tests: cert-callbacks check now checks the server-side callback operation as well

1 files changed, 112 insertions, 201 deletions

diff --git a/tests/mini-x509-cert-callback.c b/tests/mini-x509-cert-callback.c
index 814c2d1465..dde39ddff4 100644
--- a/tests/mini-x509-cert-callback.c
+++ b/tests/mini-x509-cert-callback.c
@@ -33,6 +33,7 @@
 #include <gnutls/x509.h>
 #include "utils.h"
 #include "eagain-common.h"
+#include "cert-common.h"
 
 /* This tests gnutls_certificate_set_x509_key() */
 
@@ -43,142 +44,6 @@ static void tls_log_func(int level, const char *str)
 	fprintf(stderr, "%s|<%d>| %s", side, level, str);
 }
 
-static unsigned char ca_cert_pem[] =
-"-----BEGIN CERTIFICATE-----\n"
-"MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwNDA5MDgwMjM0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuLSye8pe3yWKZ\n"
-"Yp7tLQ4ImwLqqh1aN7x9pc5spLDj6krVArzkyyYDcWvtQNDjErEfLUrZZrCc4aIl\n"
-"oU1Ghb92kI8ofZnHFbj3z5zdcWqiPppj5Y+hRdc4LszTWb+itrD9Ht/D67EK+m7W\n"
-"ev6xxUdyiBYUmb2O3CnPZpUVshMRtEe45EDGI5hUgL2n4Msj41htTq8hATYPXgoq\n"
-"gQUyXFpKAX5XDCyOG+FC6jmEys7UCRYv3SCl7TPWJ4cm+lHcFI2/OTOCBvMlKN2J\n"
-"mWCdfnudZldqthin+8fR9l4nbuutOfPNt1Dj9InDzWZ1W/o4LrjKa7fsvszj2Z5A\n"
-"Fn+xN/4zAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUwRHwbXyPosKNNkBiZduEwL5ZCwswDQYJKoZIhvcNAQELBQAD\n"
-"ggEBAEKr0b7WoJL+L8St/LEITU/i7FwFrCP6DkbaNo0kgzPmwnvNmw88MLI6UKwE\n"
-"JecnjFhurRBBZ4FA85ucNyizeBnuXqFcyJ20+XziaXGPKV/ugKyYv9KBoTYkQOCh\n"
-"nbOthmDqjvy2UYQj0BU2dOywkjUKWhYHEZLBpZYck0Orynxydwil5Ncsz4t3smJw\n"
-"ahzCW8SzBFTiO99qQBCH2RH1PbUYzfAnJxZS2VScpcqlu9pr+Qv7r8E3p9qHxnQM\n"
-"gO5laWO6lc13rNsbZRrtlCvacsiDSuDnS8EVXm0ih4fAntpRHacPbXZbOPQqJ/+1\n"
-"G7/qJ6cDC/9aW+fU80ogTkAoFg4=\n"
-"-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t ca_cert = { ca_cert_pem,
-	sizeof(ca_cert_pem)
-};
-
-static unsigned char server_cert_pem[] =
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDOjCCAiKgAwIBAgIMU0T+mwoDu5uVLKeeMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
-"BgNVBAMTBENBLTEwIhgPMjAxNDA0MDkwODAyMzVaGA85OTk5MTIzMTIzNTk1OVow\n"
-"EzERMA8GA1UEAxMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
-"AoIBAQDXfvgsMWXHNf3iUaEoZSNztZZr6+UdBkoUhbdWJDR+GwR+GHfnYaYHsuqb\n"
-"bNEl/QFI+8Jeth0SmG7TNB+b/AlHFoBm8TwBt7H+Mn6AQIdo872Vs262UkHgbZN6\n"
-"dEQeRCgiXmlsOVe+MVpf79Xi32MYz1FZ/ueS6tr8sIDhECThIZkq2eulVjAV86N2\n"
-"zQ72Ml1k8rPw4SdK5OFhcXNdXr6CsAol8MmiORKDF0iAZxwtFVc00nBGqQC5rwrN\n"
-"3A8czH5TsvyvrcW0mwV2XOVvZM5kFM1T/X0jF6RQHiGGFBYK4s6JZxSSOhJMFYYh\n"
-"koPEKsuVZdmBJ2yTTdGumHZfG9LDAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAU\n"
-"BgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P\n"
-"AQH/BAUDAwegADAdBgNVHQ4EFgQURXiN5VD5vgqAprhd/37ldGKv4/4wHwYDVR0j\n"
-"BBgwFoAU8MUzmkotjSmVa5r1ejMkMQ6BiZYwDQYJKoZIhvcNAQELBQADggEBABSU\n"
-"cmMX0nGeg43itPnLjSTIUuYEamRhfsFDwgRYQn5w+BcFG1p0scBRxLAShUEb9A2A\n"
-"oEJV4rQDpCn9bcMrMHhTCR5sOlLh/2o9BROjK0+DjQLDkooQK5xa+1GYEiy6QYCx\n"
-"QjdCCnMhHh24oP2/vUggRKhevvD2QQFKcCDT6n13RFYm+HX82gIh6SAtRs0oahY5\n"
-"k9CM9TYRPzXy+tQqhZisJzc8BLTW/XA97kAJW6+hUhPir7AYR6BKJhNeIxcN/yMy\n"
-"jsHzWDLezip/8q+kzw658V5e40hne7ZaJycGUaUdLVnJcpNtBgGE82TRS/XZSQKF\n"
-"fpy8FLGcJynqlIOzdKs=\n"
-"-----END CERTIFICATE-----\n"
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwNDA5MDgwMjM0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZq3sA+mjFadII\n"
-"EMDHfj1fYh+UOUSa8c814E9NfCdYZ9Z11BmPpBeR5mXV12j1DKjkTlqTUL7s4lVR\n"
-"RKfyAdCpQIfeXHDeTYYUq2uBnbi5YMG5Y+WbCiYacgRU3IypYrSzaeh1mY7GiEFe\n"
-"U/NaImHLCf+TdAvTJ3Fo0QPe5QN2Lrv6l//cqOv7enZ91KRWxClDMM6EAr+C/7dk\n"
-"rOTXRrCuH/e/KVBXEJ/YeSYPmBIwolGktRrGdsVagdqYArr4dhJ7VThIVRUX1Ijl\n"
-"THCLstI/LuD8WkDccU3ZSdm47f2U43p/+rSO0MiNOXiaskeK56G/9DbJEeETUbzm\n"
-"/B2712MVAgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQU8MUzmkotjSmVa5r1ejMkMQ6BiZYwHwYDVR0jBBgwFoAUwRHw\n"
-"bXyPosKNNkBiZduEwL5ZCwswDQYJKoZIhvcNAQELBQADggEBACKxBPj9u1t52uIF\n"
-"eQ2JPb8/u+MBttvSLo0qPKXwpc4q8hNclh66dpqGWiF0iSumsKyKU54r6CIF9Ikm\n"
-"t1V1GR9Ll4iTnz3NdIt1w3ns8rSlU5O/dgKysK/1C/5xJWEUYtEO5mnyi4Zaf8FB\n"
-"hKmQ1aWF5dTB81PVAQxyCiFEnH7YumK7pJeIpnCOPIqLZLUHfrTUeL8zONF4i5Sb\n"
-"7taZ8SQ6b7IaioU+NJ50uT2wy34lsyvCWf76Azezv9bggkdNDo/7ktMgsfRrSyM8\n"
-"+MVob5ePGTjKx5yMy/sy2vUkkefwW3RiEss/y2JRb8Hw7nDlA9ttilYKFwGFwRvw\n"
-"KRsXqo8=\n"
-"-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t server_cert = { server_cert_pem,
-	sizeof(server_cert_pem)
-};
-
-static unsigned char server_key_pem[] =
-"-----BEGIN RSA PRIVATE KEY-----\n"
-"MIIEpAIBAAKCAQEA1374LDFlxzX94lGhKGUjc7WWa+vlHQZKFIW3ViQ0fhsEfhh3\n"
-"52GmB7Lqm2zRJf0BSPvCXrYdEphu0zQfm/wJRxaAZvE8Abex/jJ+gECHaPO9lbNu\n"
-"tlJB4G2TenREHkQoIl5pbDlXvjFaX+/V4t9jGM9RWf7nkura/LCA4RAk4SGZKtnr\n"
-"pVYwFfOjds0O9jJdZPKz8OEnSuThYXFzXV6+grAKJfDJojkSgxdIgGccLRVXNNJw\n"
-"RqkAua8KzdwPHMx+U7L8r63FtJsFdlzlb2TOZBTNU/19IxekUB4hhhQWCuLOiWcU\n"
-"kjoSTBWGIZKDxCrLlWXZgSdsk03Rrph2XxvSwwIDAQABAoIBAB7trDS7ij4DM8MN\n"
-"sDGaAnKS91nZ63I0+uDjKCMG4znOKuDmJh9hVnD4bs+L2KC5JTwSVh09ygJnOlC5\n"
-"xGegzrwTMK6VpOUiNjujh6BkooqfoPAhZpxoReguEeKbWUN2yMPWBQ9xU3SKpMvs\n"
-"IiiDozdmWeiuuxHM/00REA49QO3Gnx2logeB+fcvXXD1UiZV3x0xxSApiJt1sr2r\n"
-"NmqSyGdNUgpmnTP8zbKnDaRe5Wj4tj1TCTLE/HZ0tzdRuwlkIqvcpGg1LMtKm5N8\n"
-"xIWjTGMFwGjG+OF8LGqHLH+28pI3iMB6QqO2YLwOp+WZKImKP3+Dp3s8lCw8t8cm\n"
-"q5/Qc9ECgYEA2xwxm+pFkrFmZNLCakP/6S5AZqpfSBRUlF/uX2pBKO7o6I6aOV9o\n"
-"zq2QWYIZfdyD+9MvAFUQ36sWfTVWpGA34WGtsGtcRRygKKTigpJHvBldaPxiuYuk\n"
-"xbS54nWUdix/JzyQAy22xJXlp4XJvtFJjHhA2td0XA7tfng9n8jmvEUCgYEA+8cA\n"
-"uFIQFbaZ2y6pnOvlVj8OH0f1hZa9M+3q01fWy1rnDAsLrIzJy8TZnBtpDwy9lAun\n"
-"Sa6wzu6qeHmF17xwk5U7BCyK2Qj/9KhRLg1mnDebQ/CiLSAaJVnrYFp9Du96fTkN\n"
-"ollvbFiGF92QwPTDf2f1gHZQEPwa+f/ox37ad2cCgYEAwMgXpfUD7cOEMeV2BQV7\n"
-"XnDBXRM97i9lE38sPmtAlYFPD36Yly4pCt+PCBH9181zmtf+nK47wG/Jw7RwXQQD\n"
-"ZpwItBZiArTi/Z/FY9jMoOU4WKznOBVzjjgq7ONDEo6n+Z/BnepUyraQb0q5bNi7\n"
-"e4o6ldHHoU/JCeNFZRbgXHkCgYA6vJU9at+XwS6phHxLQHkTIsivoYD0tlLTX4it\n"
-"30sby8wk8hq6GWomYHkHwxlCSo2bkRBozxkuXV1ll6wSxUJaG7FV6vJFaaUUtYOi\n"
-"w7uRbCOLuQKMlnWjCxQvOUz9g/7GYd39ZvHoi8pUnPrdGPzWpzEN1AwfukCs2/e5\n"
-"Oq3KtwKBgQCkHmDU8h0kOfN28f8ZiyjJemQMNoOGiJqnGexaKvsRd+bt4H+7DsWQ\n"
-"OnyKm/oR0wCCSmFM5aQc6GgzPD7orueKVYHChbY7HLTWKRHNs6Rlk+6hXJvOld0i\n"
-"Cl7KqL2x2ibGMtt4LtSntdzWqa87N7vCWMSTmvd8uLgflBs33xUIiQ==\n"
-"-----END RSA PRIVATE KEY-----\n";
-
-static unsigned char cert_pem[] =
-    "-----BEGIN CERTIFICATE-----\n"
-    "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
-    "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n"
-    "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n"
-    "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n"
-    "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n"
-    "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n"
-    "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n"
-    "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n"
-    "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n"
-    "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n"
-    "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n"
-    "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n";
-const gnutls_datum_t cli_cert = { cert_pem, sizeof(cert_pem) - 1};
-
-static unsigned char key_pem[] =
-    "-----BEGIN RSA PRIVATE KEY-----\n"
-    "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n"
-    "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n"
-    "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n"
-    "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n"
-    "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n"
-    "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n"
-    "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n"
-    "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n"
-    "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n"
-    "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n"
-    "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n"
-    "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n"
-    "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n"
-    "-----END RSA PRIVATE KEY-----\n";
-const gnutls_datum_t cli_key = { key_pem, sizeof(key_pem) - 1};
-
-const gnutls_datum_t server_key = { server_key_pem,
-	sizeof(server_key_pem)
-};
-
 static gnutls_privkey_t g_pkey = NULL;
 static gnutls_pcert_st *g_pcert = NULL;
 
@@ -199,11 +64,13 @@ cert_callback(gnutls_session_t session,
 	}
 
 	p = gnutls_malloc(sizeof(*p));
-	if (p==NULL)
+	if (p == NULL)
 		return -1;
 
 	if (g_pkey == NULL) {
-		ret = gnutls_pcert_import_x509_raw(p, &cli_cert, GNUTLS_X509_FMT_PEM, 0);
+		ret =
+		    gnutls_pcert_import_x509_raw(p, &cli_ca3_cert,
+						 GNUTLS_X509_FMT_PEM, 0);
 		if (ret < 0)
 			return -1;
 
@@ -211,7 +78,10 @@ cert_callback(gnutls_session_t session,
 		if (ret < 0)
 			return -1;
 
-		ret = gnutls_privkey_import_x509_raw(lkey, &cli_key, GNUTLS_X509_FMT_PEM, NULL, 0);
+		ret =
+		    gnutls_privkey_import_x509_raw(lkey, &cli_ca3_key,
+						   GNUTLS_X509_FMT_PEM, NULL,
+						   0);
 		if (ret < 0)
 			return -1;
 
@@ -225,10 +95,61 @@ cert_callback(gnutls_session_t session,
 		*pcert = g_pcert;
 		*pcert_length = 1;
 		if (gnutls_certificate_client_get_request_status(session) == 0) {
-		fail("gnutls_certificate_client_get_request_status failed\n");
-		return -1;
+			fail("gnutls_certificate_client_get_request_status failed\n");
+			return -1;
+		}
+		*pkey = g_pkey;
 	}
-	*pkey = g_pkey;
+
+	return 0;
+}
+
+static gnutls_privkey_t server_pkey = NULL;
+static gnutls_pcert_st *server_pcert = NULL;
+
+static int
+server_cert_callback(gnutls_session_t session,
+		     const gnutls_datum_t * req_ca_rdn, int nreqs,
+		     const gnutls_pk_algorithm_t * sign_algos,
+		     int sign_algos_length, gnutls_pcert_st ** pcert,
+		     unsigned int *pcert_length, gnutls_privkey_t * pkey)
+{
+	int ret;
+	gnutls_pcert_st *p;
+	gnutls_privkey_t lkey;
+
+	p = gnutls_malloc(sizeof(*p));
+	if (p == NULL)
+		return -1;
+
+	if (server_pkey == NULL) {
+		ret =
+		    gnutls_pcert_import_x509_raw(p, &server_ca3_localhost_cert,
+						 GNUTLS_X509_FMT_PEM, 0);
+		if (ret < 0)
+			return -1;
+
+		ret = gnutls_privkey_init(&lkey);
+		if (ret < 0)
+			return -1;
+
+		ret =
+		    gnutls_privkey_import_x509_raw(lkey, &server_ca3_key,
+						   GNUTLS_X509_FMT_PEM, NULL,
+						   0);
+		if (ret < 0)
+			return -1;
+
+		server_pcert = p;
+		server_pkey = lkey;
+
+		*pcert = p;
+		*pcert_length = 1;
+		*pkey = lkey;
+	} else {
+		*pcert = server_pcert;
+		*pcert_length = 1;
+		*pkey = server_pkey;
 	}
 
 	return 0;
@@ -246,10 +167,6 @@ void doit(void)
 	gnutls_certificate_credentials_t clientx509cred;
 	gnutls_session_t client;
 	int cret = GNUTLS_E_AGAIN;
-	gnutls_x509_crt_t *crts;
-	unsigned int crts_size;
-	unsigned i;
-	gnutls_x509_privkey_t pkey;
 
 	/* General init. */
 	global_init();
@@ -257,41 +174,16 @@ void doit(void)
 	if (debug)
 		gnutls_global_set_log_level(2);
 
-	ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM,
-			GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
-	if (ret < 0) {
-		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
-		exit(1);
-	}
-
-	ret = gnutls_x509_privkey_init(&pkey);
-	if (ret < 0) {
-		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
-		exit(1);
-	}
-
-	ret =
-	    gnutls_x509_privkey_import(pkey, &server_key,
-				       GNUTLS_X509_FMT_PEM);
-	if (ret < 0) {
-		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
-		exit(1);
-	}
-
 	/* Init server */
 	gnutls_certificate_allocate_credentials(&serverx509cred);
-	gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey);
-	gnutls_x509_privkey_deinit(pkey);
-	for (i=0;i<crts_size;i++)
-		gnutls_x509_crt_deinit(crts[i]);
-	gnutls_free(crts);
+
+	gnutls_certificate_set_retrieve_function2(serverx509cred,
+						  server_cert_callback);
 
 	gnutls_init(&server, GNUTLS_SERVER);
-	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
-			       serverx509cred);
+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
 	gnutls_priority_set_direct(server,
-				   "NORMAL:-CIPHER-ALL:+AES-128-GCM",
-				   NULL);
+				   "NORMAL:-CIPHER-ALL:+AES-128-GCM", NULL);
 	gnutls_transport_set_push_function(server, server_push);
 	gnutls_transport_set_pull_function(server, server_pull);
 	gnutls_transport_set_ptr(server, server);
@@ -303,18 +195,21 @@ void doit(void)
 	if (ret < 0)
 		exit(1);
 
-	ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
+	ret =
+	    gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca3_cert,
+						  GNUTLS_X509_FMT_PEM);
 	if (ret < 0)
 		exit(1);
 
-	gnutls_certificate_set_retrieve_function2(clientx509cred, cert_callback);
+	gnutls_certificate_set_retrieve_function2(clientx509cred,
+						  cert_callback);
 
 	ret = gnutls_init(&client, GNUTLS_CLIENT);
 	if (ret < 0)
 		exit(1);
 
 	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
-			       clientx509cred);
+				     clientx509cred);
 	if (ret < 0)
 		exit(1);
 
@@ -343,20 +238,25 @@ void doit(void)
 		}
 
 		gnutls_x509_crt_init(&crt);
-		ret = gnutls_x509_crt_import(crt, &server_cert, GNUTLS_X509_FMT_PEM);
+		ret =
+		    gnutls_x509_crt_import(crt, &server_ca3_localhost_cert,
+					   GNUTLS_X509_FMT_PEM);
 		if (ret < 0) {
-			fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
+			fail("gnutls_x509_crt_import: %s\n",
+			     gnutls_strerror(ret));
 			exit(1);
 		}
 
 		ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &scert);
 		if (ret < 0) {
-			fail("gnutls_x509_crt_export2: %s\n", gnutls_strerror(ret));
+			fail("gnutls_x509_crt_export2: %s\n",
+			     gnutls_strerror(ret));
 			exit(1);
 		}
 		gnutls_x509_crt_deinit(crt);
 
-		if (scert.size != mcert->size || memcmp(scert.data, mcert->data, mcert->size) != 0) {
+		if (scert.size != mcert->size
+		    || memcmp(scert.data, mcert->data, mcert->size) != 0) {
 			fail("gnutls_certificate_get_ours output doesn't match cert\n");
 			exit(1);
 		}
@@ -376,20 +276,25 @@ void doit(void)
 		}
 
 		gnutls_x509_crt_init(&crt);
-		ret = gnutls_x509_crt_import(crt, &cli_cert, GNUTLS_X509_FMT_PEM);
+		ret =
+		    gnutls_x509_crt_import(crt, &cli_ca3_cert,
+					   GNUTLS_X509_FMT_PEM);
 		if (ret < 0) {
-			fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
+			fail("gnutls_x509_crt_import: %s\n",
+			     gnutls_strerror(ret));
 			exit(1);
 		}
 
 		ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &ccert);
 		if (ret < 0) {
-			fail("gnutls_x509_crt_export2: %s\n", gnutls_strerror(ret));
+			fail("gnutls_x509_crt_export2: %s\n",
+			     gnutls_strerror(ret));
 			exit(1);
 		}
 		gnutls_x509_crt_deinit(crt);
 
-		if (ccert.size != mcert->size || memcmp(ccert.data, mcert->data, mcert->size) != 0) {
+		if (ccert.size != mcert->size
+		    || memcmp(ccert.data, mcert->data, mcert->size) != 0) {
 			fail("gnutls_certificate_get_ours output doesn't match cert\n");
 			exit(1);
 		}
@@ -406,20 +311,22 @@ void doit(void)
 
 		/* check with wrong hostname */
 		data[0].type = GNUTLS_DT_DNS_HOSTNAME;
-		data[0].data = (void*)"localhost1";
+		data[0].data = (void *)"localhost1";
 
 		data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
-		data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+		data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER;
 
 		gnutls_certificate_get_peers(client, &cert_list_size);
-		if (cert_list_size < 2) {
-			fprintf(stderr, "received a certificate list of %d!\n", cert_list_size);
+		if (cert_list_size != 1) {
+			fprintf(stderr, "received a certificate list of %d!\n",
+				cert_list_size);
 			exit(1);
 		}
 
 		ret = gnutls_certificate_verify_peers(client, data, 2, &status);
 		if (ret < 0) {
-			fprintf(stderr, "could not verify certificate: %s\n", gnutls_strerror(ret));
+			fprintf(stderr, "could not verify certificate: %s\n",
+				gnutls_strerror(ret));
 			exit(1);
 		}
 
@@ -430,20 +337,22 @@ void doit(void)
 
 		/* check with wrong purpose */
 		data[0].type = GNUTLS_DT_DNS_HOSTNAME;
-		data[0].data = (void*)"localhost";
+		data[0].data = (void *)"localhost";
 
 		data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
-		data[1].data = (void*)GNUTLS_KP_TLS_WWW_CLIENT;
+		data[1].data = (void *)GNUTLS_KP_TLS_WWW_CLIENT;
 
 		gnutls_certificate_get_peers(client, &cert_list_size);
-		if (cert_list_size < 2) {
-			fprintf(stderr, "received a certificate list of %d!\n", cert_list_size);
+		if (cert_list_size != 1) {
+			fprintf(stderr, "received a certificate list of %d!\n",
+				cert_list_size);
 			exit(1);
 		}
 
 		ret = gnutls_certificate_verify_peers(client, data, 2, &status);
 		if (ret < 0) {
-			fprintf(stderr, "could not verify certificate: %s\n", gnutls_strerror(ret));
+			fprintf(stderr, "could not verify certificate: %s\n",
+				gnutls_strerror(ret));
 			exit(1);
 		}
 
@@ -454,19 +363,21 @@ void doit(void)
 
 		/* check with correct purpose */
 		data[0].type = GNUTLS_DT_DNS_HOSTNAME;
-		data[0].data = (void*)"localhost";
+		data[0].data = (void *)"localhost";
 
 		data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
-		data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+		data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER;
 
 		ret = gnutls_certificate_verify_peers(client, data, 2, &status);
 		if (ret < 0) {
-			fprintf(stderr, "could not verify certificate: %s\n", gnutls_strerror(ret));
+			fprintf(stderr, "could not verify certificate: %s\n",
+				gnutls_strerror(ret));
 			exit(1);
 		}
 
 		if (status != 0) {
-			fprintf(stderr, "could not verify certificate: %.4x\n", status);
+			fprintf(stderr, "could not verify certificate: %.4x\n",
+				status);
 			exit(1);
 		}
 	}