Release 2.6

Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>
Check X509_ATTRIBUTE_get0_data() return value
2025-07-02 19:22:47 -05:00 · 2023-05-29 23:10:39 +02:00 · 2023-05-26 15:07:03 +02:00 · 2023-05-26 15:07:03 +02:00 · 2023-05-26 15:07:03 +02:00 · 2023-05-25 15:45:52 +02:00
84 changed files with 12942 additions and 5040 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,177 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+env:
+  # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+  BUILD_TYPE: Release
+  version: osslsigncode-2.6-dev
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - id: ubuntu-22.04
+            triplet: x64-linux
+            compiler: gcc
+            os: ubuntu-22.04
+            generator: Unix Makefiles
+            vcpkg_root:
+          - id: ubuntu-20.04
+            triplet: x64-linux
+            compiler: gcc
+            os: ubuntu-20.04
+            generator: Unix Makefiles
+            vcpkg_root:
+          - id: macOS
+            triplet: x64-osx
+            compiler: clang
+            os: macOS-latest
+            generator: Unix Makefiles
+            vcpkg_root: /usr/local/share/vcpkg
+            cache: /Users/runner/.cache/vcpkg/archives
+          - id: windows-x64-vs
+            triplet: x64-windows
+            compiler: vs
+            arch: x64
+            os: windows-latest
+            generator: Ninja
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+          - id: windows-x86-vs
+            triplet: x86-windows
+            compiler: vs
+            arch: x86
+            os: windows-latest
+            generator: Ninja
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+          - id: windows-x64-static-vs
+            triplet: x64-windows-static
+            compiler: vs
+            arch: x64
+            os: windows-latest
+            generator: Ninja
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+          - id: windows-x64-mingw
+            triplet: x64-windows
+            compiler: mingw
+            os: windows-latest
+            generator: Ninja
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+
+    runs-on: ${{matrix.os}}
+
+    env:
+      VCPKG_ROOT: ${{matrix.vcpkg_root}}
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Cache the vcpkg archives
+      if: matrix.cache != ''
+      uses: actions/cache@v3
+      with:
+        path: ${{matrix.cache}}
+        key: ${{matrix.id}}-${{hashFiles('vcpkg.json')}}
+        restore-keys: |
+          ${{matrix.id}}-${{hashFiles('vcpkg.json')}}
+          ${{matrix.id}}-
+
+    - name: Configure Visual Studio
+      if: matrix.compiler == 'vs'
+      uses: ilammy/msvc-dev-cmd@v1
+      with:
+        arch: ${{matrix.arch}}
+
+    - name: Install apt dependencies (Linux)
+      if: runner.os == 'Linux'
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libssl-dev libcurl4-openssl-dev faketime
+
+    - name: Install Xcode (macOS)
+      if: runner.os == 'macOS'
+      uses: maxim-lobanov/setup-xcode@v1
+      with:
+        xcode-version: latest-stable
+
+    - name: Setup the oldest supported version of cmake (macOS)
+      if: runner.os == 'macOS'
+      uses: jwlawson/actions-setup-cmake@v1.12
+      with:
+        cmake-version: '3.17.0'
+
+    - name: Show OpenSSL version
+      run: openssl version -a
+
+    - name: Configure CMake
+      run: cmake
+        -G "${{matrix.generator}}"
+        -S ${{github.workspace}}
+        -B ${{github.workspace}}/build
+        -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+        -DCMAKE_INSTALL_PREFIX=${{github.workspace}}/dist
+        -DVCPKG_TARGET_TRIPLET=${{matrix.triplet}}
+
+    - name: Build
+      run: cmake
+        --build ${{github.workspace}}/build
+        --config ${{env.BUILD_TYPE}}
+
+    - name: Start HTTP server (macOS)
+      working-directory: ${{github.workspace}}/build
+      if: runner.os == 'macOS'
+      run: |
+        python3 --version
+        python3 ./Testing/server_http.py --port 19254
+        while test ! -s ./Testing/logs/port.log; do sleep 1; done
+
+    - name: Start HTTP server (Windows)
+      working-directory: ${{github.workspace}}\build
+      if: runner.os == 'Windows'
+      run: |
+        python.exe --version
+        $Args = '.\Testing\server_http.pyw --port 19254'
+        $File = '.\Testing\logs\port.log'
+        Start-Process -FilePath pythonw.exe -ArgumentList $Args
+        while(-not(Test-Path -Path $File -PathType Leaf) -or [String]::IsNullOrWhiteSpace((Get-Content $File))) {Start-Sleep -Seconds 1}
+        Get-Content '.\Testing\logs\server.log'
+
+    - name: List files (Linux/macOS)
+      if: runner.os != 'Windows'
+      run: find .. -ls
+
+    - name: List files (Windows)
+      if: runner.os == 'Windows'
+      run: Get-ChildItem -Recurse -Name ..
+
+    - name: Test
+      working-directory: ${{github.workspace}}/build
+      run: ctest -C ${{env.BUILD_TYPE}}
+
+    - name: Upload the errors
+      uses: actions/upload-artifact@v3
+      if: failure()
+      with:
+        name: errors-${{matrix.id}}
+        path: |
+          ${{github.workspace}}/build/Testing/Temporary/LastTest.log
+          ${{github.workspace}}/build/Testing/conf/makecerts.log
+          ${{github.workspace}}/build/Testing/logs/server.log
+          ${{github.workspace}}/build/Testing/logs/port.log
+
+    - name: Install
+      run: cmake --install ${{github.workspace}}/build
+
+    - name: Upload the executables
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{env.version}}-${{matrix.id}}
+        path: ${{github.workspace}}/dist
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,59 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '45 1 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+        
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@ -0,0 +1,26 @@
+name: Coverity Scan
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  coverity:
+    runs-on: ubuntu-latest
+    env:
+      token: ${{secrets.COVERITY_SCAN_TOKEN}}
+    steps:
+    - uses: actions/checkout@v3
+      if: env.token
+    - name: Get ready for scanning
+      if: env.token
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libssl-dev libcurl4-openssl-dev
+        cmake -S ${{github.workspace}} -B ${{github.workspace}}/build
+    - uses: vapier/coverity-scan-action@v1
+      if: env.token
+      with:
+        email: ${{secrets.COVERITY_SCAN_EMAIL}}
+        token: ${{secrets.COVERITY_SCAN_TOKEN}}
+        command: make -C ${{github.workspace}}/build
--- a/.gitignore
+++ b/.gitignore
@ -1,20 +1,19 @@
-.deps
-Makefile
-Makefile.in
-aclocal.m4
-autom4te.cache/
-compile
+build/
+CMakeFiles/
+_CPack_Packages/
+Testing/
+.vs/
+
+CMakeCache.txt
+cmake_install.cmake
 config.h
-config.h.in
-config.h.in~
-config.log
-config.status
-configure
-depcomp
-install-sh
-missing
+CPackConfig.cmake
+CPackSourceConfig.cmake
+CTestTestfile.cmake
+install_manifest.txt
+Makefile
 osslsigncode
-osslsigncode.o
+osslsigncode.exe
 stamp-h1

 .#*#
@ -23,20 +22,20 @@ stamp-h1
 .*.rej
 .*~
 #*#
+*.asc
 *.bak
+*.bz2
 *.d
 *.def
 *.dll
-*.exe
+*.gz
 *.la
 *.lib
 *.lo
 *.orig
+*.pc
 *.pdb
 *.rej
 *.u
 *.rc
-*.pc
 *~
-*.gz
-*.bz2
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -0,0 +1,103 @@
+# required cmake version
+cmake_minimum_required(VERSION 3.17)
+
+# autodetect vcpkg CMAKE_TOOLCHAIN_FILE if VCPKG_ROOT is defined
+# this needs to be configured before the project() directive
+if(DEFINED ENV{VCPKG_ROOT} AND NOT $ENV{VCPKG_ROOT} STREQUAL "" AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+    set(CMAKE_TOOLCHAIN_FILE "$ENV{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake" CACHE STRING "")
+endif(DEFINED ENV{VCPKG_ROOT} AND NOT $ENV{VCPKG_ROOT} STREQUAL "" AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+set(BUILTIN_SOCKET ON CACHE BOOL "") # for static Python
+
+# configure basic project information
+project(osslsigncode
+    VERSION 2.6
+    DESCRIPTION "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files"
+    HOMEPAGE_URL "https://github.com/mtrojnar/osslsigncode"
+    LANGUAGES C)
+
+# force nonstandard version format for development packages
+set(DEV "")
+set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}${DEV}")
+
+# version and contact information
+set(PACKAGE_STRING "${PROJECT_NAME} ${PROJECT_VERSION}")
+set(PACKAGE_BUGREPORT "Michal.Trojnara@stunnel.org")
+
+# specify the C standard
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_C_STANDARD_REQUIRED ON)
+
+# load CMake library modules
+include(FindOpenSSL)
+include(FindCURL)
+
+# load CMake project modules
+set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
+include(SetBashCompletion)
+include(FindHeaders)
+
+# define the target
+add_executable(osslsigncode)
+
+# add compiler/linker flags
+include(SetCompilerFlags)
+
+# create and use config.h
+configure_file(Config.h.in config.h)
+target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
+
+# set sources
+target_sources(osslsigncode PRIVATE osslsigncode.c helpers.c msi.c pe.c cab.c cat.c)
+if(NOT UNIX)
+    target_sources(osslsigncode PRIVATE applink.c)
+endif(NOT UNIX)
+
+# set include directories
+target_include_directories(osslsigncode PRIVATE "${PROJECT_BINARY_DIR}")
+
+# set OpenSSL includes/libraries
+if(NOT OPENSSL_FOUND)
+    message(FATAL_ERROR "OpenSSL library not found")
+endif(NOT OPENSSL_FOUND)
+target_include_directories(osslsigncode PRIVATE ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(osslsigncode PRIVATE ${OPENSSL_LIBRARIES})
+
+# set cURL includes/libraries
+if(CURL_FOUND)
+    target_compile_definitions(osslsigncode PRIVATE ENABLE_CURL=1)
+    target_include_directories(osslsigncode PRIVATE ${CURL_INCLUDE_DIRS})
+    target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES})
+    message(STATUS "cURL support enabled")
+else(CURL_FOUND)
+    message(STATUS "cURL support disabled (library not found)")
+endif(CURL_FOUND)
+
+# add paths to linker search and installed rpath
+set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE)
+
+# testing with CTest
+include(CMakeTest)
+
+# installation rules for a project
+set(BINDIR "${CMAKE_INSTALL_PREFIX}/bin")
+install(TARGETS osslsigncode RUNTIME DESTINATION ${BINDIR})
+if(UNIX)
+    include(CMakeDist)
+else(UNIX)
+    install(
+        DIRECTORY ${PROJECT_BINARY_DIR}/ DESTINATION ${BINDIR}
+        FILES_MATCHING
+        PATTERN "*.dll"
+        PATTERN "vcpkg_installed" EXCLUDE
+        PATTERN "CMakeFiles" EXCLUDE
+        PATTERN "Testing" EXCLUDE)
+endif(UNIX)
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@ -0,0 +1,50 @@
+{
+  "configurations": [
+    {
+      "name": "x86-Debug",
+      "generator": "Ninja",
+      "configurationType": "Debug",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x86" ]
+    },
+    {
+      "name": "x86-Release",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x86" ]
+    },
+    {
+      "name": "x64-Debug",
+      "generator": "Ninja",
+      "configurationType": "Debug",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x64_x64" ],
+      "variables": []
+    },
+    {
+      "name": "x64-Release",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x64_x64" ],
+      "variables": []
+    }
+  ]
+}
--- a/Config.h.in
+++ b/Config.h.in
@ -0,0 +1,10 @@
+/* the configured options and settings for osslsigncode */
+#define VERSION_MAJOR "@osslsigncode_VERSION_MAJOR@"
+#define VERSION_MINOR "@osslsigncode_VERSION_MINOR@"
+#cmakedefine PACKAGE_STRING "@PACKAGE_STRING@"
+#cmakedefine PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
+#cmakedefine HAVE_TERMIOS_H
+#cmakedefine HAVE_GETPASS
+#cmakedefine HAVE_SYS_MMAN_H
+#cmakedefine HAVE_MMAP
+#cmakedefine HAVE_MAPVIEWOFFILE
--- a/INSTALL.W32.md
+++ b/INSTALL.W32.md
@ -0,0 +1,122 @@
+# osslsigncode Windows install notes
+
+### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl.
+```
+  pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl
+```
+   mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
+
+2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
+    -lcrypto -lssl -lcurl \
+    -D 'PACKAGE_STRING="osslsigncode x.y"' \
+    -D 'PACKAGE_BUGREPORT="Your.Email@example.com"' \
+    -D ENABLE_CURL
+```
+
+3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
+```
+  path=%path%;c:\msys64\mingw64\bin
+  cd osslsigncode-folder
+  osslsigncode.exe -v
+  osslsigncode 2.4, using:
+        OpenSSL 1.1.1g  21 Apr 2020 (Library: OpenSSL 1.1.1g  21 Apr 2020)
+        libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
+        libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0
+```
+
+
+### Building OpenSSL, Curl and osslsigncode sources with MSYS2 MinGW 64-bit:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even: perl make autoconf automake libtool pkg-config.
+```
+  pacman -S perl make autoconf automake libtool pkg-config
+```
+   Make sure there are no curl, brotli, libpsl, libidn2 and nghttp2 packages installed:
+```
+  pacman -R mingw-w64-x86_64-curl \
+    mingw-w64-x86_64-brotli \
+    mingw-w64-x86_64-libpsl \
+    mingw-w64-x86_64-libidn2 \
+    mingw-w64-x86_64-nghttp2
+```
+
+   Run "MSYS2 MinGW 64-bit" in the administrator mode.
+
+2) Build and install OpenSSL.
+```
+  cd openssl-(version)
+  ./config --prefix='C:/OpenSSL' --openssldir='C:/OpenSSL'
+  make && make install
+```
+ 3) Build and install curl.
+```
+  cd curl-(version)
+  ./buildconf
+  ./configure --prefix='C:/curl' --with-ssl='C:/OpenSSL' \
+    --disable-ftp --disable-tftp --disable-file --disable-dict \
+    --disable-telnet --disable-imap --disable-smb --disable-smtp \
+    --disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
+    --disable-ldap --disable-ldaps --disable-unix-sockets \
+    --disable-pthreads --without-zstd --without-zlib
+  make && make install
+```
+
+3) Build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
+    -L 'C:/OpenSSL/lib/' -lcrypto -lssl \
+    -I 'C:/OpenSSL/include/' \
+    -L 'C:/curl/lib' -lcurl \
+    -I 'C:/curl/include' \
+    -D 'PACKAGE_STRING="osslsigncode x.y"' \
+    -D 'PACKAGE_BUGREPORT="Your.Email@example.com"' \
+    -D ENABLE_CURL
+```
+
+4) Run "Command prompt" and copy required libraries.
+```
+  cd osslsigncode-folder
+  copy C:\OpenSSL\bin\libssl-1_1-x64.dll
+  copy C:\OpenSSL\bin\libcrypto-1_1-x64.dll
+  copy C:\curl\bin\libcurl-4.dll
+
+  osslsigncode.exe -v
+  osslsigncode 2.4, using:
+        OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1k  25 Mar 2021)
+        libcurl/7.78.0 OpenSSL/1.1.1k
+```
+
+### Building OpenSSL, Curl and osslsigncode sources with Microsoft Visual Studio:
+
+1) Install and integrate vcpkg: https://vcpkg.io/en/getting-started.html
+
+2) Git clone osslsigncode: https://github.com/mtrojnar/osslsigncode/
+
+3) Build osslsigncode with GUI or cmake.
+  Navigate to the build directory and run CMake to configure the osslsigncode project
+  and generate a native build system:
+```
+mkdir build && cd build && cmake -S .. -G Ninja -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=[installation directory] -DCMAKE_TOOLCHAIN_FILE=[path to vcpkg]/scripts/buildsystems/vcpkg.cmake
+```
+  Then call that build system to actually compile/link the osslsigncode project:
+```
+  cmake --build .
+```
+
+4) Make tests.
+```
+  ctest -C Release
+```
+
+5) Make install (with administrative privileges if necessary).
+```
+  cmake --install .
+```
--- a/LICENSE.txt
+++ b/LICENSE.txt
@ -1,7 +1,7 @@
 OpenSSL based Authenticode signing for PE/MSI/Java CAB files.

 Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
-Copyright (C) 2018 Michał Trojnara <Michal.Trojnara@stunnel.org>
+Copyright (C) 2018-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>

 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
--- a/Makefile.am
+++ b/Makefile.am
@ -1,16 +0,0 @@
-AUTOMAKE_OPTIONS = foreign 1.10
-MAINTAINERCLEANFILES = \
-	config.log config.status \
-	$(srcdir)/Makefile.in \
-	$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
-	$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
-	$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/ylwrap \
-	$(srcdir)/config.guess $(srcdir)/config.sub
-EXTRA_DIST = .gitignore
-
-AM_CFLAGS = $(GSF_CFLAGS) $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
-
-bin_PROGRAMS = osslsigncode
-
-osslsigncode_SOURCES = osslsigncode.c
-osslsigncode_LDADD = $(GSF_LIBS) $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,75 @@
+# osslsigncode change log
+
+### 2.6 (2023.05.29)
+
+- modular architecture implemented to simplify adding file formats
+- added verification of CRLs specified in the signing certificate
+- added MSI DIFAT sectors support (by Max Bagryantsev)
+- added legacy provider support for OpenSSL 3.0.0 and later
+- fixed numerous bugs
+
+### 2.5 (2022.08.12)
+
+- fixed the Unix executable install path
+- fixed the hardcoded "pkcs11" engine id
+- fixed building with MinGW
+- fixed testing with the python3 distributed with Ubuntu 18.04
+
+### 2.4 (2022.08.02)
+
+- migrated the build system from GNU Autoconf to CMake
+- added the "-h" option to set the cryptographic hash function
+  for the "attach -signature" and "add" commands
+- set the default hash function to "sha256"
+- added the "attach-signature" option to compute and compare the
+  leaf certificate hash for the "add" command
+- renamed the "-st" option "-time" (the old name is accepted for
+  compatibility)
+- updated the "-time" option to also set explicit verification time
+- added the "-ignore-timestamp" option to disable timestamp server
+  signature verification
+- removed the "-timestamp-expiration" option
+- fixed several bugs
+- updated the included documentation
+- enabled additional compiler/linker hardening options
+- added CI based on GitHub Actions
+
+### 2.3 (2022.03.06)
+
+**CRITICAL SECURITY VULNERABILITIES**
+
+This release fixes several critical memory corruption vulnerabilities.
+A malicious attacker could create a file, which, when processed with
+osslsigncode, triggers arbitrary code execution.  Any previous version
+of osslsigncode should be immediately upgraded if the tool is used for
+processing of untrusted files.
+
+- fixed several memory safety issues
+- fixed non-interactive PVK (MSBLOB) key decryption
+- added a bash completion script
+- added CA bundle path auto-detection
+
+### 2.2 (2021.08.15)
+
+- CAT files support (thanks to James McKenzie)
+- MSI support rewritten without libgsf dependency, which allows
+  for handling of all the needed MSI metadata, such as dates
+- "-untrusted" option renamed to "-TSA-CAfile"
+- "-CRLuntrusted" option renamed to "-TSA-CRLfile"
+- numerous bug fixes and improvements
+
+### 2.1 (2020-10-11)
+
+- certificate chain verification support
+- timestamp verification support
+- CRL verification support ("-CRLfile" option)
+- improved CAB signature support
+- nested signatures support
+- user-specified signing time ("-st" option) by vszakats
+- added more tests
+- fixed numerous bugs
+- dropped OpenSSL 1.1.0 support
+
 ### 2.0 (2018-12-04)

 - orphaned project adopted by Michał Trojnara
--- a/README.md
+++ b/README.md
@ -1,6 +1,10 @@
 osslsigncode
 ============

+## BUILD STATUS
+
+[![CI](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml/badge.svg)](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml)
+
 ## WHAT IS IT?

 osslsigncode is a small tool that implements part of the functionality
@ -19,19 +23,61 @@ tool  would fail. And, so, osslsigncode was born.

 ## WHAT CAN IT DO?

-It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
-the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
-valid signature for a CAB file containing Java files. It supports getting
-the timestamp through a proxy as well. It also supports signature verification,
-removal and extraction.
+It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files.
+It supports the equivalent of signtool.exe's "-j javasign.dll -jp low",
+i.e. add a valid signature for a CAB file containing Java files.
+It supports getting the timestamp through a proxy as well. It also
+supports signature verification, removal and extraction.

-## INSTALLATION
+## BUILDING

-The usual way:
+This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.
+See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.
+We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead of cloning from a git repository.
+
+### Configure, build, make tests and install osslsigncode
+
+* Install prerequisites on a Debian-based distributions, such as Ubuntu:
 ```
-  ./configure
-  make
-  make install
+  sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev
+```
+* Install prerequisites on macOS with Homebrew:
+```
+  brew install cmake pkg-config openssl@1.1
+  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
+```
+**NOTE:** osslsigncode requires CMake 3.6 or newer.
+
+You may need to use `cmake3` instead of `cmake` to complete the following steps on your system.
+* Navigate to the build directory and run CMake to configure the osslsigncode project
+  and generate a native build system:
+```
+  mkdir build && cd build && cmake -S ..
+```
+  optional CMake parameters:
+```
+  -DCMAKE_BUILD_TYPE=Debug
+  -DCMAKE_C_COMPILER=clang
+  -DCMAKE_PREFIX_PATH=[openssl directory];[curl directory]
+  -DCMAKE_INSTALL_PREFIX=[installation directory]
+  -DBASH_COMPLETION_USER_DIR=[bash completion installation directory]
+
+```
+* Then call that build system to actually compile/link the osslsigncode project (alias `make`):
+```
+  cmake --build .
+```
+* Make test:
+```
+  ctest -C Release
+```
+* Make install:
+```
+  sudo cmake --install .
+```
+* Make tarball (simulate autotools' `make dist`):
+```
+  cmake --build . --target package_source
 ```

 ## USAGE
@ -67,7 +113,7 @@ or if you want to add a timestamp as well:
 ```
  osslsigncode sign -certs <cert-file> -key <key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
-    -t http://timestamp.verisign.com/scripts/timstamp.dll \
+    -t http://timestamp.digicert.com \
    -in yourapp.exe -out yourapp-signed.exe
 ```
 You can use a certificate and key stored in a PKCS#12 container:
@ -85,51 +131,63 @@ To sign a CAB file containing java class files:
 ```
 Only the 'low' parameter is currently supported.

+If you want to use PKCS11 token, you should indicate PKCS11 engine and module.
+An example of using osslsigncode with SoftHSM:
+```
+  osslsigncode sign \
+    -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
+    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
+    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
+    -key 'pkcs11:token=softhsm-token;object=key' \
+    -in yourapp.exe -out yourapp-signed.exe
+```
+
 You can check that the signed file is correct by right-clicking
 on it in Windows and choose Properties --> Digital Signatures,
 and then choose the signature from the list, and click on
 Details. You should then be presented with a dialog that says
 amongst other things that "This digital signature is OK".

-## CONVERTING FROM PVK TO DER
+## UNAUTHENTICATED BLOBS

-(This guide was written by Ryan Rubley)
+The "-addUnauthenticatedBlob" parameter adds a 1024-byte unauthenticated blob
+of data to the signature in the same area as the timestamp.  This can be used
+while signing, while timestamping, after a file has been code signed, or by
+itself.  This technique (but not this project) is used by Dropbox, GoToMeeting,
+and Summit Route.

-If you've managed to finally find osslsigncode from some searches,
-you're most likely going to have a heck of a time getting your SPC
-and PVK files into the formats osslsigncode wants.
+### Example 1. Sign and add blob to unsigned file

-On the computer where you originally purchased your certificate, you
-probably had to use IE to get it. Run IE and select Tools/Internet
-Options from the menu, then under the Content tab, click the Certificates
-button. Under the Personal tab, select your certificate and click the
-Export button. On the second page of the wizard, select the PKCS #7
-Certificate (.P7B) format. This file you export as a *.p7b is what you
-use instead of your *.spc file. It's the same basic thing, in a different format.
-
-For your PVK file, you will need to download a little utility called
-PVK.EXE. This can currently be downloaded at
-
-  http://support.globalsign.net/en/objectsign/PVK.zip
-
-Run:
-```
-  pvk -in foo.pvk -nocrypt -out foo.pem
+```shell
+osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi
 ```

-This will convert your PVK file to a PEM file.
-From there, you can copy the PEM file to a Linux box, and run:
-```
-  openssl rsa -outform der -in foo.pem -out foo.der
-```
-This will convert your PEM file to a DER file.
+### Example 2. Timestamp and add blob to signed file

-You need the *.p7b and *.der files to use osslsigncode, instead of your
-*.spc and *.pvk files.
+```shell
+osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe
+```
+
+### Example 3. Add blob to signed and time-stamped file
+
+```shell
+osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe
+```
+
+### WARNING
+
+This feature allows for doing dumb things.  Be very careful with what you put
+in the unauthenticated blob, as an attacker could modify this.  Do NOT, under
+any circumstances, put a URL here that you will use to download an additional
+file.  If you do do that, you would need to check the newly downloaded file is
+code signed AND that it has been signed with your cert AND that it is the
+version you expect.

 ## BUGS, QUESTIONS etc.

-Send an email to pallansson@gmail.com
+Check whether your your question or suspected bug was already
+discussed on https://github.com/mtrojnar/osslsigncode/issues.
+Otherwise, open a new issue.

 BUT, if you have questions related to generating spc files,
 converting between different formats and so on, *please*
--- a/README.unauthblob.md
+++ b/README.unauthblob.md
@ -1,58 +0,0 @@
-# This is NOT the official repo for osslsigncode
-
-This project was copied from osslsigncode 1.7.1 to apply some patches for compiling with cygwin and being able to add unauthenticated blobs.  The official source for the project is at: http://sourceforge.net/projects/osslsigncode/
-
-## Features added
-
-Adds the argument "-addUnauthenticatedBlob" to add a 1024 byte unauthenticated blob of data to the signature in the same area as the timestamp.  This can be used while signing, while timestamping (new `add` command added to allow just time-stamping, after a file has been code signed, or by itself.
-
-Examples:
-```
-# Example 1. Sign and add blob to unsigned file
-osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi
-```
-
-```
-# Example 2. Timestamp and add blob to signed file 
-osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.verisign.com/scripts/timstamp.dll -in your_signed_file.exe -out out.exe
-```
-
-```
-# Example 3. Add blob to signed and time-stamped file 
-osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe
-```
-
-```
-# Example 4. Sign, timestamp, and add blob
-# Technically you can do this, but this would mean your signing certificate 
-# is on a computer that is connected the Internet, 
-# which means you are doing something wrong, 
-# so I'm not going to show how to do that.
-
-```
-
-This technique (but not this project) is used by Dropbox, GoToMeeting, and Summit Route.  You can read more about this technique here:
-
- https://tech.dropbox.com/2014/08/tech-behind-dropboxs-new-user-experience-for-mobile/
- http://blogs.msdn.com/b/ieinternals/archive/2014/09/04/personalizing-installers-using-unauthenticated-data-inside-authenticode-signed-binaries.aspx
-
-## WARNING
-
-The capability this adds can allow you to do dumb things.  Be very careful with what you put in the unauthenticated blob, as an attacker could modify this.  Do NOT under any circumstances put a URL here that you will use to download an additional file.  If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect.  You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data.  Basically, be VERY careful.
-
-## Compiling under cygwin
-
- Ensure you install the development libraries for openssl, libgfs, and curl.
- Install pkg-config
- Run
-```
-export SHELLOPTS
-set -o igncr
-./configure
-make
-```
-
-## Download
-
- Compiled binary for cygwin: https://summitroute.com/downloads/osslsigncode.exe
- Compiled binary plus all the required DLL's (self-extracting exe): https://summitroute.com/downloads/osslsigncode-cygwin_files.exe
--- a/TODO.md
+++ b/TODO.md
@ -1,8 +1,5 @@
 - signature extraction/removal/verificaton on MSI/CAB files
- improved signature verification on PE files
 - clean up / untangle code
 - separate timestamping
- man page
 - remove mmap usage to increase portability
- tests
 - fix other stuff marked 'XXX'
--- a/applink.c
+++ b/applink.c
@ -0,0 +1,145 @@
+/*
+ * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#define APPLINK_STDIN   1
+#define APPLINK_STDOUT  2
+#define APPLINK_STDERR  3
+#define APPLINK_FPRINTF 4
+#define APPLINK_FGETS   5
+#define APPLINK_FREAD   6
+#define APPLINK_FWRITE  7
+#define APPLINK_FSETMOD 8
+#define APPLINK_FEOF    9
+#define APPLINK_FCLOSE  10      /* should not be used */
+
+#define APPLINK_FOPEN   11      /* solely for completeness */
+#define APPLINK_FSEEK   12
+#define APPLINK_FTELL   13
+#define APPLINK_FFLUSH  14
+#define APPLINK_FERROR  15
+#define APPLINK_CLEARERR 16
+#define APPLINK_FILENO  17      /* to be used with below */
+
+#define APPLINK_OPEN    18      /* formally can't be used, as flags can vary */
+#define APPLINK_READ    19
+#define APPLINK_WRITE   20
+#define APPLINK_LSEEK   21
+#define APPLINK_CLOSE   22
+#define APPLINK_MAX     22      /* always same as last macro */
+
+#ifndef APPMACROS_ONLY
+# include <stdio.h>
+# include <io.h>
+# include <fcntl.h>
+
+# ifdef __BORLANDC__
+   /* _lseek in <io.h> is a function-like macro so we can't take its address */
+#  undef _lseek
+#  define _lseek lseek
+# endif
+
+static void *app_stdin(void)
+{
+    return stdin;
+}
+
+static void *app_stdout(void)
+{
+    return stdout;
+}
+
+static void *app_stderr(void)
+{
+    return stderr;
+}
+
+static int app_feof(FILE *fp)
+{
+    return feof(fp);
+}
+
+static int app_ferror(FILE *fp)
+{
+    return ferror(fp);
+}
+
+static void app_clearerr(FILE *fp)
+{
+    clearerr(fp);
+}
+
+static int app_fileno(FILE *fp)
+{
+    return _fileno(fp);
+}
+
+static int app_fsetmod(FILE *fp, char mod)
+{
+    return _setmode(_fileno(fp), mod == 'b' ? _O_BINARY : _O_TEXT);
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+__declspec(dllexport)
+void **
+# if defined(__BORLANDC__)
+/*
+ * __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters.
+ */
+__stdcall
+# else
+__cdecl
+# endif
+#pragma warning(push, 2)
+OPENSSL_Applink(void)
+{
+    static int once = 1;
+    static void *OPENSSL_ApplinkTable[APPLINK_MAX + 1] =
+        { (void *)APPLINK_MAX };
+
+    if (once) {
+        OPENSSL_ApplinkTable[APPLINK_STDIN] = app_stdin;
+        OPENSSL_ApplinkTable[APPLINK_STDOUT] = app_stdout;
+        OPENSSL_ApplinkTable[APPLINK_STDERR] = app_stderr;
+        OPENSSL_ApplinkTable[APPLINK_FPRINTF] = fprintf;
+        OPENSSL_ApplinkTable[APPLINK_FGETS] = fgets;
+        OPENSSL_ApplinkTable[APPLINK_FREAD] = fread;
+        OPENSSL_ApplinkTable[APPLINK_FWRITE] = fwrite;
+        OPENSSL_ApplinkTable[APPLINK_FSETMOD] = app_fsetmod;
+        OPENSSL_ApplinkTable[APPLINK_FEOF] = app_feof;
+        OPENSSL_ApplinkTable[APPLINK_FCLOSE] = fclose;
+
+        OPENSSL_ApplinkTable[APPLINK_FOPEN] = fopen;
+        OPENSSL_ApplinkTable[APPLINK_FSEEK] = fseek;
+        OPENSSL_ApplinkTable[APPLINK_FTELL] = ftell;
+        OPENSSL_ApplinkTable[APPLINK_FFLUSH] = fflush;
+        OPENSSL_ApplinkTable[APPLINK_FERROR] = app_ferror;
+        OPENSSL_ApplinkTable[APPLINK_CLEARERR] = app_clearerr;
+        OPENSSL_ApplinkTable[APPLINK_FILENO] = app_fileno;
+
+        OPENSSL_ApplinkTable[APPLINK_OPEN] = _open;
+        OPENSSL_ApplinkTable[APPLINK_READ] = _read;
+        OPENSSL_ApplinkTable[APPLINK_WRITE] = _write;
+        OPENSSL_ApplinkTable[APPLINK_LSEEK] = _lseek;
+        OPENSSL_ApplinkTable[APPLINK_CLOSE] = _close;
+
+        once = 0;
+    }
+
+    return OPENSSL_ApplinkTable;
+}
+#pragma warning(pop)
+#ifdef __cplusplus
+}
+#endif
+#endif
--- a/autogen.sh
+++ b/autogen.sh
--- a/cab.c
+++ b/cab.c
@ -0,0 +1,930 @@
+/*
+ * CAB file support library
+ *
+ * Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ *
+ * Reference specifications:
+ * https://www.file-recovery.com/cab-signature-format.htm
+ * https://learn.microsoft.com/en-us/previous-versions/ms974336(v=msdn.10)
+ */
+
+#include "osslsigncode.h"
+#include "helpers.h"
+
+/*
+ * FLAG_PREV_CABINET is set if the cabinet file is not the first in a set
+ * of cabinet files. When this bit is set, the szCabinetPrev and szDiskPrev
+ * fields are present in this CFHEADER.
+ */
+#define FLAG_PREV_CABINET 0x0001
+/*
+ * FLAG_NEXT_CABINET is set if the cabinet file is not the last in a set of
+ * cabinet files. When this bit is set, the szCabinetNext and szDiskNext
+* fields are present in this CFHEADER.
+*/
+#define FLAG_NEXT_CABINET 0x0002
+/*
+ * FLAG_RESERVE_PRESENT is set if the cabinet file contains any reserved
+ * fields. When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData
+ * fields are present in this CFHEADER.
+ */
+#define FLAG_RESERVE_PRESENT 0x0004
+
+
+struct cab_ctx_st {
+    uint32_t header_size;
+    uint32_t sigpos;
+    uint32_t siglen;
+    uint32_t fileend;
+    uint16_t flags;
+};
+
+/* FILE_FORMAT method prototypes */
+static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
+static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
+static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached);
+static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md);
+static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7);
+static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx);
+static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
+static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
+static BIO *cab_bio_free(BIO *hash, BIO *outdata);
+static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+
+FILE_FORMAT file_format_cab = {
+    .ctx_new = cab_ctx_new,
+    .data_blob_get = cab_obsolete_link_get,
+    .check_file = cab_check_file,
+    .digest_calc = cab_digest_calc,
+    .verify_digests = cab_verify_digests,
+    .pkcs7_extract = cab_pkcs7_extract,
+    .remove_pkcs7 = cab_remove_pkcs7,
+    .pkcs7_prepare = cab_pkcs7_prepare,
+    .append_pkcs7 = cab_append_pkcs7,
+    .update_data_size = cab_update_data_size,
+    .bio_free = cab_bio_free,
+    .ctx_cleanup = cab_ctx_cleanup
+};
+
+/* Prototypes */
+static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize);
+static int cab_add_jp_attribute(PKCS7 *p7, int jp);
+static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t len, uint16_t flags);
+static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+
+/*
+ * FILE_FORMAT method definitions
+ */
+
+/*
+ * Allocate and return a CAB file format context.
+ * [in, out] options: structure holds the input data
+ * [out] hash: message digest BIO
+ * [in] outdata: outdata file BIO
+ * [returns] pointer to CAB file format context
+ */
+static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata)
+{
+    FILE_FORMAT_CTX *ctx;
+    CAB_CTX *cab_ctx;
+    uint32_t filesize;
+
+    filesize = get_file_size(options->infile);
+    if (filesize == 0)
+        return NULL; /* FAILED */
+
+    options->indata = map_file(options->infile, filesize);
+    if (!options->indata) {
+        return NULL; /* FAILED */
+    }
+    if (memcmp(options->indata, "MSCF", 4)) {
+        unmap_file(options->infile, filesize);
+        return NULL; /* FAILED */
+    }
+    cab_ctx = cab_ctx_get(options->indata, filesize);
+    if (!cab_ctx) {
+        unmap_file(options->infile, filesize);
+        return NULL; /* FAILED */
+    }
+    ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX));
+    ctx->format = &file_format_cab;
+    ctx->options = options;
+    ctx->cab_ctx = cab_ctx;
+
+    /* Push hash on outdata, if hash is NULL the function does nothing */
+    BIO_push(hash, outdata);
+
+    if (options->pagehash == 1)
+        printf("Warning: -ph option is only valid for PE files\n");
+    if (options->add_msi_dse == 1)
+        printf("Warning: -add-msi-dse option is only valid for MSI files\n");
+    return ctx;
+}
+
+/*
+ * Allocate and return SpcLink object.
+ * [out] p: SpcLink data
+ * [out] plen: SpcLink data length
+ * [in] ctx: structure holds input and output data (unused)
+ * [returns] pointer to ASN1_OBJECT structure corresponding to SPC_CAB_DATA_OBJID
+ */
+static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx)
+{
+    ASN1_OBJECT *dtype;
+    SpcLink *link = spc_link_obsolete_get();
+
+    /* squash the unused parameter warning */
+    (void)ctx;
+
+    *plen = i2d_SpcLink(link, NULL);
+    *p = OPENSSL_malloc((size_t)*plen);
+    i2d_SpcLink(link, p);
+    *p -= *plen;
+    dtype = OBJ_txt2obj(SPC_CAB_DATA_OBJID, 1);
+    SpcLink_free(link);
+    return dtype; /* OK */
+}
+
+/*
+ * Check if the signature exists.
+ * [in, out] ctx: structure holds input and output data
+ * [in] detached: embedded/detached PKCS#7 signature switch
+ * [returns] 0 on error or 1 on success
+ */
+static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached)
+{
+    if (!ctx) {
+        printf("Init error\n\n");
+        return 0; /* FAILED */
+    }
+    if (detached) {
+        printf("Checking the specified catalog file\n\n");
+        return 1; /* OK */
+    }
+    if (ctx->cab_ctx->header_size != 20) {
+        printf("No signature found\n\n");
+        return 0; /* FAILED */
+    }
+    if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0
+        || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) {
+        printf("No signature found\n\n");
+        return 0; /* FAILED */
+    }
+    return 1; /* OK */
+}
+
+/*
+ * Compute a message digest value of the signed or unsigned CAB file.
+ * [in] ctx: structure holds input and output data
+ * [in] md: message digest algorithm
+ * [returns] pointer to calculated message digest
+ */
+static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md)
+{
+    uint32_t idx, fileend, coffFiles;
+    u_char *mdbuf = NULL;
+    BIO *bhash = BIO_new(BIO_f_md());
+
+    if (!BIO_set_md(bhash, md)) {
+        printf("Unable to set the message digest of BIO\n");
+        BIO_free_all(bhash);
+        return 0;  /* FAILED */
+    }
+    BIO_push(bhash, BIO_new(BIO_s_null()));
+
+    /* u1 signature[4] 4643534D MSCF: 0-3 */
+    BIO_write(bhash, ctx->options->indata, 4);
+    /* u4 reserved1 00000000: 4-7 skipped */
+    if (ctx->cab_ctx->sigpos) {
+        uint16_t nfolders, flags;
+
+        /*
+         * u4 cbCabinet - size of this cabinet file in bytes: 8-11
+         * u4 reserved2 00000000: 12-15
+         */
+        BIO_write(bhash, ctx->options->indata + 8, 8);
+         /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
+        coffFiles = GET_UINT32_LE(ctx->options->indata + 16);
+        BIO_write(bhash, ctx->options->indata + 16, 4);
+        /*
+         * u4 reserved3 00000000: 20-23
+         * u1 versionMinor 03: 24
+         * u1 versionMajor 01: 25
+         */
+        BIO_write(bhash, ctx->options->indata + 20, 6);
+        /* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 */
+        nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+        BIO_write(bhash, ctx->options->indata + 26, 2);
+        /* u2 cFiles - number of CFFILE entries in this cabinet: 28-29 */
+        BIO_write(bhash, ctx->options->indata + 28, 2);
+        /* u2 flags: 30-31 */
+        flags = GET_UINT16_LE(ctx->options->indata + 30);
+        BIO_write(bhash, ctx->options->indata + 30, 2);
+        /* u2 setID must be the same for all cabinets in a set: 32-33 */
+        BIO_write(bhash, ctx->options->indata + 32, 2);
+        /*
+        * u2 iCabinet - number of this cabinet file in a set: 34-35 skipped
+        * u2 cbCFHeader: 36-37 skipped
+        * u1 cbCFFolder: 38 skipped
+        * u1 cbCFData: 39 skipped
+        * u22 abReserve: 40-55 skipped
+        * - Additional data offset: 44-47 skipped
+        * - Additional data size: 48-51 skipped
+        */
+        /* u22 abReserve: 56-59 */
+        BIO_write(bhash, ctx->options->indata + 56, 4);
+        idx = 60;
+        fileend = ctx->cab_ctx->sigpos;
+        /* TODO */
+        if (flags & FLAG_PREV_CABINET) {
+            uint8_t byte;
+            /* szCabinetPrev */
+            do {
+                byte = GET_UINT8_LE(ctx->options->indata + idx);
+                BIO_write(bhash, ctx->options->indata + idx, 1);
+                idx++;
+            } while (byte && idx < fileend);
+            /* szDiskPrev */
+            do {
+                byte = GET_UINT8_LE(ctx->options->indata + idx);
+                BIO_write(bhash, ctx->options->indata + idx, 1);
+                idx++;
+            } while (byte && idx < fileend);
+        }
+        if (flags & FLAG_NEXT_CABINET) {
+            uint8_t byte;
+            /* szCabinetNext */
+            do {
+                byte = GET_UINT8_LE(ctx->options->indata + idx);
+                BIO_write(bhash, ctx->options->indata + idx, 1);
+                idx++;
+            } while (byte && idx < fileend);
+            /* szDiskNext */
+            do {
+                byte = GET_UINT8_LE(ctx->options->indata + idx);
+                BIO_write(bhash, ctx->options->indata + idx, 1);
+                idx++;
+            } while (byte && idx < fileend);
+        }
+        /*
+         * (u8 * cFolders) CFFOLDER - structure contains information about
+         * one of the folders or partial folders stored in this cabinet file
+         */
+        while (nfolders && idx < fileend) {
+            BIO_write(bhash, ctx->options->indata + idx, 8);
+            idx += 8;
+            nfolders--;
+        }
+        if (idx != coffFiles) {
+            printf("Corrupt coffFiles value: 0x%08X\n", coffFiles);
+            BIO_free_all(bhash);
+            return 0;  /* FAILED */
+        }
+    } else {
+        /* read what's left of the unsigned CAB file */
+        idx = 8;
+        fileend = ctx->cab_ctx->fileend;
+    }
+    /* (variable) ab - the compressed data bytes */
+    if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) {
+        printf("Unable to calculate digest\n");
+        BIO_free_all(bhash);
+        return 0;  /* FAILED */
+    }
+    mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md));
+    BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md));
+    BIO_free_all(bhash);
+    return mdbuf; /* OK */
+}
+
+/*
+ * Calculate message digest and compare to value retrieved from PKCS#7 signedData.
+ * [in] ctx: structure holds input and output data
+ * [in] p7: PKCS#7 signature
+ * [returns] 0 on error or 1 on success
+ */
+static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
+{
+    int mdtype = -1;
+    const EVP_MD *md;
+    u_char mdbuf[EVP_MAX_MD_SIZE];
+    u_char *cmdbuf;
+
+    if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) {
+        ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence;
+        const u_char *p = content_val->data;
+        SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
+        if (idc) {
+            if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
+                mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+                memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
+            }
+            SpcIndirectDataContent_free(idc);
+        }
+    }
+    if (mdtype == -1) {
+        printf("Failed to extract current message digest\n\n");
+        return 0; /* FAILED */
+    }
+    md = EVP_get_digestbynid(mdtype);
+    cmdbuf = cab_digest_calc(ctx, md);
+    if (!cmdbuf) {
+        printf("Failed to calculate message digest\n\n");
+        return 0; /* FAILED */
+    }
+    if (!compare_digests(mdbuf, cmdbuf, mdtype)) {
+        printf("Signature verification: failed\n\n");
+        OPENSSL_free(cmdbuf);
+        return 0; /* FAILED */
+    }
+    OPENSSL_free(cmdbuf);
+    return 1; /* OK */
+}
+
+/*
+ * Extract existing signature in DER format.
+ * [in] ctx: structure holds input and output data
+ * pointer to PKCS#7 structure
+ */
+static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx)
+{
+    if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0
+        || ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) {
+        return NULL; /* FAILED */
+    }
+    return pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen);
+}
+
+/*
+ * Remove existing signature.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO (unused)
+ * [out] outdata: outdata file BIO
+ * [returns] 1 on error or 0 on success
+ */
+static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    size_t i, written, len;
+    uint32_t tmp;
+    uint16_t nfolders, flags;
+    char *buf = OPENSSL_malloc(SIZE_64K);
+
+    /* squash the unused parameter warning */
+    (void)hash;
+
+    /*
+     * u1 signature[4] 4643534D MSCF: 0-3
+     * u4 reserved1 00000000: 4-7
+     */
+    BIO_write(outdata, ctx->options->indata, 8);
+    /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
+    tmp = GET_UINT32_LE(ctx->options->indata + 8) - 24;
+    PUT_UINT32_LE(tmp, buf);
+    BIO_write(outdata, buf, 4);
+    /* u4 reserved2 00000000: 12-15 */
+    BIO_write(outdata, ctx->options->indata + 12, 4);
+    /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
+    tmp = GET_UINT32_LE(ctx->options->indata + 16) - 24;
+    PUT_UINT32_LE(tmp, buf);
+    BIO_write(outdata, buf, 4);
+    /*
+     * u4 reserved3 00000000: 20-23
+     * u1 versionMinor 03: 24
+     * u1 versionMajor 01: 25
+     * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
+     * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
+     */
+    BIO_write(outdata, ctx->options->indata + 20, 10);
+    /* u2 flags: 30-31 */
+    flags = GET_UINT16_LE(ctx->options->indata + 30);
+    /* coverity[result_independent_of_operands] only least significant byte is affected */
+    PUT_UINT16_LE(flags & (FLAG_PREV_CABINET | FLAG_NEXT_CABINET), buf);
+    BIO_write(outdata, buf, 2);
+    /*
+     * u2 setID must be the same for all cabinets in a set: 32-33
+     * u2 iCabinet - number of this cabinet file in a set: 34-35
+     */
+    BIO_write(outdata, ctx->options->indata + 32, 4);
+    i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+    /*
+     * (u8 * cFolders) CFFOLDER - structure contains information about
+     * one of the folders or partial folders stored in this cabinet file
+     */
+    nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+    while (nfolders) {
+        tmp = GET_UINT32_LE(ctx->options->indata + i);
+        tmp -= 24;
+        PUT_UINT32_LE(tmp, buf);
+        BIO_write(outdata, buf, 4);
+        BIO_write(outdata, ctx->options->indata + i + 4, 4);
+        i+=8;
+        nfolders--;
+    }
+    OPENSSL_free(buf);
+    /* Write what's left - the compressed data bytes */
+    len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - i;
+    while (len > 0) {
+        if (!BIO_write_ex(outdata, ctx->options->indata + i, len, &written))
+            return 1; /* FAILED */
+        len -= written;
+        i += written;
+    }
+    return 0; /* OK */
+}
+
+/*
+ * Obtain an existing signature or create a new one.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO
+ * [out] outdata: outdata file BIO
+ * [returns] pointer to PKCS#7 structure
+ */
+static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    PKCS7 *cursig = NULL, *p7 = NULL;
+
+    /* Strip current signature and modify header */
+    if (ctx->cab_ctx->header_size == 20) {
+        if (!cab_modify_header(ctx, hash, outdata))
+            return NULL; /* FAILED */
+    } else {
+        if (!cab_add_header(ctx, hash, outdata))
+            return NULL; /* FAILED */
+    }
+    /* Obtain a current signature from previously-signed file */
+    if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest)
+        || (ctx->options->cmd == CMD_ATTACH && ctx->options->nest)
+        || ctx->options->cmd == CMD_ADD) {
+        cursig = pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen);
+        if (!cursig) {
+            printf("Unable to extract existing signature\n");
+            return NULL; /* FAILED */
+        }
+        if (ctx->options->cmd == CMD_ADD)
+            p7 = cursig;
+    }
+    if (ctx->options->cmd == CMD_ATTACH) {
+        /* Obtain an existing PKCS#7 signature */
+        p7 = pkcs7_get_sigfile(ctx);
+        if (!p7) {
+            printf("Unable to extract valid signature\n");
+            PKCS7_free(cursig);
+            return NULL; /* FAILED */
+        }
+    } else if (ctx->options->cmd == CMD_SIGN) {
+        /* Create a new PKCS#7 signature */
+        p7 = pkcs7_create(ctx);
+        if (!p7) {
+            printf("Creating a new signature failed\n");
+            return NULL; /* FAILED */
+        }
+        if (ctx->options->jp >= 0 && !cab_add_jp_attribute(p7, ctx->options->jp)) {
+            printf("Adding jp attribute failed\n");
+            PKCS7_free(p7);
+            return NULL; /* FAILED */
+        }
+        if (!add_indirect_data_object(p7, hash, ctx)) {
+            printf("Adding SPC_INDIRECT_DATA_OBJID failed\n");
+            PKCS7_free(p7);
+            return NULL; /* FAILED */
+        }
+    }
+    if (ctx->options->nest)
+        ctx->options->prevsig = cursig;
+    return p7;
+}
+
+/*
+ * Append signature to the outfile.
+ * [in, out] ctx: structure holds input and output data (unused)
+ * [out] outdata: outdata file BIO
+ * [in] p7: PKCS#7 signature
+ * [returns] 1 on error or 0 on success
+ */
+static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
+{
+    u_char *p = NULL;
+    int len;       /* signature length */
+    int padlen;    /* signature padding length */
+
+    /* squash the unused parameter warning */
+    (void)ctx;
+
+    if (((len = i2d_PKCS7(p7, NULL)) <= 0)
+        || (p = OPENSSL_malloc((size_t)len)) == NULL) {
+        printf("i2d_PKCS memory allocation failed: %d\n", len);
+        return 1; /* FAILED */
+    }
+    i2d_PKCS7(p7, &p);
+    p -= len;
+    padlen = len % 8 ? 8 - len % 8 : 0;
+    BIO_write(outdata, p, len);
+    /* pad (with 0's) asn1 blob to 8 byte boundary */
+    if (padlen > 0) {
+        memset(p, 0, (size_t)padlen);
+        BIO_write(outdata, p, padlen);
+    }
+    OPENSSL_free(p);
+    return 0; /* OK */
+}
+
+/*
+ * Update additional data size.
+ * Additional data size is located at offset 0x30 (from file beginning)
+ * and consist of 4 bytes (little-endian order).
+ * [in, out] ctx: structure holds input and output data
+ * [out] outdata: outdata file BIO
+ * [in] p7: PKCS#7 signature
+ * [returns] none
+ */
+static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
+{
+    int len, padlen;
+    u_char buf[] = {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+
+    /* squash the unused parameter warning */
+    (void)ctx;
+
+    if (!p7) {
+        /* CMD_REMOVE
+         * additional header does not exist so additional data size is unused */
+        return;
+    }
+    (void)BIO_seek(outdata, 0x30);
+    len = i2d_PKCS7(p7, NULL);
+    padlen = len % 8 ? 8 - len % 8 : 0;
+    PUT_UINT32_LE(len + padlen, buf);
+    BIO_write(outdata, buf, 4);
+}
+
+/*
+ * Free up an entire message digest BIO chain.
+ * [out] hash: message digest BIO
+ * [out] outdata: outdata file BIO (unused)
+ * [returns] none
+ */
+static BIO *cab_bio_free(BIO *hash, BIO *outdata)
+{
+    /* squash the unused parameter warning */
+    (void)outdata;
+
+    BIO_free_all(hash);
+    return NULL;
+}
+
+/*
+ * Deallocate a FILE_FORMAT_CTX structure and CAB format specific structure,
+ * unmap indata file, unlink outfile.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO
+ * [in] outdata: outdata file BIO
+ * [returns] none
+ */
+static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    if (outdata) {
+        BIO_free_all(hash);
+        if (ctx->options->outfile) {
+#ifdef WIN32
+            _unlink(ctx->options->outfile);
+#else
+            unlink(ctx->options->outfile);
+#endif /* WIN32 */
+        }
+    }
+    unmap_file(ctx->options->indata, ctx->cab_ctx->fileend);
+    OPENSSL_free(ctx->cab_ctx);
+    OPENSSL_free(ctx);
+}
+
+/*
+ * CAB helper functions
+ */
+
+/*
+ * Verify mapped CAB file and create CAB format specific structure.
+ * [in] indata: mapped CAB file
+ * [in] filesize: size of CAB file
+ * [returns] pointer to CAB format specific structure
+ */
+static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize)
+{
+    CAB_CTX *cab_ctx;
+    uint32_t reserved, header_size = 0, sigpos = 0, siglen = 0;
+    uint16_t flags;
+
+    if (filesize < 44) {
+        printf("CAB file is too short\n");
+        return NULL; /* FAILED */
+    }
+    reserved = GET_UINT32_LE(indata + 4);
+    if (reserved) {
+        printf("Reserved1: 0x%08X\n", reserved);
+        return NULL; /* FAILED */
+    }
+    /* flags specify bit-mapped values that indicate the presence of optional data */
+    flags = GET_UINT16_LE(indata + 30);
+    if (flags & FLAG_PREV_CABINET) {
+        /* FLAG_NEXT_CABINET works */
+        printf("Multivolume cabinet file is unsupported: flags 0x%04X\n", flags);
+        return NULL; /* FAILED */
+    }
+    if (flags & FLAG_RESERVE_PRESENT) {
+        /*
+        * Additional headers is located at offset 36 (cbCFHeader, cbCFFolder, cbCFData);
+        * size of header (4 bytes, little-endian order) must be 20 (checkpoint).
+        */
+        header_size = GET_UINT32_LE(indata + 36);
+        if (header_size != 20) {
+            printf("Additional header size: 0x%08X\n", header_size);
+            return NULL; /* FAILED */
+        }
+        reserved = GET_UINT32_LE(indata + 40);
+        if (reserved != 0x00100000) {
+            printf("abReserved: 0x%08X\n", reserved);
+            return NULL; /* FAILED */
+        }
+        /*
+        * File size is defined at offset 8, however if additional header exists, this size is not valid.
+        * sigpos - additional data offset is located at offset 44 (from file beginning)
+        * and consist of 4 bytes (little-endian order)
+        * siglen - additional data size is located at offset 48 (from file beginning)
+        * and consist of 4 bytes (little-endian order)
+        * If there are additional headers, size of the CAB archive file is calcualted
+        * as additional data offset plus additional data size.
+        */
+        sigpos = GET_UINT32_LE(indata + 44);
+        siglen = GET_UINT32_LE(indata + 48);
+        if ((sigpos < filesize && sigpos + siglen != filesize) || (sigpos >= filesize)) {
+            printf("Additional data offset:\t%u bytes\nAdditional data size:\t%u bytes\n",
+                sigpos, siglen);
+            printf("File size:\t\t%u bytes\n", filesize);
+            return NULL; /* FAILED */
+        }
+        if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) {
+            printf("Corrupt signature\n");
+            return NULL; /* FAILED */
+        }
+    }
+    cab_ctx = OPENSSL_zalloc(sizeof(CAB_CTX));
+    cab_ctx->header_size = header_size;
+    cab_ctx->sigpos = sigpos;
+    cab_ctx->siglen = siglen;
+    cab_ctx->fileend = filesize;
+    cab_ctx->flags = flags;
+    return cab_ctx; /* OK */
+}
+
+/*
+ * Add level of permissions in Microsoft Internet Explorer 4.x for CAB files,
+ * only low level is supported.
+ * [in, out] p7: PKCS#7 signature
+ * [in] jp: low (0) level
+ * [returns] 0 on error or 1 on success
+ */
+static int cab_add_jp_attribute(PKCS7 *p7, int jp)
+{
+    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
+    PKCS7_SIGNER_INFO *si;
+    ASN1_STRING *astr;
+    const u_char *attrs = NULL;
+    const u_char java_attrs_low[] = {
+        0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00
+    };
+
+    signer_info = PKCS7_get_signer_info(p7);
+    if (!signer_info)
+        return 0; /* FAILED */
+    si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
+    if (!si)
+        return 0; /* FAILED */
+    switch (jp) {
+        case 0:
+            attrs = java_attrs_low;
+            break;
+        case 1:
+            /* XXX */
+        case 2:
+            /* XXX */
+        default:
+            break;
+        }
+    if (attrs) {
+        astr = ASN1_STRING_new();
+        ASN1_STRING_set(astr, attrs, sizeof java_attrs_low);
+        return PKCS7_add_signed_attribute(si, OBJ_txt2nid(MS_JAVA_SOMETHING),
+                V_ASN1_SEQUENCE, astr);
+    }
+    return 1; /* OK */
+}
+
+/*
+ * Write name of previous and next cabinet file.
+ * Multivolume cabinet file is unsupported TODO.
+ * [out] outdata: outdata file BIO
+ * [in] indata: mapped CAB file
+ * [in] len: offset
+ * [in] flags: FLAG_PREV_CABINET, FLAG_NEXT_CABINET
+ * [returns] offset
+ */
+static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t i, uint16_t flags)
+{
+    if (flags & FLAG_PREV_CABINET) {
+        /* szCabinetPrev */
+        while (GET_UINT8_LE(indata + i)) {
+            BIO_write(outdata, indata + i, 1);
+            i++;
+        }
+        BIO_write(outdata, indata + i, 1);
+        i++;
+        /* szDiskPrev */
+        while (GET_UINT8_LE(indata + i)) {
+            BIO_write(outdata, indata + i, 1);
+            i++;
+        }
+        BIO_write(outdata, indata + i, 1);
+        i++;
+    }
+    if (flags & FLAG_NEXT_CABINET) {
+        /* szCabinetNext */
+        while (GET_UINT8_LE(indata + i)) {
+            BIO_write(outdata, indata + i, 1);
+            i++;
+        }
+        BIO_write(outdata, indata + i, 1);
+        i++;
+        /* szDiskNext */
+        while (GET_UINT8_LE(indata + i)) {
+            BIO_write(outdata, indata + i, 1);
+            i++;
+        }
+        BIO_write(outdata, indata + i, 1);
+        i++;
+    }
+    return i;
+}
+
+/*
+ * Modify CAB header.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO
+ * [out] outdata: outdata file BIO
+ * [returns] 0 on error or 1 on success
+ */
+static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    size_t i, written, len;
+    uint16_t nfolders, flags;
+    u_char buf[] = {0x00, 0x00};
+
+    /* u1 signature[4] 4643534D MSCF: 0-3 */
+    BIO_write(hash, ctx->options->indata, 4);
+    /* u4 reserved1 00000000: 4-7 */
+    BIO_write(outdata, ctx->options->indata + 4, 4);
+    /*
+     * u4 cbCabinet - size of this cabinet file in bytes: 8-11
+     * u4 reserved2 00000000: 12-15
+     * u4 coffFiles - offset of the first CFFILE entry: 16-19
+     * u4 reserved3 00000000: 20-23
+     * u1 versionMinor 03: 24
+     * u1 versionMajor 01: 25
+     * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
+     * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
+     */
+    BIO_write(hash, ctx->options->indata + 8, 22);
+    /* u2 flags: 30-31 */
+    flags = GET_UINT16_LE(ctx->options->indata + 30);
+    PUT_UINT16_LE(flags, buf);
+    BIO_write(hash, buf, 2);
+    /* u2 setID must be the same for all cabinets in a set: 32-33 */
+    BIO_write(hash, ctx->options->indata + 32, 2);
+    /*
+     * u2 iCabinet - number of this cabinet file in a set: 34-35
+     * u2 cbCFHeader: 36-37
+     * u1 cbCFFolder: 38
+     * u1 cbCFData: 39
+     * u16 abReserve: 40-55
+     * - Additional data offset: 44-47
+     * - Additional data size: 48-51
+     */
+    BIO_write(outdata, ctx->options->indata + 34, 22);
+    /* u4 abReserve: 56-59 */
+    BIO_write(hash, ctx->options->indata + 56, 4);
+
+    i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+    /*
+     * (u8 * cFolders) CFFOLDER - structure contains information about
+     * one of the folders or partial folders stored in this cabinet file
+     */
+    nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+    while (nfolders) {
+        BIO_write(hash, ctx->options->indata + i, 8);
+        i += 8;
+        nfolders--;
+    }
+    /* Write what's left - the compressed data bytes */
+    len = ctx->cab_ctx->sigpos - i;
+    while (len > 0) {
+        if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
+            return 0; /* FAILED */
+        len -= written;
+        i += written;
+    }
+    return 1; /* OK */
+}
+
+/*
+ * Add signed CAB header.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO
+ * [out] outdata: outdata file BIO
+ * [returns] 0 on error or 1 on success
+ */
+static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    size_t i, written, len;
+    uint32_t tmp;
+    uint16_t nfolders, flags;
+    u_char cabsigned[] = {
+        0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
+        0xde, 0xad, 0xbe, 0xef, /* size of cab file */
+        0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    char *buf = OPENSSL_malloc(SIZE_64K);
+    memset(buf, 0, SIZE_64K);
+
+    /* u1 signature[4] 4643534D MSCF: 0-3 */
+    BIO_write(hash, ctx->options->indata, 4);
+    /* u4 reserved1 00000000: 4-7 */
+    BIO_write(outdata, ctx->options->indata + 4, 4);
+    /* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
+    tmp = GET_UINT32_LE(ctx->options->indata + 8) + 24;
+    PUT_UINT32_LE(tmp, buf);
+    BIO_write(hash, buf, 4);
+    /* u4 reserved2 00000000: 12-15 */
+    BIO_write(hash, ctx->options->indata + 12, 4);
+    /* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
+    tmp = GET_UINT32_LE(ctx->options->indata + 16) + 24;
+    PUT_UINT32_LE(tmp, buf + 4);
+    BIO_write(hash, buf + 4, 4);
+    /*
+     * u4 reserved3 00000000: 20-23
+     * u1 versionMinor 03: 24
+     * u1 versionMajor 01: 25
+     * u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
+     * u2 cFiles - number of CFFILE entries in this cabinet: 28-29
+     */
+    memcpy(buf + 4, ctx->options->indata + 20, 10);
+    flags = GET_UINT16_LE(ctx->options->indata + 30);
+    buf[4+10] = (char)flags | FLAG_RESERVE_PRESENT;
+    /* u2 setID must be the same for all cabinets in a set: 32-33 */
+    memcpy(buf + 16, ctx->options->indata + 32, 2);
+    BIO_write(hash, buf + 4, 14);
+    /* u2 iCabinet - number of this cabinet file in a set: 34-35 */
+    BIO_write(outdata, ctx->options->indata + 34, 2);
+    memcpy(cabsigned + 8, buf, 4);
+    BIO_write(outdata, cabsigned, 20);
+    BIO_write(hash, cabsigned+20, 4);
+
+    i = cab_write_optional_names(outdata, ctx->options->indata, 36, flags);
+    /*
+     * (u8 * cFolders) CFFOLDER - structure contains information about
+     * one of the folders or partial folders stored in this cabinet file
+     */
+    nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+    while (nfolders) {
+        tmp += 24;
+        PUT_UINT32_LE(tmp, buf);
+        BIO_write(hash, buf, 4);
+        BIO_write(hash, ctx->options->indata + i + 4, 4);
+        i += 8;
+        nfolders--;
+    }
+    OPENSSL_free(buf);
+    /* Write what's left - the compressed data bytes */
+    len = ctx->cab_ctx->fileend - i;
+    while (len > 0) {
+        if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
+            return 0; /* FAILED */
+        len -= written;
+        i += written;
+    }
+    return 1; /* OK */
+}
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: nil
+End:
+
+  vim: set ts=4 expandtab:
+*/
--- a/cat.c
+++ b/cat.c
@ -0,0 +1,263 @@
+/*
+ * CAT file support library
+ *
+ * Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ *
+ * Catalog files are a bit odd, in that they are only a PKCS7 blob.
+ */
+
+#include "osslsigncode.h"
+#include "helpers.h"
+
+const u_char pkcs7_signed_data[] = {
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+    0x01, 0x07, 0x02,
+};
+
+struct cat_ctx_st {
+    uint32_t sigpos;
+    uint32_t siglen;
+    uint32_t fileend;
+};
+
+/* FILE_FORMAT method prototypes */
+static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
+static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx);
+static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
+static BIO *cat_bio_free(BIO *hash, BIO *outdata);
+static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+
+FILE_FORMAT file_format_cat = {
+    .ctx_new = cat_ctx_new,
+    .pkcs7_extract = cat_pkcs7_extract,
+    .pkcs7_prepare = cat_pkcs7_prepare,
+    .append_pkcs7 = cat_append_pkcs7,
+    .bio_free = cat_bio_free,
+    .ctx_cleanup = cat_ctx_cleanup,
+};
+
+/* Prototypes */
+static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize);
+
+/*
+ * FILE_FORMAT method definitions
+ */
+
+/*
+ * Allocate and return a CAT file format context.
+ * [in, out] options: structure holds the input data
+ * [out] hash: message digest BIO (unused)
+ * [in] outdata: outdata file BIO (unused)
+ * [returns] pointer to CAT file format context
+ */
+static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata)
+{
+    FILE_FORMAT_CTX *ctx;
+    CAT_CTX *cat_ctx;
+    uint32_t filesize;
+
+    /* squash unused parameter warnings */
+    (void)outdata;
+    (void)hash;
+
+    if (options->cmd == CMD_REMOVE || options->cmd==CMD_ATTACH) {
+        printf("Unsupported command\n");
+        return NULL; /* FAILED */
+    }
+    if (options->cmd == CMD_VERIFY) {
+        printf("Use -catalog option\n");
+        return NULL; /* FAILED */
+    }
+    filesize = get_file_size(options->infile);
+    if (filesize == 0)
+        return NULL; /* FAILED */
+
+    options->indata = map_file(options->infile, filesize);
+    if (!options->indata) {
+        return NULL; /* FAILED */
+    }
+    /* the maximum size of a supported cat file is (2^24 -1) bytes */
+    if (memcmp(options->indata + ((GET_UINT8_LE(options->indata+1) == 0x82) ? 4 : 5),
+            pkcs7_signed_data, sizeof pkcs7_signed_data)) {
+        unmap_file(options->infile, filesize);
+        return NULL; /* FAILED */
+    }
+    cat_ctx = cat_ctx_get(options->indata, filesize);
+    if (!cat_ctx) {
+        unmap_file(options->infile, filesize);
+        return NULL; /* FAILED */
+    }
+    ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX));
+    ctx->format = &file_format_cat;
+    ctx->options = options;
+    ctx->cat_ctx = cat_ctx;
+
+    /* Push hash on outdata, if hash is NULL the function does nothing */
+    BIO_push(hash, outdata);
+
+    if (options->nest)
+        /* I've not tried using set_nested_signature as signtool won't do this */
+        printf("Warning: CAT files do not support nesting\n");
+    if (options->jp >= 0)
+        printf("Warning: -jp option is only valid for CAB files\n");
+    if (options->pagehash == 1)
+        printf("Warning: -ph option is only valid for PE files\n");
+    if (options->add_msi_dse == 1)
+        printf("Warning: -add-msi-dse option is only valid for MSI files\n");
+    return ctx;
+}
+
+/*
+ * Extract existing signature in DER format.
+ * [in] ctx: structure holds input and output data
+ * [returns] pointer to PKCS#7 structure
+ */
+static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx)
+{
+    return pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen);
+}
+
+/*
+ * Obtain an existing signature or create a new one.
+ * [in, out] ctx: structure holds input and output data
+ * [out] hash: message digest BIO (unused)
+ * [out] outdata: outdata file BIO (unused)
+ * [returns] pointer to PKCS#7 structure
+ */
+static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    PKCS7 *cursig = NULL, *p7 = NULL;
+
+    /* squash unused parameter warnings */
+    (void)outdata;
+    (void)hash;
+
+    /* Obtain an existing signature */
+    cursig = pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen);
+    if (!cursig) {
+        printf("Unable to extract existing signature\n");
+        return NULL; /* FAILED */
+    }
+    if (ctx->options->cmd == CMD_ADD || ctx->options->cmd == CMD_ATTACH) {
+        p7 = cursig;
+    } else if (ctx->options->cmd == CMD_SIGN) {
+        /* Create a new signature */
+        p7 = pkcs7_create(ctx);
+        if (!p7) {
+            printf("Creating a new signature failed\n");
+            PKCS7_free(cursig);
+            return NULL; /* FAILED */
+        }
+        if (!add_ms_ctl_object(p7, cursig)) {
+            printf("Adding MS_CTL_OBJID failed\n");
+            PKCS7_free(p7);
+            PKCS7_free(cursig);
+            return NULL; /* FAILED */
+        }
+        PKCS7_free(cursig);
+    }
+    return p7; /* OK */
+}
+
+/*
+ * Append signature to the outfile.
+ * [in, out] ctx: structure holds input and output data (unused)
+ * [out] outdata: outdata file BIO
+ * [in] p7: PKCS#7 signature
+ * [returns] 1 on error or 0 on success
+ */
+static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
+{
+    u_char *p = NULL;
+    int len; /* signature length */
+
+    /* squash the unused parameter warning */
+    (void)ctx;
+
+    if (((len = i2d_PKCS7(p7, NULL)) <= 0)
+        || (p = OPENSSL_malloc((size_t)len)) == NULL) {
+        printf("i2d_PKCS memory allocation failed: %d\n", len);
+        return 1; /* FAILED */
+    }
+    i2d_PKCS7(p7, &p);
+    p -= len;
+    i2d_PKCS7_bio(outdata, p7);
+    OPENSSL_free(p);
+    return 0; /* OK */
+}
+
+/*
+ * Free up an entire message digest BIO chain.
+ * [out] hash: message digest BIO
+ * [out] outdata: outdata file BIO (unused)
+ * [returns] none
+ */
+static BIO *cat_bio_free(BIO *hash, BIO *outdata)
+{
+    /* squash the unused parameter warning */
+    (void)outdata;
+
+    BIO_free_all(hash);
+    return NULL;
+}
+
+/*
+ * Deallocate a FILE_FORMAT_CTX structure and CAT format specific structure,
+ * unmap indata file, unlink outfile.
+ * [in, out] ctx: structure holds all input and output data
+ * [out] hash: message digest BIO
+ * [in] outdata: outdata file BIO
+ * [returns] none
+ */
+static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
+{
+    if (outdata) {
+        BIO_free_all(hash);
+        if (ctx->options->outfile) {
+#ifdef WIN32
+            _unlink(ctx->options->outfile);
+#else
+            unlink(ctx->options->outfile);
+#endif /* WIN32 */
+        }
+    }
+    unmap_file(ctx->options->indata, ctx->cat_ctx->fileend);
+    OPENSSL_free(ctx->cat_ctx);
+    OPENSSL_free(ctx);
+}
+
+/*
+ * CAT helper functions
+ */
+
+/*
+ * Verify mapped CAT file TODO and create CAT format specific structure.
+ * [in] indata: mapped CAT file (unused)
+ * [in] filesize: size of CAT file
+ * [returns] pointer to CAT format specific structure
+ */
+static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize)
+{
+    CAT_CTX *cat_ctx;
+
+    /* squash the unused parameter warning */
+    (void)indata;
+
+    cat_ctx = OPENSSL_zalloc(sizeof(CAT_CTX));
+    cat_ctx->sigpos = 0;
+    cat_ctx->siglen = filesize;
+    cat_ctx->fileend = filesize;
+    return cat_ctx; /* OK */
+}
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: nil
+End:
+
+  vim: set ts=4 expandtab:
+*/
--- a/cmake/CMakeDist.cmake
+++ b/cmake/CMakeDist.cmake
@ -0,0 +1,36 @@
+# make dist
+# cmake --build . --target package_source
+
+set(CPACK_PACKAGE_NAME ${PROJECT_NAME})
+set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files")
+set(CPACK_PACKAGE_INSTALL_DIRECTORY ${CPACK_PACKAGE_NAME})
+set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_SOURCE_DIR}/README.md")
+set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/COPYING.txt")
+set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_IGNORE_FILES "\.git/;\.gitignore")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "Makefile")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeCache.txt")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeFiles")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackSourceConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CTestTestfile.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "cmake_install.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "config.h")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/CMakeFiles/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/Testing/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/_CPack_Packages/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/build/")
+
+include(CPack)
+add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source)
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/cmake/CMakeTest.cmake
+++ b/cmake/CMakeTest.cmake
@ -0,0 +1,618 @@
+# make test
+# ctest -C Release
+
+########## Configure ##########
+
+option(STOP_SERVER "Stop HTTP server after tests" ON)
+
+include(FindPython3)
+
+set(TEST_DIR "${PROJECT_BINARY_DIR}/Testing")
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/tests/files"
+    "${CMAKE_CURRENT_SOURCE_DIR}/tests/conf"
+    "${CMAKE_CURRENT_SOURCE_DIR}/tests/client_http.py"
+    DESTINATION "${TEST_DIR}/")
+
+file(MAKE_DIRECTORY "${TEST_DIR}/logs")
+
+set(FILES "${TEST_DIR}/files")
+set(CERTS "${TEST_DIR}/certs")
+set(CONF "${TEST_DIR}/conf")
+set(LOGS "${TEST_DIR}/logs")
+set(CLIENT_HTTP "${TEST_DIR}/client_http.py")
+
+if(UNIX)
+    file(COPY
+        "${CMAKE_CURRENT_SOURCE_DIR}/tests/server_http.py"
+        DESTINATION "${TEST_DIR}/")
+    set(SERVER_HTTP "${TEST_DIR}/server_http.py")
+else(UNIX)
+    file(COPY
+        "${CMAKE_CURRENT_SOURCE_DIR}/tests/server_http.pyw"
+        DESTINATION "${TEST_DIR}/")
+    set(SERVER_HTTP "${TEST_DIR}/server_http.pyw")
+endif(UNIX)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs/ca-bundle.crt"
+    DESTINATION "${CONF}")
+
+if(WIN32 OR APPLE)
+    if(WIN32)
+        message(STATUS "Use pythonw to start HTTP server: \"pythonw.exe Testing\\server_http.pyw\"")
+    else(WIN32)
+        message(STATUS "Use python3 to start HTTP server: \"python3 Testing/server_http.py --port 19254\"")
+    endif(WIN32)
+    set(default_certs 1)
+else(WIN32 OR APPLE)
+    if(Python3_FOUND)
+        if(EXISTS ${LOGS}/port.log)
+            # Stop HTTP server if running
+            message(STATUS "Try to kill HTTP server")
+            execute_process(
+                COMMAND ${Python3_EXECUTABLE} "${CLIENT_HTTP}"
+                WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+                OUTPUT_VARIABLE client_output
+                RESULT_VARIABLE client_result)
+            if(NOT client_result)
+                # Successfully closed
+                message(STATUS "${client_output}")
+            endif(NOT client_result)
+        endif(EXISTS ${LOGS}/port.log)
+
+        # Start Time Stamping Authority and CRL distribution point HTTP server
+        execute_process(
+            COMMAND ${Python3_EXECUTABLE} "${SERVER_HTTP}"
+            WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
+            OUTPUT_FILE ${LOGS}/server.log
+            ERROR_FILE ${LOGS}/server.log
+            RESULT_VARIABLE server_error)
+        if(server_error)
+            message(STATUS "HTTP server failed: ${server_error}")
+        else(server_error)
+            # Check if file exists and is no-empty
+            while(NOT EXISTS ${LOGS}/port.log)
+                execute_process(COMMAND sleep 1)
+            endwhile(NOT EXISTS ${LOGS}/port.log)
+            file(READ ${LOGS}/port.log PORT)
+            while(NOT PORT)
+                execute_process(COMMAND sleep 1)
+                file(READ ${LOGS}/port.log PORT)
+            endwhile(NOT PORT)
+            file(STRINGS ${LOGS}/server.log server_log)
+            message(STATUS "${server_log}")
+
+            # Generate new cTest certificates
+            if(NOT SED_EXECUTABLE)
+                find_program(SED_EXECUTABLE sed)
+                mark_as_advanced(SED_EXECUTABLE)
+            endif(NOT SED_EXECUTABLE)
+            execute_process(
+                COMMAND ${SED_EXECUTABLE}
+                    -i.bak s/:19254/:${PORT}/ "${CONF}/openssl_intermediate_crldp.cnf"
+                COMMAND ${SED_EXECUTABLE}
+                    -i.bak s/:19254/:${PORT}/ "${CONF}/openssl_tsa_root.cnf")
+            execute_process(
+                COMMAND "${CONF}/makecerts.sh"
+                WORKING_DIRECTORY ${CONF}
+                OUTPUT_VARIABLE makecerts_output
+                RESULT_VARIABLE default_certs)
+            message(STATUS "${makecerts_output}")
+        endif(server_error)
+    endif(Python3_FOUND)
+
+endif(WIN32 OR APPLE)
+
+# Copy the set of default certificates
+if(default_certs)
+    message(STATUS "Default certificates used by cTest")
+    set(PORT 19254)
+    file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs"
+        DESTINATION "${TEST_DIR}")
+endif(default_certs)
+
+# Compute a SHA256 hash of the leaf certificate (in DER form)
+execute_process(
+    COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der"
+    OUTPUT_VARIABLE sha256sum)
+string(SUBSTRING ${sha256sum} 0 64 leafhash)
+
+
+########## Testing ##########
+
+enable_testing()
+
+set(extensions_4 "exe" "ex_" "msi" "cat")
+set(extensions_3 "exe" "ex_" "msi")
+
+# Test 1
+# Print osslsigncode version
+add_test(NAME version
+    COMMAND osslsigncode --version)
+
+### Sign ###
+
+# Tests 2-5
+# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
+foreach(ext ${extensions_4})
+    add_test(
+        NAME legacy_${ext}
+        COMMAND osslsigncode "sign"
+        "-pkcs12" "${CERTS}/legacy.p12"
+        "-readpass" "${CERTS}/password.txt"
+        "-ac" "${CERTS}/crosscert.pem"
+        "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+        "-add-msi-dse"
+        "-comm"
+        "-ph"
+        "-jp" "low"
+        "-h" "sha512" "-i" "https://www.osslsigncode.com/"
+        "-n" "osslsigncode"
+        "-in" "${FILES}/unsigned.${ext}"
+        "-out" "${FILES}/legacy.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 6-9
+# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
+# Disable legacy mode and don't automatically load the legacy provider
+# Option "-nolegacy" requires OpenSSL 3.0.0 or later
+# This tests are expected to fail
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
+    foreach(ext ${extensions_4})
+        add_test(
+            NAME nolegacy_${ext}
+            COMMAND osslsigncode "sign"
+            "-pkcs12" "${CERTS}/legacy.p12"
+            "-readpass" "${CERTS}/password.txt"
+            "-nolegacy" # Disable legacy mode
+            "-ac" "${CERTS}/crosscert.pem"
+            "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+            "-add-msi-dse"
+            "-comm"
+            "-ph"
+            "-jp" "low"
+            "-h" "sha512" "-i" "https://www.osslsigncode.com/"
+            "-n" "osslsigncode"
+            "-in" "${FILES}/unsigned.${ext}"
+            "-out" "${FILES}/nolegacy.${ext}")
+        set_tests_properties(
+            nolegacy_${ext}
+            PROPERTIES
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_4})
+endif(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
+
+# Tests 10-13
+# Sign with PKCS#12 container with AES-256-CBC private key and certificate encryption algorithm
+foreach(ext ${extensions_4})
+    add_test(
+        NAME signed_${ext}
+        COMMAND osslsigncode "sign"
+        "-pkcs12" "${CERTS}/cert.p12"
+        "-readpass" "${CERTS}/password.txt"
+        "-ac" "${CERTS}/crosscert.pem"
+        "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+        "-add-msi-dse"
+        "-comm"
+        "-ph"
+        "-jp" "low"
+        "-h" "sha512" "-i" "https://www.osslsigncode.com/"
+        "-n" "osslsigncode"
+        "-in" "${FILES}/unsigned.${ext}"
+        "-out" "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 14-17
+# Sign with revoked certificate
+foreach(ext ${extensions_4})
+    add_test(
+        NAME revoked_${ext}
+        COMMAND osslsigncode "sign"
+        "-certs" "${CERTS}/revoked.pem"
+        "-key" "${CERTS}/keyp.pem"
+        "-readpass" "${CERTS}/password.txt"
+        "-ac" "${CERTS}/crosscert.pem"
+        "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+        "-add-msi-dse"
+        "-comm"
+        "-ph"
+        "-jp" "low"
+        "-h" "sha512" "-i" "https://www.osslsigncode.com/"
+        "-n" "osslsigncode"
+        "-in" "${FILES}/unsigned.${ext}"
+        "-out" "${FILES}/revoked.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 18-20
+# Remove signature
+# Unsupported command for CAT files
+foreach(ext ${extensions_3})
+    add_test(
+        NAME removed_${ext}
+        COMMAND osslsigncode "remove-signature"
+        "-in" "${FILES}/signed.${ext}"
+        "-out" "${FILES}/removed.${ext}")
+    set_tests_properties(
+        removed_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_3})
+
+# Tests 21-24
+# Extract PKCS#7 signature in PEM format
+foreach(ext ${extensions_4})
+    add_test(
+        NAME extract_pem_${ext}
+        COMMAND osslsigncode "extract-signature"
+        "-pem" # PEM format
+        "-in" "${FILES}/signed.${ext}"
+        "-out" "${FILES}/${ext}.pem")
+    set_tests_properties(
+        extract_pem_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 25-28
+# Extract PKCS#7 signature in default DER format
+foreach(ext ${extensions_4})
+    add_test(
+        NAME extract_der_${ext}
+        COMMAND osslsigncode "extract-signature"
+        "-in" "${FILES}/signed.${ext}"
+        "-out" "${FILES}/${ext}.der")
+    set_tests_properties(
+        extract_der_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 29-34
+# Attach signature in PEM or DER format
+# Unsupported command for CAT files
+set(formats "pem" "der")
+foreach(ext ${extensions_3})
+    foreach(format ${formats})
+        add_test(
+            NAME attached_${format}_${ext}
+            COMMAND osslsigncode "attach-signature"
+            # sign options
+            "-time" "1567296000" # Signing and signature verification time: Sep  1 00:00:00 2019 GMT
+            "-require-leaf-hash" "SHA256:${leafhash}"
+            "-add-msi-dse"
+            "-h" "sha512"
+            "-nest"
+            "-sigin" "${FILES}/${ext}.${format}"
+            "-in" "${FILES}/signed.${ext}"
+            "-out" "${FILES}/attached_${format}.${ext}"
+            # verify options
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-CRLfile" "${CERTS}/CACertCRL.pem")
+        set_tests_properties(
+            attached_${format}_${ext}
+            PROPERTIES
+            DEPENDS "signed_${ext}:extract_${format}_${ext}"
+            REQUIRED_FILES "${FILES}/signed.${ext}"
+            REQUIRED_FILES "${FILES}/${ext}.${format}")
+    endforeach(format ${formats})
+endforeach(ext ${extensions_3})
+
+# Tests 35-38
+# Add an unauthenticated blob to a previously-signed file
+foreach(ext ${extensions_4})
+    add_test(
+        NAME added_${ext}
+        COMMAND osslsigncode "add"
+        "-addUnauthenticatedBlob"
+        "-add-msi-dse" "-h" "sha512"
+        "-in" "${FILES}/signed.${ext}"
+        "-out" "${FILES}/added.${ext}")
+    set_tests_properties(
+        added_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_4})
+
+# Tests 39-42
+# Add the new nested signature instead of replacing the first one
+foreach(ext ${extensions_4})
+    add_test(
+        NAME nested_${ext}
+        COMMAND osslsigncode "sign"
+        "-nest"
+        "-certs" "${CERTS}/cert.pem"
+        "-key" "${CERTS}/key.der"
+        "-pass" "passme"
+        "-ac" "${CERTS}/crosscert.pem"
+        "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+        "-add-msi-dse"
+        "-comm"
+        "-ph"
+        "-jp" "low"
+        "-h" "sha512"
+        "-i" "https://www.osslsigncode.com/"
+        "-n" "osslsigncode"
+        "-in" "${FILES}/signed.${ext}"
+        "-out" "${FILES}/nested.${ext}")
+    set_tests_properties(
+        nested_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.${ext}")
+endforeach(ext ${extensions_4})
+
+
+### Verify signature ###
+
+# Tests 43-45
+# Verify PE/MSI/CAB files signed in the catalog file
+foreach(ext ${extensions_3})
+    add_test(
+        NAME verify_catalog_${ext}
+        COMMAND osslsigncode "verify"
+        "-catalog" "${FILES}/signed.cat" # catalog file
+        "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+        "-require-leaf-hash" "SHA256:${leafhash}"
+        "-CAfile" "${CERTS}/CACert.pem"
+        "-CRLfile" "${CERTS}/CACertCRL.pem"
+        "-in" "${FILES}/unsigned.${ext}")
+    set_tests_properties(
+        verify_catalog_${ext}
+        PROPERTIES
+        DEPENDS "signed_${ext}"
+        REQUIRED_FILES "${FILES}/signed.cat"
+        REQUIRED_FILES "${FILES}/unsigned.${ext}")
+endforeach(ext ${extensions_3})
+
+# Tests 46-69
+# Verify signature
+set(files "legacy" "signed" "nested" "added" "removed" "revoked" "attached_pem" "attached_der")
+foreach(file ${files})
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_${file}_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-CRLfile" "${CERTS}/CACertCRL.pem"
+            "-in" "${FILES}/${file}.${ext}")
+        set_tests_properties(
+            verify_${file}_${ext}
+            PROPERTIES
+            DEPENDS "${file}_${ext}"
+            REQUIRED_FILES "${FILES}/${file}.${ext}")
+    endforeach(ext ${extensions_3})
+endforeach(file ${files})
+
+# "Removed" and "revoked" tests are expected to fail
+set(files "removed" "revoked")
+foreach(file ${files})
+    foreach(ext ${extensions_3})
+        set_tests_properties(
+            verify_${file}_${ext}
+            PROPERTIES
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_3})
+endforeach(file ${files})
+
+if(Python3_FOUND OR server_error)
+
+### Sign with Time-Stamp Authority ###
+
+    # Tests 70-89
+    # Sign with the RFC3161 Time-Stamp Authority
+    # Use "cert" "expired" "revoked" without X509v3 CRL Distribution Points extension
+    # and "cert_crldp" "revoked_crldp" contain X509v3 CRL Distribution Points extension
+    set(pem_certs "cert" "expired" "revoked" "cert_crldp" "revoked_crldp")
+    foreach(ext ${extensions_4})
+        foreach(cert ${pem_certs})
+            add_test(
+                NAME sign_ts_${cert}_${ext}
+                COMMAND osslsigncode "sign"
+                "-certs" "${CERTS}/${cert}.pem"
+                "-key" "${CERTS}/key.pem"
+                "-ac" "${CERTS}/crosscert.pem"
+                "-comm"
+                "-ph"
+                "-jp" "low"
+                "-h" "sha384"
+                "-i" "https://www.osslsigncode.com/"
+                "-n" "osslsigncode"
+                "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+                "-ts" "http://127.0.0.1:${PORT}"
+                "-in" "${FILES}/unsigned.${ext}"
+                "-out" "${FILES}/ts_${cert}.${ext}")
+            set_tests_properties(
+                sign_ts_${cert}_${ext}
+                PROPERTIES
+                REQUIRED_FILES "${LOGS}/port.log")
+        endforeach(cert ${pem_certs})
+    endforeach(ext ${extensions_4})
+
+
+### Verify Time-Stamp Authority ###
+
+    # Tests 90-92
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_ts_cert_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-TSA-CAfile" "${CERTS}/TSACA.pem"
+            "-in" "${FILES}/ts_cert.${ext}")
+        set_tests_properties(
+            verify_ts_cert_${ext}
+            PROPERTIES
+            DEPENDS "sign_ts_cert_${ext}"
+            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+            REQUIRED_FILES "${LOGS}/port.log")
+    endforeach(ext ${extensions_3})
+
+    # Tests 93-95
+    # Signature verification time: Jan  1 00:00:00 2035 GMT
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_ts_future_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "2051222400" # Signature verification time: Jan  1 00:00:00 2035 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-TSA-CAfile" "${CERTS}/TSACA.pem"
+            "-in" "${FILES}/ts_cert.${ext}")
+        set_tests_properties(
+            verify_ts_future_${ext}
+            PROPERTIES
+            DEPENDS "sign_ts_cert_${ext}"
+            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+            REQUIRED_FILES "${LOGS}/port.log")
+    endforeach(ext ${extensions_3})
+
+    # Tests 96-98
+    # Verify with ignored timestamp
+    # This tests are expected to fail
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_ts_ignore_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "2051222400" # Signature verification time: Jan  1 00:00:00 2035 GMT
+            "-ignore-timestamp"
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-TSA-CAfile" "${CERTS}/TSACA.pem"
+            "-in" "${FILES}/ts_cert.${ext}")
+        set_tests_properties(
+            verify_ts_ignore_${ext}
+            PROPERTIES
+            DEPENDS "sign_ts_cert_${ext}"
+            REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+            REQUIRED_FILES "${LOGS}/port.log"
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_3})
+
+
+### Verify CRL Distribution Points ###
+
+    # Tests 99-101
+    # Verify file signed with X509v3 CRL Distribution Points extension
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_ts_cert_crldp_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-TSA-CAfile" "${CERTS}/TSACA.pem"
+            "-in" "${FILES}/ts_cert_crldp.${ext}")
+        set_tests_properties(
+            verify_ts_cert_crldp_${ext}
+            PROPERTIES
+            DEPENDS "sign_ts_cert_crldp_${ext}"
+            REQUIRED_FILES "${FILES}/ts_cert_crldp.${ext}"
+            REQUIRED_FILES "${LOGS}/port.log")
+    endforeach(ext ${extensions_3})
+
+    # Tests 102-107
+    # Verify with expired or revoked certificate without X509v3 CRL Distribution Points extension
+    # This tests are expected to fail
+    set(failed_certs "expired" "revoked")
+    foreach(ext ${extensions_3})
+        foreach(cert ${failed_certs})
+            add_test(
+                NAME verify_ts_${cert}_${ext}
+                COMMAND osslsigncode "verify"
+                "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+                "-CAfile" "${CERTS}/CACert.pem"
+                "-CRLfile" "${CERTS}/CACertCRL.pem"
+                "-TSA-CAfile" "${CERTS}/TSACA.pem"
+                "-in" "${FILES}/ts_${cert}.${ext}")
+            set_tests_properties(
+                verify_ts_${cert}_${ext}
+                PROPERTIES
+                DEPENDS "sign_ts_${cert}_${ext}"
+                REQUIRED_FILES "${FILES}/ts_${cert}.${ext}"
+                REQUIRED_FILES "${LOGS}/port.log"
+                WILL_FAIL TRUE)
+        endforeach(cert ${failed_certs})
+    endforeach(ext ${extensions_3})
+
+    # Tests 108-110
+    # Verify with revoked certificate contains X509v3 CRL Distribution Points extension
+    # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
+    # This test is expected to fail
+    foreach(ext ${extensions_3})
+        add_test(
+            NAME verify_ts_revoked_crldp_${ext}
+            COMMAND osslsigncode "verify"
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
+            "-CAfile" "${CERTS}/CACert.pem"
+            "-TSA-CAfile" "${CERTS}/TSACA.pem"
+            "-in" "${FILES}/ts_revoked_crldp.${ext}")
+        set_tests_properties(
+            verify_ts_revoked_crldp_${ext}
+            PROPERTIES
+            DEPENDS "sign_ts_revoked_crldp_${ext}"
+            REQUIRED_FILES "${FILES}/ts_revoked_crldp.${ext}"
+            REQUIRED_FILES "${LOGS}/port.log"
+            WILL_FAIL TRUE)
+    endforeach(ext ${extensions_3})
+
+
+### Cleanup ###
+
+    # Test 111
+    # Stop HTTP server
+    if(STOP_SERVER)
+        add_test(NAME stop_server
+        COMMAND ${Python3_EXECUTABLE} "${CLIENT_HTTP}")
+        set_tests_properties(
+            stop_server
+            PROPERTIES
+            REQUIRED_FILES "${LOGS}/port.log")
+    else(STOP_SERVER)
+        message(STATUS "Keep HTTP server after tests")
+    endif(STOP_SERVER)
+
+else(Python3_FOUND OR server_error)
+    message(STATUS "CTest skips some tests")
+endif(Python3_FOUND OR server_error)
+
+
+# Test 112
+# Delete test files
+foreach(ext ${extensions_4})
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/legacy.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed_crldp.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/revoked.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
+    foreach(cert ${pem_certs})
+        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
+    endforeach(cert ${pem_certs})
+    foreach(format ${formats})
+        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
+        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
+        set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}")
+    endforeach(format ${formats})
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
+endforeach(ext ${extensions_4})
+
+add_test(NAME remove_files
+    COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/cmake/FindHeaders.cmake
+++ b/cmake/FindHeaders.cmake
@ -0,0 +1,26 @@
+include(CheckIncludeFile)
+include(CheckFunctionExists)
+
+if(UNIX)
+    check_function_exists(getpass HAVE_GETPASS)
+    check_include_file(termios.h HAVE_TERMIOS_H)
+    check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
+    if(HAVE_SYS_MMAN_H)
+        check_function_exists(mmap HAVE_MMAP)
+    endif(HAVE_SYS_MMAN_H)
+else(UNIX)
+    check_include_file(windows.h HAVE_MAPVIEWOFFILE)
+endif(UNIX)
+
+if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
+    message(FATAL_ERROR "Error: Need file mapping function to build.")
+endif(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/cmake/SetBashCompletion.cmake
+++ b/cmake/SetBashCompletion.cmake
@ -0,0 +1,32 @@
+# This list describes the default variables included in the bash-completion package:
+# BASH_COMPLETION_VERSION "@VERSION@"
+# BASH_COMPLETION_PREFIX "@prefix@"
+# BASH_COMPLETION_COMPATDIR "@sysconfdir@/bash_completion.d"
+# BASH_COMPLETION_COMPLETIONSDIR "@datadir@/@PACKAGE@/completions"
+# BASH_COMPLETION_HELPERSDIR "@datadir@/@PACKAGE@/helpers"
+# BASH_COMPLETION_FOUND "TRUE"
+# https://github.com/scop/bash-completion/blob/master/bash-completion-config.cmake.in
+
+if(NOT MSVC)
+    if(BASH_COMPLETION_USER_DIR)
+        set(BASH_COMPLETION_COMPLETIONSDIR "${BASH_COMPLETION_USER_DIR}/bash-completion/completions")
+    else(BASH_COMPLETION_USER_DIR)
+        find_package(bash-completion QUIET)
+        if(NOT BASH_COMPLETION_FOUND)
+            set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
+            set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
+        endif(NOT BASH_COMPLETION_FOUND)
+    endif(BASH_COMPLETION_USER_DIR)
+
+    message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
+    install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
+endif(NOT MSVC)
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/cmake/SetCompilerFlags.cmake
+++ b/cmake/SetCompilerFlags.cmake
@ -0,0 +1,123 @@
+include(CheckCCompilerFlag)
+
+set(CMAKE_REQUIRED_QUIET ON)
+
+function(add_debug_flag_if_supported flagname targets)
+    check_c_compiler_flag("${flagname}" HAVE_FLAG_${flagname})
+    if (HAVE_FLAG_${flagname})
+        foreach(target ${targets})
+            target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:${flagname}>)
+        endforeach(target ${targets})
+    endif(HAVE_FLAG_${flagname})
+endfunction(add_debug_flag_if_supported flagname targets)
+
+function(add_compile_flag_to_targets targets)
+    set(CHECKED_DEBUG_FLAGS
+        "-ggdb"
+        "-g"
+        "-O2"
+        "-pedantic"
+        "-Wall"
+        "-Wextra"
+        "-Wno-long-long"
+        "-Wconversion"
+        "-D_FORTIFY_SOURCE=2"
+        "-Wformat=2"
+        "-Wredundant-decls"
+        "-Wcast-qual"
+        "-Wnull-dereference"
+        "-Wno-deprecated-declarations"
+        "-Wmissing-declarations"
+        "-Wmissing-prototypes"
+        "-Wmissing-noreturn"
+        "-Wmissing-braces"
+        "-Wparentheses"
+        "-Wstrict-aliasing=3"
+        "-Wstrict-overflow=2"
+        "-Wlogical-op"
+        "-Wwrite-strings"
+        "-Wcast-align=strict"
+        "-Wdisabled-optimization"
+        "-Wshift-overflow=2"
+        "-Wundef"
+        "-Wshadow"
+        "-Wmisleading-indentation"
+        "-Wabsolute-value"
+        "-Wunused-parameter"
+        "-Wunused-function")
+    foreach(flag ${CHECKED_DEBUG_FLAGS})
+        add_debug_flag_if_supported(${flag} ${targets})
+    endforeach(flag ${CHECKED_DEBUG_FLAGS})
+endfunction(add_compile_flag_to_targets targets)
+
+function(add_compile_flags target)
+    if(MSVC)
+        # Enable parallel builds
+        target_compile_options(${target} PRIVATE /MP)
+        # Use address space layout randomization, generate PIE code for ASLR (default on)
+        target_link_options(${target} PRIVATE /DYNAMICBASE)
+        # Create terminal server aware application (default on)
+        target_link_options(${target} PRIVATE /TSAWARE)
+        # Mark the binary as compatible with Intel Control-flow Enforcement Technology (CET) Shadow Stack
+        target_link_options(${target} PRIVATE /CETCOMPAT)
+        # Enable compiler generation of Control Flow Guard security checks
+        target_compile_options(${target} PRIVATE /guard:cf)
+        target_link_options(${target} PRIVATE /guard:cf)
+        # Buffer Security Check
+        target_compile_options(${target} PRIVATE /GS)
+        # Suppress startup banner
+        target_link_options(${target} PRIVATE /NOLOGO)
+        # Generate debug info
+        target_link_options(${target} PRIVATE /DEBUG)
+        if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+            # High entropy ASLR for 64 bits targets (default on)
+            target_link_options(${target} PRIVATE /HIGHENTROPYVA)
+            # Enable generation of EH Continuation (EHCONT) metadata by the compiler
+            #target_compile_options(${target} PRIVATE /guard:ehcont)
+            #target_link_options(${target} PRIVATE /guard:ehcont)
+        else("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+            # Can handle addresses larger than 2 gigabytes
+            target_link_options(${target} PRIVATE /LARGEADDRESSAWARE)
+            # Safe structured exception handlers (x86 only)
+            target_link_options(${target} PRIVATE /SAFESEH)
+        endif("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+        target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/D_FORTIFY_SOURCE=2>)
+        # Unrecognized compiler options are errors
+        target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/options:strict>)
+    else(MSVC)
+        check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
+        if(HAVE_STACK_PROTECTOR_ALL)
+            target_link_options(${target} PRIVATE -fstack-protector-all)
+        else(HAVE_STACK_PROTECTOR_ALL)
+            check_c_compiler_flag("-fstack-protector" HAVE_STACK_PROTECTOR)
+            if(HAVE_STACK_PROTECTOR)
+                target_link_options(${target} PRIVATE -fstack-protector)
+            else(HAVE_STACK_PROTECTOR)
+                message(WARNING "No stack protection supported")
+            endif(HAVE_STACK_PROTECTOR)
+        endif(HAVE_STACK_PROTECTOR_ALL)
+        # Support address space layout randomization (ASLR)
+        if(NOT (MINGW OR CYGWIN OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"
+            OR ((CMAKE_SYSTEM_NAME MATCHES Darwin) AND (CMAKE_C_COMPILER_ID MATCHES Clang))))
+            target_compile_options(${target} PRIVATE -fPIE)
+            target_link_options(${target} PRIVATE -fPIE -pie)
+            target_link_options(${target} PRIVATE -Wl,-z,relro)
+            target_link_options(${target} PRIVATE -Wl,-z,now)
+            target_link_options(${target} PRIVATE -Wl,-z,noexecstack)
+        endif(NOT (MINGW OR CYGWIN OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"
+            OR ((CMAKE_SYSTEM_NAME MATCHES Darwin) AND (CMAKE_C_COMPILER_ID MATCHES Clang))))
+        target_link_options(${target} PRIVATE -fstack-check)
+        add_compile_flag_to_targets(${target})
+    endif(MSVC)
+endfunction(add_compile_flags target)
+
+add_compile_flags(osslsigncode)
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]
--- a/configure.ac
+++ b/configure.ac
@ -1,136 +0,0 @@
-AC_PREREQ(2.60)
-
-AC_INIT([osslsigncode], [1.7.1], [pallansson@gmail.com])
-AC_CONFIG_AUX_DIR([.])
-AC_CONFIG_HEADERS([config.h])
-AM_INIT_AUTOMAKE
-
-AC_CONFIG_SRCDIR([osslsigncode.c])
-
-dnl Checks for programs.
-AC_PROG_CC
-AC_USE_SYSTEM_EXTENSIONS
-
-AC_ARG_ENABLE(
-	[strict],
-	[AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])],
-	,
-	[enable_strict="no"]
-)
-
-AC_ARG_ENABLE(
-	[pedantic],
-	[AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])],
-	,
-	[enable_pedantic="no"]
-)
-
-AC_ARG_WITH(
-	[curl],
-	[AS_HELP_STRING([--with-curl],[enable curl @<:@enabled@:>@])],
-	,
-	[with_curl="yes"]
-)
-
-if test "${enable_pedantic}" = "yes"; then
-	enable_strict="yes";
-	CFLAGS="${CFLAGS} -pedantic"
-fi
-if test "${enable_strict}" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall -Wextra"
-fi
-
-PKG_PROG_PKG_CONFIG
-AC_PROG_CPP
-AC_PROG_INSTALL
-AC_PROG_LN_S
-AC_PROG_MKDIR_P
-AC_PROG_SED
-AC_PROG_MAKE_SET
-
-AC_C_CONST
-AC_HEADER_STDC
-AC_HEADER_TIME
-AC_CHECK_HEADERS(
-	[sys/mman.h],
-	[AC_CHECK_FUNC(
-		[mmap],
-		[AC_DEFINE(HAVE_MMAP, [1], [Define to 1 if you have mmap])],
-		[AC_MSG_ERROR([Need mmap to build.])]
-	)],
-	[have_mmap=no]
-)
-AC_CHECK_HEADERS(
-	[windows.h],
-	[],
-	[have_MapViewOfFile=no]
-)
-AS_IF([test "x$have_mmap$have_MapViewOfFile" = "xnono"],
-	[AC_MSG_ERROR([Need file mapping function to buid.])])
-
-AC_CHECK_LIB(
-	[dl],
-	[dlopen],
-	[DL_LIBS="-ldl"]
-)
-
-AC_CHECK_HEADERS([termios.h])
-AC_CHECK_FUNCS(getpass)
-
-AC_ARG_WITH([gsf],
-        AS_HELP_STRING([--without-gsf], [Ignore presence of libgsf and disable it])
-)
-AS_IF([test "x$with_gsf" != "xno"],
-        [PKG_CHECK_MODULES([GSF], [libgsf-1], [have_gsf=yes], [have_gsf=no])],
-        [have_gsf=no]
-)
-AS_IF([test "x$have_gsf" = "xyes"],
-        [AC_DEFINE([WITH_GSF], 1, [Have libgsf?])],
-        [AS_IF([test "x$with_gsf" = "xyes"],
-                [AC_MSG_ERROR([libgsf requested but not found])])]
-)
-
-
-PKG_CHECK_MODULES(
-	[OPENSSL],
-	[libcrypto >= 1.1.0],
-	,
-	[PKG_CHECK_MODULES(
-		[OPENSSL],
-		[openssl >= 1.1.0],
-		,
-		[AC_CHECK_LIB(
-			[crypto],
-			[RSA_verify],
-			[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
-			[AC_MSG_ERROR([OpenSSL 1.1.0 or later is required. http://www.openssl.org/])],
-			[${DL_LIBS}]
-		)]
-	)]
-)
-
-PKG_CHECK_MODULES(
-	[LIBCURL],
-	[libcurl >= 7.12.0],
-	,
-	[AC_CHECK_LIB(
-		[curl],
-		[curl_easy_strerror],
-		[LIBCURL_LIBS="-lcurl"],
-		,
-		[${DL_LIBS}]
-	)]
-)
-
-if test "${with_curl}" = "yes"; then
-	test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR([Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/])
-	OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
-	OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
-	AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
-fi
-
-AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
-AC_SUBST([OPTIONAL_LIBCURL_LIBS])
-
-AC_CONFIG_FILES([Makefile])
-AC_OUTPUT
--- a/helpers.c
+++ b/helpers.c
@ -0,0 +1,658 @@
+/*
+ * osslsigncode support library
+ *
+ * Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ */
+
+#include "osslsigncode.h"
+#include "helpers.h"
+
+/* Prototypes */
+static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig);
+static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
+static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
+static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len);
+static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
+static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
+
+/*
+ * Common functions
+ */
+
+/*
+ * [in] infile
+ * [returns] file size
+ */
+uint32_t get_file_size(const char *infile)
+{
+    int ret;
+#ifdef _WIN32
+    struct _stat64 st;
+    ret = _stat64(infile, &st);
+#else
+    struct stat st;
+    ret = stat(infile, &st);
+#endif
+    if (ret) {
+        printf("Failed to open file: %s\n", infile);
+        return 0;
+    }
+
+    if (st.st_size < 4) {
+        printf("Unrecognized file type - file is too short: %s\n", infile);
+        return 0;
+    }
+    if (st.st_size > UINT32_MAX) {
+        printf("Unsupported file - too large: %s\n", infile);
+        return 0;
+    }
+    return (uint32_t)st.st_size;
+}
+
+/*
+ * [in] infile: starting address for the new mapping
+ * [returns] pointer to the mapped area
+ */
+char *map_file(const char *infile, const size_t size)
+{
+    char *indata = NULL;
+#ifdef WIN32
+    HANDLE fhandle, fmap;
+    (void)size;
+    fhandle = CreateFile(infile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
+    if (fhandle == INVALID_HANDLE_VALUE) {
+        return NULL;
+    }
+    fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL);
+    CloseHandle(fhandle);
+    if (fmap == NULL) {
+        return NULL;
+    }
+    indata = (char *)MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0);
+    CloseHandle(fmap);
+#else
+#ifdef HAVE_SYS_MMAN_H
+    int fd = open(infile, O_RDONLY);
+    if (fd < 0) {
+        return NULL;
+    }
+    indata = mmap(0, size, PROT_READ, MAP_PRIVATE, fd, 0);
+    if (indata == MAP_FAILED) {
+        close(fd);
+        return NULL;
+    }
+    close(fd);
+#else
+    printf("No file mapping function\n");
+    return NULL;
+#endif /* HAVE_SYS_MMAN_H */
+#endif /* WIN32 */
+    return indata;
+}
+
+/*
+ * [in] indata: starting address space
+ * [in] size: mapped area length
+ * [returns] none
+ */
+void unmap_file(char *indata, const size_t size)
+{
+    if (!indata)
+        return;
+#ifdef WIN32
+    (void)size;
+    UnmapViewOfFile(indata);
+#else
+    munmap(indata, size);
+#endif /* WIN32 */
+}
+
+/*
+ * [in, out] si: PKCS7_SIGNER_INFO structure
+ * [in] ctx: FILE_FORMAT_CTX structure
+ * [returns] 0 on error or 1 on success
+ */
+static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
+{
+    SpcSpOpusInfo *opus;
+    ASN1_STRING *astr;
+    int len;
+    u_char *p = NULL;
+
+    opus = spc_sp_opus_info_create(ctx);
+    if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0
+        || (p = OPENSSL_malloc((size_t)len)) == NULL) {
+        SpcSpOpusInfo_free(opus);
+        return 0; /* FAILED */
+    }
+    i2d_SpcSpOpusInfo(opus, &p);
+    p -= len;
+    astr = ASN1_STRING_new();
+    ASN1_STRING_set(astr, p, len);
+    OPENSSL_free(p);
+    SpcSpOpusInfo_free(opus);
+    return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID),
+            V_ASN1_SEQUENCE, astr);
+}
+
+/*
+ * [in, out] si: PKCS7_SIGNER_INFO structure
+ * [in] ctx: structure holds input and output data
+ * [returns] 0 on error or 1 on success
+ */
+static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
+{
+    static const u_char purpose_ind[] = {
+        0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
+        0x01, 0x82, 0x37, 0x02, 0x01, 0x15
+    };
+    static const u_char purpose_comm[] = {
+        0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
+        0x01, 0x82, 0x37, 0x02, 0x01, 0x16
+    };
+    ASN1_STRING *purpose = ASN1_STRING_new();
+
+    if (ctx->options->comm) {
+        ASN1_STRING_set(purpose, purpose_comm, sizeof purpose_comm);
+    } else {
+        ASN1_STRING_set(purpose, purpose_ind, sizeof purpose_ind);
+    }
+    return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID),
+            V_ASN1_SEQUENCE, purpose);
+}
+
+/*
+ * Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
+ * adding the _current_ time. This allows to create a deterministic signature
+ * when no trusted timestamp server was specified, making osslsigncode
+ * behaviour closer to signtool.exe (which doesn't include any non-trusted
+ * time in this case.)
+ * [in, out] si: PKCS7_SIGNER_INFO structure
+ * [in] ctx: structure holds input and output data
+ * [returns] 0 on error or 1 on success
+ */
+int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
+{
+    if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
+        return 1; /* SUCCESS */
+    return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
+        ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
+}
+
+/*
+ * Retrieve a decoded PKCS#7 structure corresponding to the signature
+ * stored in the "sigin" file
+ * CMD_ATTACH command specific
+ * [in] ctx: structure holds input and output data
+ * [returns] pointer to PKCS#7 structure
+ */
+PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx)
+{
+    PKCS7 *p7 = NULL;
+    uint32_t filesize;
+    char *indata;
+    BIO *bio;
+    const char pemhdr[] = "-----BEGIN PKCS7-----";
+
+    filesize = get_file_size(ctx->options->sigfile);
+    if (!filesize) {
+        return NULL; /* FAILED */
+    }
+    indata = map_file(ctx->options->sigfile, filesize);
+    if (!indata) {
+        printf("Failed to open file: %s\n", ctx->options->sigfile);
+        return NULL; /* FAILED */
+    }
+    bio = BIO_new_mem_buf(indata, (int)filesize);
+    if (filesize >= sizeof pemhdr && !memcmp(indata, pemhdr, sizeof pemhdr - 1)) {
+        /* PEM format */
+        p7 = PEM_read_bio_PKCS7(bio, NULL, NULL, NULL);
+    } else { /* DER format */
+        p7 = d2i_PKCS7_bio(bio, NULL);
+    }
+    BIO_free_all(bio);
+    unmap_file(indata, filesize);
+    return p7;
+}
+
+/*
+ * Allocate, set type, add content and return a new PKCS#7 signature
+ * [in] ctx: structure holds input and output data
+ * [returns] pointer to PKCS#7 structure
+ */
+PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
+{
+    int i, signer = -1;
+    PKCS7 *p7;
+    PKCS7_SIGNER_INFO *si = NULL;
+
+    p7 = PKCS7_new();
+    PKCS7_set_type(p7, NID_pkcs7_signed);
+
+    if (ctx->options->cert != NULL) {
+        /*
+         * the private key and corresponding certificate are parsed from the PKCS12
+         * structure or loaded from the security token, so we may omit to check
+         * the consistency of a private key with the public key in an X509 certificate
+         */
+        si = PKCS7_add_signature(p7, ctx->options->cert, ctx->options->pkey,
+            ctx->options->md);
+        if (si == NULL)
+            return NULL; /* FAILED */
+    } else {
+        /* find the signer's certificate located somewhere in the whole certificate chain */
+        for (i=0; i<sk_X509_num(ctx->options->certs); i++) {
+            X509 *signcert = sk_X509_value(ctx->options->certs, i);
+            if (X509_check_private_key(signcert, ctx->options->pkey)) {
+                si = PKCS7_add_signature(p7, signcert, ctx->options->pkey, ctx->options->md);
+                signer = i;
+                break;
+            }
+        }
+        if (si == NULL) {
+            printf("Failed to checking the consistency of a private key: %s\n",
+                ctx->options->keyfile);
+            printf("          with a public key in any X509 certificate: %s\n\n",
+                ctx->options->certfile);
+            return NULL; /* FAILED */
+        }
+    }
+    pkcs7_signer_info_add_signing_time(si, ctx);
+
+    if (!pkcs7_signer_info_add_purpose(si, ctx))
+        return NULL; /* FAILED */
+
+    if ((ctx->options->desc || ctx->options->url) &&
+            !pkcs7_signer_info_add_spc_sp_opus_info(si, ctx)) {
+        printf("Couldn't allocate memory for opus info\n");
+        return NULL; /* FAILED */
+    }
+    PKCS7_content_new(p7, NID_pkcs7_data);
+
+    /* add the signer's certificate */
+    if (ctx->options->cert != NULL)
+        PKCS7_add_certificate(p7, ctx->options->cert);
+    if (signer != -1)
+        PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, signer));
+
+    /* add the certificate chain */
+    for (i=0; i<sk_X509_num(ctx->options->certs); i++) {
+        if (i == signer)
+            continue;
+        PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, i));
+    }
+    /* add all cross certificates */
+    if (ctx->options->xcerts) {
+        for (i=0; i<sk_X509_num(ctx->options->xcerts); i++)
+            PKCS7_add_certificate(p7, sk_X509_value(ctx->options->xcerts, i));
+    }
+    /* add crls */
+    if (ctx->options->crls) {
+        for (i=0; i<sk_X509_CRL_num(ctx->options->crls); i++)
+            PKCS7_add_crl(p7, sk_X509_CRL_value(ctx->options->crls, i));
+    }
+    return p7; /* OK */
+}
+
+/*
+ * [in, out] p7: new PKCS#7 signature
+ * [in] hash: message digest BIO
+ * [returns] 0 on error or 1 on success
+ */
+int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
+{
+    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
+    PKCS7_SIGNER_INFO *si;
+
+    signer_info = PKCS7_get_signer_info(p7);
+    if (!signer_info)
+        return 0; /* FAILED */
+    si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
+    if (!si)
+        return 0; /* FAILED */
+    if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
+        V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1)))
+        return 0; /* FAILED */
+    if (!pkcs7_set_data_content(p7, hash, ctx)) {
+        printf("Signing failed\n");
+        return 0; /* FAILED */
+    }
+    return 1; /* OK */
+}
+
+/*
+ * [in, out] p7: new PKCS#7 signature
+ * [in] cursig: current PKCS#7 signature
+ * [returns] 0 on error or 1 on success
+ */
+int add_ms_ctl_object(PKCS7 *p7, PKCS7 *cursig)
+{
+    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
+    PKCS7_SIGNER_INFO *si;
+
+    signer_info = PKCS7_get_signer_info(p7);
+    if (!signer_info)
+        return 0; /* FAILED */
+    si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
+    if (!si)
+        return 0; /* FAILED */
+    if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
+        V_ASN1_OBJECT, OBJ_txt2obj(MS_CTL_OBJID, 1)))
+        return 0; /* FAILED */
+    if (!pkcs7_set_content_blob(p7, cursig)) {
+        printf("Signing failed\n");
+        return 0; /* FAILED */
+    }
+    return 1; /* OK */
+}
+
+static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig)
+{
+    PKCS7 *contents;
+    u_char *content;
+    int seqhdrlen, content_length;
+    BIO *sigbio;
+
+    contents = cursig->d.sign->contents;
+    seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data,
+        contents->d.other->value.sequence->length);
+    content = contents->d.other->value.sequence->data + seqhdrlen;
+    content_length = contents->d.other->value.sequence->length - seqhdrlen;
+
+    if ((sigbio = PKCS7_dataInit(sig, NULL)) == NULL) {
+        printf("PKCS7_dataInit failed\n");
+        return 0; /* FAILED */
+    }
+    BIO_write(sigbio, content, content_length);
+    (void)BIO_flush(sigbio);
+    if (!PKCS7_dataFinal(sig, sigbio)) {
+        printf("PKCS7_dataFinal failed\n");
+        return 0; /* FAILED */
+    }
+    BIO_free_all(sigbio);
+    if (!PKCS7_set_content(sig, PKCS7_dup(contents))) {
+        printf("PKCS7_set_content failed\n");
+        return 0; /* FAILED */
+    }
+    return 1; /* OK */
+}
+
+/* Return the header length (tag and length octets) of the ASN.1 type
+ * [in] p: ASN.1 data
+ * [in] len: ASN.1 data length
+ * [returns] header length
+ */
+int asn1_simple_hdr_len(const u_char *p, int len)
+{
+    if (len <= 2 || p[0] > 0x31)
+        return 0;
+    return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2;
+}
+
+/*
+ * [in, out] hash: BIO with message digest method
+ * [in] indata: starting address space
+ * [in] idx: offset
+ * [in] fileend: the length of the hashed area
+ * [returns] 0 on error or 1 on success
+ */
+int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend)
+{
+    while (idx < fileend) {
+        size_t want, written;
+        want = fileend - idx;
+        if (want > SIZE_64K)
+            want = SIZE_64K;
+        if (!BIO_write_ex(hash, indata + idx, want, &written))
+            return 0; /* FAILED */
+        idx += written;
+    }
+    return 1; /* OK */
+}
+
+/*
+ * [in] descript1, descript2: descriptions
+ * [in] mdbuf: message digest
+ * [in] len: message digest length
+ * [returns] none
+ */
+void print_hash(const char *descript1, const char *descript2, const u_char *mdbuf, int len)
+{
+    char *hexbuf = NULL;
+    int size, i, j = 0;
+
+    size = 2 * len + 1;
+    hexbuf = OPENSSL_malloc((size_t)size);
+    for (i = 0; i < len; i++) {
+#ifdef WIN32
+        j += sprintf_s(hexbuf + j, size - j, "%02X", mdbuf[i]);
+#else
+        j += sprintf(hexbuf + j, "%02X", mdbuf[i]);
+#endif /* WIN32 */
+    }
+    printf("%s: %s %s\n", descript1, hexbuf, descript2);
+    OPENSSL_free(hexbuf);
+}
+
+/*
+ * [in] p7: new PKCS#7 signature
+ * [in] objid: Microsoft OID Authenticode
+ * [returns] 0 on error or 1 on success
+ */
+int is_content_type(PKCS7 *p7, const char *objid)
+{
+    ASN1_OBJECT *indir_objid;
+    int ret;
+
+    indir_objid = OBJ_txt2obj(objid, 1);
+    ret = p7 && PKCS7_type_is_signed(p7) &&
+        !OBJ_cmp(p7->d.sign->contents->type, indir_objid) &&
+        (p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE ||
+        p7->d.sign->contents->d.other->type == V_ASN1_OCTET_STRING);
+    ASN1_OBJECT_free(indir_objid);
+    return ret;
+}
+
+/*
+ * [out] p7: new PKCS#7 signature
+ * [in] hash: message digest BIO
+ * [in] ctx: structure holds input and output data
+ * [returns] 0 on error or 1 on success
+ */
+int pkcs7_set_data_content(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
+{
+    u_char *p = NULL;
+    int len = 0;
+    u_char *buf;
+
+    if (!spc_indirect_data_content_get(&p, &len, ctx))
+        return 0; /* FAILED */
+    buf = OPENSSL_malloc(SIZE_64K);
+    memcpy(buf, p, (size_t)len);
+    OPENSSL_free(p);
+    if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len)) {
+        OPENSSL_free(buf);
+        return 0; /* FAILED */
+    }
+    OPENSSL_free(buf);
+
+    return 1; /* OK */
+}
+
+/*
+ * PE and CAB format specific
+ * [in] none
+ * [returns] pointer to SpcLink
+ */
+SpcLink *spc_link_obsolete_get(void)
+{
+    const u_char obsolete[] = {
+        0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f,
+        0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c,
+        0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e,
+        0x00, 0x3e, 0x00, 0x3e
+    };
+    SpcLink *link = SpcLink_new();
+    link->type = 2;
+    link->value.file = SpcString_new();
+    link->value.file->type = 0;
+    link->value.file->value.unicode = ASN1_BMPSTRING_new();
+    ASN1_STRING_set(link->value.file->value.unicode, obsolete, sizeof obsolete);
+    return link;
+}
+
+/*
+ * Retrieve a decoded PKCS#7 structure
+ * [in] indata: mapped file
+ * [in] sigpos: signature data offset
+ * [in] siglen: signature data size
+ * [returns] pointer to PKCS#7 structure
+ */
+PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen)
+{
+    PKCS7 *p7 = NULL;
+    const u_char *blob;
+
+    blob = (u_char *)indata + sigpos;
+    p7 = d2i_PKCS7(NULL, &blob, siglen);
+    return p7;
+}
+
+/*
+ * [in] mdbuf, cmdbuf: message digests
+ * [in] mdtype: message digest algorithm type
+ * [returns] 0 on error or 1 on success
+ */
+int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype)
+{
+    int mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype));
+    int mdok = !memcmp(mdbuf, cmdbuf, (size_t)mdlen);
+    printf("Message digest algorithm  : %s\n", OBJ_nid2sn(mdtype));
+    print_hash("Current message digest    ", "", mdbuf, mdlen);
+    print_hash("Calculated message digest ", mdok ? "\n" : "    MISMATCH!!!\n", cmdbuf, mdlen);
+    return mdok;
+}
+
+/*
+ * Helper functions
+ */
+
+/*
+ * [in] ctx: FILE_FORMAT_CTX structure
+ * [returns] pointer to SpcSpOpusInfo structure
+ */
+static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx)
+{
+    SpcSpOpusInfo *info = SpcSpOpusInfo_new();
+
+    if (ctx->options->desc) {
+        info->programName = SpcString_new();
+        info->programName->type = 1;
+        info->programName->value.ascii = ASN1_IA5STRING_new();
+        ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
+                ctx->options->desc, (int)strlen(ctx->options->desc));
+    }
+    if (ctx->options->url) {
+        info->moreInfo = SpcLink_new();
+        info->moreInfo->type = 0;
+        info->moreInfo->value.url = ASN1_IA5STRING_new();
+        ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
+                ctx->options->url, (int)strlen(ctx->options->url));
+    }
+    return info;
+}
+
+/*
+ * [out] blob: SpcIndirectDataContent data
+ * [out] len: SpcIndirectDataContent data length
+ * [in] ctx: FILE_FORMAT_CTX structure
+ * [returns] 0 on error or 1 on success
+ */
+static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx)
+{
+    u_char *p = NULL;
+    int hashlen, l = 0;
+    void *hash;
+    SpcIndirectDataContent *idc = SpcIndirectDataContent_new();
+
+    idc->data->value = ASN1_TYPE_new();
+    idc->data->value->type = V_ASN1_SEQUENCE;
+    idc->data->value->value.sequence = ASN1_STRING_new();
+    idc->data->type = ctx->format->data_blob_get(&p, &l, ctx);
+    idc->data->value->value.sequence->data = p;
+    idc->data->value->value.sequence->length = l;
+    idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(ctx->options->md));
+    idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new();
+    idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL;
+
+    hashlen = EVP_MD_size(ctx->options->md);
+    hash = OPENSSL_malloc((size_t)hashlen);
+    memset(hash, 0, (size_t)hashlen);
+    ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
+    OPENSSL_free(hash);
+
+    *len  = i2d_SpcIndirectDataContent(idc, NULL);
+    *blob = OPENSSL_malloc((size_t)*len);
+    p = *blob;
+    i2d_SpcIndirectDataContent(idc, &p);
+    SpcIndirectDataContent_free(idc);
+    *len -= EVP_MD_size(ctx->options->md);
+    return 1; /* OK */
+}
+
+/*
+ * Replace the data part with the MS Authenticode spcIndirectDataContent blob
+ * [out] p7: new PKCS#7 signature
+ * [in] hash: message digest BIO
+ * [in] blob: SpcIndirectDataContent data
+ * [in] len: SpcIndirectDataContent data length
+ * [returns] 0 on error or 1 on success
+ */
+static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len)
+{
+    u_char mdbuf[EVP_MAX_MD_SIZE];
+    int mdlen, seqhdrlen;
+    BIO *bio;
+    PKCS7 *td7;
+
+    mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE);
+    memcpy(buf+len, mdbuf, (size_t)mdlen);
+    seqhdrlen = asn1_simple_hdr_len(buf, len);
+
+    if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) {
+        printf("PKCS7_dataInit failed\n");
+        return 0; /* FAILED */
+    }
+    BIO_write(bio, buf + seqhdrlen, len - seqhdrlen + mdlen);
+    (void)BIO_flush(bio);
+
+    if (!PKCS7_dataFinal(p7, bio)) {
+        printf("PKCS7_dataFinal failed\n");
+        return 0; /* FAILED */
+    }
+    BIO_free_all(bio);
+
+    td7 = PKCS7_new();
+    td7->type = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1);
+    td7->d.other = ASN1_TYPE_new();
+    td7->d.other->type = V_ASN1_SEQUENCE;
+    td7->d.other->value.sequence = ASN1_STRING_new();
+    ASN1_STRING_set(td7->d.other->value.sequence, buf, len+mdlen);
+    if (!PKCS7_set_content(p7, td7)) {
+        PKCS7_free(td7);
+        printf("PKCS7_set_content failed\n");
+        return 0; /* FAILED */
+    }
+    return 1; /* OK */
+}
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: nil
+End:
+
+  vim: set ts=4 expandtab:
+*/
--- a/helpers.h
+++ b/helpers.h
@ -0,0 +1,35 @@
+/*
+ * osslsigncode support library
+ *
+ * Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ */
+
+/* Common functions */
+uint32_t get_file_size(const char *infile);
+char *map_file(const char *infile, const size_t size);
+void unmap_file(char *indata, const size_t size);
+int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
+PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
+PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx);
+void add_content_type(PKCS7 *p7);
+int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx);
+int add_ms_ctl_object(PKCS7 *p7, PKCS7 *cursig);
+int asn1_simple_hdr_len(const u_char *p, int len);
+int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend);
+void print_hash(const char *descript1, const char *descript2, const u_char *hashbuf, int length);
+int is_content_type(PKCS7 *p7, const char *objid);
+int pkcs7_set_data_content(PKCS7 *sig, BIO *hash, FILE_FORMAT_CTX *ctx);
+SpcLink *spc_link_obsolete_get(void);
+PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen);
+int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype);
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: nil
+End:
+
+  vim: set ts=4 expandtab:
+*/
--- a/msi.c
+++ b/msi.c
--- a/osslsigncode.bash
+++ b/osslsigncode.bash
@ -0,0 +1,76 @@
+# bash completion for osslsigncode                         -*- shell-script -*-
+# Copyright (C) 2021-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
+# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+
+bind 'set show-all-if-ambiguous on'
+bind 'set completion-ignore-case on'
+COMP_WORDBREAKS=${COMP_WORDBREAKS//:}
+
+_comp_cmd_osslsigncode()
+{
+    local cur prev words cword
+    _init_completion || return
+
+    local commands command options timestamps rfc3161
+
+    commands="--help --version -v
+        sign add attach-signature extract-signature remove-signature verify"
+
+    timestamps="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.sectigo.com
+        http://timestamp.globalsign.com/?signature=sha2"
+
+    rfc3161="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.entrust.net/TSS/RFC3161sha2TS
+        http://tss.accv.es:8318/tsa
+        http://kstamp.keynectis.com/KSign/
+        http://sha256timestamp.ws.symantec.com/sha256/timestamp"
+
+
+    if ((cword == 1)); then
+        COMPREPLY=($(compgen -W "${commands}" -- ${cur}))
+    else
+        command=${words[1]}
+        case $prev in
+            -ac | -c | -catalog | -certs | -spc | -key | -pkcs12 | -pass | \
+            -readpass | -pkcs11engine | -pkcs11module | -in | -out | -sigin | \
+            -n | -CAfile | -CRLfile  | -TSA-CAfile | -TSA-CRLfile)
+                _filedir
+                return
+                ;;
+            -h | -require-leaf-hash)
+                COMPREPLY=($(compgen -W 'md5 sha1 sha2 sha256 sha384 sha512' \
+                    -- "$cur"))
+                return
+                ;;
+            -jp)
+                COMPREPLY=($(compgen -W 'low medium high' -- "$cur"))
+                return
+                ;;
+            -t)
+                COMPREPLY=($(compgen -W "${timestamps}" -- "$cur"))
+                return
+                ;;
+            -ts)
+                COMPREPLY=($(compgen -W "${rfc3161}" -- "$cur"))
+                return
+                ;;
+            -i | -p)
+                _known_hosts_real -- "$cur"
+                return
+                ;;
+        esac
+
+        if [[ $cur == -* ]]; then
+            # possible options for the command
+            options=$(_parse_help "$1" "$command --help" 2>/dev/null)
+            COMPREPLY=($(compgen -W "${options}" -- ${cur}))
+        fi
+    fi
+
+} &&
+    complete -F _comp_cmd_osslsigncode osslsigncode
+
+# ex: filetype=sh
--- a/osslsigncode.c
+++ b/osslsigncode.c
--- a/osslsigncode.h
+++ b/osslsigncode.h
@ -0,0 +1,502 @@
+/*
+ * Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ */
+
+#define OPENSSL_API_COMPAT 0x10100000L
+#define OPENSSL_NO_DEPRECATED
+
+#if defined(_MSC_VER) || defined(__MINGW32__)
+#define HAVE_WINDOWS_H
+#endif /* _MSC_VER || __MINGW32__ */
+
+#ifdef HAVE_WINDOWS_H
+#define NOCRYPT
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#endif /* HAVE_WINDOWS_H */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#ifndef _WIN32
+#include <unistd.h>
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif /* HAVE_SYS_MMAN_H */
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif /* HAVE_TERMIOS_H */
+#endif /* _WIN32 */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/cms.h>
+#include <openssl/conf.h>
+#include <openssl/crypto.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif /* OPENSSL_NO_ENGINE */
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pkcs12.h>
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+#include <openssl/provider.h>
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+#include <openssl/safestack.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h> /* X509_PURPOSE */
+
+#ifdef ENABLE_CURL
+#ifdef __CYGWIN__
+#ifndef SOCKET
+#define SOCKET UINT_PTR
+#endif /* SOCKET */
+#endif /* __CYGWIN__ */
+#include <curl/curl.h>
+
+#define MAX_TS_SERVERS 256
+#endif /* ENABLE_CURL */
+
+#if defined (HAVE_TERMIOS_H) || defined (HAVE_GETPASS)
+#define PROVIDE_ASKPASS 1
+#endif
+
+#ifdef _WIN32
+#define FILE_CREATE_MODE "w+b"
+#else
+#define FILE_CREATE_MODE "w+bx"
+#endif
+
+
+#define GET_UINT8_LE(p) ((const u_char *)(p))[0]
+
+#define GET_UINT16_LE(p) (uint16_t)(((const u_char *)(p))[0] | \
+                                   (((const u_char *)(p))[1] << 8))
+
+#define GET_UINT32_LE(p) (uint32_t)(((const u_char *)(p))[0] | \
+                                   (((const u_char *)(p))[1] << 8) | \
+                                   (((const u_char *)(p))[2] << 16) | \
+                                   (((const u_char *)(p))[3] << 24))
+
+#define PUT_UINT8_LE(i, p) ((u_char *)(p))[0] = (u_char)((i) & 0xff);
+
+#define PUT_UINT16_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
+                           ((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff)
+
+#define PUT_UINT32_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
+                           ((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff); \
+                           ((u_char *)(p))[2] = (u_char)(((i) >> 16) & 0xff); \
+                           ((u_char *)(p))[3] = (u_char)(((i) >> 24) & 0xff)
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#define SIZE_64K 65536       /* 2^16 */
+#define SIZE_16M 16777216    /* 2^24 */
+
+/*
+ * Macro names:
+ * linux:  __BYTE_ORDER == __LITTLE_ENDIAN | __BIG_ENDIAN
+ *           BYTE_ORDER == LITTLE_ENDIAN | BIG_ENDIAN
+ * bsd:     _BYTE_ORDER == _LITTLE_ENDIAN | _BIG_ENDIAN
+ *           BYTE_ORDER == LITTLE_ENDIAN | BIG_ENDIAN
+ * solaris: _LITTLE_ENDIAN | _BIG_ENDIAN
+ */
+
+#ifndef BYTE_ORDER
+#define LITTLE_ENDIAN    1234
+#define BIG_ENDIAN       4321
+#define BYTE_ORDER       LITTLE_ENDIAN
+#endif /* BYTE_ORDER */
+
+#if !defined(BYTE_ORDER) || !defined(LITTLE_ENDIAN) || !defined(BIG_ENDIAN)
+#error "Cannot determine the endian-ness of this platform"
+#endif
+
+#ifndef LOWORD
+#define LOWORD(x) ((x) & 0xFFFF)
+#endif /* LOWORD */
+#ifndef HIWORD
+#define HIWORD(x) (((x) >> 16) & 0xFFFF)
+#endif /* HIWORD */
+
+#if BYTE_ORDER == BIG_ENDIAN
+#define LE_UINT16(x) ((((x) >> 8) & 0x00FF) | \
+                     (((x) << 8) & 0xFF00))
+#define LE_UINT32(x) (((x) >> 24) | \
+                     (((x) & 0x00FF0000) >> 8) | \
+                     (((x) & 0x0000FF00) << 8) | \
+                     ((x) << 24))
+#else
+#define LE_UINT16(x) (x)
+#define LE_UINT32(x) (x)
+#endif /* BYTE_ORDER == BIG_ENDIAN */
+
+#define MIN(a,b) ((a) < (b) ? a : b)
+#define INVALID_TIME ((time_t)-1)
+
+/* Microsoft OID Authenticode */
+#define SPC_INDIRECT_DATA_OBJID      "1.3.6.1.4.1.311.2.1.4"
+#define SPC_STATEMENT_TYPE_OBJID     "1.3.6.1.4.1.311.2.1.11"
+#define SPC_SP_OPUS_INFO_OBJID       "1.3.6.1.4.1.311.2.1.12"
+#define SPC_PE_IMAGE_DATA_OBJID      "1.3.6.1.4.1.311.2.1.15"
+#define SPC_CAB_DATA_OBJID           "1.3.6.1.4.1.311.2.1.25"
+#define SPC_SIPINFO_OBJID            "1.3.6.1.4.1.311.2.1.30"
+#define SPC_PE_IMAGE_PAGE_HASHES_V1  "1.3.6.1.4.1.311.2.3.1" /* SHA1 */
+#define SPC_PE_IMAGE_PAGE_HASHES_V2  "1.3.6.1.4.1.311.2.3.2" /* SHA256 */
+#define SPC_NESTED_SIGNATURE_OBJID   "1.3.6.1.4.1.311.2.4.1"
+/* Microsoft OID Time Stamping */
+#define SPC_TIME_STAMP_REQUEST_OBJID "1.3.6.1.4.1.311.3.2.1"
+#define SPC_RFC3161_OBJID            "1.3.6.1.4.1.311.3.3.1"
+/* Microsoft OID Crypto 2.0 */
+#define MS_CTL_OBJID                 "1.3.6.1.4.1.311.10.1"
+/* Microsoft OID Microsoft_Java */
+#define MS_JAVA_SOMETHING            "1.3.6.1.4.1.311.15.1"
+
+#define SPC_UNAUTHENTICATED_DATA_BLOB_OBJID  "1.3.6.1.4.1.42921.1.2.1"
+
+/* Public Key Cryptography Standards PKCS#9 */
+#define PKCS9_MESSAGE_DIGEST         "1.2.840.113549.1.9.4"
+#define PKCS9_SIGNING_TIME           "1.2.840.113549.1.9.5"
+#define PKCS9_COUNTER_SIGNATURE      "1.2.840.113549.1.9.6"
+
+/* WIN_CERTIFICATE structure declared in Wintrust.h */
+#define WIN_CERT_REVISION_2_0           0x0200
+#define WIN_CERT_TYPE_PKCS_SIGNED_DATA  0x0002
+
+/*
+ * FLAG_PREV_CABINET is set if the cabinet file is not the first in a set
+ * of cabinet files. When this bit is set, the szCabinetPrev and szDiskPrev
+ * fields are present in this CFHEADER.
+ */
+#define FLAG_PREV_CABINET 0x0001
+/*
+ * FLAG_NEXT_CABINET is set if the cabinet file is not the last in a set of
+ * cabinet files. When this bit is set, the szCabinetNext and szDiskNext
+* fields are present in this CFHEADER.
+*/
+#define FLAG_NEXT_CABINET 0x0002
+/*
+ * FLAG_RESERVE_PRESENT is set if the cabinet file contains any reserved
+ * fields. When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData
+ * fields are present in this CFHEADER.
+ */
+#define FLAG_RESERVE_PRESENT 0x0004
+
+#define DO_EXIT_0(x) { printf(x); goto err_cleanup; }
+#define DO_EXIT_1(x, y) { printf(x, y); goto err_cleanup; }
+#define DO_EXIT_2(x, y, z) { printf(x, y, z); goto err_cleanup; }
+
+typedef enum {
+    CMD_SIGN,
+    CMD_EXTRACT,
+    CMD_REMOVE,
+    CMD_VERIFY,
+    CMD_ADD,
+    CMD_ATTACH,
+    CMD_HELP,
+    CMD_DEFAULT
+} cmd_type_t;
+
+typedef unsigned char u_char;
+
+typedef struct {
+    char *infile;
+    char *outfile;
+    char *sigfile;
+    char *certfile;
+    char *xcertfile;
+    char *keyfile;
+    char *pvkfile;
+    char *pkcs12file;
+    int output_pkcs7;
+#ifndef OPENSSL_NO_ENGINE
+    char *p11engine;
+    char *p11module;
+    char *p11cert;
+#endif /* OPENSSL_NO_ENGINE */
+    int askpass;
+    char *readpass;
+    char *pass;
+    int comm;
+    int pagehash;
+    char *desc;
+    const EVP_MD *md;
+    char *url;
+    time_t time;
+#ifdef ENABLE_CURL
+    char *turl[MAX_TS_SERVERS];
+    int nturl;
+    char *tsurl[MAX_TS_SERVERS];
+    int ntsurl;
+    char *proxy;
+    int noverifypeer;
+#endif /* ENABLE_CURL */
+    int addBlob;
+    int nest;
+    int ignore_timestamp;
+    int verbose;
+    int add_msi_dse;
+    char *catalog;
+    char *cafile;
+    char *crlfile;
+    char *tsa_cafile;
+    char *tsa_crlfile;
+    char *leafhash;
+    int jp;
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+    int legacy;
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+    EVP_PKEY *pkey;
+    X509 *cert;
+    STACK_OF(X509) *certs;
+    STACK_OF(X509) *xcerts;
+    STACK_OF(X509_CRL) *crls;
+    cmd_type_t cmd;
+    char *indata;
+    PKCS7 *prevsig;
+} GLOBAL_OPTIONS;
+
+/*
+ * ASN.1 definitions (more or less from official MS Authenticode docs)
+ */
+typedef struct {
+    int type;
+    union {
+        ASN1_BMPSTRING *unicode;
+        ASN1_IA5STRING *ascii;
+    } value;
+} SpcString;
+
+DECLARE_ASN1_FUNCTIONS(SpcString)
+
+typedef struct {
+    ASN1_OCTET_STRING *classId;
+    ASN1_OCTET_STRING *serializedData;
+} SpcSerializedObject;
+
+DECLARE_ASN1_FUNCTIONS(SpcSerializedObject)
+
+typedef struct {
+    int type;
+    union {
+        ASN1_IA5STRING *url;
+        SpcSerializedObject *moniker;
+        SpcString *file;
+    } value;
+} SpcLink;
+
+DECLARE_ASN1_FUNCTIONS(SpcLink)
+
+typedef struct {
+    SpcString *programName;
+    SpcLink   *moreInfo;
+} SpcSpOpusInfo;
+
+DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo)
+
+typedef struct {
+    ASN1_OBJECT *type;
+    ASN1_TYPE *value;
+} SpcAttributeTypeAndOptionalValue;
+
+DECLARE_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
+
+typedef struct {
+    ASN1_OBJECT *algorithm;
+    ASN1_TYPE *parameters;
+} AlgorithmIdentifier;
+
+DECLARE_ASN1_FUNCTIONS(AlgorithmIdentifier)
+
+typedef struct {
+    AlgorithmIdentifier *digestAlgorithm;
+    ASN1_OCTET_STRING *digest;
+} DigestInfo;
+
+DECLARE_ASN1_FUNCTIONS(DigestInfo)
+
+typedef struct {
+    SpcAttributeTypeAndOptionalValue *data;
+    DigestInfo *messageDigest;
+} SpcIndirectDataContent;
+
+DECLARE_ASN1_FUNCTIONS(SpcIndirectDataContent)
+
+typedef struct CatalogAuthAttr_st {
+    ASN1_OBJECT *type;
+    ASN1_TYPE *contents;
+} CatalogAuthAttr;
+
+DEFINE_STACK_OF(CatalogAuthAttr)
+DECLARE_ASN1_FUNCTIONS(CatalogAuthAttr)
+
+typedef struct {
+    AlgorithmIdentifier *digestAlgorithm;
+    ASN1_OCTET_STRING *digest;
+} MessageImprint;
+
+DECLARE_ASN1_FUNCTIONS(MessageImprint)
+
+#ifdef ENABLE_CURL
+
+typedef struct {
+    ASN1_OBJECT *type;
+    ASN1_OCTET_STRING *signature;
+} TimeStampRequestBlob;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampRequestBlob)
+
+typedef struct {
+    ASN1_OBJECT *type;
+    TimeStampRequestBlob *blob;
+} TimeStampRequest;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
+
+/* RFC3161 Time stamping */
+
+typedef struct {
+    ASN1_INTEGER *status;
+    STACK_OF(ASN1_UTF8STRING) *statusString;
+    ASN1_BIT_STRING *failInfo;
+} PKIStatusInfo;
+
+DECLARE_ASN1_FUNCTIONS(PKIStatusInfo)
+
+typedef struct {
+    PKIStatusInfo *status;
+    PKCS7 *token;
+} TimeStampResp;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampResp)
+
+typedef struct {
+    ASN1_INTEGER *version;
+    MessageImprint *messageImprint;
+    ASN1_OBJECT *reqPolicy;
+    ASN1_INTEGER *nonce;
+    ASN1_BOOLEAN certReq;
+    STACK_OF(X509_EXTENSION) *extensions;
+} TimeStampReq;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampReq)
+
+#endif /* ENABLE_CURL */
+
+typedef struct {
+    ASN1_INTEGER *seconds;
+    ASN1_INTEGER *millis;
+    ASN1_INTEGER *micros;
+} TimeStampAccuracy;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampAccuracy)
+
+typedef struct {
+    ASN1_INTEGER *version;
+    ASN1_OBJECT *policy_id;
+    MessageImprint *messageImprint;
+    ASN1_INTEGER *serial;
+    ASN1_GENERALIZEDTIME *time;
+    TimeStampAccuracy *accuracy;
+    ASN1_BOOLEAN ordering;
+    ASN1_INTEGER *nonce;
+    GENERAL_NAME *tsa;
+    STACK_OF(X509_EXTENSION) *extensions;
+} TimeStampToken;
+
+DECLARE_ASN1_FUNCTIONS(TimeStampToken)
+
+typedef struct {
+    ASN1_OCTET_STRING *digest;
+    STACK_OF(CatalogAuthAttr) *attributes;
+} CatalogInfo;
+
+DEFINE_STACK_OF(CatalogInfo)
+DECLARE_ASN1_FUNCTIONS(CatalogInfo)
+
+typedef struct {
+    /* 1.3.6.1.4.1.311.12.1.1 MS_CATALOG_LIST */
+    SpcAttributeTypeAndOptionalValue *type;
+    ASN1_OCTET_STRING *identifier;
+    ASN1_UTCTIME *time;
+    /* 1.3.6.1.4.1.311.12.1.2 CatalogVersion = 1
+     * 1.3.6.1.4.1.311.12.1.3 CatalogVersion = 2 */
+    SpcAttributeTypeAndOptionalValue *version;
+    STACK_OF(CatalogInfo) *header_attributes;
+    /* 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID */
+    ASN1_TYPE *filename;
+} MsCtlContent;
+
+DECLARE_ASN1_FUNCTIONS(MsCtlContent)
+
+typedef struct file_format_st FILE_FORMAT;
+typedef struct msi_ctx_st MSI_CTX;
+typedef struct pe_ctx_st PE_CTX;
+typedef struct cab_ctx_st CAB_CTX;
+typedef struct cat_ctx_st CAT_CTX;
+
+typedef struct {
+    FILE_FORMAT *format;
+    GLOBAL_OPTIONS *options;
+    union {
+        MSI_CTX *msi_ctx;
+        PE_CTX *pe_ctx;
+        CAB_CTX *cab_ctx;
+        CAT_CTX *cat_ctx;
+    };
+} FILE_FORMAT_CTX;
+
+extern FILE_FORMAT file_format_msi;
+extern FILE_FORMAT file_format_pe;
+extern FILE_FORMAT file_format_cab;
+extern FILE_FORMAT file_format_cat;
+
+struct file_format_st {
+    FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata);
+    ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
+    int (*check_file) (FILE_FORMAT_CTX *ctx, int detached);
+    u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md);
+    int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7);
+    int (*verify_indirect_data) (FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOptionalValue *obj);
+    PKCS7 *(*pkcs7_extract) (FILE_FORMAT_CTX *ctx);
+    int (*remove_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+    PKCS7 *(*pkcs7_prepare) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+    int (*append_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
+    void (*update_data_size) (FILE_FORMAT_CTX *data, BIO *outdata, PKCS7 *p7);
+    BIO *(*bio_free) (BIO *hash, BIO *outdata);
+    void (*ctx_cleanup) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
+};
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: nil
+End:
+
+  vim: set ts=4 expandtab:
+*/
--- a/pe.c
+++ b/pe.c
--- a/tests/certs/CACert.pem
+++ b/tests/certs/CACert.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIUfuEVHNA/1VLDJI9mhANrBndIj6swDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTcwMTAxMDAwMDAwWhcNMjYxMTEwMDAwMDAwWjBYMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMRykK9mZCSpkVUbCq1r12OXvIDkcjj+g4JpyZOrmPpz5RvmLvYBBgeV
+IsUcqHm3/uSLpOFu/pwFJ2CBZVPJ1d49Y9DVnNR1dUbneWX9tE7A6NV9IG1kVagM
+veI/ANLuRi0H51aAZS9L8c6WxlR4+pxJoCZp1tyTGmfjxzBEXUWvyUrIMrW/r9TH
+u5gGgR6k86EbH7q71XRLhLeEi9QGCG24gobngYNZa5mb8DgLCkUeFtRsrYGEUT0G
+HTpAGXUrpAb3U7+4LkGaS6mc0NPTW4lz06Z3VhyYwwAbgU2DZQjMpqYWv6UctOP+
+5elPDc/PrTAdHAgbOhgvt1HUlqgn7lUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQUWIpzlJI+vefcJwcNGHwwRms/2ncwHwYDVR0jBBgwFoAUWIpz
+lJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
+A4IBAQAl+G1nXXW5u3notmAG5y8kwufFqNi5Jn1HVbT08w4IiteWMw3D9GEOCueM
+g5A03bC/Xv1PRvMatXQSARRvvVl3y1l98sA+97SP/FFUla3W5Rn91OsWd4qkcXhv
+CtPKHpz0SCjKLv3HG/C7fBJPG9XHMgkGZarM2KsQUlkn7DjdBccYcp/zJvtvm+be
+nR5ZqE6LI52WCXg0w/KlJlildU5LE/bvHbfmRUVm/4GhUNN8ko8eG67ueuftkeTD
+banKmnuSay02I42A0th2w8Hz7oaOUEpl8S9TfqeFuqLhtUP0FzUNMPAg0o5YTpe4
+xAArbPbFvH2l3plEaYccKYvbAGT/
+-----END CERTIFICATE-----
--- a/tests/certs/CACertCRL.der
+++ b/tests/certs/CACertCRL.der
--- a/tests/certs/CACertCRL.pem
+++ b/tests/certs/CACertCRL.pem
@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJQTDEVMBMGA1UE
+CgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBFw0xOTAxMDEwMDAwMDBaFw00MzAx
+MDEwMDAwMDBaMCcwJQIUSXAaPeUatfheDTFo77LnMBHgyeMXDTIzMDQyODEyMzMz
+OVqgMDAuMB8GA1UdIwQYMBaAFOP6v42ECbVR/AiLDZ7f2WKtYXILMAsGA1UdFAQE
+AgIQATANBgkqhkiG9w0BAQsFAAOCAQEARMWBcG6sanX3nwoSPGcUNEkYG2+qB8/w
+wlcWWY7RfOGQWVHqbVvklJdTYFDw+mA6RuATMOd5S6hXa8tms4L2YQUmYyfNOyJu
+INPDnqueQshFZ8PqBTaP6O/NRI/LOLpcIIohgemwfPYPrbd/JqcLlQ2Vbgb9Lnb
+CYZWGOF7AKC0ugTTvLuWr9LPwmWFdORtmm3UJfFOPDX6zmHPAPhBUuyrxl8UoNZB
+ZPvgeBjbyQy3MaJsbaniwoOahmT+MbYV/0/YRwI5XDxjiOdJSBz3Wd5YDNDozvG6
+zZMHtF9TkUZjmLUe3Jm0GnS33gU8SB6YdYpnnPg+Up4w5sye90pk9A==
+-----END X509 CRL-----
--- a/tests/certs/CACertCRL_crldp.pem
+++ b/tests/certs/CACertCRL_crldp.pem
@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICMzCCARsCAQEwDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCUEwxFTATBgNV
+BAoMDG9zc2xzaWduY29kZTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkxHzAdBgNVBAMMFkludGVybWVkaWF0ZSBDQSBDUkwgRFAXDTE5MDEwMTAwMDAw
+MFoXDTQzMDEwMTAwMDAwMFowTjAlAhQxdzwUXgMSEn/RzOwbdKtxlLgYJhcNMjMw
+NDI4MTIzMzQwWjAlAhRJcBo95Rq1+F4NMWjvsucwEeDJ4xcNMjMwNDI4MTIzMzM5
+WqAwMC4wHwYDVR0jBBgwFoAUYbtAOknHjmiu3l8ONAUY387kFi8wCwYDVR0UBAQC
+AhACMA0GCSqGSIb3DQEBCwUAA4IBAQBOPbjiBQ1jOEjfQ1Q3/DBfzFKxeL7Cdoiq
+6l1psqamZRTmU0a+1qRH/qokB0gA1XeeYIZRcruthHDk87F+WZPCKIr5cqfH2RFA
+xjDEkwgA8OZSdSMh+ZhBLBoGjZhFdnX/FknMcA23cLnzuv4RmsbiokwWrysebDNY
+DbTQpa/OFvqmHmgXbhrBqUinF7gl1ppzXs/d+FjSg1aAre/lx3KEXCgc126kldS9
+9+c//UPmltYB17ipVWBmVOyVHNphnHtqPElD9Gz1DooVZ1opsqRBh0APu7fqmm6A
+5d/lvNlPrlu835/fgUF3YmyU+w4x5sQCBjprTD6QIbIzCXDXfpBj
+-----END X509 CRL-----
--- a/tests/certs/TSA.key
+++ b/tests/certs/TSA.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDhMfTdugKYNDCN
+opsz9rTpYF710kq3fDN3JdmEFPoZfhZ58CBm+iZBJRCc8KoXMbKAgAZsFaUyU63M
+07fYIxJeu3CTOi7kFQRy5bfGrEOnTBMKUqR+KcOZNeNYtfkv4eca25AtTyziJeBV
+TOqDoVG5x75ad0+Ab4xA9bhbN4+7m5jS1aJeHtj8eDBkJOIOKGbZ0WEstffAIzWO
+qCC+YFqxsXLO2hOxRgxgpsY9Va4bynn6HW0FZUcUQGEDH0Y17o2KInSyYASad7VI
+F5jjiJnAzzvU701URZ7kjJFGbT9W7523Ljytl/Mvg+5qTG5JNQjVDsWHte6j1Kq8
+bAHpZ6NjAgMBAAECggEBAKDpXmv1FxeE61C5aSc3WMwNxaznZ+Y2RFwV2phrmM4Q
+b6UP9Uc/5YfVIUrTGObb5w207WHcEZ+ldWIPwqUZYm34h5dcEtd9QSGMjcXTn7/y
+NwTASrOvygk3HU1tMjKJu+ZQD3Sgx5SMtgCdplEKO2iBlr3z1QYULubX7bSYPgcx
+7sOOpEpITayd8HdOkqkqUvLKxAW5xhL2AzBQHaJiGL/zaW0uKEoOVuTrhNw4+Lnw
+2IYGrdXpGLAd6hno4kOg2ZkJKWA4Yd+adroeV3BjJ2G1hLJAbPDtS/uB4ZnT1zQx
+OlkqiPgnoH+16I+aLOs7MvIwQ7VRdF46Exk/9qIdHEECgYEA/sUoOQya1/JgPpbd
+QeAViTvu9vCFJCnJMkyobG/CVHRDIsNwE/CpaQE+vCn/LpUeKD1KCHIjTOvLF4HM
+CHt9SECApJESIdexKGP6DVoW+xnomojN/k0YW1JkrnXqmvDw5u/nvFz/JPncKZzB
+Ahx6ocORz+t10V8IRn6SlN0E4MCgYEA4khANwZ0Ys0CwVJkx5+mX3ukgXGsLDcB
+p1bGrnXhbZOiZxxeWjbR/7b4PyAzsoqxiC/F3RGnU5TEPGnUUeGWv8UFsVsgd8tG
+QvTOC5iEio6fs/IPZK4Asy4a5ByX6bXjbqSnypN+vf+9lFOvI/+yZ9zKejdoD5Xw
+k150XRhWyqECfzDDi+9fekPbIJDaT39MZNLfpd2eK93AIcJ+6b3XplqD5lXBErK+
+Xa67jkZ1w2InKJ6LHKCBOECA4V6eeW8mM9Sgg/77xXy0zDPu7u2fUMa/LsZlaQhD
+uWXBX4QFDeKaO4H4aWKkajGpoXpVhsry0tsQ/qqkhaGuqxOq5T1Uu+MCgYEAhz2J
+a5mm+9ntmJ9m7kxDwnOCWX8X2QEzMtFRQ7nedoAzIw84cRCsp/myGwBjBYWRH4T1
+6+9+Ix0Zv8W8iQeb8peNlHeTSyWpo6DueM26AZnGZ2T3wEOi1XRrzAQu4xa7jEhK
+pG9M47+yjbEKTyimdx7lwO/WeOIze9CLGYzPaqECgYBfgaE2HpG0SYKfDy0ipyxe
+p5ZoGQUXksi7WHSWSTl3tA/0NTtYKCHKb1/hRezjmdRgTuqBaV3y2nF1XmlKw9EX
+nYx/xAfhnyh9K7EZEMtDP2zL6tV1sp6b4Jd7sbFvM/bMJBY6KtKx59Y0u4nkgcH2
+gt3jad7Axl6C3faOfjzeyw==
+-----END PRIVATE KEY-----
--- a/tests/certs/TSA.pem
+++ b/tests/certs/TSA.pem
@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMzCCAxugAwIBAgIUBxGrWWn+gk2O0nxUeOQvpcu0HUQwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
+dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA4TH03boCmDQwjaKbM/a06WBe9dJKt3wzdyXZhBT6GX4WefAg
+ZvomQSUQnPCqFzGygIAGbBWlMlOtzNO32CMSXrtwkzou5BUEcuW3xqxDp0wTClKk
+finDmTXjWLX5L+HnGtuQLU8s4iXgVUzqg6FRuce+WndPgG+MQPW4WzePu5uY0tWi
+Xh7Y/HgwZCTiDihm2dFhLLX3wCM1jqggvmBasbFyztoTsUYMYKbGPVWuG8p5+h1t
+BWVHFEBhAx9GNe6NiiJ0smAEmne1SBeY44iZwM871O9NVEWe5IyRRm0/Vu+dty48
+rZfzL4PuakxuSTUI1Q7Fh7Xuo9SqvGwB6WejYwIDAQABo4HvMIHsMAwGA1UdEwEB
+/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwHQYDVR0OBBYEFHnEl41jHza4
+2tqVE1fctzcQRFMNMB8GA1UdIwQYMBaAFE6fD2uX/Q6n9KjFBO5tB++jGixmMC0G
+A1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvVFNBQ0EwVQYD
+VR0eBE4wTKAYMAqCCHRlc3QuY29tMAqCCHRlc3Qub3JnoTAwCocIAAAAAAAAAAAw
+IocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
+BQADggEBAKMnM+tX2AM6g9SSAbgAz25vHRs+/hzZN2EMZOz+ZsNZufRwRbDH4eC5
+mm+s9PKw99vk/67vJk+IxfOLsZSleRX6h7DqXKhh5j8S/IPfOuIxWUfQGMlnfHNt
+IdePg1vIQCwcj998e0NIdnioSnGrKRay0A1Y+7zY+9B8/sRCAamyAFyqjG5UG70q
+NOZcuG52+ZHYfA3poW4MTBWTi+k9tK786RpRWj+I1ORBAJIFZ1SRzPQ5QL4XqE14
+iKowHAJbo1/X6Xr/SW2B+oC+p5jmONRi/rwHnUEqWbkbi+CKWdlI+7HTApncofLi
+JVHLUWz0r6IIp0mHrMwoI94yZBVXje0=
+-----END CERTIFICATE-----
--- a/tests/certs/TSACA.pem
+++ b/tests/certs/TSACA.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIUf2df9lAckuBxsAT7UktJTpH8H3EwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
+dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH7Zl2oFIq75eVCHtPSH5apYifPyFvIAnB
+J8D3/ylM+Ll5X0/mBkyU5yR7CN0T+WsroWmkkGLuDbrqRrGG30Zs6/DIgHnLn25l
+rM/6C4B3TApIoBPLqLWaYd0EUwn5hyh5vJdolzCwZtr3swS1BZ23WlPXXWIO8F+m
+E5QZiFWqjufoHWECyoa3OwJ+U/UcR+Tr/HnlBXaZswTJdr91R9imWZgAE6EF6qM5
+ZnzNqgsjKPIN62FIcL3SD57CcR8fYvOAHGlY9r/CoDMuAs64wp/+oovC4J8WHvqV
+xg/z32V7osNq4ko9IArTDESj1ZlL33uVGy/GnTAMZv1CKFMrCfMNAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE6fD2uX/Q6n9KjFBO5tB++jGixm
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEArE8W97mfL9a8NcaX
+UmJwiBsoA8zGQ1uWV051JHuW+YbC1az2pRR0kXOLkXeCNhwHfxb8pvEjOToa341K
+5NYFSRPJVkR09AaF7KjuLzZO821roxbZPPbS8GsFGJ5GbLe6F8EW06rCyLN03Y2q
+bOAQvAof421193HIO0baBWE13QsLk2wQEYyB/Yld3919ub9plQLxapojRdK2s+cY
+Juftt8hE3UDlfQkpnVbIpU4Q/LFtPztfxkcd9rkz/kujH+juBd2UnirjK3n86ReU
+1MM2QvtnMlXyZiXHujrOkWGS57KaYdkDAV98zWk9Bx7g6K97cy0JPdBq2cnucUJw
+0mCOiQ==
+-----END CERTIFICATE-----
--- a/tests/certs/TSACertCRL.der
+++ b/tests/certs/TSACertCRL.der
--- a/tests/certs/TSACertCRL.pem
+++ b/tests/certs/TSACertCRL.pem
@ -0,0 +1,15 @@
+-----BEGIN X509 CRL-----
+MIICUzCCATsCAQEwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCUEwxFTATBgNV
+BAoMDG9zc2xzaWduY29kZTEkMCIGA1UECwwbVGltZXN0YW1wIEF1dGhvcml0eSBS
+b290IENBMRQwEgYDVQQDDAtUU0EgUm9vdCBDQRcNMTkwMTAxMDAwMDAwWhcNNDMw
+MTAxMDAwMDAwWjB1MCUCFDF3PBReAxISf9HM7Bt0q3GUuBgmFw0yMzA0MjgxMjMz
+NDBaMCUCFElwGj3lGrX4Xg0xaO+y5zAR4MnjFw0yMzA0MjgxMjMzMzlaMCUCFFcV
+Ys5TRUZVMGFWN3Et/yQQme62Fw0yMzA0MjgxMjMzNDBaoDAwLjAfBgNVHSMEGDAW
+gBROnw9rl/0Op/SoxQTubQfvoxosZjALBgNVHRQEBAICEAMwDQYJKoZIhvcNAQEL
+BQADggEBAEu9tNvUMHJ69vCPdJH3FUuGPHuTyC32aLBoV/g/t9OD+95fDwwijKbX
+QcypdgGEp4KEH4WQQ8JyhScgxd3gjnNoB9ITIZ14eZ9uslIZPaQztMDqvzLZcsLf
+PXWWvCs8GO1K30VVqVual+OT8ojWBAgF49rg2OZX4JUAhXyaP360MtWEWVNghRwk
+FhK7q6HOaNtxrIar1ZuDkvqEvmaEexJ/3HOGAM0DWmhneO2hIpCAfpYnGic66I69
+17FQWE6WLTS+Hjc8qQEDPeGsSK3NWhGiOKDr1Zpjae5PknghxzfxE8u56t6pMBHj
+DWYGMc57TpovDpTdla7YipkVxSrTkhI=
+-----END X509 CRL-----
--- a/tests/certs/TSA_revoked.key
+++ b/tests/certs/TSA_revoked.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDPPtqTsdzCK99B
+5zSNIiu429Tbc/S4Aa9eSsbjcefTy7NkCPankl8QeBIvQ75P98qH828iDlSH2u3N
+Rp121r9wjEaM3qmkkyP0oWwjoK0du6y3hI59rHhOt3FqO0ec40Rf1yxrCKE+pCMd
+TI+Ifozlxe/T7FhwxLjOIBIt4gDF6sOn06ToTC1CoVi/nd9E5vgKjuQW0F1Y7Hey
+Ft64YStUXxvLB03mw8+bciZI3BQGrgOD9CCTWZVK7OO147qc8TEoQle1xKISM5wh
+vaHbNUuhMRJG4qVyrZ54BICRW7r5cJZBBDVc5i1XD50Nup4wIjJtBAnPZDAwEwac
+XZ53hHAPAgMBAAECggEAeGmume3XtEHFYAcz82SNPsULcc53u4nPGNwdnv0Jk3dh
+bZf/p/FVpr384tVbeB8i38bDJWhqGN1NGd4Tk37GkGAQhbzBmEudsn8v06uBqirm
+WHdYIubAzF2hiCXRUKO8ZiVyEKlXT4E4Psg0k+lEcPlyp4h7LOAJNNhfKM5i8QF
+3K7Pp/VcFqtwJSmu0vSycJOJWyUfqRLxgWS95r2EG1rwD46KFBCoHOa50kiZFdiI
+q2h1XOiXtdaG1yn6HRS75gV4CR+MCGkczs9onSl4IpwNlq595NMCujhFcHjjKzwV
+F4E/83ehtj7WruyNFwrFbabNAvLSY8nVBHabn/3L4QKBgQDrYHKn0njihjbaPT5v
+1yoJyz/1eX/fscvDhQFvhQoirk/A3iSwOd1jszGvvYxRnfRnLDOszTCq/+CRSv09
+sU7ECDcJPFJY8GzDMLjoBJRDtHdsFjU6tliHgyXFVpu46sIt0Z03Wglowyytc9ws
+9e5uf3xolNbhdLTWfovoRp5LJwKBgQDhZ2qWOyGkVyuPn0GSVJVnOgK/PUd9b7Ze
+R77i/P6sgp9d3eAXK46oYJM+6TPnQwZYE9CHUMMqHmtCm2iHqCEitZ9mvZgPt6p+
+sR8HxJ/JAowDB8mOQ8usd/1S0M5e8SwSpuRajkYw0cndvwn+ezAlKsZyCN6sm73B
+3ruQvVjk2QKBgAJG6pUJCjZWyg0Obp4yXKu/lZzQUhZd5/S6QqtLhC+VtBvPildS
+F/ww7Zgfo03e01B0MwPG8GOXGhsNuKlyH6rx0WZ7eOh3WvYAcKl98dk907Ht/RHW
+VcDp2eGw1szRKJO85WJ1soWa7cG3zzd4IZhcD14LopCHyoAQtVXH6RwdAoGAddQM
+yNnCXVlgIST8LxVeQGb31qae/3htWd2hcKEWNHHYA0agBRy051oMvv9DLapA37wD
+7yiNzS+3nEsHGpsOL0nIOPn1SooVa0MF2Ja1fGuDa3Yfq+nOx6q11xvmNYVXJ6zs
+hFYJZS3Vm8Bo5gnZgiRZNnViidKkIHthi2kf1gkCgYBzaNgT4fbNPpgia/Vz3rd9
+UIYpVzMEP6HkTVYXQH+qLzRpjl4HG6LanMbxtf/0MBHBwtEyVftKopgvkcJCDUCS
+Ls+BYieF547/2W+pnV7lbz7eD6w2o7zNPNj/l+RB2PXgBZGQv1N4HgLsz+yk7eyI
+s3UnnC/9NhgSMwB82OPX3g==
+-----END PRIVATE KEY-----
--- a/tests/certs/TSA_revoked.pem
+++ b/tests/certs/TSA_revoked.pem
@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIUVxVizlNFRlUwYVY3cS3/JBCZ7rYwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMEQxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA1RTQTEQMA4GA1UE
+AwwHUmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8+2pOx
+3MIr30HnNI0iK7jb1Ntz9LgBr15KxuNx59PLs2QI9qeSXxB4Ei9Dvk/3yofzbyIO
+VIfa7c1GnXbWv3CMRozeqaSTI/ShbCOgrR27rLeEjn2seE63cWo7R5zjRF/XLGsI
+oT6kIx1Mj4h+jOXF79PsWHDEuM4gEi3iAMXqw6fTpOhMLUKhWL+d30Tm+AqO5BbQ
+XVjsd7IW3rhhK1RfG8sHTebDz5tyJkjcFAauA4P0IJNZlUrs47XjupzxMShCV7XE
+ohIznCG9ods1S6ExEkbipXKtnngEgJFbuvlwlkEENVzmLVcPnQ26njAiMm0ECc9k
+MDATBpxdnneEcA8CAwEAAaOB7zCB7DAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQM
+MAoGCCsGAQUFBwMIMB0GA1UdDgQWBBRWRawwlcW57baAiuBVmi0WFKIZqjAfBgNV
+HSMEGDAWgBROnw9rl/0Op/SoxQTubQfvoxosZjAtBgNVHR8EJjAkMCKgIKAehhxo
+dHRwOi8vMTI3LjAuMC4xOjE5MjU0L1RTQUNBMFUGA1UdHgROMEygGDAKggh0ZXN0
+LmNvbTAKggh0ZXN0Lm9yZ6EwMAqHCAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAMA0GCSqGSIb3DQEBCwUAA4IBAQCQbgXQtFr5lWjs
+tzlGJAuZfIq1f1arWWrJNSHrha9RUtm6uMoh2aMYByfEcopB9StqMo8QH4yS4LGZ
+/6B81EF+dugIIb9BrE00ASgXxZ6aGGAe79VwqdG8DXp+VgRbBQA87S2KeSN8wfm+
+G2AGRZF0JWS4iW5kGgrqeC14IN1FajHklrh7rOIwo/h7uVIOINWtQnHyBjlCQ6N4
+OTFFgtIOY5KXtYM1A+Gx2nt3uZnEh/U/ZxHslUb55O017Qfkbf11JXFil4+ZfqMx
+QuRuwMAWlyEg+1UfNae4Sg3XqPheshBzZ7ykwKGZZPeA/8kKfbXoE6Kdy5HmT/El
+8e7rP/mN
+-----END CERTIFICATE-----
--- a/tests/certs/ca-bundle.crt
+++ b/tests/certs/ca-bundle.crt
@ -0,0 +1,47 @@
+# Certum Trusted Network CA
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
+
+# DigiCert Assured ID Root CA
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
+JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
+mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
+VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
+AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
+AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
+pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
+dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
+fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
+NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
+H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
+-----END CERTIFICATE-----
--- a/tests/certs/cert.der
+++ b/tests/certs/cert.der
--- a/tests/certs/cert.p12
+++ b/tests/certs/cert.p12
--- a/tests/certs/cert.pem
+++ b/tests/certs/cert.pem
@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIID7jCCAtagAwIBAgIULWwn/gLcPMAO/7oGqx5A306mxckwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMIGdMQswCQYDVQQG
+EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
+MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEUMBIGA1UEAwwL
+Q2VydGlmaWNhdGUxJzAlBgkqhkiG9w0BCQEWGG9zc2xzaWduY29kZUBleGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64qSULdxvTp7A4
+2dl/JbLq7GJ4ZcPbtfUyvVTB5WuntN08bpgnxljON0Ig9lFpN2OOlms/SnodlE6Z
+O8GY8kYu/aK3zHIHp3EykzRP1glf7ukcCMpcSaS5VUho0QQ9PVvvMHVNtaQ00r2i
+34m8DbGj4aRUNI5eA6Xlzz8QnhvCgtRTVbp5ZRjxo1ZNq2eEZxa6UnFshlx6i0/o
+kYPrdKTIvUv2zoRFd9H/7+B2Xwse+qppcZe0BiKSa4l6PrL2iHteYE29ggLLSqe+
+zavGN7Ev7jP+bZLU/5eq58SBy8uFBDkh1FvZEPAnJ2X/vwNzySi6KTliCPc9Jf5G
+wSJr+5MCAwEAAaNiMGAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUVeUILLpF5PWz5rAD
+iWzV/2oEP3UwHwYDVR0jBBgwFoAU4/q/jYQJtVH8CIsNnt/ZYq1hcgswEwYDVR0l
+BAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAHckjLcj9mswr08aF7MV
+EZTKKh0IOaHj7oh6vLR5Yg2n+E+9Gog/+ulbKXNe/5A9QU2R1NdwZKEeUeSuF4qW
+P3JB79BepgR6/VYKyVWH7St4ixy1GtNEFrHWsID212Jd0Rr3+kc9OJUO0aw3nvg7
+Apsr1dztjwlUN2ugLzVoDJ2wMqlu5ZQW8pINIYet127cX5knW/acPCPcqPVD7jmm
+C40xgqeKD2a6OafSS5hjO4UeCoeHnXlJ4Sep8wz8VDlu39Hr4dwFm8v9MuvBusCr
+/sdwzTRAc6mhBL/4PyJrBRhibbTxSaDKBHeWcKpmNp4DIk1vc8h6yhDUb1fgafgX
+7nI=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
+LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
+CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
+nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
+0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
+ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
+HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
+JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
+FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
+Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
+xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
+yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
+-----END CERTIFICATE-----
--- a/tests/certs/cert.spc
+++ b/tests/certs/cert.spc
--- a/tests/certs/cert_crldp.pem
+++ b/tests/certs/cert_crldp.pem
@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIEPTCCAyWgAwIBAgIUZp72ahjzVryMA56ev7+Z8Rxyo2kwDQYJKoZIhvcNAQEL
+BQAwZzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMMFkludGVybWVkaWF0
+ZSBDQSBDUkwgRFAwHhcNMTgwMTAxMDAwMDAwWhcNMjQxMjMxMDAwMDAwWjCBqzEL
+MAkGA1UEBhMCUEwxGTAXBgNVBAgMEE1hem92aWEgUHJvdmluY2UxDzANBgNVBAcM
+BldhcnNhdzEVMBMGA1UECgwMb3NzbHNpZ25jb2RlMQwwCgYDVQQLDANDU1AxIjAg
+BgNVBAMMGUNlcnRpZmljYXRlIFg1MDl2MyBDUkwgRFAxJzAlBgkqhkiG9w0BCQEW
+GG9zc2xzaWduY29kZUBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAL64qSULdxvTp7A42dl/JbLq7GJ4ZcPbtfUyvVTB5WuntN08bpgn
+xljON0Ig9lFpN2OOlms/SnodlE6ZO8GY8kYu/aK3zHIHp3EykzRP1glf7ukcCMpc
+SaS5VUho0QQ9PVvvMHVNtaQ00r2i34m8DbGj4aRUNI5eA6Xlzz8QnhvCgtRTVbp5
+ZRjxo1ZNq2eEZxa6UnFshlx6i0/okYPrdKTIvUv2zoRFd9H/7+B2Xwse+qppcZe0
+BiKSa4l6PrL2iHteYE29ggLLSqe+zavGN7Ev7jP+bZLU/5eq58SBy8uFBDkh1FvZ
+EPAnJ2X/vwNzySi6KTliCPc9Jf5GwSJr+5MCAwEAAaOBmzCBmDAJBgNVHRMEAjAA
+MB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJbNX/agQ/dTAfBgNVHSMEGDAWgBRhu0A6
+SceOaK7eXw40BRjfzuQWLzATBgNVHSUEDDAKBggrBgEFBQcDAzA2BgNVHR8ELzAt
+MCugKaAnhiVodHRwOi8vMTI3LjAuMC4xOjE5MjU0L2ludGVybWVkaWF0ZUNBMA0G
+CSqGSIb3DQEBCwUAA4IBAQC2yNGXw1VZqBWY7cnJtiZpupKYCifRC1dEFlKcozpd
+dhWHDKpGDCzqaL/WKpqFjOIrCbG6gsfB+nu2VQv4nE8lwwelMgpeVB+v197A1SvE
+wLl71R5a7sxF0x5aBdUyWeCTeBLu6KuWQrpPcZVM3uMqhqCJ8CiSUtS1cKn1K1K0
+KRSgFTs4AFUc0rOa3wYvytps4cw/TyDXArlvGVMlDHNLffEsx3vElZafaGvyEK0J
+TsBM2dakcpP/ceuJU1gd8hLadzjfKOFml7z+qHfUa/mky+veK2M5vKn1ph55qYHc
+WtEY/wwBjgqE2VseqMLb06J3tXmTKgESGXISAnqoau+t
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
+nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
+UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
+n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
+J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
+W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
+Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
+AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
+RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
+4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
+QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
+Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
+CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
+-----END CERTIFICATE-----
--- a/tests/certs/crosscert.pem
+++ b/tests/certs/crosscert.pem
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAragAwIBAgIUKUVnRllbtypXICoznroWil39jU4wDQYJKoZIhvcNAQEL
+BQAwbzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEMMAoGA1UE
+CwwDQ1NQMRIwEAYDVQQDDAljcm9zc2NlcnQxJzAlBgkqhkiG9w0BCQEWGG9zc2xz
+aWduY29kZUBleGFtcGxlLmNvbTAeFw0xODAxMDEwMDAwMDBaFw0yMDA2MTkwMDAw
+MDBaMG8xCzAJBgNVBAYTAlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNV
+BAsMA0NTUDESMBAGA1UEAwwJY3Jvc3NjZXJ0MScwJQYJKoZIhvcNAQkBFhhvc3Ns
+c2lnbmNvZGVAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDFCjBrTLeh9wyMb6tJi1SMz+Pe6Eb8SCg4+soxBAu1EEVo4Ao810j2NVdc
+aoQ2Ki097hl9LHcA0DMT8AFRHfXMXHSSHoYHsPcwHO6RJHXcDE4fSgkl41GtCnf+
+qUOA+QZUqNNKNOELUHboydFMytNGjuSaO29BObkiHCRB8gnfKuqGZn9YrfU8AoGu
+xv7RzKgD+uC/dTZSONAW+h7TuRn4/qtqTqfk5SnmTeEDbW3lyYLToRRKUKcYR68a
+lT/IZ2cHCrZMqvykR2cCMCARbTyI8ZQ6ogzXS/tncJYu/RTtEoKiN1EweG5R0cgU
+G0xQISw5RXMUSgWkWUL8rYpFcmahAgMBAAGjYjBgMAkGA1UdEwQCMAAwHQYDVR0O
+BBYEFBt9u2LhSzaQrQLcja2QtFexM2tKMB8GA1UdIwQYMBaAFBt9u2LhSzaQrQLc
+ja2QtFexM2tKMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
+AQATfeXQ2kj+97IHUOtFZTjcIH47U6k8Po11WD+Af4PRmacOKaSv+rlmgpgHfQJV
+nM90mxUvKzaoJeId/yR++U86rcu8a87njHoyDzx2HMcc47P/2VkErT9W4gyJE0Ws
+JyIR0k0XZiYJ+pJOSjnd7SY2gs1oBT3+Go5TyClAfzAP+U10fK52q802XNPw5MY0
+LEyRqCH4QYb71Hd4kGqROVy1EPv18d26apD9vK/zZuvOsbz23l0mdochYrtmfAA0
+LuNwefIgxzki22+bZe7lJyuV5WsqSNGVty+fvqmw9JUfzeOpIzVK/SxqANJnZBBI
+kapgFmTwk4JEfB3n2WTmbs9C
+-----END CERTIFICATE-----
--- a/tests/certs/expired.pem
+++ b/tests/certs/expired.pem
@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIID6jCCAtKgAwIBAgIUW4SefwoiLUfTBaHpZyd8knsGVBswDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0xOTAxMDEwMDAwMDBaMIGZMQswCQYDVQQG
+EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
+MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UEAwwH
+RXhwaXJlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvripJQt3G9OnsDjZ2X8l
+sursYnhlw9u19TK9VMHla6e03TxumCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7wZjy
+Ri79orfMcgencTKTNE/WCV/u6RwIylxJpLlVSGjRBD09W+8wdU21pDTSvaLfibwN
+saPhpFQ0jl4DpeXPPxCeG8KC1FNVunllGPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0
+pMi9S/bOhEV30f/v4HZfCx76qmlxl7QGIpJriXo+svaIe15gTb2CAstKp77Nq8Y3
+sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ8CcnZf+/A3PJKLopOWII9z0l/kbBImv7
+kwIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJbNX/
+agQ/dTAfBgNVHSMEGDAWgBTj+r+NhAm1UfwIiw2e39lirWFyCzATBgNVHSUEDDAK
+BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAp06uHnxO63Ecn+knaXkfrNGg
+pr+4WCc0onXYOE37+IwsCFaUqCIr1UsnnKWSzSlSR07FHI+VaV9r3knT6VPMVsUU
+L89jHC2vLUvyJJOtuTpuOVGIzzCquYWvYRZrp2wmTceMSNhLcO1VGs28uwQojWEQ
+ZsEdFvkYeWFInUQ1mF0dLnfQjh7RcTxMJ0CxZblJ086j3AbyzM6ZF6XAVPAqBH/S
+gsBfLVGnZnMOwvKwsxViG1ikRusO6GtcIy6yxmNCUhWbIL+R59EYy++x3xLVUU90
+YnScDN+xM9A2wHO1hQpLK6DIiHpbAzAgll5xD0JWh+efRWHEtGN5JTybowG9yA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
+LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
+CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
+nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
+0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
+ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
+HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
+JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
+FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
+Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
+xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
+yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
+-----END CERTIFICATE-----
--- a/tests/certs/intermediateCA.pem
+++ b/tests/certs/intermediateCA.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
+LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
+CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
+nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
+0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
+ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
+HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
+JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
+FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
+Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
+xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
+yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
+-----END CERTIFICATE-----
--- a/tests/certs/intermediateCA_crldp.pem
+++ b/tests/certs/intermediateCA_crldp.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
+nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
+UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
+n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
+J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
+W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
+Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
+AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
+RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
+4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
+QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
+Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
+CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
+-----END CERTIFICATE-----
--- a/tests/certs/key.der
+++ b/tests/certs/key.der
--- a/tests/certs/key.pem
+++ b/tests/certs/key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvripJQt3G9OnsDjZ2X8lsursYnhlw9u19TK9VMHla6e03Txu
+mCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7wZjyRi79orfMcgencTKTNE/WCV/u6RwI
+ylxJpLlVSGjRBD09W+8wdU21pDTSvaLfibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNV
+unllGPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0pMi9S/bOhEV30f/v4HZfCx76qmlx
+l7QGIpJriXo+svaIe15gTb2CAstKp77Nq8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHU
+W9kQ8CcnZf+/A3PJKLopOWII9z0l/kbBImv7kwIDAQABAoIBAQCEsjqNWcLPi53a
+kFOSblKuf6FkidxUP2QEa/8rH5UeKBtA6rEQEGyCkUgFLKX00r4E+MpTaD/LYxUy
+8o6PDnlSt5MlSbhnhkfMDKI6/WkwMJ0rd6PuF/PtNj3OGY+D4Y/1jSAsHZtJ2q7d
+3pqlXEAy3pE6IpRGkcb8AD8H4+n96U4sNnytll6//5uD55PRbxZwB0mmNJOVoZJK
+CbW0wV3rKS0UslFot/b/jNvmCQym3UmWz3elShRTZTA7cdQt2YtKaFO5zFxbbh/
+L0+Rija2tVyUPswSbeGxiyfF2RRt++91S6RONfc9B0JKwkNkbQEcM+dPIfIe/nIc
+8CgSCUThAoGBAOUMBWLhxE6QW1KeR59d00wtnWzN7x1CQ43LciIRMz3C8BQLpRmX
+DmTDASxy9B19tEhdVHzYhq/+1x+vM7TWiPeLg2IhvFZEhpIdN7J1n0iUI3P08dHn
+KmvHSu1XGQfngIMT/Ey9xdMpAxsZVJsScuT3sUxnUKxzFpCvTuiCP4ibAoGBANUq
+FyAywSsGCrl77BaQh9GDsrL3i67owfpWMs6JjywfEFdpfGZnJTCvlfKtv/Jrp4jB
+p5PM5IOil63RqQXa8/pv9pQr2DUGmKegNhDGgflK5+BcbTpkAYIcGHekhoTy2TXU
+BnlKaNy5Te80yEFVfFRejK1rQ2ZqHqZP3WtzBBxpAoGBAOGhAOFSg13dKIjvcKCV
+/aLKQIzBJG6PKxrQMeNLTE3n7TXh7saRnlU2H77Yko9GmES845CEf9F5WhNVNLtM
+puor3cXac7wLjwD6lTZQVhNaEr6UqW5bqNc5IB9DMF4v99Gn617xhqGnge68+jI0
+b0gMk/QuxjLKwIzQlQvH2qxHAoGAaFYXx6zQHAzzBuL/JfRMZmK9/xdniY9oEu5K
+JAn0yDXUO9ToDP+Dlpb7IDOndjL3Z9rR+WgamcvlzjCHONR5AyX2XYQwaZP2+GVU
+0VU4nRrq8EiNNj1o95Rk7XrcVQrBArXrDUc8mH0jBmihdEkxd+JnnSKZdPGQWvtQ
+d51ub7ECgYBHbn8uyl4sHLj6y5L2KjsVFpLJp7OFNv3UUN9TrY+rd+CjmTFBSE52
+XaV7v8Ul5nDRom5D5R/z8iFK+3Nx7PJq+WesEAPfNPc+BJFkRdJW6ysp/jHnpRV/
+rUTaWgQp5/em1GAvBHa8KAoPAS5WAY/lxByruBSTbUSNuC5gz52xzg==
+-----END RSA PRIVATE KEY-----
--- a/tests/certs/key.pvk
+++ b/tests/certs/key.pvk
--- a/tests/certs/keyp.pem
+++ b/tests/certs/keyp.pem
@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,B9C24663685D6009
+
+GMA8W6sGC+xtNYoPzX2j0driKlngRIbmABYMbm8TSac8du7/S8uBcG2i6z/d0Plu
+pHr06uIcZDjCN0iWkhMGS7ai40ddBjxjDS/f9ppUZdOtTX4MzGfqb/d9LGVi1P8W
+zYSuz7BI0B2ttcbpmMIhxdGMtRz8A/MDPm8eBnEmIYjRiW/ES2HfHlrm7CFlrd72
+vgiAmFPtx9P5AE+KMFiSJDkSVMKX52yvLfBQAeBU2aQI7z5BTfwIpGgVKBT5qhq4
+EwL24FrEJ1+20Q/Resd/nfqv6lzNPl6SQLhCgY25Yz0Ke9u8Xnhn1aoz1BCDtw8u
+fnzmaqexf6w70rC1qX+CyrHLxO19lRUn5wChyPYaU2oAt3a0iKktQWdqHUIAGi+d
+Q3DpgsXlQXuXHDeBh5KKePz6g1f7pjacpjH8t8Y3VqurQop8Ku5KiVln+WyVklbS
+9ipr4Btf8NnWWD+kAvdo01ObRRGYxZwj/mlr9ePQ2d2vd9wNLe8zS0FZSzBE7cZH
+OPMuZnjU9Ruub0GJpHzsNBhMNIl6M6c2DSphrUTZBG6Sogx/aVSxe3Z5sojULfNT
+aifhUP/qR94nFokwRs77zXwWJlIF02g6caL8P/fPAcxIaItl+Q3DFo0wEZOzDI2X
+7ijPoEj/TReVajulxCcISJs5F6gaPKhNW8FKxvFH+3LnMLW/BeHNSGgnIFftkI3Z
+GqwcLN+X76qhPzS1UFF12fW9wYXjhMnR6bvVaadP6+XadZonyE+eGdRjZH0M2IIF
+Jv6si9Zxw+sesmmFXzjU0jzv825rD0NtPpYKWaCdtX1x5fkk+A4T28Yu1uLWfJcs
+4LhEkfhgILjLY02idjX4OKmwKm4w+QqBeajBCZiGTl6Fk2mvC0wCy53AEH3UTu8I
+KRkEAcl1CxsYAHZb9B00ymk3iyGTQ/1luLZfPkGS6CMJPXjSjR0i8NmOaYa+Xhe7
+bsCPYWeGT1ttJh+A5Dh39K00lSrIuQS9m3lKzdlHhZ8YL8DdeUAMBM6JKI3p8V9s
+xeb/w9Vf7iZRLsL6yDqj4zm5HFifRpFDpD/E2rC6zpUvdFiy2p6J7Xpo2cu3wMIV
+QL1te4aHVQhWsijV7LoaS3452NOnknxiNxXFWk2POwPHL1i6rmS7MlQwqDlLBilj
+O2R4YZGjmRg69zr9xJJGQQnroFEagKdhedSJ2y+lqwxl1Kb+Lp0+SOVesxfjfoeZ
+y0ctY7IJZksM0htETT6fhfJKSbMfM2uRL3FJkv1QyexnIlwmZxZgUyYAJemTZJBY
+BbAhhmTRswhp5FWdfFbYez7cV9AIhtNCoGcNQuQ+wL9OmIQbmZjFUqLIcHVyX1xA
+Zj5Jh6aybmnJTdXyIwUP3RdkHrD5JW8+d/0xMm1G89PtDJ6Q2+D3drtTB7A3ruUD
+uyDhYtpyY9m940miAsvByK2jIUlA0hLb+9+1oiWcWarl7IwxpjP8CUG6nAF7BU6v
+J/Hbikx0XMfycYp1EsQYUP4ku+S/PoJsMNU4bt248E+dDALxoyQN1Z41sYILBz4Y
+ga6z4zCA5+66ug8z2yMbC4bCo0FZxuJLcw+Ok05+PT0fW9Z3egpybXVwwY4wc6vs
+-----END RSA PRIVATE KEY-----
--- a/tests/certs/legacy.p12
+++ b/tests/certs/legacy.p12
--- a/tests/certs/password.txt
+++ b/tests/certs/password.txt
@ -0,0 +1 @@
+passme
--- a/tests/certs/revoked.pem
+++ b/tests/certs/revoked.pem
@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIUSXAaPeUatfheDTFo77LnMBHgyeMwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMG0xCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UE
+AwwHUmV2b2tlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvripJQt3G9OnsDjZ
+2X8lsursYnhlw9u19TK9VMHla6e03TxumCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7
+wZjyRi79orfMcgencTKTNE/WCV/u6RwIylxJpLlVSGjRBD09W+8wdU21pDTSvaLf
+ibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNVunllGPGjVk2rZ4RnFrpScWyGXHqLT+iR
+g+t0pMi9S/bOhEV30f/v4HZfCx76qmlxl7QGIpJriXo+svaIe15gTb2CAstKp77N
+q8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ8CcnZf+/A3PJKLopOWII9z0l/kbB
+Imv7kwIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJ
+bNX/agQ/dTAfBgNVHSMEGDAWgBTj+r+NhAm1UfwIiw2e39lirWFyCzATBgNVHSUE
+DDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAK/bCZPrxN+5HGQjZLIQg
+jKfjTRL5xwBGs8+VW4i+xnaA14pyZjDlYzASmCE/ZiryVSMJ7fuQ0TVXGtz3N7PM
+v9pRgtcohs62NJZ5dIrq4f/Op1bii29pAA8+2EHPJUyFBt23vyvlI/dBpkgQG6mi
+OUEsXQ+Q2LUD4OOJffkc/gowXcB4WFjrtFAUuu9HeZUNzV5Mm5FQTGm9nCnWsDIb
+b7Yx08hMy+6jtvkNPCDcFnos2bsipmVN4fCXkm5LPZNyMFoWReDbIKWASXaao2hN
+gzWhwWsPlAGAlBPMVWEo3k2Cz/entbAijoyqS2koN4mZABy7m5+vfzFw/yvh1/lu
+8w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
+LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
+CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
+nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
+0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
+ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
+HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
+JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
+FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
+Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
+xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
+yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
+-----END CERTIFICATE-----
--- a/tests/certs/revoked_crldp.pem
+++ b/tests/certs/revoked_crldp.pem
@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIIEDDCCAvSgAwIBAgIUMXc8FF4DEhJ/0czsG3SrcZS4GCYwDQYJKoZIhvcNAQEL
+BQAwZzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMMFkludGVybWVkaWF0
+ZSBDQSBDUkwgRFAwHhcNMTgwMTAxMDAwMDAwWhcNMjQxMjMxMDAwMDAwWjB7MQsw
+CQYDVQQGEwJQTDEVMBMGA1UECgwMb3NzbHNpZ25jb2RlMQwwCgYDVQQLDANDU1Ax
+HjAcBgNVBAMMFVJldm9rZWQgWDUwOXYzIENSTCBEUDEnMCUGCSqGSIb3DQEJARYY
+b3NzbHNpZ25jb2RlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAvripJQt3G9OnsDjZ2X8lsursYnhlw9u19TK9VMHla6e03TxumCfG
+WM43QiD2UWk3Y46Waz9Keh2UTpk7wZjyRi79orfMcgencTKTNE/WCV/u6RwIylxJ
+pLlVSGjRBD09W+8wdU21pDTSvaLfibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNVunll
+GPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0pMi9S/bOhEV30f/v4HZfCx76qmlxl7QG
+IpJriXo+svaIe15gTb2CAstKp77Nq8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ
+8CcnZf+/A3PJKLopOWII9z0l/kbBImv7kwIDAQABo4GbMIGYMAkGA1UdEwQCMAAw
+HQYDVR0OBBYEFFXlCCy6ReT1s+awA4ls1f9qBD91MB8GA1UdIwQYMBaAFGG7QDpJ
+x45ort5fDjQFGN/O5BYvMBMGA1UdJQQMMAoGCCsGAQUFBwMDMDYGA1UdHwQvMC0w
+K6ApoCeGJWh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvaW50ZXJtZWRpYXRlQ0EwDQYJ
+KoZIhvcNAQELBQADggEBALwDivFFBjB7AkLO1jPJFyJnq8C0gadoYq0Dq5roAFMq
+Lirl0LGsdFTrZ2ljKOzNrFVfw4EQHedDCsKCtsgOXG1xxLQczwsuBcIaWGzSdW15
+iNz+IKjHXSNOLEUvVcO6N6s1rt5U15lynaXFSdskBgJYA7vq6uA8RTWzhQC7aCv8
+n3Tbpe8c7j6/y5NThffBu/YZypMoraZvPohCDfMZoFNT5GYXNWSeq7gipxtaCHcK
+OdWBi5yajIZL05hg29y7r677KBbvo07EykhxQ10zEnskzuqc7hCCsuDrXbmt5brv
+REYpeGvJAu0YrFg9yLSl8FJwk/XUzGvxa2MLPyL/sj4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
+nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
+UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
+n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
+J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
+W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
+Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
+AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
+RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
+4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
+QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
+Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
+CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
+-----END CERTIFICATE-----
--- a/tests/certs/tsa-chain.pem
+++ b/tests/certs/tsa-chain.pem
@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIEMzCCAxugAwIBAgIUBxGrWWn+gk2O0nxUeOQvpcu0HUQwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
+dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA4TH03boCmDQwjaKbM/a06WBe9dJKt3wzdyXZhBT6GX4WefAg
+ZvomQSUQnPCqFzGygIAGbBWlMlOtzNO32CMSXrtwkzou5BUEcuW3xqxDp0wTClKk
+finDmTXjWLX5L+HnGtuQLU8s4iXgVUzqg6FRuce+WndPgG+MQPW4WzePu5uY0tWi
+Xh7Y/HgwZCTiDihm2dFhLLX3wCM1jqggvmBasbFyztoTsUYMYKbGPVWuG8p5+h1t
+BWVHFEBhAx9GNe6NiiJ0smAEmne1SBeY44iZwM871O9NVEWe5IyRRm0/Vu+dty48
+rZfzL4PuakxuSTUI1Q7Fh7Xuo9SqvGwB6WejYwIDAQABo4HvMIHsMAwGA1UdEwEB
+/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwHQYDVR0OBBYEFHnEl41jHza4
+2tqVE1fctzcQRFMNMB8GA1UdIwQYMBaAFE6fD2uX/Q6n9KjFBO5tB++jGixmMC0G
+A1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvVFNBQ0EwVQYD
+VR0eBE4wTKAYMAqCCHRlc3QuY29tMAqCCHRlc3Qub3JnoTAwCocIAAAAAAAAAAAw
+IocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
+BQADggEBAKMnM+tX2AM6g9SSAbgAz25vHRs+/hzZN2EMZOz+ZsNZufRwRbDH4eC5
+mm+s9PKw99vk/67vJk+IxfOLsZSleRX6h7DqXKhh5j8S/IPfOuIxWUfQGMlnfHNt
+IdePg1vIQCwcj998e0NIdnioSnGrKRay0A1Y+7zY+9B8/sRCAamyAFyqjG5UG70q
+NOZcuG52+ZHYfA3poW4MTBWTi+k9tK786RpRWj+I1ORBAJIFZ1SRzPQ5QL4XqE14
+iKowHAJbo1/X6Xr/SW2B+oC+p5jmONRi/rwHnUEqWbkbi+CKWdlI+7HTApncofLi
+JVHLUWz0r6IIp0mHrMwoI94yZBVXje0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIUf2df9lAckuBxsAT7UktJTpH8H3EwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
+dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH7Zl2oFIq75eVCHtPSH5apYifPyFvIAnB
+J8D3/ylM+Ll5X0/mBkyU5yR7CN0T+WsroWmkkGLuDbrqRrGG30Zs6/DIgHnLn25l
+rM/6C4B3TApIoBPLqLWaYd0EUwn5hyh5vJdolzCwZtr3swS1BZ23WlPXXWIO8F+m
+E5QZiFWqjufoHWECyoa3OwJ+U/UcR+Tr/HnlBXaZswTJdr91R9imWZgAE6EF6qM5
+ZnzNqgsjKPIN62FIcL3SD57CcR8fYvOAHGlY9r/CoDMuAs64wp/+oovC4J8WHvqV
+xg/z32V7osNq4ko9IArTDESj1ZlL33uVGy/GnTAMZv1CKFMrCfMNAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE6fD2uX/Q6n9KjFBO5tB++jGixm
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEArE8W97mfL9a8NcaX
+UmJwiBsoA8zGQ1uWV051JHuW+YbC1az2pRR0kXOLkXeCNhwHfxb8pvEjOToa341K
+5NYFSRPJVkR09AaF7KjuLzZO821roxbZPPbS8GsFGJ5GbLe6F8EW06rCyLN03Y2q
+bOAQvAof421193HIO0baBWE13QsLk2wQEYyB/Yld3919ub9plQLxapojRdK2s+cY
+Juftt8hE3UDlfQkpnVbIpU4Q/LFtPztfxkcd9rkz/kujH+juBd2UnirjK3n86ReU
+1MM2QvtnMlXyZiXHujrOkWGS57KaYdkDAV98zWk9Bx7g6K97cy0JPdBq2cnucUJw
+0mCOiQ==
+-----END CERTIFICATE-----
--- a/tests/certs/tsa-serial
+++ b/tests/certs/tsa-serial
@ -0,0 +1 @@
+55c4d523e595564af0ab635fd1e3aaba
--- a/tests/client_http.py
+++ b/tests/client_http.py
@ -0,0 +1,50 @@
+"""Implementation of a HTTP client"""
+
+import os
+import sys
+import http.client
+
+RESULT_PATH = os.getcwd()
+LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
+PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
+
+
+def main() -> None:
+    """Creating a POST Request"""
+    ret = 0
+    try:
+        with open(PORT_LOG, 'r') as file:
+            port = file.readline()
+        conn = http.client.HTTPConnection('localhost', port)
+        conn.request('POST', '/kill_server')
+        response = conn.getresponse()
+        print("HTTP status code:", response.getcode(), end=', ')
+        try:
+            text = response.read()
+            print(text.decode("UTF-8"), end='', flush=True)
+        except OSError as err:
+            print(f"Warning: {err}")
+        conn.close()
+    except OSError as err:
+        print(f"OSError: {err}")
+        ret = err.errno
+    except Exception as err: # pylint: disable=broad-except
+        print(f"HTTP client error: {err}")
+        ret = err
+    finally:
+        sys.exit(ret)
+
+
+if __name__ == '__main__':
+    main()
+
+
+# pylint: disable=pointless-string-statement
+"""
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+"""
--- a/tests/conf/.gitignore
+++ b/tests/conf/.gitignore
@ -0,0 +1 @@
+*.log
--- a/tests/conf/makecerts.sh
+++ b/tests/conf/makecerts.sh
@ -0,0 +1,424 @@
+#!/bin/bash
+
+result=0
+
+test_result() {
+  if test "$1" -eq 0
+    then
+      printf "Succeeded\n" >> "makecerts.log"
+    else
+      printf "Failed\n" >> "makecerts.log"
+    fi
+}
+
+make_certs() {
+  password=passme
+  result_path=$(pwd)
+  cd $(dirname "$0")
+  script_path=$(pwd)
+  cd "${result_path}"
+  mkdir "tmp/"
+
+################################################################################
+# OpenSSL settings
+################################################################################
+
+  if test -n "$1"
+    then
+      OPENSSL="$1/bin/openssl"
+      export LD_LIBRARY_PATH="$1/lib:$1/lib64"
+    else
+      OPENSSL=openssl
+    fi
+
+  mkdir "CA/" 2>> "makecerts.log" 1>&2
+  touch "CA/index.txt"
+  echo -n "unique_subject = no" > "CA/index.txt.attr"
+  $OPENSSL rand -hex 16 > "CA/serial"
+  $OPENSSL rand -hex 16 > "tmp/tsa-serial"
+  echo 1001 > "CA/crlnumber"
+  date > "makecerts.log"
+  "$OPENSSL" version 2>> "makecerts.log" 1>&2
+  echo -n "$password" > tmp/password.txt
+
+################################################################################
+# Root CA certificate
+################################################################################
+
+  printf "\nGenerate root CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/CA.key \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/CA.key -out tmp/CACert.pem \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+################################################################################
+# Private RSA keys
+################################################################################
+
+  printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to DER format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to PVK format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+################################################################################
+# Intermediate CA certificates
+################################################################################
+
+  CONF="${script_path}/openssl_intermediate.cnf"
+
+  printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/intermediateCA.key \
+        2>> "makecerts.log" 1>&2
+    TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA.key -out CA/intermediateCA.csr \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA.csr -out CA/intermediateCA.cer \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  "$OPENSSL" x509 -in CA/intermediateCA.cer -out tmp/intermediateCA.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \
+      -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked.csr -out CA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/revoked.cer -out tmp/revoked.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nRevoke above certificate\n" >> "makecerts.log"
+  "$OPENSSL" ca -config "$CONF" -revoke CA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
+  cat tmp/intermediateCA.pem >> tmp/revoked.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate CRL file\n" >> "makecerts.log"
+  TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/cross.key \
+      2>> "makecerts.log" 1>&2
+  TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key CA/cross.key -out tmp/crosscert.pem \
+       -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
+       2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate code signing certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/cert.csr -out CA/cert.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/cert.cer -out tmp/cert.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
+  "$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
+  cat tmp/intermediateCA.pem >> tmp/cert.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
+  "$OPENSSL" crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  ssl_version=$("$OPENSSL" version)
+  if test "${ssl_version:8:1}" -eq 3
+  then
+    printf "\nConvert the certificate and the key into legacy PKCS#12 container with\
+ RC2-40-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
+    "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/legacy.p12 -passout pass:"$password" \
+        -keypbe rc2-40-cbc -certpbe rc2-40-cbc -legacy \
+        2>> "makecerts.log" 1>&2
+  else
+    printf "\nConvert the certificate and the key into legacy PKCS#12 container with\
+ RC2-40-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
+    "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/legacy.p12 -passout pass:"$password" \
+        -keypbe rc2-40-cbc -certpbe rc2-40-cbc \
+        2>> "makecerts.log" 1>&2
+  fi
+  test_result $?
+
+  printf "\nConvert the certificate and the key into a PKCS#12 container with\
+  AES-256-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
+  "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \
+      -keypbe aes-256-cbc -certpbe aes-256-cbc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate expired certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/expired.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in CA/expired.csr -out CA/expired.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/expired.cer -out tmp/expired.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
+  cat tmp/intermediateCA.pem >> tmp/expired.pem 2>> "makecerts.log"
+  test_result $?
+
+
+################################################################################
+# Intermediate CA certificates with CRL distribution point
+################################################################################
+
+  CONF="${script_path}/openssl_intermediate_crldp.cnf"
+
+  printf "\nGenerate intermediate CA certificate with CRL distribution point\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/intermediateCA_crldp.key \
+        2>> "makecerts.log" 1>&2
+    TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate_crldp.cnf"
+    "$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA_crldp.key -out CA/intermediateCA_crldp.csr \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA CRL DP" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA_crldp.csr -out CA/intermediateCA_crldp.cer \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  "$OPENSSL" x509 -in CA/intermediateCA_crldp.cer -out tmp/intermediateCA_crldp.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate a certificate with X509v3 CRL Distribution Points extension to revoke\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked_crldp.csr \
+      -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked X509v3 CRL DP/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked_crldp.csr -out CA/revoked_crldp.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/revoked_crldp.cer -out tmp/revoked_crldp.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nRevoke above certificate\n" >> "makecerts.log"
+  "$OPENSSL" ca -config "$CONF" -revoke CA/revoked_crldp.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
+  cat tmp/intermediateCA_crldp.pem >> tmp/revoked_crldp.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate CRL file\n" >> "makecerts.log"
+  TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate_crldp.cnf"
+    "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL_crldp.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nConvert CRL file from PEM to DER (for CRL Distribution Points server to use) \n" >> "makecerts.log"
+  "$OPENSSL" crl -in tmp/CACertCRL_crldp.pem -inform PEM -out tmp/CACertCRL.der -outform DER \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate code signing certificate with X509v3 CRL Distribution Points extension\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert_crldp.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate X509v3 CRL DP/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/cert_crldp.csr -out CA/cert_crldp.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/cert_crldp.cer -out tmp/cert_crldp.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
+  cat tmp/intermediateCA_crldp.pem >> tmp/cert_crldp.pem 2>> "makecerts.log"
+  test_result $?
+
+################################################################################
+# Time Stamp Authority certificates
+################################################################################
+  printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/TSACA.key \
+      2>> "makecerts.log" 1>&2
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_tsa_root.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/TSACA.key -out tmp/TSACA.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate TSA certificate to revoke\n" >> "makecerts.log"
+  CONF="${script_path}/openssl_tsa_root.cnf"
+  "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA_revoked.key -out CA/TSA_revoked.csr \
+      -subj "/C=PL/O=osslsigncode/OU=TSA/CN=Revoked/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  CONF="${script_path}/openssl_tsa_root.cnf"
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/TSA_revoked.csr -out CA/TSA_revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/TSA_revoked.cer -out tmp/TSA_revoked.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nRevoke above certificate\n" >> "makecerts.log"
+  "$OPENSSL" ca -config "$CONF" -revoke CA/TSA_revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate TSA CRL file\n" >> "makecerts.log"
+  TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_tsa_root.cnf"
+    "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/TSACertCRL.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nConvert TSA CRL file from PEM to DER (for CRL Distribution Points server to use)\n" >> "makecerts.log"
+  "$OPENSSL" crl -in tmp/TSACertCRL.pem -inform PEM -out tmp/TSACertCRL.der -outform DER \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate TSA certificate\n" >> "makecerts.log"
+  CONF="${script_path}/openssl_tsa.cnf"
+  "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  CONF="${script_path}/openssl_tsa_root.cnf"
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/TSA.csr -out CA/TSA.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/TSA.cer -out tmp/TSA.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log"
+  cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
+
+################################################################################
+# Copy new files
+################################################################################
+
+  if test -s tmp/CACert.pem \
+      -a -s tmp/intermediateCA.pem -a -s tmp/intermediateCA_crldp.pem \
+      -a -s tmp/CACertCRL.pem -a -s tmp/CACertCRL.der \
+      -a -s tmp/TSACertCRL.pem -a -s tmp/TSACertCRL.der \
+      -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
+      -a -s tmp/cert.pem -a -s tmp/cert.der -a -s tmp/cert.spc \
+      -a -s tmp/cert.p12 -a -s tmp/legacy.p12 -a -s tmp/cert_crldp.pem\
+      -a -s tmp/crosscert.pem -a -s tmp/expired.pem \
+      -a -s tmp/revoked.pem -a -s tmp/revoked_crldp.pem \
+      -a -s tmp/TSA_revoked.pem \
+      -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem
+  then
+    mkdir -p "../certs"
+    cp tmp/* ../certs
+    printf "%s" "Keys & certificates successfully generated"
+  else
+    printf "%s" "Error logs ${result_path}/makecerts.log"
+    result=1
+  fi
+
+################################################################################
+# Remove the working directory
+################################################################################
+
+  rm -rf "CA/"
+  rm -rf "tmp/"
+
+  exit "$result"
+}
+
+
+################################################################################
+# Tests requirement and make certs
+################################################################################
+
+if test -n "$(command -v faketime)"
+  then
+    make_certs "$1"
+    result=$?
+  else
+    printf "%s" "faketime not found in \$PATH, please install faketime package"
+    result=1
+  fi
+
+exit "$result"
--- a/tests/conf/openssl_intermediate.cnf
+++ b/tests/conf/openssl_intermediate.cnf
@ -0,0 +1,73 @@
+# OpenSSL intermediate CA configuration file
+
+[ default ]
+name                            = intermediateCA
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+rand_serial                     = yes
+private_key                     = $dir/CA/$name.key
+certificate                     = $dir/tmp/$name.pem
+crlnumber                       = $dir/CA/crlnumber
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_loose
+default_startdate               = 180101000000Z
+default_enddate                 = 241231000000Z
+x509_extensions                 = v3_req
+email_in_dn                     = yes
+default_days                    = 2200
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+distinguished_name              = req_distinguished_name
+x509_extensions                 = usr_extensions
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier          = keyid:always
+
+[ usr_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ v3_req ]
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName                     = optional
+stateOrProvinceName             = optional
+localityName                    = optional
+organizationName                = optional
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
--- a/tests/conf/openssl_intermediate_crldp.cnf
+++ b/tests/conf/openssl_intermediate_crldp.cnf
@ -0,0 +1,79 @@
+# OpenSSL intermediate CA configuration file
+
+[ default ]
+name                            = intermediateCA
+default_ca                      = CA_default
+crl_url                         = http://127.0.0.1:19254/$name
+
+[ CA_default ]
+# Directory and file locations
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+rand_serial                     = yes
+private_key                     = $dir/CA/$name\_crldp.key
+certificate                     = $dir/tmp/$name\_crldp.pem
+crlnumber                       = $dir/CA/crlnumber
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_loose
+default_startdate               = 180101000000Z
+default_enddate                 = 241231000000Z
+x509_extensions                 = v3_req
+email_in_dn                     = yes
+default_days                    = 2200
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+distinguished_name              = req_distinguished_name
+x509_extensions                 = usr_extensions
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier          = keyid:always
+
+[ usr_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ v3_req ]
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+crlDistributionPoints           = @crl_info
+
+[ crl_info ]
+# X509v3 CRL Distribution Points extension
+URI.0                           = $crl_url
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName                     = optional
+stateOrProvinceName             = optional
+localityName                    = optional
+organizationName                = optional
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
--- a/tests/conf/openssl_root.cnf
+++ b/tests/conf/openssl_root.cnf
@ -0,0 +1,65 @@
+# OpenSSL root CA configuration file
+
+[ ca ]
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+rand_serial                     = yes
+private_key                     = $dir/CA/CA.key
+certificate                     = $dir/tmp/CACert.pem
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_match
+default_startdate               = 180101000000Z
+default_enddate                 = 260101000000Z
+x509_extensions                 = v3_intermediate_ca
+email_in_dn                     = yes
+default_days                    = 3000
+unique_subject                  = no
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+x509_extensions                 = ca_extensions
+distinguished_name              = req_distinguished_name
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = critical, CA:true
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`)
+basicConstraints                = critical, CA:true, pathlen:0
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_match ]
+countryName                     = match
+organizationName                = match
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
--- a/tests/conf/openssl_tsa.cnf
+++ b/tests/conf/openssl_tsa.cnf
@ -0,0 +1,46 @@
+# OpenSSL Timestamp Authority configuration file
+
+oid_section                     = new_oids
+
+[ new_oids ]
+tsa_policy1                     = 1.2.3.4.1
+tsa_policy2                     = 1.2.3.4.5.6
+tsa_policy3                     = 1.2.3.4.5.7
+
+[ req ]
+# Options for the `req` tool
+default_bits                    = 2048
+encrypt_key                     = yes
+default_md                      = sha256
+utf8                            = yes
+string_mask                     = utf8only
+prompt                          = no
+distinguished_name              = ca_distinguished_name
+
+[ ca_distinguished_name ]
+countryName                     = "PL"
+organizationName                = "osslsigncode"
+organizationalUnitName          = "Timestamp Authority"
+commonName                      = "Test TSA"
+
+
+# Time Stamping Authority command "openssl-ts"
+
+[ tsa ]
+default_tsa                     = tsa_config
+
+[ tsa_config ]
+dir                             = ./Testing/certs
+signer_cert                     = $dir/TSA.pem
+signer_key                      = $dir/TSA.key
+certs                           = $dir/tsa-chain.pem
+serial                          = $dir/tsa-serial
+default_policy                  = tsa_policy1
+other_policies                  = tsa_policy2, tsa_policy3
+signer_digest                   = sha256
+digests                         = sha256, sha384, sha512
+accuracy                        = secs:1, millisecs:500, microsecs:100
+ordering                        = yes
+tsa_name                        = yes
+ess_cert_id_chain               = yes
+ess_cert_id_alg                 = sha256
--- a/tests/conf/openssl_tsa_root.cnf
+++ b/tests/conf/openssl_tsa_root.cnf
@ -0,0 +1,83 @@
+# OpenSSL Root Timestamp Authority configuration file
+
+[ default ]
+name                            = TSACA
+domain_suffix                   = timestampauthority
+crl_url                         = http://127.0.0.1:19254/$name
+name_opt                        = utf8, esc_ctrl, multiline, lname, align
+default_ca                      = CA_default
+
+[ CA_default ]
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+crlnumber                       = $dir/CA/crlnumber
+crl_extensions                  = crl_ext
+rand_serial                     = yes
+private_key                     = $dir/CA/$name.key
+certificate                     = $dir/tmp/$name.pem
+default_md                      = sha256
+default_days                    = 3650
+default_crl_days                = 365
+policy                          = policy_match
+default_startdate               = 20180101000000Z
+default_enddate                 = 20280101000000Z
+unique_subject                  = no
+email_in_dn                     = no
+x509_extensions                 = tsa_extensions
+
+[ policy_match ]
+countryName                     = match
+stateOrProvinceName             = optional
+organizationName                = match
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ tsa_extensions ]
+basicConstraints                = critical, CA:false
+extendedKeyUsage                = critical, timeStamping
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always
+crlDistributionPoints           = @crl_info
+nameConstraints                 = @name_constraints
+
+[ crl_info ]
+# X509v3 CRL Distribution Points extension
+URI.0                           = $crl_url
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier          = keyid:always
+
+[ name_constraints ]
+permitted;DNS.0=test.com
+permitted;DNS.1=test.org
+excluded;IP.0=0.0.0.0/0.0.0.0
+excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+
+[ req ]
+# Options for the `req` tool
+default_bits                    = 2048
+encrypt_key                     = yes
+default_md                      = sha256
+utf8                            = yes
+string_mask                     = utf8only
+prompt                          = no
+distinguished_name              = ca_distinguished_name
+x509_extensions                 = ca_extensions
+
+[ ca_distinguished_name ]
+countryName                     = "PL"
+organizationName                = "osslsigncode"
+organizationalUnitName          = "Timestamp Authority Root CA"
+commonName                      = "TSA Root CA"
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = critical, CA:true
+subjectKeyIdentifier            = hash
+keyUsage                        = critical, keyCertSign, cRLSign
--- a/tests/files/unsigned.cat
+++ b/tests/files/unsigned.cat
--- a/tests/files/unsigned.ex_
+++ b/tests/files/unsigned.ex_
--- a/tests/files/unsigned.exe
+++ b/tests/files/unsigned.exe
--- a/tests/files/unsigned.msi
+++ b/tests/files/unsigned.msi
--- a/tests/server_http.py
+++ b/tests/server_http.py
@ -0,0 +1,156 @@
+"""Implementation of a HTTP server"""
+
+import argparse
+import os
+import subprocess
+import sys
+import threading
+from urllib.parse import urlparse
+from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
+
+RESULT_PATH = os.getcwd()
+FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
+CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
+CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
+LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
+REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
+RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
+CACRL = os.path.join(CERTS_PATH, "./CACertCRL.der")
+TSACRL = os.path.join(CERTS_PATH, "./TSACertCRL.der")
+OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
+PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
+
+
+OPENSSL_TS = ["openssl", "ts",
+    "-reply", "-config", OPENSSL_CONF,
+    "-passin", "pass:passme",
+    "-queryfile", REQUEST,
+    "-out", RESPONS]
+
+
+class RequestHandler(SimpleHTTPRequestHandler):
+    """Handle the HTTP POST request that arrive at the server"""
+
+    def __init__(self, request, client_address, server):
+        # Save the server handle
+        self.server = server
+        SimpleHTTPRequestHandler.__init__(self, request, client_address, server)
+
+    def do_GET(self): # pylint: disable=invalid-name
+        """"Serves the GET request type"""
+        try:
+            url = urlparse(self.path)
+            self.send_response(200)
+            self.send_header("Content-type", "application/crl")
+            self.end_headers()
+            # Read the file and send the contents
+            if url.path == "/intermediateCA":
+                with open(CACRL, 'rb') as file:
+                    resp_data = file.read()
+            if url.path == "/TSACA":
+                with open(TSACRL, 'rb') as file:
+                    resp_data = file.read()
+            self.wfile.write(resp_data)
+        except Exception as err: # pylint: disable=broad-except
+            print(f"HTTP GET request error: {err}")
+
+    def do_POST(self): # pylint: disable=invalid-name
+        """"Serves the POST request type"""
+        try:
+            url = urlparse(self.path)
+            self.send_response(200)
+            if url.path == "/kill_server":
+                self.log_message(f"Deleting file: {PORT_LOG}")
+                os.remove(f"{PORT_LOG}")
+                self.send_header('Content-type', 'text/plain')
+                self.end_headers()
+                self.wfile.write(bytes('Shutting down HTTP server', 'utf-8'))
+                self.server.shutdown()
+            else:
+                content_length = int(self.headers['Content-Length'])
+                post_data = self.rfile.read(content_length)
+                with open(REQUEST, mode="wb") as file:
+                    file.write(post_data)
+                openssl = subprocess.run(OPENSSL_TS,
+                    check=True, universal_newlines=True)
+                openssl.check_returncode()
+                self.send_header("Content-type", "application/timestamp-reply")
+                self.end_headers()
+                resp_data = None
+                with open(RESPONS, mode="rb") as file:
+                    resp_data = file.read()
+                self.wfile.write(resp_data)
+        except Exception as err: # pylint: disable=broad-except
+            print(f"HTTP POST request error: {err}")
+
+
+class HttpServerThread():
+    """TSA server thread handler"""
+    # pylint: disable=too-few-public-methods
+
+    def __init__(self):
+        self.server = None
+        self.server_thread = None
+
+    def start_server(self, port) -> (int):
+        """Starting HTTP server on localhost and a random available port for binding"""
+        self.server = ThreadingHTTPServer(('localhost', port), RequestHandler)
+        self.server_thread = threading.Thread(target=self.server.serve_forever)
+        self.server_thread.start()
+        hostname, port = self.server.server_address[:2]
+        print(f"HTTP server started, URL http://{hostname}:{port}")
+        return port
+
+
+def main() -> None:
+    """Start HTTP server"""
+    ret = 0
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--port",
+        type=int,
+        default=0,
+        help="port number"
+    )
+    args = parser.parse_args()
+    try:
+        server = HttpServerThread()
+        port = server.start_server(args.port)
+        with open(PORT_LOG, mode="w") as file:
+            file.write("{}".format(port))
+    except OSError as err:
+        print(f"OSError: {err}")
+        ret = err.errno
+    finally:
+        sys.exit(ret)
+
+
+if __name__ == '__main__':
+    try:
+        fpid = os.fork()
+        if fpid > 0:
+            sys.exit(0)
+    except OSError as ferr:
+        print(f"Fork #1 failed: {ferr.errno} {ferr.strerror}")
+        sys.exit(1)
+
+    try:
+        fpid = os.fork()
+        if fpid > 0:
+            sys.exit(0)
+    except OSError as ferr:
+        print(f"Fork #2 failed: {ferr.errno} {ferr.strerror}")
+        sys.exit(1)
+
+    # Start the daemon main loop
+    main()
+
+
+# pylint: disable=pointless-string-statement
+"""Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+"""
--- a/tests/server_http.pyw
+++ b/tests/server_http.pyw
@ -0,0 +1,133 @@
+"""Windows: Implementation of a HTTP server"""
+
+import os
+import subprocess
+import sys
+import threading
+from urllib.parse import urlparse
+from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
+
+RESULT_PATH = os.getcwd()
+FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
+CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
+CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
+LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
+REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
+RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
+CACRL = os.path.join(CERTS_PATH, "./CACertCRL.der")
+TSACRL = os.path.join(CERTS_PATH, "./TSACertCRL.der")
+OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
+SERVER_LOG = os.path.join(LOGS_PATH, "./server.log")
+PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
+
+
+OPENSSL_TS = ["openssl", "ts",
+    "-reply", "-config", OPENSSL_CONF,
+    "-passin", "pass:passme",
+    "-queryfile", REQUEST,
+    "-out", RESPONS]
+
+
+class RequestHandler(SimpleHTTPRequestHandler):
+    """Handle the HTTP POST request that arrive at the server"""
+
+    def __init__(self, request, client_address, server):
+        # Save the server handle
+        self.server = server
+        SimpleHTTPRequestHandler.__init__(self, request, client_address, server)
+
+    def do_GET(self): # pylint: disable=invalid-name
+        """"Serves the GET request type"""
+        try:
+            url = urlparse(self.path)
+            self.send_response(200)
+            self.send_header("Content-type", "application/crl")
+            self.end_headers()
+            # Read the file and send the contents
+            if url.path == "/intermediateCA":
+                with open(CACRL, 'rb') as file:
+                    resp_data = file.read()
+            if url.path == "/TSACA":
+                with open(TSACRL, 'rb') as file:
+                    resp_data = file.read()
+            self.wfile.write(resp_data)
+        except Exception as err: # pylint: disable=broad-except
+            print(f"HTTP GET request error: {err}")
+
+    def do_POST(self): # pylint: disable=invalid-name
+        """"Serves the POST request type"""
+        try:
+            url = urlparse(self.path)
+            self.send_response(200)
+            if url.path == "/kill_server":
+                self.log_message(f"Deleting file: {PORT_LOG}")
+                os.remove(f"{PORT_LOG}")
+                self.send_header('Content-type', 'text/plain')
+                self.end_headers()
+                self.wfile.write(bytes('Shutting down HTTP server', 'utf-8'))
+                self.server.shutdown()
+            else:
+                content_length = int(self.headers['Content-Length'])
+                post_data = self.rfile.read(content_length)
+                with open(REQUEST, mode="wb") as file:
+                    file.write(post_data)
+                openssl = subprocess.run(OPENSSL_TS,
+                    check=True, universal_newlines=True)
+                openssl.check_returncode()
+                self.send_header("Content-type", "application/timestamp-reply")
+                self.end_headers()
+                resp_data = None
+                with open(RESPONS, mode="rb") as file:
+                    resp_data = file.read()
+                self.wfile.write(resp_data)
+        except Exception as err: # pylint: disable=broad-except
+            print(f"HTTP POST request error: {err}")
+
+
+class HttpServerThread():
+    """TSA server thread handler"""
+    # pylint: disable=too-few-public-methods
+
+    def __init__(self):
+        self.server = None
+        self.server_thread = None
+
+    def start_server(self) -> (int):
+        """Starting HTTP server on localhost and a random available port for binding"""
+        self.server = ThreadingHTTPServer(('localhost', 19254), RequestHandler)
+        self.server_thread = threading.Thread(target=self.server.serve_forever)
+        self.server_thread.start()
+        hostname, port = self.server.server_address[:2]
+        print(f"HTTP server started, URL http://{hostname}:{port}")
+        return port
+
+
+def main() -> None:
+    """Start HTTP server"""
+    ret = 0
+    try:
+        sys.stdout = open(SERVER_LOG, "w")
+        sys.stderr = open(SERVER_LOG, "a")
+        server = HttpServerThread()
+        port = server.start_server()
+        with open(PORT_LOG, mode="w") as file:
+            file.write("{}".format(port))
+    except OSError as err:
+        print(f"OSError: {err}")
+        ret = err.errno
+    finally:
+        sys.exit(ret)
+
+
+if __name__ == '__main__':
+    main()
+
+
+# pylint: disable=pointless-string-statement
+"""Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+"""
--- a/tests/sources/a
+++ b/tests/sources/a
@ -0,0 +1 @@
+aaa
--- a/tests/sources/b
+++ b/tests/sources/b
@ -0,0 +1 @@
+bbb
--- a/tests/sources/c
+++ b/tests/sources/c
@ -0,0 +1 @@
+ccc
--- a/tests/sources/good.cat
+++ b/tests/sources/good.cat
--- a/tests/sources/myapp.c
+++ b/tests/sources/myapp.c
@ -0,0 +1,6 @@
+#include <stdio.h>
+
+void main(void)
+{
+    printf("Hello world!");
+}
--- a/tests/sources/sample.wxs
+++ b/tests/sources/sample.wxs
@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<!--https://wiki.gnome.org/msitools/HowTo/CreateMSI-->
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='ABCDDCBA-86C7-4D14-AEC0-86416A69ABDE' UpgradeCode='ABCDDCBA-7349-453F-94F6-BCB5110BA4FD'
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+    <Package Id='*' Keywords='Installer' Description="Acme's Foobar 1.0 Installer"
+      Comments='Foobar is a registered trademark of Acme Ltd.' Manufacturer='Acme Ltd.'
+      InstallerVersion='100' Languages='1033' Compressed='yes' SummaryCodepage='1252' />
+
+    <Media Id='1' Cabinet='Sample.cab' EmbedCab='yes' DiskPrompt="CD-ROM #1" />
+    <Property Id='DiskPrompt' Value="Acme's Foobar 1.0 Installation [1]" />
+
+    <Directory Id='TARGETDIR' Name='SourceDir'>
+      <Directory Id='ProgramFilesFolder' Name='PFiles'>
+        <Directory Id='Acme' Name='Acme'>
+          <Directory Id='INSTALLDIR' Name='Foobar 1.0'>
+
+            <Component Id='MainExecutable' Guid='ABCDDCBA-83F1-4F22-985B-FDB3C8ABD471'>
+              <File Id='FoobarEXE' Name='FoobarAppl10.exe' DiskId='1' Source='FoobarAppl10.exe' KeyPath='yes'/>
+            </Component>
+
+          </Directory>
+        </Directory>
+      </Directory>
+    </Directory>
+
+    <Feature Id='Complete' Level='1'>
+      <ComponentRef Id='MainExecutable' />
+    </Feature>
+
+  </Product>
+</Wix>
--- a/tests/testsign.sh
+++ b/tests/testsign.sh
@ -1,74 +0,0 @@
-#!/bin/sh
-
-rm -f putty*.exe
-
-PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe"
-[ -f putty.exe ] || wget -q -O putty.exe $PUTTY_URL
-[ -f putty.exe ] || curl -o putty.exe $PUTTY_URL
-
-if [ ! -f putty.exe ]; then
-    echo "FAIL: Couldn't download putty.exe"
-    exit 1
-fi
-
-rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
-
-keytool -genkey \
-	-alias selfsigned -keysize 2048 -keyalg RSA -keypass passme -storepass passme -keystore key.ks << EOF
-John Doe
-ACME In
-ACME
-Springfield
-LaLaLand
-SE
-yes
-EOF
-
-
-echo "Converting key/cert to PKCS12 container"
-keytool -importkeystore \
-	-srckeystore key.ks -srcstoretype JKS -srckeypass passme -srcstorepass passme -srcalias selfsigned \
-	-destkeystore key.p12 -deststoretype PKCS12 -destkeypass passme -deststorepass passme
-
-rm -f key.ks
-
-echo "Converting key to PEM format"
-openssl pkcs12 -in key.p12 -passin pass:passme -nocerts -nodes -out key.pem
-echo "Converting key to PEM format (with password)"
-openssl rsa -in key.pem -out keyp.pem -passout pass:passme
-echo "Converting key to DER format"
-openssl rsa -in key.pem -outform DER -out key.der -passout pass:passme
-echo "Converting key to PVK format"
-openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk -passout pass:passme
-
-echo "Converting cert to PEM format"
-openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem
-echo "Converting cert to SPC format"
-openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
-
-
-../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe
-../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe
-../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe
-../osslsigncode sign -certs cert.spc -key key.der putty.exe putty4.exe
-../osslsigncode sign -pkcs12 key.p12 -pass passme putty.exe putty5.exe
-../osslsigncode sign -certs cert.spc -key key.pvk -pass passme putty.exe putty6.exe
-
-rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
-
-echo ""
-echo ""
-
-check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l`
-cmp putty1.exe putty2.exe && \
-	cmp putty2.exe putty3.exe && \
-	cmp putty3.exe putty4.exe && \
-	cmp putty4.exe putty5.exe && \
-	cmp putty5.exe putty6.exe
-if [ $? -ne 0 ]; then
-	echo "Failure is not an option."
-else
-	echo "Yes, it works."
-fi
-
-
--- a/vcpkg.json
+++ b/vcpkg.json
@ -0,0 +1,12 @@
+{
+    "name": "osslsigncode",
+    "version-string": "2.4",
+    "dependencies": [
+        "openssl",
+        "curl",
+        {
+            "name": "python3",
+            "platform": "!(windows & static) & !osx"
+        }
+    ]
+}