diff --git a/.gitignore b/.gitignore index aa40d12c7688d2cdb2f4ddc86799765d4c004af3..55dfb01fffef95d9379e598bed2c0433d93d38af 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .vscode servroot* +nginx \ No newline at end of file diff --git a/README.md b/README.md index 16e58bd4200609a3288799e51f02cf327492d721..c0a786dae94ae5bdb5d1bef9c71018bfae291cbb 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,9 @@ ## Description -_ngx_http_voms_module_ is a module for the [NGINX web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxies augmented with Attribute Certificates, typically obtained through a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS). +_ngx_http_voms_module_ is a module for the [Nginx web server](https://www.nginx.org/) that enables client-side authentication based on X.509 proxy certificates augmented with VOMS Attribute Certificates, typically obtained from a [Virtual Organization Membership Service](https://italiangrid.github.io/voms/) (VOMS) server. + +The module defines a set of [_embedded_ variables](~embedded-variables), whose values are extracted from the first Attribute Certificate found in the certificate chain. ## Installation 
@@ -19,16 +21,75 @@ A Docker image is available for use in the context of the StoRM2 project, where % ./configure ${resty_config_options} --add-module=../ngx_http_voms_module % make && make install -## Variables +## Embedded Variables + +The module makes the following embedded variables available for use in an Nginx configuration file: + +### voms_user + +The Subject of the End-Entity certificate, used to sign the proxy. + +_Example_: ``/C=IT/O=IGI/CN=test0`` + +### voms_user_ca + +The Issuer (Certificate Authority) of the End-Entity certificate. -The module makes the following variables available for use in an NGINX configuration file: +_Example_: ``/C=IT/O=IGI/CN=Test CA`` ### voms_fqans -A comma-separated list of _Fully Qualified Attribute Names_ +A comma-separated list of Fully Qualified Attribute Names. See [The VOMS Attribute Certificate Format](http://ogf.org/documents/GFD.182.pdf) for more details. -### voms_user +_Example_: ``/test/exp1,/test/exp2,/test/exp3/Role=PIPPO`` + +### voms_server + +The Subject of the VOMS server certificate, used to sign the Attribute Certificate. + +_Example_: ``/C=IT/O=IGI/CN=voms.example`` + +### voms_server_ca + +The Issuer (Certificate Authority) of the VOMS server certificate. + +_Example_: ``/C=IT/O=IGI/CN=Test CA`` + +### voms_vo + +The name of the Virtual Organization (VO) to which the End Entity belongs. + +_Example_: ``test.vo`` + +### voms_server_uri + +The hostname and port of the VOMS network service that issued the Attribute Certificate, in the form _hostname_ :_port_. + +_Example_: ``voms.example:15000`` + +### voms_not_before + +The date before which the Attribute Certificate is not yet valid, in the form _YYYYMMDDhhmmss_ ``Z``. + +_Example_: ``20180101000000Z`` + +### voms_not_after + +The date after which the Attribute Certificate is not valid anymore, in the form _YYYYMMDDhhmmss_ ``Z``. 
+ +_Example_: ``20180101120000Z`` + +### voms_generic_attributes + +A comma-separated list of attributes, each defined by three properties and formatted as ``n=``_name_ ``v=``_value_ ``q=``_qualifier_. The qualifier typically coincides with the name of the VO. + +_Example_: ``n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo`` + +### voms_serial + +The serial number of the Attribute Certificate in hexadecimal format. +_Example_: ``7B`` ## Testing diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp index 7cfdebbc9c12142efed42334a8df6f0cf8a17784..bc3af266bfeb19fc7569d1f94adf235aeb30432d 100644 --- a/src/ngx_http_voms_module.cpp +++ b/src/ngx_http_voms_module.cpp 
@@ -63,29 +63,110 @@ ngx_module_t ngx_http_voms_module = { static std::unique_ptr<vomsdata> vomsdata_ptr; -static ngx_int_t get_voms_fqans( // - ngx_http_request_t* r, - ngx_http_variable_value_t* v, - uintptr_t data); -static ngx_int_t get_voms_user( // +static ngx_int_t generic_getter( // ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data); +using getter_t = std::string(VomsAc const& voms); +static getter_t get_voms_user; +static getter_t get_voms_user_ca; +static getter_t get_voms_fqans; +static getter_t get_voms_server; +static getter_t get_voms_server_ca; +static getter_t get_voms_vo; +static getter_t get_voms_server_uri; +static getter_t get_voms_not_before; +static getter_t get_voms_not_after; +static getter_t get_voms_generic_attributes; +static getter_t get_voms_serial; + static ngx_http_variable_t variables[] = { + { + ngx_string("voms_user"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_user), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_user_ca"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_user_ca), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, { ngx_string("voms_fqans"), NULL, - get_voms_fqans, - 0, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_fqans), NGX_HTTP_VAR_NOCACHEABLE, 0 // }, { - ngx_string("voms_user"), + ngx_string("voms_server"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_server), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_server_ca"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_server_ca), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_vo"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_vo), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_server_uri"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_server_uri), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_not_before"), + NULL, + generic_getter, + 
reinterpret_cast<uintptr_t>(&get_voms_not_before), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_not_after"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_not_after), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_generic_attributes"), + NULL, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_generic_attributes), + NGX_HTTP_VAR_NOCACHEABLE, + 0 // + }, + { + ngx_string("voms_serial"), NULL, - get_voms_user, - 0, + generic_getter, + reinterpret_cast<uintptr_t>(&get_voms_serial), NGX_HTTP_VAR_NOCACHEABLE, 0 // }, @@ -110,9 +191,13 @@ static ngx_int_t add_variables(ngx_conf_t* cf) // return the first AC, if present static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r) { - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__); + ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__); if (!r->http_connection->ssl) { + ngx_log_error(NGX_LOG_ERR, + r->connection->log, + 0, + "SSL not enabled"); return boost::none; } @@ -122,7 +207,7 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r) ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "SSL_get_peer_certificate() failed"); + "no SSL peer certificate available"); return boost::none; } @@ -139,13 +224,8 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r) auto ok = vomsdata_ptr->Retrieve(client_cert.get(), client_chain, RECURSE_CHAIN); if (!ok) { - // vd.error is not interpreted correctly by the logger, which probably uses - // errno - ngx_log_error(NGX_LOG_ERR, - r->connection->log, - vomsdata_ptr->error, - "%s", - vomsdata_ptr->ErrorMessage().c_str()); + auto msg = vomsdata_ptr->ErrorMessage().c_str(); + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "%s", msg); return boost::none; } 
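Review bot: Every row of `variables[]` now passes a function pointer through the `uintptr_t data` slot, and nothing near the table says that `generic_getter` casts it straight back and calls it. I would add a comment above the table such as `// data holds a getter_t*; generic_getter() casts it back and calls it, so it must never be 0`, and next to the `getter_t` alias `static_assert(sizeof(uintptr_t) >= sizeof(getter_t*), "getter pointer must fit in uintptr_t");`. Without that, a later row that keeps `generic_getter` but leaves `data` at 0 would make the handler call a null pointer.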
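Review bot: `auto msg = vomsdata_ptr->ErrorMessage().c_str();` keeps a pointer into a temporary. If `ErrorMessage()` returns `std::string` by value, that string is destroyed at the end of the statement and the following `ngx_log_error` reads freed memory; the removed code called `.c_str()` inside the `ngx_log_error` argument list, where the temporary was still alive. This branch runs whenever `Retrieve()` rejects the chain the client presented, so it is reached on untrusted input. Keep the string alive instead: `auto const msg = vomsdata_ptr->ErrorMessage();` followed by `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "%s", msg.c_str());`. The body of `retrieve_voms_ac_from_proxy` starts and ends outside this hunk.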
@@ -160,7 +240,7 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r) static void clean_voms_ac(void* data) { auto r = static_cast<ngx_http_request_t*>(data); - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__); + ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__); auto p = static_cast<MaybeVomsAc*>( ngx_http_get_module_ctx(r, ngx_http_voms_module)); @@ -188,7 +268,7 @@ static MaybeVomsAc* get_voms_ac_from_cache(ngx_http_request_t* r) static MaybeVomsAc const& get_voms_ac(ngx_http_request_t* r) { - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__); + ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__); MaybeVomsAc* acp = get_voms_ac_from_cache(r); @@ -200,11 +280,11 @@ static MaybeVomsAc const& get_voms_ac(ngx_http_request_t* r) return *acp; } -static ngx_int_t get_voms_fqans(ngx_http_request_t* r, +static ngx_int_t generic_getter(ngx_http_request_t* r, ngx_http_variable_value_t* v, - uintptr_t) + uintptr_t data) { - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__); + ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__); v->not_found = 1; v->valid = 0; 
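Review bot: `generic_getter` is the handler that nginx's C core calls for every `voms_*` variable, and nothing visible in it stops a C++ exception from leaving the function. Its body continues past this hunk, where it calls a `getter_t` that returns `std::string` by value (and, for `voms_fqans`, `boost::algorithm::join`), so at least `std::bad_alloc` can be thrown; an exception unwinding into C frames would most likely terminate the worker process. I would wrap everything after the two `v->` assignments in `try { … } catch (std::exception const& e) { … }`, log `e.what()` at `NGX_LOG_ERR` and return `NGX_OK` with `not_found` still set, which matches how the `ngx_pnalloc()` failure is handled.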
@@ -216,52 +296,120 @@ static ngx_int_t get_voms_fqans(ngx_http_request_t* r, return NGX_OK; } - auto fqans = boost::algorithm::join(ac->fqan, ","); + using getter_p = std::string (*)(VomsAc const& voms); + auto getter = reinterpret_cast<getter_p>(data); + std::string const value = getter(*ac); - auto data = static_cast<u_char*>(ngx_pnalloc(r->pool, fqans.size())); - if (!data) { + auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size())); + if (!buffer) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed"); return NGX_OK; } - ngx_memcpy(data, fqans.c_str(), fqans.size()); + ngx_memcpy(buffer, value.c_str(), value.size()); - v->data = data; - v->len = fqans.size(); + v->data = buffer; + v->len = value.size(); v->valid = 1; v->not_found = 0; v->no_cacheable = 0; return NGX_OK; } -static ngx_int_t get_voms_user(ngx_http_request_t* r, - ngx_http_variable_value_t* v, - uintptr_t) +std::string get_voms_user(VomsAc const& ac) { - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __FUNCTION__); + return ac.user; +} - v->not_found = 1; - v->valid = 0; +std::string get_voms_user_ca(VomsAc const& ac) +{ + return ac.userca; +} - auto& ac = get_voms_ac(r); +std::string get_voms_fqans(VomsAc const& ac) +{ + return boost::algorithm::join(ac.fqan, ","); +} - if (!ac) { - ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "get_voms_ac() failed"); - return NGX_OK; +std::string get_voms_server(VomsAc const& ac) +{ + return ac.server; +} + +std::string get_voms_server_ca(VomsAc const& ac) +{ + return ac.serverca; +} + +std::string get_voms_vo(VomsAc const& ac) +{ + return ac.voname; +} + +std::string get_voms_server_uri(VomsAc const& ac) +{ + return ac.uri; +} + +std::string get_voms_not_before(VomsAc const& ac) +{ + return ac.date1; +} + +std::string get_voms_not_after(VomsAc const& ac) +{ + return ac.date2; +} + +static std::string escape_uri(std::string const& src) +{ + std::string result = src; + + // the following just counts the 
number of characters that need escaping + auto const n_escape = + ngx_escape_uri(nullptr, // <-- + reinterpret_cast<u_char*>(const_cast<char*>(src.data())), + src.size(), + NGX_ESCAPE_URI_COMPONENT); + + if (n_escape > 0) { + result.resize(src.size() + 2 * n_escape); + ngx_escape_uri(reinterpret_cast<u_char*>(const_cast<char*>(result.data())), + reinterpret_cast<u_char*>(const_cast<char*>(src.data())), + src.size(), + NGX_ESCAPE_URI_COMPONENT); } - auto const& user = ac->user; + return result; +} - auto data = static_cast<u_char*>(ngx_pnalloc(r->pool, user.size())); - if (!data) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed"); - return NGX_OK; +static std::string encode(attribute const& a) +{ + return "n=" + a.name + " v=" + escape_uri(a.value) + " q=" + a.qualifier; +} + +std::string get_voms_generic_attributes(VomsAc const& ac) +{ + std::string result; + + // the GetAttributes method is not declared const + auto const attributes = const_cast<VomsAc&>(ac).GetAttributes(); + if (!attributes.empty()) { + auto& gas = attributes.front().attributes; + bool first = true; + for (auto& a : gas) { + if (first) { + first = false; + } else { + result += ','; + } + result += encode(a); + } } - ngx_memcpy(data, user.c_str(), user.size()); - v->data = data; - v->len = user.size(); - v->valid = 1; - v->not_found = 0; - v->no_cacheable = 0; - return NGX_OK; + return result; +} + +std::string get_voms_serial(VomsAc const& ac) +{ + return ac.serial; } diff --git a/t/README.md b/t/README.md index 9cccd8c2b5e4775f114a3b0e0bb209c9fbdb31e3..436da548553ba71f88ec43ab938b26c73a45a3f2 100644 --- a/t/README.md +++ b/t/README.md 
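Review bot: `encode()` escapes only `a.value`, while `a.name` and `a.qualifier` are copied verbatim into a string whose structure relies on spaces, `=` and `,` as separators. A name or qualifier containing one of those characters would make `$voms_generic_attributes` read as a different set of attributes, which matters once a backend or an access rule splits the value; whether VOMS restricts those fields is not visible here. Escaping all three is a one-line change: `return "n=" + escape_uri(a.name) + " v=" + escape_uri(a.value) + " q=" + escape_uri(a.qualifier);`. The same ambiguity applies to `get_voms_fqans`, which joins the FQANs with `,` unescaped, so that function deserves at least a comment stating that a FQAN is assumed not to contain a comma.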
@@ -27,3 +27,19 @@ Using the docker image provided to exploit Openresty in the Storm2 project (see prove -v A copy of the `t` folder is needed since the `prove` command creates a directory `servroot` in `t`. + +### Test coverage + +To enable test coverage pass the `--coverage` option to both the compiler and the linker. For example, if the build happens inside the ``storm2/nginx-voms-build`` image: + +``` + % ./configure ${resty_config_options} --add-module=../ngx_http_voms_module --with-debug --with-cc-opt="-g -O0 --coverage" --with-ld-opt="--coverage" + % make && make install +``` + +Building in debug mode, with no optimizations, helps to better associate coverage information to source code. + +The above command generates data files aside the source files for all Nginx. To enable coverage only for ``ngx_http_voms_module`` the ``--coverage`` option should be passed only when compiling ``ngx_http_voms_module.cpp`` (to be done). + +The run the tests, e.g. with `prove`. This will create other data files with coverage information. To view that information, run `gcov <source of object file>`, e.g. `gcov /home/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/addon/src/ngx_http_voms_module.o`. This will produce files with the ``.gcov`` extension in the current directory. + diff --git a/t/certs/3.cert.pem b/t/certs/3.cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..15be540efb76d6db892021e3b4ca4fb2d3e69f33 --- /dev/null +++ b/t/certs/3.cert.pem 
@@ -0,0 +1,74 @@ +-----BEGIN CERTIFICATE----- +MIIJPDCCCCagAwIBAgIEZ/6+ljALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTY0NTE5WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc0NDc0ODE4MjCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAmS0/UqVrzzRvttdHu/v4y7Sfm5ceFJ4lQfBienwvS3F0oOtJ +7sMqZNktJ2vhAK6ckt5C9PhdvgZa7HJTy1G8GZAbpxEDfAVMSVXFrN8KY7oybA4N +mmr6jfuuXJCUe3DioxQuUHcH8ShXSiGXm/uoQVe7QfPHtHYtk1xmdA//L1kCAwEA +AaOCBtkwggbVMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwggaiBgorBgEEAb5FZGQFBIIGkjCCBo4wggaKMIIGhjCCBW4CAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAXswIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBFowcAYKKwYBBAG+RWRkCwRi +MGAwXjBcMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwOjAcBAhuaWNr +bmFtZQQHbmV3bGFuZAQHdGVzdC52bzAaBAhuaWNrbmFtZQQFZ2lhY28EB3Rlc3Qu +dm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIIDljCCAn6gAwIBAgICAxMw +DQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4G +A1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0yNzEyMDQwOTQ2MzdaMDIx +CzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNVBAMMDHZvbXMuZXhhbXBs +ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALx/yNoeDZNQtJgiGi+t +I/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3VHaVJP0yyTNE+aSxgwI9f +D3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathtadnZUBPPo12BrxlXZ1BLr +e/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB5/d6TzwyQq/OLvgae7y1 +6yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrcdgkJ66++bEe5W0GGwVHA +/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268QWWJsY0vX/qK2ois+Ms/ +6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQzjAnUSZQBztH7 +C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0lBDcwNQYIKwYBBQUHAwEG 
+CCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEGCCsGAQUFBwMEMB8GA1Ud +IwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1UdEQQQMA6CDHZvbXMuZXhh +bXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkEZLmeySeCLJBMS/E8Gk3N +9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRlqulug+HPINOYjz6ooYL4 +9W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvBIjdunx0sPuvQCVE7Cl+1 +GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhhEJ31KWURohUrivcUWkm4 +LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD7CYyv9dqqkJaLFApM123 +6Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO17KQgbnAd6TAJBgNVHTgE +AgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMA0GCSqG +SIb3DQEBCwUAA4IBAQAZoBjoegcM+SPWiBU+qTtYDYRVuShZwzx6L/74iwVMYT5m +waosJYZsMC9FvwdQUpuajrJ2B5LaQwe9iaEekukh/GGFJJme2WVrf6VBhwKBSUtV +f9UMqqF8PSdDwkEwsqSJXFq1mT/izMm+kYy0gppkv3SXDznAYKTtv7+CBPwctbvi +pcAF5b0KT/ET2vy6zpMbbyT/yUraHJ40Uq9/AwHSbUhsG+XDMVwcMdrdvRYVIpKW +AUya8pyGAIOVN/YVtLZ+3l0Kt6Ku8dXMwm1Ym9Yk2xukq1jIGMfyEPKq0Rv2NICy +M5aY7ROPiV+6g8yfTalguqk4RtItSLU+gCX9umv2MAsGCSqGSIb3DQEBBQOCAQEA +iFx5+S5BFWIAZs7vSPFS3krpJKjjTVpF/QidXHhhNdWcyeO8NRalo1/UmaImRWHN +JK+Nw8Io/ldHE9ZbytEnfSCI7ouwqWR3gz924LA9xqd8+8ue0avtrj0bCH2/qid8 +p3IN2HNHRTiPjIcg/0UgOxFcZEoliLhm4cSgKTeZFal7Z6wCADN4dgF5WpPsZ8l7 +gu4RPRfYBjxXLGZwLI0WD6yHKA1cEYe/HU/KXmszQjOCXffi9tB6p9UxCAFzJfGg +U0LnSy+xWpR3sAeZgoUyqdw72ueGlOX0M4vkVmtOupursXW9mQackfeC31dE4pql ++pn63MqMKHqYIgDlIwbZzw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop 
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/3.key.pem b/t/certs/3.key.pem new file mode 100644 index 0000000000000000000000000000000000000000..889603377138258d4da5ea465af424a790cd8b52 --- /dev/null +++ b/t/certs/3.key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCZLT9SpWvPNG+210e7+/jLtJ+blx4UniVB8GJ6fC9LcXSg60nu +wypk2S0na+EArpyS3kL0+F2+BlrsclPLUbwZkBunEQN8BUxJVcWs3wpjujJsDg2a +avqN+65ckJR7cOKjFC5QdwfxKFdKIZeb+6hBV7tB88e0di2TXGZ0D/8vWQIDAQAB +AoGAFA5VnTelnxLJkdIsRVPfpqR2xYOK3745OKIF8u2xr5oiYDOOkaGiOmQpQmEg +q9sxCxXpBHREqe3hF9Z8XEHOdAIFqFt1MgwJB3OmtaXRwDDPJ3WRZFvxYde+/KII +U3ca1tOmoLgVyto/7v+9Z7Rn7g4wFEDlK+r4I+zGtLO6xAECQQDkSRUxDw/w+BOR +Rl2OOdLCgf8Xv+G7z5qd3tRN+UcvQ14EYkAqOnCFNoWZfaxx89qEIVmIAImTgI2N +8EStzPOBAkEAq8XZeK9fbFXG0617odwr0NX6UiKVpl/pR2kxS53+XUxlDusb8Y6d +mqllpDjcD/c28MYyf3wzrp1sSVszk7xH2QJAQrrONAH4IfMSHTQZYtqqLes7+uA/ +Btw/kQgyvPwx/7HMiLGDmhRtEbOHR//BaanjZR4ugp/Nl01Lk4L5QGiZgQJAKgZz +2GT/sZ+iz3MoRkd5qNRRM/smJdhdWI1R9DApZWYla2r2ITlFMeuz5GPM41MWa/3x +qOMYOeZl8eSQT9rGsQJBANxbeVGdg4D0qvgtFSzpclcQiTffW293DP84Bs6QKNW0 +Fkh3ZcFHHDEmeZuDOPBQDI+ZQxT7Yy+of31h2sehsX4= +-----END RSA PRIVATE KEY----- diff --git a/t/certs/3.pem b/t/certs/3.pem new file mode 100644 index 0000000000000000000000000000000000000000..d54e52a3b7da983a844847ef68d0bb39c014cb58 --- /dev/null 
+++ b/t/certs/3.pem 
@@ -0,0 +1,89 @@ +-----BEGIN CERTIFICATE----- +MIIJPDCCCCagAwIBAgIEZ/6+ljALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTY0NTE5WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc0NDc0ODE4MjCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAmS0/UqVrzzRvttdHu/v4y7Sfm5ceFJ4lQfBienwvS3F0oOtJ +7sMqZNktJ2vhAK6ckt5C9PhdvgZa7HJTy1G8GZAbpxEDfAVMSVXFrN8KY7oybA4N +mmr6jfuuXJCUe3DioxQuUHcH8ShXSiGXm/uoQVe7QfPHtHYtk1xmdA//L1kCAwEA +AaOCBtkwggbVMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwggaiBgorBgEEAb5FZGQFBIIGkjCCBo4wggaKMIIGhjCCBW4CAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAXswIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBFowcAYKKwYBBAG+RWRkCwRi +MGAwXjBcMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwOjAcBAhuaWNr +bmFtZQQHbmV3bGFuZAQHdGVzdC52bzAaBAhuaWNrbmFtZQQFZ2lhY28EB3Rlc3Qu +dm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54wggOaMIIDljCCAn6gAwIBAgICAxMw +DQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4G +A1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2MzdaFw0yNzEyMDQwOTQ2MzdaMDIx +CzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxFTATBgNVBAMMDHZvbXMuZXhhbXBs +ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALx/yNoeDZNQtJgiGi+t +I/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq6N1Wjx3VHaVJP0yyTNE+aSxgwI9f +D3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+vtHvathtadnZUBPPo12BrxlXZ1BLr +e/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3T4+Lp4AB5/d6TzwyQq/OLvgae7y1 +6yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQul7kFZBrcdgkJ66++bEe5W0GGwVHA +/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4xY+2BH268QWWJsY0vX/qK2ois+Ms/ +6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQzjAnUSZQBztH7 +C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAwPgYDVR0lBDcwNQYIKwYBBQUHAwEG 
+CCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgBhvhCBAEGCCsGAQUFBwMEMB8GA1Ud +IwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMBcGA1UdEQQQMA6CDHZvbXMuZXhh +bXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI5JKbJgkEZLmeySeCLJBMS/E8Gk3N +9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCvEknM3qRlqulug+HPINOYjz6ooYL4 +9W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5SojWAcvBIjdunx0sPuvQCVE7Cl+1 +GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaUIepJ4dhhEJ31KWURohUrivcUWkm4 +LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8tKJ7G4opD7CYyv9dqqkJaLFApM123 +6Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6nXONQhDO17KQgbnAd6TAJBgNVHTgE +AgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnGMA0GCSqG +SIb3DQEBCwUAA4IBAQAZoBjoegcM+SPWiBU+qTtYDYRVuShZwzx6L/74iwVMYT5m +waosJYZsMC9FvwdQUpuajrJ2B5LaQwe9iaEekukh/GGFJJme2WVrf6VBhwKBSUtV +f9UMqqF8PSdDwkEwsqSJXFq1mT/izMm+kYy0gppkv3SXDznAYKTtv7+CBPwctbvi +pcAF5b0KT/ET2vy6zpMbbyT/yUraHJ40Uq9/AwHSbUhsG+XDMVwcMdrdvRYVIpKW +AUya8pyGAIOVN/YVtLZ+3l0Kt6Ku8dXMwm1Ym9Yk2xukq1jIGMfyEPKq0Rv2NICy +M5aY7ROPiV+6g8yfTalguqk4RtItSLU+gCX9umv2MAsGCSqGSIb3DQEBBQOCAQEA +iFx5+S5BFWIAZs7vSPFS3krpJKjjTVpF/QidXHhhNdWcyeO8NRalo1/UmaImRWHN +JK+Nw8Io/ldHE9ZbytEnfSCI7ouwqWR3gz924LA9xqd8+8ue0avtrj0bCH2/qid8 +p3IN2HNHRTiPjIcg/0UgOxFcZEoliLhm4cSgKTeZFal7Z6wCADN4dgF5WpPsZ8l7 +gu4RPRfYBjxXLGZwLI0WD6yHKA1cEYe/HU/KXmszQjOCXffi9tB6p9UxCAFzJfGg +U0LnSy+xWpR3sAeZgoUyqdw72ueGlOX0M4vkVmtOupursXW9mQackfeC31dE4pql ++pn63MqMKHqYIgDlIwbZzw== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCZLT9SpWvPNG+210e7+/jLtJ+blx4UniVB8GJ6fC9LcXSg60nu +wypk2S0na+EArpyS3kL0+F2+BlrsclPLUbwZkBunEQN8BUxJVcWs3wpjujJsDg2a +avqN+65ckJR7cOKjFC5QdwfxKFdKIZeb+6hBV7tB88e0di2TXGZ0D/8vWQIDAQAB +AoGAFA5VnTelnxLJkdIsRVPfpqR2xYOK3745OKIF8u2xr5oiYDOOkaGiOmQpQmEg +q9sxCxXpBHREqe3hF9Z8XEHOdAIFqFt1MgwJB3OmtaXRwDDPJ3WRZFvxYde+/KII +U3ca1tOmoLgVyto/7v+9Z7Rn7g4wFEDlK+r4I+zGtLO6xAECQQDkSRUxDw/w+BOR +Rl2OOdLCgf8Xv+G7z5qd3tRN+UcvQ14EYkAqOnCFNoWZfaxx89qEIVmIAImTgI2N +8EStzPOBAkEAq8XZeK9fbFXG0617odwr0NX6UiKVpl/pR2kxS53+XUxlDusb8Y6d +mqllpDjcD/c28MYyf3wzrp1sSVszk7xH2QJAQrrONAH4IfMSHTQZYtqqLes7+uA/ 
+Btw/kQgyvPwx/7HMiLGDmhRtEbOHR//BaanjZR4ugp/Nl01Lk4L5QGiZgQJAKgZz +2GT/sZ+iz3MoRkd5qNRRM/smJdhdWI1R9DApZWYla2r2ITlFMeuz5GPM41MWa/3x +qOMYOeZl8eSQT9rGsQJBANxbeVGdg4D0qvgtFSzpclcQiTffW293DP84Bs6QKNW0 +Fkh3ZcFHHDEmeZuDOPBQDI+ZQxT7Yy+of31h2sehsX4= +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop +kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/4.cert.pem b/t/certs/4.cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..8b2c062188be147b5c015f41c905ce3905154b7e --- /dev/null +++ b/t/certs/4.cert.pem 
@@ -0,0 +1,74 @@ +-----BEGIN CERTIFICATE----- +MIIJUTCCCDugAwIBAgIEaWasDzALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTYzNDM5WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc2ODMzNjM5OTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAsH+q/KhzMLzYimKXZ8MV9B81mqWwUNdfkyp3ZmnsZV1yQLJ8 +pLm/zEX6Z+dyVkTfi80qIOIsv+81UtwT+OFeAJ+TR3e432BrXrrPitQuCBYUaTef +LH5iKmtCSiaJnY3BACjUdwRiIOzibcBY3obZR9RtrLZ9DpHR0W/0z1ShW8MCAwEA +AaOCBu4wggbqMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwgga3BgorBgEEAb5FZGQFBIIGpzCCBqMwggafMIIGmzCCBYMCAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAQAwIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBG8wgYQGCisGAQQBvkVkZAsE +djB0MHIwcDAehhx0ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwME4wHgQIbmlj +a25hbWUECW5ld2xhbmQ4NgQHdGVzdC52bzAsBAV0aXRsZQQaYXNzZWduaXN0YSVk +aSVyaWNlcmNhQENOQUYEB3Rlc3Qudm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54w +ggOaMIIDljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMC +SVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2 +MzdaFw0yNzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx +FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq +6N1Wjx3VHaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+v +tHvathtadnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3 +T4+Lp4AB5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQu +l7kFZBrcdgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4x +Y+2BH268QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAw 
+PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB +hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnG +MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI +5JKbJgkEZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCv +EknM3qRlqulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5 +SojWAcvBIjdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaU +IepJ4dhhEJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8t +KJ7G4opD7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6n +XONQhDO17KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3Nnsu +tGnzJ+q39giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQBHsP+LCvcSnQtb4DsD +onUP1cRrjuxDptJUNXhPhmqw4dvLyir5Ea9hhRMzziCMKy8/COcQv6ECwni6xLLX +PFTLHEyp+PEcVxwixGtBXF8W2fniEEkN6buHxykqUEhBxT0R4DS4OFKyNsA3m4WD +TC2WAYx0n1yQTBqaMfOH9Q+/QAzTyWB1WNRfqxWcuZgyCFlw23X/ZzIXpPD7ZX3o +gAIW++i13fa5QzT6uI/iM2vRo/eNvdVs+bGB1130EtKS1nba4CahoyoHJrLGjqiw +58BUD8HqWKMF1UkDr4+UPdUo31xNE94UraZZO4n9bJrrvuQzKgJLfW/1JBjm+lCP +ISVhMAsGCSqGSIb3DQEBBQOCAQEACTHB0rNOG9bv8rz40U7zb8XEkCOd96lOwfZk +OIwSGE+dACn7K4c8c8iWTas6Gw8Ev0d1IbiQNY1Erc36Wy29kna9Qw5Ph81dhhkQ +LMHjd6LO7oXf6jUE164hv1Rnqq8Hdae843pwlntn+eg3HuLYlI2ijUK/kjG5Tw38 +75aRAnJffBh61zcuV7GOrbOQVObaOQYLpon0Qr1tLlFso0MAMAuXK4sgNQtpUIbI +zd2/oXGJwH1SXrcgg+NCRnFjZ5Do+ARzMB8W5/O+N0UiqOJOuaRiPp3sVPffLv0W +UOcUdk1EOhVomM7nVlJzzg49Xvc4+a7a2UIyV3UaB9+VbkVSag== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al 
+xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop +kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/4.key.pem b/t/certs/4.key.pem new file mode 100644 index 0000000000000000000000000000000000000000..3a3d4ba41dabb8c61e7653b4516981b2174e2a56 --- /dev/null +++ b/t/certs/4.key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCwf6r8qHMwvNiKYpdnwxX0HzWapbBQ11+TKndmaexlXXJAsnyk +ub/MRfpn53JWRN+LzSog4iy/7zVS3BP44V4An5NHd7jfYGteus+K1C4IFhRpN58s +fmIqa0JKJomdjcEAKNR3BGIg7OJtwFjehtlH1G2stn0OkdHRb/TPVKFbwwIDAQAB +AoGBAIAppJrlIwggCUmrv++r3LQxOXZ7nCWHzzIJIzyt6+fLTFyofxQKgbiuk9+B +VChKyN02dMH+Gqqg4+KwRpxx4hRy03ahItP7/1bCw6MV9Kd+brj2Zk+QreFrUT+7 +DS8EgL5Hu96K/ksCL+eef9HOGlVWR1R+dfl8ciORRAqHAZ5pAkEA3YG7vG7Iu+nJ +hiONUoTderqTlFpBAV1bDk7cYYUIkdTfLkDIVetFXJOIQUmk0MpVvkjpgXpDjw+1 +XcJb1S70HQJBAMv7tVqoKaNf8P/KTc/xcmp4+qW4gzK1+BWDqo4dwzX9JR+u4mvX +ZBGR86A116wQDourRSchKlTVa+5v3QqSyV8CQCn7PZ6gDJF45MX0lQNPxT5OgEv8 +sxdUHz7d+WzOLuqcwtPcWVvXZGUAXTGqiH896fRPk1oD1ywVGRW1EXydEo0CQD/f +FB1L9KXEf+kIRq8rEkGGmi1UBjjVw9WwwbH4XczE9F/kWd+ctSfPRLLQyTSGXpeb +TG8BMokXvtENU/BgoA8CQQCWsTDPb1hWvL/GQA4wARlo+cQ73n1Uz6fzQJf2WBoV +7HSTpTULFpCaUJLyD3fvA8ofGvzD1mmKgxgsyBe494RA +-----END RSA PRIVATE KEY----- 
diff --git a/t/certs/4.pem b/t/certs/4.pem
new file mode 100644
index 0000000000000000000000000000000000000000..7e55bacd0251ecd1c7a0efb22ff143ff133b1ad1
--- /dev/null
+++ b/t/certs/4.pem
@@ -0,0 +1,89 @@ +-----BEGIN CERTIFICATE----- +MIIJUTCCCDugAwIBAgIEaWasDzALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTYzNDM5WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTc2ODMzNjM5OTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAsH+q/KhzMLzYimKXZ8MV9B81mqWwUNdfkyp3ZmnsZV1yQLJ8 +pLm/zEX6Z+dyVkTfi80qIOIsv+81UtwT+OFeAJ+TR3e432BrXrrPitQuCBYUaTef +LH5iKmtCSiaJnY3BACjUdwRiIOzibcBY3obZR9RtrLZ9DpHR0W/0z1ShW8MCAwEA +AaOCBu4wggbqMA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwgga3BgorBgEEAb5FZGQFBIIGpzCCBqMwggafMIIGmzCCBYMCAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQELBQACAQAwIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBG8wgYQGCisGAQQBvkVkZAsE +djB0MHIwcDAehhx0ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwME4wHgQIbmlj +a25hbWUECW5ld2xhbmQ4NgQHdGVzdC52bzAsBAV0aXRsZQQaYXNzZWduaXN0YSVk +aSVyaWNlcmNhQENOQUYEB3Rlc3Qudm8wggOyBgorBgEEAb5FZGQKBIIDojCCA54w +ggOaMIIDljCCAn6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMC +SVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVzdCBDQTAeFw0xNzEyMDYwOTQ2 +MzdaFw0yNzEyMDQwOTQ2MzdaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx +FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALx/yNoeDZNQtJgiGi+tI/SSK3KREpvv4aOipgMEvcfCf3hReP2UBtOq +6N1Wjx3VHaVJP0yyTNE+aSxgwI9fD3xtpMtYDG7eM2psMhG70+FNAxO1H5k1HR+v +tHvathtadnZUBPPo12BrxlXZ1BLre/I93+ye2tTfEK/u3J2WxxSMYBbYksopjN/3 +T4+Lp4AB5/d6TzwyQq/OLvgae7y16yCn1SjBpNNU09zA3JZ7xAnFny/I23NhAeQu +l7kFZBrcdgkJ66++bEe5W0GGwVHA/mUjK5SssIFGmZrCnm8LYgM001u12+esOA4x +Y+2BH268QWWJsY0vX/qK2ois+Ms/6ysCAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBQzjAnUSZQBztH7C50ZXq3E1/WQxDAOBgNVHQ8BAf8EBAMCBeAw 
+PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB +hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFJF3NnsutGnzJ+q39giLSiOiEUnG +MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOCAQEA4MUI +5JKbJgkEZLmeySeCLJBMS/E8Gk3N9lr+ilhrNkI7e9DgZiruLa3QKllSyESFtpCv +EknM3qRlqulug+HPINOYjz6ooYL49W6Xc3i+RqdapxAwtwETz7QDxnT35LhRITN5 +SojWAcvBIjdunx0sPuvQCVE7Cl+1GbYaNWOVlPWZobwYvISqm3A6si3C7VAZIBaU +IepJ4dhhEJ31KWURohUrivcUWkm4LVwP/Hcg5wM6FbghMdgz/I9wHKaQgISzrx8t +KJ7G4opD7CYyv9dqqkJaLFApM1236Fgitsd7v6SsVTItUVga7p6A0k0kS2rjly6n +XONQhDO17KQgbnAd6TAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFJF3Nnsu +tGnzJ+q39giLSiOiEUnGMA0GCSqGSIb3DQEBCwUAA4IBAQBHsP+LCvcSnQtb4DsD +onUP1cRrjuxDptJUNXhPhmqw4dvLyir5Ea9hhRMzziCMKy8/COcQv6ECwni6xLLX +PFTLHEyp+PEcVxwixGtBXF8W2fniEEkN6buHxykqUEhBxT0R4DS4OFKyNsA3m4WD +TC2WAYx0n1yQTBqaMfOH9Q+/QAzTyWB1WNRfqxWcuZgyCFlw23X/ZzIXpPD7ZX3o +gAIW++i13fa5QzT6uI/iM2vRo/eNvdVs+bGB1130EtKS1nba4CahoyoHJrLGjqiw +58BUD8HqWKMF1UkDr4+UPdUo31xNE94UraZZO4n9bJrrvuQzKgJLfW/1JBjm+lCP +ISVhMAsGCSqGSIb3DQEBBQOCAQEACTHB0rNOG9bv8rz40U7zb8XEkCOd96lOwfZk +OIwSGE+dACn7K4c8c8iWTas6Gw8Ev0d1IbiQNY1Erc36Wy29kna9Qw5Ph81dhhkQ +LMHjd6LO7oXf6jUE164hv1Rnqq8Hdae843pwlntn+eg3HuLYlI2ijUK/kjG5Tw38 +75aRAnJffBh61zcuV7GOrbOQVObaOQYLpon0Qr1tLlFso0MAMAuXK4sgNQtpUIbI +zd2/oXGJwH1SXrcgg+NCRnFjZ5Do+ARzMB8W5/O+N0UiqOJOuaRiPp3sVPffLv0W +UOcUdk1EOhVomM7nVlJzzg49Xvc4+a7a2UIyV3UaB9+VbkVSag== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCwf6r8qHMwvNiKYpdnwxX0HzWapbBQ11+TKndmaexlXXJAsnyk +ub/MRfpn53JWRN+LzSog4iy/7zVS3BP44V4An5NHd7jfYGteus+K1C4IFhRpN58s +fmIqa0JKJomdjcEAKNR3BGIg7OJtwFjehtlH1G2stn0OkdHRb/TPVKFbwwIDAQAB +AoGBAIAppJrlIwggCUmrv++r3LQxOXZ7nCWHzzIJIzyt6+fLTFyofxQKgbiuk9+B +VChKyN02dMH+Gqqg4+KwRpxx4hRy03ahItP7/1bCw6MV9Kd+brj2Zk+QreFrUT+7 +DS8EgL5Hu96K/ksCL+eef9HOGlVWR1R+dfl8ciORRAqHAZ5pAkEA3YG7vG7Iu+nJ +hiONUoTderqTlFpBAV1bDk7cYYUIkdTfLkDIVetFXJOIQUmk0MpVvkjpgXpDjw+1 +XcJb1S70HQJBAMv7tVqoKaNf8P/KTc/xcmp4+qW4gzK1+BWDqo4dwzX9JR+u4mvX 
+ZBGR86A116wQDourRSchKlTVa+5v3QqSyV8CQCn7PZ6gDJF45MX0lQNPxT5OgEv8 +sxdUHz7d+WzOLuqcwtPcWVvXZGUAXTGqiH896fRPk1oD1ywVGRW1EXydEo0CQD/f +FB1L9KXEf+kIRq8rEkGGmi1UBjjVw9WwwbH4XczE9F/kWd+ctSfPRLLQyTSGXpeb +TG8BMokXvtENU/BgoA8CQQCWsTDPb1hWvL/GQA4wARlo+cQ73n1Uz6fzQJf2WBoV +7HSTpTULFpCaUJLyD3fvA8ofGvzD1mmKgxgsyBe494RA +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop +kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/5.cert.pem b/t/certs/5.cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..b25264afa65b40e8692a0e91e9b68edef0aa08d9 --- /dev/null +++ b/t/certs/5.cert.pem 
@@ -0,0 +1,73 @@ +-----BEGIN CERTIFICATE----- +MIIJITCCCAugAwIBAgIEVBnC3jALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTcwNDE4WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTQxMDk3NDQzMDCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAjfmLCX/7rKN8l4qHZHtS/qbg1798BQFjhZzRE8gurDnXXYMJ +6c/hHvUzWzF2J36gIa946TQ3H5Rxvv41XMO/wPnpG2fhFpi5s5GZDjXNFtC5Qrt+ +OUvqUQgRRvfm8K/MwlFm2p+/kLhnIMuk1SnBSPO1tTwWWCJsrn/L2rKfwy0CAwEA +AaOCBr4wgga6MA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwggaHBgorBgEEAb5FZGQFBIIGdzCCBnMwggZvMIIGazCCBVMCAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQEFBQACAXswIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBD8wVAYKKwYBBAG+RWRkCwRG +MEQwQjBAMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwHjAcBAhuaWNr +bmFtZQQHbmV3bGFuZAQHdGVzdC52bzCCA7MGCisGAQQBvkVkZAoEggOjMIIDnzCC +A5swggOXMIICf6ADAgECAgECMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNVBAYTAklU +MQwwCgYDVQQKDANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjAeFw0xODAzMTQxNjE4 +MzRaFw0yODAzMTExNjE4MzRaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx +FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMoP18aRzBWhlzILIP2UEVdGWTp5Pu9Tq5soMGTavMULkCVn5UYGLc/d +QhUI8R7ti+XJyz3MSneSY6+slKfmiQZkDLwoUtFQSAJUW1ttng/uifQBISXqrK8G +pJLOMi8QVPY3An7g5yr9QpLI/1zx8oNim9l99gjLhD4DJqMBos6c3tk3Jn5sElAU +iEe8aJFq9tUFcOb9EAVlVkVvlSLS1FV3zPX6CKQ2LPqyR5BsxIQ2rCT42aiZZuBe +ljQeZUiGDxB76T0aP+pTn3AwDDCT0/ln0WZ8oEAo/msXct/VW6cPKLyS0cgxpmTg +0cAd9t24A7ExndgNVFbfaTXxVcyEUtECAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBRf/uXVrKNs9BmoAn3wuJpn0KmhHzAOBgNVHQ8BAf8EBAMCBeAw +PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB 
+hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFDcDy5ZCOhSPvVtyKu7wa6htT4xE +MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQUFAAOCAQEA0nUh +VJDGiBUleUht0bpax1iksDVeMBrPuj82/B6ckatUyqg+Kjx1RFUqJ97nD9jIN5Gx +ZSq/gTdaD7Qx1ix94P/hNsTP17OjIL59uyau9lXfaEaDTJCD7m5dFkyrlAJhGLtI +4HjDzo6HMM2CGYpq2ZCk2wD87v2xyPEPCMZHeNp+LzPxjxaA8JehcvlabjASKCrD +ys2zx/Gr4du4FgFUt1+e315WJW7UcnikXcXqksBrpqq9BnNvX1cpONsT8X1RYK8h +/nn6pYzMEjR2MpIknp5tUVYtBSgJm8rXjvMi6qWAgmuDXio1U2e8BVusDiRIGu+Y +luWKfyhkHq7sERhmRTAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFDcDy5ZC +OhSPvVtyKu7wa6htT4xEMA0GCSqGSIb3DQEBBQUAA4IBAQAesk/1rW0Umm15WUfM +UcT6JwZfTDAoWGhhtPsHplDQg+VBonwJtn0S8CfaMFj2kPk+2QtRHFVT/cEiMrtC +RrLEqhXBu5p20m3Cn9mWQRMflwqFTVa+j4cQG2m9ed6EBYtwP7NngWKWaGdcVdym +Kq2zRpSiUKWUOMhJir4evO3+BDMUV6FPXxXYmnVtCNY1R7pYDm+QJHzt94WbCIfb +jSS+f4Y7/a8veQLVVj1YFcCOWa/KxoQUE4KLCw8HCVGifE97L2MYU7G69o/Uf1YW +vXDZRZUsPG/PxkdhYfooiPVdpAvmlhrbeTOcSnmImvsvXyJf/8RPRERpjN9lSrhC +hAE9MAsGCSqGSIb3DQEBBQOCAQEAqstqHQSjeHfslXxCH4YMnb2FP2n7iCGqO8tB +qxUqYVCcbBlLT+Dy8IngHVKpl4Nubmduw+0UY45TIT+9PG99UJM7jkQWB9V79CZ7 +ZPqGalQmTzl7SRZsPervhN8spKgcKhWMk9v3GioVGFDj+4ujtUzcCYKfLfH8LS24 +hES0fUIxJSM2wWwmRIHeD5skGtQNnGoggptWywTgemLq15V7wfU6YIbs8DLiBU1N +a7b3ahC2ydHH/LrPO5D5wLKMmS7/btLk51Fs5Sj60kX1lhfzrmEPUortu5rqTV40 +gG9671U+lbzh4sMo1DNWEvN6Es/grnxWnPlwC7qYHk/DGTQZfQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop 
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/5.key.pem b/t/certs/5.key.pem new file mode 100644 index 0000000000000000000000000000000000000000..d9a7313fc32c890df3cf52e89644f9cab7ec26cf --- /dev/null +++ b/t/certs/5.key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCN+YsJf/uso3yXiodke1L+puDXv3wFAWOFnNETyC6sOdddgwnp +z+Ee9TNbMXYnfqAhr3jpNDcflHG+/jVcw7/A+ekbZ+EWmLmzkZkONc0W0LlCu345 +S+pRCBFG9+bwr8zCUWban7+QuGcgy6TVKcFI87W1PBZYImyuf8vasp/DLQIDAQAB +AoGBAIYeFGAXDNLbZhlp/djIP3DciE6HT0sTMsbHiyLa2mxL/80Qus6rWAj8rVUa +dnl8vxzTPK9gaipk+sboMdS9/meB/I+o5MtkzW6QNvZc5N9gTB+tJoaYwTXi6Otr +VGePoBjmHUENtUnR/eJ5IPyhjbzZJurX6EYXVwzF6J4DXiCpAkEA+7gzHS8rLm6e +wHYqc8KKJDdDnI464GTZyD/UVa40S9QU6tX7aRNPBwyyC8Wo23ljnfc3qsiBXpdd +l25YLXseRwJBAJBjmJqISXB1l5OTawpVQpxM75e4k79SoIZTT7Mq8A/RC4V8sClB +5a7XIpP1vjqa1a8td3G/xpLi4wLS4QWxSOsCQAmq4GOtjRYCb5xqrWS2wwFzEeiw +WbiGhwq20NvdjeqfoZIHV9mIQU+/ABONqteLCPVnKj8n5jgQzipjtYVBpj8CQFqG +pwnUAr9IarUyyvyagf2+2sS0C6X7ZvtwxlpdxE8WUHPrvgLP9vIMnfhILXFO3ERN +bELb6uLy70M49a38/esCQBNngfqmh4dxMWA811Nlw0eXu47CcFVY7T71rZBBEe+T ++1M/Du1Y5Qqj5wnvezmMdpGD9apHfmPnqAJRSKbYmoY= +-----END RSA PRIVATE KEY----- diff --git a/t/certs/5.pem b/t/certs/5.pem new file mode 100644 index 0000000000000000000000000000000000000000..8bc2d80fa63d8ea975d727dc8e54baa0a5c9f6db --- /dev/null 
+++ b/t/certs/5.pem 
@@ -0,0 +1,88 @@ +-----BEGIN CERTIFICATE----- +MIIJITCCCAugAwIBAgIEVBnC3jALBgkqhkiG9w0BAQUwKzELMAkGA1UEBhMCSVQx +DDAKBgNVBAoTA0lHSTEOMAwGA1UEAxMFdGVzdDAwHhcNMTgwMzE1MTcwNDE4WhcN +MjIwOTI0MTUzOTM0WjBAMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYD +VQQDEwV0ZXN0MDETMBEGA1UEAxMKMTQxMDk3NDQzMDCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAjfmLCX/7rKN8l4qHZHtS/qbg1798BQFjhZzRE8gurDnXXYMJ +6c/hHvUzWzF2J36gIa946TQ3H5Rxvv41XMO/wPnpG2fhFpi5s5GZDjXNFtC5Qrt+ +OUvqUQgRRvfm8K/MwlFm2p+/kLhnIMuk1SnBSPO1tTwWWCJsrn/L2rKfwy0CAwEA +AaOCBr4wgga6MA4GA1UdDwEB/wQEAwIF4DAdBggrBgEFBQcBDgEB/wQOMAwwCgYI +KwYBBQUHFQEwggaHBgorBgEEAb5FZGQFBIIGdzCCBnMwggZvMIIGazCCBVMCAQEw +NqA0MC+kLTArMQswCQYDVQQGEwJJVDEMMAoGA1UEChMDSUdJMQ4wDAYDVQQDEwV0 +ZXN0MAIBCaA4MDakNDAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUwEwYD +VQQDDAx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQEFBQACAXswIhgPMjAxODAxMDEw +MDAwMDBaGA8yMDMwMDEwMTAwMDAwMFowYzBhBgorBgEEAb5FZGQEMVMwUaAehhx0 +ZXN0LnZvOi8vdm9tcy5leGFtcGxlOjE1MDAwMC8ECi90ZXN0L2V4cDEECi90ZXN0 +L2V4cDIEFS90ZXN0L2V4cDMvUm9sZT1QSVBQTzCCBD8wVAYKKwYBBAG+RWRkCwRG +MEQwQjBAMB6GHHRlc3Qudm86Ly92b21zLmV4YW1wbGU6MTUwMDAwHjAcBAhuaWNr +bmFtZQQHbmV3bGFuZAQHdGVzdC52bzCCA7MGCisGAQQBvkVkZAoEggOjMIIDnzCC +A5swggOXMIICf6ADAgECAgECMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNVBAYTAklU +MQwwCgYDVQQKDANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjAeFw0xODAzMTQxNjE4 +MzRaFw0yODAzMTExNjE4MzRaMDIxCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kx +FTATBgNVBAMMDHZvbXMuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMoP18aRzBWhlzILIP2UEVdGWTp5Pu9Tq5soMGTavMULkCVn5UYGLc/d +QhUI8R7ti+XJyz3MSneSY6+slKfmiQZkDLwoUtFQSAJUW1ttng/uifQBISXqrK8G +pJLOMi8QVPY3An7g5yr9QpLI/1zx8oNim9l99gjLhD4DJqMBos6c3tk3Jn5sElAU +iEe8aJFq9tUFcOb9EAVlVkVvlSLS1FV3zPX6CKQ2LPqyR5BsxIQ2rCT42aiZZuBe +ljQeZUiGDxB76T0aP+pTn3AwDDCT0/ln0WZ8oEAo/msXct/VW6cPKLyS0cgxpmTg +0cAd9t24A7ExndgNVFbfaTXxVcyEUtECAwEAAaOBujCBtzAMBgNVHRMBAf8EAjAA +MB0GA1UdDgQWBBRf/uXVrKNs9BmoAn3wuJpn0KmhHzAOBgNVHQ8BAf8EBAMCBeAw +PgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB 
+hvhCBAEGCCsGAQUFBwMEMB8GA1UdIwQYMBaAFDcDy5ZCOhSPvVtyKu7wa6htT4xE +MBcGA1UdEQQQMA6CDHZvbXMuZXhhbXBsZTANBgkqhkiG9w0BAQUFAAOCAQEA0nUh +VJDGiBUleUht0bpax1iksDVeMBrPuj82/B6ckatUyqg+Kjx1RFUqJ97nD9jIN5Gx +ZSq/gTdaD7Qx1ix94P/hNsTP17OjIL59uyau9lXfaEaDTJCD7m5dFkyrlAJhGLtI +4HjDzo6HMM2CGYpq2ZCk2wD87v2xyPEPCMZHeNp+LzPxjxaA8JehcvlabjASKCrD +ys2zx/Gr4du4FgFUt1+e315WJW7UcnikXcXqksBrpqq9BnNvX1cpONsT8X1RYK8h +/nn6pYzMEjR2MpIknp5tUVYtBSgJm8rXjvMi6qWAgmuDXio1U2e8BVusDiRIGu+Y +luWKfyhkHq7sERhmRTAJBgNVHTgEAgUAMCUGA1UdIwQeMByAGgQYMBaAFDcDy5ZC +OhSPvVtyKu7wa6htT4xEMA0GCSqGSIb3DQEBBQUAA4IBAQAesk/1rW0Umm15WUfM +UcT6JwZfTDAoWGhhtPsHplDQg+VBonwJtn0S8CfaMFj2kPk+2QtRHFVT/cEiMrtC +RrLEqhXBu5p20m3Cn9mWQRMflwqFTVa+j4cQG2m9ed6EBYtwP7NngWKWaGdcVdym +Kq2zRpSiUKWUOMhJir4evO3+BDMUV6FPXxXYmnVtCNY1R7pYDm+QJHzt94WbCIfb +jSS+f4Y7/a8veQLVVj1YFcCOWa/KxoQUE4KLCw8HCVGifE97L2MYU7G69o/Uf1YW +vXDZRZUsPG/PxkdhYfooiPVdpAvmlhrbeTOcSnmImvsvXyJf/8RPRERpjN9lSrhC +hAE9MAsGCSqGSIb3DQEBBQOCAQEAqstqHQSjeHfslXxCH4YMnb2FP2n7iCGqO8tB +qxUqYVCcbBlLT+Dy8IngHVKpl4Nubmduw+0UY45TIT+9PG99UJM7jkQWB9V79CZ7 +ZPqGalQmTzl7SRZsPervhN8spKgcKhWMk9v3GioVGFDj+4ujtUzcCYKfLfH8LS24 +hES0fUIxJSM2wWwmRIHeD5skGtQNnGoggptWywTgemLq15V7wfU6YIbs8DLiBU1N +a7b3ahC2ydHH/LrPO5D5wLKMmS7/btLk51Fs5Sj60kX1lhfzrmEPUortu5rqTV40 +gG9671U+lbzh4sMo1DNWEvN6Es/grnxWnPlwC7qYHk/DGTQZfQ== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCN+YsJf/uso3yXiodke1L+puDXv3wFAWOFnNETyC6sOdddgwnp +z+Ee9TNbMXYnfqAhr3jpNDcflHG+/jVcw7/A+ekbZ+EWmLmzkZkONc0W0LlCu345 +S+pRCBFG9+bwr8zCUWban7+QuGcgy6TVKcFI87W1PBZYImyuf8vasp/DLQIDAQAB +AoGBAIYeFGAXDNLbZhlp/djIP3DciE6HT0sTMsbHiyLa2mxL/80Qus6rWAj8rVUa +dnl8vxzTPK9gaipk+sboMdS9/meB/I+o5MtkzW6QNvZc5N9gTB+tJoaYwTXi6Otr +VGePoBjmHUENtUnR/eJ5IPyhjbzZJurX6EYXVwzF6J4DXiCpAkEA+7gzHS8rLm6e +wHYqc8KKJDdDnI464GTZyD/UVa40S9QU6tX7aRNPBwyyC8Wo23ljnfc3qsiBXpdd +l25YLXseRwJBAJBjmJqISXB1l5OTawpVQpxM75e4k79SoIZTT7Mq8A/RC4V8sClB +5a7XIpP1vjqa1a8td3G/xpLi4wLS4QWxSOsCQAmq4GOtjRYCb5xqrWS2wwFzEeiw 
+WbiGhwq20NvdjeqfoZIHV9mIQU+/ABONqteLCPVnKj8n5jgQzipjtYVBpj8CQFqG +pwnUAr9IarUyyvyagf2+2sS0C6X7ZvtwxlpdxE8WUHPrvgLP9vIMnfhILXFO3ERN +bELb6uLy70M49a38/esCQBNngfqmh4dxMWA811Nlw0eXu47CcFVY7T71rZBBEe+T ++1M/Du1Y5Qqj5wnvezmMdpGD9apHfmPnqAJRSKbYmoY= +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX +DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG +A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw +hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R +BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc +CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK +2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al +xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop +kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU +fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG +CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF +BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe +gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB +AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx +d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu +SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf +49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg +C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N +vDxcPMc/wmnMa+smNal0sJ6m +-----END CERTIFICATE----- diff --git a/t/certs/README.md b/t/certs/README.md index b23d8ee80f41691f24b2d130d3b5419b7f963b0a..7b3f68a8821b5c8ba0e99a413b62f594956a6df3 100644 --- a/t/certs/README.md +++ b/t/certs/README.md 
@@ -6,11 +6,21 @@ Proxy certificates are generated using [VOMS client 3.3.0](http://italiangrid.gi * 0.pem: long-lived proxy certificate, without Attribute Certificate (AC); * 1.pem: long-lived proxy certificate, with an expired AC; * 2.pem: expired proxy certificate. + * 3.pem: long-lived proxy with valid VOMS attributes + * 4.pem: long-lived proxy with VOMS generic attributes containing reserved characters + * 5.pem: long-lived proxy with VOMS AC signed by an untrusted CA To obtain such certificates the following command is used: VOMS_CLIENTS_JAVA_OPTIONS="-Dvoms.fake.vo=test.vo -Dvoms.fake=true -Dvoms.fake.aaCert=<path_to_cert>/voms_example.cert.pem -Dvoms.fake.aaKey=<path_to_key>/voms_example.key.pem" voms-proxy-init3 -voms test.vo -cert <path_to_test0>/test0.p12 --valid <validity> +Once VOMS proxy certificates are generated in a `*.pem` format, they need to be split in certificates and key to be used in Openresty tests. `*.cert.pem` and `*.key.pem` files are obtained by simpling typing + + awk '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/' <name>.pem > <name>.key.pem + awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' <name>.pem > <name>.cert.pem + +in the `certs` folder, where `<name>` could be for instance `0,1,2` etc. + *voms\_example.cert.pem* and *voms\_example.ket.pem* can be found in the `certs` folder. To perform correctly the VOMS AC validation, a \*.lsc or \*.pem file is needed in `/etc/grid-security/vomsdir`, see [VOMS client 3.3.0 User Guide](http://italiangrid.github.io/voms/documentation/voms-clients-guide/3.0.3/) for further details. An example of *voms.example.lsc* can be found in `vomsdir/test.vo`. diff --git a/t/certs/voms_example_2.cert.pem b/t/certs/voms_example_2.cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..cfca8b81c43bd9fbc77fff4efae89f8ad538c818 --- /dev/null +++ b/t/certs/voms_example_2.cert.pem 
@@ -0,0 +1,85 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=IT, O=IGI, CN=Test CA 2 + Validity + Not Before: Mar 14 16:18:34 2018 GMT + Not After : Mar 11 16:18:34 2028 GMT + Subject: C=IT, O=IGI, CN=voms.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:ca:0f:d7:c6:91:cc:15:a1:97:32:0b:20:fd:94: + 11:57:46:59:3a:79:3e:ef:53:ab:9b:28:30:64:da: + bc:c5:0b:90:25:67:e5:46:06:2d:cf:dd:42:15:08: + f1:1e:ed:8b:e5:c9:cb:3d:cc:4a:77:92:63:af:ac: + 94:a7:e6:89:06:64:0c:bc:28:52:d1:50:48:02:54: + 5b:5b:6d:9e:0f:ee:89:f4:01:21:25:ea:ac:af:06: + a4:92:ce:32:2f:10:54:f6:37:02:7e:e0:e7:2a:fd: + 42:92:c8:ff:5c:f1:f2:83:62:9b:d9:7d:f6:08:cb: + 84:3e:03:26:a3:01:a2:ce:9c:de:d9:37:26:7e:6c: + 12:50:14:88:47:bc:68:91:6a:f6:d5:05:70:e6:fd: + 10:05:65:56:45:6f:95:22:d2:d4:55:77:cc:f5:fa: + 08:a4:36:2c:fa:b2:47:90:6c:c4:84:36:ac:24:f8: + d9:a8:99:66:e0:5e:96:34:1e:65:48:86:0f:10:7b: + e9:3d:1a:3f:ea:53:9f:70:30:0c:30:93:d3:f9:67: + d1:66:7c:a0:40:28:fe:6b:17:72:df:d5:5b:a7:0f: + 28:bc:92:d1:c8:31:a6:64:e0:d1:c0:1d:f6:dd:b8: + 03:b1:31:9d:d8:0d:54:56:df:69:35:f1:55:cc:84: + 52:d1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 5F:FE:E5:D5:AC:A3:6C:F4:19:A8:02:7D:F0:B8:9A:67:D0:A9:A1:1F + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, E-mail Protection + X509v3 Authority Key Identifier: + keyid:37:03:CB:96:42:3A:14:8F:BD:5B:72:2A:EE:F0:6B:A8:6D:4F:8C:44 + + X509v3 Subject Alternative Name: + DNS:voms.example + Signature Algorithm: sha1WithRSAEncryption + d2:75:21:54:90:c6:88:15:25:79:48:6d:d1:ba:5a:c7:58:a4: + b0:35:5e:30:1a:cf:ba:3f:36:fc:1e:9c:91:ab:54:ca:a8:3e: 
+ 2a:3c:75:44:55:2a:27:de:e7:0f:d8:c8:37:91:b1:65:2a:bf: + 81:37:5a:0f:b4:31:d6:2c:7d:e0:ff:e1:36:c4:cf:d7:b3:a3: + 20:be:7d:bb:26:ae:f6:55:df:68:46:83:4c:90:83:ee:6e:5d: + 16:4c:ab:94:02:61:18:bb:48:e0:78:c3:ce:8e:87:30:cd:82: + 19:8a:6a:d9:90:a4:db:00:fc:ee:fd:b1:c8:f1:0f:08:c6:47: + 78:da:7e:2f:33:f1:8f:16:80:f0:97:a1:72:f9:5a:6e:30:12: + 28:2a:c3:ca:cd:b3:c7:f1:ab:e1:db:b8:16:01:54:b7:5f:9e: + df:5e:56:25:6e:d4:72:78:a4:5d:c5:ea:92:c0:6b:a6:aa:bd: + 06:73:6f:5f:57:29:38:db:13:f1:7d:51:60:af:21:fe:79:fa: + a5:8c:cc:12:34:76:32:92:24:9e:9e:6d:51:56:2d:05:28:09: + 9b:ca:d7:8e:f3:22:ea:a5:80:82:6b:83:5e:2a:35:53:67:bc: + 05:5b:ac:0e:24:48:1a:ef:98:96:e5:8a:7f:28:64:1e:ae:ec: + 11:18:66:45 +-----BEGIN CERTIFICATE----- +MIIDlzCCAn+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADAvMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRIwEAYDVQQDDAlUZXN0IENBIDIwHhcNMTgwMzE0MTYxODM0 +WhcNMjgwMzExMTYxODM0WjAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUw +EwYDVQQDDAx2b21zLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDKD9fGkcwVoZcyCyD9lBFXRlk6eT7vU6ubKDBk2rzFC5AlZ+VGBi3P3UIV +CPEe7Yvlycs9zEp3kmOvrJSn5okGZAy8KFLRUEgCVFtbbZ4P7on0ASEl6qyvBqSS +zjIvEFT2NwJ+4Ocq/UKSyP9c8fKDYpvZffYIy4Q+AyajAaLOnN7ZNyZ+bBJQFIhH +vGiRavbVBXDm/RAFZVZFb5Ui0tRVd8z1+gikNiz6skeQbMSENqwk+NmomWbgXpY0 +HmVIhg8Qe+k9Gj/qU59wMAwwk9P5Z9FmfKBAKP5rF3Lf1VunDyi8ktHIMaZk4NHA +HfbduAOxMZ3YDVRW32k18VXMhFLRAgMBAAGjgbowgbcwDAYDVR0TAQH/BAIwADAd +BgNVHQ4EFgQUX/7l1ayjbPQZqAJ98LiaZ9CpoR8wDgYDVR0PAQH/BAQDAgXgMD4G +A1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4 +QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBQ3A8uWQjoUj71bciru8GuobU+MRDAX +BgNVHREEEDAOggx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQEFBQADggEBANJ1IVSQ +xogVJXlIbdG6WsdYpLA1XjAaz7o/NvwenJGrVMqoPio8dURVKife5w/YyDeRsWUq +v4E3Wg+0MdYsfeD/4TbEz9ezoyC+fbsmrvZV32hGg0yQg+5uXRZMq5QCYRi7SOB4 +w86OhzDNghmKatmQpNsA/O79scjxDwjGR3jafi8z8Y8WgPCXoXL5Wm4wEigqw8rN +s8fxq+HbuBYBVLdfnt9eViVu1HJ4pF3F6pLAa6aqvQZzb19XKTjbE/F9UWCvIf55 ++qWMzBI0djKSJJ6ebVFWLQUoCZvK147zIuqlgIJrg14qNVNnvAVbrA4kSBrvmJbl +in8oZB6u7BEYZkU= 
+-----END CERTIFICATE----- diff --git a/t/certs/voms_example_2.key.pem b/t/certs/voms_example_2.key.pem new file mode 100644 index 0000000000000000000000000000000000000000..9496d59d8bcd54cb8bbb5ebc75109080f19490d9 --- /dev/null +++ b/t/certs/voms_example_2.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAyg/XxpHMFaGXMgsg/ZQRV0ZZOnk+71OrmygwZNq8xQuQJWfl +RgYtz91CFQjxHu2L5cnLPcxKd5Jjr6yUp+aJBmQMvChS0VBIAlRbW22eD+6J9AEh +Jeqsrwakks4yLxBU9jcCfuDnKv1Cksj/XPHyg2Kb2X32CMuEPgMmowGizpze2Tcm +fmwSUBSIR7xokWr21QVw5v0QBWVWRW+VItLUVXfM9foIpDYs+rJHkGzEhDasJPjZ +qJlm4F6WNB5lSIYPEHvpPRo/6lOfcDAMMJPT+WfRZnygQCj+axdy39Vbpw8ovJLR +yDGmZODRwB323bgDsTGd2A1UVt9pNfFVzIRS0QIDAQABAoIBAC16D1hTrBkaO0s6 +EfzAfH6mCKMOcsmujSroiqvIR0AZ8CFbFtEBxwHHjH3re0k4sYnQNvv7pK7wtZru +Pq7jRee4UN1wPeN6LBrKHZ2gODjhuQ6/ylQcUy05U4Tu/4B0LosTqm4f9CdKxNcA +gejLU4eag/UZUmx8UZEbaHC7h4b0hQxu0EKEYZGo34azLRBaBqREtm2FpVk9ycJk ++Ij4a+qUfwCDJl8Z61hh4BNT7tWJVy5R61qxlD5Y9+thG7p2pgLCAyXVskgYfwCV +/AYOblWM9mEKpfnhEkhG0e2AO9/jOSsVaXWbiKC4tq59Lh3s6P5c0vlM4lMG4ZRS +axWVRBkCgYEA6xU9AaW5sd8gtOk1zpKVga5PdcewkCMj4eABZvuXW4B2wJr3KDIi +TYAZFqz6t7yy7VxhR75lXECbmyFB1uoHxt9yl+yY6R0IQEKsLA9xvEw2Xzqr7gch +Tfv+sQsIoW+nl5Z4TTrNMRoBwvzTZNkBSUQXRhOOfWhQUKJ/ZrDvS6MCgYEA3Apx +0YPQrb5r8V4hu6OyPhfUp3ZsoKvOyLVKKv7Yhx2u/yXCtsCXP+c5sNDFN3vxoWxX +8uOgZUrwhKF5ieYSQB0uSZONzHGtItRtaAaSGdQ4s7UDbWFHEfxR9XE1ZP8m/A5Z +wN0knnTQjve1ZyovTSGSs0zzRQoZaYmw6WFYzvsCgYEA1S46V48Y+WNVPpmpsL2f +FK2k4zMGO3+SX5gKzX/j/xddGUauUWY9UziSB80vw4U8YSGAGlZfhqwUMDaVhTZP +fRpOydTFycgJHnUXuxD6W/5k5DDJjx4qJpUZnyVZW0Rsn3vVdnuXbiqeZFtvvClK +EE3OKT883R7Gjoj9rXtQVa8CgYEAkLtiACCGyzFcSMfUwlo67HK6UmgnrUs02Xm9 +TiiQfdc9et/4gkKNed/6Z136yrMAzV+5Pa8Rmm6/Y03e5qBpUrie8JBYjagb7LPz +PqBLyyd3IGUo2vJIUAE6W4naSBM4LkS2LpCG/J7za4ZtUG1D7aTunHc58ChjbLK/ +pdJ9Gq8CgYEAmQHYXsVzjhxLDdYJGj4Dg2abaSL4y0e+76zP/AVfeNHfAoztm2w2 +WJm5Xdf1NFEP+aopuGl9D4ikGvZ5bHscAgj/L3rbrOCz1XAmIwAcpcPE782vV1Pe +AEM7dszw7BXxvh5Fld1SJcC+/bUW7JTRzPRJmfz/jF/AF4SKkE9yk6Q= +-----END RSA PRIVATE KEY----- 
diff --git a/t/encoding.t b/t/encoding.t
new file mode 100644
index 0000000000000000000000000000000000000000..dfd9e4de6a6ebddeb6131d11d466a66b03aab362
--- /dev/null
+++ b/t/encoding.t
@@ -0,0 +1,37 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: valid AC, verification of VOMS generic attributes encoding
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+ env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ ssl_verify_client on;
+ location = / {
+ default_type text/plain;
+ echo $voms_generic_attributes;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass https://localhost:8443/;
+ proxy_ssl_certificate ../../certs/4.cert.pem;
+ proxy_ssl_certificate_key ../../certs/4.key.pem;
+ }
+--- request
+GET /
+--- response_body
+n=nickname v=newland86 q=test.vo,n=title v=assegnista%25di%25ricerca%40CNAF q=test.vo
+--- error_code: 200
diff --git a/t/expired_proxy.t b/t/expired.t
similarity index 100%
rename from t/expired_proxy.t
rename to t/expired.t
diff --git a/t/expired_ac_proxy.t b/t/expired_ac.t
similarity index 100%
rename from t/expired_ac_proxy.t
rename to t/expired_ac.t
diff --git a/t/empty_voms_proxy.t b/t/no_ac.t
similarity index 100%
rename from t/empty_voms_proxy.t
rename to t/no_ac.t
diff --git a/t/no_ssl.t b/t/no_ssl.t
new file mode 100644
index 0000000000000000000000000000000000000000..26c696a10b430331e155f4fd0f884ec86c18afa4
--- /dev/null
+++ b/t/no_ssl.t
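Review bot: The expected `--- response_body` in `t/encoding.t` only exercises `%` and `@`, so it does not pin down how the characters that structure `$voms_generic_attributes` itself are handled: the `,` between attributes, the space between the `n=`/`v=`/`q=` fields, and `=`. If a value containing one of those were emitted unencoded, a consumer splitting the variable could read fields the Attribute Certificate never carried. The encoder is outside this hunk, so this may already be handled, but nothing here would catch a regression. I would extend the fixture with a generic attribute whose value contains `,`, a space and `=`, assert its percent-encoded form, and add a description line under the `=== TEST 1` title such as `reserved characters in n/v/q are percent-encoded so the field delimiters stay unambiguous`.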
@@ -0,0 +1,31 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: HTTP connection, no SSL
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443;
+ location = / {
+ default_type text/plain;
+ echo $voms_user;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass http://localhost:8443/;
+ }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+SSL not enabled
+--- error_code: 200
diff --git a/t/pippo b/t/pippo
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/t/ssl_no_client_authn.t b/t/ssl_no_client_authn.t
new file mode 100644
index 0000000000000000000000000000000000000000..e1042d60603ee70be8fb79af099ff1348365a497
--- /dev/null
+++ b/t/ssl_no_client_authn.t
@@ -0,0 +1,35 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: HTTPS with no X.509 client authentication
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ location = / {
+ default_type text/plain;
+ echo $voms_user;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass https://localhost:8443/;
+ }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+no SSL peer certificate available
+--- error_code: 200
diff --git a/t/trust-anchors/21ca5d6a.0 b/t/trust-anchors/21ca5d6a.0
new file mode 120000
index 0000000000000000000000000000000000000000..4d8fbd9ffc99a32048f97f8f1b3b1ebcb580631c
--- /dev/null
+++ b/t/trust-anchors/21ca5d6a.0
@@ -0,0 +1 @@
+igi-test-ca-2.pem
\ No newline at end of file
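Review bot: The `qr/\n/` pattern under `--- response_body_like eval` in `t/no_ssl.t` matches any body that contains a newline, so the test would still pass if `$voms_user` were ever populated on a plain-HTTP connection. The same pattern is used in `t/ssl_no_client_authn.t` further down. Both tests exist to show that no VOMS identity is exposed when there is no verified client certificate, so the assertion should require an empty value, for example `qr/\A\n\z/`, assuming `echo` emits only the trailing newline for an empty variable. The `--- error_log` checks are worth keeping, but they only prove that the message was logged, not that the variable stayed empty.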
diff --git a/t/trust-anchors/7940b442.0 b/t/trust-anchors/7940b442.0
new file mode 120000
index 0000000000000000000000000000000000000000..4d8fbd9ffc99a32048f97f8f1b3b1ebcb580631c
--- /dev/null
+++ b/t/trust-anchors/7940b442.0
@@ -0,0 +1 @@
+igi-test-ca-2.pem
\ No newline at end of file
diff --git a/t/trust-anchors/d82942ab.0 b/t/trust-anchors/d82942ab.0
new file mode 120000
index 0000000000000000000000000000000000000000..b8991ae7113de419b1b4fda094099a3d53e4d0f6
--- /dev/null
+++ b/t/trust-anchors/d82942ab.0
@@ -0,0 +1 @@
+igi-test-ca.pem
\ No newline at end of file
diff --git a/t/trust-anchors/igi-test-ca-2.pem b/t/trust-anchors/igi-test-ca-2.pem
new file mode 100644
index 0000000000000000000000000000000000000000..d9b58c1dc2d78f67bfe2634fd3779cd3d4551b93
--- /dev/null
+++ b/t/trust-anchors/igi-test-ca-2.pem
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIJAMCV/2NZUk0YMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV +BAYTAklUMQwwCgYDVQQKDANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjAeFw0xNTAx +MjcxMzM5MjFaFw0yNTAxMjQxMzM5MjFaMC8xCzAJBgNVBAYTAklUMQwwCgYDVQQK +DANJR0kxEjAQBgNVBAMMCVRlc3QgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBANgKnBTosmSk8MKmSaVNp2c1HJplrWAML/bx+X6wpvoC6RoxH+5G +2VIHHZjdgUyBcyuYDI2piwE2ByTrD5F/ToDsLpUReAmZeRY5fURwP5Gp0DMszdRq +uZR74I59BRSzuCpK7o4Oq01DubSisXrIfgpuOrFcAADl/Pe4L2M4dNrB5Ck/SaR+ +bRMN4CHBYAdlv3ncC3if31zwoMNMYoomhme0qmwWtRUzAlz8Hw5LM+Ngt43RiFWD +DqPD8QL6wxBtCxXUYaOPLt4pRsda5wsARWKGuutppzDPBbKVNTNMccnuUnk1UnzR +P4n6iRoPb8SR3P3uVx5dBdkI4xUpxEzNkn0CAwEAAaOBpDCBoTAdBgNVHQ4EFgQU +NwPLlkI6FI+9W3Iq7vBrqG1PjEQwXwYDVR0jBFgwVoAUNwPLlkI6FI+9W3Iq7vBr +qG1PjEShM6QxMC8xCzAJBgNVBAYTAklUMQwwCgYDVQQKDANJR0kxEjAQBgNVBAMM +CVRlc3QgQ0EgMoIJAMCV/2NZUk0YMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCFbvyDXdzRPtlFpq0ZSh5IMNWy3V1N +CwLa8vmEVwEBsgMQD4NTdefcJ/QkW3CvokhvfCt3Na83J1U9uSp98xiyWNi1esuM +MG1kplM30uNOOZd0UK97VxX5A/IRawBZJoVzgla6rygQTG4SUaguXm1ZaPlGRwhn +cJvbtusuiFa805O021g7+se8yu1E9457nMj5rLvPJ/b5UnwK0e2iRbbJje9VAp77 +/wcP2Ec/XfzDhfAksAsZAjg3+ngykvp4MDe56lExePOiIXDb7UMmnBSuQUpClsnB +2qYc7yWYRN279UUtMB81lXZdsc0FiwhMj6C141RrqP2girdwiJERoP7s +-----END CERTIFICATE----- diff --git a/t/trust-anchors/voms_example_2.cert.pem b/t/trust-anchors/voms_example_2.cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..cfca8b81c43bd9fbc77fff4efae89f8ad538c818 --- /dev/null +++ b/t/trust-anchors/voms_example_2.cert.pem 
@@ -0,0 +1,85 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=IT, O=IGI, CN=Test CA 2 + Validity + Not Before: Mar 14 16:18:34 2018 GMT + Not After : Mar 11 16:18:34 2028 GMT + Subject: C=IT, O=IGI, CN=voms.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:ca:0f:d7:c6:91:cc:15:a1:97:32:0b:20:fd:94: + 11:57:46:59:3a:79:3e:ef:53:ab:9b:28:30:64:da: + bc:c5:0b:90:25:67:e5:46:06:2d:cf:dd:42:15:08: + f1:1e:ed:8b:e5:c9:cb:3d:cc:4a:77:92:63:af:ac: + 94:a7:e6:89:06:64:0c:bc:28:52:d1:50:48:02:54: + 5b:5b:6d:9e:0f:ee:89:f4:01:21:25:ea:ac:af:06: + a4:92:ce:32:2f:10:54:f6:37:02:7e:e0:e7:2a:fd: + 42:92:c8:ff:5c:f1:f2:83:62:9b:d9:7d:f6:08:cb: + 84:3e:03:26:a3:01:a2:ce:9c:de:d9:37:26:7e:6c: + 12:50:14:88:47:bc:68:91:6a:f6:d5:05:70:e6:fd: + 10:05:65:56:45:6f:95:22:d2:d4:55:77:cc:f5:fa: + 08:a4:36:2c:fa:b2:47:90:6c:c4:84:36:ac:24:f8: + d9:a8:99:66:e0:5e:96:34:1e:65:48:86:0f:10:7b: + e9:3d:1a:3f:ea:53:9f:70:30:0c:30:93:d3:f9:67: + d1:66:7c:a0:40:28:fe:6b:17:72:df:d5:5b:a7:0f: + 28:bc:92:d1:c8:31:a6:64:e0:d1:c0:1d:f6:dd:b8: + 03:b1:31:9d:d8:0d:54:56:df:69:35:f1:55:cc:84: + 52:d1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 5F:FE:E5:D5:AC:A3:6C:F4:19:A8:02:7D:F0:B8:9A:67:D0:A9:A1:1F + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, E-mail Protection + X509v3 Authority Key Identifier: + keyid:37:03:CB:96:42:3A:14:8F:BD:5B:72:2A:EE:F0:6B:A8:6D:4F:8C:44 + + X509v3 Subject Alternative Name: + DNS:voms.example + Signature Algorithm: sha1WithRSAEncryption + d2:75:21:54:90:c6:88:15:25:79:48:6d:d1:ba:5a:c7:58:a4: + b0:35:5e:30:1a:cf:ba:3f:36:fc:1e:9c:91:ab:54:ca:a8:3e: 
+ 2a:3c:75:44:55:2a:27:de:e7:0f:d8:c8:37:91:b1:65:2a:bf: + 81:37:5a:0f:b4:31:d6:2c:7d:e0:ff:e1:36:c4:cf:d7:b3:a3: + 20:be:7d:bb:26:ae:f6:55:df:68:46:83:4c:90:83:ee:6e:5d: + 16:4c:ab:94:02:61:18:bb:48:e0:78:c3:ce:8e:87:30:cd:82: + 19:8a:6a:d9:90:a4:db:00:fc:ee:fd:b1:c8:f1:0f:08:c6:47: + 78:da:7e:2f:33:f1:8f:16:80:f0:97:a1:72:f9:5a:6e:30:12: + 28:2a:c3:ca:cd:b3:c7:f1:ab:e1:db:b8:16:01:54:b7:5f:9e: + df:5e:56:25:6e:d4:72:78:a4:5d:c5:ea:92:c0:6b:a6:aa:bd: + 06:73:6f:5f:57:29:38:db:13:f1:7d:51:60:af:21:fe:79:fa: + a5:8c:cc:12:34:76:32:92:24:9e:9e:6d:51:56:2d:05:28:09: + 9b:ca:d7:8e:f3:22:ea:a5:80:82:6b:83:5e:2a:35:53:67:bc: + 05:5b:ac:0e:24:48:1a:ef:98:96:e5:8a:7f:28:64:1e:ae:ec: + 11:18:66:45 +-----BEGIN CERTIFICATE----- +MIIDlzCCAn+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADAvMQswCQYDVQQGEwJJVDEM +MAoGA1UECgwDSUdJMRIwEAYDVQQDDAlUZXN0IENBIDIwHhcNMTgwMzE0MTYxODM0 +WhcNMjgwMzExMTYxODM0WjAyMQswCQYDVQQGEwJJVDEMMAoGA1UECgwDSUdJMRUw +EwYDVQQDDAx2b21zLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDKD9fGkcwVoZcyCyD9lBFXRlk6eT7vU6ubKDBk2rzFC5AlZ+VGBi3P3UIV +CPEe7Yvlycs9zEp3kmOvrJSn5okGZAy8KFLRUEgCVFtbbZ4P7on0ASEl6qyvBqSS +zjIvEFT2NwJ+4Ocq/UKSyP9c8fKDYpvZffYIy4Q+AyajAaLOnN7ZNyZ+bBJQFIhH +vGiRavbVBXDm/RAFZVZFb5Ui0tRVd8z1+gikNiz6skeQbMSENqwk+NmomWbgXpY0 +HmVIhg8Qe+k9Gj/qU59wMAwwk9P5Z9FmfKBAKP5rF3Lf1VunDyi8ktHIMaZk4NHA +HfbduAOxMZ3YDVRW32k18VXMhFLRAgMBAAGjgbowgbcwDAYDVR0TAQH/BAIwADAd +BgNVHQ4EFgQUX/7l1ayjbPQZqAJ98LiaZ9CpoR8wDgYDVR0PAQH/BAQDAgXgMD4G +A1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4 +QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBQ3A8uWQjoUj71bciru8GuobU+MRDAX +BgNVHREEEDAOggx2b21zLmV4YW1wbGUwDQYJKoZIhvcNAQEFBQADggEBANJ1IVSQ +xogVJXlIbdG6WsdYpLA1XjAaz7o/NvwenJGrVMqoPio8dURVKife5w/YyDeRsWUq +v4E3Wg+0MdYsfeD/4TbEz9ezoyC+fbsmrvZV32hGg0yQg+5uXRZMq5QCYRi7SOB4 +w86OhzDNghmKatmQpNsA/O79scjxDwjGR3jafi8z8Y8WgPCXoXL5Wm4wEigqw8rN +s8fxq+HbuBYBVLdfnt9eViVu1HJ4pF3F6pLAa6aqvQZzb19XKTjbE/F9UWCvIf55 ++qWMzBI0djKSJJ6ebVFWLQUoCZvK147zIuqlgIJrg14qNVNnvAVbrA4kSBrvmJbl +in8oZB6u7BEYZkU= 
+-----END CERTIFICATE----- diff --git a/t/trust-anchors/voms_example_2.key.pem b/t/trust-anchors/voms_example_2.key.pem new file mode 100644 index 0000000000000000000000000000000000000000..9496d59d8bcd54cb8bbb5ebc75109080f19490d9 --- /dev/null +++ b/t/trust-anchors/voms_example_2.key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAyg/XxpHMFaGXMgsg/ZQRV0ZZOnk+71OrmygwZNq8xQuQJWfl +RgYtz91CFQjxHu2L5cnLPcxKd5Jjr6yUp+aJBmQMvChS0VBIAlRbW22eD+6J9AEh +Jeqsrwakks4yLxBU9jcCfuDnKv1Cksj/XPHyg2Kb2X32CMuEPgMmowGizpze2Tcm +fmwSUBSIR7xokWr21QVw5v0QBWVWRW+VItLUVXfM9foIpDYs+rJHkGzEhDasJPjZ +qJlm4F6WNB5lSIYPEHvpPRo/6lOfcDAMMJPT+WfRZnygQCj+axdy39Vbpw8ovJLR +yDGmZODRwB323bgDsTGd2A1UVt9pNfFVzIRS0QIDAQABAoIBAC16D1hTrBkaO0s6 +EfzAfH6mCKMOcsmujSroiqvIR0AZ8CFbFtEBxwHHjH3re0k4sYnQNvv7pK7wtZru +Pq7jRee4UN1wPeN6LBrKHZ2gODjhuQ6/ylQcUy05U4Tu/4B0LosTqm4f9CdKxNcA +gejLU4eag/UZUmx8UZEbaHC7h4b0hQxu0EKEYZGo34azLRBaBqREtm2FpVk9ycJk ++Ij4a+qUfwCDJl8Z61hh4BNT7tWJVy5R61qxlD5Y9+thG7p2pgLCAyXVskgYfwCV +/AYOblWM9mEKpfnhEkhG0e2AO9/jOSsVaXWbiKC4tq59Lh3s6P5c0vlM4lMG4ZRS +axWVRBkCgYEA6xU9AaW5sd8gtOk1zpKVga5PdcewkCMj4eABZvuXW4B2wJr3KDIi +TYAZFqz6t7yy7VxhR75lXECbmyFB1uoHxt9yl+yY6R0IQEKsLA9xvEw2Xzqr7gch +Tfv+sQsIoW+nl5Z4TTrNMRoBwvzTZNkBSUQXRhOOfWhQUKJ/ZrDvS6MCgYEA3Apx +0YPQrb5r8V4hu6OyPhfUp3ZsoKvOyLVKKv7Yhx2u/yXCtsCXP+c5sNDFN3vxoWxX +8uOgZUrwhKF5ieYSQB0uSZONzHGtItRtaAaSGdQ4s7UDbWFHEfxR9XE1ZP8m/A5Z +wN0knnTQjve1ZyovTSGSs0zzRQoZaYmw6WFYzvsCgYEA1S46V48Y+WNVPpmpsL2f +FK2k4zMGO3+SX5gKzX/j/xddGUauUWY9UziSB80vw4U8YSGAGlZfhqwUMDaVhTZP +fRpOydTFycgJHnUXuxD6W/5k5DDJjx4qJpUZnyVZW0Rsn3vVdnuXbiqeZFtvvClK +EE3OKT883R7Gjoj9rXtQVa8CgYEAkLtiACCGyzFcSMfUwlo67HK6UmgnrUs02Xm9 +TiiQfdc9et/4gkKNed/6Z136yrMAzV+5Pa8Rmm6/Y03e5qBpUrie8JBYjagb7LPz +PqBLyyd3IGUo2vJIUAE6W4naSBM4LkS2LpCG/J7za4ZtUG1D7aTunHc58ChjbLK/ +pdJ9Gq8CgYEAmQHYXsVzjhxLDdYJGj4Dg2abaSL4y0e+76zP/AVfeNHfAoztm2w2 +WJm5Xdf1NFEP+aopuGl9D4ikGvZ5bHscAgj/L3rbrOCz1XAmIwAcpcPE782vV1Pe +AEM7dszw7BXxvh5Fld1SJcC+/bUW7JTRzPRJmfz/jF/AF4SKkE9yk6Q= +-----END RSA PRIVATE KEY----- diff --git a/t/untrusted_ac.t b/t/untrusted_ac.t new file mode 100644 index 0000000000000000000000000000000000000000..dd93118364daec6290c2e7a1829207aca3f7c949 --- /dev/null +++ b/t/untrusted_ac.t 
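Review bot: `t/trust-anchors/voms_example_2.key.pem` places an unencrypted RSA private key in the directory that the new tests export as `X509_CERT_DIR`, next to the CA certificates and hash symlinks, while the other test keys are referenced from `certs/` (`certs/5.key.pem`, `certs/nginx_voms_example.key.pem`). A trust-anchor directory should hold only public material, so that copying or packaging it as a CA store never carries a signing key along; moving this key and its `voms.example` certificate to `t/certs/` keeps that separation. The matching certificate is valid until 2028, so a short README in the fixture directory stating that the key is test-only and is never to be trusted outside `t/` would also help anyone whose secret scanner flags the file.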
@@ -0,0 +1,37 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: https with x509 client authentication, untrusted AC signature
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+ env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ ssl_verify_client on;
+ location = / {
+ default_type text/plain;
+ echo $voms_user;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass https://localhost:8443/;
+ proxy_ssl_certificate ../../certs/5.cert.pem;
+ proxy_ssl_certificate_key ../../certs/5.key.pem;
+ }
+--- request
+GET /
+--- error_log
+Cannot verify AC signature
+--- error_code: 200
diff --git a/t/valid_ac.t b/t/valid_ac.t
new file mode 100644
index 0000000000000000000000000000000000000000..f84fb9707bcb2ac6a1930d08d0de79eadc65d309
--- /dev/null
+++ b/t/valid_ac.t
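Review bot: The untrusted-AC case in `t/untrusted_ac.t` asserts only the `Cannot verify AC signature` log line and a 200 status; the body produced by `echo $voms_user;` is never checked. The security-relevant outcome of a failed AC verification is that no attribute taken from the unverified certificate reaches the configuration, so the test should pin that as well, for example with `--- response_body_unlike: /CN=`, or with an exact `--- response_body` once the expected empty output has been confirmed against the module. A one-line comment before `run_tests();` saying what makes the AC in `certs/5.cert.pem` untrusted (presumably it is signed by a VOMS server that `t/vomsdir` does not list) would make the intent of the case clear.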
@@ -0,0 +1,58 @@
+
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: valid AC, verification of valid VOMS attributes extracted by ngx_http_voms_module
+--- main_config
+ env OPENSSL_ALLOW_PROXY_CERTS=1;
+ env X509_VOMS_DIR=t/vomsdir;
+ env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+ server {
+ error_log logs/error.log debug;
+ listen 8443 ssl;
+ ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+ ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+ ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+ ssl_verify_depth 10;
+ ssl_verify_client on;
+ location = / {
+ default_type text/plain;
+ echo $voms_user;
+ echo $voms_user_ca;
+ echo $voms_fqans;
+ echo $voms_server;
+ echo $voms_server_ca;
+ echo $voms_vo;
+ echo $voms_server_uri;
+ echo $voms_not_before;
+ echo $voms_not_after;
+ echo $voms_generic_attributes;
+ echo $voms_serial;
+ }
+ }
+--- config
+ location = / {
+ proxy_pass https://localhost:8443/;
+ proxy_ssl_certificate ../../certs/3.cert.pem;
+ proxy_ssl_certificate_key ../../certs/3.key.pem;
+ }
+--- request
+GET /
+--- response_body
+/C=IT/O=IGI/CN=test0
+/C=IT/O=IGI/CN=Test CA
+/test/exp1,/test/exp2,/test/exp3/Role=PIPPO
+/C=IT/O=IGI/CN=voms.example
+/C=IT/O=IGI/CN=Test CA
+test.vo
+voms.example:15000
+20180101000000Z
+20300101000000Z
+n=nickname v=newland q=test.vo,n=nickname v=giaco q=test.vo
+7B
+--- error_code: 200
+
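Review bot: The expected body in `t/valid_ac.t` hard-codes the lifetime of the AC carried by `certs/3.cert.pem` (`20180101000000Z` to `20300101000000Z`), and nothing in the file records that the fixture expires or how it was produced. Once the AC, or the proxy certificate wrapping it, passes its end date, verification will presumably fail and this test will break without any code change. I would add a comment before `run_tests();`, such as `# certs/3.cert.pem: proxy with a VOMS AC valid until 2030-01-01; regenerate the fixtures before then`. A companion case for an expired AC would cover the rejection path that this file leaves untested.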