From 5d0bdf296678a8402386bb702d877776b26397ff Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 20 May 2014 15:11:30 +0200 Subject: [PATCH] Added test for group selection when having a certificate. --- tests/Makefile.am | 6 +- tests/test-group-cert | 66 +++++++++++ tests/test-group-cert.config | 191 ++++++++++++++++++++++++++++++ tests/test-group-pass | 2 +- tests/test-group-pass.config | 4 +- tests/test-pass-group-cert | 66 +++++++++++ tests/test-user-group-cert.config | 191 ++++++++++++++++++++++++++++++ tests/user-group-cert.pem | 23 ++++ tests/user-group-key.pem | 144 ++++++++++++++++++++++ 9 files changed, 687 insertions(+), 6 deletions(-) create mode 100644 tests/test-group-cert create mode 100644 tests/test-group-cert.config create mode 100755 tests/test-pass-group-cert create mode 100644 tests/test-user-group-cert.config create mode 100644 tests/user-group-cert.pem create mode 100644 tests/user-group-key.pem diff --git a/tests/Makefile.am b/tests/Makefile.am index df65a296..2b5c60f8 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
@@ -2,13 +2,13 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co test1.passwd test-user-cert.config user-cert.pem user-key.pem test3.config test-iroute.config \ user-config/test test-pass-script.config test-multi-cookie.config test-pam.config \ test-stress.config user-cert-wrong.pem connect-script kill-parent.sh test-group-pass.passwd \ - test-group-pass.config + test-group-pass.config user-group-cert.pem user-group-key.pem test-user-group-cert.config dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ - test-multi-cookie test-pam test-stress full-test test-group-pass + test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ - test-multi-cookie full-test test-group-pass + test-multi-cookie full-test test-group-pass test-pass-group-cert TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)" diff --git a/tests/test-group-cert b/tests/test-group-cert new file mode 100644 index 00000000..270bebe4 --- /dev/null +++ b/tests/test-group-cert 
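Review bot: The new tests/test-group-cert script is not added to dist_check_SCRIPTS or TESTS and tests/test-group-cert.config is not added to EXTRA_DIST, so the certificate-only group-selection case is neither run by `make check` nor shipped in the tarball; only test-pass-group-cert is wired in. The file headers also show test-group-cert created with mode 100644 while test-pass-group-cert is 100755, which suggests the former was never executed. Add `test-group-cert` to both script lists, `test-group-cert.config` to EXTRA_DIST, and `chmod +x` the script.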
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PORT=6550
+
+. `dirname $0`/common.sh
+
+echo "Testing local backend with certificate... "
+
+launch_server -d 1 -f -c test-group-cert.config & PID=$!
+wait_server $PID
+
+echo -n "Connecting to obtain cookie (without certificate)... "
+( echo "test" | openconnect --authgroup group1 -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+ fail $PID "Connected without certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group1 (with certificate)... "
+( echo "test" | openconnect --authgroup group1 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group2 (with certificate)... "
+( echo "test" | openconnect --authgroup group2 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... "
+( echo "test" | openconnect --authgroup group3 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group4 (with certificate)... "
+( echo "test" | openconnect --authgroup group4 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+
+kill $PID
+wait
+
+exit 0
diff --git a/tests/test-group-cert.config b/tests/test-group-cert.config
new file mode 100644
index 00000000..77c5666c
--- /dev/null
+++ b/tests/test-group-cert.config
@@ -0,0 +1,191 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +auth = "certificate" +#auth = "plain[./test-group.passwd]" +#auth = "pam" + +select-group = group1 +select-group = group2 + +# The name of the group that if selected it would allow to use +# the assigned by default group. +default-select-group = DEFAULT + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +#listen-host = [IP|HOSTNAME] + +use-dbus = no + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting multiple times) +# Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 6550 +udp-port = 6550 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds +dpd = 440 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = ./server-cert.pem +server-key = ./server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). 
+# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only (It's the storage +# root key). +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used +# to verify clients if certificate authentication +# is set. +ca-cert = ./ca.pem + +# The object identifier that will be used to read the user ID in the client certificate. +# The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +cert-group-oid = 2.5.4.11 + +# A revocation list of ca-cert is set +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. 
+#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 172800 + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON +# may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# UTMP +use-utmp = true + +# PID file +pid-file = /var/run/ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = /var/run/ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = nobody +run-as-group = daemon + +# Network settings + +device = vpns + +# The default domain to be advertised +default-domain = example.com + +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 +# Use the keywork local to advertize the local P-t-P address as DNS server +ipv4-dns = 192.168.1.1 + +# The NBNS server (if any) +#ipv4-nbns = 192.168.2.3 + +#ipv6-address = +#ipv6-mask = +#ipv6-dns = + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Leave empty to assign the default MTU of the device +# mtu = + +route = 192.168.1.0/255.255.255.0 +#route = 192.168.5.0/255.255.255.0 + +# +# The following options are for (experimental) AnyConnect client +# compatibility. 
They are only available if the server is built +# with --enable-anyconnect +# + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# The profile is ignored by the openconnect client. +#user-profile = profile.xml + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie. Legacy CISCO clients do not do that, and thus this option +# should be set for them. +cisco-client-compat = true + diff --git a/tests/test-group-pass b/tests/test-group-pass index 72d1ebc7..756ac5ef 100755 --- a/tests/test-group-pass +++ b/tests/test-group-pass @@ -20,7 +20,7 @@ SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} -PORT=4444 +PORT=6552 . `dirname $0`/common.sh diff --git a/tests/test-group-pass.config b/tests/test-group-pass.config index f6510358..ef0b3e87 100644 --- a/tests/test-group-pass.config +++ b/tests/test-group-pass.config @@ -26,8 +26,8 @@ max-clients = 16 max-same-clients = 2 # TCP and UDP port number -tcp-port = 4444 -udp-port = 4444 +tcp-port = 6552 +udp-port = 6552 # Keepalive in seconds keepalive = 32400 diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert new file mode 100755 index 00000000..140953ee --- /dev/null +++ b/tests/test-pass-group-cert 
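Review bot: Both new server configs use the same `pid-file = /var/run/ocserv.pid`, while listening on different ports (6550 and 6551), presumably so the tests can run concurrently under the automake harness; two ocserv instances started at the same time would then race on one pid-file and can overwrite each other's record, whereas `socket-file` is safe because the config says it is suffixed with the PID. A per-test name such as `pid-file = /var/run/ocserv-group-cert.pid` avoids that. Note also that `cisco-client-compat = true` means a client reconnecting with a previously granted cookie is not asked for its certificate, so the script's "without certificate" check only covers the initial authentication, not cookie reuse; a comment in the config, `# cookie reconnects are not re-checked for a client cert here`, would make that limitation explicit for whoever extends the test.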
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PORT=6551
+
+. `dirname $0`/common.sh
+
+echo "Testing local backend with username-password and certificate... "
+
+launch_server -d 1 -f -c test-user-group-cert.config & PID=$!
+wait_server $PID
+
+echo -n "Connecting to obtain cookie (without certificate)... "
+( echo "test" | openconnect --authgroup group1 -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+ fail $PID "Connected without certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group1 (with certificate)... "
+( echo "test" | openconnect --authgroup group1 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group2 (with certificate)... "
+( echo "test" | openconnect --authgroup group2 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... "
+( echo "test" | openconnect --authgroup group3 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+
+echo ok
+
+echo -n "Connecting to obtain cookie - group4 (with certificate)... "
+( echo "test" | openconnect --authgroup group4 -q localhost:$PORT --sslkey ./user-group-key.pem -c ./user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
+ fail $PID "Got cookie when it shouldn't!"
+
+echo ok
+
+kill $PID
+wait
+
+
+exit 0
diff --git a/tests/test-user-group-cert.config b/tests/test-user-group-cert.config
new file mode 100644
index 00000000..b1539e3f
--- /dev/null
+++ b/tests/test-user-group-cert.config
@@ -0,0 +1,191 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +auth = "certificate" +auth = "plain[./test-group.passwd]" +#auth = "pam" + +select-group = group1 +select-group = group2 + +# The name of the group that if selected it would allow to use +# the assigned by default group. +default-select-group = DEFAULT + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +#listen-host = [IP|HOSTNAME] + +use-dbus = no + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting multiple times) +# Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 6551 +udp-port = 6551 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds +dpd = 440 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = ./server-cert.pem +server-key = ./server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). 
+# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only (It's the storage +# root key). +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used +# to verify clients if certificate authentication +# is set. +ca-cert = ./ca.pem + +# The object identifier that will be used to read the user ID in the client certificate. +# The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +cert-group-oid = 2.5.4.11 + +# A revocation list of ca-cert is set +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. 
+#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 172800 + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON +# may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# UTMP +use-utmp = true + +# PID file +pid-file = /var/run/ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = /var/run/ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = nobody +run-as-group = daemon + +# Network settings + +device = vpns + +# The default domain to be advertised +default-domain = example.com + +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 +# Use the keywork local to advertize the local P-t-P address as DNS server +ipv4-dns = 192.168.1.1 + +# The NBNS server (if any) +#ipv4-nbns = 192.168.2.3 + +#ipv6-address = +#ipv6-mask = +#ipv6-dns = + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Leave empty to assign the default MTU of the device +# mtu = + +route = 192.168.1.0/255.255.255.0 +#route = 192.168.5.0/255.255.255.0 + +# +# The following options are for (experimental) AnyConnect client +# compatibility. 
They are only available if the server is built +# with --enable-anyconnect +# + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# The profile is ignored by the openconnect client. +#user-profile = profile.xml + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie. Legacy CISCO clients do not do that, and thus this option +# should be set for them. +cisco-client-compat = true + diff --git a/tests/user-group-cert.pem b/tests/user-group-cert.pem new file mode 100644 index 00000000..8aef7b69 --- /dev/null +++ b/tests/user-group-cert.pem 
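Review bot: This config authenticates against `plain[./test-group.passwd]`, but no file of that name is created by this commit or listed in EXTRA_DIST (the Makefile context shows `test-group-pass.passwd`), so unless test-group.passwd already exists in the tree the plain backend will fail for every connection and test-pass-group-cert cannot pass from a distributed tarball. If the intended file is the existing one, the line should read `auth = "plain[./test-group-pass.passwd]"`; otherwise add test-group.passwd to EXTRA_DIST alongside the other fixtures. The path is also cwd-relative rather than under $srcdir, which matters for the same VPATH reason as the scripts.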
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3DCCApSgAwIBAgIMU3tU9RhMf+MbW2mxMA0GCSqGSIb3DQEBCwUAMA0xCzAJ +BgNVBAMTAkNBMCIYDzIwMTQwNTIwMTMxMzI1WhgPOTk5OTEyMzEyMzU5NTlaMIGe +MRQwEgYKCZImiZPyLGQBARMEdGVzdDEPMA0GA1UECxMGZ3JvdXAxMQ8wDQYDVQQL +EwZncm91cDIxDzANBgNVBAsTBmdyb3VwMzEPMA0GA1UECxMGZ3JvdXA0MQ8wDQYD +VQQKEwZncm91cDExDzANBgNVBAoTBmdyb3VwMjEPMA0GA1UEChMGZ3JvdXAzMQ8w +DQYDVQQKEwZncm91cDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe +qsNOIRSzgtjESfw/Pgo+S97fPvLw5T5EcMjXQBbmhxj5aMSvgIhRlzP7B+e/P0o6 +IB9Rc33Clh9kV5bD2O1h+bGcusInzieL8SjHDysw10bj6fzX7Xt716Z7qExMKhxV +8I3YBW/0bIKUTyhckAAntEZgenBF5BZPZuZ81ml+dynH6GKvXX6EI0C6HTH+AoUt +CIORFjPvXrpCAApjepQMsZGdE+5ao/shBuAG/IVb61Nr9wNKJA538U2Eo2dhTjga +EZK7XUBqLA0nHziyhBsLR3zz9LX+XqXXQjIqsvayKoIVO08owUYs2mub9YW7Bxhv +zv6+G4QMDFt/O6tMsr/DAgMBAAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAww +CgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU1O0/KEuSG0y1 +V8HL6oo44ui9WCowHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgwDQYJ +KoZIhvcNAQELBQADggExADYzV03MSZgmg2EfTb/kv+AUtqM/+ue2JnBwiDaxqNxG ++tfJgf6pxKS2t4U9PT8PvfIq/QGlBtC+Kc7iTxCRy4LE53+VSe4tU3LOmeCRXQKr +jULyVU73+ls6xDUXGYGFs3IrzdCvu7wUO7T2sflKMfsKlDqd6iBM9fccbyh+WiFr +/EVfEVw37CYcH7cDXMpW8RRR+Tfxnn1dYymSDSSgH4aNgAHX91kGXYF2ow0pq3zq +GwDhvjCoqIVoFpFjF6hPSQOVNE6mW6SX7R+G+aWrmqDFdOiYH4I+gf8itCxRKShD +yBrEYJAUlAmoBCRGcim0vB/RdUxud1EHQdYCJoTyMB5HbIdNlr7PktKfvd1RWW+Y +8y26fO+DTJ4y5VZNT2cLWNcrrXeEASq/TYfxCuKoUnk= +-----END CERTIFICATE----- diff --git a/tests/user-group-key.pem b/tests/user-group-key.pem new file mode 100644 index 00000000..978bd2f0 --- /dev/null +++ b/tests/user-group-key.pem 
@@ -0,0 +1,144 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Legacy (2048 bits) + +modulus: + 00:de:aa:c3:4e:21:14:b3:82:d8:c4:49:fc:3f:3e: + 0a:3e:4b:de:df:3e:f2:f0:e5:3e:44:70:c8:d7:40: + 16:e6:87:18:f9:68:c4:af:80:88:51:97:33:fb:07: + e7:bf:3f:4a:3a:20:1f:51:73:7d:c2:96:1f:64:57: + 96:c3:d8:ed:61:f9:b1:9c:ba:c2:27:ce:27:8b:f1: + 28:c7:0f:2b:30:d7:46:e3:e9:fc:d7:ed:7b:7b:d7: + a6:7b:a8:4c:4c:2a:1c:55:f0:8d:d8:05:6f:f4:6c: + 82:94:4f:28:5c:90:00:27:b4:46:60:7a:70:45:e4: + 16:4f:66:e6:7c:d6:69:7e:77:29:c7:e8:62:af:5d: + 7e:84:23:40:ba:1d:31:fe:02:85:2d:08:83:91:16: + 33:ef:5e:ba:42:00:0a:63:7a:94:0c:b1:91:9d:13: + ee:5a:a3:fb:21:06:e0:06:fc:85:5b:eb:53:6b:f7: + 03:4a:24:0e:77:f1:4d:84:a3:67:61:4e:38:1a:11: + 92:bb:5d:40:6a:2c:0d:27:1f:38:b2:84:1b:0b:47: + 7c:f3:f4:b5:fe:5e:a5:d7:42:32:2a:b2:f6:b2:2a: + 82:15:3b:4f:28:c1:46:2c:da:6b:9b:f5:85:bb:07: + 18:6f:ce:fe:be:1b:84:0c:0c:5b:7f:3b:ab:4c:b2: + bf:c3: + +public exponent: + 01:00:01: + +private exponent: + 00:83:a8:d6:e8:b8:98:c3:f8:07:72:31:09:0c:e0: + 03:30:88:ae:14:b4:e4:f3:59:a9:72:d0:79:81:05: + 2d:45:4b:f6:91:6a:c8:79:b9:77:61:3f:15:86:46: + 4b:5a:82:f2:c1:e1:c2:82:e7:d6:21:9b:a0:9e:35: + 48:39:2f:68:55:79:4d:f3:0d:5e:c6:28:98:ab:9f: + 81:ec:09:e5:10:f1:09:c2:b3:d5:44:5b:f0:9a:ee: + 8d:4b:2a:dd:4a:5f:cf:f7:64:d0:8a:3d:d4:cf:e2: + e5:67:0a:53:24:40:25:47:54:ca:14:3b:f1:6c:f2: + 0b:db:11:4e:11:dc:b9:ee:03:2f:04:5b:2f:b6:a2: + 27:72:83:1a:d5:a7:a8:4f:1b:b8:73:fe:73:ce:a5: + cc:a9:15:5f:b7:ab:2f:50:86:89:5d:1e:a4:be:ed: + 00:89:fb:fa:9b:f3:d4:ce:5f:37:b3:91:56:70:16: + cf:2e:75:20:23:c2:ad:9d:22:69:bf:fc:c0:08:08: + a5:57:d7:31:07:7d:47:81:3e:0a:af:91:8d:2e:f7: + 5b:8b:58:2b:eb:50:d8:b0:ba:a3:cb:2d:76:0d:99: + c6:0a:e8:98:83:e3:7c:a6:c6:6b:12:ff:ba:b8:b1: + 15:5e:33:f4:78:bd:d5:6f:d8:c4:b2:ae:8e:49:51: + db:59: + +prime1: + 00:e1:18:84:de:1d:2a:70:dc:23:eb:d4:6a:54:79: + 5a:8f:4e:56:c7:76:55:ee:60:d9:fb:23:72:6d:9b: + bd:d8:76:0d:e0:18:d4:25:6f:0c:11:99:77:6b:d7: + 
d8:27:1d:d2:9d:15:c4:ee:df:37:dd:fd:c8:fc:e5: + 16:f5:2e:b9:1e:27:2a:4d:f6:fe:8b:c0:e2:20:ad: + 20:79:8c:8b:bd:c7:f1:eb:5d:e3:d9:2b:5c:b8:27: + cc:0c:3c:74:ef:9e:07:d0:6c:fc:8b:34:83:8e:70: + de:5a:6e:60:4d:8d:da:79:7d:34:9e:5a:61:d8:68: + 03:92:a8:d7:c2:ca:71:15:8d: + +prime2: + 00:fd:3c:e1:77:55:52:cb:c6:25:12:2e:98:83:59: + c1:34:b7:a3:79:1f:6c:9e:f5:d5:7d:66:58:22:7a: + e4:da:7b:4f:27:5b:0d:d6:9a:1b:ad:5c:27:78:fa: + 9d:88:90:56:7e:81:13:4a:ee:51:cb:ef:db:2f:23: + 21:e1:84:73:65:5f:ca:4d:df:b9:17:fd:23:e7:95: + 9e:74:38:f2:cd:af:6f:94:b3:20:f7:8b:1e:99:84: + 7f:aa:13:c8:bb:4a:7e:3f:05:40:33:eb:b4:ac:67: + 1e:b1:0d:cd:26:6a:7e:be:40:c0:d2:14:3c:8a:2b: + 39:51:38:9e:0c:e2:42:0e:8f: + +coefficient: + 00:bb:09:3f:e0:20:32:d6:ec:d0:c0:3c:7f:f7:d8: + 14:74:ec:8d:a0:95:05:bd:98:a8:4a:f2:fd:01:d2: + 2a:80:0b:bb:3e:cd:18:ad:f5:5a:af:d6:14:24:72: + 01:99:05:38:1e:c1:c2:37:ae:61:c6:72:dc:4b:f7: + d6:65:e3:0d:47:ac:51:89:6b:2a:14:d5:88:82:6f: + 83:1e:1b:50:be:33:cc:43:d0:dd:e0:9c:a4:4c:30: + e7:02:f3:36:39:1a:51:a5:dc:db:33:4e:5b:9e:e9: + 34:51:c0:70:76:f0:16:9f:d9:7f:42:9a:61:d1:68: + 9b:7c:b9:09:d0:ad:ac:d2:5c: + +exp1: + 00:c9:39:9d:15:de:e6:e0:eb:bb:65:08:88:61:a9: + f6:ce:23:8f:2a:52:dc:70:f4:be:09:67:5f:d5:22: + a4:2d:8d:23:cc:51:05:dd:cd:0e:f1:f0:ca:b4:6a: + c9:bd:f6:48:20:cb:a4:38:92:ee:23:92:cb:89:60: + d7:0c:2a:4f:ac:e8:00:46:a0:66:5f:d2:f7:93:94: + 91:72:77:b5:38:dc:34:a5:5f:52:e0:02:86:a9:ce: + 51:f8:22:57:bb:1a:00:0c:50:51:d7:b4:03:63:63: + fd:32:c4:77:6c:fd:41:f0:d7:80:21:8b:d4:ea:9b: + d9:8d:d3:48:c6:c7:29:1e:c5: + +exp2: + 73:c8:3e:1d:dd:78:f9:8a:22:b0:e9:74:f9:b9:33: + c8:f2:9d:5f:67:aa:b6:13:18:05:39:a1:da:41:ee: + 18:a6:80:4e:32:27:65:93:18:4c:6e:f1:ed:32:48: + 8c:83:d1:c8:0d:23:d1:02:9d:8b:6c:a2:fe:2e:45: + f3:62:27:90:95:f7:5d:1b:88:f9:1a:d8:2b:ae:10: + c0:7a:b9:28:a9:a9:8e:87:47:ef:66:40:1b:58:a5: + 36:11:cd:99:34:39:fc:7e:5e:18:5f:10:40:32:f5: + a9:65:f2:02:3a:76:b0:6d:d2:bb:3a:5d:63:9e:d7: + 99:f7:14:ec:37:16:94:a9: + + +Public Key ID: 
D4:ED:3F:28:4B:92:1B:4C:B5:57:C1:CB:EA:8A:38:E2:E8:BD:58:2A +Public key's random art: ++--[ RSA 2048]----+ +| .. | +| . . .. | +| . o .... | +| . . o .o | +| S . o. | +| o . ..o | +| . = o.. o | +|E *. .. * o. . | +| o=.+o..o o. | ++-----------------+ + +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA3qrDTiEUs4LYxEn8Pz4KPkve3z7y8OU+RHDI10AW5ocY+WjE +r4CIUZcz+wfnvz9KOiAfUXN9wpYfZFeWw9jtYfmxnLrCJ84ni/Eoxw8rMNdG4+n8 +1+17e9eme6hMTCocVfCN2AVv9GyClE8oXJAAJ7RGYHpwReQWT2bmfNZpfncpx+hi +r11+hCNAuh0x/gKFLQiDkRYz7166QgAKY3qUDLGRnRPuWqP7IQbgBvyFW+tTa/cD +SiQOd/FNhKNnYU44GhGSu11AaiwNJx84soQbC0d88/S1/l6l10IyKrL2siqCFTtP +KMFGLNprm/WFuwcYb87+vhuEDAxbfzurTLK/wwIDAQABAoIBAQCDqNbouJjD+Ady +MQkM4AMwiK4UtOTzWaly0HmBBS1FS/aRash5uXdhPxWGRktagvLB4cKC59Yhm6Ce +NUg5L2hVeU3zDV7GKJirn4HsCeUQ8QnCs9VEW/Ca7o1LKt1KX8/3ZNCKPdTP4uVn +ClMkQCVHVMoUO/Fs8gvbEU4R3LnuAy8EWy+2oidygxrVp6hPG7hz/nPOpcypFV+3 +qy9QholdHqS+7QCJ+/qb89TOXzezkVZwFs8udSAjwq2dImm//MAICKVX1zEHfUeB +PgqvkY0u91uLWCvrUNiwuqPLLXYNmcYK6JiD43ymxmsS/7q4sRVeM/R4vdVv2MSy +ro5JUdtZAoGBAOEYhN4dKnDcI+vUalR5Wo9OVsd2Ve5g2fsjcm2bvdh2DeAY1CVv +DBGZd2vX2Ccd0p0VxO7fN939yPzlFvUuuR4nKk32/ovA4iCtIHmMi73H8etd49kr +XLgnzAw8dO+eB9Bs/Is0g45w3lpuYE2N2nl9NJ5aYdhoA5Ko18LKcRWNAoGBAP08 +4XdVUsvGJRIumINZwTS3o3kfbJ711X1mWCJ65Np7TydbDdaaG61cJ3j6nYiQVn6B +E0ruUcvv2y8jIeGEc2Vfyk3fuRf9I+eVnnQ48s2vb5SzIPeLHpmEf6oTyLtKfj8F +QDPrtKxnHrENzSZqfr5AwNIUPIorOVE4ngziQg6PAoGBAMk5nRXe5uDru2UIiGGp +9s4jjypS3HD0vglnX9UipC2NI8xRBd3NDvHwyrRqyb32SCDLpDiS7iOSy4lg1wwq +T6zoAEagZl/S95OUkXJ3tTjcNKVfUuAChqnOUfgiV7saAAxQUde0A2Nj/TLEd2z9 +QfDXgCGL1Oqb2Y3TSMbHKR7FAoGAc8g+Hd14+YoisOl0+bkzyPKdX2eqthMYBTmh +2kHuGKaATjInZZMYTG7x7TJIjIPRyA0j0QKdi2yi/i5F82InkJX3XRuI+RrYK64Q +wHq5KKmpjodH72ZAG1ilNhHNmTQ5/H5eGF8QQDL1qWXyAjp2sG3SuzpdY57XmfcU +7DcWlKkCgYEAuwk/4CAy1uzQwDx/99gUdOyNoJUFvZioSvL9AdIqgAu7Ps0YrfVa +r9YUJHIBmQU4HsHCN65hxnLcS/fWZeMNR6xRiWsqFNWIgm+DHhtQvjPMQ9Dd4Jyk +TDDnAvM2ORpRpdzbM05bnuk0UcBwdvAWn9l/Qpph0WibfLkJ0K2s0lw= +-----END RSA PRIVATE KEY-----