Add support for exporting OpenSSL's TRUSTED CERTIFICATE format

11 files changed, 1288 insertions, 0 deletions

diff --git a/tools/tests/Makefile.am b/tools/tests/Makefile.am
index bf1d32d..e50836d 100644
--- a/tools/tests/Makefile.am
+++ b/tools/tests/Makefile.am
@@ -37,10 +37,12 @@ libtestcommon_la_SOURCES = \
 	test.c test.h
 
 CHECK_PROGS = \
+	test-utf8 \
 	test-save \
 	test-extract \
 	test-x509 \
 	test-pem \
+	test-openssl \
 	$(NULL)
 
 noinst_PROGRAMS = \
@@ -72,4 +74,17 @@ test_pem_SOURCES = \
 	$(TOOLS)/save.c \
 	$(NULL)
 
+test_openssl_SOURCES = \
+	test-openssl.c \
+	$(TOOLS)/extract-info.c \
+	$(TOOLS)/extract-openssl.c \
+	$(TOOLS)/save.c \
+	$(TOOLS)/utf8.c \
+	$(NULL)
+
+test_utf8_SOURCES = \
+	test-utf8.c \
+	$(TOOLS)/utf8.c \
+	$(NULL)
+
 endif # WITH_ASN1
diff --git a/tools/tests/files/cacert3-distrust-all.pem b/tools/tests/files/cacert3-distrust-all.pem
new file mode 100644
index 0000000..ce5d887
--- /dev/null
+++ b/tools/tests/files/cacert3-distrust-all.pem
@@ -0,0 +1,44 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijBSoFAGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG
+CCsGAQUFBwMEBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQcD
+CA==
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-distrusted-all.pem b/tools/tests/files/cacert3-distrusted-all.pem
new file mode 100644
index 0000000..4a04a39
--- /dev/null
+++ b/tools/tests/files/cacert3-distrusted-all.pem
@@ -0,0 +1,43 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijBIoEYGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG
+CCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFBwMI
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-not-trusted.pem b/tools/tests/files/cacert3-not-trusted.pem
new file mode 100644
index 0000000..eaa2e54
--- /dev/null
+++ b/tools/tests/files/cacert3-not-trusted.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijACMAA=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-alias.pem b/tools/tests/files/cacert3-trusted-alias.pem
new file mode 100644
index 0000000..44601ea
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-alias.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-client-server-alias.pem b/tools/tests/files/cacert3-trusted-client-server-alias.pem
new file mode 100644
index 0000000..c767eff
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-client-server-alias.pem
@@ -0,0 +1,43 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAwMBQGCCsGAQUFBwMCBggrBgEFBQcDAaAKBggrBgEFBQcD
+BAwMQ3VzdG9tIExhYmVs
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-keyid.pem b/tools/tests/files/cacert3-trusted-keyid.pem
new file mode 100644
index 0000000..e652733
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-keyid.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAJBAcAAQIDBAUG
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-multiple.pem b/tools/tests/files/cacert3-trusted-multiple.pem
new file mode 100644
index 0000000..5f8071b
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-multiple.pem
@@ -0,0 +1,85 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAwMBQGCCsGAQUFBwMCBggrBgEFBQcDAaAKBggrBgEFBQcD
+BAwMQ3VzdG9tIExhYmVs
+-----END TRUSTED CERTIFICATE-----
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/test-openssl.c b/tools/tests/test-openssl.c
new file mode 100644
index 0000000..a48220d
--- /dev/null
+++ b/tools/tests/test-openssl.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (c) 2011, Collabora Ltd.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@collabora.co.uk>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include "attrs.h"
+#include "buffer.h"
+#include "compat.h"
+#include "debug.h"
+#include "dict.h"
+#include "extract.h"
+#include "library.h"
+#include "mock.h"
+#include "pkcs11.h"
+#include "pkcs11x.h"
+#include "oid.h"
+#include "test.h"
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+
+struct {
+	CK_FUNCTION_LIST module;
+	P11KitIter *iter;
+	p11_extract_info ex;
+	char *directory;
+} test;
+
+static void
+setup (CuTest *tc)
+{
+	CK_RV rv;
+
+	memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST));
+	rv = p11_kit_initialize_module (&test.module);
+	CuAssertIntEquals (tc, CKR_OK, rv);
+
+	mock_module_reset_objects (MOCK_SLOT_ONE_ID);
+
+	test.iter = p11_kit_iter_new (NULL);
+
+	p11_extract_info_init (&test.ex);
+
+	test.directory = strdup ("/tmp/test-extract.XXXXXX");
+	if (!mkdtemp (test.directory))
+		assert_not_reached ();
+}
+
+static void
+teardown (CuTest *tc)
+{
+	CK_RV rv;
+
+	if (rmdir (test.directory) < 0)
+		assert_not_reached ();
+	free (test.directory);
+
+	p11_extract_info_cleanup (&test.ex);
+	p11_kit_iter_free (test.iter);
+
+	rv = p11_kit_finalize_module (&test.module);
+	CuAssertIntEquals (tc, CKR_OK, rv);
+}
+
+static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE;
+static CK_OBJECT_CLASS extension_class = CKO_X_CERTIFICATE_EXTENSION;
+static CK_CERTIFICATE_TYPE x509_type = CKC_X_509;
+static CK_BBOOL vtrue = CK_TRUE;
+
+static CK_ATTRIBUTE cacert3_authority_attrs[] = {
+	{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+	{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+	{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+	{ CKA_LABEL, "Custom Label", 12 },
+	{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+	{ CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+	{ CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_eku_client_server[] = {
+	{ CKA_CLASS, &extension_class, sizeof (extension_class) },
+	{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+	{ CKA_VALUE, (void *)test_eku_client_and_server, sizeof (test_eku_client_and_server) },
+	{ CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_reject_email[] = {
+	{ CKA_CLASS, &extension_class, sizeof (extension_class) },
+	{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+	{ CKA_VALUE, (void *)test_eku_email, sizeof (test_eku_email) },
+	{ CKA_INVALID },
+};
+
+static CK_ATTRIBUTE certificate_filter[] = {
+	{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+	{ CKA_INVALID },
+};
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+               ...) GNUC_NULL_TERMINATED;
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+               ...)
+{
+	static CK_ULONG id_value = 8888;
+
+	CK_ATTRIBUTE id = { CKA_ID, &id_value, sizeof (id_value) };
+	CK_ATTRIBUTE *copy;
+	va_list va;
+
+	va_start (va, attrs);
+	while (attrs != NULL) {
+		copy = p11_attrs_build (p11_attrs_dup (attrs), &id, NULL);
+		assert (copy != NULL);
+		mock_module_take_object (MOCK_SLOT_ONE_ID, copy);
+		attrs = va_arg (va, const CK_ATTRIBUTE *);
+	}
+	va_end (va);
+
+	id_value++;
+}
+
+static void
+test_file (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+
+	setup_objects (cacert3_authority_attrs,
+	               extension_eku_client_server,
+	               extension_reject_email,
+	               NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-trusted-client-server-alias.pem");
+
+	teardown (tc);
+}
+
+static void
+test_plain (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+	setup_objects (cacert3_authority_attrs, NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-trusted-alias.pem");
+
+	teardown (tc);
+}
+
+static void
+test_keyid (CuTest *tc)
+{
+	bool ret;
+
+	static CK_ATTRIBUTE cacert3_plain[] = {
+		{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+		{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+		{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+		{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+		{ CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+		{ CKA_INVALID },
+	};
+
+	static unsigned char identifier[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+
+	static CK_ATTRIBUTE extension_subject_key_identifier[] = {
+		{ CKA_CLASS, &extension_class, sizeof (extension_class) },
+		{ CKA_OBJECT_ID, (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) },
+		{ CKA_VALUE, identifier, sizeof (identifier) },
+		{ CKA_INVALID },
+	};
+
+	setup (tc);
+	setup_objects (cacert3_plain, extension_subject_key_identifier, NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-trusted-keyid.pem");
+
+	teardown (tc);
+}
+
+static void
+test_not_authority (CuTest *tc)
+{
+	bool ret;
+
+	static CK_ATTRIBUTE cacert3_not_trusted[] = {
+		{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+		{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+		{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+		{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+		{ CKA_INVALID },
+	};
+
+	setup (tc);
+	setup_objects (cacert3_not_trusted, NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-not-trusted.pem");
+
+	teardown (tc);
+}
+
+static void
+test_distrust_all (CuTest *tc)
+{
+	bool ret;
+
+	static CK_ATTRIBUTE cacert3_blacklist[] = {
+		{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+		{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+		{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+		{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+		{ CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) },
+		{ CKA_INVALID },
+	};
+
+	setup (tc);
+
+	setup_objects (cacert3_blacklist, NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-distrust-all.pem");
+
+	teardown (tc);
+}
+
+static void
+test_file_multiple (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+
+	setup_objects (cacert3_authority_attrs,
+	               extension_eku_client_server,
+	               extension_reject_email,
+	               NULL);
+
+	setup_objects (cacert3_authority_attrs,
+	               NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_file (tc, test.directory, "extract.pem",
+	                 SRCDIR "/files/cacert3-trusted-multiple.pem");
+
+	teardown (tc);
+}
+
+static void
+test_file_without (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+		assert_not_reached ();
+
+	ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_data (tc, test.directory, "extract.pem", "", 0);
+
+	teardown (tc);
+}
+
+/* From extract-openssl.c */
+void p11_openssl_canon_string (char *str, long *len);
+
+static void
+test_canon_string (CuTest *tc)
+{
+	struct {
+		char *input;
+		int input_len;
+		char *output;
+		int output_len;
+	} fixtures[] = {
+		{ "A test", -1, "a test", -1 },
+		{ "   Strip spaces   ", -1, "strip spaces", -1 },
+		{ " Collapse \n\t spaces", -1, "collapse spaces", -1 },
+		{ "Ignore non-ASCII \303\204", -1, "ignore non-ascii \303\204", -1 },
+		{ "no-space", -1, "no-space", -1 },
+	};
+
+	char *str;
+	long len;
+	long out;
+	int i;
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		len = fixtures[i].input_len;
+		if (len < 0)
+			len = strlen (fixtures[i].input);
+		str = strndup (fixtures[i].input, len);
+
+		p11_openssl_canon_string (str, &len);
+
+		out = fixtures[i].output_len;
+		if (out < 0)
+			out = strlen (fixtures[i].output);
+		CuAssertIntEquals (tc, out, len);
+		CuAssertStrEquals (tc, fixtures[i].output, str);
+
+		free (str);
+	}
+}
+
+bool   p11_openssl_canon_string_der  (p11_buffer *der);
+
+static void
+test_canon_string_der (CuTest *tc)
+{
+	struct {
+		unsigned char input[100];
+		int input_len;
+		unsigned char output[100];
+		int output_len;
+	} fixtures[] = {
+		/* UTF8String */
+		{ { 0x0c, 0x0f, 0xc3, 0x84, ' ', 'U', 'T', 'F', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', ' ', }, 17,
+		  { 0x0c, 0x0e, 0xc3, 0x84, ' ', 'u', 't', 'f', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', }, 16,
+		},
+
+		/* NumericString */
+		{ { 0x12, 0x04, '0', '1', '2', '3', }, 6,
+		  { 0x0c, 0x04, '0', '1', '2', '3' }, 6,
+		},
+
+		/* IA5String */
+		{ { 0x16, 0x04, ' ', 'A', 'B', ' ', }, 6,
+		  { 0x0c, 0x02, 'a', 'b',  }, 4,
+		},
+
+		/* TeletexString */
+		{ { 0x14, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+		  { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8,
+		},
+
+		/* PrintableString */
+		{ { 0x13, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+		  { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8,
+		},
+
+		/* No change, not a known string type */
+		{ { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+		  { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9
+		},
+
+		/* UniversalString */
+		{ { 0x1c, 0x14, 0x00, 0x00, 0x00, 'F', 0x00, 0x00, 0x00, 'u',
+		    0x00, 0x00, 0x00, 'n', 0x00, 0x00, 0x00, ' ', 0x00, 0x01, 0x03, 0x19, }, 22,
+		  { 0x0c, 0x08, 'f', 'u', 'n', ' ', 0xf0, 0x90, 0x8c, 0x99 }, 10,
+		},
+
+		/* BMPString */
+		{ { 0x1e, 0x0a, 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 12,
+		  { 0x0c, 0x06, 'v', 0xc3, 0xb6, 'g', 'e', 'l' }, 8,
+		},
+	};
+
+	p11_buffer buf;
+	bool ret;
+	int i;
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+		                      fixtures[i].input_len, 0, realloc, free);
+
+		ret = p11_openssl_canon_string_der (&buf);
+		CuAssertIntEquals (tc, true, ret);
+
+		CuAssertIntEquals (tc, fixtures[i].output_len, buf.len);
+		CuAssertTrue (tc, memcmp (buf.data, fixtures[i].output, buf.len) == 0);
+
+		p11_buffer_uninit (&buf);
+	}
+}
+
+bool   p11_openssl_canon_name_der     (p11_dict *asn1_defs,
+                                       p11_buffer *der);
+
+static void
+test_canon_name_der (CuTest *tc)
+{
+	struct {
+		unsigned char input[100];
+		int input_len;
+		unsigned char output[100];
+		int output_len;
+	} fixtures[] = {
+		{ { '0', 'T', '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a,
+		    0x13, 0x0b, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'I', 'n',
+		    'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04,
+		    0x0b, 0x13, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w',
+		    'w', 'w', '.', 'C', 'A', 'c', 'e', 'r', 't', '.', 'o', 'r',
+		    'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x13,
+		    0x13, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'C', 'l', 'a', 's',
+		    's', 0x20, '3', 0x20, 'R', 'o', 'o', 't', }, 86,
+		  { '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a,
+		    0x0c, 0x0b, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'i', 'n',
+		    'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04,
+		    0x0b, 0x0c, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w',
+		    'w', 'w', '.', 'c', 'a', 'c', 'e', 'r', 't', '.', 'o', 'r',
+		    'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x0c,
+		    0x13, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'c', 'l', 'a', 's',
+		    's', 0x20, '3', 0x20, 'r', 'o', 'o', 't', }, 84,
+		},
+		{ { '0', 0x00, }, 2,
+		  { }, 0,
+		},
+	};
+
+	p11_buffer buf;
+	p11_dict *asn1_defs;
+	bool ret;
+	int i;
+
+	asn1_defs = p11_asn1_defs_load ();
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+		                      fixtures[i].input_len, 0, realloc, free);
+
+		ret = p11_openssl_canon_name_der (asn1_defs, &buf);
+		CuAssertIntEquals (tc, true, ret);
+
+		CuAssertIntEquals (tc, fixtures[i].output_len, buf.len);
+		CuAssertTrue (tc, memcmp (buf.data, fixtures[i].output, buf.len) == 0);
+
+		p11_buffer_uninit (&buf);
+	}
+
+	p11_dict_free (asn1_defs);
+}
+
+static void
+test_canon_string_der_fail (CuTest *tc)
+{
+	struct {
+		unsigned char input[100];
+		int input_len;
+	} fixtures[] = {
+		{ { 0x0c, 0x02, 0xc3, 0xc4 /* Invalid UTF-8 */ }, 4 },
+		{ { 0x1e, 0x01, 0x00 /* Invalid UCS2 */ }, 3 },
+		{ { 0x1c, 0x02, 0x00, 0x01 /* Invalid UCS4 */ }, 4 },
+	};
+
+	p11_buffer buf;
+	bool ret;
+	int i;
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+		                      fixtures[i].input_len, 0, realloc, free);
+
+		ret = p11_openssl_canon_string_der (&buf);
+		CuAssertIntEquals (tc, false, ret);
+
+		p11_buffer_uninit (&buf);
+	}
+}
+
+static void
+test_directory (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+
+	setup_objects (cacert3_authority_attrs,
+	               extension_eku_client_server,
+	               extension_reject_email,
+	               NULL);
+
+	setup_objects (cacert3_authority_attrs,
+	               NULL);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	/* Yes, this is a race, and why you shouldn't build software as root */
+	if (rmdir (test.directory) < 0)
+		assert_not_reached ();
+	test.ex.destination = test.directory;
+
+	ret = p11_extract_openssl_directory (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_directory (tc, test.directory, ("Custom_Label.pem", "Custom_Label.1.pem",
+	                                           "e5662767.1", "e5662767.0", "590d426f.1", "590d426f.0", NULL));
+	test_check_file (tc, test.directory, "Custom_Label.pem",
+	                 SRCDIR "/files/cacert3-trusted-client-server-alias.pem");
+	test_check_file (tc, test.directory, "Custom_Label.1.pem",
+	                 SRCDIR "/files/cacert3-trusted-alias.pem");
+	test_check_symlink (tc, test.directory, "e5662767.0", "Custom_Label.pem");
+	test_check_symlink (tc, test.directory, "e5662767.1", "Custom_Label.1.pem");
+	test_check_symlink (tc, test.directory, "590d426f.0", "Custom_Label.pem");
+	test_check_symlink (tc, test.directory, "590d426f.1", "Custom_Label.1.pem");
+	teardown (tc);
+}
+
+static void
+test_directory_empty (CuTest *tc)
+{
+	bool ret;
+
+	setup (tc);
+
+	p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+	p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+	p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+	/* Yes, this is a race, and why you shouldn't build software as root */
+	if (rmdir (test.directory) < 0)
+		assert_not_reached ();
+	test.ex.destination = test.directory;
+
+	ret = p11_extract_openssl_directory (test.iter, &test.ex);
+	CuAssertIntEquals (tc, true, ret);
+
+	test_check_directory (tc, test.directory, (NULL, NULL));
+
+	teardown (tc);
+}
+
+int
+main (void)
+{
+	CuString *output = CuStringNew ();
+	CuSuite* suite = CuSuiteNew ();
+	int ret;
+
+	putenv ("P11_KIT_STRICT=1");
+	p11_debug_init ();
+
+	SUITE_ADD_TEST (suite, test_file);
+	SUITE_ADD_TEST (suite, test_plain);
+	SUITE_ADD_TEST (suite, test_keyid);
+	SUITE_ADD_TEST (suite, test_not_authority);
+	SUITE_ADD_TEST (suite, test_distrust_all);
+	SUITE_ADD_TEST (suite, test_file_multiple);
+	SUITE_ADD_TEST (suite, test_file_without);
+
+	SUITE_ADD_TEST (suite, test_canon_string);
+	SUITE_ADD_TEST (suite, test_canon_string_der);
+	SUITE_ADD_TEST (suite, test_canon_string_der_fail);
+	SUITE_ADD_TEST (suite, test_canon_name_der);
+
+	SUITE_ADD_TEST (suite, test_directory);
+	SUITE_ADD_TEST (suite, test_directory_empty);
+
+	CuSuiteRun (suite);
+	CuSuiteSummary (suite, output);
+	CuSuiteDetails (suite, output);
+	printf ("%s\n", output->buffer);
+	ret = suite->failCount;
+	CuSuiteDelete (suite);
+	CuStringDelete (output);
+
+	return ret;
+}
diff --git a/tools/tests/test-utf8.c b/tools/tests/test-utf8.c
new file mode 100644
index 0000000..d34f597
--- /dev/null
+++ b/tools/tests/test-utf8.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@collabora.co.uk>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include "utf8.h"
+
+#include <stdio.h>
+
+#define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+
+static void
+test_ucs2be (CuTest *cu)
+{
+	char *output;
+	size_t length;
+	int i;
+
+	struct {
+		const char *output;
+		size_t output_len;
+		const unsigned char input[100];
+		size_t input_len;
+	} fixtures[] = {
+		{ "This is a test", 14,
+		  { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, 's', 0x00, ' ', 0x00, 'i', 0x00, 's', 0x00, ' ',
+		    0x00, 'a', 0x00, ' ', 0x00, 't', 0x00, 'e', 0x00, 's', 0x00, 't' }, 28,
+		},
+		{ "V\303\266gel", 6,
+		  { 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 10,
+		},
+		{ "M\303\244nwich \340\264\205", 12,
+		  { 0x00, 'M', 0x00, 0xE4, 0x00, 'n', 0x00, 'w', 0x00, 'i', 0x00, 'c', 0x00, 'h',
+		    0x00, ' ', 0x0D, 0x05 }, 18,
+		}
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		output = p11_utf8_for_ucs2be (fixtures[i].input,
+		                              fixtures[i].input_len,
+		                              &length);
+
+		CuAssertIntEquals (cu, fixtures[i].output_len, length);
+		CuAssertStrEquals (cu, fixtures[i].output, output);
+	}
+}
+
+static void
+test_ucs2be_fail (CuTest *cu)
+{
+	char *output;
+	size_t length;
+	int i;
+
+	struct {
+		const unsigned char input[100];
+		size_t input_len;
+	} fixtures[] = {
+		{ { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, }, 7 /* truncated */ }
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		output = p11_utf8_for_ucs2be (fixtures[i].input,
+		                              fixtures[i].input_len,
+		                              &length);
+		CuAssertPtrEquals (cu, NULL, output);
+	}
+}
+
+static void
+test_ucs4be (CuTest *cu)
+{
+	char *output;
+	size_t length;
+	int i;
+
+	struct {
+		const char *output;
+		size_t output_len;
+		const unsigned char input[100];
+		size_t input_len;
+	} fixtures[] = {
+		{ "This is a test", 14,
+		  { 0x00, 0x00, 0x00, 'T',
+		    0x00, 0x00, 0x00, 'h',
+		    0x00, 0x00, 0x00, 'i',
+		    0x00, 0x00, 0x00, 's',
+		    0x00, 0x00, 0x00, ' ',
+		    0x00, 0x00, 0x00, 'i',
+		    0x00, 0x00, 0x00, 's',
+		    0x00, 0x00, 0x00, ' ',
+		    0x00, 0x00, 0x00, 'a',
+		    0x00, 0x00, 0x00, ' ',
+		    0x00, 0x00, 0x00, 't',
+		    0x00, 0x00, 0x00, 'e',
+		    0x00, 0x00, 0x00, 's',
+		    0x00, 0x00, 0x00, 't',
+		  }, 56,
+		},
+		{ "Fun \360\220\214\231", 8,
+		  { 0x00, 0x00, 0x00, 'F',
+		    0x00, 0x00, 0x00, 'u',
+		    0x00, 0x00, 0x00, 'n',
+		    0x00, 0x00, 0x00, ' ',
+		    0x00, 0x01, 0x03, 0x19, /* U+10319: looks like an antenna */
+		  }, 20,
+		}
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		output = p11_utf8_for_ucs4be (fixtures[i].input,
+		                              fixtures[i].input_len,
+		                              &length);
+
+		CuAssertIntEquals (cu, fixtures[i].output_len, length);
+		CuAssertStrEquals (cu, fixtures[i].output, output);
+	}
+}
+
+static void
+test_ucs4be_fail (CuTest *cu)
+{
+	char *output;
+	size_t length;
+	int i;
+
+	struct {
+		const unsigned char input[100];
+		size_t input_len;
+	} fixtures[] = {
+		{ { 0x00, 0x00, 'T',
+		  }, 7 /* truncated */ },
+		{ { 0x00, 0x00, 0x00, 'F',
+		    0x00, 0x00, 0x00, 'u',
+		    0x00, 0x00, 0x00, 'n',
+		    0x00, 0x00, 0x00, ' ',
+		    0xD8, 0x00, 0xDF, 0x19,
+		  }, 20,
+		}
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		output = p11_utf8_for_ucs4be (fixtures[i].input,
+		                              fixtures[i].input_len,
+		                              &length);
+		CuAssertPtrEquals (cu, NULL, output);
+	}
+}
+
+static void
+test_utf8 (CuTest *cu)
+{
+	bool ret;
+	int i;
+
+	struct {
+		const char *input;
+		size_t input_len;
+	} fixtures[] = {
+		{ "This is a test", 14 },
+		{ "Good news everyone", -1 },
+		{ "Fun \360\220\214\231", -1 },
+		{ "Fun invalid here: \xfe", 4 }, /* but limited length */
+		{ "V\303\266gel", 6, },
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		ret = p11_utf8_validate (fixtures[i].input,
+		                         fixtures[i].input_len);
+		CuAssertIntEquals (cu, true, ret);
+	}
+}
+
+static void
+test_utf8_fail (CuTest *cu)
+{
+	bool ret;
+	int i;
+
+	struct {
+		const char *input;
+		size_t input_len;
+	} fixtures[] = {
+		{ "This is a test\x80", 15 },
+		{ "Good news everyone\x88", -1 },
+		{ "Bad \xe0v following chars should be |0x80", -1 },
+		{ "Truncated \xe0", -1 },
+	};
+
+	for (i = 0; i < ELEMS (fixtures); i++) {
+		ret = p11_utf8_validate (fixtures[i].input,
+		                         fixtures[i].input_len);
+		CuAssertIntEquals (cu, false, ret);
+	}
+}
+
+int
+main (void)
+{
+	CuString *output = CuStringNew ();
+	CuSuite* suite = CuSuiteNew ();
+	int ret;
+
+	SUITE_ADD_TEST (suite, test_ucs2be);
+	SUITE_ADD_TEST (suite, test_ucs2be_fail);
+	SUITE_ADD_TEST (suite, test_ucs4be);
+	SUITE_ADD_TEST (suite, test_ucs4be_fail);
+	SUITE_ADD_TEST (suite, test_utf8);
+	SUITE_ADD_TEST (suite, test_utf8_fail);
+
+	CuSuiteRun (suite);
+	CuSuiteSummary (suite, output);
+	CuSuiteDetails (suite, output);
+	printf ("%s\n", output->buffer);
+	ret = suite->failCount;
+	CuSuiteDelete (suite);
+	CuStringDelete (output);
+
+	return ret;
+}
diff --git a/tools/tests/test.h b/tools/tests/test.h
index 2cc7c31..7cf2492 100644
--- a/tools/tests/test.h
+++ b/tools/tests/test.h
@@ -193,6 +193,15 @@ static const char test_eku_server_and_client[] = {
 	0x01, 0x05, 0x05, 0x07, 0x03, 0x02,
 };
 
+static const char test_eku_client_and_server[] = {
+	0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x08, 0x2b, 0x06,
+	0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
+};
+
+static const char test_eku_email[] = {
+	0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
+};
+
 static const char test_eku_none[] = {
 	0x30, 0x00,
 };