authorRobbie Harwood <rharwood@redhat.com>2017-09-05 18:16:56 +0000
committerRobbie Harwood <rharwood@redhat.com>2017-09-05 18:16:58 +0000
commitf6b653fac2245f542c4370319f252498eff1e9e3 (patch)
tree4905876e168bf796f3f0949df949314545f85b09
parent8f0349dc3ebd1e307b37ab0fe0f6e065bfe8291e (diff)
downloadkrb5-f6b653fac2245f542c4370319f252498eff1e9e3.tar.gz
krb5-f6b653fac2245f542c4370319f252498eff1e9e3.tar.xz
krb5-f6b653fac2245f542c4370319f252498eff1e9e3.zip
Add hostname-based ccselect module
Also update certauth EKU stuff.

Resolves: #1463665
-rw-r--r--Add-PKINIT-test-case-for-generic-client-cert.patch51
-rw-r--r--Add-hostname-based-ccselect-module.patch293
-rw-r--r--Add-test-cert-with-no-extensions.patch1120
-rw-r--r--Convert-some-pkiDebug-messages-to-TRACE-macros.patch422
-rw-r--r--Fix-certauth-built-in-module-returns.patch124
-rw-r--r--Make-certauth-eku-module-restrictive-only.patch31
-rw-r--r--krb5.spec15
7 files changed, 2023 insertions, 33 deletions
diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
new file mode 100644
index 0000000..e6fb895
--- /dev/null
+++ b/Add-PKINIT-test-case-for-generic-client-cert.patch
@@ -0,0 +1,51 @@
+From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Aug 2017 12:39:14 -0400
+Subject: [PATCH] Add PKINIT test case for generic client cert
+
+In t_pkinit.py, add a test case where a client cert with no extensions
+is authorized via subject and issuer using a pkinit_cert_match string
+attribute.
+
+ticket: 8562
+(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898)
+[rharwood@redhat.com: backport around dbmatch module]
+---
+ src/tests/t_pkinit.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index e943f4974..fa5c5199e 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+ user_upn_p12 = os.path.join(certs, 'user-upn.p12')
+ user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
+ user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
++generic_p12 = os.path.join(certs, 'generic.p12')
+ path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+ path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
+ p12_upn_identity = 'PKCS12:%s' % user_upn_p12
+ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
+ p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
++p12_generic_identity = 'PKCS12:%s' % generic_p12
+ p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+ p11_identity = 'PKCS11:soft-pkcs11.so'
+ p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
+@@ -284,6 +286,14 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+ realm.klist(realm.user_princ)
+ realm.run([kvno, realm.host_princ])
+
++# Authorize a client cert with no PKINIT extensions using subject and
++# issuer. (Relies on EKU checking being turned off.)
++rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
++realm.kinit(realm.user_princ,
++ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
++realm.klist(realm.user_princ)
++
+ if not have_soft_pkcs11:
+ skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+
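Review bot: The case added to t_pkinit.py only proves that a matching `pkinit_cert_match` rule lets the extension-less certificate in; nothing in it shows a non-matching rule keeping that certificate out, and since the comment says the case relies on EKU checking being turned off, the rule is the only gate being exercised. I would add a negative case after the `realm.klist` line: set a rule that cannot match, then call `realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p12_generic_identity], expected_code=1)`. The `<ISSUER>O=MIT,` half of the rule is an unanchored pattern, so it accepts any issuer DN containing that substring; that is fine against the test CA, but a comment such as `# issuer pattern is deliberately loose; test CA only` would keep it from being copied as a deployment example. The string attribute also stays set on `realm.user_princ` for the PKCS11 tests that follow, which may or may not be intended.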
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
new file mode 100644
index 0000000..87a83c1
--- /dev/null
+++ b/Add-hostname-based-ccselect-module.patch
@@ -0,0 +1,293 @@
+From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 23 Aug 2017 17:25:17 -0400
+Subject: [PATCH] Add hostname-based ccselect module
+
+The hostname module selects the ccache whose realm is the longest
+parent domain tail of the uppercase server hostname.
+
+[ghudson@mit.edu: minor edits]
+
+ticket: 8613 (new)
+(cherry picked from commit a4ddc6cf576b4155e6b994307902567f26f752b2)
+---
+ doc/admin/conf_files/krb5_conf.rst | 4 +
+ src/lib/krb5/ccache/Makefile.in | 3 +
+ src/lib/krb5/ccache/cc-int.h | 4 +
+ src/lib/krb5/ccache/ccselect.c | 5 ++
+ src/lib/krb5/ccache/ccselect_hostname.c | 146 ++++++++++++++++++++++++++++++++
+ src/tests/gssapi/t_ccselect.py | 9 ++
+ 6 files changed, 171 insertions(+)
+ create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index c0e4349c0..5f1de2e50 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -744,6 +744,10 @@ disabled with the disable tag):
+ Uses the service realm to guess an appropriate cache from the
+ collection
+
++**hostname**
++ If the service principal is host-based, uses the service hostname
++ to guess an appropriate cache from the collection
++
+ .. _pwqual:
+
+ pwqual interface
+diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
+index 5ac870728..f84cf793e 100644
+--- a/src/lib/krb5/ccache/Makefile.in
++++ b/src/lib/krb5/ccache/Makefile.in
+@@ -34,6 +34,7 @@ STLIBOBJS= \
+ ccdefops.o \
+ ccmarshal.o \
+ ccselect.o \
++ ccselect_hostname.o \
+ ccselect_k5identity.o \
+ ccselect_realm.o \
+ cc_dir.o \
+@@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
+ $(OUTPRE)ccdefops.$(OBJEXT) \
+ $(OUTPRE)ccmarshal.$(OBJEXT) \
+ $(OUTPRE)ccselect.$(OBJEXT) \
++ $(OUTPRE)ccselect_hostname.$(OBJEXT) \
+ $(OUTPRE)ccselect_k5identity.$(OBJEXT) \
+ $(OUTPRE)ccselect_realm.$(OBJEXT) \
+ $(OUTPRE)cc_dir.$(OBJEXT) \
+@@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \
+ $(srcdir)/ccdefops.c \
+ $(srcdir)/ccmarshal.c \
+ $(srcdir)/ccselect.c \
++ $(srcdir)/ccselect_hostname.c \
+ $(srcdir)/ccselect_k5identity.c \
+ $(srcdir)/ccselect_realm.c \
+ $(srcdir)/cc_dir.c \
+diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
+index ee9b5e0e9..d920367ce 100644
+--- a/src/lib/krb5/ccache/cc-int.h
++++ b/src/lib/krb5/ccache/cc-int.h
+@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
+ krb5_error_code
+ krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
+
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable);
++
+ krb5_error_code
+ ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
+index ee4b83a9b..393d39733 100644
+--- a/src/lib/krb5/ccache/ccselect.c
++++ b/src/lib/krb5/ccache/ccselect.c
+@@ -71,6 +71,11 @@ load_modules(krb5_context context)
+ if (ret != 0)
+ goto cleanup;
+
++ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
++ ccselect_hostname_initvt);
++ if (ret != 0)
++ goto cleanup;
++
+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules);
+ if (ret != 0)
+ goto cleanup;
+diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
+new file mode 100644
+index 000000000..475cfabae
+--- /dev/null
++++ b/src/lib/krb5/ccache/ccselect_hostname.c
+@@ -0,0 +1,146 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
++/*
++ * Copyright (C) 2017 by Red Hat, Inc.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "k5-int.h"
++#include "cc-int.h"
++#include <ctype.h>
++#include <krb5/ccselect_plugin.h>
++
++/* Swap a and b, using tmp as an intermediate. */
++#define SWAP(a, b, tmp) \
++ tmp = a; \
++ a = b; \
++ b = tmp;
++
++static krb5_error_code
++hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
++ int *priority_out)
++{
++ *data_out = NULL;
++ *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
++ return 0;
++}
++
++static krb5_error_code
++hostname_choose(krb5_context context, krb5_ccselect_moddata data,
++ krb5_principal server, krb5_ccache *ccache_out,
++ krb5_principal *princ_out)
++{
++ krb5_error_code ret;
++ char *p, *host = NULL;
++ size_t hostlen;
++ krb5_cccol_cursor col_cursor;
++ krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
++ krb5_principal princ, tmp_princ, best_princ = NULL;
++ krb5_data domain;
++
++ *ccache_out = NULL;
++ *princ_out = NULL;
++
++ if (server->type != KRB5_NT_SRV_HST || server->length < 2)
++ return KRB5_PLUGIN_NO_HANDLE;
++
++ /* Compute upper-case hostname. */
++ hostlen = server->data[1].length;
++ host = k5memdup0(server->data[1].data, hostlen, &ret);
++ if (host == NULL)
++ return ret;
++ for (p = host; *p != '\0'; p++) {
++ if (islower(*p))
++ *p = toupper(*p);
++ }
++
++ /* Scan the collection for a cache with a client principal whose realm is
++ * the longest tail of the server hostname. */
++ ret = krb5_cccol_cursor_new(context, &col_cursor);
++ if (ret)
++ goto done;
++
++ for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
++ ret == 0 && ccache != NULL;
++ ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
++ ret = krb5_cc_get_principal(context, ccache, &princ);
++ if (ret) {
++ krb5_cc_close(context, ccache);
++ break;
++ }
++
++ /* Check for a longer match than we have. */
++ domain = make_data(host, hostlen);
++ while (best_princ == NULL ||
++ best_princ->realm.length < domain.length) {
++ if (data_eq(princ->realm, domain)) {
++ SWAP(best_ccache, ccache, tmp_ccache);
++ SWAP(best_princ, princ, tmp_princ);
++ break;
++ }
++
++ /* Try the next parent domain. */
++ p = memchr(domain.data, '.', domain.length);
++ if (p == NULL)
++ break;
++ domain = make_data(p + 1, hostlen - (p + 1 - host));
++ }
++
++ if (ccache != NULL)
++ krb5_cc_close(context, ccache);
++ krb5_free_principal(context, princ);
++ }
++
++ krb5_cccol_cursor_free(context, &col_cursor);
++
++ if (best_ccache != NULL) {
++ *ccache_out = best_ccache;
++ *princ_out = best_princ;
++ } else {
++ ret = KRB5_PLUGIN_NO_HANDLE;
++ }
++
++done:
++ free(host);
++ return ret;
++}
++
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable)
++{
++ krb5_ccselect_vtable vt;
++
++ if (maj_ver != 1)
++ return KRB5_PLUGIN_VER_NOTSUPP;
++ vt = (krb5_ccselect_vtable)vtable;
++ vt->name = "hostname";
++ vt->init = hostname_init;
++ vt->choose = hostname_choose;
++ return 0;
++}
+diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
+index 668a2cc62..3503f9269 100755
+--- a/src/tests/gssapi/t_ccselect.py
++++ b/src/tests/gssapi/t_ccselect.py
+@@ -33,6 +33,7 @@ host1 = 'p:' + r1.host_princ
+ host2 = 'p:' + r2.host_princ
+ foo = 'foo.krbtest.com'
+ foo2 = 'foo.krbtest2.com'
++foobar = "foo.bar.krbtest.com"
+
+ # These strings specify the target as a GSS name. The resulting
+ # principal will have the host-based type, with the referral realm
+@@ -42,6 +43,7 @@ foo2 = 'foo.krbtest2.com'
+ # single component.
+ gssserver = 'h:host@' + foo
+ gssserver2 = 'h:host@' + foo2
++gssserver_bar = 'h:host@' + foobar
+ gsslocal = 'h:host@localhost'
+
+ # refserver specifies the target as a principal in the referral realm.
+@@ -77,10 +79,12 @@ r1.addprinc('host/localhost')
+ r2.addprinc('host/localhost')
+ r1.addprinc('host/' + foo)
+ r2.addprinc('host/' + foo2)
++r1.addprinc('host/' + foobar)
+ r1.extract_keytab('host/localhost', r1.keytab)
+ r2.extract_keytab('host/localhost', r2.keytab)
+ r1.extract_keytab('host/' + foo, r1.keytab)
+ r2.extract_keytab('host/' + foo2, r2.keytab)
++r1.extract_keytab('host/' + foobar, r1.keytab)
+
+ # Get tickets for one user in each realm (zaphod will be primary).
+ r1.kinit(alice, password('alice'))
+@@ -128,6 +132,11 @@ output = r2.run(['./t_ccselect', gsslocal])
+ if output != (zaphod + '\n'):
+ fail('zaphod not chosen via default realm fallback')
+
++# Check that realm ccselect fallback works correctly
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++r2.kinit(zaphod, password('zaphod'))
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++
+ # Get a second cred in r1 (bob will be primary).
+ r1.kinit(bob, password('bob'))
+
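Review bot: In hostname_choose, a failure of `krb5_cc_get_principal` on any one cache breaks out of the scan with `ret` set, yet the block after the loop still stores `best_ccache`/`best_princ` into the outputs when an earlier cache matched. The function can therefore return an error code together with live outputs, which leaks the handle and principal if the caller (outside this patch) ignores outputs on failure; when nothing had matched, the real error is rewritten to KRB5_PLUGIN_NO_HANDLE. A single cache without a readable principal thus decides the outcome for the whole collection, so I would skip such a cache and release the best candidate when the cursor itself fails, as sketched below. Separately, the upper-casing loop passes a plain `char` to `islower`/`toupper`, which is undefined for bytes above 0x7f where `char` is signed, and the hostname component comes from the requested service name; cast it: `if (islower((unsigned char)*p)) *p = toupper((unsigned char)*p);`.

```c
        ret = krb5_cc_get_principal(context, ccache, &princ);
        if (ret) {
            /* Skip a cache with no readable principal; keep scanning. */
            krb5_cc_close(context, ccache);
            continue;
        }
        /* … unchanged: longest-tail match loop and per-cache cleanup … */

    krb5_cccol_cursor_free(context, &col_cursor);

    if (ret) {
        /* Cursor failure: never hand back outputs alongside an error. */
        if (best_ccache != NULL)
            krb5_cc_close(context, best_ccache);
        krb5_free_principal(context, best_princ);
    } else if (best_ccache != NULL) {
        *ccache_out = best_ccache;
        *princ_out = best_princ;
    } else {
        ret = KRB5_PLUGIN_NO_HANDLE;
    }
```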
diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch
new file mode 100644
index 0000000..3734700
--- /dev/null
+++ b/Add-test-cert-with-no-extensions.patch
@@ -0,0 +1,1120 @@
+From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Aug 2017 12:33:33 -0400
+Subject: [PATCH] Add test cert with no extensions
+
+Add commands to make-certs.sh to generate a test client certificate
+with no certificate extensions. Re-run make-certs.sh.
+
+ticket: 8562
+(cherry picked from commit 0d23835660ab131d244d395e4568969b5c0dc678)
+---
+ src/tests/dejagnu/pkinit-certs/ca.pem | 32 +++++++--------
+ src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes
+ src/tests/dejagnu/pkinit-certs/generic.pem | 21 ++++++++++
+ src/tests/dejagnu/pkinit-certs/kdc.pem | 32 +++++++--------
+ src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++
+ src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 ++++++++++++-------------
+ src/tests/dejagnu/pkinit-certs/privkey.pem | 50 ++++++++++++------------
+ src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 2837 -> 2837 bytes
+ src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 2829 -> 2829 bytes
+ src/tests/dejagnu/pkinit-certs/user-upn.pem | 30 +++++++-------
+ src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 2813 -> 2813 bytes
+ src/tests/dejagnu/pkinit-certs/user-upn2.pem | 32 +++++++--------
+ src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 --------
+ src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 2829 -> 2829 bytes
+ src/tests/dejagnu/pkinit-certs/user-upn3.pem | 30 +++++++-------
+ src/tests/dejagnu/pkinit-certs/user.p12 | Bin 2837 -> 2837 bytes
+ src/tests/dejagnu/pkinit-certs/user.pem | 30 +++++++-------
+ 17 files changed, 174 insertions(+), 160 deletions(-)
+ create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12
+ create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem
+ delete mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr
+
+diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem
+index 44c917687..f7421ba02 100644
+--- a/src/tests/dejagnu/pkinit-certs/ca.pem
++++ b/src/tests/dejagnu/pkinit-certs/ca.pem
+@@ -3,27 +3,27 @@ MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ
+ BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
+ cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl
+ cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk
+ byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+-ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN
+-l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC
+-7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4
+-bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs
+-Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM
+-bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO
+-fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c
+-27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0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 dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ
+ bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0
+ IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE
+-AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM
+-TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80
+-83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e
+-QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91
+-dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE
+-AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m
+-kMz4Jq4cnvpz
++AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY
++/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl
++k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU
++7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4
++Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH
++Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk
++qlhbJdEcjHr2
+ -----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8
+GIT binary patch
+literal 2477
+zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@
+z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=hx$=L
+z1<ixW0s;sCfPw?a(gHBV*LQ_7OvK|HbaN^W^@n_~M?&;UFQ(vuXBLc&;u~(t@2A_`
+zN?~wJ?GFR6qa-(OLAF=pT)y15jOd>6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV
+zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$
+z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Q<eKW?|>j#E{tn`2{H
+zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#<UsfX*Vr)&0;G@6Mf89D!
+zH$DPc!csOKzz?2oPfu?Y$m&s>V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR
+z<Cze2yADgeOah3?RT8`UX$Mg(o}{pXQCI>E<@*23b5&ny_nUSu&QRYf<9<Br<4Sz}
+zu(qTFtQT~xHNsSZ_{J7Zq~#p(OzhU`O|n5it<yUUL#qC?MmT=@8vZ6Ca<ocu-6Dr8
+z4-Z-4`bPGQD~=PUDJSLO;UOIpqzkR`B-1J^@U90uaBM9eQ6oWbIdBxD$^vC#oJIJ9
+zk#^*H8=MbfbHZC9l8dBrM`T(28TXvNeEC~K+UQhg#5_uyGA>ZS$K+zIxKS{-TDjaw
+zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_
+zV#Eei3)wjY67{AC<7Jdb$1Dr<t;^O$#NnswD<9%3Loosj0sQS~YxCP@d^)K;FWe$3
+zJlGuiSqmn9lyw2@_(R%?dz(EjH#!JRSAk0hc;*ufrtQcRt0R@yV*5;Tz7&JL3|!y~
+z`Sj5k6pFX!?J25fU0e!Xyb-jrt%pq`TD8?dx$|;fgCHJ@Cx29TMN5(FR-Zccg^#tO
+zarkYUa+_;I$sb=t-gWhqyW`132nt>skBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a
+zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh
+z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS=
+zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$
+zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L
+zNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg
+z_YDCI0Ru1&1PE&M1&nJFpMC-Y2ml0v1js4*^UmfbY1m7h_actRaA;dGKozjwpW<*f
+zLJMkle=~hq1K8<clzfxiE{Y$XU(^23k(PS;Z#$1b53eOu$H%4TBn-WT8P>i7=~UOR
+zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q(
+z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8
+z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp
+z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC
+zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{e<gY9n1P=zK^~MQD(Pb<NQ@
+z)$hO~Ydw`k5$aHcw4Y{UbEZ#qDNfqgn?l^o_Zm`mSjK{0!%3`4M>S4V-1zL#^Hl>}
+zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`<v;BYz&F-+Y#-4VY%?rkV()Udk)B4K~q@
+z5|7$qS;nPsi%nISI2ytysTp#!J_~^sMWt)mxd$@4VU(>@TU5bt()(#ACb9{Y+&=*3
+z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)*
+zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y
+zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#<?yoDM3e$L&#5x9uekTVOc*%sW8kEM(_Fo+R
+z>FU7a%regezQN#<IR5;9RwiRTB_fs_qlLhgjB6k4n1OItFvz)AtQvTQajQ74^GMk+
+zyv!~xR0*ak9$s!5EO;tFI&e>m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X
+zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN
+z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy
+zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ&
+z%}Cbjx7lK8O<X)~(Ayl=Q)OSdTE?AEfkl&l)>xbcYY6+T8eDcs^;Xvdw>6;}lnp8q
+zOI2Bf<p>+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^Avux<n?`bX_-y*qM
+z7-)bk6U4W0{#2(JPIO^XHVV5PUo$Cbs#&0nNI9sYiMd%^?HAW-8>K!KnnF`7+J)np
+zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6
+z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt*
+zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+
+zEh;f3Fe3&DDuzgg_YDCF6)_eB6o<o$W_TL6&4sv`u`-io>fmTa$1pK4AutIB1uG5%
+r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be;
+
+literal 0
+HcmV?d00001
+
+diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem
+new file mode 100644
+index 000000000..706c2f341
+--- /dev/null
++++ b/src/tests/dejagnu/pkinit-certs/generic.pem
+@@ -0,0 +1,21 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem
+index 8820ad447..4eb811deb 100644
+--- a/src/tests/dejagnu/pkinit-certs/kdc.pem
++++ b/src/tests/dejagnu/pkinit-certs/kdc.pem
+@@ -3,27 +3,27 @@ MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG
+ A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+ U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+-AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35
+-jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA
+-wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7
+-uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl
+-bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b
+-TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ
+-DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt
+-HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl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 dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg
+ SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p
+ dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E
+ BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL
+ S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG
+-A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i
+-Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b
+-JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn
+-7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz
+-u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ
+-fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq
+-AC5jSAM=
++A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE
++hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR
++rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga
++JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK
++ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6
++aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD
++GjaSlyc=
+ -----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
+index 0f07709b0..f77ac5813 100755
+--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
++++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
+@@ -164,5 +164,14 @@ SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
+ openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
+ -out user-upn3.p12 -passout pass:
+
++# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions.
++SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
++ -key privkey.pem -out generic.csr
++SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \
++ -CAkey privkey.pem -out generic.pem -in generic.csr
++openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \
++ -passout pass:
++
+ # Clean up.
+ rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr
++rm -f generic.csr
+diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
+index 837fd0b01..ee35e5cdc 100644
+--- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
++++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
+@@ -1,30 +1,30 @@
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+-DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D
++DEK-Info: DES-EDE3-CBC,7DF54DB740F92845
+
+-S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b
+-/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA
+-fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa
+-v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V
+-eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp
+-nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv
+-m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk
+-MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/
+-WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C
+-SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0
+-Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr
+-LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw
+-yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN
+-6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz
+-3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE
+-qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK
+-k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8
+-4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt
+-Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo
+-1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu
+-rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te
+-NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP
+-vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk
+-vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN
+-p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA==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 -----END RSA PRIVATE KEY-----
+diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem
+index 7e9beb09a..548e5a8d5 100644
+--- a/src/tests/dejagnu/pkinit-certs/privkey.pem
++++ b/src/tests/dejagnu/pkinit-certs/privkey.pem
+@@ -1,27 +1,27 @@
+ -----BEGIN RSA PRIVATE KEY-----
+-MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE
+-Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW
+-1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV
+-+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn
+-FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv
+-O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw
+-EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8
+-Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr
+-pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG
+-hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY
+-opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl
+-bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx
+-Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af
+-RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu
+-okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV
+-n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D
+-27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj
+-1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL
+-gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ
+-hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp
+-/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q
+-ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw
+-KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ
+-S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I
+-MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb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+ -----END RSA PRIVATE KEY-----
+diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12
+index 049602939def4be1fa9164649b39a801f417e74e..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644
+GIT binary patch
+delta 2706
+zcmV;D3T^e37L^u|U4IAu_0R=Q$07m(2mpYB1u!tho?ixcuO0j=`>lGTs)`UgGm<_)
+z<FRqmWn%pS)IcQqE4xmjt^GWpkjN3ilU?#<{lsF^SOD<gXN+Nnn&oDodfIZcOm95&
+zxqOL=2<PpBiz1xlP2w^J?hU#tjG(#fYuRK)$hH|CSktq&rGM>pKPe)yNdVeYJWc`4
+zF|P^R?oh5stR*_(MT+TZR4{&W9qoqi)f&pBxOiQbYZZ1lmQ#Pc4q?TD!0ns{qlu}U
+zz(Odv2K+dfougnpE_VouJ0!M7bt6;%w@&*9{%SfiDrvUdRZW6CSckeD^E--2MzmZD
+zliS3w_y8kT@PFwptW_3@*xAKJ7u%{U_HfDf9jg*K{X<$ZK~Z=^`bq{K)M1SMGVQ^?
+zv#j3vs0HG{<v$_fwY45d{sUgr3KaH!i5o@ZAMdT*w&mxF{Bd#6rGd;cFHuuC4QyuU
+zWtK?T7HAci4IWSwBKqRZwD3!ugQY3y5-k`)`IBm*@PD&ZGo`zmy-UI%qVb9igw;ag
+zu4B_@oyd4J7|V#YG43Y+vphe4A#je-(nTPkFo#R}taq_<^zK?vpm!XU`1Zp+!#lbp
+zG%{BWDc<5rMW=rcNP_6N7a%mAel7zGbB`-%;P^1!*=KlsIsd0X<pM*pwtHLDlro<b
+ze=s6MIDeG9)y*e15CDpUpMUn0Y)uJtr$>g~oN&R6F<awHk=!m#yDWlWY*|xM^~y!w
+zP?NA5+*91PhZbIr?zRQ>PVPVchC^z{P@wq`t};KFoH0iPJC$e?G@1S`jv>DCV8RB0
+zmIsXlD|}<<BT(;Y4o7mvNXIChmBSuu`mA;5dVfJn@D&$8mxu!CY&vd%Yc63nwX|?Z
+zW~9`V$iKUJy5eAfF0@Ib<d1V=>)cCDUm$lZ#mt_Z{Bv{YU=x+<ZS-0J{J!ZZQ(GK7
+z|1OjcR@xi#na~>YDXTvPmRZqmcS<j*C!aHkp8o-gk;)F1tJd};GD$jhMd$jX4!5ul
+z`F}C|j}0uLhv2;q=pmiBZlALqVXC8E#FvvJCOpB<bNI@9?`RbDw%hQ0)QL&Arg;v)
+zW%kK_{9q)7B|wZw*cGeYcY~GoEHFO>#sZMLcxp_X>UsXy*q9%5!2Sahq`0+O!z?}T
+zi$jc*@c*4b82s)hz9gxO-sN=XmM&gwlz*+BOwds}(8bcfnOwG9>c4M41I>BdyIE6(
+zXbn>T;bsx#*{293>WqA>Y^T8DHfefzJaoF~ZIQJHExS&`Tva3s7=r%MBNe?|IHadr
+z<bYYwdzS90PBZb$HW->3;)tG~fkk%kK$~?KlYIw23fnj%9teHJ@ZW*2W?&0_g?~!F
+zv4KH{ocV+%s=kSCbfuiTU@S3?HSk;9`=V>fXAVPQ5yJ-A3VGtMn$hyJjBL>)Xat*f
+zk>LDwCgwH<7MZbk%enw@_RMCIr@ki6QHeb<ZSI2Tg_@M_F#R~{fk%G*ru^hD)YFXn
+zog`24=6ZBt|My*tX%=$=_ORincz=V>;WK_J`RwaC8Mfd`O!Ox)RKq~fUu_iU>d?3o
+z{a5i;hDvlYB>6O@o?_&bd+Lyi(>Q~@du=M6Hgdv6`ogLgF)<s{P=?1wq^3R3oyfZO
+zbU&yzwLS?ml6xI2>jrfhJv2PHS&O?EAOq?#SMnKNcb&pBwlq5g^OegV?n;MEw^ee;
+zNAm2zd3N1vCWnEDkE2q@f3WB!pgs=2pUxlBhb1$h(bH{Eh$P!rF3CGZuuACYydD<L
+zW-1_YK;I*vlg7MZ@YgjGlbr=de@mz0j%31q%>n`l00e>r$h%Gmj<@&l(&Xw}Eidkz
+zz@_D66&yL_Rt&B;1I)=kuf6ANgrS(5a+rcm&O0Um(1W@-qtpcTe1y@SR`1y2+!Bjk
+zQw=o(lgh9Kq4o>zszLR*B2s9LY?-=8`IIV7);U#dMhstBw7oiDXdQhCe+i9pk0cnV
+zMlgF0u95BdPI`jmlfO~!!}altl{kMJXBOyAE&JL=v<&Va3rMzRzEl_6c~VY?np>Zo
+zc?iAu&Mt}Dt}KDnI_!(wF&W;btDeR~!+4GFOI$qsL2rSj&Nf1Z`%l4{qYJ4Qo$_}#
+zJwxm6gK(!^XH`H3GDvYMf6ZXiHexfG^(D-Fhn88u;X368WggB2*>Np*Ni+Go9sUe9
+z{=o5{uwK>`NVcYMf4tOHNIsnqr!Hx^gA~eWZks4J^1j{2p{HG?g<?E~o6sHc!S~?s
+zB+QE!wBL$pgL~a2`Gd}kZ`%uT`8xyOlaRtci4z_LBw0;Cy7Ixqf2yGApSm9WGwVIJ
+zi?Uc7g_YO=6jlc7e*H748fFE(QJ*Y5Urg^XW-BvgmVe`wf%ezDyc~gX^?HDT6-}`6
+zU~C(o@sYuqEBql@`e*W4>@>qFF8lS7+k^J`&{T!%j#_zl8OmX0^a|L_Hb^Bf&;C%^
+zDRf4UJIncVpMKi6e_p<H-YD`KcD>tRh8&L~a0c+OZyUh4xk_H*ZiVT9oPj~^=?cH{
+zvVq3YVa|#w$>d?3-K=B$mSiz|5L=0aU%z0r5=NXvy%;*bv}`8zSe%or`$-|90;plD
+zBMc35ZSO>Cs2V+WJaJ0#L+Y2{w9jWYmI~V$Xh0U}91I|Pf1})&1-$>cf4IK3av<t$
+zEFr$Z|IWHRHIHp=dKp<UZ=^0juJ@1V=q?z7cscNH6)ebp!&3X?FSvs`0>bmhiO_QH
+zUzb|*rY0bBQH(2Dz0^m5V`6s!4}lu+2Z4sL!Z;_w`zlgnxe2p>);eKXeRgPbE8hM)
+zh`oOs<_8p$e;6ws?`vcLw-*IKpOB*Ser86?AiRqkbxtkcVjVI7;D@#G#Zz{htm%|t
+z{IL@z9azcPs?vP_JN_heR0Dg%Z|rV#jIu&Cz<+D|zX&(+Uz{)Hp2UasosM?7e~B}}
+z@Uc>9Lbj7eqH5pI{>XB6W3)`4gbWgDP6bb^t$0U;e~hQjWsuc=W%5osyn#COy+0Wn
+zfXyb`UV#nIfFOyKcTxpXT4y|ytF%_1G!x9h^LdFL>`qCd-xJuFe=Cka?oHZzMvv?F
+z4Tv$#KpEY*>=SF~eJrHN-&}^_T`nbeQ#*zvBRah$g$#AJtiay_Dr(%Vf`f5yT3Wx4
+zPw9EGe{U+zCREP#EnqfSUY`b6m<cNYbVnYiGk^ZgQ|{(}5{>lSFbnd$rpIUC2?Bx*
+z&*ahaHlnLZq_)8PFZU&7S##TPwtTI){S}rL@XarlH4%tMe*>vZ$pfl61)r>6REt#6
+zA1Tmhn;*&xXn8IimR;1v;fwKcbLt}hCu@0Ke_$`LZOuZ5IpYkzdoDeo7LH_jdX(6n
+zI8<+LlcXr9=#AM@2Sx-NbWd|hrC&4HEsn(_cD0F-dOu17hU<54gBG6YK=4`U_l4`A
+zqM(8cTN||R5H++bkzne?q5MIh^^GwlFe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8
+zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00b00NU*E?J0(4Y+o=|f0;Fia+%K{O2)&NJ
+M-JAb8(*gnr07yzcC;$Ke
+
+delta 2706
+zcmV;D3T^e37L^u|U4QCIImcZ#q51*>2mpYB1u)u~5}22I=HT-d(%(f9DXV18Kbvj`
+z^Vtj&rJIy-KS(<%B=99oy)c{aYIfUfQ83DHHOZ|j5N)Uw`u|wFUxcIoSdpz_?)9%H
+z4jelm#2iJczX|~|@JmP%-E7N|LSD%0aE|sR%YoM&yhB@K41Yz9lq-Pj*c;G_qu!n*
+ztG256pZmHRbI1aKr&uCUv>WoW;LeiC%96yY!X+o@FzzAxrOHu)3g?VLl=`oYO=8u*
+zFUXhf-E-pg$i=j~J5AnH&n@YvQR-2plWV!|u18vsOGavYQq$5K0c{Y)cD=>F@sB1~
+z#Ce~xs1%rGd4G(-!z|O%#O_xY2j{voND30(DGP7NkMXu3u$QVLc=<PneBErXD5iSP
+z1|6E7Bv#I<og{^~mx=0aIaxKcopAy^OZwSjpjcq>J6%CHpuQKR%i~VGy#97gZKGgC
+zQ)7)_hvF$URord*Z(4C$&;M+0oSafecrT1A>TOAXhJPO!S1Yy!|0t8mhQxU9F8H0X
+z{bS7WoDJL|;>UbB#Q8kT45pQxG--}vOh}`IjL4HRI%JT7=!MOS_w{ZYQc1Wgh<|oe
+z$UCUD%v2lcu!NkaS+WPMqtPJpP30!cLsAAZhJP@(6PFg+r~_<<Zrr;P9lEz#(%Z;m
+zfv8p~D1VP2gMU#hP$>zPu>L)gER|-RptQ7t2T%-w$coS%U?y2ty)u$&%U58*x^dW7
+z`SK*%R6K^ppp&Wo_dd9jlUx<%Ga!U2uD9oPe){W-$sAC0PPA!QYj{>3|COVWx@pS^
+zdR%$)XWB=Qo{$wdCUX>$?lfD!Jxy3?UC2xmiGLhV`RaM#xn>#Hl~j;aRu7ujxtJdV
+z5)OCd6$2Sv{U)1)H|`*tznwIA_Lu0xM(g7cYqXUD@0)zWD;@cM$iz>33hI&n$WKkI
+z?VwZyL273la`IMNy;tYMRF(sMS(#LpN^yUMz<cm8)DJ#CU2=Ovvq80$W(1vTor%q$
+z=YM382?dMOVa9W2rx|t~XVS6#!zj1xPiZvjC=_qRIP5YSkS;dG|Dk7HU&p}?yDVSM
+z`R1Wx-UX(PTmU0?Pk@qG7m>!Pw$N2vcnTC~i=mtZwXPXpou2Y*IPGGimihPbppn_&
+zRXBY89ppNtTpqy$L5I&2jYQ23<2e0@(|?7`1y<Vp?bfDKgbA)4H>3bhH4C9A`JcTJ
+zs*Mq{z>yu<Bqo>s8k4sR)=<1ex`9V?dYzv<wi?S|Yy$M~Wu8M{08LMR;2IR8^$Q$4
+zydz}Go@1Gkk2t4FKhBK{;oy-Q&lX{Zg04kgsMt;;CMI>H0P5C26D4493!(r1*M9|H
+zKGdn}<Tf+n#Eg+khGTN%ac_3+cLthh9o{CEDk`9h*DId$kof@yIf2;x_*pQ5S6n7g
+zlZFWx3AW0N;eW%x3z+E`pjETVWP9=tixcM6e^Bc!be?m`1Iu|KU%15>RlVi8Q0R29
+z1>lc3?jlMQ$F%QZs$yVaL}+TuF@LQ*|2oQf6gad;5|UIfZNwdOVy>MTwDGXK0pZYq
+z^=+s6V0xCsmO-;{zxI2J?FM61!lojJcLxx`>wst*?}YyyRfPPHWL&x?0k-<<U1sv>
+z*`9-8I`q-`7+Q?mYB$<2tLTxDr(QAj_V@HuB~m*PuA2~|AbRG>SaP0yE=us-t=HQY
+zg~<|Cdt7j{a<D4aed{z$kCGud&s0Ag<x2wqd+jCl4*!B<oR6tMKo-wxjFc4Riwwkn
+zyCwjj$)TSVL>8>OwxZuklbr=dfAs{AYygi_jsgM*00e>r$Ow~3k+rOeO>(s`grF?$
+zJG{bdqli57x@xMkpB<fy<Lo6cgh70L^STB_45P*Bn*Uq4Ha2~?hW?grDTiTyXon5m
+z#K@XG&SjkQe5~|QJKu<skpZ4f`=^s;Trzq{o_7h;uJJvQBYF&UBTD1Ee*v&aj#+mt
+zU${;-Cn53#vrQ+>3?9W>*jR4I((MPl$BvNhVhbw?_vgtkh{C4|j=)L!maakLdv;I?
+zQAlp`ykIYDUK>4ac3hrzJuJgy{liWNPtKgm<L<)09Hty=HS9Q_F0`w8#txj=jh-ly
+zra3p!xaGrtDfLxEySUiYf2#|TSjfBA^+g%9Z|7TMK}SV+du9lVmPc7)<Di-N%VlWO
+zz3`)}m~zRj#a8xX23>w!Von2J<Sd2XS!mT)SfJVanq=#{TOt`4gYq)4>@L_?kwdzL
+z*LC)1U0nZwV%P}Nl}uhfIo5hPM76mjv_P&mM&vHgsjqj|mewKje*}5b!(zjO+??#p
+z^+fSxFa#sKMfh^V7pW(Q%@sfS$_a6jt%35LjT(p^IHot23x3e7QBt|q8Bx!}hMy)p
+zjHIkywUCO1=vwR+a-j{-_L(+dG~7>h(22dhbKe&sw5W6hB_<hi<z63{^)|?nUX5;F
+zCF^yMiAwXB^Uhhce;$`Aw|NJa1X>qBi~5%<dWS!%uj;AjRZV8jIy_*D)Y4Mjm*9n)
+zotNkeZRN06)VQiJEK2Bbw9a*c!sVJ)edN}W(<8T;$<Ozxsafe-Tq0O&dT%66!3%wN
+zM>rNy$JlVt9!<+)%x(%&o+O+@b0ergOVP5w6uAeaVE|mzfALIEdE(~%cE<pWNaBWa
+z9BnWB1y((d({Pf9#6oq=2bTk<08butC+-0JC+PzSPgzCg3BhuzQvF`qFSTk;vHC6E
+zUEk+xB+0d10>j*Nx1l?I)xNe5I~CB-XG7RdT=};;vL@W}qgN1X%CMMTb@z`j(^Hxg
+z2+k}O+$v2Ie|Z5<UHNtJx<c;*;WQ}Qr`3^+V9N`?D1xWpr^Y~<r<a3A6E`%`iQNya
+zV0!iz{z8I6m#3SF4BNh9=AnBYI7=0ht+{Wwp+Yr}ePB^T_i>?WpteEE^-jk3x*2kq
+z{l#-|^i)J+)WGL>*FSJ+u}4ad5!Ni<Xq^EsWS5!qe*;!SD08O>RTj*bBOEz4N1ylP
+z>^0wkW58HZsCHK&O*4YkvSMBQ2tO%OVIE`(y0uWHS!>4~{B#t&21e9&djORBw&Q`g
+z2)Kc2)NTqH_|x#q1O6HWS5W|}5BOBUZ%Vo9Qw5NOKV&)yHS`wX<ZyU+nb{^7us0f(
+zYJWJ8e@p0!{FL5ozk+<7*aJwo4aUCxiwU|)jVc0O!}g+b?Vin9Y$X){1#-TO^~QG}
+zqQ@F+YJTLY+kC-~5fBJ+0JUz@M_P5JGWV@hPB#GZ5-jFX@L2863Nn@opQf6>9$DV8
+zZ6V?M9adFv7f3LmPCzozft%9ptIIDEtwklxf0b0u(0L&L4qp#ge@p=B*bmxjw(;PV
+z;Cshn-XXPKyoA+FG;h}OQpsj+-)bhjhBs`0k|`c7DQ>1~Bt@|RjJJtP6KC(6#0L4m
+zt*tS%Rdoj>M3SepE)k;MCOV%w_xv#>Fe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$
+zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b0Mw6Ml6`rPp>w1kFoo;UO4PXV|D2xTCM
+Meh!`itO5cE0QPz^F#rGn
+
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12
+index 7a184f651e50d1443e5fe907b5a11455d69bc0d1..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 100644
+GIT binary patch
+delta 2698
+zcmV;53U&337L68=U4J7*Cd0h`aFqfA2mpYB1t^AZ29wx*eOgc}d`r>Q7K3iXfn7bI
+z-h75b<#ho7#K*k@hvV0DY72<m7<CrkoDySrRb|_gU#{1l>cD-+GQbBx+_M+%n71zn
+z#X29cB(NtFLejt8_}`1}u<)0Fa|N#PFrop1;9l4e3fW%n<bT90_cK%bgt1P9Hhsx`
+zM^##Ak426pZRux=z(6>Am0812NzC2PWtG5Q-Le3SkbJQ8%$`CRQF5lvDMt^VA%Nf7
+z%gqA3e;};~*2a*2L2#V&7p#=9h0m8OkwZeltqP35E+5dzCHJJcdi2I@dxk4_kjEOT
+zj0U8U0++mnH-9@Zh;5`5me2`GT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ih
+zN<?fbl(V<zS^%h@BtBkhc3fh}AOQSATlDJ_tX)Q^v-mNr>^~x-hZKe}PsA-74%;xY
+z%1B^HDt0=soP3^{EKJ)&_b-pfV8cwL_(1dml;Sji;(r9YP~QfvMIR=;$|FM4HE^b6
+zOll6EI_7z*5>D_vgiic>K%ddTL?+VkF!(XYy-glao-W+_2?bN*!b-%g<xEJ<fNF_H
+zO+|QOI+nb%dDM;5^9atuOcBV!FGg>+(*LW1WU#<n%`jfOTx*nckodZ(;n0s5CP<`2
+zqZ95dX@6b??`GBID5A*hm06y8>4Df_kOw0G_-qaOq{v+SRpmK1m*tb3kPzLIGjVa^
+z2hUFOzaEpi%o&g2^lIMNwb&tG?#XFJz%l4U56fY<Ke<G*%C{41HO=~>`oz^klt?AK
+zuXwGHf}vN7zq;z1mdw(fafua(ZnorQ`;=s@1b^+)-r`oP1|(c=7dWrTM*Y3X!S+-s
+z6yvzsNy6{reSb#uzqXA*j?J{*SW(elo9x=4Tgvmk7340ZG;`lvBR3tL)<pYW%va@z
+zkyRam5#4!yrgvAQTdV!Cv)`v9jNxm6cnrRnCOYS1`lNtbeMvwdY`$T%z2c2?KUYtH
+zuz%y7Pl4UE=`AdyO-Bk(i@@FZ$jbcl4D`#{qivoo@^VWi^8*wNhWHBcM9aZ^hO!59
+zZ!na}k}61}C|dqCeZzOBk4C*LcK$Meqy0}?H22^^RdJ=i>)izIU+caHn$AdqnrQly
+ze+yjHVauRy-|J4u6<7{TTLNDLr4%Jx7=JHGUoO1>1Jcfv{I7f>&cx$XLd+C6{T;$@
+z!JSbO;_3Sm(&oAtwAZTwA;<mi#zlL0dc8tNX$Jf+i?!St*hWr@1F>V25RbO9psZt*
+zln}2yx+-<d?bPAfj--=;${{Kb@G`=-!S6}r7<)MjYa<;579RL^yjjX^${dY$6MrYr
+zzlVM!*xX>4*YnuuI!9EkI82olCom|r^m3LOkVwF_AlZNQc;2PpCjjVZX)YexUPnw2
+z_$_(XXS$6%xZjS1<a2EF+>3_#*rgWL;?J<7vhZ&suuk^}1zTKrxKS~8Q14u?oGg}H
+zlv+EHsJHLYhdzk>*1*x?GypZ%k$)pPwmu21v!s;VGk^k+YzPtgAL>R8DmBl>#+JNk
+z9u*4ll2JG9`v}C4*CP{?T!#_a+ScwglwY1hLX}2-)3S}nNh}9HZ+}fv%zwfwr^~k!
+z=rp+UoO0)meUalXvhV<156HPdXB0C2j3K;I>+=s(Buy-477<Fc{D0(9AwpuM`R9VR
+z9PsG*j%Ivf^Frz#{2>MAi_(gcw~VJ;|J3AUk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0
+zTK$e}^K!@?la&QVe>VvCGU(Vo?g9b`00e>r$fO@bT)QV0_0<G^sZHmf3XvyfIRJab
+z-ya4C4tq}JH{5aDiZ3>B1+RtRaRQU!+^G+F8ByUATuiqPku)}3=nLROGQxsSbkkY-
+zasCODE@NO&{NkW~>X(G9%rXzSV@mm{^~LPTEK*0Wm{&=#e~+kA6Ku&p0j~W>F>f{_
+zePAde#=SNS#X0&z^HzqJYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8<?>XaNZw=|8qY
+zljvN6gHeh`L<o8Y#K9sZF8`^13QskAk{EVWasuIliOF;Rt+{0Zt-~QW63s&JBO}#~
+zNvCYLXQM^*e~3p4N!}m0BWmT6;WjhA5*!&#*e7Gu&6XY=wvhDu(y%oVJ1s-PGX4ij
+zXqr9zPp0<r?vuSR4TC4!uez)NW@`~s;F;ul=-M;eIElopsfJ}!`uQ>6q!)aIAW3M|
+zku8zI<tH1aMM4vr_wv;<iz11{WcdW0o!2OJ-2+~ee*|4US~rc7Et<j{4+Y|KQD2F^
+z)s#-KF0s5@Oo}QU{5nBSMSmDA+p9p!yaBC-Oni&ehVY8&eYvnxxOmI<jY++!4od;c
+zp3^d(-mSd9c-p-7P%5T;CFi2D5LnP0he&HzK2363zfQqt{#6>LVI$GTwtMdU?^96#
+zg~=M+e>pl9)d2Z?X8#?o-z0==7jEP#m#A>bdA2062BlD8Lkw*A-P*PsR8T~|$qx;D
+zg^_hvYQOo650pOQ9dBiuA#&WAk;<iQ=<ZsJY+tq8e+huVYS68}J0xYun`heXlCUm!
+z%~fC?3MQi7{30qvjj89wxizI@w&NypE|_9)f6J->Ae&G*Kp;Mz#)6aM7P|YSDn6RK
+z2FMmd^WV`rg9qo0*gPnx{M#w}w_jIXLt?Htq?997K%)maV%KC#Lbt!#l8-tKoQ$GB
+zXi<lvE$Shpilmp#>H8|epkkQXRPYNxML#!2<!VRX2W<(5#5fRI2@pU+*QzOi49;)e
+zf13&wDfc#|IiXNA?LuIP__A%wm@Zei=zp9W1Se0xrqGS%w;uT!na7^ABSo$q+jZ?=
+zkswUneFd9q?_0r;>-7pL2YG28Kjpo|2b}kK?f)J1gPw({=3$W^com8c3Ye7dJ}RHz
+z*vvJzwpsR6M44c_{jk~~Myb{^rc(sqe>x=O*QBRH4UGQB?z&_Bm@zH!#+>l)4pTGr
+z&x}!IZ*t34iEdy8K1?hC686S+fvw2MM4b6|ovWo{VfySc*qk^hH|y;Ox->fB-fZW3
+z9P`l12ah8*RP<o{BW{s6Md!Ac8^2X*$0PHI3@`Q7+0!@Lu~mAMJxpi_YUFJ@f9J@3
+z#YV)cj%xne*F9=@-d;%rPLF}n`r}ShJe1f@1;2a0c$$41BVCZigvD1y<>-+LVYybf
+z<$s@pM^MUhoQy-XmtfWe_GYFerm2qLg%H>?7HBLGv~=PBmQW8Ay#|QIkK#;jO;$81
+z;E<E=M^Gh-%%k7ms;lw4%QWZsfBvWa-S5l}Xst4(OaZ9=8{q4Rbz&hg7>c&>RSgW`
+zXj?}J-UUPY8f7(HIC6UZ<GEgySt{jX(*D7pNm^+n7dc_aqbuKBoY22Ju~+3)gC!R3
+zvHL%*8`1)2{VwDdmeMgLFe3&DDuzgg_YDCF6)_eB6wYL{lSXe?0vR^VJTME7{?XMl
+zFG(;lFd;Ar1_dh)0|FWa00b0v-Aj7Fz7H02I9qPM%e~Mkh#kxX2$T05m<n)RnF0a`
+E0Gb6l-2eap
+
+delta 2698
+zcmV;53U&337L68=U4JX$u%YIJP8R|K2mpYB1t=Pbil%X<Mkmo}$31(V-T8%g@`1Yg
+zyS#V2y$w(dF1u?n5MxMnkHAA#Yi4Ip(_Ly3`#cW|>GfOfO72c@ABwq8tiZ0?s3(7$
+zxM}RzJuAa0`@+dpgSHC=ye;ze6=fI5jLQm5(4O@ywKR%B(SKp;94zpF34Epw$elea
+z9!~P+<xt!c=@hl@UE^-3pOZVIzB;kID~R5OI3Nfc6zVwOPO=O$_s<)Znw-6`&kX(p
+z`%Jk~Y$k%11Gx37zK{thwwsZr>oiqK>Q_>yAd4Fbui&Gbz+?SuIr3+{gn2}D)4zKA
+zw6q+|xyzFg{C~CJ<M--o&FZ5lwtwQXK{+>Xs@2^$asn4KAS;Hr!s53%;M>!4_lI!j
+zE@siDP@6({Y?SkW5h+LdIH$!`_-XqxelFC+82Tg$<j0o^9h13)Y784=ZqHptd!}0}
+zPzj01BTTUZ;@BJLa?c^27)lC(taoyo<V5wa69e1p;D6s=z^ogO1@>EY9PMt$UIeu5
+zj=iT7iUSA-e*52|0Dc!;kR<d1_~h=({X;9^L;cg%2R67LYPYhJa)c+M6F<6r&oSE$
+zK|Ni#jy(nHlZDA2x<D&>C(OF6vpH^HL(#b3W<tl;nps6YYu#s<BZ=oKcY|_|h(F?!
+zU-Ux$=YN(JjE1T=TE~cRM_Med9N`gz&YFytCYAxO`}T!are#ftj)zT^@t^SspSuh^
+z8{uh?u})u{Gwu*zWiiQ1IPiRjycS3COl#sP@<)7TE)>r8xr5SNtP6{wfsN>aHEory
+zZz-!@F_mMHzsyrd5SFu-?*f)-4@0fWC;9#&dw*SQ32o63t5Zm+f1C1bL*s$N7grel
+z=O+Y!#o8f?VAUB9+;Hl3)PR91eu?p_GHL`ZzV(YKX%{M`k(!63Bb|Ob1gX^X;@_<m
+zb`j%ps&g*AI1`uq693O>0swMf$S~y?O52J5Ow2Ei5EeZ0liT|CpLX3dRe|Y?h-)%*
+z1Ahy_Q}w75-Y#V2+pavIB(a*V$3IEPg?T;;_;l~R>6v}Ls7>PH|CSU4@<t`nMjMCl
+zMzYc`7mKbe>((!&99d`8mJ4VP6tfU(4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5
+z;~yqZdv|HCk0HHe6ELR7-?n<sIzH32Y=1+x$^6r}NKESJVXvEp_cP;jn&n7f5-nQF
+z2(17UEfFK(G&xU?nR9(FgC}<}BXUB*Bf(#_mgjE>0PnLebvx^<h966*Y`cnwTB5J2
+zA1Qq`xQE^`OJC1pqd2ZLg(jajOKlt+=jOB4;YGDC3i={5$kr8||5{h7bNC+k&wuK{
+z@2;f1dQKs0H5dTWX0!fEh%hPAZ%KUxNvx^6FrBX4!fDCz*Ib`j^V(RPJ);etH)2EP
+zwnpe|#|O+1dOty&!OLC+twa&wj~2kIbP8%+8YTU{0~aZC=;Q4hKFyIDg!b8YNvmyD
+zeg$m5OjO21T@;)G=P{Cr(x0@}1Ap83<(fX4WP4YFr}QAA<({y=D+l3HU3$-ZbepE}
+znco^}etn&swt`{-=!nS~oWBxwRe*26-Bk3rdFFGSyzOz#m1$*h`-$e(*znB2Pn^t@
+zH|U}yv}?Xo?#GsLp)Z%4LGOWGh!0b`#O>Hl$-REUwC2Ty#$UDZRB}HY213#mttD}(
+zBu{Oz+8I6(k)MzWx<vf=T?jShy_Sc1lFtMVcgiL;CL?u8)sucr!T<VbVf)_^M7BU1
+zMOU0(qI)(3la&QVe{+!lJsuLct^xuG00e>r$ksqyo=hI1ZhXWX&Y5JiN0mzSsk}t-
+zJJ%SucVFN6AEIBj6-I!tXQhuHr>X^w6cJM(yq|zYJ;?@eY;==f{|XXanx4vhND^Z_
+zVG0NghDtq_C2zj$Dz8C#|AZkOPjw>3G!iII-&;gSHv%p#e{RGu#nP4#fobQPcfv18
+zgrG+nAHI;bL{ylamN8W@<sUn{)JLO+HQd3kSKq1;PIxm=TEo?fEh)4az?P1F-fc|q
+z<ksDIon+%vsmL?EC)bFO7YtLbi$60ojZjQZwOvTMyHO2=H=KoXp)D^YnEhOicZHX=
+zhO1_r?~A<be`j#1aJG!UWWf4{wZ^bbdLA9|q@o<s;)Uv`@oT~k59I%F;vgBKpsQB7
+zXoLnO?`7Jh$RMG)YhFjlS%-VjOl3;9>lZ^DQ<CZa0;lJu4HOXyxh!ZT_98v+b<f(@
+z+bip=NIvILsH5E9t(-~iy%%Bzh!QF2*UAuZLA=|uf7prj`LWlcfDU_Z*#sW0)>(sR
+zT%P@xq9c;o5?<kml8S??-*v89Cl3LkT){>_9TBIsOs|hcX>KKPL9C6IfhyjT9og;C
+zTTYklra)`+#hT@j5b!vTCMRNv-&CN403}aafd@V%?CBOpZa@yL63{b_VYz#)84%BP
+zfYP3we-mmC228v;c=3=b_ySr8pLt+9&oCknyR!6tdU*&t03h4#MVDePO!=PdJKgTE
+zaHJvVh#iv(yLboW+T3TYbSszMmU_pnlTuRonrN;Bt0)GPvhsgs*~x?(<ED;GT$Pt3
+zW>edh&W?F?mzlkD$J3Hfwl`moP6Hg%s+6VJf4+~1Rx+6eBhwZUl;!=3s8jgC!;aQf
+zD9Z@?L2PX$Ghgizq~7d-QhTd>iMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh%
+zg!EqIPY9B0ewTqT;<AAM9}0U^5{V*H)w|J{-}bNJ(i;XK-5uP*z?b9(F?b~TP0%D2
+zfA1?#kvQS3?0*2J)@Th)QW&Yx5byCB4Ph@e+c{e>i1r~)!+l+G9oP%4++@@;Yo|$z
+zMwTf3)yGj9S(sW_1-Kzi6+3#SgOCRWU*>*BPfO6cBnql?REk}m2!l~16V`K&3x=#~
+z05!gcR0QYhTv!?>tIt7C*)hIDp`l^Ge?{+>tH@RY7FrUffN~A>;tlE(3sD|7LUANB
+zis>fX5un78BnY6sbwqF=OpLF_K}&sQ>&x9L3ga$y?=2hF63nby&K<Pt+fIvqdPv2S
+znt*Al7R-?>n+_8fYj=Q%qs9^LzWtFszxdqjsR&mys<{B|EGHk9GANU8t_m0Fe?x$v
+zpy|a!(Wp`ffAoA3^XaeEa(HpQ9c1?JtW^k>aa()*8q(TFBZbOowXt_)DRU3xiT^R=
+z=F~RNdSDu1@)T$jO}aMmZ0Z-E9f!w814*M^g*;BUCL)C0s^{0*#IGyLz;78!^?dxg
+zVlRVeg08jZ18}h9;65v{AH^?-f8aiTOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteM
+zhqd!L(uO>k74-EEJMTAE*X9x#e!==1fh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W`
+zOuQS?@DtZzW1f~nnyoP<Fe3&DDuzgg_YDCF6)_eB6wdDm#+m(k+gMMPJf_wWQ<kOR
+z3=uFfFd;Ar1_dh)0|FWa00b0fzua<1!5W;Tx7DuQ&kThms@@d@2!~t}_X6767y<$a
+E017TA_W%F@
+
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem
+index 6ce095692..21960ea6e 100644
+--- a/src/tests/dejagnu/pkinit-certs/user-upn.pem
++++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem
+@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+ A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+ U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
+-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
+-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
+-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
+-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
+-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
+-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
+-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz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 ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+ IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+ aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+ BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
+ EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
+-AQsFAAOCAQEADpj2VeHFvGVzb2o+qUL00+1RfpNsGRxrkXpolkjGn8LNIHoMfxAR
+-utnL41Jd1wQQ0FpbgR1fIXgCDfdMNWWIE0SPO6WVHVUVaDb2kjgYZ2bvR3FvTIaQ
+-thj3jyG5Qn/hJZ2WZdJ1kavUQzCcGKxcIQHObcX0x2wXWPKlO1S8XDS8olsi9KPj
+-y1nWUvLgxhtp4vwRuVwKtgFusgaTJOOaJ+yKS8SHr1v89GRPmff/tQzMgf/nqRNP
+-lmQ5uHLeo35DvS5akdw0Izi0m5zwMvOAGBY8lyHgpx8jshourr078Swy/SNdaMGd
+-fwDCc7tFD2dw3jRC1O5jWBxOuDTmUL0cVw==
++AQsFAAOCAQEAceeR7lFXkEEjcMGK/mvNOT5zXcq27ipYuV5HBgGGNLqiawc7NTxF
++ocyZf9HujNOMvBNblTml2GJQ9wmyQesVTGgJFTGORS2sFizICq19jISxrv44cdeF
++X/KQxNmnviClkL9jfA/6oKU0uSpvUAUet3MmDuo8O7ebVXVEmQdvLrhP9ycHGq8u
++qG+5qjN4dpf/ejtCCMGGZdUdPxPosoXJzf17hpyt8/YQohKG2igLSy1O68tuHTXb
++L4yiB52JQdnJfOU1a+vUSk425zMI00MU1aLcDxcjI64kxYBpWflDqn9Ky0N6vA1i
++OoBZgRFeQSELxUp7SUsK4xO2gPM2w0zzvQ==
+ -----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12
+index 6691b8c72aa60d647c4993d3972a7bc39865901f..8f4c6b2d05d14b7d5fd4f161fe8c34d065c2e5e6 100644
+GIT binary patch
+delta 2682
+zcmV-=3WfFk75x>EU4QEdRHRCfek}q52mpYB1sD{K_#Ii+3SG3sHqthXJUvY<=YDAc
+z9#;0PWo-O>j);dWavz`vlnJdRTmaQEo(0cc+s7lXMT_ckx;wyC2|pOcNMhk2NQEoc
+z(*6LSNK&b;J(R<Vu(TYjSE6e%?H}Pi?bKRoc#1J&fWQQ2N`FnZL}q@Rr)%Kqlqc35
+zt%d-0S8uDcF*ELxxHS)5_w}Gv&2fQq^Vh}$vsghL2ova~D2{otn#y$}+~M$K*|J<A
+zTyHUST_o$xD9K6s^rh1e>KHcLgS$UbyOpsCkh&(Z&4JM6@2PAel3A~|!xb3Th5gvs
+z+2ZyxIT3B%aetn&kjA>&caGx0pjK-&f8Q_X>G1awp^&srIY7Je-gw)mNU&6nAKeV@
+zDUyEhZo?kDw^KqVPWeWk-%0aRE+Wjuc3X9h@7jFk@Bt8^KtvL9oxdA)#3I|;*|BOo
+z->lHL_8Whhtz?3eZXiK#wkl>sh(V2h>Rg}a(k;J|xPRt2O2Tj<96swuA_=jT#@8zR
+zTsY*e-_N+_<&h_dPb%s`G69d~tdf<}E{REDc=M2s^y7fW{0hfw^3IhGV>@v#&Kq3}
+zhwf5UAn^i(2RW!~epxan!iiQi1q9E*i^;IyPET${O0wgRN(&2aaM8OE5y7A05(S7?
+zsYqm-b$@CJke2fvwgCDwtGEZSH5p4N)(<4?9_pX)FmKp#;CJk)fx47Q!Ji=>(`gLt
+zB9<MdC#C)6a%y`}PyE@H#kE8AT2X8sw@=4oPHf;%#<~I?^K{Vt1IE~Flm9!pOkl_f
+z$S~3JKS=4$f_+YmL$FBPG}nT}@8HyOvUMwCh<^viQmr==_wHldeUX_54mVbSH3oLw
+z(#}i^H=kxTuS#*bOIwc}2av{A;$N8sDHLk+vm}jh{*F6vaPho_4y3G|ufE=hW7_*z
+znnZvf7=n|)7@elZs1A0ci2%j=4dgS<zUsez@pP&*`GcW{fk1EJs8$*d*GobT7$~v5
+z%zrwFo+aD6=6hB;)Xxjvab7weca>@RMXeL6z=WsaVZG<xRe*|k*3I+TOb&%O@i3bT
+z@M;X_;MD=b@!qQA!nL%Hp)_Y@*NkD|oFx?x?KL_-!XzLiHcM(t&a=5jy&}zQ)f&!h
+z%}`U8&yN}?I2E&6;4vc7-M{jTVy&Qc=70Ba+E7gjQh2qZ-e9d!dp)q5mQ*~*O>DZy
+zS;DhvL?nw<W5sSeHE{z)FOgE(Vxx{eoAH)z=*WU&{g5_<x3Y<K#UV^L6TR?R_mGou
+zN`BK}$%#H$@6=q5!v9|hIb3;;+Qg3?vzvh}LQ0^cn_r!27>M{iQ)K<YM0d#!k$*2$
+z6=P<TXzK~xW|QSrx$qj0V43aV?CXKeRadtaR%t7hq>1<=B|aQg-X&IDSl$A~zKkYo
+zhV&KKYp^vG$Xo#98^t%_%B6ouEDxE%5^=ljeyV}hvfW<w?F{HBp#rHav#^e@wYM_~
+zH`|gVj#q4ST^Z*RFxUS)fzMOEWq+dtVFXnwB3{dA23|GaO~Ve`$MjzmuaMQwgLQ~6
+za`rIJhUl5@D3~CBPlOnZC!rW6Q_MQlm9h?uKJ$*9`0jPPcSkSq9?^eM#T@KY=dmwH
+zvLXu6AG3D~M)C(;@}RiLkI;Bx*@mLss#-y#9f!4>i+B(755(_<fF|h9(K24?0iu>^
+zyBq^D^D)}0ODnN{tCc;IJ~a0+z_Z4F{>vTLxtG7v-n?O6^jolP-ZweAlZ6FFe`>0B
+zfhbF<9s&Xg00e>r$je4%i&omIruPaAML(chuA&9Npn@rycZovGBZ#}MmPoP7HFyS+
+z5YP1fO@E2>32IZ)3U7So39tUWihv|bt@|JD=G>W@vLbuh$`t2r-H%|(HA#7Z7W-_6
+zMx(N<y^1k^QnaZ9d$|Aj*cjo5e+%eSDgcD~^gkC?^p9V44e3ULhB16zAWivSoKg{Q
+z<Pwuk4pTmA<*1>U&So_YHnXHr{(L?L$F@_~eG6X?q6S`WCfKOSVZ2DhB(;a-fB!!0
+zx12<g*$t}D4_u$Z-M*XrPP?LTuO-vS(zv%d*WkkEpXnWT0TBuyNtn|hf7I>RrgaWp
+zY5qyxizI4x;ougu@A$3NK6q`unhku}7(r*IjuEbk_W?J+^#5)TU`GEu5)6)&$OQdF
+z;-goaN}BKgkRb>#!sPGo0~l6y6J_wWv)T|RQ;IHAJzqBid4iXawd)P0rV6^HMLnb$
+z)*C7%K6%-JP9aAHs48ype~zwJly9JZ$}NYKx-Mp9`1s6RNNL#vLto*^@?m;nGW+I=
+zWrFX-+Ya8`rQ6nHMD*!7*jvVb6y)NbtGwi4TGa~%?hH{~D+F~WCg$qzYa5~Jg_L|t
+zRR4#x%vZ6tegWzpK5qbxOZlsQw9ed@cuy1?5hFwQI5x`5k*FI1f3=Bo6N?70(6E=!
+z)=e3F8h{}lF=#L0^Xd)rP>R2*=*YJFpRmnBBqPdF6~Em{>vK>4KYMxGKc(f49lQR*
+zpC5e;d4$#Ea4PR55SyjScaGF=qC5ad8W_NCb&1?YgbKORkd^;He$u%fp+PlI)X|mz
+zVstj3!6b2+*r!Dke}#limlzF>9>fdN{BmbrZ}WBUCLIQZ!JJo(?`OTRR|!iY(4U7e
+z$^v2Fxgs0I5*}XGJhGl7%`WX>-$vfL?F|tI;2f<lND4#7#w`Pf7W3Eo{XRcaT*4ho
+zZX6Q;B*qu~x;S>Ai`BD5;7Bd#Vy+Sw;PxmH*ra_J0uID$f8R;tP|Zy-aDWv?@#W%h
+zgadvFj)f%M9Vnn?e<pHbV*d_k1(hzMiX`!(S_@ipPL-H`J;`lh>UJrGfhc=2RDa9V
+z>FxIlgkKyC(TX_6Co);|LM8Y_i725KU9m*^TC$^0OB)4Q@!qg|><#|?M~Ctb+P+hI
+zkbMqX>Z6#Xe>34_&bOc2;_=J{oyk_Ny}nc=NryDiE!$)Q7+PK!i92EIEojc$?P96m
+zc?iK(OD1K6|1g4R+r<@Y5|Jg!GwO8#LjQ})>Ni^dMDAw0p*0`d{zeV3zaLZ3oYpEw
+zH%D+{4}P!wbSfTH=8xk$*K9Gx2wGly)4dY^K_bE!e@dLK94%Iux!t<z$nC`kP^sKk
+zR*QvFUoU*mHaW4Kfy4}!s%tIW!{3X!$I%1JNM0ji{3QjfuoC|IE;C~ys-8J7Cex@y
+z0R2&fPTB)@95&FOmNgwr2!gLr$<pRvyI;{@aNMOEPWh(1{>n5oCu>-ve@+_7Qen#!
+zCcQI#e_G{j=hkznNe7#RtdAbEF26Pu?E0(v%|h1m<)!3M1d@Njft3yg;C}h;Dso!=
+zfAFsv_<1EcnjXbW)|JR|FCL)ej`wM6w&%hWM}7Gk&X#(57o~9AdT@&Zbv}$<O+GOt
+zFe3&DDuzgg_YDCF6)_eB6iXt7k}Mhzi{o+DJb5C^jWw?<uO=`tFd;Ar1_dh)0|FWa
+o00b0i6#VZZJAs+UglBRp$z_Zurg6mt2uFE!9>YQU*8&0v05$6?i~s-t
+
+delta 2682
+zcmV-=3WfFk75x>EU4Nojn7^Afzuf`?2mpYB1sEA6cU;`CoS+7>CyWFQ$f+`W0i)xX
+z1IMo8fFTH+Sz>3S>Uht|Eny;NP)?BG$3gXhG8NY)?NxVg6aGis7v1YDigSP`x?im@
+z`?Db1bRoQBgcP>Q+5v3SBB~A<eZ=^ElG7eAYvYlr3>yAzr+=xrsL^J*kw{1hZ5%a+
+zHc2Xg8*)=q>SP@L@CC{#w>L^Z+J&6pnI}#Mq2P6X*Nyqox5QLoU(Jpxpoq&?#cuXc
+zXJAXQt}I!EzNSb2ejUPkjluI$|4N3SNcUzZvV&GsmZuciaq~<Q(B#T(CVW!El0Iv5
+znw6R|z9aiX>wn*p_S%?j(No_hj!&e-e>lt2Pg<@@fsC`72#frhb+0TlAJiVEMe+^V
+zdV&&N)e5!qVh}cr=ge)HA7V6&5DHAbYHMo2Cwb?2_HFi@NgTia_2J9}>VmG;PF11h
+zuX{^wYCwv%P3F#g<Sz|KksZ>(FX%|k23^bb3@-HU&VT%}IkJ8+A94z3vJox8pxZTm
+zh96kU7&>62DbVf_jg>pF8CWC|H9xpweRbyo-+3m`BB;l^m|n5?F~-UAw2Eo|Upr51
+zfzm`i1<%YQFY4E;7^kKDXL(Z>fhax#kUom*Hj0_R>A-22fRZK89x=g|&JSE{W{2vI
+z^w^gDgMa^gOhBw$Ca*O&b-vw=S<ExBo-Ji$T~@&@Dnce}`lVSxO%-brjIBoXO4Byn
+z7`RwHhU*l6|KHy+xyy18Sij4dD~`osA6M9U@vny;H>;5yL^$nwu<O9K;|zf>8i^;~
+zmVO3ig006<Uc1F^a9mE?$S8SgQMZ2Jqye8jlz(0e#TV#Ey;BR8wSME94OLAWuWC|%
+z#m-_R^7);_g{|3P%ONfn8>aRom{J8v_Oh6k7nJM^oOvgO$e?LIcUe@rCtq|s3&RB^
+zp*ri|HnLH%?bY0wu{FJ?nTgs5ZEh;!_`)$2#t+ZJDuWwlGEIQ!^sZWqrL^=L`giqm
+z34aFCQ+hfGDFnHl9}q8BCSMbhWO{0LhibaOL`8zaZw)#kDfpVL!WS$Bf|Wp#SGs8z
+zuMxe^2$FU%zGSVpNVe46cBmbY6hqiGm#PP&EQ$kq_W{$pm06H0I%gFf)9CYmtx{e`
+zCJomci2D?Z;c$t;*d<k`?LA>S$k%-x!+$E95H>*!<g<&F!BT&0D*2yk%8xR0eKYmY
+zW{f)DDsJ|(Spl%+Lx|3V4ANHwd7p8xVCsoSC|k5ZG69|H>vWXOLFkcWfP(8vvqEm^
+zD7?NEyE=lGE=5{3&E1qK?Pq*of+X=YNRd~ny(2zVQ$<$apcRzL@uGb_@^{?HAb*II
+z$&EQT=ZqVQpB3Q~c_g!iYNSeNLJIbf9LS;cn*N*`225y4pWcO>;8=j3zmG!aoO6zN
+zSv~SZC)THX1T9jO_hUY0^=Dn#Xf}@Po+cTbq?@TM`@ji}ttmn2n;Sr4S<{d4l2a2)
+zPS}ZZea<H@=!X0&Ce3EXRoxw6rhl*zrl!p4?=A1KGR{*1v><ljGb>)SIItKpy^!VN
+z+N<Q&jeDQ>>iElo8@M<j83$l2iOQD(@N_J$wq4FJYc!sT4VcZ8`{1XQJ5Rp9gIWpy
+z79pPp!%3inQ&yV%GukeFd@wocLePuHx6(sLp;m7HKZT6XoL<rU`=K(4#xi;^aa<ng
+z_LRP#J-(7D^#`uGTN8LcptJ9C2x<(?Z_DhIAZ<M-k3n0Lv}c&Uu5B@clZ6FFf2@dU
+zWNWFK3IYNM00e>r$PrK`e)v)F{}y9KcSe}c^<wv12&M_3W3a*BN>NmRCcg8to5T>|
+z))WBs=1!|VB#mFx`T^_p+=Pn>y_{Zw#nr0X{?<`094{ph7>-~kbq@olS=kAbC8n;u
+zqo--UqoV^)&Jq=A_HU}Cbbqn(f6FcUJe4TRe&a}TeVj?vOMT*nA50LwT!xaLWC~?z
+zuR;Q1O*uQ+^<P0=u+mrk2!xT+l~;7N)DFsZ{+$8ee@D?0>mH=6@E2eV!vRW8xN1V^
+z7CvAHrt*6lqf)z5mkVEybFjWWrp|)?J*)@-OENCPO5D86?t`Ru9vD!^e;eouy|I2+
+z)$WnuN?<+4|2P~77T6MX&E~%*V{m1X=w~b<4D1y6!fa8v^q-RT@mT(ydAbR9tx)Mg
+za`UP#n<^-&N3T@x%5`|IYt`Dh8FG&3*k>3@<Gt?BpY%sjucPm8QhYcYB<K0nt~0bF
+z%&}y6xqZPue~OQQ4Nl>-f8ZRSjJBYOX+8{Vp2tFEQl+0M92wn~XpZ4n$&REI$O|!A
+z|C&upTLIlp;Cd-QTpjF8zK+*zVNtRL8TaU#8gXF2dW4AnLSjby@N|0|VUWjIwuzP7
+z2x<J~r_v!Fb$j!5J<Z>QObW)|z43v)#`5QOv~WpJ>Wxk#=te<$e*%Nh%31rZ;eP4F
+zCW8>)<?fEC#boBWG$Asj@KCxBxYSsGU&EC2jvIh0Y?$vI1SFy-XEhjP!T3H({~&F<
+za+!`An%2DwcW8<aA$R+(0J<;e`?D!6!J!yGp0YM_G-<DHH~<9uMtwh1L*@2!s1HLy
+zUx^X562si$5aydae_y%R)&VZuQY*0Dyu`;(t0e!ackfGT6juJGWdIAY4+QpOkP!)w
+zVsv{hMdi4cH~JZeT5ra4oA-D+Dt3nsni6!jm&v)k2r4r;LHlH;M!$4C@?p2xDjjW|
+zzIVx3?aS0VC6s5lekQtsm85uRA_E3-RjXfF4X8WBc$eQCf2E7MX!k=2v|sShH6zeK
+zi1o58FhEN2m%|5prw+2H5Se#<G)zqajtk-jNENhF47<RWh<Bs(_6ohh32^sXnw^tf
+z!cg+WXJT7T(VTolpa;r4f<jPnN^pt8FzK~$_19HC*4TUr$c=v{HBMRS1XAyeCyZ}@
+zDbJLsHs`$qe@={>15kbf%VdCj6aFwL?c2SQo#n52WiFgQTPjU)KxSQV{S``6ngGtn
+z|Lk(B1|^3OZUXEj6IkMTS+tQbc2JMX@jaF0-Y)3F&iIGWY3c-<&L!MH-FQs?2>rCo
+zW)YfJ#J06pbph*0FRV?dVRUI9mZe(rkQ(0v9mAEpe?l>lDrmYvy^Rh&^F$bAg9aFx
+zb;PX}B%WHxJK8;Gcqh-`?*P;qO4xaQT}m-W<AlGYGteZHW5V<P(0oSvUQZ+nrZ~Yq
+z$ku61z3idEOU@0=u4c{hh1Ov+`dp7gd);|Qlh7Aa!vt13(Jv3V&8nu$F3MijZw@_+
+zEQtdDf7ik(+XUiyP?Scnu)^FDhqmbTk4+UJYFubHM}~%!Yl-1mQ#$v11cMltg2z8L
+z^s&Ees<#yrfb=58x;mFxsVRkW$-Lwjr<!#B=8~bceN7}+DS&FB{wc*5_Z#t&;LkB7
+zFe3&DDuzgg_YDCF6)_eB6ln)at4(+g$vd;zJQdt9Ep@3;7*H@VFd;Ar1_dh)0|FWa
+o00b0K$TDdahGTqXka$sZ7Bcf?CO2FJ2p3V0ev3xHmjVI^0G=Ei4*&oF
+
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
+index 3a5094c84..37e123ade 100644
+--- a/src/tests/dejagnu/pkinit-certs/user-upn2.pem
++++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
+@@ -3,26 +3,26 @@ MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+ A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+ U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
+-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
+-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
+-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
+-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
+-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFGvA
+-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
+-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz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 ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+ IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+ aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+ BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM
+-BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAElYM
+-786mUr91z82s6QC0TwP380ze8yJQiaWifHYXiqIPay19M+QG91PvSm7LLZw+ersC
+-gEl/mPKrC89XlAFp8b+hJnGq6t6YmeC7OI+FapEMxpxX/X8eqAOQLrGnoq7Pm9/8
+-QtWaKgo09i7rmyykKl3xSU1VktBsmlhNPPNh3x+N4bxea9OIbZonPdDtr5/Yt87/
+-6kBPsGgvUUoIxLw03OmLu8AmKAwJja0FWyu93uCUP4UZWLEGpUhSYC1uUCpAZDNy
+-2AtPnxfGUDtvI9eMmyeXVGYXTfkfGZyvB3m9lyIj3VVmhbvr7qLAGQn00dbOHz16
+-r6w2aye0Me0GcU0grg==
++BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAkYoU
++bTCe61BRrB1yw8mIpnXlRrVLV91M8YEr07Jzk4qGfRLXbWf9BnMpxzbU4YVzEifh
++w6+gYSWGjgq4kDmp6tcY3IDGvzXkglKMAZv2mpFnBa6ZooEQ96tgg9O9G5Lg8Sv0
++kSkoySJq03xapucEZbhPrtGNHKwB/EDo3T0Iaby+Go9bqkObNfuIFXRXC6HqPBS4
++khss6cJ+daEE3Yg21QZ1BUlncwYbkCzt+xp3YaHlY41gdaMdF0tn6iRJjANAM2Kg
++6J45M4GKKT3yo5hJAWIS4lSCZX92g/uiT7BcBhE+vDzi3JuEc1QKajgnza1BMZMG
++EEIPWkC+Lfg8scWS5g==
+ -----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.csr b/src/tests/dejagnu/pkinit-certs/user-upn3.csr
+deleted file mode 100644
+index 958c1e043..000000000
+--- a/src/tests/dejagnu/pkinit-certs/user-upn3.csr
++++ /dev/null
+@@ -1,16 +0,0 @@
+------BEGIN CERTIFICATE REQUEST-----
+-MIICjzCCAXcCAQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
+-dHMxFDASBgNVBAoMC0tSQlRFU1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkq
+-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJ
+-w0Qmn/qs+lNLjRTEZp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7
+-LiwbB36btYyEFCBW1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2
+-j69wqhPZIeXqqveV+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT
+-50CFuNkUrFE7m6KnFRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7
+-+ixNvQn86a+91DdvO+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABoAAw
+-DQYJKoZIhvcNAQELBQADggEBAEMxNp5md+jV5dFC1iSKh2CYl3P4g3UMQ9NjLcyq
+-upjJmFiEGkEg/LpH4CoXI03BaD885S7akKPA1J/sG2YIrbl3TpjUJKZoJ8BjNT0L
+-tYc+JIODZJEONR34Fh6/1uRU7UkRcJ8Crc83+ML+71O2SRZRJDEOS3tVbdzjEOTj
+-HIed6Ia3cu0XeAvhoqRSjh8J0ufoIv3CRRCtRU8ChkmMD64p3kOTlORxWspAF8sm
+-Xa53bWIpyuyz/vWwpWfr+fL+Q+BQ1TU39xvy+46AYuQIIKzK9vKZdCElQwFXZs26
+-f53OyZpFjcsT9jJAM54XUxLv5rE3fqZQiBhatPZa2ThHt08=
+------END CERTIFICATE REQUEST-----
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12
+index a9d4780c47d33cd4d409d6ee657a7911381fe753..da888f519d9112e3d15dc48ad38585cde98d5b47 100644
+GIT binary patch
+delta 2698
+zcmV;53U&337L68=U4J{;58bgjeK7(82mpYB1t?D<^Vzr0meO{YpOc6TQFtkex1?x-
+zehwJizz{VXGun&BAkZb<MIbl*jJg${R(|m0@1(utK-vxcZ{@g}mmPN-v?fcXh{~)#
+z+_uOb?l*+A(^YI&1&U(CbIi0yg8U>6F`5&om0=1){V^dwH-A)3GtCm7iP)scf7`!^
+zpcfW<Hhq5fy$4Yw%z7HT+zupoL))aT*c1UqNoF159}V!gJmuU7rXQP<LiX#F-!~82
+zK|lHtDi}sPNv(p&<!V6m*wQ9&j3{9O!)<ao;IB<UUMc9<Kz$@YXz^bAVF-u|-sXiJ
+z$@zC7-^33jF@KXyK>Dp<M3!29p*1@sEg|R5l#>n~znhuv+jW45rkqMPDQT}e67<m}
+zC6O@UfefZ!E#!Jv>FE|w_ESX(LKd}_=1_wtRDk{{ei?VevL^v4)*gHc4wiT(y#HLe
+z4qSa#+Lf4khNXr}4Pq3ujwKQ%=*c1>#@tMjIH6+JG=JUgo3n9hbV2@&`^09UzLsXx
+z1Q0;yi%cyg>96()dg6wn_&qzl`iL-O?IPE57!Zi%GjLm9XfP6c3OXaDg?zmXl_m|-
+zD#I>Xh}5fP8${o7N)c1RcdbKF?oNOY6SjNF1NxBu?Xn2B5^2_>uDznS=+!Ntgao5u
+zB_17l5`Tuv-3}{<8W0>JB~ZN>!|Uw<Uo1K$BAyP{M7LP@$y-^t5HBMsJWRhRvpsF?
+zb5Kc#4cNj?yC@@yH6O(;wZP$$6PCw<ILPK|6vMVVTn93&?_jYpDPVn|hMU2zYe86j
+zYyqN>yTJ;p$j>5;?5;Y$w%BzS>?M_-N=&9H^M5*5VIABRGi2Gd*F0<%A61E4i|HUz
+zX!OLlQeM2}Z={{ENfa0g*iW|uy6#x-f>|U_zzmuM>X>mvJm2MZn#=zwdTlT-NTv)n
+z$gq@JThWUCy5?f5nUaHNcqc>Wi{@iB-%8J0m(YS!7p$&;U$Mx~#YgsS#hfS;=L)-0
+z4}bqab$|EYJ#yJjn${s(M^^4b`Y9ZM%%!e@ka;J&=%N+5kQpuV&Y*NQ6%bqqrp?0c
+zvkASQ^E5U0TOV~zI*%0#ts88^z*()E+lgg{*<{;CjX2|_kR5t`3b)2*_|u7AS)zCI
+zddqMp*eroBDYq6%$yo$Y{G=>O3TL-|_kTW!!P_2$POnW{>xFSfio_MXs0ww-mo~hi
+z=(rSEzL&BlLd#CsC*oqs6C~Fo+9Hg8?ck})d&Mf}w3xopmhhLVP`QjiQyjND61#m-
+z@Ti!l54-Aa1EIxMwvv%1+o8lC5XZ?$KpMOo<DogG>o;_Rth{0DdmNF=oifNM6@T>e
+z7}*!D{OdLG!LDBZFZ#;gcf%2Gl4oOl6Fn~r8DNFFQ~AA?eY^)C|5Ly1pjk;wx&r6#
+zDrVnH0^2DH(;P{I=T})*lyeFUa6%tU6RtX@SZ<2mTs?v7BL{(|rzuaK5kMkSf)x!P
+zMII;x>m<OOR}4lVpY^^j$2vv!iGPR5nUy!?$NVWK$M5{RxZ?YHn6Kuch6grg?GbVk
+zt=$_+5cp$0Ha()S2wc~W3ZOVzG4|KL&PPo);bGf&@iDa6xsaDb-8pq=RE1ivYkz}X
+zAtoBO5iRIakLhuRk~oFqiqQtak%;1~P3|cu+ipkUQ_?Z(D;h&D22ulM!a^Mw-CvPZ
+zMr+4upf+5VZ`oT|!&jXGwMYZKqlq5!9}+Z1dfSvlGPUQNS*=pg3d(uiE+E}+()ARb
+zKDto+n8Th~la&QVf6ulEXjQ}6{sICB00e>r$R@xPVtr{^r7my}%1}E!A}WmbofvFM
+zcS!kljv8Z%(&&Qf>ru913`}dK`R}b6!=OYQ|L5CpY15F!mbW2qYdr|JUF9YL8WSuf
+ze*bNr&bN?B+Q@E1=uUeEjhQSIS?`<O-$^NdRRBbc?+&PEf1!4RexONx14IYgSFp`C
+z09^qUk#qxIlOxwc5W9mwQ01fbXEo+i7Mj>-Af4;LXKn5N-XLq6xc|f%_#M%w-*Pn9
+z0f3p>$dACQCD|ZcE0T;i&hLLDWC+>2e_q0`-xh{n0FH%33ag~T<R29nuL-Bh7i+$q
+zeO=N?KKWpwe_*{gKs^Y)oly$tRFp_Uq!TC%gFMS`in$Wr;m*7w=kGRT?4^1jipI<&
+z>cZ@rg112tzut(cYLAtgLWrFG9P}7g>GqSjUx=*%5=Ei(wi;B#qD!D0DdHB=5ne3p
+zz7X)28kw|s=IQ-C@X=`XBrP#XfrYOchw)SmxSL>Lf2fV;6VyWK+tGI0@;#9o`ML}b
+z=Efu{JvtPd@rn|9u&5^X|3=^8Ur|_(J(G1WEIKJ0`^x9%VSj#?Nk6WwjXxRnu-6m(
+zjd)VmBbBWvY@1~+Vw#!O<(3tv)oh)ricul3Rfwl%X8C3a+<33*fD-2-GI5{qDV75o
+z>LqpWe?G2-@V5x^ez4WY)5Dk<WN?9G-J)5D8V;*)spcgeEQv*rF_YNZJ9;DV%%F8G
+z&syN-6ttUEvr}Vn3+|HewTgx2UM{YhpwSb$RbHT-A`*{5AclpWM_xQF47U%t-UY#U
+zVXA7Ty8@gJE!U$tNH1)JRREzYgxq2nOcdS^f228{e)6+3IC#b_ynkNbb;oCAQmz(h
+z7h2c*qH;XtCgl_2uGM${DJLg*-tH^Som`ek{)Dat19_IO50TJX4SsyJ2RspN{H~;B
+z+V0S(^O11wgH*SS6pSB%<M=A@x`=uJA=IH?bW){d%HoxDdPSevtbFilO-&FJYVyz1
+zf2sP6fg8#5D(P{5<D__zXl+?017n1!B&M|Pb_J;{gzf7LyVjx6?mCL%o`c|Jh2#}v
+zyxWYbFsbYv>L6ZxDB*vBE9%u;E|A>H(s6n}9bH&KQb#zdIBW7MnaIzRarxL@n!O)O
+zK=8REHm-D)+!QbFDD>eFGqQGle!kP6e|@)JpgdCP;~7UeyK0@F3NK#SJ0IUT4CA()
+zo39%1U#tTOc@;VYuXNuOe?N1eS){UjB$ovmaX=}kj~2dJIL}s}NbDPCos#k!q0k~&
+z6(yK2z2-dNY(yJA%`mY1gCo4XY$|Rb{VRvx>}p2VB)BS18|crUeYiOaX8I5uf9e;5
+z!Sp~;hom{dK*GcnV={{eZlquY3=K$u%N;dC3YcZ7Jwid9q$w720~h8_o0`r<W2EJE
+z9ED(wCA4GukQP%KSJ?osP!B*EZ_PnpT`#3;PNgFROp@R;uRKQWg|I+UQiQ@}X3P<@
+z=;vz*VW}x>J<VW8lOv<Y$&>#+e>}#fXz~jOgIgpH5GUFmGfeNWtu%Y@mn$$D4=DMM
+z<8V+G_ROuV$#I&3s%U2e{*tn{;XFo~vnDzTiDiOa;XL2_2q1G2#|Ib<`7((J_Ta?x
+z6m<s7NYJ?4<44k7t~W6yFe3&DDuzgg_YDCF6)_eB6dj)5)|#)>a$u_FJom0HA=6G#
+zp;0g~Fd;Ar1_dh)0|FWa00a~tK>i(z<@;kWV;*m?sLnLjiHbx72-=Fo1r5yv^#TG2
+E0EqGn4gdfE
+
+delta 2698
+zcmV;53U&337L68=U4OgPIH0Ma|Ih*g2mpYB1t^cgTby1_i4bV`ET($=&EQs+%VWU!
+z7EL>iJi4Z78OaT9ubV}bGdi0`Ahw>yNtjoh(jz*K!b%&Ua)hJeCBb!FAt9G4(CLat
+z`Rag4jFpnmFT)s@f*z8jt%jD9#v%N*$?L>k;p5=UEuP*lV}GdN&eI?0rjB?@WB}eY
+zf)XxYT1q=>J<PmU4ev9mM?|n;U@bFOUYFbwrVSa|jflX9@F1-5yyd!w<zYcMs`rg>
+zymMlumTAK2tc{81$;?wU?RVDyIg)}6Ru7Is8*D-idC>`arMh=W)oa9!1#zHlQH+C=
+zxNFQiy$@%pUw>ciB6Pems-P<2y=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@t
+zqWP;7pCfxOI}DZ9(iJy)rS*nL8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|Qk
+zembO|Ujs3}!86C73mgV0q^5iPuZU!CsXRr9j$1G30DnT~&96xZ(_w+gVmP}nkT+9^
+zTnBG}hdQN2AJnve+R?%pEbv=8E5(bzWG-#u#DzEycabv3EOTQ^KP}Xh8CNH%dMrC|
+zl_ZZqKVqcBMJt^u$Fh!)FjVOw&dWSYUg?omm_rDHAOgriM49P$d0+1``GCJ!ZsQwc
+zIeSn5N`Ij~5U5@dvEBjG{TiDpjvP!%Bx(#V7yW^c5vbxvj?}{zE!H+*c6xgo=IhbX
+z{ugXqn`P$jl!c&05S&~~#+%)!=U#Kbk5wVT)3ql;lTT$>=q+JLDX30eW_%PenT4Zp
+z_goXztU1Ch8>MHCoD|K5H4(V-ja<hx8@YB0r+;@4i}mjt?20bEYPmt4?A+bA%21^X
+zXRCd!kj=`r8UT2_QEtvftN2ls|9%4(Yd18``lD){hD=Y*oD0<z^0&Du<8diip-hyZ
+zTgM0cXE=W-P%U+1kHCcEPFj@&9L9Xv`9v;Wfzs12ZiyTTwQhJ<8BROi#6${ukz9WZ
+zXn*t$kjR$GQ+@~Nrzj3Op78qsDTByr87^>(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA
+z-pr3<Vc+FcLJ>g54LF<k)IhGZk(A<ntCZ(JeUto0UD=4g0HwAcycywe@c>hpSdbUZ
+z|IdewW&nX@Id-7N;;8dTYiF$bj&+Vzp?^hsO`e7M7OU$Gla=8Q4G^LnBF+hG_nBeb
+zu}|$?y}&Ypv{-4`sZB4J84gG&-!sF!m9%?q;wc<-;0*nm{J3|%$s#f4g#v)CGLCU4
+z(Yc7zteW+0h{?ByycGWhd;fPj&Dn(4myw17)6pVR`dcE2`6M7x!wVsRwxjCdAb(Wf
+z4D$@k@4>yr5z6XWYn7pBxh_HGbj9atGCo7126F9)ewn?kfa;&vg>e{5+wgb3)|=NA
+z`o8_Sx*VNIakI&`^qCUyxWkzJM}b~6qYN&iv+v+c(UQ5=%<ubYh#LIxUMyJb%<p@d
+zd|0|~HBPc$(8N{id_|HL#DrR<Ab%c2g5>{ok(ekXq$lZ@xKgBHx0Tl@87a+hB943i
+zFD%RA(jSI%C|Xca<$+=*lWL`yEop8}Q{X%bQc-xA;u>Z)z-N*eV}?4frikpteC|{%
+z^a!Dtv`0%$*x`Vxh#$niPcOGkf}NjScYXD!MU!uL497Oq;pCJOkrMUvRzj(C7>B7|
+zirNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GUzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVD
+zJEGu3Mj^N{la&QVe+@0G1;Pz3&jJDn00e>r$OX00Alr(atOG})P|bur<sYN#DxZs+
+zQ52$Jw-pZRd?0u{NUgpsp^GU=^+m!)wF=N!|4e6VkvUWSX}T~!=xNe<WX~Vq%6CeU
+zj8!Iqi$<4p&eZraSk}j>1*6+0Wi&x_x{|YhpPm9aRrXy+e>w{XL@?~)eWqce&iDF0
+zqMSy`TNzT_)VB-&hdVeWjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOh
+zQWJ^oEshJdhCpbB9?+gW%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl=
+zj;AXtkvzSNf4>f%vSi6=NX>a2^%IT&;v29li&z4uXN8vz(uEM&T*Qo=&F?5rk#RQz
+zC336+`bfFPsilPKn2a5|Np2S1s2;)B2v;glXVE<%O(u+#u~*}7ksKGB=)IwePkk!6
+zKOP3PmZY@6SqGV+fn{aX%cf@iNQisE!MeAT`8h7je{pcQ%DlZS83P&0<4$9^B?j!n
+z0^s^w<lAKr!jqIvO8~CPKHl0p(MS~^?zBC<rfK#deu6NFrGWU2JAJ1fG;tnfw*$l|
+z_yC5oEU(Ji${Y;ku(xEmo9P^{#uQRVIC>wN->E=~xLdD_)eKs$i$WQ?$&-S=N4)kY
+z8sF-Ce>waid23??s6b(A4ogu;h++fH;y`e<U0&L<3*l4a4?2OC5>Evd@BSm#`s!Ry
+z+6L`T@d*j+#(xh*)fPw%XJxi5_WgWEv1C&^jNYt_5ZCvbDlQ07M;HV(J|PE-03cDz
+zI%m{><uUInH9re8G!?46yC!XB??9)Y;(!^%e>hShEl-wN=n~{2XZ{L*9dR&>p&O5P
+zL~0ADX*&QcF)J*1tw=!<FTf=ac=UE7NsQ5{vqP4W8r}XA9?pHuwN%dw*+a(im+()K
+zHVNY*kEjsu^!sS@;lfE*LW!Yzk~kdLN}|Bd62yeDNA7^Wgpu(CSO%C08)k!~fzCz5
+ze-kz9>e<$;FCS~Q>H`vQ6<^=_{tlE=R-j`1+-CyIrhMa^l@GsOkoi*b5gc{|O)u6y
+z*Eybgfl##owFc|2DqiQ%>C%TLxKNZ2)Y8q^GKz)qUCCb^Y!~Ouk~utFj^%qDAD7$7
+z4|(O*(4Us`f{<2cXiaTtd7QygQM!6=e^+!{SnFm@Sce*pSUC_>Mud$loY2}d94m?|
+z<^OOSjsAsDBC2thdNWvSgLi|B<-_+{K_gsBydMbNjR&C)N<giZ)rq9?LK2ZqUH@Q7
+z=lEDb?8D%FGK$cQ@EiJM*uLyGPV?`6KidTXos`w|t7P&vp6W&BO^dJ(zR4Avf6h9m
+zYgy;HUJL?!T$);C3rzm)+D0a#pIdQ;plf0S;ipPSJ(nX58XdpbZTA9xT;$+u#1)OS
+zt%%W;=NRR=+Qofxw0<7L-%oKg+WWxVUFjx_db}Xq-8IMqr(1}#|F5`<LfC<uu}7wk
+zWPd2w`sTgYkIUhkr+$m2#^N?ve*|@-fyvmtstS0orV!Q7PL#g<h)rqZNEM!OYYn<n
+z#QqAdg76EPW~eh!<11hngVaOx;{yqvKOAV}g7%4{<iW=Vy9*r=Z%u4?=O_i0#t33b
+zJI<aCrhp|z;|OjRDAh3~Fe3&DDuzgg_YDCF6)_eB6u*lQxi}3No$KBvJX!2GE7$}i
+z&Al)&Fd;Ar1_dh)0|FWa00b0p*u?3&er@hi<B`t~)wx-tCp*pr2<%yzfrt0G1p)#H
+E0Pq?oS^xk5
+
+diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
+index ffedb0d1a..754114f5d 100644
+--- a/src/tests/dejagnu/pkinit-certs/user-upn3.pem
++++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
+@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+ A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+ U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
+-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
+-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
+-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
+-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
+-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
+-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
+-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz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 ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+ IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+ aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+ BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
+ EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
+-AQsFAAOCAQEARVeLPouequn86P3LgOZQ9LpP6IHpY2ZQwvNviiA8Zk0hsqFXnmwx
+-wr3JtESim3EPuwQtJ3jXp0rxQB02r5r8sg21OjCeAB+vOz3IoF/y6WEYlz67LjMB
+-XCB6Fuq80IHhVXWRi7w8dVI8xcADwIOh6fgzwbbk8qV2Lgn2Giivstp+76PnRtEn
+-tavWlWW7bQlXkiROYh6u3Y8IvYYoIdlDsXQBFSRE80Rc2jR2XGKAz5CDEZNC7RAH
+-Z7ON9HH6IRBOX1ijmXhBl/39QQ5t+ZYgKk8OJpL1RAZlJZtGMBwJtA1aGiAFvqTr
+-aCREHZfn9NAFE/szItH7hxWJv9RISUXYmA==
++AQsFAAOCAQEAurL26+vQNYFbJNAFJ3yHOt1nwAVO4/OlCtgqzOAq0nBs35HY10Qe
++y8eRcxrLmm4O/Wy+Rwre2v3pIP0AclvIytDzEm6K3Pgj4yJfUUM3VhnSOlXQP6UG
++D9Z9pVxNiDeykj5/SzxwOQAmJbPcMx9aRwP9wOLMwUxi5sKHQlL9YUTC1hffhuYY
++Yccc2dHWd5IyaKaLp9yBVXQryNdVTBYrGA2ZqcwETmcXqU/wCo/Rmf10Ra1sj88X
++VfTb4Sr0j9RaSKeXRZgbEu6kz9i2WK70dcDke08xRv4xVfrlbXrfIS+Va9WYKxrf
++Xb0XCkKp32Q0EHqapeJrCcuQtnDMGvncTQ==
+ -----END CERTIFICATE-----
+diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12
+index 67c3fa2eb01c9fdd543af9172dc63a3955987ed6..e9c044c5b1d0d950ee2520770de2f8f64200cbf6 100644
+GIT binary patch
+delta 2706
+zcmV;D3T^e37L^u|U4Pj<TzJWUzcvB_2mpYB1u$u|U(OiYZWaAdo&=0W(D-NHJ~J3Y
+zI~rchE>Z%Y(>Bs|d@Ni&G^NWGp&(#5%4Z5twBV>={4~8{Uu<TgGho+eUPSehodq)G
+zMtCIV{~=Q73CQa-OCbMz+w@wq(P4!Vj#tqP3^{;nxzSHzWPbr^w_(dkTU(SFJL&oQ
+z7zL?S2x%2N_Q|C4e}CAberkP`3BLksF6_zM3KTSVk`X2!wi(j<c5Aq9+wm9GWZngW
+z<Dbs@F>yO)#6}%;xPIHyY{h_i55`b4<${ihODv=^X_GvM2$(ip)-{scMp=K6z4NT0
+zh9qH{M2vDnA%B4RMJV4L3g&uG{}^y>U@_^&s079+Uw;8UwQZawTn!vsnczNryXER<
+z^4t|;quLw`bl;E|eEKmn>RrwfXq1zSpT$o-918IoaQn0K1Qcv~32@A!!Yk9d$5)cI
+zy{aB^id7jlNY5I{?KJ6dEI`cwQ;~`h@bsE-*#<oN>wn1qLARY;aK^Be3VEOF^3YZC
+z@z)+dYJm7<$cmm$-`oMA4%n3L(y&2%bYK#IC-~*C61&8wgQwA^>q1bHC}EtDjtVc1
+zELlaHTmHT=Yj$uxFYs(>usRFRqQvn&Y=h-QA_vyh{d+oN#SEVcRq3G;MW*B4{9l6v
+zq4IfK2!A=Q^+R+st9#jqW4=?osK-Q)K4Hq5%bbPzj&C#dO##MJ7oXFI1vcvc70Jw{
+zEv_S72+LnOnU;)4y)s1`vlaV>-0o^K1+!777`l65f<`flFo5nDa<3{ccfhQZ2?{|o
+z7c|F5o2|#B%7Rj;vzYt{Mut5sSc(Fb-e#e^-GBAX_{?R+=$MOl)HiG~U+;&08^mvP
+zHNfv;+m0CZZAMc)NCYtA@^kdgq@Aok`CYuV8^FZ~W1mpM$Y|0UcYycv$Rw~Uk-pz-
+z!Dy26%)YpIB<5W?r3BX^eu*^fEgSl~ReH*mq<Od&#=uGpYlY6$wQWulKU}tsO+Y{0
+zSbyK^jZnw<Wk?;4G`3wO)J2BX-HAy$Q5bK{g1=%YrtPi_Gfz#E->G<*`wedGDz+{;
+zx4kLMqty}CrlV-aA&gVt>cAAtAE|kT{Gl>@GBfH-*I9Ut$$mL}Z;Gm~5u@3~UH3u;
+zu*RcYkh532p}cjA>7*oslZ7OgH8tToL4TJC&l=yANqs|aNom00jp9FBDbRbjK3>*1
+z%t%A$fhz|l3Z2Gti}<DCaW-|b-r=NDNxJi1H_xuj6pJ|LJHQ$(mJN7IN0$!G*Anpp
+zccbwS+1jQrcGtjr%9x}yE7acF?Dh6)b?N~9Fl7@@s3U}jF)!lk@HI3Pv}ys9s((-*
+z8#dFKFhw}!fRvCXG|3sxeIMc&S9G?cjEPQ^yGL>j5NxrXYzf=4jVC`TMPTZ<dQw-v
+z5hI|CLwK)rv$U;lQ)|sSio785wW58C3VJ1u0Q@CJF!VMAXZ|0m4kB3VOiVy|)ZPrL
+z#N}qgPGV&p9eY6#M&LO|2-{x2OMj*lG34GJ9E)|lteX1xgPLLhf&`)SK-2(8Z)w6-
+zf`(A_WYlFm-I%bz+TR#$vcF&TqYu)C`;M;|`+MeJSU8Z#a{Jy$W@#J*`eM4b@B#@u
+z#JA#r%%;>vUT-H%YSuYeGCOl)KMa1~`sWdLxxWOlH7Hp((U}SX!YNhgfJ)IPf=;Gx
+zCA}LPUS!(0kh@$b!MG*{z<Op)Ezte4&$0g=sPoTvm1zlTJ)4F93M+nLmGGMxIa+vF
+z>^TG9-c9BlhSqSqv`*cklbr=df9nY*n}fvB!vX>b00e>r$RI81nSv?+Yi!SD63Wi?
+zTpz5uAf~z86j38B#-LJmrSIOk*?dx5rd<Z*3r--K%&NA>vPi*JcISr<oe+^au0!F>
+z;GrMw4kJI_;L|8E<b2(~#RS|!7%$e>8I7#QK@8J%06j|~QeRT5YPYz2e~m|0eC*+N
+z;tTbW&k|>^&OYIQAQZ)=e!ZR$EefvbbEa%e@aTI~@iZEV&h?kl_iWbBu8gqL22EWO
+z9%e@s<ShBc-FD1uiaxXO=E3%qo-=vE(2O$HQE%20of;d}l+Q(2v%?CXSf&GtjM23Q
+zqyLr&*RQ4?O2*yf8n{@gf0Lk9C^>!Ln9mn5gIkKyZEbno(BO|N92gh4zi>;+t!DB#
+zUD*#wq%14Ws-EP3hBY-&Ihk~ywGtQqB8-6CEv895gq+Y?Ref!PVQoN$e}ep~l&{da
+zqe>QuPg-wYhtPeEN!5YpIa21fnSW1kwM|Wu{MOd})a|@aJ<LBIe`uJL2<7MT1$-Kn
+znNBU@f`qXiPdrro3U=5l)w0K1H{h$=535I5Rj5G3Tz}_!-fSvSxO<(>wy*geIt_-o
+zf@_GTcauuKT26C<kH~ZiiIa~Qg;|CP2wh6v+it1wZ?wf)%<Cu2h#vyjys8f*2);+)
+z1(Cc*1Xq0x7k~SdfAsH>ov}Jb>o;A$hT-*SD}c|OaKX(rQfx^MRmECJ-R!H{CDx2O
+ztfI!lXTISDio|vGOxL+yF(#V^*FP|1>(VxK)_HV+LW+m+hM>6nHJtbPD8$YNAI`V}
+zJxt8tv;~TeJ|us*$IFJ&gYiOXa5$hQD(6={4wTTv<(s?me|tUC1}n4%7sLR#^%2Z1
+z>wB$BQPVbOEZr-HbQu^qQZZDV0B=qKLSTk0OH6ViZg6t{x4jDwj>Q2g#8kQ3r>Eji
+zoCHAsSfZI^gjaN%up<B^epM7RAvzIT;KRQ2X07C;wJ3%8{_AIpRI!(d8d(I1h9y@c
+zbcAA3^>LrFe;LL-L(-_It&su|RC&en#x}vk5N84OPL*8oFVPE6rr}-0qN*#i8!ZNM
+z-lMCaJq9;t`UH;WVM3PeWlDBk&GJ8MW!kV<E3~UD16Q>JPop~_JfAJz8Tv~1W~R=A
+zf#mg1W3o+d#@#T-2&}3LjtVGn(SoOHnQi>T=yg_;f6ZBqH!1J@yw>z^@>NitY+5GG
+z$_K1gfo*y_T~t97XgHe91xGJb>0;+13X;T-03Pf6IfLg53{}XapD=~I*1UWMmfQ!D
+z7Ze1;SJ|?3B4j<BuWHsJc%O#7pP@0Ez=lAzqw~qnb{a@F`B{OmdIvYMG$dNQePmy5
+zuy#2qe}oqYXYN^bx8@9nYY#&dtWG6w_5b3Dw>g+a%x7qj<bZ`6ESTH^e+bHC!K!fa
+zB+{$}lAR0oh%TlN-?41id-g5a(A-^)`A_f@pQwV6J>gRh1J9NxeFNvzi*YlS;ci9S
+z#DRe^Z<FqJM(4_WwdFZzldwXZu~#d;GN9A*e}NnEf1x<zdIxpJRyDAeufFP`dC%(Y
+zkzV?Ba}7CYC)<%^VizhoxpCKK^FA7`<--}tdAh>a5%?_JurFHR(9)uJQ)yN&4iz?H
+zSw@t!Q))44>uN8OaX|V82359~wEHn7Fe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8
+zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00a~TEWhWcHtRjAj4t&h2$Cd#3qV%{2$+b8
+MPj+1S(*gnr0E_P~i~s-t
+
+delta 2706
+zcmV;D3T^e37L^u|U4L0@OZ+^lY6AiS2mpYB1u&$H6w%_X?Uh+pizOtCBD<t74x{ap
+zYdgB*{3c2?wSWYyzjQvv;t-8trw6CO93J)AS>zx2lCMDmI_;E4nZypk7SId1QiiG%
+zoX$R-HEZK1+~1}@RF*!aKybD>Uwe<osB$gLio}DI-~?kH$$uWFX-lJ)1HB<2t6pNW
+z#kSFBm}bgYT16j3Ak6WseRe&B9QS_CwQ<`?IyF|;FV*zkN~Sf1b|#Gnd;abpNV1B<
+z%NFoz)BziCR;QIyEp8MVNIVPF(tUQp+qHutk!KW<J+!p)Zxkn0F4S+vz(;X%s#Ae|
+zh<zN+Y-}A%>VLW#TM}CG=Kw((`3EMgCgE%Wh7i5_PDshVd9Oz|EjKxtnoLw`TW#&7
+zQPy}=X-XKHcQwT5v|u~sb^Inq0<OveaKI($th{DmRGP`w`Ld>NJ4Lak7<6+3Ya}d<
+zR^Uti{uWAJB7|b_QADZ~qF1trj0LGAR*qZ!4V-8U)PEs3HV=&h(r8ATc_D(AEnMV1
+zwuVIjs`^7H=|3CS`*aB@;CnPV&TlP!Yu&aLuDOS7Sg0Cqu0xGBQP5;o#gwP}e8{0B
+z7jV-rq(ifyxm<=mq)wx^ScfIWLZ7^FtdIF5!b_#_SU{v)$6P6;3c{)K{n+@;OiiQ-
+z)v(k`B7Y~QMMOz0exF+cpQ;~*F-}k8OW2c^cHxE_)brp6_t{vy8?fdPQ-ctCS#H(j
+z$jQY05`;BJt5Y1_E&P`i?y7~+)+fF@I~p95YmggrA_kkXkLdVu+sQe~jV^LlG=Fp{
+zGMUwQ8FM7Kg20u!G&B)cCNQ!KA|~SY(%9(~dw)NYD5>AwQTYoOym#9ju3MlAj~yL!
+z+9RAIsl?+#`6I<K{@zL$ADJ}oE3_yI+Lqstp&?8^HQMK^0xWV=hOR`CZSBB`G9be*
+zP6_<L&Yf9?QqSqNpgTGGCEK*4<;E45C;Sxx8n3iV?MnsJ)$obYDc5lg06gexff@W)
+z_<zx16s-r`SgbVaBm%7L>Q~$`6sGmR#$qABV!__lx-g(mg2@c}g0+B+myWGZ<W_R8
+zV6Of+sl7`kk2Auz5i6#i#0#o9|7|9IjgKkxUA^DFP$}0)w>@B1H-hdORvFBr11a5D
+zD5mD8X#7lUgZJ09DQa34oE2MSOlRl*Pk;Loc@3DRHQ-tjjjDOpdmBQ1xk?t__INBb
+zA2{y5_WewW14^G6WH^SY0hmJ8^Ng^zx=ZpuY7#VI+rLN#wJ0?Q;k^@dZ=X;S&RshD
+zWP{?O$!sjtgM5;`y4Wj6`G$m`1OsXIXK)R(Jwf5Zy`3r9HV=gsO7Qi4jzaFFm49h7
+zfsyLIa}fYP4lU}*uw@gGo4t5v27iR`O@MAwyFq8%w;vNMFt1G(wBrYGlM@r4)ff!p
+z>8Mmh-L?^v&W!qOH^7S@tzEEwdy!EuK#bBM?x4Wr`(bkkOsAP+#8TbjTL5J_=bS5)
+za6olnR}(Db?FG0|<i0m(V2`w;fq!h}N1<|g3&}<REujk1TD8Tvd(M!PX7X>ejvnzj
+zP}Lz{>_d&8$(MkIB`z>!MW@mnuqJ@W?8->i@)3)<Us_Y8J`|ad9V-cGBHf{69VHr&
+zxEfh$@?ER?*&ZclvZu!5oFp};4I#Q4WDZ$rQiyY4QzGvhbBo?X-$65og-Xjt<lp(w
+z#JY#8KF0XR``XJB@C}5IK6N~>j#DPAOs8q=yg6rJ-m=-Lk7xDaXe*1RV@>aTN~)U7
+zHjL@_ge{0Jt7~qq;qj^Jlbr=df11{|CuI2W<pKf-00e>r$kBFUM=%p0lc|48g~wmO
+zlQm6cm$_s_2>(DlA9cyxg6bmmW)&QR$<PB#CxL?NzSNRGypG&F<c~$JCG4GuBaz89
+zv|qFbRiU<7T@!t1GvkvS%j=1+&xb`Bk$a9NUSfJ?Mo9UlI>peuE=vJIf2HTu-u#@{
+znFBj?5I#2g`5TG`?>T^VI($%BFj|uIDfc;L5->4jxZu(nSAc33NNkgSR!9J}GSx4y
+z_4M@|c;BpN-D}R->!q&&aVy|T<rhZ0wJ!J=(Orz3D2_%8Tyy0GJZs?Y&Koh$Vy3tw
+zM+tfu)7X-q2`7b*wKR<Ze<jFrnDrp;G0jEOUMTmHd_+pD41$Eyft0gcB1_Xbd|ZSd
+zy*Evm5}t43m>U2Cb!tnn_pGykac3R{dXL<j3&f%yo^8c7d|5`=D<`ThDf)tN+1q2K
+zMu;mj7zZtp;nDHuW+HDd{%>JEv0NPZVx+TTgAeJQji@`)5{<nTf5nyXdU7tASiiN#
+zBxaM|9(Z)C$Fpqi#EuP-ulq*EnjWQ(KntqNSy;h5L=pE?@Ke)r=pxc{AgzgNw<>g<
+zcJZ=w(L#L{pjXv2RjibOnkQN957ydC_9_$?NmM?Po^Q&34Z7W?1h2;S>~cDOE<sP(
+z%^ZFVq&an45xt58e_p7#+bXI0``Yi=(VHP)qI1*wNe@$kV-*OzmA22+aq5_i&h}p6
+zKq0PmpcE)33^yC4<D=|(^!QJaa8{;pB@S0AE<=(4%z9<~zqg*M%^IxCVwD_MaN|$$
+z)T-nv)#_L`X{r5F3mEPB^jPy2>pIB3e3RmaS@`juU%CSke_Xs}bPG03Hd`AnWDQe0
+zDzTI!DRp&=;Lw}C)$l@}&C%0-vB~aHYq5NMeTEzqqd+JdVj_`U-$+46eP9-nM7?zc
+z5Pgt-^k?oplhg<NP{NUahtIDuq+ST0TAc5}rtba3@#n&CH#HIsu!-RK!8S{J6;f*e
+zA(`4kEj-vYe?hv`=vQ6x%+>%4^}fJ8S>3v%<7ynPniiv_Z|t!~Z%up1%zf`A$#gTl
+z|Itn@fJi}H(elXg%0X;2+!%;)-lR)s0rXj$+}J!$F5z3_l55m6b2_*fC-NqxNFTql
+zdv*Y;FP;Z6UFji4Uh@uDeNWtoP&b(ZdpU59uCOvye<+Qgi5uA#^8lnW?w_X5a(Zcq
+zqur4>A_O|0nJ|NBvfV)Jmkk!X>5(vIem$?G-`>87E-&XqHpVEiV;~i$OoPodAQ$zu
+zHfA}RyWpW+OJ@WK!YX*SO<(GZEW~rTpl2eq>|IbuqzzqN8t!)~kBi0<?pWFR4{KY}
+zH#Vnxf89N}jtvqZyfhEvSIZA}V5)wYIN7TBc2n-hv)FhLVhP{hxD19E`DCbW$;I=%
+zE%(UwRnabgo6oxaf-bdh-B0~6{LTmAlWWSm87CMVl+N7qheI+`bxnySyc{(4JP$-}
+z=nH|Q!Ac8l0Vb4A{`w>rn7;jaAq#?4)^yQTe=NH@6SxT7)@@3!xd(1))7AABX12%e
+zGo=U4kgSi_sg=#zEko}S``7Td_RokC%@eQ1Z`cc&&D0V7DMKQ8X_oz<ecqR81^K#V
+z4NfEf-%Mm~j<XwPNqk^18S9IDz*;dSFe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$
+zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b1TlMd9czJNI=4Z7y~ApP3IZC*$O2%D)%
+MVqdEZv;qPM03^{LzW@LL
+
+diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem
+index f6d35f370..5b2853bc8 100644
+--- a/src/tests/dejagnu/pkinit-certs/user.pem
++++ b/src/tests/dejagnu/pkinit-certs/user.pem
+@@ -3,26 +3,26 @@ MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+ FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
+ A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
+ dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
+-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
+ A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
+ U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
+-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
+-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
+-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
+-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
+-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFGvA
+-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
+-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz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 ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
+ IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
+ aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
+ BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b
+ C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF
+-AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQAzbpwzIFJk3a1BsrL7KT3B6aYNs5Z4bnwm
+-9dG3D2S1OFSQAbQt/ap5Tjz1RWabqWaSb6ufAKudQ6Ab2uKT8QhtmVByQYKDLYvn
+-bIGgoSeAcvWHWsTeReSADr2b0E9+UT8znvBDQGED39C1AgiVUWHgIExYU0kBrP3G
+-1CgWQLb7nZC5rKOkcK/Nm4XL7Oe+neiCr4j9adbGxeNHmt8HPuLuNL9TWkMAkcFo
+-5INHHFzNmW2aHdvO+7lDbK8/E0QwiES6UbBvQOkTyhC4W5u2Yy7qbpsQleu6jOEz
+-l8b05sf4FxhHevHtYUVuyhMOg8DPmfclnGX0Dms7aLf0s3oeSVt+
++AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQClwfj6ACfmDie1YoKzr3zSWZJKZimv7wG1
++iZMNPE6bw22ZmE+P+Vq6WrY5M5e4u7ZdvFmkVq3rUA0HoU6bk3YLGapgsEAG6W1R
++LVzxwoYDf4poOMqjCL34eLFdlVeRDADiulROE8bJGrPLJIiqeii0c7Kzxxuh5nxl
++QHDgNV0fHQQJlejgJssOqgGErsCXCq7k6kkqB8MnKVMErRjsYuY3YI2tpjxBq9nA
++A9dXgIU1zEUVzfpxzBjL9+2pMctbL1y4/ePpTP1+PlfI81TwrQNvMGYjxKNZM1ab
++lZt37n8GQUZQyZ2TacR4JyY+w20ivE/JPN0L3Ncmem6bO1CULpwO
+ -----END CERTIFICATE-----
diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
new file mode 100644
index 0000000..e78029f
--- /dev/null
+++ b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
@@ -0,0 +1,422 @@
+From 4dcab7d706331b469678f3a516cd67fffd331058 Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Wed, 29 Mar 2017 10:35:13 -0400
+Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
+
+ticket: 8568 (new)
+(cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++---------
+ src/plugins/preauth/pkinit/pkinit_identity.c | 3 -
+ src/plugins/preauth/pkinit/pkinit_matching.c | 1 +
+ src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++----
+ src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++-
+ 5 files changed, 97 insertions(+), 45 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 90c30dbf5..70e230ec2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context,
+
+ X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert),
+ buf, sizeof(buf));
+- pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf);
+
+ if ((i = X509_get_ext_by_NID(reqctx->received_cert,
+ NID_ext_key_usage, -1)) >= 0) {
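Review bot: The `X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert), buf, sizeof(buf));` call at the top of this hunk is kept, but the `pkiDebug` line that printed `buf` is removed. If nothing else in crypto_check_cert_eku() reads `buf`, the call and the buffer are now dead code and should go with it. Otherwise pass the subject to the new trace, so that a rejected certificate can be identified from the trace output. The function body starts and ends outside the hunk, so other uses of `buf` cannot be ruled out from here.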
+@@ -2354,7 +2353,6 @@ crypto_check_cert_eku(krb5_context context,
+
+ if (found_eku) {
+ ASN1_BIT_STRING *usage = NULL;
+- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+
+ /* check that digitalSignature KeyUsage is present */
+ X509_check_ca(reqctx->received_cert);
+@@ -2363,12 +2361,10 @@ crypto_check_cert_eku(krb5_context context,
+
+ if (!ku_reject(reqctx->received_cert,
+ X509v3_KU_DIGITAL_SIGNATURE)) {
+- pkiDebug("%s: found digitalSignature KU\n",
+- __FUNCTION__);
++ TRACE_PKINIT_EKU(context);
+ *valid_eku = 1;
+ } else
+- pkiDebug("%s: didn't find digitalSignature KU\n",
+- __FUNCTION__);
++ TRACE_PKINIT_EKU_NO_KU(context);
+ }
+ ASN1_BIT_STRING_free(usage);
+ }
+@@ -4317,8 +4313,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+
+ fp = fopen(idopts->cert_filename, "rb");
+ if (fp == NULL) {
+- pkiDebug("Failed to open PKCS12 file '%s', error %d\n",
+- idopts->cert_filename, errno);
++ TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno);
+ goto cleanup;
+ }
+ set_cloexec_file(fp);
+@@ -4326,8 +4321,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ p12 = d2i_PKCS12_fp(fp, NULL);
+ fclose(fp);
+ if (p12 == NULL) {
+- pkiDebug("Failed to decode PKCS12 file '%s' contents\n",
+- idopts->cert_filename);
++ TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename);
+ goto cleanup;
+ }
+ /*
+@@ -4345,7 +4339,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ char *p12name = reassemble_pkcs12_name(idopts->cert_filename);
+ const char *tmp;
+
+- pkiDebug("Initial PKCS12_parse with no password failed\n");
++ TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context);
+
+ if (id_cryptoctx->defer_id_prompt) {
+ /* Supply the identity name to be passed to the responder. */
+@@ -4386,14 +4380,14 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ NULL, NULL, 1, &kprompt);
+ k5int_set_prompt_types(context, 0);
+ if (r) {
+- pkiDebug("Failed to prompt for PKCS12 password");
++ TRACE_PKINIT_PKCS_PROMPT_FAIL(context);
+ goto cleanup;
+ }
+ }
+
+ ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
+ if (ret == 0) {
+- pkiDebug("Second PKCS12_parse with password failed\n");
++ TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context);
+ goto cleanup;
+ }
+ }
+@@ -4516,8 +4510,7 @@ pkinit_get_certs_fs(krb5_context context,
+ }
+
+ if (idopts->key_filename == NULL) {
+- pkiDebug("%s: failed to get user's private key location\n",
+- __FUNCTION__);
++ TRACE_PKINIT_NO_PRIVKEY(context);
+ goto cleanup;
+ }
+
+@@ -4545,8 +4538,7 @@ pkinit_get_certs_dir(krb5_context context,
+ char *dirname, *suf;
+
+ if (idopts->cert_filename == NULL) {
+- pkiDebug("%s: failed to get user's certificate directory location\n",
+- __FUNCTION__);
++ TRACE_PKINIT_NO_CERT(context);
+ return ENOENT;
+ }
+
+@@ -4590,8 +4582,7 @@ pkinit_get_certs_dir(krb5_context context,
+ retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx,
+ certname, keyname, i);
+ if (retval == 0) {
+- pkiDebug("%s: Successfully loaded cert (and key) for %s\n",
+- __FUNCTION__, dentry->d_name);
++ TRACE_PKINIT_LOADED_CERT(context, dentry->d_name);
+ i++;
+ }
+ else
+@@ -4599,8 +4590,7 @@ pkinit_get_certs_dir(krb5_context context,
+ }
+
+ if (!id_cryptoctx->defer_id_prompt && i == 0) {
+- pkiDebug("%s: No cert/key pairs found in directory '%s'\n",
+- __FUNCTION__, idopts->cert_filename);
++ TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename);
+ retval = ENOENT;
+ goto cleanup;
+ }
+@@ -5370,9 +5360,7 @@ crypto_cert_select_default(krb5_context context,
+ goto errout;
+ }
+ if (cert_count != 1) {
+- pkiDebug("%s: ERROR: There are %d certs to choose from, "
+- "but there must be exactly one.\n",
+- __FUNCTION__, cert_count);
++ TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count);
+ retval = EINVAL;
+ goto errout;
+ }
+@@ -5520,7 +5508,7 @@ load_cas_and_crls(krb5_context context,
+ switch(catype) {
+ case CATYPE_ANCHORS:
+ if (sk_X509_num(ca_certs) == 0) {
+- pkiDebug("no anchors in file, %s\n", filename);
++ TRACE_PKINIT_NO_CA_ANCHOR(context, filename);
+ if (id_cryptoctx->trustedCAs == NULL)
+ sk_X509_free(ca_certs);
+ } else {
+@@ -5530,7 +5518,7 @@ load_cas_and_crls(krb5_context context,
+ break;
+ case CATYPE_INTERMEDIATES:
+ if (sk_X509_num(ca_certs) == 0) {
+- pkiDebug("no intermediates in file, %s\n", filename);
++ TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename);
+ if (id_cryptoctx->intermediateCAs == NULL)
+ sk_X509_free(ca_certs);
+ } else {
+@@ -5540,7 +5528,7 @@ load_cas_and_crls(krb5_context context,
+ break;
+ case CATYPE_CRLS:
+ if (sk_X509_CRL_num(ca_crls) == 0) {
+- pkiDebug("no crls in file, %s\n", filename);
++ TRACE_PKINIT_NO_CRL(context, filename);
+ if (id_cryptoctx->revoked == NULL)
+ sk_X509_CRL_free(ca_crls);
+ } else {
+@@ -5626,14 +5614,14 @@ crypto_load_cas_and_crls(krb5_context context,
+ int catype,
+ char *id)
+ {
+- pkiDebug("%s: called with idtype %s and catype %s\n",
+- __FUNCTION__, idtype2string(idtype), catype2string(catype));
+ switch (idtype) {
+ case IDTYPE_FILE:
++ TRACE_PKINIT_LOAD_FROM_FILE(context);
+ return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx, catype, id);
+ break;
+ case IDTYPE_DIR:
++ TRACE_PKINIT_LOAD_FROM_DIR(context);
+ return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx, catype, id);
+ break;
+diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
+index a897efa25..737552e85 100644
+--- a/src/plugins/preauth/pkinit/pkinit_identity.c
++++ b/src/plugins/preauth/pkinit/pkinit_identity.c
+@@ -608,7 +608,6 @@ pkinit_identity_prompt(krb5_context context,
+ retval = pkinit_cert_matching(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx, princ);
+ if (retval) {
+- pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
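Review bot: Removing this `pkiDebug` may leave some failures of pkinit_cert_matching() without any diagnostic, because the only replacement is the `TRACE_PKINIT_NO_MATCHING_CERT(context);` this patch adds in one `else` branch of that function. The pkinit_matching.c hunk shows at least one other `goto cleanup` before that branch, so other non-zero returns appear to reach `errout` here silently. The next hunk has the same gap for crypto_cert_select_default(), whose only new trace sits on the `cert_count != 1` path. A trace at the call site, as the first statement of each `if (retval)` block, would cover every failing return. pkinit_identity_prompt() continues outside both hunks.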
+@@ -621,8 +620,6 @@ pkinit_identity_prompt(krb5_context context,
+ retval = crypto_cert_select_default(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx);
+ if (retval) {
+- pkiDebug("%s: Failed while selecting default certificate\n",
+- __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
+diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
+index a50c50c8d..cad4c2b9a 100644
+--- a/src/plugins/preauth/pkinit/pkinit_matching.c
++++ b/src/plugins/preauth/pkinit/pkinit_matching.c
+@@ -812,6 +812,7 @@ pkinit_cert_matching(krb5_context context,
+ goto cleanup;
+ }
+ } else {
++ TRACE_PKINIT_NO_MATCHING_CERT(context);
+ retval = ENOENT; /* XXX */
+ goto cleanup;
+ }
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 32ca122f2..9c6e96c9e 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -188,6 +188,7 @@ verify_client_san(krb5_context context,
+ plgctx->opts->allow_upn ? &upns : NULL,
+ NULL);
+ if (retval == ENOENT) {
++ TRACE_PKINIT_SERVER_NO_SAN(context);
+ goto out;
+ } else if (retval) {
+ pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
+@@ -224,7 +225,7 @@ verify_client_san(krb5_context context,
+ krb5_free_unparsed_name(context, san_string);
+ #endif
+ if (cb->match_client(context, rock, princs[i])) {
+- pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context);
+ *valid_san = 1;
+ retval = 0;
+ goto out;
+@@ -252,7 +253,7 @@ verify_client_san(krb5_context context,
+ krb5_free_unparsed_name(context, san_string);
+ #endif
+ if (cb->match_client(context, rock, upns[i])) {
+- pkiDebug("%s: upn san match found\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
+ *valid_san = 1;
+ retval = 0;
+ goto out;
+@@ -300,7 +301,7 @@ verify_client_eku(krb5_context context,
+ *eku_accepted = 0;
+
+ if (plgctx->opts->require_eku == 0) {
+- pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_EKU_SKIP(context);
+ *eku_accepted = 1;
+ retval = 0;
+ goto out;
+@@ -364,6 +365,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
+ ret = KRB5_PLUGIN_NO_HANDLE;
+ for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
+ h = certauth_modules[i];
++ TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name);
+ ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
+ &opts, db_ent, &ais);
+ if (ret == 0)
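Review bot: `TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name);` records which certauth module is about to be consulted, but nothing in this hunk records what `h->vt.authorize()` returned. A KDC trace therefore lists the modules tried without showing which one accepted, passed on, or rejected the client certificate, and that outcome is what an operator reviewing an authorization decision needs. A second trace after the call would close the gap, for example a macro expanding to `TRACE(c, "PKINIT server certauth module {str} returned {kerr}", modname, ret)`, built from format specifiers pkinit_trace.h already uses. The loop body continues outside the hunk, so the result may already be reported further down.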
+@@ -449,7 +451,7 @@ pkinit_server_verify_padata(krb5_context context,
+
+ switch ((int)data->pa_type) {
+ case KRB5_PADATA_PK_AS_REQ:
+- pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY(context);
+ retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp);
+ if (retval) {
+ pkiDebug("decode_krb5_pa_pk_as_req failed\n");
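Review bot: The decode failure directly under the new `TRACE_PKINIT_SERVER_PADATA_VERIFY(context);` still goes only to `pkiDebug`. In a non-debug build, a request whose PA-PK-AS-REQ fails to decode would leave "verifying" as the last PKINIT trace line, with no failure recorded, unless the cleanup path outside the hunk reports it. The draft9 branch in the next hunk has the same shape. Adding `TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context);` inside each `if (retval)` block would make malformed client padata visible in the trace. In that next hunk one trace also serves both `KRB5_PADATA_PK_AS_REP_OLD` and `KRB5_PADATA_PK_AS_REQ_OLD`, while its message names only the latter.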
+@@ -472,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context,
+ break;
+ case KRB5_PADATA_PK_AS_REP_OLD:
+ case KRB5_PADATA_PK_AS_REQ_OLD:
+- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context);
+ retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9);
+ if (retval) {
+ pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n");
+@@ -500,7 +502,7 @@ pkinit_server_verify_padata(krb5_context context,
+ goto cleanup;
+ }
+ if (retval) {
+- pkiDebug("pkcs7_signeddata_verify failed\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context);
+ goto cleanup;
+ }
+ if (is_signed) {
+@@ -830,7 +832,7 @@ pkinit_server_return_padata(krb5_context context,
+ return ENOENT;
+ }
+
+- pkiDebug("pkinit_return_padata: entered!\n");
++ TRACE_PKINIT_SERVER_RETURN_PADATA(context);
+ reqctx = (pkinit_kdc_req_context)modreq;
+
+ if (encrypting_key->contents) {
+@@ -1463,8 +1465,7 @@ pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return ret;
+
+ if (!valid_san) {
+- pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
+- __FUNCTION__);
++ TRACE_PKINIT_SERVER_SAN_REJECT(context);
+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+ }
+
+@@ -1490,8 +1491,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return ret;
+
+ if (!valid_eku) {
+- pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
+- __FUNCTION__);
++ TRACE_PKINIT_SERVER_EKU_REJECT(context);
+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+ }
+
+@@ -1617,7 +1617,7 @@ pkinit_server_plugin_init(krb5_context context,
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < numrealms; i++) {
+- pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]);
++ TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
+ retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
+ if (retval == 0 && plgctx != NULL)
+ realm_contexts[j++] = plgctx;
+diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
+index 458d0961e..6abe28c0c 100644
+--- a/src/plugins/preauth/pkinit/pkinit_trace.h
++++ b/src/plugins/preauth/pkinit/pkinit_trace.h
+@@ -52,7 +52,7 @@
+ #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \
+ TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \
+ "received {cksum}", expected, received)
+-#define TRACE_PKINIT_CLIENT_REP_DH(c) \
++#define TRACE_PKINIT_CLIENT_REP_DH(c) \
+ TRACE(c, "PKINIT client verified DH reply")
+ #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \
+ TRACE(c, "PKINIT client could not verify DH reply")
+@@ -91,6 +91,72 @@
+ #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
+ TRACE(c, "PKINIT OpenSSL error: {str}", msg)
+
++#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \
++ TRACE(c, "PKINIT server authorizing cert with module {str}", \
++ modname)
++#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \
++ TRACE(c, "PKINIT server found no acceptable EKU in client cert")
++#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \
++ TRACE(c, "PKINIT server skipping EKU check due to configuration")
++#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
++ TRACE(c, "PKINIT server initializing realm {str}", realm)
++#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
++ TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
++#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \
++ TRACE(c, "PKINIT server found a matching SAN in client cert")
++#define TRACE_PKINIT_SERVER_NO_SAN(c) \
++ TRACE(c, "PKINIT server found no SAN in client cert")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \
++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \
++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD")
++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \
++ TRACE(c, "PKINIT server failed to verify PA data")
++#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \
++ TRACE(c, "PKINIT server returning PA data")
++#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \
++ TRACE(c, "PKINIT server found no acceptable SAN in client cert")
++
++#define TRACE_PKINIT_EKU(c) \
++ TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")
++#define TRACE_PKINIT_EKU_NO_KU(c) \
++ TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")
++#define TRACE_PKINIT_LOADED_CERT(c, name) \
++ TRACE(c, "PKINIT loaded cert and key for {str}", name)
++#define TRACE_PKINIT_LOAD_FROM_FILE(c) \
++ TRACE(c, "PKINIT loading CA certs and CRLs from FILE")
++#define TRACE_PKINIT_LOAD_FROM_DIR(c) \
++ TRACE(c, "PKINIT loading CA certs and CRLs from DIR")
++#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \
++ TRACE(c, "PKINIT no anchor CA in file {str}", file)
++#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \
++ TRACE(c, "PKINIT no intermediate CA in file {str}", file)
++#define TRACE_PKINIT_NO_CERT(c) \
++ TRACE(c, "PKINIT no certificate provided")
++#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \
++ TRACE(c, "PKINIT no cert and key pair found in directory {str}", \
++ dirname)
++#define TRACE_PKINIT_NO_CRL(c, file) \
++ TRACE(c, "PKINIT no CRL in file {str}", file)
++#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \
++ TRACE(c, "PKINIT error: There are {int} certs, but there must " \
++ "be exactly one.", count)
++#define TRACE_PKINIT_NO_MATCHING_CERT(c) \
++ TRACE(c, "PKINIT no matching certificate found")
++#define TRACE_PKINIT_NO_PRIVKEY(c) \
++ TRACE(c, "PKINIT no private key provided")
++#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \
++ TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name)
++#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \
++ TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \
++ name, err)
++#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \
++ TRACE(c, "PKINIT initial PKCS12_parse with no password failed")
++#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \
++ TRACE(c, "PKINIT second PKCS12_parse with password failed")
++#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \
++ TRACE(c, "PKINIT failed to prompt for PKCS12 password")
++
+ #define TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \
+ TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
+ #define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \
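Review bot: The message in `TRACE_PKINIT_NO_DEFAULT_CERT` is written differently from every other trace string added in this hunk. It carries an "error:" prefix, a capitalised sentence and a trailing period, where the rest are lower-case fragments with no terminal punctuation. Wording it like its neighbours, for instance `TRACE(c, "PKINIT found {int} certs but requires exactly one", count)`, keeps trace output uniform for anyone filtering or parsing it. The new client-side macros (`TRACE_PKINIT_EKU`, `TRACE_PKINIT_NO_CERT`, and so on) also lack the `CLIENT`/`SERVER` qualifier used by the existing and the new server macros. A one-line comment above that group saying which side emits them would help readers.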
diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch
new file mode 100644
index 0000000..0c6ac83
--- /dev/null
+++ b/Fix-certauth-built-in-module-returns.patch
@@ -0,0 +1,124 @@
+From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Thu, 24 Aug 2017 11:11:46 -0400
+Subject: [PATCH] Fix certauth built-in module returns
+
+The PKINIT certauth eku module should never authoritatively authorize
+a certificate, because an extended key usage does not establish a
+relationship between the certificate and any specific user; it only
+establishes that the certificate was created for PKINIT client
+authentication. Therefore, pkinit_eku_authorize() should return
+KRB5_PLUGIN_NO_HANDLE on success, not 0.
+
+The certauth san module should pass if it does not find any SANs of
+the types it can match against; the presence of other types of SANs
+should not cause it to explicitly deny a certificate. Check for an
+empty result from crypto_retrieve_cert_sans() in verify_client_san(),
+instead of returning ENOENT from crypto_retrieve_cert_sans() when
+there are no SANs at all.
+
+ticket: 8561
+(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------
+ src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++---
+ 2 files changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 70e230ec2..7fa2efd21 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
+
+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
+- retval = ENOENT;
+ goto cleanup;
+ }
+ num_sans = sk_GENERAL_NAME_num(ialt);
+@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
+ sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
+
+ retval = 0;
+- if (princs)
++ if (princs != NULL && *princs != NULL) {
+ *princs_ret = princs;
+- if (upns)
++ princs = NULL;
++ }
++ if (upns != NULL && *upns != NULL) {
+ *upn_ret = upns;
+- if (dnss)
++ upns = NULL;
++ }
++ if (dnss != NULL && *dnss != NULL) {
+ *dns_ret = dnss;
++ dnss = NULL;
++ }
+
+ cleanup:
+- if (retval) {
+- if (princs != NULL) {
+- for (i = 0; princs[i] != NULL; i++)
+- krb5_free_principal(context, princs[i]);
+- free(princs);
+- }
+- if (upns != NULL) {
+- for (i = 0; upns[i] != NULL; i++)
+- krb5_free_principal(context, upns[i]);
+- free(upns);
+- }
+- if (dnss != NULL) {
+- for (i = 0; dnss[i] != NULL; i++)
+- free(dnss[i]);
+- free(dnss);
+- }
+- }
++ for (i = 0; princs != NULL && princs[i] != NULL; i++)
++ krb5_free_principal(context, princs[i]);
++ free(princs);
++ for (i = 0; upns != NULL && upns[i] != NULL; i++)
++ krb5_free_principal(context, upns[i]);
++ free(upns);
++ for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
++ free(dnss[i]);
++ free(dnss);
+ return retval;
+ }
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 9c6e96c9e..8e77606f8 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
+ &princs,
+ plgctx->opts->allow_upn ? &upns : NULL,
+ NULL);
+- if (retval == ENOENT) {
+- TRACE_PKINIT_SERVER_NO_SAN(context);
+- goto out;
+- } else if (retval) {
++ if (retval) {
+ pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
+ retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+ goto out;
+ }
++
++ if (princs == NULL && upns == NULL) {
++ TRACE_PKINIT_SERVER_NO_SAN(context);
++ retval = ENOENT;
++ goto out;
++ }
++
+ /* XXX Verify this is consistent with client side XXX */
+ #if 0
+ retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
+@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+ }
+
+- return 0;
++ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ static krb5_error_code
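Review bot: In the crypto_retrieve_X509_sans() part of the embedded patch, the branch taken when `X509_get_ext()` or `X509V3_EXT_d2i()` fails now jumps to `cleanup` with whatever `retval` already holds, and that initialisation lies outside the hunk. This matters because verify_client_san() now treats a zero return with empty `princs` and `upns` as "no SANs" and returns ENOENT, so a SAN extension that is present but cannot be decoded should not end up on the same path as an absent one. I would state the intent with a comment on that branch, for example `/* retval still holds its initial error: an undecodable SAN extension is a failure, not an empty SAN list */`, or an explicit assignment if the initial value turns out to be 0 (to be confirmed against the full function). The `pkiDebug` text there still reads "found no subject alt name extensions", which no longer describes a decode failure. Both functions begin and end outside the context shown.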
diff --git a/Make-certauth-eku-module-restrictive-only.patch b/Make-certauth-eku-module-restrictive-only.patch
deleted file mode 100644
index 40c008d..0000000
--- a/Make-certauth-eku-module-restrictive-only.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2b1a91087b668ab1021f1ca461b8210e7e015c8a Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 24 Aug 2017 11:11:46 -0400
-Subject: [PATCH] Make certauth eku module restrictive-only
-
-The PKINIT certauth eku module should never authoritatively authorize
-a certificate, because an extended key usage does not establish a
-relationship between the certificate and any specific user; it only
-establishes that the certificate was created for PKINIT client
-authentication. Therefore, pkinit_eku_authorize() should return
-KRB5_PLUGIN_NO_HANDLE on success, not 0.
-
-ticket: 8561
-(cherry picked from commit aca6fd6bc07934a90a18a70116ea3b620228950a)
----
- src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 32ca122f2..d7a604c80 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -1495,7 +1495,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
- return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- }
-
-- return 0;
-+ return KRB5_PLUGIN_NO_HANDLE;
- }
-
- static krb5_error_code
diff --git a/krb5.spec b/krb5.spec
index f990581..c4c5b49 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 25%{?dist}
+Release: 27%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -91,7 +91,11 @@ Patch62: Fix-more-time-manipulations-for-y2038.patch
Patch63: Use-krb5_timestamp-where-appropriate.patch
Patch64: Add-KDC-policy-pluggable-interface.patch
Patch65: Fix-bugs-in-kdcpolicy-commit.patch
-Patch66: Make-certauth-eku-module-restrictive-only.patch
+Patch66: Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+Patch67: Fix-certauth-built-in-module-returns.patch
+Patch68: Add-test-cert-with-no-extensions.patch
+Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch
+Patch70: Add-hostname-based-ccselect-module.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -743,6 +747,13 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-27
+- Add hostname-based ccselect module
+- Resolves: #1463665
+
+* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-26
+- Backport upstream certauth EKU fixes
+
* Fri Aug 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-25
- Backport certauth eku security fix