- Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding

- Parsing PEM private keys encrypted with DES and AES are now supported (Fixes ticket #5) - Added tests for encrypted keyfiles
2024-10-18 12:21:04 +00:00 · 2011-02-12 14:30:57 +00:00 · 2011-02-12 14:30:57 +00:00 · 96743fc5f5
parent f17ed288ad
commit 96743fc5f5
15 changed files with 812 additions and 352 deletions
--- a/10
+++ b/10
@ -1,5 +1,15 @@
 PolarSSL ChangeLog

+= Version 0.99-pre2 released on XXXXXX
+Features
+   * Parsing PEM private keys encrypted with DES and AES
+     are now supported as well (Fixes ticket #5)
+
+Changes
+   * Parsing of PEM files moved to separate module (Fixes 
+     ticket #13). Also possible to remove PEM support for
+	 systems only using DER encoding
+
 = Version 0.99-pre1 released on 2011-01-30
 Features
 Note: Most of these features have been donated by Fox-IT
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -151,6 +151,7 @@
 *
 * Module:  library/aes.c
 * Caller:  library/ssl_tls.c
+ *          library/pem.c
 *
 * This module enables the following ciphersuites:
 *      SSL_RSA_AES_128_SHA
@ -370,6 +371,18 @@
 */
 #define POLARSSL_PADLOCK_C

+/**
+ * \def POLARSSL_PEM_C
+ *
+ * Enable PEM decoding
+ *
+ * Module:  library/pem.c
+ * Caller:  library/x509parse.c
+ *
+ * This modules adds support for decoding PEM files.
+ */
+#define POLARSSL_PEM_C
+
 /**
 * \def POLARSSL_RSA_C
 *
--- a/include/polarssl/pem.h
+++ b/include/polarssl/pem.h
@ -0,0 +1,98 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright (C) 2006-2010, Brainspark B.V.
+ *
+ *  This file is part of PolarSSL (http://www.polarssl.org)
+ *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ *  All rights reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef POLARSSL_PEM_H
+#define POLARSSL_PEM_H
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+#define POLARSSL_ERR_PEM_NO_HEADER_PRESENT                 -0x0500  /**< No PEM header found. */
+#define POLARSSL_ERR_PEM_INVALID_DATA                      -0x0520  /**< PEM string is not as expected. */
+#define POLARSSL_ERR_PEM_MALLOC_FAILED                     -0x0540  /**< Failed to allocate memory. */
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV                    -0x0560  /**< RSA IV is not in hex-format. */
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG                   -0x0580  /**< Unsupported key encryption algorithm. */
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED                 -0x05A0  /**< Private key password can't be empty. */
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH                 -0x05C0  /**< Given private key password does not allow for correct decryption. */
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE               -0x05E0  /**< Unavailable feature, e.g. hashing/encryption combination. */
+/* \} name */
+
+/**
+ * \brief       PEM context structure
+ */
+typedef struct
+{
+    unsigned char *buf;     /*!< buffer for decoded data             */
+    int buflen;             /*!< length of the buffer                */
+    unsigned char *info;    /*!< buffer for extra header information */
+}
+pem_context;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief       PEM context setup
+ *
+ * \param ctx   context to be initialized
+ */
+void pem_init( pem_context *ctx );
+
+/**
+ * \brief       Read a buffer for PEM information and store the resulting
+ *              data into the specified context buffers.
+ *
+ * \param ctx       context to use
+ * \param header    header string to seek and expect
+ * \param footer    footer string to seek and expect
+ * \param data      source data to look in
+ * \param pwd       password for decryption (can be NULL)
+ * \param pwdlen    length of password
+ * \param use_len   destination for total length used
+ *
+ * \return          0 on success, ior a specific PEM error code
+ */
+int pem_read_buffer( pem_context *ctx, char *header, char *footer,
+                     const unsigned char *data,
+                     const unsigned char *pwd,
+                     int pwdlen, int *use_len );
+
+/**
+ * \brief       PEM context memory freeing
+ *
+ * \param ctx   context to be freed
+ */
+void pem_free( pem_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@ -69,13 +69,8 @@
 #define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG              -0x01C0  /**< Public key algorithm is unsupported (only RSA is supported). */
 #define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x01E0  /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
 #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x0200  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define POLARSSL_ERR_X509_KEY_INVALID_PEM                  -0x0220  /**< PEM key string is not as expected. */
 #define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x0240  /**< Unsupported RSA key version */
 #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x0260  /**< Invalid RSA key tag or value. */
-#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV               -0x0280  /**< RSA IV is not in hex-format. */
-#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG              -0x02A0  /**< Unsupported key encryption algorithm. */
-#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED            -0x02C0  /**< Private key password can't be empty. */
-#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH            -0x02E0  /**< Given private key password does not allow for correct decryption. */
 #define POLARSSL_ERR_X509_POINT_ERROR                      -0x0300  /**< Not used. */
 #define POLARSSL_ERR_X509_VALUE_TO_LENGTH                  -0x0320  /**< Not used. */
 /* \} name */
@ -485,7 +480,7 @@ extern "C" {
 * \param buf      buffer holding the certificate data
 * \param buflen   size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen );

@ -497,7 +492,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen );
 * \param chain    points to the start of the chain
 * \param path     filename to read the certificates from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crtfile( x509_cert *chain, const char *path );

@ -510,7 +505,7 @@ int x509parse_crtfile( x509_cert *chain, const char *path );
 * \param buf      buffer holding the CRL data
 * \param buflen   size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen );

@ -522,7 +517,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen );
 * \param chain    points to the start of the chain
 * \param path     filename to read the CRLs from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_crlfile( x509_crl *chain, const char *path );

@ -536,7 +531,7 @@ int x509parse_crlfile( x509_crl *chain, const char *path );
 * \param pwd      password for decryption (optional)
 * \param pwdlen   size of the password
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_key( rsa_context *rsa,
                   const unsigned char *key, int keylen,
@ -550,7 +545,7 @@ int x509parse_key( rsa_context *rsa,
 * \param path     filename to read the private key from
 * \param password password to decrypt the file (can be NULL)
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_keyfile( rsa_context *rsa, const char *path,
                       const char *password );
@ -563,7 +558,7 @@ int x509parse_keyfile( rsa_context *rsa, const char *path,
 * \param dhmin    input buffer
 * \param dhminlen size of the buffer
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen );

@ -574,7 +569,7 @@ int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen );
 * \param dhm      DHM context to be initialized
 * \param path     filename to read the DHM Parameters from
 *
- * \return         0 if successful, or a specific X509 error code
+ * \return         0 if successful, or a specific X509 or PEM error code
 */
 int x509parse_dhmfile( dhm_context *dhm, const char *path );

--- a/library/pem.c
+++ b/library/pem.c
@ -0,0 +1,350 @@
+/*
+ *  Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright (C) 2006-2010, Brainspark B.V.
+ *
+ *  This file is part of PolarSSL (http://www.polarssl.org)
+ *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ *  All rights reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "polarssl/config.h"
+
+#if defined(POLARSSL_PEM_C)
+
+#include "polarssl/pem.h"
+#include "polarssl/base64.h"
+#include "polarssl/des.h"
+#include "polarssl/aes.h"
+#include "polarssl/md5.h"
+#include "polarssl/cipher.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+void pem_init( pem_context *ctx )
+{
+    memset( ctx, 0, sizeof( pem_context ) );
+}
+
+#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv( const unsigned char *s, unsigned char *iv, int iv_len )
+{
+    int i, j, k;
+
+    memset( iv, 0, iv_len );
+
+    for( i = 0; i < iv_len * 2; i++, s++ )
+    {
+        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
+        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
+        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
+            return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
+
+        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
+
+        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
+    }
+
+    return( 0 );
+}
+
+static void pem_pbkdf1( unsigned char *key, int keylen,
+                        unsigned char *iv,
+                        const unsigned char *pwd, int pwdlen )
+{
+    md5_context md5_ctx;
+    unsigned char md5sum[16];
+    int use_len;
+
+    /*
+     * key[ 0..15] = MD5(pwd || IV)
+     */
+    md5_starts( &md5_ctx );
+    md5_update( &md5_ctx, pwd, pwdlen );
+    md5_update( &md5_ctx, iv,  8 );
+    md5_finish( &md5_ctx, md5sum );
+
+    if( keylen <= 16 )
+    {
+        memcpy( key, md5sum, keylen );
+
+        memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
+        memset( md5sum, 0, 16 );
+        return;
+    }
+
+    memcpy( key, md5sum, 16 );
+
+    /*
+     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+     */
+    md5_starts( &md5_ctx );
+    md5_update( &md5_ctx, md5sum,  16 );
+    md5_update( &md5_ctx, pwd, pwdlen );
+    md5_update( &md5_ctx, iv,  8 );
+    md5_finish( &md5_ctx, md5sum );
+
+    use_len = 16;
+    if( keylen < 32 )
+        use_len = keylen - 16;
+
+    memcpy( key + 16, md5sum, use_len );
+
+    memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
+    memset( md5sum, 0, 16 );
+}
+
+#if defined(POLARSSL_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static void pem_des_decrypt( unsigned char des_iv[8],
+                               unsigned char *buf, int buflen,
+                               const unsigned char *pwd, int pwdlen )
+{
+    des_context des_ctx;
+    unsigned char des_key[8];
+
+    pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen );
+
+    des_setkey_dec( &des_ctx, des_key );
+    des_crypt_cbc( &des_ctx, DES_DECRYPT, buflen,
+                     des_iv, buf, buf );
+
+    memset( &des_ctx, 0, sizeof( des_ctx ) );
+    memset( des_key, 0, 8 );
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static void pem_des3_decrypt( unsigned char des3_iv[8],
+                               unsigned char *buf, int buflen,
+                               const unsigned char *pwd, int pwdlen )
+{
+    des3_context des3_ctx;
+    unsigned char des3_key[24];
+
+    pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen );
+
+    des3_set3key_dec( &des3_ctx, des3_key );
+    des3_crypt_cbc( &des3_ctx, DES_DECRYPT, buflen,
+                     des3_iv, buf, buf );
+
+    memset( &des3_ctx, 0, sizeof( des3_ctx ) );
+    memset( des3_key, 0, 24 );
+}
+#endif /* POLARSSL_DES_C */
+
+#if defined(POLARSSL_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static void pem_aes_decrypt( unsigned char aes_iv[16], int keylen,
+                               unsigned char *buf, int buflen,
+                               const unsigned char *pwd, int pwdlen )
+{
+    aes_context aes_ctx;
+    unsigned char aes_key[32];
+
+    pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen );
+
+    aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 );
+    aes_crypt_cbc( &aes_ctx, AES_DECRYPT, buflen,
+                     aes_iv, buf, buf );
+
+    memset( &aes_ctx, 0, sizeof( aes_ctx ) );
+    memset( aes_key, 0, keylen );
+}
+#endif /* POLARSSL_AES_C */
+
+#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
+
+int pem_read_buffer( pem_context *ctx, char *header, char *footer, const unsigned char *data, const unsigned char *pwd, int pwdlen, int *use_len )
+{
+    int ret, len, enc;
+    unsigned char *buf;
+    unsigned char *s1, *s2;
+#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
+    unsigned char pem_iv[16];
+    cipher_type_t enc_alg = POLARSSL_CIPHER_NONE;
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
+
+    if( ctx == NULL )
+        return( POLARSSL_ERR_PEM_INVALID_DATA );
+
+    s1 = (unsigned char *) strstr( (char *) data, header );
+
+    if( s1 == NULL )
+        return( POLARSSL_ERR_PEM_NO_HEADER_PRESENT );
+
+    s2 = (unsigned char *) strstr( (char *) data, footer );
+
+    if( s2 == NULL || s2 <= s1 )
+        return( POLARSSL_ERR_PEM_INVALID_DATA );
+
+    s1 += strlen( header );
+    if( *s1 == '\r' ) s1++;
+    if( *s1 == '\n' ) s1++;
+    else return( POLARSSL_ERR_PEM_INVALID_DATA );
+
+    enc = 0;
+
+    if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    {
+#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
+        enc++;
+
+        s1 += 22;
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( POLARSSL_ERR_PEM_INVALID_DATA );
+
+
+#if defined(POLARSSL_DES_C)
+        if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        {
+            enc_alg = POLARSSL_CIPHER_DES_EDE3_CBC;
+
+            s1 += 23;
+            if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
+                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+        else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        {
+            enc_alg = POLARSSL_CIPHER_DES_CBC;
+
+            s1 += 18;
+            if( pem_get_iv( s1, pem_iv, 8) != 0 )
+                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+#endif /* POLARSSL_DES_C */
+
+#if defined(POLARSSL_AES_C)
+        if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        {
+            if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+                enc_alg = POLARSSL_CIPHER_AES_128_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
+                enc_alg = POLARSSL_CIPHER_AES_192_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
+                enc_alg = POLARSSL_CIPHER_AES_256_CBC;
+            else
+                return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
+
+            s1 += 22;
+            if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
+                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 32;
+        }
+#endif /* POLARSSL_AES_C */
+        
+        if( enc_alg == POLARSSL_CIPHER_NONE )
+            return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
+
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( POLARSSL_ERR_PEM_INVALID_DATA );
+#else
+        return( POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
+    }
+
+    len = 0;
+    ret = base64_decode( NULL, &len, s1, s2 - s1 );
+
+    if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
+        return( ret | POLARSSL_ERR_PEM_INVALID_DATA );
+
+    if( ( buf = (unsigned char *) malloc( len ) ) == NULL )
+        return( POLARSSL_ERR_PEM_MALLOC_FAILED );
+
+    if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 )
+    {
+        free( buf );
+        return( ret | POLARSSL_ERR_PEM_INVALID_DATA );
+    }
+    
+    if( enc != 0 )
+    {
+#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
+        if( pwd == NULL )
+        {
+            free( buf );
+            return( POLARSSL_ERR_PEM_PASSWORD_REQUIRED );
+        }
+
+#if defined(POLARSSL_DES_C)
+        if( enc_alg == POLARSSL_CIPHER_DES_EDE3_CBC )
+            pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
+        else if( enc_alg == POLARSSL_CIPHER_DES_CBC )
+            pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
+#endif /* POLARSSL_DES_C */
+
+#if defined(POLARSSL_AES_C)
+        if( enc_alg == POLARSSL_CIPHER_AES_128_CBC )
+            pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
+        else if( enc_alg == POLARSSL_CIPHER_AES_192_CBC )
+            pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
+        else if( enc_alg == POLARSSL_CIPHER_AES_256_CBC )
+            pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
+#endif /* POLARSSL_AES_C */
+
+        if( buf[0] != 0x30 || buf[1] != 0x82 ||
+            buf[4] != 0x02 || buf[5] != 0x01 )
+        {
+            free( buf );
+            return( POLARSSL_ERR_PEM_PASSWORD_MISMATCH );
+        }
+#else
+        return( POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif
+    }
+
+    ctx->buf = buf;
+    ctx->buflen = len;
+    s2 += strlen( footer );
+    if( *s2 == '\r' ) s2++;
+    if( *s2 == '\n' ) s2++;
+    *use_len = s2 - data;
+
+    return( 0 );
+}
+
+void pem_free( pem_context *ctx )
+{
+    if( ctx->buf )
+        free( ctx->buf );
+
+    if( ctx->info )
+        free( ctx->info );
+}
+
+#endif
--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -39,7 +39,7 @@
 #if defined(POLARSSL_X509_PARSE_C)

 #include "polarssl/x509.h"
-#include "polarssl/base64.h"
+#include "polarssl/pem.h"
 #include "polarssl/des.h"
 #include "polarssl/md2.h"
 #include "polarssl/md4.h"
@ -1045,10 +1045,12 @@ static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg )
 */
 int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )
 {
-    int ret, len;
-    const unsigned char *s1, *s2;
+    int ret, len, use_len;
    unsigned char *p, *end;
    x509_cert *crt;
+#if defined(POLARSSL_PEM_C)
+    pem_context pem;
+#endif

    crt = chain;

@ -1078,57 +1080,33 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )
        memset( crt, 0, sizeof( x509_cert ) );
    }

-    /*
-     * check if the certificate is encoded in base64
-     */
-    s1 = (unsigned char *) strstr( (char *) buf,
-        "-----BEGIN CERTIFICATE-----" );
+#if defined(POLARSSL_PEM_C)
+    pem_init( &pem );
+    ret = pem_read_buffer( &pem,
+                           "-----BEGIN CERTIFICATE-----",
+                           "-----END CERTIFICATE-----",
+                           buf, NULL, 0, &use_len );

-    if( s1 != NULL )
+    if( ret == 0 )
    {
-        s2 = (unsigned char *) strstr( (char *) buf,
-            "-----END CERTIFICATE-----" );
-
-        if( s2 == NULL || s2 <= s1 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
-
-        s1 += 27;
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-            else return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
+        /*
+         * Was PEM encoded
+         */
+        buflen -= use_len;
+        buf += use_len;

        /*
-         * get the DER data length and decode the buffer
+         * Steal PEM buffer
         */
-        len = 0;
-        ret = base64_decode( NULL, &len, s1, s2 - s1 );
-
-        if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM | ret );
-
-        if( ( p = (unsigned char *) malloc( len ) ) == NULL )
-            return( 1 );
-            
-        if( ( ret = base64_decode( p, &len, s1, s2 - s1 ) ) != 0 )
-        {
-            free( p );
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM | ret );
+        p = pem.buf;
+        pem.buf = NULL;
+        len = pem.buflen;
+        pem_free( &pem );
    }
-
-        /*
-         * update the buffer size and offset
-         */
-        s2 += 25;
-        if( *s2 == '\r' ) s2++;
-        if( *s2 == '\n' ) s2++;
-        else
+    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
    {
-            free( p );
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
-        }
-
-        buflen -= s2 - buf;
-        buf = s2;
+        pem_free( &pem );
+        return( ret );
    }
    else
    {
@ -1144,6 +1122,16 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )

        buflen = 0;
    }
+#else
+    p = (unsigned char *) malloc( len = buflen );
+
+    if( p == NULL )
+        return( 1 );
+
+    memcpy( p, buf, buflen );
+
+    buflen = 0;
+#endif

    crt->raw.p = p;
    crt->raw.len = len;
@ -1393,10 +1381,12 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )
 */
 int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen )
 {
-    int ret, len;
-    unsigned char *s1, *s2;
+    int ret, len, use_len;
    unsigned char *p, *end;
    x509_crl *crl;
+#if defined(POLARSSL_PEM_C)
+    pem_context pem;
+#endif

    crl = chain;

@ -1426,57 +1416,33 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen )
        memset( crl, 0, sizeof( x509_crl ) );
    }

-    /*
-     * check if the CRL is encoded in base64
-     */
-    s1 = (unsigned char *) strstr( (char *) buf,
-        "-----BEGIN X509 CRL-----" );
+#if defined(POLARSSL_PEM_C)
+    pem_init( &pem );
+    ret = pem_read_buffer( &pem,
+                           "-----BEGIN X509 CRL-----",
+                           "-----END X509 CRL-----",
+                           buf, NULL, 0, &use_len );

-    if( s1 != NULL )
+    if( ret == 0 )
    {
-        s2 = (unsigned char *) strstr( (char *) buf,
-            "-----END X509 CRL-----" );
-
-        if( s2 == NULL || s2 <= s1 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
-
-        s1 += 24;
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-            else return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
+        /*
+         * Was PEM encoded
+         */
+        buflen -= use_len;
+        buf += use_len;

        /*
-         * get the DER data length and decode the buffer
+         * Steal PEM buffer
         */
-        len = 0;
-        ret = base64_decode( NULL, &len, s1, s2 - s1 );
-
-        if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM | ret );
-
-        if( ( p = (unsigned char *) malloc( len ) ) == NULL )
-            return( 1 );
-            
-        if( ( ret = base64_decode( p, &len, s1, s2 - s1 ) ) != 0 )
-        {
-            free( p );
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM | ret );
+        p = pem.buf;
+        pem.buf = NULL;
+        len = pem.buflen;
+        pem_free( &pem );
    }
-
-        /*
-         * update the buffer size and offset
-         */
-        s2 += 22;
-        if( *s2 == '\r' ) s2++;
-        if( *s2 == '\n' ) s2++;
-        else
+    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
    {
-            free( p );
-            return( POLARSSL_ERR_X509_CERT_INVALID_PEM );
-        }
-
-        buflen -= s2 - buf;
-        buf = s2;
+        pem_free( &pem );
+        return( ret );
    }
    else
    {
@ -1492,6 +1458,16 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, int buflen )

        buflen = 0;
    }
+#else
+    p = (unsigned char *) malloc( len = buflen );
+
+    if( p == NULL )
+        return( 1 );
+
+    memcpy( p, buf, buflen );
+
+    buflen = 0;
+#endif

    crl->raw.p = p;
    crl->raw.len = len;
@ -1758,180 +1734,44 @@ int x509parse_crlfile( x509_crl *chain, const char *path )
    return( ret );
 }

-#if defined(POLARSSL_DES_C) && defined(POLARSSL_MD5_C)
-/*
- * Read a 16-byte hex string and convert it to binary
- */
-static int x509_get_iv( const unsigned char *s, unsigned char iv[8] )
-{
-    int i, j, k;
-
-    memset( iv, 0, 8 );
-
-    for( i = 0; i < 16; i++, s++ )
-    {
-        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
-        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
-        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
-            return( POLARSSL_ERR_X509_KEY_INVALID_ENC_IV );
-
-        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
-
-        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
-    }
-
-    return( 0 );
-}
-
-/*
- * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
- */
-static void x509_des3_decrypt( unsigned char des3_iv[8],
-                               unsigned char *buf, int buflen,
-                               const unsigned char *pwd, int pwdlen )
-{
-    md5_context md5_ctx;
-    des3_context des3_ctx;
-    unsigned char md5sum[16];
-    unsigned char des3_key[24];
-
-    /*
-     * 3DES key[ 0..15] = MD5(pwd || IV)
-     *      key[16..23] = MD5(pwd || IV || 3DES key[ 0..15])
-     */
-    md5_starts( &md5_ctx );
-    md5_update( &md5_ctx, pwd, pwdlen );
-    md5_update( &md5_ctx, des3_iv,  8 );
-    md5_finish( &md5_ctx, md5sum );
-    memcpy( des3_key, md5sum, 16 );
-
-    md5_starts( &md5_ctx );
-    md5_update( &md5_ctx, md5sum,  16 );
-    md5_update( &md5_ctx, pwd, pwdlen );
-    md5_update( &md5_ctx, des3_iv,  8 );
-    md5_finish( &md5_ctx, md5sum );
-    memcpy( des3_key + 16, md5sum, 8 );
-
-    des3_set3key_dec( &des3_ctx, des3_key );
-    des3_crypt_cbc( &des3_ctx, DES_DECRYPT, buflen,
-                     des3_iv, buf, buf );
-
-    memset(  &md5_ctx, 0, sizeof(  md5_ctx ) );
-    memset( &des3_ctx, 0, sizeof( des3_ctx ) );
-    memset( md5sum, 0, 16 );
-    memset( des3_key, 0, 24 );
-}
-#endif
-
 /*
 * Parse a private RSA key
 */
 int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,
                                     const unsigned char *pwd, int pwdlen )
 {
-    int ret, len, enc;
-    unsigned char *buf, *s1, *s2;
+    int ret, len;
    unsigned char *p, *end;
-#if defined(POLARSSL_DES_C) && defined(POLARSSL_MD5_C)
-    unsigned char des3_iv[8];
+#if defined(POLARSSL_PEM_C)
+    pem_context pem;
+
+    pem_init( &pem );
+    ret = pem_read_buffer( &pem,
+                           "-----BEGIN RSA PRIVATE KEY-----",
+                           "-----END RSA PRIVATE KEY-----",
+                           key, pwd, pwdlen, &len );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        keylen = pem.buflen;
+    }
+    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
+    {
+        pem_free( &pem );
+        return( ret );
+    }
+
+    p = ( ret == 0 ) ? pem.buf : (unsigned char *) key;
 #else
-    ((void) pwd);
-    ((void) pwdlen);
+    p = (unsigned char *) key;
 #endif
-
-    s1 = (unsigned char *) strstr( (char *) key,
-        "-----BEGIN RSA PRIVATE KEY-----" );
-
-    if( s1 != NULL )
-    {
-        s2 = (unsigned char *) strstr( (char *) key,
-            "-----END RSA PRIVATE KEY-----" );
-
-        if( s2 == NULL || s2 <= s1 )
-            return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        s1 += 31;
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-            else return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        enc = 0;
-
-        if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
-        {
-#if defined(POLARSSL_DES_C) && defined(POLARSSL_MD5_C)
-            enc++;
-
-            s1 += 22;
-            if( *s1 == '\r' ) s1++;
-            if( *s1 == '\n' ) s1++;
-                else return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-            if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) != 0 )
-                return( POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG );
-
-            s1 += 23;
-            if( x509_get_iv( s1, des3_iv ) != 0 )
-                return( POLARSSL_ERR_X509_KEY_INVALID_ENC_IV );
-
-            s1 += 16;
-            if( *s1 == '\r' ) s1++;
-            if( *s1 == '\n' ) s1++;
-                else return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-#else
-            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
-#endif
-        }
-
-        len = 0;
-        ret = base64_decode( NULL, &len, s1, s2 - s1 );
-
-        if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
-            return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        if( ( buf = (unsigned char *) malloc( len ) ) == NULL )
-            return( 1 );
-
-        if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 )
-        {
-            free( buf );
-            return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM );
-        }
-
-        keylen = len;
-
-        if( enc != 0 )
-        {
-#if defined(POLARSSL_DES_C) && defined(POLARSSL_MD5_C)
-            if( pwd == NULL )
-            {
-                free( buf );
-                return( POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED );
-            }
-
-            x509_des3_decrypt( des3_iv, buf, keylen, pwd, pwdlen );
-
-            if( buf[0] != 0x30 || buf[1] != 0x82 ||
-                buf[4] != 0x02 || buf[5] != 0x01 )
-            {
-                free( buf );
-                return( POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH );
-            }
-#else
-            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
-#endif
-        }
-    }
-    else
-    {
-        buf = NULL;
-    }
+    end = p + keylen;

    memset( rsa, 0, sizeof( rsa_context ) );

-    p = ( s1 != NULL ) ? buf : (unsigned char *) key;
-    end = p + keylen;
-
    /*
     *  RSAPrivateKey ::= SEQUENCE {
     *      version           Version,
@ -1949,9 +1789,9 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,
    if( ( ret = asn1_get_tag( &p, end, &len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret );
    }
@ -1960,18 +1800,18 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,

    if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret );
    }

    if( rsa->ver != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( ret | POLARSSL_ERR_X509_KEY_INVALID_VERSION );
    }
@ -1985,9 +1825,9 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,
        ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 ||
        ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( ret | POLARSSL_ERR_X509_KEY_INVALID_FORMAT );
    }
@ -1996,9 +1836,9 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,

    if( p != end )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT |
                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
@ -2006,15 +1846,16 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, int keylen,

    if( ( ret = rsa_check_privkey( rsa ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        rsa_free( rsa );
        return( ret );
    }

-    if( s1 != NULL )
-        free( buf );
+#if defined(POLARSSL_PEM_C)
+    pem_free( &pem );
+#endif

    return( 0 );
 }
@ -2049,52 +1890,38 @@ int x509parse_keyfile( rsa_context *rsa, const char *path, const char *pwd )
 int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen )
 {
    int ret, len;
-    unsigned char *buf, *s1, *s2;
    unsigned char *p, *end;
+#if defined(POLARSSL_PEM_C)
+    pem_context pem;

-    s1 = (unsigned char *) strstr( (char *) dhmin,
-        "-----BEGIN DH PARAMETERS-----" );
+    pem_init( &pem );

-    if( s1 != NULL )
+    ret = pem_read_buffer( &pem, 
+                           "-----BEGIN DH PARAMETERS-----",
+                           "-----END DH PARAMETERS-----",
+                           dhmin, NULL, 0, &dhminlen );
+
+    if( ret == 0 )
    {
-        s2 = (unsigned char *) strstr( (char *) dhmin,
-            "-----END DH PARAMETERS-----" );
-
-        if( s2 == NULL || s2 <= s1 )
-            return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        s1 += 29;
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-            else return( POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        len = 0;
-        ret = base64_decode( NULL, &len, s1, s2 - s1 );
-
-        if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
-            return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM );
-
-        if( ( buf = (unsigned char *) malloc( len ) ) == NULL )
-            return( 1 );
-
-        if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 )
+        /*
+         * Was PEM encoded
+         */
+        dhminlen = pem.buflen;
+    }
+    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT )
    {
-            free( buf );
-            return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM );
+        pem_free( &pem );
+        return( ret );
    }

-        dhminlen = len;
-    }
-    else
-    {
-        buf = NULL;
-    }
+    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
+#else
+    p = (unsigned char *) dhmin;
+#endif
+    end = p + dhminlen;

    memset( dhm, 0, sizeof( dhm_context ) );

-    p = ( s1 != NULL ) ? buf : (unsigned char *) dhmin;
-    end = p + dhminlen;
-
    /*
     *  DHParams ::= SEQUENCE {
     *      prime            INTEGER,  -- P
@ -2104,10 +1931,9 @@ int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen )
    if( ( ret = asn1_get_tag( &p, end, &len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
-        dhm_free( dhm );
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret );
    }

@ -2116,25 +1942,26 @@ int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, int dhminlen )
    if( ( ret = asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
        ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        dhm_free( dhm );
        return( ret | POLARSSL_ERR_X509_KEY_INVALID_FORMAT );
    }

    if( p != end )
    {
-        if( s1 != NULL )
-            free( buf );
-
+#if defined(POLARSSL_PEM_C)
+        pem_free( &pem );
+#endif
        dhm_free( dhm );
        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT |
                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
    }

-    if( s1 != NULL )
-        free( buf );
+#if defined(POLARSSL_PEM_C)
+    pem_free( &pem );
+#endif

    return( 0 );
 }
--- a/tests/data_files/keyfile
+++ b/tests/data_files/keyfile
@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDMYfnvWtC8Id5bPKae5yXSxQTt+Zpul6AnnZWfI2TtIarvjHBF
+UtXRo96y7hoL4VWOPKGCsRqMFDkrbeUjRrx8iL914/srnyf6sh9c8Zk04xEOpK1y
+pvBz+Ks4uZObtjnnitf0NBGdjMKxveTq+VE7BWUIyQjtQ8mbDOsiLLvh7wIDAQAB
+AoGAefPIT8MPpAJNjIE/JrfkAMTgsSLrvCurO5gzDBbxhPE+7tsMrsDDpuix3HBo
+iEg3ZbzV3obQwV7b0gcr34W4t0CMuJf5b5irHRG8JcZuncmofDy6z7S5Vs75O85z
+fVzTIuVUyuHy1rM6rSBYKfsMLVyImUb4wtIXEMHPzdCL9LECQQD3ZfgGqudMWq8v
+3BlKhsQ4fsR0vxzNlMZfoRrZzcvBT339Bp1UQ8aUo8xBtHiRwuW1NaPNgYKX6XQ6
+ppuWuTiJAkEA030i493KnFPLRwWypqF/s6ZNlVye+euFN5NF/IeJcvb/GUDRYv9O
+pRozRS1jNx4ZB1K2xT7N9MwsPHD6j6K4twJBALdfHTfT9RzjGnae7SAQQ+CcFYFz
+JiY6386B2yUVJLFj+j5RaMvMcKQ7xGnvGm7vxtNJrt/j3qg6oavXUfulzgECQQDP
+CEVLhCd/+ZeZoz5MWPTGTRrOCKmoRqNW0FlG6PfpD1qSwh04KG44uflO0yu5HUGr
+JZG+bcj4x5bWZFMkoUrpAkEAyEgQzesKFqcbt1cqv3pLXJYQBBw6leFXgHk11a7k
+AkexhrPYyq/4tXFO2TLk2hs7tpYgNDOqZCvEu7jtN3RuA==
+-----END RSA PRIVATE KEY-----
--- a/tests/data_files/keyfile.3des
+++ b/tests/data_files/keyfile.3des
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,BE8274D6692AF2A7
+
+9ZXjoF55A9XgJpdaWmF/ZL1sJfbnE1M42N7HHRDwpq1/K+afC9poM0/AdCUbRL7w
+uvQERievbAYpNeLdah1EftM6033e1oTxUMivdL4orDKcbb3qDpSQ0o0UbjavbT+d
+aruilW8zVP4dz3mYMvGbkgoujgzdT+4wM0T1mTTuYcRKQsHlg7QDy2QrBILNuXA4
+Hmye4GlSXVUSON8vPXT12V4oeubEIZVlnkLTRFGRVA4qz5tby9GBymkeNCBu+LCw
+JwJLTbQwMFqozHvioq/2YBaHDcySpTD4X5AwrCjifUNO9BnLWLAmt8dOWr0z+48E
+P/yWr5xZl3DrKh9r9EGb9xbTxhum3yHV7bvXLoUH+t9gowmd4Lq3Qjjf8jQXle0P
+zoCOVxwN1E1IMhleEUPV7L8mbt26b0JyvrSS5ByrXahGu9vGQyy7qqx9ZANkzgXF
+3hPMDuzQXMJiUeG92VsMEdGdA1/8V5ro+ceB5c7Zca5MjMzvx2tihda7BUjj6dSE
+cA8Vvksy/NX/nqHSt0aSgphvBmZP8dN6GMcZ+hT7p0fhCq4mSFEykQqueKXiFUfz
+0xCUVZC6WzOoEkc8k7xiLWQDlsZZ13Z4yxU1IxJp7llZXpZ8GkwS+678/Nx8h54A
+mv5ZlSFWWQrvN5JPQJka7aU2ITu1LUK6mXBu+DoSDOfQuqR4vQytkjOqHK185iHs
+JQtBGkFFdElkWgubPX/S8/xxoT8MoQY/c+dr6iwcswyUnSJXh32KLPGNBoqWCCbY
+jp/VYmeb117gNpEJKJhcNbrP7DoQrC3/D7JFXnOvTA/z6FOtUmz0rQ==
+-----END RSA PRIVATE KEY-----
--- a/tests/data_files/keyfile.aes128
+++ b/tests/data_files/keyfile.aes128
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,B5FA3F70C2AF79EB9D3DD2C40E7AE61A
+
+iyfOvvyTPPR7on4XPFxu6CoCgTqh88ROlslM+RLJhwM/qGexbgDOzeI2CPf4XfzI
+tyevKD/pqCaCMesYJh/HDQCILdW2tGbwzPajg72xkfCD6+1NHOGoDbdQN8ahGVmg
+flAYU0iXDMvqs/jnucM7nlTGp8Istn7+zd9ARyrkQy+I8nvMh3chGKWzx/XtJR+z
+Iv8p+n/o+fCHzGvtj+LWYeUc4d0OTIjnF6QPTtPOexX28z0gXRODT/indgifNXv3
+j45KO2NYOaVTaCuiWIHj7wWBokoL4bCMFcFTJbdJx5BgfLmDkTEmB/6DEXu6UOsQ
+3lPzyJhIRxn7hNq2I47TzSAFvmcXwm84txpxtSwHTcl9LgsyIiEMmHv3lPPE1G94
+F5VrCzzFHyU7nFRdUC0mqLrCHcjDn5O4SQWfH7J/7G4OArU6lA4Z2NC03IPxEmsQ
+66Fu8GdMbmtFORdlZQtOjLi3zZwN9+NwhiUrNNdVvGNJIjIcZ4FZRZysbt7++hfQ
+/JOAKhVNC8dNROJUleEYIiqx23e5lze6wqcIosziq3tb6/SQ6fH533D8+PpcZKsC
+IlWKAQzsNV+nJvt7CI1ppWc6CtV7TKn0scZm2oOC4339gdR5xzxXe9EJDsMBpcg9
+drIdBr+3UxeC6Lc/rWM7IjSQ2YULBra3toEF6UYevngXdUD2YafrpoY5rK9IH90G
+Hjbf65IaHLTS0jA7lAvJsQEBuULQQoWENOjhp8v+UfkNM2ccyOuUk3xZJNeX19YP
+1Z09UMEKbf6ucoRCc01SBl206OAsq1NZEaodszT+mDg990I/9ACVi3LEU6XB5ZVs
+-----END RSA PRIVATE KEY-----
--- a/tests/data_files/keyfile.aes192
+++ b/tests/data_files/keyfile.aes192
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-192-CBC,72F869F41B989D71730B2983448251B8
+
+R6ST6H9oUyFWBavUO++azbn9ga87lgeuqNMVVScOcXjguqQZdnuZq9AzwQQETEv+
+ZbVPL9w2isuXKoavaPxYyCXbZ+l6JRfWiXi6CmnfNhx4MgYpbH9BEqGbIVxA3fvu
+zFutqi+Ru6QeERshDNke6HfFjJ91WkBjNjrXcfDmt0uRGqFSWd5DSEniyaPmxCYs
+mpRwr9XESFiBkCHL+/iSkW0EZBjwHW0//RNsZKtuqVJGW/dZhDxerOGRl0a1oWkb
+IvfED7afrXMlpHokMwtUduk2TBE1AoczZ6Dv7RZGipaBR4yb9kYgIkiqFk53lg5h
+7b3WQt6TYECI7X3Q2rDgPQtUChVud0uUQYmQ5328HRE8zhlWxHGmTQMWVBW6X+FM
+ikFLRUeYBeq0UJu20DmvklZV6iDxsULLu+Rb0b8NkT+V2feSXbrP976oCSUznvT6
+3e2EOH+KAqMy5JZhTsjM7HtkleMwYQ9v+Wnbnn1OsB9drYWUJuhQeXt6v8dkm/eD
+9m6dZzivc/h1UThIuuZPo+6S7FoluIlt5uv2UcnYYdYOgKSd1Vm0wztGaJn3CSGw
+JEbebucr+5ptOHxflV5Txgnfj63sJyVd/wy0T8sMRO2znk5uVLWxf855fNXev9M3
+gA3+MXC2eGaR9DYOxfakFRwL+Z30RlIktaqDK76BZRD4sWB6dIVw5JdCXpNMCuDH
+dxlTKcP59uPAEB2VyhDvm5CN3T+bM2K6WDZFO95hKKfEk5ea/UB7DA2ucfovdayE
+Hd46EUKC4/cdUFiSycgD01ztdda7hU7hFvOkHTK7O3G1yvEwH0+jxKNsudNfbbxc
+-----END RSA PRIVATE KEY-----
--- a/tests/data_files/keyfile.aes256
+++ b/tests/data_files/keyfile.aes256
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,53572EEEE794948AC48CB0E077CE075A
+
+p0YobpQmzHb3NgGlojpYoH+G5f1XX9snYv2GQe2tGTBQpoHh+ivHcOt85EZu9pC1
+1KRdALEwp7Cb4RYeQncV9Bfp5rItupS1TwfgKAlp7Plmb4vDcDVw+KL3PaYn52Bd
+qq5USLxCvKcl91hZXzitttH072lEj2MzW2QpX2/1hCRPgMDu9PJlBX2S+GOaYP+9
+sTWTCc1yvHMW4XGEM4P4yfRg9EOTxU5gIYWUE2JqmEGd+9I0hK2YevAPLNKHxzpy
+klCCBYqDplcVT5zEyCmdiBHIjzodlFuocZC8ncinVnsuJvpTeMQ+zOZ5rao8xm2j
+uCnnVRh7yZktfsf5B/ZKBMGyPYRyKN4CCYhF0GzbehTvBirgDELq4LHyDdnnOTwU
+YJiqo17x6S4FVNq6AubADVAbCOMFyfr+TFshI8spOwqfGFFDs8/WWL5OnBS85Pd1
+dgoqwzJAt55GyDUbGnp6hUFl9g96nvV3sE6Xe4xVE2Cpf1BtUl9Dt3UrrDrbS0dk
+pKxl2FA2H0BVKtfNBHXvWkORi+v+XZl34rZZ37B8snYIN2aOqLuvyM4fd1EabkyG
+ymMEUHJcrc5zl/7IECaHrCahqZIsLpLhGTd0MMGrkGSvRLiY5nQ4MN5tKI0fUw0S
+5KIjOA6ZX5nvh4rYgQcgN7K6dXNA2hOj5256Vv0HVwXsVhQFmCGnuo+h8XxudRVH
+RuIUaTUtl29a/2nPTzXB6MNZe7Wol8EkzuYEgyaizKr7nO0J1umg+lj7ipX/80Ji
+3ADi0yL4F831LsdAiTY60Lu2e3WABleZsvuLMWSodb9WzJXknsnFEDLGOM+HGj8Q
+-----END RSA PRIVATE KEY-----
--- a/tests/data_files/keyfile.des
+++ b/tests/data_files/keyfile.des
@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,F87FE1C0FB9B3E77
+
+1NbOyRx5kBWeXy93eCXyidDpR3pbfgGWIIgXVCVE4/ZXgEt14A23YndZeI5OSxvG
+JWhqZ+VuiRsxeKAjo+xf4bnKLArvbshhzUKCEVsCP1d2d1xfgjsnyr8tqNiJE0F6
+7Nimjcrpw/udCk2RBVyshN9kiPBbnA+XUdOHfEnbdkqDsS5DGjq7H1kBZuHhTQa8
+Xv6ta3kbI1BGiqKDhH2H9iJlZMwpVQuJs+HqcqNEhsPm0V4kp0S3PZMbYVKpEtDO
+vh9CHprQy/nlHfq7ZAs9/2HN4/OT/5kw4JM9qQy7eo/6FX2yh39Lyz8u7PXLaVgM
+pwOiFb+zvegYts5aCXyM1nBUu9NFPDQNDytjXOhbWL0hEr1RzgK67f5QYIxWgGCK
+St4moIn7J5BifViNdp7j/RXCoCmda3Zv5PiRw83yScSlzgDdTNpm/70jp8pGSxEn
+Ib768zYEcYeeKyPar210Nh9abySPpkFFaujN4do5wujboC0VPz73M6eTeZ6iOUgR
+cX9WwkfRj6G6VQfM6xAZdOkQ2cj6M4YRze1RKLhqo0+gre76FLn8Kzf/Hjrp/0iy
+0flr/6BwLxGV49vMUCesJ9oqE/frru9Y89cOwbgcHxKJ24Oz+64OUPyeSxDMElZ8
+lXiNk3aBEuLdBOKJ8B9kyKuxNqwDoqhCsrc77Gjio+q24w+G2+KAzBEup4S9cYgp
+FiSvK8sizKINfE14f9HA60MJJzyEjTUuL7+ioL7xHGtIkdWbs/Qp7KxliH6qoIUv
+VUsT6VS1nWLDyTyMbcjMx1odRsWrLwLqIsvNIcGGwe+P4sm4LivNnQ==
+-----END RSA PRIVATE KEY-----
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@ -1,4 +1,4 @@
 Debug print certificate #1
-depends_on:POLARSSL_DEBUG_C
+depends_on:POLARSSL_DEBUG_C:POLARSSL_PEM_C
 debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued  on    \: 2009-02-09 21\:12\:35\nMyFile(0999)\: expires on    \: 2011-02-09 21\:12\:35\nMyFile(0999)\: signed using  \: RSA+SHA1\nMyFile(0999)\: RSA key size  \: 2048 bits\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\:  ae 92 63 59 74 68 a4 aa 89 50 42 f2 e7 27 09 2c\nMyFile(0999)\:  a5 86 99 09 28 52 5d 6e 32 f5 93 18 35 0e 2b 28\nMyFile(0999)\:  6d 11 20 49 f2 21 0d d6 fc e6 dc de 40 93 7b 29\nMyFile(0999)\:  ee 4b 4c 28 4f e4 8c 38 12 de 10 69 f7 ba 40 e8\nMyFile(0999)\:  74 80 a6 19 36 63 e0 37 93 39 f6 00 8e 3c 5a fd\nMyFile(0999)\:  dc 8e 50 c1 41 7c bf ff c9 bb e2 ad 7c 8d b1 a4\nMyFile(0999)\:  1a 8b 3e 1f 1a 28 9b e6 93 4b 74 c3 e9 ab 2c c8\nMyFile(0999)\:  93 cf f6 02 a1 c9 4b 9e f9 f6 fa a6 95 98 6c 32\nMyFile(0999)\:  85 c0 f4 e7 b0 ec 50 af 17 52 49 21 80 9f 0d c8\nMyFile(0999)\:  37 73 74 42 3e 06 7f 29 29 1d 6a 9a 71 0f 70 ea\nMyFile(0999)\:  c8 49 0d d7 3b 7e c2 ed 9b 33 dd 64 e9 8f df 85\nMyFile(0999)\:  81 c3 b1 c5 50 b6 55 2c c8 88 ed fd c4 cf 14 4f\nMyFile(0999)\:  49 d8 76 5c 1d 95 ef 34 e8 d7 74 aa 1e d2 ff 1d\nMyFile(0999)\:  19 27 19 de af b5 7a 71 c3 fb 38 11 ca da 78 2c\nMyFile(0999)\:  9b 32 3e 5f 31 eb c9 6e 43 eb 3d a5 c1 36 e2 86\nMyFile(0999)\:  49 1c 68 d7 5b f1 01 d0 29 16 d0 3a 44 36 5c 77\nMyFile(0999)\: value of 'crt->rsa.E' (32 bits) is\:\nMyFile(0999)\:  00 01 00 01\n"

--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@ -1,176 +1,237 @@
 X509 Certificate information #1
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued  on    \: 2009-02-09 21\:12\:35\nexpires on    \: 2011-02-09 21\:12\:35\nsigned using  \: RSA+SHA1\nRSA key size  \: 2048 bits\n"

 X509 Certificate information #2
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/server2.crt":"cert. version \: 3\nserial number \: 09\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=localhost\nissued  on    \: 2009-02-10 22\:15\:12\nexpires on    \: 2011-02-10 22\:15\:12\nsigned using  \: RSA+SHA1\nRSA key size  \: 2048 bits\n"

 X509 Certificate information #3
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/test-ca.crt":"cert. version \: 3\nserial number \: 00\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued  on    \: 2009-02-09 21\:12\:25\nexpires on    \: 2019-02-10 21\:12\:25\nsigned using  \: RSA+SHA1\nRSA key size  \: 2048 bits\n"

 X509 Certificate information MD2 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_md2.crt":"cert. version \: 3\nserial number \: 09\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+MD2\nRSA key size  \: 2048 bits\n"

 X509 Certificate information MD4 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_md4.crt":"cert. version \: 3\nserial number \: 0A\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+MD4\nRSA key size  \: 2048 bits\n"

 X509 Certificate information MD5 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_md5.crt":"cert. version \: 3\nserial number \: 0B\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+MD5\nRSA key size  \: 2048 bits\n"

 X509 Certificate information SHA1 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_sha1.crt":"cert. version \: 3\nserial number \: 0C\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+SHA1\nRSA key size  \: 2048 bits\n"

 X509 Certificate information SHA224 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_sha224.crt":"cert. version \: 3\nserial number \: 0D\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+SHA224\nRSA key size  \: 2048 bits\n"

 X509 Certificate information SHA256 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_sha256.crt":"cert. version \: 3\nserial number \: 0E\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+SHA256\nRSA key size  \: 2048 bits\n"

 X509 Certificate information SHA384 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_sha384.crt":"cert. version \: 3\nserial number \: 0F\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued  on    \: 2009-07-12 10\:56\:59\nexpires on    \: 2011-07-12 10\:56\:59\nsigned using  \: RSA+SHA384\nRSA key size  \: 2048 bits\n"

 X509 Certificate information SHA512 Digest
+depends_on:POLARSSL_PEM_C
 x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 10\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued  on    \: 2009-07-12 10\:57\:00\nexpires on    \: 2011-07-12 10\:57\:00\nsigned using  \: RSA+SHA512\nRSA key size  \: 2048 bits\n"

 X509 CRL information #1
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_expired.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-02-09 21\:12\:36\nnext update   \: 2009-04-10 21\:12\:36\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA1\n"

 X509 CRL Information MD2 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_md2.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+MD2\n"

 X509 CRL Information MD4 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_md4.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+MD4\n"

 X509 CRL Information MD5 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_md5.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+MD5\n"

 X509 CRL Information SHA1 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_sha1.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA1\n"

 X509 CRL Information SHA224 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_sha224.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA224\n"

 X509 CRL Information SHA256 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_sha256.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA256\n"

 X509 CRL Information SHA384 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_sha384.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA384\n"

 X509 CRL Information SHA512 Digest
+depends_on:POLARSSL_PEM_C
 x509_crl_info:"data_files/crl_sha512.pem":"CRL version   \: 1\nissuer name   \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update   \: 2009-07-19 19\:56\:37\nnext update   \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using  \: RSA+SHA512\n"

 X509 Parse Key #1 (No password when required)
-depends_on:POLARSSL_MD5_C
-x509parse_keyfile:"data_files/test-ca.key":NULL:POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED
+depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/test-ca.key":NULL:POLARSSL_ERR_PEM_PASSWORD_REQUIRED

 X509 Parse Key #2 (Correct password)
-depends_on:POLARSSL_MD5_C
+depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C
 x509parse_keyfile:"data_files/test-ca.key":"PolarSSLTest":0

 X509 Parse Key #3 (Wrong password)
-depends_on:POLARSSL_MD5_C
-x509parse_keyfile:"data_files/test-ca.key":"PolarSSLWRONG":POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH
+depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/test-ca.key":"PolarSSLWRONG":POLARSSL_ERR_PEM_PASSWORD_MISMATCH
+
+X509 Parse Key #4 (DES Encrypted)
+depends_on:POLARSSL_MD5_C:POLARSSL_DES_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/keyfile.des":"testkey":0
+
+X509 Parse Key #5 (3DES Encrypted)
+depends_on:POLARSSL_MD5_C:POLARSSL_DES_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/keyfile.3des":"testkey":0
+
+X509 Parse Key #6 (AES-128 Encrypted)
+depends_on:POLARSSL_MD5_C:POLARSSL_AES_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/keyfile.aes128":"testkey":0
+
+X509 Parse Key #7 (AES-192 Encrypted)
+depends_on:POLARSSL_MD5_C:POLARSSL_AES_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/keyfile.aes192":"testkey":0
+
+X509 Parse Key #8 (AES-256 Encrypted)
+depends_on:POLARSSL_MD5_C:POLARSSL_AES_C:POLARSSL_PEM_C
+x509parse_keyfile:"data_files/keyfile.aes256":"testkey":0

 X509 Get Distinguished Name #1
+depends_on:POLARSSL_PEM_C
 x509_dn_gets:"data_files/server1.crt":subject:"C=NL, O=PolarSSL, CN=PolarSSL Server 1"

 X509 Get Distinguished Name #2
+depends_on:POLARSSL_PEM_C
 x509_dn_gets:"data_files/server1.crt":issuer:"C=NL, O=PolarSSL, CN=PolarSSL Test CA"

 X509 Get Distinguished Name #3
+depends_on:POLARSSL_PEM_C
 x509_dn_gets:"data_files/server2.crt":subject:"C=NL, O=PolarSSL, CN=localhost"

 X509 Get Distinguished Name #4
+depends_on:POLARSSL_PEM_C
 x509_dn_gets:"data_files/server2.crt":issuer:"C=NL, O=PolarSSL, CN=PolarSSL Test CA"

 X509 Time Expired #1
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/server1.crt":valid_from:1

 X509 Time Expired #2
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/server1.crt":valid_to:0

 X509 Time Expired #3
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/server2.crt":valid_from:1

 X509 Time Expired #4
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/server2.crt":valid_to:0

 X509 Time Expired #5
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/test-ca.crt":valid_from:1

 X509 Time Expired #6
+depends_on:POLARSSL_PEM_C
 x509_time_expired:"data_files/test-ca.crt":valid_to:0

 X509 Certificate verification #1 (Revoked Cert, Expired CRL)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:NULL

 X509 Certificate verification #2 (Revoked Cert, Expired CRL)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED:NULL

 X509 Certificate verification #3 (Revoked Cert, Expired CRL, CN Mismatch)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCRL_EXPIRED | BADCERT_CN_MISMATCH:NULL

 X509 Certificate verification #4 (Valid Cert, Expired CRL)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_EXPIRED:NULL

 X509 Certificate verification #5 (Revoked Cert)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL

 X509 Certificate verification #6 (Revoked Cert)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:NULL

 X509 Certificate verification #7 (Revoked Cert, CN Mismatch)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED | BADCERT_CN_MISMATCH:NULL

 X509 Certificate verification #8 (Valid Cert)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #9 (Not trusted Cert)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:NULL

 X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:NULL

 X509 Certificate verification #11 (Valid Cert MD2 Digest)
-depends_on:POLARSSL_MD2_C
+depends_on:POLARSSL_MD2_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_md2.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #12 (Valid Cert MD4 Digest)
-depends_on:POLARSSL_MD4_C
+depends_on:POLARSSL_MD4_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #13 (Valid Cert MD5 Digest)
-depends_on:POLARSSL_MD5_C
+depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #14 (Valid Cert SHA1 Digest)
-depends_on:POLARSSL_SHA1_C
+depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #15 (Valid Cert SHA224 Digest)
-depends_on:POLARSSL_SHA2_C
+depends_on:POLARSSL_SHA2_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #16 (Valid Cert SHA256 Digest)
-depends_on:POLARSSL_SHA2_C
+depends_on:POLARSSL_SHA2_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #17 (Valid Cert SHA384 Digest)
-depends_on:POLARSSL_SHA4_C
+depends_on:POLARSSL_SHA4_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #18 (Valid Cert SHA512 Digest)
-depends_on:POLARSSL_SHA4_C
+depends_on:POLARSSL_SHA4_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:0:0:NULL

 X509 Certificate verification #19 (Valid Cert, denying callback)
-depends_on:POLARSSL_SHA4_C
+depends_on:POLARSSL_SHA4_C:POLARSSL_PEM_C
 x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":NULL:POLARSSL_ERR_X509_CERT_VERIFY_FAILED:0:&verify_none

 X509 Certificate verification #20 (Not trusted Cert, allowing callback)
+depends_on:POLARSSL_PEM_C
 x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":NULL:0:0:&verify_all

 X509 Parse Selftest
-depends_on:POLARSSL_MD5_C
+depends_on:POLARSSL_MD5_C:POLARSSL_PEM_C
 x509_selftest:

 X509 Certificate ASN1 (Incorrect first tag)
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@ -1,6 +1,7 @@
 BEGIN_HEADER
 #include <polarssl/config.h>
 #include <polarssl/x509.h>
+#include <polarssl/pem.h>

 int verify_none( void *data, x509_cert *crt, int certificate_depth, int preverify_ok )
 {