Improve certificate handling a bit and fix up tests.encryption

16 files changed, 274 insertions, 10 deletions

diff --git a/test/certificates_test.cc b/test/certificates_test.cc
index 92c6555d..40e550cb 100644
--- a/test/certificates_test.cc
+++ b/test/certificates_test.cc
@@ -21,24 +21,54 @@ BOOST_AUTO_TEST_CASE (certificates)
 {
 	libdcp::CertificateChain c;
 
-	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/data/crypt/ca.self-signed.pem")));
-	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/data/crypt/intermediate.signed.pem")));
-	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/data/crypt/leaf.signed.pem")));
+	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/ref/crypt/ca.self-signed.pem")));
+	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/ref/crypt/intermediate.signed.pem")));
+	c.add (shared_ptr<libdcp::Certificate> (new libdcp::Certificate ("test/ref/crypt/leaf.signed.pem")));
+
+	list<shared_ptr<libdcp::Certificate> > leaf_to_root = c.leaf_to_root ();
+
+	list<shared_ptr<libdcp::Certificate> >::iterator i = leaf_to_root.begin ();
+
+	/* Leaf */
+	BOOST_CHECK_EQUAL (*i, c.leaf ());
 	
 	BOOST_CHECK_EQUAL (
-		c.root()->issuer(),
-		"/O=example.org/OU=example.org/CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION/dnQualifier=rTeK7x+nopFkyphflooz6p2ZM7A="
+		c.leaf()->issuer(),
+		"dnQualifier=bmtwThq3srgxIAeRMjX6BFhgLDw=,CN=.smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
+		);
+
+	BOOST_CHECK_EQUAL (
+		c.leaf()->subject(),
+		"dnQualifier=d95fGDzERNdxfYPgphvAR8A18L4=,CN=CS.smpte-430-2.LEAF.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
 		);
 	
+	++i;
+
+	/* Intermediate */
 	BOOST_CHECK_EQUAL (
-		libdcp::Certificate::name_for_xml (c.root()->issuer()),
-		"dnQualifier=rTeK7x\\+nopFkyphflooz6p2ZM7A=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
+		(*i)->issuer(),
+		"dnQualifier=ndND9A/cODo2rTdrbLVmfQnoaSc=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
+		);
+
+	BOOST_CHECK_EQUAL (
+		(*i)->subject(),
+		"dnQualifier=bmtwThq3srgxIAeRMjX6BFhgLDw=,CN=.smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
+		);
+	
+	++i;
+
+	/* Root */
+	BOOST_CHECK_EQUAL (*i, c.root ());
+	BOOST_CHECK_EQUAL (
+		c.root()->issuer(),
+		"dnQualifier=ndND9A/cODo2rTdrbLVmfQnoaSc=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
 		);
 
 	BOOST_CHECK_EQUAL (c.root()->serial(), "5");
 
 	BOOST_CHECK_EQUAL (
-		libdcp::Certificate::name_for_xml (c.root()->subject()),
-		"dnQualifier=rTeK7x\\+nopFkyphflooz6p2ZM7A=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
+		c.root()->subject(),
+		"dnQualifier=ndND9A/cODo2rTdrbLVmfQnoaSc=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org"
 		);
+
 }
diff --git a/test/ref/crypt/ca.cnf b/test/ref/crypt/ca.cnf
new file mode 100644
index 00000000..99a31f65
--- /dev/null
+++ b/test/ref/crypt/ca.cnf
@@ -0,0 +1,12 @@
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions	= v3_ca
+[ v3_ca ]
+basicConstraints = critical,CA:true,pathlen:3
+keyUsage = keyCertSign,cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+[ req_distinguished_name ]
+O = Unique organization name
+OU = Organization unit
+CN = Entity and dnQualifier
diff --git a/test/ref/crypt/ca.key b/test/ref/crypt/ca.key
new file mode 100644
index 00000000..f42d466b
--- /dev/null
+++ b/test/ref/crypt/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA02fV7twMSs7An/IWlu0LRGRGrjFH6EpG81JjWVGDsM7jr34a
+ksztQaUVSPP5N2c5F0e17FqfEmz7BNe7OVjy8KOLg0q6PV7UQzhRWmdNtxHfaNmb
+6HOm8M/AqZyqYgQdVxzMPQZot6vPOn+ypNEgrG1/TiXlAufxVH8A0mVLPKo0ZF2H
+ds48YBRr2G6JCkltWcJKCyEaCSYUnI0p8E3f2gJXHp33MA1enHIziaYeA7K7tTaQ
+pudL4ufz0a9NLwVzMXQtmIDcljjTOZPCJwYlNLgplplOWEkUnPQN3Fbaysz9VhxN
+ve/EzRaiqYxGvLYDmLmpUnyNqTLQNtxFRteESQIDAQABAoIBAQDNjQab6uUgz4rH
+efGw6easpvt6X3xVRfNant7ud62d+muztN9NoWeHDmZ1upK05e7Czfz7RNmqZsBj
+YwctqWj9xWbfT4dqKIwml9myFwOfXwdkwUEwcVL+jmH8CNI531pP2zZSl6q1+53Q
+eV1Pl+82+HhxmbLkcnVZ/Orlp4vR/L7erCd+66am+DiuxSxHkdcqyTjfRhCCKHS6
+85JO8HypByaZt4Ds3IgXX5TfRv71/ZVHreYXFEUQybFL1Pj9qUq/57AHpH3c/Qg1
+Sc2hVMWA6Pfj9i+R+gCy/MKFOz163NEbN9NvgY7kcqubRiMWU1MOsd9WhqzZrf5Y
+tRFYcZ8pAoGBAPlHyqzLp765Gr1EIGheA/T14Miw3Ymm0rAjiLhR7Kn0sN4MUZon
+Tz5ztxBoZXpANEkhy8IebcFnC0iQ+Q/7h23ZL2O042sy2KuVU0iQ2SANTGuLWHV/
+ChMc+qwtuNmozuJNN3ZTItgS6W/dEwJ+hl0puVBu0q/jFPOHw36Kbvr7AoGBANka
+rmvWvj1czTfcEtFbgQm/PoK5fWReNT//JIvVoe7q2uU1sQ3hgJ1X34KfChb8+0Gx
+yM7ZvxD96342Bj1BPSU7AwoO/D2dBb3HzmZWpnr6o/WX8bJ3GfyBmXBUaxm4G4Ny
+udP5D/2NZEslCx9ouKO/9x9+kX+7Yvx3nC/Zu1qLAoGAXzaUqzt+btK06+XBmxuN
+11qy6PTlKVaW0sA/0Gc6RhA4HhgGcyLgmbIJEjNNz0wGrIhEE3kb4utA3A7Dkt83
+8zUpbKQC2Ucqix8WGHl69UsfDVTEDNzhNDu1Y15zZG+d1cI4lPFcNbvDff6q7CD3
+oU32gkpSHuxVbE9G1GZ7zVECgYEAtWFOMbhCTf/XUADkE9cP8nW9oveXZCA0+teN
+z+nWlUXPRUnbN06b5liA2p9Gjbgjrln6+539vBN4CITYJ5r2m8E2o9OrN0qVfl2M
++gEQq5P1IX0lJ8XLhyM7bxaIN/+RtPtHd2oQyvOyw/kZ1s7l26DItJ5Irt9+LpE7
+gtq0ZUsCgYEAgclUFTYEhZsZcU5JYohMunNcXQBSEK65d+K9Y4hLRpDIAvQUgG9B
+qeplk1D+nZ+mCzc7A/WypI6YNYEV9h/8nbnzu6ZYlbpNzNL9+0JEK+R6NTK4bVQi
+RR1l/1GwHugrvgtpz6E+l6HNvEuR03Yv8IQmGND9tc4Hd26LYVTM1Xc=
+-----END RSA PRIVATE KEY-----
diff --git a/test/ref/crypt/ca.self-signed.pem b/test/ref/crypt/ca.self-signed.pem
new file mode 100644
index 00000000..cc82b5d9
--- /dev/null
+++ b/test/ref/crypt/ca.self-signed.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEdzCCA1+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBgjEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxFDASBgNVBAsTC2V4YW1wbGUub3JnMS0wKwYDVQQDFCQuc21wdGUt
+NDMwLTIuUk9PVC5OT1RfRk9SX1BST0RVQ1RJT04xJTAjBgNVBC4THG5kTkQ5QS9j
+T0RvMnJUZHJiTFZtZlFub2FTYz0wHhcNMTMwNzA4MDkzODU4WhcNMjMwNzA2MDkz
+ODU4WjCBgjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFDASBgNVBAsTC2V4YW1wbGUu
+b3JnMS0wKwYDVQQDFCQuc21wdGUtNDMwLTIuUk9PVC5OT1RfRk9SX1BST0RVQ1RJ
+T04xJTAjBgNVBC4THG5kTkQ5QS9jT0RvMnJUZHJiTFZtZlFub2FTYz0wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTZ9Xu3AxKzsCf8haW7QtEZEauMUfo
+SkbzUmNZUYOwzuOvfhqSzO1BpRVI8/k3ZzkXR7XsWp8SbPsE17s5WPLwo4uDSro9
+XtRDOFFaZ023Ed9o2Zvoc6bwz8CpnKpiBB1XHMw9Bmi3q886f7Kk0SCsbX9OJeUC
+5/FUfwDSZUs8qjRkXYd2zjxgFGvYbokKSW1ZwkoLIRoJJhScjSnwTd/aAlcenfcw
+DV6ccjOJph4Dsru1NpCm50vi5/PRr00vBXMxdC2YgNyWONM5k8InBiU0uCmWmU5Y
+SRSc9A3cVtrKzP1WHE2978TNFqKpjEa8tgOYualSfI2pMtA23EVG14RJAgMBAAGj
+gfUwgfIwEgYDVR0TAQH/BAgwBgEB/wIBAzALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
+FAO0IG2/7I/48h7I8PEygQewCJYoMIGvBgNVHSMEgacwgaSAFAO0IG2/7I/48h7I
+8PEygQewCJYooYGIpIGFMIGCMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEUMBIGA1UE
+CxMLZXhhbXBsZS5vcmcxLTArBgNVBAMUJC5zbXB0ZS00MzAtMi5ST09ULk5PVF9G
+T1JfUFJPRFVDVElPTjElMCMGA1UELhMcbmRORDlBL2NPRG8yclRkcmJMVm1mUW5v
+YVNjPYIBBTANBgkqhkiG9w0BAQsFAAOCAQEAp2V3npo0m7Vmdhpr6mk5UybM16Hx
+M99zoKGUpm6k9PYRk8ysEhD7M8hDuwiiFoRJj1+X8V4HLwNU3JTTQzSl88pMvLg8
+Tyl4ICELg9MN/Eyfnu6iyGDfPzcsuv8xZN53211LobqW+HGK8r+slf5GPDILka8r
+GB7sFRjvq3SEGpqupKI9sJFmvHyQplJ1ixrIkSnTEuBFBrDtQj+cjrqlvRw/dReo
+3uELGe5GyvBcP0hDgrvZQmTdCLQfo4998MMhLDyxvD9/D4jpRcCrLzs2uB3Tw3kT
+1KkAjDA/33J1XCZEkb1ArS2L/I12T0DoSQqb17NE3xccY+6iRFXRMFWDIQ==
+-----END CERTIFICATE-----
diff --git a/test/ref/crypt/ca_dnq b/test/ref/crypt/ca_dnq
new file mode 100644
index 00000000..08d4dbd3
--- /dev/null
+++ b/test/ref/crypt/ca_dnq
@@ -0,0 +1 @@
+A7Qgbb/sj/jyHsjw8TKBB7AIlig=
diff --git a/test/ref/crypt/inter_dnq b/test/ref/crypt/inter_dnq
new file mode 100644
index 00000000..54220da8
--- /dev/null
+++ b/test/ref/crypt/inter_dnq
@@ -0,0 +1 @@
+bmtwThq3srgxIAeRMjX6BFhgLDw=
diff --git a/test/ref/crypt/intermediate.cnf b/test/ref/crypt/intermediate.cnf
new file mode 100644
index 00000000..82473c50
--- /dev/null
+++ b/test/ref/crypt/intermediate.cnf
@@ -0,0 +1,12 @@
+[ default ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+[ v3_ca ]
+basicConstraints = critical,CA:true,pathlen:2
+keyUsage = keyCertSign,cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+[ req_distinguished_name ]
+O = Unique organization name
+OU = Organization unit
+CN = Entity and dnQualifier
diff --git a/test/ref/crypt/intermediate.csr b/test/ref/crypt/intermediate.csr
new file mode 100644
index 00000000..674eb8f8
--- /dev/null
+++ b/test/ref/crypt/intermediate.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC0DCCAbgCAQAwgYoxFDASBgNVBAoTC2V4YW1wbGUub3JnMRQwEgYDVQQLEwtl
+eGFtcGxlLm9yZzE1MDMGA1UEAxQsLnNtcHRlLTQzMC0yLklOVEVSTUVESUFURS5O
+T1RfRk9SX1BST0RVQ1RJT04xJTAjBgNVBC4THGJtdHdUaHEzc3JneElBZVJNalg2
+QkZoZ0xEdz0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKwqWoipez
+PzWLSjUAKB/s1HJwUzUOsYUSA8bzwIL3Bh+LX9JKV5mfKaU1P2WSmhWQfv6SFPvS
+X4grrqrr8OBEJywAa+tZumiZRNb/tMoM2bAsh8okZ6ejsjk6yZ8i+soJ4l/4IKfu
+85LoeLqQJUFGgg6jW1H7OlofQb5mgZZbyNz8X2qg5UFYGOdwK/fdQQNJHBTnXf+G
+S6mcIRIohGNbNwoWC08ZajzP1MTnkS1KYZhpk0igSnPaaUzftv9OLECdVMfkWeT5
+iePngBHFvAoyjORKmQDtxAN7vPA6N7mYy1zMUhnic7NykF/5VWZJRbDuXdXgEJvW
+Ys3wmzz6Cn9pAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAwznL6dOiiqrrXywI
+rBXqRWtm0Wve1d4U1L3e/YlEsXN9SZA3SMFIEhDubb9N/GbXrAABDzRuRPDrhhJH
+m8APTiuL8giLSsahNoODJX83dNpoDPCyZrfErLVMrHJbWIwevjaXQaXfA1hk+edQ
+sOk6XF84XwrjtSJ347fKjFkG64LBtnVUXEKmxCVJPz0GO1rfl52a8sx8eyMYBP/l
+6bK5AO04y9Zts1eM1vvhKaYmyHe6Usd1v3deEVPD7U6bYFdLKQovLyrzKthw0vhf
+1r000VzIICNGxktOz8L7MYTbX8NDKHZe3GHZnkEyNmXtKyUo9RtHUn2lbNHNDqay
+BBermQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/test/ref/crypt/intermediate.key b/test/ref/crypt/intermediate.key
new file mode 100644
index 00000000..37a51756
--- /dev/null
+++ b/test/ref/crypt/intermediate.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAysKlqIqXsz81i0o1ACgf7NRycFM1DrGFEgPG88CC9wYfi1/S
+SleZnymlNT9lkpoVkH7+khT70l+IK66q6/DgRCcsAGvrWbpomUTW/7TKDNmwLIfK
+JGeno7I5OsmfIvrKCeJf+CCn7vOS6Hi6kCVBRoIOo1tR+zpaH0G+ZoGWW8jc/F9q
+oOVBWBjncCv33UEDSRwU513/hkupnCESKIRjWzcKFgtPGWo8z9TE55EtSmGYaZNI
+oEpz2mlM37b/TixAnVTH5Fnk+Ynj54ARxbwKMozkSpkA7cQDe7zwOje5mMtczFIZ
+4nOzcpBf+VVmSUWw7l3V4BCb1mLN8Js8+gp/aQIDAQABAoIBAQDH65KBk12ufHWk
+CKAnrmiEEJlhzXk0Kq8FqznA36GCRcRWnT1w1d0ABYUC8qaJHWqD1ePWT+BYdp+C
+Sq/3AcNvD5ygMciV6Wn3Ldw7tpu+fenqjl0u9hFiI3mwUFqbl+IcStvLgQ90WTAS
+DfAN7t3k0pnyUjmMV+XCigVddwq1JaAD7bJq68pv7vwiCBXQGmcGQ1+be0fTkVVx
+OZfnOX5oWFhcRLYdN8aPU9Im6gjDgYqQVRGvC5fP/S6xZgFrf4w9RuptGq2msPmv
++SunBYmQOiBF31UsG4SdkQ0OPfHaVqAnx4y6zd5pOf95exgrb8iDNeehLvDCWeS7
+FLpedkEdAoGBAObm+mElK9sxT5I+yNRTSxNWb3dSKHA+HLS04mhH1KRN7P1GHJuN
+rpna5m7/Y3iuaw1TMsptBxXn6RgBYSXDwXC9XaocgWCYgvFx/zlDwhLmg0cMoMVW
+bbEeC78Hb/B2f0ZvgDaNIfZrorXgqeI/RfJO7jRZ/NaSRbL3dNz5aamHAoGBAODM
+mZJRQAwbhY9cvDGxeUI3s3lHT6NjWyEfE56QV42B+0r/EHUUCwOCr7opj7kIRC8h
+G0tP3YtblJxGKAqixhcZRDdADwTZ2RrfUQOL84GSlJyizM38STvCohmDpnatp8td
+xptqWnwkad9Pz3YltQsXWsPxRzKJOwgWhyYzZAuPAoGAITaqX1zscQwnyP6U/s24
+Z+CwCfbccEDO+kNmqd9jO/slks0KAmof6mutZ9v+n/Ze2bzU+n8yXLlOMzDHm5oL
+8j6bAYQ2LAHkG/zs3HzdpsBXs9miKqCjCK4svF7CgFFbP3N8etxUPVEAR684YJ3/
+Xrpx0z/6eZbyxaqIudx6kXMCgYEApilVknuQNeLZ9D/9s1WVZca6WHjHeuPj5jWM
+UPYsYSKk1qh2R7QK+AtPTPGPlJtxmsyD2kUsYufMjz6kNkhe15ALhjNJZrKH8X8D
+6PU3hp0MUENd0xwaHZweKXHQR4TQtFeaiCIyw/Q+dZwOoyv4CDy5EIB1ufsJsU7F
+kw0FdC0CgYA7jkt1JbyxGCNTDfq1m5xNSgRLs9DQ7/MKIqOBxumX74PAXwp1YUqH
+Q7Hip448cgbPackjCWCahCP9OZHKO+KX008CJOel7EK59zJJAYb1YktKfMoZACo9
+UQFj+L+Ri3hGzaMX+9GpFL02xGzw4QdZCpzGC/dg3GtI1ieD7gfiKg==
+-----END RSA PRIVATE KEY-----
diff --git a/test/ref/crypt/intermediate.signed.pem b/test/ref/crypt/intermediate.signed.pem
new file mode 100644
index 00000000..750d4cd7
--- /dev/null
+++ b/test/ref/crypt/intermediate.signed.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEfzCCA2egAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBgjEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxFDASBgNVBAsTC2V4YW1wbGUub3JnMS0wKwYDVQQDFCQuc21wdGUt
+NDMwLTIuUk9PVC5OT1RfRk9SX1BST0RVQ1RJT04xJTAjBgNVBC4THG5kTkQ5QS9j
+T0RvMnJUZHJiTFZtZlFub2FTYz0wHhcNMTMwNzA4MDkzODU5WhcNMjMwNzA1MDkz
+ODU5WjCBijEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFDASBgNVBAsTC2V4YW1wbGUu
+b3JnMTUwMwYDVQQDFCwuc21wdGUtNDMwLTIuSU5URVJNRURJQVRFLk5PVF9GT1Jf
+UFJPRFVDVElPTjElMCMGA1UELhMcYm10d1RocTNzcmd4SUFlUk1qWDZCRmhnTER3
+PTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrCpaiKl7M/NYtKNQAo
+H+zUcnBTNQ6xhRIDxvPAgvcGH4tf0kpXmZ8ppTU/ZZKaFZB+/pIU+9JfiCuuquvw
+4EQnLABr61m6aJlE1v+0ygzZsCyHyiRnp6OyOTrJnyL6ygniX/ggp+7zkuh4upAl
+QUaCDqNbUfs6Wh9BvmaBllvI3PxfaqDlQVgY53Ar991BA0kcFOdd/4ZLqZwhEiiE
+Y1s3ChYLTxlqPM/UxOeRLUphmGmTSKBKc9ppTN+2/04sQJ1Ux+RZ5PmJ4+eAEcW8
+CjKM5EqZAO3EA3u88Do3uZjLXMxSGeJzs3KQX/lVZklFsO5d1eAQm9ZizfCbPPoK
+f2kCAwEAAaOB9TCB8jASBgNVHRMBAf8ECDAGAQH/AgECMAsGA1UdDwQEAwIBBjAd
+BgNVHQ4EFgQUbmtwThq3srgxIAeRMjX6BFhgLDwwga8GA1UdIwSBpzCBpIAUA7Qg
+bb/sj/jyHsjw8TKBB7AIliihgYikgYUwgYIxFDASBgNVBAoTC2V4YW1wbGUub3Jn
+MRQwEgYDVQQLEwtleGFtcGxlLm9yZzEtMCsGA1UEAxQkLnNtcHRlLTQzMC0yLlJP
+T1QuTk9UX0ZPUl9QUk9EVUNUSU9OMSUwIwYDVQQuExxuZE5EOUEvY09EbzJyVGRy
+YkxWbWZRbm9hU2M9ggEFMA0GCSqGSIb3DQEBCwUAA4IBAQBnlzVaMqhuenDQV7Zg
+aMa6IisupI3k9J6Z24fiEOGhCfAp0fiulx2oCSrXlYnJFGe6ndeWWer9UN1h+lAc
+ozKYwxsJx8jSkgwGYX5v8Cn2Sp2/gV5umCcmpZfIExEOZRmjgKzqyr658EyvmrYJ
+nqrig/N8wUWeS5EzMSiE1sVfyIZmUpKhuqmGQUXnftVMCKSrqAh+Au7ndlR77/dm
+ZBJzzX79nn4L9XqghdoFCPRt4rx1CMU26MmiuEzNcYJ3uSJc1SSz5tT69JQvp8Fj
+InhKTMv0wWysEsfE6+aARPtrqAUJBRAG83oP6L0gdJYWJagGFVoZLfjPf+v9JgYZ
+Wo+D
+-----END CERTIFICATE-----
diff --git a/test/ref/crypt/leaf.cnf b/test/ref/crypt/leaf.cnf
new file mode 100644
index 00000000..6b4ebcf8
--- /dev/null
+++ b/test/ref/crypt/leaf.cnf
@@ -0,0 +1,12 @@
+[ default ]
+distinguished_name = req_distinguished_name
+x509_extensions	= v3_ca
+[ v3_ca ]
+basicConstraints = critical,CA:false
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+[ req_distinguished_name ]
+O = Unique organization name
+OU = Organization unit
+CN = Entity and dnQualifier
diff --git a/test/ref/crypt/leaf.csr b/test/ref/crypt/leaf.csr
new file mode 100644
index 00000000..46fa505a
--- /dev/null
+++ b/test/ref/crypt/leaf.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICyjCCAbICAQAwgYQxFDASBgNVBAoTC2V4YW1wbGUub3JnMRQwEgYDVQQLEwtl
+eGFtcGxlLm9yZzEvMC0GA1UEAxQmQ1Muc21wdGUtNDMwLTIuTEVBRi5OT1RfRk9S
+X1BST0RVQ1RJT04xJTAjBgNVBC4THGQ5NWZHRHpFUk5keGZZUGdwaHZBUjhBMThM
+ND0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgCLvRhPtqZZK9dY7Y
+sv0euQ0RCRHQc07iRlL7a/cKduuVKdKQuADiuCyZI82EceCySveWPPEf8y6Aq/e0
+uVIfLByo/GPTpJQK93tpZ9QogZHfdfFnAUH0dzqEIoxw5jEUkhJ8XFySdKByZCNE
++ctNtoJz+L+w4dCIudleZNUh7jdWsT7PNgk7sEGdTteePUwZPPPtxyigvd2nyJK3
+gTsTeYYZUzJOd0gQTd/HzLW08WKA0p08oGjV9cPukWQvuJ0f4M7k+HB/85KNLhl6
+AEKtv3p9Gla/OGHrPtRI57yIpjnEOKvlzhQpjXkmxXDYRLGQ8X3AWkUcLJe3ZhKQ
+NhsdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAoAe5Zidlanz+94iNrjgr/sUE
+OPRWWl/9rnAMU8Y8kVk//WcNG5V3ShlzNUwT7SF64tDd54M5PT0TLb9oQnHArsyH
+QuWYa9C+IwttxwRH90u3gMqolkxhob4V75YYcaHtGDrgawjZ/ZrBePMX5lJThexX
+HBlwWfjlDiIu9tgHxRBn334uwTLJ40T6hw+Hc+E6UzREQ5rdH5bgzMu0FVrX0LVu
++AnjSXjU1KDi3s3o4IjQncAExE6tsdIIGN03oGGeMYwgxR1RKxYqAfT0Tf021ePn
+2SmEAsiDSnmTX+3ienNJ/ZW2AGHFjwlqSgvOCpAVxFuNaQLNUkeU5lYJA0LGjw==
+-----END CERTIFICATE REQUEST-----
diff --git a/test/ref/crypt/leaf.key b/test/ref/crypt/leaf.key
new file mode 100644
index 00000000..1d690452
--- /dev/null
+++ b/test/ref/crypt/leaf.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4Ai70YT7amWSvXWO2LL9HrkNEQkR0HNO4kZS+2v3CnbrlSnS
+kLgA4rgsmSPNhHHgskr3ljzxH/MugKv3tLlSHywcqPxj06SUCvd7aWfUKIGR33Xx
+ZwFB9Hc6hCKMcOYxFJISfFxcknSgcmQjRPnLTbaCc/i/sOHQiLnZXmTVIe43VrE+
+zzYJO7BBnU7Xnj1MGTzz7ccooL3dp8iSt4E7E3mGGVMyTndIEE3fx8y1tPFigNKd
+PKBo1fXD7pFkL7idH+DO5Phwf/OSjS4ZegBCrb96fRpWvzhh6z7USOe8iKY5xDir
+5c4UKY15JsVw2ESxkPF9wFpFHCyXt2YSkDYbHQIDAQABAoIBAEA2QJ7s3qLAOi7T
+Yv35T1Ne9r/LOa/lXNa+EUq+xy/Ype06739LPfW9lArQmDc97Ikts4j8LqBZsxpu
+L7E87KzCl/RXYsVmhogeJuEvQT/a41SJGYfMdHr9MWht/pLdZ3Pd6i56yo2vn80p
+pnI+pma/yOQ0h7zK/Foz6nmDrRLsCuQyqrQScI/PNnt3PvkRGzSDprG8vstuYW1T
++jJkrkdOUDwo4Lj4JkVRG6EhLSLDH1DuUg+uzd5BDmTGuyviDAAf1enC/3ceTWRW
+DnUf9rHb7Hv7U4N0MDDGX5QXaMnSk3IYBLV12m2cBMPVR7nbFVblqmWNGzIWgWF5
+IRgUeAECgYEA8xVgRCUzP2t/td8ZVmXfQwBI48I9/URCajDvPMvaeQy79Byz4RW9
+WMJcJUXSPOXary3szhn2BqFnorByUvCpyenSXnhqI/geJl2Yrdhb0oLX5W/zc3ju
+Fc5lB4dnDTb1W2x/I483E6JDqPE3FsdmJ2L795jYXodwrCsuz87ihXECgYEA6/A7
+aAmPJ4wonCt8qt1vo9eNNIMl8h5fzO0uRpHTqy9YgbUxdWTfA9YhQJU2Bn4vh+AD
+bJm2oNP4XqfPQkYS3FcKNrnYUBmG3DtP0mcBmxmkcWZy/zPeTxkN6S3IQBfAK3i2
+muhTn6nfJo/px1Me4Li2RQUriiKqpXFAYltq6m0CgYBe627uzTPoxNpWs2pacWcv
+65GK1lOMbTYd70PMErIZ6J4QIZEgCHQqj6KZr1z8CKlPFHjOthZ62lX0kj/iITW7
+sYFDAHQ53W4wfwXahIy+c/dIEWIYKhWWEEUlHntgDqDadVBkG01fblJLSv2++Ffs
+c1t+gIGkz/BwWmBqJxgPEQKBgQCtQtJtWS++TAf6f1jipRB50i4I1RKFldamR7rG
+6gn12SP2xJfYbMX1LEdpBOoSpJHFBzWch9j8jA0FfdgPBCSPmH+QprN6RvSpQAkj
+Kq+cNZ10BVcHoBBuJ6j2hr9aidZ+VfxLD7dxNa8Aw4ha7uhrAFohn2VU4JZOPjeY
+wydllQKBgQCgehyGVKemtsB6kNJATruplCzpFeRaDgN2Pc2pGBJtxZzTQhtzwQZ0
+M6uoBPasks0XJsgNGO72dl6g+zN0Hysw7V9bJq2au9w2J21T1uhybpQe2dch54f4
+HOFiXW86Rywb4MnDpXUbfFJaORDutauxJbZqUGLbjNXiHt9CWc89cw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/ref/crypt/leaf.signed.pem b/test/ref/crypt/leaf.signed.pem
new file mode 100644
index 00000000..637d2062
--- /dev/null
+++ b/test/ref/crypt/leaf.signed.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEezCCA2OgAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBijEUMBIGA1UEChMLZXhh
+bXBsZS5vcmcxFDASBgNVBAsTC2V4YW1wbGUub3JnMTUwMwYDVQQDFCwuc21wdGUt
+NDMwLTIuSU5URVJNRURJQVRFLk5PVF9GT1JfUFJPRFVDVElPTjElMCMGA1UELhMc
+Ym10d1RocTNzcmd4SUFlUk1qWDZCRmhnTER3PTAeFw0xMzA3MDgwOTM5MDBaFw0y
+MzA3MDQwOTM5MDBaMIGEMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEUMBIGA1UECxML
+ZXhhbXBsZS5vcmcxLzAtBgNVBAMUJkNTLnNtcHRlLTQzMC0yLkxFQUYuTk9UX0ZP
+Ul9QUk9EVUNUSU9OMSUwIwYDVQQuExxkOTVmR0R6RVJOZHhmWVBncGh2QVI4QTE4
+TDQ9MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Ai70YT7amWSvXWO
+2LL9HrkNEQkR0HNO4kZS+2v3CnbrlSnSkLgA4rgsmSPNhHHgskr3ljzxH/MugKv3
+tLlSHywcqPxj06SUCvd7aWfUKIGR33XxZwFB9Hc6hCKMcOYxFJISfFxcknSgcmQj
+RPnLTbaCc/i/sOHQiLnZXmTVIe43VrE+zzYJO7BBnU7Xnj1MGTzz7ccooL3dp8iS
+t4E7E3mGGVMyTndIEE3fx8y1tPFigNKdPKBo1fXD7pFkL7idH+DO5Phwf/OSjS4Z
+egBCrb96fRpWvzhh6z7USOe8iKY5xDir5c4UKY15JsVw2ESxkPF9wFpFHCyXt2YS
+kDYbHQIDAQABo4HvMIHsMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMB0GA1Ud
+DgQWBBR33l8YPMRE13F9g+CmG8BHwDXwvjCBrwYDVR0jBIGnMIGkgBRua3BOGrey
+uDEgB5EyNfoEWGAsPKGBiKSBhTCBgjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxFDAS
+BgNVBAsTC2V4YW1wbGUub3JnMS0wKwYDVQQDFCQuc21wdGUtNDMwLTIuUk9PVC5O
+T1RfRk9SX1BST0RVQ1RJT04xJTAjBgNVBC4THG5kTkQ5QS9jT0RvMnJUZHJiTFZt
+ZlFub2FTYz2CAQYwDQYJKoZIhvcNAQELBQADggEBAKTd8vC9j06NL727VdnYZEwa
+D4MUTnv1UW5d/FdQR87WpGV+17CKblWGJtLTfFmV9LwcGlys6ZzrLRYpBf+81vYq
+VUhl7rrU7askIiacSlfYx4riv9KH5JLmyLdo7sjX4dhfj5IH/ilan7le1shjEl0P
+UrEgYX1dt5OOnMpzaIRHU+GWVlkY3M5VDdDfMPstuPJ+MeAP1fH0Ylajhc4O5nmu
+hWfXc9qa5bxOLzNDBOsXS8hbnTpUS1qpqzea5NSogdxGIiyk/OluU1ZJJPQhf0iK
+K6U6e4+TpHKVvqUwQcPUw9TcBGIDkwJTtLF48ZhFI9Gv016SmSwUobgcDA9e97o=
+-----END CERTIFICATE-----
diff --git a/test/ref/crypt/leaf_dnq b/test/ref/crypt/leaf_dnq
new file mode 100644
index 00000000..c99bca4d
--- /dev/null
+++ b/test/ref/crypt/leaf_dnq
@@ -0,0 +1 @@
+d95fGDzERNdxfYPgphvAR8A18L4=
diff --git a/test/tests.cc b/test/tests.cc
index 49c6689f..acf3b990 100644
--- a/test/tests.cc
+++ b/test/tests.cc
@@ -79,6 +79,7 @@ static string test_corpus = "../libdcp-test";
 #include "dcp_time_test.cc"
 #include "color_test.cc"
 #include "recovery_test.cc"
+#include "certificates_test.cc"
 
 //BOOST_AUTO_TEST_CASE (crypt_chain)
 //{
@@ -88,4 +89,3 @@ static string test_corpus = "../libdcp-test";
 //}
 
 //#include "encryption_test.cc"
-//#include "certificates_test.cc"