authorNatanael Copa <ncopa@alpinelinux.org>2018-12-24 15:34:37 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-12-24 15:34:37 +0000
commit4b3710bb3cc9a1cabcde6b3ec6338a63236cdd8c (patch)
treef512e500d5aa8fae52a13d9ae248ec3e6f4360ef
parent7c940069fa58d8048d1a7f0688aee9d11280ab71 (diff)
community/lua-copas: fix tests
add fixes from upstream for tests
-rw-r--r--community/lua-copas/APKBUILD6
-rw-r--r--community/lua-copas/default-tls1.2.patch13
-rw-r--r--community/lua-copas/disable-https-tests.patch15
-rw-r--r--community/lua-copas/test-certs.patch3226
4 files changed, 3243 insertions, 17 deletions
diff --git a/community/lua-copas/APKBUILD b/community/lua-copas/APKBUILD
index e9fc5a6989..32c0571c2e 100644
--- a/community/lua-copas/APKBUILD
+++ b/community/lua-copas/APKBUILD
@@ -13,7 +13,8 @@ depends="lua-socket"
checkdepends="lua5.1-coxpcall lua-sec"
subpackages=""
source="$pkgname-$pkgver.tar.gz::https://github.com/keplerproject/$_pkgname/archive/v$_pkgver.tar.gz
- disable-https-tests.patch
+ default-tls1.2.patch
+ test-certs.patch
ipv4-only.patch"
builddir="$srcdir/$_pkgname-$_pkgver"
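Review bot: `test-certs.patch` is added to `source=` as a test fix, but the diffstat inside it lists `src/copas.lua` and `src/copas/http.lua` next to the `tests/certs` files, so it also changes code that the package installs. `default-tls1.2.patch` edits `src/copas/http.lua` as well, which makes the order of the two entries significant and the combined result hard to audit from the APKBUILD alone. A comment above the `source=` assignment would record this, e.g. `# test-certs.patch: two upstream commits; also touches src/copas.lua and src/copas/http.lua`. The second of those commits replaces the committed PEM files with generator scripts and `.cnf` files; if those scripts call the openssl command-line tool (their bodies are not visible here), `checkdepends` on the context line would need it too.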
@@ -63,5 +64,6 @@ _subpackage() {
}
sha512sums="dd83a513fbddb2f0164c3573b417623f5cc556413c4937be7e362f4c1667bad83391143e1bf609480726730ce488c4080e810f2ce12a98a7abb5293993c10182 lua-copas-2.0.2.tar.gz
-eebded0a9accbc6b0a5ecd3c45e06710bf4b3279605b443fe3bfff40d9d9d23bdc0c508fb42506d14faa69a3c4cee0b8bef80ab8b721eac6d5aeab2aaa8c41e7 disable-https-tests.patch
+d65a2d26ff025ec4b7c652bdf179a9f18078f736ec8f9166df077a47ec34cc4731cdeaa984d25c9556f332b36bfd9b4a7e2069284f8b63a4344e8a81b5ad72bc default-tls1.2.patch
+f775cda7762f7924be8794ea2c77eb49740741a3cf9f67ca7b7e7563868d51f386ed473833e40b673af3aee5660a5e4767f43522bda1e0c38b2bf07c9df183df test-certs.patch
4fb2b65f41869b9729cc4672eebbfb2745a2d01af1cd54341b8306f57510f98e118eac77c77a980f4c8e8b181b6fda150061dc39819269e9ee64bf07656dfd54 ipv4-only.patch"
diff --git a/community/lua-copas/default-tls1.2.patch b/community/lua-copas/default-tls1.2.patch
new file mode 100644
index 0000000000..f6fd5433d7
--- /dev/null
+++ b/community/lua-copas/default-tls1.2.patch
@@ -0,0 +1,13 @@
+diff --git a/src/copas/http.lua b/src/copas/http.lua
+index d9767fe..8e8dc64 100644
+--- a/src/copas/http.lua
++++ b/src/copas/http.lua
+@@ -35,7 +35,7 @@ _M.USERAGENT = socket._VERSION
+
+ -- Default settings for SSL
+ _M.SSLPORT = 443
+-_M.SSLPROTOCOL = "tlsv1"
++_M.SSLPROTOCOL = "tlsv1_2"
+ _M.SSLOPTIONS = "all"
+ _M.SSLVERIFY = "none"
+
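Review bot: The context lines of this patch keep `_M.SSLVERIFY = "none"` directly below the new `_M.SSLPROTOCOL = "tlsv1_2"`, so copas.http still skips peer-certificate verification by default and the protocol bump alone does not authenticate the server. Since the patch is listed in `source=` it presumably changes the installed module and not only the test run, so the APKBUILD should say so, e.g. `# default-tls1.2.patch: raises the default protocol only; SSLVERIFY stays "none" as upstream ships it`. The value `"tlsv1_2"` also pins a single protocol version; if the packaged LuaSec accepts `"any"`, that would let the library negotiate the highest version both peers support, which is worth checking before the pin becomes the distribution default.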
diff --git a/community/lua-copas/disable-https-tests.patch b/community/lua-copas/disable-https-tests.patch
deleted file mode 100644
index 5858048032..0000000000
--- a/community/lua-copas/disable-https-tests.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 5b383d3..9d8c749 100644
---- a/Makefile
-+++ b/Makefile
-@@ -24,8 +24,8 @@ install:
- test:
- $(LUA) $(PKGPATH) tests/largetransfer.lua
- $(LUA) $(PKGPATH) tests/request.lua 'http://www.google.com'
-- $(LUA) $(PKGPATH) tests/request.lua 'https://www.google.nl'
-- $(LUA) $(PKGPATH) tests/httpredirect.lua
-+# $(LUA) $(PKGPATH) tests/request.lua 'https://www.google.nl'
-+# $(LUA) $(PKGPATH) tests/httpredirect.lua
- $(LUA) $(PKGPATH) tests/limit.lua
- $(LUA) $(PKGPATH) tests/connecttwice.lua
- $(LUA) $(PKGPATH) tests/exit.lua
diff --git a/community/lua-copas/test-certs.patch b/community/lua-copas/test-certs.patch
new file mode 100644
index 0000000000..09769adc09
--- /dev/null
+++ b/community/lua-copas/test-certs.patch
@@ -0,0 +1,3226 @@
+From 2357ac46131ea86ce9c3c89ae67cd4557e527f35 Mon Sep 17 00:00:00 2001
+From: Thijs Schreijer <thijs@thijsschreijer.nl>
+Date: Mon, 16 Jul 2018 21:50:35 +0200
+Subject: [PATCH] update test certs
+
+---
+ .gitignore | 2 ++
+ src/copas.lua | 22 ++++++++---------
+ tests/certs/clientA.pem | 49 ++++++++++++++++++-------------------
+ tests/certs/clientAcert.pem | 22 ++++++++---------
+ tests/certs/clientAkey.pem | 28 ++++++++++-----------
+ tests/certs/clientAreq.pem | 14 +++++------
+ tests/certs/rootA.pem | 26 ++++++++++----------
+ tests/certs/rootAkey.pem | 28 ++++++++++-----------
+ tests/certs/rootAreq.pem | 14 +++++------
+ tests/certs/serverA.pem | 49 ++++++++++++++++++-------------------
+ tests/certs/serverAcert.pem | 22 ++++++++---------
+ tests/certs/serverAkey.pem | 28 ++++++++++-----------
+ tests/certs/serverAreq.pem | 14 +++++------
+ 13 files changed, 159 insertions(+), 159 deletions(-)
+
+diff --git a/.gitignore b/.gitignore
+index e69de29..5ca0973 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -0,0 +1,2 @@
++.DS_Store
++
+diff --git a/src/copas.lua b/src/copas.lua
+index e2d36fc..4452760 100644
+--- a/src/copas.lua
++++ b/src/copas.lua
+@@ -42,20 +42,20 @@ local function statusHandler(status, ...)
+ end
+
+ function socket.protect(func)
+-return function (...)
++ return function (...)
+ return statusHandler(pcall(func, ...))
+- end
++ end
+ end
+
+ function socket.newtry(finalizer)
+-return function (...)
+- local status = (...)
+- if not status then
++ return function (...)
++ local status = (...)
++ if not status then
+ pcall(finalizer, select(2, ...))
+- error({ (select(2, ...)) }, 0)
++ error({ (select(2, ...)) }, 0)
++ end
++ return ...
+ end
+- return ...
+- end
+ end
+
+ local copas = {}
+@@ -764,19 +764,19 @@ end
+ function copas.step(timeout)
+ _sleeping_t:tick(gettime())
+
+- -- Need to wake up the select call it time for the next sleeping event
++ -- Need to wake up the select call in time for the next sleeping event
+ local nextwait = _sleeping:getnext()
+ if nextwait then
+ timeout = timeout and math.min(nextwait, timeout) or nextwait
+ else
+ if copas.finished() then
+ return false
+- end
++ end
+ end
+
+ local err = _select (timeout)
+ if err then
+- if err == "timeout" then return false end
++ if err == "timeout" then return false end
+ return nil, err
+ end
+
+diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem
+index 2f09848..bdc18ed 100644
+--- a/tests/certs/clientA.pem
++++ b/tests/certs/clientA.pem
+@@ -1,44 +1,43 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+ A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/
+-vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f
+-6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC
+-u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
++bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
++BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
++e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
++aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+ hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+-FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O
+-gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF
+-ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF
+-yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0
+-J84qpYxH1TKE
++FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
++5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
++p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
++Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
++/1l1/fTpSY1i
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
+-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
+-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
+-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
+-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
+-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
++BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
++txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
++zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
++8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
++3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
++mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+ bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+ YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
+-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
+-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
+-g34jvD4v
++ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
++AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
++RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
++0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
++234dl4Tu
+ -----END CERTIFICATE-----
+-
+\ No newline at end of file
+diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem
+index 2092dff..10afc38 100644
+--- a/tests/certs/clientAcert.pem
++++ b/tests/certs/clientAcert.pem
+@@ -1,20 +1,20 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDNTCCAp6gAwIBAgIJAOIlTl6l0XV8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDlaFw0xODA2MjIxOTIxMDlaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+ A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmPCHWAHNKzTWUZk/
+-vMpErq3ZwKsbFHaUVj0pzLccTu16S+Y1veN8YxnqQRiimtQzzAVTAqGEOgsibi7f
+-6uvi4pgs0QSlemGBWdopqOSKYcHl6ZHIl1pDcjyEiGCFmXWAMl6WEIMoIizE5zJC
+-u9ADTI00QF+SNs+bQMwRy6fi3ysCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
++bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
++BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
++e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
++aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+ hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+-FDd+6wOlZBAyQV4dckc+8+sGc61LMB8GA1UdIwQYMBaAFFG/cjK0+S9u05oKZT1O
+-gsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBACAx4J2JCBEK8HDde1J/+pxEUktBczFF
+-ywymGOkpK5YSsqqCalILdXUxPT5XL/gXzAhzhzoFxlErQ7mwg5O9Gj7XCaJOVLxF
+-yt+RWxv33JsVwV7HJVHKmSZeyhzhhcNfry6QhqU8HY44B3uAt8O91XZ5J5ZytVn0
+-J84qpYxH1TKE
++FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
++5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
++p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
++Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
++/1l1/fTpSY1i
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem
+index 6768f54..651c8c4 100644
+--- a/tests/certs/clientAkey.pem
++++ b/tests/certs/clientAkey.pem
+@@ -1,16 +1,16 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAJjwh1gBzSs01lGZ
+-P7zKRK6t2cCrGxR2lFY9Kcy3HE7tekvmNb3jfGMZ6kEYoprUM8wFUwKhhDoLIm4u
+-3+rr4uKYLNEEpXphgVnaKajkimHB5emRyJdaQ3I8hIhghZl1gDJelhCDKCIsxOcy
+-QrvQA0yNNEBfkjbPm0DMEcun4t8rAgMBAAECgYEAiiH0nBBEdpmqWNjJMIKftgVf
+-fx0LwFe5coqbjkJ0VvU2WAb80xz746YsZc8STjUK82J7rwyimKol1s6Pf2a96/Vm
+-ibPFNNHXSpLPsMn5AvvnqaQEIB2PXk+loC3MrPXLYQk3VhlqjxAUD6jPoTKp6b1k
+-IM0o5dZOBf8mRGLASgECQQDLO99CwYq17astx6YDMtgEiTABUv/aBo8kD5SqFnZI
+-MyUZiEQcRjxbYqDKLvLYCC6+FgVhHti1VgS6kBQK1k7hAkEAwKXMcwsZm9EB+rSw
+-HJFvj7bd19AND9yUoO8WkuoOgrDFoR72b85htNxOywjGFkbEGJ28kAl7GapiYcsN
+-ak5riwJANQcuPfDaDJYy8AMD4hnGG4jgKbhKYc0MVFBsbeTmf/g4We0gOHBrFz0o
+-zxho7M1VxOtiA/FUghwrp7IoSJuagQJBAK/rN2Wer0XweIQ918xeqqdr7+0RWbww
+-S7EiY1TJU3LYhb/6DERRDDwiKfmSC4FwIcXw1K4bWkQ3qRtwVtHKxr0CQAX9r5hH
+-cbIpt6gYBV3ggGYo865oqJ3jipYqE12RrEsccjyKaDwSH2f6xCsfi4CdhKh3aqJE
+-KHaXPqk3+8RQXCM=
++MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg
++xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf
++eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo
++YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU
++CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT
+++IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu
++54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN
++oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR
++YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO
++fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ
++iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY
++UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX
++EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD
++0ksTfouj7w/VR94=
+ -----END PRIVATE KEY-----
+diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem
+index bc5e56b..bdd77b3 100644
+--- a/tests/certs/clientAreq.pem
++++ b/tests/certs/clientAreq.pem
+@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+ YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+ U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+ IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQCY8IdYAc0rNNZRmT+8ykSurdnAqxsUdpRWPSnMtxxO7XpL5jW943xj
+-GepBGKKa1DPMBVMCoYQ6CyJuLt/q6+LimCzRBKV6YYFZ2imo5IphweXpkciXWkNy
+-PISIYIWZdYAyXpYQgygiLMTnMkK70ANMjTRAX5I2z5tAzBHLp+LfKwIDAQABoAAw
+-DQYJKoZIhvcNAQEFBQADgYEATV1z5nOIQ6HRkUJUG3Bli5mpUJibjn37DgVFBQsR
+-jI1VsoMywesGR3nUDUqY+TOTiPUG6tUImEb/69EPPN9O7KpiNEzvyWpmyCEBkoxT
+-hNiGzg9LFNCTA8AqU0bsYGwDQgNa1uRxlXnKx2v20uu7Euj3OOEk+5PR8dLKa/sp
+-DIc=
++ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg
++8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo
++vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw
++DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx
++0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid
++Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr
++U4w=
+ -----END CERTIFICATE REQUEST-----
+diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem
+index cbd837b..dac07a0 100644
+--- a/tests/certs/rootA.pem
++++ b/tests/certs/rootA.pem
+@@ -1,23 +1,23 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
+-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
+-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
+-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
+-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
+-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
++BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
++txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
++zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
++8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
++3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
++mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+ bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+ YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
+-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
+-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
+-g34jvD4v
++ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
++AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
++RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
++0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
++234dl4Tu
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem
+index 6c809b1..987a73e 100644
+--- a/tests/certs/rootAkey.pem
++++ b/tests/certs/rootAkey.pem
+@@ -1,16 +1,16 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALyqpWgcBH+dYZAg
+-d1oEOj/+WKcDl8bUMxqN4RNJFmgYATBFXACPwJhlO8HNIzlvlR6atNyfywvNdO/d
+-pw5McxD4OlRkIK63eQ4MRBK9yfDT5mr19BlLeS0UwhbPHA8C/ydd7Enhrnxm16Gj
+-wzDfQuWX3L4jMiupTpyxrm5Hr5j5AgMBAAECgYEAqfmD8/vqAZ8k2tilLrBIWoco
+-D7Ao+bUMJYxVjy51xWp7B6Y1cTwR5DqwT7YlWgWxb1UqROqh4AxGoiQr8bHmp4Jm
+-mmRFr8upCcglDsHSR4XsYkPJWjhtCkU9gGEDdurxz90INoqOWY/kgPiuBFzMX0rO
+-+lUBJc+3ge18ybBlelECQQDqgw4/5b6ilqD/w5OH2EQ4ENskUZ5L/ZpXpmJkOAZ+
+-rcMDC5X1pDhaaH15pdeCQc+pVaL63Jwt/0UyArFlnU2PAkEAzfQyTla0I2oPLvM+
+-Mll7zf2Wr5wAuN1/Vt9KxTsqL8AUh7n13Y4Jk1qNJ2VsC/3tyUhRyb9tYbBIMqf6
+-W9/89wJAKZ95N/4fB9yUVtDvrnzEHu9e9eNGpVYtvsDZVdBb1sAgjLnRs/ehyOoi
+-2ySES6pCoVuBweTGE6PrNCUmN1LkIQJAW473GkqDVMceruGmQd30IxRce/9fds/J
+-f4ZPCDWQQKAkwF4UhoVRjneQDvaQvRgLMRN8gLMgXnBu+E4jB9sg6wJAbT87IpPn
+-36kgbB+ARdmyfYwxJswCPggwbotmLPp0JtD3AHn+B5UUMRP676LQZnvElNV7Lv2g
+-V9rKcnclNnBLzA==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
+ -----END PRIVATE KEY-----
+diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem
+index 27639cb..8d66597 100644
+--- a/tests/certs/rootAreq.pem
++++ b/tests/certs/rootAreq.pem
+@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+ YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR
+ U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0
+ ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQC8qqVoHAR/nWGQIHdaBDo//linA5fG1DMajeETSRZoGAEwRVwAj8CY
+-ZTvBzSM5b5UemrTcn8sLzXTv3acOTHMQ+DpUZCCut3kODEQSvcnw0+Zq9fQZS3kt
+-FMIWzxwPAv8nXexJ4a58Zteho8Mw30Lll9y+IzIrqU6csa5uR6+Y+QIDAQABoAAw
+-DQYJKoZIhvcNAQEFBQADgYEAjAS9/dtDcC345uUVpdZHDeF2yrNna6Lb9U2Mgy3S
+-Cqd8OsBwdOuOLmeR0GG+F/qP2YiRrXHbM522Dqt4xah84axmgpAo+7xl/YLMNTq2
+-I2lAgapnCfVOVA99bCloFFuJyXyt4w7A6YxMD9orjVdJdt4AYGb2mNeOB0AeKPRI
+-ZYQ=
++ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T
++YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD
++zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw
++DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f
++RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ
++fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj
++MKo=
+ -----END CERTIFICATE REQUEST-----
+diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem
+index 6b50c67..02324d0 100644
+--- a/tests/certs/serverA.pem
++++ b/tests/certs/serverA.pem
+@@ -1,44 +1,43 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+ A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk
+-/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe
+-asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh
+-mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
++ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
++uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
++Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
++L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+ SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud
+-IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2
+-FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl
+-GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq
+-aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP
++Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
++IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
++hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
++oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
++Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAMB4Jht1jkbcMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDVaFw0xODA2MjIxOTIxMDVaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvKqlaBwEf51hkCB3
+-WgQ6P/5YpwOXxtQzGo3hE0kWaBgBMEVcAI/AmGU7wc0jOW+VHpq03J/LC810792n
+-DkxzEPg6VGQgrrd5DgxEEr3J8NPmavX0GUt5LRTCFs8cDwL/J13sSeGufGbXoaPD
+-MN9C5ZfcviMyK6lOnLGubkevmPkCAwEAAaOCAQYwggECMB0GA1UdDgQWBBRRv3Iy
+-tPkvbtOaCmU9ToLHORGsUDCB0gYDVR0jBIHKMIHHgBRRv3IytPkvbtOaCmU9ToLH
+-ORGsUKGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
++BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
++txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
++zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
++8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
++3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
++mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+ bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+ YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDAeCYbdY5G3DAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBADx3k5hsOZkZZP/U3YVh3ieY9AXwhtB8r/vQ
+-ZZI9MSc3OD/PbgkrXt6u5ZVdsatul/5BN/uqapD7sBktXoWz9B3nCJ0AovwS4rwn
+-qZ9MB44engpEbZLvkXiUyqk3os2UaeKd3WhV6pUW2H+3V4xcmHbB90zNjnC+AU5b
+-g34jvD4v
++ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
++AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
++RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
++0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
++234dl4Tu
+ -----END CERTIFICATE-----
+-
+\ No newline at end of file
+diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem
+index 76295a1..72d2c87 100644
+--- a/tests/certs/serverAcert.pem
++++ b/tests/certs/serverAcert.pem
+@@ -1,20 +1,20 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDSjCCArOgAwIBAgIJAOIlTl6l0XV7MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
++MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+ JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xNzA2MjIxOTIxMDdaFw0xODA2MjIxOTIxMDdaMIGdMQswCQYD
++BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
+ VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+ IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+ A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsKyppd9LbWZZ8bAk
+-/WtRh5uWUqv14z6IKNloY+niDsfmipME3W4uK762jjSv3woCLBy9LU+i1UbxwnGe
+-asHb8ZykyvoFZqYllZOoC5m5jiBrI66iiBdkjOw0C4uXxsQ2Kz1NXfIigtTo+NOh
+-mLoGP45sAiWEEDWoP3kgp2A4d/sCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
++ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
++uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
++Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
++L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+ SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFKSuYfhndGCO5opzbDEdo0cac/1aMB8GA1Ud
+-IwQYMBaAFFG/cjK0+S9u05oKZT1Ogsc5EaxQMA0GCSqGSIb3DQEBBQUAA4GBAE/2
+-FVob8QI09FDHIYH2VOqT5UfvxuoSxz6okMVbmrDIgiTHdrtBZ1pHQv4+nCXvk/Yl
+-GUaVsYytIbKnEW6GYkMHaX5AibLqFA9r6bXAPpbuwQjxWVX6dyGVGe1WBTTZWytq
+-aMIP0TcYboF1e8zKNEl7Od6CnmjFnBGSdkS7RXNP
++Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
++IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
++hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
++oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
++Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem
+index 3fb8745..c9f6b65 100644
+--- a/tests/certs/serverAkey.pem
++++ b/tests/certs/serverAkey.pem
+@@ -1,16 +1,16 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALCsqaXfS21mWfGw
+-JP1rUYebllKr9eM+iCjZaGPp4g7H5oqTBN1uLiu+to40r98KAiwcvS1PotVG8cJx
+-nmrB2/GcpMr6BWamJZWTqAuZuY4gayOuoogXZIzsNAuLl8bENis9TV3yIoLU6PjT
+-oZi6Bj+ObAIlhBA1qD95IKdgOHf7AgMBAAECgYB0kafpmpgg2ZxU3Dy7vFhx2hVn
+-/K/jPPoHwdKfwcx2piyVmAVouG7cTBwVXewAhJEEW/3x7I5qnEGdYuv8UmZ0PThb
+-JMQT5l3Gf8iaA0J0e8munOfXI6bycVfAlLxuFi4yh7JWhN/zzcKwusQFHAPDEWyX
+-6/tddjvg3BOP/IolyQJBAOrhoBg4DT/aVPe/HPpChw6MuPW8uTojGj51u1LsLM1x
+-E0g1PCsTwG9VcddZLnUnxPsshYWjIslC6jZ6xly/lwcCQQDAj0MT3m5oewAdpZuL
+-R6SblIFht+5sKlovRczPtAVp9apeAkFQVDrrDXcHDassUwB2OokPR4MLNkQcBv1I
+-TQZtAkEAr4uj0JYL6P4v5N30NWKFeC1ai2badQYJNkddkrMrJPxu8de/uV5Qw6Tz
+-qYRgwXTQtvzmaiOr+wnE7KTEHkue/wJADDtNdH6lnsdpa3iwl7lWUHevfEiVwZMz
+-JVuWtf7mdSOgzdXw1ixzjajOTcllfSxMlDYFrM3LGjQ5QVqETkpuRQJATlYDDFv1
+-vFn6wCK+PT/JLZZoBD74iPskOUJ+raELWctAM6u3rRP9qzacv4gjXJ1IIxSrOlia
+-Z0EEKCmEu3XOkg==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
+ -----END PRIVATE KEY-----
+diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem
+index ccf2778..bf93f3f 100644
+--- a/tests/certs/serverAreq.pem
++++ b/tests/certs/serverAreq.pem
+@@ -3,11 +3,11 @@ MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+ YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+ U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+ IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQCwrKml30ttZlnxsCT9a1GHm5ZSq/XjPogo2Whj6eIOx+aKkwTdbi4r
+-vraONK/fCgIsHL0tT6LVRvHCcZ5qwdvxnKTK+gVmpiWVk6gLmbmOIGsjrqKIF2SM
+-7DQLi5fGxDYrPU1d8iKC1Oj406GYugY/jmwCJYQQNag/eSCnYDh3+wIDAQABoAAw
+-DQYJKoZIhvcNAQELBQADgYEACr7TW7m5hDJlD5oz2bsM43RcOSzLJLv3UZiJbklN
+-pX3NqpSpWIqZRjlbppL+f1VPbIhvxuIGdjCKJ5IhMwiaI5+5bAVbT0m6GSLw47Vu
+-oidCX+Lhahv8bCQPP87WzXtBnx45igt4YNU9vthj4Ov1MiXN0S9i8JuqS1YCiw5l
+-Sxg=
++ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e
++oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN
++8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw
++DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I
++qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2
++f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA
++9mY=
+ -----END CERTIFICATE REQUEST-----
+From b84301acb0e7b60e9428b7f626b82d301869cf74 Mon Sep 17 00:00:00 2001
+From: Thijs Schreijer <thijs@thijsschreijer.nl>
+Date: Mon, 3 Dec 2018 10:38:48 +0100
+Subject: [PATCH] auto-generate test certificates through makefile
+
+---
+ .gitignore | 3 +-
+ Makefile | 39 +++--
+ src/copas/http.lua | 20 +--
+ tests/certs/_readme.md | 3 +
+ tests/certs/all.bat | 14 ++
+ tests/certs/all.sh | 13 ++
+ tests/certs/clientA.bat | 9 +
+ tests/certs/clientA.cnf | 316 ++++++++++++++++++++++++++++++++++++
+ tests/certs/clientA.pem | 43 -----
+ tests/certs/clientA.sh | 12 ++
+ tests/certs/clientAcert.pem | 20 ---
+ tests/certs/clientAkey.pem | 16 --
+ tests/certs/clientAreq.pem | 13 --
+ tests/certs/clientB.bat | 9 +
+ tests/certs/clientB.cnf | 316 ++++++++++++++++++++++++++++++++++++
+ tests/certs/clientB.sh | 12 ++
+ tests/certs/rootA.bat | 7 +
+ tests/certs/rootA.cnf | 315 +++++++++++++++++++++++++++++++++++
+ tests/certs/rootA.pem | 23 ---
+ tests/certs/rootA.sh | 7 +
+ tests/certs/rootAkey.pem | 16 --
+ tests/certs/rootAreq.pem | 13 --
+ tests/certs/rootB.bat | 7 +
+ tests/certs/rootB.cnf | 315 +++++++++++++++++++++++++++++++++++
+ tests/certs/rootB.sh | 7 +
+ tests/certs/serverA.bat | 9 +
+ tests/certs/serverA.cnf | 316 ++++++++++++++++++++++++++++++++++++
+ tests/certs/serverA.pem | 43 -----
+ tests/certs/serverA.sh | 12 ++
+ tests/certs/serverAcert.pem | 20 ---
+ tests/certs/serverAkey.pem | 16 --
+ tests/certs/serverAreq.pem | 13 --
+ tests/certs/serverB.bat | 9 +
+ tests/certs/serverB.cnf | 316 ++++++++++++++++++++++++++++++++++++
+ tests/certs/serverB.sh | 12 ++
+ 35 files changed, 2076 insertions(+), 258 deletions(-)
+ create mode 100644 tests/certs/_readme.md
+ create mode 100644 tests/certs/all.bat
+ create mode 100755 tests/certs/all.sh
+ create mode 100644 tests/certs/clientA.bat
+ create mode 100644 tests/certs/clientA.cnf
+ delete mode 100644 tests/certs/clientA.pem
+ create mode 100755 tests/certs/clientA.sh
+ delete mode 100644 tests/certs/clientAcert.pem
+ delete mode 100644 tests/certs/clientAkey.pem
+ delete mode 100644 tests/certs/clientAreq.pem
+ create mode 100644 tests/certs/clientB.bat
+ create mode 100644 tests/certs/clientB.cnf
+ create mode 100755 tests/certs/clientB.sh
+ create mode 100644 tests/certs/rootA.bat
+ create mode 100644 tests/certs/rootA.cnf
+ delete mode 100644 tests/certs/rootA.pem
+ create mode 100755 tests/certs/rootA.sh
+ delete mode 100644 tests/certs/rootAkey.pem
+ delete mode 100644 tests/certs/rootAreq.pem
+ create mode 100644 tests/certs/rootB.bat
+ create mode 100644 tests/certs/rootB.cnf
+ create mode 100755 tests/certs/rootB.sh
+ create mode 100644 tests/certs/serverA.bat
+ create mode 100644 tests/certs/serverA.cnf
+ delete mode 100644 tests/certs/serverA.pem
+ create mode 100755 tests/certs/serverA.sh
+ delete mode 100644 tests/certs/serverAcert.pem
+ delete mode 100644 tests/certs/serverAkey.pem
+ delete mode 100644 tests/certs/serverAreq.pem
+ create mode 100644 tests/certs/serverB.bat
+ create mode 100644 tests/certs/serverB.cnf
+ create mode 100755 tests/certs/serverB.sh
+
+diff --git a/.gitignore b/.gitignore
+index 5ca0973..18e0fea 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,2 +1,3 @@
+ .DS_Store
+-
++**/*.srl
++**/*.pem
+diff --git a/Makefile b/Makefile
+index 5b383d3..5580f9f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ # $Id: Makefile,v 1.3 2007/10/29 22:50:16 carregal Exp $
+
+-DESTDIR ?=
++DESTDIR ?=
+
+ # Default prefix
+ PREFIX ?= /usr/local
+@@ -8,11 +8,14 @@ PREFIX ?= /usr/local
+ # System's lua directory (where Lua libraries are installed)
+ LUA_DIR ?= $(PREFIX)/share/lua/5.1
+
++DELIM=-e "print(([[=]]):rep(70))"
+ PKGPATH=-e "package.path='src/?.lua;'..package.path"
+
+ # Lua interpreter
+ LUA=lua
+
++.PHONY: certs
++
+ install:
+ mkdir -p $(DESTDIR)$(LUA_DIR)/copas
+ cp src/copas.lua $(DESTDIR)$(LUA_DIR)/copas.lua
+@@ -21,16 +24,29 @@ install:
+ cp src/copas/http.lua $(DESTDIR)$(LUA_DIR)/copas/http.lua
+ cp src/copas/limit.lua $(DESTDIR)$(LUA_DIR)/copas/limit.lua
+
+-test:
+- $(LUA) $(PKGPATH) tests/largetransfer.lua
+- $(LUA) $(PKGPATH) tests/request.lua 'http://www.google.com'
+- $(LUA) $(PKGPATH) tests/request.lua 'https://www.google.nl'
+- $(LUA) $(PKGPATH) tests/httpredirect.lua
+- $(LUA) $(PKGPATH) tests/limit.lua
+- $(LUA) $(PKGPATH) tests/connecttwice.lua
+- $(LUA) $(PKGPATH) tests/exit.lua
+- $(LUA) $(PKGPATH) tests/exittest.lua
+- $(LUA) $(PKGPATH) tests/removeserver.lua
++tests/certs/clientA.pem:
++ cd ./tests/certs && \
++ ./rootA.sh && \
++ ./rootB.sh && \
++ ./serverA.sh && \
++ ./serverB.sh && \
++ ./clientA.sh && \
++ ./clientB.sh && \
++ cd ../..
++
++certs: tests/certs/clientA.pem
++
++test: certs
++ $(LUA) $(DELIM) $(PKGPATH) tests/largetransfer.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'http://www.google.com'
++ $(LUA) $(DELIM) $(PKGPATH) tests/request.lua 'https://www.google.nl'
++ $(LUA) $(DELIM) $(PKGPATH) tests/httpredirect.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/limit.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/connecttwice.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/exit.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/exittest.lua
++ $(LUA) $(DELIM) $(PKGPATH) tests/removeserver.lua
++ $(LUA) $(DELIM)
+
+ coverage:
+ $(RM) luacov.stats.out
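Review bot: The `tests/certs/clientA.pem` rule runs all six generator scripts but make tracks it by that single file, so a run that fails later in the chain (for example in `clientB.sh`) leaves `clientA.pem` behind and the next `make test` treats the certificates as up to date. The same applies once the certificates pass their validity period: the client script issues them with `-days 365`, and nothing regenerates them. Since `certs` is already declared `.PHONY`, the simplest change is to drop the file target and put the recipe directly under `certs:`, so the short-lived test PKI is rebuilt on every `make test`.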
+@@ -39,3 +55,4 @@ coverage:
+
+ clean:
+ $(RM) luacov.stats.out luacov.report.out
++ $(RM) tests/certs/*.pem tests/certs/*.srl
+diff --git a/src/copas/http.lua b/src/copas/http.lua
+index 8e8dc64..d6508e1 100644
+--- a/src/copas/http.lua
++++ b/src/copas/http.lua
+@@ -230,7 +230,7 @@ local function adjustheaders(reqt)
+ }
+ -- if we have authentication information, pass it along
+ if reqt.user and reqt.password then
+- lower["authorization"] =
++ lower["authorization"] =
+ "Basic " .. (mime.b64(reqt.user .. ":" .. reqt.password))
+ end
+ -- override with user headers
+@@ -254,7 +254,7 @@ local function adjustrequest(reqt)
+ -- explicit components override url
+ for i,v in base.pairs(reqt) do nreqt[i] = v end
+ if nreqt.port == "" then nreqt.port = 80 end
+- socket.try(nreqt.host and nreqt.host ~= "",
++ socket.try(nreqt.host and nreqt.host ~= "",
+ "invalid host '" .. base.tostring(nreqt.host) .. "'")
+ -- compute uri if user hasn't overriden
+ nreqt.uri = reqt.uri or adjusturi(nreqt)
+@@ -292,10 +292,10 @@ local trequest, tredirect
+ source = reqt.source,
+ sink = reqt.sink,
+ headers = reqt.headers,
+- proxy = reqt.proxy,
++ proxy = reqt.proxy,
+ nredirects = (reqt.nredirects or 0) + 1,
+ create = reqt.create
+- }
++ }
+ -- pass location header back as a hint we redirected
+ headers = headers or {}
+ headers.location = headers.location or location
+@@ -312,7 +312,7 @@ end
+ h:sendheaders(nreqt.headers)
+ -- if there is a body, send it
+ if nreqt.source then
+- h:sendbody(nreqt.headers, nreqt.source, nreqt.step)
++ h:sendbody(nreqt.headers, nreqt.source, nreqt.step)
+ end
+ local code, status = h:receivestatusline()
+ -- if it is an HTTP/0.9 server, simply get the body and we are done
+@@ -322,13 +322,13 @@ end
+ end
+ local headers
+ -- ignore any 100-continue messages
+- while code == 100 do
++ while code == 100 do
+ headers = h:receiveheaders()
+ code, status = h:receivestatusline()
+ end
+ headers = h:receiveheaders()
+ -- at this point we should have a honest reply from the server
+- -- we can't redirect if we already used the source, so we report the error
++ -- we can't redirect if we already used the source, so we report the error
+ if shouldredirect(nreqt, code, headers) and not nreqt.source then
+ h:close()
+ return tredirect(reqt, headers.location)
+@@ -361,7 +361,7 @@ local function tcp(params)
+ if not u.port then
+ u.port = _M.SSLPORT
+ reqt.url = url.build(u)
+- reqt.port = _M.SSLPORT
++ reqt.port = _M.SSLPORT
+ end
+ washttps = true
+ return conn
+@@ -371,7 +371,7 @@ local function tcp(params)
+ try(nil, "Unallowed insecure redirect https to http")
+ end
+ return copas.wrap(socket.tcp())
+- end
++ end
+ end
+ end
+
+@@ -395,7 +395,7 @@ _M.parseRequest = function(u, b)
+ end
+
+ _M.request = socket.protect(function(reqt, body)
+- if base.type(reqt) == "string" then
++ if base.type(reqt) == "string" then
+ reqt = _M.parseRequest(reqt, body)
+ local ok, code, headers, status = _M.request(reqt)
+
+diff --git a/tests/certs/_readme.md b/tests/certs/_readme.md
+new file mode 100644
+index 0000000..1cd8396
+--- /dev/null
++++ b/tests/certs/_readme.md
+@@ -0,0 +1,3 @@
++The certificate generation scripts here are copied from LuaSec
++
++
+diff --git a/tests/certs/all.bat b/tests/certs/all.bat
+new file mode 100644
+index 0000000..b1e03ca
+--- /dev/null
++++ b/tests/certs/all.bat
+@@ -0,0 +1,14 @@
++REM make sure the 'openssl.exe' commandline tool is in your path before starting!
++REM set the path below;
++set opensslpath=c:\program files (x86)\openssl-win32\bin
++
++
++
++setlocal
++set path=%opensslpath%;%path%
++call roota.bat
++call rootb.bat
++call servera.bat
++call serverb.bat
++call clienta.bat
++call clientb.bat
+diff --git a/tests/certs/all.sh b/tests/certs/all.sh
+new file mode 100755
+index 0000000..da6ac96
+--- /dev/null
++++ b/tests/certs/all.sh
+@@ -0,0 +1,13 @@
++#!/bin/sh
++
++CWD=$(PWD)
++cd $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
++
++./rootA.sh
++./rootB.sh
++./serverA.sh
++./serverB.sh
++./clientA.sh
++./clientB.sh
++
++cd $CWD
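Review bot: `CWD=$(PWD)` is a command substitution that tries to run a program named `PWD`, and `${BASH_SOURCE[0]}` is a bash array expansion that a POSIX `/bin/sh` such as BusyBox ash or dash rejects, so under the declared `#!/bin/sh` the script may stop before it reaches the generator calls. A portable form is `cd "$(dirname "$0")" || exit 1`. The save and restore of `CWD` can be dropped, because a `cd` inside an executed script does not change the caller's directory. The unquoted `cd $( ... )` also breaks when the checkout path contains spaces.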
+diff --git a/tests/certs/clientA.bat b/tests/certs/clientA.bat
+new file mode 100644
+index 0000000..112cdef
+--- /dev/null
++++ b/tests/certs/clientA.bat
+@@ -0,0 +1,9 @@
++rem #!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
++
++openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
++
++copy clientAcert.pem + rootA.pem clientA.pem
++
++openssl x509 -subject -issuer -noout -in clientA.pem
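Review bot: The request is created with `-newkey rsa:1024` and both commands sign with `-sha1`, which OpenSSL builds running at a raised security level reject as a too-small key or too-weak digest, so the TLS tests can fail for reasons unrelated to Copas. Using `-newkey rsa:2048` and `-sha256` here, with `default_bits = 2048` and `default_md = sha256` in the matching `.cnf` files, keeps the fixtures usable on hardened systems. The same parameters appear in `clientA.sh` and `clientB.bat`, and presumably in the root and server scripts, which are not visible here.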
+diff --git a/tests/certs/clientA.cnf b/tests/certs/clientA.cnf
+new file mode 100644
+index 0000000..0fea787
+--- /dev/null
++++ b/tests/certs/clientA.cnf
+@@ -0,0 +1,316 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Some-State
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Sao Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_default = Client A
++commonName_max = 64
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+diff --git a/tests/certs/clientA.pem b/tests/certs/clientA.pem
+deleted file mode 100644
+index bdc18ed..0000000
+--- a/tests/certs/clientA.pem
++++ /dev/null
+@@ -1,43 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
+-BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
+-e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
+-aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+-hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+-FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
+-5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
+-p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
+-Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
+-/1l1/fTpSY1i
+------END CERTIFICATE-----
+------BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+-234dl4Tu
+------END CERTIFICATE-----
+diff --git a/tests/certs/clientA.sh b/tests/certs/clientA.sh
+new file mode 100755
+index 0000000..0350ede
+--- /dev/null
++++ b/tests/certs/clientA.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
++ -nodes -config ./clientA.cnf -days 365 -batch
++
++openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
++ -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
++ -out clientAcert.pem -days 365
++
++cat clientAcert.pem rootA.pem > clientA.pem
++
++openssl x509 -subject -issuer -noout -in clientA.pem
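Review bot: Nothing stops this script when an `openssl` step fails, so `cat clientAcert.pem rootA.pem > clientA.pem` still creates `clientA.pem` when the signing step produced no certificate. The final `openssl x509 -subject -issuer -noout -in clientA.pem` can then read the root certificate from the bundle and exit 0, hiding the failure from the Makefile's `&&` chain. Adding `set -e` on the line after the shebang makes the first failing command abort the script with a non-zero status.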
+diff --git a/tests/certs/clientAcert.pem b/tests/certs/clientAcert.pem
+deleted file mode 100644
+index 10afc38..0000000
+--- a/tests/certs/clientAcert.pem
++++ /dev/null
+@@ -1,20 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDNTCCAp6gAwIBAgIJANemCVlJDxN9MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQyMzRaFw0xOTA3MTYxOTQyMzRaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+-bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqgmw9Lff2yb2Q+DE
+-BL5WP4vbhceAaKoAg0wd7x2LIW7jXyxEJsWIIPKYF0Fc62N51Xzu2/CFXFP9NF94
+-e5KuuO2hq347FExPjcAdFG/owyRs8tUQe7CcaL56drpRVIWd8NMdCGXyrr9JAShi
+-aqYUy22LuVDFMHFD1vfrKkmrYPcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+-hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+-FCDXAeKTRvjBgQrQnMm3V2xSx24DMB8GA1UdIwQYMBaAFJqLTBDdTkyou7inDtgb
+-5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBAMSqQyatsFCPwux6lqI04VLSgXTSmlaq
+-p22QcyLWTHHIyX0o+lyHXrrqmUsDJmHu73x0lFOMwvzLDwmb+N8rC3rjZGl/srtM
+-Hap5kI/8i9RNrFiCN1rid7bLvMSDILyIa1FNMQ+exSgkV8uRXaPKw0ahk8Uuqi5m
+-/1l1/fTpSY1i
+------END CERTIFICATE-----
+diff --git a/tests/certs/clientAkey.pem b/tests/certs/clientAkey.pem
+deleted file mode 100644
+index 651c8c4..0000000
+--- a/tests/certs/clientAkey.pem
++++ /dev/null
+@@ -1,16 +0,0 @@
+------BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKoJsPS339sm9kPg
+-xAS+Vj+L24XHgGiqAINMHe8diyFu418sRCbFiCDymBdBXOtjedV87tvwhVxT/TRf
+-eHuSrrjtoat+OxRMT43AHRRv6MMkbPLVEHuwnGi+ena6UVSFnfDTHQhl8q6/SQEo
+-YmqmFMtti7lQxTBxQ9b36ypJq2D3AgMBAAECgYB+U+jmR13HAfFgiLLZG1gUqiGU
+-CJ48JGFxKrHqnrZpRmsioE6Zx5PVdqbMUEFqmGNB2ynSuaU67SNnL67hkB7CCxfT
+-+IjOs9TwP8QeY8MGJo3B+aLgdgCISiFcmcvahWUHvRUR8rq7WTr5ThTQyo/IPUbu
+-54ED3PB8HjiEDh0RIQJBAN5BhTIb8ReXaVpSltpaEKwzG8RrWEZ9bB1v4fwd4KHN
+-oU27cX9WljSv+g+Ojl+f4qIoOOBicKkW6WudxDn+UbkCQQDD2pjZ82BBbzd6xHmR
+-YsY7AVEEO3euYeqff1SyjCOIyznGPJHH4+/5B6iWrTC6gLbMVuSF9sd9c1LcetBO
+-fWAvAkEAvzt25H+gOKFBt8KaI7Qc5l1vRdjq8nPWQ5nRwsDeV7n7UUu3w034HctQ
+-iHQrUmHaeZXMIlzw/LxHCR6NCS0mmQJAVXCRadNAVIteGpKHriL281q5qyz+IvbY
+-UchMfK+h+NUfWRmnRxpq36q1ozXeoh3woOfvPXnQwSuEJGb3ZKZRRQJBAMYqGioX
+-EZQNfBJ1kSnW1PoZaR/TCVOi2DJ13FQslQP1BUmVLCvm0Z21YbcKhlFDzBny4nCD
+-0ksTfouj7w/VR94=
+------END PRIVATE KEY-----
+diff --git a/tests/certs/clientAreq.pem b/tests/certs/clientAreq.pem
+deleted file mode 100644
+index bdd77b3..0000000
+--- a/tests/certs/clientAreq.pem
++++ /dev/null
+@@ -1,13 +0,0 @@
+------BEGIN CERTIFICATE REQUEST-----
+-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+-U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+-IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQCqCbD0t9/bJvZD4MQEvlY/i9uFx4BoqgCDTB3vHYshbuNfLEQmxYgg
+-8pgXQVzrY3nVfO7b8IVcU/00X3h7kq647aGrfjsUTE+NwB0Ub+jDJGzy1RB7sJxo
+-vnp2ulFUhZ3w0x0IZfKuv0kBKGJqphTLbYu5UMUwcUPW9+sqSatg9wIDAQABoAAw
+-DQYJKoZIhvcNAQEFBQADgYEAJXW12Ov1xFANtbru6GGVKzv42CQ53nruaVEltSmx
+-0TN1BljnkuVY5vCckv7LXC8ogGF2NCAOFzVBTuUWYeX8lBjV0wuN3qCZbChoDKid
+-Gvwszyj8xZr0Aof4eDPm6iKoxLQm23fvPvL00jIYqsqUe23gYoxWXFmAclmp4+vr
+-U4w=
+------END CERTIFICATE REQUEST-----
+diff --git a/tests/certs/clientB.bat b/tests/certs/clientB.bat
+new file mode 100644
+index 0000000..9f341f6
+--- /dev/null
++++ b/tests/certs/clientB.bat
+@@ -0,0 +1,9 @@
++rem #!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
++
++openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
++
++copy clientBcert.pem + rootB.pem clientB.pem
++
++openssl x509 -subject -issuer -noout -in clientB.pem
+diff --git a/tests/certs/clientB.cnf b/tests/certs/clientB.cnf
+new file mode 100644
+index 0000000..7de08de
+--- /dev/null
++++ b/tests/certs/clientB.cnf
+@@ -0,0 +1,316 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Some-State
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Sao Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_default = Client B
++commonName_max = 64
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+diff --git a/tests/certs/clientB.sh b/tests/certs/clientB.sh
+new file mode 100755
+index 0000000..94f8986
+--- /dev/null
++++ b/tests/certs/clientB.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
++ -nodes -config ./clientB.cnf -days 365 -batch
++
++openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
++ -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
++ -out clientBcert.pem -days 365
++
++cat clientBcert.pem rootB.pem > clientB.pem
++
++openssl x509 -subject -issuer -noout -in clientB.pem
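Review bot: The fixtures generated by clientB.sh use 1024-bit RSA and SHA-1 (`-newkey rsa:1024 -sha1` on the `req` line, `-sha1` on the `x509 -req` line), which a TLS stack running at a stricter OpenSSL security level rejects before any copas code is exercised. A failure of that kind would look like a test regression although it comes from the certificate parameters. Consider `-newkey rsa:2048 -sha256` for the request and `-sha256` for the signing step. The same parameters appear in rootA.sh, rootB.sh and the .bat variants, and as `default_bits = 1024` / `default_md = sha1` in the .cnf files.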
+diff --git a/tests/certs/rootA.bat b/tests/certs/rootA.bat
+new file mode 100644
+index 0000000..6449bfa
+--- /dev/null
++++ b/tests/certs/rootA.bat
+@@ -0,0 +1,7 @@
++REM #!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
++
++openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
++
++openssl x509 -subject -issuer -noout -in rootA.pem
+diff --git a/tests/certs/rootA.cnf b/tests/certs/rootA.cnf
+new file mode 100644
+index 0000000..2dc39c8
+--- /dev/null
++++ b/tests/certs/rootA.cnf
+@@ -0,0 +1,315 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Santo Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_max = 64
++commonName_default = Root A
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+diff --git a/tests/certs/rootA.pem b/tests/certs/rootA.pem
+deleted file mode 100644
+index dac07a0..0000000
+--- a/tests/certs/rootA.pem
++++ /dev/null
+@@ -1,23 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+-234dl4Tu
+------END CERTIFICATE-----
+diff --git a/tests/certs/rootA.sh b/tests/certs/rootA.sh
+new file mode 100755
+index 0000000..7b588bf
+--- /dev/null
++++ b/tests/certs/rootA.sh
+@@ -0,0 +1,7 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
++
++openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
++
++openssl x509 -subject -issuer -noout -in rootA.pem
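Review bot: rootA.sh has no error handling, so if `openssl req` fails the script still runs the remaining commands, and the final `openssl x509 -subject -issuer` can succeed against a stale rootA.pem left over from an earlier run. Adding `set -e` right after the `#!/bin/sh` line stops the script at the first failing command and gives the caller a non-zero exit status. clientB.sh and rootB.sh are written the same way. In clientB.sh, the `cat clientBcert.pem rootB.pem > clientB.pem` step would likewise rebuild the bundle from whatever files happen to be present.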
+diff --git a/tests/certs/rootAkey.pem b/tests/certs/rootAkey.pem
+deleted file mode 100644
+index 987a73e..0000000
+--- a/tests/certs/rootAkey.pem
++++ /dev/null
+@@ -1,16 +0,0 @@
+------BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO7g0Slvtdvb6ulm
+-V7cUkuvc58dvtDY1qWpq8Pw0SjXY6qgZVvbwbpNhX1b9getJHULitfHY1AmWKcWq
+-rs6t3UxGG2LlSOaXeSszU+Xms+ZeOgShqI6uJ8PMMqHLnEFWkVxS8jWdvPOC4pJB
+-K/IRujA7upM/9nxKB4s0VMgQ9FOxAgMBAAECgYEAlboIoEZK4PHpPj5NwI1+waQH
+-C3Syqj/cXr2FKy/DTBkYjCDF56YwSOSBk872PfnoA2KC1IIp9ZBPwnwHcbh8ufo9
+-vZP0rEpjSV5B7d81uoMOt4YaS1UOxv8GQCO3r+5dj/L/CVYsj13W1MaozYVmvTiW
+-md7Rz+N4JjHWYu60EqECQQD4SHAXsEJfi+cbadV5/+HTmiqoH3cUYnK34BNs4ulo
+-D+3QGIiaslyde97D+08EbVWWdyWcGwoSft0CJG4Gim09AkEA9k2L4GP6qa1Afn+I
+-YmkMRtyo/4taCc9QBWuNRfvd1UTarvrA4nLKyBjL9Y7walFv3q/DaLrCyg/Bg/ZQ
+-aV8PhQJBAJuRh+rP3kbP+ncK0WAoHO/hYWkGji6PoSHlnUZUx7sUgAYr2SxVJgLn
+-YqWaCeDUQRSOg1pU9vKv2vtEqEwg4GECQE1uRYoOhE/xWnQqLbsaYTSpzCtCKNUq
+-qnJ5xFj6/Fs+oS0fQaIvClbrjLsu65/Q6EVuphT3maMiXujYd6EYtG0CQHYvVroh
+-2jzj0VZaoWEIJgMXjV8+UVpP5cQMHltSZtzuQITKmAAEhcqXm26W940sRfMGRgrw
+-u0M3347nbXdYj8c=
+------END PRIVATE KEY-----
+diff --git a/tests/certs/rootAreq.pem b/tests/certs/rootAreq.pem
+deleted file mode 100644
+index 8d66597..0000000
+--- a/tests/certs/rootAreq.pem
++++ /dev/null
+@@ -1,13 +0,0 @@
+------BEGIN CERTIFICATE REQUEST-----
+-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR
+-U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0
+-ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQDu4NEpb7Xb2+rpZle3FJLr3OfHb7Q2NalqavD8NEo12OqoGVb28G6T
+-YV9W/YHrSR1C4rXx2NQJlinFqq7Ord1MRhti5Ujml3krM1Pl5rPmXjoEoaiOrifD
+-zDKhy5xBVpFcUvI1nbzzguKSQSvyEbowO7qTP/Z8SgeLNFTIEPRTsQIDAQABoAAw
+-DQYJKoZIhvcNAQEFBQADgYEA2QCr5Q66xJoE+CTbvhhneLCvpjU+KBIKOAQ28s3f
+-RfFMXvO4UOXdB+NU06hQDkeYZbACeikw/5Cl+Q2O5Kx57LteW+AWvP9T2Bvh9WnJ
+-fgjm+GArxuVSb2r9KwAF8Cn6r8O09L0C75hmQTVU+rjBghZ1lsl0dVtdn+ueoVHj
+-MKo=
+------END CERTIFICATE REQUEST-----
+diff --git a/tests/certs/rootB.bat b/tests/certs/rootB.bat
+new file mode 100644
+index 0000000..99f358a
+--- /dev/null
++++ b/tests/certs/rootB.bat
+@@ -0,0 +1,7 @@
++rem #!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
++
++openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
++
++openssl x509 -subject -issuer -noout -in rootB.pem
+diff --git a/tests/certs/rootB.cnf b/tests/certs/rootB.cnf
+new file mode 100644
+index 0000000..ee45752
+--- /dev/null
++++ b/tests/certs/rootB.cnf
+@@ -0,0 +1,315 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Sao Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_default = Root B
++commonName_max = 64
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+diff --git a/tests/certs/rootB.sh b/tests/certs/rootB.sh
+new file mode 100755
+index 0000000..53969b3
+--- /dev/null
++++ b/tests/certs/rootB.sh
+@@ -0,0 +1,7 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
++
++openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
++
++openssl x509 -subject -issuer -noout -in rootB.pem
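Review bot: The `-days 365` on the `openssl req` line of rootB.sh has no effect, because `req` only honours `-days` together with `-x509` and this call writes a request, not a certificate. The validity period is set solely by the `-days 365` on the `openssl x509 -req` line, so the first line can be reduced to `openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -batch`. The same stray option is on the `req` lines of clientB.sh, rootA.sh and the .bat variants. Separately, the issued certificates are valid for one year, so any checked-in output of these scripts will expire; whether the tests regenerate them on each run is not visible in this part of the patch.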
+diff --git a/tests/certs/serverA.bat b/tests/certs/serverA.bat
+new file mode 100644
+index 0000000..78934d5
+--- /dev/null
++++ b/tests/certs/serverA.bat
+@@ -0,0 +1,9 @@
++rem #!/bin/sh
++
++openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
++
++openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
++
++copy serverAcert.pem + rootA.pem serverA.pem
++
++openssl x509 -subject -issuer -noout -in serverA.pem
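Review bot: `copy serverAcert.pem + rootA.pem serverA.pem` concatenates in cmd's default ASCII mode, which can append an end-of-file character (0x1A) to serverA.pem. Using `copy /b serverAcert.pem + rootA.pem serverA.pem` keeps the bundle byte-for-byte what `cat` produces in clientB.sh. The `openssl req` line in this file also omits the `-sha1` that the other scripts pass, so the request digest falls back to the OpenSSL default. That does not change the issued certificate, which is signed with `-sha1` on the next line, but the scripts would be easier to compare if they matched.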
+diff --git a/tests/certs/serverA.cnf b/tests/certs/serverA.cnf
+new file mode 100644
+index 0000000..b9c736f
+--- /dev/null
++++ b/tests/certs/serverA.cnf
+@@ -0,0 +1,316 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Some-State
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Sao Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_default = Server A
++commonName_max = 64
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
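Review bot: `stateOrProvinceName_default` is assigned twice in `[ req_distinguished_name ]`, first `Some-State` and then `Espirito Santo`; only one can take effect, so the `Some-State` line should be dropped. The scripts in this patch only pass this file to `openssl req -config` and to `openssl x509 -extfile ... -extensions usr_cert`, so sections such as `[ ca ]`, `[ CA_default ]`, the policy sections, `[ crl_ext ]` and `[ proxy_cert_ext ]` look unused here. A short header comment such as `# Test-only config for serverA.sh / serverA.bat; the relevant sections are [ req ] and [ usr_cert ]` would tell readers which parts matter. serverB.cnf repeats both points.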
+diff --git a/tests/certs/serverA.pem b/tests/certs/serverA.pem
+deleted file mode 100644
+index 02324d0..0000000
+--- a/tests/certs/serverA.pem
++++ /dev/null
+@@ -1,43 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
+-uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
+-Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
+-L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+-SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
+-IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
+-hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
+-oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
+-Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
+------END CERTIFICATE-----
+------BEGIN CERTIFICATE-----
+-MIIDwjCCAyugAwIBAgIJAPN164v+usx3MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQxNThaFw0xOTA3MTYxOTQxNThaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7uDRKW+129vq6WZX
+-txSS69znx2+0NjWpamrw/DRKNdjqqBlW9vBuk2FfVv2B60kdQuK18djUCZYpxaqu
+-zq3dTEYbYuVI5pd5KzNT5eaz5l46BKGojq4nw8wyocucQVaRXFLyNZ2884LikkEr
+-8hG6MDu6kz/2fEoHizRUyBD0U7ECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSai0wQ
+-3U5MqLu4pw7YG+aemj9hJTCB0gYDVR0jBIHKMIHHgBSai0wQ3U5MqLu4pw7YG+ae
+-mj9hJaGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+-bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+-YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+-ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQDzdeuL/rrMdzAMBgNVHRMEBTAD
+-AQH/MA0GCSqGSIb3DQEBBQUAA4GBACWoQT4vih0r11WXU+k9OngkaZEYqjIh8V2A
+-RwnsZBRJulKzPnLuZgmfXLUlj/0bTrWXA5ARBxm6Zb6Mw8uURt+qO5jxFu32LL5Z
+-0b/yS+gemnVefIq6VGBiqskvKDuX6UAqr4bKCJMs+imQwjzU64Oe0xXeMVazAXeA
+-234dl4Tu
+------END CERTIFICATE-----
+diff --git a/tests/certs/serverA.sh b/tests/certs/serverA.sh
+new file mode 100755
+index 0000000..7fa04e0
+--- /dev/null
++++ b/tests/certs/serverA.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
++ -config ./serverA.cnf -nodes -days 365 -batch
++
++openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
++ -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
++ -out serverAcert.pem -days 365
++
++cat serverAcert.pem rootA.pem > serverA.pem
++
++openssl x509 -subject -issuer -noout -in serverA.pem
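Review bot: A failure in either `openssl` step goes undetected, because the script has no `set -e` and its exit status is that of the last command only. If `openssl x509 -req` fails, `cat serverAcert.pem rootA.pem > serverA.pem` still writes a bundle that holds just the root certificate (or a stale serverAcert.pem from an earlier run), and the final `openssl x509 -subject -issuer -noout -in serverA.pem` reads the first certificate in that file and exits 0. Adding `set -e` on the line after `#!/bin/sh` makes the test setup stop at the first failed step instead of handing the tests a wrong chain. serverB.sh has the same shape.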
+diff --git a/tests/certs/serverAcert.pem b/tests/certs/serverAcert.pem
+deleted file mode 100644
+index 72d2c87..0000000
+--- a/tests/certs/serverAcert.pem
++++ /dev/null
+@@ -1,20 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDSjCCArOgAwIBAgIJANemCVlJDxN8MA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+-JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+-BlJvb3QgQTAeFw0xODA3MTYxOTQyMjNaFw0xOTA3MTYxOTQyMjNaMIGdMQswCQYD
+-VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+-IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+-A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+-ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo41QhH/YvQQA/wzv
+-uPayMbSReq0LghCvSAFXPfeRLMEBoYA+hiF+HqByKRG/SRY1hZkTY1GrNn3XT5Gd
+-Dy0IyKXqZXsMAP9gKOe3meWpPdM5ibsenQywjfJJQJDDKRL4oS12Ir5vgu4lvQOU
+-L39S9P7W0YEhTK0Cw5PRnEZss2UCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+-SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+-Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIXCp7y4eaLeSSst0Yy7wFZ/dmS5MB8GA1Ud
+-IwQYMBaAFJqLTBDdTkyou7inDtgb5p6aP2ElMA0GCSqGSIb3DQEBBQUAA4GBACN0
+-hei2KY0AYe+TrwYq3UfyyskhNT7L48makxs/qHArXZCDf2BTctmY+95Nfgpj5kLi
+-oW+e/Wu92cbor/UJAYQ0cJYLNa4k55loL6hjm2PKo2eni3NEk6SxHRQFtuVowCtF
+-Kgbi29DkkQc7WRWDy2blZiIYb1oUOlktk1vp8CxY
+------END CERTIFICATE-----
+diff --git a/tests/certs/serverAkey.pem b/tests/certs/serverAkey.pem
+deleted file mode 100644
+index c9f6b65..0000000
+--- a/tests/certs/serverAkey.pem
++++ /dev/null
+@@ -1,16 +0,0 @@
+------BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKONUIR/2L0EAP8M
+-77j2sjG0kXqtC4IQr0gBVz33kSzBAaGAPoYhfh6gcikRv0kWNYWZE2NRqzZ910+R
+-nQ8tCMil6mV7DAD/YCjnt5nlqT3TOYm7Hp0MsI3ySUCQwykS+KEtdiK+b4LuJb0D
+-lC9/UvT+1tGBIUytAsOT0ZxGbLNlAgMBAAECgYBcMPYoGiDEOxOMsXAXpQfBOPWg
+-XxbTlDAZuJfC2GA/B/SxYqbb2NlMzkhLmjNnMVuuGSFypMCMENdjhMMxoMMH4HZ8
+-XFsecHE9OS2KrkNQJ7OxIa9RRtGwtm8QdVav2YsQQHwoG9qB4Q+vKTyUkofIEH86
+-bV2aX7lpY7b2E8jZgQJBANcJO2+GmTOKlV0KFWtvL7x+mULJCkrpLDHEPMyFCyQT
+-xkzWJ8ZeL0l0r8gbF91ykO2mnjm2X2pHC9XU6lkIDRUCQQDCtVWnvGF+QCwsmAIo
+-RnTZtSd0jCjQQWCA+ZvqAIRMXtIQ3gL60kuYCnVMIk4XvF2iZltpgxJsPoCysGnW
+-q8ERAkBHq4EOy8q1/gOITfsToqxDY+KK+tyeWRbsw14MQG+VJ64ZH+uD1xJlpimM
+-RVNv8GZTfwwPajRlBKbyLxOoduF9AkEAuzBWXuJO4G+ViHHDcTD7Weo9OmEdQ8n2
+-m0hdysQgbMOkNS8bskPHBS7Ywg8hANTJOD4rl+65IXOdiyzrM8T/4QJBAMzV6Bkz
+-uQYRFULqLjQnaS3wOyJtoPZChWBsKaJO8WJSp+zB5Fk75cmFkLdrkKdmf0zxZX9h
+-sbvrkWGXdyBD9y8=
+------END PRIVATE KEY-----
+diff --git a/tests/certs/serverAreq.pem b/tests/certs/serverAreq.pem
+deleted file mode 100644
+index bf93f3f..0000000
+--- a/tests/certs/serverAreq.pem
++++ /dev/null
+@@ -1,13 +0,0 @@
+------BEGIN CERTIFICATE REQUEST-----
+-MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+-YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+-U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+-IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+-ADCBiQKBgQCjjVCEf9i9BAD/DO+49rIxtJF6rQuCEK9IAVc995EswQGhgD6GIX4e
+-oHIpEb9JFjWFmRNjUas2fddPkZ0PLQjIpeplewwA/2Ao57eZ5ak90zmJux6dDLCN
+-8klAkMMpEvihLXYivm+C7iW9A5Qvf1L0/tbRgSFMrQLDk9GcRmyzZQIDAQABoAAw
+-DQYJKoZIhvcNAQELBQADgYEAFGv0sHAVvqDtEbW0afiFeuWwJqBf4lz+xNZt1x2I
+-qrxDX9iZ/EiIZNXubPZLsOAnYE9+BcfJ0tGC2p9b6+EmmtkwxytIlbaVAtleHTt2
+-f0xr27k4YqIIrB63N8seaawOtQebyq76BHBSpoRHnzrfelnrkTqH+yR4Ldee7mJA
+-9mY=
+------END CERTIFICATE REQUEST-----
+diff --git a/tests/certs/serverB.bat b/tests/certs/serverB.bat
+new file mode 100644
+index 0000000..294be57
+--- /dev/null
++++ b/tests/certs/serverB.bat
+@@ -0,0 +1,9 @@
++rem #!/bin/sh
++
++openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
++
++openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
++
++copy serverBcert.pem + rootB.pem serverB.pem
++
++openssl x509 -subject -issuer -noout -in serverB.pem
+diff --git a/tests/certs/serverB.cnf b/tests/certs/serverB.cnf
+new file mode 100644
+index 0000000..ec5d031
+--- /dev/null
++++ b/tests/certs/serverB.cnf
+@@ -0,0 +1,316 @@
++#
++# OpenSSL example configuration file.
++# This is mostly being used for generation of certificate requests.
++#
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++
++# Extra OBJECT IDENTIFIER info:
++#oid_file = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions =
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++
++# We can add new OIDs in here for use by 'ca' and 'req'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++####################################################################
++[ ca ]
++default_ca = CA_default # The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir = ./demoCA # Where everything is kept
++certs = $dir/certs # Where the issued certs are kept
++crl_dir = $dir/crl # Where the issued crl are kept
++database = $dir/index.txt # database index file.
++#unique_subject = no # Set to 'no' to allow creation of
++ # several ctificates with same subject.
++new_certs_dir = $dir/newcerts # default place for new certs.
++
++certificate = $dir/cacert.pem # The CA certificate
++serial = $dir/serial # The current serial number
++crlnumber = $dir/crlnumber # the current crl number
++ # must be commented out to leave a V1 CRL
++crl = $dir/crl.pem # The current CRL
++private_key = $dir/private/cakey.pem # The private key
++RANDFILE = $dir/private/.rand # private random number file
++
++x509_extensions = usr_cert # The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt = ca_default # Subject Name options
++cert_opt = ca_default # Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions = crl_ext
++
++default_days = 365 # how long to certify for
++default_crl_days= 30 # how long before next CRL
++default_md = sha1 # which md to use.
++preserve = no # keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy = policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName = match
++stateOrProvinceName = match
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName = optional
++stateOrProvinceName = optional
++localityName = optional
++organizationName = optional
++organizationalUnitName = optional
++commonName = supplied
++emailAddress = optional
++
++####################################################################
++[ req ]
++default_bits = 1024
++default_keyfile = privkey.pem
++distinguished_name = req_distinguished_name
++attributes = req_attributes
++x509_extensions = v3_ca # The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix : PrintableString, BMPString.
++# utf8only: only UTF8Strings.
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
++# so use this option with caution!
++string_mask = nombstr
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = Country Name (2 letter code)
++countryName_default = BR
++countryName_min = 2
++countryName_max = 2
++
++stateOrProvinceName = State or Province Name (full name)
++stateOrProvinceName_default = Some-State
++stateOrProvinceName_default = Espirito Santo
++
++localityName = Locality Name (eg, city)
++localityName_default = Santo Antonio do Canaa
++
++0.organizationName = Organization Name (eg, company)
++0.organizationName_default = Sao Tonico Ltda
++
++# we can do this but it is not needed normally :-)
++#1.organizationName = Second Organization Name (eg, company)
++#1.organizationName_default = World Wide Web Pty Ltd
++
++organizationalUnitName = Organizational Unit Name (eg, section)
++organizationalUnitName_default = Department of Computer Science
++
++commonName = Common Name (eg, YOUR name)
++commonName_default = Server B
++commonName_max = 64
++
++emailAddress = Email Address
++emailAddress_max = 64
++
++# SET-ex3 = SET extension number 3
++
++[ req_attributes ]
++challengePassword = A challenge password
++challengePassword_min = 4
++challengePassword_max = 20
++
++unstructuredName = An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer:always
++
++# This is what PKIX recommends but some broken software chokes on critical
++# extensions.
++#basicConstraints = critical,CA:true
++# So we do this instead.
++basicConstraints = CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Some might want this also
++# nsCertType = sslCA, emailCA
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always,issuer:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# Here are some examples of the usage of nsCertType. If it is omitted
++# the certificate can be used for anything *except* object signing.
++
++# This is OK for an SSL server.
++# nsCertType = server
++
++# For an object signing certificate this would be used.
++# nsCertType = objsign
++
++# For normal client use this is typical
++# nsCertType = client, email
++
++# and for everything including object signing:
++# nsCertType = client, email, objsign
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# This will be displayed in Netscape's comment listbox.
++nsComment = "OpenSSL Generated Certificate"
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer:always
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
++#nsBaseUrl
++#nsRevocationUrl
++#nsRenewalUrl
++#nsCaPolicyUrl
++#nsSslServerName
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+diff --git a/tests/certs/serverB.sh b/tests/certs/serverB.sh
+new file mode 100755
+index 0000000..c75b00a
+--- /dev/null
++++ b/tests/certs/serverB.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++
++openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
++ -config ./serverB.cnf -nodes -days 365 -batch
++
++openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
++ -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
++ -out serverBcert.pem -days 365
++
++cat serverBcert.pem rootB.pem > serverB.pem
++
++openssl x509 -subject -issuer -noout -in serverB.pem