Merge pull request #6569 from SparkiDev/pem_der_example

PEM example: new example for convert between PEM and DER
2023-07-03 11:31:36 -07:00
parent ad2621a7a0 f72a6b705f
commit a921ab754d
23 changed files with 1691 additions and 119 deletions
--- a/.gitignore
+++ b/.gitignore
@ -74,6 +74,7 @@ examples/sctp/sctp-server-dtls
 examples/sctp/sctp-client
 examples/sctp/sctp-client-dtls
 examples/asn1/asn1
+examples/pem/pem
 server_ready
 snifftest
 output
--- a/certs/crl/caEccCrl.der
+++ b/certs/crl/caEccCrl.der
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@ -10,6 +10,7 @@ EXTRA_DIST += \
 	     certs/crl/eccSrvCRL.pem \
 	     certs/crl/eccCliCRL.pem \
 	     certs/crl/crl2.pem \
+	     certs/crl/caEccCrl.der \
 	     certs/crl/caEccCrl.pem \
 	     certs/crl/caEcc384Crl.pem \
 	     certs/crl/wolfssl.cnf \
--- a/certs/csr.dsa.der
+++ b/certs/csr.dsa.der
--- a/certs/ecc-params.der
+++ b/certs/ecc-params.der
@ -0,0 +1 @@
+*<2A>H<EFBFBD>=
--- a/certs/ecc-params.pem
+++ b/certs/ecc-params.pem
@ -0,0 +1,3 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
--- a/certs/ecc-privkey.der
+++ b/certs/ecc-privkey.der
@ -0,0 +1,2 @@
+01 E<>is<>l<EFBFBD><6C>8[r<><72>Ǭ<EFBFBD><03>S5<04>l(<28>4<EFBFBD><34><EFBFBD>	<09><>
+*<2A>H<EFBFBD>=
--- a/certs/ed25519/eddsa-ed25519.der
+++ b/certs/ed25519/eddsa-ed25519.der
@ -0,0 +1,2 @@
+0%
+ <20><>r<EFBFBD><72>XJն<4A><D5B6><EFBFBD>i<EFBFBD><69>:<3A>|(<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>DuXB
--- a/certs/ed25519/eddsa-ed25519.pem
+++ b/certs/ed25519/eddsa-ed25519.pem
@ -0,0 +1,3 @@
+-----BEGIN EDDSA PRIVATE KEY-----
+MCUKAQEEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
+-----END EDDSA PRIVATE KEY-----
--- a/certs/ed25519/include.am
+++ b/certs/ed25519/include.am
@ -27,7 +27,9 @@ EXTRA_DIST += \
         certs/ed25519/server-ed25519-key.der \
         certs/ed25519/server-ed25519-key.pem \
         certs/ed25519/server-ed25519-priv.der \
-         certs/ed25519/server-ed25519-priv.pem
+         certs/ed25519/server-ed25519-priv.pem \
+         certs/ed25519/eddsa-ed25519.der \
+         certs/ed25519/eddsa-ed25519.pem

 EXTRA_DIST += \
         certs/ed25519/gen-ed25519.sh \
--- a/certs/include.am
+++ b/certs/include.am
@ -16,6 +16,9 @@ EXTRA_DIST += \
             certs/client-crl-dist.der \
             certs/ecc-key.pem \
             certs/ecc-keyPub.pem \
+             certs/ecc-params.der \
+             certs/ecc-params.pem \
+             certs/ecc-privkey.der \
             certs/ecc-privkey.pem \
             certs/ecc-privkeyPkcs8.der \
             certs/ecc-privkeyPkcs8.pem \
@ -36,6 +39,7 @@ EXTRA_DIST += \
             certs/server-ecc-rsa.pem \
             certs/server-keyEnc.pem \
             certs/server-key.pem \
+             certs/server-keyPub.der \
             certs/server-keyPub.pem \
             certs/server-keyPkcs8.der \
             certs/server-keyPkcs8Enc12.pem \
@ -59,11 +63,13 @@ EXTRA_DIST += \
             certs/dh4096.pem \
             certs/client-cert-ext.pem \
             certs/csr.attr.der \
+             certs/csr.dsa.der \
             certs/csr.dsa.pem \
             certs/csr.signed.der \
             certs/csr.ext.der \
             certs/entity-no-ca-bool-cert.pem \
             certs/entity-no-ca-bool-key.pem \
+             certs/x942dh2048.der \
             certs/x942dh2048.pem \
             certs/fpki-cert.der \
             certs/rid-cert.der
--- a/certs/server-keyPub.der
+++ b/certs/server-keyPub.der
--- a/certs/x942dh2048.der
+++ b/certs/x942dh2048.der
--- a/examples/asn1/asn1.c
+++ b/examples/asn1/asn1.c
@ -283,7 +283,7 @@ static int PrintPem(FILE* fp, int pem_skip)

 /* Usage lines to show. */
 const char* usage[] = {
-    "asn1 [OPTOIN]... [FILE]",
+    "asn1 [OPTION]... [FILE]",
    "Display a human-readable version of a DER/BER encoding.",
    "",
    "Options:",
@ -317,8 +317,8 @@ static void Usage(void)

 /* Main entry of ASN.1 printing program.
 *
- * @param [in] argc  Count of command line argements.
- * @param [in] argv  Command line argements.
+ * @param [in] argc  Count of command line arguments.
+ * @param [in] argv  Command line arguments.
 * @return  0 on success.
 * @return  1 on failure.
 */
@ -430,7 +430,7 @@ int main(int argc, char* argv[])
            Usage();
            return 0;
        }
-        /* Unknown option dectection. */
+        /* Unknown option detection. */
        else if (argv[0][0] == '-') {
            fprintf(stderr, "Bad option: %s\n", argv[0]);
            Usage();
@ -476,8 +476,8 @@ int main(int argc, char* argv[])

 /* Main entry of ASN.1 printing program.
 *
- * @param [in] argc  Count of command line argements.
- * @param [in] argv  Command line argements.
+ * @param [in] argc  Count of command line arguments.
+ * @param [in] argv  Command line arguments.
 * @return  0 on success.
 * @return  1 on failure.
 */
@ -489,6 +489,5 @@ int main(int argc, char* argv[])
    return 0;
 }

-#endif
-
+#endif /* WOLFSSL_ASN_PRINT */

--- a/examples/include.am
+++ b/examples/include.am
@ -9,4 +9,5 @@ include examples/server/include.am
 include examples/sctp/include.am
 include examples/configs/include.am
 include examples/asn1/include.am
+include examples/pem/include.am
 EXTRA_DIST += examples/README.md
--- a/examples/pem/include.am
+++ b/examples/pem/include.am
@ -0,0 +1,12 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+
+if BUILD_EXAMPLE_ASN1
+noinst_PROGRAMS += examples/pem/pem
+examples_pem_pem_SOURCES = examples/pem/pem.c
+examples_pem_pem_LDADD        = src/libwolfssl@LIBSUFFIX@.la $(LIB_STATIC_ADD)
+examples_pem_pem_DEPENDENCIES = src/libwolfssl@LIBSUFFIX@.la
+endif
+
--- a/examples/pem/pem.c
+++ b/examples/pem/pem.c
--- a/scripts/include.am
+++ b/scripts/include.am
@ -87,6 +87,8 @@ noinst_SCRIPTS+= scripts/unit.test.in
 endif
 endif

+dist_noinst_SCRIPTS+= scripts/pem.test
+
 EXTRA_DIST +=  scripts/sniffer-static-rsa.pcap \
               scripts/sniffer-ipv6.pcap \
               scripts/sniffer-tls13-dh.pcap \
--- a/scripts/pem.test
+++ b/scripts/pem.test
@ -0,0 +1,459 @@
+#!/bin/bash
+
+# pem.test
+# Copyright wolfSSL 2023-2023
+
+tmp_file=./pem_test.$$
+tmp_der_file=./pem_test_out_der.$$
+tmp_pem_file=./pem_test_out_pem.$$
+PEM_EXE=./examples/pem/pem
+ASN1_EXE=./examples/asn1/asn1
+TEST_CNT=0
+TEST_PASS_CNT=0
+TEST_SKIP_CNT=0
+TEST_FAIL_CNT=0
+TEST_FAIL=
+TEST_CASES=()
+RUN_ALL="YES"
+CR=$'\n'
+ENC_STRING="encrypt"
+DER_TO_PEM_STRING="input is DER and output is PEM"
+
+# Cleanup temporaries created during testing.
+do_cleanup() {
+    echo
+    echo "in cleanup"
+
+    if [ -e "$tmp_der_file" ]; then
+        echo -e "removing existing temporary DER output file"
+        rm "$tmp_der_file"
+    fi
+    if [ -e "$tmp_pem_file" ]; then
+        echo -e "removing existing temporary PEM output file"
+        rm "$tmp_pem_file"
+    fi
+    if [ -e "$tmp_file" ]; then
+        echo -e "removing existing temporary output file"
+        rm "$tmp_file"
+    fi
+}
+
+# Called when a signal is trapped.
+do_trap() {
+    echo
+    echo "got trap"
+    do_cleanup
+    exit 1
+}
+
+# Trap keyboard interrupt and termination signal.
+trap do_trap INT TERM
+
+# Check the usage text for a string to determine feature support.
+#
+# @param [in] $1  String to search for,
+# @return  1 when string is found.
+# @return  0 otherwise.
+check_usage_string() {
+    $PEM_EXE -? | grep "$1" >$tmp_file 2>&1
+    if [ "$?" = "0" ]; then
+        return 1
+    fi
+    return 0
+}
+
+# Check whether the test case is to be run.
+# When command line parameters given - only run those.
+#
+# @return  1 when test case is to be run.
+# @return  0 otherwise.
+check_run() {
+    # When RUN_ALL set them all test cases are run.
+    if [ "$RUN_ALL" != "" ]; then
+       return 1
+    else
+       # Check if test case number in list.
+       for T in "${TEST_CASE[@]}"; do
+           if [ "$T" = "$TEST_CNT" ]; then
+               return 1
+           fi
+       done
+       return 0
+    fi
+}
+
+# Setup for new test case.
+#
+# @param [in] $*  Name of test case.
+test_setup() {
+    TEST_CNT=$((TEST_CNT+1))
+    TEST_DESC="$TEST_CNT: $*"
+    FAILED=
+    SKIP=
+
+    if [ "$USAGE_STRING" != "" ]; then
+        # Check usage output for string to see whether we have to skip test case
+        # due to wolfSSL missing features.
+        check_usage_string "$USAGE_STRING"
+        if [ "$?" = "0" ] ; then
+            echo
+            echo "$TEST_DESC"
+            echo "SKIPPED"
+            SKIP="missing feature"
+        fi
+        USAGE_STRING=
+    fi
+
+    if [ "$SKIP" = "" ]; then
+        # Check whether this test case is to be run.
+        check_run
+        if [ "$?" = "1" ]; then
+            echo
+            echo "$TEST_DESC"
+            TEST_PASS_CNT=$((TEST_PASS_CNT+1))
+        else
+            SKIP="not requested"
+        fi
+    fi
+
+    # Handle skipping
+    if [ "$SKIP" != "" ]; then
+        TEST_SKIP_CNT=$((TEST_SKIP_CNT+1))
+    fi
+}
+
+# Handle when a test case failed.
+test_fail() {
+    if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
+        TEST_PASS_CNT=$((TEST_PASS_CNT-1))
+        TEST_FAIL_CNT=$((TEST_FAIL_CNT+1))
+        TEST_FAIL="$TEST_FAIL$CR  $TEST_DESC"
+        FAILED=yes
+    fi
+}
+
+# Use asn1 to check DER produced is valid.
+check_der() {
+    $ASN1_EXE $tmp_der_file >$tmp_file 2>&1
+    if [ "$?" != "0" ]; then
+        echo
+        echo "  DER result bad"
+        test_fail
+    fi
+}
+
+# Convert PEM file to DER
+#
+# @param [in] $*  Command line parameters to pem example.
+convert_to_der() {
+    if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
+        echo "    $PEM_EXE $* -out $tmp_pem_file"
+        $PEM_EXE $* -out $tmp_der_file
+        if [ "$?" != "0" ]; then
+            echo "  Failed to convert to DER"
+            test_fail
+        fi
+        check_der
+    fi
+}
+
+# Compare generated DER file to existing file.
+#
+# @param [in] $1  File to compare to.
+compare_der() {
+    diff $tmp_der_file $1
+    if [ "$?" != "0" ]; then
+        echo "  Created DER file different from expected"
+        test_fail
+    fi
+}
+
+# Convert DER file to PEM
+#
+# PEM_TYPE contains PEM header to encode.
+#
+# @param [in] $*  Command line parameters to pem example.
+convert_to_pem() {
+    if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
+        echo "    $PEM_EXE --der -t \"$PEM_TYPE\" $* -out $tmp_pem_file"
+        $PEM_EXE --der $* -t "$PEM_TYPE" -out $tmp_pem_file
+        if [ "$?" != "0" ]; then
+            test_fail
+        fi
+    fi
+}
+
+# Compare generated PEM file to existing file.
+compare_pem() {
+    diff $tmp_pem_file $1 >$tmp_file 2>&1
+    if [ "$?" != "0" ]; then
+        cat $tmp_file
+        echo
+        echo "  Created PEM file different from expected"
+        test_fail
+    fi
+}
+
+# Convert to and from PEM and DER and compare to file containing expected DER.
+#
+# @param [in] $1  Name of PEM file to read.
+# @param [in] $2  Name of DER file to compare to.
+# @param [in] $3  PEM type expected in PEM file and to place in created PEM
+#                 file.
+pem_der_exp() {
+    if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
+        PEM_FILE=$1
+        DER_FILE=$2
+        PEM_TYPE="$3"
+
+        # Convert PEM to DER
+        convert_to_der -in $PEM_FILE
+        if [ "$FAILED" = "" ]; then
+          # On success, compare to DER file.
+          compare_der $DER_FILE
+        fi
+        # Check if converting from DER to PEM is supported.
+        check_usage_string $DER_TO_PEM_STRING
+        if [ "$?" = "1" ]; then
+            if [ "$FAILED" = "" ]; then
+                # Convert expected DER file to PEM
+                convert_to_pem -in $DER_FILE
+            fi
+            if [ "$FAILED" = "" ]; then
+                # On success, compare to original PEM file.
+                compare_pem $PEM_FILE
+            fi
+        fi
+    fi
+}
+
+# Convert DER to encrypted PEM.
+#
+# @param [in] $@  Command line parameters to pem example when encrypting.
+der_pem_enc() {
+    PEM_TYPE="ENCRYPTED PRIVATE KEY"
+    convert_to_pem -in ./certs/server-key.der -p yassl123 "$@"
+    convert_to_der -in $tmp_pem_file -p yassl123
+}
+
+
+################################################################################
+
+# Check for pem example - can't test without it.
+if [ ! -x $PEM_EXE ]; then
+    echo "PEM example not available, won't run"
+    exit 77
+fi
+# Check for asn1 example - don't want to test without it.
+if [ ! -x $ASN1_EXE ]; then
+    echo "ASN.1 example not available, won't run"
+    exit 77
+fi
+
+# Check the available features compiled into pem example.
+echo "wolfSSL features:"
+check_usage_string $DER_TO_PEM_STRING
+if [ "$?" = "1" ]; then
+    echo "  Conversion from DER to PEM support compiled in."
+else
+    echo "  Conversion from DER to PEM support NOT compiled in."
+fi
+check_usage_string $ENC_STRING
+if [ "$?" = "1" ]; then
+    echo "  Encryption support compiled in."
+else
+    echo "  Encryption support NOT compiled in."
+fi
+echo
+
+# Command line parameters are test cases to run.
+while [ $# -gt 0 ]; do
+    TEST_CASE[${#TEST_CASE[@]}]=$1
+    RUN_ALL=
+    shift 1
+done
+
+
+test_setup "Convert PEM certificate (first of many) to DER"
+convert_to_der -in ./certs/server-cert.pem
+
+test_setup "Convert PEM certificate (second of many) to DER"
+convert_to_der -in ./certs/server-cert.pem --offset 6000
+
+test_setup "RSA private key"
+pem_der_exp ./certs/server-key.pem \
+            ./certs/server-key.der "RSA PRIVATE KEY"
+
+test_setup "RSA public key"
+pem_der_exp ./certs/server-keyPub.pem \
+            ./certs/server-keyPub.der "RSA PUBLIC KEY"
+
+test_setup "DH parameters"
+pem_der_exp ./certs/dh3072.pem \
+            ./certs/dh3072.der "DH PARAMETERS"
+
+test_setup "X9.42 parameters"
+pem_der_exp ./certs/x942dh2048.pem \
+            ./certs/x942dh2048.der "X9.42 DH PARAMETERS"
+
+USAGE_STRING="  DSA PARAMETERS"
+test_setup "DSA parameters"
+pem_der_exp ./certs/dsaparams.pem \
+            ./certs/dsaparams.der "DSA PARAMETERS"
+
+USAGE_STRING="  DSA PRIVATE KEY"
+test_setup "DSA private key"
+pem_der_exp ./certs/1024/dsa1024.pem \
+            ./certs/1024/dsa1024.der "DSA PRIVATE KEY"
+
+USAGE_STRING="  EC PRIVATE KEY"
+test_setup "ECC private key"
+pem_der_exp ./certs/ecc-keyPkcs8.pem \
+            ./certs/ecc-keyPkcs8.der "PRIVATE KEY"
+
+USAGE_STRING="  EC PRIVATE KEY"
+test_setup "EC PRIVATE KEY"
+pem_der_exp ./certs/ecc-privkey.pem \
+            ./certs/ecc-privkey.der "EC PRIVATE KEY"
+
+USAGE_STRING="  EC PARAMETERS"
+test_setup "ECC parameters"
+pem_der_exp ./certs/ecc-params.pem \
+            ./certs/ecc-params.der "EC PARAMETERS"
+
+test_setup "ECC public key"
+pem_der_exp ./certs/ecc-keyPub.pem \
+            ./certs/ecc-keyPub.der "PUBLIC KEY"
+
+test_setup "Ed25519 public key"
+pem_der_exp ./certs/ed25519/client-ed25519-key.pem \
+            ./certs/ed25519/client-ed25519-key.der 'PUBLIC KEY'
+
+test_setup "Ed25519 private key"
+pem_der_exp ./certs/ed25519/client-ed25519-priv.pem \
+            ./certs/ed25519/client-ed25519-priv.der 'PRIVATE KEY'
+
+USAGE_STRING="  EDDSA PRIVATE KEY"
+test_setup "EdDSA private key"
+pem_der_exp ./certs/ed25519/eddsa-ed25519.pem \
+            ./certs/ed25519/eddsa-ed25519.der 'EDDSA PRIVATE KEY'
+
+test_setup "Ed448 public key"
+pem_der_exp ./certs/ed448/client-ed448-key.pem \
+            ./certs/ed448/client-ed448-key.der 'PUBLIC KEY'
+
+test_setup "Ed448 private key"
+pem_der_exp ./certs/ed448/client-ed448-priv.pem \
+            ./certs/ed448/client-ed448-priv.der 'PRIVATE KEY'
+
+USAGE_STRING="  CERTIFICATE REQUEST"
+test_setup "Certificate Request"
+pem_der_exp ./certs/csr.dsa.pem \
+            ./certs/csr.dsa.der 'CERTIFICATE REQUEST'
+
+USAGE_STRING="  X509 CRL"
+test_setup "X509 CRL"
+pem_der_exp ./certs/crl/caEccCrl.pem \
+            ./certs/crl/caEccCrl.der 'X509 CRL'
+
+USAGE_STRING=$ENC_STRING
+test_setup "Encrypted Key with header"
+convert_to_der -in ./certs/server-keyEnc.pem -p yassl123 --padding
+
+USAGE_STRING=$ENC_STRING
+test_setup "Encrypted Key - PKCS#8"
+convert_to_der -in ./certs/server-keyPkcs8Enc.pem -p yassl123
+
+USAGE_STRING=$ENC_STRING
+test_setup "Encrypted Key - PKCS#8 (PKCS#12 PBE)"
+convert_to_der -in ./certs/server-keyPkcs8Enc12.pem -p yassl123
+
+USAGE_STRING="PBES1_MD5_DES"
+test_setup "Encrypted Key - PKCS#8 (PKCS#5 PBES1-MD5-DES)"
+convert_to_der -in ./certs/ecc-keyPkcs8Enc.pem -p yassl123
+
+USAGE_STRING=" DES3"
+test_setup "Encrypted Key - PKCS#8 (PKCS#5v2 PBE-SHA1-DES3)"
+convert_to_der -in ./certs/server-keyPkcs8Enc2.pem -p yassl123
+
+USAGE_STRING="AES-256-CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (Default: PKCS#5 PBES2 AES-256-CBC)"
+der_pem_enc
+
+USAGE_STRING="AES-256-CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 - Large salt"
+der_pem_enc -s 16
+
+USAGE_STRING="AES-256-CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 - 10000 iterations (DER encoding check)"
+der_pem_enc -i 10000
+
+USAGE_STRING="AES-256-CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 - 100 iterations (DER encoding check)"
+der_pem_enc -i 100
+
+USAGE_STRING="AES-128-CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 AES-128-CBC)"
+der_pem_enc --pbe-alg AES-128-CBC
+
+USAGE_STRING="DES"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 DES)"
+der_pem_enc --pbe-alg DES
+
+
+USAGE_STRING="DES3"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 DES3)"
+der_pem_enc --pbe-alg DES3
+
+USAGE_STRING="PBES1_MD5_DES"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES1-MD5-DES)"
+der_pem_enc --pbe PBES1_MD5_DES
+
+USAGE_STRING="PBES1_SHA1_DES"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES1-SHA1-DES)"
+der_pem_enc --pbe PBES1_SHA1_DES
+
+USAGE_STRING="  SHA1_RC4_128"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-RC4-128)"
+der_pem_enc --pbe-ver PKCS12 --pbe SHA1_RC4_128
+
+USAGE_STRING="  SHA1_DES3"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-DES3)"
+der_pem_enc --pbe-ver PKCS12 --pbe SHA1_DES3
+
+USAGE_STRING="SHA1_40RC2_CBC"
+PEM_TYPE="ENCRYPTED PRIVATE KEY"
+test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-40RC2-CBC)"
+der_pem_enc --pbe-ver PKCS12 --pbe SHA1_40RC2_CBC
+
+# Note: PKCS#12 with SHA1_DES doesn't work as we encode as PKCS#5 SHA1_DES as
+# ids are the same
+
+
+# Report results
+echo
+if [ "$TEST_SKIP_CNT" = "0" ]; then
+    echo "RESULT: $TEST_PASS_CNT/$TEST_CNT (pass/total)"
+else
+    echo "RESULT: $TEST_PASS_CNT/$TEST_SKIP_CNT/$TEST_CNT (pass/skip/total)"
+fi
+if [ "$TEST_FAIL_CNT" != "0" ]; then
+    echo "FAILURES ($TEST_FAIL_CNT):$TEST_FAIL"
+else
+    echo "PASSED"
+fi
+
+# Cleanup temporaries
+do_cleanup
+
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -4362,6 +4362,9 @@ static const byte pbeSha1RC4128[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 1};
 #if !defined(NO_DES3) && !defined(NO_SHA)
 static const byte pbeSha1Des3[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 3};
 #endif
+#if defined(WC_RC2) && !defined(NO_SHA)
+static const byte pbe40Rc2Cbc[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 6};
+#endif

 #ifdef HAVE_LIBZ
 /* zlib compression */
@ -5168,6 +5171,13 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                    oid = pbeSha1Des3;
                    *oidSz = sizeof(pbeSha1Des3);
                    break;
+        #endif
+        #if !defined(NO_SHA) && defined(WC_RC2)
+                case PBE_SHA1_40RC2_CBC_SUM:
+                case PBE_SHA1_40RC2_CBC:
+                    oid = pbe40Rc2Cbc;
+                    *oidSz = sizeof(pbe40Rc2Cbc);
+                    break;
        #endif
                case PBES2_SUM:
                case PBES2:
@ -7072,7 +7082,8 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz,
            oidKeyType);
        if (curveOID != NULL && oidSz > 0) {
            /* ECC key and curveOID set to write. */
-            SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE], curveOID, oidSz);
+            SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_ALGO_OID_CURVE],
+                curveOID, oidSz);
        }
        else {
            /* EC curve OID to encode. */
@ -8161,6 +8172,14 @@ static int GetAlgoV2(int encAlgId, const byte** oid, int *len, int* id,
        *blkSz = 8;
        break;
 #endif
+#if defined(WOLFSSL_AES_128) && defined(HAVE_AES_CBC)
+    case AES128CBCb:
+        *len = sizeof(blkAes128CbcOid);
+        *oid = blkAes128CbcOid;
+        *id = PBE_AES128_CBC;
+        *blkSz = 16;
+        break;
+#endif
 #if defined(WOLFSSL_AES_256) && defined(HAVE_AES_CBC)
    case AES256CBCb:
        *len = sizeof(blkAes256CbcOid);
@ -8230,7 +8249,7 @@ int wc_EncryptPKCS8Key(byte* key, word32 keySz, byte* out, word32* outSz,
        padSz = (word32)((blockSz - ((int)keySz & (blockSz - 1))) &
            (blockSz - 1));
        /* inner = OCT salt INT itt */
-        innerLen = 2 + saltSz + 2 + (itt < 256 ? 1 : 2);
+        innerLen = 2 + saltSz + 2 + ((itt < 256) ? 1 : ((itt < 65536) ? 2 : 3));

        if (version != PKCS5v2) {
            pbeOidBuf = OidFromId((word32)pbeId, oidPBEType, &pbeOidBufSz);
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -45417,7 +45417,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t certpiv_test(void)
        0x0B, 0x01, 0x00,     /* Nonce */
        0x0C, 0x01, 0x00,     /* Signed Nonce */
    };
-    /* PIV certificate data including certificate, info and error dectection. */
+    /* PIV certificate data including certificate, info and error detection. */
    WOLFSSL_SMALL_STACK_STATIC const byte pivCert[] = {
        0x53, 0x09,         /* NIST PIV Cert */
          0x70, 0x02,       /* Certificate */
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -2568,6 +2568,7 @@ enum PBESTypes {

    PBE_SHA1_RC4_128_SUM   = 657,
    PBE_SHA1_DES3_SUM      = 659,
+    PBE_SHA1_40RC2_CBC_SUM = 662,
    PBE_MD5_DES_SUM        = 651,
    PBE_SHA1_DES_SUM       = 658,
    PBES2_SUM              = 661,
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@ -116,6 +116,26 @@ enum Ecc_Sum {
 };


+enum EncPkcs8Types {
+    ENC_PKCS8_VER_PKCS12 = 1,
+    ENC_PKCS8_VER_PKCS5 =  5,
+
+    ENC_PKCS8_PBES2 =  13,
+
+    ENC_PKCS8_PBE_SHA1_RC4_128   = 1,
+    ENC_PKCS8_PBE_SHA1_DES       = 2,
+    ENC_PKCS8_PBE_SHA1_DES3      = 3,
+    ENC_PKCS8_PBE_SHA1_40RC2_CBC = 6,
+
+    ENC_PKCS8_PBES1_MD5_DES      = 3,
+    ENC_PKCS8_PBES1_SHA1_DES     = 10,
+
+    ENC_PKCS8_ALG_AES128CBC = 414,
+    ENC_PKCS8_ALG_AES256CBC = 454,
+    ENC_PKCS8_ALG_DES       = 69,
+    ENC_PKCS8_ALG_DES3      = 652
+};
+
 /* Certificate file Type */
 enum CertType {
    CERT_TYPE       = 0,