff --git a/tests/data_files/server1_pathlen_int_max.crt b/tests/data_files/parse_input/server1_pathlen_int_max.crt
similarity index 100%
rename from tests/data_files/server1_pathlen_int_max.crt
rename to tests/data_files/parse_input/server1_pathlen_int_max.crt
diff --git a/tests/data_files/parse_input/server2.crt b/tests/data_files/parse_input/server2.crt
new file mode 100644
index 0000000000..074519676b
--- /dev/null
+++ b/tests/data_files/parse_input/server2.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
+owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
+NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
+tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
+hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
+HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
+VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
+FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4
+cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A
+O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc
+KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE
+iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp
+HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap
+Awgk0+4m0T25cNs=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server2.crt.der b/tests/data_files/parse_input/server2.crt.der
new file mode 100644
index 0000000000..9cfa9ab140
Binary files /dev/null and b/tests/data_files/parse_input/server2.crt.der differ
diff --git a/tests/data_files/parse_input/server3.crt b/tests/data_files/parse_input/server3.crt
new file mode 100644
index 0000000000..ed0d696b4a
--- /dev/null
+++ b/tests/data_files/parse_input/server3.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTMwODA5MDkxNzAzWhcNMjMwODA3MDkxNzAzWjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG
+CCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5
+fQcsej6EFasvlTdJ/6OBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTkF2s2sgaJ
+OtleQ7bgZH2Hq33eNzBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/
+pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQ
+b2xhclNTTCBUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjmSIjGKD1eH5W
+4bl2MXfNIsTwc2vv/MAAhBzBEbTXd3T37+zAGPGjKncvTB+oufUVRGkoKbfoC6Jm
+DYSEUuxtnUZOko/C//XlCEtK0TuS2aLEqF3gJjBJTCfthEdAhJCtmPAQDCzeKsdx
+CoOtH0NQx6Xl64oDt2wYSQNWUTGLPfRpdsVEvBHhHYATQijkl2ZH8BDjsYcBicrS
+qmCeN+0T1B9vrOQVEZe+fwgzVL38n8lkJZNPIbdovA9WLHwXAEzPv4la3w0qh4Tb
+kSb8HtILl4I474QxrFywylyXR/p2znPleRIRgB5HtUp9tLSWkB0bwMlqQlg2EHXu
+CAQ1sXmQ
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server4.crt b/tests/data_files/parse_input/server4.crt
new file mode 100644
index 0000000000..96b1aa7729
--- /dev/null
+++ b/tests/data_files/parse_input/server4.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAnCgAwIBAgIBCDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKvXjL5VfYc7D/truqEpYcZcvlUhnuCNDJctYDJL
+vgYYj5uxDxLHBXvnEHLgO5K+lps42p+r/dd4oE64ttRoeZZUvr+7eBnW35n0EpPA
+Ik9Gwu+vg7GfxmifgIR8hZnOQkt2OjvvpChPCxvUailtB450Izh+mEK/hYFr+7Jl
+NnxR1XQlbbyDM7Ect1HwYcuS3MBlBqq048J+0KEkQXICSjKeHFga9eDCq+Jyfqe5
+bt0K30hl1N0164B7aoh08Eomme+aSuAsz+MsJ3m7AO2DUYdrDxlrky1QrvRWWfX0
+d8djTM+uHTo1DviRM6o9+P9DfoFd53/Z0Km03sVLQWvUrhECAwEAAaOBnTCBmjAJ
+BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTBuBgNVHSME
+ZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkA
+wUPifmJDzOgwCgYIKoZIzj0EAwIDaAAwZQIxAPWlxnMcjBaxaVieQYSLBqzizS3/
+O8Na6owRGPk0/UK+j5O9NTBHk+uXW/fQblKamQIwUQl4dl6gkRDE4rBR/yGjZZ1Z
+3dEpvL2Wimt3keD7AcLpYB2FJ1mVcY1XQUeK1Vfc
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-directoryname-seq-malformed.crt.der b/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der
similarity index 100%
rename from tests/data_files/server5-directoryname-seq-malformed.crt.der
rename to tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der
diff --git a/tests/data_files/server5-directoryname.crt.der b/tests/data_files/parse_input/server5-directoryname.crt.der
similarity index 100%
rename from tests/data_files/server5-directoryname.crt.der
rename to tests/data_files/parse_input/server5-directoryname.crt.der
diff --git a/tests/data_files/server5-fan.crt b/tests/data_files/parse_input/server5-fan.crt
similarity index 100%
rename from tests/data_files/server5-fan.crt
rename to tests/data_files/parse_input/server5-fan.crt
diff --git a/tests/data_files/server5-nonprintable_othername.crt b/tests/data_files/parse_input/server5-nonprintable_othername.crt
similarity index 100%
rename from tests/data_files/server5-nonprintable_othername.crt
rename to tests/data_files/parse_input/server5-nonprintable_othername.crt
diff --git a/tests/data_files/server5-othername.crt b/tests/data_files/parse_input/server5-othername.crt
similarity index 100%
rename from tests/data_files/server5-othername.crt
rename to tests/data_files/parse_input/server5-othername.crt
diff --git a/tests/data_files/server5-second-directoryname-oid-malformed.crt.der b/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der
similarity index 100%
rename from tests/data_files/server5-second-directoryname-oid-malformed.crt.der
rename to tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der
diff --git a/tests/data_files/parse_input/server5-sha1.crt b/tests/data_files/parse_input/server5-sha1.crt
new file mode 100644
index 0000000000..73e2d1745a
--- /dev/null
+++ b/tests/data_files/parse_input/server5-sha1.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHTCCAaSgAwIBAgIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x
+MzA5MjQxNjIxMjdaFw0yMzA5MjIxNjIxMjdaMDQxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDY
+IxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6OBnTCBmjAJBgNVHRMEAjAAMB0G
+A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjBuBgNVHSMEZzBlgBSdbSAkSQE/
+K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFy
+U1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH
+KoZIzj0EAQNoADBlAjEAyjvzRWtxbXvkoYTYSQY9gFBpP7/wTZ2q6FbRiAuZULFt
+lc0PMPDfVZChgA6iDH+BAjBdkOb73f2pOwZpMRqrOgqSynbt2uWY87mC5lRlNEoR
+WXEv1AzIeBCv+81DN1Iuu4w=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha224.crt b/tests/data_files/parse_input/server5-sha224.crt
new file mode 100644
index 0000000000..47b11688c6
--- /dev/null
+++ b/tests/data_files/parse_input/server5-sha224.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIDCCAaWgAwIBAgIBEzAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
+BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
+clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMBA2kAMGYCMQCj0EyFUzDRmfokWzLVEWN0epR4/sZytfIeozp6BqWH
+qaTBdAR2vthIKC7dKuUkg34CMQD6YtB2O9Vso79gbzSen2qh7gK7VvGE+31EVPbR
+Ce/oNG/3OfhRSdn3FOvBBg2UErM=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha384.crt b/tests/data_files/parse_input/server5-sha384.crt
new file mode 100644
index 0000000000..5d6a79b2fe
--- /dev/null
+++ b/tests/data_files/parse_input/server5-sha384.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHzCCAaWgAwIBAgIBFDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
+BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
+clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMDA2gAMGUCMQCnsd/6VB2kLIqMRsWdkJvRaQROyAg78CQExFEY3CMv
+9t0kWRXPc4nCMH69RjQVvC4CMB4lk9A7hnX2zQy3bbUhOCOvXcsQdEe8AMgJBviz
+5Nob2wThRqsm1wjCF60fyzXWuA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server5-sha512.crt b/tests/data_files/parse_input/server5-sha512.crt
new file mode 100644
index 0000000000..16112ac54f
--- /dev/null
+++ b/tests/data_files/parse_input/server5-sha512.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHzCCAaWgAwIBAgIBFTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
+BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
+clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMEA2gAMGUCMFPL2OI8arcbRlKAbRb/YfGibo4Mwts8KX3fOuRCbXEn
+pDWeb82kBqfXwzPJwamFOwIxAPGzyhWrxn0qEynWV5nzFK02PYBnYFgClISyyudH
+HJGHtbEVRc5JA8ALnggaLVpuvg==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-two-directorynames.crt.der b/tests/data_files/parse_input/server5-two-directorynames.crt.der
similarity index 100%
rename from tests/data_files/server5-two-directorynames.crt.der
rename to tests/data_files/parse_input/server5-two-directorynames.crt.der
diff --git a/tests/data_files/server5-unsupported_othername.crt b/tests/data_files/parse_input/server5-unsupported_othername.crt
similarity index 100%
rename from tests/data_files/server5-unsupported_othername.crt
rename to tests/data_files/parse_input/server5-unsupported_othername.crt
diff --git a/tests/data_files/parse_input/server5.crt b/tests/data_files/parse_input/server5.crt
new file mode 100644
index 0000000000..4597428280
--- /dev/null
+++ b/tests/data_files/parse_input/server5.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
+2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
+BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
+clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S
+C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V
+fGa5kHvHARBPc8YAIVIqDvHH1Q==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.req.sha1 b/tests/data_files/parse_input/server5.req.sha1
similarity index 100%
rename from tests/data_files/server5.req.sha1
rename to tests/data_files/parse_input/server5.req.sha1
diff --git a/tests/data_files/server5.req.sha224 b/tests/data_files/parse_input/server5.req.sha224
similarity index 100%
rename from tests/data_files/server5.req.sha224
rename to tests/data_files/parse_input/server5.req.sha224
diff --git a/tests/data_files/server5.req.sha256 b/tests/data_files/parse_input/server5.req.sha256
similarity index 100%
rename from tests/data_files/server5.req.sha256
rename to tests/data_files/parse_input/server5.req.sha256
diff --git a/tests/data_files/server5.req.sha384 b/tests/data_files/parse_input/server5.req.sha384
similarity index 100%
rename from tests/data_files/server5.req.sha384
rename to tests/data_files/parse_input/server5.req.sha384
diff --git a/tests/data_files/server5.req.sha512 b/tests/data_files/parse_input/server5.req.sha512
similarity index 100%
rename from tests/data_files/server5.req.sha512
rename to tests/data_files/parse_input/server5.req.sha512
diff --git a/tests/data_files/server7_all_space.crt b/tests/data_files/parse_input/server7_all_space.crt
similarity index 100%
rename from tests/data_files/server7_all_space.crt
rename to tests/data_files/parse_input/server7_all_space.crt
diff --git a/tests/data_files/parse_input/server7_int-ca.crt b/tests/data_files/parse_input/server7_int-ca.crt
new file mode 100644
index 0000000000..d3ddc46a8b
--- /dev/null
+++ b/tests/data_files/parse_input/server7_int-ca.crt
@@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
+47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
+MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
+IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
+AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
+FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
+8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
++gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
+QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
+yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
+TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
+deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
+0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
+OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
+VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
+a8Si6UK5
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
+vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
+wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
+CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g
+Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q
+AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2
+qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM
+uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA
+kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P
+d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
+Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
+updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
+a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
+AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
+i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
+Af5cNR8KhzegznL6amRObGGKmX1F
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server7_pem_space.crt b/tests/data_files/parse_input/server7_pem_space.crt
similarity index 100%
rename from tests/data_files/server7_pem_space.crt
rename to tests/data_files/parse_input/server7_pem_space.crt
diff --git a/tests/data_files/server7_trailing_space.crt b/tests/data_files/parse_input/server7_trailing_space.crt
similarity index 100%
rename from tests/data_files/server7_trailing_space.crt
rename to tests/data_files/parse_input/server7_trailing_space.crt
diff --git a/tests/data_files/parse_input/server9-sha224.crt b/tests/data_files/parse_input/server9-sha224.crt
new file mode 100644
index 0000000000..1b05f313a4
--- /dev/null
+++ b/tests/data_files/parse_input/server9-sha224.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBFzA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIwOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTczNloXDTI0MDExODEzNTczNlowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBADJExjfWWvL28lgj+GGgviqo
+PHZLxI0pLQUnFJQ9Kpu6jxfICseBF00Z6BJE/RcYDpIie5GDt/8u/i6xB6Li29Pm
+g5nANgd/Y3fFnW7d0ydVjiSnetlPuf/jTlWQl6mQTH2xqYu8J8d3JRxQdRiDYbVm
+uywW2d6rksiqm6dPD5l4A5DcemcYo8f/1Ifj5WNDCV8/OHex+AnW2ccDvWAnVgSR
+B2VpOXJzVFuBsuf4tGVm/2TUMSB6NcvFc6TeJk1kzbZxii4QjKXtH1SfrVP59iEe
+l17NYAEWARjBpQWBiutRG+QM2et0sNiUBuWxTkvd0eSgencNysVAOsZqrqaX3CY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha256.crt b/tests/data_files/parse_input/server9-sha256.crt
new file mode 100644
index 0000000000..7d0aa39567
--- /dev/null
+++ b/tests/data_files/parse_input/server9-sha256.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAH0+knqkcLaxeDkenBQgd4Qg
+3ZyAhtpiLU689mw+3cXB/uzFrCIxEL5aGh1eSj+DszB+FtsZ06ux7JVQqVOA2Wm9
+yLxC6wF8OOYj0nBa91BWLhRAHLhmIdWsVk7Hl9KojZd4TwV2N+ZEV/BLxyoRvK4H
+V4xCpzgDSiTPe8Etk4r+0akbr6bsOUBayPb7MGLHubZKq8NsFAmmynp+fPmHd3SE
+0ooJdiZ1MmKPKLE5Og/hXCI8qeiXQUR6oQ7b2XONsrI2HIj2SA9dA5qmHwE5PbMu
+zqxQ3R83boqLXbkFORn+UiYLmffqdoWuNy00BHMCrxRA9DUv+WyN4npLMF8rOJw=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha384.crt b/tests/data_files/parse_input/server9-sha384.crt
new file mode 100644
index 0000000000..aaa63e6ed2
--- /dev/null
+++ b/tests/data_files/parse_input/server9-sha384.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTc1OFoXDTI0MDExODEzNTc1OFowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBABf8Gyq2VYuN1EBW1nOapDQp
+B/KuafNW2GEJ7FmQKNyA7MIj1Yqo2MtJ6/OQojRQ3F5rnO4yjmvIPsXeQaMxJBiI
+aaoAlLpH++F+oXMq/0aS0WSZrSLrsh2Fpay9cBDGwek2rDOX9kM+ZcPzGitVwWKX
+TnOW22hpcl7u95CpZH+JZTcto5nL3tTyV9pIy+tSKQQfjPB+G0TAZCsOkbCGPLug
+qdjvqFQwOf15VxQMj7NRiXjlqJvsx+I7B2AIhrs4DzQMEyiWq9S/PzpQuFU5v/Kg
+s2iMLJ5ygv5aN3PYqGlE1ZmvgyRp5h/LaTGI2L6lzRTnecOhtPv30N2tyaDAEfo=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9-sha512.crt b/tests/data_files/parse_input/server9-sha512.crt
new file mode 100644
index 0000000000..a211b921dc
--- /dev/null
+++ b/tests/data_files/parse_input/server9-sha512.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWzCCAhKgAwIBAgIBGjA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6Ea
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4wOzELMAkGA1UEBhMCTkwx
+ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X
+DTE0MDEyMDEzNTgxMloXDTI0MDExODEzNTgxMlowNDELMAkGA1UEBhMCTkwxETAP
+BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C
+uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI
+i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV
+AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy
+36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ
+BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
+VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6EaMBgGCSqG
+SIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBACdVozFq6rUiXo+ib5Y2oPsR
+6xxl4Ydn3LpUoYrPpTOrhcXJWW/tOLHGuCF/mSRfUzKaMIfL418cZHYnvumvuttu
+6z3tp5E1VsiZCU2MWJnzjKSxFBOss43AmpJHHoapGFZu2pxObBPqegAKHYkKWOLk
+tJDj47PurWgEek9j1nL7Pc1tVf59fm/ySp4fWkXLLvQiKid1516VioLyacUvK3zU
+6Egz8jMt7D5c9KpaExLRTANVsThqO5/dmR36bOwm3Hpbde7DNdgxru41tiLMqJs/
+5pX3ceaJ1XQ/l0idj5/9ipvqHHUguyk7H22HwQHQdSD9oIha8kEM3P6CjpfE7yY=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/parse_input/server9.crt b/tests/data_files/parse_input/server9.crt
new file mode 100644
index 0000000000..a6f9fbc76c
--- /dev/null
+++ b/tests/data_files/parse_input/server9.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG
+EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
+Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO
+TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g
+HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo
+r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0
+qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ
+wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w
+OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh
+clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR
+vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6
+te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW
+Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj
+88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw
+JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1
+o4Hl/lqjwCEG
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server9.req.sha1 b/tests/data_files/parse_input/server9.req.sha1
similarity index 100%
rename from tests/data_files/server9.req.sha1
rename to tests/data_files/parse_input/server9.req.sha1
diff --git a/tests/data_files/server9.req.sha224 b/tests/data_files/parse_input/server9.req.sha224
similarity index 100%
rename from tests/data_files/server9.req.sha224
rename to tests/data_files/parse_input/server9.req.sha224
diff --git a/tests/data_files/server9.req.sha256 b/tests/data_files/parse_input/server9.req.sha256
similarity index 100%
rename from tests/data_files/server9.req.sha256
rename to tests/data_files/parse_input/server9.req.sha256
diff --git a/tests/data_files/server9.req.sha384 b/tests/data_files/parse_input/server9.req.sha384
similarity index 100%
rename from tests/data_files/server9.req.sha384
rename to tests/data_files/parse_input/server9.req.sha384
diff --git a/tests/data_files/server9.req.sha512 b/tests/data_files/parse_input/server9.req.sha512
similarity index 100%
rename from tests/data_files/server9.req.sha512
rename to tests/data_files/parse_input/server9.req.sha512
diff --git a/tests/data_files/test-ca-any_policy.crt b/tests/data_files/parse_input/test-ca-any_policy.crt
similarity index 100%
rename from tests/data_files/test-ca-any_policy.crt
rename to tests/data_files/parse_input/test-ca-any_policy.crt
diff --git a/tests/data_files/test-ca-any_policy_ec.crt b/tests/data_files/parse_input/test-ca-any_policy_ec.crt
similarity index 100%
rename from tests/data_files/test-ca-any_policy_ec.crt
rename to tests/data_files/parse_input/test-ca-any_policy_ec.crt
diff --git a/tests/data_files/test-ca-any_policy_with_qualifier.crt b/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt
similarity index 100%
rename from tests/data_files/test-ca-any_policy_with_qualifier.crt
rename to tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt
diff --git a/tests/data_files/test-ca-any_policy_with_qualifier_ec.crt b/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt
similarity index 100%
rename from tests/data_files/test-ca-any_policy_with_qualifier_ec.crt
rename to tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt
diff --git a/tests/data_files/test-ca-multi_policy.crt b/tests/data_files/parse_input/test-ca-multi_policy.crt
similarity index 100%
rename from tests/data_files/test-ca-multi_policy.crt
rename to tests/data_files/parse_input/test-ca-multi_policy.crt
diff --git a/tests/data_files/test-ca-multi_policy_ec.crt b/tests/data_files/parse_input/test-ca-multi_policy_ec.crt
similarity index 100%
rename from tests/data_files/test-ca-multi_policy_ec.crt
rename to tests/data_files/parse_input/test-ca-multi_policy_ec.crt
diff --git a/tests/data_files/test-ca-unsupported_policy.crt b/tests/data_files/parse_input/test-ca-unsupported_policy.crt
similarity index 100%
rename from tests/data_files/test-ca-unsupported_policy.crt
rename to tests/data_files/parse_input/test-ca-unsupported_policy.crt
diff --git a/tests/data_files/test-ca-unsupported_policy_ec.crt b/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt
similarity index 100%
rename from tests/data_files/test-ca-unsupported_policy_ec.crt
rename to tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt
diff --git a/tests/data_files/parse_input/test-ca.crt b/tests/data_files/parse_input/test-ca.crt
new file mode 100644
index 0000000000..31790b5bb4
--- /dev/null
+++ b/tests/data_files/parse_input/test-ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
+mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
+50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
+YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
+R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
+KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
+A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
+hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
+8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
+zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
+0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
+mtxyUALj2pQxRitopORFQdn7AOY5
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.crt.der b/tests/data_files/parse_input/test-ca.crt.der
similarity index 100%
rename from tests/data_files/test-ca.crt.der
rename to tests/data_files/parse_input/test-ca.crt.der
diff --git a/tests/data_files/test_cert_rfc822name.crt.der b/tests/data_files/parse_input/test_cert_rfc822name.crt.der
similarity index 100%
rename from tests/data_files/test_cert_rfc822name.crt.der
rename to tests/data_files/parse_input/test_cert_rfc822name.crt.der
diff --git a/tests/data_files/test_csr_v3_all.csr.der b/tests/data_files/parse_input/test_csr_v3_all.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_len1.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_len2.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der
diff --git a/tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der b/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
rename to tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der
diff --git a/tests/data_files/test_csr_v3_keyUsage.csr.der b/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_keyUsage.csr.der
rename to tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der
diff --git a/tests/data_files/test_csr_v3_nsCertType.csr.der b/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_nsCertType.csr.der
rename to tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der
diff --git a/tests/data_files/test_csr_v3_subjectAltName.csr.der b/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der
similarity index 100%
rename from tests/data_files/test_csr_v3_subjectAltName.csr.der
rename to tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt
index 9e461cd0c6..fe282ab836 100644
--- a/tests/data_files/pkcs7-rsa-sha256-1.crt
+++ b/tests/data_files/pkcs7-rsa-sha256-1.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIUI2LNEq0VTrCDZpmJyvSG20rKV+MwDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+NyBDZXJ0IDEwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N
-Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4
-3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j
-9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra
-xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7
-y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC
-AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY
-MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8
-wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8
-1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51
-1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9
-SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H
-EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqiVc1m06wYnKshqXSoOFDl
+iFW6F/3I/vVmD6/kyTmsZ425tiCiunmSR2rlJc7/2aWbTH0P3ut3dinnooUsSws8
+EwRTjSdECDzF96QTCIUvhMHINQfpQuxSr9leK3AvoiCPi3XUefKhTuoF1A/bTQx2
+QcNzJluQPAzdvUDFBZLdLImjJ7gid1j7KSRZHjVxnFPnolr1EELXDJs29RVup1in
+8fOaBIlHEArWuSgV2aQ7uVLuBHM8Nz0Y810PElgUaOCMxGvo/Ew4TpBJfDipSD2l
+WFPisxnBzjmq3byi+mARpr+BHxETvbrZ1uRbaIA6bzGL1PZlw/vMcvuTHu3yKMkC
+AwEAAaNTMFEwHQYDVR0OBBYEFBvPc+YWbxPtP3MFjmyrL6lQkJJvMB8GA1UdIwQY
+MBaAFBvPc+YWbxPtP3MFjmyrL6lQkJJvMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAJK7huNJR+TlkZBHiCtb0KMfljHRWPuAL6fW0mGvBDeZyRTH
+OzGdqgjnYzgYZ538pG7TsMGomrSQwlATfICKsf8dNSlnPqOiIPo2fdd8gr/tO7yl
+FG/KvXk0v5Dfs4RGUs7UYdmzncEYC2JsToFsD4jja+5tnY//NJRxkJdswfn+wBqH
+wN+y4qELdq+AEBKymbQsIwOBt3UdeVUwBBjtqJXFtET9yhqkqVxnb/i0jHrhjyiS
+Q/Y+T9s35+A6XlI6nSiJLDxMfgJVCWa2OtGI//aAlzlw+6dHiiJVVBHpZbW0YTY4
+qE7kjhPrddJYlB6k4S3ub9j4e87k0P0IyFptxw8=
-----END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der
index 0d799ea335..ed29e40933 100644
Binary files a/tests/data_files/pkcs7-rsa-sha256-1.der and b/tests/data_files/pkcs7-rsa-sha256-1.der differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.key b/tests/data_files/pkcs7-rsa-sha256-1.key
index e31159d561..c6367fb29c 100644
--- a/tests/data_files/pkcs7-rsa-sha256-1.key
+++ b/tests/data_files/pkcs7-rsa-sha256-1.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIts9piZzR8Ou0
-ymRcBecODS7+3cxh0InL1RWjmjV5uSNDth7HUAYPtO03h2MyQA5CXx03bH51wpcz
-FO30uzDI+N0Dufz/lVokXUkTetbmAFbKwZVSqGXVIYcYfMBCycSePjqcF6U0tFPN
-q8DLETtPY/WzF0ue6ZArGRDRFJaieadDJq3P7hC/2efrr7s3e+m2OVkWXRPdV1EX
-HK2tPB062saLyAEdYbVM9gF4vjaDmomskatBnjyjfWuogdJVGMTbaLym98g2AvaZ
-qGsX+x53O8vnS7k6SbJRroZCi1dA4YaLsdb6ueKHEumOwxmtj8pNcwEMSwnEuARY
-lh588INTAgMBAAECggEBAIg+P1B+TurbRMQ11iX5A7wwCsSKPh/vdHneLJAfL0lu
-+JcP2piko1iqEZPt3NHRVVyMP8LNbJH3Ardz74p+PkFNXIkZCLlc4hFpGR+V9KWv
-eTqsaPXwxR8FYTSoCcHMQCDCUPp/um6qMXCcs4OkMMRVMATfPT+jf28h1p52AUJL
-aAoBJfn7gP3WiB0FWq0bRZgSZzNYowE/MhGAQ+DuBGTSASSK3YJcxE94044fBVE8
-EqYKrxoY/x56li5cZ0v9kaURCrvhqCeq2+U5kIkgtvp2l6wF0Mm1du3BLxo2LQEI
-Y2j+6BFEV74Mtv48GTwrZcyit787zyo9vVGcviSD5VECgYEA/mgLc5KfF/cQLmM/
-20T4k0edvktkRIJHFUBphowt5Hb0a0wM5C1VM4z3yN3b9ikQK+ZaQXETdPATBXIe
-LntX1D1xtbMxdcAfd1FSq8QxAuaPknJZBgtzlpCsx3ZvMnNuzKZN/TU8kR1biwPE
-9HaeEG3bouUu+CI/l/DqrBbQRacCgYEAyfiqsLWGhXQ7e3pLk47PDYlMOsjDWPjs
-SGcatH1/lIMWyZue4W2IUcFMbpbjA6QWibo3VnOavIRSTn97JNUWYvgc5MmaQ7iX
-Iss4m3vJ1LIqx30iUgw3EfDoWdpufEEYssZ/VxJPs3sdmZGALgd3CaqxHJuhuS+U
-eVhWzD6LonUCgYBRCbt8GRxsedrBrAPPSO0VnR52W3WZDRavglEa9tQ3jlzVQOhq
-VrZpMWJMrb8/bl0kXsApUGeuPDsS5QMQM2IKzXfHNUlwBL8BNvpqlJg4IFFjiOEq
-t8MeFv+ymdtZ6sNElUUKf0bHwt5CLfUzGgXHnfb0sKSBjgdL0wYtwyacyQKBgQDJ
-NcyG4zEy/srLhtiIFnu8Fo40+hFzL/nlX6JBMc3KHJa1Hy43krF+ET6d5gAffndd
-moDKxbzgFksRHPuHhCobSucuHpJq6RjYdvDcJYS7OwxXVRi9+KFcZE52RaBQdWGv
-qQTvr7RrMDoa5dN3B8TVgpGT2JBTN02JXjKKo7zkiQKBgCZwKDiXl7qsGidvlFZc
-4CEtFsCgnNgdRTzsTL/Pr8q9CBK3BhjZjNzQALF1iGFDC1FdFYFOwI1E3j+MRHJB
-rQMF8zbmmlZ6SC5QtqatCSCCKUyrUjD5J+4UfJqWFjiBBdwz+5VJojHw1yijEwl4
-LrS/V2yBrDJVczQQM4psonLF
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaolXNZtOsGJyr
+Ial0qDhQ5YhVuhf9yP71Zg+v5Mk5rGeNubYgorp5kkdq5SXO/9mlm0x9D97rd3Yp
+56KFLEsLPBMEU40nRAg8xfekEwiFL4TByDUH6ULsUq/ZXitwL6Igj4t11HnyoU7q
+BdQP200MdkHDcyZbkDwM3b1AxQWS3SyJoye4IndY+ykkWR41cZxT56Ja9RBC1wyb
+NvUVbqdYp/HzmgSJRxAK1rkoFdmkO7lS7gRzPDc9GPNdDxJYFGjgjMRr6PxMOE6Q
+SXw4qUg9pVhT4rMZwc45qt28ovpgEaa/gR8RE7262dbkW2iAOm8xi9T2ZcP7zHL7
+kx7t8ijJAgMBAAECggEACirXl611yERng7iPRO59InOPKOzXID6XpgDHkgYJ5ZcE
+iYzvENsGRhFUTQ7jUyafM8x/5V62ZnbYwAVdGiLJDeRtryyDtNPcM0vEfkcqmaA/
+20J72yjvF60RpyoSEtqs7zVlAvK9MHMDBm/q6z59BM9fQFfJSz6y9hkb1R8HQGpc
+ktIBxqANvQ3XYzPwxBdECB6YH12t1UkCEFNmOVup7M/TpMBu79h4cd69Q709iOqP
+9kIOxABrRE7evWpwYHFCI7QfbRpFeY7I9b94NQULmOLKJm8QfYfXumzfIQ3gqUW2
+WyIOJc5zAftQ/7Ddu5CKbqsL7yBiMGxI4IHQZ/gEcQKBgQDBE3Fl8XW7JpP9J0vw
+VvCBGJgPOU7tn9JG082RUr0pi7HRiEo23zL37PvwPwjn81SkWmh9WcIQFm8Ip4Oy
+9sUMR0oInjU3PaAI2oRQCOPynod23wC4tVmjLrNBek8T2AnTtkvSZalooACNumgD
+Ef/hpMYDa2O9dTbjtqNOp2AOuQKBgQDNB6UGzwY+HDG444Ir/Q2s2XjOD1cvG3q8
+3NaSnIHuxJeUhYlBXmWsygpGLrq4i5h4EWPz8qKWQwBDwsZIBGisJFQcQzsXS9/Z
++F8l555ikb/AsbZHrWw+miTauXT0xe1dbjkqqpAiiYfJFeDss32WqgaAUD28IK9P
+djR85p9ikQKBgHuRDPcYZKelFftjpfcoPP3yFodPvxLXQUVxElQaZtPrAp++IPkj
+OcRwWAE25mVEVvxknBD1W/zdzqv0QZZM1ml4SopfbmFvQDfKWfm65uAE01+hcx3D
+ep20KqcSNv/VONzVA4ug4p4CILiT/zNP1rq7sLrJhOjg1oNABR42goSJAoGAcs1N
+Ajr5a92tmbEKOkc/WQGMOxUr5Bym5QlivEUWG/PITElZSVjp5Y5bomCX/K1teg2C
+wh2iHDD3/PkavUh6s6jDz+91Lt41QX9pB3hhnx+tFuBrCEd6zLLS4AXoDwakmiQV
+rmZCvpPzjAzMHL2EHNCnQ0Gqz6QdhYjSav1XUYECgYBiv8t7WZFLIsi7Baa1oocv
+VU9WsohcqTGP8/i+J4fuRRVGDLl/jcBFm5dYzGVSbpBaM0qhfGIyaAmInHozxooR
++izbLM5nSAO3fXEsPROEx9RwLxQmrs2Ee5W4qDajTm3VOhfQXHQf/z5o3xsdnQJt
+mbHCXPhmMn9O6jmrDlGeMg==
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.pem b/tests/data_files/pkcs7-rsa-sha256-1.pem
index 3795b71887..deee4b2e6c 100644
--- a/tests/data_files/pkcs7-rsa-sha256-1.pem
+++ b/tests/data_files/pkcs7-rsa-sha256-1.pem
@@ -1,48 +1,48 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIUI2LNEq0VTrCDZpmJyvSG20rKV+MwDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+NyBDZXJ0IDEwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N
-Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4
-3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j
-9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra
-xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7
-y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC
-AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY
-MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8
-wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8
-1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51
-1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9
-SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H
-EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqiVc1m06wYnKshqXSoOFDl
+iFW6F/3I/vVmD6/kyTmsZ425tiCiunmSR2rlJc7/2aWbTH0P3ut3dinnooUsSws8
+EwRTjSdECDzF96QTCIUvhMHINQfpQuxSr9leK3AvoiCPi3XUefKhTuoF1A/bTQx2
+QcNzJluQPAzdvUDFBZLdLImjJ7gid1j7KSRZHjVxnFPnolr1EELXDJs29RVup1in
+8fOaBIlHEArWuSgV2aQ7uVLuBHM8Nz0Y810PElgUaOCMxGvo/Ew4TpBJfDipSD2l
+WFPisxnBzjmq3byi+mARpr+BHxETvbrZ1uRbaIA6bzGL1PZlw/vMcvuTHu3yKMkC
+AwEAAaNTMFEwHQYDVR0OBBYEFBvPc+YWbxPtP3MFjmyrL6lQkJJvMB8GA1UdIwQY
+MBaAFBvPc+YWbxPtP3MFjmyrL6lQkJJvMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAJK7huNJR+TlkZBHiCtb0KMfljHRWPuAL6fW0mGvBDeZyRTH
+OzGdqgjnYzgYZ538pG7TsMGomrSQwlATfICKsf8dNSlnPqOiIPo2fdd8gr/tO7yl
+FG/KvXk0v5Dfs4RGUs7UYdmzncEYC2JsToFsD4jja+5tnY//NJRxkJdswfn+wBqH
+wN+y4qELdq+AEBKymbQsIwOBt3UdeVUwBBjtqJXFtET9yhqkqVxnb/i0jHrhjyiS
+Q/Y+T9s35+A6XlI6nSiJLDxMfgJVCWa2OtGI//aAlzlw+6dHiiJVVBHpZbW0YTY4
+qE7kjhPrddJYlB6k4S3ub9j4e87k0P0IyFptxw8=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIts9piZzR8Ou0
-ymRcBecODS7+3cxh0InL1RWjmjV5uSNDth7HUAYPtO03h2MyQA5CXx03bH51wpcz
-FO30uzDI+N0Dufz/lVokXUkTetbmAFbKwZVSqGXVIYcYfMBCycSePjqcF6U0tFPN
-q8DLETtPY/WzF0ue6ZArGRDRFJaieadDJq3P7hC/2efrr7s3e+m2OVkWXRPdV1EX
-HK2tPB062saLyAEdYbVM9gF4vjaDmomskatBnjyjfWuogdJVGMTbaLym98g2AvaZ
-qGsX+x53O8vnS7k6SbJRroZCi1dA4YaLsdb6ueKHEumOwxmtj8pNcwEMSwnEuARY
-lh588INTAgMBAAECggEBAIg+P1B+TurbRMQ11iX5A7wwCsSKPh/vdHneLJAfL0lu
-+JcP2piko1iqEZPt3NHRVVyMP8LNbJH3Ardz74p+PkFNXIkZCLlc4hFpGR+V9KWv
-eTqsaPXwxR8FYTSoCcHMQCDCUPp/um6qMXCcs4OkMMRVMATfPT+jf28h1p52AUJL
-aAoBJfn7gP3WiB0FWq0bRZgSZzNYowE/MhGAQ+DuBGTSASSK3YJcxE94044fBVE8
-EqYKrxoY/x56li5cZ0v9kaURCrvhqCeq2+U5kIkgtvp2l6wF0Mm1du3BLxo2LQEI
-Y2j+6BFEV74Mtv48GTwrZcyit787zyo9vVGcviSD5VECgYEA/mgLc5KfF/cQLmM/
-20T4k0edvktkRIJHFUBphowt5Hb0a0wM5C1VM4z3yN3b9ikQK+ZaQXETdPATBXIe
-LntX1D1xtbMxdcAfd1FSq8QxAuaPknJZBgtzlpCsx3ZvMnNuzKZN/TU8kR1biwPE
-9HaeEG3bouUu+CI/l/DqrBbQRacCgYEAyfiqsLWGhXQ7e3pLk47PDYlMOsjDWPjs
-SGcatH1/lIMWyZue4W2IUcFMbpbjA6QWibo3VnOavIRSTn97JNUWYvgc5MmaQ7iX
-Iss4m3vJ1LIqx30iUgw3EfDoWdpufEEYssZ/VxJPs3sdmZGALgd3CaqxHJuhuS+U
-eVhWzD6LonUCgYBRCbt8GRxsedrBrAPPSO0VnR52W3WZDRavglEa9tQ3jlzVQOhq
-VrZpMWJMrb8/bl0kXsApUGeuPDsS5QMQM2IKzXfHNUlwBL8BNvpqlJg4IFFjiOEq
-t8MeFv+ymdtZ6sNElUUKf0bHwt5CLfUzGgXHnfb0sKSBjgdL0wYtwyacyQKBgQDJ
-NcyG4zEy/srLhtiIFnu8Fo40+hFzL/nlX6JBMc3KHJa1Hy43krF+ET6d5gAffndd
-moDKxbzgFksRHPuHhCobSucuHpJq6RjYdvDcJYS7OwxXVRi9+KFcZE52RaBQdWGv
-qQTvr7RrMDoa5dN3B8TVgpGT2JBTN02JXjKKo7zkiQKBgCZwKDiXl7qsGidvlFZc
-4CEtFsCgnNgdRTzsTL/Pr8q9CBK3BhjZjNzQALF1iGFDC1FdFYFOwI1E3j+MRHJB
-rQMF8zbmmlZ6SC5QtqatCSCCKUyrUjD5J+4UfJqWFjiBBdwz+5VJojHw1yijEwl4
-LrS/V2yBrDJVczQQM4psonLF
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCaolXNZtOsGJyr
+Ial0qDhQ5YhVuhf9yP71Zg+v5Mk5rGeNubYgorp5kkdq5SXO/9mlm0x9D97rd3Yp
+56KFLEsLPBMEU40nRAg8xfekEwiFL4TByDUH6ULsUq/ZXitwL6Igj4t11HnyoU7q
+BdQP200MdkHDcyZbkDwM3b1AxQWS3SyJoye4IndY+ykkWR41cZxT56Ja9RBC1wyb
+NvUVbqdYp/HzmgSJRxAK1rkoFdmkO7lS7gRzPDc9GPNdDxJYFGjgjMRr6PxMOE6Q
+SXw4qUg9pVhT4rMZwc45qt28ovpgEaa/gR8RE7262dbkW2iAOm8xi9T2ZcP7zHL7
+kx7t8ijJAgMBAAECggEACirXl611yERng7iPRO59InOPKOzXID6XpgDHkgYJ5ZcE
+iYzvENsGRhFUTQ7jUyafM8x/5V62ZnbYwAVdGiLJDeRtryyDtNPcM0vEfkcqmaA/
+20J72yjvF60RpyoSEtqs7zVlAvK9MHMDBm/q6z59BM9fQFfJSz6y9hkb1R8HQGpc
+ktIBxqANvQ3XYzPwxBdECB6YH12t1UkCEFNmOVup7M/TpMBu79h4cd69Q709iOqP
+9kIOxABrRE7evWpwYHFCI7QfbRpFeY7I9b94NQULmOLKJm8QfYfXumzfIQ3gqUW2
+WyIOJc5zAftQ/7Ddu5CKbqsL7yBiMGxI4IHQZ/gEcQKBgQDBE3Fl8XW7JpP9J0vw
+VvCBGJgPOU7tn9JG082RUr0pi7HRiEo23zL37PvwPwjn81SkWmh9WcIQFm8Ip4Oy
+9sUMR0oInjU3PaAI2oRQCOPynod23wC4tVmjLrNBek8T2AnTtkvSZalooACNumgD
+Ef/hpMYDa2O9dTbjtqNOp2AOuQKBgQDNB6UGzwY+HDG444Ir/Q2s2XjOD1cvG3q8
+3NaSnIHuxJeUhYlBXmWsygpGLrq4i5h4EWPz8qKWQwBDwsZIBGisJFQcQzsXS9/Z
++F8l555ikb/AsbZHrWw+miTauXT0xe1dbjkqqpAiiYfJFeDss32WqgaAUD28IK9P
+djR85p9ikQKBgHuRDPcYZKelFftjpfcoPP3yFodPvxLXQUVxElQaZtPrAp++IPkj
+OcRwWAE25mVEVvxknBD1W/zdzqv0QZZM1ml4SopfbmFvQDfKWfm65uAE01+hcx3D
+ep20KqcSNv/VONzVA4ug4p4CILiT/zNP1rq7sLrJhOjg1oNABR42goSJAoGAcs1N
+Ajr5a92tmbEKOkc/WQGMOxUr5Bym5QlivEUWG/PITElZSVjp5Y5bomCX/K1teg2C
+wh2iHDD3/PkavUh6s6jDz+91Lt41QX9pB3hhnx+tFuBrCEd6zLLS4AXoDwakmiQV
+rmZCvpPzjAzMHL2EHNCnQ0Gqz6QdhYjSav1XUYECgYBiv8t7WZFLIsi7Baa1oocv
+VU9WsohcqTGP8/i+J4fuRRVGDLl/jcBFm5dYzGVSbpBaM0qhfGIyaAmInHozxooR
++izbLM5nSAO3fXEsPROEx9RwLxQmrs2Ee5W4qDajTm3VOhfQXHQf/z5o3xsdnQJt
+mbHCXPhmMn9O6jmrDlGeMg==
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.crt b/tests/data_files/pkcs7-rsa-sha256-2.crt
index a0df7d93db..2f0becb5c5 100644
--- a/tests/data_files/pkcs7-rsa-sha256-2.crt
+++ b/tests/data_files/pkcs7-rsa-sha256-2.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIULQiixEME/TOd8CzfFgp/HxWQOj4wDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+NyBDZXJ0IDIwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65
-lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y
-c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B
-g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89
-KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj
-j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC
-AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY
-MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka
-q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+
-ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB
-xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS
-IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+
-gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANarbCe4NkIbeBjAEKWuHhA7
+haz080iy8N1Xbdr0Xa6llOLKgsDVNxkzW+WHRgJNZAtN8XgT7IubIrno9ygcBK5B
+b1E4/Butpfnw5aSJhW2uI8Wl7/xCvonEDd3jBQUA4cO8x3ie+7WcGJC2mUXlgUuJ
+jdvX7/px5DQuJwy0R3Vul0IOSBvzXVo9UOTYkmoQI2e2UcAk6aU3zQKK8Db5dmlR
+cA+sVCb9j1tEmSXQAj0XfXv0Sqijwr7MUYB9vUt2wYexC3b0SosqNqg7MYx6eDUJ
+adVvPwHW4VQh5Rv9TVYr9Rpc1pyfgjtvlnouPU+yROJ9VO0irbMY5LI2rAIpQksC
+AwEAAaNTMFEwHQYDVR0OBBYEFOozYBd7pxAmsVUtJwSQvRGNvKO9MB8GA1UdIwQY
+MBaAFOozYBd7pxAmsVUtJwSQvRGNvKO9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAJmOMP3gVqP0/vFqPdMjIa5Pjtwy02z4Z4uLplo/4K8CQp6T
++XMfz+p/UDoglyAuZ34TQ/dnGMM9EFEBgm/O5dJHl442+FrortIEhzGo0QAf+XYK
+9HQKVk0a5ecVO9CZw2mduxMJ//r9GyFG0XSqpNqt2yi7UgcPsrq+2OqhzYngYmyr
+V5HtQzwBaIqwoXzhHIOX1pJg4GUxrhsaqInrhUM0VTdfpKcRlzFsimQ60LZ6GMcm
+rPy3oLs1ioVfYS7et0MnGhgSHIjBeocqYKchzfBk/NnF0eK+lJo+hrGk6F2rDJ4G
+ViNKP6MhMBzlZ73yTRTWZcYu6O+sg5cHwjlHhRc=
-----END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.der b/tests/data_files/pkcs7-rsa-sha256-2.der
index fc7a3eabf7..a101435991 100644
Binary files a/tests/data_files/pkcs7-rsa-sha256-2.der and b/tests/data_files/pkcs7-rsa-sha256-2.der differ
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key
index 659c015666..fe78b1130a 100644
--- a/tests/data_files/pkcs7-rsa-sha256-2.key
+++ b/tests/data_files/pkcs7-rsa-sha256-2.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of
-5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5
-ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2
-IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK
-OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp
-eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX
-oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM
-NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7
-73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD
-w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T
-i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB
-qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9
-ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH
-slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo
-in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D
-NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w
-+CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95
-0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG
-+fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ
-FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI
-xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9
-1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3
-kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa
-uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO
-0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ
-Qn6c/zyvMKSyrCVxo5pTd5Il
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDWq2wnuDZCG3gY
+wBClrh4QO4Ws9PNIsvDdV23a9F2upZTiyoLA1TcZM1vlh0YCTWQLTfF4E+yLmyK5
+6PcoHASuQW9ROPwbraX58OWkiYVtriPFpe/8Qr6JxA3d4wUFAOHDvMd4nvu1nBiQ
+tplF5YFLiY3b1+/6ceQ0LicMtEd1bpdCDkgb811aPVDk2JJqECNntlHAJOmlN80C
+ivA2+XZpUXAPrFQm/Y9bRJkl0AI9F3179Eqoo8K+zFGAfb1LdsGHsQt29EqLKjao
+OzGMeng1CWnVbz8B1uFUIeUb/U1WK/UaXNacn4I7b5Z6Lj1PskTifVTtIq2zGOSy
+NqwCKUJLAgMBAAECgf8TtKi4/K/+YYckvnzIuLMJymz684FhqwtxRhVPhB8VaR3B
+s9VM3kWwioZlC4XhsDj+0KjZ3PpZ1mPZrQkDJY9Ib7lIO3LpF4ek6fgqonUdHF8s
+RY9CGN5kxxp+w9gyHWKcFTg6Wl3AzhNzNU/cmrTDulzLUYc19j58i8AJ6oKkxNcT
+gie9c38wDjZr67cynARkS9N94WkMsOQzM59TzOfukldsbwYISZahR/L9hgQqzcFL
+hxsrQbZ0M5XFziOjuDGzJZswbbTvkupqt0EwEXcI1jnvOtKPC50RaIY9y9sQYRPX
+RXFzUaBGKHjLWtEYQd/bXWTtCLx6C4FDRkOsVQUCgYEA69z8xq8lp77lD2gNsh3x
+o8cnnx3xcwnj+9bEDDKXgA1RBwnXpQ/Gq5Jme7zm9552xJXDQwckuJQ9/Fd4L8Zy
+ZjyOuYC6Mdc4ncwo1yT9Rv6ipSq/dsVKQbMYaOxtQ6Lce1wPyF32slu2mPlwOgIo
+w0Adl3MqC+Gk3ANcPWyJha8CgYEA6P86jw8MfaA4qTn6Zy1YEq17+8Chd15PA2E7
+NWdEL75Jr+Im9kTY+niWcZo6q/JKa5FokxrSB988NMK6Qd20d2gZijc1yHprC1fq
+W3RP9C2qvEOs+4+w38F63JkBXOyqh6+bqclsEDk5COoe2EdIevF4PQheWuQtbNHv
+7G5yECUCgYEApNTDMnakch5OJf4p1BhpDnPXlLNwUVzQHudwCrYweiTUQ371XT0x
+MiYVyNOy9cmgZrHiy6zqVLQEvZzDOWAOArS/aZQ0izBFOMG8qN4Iwtyg/ZxqQa6O
+vmtS28Cee24Nd4hW30gLZ4oAideIPoHTyt+7zmOFNthyRe9zPtnjIbECgYAfnrOV
+wpcRXXMTFDk1U2QGdODEk6nWB0h1zvY4EyGf0RUy92AOP92qcD8Kf8HCoAkVfBBT
+Fmq2gscq6dpZIfth0RDWPxPfdy2bxnyZmLlZC/GFxzFsml2IoDtKQMF8mOmzrFNV
+wW4W7Y0d9pflBheCB88niUE02I6JnBwRXBPCuQKBgD01VJsGqgFvlvjK0KVpPVCB
+KK0GPI5TFNSDjYSIG25Vm4lYmiWwr54iaqWvlK9SFXH0C9R1VAuU+uaY+8tGM4o5
+RO9mk0AvIJ4BC0FZHS2fHDld/37WO3rh66Qym6zgp02ZPYDSLXT18sf0SVMAzU7h
+2j60FMMEJPr7clx+n6xU
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem
index b11a00a199..71004b5f83 100644
--- a/tests/data_files/pkcs7-rsa-sha256-2.pem
+++ b/tests/data_files/pkcs7-rsa-sha256-2.pem
@@ -1,48 +1,48 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIULQiixEME/TOd8CzfFgp/HxWQOj4wDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD
+NyBDZXJ0IDIwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65
-lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y
-c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B
-g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89
-KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj
-j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC
-AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY
-MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka
-q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+
-ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB
-xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS
-IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+
-gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANarbCe4NkIbeBjAEKWuHhA7
+haz080iy8N1Xbdr0Xa6llOLKgsDVNxkzW+WHRgJNZAtN8XgT7IubIrno9ygcBK5B
+b1E4/Butpfnw5aSJhW2uI8Wl7/xCvonEDd3jBQUA4cO8x3ie+7WcGJC2mUXlgUuJ
+jdvX7/px5DQuJwy0R3Vul0IOSBvzXVo9UOTYkmoQI2e2UcAk6aU3zQKK8Db5dmlR
+cA+sVCb9j1tEmSXQAj0XfXv0Sqijwr7MUYB9vUt2wYexC3b0SosqNqg7MYx6eDUJ
+adVvPwHW4VQh5Rv9TVYr9Rpc1pyfgjtvlnouPU+yROJ9VO0irbMY5LI2rAIpQksC
+AwEAAaNTMFEwHQYDVR0OBBYEFOozYBd7pxAmsVUtJwSQvRGNvKO9MB8GA1UdIwQY
+MBaAFOozYBd7pxAmsVUtJwSQvRGNvKO9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAJmOMP3gVqP0/vFqPdMjIa5Pjtwy02z4Z4uLplo/4K8CQp6T
++XMfz+p/UDoglyAuZ34TQ/dnGMM9EFEBgm/O5dJHl442+FrortIEhzGo0QAf+XYK
+9HQKVk0a5ecVO9CZw2mduxMJ//r9GyFG0XSqpNqt2yi7UgcPsrq+2OqhzYngYmyr
+V5HtQzwBaIqwoXzhHIOX1pJg4GUxrhsaqInrhUM0VTdfpKcRlzFsimQ60LZ6GMcm
+rPy3oLs1ioVfYS7et0MnGhgSHIjBeocqYKchzfBk/NnF0eK+lJo+hrGk6F2rDJ4G
+ViNKP6MhMBzlZ73yTRTWZcYu6O+sg5cHwjlHhRc=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of
-5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5
-ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2
-IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK
-OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp
-eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX
-oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM
-NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7
-73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD
-w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T
-i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB
-qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9
-ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH
-slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo
-in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D
-NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w
-+CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95
-0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG
-+fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ
-FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI
-xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9
-1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3
-kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa
-uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO
-0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ
-Qn6c/zyvMKSyrCVxo5pTd5Il
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDWq2wnuDZCG3gY
+wBClrh4QO4Ws9PNIsvDdV23a9F2upZTiyoLA1TcZM1vlh0YCTWQLTfF4E+yLmyK5
+6PcoHASuQW9ROPwbraX58OWkiYVtriPFpe/8Qr6JxA3d4wUFAOHDvMd4nvu1nBiQ
+tplF5YFLiY3b1+/6ceQ0LicMtEd1bpdCDkgb811aPVDk2JJqECNntlHAJOmlN80C
+ivA2+XZpUXAPrFQm/Y9bRJkl0AI9F3179Eqoo8K+zFGAfb1LdsGHsQt29EqLKjao
+OzGMeng1CWnVbz8B1uFUIeUb/U1WK/UaXNacn4I7b5Z6Lj1PskTifVTtIq2zGOSy
+NqwCKUJLAgMBAAECgf8TtKi4/K/+YYckvnzIuLMJymz684FhqwtxRhVPhB8VaR3B
+s9VM3kWwioZlC4XhsDj+0KjZ3PpZ1mPZrQkDJY9Ib7lIO3LpF4ek6fgqonUdHF8s
+RY9CGN5kxxp+w9gyHWKcFTg6Wl3AzhNzNU/cmrTDulzLUYc19j58i8AJ6oKkxNcT
+gie9c38wDjZr67cynARkS9N94WkMsOQzM59TzOfukldsbwYISZahR/L9hgQqzcFL
+hxsrQbZ0M5XFziOjuDGzJZswbbTvkupqt0EwEXcI1jnvOtKPC50RaIY9y9sQYRPX
+RXFzUaBGKHjLWtEYQd/bXWTtCLx6C4FDRkOsVQUCgYEA69z8xq8lp77lD2gNsh3x
+o8cnnx3xcwnj+9bEDDKXgA1RBwnXpQ/Gq5Jme7zm9552xJXDQwckuJQ9/Fd4L8Zy
+ZjyOuYC6Mdc4ncwo1yT9Rv6ipSq/dsVKQbMYaOxtQ6Lce1wPyF32slu2mPlwOgIo
+w0Adl3MqC+Gk3ANcPWyJha8CgYEA6P86jw8MfaA4qTn6Zy1YEq17+8Chd15PA2E7
+NWdEL75Jr+Im9kTY+niWcZo6q/JKa5FokxrSB988NMK6Qd20d2gZijc1yHprC1fq
+W3RP9C2qvEOs+4+w38F63JkBXOyqh6+bqclsEDk5COoe2EdIevF4PQheWuQtbNHv
+7G5yECUCgYEApNTDMnakch5OJf4p1BhpDnPXlLNwUVzQHudwCrYweiTUQ371XT0x
+MiYVyNOy9cmgZrHiy6zqVLQEvZzDOWAOArS/aZQ0izBFOMG8qN4Iwtyg/ZxqQa6O
+vmtS28Cee24Nd4hW30gLZ4oAideIPoHTyt+7zmOFNthyRe9zPtnjIbECgYAfnrOV
+wpcRXXMTFDk1U2QGdODEk6nWB0h1zvY4EyGf0RUy92AOP92qcD8Kf8HCoAkVfBBT
+Fmq2gscq6dpZIfth0RDWPxPfdy2bxnyZmLlZC/GFxzFsml2IoDtKQMF8mOmzrFNV
+wW4W7Y0d9pflBheCB88niUE02I6JnBwRXBPCuQKBgD01VJsGqgFvlvjK0KVpPVCB
+KK0GPI5TFNSDjYSIG25Vm4lYmiWwr54iaqWvlK9SFXH0C9R1VAuU+uaY+8tGM4o5
+RO9mk0AvIJ4BC0FZHS2fHDld/37WO3rh66Qym6zgp02ZPYDSLXT18sf0SVMAzU7h
+2j60FMMEJPr7clx+n6xU
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.crt b/tests/data_files/pkcs7-rsa-sha256-3.crt
index 5f22ce2f5f..03ce5b35df 100644
--- a/tests/data_files/pkcs7-rsa-sha256-3.crt
+++ b/tests/data_files/pkcs7-rsa-sha256-3.crt
@@ -1,20 +1,20 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUYkdymHWejgRxiuVjFV81I8+4TNswDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIUT1tppAbQpx6vLbVzRx/54bi0ehowDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDMwHhcNMjMwMTMwMTkyMTQzWhcNMjQwMTMwMTkyMTQzWjA0MQswCQYD
+NyBDZXJ0IDMwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJ/vfx54ZcwX1ImcNW6ERqk
-XMUWzQnnNrfKBRkxebIq/NAu/5vVE6D2qAeNBiZO+O3dYcyJGiP6O+SfzyKKrG3z
-7O1v4ONY3A5P0ge3LJpj2MaUzPOANdQ8444IdWh1cP02uDhVJxgab6cSoFykK2bC
-lETgb5XrV9/42/qCrT+UTuuRFadRLtO7lcs4ZoVCUJ/hBN2Ad65rX6TAc1AmUV+K
-gO6b0ZvnVW1cevZ2rlpUqcoJyYtYE3Ysd/aVpqE19vS7gMXvFL616a4d+IUi2Rmu
-6uXBYGvzf7eLVLpdzwSurG0oEklfSjDHejxKX7QETlSLNwODK/W0Se+sQQt1t0kC
-AwEAAaNTMFEwHQYDVR0OBBYEFC7YxdBlJ9oR3H+KJt8toimNCyudMB8GA1UdIwQY
-MBaAFC7YxdBlJ9oR3H+KJt8toimNCyudMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAGqqNRMi6uJRCPFae7L+yOY09FtFjMCY/1cvHjnQzYk3i90u
-WiiZfOUD8js96SkdanaZEqxDNjx0VM3t0KDPrNHTMP2LDK58sktPRi62C2eHWI3C
-PfqmCxWjSKjOeUaJsVBU4rfQgvnMFlG9iVfhix3aB79GfBSQmLxLAOBVsphTLL6C
-AzJ60WjSM9WhILV4U5QnpTUuXFId+ub43jOHfLtJVk2nM5YSaZ0H9jM69FzOnqFE
-qUuJ7d0CW256aiAz3hs/y0wXImFUPCfoU45nw7fFcb/EMon5cqgx99IADLecHL8P
-uOX5xpJ64mBR5NuVdH2d4bld9vh3sOcCGebHaWw=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1SO1OUqWVMqINj+MZPgE5s
+8sdFrVyXlt/3EqXNs6zUBr12Kj4USt5tmVyF1FxYsw76U1ZpeUUBIrQ62CyQgZtD
+l96tipHbxFneWXV0COrp+2rjWUDz3bY0lM39JCrOxlBDx/QYOJHm4HAeWPkg0F1R
+26kKLNUYxg54gtjnauleWefrMcV3S69RTJGlf3hVJ1fltz/yw8N9XG8XxANZT0Cz
+JV31yzLMxCTm2iBXXALSkw5QDVT+SD0mbkYT26bwtAvXptPjbC7ZrOxYyrmnhk2U
+aPVewp5ncrDhZpfKCXVG6qtSQ3zHu6WwBCk3hdZ9RpBMDMOm+VFl+rGgD46p2osC
+AwEAAaNTMFEwHQYDVR0OBBYEFGNzo9wwEk9/t6xxxpby/NRmNJRlMB8GA1UdIwQY
+MBaAFGNzo9wwEk9/t6xxxpby/NRmNJRlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKJEmDyEmw8Q6mbaqREvmNScGrA60wONTQdlX3lny4VzqAzi
+MxIeCIfwSvR9Lho0lPmFMErdDPTUKzWmlAXUSlsyjnGrqP5uCixTUBZ9Ic1gaxDz
+Mere8nr7yow+I9euYNN1/dNJZP9mcrP269FGyTuM/8Woi+zaJHr0Y8K9TRRXudqP
+wu6X/qZ+OeQrW4WMeb1+eZ59FtRadamsQabxvtgkRJhmqNsGQ/i+S0SqGt2t2xvq
+lTxshA5p17bLQmTJsNKXbQeVPH99M+ecXvwN0hj3fDnQeDMTjdKOsyFupyZ+vxN+
+pFvT7lP0hrOuU07FFqt36B0xObB1QwZb2DPcEIw=
-----END CERTIFICATE-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.key b/tests/data_files/pkcs7-rsa-sha256-3.key
index 3cdc717b03..17c4eedb18 100644
--- a/tests/data_files/pkcs7-rsa-sha256-3.key
+++ b/tests/data_files/pkcs7-rsa-sha256-3.key
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSf738eeGXMF9S
-JnDVuhEapFzFFs0J5za3ygUZMXmyKvzQLv+b1ROg9qgHjQYmTvjt3WHMiRoj+jvk
-n88iiqxt8+ztb+DjWNwOT9IHtyyaY9jGlMzzgDXUPOOOCHVodXD9Nrg4VScYGm+n
-EqBcpCtmwpRE4G+V61ff+Nv6gq0/lE7rkRWnUS7Tu5XLOGaFQlCf4QTdgHeua1+k
-wHNQJlFfioDum9Gb51VtXHr2dq5aVKnKCcmLWBN2LHf2laahNfb0u4DF7xS+temu
-HfiFItkZrurlwWBr83+3i1S6Xc8ErqxtKBJJX0owx3o8Sl+0BE5UizcDgyv1tEnv
-rEELdbdJAgMBAAECggEANIkePRecNnQjriia67SjFS+lWaktpkWXEfqxGA8RjOaO
-r1SzhcyBuCAnYq8PNFtsZE1m3bnwFL+c2BwMgdXzYAPLg5zzFzqzvTytsjBEyQmX
-bkRv/Gvow14o+udgiiAZgZD5HFIgTjM2349WB5kPnfd9Ms2C+/s/NM5y9IxNufqR
-Toto9xwEviJDNVQUeamMbV1hYg0GkvYFNBg5JnGZw+2Sxdml3NFkaHjO+lOhC1VJ
-nhtP0OeOhEMJe9J/MlqkByeg4WQW+jgPo9ysOa+JsEYBokBTleAboNNUJz1SmZ2o
-CCLcMaEwA1IFZAbqjKzPb0xwjeZAtPsBzGFBwiuDyQKBgQDdCkiCeo+AuCdIK4Y3
-i8uf2Pv/eieN37pHBJZcRvNbwcrcnk4Tx0QAsiqnemLDurd+3Xp2BbPMKSNXNkaI
-X4KAtv3hh6sNCQZ2QwkSGYvSOrR4xaExbeuPlrDteLG6Z7W+Txl6iFR8r7sbdySD
-XIIB2yyyh/01gkphB1XPhPxAnQKBgQDzyqf8IccG/yoSm/luX7yKbsPsLMnV1CkR
-hKaPik9vA8wi4P460HqGSwjECubbx2LuGNijVRHqufu6Arm7/hMNya0gA4ToHN+i
-r7MiD8iGpKKYv7Dn1KVhw/Knwx3MHhFgB9V55EBn92MVL1ZC1S7cLq7tn1ggVHnC
-mlS0OW1DnQKBgDx679QjzNgfi0AICLVyHskiCfGhbuk26jU8YBfnofbdU7CB8EMh
-Js458cnZhuSfVk30M+nPLZ8TMoROaYYu+/pUF6t5/6eVbJs3RGgbbVKclXzmNnDb
-7rRfOxH/EEI81lG4OvR4EQX832lodCktSrVPTy+aXgIiIE/kPeqGLK9RAoGBAIdN
-4X/A62pJsfsUEBKfFdAq+5gXn4mKr6RmX97on394txJglxjjXi0sddgASPKPrauB
-pLK54zDIOhqZqqXYtJCBbxGGgnwkkkYDh8MOyXdY5lkqgq+YSJWDICjV1LLVuUT3
-9BYrhUdueNJoLFL5aIGRc0q0lj+TQuSrrPk9qhPNAoGADbbSa+iD3C+sladHkMAU
-u7CvM/0izVqokKnUTBzQh5oxfKQncMVyYrws/Orkcc7u30FeX6bkCoY6dP1+YXLh
-ZlmiSgDK6kebOCGRWjCGKGys4WU1QiFluEjRfXQIMW3Wj45vxB3xPrD1TTHcfWgJ
-7BT4C+yor7c/fL356athqxk=
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDtUjtTlKllTKiD
+Y/jGT4BObPLHRa1cl5bf9xKlzbOs1Aa9dio+FErebZlchdRcWLMO+lNWaXlFASK0
+OtgskIGbQ5ferYqR28RZ3ll1dAjq6ftq41lA8922NJTN/SQqzsZQQ8f0GDiR5uBw
+Hlj5INBdUdupCizVGMYOeILY52rpXlnn6zHFd0uvUUyRpX94VSdX5bc/8sPDfVxv
+F8QDWU9AsyVd9csyzMQk5togV1wC0pMOUA1U/kg9Jm5GE9um8LQL16bT42wu2azs
+WMq5p4ZNlGj1XsKeZ3Kw4WaXygl1RuqrUkN8x7ulsAQpN4XWfUaQTAzDpvlRZfqx
+oA+OqdqLAgMBAAECggEAU51l9rBJsL2+H7Dw/VoUcE1Vip1Dk/x69YUVRmK/2/RG
+Pams/3th15WQ87bZWAIOcIgFJcx6pDPeuNaExMrTR1Oc5iGJ0ZM3TpyXM1lDLRVs
+dkAM+eQSKTjEdwEqJYT9/VisUhXYlJteV1Jx8bC8iSymspu5qQkV+xI9s9NxaTAd
+19U5NoozZRBS37lU3WxMhPCHCrbl6vwcfvtsZClEICA8YUKyS+wUh0wjzgkQrORT
+kaTxY8YyQ/ufSIkA3XKJX1flO1UdNFJcHhseiXWuuUTKUMvWNILUoFpbky5uYb5z
+VM7u57ZBF3uVHmvJNYS04iQdNkV1ZkpWH8opuQ1kyQKBgQD2jl6Y0qTy/s+g9aQ7
+ypZ0zi/lhIJaTBDqxwJA18e8+4kq3WEEBDD1X/eT44nVPhGy78ccJZCnw2PBHy1k
+6xVCfGAZVV850m9JGf4L/VEN6D5qdB2owJPVCEh7fa6hVvLKYFNCuvs0osKCVnyy
+PGq8ixAP5sJp8yoEnlUi0II3UwKBgQD2aU7xdQgba7uMu2rJo0bzDKfxv4q5nUYO
+XLBm7l+Mz6Uz68A/scLsKWmdvmdPKy83pmR/2RJ1pp0HNVfa8rL+0DHCqf1PApE+
+jFgcQIdnyzwRFHPDH/9zmrHUy32L5MdiQEWwqg9wP2HYbuv9VbN0Rn3HTFdRVarD
+hg36/hSA6QKBgBaH+iMTFNnT6Vt3NzPzln5EHWJnEpZ33w/lcdJFJc6iWe2d33DD
+hUnXJEPShlUDYBCvEs4CrM5375TFaZuQVBgIT6vg/lvFXEAc7Pdhhde0goet5sv2
+FUxhfmYynRPHY1aVKOavOaecvBO3HZwYI1TpjGU3nEqcWxmi8nrE/TFbAoGALGaD
+XAzLfi1maRBoSJcMNMVmCbCK7bFCK1pWSuXO/892pClpxdBhIC7CIjNp6CEO7Acm
+escBhYOVLfRVtVUgHbwkC0CYLUF4LH4bblPOUkyTsTwvM8yzOgB45LAaGjgKGVEd
+fZzXFVHGbrpl+YsUv/Hnvh6qaTR3ha3FHSHlTekCgYEA889EzlEOwmu69z06RJsZ
+mlYoR0/1xxiYmSNy+hXWoM64G99R94bc/bx/QSJAXu93HX4N0GHPmjjpZvk1IjHL
+zQGikdb2jvbKnRcR/4DiXQ1jggk59bCUDaQkpEbBvtCLj/LjMnwxAJAoCOGjuIxG
+hmSyoAlNQm47tGD3i+2erv0=
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7-rsa-sha256-3.pem b/tests/data_files/pkcs7-rsa-sha256-3.pem
index ee99782c3b..0dc2fe985a 100644
--- a/tests/data_files/pkcs7-rsa-sha256-3.pem
+++ b/tests/data_files/pkcs7-rsa-sha256-3.pem
@@ -1,48 +1,48 @@
-----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUYkdymHWejgRxiuVjFV81I8+4TNswDQYJKoZIhvcNAQEL
+MIIDSTCCAjGgAwIBAgIUT1tppAbQpx6vLbVzRx/54bi0ehowDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
-NyBDZXJ0IDMwHhcNMjMwMTMwMTkyMTQzWhcNMjQwMTMwMTkyMTQzWjA0MQswCQYD
+NyBDZXJ0IDMwHhcNMjMwNTA4MTAxOTExWhcNMzMwNTA4MTAxOTExWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJ/vfx54ZcwX1ImcNW6ERqk
-XMUWzQnnNrfKBRkxebIq/NAu/5vVE6D2qAeNBiZO+O3dYcyJGiP6O+SfzyKKrG3z
-7O1v4ONY3A5P0ge3LJpj2MaUzPOANdQ8444IdWh1cP02uDhVJxgab6cSoFykK2bC
-lETgb5XrV9/42/qCrT+UTuuRFadRLtO7lcs4ZoVCUJ/hBN2Ad65rX6TAc1AmUV+K
-gO6b0ZvnVW1cevZ2rlpUqcoJyYtYE3Ysd/aVpqE19vS7gMXvFL616a4d+IUi2Rmu
-6uXBYGvzf7eLVLpdzwSurG0oEklfSjDHejxKX7QETlSLNwODK/W0Se+sQQt1t0kC
-AwEAAaNTMFEwHQYDVR0OBBYEFC7YxdBlJ9oR3H+KJt8toimNCyudMB8GA1UdIwQY
-MBaAFC7YxdBlJ9oR3H+KJt8toimNCyudMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAGqqNRMi6uJRCPFae7L+yOY09FtFjMCY/1cvHjnQzYk3i90u
-WiiZfOUD8js96SkdanaZEqxDNjx0VM3t0KDPrNHTMP2LDK58sktPRi62C2eHWI3C
-PfqmCxWjSKjOeUaJsVBU4rfQgvnMFlG9iVfhix3aB79GfBSQmLxLAOBVsphTLL6C
-AzJ60WjSM9WhILV4U5QnpTUuXFId+ub43jOHfLtJVk2nM5YSaZ0H9jM69FzOnqFE
-qUuJ7d0CW256aiAz3hs/y0wXImFUPCfoU45nw7fFcb/EMon5cqgx99IADLecHL8P
-uOX5xpJ64mBR5NuVdH2d4bld9vh3sOcCGebHaWw=
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO1SO1OUqWVMqINj+MZPgE5s
+8sdFrVyXlt/3EqXNs6zUBr12Kj4USt5tmVyF1FxYsw76U1ZpeUUBIrQ62CyQgZtD
+l96tipHbxFneWXV0COrp+2rjWUDz3bY0lM39JCrOxlBDx/QYOJHm4HAeWPkg0F1R
+26kKLNUYxg54gtjnauleWefrMcV3S69RTJGlf3hVJ1fltz/yw8N9XG8XxANZT0Cz
+JV31yzLMxCTm2iBXXALSkw5QDVT+SD0mbkYT26bwtAvXptPjbC7ZrOxYyrmnhk2U
+aPVewp5ncrDhZpfKCXVG6qtSQ3zHu6WwBCk3hdZ9RpBMDMOm+VFl+rGgD46p2osC
+AwEAAaNTMFEwHQYDVR0OBBYEFGNzo9wwEk9/t6xxxpby/NRmNJRlMB8GA1UdIwQY
+MBaAFGNzo9wwEk9/t6xxxpby/NRmNJRlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKJEmDyEmw8Q6mbaqREvmNScGrA60wONTQdlX3lny4VzqAzi
+MxIeCIfwSvR9Lho0lPmFMErdDPTUKzWmlAXUSlsyjnGrqP5uCixTUBZ9Ic1gaxDz
+Mere8nr7yow+I9euYNN1/dNJZP9mcrP269FGyTuM/8Woi+zaJHr0Y8K9TRRXudqP
+wu6X/qZ+OeQrW4WMeb1+eZ59FtRadamsQabxvtgkRJhmqNsGQ/i+S0SqGt2t2xvq
+lTxshA5p17bLQmTJsNKXbQeVPH99M+ecXvwN0hj3fDnQeDMTjdKOsyFupyZ+vxN+
+pFvT7lP0hrOuU07FFqt36B0xObB1QwZb2DPcEIw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSf738eeGXMF9S
-JnDVuhEapFzFFs0J5za3ygUZMXmyKvzQLv+b1ROg9qgHjQYmTvjt3WHMiRoj+jvk
-n88iiqxt8+ztb+DjWNwOT9IHtyyaY9jGlMzzgDXUPOOOCHVodXD9Nrg4VScYGm+n
-EqBcpCtmwpRE4G+V61ff+Nv6gq0/lE7rkRWnUS7Tu5XLOGaFQlCf4QTdgHeua1+k
-wHNQJlFfioDum9Gb51VtXHr2dq5aVKnKCcmLWBN2LHf2laahNfb0u4DF7xS+temu
-HfiFItkZrurlwWBr83+3i1S6Xc8ErqxtKBJJX0owx3o8Sl+0BE5UizcDgyv1tEnv
-rEELdbdJAgMBAAECggEANIkePRecNnQjriia67SjFS+lWaktpkWXEfqxGA8RjOaO
-r1SzhcyBuCAnYq8PNFtsZE1m3bnwFL+c2BwMgdXzYAPLg5zzFzqzvTytsjBEyQmX
-bkRv/Gvow14o+udgiiAZgZD5HFIgTjM2349WB5kPnfd9Ms2C+/s/NM5y9IxNufqR
-Toto9xwEviJDNVQUeamMbV1hYg0GkvYFNBg5JnGZw+2Sxdml3NFkaHjO+lOhC1VJ
-nhtP0OeOhEMJe9J/MlqkByeg4WQW+jgPo9ysOa+JsEYBokBTleAboNNUJz1SmZ2o
-CCLcMaEwA1IFZAbqjKzPb0xwjeZAtPsBzGFBwiuDyQKBgQDdCkiCeo+AuCdIK4Y3
-i8uf2Pv/eieN37pHBJZcRvNbwcrcnk4Tx0QAsiqnemLDurd+3Xp2BbPMKSNXNkaI
-X4KAtv3hh6sNCQZ2QwkSGYvSOrR4xaExbeuPlrDteLG6Z7W+Txl6iFR8r7sbdySD
-XIIB2yyyh/01gkphB1XPhPxAnQKBgQDzyqf8IccG/yoSm/luX7yKbsPsLMnV1CkR
-hKaPik9vA8wi4P460HqGSwjECubbx2LuGNijVRHqufu6Arm7/hMNya0gA4ToHN+i
-r7MiD8iGpKKYv7Dn1KVhw/Knwx3MHhFgB9V55EBn92MVL1ZC1S7cLq7tn1ggVHnC
-mlS0OW1DnQKBgDx679QjzNgfi0AICLVyHskiCfGhbuk26jU8YBfnofbdU7CB8EMh
-Js458cnZhuSfVk30M+nPLZ8TMoROaYYu+/pUF6t5/6eVbJs3RGgbbVKclXzmNnDb
-7rRfOxH/EEI81lG4OvR4EQX832lodCktSrVPTy+aXgIiIE/kPeqGLK9RAoGBAIdN
-4X/A62pJsfsUEBKfFdAq+5gXn4mKr6RmX97on394txJglxjjXi0sddgASPKPrauB
-pLK54zDIOhqZqqXYtJCBbxGGgnwkkkYDh8MOyXdY5lkqgq+YSJWDICjV1LLVuUT3
-9BYrhUdueNJoLFL5aIGRc0q0lj+TQuSrrPk9qhPNAoGADbbSa+iD3C+sladHkMAU
-u7CvM/0izVqokKnUTBzQh5oxfKQncMVyYrws/Orkcc7u30FeX6bkCoY6dP1+YXLh
-ZlmiSgDK6kebOCGRWjCGKGys4WU1QiFluEjRfXQIMW3Wj45vxB3xPrD1TTHcfWgJ
-7BT4C+yor7c/fL356athqxk=
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDtUjtTlKllTKiD
+Y/jGT4BObPLHRa1cl5bf9xKlzbOs1Aa9dio+FErebZlchdRcWLMO+lNWaXlFASK0
+OtgskIGbQ5ferYqR28RZ3ll1dAjq6ftq41lA8922NJTN/SQqzsZQQ8f0GDiR5uBw
+Hlj5INBdUdupCizVGMYOeILY52rpXlnn6zHFd0uvUUyRpX94VSdX5bc/8sPDfVxv
+F8QDWU9AsyVd9csyzMQk5togV1wC0pMOUA1U/kg9Jm5GE9um8LQL16bT42wu2azs
+WMq5p4ZNlGj1XsKeZ3Kw4WaXygl1RuqrUkN8x7ulsAQpN4XWfUaQTAzDpvlRZfqx
+oA+OqdqLAgMBAAECggEAU51l9rBJsL2+H7Dw/VoUcE1Vip1Dk/x69YUVRmK/2/RG
+Pams/3th15WQ87bZWAIOcIgFJcx6pDPeuNaExMrTR1Oc5iGJ0ZM3TpyXM1lDLRVs
+dkAM+eQSKTjEdwEqJYT9/VisUhXYlJteV1Jx8bC8iSymspu5qQkV+xI9s9NxaTAd
+19U5NoozZRBS37lU3WxMhPCHCrbl6vwcfvtsZClEICA8YUKyS+wUh0wjzgkQrORT
+kaTxY8YyQ/ufSIkA3XKJX1flO1UdNFJcHhseiXWuuUTKUMvWNILUoFpbky5uYb5z
+VM7u57ZBF3uVHmvJNYS04iQdNkV1ZkpWH8opuQ1kyQKBgQD2jl6Y0qTy/s+g9aQ7
+ypZ0zi/lhIJaTBDqxwJA18e8+4kq3WEEBDD1X/eT44nVPhGy78ccJZCnw2PBHy1k
+6xVCfGAZVV850m9JGf4L/VEN6D5qdB2owJPVCEh7fa6hVvLKYFNCuvs0osKCVnyy
+PGq8ixAP5sJp8yoEnlUi0II3UwKBgQD2aU7xdQgba7uMu2rJo0bzDKfxv4q5nUYO
+XLBm7l+Mz6Uz68A/scLsKWmdvmdPKy83pmR/2RJ1pp0HNVfa8rL+0DHCqf1PApE+
+jFgcQIdnyzwRFHPDH/9zmrHUy32L5MdiQEWwqg9wP2HYbuv9VbN0Rn3HTFdRVarD
+hg36/hSA6QKBgBaH+iMTFNnT6Vt3NzPzln5EHWJnEpZ33w/lcdJFJc6iWe2d33DD
+hUnXJEPShlUDYBCvEs4CrM5375TFaZuQVBgIT6vg/lvFXEAc7Pdhhde0goet5sv2
+FUxhfmYynRPHY1aVKOavOaecvBO3HZwYI1TpjGU3nEqcWxmi8nrE/TFbAoGALGaD
+XAzLfi1maRBoSJcMNMVmCbCK7bFCK1pWSuXO/892pClpxdBhIC7CIjNp6CEO7Acm
+escBhYOVLfRVtVUgHbwkC0CYLUF4LH4bblPOUkyTsTwvM8yzOgB45LAaGjgKGVEd
+fZzXFVHGbrpl+YsUv/Hnvh6qaTR3ha3FHSHlTekCgYEA889EzlEOwmu69z06RJsZ
+mlYoR0/1xxiYmSNy+hXWoM64G99R94bc/bx/QSJAXu93HX4N0GHPmjjpZvk1IjHL
+zQGikdb2jvbKnRcR/4DiXQ1jggk59bCUDaQkpEbBvtCLj/LjMnwxAJAoCOGjuIxG
+hmSyoAlNQm47tGD3i+2erv0=
-----END PRIVATE KEY-----
diff --git a/tests/data_files/pkcs7_data_3_signed.der b/tests/data_files/pkcs7_data_3_signed.der
index 92c0710753..23181ae820 100644
Binary files a/tests/data_files/pkcs7_data_3_signed.der and b/tests/data_files/pkcs7_data_3_signed.der differ
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der
index b7b1c8331d..c3d8642833 100644
Binary files a/tests/data_files/pkcs7_data_cert_encrypted.der and b/tests/data_files/pkcs7_data_cert_encrypted.der differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha1.der b/tests/data_files/pkcs7_data_cert_signed_sha1.der
index fb1deb0fc6..878e9ecac0 100644
Binary files a/tests/data_files/pkcs7_data_cert_signed_sha1.der and b/tests/data_files/pkcs7_data_cert_signed_sha1.der differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der
index 8dc2f4c9cd..cc48123d45 100644
Binary files a/tests/data_files/pkcs7_data_cert_signed_sha256.der and b/tests/data_files/pkcs7_data_cert_signed_sha256.der differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der
index a4aa587587..75bdf0fa6b 100644
Binary files a/tests/data_files/pkcs7_data_cert_signed_sha512.der and b/tests/data_files/pkcs7_data_cert_signed_sha512.der differ
diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der
index 4f4cb047e0..950db20994 100644
Binary files a/tests/data_files/pkcs7_data_cert_signed_v2.der and b/tests/data_files/pkcs7_data_cert_signed_v2.der differ
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der
index cb7d75103d..cb97b9b6f7 100644
Binary files a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der and b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der differ
diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der
index 4a237e9d14..63d7194c78 100644
Binary files a/tests/data_files/pkcs7_data_multiple_certs_signed.der and b/tests/data_files/pkcs7_data_multiple_certs_signed.der differ
diff --git a/tests/data_files/pkcs7_data_multiple_signed.der b/tests/data_files/pkcs7_data_multiple_signed.der
index 095b80ce1b..cc441fb7ce 100644
Binary files a/tests/data_files/pkcs7_data_multiple_signed.der and b/tests/data_files/pkcs7_data_multiple_signed.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badcert.der b/tests/data_files/pkcs7_data_signed_badcert.der
index ed00f65fa3..c74d69dc0d 100644
Binary files a/tests/data_files/pkcs7_data_signed_badcert.der and b/tests/data_files/pkcs7_data_signed_badcert.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der
index aa5447c44d..ba629dc4fe 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner.der and b/tests/data_files/pkcs7_data_signed_badsigner.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der b/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der
index da7f3a9910..dbe9320f8e 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der and b/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der b/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der
index 402b91050f..198b929876 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der and b/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der b/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der
index e19c54a05f..f613e3d82a 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der and b/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der b/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der
index 6b12b80ae6..0e647671ac 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der and b/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der b/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der
index 7929444662..caaa3050b0 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der and b/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der differ
diff --git a/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der b/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der
index b52bb78198..f7e0df4891 100644
Binary files a/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der and b/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der differ
diff --git a/tests/data_files/pkcs7_data_with_signature.der b/tests/data_files/pkcs7_data_with_signature.der
index cb9d1267fb..b98cab6bcf 100644
Binary files a/tests/data_files/pkcs7_data_with_signature.der and b/tests/data_files/pkcs7_data_with_signature.der differ
diff --git a/tests/data_files/pkcs7_data_without_cert_signed.der b/tests/data_files/pkcs7_data_without_cert_signed.der
index b47fe927e5..390361fe10 100644
Binary files a/tests/data_files/pkcs7_data_without_cert_signed.der and b/tests/data_files/pkcs7_data_without_cert_signed.der differ
diff --git a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der b/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der
index fe5539006c..0fbc65b026 100644
Binary files a/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der and b/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der differ
diff --git a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der b/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der
index 3a4287426c..4f059c2705 100644
Binary files a/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der and b/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der differ
diff --git a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der
index 898ca6777a..cd77545f34 100644
Binary files a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der and b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der differ
diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der
index f4b4e384db..5efa3a94f4 100644
Binary files a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der and b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der differ
diff --git a/tests/data_files/pkcs7_zerolendata_detached.der b/tests/data_files/pkcs7_zerolendata_detached.der
index 2a389ab484..5f9b62eda7 100644
Binary files a/tests/data_files/pkcs7_zerolendata_detached.der and b/tests/data_files/pkcs7_zerolendata_detached.der differ
diff --git a/tests/data_files/server1.allSubjectAltNames.crt b/tests/data_files/server1.allSubjectAltNames.crt
new file mode 100644
index 0000000000..13af873107
--- /dev/null
+++ b/tests/data_files/server1.allSubjectAltNames.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzTCCArWgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
+uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
+d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
+CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
+lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
+bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
+o4HaMIHXMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MIGJBgNVHREEgYEwf4EQ
+bWFpbEBleGFtcGxlLmNvbYILZXhhbXBsZS5jb22kQDA+MQswCQYDVQQGEwJVSzER
+MA8GA1UECgwITWJlZCBUTFMxHDAaBgNVBAMME1N1YmplY3RBbHROYW1lIHRlc3SH
+BAECAwSGFmh0dHA6Ly9wa2kuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADggEB
+AGPFB8YGpe6PRniPkYVlpCf5WwleYCpcP4AEvFHj5dD1UcBcqKjppJRGssg+S0fP
+nNwYRjaVjKuhWSGIMrk0nZqsiexnkCma0S8kdFvHtCfbR9c9pQSn44olVMbHx/t8
+dzv7Z48HqsqvG0hn3AwDlZ+KrnTZFzzpWzfLkbPdZko/oHoFmqEekEuyOK9vO3fj
+eNm5SzYtqOigw8TxkTb1+Qi9Cj66VEwVESW1y/TL9073Kx0lBoY8wj1Pvfdhplrg
+IwYIwrr0HM+7nlYEhEI++NAbZhjQoS2kF5i7xpomUkYH9ePbrwWYBcuN00pljXEm
+ioY0KKlx00fRehPH/6TBHZI=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server10-badsign.crt b/tests/data_files/server10-badsign.crt
index eca171f351..d4ac4b1708 100644
--- a/tests/data_files/server10-badsign.crt
+++ b/tests/data_files/server10-badsign.crt
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX10=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS0=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10-bs_int3.pem b/tests/data_files/server10-bs_int3.pem
index b84cee7c32..d824c43f35 100644
--- a/tests/data_files/server10-bs_int3.pem
+++ b/tests/data_files/server10-bs_int3.pem
@@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX10=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWfM=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg1A==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10.crt b/tests/data_files/server10.crt
index 96a4040cef..52b5ea0cec 100644
--- a/tests/data_files/server10.crt
+++ b/tests/data_files/server10.crt
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX1Q=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS4=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3-bs.pem b/tests/data_files/server10_int3-bs.pem
index a9e06150bd..9a82b1730d 100644
--- a/tests/data_files/server10_int3-bs.pem
+++ b/tests/data_files/server10_int3-bs.pem
@@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX1Q=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWf0=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg10==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_int-ca2.crt b/tests/data_files/server10_int3_int-ca2.crt
index 0df2c653bb..b5852927c2 100644
--- a/tests/data_files/server10_int3_int-ca2.crt
+++ b/tests/data_files/server10_int3_int-ca2.crt
@@ -1,40 +1,40 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX1Q=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWfM=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg1A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
+12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
+GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
+whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
+/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
+hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_int-ca2_ca.crt b/tests/data_files/server10_int3_int-ca2_ca.crt
index c25482b8b5..3601a20023 100644
--- a/tests/data_files/server10_int3_int-ca2_ca.crt
+++ b/tests/data_files/server10_int3_int-ca2_ca.crt
@@ -1,120 +1,60 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX1Q=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWfM=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg1A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
+12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
+GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
+whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
+/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
+hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
-----END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 0 (0x0)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Validity
- Not Before: Feb 12 14:44:00 2011 GMT
- Not After : Feb 12 14:44:00 2021 GMT
- Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
- 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
- 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
- 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
- e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
- cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
- ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
- 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
- c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
- 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
- e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
- 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
- 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
- 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
- e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
- 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
- ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
- a2:d5
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE
- X509v3 Subject Key Identifier:
- B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- X509v3 Authority Key Identifier:
- keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
- DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
- serial:00
-
- Signature Algorithm: sha1WithRSAEncryption
- b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
- 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
- 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
- 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
- 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
- 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
- 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
- e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
- e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
- 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
- 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
- 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
- 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
- e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
- f7:e0:e9:54
-----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
+UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
+x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
+BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
+hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
+G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
+7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
+9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
+hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
-----END CERTIFICATE-----
diff --git a/tests/data_files/server10_int3_spurious_int-ca2.crt b/tests/data_files/server10_int3_spurious_int-ca2.crt
index c9d6715f44..87cc476b18 100644
--- a/tests/data_files/server10_int3_spurious_int-ca2.crt
+++ b/tests/data_files/server10_int3_spurious_int-ca2.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
-A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
-YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
-VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
-oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
-Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
-rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
-AzO3pJx7WJAApZuBX1Q=
+MIIBXTCCAQKgAwIBAgIBSzAMBggqhkjOPQQDAgUAMEoxCzAJBgNVBAYTAlVLMREw
+DwYDVQQKDAhtYmVkIFRMUzEoMCYGA1UEAwwfbWJlZCBUTFMgVGVzdCBpbnRlcm1l
+ZGlhdGUgQ0EgMzAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMBQxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxt9+na
+peqhnLJyGagJHHOt3hW73qbjs08F6G0QLjppN5eAOcF1/77OcAGsC19cFE1DPwBE
+h5gGaySvbauUqPKjDTALMAkGA1UdEwQCMAAwDAYIKoZIzj0EAwIFAANHADBEAiBw
+JW8c5xNiHIn83+Fx74JiW0IyRKe9TRN3w+MmfcFKwwIgWyjAp/xKOBaQ2ifRqXH6
+3mQUjQNFzHPFpWqjHCp0vS4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWfM=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg1A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -38,27 +38,27 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
+12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
+GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
+whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
+/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
+hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server3.crt b/tests/data_files/server3.crt
index ed0d696b4a..46987c3ef2 100644
--- a/tests/data_files/server3.crt
+++ b/tests/data_files/server3.crt
@@ -1,17 +1,15 @@
-----BEGIN CERTIFICATE-----
-MIICojCCAYqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwODA5MDkxNzAzWhcNMjMwODA3MDkxNzAzWjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG
+MIICXDCCAUSgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBJMBMGByqGSM49AgEG
CCqGSM49AwEBAzIABH0AoQyUhPABS38y67uEVs4O3RXmKKrBdUR7/L2QPB8EC2p5
-fQcsej6EFasvlTdJ/6OBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTkF2s2sgaJ
-OtleQ7bgZH2Hq33eNzBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/
-pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQ
-b2xhclNTTCBUZXN0IENBggEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjmSIjGKD1eH5W
-4bl2MXfNIsTwc2vv/MAAhBzBEbTXd3T37+zAGPGjKncvTB+oufUVRGkoKbfoC6Jm
-DYSEUuxtnUZOko/C//XlCEtK0TuS2aLEqF3gJjBJTCfthEdAhJCtmPAQDCzeKsdx
-CoOtH0NQx6Xl64oDt2wYSQNWUTGLPfRpdsVEvBHhHYATQijkl2ZH8BDjsYcBicrS
-qmCeN+0T1B9vrOQVEZe+fwgzVL38n8lkJZNPIbdovA9WLHwXAEzPv4la3w0qh4Tb
-kSb8HtILl4I474QxrFywylyXR/p2znPleRIRgB5HtUp9tLSWkB0bwMlqQlg2EHXu
-CAQ1sXmQ
+fQcsej6EFasvlTdJ/6NNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU5BdrNrIGiTrZ
+XkO24GR9h6t93jcwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJ
+KoZIhvcNAQEFBQADggEBAKSCuGCXcpDrVwRVgHVlUsxACRDUH2QirsLFAUk1CGsR
+SniBgWi+5KGK8fd3Tf+GkVeIZocaf7tnKm0YJg8W5QPDnwrMD2L1SjYFgc7r1G4f
+579FOo0qRKdJabTV0e022XFyN77JJHAm8RkjZEnzUuW7k8/RohY8NBzh+KACyHOi
+96DhGsBp9LG6QIKB1rxiNx4wq3WUygaMgImoaDRqgAFxJjwRBEhcsWtU2AmoOKdO
+hzQp+EzEjn04+ScJpMzMF4FY+kLaz9PlvEO61aQuZsC2fUmk+M6q8xcBNEdoFNvv
+0cOl5Liuewb32srAZWCMpbHFxaT9Nd3TxJwFxFCJpvc=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server4.crt b/tests/data_files/server4.crt
index 96b1aa7729..2b4134d66c 100644
--- a/tests/data_files/server4.crt
+++ b/tests/data_files/server4.crt
@@ -1,18 +1,17 @@
-----BEGIN CERTIFICATE-----
-MIIC6jCCAnCgAwIBAgIBCDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKvXjL5VfYc7D/truqEpYcZcvlUhnuCNDJctYDJL
-vgYYj5uxDxLHBXvnEHLgO5K+lps42p+r/dd4oE64ttRoeZZUvr+7eBnW35n0EpPA
-Ik9Gwu+vg7GfxmifgIR8hZnOQkt2OjvvpChPCxvUailtB450Izh+mEK/hYFr+7Jl
-NnxR1XQlbbyDM7Ect1HwYcuS3MBlBqq048J+0KEkQXICSjKeHFga9eDCq+Jyfqe5
-bt0K30hl1N0164B7aoh08Eomme+aSuAsz+MsJ3m7AO2DUYdrDxlrky1QrvRWWfX0
-d8djTM+uHTo1DviRM6o9+P9DfoFd53/Z0Km03sVLQWvUrhECAwEAAaOBnTCBmjAJ
-BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTBuBgNVHSME
-ZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAP
-BgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkA
-wUPifmJDzOgwCgYIKoZIzj0EAwIDaAAwZQIxAPWlxnMcjBaxaVieQYSLBqzizS3/
-O8Na6owRGPk0/UK+j5O9NTBHk+uXW/fQblKamQIwUQl4dl6gkRDE4rBR/yGjZZ1Z
-3dEpvL2Wimt3keD7AcLpYB2FJ1mVcY1XQUeK1Vfc
+MIICnTCCAiGgAwIBAgIBCDAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
+Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMDQxCzAJBgNVBAYTAk5MMREw
+DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq9eMvlV9hzsP+2u6oSlhxly+VSGe4I0Mly1g
+Mku+BhiPm7EPEscFe+cQcuA7kr6Wmzjan6v913igTri21Gh5llS+v7t4GdbfmfQS
+k8AiT0bC76+DsZ/GaJ+AhHyFmc5CS3Y6O++kKE8LG9RqKW0HjnQjOH6YQr+FgWv7
+smU2fFHVdCVtvIMzsRy3UfBhy5LcwGUGqrTjwn7QoSRBcgJKMp4cWBr14MKr4nJ+
+p7lu3QrfSGXU3TXrgHtqiHTwSiaZ75pK4CzP4ywnebsA7YNRh2sPGWuTLVCu9FZZ
+9fR3x2NMz64dOjUO+JEzqj34/0N+gV3nf9nQqbTexUtBa9SuEQIDAQABo00wSzAJ
+BgNVHRMEAjAAMB0GA1UdDgQWBBTAlAm1+0L41mhqYWjFiejsRVrGeTAfBgNVHSME
+GDAWgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDB
+ek00E3uHPwnUDBVAPRJThsj2mQr/MSCTwRMNXnNlki9Lux0qGd6uvhp5v31I7V0C
+MDiCHwEm55sU4gWrAxYVKVVV9qMTG2Moy4YnJDDlxwpyXPta5Ac2FV+0AbInBXSM
+Bg==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-badsign.crt b/tests/data_files/server5-badsign.crt
index 0c65072330..b641f70196 100644
--- a/tests/data_files/server5-badsign.crt
+++ b/tests/data_files/server5-badsign.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S
-C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V
-fGa5kHvHARBPc8YAIVIqDvHH1A==
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ
+qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN
+06jC+BLgOH1KQV9ArqEh3AhOhE0=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-der0.crt b/tests/data_files/server5-der0.crt
index 08d8dd311b..1e0a00894d 100644
Binary files a/tests/data_files/server5-der0.crt and b/tests/data_files/server5-der0.crt differ
diff --git a/tests/data_files/server5-der1a.crt b/tests/data_files/server5-der1a.crt
index 015017b17d..c143298828 100644
Binary files a/tests/data_files/server5-der1a.crt and b/tests/data_files/server5-der1a.crt differ
diff --git a/tests/data_files/server5-der1b.crt b/tests/data_files/server5-der1b.crt
index 6340d9e2ed..6989679094 100644
Binary files a/tests/data_files/server5-der1b.crt and b/tests/data_files/server5-der1b.crt differ
diff --git a/tests/data_files/server5-der2.crt b/tests/data_files/server5-der2.crt
index c6e320a369..56ad14c4a6 100644
Binary files a/tests/data_files/server5-der2.crt and b/tests/data_files/server5-der2.crt differ
diff --git a/tests/data_files/server5-der4.crt b/tests/data_files/server5-der4.crt
index 4af05cce1e..4ceed41c49 100644
Binary files a/tests/data_files/server5-der4.crt and b/tests/data_files/server5-der4.crt differ
diff --git a/tests/data_files/server5-der8.crt b/tests/data_files/server5-der8.crt
index 65be7dcaeb..07ffd2f746 100644
Binary files a/tests/data_files/server5-der8.crt and b/tests/data_files/server5-der8.crt differ
diff --git a/tests/data_files/server5-der9.crt b/tests/data_files/server5-der9.crt
index 4947f1f83f..aa8f9a193d 100644
Binary files a/tests/data_files/server5-der9.crt and b/tests/data_files/server5-der9.crt differ
diff --git a/tests/data_files/server5-sha1.crt b/tests/data_files/server5-sha1.crt
index 73e2d1745a..6c14183bd6 100644
--- a/tests/data_files/server5-sha1.crt
+++ b/tests/data_files/server5-sha1.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICHTCCAaSgAwIBAgIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x
-MzA5MjQxNjIxMjdaFw0yMzA5MjIxNjIxMjdaMDQxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
+MIICHjCCAaSgAwIBAgIBCTAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
+VQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0y
+MzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5MMREwDwYD
+VQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDY
IxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6OBnTCBmjAJBgNVHRMEAjAAMB0G
A1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjBuBgNVHSMEZzBlgBSdbSAkSQE/
-K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFy
-U1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH
-KoZIzj0EAQNoADBlAjEAyjvzRWtxbXvkoYTYSQY9gFBpP7/wTZ2q6FbRiAuZULFt
-lc0PMPDfVZChgA6iDH+BAjBdkOb73f2pOwZpMRqrOgqSynbt2uWY87mC5lRlNEoR
-WXEv1AzIeBCv+81DN1Iuu4w=
+K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFy
+U1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggkAwUPifmJDzOgwCQYH
+KoZIzj0EAQNpADBmAjEAnbhJ4O/x6bcBgB0FnX44q9j9pjBYHN9ZK59bHxqerhyJ
+12DlVbNoOonlkFYVUsgCAjEAmnUolKu+XUtS2is3d0M2V6cPwZxq5qI0+wBR79/p
+NRjFOlyP69OWs9CI2cyYLbGc
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha224.crt b/tests/data_files/server5-sha224.crt
index 47b11688c6..ad01b108d3 100644
--- a/tests/data_files/server5-sha224.crt
+++ b/tests/data_files/server5-sha224.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICIDCCAaWgAwIBAgIBEzAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDATA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMBA2kAMGYCMQCj0EyFUzDRmfokWzLVEWN0epR4/sZytfIeozp6BqWH
-qaTBdAR2vthIKC7dKuUkg34CMQD6YtB2O9Vso79gbzSen2qh7gK7VvGE+31EVPbR
-Ce/oNG/3OfhRSdn3FOvBBg2UErM=
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMBA2gAMGUCMQDlCvtvCAgJDiGQnqOYwzmeafyyNbpSRZwcpV84FSkm
+pwKw2jTv3WaXujSNu7B62GoCME97oLBGSgiOMD5QUEdOjABkCV4E2slyvk4Gk71c
+9e92VgA3rKPRXlvwACPsbFIQJQ==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha384.crt b/tests/data_files/server5-sha384.crt
index 5d6a79b2fe..7de6f8c5c5 100644
--- a/tests/data_files/server5-sha384.crt
+++ b/tests/data_files/server5-sha384.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBFDAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAzA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMDA2gAMGUCMQCnsd/6VB2kLIqMRsWdkJvRaQROyAg78CQExFEY3CMv
-9t0kWRXPc4nCMH69RjQVvC4CMB4lk9A7hnX2zQy3bbUhOCOvXcsQdEe8AMgJBviz
-5Nob2wThRqsm1wjCF60fyzXWuA==
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMDA2gAMGUCMQDPV3rbJX6rigR5SJQGNzqfreq8Y3O+mlAQkuo9sicU
+llVXjN3g41dOJmaEO2yHjMQCMCecXLQsYjQn2wPh/XyE+PL48Yp0+Y6+HEHCjLk3
+JOTQqo73a9xN+yhrud2ssT830w==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-sha512.crt b/tests/data_files/server5-sha512.crt
index 16112ac54f..8bea8c2bb2 100644
--- a/tests/data_files/server5-sha512.crt
+++ b/tests/data_files/server5-sha512.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBFTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTYyMTI3WhcNMjMwOTIyMTYyMTI3WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+MIICHjCCAaWgAwIBAgIBCTAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMEA2gAMGUCMFPL2OI8arcbRlKAbRb/YfGibo4Mwts8KX3fOuRCbXEn
-pDWeb82kBqfXwzPJwamFOwIxAPGzyhWrxn0qEynWV5nzFK02PYBnYFgClISyyudH
-HJGHtbEVRc5JA8ALnggaLVpuvg==
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMEA2cAMGQCMEekbPD8GQQmK1uJ3wXgC/VdRdfmEBM/urkmXYINcHrz
+E6xLpFE/jxZ0wb5SXteLtQIwZ8ZJIDLnxGciX/mtfx0dOII3bna72yRkGfT+0b/C
+sj9KvVuQ0y1oaP9Rbg35dbcH
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.crt b/tests/data_files/server5.crt
index 4597428280..2eab9998c4 100644
--- a/tests/data_files/server5.crt
+++ b/tests/data_files/server5.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
-MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA
2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S
-C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V
-fGa5kHvHARBPc8YAIVIqDvHH1Q==
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ
+qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN
+06jC+BLgOH1KQV9ArqEh3AhOhEg=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.crt.der b/tests/data_files/server5.crt.der
index 08d8dd311b..1e0a00894d 100644
Binary files a/tests/data_files/server5.crt.der and b/tests/data_files/server5.crt.der differ
diff --git a/tests/data_files/server5.crt.openssl.v3_ext b/tests/data_files/server5.crt.openssl.v3_ext
new file mode 100644
index 0000000000..594e90ad09
--- /dev/null
+++ b/tests/data_files/server5.crt.openssl.v3_ext
@@ -0,0 +1,3 @@
+basicConstraints = CA:false
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/tests/data_files/server6.crt b/tests/data_files/server6.crt
index 6df6716861..51e4393194 100644
--- a/tests/data_files/server6.crt
+++ b/tests/data_files/server6.crt
@@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE-----
MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4
-AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ
-Xj09kLboxuemP40IIqhQnpYptMg=
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
+ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
+KgfuCEF96BhSjLDXWKB4IFWaXUQ=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7-badsign.crt b/tests/data_files/server7-badsign.crt
index 954b53a5b5..e0d18b0a89 100644
--- a/tests/data_files/server7-badsign.crt
+++ b/tests/data_files/server7-badsign.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK0
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -39,9 +39,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7-expired.crt b/tests/data_files/server7-expired.crt
index a25ce4b07f..9c423c9618 100644
--- a/tests/data_files/server7-expired.crt
+++ b/tests/data_files/server7-expired.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTA3MDYwNTA4MTQwM1oXDTE3MDYwNTA4MTQwM1owNDELMAkG
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTEzMDUxNjA3MTAzN1oXDTIzMDUxNzA3MTAzN1owNDELMAkG
A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBv
-bGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBAHcG1ysT8yImc0x3Z2O0SOtSYYjCPS1Gc89j
-fWdBSoS5YhPHLgEjHQgDA6XdDNL0eUo3afhucEvSexhqLUABLu89cmi7ST+TsTEb
-/lu8qZUgpa1bcMOk1+whl0JllfcDEq2y0aclkO0/6M6JftNNJ3egq2qVBDEszTtY
-zcYZIr1o04TNp0fAtmPUH6zjpBkNB0DQyKFhgYPJNwTapj6ZDVi1zBK3wwFfZfgK
-s3QvwhWNNbHL4B0sPec/6TiF5dY3SeUM4L8oAGdT7/ELE6E74rFyS/EpjJdVzXDs
-FfQvUDPb6PJuWZbr4mNg/FANeGPa3VENcPz+4fj+Azi1vV3wD4OKT7W0zIkRZ+Wq
-1hLFuwa/JCSHsn1GWFyWd3+qHIoFJUSU3HNxWho+MZqta0Jx/PGvMdOxnJ2az1QX
-TaRwrilvN3KwvjGJ+cvGa7V9x8y9seRHZwfXXOx1ZZ0uEYquZ0jxKpBp/SdhRbA5
-zLmq088npt7tgi+LcrXydorgltBaGZA7P+/OJA2JkbIBBwdSjyfG6T07y4pgQ90h
-CeRqzu4jFcZE7mjpTdEyxAQRJa2dhHkhFB7Muq7ZTi3jlml5LZnlbUdPlR5iTgOU
-yueZsAAEb//A6EU008WmG/K+EY230JxEUzGNf2l1j1H94HcP9OwjY4bn2PJdVzcb
-B8PmaiMB
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBAHX0pu54c8rk2F76lxnMKuS+C3Kiwab0KxII
+ZkpAgpk5sj2KxiGrNLDhK0ZGjVlVuUjauySVuBUfrr8GfjQ1xE7RUrxwBrEU5fVs
+FHKscBF58AaIXIPf5xIuCdc2C487Leuu+LIbGsg9EvKq/pg7avIB9hSjvwn5W3m3
+3o8eL/ahD4t5rh8r7hKptY+7dqeraBrmCnitxsRQToMV+jy2RCGD3vYUDxyJc3x+
+m3o7nWGreyLCqPCRgeEh9RKbbhygcoBtdjojZABZmlGa9BO72hK5lhy2a1QiIOiL
+OoBgDFf8gVo81MX02RtSQISZLq/hJ8smtil8oaKgJ+VyGjfCR1uZY7RpaEfP4U+R
+tX8gqt/4TJ4mIJOv4xL12XsV65rZuB7+yhZ6rqWRlZx9Aa4/GqxIbALrQPs17uRX
+41TPIdz3Pjq3w3x3bdGxbyF0TvJRaeobB60KHlrm6DWltY7k2Ucju9oTko6bJLgp
+rCRC1JkTXzWS3jZDqULTVPxDsZjVRqwEl46PPe0gSloB+h/ulq8rNIG1snWTGdNQ
+Bovbko9lFHA8md8f7ZULQ6pB8SV/LH2qufSsWb5LY9ZfHUprwH2oBQ+A9eYkk5ZR
+LJC879ZC8w8LMQfBGT22fLnOJ2qS6GyguB+y17beF8RMgFpiFTzoD1nPQAd9cyGY
+b2ta+9o9
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -39,9 +39,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7-future.crt b/tests/data_files/server7-future.crt
index eeb596fc29..b725eb7348 100644
--- a/tests/data_files/server7-future.crt
+++ b/tests/data_files/server7-future.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTI3MDYwNjA4MTQwM1oXDTM3MDYwNjA4MTQwM1owNDELMAkG
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTMzMDUxNzA3MTAzN1oXDTQzMDUxODA3MTAzN1owNDELMAkG
A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
-d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBv
-bGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggIBAHF4y9PmCUF1yOlBIUCUAAFMZmXJwOGsMNKI
-u0+At0sbs+W8J06PVyYt4UxL4TyIxHM6SOvKndFdCQxG7NQY0KU+HBdLVUM1iZy0
-Kopg7yHvEAZ0YWPptgCd10C/wmTz0b0R3cxhSb8FZjlBjNB7dJKhRQsh0za+GMx/
-LXunH/t0oP5an4yO3zTog+4+7bDGGEY7SymQJ9Z8t2gdZpn/r60j9IGhL5XI2BS/
-+cU96DMF3cMmFk24vAfduYicKc8KowhUpGCsIP0bl+TY8Vq6kepBA2lnj7/YOkDs
-/f+wIS/Id/hdw9KxRUPX+cQLUt0/C7JktDVudZ5zLt1y0A971R+23ARtJGUBJGSp
-5tkVX8+hK8sT6AVOkcvA51IOBsVxmuoWk/WcjBDdOjyIK2JFdbcJYvR8cpRbL+j8
-HdQEu+LorvGp28m3Q5mBTKZLKgyUeQWrbYDqeub1OvYYkuvZPZWFEDP2VYcS7AXN
-IoUSTcMyhLNuncQl/z0Jbkto59+il6cQ2HIqkubLBk2X8uwMw2tloROlmklweHqR
-ta6aRlLxBMgccJpK7cU5H8TMb6aR9GJGyzQJ2vET3jPBq/uEwbvK8HRVJ7Ld68k6
-ZMCwXGdTeYuDWt0ngAhf+i+GNexJRSLvzRGt18DOrpmj2X3naarNSTfRArm4EINW
-WKW7hd8h
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBAFgzS8NNGRayelUleAee5udbk9+fkkxvYA/p
+QEaD+UvuSmgJ7iEU0gx6cJ2RcEbg/NqgrMBni8ayiGptOZRTq4j8bPcrZZCrcsvO
+jFk/yXwWIv1hRofQ8wBynPOgbtPJ5J7zYkE0sqXbAPOWeNdya+R0CuSex5DW9kj/
++tiXGXdGiLKu/FOC9tedfsu67a+ZEK0Q3rbFqsWpHdQcKIEN4A18xPBXNtx/DJuq
+0+fcjtIsigpRvLbLSFuvSI5vWP1MFyuMDTLYVKN1PceRg2yxpKecKbsDpeSRX3R9
+Fs444mDSJs75i8fkdXS4GLXfJjJOft3HbRtEEznF5sITppjr40PszMvOj2njWPPn
+o3ECca7HbhuhtqIGfM5+2mCwPgmm7fEmYILVYgTihFfPKUhGUKN+4Qp75gOzMKds
+7t8NRFTKPEpFmicc1wKfEsp22UWC6azyTu6iVByWlt+fojFbdHjvxDY8iIqBFU6/
+44uLMTxu9r9gMSZK9sX7vGIgeER3RnArP0ZSxAvoxG3lu+QQXwItxnTKQnA3CDra
+MkmwSM5kMewO/Ub1bgkdQ3j/DD0uSwreEdg0fvxaAJIH2N/lOFUWPrzbg8TJR1Sb
+ohctT+uAKoPQrxsZuSdrz9QHOdgkPR6gp9bdnXkZSa9jGX7Pd5Ur5LDEXljol1ZL
+T97oaKB7
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -39,9 +39,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7.crt b/tests/data_files/server7.crt
index ed087ef613..c5c2cb8c58 100644
--- a/tests/data_files/server7.crt
+++ b/tests/data_files/server7.crt
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO3
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7_int-ca-exp.crt b/tests/data_files/server7_int-ca-exp.crt
index fc0051772e..a3a8f69dd1 100644
--- a/tests/data_files/server7_int-ca-exp.crt
+++ b/tests/data_files/server7_int-ca-exp.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MDcwNjI3MTAzODM3WhcNMTcwNjI3MTAzODM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwNTE2MDcxMDM3WhcNMjMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
@@ -39,9 +39,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPu/FDEPvIC/BnzPQDAr1bQakGiwBsE9zGKRgXgX
-Y3Q+XJKhMEKZ8h1m+S5c6taO0gIwNB14zmJ1gJ9X3+tPDfriWrVaNMG54Kr57/Ep
-773Ap7Gxpk168id1EFhvW22YabKs
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAJH0e4fySJI2nJt1Knd+yU7zn1jTFDAABJMbndhR
+07OSM6vwUaGSMVatSzr8ah+UDgIwaI/MBcorSxT92jAQb1W5dJkEudoYSg49fjAf
+z0BtLCVhFwQlrzCqgXC98SGfT6sZ
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7_int-ca.crt b/tests/data_files/server7_int-ca.crt
index d3ddc46a8b..cb108a46f2 100644
--- a/tests/data_files/server7_int-ca.crt
+++ b/tests/data_files/server7_int-ca.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -39,9 +39,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7_int-ca_ca2.crt b/tests/data_files/server7_int-ca_ca2.crt
index c289c0aadf..097447fd0a 100644
--- a/tests/data_files/server7_int-ca_ca2.crt
+++ b/tests/data_files/server7_int-ca_ca2.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -39,24 +39,22 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server7_spurious_int-ca.crt b/tests/data_files/server7_spurious_int-ca.crt
index 632c4fd13c..fdc1146231 100644
--- a/tests/data_files/server7_spurious_int-ca.crt
+++ b/tests/data_files/server7_spurious_int-ca.crt
@@ -1,49 +1,49 @@
-----BEGIN CERTIFICATE-----
MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+MA8GA1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owNDELMAkG
+A1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m
47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS
-MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud
-IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC
-AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr
-FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr
-8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj
-+gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7
-QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm
-yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK
-TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e
-deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM
-0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b
-OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj
-VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp
-a8Si6UK5
+MB0GA1UdDgQWBBTSCtOldx/OVbBcRqKOc2y/oWAmuzBmBgNVHSMEXzBdgBQ4d9hr
+d5wod4KLTtgbqR73lBa3DqFCpEAwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBv
+bGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBggEOMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggIBADU9ZyZWfX1T1Pi0PRBeqpm52pehUX2wMsyi
+KudSpLeN++eS9p/R0hpNuB8WvZcsFy/qul0djPARKGpYgYTZQvOQ10VcY40jxttm
+ETScnnqKH2lMr0asOpM31kKt/ghJS0njUhI9NY6yAI2XhcDzItSpqOhn6YLC3mrW
+DIyBCksLKEu8x/KpRbvj3QK1ez3cHItoxCCe9gy8tMEwb8FE15dtDuL7G7iRb4Dh
+VyL6qzBRvJP9AcQKT4PTaOMwu8O+hClDvLllJzCkJX4qZmQr3jwO8Emi9dvQ87ZF
+cDpLbxqIgtRF8lkxn00UuhuugMgM8ldTd/aRxZrddIgFVNmEdWIWBu5ZTWmBM/FH
+aguuZr3mty7Jh4XZJ0RZ4H7XaYzoVnCK9cA5koRv/gtSQdDh8BiYlJwWx8adqygo
+fibinQnIOhZ4HcnlTDshsb5eY+GtkSLmc8735V5rtEt7zrtahFT5I7r2X6dDiPdD
+Blvb9/5gIMC3fy0NZigDueBOYF78kpxqMRknt6x86irVdbRXw1fpVux24cfTDc/u
+5Eat4YFfM1eKZnuOETumPOoa27jvcYTPMOsUN8+Q8Os6SDkJC8e2obedQoffQC06
+1Xzri3HOHzZrPHLGkwAFNYBynl1/wxGu0vPlmpzJDzc7y0e1FgKqD6YadAQM+APA
+ZKasihO3
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBABN3b1ltNlBQ9PhwJhxBWENlMNdy1vyKBGH3EdZ7w4uHJJOm
+w8JS5p/B5+9fDIIOThDr80hLq4QOQVJhxAT1/Zsb2OzsTxc1BaCNbBv2Y+FyFcpL
+I8EjMF+gnSgbs46kGKce1EJNrZrkvpCngtNj7qqg9qnPXd1en0z349xHJPmYuWEb
+9sHdVlwnebPm1n9u1NzpktAChb28UFnBYTWraZCtMBMozuMhz6mo66XOEyH06Ypa
+QPOlBmbgW/e+fuXow41QUqP2tvVL6MsmSZFWk8hr45rNRzeTok1M5bW91sZ78We5
+95m3T6IE+qpj2/RILncwy7vWBlFzbuiIA3eSJa8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -57,9 +57,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/server8.crt b/tests/data_files/server8.crt
index b435b2deb5..515b17b3c1 100644
--- a/tests/data_files/server8.crt
+++ b/tests/data_files/server8.crt
@@ -1,18 +1,17 @@
-----BEGIN CERTIFICATE-----
-MIIC6zCCAnKgAwIBAgIBETAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTEzMDkyNDE2MTI1NloXDTIzMDkyMjE2MTI1NlowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbHH8uC82/ztF1EKCiuM59
-quIF4HrYRGOPtb3AsBm5N7gZSg7xXXSAZ0aHBt5bfwYDvcGNXgcV1Fv03OXPPfnB
-ESyuarmKvR1nZhfqTr3bFZqCh+TweMOjhYew/Z+pmV/jM+zM6gu1YV7xSX4/oy3q
-AQzMQpp2m8TQN9OxFwFhARZZfhwXw1P90XLLTGAV2n3i6q1Q747ii9Rqd1XWcNlr
-u/HuOQQ4o73i0eBma+KcR5npKOa2/C7KZ0OE6NWD1p2YawE+gdw8esr585z31igb
-J3h8w9DVY6eBNImtJWq98urt+lf85TTGwQ9xLdIIEButREHg/nmgY5OKsV3psO5v
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
-J2F2Dx0wYwYDVR0jBFwwWoAUD4m9Y0Hry14XKP9oMD3BiNCcWDmhP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBDzAKBggqhkjOPQQDAgNnADBkAjBkP1bGlZvxnYySZjdBq4m8lkyz
-2cjfqjYs8COEkRkONaVz7888HvFdGpL98uQeFvECMHCyCrHprkGzvq/L9kUnx9Bh
-2IHbCzbbi9moYC1XcOxgfsEKmhtVF/uQdf8+3VtGqA==
+MIICqTCCAi6gAwIBAgIBETAMBggqhkjOPQQDAgUAMEsxCzAJBgNVBAYTAk5MMREw
+DwYDVQQKDAhQb2xhclNTTDEpMCcGA1UEAwwgUG9sYXJTU0wgVGVzdCBJbnRlcm1l
+ZGlhdGUgRUMgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQsw
+CQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9z
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANscfy4Lzb/O0XUQoKK4
+zn2q4gXgethEY4+1vcCwGbk3uBlKDvFddIBnRocG3lt/BgO9wY1eBxXUW/Tc5c89
++cERLK5quYq9HWdmF+pOvdsVmoKH5PB4w6OFh7D9n6mZX+Mz7MzqC7VhXvFJfj+j
+LeoBDMxCmnabxNA307EXAWEBFll+HBfDU/3RcstMYBXafeLqrVDvjuKL1Gp3VdZw
+2Wu78e45BDijveLR4GZr4pxHmeko5rb8LspnQ4To1YPWnZhrAT6B3Dx6yvnznPfW
+KBsneHzD0NVjp4E0ia0lar3y6u36V/zlNMbBD3Et0ggQG61EQeD+eaBjk4qxXemw
+7m8CAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
+J2F2Dx0wHwYDVR0jBBgwFoAUD4m9Y0Hry14XKP9oMD3BiNCcWDkwDAYIKoZIzj0E
+AwIFAANnADBkAjA3KJ1/SvOZnpmtqturkt+0DhQIXGMRDPnPksCuy/wqGHR8DsWS
+dEa7PQEgrbA60HoCMCpH2fYtcAfhg5gGg+QxmVsUIt/9Gd9syQlnX7wNCfweUeSS
+MxG1isOdUiQTajM1TQ==
-----END CERTIFICATE-----
diff --git a/tests/data_files/server8_int-ca2.crt b/tests/data_files/server8_int-ca2.crt
index 7a8da717d4..e99727d369 100644
--- a/tests/data_files/server8_int-ca2.crt
+++ b/tests/data_files/server8_int-ca2.crt
@@ -1,36 +1,35 @@
-----BEGIN CERTIFICATE-----
-MIIC6zCCAnKgAwIBAgIBETAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTEzMDkyNDE2MTI1NloXDTIzMDkyMjE2MTI1NlowNDELMAkG
-A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbHH8uC82/ztF1EKCiuM59
-quIF4HrYRGOPtb3AsBm5N7gZSg7xXXSAZ0aHBt5bfwYDvcGNXgcV1Fv03OXPPfnB
-ESyuarmKvR1nZhfqTr3bFZqCh+TweMOjhYew/Z+pmV/jM+zM6gu1YV7xSX4/oy3q
-AQzMQpp2m8TQN9OxFwFhARZZfhwXw1P90XLLTGAV2n3i6q1Q747ii9Rqd1XWcNlr
-u/HuOQQ4o73i0eBma+KcR5npKOa2/C7KZ0OE6NWD1p2YawE+gdw8esr585z31igb
-J3h8w9DVY6eBNImtJWq98urt+lf85TTGwQ9xLdIIEButREHg/nmgY5OKsV3psO5v
-AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
-J2F2Dx0wYwYDVR0jBFwwWoAUD4m9Y0Hry14XKP9oMD3BiNCcWDmhP6Q9MDsxCzAJ
-BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg
-VGVzdCBDQYIBDzAKBggqhkjOPQQDAgNnADBkAjBkP1bGlZvxnYySZjdBq4m8lkyz
-2cjfqjYs8COEkRkONaVz7888HvFdGpL98uQeFvECMHCyCrHprkGzvq/L9kUnx9Bh
-2IHbCzbbi9moYC1XcOxgfsEKmhtVF/uQdf8+3VtGqA==
+MIICqTCCAi6gAwIBAgIBETAMBggqhkjOPQQDAgUAMEsxCzAJBgNVBAYTAk5MMREw
+DwYDVQQKDAhQb2xhclNTTDEpMCcGA1UEAwwgUG9sYXJTU0wgVGVzdCBJbnRlcm1l
+ZGlhdGUgRUMgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQsw
+CQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9z
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANscfy4Lzb/O0XUQoKK4
+zn2q4gXgethEY4+1vcCwGbk3uBlKDvFddIBnRocG3lt/BgO9wY1eBxXUW/Tc5c89
++cERLK5quYq9HWdmF+pOvdsVmoKH5PB4w6OFh7D9n6mZX+Mz7MzqC7VhXvFJfj+j
+LeoBDMxCmnabxNA307EXAWEBFll+HBfDU/3RcstMYBXafeLqrVDvjuKL1Gp3VdZw
+2Wu78e45BDijveLR4GZr4pxHmeko5rb8LspnQ4To1YPWnZhrAT6B3Dx6yvnznPfW
+KBsneHzD0NVjp4E0ia0lar3y6u36V/zlNMbBD3Et0ggQG61EQeD+eaBjk4qxXemw
+7m8CAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU4j/mLfTnuKaM3G0XpxhA
+J2F2Dx0wHwYDVR0jBBgwFoAUD4m9Y0Hry14XKP9oMD3BiNCcWDkwDAYIKoZIzj0E
+AwIFAANnADBkAjA3KJ1/SvOZnpmtqturkt+0DhQIXGMRDPnPksCuy/wqGHR8DsWS
+dEa7PQEgrbA60HoCMCpH2fYtcAfhg5gGg+QxmVsUIt/9Gd9syQlnX7wNCfweUeSS
+MxG1isOdUiQTajM1TQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
+12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
+GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
+whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
+/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
+hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.crt b/tests/data_files/test-ca.crt
index 31790b5bb4..ef7e4c7294 100644
--- a/tests/data_files/test-ca.crt
+++ b/tests/data_files/test-ca.crt
@@ -1,5 +1,5 @@
-----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
@@ -9,12 +9,12 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
+UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
+x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
+BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
+hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
+G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
+7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
+9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
+hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.key b/tests/data_files/test-ca.key
index 1614e22bcd..de8be1ddfb 100644
--- a/tests/data_files/test-ca.key
+++ b/tests/data_files/test-ca.key
@@ -1,30 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B
+DEK-Info: AES-128-CBC,781840E6B804AE83D2AF71127C4CE314
-9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA
-7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq
-Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo
-PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb
-GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9
-gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq
-QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w
-PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x
-vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU
-WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X
-JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR
-KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe
-Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J
-9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2
-iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/
-tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT
-P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL
-1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb
-nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5
-X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq
-rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz
-L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l
-I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR
-wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde
-P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2
+etQ3xgGLbuYF9vR1km03TH5fwfly1hOlix0PtfQ+t9HG065vTtSEHYc/OyHwdy79
+NCLX5RUrPh06E/XlKzMNVHAXqkwFnIwNzRLsOozeP1L7iZEZb9QMeiN5Org+btCO
+bylXPB4YirfuE7GSJalWY/pq3FQtD33zTIKmNhXfVj3sbwGI/8D9XjaKUb8PODOB
+skOalmx6RvYRvg0lmRxB3+T3wejIsrrDPweYqte9B6dVHIVG1ZmvoA6/wnKZZZeV
+sjj8OpL3OwUBrjuGSknE9Rs6kCuSCbHOYVK8VzcZmCYpie0TFnb3Sk8M6vjfW+45
+U7WUMlSAPxKH6lJDzWdwHqLvsVJwuNnaAaBXg9/8U/rzQEWuq8Ar3s8fw2Jg3F1G
+L6N5ZAEfCz3Sa0N9WKafR/RSQj+rq8Z3w4POAafhbzk249uo5K8B1Z3cQwLxeXIl
+UbRQz1TZy4oNTfQzCahYruPNyvwgTkfwAFFvbLAdaiJd2ZtLBoqYE64TYakYnvcC
+itim1bmySIKoxlMfBGFmMuF03epT0pSx701jlGzGi0l0m16NEjoVxDwo5j93SmiM
+sQdjC1lOGk2iCLkphIQqHFjFJYWjvh1UUIqWZf+ZWOOxlf4x9a1pUVj6FvtECxNB
+/mA/m4Iq4LAuVXHE1MpHeq067lJ6wWlrsb2WVmiNGfQ2AC7fMtpcPuunBVT9NV1m
+1rbDzIgLIWAzqz/cy3N8Q8vfxnrFtmNUyM191Zyq+YF14hIKWX9J1qR4LXwWAzVV
+UrC8IL4pA2mtRkW4qFsB0EmHAxO/cedDTPjVFty5WSzhNuvYZxX45HAkGIfK6d21
+7WHPhHG+zaaUTWMUVixB0IcKp6RecjYPFzBHS0YeX88Ue2cyT/90jMiQ9ssOgRrG
+ZJRJvZAc3TSCnY9sNPYoGrJPiZuCnlUj3ENNurYVy12ai0WFxwnNUZjRUhDS6hjm
+cDHD5TlI9MZ6M+Mb/Bw4Ig8HuTHOtQBYD9vhtXsG+B7H/j6cS+1umaKjrnG/kK4W
+R6YXwM2faAi+DwgjjoMXSzRqSTF8PdTIWbAXo3bc2qsXPTMBA8PEp4nb5scHZ4Ts
+EcBNp2jv0j4gBkRmGIab17cWMrlagjFy89DhqZUFwKdeZs+yJ92A5xstWxOUfpEP
+90T/bsp1G5d7WW5fl2TRJvYJNDM+djkKIh0zCkduiZ36oVM6nDdbjmXqjQXopeSD
+gtOourBRF8g99W0fW8QT+yPhP0Pkyz6EG8eQO6Zwh439xdoVwu9jUzQAPmZ0uNeR
+xTXXihYyv72z27rInjLiIPXL25K9eDVLlcSR3RyG7YYgjdQAL2VJDLcBz5jox1uQ
+0guoD5wmfu2FWLqYE7HeTYntdY53lCflwq0GHRMjrrsVpx+5VDQ6Yi47Ny9SWLcp
+fPI3iBkXuGRWupzs6N4pQdSO0dU28KfpMM5QvFoLIn67brCHEQij4dgFrCTYEyBX
+9+jiNImUFYUhAFuxvUbfZt4O/ABLIElvHLfJs1oYCmI/nWpvLFqXB5rnzPNfEi0H
+PGGe1Hj/t+CJIp/6ios3yNy2QtXO754TZH2UVu51Ykyig5PFjZVoUkbRvHQYcWfU
-----END RSA PRIVATE KEY-----
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index a642b7379a..ff22cdbb49 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -12,6 +12,11 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
+[no_subj_auth_id]
+subjectKeyIdentifier=none
+authorityKeyIdentifier=none
+basicConstraints = CA:true
+
[othername_san]
subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
diff --git a/tests/data_files/test-ca.req.sha256 b/tests/data_files/test-ca.req.sha256
new file mode 100644
index 0000000000..1114338791
--- /dev/null
+++ b/tests/data_files/test-ca.req.sha256
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgDCCAWgCAQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwN83/Be74JadP4beljJ9RKUWoM0h8ZnU7OrLfBhYCJSl7JvFi98a
+Hpk4mYcee8CNOd84XXB4B9Oe2ZPouXJRxc6jMFKp8udAcBTLRKJyC8LlQPk+5aYO
+s/nsSmPAuCkAdJxXO6ilBJBx8b2D2T/WpeI8Ko/vJ2DDxp/LuuxgfbfmhDK+T/tY
+JiIDW9S01fv145YucMDkLr38Lu7iQVXANC59JHJpy0exFECDfWf0hvYxq/F5pLK1
+LhL5hBfwYm8nPhNYsVQNIZpzN6Ewz2+S3Pbp/KzbLijRfgJLI6AV8jhlZAnqDG6O
+Gxegccizm8mr6cPyz4eWj4ACMp6ZWG+i1QIDAQABoAAwDQYJKoZIhvcNAQELBQAD
+ggEBAKI+q840+CyPj6DJDJr9mP/aE8U+VyxbarQuZHxbiyS2HDuNQNFvP2TmCDRx
+juERTU8yDOj3F2p7JhFF4QkCP2TP4JFYjLlOE7ISxYegGdJNNO6W00btMHG1s0aW
+uPcPIIy9HxGiOFFmjYz7Jo8mcFl+bl4ET7zPoj21R4dOl7E3oYLtEZqTuiWnfW2H
++whurU13PYyog3jvJex99VIL8ZRliUSKgdmQ7A4GMvE6kf6Uk+441ynZ7RQr4jF9
+xsVIrR7cyt/SsVEYF+2SfJi0dO9pf6yV3PdwtpU2URTyZoitlneqEINXKi7Qx6E+
++f5fAI8FbCJtgKEKf2TfqiH6sCI=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca.req_ec.sha256 b/tests/data_files/test-ca.req_ec.sha256
new file mode 100644
index 0000000000..6d46b2ad84
--- /dev/null
+++ b/tests/data_files/test-ca.req_ec.sha256
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBOTCBvQIBADA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxHDAa
+BgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
+AATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjUUrSRlTkLI99fFyRiSPwalSnO
+LC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0X3WnR2/VGSlVaZpTOyC0ZhZg
+Mx6gADAMBggqhkjOPQQDAgUAA2kAMGYCMQDElef9+KfRbZOA29ZyU750fB3ob82E
+8R711+hk9HOsk0G9Uccp3tT+1nhCcMNhnWsCMQD6Y8e9jcEaKSPiWWfgCZ5NaQ5l
+pvPDUdcPV8sZt2cgNS8fcRIIHblQKvr6miHXl9Y=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca2.crt b/tests/data_files/test-ca2.crt
index 7ac79e440f..b974f4c5bc 100644
--- a/tests/data_files/test-ca2.crt
+++ b/tests/data_files/test-ca2.crt
@@ -1,13 +1,13 @@
-----BEGIN CERTIFICATE-----
-MIICBDCCAYigAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
-6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1AwTjAMBgNVHRMEBTADAQH/
-MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSdbSAk
-SQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMFHKrjAPpHB0BN1a
-LH8TwcJ3vh0AxeKZj30mRdOKBmg/jLS3rU3g8VQBHpn8sOTTBwIxANxPO5AerimZ
-hCjMe0d4CTHf1gFZMF70+IqEP+o5VHsIp2Cqvflb0VGWFC5l9a4cQg==
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2.crt.der b/tests/data_files/test-ca2.crt.der
index 2c8e217432..70d6abca4c 100644
Binary files a/tests/data_files/test-ca2.crt.der and b/tests/data_files/test-ca2.crt.der differ
diff --git a/tests/data_files/test-ca2.req.sha256 b/tests/data_files/test-ca2.req.sha256
new file mode 100644
index 0000000000..6d46b2ad84
--- /dev/null
+++ b/tests/data_files/test-ca2.req.sha256
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBOTCBvQIBADA+MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxHDAa
+BgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
+AATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjUUrSRlTkLI99fFyRiSPwalSnO
+LC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0X3WnR2/VGSlVaZpTOyC0ZhZg
+Mx6gADAMBggqhkjOPQQDAgUAA2kAMGYCMQDElef9+KfRbZOA29ZyU750fB3ob82E
+8R711+hk9HOsk0G9Uccp3tT+1nhCcMNhnWsCMQD6Y8e9jcEaKSPiWWfgCZ5NaQ5l
+pvPDUdcPV8sZt2cgNS8fcRIIHblQKvr6miHXl9Y=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/test-ca2_cat-future-invalid.crt b/tests/data_files/test-ca2_cat-future-invalid.crt
index b1cfbf0547..833e497faa 100644
--- a/tests/data_files/test-ca2_cat-future-invalid.crt
+++ b/tests/data_files/test-ca2_cat-future-invalid.crt
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE-----
+MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
+5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
+vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4
-AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ
-Xj09kLboxuemP40IIqhQnpYptMg=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
-qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
-+XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
+ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
+KgfuCEF96BhSjLDXWKB4IFWaXUQ=
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-future-present.crt b/tests/data_files/test-ca2_cat-future-present.crt
index 776e725cb6..649cca05a6 100644
--- a/tests/data_files/test-ca2_cat-future-present.crt
+++ b/tests/data_files/test-ca2_cat-future-present.crt
@@ -1,28 +1,26 @@
-----BEGIN CERTIFICATE-----
-MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
-qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
-+XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
+MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
+5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
+vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-past-invalid.crt b/tests/data_files/test-ca2_cat-past-invalid.crt
index febad74081..a0b0a2f868 100644
--- a/tests/data_files/test-ca2_cat-past-invalid.crt
+++ b/tests/data_files/test-ca2_cat-past-invalid.crt
@@ -13,15 +13,15 @@ l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE0MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
-PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
-clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
-CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4
-AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ
-Xj09kLboxuemP40IIqhQnpYptMg=
+PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
+clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
+CCqGSM49BAMCA2kAMGYCMQC7mlP+bq/c4hKB3zfJgPdwSnzzQOkXwdA2O6QumC2o
+ZuHyjUYV5/ZyU8QQ7cNnKnYCMQD9ByA7ddpVE2Gk+OVuBPGfwV4O2COgFrasfrTn
+KgfuCEF96BhSjLDXWKB4IFWaXUQ=
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-past-present.crt b/tests/data_files/test-ca2_cat-past-present.crt
index bc1ba9a2ef..24e05c6422 100644
--- a/tests/data_files/test-ca2_cat-past-present.crt
+++ b/tests/data_files/test-ca2_cat-past-present.crt
@@ -12,17 +12,15 @@ tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-future.crt b/tests/data_files/test-ca2_cat-present-future.crt
index d62ed09cd4..6539479e63 100644
--- a/tests/data_files/test-ca2_cat-present-future.crt
+++ b/tests/data_files/test-ca2_cat-present-future.crt
@@ -1,28 +1,26 @@
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
-Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
-DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
-MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
-WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
-w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
-FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
-vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
-qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
-+XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
+MIICBjCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTI5MDIxMDE0NDQwMFoXDTM5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2cAMGQCMCDwxpvV0mzZ
+5nyr3tpLILyaERGyVuSGHAJqd88fsWEiV6/xmiOTeIGlN8WLVL03FQIwJYnSIeCj
+vwuQaWzeIypEnGIT2A2eJ2IIrJrFr9xpafqN1vRDSK5VZuM1B4RtW2OU
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-past.crt b/tests/data_files/test-ca2_cat-present-past.crt
index a321d5dd78..08aeeea120 100644
--- a/tests/data_files/test-ca2_cat-present-past.crt
+++ b/tests/data_files/test-ca2_cat-present-past.crt
@@ -1,17 +1,15 @@
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
diff --git a/tests/data_files/test-ca_cat12.crt b/tests/data_files/test-ca_cat12.crt
index 8928144637..c54bcc178a 100644
--- a/tests/data_files/test-ca_cat12.crt
+++ b/tests/data_files/test-ca_cat12.crt
@@ -1,5 +1,5 @@
-----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
@@ -9,27 +9,25 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
+UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
+x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
+BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
+hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
+G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
+7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
+9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
+hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca_cat21.crt b/tests/data_files/test-ca_cat21.crt
index 7234863c71..b090dc6eca 100644
--- a/tests/data_files/test-ca_cat21.crt
+++ b/tests/data_files/test-ca_cat21.crt
@@ -1,20 +1,18 @@
-----BEGIN CERTIFICATE-----
-MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
-Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
-QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
-ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
-aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
-JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
-t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
-uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE
+BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0
+IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO
+4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK
+6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD
+AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd
+bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq
+6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29
+N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
@@ -24,12 +22,12 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
-MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
-A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL
-hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm
-8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD
-zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ
-0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/
-mtxyUALj2pQxRitopORFQdn7AOY5
+UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68
+x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
+BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T
+hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/
+G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf
+7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH
+9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf
+hlf8qotOhNvFXpEsCGwZUywayo7c4DtO
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca-exp.crt b/tests/data_files/test-int-ca-exp.crt
index c549654b0f..835c7dbbfc 100644
--- a/tests/data_files/test-int-ca-exp.crt
+++ b/tests/data_files/test-int-ca-exp.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MDcwNjI3MTAzODM3WhcNMTcwNjI3MTAzODM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MTMwNTE2MDcxMDM3WhcNMjMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
@@ -16,9 +16,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPu/FDEPvIC/BnzPQDAr1bQakGiwBsE9zGKRgXgX
-Y3Q+XJKhMEKZ8h1m+S5c6taO0gIwNB14zmJ1gJ9X3+tPDfriWrVaNMG54Kr57/Ep
-773Ap7Gxpk168id1EFhvW22YabKs
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAJH0e4fySJI2nJt1Knd+yU7zn1jTFDAABJMbndhR
+07OSM6vwUaGSMVatSzr8ah+UDgIwaI/MBcorSxT92jAQb1W5dJkEudoYSg49fjAf
+z0BtLCVhFwQlrzCqgXC98SGfT6sZ
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca.crt b/tests/data_files/test-int-ca.crt
index cbe99e0a62..8b2846d3b4 100644
--- a/tests/data_files/test-int-ca.crt
+++ b/tests/data_files/test-int-ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
-MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjBIMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxJjAkBgNVBAMMHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq
vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR
wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF
@@ -16,9 +16,9 @@ d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br
Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg
updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY
a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
-NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
-AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
-CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG
-i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9
-Af5cNR8KhzegznL6amRObGGKmX1F
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xhclNTTDEcMBoGA1UE
+AwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaAAwZQIxAOAch+gz4rHfI/pm8MIDssMtJCqzS6xtOvQHJZ9l
+fdgWfJV5cSHJpOIWGXeFKKR18wIwODTRnTIioy+bYacNq8TQPjzdVlT9XbYkWIYN
+JAuV9fLJJdB5nZUG3l85Dt27VNkT
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca2.crt b/tests/data_files/test-int-ca2.crt
index 9ce44c2310..80f39b9cf7 100644
--- a/tests/data_files/test-int-ca2.crt
+++ b/tests/data_files/test-int-ca2.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MjMwNTE3MDkyNzAyWhcNMzMwNTE3MDkyNzAyWjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl
WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8
ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW
BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV
-D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw
-FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6
-yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M
-ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf
-7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M
-CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut
-ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw=
+D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkw
+FwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHTN0URrP2MpwD8vODymjjq7iaB7WFZ4CWUjx9LWu3PPZbX2
+12MxzkyFaVR7rnPKZSFHJJEmNaPDJWwYhGQRXLCoD6NiJy6De4fa5gSYoXthRGFf
+GnFXZu3e37GDKoKP87TZ+VXcyx6PHvPxJB3/9N94Vj2Yh3hCs7F72GmwfDww6ooj
+whIqhxBYOhPleANs70FZ7Y7tjZV1RtQ1/9sRcbyv9OvdPuWvukBVq1KM6nqVHBZ3
+/4kHBWaFaWMq/AAxMxaTGFAOA8S2yU56jkB65viQrpQQWffBJWK+WfrcgxRWqR33
+hqG3yT1IWbJ5E11XL9TCKD+DReqeXHyYawx8fBU=
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca3-badsign.crt b/tests/data_files/test-int-ca3-badsign.crt
index 2087056e8e..8c363152b1 100644
--- a/tests/data_files/test-int-ca3-badsign.crt
+++ b/tests/data_files/test-int-ca3-badsign.crt
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWf0=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg10==
-----END CERTIFICATE-----
diff --git a/tests/data_files/test-int-ca3.crt b/tests/data_files/test-int-ca3.crt
index 7e724b241d..3aa64b137d 100644
--- a/tests/data_files/test-int-ca3.crt
+++ b/tests/data_files/test-int-ca3.crt
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
-YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
-A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+MIIBszCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxKTAnBgNVBAMMIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoMCG1iZWQgVExTMSgwJgYDVQQDDB9tYmVkIFRMUyBU
ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
-2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
-ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
-Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
-pz590JvGWfM=
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNn
+ADBkAjAZx8k0q+DtT/LJd1FjPcG/peoQDfMBL2jS/6PwxW+3+ZPMpHZn0r+JpCaF
++V/sM9kCMGqcxQwx/bsMaK0y9zqshC7/S5hVlA+WRVyMfEGJmXnfbdwh6CByKIwv
+1GRe86dg1A==
-----END CERTIFICATE-----
diff --git a/tests/include/spe/crypto_spe.h b/tests/include/spe/crypto_spe.h
index a79ce17385..de842642d4 100644
--- a/tests/include/spe/crypto_spe.h
+++ b/tests/include/spe/crypto_spe.h
@@ -19,13 +19,13 @@
/**
* \file crypto_spe.h
*
- * \brief When Mbed Crypto is built with the MBEDTLS_PSA_CRYPTO_SPM option
- * enabled, this header is included by all .c files in Mbed Crypto that
+ * \brief When Mbed TLS is built with the MBEDTLS_PSA_CRYPTO_SPM option
+ * enabled, this header is included by all .c files in Mbed TLS that
* use PSA Crypto function names. This avoids duplication of symbols
- * between TF-M and Mbed Crypto.
+ * between TF-M and Mbed TLS.
*
* \note This file should be included before including any PSA Crypto headers
- * from Mbed Crypto.
+ * from Mbed TLS.
*/
#ifndef CRYPTO_SPE_H
diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h
index ff2abfb372..f8b3a34a7e 100644
--- a/tests/include/test/drivers/crypto_config_test_driver_extension.h
+++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h
@@ -62,6 +62,14 @@
#endif
#endif
+#if defined(PSA_WANT_ALG_FFDH)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
+#undef MBEDTLS_PSA_ACCEL_ALG_FFDH
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_FFDH 1
+#endif
+#endif
+
#if defined(PSA_WANT_ALG_MD5)
#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
#undef MBEDTLS_PSA_ACCEL_ALG_MD5
@@ -198,6 +206,14 @@
#endif
#endif
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR
+#else
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR 1
+#endif
+#endif
+
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR
@@ -214,6 +230,7 @@
#endif
#endif
+
#if defined(PSA_WANT_ALG_TLS12_PRF)
#if defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
#undef MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF
@@ -275,3 +292,4 @@
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA 1
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY 1
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 572b6cb71e..2841691c9c 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -36,7 +36,6 @@
#include
#include
#include
-#include "hash_info.h"
#include "test/certs.h"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 78666b41f2..7b0893b8fc 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2160,6 +2160,50 @@ component_test_psa_crypto_config_accel_ecdh () {
make test
}
+component_test_psa_crypto_config_accel_ffdh () {
+ msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated FFDH"
+
+ # Algorithms and key types to accelerate
+ loc_accel_list="ALG_FFDH KEY_TYPE_DH_KEY_PAIR KEY_TYPE_DH_PUBLIC_KEY"
+
+ # Configure and build the test driver library
+ # -------------------------------------------
+
+ # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having
+ # partial support for cipher operations in the driver test library.
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
+ loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
+ make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
+
+ # Configure and build the main libraries
+ # --------------------------------------
+
+ # Start from default config (no USE_PSA or TLS 1.3)
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+
+ # Disable the module that's accelerated
+ scripts/config.py unset MBEDTLS_DHM_C
+
+ # Disable things that depend on it
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+
+ # Build the main library
+ loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
+ make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
+
+ # Make sure this was not re-enabled by accident (additive config)
+ not grep mbedtls_dhm_ library/dhm.o
+
+ # Run the tests
+ # -------------
+
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated FFDH"
+ make test
+}
+
component_test_psa_crypto_config_accel_pake() {
msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE"
@@ -2464,7 +2508,6 @@ psa_crypto_config_accel_all_curves_except_one () {
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
for ALG in $(sed -n 's/^#define \(PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
- echo $ALG
scripts/config.py -f include/psa/crypto_config.h unset $ALG
done
@@ -3793,7 +3836,7 @@ component_build_arm_none_eabi_gcc () {
make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
- ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
}
component_build_arm_linux_gnueabi_gcc_arm5vte () {
@@ -3807,7 +3850,7 @@ component_build_arm_linux_gnueabi_gcc_arm5vte () {
make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te'
msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
- ${ARM_LINUX_GNUEABI_GCC_PREFIX}size library/*.o
+ ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o
}
support_build_arm_linux_gnueabi_gcc_arm5vte () {
type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
@@ -3822,7 +3865,7 @@ component_build_arm_none_eabi_gcc_arm5vte () {
make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
- ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
}
component_build_arm_none_eabi_gcc_m0plus () {
@@ -3831,7 +3874,7 @@ component_build_arm_none_eabi_gcc_m0plus () {
make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
- ${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
+ ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
}
component_build_arm_none_eabi_gcc_no_udbl_division () {
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 293459b11f..0238555367 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -247,7 +247,21 @@ TASKS = {
'ECP test vectors secp256r1 rfc 5114',
'ECP test vectors secp384r1 rfc 5114',
'ECP test vectors secp521r1 rfc 5114',
- ]
+ ],
+ 'test_suite_pkparse': [
+ # This is a known difference for Montgomery curves: in
+ # reference component private keys are parsed using
+ # mbedtls_mpi_read_binary_le(), while in driver version they
+ # they are imported in PSA and there the parsing is done
+ # through mbedtls_ecp_read_key(). Unfortunately the latter
+ # fixes the errors which are intentionally set on the parsed
+ # key and therefore the following test case is not failing
+ # as expected.
+ # This cause the following test to be guarded by ECP_C and
+ # not being executed on the driver version.
+ ('Key ASN1 (OneAsymmetricKey X25519, doesn\'t match masking '
+ 'requirements, from RFC8410 Appendix A but made into version 0)'),
+ ],
}
}
},
diff --git a/tests/scripts/audit-validity-dates.py b/tests/scripts/audit-validity-dates.py
new file mode 100755
index 0000000000..5506e40e7f
--- /dev/null
+++ b/tests/scripts/audit-validity-dates.py
@@ -0,0 +1,513 @@
+#!/usr/bin/env python3
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Audit validity date of X509 crt/crl/csr.
+
+This script is used to audit the validity date of crt/crl/csr used for testing.
+It prints the information about X.509 objects excluding the objects that
+are valid throughout the desired validity period. The data are collected
+from tests/data_files/ and tests/suites/*.data files by default.
+"""
+
+import os
+import sys
+import re
+import typing
+import argparse
+import datetime
+import glob
+import logging
+import hashlib
+from enum import Enum
+
+# The script requires cryptography >= 35.0.0 which is only available
+# for Python >= 3.6.
+import cryptography
+from cryptography import x509
+
+from generate_test_code import FileWrapper
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_dev import build_tree
+
+def check_cryptography_version():
+ match = re.match(r'^[0-9]+', cryptography.__version__)
+ if match is None or int(match.group(0)) < 35:
+ raise Exception("audit-validity-dates requires cryptography >= 35.0.0"
+ + "({} is too old)".format(cryptography.__version__))
+
+class DataType(Enum):
+ CRT = 1 # Certificate
+ CRL = 2 # Certificate Revocation List
+ CSR = 3 # Certificate Signing Request
+
+
+class DataFormat(Enum):
+ PEM = 1 # Privacy-Enhanced Mail
+ DER = 2 # Distinguished Encoding Rules
+
+
+class AuditData:
+ """Store data location, type and validity period of X.509 objects."""
+ #pylint: disable=too-few-public-methods
+ def __init__(self, data_type: DataType, x509_obj):
+ self.data_type = data_type
+ # the locations that the x509 object could be found
+ self.locations = [] # type: typing.List[str]
+ self.fill_validity_duration(x509_obj)
+ self._obj = x509_obj
+ encoding = cryptography.hazmat.primitives.serialization.Encoding.DER
+ self._identifier = hashlib.sha1(self._obj.public_bytes(encoding)).hexdigest()
+
+ @property
+ def identifier(self):
+ """
+ Identifier of the underlying X.509 object, which is consistent across
+ different runs.
+ """
+ return self._identifier
+
+ def fill_validity_duration(self, x509_obj):
+ """Read validity period from an X.509 object."""
+ # Certificate expires after "not_valid_after"
+ # Certificate is invalid before "not_valid_before"
+ if self.data_type == DataType.CRT:
+ self.not_valid_after = x509_obj.not_valid_after
+ self.not_valid_before = x509_obj.not_valid_before
+ # CertificateRevocationList expires after "next_update"
+ # CertificateRevocationList is invalid before "last_update"
+ elif self.data_type == DataType.CRL:
+ self.not_valid_after = x509_obj.next_update
+ self.not_valid_before = x509_obj.last_update
+ # CertificateSigningRequest is always valid.
+ elif self.data_type == DataType.CSR:
+ self.not_valid_after = datetime.datetime.max
+ self.not_valid_before = datetime.datetime.min
+ else:
+ raise ValueError("Unsupported file_type: {}".format(self.data_type))
+
+
+class X509Parser:
+ """A parser class to parse crt/crl/csr file or data in PEM/DER format."""
+ PEM_REGEX = br'-{5}BEGIN (?P.*?)-{5}(?P.*?)-{5}END (?P=type)-{5}'
+ PEM_TAG_REGEX = br'-{5}BEGIN (?P.*?)-{5}\n'
+ PEM_TAGS = {
+ DataType.CRT: 'CERTIFICATE',
+ DataType.CRL: 'X509 CRL',
+ DataType.CSR: 'CERTIFICATE REQUEST'
+ }
+
+ def __init__(self,
+ backends:
+ typing.Dict[DataType,
+ typing.Dict[DataFormat,
+ typing.Callable[[bytes], object]]]) \
+ -> None:
+ self.backends = backends
+ self.__generate_parsers()
+
+ def __generate_parser(self, data_type: DataType):
+ """Parser generator for a specific DataType"""
+ tag = self.PEM_TAGS[data_type]
+ pem_loader = self.backends[data_type][DataFormat.PEM]
+ der_loader = self.backends[data_type][DataFormat.DER]
+ def wrapper(data: bytes):
+ pem_type = X509Parser.pem_data_type(data)
+ # It is in PEM format with target tag
+ if pem_type == tag:
+ return pem_loader(data)
+ # It is in PEM format without target tag
+ if pem_type:
+ return None
+ # It might be in DER format
+ try:
+ result = der_loader(data)
+ except ValueError:
+ result = None
+ return result
+ wrapper.__name__ = "{}.parser[{}]".format(type(self).__name__, tag)
+ return wrapper
+
+ def __generate_parsers(self):
+ """Generate parsers for all support DataType"""
+ self.parsers = {}
+ for data_type, _ in self.PEM_TAGS.items():
+ self.parsers[data_type] = self.__generate_parser(data_type)
+
+ def __getitem__(self, item):
+ return self.parsers[item]
+
+ @staticmethod
+ def pem_data_type(data: bytes) -> typing.Optional[str]:
+ """Get the tag from the data in PEM format
+
+ :param data: data to be checked in binary mode.
+ :return: PEM tag or "" when no tag detected.
+ """
+ m = re.search(X509Parser.PEM_TAG_REGEX, data)
+ if m is not None:
+ return m.group('type').decode('UTF-8')
+ else:
+ return None
+
+ @staticmethod
+ def check_hex_string(hex_str: str) -> bool:
+ """Check if the hex string is possibly DER data."""
+ hex_len = len(hex_str)
+ # At least 6 hex char for 3 bytes: Type + Length + Content
+ if hex_len < 6:
+ return False
+ # Check if Type (1 byte) is SEQUENCE.
+ if hex_str[0:2] != '30':
+ return False
+ # Check LENGTH (1 byte) value
+ content_len = int(hex_str[2:4], base=16)
+ consumed = 4
+ if content_len in (128, 255):
+ # Indefinite or Reserved
+ return False
+ elif content_len > 127:
+ # Definite, Long
+ length_len = (content_len - 128) * 2
+ content_len = int(hex_str[consumed:consumed+length_len], base=16)
+ consumed += length_len
+ # Check LENGTH
+ if hex_len != content_len * 2 + consumed:
+ return False
+ return True
+
+
+class Auditor:
+ """
+ A base class that uses X509Parser to parse files to a list of AuditData.
+
+ A subclass must implement the following methods:
+ - collect_default_files: Return a list of file names that are defaultly
+ used for parsing (auditing). The list will be stored in
+ Auditor.default_files.
+ - parse_file: Method that parses a single file to a list of AuditData.
+
+ A subclass may override the following methods:
+ - parse_bytes: Defaultly, it parses `bytes` that contains only one valid
+ X.509 data(DER/PEM format) to an X.509 object.
+ - walk_all: Defaultly, it iterates over all the files in the provided
+ file name list, calls `parse_file` for each file and stores the results
+ by extending the `results` passed to the function.
+ """
+ def __init__(self, logger):
+ self.logger = logger
+ self.default_files = self.collect_default_files()
+ self.parser = X509Parser({
+ DataType.CRT: {
+ DataFormat.PEM: x509.load_pem_x509_certificate,
+ DataFormat.DER: x509.load_der_x509_certificate
+ },
+ DataType.CRL: {
+ DataFormat.PEM: x509.load_pem_x509_crl,
+ DataFormat.DER: x509.load_der_x509_crl
+ },
+ DataType.CSR: {
+ DataFormat.PEM: x509.load_pem_x509_csr,
+ DataFormat.DER: x509.load_der_x509_csr
+ },
+ })
+
+ def collect_default_files(self) -> typing.List[str]:
+ """Collect the default files for parsing."""
+ raise NotImplementedError
+
+ def parse_file(self, filename: str) -> typing.List[AuditData]:
+ """
+ Parse a list of AuditData from file.
+
+ :param filename: name of the file to parse.
+ :return list of AuditData parsed from the file.
+ """
+ raise NotImplementedError
+
+ def parse_bytes(self, data: bytes):
+ """Parse AuditData from bytes."""
+ for data_type in list(DataType):
+ try:
+ result = self.parser[data_type](data)
+ except ValueError as val_error:
+ result = None
+ self.logger.warning(val_error)
+ if result is not None:
+ audit_data = AuditData(data_type, result)
+ return audit_data
+ return None
+
+ def walk_all(self,
+ results: typing.Dict[str, AuditData],
+ file_list: typing.Optional[typing.List[str]] = None) \
+ -> None:
+ """
+ Iterate over all the files in the list and get audit data. The
+ results will be written to `results` passed to this function.
+
+ :param results: The dictionary used to store the parsed
+ AuditData. The keys of this dictionary should
+ be the identifier of the AuditData.
+ """
+ if file_list is None:
+ file_list = self.default_files
+ for filename in file_list:
+ data_list = self.parse_file(filename)
+ for d in data_list:
+ if d.identifier in results:
+ results[d.identifier].locations.extend(d.locations)
+ else:
+ results[d.identifier] = d
+
+ @staticmethod
+ def find_test_dir():
+ """Get the relative path for the MbedTLS test directory."""
+ return os.path.relpath(build_tree.guess_mbedtls_root() + '/tests')
+
+
+class TestDataAuditor(Auditor):
+ """Class for auditing files in `tests/data_files/`"""
+
+ def collect_default_files(self):
+ """Collect all files in `tests/data_files/`"""
+ test_dir = self.find_test_dir()
+ test_data_glob = os.path.join(test_dir, 'data_files/**')
+ data_files = [f for f in glob.glob(test_data_glob, recursive=True)
+ if os.path.isfile(f)]
+ return data_files
+
+ def parse_file(self, filename: str) -> typing.List[AuditData]:
+ """
+ Parse a list of AuditData from data file.
+
+ :param filename: name of the file to parse.
+ :return list of AuditData parsed from the file.
+ """
+ with open(filename, 'rb') as f:
+ data = f.read()
+
+ results = []
+ # Try to parse all PEM blocks.
+ is_pem = False
+ for idx, m in enumerate(re.finditer(X509Parser.PEM_REGEX, data, flags=re.S), 1):
+ is_pem = True
+ result = self.parse_bytes(data[m.start():m.end()])
+ if result is not None:
+ result.locations.append("{}#{}".format(filename, idx))
+ results.append(result)
+
+ # Might be DER format.
+ if not is_pem:
+ result = self.parse_bytes(data)
+ if result is not None:
+ result.locations.append("{}".format(filename))
+ results.append(result)
+
+ return results
+
+
+def parse_suite_data(data_f):
+ """
+ Parses .data file for test arguments that possiblly have a
+ valid X.509 data. If you need a more precise parser, please
+ use generate_test_code.parse_test_data instead.
+
+ :param data_f: file object of the data file.
+ :return: Generator that yields test function argument list.
+ """
+ for line in data_f:
+ line = line.strip()
+ # Skip comments
+ if line.startswith('#'):
+ continue
+
+ # Check parameters line
+ match = re.search(r'\A\w+(.*:)?\"', line)
+ if match:
+ # Read test vectors
+ parts = re.split(r'(?[0-9a-fA-F]+)"', test_arg)
+ if not match:
+ continue
+ if not X509Parser.check_hex_string(match.group('data')):
+ continue
+ audit_data = self.parse_bytes(bytes.fromhex(match.group('data')))
+ if audit_data is None:
+ continue
+ audit_data.locations.append("{}:{}:#{}".format(filename,
+ data_f.line_no,
+ idx + 1))
+ audit_data_list.append(audit_data)
+
+ return audit_data_list
+
+
+def list_all(audit_data: AuditData):
+ for loc in audit_data.locations:
+ print("{}\t{:20}\t{:20}\t{:3}\t{}".format(
+ audit_data.identifier,
+ audit_data.not_valid_before.isoformat(timespec='seconds'),
+ audit_data.not_valid_after.isoformat(timespec='seconds'),
+ audit_data.data_type.name,
+ loc))
+
+
+def configure_logger(logger: logging.Logger) -> None:
+ """
+ Configure the logging.Logger instance so that:
+ - Format is set to "[%(levelname)s]: %(message)s".
+ - loglevel >= WARNING are printed to stderr.
+ - loglevel < WARNING are printed to stdout.
+ """
+ class MaxLevelFilter(logging.Filter):
+ # pylint: disable=too-few-public-methods
+ def __init__(self, max_level, name=''):
+ super().__init__(name)
+ self.max_level = max_level
+
+ def filter(self, record: logging.LogRecord) -> bool:
+ return record.levelno <= self.max_level
+
+ log_formatter = logging.Formatter("[%(levelname)s]: %(message)s")
+
+ # set loglevel >= WARNING to be printed to stderr
+ stderr_hdlr = logging.StreamHandler(sys.stderr)
+ stderr_hdlr.setLevel(logging.WARNING)
+ stderr_hdlr.setFormatter(log_formatter)
+
+ # set loglevel <= INFO to be printed to stdout
+ stdout_hdlr = logging.StreamHandler(sys.stdout)
+ stdout_hdlr.addFilter(MaxLevelFilter(logging.INFO))
+ stdout_hdlr.setFormatter(log_formatter)
+
+ logger.addHandler(stderr_hdlr)
+ logger.addHandler(stdout_hdlr)
+
+
+def main():
+ """
+ Perform argument parsing.
+ """
+ parser = argparse.ArgumentParser(description=__doc__)
+
+ parser.add_argument('-a', '--all',
+ action='store_true',
+ help='list the information of all the files')
+ parser.add_argument('-v', '--verbose',
+ action='store_true', dest='verbose',
+ help='show logs')
+ parser.add_argument('--from', dest='start_date',
+ help=('Start of desired validity period (UTC, YYYY-MM-DD). '
+ 'Default: today'),
+ metavar='DATE')
+ parser.add_argument('--to', dest='end_date',
+ help=('End of desired validity period (UTC, YYYY-MM-DD). '
+ 'Default: --from'),
+ metavar='DATE')
+ parser.add_argument('--data-files', action='append', nargs='*',
+ help='data files to audit',
+ metavar='FILE')
+ parser.add_argument('--suite-data-files', action='append', nargs='*',
+ help='suite data files to audit',
+ metavar='FILE')
+
+ args = parser.parse_args()
+
+ # start main routine
+ # setup logger
+ logger = logging.getLogger()
+ configure_logger(logger)
+ logger.setLevel(logging.DEBUG if args.verbose else logging.ERROR)
+
+ td_auditor = TestDataAuditor(logger)
+ sd_auditor = SuiteDataAuditor(logger)
+
+ data_files = []
+ suite_data_files = []
+ if args.data_files is None and args.suite_data_files is None:
+ data_files = td_auditor.default_files
+ suite_data_files = sd_auditor.default_files
+ else:
+ if args.data_files is not None:
+ data_files = [x for l in args.data_files for x in l]
+ if args.suite_data_files is not None:
+ suite_data_files = [x for l in args.suite_data_files for x in l]
+
+ # validity period start date
+ if args.start_date:
+ start_date = datetime.datetime.fromisoformat(args.start_date)
+ else:
+ start_date = datetime.datetime.today()
+ # validity period end date
+ if args.end_date:
+ end_date = datetime.datetime.fromisoformat(args.end_date)
+ else:
+ end_date = start_date
+
+ # go through all the files
+ audit_results = {}
+ td_auditor.walk_all(audit_results, data_files)
+ sd_auditor.walk_all(audit_results, suite_data_files)
+
+ logger.info("Total: {} objects found!".format(len(audit_results)))
+
+ # we filter out the files whose validity duration covers the provided
+ # duration.
+ filter_func = lambda d: (start_date < d.not_valid_before) or \
+ (d.not_valid_after < end_date)
+
+ sortby_end = lambda d: d.not_valid_after
+
+ if args.all:
+ filter_func = None
+
+ # filter and output the results
+ for d in sorted(filter(filter_func, audit_results.values()), key=sortby_end):
+ list_all(d)
+
+ logger.debug("Done!")
+
+check_cryptography_version()
+if __name__ == "__main__":
+ main()
diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py
index 839fccdddd..ff7f9b9976 100755
--- a/tests/scripts/generate_test_code.py
+++ b/tests/scripts/generate_test_code.py
@@ -163,7 +163,6 @@ __MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE
"""
-import io
import os
import re
import sys
@@ -227,43 +226,57 @@ class GeneratorInputError(Exception):
pass
-class FileWrapper(io.FileIO):
+class FileWrapper:
"""
- This class extends built-in io.FileIO class with attribute line_no,
+ This class extends the file object with attribute line_no,
that indicates line number for the line that is read.
"""
- def __init__(self, file_name):
+ def __init__(self, file_name) -> None:
"""
- Instantiate the base class and initialize the line number to 0.
+ Instantiate the file object and initialize the line number to 0.
:param file_name: File path to open.
"""
- super().__init__(file_name, 'r')
+ # private mix-in file object
+ self._f = open(file_name, 'rb')
self._line_no = 0
+ def __iter__(self):
+ return self
+
def __next__(self):
"""
- This method overrides base class's __next__ method and extends it
- method to count the line numbers as each line is read.
+ This method makes FileWrapper iterable.
+ It counts the line numbers as each line is read.
:return: Line read from file.
"""
- line = super().__next__()
- if line is not None:
- self._line_no += 1
- # Convert byte array to string with correct encoding and
- # strip any whitespaces added in the decoding process.
- return line.decode(sys.getdefaultencoding()).rstrip() + '\n'
- return None
+ line = self._f.__next__()
+ self._line_no += 1
+ # Convert byte array to string with correct encoding and
+ # strip any whitespaces added in the decoding process.
+ return line.decode(sys.getdefaultencoding()).rstrip()+ '\n'
- def get_line_no(self):
+ def __enter__(self):
+ return self
+
+ def __exit__(self, exc_type, exc_val, exc_tb):
+ self._f.__exit__(exc_type, exc_val, exc_tb)
+
+ @property
+ def line_no(self):
"""
- Gives current line number.
+ Property that indicates line number for the line that is read.
"""
return self._line_no
- line_no = property(get_line_no)
+ @property
+ def name(self):
+ """
+ Property that indicates name of the file that is read.
+ """
+ return self._f.name
def split_dep(dep):
diff --git a/tests/scripts/psa_collect_statuses.py b/tests/scripts/psa_collect_statuses.py
index b086793c40..f685bab8e0 100755
--- a/tests/scripts/psa_collect_statuses.py
+++ b/tests/scripts/psa_collect_statuses.py
@@ -1,13 +1,13 @@
#!/usr/bin/env python3
"""Describe the test coverage of PSA functions in terms of return statuses.
-1. Build Mbed Crypto with -DRECORD_PSA_STATUS_COVERAGE_LOG
+1. Build Mbed TLS with -DRECORD_PSA_STATUS_COVERAGE_LOG
2. Run psa_collect_statuses.py
The output is a series of line of the form "psa_foo PSA_ERROR_XXX". Each
function/status combination appears only once.
-This script must be run from the top of an Mbed Crypto source tree.
+This script must be run from the top of an Mbed TLS source tree.
The build command is "make -DRECORD_PSA_STATUS_COVERAGE_LOG", which is
only supported with make (as opposed to CMake or other build methods).
"""
@@ -46,7 +46,7 @@ class Statuses:
def collect_log(self, log_file_name):
"""Read logs from RECORD_PSA_STATUS_COVERAGE_LOG.
- Read logs produced by running Mbed Crypto test suites built with
+ Read logs produced by running Mbed TLS test suites built with
-DRECORD_PSA_STATUS_COVERAGE_LOG.
"""
with open(log_file_name) as log:
@@ -82,7 +82,7 @@ class Statuses:
def collect_status_logs(options):
"""Build and run unit tests and report observed function return statuses.
- Build Mbed Crypto with -DRECORD_PSA_STATUS_COVERAGE_LOG, run the
+ Build Mbed TLS with -DRECORD_PSA_STATUS_COVERAGE_LOG, run the
test suites and display information about observed return statuses.
"""
rebuilt = False
diff --git a/tests/src/certs.c b/tests/src/certs.c
index 8b6b988a7e..d2808d71c9 100644
--- a/tests/src/certs.c
+++ b/tests/src/certs.c
@@ -40,69 +40,69 @@
/* This is taken from tests/data_files/test-ca2.crt */
/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */
-#define TEST_CA_CRT_EC_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIICBDCCAYigAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
- "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
- "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
- "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
- "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
- "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
- "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1AwTjAMBgNVHRMEBTADAQH/\r\n" \
- "MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSdbSAk\r\n" \
- "SQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMFHKrjAPpHB0BN1a\r\n" \
- "LH8TwcJ3vh0AxeKZj30mRdOKBmg/jLS3rU3g8VQBHpn8sOTTBwIxANxPO5AerimZ\r\n" \
- "hCjMe0d4CTHf1gFZMF70+IqEP+o5VHsIp2Cqvflb0VGWFC5l9a4cQg==\r\n" \
+#define TEST_CA_CRT_EC_PEM \
+ "-----BEGIN CERTIFICATE-----\r\n" \
+ "MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
+ "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+ "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
+ "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+ "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
+ "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
+ "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1MwUTAPBgNVHRMBAf8EBTAD\r\n" \
+ "AQH/MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSd\r\n" \
+ "bSAkSQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMQDpNWfBIlzq\r\n" \
+ "6xV2UwQD/1YGz9fQUM7AfNKzVa2PVBpf/QD1TAylTYTF4GI6qlb6EPYCMF/YVa29\r\n" \
+ "N5yC1mFAir19jb9Pl9iiIkRm17dM4y6m5VIMepEPm/VlWAa8H5p1+BPbGw==\r\n" \
"-----END CERTIFICATE-----\r\n"
/* END FILE */
/* This is generated from tests/data_files/test-ca2.crt.der using `xxd -i`. */
/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca2.crt.der */
-#define TEST_CA_CRT_EC_DER { \
- 0x30, 0x82, 0x02, 0x04, 0x30, 0x82, 0x01, 0x88, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, \
- 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, \
- 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
- 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
- 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
- 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
- 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, \
- 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17, \
- 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, \
- 0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
- 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
- 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
- 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
- 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
- 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, \
- 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, \
- 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, \
- 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, \
- 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, \
- 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, \
- 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, \
- 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, \
- 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, \
- 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, \
- 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0c, \
- 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, \
- 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, \
- 0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, \
- 0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, 0x06, 0x03, 0x55, \
- 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, \
- 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, \
- 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \
- 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, \
- 0x30, 0x51, 0xca, 0xae, 0x30, 0x0f, 0xa4, 0x70, 0x74, 0x04, 0xdd, 0x5a, \
- 0x2c, 0x7f, 0x13, 0xc1, 0xc2, 0x77, 0xbe, 0x1d, 0x00, 0xc5, 0xe2, 0x99, \
- 0x8f, 0x7d, 0x26, 0x45, 0xd3, 0x8a, 0x06, 0x68, 0x3f, 0x8c, 0xb4, 0xb7, \
- 0xad, 0x4d, 0xe0, 0xf1, 0x54, 0x01, 0x1e, 0x99, 0xfc, 0xb0, 0xe4, 0xd3, \
- 0x07, 0x02, 0x31, 0x00, 0xdc, 0x4f, 0x3b, 0x90, 0x1e, 0xae, 0x29, 0x99, \
- 0x84, 0x28, 0xcc, 0x7b, 0x47, 0x78, 0x09, 0x31, 0xdf, 0xd6, 0x01, 0x59, \
- 0x30, 0x5e, 0xf4, 0xf8, 0x8a, 0x84, 0x3f, 0xea, 0x39, 0x54, 0x7b, 0x08, \
- 0xa7, 0x60, 0xaa, 0xbd, 0xf9, 0x5b, 0xd1, 0x51, 0x96, 0x14, 0x2e, 0x65, \
- 0xf5, 0xae, 0x1c, 0x42 \
+#define TEST_CA_CRT_EC_DER { \
+ 0x30, 0x82, 0x02, 0x07, 0x30, 0x82, 0x01, 0x8b, 0xa0, 0x03, 0x02, 0x01, \
+ 0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, \
+ 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, \
+ 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
+ 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
+ 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
+ 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
+ 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
+ 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39, \
+ 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17, \
+ 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, \
+ 0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, \
+ 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, \
+ 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, \
+ 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, \
+ 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, \
+ 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, \
+ 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, \
+ 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, \
+ 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, \
+ 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, \
+ 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, \
+ 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, \
+ 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, \
+ 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, \
+ 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, \
+ 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x0f, \
+ 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, \
+ 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, \
+ 0x04, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, \
+ 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, \
+ 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, \
+ 0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, \
+ 0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, \
+ 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, \
+ 0x30, 0x65, 0x02, 0x31, 0x00, 0xe9, 0x35, 0x67, 0xc1, 0x22, 0x5c, 0xea, \
+ 0xeb, 0x15, 0x76, 0x53, 0x04, 0x03, 0xff, 0x56, 0x06, 0xcf, 0xd7, 0xd0, \
+ 0x50, 0xce, 0xc0, 0x7c, 0xd2, 0xb3, 0x55, 0xad, 0x8f, 0x54, 0x1a, 0x5f, \
+ 0xfd, 0x00, 0xf5, 0x4c, 0x0c, 0xa5, 0x4d, 0x84, 0xc5, 0xe0, 0x62, 0x3a, \
+ 0xaa, 0x56, 0xfa, 0x10, 0xf6, 0x02, 0x30, 0x5f, 0xd8, 0x55, 0xad, 0xbd, \
+ 0x37, 0x9c, 0x82, 0xd6, 0x61, 0x40, 0x8a, 0xbd, 0x7d, 0x8d, 0xbf, 0x4f, \
+ 0x97, 0xd8, 0xa2, 0x22, 0x44, 0x66, 0xd7, 0xb7, 0x4c, 0xe3, 0x2e, 0xa6, \
+ 0xe5, 0x52, 0x0c, 0x7a, 0x91, 0x0f, 0x9b, 0xf5, 0x65, 0x58, 0x06, 0xbc, \
+ 0x1f, 0x9a, 0x75, 0xf8, 0x13, 0xdb, 0x1b \
}
/* END FILE */
@@ -350,33 +350,33 @@
#define TEST_CA_KEY_RSA_PEM \
"-----BEGIN RSA PRIVATE KEY-----\r\n" \
"Proc-Type: 4,ENCRYPTED\r\n" \
- "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n" \
+ "AES-128-CBC,781840E6B804AE83D2AF71127C4CE314\r\n" \
"\r\n" \
- "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n" \
- "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n" \
- "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n" \
- "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n" \
- "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n" \
- "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n" \
- "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n" \
- "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n" \
- "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n" \
- "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n" \
- "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n" \
- "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n" \
- "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n" \
- "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n" \
- "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n" \
- "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n" \
- "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n" \
- "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n" \
- "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n" \
- "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n" \
- "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n" \
- "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n" \
- "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n" \
- "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n" \
- "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" \
+ "etQ3xgGLbuYF9vR1km03TH5fwfly1hOlix0PtfQ+t9HG065vTtSEHYc/OyHwdy79\r\n" \
+ "NCLX5RUrPh06E/XlKzMNVHAXqkwFnIwNzRLsOozeP1L7iZEZb9QMeiN5Org+btCO\r\n" \
+ "bylXPB4YirfuE7GSJalWY/pq3FQtD33zTIKmNhXfVj3sbwGI/8D9XjaKUb8PODOB\r\n" \
+ "skOalmx6RvYRvg0lmRxB3+T3wejIsrrDPweYqte9B6dVHIVG1ZmvoA6/wnKZZZeV\r\n" \
+ "sjj8OpL3OwUBrjuGSknE9Rs6kCuSCbHOYVK8VzcZmCYpie0TFnb3Sk8M6vjfW+45\r\n" \
+ "U7WUMlSAPxKH6lJDzWdwHqLvsVJwuNnaAaBXg9/8U/rzQEWuq8Ar3s8fw2Jg3F1G\r\n" \
+ "L6N5ZAEfCz3Sa0N9WKafR/RSQj+rq8Z3w4POAafhbzk249uo5K8B1Z3cQwLxeXIl\r\n" \
+ "UbRQz1TZy4oNTfQzCahYruPNyvwgTkfwAFFvbLAdaiJd2ZtLBoqYE64TYakYnvcC\r\n" \
+ "itim1bmySIKoxlMfBGFmMuF03epT0pSx701jlGzGi0l0m16NEjoVxDwo5j93SmiM\r\n" \
+ "sQdjC1lOGk2iCLkphIQqHFjFJYWjvh1UUIqWZf+ZWOOxlf4x9a1pUVj6FvtECxNB\r\n" \
+ "/mA/m4Iq4LAuVXHE1MpHeq067lJ6wWlrsb2WVmiNGfQ2AC7fMtpcPuunBVT9NV1m\r\n" \
+ "1rbDzIgLIWAzqz/cy3N8Q8vfxnrFtmNUyM191Zyq+YF14hIKWX9J1qR4LXwWAzVV\r\n" \
+ "UrC8IL4pA2mtRkW4qFsB0EmHAxO/cedDTPjVFty5WSzhNuvYZxX45HAkGIfK6d21\r\n" \
+ "7WHPhHG+zaaUTWMUVixB0IcKp6RecjYPFzBHS0YeX88Ue2cyT/90jMiQ9ssOgRrG\r\n" \
+ "ZJRJvZAc3TSCnY9sNPYoGrJPiZuCnlUj3ENNurYVy12ai0WFxwnNUZjRUhDS6hjm\r\n" \
+ "cDHD5TlI9MZ6M+Mb/Bw4Ig8HuTHOtQBYD9vhtXsG+B7H/j6cS+1umaKjrnG/kK4W\r\n" \
+ "R6YXwM2faAi+DwgjjoMXSzRqSTF8PdTIWbAXo3bc2qsXPTMBA8PEp4nb5scHZ4Ts\r\n" \
+ "EcBNp2jv0j4gBkRmGIab17cWMrlagjFy89DhqZUFwKdeZs+yJ92A5xstWxOUfpEP\r\n" \
+ "90T/bsp1G5d7WW5fl2TRJvYJNDM+djkKIh0zCkduiZ36oVM6nDdbjmXqjQXopeSD\r\n" \
+ "gtOourBRF8g99W0fW8QT+yPhP0Pkyz6EG8eQO6Zwh439xdoVwu9jUzQAPmZ0uNeR\r\n" \
+ "xTXXihYyv72z27rInjLiIPXL25K9eDVLlcSR3RyG7YYgjdQAL2VJDLcBz5jox1uQ\r\n" \
+ "0guoD5wmfu2FWLqYE7HeTYntdY53lCflwq0GHRMjrrsVpx+5VDQ6Yi47Ny9SWLcp\r\n" \
+ "fPI3iBkXuGRWupzs6N4pQdSO0dU28KfpMM5QvFoLIn67brCHEQij4dgFrCTYEyBX\r\n" \
+ "9+jiNImUFYUhAFuxvUbfZt4O/ABLIElvHLfJs1oYCmI/nWpvLFqXB5rnzPNfEi0H\r\n" \
+ "PGGe1Hj/t+CJIp/6ios3yNy2QtXO754TZH2UVu51Ykyig5PFjZVoUkbRvHQYcWfU\r\n" \
"-----END RSA PRIVATE KEY-----\r\n"
/* END FILE */
@@ -503,72 +503,72 @@
/* This is taken from tests/data_files/server5.crt. */
/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */
-#define TEST_SRV_CRT_EC_PEM \
- "-----BEGIN CERTIFICATE-----\r\n" \
- "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
- "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
- "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
- "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
- "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
- "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
- "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" \
- "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
- "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" \
- "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" \
- "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n" \
+#define TEST_SRV_CRT_EC_PEM \
+ "-----BEGIN CERTIFICATE-----\r\n" \
+ "MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+ "A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+ "MjMwNTE3MDcxMDM2WhcNMzMwNTE0MDcxMDM2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+ "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
+ "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
+ "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
+ "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
+ "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh\r\n" \
+ "clNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
+ "CCqGSM49BAMCA2kAMGYCMQDg6p7PPfr2+n7nGvya3pU4ust3k7Obk4/tZX+uHHRQ\r\n" \
+ "qaccsyULeFNzkyRvWHFeT5sCMQCzDJX79Ii7hILYza/iXWJe/BjJEE8MteCRGXDN\r\n" \
+ "06jC+BLgOH1KQV9ArqEh3AhOhEg=\r\n" \
"-----END CERTIFICATE-----\r\n"
/* END FILE */
/* This is generated from tests/data_files/server5.crt.der using `xxd -i`. */
/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server5.crt.der */
-#define TEST_SRV_CRT_EC_DER { \
- 0x30, 0x82, 0x02, 0x1f, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01, \
- 0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \
- 0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, \
- 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, \
- 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
- 0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34, \
- 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35, \
- 0x32, 0x30, 0x34, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
- 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
- 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
- 0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, \
- 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59, \
- 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, \
- 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, \
- 0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, \
- 0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, \
- 0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, \
- 0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, \
- 0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, \
- 0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, \
- 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, \
- 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5, \
- 0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c, \
- 0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23, \
- 0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01, \
- 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb, \
- 0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, \
- 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, \
- 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, \
- 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, \
- 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, \
- 0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09, \
- 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06, \
- 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68, 0x00, \
- 0x30, 0x65, 0x02, 0x31, 0x00, 0x9a, 0x2c, 0x5c, 0xd7, 0xa6, 0xdb, 0xa2, \
- 0xe5, 0x64, 0x0d, 0xf0, 0xb9, 0x4e, 0xdd, 0xd7, 0x61, 0xd6, 0x13, 0x31, \
- 0xc7, 0xab, 0x73, 0x80, 0xbb, 0xd3, 0xd3, 0x73, 0x13, 0x54, 0xad, 0x92, \
- 0x0b, 0x5d, 0xab, 0xd0, 0xbc, 0xf7, 0xae, 0x2f, 0xe6, 0xa1, 0x21, 0x29, \
- 0x35, 0x95, 0xaa, 0x3e, 0x39, 0x02, 0x30, 0x21, 0x36, 0x7f, 0x9d, 0xc6, \
- 0x5d, 0xc6, 0x0b, 0xab, 0x27, 0xf2, 0x25, 0x1d, 0x3b, 0xf1, 0xcf, 0xf1, \
- 0x35, 0x25, 0x14, 0xe7, 0xe5, 0xf1, 0x97, 0xb5, 0x59, 0xe3, 0x5e, 0x15, \
- 0x7c, 0x66, 0xb9, 0x90, 0x7b, 0xc7, 0x01, 0x10, 0x4f, 0x73, 0xc6, 0x00, \
- 0x21, 0x52, 0x2a, 0x0e, 0xf1, 0xc7, 0xd5 \
+#define TEST_SRV_CRT_EC_DER { \
+ 0x30, 0x82, 0x02, 0x20, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01, \
+ 0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \
+ 0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
+ 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
+ 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
+ 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
+ 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, \
+ 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, \
+ 0x32, 0x33, 0x30, 0x35, 0x31, 0x37, 0x30, 0x37, 0x31, 0x30, 0x33, 0x36, \
+ 0x5a, 0x17, 0x0d, 0x33, 0x33, 0x30, 0x35, 0x31, 0x34, 0x30, 0x37, 0x31, \
+ 0x30, 0x33, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \
+ 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, \
+ 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, \
+ 0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, \
+ 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59, \
+ 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, \
+ 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, \
+ 0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, \
+ 0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, \
+ 0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, \
+ 0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, \
+ 0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, \
+ 0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, \
+ 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, \
+ 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5, \
+ 0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c, \
+ 0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23, \
+ 0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01, \
+ 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb, \
+ 0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, \
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, \
+ 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, \
+ 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, \
+ 0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, \
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09, \
+ 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06, \
+ 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x69, 0x00, \
+ 0x30, 0x66, 0x02, 0x31, 0x00, 0xe0, 0xea, 0x9e, 0xcf, 0x3d, 0xfa, 0xf6, \
+ 0xfa, 0x7e, 0xe7, 0x1a, 0xfc, 0x9a, 0xde, 0x95, 0x38, 0xba, 0xcb, 0x77, \
+ 0x93, 0xb3, 0x9b, 0x93, 0x8f, 0xed, 0x65, 0x7f, 0xae, 0x1c, 0x74, 0x50, \
+ 0xa9, 0xa7, 0x1c, 0xb3, 0x25, 0x0b, 0x78, 0x53, 0x73, 0x93, 0x24, 0x6f, \
+ 0x58, 0x71, 0x5e, 0x4f, 0x9b, 0x02, 0x31, 0x00, 0xb3, 0x0c, 0x95, 0xfb, \
+ 0xf4, 0x88, 0xbb, 0x84, 0x82, 0xd8, 0xcd, 0xaf, 0xe2, 0x5d, 0x62, 0x5e, \
+ 0xfc, 0x18, 0xc9, 0x10, 0x4f, 0x0c, 0xb5, 0xe0, 0x91, 0x19, 0x70, 0xcd, \
+ 0xd3, 0xa8, 0xc2, 0xf8, 0x12, 0xe0, 0x38, 0x7d, 0x4a, 0x41, 0x5f, 0x40, \
+ 0xae, 0xa1, 0x21, 0xdc, 0x08, 0x4e, 0x84, 0x48 \
}
/* END FILE */
diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c
index b60c412031..6cfde20ad6 100644
--- a/tests/src/drivers/test_driver_key_agreement.c
+++ b/tests/src/drivers/test_driver_key_agreement.c
@@ -24,6 +24,7 @@
#include "psa/crypto.h"
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
+#include "psa_crypto_ffdh.h"
#include "test/drivers/key_agreement.h"
#include "test/drivers/test_driver.h"
@@ -33,6 +34,7 @@
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
#include "libtestdriver1/include/psa/crypto.h"
#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/library/psa_crypto_ffdh.h"
#endif
mbedtls_test_driver_key_agreement_hooks_t
@@ -93,6 +95,37 @@ psa_status_t mbedtls_test_transparent_key_agreement(
(void) shared_secret_size;
(void) shared_secret_length;
return PSA_ERROR_NOT_SUPPORTED;
+#endif
+ }
+ if (PSA_ALG_IS_FFDH(alg)) {
+#if (defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_FFDH))
+ return libtestdriver1_mbedtls_psa_key_agreement_ffdh(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ peer_key, peer_key_length,
+ key_buffer, key_buffer_size,
+ shared_secret, shared_secret_size,
+ shared_secret_length);
+#elif defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+ return mbedtls_psa_key_agreement_ffdh(
+ attributes,
+ peer_key,
+ peer_key_length,
+ key_buffer,
+ key_buffer_size,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#else
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) peer_key;
+ (void) peer_key_length;
+ (void) shared_secret;
+ (void) shared_secret_size;
+ (void) shared_secret_length;
+ return PSA_ERROR_NOT_SUPPORTED;
#endif
} else {
return PSA_ERROR_INVALID_ARGUMENT;
diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c
index a3ff2ddea6..3ff1053e30 100644
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@@ -25,6 +25,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
#include "psa_crypto_rsa.h"
+#include "psa_crypto_ffdh.h"
#include "mbedtls/ecp.h"
#include "mbedtls/error.h"
@@ -36,6 +37,7 @@
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
#include "libtestdriver1/library/psa_crypto_ecp.h"
#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/library/psa_crypto_ffdh.h"
#endif
#include
@@ -239,6 +241,17 @@ psa_status_t mbedtls_test_transparent_generate_key(
#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
return mbedtls_psa_rsa_generate_key(
attributes, key, key_size, key_length);
+#endif
+ } else if (PSA_KEY_TYPE_IS_DH(psa_get_key_type(attributes))
+ && PSA_KEY_TYPE_IS_KEY_PAIR(psa_get_key_type(attributes))) {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR)
+ return libtestdriver1_mbedtls_psa_ffdh_generate_key(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ key, key_size, key_length);
+#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR)
+ return mbedtls_psa_ffdh_generate_key(
+ attributes, key, key_size, key_length);
#endif
}
@@ -308,9 +321,25 @@ psa_status_t mbedtls_test_transparent_import_key(
data, data_length,
key_buffer, key_buffer_size,
key_buffer_length, bits);
+#endif
+ } else if (PSA_KEY_TYPE_IS_DH(type)) {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY))
+ return libtestdriver1_mbedtls_psa_ffdh_import_key(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length, bits);
+#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ return mbedtls_psa_ffdh_import_key(
+ attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length, bits);
#endif
}
-
(void) data;
(void) data_length;
(void) key_buffer;
@@ -559,6 +588,21 @@ psa_status_t mbedtls_test_transparent_export_public_key(
attributes,
key_buffer, key_buffer_size,
data, data_size, data_length);
+#endif
+ } else if (PSA_KEY_TYPE_IS_DH(key_type)) {
+#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
+ (defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY))
+ return libtestdriver1_mbedtls_psa_export_ffdh_public_key(
+ (const libtestdriver1_psa_key_attributes_t *) attributes,
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ return mbedtls_psa_export_ffdh_public_key(
+ attributes,
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
#endif
}
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index 2656deb437..7f93496e7c 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -72,7 +72,7 @@ static int check_key_attributes_sanity(mbedtls_svc_key_id_t key)
psa_key_slot_number_t slot_number = 0xec94d4a5058a1a21;
psa_status_t status = psa_get_key_slot_number(&attributes, &slot_number);
if (lifetime_is_dynamic_secure_element(lifetime)) {
- /* Mbed Crypto currently always exposes the slot number to
+ /* Mbed TLS currently always exposes the slot number to
* applications. This is not mandated by the PSA specification
* and may change in future versions. */
TEST_EQUAL(status, 0);
@@ -295,7 +295,8 @@ static int exercise_signature_key(mbedtls_svc_key_id_t key,
psa_key_usage_t usage,
psa_algorithm_t alg)
{
- if (usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH)) {
+ if (usage & (PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH) &&
+ PSA_ALG_IS_SIGN_HASH(alg)) {
unsigned char payload[PSA_HASH_MAX_SIZE] = { 1 };
size_t payload_length = 16;
unsigned char signature[PSA_SIGNATURE_MAX_SIZE] = { 0 };
@@ -789,6 +790,12 @@ int mbedtls_test_psa_exported_key_sanity_check(
TEST_EQUAL(1 + 2 * PSA_BITS_TO_BYTES(bits), exported_length);
TEST_EQUAL(exported[0], 4);
}
+ } else
+ if (PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) || PSA_KEY_TYPE_IS_DH_KEY_PAIR(type)) {
+ TEST_ASSERT(exported_length ==
+ PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(type, bits));
+ TEST_ASSERT(exported_length <=
+ PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
} else {
(void) exported;
TEST_ASSERT(!"Sanity check not implemented for this key type");
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index e79d152b6f..e8bbc78d1e 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -21,6 +21,7 @@
*/
#include
+#include "md_psa.h"
#if defined(MBEDTLS_SSL_TLS_C)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
@@ -595,8 +596,7 @@ static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
if (cert->pkey != NULL) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(cert->pkey) == MBEDTLS_PK_OPAQUE) {
- mbedtls_svc_key_id_t *key_slot = cert->pkey->pk_ctx;
- psa_destroy_key(*key_slot);
+ psa_destroy_key(cert->pkey->priv_id);
}
#endif
mbedtls_pk_free(cert->pkey);
@@ -1201,7 +1201,7 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type(hash_id);
CHK(md_info != NULL);
#endif
- maclen = mbedtls_hash_info_get_size(hash_id);
+ maclen = mbedtls_md_get_size_from_type(hash_id);
CHK(maclen != 0);
/* Pick hash keys */
CHK((md0 = mbedtls_calloc(1, maclen)) != NULL);
@@ -1210,7 +1210,7 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(md1, 0x6, maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- alg = mbedtls_hash_info_psa_from_md(hash_id);
+ alg = mbedtls_md_psa_alg_from_type(hash_id);
CHK(alg != 0);
@@ -1502,7 +1502,7 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_algorithm_t psa_alg = mbedtls_hash_info_psa_from_md(
+ psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE);
size_t hash_size = 0;
psa_status_t status = psa_hash_compute(
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2bbd34a361..cfb0babb24 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11783,8 +11783,7 @@ run_test "TLS 1.3: Client authentication, client alg not in server list - ope
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "no suitable signature algorithm" \
- -C "unknown pk type"
+ -c "no suitable signature algorithm"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
@@ -11801,8 +11800,7 @@ run_test "TLS 1.3: Client authentication, client alg not in server list - gnu
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "no suitable signature algorithm" \
- -C "unknown pk type"
+ -c "no suitable signature algorithm"
# Test using an opaque private key for client authentication
requires_openssl_tls1_3
@@ -12055,8 +12053,7 @@ run_test "TLS 1.3: Client authentication - opaque key, client alg not in serv
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "no suitable signature algorithm" \
- -C "unkown pk type"
+ -c "no suitable signature algorithm"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
@@ -12074,8 +12071,7 @@ run_test "TLS 1.3: Client authentication - opaque key, client alg not in serv
-c "got a certificate request" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
-c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
- -c "no suitable signature algorithm" \
- -C "unkown pk type"
+ -c "no suitable signature algorithm"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index 53aa002ce6..81a3a45317 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
@@ -562,6 +562,26 @@ exit:
}
/* END_CASE */
+/* BEGIN_CASE */
+void mpi_core_shift_l(char *input, int count, char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *Y = NULL;
+ size_t limbs, n;
+
+ TEST_EQUAL(0, mbedtls_test_read_mpi_core(&X, &limbs, input));
+ TEST_EQUAL(0, mbedtls_test_read_mpi_core(&Y, &n, result));
+ TEST_EQUAL(limbs, n);
+
+ mbedtls_mpi_core_shift_l(X, limbs, count);
+ ASSERT_COMPARE(X, limbs * ciL, Y, limbs * ciL);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(Y);
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void mpi_core_add_and_add_if(char *input_A, char *input_B,
char *input_S, int carry)
diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function
index 985d482ebe..9ee372b5f9 100644
--- a/tests/suites/test_suite_constant_time_hmac.function
+++ b/tests/suites/test_suite_constant_time_hmac.function
@@ -3,7 +3,7 @@
#include
#include
#include
-#include
+#include "md_psa.h"
#include
/* END_HEADER */
@@ -28,7 +28,7 @@ void ssl_cf_hmac(int hash)
size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
unsigned char add_data[13];
- unsigned char ref_out[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char ref_out[MBEDTLS_MD_MAX_SIZE];
unsigned char *data = NULL;
unsigned char *out = NULL;
unsigned char rec_num = 0;
@@ -36,7 +36,7 @@ void ssl_cf_hmac(int hash)
USE_PSA_INIT();
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- alg = PSA_ALG_HMAC(mbedtls_hash_info_psa_from_md(hash));
+ alg = PSA_ALG_HMAC(mbedtls_md_psa_alg_from_type(hash));
out_len = PSA_HASH_LENGTH(alg);
block_size = PSA_HASH_BLOCK_LENGTH(alg);
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index da91f44546..b9610406bb 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -167,11 +167,11 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line,
mbedtls_ssl_config conf;
struct buffer_data buffer;
- MD_PSA_INIT();
-
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&crt);
+ MD_OR_USE_PSA_INIT();
+
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
@@ -193,7 +193,7 @@ exit:
mbedtls_x509_crt_free(&crt);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
- MD_PSA_DONE();
+ MD_OR_USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function
index 60bb6c2d2b..f16a6d4134 100644
--- a/tests/suites/test_suite_ecdsa.function
+++ b/tests/suites/test_suite_ecdsa.function
@@ -1,6 +1,5 @@
/* BEGIN_HEADER */
#include "mbedtls/ecdsa.h"
-#include "hash_info.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -15,7 +14,7 @@ void ecdsa_prim_zero(int id)
mbedtls_ecp_point Q;
mbedtls_mpi d, r, s;
mbedtls_test_rnd_pseudo_info rnd_info;
- unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char buf[MBEDTLS_MD_MAX_SIZE];
mbedtls_ecp_group_init(&grp);
mbedtls_ecp_point_init(&Q);
@@ -47,7 +46,7 @@ void ecdsa_prim_random(int id)
mbedtls_ecp_point Q;
mbedtls_mpi d, r, s;
mbedtls_test_rnd_pseudo_info rnd_info;
- unsigned char buf[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char buf[MBEDTLS_MD_MAX_SIZE];
mbedtls_ecp_group_init(&grp);
mbedtls_ecp_point_init(&Q);
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 1f6dfc11d4..030cd464c7 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -1026,3 +1026,747 @@ ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_C
ecp_setup_negative_test #28 Invalid Curve Type
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_NONE:MBEDTLS_ECP_MOD_SCALAR:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+# The following data be generated by random.getrandbits() in python must less than the named curves' modulus.
+# mbedtls_mpi_mod_residue_setup() can be used to check whether it satisfy the requirements.
+ecp_mul_inv #1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_mul_inv:"0000000000000000000000000000152d02c7e14af67fe0bf":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #2 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_mul_inv:"4acca2d7100bad687080217babfb490d23dd6460a0007f24":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #3 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_mul_inv:"c4fd9a06df9b4efa94531578af8b5886ec0ada82884199f7":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #4 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_mul_inv:"f9c4728bef9fba3e7d856a8e2ff62f20c2a57bf64f6d707f0829a8ff":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #5 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_mul_inv:"cee8071ade3e016fd47627782f6543814dd6ab7e6f432679ddacf9ed":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #6 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_mul_inv:"326258467dcbf4d1ab1665a4c5036cb35f4c9231199b58166b3966c6":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #7 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_mul_inv:"c36eadeab80f149cd51a1ed6311270ae2e4acc6734e787135f499c3a97f1edc3":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #8 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_mul_inv:"e384042f3130be8a796b221724cf1127a44290804cfbeb7fb6f57142a2a5cddd":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #9 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_mul_inv:"f1d356376f03b5dbf0fd08bde5c4293115f7c7911f7a3ec3f90557602eb20147":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #10 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_mul_inv:"a3137cd9b0c9e75a871f92e3ab6b284069ee06cd9c0afb2368fd8d381afcfecc553cb6b3f29216038d268a8d8fcd00f7":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #11 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_mul_inv:"a340ca2e1f39f89261f20a23881cde271e36b32add90cbc1801d2375d6db664df297df2364aaafbb9ba3d4672e4fd022":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #12 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_mul_inv:"491b1d169c9262fd737847c13bb7370d91825fe985cfa000d4b9bd3c22e7b63016122c53156fae4757943a819a1ced6d":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #13 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_mul_inv:"1477156c589f498b61beb35f57662410d8821f3a1ee4a5968a8009618dbe4afda408809822eb0e994fbf9da1659c1ea21b151db97cd1f1567fa4b9327967e0aa591":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_mul_inv:"158dd0fdd801513590d221009f2b6c212f2b30214cc3b1f80aaf9142dc9f328c8e2b0af83e1acdb102d85f287d77188c2b8e7911cf9452f5014966f28da330e1fa6":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #15 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_mul_inv:"1e53d580521a1cff4cd72576c13fecb2cbcf39453f2b437f0c8dc78d7982a37749f099942ce693751ec43407c3acf46315132ea2a9ae5fa9253408da2375d2b58fc":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #16 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"96e729c5c64b7f54375c2779f034acc1f32c26358a621ab421b9c4d4c11ddb28":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #17 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"7491ad896c2a0ec65950db5c91e9b573a77839fd576481da85f5a77c7ceccce0":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #18 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"8d9454c7494b6e08d068391c811cb23cbe9318246a6c021b0018745eb6918751":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #19 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"3aff86b1ee706d38e4995b76f6433d9173c5d3ec19b43ff0a3d53ac20965c911":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #20 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"8bcf768f2f7d6d22133de97f5e463337ff030e662d6f6724d5bad27e27be5dc0":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #21 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_mul_inv:"435ed5da780b83a0130fc8f03e8e224d5bb4ae2eeeba214b8156544c4ae85944":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #22 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"4003a648cfeda3a738a3e05933c6ce5098ab6dc943821cfc485f8991caaba99979ced9bb237c6b24997db8359a4a659f":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #23 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"62b4355dc4cc6d76fc1633c46222c6ad5efaf6de931f0d25217d3dcebfd443fec31eeba68688717275a039863d03a48b":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #24 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"80acca473c3fcee61d13a0a766ed0dcd5f50277f576ff6f3461664d436e2054ad7ecc8b7c0a9424fbda1d431c540c05a":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #25 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"371851bd69a5a1734b195c6ad6b041f51d94718cb437ab4a0a14ee5fa5fccd29328f3e77bfa2e4c58195ccb55cdc6a4":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #26 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"82b18c3794463edeb80760098f7d392569dde6ed5ec21753b66e4e9b79e2f3e89bfc9fea1a2ffda2c285a0cc4afeab0":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #27 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_mul_inv:"7c17dc9df00c870a701c07186bd74b752abb6a9e17ee1c6342403e75d6fa7431b32e2495eb3f5e67c6519b43c6f69e28":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #28 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"27e445caeb0d6752bd051f36a6d21ccdf67ba9b8238f2552aba237c3c72f3d384e7df2a25f95b779c7f38a4123741e2c691c4d5b87b231e4a98ecb9166a73674":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #29 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"7b1dc9c166abbcd7a1a6b1ec375a3125aa3257d1d40e781f1ac9023dba4248415aa0eaea6fa8ce460f85fdae3f62fbb4bdcb953328f5d5664b71f70f681c0f4e":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #30 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"8be202ecb80ae3f6fe07a17b03c14997668b37d029d38943245c8a6cd1cbce3d57cfc673886a22db7ab8686570881a5dc1d9855aa6618c52df55a04510e00bba":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_mul_inv #31 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"572a5522bc45566df4c7575b91fdbc74975fd59380339b5aa23cbce2204744793ca3255705f5d9ba48335f36baf462010680f1e35cca26468d7d8f4223988189":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #32 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"99c2751d157489ab961a7bf1be12c8575cc56c99c6db8e2273450f6332ecdd3cd9b33763acd0509d8b98250462319bfd7cfbfc87c99ce31c15cefab651bc088c":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #33 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_mul_inv:"3169122b79ab7add228eed5b4de336dcb5daae8136b5cb184c08752d727c954840f8e2ad6860245128f6931a4598578679a65aa6e4b138a349586c57d03d2216":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #34 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_mul_inv:"1000000000000000000000000000000014def9dea2079cd65812631a5cf5d3ed":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #35 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_mul_inv:"1000000000000000000000000000000010caf49570936f75d70f03efac6c1c19":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #36 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_mul_inv:"468de1bfdbb20b67371bc5ad0f2bc3e70705b6d85c14ad75daafdbd1502cfd1":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #37 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_mul_inv:"2228b202d612f2e66d8ca00b7e1c19a737ee7db2708d91cd":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #38 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_mul_inv:"40c0451d06b0d622c65b8336c4c9abe8828f6fd5d5c1abde":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #39 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_mul_inv:"d2a10413f48d7bcc18a9b7c53c7914c5302c9c9e48b2eb62":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+# Public values of secp224K1 have 225 bits, if we randomly generate only 224 bits, we should add the leading '0'
+# to make the limbs match with each other and make the function mbedtls_mpi_mod_residue_setup() happy.
+ecp_mul_inv #40 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"0cc154fe846d6b9f51d6166a8d1bb969ff634ab9af95cc89d01669c86":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #40.1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"1000000000000000000000000000075ea446a83291f5136799781cfbd":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #41 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"0614cf6b720cc9dcc6d3bb36bb46cf285e23a083b067be8c93b51cbb4":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #41.1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"1000000000000000000000000000059232050dc913da533ec71073ce3":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #42 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"071b3a40f3e2b8984e8cc238b7725870da10cb2de37f430da2da68645":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #42.1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_mul_inv:"10000000000000000000000000000aca628de662cdbd5cb4dc69efbb8":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #43 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_mul_inv:"9fd95fed98cc1c2ef91b5dc02fa84f63597e15a3326c07f2918afb3ffd093343":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #44 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_mul_inv:"5ddbd441c7037e11caaa9878216c5cfeae67864260429eab4529b56c2661f3de":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #45 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_mul_inv:"f8d3f3c02fd712f711d8e30d0d4c142eb106e5f75c25f55b3f983bc5c83c568a":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #46 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_mul_inv:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff11ca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #47 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_mul_inv:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff0169d3f35081924aeaf1beac2f2720557c9bdf6b42cdceb54c6160ba":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_mul_inv #48 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_mul_inv:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff01243a939d867d7e0a75a8568d4d66de88f3ecc1ad37f91a8f9d7d70":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library,
+# initialised with seed(2,2) and random.getrandbits(curve bits). Curve bits are 192,256,384,520.
+# They must be less than the named curves' modulus. mbedtls_mpi_mod_residue_setup()
+# can be used to check whether they satisfy the requirements.
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #1.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_add_sub:"ffffffffffffffffffffffff99def836146bc9b1b4d22830":"ffffffffffffffffffffffff99def836146bc9b1b4d2282f":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_add_sub:"177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973":"cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #2 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_add_sub:"3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f":"ffed9235288bc781ae66267594c9c9500925e4749b575bd1":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #3 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_add_sub:"dc38f519b91751dacdbd47d364be8049a372db8f6e405d93":"ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #4.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_add_sub:"ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3c":"ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3b":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #4 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_add_sub:"706a045defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2":"6c71c4a66148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb9":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #5 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_add_sub:"3c7295782d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c5055":"829a48d422fe99a22c70501e533c91352d3d854e061b90303b08c6e3":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #6 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_add_sub:"2e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f15c14bc4a829e07b0":"867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2fec3f6b3":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #7.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_add_sub:"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632550":"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #7 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_add_sub:"5ca495fa5a91c89b97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561":"665d7435c1066932f4767f26294365b2721dea3bf63f23d0dbe53fcafb2147df":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #8 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_add_sub:"47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2bd143fa9b714210c":"a9643a295a9ac6decbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #9 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_add_sub:"b9d39cca91551e8259cc60b17604e4b4e73695c3e652c71a74667bffe202849d":"f0caeef038c89b38a8acb5137c9260dc74e088a9b9492f258ebdbfe3eb9ac688":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #10.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_add_sub:"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52972":"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52971":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #10 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_add_sub:"7ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6e06f291b2a838af8d5c44a4eb3172062d08f1bb2531d6460":"9da59b74a6c3181c81e220df848b1df78feb994a81167346d4c0dca8b4c9e755cc9c3adcf515a8234da4daeb4f3f8777":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #11 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_add_sub:"e1cf4f589f8e4ce0af29d115ef24bd625dd961e6830b54fa7d28f93435339774bb1e386c4fd5079e681b8f5896838b76":"1b2d19a2beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd0227eeb7b9d7d01f5769da05d205bbfcc8c69069134bccd3":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #12 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_add_sub:"c11e60de1b343f52ea748db9e020307aaeb6db2c3a038a709779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a8":"e5e138e26c4454b90f756132e16dce72f18e859835e1f291d322a7353ead4efe440e2b4fda9c025a22f1a83185b98f5f":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #13.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_add_sub:"01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408":"01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386407":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #13 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_add_sub:"1ba0a76c196067cfdcb11457d9cf45e2fa01d7f4275153924800600571fac3a5b263fdf57cd2c0064975c3747465cc36c270e8a35b10828d569c268a20eb78ac332":"1cb0b0c995e96e6bc4d62b47204007ee4fab105d83e85e951862f0981aebc1b00d92838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da70569c018eb2b5693":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_add_sub:"177d1f71575653a45c49390aa51cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71581d8e830112ff0f0948eccaf8877acf26c377c13f719726fd70bdda":"1f5790813e32748dd1db4917fc09f20dbb0dcc93f0e66dfe717c17313394391b6e2e6eacb0f0bb7be72bd6d25009aeb7fa0c4169b148d2f527e72daf0a54ef25c07":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #15 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_add_sub:"164c7f3860895bfa81384ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1a1fe3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccd":"1f58ed5d1b7b310b730049dd332a73fa0b26b75196cf87eb8a09b27ec714307c68c425424a1574f1eedf5b0f16cdfdb839424d201e653f53d6883ca1c107ca6e706":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #16.0 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5376":"a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5375":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+# The following data was generated using python's standard random library,
+# initialised with seed(3,2) and random.getrandbits(curve bits). Curve bits are 256,384,512.
+ecp_add_sub #16 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"795b929e9a9a80fdea7b5bf55eb561a4216363698b529b4a97b750923ceb3ffd":"781f9c58d6645fa9e8a8529f035efa259b08923d10c67fd994b2b8fda02f34a6":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #17 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"8a7d43b578633074b7970386fee29476311624273bfd1d338d0038ec42650644":"3b5f3d86268ecc45dc6bf1e1a399f82a65aa9c8279f248b08cb4a0d7d6225675":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #18 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"3e0a813bdc2ae9963d2e49085ef3430ed038db4de38378426d0b944a2863a7f":"af438d297524d6af51e8722c21b609228ce6f2410645d51c6f8da3eabe19f58":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #19.0 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a6":"a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a5":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #19 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"984181177906159644f9794cdd933160d2d5844307f062cec7b317d94d1fe09f":"6d4b9adbebcd1f5ec9c18070b6d13089633a50eee0f9e038eb8f624fb804d820":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #20 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"2257989fef829c88f6ced90a71d2af7293b05a04cd085b71ba6676b3651c5253":"420b0ebe378c74dc7eb0adf422cedafb092fdddf18f2c41c5d92b243e0fd67dd":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #21 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_add_sub:"6bd0638b4d100d8fdaf0105ba06c05a1c76abf436fa84dcaac0ae4e2f729b4c8":"6856e45b95c76ab488bafad959d5450592f3277b62c82185d55ec1a581daad10":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #22.0 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec52":"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec51":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #22 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"4a5792b26aba54efa25994fc58aaac8176f7f138456bb11bd997c6f7cb3a88f684b5b4de4abcc4e46bd881fd21334eb0":"454608a5737b6ed79182c3c8e288b16437d02410a675a109bdf84ab55632a44614777e962b56363cf5efd434db045aae":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #23 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"439e7fa9987aa6bdd805f5d25e80dfffc2134f15500b2f292f6c48f65d2c29382d6b76db51ed2f1599f8eee797b9580f":"21a4cadebc344f4baf091db491bae46af8abffd606e44edfd0247e4cc5b3b5d31ad8df8e608d9499c98c9e514ce74654":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #24 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"7d500f7cbcefd0a747679714b4fab1019bde81635a427c37ead6b3cbade562bc5a58b185775c303c551b7f9da0996d52":"4c736db374d0df35a0c2995f40498cb35e819615f69b31ce0570ceeead0faadaf47076520f81f60c96e1689405adc011":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #25.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046564":"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046563":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #25 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"1aa4b64091b1078e926baeafe79a27e68ab12c32f6f22f41538e504edc52bdcab2d87d5e29c0e596b2109307abd8952c":"846008638daf051b79e4444ed6897d8fc5ab8f2f33dc30a8f1233c76f31b6928298956cfca65f8e9f66ad57e1464134":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #26 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"7b6471e2103ef3c21fdaf62548f2f8ed445fad2a92d3043afcf249f3d4e441c3a20ab57c360c4979a7cf94d7b6bcb64f":"897897da86640cb0051490eaa9b38f203d3221cc4cc576f280d0dfba2bfc7ffd1eeda989becbde017b25f34a035d7017":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #27 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_add_sub:"526ef7026988f4fe5a8181b691406be110d7c25ccf3d0b35815a3d516a91f397bc73a83fd63ed5ba385ac4bda9bf98c":"8a7db67fdc960f12f8d45cb940a230e6201a95cc5762e3571d140ed89cb6c63de9bfec51f06516210da1920569eb8cb4":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #28.0 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f2":"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f1":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #28 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"46150f34caab02c83d4d071b2bda77121e84949cd11a8404e33c37f188ddf9181f49e090328475a738868e9b5a124b1d0fb5d240c846756acfc1d5507a299d74":"4ca44e40943e5a2248d4a701f3d13a7bb243f13dd61005357b5f2ea9ac6cc64e1d76f9d1d80caa4d068508d51f0c6f07da305f2cd76ee016576b7da1060344bf":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #29 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"3f8de0e1457a46a7c1a9425a0cc8557466789723dcd06050922631c6a0ec66f37ccce34401ebd454ebb679b4d2d0d09720e469aace595c72e3bf018debf8e3d9":"a2fd39d9615906a78a943011c859e78da6782c0b9abc3e5b75f828935f8eec2c0aff87582db5db0591157d5f1474683acb984da361574803b9191d5cb74e9504":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_add_sub #30 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"125fdb0f50884d442833e1d550de93987d7015fc808aefcf83f18d61160c7c39b674c4f4dabd2a4c08736a21f985732a7b99a1261183c1860cc1e0331fe78154":"6b153e7ab1b20f01f34624556ba6cc6d50a078d8b3effcadc29237ff7f03ca9ea0a0304d5f56ed310d95a7016e7ceb10e2f416a79f781c980b1ed724cd18e1a9":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #31.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90068":"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90067":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #31 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"8da65a44ef3f7a401993edb1bfbc2a588df13f021b538e133d019261b7149706876cfe7c82e63e71904a896fc4758a8dff09f0150948f14b16baa014cc7ab32f":"731323ee13201b6215fa8a36d04d65c3974f6606cc57efacd9a68b4125321dc9703d20db1f69af34524ab0a892ca38f37f961cd3ebdc77a0496be3975f99ac4":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #32 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"3c3a447d80144a61601545c415508f3cf76060ee6b104fc58e7fdffb59ac3e68f052e38f658a2d349975c9765e129a3740bdcb7464cb7c6cf14fc8f2c0e836c4":"2331df8142351e6ec69ae2d6308b24cbe3e255b43df9ba79411171b4da97fa8037a5ae35f56e539311bb4e07ace3ca83c6ff46a4b7ba6c95a5f3b3fa3c1a7547":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #33 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_add_sub:"71bf2f08e9f7f9da70376bad2555e5ee6d966bcd5a91d4c949cc37677d2519b34ac7eb999581b2eb394c3b17ac666bfb292c157fdc0754a6b1d5f0224c3a235":"174907806c5d14842eea9771503c14af0b869300dd771fce2b72143f41483337ef0bfa78e656abc109691290dbcceb43acd62c6ab46977d09f355e742feb67af":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #34.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_add_sub:"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ec":"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3eb":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library,
+# initialised with seed(4,2) and random.getrandbits(curve bits). Curve bits are 128,254,192,256,448.
+ecp_add_sub #34 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_add_sub:"01710cf527ac435a7a97c643656412a9b8a1abcd1a6916c74da4f9fc3c6da5d7":"0fd72445ccea71ff4a14876aeaff1a098ca5996666ceab360512bd1311072231":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #35 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_add_sub:"10000000000000000000000000000000110a8010ce80c4b0a4042bb3d4341aad":"1000000000000000000000000000000010a8c61e3184ff27459142deccea2645":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #36 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_add_sub:"0c79d67946d4ac7a5c3902b38963dc6e8534f45738d048ec0f1099c6c3e1b258":"0690526ed6f0b09f165c8ce36e2f24b43000de01b2ed40ed3addccb2c33be0a":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #37.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_add_sub:"fffffffffffffffffffffffe26f2fc170f69466a74defd8c":"fffffffffffffffffffffffe26f2fc170f69466a74defd8b":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #37 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_add_sub:"f5ff0c03bb5d7385de08caa1a08179104a25e4664f5253a0":"f1cfd99216df648647adec26793d0e453f5082492d83a823":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #38 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_add_sub:"d8441b5616332aca5f552773e14b0190d93936e1daca3c06":"d7288ff68c320f89f1347e0cdd905ecfd160c5d0ef412ed6":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #39 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_add_sub:"3fb62d2c81862fc9634f806fabf4a07c566002249b191bf4":"b474c7e89286a1754abcb06ae8abb93f01d89a024cdce7a6":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #40.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_add_sub:"10000000000000000000000000001dce8d2ec6184caf0a971769fb1f6":"10000000000000000000000000001dce8d2ec6184caf0a971769fb1f5":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #40 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_add_sub:"069f85e3131f3b9238224b122c3e4a892d9196ada4fcfa583e1df8af9":"0a5e333cb88dcf94384d4cd1f47ca7883ff5a52f1a05885ac7671863c":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #41 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_add_sub:"03bb4a570294c4ea3738d243a6e58d5ca49c7b59b995253fd6c79a3de":"032111ac1ac7cc4a4ff4dab102522d53857c49391b36cc9aa78a330a1":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #42 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_add_sub:"00bdbc23a14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb38":"070ef55b1a1f65507a2909cb633e238b4e9dd38b869ace91311021c9e":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #42.1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_add_sub:"100000000000000000000000000006f985b17b9662f0733c846bbe9e8":"10000000000000000000000000000a26a52175b7a96b98b5fbf37a2be":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #43.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_add_sub:"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140":"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd036413f":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #43 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_add_sub:"5b69dc230af5ac870692b534758240df4a7a03052d733dcdef40af2e54c0ce68":"acdac615bc20f6264922b9ccf469aef8f6e7d078e55b85dd1525f363b281b888":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #44 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_add_sub:"b54a23020fc5b043d6e4a51519d9c9cc52d32377e78131c132decd6b8efbc170":"272515cdf74c381652595daf49fbac3652a3b18104a7f00753be4721f5b9e1f5":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #45 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_add_sub:"1f44ebd13cc75f3edcb285f89d8cf4d4950b16ffc3e1ac3b4708d9893a973000":"ae17584a9ed9c621de97faf0f17ca82cdc82f2526911c9dda6e46653c676176a":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+# Use the test data "modulus - 1" and "modulus - 2" to ensure the sum overflow case be tested.
+ecp_add_sub #46.0 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_add_sub:"00000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f2":"00000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f1":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #46 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_add_sub:"0000000000000003f28adf9f6396ae3994b971761b2ceba40031ad622ed93874ac034cf71b34e47e4e2aafd310096249e2387a54b1cef3913e7d611d163b764":"0000000000000003f924aec4a53583bff4788955cdb7f4ccde9d231c8a38e7b5d7d255f2b68beef746ccfcd0b77d43a5d02db430267ce8c92b607d554d08ce6":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #47 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_add_sub:"0000000000000003f9874f82b2df98dbcb3fd500e2637300fecf10e0f30e0051d1615ad353a09cfeaa1b2956c8826ec350d775dfb53e13d7077b81d18dbb0c1":"0000000000000003fd5b8c21f4d4cc5091b5ffbff651b9052496e1e3fc24ec0952989c17d9c649a8bd5bb710a77ec0c9b44baf5264ed787f87a7976ad448abd":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_add_sub #48 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_add_sub:"0000000000000003f7defb1691e8e3b705620733deaaddd33a760e17a4e9ba333445533fcd71d42a6d00e3468c946b0ff353728c6173d944afbfae4877c606f":"0000000000000003f96c1d081a3cfe300dc4c27fa2ebbc37396957d4bf81156d86b88de3a9312ca5be57d93fa3549b71895aa36bd5231f38146a2f0970425b":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library,
+# initialised with seed(6,2) and random.getrandbits(curve bits). Curve bits are 192,224,256,384,520.
+# They must be less than the named curves' modulus. mbedtls_mpi_mod_residue_setup()
+# can be used to check whether they satisfy the requirements.
+ecp_read_write #1 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_read_write:"c320a4737c2b3abe14a03569d26b949692e5dfe8cb1855fe":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #2 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_read_write:"9623d7cfa9ae7a34254499c7001d9a88096d373742f9a039":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #3 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_read_write:"df5ca32ebad5ccc232b7228fcd4a55577d24b39645cf8aa4059a91e1":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #4 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_read_write:"c527e27951c342505f877031bc1e3ac1c27db4ecf72c2c2678629522":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #7 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_read_write:"903c2ac9316774fe181e290aae9af1698a0c510089ce5ef7e91b4ad169fc5360":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #8 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_read_write:"9c2c0ac2cda95957a9b3d1a243f9300cba98666ace1c9c17b313fc7e8db9b92c":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #10 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_read_write:"401fe4fcce06294d68f22599ccdf540b5cb53ec017d7ab26fd80206055e8b3eb6cb9185ed822e2f9168e5087af895f5b":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #11 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_read_write:"bb1e330f38d2e6418f918e24a8b0188cbe19514a28a0aaab3642b1932793637c16cf5c51801fd9ab31a5bf371f970cf":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #13 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_read_write:"1477156c589f498b61beb35f57662410d8821f3a1ee4a5968a8009618dbe4afda408809822eb0e994fbf9da1659c1ea21b151db97cd1f1567fa4b9327967e0aa591":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_read_write:"158dd0fdd801513590d221009f2b6c212f2b30214cc3b1f80aaf9142dc9f328c8e2b0af83e1acdb102d85f287d77188c2b8e7911cf9452f5014966f28da330e1fa6":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library,
+# initialised with seed(7,2) and random.getrandbits(curve bits). Curve bits are 256,384,512.
+ecp_read_write #15 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_read_write:"6b4cb2424a23d5962217beaddbc496cb8e81973e0becd7b03898d190f9ebdacc":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #16 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_read_write:"36f675cc81e74ef5e8e25d940ed904759531985d5d9dc9f81818e811892f902b":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #17 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_read_write:"8d116ece1738f7d93d9c172411e20b8f6b0d549b6f03675a1600a35a099950d8":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #18 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_read_write:"a170b33839263059f28c105d1fb17c2390c192cfd3ac94af0f21ddb66cad4a26":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #19 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_read_write:"7f15052434b9b5df9e7769b10f4205b4907a70c31012f037b64ce4228c38fb2918f135d25f557203301850c5a38fd547":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #20 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_read_write:"3f98e2774cbd87ad5c90a9587403e430ec66a78795e761d17731af10506bf2efc6f877186d76b07e881ed162ae2eb154":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #21 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_read_write:"57ee05cde00902c77ebff206867347214cdd2055930d6eaf14f4733f3e7d1bfbc7a2ea20b2f14c942e05319acb5c7427":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #22 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_read_write:"5790f82ec1d3fcff2a3af4d46b0a18e8830e07bc1e398f1012bd4acefaecbd389be4bcfc49b64a0872e6cc3ababced20":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #23 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_read_write:"57ee05cde00902c77ebff206867347214cdd2055930d6eaf14f4733f3e7d1bfbc7a2ea20b2f14c942e05319acb5c74273f98e2774cbd87ad5c90a9587403e430":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #24 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_read_write:"6bf46c697d2caf82eeeacbe226e875555790f82ec1d3fcff2a3af4d46b0a18e8830e07bc1e398f1012bd4acefaecbd389be4bcfc49b64a0872e6cc3ababced20":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_read_write #25 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_read_write:"7f26144b98289fcd59a54a7bb1fee08f571242425051c1ccd17f9acae01f5057ca02135e92b1d3f28ede0d7ac3baea9e13deef86ab1031d0f646e1f40a097c97":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #26 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_read_write:"4f426dcbb394fb36bb2d420f0f88080b10a3d6b2aa05e11ab2715945795e8229451abd81f1d69ed617f5e837d70820fe119a72d174c9df6acc011cdd9474031b":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library,
+# initialised with seed(8,2) and random.getrandbits(252).
+ecp_read_write #27 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_read_write:"00b3510bb46ee1da317017a6205738d16018366cf658f7a75ed34fe53a096533":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated using python's standard random library random.getrandbits(252).
+ecp_read_write #28 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_read_write:"06694f22359b154881a0d5b3ffc6e35ccfaf00103f584ad4230824d215ceb3a1":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+# The least 122 bits were generated by random.getrandbits(122)
+ecp_read_write #29 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_read_write:"1000000000000000000000000000000011f319877589ca4a07c15471a4517d6c":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated by random.getrandbits(192).
+ecp_read_write #30 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_read_write:"e5b8063831360a4092b850ad7eb72f8263f65da874007cb4":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #31 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_read_write:"c24f6aa83bf36a147c2f7ad016edc5d467164890d49d0ac1":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated by random.getrandbits(224).
+ecp_read_write #32 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_read_write:"0e6edaf80796d3bc4685ca8af852a5fba444adf42b37f5722051e2670":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #33 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_read_write:"018dff3934223aa56a9b7e3ea1d1d784fb9db434b610b1631e941aa79":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+# The least 112 bits were generated by random.getrandbits(112)
+ecp_read_write #34 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_read_write:"1000000000000000000000000000162e910269470d0718c1afdd9a78d":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+# The following data was generated by random.getrandbits(256).
+ecp_read_write #35 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_read_write:"3c02e56756a3e9570edca4eca92d04a31b941f4360908405d45c39a39ec353c1":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #36 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_read_write:"353a0106e6c08269844dbc0ca65423a9e744b24e7f61701e1607b1c4b0f91306":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+# The least 440 bits were generated by random.getrandbits(440)
+ecp_read_write #37 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_read_write:"000000000000003fdc3d71f22ff5fd25f0f21231a06a7cb3aa75ab7d1944ff09974b85f2306d4a8a2ad16e107ac8069b51c6322463278ecef2d30194df943c":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_read_write #38 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_read_write:"000000000000003f9fbd8780ed55037ea03260d7ef27bba4d70dfcf3332eb05b6659eab3bfcd5d50545214b0afb81e8824918818fd64f799ef936ac3a8db56":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #1 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #2 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #3 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #4 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #5 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #6 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #7 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #8 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #9 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #10 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #11 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #12 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #13 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #15 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #16 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #17 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #18 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #19 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #20 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #21 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #22 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #23 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_COORDINATE
+
+ecp_random #24 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR
+
+ecp_random #25 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_random:MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_COORDINATE
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index f034d6fc81..bd0fcf2f18 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -7,6 +7,7 @@
#include "bignum_core.h"
#include "ecp_invasive.h"
#include "bignum_mod_raw_invasive.h"
+#include "constant_time_internal.h"
#define ECP_PF_UNKNOWN -1
@@ -1086,7 +1087,7 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBBEDTLS_ECP_C */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBEDTLS_ECP_LIGHT */
void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected)
{
mbedtls_test_rnd_buf_info rnd_info;
@@ -1327,6 +1328,34 @@ void ecp_mod_p_generic_raw(int curve_id,
curve_bits = 522;
curve_func = &mbedtls_ecp_mod_p521_raw;
break;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ limbs = 2 * limbs_N;
+ curve_bits = 192;
+ curve_func = &mbedtls_ecp_mod_p192k1_raw;
+ break;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ limbs = 448 / biL;
+ curve_bits = 224;
+ curve_func = &mbedtls_ecp_mod_p224k1_raw;
+ break;
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ limbs = 2 * limbs_N;
+ curve_bits = 256;
+ curve_func = &mbedtls_ecp_mod_p256k1_raw;
+ break;
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ limbs = 2 * limbs_N;
+ curve_bits = 255;
+ curve_func = &mbedtls_ecp_mod_p255_raw;
+ break;
#endif
default:
mbedtls_test_fail("Unsupported curve_id", __LINE__, __FILE__);
@@ -1355,123 +1384,6 @@ exit:
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP192K1_ENABLED */
-void ecp_mod_p192k1(char *input_N,
- char *input_X,
- char *result)
-{
- mbedtls_mpi X;
- mbedtls_mpi N;
- mbedtls_mpi res;
-
- mbedtls_mpi_init(&X);
- mbedtls_mpi_init(&N);
- mbedtls_mpi_init(&res);
-
- TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0);
-
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n));
-
- size_t limbs = N.n;
- size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
-
- TEST_EQUAL(X.n, 2 * limbs);
- TEST_EQUAL(res.n, limbs);
-
- TEST_EQUAL(mbedtls_ecp_mod_p192k1(&X), 0);
- TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0);
- TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 192);
- ASSERT_COMPARE(X.p, bytes, res.p, bytes);
-
-exit:
- mbedtls_mpi_free(&X);
- mbedtls_mpi_free(&N);
- mbedtls_mpi_free(&res);
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP224K1_ENABLED */
-void ecp_mod_p224k1(char *input_N,
- char *input_X,
- char *result)
-{
- mbedtls_mpi X;
- mbedtls_mpi N;
- mbedtls_mpi res;
-
- mbedtls_mpi_init(&X);
- mbedtls_mpi_init(&N);
- mbedtls_mpi_init(&res);
-
- TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0);
-
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n));
-
- size_t limbs = N.n;
- size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
-
- TEST_LE_U(X.n, 448 / biL);
- TEST_EQUAL(res.n, limbs);
-
- TEST_EQUAL(mbedtls_ecp_mod_p224k1(&X), 0);
- TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0);
- TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 224);
- ASSERT_COMPARE(X.p, bytes, res.p, bytes);
-
-exit:
- mbedtls_mpi_free(&X);
- mbedtls_mpi_free(&N);
- mbedtls_mpi_free(&res);
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-void ecp_mod_p256k1(char *input_N,
- char *input_X,
- char *result)
-{
- mbedtls_mpi X;
- mbedtls_mpi N;
- mbedtls_mpi res;
-
- mbedtls_mpi_init(&X);
- mbedtls_mpi_init(&N);
- mbedtls_mpi_init(&res);
-
- TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0);
- TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0);
-
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n));
- TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n));
-
- size_t limbs = N.n;
- size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
-
- TEST_LE_U(X.n, 2 * limbs);
- TEST_EQUAL(res.n, limbs);
-
- TEST_EQUAL(mbedtls_ecp_mod_p256k1(&X), 0);
- TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0);
- TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 256);
- ASSERT_COMPARE(X.p, bytes, res.p, bytes);
-
-exit:
- mbedtls_mpi_free(&X);
- mbedtls_mpi_free(&N);
- mbedtls_mpi_free(&res);
-}
-/* END_CASE */
-
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_CURVE448_ENABLED */
void ecp_mod_p448(char *input_N,
char *input_X,
@@ -1499,7 +1411,7 @@ void ecp_mod_p448(char *input_N,
TEST_LE_U(X.n, 2 * limbs);
TEST_EQUAL(res.n, limbs);
- TEST_EQUAL(mbedtls_ecp_mod_p448(&X), 0);
+ TEST_EQUAL(mbedtls_ecp_mod_p448(X.p, X.n), 0);
TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0);
TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 448);
ASSERT_COMPARE(X.p, bytes, res.p, bytes);
@@ -1550,3 +1462,202 @@ exit:
mbedtls_free(p);
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_mul_inv(char *input_A, int id, int ctype)
+{
+ size_t limbs;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue rA; // For input
+ mbedtls_mpi_mod_residue rA_inverse; // For inverse input
+ mbedtls_mpi_mod_residue rX; // For result
+ mbedtls_mpi_uint *rX_raw = NULL;
+ mbedtls_mpi_uint *A_inverse = NULL;
+ mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *bufx = NULL;
+ const mbedtls_mpi_uint one[1] = { 1 };
+
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_ASSERT(mbedtls_ecp_modulus_setup(&m, id, ctype) == 0);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&A, &limbs, input_A), 0);
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rA, &m, A, limbs));
+
+ /* Test for limb sizes */
+ TEST_EQUAL(m.limbs, limbs);
+
+ ASSERT_ALLOC(A_inverse, limbs);
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rA_inverse, &m, A_inverse, limbs));
+
+ ASSERT_ALLOC(rX_raw, limbs);
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rX, &m, rX_raw, limbs));
+
+ /* Get inverse of A mode m, and multiply it with itself,
+ * to see whether the result equal to '1' */
+ TEST_EQUAL(0, mbedtls_mpi_mod_inv(&rA_inverse, &rA, &m));
+ TEST_EQUAL(mbedtls_mpi_mod_mul(&rX, &rA, &rA_inverse, &m), 0);
+
+ ASSERT_ALLOC(bufx, limbs);
+ TEST_EQUAL(mbedtls_mpi_mod_write(&rX, &m, (unsigned char *) bufx,
+ limbs * ciL,
+ MBEDTLS_MPI_MOD_EXT_REP_LE), 0);
+
+ ASSERT_COMPARE(bufx, ciL, one, ciL);
+ /*Borrow the buffer of A to compare the left lims with 0 */
+ memset(A, 0, limbs * ciL);
+ ASSERT_COMPARE(&bufx[1], (limbs - 1) * ciL, A, (limbs - 1) * ciL);
+
+exit:
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_mpi_mod_residue_release(&rA);
+ mbedtls_mpi_mod_residue_release(&rA_inverse);
+ mbedtls_mpi_mod_residue_release(&rX);
+ mbedtls_free(A);
+ mbedtls_free(A_inverse);
+ mbedtls_free(rX_raw);
+ mbedtls_free(bufx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_add_sub(char *input_A, char *input_B, int id, int ctype)
+{
+ size_t p_A_limbs;
+ size_t p_B_limbs;
+ size_t bytes;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue rA;
+ mbedtls_mpi_mod_residue rB;
+ mbedtls_mpi_mod_residue rS;
+ mbedtls_mpi_uint *p_A = NULL;
+ mbedtls_mpi_uint *p_B = NULL;
+ mbedtls_mpi_uint *p_S = NULL;
+
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&p_A, &p_A_limbs, input_A), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&p_B, &p_B_limbs, input_B), 0);
+
+ TEST_EQUAL(0, mbedtls_ecp_modulus_setup(&m, id, ctype));
+
+ /* Test for limb sizes for two input value and modulus */
+ TEST_EQUAL(p_A_limbs, p_B_limbs);
+ TEST_EQUAL(m.limbs, p_A_limbs);
+ bytes = p_A_limbs * ciL;
+
+ ASSERT_ALLOC(p_S, p_A_limbs);
+
+ TEST_EQUAL(mbedtls_mpi_mod_residue_setup(&rA, &m, p_A, p_A_limbs), 0);
+ TEST_EQUAL(mbedtls_mpi_mod_residue_setup(&rB, &m, p_B, p_B_limbs), 0);
+ TEST_EQUAL(mbedtls_mpi_mod_residue_setup(&rS, &m, p_S, p_A_limbs), 0);
+
+ /* Firstly add A and B to get the sum S, then subtract B,
+ * the difference should be equal to A*/
+ TEST_EQUAL(0, mbedtls_mpi_mod_add(&rS, &rA, &rB, &m));
+ TEST_EQUAL(0, mbedtls_mpi_mod_sub(&rS, &rS, &rB, &m));
+
+ /* Compare difference with rA byte-by-byte */
+ ASSERT_COMPARE(rA.p, bytes, rS.p, bytes);
+
+exit:
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_mpi_mod_residue_release(&rA);
+ mbedtls_mpi_mod_residue_release(&rB);
+ mbedtls_mpi_mod_residue_release(&rS);
+ mbedtls_free(p_A);
+ mbedtls_free(p_B);
+ mbedtls_free(p_S);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_read_write(char *input_A, int id, int ctype)
+{
+ size_t limbs;
+ size_t bytes;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue rA; // For input
+ mbedtls_mpi_mod_residue rX; // For read back
+ mbedtls_mpi_uint *rX_raw = NULL;
+ mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *bufx = NULL;
+
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(0, mbedtls_ecp_modulus_setup(&m, id, ctype));
+
+ TEST_EQUAL(0, mbedtls_test_read_mpi_core(&A, &limbs, input_A));
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rA, &m, A, limbs));
+
+ /* Test for limb sizes */
+ TEST_EQUAL(m.limbs, limbs);
+
+ ASSERT_ALLOC(rX_raw, limbs);
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rX, &m, rX_raw, limbs));
+
+ bytes = limbs * ciL;
+ ASSERT_ALLOC(bufx, limbs);
+ /* Write source mod residue to a buffer, then read it back to
+ * the destination mod residue, compare the two mod residues.
+ * Firstly test little endian write and read */
+ TEST_EQUAL(0, mbedtls_mpi_mod_write(&rA, &m, (unsigned char *) bufx,
+ bytes, MBEDTLS_MPI_MOD_EXT_REP_LE));
+
+ TEST_EQUAL(0, mbedtls_mpi_mod_read(&rX, &m, (unsigned char *) bufx,
+ bytes, MBEDTLS_MPI_MOD_EXT_REP_LE));
+
+ TEST_EQUAL(limbs, rX.limbs);
+ ASSERT_COMPARE(rA.p, bytes, rX.p, bytes);
+
+ memset(bufx, 0x00, bytes);
+ memset(rX_raw, 0x00, bytes);
+ /* Then test big endian write and read */
+ TEST_EQUAL(0, mbedtls_mpi_mod_write(&rA, &m, (unsigned char *) bufx,
+ bytes,
+ MBEDTLS_MPI_MOD_EXT_REP_BE));
+
+ TEST_EQUAL(0, mbedtls_mpi_mod_read(&rX, &m, (unsigned char *) bufx,
+ bytes,
+ MBEDTLS_MPI_MOD_EXT_REP_BE));
+
+ TEST_EQUAL(limbs, rX.limbs);
+ ASSERT_COMPARE(rA.p, bytes, rX.p, bytes);
+
+exit:
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_mpi_mod_residue_release(&rA);
+ mbedtls_mpi_mod_residue_release(&rX);
+ mbedtls_free(A);
+ mbedtls_free(rX_raw);
+ mbedtls_free(bufx);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_random(int id, int ctype)
+{
+ size_t limbs;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue rX; // For random data
+ mbedtls_mpi_uint *rX_raw = NULL;
+
+ mbedtls_mpi_mod_modulus_init(&m);
+ TEST_EQUAL(0, mbedtls_ecp_modulus_setup(&m, id, ctype));
+
+ limbs = m.limbs;
+
+ ASSERT_ALLOC(rX_raw, limbs);
+ TEST_EQUAL(0, mbedtls_mpi_mod_residue_setup(&rX, &m, rX_raw, limbs));
+
+ TEST_EQUAL(0, mbedtls_mpi_mod_random(&rX, 1, &m,
+ mbedtls_test_rnd_std_rand, NULL));
+
+ TEST_ASSERT(mbedtls_mpi_core_lt_ct(rX.p, m.p, limbs) == 1);
+
+exit:
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_mpi_mod_residue_release(&rX);
+ mbedtls_free(rX_raw);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function
index 4438fa1509..ac9516ab8d 100644
--- a/tests/suites/test_suite_md.function
+++ b/tests/suites/test_suite_md.function
@@ -61,7 +61,6 @@ void md_null_args()
TEST_EQUAL(mbedtls_md_setup(&ctx, NULL, 0), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
#if defined(MBEDTLS_MD_C)
TEST_EQUAL(mbedtls_md_setup(NULL, info, 0), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
-#endif
TEST_EQUAL(mbedtls_md_starts(NULL), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
TEST_EQUAL(mbedtls_md_starts(&ctx), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
@@ -71,6 +70,7 @@ void md_null_args()
TEST_EQUAL(mbedtls_md_finish(NULL, buf), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
TEST_EQUAL(mbedtls_md_finish(&ctx, buf), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
+#endif
TEST_EQUAL(mbedtls_md(NULL, buf, 1, buf), MBEDTLS_ERR_MD_BAD_INPUT_DATA);
diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data
index e7fbf1b1e1..00f6e0b4d7 100644
--- a/tests/suites/test_suite_oid.data
+++ b/tests/suites/test_suite_oid.data
@@ -137,3 +137,51 @@ oid_get_numeric_string:"8001":MBEDTLS_ERR_ASN1_INVALID_DATA:""
OID get numeric string - overlong encoding, second subidentifier
oid_get_numeric_string:"2B8001":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - hardware module name
+oid_from_numeric_string:"1.3.6.1.5.5.7.8.4":0:"2B06010505070804"
+
+OID from numeric string - multi-byte subidentifier
+oid_from_numeric_string:"1.1.2108":0:"29903C"
+
+OID from numeric string - second component greater than 39
+oid_from_numeric_string:"2.49.0.0.826.0":0:"81010000863A00"
+
+OID from numeric string - multi-byte first subidentifier
+oid_from_numeric_string:"2.999":0:"8837"
+
+OID from numeric string - empty string input
+oid_from_numeric_string:"":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - first component not a number
+oid_from_numeric_string:"abc.1.2":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - second component not a number
+oid_from_numeric_string:"1.abc.2":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - first component too large
+oid_from_numeric_string:"3.1":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - first component < 2, second > 39
+oid_from_numeric_string:"1.40":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - third component not a number
+oid_from_numeric_string:"1.2.abc":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - non-'.' separator between first and second
+oid_from_numeric_string:"1/2.3.4":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - non-'.' separator between second and third
+oid_from_numeric_string:"1.2/3.4":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - non-'.' separator between third and fourth
+oid_from_numeric_string:"1.2.3/4":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - OID greater than max length (129 components)
+oid_from_numeric_string:"1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1.2.3.4.5.6.7.8.1":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID from numeric string - OID with maximum subidentifier
+oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F"
+
+OID from numeric string - OID with overflowing subidentifier
+oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""
diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function
index 68b769fdbf..3adc6af0b5 100644
--- a/tests/suites/test_suite_oid.function
+++ b/tests/suites/test_suite_oid.function
@@ -119,3 +119,29 @@ void oid_get_numeric_string(data_t *oid, int error_ret, char *result_str)
}
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void oid_from_numeric_string(char *oid_str, int error_ret,
+ data_t *exp_oid_buf)
+{
+ mbedtls_asn1_buf oid = { 0, 0, NULL };
+ mbedtls_asn1_buf exp_oid = { 0, 0, NULL };
+ int ret;
+
+ exp_oid.tag = MBEDTLS_ASN1_OID;
+ exp_oid.p = exp_oid_buf->x;
+ exp_oid.len = exp_oid_buf->len;
+
+ ret = mbedtls_oid_from_numeric_string(&oid, oid_str, strlen(oid_str));
+
+ if (error_ret == 0) {
+ TEST_EQUAL(oid.len, exp_oid.len);
+ TEST_ASSERT(memcmp(oid.p, exp_oid.p, oid.len) == 0);
+ mbedtls_free(oid.p);
+ oid.p = NULL;
+ oid.len = 0;
+ } else {
+ TEST_EQUAL(ret, error_ret);
+ }
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 0591029254..78711404ac 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1,13 +1,13 @@
/* BEGIN_HEADER */
#include "mbedtls/pk.h"
+#include "pk_internal.h"
/* For error codes */
#include "mbedtls/asn1.h"
#include "mbedtls/base64.h"
#include "mbedtls/ecp.h"
#include "mbedtls/rsa.h"
-
-#include "hash_info.h"
+#include "pk_internal.h"
#include
#include
@@ -16,6 +16,7 @@
* but the test code generator requires test case data to be valid C code
* unconditionally (https://github.com/Mbed-TLS/mbedtls/issues/2023). */
#include "psa/crypto.h"
+#include "md_psa.h"
/* Used for properly sizing the key buffer in pk_genkey_ec() */
#include "mbedtls/psa_util.h"
@@ -23,55 +24,52 @@
#define RSA_KEY_SIZE 512
#define RSA_KEY_LEN 64
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECP_LIGHT)
-static int pk_genkey_ec(mbedtls_ecp_group *grp,
- mbedtls_mpi *d, mbedtls_ecp_point *Q)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
{
psa_status_t status;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
- mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
size_t curve_bits;
- psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp->id,
- &curve_bits);
- unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
- size_t key_len;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp_id, &curve_bits);
int ret;
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
psa_set_key_bits(&key_attr, curve_bits);
- psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE);
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ psa_set_key_algorithm(&key_attr, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH));
+#else
+ psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
+#endif
- status = psa_generate_key(&key_attr, &key_id);
+ status = psa_generate_key(&key_attr, &pk->priv_id);
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
}
- status = psa_export_key(key_id, key_buf, sizeof(key_buf), &key_len);
+ status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
+ &pk->pub_raw_len);
if (status != PSA_SUCCESS) {
ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
goto exit;
}
- ret = mbedtls_mpi_read_binary(d, key_buf, key_len);
- if (ret != 0) {
- goto exit;
- }
+ pk->ec_family = curve;
+ pk->ec_bits = curve_bits;
- status = psa_export_public_key(key_id, key_buf, sizeof(key_buf),
- &key_len);
- if (status != PSA_SUCCESS) {
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
- goto exit;
- }
-
- ret = mbedtls_ecp_point_read_binary(grp, Q, key_buf, key_len);
+ return 0;
exit:
- psa_destroy_key(key_id);
-
- return ret;
+ status = psa_destroy_key(pk->priv_id);
+ return (ret != 0) ? ret : psa_pk_status_to_mbedtls(status);
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/** Generate a key of the desired type.
*
@@ -101,22 +99,36 @@ static int pk_genkey(mbedtls_pk_context *pk, int parameter)
mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH ||
mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) {
int ret;
- if ((ret = mbedtls_ecp_group_load(&mbedtls_pk_ec(*pk)->grp,
- parameter)) != 0) {
+
+#if defined(MBEDTLS_ECP_C)
+ ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, parameter);
+ if (ret != 0) {
return ret;
}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- return pk_genkey_ec(&mbedtls_pk_ec(*pk)->grp,
- &mbedtls_pk_ec(*pk)->d,
- &mbedtls_pk_ec(*pk)->Q);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_ECP_C)
- return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec(*pk)->grp,
- &mbedtls_pk_ec(*pk)->d,
- &mbedtls_pk_ec(*pk)->Q,
+ return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp,
+ &mbedtls_pk_ec_rw(*pk)->d,
+ &mbedtls_pk_ec_rw(*pk)->Q,
mbedtls_test_rnd_std_rand, NULL);
#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ mbedtls_ecp_group grp;
+ /* Duplicating the mbedtls_ecp_group_load call to make this part
+ * more future future proof for when ECP_C will not be defined. */
+ mbedtls_ecp_group_init(&grp);
+ ret = mbedtls_ecp_group_load(&grp, parameter);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = pk_genkey_ec(pk, grp.id);
+ if (ret != 0) {
+ return ret;
+ }
+ mbedtls_ecp_group_free(&grp);
+
+ return 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
}
#endif /* MBEDTLS_ECP_LIGHT */
return -1;
@@ -549,6 +561,9 @@ exit:
void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
{
mbedtls_pk_context pub, prv, alt;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub);
mbedtls_pk_init(&prv);
@@ -562,7 +577,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
if (ret == MBEDTLS_ERR_ECP_BAD_INPUT_DATA) {
ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
TEST_ASSERT(mbedtls_pk_parse_public_keyfile(&pub, pub_file) == 0);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&prv, prv_file, NULL,
@@ -583,7 +598,20 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret)
== ret);
}
#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
+ TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
+ PSA_ALG_ANY_HASH,
+ PSA_KEY_USAGE_EXPORT, 0), 0);
+ TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
+ NULL), ret);
+ }
+#endif
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(opaque_key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_free(&pub);
mbedtls_pk_free(&prv);
mbedtls_pk_free(&alt);
@@ -701,7 +729,6 @@ void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash,
data_t *sig, int ret)
{
mbedtls_pk_context pk;
- mbedtls_ecp_keypair *eckey;
mbedtls_pk_init(&pk);
USE_PSA_INIT();
@@ -709,11 +736,23 @@ void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash,
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA));
- eckey = mbedtls_pk_ec(pk);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ mbedtls_ecp_keypair ecp;
+ mbedtls_ecp_keypair_init(&ecp);
+
+ TEST_ASSERT(mbedtls_ecp_group_load(&ecp.grp, id) == 0);
+ TEST_ASSERT(mbedtls_ecp_point_read_binary(&ecp.grp, &ecp.Q,
+ key->x, key->len) == 0);
+ TEST_ASSERT(mbedtls_pk_update_public_key_from_keypair(&pk, &ecp) == 0);
+
+ mbedtls_ecp_keypair_free(&ecp);
+#else
+ mbedtls_ecp_keypair *eckey = (mbedtls_ecp_keypair *) mbedtls_pk_ec(pk);
TEST_ASSERT(mbedtls_ecp_group_load(&eckey->grp, id) == 0);
TEST_ASSERT(mbedtls_ecp_point_read_binary(&eckey->grp, &eckey->Q,
key->x, key->len) == 0);
+#endif
// MBEDTLS_MD_NONE is used since it will be ignored.
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE,
@@ -745,12 +784,12 @@ void pk_sign_verify_restart(int pk_type, int grp_id, char *d_str,
memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0);
- TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(prv)->grp, grp_id) == 0);
- TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec(prv)->d, d_str) == 0);
+ TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(prv)->grp, grp_id) == 0);
+ TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec_rw(prv)->d, d_str) == 0);
TEST_ASSERT(mbedtls_pk_setup(&pub, mbedtls_pk_info_from_type(pk_type)) == 0);
- TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(pub)->grp, grp_id) == 0);
- TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec(pub)->Q, 16, QX_str, QY_str) == 0);
+ TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(pub)->grp, grp_id) == 0);
+ TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec_rw(pub)->Q, 16, QX_str, QY_str) == 0);
mbedtls_ecp_set_max_ops(max_ops);
@@ -1316,8 +1355,8 @@ void pk_psa_sign(int parameter_arg,
/* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy;
#else
- ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec(pk)->grp),
- &(mbedtls_pk_ec(pk)->Q),
+ ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp),
+ &(mbedtls_pk_ec_ro(pk)->Q),
MBEDTLS_ECP_PF_UNCOMPRESSED,
&klen_legacy, pkey_legacy,
sizeof(pkey_legacy));
@@ -1379,10 +1418,10 @@ void pk_psa_sign(int parameter_arg,
TEST_EQUAL(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0);
TEST_EQUAL(mbedtls_ecp_group_load(
- &(mbedtls_pk_ec(pk)->grp),
+ &(mbedtls_pk_ec_rw(pk)->grp),
(mbedtls_ecp_group_id) parameter_arg), 0);
- TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp),
- &(mbedtls_pk_ec(pk)->Q),
+ TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp),
+ &(mbedtls_pk_ec_rw(pk)->Q),
pkey_legacy_start, klen_legacy), 0);
#endif
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
@@ -1408,7 +1447,7 @@ void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
size_t sig_len;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char hash[PSA_HASH_MAX_SIZE];
- size_t hash_len = mbedtls_hash_info_get_size(md_alg);
+ size_t hash_len = mbedtls_md_get_size_from_type(md_alg);
void const *options = NULL;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
memset(hash, 0x2a, sizeof(hash));
@@ -1451,7 +1490,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_al
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start;
unsigned char hash[PSA_HASH_MAX_SIZE];
- psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
+ psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
psa_algorithm_t psa_alg;
size_t hash_len = PSA_HASH_LENGTH(psa_md_alg);
void const *options = NULL;
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
index 1bd1af240c..978439ac33 100644
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@@ -1,13 +1,13 @@
Parse RSA Key #1 (No password when required)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C
+depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
pk_parse_keyfile_rsa:"data_files/test-ca.key":"NULL":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #2 (Correct password)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C
+depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0
Parse RSA Key #3 (Wrong password)
-depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_DES_C
+depends_on:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA :MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C
pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #4 (DES Encrypted)
@@ -1197,7 +1197,7 @@ depends_on:MBEDTLS_ECP_LIGHT
pk_parse_key:"30070201010400a000":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Key ASN1 (OneAsymmetricKey X25519, doesn't match masking requirements, from RFC8410 Appendix A but made into version 0)
-depends_on:MBEDTLS_ECP_LIGHT
+depends_on:MBEDTLS_ECP_C
pk_parse_key:"302e020100300506032b656e04220420f8ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Key ASN1 (OneAsymmetricKey X25519, with invalid optional AlgorithIdentifier parameters)
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 838a7dba7f..6fa78c1498 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -3,6 +3,7 @@
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/ecp.h"
+#include "pk_internal.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -83,10 +84,16 @@ void pk_parse_public_keyfile_ec(char *key_file, int result)
TEST_ASSERT(res == result);
if (res == 0) {
- mbedtls_ecp_keypair *eckey;
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY));
- eckey = mbedtls_pk_ec(ctx);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* No need to check whether the parsed public point is on the curve or
+ * not because this is already done by the internal "pk_get_ecpubkey()"
+ * function */
+#else
+ const mbedtls_ecp_keypair *eckey;
+ eckey = mbedtls_pk_ec_ro(ctx);
TEST_ASSERT(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q) == 0);
+#endif
}
exit:
@@ -110,10 +117,13 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result)
TEST_ASSERT(res == result);
if (res == 0) {
- mbedtls_ecp_keypair *eckey;
TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY));
- eckey = mbedtls_pk_ec(ctx);
+#if defined(MBEDTLS_ECP_C)
+ const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec_ro(ctx);
TEST_ASSERT(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d) == 0);
+#else
+ /* PSA keys are already checked on import so nothing to do here. */
+#endif
}
exit:
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index c148c8a848..4820fbd439 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -28,6 +28,43 @@ static void fix_new_lines(unsigned char *in_str, size_t *len)
}
}
+static int pk_write_any_key(mbedtls_pk_context *pk, unsigned char **p,
+ size_t *buf_len, int is_public_key, int is_der)
+{
+ int ret = 0;
+
+ if (is_der) {
+ if (is_public_key) {
+ ret = mbedtls_pk_write_pubkey_der(pk, *p, *buf_len);
+ } else {
+ ret = mbedtls_pk_write_key_der(pk, *p, *buf_len);
+ }
+ if (ret <= 0) {
+ return ret;
+ }
+
+ *p = *p + *buf_len - ret;
+ *buf_len = ret;
+ } else {
+#if defined(MBEDTLS_PEM_WRITE_C)
+ if (is_public_key) {
+ ret = mbedtls_pk_write_pubkey_pem(pk, *p, *buf_len);
+ } else {
+ ret = mbedtls_pk_write_key_pem(pk, *p, *buf_len);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+
+ *buf_len = strlen((char *) *p) + 1; /* +1 takes the string terminator into account */
+#else
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif
+ }
+
+ return 0;
+}
+
static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
{
mbedtls_pk_context key;
@@ -35,7 +72,11 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
unsigned char *check_buf = NULL;
unsigned char *start_buf;
size_t buf_len, check_buf_len;
- int ret;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ USE_PSA_INIT();
mbedtls_pk_init(&key);
USE_PSA_INIT();
@@ -62,42 +103,39 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der)
if (is_public_key) {
TEST_EQUAL(mbedtls_pk_parse_public_keyfile(&key, key_file), 0);
- if (is_der) {
- ret = mbedtls_pk_write_pubkey_der(&key, buf, check_buf_len);
- } else {
-#if defined(MBEDTLS_PEM_WRITE_C)
- ret = mbedtls_pk_write_pubkey_pem(&key, buf, check_buf_len);
-#else
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif
- }
} else {
TEST_EQUAL(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL), 0);
- if (is_der) {
- ret = mbedtls_pk_write_key_der(&key, buf, check_buf_len);
- } else {
-#if defined(MBEDTLS_PEM_WRITE_C)
- ret = mbedtls_pk_write_key_pem(&key, buf, check_buf_len);
-#else
- ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
-#endif
- }
}
- if (is_der) {
- TEST_LE_U(1, ret);
- buf_len = ret;
- start_buf = buf + check_buf_len - buf_len;
- } else {
- TEST_EQUAL(ret, 0);
- buf_len = strlen((char *) buf) + 1; /* +1 takes the string terminator into account */
- start_buf = buf;
- }
+ start_buf = buf;
+ buf_len = check_buf_len;
+ TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
+ is_der), 0);
ASSERT_COMPARE(start_buf, buf_len, check_buf, check_buf_len);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /* Verify that pk_write works also for opaque private keys */
+ if (!is_public_key) {
+ memset(buf, 0, check_buf_len);
+ TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id,
+ PSA_ALG_NONE,
+ PSA_KEY_USAGE_EXPORT,
+ PSA_ALG_NONE), 0);
+ start_buf = buf;
+ buf_len = check_buf_len;
+ TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
+ is_der), 0);
+
+ ASSERT_COMPARE(start_buf, buf_len, check_buf, check_buf_len);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(opaque_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_free(buf);
mbedtls_free(check_buf);
mbedtls_pk_free(&key);
diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data
index 39b423f3dd..4276b8fb77 100644
--- a/tests/suites/test_suite_platform.data
+++ b/tests/suites/test_suite_platform.data
@@ -4,6 +4,3 @@ time_get_milliseconds:
Time: get seconds
time_get_seconds:
-
-Time: delay milliseconds
-time_delay_milliseconds:1000
diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function
index 7453c32c9c..61681b8789 100644
--- a/tests/suites/test_suite_platform.function
+++ b/tests/suites/test_suite_platform.function
@@ -10,7 +10,8 @@
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
-#ifdef WIN32
+#if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
+ defined(__MINGW32__) || defined(_WIN64)
#include
#elif _POSIX_C_SOURCE >= 199309L
#include
@@ -19,7 +20,8 @@
#endif
void sleep_ms(int milliseconds)
{
-#ifdef WIN32
+#if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
+ defined(__MINGW32__) || defined(_WIN64)
Sleep(milliseconds);
#elif _POSIX_C_SOURCE >= 199309L
struct timespec ts;
@@ -64,6 +66,13 @@ void time_delay_milliseconds(int delay_ms)
mbedtls_ms_time_t current = mbedtls_ms_time();
mbedtls_ms_time_t elapsed_ms;
+ /*
+ * WARNING: DO NOT ENABLE THIS TEST. We keep the code here to document the
+ * reason.
+ *
+ * Windows CI reports random test fail on platform-suite. It might
+ * be caused by this case.
+ */
sleep_ms(delay_ms);
elapsed_ms = mbedtls_ms_time() - current;
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index fd35c8796d..a83140d7e1 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -506,6 +506,170 @@ PSA import/export RSA keypair: import PEM
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PEM_PARSE_C
import_export:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b2400":PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0:1024:0:PSA_SUCCESS:0
+PSA import/export FFDH RFC7919 2048 key pair: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:2048:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 2048 public key: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 3072 key pair: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E963":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:3072:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 3072 public key: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C853":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:3072:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 4096 key pair: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C65533":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 4096 public key: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:4096:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 6144 key pair: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:6144:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 6144 public key: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:6144:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 8192 key pair: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 8192 public key: good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_SUCCESS:1
+
+PSA import/export FFDH RFC7919 2048 key pair: export not permitterd
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_NOT_PERMITTED:1
+
+PSA import/export FFDH RFC7919 2040 key pair: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_with_data:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 2040 public key: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_with_data:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):2048:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 3064 key pair: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_with_data:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E9":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 3064 public key: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_with_data:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C8":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):3072:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 4088 key pair: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_with_data:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C655":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 4088 public key: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_with_data:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):4096:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 6136 key pair: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_with_data:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF1852":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 6136 public key: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_with_data:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE688":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):6144:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 8184 key pair: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_with_data:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE38788122":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 8184 public key: import invalid key length
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_with_data:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F02811":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):8192:PSA_ERROR_INVALID_ARGUMENT
+
+PSA import/export FFDH RFC7919 2048 key pair: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 2048 public key: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:2048:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 3072 key pair: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"A13B0B091871DE0F21FA9031BFFB6F37C485F0553B0468169A04AC0E2710185C9D8B5C5FB01C2846CEBA007298CB0F208DA2CF551C5098281EB4490647B733636EE14F6F4540EA05434AC258090A575D10EF9523AA4B545D27851878FAA04361D9412E3B55645A52BE03EE2E6DF0F83DBA295363E68F7307B5A19E205B655E6CFE005217D69B2F521A61CE23C286426D11A09768B5657A32E9965A49AE2BF4476582A278B7515B3B46F70368F324724ED4A1F36364AB4D6E3ADCA53142834353A9EB37747D26680A4B8D9A30BADACD172872BC677212B328B47B117901B4EA22C8760D7B727FFF276FA4E36082A0605E590F732F24468201DD05BF4A5710C546FAE1B153F8668D6E1A9707340B82493CADCC0721032E627DB9AD3D04124FAA19BB7FBD38FFA4416C05741C688F21B11C63508F5A3F50C219D1A4F46F0D3CC74EBD762A241C328F20C7169566E5E8E60B8F4442497B92A65FE69CD12E57BB4F44ED11A6075541B50FD95BB0224621193779873711B6616F6D9E31DE7D7369E963":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:3072:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 3072 public key: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"57214B78F3045CA8996F024B97AFCE32F3B8D24A0F1A6E37F83559C3B07270F830D9EEB40E22BE7D53C8215832C024DF8602815D087CFD546392EC338C2683FF2329BEA2236E94184037284C8A8FE6DC9F56BBEC47C887953FE2AF8700A96ED13B1DD50EA7065C2D102DE1CF037699C47A3A96CC561C5B7E1D5DCE028BB8CEB15EC9B6A8D7E12224B95D893DA596B0C198C0E07C566C7A008C2F260D358DA9D2C2EFD7182B6B03501321408791769D567FC61BE2F9BEF8D58A82AEEA857F088FF89075B0263074FF403EA94673AA2C4728ED966B23BDEB1A240BBEE9343548E02755579FFB158F9BBB11525C5081C0681A969BC6D828F74CF577FA27AEA68A5E56E8505688653590CB9CAA5D76B40BD113764141E1DD7BB09A24023C0EDE10D2C8826FACCD4EC7B2896FE6F2A1E9925C0DFBEB48A4501D57B23A2F6624772664472B5FA76AD952EEE3AABEE33897324DA167ABCD13504F85114A57CA038629437333F6B2D93F8776C8B4ACED82696BEFBE802B3281A2E1FB32A940A4A714C853":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:3072:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 4096 key pair: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"46EEB441AF38234285F3ED05BC650E370B051170543816366235B4460F6A45736145651F383B4C14AED4BC6E4A08AA1AFBEFBA457C2669362EFBF459F1447A64C25A502F8121362FF68D144BCE30592511FD902DD6338315447C21055DD9BC7AA8348445AF1E9B0C5B970500DABC792C004C897F32FD592CD383DC0B463A3E41E1357D6E5877CA1102A04C78EC3A8E5EACAFE04764D5003FFCA4D3510DF545679C104D53AA79904057FDEF019700081926A0F97686F8E45B8845827DE9FA4926071A1B0B7FD39648B72BA34B1917AC3855071A5EFCA7C45076F06833FD3B9E23ABC65F5DD1876E33D7F81750AB12E95C0385C85FAA7CF45BF14C271EE4BA454E02F4BE6DF3EC7316D0F5D32CAEA39F3558C27455CC9AA77EBC98E51CF4D2C1287714383F1396D51E8CD3C9419DB43136998EBA7A14194C3F86AF7B5CA1A8D50593ECE2073EDB1E28BABF813EE9F3FC653A83E37830B0EA71E62F9B09E549435601385925BE28B359915C2C3304BD210568A5A73582A95351E87767536B9966237696C767B86D3B00193D0659CE583C3D8508E37ED5D5EB75C22BFE65FC1C1B3EE96BC1144EFFC72799D14C7482FA7B0F631814672081C85023A35115F604F76E5E5CE778DD62D353DFF8F35498DFCA710D13BE45C6288F5E7D290E480E4B176B845142380E863A7B12083970ECF6E96D912F8E4CFA7FA0435790501107C65533":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:4096:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 4096 public key: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:4096:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 6144 key pair: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:6144:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 6144 public key: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:6144:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 8192 key pair: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:0:8192:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export FFDH RFC7919 8192 public key: export buffer to small
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):0:PSA_ALG_FFDH:0:8192:0:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA import/export-public FFDH RFC7919 public key 2048 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export_public_key:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"2898897F34E672DAE8E629C6AD5D525A8ECCF88CEEB2F7D456DBC726D4E4A473A57F530BB6A7A67D58A560C2FDF51C9E4826DB48F408150CEAFBD32766C03D277D611139AA9F4017B0125EEA089ECD906EA0854AC0A435507DEC05C3CF2F37F98ED987E13E4795BB44051F231753C9BA3023D1A9E969FD98AC21091F704F6AD5B49B2F95DE7FA0CC1B6D9FC1DAD308EB2D1B021D8EA99959BD0BBA3CD5AD33C4B4A608A74B42B6C0342CBCFE3F41ED0752389D7A982DE512514EEC4C6D1165D3C52485A02EF310E2A4C0B5197FADE3D6F768E81AA01926FEAE92040706A621676200F6F80B51D0B4CAC38A406778D81EF3CB68EAC2E9DC06ED8E47363CE260E0"
+
+PSA import/export-public FFDH RFC7919 key pair 2048 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export_public_key:"2A45292441157B3C25572F76A5CDF960A7BDBF06731D783C5BF8920FB94CCC3D5DCCF86A3CB66B4E3AEDD23106222458ACF3F72C753CB67C2E19AD399566866FEBC16C3B4DC72773B4709047AE1AEC2D9107C2041B06B86A8F604465B26E0E753D6B10772798B3797232D950A36F2D4B33B04B36DE73AC6B8A7365015DF5745A1F892728B0CA947702C36E3BC646E72E23E80C345DBB014B7F93B36C80B4051F9A716D19B980861E86D62977466565462FBD3C1BB4EFD630DCCBEB351A7FA95602B7FE23903C7C7DC999950493BEC028AC42346858FAD969452DCF1DE9AD445F7F928D63B75FA86E8C1D722AB242D91995D3545A1791D72B0F384E74B45C7C01":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"AA396C4E08F47E499243FF17B3E0D019415A52FB6E31FCA71B2B9F46FE84E3A611757DD414A21E1BE8A8FFD60479348245918F7D771EC4A78733F627F72CE0FE1717EE3950B4DB7982577A332CC66C3F3EEB79CD604568644FD3EDAE35A08F3C75C7A99E1A24CB8B56CF7D102984568C0D93BAB9C760F22BB2AC3BEE62E532010E6EEB5A3FB2ABE1EEE1562C1C8D9AC8F781B7283C846B435F4BD4F437EE4D60B97B6EF6ECE675F199E6A40EEFFDC8C65F2973B662782FD2069AEFC026560FA57DE67474AD1A5C8837FF0644F6D0E79161DE5AC38B4837818A5EC38D335D6ECCCC1F9FC676D3548BA30635C5DB24C02BF86977E401E47C3262B81C84C340D729"
+
+PSA import/export-public FFDH RFC7919 public key 3072 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export_public_key:"8B6C629D0251EAA04FF127A9E2D748D744813E6F158F7BA3E4BBC50F928F9EFD689A7DDDA44023F0177DBDA344B2A9B9FED648F911118EA3C4ADBB6D3B1A85880BA80DD28B6E6FBB766D1B6858618013AAFA5A8FD4290E7D52FFD75682CB0EDD99B7AD314F4F4780F00114C344BA0574AD59975DD4FB0A93A46F1BBE98A52C21735381BCB8D3886F0345C4ABDFAD2C1B877E910D64AB4F57CCB419E386E3C81BD09E5755F88E7EA724967AD1C2E8D7AC2B2417CD6B0EB9C1366B413A461BF3249316B71912496EBA269A38E90CB324BA06BEA3B555D5E0D62EF817B2503017AD3D120EAC0CD61FB0A5C71E1C50FEEC90F4CFB11890AF21C2F1EDB501B2BB44AE3CED3C64204033144F293F696FEE4468623B3EFA405C2C00B9CD040B52442DA32C3C23E33930E4129390A5BCD061198C75AFE7DA8FF0EADA0DE931A5233C7C46D36C02B855315084CCDA54BFD155CEEA2C0C17AFB80987C54680828E1B9B2F6D2BB5FA3F7E70455CE8B66AC2D54762BB6D76CF6CE345BCD6CD2AF6A56010F512":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"8B6C629D0251EAA04FF127A9E2D748D744813E6F158F7BA3E4BBC50F928F9EFD689A7DDDA44023F0177DBDA344B2A9B9FED648F911118EA3C4ADBB6D3B1A85880BA80DD28B6E6FBB766D1B6858618013AAFA5A8FD4290E7D52FFD75682CB0EDD99B7AD314F4F4780F00114C344BA0574AD59975DD4FB0A93A46F1BBE98A52C21735381BCB8D3886F0345C4ABDFAD2C1B877E910D64AB4F57CCB419E386E3C81BD09E5755F88E7EA724967AD1C2E8D7AC2B2417CD6B0EB9C1366B413A461BF3249316B71912496EBA269A38E90CB324BA06BEA3B555D5E0D62EF817B2503017AD3D120EAC0CD61FB0A5C71E1C50FEEC90F4CFB11890AF21C2F1EDB501B2BB44AE3CED3C64204033144F293F696FEE4468623B3EFA405C2C00B9CD040B52442DA32C3C23E33930E4129390A5BCD061198C75AFE7DA8FF0EADA0DE931A5233C7C46D36C02B855315084CCDA54BFD155CEEA2C0C17AFB80987C54680828E1B9B2F6D2BB5FA3F7E70455CE8B66AC2D54762BB6D76CF6CE345BCD6CD2AF6A56010F512"
+
+PSA import/export-public FFDH RFC7919 key pair 3072 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export_public_key:"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"c6dbc8151d22313ab19feea7be0f22f798ff9bec21e9da9b5020b6028395d4a3258f3db0cee7adda3f56864863d4c565498d59b205bcbcc3fc098d78efd4e6b4e09b97971c6fd00cd2fa63bb0b3c7380cc1c19fbb34d077fda61c4a71c254242aa5870786b5d0fd3cb179f64f737eb7ab83b57ca70f93955f49b43869ca2ea441650f48a516137229be2926b02129de4089c9d129df7d76848ecda1bcecda1cf95df195e8e388ee70fac0f1c4d9b38e745b067ee88b32e6d59cb159a95852f18b121f85fedfbb6a2c6962ed70cc1ae471813e1bdc053abacccd1eec79359a6f15ec55d92bbf3890b912fbbb2c029407e1493315394a290f4ce81c0d9dccfbab386b745145cb173b9e08f018d309200691b72acafb313cebf483ff8810080bce9516aa5382a18c3c10965a33176d93d8c51f83d6fca7f606200bb7c779a891fd65dd7ed6972f6835f4e94d928f89f1d0ee204b1ef073a761c65241a76f254695ac31842600aa0753c94e6c805c24ed101bbb26c96928db1166a91c7fea8bc3b90"
+
+PSA import/export-public FFDH RFC7919 public key 4096 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export_public_key:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"BF50F1FDD8B6B5332047A808088E669F06D6CA71A59CB7CA9FB48EB47E1F179C531B15382D2D0382D18CD77E1A517BAA4175D59795898DABECCA469981E4C69EBC62B35936791F6B03E37EF39945B80503113C97474967AB4832EBD7E30ED4EFA47B49080D69B88FD7BD33847B7E6A7D0024AAD08C829CDAA44EC7C6E4013E6321DD64975E323A9779EE99FA7B210232F20B198A3AB6A0FAC525785777A084AB71EB58367C04FE456EA3EF260C1091FDC94781485784D110CB0EBCF4ADE74FBED11D59FC53CD66B3743603B06587DC47D4DBBE46CAABA2EA3190D0D859D3B5B8AC604F069D178E551E85AC26AD2BEBD22A27E9D517DEF70DBE15ECB5679881D522228377BDFDAC76677B4AEC68853EBA16D72087184ECA46DB62D4DCAADFDB9BF0029CD6C7711DD94ADEC835FE7145F371DAE027711DAC6820720CDFA2A61C97CFE84576B8C462A1FBA5C15F4E3AB55E10285A4F64B7124ECFEB5F517A065A0F1F8D7AA0E5189BDE525A34E7B17B78F15BECCD02CFF8AFB3DDFCF8809B6FD34683D7E87F3810C9658F1A4BD8495C163FB2F012E82CF22183361ABE0035C9A974386DF07886348BFA1F69BA35A77E3903741B9BF8B300D4BF67AB4A25D26EF8ECBD8965A398A2D38538C6BF59636622A404DCA0CCABE06395D209E24FE9DE738152E3A049FADEF4FE9585F84197383DF7AAC40DE842B2333A4C29855C25D40B3B"
+
+PSA import/export-public FFDH RFC7919 key pair 4096 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export_public_key:"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"e0c2e35be32adb92560e6557d07ba9bab295792063a2724f9e381e9f2644423e73efeb074ddee70388444bc1a67edfe496a6c38eafff45ec500278f9b896a6fb1de4a59461e6fcf1de17867018e0c362876ae107fd4287383989a4ab41cd44844b103cf58085aa52b49527df433446fa5c4665037475e8f78c8d64d5d60a462603d292d02c539329e9d48c25e05083fa98fd6a513c84f0e2ced9121c2f5922559abb5e2fe3081e6bf2256d6043af211a70fe48e371bf683b953f199821fe0fbe924151dc772e72db53492ba5613bcf5661b7ed419fa02f332443be5f8b97908800077306abf6fd796afdbbdbc2badb21501ccee5ed67635b3cf37819f5d1db5370d77960ac0535a029b0af1bf634679367d35db0e7f38bbe0a022392efefc6b8ccf1e9f53bd7ac28012f6bf5e3701476606eb4649c64377b1e0c418840486bb4a286ebaf685449061ee375487e9e9164d0a7c9327c7b667b1933dc3adb11358e76457d594c19b88e8a689107c641d3503a7639159f3cdae7f58398204d29895e84fb82e192b796866c27d8373a36c5c062a445f6fd515e561d7c2328e7424057229689fe7851432f706f21e114f74d21ca3b01f1aa57d2743f28f8dbfa5ef5c584de2012d82ee978bb7cd713001237e76b5ee12e3cc51393cbcfe1717cefdf885022f18e66661097fe1ce91d0508e1931cf3774bd83d8f068711e09943b82355"
+
+PSA import/export-public FFDH RFC7919 public key 6144 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export_public_key:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D"
+
+PSA import/export-public FFDH RFC7919 key pair 6144 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export_public_key:"E4012A5FD17FB739867A475501A75212E2C1DA5376693759A1B5FC1523927D0DBF907037232C43416B4AA925D65A154FC1E13F72C7643E431C480A7799F09F66F8CA816E66E82E75B79A6D2C4DB6CB6D7532B020FBC69D7BBE80881A7778C66BEFD4F01450BD8E1DA05FFB59D8331C6E3281E67EDF3EF557A5800D4C1683105EB0BEAC112BFB5421172A637092808765A1648C7AB8DF5F06B612057360F5FC31DB0BA347215DAE18375012019CEDE239E8C1EC5B53981C7835DE8220E18C6E4AB9804B6DEC78F04C2E433A382FB3FB0DE73F8E48ECC3C252A62BC279D6147F5D3D815170468BBD53AF489B4B6F02386F25CAB22B54C9A8178585484DD5885F3D7FC4FD389DAFAB3D6809E72220298A33558F0B441E1CEC15811E8765319BAE0B3F799A2EB86E9966CD889145273B870A0B07B65E0367146608C8F554C587014CEFDF0433370B300DF43AFD59D71F937B23CFF25F9A66BF53AD34125960504450E0F17C275C7DAD24CF527C3F05BC2F53B046563C55D8C40CDA448F102F0B5475F287704A424E76335034DE2847177C0E606A6249D152650E78B22A1A9FE3FC7789C1FE74463BBC5FC71E840294C8B45349A2D045CFE679575950B61F3882D57806F2A9644D8BB3790FA268742AC19C44E7F1724DBDD67A4D8A11E114C7E3EF74195428725A645D54CC9F1F48CA9A7E2EAF3C2261A7E4AE58F9A5D223A1C4922BE932250C49DAB04CE8DB0E3A4A9D87551A2D165B618E3954E980844DA3EE1450A7C9F533B09F085038B7C923F06BC679808682279107804328EE9B7286782C0CDF92333D38900467B039C950C684A60AF5667F343B4BAA658E68967F0EBBA72695AF073A5A08B647D855265544EC291B01ED6420D2FBF878E5B0BC46EB1F8A2C1BD6A945CD8CCB0035BD11023603C0202E1B05551E3E964FD9F1D470D5E4FA08CFDD9E1F11A99E14C550C1024F642147A3B01E58EE3E5D75D5DC4D538243521526CF615C8616172448C8F81F1B36E110C161C109D6308F1F29F188375611C943313945670247AF0C9AFDF25E3226AA07D442A8057FAEAF251D463434EF18524A":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"201757BBAC6FF53E1966C29822B5154F56E332DCE1370D3A117B380D9C63FBD98F027F434EFBE530581BB1A0ACEDF30D749854F6BFC3E2E9F24A75B9109DB1FC787BB2D1DEF56414E6585757C5F84394AE9D7DB98AAADB5BCE0E4E55397B54E5DFAEDFB8CA87E6CAF0FC40E77421129F8D020287E7BD0330F60A7B01257FE36E1270B27D39F96AA464AF60C9DF47979517D7E9F0F68F93138BDC06E8F6F0AB39C90DA731925D26E48C24383425B22244D092BB9D6E3192467A91B27F0073C507D0615C3042F7432903E83494C2214089BACEF60A2D670E9D0EA0DC2F882E6AB90EC26A0CC4F9ED3DAF3912304079AA2447573AC51AAD69F4DFA07A03780922B4C7BACB286767EF758454526319C92F1486FA75E63E8EB2CBCA2A11938FE0BC5A9B50584505E16A3C8E2A599F8E2192BEC986DA602AD980190955B4AC8EF86EAF6EAFCFF7438ACD4DF64E407E675C0A114E04A9360A4431B6C0AB249B023BE89A41DA36FDFAB0FA3247DD9280EC538F724C6AF8CECD22DA87E91959AC12B690175937B7DB09B12FEE5D018802A4E561AE4F671C5569C73E928BBD66A494BBEF7F0DE8F00FED7546068E7F82F6317106885F0138AFD399DF9A8FB83C345840129B485EAD2C570BDAC992515663FCF86769808DFEFB9426D6938E5799104F197D3A3BDFFF8C4BF5E736E8B78FDB01D6C61DEAC56BC9BC8073FD4BABCCFC6D15253CA7F9FBD06F41D3F490965671F778812F5237791223FF9A1E6DBE2DD318570786051A74E58FCD0AA1BAC8CEF0656A1AD230E0578F6EC60C275C7FBAF01053DFE093DF049531282BFE7E459236D9B7315DFDB72105BD2A1509238F1CC488F3CE8907C4F931EF89FAC9D6C7D624D6BE70169A283C97E95E28DA1B90A2311733565BB082BA845BE97EDAB6698EE25E35988149B61ED64F1F41D54CD2EECB8224A22C118666551067F607B5B5C569DC8AF082D3CF0782FFC638F149765F9BE50CC52C157A58936B3E0CAA89891C71F5B960A46020AC8B7F449C8753561812B9CE313A932D3F7FD7AEF526E6BA47FE569A180CB96C5C3081A73407B52D53C6FEE6886D"
+
+PSA import/export-public FFDH RFC7919 public key 8192 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
+import_export_public_key:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187":PSA_KEY_TYPE_DH_PUBLIC_KEY(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187"
+
+PSA import/export-public FFDH RFC7919 key pair 8192 good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+import_export_public_key:"AE5FA06AE9400A03F48C0201F4BF53263185BA76D07AB16B74869F141AEB365EB162806840F7B97C12561F5C6B9EE27521009341E52672786E10CE1615447F30E4D17F1CA049643A8CFDAC3BF66FB93B6C5C4805287D4E63D5DC895535D993203F309908AC8ABC3A96F5EF4E72E7AF59B1DC9D014EECB5609E03045B5F3C3E6C372DC0639390065C53FC911269B27A5A630BB847C8823127839DB138146E3830087AEB2395F3D0147F0C1B26297A7E657A1A430DEE1CE93C3EBEFD155EECC2298E664D77CABBAA51555C7C65FAC2957CF238F9342A39063B2F9C291D3169923DD7C3C275C591196CA350421788A06077137ECF4C41544672E8DC9E634AAB8F30D4E44C4E3BD93076B35D0A0B37F00416035C621D37FBBB434B5E3D460BD64D41CCEE8C58CB6A586C3450CC264709D065B9874129720ECA3CA5F5920F47EE8E203CCA740EFA510F7541B1241D2E036E43258B1530704D4E3A5F6C0001FC4ED82535DF672602BD421884EF381D485D37734411890A6CCCD7009208C72318F6D558A8A508774666D12E50E6DA6EAB016B147D618D729B441835B7D7B85549501A4B66AF7021EB27857C9059EA301F37B24A5E364F39364F7D406625416B9A00C44730A18C35A7D66508C903320B552CA2651724B4422870320C517B7A0B4C031C692B2D7524D66AB3289460535C6F3EFE2E42378B2927691A008734D407EADC93206DCFEB2ED71AAF7696DEFE34EA307921735FC72B4DB6B70A3381936CD90E384D38DE3C07C4DA7D1DF945EA1796148C40FA29FB5D5F6B2B03311550082ACB87130742910BFA18821380F729791E66454E2289B41FD172A4046B6961374DB62944A7DD572DFFC9B413BCF42773EA14E3562633CF134429FC7AD4F176779302BB421B44AB716AD0752C7D3334648EA3721DB7862D37B1B4C75068B2AA6AF0646A3E758F456E61F894028679F67E6FB9404CC063C005B78E46079984C85FC7A55111B1A7C81A197CF258E60B975FD4307D3AEBEE965D5175F81621E7A67E92CCEE0A503FAD2ADEDBCE717CE1D16177727C3E2205CB6C51D348590A7537013D49765EBBA3BE0588A86B65CCECE87B732AEC3C395D3336349F9366638F567BAEEC782495972869E9084D7A1DA6B97055FBE86EA1979301B62A82501DA13A00523F5C1CD0A6742903ADD15F2670D956BB950B075422CA76485780554D62FA11A461772126334F47CA43CC731BD4F35F48381A341B17154D26492B6185819012D6BAD352AEF19646516E790E49E5BF0FE74ECA7C850D0D75AC74160B953B43211AA5355E967D6305B2E1FC1170A01E4D3715F706680C7F628D41594D8954532338B3F30B90EE2A2DB0C42C7AF348FF12E410F523F81BAD4F41ABF92488726C451E4FFC160BEFC518A44660256687164B2606DB65CA8F8B06EB08A75DFCC0AE387881224C":PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):PSA_ALG_FFDH:0:0:PSA_SUCCESS:"3D1EB2C023E54A123420B9587F6985AFFCF6FE75A2F1768866CBAA10ABD5B7448409EFCE8786C0BD1D325FBAC47119A846C63103DAA8BC5FAF427C69D07AFE2FA0064A8BE9C33E30E6926A57850248EAAD8F0FA887452FF1467064DBE4041950CBFF55763AB58E1F2300C9B133E5D0FBD18604B93EC16BEA9CE340AC92B18DC188629A5D7FEC64601334CDBFEBD8126BE4743440C9A48F03F37298548C2EF226D44C296F440EB1E5F1128F203120ACE6C45D3CA992998CCF68C301CC4A32CF852FA4C2968C62D4016AF526FCD61A56F2BF479743D1EB62AD21120563BC1CE0D0791920BB89D82473F4DE75BCF6A728490F071899F683FCA10DCF6D9605749810A901F1FAAF96DC6AA0AF1CAFCF61E8A51E9E7A1BF5D9E5FDD6D63ED824CFD4016EF0782946F44E44B1B72B4CF9D4CE5E57A93EB738AEC084F02BBA52C385BCC013C720B0B98B78580AFFA84B0D204866B3FA39D73EECF1E0E6921D5484D929C1ADC7975741A308BCB060A43DF556F278F56CBDBDCE07F7CC8292FB27B3CDDB286E4B5A92552308DD8001F4BABC67C56B8DC6E5C4ED8FC4724A89441433EDD58C68E513E1940F5E6DB512574D7A37974E5739E28C03FECA3134AD8817E1A52BEBDCF2EE1F7DC66B09742005902A977DB0D617B8F6CFD75508F00225BE362D53BCA0AF4BE0D2DAD0A64054CA1204E31217F82D4F95315E54AEBF3BF98E2667A35A0017799C5479F369D8692317CABBB78C07D8314153D22110EA7617091ED755041A6E201F1FD76BC258DF84260369BBB2A1A13B5D266844A25E9A8F1D1279C349E0113CAAAB0A3D4510367E754980328B937CF7BEAABDBA39F4EA3CDE5C9BB6ECDA5BC44CC9EB6BEE6F2FF3698FA393DD4F85507415622CD7C0802240F7CE22F75F2DBA7CB7217352B34C57921B975BF2E73B6DA6A34C11192338C80B986AA3707DA64324056FE7EE2C0754045C7BC596B68FFCB501C186F89D618A76144C9CB35B59370D1D3E668F10A9EF6C851F6AD3FA9FA776E9391F3F143D7928F816EE4F56F756BF450E1B4F87A7B19EFB02850C45F6F7BCC87AA8FF27C474269EB53F3F1E28DD4D6BF1C6B16AD97F10418596D1A3EC5F664773FCA1E93743005C7230D5F8549DAEE3472418A648B91834BA7A19834B48D7E6DB57F7BD92887C366D78532A2497D9B9F35D598E79026F586D4DC1577FDA2B9DD5877A521EB9F3C87DFD77F5EC690519E04E702CE3A5203920A7B891F764CB0B2DDEE7EB01CC55EB45F1BECD4514540F10F03ABBA3E4D627DCEF89F1FADF26034C2D7C36E6776C7163D99BF5CADEFDB142A6CD631D3B58269F0116B1016633B7CD4752E2F636614ABDD27592734B8BFF08E155C350808C6072C42E46F2AEDD83EA6FFBF3EA5AA809B0F9DABF6CD8E2E0E1BC998AAAA0698F44B1819B0D7A19C2067F071A932D10F0281187"
+
PSA import: reject raw data key of length 0
# The spec allows either INVALID_ARGUMENT or NOT_SUPPORTED
import_with_data:"":PSA_KEY_TYPE_RAW_DATA:0:PSA_ERROR_INVALID_ARGUMENT
@@ -1039,10 +1203,6 @@ PSA key policy: agreement + KDF, not permitted
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
agreement_key_policy:0:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_PERMITTED
-PSA key policy: agreement + KDF, wrong agreement algorithm
-depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
-agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_PERMITTED
-
PSA key policy: agreement + KDF, wrong KDF algorithm
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_224)):PSA_ERROR_NOT_PERMITTED
@@ -5307,6 +5467,79 @@ PSA key derivation: TLS12_ECJPAKE_TO_PMS, input too long
depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
derive_input:PSA_ALG_TLS12_ECJPAKE_TO_PMS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"04aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ERROR_INVALID_ARGUMENT:0:UNUSED:"":UNUSED:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+PSA key derivation: PBKDF2-HMAC-SHA256, good case, direct output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, good case, key output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, good case, DERIVE key as password, key output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_DERIVE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_DERIVE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, input cost greater than PSA_VENDOR_PBKDF2_MAX_ITERATIONS
+#Input cost is passed as hex number. Value of PSA_VENDOR_PBKDF2_MAX_ITERATIONS is 0xffffffff
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"0100000000":PSA_ERROR_NOT_SUPPORTED:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_DERIVE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, salt missing
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, password missing
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, salt and password before cost
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, password before cost
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, password bad key type
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_RAW_DATA:"706173737764":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, direct password, direct output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, direct empty password, direct output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, direct password, key output
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_SUCCESS:PSA_KEY_TYPE_RAW_DATA:PSA_ERROR_NOT_PERMITTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, DERIVE key as salt
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_DERIVE:"73616c74":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, duplicate cost step
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, duplicate salt step
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_SUCCESS:PSA_KEY_TYPE_NONE:PSA_ERROR_NOT_SUPPORTED
+
+PSA key derivation: PBKDF2-HMAC-SHA256, reject secret step
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_NONE:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, reject label step
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_LABEL:PSA_KEY_TYPE_NONE:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
+PSA key derivation: PBKDF2-HMAC-SHA256, reject seed step
+depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:PSA_KEY_TYPE_NONE:"":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
PSA key derivation over capacity: HKDF
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_over_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256)
@@ -6494,6 +6727,38 @@ PSA raw key agreement: X448 (RFC 7748: Bob)
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448
raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):"1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d":"9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0":"07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d"
+PSA raw key agreement: FFDH 2048 bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"718ab2b5da3bc6e7767a98fb2c172bd74003fae2acffbc9a53d9b358401c1c748da36cab277e9397bc5eeec3010321d0f882d959eb097adddc99745526b213e30dc0df9fb1e4cd3fc27bfb1d6e89c715373439a66b9a13aa1334c84799827c17be1c36c1bc02fe60ea698da790fe4d2af710a435a1aae7fb11cd2a90a17ad87dde4f154b325dc47d8ea107a29d10a3bfa17149a1f9e8a1f7b680bfdca90fb0913c0b681670d904de49d7d000d24060330d4d2e4a2381d78c49e272d313174218561ceeb37e2ef824905d0fa42d13d49a73018411aeb749f7f4fc765bdc6db58bcebd995d4c949b0061f20759e1263d8f9ba3fd56afda07c178997256bb7d5230"
+
+PSA raw key agreement: FFDH 2048 bits (shared secred with leading zeros)
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"9156de25da686a831ca0645bfb49df73e4a126ab864393e943b3d12b7ad32cbf21709268bf918c4e03e9a3b54bd230d88f1ceaa2810fae5fd4091d31e76153daaf0da9168a7b39fa85acf618622efd1f70d5866e518f256d0ff90a0c468c41a329fb1dd837b18a4300be0f25b108fe7210705cdc0436df84592c1a8b372c5028d67ed5231f846452c942a5f087b3830aa139b0b045a7ae38903497e4ddd0585ce20504ff70e13dbadf77a73d5514eb9c38feeae3cb773311b360f8304f67cf3f2282e4aad47f1494b5823ae2196a23ca426426bef427e4056df1f9144b20bf0b1f6da451f8eead38fdc5bb71074e4d43e21bc6fa787a681c0ef92c633d73b348":"8a73c0f5d874a2afb718efa66f78c80adf713562145a9f5a1df5f2bb9ead8827eb518a769dc089364768b27b2e49ca465ec7c0710b3054ae256aec25de72bd435b3ede0e17ab50cc8ed102fa6a83a9f09454e59e218b894ee130fbd772fb95a83aba29c6b270daba1f3842b2eae2ad1eafe7945888a55cb459547d6cb0b276d25218df8948a86e49f3fefae9c5b30ca8a7fd1bac1c3a5cb4dedfbcbb5c6e5bafbdf8ffcb37d245260d00658450fad1ced83b5afedc43def222c7196f0531e101b3a777e5f5141597fe8c093485d0c8cc752b03e7f551ef3648b1da330fe3ba5dbbb9f11c1a44ef6c0c9c492b6140391254abb7ae8d3e77b4655ab6dd155ba2a1":"00a376f5bed9c27cfa7fa6e01ecd4094b6a189a6184270ea22cb5b2649a6c4b33682e0625536f7d61722fe85381d8ead8b283496db84f8e6b2eb7c5b015eb15c9bfa5eae290612e2aef4014d6bdce902f5907f73f6722d827b73297d14aa677ed1b75bc26785bb32cf60bed1d9467b2ac069ebe48ee9196bdbaa4565f9cfbff3c31e812c58d65bd5b4c45751d1439930d2ea237030307623a0b149a21077397ec5e2c50610c01f76cdec43ff2f9177a0b3a2b18de2a787d42b6f8bdacdcce49a6884f38c5a729e54ce616da439fc9fd6d7d266188b79e40800f22b8c21adcb1f8ffd2f5225e3dc4c485dc4df8184c04f0dea3b2c3f9b04e42e229fe1a24a77ba"
+
+PSA raw key agreement: FFDH 3072 bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"ff5de4e90966aadab8299ddbf8169af2c0d8d0d99a17b4a2e62ff55b36a69fe4566a775970dd0c2904465884b75b67756b0d04b68838e80d8bc84a741cd67d735ba7aec9b55a30cce1df81203fd5deb57bbec027846eb010054b4d5b911041f721358fc8acfc9c5f06d76932f42103adcde97d5607d93303a94fa9f9caea7108ce67a9ce866ef11b2b4ea8c2acb27340735ee8c64e7516e17bff3cf3ede166767f30cada892997f6b5309fc2cca54364678b93d044b4d8e5570e1f64127fcc21d8724fff275290d803df5fa413ec2f5231ce75a58f14a467cb80cc3c4f1f0a4a62ecc17c65f2723d3f7f804b2a02c91adbfea1b2bbbc9cf9a38df29da92a71375447c81c55b8fb4086f71d57e3260da06e08393f6329aa35e673a75545dee66d01e0c7243412c6e2043a984849b67095be3fb3bf39fff291639c57e44fda5d7c1898327c40c1815e88efe0330b4481e462d30e235f607dc9e53d99521f527d65bf3edb4d0332d6d074e652e84a2ffc5d75d1734b55f3b446db122af2a502f8a0"
+
+PSA raw key agreement: FFDH 3072 bits (shared secred with leading zeros)
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"1c357f078144dbbf6815e798fbc6d98037a65bbd01961c6eb82d1f97bd0993132cfbba209e95e8a231e3bed2616b41119cc5a2f97d5da71ac2d6d0a6617a4e7b5d61857627cbfa57161de3aa6a2afac23f50e4a35dca1a82376879e695892a88323af1c0728eb1a76b2d3a1684df3f91ced0728f954d5349981cec5e309137f6d4e837d22f24a13fbd7985e2169b61aae812a68a1a4b3427b1e9f8612002b5fd711b9c9518c777c4e554a5109c9f079b929d5895df748a24d659d39e787076a1f1d9237a89b52c296644165d2625c541ff5052371093046f4b6abc28d3d2fbb4eb1cd2aa3d393a030f71c7050681b017febccd3bb947c6dbecf6fca28adb2a0f06e7cd9a6aa6eda160f0a3098bdd7a719f31beda56ffa0e26a212834d0da1f53e0739ef3ddbd119ff61b497d420585e3a8ea7cc3370829297da76edd3fb701d8efff6116dd87e6e542e82a76ab76cf5a75eb4638e817679fe06a5a3f04e67a101d154f4c2ccbf70b8bec0e5663fdd838ac0f4a4da02f0071e514b6c6d0ff3358":"17ec74c211f655be646c2f006056230208dcff38644efc429591562f3869f867e7b79cdfb3e426fef60ca77d9fc80ea39e21ec060321bab3c7820177eba4242d0cd9f0301e4da7146608409add169ed05dfda2702a437f3e2b8cd162a0e50da2682433d50c37cc1aeabc5c7cd8fdd359381a8d192af00d7f41b8c049b1e552b832224b40f9d85c4307f0b76b0e2605858fb33e594ac1d0c04d358209ad47133e76fa8dafd0f2370b1944a4780138618eaf66f6d4961c584aa7a34bcc1c78bbd15e7f5a2b8beaa8f66819dc04eabe08b24cabfe69e2b78a12470162ba6703bbbcf34890b8af761d36c33e3b72f631dbc5dd6f1fbafca18a8498623ea00bd9aa6b426da30e2ebc27075eb589b237d1dc54e215a6b6ec40220f14e320b72c5f702ee496b53a63edd5620294d9be88a862544c561b4e175ff3c094ab3adacc579334cb95fa2d29b17fa483ba50d6270b6478ce4f26b564bec6ae82a60e2c15456c4610b6567ba7d91218b59a670c517179d30d743751ae3c3e777ec1f29af890b2ec":"00abc3c15e3f8156a2785949d76c96c22fffb49b0701c29fb6711b51af0ce2851a8b469b4cb25750e2c35938f848f31f179470e3271eb6b8780ad5d757a2c1353f825baf55e5c76fbf4c73d2f0cdab409e8c4f85c3001da101cc97bea764c72e844cfad5f00cb8a81a5bfce5a4bf62b68ff2d13515064b17f23b7f6e6a65440856715d2696fa1957cc022b29e38fdbb8c2a0a54e22595ed66bc4c74c36d525b60900c7427274a9d60ea289a04715a677fb9c71eb1dbb38e30f30b2af8fa24f18a5a13e9f6ee83aeb4ec3f9452986399e2673ada70826b0a84cf446a21cce41e5119bf50798bc5fc9ffca9febe4ffc9d64f1b8abae11c7c8f5da0da2288b0f7a8aed286af03d06cdb1914fc50054bdd46c289c18b14297c4254b39ab5fd719264841b981c6531a80ebc8a59ebdfec9ae0413f3f9795622fad3bd34778e539ae104b8a85918401b10a3802a81db413bddac66f83b6428a33fe5c217a2d0feef50c8ef933d6e3d0f10d8b8630c52c89ae78385716efbfb855729ad0e5ef39828e6b"
+
+PSA raw key agreement: FFDH 4096 bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"262392693c8ca0da404d0195742df69a6b87d22984765c91e3c9dbbc0293960cf1f9deb7a25998a91f8c6b9756224435fc143f31690af35eb211acffec542c8f8fbea3c9112d666639d40a699467bb195815b8b816363ca44baa4df22eca425fa9ab1471ddf045f4e252090663c1c536dd29623c324c7e18b694f83a6c655fb3d95d5a9831ccc9978f66916e95aff49d973f322e2b43f5632a19d79d615a56539aa2ec8f4441bbf4f8016f8c23407e371e9de212c6f1d7d3ca4093c2648451eef68c03aa251547e94046d5fbdffb5cdc0f713bc390111d6727fc1d11243046203ad6632d91c1df3efa77ce530ff26376a208349f2b18628422c9ae13ef84f4a15c1e05ce5fb92ff55547943db4727d091308deb85f54acb94d14411049924b79da131e736a9af42a3fa7139d0357925f430c6cd4330b01ff66f5f8cca26f4230d562f45d5f75bd6d133114449205263c5631f3d561e2ed81e6aa54376094757cbb6f6857c03574e9f6042dc80ea78be470b836c5371a3fae8c119f67c28f856fe70c2affb46574a4356e995a45bdf35e50a6f3a2556d3d1d7c42db8e63430933ffc4783d571908a1270a3cd20d87678cc288ccc183c7cd7512587536a8e15267dd5af0ad3b501ecebc0ecd9ecfd410ce356f9305e4a32cfcafa676da5b5a9ed9b13a5e4cfc06e87310ccdc3ed988699610d7d3125de13a8ac0b59f782859f0b1"
+
+PSA raw key agreement: FFDH 4096 bits (shared secred with leading zeros)
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"d39cf86d9d81011fc48d3bd489decd4cd520ba87e469b5899fae777109ff7b43c8c809814521a8d66ac33099c9bd2a8567a202c21a8b5457603ac1ce95ea9ae705efd69fb7c514295059938d818bb65b7c881d1ef9541346be2131143f51db13109e9a4fdff1ef2208839c89eb1c1d52018c77c33f5b7e73a747002997c75f4a3dcf15e7cd73938ece0cdefc9fcfa2c4b1c3416eb2fecc00ce328b0b2bead58493b3e8c25d3c0a675bf6ce2363917d1e74a7987a464709fcfcd1b512b67dc1023ade2cc027109169ffcb51625fbb0c607946a6009811be07047024bb6e517f388a99a08f2c73b7e0b779d8469797eb3153f2e5ddde2931a8f97c586e20c5e521b84d015a52f8e13d5fa34c32bc118b62d34cf157f1db40423f384a16a78c7e1569a5d754db6216f6412abfa7c440586c506d5be88d5172a311b8f16f70a06162dbab6ee09fea55c47f6538d3775d236cfa50824f5c8bafa44bcd9424aa620ef17466413f35aa6e6eb5c8d8a26a7ffd6e8bda2dc5ada4b296885635fc8a73933de059ff403fb0a322bf6daba24330a7be204c307f44260b4d34000d2142f79654360af82179f9d5e18e8f47c7d94a10fd077f011bdef578a2b57d5a382ca404f67fd3c59d95a3481f1311c7454bb45acba1e1c30acb6a9fbda70aea30a9ca76471dc46e504abae9a06eb9a8cfed83143cffef3c530b03185609a55484aaf9f677":"b7baa37aca4cd56e4107c3e428a7a568adbf678e741ad89f157f66803370618abfd8ec7c159d84a741c276ea119eaf2ec1bc4431a073d92de3dbca1287a37522b2ca4ef8c0a0fa76c1dd5f665d498ae62e5e2925b6d921d797d76d86e27ac8286643c19a2a2b1361fe7dd772766e9511127fd0cf92ad98099a9e1760ad969be0a7df4936f1b37455cbfe3a1ac9b3b83205594f018bb5f64970371d4e5396f4c5e8cf0cffaa4525ee811b39632551af470efc435fab26e3cbd643feb0113bf56fd4bced3ad743e55be2eaefa7d36833f56af570ff773a3a3cf649b1ef62fb300c4c5a70d70e4d6ba1ca405483f036092f5b9f94960306515fcd4a0d8a086d826c105924d05ce5ee3dd7c62d61d1a460772b169fd943824e0efffdde3f27439e112766780bca7b4c82a2c8fac1d18894fcbd40ea5f7f23aa27024870404cf1832cfa025df193f31aa275fc685fb348c321a2186adf32c9cd203cb4b1c49b8afffbfe11e1d443711a5a1da302fa0e52b5143e6ae7aa40ed4828d03a17443f04061f56c2d3b83298d617cd3a78cd84233dda83c4e541e9b98f0f4e7fed504f888ac929f0f3e00e3569e0f0aa95dd811297efa8af84c645d59bb6c2e968c1ba77772d858ff2d7448b65c723f6a87604ce938b670b612b3eebaa795593be2cac1d631c1b7d9baccb2cbebda6019eb42469ae4209a953f48c3cd438cd1b7b06c8c54819":"0053ad8c14e1ec87d76bf9127e084beaead313bf93f0f241442316af144097077da91c83d68c78692dd952036731624ec8ea8bf8bf85f7a278289f667bd5d92a6aa2e41337ee9e6089f8ead48ff7e179c80bedc10fa6e6e0c1511f33afe96f0890e6ef9b6f981f8337e60ada56ce0ed30ab1f6f8b72a3234cbc77db017c470d549173ae203cf73b4a5901a4edf713a866069bc7790e799becde1a088e8c3e3c41ac8f9c9abf8561af51f738577e183197c85e5d3ea5bfc6471577e7daa5cd3ed53f7e72849890d2d1f8ff0a830a1ce6283dd61e5e04b25183b42074e193cfde4ed2e35b25fb57715f74290a612d21e404394d9bc4116952cf962c14149287cf71d7c8bc26a9eac0231a0dfc4ed68fad9ceb195f82ca0012c8c9ff4350bb0a2da913af26fb0f0940541dc3ad788d3cc8512e0dfdf7e5f9604437492ed8b52c5b0eabfa04231a90abbf1b29298f33b55c4e94fe7af4aa94b572d4a7f4cd67de41b90f3224b9ce57d6656835560a8c8d22496d8dd15ac37866dc1b04cdbc23847e5f2bd8d1a5639c6e91612ceba11bd1125a75dbed89f01ba738bd27ca0a788fddcec35b823f986d5be1acc037f56d236eebedf8ec50e831f532194a62740ef45b49511abbe51b7179ec04b1aa752c0182dbef3e099579fdfe2624848bfa1c389a06039bff756d4cc0cb9cb4cc2fd382336afce62a20975409e0fc5a45e7a83416c"
+
+PSA raw key agreement: FFDH 6144 bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"ede0361026e81a9ad960f674de49449f12ee33c2dda7028c6b7fad7f8f8a7edc495621a6d13e47847873a954adfe7bb6a2ed7c9bc21f3b57458d9116ff4ed06cfca40e2002a70bca91a9a9e0475dd74be7d58453d3cc155ee0b0be20197e14674a7a6f8d903e211cbdbdad1e3383d0d1ae6b4d56837671589d8f151acb34bb4d1cdda55a0f9d1f70e80c61553fd0152bc871e930054efe763fdcd1f8fd1702afa61b3471e7a504612c58ab05ed581b34e2a884c5dd8d2aa919855351719e2cb290d00f0b161c104415f5579731072c1382508421c8d674113b2fe25a0e979455c8f145285ed3d32b744153d3ffab7625a3173440f026ecc62d9dd1bbdff6136f5d9d5245ff307eabfa91f6a10e7cf62a889975c0afd2f707eb8a43c2499c05029ca613edae2741f8e56b186a6390fbb0962323ed6c492620c1c8a24f9a89f15c00bd7263423e714db0fe0381556a15a8e4d1b7383d52fd524425e0200f9d410833330253306b1c23c15c08310bfc12b48131c120db8444d34dd951c5fd6df44e0eecbe92ad5f13641600db68d1d2c7d8ff460058c09d89d4febf2fcaacb40c900e19e4dc868a24ec61361c452541a0fb13da53d61b59806e0598985031e161a2e887420e4c6ce217587c72cd3a7b3085d2383112e1066277ed63e82ec16ac6dc7ce0ade255f30275b9798d4476f31d8d237c4d79b13da9dc6ceed7fe626e4da6eb6cfd234b8fdec4fd4520898b13a77aa034361c0d63edef55595e3e638b48c1c00e8c683c8cffd9fac2a33f73e04aff1f4624669057c7faf51f996e3d64bea3097b4810f99c8f078887be2440f67b249467eb26a03210b4d2baeaa8dc9746a14a6cfb45297e121eef8540eb438270403105c11ef4fed87127545b81e37ee1f942605a5a46253752351dee91d0a171031defa9dd20cbb942e3940fa43542f6fbcb0980f6ef2b36297527f7c0d47e36ea203ab924e937ca10e9d9e64c6419a061a300f86ffed0e2e72a1f73310efc00118dd315a6b01e19406471e071e4c153e2216d525195357fedf3d1f12d2c1ca659bbd1a6d1fa28b6bfb648deec17f8a894"
+
+PSA raw key agreement: FFDH 6144 bits (shared secred with leading zeros)
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+raw_key_agreement:PSA_ALG_FFDH:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"8bc903e9b5b0742e86d657f64082205c1d50268b8d1d9260e5474e8b686e63adfab13484cc24e35b6f43f5e998fcd7d92c4aece9eb30b0f51b7a2200911e6d38b41da23f04e37697b6a7ac053d15676b75538aefb6693be8eda8b7d07b7611fbc9673e98d8580131cd3462d8851ab00f5831497cb89b4fdfd597a4fc84a9fe1a28ca3ceb17b70334af2414fff73584f2a21fda89c10e2b23a4b454ea4cd6d901312e52a557d45b9350dc8e8b08eb31a73095f014efebf1336ea2c4938fd477f90da212c92eeba483d784b377514c3afb7e34f8dbd6d4ca281aa0bb9167d6d96894b225deccfee7453739becb849c1f381720a59836df967d6525876509515014e46b0a8b27afd304b5db238dfdbe14afb8fb1433b05a00654abede04978f84116e4e3e3a6bdc9ef558dbc1a9cc5c5ba1ee4bd8654845f04106d3b1b48b3208d109aa96609cad246e543d94683b8963e13597dc4aec21b0959e7e6d73efc91ff2b9b52f0e9189f0619264b9893f9289dd8e9bd6d3cbccf079ab8fbd525151e704bd517ee8f29505046620048a684883e6fb858ce7b9e72ea35ae4ad7ded04f39e37a3056b6b695ef2032cb5cf99e22ce5500ba0315aff86516c42b1288c94b46dc0548c7ba07c2b2ca8423b9ba4782c1d4626589ae2b325917484f8eda07f2071276d3fb78bb71a5c501396302eacd1b07b28487c580c5ec5be236e1ad4fcc434325b24a2409c236a85f7b9e0e66f6548a1814c519919d8215b0370b9b3256aa10a28a05f0d2265f6fa7842dfbc67c8f32e9fe12d0df647665ba9809349e5ef6911a4755330d004de03e598cbd7e2b80c259d9d66050177df8984263a7c53abb5ea3157945b727fbf1866649260e321a7ad5eaea41639b35ed6e98b74ab679eab93e5873857342fbb55cda604f57222555631741aa97d74b5eff885aa45ce5a25d34841aa0ea4ea317267e86c45f713c81c3de81cd6eb252053544a5dcacd9f7388704bda8acf83276975f03bffd403eaf199a7a1367d2e6b40c7d94e23679b6520eb40b5d61f5f56c6939f21a4f1dc00f13b5cdcaaf827c760a6e4a9c5601961":"b3795eb1aead05ed8b950e0a00fa12ac0ce4679e6f7715ffd8b5df04e5b068c82210482d3a377b224dc7aec1dfb7e4d635b9fbc22a5534b6a4cb50d3c39cd0dd5e0ec45ea69a3296b83ce89b5cc0c5e15e4934212e8c33ed23939912d0cd738eaa949f763450d5a07fb1540207065f1159a55af7f80bc48c49f88164cd4492b0020902c78295dacfe593fedc1914ddefebf45b5eccd6830681a80c853a3f2389798c391aab3baafd578ad0bf0dfe5b63fd05835e215c6850c0f61e48698053fec9281f0a11b45cc4e259b310a9720456c481031e0467401afeade395ab9b664d9fdb42f953aaf9fb6501c2e105868201ef26d58d31d473c676c751bd892a84a59441f92f7b6ba49a7e385b3d13f806e701a7c339d37e5596414631ed95908c7118f45250acb68f6f2d9ea4bfcb85dc75d21a03a5dc2b86d41cc55753a72a185ce94d20cb897f8759b4ba41e56fe9cf6edf7ee733581589b319e85300b7f479b093030e2d345584e2934dafddda62701404b628b2f25a15992b7ded6271fecb37b817316a908ede803285da3b57986196d59b164692384d469c09b4551b37862d588294a022db7deca641ae90f9a96d75612d55b673213419a450f7ccf78a2fdad291f6c905b5e1a0bbe90baec1c2706d7d81ea8f6d68d350004ea00f24009f6121650547e84b3edb66d969af206f5011ededee736eafe4100e4625ced482caf2cdf6b4465927d8fb138bebaeff652d6afa0fbfd03ea03cf70e80bd95ade41443b85bfa1c56f770f123ba3666412cc2c6997de49e90d7d9fa1722894d6c4f7dfa349e9a9c400eb59b4ce4f6a64763359ed1bf2327f552052070bd4bd2fc1a816e8eddf72645e7fb0ef10bf9c5dee2b386ee2258c99f8ec5b91d8e043b9411870c6f02d2df7863359e46e732e3ffc398993a232d812f934737c503f9d3532d4126c72d5dabf8ff9d6da214fb9571ad180935cb6d01ec1404c85346d9ca858adff2a8ae87ae2d9b99c3ea1557a801703bade1d349410304dfaca488cd5b90086dbee91d60c7dba504721fd54b38fa0835cf70b2f48837430476d5fe8349ad1f2f38":"00e17befd66905acec575c87804c61c047abc9a724db6337e34975980eb0395cf4da8c956c823fa23c52b901bb58a9d26eff282dc6a0f588d71a1636bb919ca1d564f400d7a8e909cc9c59cbaf18f09d5a2101a7afd32687657a3cd1b00148cc84411ff3f07609acc8c07eed678162d1d69280f1072674dfc1d6819d45d8710e2be12402b06b846d68f4088895ce64243f24156c1be33031dac21fb60916ebfdc3939a6bcb012c66c7ef748e30f43bcc08e13c5dea85703a4928166501bb1eec25e61ba5c187531bd982fb310e56656cadfe4f7f756c8b71062388d50cbb70a7d07220912891c4c736ef1ec6390d4bc12803f20c8f1ffa7f41996ce3c8ab792753165fc25d2c1b373f5664c38ed688b4d096a34bf2669e8245bb55ad4c0ad51206fd082969bef351c271b103aa1592889536a2b9ed18e02035a457735317bdca6b7f7104af64d30270c732cfff302d7b82c1a602f16194ea62290c1ed35e93911a62743b3d1bee83c01669320408f2219f2d53c926acf014150ab47ddcee73c6159b368ab26f4da25c5440f79fb898473bdc2b7c333cff7cc5f8332b43ba1a49c327bc5b5ad9459afabf5e9c8421cee51ec0a6821e7af83af0ba2857ef2dd1417b250e2e1e14045883a26e3c70404c53998daf94d8452ade76e0e886324cc6301cdd40d04be33c59ba11bb7e5ef62186647d3891b221bd955e109f5b9b3dc625b44cbc3359e8b2dc4b90171d4a0a47537e095e0108827b3228e6ba325e935a2eb2eb82985443c7691ac208d55ca8d7200adef6c9b9e224190f672efbba75554a4c72af539c70d0bb7af67ada46a2c46311a91bd67d7ce724581695f6b4b2c0a58cd23b84873a76556bf573e447fcf583395895600aca30340ba327b44df33b1aa5c51f515c542c37fd9dba35534f94383300c23ceb8426e46ada509e03dd06fc2ea3fc6b973ef02dd6cb6adc36d76158c21dd8975c0eaa3d50082b53d328acd5894a1229c27aabd513ff6d8de6e2e780ef8342182182f85a89e6697452166f4e012a6f3f137c8d2a5e279e1f490995d9618f177acfac9f16f65bb89c2087e7b5"
+
PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
key_agreement_capacity:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":8160
@@ -6522,6 +6787,54 @@ PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 64+0
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"3bf511eebadf44c1f7b0282a1262fe4ddd9da23bb1555cfda591ac46b088c4417883c010f6e37cd6942c63bd8a65d8648c736bf8330b539760e18db13888d992":""
+PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 256+0
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27ada":""
+
+PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 255+1
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27a":"da"
+
+PSA key agreement: FFDH RFC7919 2048 key + HKDF-SHA256: read 1+255
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"4bd2bd426bda18aa94501942095ffe5a9affed1535b942f3449bce8e90f9e57f512c8fdda496c3ac051d951be206365fb5dd03a7d7db5236b98ddfa68237a45ef4513b381a82863cdb6521b44e10aa45de28d040326c5d95e9399ae25f6cad681f1cbf8c71934b91d5c8765f56d3978544784f297aa60afadd824e4b9525867fea33d873c379e3e7bd48528ec89aa01691b57df1c87c871b955331697e6a64db0837e1d24c80e2770179a98cae9da54d21cc5af4cc7b713b04554e2cdf417d78f12e8c749a2669e036a5b89eda7b087eb911c629f16128ab04f0ee7a3a9bec5772cfc68bbd0b492a781b36d26c2ec1f83953e192247e52714c3f32f0635f698c":"6d34e084b8d0e253a894237be9977e1a821b556ed4bc01cda691a927885979b59e55a30daa2a707769474b760e9f1c10544b2ce74b26efa4f069e05ce70471bf6b7e6c08a16fa880930790204e8b482478de0682ce3f58450a4e15abc14d05e13ef773a10a3e8bf2219f8ab556c88dc2a301b362c2d4e94bf2f0006bb36d15a5096ed1342f3f111ccf123ceae9bdc7bc0cde5edc9f0203f35f8a98aff6d75975357733a429364ed3aca32acaf9f857ef751e0e246140eebdfc2b403b644e42c48922f7f6cdaa6a2ef9ddfa54fb83657492f9f9a2c8aa4831601f9b11663e94d968d8be6e121aee2c79156e44aaa650bb26083983a76cc5883538d4794855ded1":"8f":"6f6b349b2c11a941882de0d6bd0dfde68d596c1f0b85d15cf94d651f99e1527e829d95fec5ffac32da6c5367785e735f126e1f2a326e8edcd6192452ce0ef7a11c541feb6b7b81bcb8c15a5db04ab407e8776426227ec335c2840c2a909d7914b158754dde8980dbdf607d63f0b9778f81df82836529b2e27f4a81a390bdbf848ee16817fa80d745bf93626ad0e19930fcde46a034a25f168c14e006a7d4e3cb2fce48797b5b2edb0a6c4995cf1ec0dc32d218a4b52d929ff1fa50b63af9b2c0e7045bbb7f7a0f976d1da8a2617294a67cd0f763e5bc50e1037ba5b49a02f3b1b5b6509bb0e2cfd67ff49da0e6fec01c06a219cb943151fa095bf5dda27ada"
+
+PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 256+0
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73dc6":""
+
+PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 255+1
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73d":"c6"
+
+PSA key agreement: FFDH RFC7919 3072 key + HKDF-SHA256: read 1+255
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"c60a421e82deb778eb468760296ee4faa0b58ef058966fc457e8015185bb6c500677bf5a5a88bd8dedb5307ccc3c980a2bbe9a439c6b0c7af6c961e5b9c06f47212fc0e726da2f5bdd3542fba74e1dc2294caa1f363d942a92a391acd84aecd045a4a318db00785129ba171b31651b0e930eb8110a642dd63ef5ae1bb8c6e3b3971507c4057530d51ca14182e884974e20723dbfdd5778fa0ec78fbab26811c097f0dd291ccd7a6967caf5163fa04ba921448e1d3ec8de4ff3bc87dfdc35e53ba1bd4310fc9c98f68332ea0483ec051900e438fa3e5bcbf901771c740114922a7d9a74257befca7f9b62b2991ef6c58dbb1e516bb1ee18c8709f134ab7bb2077ec03356279a46f2978e6a89df22b0120223f6996c290607e98ecf14c36e2db62e80575329f4787ddc7b72856cbb0c4fa2dec9b391698832f559cbef49979c72e63cb3dad5d948f1c00219b47359fa75ec3fd352aa0223773e246c2fce492200b3a6e213e5e30d69cf3f56af43b0c09c0d647784b2f209c4fd1abb74b035d1ad4":"c9185bfe9b6379e0cbded54f23ed487b2a692c697cd1de74c739264ffb26a8d48aca7169c2b8716f493777e79e1a4517f79af50666e57fa821b5982a37aaf92d00805dc92df7afcd60256442264ff368e15012b847f85c7b4c3eacc4bf5c0c49f3018f19ec09a82c11c30cfcd60b07dd59e262e0387cd6473e2ec926af0bbf8d91f7b2dd6564cb5971dfaccf12c044f7c423f4e7309268925a03b51dde987906b40236046d2515e6be4524b27ee7675f2f58be2d2177f1624dab1118d265b8221969dc34686155d6c15390fd42c394ca2f7a3f403364a507b0a8c105c2f1022d321cf5621dfa7a28185856a26e952dc14ee4763fd1ea27b94284880fd86e2f1a6215aa3bff98bbe1b93d397a20647edcb38f043b9dd06f81c62e4caf74dae77b511977c07ccaac5fee2529e867b36bfa2e1488186bab1c7990fcd4c30ce7c9c536f6c3c2b9d2ac4065a4fa7577ff86dbb2df8eed95713e85457b4a52251aefe1bb1b4c8eda66002eeda7d28af37f00673dba3f9f57d1a416abdbeccf75a7a102":"d9":"f28018a351a7483e40752ef75085e44eddc029a61f8702e4f33a0ff6d5153696a01ce519e7489f19abb13417800e9daed64bb366e08c706b75025d57c4a1e29717d8d2f28ec23a59ea667863b9ab0e8e5a01140df46df7f36aed84852f9b09bb0a8552a2454c936b50f1a9db290a039336e431bf3b58eeb1b6ca7eaac7dfca12a5cec02a648807cf14a112fc47ca1201133a39e0d361308a76aa313ca1e7d5118e27c7f2ee4aac78b29eccb8888ef1cf6a389df7ae25daef1c8c89184d1cce78a7d61831920b43b08122996090a0e790070d002a56227be45a06c070632e832901a71b3515c77439b094321da0b4b5f37ecdbec3a9f6f8a1635c5beec73dc6"
+
+PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 256+0
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de87":""
+
+PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 255+1
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de":"87"
+
+PSA key agreement: FFDH RFC7919 4096 key + HKDF-SHA256: read 1+255
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"f085888f40e34d91c989fadcb9c3e8be8f4a270d75b90d78c9b3d7569e09662b7767d90112a4a339bc42e661bd0e464b26ba4eb07dee300dfdc38373ec17a5a4e86f3f4b5ae6c9700f8381ac93b564bc0b1ce64e03bb825aa21a8e87e572ccb13a5a7b2942e4b91a321c5b5cf87b8bad4042c5b8ba971870061f7bb0869e57205bd64ed41026d5093227eb9fc4abca6160376b9b9ebbf431b6cc7a362726f553ffcca07ab3fed69a60c1a3d6d7caf989c57dad04eae71dc7e5da1bd6a65d3f4509959f61741ad91b6bdc98c0cae835cea940048d325f1db5e6217b8a0c977741511c967330819115d325a6da3ac003b66364e52351b34de0e954d5df7301ac0c2772c461872b72c9c3bc810789d16d22f57fd57338487ff66fd01434fa08a57eb7b089686cda86c9dc9220e11409c5ecd7b2988c151ee24e19a5c5685b4824c60a29ee363e75f783d97a57cda08a9e2152769957163272b3d5e82cdcda71300566356c411dc01a2c24507693c819755568ea461b755e89e9ab150e243ae97d5878f58ba87be9a6bab3726e962f92e2305999cafd65aa32f486ccf2edea46ab4b4cd7e3130f2e69102e6a4d7104db2f9a66d0ddb4faa3ae34b3bac6007bdfc66541bc3f45db3eb730ba80e102850604fd64e3cf047825246264ad8e1e716aa44a99275aab9ebf0b26f703af7460a8e502088a311d7c571bf0905031ea6561a928":"f614318e0c2cc96ef5b9cb576e411c7319f9ac4caa626307c110018ff7e5082894147a1989166983f181ffa0ed062d7561af3ad26ef7339faedbcc6d41d3b53bb71f21de285c83af911a9dfc68e6efe5e067b36a5e761dea0b243e5d9af351aea1cd22841062c6beaeac0e66138c9562e3efc922bddb2f2709075ee4356337597fe9bb16c5b21de3017d06a18e98b606931c6a1d96f60fd22c920dbf18210178f844c9c0646a779db31eed21c29dff3556fe6f608c6db80e86229fa05117c624094a7d0c106718e9534de55b469ed03dd545c80b2134f10a073fa1d6b366f46727f630685ca916c84d28417b1753af57248445f81573de06bfb17bf6f3f6e5e72723390719e881d54ce3a76a79e4c3cd78f293f5ca90ca31038c4ae0f6df379177a96ceb0e55a85669335dc634f67d138c40b58474dffa4695c017ff75db55b37d9627836fad1813a9dd13e61ad99b96a488cb49348e1e75aefbad5eac288387381e6d7908c16b42c8f071c24b518feb1b4d38a538e4346e0b88c526125ae5b2fcf8e0f42608f5c5ef47b6b225122d5b6c94c2cf42767ff3df1f29461d72b7fe4eb2273c857d18daf33ed0cce043a5c389d116ba02a9ba5c8140d11c52249019749417950f444529a635592b137d30ee6f15fee89695d99e5f322d2e94c00d43d24aa63e0e68c27566d19e211f7f24e1cb72940cc9dd0b0cf34f69f03ee32be7":"01":"ef64db547f29894000820395bbe27406c2c6482207d6bd3f517802b02726478627a4d965c9f062626ec5b6bea63abdfa71f6de07509edf1240d420d4f0ae3d439bfa6758d6831335688b5d78082f394ed26d171426ef7649363a951a789c463afe76d1cd55f58b4b7ab2db2ee8091e7b1f3148b2352fde97b9928bf417047e9eff62ad76ab117ba9fb35605a71973be36e71a4d2aec600255a75eba63983bd0750d5080d380d00d91248470b9850d3e8e5bb464732ddb838427c1685e337694774229a0d4ffec532220e75aa289bc9c62c0621851c4c4e7325a3eb02bd195ceb855dec066ed250238ee546fa45aa00661bbb8dddc006a40c976243af58de87"
+
+PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 256+0
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"105d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce08c":""
+
+PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 255+1
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"105d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce0":"8c"
+
+PSA key agreement: FFDH RFC7919 6144 key + HKDF-SHA256: read 1+255
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+key_agreement_output:PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):"bbaec0a6c20e67aa77bd9db1f682b20227d3e17944ccf9ea639e437202309c29dc876a8d209e81e59e1d7584284089c4ffb3356e28acca6c94164752e7e331cee7fccdb3d08604a5faaf91c02cab4ea6ad2926e28d1dee9fadd437b2b8a5116c689869c0972529e4c362aaa8427c95f42d8a60c1f38f9f672c837a097bcd1a8c068c11a33ce36517915dae1ba47e2646aef079e6c84b9656991ef0f6ceb9f7f95c97e7232cc5c41c0335aed99169133702cb8d95ef1e9eb5af583f3469a77277243fe61f16dd5b4f9f4972e3d30050f289f891daf8146ff87cf2845c419dfe2ca0525c5e2e8fc6566d7118fadaf0103b24319061f862e2584e5fba1063d55365b78379820d335ee924ac0871ceb3a2a339fba250011371b53426bab5f48e9704b7a9e77d14d5f6cafcfbdb45463e6935be31bc87eafd9b6d228a5b76c2baa6364f450a4ac557dd07ed4b1a13f5603e2b3bb270e831f0f2950f52c52d866fdaeb748a4cbb6f20b332795fffb8cf77a34ef75d8105973f1fdada6a3b050a28c12268104a8f1cce9a86ebce1749a97e9e5f00608229799aa5b7a356fca7b8bb5c7829cb18a136836bb37f5165deb89b33f0b69c473236025bc649d382d008fbc7c8c84390b9d86b173e45fa1e162e0eabd7914f2ec4c26d5350be064fc0d68bf16446188dd4a76ac1267a63b764070b48342a884891eeddbba95257348764c646aef160523af105a719aedb041a28b81516dbe89e80592f687eb341aff447a4165ac145889ae3e8a14c948c82b581b35d8f7d1c4f5e0f838773a472ad0025b1ca0b1c8bfe58c42079194b9aa9c5a1139472e7f917655a3ae297c9a8e3bfa6e108242a5ac01b92a9e94d7b51fbe2732d68f1ec5c12607add5e9bddbe5a4837e9fa16a66b5d83456df4f9febb14158dc5ea467b7cc288fe58f28cade38fa3d4c8864c3cb93bda6d39ad28f7dab8b8c0be34f675d268d82ba6a2e22ba49a5e7de5d08edae35ec17d1419288719a4f82dfb7aad6f7b68c4216c69b83af7438771622e48381841d1fcb6081d41b1b84eae37912b34dc8df1794bb47ad87f94d9c841aa98":"31b48495f611fd0205994fc523bfbc6b72949417f28392d30c1c98878bde0ca467ab6d6fe58522df9749154f95c9683f9590c295cd2b62ff9c59f2a71aaa3f7cb72761740cdcac8994c3623e8c07e2991dac60c2ccba818623013467cfca64f9a3b58523d4a4982571365db08aa9de048303c2a48d1c02c9aafc2ecd6eaae1c5bce8314503d0711d755b59134cbfc773250690121f58fc5171ea34fe88e753d5ab3da23e0557aa326b408c2f55aad2b6f40504509c2203f353bcb17e7b2c61fdcba04c3f8c136ef5d14c38ded6ff0455f59f3052b52b2d45f76a2c3b4b09af388a57ebd9d33393853b83b8033b6973cf662907e62380b66b4ce04b82ab8fcd35f40083a330587e27daa0f84c21fc5d04af03104785f85cb880ae61024cf6cfd1dc14149fdff6653968458fb5761cf2cbf8263e915099eb209d1d149bd7a5b4e48b108f07a1f7c17aa4cbf7b3aa25075956f93f127d46b6392834e7781e46f0e2d1ba14ce2f2d91f9db106bf94c7110ace1bf6105cd9351031e0ec7b52a599ae41256581c1379be5882c352c750709c1b8d37cd8d1442ae5547db0f5a1371eca211f028428572a0fcc4c0852ec1f9be4de14a32536087f520cdeaf54c52b203bb6ff0008b2099fb0e1dff4547563a71db416c5b97ef8e7677d8edd15a2ae75dc64b817117fe5e0478cfa1a18e15cb44cfcc990c5f01127b3906187c18562c876631a046a70015e84b6c553be23168e572cedb5912a6505ff8bb65722cc0e9556e967600711b8d8a8e414811c9809aa3e15f680fdbb2b2297e414824fda530b501b278c35f3f0f0ac61da3262de7b8aa44e31544c593c8521f8ce4921b8d7df7d7382c97718efd03650caa5620bc0e6fb9753dfe26c78b0b6a3231391b9324ee6b7c81b45e7e90e5573ab6cb263b114d78eaba7eb2bc668dd57b6eef126abcdf8355656beac58ddbaeb0551a4083fd5a2bd0e405d35737b7c3c6f0f0190403c13b57e3ef7b6b76206725758523ef98e4053fb8e05147a74577b61b0935dc5eb699945d3290e78bcc9015c9c3210ffed7d6e96c6c8202e46ad37155d07f3e8c2d9a":"10":"5d324ec021d57640dee474c442f3a25390de6ff13175f70fad977003bd78fcdfeda87d2a5cc8447b9729990b11e7949c6ebb37a2d3c2fa69a85d79d216a6a489c8c5186576c112ca94c1bce156b819fb010a4168e8c91e777b87dceb0de4f1828c45297e3b513f4ff57bfb874a7c0d3cd709332922394bcddbc0bf959668810ce1ec8dbff662ea620b9ee7186cdde9845185ea87ded242fbffb7f526d875b6b1dbd09a4008b4d2c1034621a75efd6140c7d6fc883d79f7c3b7f7ae21b74e62a9c26f682c9dd48cacdc7f0c4ec5eb32a5c505aa5949d4008ece502bca5612f84ae73164acd2d3399cc9aee5cf615de62dd31c63a407f5c988b5c61a124ce08c"
+
PSA generate random: 0 bytes
generate_random:0
@@ -6679,6 +6992,30 @@ generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT
PSA generate key: RSA, e=2
generate_key_rsa:512:"01":PSA_ERROR_INVALID_ARGUMENT
+PSA generate key: FFDH, 2048 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
+
+PSA generate key: FFDH, 3072 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):3072:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
+
+PSA generate key: FFDH, 4096 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
+
+PSA generate key: FFDH, 6144 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):6144:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
+
+PSA generate key: FFDH, 8192 bits, good
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):8192:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_SUCCESS:0
+
+PSA generate key: FFDH, 1024 bits, invalid bits
+depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR
+generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0
+
PSA import persistent key: raw data, 8 bits
depends_on:MBEDTLS_PK_C:MBEDTLS_PSA_CRYPTO_STORAGE_C
persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 98b1a334bb..b0123d9c8f 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1530,8 +1530,15 @@ void import_export(data_t *data,
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, type);
+ if (PSA_KEY_TYPE_IS_DH(type) &&
+ expected_export_status == PSA_ERROR_BUFFER_TOO_SMALL) {
+ /* Simulate that buffer is too small, by decreasing its size by 1 byte. */
+ export_size -= 1;
+ }
+
/* Import the key */
- PSA_ASSERT(psa_import_key(&attributes, data->x, data->len, &key));
+ TEST_EQUAL(psa_import_key(&attributes, data->x, data->len, &key),
+ PSA_SUCCESS);
/* Test the key information */
PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 6f9e544138..a8c714f391 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -7,8 +7,6 @@
#include
#include
-#include "hash_info.h"
-
#include
#include
@@ -1974,7 +1972,7 @@ void ssl_tls13_create_psk_binder(int hash_alg,
data_t *transcript,
data_t *binder_expected)
{
- unsigned char binder[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char binder[MBEDTLS_MD_MAX_SIZE];
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
@@ -2108,7 +2106,7 @@ void ssl_tls13_key_evolution(int hash_alg,
data_t *input,
data_t *expected)
{
- unsigned char secret_new[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char secret_new[MBEDTLS_MD_MAX_SIZE];
PSA_INIT();
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index db2fe56a5f..36f1df1ba0 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1,402 +1,402 @@
X509 CRT information #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #1 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #2
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #2 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information #3
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"data_files/parse_input/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 CRT information #3 (DER)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"data_files/parse_input/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 CRT information MD5 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_MD5
-x509_cert_info:"data_files/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information RSA-PSS, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA224
-x509_cert_info:"data_files/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA384
-x509_cert_info:"data_files/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA512
-x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC, SHA256 Digest, hardware module name SAN
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n"
+x509_cert_info:"data_files/parse_input/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n"
X509 CRT information EC, SHA256 Digest, binary hardware module name SAN
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n"
+x509_cert_info:"data_files/parse_input/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n"
X509 CRT information EC, SHA256 Digest, directoryName SAN
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
+x509_cert_info:"data_files/parse_input/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n"
X509 CRT information EC, SHA256 Digest, two directoryName SANs
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n"
+x509_cert_info:"data_files/parse_input/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n"
X509 CRT information EC, SHA256 Digest, Wisun Fan device
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n"
+x509_cert_info:"data_files/parse_input/server5-fan.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n"
X509 CRT information, NS Cert Type
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n"
+x509_cert_info:"data_files/parse_input/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n"
X509 CRT information, Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"data_files/parse_input/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Key Usage with decipherOnly
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n"
+x509_cert_info:"data_files/parse_input/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n"
X509 CRT information, Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
+x509_cert_info:"data_files/parse_input/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CRT information, Multiple different Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n"
+x509_cert_info:"data_files/parse_input/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CRT information, Subject Alt Name + Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n \n \nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Subject Alt Name with uniformResourceIdentifier
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"data_files/parse_input/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+x509_cert_info:"data_files/parse_input/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, RSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, ECDSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, RSA Certificate Policy any with qualifier
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, ECDSA Certificate Policy any with qualifier
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
X509 CRT information, RSA Certificate multiple Policies
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
X509 CRT information, ECDSA Certificate multiple Policies
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
+x509_cert_info:"data_files/parse_input/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n"
X509 CRT information, RSA Certificate unsupported policy
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
+x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
X509 CRT information, ECDSA Certificate unsupported policy
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
+x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n"
X509 CRT information, Key Usage + Extended Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
+x509_cert_info:"data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
X509 CRT information RSA signed by EC
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
-x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information EC signed by RSA
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
-x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n"
X509 CRT information Bitstring in subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1
-x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
+x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
X509 CRT information Non-ASCII string in issuer name and subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nsubject name \: C=JP, ST=Tokyo, O=?????????????????? Ltd, CN=?????????????????? CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n"
X509 SAN parsing otherName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0
+x509_parse_san:"data_files/parse_input/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0
X509 SAN parsing binary otherName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
+x509_parse_san:"data_files/parse_input/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0
X509 SAN parsing directoryName
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0
+x509_parse_san:"data_files/parse_input/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0
X509 SAN parsing directoryName, seq malformed
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_san:"data_files/parse_input/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 SAN parsing two directoryNames, second DN OID malformed
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_san:"data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 SAN parsing dNSName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
+x509_parse_san:"data_files/parse_input/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
X509 SAN parsing Multiple different types
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
+x509_parse_san:"data_files/parse_input/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0
X509 SAN parsing, no subject alt name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME
-x509_parse_san:"data_files/server4.crt":"":0
+x509_parse_san:"data_files/parse_input/server4.crt":"":0
X509 SAN parsing, unsupported otherName name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/server5-unsupported_othername.crt":"":0
+x509_parse_san:"data_files/parse_input/server5-unsupported_othername.crt":"":0
X509 SAN parsing rfc822Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0
+x509_parse_san:"data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0
X509 CRL information #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
X509 CRL Information MD5 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n"
X509 CRL Information SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
X509 CRL Information SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n"
X509 CRL Information SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n"
X509 CRL Information SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n"
X509 CRL Information SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n"
X509 CRL information RSA-PSS, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n"
X509 CRL information RSA-PSS, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n"
X509 CRL information RSA-PSS, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n"
X509 CRL information RSA-PSS, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n"
X509 CRL information RSA-PSS, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n"
X509 CRL Information EC, SHA1 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n"
X509 CRL Information EC, SHA224 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n"
X509 CRL Information EC, SHA256 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n"
X509 CRL Information EC, SHA384 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n"
X509 CRL Information EC, SHA512 Digest
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n"
+mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n"
X509 CRL Malformed Input (trailing spaces at end of file)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_VERIFY
-mbedtls_x509_crl_parse:"data_files/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+mbedtls_x509_crl_parse:"data_files/parse_input/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
X509 CRL Unsupported critical extension (issuingDistributionPoint)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_crl_parse:"data_files/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_crl_parse:"data_files/parse_input/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRL Unsupported non-critical extension (issuingDistributionPoint)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
-mbedtls_x509_crl_parse:"data_files/crl-idpnc.pem":0
+mbedtls_x509_crl_parse:"data_files/parse_input/crl-idpnc.pem":0
X509 CSR Information RSA with MD5
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA224
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA-256
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA384
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA-256, containing commas
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO
-mbedtls_x509_csr_info:"data_files/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information EC with SHA1
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA224
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA256
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA384
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information EC with SHA512
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA224
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA256
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA384
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA-PSS with SHA512
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CSR Information RSA with SHA-256 - Microsoft header
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
+mbedtls_x509_csr_info:"data_files/parse_input/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information v3 extensions #1 (all)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
+mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n"
X509 CSR Information v3 extensions #2 (nsCertType only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
+mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n"
X509 CSR Information v3 extensions #3 (subjectAltName only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
+mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n"
X509 CSR Information v3 extensions #4 (keyUsage only)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_info:"data_files/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
+mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n"
X509 Verify Information: empty
x509_verify_info:0:"":""
@@ -1043,9 +1043,31 @@ X509 CRT verification: mismatching IPv6 in SubjectAltName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
x509_verify:"data_files/server5-tricky-ip-san.crt":"data_files/server5-tricky-ip-san.crt":"data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+X509 CRT verification: matching URI in SubjectAltName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
+x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":0:0:"":"NULL"
+
+X509 CRT verification: URI with trailing data in SubjectAltName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
+x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609cz":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+
+X509 CRT verification: URI with preceding data in SubjectAltName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
+x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"zurn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+
+X509 CRT verification: URI with bad data in SubjectAltName
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C
+x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"bad\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL"
+
X509 CRT parse CN: IPv4 valid address
x509_crt_parse_cn_inet_pton:"10.10.10.10":"0A0A0A0A":4
+X509 CRT parse CN: IPv4 leading zeroes #1
+x509_crt_parse_cn_inet_pton:"010.10.10.10":"":0
+
+X509 CRT parse CN: IPv4 leading zeroes #2
+x509_crt_parse_cn_inet_pton:"10.10.10.001":"":0
+
X509 CRT parse CN: IPv4 excess 0s
x509_crt_parse_cn_inet_pton:"10.0000.10.10":"":0
@@ -2021,11 +2043,11 @@ x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b05003
X509 CRT ASN1 (inv extBasicConstraint, pathlen is INT_MAX)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509parse_crt_file:"data_files/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
+x509parse_crt_file:"data_files/parse_input/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
X509 CRT ASN1 (pathlen is INT_MAX-1)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1
-x509parse_crt_file:"data_files/server1_pathlen_int_max-1.crt":0
+x509parse_crt_file:"data_files/parse_input/server1_pathlen_int_max-1.crt":0
X509 CRT ASN1 (TBS, inv extBasicConstraint, pathlen inv length encoding)
depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256
@@ -2977,99 +2999,99 @@ mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSIO
# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files)
X509 CSR ASN.1 (attributes: invalid sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid attribute id)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: not extension request)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0
X509 CSR ASN.1 (attributes: invalid extenstion request set tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (attributes: invalid len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: invalid len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (attributes: extension request invalid len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (attributes: extension request invalid len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension id tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension data len (len > data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extensions: invalid extension data len (len < data))
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (extensions: duplicated extension)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA
X509 CSR ASN.1 (extensions: invalid extension type data)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-mbedtls_x509_csr_parse_file:"data_files/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
+mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
X509 File parse (no issues)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_int-ca.crt":0
+x509parse_crt_file:"data_files/parse_input/server7_int-ca.crt":0
X509 File parse (extra space in one certificate)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_pem_space.crt":1
+x509parse_crt_file:"data_files/parse_input/server7_pem_space.crt":1
X509 File parse (all certificates fail)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER
+x509parse_crt_file:"data_files/parse_input/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER
X509 File parse (trailing spaces, OK)
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_trailing_space.crt":0
+x509parse_crt_file:"data_files/parse_input/server7_trailing_space.crt":0
X509 File parse (Algorithm Params Tag mismatch)
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH
+x509parse_crt_file:"data_files/parse_input/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH
X509 Get time (UTC no issues)
depends_on:MBEDTLS_X509_USE_C
@@ -3278,3 +3300,44 @@ x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_KEY_USAGE
X509 ext types accessor: ext type not present
depends_on:MBEDTLS_X509_CRT_PARSE_C
x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
+
+X509 CRT parse Subject Key Id - Correct Subject Key ID
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_subjectkeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":20:0
+
+X509 CRT parse Subject Key Id - Wrong OCTET_STRING tag
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_subjectkeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT parse Authority Key Id - Correct Authority Key ID
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":20:"NL/PolarSSL/PolarSSL Test CA/":1:0
+
+X509 CRT parse Authority Key Id - Wrong Length
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c30598014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+
+X509 CRT parse Authority Key Id - Wrong Sequence tag
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c005a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT parse Authority Key Id - Wrong KeyId Tag
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a0014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT parse Authority Key Id - Wrong KeyId Tag Length
+depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"3082039F30820287A00302010202142121EA5121F25E38DF2697F6851A9B43490DE495300D06092A864886F70D01010B0500303B310B3009060355040613024E4C3111300F060355040B0C08506F6C617253534C3119301706035504030C10506F6C617253534C2054657374204341301E170D3233303530363138333231315A170D3433303530313138333231315A303B310B3009060355040613024E4C3111300F060355040B0C08506F6C617253534C3119301706035504030C10506F6C617253534C205465737420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100C14DA3DDE7CD1DD104D74972B899AC0E78E43A3C4ACF3A1316D05AE4CDA30088A7EE1E6B96A752B490EF2D727A3E249AFCB634AC24F577E026648C9CB0287DA1DAEA8CE6C91C96BCFEC10452B336D4A3FAE1B176D890C161B4665236A22653AAAB745E077D1982DB2AD81FA0D90D1C2D4966F75B257346E80B8A4F690CB50090E1DA8210667DAE542B8B657991A1E261C3CD404908EE680CF18B86D246BFD0B8AA11031E7F56A81A1E44180F0F858BDA8B445EE218C6622FC7668DFA5DD87DF327892901C5900E3F27F130C84A0EEFD6DEC7C7276BC7053D7AC4023C9A1D3E0FE834985BCB734B5296D811A22C808869395AD30FB0DE592F11C7F7EA120130970203010001A3819A308197301D0603551D0E04160414A505E864B8DCDF600F50124D60A864AF4D8B439330760603551D23046F306D80FFA505E864B8DCDF600F50124D60A864AF4D8B4393A13FA43D303B310B3009060355040613024E4C3111300F060355040B0C08506F6C617253534C3119301706035504030C10506F6C617253534C205465737420434182142121EA5121F25E38DF2697F6851A9B43490DE495300D06092A864886F70D01010B05000382010100409122DCB6D31ABA0B65F2DD7A590F30E43864F9293B889223BF320177D24B50EE202D5A88406BE68D2BD0047B72016376F64D0420BE1D639159E9B54666587434966364EF855B37155D5891C68A02D90E44206F27C7D78DE2E3BF5373521F8BBA8390151814004D099D2B46080A9E0C467B1E0D8B93BAC1E1B3AE4FD20FD83E285BA7168DC81D80B468AEB21D645490F0B87A65DDE17DAD1AF46EDF9126565592291FE159434A9D93DFFFA65F658C6DBCD02D56E591CD4B9390878288B890497E56998C845D3ED4145DAAD6A16556C2FDEAE780BE297531842B2A565824BD85128D4E459B0F370DBEC9E190FABA7D88C1514B3B6935F421B4FBC393D733A785":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+X509 CRT parse Authority Key Id - Wrong Issuer Tag 1
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff003fa43d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT parse Authority Key Id - Wrong Issuer Tag 2
+depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308203873082026fa003020102020100300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3131303231323134343430305a170d3231303231323134343430305a303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c205465737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c0df37fc17bbe0969d3f86de96327d44a516a0cd21f199d4eceacb7c18580894a5ec9bc58bdf1a1e993899871e7bc08d39df385d707807d39ed993e8b97251c5cea33052a9f2e7407014cb44a2720bc2e540f93ee5a60eb3f9ec4a63c0b82900749c573ba8a5049071f1bd83d93fd6a5e23c2a8fef2760c3c69fcbbaec607db7e68432be4ffb582622035bd4b4d5fbf5e3962e70c0e42ebdfc2eeee24155c0342e7d247269cb47b11440837d67f486f631abf179a4b2b52e12f98417f0626f273e1358b1540d219a7337a130cf6f92dcf6e9fcacdb2e28d17e024b23a015f238656409ea0c6e8e1b17a071c8b39bc9abe9c3f2cf87968f8002329e99586fa2d50203010001a38195308192300c0603551d13040530030101ff301d0603551d0e04160414b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30630603551d23045c305a8014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdffa13f003d303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341820100300d06092a864886f70d01010505000382010100b8fd54d80054908b25b027dd95cda2f784071d87894ac47811d807b5d722508e48eb627a3289be634753ffb6bef12e8c54c0993fa0b93723725f0d46598fd847cd974c9f070c1262093a24e436d9e92cda38d0737561d7c16c268b9be0d5dc67ed8c6b33d774223c4cdbb58d2ace2c0d0859050905a6399fb3671be283e5e18f53f66793c7f96f76445812e83ad497e7e9c03ea87a723d87531fe52c8484e79a9e7f66d91f9bf51348b04d14d1deb224d9787df535cc5819d1d299ef4d73f81f89d45ad052ce09f5b146516a008e3bcc6f63010099ed9da60860cd3218d073e05871d9e5d253d78dd0cae95d2a0a0d5d55ec21501716e6064acd5edef7e0e954":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+# clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376: test for bad sequence of names in authorityCertIssuer
+X509 CRT parse Authority Key Id - Wrong Issuer sequence
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C
+x509_crt_parse_authoritykeyid:"308201883082016FA0030201020209202020202020202020300D06092A864886F70D010104050030233110300E0603202020130720202020202020310F300D06032020201306202020202020301E170D3131303530383230353934385A170D3134303530373230353934385A30233110300E0603202020130720202020202020310F300D06032020201306202020202020305C300D06092A864886F70D0101010500034B003048024120202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020FF02032020FFA38185308182301D060320202004162020202020202020202020202020202020202020202030530603551D23044C304A80142020202020202020202020202020202020202020A12AA42530233110300E0603202020130720202020202020310F300D0603202020130620202020202082002020202020202020202020202020202020202020202020202020202020202020202020202020202020202020":0:"":0:MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 73e6803556..f215a8069a 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1548,3 +1548,86 @@ exit:
USE_PSA_DONE();
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
+void x509_crt_parse_subjectkeyid(data_t *buf, int subjectKeyIdLength_arg, int ref_ret)
+{
+ size_t subjectKeyIdLength = subjectKeyIdLength_arg;
+ mbedtls_x509_crt crt;
+
+ mbedtls_x509_crt_init(&crt);
+
+ TEST_ASSERT(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len) == ref_ret);
+
+ if (ref_ret == 0) {
+ TEST_ASSERT(crt.subject_key_id.tag == MBEDTLS_ASN1_OCTET_STRING);
+ TEST_ASSERT(crt.subject_key_id.len == subjectKeyIdLength);
+ } else {
+ TEST_ASSERT(crt.subject_key_id.tag == 0);
+ TEST_ASSERT(crt.subject_key_id.len == 0);
+ }
+
+exit:
+ mbedtls_x509_crt_free(&crt);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
+void x509_crt_parse_authoritykeyid(data_t *buf,
+ int keyIdLength_arg,
+ char *authorityKeyId_issuer,
+ int serialLength_arg,
+ int ref_ret)
+{
+ mbedtls_x509_crt crt;
+ int bufferCounter = 0;
+ size_t issuerCounter = 0;
+ size_t keyIdLength = keyIdLength_arg;
+ size_t serialLength = serialLength_arg;
+ unsigned int result = 0;
+ mbedtls_x509_subject_alternative_name san;
+ mbedtls_x509_name *pname = NULL;
+
+ mbedtls_x509_crt_init(&crt);
+
+ TEST_ASSERT(mbedtls_x509_crt_parse_der(&crt, buf->x, buf->len) == ref_ret);
+
+ if (ref_ret == 0) {
+ /* KeyId test */
+ TEST_ASSERT(crt.authority_key_id.keyIdentifier.tag == MBEDTLS_ASN1_OCTET_STRING);
+ TEST_ASSERT(crt.authority_key_id.keyIdentifier.len == keyIdLength);
+
+ /* Issuer test */
+ mbedtls_x509_sequence *issuerPtr = &crt.authority_key_id.authorityCertIssuer;
+
+ TEST_ASSERT(mbedtls_x509_parse_subject_alt_name(&issuerPtr->buf, &san) == 0);
+
+ pname = &san.san.directory_name;
+
+ while (pname != NULL) {
+ for (issuerCounter = 0; issuerCounter < pname->val.len; issuerCounter++) {
+ result |=
+ (authorityKeyId_issuer[bufferCounter++] != pname->val.p[issuerCounter]);
+ }
+ bufferCounter++; /* Skipping the slash */
+ pname = pname->next;
+ }
+ mbedtls_x509_free_subject_alt_name(&san);
+ TEST_ASSERT(result == 0);
+
+ /* Serial test */
+ TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.tag ==
+ MBEDTLS_ASN1_INTEGER);
+ TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.len == serialLength);
+ } else {
+ TEST_ASSERT(crt.authority_key_id.keyIdentifier.tag == 0);
+ TEST_ASSERT(crt.authority_key_id.keyIdentifier.len == 0);
+
+ TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.tag == 0);
+ TEST_ASSERT(crt.authority_key_id.authorityCertSerialNumber.len == 0);
+ }
+
+exit:
+ mbedtls_x509_crt_free(&crt);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index cd1b0a3bd7..4eeeacdcc3 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -59,108 +59,112 @@ depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_DP_SECP25
x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
Certificate write check Server1 SHA1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 1970
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not after 2050
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 1970, not after 2050
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, not before 2050, not after 2059
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, one ext_key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, two ext_key_usages
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, RSA_ALT, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, key_usage
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, ns_cert_type
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, version 1
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, CA
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Full length serial
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Serial starting with 0x80
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server1 SHA1, All 0xFF full length serial
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt"
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt":0
Certificate write check Server5 ECDSA
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt"
+x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt"
+x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt":0
+
+Certificate write check Server1 SHA1, SubjectAltNames
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.allSubjectAltNames.crt":0:0:"data_files/test-ca.crt":1
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\\, Inc., OU=PolarSSL":"C=NL, O=Offspark\\, Inc., OU=PolarSSL":0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index b08555c9b8..ab4a2d0d35 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -7,8 +7,7 @@
#include "mbedtls/rsa.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/pk.h"
-
-#include "hash_info.h"
+#include "md_psa.h"
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
@@ -47,7 +46,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
goto cleanup;
}
- psa_algorithm_t psa_alg = mbedtls_hash_info_psa_from_md(csr.sig_md);
+ psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(csr.sig_md);
size_t hash_size = 0;
psa_status_t status = psa_hash_compute(psa_alg, csr.cri.p, csr.cri.len,
hash, PSA_HASH_MAX_SIZE, &hash_size);
@@ -59,7 +58,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
}
if (mbedtls_pk_verify_ext(csr.sig_pk, csr.sig_opts, &csr.pk,
- csr.sig_md, hash, mbedtls_hash_info_get_size(csr.sig_md),
+ csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
csr.sig.p, csr.sig.len) != 0) {
ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
goto cleanup;
@@ -270,7 +269,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- md_alg_psa = mbedtls_hash_info_psa_from_md((mbedtls_md_type_t) md_type);
+ md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
mbedtls_pk_init(&key);
@@ -326,7 +325,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
char *ext_key_usage,
int cert_type, int set_cert_type, int auth_ident,
int ver, char *cert_check_file, int pk_wrap, int is_ca,
- char *cert_verify_file)
+ char *cert_verify_file, int set_subjectAltNames)
{
mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
mbedtls_pk_context *key = &issuer_key;
@@ -348,6 +347,48 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
+ mbedtls_x509_san_list san_ip;
+ mbedtls_x509_san_list san_dns;
+ mbedtls_x509_san_list san_uri;
+ mbedtls_x509_san_list san_mail;
+ mbedtls_x509_san_list san_dn;
+ mbedtls_asn1_named_data *ext_san_dirname = NULL;
+ const char san_ip_name[] = { 0x01, 0x02, 0x03, 0x04 };
+ const char *san_dns_name = "example.com";
+ const char *san_dn_name = "C=UK,O=Mbed TLS,CN=SubjectAltName test";
+ const char *san_mail_name = "mail@example.com";
+ const char *san_uri_name = "http://pki.example.com";
+ mbedtls_x509_san_list *san_list = NULL;
+
+ if (set_subjectAltNames) {
+ san_mail.node.type = MBEDTLS_X509_SAN_RFC822_NAME;
+ san_mail.node.san.unstructured_name.p = (unsigned char *) san_mail_name;
+ san_mail.node.san.unstructured_name.len = strlen(san_mail_name);
+ san_mail.next = NULL;
+
+ san_dns.node.type = MBEDTLS_X509_SAN_DNS_NAME;
+ san_dns.node.san.unstructured_name.p = (unsigned char *) san_dns_name;
+ san_dns.node.san.unstructured_name.len = strlen(san_dns_name);
+ san_dns.next = &san_mail;
+
+ san_dn.node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
+ TEST_ASSERT(mbedtls_x509_string_to_names(&ext_san_dirname,
+ san_dn_name) == 0);
+ san_dn.node.san.directory_name = *ext_san_dirname;
+ san_dn.next = &san_dns;
+
+ san_ip.node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ san_ip.node.san.unstructured_name.p = (unsigned char *) san_ip_name;
+ san_ip.node.san.unstructured_name.len = sizeof(san_ip_name);
+ san_ip.next = &san_dn;
+
+ san_uri.node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ san_uri.node.san.unstructured_name.p = (unsigned char *) san_uri_name;
+ san_uri.node.san.unstructured_name.len = strlen(san_uri_name);
+ san_uri.next = &san_ip;
+
+ san_list = &san_uri;
+ }
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
@@ -386,7 +427,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
if (pk_wrap == 2) {
psa_algorithm_t alg_psa, md_alg_psa;
- md_alg_psa = mbedtls_hash_info_psa_from_md((mbedtls_md_type_t) md_type);
+ md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) {
@@ -465,6 +506,9 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
}
}
+ if (set_subjectAltNames) {
+ TEST_ASSERT(mbedtls_x509write_crt_set_subject_alternative_name(&crt, san_list) == 0);
+ }
ret = mbedtls_x509write_crt_pem(&crt, buf, sizeof(buf),
mbedtls_test_rnd_pseudo_rand, &rnd_info);
TEST_ASSERT(ret == 0);
@@ -573,6 +617,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
exit:
+ mbedtls_asn1_free_named_data_list(&ext_san_dirname);
mbedtls_x509write_crt_free(&crt);
mbedtls_pk_free(&issuer_key_alt);
mbedtls_pk_free(&subject_key);