
tests: EAP-TLS with intermediate CAs and OCSP multi

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 9 years ago
parent
commit
52811b8c90
34 changed files with 1919 additions and 0 deletions
  1. 125 0
      tests/hwsim/auth_serv/iCA-server/ca-and-root.pem
  2. 70 0
      tests/hwsim/auth_serv/iCA-server/cacert.pem
  3. 16 0
      tests/hwsim/auth_serv/iCA-server/careq.pem
  4. 2 0
      tests/hwsim/auth_serv/iCA-server/index.txt
  5. 1 0
      tests/hwsim/auth_serv/iCA-server/index.txt.attr
  6. 84 0
      tests/hwsim/auth_serv/iCA-server/newcerts/8020A0407F798AB8.pem
  7. 85 0
      tests/hwsim/auth_serv/iCA-server/newcerts/8020A0407F798AB9.pem
  8. 28 0
      tests/hwsim/auth_serv/iCA-server/private/cakey.pem
  9. 1 0
      tests/hwsim/auth_serv/iCA-server/serial
  10. 28 0
      tests/hwsim/auth_serv/iCA-server/server-revoked.key
  11. 85 0
      tests/hwsim/auth_serv/iCA-server/server-revoked.pem
  12. 16 0
      tests/hwsim/auth_serv/iCA-server/server-revoked.req
  13. 155 0
      tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem
  14. 28 0
      tests/hwsim/auth_serv/iCA-server/server.key
  15. 84 0
      tests/hwsim/auth_serv/iCA-server/server.pem
  16. 16 0
      tests/hwsim/auth_serv/iCA-server/server.req
  17. 154 0
      tests/hwsim/auth_serv/iCA-server/server_and_ica.pem
  18. 125 0
      tests/hwsim/auth_serv/iCA-user/ca-and-root.pem
  19. 70 0
      tests/hwsim/auth_serv/iCA-user/cacert.pem
  20. 16 0
      tests/hwsim/auth_serv/iCA-user/careq.pem
  21. 1 0
      tests/hwsim/auth_serv/iCA-user/index.txt
  22. 1 0
      tests/hwsim/auth_serv/iCA-user/index.txt.attr
  23. 84 0
      tests/hwsim/auth_serv/iCA-user/newcerts/E153BA3A7605DA1E.pem
  24. 28 0
      tests/hwsim/auth_serv/iCA-user/private/cakey.pem
  25. 1 0
      tests/hwsim/auth_serv/iCA-user/serial
  26. 28 0
      tests/hwsim/auth_serv/iCA-user/user.key
  27. 84 0
      tests/hwsim/auth_serv/iCA-user/user.pem
  28. 16 0
      tests/hwsim/auth_serv/iCA-user/user.req
  29. 154 0
      tests/hwsim/auth_serv/iCA-user/user_and_ica.pem
  30. 87 0
      tests/hwsim/auth_serv/ica-generate.sh
  31. 2 0
      tests/hwsim/auth_serv/rootCA/index.txt
  32. 1 0
      tests/hwsim/auth_serv/rootCA/index.txt.attr
  33. 1 0
      tests/hwsim/auth_serv/rootCA/serial
  34. 242 0
      tests/hwsim/test_ap_eap.py

+ 125 - 0
tests/hwsim/auth_serv/iCA-server/ca-and-root.pem

@@ -0,0 +1,125 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162867 (0xd8d3e3a6cbe3ccf3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:de:58:ac:e3:d8:7e:40:f6:84:2a:49:24:49:5a:
+                    f7:c8:23:08:b9:6c:d9:07:01:69:8f:77:28:71:42:
+                    a2:eb:ae:86:10:c6:31:61:9a:14:88:44:0a:68:bf:
+                    6e:a2:46:41:e9:6f:a2:89:fb:0b:f3:e1:b8:30:bf:
+                    e5:80:5e:f9:61:8d:6e:ac:e2:f7:28:e7:9e:44:28:
+                    b8:e4:6e:87:76:a9:d7:ac:ed:11:3f:de:c3:dd:41:
+                    c3:45:82:09:c3:a7:4c:e6:df:2b:88:1e:44:ce:e2:
+                    a7:29:53:f6:13:96:ad:6c:2e:93:00:28:42:77:bc:
+                    73:6e:86:e7:5b:e8:eb:e9:37:1d:63:e7:ea:05:5a:
+                    71:28:f0:81:0b:4c:3f:dd:73:f8:db:13:a8:f0:5f:
+                    6f:6f:e5:1b:c7:94:7f:57:c5:dc:66:26:0c:5a:71:
+                    7a:e3:d2:3e:7a:a6:59:46:03:61:78:89:84:3d:ef:
+                    22:9c:f8:c2:22:75:c4:0c:ef:fb:e4:fa:6f:b8:11:
+                    db:aa:92:9b:6c:23:4e:6e:e5:55:d2:41:47:18:95:
+                    c6:7d:17:be:6d:ab:39:a1:38:61:fd:f9:22:95:69:
+                    f3:9e:28:fd:8a:c8:58:72:3c:91:c2:22:d9:fb:b2:
+                    54:0f:9a:17:27:88:df:60:f5:de:fc:95:9f:25:c6:
+                    64:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         bd:22:63:3d:a7:e5:ce:c9:f5:66:1f:77:5f:d5:24:e3:68:dc:
+         a4:07:80:3e:5e:b1:2c:96:88:39:ad:00:4c:aa:9d:0b:ed:f3:
+         6d:df:9d:2f:97:d2:77:8b:ba:d0:9c:0f:a6:5e:60:b8:0f:e1:
+         96:b1:61:25:48:69:81:64:a8:5c:82:58:0b:f3:d0:a9:4e:8b:
+         90:fc:2f:67:57:da:72:dc:3c:eb:c2:20:19:05:8d:42:0d:14:
+         cf:00:db:59:00:ea:f0:76:3e:ca:85:b1:05:e5:b8:5f:0b:46:
+         c7:3c:a1:d9:5c:4d:b9:24:e7:d6:2b:3d:0d:eb:c3:88:d8:3a:
+         f6:60
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162817 (0xd8d3e3a6cbe3ccc1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Jun 29 16:41:22 2013 GMT
+            Not After : Jun 27 16:41:22 2023 GMT
+        Subject: C=FI, O=w1.fi, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:be:1e:86:e4:79:03:c1:d1:94:d5:d4:b3:b1:28:
+                    90:76:fb:b8:a6:cd:6d:1c:d1:48:f4:08:9a:67:ff:
+                    f9:a6:54:b1:19:29:df:29:1b:cd:f1:6f:66:01:e7:
+                    db:79:ce:c0:39:2a:25:13:26:94:0c:2c:7b:5a:2c:
+                    81:0f:94:ee:51:d0:75:e6:46:db:17:46:a7:15:8b:
+                    0e:57:0f:b0:54:76:63:12:ca:86:18:bc:1a:c3:16:
+                    c0:70:09:d6:6b:43:39:b8:98:29:46:ac:cb:6a:ad:
+                    38:88:3b:07:dc:81:cd:3a:f6:1d:f6:2f:ef:1d:d7:
+                    ae:8a:b6:d1:e7:b3:15:02:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         1a:cf:77:60:44:43:c4:55:0e:99:e0:89:aa:b9:d3:7b:32:b7:
+         5c:9c:7c:ca:fe:8c:d4:94:c6:5e:f3:83:19:5f:29:59:68:a4:
+         4f:dc:04:2e:b8:71:c0:6d:3b:ae:01:e4:b9:88:99:cc:ce:82:
+         be:6a:28:c2:ac:6a:94:c6:87:90:ed:85:3c:10:71:c5:ff:3c:
+         70:64:e2:41:62:31:ea:86:7b:11:8c:93:ea:c6:f3:f3:4e:f9:
+         d4:f2:81:90:d7:f4:fa:a1:91:6e:d4:dd:15:3e:26:3b:ac:1e:
+         c3:c2:1f:ed:bb:34:bf:cb:b2:67:c6:c6:51:e8:51:22:b4:f3:
+         92:e8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
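Review bot: The Root CA bundled as the second certificate in this file expires before the chain it anchors: it carries `Not After : Jun 27 16:41:22 2023 GMT`, while the new Server Intermediate CA above it runs to `Dec 22 19:37:36 2025 GMT`. Path validation against this bundle will therefore start failing at the root's expiry, well before the dates the new intermediate and leaf certificates advertise. The same root is a 1024-bit RSA key self-signed with `sha1WithRSAEncryption`, which stricter TLS library security policies may refuse as a trust anchor, so the intermediate-CA tests could fail for reasons unrelated to what they exercise. `ica-generate.sh` is not visible in this part of the page; if it does not regenerate the root, a comment there such as `# Root CA (1024-bit, SHA-1) expires 2023-06-27; regenerate root and both iCA trees together` would record the dependency. The other bundles in this commit that chain to the same root are affected in the same way.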

+ 70 - 0
tests/hwsim/auth_serv/iCA-server/cacert.pem

@@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162867 (0xd8d3e3a6cbe3ccf3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:de:58:ac:e3:d8:7e:40:f6:84:2a:49:24:49:5a:
+                    f7:c8:23:08:b9:6c:d9:07:01:69:8f:77:28:71:42:
+                    a2:eb:ae:86:10:c6:31:61:9a:14:88:44:0a:68:bf:
+                    6e:a2:46:41:e9:6f:a2:89:fb:0b:f3:e1:b8:30:bf:
+                    e5:80:5e:f9:61:8d:6e:ac:e2:f7:28:e7:9e:44:28:
+                    b8:e4:6e:87:76:a9:d7:ac:ed:11:3f:de:c3:dd:41:
+                    c3:45:82:09:c3:a7:4c:e6:df:2b:88:1e:44:ce:e2:
+                    a7:29:53:f6:13:96:ad:6c:2e:93:00:28:42:77:bc:
+                    73:6e:86:e7:5b:e8:eb:e9:37:1d:63:e7:ea:05:5a:
+                    71:28:f0:81:0b:4c:3f:dd:73:f8:db:13:a8:f0:5f:
+                    6f:6f:e5:1b:c7:94:7f:57:c5:dc:66:26:0c:5a:71:
+                    7a:e3:d2:3e:7a:a6:59:46:03:61:78:89:84:3d:ef:
+                    22:9c:f8:c2:22:75:c4:0c:ef:fb:e4:fa:6f:b8:11:
+                    db:aa:92:9b:6c:23:4e:6e:e5:55:d2:41:47:18:95:
+                    c6:7d:17:be:6d:ab:39:a1:38:61:fd:f9:22:95:69:
+                    f3:9e:28:fd:8a:c8:58:72:3c:91:c2:22:d9:fb:b2:
+                    54:0f:9a:17:27:88:df:60:f5:de:fc:95:9f:25:c6:
+                    64:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         bd:22:63:3d:a7:e5:ce:c9:f5:66:1f:77:5f:d5:24:e3:68:dc:
+         a4:07:80:3e:5e:b1:2c:96:88:39:ad:00:4c:aa:9d:0b:ed:f3:
+         6d:df:9d:2f:97:d2:77:8b:ba:d0:9c:0f:a6:5e:60:b8:0f:e1:
+         96:b1:61:25:48:69:81:64:a8:5c:82:58:0b:f3:d0:a9:4e:8b:
+         90:fc:2f:67:57:da:72:dc:3c:eb:c2:20:19:05:8d:42:0d:14:
+         cf:00:db:59:00:ea:f0:76:3e:ca:85:b1:05:e5:b8:5f:0b:46:
+         c7:3c:a1:d9:5c:4d:b9:24:e7:d6:2b:3d:0d:eb:c3:88:d8:3a:
+         f6:60
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAj6gAwIBAgIJANjT46bL48zzMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
+MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMD4xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEfMB0GA1UEAwwWU2VydmVyIEludGVybWVkaWF0ZSBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN5YrOPYfkD2hCpJJEla98gjCLls2QcB
+aY93KHFCouuuhhDGMWGaFIhECmi/bqJGQelvoon7C/PhuDC/5YBe+WGNbqzi9yjn
+nkQouORuh3ap16ztET/ew91Bw0WCCcOnTObfK4geRM7ipylT9hOWrWwukwAoQne8
+c26G51vo6+k3HWPn6gVacSjwgQtMP91z+NsTqPBfb2/lG8eUf1fF3GYmDFpxeuPS
+PnqmWUYDYXiJhD3vIpz4wiJ1xAzv++T6b7gR26qSm2wjTm7lVdJBRxiVxn0Xvm2r
+OaE4Yf35IpVp854o/YrIWHI8kcIi2fuyVA+aFyeI32D13vyVnyXGZIECAwEAAaNm
+MGQwHQYDVR0OBBYEFIQJi1UffS8PKNec7FROnxGXVdm5MB8GA1UdIwQYMBaAFLiS
+3v2KGLMww59V8zNdtMgpikEUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBAL0iYz2n5c7J9WYfd1/VJONo3KQHgD5e
+sSyWiDmtAEyqnQvt823fnS+X0neLutCcD6ZeYLgP4ZaxYSVIaYFkqFyCWAvz0KlO
+i5D8L2dX2nLcPOvCIBkFjUINFM8A21kA6vB2PsqFsQXluF8LRsc8odlcTbkk59Yr
+PQ3rw4jYOvZg
+-----END CERTIFICATE-----

+ 16 - 0
tests/hwsim/auth_serv/iCA-server/careq.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----

+ 2 - 0
tests/hwsim/auth_serv/iCA-server/index.txt

@@ -0,0 +1,2 @@
+V	251220193736Z		8020A0407F798AB8	unknown	/C=FI/O=w1.fi/CN=server.w1.fi
+R	251220193736Z	151223193736Z	8020A0407F798AB9	unknown	/C=FI/O=w1.fi/CN=server-revoked.w1.fi

+ 1 - 0
tests/hwsim/auth_serv/iCA-server/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

+ 84 - 0
tests/hwsim/auth_serv/iCA-server/newcerts/8020A0407F798AB8.pem

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539704 (0x8020a0407f798ab8)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:88:a5:93:02:5b:bc:54:68:46:fa:73:7d:33:
+                    30:47:45:5c:49:5f:3c:51:5f:9b:fe:c5:14:10:26:
+                    3d:0f:e3:c2:b2:17:84:d3:3e:12:a8:b2:7b:02:1a:
+                    8a:8b:e9:f4:41:1e:fc:f3:49:2d:c6:d4:88:27:81:
+                    d0:86:f3:b9:c0:0a:2a:28:45:00:32:c3:18:22:f6:
+                    99:37:f1:74:8d:ac:54:47:73:e5:b6:d3:e7:f8:80:
+                    99:75:f5:19:19:eb:19:70:df:92:53:b1:61:38:ff:
+                    7f:cf:8b:bd:e1:7f:50:5b:d0:95:30:a3:37:6b:8a:
+                    72:06:a7:e8:39:e2:a4:78:43:98:91:cd:30:88:34:
+                    5b:aa:9e:a2:9f:26:d5:e1:5b:86:4d:01:a4:c2:65:
+                    cd:27:94:be:e2:f5:73:5d:c4:60:98:f1:75:11:94:
+                    09:0d:9d:04:7f:ef:1a:9d:5f:f0:4a:3f:88:d7:76:
+                    2e:9b:d6:2a:c6:94:09:37:0a:37:24:92:91:9d:18:
+                    0f:ea:4e:d4:e4:9d:45:38:5a:ba:d8:df:b6:15:6f:
+                    ac:ff:6c:41:ac:d7:c0:0a:55:ec:81:ca:9a:59:40:
+                    55:8b:a4:77:13:df:fa:c3:b5:ee:ef:87:41:8d:94:
+                    d0:c0:96:41:b4:3a:04:b6:6b:6a:56:93:f4:67:7e:
+                    27:e1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                4B:81:85:B4:88:41:0D:D4:15:D3:48:0E:F4:A9:99:14:2D:B1:DB:93
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         49:2a:14:22:16:2c:12:f5:4e:06:f3:c2:1e:ac:54:07:5d:86:
+         16:3e:6c:a0:73:e1:a6:d7:c3:49:1f:80:0d:b6:54:22:77:ce:
+         39:dd:f6:f6:9f:62:ff:d5:27:7f:c3:92:73:b9:a7:ce:87:5a:
+         e3:bc:52:b3:0a:99:eb:91:56:b6:78:01:c3:0e:4b:ca:8a:04:
+         ee:5c:56:05:ef:7a:cb:21:f9:eb:8a:38:12:50:c7:6e:a8:1f:
+         0e:81:81:a6:2d:ea:35:94:24:db:76:77:df:ea:41:4c:af:7e:
+         29:9d:d5:e6:e3:12:78:19:92:ed:35:b9:99:19:a9:d6:cb:f8:
+         a7:21:fb:8e:a7:39:dc:e1:ab:3d:ba:12:87:ba:1c:08:e6:8a:
+         21:96:44:44:8a:61:0f:70:00:d0:cb:63:93:a4:fa:cc:75:a3:
+         fd:e8:af:33:24:80:4a:d9:b9:2a:a1:20:0b:62:0b:17:6c:9a:
+         7c:8b:fd:9e:ff:be:b2:51:5e:e9:3a:cc:28:22:63:44:69:7f:
+         6d:1f:08:14:a4:32:d0:1f:f9:c3:8d:28:1a:76:12:00:3c:b3:
+         38:13:ca:67:17:79:c6:de:5d:b7:9d:f8:e3:64:f7:b3:a0:5c:
+         e5:6e:fc:10:f3:53:d6:70:38:c2:6f:87:ab:07:1c:64:ff:30:
+         d8:3a:1e:75
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----

+ 85 - 0
tests/hwsim/auth_serv/iCA-server/newcerts/8020A0407F798AB9.pem

@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539705 (0x8020a0407f798ab9)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server-revoked.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:5c:ae:06:36:4a:65:e0:db:0b:3c:28:13:08:
+                    8b:90:66:43:6f:c8:b2:3b:fa:41:bd:1a:10:10:fb:
+                    e9:05:6a:ba:42:90:4d:2e:cf:b1:b9:c3:73:f5:fc:
+                    ac:4c:18:e9:44:73:69:5e:2d:83:63:d1:29:e5:59:
+                    55:a8:bf:b0:1c:7a:0d:17:18:b0:38:21:af:cb:6d:
+                    a9:6b:9d:a2:88:0e:1c:ee:1a:a5:9f:3c:27:ea:fe:
+                    8f:9b:94:df:12:3c:34:bb:bf:6c:d0:6c:6b:46:ad:
+                    bc:ff:88:ae:d8:4d:8b:9f:34:50:25:c4:96:be:25:
+                    42:06:c8:b3:8e:21:a5:fd:a3:82:f9:74:78:46:56:
+                    8d:0b:f0:c4:fa:1a:0e:f5:34:22:53:fd:43:37:a3:
+                    47:fd:9f:a2:bc:d0:60:25:a8:db:93:f7:0c:88:fe:
+                    79:52:f2:07:f1:de:fc:66:6e:fe:da:10:76:6c:d0:
+                    87:8c:ef:dd:40:6d:82:7c:d1:39:b2:17:d6:07:cf:
+                    1a:5a:39:12:ed:49:4f:d9:c7:91:40:ab:73:f7:54:
+                    3c:a5:7d:9f:bb:0c:47:77:0e:d9:61:e5:1b:14:65:
+                    4e:38:c5:a7:8a:ee:32:be:05:25:94:a0:7f:96:09:
+                    59:1b:04:08:42:6b:50:6b:95:7a:78:f6:ec:f4:f6:
+                    4d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0D:49:37:45:42:77:90:25:BA:9B:67:DB:F6:DC:61:D2:53:5B:C6:BC
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server-revoked.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         22:c6:72:08:84:a9:e9:19:77:ea:6a:06:68:43:8b:e7:72:af:
+         9c:a2:47:b9:6f:b6:cb:11:17:89:0a:42:52:14:58:9e:3c:01:
+         fd:e7:fc:a2:0d:85:a5:b5:8c:27:d5:5e:b2:47:05:05:f9:56:
+         b6:0b:e2:28:f3:1d:75:5e:13:eb:ec:a0:76:2b:d9:ed:99:84:
+         08:6d:64:71:13:b6:02:81:b3:c2:7e:b8:b6:00:98:4f:26:ea:
+         f1:67:5b:35:2a:26:d0:ca:a8:fb:eb:21:fb:f1:d6:5a:63:42:
+         01:5f:b3:59:3d:f8:e0:4d:94:3a:3a:82:46:02:9d:81:2c:ef:
+         e5:46:c7:99:f4:2f:43:ad:85:fc:2c:ca:0b:6b:48:01:ac:d7:
+         f7:da:0e:16:c4:10:18:14:83:9c:85:90:75:ef:66:9f:65:42:
+         e5:e7:8c:16:ac:f6:60:61:d7:5f:a0:21:cd:8a:85:d4:a0:f2:
+         8e:17:0e:38:5e:31:12:ac:24:b5:67:61:9d:15:84:0b:fc:84:
+         8a:d4:29:90:3d:4b:23:48:19:6b:f7:26:1f:fe:b9:b9:f1:6e:
+         70:ac:ec:31:60:be:7d:6f:58:7e:c1:47:61:a7:b0:4b:b2:fd:
+         62:06:c5:97:43:28:39:a5:c5:60:51:c0:46:9d:6b:e4:1a:ed:
+         0c:a6:51:8a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 28 - 0
tests/hwsim/auth_serv/iCA-server/private/cakey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 1 - 0
tests/hwsim/auth_serv/iCA-server/serial

@@ -0,0 +1 @@
+8020A0407F798ABA

+ 28 - 0
tests/hwsim/auth_serv/iCA-server/server-revoked.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 85 - 0
tests/hwsim/auth_serv/iCA-server/server-revoked.pem

@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539705 (0x8020a0407f798ab9)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server-revoked.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:5c:ae:06:36:4a:65:e0:db:0b:3c:28:13:08:
+                    8b:90:66:43:6f:c8:b2:3b:fa:41:bd:1a:10:10:fb:
+                    e9:05:6a:ba:42:90:4d:2e:cf:b1:b9:c3:73:f5:fc:
+                    ac:4c:18:e9:44:73:69:5e:2d:83:63:d1:29:e5:59:
+                    55:a8:bf:b0:1c:7a:0d:17:18:b0:38:21:af:cb:6d:
+                    a9:6b:9d:a2:88:0e:1c:ee:1a:a5:9f:3c:27:ea:fe:
+                    8f:9b:94:df:12:3c:34:bb:bf:6c:d0:6c:6b:46:ad:
+                    bc:ff:88:ae:d8:4d:8b:9f:34:50:25:c4:96:be:25:
+                    42:06:c8:b3:8e:21:a5:fd:a3:82:f9:74:78:46:56:
+                    8d:0b:f0:c4:fa:1a:0e:f5:34:22:53:fd:43:37:a3:
+                    47:fd:9f:a2:bc:d0:60:25:a8:db:93:f7:0c:88:fe:
+                    79:52:f2:07:f1:de:fc:66:6e:fe:da:10:76:6c:d0:
+                    87:8c:ef:dd:40:6d:82:7c:d1:39:b2:17:d6:07:cf:
+                    1a:5a:39:12:ed:49:4f:d9:c7:91:40:ab:73:f7:54:
+                    3c:a5:7d:9f:bb:0c:47:77:0e:d9:61:e5:1b:14:65:
+                    4e:38:c5:a7:8a:ee:32:be:05:25:94:a0:7f:96:09:
+                    59:1b:04:08:42:6b:50:6b:95:7a:78:f6:ec:f4:f6:
+                    4d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0D:49:37:45:42:77:90:25:BA:9B:67:DB:F6:DC:61:D2:53:5B:C6:BC
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server-revoked.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         22:c6:72:08:84:a9:e9:19:77:ea:6a:06:68:43:8b:e7:72:af:
+         9c:a2:47:b9:6f:b6:cb:11:17:89:0a:42:52:14:58:9e:3c:01:
+         fd:e7:fc:a2:0d:85:a5:b5:8c:27:d5:5e:b2:47:05:05:f9:56:
+         b6:0b:e2:28:f3:1d:75:5e:13:eb:ec:a0:76:2b:d9:ed:99:84:
+         08:6d:64:71:13:b6:02:81:b3:c2:7e:b8:b6:00:98:4f:26:ea:
+         f1:67:5b:35:2a:26:d0:ca:a8:fb:eb:21:fb:f1:d6:5a:63:42:
+         01:5f:b3:59:3d:f8:e0:4d:94:3a:3a:82:46:02:9d:81:2c:ef:
+         e5:46:c7:99:f4:2f:43:ad:85:fc:2c:ca:0b:6b:48:01:ac:d7:
+         f7:da:0e:16:c4:10:18:14:83:9c:85:90:75:ef:66:9f:65:42:
+         e5:e7:8c:16:ac:f6:60:61:d7:5f:a0:21:cd:8a:85:d4:a0:f2:
+         8e:17:0e:38:5e:31:12:ac:24:b5:67:61:9d:15:84:0b:fc:84:
+         8a:d4:29:90:3d:4b:23:48:19:6b:f7:26:1f:fe:b9:b9:f1:6e:
+         70:ac:ec:31:60:be:7d:6f:58:7e:c1:47:61:a7:b0:4b:b2:fd:
+         62:06:c5:97:43:28:39:a5:c5:60:51:c0:46:9d:6b:e4:1a:ed:
+         0c:a6:51:8a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 16 - 0
tests/hwsim/auth_serv/iCA-server/server-revoked.req

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----

+ 155 - 0
tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem

@@ -0,0 +1,155 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162867 (0xd8d3e3a6cbe3ccf3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:de:58:ac:e3:d8:7e:40:f6:84:2a:49:24:49:5a:
+                    f7:c8:23:08:b9:6c:d9:07:01:69:8f:77:28:71:42:
+                    a2:eb:ae:86:10:c6:31:61:9a:14:88:44:0a:68:bf:
+                    6e:a2:46:41:e9:6f:a2:89:fb:0b:f3:e1:b8:30:bf:
+                    e5:80:5e:f9:61:8d:6e:ac:e2:f7:28:e7:9e:44:28:
+                    b8:e4:6e:87:76:a9:d7:ac:ed:11:3f:de:c3:dd:41:
+                    c3:45:82:09:c3:a7:4c:e6:df:2b:88:1e:44:ce:e2:
+                    a7:29:53:f6:13:96:ad:6c:2e:93:00:28:42:77:bc:
+                    73:6e:86:e7:5b:e8:eb:e9:37:1d:63:e7:ea:05:5a:
+                    71:28:f0:81:0b:4c:3f:dd:73:f8:db:13:a8:f0:5f:
+                    6f:6f:e5:1b:c7:94:7f:57:c5:dc:66:26:0c:5a:71:
+                    7a:e3:d2:3e:7a:a6:59:46:03:61:78:89:84:3d:ef:
+                    22:9c:f8:c2:22:75:c4:0c:ef:fb:e4:fa:6f:b8:11:
+                    db:aa:92:9b:6c:23:4e:6e:e5:55:d2:41:47:18:95:
+                    c6:7d:17:be:6d:ab:39:a1:38:61:fd:f9:22:95:69:
+                    f3:9e:28:fd:8a:c8:58:72:3c:91:c2:22:d9:fb:b2:
+                    54:0f:9a:17:27:88:df:60:f5:de:fc:95:9f:25:c6:
+                    64:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         bd:22:63:3d:a7:e5:ce:c9:f5:66:1f:77:5f:d5:24:e3:68:dc:
+         a4:07:80:3e:5e:b1:2c:96:88:39:ad:00:4c:aa:9d:0b:ed:f3:
+         6d:df:9d:2f:97:d2:77:8b:ba:d0:9c:0f:a6:5e:60:b8:0f:e1:
+         96:b1:61:25:48:69:81:64:a8:5c:82:58:0b:f3:d0:a9:4e:8b:
+         90:fc:2f:67:57:da:72:dc:3c:eb:c2:20:19:05:8d:42:0d:14:
+         cf:00:db:59:00:ea:f0:76:3e:ca:85:b1:05:e5:b8:5f:0b:46:
+         c7:3c:a1:d9:5c:4d:b9:24:e7:d6:2b:3d:0d:eb:c3:88:d8:3a:
+         f6:60
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539705 (0x8020a0407f798ab9)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server-revoked.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:5c:ae:06:36:4a:65:e0:db:0b:3c:28:13:08:
+                    8b:90:66:43:6f:c8:b2:3b:fa:41:bd:1a:10:10:fb:
+                    e9:05:6a:ba:42:90:4d:2e:cf:b1:b9:c3:73:f5:fc:
+                    ac:4c:18:e9:44:73:69:5e:2d:83:63:d1:29:e5:59:
+                    55:a8:bf:b0:1c:7a:0d:17:18:b0:38:21:af:cb:6d:
+                    a9:6b:9d:a2:88:0e:1c:ee:1a:a5:9f:3c:27:ea:fe:
+                    8f:9b:94:df:12:3c:34:bb:bf:6c:d0:6c:6b:46:ad:
+                    bc:ff:88:ae:d8:4d:8b:9f:34:50:25:c4:96:be:25:
+                    42:06:c8:b3:8e:21:a5:fd:a3:82:f9:74:78:46:56:
+                    8d:0b:f0:c4:fa:1a:0e:f5:34:22:53:fd:43:37:a3:
+                    47:fd:9f:a2:bc:d0:60:25:a8:db:93:f7:0c:88:fe:
+                    79:52:f2:07:f1:de:fc:66:6e:fe:da:10:76:6c:d0:
+                    87:8c:ef:dd:40:6d:82:7c:d1:39:b2:17:d6:07:cf:
+                    1a:5a:39:12:ed:49:4f:d9:c7:91:40:ab:73:f7:54:
+                    3c:a5:7d:9f:bb:0c:47:77:0e:d9:61:e5:1b:14:65:
+                    4e:38:c5:a7:8a:ee:32:be:05:25:94:a0:7f:96:09:
+                    59:1b:04:08:42:6b:50:6b:95:7a:78:f6:ec:f4:f6:
+                    4d:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                0D:49:37:45:42:77:90:25:BA:9B:67:DB:F6:DC:61:D2:53:5B:C6:BC
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server-revoked.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         22:c6:72:08:84:a9:e9:19:77:ea:6a:06:68:43:8b:e7:72:af:
+         9c:a2:47:b9:6f:b6:cb:11:17:89:0a:42:52:14:58:9e:3c:01:
+         fd:e7:fc:a2:0d:85:a5:b5:8c:27:d5:5e:b2:47:05:05:f9:56:
+         b6:0b:e2:28:f3:1d:75:5e:13:eb:ec:a0:76:2b:d9:ed:99:84:
+         08:6d:64:71:13:b6:02:81:b3:c2:7e:b8:b6:00:98:4f:26:ea:
+         f1:67:5b:35:2a:26:d0:ca:a8:fb:eb:21:fb:f1:d6:5a:63:42:
+         01:5f:b3:59:3d:f8:e0:4d:94:3a:3a:82:46:02:9d:81:2c:ef:
+         e5:46:c7:99:f4:2f:43:ad:85:fc:2c:ca:0b:6b:48:01:ac:d7:
+         f7:da:0e:16:c4:10:18:14:83:9c:85:90:75:ef:66:9f:65:42:
+         e5:e7:8c:16:ac:f6:60:61:d7:5f:a0:21:cd:8a:85:d4:a0:f2:
+         8e:17:0e:38:5e:31:12:ac:24:b5:67:61:9d:15:84:0b:fc:84:
+         8a:d4:29:90:3d:4b:23:48:19:6b:f7:26:1f:fe:b9:b9:f1:6e:
+         70:ac:ec:31:60:be:7d:6f:58:7e:c1:47:61:a7:b0:4b:b2:fd:
+         62:06:c5:97:43:28:39:a5:c5:60:51:c0:46:9d:6b:e4:1a:ed:
+         0c:a6:51:8a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 28 - 0
tests/hwsim/auth_serv/iCA-server/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----

+ 84 - 0
tests/hwsim/auth_serv/iCA-server/server.pem

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539704 (0x8020a0407f798ab8)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:88:a5:93:02:5b:bc:54:68:46:fa:73:7d:33:
+                    30:47:45:5c:49:5f:3c:51:5f:9b:fe:c5:14:10:26:
+                    3d:0f:e3:c2:b2:17:84:d3:3e:12:a8:b2:7b:02:1a:
+                    8a:8b:e9:f4:41:1e:fc:f3:49:2d:c6:d4:88:27:81:
+                    d0:86:f3:b9:c0:0a:2a:28:45:00:32:c3:18:22:f6:
+                    99:37:f1:74:8d:ac:54:47:73:e5:b6:d3:e7:f8:80:
+                    99:75:f5:19:19:eb:19:70:df:92:53:b1:61:38:ff:
+                    7f:cf:8b:bd:e1:7f:50:5b:d0:95:30:a3:37:6b:8a:
+                    72:06:a7:e8:39:e2:a4:78:43:98:91:cd:30:88:34:
+                    5b:aa:9e:a2:9f:26:d5:e1:5b:86:4d:01:a4:c2:65:
+                    cd:27:94:be:e2:f5:73:5d:c4:60:98:f1:75:11:94:
+                    09:0d:9d:04:7f:ef:1a:9d:5f:f0:4a:3f:88:d7:76:
+                    2e:9b:d6:2a:c6:94:09:37:0a:37:24:92:91:9d:18:
+                    0f:ea:4e:d4:e4:9d:45:38:5a:ba:d8:df:b6:15:6f:
+                    ac:ff:6c:41:ac:d7:c0:0a:55:ec:81:ca:9a:59:40:
+                    55:8b:a4:77:13:df:fa:c3:b5:ee:ef:87:41:8d:94:
+                    d0:c0:96:41:b4:3a:04:b6:6b:6a:56:93:f4:67:7e:
+                    27:e1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                4B:81:85:B4:88:41:0D:D4:15:D3:48:0E:F4:A9:99:14:2D:B1:DB:93
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         49:2a:14:22:16:2c:12:f5:4e:06:f3:c2:1e:ac:54:07:5d:86:
+         16:3e:6c:a0:73:e1:a6:d7:c3:49:1f:80:0d:b6:54:22:77:ce:
+         39:dd:f6:f6:9f:62:ff:d5:27:7f:c3:92:73:b9:a7:ce:87:5a:
+         e3:bc:52:b3:0a:99:eb:91:56:b6:78:01:c3:0e:4b:ca:8a:04:
+         ee:5c:56:05:ef:7a:cb:21:f9:eb:8a:38:12:50:c7:6e:a8:1f:
+         0e:81:81:a6:2d:ea:35:94:24:db:76:77:df:ea:41:4c:af:7e:
+         29:9d:d5:e6:e3:12:78:19:92:ed:35:b9:99:19:a9:d6:cb:f8:
+         a7:21:fb:8e:a7:39:dc:e1:ab:3d:ba:12:87:ba:1c:08:e6:8a:
+         21:96:44:44:8a:61:0f:70:00:d0:cb:63:93:a4:fa:cc:75:a3:
+         fd:e8:af:33:24:80:4a:d9:b9:2a:a1:20:0b:62:0b:17:6c:9a:
+         7c:8b:fd:9e:ff:be:b2:51:5e:e9:3a:cc:28:22:63:44:69:7f:
+         6d:1f:08:14:a4:32:d0:1f:f9:c3:8d:28:1a:76:12:00:3c:b3:
+         38:13:ca:67:17:79:c6:de:5d:b7:9d:f8:e3:64:f7:b3:a0:5c:
+         e5:6e:fc:10:f3:53:d6:70:38:c2:6f:87:ab:07:1c:64:ff:30:
+         d8:3a:1e:75
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----

+ 16 - 0
tests/hwsim/auth_serv/iCA-server/server.req

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----

+ 154 - 0
tests/hwsim/auth_serv/iCA-server/server_and_ica.pem

@@ -0,0 +1,154 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9232555434986539704 (0x8020a0407f798ab8)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=server.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e4:88:a5:93:02:5b:bc:54:68:46:fa:73:7d:33:
+                    30:47:45:5c:49:5f:3c:51:5f:9b:fe:c5:14:10:26:
+                    3d:0f:e3:c2:b2:17:84:d3:3e:12:a8:b2:7b:02:1a:
+                    8a:8b:e9:f4:41:1e:fc:f3:49:2d:c6:d4:88:27:81:
+                    d0:86:f3:b9:c0:0a:2a:28:45:00:32:c3:18:22:f6:
+                    99:37:f1:74:8d:ac:54:47:73:e5:b6:d3:e7:f8:80:
+                    99:75:f5:19:19:eb:19:70:df:92:53:b1:61:38:ff:
+                    7f:cf:8b:bd:e1:7f:50:5b:d0:95:30:a3:37:6b:8a:
+                    72:06:a7:e8:39:e2:a4:78:43:98:91:cd:30:88:34:
+                    5b:aa:9e:a2:9f:26:d5:e1:5b:86:4d:01:a4:c2:65:
+                    cd:27:94:be:e2:f5:73:5d:c4:60:98:f1:75:11:94:
+                    09:0d:9d:04:7f:ef:1a:9d:5f:f0:4a:3f:88:d7:76:
+                    2e:9b:d6:2a:c6:94:09:37:0a:37:24:92:91:9d:18:
+                    0f:ea:4e:d4:e4:9d:45:38:5a:ba:d8:df:b6:15:6f:
+                    ac:ff:6c:41:ac:d7:c0:0a:55:ec:81:ca:9a:59:40:
+                    55:8b:a4:77:13:df:fa:c3:b5:ee:ef:87:41:8d:94:
+                    d0:c0:96:41:b4:3a:04:b6:6b:6a:56:93:f4:67:7e:
+                    27:e1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                4B:81:85:B4:88:41:0D:D4:15:D3:48:0E:F4:A9:99:14:2D:B1:DB:93
+            X509v3 Authority Key Identifier: 
+                keyid:84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+
+            X509v3 Subject Alternative Name: critical
+                DNS:server.w1.fi
+            X509v3 Extended Key Usage: critical
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         49:2a:14:22:16:2c:12:f5:4e:06:f3:c2:1e:ac:54:07:5d:86:
+         16:3e:6c:a0:73:e1:a6:d7:c3:49:1f:80:0d:b6:54:22:77:ce:
+         39:dd:f6:f6:9f:62:ff:d5:27:7f:c3:92:73:b9:a7:ce:87:5a:
+         e3:bc:52:b3:0a:99:eb:91:56:b6:78:01:c3:0e:4b:ca:8a:04:
+         ee:5c:56:05:ef:7a:cb:21:f9:eb:8a:38:12:50:c7:6e:a8:1f:
+         0e:81:81:a6:2d:ea:35:94:24:db:76:77:df:ea:41:4c:af:7e:
+         29:9d:d5:e6:e3:12:78:19:92:ed:35:b9:99:19:a9:d6:cb:f8:
+         a7:21:fb:8e:a7:39:dc:e1:ab:3d:ba:12:87:ba:1c:08:e6:8a:
+         21:96:44:44:8a:61:0f:70:00:d0:cb:63:93:a4:fa:cc:75:a3:
+         fd:e8:af:33:24:80:4a:d9:b9:2a:a1:20:0b:62:0b:17:6c:9a:
+         7c:8b:fd:9e:ff:be:b2:51:5e:e9:3a:cc:28:22:63:44:69:7f:
+         6d:1f:08:14:a4:32:d0:1f:f9:c3:8d:28:1a:76:12:00:3c:b3:
+         38:13:ca:67:17:79:c6:de:5d:b7:9d:f8:e3:64:f7:b3:a0:5c:
+         e5:6e:fc:10:f3:53:d6:70:38:c2:6f:87:ab:07:1c:64:ff:30:
+         d8:3a:1e:75
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162867 (0xd8d3e3a6cbe3ccf3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=Server Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:de:58:ac:e3:d8:7e:40:f6:84:2a:49:24:49:5a:
+                    f7:c8:23:08:b9:6c:d9:07:01:69:8f:77:28:71:42:
+                    a2:eb:ae:86:10:c6:31:61:9a:14:88:44:0a:68:bf:
+                    6e:a2:46:41:e9:6f:a2:89:fb:0b:f3:e1:b8:30:bf:
+                    e5:80:5e:f9:61:8d:6e:ac:e2:f7:28:e7:9e:44:28:
+                    b8:e4:6e:87:76:a9:d7:ac:ed:11:3f:de:c3:dd:41:
+                    c3:45:82:09:c3:a7:4c:e6:df:2b:88:1e:44:ce:e2:
+                    a7:29:53:f6:13:96:ad:6c:2e:93:00:28:42:77:bc:
+                    73:6e:86:e7:5b:e8:eb:e9:37:1d:63:e7:ea:05:5a:
+                    71:28:f0:81:0b:4c:3f:dd:73:f8:db:13:a8:f0:5f:
+                    6f:6f:e5:1b:c7:94:7f:57:c5:dc:66:26:0c:5a:71:
+                    7a:e3:d2:3e:7a:a6:59:46:03:61:78:89:84:3d:ef:
+                    22:9c:f8:c2:22:75:c4:0c:ef:fb:e4:fa:6f:b8:11:
+                    db:aa:92:9b:6c:23:4e:6e:e5:55:d2:41:47:18:95:
+                    c6:7d:17:be:6d:ab:39:a1:38:61:fd:f9:22:95:69:
+                    f3:9e:28:fd:8a:c8:58:72:3c:91:c2:22:d9:fb:b2:
+                    54:0f:9a:17:27:88:df:60:f5:de:fc:95:9f:25:c6:
+                    64:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                84:09:8B:55:1F:7D:2F:0F:28:D7:9C:EC:54:4E:9F:11:97:55:D9:B9
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         bd:22:63:3d:a7:e5:ce:c9:f5:66:1f:77:5f:d5:24:e3:68:dc:
+         a4:07:80:3e:5e:b1:2c:96:88:39:ad:00:4c:aa:9d:0b:ed:f3:
+         6d:df:9d:2f:97:d2:77:8b:ba:d0:9c:0f:a6:5e:60:b8:0f:e1:
+         96:b1:61:25:48:69:81:64:a8:5c:82:58:0b:f3:d0:a9:4e:8b:
+         90:fc:2f:67:57:da:72:dc:3c:eb:c2:20:19:05:8d:42:0d:14:
+         cf:00:db:59:00:ea:f0:76:3e:ca:85:b1:05:e5:b8:5f:0b:46:
+         c7:3c:a1:d9:5c:4d:b9:24:e7:d6:2b:3d:0d:eb:c3:88:d8:3a:
+         f6:60
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 125 - 0
tests/hwsim/auth_serv/iCA-user/ca-and-root.pem

@@ -0,0 +1,125 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=User Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
+                    f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
+                    67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
+                    9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
+                    f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
+                    9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
+                    ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
+                    10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
+                    11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
+                    67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
+                    c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
+                    e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
+                    df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
+                    6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
+                    43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
+                    6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
+                    65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
+                    fe:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
+         31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
+         1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
+         6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
+         7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
+         07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
+         3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
+         8f:fa
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162817 (0xd8d3e3a6cbe3ccc1)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Jun 29 16:41:22 2013 GMT
+            Not After : Jun 27 16:41:22 2023 GMT
+        Subject: C=FI, O=w1.fi, CN=Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:be:1e:86:e4:79:03:c1:d1:94:d5:d4:b3:b1:28:
+                    90:76:fb:b8:a6:cd:6d:1c:d1:48:f4:08:9a:67:ff:
+                    f9:a6:54:b1:19:29:df:29:1b:cd:f1:6f:66:01:e7:
+                    db:79:ce:c0:39:2a:25:13:26:94:0c:2c:7b:5a:2c:
+                    81:0f:94:ee:51:d0:75:e6:46:db:17:46:a7:15:8b:
+                    0e:57:0f:b0:54:76:63:12:ca:86:18:bc:1a:c3:16:
+                    c0:70:09:d6:6b:43:39:b8:98:29:46:ac:cb:6a:ad:
+                    38:88:3b:07:dc:81:cd:3a:f6:1d:f6:2f:ef:1d:d7:
+                    ae:8a:b6:d1:e7:b3:15:02:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         1a:cf:77:60:44:43:c4:55:0e:99:e0:89:aa:b9:d3:7b:32:b7:
+         5c:9c:7c:ca:fe:8c:d4:94:c6:5e:f3:83:19:5f:29:59:68:a4:
+         4f:dc:04:2e:b8:71:c0:6d:3b:ae:01:e4:b9:88:99:cc:ce:82:
+         be:6a:28:c2:ac:6a:94:c6:87:90:ed:85:3c:10:71:c5:ff:3c:
+         70:64:e2:41:62:31:ea:86:7b:11:8c:93:ea:c6:f3:f3:4e:f9:
+         d4:f2:81:90:d7:f4:fa:a1:91:6e:d4:dd:15:3e:26:3b:ac:1e:
+         c3:c2:1f:ed:bb:34:bf:cb:b2:67:c6:c6:51:e8:51:22:b4:f3:
+         92:e8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
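Review bot: The Root CA bundled as the second certificate here has `Not After : Jun 27 16:41:22 2023 GMT`, while the User Intermediate CA above it runs to Dec 22 2025 and the leaf issued under it to Dec 20 2025. Any test that validates this chain against the root will therefore start failing at the root's expiry, well before the new certificates' own dates. The root is also `Public-Key: (1024 bit)` with `sha1WithRSAEncryption`, which TLS libraries built with stricter default security levels may refuse as a trust anchor. Either regenerate the root alongside the intermediates, or record the limit next to the fixtures, e.g. `Root CA expires Jun 27 2023; regenerate the whole chain before then.` The same root presumably also sits in iCA-server/ca-and-root.pem, which is outside this view.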

+ 70 - 0
tests/hwsim/auth_serv/iCA-user/cacert.pem

@@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=User Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
+                    f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
+                    67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
+                    9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
+                    f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
+                    9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
+                    ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
+                    10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
+                    11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
+                    67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
+                    c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
+                    e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
+                    df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
+                    6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
+                    43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
+                    6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
+                    65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
+                    fe:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
+         31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
+         1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
+         6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
+         7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
+         07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
+         3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
+         8f:fa
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
+MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
+kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
+Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
+9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
+2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
+rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
+MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
+ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
+FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
+5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
+4kDSzfuP+g==
+-----END CERTIFICATE-----

+ 16 - 0
tests/hwsim/auth_serv/iCA-user/careq.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----

+ 1 - 0
tests/hwsim/auth_serv/iCA-user/index.txt

@@ -0,0 +1 @@
+V	251220193736Z		E153BA3A7605DA1E	unknown	/C=FI/O=w1.fi/CN=user.w1.fi

+ 1 - 0
tests/hwsim/auth_serv/iCA-user/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes

+ 84 - 0
tests/hwsim/auth_serv/iCA-user/newcerts/E153BA3A7605DA1E.pem

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16236525841851734558 (0xe153ba3a7605da1e)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=User Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=user.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:86:20:e5:06:5a:a8:47:2d:c9:5e:25:24:f7:
+                    bf:a6:b6:44:50:99:8c:95:b5:6a:ad:74:b6:ba:ee:
+                    31:5e:b2:20:60:9a:b4:93:55:6d:15:0b:dc:5a:27:
+                    3f:df:c1:92:18:59:66:10:eb:47:1c:35:1f:08:dd:
+                    eb:25:bd:21:9c:2d:48:34:5f:97:18:dc:83:28:db:
+                    14:8c:16:3b:5a:36:6a:50:63:e9:3b:e0:37:fd:f6:
+                    a0:d6:40:af:ef:1e:99:1d:88:c1:4f:4b:92:25:53:
+                    28:cb:c4:b7:ce:ca:ca:26:af:2d:f7:e4:62:79:48:
+                    49:6a:82:33:b0:a6:c6:a5:17:33:88:93:77:36:b2:
+                    77:61:e0:55:de:2e:75:15:92:4c:e7:bf:11:ea:33:
+                    03:1e:4a:e6:18:38:16:34:f5:d9:ed:f8:0c:17:6f:
+                    78:65:ae:14:18:a3:0f:08:b6:e2:87:02:e4:eb:0f:
+                    fb:81:d9:4b:90:ff:b3:fa:0f:d3:04:4d:b0:99:b4:
+                    2b:5e:fb:ad:04:2b:a7:d6:36:0d:17:e0:be:c0:43:
+                    cf:e5:2e:f0:8e:87:88:60:b3:22:d8:03:59:53:50:
+                    a6:69:ce:de:d0:c9:2e:f7:6d:9a:59:4d:99:dc:4b:
+                    3c:c2:15:8f:27:64:23:34:14:34:af:41:76:a5:6a:
+                    9a:0f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                3E:35:E0:F9:A3:1E:2C:FA:DD:E7:8B:CE:58:06:38:20:5D:5E:71:D2
+            X509v3 Authority Key Identifier: 
+                keyid:AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+
+            X509v3 Subject Alternative Name: critical
+                DNS:user.w1.fi
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         7b:e9:eb:d7:d4:60:a8:08:62:71:61:dd:42:7d:e5:88:f4:24:
+         bb:3f:6b:a9:16:64:2d:fb:ce:8e:55:1c:f5:7e:b4:c3:74:de:
+         96:e4:59:32:f4:aa:74:e2:ac:43:28:06:54:5d:f7:fe:87:31:
+         3d:ac:45:d5:1c:51:7f:8c:f9:37:0b:66:94:a7:22:5f:d1:55:
+         bf:a4:82:c7:0a:50:bb:c7:18:cf:df:47:81:00:c4:d2:d7:12:
+         b0:83:2d:67:3f:80:b8:be:6f:c9:c5:76:9a:87:ef:3a:f6:0d:
+         4f:24:d8:e7:06:6c:6e:ff:dc:5e:6e:21:a1:e7:26:f6:94:44:
+         69:f4:b2:36:38:08:b1:df:07:fa:7a:53:b8:60:db:63:4b:4f:
+         e6:2a:42:ff:29:68:b5:99:3a:36:eb:26:05:76:d2:ab:e6:d0:
+         7c:af:8c:a0:20:8b:50:6c:3b:bc:1a:53:6d:a7:c8:70:97:21:
+         56:02:24:04:9b:63:2a:5d:b8:8c:e4:bf:e9:8f:58:cd:6e:99:
+         47:3c:02:7b:63:67:c1:c7:32:53:cc:d5:cb:e9:a0:39:ef:f8:
+         44:b7:f3:57:0c:b5:a7:23:3f:16:28:c6:02:14:b6:80:d8:33:
+         42:0c:81:5c:ac:3f:13:d0:5b:4a:66:9f:33:ee:ac:56:fe:37:
+         17:2b:03:40
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIJAOFTujp2BdoeMA0GCSqGSIb3DQEBCwUAMDwxCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlh
+dGUgQ0EwHhcNMTUxMjIzMTkzNzM2WhcNMjUxMjIwMTkzNzM2WjAyMQswCQYDVQQG
+EwJGSTEOMAwGA1UECgwFdzEuZmkxEzARBgNVBAMMCnVzZXIudzEuZmkwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAhiDlBlqoRy3JXiUk97+mtkRQmYyV
+tWqtdLa67jFesiBgmrSTVW0VC9xaJz/fwZIYWWYQ60ccNR8I3eslvSGcLUg0X5cY
+3IMo2xSMFjtaNmpQY+k74Df99qDWQK/vHpkdiMFPS5IlUyjLxLfOysomry335GJ5
+SElqgjOwpsalFzOIk3c2sndh4FXeLnUVkkznvxHqMwMeSuYYOBY09dnt+AwXb3hl
+rhQYow8ItuKHAuTrD/uB2UuQ/7P6D9METbCZtCte+60EK6fWNg0X4L7AQ8/lLvCO
+h4hgsyLYA1lTUKZpzt7QyS73bZpZTZncSzzCFY8nZCM0FDSvQXalapoPAgMBAAGj
+gYowgYcwCQYDVR0TBAIwADAdBgNVHQ4EFgQUPjXg+aMeLPrd54vOWAY4IF1ecdIw
+HwYDVR0jBBgwFoAUrMT2B56y5fFmfEAFCKrc74pg2sEwGAYDVR0RAQH/BA4wDIIK
+dXNlci53MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCBaAwDQYJ
+KoZIhvcNAQELBQADggEBAHvp69fUYKgIYnFh3UJ95Yj0JLs/a6kWZC37zo5VHPV+
+tMN03pbkWTL0qnTirEMoBlRd9/6HMT2sRdUcUX+M+TcLZpSnIl/RVb+kgscKULvH
+GM/fR4EAxNLXErCDLWc/gLi+b8nFdpqH7zr2DU8k2OcGbG7/3F5uIaHnJvaURGn0
+sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n
+yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj
+PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A=
+-----END CERTIFICATE-----

+ 28 - 0
tests/hwsim/auth_serv/iCA-user/private/cakey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDKg30ZiNdlpH3
+oL6xsPeeruqmcpH1cGVXkUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuy
+nfBYYuqjim/I7QHKJ3QcDp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAu
+gaudBLovtOthff1ooRFv9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5
+On5sOPhfHOwFTOVWZNQI2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chu
+Wr/rprjA90OBiMPYqqlgrKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7b
+IopJsf5PAgMBAAECggEAMQpcP1F7CYVQYH0P7e6eCk3BwNmBO79md76WQtAYdOcr
+XRvSYpA4RTD7n1ynQMUrrI3tozsGJvcShSuSvWL9uuKKfF6x2G5ZisNRkqq8gahr
+aH2e1LxENp5pcslO9MIJegv8Etdz5y3qJwWGbgpGDr7TdsgF6Uiv7QXUof6zs5h3
+dri5y4tIbv+/OrEL9pz0x0wR1wFZ24huLLd+I4qHW+nSVynzRsb7dH76vvJRcj+o
+UUIXx0QASoiFyhTPL3kSIcLcwRW1WEkqQXSENj3765CewhpOVcbzUZQiHjPVdOmg
+6+CRptOGJMh5SGHzAbeABwkgeQ4LGWnPdL9B0ZClYQKBgQDk6tGncCWYELelrt9q
+D/bzTvTZADzxYKuOUmyiu9Wr6Lx3nbfJupf0kZSGZuTBOjOd8iQkI1edIWTZLgyY
+48oW2EggJTo5xmAaAdz82ItXpI0/Rt71QQqhcxsaT2uLIinBdox8wP6/DbnG57DJ
+6FcHOsVfAFAVk2sM8ZCK1XRjiwKBgQDaQPbUNGXg04D08jk+15FDlPYh/2TJNSc+
+SBOE1j7wlTNGr6Vcg7N34U+I8Zo/ci8CXQVAMlLd7UJR9UhPsU2ptMldziDPEn5d
+28CkoAmfw/vrcE8j12cuKUViJK6E/Fpvmbmb/cKrACj9qHd1QV7kXFemDKPEUlAe
+8zp4EqPYzQKBgB4NphCxbH4WU8Xwu2wVRHqU9xg2K8oUwvEgaRrERj0XhQa/Mg3N
+7X0yT6mFgKrNlVE7JPuJmEsMw0yv+v9niHSPWIi/2nETVjKT5Atd8o1DETgpecQB
+EgA4OGqv2pKdnZXElpUaUVeL2cP/TvpzAln0oUzjoZ/zhq5gWHWhqHIZAoGBANjt
+pyfGKNitAEj2FKX8dvrYLUgfY5qFhUrnMtdeZ1KSyVNhs5dfo9rsjDQOB4U2Rbkw
+oc5r9md0se1qQYRMM2gRM/BTt9J5jDZX/ILkOoycrGEX0OFL8Nc12CuzT+8IMA8q
+mQyNzZZPY26zqoBWCC4sBkYZ3BB+y/nnQV8lD8ulAoGAB0cwM8SWfP+u4M7qWGFV
+Dk448ODrEfwnbSABc6EavEJ0BL5h60AsXhV9FW6nxfB66Yt84DZm6YXS+9MElLVy
+jlql+Gbaj1Wawtwyzwk7Sl/vqtDwCRta+TP98kAm93Y9CVizlRH93kpNCoYAoDrA
+qN+IRKm0VOAaYV4NXrTTMWE=
+-----END PRIVATE KEY-----
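Review bot: This section adds the User Intermediate CA signing key as an unencrypted PKCS#8 blob (`-----BEGIN PRIVATE KEY-----`), and nothing next to it marks it as public test material; iCA-user/user.key further down is committed the same way. Because the matching CA certificate carries `CA:TRUE` and `Certificate Sign`, anyone with the repository can issue certificates under it, so the intermediate and the root above it must never end up in a trust store outside the hwsim setup. A short README in tests/hwsim/auth_serv/iCA-user/ would make that explicit, for example `Test-only keys and CAs: published in the repository, never trust or reuse outside tests/hwsim.` It would also give secret-scanning tools a documented reason to allowlist these paths.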

+ 1 - 0
tests/hwsim/auth_serv/iCA-user/serial

@@ -0,0 +1 @@
+E153BA3A7605DA1F

+ 28 - 0
tests/hwsim/auth_serv/iCA-user/user.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAhiDlBlqoRy3J
+XiUk97+mtkRQmYyVtWqtdLa67jFesiBgmrSTVW0VC9xaJz/fwZIYWWYQ60ccNR8I
+3eslvSGcLUg0X5cY3IMo2xSMFjtaNmpQY+k74Df99qDWQK/vHpkdiMFPS5IlUyjL
+xLfOysomry335GJ5SElqgjOwpsalFzOIk3c2sndh4FXeLnUVkkznvxHqMwMeSuYY
+OBY09dnt+AwXb3hlrhQYow8ItuKHAuTrD/uB2UuQ/7P6D9METbCZtCte+60EK6fW
+Ng0X4L7AQ8/lLvCOh4hgsyLYA1lTUKZpzt7QyS73bZpZTZncSzzCFY8nZCM0FDSv
+QXalapoPAgMBAAECggEBAItIPkISv8GghTJ6htrg1elRUckR3VBtyDinCI/iRRti
+OORK6DrzAZDJXOhoHuDNVNmCy8GPxYlVsRckHbvWwZsQc31YbqLQ3Z7QKGRUrSnN
+1kpEjfcAduGn7KI0eFPBSjrAtkGcxaV1LT2GGwhjU6567AG8W7Wso1iHy8eQUIQc
+LKRJ6KYpDc019Ly01XRH8mNhmxo3hxpBzMxudiHua/9qXmsRGevsshxQ911wkPdO
+7Yr9bH1YJ7OvwOxxxAkNyRFAhWa7KPzvhsYX6KHEPTfTSv+3GCz5WLI//5NJ6NFB
+3E2ofJOrmxT6EG6hKzyoNzoUwqpbA2BiHhlSVvOjHhECgYEA4pfICLLh40DMdBc9
+LMnPsp7Sv6H1Lcv/SJr0sjI8ESa2WK+XQOKgfB7jxyBHoMYhlr4UxwtgFA2M0cIs
+4tfqv6zNKWmwB8VpUS+1kwaITtny8U4Kb7hQadpE0dXG84kb1aG3dsvK07aSTS6w
+cW/NPZ9mNQhQ1sYsqF0HzuNysvkCgYEA2YJ0qKvLEkzTGcU0y5CLvzb4ZEuhAc7X
+zzHRCNW61mmhNKR3QVEo3vzpKlxF3PbWJUwt0OOUkdyjbRE3yV0d4JCsNH6vRUmD
+CxafENHZgkuCDD9TrDWhSefhWc7ip3unGG8KdnkGYDe1lw7zIJW5g7GS41GORqDV
+gZngtyxJb0cCgYBQL5ZCPctiOFQh4PdtGh2+ACZkWlQBWOeGMg/V36ESELkGuVy1
+QX25btT8apfudS79wVZo+cWOUx06PZTU0cPpAKW5ugTpOxsB9/gxh2ZFQSuP6SYY
+Uwlh7DPebeBx3ltTRl8+Uu/76+fqGFOoUQA4hmgM7FxvJMI48nMI68RzQQKBgQCW
+BgAW8t9PUQPt63Kd0aZCDlVHQE7eY1/A/nhSorCLATJ6j9HdkHAjVcgxOpHJdcuA
+0EltofswnEFwkgarcfmQkdjlIFgd7zVeqYyvWj6vOwuJDQjWZ+tGgZSSkDsPEB/R
+n41U5+b46JPsjBgv6nWZmxpYhkEfAAIjsRIo5XgFMwKBgD6fAKGFelZuJ/W3uUYl
+swb0ks/L3CMmisMmPwafp4C9QB89xV8jtyDNhiIG1nCI54it9mKrPCASoPDrdJR5
+r2/yovQFWk1LIRqcfCjqV/2qVZo5Hdp7Ux/aI8N7/M1eEIgbq+RcZlFTclQ6fppt
+gBDXmqE8gFdegAGqv+OiifB5
+-----END PRIVATE KEY-----

+ 84 - 0
tests/hwsim/auth_serv/iCA-user/user.pem

@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16236525841851734558 (0xe153ba3a7605da1e)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=User Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=user.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:86:20:e5:06:5a:a8:47:2d:c9:5e:25:24:f7:
+                    bf:a6:b6:44:50:99:8c:95:b5:6a:ad:74:b6:ba:ee:
+                    31:5e:b2:20:60:9a:b4:93:55:6d:15:0b:dc:5a:27:
+                    3f:df:c1:92:18:59:66:10:eb:47:1c:35:1f:08:dd:
+                    eb:25:bd:21:9c:2d:48:34:5f:97:18:dc:83:28:db:
+                    14:8c:16:3b:5a:36:6a:50:63:e9:3b:e0:37:fd:f6:
+                    a0:d6:40:af:ef:1e:99:1d:88:c1:4f:4b:92:25:53:
+                    28:cb:c4:b7:ce:ca:ca:26:af:2d:f7:e4:62:79:48:
+                    49:6a:82:33:b0:a6:c6:a5:17:33:88:93:77:36:b2:
+                    77:61:e0:55:de:2e:75:15:92:4c:e7:bf:11:ea:33:
+                    03:1e:4a:e6:18:38:16:34:f5:d9:ed:f8:0c:17:6f:
+                    78:65:ae:14:18:a3:0f:08:b6:e2:87:02:e4:eb:0f:
+                    fb:81:d9:4b:90:ff:b3:fa:0f:d3:04:4d:b0:99:b4:
+                    2b:5e:fb:ad:04:2b:a7:d6:36:0d:17:e0:be:c0:43:
+                    cf:e5:2e:f0:8e:87:88:60:b3:22:d8:03:59:53:50:
+                    a6:69:ce:de:d0:c9:2e:f7:6d:9a:59:4d:99:dc:4b:
+                    3c:c2:15:8f:27:64:23:34:14:34:af:41:76:a5:6a:
+                    9a:0f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                3E:35:E0:F9:A3:1E:2C:FA:DD:E7:8B:CE:58:06:38:20:5D:5E:71:D2
+            X509v3 Authority Key Identifier: 
+                keyid:AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+
+            X509v3 Subject Alternative Name: critical
+                DNS:user.w1.fi
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         7b:e9:eb:d7:d4:60:a8:08:62:71:61:dd:42:7d:e5:88:f4:24:
+         bb:3f:6b:a9:16:64:2d:fb:ce:8e:55:1c:f5:7e:b4:c3:74:de:
+         96:e4:59:32:f4:aa:74:e2:ac:43:28:06:54:5d:f7:fe:87:31:
+         3d:ac:45:d5:1c:51:7f:8c:f9:37:0b:66:94:a7:22:5f:d1:55:
+         bf:a4:82:c7:0a:50:bb:c7:18:cf:df:47:81:00:c4:d2:d7:12:
+         b0:83:2d:67:3f:80:b8:be:6f:c9:c5:76:9a:87:ef:3a:f6:0d:
+         4f:24:d8:e7:06:6c:6e:ff:dc:5e:6e:21:a1:e7:26:f6:94:44:
+         69:f4:b2:36:38:08:b1:df:07:fa:7a:53:b8:60:db:63:4b:4f:
+         e6:2a:42:ff:29:68:b5:99:3a:36:eb:26:05:76:d2:ab:e6:d0:
+         7c:af:8c:a0:20:8b:50:6c:3b:bc:1a:53:6d:a7:c8:70:97:21:
+         56:02:24:04:9b:63:2a:5d:b8:8c:e4:bf:e9:8f:58:cd:6e:99:
+         47:3c:02:7b:63:67:c1:c7:32:53:cc:d5:cb:e9:a0:39:ef:f8:
+         44:b7:f3:57:0c:b5:a7:23:3f:16:28:c6:02:14:b6:80:d8:33:
+         42:0c:81:5c:ac:3f:13:d0:5b:4a:66:9f:33:ee:ac:56:fe:37:
+         17:2b:03:40
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 16 - 0
tests/hwsim/auth_serv/iCA-user/user.req

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----

+ 154 - 0
tests/hwsim/auth_serv/iCA-user/user_and_ica.pem

@@ -0,0 +1,154 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=User Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
+                    f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
+                    67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
+                    9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
+                    f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
+                    9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
+                    ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
+                    10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
+                    11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
+                    67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
+                    c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
+                    e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
+                    df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
+                    6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
+                    43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
+                    6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
+                    65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
+                    fe:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
+         31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
+         1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
+         6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
+         7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
+         07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
+         3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
+         8f:fa
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
+MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
+kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
+Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
+9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
+2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
+rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
+MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
+ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
+FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
+5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
+4kDSzfuP+g==
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16236525841851734558 (0xe153ba3a7605da1e)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=User Intermediate CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 20 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=user.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:86:20:e5:06:5a:a8:47:2d:c9:5e:25:24:f7:
+                    bf:a6:b6:44:50:99:8c:95:b5:6a:ad:74:b6:ba:ee:
+                    31:5e:b2:20:60:9a:b4:93:55:6d:15:0b:dc:5a:27:
+                    3f:df:c1:92:18:59:66:10:eb:47:1c:35:1f:08:dd:
+                    eb:25:bd:21:9c:2d:48:34:5f:97:18:dc:83:28:db:
+                    14:8c:16:3b:5a:36:6a:50:63:e9:3b:e0:37:fd:f6:
+                    a0:d6:40:af:ef:1e:99:1d:88:c1:4f:4b:92:25:53:
+                    28:cb:c4:b7:ce:ca:ca:26:af:2d:f7:e4:62:79:48:
+                    49:6a:82:33:b0:a6:c6:a5:17:33:88:93:77:36:b2:
+                    77:61:e0:55:de:2e:75:15:92:4c:e7:bf:11:ea:33:
+                    03:1e:4a:e6:18:38:16:34:f5:d9:ed:f8:0c:17:6f:
+                    78:65:ae:14:18:a3:0f:08:b6:e2:87:02:e4:eb:0f:
+                    fb:81:d9:4b:90:ff:b3:fa:0f:d3:04:4d:b0:99:b4:
+                    2b:5e:fb:ad:04:2b:a7:d6:36:0d:17:e0:be:c0:43:
+                    cf:e5:2e:f0:8e:87:88:60:b3:22:d8:03:59:53:50:
+                    a6:69:ce:de:d0:c9:2e:f7:6d:9a:59:4d:99:dc:4b:
+                    3c:c2:15:8f:27:64:23:34:14:34:af:41:76:a5:6a:
+                    9a:0f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                3E:35:E0:F9:A3:1E:2C:FA:DD:E7:8B:CE:58:06:38:20:5D:5E:71:D2
+            X509v3 Authority Key Identifier: 
+                keyid:AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+
+            X509v3 Subject Alternative Name: critical
+                DNS:user.w1.fi
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha256WithRSAEncryption
+         7b:e9:eb:d7:d4:60:a8:08:62:71:61:dd:42:7d:e5:88:f4:24:
+         bb:3f:6b:a9:16:64:2d:fb:ce:8e:55:1c:f5:7e:b4:c3:74:de:
+         96:e4:59:32:f4:aa:74:e2:ac:43:28:06:54:5d:f7:fe:87:31:
+         3d:ac:45:d5:1c:51:7f:8c:f9:37:0b:66:94:a7:22:5f:d1:55:
+         bf:a4:82:c7:0a:50:bb:c7:18:cf:df:47:81:00:c4:d2:d7:12:
+         b0:83:2d:67:3f:80:b8:be:6f:c9:c5:76:9a:87:ef:3a:f6:0d:
+         4f:24:d8:e7:06:6c:6e:ff:dc:5e:6e:21:a1:e7:26:f6:94:44:
+         69:f4:b2:36:38:08:b1:df:07:fa:7a:53:b8:60:db:63:4b:4f:
+         e6:2a:42:ff:29:68:b5:99:3a:36:eb:26:05:76:d2:ab:e6:d0:
+         7c:af:8c:a0:20:8b:50:6c:3b:bc:1a:53:6d:a7:c8:70:97:21:
+         56:02:24:04:9b:63:2a:5d:b8:8c:e4:bf:e9:8f:58:cd:6e:99:
+         47:3c:02:7b:63:67:c1:c7:32:53:cc:d5:cb:e9:a0:39:ef:f8:
+         44:b7:f3:57:0c:b5:a7:23:3f:16:28:c6:02:14:b6:80:d8:33:
+         42:0c:81:5c:ac:3f:13:d0:5b:4a:66:9f:33:ee:ac:56:fe:37:
+         17:2b:03:40
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIJAOFTujp2BdoeMA0GCSqGSIb3DQEBCwUAMDwxCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlh
+dGUgQ0EwHhcNMTUxMjIzMTkzNzM2WhcNMjUxMjIwMTkzNzM2WjAyMQswCQYDVQQG
+EwJGSTEOMAwGA1UECgwFdzEuZmkxEzARBgNVBAMMCnVzZXIudzEuZmkwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAhiDlBlqoRy3JXiUk97+mtkRQmYyV
+tWqtdLa67jFesiBgmrSTVW0VC9xaJz/fwZIYWWYQ60ccNR8I3eslvSGcLUg0X5cY
+3IMo2xSMFjtaNmpQY+k74Df99qDWQK/vHpkdiMFPS5IlUyjLxLfOysomry335GJ5
+SElqgjOwpsalFzOIk3c2sndh4FXeLnUVkkznvxHqMwMeSuYYOBY09dnt+AwXb3hl
+rhQYow8ItuKHAuTrD/uB2UuQ/7P6D9METbCZtCte+60EK6fWNg0X4L7AQ8/lLvCO
+h4hgsyLYA1lTUKZpzt7QyS73bZpZTZncSzzCFY8nZCM0FDSvQXalapoPAgMBAAGj
+gYowgYcwCQYDVR0TBAIwADAdBgNVHQ4EFgQUPjXg+aMeLPrd54vOWAY4IF1ecdIw
+HwYDVR0jBBgwFoAUrMT2B56y5fFmfEAFCKrc74pg2sEwGAYDVR0RAQH/BA4wDIIK
+dXNlci53MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCBaAwDQYJ
+KoZIhvcNAQELBQADggEBAHvp69fUYKgIYnFh3UJ95Yj0JLs/a6kWZC37zo5VHPV+
+tMN03pbkWTL0qnTirEMoBlRd9/6HMT2sRdUcUX+M+TcLZpSnIl/RVb+kgscKULvH
+GM/fR4EAxNLXErCDLWc/gLi+b8nFdpqH7zr2DU8k2OcGbG7/3F5uIaHnJvaURGn0
+sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n
+yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj
+PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A=
+-----END CERTIFICATE-----

+ 87 - 0
tests/hwsim/auth_serv/ica-generate.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+OPENSSL=openssl
+
+echo
+echo "---[ Intermediate CA - Server ]-----------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/ec-ca/rootCA/" |
+	sed "s/#@CN@/commonName_default = Server Intermediate CA/" \
+	> openssl.cnf.tmp
+mkdir -p iCA-server/certs iCA-server/crl iCA-server/newcerts iCA-server/private
+touch iCA-server/index.txt
+$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/private/cakey.pem -out iCA-server/careq.pem -outform PEM -days 3652 -sha256
+$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-server/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-server/careq.pem
+cat iCA-server/cacert.pem ca.pem  > iCA-server/ca-and-root.pem
+rm openssl.cnf.tmp
+
+echo
+echo "---[ Intermediate CA - User ]-------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/ec-ca/rootCA/" |
+	sed "s/#@CN@/commonName_default = User Intermediate CA/" \
+	> openssl.cnf.tmp
+mkdir -p iCA-user/certs iCA-user/crl iCA-user/newcerts iCA-user/private
+touch iCA-user/index.txt
+$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/private/cakey.pem -out iCA-user/careq.pem -outform PEM -days 3652 -sha256
+$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out iCA-user/cacert.pem -days 3652 -batch -keyfile ca-key.pem -cert ca.pem -extensions v3_ca -outdir rootCA/newcerts -infiles iCA-user/careq.pem
+cat iCA-user/cacert.pem ca.pem  > iCA-user/ca-and-root.pem
+rm openssl.cnf.tmp
+
+echo
+echo "---[ Server ]-----------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/ec-ca/iCA-server/" |
+	sed "s/#@CN@/commonName_default = server.w1.fi/" |
+	sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
+	> openssl.cnf.tmp
+$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server.key -out iCA-server/server.req -outform PEM -sha256
+$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server.req -out iCA-server/server.pem -extensions ext_server -md sha256
+cat iCA-server/cacert.pem iCA-server/server.pem > iCA-server/server_and_ica.pem
+rm openssl.cnf.tmp
+
+echo
+echo "---[ Server - revoked ]-------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/ec-ca/iCA-server/" |
+	sed "s/#@CN@/commonName_default = server-revoked.w1.fi/" |
+	sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server-revoked.w1.fi/" \
+	> openssl.cnf.tmp
+$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server-revoked.key -out iCA-server/server-revoked.req -outform PEM -sha256
+$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server-revoked.req -out iCA-server/server-revoked.pem -extensions ext_server -md sha256
+$OPENSSL ca -config openssl.cnf.tmp -revoke iCA-server/server-revoked.pem -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem
+cat iCA-server/cacert.pem iCA-server/server-revoked.pem > iCA-server/server-revoked_and_ica.pem
+rm openssl.cnf.tmp
+
+echo
+echo "---[ User ]-----------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/ec-ca/iCA-user/" |
+	sed "s/#@CN@/commonName_default = user.w1.fi/" |
+	sed "s/#@ALTNAME@/subjectAltName=critical,DNS:user.w1.fi/" \
+	> openssl.cnf.tmp
+$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
+$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
+cat iCA-user/cacert.pem iCA-user/user.pem > iCA-user/user_and_ica.pem
+rm openssl.cnf.tmp
+
+echo
+echo "---[ Verify ]-----------------------------------------------------------"
+echo
+
+$OPENSSL verify -CAfile ca.pem iCA-server/cacert.pem
+$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
+$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server.pem
+$OPENSSL verify -CAfile ca.pem -untrusted iCA-server/cacert.pem iCA-server/server-revoked.pem
+$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem
+$OPENSSL verify -CAfile ca.pem -untrusted iCA-user/cacert.pem iCA-user/user.pem
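Review bot: Nothing in this script stops on error, so when a `$OPENSSL req` or `$OPENSSL ca` step fails, the following `cat` still writes a bundle such as `iCA-server/server_and_ica.pem` from missing or stale inputs and the run carries on into the next section. Adding `set -e` directly after `#!/bin/sh` would abort on the first failed step, and, provided the installed openssl returns a non-zero status on a failed verification, it would also turn the closing `$OPENSSL verify` block into a real check instead of output to be read by eye. The fifth verify line repeats `$OPENSSL verify -CAfile ca.pem iCA-user/cacert.pem` from three lines earlier and can be dropped. Because every key is generated with `-nodes` and committed next to its certificate, a header comment such as `# Test-only PKI for hwsim: keys are unencrypted and public, never reuse outside the test suite` would be worth adding.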

+ 2 - 0
tests/hwsim/auth_serv/rootCA/index.txt

@@ -0,0 +1,2 @@
+V	251222193736Z		D8D3E3A6CBE3CCF3	unknown	/C=FI/O=w1.fi/CN=Server Intermediate CA
+V	251222193736Z		D8D3E3A6CBE3CCF4	unknown	/C=FI/O=w1.fi/CN=User Intermediate CA

+ 1 - 0
tests/hwsim/auth_serv/rootCA/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = no

+ 1 - 0
tests/hwsim/auth_serv/rootCA/serial

@@ -0,0 +1 @@
+D8D3E3A6CBE3CCF5

+ 242 - 0
tests/hwsim/test_ap_eap.py

@@ -3024,6 +3024,248 @@ def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
                    anonymous_identity="ttls", password="password",
                    phase2="auth=PAP", ocsp=1, scan_freq="2412")
 
+def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
+    """EAP-TLS with intermediate server/user CA"""
+    params = int_eap_server_params()
+    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
+    params["server_cert"] = "auth_serv/iCA-server/server.pem"
+    params["private_key"] = "auth_serv/iCA-server/server.key"
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                   identity="tls user",
+                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                   client_cert="auth_serv/iCA-user/user.pem",
+                   private_key="auth_serv/iCA-user/user.key",
+                   scan_freq="2412")
+
+def root_ocsp(cert):
+    ca = "auth_serv/ca.pem"
+
+    fd2, fn2 = tempfile.mkstemp()
+    os.close(fd2)
+
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
+            "-no_nonce", "-sha256", "-text" ]
+    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
+                           stderr=subprocess.PIPE)
+    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
+    cmd.stdout.close()
+    cmd.stderr.close()
+    logger.info("OCSP request:\n" + res)
+
+    fd, fn = tempfile.mkstemp()
+    os.close(fd)
+    arg = [ "openssl", "ocsp", "-index", "rootCA/index.txt",
+            "-rsigner", ca, "-rkey", "auth_serv/caa-key.pem",
+            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
+            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
+            "-text" ]
+    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
+                           stderr=subprocess.PIPE)
+    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
+    cmd.stdout.close()
+    cmd.stderr.close()
+    logger.info("OCSP response:\n" + res)
+    os.unlink(fn2)
+    return fn
+
+def ica_ocsp(cert):
+    prefix = "auth_serv/iCA-server/"
+    ca = prefix + "cacert.pem"
+    cert = prefix + cert
+
+    fd2, fn2 = tempfile.mkstemp()
+    os.close(fd2)
+
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
+            "-no_nonce", "-sha256", "-text" ]
+    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
+                           stderr=subprocess.PIPE)
+    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
+    cmd.stdout.close()
+    cmd.stderr.close()
+    logger.info("OCSP request:\n" + res)
+
+    fd, fn = tempfile.mkstemp()
+    os.close(fd)
+    arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
+            "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
+            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
+            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
+            "-text" ]
+    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
+                           stderr=subprocess.PIPE)
+    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
+    cmd.stdout.close()
+    cmd.stderr.close()
+    logger.info("OCSP response:\n" + res)
+    os.unlink(fn2)
+    return fn
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
+    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
+    params = int_eap_server_params()
+    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
+    params["server_cert"] = "auth_serv/iCA-server/server.pem"
+    params["private_key"] = "auth_serv/iCA-server/server.key"
+    fn = ica_ocsp("server.pem")
+    params["ocsp_stapling_response"] = fn
+    try:
+        hostapd.add_ap(apdev[0]['ifname'], params)
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                       identity="tls user",
+                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       client_cert="auth_serv/iCA-user/user.pem",
+                       private_key="auth_serv/iCA-user/user.key",
+                       scan_freq="2412", ocsp=2)
+    finally:
+        os.unlink(fn)
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
+    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
+    params = int_eap_server_params()
+    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
+    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
+    params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
+    fn = ica_ocsp("server-revoked.pem")
+    params["ocsp_stapling_response"] = fn
+    try:
+        hostapd.add_ap(apdev[0]['ifname'], params)
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                       identity="tls user",
+                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       client_cert="auth_serv/iCA-user/user.pem",
+                       private_key="auth_serv/iCA-user/user.key",
+                       scan_freq="2412", ocsp=1, wait_connect=False)
+        count = 0
+        while True:
+            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
+                                    "CTRL-EVENT-EAP-SUCCESS"])
+            if ev is None:
+                raise Exception("Timeout on EAP status")
+            if "CTRL-EVENT-EAP-SUCCESS" in ev:
+                raise Exception("Unexpected EAP-Success")
+            if 'bad certificate status response' in ev:
+                break
+            if 'certificate revoked' in ev:
+                break
+            count = count + 1
+            if count > 10:
+                raise Exception("Unexpected number of EAP status messages")
+
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+        if ev is None:
+            raise Exception("Timeout on EAP failure report")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+    finally:
+        os.unlink(fn)
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
+    """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
+    check_ocsp_support(dev[0])
+    check_ocsp_multi_support(dev[0])
+
+    params = int_eap_server_params()
+    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
+    params["server_cert"] = "auth_serv/iCA-server/server.pem"
+    params["private_key"] = "auth_serv/iCA-server/server.key"
+    fn = ica_ocsp("server.pem")
+    params["ocsp_stapling_response"] = fn
+    try:
+        hostapd.add_ap(apdev[0]['ifname'], params)
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                       identity="tls user",
+                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       client_cert="auth_serv/iCA-user/user.pem",
+                       private_key="auth_serv/iCA-user/user.key",
+                       scan_freq="2412", ocsp=3, wait_connect=False)
+        count = 0
+        while True:
+            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
+                                    "CTRL-EVENT-EAP-SUCCESS"])
+            if ev is None:
+                raise Exception("Timeout on EAP status")
+            if "CTRL-EVENT-EAP-SUCCESS" in ev:
+                raise Exception("Unexpected EAP-Success")
+            if 'bad certificate status response' in ev:
+                break
+            if 'certificate revoked' in ev:
+                break
+            count = count + 1
+            if count > 10:
+                raise Exception("Unexpected number of EAP status messages")
+
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+        if ev is None:
+            raise Exception("Timeout on EAP failure report")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+    finally:
+        os.unlink(fn)
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
+    """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
+    check_ocsp_support(dev[0])
+    check_ocsp_multi_support(dev[0])
+
+    params = int_eap_server_params()
+    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
+    params["server_cert"] = "auth_serv/iCA-server/server.pem"
+    params["private_key"] = "auth_serv/iCA-server/server.key"
+    fn = ica_ocsp("server.pem")
+    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
+    params["ocsp_stapling_response"] = fn
+
+    with open(fn, "r") as f:
+        resp_server = f.read()
+    with open(fn2, "r") as f:
+        resp_ica = f.read()
+
+    fd3, fn3 = tempfile.mkstemp()
+    try:
+        f = os.fdopen(fd3, 'w')
+        f.write(struct.pack(">L", len(resp_server))[1:4])
+        f.write(resp_server)
+        f.write(struct.pack(">L", len(resp_ica))[1:4])
+        f.write(resp_ica)
+        f.close()
+
+        params["ocsp_stapling_response_multi"] = fn3
+
+        hostapd.add_ap(apdev[0]['ifname'], params)
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                       identity="tls user",
+                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       client_cert="auth_serv/iCA-user/user.pem",
+                       private_key="auth_serv/iCA-user/user.key",
+                       scan_freq="2412", ocsp=3, wait_connect=False)
+        count = 0
+        while True:
+            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
+                                    "CTRL-EVENT-EAP-SUCCESS"])
+            if ev is None:
+                raise Exception("Timeout on EAP status")
+            if "CTRL-EVENT-EAP-SUCCESS" in ev:
+                raise Exception("Unexpected EAP-Success")
+            if 'bad certificate status response' in ev:
+                break
+            if 'certificate revoked' in ev:
+                break
+            count = count + 1
+            if count > 10:
+                raise Exception("Unexpected number of EAP status messages")
+
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+        if ev is None:
+            raise Exception("Timeout on EAP failure report")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+    finally:
+        os.unlink(fn)
+        os.unlink(fn2)
+        os.unlink(fn3)
+
 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
     """EAP-TLS and CA signed OCSP multi response (revoked)"""
     check_ocsp_support(dev[0])
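Review bot: In `root_ocsp()` the responder command passes `"-index", "rootCA/index.txt"` and `"-rkey", "auth_serv/caa-key.pem"`, while every other path in the helper carries the `auth_serv/` prefix and `ica-generate.sh` in this commit signs with `ca-key.pem`; these look like path typos, presumably meant as `"auth_serv/rootCA/index.txt"` and `"auth_serv/ca-key.pem"`. Neither `root_ocsp()` nor `ica_ocsp()` checks the openssl exit status, so a failed run returns the empty `mkstemp()` file as if it were a valid response; `if cmd.wait() != 0: raise Exception("openssl ocsp failed")` after the output is read would surface that. This matters for `test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi`, whose docstring says "OCSP multi OK" but whose loop raises on `CTRL-EVENT-EAP-SUCCESS` and then waits for `CTRL-EVENT-EAP-FAILURE`: as written it passes when the stapled response is rejected, so either the docstring or the expected outcome needs correcting. The trailing context function `test_ap_wpa2_eap_tls_ocsp_multi_revoked` continues outside the hunk.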