tests: pkcs1-pad: moved to cert-tests

7 files changed, 553 insertions, 2 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 664ee347cc..5b520eb89c 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -48,7 +48,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 	templates/template-tlsfeature.tmpl data/userid.pem \
 	data/template-tlsfeature.pem data/template-tlsfeature.csr \
 	templates/template-tlsfeature-crq.tmpl templates/arb-extensions.tmpl data/arb-extensions.pem \
-	data/arb-extensions.csr
+	data/arb-extensions.csr data/pkcs1-pad-ok.pem data/pkcs1-pad-broken.pem \
+	data/pkcs1-pad-ok2.pem data/pkcs1-pad-broken2.pem data/pkcs1-pad-broken3.pem
 
 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
 	pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
@@ -64,7 +65,7 @@ endif
 
 if !WINDOWS
 dist_check_SCRIPTS += template-test pem-decoding othername-test krb5-test sha3-test md5-test \
-	tlsfeature-test template-exts-test
+	tlsfeature-test template-exts-test pkcs1-pad
 endif
 
 if ENABLE_DANE
diff --git a/tests/cert-tests/data/pkcs1-pad-broken.pem b/tests/cert-tests/data/pkcs1-pad-broken.pem
new file mode 100644
index 0000000000..62cb076757
--- /dev/null
+++ b/tests/cert-tests/data/pkcs1-pad-broken.pem
@@ -0,0 +1,118 @@
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 00:E4:A7:CC:4E:10:C7:61:FF
+Subject: C=JP,ST=Tokyo,O=TEST 2 CLIENT,CN=www2.example.jp
+Issuer: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Thu Sep  7 18:40:37 2006
+	Not After: Fri Sep  7 18:40:37 2007
+Subject Public Key Info:
+	Public Key Algorithm: RSA (1024 bits)
+modulus:
+	bd:2a:59:ea:28:3d:0e:97:8a:07:ad:21:ee:28:b5:
+	46:2b:4d:ba:f9:27:e0:83:4e:7c:45:e3:0a:33:d2:
+	17:09:88:6c:62:6a:9f:25:af:29:38:8c:2b:38:2e:
+	11:89:06:e8:26:40:6e:cc:78:e2:dd:e4:be:c5:43:
+	79:47:79:59:90:51:80:ca:1e:41:dd:6d:34:90:54:
+	e0:15:f1:38:0f:1b:57:37:70:b2:dc:da:3d:e7:ae:
+	7d:0b:59:0e:f2:9f:33:87:a3:f9:fa:3f:8f:d9:58:
+	1f:db:9d:0a:e8:35:86:e6:8d:c9:b7:02:b6:28:f3:
+	1a:89:e4:75:d5:f8:24:45:
+public exponent:
+	01:00:01:
+
+X.509 Extensions:
+	Basic Constraints:
+		CA:FALSE
+	Subject Key ID: 
+		2B:40:D9:B5:DF:0A:D4:FD:A2:8F:D8:15:29:43:5C:1E:5C:7B:B8:22
+	Authority Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+	2.16.840.1.113730.1.13: 
+		DER Data: 161d4f70656e53534c2047656e657261746564204365727469666963617465
+		ASCII: ..OpenSSL Generated Certificate
+
+Other information:
+	MD5 Fingerprint: D6:44:CE:F7:04:D3:24:3D:D5:14:54:AE:5D:88:C3:FA
+	SHA1 Fingerprint: FB:86:09:B7:E3:5C:D5:EF:D3:75:8B:84:82:A4:22:28:B5:16:72:2A
+	Public Key ID: 05:95:E0:8F:69:A2:59:92:3D:6B:2B:32:0C:88:C7:12:A1:09:16:8F
+
+
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIJAOSnzE4Qx2H/MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTY0MDM3WhcNMDcwOTA3MTY0MDM3WjBPMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xFjAUBgNVBAoTDVRFU1QgMiBDTElFTlQxGDAWBgNV
+BAMTD3d3dzIuZXhhbXBsZS5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vSpZ6ig9DpeKB60h7ii1RitNuvkn4INOfEXjCjPSFwmIbGJqnyWvKTiMKzguEYkG
+6CZAbsx44t3kvsVDeUd5WZBRgMoeQd1tNJBU4BXxOA8bVzdwstzaPeeufQtZDvKf
+M4ej+fo/j9lYH9udCug1huaNybcCtijzGonkddX4JEUCAwEAAaOBxjCBwzAJBgNV
+HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+Y2F0ZTAdBgNVHQ4EFgQUK0DZtd8K1P2ij9gVKUNcHlx7uCIwaQYDVR0jBGIwYIAU
+340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNVBAYTAkpQMRQwEgYDVQQK
+EwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAxLTSCCQDkp8xOEMdh/jAN
+BgkqhkiG9w0BAQUFAAOBgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAUKJ+eFJYSvXwGF2wxzDXj+x5YCItrHFmrEy4AXXAW+H0NgJVNvqRY/O
+Kw==
+-----END CERTIFICATE-----
+
+
+
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 00:E4:A7:CC:4E:10:C7:61:FE
+Subject: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Issuer: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Thu Sep  7 18:33:18 2006
+	Not After: Sat Oct  7 18:33:18 2006
+Subject Public Key Info:
+	Public Key Algorithm: RSA (1024 bits)
+modulus:
+	d9:7c:58:e4:3c:36:5e:a2:bc:56:aa:4e:ff:0c:a3:
+	36:77:ff:4d:6a:8d:bc:74:ce:93:e6:c6:f9:2f:8d:
+	61:0f:90:b5:91:75:7a:30:97:af:e4:02:c0:49:2c:
+	6d:23:a3:95:3a:66:4e:e2:07:ee:6e:7b:2f:72:3d:
+	0d:4d:93:b8:49:e1:75:c8:bd:6b:54:33:dd:c7:b8:
+	ee:40:8d:5c:6c:38:86:fc:4c:08:31:6d:bd:50:87:
+	63:f6:1d:39:d8:94:e6:11:ba:53:d1:1b:8f:ff:82:
+	56:98:05:ab:74:ee:54:13:8d:31:b9:ae:d2:cf:6f:
+	fa:f8:30:76:66:49:45:a1:
+public exponent:
+	03:
+
+X.509 Extensions:
+	Basic Constraints:
+		CA:TRUE
+	Subject Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+	Authority Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+
+Other information:
+	MD5 Fingerprint: CA:33:DC:62:CB:54:8E:59:DD:D2:E8:9D:F6:BA:90:5B
+	SHA1 Fingerprint: A4:E8:7D:0A:7D:D2:15:10:B0:AE:F7:24:58:F4:BE:AF:80:48:FE:AD
+	Public Key ID: E5:D1:FC:26:A8:4C:FC:15:59:AD:06:F1:46:D8:40:31:C0:49:4D:1F
+
+
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIJAOSnzE4Qx2H+MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTYzMzE4WhcNMDYxMDA3MTYzMzE4WjA5MQswCQYDVQQGEwJK
+UDEUMBIGA1UEChMLQ0EgVEVTVCAxLTQxFDASBgNVBAMTC0NBIFRFU1QgMS00MIGd
+MA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDZfFjkPDZeorxWqk7/DKM2d/9Nao28
+dM6T5sb5L41hD5C1kXV6MJev5ALASSxtI6OVOmZO4gfubnsvcj0NTZO4SeF1yL1r
+VDPdx7juQI1cbDiG/EwIMW29UIdj9h052JTmEbpT0RuP/4JWmAWrdO5UE40xua7S
+z2/6+DB2ZklFoQIBA6OBmzCBmDAdBgNVHQ4EFgQU340JbeYcg6V9zi8aozy48aIh
+tfgwaQYDVR0jBGIwYIAU340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTSCCQDkp8xOEMdh/jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABsH
+aJ/c/3cGHssi8IvVRci/aavqj607y7l22nKDtG1p4KAjnfNhBMOhRhFv00nJnokK
+y0uc4DIegAW1bxQjqcMNNEmGbzAeixH/cRCot8C1LobEQmxNWCY2DJLWoI3wwqr8
+uUSnI1CDZ5402etkCiNXsDy/eYDrF+2KonkIWRrr
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/pkcs1-pad-broken2.pem b/tests/cert-tests/data/pkcs1-pad-broken2.pem
new file mode 100644
index 0000000000..b13cdf508c
--- /dev/null
+++ b/tests/cert-tests/data/pkcs1-pad-broken2.pem
@@ -0,0 +1,39 @@
+X.509 certificate info:
+
+Version: 1
+Serial Number (hex): 06
+Subject: C=AU,ST=Queensland,O=CryptSoft Pty Ltd,CN=Server test cert (512 bit)
+Issuer: C=AU,ST=Queensland,O=CryptSoft Pty Ltd,CN=Server test cert (512 bit)
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Tue Sep 12 01:58:55 2006
+	Not After: Thu Oct 12 01:58:55 2006
+Subject Public Key Info:
+	Public Key Algorithm: RSA (512 bits)
+modulus:
+	9f:b3:c3:84:27:95:ff:12:31:52:0f:15:ef:46:11:
+	c4:ad:80:e6:36:5b:0f:dd:80:d7:61:8d:e0:fc:72:
+	45:09:34:fe:55:66:45:43:4c:68:97:6a:fe:a8:a0:
+	a5:df:5f:78:ff:ee:d7:64:b8:3f:04:cb:6f:ff:2a:
+	fe:fe:b9:ed:
+public exponent:
+	01:00:01:
+
+Other information:
+	MD5 Fingerprint: B1:E2:B9:E7:00:7A:3D:29:B9:86:F8:EB:93:2D:B6:EF
+	SHA1 Fingerprint: 91:8F:41:F0:D0:E9:55:3B:AA:97:4B:93:BA:0D:B6:60:86:B9:5A:84
+	Public Key ID: 77:47:AD:43:02:5B:06:6E:B4:EF:29:DB:B2:AA:36:5D:01:7C:68:A1
+
+
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU4NTVa
+Fw0wNjEwMTEyMzU4NTVaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs
+YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy
+IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD
+hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u
+12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAbynCRIlUQgaqyNgU
+DF6P14yRKUtX8akOP2TwStaSiVf/akYqfLFm3UGka5XbPj4rifrZ0/sOoZEEBvHQ
+e20sRA==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/pkcs1-pad-broken3.pem b/tests/cert-tests/data/pkcs1-pad-broken3.pem
new file mode 100644
index 0000000000..9c1d39d329
--- /dev/null
+++ b/tests/cert-tests/data/pkcs1-pad-broken3.pem
@@ -0,0 +1,126 @@
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 17
+Subject: CN=Hacker
+Issuer: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Sat Aug 19 18:51:30 2006
+	Not After: Wed Oct 18 18:51:30 2006
+Subject Public Key Info:
+	Public Key Algorithm: RSA (1024 bits)
+modulus:
+	a4:ae:e8:28:56:b6:d0:6c:3a:96:81:ad:87:f8:3f:
+	3c:82:18:d7:ba:0e:e1:3b:ae:6a:b8:08:cb:24:77:
+	3f:2e:88:02:77:c1:57:7c:8c:6b:23:75:e6:38:63:
+	3a:17:49:5a:7e:f6:61:05:e9:7a:8d:83:20:df:f1:
+	46:f7:90:d8:0f:63:1b:c9:db:c9:60:41:5a:5d:e5:
+	17:46:59:71:e8:d7:82:d6:05:30:f5:9a:d1:64:0a:
+	20:21:56:50:13:b1:53:48:fe:d8:ef:da:db:fb:26:
+	9f:04:b3:29:5b:0c:77:bb:86:c9:40:d2:b9:ec:46:
+	bd:9c:4b:d6:ef:a4:cd:37:
+public exponent:
+	01:00:01:
+
+X.509 Extensions:
+	Basic Constraints: (critical)
+		CA:TRUE
+
+Other information:
+	MD5 Fingerprint: 46:54:EC:0F:EF:70:BE:BE:22:57:90:BC:A1:FD:B8:AA
+	SHA1 Fingerprint: 73:FA:53:71:4A:F1:AB:C6:31:82:B5:4D:59:3C:BC:B6:36:87:0D:55
+	Public Key ID: 9E:A1:D8:56:93:79:0C:B3:E3:0B:D3:F4:A5:40:C8:7C:78:A8:49:82
+
+
+-----BEGIN CERTIFICATE-----
+MIICgzCCAWugAwIBAgIBFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
+MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
+U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYw
+ODE5MTY1MTMwWhcNMDYxMDE4MTY1MTMwWjARMQ8wDQYDVQQDEwZIYWNrZXIwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKSu6ChWttBsOpaBrYf4PzyCGNe6DuE7
+rmq4CMskdz8uiAJ3wVd8jGsjdeY4YzoXSVp+9mEF6XqNgyDf8Ub3kNgPYxvJ28lg
+QVpd5RdGWXHo14LWBTD1mtFkCiAhVlATsVNI/tjv2tv7Jp8EsylbDHe7hslA0rns
+Rr2cS9bvpM03AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADggEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADLL/Up63HkFWD15INcW
+Xd1nZGI+gO/whm58ICyJ1Js7ON6N4NyBTwe8513CvdOlOdG/Ctmy2gxEE47HhEed
+ST8AUooI0ey599t84P20gGRuOYIjr7c=
+-----END CERTIFICATE-----
+
+
+
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 00
+Subject: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
+Issuer: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Tue Jun 29 19:39:16 2004
+	Not After: Thu Jun 29 19:39:16 2034
+Subject Public Key Info:
+	Public Key Algorithm: RSA (2048 bits)
+modulus:
+	b7:32:c8:fe:e9:71:a6:04:85:ad:0c:11:64:df:ce:
+	4d:ef:c8:03:18:87:3f:a1:ab:fb:3c:a6:9f:f0:c3:
+	a1:da:d4:d8:6e:2b:53:90:fb:24:a4:3e:84:f0:9e:
+	e8:5f:ec:e5:27:44:f5:28:a6:3f:7b:de:e0:2a:f0:
+	c8:af:53:2f:9e:ca:05:01:93:1e:8f:66:1c:39:a7:
+	4d:fa:5a:b6:73:04:25:66:eb:77:7f:e7:59:c6:4a:
+	99:25:14:54:eb:26:c7:f3:7f:19:d5:30:70:8f:af:
+	b0:46:2a:ff:ad:eb:29:ed:d7:9f:aa:04:87:a3:d4:
+	f9:89:a5:34:5f:db:43:91:82:36:d9:66:3c:b1:b8:
+	b9:82:fd:9c:3a:3e:10:c8:3b:ef:06:65:66:7a:9b:
+	19:18:3d:ff:71:51:3c:30:2e:5f:be:3d:77:73:b2:
+	5d:06:6c:c3:23:56:9a:2b:85:26:92:1c:a7:02:b3:
+	e4:3f:0d:af:08:79:82:b8:36:3d:ea:9c:d3:35:b3:
+	bc:69:ca:f5:cc:9d:e8:fd:64:8d:17:80:33:6e:5e:
+	4a:5d:99:c9:1e:87:b4:9d:1a:c0:d5:6e:13:35:23:
+	5e:df:9b:5f:3d:ef:d6:f7:76:c2:ea:3e:bb:78:0d:
+	1c:42:67:6b:04:d8:f8:d6:da:6f:8b:f2:44:a0:01:
+	ab:
+public exponent:
+	03:
+
+X.509 Extensions:
+	Basic Constraints:
+		CA:TRUE
+	Subject Key ID: 
+		BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
+	Authority Key ID: 
+		BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
+
+Other information:
+	MD5 Fingerprint: 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
+	SHA1 Fingerprint: AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
+	Public Key ID: 8D:C9:49:57:76:CC:19:71:BC:E5:EA:17:70:0A:83:61:9D:C9:27:A7
+
+
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
+MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
+U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
+NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
+ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
+ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
+DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
+8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
++lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
+X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
+K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
+1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
+A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
+zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
+YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
+bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
+L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
+eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
+xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
+VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
+WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/pkcs1-pad-ok.pem b/tests/cert-tests/data/pkcs1-pad-ok.pem
new file mode 100644
index 0000000000..ff19cb456e
--- /dev/null
+++ b/tests/cert-tests/data/pkcs1-pad-ok.pem
@@ -0,0 +1,118 @@
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 00:E4:A7:CC:4E:10:C7:61:FF
+Subject: C=JP,ST=Tokyo,O=TEST 2 CLIENT,CN=www2.example.jp
+Issuer: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Thu Sep  7 18:40:37 2006
+	Not After: Fri Sep  7 18:40:37 2007
+Subject Public Key Info:
+	Public Key Algorithm: RSA (1024 bits)
+modulus:
+	bd:2a:59:ea:28:3d:0e:97:8a:07:ad:21:ee:28:b5:
+	46:2b:4d:ba:f9:27:e0:83:4e:7c:45:e3:0a:33:d2:
+	17:09:88:6c:62:6a:9f:25:af:29:38:8c:2b:38:2e:
+	11:89:06:e8:26:40:6e:cc:78:e2:dd:e4:be:c5:43:
+	79:47:79:59:90:51:80:ca:1e:41:dd:6d:34:90:54:
+	e0:15:f1:38:0f:1b:57:37:70:b2:dc:da:3d:e7:ae:
+	7d:0b:59:0e:f2:9f:33:87:a3:f9:fa:3f:8f:d9:58:
+	1f:db:9d:0a:e8:35:86:e6:8d:c9:b7:02:b6:28:f3:
+	1a:89:e4:75:d5:f8:24:45:
+public exponent:
+	01:00:01:
+
+X.509 Extensions:
+	Basic Constraints:
+		CA:FALSE
+	Subject Key ID: 
+		2B:40:D9:B5:DF:0A:D4:FD:A2:8F:D8:15:29:43:5C:1E:5C:7B:B8:22
+	Authority Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+	2.16.840.1.113730.1.13: 
+		DER Data: 161d4f70656e53534c2047656e657261746564204365727469666963617465
+		ASCII: ..OpenSSL Generated Certificate
+
+Other information:
+	MD5 Fingerprint: 8C:D7:69:6A:E6:75:BD:E9:77:A7:86:43:F5:D1:89:C1
+	SHA1 Fingerprint: F5:EC:64:57:BD:BB:00:A1:45:26:ED:3B:FD:4D:8B:CA:FD:F1:1D:41
+	Public Key ID: 05:95:E0:8F:69:A2:59:92:3D:6B:2B:32:0C:88:C7:12:A1:09:16:8F
+
+
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIJAOSnzE4Qx2H/MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTY0MDM3WhcNMDcwOTA3MTY0MDM3WjBPMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xFjAUBgNVBAoTDVRFU1QgMiBDTElFTlQxGDAWBgNV
+BAMTD3d3dzIuZXhhbXBsZS5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vSpZ6ig9DpeKB60h7ii1RitNuvkn4INOfEXjCjPSFwmIbGJqnyWvKTiMKzguEYkG
+6CZAbsx44t3kvsVDeUd5WZBRgMoeQd1tNJBU4BXxOA8bVzdwstzaPeeufQtZDvKf
+M4ej+fo/j9lYH9udCug1huaNybcCtijzGonkddX4JEUCAwEAAaOBxjCBwzAJBgNV
+HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+Y2F0ZTAdBgNVHQ4EFgQUK0DZtd8K1P2ij9gVKUNcHlx7uCIwaQYDVR0jBGIwYIAU
+340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNVBAYTAkpQMRQwEgYDVQQK
+EwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAxLTSCCQDkp8xOEMdh/jAN
+BgkqhkiG9w0BAQUFAAOBgQCkGhwCDLRwWbDnDFReXkIZ1/9OhfiR8yL1idP9iYVU
+cSoWxSHPBWkv6LORFS03APcXCSzDPJ9pxTjFjGGFSI91fNrzkKdHU/+0WCF2uTh7
+Dz2blqtcmnJqMSn1xHxxfM/9e6M3XwFUMf7SGiKRAbDfsauPafEPTn83vSeKj1lg
+Dw==
+-----END CERTIFICATE-----
+
+
+
+X.509 certificate info:
+
+Version: 3
+Serial Number (hex): 00:E4:A7:CC:4E:10:C7:61:FE
+Subject: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Issuer: C=JP,O=CA TEST 1-4,CN=CA TEST 1-4
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Thu Sep  7 18:33:18 2006
+	Not After: Sat Oct  7 18:33:18 2006
+Subject Public Key Info:
+	Public Key Algorithm: RSA (1024 bits)
+modulus:
+	d9:7c:58:e4:3c:36:5e:a2:bc:56:aa:4e:ff:0c:a3:
+	36:77:ff:4d:6a:8d:bc:74:ce:93:e6:c6:f9:2f:8d:
+	61:0f:90:b5:91:75:7a:30:97:af:e4:02:c0:49:2c:
+	6d:23:a3:95:3a:66:4e:e2:07:ee:6e:7b:2f:72:3d:
+	0d:4d:93:b8:49:e1:75:c8:bd:6b:54:33:dd:c7:b8:
+	ee:40:8d:5c:6c:38:86:fc:4c:08:31:6d:bd:50:87:
+	63:f6:1d:39:d8:94:e6:11:ba:53:d1:1b:8f:ff:82:
+	56:98:05:ab:74:ee:54:13:8d:31:b9:ae:d2:cf:6f:
+	fa:f8:30:76:66:49:45:a1:
+public exponent:
+	03:
+
+X.509 Extensions:
+	Basic Constraints:
+		CA:TRUE
+	Subject Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+	Authority Key ID: 
+		DF:8D:09:6D:E6:1C:83:A5:7D:CE:2F:1A:A3:3C:B8:F1:A2:21:B5:F8
+
+Other information:
+	MD5 Fingerprint: CA:33:DC:62:CB:54:8E:59:DD:D2:E8:9D:F6:BA:90:5B
+	SHA1 Fingerprint: A4:E8:7D:0A:7D:D2:15:10:B0:AE:F7:24:58:F4:BE:AF:80:48:FE:AD
+	Public Key ID: E5:D1:FC:26:A8:4C:FC:15:59:AD:06:F1:46:D8:40:31:C0:49:4D:1F
+
+
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIJAOSnzE4Qx2H+MA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTQwHhcNMDYwOTA3MTYzMzE4WhcNMDYxMDA3MTYzMzE4WjA5MQswCQYDVQQGEwJK
+UDEUMBIGA1UEChMLQ0EgVEVTVCAxLTQxFDASBgNVBAMTC0NBIFRFU1QgMS00MIGd
+MA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDZfFjkPDZeorxWqk7/DKM2d/9Nao28
+dM6T5sb5L41hD5C1kXV6MJev5ALASSxtI6OVOmZO4gfubnsvcj0NTZO4SeF1yL1r
+VDPdx7juQI1cbDiG/EwIMW29UIdj9h052JTmEbpT0RuP/4JWmAWrdO5UE40xua7S
+z2/6+DB2ZklFoQIBA6OBmzCBmDAdBgNVHQ4EFgQU340JbeYcg6V9zi8aozy48aIh
+tfgwaQYDVR0jBGIwYIAU340JbeYcg6V9zi8aozy48aIhtfihPaQ7MDkxCzAJBgNV
+BAYTAkpQMRQwEgYDVQQKEwtDQSBURVNUIDEtNDEUMBIGA1UEAxMLQ0EgVEVTVCAx
+LTSCCQDkp8xOEMdh/jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABsH
+aJ/c/3cGHssi8IvVRci/aavqj607y7l22nKDtG1p4KAjnfNhBMOhRhFv00nJnokK
+y0uc4DIegAW1bxQjqcMNNEmGbzAeixH/cRCot8C1LobEQmxNWCY2DJLWoI3wwqr8
+uUSnI1CDZ5402etkCiNXsDy/eYDrF+2KonkIWRrr
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/pkcs1-pad-ok2.pem b/tests/cert-tests/data/pkcs1-pad-ok2.pem
new file mode 100644
index 0000000000..36548fa48f
--- /dev/null
+++ b/tests/cert-tests/data/pkcs1-pad-ok2.pem
@@ -0,0 +1,39 @@
+X.509 certificate info:
+
+Version: 1
+Serial Number (hex): 06
+Subject: C=AU,ST=Queensland,O=CryptSoft Pty Ltd,CN=Server test cert (512 bit)
+Issuer: C=AU,ST=Queensland,O=CryptSoft Pty Ltd,CN=Server test cert (512 bit)
+Signature Algorithm: RSA-SHA
+Validity:
+	Not Before: Tue Sep 12 01:59:02 2006
+	Not After: Thu Oct 12 01:59:02 2006
+Subject Public Key Info:
+	Public Key Algorithm: RSA (512 bits)
+modulus:
+	9f:b3:c3:84:27:95:ff:12:31:52:0f:15:ef:46:11:
+	c4:ad:80:e6:36:5b:0f:dd:80:d7:61:8d:e0:fc:72:
+	45:09:34:fe:55:66:45:43:4c:68:97:6a:fe:a8:a0:
+	a5:df:5f:78:ff:ee:d7:64:b8:3f:04:cb:6f:ff:2a:
+	fe:fe:b9:ed:
+public exponent:
+	01:00:01:
+
+Other information:
+	MD5 Fingerprint: A3:EB:02:BD:45:54:AD:A3:74:FC:CA:BE:31:A3:41:0A
+	SHA1 Fingerprint: FA:E0:71:22:53:6D:9E:F5:01:EF:89:93:1D:3B:A9:17:29:75:2C:F8
+	Public Key ID: 77:47:AD:43:02:5B:06:6E:B4:EF:29:DB:B2:AA:36:5D:01:7C:68:A1
+
+
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVoCAQYwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw0wNjA5MTEyMzU5MDJa
+Fw0wNjEwMTEyMzU5MDJaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNs
+YW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEjMCEGA1UEAxMaU2VydmVy
+IHRlc3QgY2VydCAoNTEyIGJpdCkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PD
+hCeV/xIxUg8V70YRxK2A5jZbD92A12GN4PxyRQk0/lVmRUNMaJdq/qigpd9feP/u
+12S4PwTLb/8q/v657QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAc+fnj0rB2CYautG2
+4itiMOU4SN6JFTFDCTU/Gb5aR/Fiu7HJkuE5yGEnTdnwcId/T9sTW251yzCc1e2z
+rHX/kw==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/pkcs1-pad b/tests/cert-tests/pkcs1-pad
new file mode 100755
index 0000000000..fe10cf22d8
--- /dev/null
+++ b/tests/cert-tests/pkcs1-pad
@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# Copyright (C) 2004-2006, 2008-2010, 2012 Free Software Foundation,
+# Inc.
+#
+# Author: Simon Josefsson
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+
+export TZ="UTC"
+
+# Check for datefudge
+TSTAMP=`datefudge "2006-09-23" date -u +%s || true`
+if test "${TSTAMP}" != "1158969600"; then
+	echo "You need datefudge to run this test"
+	exit 77
+fi
+
+TMPFILE1=pkcs1-pad.$$.tmp
+TMPFILE2=pkcs1-pad-2.$$.tmp
+
+# Test 1, PKCS#1 pad digestAlgorithm.parameters
+
+EXPECT1=2002
+
+datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1
+datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1
+
+out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
+out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "`
+out1fails=`grep 'Not verified.' $TMPFILE1 | wc -l | tr -d " "`
+out2fails=`grep 'Not verified.' $TMPFILE2 | wc -l | tr -d " "`
+
+if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT1}"; then
+	echo "$TMPFILE1 oks ${out1oks} fails ${out1fails} $TMPFILE2 oks ${out2oks} fails ${out2fails}"
+	echo "expected ${EXPECT1}"
+	echo "PKCS1-PAD1 FAIL"
+	exit 1
+fi
+
+rm -f $TMPFILE1 $TMPFILE2
+
+echo "PKCS1-PAD1 OK"
+
+# Test 2, Bleichenbacher's Crypto 06 rump session
+
+EXPECT2=2002
+
+datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok2.pem" | tee $TMPFILE1 >/dev/null 2>&1
+datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken2.pem" | tee $TMPFILE2 >/dev/null 2>&1
+
+out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
+out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "`
+out1fails=`grep 'Not verified.' $TMPFILE1 | wc -l | tr -d " "`
+out2fails=`grep 'Not verified.' $TMPFILE2 | wc -l | tr -d " "`
+
+if test "${out1oks}${out2oks}${out1fails}${out2fails}" != "${EXPECT2}"; then
+	echo "$TMPFILE1 oks ${out1oks} fails ${out1fails} $TMPFILE2 oks ${out2oks} fails ${out2fails}"
+	echo "expected ${EXPECT2}"
+	echo "PKCS1-PAD2 FAIL"
+	exit 1
+fi
+
+rm -f $TMPFILE1 $TMPFILE2
+
+echo "PKCS1-PAD2 OK"
+
+# Test 3, forged Starfield certificate,
+# by Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann.
+
+
+EXPECT3=02
+
+datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken3.pem" | tee $TMPFILE1 >/dev/null 2>&1
+
+out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "`
+out1fails=`grep 'Not verified.' $TMPFILE1 | wc -l | tr -d " "`
+
+if test "${out1oks}${out1fails}" != "${EXPECT3}"; then
+	echo "$TMPFILE1 oks ${out1oks} fails ${out1fails}"
+	echo "expected ${EXPECT3}"
+	echo "PKCS1-PAD3 FAIL"
+	exit 1
+fi
+
+rm -f $TMPFILE1
+
+echo "PKCS1-PAD3 OK"
+
+# We're done.
+exit 0