CA-404640 XSI-1781 accept in PEM key/cert in any order

We have so far hard-coded the exectation that in a PEM file a private
key is followed by a certficate but this is actually not required by the
PEM standard and let to a failure in XSI-1781.

This is a simple fix first collects all keys and certificates while
skipping over other content and the uses the first key and certificate.

Signed-off-by: Christian Lindig <[email protected]>

ocaml/gencert/pem.ml

@@ -24,6 +24,10 @@ let data = take_while1 is_data
 
 type kind = RSA | EC | OTHER
 
+type block = Key of string | Cert of string
+
+let fail_fmt fmt = Printf.ksprintf (fun str -> fail str) fmt
+
 let kind =
   string " RSA " *> return RSA
   <|> string " EC " *> return EC
@@ -60,24 +64,39 @@ let key =
   key_footer kind *> return (String.concat "" [header kind; body; footer kind])
   <?> "key"
 
-let line = take_till is_eol *> end_of_line
-
-(* try to read a key, or skip a line and try again *)
-let until_key = fix (fun m -> key <|> line *> m) <?> "until_key"
-
 let cert =
   cert_header >>= fun hd ->
   data >>= fun body ->
   cert_footer >>= fun tl -> return (String.concat "" [hd; body; tl]) <?> "cert"
 
-(* try to read a cert, or skip a line and try again *)
-let until_cert = fix (fun m -> cert <|> line *> m) <?> "until_cert"
+let line = take_till is_eol *> end_of_line
 
+let any_block =
+  cert >>= (fun c -> return (Cert c)) <|> (key >>= fun k -> return (Key k))
+
+(* this skips over junk until we succeed finding the next block *)
+let block = fix (fun m -> any_block <|> line *> m) <?> "until_block"
+
+(* collect and tag all blocks *)
+let blocks = many block <?> "PEM blocks"
+
+(* decompose blocks into certs and keys *)
 let pem =
-  until_key >>= fun private_key ->
-  until_cert >>= fun host_cert ->
-  many until_cert >>= fun other_certs ->
-  many end_of_line *> return {private_key; host_cert; other_certs} <?> "pem"
+  let ( let* ) = ( >>= ) in
+  let strip = function Cert c -> c | Key k -> k in
+  blocks >>= fun bs ->
+  match List.partition (function Key _ -> true | Cert _ -> false) bs with
+  | [Key k], Cert c :: xs ->
+      return {private_key= k; host_cert= c; other_certs= List.map strip xs}
+  | [_], [] ->
+      let* p = pos in
+      fail_fmt "PEM is lacking a certificate (at offset %d)" p
+  | [], _ ->
+      let* p = pos in
+      fail_fmt "PEM is missing a private key (at offset %d)" p
+  | _ :: _, _ ->
+      let* p = pos in
+      fail_fmt "PEM has more than one private key (at offset %d)" p
 
 let defer f = Fun.protect ~finally:f
 
@@ -86,6 +105,10 @@ let read_file path =
   defer (fun () -> close_in ic) @@ fun () ->
   really_input_string ic (in_channel_length ic)
 
+let _parse_with t path =
+  let consume = Consume.Prefix in
+  read_file path |> parse_string ~consume t
+
 let parse_string str =
   let consume = Consume.Prefix in
   parse_string ~consume pem str

ocaml/gencert/test_data/pems/fail-06.pem

@@ -1,4 +1,74 @@
------BEGIN RSA PRIVATE KEY-----
+This fails because we have two keys (rather than just one).
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7lI5jUArCqncH
+tzcSFK+OJgXMv16Ai0sjsLKmxUVCnlElen/0VEIyTWwsHeB+oxxDluGE8zhB9bSI
+r3C1xHEUgtgj+gf6/A0Qnl/fIGkhuOFsPoholxXXGk2QkPQlGrE9FRxFNGQpIur0
+eniepJw4K+SMqAaGUvdwWfe44pYjOsmAS3IWLERdpjxcupgvHLwEnk+4zheypp93
+iVvmqwrX8okLiJJZap1ew6EgKzeK2mw9HUed4d0AGKCkAhghzGTl/IsLz4QOOFes
+rY4awQwzK1SwBvF49xAuOiRbURdzt+K7GsoN0lm5P8CxZmrDSGpGR1BICrMSatSG
+N0NuOCJ9AgMBAAECggEATgm51VKZ0+Kew5Twjzo9bqGawPVHsiYDK9H+yL5+inij
+gTWrhTWxxvq/KDwoS//6n3ipAd2UQNmfo5qQIsIJtawUsaw4V4Fh6BrIcGUUV3KK
+8lG/bHoZOz0cfFCKewv5mJH4z/q9awk6ypVG3yb+kmoDHiJsy7Pmr0IpFn+qxMg1
+EYZU91G10DguXekciRtNcZJRL0wCQR3s2OwDdQUC+XIotvAsKiuhWl++MLwn42ad
+EwhzLuLd312qWg58ByCcNq8/XJkHJUbKDTWmBRGopWRliduP+Kb6vJZ16KL0G2B+
+OKuTQxMOzVVmumXdEVj3kH54cjpn7kCq9jwhhSJiQQKBgQD94ZFOzsUzZfmNlDZ3
+hFmkFuFpQCacH58FQX/vD6JQ84HwEHJx69aHYI6olCNaKcNwMhsOw+0KqBRWZnCf
+A6oMWUf3pkogV5JZJy7DyHNOmkfI/w8NcWtqJ03pCoA237f5RH0sul2ady9BVzsJ
+/8rb3B5uDw8+XesnG8Ryj6BCsQKBgQD9rhKfHxJgsZUzyassIumYcLTefgdoeCq5
+awd+YaM9jrGGN1ty8dTEzo3rbovnz8y+ZJMzaDRbCUeNTQjKDox8mWffRTpjxcks
+rJzImY7coBdnZT8K4C5OMoeCAr30FI1veXBk/XFfr56h1X8QbmM2kuJwpsf5bOaf
+CTfL2q2XjQKBgHem4pvYuXoC2n1OV+k2GCVMn0nCcS/tez234/qgTKiISzoAFl/4
+fW/qIvHyd0LcIf7zrmrkDgiStJsPxo465N7TCSb/WToq649W9yRQiX+HGMPy6X41
+cSFjisWFLG4wO/2fuLrmzoypFT1fRjTtOAcsk67dLBsBmn0hChHP/QDRAoGASXS7
+XaogpzEk1A8kaq5dV8/i/74cpQqOzIwKanUZULzd+NBUwa72/loVTEQBbQmF7ueu
+nCcjae0A9BCHaALYeUfuhP9Fzhg6jZ4Z9BhK/uW4gS8XFy4dGnWVOXdTy7ab0din
+TAb7akqvM4tftMFSJz5XJWmV5Eq9aPXBW10iAQ0CgYBl6PsdqWBjvPnqX3NCyAGH
+ZO4iUcrqODdeTcKpILgqBmh9/IepClgCtwW1Iluna7QTDtVqotKcft1BtHJzeKWT
+6TvCgje2k0RWo6TkzroaF74lyAojzWOrmuq+skVbWTiebc4bCA1KtLMLaQHIEtdo
+FIPEq03cDKVNDCgABw4mkw==
+-----END PRIVATE KEY-----
+
+
+-----BEGIN PRIVATE KEY-----
 MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7lI5jUArCqncH
 tzcSFK+OJgXMv16Ai0sjsLKmxUVCnlElen/0VEIyTWwsHeB+oxxDluGE8zhB9bSI
 r3C1xHEUgtgj+gf6/A0Qnl/fIGkhuOFsPoholxXXGk2QkPQlGrE9FRxFNGQpIur0
@@ -25,8 +95,26 @@ TAb7akqvM4tftMFSJz5XJWmV5Eq9aPXBW10iAQ0CgYBl6PsdqWBjvPnqX3NCyAGH
 ZO4iUcrqODdeTcKpILgqBmh9/IepClgCtwW1Iluna7QTDtVqotKcft1BtHJzeKWT
 6TvCgje2k0RWo6TkzroaF74lyAojzWOrmuq+skVbWTiebc4bCA1KtLMLaQHIEtdo
 FIPEq03cDKVNDCgABw4mkw==
------END EC PRIVATE KEY-----
+-----END PRIVATE KEY-----
 
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
 
 -----BEGIN CERTIFICATE-----
 MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
@@ -47,3 +135,4 @@ erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
 JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
 -----END CERTIFICATE-----
 
+

ocaml/gencert/test_data/pems/pass-06.pem

@@ -0,0 +1,109 @@
+Multiple certificates and one key.
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7lI5jUArCqncH
+tzcSFK+OJgXMv16Ai0sjsLKmxUVCnlElen/0VEIyTWwsHeB+oxxDluGE8zhB9bSI
+r3C1xHEUgtgj+gf6/A0Qnl/fIGkhuOFsPoholxXXGk2QkPQlGrE9FRxFNGQpIur0
+eniepJw4K+SMqAaGUvdwWfe44pYjOsmAS3IWLERdpjxcupgvHLwEnk+4zheypp93
+iVvmqwrX8okLiJJZap1ew6EgKzeK2mw9HUed4d0AGKCkAhghzGTl/IsLz4QOOFes
+rY4awQwzK1SwBvF49xAuOiRbURdzt+K7GsoN0lm5P8CxZmrDSGpGR1BICrMSatSG
+N0NuOCJ9AgMBAAECggEATgm51VKZ0+Kew5Twjzo9bqGawPVHsiYDK9H+yL5+inij
+gTWrhTWxxvq/KDwoS//6n3ipAd2UQNmfo5qQIsIJtawUsaw4V4Fh6BrIcGUUV3KK
+8lG/bHoZOz0cfFCKewv5mJH4z/q9awk6ypVG3yb+kmoDHiJsy7Pmr0IpFn+qxMg1
+EYZU91G10DguXekciRtNcZJRL0wCQR3s2OwDdQUC+XIotvAsKiuhWl++MLwn42ad
+EwhzLuLd312qWg58ByCcNq8/XJkHJUbKDTWmBRGopWRliduP+Kb6vJZ16KL0G2B+
+OKuTQxMOzVVmumXdEVj3kH54cjpn7kCq9jwhhSJiQQKBgQD94ZFOzsUzZfmNlDZ3
+hFmkFuFpQCacH58FQX/vD6JQ84HwEHJx69aHYI6olCNaKcNwMhsOw+0KqBRWZnCf
+A6oMWUf3pkogV5JZJy7DyHNOmkfI/w8NcWtqJ03pCoA237f5RH0sul2ady9BVzsJ
+/8rb3B5uDw8+XesnG8Ryj6BCsQKBgQD9rhKfHxJgsZUzyassIumYcLTefgdoeCq5
+awd+YaM9jrGGN1ty8dTEzo3rbovnz8y+ZJMzaDRbCUeNTQjKDox8mWffRTpjxcks
+rJzImY7coBdnZT8K4C5OMoeCAr30FI1veXBk/XFfr56h1X8QbmM2kuJwpsf5bOaf
+CTfL2q2XjQKBgHem4pvYuXoC2n1OV+k2GCVMn0nCcS/tez234/qgTKiISzoAFl/4
+fW/qIvHyd0LcIf7zrmrkDgiStJsPxo465N7TCSb/WToq649W9yRQiX+HGMPy6X41
+cSFjisWFLG4wO/2fuLrmzoypFT1fRjTtOAcsk67dLBsBmn0hChHP/QDRAoGASXS7
+XaogpzEk1A8kaq5dV8/i/74cpQqOzIwKanUZULzd+NBUwa72/loVTEQBbQmF7ueu
+nCcjae0A9BCHaALYeUfuhP9Fzhg6jZ4Z9BhK/uW4gS8XFy4dGnWVOXdTy7ab0din
+TAb7akqvM4tftMFSJz5XJWmV5Eq9aPXBW10iAQ0CgYBl6PsdqWBjvPnqX3NCyAGH
+ZO4iUcrqODdeTcKpILgqBmh9/IepClgCtwW1Iluna7QTDtVqotKcft1BtHJzeKWT
+6TvCgje2k0RWo6TkzroaF74lyAojzWOrmuq+skVbWTiebc4bCA1KtLMLaQHIEtdo
+FIPEq03cDKVNDCgABw4mkw==
+-----END PRIVATE KEY-----
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
+MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
+gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
++vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
+hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
+WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
+ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
+oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
+AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
+LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
+GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
+erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
+/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
+JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
+-----END CERTIFICATE-----
+
+

ocaml/gencert/test_data/pems/pass-xsi-1781-reformat.pem

@@ -0,0 +1,51 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7qKYiCfucgzLI
+X78/NTAtFXA97Cp3PfnQwpi90tF0YmWUObOdVdxP2FHvUTyMhItpvimsvztX503D
+C0Q7lI9/omK3AbPPy51lhRCKTMiz8ic2fmiHU9lePmkZMZJv0p/eHgAIcOmIl5Kc
+uvoKvOutLnFTRKrYhUQMu2eyBz0f8rzY/4yhLLNflkQUJ3zc3W0jeMuAUei7Zmtz
+jpj+s3Ll5rwzVYG3xLbndzpCR7NaP5uZcchByhsirohR90m3dQtrFdtLTkiDJ8vJ
+hW7z3AzAA0Btw/CtH1/Ef/rHt3XHKGMJoJ3nQ2zRvSutdrRSAknNqYONe0hyrLvy
+MRGno7SjAgMBAAECggEANHjKw1fRQAk7aOXE3xKrPt/wu4/Oq/rrYGEZPnK1WHqu
+9oxP2d2JNdZBys4HRS9GoDGpC4GJQWIOz0vWL2ax3Tl1qsBSG/dOMnXLkzA3KoG6
+TzV3WueqLvz6fC3tSVE2nG/9CF8yHZxsRWDOy7PZnloPG/5mWxagWYMJUrFNeSH2
+nXd40Rff5uM43OzKtiOOzoKv2bKlKReyJVcI98MkyqSbUiie6qO1/NqrOUhq7rsV
+zFmbtjy8UL4gXR2VVz0itb/w/iV/SDVHdMQ36obo8EM9eyxUFu4QPscrbK0FvjHV
+lsKTnzu1zj/fm68NafXDy/KL5I9jethsj8ReNaQzoQKBgQDLkaIxBtNtAZfcFK7S
+dXtR7fIQfUTtgDrxznYXPqCkCy/0wp53hj7aShX2C/rfFQVElBUPkf2E/P6v7Xnf
+b+M/Zj6TH7XYbScoVu+8cqfIm1ySd3evK4GoqGIUiJeuSYEfeLqZSTp1XxO05lGb
+ZmAEtZUHor24Co9HIV/3P86EcwKBgQDr/fqn6b6V1O64r7/cnOmWhW1+5MjoWO2K
++y0fSutrPMOFK4ItJIk4Q5JbHA42cwyYRMe+oElGXzWJXGbqxyorFhW0Er/+roTa
+6GXwNrRkdA3S0rgPAE7IS42WLDsAO9/muiZJ4heXtk8i0xDoyy3Y8UQ/6hR4h1px
+jtn9Bs4zEQKBgBdW+TuZxr/mwNyQ2oJyydLY7zoIwtBgNWHoBA4iNhTY24S6k6Ss
+laQ9fksZkIfnRxVXzRpd6K1IvIK7PY/qqilotZ/0sMrBqQ2s+gunMamEdpasb+J7
+oIAP3j7wckOfVdif5PUSOkuevQmupoiksjmYACBB/nKNc2P6ZaBZhnoVAoGBAJuc
+4z777BeCzFNuWJaRxZniq9wj4rMLiL+/dvaOgYQ6EjdrBDDeSbmXHRgE/P48iQ6T
+NB9oNEk6GORV0Ot5nz3AF1mhj4bR73smCaoHeJZQzJi7KHGD429CGr/utI0n7jGH
+iB3p/2Kj7bTp9tl6uOW32ihHI26C2knNR8MITMnxAoGAZ+Dpg1a6u2ZMTSgOn9Vc
+pECwENGtOQP4RKyXmnq3ET5ykx1hMMCf9uoA09TXDRuJ/20hVfsAGvLZdbQq/9DL
+C3bckcoalhy8RXC/OV9c6SC/xgoYiggxmZtzV34wnQSLM4Cr+Q/lhOaj7sop6iJi
+apYRps2sXbUdu3pDTub/zSI=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUZeSD7KNhTFOoqpI7cWxxWcN417EwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM
+CUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2ZXIx
+FDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI1MDExNDE1NDIwMFoXDTM1MDExMjE1
+NDIwMFowcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNV
+BAcMCUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2
+ZXIxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAu6imIgn7nIMyyF+/PzUwLRVwPewqdz350MKYvdLRdGJllDmznVXc
+T9hR71E8jISLab4prL87V+dNwwtEO5SPf6JitwGzz8udZYUQikzIs/InNn5oh1PZ
+Xj5pGTGSb9Kf3h4ACHDpiJeSnLr6CrzrrS5xU0Sq2IVEDLtnsgc9H/K82P+MoSyz
+X5ZEFCd83N1tI3jLgFHou2Zrc46Y/rNy5ea8M1WBt8S253c6QkezWj+bmXHIQcob
+Iq6IUfdJt3ULaxXbS05IgyfLyYVu89wMwANAbcPwrR9fxH/6x7d1xyhjCaCd50Ns
+0b0rrXa0UgJJzamDjXtIcqy78jERp6O0owIDAQABo1MwUTAdBgNVHQ4EFgQUK3or
+CHusUjk/eheKHz6JMuYQBkAwHwYDVR0jBBgwFoAUK3orCHusUjk/eheKHz6JMuYQ
+BkAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATq7rhHQE3xSk
+NUsD1dIFUwz7NJ1eIbdNQ8kJGybcTkIsBY9PrUcrnXFozEE05dZaZizCK/F0To3v
+903kVAwaBe04sZuIqAVDHAjewH2yfCAIRkgA6RPnSHio6NTCLMi3Ukqrhj5bIFGy
+eqcAKy0akXeV3uLIKKY/ZdNpPRP5gW2UZpC+p9ZBEcVDNKAWEK+GVLDar1MLdyIp
+XyCp4wimx4iK+TyXEYKRK7G5+/HPtYOU2OrHtuUFnppz4G5/QuyuDO7yDAJaK8X/
+9hIuR4tcxzt3FdBMVXju5PViMpKbpw5XslbGxdAFFCSrkSRvzYw98tq7HkUB5IyV
+OgjjLNHdJg==
+-----END CERTIFICATE-----