/** 
 * @file llsechandler_basic_test.cpp
 * @author Roxie
 * @date 2009-02-10
 * @brief Test the 'basic' sec handler functions
 *
 * $LicenseInfo:firstyear=2005&license=viewerlgpl$
 * Second Life Viewer Source Code
 * Copyright (C) 2010, Linden Research, Inc.
 * 
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation;
 * version 2.1 of the License only.
 * 
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 * 
 * Linden Research, Inc., 945 Battery Street, San Francisco, CA  94111  USA
 * $/LicenseInfo$
 */
#include "../llviewerprecompiledheaders.h"
#include "../test/lltut.h"
#include "../llsecapi.h"
#include "../llsechandler_basic.h"
#include "../../llxml/llcontrol.h"
#include "../llviewernetwork.h"
#include "lluuid.h"
#include "lldate.h"
#include "llxorcipher.h"
#include "apr_base64.h"
#include <vector>
#include <ios>
#include <llsdserialize.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include "llxorcipher.h"
#include <openssl/ossl_typ.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/asn1.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "../llmachineid.h"

#define ensure_throws(str, exc_type, cert, func, ...) \
try \
{ \
func(__VA_ARGS__); \
fail("throws, " str); \
} \
catch(exc_type& except) \
{ \
LLSD cert_data; \
cert->getLLSD(cert_data); \
ensure("Exception cert is incorrect for " str, valueCompareLLSD(except.getCertData(), cert_data)); \
}

extern bool _cert_hostname_wildcard_match(const std::string& hostname, const std::string& wildcard_string);

//----------------------------------------------------------------------------               
// Mock objects for the dependencies of the code we're testing                               

std::string gFirstName;
std::string gLastName;
LLControlGroup::LLControlGroup(const std::string& name)
: LLInstanceTracker<LLControlGroup, std::string>(name) {}
LLControlGroup::~LLControlGroup() {}
LLControlVariable* LLControlGroup::declareString(const std::string& name,
                                   const std::string& initial_val,
                                   const std::string& comment,
                                   LLControlVariable::ePersist persist) {return NULL;}
void LLControlGroup::setString(const std::string& name, const std::string& val){}
std::string LLControlGroup::getString(const std::string& name)
{

	if (name == "FirstName")
		return gFirstName;
	else if (name == "LastName")
		return gLastName;
	return "";
}

// Stub for --no-verify-ssl-cert
BOOL LLControlGroup::getBOOL(const std::string& name) { return FALSE; }

LLSD LLCredential::getLoginParams()
{
	LLSD result = LLSD::emptyMap();
	
	// legacy credential
	result["passwd"] = "$1$testpasssd";
	result["first"] = "myfirst";
	result["last"] ="mylast";
	return result;
}

void LLCredential::identifierType(std::string &idType)
{
}

void LLCredential::authenticatorType(std::string &idType)
{
}


LLControlGroup gSavedSettings("test");
unsigned char gMACAddress[MAC_ADDRESS_BYTES] = {77,21,46,31,89,2};


S32 LLMachineID::getUniqueID(unsigned char *unique_id, size_t len)
{
	memcpy(unique_id, gMACAddress, len);
	return 1;
}
S32 LLMachineID::getLegacyID(unsigned char *unique_id, size_t len)
{
    return 0;
}
S32 LLMachineID::init() { return 1; }
	

LLCertException::LLCertException(const LLSD& cert_data, const std::string& msg)
    : LLException(msg),
    mCertData(cert_data)
{
    LL_WARNS("SECAPI") << "Certificate Error: " << msg << LL_ENDL;
}


// -------------------------------------------------------------------------------------------
// TUT
// -------------------------------------------------------------------------------------------
namespace tut
{
    const std::string mPemTestCert(
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        "        Serial Number:\n"
        "            04:00:00:00:00:01:15:4b:5a:c3:94\n"
        "    Signature Algorithm: sha1WithRSAEncryption\n"
        "        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA\n"
        "        Validity\n"
        "            Not Before: Sep  1 12:00:00 1998 GMT\n"
        "            Not After : Jan 28 12:00:00 2028 GMT\n"
        "        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                Public-Key: (2048 bit)\n"
        "                Modulus:\n"
        "                    00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:\n"
        "                    83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:\n"
        "                    63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:\n"
        "                    8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:\n"
        "                    70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:\n"
        "                    15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:\n"
        "                    6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:\n"
        "                    89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:\n"
        "                    54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:\n"
        "                    92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:\n"
        "                    75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:\n"
        "                    c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:\n"
        "                    bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:\n"
        "                    ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:\n"
        "                    63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:\n"
        "                    48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:\n"
        "                    07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:\n"
        "                    90:cf\n"
        "                Exponent: 65537 (0x10001)\n"
        "        X509v3 extensions:\n"
        "            X509v3 Key Usage: critical\n"
        "                Certificate Sign, CRL Sign\n"
        "            X509v3 Basic Constraints: critical\n"
        "                CA:TRUE\n"
        "            X509v3 Subject Key Identifier: \n"
        "                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B\n"
        "    Signature Algorithm: sha1WithRSAEncryption\n"
        "         d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:\n"
        "         7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:\n"
        "         08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:\n"
        "         f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:\n"
        "         56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:\n"
        "         94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:\n"
        "         8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:\n"
        "         64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:\n"
        "         2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:\n"
        "         c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:\n"
        "         5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:\n"
        "         e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:\n"
        "         e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:\n"
        "         a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:\n"
        "         29:26:69:e0\n"
        "-----BEGIN CERTIFICATE-----\n"
        "MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG\n"
        "A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\n"
        "b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw\n"
        "MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\n"
        "YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT\n"
        "aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ\n"
        "jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp\n"
        "xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp\n"
        "1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG\n"
        "snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ\n"
        "U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8\n"
        "9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E\n"
        "BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B\n"
        "AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz\n"
        "yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE\n"
        "38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP\n"
        "AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad\n"
        "DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME\n"
        "HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n"
        "-----END CERTIFICATE-----\n"
                                   );

    /*
     * The following certificates were generated using the instructions at
     * https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html
     * with the exception that the server certificate has a longer expiration time, and the full text
     * expansion was included in the certificates.
     */
    const std::string mPemRootCert(
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        "        Serial Number:\n"
        "            82:2f:8f:eb:8d:06:24:b0\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "        Issuer: C=US, ST=California, L=San Francisco, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Root CA/emailAddress=noreply@lindenlab.com\n"
        "        Validity\n"
        "            Not Before: May 22 22:19:45 2018 GMT\n"
        "            Not After : May 17 22:19:45 2038 GMT\n"
        "        Subject: C=US, ST=California, L=San Francisco, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Root CA/emailAddress=noreply@lindenlab.com\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                Public-Key: (4096 bit)\n"
        "                Modulus:\n"
        "                    00:bd:e0:79:dd:3b:a6:ac:87:d0:39:f0:58:c7:a4:\n"
        "                    42:42:f6:5f:93:b0:36:04:b5:e2:d5:f7:2a:c0:6c:\n"
        "                    a0:13:d2:1e:02:81:57:02:50:4c:57:b7:ef:27:9e:\n"
        "                    f6:f1:f1:30:30:72:1e:57:34:e5:3f:82:3c:21:c4:\n"
        "                    66:d2:73:63:6c:91:e6:dd:49:9e:9c:b1:34:6a:81:\n"
        "                    45:a1:6e:c4:50:28:f2:d8:e3:fe:80:2f:83:aa:28:\n"
        "                    91:b4:8c:57:c9:f1:16:d9:0c:87:3c:25:80:a0:81:\n"
        "                    8d:71:f2:96:e2:16:f1:97:c4:b0:d8:53:bb:13:6c:\n"
        "                    73:54:2f:29:94:85:cf:86:6e:75:71:ad:39:e3:fc:\n"
        "                    39:12:53:93:1c:ce:39:e0:33:da:49:b7:3d:af:b0:\n"
        "                    37:ce:77:09:03:27:32:70:c0:9c:7f:9c:89:ce:90:\n"
        "                    45:b0:7d:94:8b:ff:13:27:ba:88:7f:ae:c4:aa:73:\n"
        "                    d5:47:b8:87:69:89:80:0c:c1:22:18:78:c2:0d:47:\n"
        "                    d9:10:ff:80:79:0d:46:71:ec:d9:ba:c9:f3:77:fd:\n"
        "                    92:6d:1f:0f:d9:54:18:6d:f6:72:24:5c:5c:3d:43:\n"
        "                    49:35:3e:1c:28:de:7e:44:dc:29:c3:9f:62:04:46:\n"
        "                    aa:c4:e6:69:6a:15:f8:e3:74:1c:14:e9:f4:97:7c:\n"
        "                    30:6c:d4:28:fc:2a:0e:1d:6d:39:2e:1d:f9:17:43:\n"
        "                    35:5d:23:e7:ba:e3:a8:e9:97:6b:3c:3e:23:ef:d8:\n"
        "                    bc:fb:7a:57:37:39:93:59:03:fc:78:ca:b1:31:ef:\n"
        "                    26:19:ed:56:e1:63:c3:ad:99:80:5b:47:b5:03:35:\n"
        "                    5f:fe:6a:a6:21:63:ec:50:fb:4e:c9:f9:ae:a5:66:\n"
        "                    d0:55:33:8d:e6:c5:50:5a:c6:8f:5c:34:45:a7:72:\n"
        "                    da:50:f6:66:4c:19:f5:d1:e4:fb:11:8b:a1:b5:4e:\n"
        "                    09:43:81:3d:39:28:86:3b:fe:07:28:97:02:b5:3a:\n"
        "                    07:5f:4a:20:80:1a:7d:a4:8c:f7:6c:f6:c5:9b:f6:\n"
        "                    61:e5:c7:b0:c3:d5:58:38:7b:bb:47:1e:34:d6:16:\n"
        "                    55:c5:d2:6c:b0:93:77:b1:90:69:06:b1:53:cb:1b:\n"
        "                    84:71:cf:b8:87:1b:1e:44:35:b4:2b:bb:04:59:58:\n"
        "                    0b:e8:93:d8:ae:21:9b:b1:1c:89:30:ae:11:80:77:\n"
        "                    cc:16:f3:d6:35:ed:a1:b3:70:b3:4f:cd:a1:56:99:\n"
        "                    ee:0e:c0:00:a4:09:70:c3:5b:0b:be:a1:07:18:dd:\n"
        "                    c6:f4:6d:8b:58:bc:f9:bb:4b:01:2c:f6:cc:2c:9b:\n"
        "                    87:0e:b1:4f:9c:10:be:fc:45:e2:a4:ec:7e:fc:ff:\n"
        "                    45:b8:53\n"
        "                Exponent: 65537 (0x10001)\n"
        "        X509v3 extensions:\n"
        "            X509v3 Subject Key Identifier: \n"
        "                8A:22:C6:9C:2E:11:F3:40:0C:CE:82:0C:22:59:FF:F8:7F:D0:B9:13\n"
        "            X509v3 Authority Key Identifier: \n"
        "                keyid:8A:22:C6:9C:2E:11:F3:40:0C:CE:82:0C:22:59:FF:F8:7F:D0:B9:13\n"
        "\n"
        "            X509v3 Basic Constraints: critical\n"
        "                CA:TRUE\n"
        "            X509v3 Key Usage: critical\n"
        "                Digital Signature, Certificate Sign, CRL Sign\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "         b3:cb:33:eb:0e:02:64:f4:55:9a:3d:03:9a:cf:6a:4c:18:43:\n"
        "         f7:42:cb:65:dc:61:52:e5:9f:2f:42:97:3c:93:16:22:d4:af:\n"
        "         ae:b2:0f:c3:9b:ef:e0:cc:ee:b6:b1:69:a3:d8:da:26:c3:ad:\n"
        "         3b:c5:64:dc:9f:d4:c2:53:4b:91:6d:c4:92:09:0b:ac:f0:99:\n"
        "         be:6f:b9:3c:03:4a:6d:9f:01:5d:ec:5a:9a:f3:a7:e5:3b:2c:\n"
        "         99:57:7d:7e:25:15:68:20:12:30:96:16:86:f5:db:74:90:60:\n"
        "         fe:8b:df:99:f6:f7:62:49:9f:bc:8d:45:23:0a:c8:73:b8:79:\n"
        "         80:3c:b9:e5:72:85:4b:b3:81:66:74:a2:72:92:4c:44:fd:7b:\n"
        "         46:2e:21:a2:a9:81:a2:f3:26:4d:e3:89:7d:78:b0:c6:6f:b5:\n"
        "         87:cb:ee:25:ed:27:1f:75:13:fa:6d:e9:37:73:ad:07:bb:af:\n"
        "         d3:6c:87:ea:02:01:70:bd:53:aa:ce:39:2c:d4:66:39:33:aa:\n"
        "         d1:9c:ee:67:e3:a9:45:d2:7b:2e:54:09:af:70:5f:3f:5a:67:\n"
        "         2e:6c:72:ef:e0:9d:92:28:4a:df:ba:0b:b7:23:ca:5b:04:11:\n"
        "         45:d1:51:e9:ea:c9:ec:54:fa:34:46:ae:fc:dc:6c:f8:1e:2c:\n"
        "         9e:f4:71:51:8d:b5:a1:26:9a:13:30:be:1e:41:25:59:58:05:\n"
        "         2c:64:c8:f9:5e:38:ae:dc:93:b0:8a:d6:38:74:02:cb:ce:ce:\n"
        "         95:31:76:f6:7c:bf:a4:a1:8e:27:fd:ca:74:82:d1:e1:4d:b6:\n"
        "         48:51:fa:c5:17:59:22:a3:84:be:82:c8:83:ec:61:a0:f4:ee:\n"
        "         2c:e3:a3:ea:e5:51:c9:d3:4f:db:85:bd:ba:7a:52:14:b6:03:\n"
        "         ed:43:17:d8:d7:1c:22:5e:c9:56:d9:d6:81:96:11:e3:5e:01:\n"
        "         40:91:30:09:da:a3:5f:d3:27:60:e5:9d:6c:da:d0:f0:39:01:\n"
        "         23:4a:a6:15:7a:4a:82:eb:ec:72:4a:1d:36:dc:6f:83:c4:85:\n"
        "         84:b5:8d:cd:09:e5:12:63:f3:21:56:c8:64:6b:db:b8:cf:d4:\n"
        "         df:ca:a8:24:8e:df:8d:63:a5:96:84:bf:ff:8b:7e:46:7a:f0:\n"
        "         c7:73:7c:70:8a:f5:17:d0:ac:c8:89:1e:d7:89:42:0f:4d:66:\n"
        "         c4:d8:bb:36:a8:ae:ca:e1:cf:e2:88:f6:cf:b0:44:4a:5f:81:\n"
        "         50:4b:d6:28:81:cd:6c:f0:ec:e6:09:08:f2:59:91:a2:69:ac:\n"
        "         c7:81:fa:ab:61:3e:db:6f:f6:7f:db:1a:9e:b9:5d:cc:cc:33:\n"
        "         fa:95:c6:f7:8d:4b:30:f3\n"
        "-----BEGIN CERTIFICATE-----\n"
        "MIIGXDCCBESgAwIBAgIJAIIvj+uNBiSwMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD\n"
        "VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j\n"
        "aXNjbzETMBEGA1UECgwKTGluZGVuIExhYjEgMB4GA1UECwwXU2Vjb25kIExpZmUg\n"
        "RW5naW5lZXJpbmcxITAfBgNVBAMMGEludGVncmF0aW9uIFRlc3QgUm9vdCBDQTEk\n"
        "MCIGCSqGSIb3DQEJARYVbm9yZXBseUBsaW5kZW5sYWIuY29tMB4XDTE4MDUyMjIy\n"
        "MTk0NVoXDTM4MDUxNzIyMTk0NVowgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD\n"
        "YWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApMaW5k\n"
        "ZW4gTGFiMSAwHgYDVQQLDBdTZWNvbmQgTGlmZSBFbmdpbmVlcmluZzEhMB8GA1UE\n"
        "AwwYSW50ZWdyYXRpb24gVGVzdCBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVub3Jl\n"
        "cGx5QGxpbmRlbmxhYi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n"
        "AQC94HndO6ash9A58FjHpEJC9l+TsDYEteLV9yrAbKAT0h4CgVcCUExXt+8nnvbx\n"
        "8TAwch5XNOU/gjwhxGbSc2NskebdSZ6csTRqgUWhbsRQKPLY4/6AL4OqKJG0jFfJ\n"
        "8RbZDIc8JYCggY1x8pbiFvGXxLDYU7sTbHNULymUhc+GbnVxrTnj/DkSU5Mczjng\n"
        "M9pJtz2vsDfOdwkDJzJwwJx/nInOkEWwfZSL/xMnuoh/rsSqc9VHuIdpiYAMwSIY\n"
        "eMINR9kQ/4B5DUZx7Nm6yfN3/ZJtHw/ZVBht9nIkXFw9Q0k1Phwo3n5E3CnDn2IE\n"
        "RqrE5mlqFfjjdBwU6fSXfDBs1Cj8Kg4dbTkuHfkXQzVdI+e646jpl2s8PiPv2Lz7\n"
        "elc3OZNZA/x4yrEx7yYZ7VbhY8OtmYBbR7UDNV/+aqYhY+xQ+07J+a6lZtBVM43m\n"
        "xVBaxo9cNEWnctpQ9mZMGfXR5PsRi6G1TglDgT05KIY7/gcolwK1OgdfSiCAGn2k\n"
        "jPds9sWb9mHlx7DD1Vg4e7tHHjTWFlXF0mywk3exkGkGsVPLG4Rxz7iHGx5ENbQr\n"
        "uwRZWAvok9iuIZuxHIkwrhGAd8wW89Y17aGzcLNPzaFWme4OwACkCXDDWwu+oQcY\n"
        "3cb0bYtYvPm7SwEs9swsm4cOsU+cEL78ReKk7H78/0W4UwIDAQABo2MwYTAdBgNV\n"
        "HQ4EFgQUiiLGnC4R80AMzoIMIln/+H/QuRMwHwYDVR0jBBgwFoAUiiLGnC4R80AM\n"
        "zoIMIln/+H/QuRMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJ\n"
        "KoZIhvcNAQELBQADggIBALPLM+sOAmT0VZo9A5rPakwYQ/dCy2XcYVLlny9ClzyT\n"
        "FiLUr66yD8Ob7+DM7raxaaPY2ibDrTvFZNyf1MJTS5FtxJIJC6zwmb5vuTwDSm2f\n"
        "AV3sWprzp+U7LJlXfX4lFWggEjCWFob123SQYP6L35n292JJn7yNRSMKyHO4eYA8\n"
        "ueVyhUuzgWZ0onKSTET9e0YuIaKpgaLzJk3jiX14sMZvtYfL7iXtJx91E/pt6Tdz\n"
        "rQe7r9Nsh+oCAXC9U6rOOSzUZjkzqtGc7mfjqUXSey5UCa9wXz9aZy5scu/gnZIo\n"
        "St+6C7cjylsEEUXRUenqyexU+jRGrvzcbPgeLJ70cVGNtaEmmhMwvh5BJVlYBSxk\n"
        "yPleOK7ck7CK1jh0AsvOzpUxdvZ8v6Shjif9ynSC0eFNtkhR+sUXWSKjhL6CyIPs\n"
        "YaD07izjo+rlUcnTT9uFvbp6UhS2A+1DF9jXHCJeyVbZ1oGWEeNeAUCRMAnao1/T\n"
        "J2DlnWza0PA5ASNKphV6SoLr7HJKHTbcb4PEhYS1jc0J5RJj8yFWyGRr27jP1N/K\n"
        "qCSO341jpZaEv/+LfkZ68MdzfHCK9RfQrMiJHteJQg9NZsTYuzaorsrhz+KI9s+w\n"
        "REpfgVBL1iiBzWzw7OYJCPJZkaJprMeB+qthPttv9n/bGp65XczMM/qVxveNSzDz\n"
        "-----END CERTIFICATE-----\n"
                                   );            

    const std::string mPemIntermediateCert(
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        "        Serial Number: 4096 (0x1000)\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "        Issuer: C=US, ST=California, L=San Francisco, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Root CA/emailAddress=noreply@lindenlab.com\n"
        "        Validity\n"
        "            Not Before: May 22 22:39:08 2018 GMT\n"
        "            Not After : May 19 22:39:08 2028 GMT\n"
        "        Subject: C=US, ST=California, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Intermediate CA/emailAddress=noreply@lindenlab.com\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                Public-Key: (4096 bit)\n"
        "                Modulus:\n"
        "                    00:ce:a3:70:e2:c4:fb:4b:97:90:a1:30:bb:c1:1b:\n"
        "                    13:b9:aa:7e:46:17:a3:26:8d:69:3f:5e:73:95:e8:\n"
        "                    6a:b1:0a:b4:8f:50:65:e3:c6:5c:39:24:34:df:0b:\n"
        "                    b7:cc:ce:62:0c:36:5a:12:2c:fe:35:4c:e9:1c:ac:\n"
        "                    80:5e:24:99:d7:aa:bd:be:48:c0:62:64:77:36:88:\n"
        "                    66:ce:f4:a8:dd:d2:76:24:62:90:55:41:fc:1d:13:\n"
        "                    4e:a7:4e:57:bc:a8:a4:59:4b:2c:5a:1c:d8:cc:16:\n"
        "                    de:e8:88:30:c9:95:df:2f:a6:14:28:0f:eb:34:46:\n"
        "                    12:58:ba:da:0e:e6:de:9c:15:f6:f4:e3:9f:74:aa:\n"
        "                    70:89:79:8b:e9:5a:7b:18:54:15:94:3a:23:0a:65:\n"
        "                    78:05:d9:33:90:2a:ce:15:18:0d:52:fc:5c:31:65:\n"
        "                    20:d0:12:37:8c:11:80:ba:d4:b0:82:73:00:4b:49:\n"
        "                    be:cb:d6:bc:e7:cd:61:f3:00:98:99:74:5a:37:81:\n"
        "                    49:96:7e:14:01:1b:86:d2:d0:06:94:40:63:63:46:\n"
        "                    11:fc:33:5c:bd:3a:5e:d4:e5:44:47:64:50:bd:a6:\n"
        "                    97:55:70:64:9b:26:cc:de:20:82:90:6a:83:41:9c:\n"
        "                    6f:71:47:14:be:cb:68:7c:85:be:ef:2e:76:12:19:\n"
        "                    d3:c9:87:32:b4:ac:60:20:16:28:2d:af:bc:e8:01:\n"
        "                    c6:7f:fb:d8:11:d5:f4:b7:14:bd:27:08:5b:72:be:\n"
        "                    09:e0:91:c8:9c:7b:b4:b3:12:ef:32:36:be:b1:b9:\n"
        "                    a2:b7:e3:69:47:30:76:ba:9c:9b:19:99:4d:53:dd:\n"
        "                    5c:e8:2c:f1:b2:64:69:cf:15:bd:f8:bb:58:95:73:\n"
        "                    58:38:95:b4:7a:cf:84:29:a6:c2:db:f0:bd:ef:97:\n"
        "                    26:d4:99:ac:d7:c7:be:b0:0d:11:f4:26:86:2d:77:\n"
        "                    42:52:25:d7:56:c7:e3:97:b1:36:5c:97:71:d0:9b:\n"
        "                    f5:b5:50:8d:f9:ff:fb:10:77:3c:b5:53:6d:a1:43:\n"
        "                    35:a9:03:32:05:ab:d7:f5:d1:19:bd:5f:92:a3:00:\n"
        "                    2a:79:37:a4:76:4f:e9:32:0d:e4:86:bb:ea:c3:1a:\n"
        "                    c5:33:e8:16:d4:a5:d8:e0:e8:bb:c2:f0:22:15:e2:\n"
        "                    d9:8c:ae:ac:7d:2b:bf:eb:a3:4c:3b:29:1d:94:ac:\n"
        "                    a3:bb:6d:ba:6d:03:91:03:cf:46:12:c4:66:21:c5:\n"
        "                    c6:67:d8:11:19:79:01:0e:6e:84:1c:76:6f:11:3d:\n"
        "                    eb:94:89:c5:6a:26:1f:cd:e0:11:8b:51:ee:99:35:\n"
        "                    69:e5:7f:0b:77:2a:94:e4:4b:64:b9:83:04:30:05:\n"
        "                    e4:a2:e3\n"
        "                Exponent: 65537 (0x10001)\n"
        "        X509v3 extensions:\n"
        "            X509v3 Subject Key Identifier: \n"
        "                83:21:DE:EC:C0:79:03:6D:1E:83:F3:E5:97:29:D5:5A:C0:96:40:FA\n"
        "            X509v3 Authority Key Identifier: \n"
        "                keyid:8A:22:C6:9C:2E:11:F3:40:0C:CE:82:0C:22:59:FF:F8:7F:D0:B9:13\n"
        "\n"
        "            X509v3 Basic Constraints: critical\n"
        "                CA:TRUE, pathlen:0\n"
        "            X509v3 Key Usage: critical\n"
        "                Digital Signature, Certificate Sign, CRL Sign\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "         a3:6c:85:9a:2e:4e:7e:5d:83:63:0f:f5:4f:a9:7d:ec:0e:6f:\n"
        "         ae:d7:ba:df:64:e0:46:0e:3d:da:18:15:2c:f3:73:ca:81:b1:\n"
        "         10:d9:53:14:21:7d:72:5c:94:88:a5:9d:ad:ab:45:42:c6:64:\n"
        "         a9:d9:2e:4e:29:47:2c:b1:95:07:b7:62:48:68:1f:68:13:1c:\n"
        "         d2:a0:fb:5e:38:24:4a:82:0a:87:c9:93:20:43:7e:e9:f9:79:\n"
        "         ef:03:a2:bd:9e:24:6b:0a:01:5e:4a:36:c5:7d:7a:fe:d6:aa:\n"
        "         2f:c2:8c:38:8a:99:3c:b0:6a:e5:60:be:56:d6:eb:60:03:55:\n"
        "         24:42:a0:1a:fa:91:24:a3:53:15:75:5d:c8:eb:7c:1e:68:5a:\n"
        "         7e:13:34:e3:85:37:1c:76:3f:77:67:1b:ed:1b:52:17:fc:4a:\n"
        "         a3:e2:74:84:80:2c:69:fc:dd:7d:26:97:c4:2a:69:7d:9c:dc:\n"
        "         61:97:70:29:a7:3f:2b:5b:2b:22:51:fd:fe:6a:5d:f9:e7:14:\n"
        "         48:b7:2d:c8:33:58:fc:f2:5f:27:f7:26:16:be:be:b5:aa:a2:\n"
        "         64:53:3c:69:e8:b5:61:eb:ab:91:a5:b4:09:9b:f6:98:b8:5c:\n"
        "         5b:24:2f:93:f5:2b:9c:8c:58:fb:26:3f:67:53:d7:42:64:e8:\n"
        "         79:77:73:41:4e:e3:02:39:0b:b6:68:97:8b:84:e8:1d:83:a8:\n"
        "         15:f1:06:46:47:80:42:5e:14:e2:61:8a:76:84:d5:d4:71:7f:\n"
        "         4e:ff:d9:74:87:ff:32:c5:87:20:0a:d4:59:40:3e:d8:17:ef:\n"
        "         da:65:e9:0a:51:fe:1e:c3:46:91:d2:ee:e4:23:57:97:87:d4:\n"
        "         a6:a5:eb:ef:81:6a:d8:8c:d6:1f:8e:b1:18:4c:6b:89:32:55:\n"
        "         53:68:26:9e:bb:03:be:2c:e9:8b:ff:97:9c:1c:ac:28:c3:9f:\n"
        "         0b:b7:93:23:24:31:63:e4:19:13:f2:bb:08:71:b7:c5:c5:c4:\n"
        "         10:ff:dc:fc:33:54:a4:5e:ec:a3:fe:0a:80:ca:9c:bc:95:6f:\n"
        "         5f:39:91:3b:61:69:16:94:0f:57:4b:fc:4b:b1:be:72:98:5d:\n"
        "         10:f9:08:a7:d6:e0:e8:3d:5d:54:7d:fa:4b:6a:dd:98:41:ed:\n"
        "         84:a1:39:67:5c:6c:7f:0c:b0:e1:98:c1:14:ed:fe:1e:e8:05:\n"
        "         8d:7f:6a:24:cb:1b:05:42:0d:7f:13:ba:ca:b5:91:db:a5:f0:\n"
        "         40:2b:70:7a:2a:a5:5d:ed:56:0c:f0:c2:72:ee:63:dd:cb:5d:\n"
        "         76:f6:08:e6:e6:30:ef:3a:b2:16:34:41:a4:e1:30:14:bc:c7:\n"
        "         f9:23:3a:1a:70:df:b8:cc\n"
        "-----BEGIN CERTIFICATE-----\n"
        "MIIGSDCCBDCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgboxCzAJBgNVBAYTAlVT\n"
        "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw\n"
        "EQYDVQQKDApMaW5kZW4gTGFiMSAwHgYDVQQLDBdTZWNvbmQgTGlmZSBFbmdpbmVl\n"
        "cmluZzEhMB8GA1UEAwwYSW50ZWdyYXRpb24gVGVzdCBSb290IENBMSQwIgYJKoZI\n"
        "hvcNAQkBFhVub3JlcGx5QGxpbmRlbmxhYi5jb20wHhcNMTgwNTIyMjIzOTA4WhcN\n"
        "MjgwNTE5MjIzOTA4WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju\n"
        "aWExEzARBgNVBAoMCkxpbmRlbiBMYWIxIDAeBgNVBAsMF1NlY29uZCBMaWZlIEVu\n"
        "Z2luZWVyaW5nMSkwJwYDVQQDDCBJbnRlZ3JhdGlvbiBUZXN0IEludGVybWVkaWF0\n"
        "ZSBDQTEkMCIGCSqGSIb3DQEJARYVbm9yZXBseUBsaW5kZW5sYWIuY29tMIICIjAN\n"
        "BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzqNw4sT7S5eQoTC7wRsTuap+Rhej\n"
        "Jo1pP15zlehqsQq0j1Bl48ZcOSQ03wu3zM5iDDZaEiz+NUzpHKyAXiSZ16q9vkjA\n"
        "YmR3NohmzvSo3dJ2JGKQVUH8HRNOp05XvKikWUssWhzYzBbe6IgwyZXfL6YUKA/r\n"
        "NEYSWLraDubenBX29OOfdKpwiXmL6Vp7GFQVlDojCmV4BdkzkCrOFRgNUvxcMWUg\n"
        "0BI3jBGAutSwgnMAS0m+y9a8581h8wCYmXRaN4FJln4UARuG0tAGlEBjY0YR/DNc\n"
        "vTpe1OVER2RQvaaXVXBkmybM3iCCkGqDQZxvcUcUvstofIW+7y52EhnTyYcytKxg\n"
        "IBYoLa+86AHGf/vYEdX0txS9Jwhbcr4J4JHInHu0sxLvMja+sbmit+NpRzB2upyb\n"
        "GZlNU91c6CzxsmRpzxW9+LtYlXNYOJW0es+EKabC2/C975cm1Jms18e+sA0R9CaG\n"
        "LXdCUiXXVsfjl7E2XJdx0Jv1tVCN+f/7EHc8tVNtoUM1qQMyBavX9dEZvV+SowAq\n"
        "eTekdk/pMg3khrvqwxrFM+gW1KXY4Oi7wvAiFeLZjK6sfSu/66NMOykdlKyju226\n"
        "bQORA89GEsRmIcXGZ9gRGXkBDm6EHHZvET3rlInFaiYfzeARi1HumTVp5X8LdyqU\n"
        "5EtkuYMEMAXkouMCAwEAAaNmMGQwHQYDVR0OBBYEFIMh3uzAeQNtHoPz5Zcp1VrA\n"
        "lkD6MB8GA1UdIwQYMBaAFIoixpwuEfNADM6CDCJZ//h/0LkTMBIGA1UdEwEB/wQI\n"
        "MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQCjbIWa\n"
        "Lk5+XYNjD/VPqX3sDm+u17rfZOBGDj3aGBUs83PKgbEQ2VMUIX1yXJSIpZ2tq0VC\n"
        "xmSp2S5OKUcssZUHt2JIaB9oExzSoPteOCRKggqHyZMgQ37p+XnvA6K9niRrCgFe\n"
        "SjbFfXr+1qovwow4ipk8sGrlYL5W1utgA1UkQqAa+pEko1MVdV3I63weaFp+EzTj\n"
        "hTccdj93ZxvtG1IX/Eqj4nSEgCxp/N19JpfEKml9nNxhl3Appz8rWysiUf3+al35\n"
        "5xRIty3IM1j88l8n9yYWvr61qqJkUzxp6LVh66uRpbQJm/aYuFxbJC+T9SucjFj7\n"
        "Jj9nU9dCZOh5d3NBTuMCOQu2aJeLhOgdg6gV8QZGR4BCXhTiYYp2hNXUcX9O/9l0\n"
        "h/8yxYcgCtRZQD7YF+/aZekKUf4ew0aR0u7kI1eXh9SmpevvgWrYjNYfjrEYTGuJ\n"
        "MlVTaCaeuwO+LOmL/5ecHKwow58Lt5MjJDFj5BkT8rsIcbfFxcQQ/9z8M1SkXuyj\n"
        "/gqAypy8lW9fOZE7YWkWlA9XS/xLsb5ymF0Q+Qin1uDoPV1UffpLat2YQe2EoTln\n"
        "XGx/DLDhmMEU7f4e6AWNf2okyxsFQg1/E7rKtZHbpfBAK3B6KqVd7VYM8MJy7mPd\n"
        "y1129gjm5jDvOrIWNEGk4TAUvMf5IzoacN+4zA==\n"
        "-----END CERTIFICATE-----\n"
                                           );

    const std::string mPemChildCert(
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        "        Serial Number: 4096 (0x1000)\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "        Issuer: C=US, ST=California, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Intermediate CA/emailAddress=noreply@lindenlab.com\n"
        "        Validity\n"
        "            Not Before: May 22 22:58:15 2018 GMT\n"
        "            Not After : Jul 19 22:58:15 2024 GMT\n"
        "        Subject: C=US, ST=California, L=San Francisco, O=Linden Lab, OU=Second Life Engineering, CN=Integration Test Server Cert/emailAddress=noreply@lindenlab.com\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        "                Public-Key: (2048 bit)\n"
        "                Modulus:\n"
        "                    00:bf:a1:1c:76:82:4a:10:1d:25:0e:02:e2:7a:64:\n"
        "                    54:c7:94:c5:c0:98:d5:35:f3:cb:cb:30:ba:31:9c:\n"
        "                    bd:4c:2f:4a:4e:24:03:4b:87:5c:c1:5c:fe:d9:89:\n"
        "                    3b:cb:01:bc:eb:a5:b7:78:dc:b3:58:e5:78:a7:15:\n"
        "                    34:50:30:aa:16:3a:b2:94:17:6d:1e:7f:b2:70:1e:\n"
        "                    96:41:bb:1d:e3:22:80:fa:dc:00:6a:fb:34:3e:67:\n"
        "                    e7:c2:21:2f:1b:d3:af:04:49:91:eb:bb:60:e0:26:\n"
        "                    52:75:28:8a:08:5b:91:56:4e:51:50:40:51:70:af:\n"
        "                    cb:80:66:c8:59:e9:e2:48:a8:62:d0:26:67:80:0a:\n"
        "                    12:16:d1:f6:15:9e:1f:f5:92:37:f3:c9:2f:03:9e:\n"
        "                    22:f6:60:5a:76:45:8c:01:2c:99:54:72:19:db:b7:\n"
        "                    72:e6:5a:69:f3:e9:31:65:5d:0f:c7:5c:9c:17:29:\n"
        "                    71:14:7f:db:47:c9:1e:65:a2:41:b0:2f:14:17:ec:\n"
        "                    4b:25:f2:43:8f:b4:a3:8d:37:1a:07:34:b3:29:bb:\n"
        "                    8a:44:8e:84:08:a2:1b:76:7a:cb:c2:39:2f:6e:e3:\n"
        "                    fc:d6:91:b5:1f:ce:58:91:57:70:35:6e:25:a9:48:\n"
        "                    0e:07:cf:4e:dd:16:42:65:cf:8a:42:b3:27:e6:fe:\n"
        "                    6a:e3\n"
        "                Exponent: 65537 (0x10001)\n"
        "        X509v3 extensions:\n"
        "            X509v3 Basic Constraints: \n"
        "                CA:FALSE\n"
        "            Netscape Cert Type: \n"
        "                SSL Server\n"
        "            Netscape Comment: \n"
        "                OpenSSL Generated Server Certificate\n"
        "            X509v3 Subject Key Identifier: \n"
        "                BB:59:9F:DE:6B:51:A7:6C:B3:6D:5B:8B:42:F7:B1:65:77:17:A4:E4\n"
        "            X509v3 Authority Key Identifier: \n"
        "                keyid:83:21:DE:EC:C0:79:03:6D:1E:83:F3:E5:97:29:D5:5A:C0:96:40:FA\n"
        "                DirName:/C=US/ST=California/L=San Francisco/O=Linden Lab/OU=Second Life Engineering/CN=Integration Test Root CA/emailAddress=noreply@lindenlab.com\n"
        "                serial:10:00\n"
        "\n"
        "            X509v3 Key Usage: critical\n"
        "                Digital Signature, Key Encipherment\n"
        "            X509v3 Extended Key Usage: \n"
        "                TLS Web Server Authentication\n"
        "    Signature Algorithm: sha256WithRSAEncryption\n"
        "         18:a6:58:55:9b:d4:af:7d:8a:27:d3:28:3a:4c:4b:42:4e:f0:\n"
        "         30:d6:d9:95:11:48:12:0a:96:40:d9:2b:21:39:c5:d4:8d:e5:\n"
        "         10:bc:68:78:69:0b:9f:15:4a:0b:f1:ab:99:45:0c:20:5f:27:\n"
        "         df:e7:14:2d:4a:30:f2:c2:8d:37:73:36:1a:27:55:5a:08:5f:\n"
        "         71:a1:5e:05:83:b2:59:fe:02:5e:d7:4a:30:15:23:58:04:cf:\n"
        "         48:cc:b0:71:88:9c:6b:57:f0:04:0a:d3:a0:64:6b:ee:f3:5f:\n"
        "         ea:ac:e1:2b:b9:7f:79:b8:db:ce:72:48:72:db:c8:5c:38:72:\n"
        "         31:55:d0:ff:6b:bd:73:23:a7:30:18:5d:ed:47:18:0a:67:8e:\n"
        "         53:32:0e:99:9b:96:72:45:7f:c6:00:2c:5d:1a:97:53:75:3a:\n"
        "         0b:49:3d:3a:00:37:14:67:0c:28:97:34:87:aa:c5:32:e4:ae:\n"
        "         34:83:12:4a:10:f7:0e:74:d4:5f:73:bd:ef:0c:b7:d8:0a:7d:\n"
        "         8e:8d:5a:48:bd:f4:8e:7b:f9:4a:15:3b:61:c9:5e:40:59:6e:\n"
        "         c7:a8:a4:02:28:72:c5:54:8c:77:f4:55:a7:86:c0:38:a0:68:\n"
        "         19:da:0f:72:5a:a9:7e:69:9f:9c:3a:d6:66:aa:e1:f4:fd:f9:\n"
        "         b8:4b:6c:71:9e:f0:38:02:c7:6a:9e:dc:e6:fb:ef:23:59:4f:\n"
        "         5c:84:0a:df:ea:86:1f:fd:0e:5c:fa:c4:e5:50:1c:10:cf:89:\n"
        "         4e:08:0e:4c:4b:61:1a:49:12:f7:e9:4b:17:71:43:7b:6d:b6:\n"
        "         b5:9f:d4:3b:c7:88:53:48:63:b6:00:80:8f:49:0a:c5:7e:58:\n"
        "         ac:78:d8:b9:06:b0:bc:86:e2:2e:48:5b:c3:24:fa:aa:72:d8:\n"
        "         ec:f6:c7:91:9f:0f:c8:b5:fd:2b:b2:a7:bc:2f:40:20:2b:47:\n"
        "         e0:d1:1d:94:52:6f:6b:be:12:b6:8c:dc:11:db:71:e6:19:ef:\n"
        "         a8:71:8b:ad:d3:32:c0:1c:a4:3f:b3:0f:af:e5:50:e1:ff:41:\n"
        "         a4:b7:6f:57:71:af:fd:16:4c:e8:24:b3:99:1b:cf:12:8f:43:\n"
        "         05:80:ba:18:19:0a:a5:ec:49:81:41:4c:7e:28:b2:21:f2:59:\n"
        "         6e:4a:ed:de:f9:fa:99:85:60:1f:e6:c2:42:5c:08:00:3c:84:\n"
        "         06:a9:24:d4:cf:7b:6e:1b:59:1d:f4:70:16:03:a1:e0:0b:00:\n"
        "         95:5c:39:03:fc:9d:1c:8e:f7:59:0c:61:47:f6:7f:07:22:48:\n"
        "         83:40:ac:e1:98:5f:c7:be:05:d5:29:2b:bf:0d:03:0e:e9:5e:\n"
        "         2b:dd:09:18:fe:5e:30:61\n"
        "-----BEGIN CERTIFICATE-----\n"
        "MIIGbjCCBFagAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgaoxCzAJBgNVBAYTAlVT\n"
        "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApMaW5kZW4gTGFiMSAwHgYD\n"
        "VQQLDBdTZWNvbmQgTGlmZSBFbmdpbmVlcmluZzEpMCcGA1UEAwwgSW50ZWdyYXRp\n"
        "b24gVGVzdCBJbnRlcm1lZGlhdGUgQ0ExJDAiBgkqhkiG9w0BCQEWFW5vcmVwbHlA\n"
        "bGluZGVubGFiLmNvbTAeFw0xODA1MjIyMjU4MTVaFw0yNDA3MTkyMjU4MTVaMIG+\n"
        "MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu\n"
        "IEZyYW5jaXNjbzETMBEGA1UECgwKTGluZGVuIExhYjEgMB4GA1UECwwXU2Vjb25k\n"
        "IExpZmUgRW5naW5lZXJpbmcxJTAjBgNVBAMMHEludGVncmF0aW9uIFRlc3QgU2Vy\n"
        "dmVyIENlcnQxJDAiBgkqhkiG9w0BCQEWFW5vcmVwbHlAbGluZGVubGFiLmNvbTCC\n"
        "ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+hHHaCShAdJQ4C4npkVMeU\n"
        "xcCY1TXzy8swujGcvUwvSk4kA0uHXMFc/tmJO8sBvOult3jcs1jleKcVNFAwqhY6\n"
        "spQXbR5/snAelkG7HeMigPrcAGr7ND5n58IhLxvTrwRJkeu7YOAmUnUoighbkVZO\n"
        "UVBAUXCvy4BmyFnp4kioYtAmZ4AKEhbR9hWeH/WSN/PJLwOeIvZgWnZFjAEsmVRy\n"
        "Gdu3cuZaafPpMWVdD8dcnBcpcRR/20fJHmWiQbAvFBfsSyXyQ4+0o403Ggc0sym7\n"
        "ikSOhAiiG3Z6y8I5L27j/NaRtR/OWJFXcDVuJalIDgfPTt0WQmXPikKzJ+b+auMC\n"
        "AwEAAaOCAYYwggGCMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG\n"
        "SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw\n"
        "HQYDVR0OBBYEFLtZn95rUadss21bi0L3sWV3F6TkMIHoBgNVHSMEgeAwgd2AFIMh\n"
        "3uzAeQNtHoPz5Zcp1VrAlkD6oYHApIG9MIG6MQswCQYDVQQGEwJVUzETMBEGA1UE\n"
        "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n"
        "TGluZGVuIExhYjEgMB4GA1UECwwXU2Vjb25kIExpZmUgRW5naW5lZXJpbmcxITAf\n"
        "BgNVBAMMGEludGVncmF0aW9uIFRlc3QgUm9vdCBDQTEkMCIGCSqGSIb3DQEJARYV\n"
        "bm9yZXBseUBsaW5kZW5sYWIuY29tggIQADAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\n"
        "BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBABimWFWb1K99iifTKDpM\n"
        "S0JO8DDW2ZURSBIKlkDZKyE5xdSN5RC8aHhpC58VSgvxq5lFDCBfJ9/nFC1KMPLC\n"
        "jTdzNhonVVoIX3GhXgWDsln+Al7XSjAVI1gEz0jMsHGInGtX8AQK06Bka+7zX+qs\n"
        "4Su5f3m4285ySHLbyFw4cjFV0P9rvXMjpzAYXe1HGApnjlMyDpmblnJFf8YALF0a\n"
        "l1N1OgtJPToANxRnDCiXNIeqxTLkrjSDEkoQ9w501F9zve8Mt9gKfY6NWki99I57\n"
        "+UoVO2HJXkBZbseopAIocsVUjHf0VaeGwDigaBnaD3JaqX5pn5w61maq4fT9+bhL\n"
        "bHGe8DgCx2qe3Ob77yNZT1yECt/qhh/9Dlz6xOVQHBDPiU4IDkxLYRpJEvfpSxdx\n"
        "Q3tttrWf1DvHiFNIY7YAgI9JCsV+WKx42LkGsLyG4i5IW8Mk+qpy2Oz2x5GfD8i1\n"
        "/Suyp7wvQCArR+DRHZRSb2u+EraM3BHbceYZ76hxi63TMsAcpD+zD6/lUOH/QaS3\n"
        "b1dxr/0WTOgks5kbzxKPQwWAuhgZCqXsSYFBTH4osiHyWW5K7d75+pmFYB/mwkJc\n"
        "CAA8hAapJNTPe24bWR30cBYDoeALAJVcOQP8nRyO91kMYUf2fwciSINArOGYX8e+\n"
        "BdUpK78NAw7pXivdCRj+XjBh\n"
        "-----END CERTIFICATE-----\n"
                                    );
        
	// Test wrapper declaration : wrapping nothing for the moment
	struct sechandler_basic_test
	{
		X509 *mX509TestCert, *mX509RootCert, *mX509IntermediateCert, *mX509ChildCert;
        LLSD mValidationDate;
        
		sechandler_basic_test()
		{
            LLMachineID::init();
			OpenSSL_add_all_algorithms();
			OpenSSL_add_all_ciphers();
			OpenSSL_add_all_digests();	
			ERR_load_crypto_strings();
			gFirstName = "";
			gLastName = "";
            mValidationDate[CERT_VALIDATION_DATE] = LLDate("2017-04-11T00:00:00.00Z");
			LLFile::remove("test_password.dat");
			LLFile::remove("sechandler_settings.tmp");			

			mX509TestCert = NULL;
			mX509RootCert = NULL;
			mX509IntermediateCert = NULL;
			mX509ChildCert = NULL;

            // Read each of the 4 Pem certs and store in mX509*Cert pointers
			BIO * validation_bio;
            validation_bio = BIO_new_mem_buf((void*)mPemTestCert.c_str(), mPemTestCert.length());			
			PEM_read_bio_X509(validation_bio, &mX509TestCert, 0, NULL);
			BIO_free(validation_bio);

			validation_bio = BIO_new_mem_buf((void*)mPemRootCert.c_str(), mPemRootCert.length());
			PEM_read_bio_X509(validation_bio, &mX509RootCert, 0, NULL);
			BIO_free(validation_bio);

			validation_bio = BIO_new_mem_buf((void*)mPemIntermediateCert.c_str(), mPemIntermediateCert.length());
			PEM_read_bio_X509(validation_bio, &mX509IntermediateCert, 0, NULL);
			BIO_free(validation_bio);	

			validation_bio = BIO_new_mem_buf((void*)mPemChildCert.c_str(), mPemChildCert.length());
			PEM_read_bio_X509(validation_bio, &mX509ChildCert, 0, NULL);
			BIO_free(validation_bio);				
		}
		~sechandler_basic_test()
		{
			LLFile::remove("test_password.dat");
			LLFile::remove("sechandler_settings.tmp");
			LLFile::remove("mycertstore.pem");
			X509_free(mX509TestCert);
			X509_free(mX509RootCert);
			X509_free(mX509IntermediateCert);
			X509_free(mX509ChildCert);
		}
	};
	
	// Tut templating thingamagic: test group, object and test instance
	typedef test_group<sechandler_basic_test> sechandler_basic_test_factory;
	typedef sechandler_basic_test_factory::object sechandler_basic_test_object;
	tut::sechandler_basic_test_factory tut_test("LLSecHandler");
	
	// ---------------------------------------------------------------------------------------
	// Test functions 
	// ---------------------------------------------------------------------------------------
	// test cert data retrieval
	template<> template<>
	void sechandler_basic_test_object::test<1>()
	{
        try
        {
            LLPointer<LLBasicCertificate> test_cert(new LLBasicCertificate(mPemTestCert, &mValidationDate));
            LL_INFOS() << "ok" << LL_ENDL;
        }
        catch (LLCertException& cert_exception)
        {
            LL_INFOS() << "cert ex: " << cert_exception.getCertData() << LL_ENDL;
            fail("cert exception");
        }
        catch (...)
        {
            LOG_UNHANDLED_EXCEPTION("test 1");
            fail("other exception");
        }
    }
    
    template<> template<>
    void sechandler_basic_test_object::test<2>()
    {
		LLPointer<LLCertificate> test_cert(new LLBasicCertificate(mPemChildCert, &mValidationDate));
    
		LLSD llsd_cert;
		test_cert->getLLSD(llsd_cert);
		//std::ostringstream llsd_value;
		//llsd_value << LLSDOStreamer<LLSDNotationFormatter>(llsd_cert) << std::endl;
		LL_DEBUGS() << "test 1 cert " << llsd_cert << LL_ENDL;
        
		ensure_equals("Issuer Name/commonName", (std::string)llsd_cert["issuer_name"]["commonName"], "Integration Test Intermediate CA");
		ensure_equals("Issuer Name/countryName", (std::string)llsd_cert["issuer_name"]["countryName"], "US");
		ensure_equals("Issuer Name/state", (std::string)llsd_cert["issuer_name"]["stateOrProvinceName"], "California");
		ensure_equals("Issuer Name/org name", (std::string)llsd_cert["issuer_name"]["organizationName"], "Linden Lab");
		ensure_equals("Issuer Name/org unit", (std::string)llsd_cert["issuer_name"]["organizationalUnitName"], "Second Life Engineering");
		ensure_equals("Issuer name string", (std::string)llsd_cert["issuer_name_string"],
                      "emailAddress=noreply@lindenlab.com,CN=Integration Test Intermediate CA,OU=Second Life Engineering,O=Linden Lab,ST=California,C=US");
		ensure_equals("subject Name/commonName", (std::string)llsd_cert["subject_name"]["commonName"],
                      "Integration Test Server Cert");
		ensure_equals("subject Name/countryName", (std::string)llsd_cert["subject_name"]["countryName"], "US");
		ensure_equals("subject Name/state", (std::string)llsd_cert["subject_name"]["stateOrProvinceName"], "California");
		ensure_equals("subject Name/localityName", (std::string)llsd_cert["subject_name"]["localityName"], "San Francisco");
		ensure_equals("subject Name/org name", (std::string)llsd_cert["subject_name"]["organizationName"], "Linden Lab");
		ensure_equals("subjectName/org unit", 
			   (std::string)llsd_cert["subject_name"]["organizationalUnitName"], "Second Life Engineering");

		ensure_equals("subject name string", 
			   (std::string)llsd_cert["subject_name_string"],
                      "emailAddress=noreply@lindenlab.com,CN=Integration Test Server Cert,OU=Second Life Engineering,O=Linden Lab,L=San Francisco,ST=California,C=US");
		ensure_equals("serial number", (std::string)llsd_cert["serial_number"], "1000");
		ensure_equals("valid from", (std::string)llsd_cert["valid_from"], "2018-05-22T22:58:15Z");
		ensure_equals("valid to", (std::string)llsd_cert["valid_to"], "2024-07-19T22:58:15Z");
		LLSD expectedKeyUsage = LLSD::emptyArray();
		expectedKeyUsage.append(LLSD((std::string)"digitalSignature"));
		expectedKeyUsage.append(LLSD((std::string)"keyEncipherment"));
		ensure("key usage", valueCompareLLSD(llsd_cert["keyUsage"], expectedKeyUsage));
		ensure_equals("basic constraints", llsd_cert["basicConstraints"]["CA"].asInteger(), 0);
		
		ensure("x509 is equal", !X509_cmp(mX509ChildCert, test_cert->getOpenSSLX509()));
	}

	
	// test protected data
	template<> template<>
	void sechandler_basic_test_object::test<3>()
	{
		std::string protected_data = "sUSh3wj77NG9oAMyt3XIhaej3KLZhLZWFZvI6rIGmwUUOmmelrRg0NI9rkOj8ZDpTPxpwToaBT5u"
		"GQhakdaGLJznr9bHr4/6HIC1bouKj4n2rs4TL6j2WSjto114QdlNfLsE8cbbE+ghww58g8SeyLQO"
		"nyzXoz+/PBz0HD5SMFDuObccoPW24gmqYySz8YoEWhSwO0pUtEEqOjVRsAJgF5wLAtJZDeuilGsq"
		"4ZT9Y4wZ9Rh8nnF3fDUL6IGamHe1ClXM1jgBu10F6UMhZbnH4C3aJ2E9+LiOntU+l3iCb2MpkEpr"
		"82r2ZAMwIrpnirL/xoYoyz7MJQYwUuMvBPToZJrxNSsjI+S2Z+I3iEJAELMAAA==";
		
		std::vector<U8> binary_data(apr_base64_decode_len(protected_data.c_str()));
		apr_base64_decode_binary(&binary_data[0], protected_data.c_str());

		LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES);
		cipher.decrypt(&binary_data[0], 16);
		unsigned char unique_id[MAC_ADDRESS_BYTES];
        LLMachineID::getUniqueID(unique_id, sizeof(unique_id));
		LLXORCipher cipher2(unique_id, sizeof(unique_id));
		cipher2.encrypt(&binary_data[0], 16);
		std::ofstream temp_file("sechandler_settings.tmp", std::ofstream::binary);
		temp_file.write((const char *)&binary_data[0], binary_data.size());
		temp_file.close();

		LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp",
																		   "test_password.dat");
		handler->init();																		
		// data retrieval for existing data
		LLSD data = handler->getProtectedData("test_data_type", "test_data_id");


		ensure_equals("retrieve existing data1", (std::string)data["data1"], "test_data_1");
		ensure_equals("retrieve existing data2", (std::string)data["data2"], "test_data_2");
		ensure_equals("retrieve existing data3", (std::string)data["data3"]["elem1"], "test element1");
		
		// data storage
		LLSD store_data = LLSD::emptyMap();
		store_data["store_data1"] = "test_store_data1";
		store_data["store_data2"] = 27;
		store_data["store_data3"] = LLSD::emptyMap();
		store_data["store_data3"]["subelem1"] = "test_subelem1";
		
		handler->setProtectedData("test_data_type", "test_data_id1", store_data);
		data = handler->getProtectedData("test_data_type", "test_data_id");
		
		data = handler->getProtectedData("test_data_type", "test_data_id");
		// verify no overwrite of existing data
		ensure_equals("verify no overwrite 1", (std::string)data["data1"], "test_data_1");
		ensure_equals("verify no overwrite 2", (std::string)data["data2"], "test_data_2");
		ensure_equals("verify no overwrite 3", (std::string)data["data3"]["elem1"], "test element1");
		
		// verify written data is good
		data = handler->getProtectedData("test_data_type", "test_data_id1");
		ensure_equals("verify stored data1", (std::string)data["store_data1"], "test_store_data1");
		ensure_equals("verify stored data2", (int)data["store_data2"], 27);
		ensure_equals("verify stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1");
		
		// verify overwrite works
		handler->setProtectedData("test_data_type", "test_data_id", store_data);	
		data = handler->getProtectedData("test_data_type", "test_data_id");
		ensure_equals("verify overwrite stored data1", (std::string)data["store_data1"], "test_store_data1");
		ensure_equals("verify overwrite stored data2", (int)data["store_data2"], 27);
		ensure_equals("verify overwrite stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1");
		
		// verify other datatype doesn't conflict
		store_data["store_data3"] = "test_store_data3";
		store_data["store_data4"] = 28;
		store_data["store_data5"] = LLSD::emptyMap();
		store_data["store_data5"]["subelem2"] = "test_subelem2";
		
		handler->setProtectedData("test_data_type1", "test_data_id", store_data);	
		data = handler->getProtectedData("test_data_type1", "test_data_id");
		ensure_equals("verify datatype stored data3", (std::string)data["store_data3"], "test_store_data3");
		ensure_equals("verify datatype stored data4", (int)data["store_data4"], 28);
		ensure_equals("verify datatype stored data5", (std::string)data["store_data5"]["subelem2"], "test_subelem2");	
		
		// test data not found

		data = handler->getProtectedData("test_data_type1", "test_data_not_found");
		ensure("not found", data.isUndefined());

		// cause a 'write' by using 'LLPointer' to delete then instantiate a handler
		handler = NULL;
		handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat");
		handler->init();

		data = handler->getProtectedData("test_data_type1", "test_data_id");
		ensure_equals("verify datatype stored data3a", (std::string)data["store_data3"], "test_store_data3");
		ensure_equals("verify datatype stored data4a", (int)data["store_data4"], 28);
		ensure_equals("verify datatype stored data5a", (std::string)data["store_data5"]["subelem2"], "test_subelem2");	
		
		// rewrite the initial file to verify reloads
		handler = NULL;
		std::ofstream temp_file2("sechandler_settings.tmp", std::ofstream::binary);
		temp_file2.write((const char *)&binary_data[0], binary_data.size());
		temp_file2.close();
		
		// cause a 'write'
		handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat");
		handler->init();		
		data = handler->getProtectedData("test_data_type1", "test_data_id");
		ensure("not found", data.isUndefined());
		
		handler->deleteProtectedData("test_data_type", "test_data_id");
		ensure("Deleted data not found", handler->getProtectedData("test_data_type", "test_data_id").isUndefined());
		
		LLFile::remove("sechandler_settings.tmp");
		handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat");
		handler->init();		
		data = handler->getProtectedData("test_data_type1", "test_data_id");
		ensure("not found", data.isUndefined());
		handler = NULL;
		
		ensure(LLFile::isfile("sechandler_settings.tmp"));
	}
	
	// test credenitals
	template<> template<>
	void sechandler_basic_test_object::test<4>()
	{
		LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat");
		handler->init();

		LLSD my_id = LLSD::emptyMap();
		LLSD my_authenticator = LLSD::emptyMap();
		my_id["type"] = "test_type";
		my_id["username"] = "testuser@lindenlab.com";
		my_authenticator["type"] = "test_auth";
		my_authenticator["creds"] = "12345";

		// test creation of credentials		
		LLPointer<LLCredential> my_cred = handler->createCredential("my_grid", my_id, my_authenticator);

		// test retrieval of credential components
		ensure_equals("basic credential creation: identifier", my_id, my_cred->getIdentifier());
		ensure_equals("basic credential creation: authenticator", my_authenticator, my_cred->getAuthenticator());
		ensure_equals("basic credential creation: grid", "my_grid", my_cred->getGrid());
		
		// test setting/overwriting of credential components
		my_id["first_name"] = "firstname";
		my_id.erase("username");
		my_authenticator.erase("creds");
		my_authenticator["hash"] = "6563245";
		
		my_cred->setCredentialData(my_id, my_authenticator);
		ensure_equals("set credential data: identifier", my_id, my_cred->getIdentifier());
		ensure_equals("set credential data: authenticator", my_authenticator, my_cred->getAuthenticator());
		ensure_equals("set credential data: grid", "my_grid", my_cred->getGrid());		
			
		// test loading of a credential, that hasn't been saved, without
		// any legacy saved credential data
		LLPointer<LLCredential> my_new_cred = handler->loadCredential("my_grid2");
		ensure("unknown credential load test", my_new_cred->getIdentifier().isMap());
		ensure("unknown credential load test", !my_new_cred->getIdentifier().has("type"));		
		ensure("unknown credential load test", my_new_cred->getAuthenticator().isMap());
		ensure("unknown credential load test", !my_new_cred->getAuthenticator().has("type"));	
		// test saving of a credential
		handler->saveCredential(my_cred, true);

		// test loading of a known credential
		my_new_cred = handler->loadCredential("my_grid");
		ensure_equals("load a known credential: identifier", my_id, my_new_cred->getIdentifier());
		ensure_equals("load a known credential: authenticator",my_authenticator, my_new_cred->getAuthenticator());
		ensure_equals("load a known credential: grid", "my_grid", my_cred->getGrid());
	
		// test deletion of a credential
		handler->deleteCredential(my_new_cred);

		ensure("delete credential: identifier", my_new_cred->getIdentifier().isUndefined());
		ensure("delete credentialt: authenticator", my_new_cred->getIdentifier().isUndefined());
		ensure_equals("delete credential: grid", "my_grid", my_cred->getGrid());		
		// load unknown cred
		
		my_new_cred = handler->loadCredential("my_grid");
		ensure("deleted credential load test", my_new_cred->getIdentifier().isMap());
		ensure("deleted credential load test", !my_new_cred->getIdentifier().has("type"));		
		ensure("deleted credential load test", my_new_cred->getAuthenticator().isMap());
		ensure("deleted credential load test", !my_new_cred->getAuthenticator().has("type"));
		
		// test loading of an unknown credential with legacy saved username, but without
		// saved password
		gFirstName = "myfirstname";
		gLastName = "mylastname";
		my_new_cred = handler->loadCredential("my_legacy_grid");
		ensure_equals("legacy credential with no password: type", 
					  (const std::string)my_new_cred->getIdentifier()["type"], "agent");
		ensure_equals("legacy credential with no password: first_name", 
					  (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname");
		ensure_equals("legacy credential with no password: last_name",
					  (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname");
		
		ensure("legacy credential with no password: no authenticator", my_new_cred->getAuthenticator().isUndefined());
		
		// test loading of an unknown credential with legacy saved password and username

		std::string hashed_password = "fSQcLG03eyIWJmkzfyYaKm81dSweLmsxeSAYKGE7fSQ=";		
		int length = apr_base64_decode_len(hashed_password.c_str());
		std::vector<char> decoded_password(length);
		apr_base64_decode(&decoded_password[0], hashed_password.c_str());
		LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES);
		cipher.decrypt((U8*)&decoded_password[0], length);
		unsigned char unique_id[MAC_ADDRESS_BYTES];
		LLMachineID::getUniqueID(unique_id, sizeof(unique_id));
		LLXORCipher cipher2(unique_id, sizeof(unique_id));
		cipher2.encrypt((U8*)&decoded_password[0], length);
		llofstream password_file("test_password.dat", std::ofstream::binary);
		password_file.write(&decoded_password[0], length); 
		password_file.close();
		
		my_new_cred = handler->loadCredential("my_legacy_grid2");		
		ensure_equals("legacy credential with password: type", 
					  (const std::string)my_new_cred->getIdentifier()["type"], "agent");
		ensure_equals("legacy credential with password: first_name", 
					  (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname");
		ensure_equals("legacy credential with password: last_name",
					  (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname");
		
		LLSD legacy_authenticator = my_new_cred->getAuthenticator();
		ensure_equals("legacy credential with password: type", 
					  (std::string)legacy_authenticator["type"], 
					  "hash");
		ensure_equals("legacy credential with password: algorithm", 
					  (std::string)legacy_authenticator["algorithm"], 
					  "md5");	
		ensure_equals("legacy credential with password: algorithm", 
					  (std::string)legacy_authenticator["secret"], 
					  "01234567890123456789012345678901");
		
		// test creation of credentials		
		my_cred = handler->createCredential("mysavedgrid", my_id, my_authenticator);
		// test save without saving authenticator. 		
		handler->saveCredential(my_cred, FALSE);
		my_new_cred = handler->loadCredential("mysavedgrid");	
		ensure_equals("saved credential without auth", 
					  (const std::string)my_new_cred->getIdentifier()["type"], "test_type");
		ensure("no authenticator values were saved", my_new_cred->getAuthenticator().isUndefined());
	}

	// test cert vector
	template<> template<>
	void sechandler_basic_test_object::test<5>()
	{
		// validate create from empty vector
		LLPointer<LLBasicCertificateVector> test_vector = new LLBasicCertificateVector();
		ensure_equals("when loading with nothing, we should result in no certs in vector", test_vector->size(), 0);
		
		test_vector->add(new LLBasicCertificate(mPemTestCert, &mValidationDate));
		ensure_equals("one element in vector", test_vector->size(), 1);
		test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate));
		ensure_equals("two elements in vector after add", test_vector->size(), 2);
		
        // add duplicate; should be a no-op (and log at DEBUG level)
		test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate));
		ensure_equals("two elements in vector after re-add", test_vector->size(), 2);

		// validate order
		X509* test_cert = (*test_vector)[0]->getOpenSSLX509();		
		ensure("first cert added remains first cert", !X509_cmp(test_cert, mX509TestCert));
		X509_free(test_cert);
		
		test_cert = (*test_vector)[1]->getOpenSSLX509();	
		ensure("second cert is second cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);		
		
		//
		// validate iterator
		//
		LLBasicCertificateVector::iterator current_cert = test_vector->begin();
		LLBasicCertificateVector::iterator copy_current_cert = current_cert;
		// operator++(int)
		ensure("validate iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[0]);
		ensure("validate 2nd iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[1]);
		ensure("validate end iterator++", current_cert == test_vector->end());
		
		// copy 
		ensure("validate copy iterator element in vector is expected cert", *copy_current_cert == (*test_vector)[0]);		
		
		// operator--(int)
		current_cert--;
		ensure("validate iterator-- element in vector is expected cert", *current_cert-- == (*test_vector)[1]);		
		ensure("validate iterator-- element in vector is expected cert", *current_cert == (*test_vector)[0]);
		
		ensure("begin iterator is equal", current_cert == test_vector->begin());
		
		// operator++
		ensure("validate ++iterator element in vector is expected cert", *++current_cert == (*test_vector)[1]);				
		ensure("end of cert vector after ++iterator", ++current_cert == test_vector->end());
		// operator--
		ensure("validate --iterator element in vector is expected cert", *--current_cert == (*test_vector)[1]);		
		ensure("validate 2nd --iterator element in vector is expected cert", *--current_cert == (*test_vector)[0]);		
		
		test_vector->erase(test_vector->begin());
		ensure_equals("one element in store after remove", test_vector->size(), 1);
		test_cert = (*test_vector)[0]->getOpenSSLX509();
		ensure("Child cert remains", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		
		// validate insert
		test_vector->insert(test_vector->begin(), new LLBasicCertificate(mPemIntermediateCert, &mValidationDate));
		test_cert = (*test_vector)[0]->getOpenSSLX509();
		ensure_equals("two elements in store after insert", test_vector->size(), 2);
		ensure("validate intermediate cert was inserted at first position", !X509_cmp(test_cert, mX509IntermediateCert));
		X509_free(test_cert);
		test_cert = (*test_vector)[1]->getOpenSSLX509();
		ensure("validate child cert still there", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);

		//validate find
		LLSD find_info = LLSD::emptyMap();
		find_info["subjectKeyIdentifier"] = "bb:59:9f:de:6b:51:a7:6c:b3:6d:5b:8b:42:f7:b1:65:77:17:a4:e4";
		LLBasicCertificateVector::iterator found_cert = test_vector->find(find_info);
		ensure("found some cert", found_cert != test_vector->end());
        X509* found_x509 = (*found_cert).get()->getOpenSSLX509();
		ensure("child cert was found", !X509_cmp(found_x509, mX509ChildCert));
		X509_free(found_x509);

		find_info["subjectKeyIdentifier"] = "00:00:00:00"; // bogus 
		current_cert =test_vector->find(find_info);
		ensure("didn't find cert", current_cert == test_vector->end());		
	}	
	
	// test cert store
	template<> template<>
	void sechandler_basic_test_object::test<6>()
	{
		// validate load with nothing
		LLFile::remove("mycertstore.pem");
		LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem");
		ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0);
		
		// validate load with empty file
		test_store->save();
		test_store = NULL;
		test_store = new LLBasicCertificateStore("mycertstore.pem");
		ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0);
		test_store=NULL;
		
		// instantiate a cert store from a file
		llofstream certstorefile("mycertstore.pem", std::ios::out);
		certstorefile << mPemChildCert << std::endl << mPemTestCert << std::endl;
		certstorefile.close();
		// validate loaded certs
		test_store = new LLBasicCertificateStore("mycertstore.pem");
		ensure_equals("two elements in store", test_store->size(), 2);
		
		// operator[]
		X509* test_cert = (*test_store)[0]->getOpenSSLX509();

		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		test_cert = (*test_store)[1]->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert));	
		X509_free(test_cert);


		// validate save
		LLFile::remove("mycertstore.pem");
		test_store->save();
		test_store = NULL;
		test_store = new LLBasicCertificateStore("mycertstore.pem");
		ensure_equals("two elements in store after save", test_store->size(), 2);				
		LLCertificateStore::iterator current_cert = test_store->begin();		
		test_cert = (*current_cert)->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		current_cert++;
		X509_free(test_cert);
		test_cert = (*current_cert)->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert));	
		X509_free(test_cert);
		current_cert++;
		ensure("end of cert store", current_cert == test_store->end());
		
	}
	
	// cert name wildcard matching
	template<> template<>
	void sechandler_basic_test_object::test<7>()
	{
		ensure("simple name match", 
			   _cert_hostname_wildcard_match("foo", "foo"));

		ensure("simple name match, with end period", 
			   _cert_hostname_wildcard_match("foo.", "foo."));
		
		ensure("simple name match, with begin period", 
			   _cert_hostname_wildcard_match(".foo", ".foo"));		

		ensure("simple name match, with mismatched period cn", 
			   _cert_hostname_wildcard_match("foo.", "foo"));	
		
		ensure("simple name match, with mismatched period hostname", 
			   _cert_hostname_wildcard_match("foo", "foo."));	
		
		ensure("simple name match, with subdomain", 
			   _cert_hostname_wildcard_match("foo.bar", "foo.bar"));	
		
		ensure("stutter name match", 
			   _cert_hostname_wildcard_match("foobbbbfoo", "foo*bbbfoo"));			
		
		ensure("simple name match, with beginning wildcard", 
			   _cert_hostname_wildcard_match("foobar", "*bar"));	
		
		ensure("simple name match, with ending wildcard", 
			   _cert_hostname_wildcard_match("foobar", "foo*"));
		
		ensure("simple name match, with beginning null wildcard", 
			   _cert_hostname_wildcard_match("foobar", "*foobar"));			

		ensure("simple name match, with ending null wildcard", 
			   _cert_hostname_wildcard_match("foobar", "foobar*"));
		
		ensure("simple name match, with embedded wildcard", 
			   _cert_hostname_wildcard_match("foobar", "f*r"));		
		
		ensure("simple name match, with embedded null wildcard", 
			   _cert_hostname_wildcard_match("foobar", "foo*bar"));

		ensure("simple name match, with dual embedded wildcard", 
			   _cert_hostname_wildcard_match("foobar", "f*o*ar"));		

		ensure("simple name mismatch", 
			   !_cert_hostname_wildcard_match("bar", "foo"));
		
		ensure("simple name mismatch, with end period", 
			   !_cert_hostname_wildcard_match("foobar.", "foo."));
		
		ensure("simple name mismatch, with begin period", 
			   !_cert_hostname_wildcard_match(".foobar", ".foo"));		
		
		ensure("simple name mismatch, with subdomain", 
			   !_cert_hostname_wildcard_match("foobar.bar", "foo.bar"));	
		
		ensure("simple name mismatch, with beginning wildcard", 
			   !_cert_hostname_wildcard_match("foobara", "*bar"));	
		
		ensure("simple name mismatch, with ending wildcard", 
			   !_cert_hostname_wildcard_match("oobar", "foo*"));
		
		ensure("simple name mismatch, with embedded wildcard", 
			   !_cert_hostname_wildcard_match("oobar", "f*r"));		
		
		ensure("simple name mismatch, with dual embedded wildcard", 
			   !_cert_hostname_wildcard_match("foobar", "f*d*ar"));
		
		ensure("simple wildcard", 
			   _cert_hostname_wildcard_match("foobar", "*"));
		
		ensure("long domain", 
			   _cert_hostname_wildcard_match("foo.bar.com", "foo.bar.com"));
		
		ensure("long domain with multiple wildcards", 
			   _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com"));	

		ensure("end periods", 
			   _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com."));	
		
		ensure("match end period", 
			   _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com"));
		
		ensure("match end period2", 
			   _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com."));
		
		ensure("wildcard mismatch", 
			   !_cert_hostname_wildcard_match("bar.com", "*.bar.com"));	
		
		ensure("wildcard match", 
			   _cert_hostname_wildcard_match("foo.bar.com", "*.bar.com"));	

		ensure("wildcard match", 
			   _cert_hostname_wildcard_match("foo.foo.bar.com", "*.bar.com"));	
		
		ensure("wildcard match", 
			   _cert_hostname_wildcard_match("foo.foo.bar.com", "*.*.com"));
		
		ensure("wildcard mismatch", 
			   !_cert_hostname_wildcard_match("foo.foo.bar.com", "*.foo.com"));			
	}
	
	// test cert chain
	template<> template<>
	void sechandler_basic_test_object::test<8>()
	{
		// validate create from empty chain
		LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL);
		ensure_equals("when loading with nothing, we should result in no certs in chain", test_chain->size(), 0);

		// Single cert in the chain.
		X509_STORE_CTX *test_store = X509_STORE_CTX_new();
        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
        X509_STORE_CTX_set0_untrusted(test_store, NULL);
		test_chain = new LLBasicCertificateChain(test_store);
		X509_STORE_CTX_free(test_store);
		ensure_equals("two elements in store", test_chain->size(), 1);		
		X509* test_cert = (*test_chain)[0]->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);		
		
		// cert + CA
		
		test_store = X509_STORE_CTX_new();
        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
		test_chain = new LLBasicCertificateChain(test_store);
		X509_STORE_CTX_free(test_store);
		ensure_equals("two elements in store", test_chain->size(), 2);	
		test_cert = (*test_chain)[0]->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		test_cert = (*test_chain)[1]->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert));	
		X509_free(test_cert);

		// cert + nonrelated
		
		test_store = X509_STORE_CTX_new();
        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
		test_chain = new LLBasicCertificateChain(test_store);
		X509_STORE_CTX_free(test_store);
		ensure_equals("two elements in store", test_chain->size(), 1);	
		test_cert = (*test_chain)[0]->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		
		// cert + CA + nonrelated
		test_store = X509_STORE_CTX_new();
        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
		test_chain = new LLBasicCertificateChain(test_store);
		X509_STORE_CTX_free(test_store);
		ensure_equals("two elements in store", test_chain->size(), 2);	
		test_cert = (*test_chain)[0]->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		test_cert = (*test_chain)[1]->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert));	
		X509_free(test_cert);

		// cert + intermediate + CA 
		test_store = X509_STORE_CTX_new();
        X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
        X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
		sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509RootCert);
		test_chain = new LLBasicCertificateChain(test_store);
		X509_STORE_CTX_free(test_store);
		ensure_equals("three elements in store", test_chain->size(), 3);	
		test_cert = (*test_chain)[0]->getOpenSSLX509();
		ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert));
		X509_free(test_cert);
		test_cert = (*test_chain)[1]->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert));	
		X509_free(test_cert);

		test_cert = (*test_chain)[2]->getOpenSSLX509();
		ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509RootCert));	
		X509_free(test_cert);		
	}

	// test cert validation
	template<> template<>
	void sechandler_basic_test_object::test<9>()
	{
		// start with a trusted store with our known root cert
		LLFile::remove("mycertstore.pem");
		LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem");
		test_store->add(new LLBasicCertificate(mX509RootCert, &mValidationDate));
		LLSD validation_params;
		
		// validate basic trust for a chain containing only the intermediate cert.  (1 deep)
		LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL);

		test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate));

		test_store->validate(0, test_chain, validation_params);

		// add the root certificate to the chain and revalidate
		test_chain->add(new LLBasicCertificate(mX509RootCert, &mValidationDate));	
		test_store->validate(0, test_chain, validation_params);

		// add the child cert at the head of the chain, and revalidate (3 deep chain)
		test_chain->insert(test_chain->begin(), new LLBasicCertificate(mX509ChildCert, &mValidationDate));
		test_store->validate(0, test_chain, validation_params);

		// basic failure cases
		test_chain = new LLBasicCertificateChain(NULL);
		//validate with only the child cert in chain, but child cert was previously
		// trusted
		test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate));
		
		// validate without the trust flag.
		test_store->validate(VALIDATION_POLICY_TRUSTED, test_chain, validation_params);	
		
		// Validate with child cert but no parent, and no parent in CA store
		test_store = new LLBasicCertificateStore("mycertstore.pem");
		ensure_throws("no CA, with only a child cert", 
					  LLCertValidationTrustException, 
					  (*test_chain)[0],
					  test_store->validate, 
					  VALIDATION_POLICY_TRUSTED, 
					  test_chain, 
					  validation_params);


		// validate without the trust flag.
		test_store->validate(0, test_chain, validation_params);		

		// clear out the store
		test_store = new LLBasicCertificateStore("mycertstore.pem");
		// append the intermediate cert
		test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate));		
		ensure_throws("no CA, with child and intermediate certs", 
					  LLCertValidationTrustException, 
					  (*test_chain)[1],
					  test_store->validate, 
					  VALIDATION_POLICY_TRUSTED | VALIDATION_POLICY_TRUSTED, 
					  test_chain, 
					  validation_params);
		// validate without the trust flag
		test_store->validate(0, test_chain, validation_params);

		// Test time validity
		LLSD child_info;
		((*test_chain)[0])->getLLSD(child_info);
		validation_params = LLSD::emptyMap();
		validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() + 1.0);  
		test_store->validate(VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED,
                             test_chain, validation_params);

		validation_params = LLSD::emptyMap();		
		validation_params[CERT_VALIDATION_DATE] = child_info[CERT_VALID_FROM].asDate();
		
		validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() - 1.0);
 		
		// test not yet valid
		ensure_throws("Child cert not yet valid" , 
					  LLCertValidationExpirationException, 
					  (*test_chain)[0],
					  test_store->validate, 
					  VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, 
					  test_chain, 
					  validation_params);	
		validation_params = LLSD::emptyMap();		
		validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_TO].asDate().secondsSinceEpoch() + 1.0);
 		
		// test cert expired
		ensure_throws("Child cert expired", 
					  LLCertValidationExpirationException, 
					  (*test_chain)[0],
					  test_store->validate, 
					  VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, 
					  test_chain, 
					  validation_params);

		// test SSL KU
		// validate basic trust for a chain containing child and intermediate.
		test_chain = new LLBasicCertificateChain(NULL);
		test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate));
		test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate));
		test_store->validate(VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED,
                             test_chain, validation_params);	

		test_chain = new LLBasicCertificateChain(NULL);
		test_chain->add(new LLBasicCertificate(mX509TestCert, &mValidationDate));

		test_store = new LLBasicCertificateStore("mycertstore.pem");		
		ensure_throws("Cert doesn't have ku", 
					  LLCertKeyUsageValidationException, 
					  (*test_chain)[0],
					  test_store->validate, 
					  VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED, 
					  test_chain, 
					  validation_params);
		
		test_store->validate(0, test_chain, validation_params);	
	}

};