author | Robbie Harwood <rharwood@redhat.com> | 2017-09-05 18:16:56 +0000 |
---|---|---|
committer | Robbie Harwood <rharwood@redhat.com> | 2017-09-05 18:16:58 +0000 |
commit | f6b653fac2245f542c4370319f252498eff1e9e3 (patch) | |
tree | 4905876e168bf796f3f0949df949314545f85b09 | |
parent | 8f0349dc3ebd1e307b37ab0fe0f6e065bfe8291e (diff) | |
Add hostname-based ccselect module
Also update certauth EKU stuff
Resolves: #1463665
-rw-r--r-- | Add-PKINIT-test-case-for-generic-client-cert.patch | 51 | ||||
-rw-r--r-- | Add-hostname-based-ccselect-module.patch | 293 | ||||
-rw-r--r-- | Add-test-cert-with-no-extensions.patch | 1120 | ||||
-rw-r--r-- | Convert-some-pkiDebug-messages-to-TRACE-macros.patch | 422 | ||||
-rw-r--r-- | Fix-certauth-built-in-module-returns.patch | 124 | ||||
-rw-r--r-- | Make-certauth-eku-module-restrictive-only.patch | 31 | ||||
-rw-r--r-- | krb5.spec | 15 |
7 files changed, 2023 insertions, 33 deletions
diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
new file mode 100644
index 0000000..e6fb895
--- /dev/null
+++ b/Add-PKINIT-test-case-for-generic-client-cert.patch
@@ -0,0 +1,51 @@
+From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Aug 2017 12:39:14 -0400
+Subject: [PATCH] Add PKINIT test case for generic client cert
+
+In t_pkinit.py, add a test case where a client cert with no extensions
+is authorized via subject and issuer using a pkinit_cert_match string
+attribute.
+
+ticket: 8562
+(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898)
+[rharwood@redhat.com: backport around dbmatch module]
+---
+ src/tests/t_pkinit.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+index e943f4974..fa5c5199e 100755
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
+@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
+ user_upn_p12 = os.path.join(certs, 'user-upn.p12')
+ user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
+ user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
++generic_p12 = os.path.join(certs, 'generic.p12')
+ path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
+ path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
+
+@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
+ p12_upn_identity = 'PKCS12:%s' % user_upn_p12
+ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
+ p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
++p12_generic_identity = 'PKCS12:%s' % generic_p12
+ p12_enc_identity = 'PKCS12:%s' % user_enc_p12
+ p11_identity = 'PKCS11:soft-pkcs11.so'
+ p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
+@@ -284,6 +286,14 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
+ realm.klist(realm.user_princ)
+ realm.run([kvno, realm.host_princ])
+
++# Authorize a client cert with no PKINIT extensions using subject and
++# issuer. (Relies on EKU checking being turned off.)
++rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
++realm.kinit(realm.user_princ,
++ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
++realm.klist(realm.user_princ)
++
+ if not have_soft_pkcs11:
+ skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
+
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
new file mode 100644
index 0000000..87a83c1
--- /dev/null
+++ b/Add-hostname-based-ccselect-module.patch
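Review bot: The new generic-cert case at the end of this patch only asserts the accept path; since the comment says the cert has no PKINIT extensions and EKU checking is off, the `pkinit_cert_match` rule is presumably the only thing authorizing this client, so a reject case is what would show the rule is actually evaluated. I would follow the `realm.klist` call with a `setstr` of a rule that cannot match (constructed example: `'<SUBJECT>CN=nomatch$'`) and then `realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p12_generic_identity], expected_code=1)`. The string attribute is also left set on `realm.user_princ` when the script moves on to the PKCS11 tests, which begin outside this hunk; unless they are meant to run under this rule, removing it with `kadminl delstr` would keep them independent of it.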
@@ -0,0 +1,293 @@
+From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 23 Aug 2017 17:25:17 -0400
+Subject: [PATCH] Add hostname-based ccselect module
+
+The hostname module selects the ccache whose realm is the longest
+parent domain tail of the uppercase server hostname.
+
+[ghudson@mit.edu: minor edits]
+
+ticket: 8613 (new)
+(cherry picked from commit a4ddc6cf576b4155e6b994307902567f26f752b2)
+---
+ doc/admin/conf_files/krb5_conf.rst | 4 +
+ src/lib/krb5/ccache/Makefile.in | 3 +
+ src/lib/krb5/ccache/cc-int.h | 4 +
+ src/lib/krb5/ccache/ccselect.c | 5 ++
+ src/lib/krb5/ccache/ccselect_hostname.c | 146 ++++++++++++++++++++++++++++++++
+ src/tests/gssapi/t_ccselect.py | 9 ++
+ 6 files changed, 171 insertions(+)
+ create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index c0e4349c0..5f1de2e50 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -744,6 +744,10 @@ disabled with the disable tag):
+ Uses the service realm to guess an appropriate cache from the
+ collection
+
++**hostname**
++ If the service principal is host-based, uses the service hostname
++ to guess an appropriate cache from the collection
++
+ .. _pwqual:
+
+ pwqual interface
+diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
+index 5ac870728..f84cf793e 100644
+--- a/src/lib/krb5/ccache/Makefile.in
++++ b/src/lib/krb5/ccache/Makefile.in
+@@ -34,6 +34,7 @@ STLIBOBJS= \
+ ccdefops.o \
+ ccmarshal.o \
+ ccselect.o \
++ ccselect_hostname.o \
+ ccselect_k5identity.o \
+ ccselect_realm.o \
+ cc_dir.o \
+@@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
+ $(OUTPRE)ccdefops.$(OBJEXT) \
+ $(OUTPRE)ccmarshal.$(OBJEXT) \
+ $(OUTPRE)ccselect.$(OBJEXT) \
++ $(OUTPRE)ccselect_hostname.$(OBJEXT) \
+ $(OUTPRE)ccselect_k5identity.$(OBJEXT) \
+ $(OUTPRE)ccselect_realm.$(OBJEXT) \
+ $(OUTPRE)cc_dir.$(OBJEXT) \
+@@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \
+ $(srcdir)/ccdefops.c \
+ $(srcdir)/ccmarshal.c \
+ $(srcdir)/ccselect.c \
++ $(srcdir)/ccselect_hostname.c \
+ $(srcdir)/ccselect_k5identity.c \
+ $(srcdir)/ccselect_realm.c \
+ $(srcdir)/cc_dir.c \
+diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
+index ee9b5e0e9..d920367ce 100644
+--- a/src/lib/krb5/ccache/cc-int.h
++++ b/src/lib/krb5/ccache/cc-int.h
+@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
+ krb5_error_code
+ krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
+
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable);
++
+ krb5_error_code
+ ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
+index ee4b83a9b..393d39733 100644
+--- a/src/lib/krb5/ccache/ccselect.c
++++ b/src/lib/krb5/ccache/ccselect.c
+@@ -71,6 +71,11 @@ load_modules(krb5_context context)
+ if (ret != 0)
+ goto cleanup;
+
++ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
++ ccselect_hostname_initvt);
++ if (ret != 0)
++ goto cleanup;
++
+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules);
+ if (ret != 0)
+ goto cleanup;
+diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
+new file mode 100644
+index 000000000..475cfabae
+--- /dev/null
++++ b/src/lib/krb5/ccache/ccselect_hostname.c
+@@ -0,0 +1,146 @@
++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
++/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
++/*
++ * Copyright (C) 2017 by Red Hat, Inc.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
++ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "k5-int.h"
++#include "cc-int.h"
++#include <ctype.h>
++#include <krb5/ccselect_plugin.h>
++
++/* Swap a and b, using tmp as an intermediate. */
++#define SWAP(a, b, tmp) \
++ tmp = a; \
++ a = b; \
++ b = tmp;
++
++static krb5_error_code
++hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
++ int *priority_out)
++{
++ *data_out = NULL;
++ *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
++ return 0;
++}
++
++static krb5_error_code
++hostname_choose(krb5_context context, krb5_ccselect_moddata data,
++ krb5_principal server, krb5_ccache *ccache_out,
++ krb5_principal *princ_out)
++{
++ krb5_error_code ret;
++ char *p, *host = NULL;
++ size_t hostlen;
++ krb5_cccol_cursor col_cursor;
++ krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
++ krb5_principal princ, tmp_princ, best_princ = NULL;
++ krb5_data domain;
++
++ *ccache_out = NULL;
++ *princ_out = NULL;
++
++ if (server->type != KRB5_NT_SRV_HST || server->length < 2)
++ return KRB5_PLUGIN_NO_HANDLE;
++
++ /* Compute upper-case hostname. */
++ hostlen = server->data[1].length;
++ host = k5memdup0(server->data[1].data, hostlen, &ret);
++ if (host == NULL)
++ return ret;
++ for (p = host; *p != '\0'; p++) {
++ if (islower(*p))
++ *p = toupper(*p);
++ }
++
++ /* Scan the collection for a cache with a client principal whose realm is
++ * the longest tail of the server hostname. */
++ ret = krb5_cccol_cursor_new(context, &col_cursor);
++ if (ret)
++ goto done;
++
++ for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
++ ret == 0 && ccache != NULL;
++ ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
++ ret = krb5_cc_get_principal(context, ccache, &princ);
++ if (ret) {
++ krb5_cc_close(context, ccache);
++ break;
++ }
++
++ /* Check for a longer match than we have. */
++ domain = make_data(host, hostlen);
++ while (best_princ == NULL ||
++ best_princ->realm.length < domain.length) {
++ if (data_eq(princ->realm, domain)) {
++ SWAP(best_ccache, ccache, tmp_ccache);
++ SWAP(best_princ, princ, tmp_princ);
++ break;
++ }
++
++ /* Try the next parent domain. */
++ p = memchr(domain.data, '.', domain.length);
++ if (p == NULL)
++ break;
++ domain = make_data(p + 1, hostlen - (p + 1 - host));
++ }
++
++ if (ccache != NULL)
++ krb5_cc_close(context, ccache);
++ krb5_free_principal(context, princ);
++ }
++
++ krb5_cccol_cursor_free(context, &col_cursor);
++
++ if (best_ccache != NULL) {
++ *ccache_out = best_ccache;
++ *princ_out = best_princ;
++ } else {
++ ret = KRB5_PLUGIN_NO_HANDLE;
++ }
++
++done:
++ free(host);
++ return ret;
++}
++
++krb5_error_code
++ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable)
++{
++ krb5_ccselect_vtable vt;
++
++ if (maj_ver != 1)
++ return KRB5_PLUGIN_VER_NOTSUPP;
++ vt = (krb5_ccselect_vtable)vtable;
++ vt->name = "hostname";
++ vt->init = hostname_init;
++ vt->choose = hostname_choose;
++ return 0;
++}
+diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
+index 668a2cc62..3503f9269 100755
+--- a/src/tests/gssapi/t_ccselect.py
++++ b/src/tests/gssapi/t_ccselect.py
+@@ -33,6 +33,7 @@ host1 = 'p:' + r1.host_princ
+ host2 = 'p:' + r2.host_princ
+ foo = 'foo.krbtest.com'
+ foo2 = 'foo.krbtest2.com'
++foobar = "foo.bar.krbtest.com"
+
+ # These strings specify the target as a GSS name. The resulting
+ # principal will have the host-based type, with the referral realm
+@@ -42,6 +43,7 @@ foo2 = 'foo.krbtest2.com'
+ # single component.
+ gssserver = 'h:host@' + foo
+ gssserver2 = 'h:host@' + foo2
++gssserver_bar = 'h:host@' + foobar
+ gsslocal = 'h:host@localhost'
+
+ # refserver specifies the target as a principal in the referral realm.
+@@ -77,10 +79,12 @@ r1.addprinc('host/localhost')
+ r2.addprinc('host/localhost')
+ r1.addprinc('host/' + foo)
+ r2.addprinc('host/' + foo2)
++r1.addprinc('host/' + foobar)
+ r1.extract_keytab('host/localhost', r1.keytab)
+ r2.extract_keytab('host/localhost', r2.keytab)
+ r1.extract_keytab('host/' + foo, r1.keytab)
+ r2.extract_keytab('host/' + foo2, r2.keytab)
++r1.extract_keytab('host/' + foobar, r1.keytab)
+
+ # Get tickets for one user in each realm (zaphod will be primary).
+ r1.kinit(alice, password('alice'))
+@@ -128,6 +132,11 @@ output = r2.run(['./t_ccselect', gsslocal])
+ if output != (zaphod + '\n'):
+ fail('zaphod not chosen via default realm fallback')
+
++# Check that realm ccselect fallback works correctly
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++r2.kinit(zaphod, password('zaphod'))
++r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
++
+ # Get a second cred in r1 (bob will be primary).
+ r1.kinit(bob, password('bob'))
+
diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch
new file mode 100644
index 0000000..3734700
--- /dev/null
+++ b/Add-test-cert-with-no-extensions.patch
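Review bot: In hostname_choose() in the new ccselect_hostname.c, the upper-casing loop passes a plain `char` to `islower()`/`toupper()`, which is undefined for negative values, and the bytes come from the server principal's hostname component supplied by the caller. Casting at the call site keeps it defined: `if (islower((unsigned char)*p)) *p = toupper((unsigned char)*p);`. Separately, when `krb5_cc_get_principal()` fails after an earlier cache has already matched, the loop breaks with ret set and the function still stores `best_ccache`/`best_princ` into the output pointers before returning the error; unless the caller releases outputs on failure, that looks like a leak, so I would free both and leave the outputs NULL on that path. The `SWAP` macro expands to three bare statements, which is only safe here because both uses sit inside braces; wrapping it in `do { ... } while (0)` would remove that trap.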
@@ -0,0 +1,1120 @@ +From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 25 Aug 2017 12:33:33 -0400 +Subject: [PATCH] Add test cert with no extensions + +Add commands to make-certs.sh to generate a test client certificate +with no certificate extensions. Re-run make-certs.sh. + +ticket: 8562 +(cherry picked from commit 0d23835660ab131d244d395e4568969b5c0dc678) +--- + src/tests/dejagnu/pkinit-certs/ca.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes + src/tests/dejagnu/pkinit-certs/generic.pem | 21 ++++++++++ + src/tests/dejagnu/pkinit-certs/kdc.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++ + src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 ++++++++++++------------- + src/tests/dejagnu/pkinit-certs/privkey.pem | 50 ++++++++++++------------ + src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 2837 -> 2837 bytes + src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 2829 -> 2829 bytes + src/tests/dejagnu/pkinit-certs/user-upn.pem | 30 +++++++------- + src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 2813 -> 2813 bytes + src/tests/dejagnu/pkinit-certs/user-upn2.pem | 32 +++++++-------- + src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 -------- + src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 2829 -> 2829 bytes + src/tests/dejagnu/pkinit-certs/user-upn3.pem | 30 +++++++------- + src/tests/dejagnu/pkinit-certs/user.p12 | Bin 2837 -> 2837 bytes + src/tests/dejagnu/pkinit-certs/user.pem | 30 +++++++------- + 17 files changed, 174 insertions(+), 160 deletions(-) + create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12 + create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem + delete mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr + +diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem +index 44c917687..f7421ba02 100644 +--- a/src/tests/dejagnu/pkinit-certs/ca.pem 
++++ b/src/tests/dejagnu/pkinit-certs/ca.pem +@@ -3,27 +3,27 @@ MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ + BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i + cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl + cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk + byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +-ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN +-l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC +-7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4 +-bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs +-Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM +-bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO +-fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c +-27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 ++ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId ++S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r ++rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps ++h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU ++OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO ++Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX ++VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp ++9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 + dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ + bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0 + 
IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE +-AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM +-TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80 +-83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e +-QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91 +-dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE +-AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m +-kMz4Jq4cnvpz ++AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY ++/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl ++k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU ++7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4 ++Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH ++Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk ++qlhbJdEcjHr2 + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8 +GIT binary patch +literal 2477 +zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@ +z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=hx$=L +z1<ixW0s;sCfPw?a(gHBV*LQ_7OvK|HbaN^W^@n_~M?&;UFQ(vuXBLc&;u~(t@2A_` +zN?~wJ?GFR6qa-(OLAF=pT)y15jOd>6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV +zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$ +z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Q<eKW?|>j#E{tn`2{H +zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#<UsfX*Vr)&0;G@6Mf89D! 
+zH$DPc!csOKzz?2oPfu?Y$m&s>V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR +z<Cze2yADgeOah3?RT8`UX$Mg(o}{pXQCI>E<@*23b5&ny_nUSu&QRYf<9<Br<4Sz} +zu(qTFtQT~xHNsSZ_{J7Zq~#p(OzhU`O|n5it<yUUL#qC?MmT=@8vZ6Ca<ocu-6Dr8 +z4-Z-4`bPGQD~=PUDJSLO;UOIpqzkR`B-1J^@U90uaBM9eQ6oWbIdBxD$^vC#oJIJ9 +zk#^*H8=MbfbHZC9l8dBrM`T(28TXvNeEC~K+UQhg#5_uyGA>ZS$K+zIxKS{-TDjaw +zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_ +zV#Eei3)wjY67{AC<7Jdb$1Dr<t;^O$#NnswD<9%3Loosj0sQS~YxCP@d^)K;FWe$3 +zJlGuiSqmn9lyw2@_(R%?dz(EjH#!JRSAk0hc;*ufrtQcRt0R@yV*5;Tz7&JL3|!y~ +z`Sj5k6pFX!?J25fU0e!Xyb-jrt%pq`TD8?dx$|;fgCHJ@Cx29TMN5(FR-Zccg^#tO +zarkYUa+_;I$sb=t-gWhqyW`132nt>skBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a +zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh +z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS= +zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$ +zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L +zNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg +z_YDCI0Ru1&1PE&M1&nJFpMC-Y2ml0v1js4*^UmfbY1m7h_actRaA;dGKozjwpW<*f +zLJMkle=~hq1K8<clzfxiE{Y$XU(^23k(PS;Z#$1b53eOu$H%4TBn-WT8P>i7=~UOR +zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q( +z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8 +z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp +z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC +zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{e<gY9n1P=zK^~MQD(Pb<NQ@ +z)$hO~Ydw`k5$aHcw4Y{UbEZ#qDNfqgn?l^o_Zm`mSjK{0!%3`4M>S4V-1zL#^Hl>} +zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`<v;BYz&F-+Y#-4VY%?rkV()Udk)B4K~q@ +z5|7$qS;nPsi%nISI2ytysTp#!J_~^sMWt)mxd$@4VU(>@TU5bt()(#ACb9{Y+&=*3 +z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)* +zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y +zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#<?yoDM3e$Lx9uekTVOc*%sW8kEM(_Fo+R +z>FU7a%regezQN#<IR5;9RwiRTB_fs_qlLhgjB6k4n1OItFvz)AtQvTQajQ74^GMk+ 
+zyv!~xR0*ak9$s!5EO;tFI&e>m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X +zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN +z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy +zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ& +z%}Cbjx7lK8O<X)~(Ayl=Q)OSdTE?AEfkl&l)>xbcYY6+T8eDcs^;Xvdw>6;}lnp8q +zOI2Bf<p>+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^Avux<n?`bX_-y*qM +z7-)bk6U4W0{#2(JPIO^XHVV5PUo$Cbs#&0nNI9sYiMd%^?HAW-8>K!KnnF`7+J)np +zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6 +z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt* +zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+ +zEh;f3Fe3&DDuzgg_YDCF6)_eB6o<o$W_TL6&4sv`u`-io>fmTa$1pK4AutIB1uG5% +r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be; + +literal 0 +HcmV?d00001 + +diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem +new file mode 100644 +index 000000000..706c2f341 +--- /dev/null ++++ b/src/tests/dejagnu/pkinit-certs/generic.pem +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD ++VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM ++A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex ++MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy ++d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT ++AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP ++TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ++AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7 ++Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W ++ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP ++XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo ++pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y ++2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ 
++6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0 ++FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl ++HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee ++8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y ++lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO ++ebOF6zAD73Bpkw== ++-----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem +index 8820ad447..4eb811deb 100644 +--- a/src/tests/dejagnu/pkinit-certs/kdc.pem ++++ b/src/tests/dejagnu/pkinit-certs/kdc.pem +@@ -3,27 +3,27 @@ MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +-AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35 +-jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA +-wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7 +-uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl +-bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b +-TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ +-DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt +-HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl ++AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi ++HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u ++K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6 ++bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6 
++VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i ++jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg ++V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC ++qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl + dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg + SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p + dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E + BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL + S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG +-A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i +-Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b +-JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn +-7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz +-u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ +-fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq +-AC5jSAM= ++A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE ++hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR ++rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga ++JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK ++ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6 ++aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD ++GjaSlyc= + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh +index 0f07709b0..f77ac5813 100755 +--- a/src/tests/dejagnu/pkinit-certs/make-certs.sh ++++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh +@@ -164,5 +164,14 @@ SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \ + openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \ + -out user-upn3.p12 -passout pass: + ++# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions. 
++SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ ++ -key privkey.pem -out generic.csr ++SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \ ++ -CAkey privkey.pem -out generic.pem -in generic.csr ++openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \ ++ -passout pass: ++ + # Clean up. + rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr ++rm -f generic.csr +diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem +index 837fd0b01..ee35e5cdc 100644 +--- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem ++++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem +@@ -1,30 +1,30 @@ + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED +-DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D ++DEK-Info: DES-EDE3-CBC,7DF54DB740F92845 + +-S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b +-/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA +-fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa +-v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V +-eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp +-nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv +-m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk +-MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/ +-WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C +-SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0 +-Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr +-LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw +-yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN +-6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz +-3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE +-qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK 
+-k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8 +-4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt +-Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo +-1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu +-rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te +-NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP +-vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk +-vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN +-p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA== ++3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j ++LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu ++hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu ++d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El ++N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T ++d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg ++q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ ++2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB ++rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee ++RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1 ++fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg ++B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG ++nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ ++zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa ++z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB ++RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw ++KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj ++swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN ++9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw ++U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+ 
++y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF +++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7 ++XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab ++f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A ++OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj + -----END RSA PRIVATE KEY----- +diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem +index 7e9beb09a..548e5a8d5 100644 +--- a/src/tests/dejagnu/pkinit-certs/privkey.pem ++++ b/src/tests/dejagnu/pkinit-certs/privkey.pem +@@ -1,27 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE +-Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW +-1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV +-+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn +-FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv +-O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw +-EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8 +-Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr +-pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG +-hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY +-opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl +-bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx +-Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af +-RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu +-okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV +-n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D +-27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj +-1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL +-gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ +-hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp 
+-/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q +-ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw +-KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ +-S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I +-MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb ++MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC ++iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp ++guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj ++STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88 ++hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo ++AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX ++FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj ++a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo ++rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b ++vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I ++xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT ++NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ ++71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W ++64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN ++K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv ++SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx ++Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD ++vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l ++GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX ++0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI ++CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl ++OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4 ++t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl ++aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer ++6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg== + 
-----END RSA PRIVATE KEY----- +diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 +index 049602939def4be1fa9164649b39a801f417e74e..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644 +GIT binary patch +delta 2706 +zcmV;D3T^e37L^u|U4IAu_0R=Q$07m(2mpYB1u!tho?ixcuO0j=`>lGTs)`UgGm<_) +z<FRqmWn%pS)IcQqE4xmjt^GWpkjN3ilU?#<{lsF^SOD<gXN+Nnn&oDodfIZcOm95& +zxqOL=2<PpBiz1xlP2w^J?hU#tjG(#fYuRK)$hH|CSktq&rGM>pKPe)yNdVeYJWc`4 +zF|P^R?oh5stR*_(MT+TZR4{&W9qoqi)f&pBxOiQbYZZ1lmQ#Pc4q?TD!0ns{qlu}U +zz(Odv2K+dfougnpE_VouJ0!M7bt6;%w@&*9{%SfiDrvUdRZW6CSckeD^E--2MzmZD +zliS3w_y8kT@PFwptW_3@*xAKJ7u%{U_HfDf9jg*K{X<$ZK~Z=^`bq{K)M1SMGVQ^? +zv#j3vs0HG{<v$_fwY45d{sUgr3KaH!i5o@ZAMdT*w&mxF{Bd#6rGd;cFHuuC4QyuU +zWtK?T7HAci4IWSwBKqRZwD3!ugQY3y5-k`)`IBm*@PD&ZGo`zmy-UI%qVb9igw;ag +zu4B_@oyd4J7|V#YG43Y+vphe4A#je-(nTPkFo#R}taq_<^zK?vpm!XU`1Zp+!#lbp +zG%{BWDc<5rMW=rcNP_6N7a%mAel7zGbB`-%;P^1!*=KlsIsd0X<pM*pwtHLDlro<b +ze=s6MIDeG9)y*e15CDpUpMUn0Y)uJtr$>g~oN&R6F<awHk=!m#yDWlWY*|xM^~y!w +zP?NA5+*91PhZbIr?zRQ>PVPVchC^z{P@wq`t};KFoH0iPJC$e?G@1S`jv>DCV8RB0 +zmIsXlD|}<<BT(;Y4o7mvNXIChmBSuu`mA;5dVfJn@D&$8mxu!CY&vd%Yc63nwX|?Z +zW~9`V$iKUJy5eAfF0@Ib<d1V=>)cCDUm$lZ#mt_Z{Bv{YU=x+<ZS-0J{J!ZZQ(GK7 +z|1OjcR@xi#na~>YDXTvPmRZqmcS<j*C!aHkp8o-gk;)F1tJd};GD$jhMd$jX4!5ul +z`F}C|j}0uLhv2;q=pmiBZlALqVXC8E#FvvJCOpB<bNI@9?`RbDw%hQ0)QL&Arg;v) +zW%kK_{9q)7B|wZw*cGeYcY~GoEHFO>#sZMLcxp_X>UsXy*q9%5!2Sahq`0+O!z?}T +zi$jc*@c*4b82s)hz9gxO-sN=XmM&gwlz*+BOwds}(8bcfnOwG9>c4M41I>BdyIE6( +zXbn>T;bsx#*{293>WqA>Y^T8DHfefzJaoF~ZIQJHExS&`Tva3s7=r%MBNe?|IHadr +z<bYYwdzS90PBZb$HW->3;)tG~fkk%kK$~?KlYIw23fnj%9teHJ@ZW*2W?&0_g?~!F +zv4KH{ocV+%s=kSCbfuiTU@S3?HSk;9`=V>fXAVPQ5yJ-A3VGtMn$hyJjBL>)Xat*f +zk>LDwCgwH<7MZbk%enw@_RMCIr@ki6QHeb<ZSI2Tg_@M_F#R~{fk%G*ru^hD)YFXn +zog`24=6ZBt|My*tX%=$=_ORincz=V>;WK_J`RwaC8Mfd`O!Ox)RKq~fUu_iU>d?3o +z{a5i;hDvlYB>6O@o?_&bd+Lyi(>Q~@du=M6Hgdv6`ogLgF)<s{P=?1wq^3R3oyfZO +zbU&yzwLS?ml6xI2>jrfhJv2PHS&O?EAOq?#SMnKNcb&pBwlq5g^OegV?n;MEw^ee; 
+zNAm2zd3N1vCWnEDkE2q@f3WB!pgs=2pUxlBhb1$h(bH{Eh$P!rF3CGZuuACYydD<L +zW-1_YK;I*vlg7MZ@YgjGlbr=de@mz0j%31q%>n`l00e>r$h%Gmj<@&l(&Xw}Eidkz +zz@_D66&yL_Rt&B;1I)=kuf6ANgrS(5a+rcm&O0Um(1W@-qtpcTe1y@SR`1y2+!Bjk +zQw=o(lgh9Kq4o>zszLR*B2s9LY?-=8`IIV7);U#dMhstBw7oiDXdQhCe+i9pk0cnV +zMlgF0u95BdPI`jmlfO~!!}altl{kMJXBOyAE&JL=v<&Va3rMzRzEl_6c~VY?np>Zo +zc?iAu&Mt}Dt}KDnI_!(wF&W;btDeR~!+4GFOI$qsL2rSj&Nf1Z`%l4{qYJ4Qo$_}# +zJwxm6gK(!^XH`H3GDvYMf6ZXiHexfG^(D-Fhn88u;X368WggB2*>Np*Ni+Go9sUe9 +z{=o5{uwK>`NVcYMf4tOHNIsnqr!Hx^gA~eWZks4J^1j{2p{HG?g<?E~o6sHc!S~?s +zB+QE!wBL$pgL~a2`Gd}kZ`%uT`8xyOlaRtci4z_LBw0;Cy7Ixqf2yGApSm9WGwVIJ +zi?Uc7g_YO=6jlc7e*H748fFE(QJ*Y5Urg^XW-BvgmVe`wf%ezDyc~gX^?HDT6-}`6 +zU~C(o@sYuqEBql@`e*W4>@>qFF8lS7+k^J`&{T!%j#_zl8OmX0^a|L_Hb^Bf&;C%^ +zDRf4UJIncVpMKi6e_p<H-YD`KcD>tRh8&L~a0c+OZyUh4xk_H*ZiVT9oPj~^=?cH{ +zvVq3YVa|#w$>d?3-K=B$mSiz|5L=0aU%z0r5=NXvy%;*bv}`8zSe%or`$-|90;plD +zBMc35ZSO>Cs2V+WJaJ0#L+Y2{w9jWYmI~V$Xh0U}91I|Pf1})&1-$>cf4IK3av<t$ +zEFr$Z|IWHRHIHp=dKp<UZ=^0juJ@1V=q?z7cscNH6)ebp!&3X?FSvs`0>bmhiO_QH +zUzb|*rY0bBQH(2Dz0^m5V`6s!4}lu+2Z4sL!Z;_w`zlgnxe2p>);eKXeRgPbE8hM) +zh`oOs<_8p$e;6ws?`vcLw-*IKpOB*Ser86?AiRqkbxtkcVjVI7;D@#G#Zz{htm%|t +z{IL@z9azcPs?vP_JN_heR0Dg%Z|rV#jIu&Cz<+D|zX&(+Uz{)Hp2UasosM?7e~B}} +z@Uc>9Lbj7eqH5pI{>XB6W3)`4gbWgDP6bb^t$0U;e~hQjWsuc=W%5osyn#COy+0Wn +zfXyb`UV#nIfFOyKcTxpXT4y|ytF%_1G!x9h^LdFL>`qCd-xJuFe=Cka?oHZzMvv?F +z4Tv$#KpEY*>=SF~eJrHN-&}^_T`nbeQ#*zvBRah$g$#AJtiay_Dr(%Vf`f5yT3Wx4 +zPw9EGe{U+zCREP#EnqfSUY`b6m<cNYbVnYiGk^ZgQ|{(}5{>lSFbnd$rpIUC2?Bx* +z&*ahaHlnLZq_)8PFZU&7S##TPwtTI){S}rL@XarlH4%tMe*>vZ$pfl61)r>6REt#6 +zA1Tmhn;*&xXn8IimR;1v;fwKcbLt}hCu@0Ke_$`LZOuZ5IpYkzdoDeo7LH_jdX(6n +zI8<+LlcXr9=#AM@2Sx-NbWd|hrC&4HEsn(_cD0F-dOu17hU<54gBG6YK=4`U_l4`A +zqM(8cTN||R5H++bkzne?q5MIh^^GwlFe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 +zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00b00NU*E?J0(4Y+o=|f0;Fia+%K{O2)&NJ +M-JAb8(*gnr07yzcC;$Ke + +delta 2706 +zcmV;D3T^e37L^u|U4QCIImcZ#q51*>2mpYB1u)u~5}22I=HT-d(%(f9DXV18Kbvj` 
+z^Vtj&rJIy-KS(<%B=99oy)c{aYIfUfQ83DHHOZ|j5N)Uw`u|wFUxcIoSdpz_?)9%H +z4jelm#2iJczX|~|@JmP%-E7N|LSD%0aE|sR%YoM&yhB@K41Yz9lq-Pj*c;G_qu!n* +ztG256pZmHRbI1aKr&uCUv>WoW;LeiC%96yY!X+o@FzzAxrOHu)3g?VLl=`oYO=8u* +zFUXhf-E-pg$i=j~J5AnH&n@YvQR-2plWV!|u18vsOGavYQq$5K0c{Y)cD=>F@sB1~ +z#Ce~xs1%rGd4G(-!z|O%#O_xY2j{voND30(DGP7NkMXu3u$QVLc=<PneBErXD5iSP +z1|6E7Bv#I<og{^~mx=0aIaxKcopAy^OZwSjpjcq>J6%CHpuQKR%i~VGy#97gZKGgC +zQ)7)_hvF$URord*Z(4C$&;M+0oSafecrT1A>TOAXhJPO!S1Yy!|0t8mhQxU9F8H0X +z{bS7WoDJL|;>UbB#Q8kT45pQxG--}vOh}`IjL4HRI%JT7=!MOS_w{ZYQc1Wgh<|oe +z$UCUD%v2lcu!NkaS+WPMqtPJpP30!cLsAAZhJP@(6PFg+r~_<<Zrr;P9lEz#(%Z;m +zfv8p~D1VP2gMU#hP$>zPu>L)gER|-RptQ7t2T%-w$coS%U?y2ty)u$&%U58*x^dW7 +z`SK*%R6K^ppp&Wo_dd9jlUx<%Ga!U2uD9oPe){W-$sAC0PPA!QYj{>3|COVWx@pS^ +zdR%$)XWB=Qo{$wdCUX>$?lfD!Jxy3?UC2xmiGLhV`RaM#xn>#Hl~j;aRu7ujxtJdV +z5)OCd6$2Sv{U)1)H|`*tznwIA_Lu0xM(g7cYqXUD@0)zWD;@cM$iz>33hI&n$WKkI +z?VwZyL273la`IMNy;tYMRF(sMS(#LpN^yUMz<cm8)DJ#CU2=Ovvq80$W(1vTor%q$ +z=YM382?dMOVa9W2rx|t~XVS6#!zj1xPiZvjC=_qRIP5YSkS;dG|Dk7HU&p}?yDVSM +z`R1Wx-UX(PTmU0?Pk@qG7m>!Pw$N2vcnTC~i=mtZwXPXpou2Y*IPGGimihPbppn_& +zRXBY89ppNtTpqy$L5I&2jYQ23<2e0@(|?7`1y<Vp?bfDKgbA)4H>3bhH4C9A`JcTJ +zs*Mq{z>yu<Bqo>s8k4sR)=<1ex`9V?dYzv<wi?S|Yy$M~Wu8M{08LMR;2IR8^$Q$4 +zydz}Go@1Gkk2t4FKhBK{;oy-Q&lX{Zg04kgsMt;;CMI>H0P5C26D4493!(r1*M9|H +zKGdn}<Tf+n#Eg+khGTN%ac_3+cLthh9o{CEDk`9h*DId$kof@yIf2;x_*pQ5S6n7g +zlZFWx3AW0N;eW%x3z+E`pjETVWP9=tixcM6e^Bc!be?m`1Iu|KU%15>RlVi8Q0R29 +z1>lc3?jlMQ$F%QZs$yVaL}+TuF@LQ*|2oQf6gad;5|UIfZNwdOVy>MTwDGXK0pZYq +z^=+s6V0xCsmO-;{zxI2J?FM61!lojJcLxx`>wst*?}YyyRfPPHWL&x?0k-<<U1sv> +z*`9-8I`q-`7+Q?mYB$<2tLTxDr(QAj_V@HuB~m*PuA2~|AbRG>SaP0yE=us-t=HQY +zg~<|Cdt7j{a<D4aed{z$kCGud&s0Ag<x2wqd+jCl4*!B<oR6tMKo-wxjFc4Riwwkn +zyCwjj$)TSVL>8>OwxZuklbr=dfAs{AYygi_jsgM*00e>r$Ow~3k+rOeO>(s`grF?$ +zJG{bdqli57x@xMkpB<fy<Lo6cgh70L^STB_45P*Bn*Uq4Ha2~?hW?grDTiTyXon5m +z#K@XG&SjkQe5~|QJKu<skpZ4f`=^s;Trzq{o_7h;uJJvQBYF&UBTD1Ee*v&aj#+mt +zU${;-Cn53#vrQ+>3?9W>*jR4I((MPl$BvNhVhbw?_vgtkh{C4|j=)L!maakLdv;I? 
+zQAlp`ykIYDUK>4ac3hrzJuJgy{liWNPtKgm<L<)09Hty=HS9Q_F0`w8#txj=jh-ly +zra3p!xaGrtDfLxEySUiYf2#|TSjfBA^+g%9Z|7TMK}SV+du9lVmPc7)<Di-N%VlWO +zz3`)}m~zRj#a8xX23>w!Von2J<Sd2XS!mT)SfJVanq=#{TOt`4gYq)4>@L_?kwdzL +z*LC)1U0nZwV%P}Nl}uhfIo5hPM76mjv_P&mM&vHgsjqj|mewKje*}5b!(zjO+??#p +z^+fSxFa#sKMfh^V7pW(Q%@sfS$_a6jt%35LjT(p^IHot23x3e7QBt|q8Bx!}hMy)p +zjHIkywUCO1=vwR+a-j{-_L(+dG~7>h(22dhbKe&sw5W6hB_<hi<z63{^)|?nUX5;F +zCF^yMiAwXB^Uhhce;$`Aw|NJa1X>qBi~5%<dWS!%uj;AjRZV8jIy_*D)Y4Mjm*9n) +zotNkeZRN06)VQiJEK2Bbw9a*c!sVJ)edN}W(<8T;$<Ozxsafe-Tq0O&dT%66!3%wN +zM>rNy$JlVt9!<+)%x(%&o+O+@b0ergOVP5w6uAeaVE|mzfALIEdE(~%cE<pWNaBWa +z9BnWB1y((d({Pf9#6oq=2bTk<08butC+-0JC+PzSPgzCg3BhuzQvF`qFSTk;vHC6E +zUEk+xB+0d10>j*Nx1l?I)xNe5I~CB-XG7RdT=};;vL@W}qgN1X%CMMTb@z`j(^Hxg +z2+k}O+$v2Ie|Z5<UHNtJx<c;*;WQ}Qr`3^+V9N`?D1xWpr^Y~<r<a3A6E`%`iQNya +zV0!iz{z8I6m#3SF4BNh9=AnBYI7=0ht+{Wwp+Yr}ePB^T_i>?WpteEE^-jk3x*2kq +z{l#-|^i)J+)WGL>*FSJ+u}4ad5!Ni<Xq^EsWS5!qe*;!SD08O>RTj*bBOEz4N1ylP +z>^0wkW58HZsCHK&O*4YkvSMBQ2tO%OVIE`(y0uWHS!>4~{B#t&21e9&djORBw&Q`g +z2)Kc2)NTqH_|x#q1O6HWS5W|}5BOBUZ%Vo9Qw5NOKV&)yHS`wX<ZyU+nb{^7us0f( +zYJWJ8e@p0!{FL5ozk+<7*aJwo4aUCxiwU|)jVc0O!}g+b?Vin9Y$X){1#-TO^~QG} +zqQ@F+YJTLY+kC-~5fBJ+0JUz@M_P5JGWV@hPB#GZ5-jFX@L2863Nn@opQf6>9$DV8 +zZ6V?M9adFv7f3LmPCzozft%9ptIIDEtwklxf0b0u(0L&L4qp#ge@p=B*bmxjw(;PV +z;Cshn-XXPKyoA+FG;h}OQpsj+-)bhjhBs`0k|`c7DQ>1~Bt@|RjJJtP6KC(6#0L4m +zt*tS%Rdoj>M3SepE)k;MCOV%w_xv#>Fe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$ +zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b0Mw6Ml6`rPp>w1kFoo;UO4PXV|D2xTCM +Meh!`itO5cE0QPz^F#rGn + +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12 +index 7a184f651e50d1443e5fe907b5a11455d69bc0d1..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 100644 +GIT binary patch +delta 2698 +zcmV;53U&337L68=U4J7*Cd0h`aFqfA2mpYB1t^AZ29wx*eOgc}d`r>Q7K3iXfn7bI +z-h75b<#ho7#K*k@hvV0DY72<m7<CrkoDySrRb|_gU#{1l>cD-+GQbBx+_M+%n71zn +z#X29cB(NtFLejt8_}`1}u<)0Fa|N#PFrop1;9l4e3fW%n<bT90_cK%bgt1P9Hhsx` 
+zM^##Ak426pZRux=z(6>Am0812NzC2PWtG5Q-Le3SkbJQ8%$`CRQF5lvDMt^VA%Nf7 +z%gqA3e;};~*2a*2L2#V&7p#=9h0m8OkwZeltqP35E+5dzCHJJcdi2I@dxk4_kjEOT +zj0U8U0++mnH-9@Zh;5`5me2`GT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ih +zN<?fbl(V<zS^%h@BtBkhc3fh}AOQSATlDJ_tX)Q^v-mNr>^~x-hZKe}PsA-74%;xY +z%1B^HDt0=soP3^{EKJ)&_b-pfV8cwL_(1dml;Sji;(r9YP~QfvMIR=;$|FM4HE^b6 +zOll6EI_7z*5>D_vgiic>K%ddTL?+VkF!(XYy-glao-W+_2?bN*!b-%g<xEJ<fNF_H +zO+|QOI+nb%dDM;5^9atuOcBV!FGg>+(*LW1WU#<n%`jfOTx*nckodZ(;n0s5CP<`2 +zqZ95dX@6b??`GBID5A*hm06y8>4Df_kOw0G_-qaOq{v+SRpmK1m*tb3kPzLIGjVa^ +z2hUFOzaEpi%o&g2^lIMNwb&tG?#XFJz%l4U56fY<Ke<G*%C{41HO=~>`oz^klt?AK +zuXwGHf}vN7zq;z1mdw(fafua(ZnorQ`;=s@1b^+)-r`oP1|(c=7dWrTM*Y3X!S+-s +z6yvzsNy6{reSb#uzqXA*j?J{*SW(elo9x=4Tgvmk7340ZG;`lvBR3tL)<pYW%va@z +zkyRam5#4!yrgvAQTdV!Cv)`v9jNxm6cnrRnCOYS1`lNtbeMvwdY`$T%z2c2?KUYtH +zuz%y7Pl4UE=`AdyO-Bk(i@@FZ$jbcl4D`#{qivoo@^VWi^8*wNhWHBcM9aZ^hO!59 +zZ!na}k}61}C|dqCeZzOBk4C*LcK$Meqy0}?H22^^RdJ=i>)izIU+caHn$AdqnrQly +ze+yjHVauRy-|J4u6<7{TTLNDLr4%Jx7=JHGUoO1>1Jcfv{I7f>&cx$XLd+C6{T;$@ +z!JSbO;_3Sm(&oAtwAZTwA;<mi#zlL0dc8tNX$Jf+i?!St*hWr@1F>V25RbO9psZt* +zln}2yx+-<d?bPAfj--=;${{Kb@G`=-!S6}r7<)MjYa<;579RL^yjjX^${dY$6MrYr +zzlVM!*xX>4*YnuuI!9EkI82olCom|r^m3LOkVwF_AlZNQc;2PpCjjVZX)YexUPnw2 +z_$_(XXS$6%xZjS1<a2EF+>3_#*rgWL;?J<7vhZ&suuk^}1zTKrxKS~8Q14u?oGg}H +zlv+EHsJHLYhdzk>*1*x?GypZ%k$)pPwmu21v!s;VGk^k+YzPtgAL>R8DmBl>#+JNk +z9u*4ll2JG9`v}C4*CP{?T!#_a+ScwglwY1hLX}2-)3S}nNh}9HZ+}fv%zwfwr^~k! 
+z=rp+UoO0)meUalXvhV<156HPdXB0C2j3K;I>+=s(Buy-477<Fc{D0(9AwpuM`R9VR +z9PsG*j%Ivf^Frz#{2>MAi_(gcw~VJ;|J3AUk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0 +zTK$e}^K!@?la&QVe>VvCGU(Vo?g9b`00e>r$fO@bT)QV0_0<G^sZHmf3XvyfIRJab +z-ya4C4tq}JH{5aDiZ3>B1+RtRaRQU!+^G+F8ByUATuiqPku)}3=nLROGQxsSbkkY- +zasCODE@NO&{NkW~>X(G9%rXzSV@mm{^~LPTEK*0Wm{&=#e~+kA6Ku&p0j~W>F>f{_ +zePAde#=SNS#X0&z^HzqJYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8<?>XaNZw=|8qY +zljvN6gHeh`L<o8Y#K9sZF8`^13QskAk{EVWasuIliOF;Rt+{0Zt-~QW63s&JBO}#~ +zNvCYLXQM^*e~3p4N!}m0BWmT6;WjhA5*!&#*e7Gu&6XY=wvhDu(y%oVJ1s-PGX4ij +zXqr9zPp0<r?vuSR4TC4!uez)NW@`~s;F;ul=-M;eIElopsfJ}!`uQ>6q!)aIAW3M| +zku8zI<tH1aMM4vr_wv;<iz11{WcdW0o!2OJ-2+~ee*|4US~rc7Et<j{4+Y|KQD2F^ +z)s#-KF0s5@Oo}QU{5nBSMSmDA+p9p!yaBC-Oni&ehVY8&eYvnxxOmI<jY++!4od;c +zp3^d(-mSd9c-p-7P%5T;CFi2D5LnP0he&HzK2363zfQqt{#6>LVI$GTwtMdU?^96# +zg~=M+e>pl9)d2Z?X8#?o-z0==7jEP#m#A>bdA2062BlD8Lkw*A-P*PsR8T~|$qx;D +zg^_hvYQOo650pOQ9dBiuA#&WAk;<iQ=<ZsJY+tq8e+huVYS68}J0xYun`heXlCUm! +z%~fC?3MQi7{30qvjj89wxizI@w&NypE|_9)f6J->Ae&G*Kp;Mz#)6aM7P|YSDn6RK +z2FMmd^WV`rg9qo0*gPnx{M#w}w_jIXLt?Htq?997K%)maV%KC#Lbt!#l8-tKoQ$GB +zXi<lvE$Shpilmp#>H8|epkkQXRPYNxML#!2<!VRX2W<(5#5fRI2@pU+*QzOi49;)e +zf13&wDfc#|IiXNA?LuIP__A%wm@Zei=zp9W1Se0xrqGS%w;uT!na7^ABSo$q+jZ?= +zkswUneFd9q?_0r;>-7pL2YG28Kjpo|2b}kK?f)J1gPw({=3$W^com8c3Ye7dJ}RHz +z*vvJzwpsR6M44c_{jk~~Myb{^rc(sqe>x=O*QBRH4UGQB?z&_Bm@zH!#+>l)4pTGr +z&x}!IZ*t34iEdy8K1?hC686S+fvw2MM4b6|ovWo{VfySc*qk^hH|y;Ox->fB-fZW3 +z9P`l12ah8*RP<o{BW{s6Md!Ac8^2X*$0PHI3@`Q7+0!@Lu~mAMJxpi_YUFJ@f9J@3 +z#YV)cj%xne*F9=@-d;%rPLF}n`r}ShJe1f@1;2a0c$$41BVCZigvD1y<>-+LVYybf +z<$s@pM^MUhoQy-XmtfWe_GYFerm2qLg%H>?7HBLGv~=PBmQW8Ay#|QIkK#;jO;$81 +z;E<E=M^Gh-%%k7ms;lw4%QWZsfBvWa-S5l}Xst4(OaZ9=8{q4Rbz&hg7>c&>RSgW` +zXj?}J-UUPY8f7(HIC6UZ<GEgySt{jX(*D7pNm^+n7dc_aqbuKBoY22Ju~+3)gC!R3 +zvHL%*8`1)2{VwDdmeMgLFe3&DDuzgg_YDCF6)_eB6wYL{lSXe?0vR^VJTME7{?XMl +zFG(;lFd;Ar1_dh)0|FWa00b0v-Aj7Fz7H02I9qPM%e~Mkh#kxX2$T05m<n)RnF0a` +E0Gb6l-2eap + +delta 2698 +zcmV;53U&337L68=U4JX$u%YIJP8R|K2mpYB1t=Pbil%X<Mkmo}$31(V-T8%g@`1Yg 
+zyS#V2y$w(dF1u?n5MxMnkHAA#Yi4Ip(_Ly3`#cW|>GfOfO72c@ABwq8tiZ0?s3(7$ +zxM}RzJuAa0`@+dpgSHC=ye;ze6=fI5jLQm5(4O@ywKR%B(SKp;94zpF34Epw$elea +z9!~P+<xt!c=@hl@UE^-3pOZVIzB;kID~R5OI3Nfc6zVwOPO=O$_s<)Znw-6`&kX(p +z`%Jk~Y$k%11Gx37zK{thwwsZr>oiqK>Q_>yAd4Fbui&Gbz+?SuIr3+{gn2}D)4zKA +zw6q+|xyzFg{C~CJ<M--o&FZ5lwtwQXK{+>Xs@2^$asn4KAS;Hr!s53%;M>!4_lI!j +zE@siDP@6({Y?SkW5h+LdIH$!`_-XqxelFC+82Tg$<j0o^9h13)Y784=ZqHptd!}0} +zPzj01BTTUZ;@BJLa?c^27)lC(taoyo<V5wa69e1p;D6s=z^ogO1@>EY9PMt$UIeu5 +zj=iT7iUSA-e*52|0Dc!;kR<d1_~h=({X;9^L;cg%2R67LYPYhJa)c+M6F<6r&oSE$ +zK|Ni#jy(nHlZDA2x<D&>C(OF6vpH^HL(#b3W<tl;nps6YYu#s<BZ=oKcY|_|h(F?! +zU-Ux$=YN(JjE1T=TE~cRM_Med9N`gz&YFytCYAxO`}T!are#ftj)zT^@t^SspSuh^ +z8{uh?u})u{Gwu*zWiiQ1IPiRjycS3COl#sP@<)7TE)>r8xr5SNtP6{wfsN>aHEory +zZz-!@F_mMHzsyrd5SFu-?*f)-4@0fWC;9#&dw*SQ32o63t5Zm+f1C1bL*s$N7grel +z=O+Y!#o8f?VAUB9+;Hl3)PR91eu?p_GHL`ZzV(YKX%{M`k(!63Bb|Ob1gX^X;@_<m +zb`j%ps&g*AI1`uq693O>0swMf$S~y?O52J5Ow2Ei5EeZ0liT|CpLX3dRe|Y?h-)%* +z1Ahy_Q}w75-Y#V2+pavIB(a*V$3IEPg?T;;_;l~R>6v}Ls7>PH|CSU4@<t`nMjMCl +zMzYc`7mKbe>((!&99d`8mJ4VP6tfU(4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5 +z;~yqZdv|HCk0HHe6ELR7-?n<sIzH32Y=1+x$^6r}NKESJVXvEp_cP;jn&n7f5-nQF +z2(17UEfFK(G&xU?nR9(FgC}<}BXUB*Bf(#_mgjE>0PnLebvx^<h966*Y`cnwTB5J2 +zA1Qq`xQE^`OJC1pqd2ZLg(jajOKlt+=jOB4;YGDC3i={5$kr8||5{h7bNC+k&wuK{ +z@2;f1dQKs0H5dTWX0!fEh%hPAZ%KUxNvx^6FrBX4!fDCz*Ib`j^V(RPJ);etH)2EP +zwnpe|#|O+1dOty&!OLC+twa&wj~2kIbP8%+8YTU{0~aZC=;Q4hKFyIDg!b8YNvmyD +zeg$m5OjO21T@;)G=P{Cr(x0@}1Ap83<(fX4WP4YFr}QAA<({y=D+l3HU3$-ZbepE} +znco^}etn&swt`{-=!nS~oWBxwRe*26-Bk3rdFFGSyzOz#m1$*h`-$e(*znB2Pn^t@ +zH|U}yv}?Xo?#GsLp)Z%4LGOWGh!0b`#O>Hl$-REUwC2Ty#$UDZRB}HY213#mttD}( +zBu{Oz+8I6(k)MzWx<vf=T?jShy_Sc1lFtMVcgiL;CL?u8)sucr!T<VbVf)_^M7BU1 +zMOU0(qI)(3la&QVe{+!lJsuLct^xuG00e>r$ksqyo=hI1ZhXWX&Y5JiN0mzSsk}t- +zJJ%SucVFN6AEIBj6-I!tXQhuHr>X^w6cJM(yq|zYJ;?@eY;==f{|XXanx4vhND^Z_ +zVG0NghDtq_C2zj$Dz8C#|AZkOPjw>3G!iII-&;gSHv%p#e{RGu#nP4#fobQPcfv18 +zgrG+nAHI;bL{ylamN8W@<sUn{)JLO+HQd3kSKq1;PIxm=TEo?fEh)4az?P1F-fc|q 
+z<ksDIon+%vsmL?EC)bFO7YtLbi$60ojZjQZwOvTMyHO2=H=KoXp)D^YnEhOicZHX= +zhO1_r?~A<be`j#1aJG!UWWf4{wZ^bbdLA9|q@o<s;)Uv`@oT~k59I%F;vgBKpsQB7 +zXoLnO?`7Jh$RMG)YhFjlS%-VjOl3;9>lZ^DQ<CZa0;lJu4HOXyxh!ZT_98v+b<f(@ +z+bip=NIvILsH5E9t(-~iy%%Bzh!QF2*UAuZLA=|uf7prj`LWlcfDU_Z*#sW0)>(sR +zT%P@xq9c;o5?<kml8S??-*v89Cl3LkT){>_9TBIsOs|hcX>KKPL9C6IfhyjT9og;C +zTTYklra)`+#hT@j5b!vTCMRNv-&CN403}aafd@V%?CBOpZa@yL63{b_VYz#)84%BP +zfYP3we-mmC228v;c=3=b_ySr8pLt+9&oCknyR!6tdU*&t03h4#MVDePO!=PdJKgTE +zaHJvVh#iv(yLboW+T3TYbSszMmU_pnlTuRonrN;Bt0)GPvhsgs*~x?(<ED;GT$Pt3 +zW>edh&W?F?mzlkD$J3Hfwl`moP6Hg%s+6VJf4+~1Rx+6eBhwZUl;!=3s8jgC!;aQf +zD9Z@?L2PX$Ghgizq~7d-QhTd>iMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh% +zg!EqIPY9B0ewTqT;<AAM9}0U^5{V*H)w|J{-}bNJ(i;XK-5uP*z?b9(F?b~TP0%D2 +zfA1?#kvQS3?0*2J)@Th)QW&Yx5byCB4Ph@e+c{e>i1r~)!+l+G9oP%4++@@;Yo|$z +zMwTf3)yGj9S(sW_1-Kzi6+3#SgOCRWU*>*BPfO6cBnql?REk}m2!l~16V`K&3x=#~ +z05!gcR0QYhTv!?>tIt7C*)hIDp`l^Ge?{+>tH@RY7FrUffN~A>;tlE(3sD|7LUANB +zis>fX5un78BnY6sbwqF=OpLF_K}&sQ>&x9L3ga$y?=2hF63nby&K<Pt+fIvqdPv2S +znt*Al7R-?>n+_8fYj=Q%qs9^LzWtFszxdqjsR&mys<{B|EGHk9GANU8t_m0Fe?x$v +zpy|a!(Wp`ffAoA3^XaeEa(HpQ9c1?JtW^k>aa()*8q(TFBZbOowXt_)DRU3xiT^R= +z=F~RNdSDu1@)T$jO}aMmZ0Z-E9f!w814*M^g*;BUCL)C0s^{0*#IGyLz;78!^?dxg +zVlRVeg08jZ18}h9;65v{AH^?-f8aiTOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteM +zhqd!L(uO>k74-EEJMTAE*X9x#e!==1fh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W` +zOuQS?@DtZzW1f~nnyoP<Fe3&DDuzgg_YDCF6)_eB6wdDm#+m(k+gMMPJf_wWQ<kOR +z3=uFfFd;Ar1_dh)0|FWa00b0fzua<1!5W;Tx7DuQ&kThms@@d@2!~t}_X6767y<$a +E017TA_W%F@ + +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem +index 6ce095692..21960ea6e 100644 +--- a/src/tests/dejagnu/pkinit-certs/user-upn.pem ++++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem +@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + 
dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd +-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R +-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA +-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 +-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN +-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA +-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM +-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz ++CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri ++oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu ++7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 +++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD ++OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv ++Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S ++4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm ++wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz + ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM + IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu + aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P + BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM + EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B +-AQsFAAOCAQEADpj2VeHFvGVzb2o+qUL00+1RfpNsGRxrkXpolkjGn8LNIHoMfxAR +-utnL41Jd1wQQ0FpbgR1fIXgCDfdMNWWIE0SPO6WVHVUVaDb2kjgYZ2bvR3FvTIaQ +-thj3jyG5Qn/hJZ2WZdJ1kavUQzCcGKxcIQHObcX0x2wXWPKlO1S8XDS8olsi9KPj 
+-y1nWUvLgxhtp4vwRuVwKtgFusgaTJOOaJ+yKS8SHr1v89GRPmff/tQzMgf/nqRNP +-lmQ5uHLeo35DvS5akdw0Izi0m5zwMvOAGBY8lyHgpx8jshourr078Swy/SNdaMGd +-fwDCc7tFD2dw3jRC1O5jWBxOuDTmUL0cVw== ++AQsFAAOCAQEAceeR7lFXkEEjcMGK/mvNOT5zXcq27ipYuV5HBgGGNLqiawc7NTxF ++ocyZf9HujNOMvBNblTml2GJQ9wmyQesVTGgJFTGORS2sFizICq19jISxrv44cdeF ++X/KQxNmnviClkL9jfA/6oKU0uSpvUAUet3MmDuo8O7ebVXVEmQdvLrhP9ycHGq8u ++qG+5qjN4dpf/ejtCCMGGZdUdPxPosoXJzf17hpyt8/YQohKG2igLSy1O68tuHTXb ++L4yiB52JQdnJfOU1a+vUSk425zMI00MU1aLcDxcjI64kxYBpWflDqn9Ky0N6vA1i ++OoBZgRFeQSELxUp7SUsK4xO2gPM2w0zzvQ== + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12 +index 6691b8c72aa60d647c4993d3972a7bc39865901f..8f4c6b2d05d14b7d5fd4f161fe8c34d065c2e5e6 100644 +GIT binary patch +delta 2682 +zcmV-=3WfFk75x>EU4QEdRHRCfek}q52mpYB1sD{K_#Ii+3SG3sHqthXJUvY<=YDAc +z9#;0PWo-O>j);dWavz`vlnJdRTmaQEo(0cc+s7lXMT_ckx;wyC2|pOcNMhk2NQEoc +z(*6LSNK&b;J(R<Vu(TYjSE6e%?H}Pi?bKRoc#1J&fWQQ2N`FnZL}q@Rr)%Kqlqc35 +zt%d-0S8uDcF*ELxxHS)5_w}Gv&2fQq^Vh}$vsghL2ova~D2{otn#y$}+~M$K*|J<A +zTyHUST_o$xD9K6s^rh1e>KHcLgS$UbyOpsCkh&(Z&4JM6@2PAel3A~|!xb3Th5gvs +z+2ZyxIT3B%aetn&kjA>&caGx0pjK-&f8Q_X>G1awp^&srIY7Je-gw)mNU&6nAKeV@ +zDUyEhZo?kDw^KqVPWeWk-%0aRE+Wjuc3X9h@7jFk@Bt8^KtvL9oxdA)#3I|;*|BOo +z->lHL_8Whhtz?3eZXiK#wkl>sh(V2h>Rg}a(k;J|xPRt2O2Tj<96swuA_=jT#@8zR +zTsY*e-_N+_<&h_dPb%s`G69d~tdf<}E{REDc=M2s^y7fW{0hfw^3IhGV>@v#&Kq3} +zhwf5UAn^i(2RW!~epxan!iiQi1q9E*i^;IyPET${O0wgRN(&2aaM8OE5y7A05(S7? 
+zsYqm-b$@CJke2fvwgCDwtGEZSH5p4N)(<4?9_pX)FmKp#;CJk)fx47Q!Ji=>(`gLt +zB9<MdC#C)6a%y`}PyE@H#kE8AT2X8sw@=4oPHf;%#<~I?^K{Vt1IE~Flm9!pOkl_f +z$S~3JKS=4$f_+YmL$FBPG}nT}@8HyOvUMwCh<^viQmr==_wHldeUX_54mVbSH3oLw +z(#}i^H=kxTuS#*bOIwc}2av{A;$N8sDHLk+vm}jh{*F6vaPho_4y3G|ufE=hW7_*z +znnZvf7=n|)7@elZs1A0ci2%j=4dgS<zUsez@pP&*`GcW{fk1EJs8$*d*GobT7$~v5 +z%zrwFo+aD6=6hB;)Xxjvab7weca>@RMXeL6z=WsaVZG<xRe*|k*3I+TOb&%O@i3bT +z@M;X_;MD=b@!qQA!nL%Hp)_Y@*NkD|oFx?x?KL_-!XzLiHcM(t&a=5jy&}zQ)f&!h +z%}`U8&yN}?I2E&6;4vc7-M{jTVy&Qc=70Ba+E7gjQh2qZ-e9d!dp)q5mQ*~*O>DZy +zS;DhvL?nw<W5sSeHE{z)FOgE(Vxx{eoAH)z=*WU&{g5_<x3Y<K#UV^L6TR?R_mGou +zN`BK}$%#H$@6=q5!v9|hIb3;;+Qg3?vzvh}LQ0^cn_r!27>M{iQ)K<YM0d#!k$*2$ +z6=P<TXzK~xW|QSrx$qj0V43aV?CXKeRadtaR%t7hq>1<=B|aQg-X&IDSl$A~zKkYo +zhV&KKYp^vG$Xo#98^t%_%B6ouEDxE%5^=ljeyV}hvfW<w?F{HBp#rHav#^e@wYM_~ +zH`|gVj#q4ST^Z*RFxUS)fzMOEWq+dtVFXnwB3{dA23|GaO~Ve`$MjzmuaMQwgLQ~6 +za`rIJhUl5@D3~CBPlOnZC!rW6Q_MQlm9h?uKJ$*9`0jPPcSkSq9?^eM#T@KY=dmwH +zvLXu6AG3D~M)C(;@}RiLkI;Bx*@mLss#-y#9f!4>i+B(755(_<fF|h9(K24?0iu>^ +zyBq^D^D)}0ODnN{tCc;IJ~a0+z_Z4F{>vTLxtG7v-n?O6^jolP-ZweAlZ6FFe`>0B +zfhbF<9s&Xg00e>r$je4%i&omIruPaAML(chuA&9Npn@rycZovGBZ#}MmPoP7HFyS+ +z5YP1fO@E2>32IZ)3U7So39tUWihv|bt@|JD=G>W@vLbuh$`t2r-H%|(HA#7Z7W-_6 +zMx(N<y^1k^QnaZ9d$|Aj*cjo5e+%eSDgcD~^gkC?^p9V44e3ULhB16zAWivSoKg{Q +z<Pwuk4pTmA<*1>U&So_YHnXHr{(L?L$F@_~eG6X?q6S`WCfKOSVZ2DhB(;a-fB!!0 +zx12<g*$t}D4_u$Z-M*XrPP?LTuO-vS(zv%d*WkkEpXnWT0TBuyNtn|hf7I>RrgaWp +zY5qyxizI4x;ougu@A$3NK6q`unhku}7(r*IjuEbk_W?J+^#5)TU`GEu5)6)&$OQdF +z;-goaN}BKgkRb>#!sPGo0~l6y6J_wWv)T|RQ;IHAJzqBid4iXawd)P0rV6^HMLnb$ +z)*C7%K6%-JP9aAHs48ype~zwJly9JZ$}NYKx-Mp9`1s6RNNL#vLto*^@?m;nGW+I= +zWrFX-+Ya8`rQ6nHMD*!7*jvVb6y)NbtGwi4TGa~%?hH{~D+F~WCg$qzYa5~Jg_L|t +zRR4#x%vZ6tegWzpK5qbxOZlsQw9ed@cuy1?5hFwQI5x`5k*FI1f3=Bo6N?70(6E=! 
+z)=e3F8h{}lF=#L0^Xd)rP>R2*=*YJFpRmnBBqPdF6~Em{>vK>4KYMxGKc(f49lQR* +zpC5e;d4$#Ea4PR55SyjScaGF=qC5ad8W_NCb&1?YgbKORkd^;He$u%fp+PlI)X|mz +zVstj3!6b2+*r!Dke}#limlzF>9>fdN{BmbrZ}WBUCLIQZ!JJo(?`OTRR|!iY(4U7e +z$^v2Fxgs0I5*}XGJhGl7%`WX>-$vfL?F|tI;2f<lND4#7#w`Pf7W3Eo{XRcaT*4ho +zZX6Q;B*qu~x;S>Ai`BD5;7Bd#Vy+Sw;PxmH*ra_J0uID$f8R;tP|Zy-aDWv?@#W%h +zgadvFj)f%M9Vnn?e<pHbV*d_k1(hzMiX`!(S_@ipPL-H`J;`lh>UJrGfhc=2RDa9V +z>FxIlgkKyC(TX_6Co);|LM8Y_i725KU9m*^TC$^0OB)4Q@!qg|><#|?M~Ctb+P+hI +zkbMqX>Z6#Xe>34_&bOc2;_=J{oyk_Ny}nc=NryDiE!$)Q7+PK!i92EIEojc$?P96m +zc?iK(OD1K6|1g4R+r<@Y5|Jg!GwO8#LjQ})>Ni^dMDAw0p*0`d{zeV3zaLZ3oYpEw +zH%D+{4}P!wbSfTH=8xk$*K9Gx2wGly)4dY^K_bE!e@dLK94%Iux!t<z$nC`kP^sKk +zR*QvFUoU*mHaW4Kfy4}!s%tIW!{3X!$I%1JNM0ji{3QjfuoC|IE;C~ys-8J7Cex@y +z0R2&fPTB)@95&FOmNgwr2!gLr$<pRvyI;{@aNMOEPWh(1{>n5oCu>-ve@+_7Qen#! +zCcQI#e_G{j=hkznNe7#RtdAbEF26Pu?E0(v%|h1m<)!3M1d@Njft3yg;C}h;Dso!= +zfAFsv_<1EcnjXbW)|JR|FCL)ej`wM6w&%hWM}7Gk&X#(57o~9AdT@&Zbv}$<O+GOt +zFe3&DDuzgg_YDCF6)_eB6iXt7k}Mhzi{o+DJb5C^jWw?<uO=`tFd;Ar1_dh)0|FWa +o00b0i6#VZZJAs+UglBRp$z_Zurg6mt2uFE!9>YQU*8&0v05$6?i~s-t + +delta 2682 +zcmV-=3WfFk75x>EU4Nojn7^Afzuf`?2mpYB1sEA6cU;`CoS+7>CyWFQ$f+`W0i)xX +z1IMo8fFTH+Sz>3S>Uht|Eny;NP)?BG$3gXhG8NY)?NxVg6aGis7v1YDigSP`x?im@ +z`?Db1bRoQBgcP>Q+5v3SBB~A<eZ=^ElG7eAYvYlr3>yAzr+=xrsL^J*kw{1hZ5%a+ +zHc2Xg8*)=q>SP@L@CC{#w>L^Z+J&6pnI}#Mq2P6X*Nyqox5QLoU(Jpxpoq&?#cuXc +zXJAXQt}I!EzNSb2ejUPkjluI$|4N3SNcUzZvV&GsmZuciaq~<Q(B#T(CVW!El0Iv5 +znw6R|z9aiX>wn*p_S%?j(No_hj!&e-e>lt2Pg<@@fsC`72#frhb+0TlAJiVEMe+^V +zdV&&N)e5!qVh}cr=ge)HA7V6&5DHAbYHMo2Cwb?2_HFi@NgTia_2J9}>VmG;PF11h +zuX{^wYCwv%P3F#g<Sz|KksZ>(FX%|k23^bb3@-HU&VT%}IkJ8+A94z3vJox8pxZTm +zh96kU7&>62DbVf_jg>pF8CWC|H9xpweRbyo-+3m`BB;l^m|n5?F~-UAw2Eo|Upr51 +zfzm`i1<%YQFY4E;7^kKDXL(Z>fhax#kUom*Hj0_R>A-22fRZK89x=g|&JSE{W{2vI +z^w^gDgMa^gOhBw$Ca*O&b-vw=S<ExBo-Ji$T~@&@Dnce}`lVSxO%-brjIBoXO4Byn +z7`RwHhU*l6|KHy+xyy18Sij4dD~`osA6M9U@vny;H>;5yL^$nwu<O9K;|zf>8i^;~ +zmVO3ig006<Uc1F^a9mE?$S8SgQMZ2Jqye8jlz(0e#TV#Ey;BR8wSME94OLAWuWC|% 
+z#m-_R^7);_g{|3P%ONfn8>aRom{J8v_Oh6k7nJM^oOvgO$e?LIcUe@rCtq|s3&RB^ +zp*ri|HnLH%?bY0wu{FJ?nTgs5ZEh;!_`)$2#t+ZJDuWwlGEIQ!^sZWqrL^=L`giqm +z34aFCQ+hfGDFnHl9}q8BCSMbhWO{0LhibaOL`8zaZw)#kDfpVL!WS$Bf|Wp#SGs8z +zuMxe^2$FU%zGSVpNVe46cBmbY6hqiGm#PP&EQ$kq_W{$pm06H0I%gFf)9CYmtx{e` +zCJomci2D?Z;c$t;*d<k`?LA>S$k%-x!+$E95H>*!<g<&F!BT&0D*2yk%8xR0eKYmY +zW{f)DDsJ|(Spl%+Lx|3V4ANHwd7p8xVCsoSC|k5ZG69|H>vWXOLFkcWfP(8vvqEm^ +zD7?NEyE=lGE=5{3&E1qK?Pq*of+X=YNRd~ny(2zVQ$<$apcRzL@uGb_@^{?HAb*II +z$&EQT=ZqVQpB3Q~c_g!iYNSeNLJIbf9LS;cn*N*`225y4pWcO>;8=j3zmG!aoO6zN +zSv~SZC)THX1T9jO_hUY0^=Dn#Xf}@Po+cTbq?@TM`@ji}ttmn2n;Sr4S<{d4l2a2) +zPS}ZZea<H@=!X0&Ce3EXRoxw6rhl*zrl!p4?=A1KGR{*1v><ljGb>)SIItKpy^!VN +z+N<Q&jeDQ>>iElo8@M<j83$l2iOQD(@N_J$wq4FJYc!sT4VcZ8`{1XQJ5Rp9gIWpy +z79pPp!%3inQ&yV%GukeFd@wocLePuHx6(sLp;m7HKZT6XoL<rU`=K(4#xi;^aa<ng +z_LRP#J-(7D^#`uGTN8LcptJ9C2x<(?Z_DhIAZ<M-k3n0Lv}c&Uu5B@clZ6FFf2@dU +zWNWFK3IYNM00e>r$PrK`e)v)F{}y9KcSe}c^<wv12&M_3W3a*BN>NmRCcg8to5T>| +z))WBs=1!|VB#mFx`T^_p+=Pn>y_{Zw#nr0X{?<`094{ph7>-~kbq@olS=kAbC8n;u +zqo--UqoV^)&Jq=A_HU}Cbbqn(f6FcUJe4TRe&a}TeVj?vOMT*nA50LwT!xaLWC~?z +zuR;Q1O*uQ+^<P0=u+mrk2!xT+l~;7N)DFsZ{+$8ee@D?0>mH=6@E2eV!vRW8xN1V^ +z7CvAHrt*6lqf)z5mkVEybFjWWrp|)?J*)@-OENCPO5D86?t`Ru9vD!^e;eouy|I2+ +z)$WnuN?<+4|2P~77T6MX&E~%*V{m1X=w~b<4D1y6!fa8v^q-RT@mT(ydAbR9tx)Mg +za`UP#n<^-&N3T@x%5`|IYt`Dh8FG&3*k>3@<Gt?BpY%sjucPm8QhYcYB<K0nt~0bF +z%&}y6xqZPue~OQQ4Nl>-f8ZRSjJBYOX+8{Vp2tFEQl+0M92wn~XpZ4n$&REI$O|!A +z|C&upTLIlp;Cd-QTpjF8zK+*zVNtRL8TaU#8gXF2dW4AnLSjby@N|0|VUWjIwuzP7 +z2x<J~r_v!Fb$j!5J<Z>QObW)|z43v)#`5QOv~WpJ>Wxk#=te<$e*%Nh%31rZ;eP4F +zCW8>)<?fEC#boBWG$Asj@KCxBxYSsGU&EC2jvIh0Y?$vI1SFy-XEhjP!T3H({~&F< +za+!`An%2DwcW8<aA$R+(0J<;e`?D!6!J!yGp0YM_G-<DHH~<9uMtwh1L*@2!s1HLy +zUx^X562si$5aydae_y%R)&VZuQY*0Dyu`;(t0e!ackfGT6juJGWdIAY4+QpOkP!)w +zVsv{hMdi4cH~JZeT5ra4oA-D+Dt3nsni6!jm&v)k2r4r;LHlH;M!$4C@?p2xDjjW| +zzIVx3?aS0VC6s5lekQtsm85uRA_E3-RjXfF4X8WBc$eQCf2E7MX!k=2v|sShH6zeK +zi1o58FhEN2m%|5prw+2H5Se#<G)zqajtk-jNENhF47<RWh<Bs(_6ohh32^sXnw^tf 
+z!cg+WXJT7T(VTolpa;r4f<jPnN^pt8FzK~$_19HC*4TUr$c=v{HBMRS1XAyeCyZ}@ +zDbJLsHs`$qe@={>15kbf%VdCj6aFwL?c2SQo#n52WiFgQTPjU)KxSQV{S``6ngGtn +z|Lk(B1|^3OZUXEj6IkMTS+tQbc2JMX@jaF0-Y)3F&iIGWY3c-<&L!MH-FQs?2>rCo +zW)YfJ#J06pbph*0FRV?dVRUI9mZe(rkQ(0v9mAEpe?l>lDrmYvy^Rh&^F$bAg9aFx +zb;PX}B%WHxJK8;Gcqh-`?*P;qO4xaQT}m-W<AlGYGteZHW5V<P(0oSvUQZ+nrZ~Yq +z$ku61z3idEOU@0=u4c{hh1Ov+`dp7gd);|Qlh7Aa!vt13(Jv3V&8nu$F3MijZw@_+ +zEQtdDf7ik(+XUiyP?Scnu)^FDhqmbTk4+UJYFubHM}~%!Yl-1mQ#$v11cMltg2z8L +z^s&Ees<#yrfb=58x;mFxsVRkW$-Lwjr<!#B=8~bceN7}+DS&FB{wc*5_Z#t&;LkB7 +zFe3&DDuzgg_YDCF6)_eB6ln)at4(+g$vd;zJQdt9Ep@3;7*H@VFd;Ar1_dh)0|FWa +o00b0K$TDdahGTqXka$sZ7Bcf?CO2FJ2p3V0ev3xHmjVI^0G=Ei4*&oF + +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem +index 3a5094c84..37e123ade 100644 +--- a/src/tests/dejagnu/pkinit-certs/user-upn2.pem ++++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem +@@ -3,26 +3,26 @@ MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd +-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R +-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA +-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 +-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN +-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFGvA +-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM 
+-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz ++CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri ++oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu ++7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 +++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD ++OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv ++Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFK8S ++4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm ++wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz + ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM + IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu + aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P + BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM +-BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAElYM +-786mUr91z82s6QC0TwP380ze8yJQiaWifHYXiqIPay19M+QG91PvSm7LLZw+ersC +-gEl/mPKrC89XlAFp8b+hJnGq6t6YmeC7OI+FapEMxpxX/X8eqAOQLrGnoq7Pm9/8 +-QtWaKgo09i7rmyykKl3xSU1VktBsmlhNPPNh3x+N4bxea9OIbZonPdDtr5/Yt87/ +-6kBPsGgvUUoIxLw03OmLu8AmKAwJja0FWyu93uCUP4UZWLEGpUhSYC1uUCpAZDNy +-2AtPnxfGUDtvI9eMmyeXVGYXTfkfGZyvB3m9lyIj3VVmhbvr7qLAGQn00dbOHz16 +-r6w2aye0Me0GcU0grg== ++BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAkYoU ++bTCe61BRrB1yw8mIpnXlRrVLV91M8YEr07Jzk4qGfRLXbWf9BnMpxzbU4YVzEifh ++w6+gYSWGjgq4kDmp6tcY3IDGvzXkglKMAZv2mpFnBa6ZooEQ96tgg9O9G5Lg8Sv0 ++kSkoySJq03xapucEZbhPrtGNHKwB/EDo3T0Iaby+Go9bqkObNfuIFXRXC6HqPBS4 ++khss6cJ+daEE3Yg21QZ1BUlncwYbkCzt+xp3YaHlY41gdaMdF0tn6iRJjANAM2Kg ++6J45M4GKKT3yo5hJAWIS4lSCZX92g/uiT7BcBhE+vDzi3JuEc1QKajgnza1BMZMG ++EEIPWkC+Lfg8scWS5g== + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.csr b/src/tests/dejagnu/pkinit-certs/user-upn3.csr +deleted file mode 100644 +index 958c1e043..000000000 +--- a/src/tests/dejagnu/pkinit-certs/user-upn3.csr ++++ /dev/null +@@ -1,16 +0,0 @@ 
+------BEGIN CERTIFICATE REQUEST----- +-MIICjzCCAXcCAQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 +-dHMxFDASBgNVBAoMC0tSQlRFU1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkq +-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJ +-w0Qmn/qs+lNLjRTEZp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7 +-LiwbB36btYyEFCBW1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2 +-j69wqhPZIeXqqveV+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT +-50CFuNkUrFE7m6KnFRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7 +-+ixNvQn86a+91DdvO+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABoAAw +-DQYJKoZIhvcNAQELBQADggEBAEMxNp5md+jV5dFC1iSKh2CYl3P4g3UMQ9NjLcyq +-upjJmFiEGkEg/LpH4CoXI03BaD885S7akKPA1J/sG2YIrbl3TpjUJKZoJ8BjNT0L +-tYc+JIODZJEONR34Fh6/1uRU7UkRcJ8Crc83+ML+71O2SRZRJDEOS3tVbdzjEOTj +-HIed6Ia3cu0XeAvhoqRSjh8J0ufoIv3CRRCtRU8ChkmMD64p3kOTlORxWspAF8sm +-Xa53bWIpyuyz/vWwpWfr+fL+Q+BQ1TU39xvy+46AYuQIIKzK9vKZdCElQwFXZs26 +-f53OyZpFjcsT9jJAM54XUxLv5rE3fqZQiBhatPZa2ThHt08= +------END CERTIFICATE REQUEST----- +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12 +index a9d4780c47d33cd4d409d6ee657a7911381fe753..da888f519d9112e3d15dc48ad38585cde98d5b47 100644 +GIT binary patch +delta 2698 +zcmV;53U&337L68=U4J{;58bgjeK7(82mpYB1t?D<^Vzr0meO{YpOc6TQFtkex1?x- +zehwJizz{VXGun&BAkZb<MIbl*jJg${R(|m0@1(utK-vxcZ{@g}mmPN-v?fcXh{~)# +z+_uOb?l*+A(^YI&1&U(CbIi0yg8U>6F`5&om0=1){V^dwH-A)3GtCm7iP)scf7`!^ +zpcfW<Hhq5fy$4Yw%z7HT+zupoL))aT*c1UqNoF159}V!gJmuU7rXQP<LiX#F-!~82 +zK|lHtDi}sPNv(p&<!V6m*wQ9&j3{9O!)<ao;IB<UUMc9<Kz$@YXz^bAVF-u|-sXiJ +z$@zC7-^33jF@KXyK>Dp<M3!29p*1@sEg|R5l#>n~znhuv+jW45rkqMPDQT}e67<m} +zC6O@UfefZ!E#!Jv>FE|w_ESX(LKd}_=1_wtRDk{{ei?VevL^v4)*gHc4wiT(y#HLe +z4qSa#+Lf4khNXr}4Pq3ujwKQ%=*c1>#@tMjIH6+JG=JUgo3n9hbV2@&`^09UzLsXx +z1Q0;yi%cyg>96()dg6wn_&qzl`iL-O?IPE57!Zi%GjLm9XfP6c3OXaDg?zmXl_m|- +zD#I>Xh}5fP8${o7N)c1RcdbKF?oNOY6SjNF1NxBu?Xn2B5^2_>uDznS=+!Ntgao5u +zB_17l5`Tuv-3}{<8W0>JB~ZN>!|Uw<Uo1K$BAyP{M7LP@$y-^t5HBMsJWRhRvpsF? 
+zb5Kc#4cNj?yC@@yH6O(;wZP$$6PCw<ILPK|6vMVVTn93&?_jYpDPVn|hMU2zYe86j +zYyqN>yTJ;p$j>5;?5;Y$w%BzS>?M_-N=&9H^M5*5VIABRGi2Gd*F0<%A61E4i|HUz +zX!OLlQeM2}Z={{ENfa0g*iW|uy6#x-f>|U_zzmuM>X>mvJm2MZn#=zwdTlT-NTv)n +z$gq@JThWUCy5?f5nUaHNcqc>Wi{@iB-%8J0m(YS!7p$&;U$Mx~#YgsS#hfS;=L)-0 +z4}bqab$|EYJ#yJjn${s(M^^4b`Y9ZM%%!e@ka;J&=%N+5kQpuV&Y*NQ6%bqqrp?0c +zvkASQ^E5U0TOV~zI*%0#ts88^z*()E+lgg{*<{;CjX2|_kR5t`3b)2*_|u7AS)zCI +zddqMp*eroBDYq6%$yo$Y{G=>O3TL-|_kTW!!P_2$POnW{>xFSfio_MXs0ww-mo~hi +z=(rSEzL&BlLd#CsC*oqs6C~Fo+9Hg8?ck})d&Mf}w3xopmhhLVP`QjiQyjND61#m- +z@Ti!l54-Aa1EIxMwvv%1+o8lC5XZ?$KpMOo<DogG>o;_Rth{0DdmNF=oifNM6@T>e +z7}*!D{OdLG!LDBZFZ#;gcf%2Gl4oOl6Fn~r8DNFFQ~AA?eY^)C|5Ly1pjk;wx&r6# +zDrVnH0^2DH(;P{I=T})*lyeFUa6%tU6RtX@SZ<2mTs?v7BL{(|rzuaK5kMkSf)x!P +zMII;x>m<OOR}4lVpY^^j$2vv!iGPR5nUy!?$NVWK$M5{RxZ?YHn6Kuch6grg?GbVk +zt=$_+5cp$0Ha()S2wc~W3ZOVzG4|KL&PPo);bGf&@iDa6xsaDb-8pq=RE1ivYkz}X +zAtoBO5iRIakLhuRk~oFqiqQtak%;1~P3|cu+ipkUQ_?Z(D;h&D22ulM!a^Mw-CvPZ +zMr+4upf+5VZ`oT|!&jXGwMYZKqlq5!9}+Z1dfSvlGPUQNS*=pg3d(uiE+E}+()ARb +zKDto+n8Th~la&QVf6ulEXjQ}6{sICB00e>r$R@xPVtr{^r7my}%1}E!A}WmbofvFM +zcS!kljv8Z%(&&Qf>ru913`}dK`R}b6!=OYQ|L5CpY15F!mbW2qYdr|JUF9YL8WSuf +ze*bNr&bN?B+Q@E1=uUeEjhQSIS?`<O-$^NdRRBbc?+&PEf1!4RexONx14IYgSFp`C +z09^qUk#qxIlOxwc5W9mwQ01fbXEo+i7Mj>-Af4;LXKn5N-XLq6xc|f%_#M%w-*Pn9 +z0f3p>$dACQCD|ZcE0T;i&hLLDWC+>2e_q0`-xh{n0FH%33ag~T<R29nuL-Bh7i+$q +zeO=N?KKWpwe_*{gKs^Y)oly$tRFp_Uq!TC%gFMS`in$Wr;m*7w=kGRT?4^1jipI<& +z>cZ@rg112tzut(cYLAtgLWrFG9P}7g>GqSjUx=*%5=Ei(wi;B#qD!D0DdHB=5ne3p +zz7X)28kw|s=IQ-C@X=`XBrP#XfrYOchw)SmxSL>Lf2fV;6VyWK+tGI0@;#9o`ML}b +z=Efu{JvtPd@rn|9u&5^X|3=^8Ur|_(J(G1WEIKJ0`^x9%VSj#?Nk6WwjXxRnu-6m( +zjd)VmBbBWvY@1~+Vw#!O<(3tv)oh)ricul3Rfwl%X8C3a+<33*fD-2-GI5{qDV75o +z>LqpWe?G2-@V5x^ez4WY)5Dk<WN?9G-J)5D8V;*)spcgeEQv*rF_YNZJ9;DV%%F8G +z&syN-6ttUEvr}Vn3+|HewTgx2UM{YhpwSb$RbHT-A`*{5AclpWM_xQF47U%t-UY#U +zVXA7Ty8@gJE!U$tNH1)JRREzYgxq2nOcdS^f228{e)6+3IC#b_ynkNbb;oCAQmz(h +z7h2c*qH;XtCgl_2uGM${DJLg*-tH^Som`ek{)Dat19_IO50TJX4SsyJ2RspN{H~;B 
+z+V0S(^O11wgH*SS6pSB%<M=A@x`=uJA=IH?bW){d%HoxDdPSevtbFilO-&FJYVyz1 +zf2sP6fg8#5D(P{5<D__zXl+?017n1!B&M|Pb_J;{gzf7LyVjx6?mCL%o`c|Jh2#}v +zyxWYbFsbYv>L6ZxDB*vBE9%u;E|A>H(s6n}9bH&KQb#zdIBW7MnaIzRarxL@n!O)O +zK=8REHm-D)+!QbFDD>eFGqQGle!kP6e|@)JpgdCP;~7UeyK0@F3NK#SJ0IUT4CA() +zo39%1U#tTOc@;VYuXNuOe?N1eS){UjB$ovmaX=}kj~2dJIL}s}NbDPCos#k!q0k~& +z6(yK2z2-dNY(yJA%`mY1gCo4XY$|Rb{VRvx>}p2VB)BS18|crUeYiOaX8I5uf9e;5 +z!Sp~;hom{dK*GcnV={{eZlquY3=K$u%N;dC3YcZ7Jwid9q$w720~h8_o0`r<W2EJE +z9ED(wCA4GukQP%KSJ?osP!B*EZ_PnpT`#3;PNgFROp@R;uRKQWg|I+UQiQ@}X3P<@ +z=;vz*VW}x>J<VW8lOv<Y$&>#+e>}#fXz~jOgIgpH5GUFmGfeNWtu%Y@mn$$D4=DMM +z<8V+G_ROuV$#I&3s%U2e{*tn{;XFo~vnDzTiDiOa;XL2_2q1G2#|Ib<`7((J_Ta?x +z6m<s7NYJ?4<44k7t~W6yFe3&DDuzgg_YDCF6)_eB6dj)5)|#)>a$u_FJom0HA=6G# +zp;0g~Fd;Ar1_dh)0|FWa00a~tK>i(z<@;kWV;*m?sLnLjiHbx72-=Fo1r5yv^#TG2 +E0EqGn4gdfE + +delta 2698 +zcmV;53U&337L68=U4OgPIH0Ma|Ih*g2mpYB1t^cgTby1_i4bV`ET($=&EQs+%VWU! +z7EL>iJi4Z78OaT9ubV}bGdi0`Ahw>yNtjoh(jz*K!b%&Ua)hJeCBb!FAt9G4(CLat +z`Rag4jFpnmFT)s@f*z8jt%jD9#v%N*$?L>k;p5=UEuP*lV}GdN&eI?0rjB?@WB}eY +zf)XxYT1q=>J<PmU4ev9mM?|n;U@bFOUYFbwrVSa|jflX9@F1-5yyd!w<zYcMs`rg> +zymMlumTAK2tc{81$;?wU?RVDyIg)}6Ru7Is8*D-idC>`arMh=W)oa9!1#zHlQH+C= +zxNFQiy$@%pUw>ciB6Pems-P<2y=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@t +zqWP;7pCfxOI}DZ9(iJy)rS*nL8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|Qk +zembO|Ujs3}!86C73mgV0q^5iPuZU!CsXRr9j$1G30DnT~&96xZ(_w+gVmP}nkT+9^ +zTnBG}hdQN2AJnve+R?%pEbv=8E5(bzWG-#u#DzEycabv3EOTQ^KP}Xh8CNH%dMrC| +zl_ZZqKVqcBMJt^u$Fh!)FjVOw&dWSYUg?omm_rDHAOgriM49P$d0+1``GCJ!ZsQwc +zIeSn5N`Ij~5U5@dvEBjG{TiDpjvP!%Bx(#V7yW^c5vbxvj?}{zE!H+*c6xgo=IhbX +z{ugXqn`P$jl!c&05S&~~#+%)!=U#Kbk5wVT)3ql;lTT$>=q+JLDX30eW_%PenT4Zp +z_goXztU1Ch8>MHCoD|K5H4(V-ja<hx8@YB0r+;@4i}mjt?20bEYPmt4?A+bA%21^X +zXRCd!kj=`r8UT2_QEtvftN2ls|9%4(Yd18``lD){hD=Y*oD0<z^0&Du<8diip-hyZ +zTgM0cXE=W-P%U+1kHCcEPFj@&9L9Xv`9v;Wfzs12ZiyTTwQhJ<8BROi#6${ukz9WZ +zXn*t$kjR$GQ+@~Nrzj3Op78qsDTByr87^>(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA +z-pr3<Vc+FcLJ>g54LF<k)IhGZk(A<ntCZ(JeUto0UD=4g0HwAcycywe@c>hpSdbUZ 
+z|IdewW&nX@Id-7N;;8dTYiF$bj&+Vzp?^hsO`e7M7OU$Gla=8Q4G^LnBF+hG_nBeb +zu}|$?y}&Ypv{-4`sZB4J84gG&-!sF!m9%?q;wc<-;0*nm{J3|%$s#f4g#v)CGLCU4 +z(Yc7zteW+0h{?ByycGWhd;fPj&Dn(4myw17)6pVR`dcE2`6M7x!wVsRwxjCdAb(Wf +z4D$@k@4>yr5z6XWYn7pBxh_HGbj9atGCo7126F9)ewn?kfa;&vg>e{5+wgb3)|=NA +z`o8_Sx*VNIakI&`^qCUyxWkzJM}b~6qYN&iv+v+c(UQ5=%<ubYh#LIxUMyJb%<p@d +zd|0|~HBPc$(8N{id_|HL#DrR<Ab%c2g5>{ok(ekXq$lZ@xKgBHx0Tl@87a+hB943i +zFD%RA(jSI%C|Xca<$+=*lWL`yEop8}Q{X%bQc-xA;u>Z)z-N*eV}?4frikpteC|{% +z^a!Dtv`0%$*x`Vxh#$niPcOGkf}NjScYXD!MU!uL497Oq;pCJOkrMUvRzj(C7>B7| +zirNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GUzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVD +zJEGu3Mj^N{la&QVe+@0G1;Pz3&jJDn00e>r$OX00Alr(atOG})P|bur<sYN#DxZs+ +zQ52$Jw-pZRd?0u{NUgpsp^GU=^+m!)wF=N!|4e6VkvUWSX}T~!=xNe<WX~Vq%6CeU +zj8!Iqi$<4p&eZraSk}j>1*6+0Wi&x_x{|YhpPm9aRrXy+e>w{XL@?~)eWqce&iDF0 +zqMSy`TNzT_)VB-&hdVeWjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOh +zQWJ^oEshJdhCpbB9?+gW%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl= +zj;AXtkvzSNf4>f%vSi6=NX>a2^%IT&;v29li&z4uXN8vz(uEM&T*Qo=&F?5rk#RQz +zC336+`bfFPsilPKn2a5|Np2S1s2;)B2v;glXVE<%O(u+#u~*}7ksKGB=)IwePkk!6 +zKOP3PmZY@6SqGV+fn{aX%cf@iNQisE!MeAT`8h7je{pcQ%DlZS83P&0<4$9^B?j!n +z0^s^w<lAKr!jqIvO8~CPKHl0p(MS~^?zBC<rfK#deu6NFrGWU2JAJ1fG;tnfw*$l| +z_yC5oEU(Ji${Y;ku(xEmo9P^{#uQRVIC>wN->E=~xLdD_)eKs$i$WQ?$&-S=N4)kY +z8sF-Ce>waid23??s6b(A4ogu;h++fH;y`e<U0&L<3*l4a4?2OC5>Evd@BSm#`s!Ry +z+6L`T@d*j+#(xh*)fPw%XJxi5_WgWEv1C&^jNYt_5ZCvbDlQ07M;HV(J|PE-03cDz +zI%m{><uUInH9re8G!?46yC!XB??9)Y;(!^%e>hShEl-wN=n~{2XZ{L*9dR&>p&O5P +zL~0ADX*&QcF)J*1tw=!<FTf=ac=UE7NsQ5{vqP4W8r}XA9?pHuwN%dw*+a(im+()K +zHVNY*kEjsu^!sS@;lfE*LW!Yzk~kdLN}|Bd62yeDNA7^Wgpu(CSO%C08)k!~fzCz5 +ze-kz9>e<$;FCS~Q>H`vQ6<^=_{tlE=R-j`1+-CyIrhMa^l@GsOkoi*b5gc{|O)u6y +z*Eybgfl##owFc|2DqiQ%>C%TLxKNZ2)Y8q^GKz)qUCCb^Y!~Ouk~utFj^%qDAD7$7 +z4|(O*(4Us`f{<2cXiaTtd7QygQM!6=e^+!{SnFm@Sce*pSUC_>Mud$loY2}d94m?| +z<^OOSjsAsDBC2thdNWvSgLi|B<-_+{K_gsBydMbNjR&C)N<giZ)rq9?LK2ZqUH@Q7 +z=lEDb?8D%FGK$cQ@EiJM*uLyGPV?`6KidTXos`w|t7P&vp6W&BO^dJ(zR4Avf6h9m 
+zYgy;HUJL?!T$);C3rzm)+D0a#pIdQ;plf0S;ipPSJ(nX58XdpbZTA9xT;$+u#1)OS +zt%%W;=NRR=+Qofxw0<7L-%oKg+WWxVUFjx_db}Xq-8IMqr(1}#|F5`<LfC<uu}7wk +zWPd2w`sTgYkIUhkr+$m2#^N?ve*|@-fyvmtstS0orV!Q7PL#g<h)rqZNEM!OYYn<n +z#QqAdg76EPW~eh!<11hngVaOx;{yqvKOAV}g7%4{<iW=Vy9*r=Z%u4?=O_i0#t33b +zJI<aCrhp|z;|OjRDAh3~Fe3&DDuzgg_YDCF6)_eB6u*lQxi}3No$KBvJX!2GE7$}i +z&Al)&Fd;Ar1_dh)0|FWa00b0p*u?3&er@hi<B`t~)wx-tCp*pr2<%yzfrt0G1p)#H +E0Pq?oS^xk5 + +diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem +index ffedb0d1a..754114f5d 100644 +--- a/src/tests/dejagnu/pkinit-certs/user-upn3.pem ++++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem +@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG ++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd +-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R +-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA +-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 +-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN +-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA +-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM +-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz ++CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri ++oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu ++7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 
+++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD ++OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv ++Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S ++4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm ++wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz + ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM + IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu + aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P + BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM + EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B +-AQsFAAOCAQEARVeLPouequn86P3LgOZQ9LpP6IHpY2ZQwvNviiA8Zk0hsqFXnmwx +-wr3JtESim3EPuwQtJ3jXp0rxQB02r5r8sg21OjCeAB+vOz3IoF/y6WEYlz67LjMB +-XCB6Fuq80IHhVXWRi7w8dVI8xcADwIOh6fgzwbbk8qV2Lgn2Giivstp+76PnRtEn +-tavWlWW7bQlXkiROYh6u3Y8IvYYoIdlDsXQBFSRE80Rc2jR2XGKAz5CDEZNC7RAH +-Z7ON9HH6IRBOX1ijmXhBl/39QQ5t+ZYgKk8OJpL1RAZlJZtGMBwJtA1aGiAFvqTr +-aCREHZfn9NAFE/szItH7hxWJv9RISUXYmA== ++AQsFAAOCAQEAurL26+vQNYFbJNAFJ3yHOt1nwAVO4/OlCtgqzOAq0nBs35HY10Qe ++y8eRcxrLmm4O/Wy+Rwre2v3pIP0AclvIytDzEm6K3Pgj4yJfUUM3VhnSOlXQP6UG ++D9Z9pVxNiDeykj5/SzxwOQAmJbPcMx9aRwP9wOLMwUxi5sKHQlL9YUTC1hffhuYY ++Yccc2dHWd5IyaKaLp9yBVXQryNdVTBYrGA2ZqcwETmcXqU/wCo/Rmf10Ra1sj88X ++VfTb4Sr0j9RaSKeXRZgbEu6kz9i2WK70dcDke08xRv4xVfrlbXrfIS+Va9WYKxrf ++Xb0XCkKp32Q0EHqapeJrCcuQtnDMGvncTQ== + -----END CERTIFICATE----- +diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12 +index 67c3fa2eb01c9fdd543af9172dc63a3955987ed6..e9c044c5b1d0d950ee2520770de2f8f64200cbf6 100644 +GIT binary patch +delta 2706 +zcmV;D3T^e37L^u|U4Pj<TzJWUzcvB_2mpYB1u$u|U(OiYZWaAdo&=0W(D-NHJ~J3Y +zI~rchE>Z%Y(>Bs|d@Ni&G^NWGp&(#5%4Z5twBV>={4~8{Uu<TgGho+eUPSehodq)G +zMtCIV{~=Q73CQa-OCbMz+w@wq(P4!Vj#tqP3^{;nxzSHzWPbr^w_(dkTU(SFJL&oQ +z7zL?S2x%2N_Q|C4e}CAberkP`3BLksF6_zM3KTSVk`X2!wi(j<c5Aq9+wm9GWZngW 
+z<Dbs@F>yO)#6}%;xPIHyY{h_i55`b4<${ihODv=^X_GvM2$(ip)-{scMp=K6z4NT0 +zh9qH{M2vDnA%B4RMJV4L3g&uG{}^y>U@_^&s079+Uw;8UwQZawTn!vsnczNryXER< +z^4t|;quLw`bl;E|eEKmn>RrwfXq1zSpT$o-918IoaQn0K1Qcv~32@A!!Yk9d$5)cI +zy{aB^id7jlNY5I{?KJ6dEI`cwQ;~`h@bsE-*#<oN>wn1qLARY;aK^Be3VEOF^3YZC +z@z)+dYJm7<$cmm$-`oMA4%n3L(y&2%bYK#IC-~*C61&8wgQwA^>q1bHC}EtDjtVc1 +zELlaHTmHT=Yj$uxFYs(>usRFRqQvn&Y=h-QA_vyh{d+oN#SEVcRq3G;MW*B4{9l6v +zq4IfK2!A=Q^+R+st9#jqW4=?osK-Q)K4Hq5%bbPzj&C#dO##MJ7oXFI1vcvc70Jw{ +zEv_S72+LnOnU;)4y)s1`vlaV>-0o^K1+!777`l65f<`flFo5nDa<3{ccfhQZ2?{|o +z7c|F5o2|#B%7Rj;vzYt{Mut5sSc(Fb-e#e^-GBAX_{?R+=$MOl)HiG~U+;&08^mvP +zHNfv;+m0CZZAMc)NCYtA@^kdgq@Aok`CYuV8^FZ~W1mpM$Y|0UcYycv$Rw~Uk-pz- +z!Dy26%)YpIB<5W?r3BX^eu*^fEgSl~ReH*mq<Od&#=uGpYlY6$wQWulKU}tsO+Y{0 +zSbyK^jZnw<Wk?;4G`3wO)J2BX-HAy$Q5bK{g1=%YrtPi_Gfz#E->G<*`wedGDz+{; +zx4kLMqty}CrlV-aA&gVt>cAAtAE|kT{Gl>@GBfH-*I9Ut$$mL}Z;Gm~5u@3~UH3u; +zu*RcYkh532p}cjA>7*oslZ7OgH8tToL4TJC&l=yANqs|aNom00jp9FBDbRbjK3>*1 +z%t%A$fhz|l3Z2Gti}<DCaW-|b-r=NDNxJi1H_xuj6pJ|LJHQ$(mJN7IN0$!G*Anpp +zccbwS+1jQrcGtjr%9x}yE7acF?Dh6)b?N~9Fl7@@s3U}jF)!lk@HI3Pv}ys9s((-* +z8#dFKFhw}!fRvCXG|3sxeIMc&S9G?cjEPQ^yGL>j5NxrXYzf=4jVC`TMPTZ<dQw-v +z5hI|CLwK)rv$U;lQ)|sSio785wW58C3VJ1u0Q@CJF!VMAXZ|0m4kB3VOiVy|)ZPrL +z#N}qgPGV&p9eY6#M&LO|2-{x2OMj*lG34GJ9E)|lteX1xgPLLhf&`)SK-2(8Z)w6- +zf`(A_WYlFm-I%bz+TR#$vcF&TqYu)C`;M;|`+MeJSU8Z#a{Jy$W@#J*`eM4b@B#@u +z#JA#r%%;>vUT-H%YSuYeGCOl)KMa1~`sWdLxxWOlH7Hp((U}SX!YNhgfJ)IPf=;Gx +zCA}LPUS!(0kh@$b!MG*{z<Op)Ezte4&$0g=sPoTvm1zlTJ)4F93M+nLmGGMxIa+vF +z>^TG9-c9BlhSqSqv`*cklbr=df9nY*n}fvB!vX>b00e>r$RI81nSv?+Yi!SD63Wi? 
+zTpz5uAf~z86j38B#-LJmrSIOk*?dx5rd<Z*3r--K%&NA>vPi*JcISr<oe+^au0!F> +z;GrMw4kJI_;L|8E<b2(~#RS|!7%$e>8I7#QK@8J%06j|~QeRT5YPYz2e~m|0eC*+N +z;tTbW&k|>^&OYIQAQZ)=e!ZR$EefvbbEa%e@aTI~@iZEV&h?kl_iWbBu8gqL22EWO +z9%e@s<ShBc-FD1uiaxXO=E3%qo-=vE(2O$HQE%20of;d}l+Q(2v%?CXSf&GtjM23Q +zqyLr&*RQ4?O2*yf8n{@gf0Lk9C^>!Ln9mn5gIkKyZEbno(BO|N92gh4zi>;+t!DB# +zUD*#wq%14Ws-EP3hBY-&Ihk~ywGtQqB8-6CEv895gq+Y?Ref!PVQoN$e}ep~l&{da +zqe>QuPg-wYhtPeEN!5YpIa21fnSW1kwM|Wu{MOd})a|@aJ<LBIe`uJL2<7MT1$-Kn +znNBU@f`qXiPdrro3U=5l)w0K1H{h$=535I5Rj5G3Tz}_!-fSvSxO<(>wy*geIt_-o +zf@_GTcauuKT26C<kH~ZiiIa~Qg;|CP2wh6v+it1wZ?wf)%<Cu2h#vyjys8f*2);+) +z1(Cc*1Xq0x7k~SdfAsH>ov}Jb>o;A$hT-*SD}c|OaKX(rQfx^MRmECJ-R!H{CDx2O +ztfI!lXTISDio|vGOxL+yF(#V^*FP|1>(VxK)_HV+LW+m+hM>6nHJtbPD8$YNAI`V} +zJxt8tv;~TeJ|us*$IFJ&gYiOXa5$hQD(6={4wTTv<(s?me|tUC1}n4%7sLR#^%2Z1 +z>wB$BQPVbOEZr-HbQu^qQZZDV0B=qKLSTk0OH6ViZg6t{x4jDwj>Q2g#8kQ3r>Eji +zoCHAsSfZI^gjaN%up<B^epM7RAvzIT;KRQ2X07C;wJ3%8{_AIpRI!(d8d(I1h9y@c +zbcAA3^>LrFe;LL-L(-_It&su|RC&en#x}vk5N84OPL*8oFVPE6rr}-0qN*#i8!ZNM +z-lMCaJq9;t`UH;WVM3PeWlDBk&GJ8MW!kV<E3~UD16Q>JPop~_JfAJz8Tv~1W~R=A +zf#mg1W3o+d#@#T-2&}3LjtVGn(SoOHnQi>T=yg_;f6ZBqH!1J@yw>z^@>NitY+5GG +z$_K1gfo*y_T~t97XgHe91xGJb>0;+13X;T-03Pf6IfLg53{}XapD=~I*1UWMmfQ!D +z7Ze1;SJ|?3B4j<BuWHsJc%O#7pP@0Ez=lAzqw~qnb{a@F`B{OmdIvYMG$dNQePmy5 +zuy#2qe}oqYXYN^bx8@9nYY#&dtWG6w_5b3Dw>g+a%x7qj<bZ`6ESTH^e+bHC!K!fa +zB+{$}lAR0oh%TlN-?41id-g5a(A-^)`A_f@pQwV6J>gRh1J9NxeFNvzi*YlS;ci9S +z#DRe^Z<FqJM(4_WwdFZzldwXZu~#d;GN9A*e}NnEf1x<zdIxpJRyDAeufFP`dC%(Y +zkzV?Ba}7CYC)<%^VizhoxpCKK^FA7`<--}tdAh>a5%?_JurFHR(9)uJQ)yN&4iz?H +zSw@t!Q))44>uN8OaX|V82359~wEHn7Fe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8 +zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00a~TEWhWcHtRjAj4t&h2$Cd#3qV%{2$+b8 +MPj+1S(*gnr0E_P~i~s-t + +delta 2706 +zcmV;D3T^e37L^u|U4L0@OZ+^lY6AiS2mpYB1u&$H6w%_X?Uh+pizOtCBD<t74x{ap +zYdgB*{3c2?wSWYyzjQvv;t-8trw6CO93J)AS>zx2lCMDmI_;E4nZypk7SId1QiiG% +zoX$R-HEZK1+~1}@RF*!aKybD>Uwe<osB$gLio}DI-~?kH$$uWFX-lJ)1HB<2t6pNW 
+z#kSFBm}bgYT16j3Ak6WseRe&B9QS_CwQ<`?IyF|;FV*zkN~Sf1b|#Gnd;abpNV1B< +z%NFoz)BziCR;QIyEp8MVNIVPF(tUQp+qHutk!KW<J+!p)Zxkn0F4S+vz(;X%s#Ae| +zh<zN+Y-}A%>VLW#TM}CG=Kw((`3EMgCgE%Wh7i5_PDshVd9Oz|EjKxtnoLw`TW#&7 +zQPy}=X-XKHcQwT5v|u~sb^Inq0<OveaKI($th{DmRGP`w`Ld>NJ4Lak7<6+3Ya}d< +zR^Uti{uWAJB7|b_QADZ~qF1trj0LGAR*qZ!4V-8U)PEs3HV=&h(r8ATc_D(AEnMV1 +zwuVIjs`^7H=|3CS`*aB@;CnPV&TlP!Yu&aLuDOS7Sg0Cqu0xGBQP5;o#gwP}e8{0B +z7jV-rq(ifyxm<=mq)wx^ScfIWLZ7^FtdIF5!b_#_SU{v)$6P6;3c{)K{n+@;OiiQ- +z)v(k`B7Y~QMMOz0exF+cpQ;~*F-}k8OW2c^cHxE_)brp6_t{vy8?fdPQ-ctCS#H(j +z$jQY05`;BJt5Y1_E&P`i?y7~+)+fF@I~p95YmggrA_kkXkLdVu+sQe~jV^LlG=Fp{ +zGMUwQ8FM7Kg20u!G&B)cCNQ!KA|~SY(%9(~dw)NYD5>AwQTYoOym#9ju3MlAj~yL! +z+9RAIsl?+#`6I<K{@zL$ADJ}oE3_yI+Lqstp&?8^HQMK^0xWV=hOR`CZSBB`G9be* +zP6_<L&Yf9?QqSqNpgTGGCEK*4<;E45C;Sxx8n3iV?MnsJ)$obYDc5lg06gexff@W) +z_<zx16s-r`SgbVaBm%7L>Q~$`6sGmR#$qABV!__lx-g(mg2@c}g0+B+myWGZ<W_R8 +zV6Of+sl7`kk2Auz5i6#i#0#o9|7|9IjgKkxUA^DFP$}0)w>@B1H-hdORvFBr11a5D +zD5mD8X#7lUgZJ09DQa34oE2MSOlRl*Pk;Loc@3DRHQ-tjjjDOpdmBQ1xk?t__INBb +zA2{y5_WewW14^G6WH^SY0hmJ8^Ng^zx=ZpuY7#VI+rLN#wJ0?Q;k^@dZ=X;S&RshD +zWP{?O$!sjtgM5;`y4Wj6`G$m`1OsXIXK)R(Jwf5Zy`3r9HV=gsO7Qi4jzaFFm49h7 +zfsyLIa}fYP4lU}*uw@gGo4t5v27iR`O@MAwyFq8%w;vNMFt1G(wBrYGlM@r4)ff!p +z>8Mmh-L?^v&W!qOH^7S@tzEEwdy!EuK#bBM?x4Wr`(bkkOsAP+#8TbjTL5J_=bS5) +za6olnR}(Db?FG0|<i0m(V2`w;fq!h}N1<|g3&}<REujk1TD8Tvd(M!PX7X>ejvnzj +zP}Lz{>_d&8$(MkIB`z>!MW@mnuqJ@W?8->i@)3)<Us_Y8J`|ad9V-cGBHf{69VHr& +zxEfh$@?ER?*&ZclvZu!5oFp};4I#Q4WDZ$rQiyY4QzGvhbBo?X-$65og-Xjt<lp(w +z#JY#8KF0XR``XJB@C}5IK6N~>j#DPAOs8q=yg6rJ-m=-Lk7xDaXe*1RV@>aTN~)U7 +zHjL@_ge{0Jt7~qq;qj^Jlbr=df11{|CuI2W<pKf-00e>r$kBFUM=%p0lc|48g~wmO +zlQm6cm$_s_2>(DlA9cyxg6bmmW)&QR$<PB#CxL?NzSNRGypG&F<c~$JCG4GuBaz89 +zv|qFbRiU<7T@!t1GvkvS%j=1+&xb`Bk$a9NUSfJ?Mo9UlI>peuE=vJIf2HTu-u#@{ +znFBj?5I#2g`5TG`?>T^VI($%BFj|uIDfc;L5->4jxZu(nSAc33NNkgSR!9J}GSx4y +z_4M@|c;BpN-D}R->!q&&aVy|T<rhZ0wJ!J=(Orz3D2_%8Tyy0GJZs?Y&Koh$Vy3tw +zM+tfu)7X-q2`7b*wKR<Ze<jFrnDrp;G0jEOUMTmHd_+pD41$Eyft0gcB1_Xbd|ZSd 
+zy*Evm5}t43m>U2Cb!tnn_pGykac3R{dXL<j3&f%yo^8c7d|5`=D<`ThDf)tN+1q2K +zMu;mj7zZtp;nDHuW+HDd{%>JEv0NPZVx+TTgAeJQji@`)5{<nTf5nyXdU7tASiiN# +zBxaM|9(Z)C$Fpqi#EuP-ulq*EnjWQ(KntqNSy;h5L=pE?@Ke)r=pxc{AgzgNw<>g< +zcJZ=w(L#L{pjXv2RjibOnkQN957ydC_9_$?NmM?Po^Q&34Z7W?1h2;S>~cDOE<sP( +z%^ZFVq&an45xt58e_p7#+bXI0``Yi=(VHP)qI1*wNe@$kV-*OzmA22+aq5_i&h}p6 +zKq0PmpcE)33^yC4<D=|(^!QJaa8{;pB@S0AE<=(4%z9<~zqg*M%^IxCVwD_MaN|$$ +z)T-nv)#_L`X{r5F3mEPB^jPy2>pIB3e3RmaS@`juU%CSke_Xs}bPG03Hd`AnWDQe0 +zDzTI!DRp&=;Lw}C)$l@}&C%0-vB~aHYq5NMeTEzqqd+JdVj_`U-$+46eP9-nM7?zc +z5Pgt-^k?oplhg<NP{NUahtIDuq+ST0TAc5}rtba3@#n&CH#HIsu!-RK!8S{J6;f*e +zA(`4kEj-vYe?hv`=vQ6x%+>%4^}fJ8S>3v%<7ynPniiv_Z|t!~Z%up1%zf`A$#gTl +z|Itn@fJi}H(elXg%0X;2+!%;)-lR)s0rXj$+}J!$F5z3_l55m6b2_*fC-NqxNFTql +zdv*Y;FP;Z6UFji4Uh@uDeNWtoP&b(ZdpU59uCOvye<+Qgi5uA#^8lnW?w_X5a(Zcq +zqur4>A_O|0nJ|NBvfV)Jmkk!X>5(vIem$?G-`>87E-&XqHpVEiV;~i$OoPodAQ$zu +zHfA}RyWpW+OJ@WK!YX*SO<(GZEW~rTpl2eq>|IbuqzzqN8t!)~kBi0<?pWFR4{KY} +zH#Vnxf89N}jtvqZyfhEvSIZA}V5)wYIN7TBc2n-hv)FhLVhP{hxD19E`DCbW$;I=% +zE%(UwRnabgo6oxaf-bdh-B0~6{LTmAlWWSm87CMVl+N7qheI+`bxnySyc{(4JP$-} +z=nH|Q!Ac8l0Vb4A{`w>rn7;jaAq#?4)^yQTe=NH@6SxT7)@@3!xd(1))7AABX12%e +zGo=U4kgSi_sg=#zEko}S``7Td_RokC%@eQ1Z`cc&&D0V7DMKQ8X_oz<ecqR81^K#V +z4NfEf-%Mm~j<XwPNqk^18S9IDz*;dSFe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$ +zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b1TlMd9czJNI=4Z7y~ApP3IZC*$O2%D)% +MVqdEZv;qPM03^{LzW@LL + +diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem +index f6d35f370..5b2853bc8 100644 +--- a/src/tests/dejagnu/pkinit-certs/user.pem ++++ b/src/tests/dejagnu/pkinit-certs/user.pem +@@ -3,26 +3,26 @@ MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx + FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG + A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz + dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +-b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG 
++b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG + A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF + U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd +-+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R +-AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA +-O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6 +-ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN +-G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFGvA +-yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM +-rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz ++CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri ++oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu ++7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 +++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD ++OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv ++Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFK8S ++4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm ++wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz + ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM + IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu + aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P + BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b + C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF +-AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQAzbpwzIFJk3a1BsrL7KT3B6aYNs5Z4bnwm +-9dG3D2S1OFSQAbQt/ap5Tjz1RWabqWaSb6ufAKudQ6Ab2uKT8QhtmVByQYKDLYvn +-bIGgoSeAcvWHWsTeReSADr2b0E9+UT8znvBDQGED39C1AgiVUWHgIExYU0kBrP3G +-1CgWQLb7nZC5rKOkcK/Nm4XL7Oe+neiCr4j9adbGxeNHmt8HPuLuNL9TWkMAkcFo +-5INHHFzNmW2aHdvO+7lDbK8/E0QwiES6UbBvQOkTyhC4W5u2Yy7qbpsQleu6jOEz +-l8b05sf4FxhHevHtYUVuyhMOg8DPmfclnGX0Dms7aLf0s3oeSVt+ 
++AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQClwfj6ACfmDie1YoKzr3zSWZJKZimv7wG1 ++iZMNPE6bw22ZmE+P+Vq6WrY5M5e4u7ZdvFmkVq3rUA0HoU6bk3YLGapgsEAG6W1R ++LVzxwoYDf4poOMqjCL34eLFdlVeRDADiulROE8bJGrPLJIiqeii0c7Kzxxuh5nxl ++QHDgNV0fHQQJlejgJssOqgGErsCXCq7k6kkqB8MnKVMErRjsYuY3YI2tpjxBq9nA ++A9dXgIU1zEUVzfpxzBjL9+2pMctbL1y4/ePpTP1+PlfI81TwrQNvMGYjxKNZM1ab ++lZt37n8GQUZQyZ2TacR4JyY+w20ivE/JPN0L3Ncmem6bO1CULpwO + -----END CERTIFICATE----- diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch new file mode 100644 index 0000000..e78029f --- /dev/null +++ b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch 
@@ -0,0 +1,422 @@
+From 4dcab7d706331b469678f3a516cd67fffd331058 Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Wed, 29 Mar 2017 10:35:13 -0400
+Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
+
+ticket: 8568 (new)
+(cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++---------
+ src/plugins/preauth/pkinit/pkinit_identity.c | 3 -
+ src/plugins/preauth/pkinit/pkinit_matching.c | 1 +
+ src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++----
+ src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++-
+ 5 files changed, 97 insertions(+), 45 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 90c30dbf5..70e230ec2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context,
+
+ X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert),
+ buf, sizeof(buf));
+- pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf);
+
+ if ((i = X509_get_ext_by_NID(reqctx->received_cert,
+ NID_ext_key_usage, -1)) >= 0) {
+@@ -2354,7 +2353,6 @@ crypto_check_cert_eku(krb5_context context,
+
+ if (found_eku) {
+ ASN1_BIT_STRING *usage = NULL;
+- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+
+ /* check that digitalSignature KeyUsage is present */
+ X509_check_ca(reqctx->received_cert);
+@@ -2363,12 +2361,10 @@ crypto_check_cert_eku(krb5_context context,
+
+ if (!ku_reject(reqctx->received_cert,
+ X509v3_KU_DIGITAL_SIGNATURE)) {
+- pkiDebug("%s: found digitalSignature KU\n",
+- __FUNCTION__);
++ TRACE_PKINIT_EKU(context);
+ *valid_eku = 1;
+ } else
+- pkiDebug("%s: didn't find digitalSignature KU\n",
+- __FUNCTION__);
++ TRACE_PKINIT_EKU_NO_KU(context);
+ }
+ ASN1_BIT_STRING_free(usage);
+ }
+@@ -4317,8 +4313,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+
+ fp = fopen(idopts->cert_filename, "rb");
+ if (fp == NULL) {
+- pkiDebug("Failed to open PKCS12 file '%s', error %d\n",
+- idopts->cert_filename, errno);
++ TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno);
+ goto cleanup;
+ }
+ set_cloexec_file(fp);
+@@ -4326,8 +4321,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ p12 = d2i_PKCS12_fp(fp, NULL);
+ fclose(fp);
+ if (p12 == NULL) {
+- pkiDebug("Failed to decode PKCS12 file '%s' contents\n",
+- idopts->cert_filename);
++ TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename);
+ goto cleanup;
+ }
+ /*
+@@ -4345,7 +4339,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ char *p12name = reassemble_pkcs12_name(idopts->cert_filename);
+ const char *tmp;
+
+- pkiDebug("Initial PKCS12_parse with no password failed\n");
++ TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context);
+
+ if (id_cryptoctx->defer_id_prompt) {
+ /* Supply the identity name to be passed to the responder.
*/
+@@ -4386,14 +4380,14 @@ pkinit_get_certs_pkcs12(krb5_context context,
+ NULL, NULL, 1, &kprompt);
+ k5int_set_prompt_types(context, 0);
+ if (r) {
+- pkiDebug("Failed to prompt for PKCS12 password");
++ TRACE_PKINIT_PKCS_PROMPT_FAIL(context);
+ goto cleanup;
+ }
+ }
+
+ ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
+ if (ret == 0) {
+- pkiDebug("Second PKCS12_parse with password failed\n");
++ TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context);
+ goto cleanup;
+ }
+ }
+@@ -4516,8 +4510,7 @@ pkinit_get_certs_fs(krb5_context context,
+ }
+
+ if (idopts->key_filename == NULL) {
+- pkiDebug("%s: failed to get user's private key location\n",
+- __FUNCTION__);
++ TRACE_PKINIT_NO_PRIVKEY(context);
+ goto cleanup;
+ }
+
+@@ -4545,8 +4538,7 @@ pkinit_get_certs_dir(krb5_context context,
+ char *dirname, *suf;
+
+ if (idopts->cert_filename == NULL) {
+- pkiDebug("%s: failed to get user's certificate directory location\n",
+- __FUNCTION__);
++ TRACE_PKINIT_NO_CERT(context);
+ return ENOENT;
+ }
+
+@@ -4590,8 +4582,7 @@ pkinit_get_certs_dir(krb5_context context,
+ retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx,
+ certname, keyname, i);
+ if (retval == 0) {
+- pkiDebug("%s: Successfully loaded cert (and key) for %s\n",
+- __FUNCTION__, dentry->d_name);
++ TRACE_PKINIT_LOADED_CERT(context, dentry->d_name);
+ i++;
+ }
+ else
+@@ -4599,8 +4590,7 @@ pkinit_get_certs_dir(krb5_context context,
+ }
+
+ if (!id_cryptoctx->defer_id_prompt && i == 0) {
+- pkiDebug("%s: No cert/key pairs found in directory '%s'\n",
+- __FUNCTION__, idopts->cert_filename);
++ TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename);
+ retval = ENOENT;
+ goto cleanup;
+ }
+@@ -5370,9 +5360,7 @@ crypto_cert_select_default(krb5_context context,
+ goto errout;
+ }
+ if (cert_count != 1) {
+- pkiDebug("%s: ERROR: There are %d certs to choose from, "
+- "but there must be exactly one.\n",
+- __FUNCTION__, cert_count);
++ TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count);
+ retval = EINVAL;
+
goto errout;
+ }
+@@ -5520,7 +5508,7 @@ load_cas_and_crls(krb5_context context,
+ switch(catype) {
+ case CATYPE_ANCHORS:
+ if (sk_X509_num(ca_certs) == 0) {
+- pkiDebug("no anchors in file, %s\n", filename);
++ TRACE_PKINIT_NO_CA_ANCHOR(context, filename);
+ if (id_cryptoctx->trustedCAs == NULL)
+ sk_X509_free(ca_certs);
+ } else {
+@@ -5530,7 +5518,7 @@ load_cas_and_crls(krb5_context context,
+ break;
+ case CATYPE_INTERMEDIATES:
+ if (sk_X509_num(ca_certs) == 0) {
+- pkiDebug("no intermediates in file, %s\n", filename);
++ TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename);
+ if (id_cryptoctx->intermediateCAs == NULL)
+ sk_X509_free(ca_certs);
+ } else {
+@@ -5540,7 +5528,7 @@ load_cas_and_crls(krb5_context context,
+ break;
+ case CATYPE_CRLS:
+ if (sk_X509_CRL_num(ca_crls) == 0) {
+- pkiDebug("no crls in file, %s\n", filename);
++ TRACE_PKINIT_NO_CRL(context, filename);
+ if (id_cryptoctx->revoked == NULL)
+ sk_X509_CRL_free(ca_crls);
+ } else {
+@@ -5626,14 +5614,14 @@ crypto_load_cas_and_crls(krb5_context context,
+ int catype,
+ char *id)
+ {
+- pkiDebug("%s: called with idtype %s and catype %s\n",
+- __FUNCTION__, idtype2string(idtype), catype2string(catype));
+ switch (idtype) {
+ case IDTYPE_FILE:
++ TRACE_PKINIT_LOAD_FROM_FILE(context);
+ return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx, catype, id);
+ break;
+ case IDTYPE_DIR:
++ TRACE_PKINIT_LOAD_FROM_DIR(context);
+ return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx, catype, id);
+ break;
+diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
+index a897efa25..737552e85 100644
+--- a/src/plugins/preauth/pkinit/pkinit_identity.c
++++ b/src/plugins/preauth/pkinit/pkinit_identity.c
+@@ -608,7 +608,6 @@ pkinit_identity_prompt(krb5_context context,
+ retval = pkinit_cert_matching(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx, princ);
+ if (retval) {
+- pkiDebug("%s: No matching
certificate found\n", __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
+@@ -621,8 +620,6 @@ pkinit_identity_prompt(krb5_context context,
+ retval = crypto_cert_select_default(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx);
+ if (retval) {
+- pkiDebug("%s: Failed while selecting default certificate\n",
+- __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
+diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
+index a50c50c8d..cad4c2b9a 100644
+--- a/src/plugins/preauth/pkinit/pkinit_matching.c
++++ b/src/plugins/preauth/pkinit/pkinit_matching.c
+@@ -812,6 +812,7 @@ pkinit_cert_matching(krb5_context context,
+ goto cleanup;
+ }
+ } else {
++ TRACE_PKINIT_NO_MATCHING_CERT(context);
+ retval = ENOENT; /* XXX */
+ goto cleanup;
+ }
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 32ca122f2..9c6e96c9e 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -188,6 +188,7 @@ verify_client_san(krb5_context context,
+ plgctx->opts->allow_upn ?
&upns : NULL,
+ NULL);
+ if (retval == ENOENT) {
++ TRACE_PKINIT_SERVER_NO_SAN(context);
+ goto out;
+ } else if (retval) {
+ pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
+@@ -224,7 +225,7 @@ verify_client_san(krb5_context context,
+ krb5_free_unparsed_name(context, san_string);
+ #endif
+ if (cb->match_client(context, rock, princs[i])) {
+- pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context);
+ *valid_san = 1;
+ retval = 0;
+ goto out;
+@@ -252,7 +253,7 @@ verify_client_san(krb5_context context,
+ krb5_free_unparsed_name(context, san_string);
+ #endif
+ if (cb->match_client(context, rock, upns[i])) {
+- pkiDebug("%s: upn san match found\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
+ *valid_san = 1;
+ retval = 0;
+ goto out;
+@@ -300,7 +301,7 @@ verify_client_eku(krb5_context context,
+ *eku_accepted = 0;
+
+ if (plgctx->opts->require_eku == 0) {
+- pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__);
++ TRACE_PKINIT_SERVER_EKU_SKIP(context);
+ *eku_accepted = 1;
+ retval = 0;
+ goto out;
+@@ -364,6 +365,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
+ ret = KRB5_PLUGIN_NO_HANDLE;
+ for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
+ h = certauth_modules[i];
++ TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name);
+ ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
+ &opts, db_ent, &ais);
+ if (ret == 0)
+@@ -449,7 +451,7 @@ pkinit_server_verify_padata(krb5_context context,
+
+ switch ((int)data->pa_type) {
+ case KRB5_PADATA_PK_AS_REQ:
+- pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY(context);
+ retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp);
+ if (retval) {
+ pkiDebug("decode_krb5_pa_pk_as_req failed\n");
+@@ -472,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context,
+ break;
+ case KRB5_PADATA_PK_AS_REP_OLD:
+
case KRB5_PADATA_PK_AS_REQ_OLD:
+- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context);
+ retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9);
+ if (retval) {
+ pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n");
+@@ -500,7 +502,7 @@ pkinit_server_verify_padata(krb5_context context,
+ goto cleanup;
+ }
+ if (retval) {
+- pkiDebug("pkcs7_signeddata_verify failed\n");
++ TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context);
+ goto cleanup;
+ }
+ if (is_signed) {
+@@ -830,7 +832,7 @@ pkinit_server_return_padata(krb5_context context,
+ return ENOENT;
+ }
+
+- pkiDebug("pkinit_return_padata: entered!\n");
++ TRACE_PKINIT_SERVER_RETURN_PADATA(context);
+ reqctx = (pkinit_kdc_req_context)modreq;
+
+ if (encrypting_key->contents) {
+@@ -1463,8 +1465,7 @@ pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return ret;
+
+ if (!valid_san) {
+- pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
+- __FUNCTION__);
++ TRACE_PKINIT_SERVER_SAN_REJECT(context);
+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+ }
+
+@@ -1490,8 +1491,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return ret;
+
+ if (!valid_eku) {
+- pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
+- __FUNCTION__);
++ TRACE_PKINIT_SERVER_EKU_REJECT(context);
+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+ }
+
+@@ -1617,7 +1617,7 @@ pkinit_server_plugin_init(krb5_context context,
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < numrealms; i++) {
+- pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]);
++ TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
+ retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
+ if (retval == 0 && plgctx != NULL)
+ realm_contexts[j++] = plgctx;
+diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
+index 458d0961e..6abe28c0c 100644
+---
a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -52,7 +52,7 @@ + #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \ + TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \ + "received {cksum}", expected, received) +-#define TRACE_PKINIT_CLIENT_REP_DH(c) \ ++#define TRACE_PKINIT_CLIENT_REP_DH(c) \ + TRACE(c, "PKINIT client verified DH reply") + #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \ + TRACE(c, "PKINIT client could not verify DH reply") +@@ -91,6 +91,72 @@ + #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ + TRACE(c, "PKINIT OpenSSL error: {str}", msg) + ++#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \ ++ TRACE(c, "PKINIT server authorizing cert with module {str}", \ ++ modname) ++#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \ ++ TRACE(c, "PKINIT server found no acceptable EKU in client cert") ++#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \ ++ TRACE(c, "PKINIT server skipping EKU check due to configuration") ++#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \ ++ TRACE(c, "PKINIT server initializing realm {str}", realm) ++#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \ ++ TRACE(c, "PKINIT server found a matching UPN SAN in client cert") ++#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \ ++ TRACE(c, "PKINIT server found a matching SAN in client cert") ++#define TRACE_PKINIT_SERVER_NO_SAN(c) \ ++ TRACE(c, "PKINIT server found no SAN in client cert") ++#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \ ++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ") ++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \ ++ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD") ++#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \ ++ TRACE(c, "PKINIT server failed to verify PA data") ++#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \ ++ TRACE(c, "PKINIT server returning PA data") ++#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \ ++ TRACE(c, "PKINIT server found no acceptable SAN in client 
cert") ++ ++#define TRACE_PKINIT_EKU(c) \ ++ TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU") ++#define TRACE_PKINIT_EKU_NO_KU(c) \ ++ TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU") ++#define TRACE_PKINIT_LOADED_CERT(c, name) \ ++ TRACE(c, "PKINIT loaded cert and key for {str}", name) ++#define TRACE_PKINIT_LOAD_FROM_FILE(c) \ ++ TRACE(c, "PKINIT loading CA certs and CRLs from FILE") ++#define TRACE_PKINIT_LOAD_FROM_DIR(c) \ ++ TRACE(c, "PKINIT loading CA certs and CRLs from DIR") ++#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \ ++ TRACE(c, "PKINIT no anchor CA in file {str}", file) ++#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \ ++ TRACE(c, "PKINIT no intermediate CA in file {str}", file) ++#define TRACE_PKINIT_NO_CERT(c) \ ++ TRACE(c, "PKINIT no certificate provided") ++#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \ ++ TRACE(c, "PKINIT no cert and key pair found in directory {str}", \ ++ dirname) ++#define TRACE_PKINIT_NO_CRL(c, file) \ ++ TRACE(c, "PKINIT no CRL in file {str}", file) ++#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \ ++ TRACE(c, "PKINIT error: There are {int} certs, but there must " \ ++ "be exactly one.", count) ++#define TRACE_PKINIT_NO_MATCHING_CERT(c) \ ++ TRACE(c, "PKINIT no matching certificate found") ++#define TRACE_PKINIT_NO_PRIVKEY(c) \ ++ TRACE(c, "PKINIT no private key provided") ++#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \ ++ TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name) ++#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \ ++ TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \ ++ name, err) ++#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \ ++ TRACE(c, "PKINIT initial PKCS12_parse with no password failed") ++#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \ ++ TRACE(c, "PKINIT second PKCS12_parse with password failed") ++#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \ ++ TRACE(c, "PKINIT failed to prompt for PKCS12 password") ++ + #define 
TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \ + TRACE(c, "certauth module failed to init vtable: {kerr}", ret) + #define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \ diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch new file mode 100644 index 0000000..0c6ac83 --- /dev/null +++ b/Fix-certauth-built-in-module-returns.patch 
@@ -0,0 +1,124 @@ +From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Thu, 24 Aug 2017 11:11:46 -0400 +Subject: [PATCH] Fix certauth built-in module returns + +The PKINIT certauth eku module should never authoritatively authorize +a certificate, because an extended key usage does not establish a +relationship between the certificate and any specific user; it only +establishes that the certificate was created for PKINIT client +authentication. Therefore, pkinit_eku_authorize() should return +KRB5_PLUGIN_NO_HANDLE on success, not 0. + +The certauth san module should pass if it does not find any SANs of +the types it can match against; the presence of other types of SANs +should not cause it to explicitly deny a certificate. Check for an +empty result from crypto_retrieve_cert_sans() in verify_client_san(), +instead of returning ENOENT from crypto_retrieve_cert_sans() when +there are no SANs at all. + +ticket: 8561 +(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025) +--- + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------ + src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++--- + 2 files changed, 27 insertions(+), 26 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 70e230ec2..7fa2efd21 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context, + + if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { + pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__); +- retval = ENOENT; + goto cleanup; + } + num_sans = sk_GENERAL_NAME_num(ialt); +@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context, + sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); + + retval = 0; +- if (princs) ++ if (princs != 
NULL && *princs != NULL) { + *princs_ret = princs; +- if (upns) ++ princs = NULL; ++ } ++ if (upns != NULL && *upns != NULL) { + *upn_ret = upns; +- if (dnss) ++ upns = NULL; ++ } ++ if (dnss != NULL && *dnss != NULL) { + *dns_ret = dnss; ++ dnss = NULL; ++ } + + cleanup: +- if (retval) { +- if (princs != NULL) { +- for (i = 0; princs[i] != NULL; i++) +- krb5_free_principal(context, princs[i]); +- free(princs); +- } +- if (upns != NULL) { +- for (i = 0; upns[i] != NULL; i++) +- krb5_free_principal(context, upns[i]); +- free(upns); +- } +- if (dnss != NULL) { +- for (i = 0; dnss[i] != NULL; i++) +- free(dnss[i]); +- free(dnss); +- } +- } ++ for (i = 0; princs != NULL && princs[i] != NULL; i++) ++ krb5_free_principal(context, princs[i]); ++ free(princs); ++ for (i = 0; upns != NULL && upns[i] != NULL; i++) ++ krb5_free_principal(context, upns[i]); ++ free(upns); ++ for (i = 0; dnss != NULL && dnss[i] != NULL; i++) ++ free(dnss[i]); ++ free(dnss); + return retval; + } + +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 9c6e96c9e..8e77606f8 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -187,14 +187,18 @@ verify_client_san(krb5_context context, + &princs, + plgctx->opts->allow_upn ? 
&upns : NULL, + NULL); +- if (retval == ENOENT) { +- TRACE_PKINIT_SERVER_NO_SAN(context); +- goto out; +- } else if (retval) { ++ if (retval) { + pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); + retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; + goto out; + } ++ ++ if (princs == NULL && upns == NULL) { ++ TRACE_PKINIT_SERVER_NO_SAN(context); ++ retval = ENOENT; ++ goto out; ++ } ++ + /* XXX Verify this is consistent with client side XXX */ + #if 0 + retval = call_san_checking_plugins(context, plgctx, reqctx, princs, +@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, + return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; + } + +- return 0; ++ return KRB5_PLUGIN_NO_HANDLE; + } + + static krb5_error_code diff --git a/Make-certauth-eku-module-restrictive-only.patch b/Make-certauth-eku-module-restrictive-only.patch deleted file mode 100644 index 40c008d..0000000 --- a/Make-certauth-eku-module-restrictive-only.patch +++ /dev/null 
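Review bot: In the verify_client_san() hunk of the added Fix-certauth-built-in-module-returns.patch, ENOENT becomes an in-band signal for "no SAN of a type this module can match", and the reason is recorded only in the commit message; a comment on the new `if (princs == NULL && upns == NULL)` block, such as `/* No matchable SANs: return ENOENT so the caller can pass rather than deny. */`, would keep a later edit from folding it back into the error path just above. The final `return KRB5_PLUGIN_NO_HANDLE;` in pkinit_eku_authorize() deserves the same treatment, e.g. `/* An acceptable EKU does not bind the cert to a principal; never authorize on it alone. */`. When allow_upn is off the retrieval call is given NULL instead of `&upns`, so upns presumably stays NULL and a certificate carrying only UPN SANs takes the no-SAN path as well; that looks intended, but it means acceptance then depends on some other certauth module returning 0, which the comment should say. Both functions begin and end outside these hunks, so how the caller translates ENOENT cannot be confirmed from here.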
@@ -1,31 +0,0 @@ -From 2b1a91087b668ab1021f1ca461b8210e7e015c8a Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Thu, 24 Aug 2017 11:11:46 -0400 -Subject: [PATCH] Make certauth eku module restrictive-only - -The PKINIT certauth eku module should never authoritatively authorize -a certificate, because an extended key usage does not establish a -relationship between the certificate and any specific user; it only -establishes that the certificate was created for PKINIT client -authentication. Therefore, pkinit_eku_authorize() should return -KRB5_PLUGIN_NO_HANDLE on success, not 0. - -ticket: 8561 -(cherry picked from commit aca6fd6bc07934a90a18a70116ea3b620228950a) ---- - src/plugins/preauth/pkinit/pkinit_srv.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index 32ca122f2..d7a604c80 100644 ---- a/src/plugins/preauth/pkinit/pkinit_srv.c -+++ b/src/plugins/preauth/pkinit/pkinit_srv.c -@@ -1495,7 +1495,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, - return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; - } - -- return 0; -+ return KRB5_PLUGIN_NO_HANDLE; - } - - static krb5_error_code @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.15.1 # for prerelease, should be e.g., 0.3.beta2%{?dist} -Release: 25%{?dist} +Release: 27%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with 
@@ -91,7 +91,11 @@ Patch62: Fix-more-time-manipulations-for-y2038.patch Patch63: Use-krb5_timestamp-where-appropriate.patch Patch64: Add-KDC-policy-pluggable-interface.patch Patch65: Fix-bugs-in-kdcpolicy-commit.patch -Patch66: Make-certauth-eku-module-restrictive-only.patch +Patch66: Convert-some-pkiDebug-messages-to-TRACE-macros.patch +Patch67: Fix-certauth-built-in-module-returns.patch +Patch68: Add-test-cert-with-no-extensions.patch +Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch +Patch70: Add-hostname-based-ccselect-module.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -743,6 +747,13 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-27 +- Add hostname-based ccselect module +- Resolves: #1463665 + +* Tue Sep 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-26 +- Backport upstream certauth EKU fixes + * Fri Aug 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-25 - Backport certauth eku security fix |