publishFullContrib: true for ydb

<HIDDEN_URL>
commit_hash:c82a80ac4594723cebf2c7387dec9c60217f603e

11 files changed, 9100 insertions, 0 deletions

diff --git a/contrib/python/pyOpenSSL/py3/patches/01-fix-tests.patch b/contrib/python/pyOpenSSL/py3/patches/01-fix-tests.patch
new file mode 100644
index 0000000000..ab5a02e23c
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/patches/01-fix-tests.patch
@@ -0,0 +1,19 @@
+--- contrib/python/pyOpenSSL/py3/tests/test_ssl.py	(index)
++++ contrib/python/pyOpenSSL/py3/tests/test_ssl.py	(working tree)
+@@ -1279,7 +1279,7 @@ class TestContext(object):
+         reason="set_default_verify_paths appears not to work on Windows.  "
+         "See LP#404343 and LP#404344.",
+     )
+-    def test_set_default_verify_paths(self):
++    def _test_set_default_verify_paths(self):
+         """
+         `Context.set_default_verify_paths` causes the platform-specific CA
+         certificate locations to be used for verification purposes.
+@@ -1927,6 +1927,7 @@ class TestApplicationLayerProtoNegotiation(object):
+         assert server.get_alpn_proto_negotiated() == b"spdy/2"
+         assert client.get_alpn_proto_negotiated() == b"spdy/2"
+ 
++    @pytest.mark.xfail(reason='https://github.com/pyca/pyopenssl/issues/1043')
+     def test_alpn_call_failure(self):
+         """
+         SSL_CTX_set_alpn_protos does not like to be called with an empty
diff --git a/contrib/python/pyOpenSSL/py3/tests/__init__.py b/contrib/python/pyOpenSSL/py3/tests/__init__.py
new file mode 100644
index 0000000000..9b08060ca5
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/__init__.py
@@ -0,0 +1,6 @@
+# Copyright (C) Jean-Paul Calderone
+# See LICENSE for details.
+
+"""
+Package containing unit tests for :py:mod:`OpenSSL`.
+"""
diff --git a/contrib/python/pyOpenSSL/py3/tests/conftest.py b/contrib/python/pyOpenSSL/py3/tests/conftest.py
new file mode 100644
index 0000000000..5bae6b8f71
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/conftest.py
@@ -0,0 +1,26 @@
+# Copyright (c) The pyOpenSSL developers
+# See LICENSE for details.
+
+from tempfile import mktemp
+
+import pytest
+
+
+def pytest_report_header(config):
+    import OpenSSL.SSL
+    import cryptography
+
+    return "OpenSSL: {openssl}\ncryptography: {cryptography}".format(
+        openssl=OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION),
+        cryptography=cryptography.__version__,
+    )
+
+
+@pytest.fixture
+def tmpfile(tmpdir):
+    """
+    Return UTF-8-encoded bytes of a path to a tmp file.
+
+    The file will be cleaned up after the test run.
+    """
+    return mktemp(dir=tmpdir.dirname).encode("utf-8")
diff --git a/contrib/python/pyOpenSSL/py3/tests/memdbg.py b/contrib/python/pyOpenSSL/py3/tests/memdbg.py
new file mode 100644
index 0000000000..590b72d068
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/memdbg.py
@@ -0,0 +1,91 @@
+import sys
+
+import traceback
+
+from cffi import api as _api
+
+
+sys.modules["ssl"] = None
+sys.modules["_hashlib"] = None
+
+
+_ffi = _api.FFI()
+_ffi.cdef(
+    """
+    void *malloc(size_t size);
+    void free(void *ptr);
+    void *realloc(void *ptr, size_t size);
+
+    int  CRYPTO_set_mem_functions(
+        void *(*m)(size_t),void *(*r)(void *,size_t), void (*f)(void *));
+
+    int backtrace(void **buffer, int size);
+    char **backtrace_symbols(void *const *buffer, int size);
+    void backtrace_symbols_fd(void *const *buffer, int size, int fd);
+    """
+)  # noqa
+_api = _ffi.verify(
+    """
+    #include <openssl/crypto.h>
+    #include <stdlib.h>
+    #include <execinfo.h>
+    """,
+    libraries=["crypto"],
+)
+C = _ffi.dlopen(None)
+
+verbose = False
+
+
+def log(s):
+    if verbose:
+        print(s)
+
+
+def _backtrace():
+    buf = _ffi.new("void*[]", 64)
+    result = _api.backtrace(buf, len(buf))
+    strings = _api.backtrace_symbols(buf, result)
+    stack = [_ffi.string(strings[i]) for i in range(result)]
+    C.free(strings)
+    return stack
+
+
+@_ffi.callback("void*(*)(size_t)")
+def malloc(n):
+    memory = C.malloc(n)
+    python_stack = traceback.extract_stack(limit=3)
+    c_stack = _backtrace()
+    heap[memory] = [(n, python_stack, c_stack)]
+    log("malloc(%d) -> %s" % (n, memory))
+    return memory
+
+
+@_ffi.callback("void*(*)(void*, size_t)")
+def realloc(p, n):
+    memory = C.realloc(p, n)
+    old = heap.pop(p)
+
+    python_stack = traceback.extract_stack(limit=3)
+    c_stack = _backtrace()
+
+    old.append((n, python_stack, c_stack))
+    heap[memory] = old
+    log("realloc(0x%x, %d) -> %s" % (int(_ffi.cast("int", p)), n, memory))
+    return memory
+
+
+@_ffi.callback("void(*)(void*)")
+def free(p):
+    if p != _ffi.NULL:
+        C.free(p)
+        del heap[p]
+        log("free(0x%x)" % (int(_ffi.cast("int", p)),))
+
+
+if _api.CRYPTO_set_mem_functions(malloc, realloc, free):
+    log("Enabled memory debugging")
+    heap = {}
+else:
+    log("Failed to enable memory debugging")
+    heap = None
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_crypto.py b/contrib/python/pyOpenSSL/py3/tests/test_crypto.py
new file mode 100644
index 0000000000..ef3429d17f
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/test_crypto.py
@@ -0,0 +1,4466 @@
+# Copyright (c) Jean-Paul Calderone
+# See LICENSE file for details.
+
+"""
+Unit tests for :py:mod:`OpenSSL.crypto`.
+"""
+
+from warnings import simplefilter
+
+import base64
+from subprocess import PIPE, Popen
+from datetime import datetime, timedelta
+import sys
+
+import pytest
+
+from cryptography import x509
+from cryptography.hazmat.backends.openssl.backend import backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+import flaky
+
+from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey
+from OpenSSL.crypto import X509, X509Name
+from OpenSSL.crypto import (
+    X509Store,
+    X509StoreFlags,
+    X509StoreContext,
+    X509StoreContextError,
+)
+from OpenSSL.crypto import X509Req
+from OpenSSL.crypto import X509Extension
+from OpenSSL.crypto import load_certificate, load_privatekey
+from OpenSSL.crypto import load_publickey, dump_publickey
+from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
+from OpenSSL.crypto import dump_certificate, load_certificate_request
+from OpenSSL.crypto import dump_certificate_request, dump_privatekey
+from OpenSSL.crypto import PKCS7, load_pkcs7_data
+from OpenSSL.crypto import PKCS12, load_pkcs12
+from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl
+from OpenSSL.crypto import NetscapeSPKI
+from OpenSSL.crypto import (
+    sign,
+    verify,
+    get_elliptic_curve,
+    get_elliptic_curves,
+)
+
+from OpenSSL._util import ffi as _ffi, lib as _lib
+
+from .util import (
+    EqualityTestsMixin,
+    is_consistent_type,
+    WARNING_TYPE_EXPECTED,
+    NON_ASCII,
+)
+
+
+def normalize_privatekey_pem(pem):
+    return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))
+
+
+GOOD_CIPHER = "blowfish"
+BAD_CIPHER = "zippers"
+
+GOOD_DIGEST = "SHA1"
+BAD_DIGEST = "monkeys"
+
+old_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
+ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
+NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
+MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
+ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
+urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
+2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
+1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
+FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
+VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
+BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
+b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
+hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
+w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
+-----END CERTIFICATE-----
+"""
+
+root_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIE7jCCA1agAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
+ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAwODAyMTcxMTE5
+WhcNNDcxMjIwMTcxMTE5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO
+BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp
+bmcgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALpY5jb+
+S7AUbx9gzN06wkqUeb+eNLTjCOKofiMTn8Y0TqCA2ZyY3XMcNBMaIS7hdFTgmmqt
+fFntYobxLAl/twfbz9AnRaVDh2HyUvHvMBxKn1HSDLALLtqdF0pcXIjP04S7NKPQ
+Umgkv2H0KwcUpYlgjTFtXRiP+7wDSiQeP1YVSriEoE0TXK14F8np6ZKK0oQ+u16d
+Wn3MGQwFzS+Ipgoz0jbi5D2KzmK2dzHdxY8M2Dktkz/W3DUfUwaTohYed2DG39LP
+NUFOxekgXdIZ3vQbDfsEQt27TUzOztbo/BqK7YkRLzzOQFz+dKAxH6Hy6Bu9op7e
+DWS9TfD/+UmDxr3IeoLMpmUBKxmzTC4qpej+W1UuCE12dMo4LoadlkG+/l1oABqd
+Ucf45WgaFk3xpyEuGnDxjs6rqYPoEapIichxN2fgN+jkgH9ed44r0yOoVeG2pmwD
+YFCCxzkmiuzLADlfM1LUzqUNKVFcOakD3iujHEalnDIJsc/znYsqaRvCkQIDAQAB
+o4G7MIG4MB0GA1UdDgQWBBSDVXctXiHxSQwJJOdUCRKNyH4ErjCBiAYDVR0jBIGA
+MH6AFINVdy1eIfFJDAkk51QJEo3IfgSuoVykWjBYMQswCQYDVQQGEwJVUzELMAkG
+A1UECBMCSUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAW
+BgNVBAMTD1Rlc3RpbmcgUm9vdCBDQYIIPQzE4MbeufQwDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAYEAFIMFxLHaVDY/nsbYzI7+zxe4GJeUqRIj2g4XK/nF
+6lHLRFL2YP5yJ+Jm4JDkoZqKq/tcEQLIssQS++s6tBSdvFwdY6imfpEZgFPuodrZ
+KbYm4Xuouw09EQCEjPxBOQ1NEcPuwuDtvD6/BOfm3SRFRTq/gQwxKlZ7C/4l8b1+
+OQPIUryqdlFBpyE/M95GzaNdmkQx41PevEih2nqWnbTsXLeiSXLGoubMTxKEK4T+
+J7Ci2KTRJ3SYMgTNU6MNcl7b9Tpw9/KVG80IbpzNQ1LDh3ZtkOfqoou1lmBTeNPu
+g2C/oiW6lVAmZx1TL9gbUtkJ0Q2iW4D9TF+zuYi2qpbVU3RvoqK25x3AuIWf4JOL
+3cTNjJ/3zmGSORRJvcGyvVnL30R+vwpaxvyuqMjz3kBjkK2Z2pvElZMJiZhbGG7k
+MHZQ5A26v0/iQVno6FRv3cQb9EeAZtNHcIEgsNhPZ53XVnwZ58ByvATMLKNN8dWF
+Q+8Bbr7QFxeWvQfHYX2yaQZ/
+-----END CERTIFICATE-----
+"""
+
+root_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
+nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
+sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
+TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
+P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
+PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
+TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
+6OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
+Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
+dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
+JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
+VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
+H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
+BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
+puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
+bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
+/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
+/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
+uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
+ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
+pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
+96U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
+ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
+erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
+xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
+nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
+0NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
+cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
+8QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
++0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
+2qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
+vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
+yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
+3wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
+SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
+4ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
+jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew==
+-----END RSA PRIVATE KEY-----
+"""
+
+root_key_der = base64.b64decode(
+    """
+MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
+nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
+sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
+TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
+P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
+PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
+TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
+6OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
+Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
+dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
+JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
+VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
+H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
+BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
+puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
+bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
+/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
+/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
+uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
+ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
+pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
+96U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
+ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
+erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
+xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
+nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
+0NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
+cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
+8QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
++0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
+2qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
+vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
+yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
+3wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
+SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
+4ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
+jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew=='
+"""
+)
+
+normalized_root_key_pem = normalize_privatekey_pem(root_key_pem)
+
+intermediate_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIEXDCCAsSgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQELBQAw
+WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw
+DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAw
+ODAyMTcxMTIwWhcNNDcxMjIwMTcxMTIwWjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh
+dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIIBojANBgkqhkiG9w0B
+AQEFAAOCAY8AMIIBigKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczL
+Q4jURv5MzyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsH
+p95gzBvgnj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8Az
+AarWu+Ez5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGv
+jSkdT5MA4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9h
+ksK+LAbQKD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkW
+guDyqIvAjlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyY
+pF24EJbisjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/
+CtfI+LLfns4k3G9I+Qgxmpa5AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggGBAFVQ3Dmljrnbjys9ZIqcTs/B5ktKUAU2KNMO9TmoFymE
+YhHKbCb5u/CnWq3jtBW6jgkQHrhfY9leUlH87BkB2o16BcSKjHknHZ2MCdEvQvOM
+/nkkMDkOEoRn8mfCCxxgt8Kxf07wHDcnKoeJ3h9BXIl6nyJqJAcVWEJm1d75ayDG
+0Kr0z+LcqMtQqYI0csK/XDQkunlE95qti1HzxW+JeAf6nRkr7RNZLtGmUGAMfyBK
+9A0Db8QLR7O92YEmwoXtp+euN6uDdjw4A7KHjNXMdvqZoRfbZEA9c6XJTBj22h87
+gYUFRVpkNDrC/c9u6WgA943yMgFCwjrlTsmi+uoweT9U5r4TA+dVCDAv943aWCNm
+A+TiuIXlJAHl2PlH7Umu/oMQKDEt+0n4QcQLBZyK3CYU5kg+ms9vOvE19Lhp8HeS
+xqm6dwKpdm7/8EfGNW3s8Gm4KM26mb7dtSdHJFuR/BQ5y/cn4qIMyeGfHvsVew+2
+neyFR2Oc/nUlZMKfyHI+pA==
+-----END CERTIFICATE-----
+"""
+
+intermediate_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczLQ4jURv5M
+zyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsHp95gzBvg
+nj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8AzAarWu+Ez
+5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGvjSkdT5MA
+4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9hksK+LAbQ
+KD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkWguDyqIvA
+jlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyYpF24EJbi
+sjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/CtfI+LLf
+ns4k3G9I+Qgxmpa5AgMBAAECggGAc0i/V4qR5JUCPuyGaCVB7uXzTXbrIQoP+L2S
+0aCCFvX+/LGIaOt9E0mtln8wo+uZHZY9YAzg1EXtsRPQFzjXoY0hNFme15EamdSb
+B0e2dmMTz9w44l7z72PtcH8dkq224ilKthoB5Db9MP9HXrWFj9228QihT/9nWE5b
+Y0++qIZZN9TwS7HQ6q2EIlIj1ohbE0R0O0bH1ifixsGyyOlrLHkhzjgY74Dspy7o
+VGmA6wL7cIoyLU21NT1Kw4LUUvCk3MTd62gIg43qLsoLJ1AVZg9AmLmhZn4HiGZa
+tiE1+Iz70E+qxIXDQTip/EY4qe9HHYM2VccjlMQsLLCw5Y2CJL0xbRUSPkKev+Us
+PyasHgxPP6s5sHTKm0fee+riJrR+CqODGT45CirJr+WjDznlJETgVDW5DmtTWGVW
+2WeBarXdYOn4S+uK3Pe3aTAiE9Uw7KrOdJqrWg89YFnMWw4HlMz0369HCUv5BqSg
+qtrJ7iPJhN5MMhA4Te2Rnc5onqEhAoHBANKmZP4/g5RoYy6Gjkwe9PSgp9URxCJt
+VHiE5r33jXxOMw2lJQD8JVLmWuNTbKEClj6Rd/5OzM2q2icYDu0k/wcX+BgXg5b2
+ozyfjzgnqddKs8SlNd9oc2xiFRLgBkdHI5XFQlcp6vpEM+m47azEw72RtsKObN0g
+PZwSK8RWTj4zCXTdYMdr+gbdOA3fzUztckHLJQeS42JT3XJVSrSzFyXuVgXmdnS9
+bQ2dUfPT+JzwHy/HMmaBDM7fodDgv/XUywKBwQDGrLTomybbfc3ilZv+CZMW7bTy
+pX8ydj6GSIBWLd+7gduQHYqam5gNK2v4BKPVHXMMcRZNIIId3FZztMaP3vkWQXIG
+/bNBnL4Aa8mZFUle1VGoPZxMt1aaVLv3UqWi47ptciA6uZCuc/6si3THTsNr/7kR
+k6A7UmA0CRYWzuezRsbEGRXZCCFGwJm2WCfewjNRqH/I+Kvfj06AddKkwByujfc6
+zQDH/m0QFNAKgEZYvFOL/Yd2cuFhU2OPUO4jFgsCgcBXRbjx3T6WbekpjXXG88xo
+zWa7T/ECkmk8xVMTwUxNA9kC/jimf9C219kv9ZA75OZ6ZaphIiSX0QEw0Tbd6UX/
+ml6fHJ7YHLbklvavPT+QgtKX1hrLxGqNrNUuTMJNJZwIoQErO6KurTMU0hkmSx8N
+myEs2fUgaAsebijT3y3rdxmj4VQHSyT7Uwu2M9LK3FVKDO/6g1DRnA1TISMiWlBs
+1qGtMB5Dn3de/J7Hdjq6SoGhOdYXwb+ctepEr9jX8KECgcAE2nk86XVkjUk3TNJX
+vWIjgEEYYGSgFfVnEGRaNpqtmPmFJsOZDU4EnFfx4iMidKq31hdmYPHsytIt12+2
+WgsZuRWRCCeV5b9agUeWfsehEnMBOigUU7JA6OsCmrlDJm8Kd2xEIv5e1KSXEH0U
+1V6+x6t8u2+Bo3yIKOSqP/m3DnaSmc5H1AQEF3Zp1vN6ZKIeT5B3l2OTfYu8ZaR0
+s+C/fuZYQGPRfuypJOkEKKgPSOJ9m/7wLNRGrWPUP3Th1IsCgcBb2O9ROv793a3x
+PtW4qzkqF69KKc2O/vT819NBQjGopQetOcsY3VHp0eJMv85ut4cCeqScAfdtFIiC
+ScnrBO4JtdE6FkTY1k8el1DrctrUR3PZ2rt3m5k2XfPDGEypH3BReD3dHUe2M99D
++dceH46rKyMXQ2lLA3iyzGE6NyWUTZ6co35/Qm2n8lV9IG1CuX5HVAVrr2osLG93
+zZvFSeTrN2MZvmelhS6aUJCV/PxiQPHlou8vLU6zzfPMSERTjOI=
+-----END RSA PRIVATE KEY-----
+"""
+
+server_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIEKTCCApGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
+VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
+MFoXDTQ3MTIyMDE3MTEyMFowGDEWMBQGA1UEAwwNbG92ZWx5IHNlcnZlcjCCAaIw
+DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKU9txhKg6Nc0dVK9Vv4MYuYP6Hs
+oR483+wC53V8axkfy2TynrBSug8HapeSFW5jwdwcsjaDwEIAugZfRoz0N1vR/Q6T
+OFAYn2hRwlAgUXVk3NXpDNV/QRliGvxhLAVpvu1a4ExfVZoOQyPa8pogDgrUdB3e
+tYmmFHNa09Lv1nyMZWi6t7zH2weq6/Dxpm0BWf+THFcunv9TNfAqmDV5qbxvaUPh
+uvRpN+X2N3tejB8WKt+UmzAXUi3P3OgYimWXwq8Rmorc1rk5j+ksl6qYwZvi7rRV
+g1ZAH7bGhXC9eEU/1Z9q26OhAPdTyJD0pc+G9vMz6VijLRXcgHBUP09lSeqxnNxc
+pWoX6nRdGn6PkDhewHM05iqAE3ZHnc8kSBcRX85SoW5dGOhvvUTs4ePVNTo3vHdQ
+vftTDD+I3rbFnYTKUAzHTPSWGE7LVEiWJ94RKSADXgve0qq8o377UMnY7W3UygSY
+odyUZ29B5EfZ88EpIs/h5NomDv5VcQEoCWN1owIDAQABozYwNDAdBgNVHQ4EFgQU
+g1V3LV4h8UkMCSTnVAkSjch+BK4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
+hvcNAQELBQADggGBACn0LsqO94tk8i+RbG5hryNduem9n8b8doYD97iaux6QLvY/
+A8DFduJtUevZ3OCsRYQSGa3V/ysMzN7/DIUkpRLevZmdw+1L6PGR7peR2xIQ+yEW
+bL88vLjezaYIzMKHJRmN8oP3DQtGJm6U2fMMiEHWqRtULIVpnFppzPI2z7+tDeyg
+PFD2YeiFWoq5lmXStrK+KYPJbhTn0gz4QlGBs7PLY2JMDRSVj6ctkvrpXbC3Rb3m
+qo2FY/y51ACg77Txc6NAmNE6tCknwaUjRQP2MuoYFm5/Z6O9/g49AEVIE101zHqV
+N6SkcTUaXAuQIyZaqwdndfOB4rrFyAkoxTM5OamIQl80hZKf4R5rM7D7Sz8kAWJi
+BPIcewN0XnI6lm+zPAVUAE8dZfgJmJR5ifZHYCuv96EX0RpYsddeik8UmjkZ2/ch
+vRzvRSNNxVC6Zoe6vKNUb89XMtJZqY80WxfWG3Z2Hwf9KvS+2KAH/6MiSMj0RI5F
+SCB2PMQm6DYXwM1EyA==
+-----END CERTIFICATE-----
+"""
+
+server_key_pem = normalize_privatekey_pem(
+    b"""-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEApT23GEqDo1zR1Ur1W/gxi5g/oeyhHjzf7ALndXxrGR/LZPKe
+sFK6Dwdql5IVbmPB3ByyNoPAQgC6Bl9GjPQ3W9H9DpM4UBifaFHCUCBRdWTc1ekM
+1X9BGWIa/GEsBWm+7VrgTF9Vmg5DI9rymiAOCtR0Hd61iaYUc1rT0u/WfIxlaLq3
+vMfbB6rr8PGmbQFZ/5McVy6e/1M18CqYNXmpvG9pQ+G69Gk35fY3e16MHxYq35Sb
+MBdSLc/c6BiKZZfCrxGaitzWuTmP6SyXqpjBm+LutFWDVkAftsaFcL14RT/Vn2rb
+o6EA91PIkPSlz4b28zPpWKMtFdyAcFQ/T2VJ6rGc3FylahfqdF0afo+QOF7AczTm
+KoATdkedzyRIFxFfzlKhbl0Y6G+9ROzh49U1Oje8d1C9+1MMP4jetsWdhMpQDMdM
+9JYYTstUSJYn3hEpIANeC97SqryjfvtQydjtbdTKBJih3JRnb0HkR9nzwSkiz+Hk
+2iYO/lVxASgJY3WjAgMBAAECggGAJST2X5OAe9yFnri25vGn0YVr6G5U2YM9osQU
+W6iYOpGXGx4e5evyvyYfo+rGvoXWMjCRLwf2099t8bjBFzZeq1lM1VXqtraSPtUC
+JRjettDxg3Rb2jI85APVpR4C00SuEpT3DrPvfi3ukcTJ/DNwdKbFY2GI1WRr/HJS
+Y3xebqjwstYmL12Nsu+NEiCAFMjU/kqHeGGWhDakTVSF2p96tE0nEIdRi1eLpTnv
+xt++B87n3FJ/gBP9+SZcth+uHKA8Wr42CqJR3z8b/blICYCd2LABFdZjL4aHfce9
+Xe7UyVoySYC6N0YSbLLfsVu/w/qsYitcTvWCyekX4eT2U9Sdje46LGN4MFJSYy8K
+Qw4hzz6JhUrAiwxPb2MLkq6q7AvdFwVAFl7xuH9J13yuN9x+w4NL9h3hzr4iC7nk
+xVrmme279h1hfuCR1+1Bb0fLvdl5VevT9SZYCg5BCL7JxHGofcBZ3ZE9R9Q7QYVv
+rCKHFZ5tIOkVJk2mcR5NvK6r7ethAoHBAM7BFvBPHgJ5xtny7M9xvaMQD9PZ3zzb
+PUD83lh+DlmLyzKLw2/OblyJgO8ECWUDNR1QkL5khq5Z2t1Kj77Hak7mUUlICbIc
+LKZLiAosuKBo/ps6emRRhIf9NNYR2G1k9GWyk3KicD/htllPl10j64vgBg2M/LQJ
+2Oh95oWMck7RRdWHCwfBjND3YsYoN0hY9GXgr+ByDRQgAacvnpHlFCRmSPqiAJGh
+kPKIRfjLgVFbL1cIj7oHpcModgZr7Dgc/wKBwQDMmVhsmiefTscZSCoCIqXVsJJ0
+edDmIvAl3cFozf9/+5JADjnp/9zcdANNN/oMfynOPx+0R2CygxooZaRKbnHPcVlu
+SCxwaloagNSFVt8lZ2PwybutfdMN8YbU431ypNLJjInI3Z66eHBRDZZZviu5AtoL
+5WYAvFzN502P1IVrJBo0lht7ftQMwM4NAhRaaFrUCrycREwUl0u9PxswmDhignWs
++fyJ93D5aVC1wHjUN9WYTEOM66goZTuSDD8mE10CgcAbl3UiOMy+c9XvvBWSUZGH
+M1uJYCgEjRWNmLFridcMaDWD11cLkrbzrn4AZ7+BNX5fHSNT5UJ7/g3RPmQUh7RO
+Nzpd1zlEBbKHtsi+4tz4u0pPGOzAeoh/RXFJqDQD1VcwQzaeM8NbIxocrRx8F5EV
+p53nLQuEU1QZIsQiym1uy0rQhicYr+HE+V67Jx7JjuV+uw99mnrYVrUhxJ8axUF8
+4hGXMQt2Y+NeGoWMAEyPuOWGbeQQZXjfpISrsrdhfa0CgcEAxqbdRBUpA3Tpu5Jl
+t00M1z5p9M2SFuE1ao61i5z3xrvsdGVbtefH+gRqcD85eYi+fpKrpc7oBGtmqnKF
+4f76YgAcZQeOnlekxLbxocWHRDnuv4wfvYO9uHwZ/fojg3ylbSwXXABSbZsi8o/O
+u7P5n9k0/Pfu4igBs6oxlMU0BaM4DnbwmCe8m+VYKykpud440kjaeJ+XfyanU0hC
+jhw+Iueoehr/KLYn6wJmaxJGP0c3DHh/3gOxcgdYn6VkawPBAoHBAMJ7jfxZJfBO
+i0gDsD9Kz3EkGI8HbBpgC2Cd9DGQR9qTZy1/l/ObM2jwNumJjoHsN8fkha1d6/3n
+01hA4LwLB/SLQHx+7k1749sH7m1FaczWa9eUxNkwFiVTBYIyvbekNfJogLX9pVow
+vEuNe+J8vxLt3gQJ1DUz+2Air8v//OIqQ+akDnPkwiqHDqynNNWO+jq708aUunVT
+TTvknsoT3qT8H/N1FwbCZ14eKV+bXHcv1lVrLdW/DnjDZRpMFa3LSg==
+-----END RSA PRIVATE KEY-----
+"""
+)
+
+intermediate_server_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIEXTCCAsWgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQELBQAw
+ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
+CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
+biBEaWVnbzAeFw0yMDA4MDIxNzExMjBaFw00NzEyMjAxNzExMjBaMG4xHTAbBgNV
+BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
+CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
+biBEaWVnbzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL3UcTxwCsMZ
+qIE+7lolm8t6lT0IYZkE4L7u2qI64m9CvztudqqKYZcrprZobZxqPhqc8IO3CFR2
+nVzwZWxrHCcm6nAzJjVXUFrc4TLsVYYJL1QvKXxr97VIiySU7x6xWrQQsqDtlrb0
+jH59EYFbM2eMk2fBT2X4h6YMXlqyrDjZF6apClXtkdxGJGqR5PCTs4cvrYW7TpIm
+cuJq0S+MRBguZpriM+wOK7cXrqfRPFRzZtPXskpQPSAMDDAOGKl8OZfoVFYzG8KG
+omOa0hcHtgYX2GCDs1g1maY6Haw9bgs041BoApH9aQxehy5dfU39DcFoKSE3dCjR
+FaR6ryCA+f8L1F3xVaHsvX443CYF0/holfsptTjNd1T1z8WR5h1jtY0gJ/ERgcJZ
+UgDRE3lEkTLExS/nuGVfdwnlkxny9jbtYp2YcjYjUkChLtTgz4ommeIdBdDvSu8M
+wWHMtQNxECs5qA5J384cLh11Nd9exWUjiQ9yAZ0qTOzTkdH7VPHfxQIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBgQA2jC5hJ/+46RLBuaZiJhBawiY+HqybEAZWM/IBGZO4
+UKcRotovU+sb1jg+vpXwePSBPEtQoZce0jN0TKiCdlLM4/9lybAvc6qBLJ0d4VS5
+BU5QsCs9IKyvswAFVipQZi0szYwHk8T145SH/fPao8oznf5ae4a6rK9PyZqT7Ix1
+nnKGffbJs0dY+jlxmx/BPlbsGfTwPL6LexghjvbpbXWUdVLP3gAW6DPCtRd6lhWj
+JvgCkF2SnbQ7GgnPEYi8h09j0c6/sK6jLoNAatJyIlRGE1cdGYZVUlVW/xP6lYM0
+Mi1KKl0ZXOne4vPTtnTBBqrpjdLydH3WM1IxdwSRbmF15OD6BWzzKV4IYUJ21GDh
+YrVrcIeN49pUoKVTTn0Sql8f8mXxJhJ54wo9TKdIGZeuwTZrfWjcjWghXgghXGoP
+RI/I5fk/OMu0Oc06/+xdwCBHCSge0/vxK6fhTu7PxmJhQcZF0sDZyb6LXm2feVkG
+6FsxnsvstVNO3oJdpa8daLs=
+-----END CERTIFICATE-----
+"""
+
+intermediate_server_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAvdRxPHAKwxmogT7uWiWby3qVPQhhmQTgvu7aojrib0K/O252
+qophlyumtmhtnGo+Gpzwg7cIVHadXPBlbGscJybqcDMmNVdQWtzhMuxVhgkvVC8p
+fGv3tUiLJJTvHrFatBCyoO2WtvSMfn0RgVszZ4yTZ8FPZfiHpgxeWrKsONkXpqkK
+Ve2R3EYkapHk8JOzhy+thbtOkiZy4mrRL4xEGC5mmuIz7A4rtxeup9E8VHNm09ey
+SlA9IAwMMA4YqXw5l+hUVjMbwoaiY5rSFwe2BhfYYIOzWDWZpjodrD1uCzTjUGgC
+kf1pDF6HLl19Tf0NwWgpITd0KNEVpHqvIID5/wvUXfFVoey9fjjcJgXT+GiV+ym1
+OM13VPXPxZHmHWO1jSAn8RGBwllSANETeUSRMsTFL+e4ZV93CeWTGfL2Nu1inZhy
+NiNSQKEu1ODPiiaZ4h0F0O9K7wzBYcy1A3EQKzmoDknfzhwuHXU1317FZSOJD3IB
+nSpM7NOR0ftU8d/FAgMBAAECggGAYNwla1FALIzLDieuNxE5jXne7GV6Zzm187as
+mFqzb1H/gbO7mQlDAn+jcS+Xvlf3mFy73HloJrDfWqzPE6MTmmag+N8gf9ctiS9r
+OTCd8uZ839ews2vj2PxLAz97Q437WiWq/7I7VN8zUNdAN2DxucRg8nAQs1c8390v
+x9ejSN580u0t+OpfoqWnrzkCOD8lO7V4NOR+EtTLifw3AKvxkuUaNa12ENyqMaJD
+3B1HS1AXB8DnmEOY7OE41sxaiSB44M7tsr31ldUCbEf/A5OZWeCfloP2c2g+Td8s
++sl+AzoGa1HsFOqiqdDw8lKynfT1VukaaCtOr0pGeh6XW65aHRGI0B+mHIEM7yR0
+f2NjfvgejqNekWyJ+XeTcmrPPcSH72F9ansLRpUullAi+6OkPFIiwyKCP/S2sLwh
+cqe3NITfMweWDt7GqgOhz1yWaewXgdruWiFAYAh2JDBtgMWTUwWgkKyFCb4mrI6r
+zqiBpA8Mjm/H17h/dQqF3iRuaZOBAoHBAPDvVseeiGwZjDXuQD9acCBZU23xwevR
+6NVe/FLY1bybgsOBQCApQIWKH72eIHo12ULRMe/uZUo3su9JSCc8Gt8DsQpiZ2a+
+z8rS6uEw/UZGMWeLjcIVK5IeeD7OJ/BXEbwoxVvWLYYgWHpYwY9eqppsMlVqmIHY
+lfRAaepEkU/4euRl1VTFxkU0sYw7Tj+gbFQDydB0NSLIU/x10tlHblT+O5tgBLJh
+kL7II9tyoGaCUjNnACErmi1FA+lNsx1eAwKBwQDJsw+sIhujRHrajCV5dqq5cx3h
+ZQNfamoX6xfXYjNHjkeFnFpHB2w6ffe00q2Kt5+0AaSA295n1vPx6IKzKYMr8kpD
+0Kiv+mlKK5w7lZzdCeoJb8Co2t9viZXrN9lNetXiSZldrg5nlG8Gmi2RKn65vIfp
+ZFc8CExXpQWNMSLJlu2qM8Sjt4h8M880khuTggCeIDbw7YfyanlNhsNpOGv/r+Hd
+3i0BP0Qd1sZWkZ+hp/JJFdvyEh5vINgSABfNJJcCgcEA8LqioVcEBcZM8oG3jdVF
+3PyDQIHieUXFdpOuVvSyMf3LXJ3ivX+aKRNF/YZl+tWc24b7dzhh2hLm5PD6d8E1
+NAiTNsX1fJJAOe4dopz5IuL1b/jezcGrRBbPnCkNfLTyUmcGMmlAGRhubugJlb9H
+hH2AmRmlgW8u/NnzOZADBL1HxLb+vPHS1cj9cRi8aRRXyGX0miPSB4vTZpcu8cvO
+MHvIgMkiSDz1i7mbIiNYorOpgBR066+OH5cqfkwVH82TAoHAO3dZdYyQzXARMIIF
+QmxkJUz1UFCxz93V7btYSh4ftEcUeyX/z9U2aYBeGafLloxQv4eEcqFgTwkm3vmI
+Hz5r9/b1Qk0wjsGrbTyyUTbpCpozsBiMmrv9CCtuUe0jWh6PFKpSVzZL9OnkWfP2
+30fCGQymnX8B4ScpKuXyXxBPi1O+OmIM5Z/k04mK25sAGltHx1cEG8BMRoJxxROo
+ZUtHPBkk5H7ukeGPOaTq0PcaM1UKr9WMBTCmXGk4iwYP/mF9AoHBAOTlFVgGbbjk
+Cp/Wd7IrYCBKlnkIyBUMx5icLcsFmgXWx+Gx1HualD2aZ7kctYOfo+zLEyA6roni
+bSFLrxT4Od4uqwb51iZoJWxO+C3H1i9NoieU5JOnw5Osyl7OMXm3DkaS/N+ipP/b
+3bx1y8/WnGgqWWguXKt2lmgOItaEKrXYr6VZ1Z4upnLtkbxLANnqkQcL9287tXaW
+GPVXEteEXrtPj1f+9QYsMKuTWfaw6XfnBkBHxEZgWR+2hAN2z3c/Eg==
+-----END RSA PRIVATE KEY-----
+"""
+
+client_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIIEJzCCAo+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
+VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
+MVoXDTQ3MTIyMDE3MTEyMVowFjEUMBIGA1UEAwwLdWdseSBjbGllbnQwggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGChdOMY164FScJqfiJ5LEtjYOKEg4
+nmMAMGuHIT8wZZEfzaaHhBbypzKq2cPP1qtyHgvtUMM6KOFEj4y9AonqzzdlVxbM
+i6+AvYLWlPoB5r/G1GdslUvXbc7F02B/6sB/+iFXmcdjOjAQcLWxVgUL+1CoeoY1
+awNYmzQueK/T82a/6AYTdrx7XRX4wfxjYb1o3bnnRD/jGSakIylXeUGFsiSNkBs/
+dJMkUONxizAdAE2tW6NhPuE2O0UipzUhdgFnH6WPfJ0J1S7jZ3eQTUrLkFpWSp/Z
+hx/l/Ql9vO0wagHaT2wOiZdKVT8S6V6OPzJ7/H1evCoM6EuSPBC5DDP1nPetCK1v
+uC9kb7Dg6yFPt1CKrVFt0Y6W5Y5/GzisUtvYV/OGtX4DOwL9It68D04Qrvun1t/a
+Dh/c5gKqfqIGHUvUucFmOi6DrRpadfraLZMRGN2ysPjoVwhMgwwSmSWhziQIUfxK
+oyz1CUsyr5Gh5gdifbe1AOYwu6YdtlmhqCsCAwEAAaM2MDQwHQYDVR0OBBYEFINV
+dy1eIfFJDAkk51QJEo3IfgSuMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3
+DQEBCwUAA4IBgQAhAEACc1j6EYoSfVJD8N/FlYfHRizdfVJyrmMnC8ID1vtfrU2z
+S2q+49ja2NyM4Sq+Cf+i+sFfzFG92LayZt9Mc1BnHZMdNzQL7Ynr2nDLxHsHzuYa
+N21/ucTpHEFGLmvQ/eWBMxQQ9TbiNXn+tnnqg46dRzN3vHJp+g5+ijtMcuh007z2
+niiO8F07wlb960XviejWejMC8hBLWlA7i3EjAkDO8RFQnG2Py5cQX9GgmWH1sDy3
+rIsWlU+e46ysSWK/bnudnAlzZMB9KJATVZu5+xmCumH2hLJv5vz+jnKcgU9MBZMO
+cKgNdFUbtRlU/gfTaohmLIuSquunCCrXLsLD8ygbKKXfSPGVo2XkvX3oxqUo6dmA
+LvU4N4sCQGiSzW+a13HBtk3TBZFsJSWUGSW/H7TVFiAonumJKRqRxMOkkB9JxX+V
+9LZBYuBLpOeK4wZ8BUSNlHKnGpDzl0DzdYrGlzWz0jXlLGZ8KMfXAn9h0mOZ+IyK
+eUlgMBYyAspCQzM=
+-----END CERTIFICATE-----
+"""
+
+client_key_pem = normalize_privatekey_pem(
+    b"""-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAxgoXTjGNeuBUnCan4ieSxLY2DihIOJ5jADBrhyE/MGWRH82m
+h4QW8qcyqtnDz9arch4L7VDDOijhRI+MvQKJ6s83ZVcWzIuvgL2C1pT6Aea/xtRn
+bJVL123OxdNgf+rAf/ohV5nHYzowEHC1sVYFC/tQqHqGNWsDWJs0Lniv0/Nmv+gG
+E3a8e10V+MH8Y2G9aN2550Q/4xkmpCMpV3lBhbIkjZAbP3STJFDjcYswHQBNrVuj
+YT7hNjtFIqc1IXYBZx+lj3ydCdUu42d3kE1Ky5BaVkqf2Ycf5f0JfbztMGoB2k9s
+DomXSlU/Eulejj8ye/x9XrwqDOhLkjwQuQwz9Zz3rQitb7gvZG+w4OshT7dQiq1R
+bdGOluWOfxs4rFLb2FfzhrV+AzsC/SLevA9OEK77p9bf2g4f3OYCqn6iBh1L1LnB
+Zjoug60aWnX62i2TERjdsrD46FcITIMMEpkloc4kCFH8SqMs9QlLMq+RoeYHYn23
+tQDmMLumHbZZoagrAgMBAAECggGAAXA5UxwRBv9yHeA5/+6BpmQcaGXqgF7GIU44
+ubaIGvXh4/U+bGWNNR35xDvorC3G+QE23PZlNJrvZ+wS/ZxzG/19TYMga0Podmrp
+9F0Io9LlObB5P9SlxF7LzawHW2Z9F3DdpSE8zX+ysavf5fXV+4xLva2GJAUu9QnL
+izrdLBDsgiBRSvrly4+VhUUDbEVddtGFdCSOwjuAiFipCDWdQDdXBKAzUnaqSu07
+eaulIdDKv6OWwDIQuLAdhG7qd9+/h5MB/rAG8v4bgbHz1H/RZw5VIOuOhfCodzJx
+3Smfh5td21jwJ2RfZYEPNOMtFa9eRFtH2/uRa5jbJiZb8YWIzWy0xCNQpKheSoBO
+wiuMDBS2HCYm2SgEYDdJiE2OkRAk0UwTiUmlmZd0a3NfJ/rfQE+JiDQ28Arj3EZl
+SY/V3KdviM4MbaoX7f9j9sjAe5Rk1M+yI8OsnM/hf77m0CSiJJpLpvgqhMjjT+NI
+aBm1FyTq6qu506d0YUZy+Wr2DRsBAoHBAPfshuOiDXo9UmJxM1mSJQ0rQlxWSWmX
+bIAsPrpKslTFYHk7xbcCbJCqMbHmCsyvYy3oW3SpJs6Vi2wQWuUQmsm0YC7qdkXF
+Fyo2f7vF7roQcXLxVmQRo0OxZ9JpLAZ9DKMEcNfYyUiQiqJmZuIyWKngqBl6OoL2
+8EJSFjTY1tR/nDxGLpZSsqoZJWQGd9B2bK4y6NktDF1GkexCpKaSyXZT612JGPG2
+0gSIwRq1OgZH3SPHevhVMjJtxGue2XARywKBwQDMfZHtdJI9RuurM9UuULZ72SmW
+oLzki3LwFQ/QoS9wrHK+OqQDWH2ddON1PoB4LOCpwB4CC83pMyfxurgLHut6saHL
+hQ5N+h0jUC2pSJOXZSfF2Hx8YHCT7Dga5kmgEy89c1TF48IL2LdUZQQIGZt8+FxM
+4nxT9NFlu/UWY2oftT+ZwFsIock/DYYUKxDXw9YkOmt1lO5u1SKte0NdQ4RhBeqK
+nRADMSS9oKZkSUxkwaDJH2GkUVTyBsF/kmh+dyECgcEA6jy3yRQPxcFwOAAZ8vOo
+PAP2I8WGgNQHOCYVce8nA/6jwocdq2YH6rpST3E4HOFMRFB3MAas2pvh6UyehDOm
++xGHmmv9KLgoxcJN9rvwbC0i8uVfqRYc+dUAcYTaiprVOKP2dYilzAB8ayly5R2K
+NZ5DVCbuZ1Ql9ZMW1gFVH9odY7kvROmHUjyF3jZaN0PcNM12v9HXD72gGudwJs0i
+uMBa7LmeLql7TbtjLvewhcSaA7bx0PS1g33ACapAZ6j3AoHAN2PsGz3wPtjvDTjF
+Df6e730rXrm7cMy1HYMW/ZQrnYGYsx5/PsjBfd0jn6aGdgbx9AkuF6/K3tgUgc3p
+/Fkrv9hN0yr/bO/K5L3bIHegQuoLk/PIBIi69daOe/rVBp8rtKGA3PmMnljdj+as
+6OTG0VsU5V6T/snZzozTHnVfUaduyt7nybbJJGMtZlkj/s31O2r3oKnuy+a/te4l
+mSWovf80QMe6hqLRKOxTJecU4lXwj4oIkNHXCJf74epuk5MBAoHBALyvg90KzMFX
+ZEjdPIXULR6/3rub8yD7LVYbNhhYWGo8GybzsBUC0kczRpRXFnmbq1GDIXQf5A+2
+3ZaGsWzAxLjvL3KwH1LUaXVWwFMOM2n6zTk18XEXrNvp+E5QtPwpO5c4VlPr0cAC
+tTPAmbu6kVPlQ6mKiqlPAsfh0BD2mRVo2cTjZgDotKshb5uCHD8/PnCfOjCXFxOf
+DWjBuR73/r5Bj+ktRoD4V2SFdO6loJwH6B8rsBjD0NbAGs9otKvy+Q==
+-----END RSA PRIVATE KEY-----
+"""
+)
+
+cleartextCertificateRequestPEM = b"""-----BEGIN CERTIFICATE REQUEST-----
+MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
+EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
+ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
+BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
+E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
+xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
+gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
+Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
+oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
+-----END CERTIFICATE REQUEST-----
+"""
+
+encryptedPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,9573604A18579E9E
+
+SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
+a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
+8+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
+mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
++00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
+fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
+tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
+rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
+gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
+o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
+7SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
+MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
+11n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
+-----END RSA PRIVATE KEY-----
+"""
+
+encryptedPrivateKeyPEMPassphrase = b"foobar"
+
+cleartextPrivateKeyPEM = """-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMcRMugJ4kvkOEuT
+AvMFr9+3A6+HAB6nKYcXXZz93ube8rJpBZQEfWn73H10dQiQR/a+rhxYEeLy8dPc
+UkFcGR9miVkukJ59zex7iySJY76bdBD8gyx1LTKrkCstP2XHKEYqgbj+tm7VzJnY
+sQLqoaa5NeyWJnUC3MJympkAS7p3AgMBAAECgYAoBAcNqd75jnjaiETRgVUnTWzK
+PgMCJmwsob/JrSa/lhWHU6Exbe2f/mcGOQDFpesxaIcrX3DJBDkkc2d9h/vsfo5v
+JLk/rbHoItWxwuY5n5raAPeQPToKpTDxDrL6Ejhgcxd19wNht7/XSrYZ+dq3iU6G
+mOEvU2hrnfIW3kwVYQJBAP62G6R0gucNfaKGtHzfR3TN9G/DnCItchF+TxGTtpdh
+Cz32MG+7pirT/0xunekmUIp15QHdRy496sVxWTCooLkCQQDIEwXTAwhLNRGFEs5S
+jSkxNfTVeNiOzlG8jPBJJDAdlLt1gUqjZWnk9yU+itMSGi/6eeuH2n04FFk+SV/T
+7ryvAkB0y0ZDk5VOozX/p2rtc2iNm77A3N4kIdiTQuq4sZXhNgN0pwWwxke8jbcb
+8gEAnqwBwWt//locTxHu9TmjgT8pAkEAlbF16B0atXptM02QxT8MlN8z4gxaqu4/
+RX2FwpOq1FcVsqMbvwj/o+ouGY8wwRiK0TMrQCf/DFhdNTcc1aqHzQJBAKWtq4LI
+uVZjCAuyrqEnt7R1bOiLrar+/ezJPY2z+f2rb1TGr31ztPeFvO3edLw+QdhzwJGp
+QKImYzqMe+zkIOQ=
+-----END PRIVATE KEY-----
+"""
+
+cleartextPublicKeyPEM = b"""-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l
+gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC
+90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+
+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5
+XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS
+8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL
+ywIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+# Some PKCS#7 stuff.  Generated with the openssl command line:
+#
+#    openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
+#
+# with a certificate and key (but the key should be irrelevant) in s.pem
+pkcs7Data = b"""\
+-----BEGIN PKCS7-----
+MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
+BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
+A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
+MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
+cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
+A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
+HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
+SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
+zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
+LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
+65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
+Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
+Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
+bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
+VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
+/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
+Ho4EzbYCOaEAMQA=
+-----END PKCS7-----
+"""
+
+pkcs7DataASN1 = base64.b64decode(
+    b"""
+MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
+BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
+A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
+MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
+cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
+A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
+HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
+SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
+zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
+LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
+65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
+Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
+Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
+bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
+VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
+/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
+Ho4EzbYCOaEAMQA=
+"""
+)
+
+crlData = b"""\
+-----BEGIN X509 CRL-----
+MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
+SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
+D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
+MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
+MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
+4dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
+0yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
+vrzEeLDRiiPl92dyyWmu
+-----END X509 CRL-----
+"""
+
+crlDataUnsupportedExtension = b"""\
+-----BEGIN X509 CRL-----
+MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
+BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw
+MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw
+MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn
+MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD
+CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw
+MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
+dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww
+GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE
+BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE
+GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG
+A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5
+LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR
+GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw
+FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx
+MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr
+pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV
+HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx
+MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
+Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw
+WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ
+BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw
+cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw
+WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy
+YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV
+HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV
+UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw
+MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3
+DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+
+drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c
+oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4
+7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz
+SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y
+C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw
+-----END X509 CRL-----
+"""
+
+
+# A broken RSA private key which can be used to test the error path through
+# PKey.check.
+inconsistentPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh
+5kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx
+OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT
+zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4
+nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2
+HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA
+oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w=
+-----END RSA PRIVATE KEY-----
+"""
+
+# certificate with NULL bytes in subjectAltName and common name
+
+nulbyteSubjectAltNamePEM = b"""-----BEGIN CERTIFICATE-----
+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
+-----END CERTIFICATE-----"""
+
+large_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
+MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH
+hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW
+9PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh
+g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ
+BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7
+TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt
+DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G
+P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk
+M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ
+jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90
+XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7
+sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf
+LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V
+J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t
+GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas
+6mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN
+evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX
+Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i
+ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi
+IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw
+xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7
+nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8
+sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF
+RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x
+j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv
+pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e
+8w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik
+JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4
+iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa
+7kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035
+kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc
+pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ
+8OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm
+vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs
+jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t
++nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN
+ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5
+L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb
+yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH
+AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5
+AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz
+aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT
+w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ
+G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr
+4It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ
+oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O
+Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT
+0ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3
+le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5
+AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave
+vYeU7Ab/
+-----END RSA PRIVATE KEY-----"""
+
+ec_private_key_pem = b"""-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYirTZSx+5O8Y6tlG
+cka6W6btJiocdrdolfcukSoTEk+hRANCAAQkvPNu7Pa1GcsWU4v7ptNfqCJVq8Cx
+zo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDiFqz3
+-----END PRIVATE KEY-----
+"""
+
+ec_root_key_pem = b"""-----BEGIN EC PRIVATE KEY-----
+MIGlAgEBBDEAz/HOBFPYLB0jLWeTpJn4Yc4m/C4mdWymVHBjOmnwiPHKT326iYN/
+ZhmSs+RM94RsoAcGBSuBBAAioWQDYgAEwE5vDdla/nLpWAPAQ0yFGqwLuw4BcN2r
+U+sKab5EAEHzLeceRa8ffncYdCXNoVsBcdob1y66CFZMEWLetPTmGapyWkBAs6/L
+8kUlkU9OsE+7IVo4QQJkgV5gM+Dim1XE
+-----END EC PRIVATE KEY-----
+"""
+
+ec_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
+MIICLTCCAbKgAwIBAgIMWW/hwTl6ufz6/WkCMAoGCCqGSM49BAMDMFgxGDAWBgNV
+BAMTD1Rlc3RpbmcgUm9vdCBDQTEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UEBxMH
+Q2hpY2FnbzELMAkGA1UECBMCSUwxCzAJBgNVBAYTAlVTMCAXDTE3MDcxOTIyNDgz
+M1oYDzk5OTkxMjMxMjM1OTU5WjBYMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0Ex
+EDAOBgNVBAoTB1Rlc3RpbmcxEDAOBgNVBAcTB0NoaWNhZ28xCzAJBgNVBAgTAklM
+MQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMBObw3ZWv5y6VgD
+wENMhRqsC7sOAXDdq1PrCmm+RABB8y3nHkWvH353GHQlzaFbAXHaG9cuughWTBFi
+3rT05hmqclpAQLOvy/JFJZFPTrBPuyFaOEECZIFeYDPg4ptVxKNDMEEwDwYDVR0T
+AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSoTrF0H2m8RDzB
+MnY2KReEPfz7ZjAKBggqhkjOPQQDAwNpADBmAjEA3+G1oVCxGjYX4iUN93QYcNHe
+e3fJQJwX9+KsHRut6qNZDUbvRbtO1YIAwB4UJZjwAjEAtXCPURS5A4McZHnSwgTi
+Td8GMrwKz0557OxxtKN6uVVy4ACFMqEw0zN/KJI1vxc9
+-----END CERTIFICATE-----"""
+
+rsa_p_not_prime_pem = """
+-----BEGIN RSA PRIVATE KEY-----
+MBsCAQACAS0CAQcCAQACAQ8CAQMCAQACAQACAQA=
+-----END RSA PRIVATE KEY-----
+"""
+
+
+@pytest.fixture
+def x509_data():
+    """
+    Create a new private key and start a certificate request (for a test
+    to finish in one way or another).
+    """
+    # Basic setup stuff to generate a certificate
+    pkey = PKey()
+    pkey.generate_key(TYPE_RSA, 512)
+    req = X509Req()
+    req.set_pubkey(pkey)
+    # Authority good you have.
+    req.get_subject().commonName = "Yoda root CA"
+    x509 = X509()
+    subject = x509.get_subject()
+    subject.commonName = req.get_subject().commonName
+    x509.set_issuer(subject)
+    x509.set_pubkey(pkey)
+    now = datetime.now()
+    expire = datetime.now() + timedelta(days=100)
+    x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
+    x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())
+    yield pkey, x509
+
+
+class TestX509Ext(object):
+    """
+    Tests for `OpenSSL.crypto.X509Extension`.
+    """
+
+    def test_str(self):
+        """
+        The string representation of `X509Extension` instances as
+        returned by `str` includes stuff.
+        """
+        # This isn't necessarily the best string representation.  Perhaps it
+        # will be changed/improved in the future.
+        assert (
+            str(X509Extension(b"basicConstraints", True, b"CA:false"))
+            == "CA:FALSE"
+        )
+
+    def test_type(self):
+        """
+        `X509Extension` can be used to create instances of that type.
+        """
+        assert is_consistent_type(
+            X509Extension,
+            "X509Extension",
+            b"basicConstraints",
+            True,
+            b"CA:true",
+        )
+
+    def test_construction(self):
+        """
+        `X509Extension` accepts an extension type name, a critical flag,
+        and an extension value and returns an `X509Extension` instance.
+        """
+        basic = X509Extension(b"basicConstraints", True, b"CA:true")
+        assert isinstance(basic, X509Extension)
+
+        comment = X509Extension(b"nsComment", False, b"pyOpenSSL unit test")
+        assert isinstance(comment, X509Extension)
+
+    @pytest.mark.parametrize(
+        "type_name, critical, value",
+        [
+            (b"thisIsMadeUp", False, b"hi"),
+            (b"basicConstraints", False, b"blah blah"),
+            # Exercise a weird one (an extension which uses the r2i method).
+            # This exercises the codepath that requires a non-NULL ctx to be
+            # passed to X509V3_EXT_nconf. It can't work now because we provide
+            # no configuration database. It might be made to work in the
+            # future.
+            (
+                b"proxyCertInfo",
+                True,
+                b"language:id-ppl-anyLanguage,pathlen:1,policy:text:AB",
+            ),
+        ],
+    )
+    def test_invalid_extension(self, type_name, critical, value):
+        """
+        `X509Extension` raises something if it is passed a bad
+        extension name or value.
+        """
+        with pytest.raises(Error):
+            X509Extension(type_name, critical, value)
+
+    @pytest.mark.parametrize("critical_flag", [True, False])
+    def test_get_critical(self, critical_flag):
+        """
+        `X509ExtensionType.get_critical` returns the value of the
+        extension's critical flag.
+        """
+        ext = X509Extension(b"basicConstraints", critical_flag, b"CA:true")
+        assert ext.get_critical() == critical_flag
+
+    @pytest.mark.parametrize(
+        "short_name, value",
+        [(b"basicConstraints", b"CA:true"), (b"nsComment", b"foo bar")],
+    )
+    def test_get_short_name(self, short_name, value):
+        """
+        `X509ExtensionType.get_short_name` returns a string giving the
+        short type name of the extension.
+        """
+        ext = X509Extension(short_name, True, value)
+        assert ext.get_short_name() == short_name
+
+    def test_get_data(self):
+        """
+        `X509Extension.get_data` returns a string giving the data of
+        the extension.
+        """
+        ext = X509Extension(b"basicConstraints", True, b"CA:true")
+        # Expect to get back the DER encoded form of CA:true.
+        assert ext.get_data() == b"0\x03\x01\x01\xff"
+
+    def test_unused_subject(self, x509_data):
+        """
+        The `subject` parameter to `X509Extension` may be provided for an
+        extension which does not use it and is ignored in this case.
+        """
+        pkey, x509 = x509_data
+        ext1 = X509Extension(
+            b"basicConstraints", False, b"CA:TRUE", subject=x509
+        )
+        x509.add_extensions([ext1])
+        x509.sign(pkey, "sha1")
+        # This is a little lame.  Can we think of a better way?
+        text = dump_certificate(FILETYPE_TEXT, x509)
+        assert b"X509v3 Basic Constraints:" in text
+        assert b"CA:TRUE" in text
+
+    def test_subject(self, x509_data):
+        """
+        If an extension requires a subject, the `subject` parameter to
+        `X509Extension` provides its value.
+        """
+        pkey, x509 = x509_data
+        ext3 = X509Extension(
+            b"subjectKeyIdentifier", False, b"hash", subject=x509
+        )
+        x509.add_extensions([ext3])
+        x509.sign(pkey, "sha1")
+        text = dump_certificate(FILETYPE_TEXT, x509)
+        assert b"X509v3 Subject Key Identifier:" in text
+
+    def test_missing_subject(self):
+        """
+        If an extension requires a subject and the `subject` parameter
+        is given no value, something happens.
+        """
+        with pytest.raises(Error):
+            X509Extension(b"subjectKeyIdentifier", False, b"hash")
+
+    @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
+    def test_invalid_subject(self, bad_obj):
+        """
+        If the `subject` parameter is given a value which is not an
+        `X509` instance, `TypeError` is raised.
+        """
+        with pytest.raises(TypeError):
+            X509Extension(
+                "basicConstraints", False, "CA:TRUE", subject=bad_obj
+            )
+
+    def test_unused_issuer(self, x509_data):
+        """
+        The `issuer` parameter to `X509Extension` may be provided for an
+        extension which does not use it and is ignored in this case.
+        """
+        pkey, x509 = x509_data
+        ext1 = X509Extension(
+            b"basicConstraints", False, b"CA:TRUE", issuer=x509
+        )
+        x509.add_extensions([ext1])
+        x509.sign(pkey, "sha1")
+        text = dump_certificate(FILETYPE_TEXT, x509)
+        assert b"X509v3 Basic Constraints:" in text
+        assert b"CA:TRUE" in text
+
+    def test_issuer(self, x509_data):
+        """
+        If an extension requires an issuer, the `issuer` parameter to
+        `X509Extension` provides its value.
+        """
+        pkey, x509 = x509_data
+        ext2 = X509Extension(
+            b"authorityKeyIdentifier", False, b"issuer:always", issuer=x509
+        )
+        x509.add_extensions([ext2])
+        x509.sign(pkey, "sha1")
+        text = dump_certificate(FILETYPE_TEXT, x509)
+        assert b"X509v3 Authority Key Identifier:" in text
+        assert b"DirName:/CN=Yoda root CA" in text
+
+    def test_missing_issuer(self):
+        """
+        If an extension requires an issue and the `issuer` parameter is
+        given no value, something happens.
+        """
+        with pytest.raises(Error):
+            X509Extension(
+                b"authorityKeyIdentifier", False, b"keyid:always,issuer:always"
+            )
+
+    @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
+    def test_invalid_issuer(self, bad_obj):
+        """
+        If the `issuer` parameter is given a value which is not an
+        `X509` instance, `TypeError` is raised.
+        """
+        with pytest.raises(TypeError):
+            X509Extension(
+                "basicConstraints",
+                False,
+                "keyid:always,issuer:always",
+                issuer=bad_obj,
+            )
+
+
+class TestPKey(object):
+    """
+    Tests for `OpenSSL.crypto.PKey`.
+    """
+
+    def test_convert_from_cryptography_private_key(self):
+        """
+        PKey.from_cryptography_key creates a proper private PKey.
+        """
+        key = serialization.load_pem_private_key(
+            intermediate_key_pem, None, backend
+        )
+        pkey = PKey.from_cryptography_key(key)
+
+        assert isinstance(pkey, PKey)
+        assert pkey.bits() == key.key_size
+        assert pkey._only_public is False
+        assert pkey._initialized is True
+
+    def test_convert_from_cryptography_public_key(self):
+        """
+        PKey.from_cryptography_key creates a proper public PKey.
+        """
+        key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend)
+        pkey = PKey.from_cryptography_key(key)
+
+        assert isinstance(pkey, PKey)
+        assert pkey.bits() == key.key_size
+        assert pkey._only_public is True
+        assert pkey._initialized is True
+
+    def test_convert_from_cryptography_unsupported_type(self):
+        """
+        PKey.from_cryptography_key raises TypeError with an unsupported type.
+        """
+        key = serialization.load_pem_private_key(
+            ec_private_key_pem, None, backend
+        )
+        with pytest.raises(TypeError):
+            PKey.from_cryptography_key(key)
+
+    def test_convert_public_pkey_to_cryptography_key(self):
+        """
+        PKey.to_cryptography_key creates a proper cryptography public key.
+        """
+        pkey = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
+        key = pkey.to_cryptography_key()
+
+        assert isinstance(key, rsa.RSAPublicKey)
+        assert pkey.bits() == key.key_size
+
+    def test_convert_private_pkey_to_cryptography_key(self):
+        """
+        PKey.to_cryptography_key creates a proper cryptography private key.
+        """
+        pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+        key = pkey.to_cryptography_key()
+
+        assert isinstance(key, rsa.RSAPrivateKey)
+        assert pkey.bits() == key.key_size
+
+    def test_type(self):
+        """
+        `PKey` can be used to create instances of that type.
+        """
+        assert is_consistent_type(PKey, "PKey")
+
+    def test_construction(self):
+        """
+        `PKey` takes no arguments and returns a new `PKey` instance.
+        """
+        key = PKey()
+        assert isinstance(key, PKey)
+
+    def test_pregeneration(self):
+        """
+        `PKey.bits` and `PKey.type` return `0` before the key is generated.
+        `PKey.check` raises `TypeError` before the key is generated.
+        """
+        key = PKey()
+        assert key.type() == 0
+        assert key.bits() == 0
+        with pytest.raises(TypeError):
+            key.check()
+
+    def test_failed_generation(self):
+        """
+        `PKey.generate_key` takes two arguments, the first giving the key type
+        as one of `TYPE_RSA` or `TYPE_DSA` and the second giving the number of
+        bits to generate.  If an invalid type is specified or generation fails,
+        `Error` is raised.  If an invalid number of bits is specified,
+        `ValueError` or `Error` is raised.
+        """
+        key = PKey()
+        with pytest.raises(TypeError):
+            key.generate_key("foo", "bar")
+        with pytest.raises(Error):
+            key.generate_key(-1, 0)
+
+        with pytest.raises(ValueError):
+            key.generate_key(TYPE_RSA, -1)
+        with pytest.raises(ValueError):
+            key.generate_key(TYPE_RSA, 0)
+
+        with pytest.raises(TypeError):
+            key.generate_key(TYPE_RSA, object())
+
+        # XXX RSA generation for small values of bits is fairly buggy in a wide
+        # range of OpenSSL versions.  I need to figure out what the safe lower
+        # bound for a reasonable number of OpenSSL versions is and explicitly
+        # check for that in the wrapper.  The failure behavior is typically an
+        # infinite loop inside OpenSSL.
+
+        # with pytest.raises(Error):
+        #     key.generate_key(TYPE_RSA, 2)
+
+        # XXX DSA generation seems happy with any number of bits.  The DSS
+        # says bits must be between 512 and 1024 inclusive.  OpenSSL's DSA
+        # generator doesn't seem to care about the upper limit at all.  For
+        # the lower limit, it uses 512 if anything smaller is specified.
+        # So, it doesn't seem possible to make generate_key fail for
+        # TYPE_DSA with a bits argument which is at least an int.
+
+        # with pytest.raises(Error):
+        #     key.generate_key(TYPE_DSA, -7)
+
+    def test_rsa_generation(self):
+        """
+        `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a
+        type and a reasonable number of bits.
+        """
+        bits = 512
+        key = PKey()
+        key.generate_key(TYPE_RSA, bits)
+        assert key.type() == TYPE_RSA
+        assert key.bits() == bits
+        assert key.check()
+
+    def test_dsa_generation(self):
+        """
+        `PKey.generate_key` generates a DSA key when passed `TYPE_DSA` as a
+        type and a reasonable number of bits.
+        """
+        # 512 is a magic number.  The DSS (Digital Signature Standard)
+        # allows a minimum of 512 bits for DSA.  DSA_generate_parameters
+        # will silently promote any value below 512 to 512.
+        bits = 512
+        key = PKey()
+        key.generate_key(TYPE_DSA, bits)
+        assert key.type() == TYPE_DSA
+        assert key.bits() == bits
+        with pytest.raises(TypeError):
+            key.check()
+
+    def test_regeneration(self):
+        """
+        `PKey.generate_key` can be called multiple times on the same key to
+        generate new keys.
+        """
+        key = PKey()
+        for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
+            key.generate_key(type, bits)
+            assert key.type() == type
+            assert key.bits() == bits
+
+    def test_inconsistent_key(self):
+        """
+        `PKey.check` returns `Error` if the key is not consistent.
+        """
+        key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM)
+        with pytest.raises(Error):
+            key.check()
+
+    def test_check_public_key(self):
+        """
+        `PKey.check` raises `TypeError` if only the public part of the key
+        is available.
+        """
+        # A trick to get a public-only key
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        cert = X509()
+        cert.set_pubkey(key)
+        pub = cert.get_pubkey()
+        with pytest.raises(TypeError):
+            pub.check()
+
+    def test_check_pr_897(self):
+        """
+        `PKey.check` raises `OpenSSL.crypto.Error` if provided with broken key
+        """
+        pkey = load_privatekey(FILETYPE_PEM, rsa_p_not_prime_pem)
+        with pytest.raises(Error):
+            pkey.check()
+
+
+def x509_name(**attrs):
+    """
+    Return a new X509Name with the given attributes.
+    """
+    # XXX There's no other way to get a new X509Name yet.
+    name = X509().get_subject()
+    attrs = list(attrs.items())
+
+    # Make the order stable - order matters!
+    def key(attr):
+        return attr[1]
+
+    attrs.sort(key=key)
+    for k, v in attrs:
+        setattr(name, k, v)
+    return name
+
+
+class TestX509Name(object):
+    """
+    Unit tests for `OpenSSL.crypto.X509Name`.
+    """
+
+    def test_type(self):
+        """
+        The type of X509Name objects is `X509Name`.
+        """
+        name = x509_name()
+        assert isinstance(name, X509Name)
+
+    def test_only_string_attributes(self):
+        """
+        Attempting to set a non-`str` attribute name on an `X509Name` instance
+        causes `TypeError` to be raised.
+        """
+        name = x509_name()
+        # Beyond these cases, you may also think that unicode should be
+        # rejected.  Sorry, you're wrong.  unicode is automatically converted
+        # to str outside of the control of X509Name, so there's no way to
+        # reject it.
+
+        # Also, this used to test str subclasses, but that test is less
+        # relevant now that the implementation is in Python instead of C.  Also
+        # PyPy automatically converts str subclasses to str when they are
+        # passed to setattr, so we can't test it on PyPy.  Apparently CPython
+        # does this sometimes as well.
+        with pytest.raises(TypeError):
+            setattr(name, None, "hello")
+        with pytest.raises(TypeError):
+            setattr(name, 30, "hello")
+
+    def test_set_invalid_attribute(self):
+        """
+        Attempting to set any attribute name on an `X509Name` instance for
+        which no corresponding NID is defined causes `AttributeError` to be
+        raised.
+        """
+        name = x509_name()
+        with pytest.raises(AttributeError):
+            setattr(name, "no such thing", None)
+
+    def test_attributes(self):
+        """
+        `X509Name` instances have attributes for each standard (?)
+        X509Name field.
+        """
+        name = x509_name()
+        name.commonName = "foo"
+        assert name.commonName == "foo"
+        assert name.CN == "foo"
+
+        name.CN = "baz"
+        assert name.commonName == "baz"
+        assert name.CN == "baz"
+
+        name.commonName = "bar"
+        assert name.commonName == "bar"
+        assert name.CN == "bar"
+
+        name.CN = "quux"
+        assert name.commonName == "quux"
+        assert name.CN == "quux"
+
+        assert name.OU is None
+
+        with pytest.raises(AttributeError):
+            name.foobar
+
+    def test_copy(self):
+        """
+        `X509Name` creates a new `X509Name` instance with all the same
+        attributes as an existing `X509Name` instance when called with one.
+        """
+        name = x509_name(commonName="foo", emailAddress="bar@example.com")
+
+        copy = X509Name(name)
+        assert copy.commonName == "foo"
+        assert copy.emailAddress == "bar@example.com"
+
+        # Mutate the copy and ensure the original is unmodified.
+        copy.commonName = "baz"
+        assert name.commonName == "foo"
+
+        # Mutate the original and ensure the copy is unmodified.
+        name.emailAddress = "quux@example.com"
+        assert copy.emailAddress == "bar@example.com"
+
+    def test_repr(self):
+        """
+        `repr` passed an `X509Name` instance should return a string containing
+        a description of the type and the NIDs which have been set on it.
+        """
+        name = x509_name(commonName="foo", emailAddress="bar")
+        assert repr(name) == "<X509Name object '/emailAddress=bar/CN=foo'>"
+
+    def test_comparison(self):
+        """
+        `X509Name` instances should compare based on their NIDs.
+        """
+
+        def _equality(a, b, assert_true, assert_false):
+            assert_true(a == b)
+            assert_false(a != b)
+            assert_true(b == a)
+            assert_false(b != a)
+
+        def assert_true(x):
+            assert x
+
+        def assert_false(x):
+            assert not x
+
+        def assert_equal(a, b):
+            _equality(a, b, assert_true, assert_false)
+
+        # Instances compare equal to themselves.
+        name = x509_name()
+        assert_equal(name, name)
+
+        # Empty instances should compare equal to each other.
+        assert_equal(x509_name(), x509_name())
+
+        # Instances with equal NIDs should compare equal to each other.
+        assert_equal(x509_name(commonName="foo"), x509_name(commonName="foo"))
+
+        # Instance with equal NIDs set using different aliases should compare
+        # equal to each other.
+        assert_equal(x509_name(commonName="foo"), x509_name(CN="foo"))
+
+        # Instances with more than one NID with the same values should compare
+        # equal to each other.
+        assert_equal(
+            x509_name(CN="foo", organizationalUnitName="bar"),
+            x509_name(commonName="foo", OU="bar"),
+        )
+
+        def assert_not_equal(a, b):
+            _equality(a, b, assert_false, assert_true)
+
+        # Instances with different values for the same NID should not compare
+        # equal to each other.
+        assert_not_equal(x509_name(CN="foo"), x509_name(CN="bar"))
+
+        # Instances with different NIDs should not compare equal to each other.
+        assert_not_equal(x509_name(CN="foo"), x509_name(OU="foo"))
+
+        assert_not_equal(x509_name(), object())
+
+        def _inequality(a, b, assert_true, assert_false):
+            assert_true(a < b)
+            assert_true(a <= b)
+            assert_true(b > a)
+            assert_true(b >= a)
+            assert_false(a > b)
+            assert_false(a >= b)
+            assert_false(b < a)
+            assert_false(b <= a)
+
+        def assert_less_than(a, b):
+            _inequality(a, b, assert_true, assert_false)
+
+        # An X509Name with a NID with a value which sorts less than the value
+        # of the same NID on another X509Name compares less than the other
+        # X509Name.
+        assert_less_than(x509_name(CN="abc"), x509_name(CN="def"))
+
+        def assert_greater_than(a, b):
+            _inequality(a, b, assert_false, assert_true)
+
+        # An X509Name with a NID with a value which sorts greater than the
+        # value of the same NID on another X509Name compares greater than the
+        # other X509Name.
+        assert_greater_than(x509_name(CN="def"), x509_name(CN="abc"))
+
+    def test_hash(self):
+        """
+        `X509Name.hash` returns an integer hash based on the value of the name.
+        """
+        a = x509_name(CN="foo")
+        b = x509_name(CN="foo")
+        assert a.hash() == b.hash()
+        a.CN = "bar"
+        assert a.hash() != b.hash()
+
+    def test_der(self):
+        """
+        `X509Name.der` returns the DER encoded form of the name.
+        """
+        a = x509_name(CN="foo", C="US")
+        assert (
+            a.der() == b"0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US"
+            b"1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo"
+        )
+
+    def test_get_components(self):
+        """
+        `X509Name.get_components` returns a `list` of two-tuples of `str`
+        giving the NIDs and associated values which make up the name.
+        """
+        a = x509_name()
+        assert a.get_components() == []
+        a.CN = "foo"
+        assert a.get_components() == [(b"CN", b"foo")]
+        a.organizationalUnitName = "bar"
+        assert a.get_components() == [(b"CN", b"foo"), (b"OU", b"bar")]
+
+    def test_load_nul_byte_attribute(self):
+        """
+        An `X509Name` from an `X509` instance loaded from a file can have a
+        NUL byte in the value of one of its attributes.
+        """
+        cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
+        subject = cert.get_subject()
+        assert "null.python.org\x00example.org" == subject.commonName
+
+    def test_load_nul_byte_components(self):
+        """
+        An `X509Name` from an `X509` instance loaded from a file can have a
+        NUL byte in the value of its components
+        """
+        cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
+        subject = cert.get_subject()
+        components = subject.get_components()
+        ccn = [value for name, value in components if name == b"CN"]
+        assert ccn[0] == b"null.python.org\x00example.org"
+
+    def test_set_attribute_failure(self):
+        """
+        If the value of an attribute cannot be set for some reason then
+        `Error` is raised.
+        """
+        name = x509_name()
+        # This value is too long
+        with pytest.raises(Error):
+            setattr(name, "O", b"x" * 512)
+
+
+class _PKeyInteractionTestsMixin:
+    """
+    Tests which involve another thing and a PKey.
+    """
+
+    def signable(self):
+        """
+        Return something with `set_pubkey` and `sign` methods.
+        """
+        raise NotImplementedError()
+
+    def test_sign_with_ungenerated(self):
+        """
+        `X509Req.sign` raises `ValueError` when passed a `PKey` with no parts.
+        """
+        request = self.signable()
+        key = PKey()
+        with pytest.raises(ValueError):
+            request.sign(key, GOOD_DIGEST)
+
+    def test_sign_with_public_key(self):
+        """
+        `X509Req.sign` raises `ValueError` when passed a `PKey` with no private
+        part as the signing key.
+        """
+        request = self.signable()
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        request.set_pubkey(key)
+        pub = request.get_pubkey()
+        with pytest.raises(ValueError):
+            request.sign(pub, GOOD_DIGEST)
+
+    def test_sign_with_unknown_digest(self):
+        """
+        `X509Req.sign` raises `ValueError` when passed a digest name which is
+        not known.
+        """
+        request = self.signable()
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        with pytest.raises(ValueError):
+            request.sign(key, BAD_DIGEST)
+
+    def test_sign(self):
+        """
+        `X509Req.sign` succeeds when passed a private key object and a
+        valid digest function. `X509Req.verify` can be used to check
+        the signature.
+        """
+        request = self.signable()
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        request.set_pubkey(key)
+        request.sign(key, GOOD_DIGEST)
+        # If the type has a verify method, cover that too.
+        if getattr(request, "verify", None) is not None:
+            pub = request.get_pubkey()
+            assert request.verify(pub)
+            # Make another key that won't verify.
+            key = PKey()
+            key.generate_key(TYPE_RSA, 512)
+            with pytest.raises(Error):
+                request.verify(key)
+
+
+class TestX509Req(_PKeyInteractionTestsMixin):
+    """
+    Tests for `OpenSSL.crypto.X509Req`.
+    """
+
+    def signable(self):
+        """
+        Create and return a new `X509Req`.
+        """
+        return X509Req()
+
+    def test_type(self):
+        """
+        `X509Req` can be used to create instances of that type.
+        """
+        assert is_consistent_type(X509Req, "X509Req")
+
+    def test_construction(self):
+        """
+        `X509Req` takes no arguments and returns an `X509Req` instance.
+        """
+        request = X509Req()
+        assert isinstance(request, X509Req)
+
+    def test_version(self):
+        """
+        `X509Req.set_version` sets the X.509 version of the certificate
+        request. `X509Req.get_version` returns the X.509 version of the
+        certificate request. The initial value of the version is 0.
+        """
+        request = X509Req()
+        assert request.get_version() == 0
+        request.set_version(1)
+        assert request.get_version() == 1
+        request.set_version(3)
+        assert request.get_version() == 3
+
+    def test_version_wrong_args(self):
+        """
+        `X509Req.set_version` raises `TypeError` if called with a non-`int`
+        argument.
+        """
+        request = X509Req()
+        with pytest.raises(TypeError):
+            request.set_version("foo")
+
+    def test_get_subject(self):
+        """
+        `X509Req.get_subject` returns an `X509Name` for the subject of the
+        request and which is valid even after the request object is
+        otherwise dead.
+        """
+        request = X509Req()
+        subject = request.get_subject()
+        assert isinstance(subject, X509Name)
+        subject.commonName = "foo"
+        assert request.get_subject().commonName == "foo"
+        del request
+        subject.commonName = "bar"
+        assert subject.commonName == "bar"
+
+    def test_add_extensions(self):
+        """
+        `X509Req.add_extensions` accepts a `list` of `X509Extension` instances
+        and adds them to the X509 request.
+        """
+        request = X509Req()
+        request.add_extensions(
+            [X509Extension(b"basicConstraints", True, b"CA:false")]
+        )
+        exts = request.get_extensions()
+        assert len(exts) == 1
+        assert exts[0].get_short_name() == b"basicConstraints"
+        assert exts[0].get_critical() == 1
+        assert exts[0].get_data() == b"0\x00"
+
+    def test_get_extensions(self):
+        """
+        `X509Req.get_extensions` returns a `list` of extensions added to this
+        X509 request.
+        """
+        request = X509Req()
+        exts = request.get_extensions()
+        assert exts == []
+        request.add_extensions(
+            [
+                X509Extension(b"basicConstraints", True, b"CA:true"),
+                X509Extension(b"keyUsage", False, b"digitalSignature"),
+            ]
+        )
+        exts = request.get_extensions()
+        assert len(exts) == 2
+        assert exts[0].get_short_name() == b"basicConstraints"
+        assert exts[0].get_critical() == 1
+        assert exts[0].get_data() == b"0\x03\x01\x01\xff"
+        assert exts[1].get_short_name() == b"keyUsage"
+        assert exts[1].get_critical() == 0
+        assert exts[1].get_data() == b"\x03\x02\x07\x80"
+        # Requesting it a second time should return the same list
+        exts = request.get_extensions()
+        assert len(exts) == 2
+
+    def test_add_extensions_wrong_args(self):
+        """
+        `X509Req.add_extensions` raises `TypeError` if called with a
+        non-`list`.  Or it raises `ValueError` if called with a `list`
+        containing objects other than `X509Extension` instances.
+        """
+        request = X509Req()
+        with pytest.raises(TypeError):
+            request.add_extensions(object())
+        with pytest.raises(ValueError):
+            request.add_extensions([object()])
+
+    def test_verify_wrong_args(self):
+        """
+        `X509Req.verify` raises `TypeError` if passed anything other than a
+        `PKey` instance as its single argument.
+        """
+        request = X509Req()
+        with pytest.raises(TypeError):
+            request.verify(object())
+
+    def test_verify_uninitialized_key(self):
+        """
+        `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
+        `OpenSSL.crypto.PKey` which contains no key data.
+        """
+        request = X509Req()
+        pkey = PKey()
+        with pytest.raises(Error):
+            request.verify(pkey)
+
+    def test_verify_wrong_key(self):
+        """
+        `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
+        `OpenSSL.crypto.PKey` which does not represent the public part of the
+        key which signed the request.
+        """
+        request = X509Req()
+        pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+        request.set_pubkey(pkey)
+        request.sign(pkey, GOOD_DIGEST)
+        another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
+        with pytest.raises(Error):
+            request.verify(another_pkey)
+
+    def test_verify_success(self):
+        """
+        `X509Req.verify` returns `True` if called with a `OpenSSL.crypto.PKey`
+        which represents the public part of the key which signed the request.
+        """
+        request = X509Req()
+        pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+        request.set_pubkey(pkey)
+        request.sign(pkey, GOOD_DIGEST)
+        assert request.verify(pkey)
+
+    def test_convert_from_cryptography(self):
+        crypto_req = x509.load_pem_x509_csr(
+            cleartextCertificateRequestPEM, backend
+        )
+        req = X509Req.from_cryptography(crypto_req)
+        assert isinstance(req, X509Req)
+
+    def test_convert_from_cryptography_unsupported_type(self):
+        with pytest.raises(TypeError):
+            X509Req.from_cryptography(object())
+
+    def test_convert_to_cryptography_key(self):
+        req = load_certificate_request(
+            FILETYPE_PEM, cleartextCertificateRequestPEM
+        )
+        crypto_req = req.to_cryptography()
+        assert isinstance(crypto_req, x509.CertificateSigningRequest)
+
+
+class TestX509(_PKeyInteractionTestsMixin):
+    """
+    Tests for `OpenSSL.crypto.X509`.
+    """
+
+    pemData = root_cert_pem + root_key_pem
+
+    def signable(self):
+        """
+        Create and return a new `X509`.
+        """
+        certificate = X509()
+        # Fill in placeholder validity values. signable only expects to call
+        # set_pubkey and sign.
+        certificate.gmtime_adj_notBefore(-24 * 60 * 60)
+        certificate.gmtime_adj_notAfter(24 * 60 * 60)
+        return certificate
+
+    def test_type(self):
+        """
+        `X509` can be used to create instances of that type.
+        """
+        assert is_consistent_type(X509, "X509")
+
+    def test_construction(self):
+        """
+        `X509` takes no arguments and returns an instance of `X509`.
+        """
+        certificate = X509()
+        assert isinstance(certificate, X509)
+        assert type(certificate).__name__ == "X509"
+        assert type(certificate) == X509
+
+    def test_set_version_wrong_args(self):
+        """
+        `X509.set_version` raises `TypeError` if invoked with an argument
+        not of type `int`.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.set_version(None)
+
+    def test_version(self):
+        """
+        `X509.set_version` sets the certificate version number.
+        `X509.get_version` retrieves it.
+        """
+        cert = X509()
+        cert.set_version(1234)
+        assert cert.get_version() == 1234
+
+    def test_serial_number(self):
+        """
+        The serial number of an `X509` can be retrieved and
+        modified with `X509.get_serial_number` and
+        `X509.set_serial_number`.
+        """
+        certificate = X509()
+        with pytest.raises(TypeError):
+            certificate.set_serial_number("1")
+        assert certificate.get_serial_number() == 0
+        certificate.set_serial_number(1)
+        assert certificate.get_serial_number() == 1
+        certificate.set_serial_number(2 ** 32 + 1)
+        assert certificate.get_serial_number() == 2 ** 32 + 1
+        certificate.set_serial_number(2 ** 64 + 1)
+        assert certificate.get_serial_number() == 2 ** 64 + 1
+        certificate.set_serial_number(2 ** 128 + 1)
+        assert certificate.get_serial_number() == 2 ** 128 + 1
+
+    def _setBoundTest(self, which):
+        """
+        `X509.set_notBefore` takes a string in the format of an
+        ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
+        validity period to it.
+        """
+        certificate = X509()
+        set = getattr(certificate, "set_not" + which)
+        get = getattr(certificate, "get_not" + which)
+
+        # Starts with no value.
+        assert get() is None
+
+        # GMT (Or is it UTC?) -exarkun
+        when = b"20040203040506Z"
+        set(when)
+        assert get() == when
+
+        # A plus two hours and thirty minutes offset
+        when = b"20040203040506+0530"
+        set(when)
+        assert get() == when
+
+        # A minus one hour fifteen minutes offset
+        when = b"20040203040506-0115"
+        set(when)
+        assert get() == when
+
+        # An invalid string results in a ValueError
+        with pytest.raises(ValueError):
+            set(b"foo bar")
+
+        # The wrong number of arguments results in a TypeError.
+        with pytest.raises(TypeError):
+            set()
+        with pytest.raises(TypeError):
+            set(b"20040203040506Z", b"20040203040506Z")
+        with pytest.raises(TypeError):
+            get(b"foo bar")
+
+    # XXX ASN1_TIME (not GENERALIZEDTIME)
+
+    def test_set_notBefore(self):
+        """
+        `X509.set_notBefore` takes a string in the format of an
+        ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
+        validity period to it.
+        """
+        self._setBoundTest("Before")
+
+    def test_set_notAfter(self):
+        """
+        `X509.set_notAfter` takes a string in the format of an ASN1
+        GENERALIZEDTIME and sets the end of the certificate's validity period
+        to it.
+        """
+        self._setBoundTest("After")
+
+    def test_get_notBefore(self):
+        """
+        `X509.get_notBefore` returns a string in the format of an
+        ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
+        internally.
+        """
+        cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+        assert cert.get_notBefore() == b"20090325123658Z"
+
+    def test_get_notAfter(self):
+        """
+        `X509.get_notAfter` returns a string in the format of an
+        ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
+        internally.
+        """
+        cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+        assert cert.get_notAfter() == b"20170611123658Z"
+
+    def test_gmtime_adj_notBefore_wrong_args(self):
+        """
+        `X509.gmtime_adj_notBefore` raises `TypeError` if called with a
+        non-`int` argument.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.gmtime_adj_notBefore(None)
+
+    @flaky.flaky
+    def test_gmtime_adj_notBefore(self):
+        """
+        `X509.gmtime_adj_notBefore` changes the not-before timestamp to be the
+        current time plus the number of seconds passed in.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        not_before_min = datetime.utcnow().replace(microsecond=0) + timedelta(
+            seconds=100
+        )
+        cert.gmtime_adj_notBefore(100)
+        not_before = datetime.strptime(
+            cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ"
+        )
+        not_before_max = datetime.utcnow() + timedelta(seconds=100)
+        assert not_before_min <= not_before <= not_before_max
+
+    def test_gmtime_adj_notAfter_wrong_args(self):
+        """
+        `X509.gmtime_adj_notAfter` raises `TypeError` if called with a
+        non-`int` argument.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.gmtime_adj_notAfter(None)
+
+    @flaky.flaky
+    def test_gmtime_adj_notAfter(self):
+        """
+        `X509.gmtime_adj_notAfter` changes the not-after timestamp
+        to be the current time plus the number of seconds passed in.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        not_after_min = datetime.utcnow().replace(microsecond=0) + timedelta(
+            seconds=100
+        )
+        cert.gmtime_adj_notAfter(100)
+        not_after = datetime.strptime(
+            cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ"
+        )
+        not_after_max = datetime.utcnow() + timedelta(seconds=100)
+        assert not_after_min <= not_after <= not_after_max
+
+    def test_has_expired(self):
+        """
+        `X509.has_expired` returns `True` if the certificate's not-after time
+        is in the past.
+        """
+        cert = X509()
+        cert.gmtime_adj_notAfter(-1)
+        assert cert.has_expired()
+
+    def test_has_not_expired(self):
+        """
+        `X509.has_expired` returns `False` if the certificate's not-after time
+        is in the future.
+        """
+        cert = X509()
+        cert.gmtime_adj_notAfter(2)
+        assert not cert.has_expired()
+
+    def test_root_has_not_expired(self):
+        """
+        `X509.has_expired` returns `False` if the certificate's not-after time
+        is in the future.
+        """
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        assert not cert.has_expired()
+
+    def test_digest(self):
+        """
+        `X509.digest` returns a string giving ":"-separated hex-encoded
+        words of the digest of the certificate.
+        """
+        cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
+        assert (
+            # This is MD5 instead of GOOD_DIGEST because the digest algorithm
+            # actually matters to the assertion (ie, another arbitrary, good
+            # digest will not product the same digest).
+            # Digest verified with the command:
+            # openssl x509 -in root_cert.pem -noout -fingerprint -md5
+            cert.digest("MD5")
+            == b"19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"
+        )
+
+    def _extcert(self, pkey, extensions):
+        cert = X509()
+        # Certificates with extensions must be X.509v3, which is encoded with a
+        # version of two.
+        cert.set_version(2)
+        cert.set_pubkey(pkey)
+        cert.get_subject().commonName = "Unit Tests"
+        cert.get_issuer().commonName = "Unit Tests"
+        when = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
+        cert.set_notBefore(when)
+        cert.set_notAfter(when)
+
+        cert.add_extensions(extensions)
+        cert.sign(pkey, "sha1")
+        return load_certificate(
+            FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert)
+        )
+
+    def test_extension_count(self):
+        """
+        `X509.get_extension_count` returns the number of extensions
+        that are present in the certificate.
+        """
+        pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
+        ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
+        key = X509Extension(b"keyUsage", True, b"digitalSignature")
+        subjectAltName = X509Extension(
+            b"subjectAltName", True, b"DNS:example.com"
+        )
+
+        # Try a certificate with no extensions at all.
+        c = self._extcert(pkey, [])
+        assert c.get_extension_count() == 0
+
+        # And a certificate with one
+        c = self._extcert(pkey, [ca])
+        assert c.get_extension_count() == 1
+
+        # And a certificate with several
+        c = self._extcert(pkey, [ca, key, subjectAltName])
+        assert c.get_extension_count() == 3
+
+    def test_get_extension(self):
+        """
+        `X509.get_extension` takes an integer and returns an
+        `X509Extension` corresponding to the extension at that index.
+        """
+        pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
+        ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
+        key = X509Extension(b"keyUsage", True, b"digitalSignature")
+        subjectAltName = X509Extension(
+            b"subjectAltName", False, b"DNS:example.com"
+        )
+
+        cert = self._extcert(pkey, [ca, key, subjectAltName])
+
+        ext = cert.get_extension(0)
+        assert isinstance(ext, X509Extension)
+        assert ext.get_critical()
+        assert ext.get_short_name() == b"basicConstraints"
+
+        ext = cert.get_extension(1)
+        assert isinstance(ext, X509Extension)
+        assert ext.get_critical()
+        assert ext.get_short_name() == b"keyUsage"
+
+        ext = cert.get_extension(2)
+        assert isinstance(ext, X509Extension)
+        assert not ext.get_critical()
+        assert ext.get_short_name() == b"subjectAltName"
+
+        with pytest.raises(IndexError):
+            cert.get_extension(-1)
+        with pytest.raises(IndexError):
+            cert.get_extension(4)
+        with pytest.raises(TypeError):
+            cert.get_extension("hello")
+
+    def test_nullbyte_subjectAltName(self):
+        """
+        The fields of a `subjectAltName` extension on an X509 may contain NUL
+        bytes and this value is reflected in the string representation of the
+        extension object.
+        """
+        cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
+
+        ext = cert.get_extension(3)
+        assert ext.get_short_name() == b"subjectAltName"
+        assert (
+            b"DNS:altnull.python.org\x00example.com, "
+            b"email:null@python.org\x00user@example.org, "
+            b"URI:http://null.python.org\x00http://example.org, "
+            b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"
+            == str(ext).encode("ascii")
+        )
+
+    def test_invalid_digest_algorithm(self):
+        """
+        `X509.digest` raises `ValueError` if called with an unrecognized hash
+        algorithm.
+        """
+        cert = X509()
+        with pytest.raises(ValueError):
+            cert.digest(BAD_DIGEST)
+
+    def test_get_subject(self):
+        """
+        `X509.get_subject` returns an `X509Name` instance.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        subj = cert.get_subject()
+        assert isinstance(subj, X509Name)
+        assert subj.get_components() == [
+            (b"C", b"US"),
+            (b"ST", b"IL"),
+            (b"L", b"Chicago"),
+            (b"O", b"Testing"),
+            (b"CN", b"Testing Root CA"),
+        ]
+
+    def test_set_subject_wrong_args(self):
+        """
+        `X509.set_subject` raises a `TypeError` if called with an argument not
+        of type `X509Name`.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.set_subject(None)
+
+    def test_set_subject(self):
+        """
+        `X509.set_subject` changes the subject of the certificate to the one
+        passed in.
+        """
+        cert = X509()
+        name = cert.get_subject()
+        name.C = "AU"
+        name.OU = "Unit Tests"
+        cert.set_subject(name)
+        assert cert.get_subject().get_components() == [
+            (b"C", b"AU"),
+            (b"OU", b"Unit Tests"),
+        ]
+
+    def test_get_issuer(self):
+        """
+        `X509.get_issuer` returns an `X509Name` instance.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        subj = cert.get_issuer()
+        assert isinstance(subj, X509Name)
+        comp = subj.get_components()
+        assert comp == [
+            (b"C", b"US"),
+            (b"ST", b"IL"),
+            (b"L", b"Chicago"),
+            (b"O", b"Testing"),
+            (b"CN", b"Testing Root CA"),
+        ]
+
+    def test_set_issuer_wrong_args(self):
+        """
+        `X509.set_issuer` raises a `TypeError` if called with an argument not
+        of type `X509Name`.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.set_issuer(None)
+
+    def test_set_issuer(self):
+        """
+        `X509.set_issuer` changes the issuer of the certificate to the
+        one passed in.
+        """
+        cert = X509()
+        name = cert.get_issuer()
+        name.C = "AU"
+        name.OU = "Unit Tests"
+        cert.set_issuer(name)
+        assert cert.get_issuer().get_components() == [
+            (b"C", b"AU"),
+            (b"OU", b"Unit Tests"),
+        ]
+
+    def test_get_pubkey_uninitialized(self):
+        """
+        When called on a certificate with no public key, `X509.get_pubkey`
+        raises `OpenSSL.crypto.Error`.
+        """
+        cert = X509()
+        with pytest.raises(Error):
+            cert.get_pubkey()
+
+    def test_set_pubkey_wrong_type(self):
+        """
+        `X509.set_pubkey` raises `TypeError` when given an object of the
+        wrong type.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.set_pubkey(object())
+
+    def test_subject_name_hash(self):
+        """
+        `X509.subject_name_hash` returns the hash of the certificate's
+        subject name.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        # SHA1
+        assert cert.subject_name_hash() == 3278919224
+
+    def test_get_signature_algorithm(self):
+        """
+        `X509.get_signature_algorithm` returns a string which means
+        the algorithm used to sign the certificate.
+        """
+        cert = load_certificate(FILETYPE_PEM, self.pemData)
+        assert b"sha256WithRSAEncryption" == cert.get_signature_algorithm()
+
+    def test_get_undefined_signature_algorithm(self):
+        """
+        `X509.get_signature_algorithm` raises `ValueError` if the signature
+        algorithm is undefined or unknown.
+        """
+        # This certificate has been modified to indicate a bogus OID in the
+        # signature algorithm field so that OpenSSL does not recognize it.
+        certPEM = b"""\
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
+EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
+cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
+MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG
+EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG
+CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
+AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V
++fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg
+hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT
+FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw
+dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0
+aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA
+MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx
+jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O
+PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN
+tgI5
+-----END CERTIFICATE-----
+"""
+        cert = load_certificate(FILETYPE_PEM, certPEM)
+        with pytest.raises(ValueError):
+            cert.get_signature_algorithm()
+
+    def test_sign_bad_pubkey_type(self):
+        """
+        `X509.sign` raises `TypeError` when called with the wrong type.
+        """
+        cert = X509()
+        with pytest.raises(TypeError):
+            cert.sign(object(), b"sha256")
+
+    def test_convert_from_cryptography(self):
+        crypto_cert = x509.load_pem_x509_certificate(
+            intermediate_cert_pem, backend
+        )
+        cert = X509.from_cryptography(crypto_cert)
+
+        assert isinstance(cert, X509)
+        assert cert.get_version() == crypto_cert.version.value
+
+    def test_convert_from_cryptography_unsupported_type(self):
+        with pytest.raises(TypeError):
+            X509.from_cryptography(object())
+
+    def test_convert_to_cryptography_key(self):
+        cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
+        crypto_cert = cert.to_cryptography()
+
+        assert isinstance(crypto_cert, x509.Certificate)
+        assert crypto_cert.version.value == cert.get_version()
+
+
+class TestX509Store(object):
+    """
+    Test for `OpenSSL.crypto.X509Store`.
+    """
+
+    def test_type(self):
+        """
+        `X509Store` is a type object.
+        """
+        assert is_consistent_type(X509Store, "X509Store")
+
+    def test_add_cert(self):
+        """
+        `X509Store.add_cert` adds a `X509` instance to the certificate store.
+        """
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        store = X509Store()
+        store.add_cert(cert)
+
+    @pytest.mark.parametrize("cert", [None, 1.0, "cert", object()])
+    def test_add_cert_wrong_args(self, cert):
+        """
+        `X509Store.add_cert` raises `TypeError` if passed a non-X509 object
+        as its first argument.
+        """
+        store = X509Store()
+        with pytest.raises(TypeError):
+            store.add_cert(cert)
+
+    def test_add_cert_accepts_duplicate(self):
+        """
+        `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
+        is made to add the same certificate to the store more than once.
+        """
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        store = X509Store()
+        store.add_cert(cert)
+        store.add_cert(cert)
+
+    @pytest.mark.parametrize(
+        "cafile, capath, call_cafile, call_capath",
+        [
+            (
+                "/cafile" + NON_ASCII,
+                None,
+                b"/cafile" + NON_ASCII.encode(sys.getfilesystemencoding()),
+                _ffi.NULL,
+            ),
+            (
+                b"/cafile" + NON_ASCII.encode("utf-8"),
+                None,
+                b"/cafile" + NON_ASCII.encode("utf-8"),
+                _ffi.NULL,
+            ),
+            (
+                None,
+                "/capath" + NON_ASCII,
+                _ffi.NULL,
+                b"/capath" + NON_ASCII.encode(sys.getfilesystemencoding()),
+            ),
+            (
+                None,
+                b"/capath" + NON_ASCII.encode("utf-8"),
+                _ffi.NULL,
+                b"/capath" + NON_ASCII.encode("utf-8"),
+            ),
+        ],
+    )
+    def test_load_locations_parameters(
+        self, cafile, capath, call_cafile, call_capath, monkeypatch
+    ):
+        class LibMock(object):
+            def load_locations(self, store, cafile, capath):
+                self.cafile = cafile
+                self.capath = capath
+                return 1
+
+        lib_mock = LibMock()
+        monkeypatch.setattr(
+            _lib, "X509_STORE_load_locations", lib_mock.load_locations
+        )
+
+        store = X509Store()
+        store.load_locations(cafile=cafile, capath=capath)
+
+        assert call_cafile == lib_mock.cafile
+        assert call_capath == lib_mock.capath
+
+    def test_load_locations_fails_when_all_args_are_none(self):
+        store = X509Store()
+        with pytest.raises(Error):
+            store.load_locations(None, None)
+
+    def test_load_locations_raises_error_on_failure(self, tmpdir):
+        invalid_ca_file = tmpdir.join("invalid.pem")
+        invalid_ca_file.write("This is not a certificate")
+
+        store = X509Store()
+        with pytest.raises(Error):
+            store.load_locations(cafile=str(invalid_ca_file))
+
+
+class TestPKCS12(object):
+    """
+    Test for `OpenSSL.crypto.PKCS12` and `OpenSSL.crypto.load_pkcs12`.
+    """
+
+    def test_type(self):
+        """
+        `PKCS12` is a type object.
+        """
+        assert is_consistent_type(PKCS12, "PKCS12")
+
+    def test_empty_construction(self):
+        """
+        `PKCS12` returns a new instance of `PKCS12` with no certificate,
+        private key, CA certificates, or friendly name.
+        """
+        p12 = PKCS12()
+        assert None is p12.get_certificate()
+        assert None is p12.get_privatekey()
+        assert None is p12.get_ca_certificates()
+        assert None is p12.get_friendlyname()
+
+    def test_type_errors(self):
+        """
+        The `PKCS12` setter functions (`set_certificate`, `set_privatekey`,
+        `set_ca_certificates`, and `set_friendlyname`) raise `TypeError`
+        when passed objects of types other than those expected.
+        """
+        p12 = PKCS12()
+        for bad_arg in [3, PKey(), X509]:
+            with pytest.raises(TypeError):
+                p12.set_certificate(bad_arg)
+        for bad_arg in [3, "legbone", X509()]:
+            with pytest.raises(TypeError):
+                p12.set_privatekey(bad_arg)
+        for bad_arg in [3, X509(), (3, 4), (PKey(),)]:
+            with pytest.raises(TypeError):
+                p12.set_ca_certificates(bad_arg)
+        for bad_arg in [6, ("foo", "bar")]:
+            with pytest.raises(TypeError):
+                p12.set_friendlyname(bad_arg)
+
+    def test_key_only(self):
+        """
+        A `PKCS12` with only a private key can be exported using
+        `PKCS12.export` and loaded again using `load_pkcs12`.
+        """
+        passwd = b"blah"
+        p12 = PKCS12()
+        pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+        p12.set_privatekey(pkey)
+        assert None is p12.get_certificate()
+        assert pkey == p12.get_privatekey()
+        try:
+            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
+        except Error:
+            # Some versions of OpenSSL will throw an exception
+            # for this nearly useless PKCS12 we tried to generate:
+            # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
+            return
+        p12 = load_pkcs12(dumped_p12, passwd)
+        assert None is p12.get_ca_certificates()
+        assert None is p12.get_certificate()
+
+        # OpenSSL fails to bring the key back to us.  So sad.  Perhaps in the
+        # future this will be improved.
+        assert isinstance(p12.get_privatekey(), (PKey, type(None)))
+
+    def test_cert_only(self):
+        """
+        A `PKCS12` with only a certificate can be exported using
+        `PKCS12.export` and loaded again using `load_pkcs12`.
+        """
+        passwd = b"blah"
+        p12 = PKCS12()
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        p12.set_certificate(cert)
+        assert cert == p12.get_certificate()
+        assert None is p12.get_privatekey()
+        try:
+            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
+        except Error:
+            # Some versions of OpenSSL will throw an exception
+            # for this nearly useless PKCS12 we tried to generate:
+            # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
+            return
+        p12 = load_pkcs12(dumped_p12, passwd)
+        assert None is p12.get_privatekey()
+
+        # OpenSSL fails to bring the cert back to us.  Groany mcgroan.
+        assert isinstance(p12.get_certificate(), (X509, type(None)))
+
+        # Oh ho.  It puts the certificate into the ca certificates list, in
+        # fact.  Totally bogus, I would think.  Nevertheless, let's exploit
+        # that to check to see if it reconstructed the certificate we expected
+        # it to.  At some point, hopefully this will change so that
+        # p12.get_certificate() is actually what returns the loaded
+        # certificate.
+        assert root_cert_pem == dump_certificate(
+            FILETYPE_PEM, p12.get_ca_certificates()[0]
+        )
+
+    def gen_pkcs12(
+        self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None
+    ):
+        """
+        Generate a PKCS12 object with components from PEM.  Verify that the set
+        functions return None.
+        """
+        p12 = PKCS12()
+        if cert_pem:
+            ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
+            assert ret is None
+        if key_pem:
+            ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
+            assert ret is None
+        if ca_pem:
+            ret = p12.set_ca_certificates(
+                (load_certificate(FILETYPE_PEM, ca_pem),)
+            )
+            assert ret is None
+        if friendly_name:
+            ret = p12.set_friendlyname(friendly_name)
+            assert ret is None
+        return p12
+
+    def check_recovery(
+        self, p12_str, key=None, cert=None, ca=None, passwd=b"", extra=()
+    ):
+        """
+        Use openssl program to confirm three components are recoverable from a
+        PKCS12 string.
+        """
+        if key:
+            recovered_key = _runopenssl(
+                p12_str,
+                b"pkcs12",
+                b"-nocerts",
+                b"-nodes",
+                b"-passin",
+                b"pass:" + passwd,
+                *extra
+            )
+            assert recovered_key[-len(key) :] == key
+        if cert:
+            recovered_cert = _runopenssl(
+                p12_str,
+                b"pkcs12",
+                b"-clcerts",
+                b"-nodes",
+                b"-passin",
+                b"pass:" + passwd,
+                b"-nokeys",
+                *extra
+            )
+            assert recovered_cert[-len(cert) :] == cert
+        if ca:
+            recovered_cert = _runopenssl(
+                p12_str,
+                b"pkcs12",
+                b"-cacerts",
+                b"-nodes",
+                b"-passin",
+                b"pass:" + passwd,
+                b"-nokeys",
+                *extra
+            )
+            assert recovered_cert[-len(ca) :] == ca
+
+    def verify_pkcs12_container(self, p12):
+        """
+        Verify that the PKCS#12 container contains the correct client
+        certificate and private key.
+
+        :param p12: The PKCS12 instance to verify.
+        :type p12: `PKCS12`
+        """
+        cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
+        key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
+        assert (client_cert_pem, client_key_pem, None) == (
+            cert_pem,
+            key_pem,
+            p12.get_ca_certificates(),
+        )
+
+    def test_load_pkcs12(self):
+        """
+        A PKCS12 string generated using the openssl command line can be loaded
+        with `load_pkcs12` and its components extracted and examined.
+        """
+        passwd = b"whatever"
+        pem = client_key_pem + client_cert_pem
+        p12_str = _runopenssl(
+            pem,
+            b"pkcs12",
+            b"-export",
+            b"-clcerts",
+            b"-passout",
+            b"pass:" + passwd,
+        )
+        p12 = load_pkcs12(p12_str, passphrase=passwd)
+        self.verify_pkcs12_container(p12)
+
+    def test_load_pkcs12_text_passphrase(self):
+        """
+        A PKCS12 string generated using the openssl command line can be loaded
+        with `load_pkcs12` and its components extracted and examined.
+        Using text as passphrase instead of bytes. DeprecationWarning expected.
+        """
+        pem = client_key_pem + client_cert_pem
+        passwd = b"whatever"
+        p12_str = _runopenssl(
+            pem,
+            b"pkcs12",
+            b"-export",
+            b"-clcerts",
+            b"-passout",
+            b"pass:" + passwd,
+        )
+        with pytest.warns(DeprecationWarning) as w:
+            simplefilter("always")
+            p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii"))
+            msg = "{0} for passphrase is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            )
+            assert msg == str(w[-1].message)
+
+        self.verify_pkcs12_container(p12)
+
+    def test_load_pkcs12_no_passphrase(self):
+        """
+        A PKCS12 string generated using openssl command line can be loaded with
+        `load_pkcs12` without a passphrase and its components extracted
+        and examined.
+        """
+        pem = client_key_pem + client_cert_pem
+        p12_str = _runopenssl(
+            pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:"
+        )
+        p12 = load_pkcs12(p12_str)
+        self.verify_pkcs12_container(p12)
+
+    def _dump_and_load(self, dump_passphrase, load_passphrase):
+        """
+        A helper method to dump and load a PKCS12 object.
+        """
+        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem)
+        dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3)
+        return load_pkcs12(dumped_p12, passphrase=load_passphrase)
+
+    def test_load_pkcs12_null_passphrase_load_empty(self):
+        """
+        A PKCS12 string can be dumped with a null passphrase, loaded with an
+        empty passphrase with `load_pkcs12`, and its components
+        extracted and examined.
+        """
+        self.verify_pkcs12_container(
+            self._dump_and_load(dump_passphrase=None, load_passphrase=b"")
+        )
+
+    def test_load_pkcs12_null_passphrase_load_null(self):
+        """
+        A PKCS12 string can be dumped with a null passphrase, loaded with a
+        null passphrase with `load_pkcs12`, and its components
+        extracted and examined.
+        """
+        self.verify_pkcs12_container(
+            self._dump_and_load(dump_passphrase=None, load_passphrase=None)
+        )
+
+    def test_load_pkcs12_empty_passphrase_load_empty(self):
+        """
+        A PKCS12 string can be dumped with an empty passphrase, loaded with an
+        empty passphrase with `load_pkcs12`, and its components
+        extracted and examined.
+        """
+        self.verify_pkcs12_container(
+            self._dump_and_load(dump_passphrase=b"", load_passphrase=b"")
+        )
+
+    def test_load_pkcs12_empty_passphrase_load_null(self):
+        """
+        A PKCS12 string can be dumped with an empty passphrase, loaded with a
+        null passphrase with `load_pkcs12`, and its components
+        extracted and examined.
+        """
+        self.verify_pkcs12_container(
+            self._dump_and_load(dump_passphrase=b"", load_passphrase=None)
+        )
+
+    def test_load_pkcs12_garbage(self):
+        """
+        `load_pkcs12` raises `OpenSSL.crypto.Error` when passed
+        a string which is not a PKCS12 dump.
+        """
+        passwd = b"whatever"
+        with pytest.raises(Error) as err:
+            load_pkcs12(b"fruit loops", passwd)
+        assert err.value.args[0][0][0] == "asn1 encoding routines"
+        assert len(err.value.args[0][0]) == 3
+
+    def test_replace(self):
+        """
+        `PKCS12.set_certificate` replaces the certificate in a PKCS12
+        cluster. `PKCS12.set_privatekey` replaces the private key.
+        `PKCS12.set_ca_certificates` replaces the CA certificates.
+        """
+        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
+        p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+        p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
+        p12.set_ca_certificates([root_cert])  # not a tuple
+        assert 1 == len(p12.get_ca_certificates())
+        assert root_cert == p12.get_ca_certificates()[0]
+        p12.set_ca_certificates([client_cert, root_cert])
+        assert 2 == len(p12.get_ca_certificates())
+        assert client_cert == p12.get_ca_certificates()[0]
+        assert root_cert == p12.get_ca_certificates()[1]
+
+    def test_friendly_name(self):
+        """
+        The *friendlyName* of a PKCS12 can be set and retrieved via
+        `PKCS12.get_friendlyname` and `PKCS12_set_friendlyname`, and a
+        `PKCS12` with a friendly name set can be dumped with `PKCS12.export`.
+        """
+        passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+        for friendly_name in [b"Serverlicious", None, b"###"]:
+            p12.set_friendlyname(friendly_name)
+            assert p12.get_friendlyname() == friendly_name
+            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
+            reloaded_p12 = load_pkcs12(dumped_p12, passwd)
+            assert p12.get_friendlyname() == reloaded_p12.get_friendlyname()
+            # We would use the openssl program to confirm the friendly
+            # name, but it is not possible.  The pkcs12 command
+            # does not store the friendly name in the cert's
+            # alias, which we could then extract.
+            self.check_recovery(
+                dumped_p12,
+                key=server_key_pem,
+                cert=server_cert_pem,
+                ca=root_cert_pem,
+                passwd=passwd,
+            )
+
+    def test_various_empty_passphrases(self):
+        """
+        Test that missing, None, and '' passphrases are identical for PKCS12
+        export.
+        """
+        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
+        passwd = b""
+        dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
+        dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
+        dumped_p12_nopw = p12.export(iter=9, maciter=4)
+        for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
+            self.check_recovery(
+                dumped_p12,
+                key=client_key_pem,
+                cert=client_cert_pem,
+                ca=root_cert_pem,
+                passwd=passwd,
+            )
+
+    def test_removing_ca_cert(self):
+        """
+        Passing `None` to `PKCS12.set_ca_certificates` removes all CA
+        certificates.
+        """
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+        p12.set_ca_certificates(None)
+        assert None is p12.get_ca_certificates()
+
+    def test_export_without_mac(self):
+        """
+        Exporting a PKCS12 with a `maciter` of `-1` excludes the MAC entirely.
+        """
+        passwd = b"Lake Michigan"
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+        dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
+        self.check_recovery(
+            dumped_p12,
+            key=server_key_pem,
+            cert=server_cert_pem,
+            passwd=passwd,
+            extra=(b"-nomacver",),
+        )
+
+    def test_load_without_mac(self):
+        """
+        Loading a PKCS12 without a MAC does something other than crash.
+        """
+        passwd = b"Lake Michigan"
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+        dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
+        try:
+            recovered_p12 = load_pkcs12(dumped_p12, passwd)
+            # The person who generated this PCKS12 should be flogged,
+            # or better yet we should have a means to determine
+            # whether a PCKS12 had a MAC that was verified.
+            # Anyway, libopenssl chooses to allow it, so the
+            # pyopenssl binding does as well.
+            assert isinstance(recovered_p12, PKCS12)
+        except Error:
+            # Failing here with an exception is preferred as some openssl
+            # versions do.
+            pass
+
+    def test_zero_len_list_for_ca(self):
+        """
+        A PKCS12 with an empty CA certificates list can be exported.
+        """
+        passwd = b"Hobie 18"
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
+        p12.set_ca_certificates([])
+        assert () == p12.get_ca_certificates()
+        dumped_p12 = p12.export(passphrase=passwd, iter=3)
+        self.check_recovery(
+            dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=passwd
+        )
+
+    def test_export_without_args(self):
+        """
+        All the arguments to `PKCS12.export` are optional.
+        """
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+        dumped_p12 = p12.export()  # no args
+        self.check_recovery(
+            dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b""
+        )
+
+    def test_export_without_bytes(self):
+        """
+        Test `PKCS12.export` with text not bytes as passphrase
+        """
+        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
+
+        with pytest.warns(DeprecationWarning) as w:
+            simplefilter("always")
+            dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii"))
+            msg = "{0} for passphrase is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            )
+            assert msg == str(w[-1].message)
+        self.check_recovery(
+            dumped_p12,
+            key=server_key_pem,
+            cert=server_cert_pem,
+            passwd=b"randomtext",
+        )
+
+    def test_key_cert_mismatch(self):
+        """
+        `PKCS12.export` raises an exception when a key and certificate
+        mismatch.
+        """
+        p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
+        with pytest.raises(Error):
+            p12.export()
+
+
+def _runopenssl(pem, *args):
+    """
+    Run the command line openssl tool with the given arguments and write
+    the given PEM to its stdin.  Not safe for quotes.
+    """
+    proc = Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE)
+    proc.stdin.write(pem)
+    proc.stdin.close()
+    output = proc.stdout.read()
+    proc.stdout.close()
+    proc.wait()
+    return output
+
+
+class TestLoadPublicKey(object):
+    """
+    Tests for :func:`load_publickey`.
+    """
+
+    def test_loading_works(self):
+        """
+        load_publickey loads public keys and sets correct attributes.
+        """
+        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
+
+        assert True is key._only_public
+        assert 2048 == key.bits()
+        assert TYPE_RSA == key.type()
+
+    def test_invalid_type(self):
+        """
+        load_publickey doesn't support FILETYPE_TEXT.
+        """
+        with pytest.raises(ValueError):
+            load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM)
+
+    def test_invalid_key_format(self):
+        """
+        load_publickey explodes on incorrect keys.
+        """
+        with pytest.raises(Error):
+            load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM)
+
+    def test_tolerates_unicode_strings(self):
+        """
+        load_publickey works with text strings, not just bytes.
+        """
+        serialized = cleartextPublicKeyPEM.decode("ascii")
+        key = load_publickey(FILETYPE_PEM, serialized)
+        dumped_pem = dump_publickey(FILETYPE_PEM, key)
+
+        assert dumped_pem == cleartextPublicKeyPEM
+
+
+class TestFunction(object):
+    """
+    Tests for free-functions in the `OpenSSL.crypto` module.
+    """
+
+    def test_load_privatekey_invalid_format(self):
+        """
+        `load_privatekey` raises `ValueError` if passed an unknown filetype.
+        """
+        with pytest.raises(ValueError):
+            load_privatekey(100, root_key_pem)
+
+    def test_load_privatekey_invalid_passphrase_type(self):
+        """
+        `load_privatekey` raises `TypeError` if passed a passphrase that is
+        neither a `str` nor a callable.
+        """
+        with pytest.raises(TypeError):
+            load_privatekey(
+                FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object()
+            )
+
+    def test_load_privatekey_wrongPassphrase(self):
+        """
+        `load_privatekey` raises `OpenSSL.crypto.Error` when it is passed an
+        encrypted PEM and an incorrect passphrase.
+        """
+        with pytest.raises(Error) as err:
+            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, b"quack")
+        assert err.value.args[0] != []
+
+    def test_load_privatekey_passphraseWrongType(self):
+        """
+        `load_privatekey` raises `ValueError` when it is passeda passphrase
+        with a private key encoded in a format, that doesn't support
+        encryption.
+        """
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        blob = dump_privatekey(FILETYPE_ASN1, key)
+        with pytest.raises(ValueError):
+            load_privatekey(FILETYPE_ASN1, blob, "secret")
+
+    def test_load_privatekey_passphrase(self):
+        """
+        `load_privatekey` can create a `PKey` object from an encrypted PEM
+        string if given the passphrase.
+        """
+        key = load_privatekey(
+            FILETYPE_PEM,
+            encryptedPrivateKeyPEM,
+            encryptedPrivateKeyPEMPassphrase,
+        )
+        assert isinstance(key, PKey)
+
+    def test_load_privatekey_passphrase_exception(self):
+        """
+        If the passphrase callback raises an exception, that exception is
+        raised by `load_privatekey`.
+        """
+
+        def cb(ignored):
+            raise ArithmeticError
+
+        with pytest.raises(ArithmeticError):
+            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
+
+    def test_load_privatekey_wrongPassphraseCallback(self):
+        """
+        `load_privatekey` raises `OpenSSL.crypto.Error` when it
+        is passed an encrypted PEM and a passphrase callback which returns an
+        incorrect passphrase.
+        """
+        called = []
+
+        def cb(*a):
+            called.append(None)
+            return b"quack"
+
+        with pytest.raises(Error) as err:
+            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
+        assert called
+        assert err.value.args[0] != []
+
+    def test_load_privatekey_passphraseCallback(self):
+        """
+        `load_privatekey` can create a `PKey` object from an encrypted PEM
+        string if given a passphrase callback which returns the correct
+        password.
+        """
+        called = []
+
+        def cb(writing):
+            called.append(writing)
+            return encryptedPrivateKeyPEMPassphrase
+
+        key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
+        assert isinstance(key, PKey)
+        assert called == [False]
+
+    def test_load_privatekey_passphrase_wrong_return_type(self):
+        """
+        `load_privatekey` raises `ValueError` if the passphrase callback
+        returns something other than a byte string.
+        """
+        with pytest.raises(ValueError):
+            load_privatekey(
+                FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3
+            )
+
+    def test_dump_privatekey_wrong_args(self):
+        """
+        `dump_privatekey` raises `TypeError` if called with a `cipher`
+        argument but no `passphrase` argument.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        with pytest.raises(TypeError):
+            dump_privatekey(FILETYPE_PEM, key, cipher=GOOD_CIPHER)
+
+    def test_dump_privatekey_not_rsa_key(self):
+        """
+        `dump_privatekey` raises `TypeError` if called with a key that is
+        not RSA.
+        """
+        key = PKey()
+        key.generate_key(TYPE_DSA, 512)
+        with pytest.raises(TypeError):
+            dump_privatekey(FILETYPE_TEXT, key)
+
+    def test_dump_privatekey_invalid_pkey(self):
+        with pytest.raises(TypeError):
+            dump_privatekey(FILETYPE_TEXT, object())
+
+    def test_dump_privatekey_unknown_cipher(self):
+        """
+        `dump_privatekey` raises `ValueError` if called with an unrecognized
+        cipher name.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        with pytest.raises(ValueError):
+            dump_privatekey(FILETYPE_PEM, key, BAD_CIPHER, "passphrase")
+
+    def test_dump_privatekey_invalid_passphrase_type(self):
+        """
+        `dump_privatekey` raises `TypeError` if called with a passphrase which
+        is neither a `str` nor a callable.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        with pytest.raises(TypeError):
+            dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, object())
+
+    def test_dump_privatekey_invalid_filetype(self):
+        """
+        `dump_privatekey` raises `ValueError` if called with an unrecognized
+        filetype.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 512)
+        with pytest.raises(ValueError):
+            dump_privatekey(100, key)
+
+    def test_load_privatekey_passphrase_callback_length(self):
+        """
+        `crypto.load_privatekey` should raise an error when the passphrase
+        provided by the callback is too long, not silently truncate it.
+        """
+
+        def cb(ignored):
+            return "a" * 1025
+
+        with pytest.raises(ValueError):
+            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
+
+    def test_dump_privatekey_passphrase(self):
+        """
+        `dump_privatekey` writes an encrypted PEM when given a passphrase.
+        """
+        passphrase = b"foo"
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase)
+        assert isinstance(pem, bytes)
+        loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
+        assert isinstance(loadedKey, PKey)
+        assert loadedKey.type() == key.type()
+        assert loadedKey.bits() == key.bits()
+
+    def test_dump_privatekey_passphrase_wrong_type(self):
+        """
+        `dump_privatekey` raises `ValueError` when it is passed a passphrase
+        with a private key encoded in a format, that doesn't support
+        encryption.
+        """
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        with pytest.raises(ValueError):
+            dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret")
+
+    def test_dump_certificate(self):
+        """
+        `dump_certificate` writes PEM, DER, and text.
+        """
+        pemData = root_cert_pem + root_key_pem
+        cert = load_certificate(FILETYPE_PEM, pemData)
+        dumped_pem = dump_certificate(FILETYPE_PEM, cert)
+        assert dumped_pem == root_cert_pem
+        dumped_der = dump_certificate(FILETYPE_ASN1, cert)
+        good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER")
+        assert dumped_der == good_der
+        cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
+        dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
+        assert dumped_pem2 == root_cert_pem
+        dumped_text = dump_certificate(FILETYPE_TEXT, cert)
+        assert len(dumped_text) > 500
+
+    def test_dump_certificate_bad_type(self):
+        """
+        `dump_certificate` raises a `ValueError` if it's called with
+        a bad type.
+        """
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        with pytest.raises(ValueError):
+            dump_certificate(object(), cert)
+
+    def test_dump_privatekey_pem(self):
+        """
+        `dump_privatekey` writes a PEM
+        """
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        assert key.check()
+        dumped_pem = dump_privatekey(FILETYPE_PEM, key)
+        assert dumped_pem == normalized_root_key_pem
+
+    def test_dump_privatekey_asn1(self):
+        """
+        `dump_privatekey` writes a DER
+        """
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+
+        dumped_der = dump_privatekey(FILETYPE_ASN1, key)
+        assert dumped_der == root_key_der
+
+    def test_load_privatekey_asn1(self):
+        """
+        `dump_privatekey` writes a DER
+        """
+        key = load_privatekey(FILETYPE_ASN1, root_key_der)
+        assert key.bits() == 3072
+        assert key.type() == TYPE_RSA
+
+    def test_dump_privatekey_text(self):
+        """
+        `dump_privatekey` writes a text
+        """
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        dumped_text = dump_privatekey(FILETYPE_TEXT, key)
+        assert len(dumped_text) > 500
+
+    def test_dump_publickey_pem(self):
+        """
+        dump_publickey writes a PEM.
+        """
+        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
+        dumped_pem = dump_publickey(FILETYPE_PEM, key)
+        assert dumped_pem == cleartextPublicKeyPEM
+
+    def test_dump_publickey_asn1(self):
+        """
+        dump_publickey writes a DER.
+        """
+        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
+        dumped_der = dump_publickey(FILETYPE_ASN1, key)
+        key2 = load_publickey(FILETYPE_ASN1, dumped_der)
+        dumped_pem2 = dump_publickey(FILETYPE_PEM, key2)
+        assert dumped_pem2 == cleartextPublicKeyPEM
+
+    def test_dump_publickey_invalid_type(self):
+        """
+        dump_publickey doesn't support FILETYPE_TEXT.
+        """
+        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
+
+        with pytest.raises(ValueError):
+            dump_publickey(FILETYPE_TEXT, key)
+
+    def test_dump_certificate_request(self):
+        """
+        `dump_certificate_request` writes a PEM, DER, and text.
+        """
+        req = load_certificate_request(
+            FILETYPE_PEM, cleartextCertificateRequestPEM
+        )
+        dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
+        assert dumped_pem == cleartextCertificateRequestPEM
+        dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
+        good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
+        assert dumped_der == good_der
+        req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
+        dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
+        assert dumped_pem2 == cleartextCertificateRequestPEM
+        dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
+        assert len(dumped_text) > 500
+        with pytest.raises(ValueError):
+            dump_certificate_request(100, req)
+
+    def test_dump_privatekey_passphrase_callback(self):
+        """
+        `dump_privatekey` writes an encrypted PEM when given a callback
+        which returns the correct passphrase.
+        """
+        passphrase = b"foo"
+        called = []
+
+        def cb(writing):
+            called.append(writing)
+            return passphrase
+
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
+        assert isinstance(pem, bytes)
+        assert called == [True]
+        loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
+        assert isinstance(loadedKey, PKey)
+        assert loadedKey.type() == key.type()
+        assert loadedKey.bits() == key.bits()
+
+    def test_dump_privatekey_passphrase_exception(self):
+        """
+        `dump_privatekey` should not overwrite the exception raised
+        by the passphrase callback.
+        """
+
+        def cb(ignored):
+            raise ArithmeticError
+
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        with pytest.raises(ArithmeticError):
+            dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
+
+    def test_dump_privatekey_passphraseCallbackLength(self):
+        """
+        `crypto.dump_privatekey` should raise an error when the passphrase
+        provided by the callback is too long, not silently truncate it.
+        """
+
+        def cb(ignored):
+            return "a" * 1025
+
+        key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        with pytest.raises(ValueError):
+            dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
+
+    def test_dump_privatekey_truncated(self):
+        """
+        `crypto.dump_privatekey` should not truncate a passphrase that contains
+        a null byte.
+        """
+        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
+        passphrase = b"foo\x00bar"
+        truncated_passphrase = passphrase.split(b"\x00", 1)[0]
+
+        # By dumping with the full passphrase load should raise an error if we
+        # try to load using the truncated passphrase. If dump truncated the
+        # passphrase, then we WILL load the privatekey and the test fails
+        encrypted_key_pem = dump_privatekey(
+            FILETYPE_PEM, key, "AES-256-CBC", passphrase
+        )
+        with pytest.raises(Error):
+            load_privatekey(
+                FILETYPE_PEM, encrypted_key_pem, truncated_passphrase
+            )
+
+    def test_load_privatekey_truncated(self):
+        """
+        `crypto.load_privatekey` should not truncate a passphrase that contains
+        a null byte.
+        """
+        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
+        passphrase = b"foo\x00bar"
+        truncated_passphrase = passphrase.split(b"\x00", 1)[0]
+
+        # By dumping using the truncated passphrase load should raise an error
+        # if we try to load using the full passphrase. If load truncated the
+        # passphrase, then we WILL load the privatekey and the test fails
+        encrypted_key_pem = dump_privatekey(
+            FILETYPE_PEM, key, "AES-256-CBC", truncated_passphrase
+        )
+        with pytest.raises(Error):
+            load_privatekey(FILETYPE_PEM, encrypted_key_pem, passphrase)
+
+    def test_load_pkcs7_data_pem(self):
+        """
+        `load_pkcs7_data` accepts a PKCS#7 string and returns an instance of
+        `PKCS`.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert isinstance(pkcs7, PKCS7)
+
+    def test_load_pkcs7_data_asn1(self):
+        """
+        `load_pkcs7_data` accepts a bytes containing ASN1 data representing
+        PKCS#7 and returns an instance of `PKCS7`.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1)
+        assert isinstance(pkcs7, PKCS7)
+
+    def test_load_pkcs7_data_invalid(self):
+        """
+        If the data passed to `load_pkcs7_data` is invalid, `Error` is raised.
+        """
+        with pytest.raises(Error):
+            load_pkcs7_data(FILETYPE_PEM, b"foo")
+
+    def test_load_pkcs7_type_invalid(self):
+        """
+        If the type passed to `load_pkcs7_data`, `ValueError` is raised.
+        """
+        with pytest.raises(ValueError):
+            load_pkcs7_data(object(), b"foo")
+
+
+class TestLoadCertificate(object):
+    """
+    Tests for `load_certificate_request`.
+    """
+
+    def test_bad_file_type(self):
+        """
+        If the file type passed to `load_certificate_request` is neither
+        `FILETYPE_PEM` nor `FILETYPE_ASN1` then `ValueError` is raised.
+        """
+        with pytest.raises(ValueError):
+            load_certificate_request(object(), b"")
+        with pytest.raises(ValueError):
+            load_certificate(object(), b"")
+
+    def test_bad_certificate(self):
+        """
+        If the bytes passed to `load_certificate` are not a valid certificate,
+        an exception is raised.
+        """
+        with pytest.raises(Error):
+            load_certificate(FILETYPE_ASN1, b"lol")
+
+
+class TestPKCS7(object):
+    """
+    Tests for `PKCS7`.
+    """
+
+    def test_type_is_signed(self):
+        """
+        `PKCS7.type_is_signed` returns `True` if the PKCS7 object is of
+        the type *signed*.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert pkcs7.type_is_signed()
+
+    def test_type_is_enveloped(self):
+        """
+        `PKCS7.type_is_enveloped` returns `False` if the PKCS7 object is not
+        of the type *enveloped*.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert not pkcs7.type_is_enveloped()
+
+    def test_type_is_signed_and_enveloped(self):
+        """
+        `PKCS7.type_is_signedAndEnveloped` returns `False`
+        if the PKCS7 object is not of the type *signed and enveloped*.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert not pkcs7.type_is_signedAndEnveloped()
+
+    def test_type_is_data(self):
+        """
+        `PKCS7.type_is_data` returns `False` if the PKCS7 object is not of
+        the type data.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert not pkcs7.type_is_data()
+
+    def test_get_type_name(self):
+        """
+        `PKCS7.get_type_name` returns a `str` giving the
+        type name.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        assert pkcs7.get_type_name() == b"pkcs7-signedData"
+
+    def test_attribute(self):
+        """
+        If an attribute other than one of the methods tested here is accessed
+        on an instance of `PKCS7`, `AttributeError` is raised.
+        """
+        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
+        with pytest.raises(AttributeError):
+            pkcs7.foo
+
+
+class TestNetscapeSPKI(_PKeyInteractionTestsMixin):
+    """
+    Tests for `OpenSSL.crypto.NetscapeSPKI`.
+    """
+
+    def signable(self):
+        """
+        Return a new `NetscapeSPKI` for use with signing tests.
+        """
+        return NetscapeSPKI()
+
+    def test_type(self):
+        """
+        `NetscapeSPKI` can be used to create instances of that type.
+        """
+        assert is_consistent_type(NetscapeSPKI, "NetscapeSPKI")
+
+    def test_construction(self):
+        """
+        `NetscapeSPKI` returns an instance of `NetscapeSPKI`.
+        """
+        nspki = NetscapeSPKI()
+        assert isinstance(nspki, NetscapeSPKI)
+
+    def test_invalid_attribute(self):
+        """
+        Accessing a non-existent attribute of a `NetscapeSPKI` instance
+        causes an `AttributeError` to be raised.
+        """
+        nspki = NetscapeSPKI()
+        with pytest.raises(AttributeError):
+            nspki.foo
+
+    def test_b64_encode(self):
+        """
+        `NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob.
+        """
+        nspki = NetscapeSPKI()
+        pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+        nspki.set_pubkey(pkey)
+        nspki.sign(pkey, GOOD_DIGEST)
+        blob = nspki.b64_encode()
+        assert isinstance(blob, bytes)
+
+
+class TestRevoked(object):
+    """
+    Tests for `OpenSSL.crypto.Revoked`.
+    """
+
+    def test_ignores_unsupported_revoked_cert_extension_get_reason(self):
+        """
+        The get_reason method on the Revoked class checks to see if the
+        extension is NID_crl_reason and should skip it otherwise. This test
+        loads a CRL with extensions it should ignore.
+        """
+        crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
+        revoked = crl.get_revoked()
+        reason = revoked[1].get_reason()
+        assert reason == b"Unspecified"
+
+    def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self):
+        crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
+        revoked = crl.get_revoked()
+        revoked[1].set_reason(None)
+        reason = revoked[1].get_reason()
+        assert reason is None
+
+    def test_construction(self):
+        """
+        Confirm we can create `OpenSSL.crypto.Revoked`.  Check that it is
+        empty.
+        """
+        revoked = Revoked()
+        assert isinstance(revoked, Revoked)
+        assert type(revoked) == Revoked
+        assert revoked.get_serial() == b"00"
+        assert revoked.get_rev_date() is None
+        assert revoked.get_reason() is None
+
+    def test_serial(self):
+        """
+        Confirm we can set and get serial numbers from
+        `OpenSSL.crypto.Revoked`.  Confirm errors are handled with grace.
+        """
+        revoked = Revoked()
+        ret = revoked.set_serial(b"10b")
+        assert ret is None
+        ser = revoked.get_serial()
+        assert ser == b"010B"
+
+        revoked.set_serial(b"31ppp")  # a type error would be nice
+        ser = revoked.get_serial()
+        assert ser == b"31"
+
+        with pytest.raises(ValueError):
+            revoked.set_serial(b"pqrst")
+        with pytest.raises(TypeError):
+            revoked.set_serial(100)
+
+    def test_date(self):
+        """
+        Confirm we can set and get revocation dates from
+        `OpenSSL.crypto.Revoked`.  Confirm errors are handled with grace.
+        """
+        revoked = Revoked()
+        date = revoked.get_rev_date()
+        assert date is None
+
+        now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
+        ret = revoked.set_rev_date(now)
+        assert ret is None
+        date = revoked.get_rev_date()
+        assert date == now
+
+    def test_reason(self):
+        """
+        Confirm we can set and get revocation reasons from
+        `OpenSSL.crypto.Revoked`.  The "get" need to work as "set".
+        Likewise, each reason of all_reasons() must work.
+        """
+        revoked = Revoked()
+        for r in revoked.all_reasons():
+            for x in range(2):
+                ret = revoked.set_reason(r)
+                assert ret is None
+                reason = revoked.get_reason()
+                assert reason.lower().replace(b" ", b"") == r.lower().replace(
+                    b" ", b""
+                )
+                r = reason  # again with the resp of get
+
+        revoked.set_reason(None)
+        assert revoked.get_reason() is None
+
+    @pytest.mark.parametrize("reason", [object(), 1.0, u"foo"])
+    def test_set_reason_wrong_args(self, reason):
+        """
+        `Revoked.set_reason` raises `TypeError` if called with an argument
+        which is neither `None` nor a byte string.
+        """
+        revoked = Revoked()
+        with pytest.raises(TypeError):
+            revoked.set_reason(reason)
+
+    def test_set_reason_invalid_reason(self):
+        """
+        Calling `OpenSSL.crypto.Revoked.set_reason` with an argument which
+        isn't a valid reason results in `ValueError` being raised.
+        """
+        revoked = Revoked()
+        with pytest.raises(ValueError):
+            revoked.set_reason(b"blue")
+
+
+class TestCRL(object):
+    """
+    Tests for `OpenSSL.crypto.CRL`.
+    """
+
+    cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+    pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+
+    root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+    root_key = load_privatekey(FILETYPE_PEM, root_key_pem)
+    intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
+    intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem)
+    intermediate_server_cert = load_certificate(
+        FILETYPE_PEM, intermediate_server_cert_pem
+    )
+    intermediate_server_key = load_privatekey(
+        FILETYPE_PEM, intermediate_server_key_pem
+    )
+
+    def test_construction(self):
+        """
+        Confirm we can create `OpenSSL.crypto.CRL`.  Check
+        that it is empty
+        """
+        crl = CRL()
+        assert isinstance(crl, CRL)
+        assert crl.get_revoked() is None
+
+    def _get_crl(self):
+        """
+        Get a new ``CRL`` with a revocation.
+        """
+        crl = CRL()
+        revoked = Revoked()
+        now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
+        revoked.set_rev_date(now)
+        revoked.set_serial(b"3ab")
+        revoked.set_reason(b"sUpErSeDEd")
+        crl.add_revoked(revoked)
+        return crl
+
+    def test_export_pem(self):
+        """
+        If not passed a format, ``CRL.export`` returns a "PEM" format string
+        representing a serial number, a revoked reason, and certificate issuer
+        information.
+        """
+        # PEM format
+        dumped_crl = self._get_crl().export(
+            self.cert, self.pkey, days=20, digest=b"sha256"
+        )
+        crl = x509.load_pem_x509_crl(dumped_crl, backend)
+        revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+        assert revoked is not None
+        assert crl.issuer == x509.Name(
+            [
+                x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+                x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+                x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+                x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+                x509.NameAttribute(
+                    x509.NameOID.COMMON_NAME, u"Testing Root CA"
+                ),
+            ]
+        )
+
+    def test_export_der(self):
+        """
+        If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a
+        "DER" format string representing a serial number, a revoked reason, and
+        certificate issuer information.
+        """
+        crl = self._get_crl()
+
+        # DER format
+        dumped_crl = self._get_crl().export(
+            self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+        )
+        crl = x509.load_der_x509_crl(dumped_crl, backend)
+        revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+        assert revoked is not None
+        assert crl.issuer == x509.Name(
+            [
+                x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+                x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+                x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+                x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+                x509.NameAttribute(
+                    x509.NameOID.COMMON_NAME, u"Testing Root CA"
+                ),
+            ]
+        )
+
+    def test_export_text(self):
+        """
+        If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a
+        text format string like the one produced by the openssl command line
+        tool.
+        """
+        crl = self._get_crl()
+
+        # text format
+        dumped_text = crl.export(
+            self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
+        )
+        assert len(dumped_text) > 500
+
+    def test_export_custom_digest(self):
+        """
+        If passed the name of a digest function, ``CRL.export`` uses a
+        signature algorithm based on that digest function.
+        """
+        crl = self._get_crl()
+        dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1")
+        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
+        text.index(b"Signature Algorithm: sha1")
+
+    def test_export_md5_digest(self):
+        """
+        If passed md5 as the digest function, ``CRL.export`` uses md5 and does
+        not emit a deprecation warning.
+        """
+        crl = self._get_crl()
+        with pytest.warns(None) as catcher:
+            simplefilter("always")
+        assert 0 == len(catcher)
+        dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5")
+        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
+        text.index(b"Signature Algorithm: md5")
+
+    def test_export_default_digest(self):
+        """
+        If not passed the name of a digest function, ``CRL.export`` raises a
+        ``TypeError``.
+        """
+        crl = self._get_crl()
+        with pytest.raises(TypeError):
+            crl.export(self.cert, self.pkey)
+
+    def test_export_invalid(self):
+        """
+        If `CRL.export` is used with an uninitialized `X509` instance,
+        `OpenSSL.crypto.Error` is raised.
+        """
+        crl = CRL()
+        with pytest.raises(Error):
+            crl.export(X509(), PKey(), digest=b"sha256")
+
+    def test_add_revoked_keyword(self):
+        """
+        `OpenSSL.CRL.add_revoked` accepts its single argument as the
+        ``revoked`` keyword argument.
+        """
+        crl = CRL()
+        revoked = Revoked()
+        revoked.set_serial(b"01")
+        revoked.set_rev_date(b"20160310020145Z")
+        crl.add_revoked(revoked=revoked)
+        assert isinstance(crl.get_revoked()[0], Revoked)
+
+    def test_export_wrong_args(self):
+        """
+        Calling `OpenSSL.CRL.export` with arguments other than the certificate,
+        private key, integer file type, and integer number of days it
+        expects, results in a `TypeError` being raised.
+        """
+        crl = CRL()
+        with pytest.raises(TypeError):
+            crl.export(None, self.pkey, FILETYPE_PEM, 10)
+        with pytest.raises(TypeError):
+            crl.export(self.cert, None, FILETYPE_PEM, 10)
+        with pytest.raises(TypeError):
+            crl.export(self.cert, self.pkey, None, 10)
+        with pytest.raises(TypeError):
+            crl.export(self.cert, FILETYPE_PEM, None)
+
+    def test_export_unknown_filetype(self):
+        """
+        Calling `OpenSSL.CRL.export` with a file type other than
+        `FILETYPE_PEM`, `FILETYPE_ASN1`, or
+        `FILETYPE_TEXT` results in a `ValueError` being raised.
+        """
+        crl = CRL()
+        with pytest.raises(ValueError):
+            crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
+
+    def test_export_unknown_digest(self):
+        """
+        Calling `OpenSSL.CRL.export` with an unsupported digest results
+        in a `ValueError` being raised.
+        """
+        crl = CRL()
+        with pytest.raises(ValueError):
+            crl.export(
+                self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest"
+            )
+
+    def test_get_revoked(self):
+        """
+        Use python to create a simple CRL with two revocations. Get back the
+        `Revoked` using `OpenSSL.CRL.get_revoked` and verify them.
+        """
+        crl = CRL()
+
+        revoked = Revoked()
+        now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
+        revoked.set_rev_date(now)
+        revoked.set_serial(b"3ab")
+        crl.add_revoked(revoked)
+        revoked.set_serial(b"100")
+        revoked.set_reason(b"sUpErSeDEd")
+        crl.add_revoked(revoked)
+
+        revs = crl.get_revoked()
+        assert len(revs) == 2
+        assert type(revs[0]) == Revoked
+        assert type(revs[1]) == Revoked
+        assert revs[0].get_serial() == b"03AB"
+        assert revs[1].get_serial() == b"0100"
+        assert revs[0].get_rev_date() == now
+        assert revs[1].get_rev_date() == now
+
+    def test_load_crl(self):
+        """
+        Load a known CRL and inspect its revocations.  Both EM and DER formats
+        are loaded.
+        """
+        crl = load_crl(FILETYPE_PEM, crlData)
+        revs = crl.get_revoked()
+        assert len(revs) == 2
+        assert revs[0].get_serial() == b"03AB"
+        assert revs[0].get_reason() is None
+        assert revs[1].get_serial() == b"0100"
+        assert revs[1].get_reason() == b"Superseded"
+
+        der = _runopenssl(crlData, b"crl", b"-outform", b"DER")
+        crl = load_crl(FILETYPE_ASN1, der)
+        revs = crl.get_revoked()
+        assert len(revs) == 2
+        assert revs[0].get_serial() == b"03AB"
+        assert revs[0].get_reason() is None
+        assert revs[1].get_serial() == b"0100"
+        assert revs[1].get_reason() == b"Superseded"
+
+    def test_load_crl_bad_filetype(self):
+        """
+        Calling `OpenSSL.crypto.load_crl` with an unknown file type raises a
+        `ValueError`.
+        """
+        with pytest.raises(ValueError):
+            load_crl(100, crlData)
+
+    def test_load_crl_bad_data(self):
+        """
+        Calling `OpenSSL.crypto.load_crl` with file data which can't be loaded
+        raises a `OpenSSL.crypto.Error`.
+        """
+        with pytest.raises(Error):
+            load_crl(FILETYPE_PEM, b"hello, world")
+
+    def test_get_issuer(self):
+        """
+        Load a known CRL and assert its issuer's common name is what we expect
+        from the encoded crlData string.
+        """
+        crl = load_crl(FILETYPE_PEM, crlData)
+        assert isinstance(crl.get_issuer(), X509Name)
+        assert crl.get_issuer().CN == "Testing Root CA"
+
+    def test_dump_crl(self):
+        """
+        The dumped CRL matches the original input.
+        """
+        crl = load_crl(FILETYPE_PEM, crlData)
+        buf = dump_crl(FILETYPE_PEM, crl)
+        assert buf == crlData
+
+    def _make_test_crl(self, issuer_cert, issuer_key, certs=()):
+        """
+        Create a CRL.
+
+        :param list[X509] certs: A list of certificates to revoke.
+        :rtype: CRL
+        """
+        crl = CRL()
+        for cert in certs:
+            revoked = Revoked()
+            # FIXME: This string splicing is an unfortunate implementation
+            # detail that has been reported in
+            # https://github.com/pyca/pyopenssl/issues/258
+            serial = hex(cert.get_serial_number())[2:].encode("utf-8")
+            revoked.set_serial(serial)
+            revoked.set_reason(b"unspecified")
+            revoked.set_rev_date(b"20140601000000Z")
+            crl.add_revoked(revoked)
+        crl.set_version(1)
+        crl.set_lastUpdate(b"20140601000000Z")
+        crl.set_nextUpdate(b"20180601000000Z")
+        crl.sign(issuer_cert, issuer_key, digest=b"sha512")
+        return crl
+
+    def test_verify_with_revoked(self):
+        """
+        `verify_certificate` raises error when an intermediate certificate is
+        revoked.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        root_crl = self._make_test_crl(
+            self.root_cert, self.root_key, certs=[self.intermediate_cert]
+        )
+        intermediate_crl = self._make_test_crl(
+            self.intermediate_cert, self.intermediate_key, certs=[]
+        )
+        store.add_crl(root_crl)
+        store.add_crl(intermediate_crl)
+        store.set_flags(
+            X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
+        )
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(X509StoreContextError) as err:
+            store_ctx.verify_certificate()
+        assert err.value.args[0][2] == "certificate revoked"
+
+    def test_verify_with_missing_crl(self):
+        """
+        `verify_certificate` raises error when an intermediate certificate's
+        CRL is missing.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        root_crl = self._make_test_crl(
+            self.root_cert, self.root_key, certs=[self.intermediate_cert]
+        )
+        store.add_crl(root_crl)
+        store.set_flags(
+            X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
+        )
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(X509StoreContextError) as err:
+            store_ctx.verify_certificate()
+        assert err.value.args[0][2] == "unable to get certificate CRL"
+        assert err.value.certificate.get_subject().CN == "intermediate-service"
+
+    def test_convert_from_cryptography(self):
+        crypto_crl = x509.load_pem_x509_crl(crlData, backend)
+        crl = CRL.from_cryptography(crypto_crl)
+        assert isinstance(crl, CRL)
+
+    def test_convert_from_cryptography_unsupported_type(self):
+        with pytest.raises(TypeError):
+            CRL.from_cryptography(object())
+
+    def test_convert_to_cryptography_key(self):
+        crl = load_crl(FILETYPE_PEM, crlData)
+        crypto_crl = crl.to_cryptography()
+        assert isinstance(crypto_crl, x509.CertificateRevocationList)
+
+
+class TestX509StoreContext(object):
+    """
+    Tests for `OpenSSL.crypto.X509StoreContext`.
+    """
+
+    root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+    intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
+    intermediate_server_cert = load_certificate(
+        FILETYPE_PEM, intermediate_server_cert_pem
+    )
+
+    def test_valid(self):
+        """
+        `verify_certificate` returns ``None`` when called with a certificate
+        and valid chain.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        assert store_ctx.verify_certificate() is None
+
+    def test_reuse(self):
+        """
+        `verify_certificate` can be called multiple times with the same
+        ``X509StoreContext`` instance to produce the same result.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        assert store_ctx.verify_certificate() is None
+        assert store_ctx.verify_certificate() is None
+
+    @pytest.mark.parametrize(
+        "root_cert, chain, verified_cert",
+        [
+            pytest.param(
+                root_cert,
+                [intermediate_cert],
+                intermediate_server_cert,
+                id="intermediate in chain",
+            ),
+            pytest.param(
+                root_cert,
+                [],
+                intermediate_cert,
+                id="empty chain",
+            ),
+            pytest.param(
+                root_cert,
+                [root_cert, intermediate_server_cert, intermediate_cert],
+                intermediate_server_cert,
+                id="extra certs in chain",
+            ),
+        ],
+    )
+    def test_verify_success_with_chain(self, root_cert, chain, verified_cert):
+        store = X509Store()
+        store.add_cert(root_cert)
+        store_ctx = X509StoreContext(store, verified_cert, chain=chain)
+        assert store_ctx.verify_certificate() is None
+
+    def test_valid_untrusted_chain_reuse(self):
+        """
+        `verify_certificate` using an untrusted chain can be called multiple
+        times with the same ``X509StoreContext`` instance to produce the same
+        result.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        chain = [self.intermediate_cert]
+
+        store_ctx = X509StoreContext(
+            store, self.intermediate_server_cert, chain=chain
+        )
+        assert store_ctx.verify_certificate() is None
+        assert store_ctx.verify_certificate() is None
+
+    def test_chain_reference(self):
+        """
+        ``X509StoreContext`` properly keeps references to the untrusted chain
+        certificates.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        chain = [load_certificate(FILETYPE_PEM, intermediate_cert_pem)]
+
+        store_ctx = X509StoreContext(
+            store, self.intermediate_server_cert, chain=chain
+        )
+
+        del chain
+        assert store_ctx.verify_certificate() is None
+
+    @pytest.mark.parametrize(
+        "root_cert, chain, verified_cert",
+        [
+            pytest.param(
+                root_cert,
+                [],
+                intermediate_server_cert,
+                id="intermediate missing",
+            ),
+            pytest.param(
+                None,
+                [intermediate_cert],
+                intermediate_server_cert,
+                id="no trusted root",
+            ),
+            pytest.param(
+                None,
+                [root_cert, intermediate_cert],
+                intermediate_server_cert,
+                id="untrusted root, full chain is available",
+            ),
+            pytest.param(
+                intermediate_cert,
+                [root_cert, intermediate_cert],
+                intermediate_server_cert,
+                id="untrusted root, intermediate is trusted and in chain",
+            ),
+        ],
+    )
+    def test_verify_fail_with_chain(self, root_cert, chain, verified_cert):
+        store = X509Store()
+        if root_cert:
+            store.add_cert(root_cert)
+
+        store_ctx = X509StoreContext(store, verified_cert, chain=chain)
+
+        with pytest.raises(X509StoreContextError):
+            store_ctx.verify_certificate()
+
+    @pytest.mark.parametrize(
+        "chain, expected_error",
+        [
+            pytest.param(
+                [intermediate_cert, "This is not a certificate"],
+                TypeError,
+                id="non-certificate in chain",
+            ),
+            pytest.param(
+                42,
+                TypeError,
+                id="non-list chain",
+            ),
+        ],
+    )
+    def test_untrusted_chain_wrong_args(self, chain, expected_error):
+        """
+        Creating ``X509StoreContext`` with wrong chain raises an exception.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+
+        with pytest.raises(expected_error):
+            X509StoreContext(store, self.intermediate_server_cert, chain=chain)
+
+    def test_failure_building_untrusted_chain_raises(self, monkeypatch):
+        """
+        Creating ``X509StoreContext`` raises ``OpenSSL.crypto.Error`` when
+        the underlying lib fails to add the certificate to the stack.
+        """
+        monkeypatch.setattr(_lib, "sk_X509_push", lambda _stack, _x509: -1)
+
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        chain = [self.intermediate_cert]
+
+        with pytest.raises(Error):
+            X509StoreContext(store, self.intermediate_server_cert, chain=chain)
+
+    def test_trusted_self_signed(self):
+        """
+        `verify_certificate` returns ``None`` when called with a self-signed
+        certificate and itself in the chain.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store_ctx = X509StoreContext(store, self.root_cert)
+        assert store_ctx.verify_certificate() is None
+
+    def test_untrusted_self_signed(self):
+        """
+        `verify_certificate` raises error when a self-signed certificate is
+        verified without itself in the chain.
+        """
+        store = X509Store()
+        store_ctx = X509StoreContext(store, self.root_cert)
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "self signed certificate"
+        assert exc.value.certificate.get_subject().CN == "Testing Root CA"
+
+    def test_invalid_chain_no_root(self):
+        """
+        `verify_certificate` raises error when a root certificate is missing
+        from the chain.
+        """
+        store = X509Store()
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert exc.value.certificate.get_subject().CN == "intermediate"
+
+    def test_invalid_chain_no_intermediate(self):
+        """
+        `verify_certificate` raises error when an intermediate certificate is
+        missing from the chain.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "unable to get local issuer certificate"
+        assert exc.value.certificate.get_subject().CN == "intermediate-service"
+
+    def test_modification_pre_verify(self):
+        """
+        `verify_certificate` can use a store context modified after
+        instantiation.
+        """
+        store_bad = X509Store()
+        store_bad.add_cert(self.intermediate_cert)
+        store_good = X509Store()
+        store_good.add_cert(self.root_cert)
+        store_good.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)
+
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert exc.value.certificate.get_subject().CN == "intermediate"
+
+        store_ctx.set_store(store_good)
+        assert store_ctx.verify_certificate() is None
+
+    def test_verify_with_time(self):
+        """
+        `verify_certificate` raises error when the verification time is
+        set at notAfter.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+
+        expire_time = self.intermediate_server_cert.get_notAfter()
+        expire_datetime = datetime.strptime(
+            expire_time.decode("utf-8"), "%Y%m%d%H%M%SZ"
+        )
+        store.set_time(expire_datetime)
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "certificate has expired"
+
+    def test_get_verified_chain(self):
+        """
+        `get_verified_chain` returns the verified chain.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        chain = store_ctx.get_verified_chain()
+        assert len(chain) == 3
+        intermediate_subject = self.intermediate_server_cert.get_subject()
+        assert chain[0].get_subject() == intermediate_subject
+        assert chain[1].get_subject() == self.intermediate_cert.get_subject()
+        assert chain[2].get_subject() == self.root_cert.get_subject()
+        # Test reuse
+        chain = store_ctx.get_verified_chain()
+        assert len(chain) == 3
+        assert chain[0].get_subject() == intermediate_subject
+        assert chain[1].get_subject() == self.intermediate_cert.get_subject()
+        assert chain[2].get_subject() == self.root_cert.get_subject()
+
+    def test_get_verified_chain_invalid_chain_no_root(self):
+        """
+        `get_verified_chain` raises error when cert verification fails.
+        """
+        store = X509Store()
+        store.add_cert(self.intermediate_cert)
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.get_verified_chain()
+
+        assert exc.value.args[0][2] == "unable to get issuer certificate"
+        assert exc.value.certificate.get_subject().CN == "intermediate"
+
+    @pytest.fixture
+    def root_ca_file(self, tmpdir):
+        return self._create_ca_file(tmpdir, "root_ca_hash_dir", self.root_cert)
+
+    @pytest.fixture
+    def intermediate_ca_file(self, tmpdir):
+        return self._create_ca_file(
+            tmpdir, "intermediate_ca_hash_dir", self.intermediate_cert
+        )
+
+    @staticmethod
+    def _create_ca_file(base_path, hash_directory, cacert):
+        ca_hash = "{:08x}.0".format(cacert.subject_name_hash())
+        cafile = base_path.join(hash_directory, ca_hash)
+        cafile.write_binary(
+            dump_certificate(FILETYPE_PEM, cacert), ensure=True
+        )
+        return cafile
+
+    def test_verify_with_ca_file_location(self, root_ca_file):
+        store = X509Store()
+        store.load_locations(str(root_ca_file))
+
+        store_ctx = X509StoreContext(store, self.intermediate_cert)
+        store_ctx.verify_certificate()
+
+    def test_verify_with_ca_path_location(self, root_ca_file):
+        store = X509Store()
+        store.load_locations(None, str(root_ca_file.dirname))
+
+        store_ctx = X509StoreContext(store, self.intermediate_cert)
+        store_ctx.verify_certificate()
+
+    def test_verify_with_cafile_and_capath(
+        self, root_ca_file, intermediate_ca_file
+    ):
+        store = X509Store()
+        store.load_locations(
+            cafile=str(root_ca_file), capath=str(intermediate_ca_file.dirname)
+        )
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        store_ctx.verify_certificate()
+
+    def test_verify_with_multiple_ca_files(
+        self, root_ca_file, intermediate_ca_file
+    ):
+        store = X509Store()
+        store.load_locations(str(root_ca_file))
+        store.load_locations(str(intermediate_ca_file))
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        store_ctx.verify_certificate()
+
+    def test_verify_failure_with_empty_ca_directory(self, tmpdir):
+        store = X509Store()
+        store.load_locations(None, str(tmpdir))
+
+        store_ctx = X509StoreContext(store, self.intermediate_cert)
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == "unable to get local issuer certificate"
+
+
+class TestSignVerify(object):
+    """
+    Tests for `OpenSSL.crypto.sign` and `OpenSSL.crypto.verify`.
+    """
+
+    def test_sign_verify(self):
+        """
+        `sign` generates a cryptographic signature which `verify` can check.
+        """
+        content = (
+            b"It was a bright cold day in April, and the clocks were striking "
+            b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
+            b"effort to escape the vile wind, slipped quickly through the "
+            b"glass doors of Victory Mansions, though not quickly enough to "
+            b"prevent a swirl of gritty dust from entering along with him."
+        )
+
+        # sign the content with this private key
+        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        # verify the content with this cert
+        good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        # certificate unrelated to priv_key, used to trigger an error
+        bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        for digest in ["md5", "sha1"]:
+            sig = sign(priv_key, content, digest)
+
+            # Verify the signature of content, will throw an exception if
+            # error.
+            verify(good_cert, sig, content, digest)
+
+            # This should fail because the certificate doesn't match the
+            # private key that was used to sign the content.
+            with pytest.raises(Error):
+                verify(bad_cert, sig, content, digest)
+
+            # This should fail because we've "tainted" the content after
+            # signing it.
+            with pytest.raises(Error):
+                verify(good_cert, sig, content + b"tainted", digest)
+
+        # test that unknown digest types fail
+        with pytest.raises(ValueError):
+            sign(priv_key, content, "strange-digest")
+        with pytest.raises(ValueError):
+            verify(good_cert, sig, content, "strange-digest")
+
+    def test_sign_verify_with_text(self):
+        """
+        `sign` generates a cryptographic signature which
+        `verify` can check. Deprecation warnings raised because using
+        text instead of bytes as content
+        """
+        content = (
+            b"It was a bright cold day in April, and the clocks were striking "
+            b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
+            b"effort to escape the vile wind, slipped quickly through the "
+            b"glass doors of Victory Mansions, though not quickly enough to "
+            b"prevent a swirl of gritty dust from entering along with him."
+        ).decode("ascii")
+
+        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        for digest in ["md5", "sha1"]:
+            with pytest.warns(DeprecationWarning) as w:
+                simplefilter("always")
+                sig = sign(priv_key, content, digest)
+            assert "{0} for data is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            ) == str(w[-1].message)
+
+            with pytest.warns(DeprecationWarning) as w:
+                simplefilter("always")
+                verify(cert, sig, content, digest)
+            assert "{0} for data is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            ) == str(w[-1].message)
+
+    def test_sign_verify_ecdsa(self):
+        """
+        `sign` generates a cryptographic signature which `verify` can check.
+        ECDSA Signatures in the X9.62 format may have variable length,
+        different from the length of the private key.
+        """
+        content = (
+            b"It was a bright cold day in April, and the clocks were striking "
+            b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
+            b"effort to escape the vile wind, slipped quickly through the "
+            b"glass doors of Victory Mansions, though not quickly enough to "
+            b"prevent a swirl of gritty dust from entering along with him."
+        )
+        priv_key = load_privatekey(FILETYPE_PEM, ec_root_key_pem)
+        cert = load_certificate(FILETYPE_PEM, ec_root_cert_pem)
+        sig = sign(priv_key, content, "sha1")
+        verify(cert, sig, content, "sha1")
+
+    def test_sign_nulls(self):
+        """
+        `sign` produces a signature for a string with embedded nulls.
+        """
+        content = b"Watch out!  \0  Did you see it?"
+        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
+        good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        sig = sign(priv_key, content, "sha1")
+        verify(good_cert, sig, content, "sha1")
+
+    def test_sign_with_large_key(self):
+        """
+        `sign` produces a signature for a string when using a long key.
+        """
+        content = (
+            b"It was a bright cold day in April, and the clocks were striking "
+            b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
+            b"effort to escape the vile wind, slipped quickly through the "
+            b"glass doors of Victory Mansions, though not quickly enough to "
+            b"prevent a swirl of gritty dust from entering along with him."
+        )
+
+        priv_key = load_privatekey(FILETYPE_PEM, large_key_pem)
+        sign(priv_key, content, "sha1")
+
+
+class TestEllipticCurve(object):
+    """
+    Tests for `_EllipticCurve`, `get_elliptic_curve`, and
+    `get_elliptic_curves`.
+    """
+
+    def test_set(self):
+        """
+        `get_elliptic_curves` returns a `set`.
+        """
+        assert isinstance(get_elliptic_curves(), set)
+
+    def test_a_curve(self):
+        """
+        `get_elliptic_curve` can be used to retrieve a particular supported
+        curve.
+        """
+        curves = get_elliptic_curves()
+        curve = next(iter(curves))
+        assert curve.name == get_elliptic_curve(curve.name).name
+
+    def test_not_a_curve(self):
+        """
+        `get_elliptic_curve` raises `ValueError` if called with a name which
+        does not identify a supported curve.
+        """
+        with pytest.raises(ValueError):
+            get_elliptic_curve(u"this curve was just invented")
+
+    def test_repr(self):
+        """
+        The string representation of a curve object includes simply states the
+        object is a curve and what its name is.
+        """
+        curves = get_elliptic_curves()
+        curve = next(iter(curves))
+        assert "<Curve %r>" % (curve.name,) == repr(curve)
+
+    def test_to_EC_KEY(self):
+        """
+        The curve object can export a version of itself as an EC_KEY* via the
+        private `_EllipticCurve._to_EC_KEY`.
+        """
+        curves = get_elliptic_curves()
+        curve = next(iter(curves))
+        # It's not easy to assert anything about this object.  However, see
+        # leakcheck/crypto.py for a test that demonstrates it at least does
+        # not leak memory.
+        curve._to_EC_KEY()
+
+
+class EllipticCurveFactory(object):
+    """
+    A helper to get the names of two curves.
+    """
+
+    def __init__(self):
+        curves = iter(get_elliptic_curves())
+        self.curve_name = next(curves).name
+        self.another_curve_name = next(curves).name
+
+
+class TestEllipticCurveEquality(EqualityTestsMixin):
+    """
+    Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``.
+    """
+
+    curve_factory = EllipticCurveFactory()
+
+    if curve_factory.curve_name is None:
+        skip = "There are no curves available there can be no curve objects."
+
+    def anInstance(self):
+        """
+        Get the curve object for an arbitrary curve supported by the system.
+        """
+        return get_elliptic_curve(self.curve_factory.curve_name)
+
+    def anotherInstance(self):
+        """
+        Get the curve object for an arbitrary curve supported by the system -
+        but not the one returned by C{anInstance}.
+        """
+        return get_elliptic_curve(self.curve_factory.another_curve_name)
+
+
+class TestEllipticCurveHash(object):
+    """
+    Tests for `_EllipticCurve`'s implementation of hashing (thus use as
+    an item in a `dict` or `set`).
+    """
+
+    curve_factory = EllipticCurveFactory()
+
+    if curve_factory.curve_name is None:
+        skip = "There are no curves available there can be no curve objects."
+
+    def test_contains(self):
+        """
+        The ``in`` operator reports that a `set` containing a curve does
+        contain that curve.
+        """
+        curve = get_elliptic_curve(self.curve_factory.curve_name)
+        curves = set([curve])
+        assert curve in curves
+
+    def test_does_not_contain(self):
+        """
+        The ``in`` operator reports that a `set` not containing a curve
+        does not contain that curve.
+        """
+        curve = get_elliptic_curve(self.curve_factory.curve_name)
+        curves = set(
+            [get_elliptic_curve(self.curve_factory.another_curve_name)]
+        )
+        assert curve not in curves
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_debug.py b/contrib/python/pyOpenSSL/py3/tests/test_debug.py
new file mode 100644
index 0000000000..2d62a3a56a
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/test_debug.py
@@ -0,0 +1,10 @@
+from OpenSSL.debug import _env_info
+from OpenSSL import version
+
+
+def test_debug_info():
+    """
+    Debug info contains correct data.
+    """
+    # Just check a sample we control.
+    assert version.__version__ in _env_info
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_rand.py b/contrib/python/pyOpenSSL/py3/tests/test_rand.py
new file mode 100644
index 0000000000..763d71124c
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/test_rand.py
@@ -0,0 +1,34 @@
+# Copyright (c) Frederick Dean
+# See LICENSE for details.
+
+"""
+Unit tests for `OpenSSL.rand`.
+"""
+
+import pytest
+
+from OpenSSL import rand
+
+
+class TestRand(object):
+    @pytest.mark.parametrize("args", [(b"foo", None), (None, 3)])
+    def test_add_wrong_args(self, args):
+        """
+        `OpenSSL.rand.add` raises `TypeError` if called with arguments not of
+        type `str` and `int`.
+        """
+        with pytest.raises(TypeError):
+            rand.add(*args)
+
+    def test_add(self):
+        """
+        `OpenSSL.rand.add` adds entropy to the PRNG.
+        """
+        rand.add(b"hamburger", 3)
+
+    def test_status(self):
+        """
+        `OpenSSL.rand.status` returns `1` if the PRNG has sufficient entropy,
+        `0` otherwise.
+        """
+        assert rand.status() == 1
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_ssl.py b/contrib/python/pyOpenSSL/py3/tests/test_ssl.py
new file mode 100644
index 0000000000..8bb5a035a7
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/test_ssl.py
@@ -0,0 +1,4245 @@
+# Copyright (C) Jean-Paul Calderone
+# See LICENSE for details.
+
+"""
+Unit tests for :mod:`OpenSSL.SSL`.
+"""
+
+import datetime
+import gc
+import sys
+import uuid
+
+from gc import collect, get_referrers
+from errno import (
+    EAFNOSUPPORT,
+    ECONNREFUSED,
+    EINPROGRESS,
+    EWOULDBLOCK,
+    EPIPE,
+    ESHUTDOWN,
+)
+from sys import platform, getfilesystemencoding
+from socket import AF_INET, AF_INET6, MSG_PEEK, SHUT_RDWR, error, socket
+from os import makedirs
+from os.path import join
+from weakref import ref
+from warnings import simplefilter
+
+import flaky
+
+import pytest
+
+from pretend import raiser
+
+from six import PY2, text_type
+
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
+
+from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM
+from OpenSSL.crypto import PKey, X509, X509Extension, X509Store
+from OpenSSL.crypto import dump_privatekey, load_privatekey
+from OpenSSL.crypto import dump_certificate, load_certificate
+from OpenSSL.crypto import get_elliptic_curves
+
+from OpenSSL.SSL import (
+    OPENSSL_VERSION_NUMBER,
+    SSLEAY_VERSION,
+    SSLEAY_CFLAGS,
+    TLS_METHOD,
+    TLS1_3_VERSION,
+    TLS1_2_VERSION,
+    TLS1_1_VERSION,
+)
+from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
+from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
+from OpenSSL.SSL import (
+    SSLv2_METHOD,
+    SSLv3_METHOD,
+    SSLv23_METHOD,
+    TLSv1_METHOD,
+    TLSv1_1_METHOD,
+    TLSv1_2_METHOD,
+)
+from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3
+from OpenSSL.SSL import (
+    VERIFY_PEER,
+    VERIFY_FAIL_IF_NO_PEER_CERT,
+    VERIFY_CLIENT_ONCE,
+    VERIFY_NONE,
+)
+
+from OpenSSL import SSL
+from OpenSSL.SSL import (
+    SESS_CACHE_OFF,
+    SESS_CACHE_CLIENT,
+    SESS_CACHE_SERVER,
+    SESS_CACHE_BOTH,
+    SESS_CACHE_NO_AUTO_CLEAR,
+    SESS_CACHE_NO_INTERNAL_LOOKUP,
+    SESS_CACHE_NO_INTERNAL_STORE,
+    SESS_CACHE_NO_INTERNAL,
+)
+
+from OpenSSL.SSL import (
+    Error,
+    SysCallError,
+    WantReadError,
+    WantWriteError,
+    ZeroReturnError,
+)
+from OpenSSL.SSL import Context, Session, Connection, SSLeay_version
+from OpenSSL.SSL import _make_requires
+
+from OpenSSL._util import ffi as _ffi, lib as _lib
+
+from OpenSSL.SSL import (
+    OP_NO_QUERY_MTU,
+    OP_COOKIE_EXCHANGE,
+    OP_NO_TICKET,
+    OP_NO_COMPRESSION,
+    MODE_RELEASE_BUFFERS,
+    NO_OVERLAPPING_PROTOCOLS,
+)
+
+from OpenSSL.SSL import (
+    SSL_ST_CONNECT,
+    SSL_ST_ACCEPT,
+    SSL_ST_MASK,
+    SSL_CB_LOOP,
+    SSL_CB_EXIT,
+    SSL_CB_READ,
+    SSL_CB_WRITE,
+    SSL_CB_ALERT,
+    SSL_CB_READ_ALERT,
+    SSL_CB_WRITE_ALERT,
+    SSL_CB_ACCEPT_LOOP,
+    SSL_CB_ACCEPT_EXIT,
+    SSL_CB_CONNECT_LOOP,
+    SSL_CB_CONNECT_EXIT,
+    SSL_CB_HANDSHAKE_START,
+    SSL_CB_HANDSHAKE_DONE,
+)
+
+try:
+    from OpenSSL.SSL import (
+        SSL_ST_INIT,
+        SSL_ST_BEFORE,
+        SSL_ST_OK,
+        SSL_ST_RENEGOTIATE,
+    )
+except ImportError:
+    SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None
+
+try:
+    from OpenSSL.SSL import OP_NO_TLSv1_3
+except ImportError:
+    OP_NO_TLSv1_3 = None
+
+from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type
+from .test_crypto import (
+    client_cert_pem,
+    client_key_pem,
+    server_cert_pem,
+    server_key_pem,
+    root_cert_pem,
+    root_key_pem,
+)
+
+
+# openssl dhparam 2048 -out dh-2048.pem
+dhparam = """\
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA2F5e976d/GjsaCdKv5RMWL/YV7fq1UUWpPAer5fDXflLMVUuYXxE
+3m3ayZob9lbpgEU0jlPAsXHfQPGxpKmvhv+xV26V/DEoukED8JeZUY/z4pigoptl
++8+TYdNNE/rFSZQFXIp+v2D91IEgmHBnZlKFSbKR+p8i0KjExXGjU6ji3S5jkOku
+ogikc7df1Ui0hWNJCmTjExq07aXghk97PsdFSxjdawuG3+vos5bnNoUwPLYlFc/z
+ITYG0KXySiCLi4UDlXTZTz7u/+OYczPEgqa/JPUddbM/kfvaRAnjY38cfQ7qXf8Y
+i5s5yYK7a/0eWxxRr2qraYaUj8RwDpH9CwIBAg==
+-----END DH PARAMETERS-----
+"""
+
+
+skip_if_py3 = pytest.mark.skipif(not PY2, reason="Python 2 only")
+
+
+def socket_any_family():
+    try:
+        return socket(AF_INET)
+    except error as e:
+        if e.errno == EAFNOSUPPORT:
+            return socket(AF_INET6)
+        raise
+
+
+def loopback_address(socket):
+    if socket.family == AF_INET:
+        return "127.0.0.1"
+    else:
+        assert socket.family == AF_INET6
+        return "::1"
+
+
+def join_bytes_or_unicode(prefix, suffix):
+    """
+    Join two path components of either ``bytes`` or ``unicode``.
+
+    The return type is the same as the type of ``prefix``.
+    """
+    # If the types are the same, nothing special is necessary.
+    if type(prefix) == type(suffix):
+        return join(prefix, suffix)
+
+    # Otherwise, coerce suffix to the type of prefix.
+    if isinstance(prefix, text_type):
+        return join(prefix, suffix.decode(getfilesystemencoding()))
+    else:
+        return join(prefix, suffix.encode(getfilesystemencoding()))
+
+
+def verify_cb(conn, cert, errnum, depth, ok):
+    return ok
+
+
+def socket_pair():
+    """
+    Establish and return a pair of network sockets connected to each other.
+    """
+    # Connect a pair of sockets
+    port = socket_any_family()
+    port.bind(("", 0))
+    port.listen(1)
+    client = socket(port.family)
+    client.setblocking(False)
+    client.connect_ex((loopback_address(port), port.getsockname()[1]))
+    client.setblocking(True)
+    server = port.accept()[0]
+
+    # Let's pass some unencrypted data to make sure our socket connection is
+    # fine.  Just one byte, so we don't have to worry about buffers getting
+    # filled up or fragmentation.
+    server.send(b"x")
+    assert client.recv(1024) == b"x"
+    client.send(b"y")
+    assert server.recv(1024) == b"y"
+
+    # Most of our callers want non-blocking sockets, make it easy for them.
+    server.setblocking(False)
+    client.setblocking(False)
+
+    return (server, client)
+
+
+def handshake(client, server):
+    conns = [client, server]
+    while conns:
+        for conn in conns:
+            try:
+                conn.do_handshake()
+            except WantReadError:
+                pass
+            else:
+                conns.remove(conn)
+
+
+def _create_certificate_chain():
+    """
+    Construct and return a chain of certificates.
+
+        1. A new self-signed certificate authority certificate (cacert)
+        2. A new intermediate certificate signed by cacert (icert)
+        3. A new server certificate signed by icert (scert)
+    """
+    caext = X509Extension(b"basicConstraints", False, b"CA:true")
+    not_after_date = datetime.date.today() + datetime.timedelta(days=365)
+    not_after = not_after_date.strftime("%Y%m%d%H%M%SZ").encode("ascii")
+
+    # Step 1
+    cakey = PKey()
+    cakey.generate_key(TYPE_RSA, 2048)
+    cacert = X509()
+    cacert.set_version(2)
+    cacert.get_subject().commonName = "Authority Certificate"
+    cacert.set_issuer(cacert.get_subject())
+    cacert.set_pubkey(cakey)
+    cacert.set_notBefore(b"20000101000000Z")
+    cacert.set_notAfter(not_after)
+    cacert.add_extensions([caext])
+    cacert.set_serial_number(0)
+    cacert.sign(cakey, "sha256")
+
+    # Step 2
+    ikey = PKey()
+    ikey.generate_key(TYPE_RSA, 2048)
+    icert = X509()
+    icert.set_version(2)
+    icert.get_subject().commonName = "Intermediate Certificate"
+    icert.set_issuer(cacert.get_subject())
+    icert.set_pubkey(ikey)
+    icert.set_notBefore(b"20000101000000Z")
+    icert.set_notAfter(not_after)
+    icert.add_extensions([caext])
+    icert.set_serial_number(0)
+    icert.sign(cakey, "sha256")
+
+    # Step 3
+    skey = PKey()
+    skey.generate_key(TYPE_RSA, 2048)
+    scert = X509()
+    scert.set_version(2)
+    scert.get_subject().commonName = "Server Certificate"
+    scert.set_issuer(icert.get_subject())
+    scert.set_pubkey(skey)
+    scert.set_notBefore(b"20000101000000Z")
+    scert.set_notAfter(not_after)
+    scert.add_extensions(
+        [X509Extension(b"basicConstraints", True, b"CA:false")]
+    )
+    scert.set_serial_number(0)
+    scert.sign(ikey, "sha256")
+
+    return [(cakey, cacert), (ikey, icert), (skey, scert)]
+
+
+def loopback_client_factory(socket, version=SSLv23_METHOD):
+    client = Connection(Context(version), socket)
+    client.set_connect_state()
+    return client
+
+
+def loopback_server_factory(socket, version=SSLv23_METHOD):
+    ctx = Context(version)
+    ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+    ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+    server = Connection(ctx, socket)
+    server.set_accept_state()
+    return server
+
+
+def loopback(server_factory=None, client_factory=None):
+    """
+    Create a connected socket pair and force two connected SSL sockets
+    to talk to each other via memory BIOs.
+    """
+    if server_factory is None:
+        server_factory = loopback_server_factory
+    if client_factory is None:
+        client_factory = loopback_client_factory
+
+    (server, client) = socket_pair()
+    server = server_factory(server)
+    client = client_factory(client)
+
+    handshake(client, server)
+
+    server.setblocking(True)
+    client.setblocking(True)
+    return server, client
+
+
+def interact_in_memory(client_conn, server_conn):
+    """
+    Try to read application bytes from each of the two `Connection` objects.
+    Copy bytes back and forth between their send/receive buffers for as long
+    as there is anything to copy.  When there is nothing more to copy,
+    return `None`.  If one of them actually manages to deliver some application
+    bytes, return a two-tuple of the connection from which the bytes were read
+    and the bytes themselves.
+    """
+    wrote = True
+    while wrote:
+        # Loop until neither side has anything to say
+        wrote = False
+
+        # Copy stuff from each side's send buffer to the other side's
+        # receive buffer.
+        for (read, write) in [
+            (client_conn, server_conn),
+            (server_conn, client_conn),
+        ]:
+
+            # Give the side a chance to generate some more bytes, or succeed.
+            try:
+                data = read.recv(2 ** 16)
+            except WantReadError:
+                # It didn't succeed, so we'll hope it generated some output.
+                pass
+            else:
+                # It did succeed, so we'll stop now and let the caller deal
+                # with it.
+                return (read, data)
+
+            while True:
+                # Keep copying as long as there's more stuff there.
+                try:
+                    dirty = read.bio_read(4096)
+                except WantReadError:
+                    # Okay, nothing more waiting to be sent.  Stop
+                    # processing this send buffer.
+                    break
+                else:
+                    # Keep track of the fact that someone generated some
+                    # output.
+                    wrote = True
+                    write.bio_write(dirty)
+
+
+def handshake_in_memory(client_conn, server_conn):
+    """
+    Perform the TLS handshake between two `Connection` instances connected to
+    each other via memory BIOs.
+    """
+    client_conn.set_connect_state()
+    server_conn.set_accept_state()
+
+    for conn in [client_conn, server_conn]:
+        try:
+            conn.do_handshake()
+        except WantReadError:
+            pass
+
+    interact_in_memory(client_conn, server_conn)
+
+
+class TestVersion(object):
+    """
+    Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and
+    `OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.
+    """
+
+    def test_OPENSSL_VERSION_NUMBER(self):
+        """
+        `OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and
+        the patch, fix, minor, and major versions in the nibbles above that.
+        """
+        assert isinstance(OPENSSL_VERSION_NUMBER, int)
+
+    def test_SSLeay_version(self):
+        """
+        `SSLeay_version` takes a version type indicator and returns one of a
+        number of version strings based on that indicator.
+        """
+        versions = {}
+        for t in [
+            SSLEAY_VERSION,
+            SSLEAY_CFLAGS,
+            SSLEAY_BUILT_ON,
+            SSLEAY_PLATFORM,
+            SSLEAY_DIR,
+        ]:
+            version = SSLeay_version(t)
+            versions[version] = t
+            assert isinstance(version, bytes)
+        assert len(versions) == 5
+
+
+@pytest.fixture
+def ca_file(tmpdir):
+    """
+    Create a valid PEM file with CA certificates and return the path.
+    """
+    key = rsa.generate_private_key(
+        public_exponent=65537, key_size=2048, backend=default_backend()
+    )
+    public_key = key.public_key()
+
+    builder = x509.CertificateBuilder()
+    builder = builder.subject_name(
+        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org")])
+    )
+    builder = builder.issuer_name(
+        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org")])
+    )
+    one_day = datetime.timedelta(1, 0, 0)
+    builder = builder.not_valid_before(datetime.datetime.today() - one_day)
+    builder = builder.not_valid_after(datetime.datetime.today() + one_day)
+    builder = builder.serial_number(int(uuid.uuid4()))
+    builder = builder.public_key(public_key)
+    builder = builder.add_extension(
+        x509.BasicConstraints(ca=True, path_length=None),
+        critical=True,
+    )
+
+    certificate = builder.sign(
+        private_key=key, algorithm=hashes.SHA256(), backend=default_backend()
+    )
+
+    ca_file = tmpdir.join("test.pem")
+    ca_file.write_binary(
+        certificate.public_bytes(
+            encoding=serialization.Encoding.PEM,
+        )
+    )
+
+    return str(ca_file).encode("ascii")
+
+
+@pytest.fixture
+def context():
+    """
+    A simple "best TLS you can get" context. TLS 1.2+ in any reasonable OpenSSL
+    """
+    return Context(SSLv23_METHOD)
+
+
+class TestContext(object):
+    """
+    Unit tests for `OpenSSL.SSL.Context`.
+    """
+
+    @pytest.mark.parametrize(
+        "cipher_string",
+        [b"hello world:AES128-SHA", u"hello world:AES128-SHA"],
+    )
+    def test_set_cipher_list(self, context, cipher_string):
+        """
+        `Context.set_cipher_list` accepts both byte and unicode strings
+        for naming the ciphers which connections created with the context
+        object will be able to choose from.
+        """
+        context.set_cipher_list(cipher_string)
+        conn = Connection(context, None)
+
+        assert "AES128-SHA" in conn.get_cipher_list()
+
+    def test_set_cipher_list_wrong_type(self, context):
+        """
+        `Context.set_cipher_list` raises `TypeError` when passed a non-string
+        argument.
+        """
+        with pytest.raises(TypeError):
+            context.set_cipher_list(object())
+
+    @flaky.flaky
+    def test_set_cipher_list_no_cipher_match(self, context):
+        """
+        `Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a
+        `"no cipher match"` reason string regardless of the TLS
+        version.
+        """
+        with pytest.raises(Error) as excinfo:
+            context.set_cipher_list(b"imaginary-cipher")
+        assert excinfo.value.args == (
+            [
+                (
+                    "SSL routines",
+                    "SSL_CTX_set_cipher_list",
+                    "no cipher match",
+                )
+            ],
+        )
+
+    def test_load_client_ca(self, context, ca_file):
+        """
+        `Context.load_client_ca` works as far as we can tell.
+        """
+        context.load_client_ca(ca_file)
+
+    def test_load_client_ca_invalid(self, context, tmpdir):
+        """
+        `Context.load_client_ca` raises an Error if the ca file is invalid.
+        """
+        ca_file = tmpdir.join("test.pem")
+        ca_file.write("")
+
+        with pytest.raises(Error) as e:
+            context.load_client_ca(str(ca_file).encode("ascii"))
+
+        assert "PEM routines" == e.value.args[0][0][0]
+
+    def test_load_client_ca_unicode(self, context, ca_file):
+        """
+        Passing the path as unicode raises a warning but works.
+        """
+        pytest.deprecated_call(context.load_client_ca, ca_file.decode("ascii"))
+
+    def test_set_session_id(self, context):
+        """
+        `Context.set_session_id` works as far as we can tell.
+        """
+        context.set_session_id(b"abc")
+
+    def test_set_session_id_fail(self, context):
+        """
+        `Context.set_session_id` errors are propagated.
+        """
+        with pytest.raises(Error) as e:
+            context.set_session_id(b"abc" * 1000)
+
+        assert [
+            (
+                "SSL routines",
+                "SSL_CTX_set_session_id_context",
+                "ssl session id context too long",
+            )
+        ] == e.value.args[0]
+
+    def test_set_session_id_unicode(self, context):
+        """
+        `Context.set_session_id` raises a warning if a unicode string is
+        passed.
+        """
+        pytest.deprecated_call(context.set_session_id, u"abc")
+
+    def test_method(self):
+        """
+        `Context` can be instantiated with one of `SSLv2_METHOD`,
+        `SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,
+        or `TLSv1_2_METHOD`.
+        """
+        methods = [SSLv23_METHOD, TLSv1_METHOD]
+        for meth in methods:
+            Context(meth)
+
+        maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]
+        for meth in maybe:
+            try:
+                Context(meth)
+            except (Error, ValueError):
+                # Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some
+                # don't.  Difficult to say in advance.
+                pass
+
+        with pytest.raises(TypeError):
+            Context("")
+        with pytest.raises(ValueError):
+            Context(10)
+
+    def test_type(self):
+        """
+        `Context` can be used to create instances of that type.
+        """
+        assert is_consistent_type(Context, "Context", TLSv1_METHOD)
+
+    def test_use_privatekey(self):
+        """
+        `Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 1024)
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey(key)
+        with pytest.raises(TypeError):
+            ctx.use_privatekey("")
+
+    def test_use_privatekey_file_missing(self, tmpfile):
+        """
+        `Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed
+        the name of a file which does not exist.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            ctx.use_privatekey_file(tmpfile)
+
+    def _use_privatekey_file_test(self, pemfile, filetype):
+        """
+        Verify that calling ``Context.use_privatekey_file`` with the given
+        arguments does not raise an exception.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 1024)
+
+        with open(pemfile, "wt") as pem:
+            pem.write(dump_privatekey(FILETYPE_PEM, key).decode("ascii"))
+
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey_file(pemfile, filetype)
+
+    @pytest.mark.parametrize("filetype", [object(), "", None, 1.0])
+    def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):
+        """
+        `Context.use_privatekey_file` raises `TypeError` when called with
+        a `filetype` which is not a valid file encoding.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            ctx.use_privatekey_file(tmpfile, filetype)
+
+    def test_use_privatekey_file_bytes(self, tmpfile):
+        """
+        A private key can be specified from a file by passing a ``bytes``
+        instance giving the file name to ``Context.use_privatekey_file``.
+        """
+        self._use_privatekey_file_test(
+            tmpfile + NON_ASCII.encode(getfilesystemencoding()),
+            FILETYPE_PEM,
+        )
+
+    def test_use_privatekey_file_unicode(self, tmpfile):
+        """
+        A private key can be specified from a file by passing a ``unicode``
+        instance giving the file name to ``Context.use_privatekey_file``.
+        """
+        self._use_privatekey_file_test(
+            tmpfile.decode(getfilesystemencoding()) + NON_ASCII,
+            FILETYPE_PEM,
+        )
+
+    def test_use_certificate_wrong_args(self):
+        """
+        `Context.use_certificate_wrong_args` raises `TypeError` when not passed
+        exactly one `OpenSSL.crypto.X509` instance as an argument.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            ctx.use_certificate("hello, world")
+
+    def test_use_certificate_uninitialized(self):
+        """
+        `Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a
+        `OpenSSL.crypto.X509` instance which has not been initialized
+        (ie, which does not actually have any certificate data).
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            ctx.use_certificate(X509())
+
+    def test_use_certificate(self):
+        """
+        `Context.use_certificate` sets the certificate which will be
+        used to identify connections created using the context.
+        """
+        # TODO
+        # Hard to assert anything.  But we could set a privatekey then ask
+        # OpenSSL if the cert and key agree using check_privatekey.  Then as
+        # long as check_privatekey works right we're good...
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_certificate(load_certificate(FILETYPE_PEM, root_cert_pem))
+
+    def test_use_certificate_file_wrong_args(self):
+        """
+        `Context.use_certificate_file` raises `TypeError` if the first
+        argument is not a byte string or the second argument is not an integer.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            ctx.use_certificate_file(object(), FILETYPE_PEM)
+        with pytest.raises(TypeError):
+            ctx.use_certificate_file(b"somefile", object())
+        with pytest.raises(TypeError):
+            ctx.use_certificate_file(object(), FILETYPE_PEM)
+
+    def test_use_certificate_file_missing(self, tmpfile):
+        """
+        `Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed
+        the name of a file which does not exist.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            ctx.use_certificate_file(tmpfile)
+
+    def _use_certificate_file_test(self, certificate_file):
+        """
+        Verify that calling ``Context.use_certificate_file`` with the given
+        filename doesn't raise an exception.
+        """
+        # TODO
+        # Hard to assert anything.  But we could set a privatekey then ask
+        # OpenSSL if the cert and key agree using check_privatekey.  Then as
+        # long as check_privatekey works right we're good...
+        with open(certificate_file, "wb") as pem_file:
+            pem_file.write(root_cert_pem)
+
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_certificate_file(certificate_file)
+
+    def test_use_certificate_file_bytes(self, tmpfile):
+        """
+        `Context.use_certificate_file` sets the certificate (given as a
+        `bytes` filename) which will be used to identify connections created
+        using the context.
+        """
+        filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())
+        self._use_certificate_file_test(filename)
+
+    def test_use_certificate_file_unicode(self, tmpfile):
+        """
+        `Context.use_certificate_file` sets the certificate (given as a
+        `bytes` filename) which will be used to identify connections created
+        using the context.
+        """
+        filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII
+        self._use_certificate_file_test(filename)
+
+    def test_check_privatekey_valid(self):
+        """
+        `Context.check_privatekey` returns `None` if the `Context` instance
+        has been configured to use a matched key and certificate pair.
+        """
+        key = load_privatekey(FILETYPE_PEM, client_key_pem)
+        cert = load_certificate(FILETYPE_PEM, client_cert_pem)
+        context = Context(SSLv23_METHOD)
+        context.use_privatekey(key)
+        context.use_certificate(cert)
+        assert None is context.check_privatekey()
+
+    def test_check_privatekey_invalid(self):
+        """
+        `Context.check_privatekey` raises `Error` if the `Context` instance
+        has been configured to use a key and certificate pair which don't
+        relate to each other.
+        """
+        key = load_privatekey(FILETYPE_PEM, client_key_pem)
+        cert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        context = Context(SSLv23_METHOD)
+        context.use_privatekey(key)
+        context.use_certificate(cert)
+        with pytest.raises(Error):
+            context.check_privatekey()
+
+    def test_app_data(self):
+        """
+        `Context.set_app_data` stores an object for later retrieval
+        using `Context.get_app_data`.
+        """
+        app_data = object()
+        context = Context(SSLv23_METHOD)
+        context.set_app_data(app_data)
+        assert context.get_app_data() is app_data
+
+    def test_set_options_wrong_args(self):
+        """
+        `Context.set_options` raises `TypeError` if called with
+        a non-`int` argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_options(None)
+
+    def test_set_options(self):
+        """
+        `Context.set_options` returns the new options value.
+        """
+        context = Context(SSLv23_METHOD)
+        options = context.set_options(OP_NO_SSLv2)
+        assert options & OP_NO_SSLv2 == OP_NO_SSLv2
+
+    def test_set_mode_wrong_args(self):
+        """
+        `Context.set_mode` raises `TypeError` if called with
+        a non-`int` argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_mode(None)
+
+    def test_set_mode(self):
+        """
+        `Context.set_mode` accepts a mode bitvector and returns the
+        newly set mode.
+        """
+        context = Context(SSLv23_METHOD)
+        assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)
+
+    def test_set_timeout_wrong_args(self):
+        """
+        `Context.set_timeout` raises `TypeError` if called with
+        a non-`int` argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_timeout(None)
+
+    def test_timeout(self):
+        """
+        `Context.set_timeout` sets the session timeout for all connections
+        created using the context object. `Context.get_timeout` retrieves
+        this value.
+        """
+        context = Context(SSLv23_METHOD)
+        context.set_timeout(1234)
+        assert context.get_timeout() == 1234
+
+    def test_set_verify_depth_wrong_args(self):
+        """
+        `Context.set_verify_depth` raises `TypeError` if called with a
+        non-`int` argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_verify_depth(None)
+
+    def test_verify_depth(self):
+        """
+        `Context.set_verify_depth` sets the number of certificates in
+        a chain to follow before giving up.  The value can be retrieved with
+        `Context.get_verify_depth`.
+        """
+        context = Context(SSLv23_METHOD)
+        context.set_verify_depth(11)
+        assert context.get_verify_depth() == 11
+
+    def _write_encrypted_pem(self, passphrase, tmpfile):
+        """
+        Write a new private key out to a new file, encrypted using the given
+        passphrase.  Return the path to the new file.
+        """
+        key = PKey()
+        key.generate_key(TYPE_RSA, 1024)
+        pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
+        with open(tmpfile, "w") as fObj:
+            fObj.write(pem.decode("ascii"))
+        return tmpfile
+
+    def test_set_passwd_cb_wrong_args(self):
+        """
+        `Context.set_passwd_cb` raises `TypeError` if called with a
+        non-callable first argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_passwd_cb(None)
+
+    def test_set_passwd_cb(self, tmpfile):
+        """
+        `Context.set_passwd_cb` accepts a callable which will be invoked when
+        a private key is loaded from an encrypted PEM.
+        """
+        passphrase = b"foobar"
+        pemFile = self._write_encrypted_pem(passphrase, tmpfile)
+        calledWith = []
+
+        def passphraseCallback(maxlen, verify, extra):
+            calledWith.append((maxlen, verify, extra))
+            return passphrase
+
+        context = Context(SSLv23_METHOD)
+        context.set_passwd_cb(passphraseCallback)
+        context.use_privatekey_file(pemFile)
+        assert len(calledWith) == 1
+        assert isinstance(calledWith[0][0], int)
+        assert isinstance(calledWith[0][1], int)
+        assert calledWith[0][2] is None
+
+    def test_passwd_callback_exception(self, tmpfile):
+        """
+        `Context.use_privatekey_file` propagates any exception raised
+        by the passphrase callback.
+        """
+        pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)
+
+        def passphraseCallback(maxlen, verify, extra):
+            raise RuntimeError("Sorry, I am a fail.")
+
+        context = Context(SSLv23_METHOD)
+        context.set_passwd_cb(passphraseCallback)
+        with pytest.raises(RuntimeError):
+            context.use_privatekey_file(pemFile)
+
+    def test_passwd_callback_false(self, tmpfile):
+        """
+        `Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the
+        passphrase callback returns a false value.
+        """
+        pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)
+
+        def passphraseCallback(maxlen, verify, extra):
+            return b""
+
+        context = Context(SSLv23_METHOD)
+        context.set_passwd_cb(passphraseCallback)
+        with pytest.raises(Error):
+            context.use_privatekey_file(pemFile)
+
+    def test_passwd_callback_non_string(self, tmpfile):
+        """
+        `Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the
+        passphrase callback returns a true non-string value.
+        """
+        pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)
+
+        def passphraseCallback(maxlen, verify, extra):
+            return 10
+
+        context = Context(SSLv23_METHOD)
+        context.set_passwd_cb(passphraseCallback)
+        # TODO: Surely this is the wrong error?
+        with pytest.raises(ValueError):
+            context.use_privatekey_file(pemFile)
+
+    def test_passwd_callback_too_long(self, tmpfile):
+        """
+        If the passphrase returned by the passphrase callback returns a string
+        longer than the indicated maximum length, it is truncated.
+        """
+        # A priori knowledge!
+        passphrase = b"x" * 1024
+        pemFile = self._write_encrypted_pem(passphrase, tmpfile)
+
+        def passphraseCallback(maxlen, verify, extra):
+            assert maxlen == 1024
+            return passphrase + b"y"
+
+        context = Context(SSLv23_METHOD)
+        context.set_passwd_cb(passphraseCallback)
+        # This shall succeed because the truncated result is the correct
+        # passphrase.
+        context.use_privatekey_file(pemFile)
+
+    def test_set_info_callback(self):
+        """
+        `Context.set_info_callback` accepts a callable which will be
+        invoked when certain information about an SSL connection is available.
+        """
+        (server, client) = socket_pair()
+
+        clientSSL = Connection(Context(SSLv23_METHOD), client)
+        clientSSL.set_connect_state()
+
+        called = []
+
+        def info(conn, where, ret):
+            called.append((conn, where, ret))
+
+        context = Context(SSLv23_METHOD)
+        context.set_info_callback(info)
+        context.use_certificate(load_certificate(FILETYPE_PEM, root_cert_pem))
+        context.use_privatekey(load_privatekey(FILETYPE_PEM, root_key_pem))
+
+        serverSSL = Connection(context, server)
+        serverSSL.set_accept_state()
+
+        handshake(clientSSL, serverSSL)
+
+        # The callback must always be called with a Connection instance as the
+        # first argument.  It would probably be better to split this into
+        # separate tests for client and server side info callbacks so we could
+        # assert it is called with the right Connection instance.  It would
+        # also be good to assert *something* about `where` and `ret`.
+        notConnections = [
+            conn
+            for (conn, where, ret) in called
+            if not isinstance(conn, Connection)
+        ]
+        assert (
+            [] == notConnections
+        ), "Some info callback arguments were not Connection instances."
+
+    @pytest.mark.skipif(
+        not getattr(_lib, "Cryptography_HAS_KEYLOG", None),
+        reason="SSL_CTX_set_keylog_callback unavailable",
+    )
+    def test_set_keylog_callback(self):
+        """
+        `Context.set_keylog_callback` accepts a callable which will be
+        invoked when key material is generated or received.
+        """
+        called = []
+
+        def keylog(conn, line):
+            called.append((conn, line))
+
+        server_context = Context(TLSv1_2_METHOD)
+        server_context.set_keylog_callback(keylog)
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+
+        client_context = Context(SSLv23_METHOD)
+
+        self._handshake_test(server_context, client_context)
+
+        assert called
+        assert all(isinstance(conn, Connection) for conn, line in called)
+        assert all(b"CLIENT_RANDOM" in line for conn, line in called)
+
+    def test_set_proto_version(self):
+        if OP_NO_TLSv1_3 is None:
+            high_version = TLS1_2_VERSION
+            low_version = TLS1_1_VERSION
+        else:
+            high_version = TLS1_3_VERSION
+            low_version = TLS1_2_VERSION
+
+        server_context = Context(TLS_METHOD)
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        server_context.set_min_proto_version(high_version)
+
+        client_context = Context(TLS_METHOD)
+        client_context.set_max_proto_version(low_version)
+
+        with pytest.raises(Error, match="unsupported protocol"):
+            self._handshake_test(server_context, client_context)
+
+        client_context.set_max_proto_version(0)
+        self._handshake_test(server_context, client_context)
+
+    def _load_verify_locations_test(self, *args):
+        """
+        Create a client context which will verify the peer certificate and call
+        its `load_verify_locations` method with the given arguments.
+        Then connect it to a server and ensure that the handshake succeeds.
+        """
+        (server, client) = socket_pair()
+
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.load_verify_locations(*args)
+        # Require that the server certificate verify properly or the
+        # connection will fail.
+        clientContext.set_verify(
+            VERIFY_PEER,
+            lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
+        )
+
+        clientSSL = Connection(clientContext, client)
+        clientSSL.set_connect_state()
+
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+
+        serverSSL = Connection(serverContext, server)
+        serverSSL.set_accept_state()
+
+        # Without load_verify_locations above, the handshake
+        # will fail:
+        # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
+        #          'certificate verify failed')]
+        handshake(clientSSL, serverSSL)
+
+        cert = clientSSL.get_peer_certificate()
+        assert cert.get_subject().CN == "Testing Root CA"
+
+    def _load_verify_cafile(self, cafile):
+        """
+        Verify that if path to a file containing a certificate is passed to
+        `Context.load_verify_locations` for the ``cafile`` parameter, that
+        certificate is used as a trust root for the purposes of verifying
+        connections created using that `Context`.
+        """
+        with open(cafile, "w") as fObj:
+            fObj.write(root_cert_pem.decode("ascii"))
+
+        self._load_verify_locations_test(cafile)
+
+    def test_load_verify_bytes_cafile(self, tmpfile):
+        """
+        `Context.load_verify_locations` accepts a file name as a `bytes`
+        instance and uses the certificates within for verification purposes.
+        """
+        cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())
+        self._load_verify_cafile(cafile)
+
+    def test_load_verify_unicode_cafile(self, tmpfile):
+        """
+        `Context.load_verify_locations` accepts a file name as a `unicode`
+        instance and uses the certificates within for verification purposes.
+        """
+        self._load_verify_cafile(
+            tmpfile.decode(getfilesystemencoding()) + NON_ASCII
+        )
+
+    def test_load_verify_invalid_file(self, tmpfile):
+        """
+        `Context.load_verify_locations` raises `Error` when passed a
+        non-existent cafile.
+        """
+        clientContext = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            clientContext.load_verify_locations(tmpfile)
+
+    def _load_verify_directory_locations_capath(self, capath):
+        """
+        Verify that if path to a directory containing certificate files is
+        passed to ``Context.load_verify_locations`` for the ``capath``
+        parameter, those certificates are used as trust roots for the purposes
+        of verifying connections created using that ``Context``.
+        """
+        makedirs(capath)
+        # Hash values computed manually with c_rehash to avoid depending on
+        # c_rehash in the test suite.  One is from OpenSSL 0.9.8, the other
+        # from OpenSSL 1.0.0.
+        for name in [b"c7adac82.0", b"c3705638.0"]:
+            cafile = join_bytes_or_unicode(capath, name)
+            with open(cafile, "w") as fObj:
+                fObj.write(root_cert_pem.decode("ascii"))
+
+        self._load_verify_locations_test(None, capath)
+
+    def test_load_verify_directory_bytes_capath(self, tmpfile):
+        """
+        `Context.load_verify_locations` accepts a directory name as a `bytes`
+        instance and uses the certificates within for verification purposes.
+        """
+        self._load_verify_directory_locations_capath(
+            tmpfile + NON_ASCII.encode(getfilesystemencoding())
+        )
+
+    def test_load_verify_directory_unicode_capath(self, tmpfile):
+        """
+        `Context.load_verify_locations` accepts a directory name as a `unicode`
+        instance and uses the certificates within for verification purposes.
+        """
+        self._load_verify_directory_locations_capath(
+            tmpfile.decode(getfilesystemencoding()) + NON_ASCII
+        )
+
+    def test_load_verify_locations_wrong_args(self):
+        """
+        `Context.load_verify_locations` raises `TypeError` if with non-`str`
+        arguments.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.load_verify_locations(object())
+        with pytest.raises(TypeError):
+            context.load_verify_locations(object(), object())
+
+    @pytest.mark.skipif(
+        not platform.startswith("linux"),
+        reason="Loading fallback paths is a linux-specific behavior to "
+        "accommodate pyca/cryptography manylinux1 wheels",
+    )
+    def test_fallback_default_verify_paths(self, monkeypatch):
+        """
+        Test that we load certificates successfully on linux from the fallback
+        path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and
+        _CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the
+        current OpenSSL default is and we disable
+        SSL_CTX_SET_default_verify_paths so that it can't find certs unless
+        it loads via fallback.
+        """
+        context = Context(SSLv23_METHOD)
+        monkeypatch.setattr(
+            _lib, "SSL_CTX_set_default_verify_paths", lambda x: 1
+        )
+        monkeypatch.setattr(
+            SSL,
+            "_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",
+            _ffi.string(_lib.X509_get_default_cert_file()),
+        )
+        monkeypatch.setattr(
+            SSL,
+            "_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",
+            _ffi.string(_lib.X509_get_default_cert_dir()),
+        )
+        context.set_default_verify_paths()
+        store = context.get_cert_store()
+        sk_obj = _lib.X509_STORE_get0_objects(store._store)
+        assert sk_obj != _ffi.NULL
+        num = _lib.sk_X509_OBJECT_num(sk_obj)
+        assert num != 0
+
+    def test_check_env_vars(self, monkeypatch):
+        """
+        Test that we return True/False appropriately if the env vars are set.
+        """
+        context = Context(SSLv23_METHOD)
+        dir_var = "CUSTOM_DIR_VAR"
+        file_var = "CUSTOM_FILE_VAR"
+        assert context._check_env_vars_set(dir_var, file_var) is False
+        monkeypatch.setenv(dir_var, "value")
+        monkeypatch.setenv(file_var, "value")
+        assert context._check_env_vars_set(dir_var, file_var) is True
+        assert context._check_env_vars_set(dir_var, file_var) is True
+
+    def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):
+        """
+        Test that we don't use the fallback path if env vars are set.
+        """
+        context = Context(SSLv23_METHOD)
+        monkeypatch.setattr(
+            _lib, "SSL_CTX_set_default_verify_paths", lambda x: 1
+        )
+        dir_env_var = _ffi.string(_lib.X509_get_default_cert_dir_env()).decode(
+            "ascii"
+        )
+        file_env_var = _ffi.string(
+            _lib.X509_get_default_cert_file_env()
+        ).decode("ascii")
+        monkeypatch.setenv(dir_env_var, "value")
+        monkeypatch.setenv(file_env_var, "value")
+        context.set_default_verify_paths()
+
+        monkeypatch.setattr(
+            context, "_fallback_default_verify_paths", raiser(SystemError)
+        )
+        context.set_default_verify_paths()
+
+    @pytest.mark.skipif(
+        platform == "win32",
+        reason="set_default_verify_paths appears not to work on Windows.  "
+        "See LP#404343 and LP#404344.",
+    )
+    def _test_set_default_verify_paths(self):
+        """
+        `Context.set_default_verify_paths` causes the platform-specific CA
+        certificate locations to be used for verification purposes.
+        """
+        # Testing this requires a server with a certificate signed by one
+        # of the CAs in the platform CA location.  Getting one of those
+        # costs money.  Fortunately (or unfortunately, depending on your
+        # perspective), it's easy to think of a public server on the
+        # internet which has such a certificate.  Connecting to the network
+        # in a unit test is bad, but it's the only way I can think of to
+        # really test this. -exarkun
+        context = Context(SSLv23_METHOD)
+        context.set_default_verify_paths()
+        context.set_verify(
+            VERIFY_PEER,
+            lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
+        )
+
+        client = socket_any_family()
+        client.connect(("encrypted.google.com", 443))
+        clientSSL = Connection(context, client)
+        clientSSL.set_connect_state()
+        clientSSL.set_tlsext_host_name(b"encrypted.google.com")
+        clientSSL.do_handshake()
+        clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
+        assert clientSSL.recv(1024)
+
+    def test_fallback_path_is_not_file_or_dir(self):
+        """
+        Test that when passed empty arrays or paths that do not exist no
+        errors are raised.
+        """
+        context = Context(SSLv23_METHOD)
+        context._fallback_default_verify_paths([], [])
+        context._fallback_default_verify_paths(["/not/a/file"], ["/not/a/dir"])
+
+    def test_add_extra_chain_cert_invalid_cert(self):
+        """
+        `Context.add_extra_chain_cert` raises `TypeError` if called with an
+        object which is not an instance of `X509`.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.add_extra_chain_cert(object())
+
+    def _handshake_test(self, serverContext, clientContext):
+        """
+        Verify that a client and server created with the given contexts can
+        successfully handshake and communicate.
+        """
+        serverSocket, clientSocket = socket_pair()
+
+        server = Connection(serverContext, serverSocket)
+        server.set_accept_state()
+
+        client = Connection(clientContext, clientSocket)
+        client.set_connect_state()
+
+        # Make them talk to each other.
+        # interact_in_memory(client, server)
+        for _ in range(3):
+            for s in [client, server]:
+                try:
+                    s.do_handshake()
+                except WantReadError:
+                    pass
+
+    def test_set_verify_callback_connection_argument(self):
+        """
+        The first argument passed to the verify callback is the
+        `Connection` instance for which verification is taking place.
+        """
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+        serverConnection = Connection(serverContext, None)
+
+        class VerifyCallback(object):
+            def callback(self, connection, *args):
+                self.connection = connection
+                return 1
+
+        verify = VerifyCallback()
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.set_verify(VERIFY_PEER, verify.callback)
+        clientConnection = Connection(clientContext, None)
+        clientConnection.set_connect_state()
+
+        handshake_in_memory(clientConnection, serverConnection)
+
+        assert verify.connection is clientConnection
+
+    def test_x509_in_verify_works(self):
+        """
+        We had a bug where the X509 cert instantiated in the callback wrapper
+        didn't __init__ so it was missing objects needed when calling
+        get_subject. This test sets up a handshake where we call get_subject
+        on the cert provided to the verify callback.
+        """
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+        serverConnection = Connection(serverContext, None)
+
+        def verify_cb_get_subject(conn, cert, errnum, depth, ok):
+            assert cert.get_subject()
+            return 1
+
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.set_verify(VERIFY_PEER, verify_cb_get_subject)
+        clientConnection = Connection(clientContext, None)
+        clientConnection.set_connect_state()
+
+        handshake_in_memory(clientConnection, serverConnection)
+
+    def test_set_verify_callback_exception(self):
+        """
+        If the verify callback passed to `Context.set_verify` raises an
+        exception, verification fails and the exception is propagated to the
+        caller of `Connection.do_handshake`.
+        """
+        serverContext = Context(TLSv1_2_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+
+        clientContext = Context(TLSv1_2_METHOD)
+
+        def verify_callback(*args):
+            raise Exception("silly verify failure")
+
+        clientContext.set_verify(VERIFY_PEER, verify_callback)
+
+        with pytest.raises(Exception) as exc:
+            self._handshake_test(serverContext, clientContext)
+
+        assert "silly verify failure" == str(exc.value)
+
+    def test_set_verify_callback_reference(self):
+        """
+        If the verify callback passed to `Context.set_verify` is set multiple
+        times, the pointers to the old call functions should not be dangling
+        and trigger a segfault.
+        """
+        serverContext = Context(TLSv1_2_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+
+        clientContext = Context(TLSv1_2_METHOD)
+
+        clients = []
+
+        for i in range(5):
+
+            def verify_callback(*args):
+                return True
+
+            serverSocket, clientSocket = socket_pair()
+            client = Connection(clientContext, clientSocket)
+
+            clients.append((serverSocket, client))
+
+            clientContext.set_verify(VERIFY_PEER, verify_callback)
+
+        gc.collect()
+
+        # Make them talk to each other.
+        for serverSocket, client in clients:
+            server = Connection(serverContext, serverSocket)
+            server.set_accept_state()
+            client.set_connect_state()
+
+            for _ in range(5):
+                for s in [client, server]:
+                    try:
+                        s.do_handshake()
+                    except WantReadError:
+                        pass
+
+    @pytest.mark.parametrize("mode", [SSL.VERIFY_PEER, SSL.VERIFY_NONE])
+    def test_set_verify_default_callback(self, mode):
+        """
+        If the verify callback is omitted, the preverify value is used.
+        """
+        serverContext = Context(TLSv1_2_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, root_key_pem)
+        )
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, root_cert_pem)
+        )
+
+        clientContext = Context(TLSv1_2_METHOD)
+        clientContext.set_verify(mode, None)
+
+        if mode == SSL.VERIFY_PEER:
+            with pytest.raises(Exception) as exc:
+                self._handshake_test(serverContext, clientContext)
+            assert "certificate verify failed" in str(exc.value)
+        else:
+            self._handshake_test(serverContext, clientContext)
+
+    def test_add_extra_chain_cert(self, tmpdir):
+        """
+        `Context.add_extra_chain_cert` accepts an `X509`
+        instance to add to the certificate chain.
+
+        See `_create_certificate_chain` for the details of the
+        certificate chain tested.
+
+        The chain is tested by starting a server with scert and connecting
+        to it with a client which trusts cacert and requires verification to
+        succeed.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        # Dump the CA certificate to a file because that's the only way to load
+        # it as a trusted CA in the client context.
+        for cert, name in [
+            (cacert, "ca.pem"),
+            (icert, "i.pem"),
+            (scert, "s.pem"),
+        ]:
+            with tmpdir.join(name).open("w") as f:
+                f.write(dump_certificate(FILETYPE_PEM, cert).decode("ascii"))
+
+        for key, name in [(cakey, "ca.key"), (ikey, "i.key"), (skey, "s.key")]:
+            with tmpdir.join(name).open("w") as f:
+                f.write(dump_privatekey(FILETYPE_PEM, key).decode("ascii"))
+
+        # Create the server context
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_privatekey(skey)
+        serverContext.use_certificate(scert)
+        # The client already has cacert, we only need to give them icert.
+        serverContext.add_extra_chain_cert(icert)
+
+        # Create the client
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.set_verify(
+            VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb
+        )
+        clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))
+
+        # Try it out.
+        self._handshake_test(serverContext, clientContext)
+
+    def _use_certificate_chain_file_test(self, certdir):
+        """
+        Verify that `Context.use_certificate_chain_file` reads a
+        certificate chain from a specified file.
+
+        The chain is tested by starting a server with scert and connecting to
+        it with a client which trusts cacert and requires verification to
+        succeed.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        makedirs(certdir)
+
+        chainFile = join_bytes_or_unicode(certdir, "chain.pem")
+        caFile = join_bytes_or_unicode(certdir, "ca.pem")
+
+        # Write out the chain file.
+        with open(chainFile, "wb") as fObj:
+            # Most specific to least general.
+            fObj.write(dump_certificate(FILETYPE_PEM, scert))
+            fObj.write(dump_certificate(FILETYPE_PEM, icert))
+            fObj.write(dump_certificate(FILETYPE_PEM, cacert))
+
+        with open(caFile, "w") as fObj:
+            fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode("ascii"))
+
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_certificate_chain_file(chainFile)
+        serverContext.use_privatekey(skey)
+
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.set_verify(
+            VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb
+        )
+        clientContext.load_verify_locations(caFile)
+
+        self._handshake_test(serverContext, clientContext)
+
+    def test_use_certificate_chain_file_bytes(self, tmpfile):
+        """
+        ``Context.use_certificate_chain_file`` accepts the name of a file (as
+        an instance of ``bytes``) to specify additional certificates to use to
+        construct and verify a trust chain.
+        """
+        self._use_certificate_chain_file_test(
+            tmpfile + NON_ASCII.encode(getfilesystemencoding())
+        )
+
+    def test_use_certificate_chain_file_unicode(self, tmpfile):
+        """
+        ``Context.use_certificate_chain_file`` accepts the name of a file (as
+        an instance of ``unicode``) to specify additional certificates to use
+        to construct and verify a trust chain.
+        """
+        self._use_certificate_chain_file_test(
+            tmpfile.decode(getfilesystemencoding()) + NON_ASCII
+        )
+
+    def test_use_certificate_chain_file_wrong_args(self):
+        """
+        `Context.use_certificate_chain_file` raises `TypeError` if passed a
+        non-byte string single argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.use_certificate_chain_file(object())
+
+    def test_use_certificate_chain_file_missing_file(self, tmpfile):
+        """
+        `Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when
+        passed a bad chain file name (for example, the name of a file which
+        does not exist).
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            context.use_certificate_chain_file(tmpfile)
+
+    def test_set_verify_mode(self):
+        """
+        `Context.get_verify_mode` returns the verify mode flags previously
+        passed to `Context.set_verify`.
+        """
+        context = Context(SSLv23_METHOD)
+        assert context.get_verify_mode() == 0
+        context.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE)
+        assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)
+
+    @pytest.mark.parametrize("mode", [None, 1.0, object(), "mode"])
+    def test_set_verify_wrong_mode_arg(self, mode):
+        """
+        `Context.set_verify` raises `TypeError` if the first argument is
+        not an integer.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_verify(mode=mode)
+
+    @pytest.mark.parametrize("callback", [1.0, "mode", ("foo", "bar")])
+    def test_set_verify_wrong_callable_arg(self, callback):
+        """
+        `Context.set_verify` raises `TypeError` if the second argument
+        is not callable.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_verify(mode=VERIFY_PEER, callback=callback)
+
+    def test_load_tmp_dh_wrong_args(self):
+        """
+        `Context.load_tmp_dh` raises `TypeError` if called with a
+        non-`str` argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.load_tmp_dh(object())
+
+    def test_load_tmp_dh_missing_file(self):
+        """
+        `Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the
+        specified file does not exist.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            context.load_tmp_dh(b"hello")
+
+    def _load_tmp_dh_test(self, dhfilename):
+        """
+        Verify that calling ``Context.load_tmp_dh`` with the given filename
+        does not raise an exception.
+        """
+        context = Context(SSLv23_METHOD)
+        with open(dhfilename, "w") as dhfile:
+            dhfile.write(dhparam)
+
+        context.load_tmp_dh(dhfilename)
+
+    def test_load_tmp_dh_bytes(self, tmpfile):
+        """
+        `Context.load_tmp_dh` loads Diffie-Hellman parameters from the
+        specified file (given as ``bytes``).
+        """
+        self._load_tmp_dh_test(
+            tmpfile + NON_ASCII.encode(getfilesystemencoding()),
+        )
+
+    def test_load_tmp_dh_unicode(self, tmpfile):
+        """
+        `Context.load_tmp_dh` loads Diffie-Hellman parameters from the
+        specified file (given as ``unicode``).
+        """
+        self._load_tmp_dh_test(
+            tmpfile.decode(getfilesystemencoding()) + NON_ASCII,
+        )
+
+    def test_set_tmp_ecdh(self):
+        """
+        `Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to
+        the specified curve.
+        """
+        context = Context(SSLv23_METHOD)
+        for curve in get_elliptic_curves():
+            if curve.name.startswith(u"Oakley-"):
+                # Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds
+                # ('bignum routines', 'BN_mod_inverse', 'no inverse') to the
+                # error queue on OpenSSL 1.0.2.
+                continue
+            # The only easily "assertable" thing is that it does not raise an
+            # exception.
+            context.set_tmp_ecdh(curve)
+
+    def test_set_session_cache_mode_wrong_args(self):
+        """
+        `Context.set_session_cache_mode` raises `TypeError` if called with
+        a non-integer argument.
+        called with other than one integer argument.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_session_cache_mode(object())
+
+    def test_session_cache_mode(self):
+        """
+        `Context.set_session_cache_mode` specifies how sessions are cached.
+        The setting can be retrieved via `Context.get_session_cache_mode`.
+        """
+        context = Context(SSLv23_METHOD)
+        context.set_session_cache_mode(SESS_CACHE_OFF)
+        off = context.set_session_cache_mode(SESS_CACHE_BOTH)
+        assert SESS_CACHE_OFF == off
+        assert SESS_CACHE_BOTH == context.get_session_cache_mode()
+
+    def test_get_cert_store(self):
+        """
+        `Context.get_cert_store` returns a `X509Store` instance.
+        """
+        context = Context(SSLv23_METHOD)
+        store = context.get_cert_store()
+        assert isinstance(store, X509Store)
+
+    def test_set_tlsext_use_srtp_not_bytes(self):
+        """
+        `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.
+
+        It raises a TypeError if the list of profiles is not a byte string.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            context.set_tlsext_use_srtp(text_type("SRTP_AES128_CM_SHA1_80"))
+
+    def test_set_tlsext_use_srtp_invalid_profile(self):
+        """
+        `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.
+
+        It raises an Error if the call to OpenSSL fails.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            context.set_tlsext_use_srtp(b"SRTP_BOGUS")
+
+    def test_set_tlsext_use_srtp_valid(self):
+        """
+        `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.
+
+        It does not return anything.
+        """
+        context = Context(SSLv23_METHOD)
+        assert context.set_tlsext_use_srtp(b"SRTP_AES128_CM_SHA1_80") is None
+
+
+class TestServerNameCallback(object):
+    """
+    Tests for `Context.set_tlsext_servername_callback` and its
+    interaction with `Connection`.
+    """
+
+    def test_old_callback_forgotten(self):
+        """
+        If `Context.set_tlsext_servername_callback` is used to specify
+        a new callback, the one it replaces is dereferenced.
+        """
+
+        def callback(connection):  # pragma: no cover
+            pass
+
+        def replacement(connection):  # pragma: no cover
+            pass
+
+        context = Context(SSLv23_METHOD)
+        context.set_tlsext_servername_callback(callback)
+
+        tracker = ref(callback)
+        del callback
+
+        context.set_tlsext_servername_callback(replacement)
+
+        # One run of the garbage collector happens to work on CPython.  PyPy
+        # doesn't collect the underlying object until a second run for whatever
+        # reason.  That's fine, it still demonstrates our code has properly
+        # dropped the reference.
+        collect()
+        collect()
+
+        callback = tracker()
+        if callback is not None:
+            referrers = get_referrers(callback)
+            if len(referrers) > 1:  # pragma: nocover
+                pytest.fail("Some references remain: %r" % (referrers,))
+
+    def test_no_servername(self):
+        """
+        When a client specifies no server name, the callback passed to
+        `Context.set_tlsext_servername_callback` is invoked and the
+        result of `Connection.get_servername` is `None`.
+        """
+        args = []
+
+        def servername(conn):
+            args.append((conn, conn.get_servername()))
+
+        context = Context(SSLv23_METHOD)
+        context.set_tlsext_servername_callback(servername)
+
+        # Lose our reference to it.  The Context is responsible for keeping it
+        # alive now.
+        del servername
+        collect()
+
+        # Necessary to actually accept the connection
+        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(context, None)
+        server.set_accept_state()
+
+        client = Connection(Context(SSLv23_METHOD), None)
+        client.set_connect_state()
+
+        interact_in_memory(server, client)
+
+        assert args == [(server, None)]
+
+    def test_servername(self):
+        """
+        When a client specifies a server name in its hello message, the
+        callback passed to `Contexts.set_tlsext_servername_callback` is
+        invoked and the result of `Connection.get_servername` is that
+        server name.
+        """
+        args = []
+
+        def servername(conn):
+            args.append((conn, conn.get_servername()))
+
+        context = Context(SSLv23_METHOD)
+        context.set_tlsext_servername_callback(servername)
+
+        # Necessary to actually accept the connection
+        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(context, None)
+        server.set_accept_state()
+
+        client = Connection(Context(SSLv23_METHOD), None)
+        client.set_connect_state()
+        client.set_tlsext_host_name(b"foo1.example.com")
+
+        interact_in_memory(server, client)
+
+        assert args == [(server, b"foo1.example.com")]
+
+
+class TestApplicationLayerProtoNegotiation(object):
+    """
+    Tests for ALPN in PyOpenSSL.
+    """
+
+    def test_alpn_success(self):
+        """
+        Clients and servers that agree on the negotiated ALPN protocol can
+        correct establish a connection, and the agreed protocol is reported
+        by the connections.
+        """
+        select_args = []
+
+        def select(conn, options):
+            select_args.append((conn, options))
+            return b"spdy/2"
+
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(select)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        interact_in_memory(server, client)
+
+        assert select_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+        assert server.get_alpn_proto_negotiated() == b"spdy/2"
+        assert client.get_alpn_proto_negotiated() == b"spdy/2"
+
+    @pytest.mark.xfail(reason='https://github.com/pyca/pyopenssl/issues/1043')
+    def test_alpn_call_failure(self):
+        """
+        SSL_CTX_set_alpn_protos does not like to be called with an empty
+        protocols list. Ensure that we produce a user-visible error.
+        """
+        context = Context(SSLv23_METHOD)
+        with pytest.raises(Error):
+            context.set_alpn_protos([])
+
+    def test_alpn_set_on_connection(self):
+        """
+        The same as test_alpn_success, but setting the ALPN protocols on
+        the connection rather than the context.
+        """
+        select_args = []
+
+        def select(conn, options):
+            select_args.append((conn, options))
+            return b"spdy/2"
+
+        # Setup the client context but don't set any ALPN protocols.
+        client_context = Context(SSLv23_METHOD)
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(select)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        # Set the ALPN protocols on the client connection.
+        client = Connection(client_context, None)
+        client.set_alpn_protos([b"http/1.1", b"spdy/2"])
+        client.set_connect_state()
+
+        interact_in_memory(server, client)
+
+        assert select_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+        assert server.get_alpn_proto_negotiated() == b"spdy/2"
+        assert client.get_alpn_proto_negotiated() == b"spdy/2"
+
+    def test_alpn_server_fail(self):
+        """
+        When clients and servers cannot agree on what protocol to use next
+        the TLS connection does not get established.
+        """
+        select_args = []
+
+        def select(conn, options):
+            select_args.append((conn, options))
+            return b""
+
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(select)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        # If the client doesn't return anything, the connection will fail.
+        with pytest.raises(Error):
+            interact_in_memory(server, client)
+
+        assert select_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+    def test_alpn_no_server_overlap(self):
+        """
+        A server can allow a TLS handshake to complete without
+        agreeing to an application protocol by returning
+        ``NO_OVERLAPPING_PROTOCOLS``.
+        """
+        refusal_args = []
+
+        def refusal(conn, options):
+            refusal_args.append((conn, options))
+            return NO_OVERLAPPING_PROTOCOLS
+
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(refusal)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        # Do the dance.
+        interact_in_memory(server, client)
+
+        assert refusal_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+        assert client.get_alpn_proto_negotiated() == b""
+
+    def test_alpn_select_cb_returns_invalid_value(self):
+        """
+        If the ALPN selection callback returns anything other than
+        a bytestring or ``NO_OVERLAPPING_PROTOCOLS``, a
+        :py:exc:`TypeError` is raised.
+        """
+        invalid_cb_args = []
+
+        def invalid_cb(conn, options):
+            invalid_cb_args.append((conn, options))
+            return u"can't return unicode"
+
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(invalid_cb)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        # Do the dance.
+        with pytest.raises(TypeError):
+            interact_in_memory(server, client)
+
+        assert invalid_cb_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+        assert client.get_alpn_proto_negotiated() == b""
+
+    def test_alpn_no_server(self):
+        """
+        When clients and servers cannot agree on what protocol to use next
+        because the server doesn't offer ALPN, no protocol is negotiated.
+        """
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        # Do the dance.
+        interact_in_memory(server, client)
+
+        assert client.get_alpn_proto_negotiated() == b""
+
+    def test_alpn_callback_exception(self):
+        """
+        We can handle exceptions in the ALPN select callback.
+        """
+        select_args = []
+
+        def select(conn, options):
+            select_args.append((conn, options))
+            raise TypeError()
+
+        client_context = Context(SSLv23_METHOD)
+        client_context.set_alpn_protos([b"http/1.1", b"spdy/2"])
+
+        server_context = Context(SSLv23_METHOD)
+        server_context.set_alpn_select_callback(select)
+
+        # Necessary to actually accept the connection
+        server_context.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_context.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+
+        # Do a little connection to trigger the logic
+        server = Connection(server_context, None)
+        server.set_accept_state()
+
+        client = Connection(client_context, None)
+        client.set_connect_state()
+
+        with pytest.raises(TypeError):
+            interact_in_memory(server, client)
+        assert select_args == [(server, [b"http/1.1", b"spdy/2"])]
+
+
+class TestSession(object):
+    """
+    Unit tests for :py:obj:`OpenSSL.SSL.Session`.
+    """
+
+    def test_construction(self):
+        """
+        :py:class:`Session` can be constructed with no arguments, creating
+        a new instance of that type.
+        """
+        new_session = Session()
+        assert isinstance(new_session, Session)
+
+
+class TestConnection(object):
+    """
+    Unit tests for `OpenSSL.SSL.Connection`.
+    """
+
+    # XXX get_peer_certificate -> None
+    # XXX sock_shutdown
+    # XXX master_key -> TypeError
+    # XXX server_random -> TypeError
+    # XXX connect -> TypeError
+    # XXX connect_ex -> TypeError
+    # XXX set_connect_state -> TypeError
+    # XXX set_accept_state -> TypeError
+    # XXX do_handshake -> TypeError
+    # XXX bio_read -> TypeError
+    # XXX recv -> TypeError
+    # XXX send -> TypeError
+    # XXX bio_write -> TypeError
+
+    def test_type(self):
+        """
+        `Connection` can be used to create instances of that type.
+        """
+        ctx = Context(SSLv23_METHOD)
+        assert is_consistent_type(Connection, "Connection", ctx, None)
+
+    @pytest.mark.parametrize("bad_context", [object(), "context", None, 1])
+    def test_wrong_args(self, bad_context):
+        """
+        `Connection.__init__` raises `TypeError` if called with a non-`Context`
+        instance argument.
+        """
+        with pytest.raises(TypeError):
+            Connection(bad_context)
+
+    @pytest.mark.parametrize("bad_bio", [object(), None, 1, [1, 2, 3]])
+    def test_bio_write_wrong_args(self, bad_bio):
+        """
+        `Connection.bio_write` raises `TypeError` if called with a non-bytes
+        (or text) argument.
+        """
+        context = Context(SSLv23_METHOD)
+        connection = Connection(context, None)
+        with pytest.raises(TypeError):
+            connection.bio_write(bad_bio)
+
+    def test_bio_write(self):
+        """
+        `Connection.bio_write` does not raise if called with bytes or
+        bytearray, warns if called with text.
+        """
+        context = Context(SSLv23_METHOD)
+        connection = Connection(context, None)
+        connection.bio_write(b"xy")
+        connection.bio_write(bytearray(b"za"))
+        with pytest.warns(DeprecationWarning):
+            connection.bio_write(u"deprecated")
+
+    def test_get_context(self):
+        """
+        `Connection.get_context` returns the `Context` instance used to
+        construct the `Connection` instance.
+        """
+        context = Context(SSLv23_METHOD)
+        connection = Connection(context, None)
+        assert connection.get_context() is context
+
+    def test_set_context_wrong_args(self):
+        """
+        `Connection.set_context` raises `TypeError` if called with a
+        non-`Context` instance argument.
+        """
+        ctx = Context(SSLv23_METHOD)
+        connection = Connection(ctx, None)
+        with pytest.raises(TypeError):
+            connection.set_context(object())
+        with pytest.raises(TypeError):
+            connection.set_context("hello")
+        with pytest.raises(TypeError):
+            connection.set_context(1)
+        assert ctx is connection.get_context()
+
+    def test_set_context(self):
+        """
+        `Connection.set_context` specifies a new `Context` instance to be
+        used for the connection.
+        """
+        original = Context(SSLv23_METHOD)
+        replacement = Context(SSLv23_METHOD)
+        connection = Connection(original, None)
+        connection.set_context(replacement)
+        assert replacement is connection.get_context()
+        # Lose our references to the contexts, just in case the Connection
+        # isn't properly managing its own contributions to their reference
+        # counts.
+        del original, replacement
+        collect()
+
+    def test_set_tlsext_host_name_wrong_args(self):
+        """
+        If `Connection.set_tlsext_host_name` is called with a non-byte string
+        argument or a byte string with an embedded NUL, `TypeError` is raised.
+        """
+        conn = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(TypeError):
+            conn.set_tlsext_host_name(object())
+        with pytest.raises(TypeError):
+            conn.set_tlsext_host_name(b"with\0null")
+
+        if not PY2:
+            # On Python 3.x, don't accidentally implicitly convert from text.
+            with pytest.raises(TypeError):
+                conn.set_tlsext_host_name(b"example.com".decode("ascii"))
+
+    def test_pending(self):
+        """
+        `Connection.pending` returns the number of bytes available for
+        immediate read.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        assert connection.pending() == 0
+
+    def test_peek(self):
+        """
+        `Connection.recv` peeks into the connection if `socket.MSG_PEEK` is
+        passed.
+        """
+        server, client = loopback()
+        server.send(b"xy")
+        assert client.recv(2, MSG_PEEK) == b"xy"
+        assert client.recv(2, MSG_PEEK) == b"xy"
+        assert client.recv(2) == b"xy"
+
+    def test_connect_wrong_args(self):
+        """
+        `Connection.connect` raises `TypeError` if called with a non-address
+        argument.
+        """
+        connection = Connection(Context(SSLv23_METHOD), socket_any_family())
+        with pytest.raises(TypeError):
+            connection.connect(None)
+
+    def test_connect_refused(self):
+        """
+        `Connection.connect` raises `socket.error` if the underlying socket
+        connect method raises it.
+        """
+        client = socket_any_family()
+        context = Context(SSLv23_METHOD)
+        clientSSL = Connection(context, client)
+        # pytest.raises here doesn't work because of a bug in py.test on Python
+        # 2.6: https://github.com/pytest-dev/pytest/issues/988
+        try:
+            clientSSL.connect((loopback_address(client), 1))
+        except error as e:
+            exc = e
+        assert exc.args[0] == ECONNREFUSED
+
+    def test_connect(self):
+        """
+        `Connection.connect` establishes a connection to the specified address.
+        """
+        port = socket_any_family()
+        port.bind(("", 0))
+        port.listen(3)
+
+        clientSSL = Connection(Context(SSLv23_METHOD), socket(port.family))
+        clientSSL.connect((loopback_address(port), port.getsockname()[1]))
+        # XXX An assertion?  Or something?
+
+    @pytest.mark.skipif(
+        platform == "darwin",
+        reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4",
+    )
+    def test_connect_ex(self):
+        """
+        If there is a connection error, `Connection.connect_ex` returns the
+        errno instead of raising an exception.
+        """
+        port = socket_any_family()
+        port.bind(("", 0))
+        port.listen(3)
+
+        clientSSL = Connection(Context(SSLv23_METHOD), socket(port.family))
+        clientSSL.setblocking(False)
+        result = clientSSL.connect_ex(port.getsockname())
+        expected = (EINPROGRESS, EWOULDBLOCK)
+        assert result in expected
+
+    def test_accept(self):
+        """
+        `Connection.accept` accepts a pending connection attempt and returns a
+        tuple of a new `Connection` (the accepted client) and the address the
+        connection originated from.
+        """
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+        port = socket_any_family()
+        portSSL = Connection(ctx, port)
+        portSSL.bind(("", 0))
+        portSSL.listen(3)
+
+        clientSSL = Connection(Context(SSLv23_METHOD), socket(port.family))
+
+        # Calling portSSL.getsockname() here to get the server IP address
+        # sounds great, but frequently fails on Windows.
+        clientSSL.connect((loopback_address(port), portSSL.getsockname()[1]))
+
+        serverSSL, address = portSSL.accept()
+
+        assert isinstance(serverSSL, Connection)
+        assert serverSSL.get_context() is ctx
+        assert address == clientSSL.getsockname()
+
+    def test_shutdown_wrong_args(self):
+        """
+        `Connection.set_shutdown` raises `TypeError` if called with arguments
+        other than integers.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(TypeError):
+            connection.set_shutdown(None)
+
+    def test_shutdown(self):
+        """
+        `Connection.shutdown` performs an SSL-level connection shutdown.
+        """
+        server, client = loopback()
+        assert not server.shutdown()
+        assert server.get_shutdown() == SENT_SHUTDOWN
+        with pytest.raises(ZeroReturnError):
+            client.recv(1024)
+        assert client.get_shutdown() == RECEIVED_SHUTDOWN
+        client.shutdown()
+        assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)
+        with pytest.raises(ZeroReturnError):
+            server.recv(1024)
+        assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)
+
+    def test_shutdown_closed(self):
+        """
+        If the underlying socket is closed, `Connection.shutdown` propagates
+        the write error from the low level write call.
+        """
+        server, client = loopback()
+        server.sock_shutdown(2)
+        with pytest.raises(SysCallError) as exc:
+            server.shutdown()
+        if platform == "win32":
+            assert exc.value.args[0] == ESHUTDOWN
+        else:
+            assert exc.value.args[0] == EPIPE
+
+    def test_shutdown_truncated(self):
+        """
+        If the underlying connection is truncated, `Connection.shutdown`
+        raises an `Error`.
+        """
+        server_ctx = Context(SSLv23_METHOD)
+        client_ctx = Context(SSLv23_METHOD)
+        server_ctx.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_ctx.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+        server = Connection(server_ctx, None)
+        client = Connection(client_ctx, None)
+        handshake_in_memory(client, server)
+        assert not server.shutdown()
+        with pytest.raises(WantReadError):
+            server.shutdown()
+        server.bio_shutdown()
+        with pytest.raises(Error):
+            server.shutdown()
+
+    def test_set_shutdown(self):
+        """
+        `Connection.set_shutdown` sets the state of the SSL connection
+        shutdown process.
+        """
+        connection = Connection(Context(SSLv23_METHOD), socket_any_family())
+        connection.set_shutdown(RECEIVED_SHUTDOWN)
+        assert connection.get_shutdown() == RECEIVED_SHUTDOWN
+
+    def test_state_string(self):
+        """
+        `Connection.state_string` verbosely describes the current state of
+        the `Connection`.
+        """
+        server, client = socket_pair()
+        server = loopback_server_factory(server)
+        client = loopback_client_factory(client)
+
+        assert server.get_state_string() in [
+            b"before/accept initialization",
+            b"before SSL initialization",
+        ]
+        assert client.get_state_string() in [
+            b"before/connect initialization",
+            b"before SSL initialization",
+        ]
+
+    def test_app_data(self):
+        """
+        Any object can be set as app data by passing it to
+        `Connection.set_app_data` and later retrieved with
+        `Connection.get_app_data`.
+        """
+        conn = Connection(Context(SSLv23_METHOD), None)
+        assert None is conn.get_app_data()
+        app_data = object()
+        conn.set_app_data(app_data)
+        assert conn.get_app_data() is app_data
+
+    def test_makefile(self):
+        """
+        `Connection.makefile` is not implemented and calling that
+        method raises `NotImplementedError`.
+        """
+        conn = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(NotImplementedError):
+            conn.makefile()
+
+    def test_get_certificate(self):
+        """
+        `Connection.get_certificate` returns the local certificate.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        context = Context(SSLv23_METHOD)
+        context.use_certificate(scert)
+        client = Connection(context, None)
+        cert = client.get_certificate()
+        assert cert is not None
+        assert "Server Certificate" == cert.get_subject().CN
+
+    def test_get_certificate_none(self):
+        """
+        `Connection.get_certificate` returns the local certificate.
+
+        If there is no certificate, it returns None.
+        """
+        context = Context(SSLv23_METHOD)
+        client = Connection(context, None)
+        cert = client.get_certificate()
+        assert cert is None
+
+    def test_get_peer_cert_chain(self):
+        """
+        `Connection.get_peer_cert_chain` returns a list of certificates
+        which the connected server returned for the certification verification.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_privatekey(skey)
+        serverContext.use_certificate(scert)
+        serverContext.add_extra_chain_cert(icert)
+        serverContext.add_extra_chain_cert(cacert)
+        server = Connection(serverContext, None)
+        server.set_accept_state()
+
+        # Create the client
+        clientContext = Context(SSLv23_METHOD)
+        clientContext.set_verify(VERIFY_NONE, verify_cb)
+        client = Connection(clientContext, None)
+        client.set_connect_state()
+
+        interact_in_memory(client, server)
+
+        chain = client.get_peer_cert_chain()
+        assert len(chain) == 3
+        assert "Server Certificate" == chain[0].get_subject().CN
+        assert "Intermediate Certificate" == chain[1].get_subject().CN
+        assert "Authority Certificate" == chain[2].get_subject().CN
+
+    def test_get_peer_cert_chain_none(self):
+        """
+        `Connection.get_peer_cert_chain` returns `None` if the peer sends
+        no certificate chain.
+        """
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+        server = Connection(ctx, None)
+        server.set_accept_state()
+        client = Connection(Context(SSLv23_METHOD), None)
+        client.set_connect_state()
+        interact_in_memory(client, server)
+        assert None is server.get_peer_cert_chain()
+
+    def test_get_verified_chain(self):
+        """
+        `Connection.get_verified_chain` returns a list of certificates
+        which the connected server returned for the certification verification.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        serverContext = Context(SSLv23_METHOD)
+        serverContext.use_privatekey(skey)
+        serverContext.use_certificate(scert)
+        serverContext.add_extra_chain_cert(icert)
+        serverContext.add_extra_chain_cert(cacert)
+        server = Connection(serverContext, None)
+        server.set_accept_state()
+
+        # Create the client
+        clientContext = Context(SSLv23_METHOD)
+        # cacert is self-signed so the client must trust it for verification
+        # to succeed.
+        clientContext.get_cert_store().add_cert(cacert)
+        clientContext.set_verify(VERIFY_PEER, verify_cb)
+        client = Connection(clientContext, None)
+        client.set_connect_state()
+
+        interact_in_memory(client, server)
+
+        chain = client.get_verified_chain()
+        assert len(chain) == 3
+        assert "Server Certificate" == chain[0].get_subject().CN
+        assert "Intermediate Certificate" == chain[1].get_subject().CN
+        assert "Authority Certificate" == chain[2].get_subject().CN
+
+    def test_get_verified_chain_none(self):
+        """
+        `Connection.get_verified_chain` returns `None` if the peer sends
+        no certificate chain.
+        """
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+        server = Connection(ctx, None)
+        server.set_accept_state()
+        client = Connection(Context(SSLv23_METHOD), None)
+        client.set_connect_state()
+        interact_in_memory(client, server)
+        assert None is server.get_verified_chain()
+
+    def test_get_verified_chain_unconnected(self):
+        """
+        `Connection.get_verified_chain` returns `None` when used with an object
+        which has not been connected.
+        """
+        ctx = Context(SSLv23_METHOD)
+        server = Connection(ctx, None)
+        assert None is server.get_verified_chain()
+
+    def test_get_session_unconnected(self):
+        """
+        `Connection.get_session` returns `None` when used with an object
+        which has not been connected.
+        """
+        ctx = Context(SSLv23_METHOD)
+        server = Connection(ctx, None)
+        session = server.get_session()
+        assert None is session
+
+    def test_server_get_session(self):
+        """
+        On the server side of a connection, `Connection.get_session` returns a
+        `Session` instance representing the SSL session for that connection.
+        """
+        server, client = loopback()
+        session = server.get_session()
+        assert isinstance(session, Session)
+
+    def test_client_get_session(self):
+        """
+        On the client side of a connection, `Connection.get_session`
+        returns a `Session` instance representing the SSL session for
+        that connection.
+        """
+        server, client = loopback()
+        session = client.get_session()
+        assert isinstance(session, Session)
+
+    def test_set_session_wrong_args(self):
+        """
+        `Connection.set_session` raises `TypeError` if called with an object
+        that is not an instance of `Session`.
+        """
+        ctx = Context(SSLv23_METHOD)
+        connection = Connection(ctx, None)
+        with pytest.raises(TypeError):
+            connection.set_session(123)
+        with pytest.raises(TypeError):
+            connection.set_session("hello")
+        with pytest.raises(TypeError):
+            connection.set_session(object())
+
+    def test_client_set_session(self):
+        """
+        `Connection.set_session`, when used prior to a connection being
+        established, accepts a `Session` instance and causes an attempt to
+        re-use the session it represents when the SSL handshake is performed.
+        """
+        key = load_privatekey(FILETYPE_PEM, server_key_pem)
+        cert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        ctx = Context(TLSv1_2_METHOD)
+        ctx.use_privatekey(key)
+        ctx.use_certificate(cert)
+        ctx.set_session_id("unity-test")
+
+        def makeServer(socket):
+            server = Connection(ctx, socket)
+            server.set_accept_state()
+            return server
+
+        originalServer, originalClient = loopback(server_factory=makeServer)
+        originalSession = originalClient.get_session()
+
+        def makeClient(socket):
+            client = loopback_client_factory(socket)
+            client.set_session(originalSession)
+            return client
+
+        resumedServer, resumedClient = loopback(
+            server_factory=makeServer, client_factory=makeClient
+        )
+
+        # This is a proxy: in general, we have no access to any unique
+        # identifier for the session (new enough versions of OpenSSL expose
+        # a hash which could be usable, but "new enough" is very, very new).
+        # Instead, exploit the fact that the master key is re-used if the
+        # session is re-used.  As long as the master key for the two
+        # connections is the same, the session was re-used!
+        assert originalServer.master_key() == resumedServer.master_key()
+
+    def test_set_session_wrong_method(self):
+        """
+        If `Connection.set_session` is passed a `Session` instance associated
+        with a context using a different SSL method than the `Connection`
+        is using, a `OpenSSL.SSL.Error` is raised.
+        """
+        v1 = TLSv1_2_METHOD
+        v2 = TLSv1_METHOD
+
+        key = load_privatekey(FILETYPE_PEM, server_key_pem)
+        cert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        ctx = Context(v1)
+        ctx.use_privatekey(key)
+        ctx.use_certificate(cert)
+        ctx.set_session_id(b"unity-test")
+
+        def makeServer(socket):
+            server = Connection(ctx, socket)
+            server.set_accept_state()
+            return server
+
+        def makeOriginalClient(socket):
+            client = Connection(Context(v1), socket)
+            client.set_connect_state()
+            return client
+
+        originalServer, originalClient = loopback(
+            server_factory=makeServer, client_factory=makeOriginalClient
+        )
+        originalSession = originalClient.get_session()
+
+        def makeClient(socket):
+            # Intentionally use a different, incompatible method here.
+            client = Connection(Context(v2), socket)
+            client.set_connect_state()
+            client.set_session(originalSession)
+            return client
+
+        with pytest.raises(Error):
+            loopback(client_factory=makeClient, server_factory=makeServer)
+
+    def test_wantWriteError(self):
+        """
+        `Connection` methods which generate output raise
+        `OpenSSL.SSL.WantWriteError` if writing to the connection's BIO
+        fail indicating a should-write state.
+        """
+        client_socket, server_socket = socket_pair()
+        # Fill up the client's send buffer so Connection won't be able to write
+        # anything.  Only write a single byte at a time so we can be sure we
+        # completely fill the buffer.  Even though the socket API is allowed to
+        # signal a short write via its return value it seems this doesn't
+        # always happen on all platforms (FreeBSD and OS X particular) for the
+        # very last bit of available buffer space.
+        msg = b"x"
+        for i in range(1024 * 1024 * 64):
+            try:
+                client_socket.send(msg)
+            except error as e:
+                if e.errno == EWOULDBLOCK:
+                    break
+                raise
+        else:
+            pytest.fail(
+                "Failed to fill socket buffer, cannot test BIO want write"
+            )
+
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, client_socket)
+        # Client's speak first, so make it an SSL client
+        conn.set_connect_state()
+        with pytest.raises(WantWriteError):
+            conn.do_handshake()
+
+    # XXX want_read
+
+    def test_get_finished_before_connect(self):
+        """
+        `Connection.get_finished` returns `None` before TLS handshake
+        is completed.
+        """
+        ctx = Context(SSLv23_METHOD)
+        connection = Connection(ctx, None)
+        assert connection.get_finished() is None
+
+    def test_get_peer_finished_before_connect(self):
+        """
+        `Connection.get_peer_finished` returns `None` before TLS handshake
+        is completed.
+        """
+        ctx = Context(SSLv23_METHOD)
+        connection = Connection(ctx, None)
+        assert connection.get_peer_finished() is None
+
+    def test_get_finished(self):
+        """
+        `Connection.get_finished` method returns the TLS Finished message send
+        from client, or server. Finished messages are send during
+        TLS handshake.
+        """
+        server, client = loopback()
+
+        assert server.get_finished() is not None
+        assert len(server.get_finished()) > 0
+
+    def test_get_peer_finished(self):
+        """
+        `Connection.get_peer_finished` method returns the TLS Finished
+        message received from client, or server. Finished messages are send
+        during TLS handshake.
+        """
+        server, client = loopback()
+
+        assert server.get_peer_finished() is not None
+        assert len(server.get_peer_finished()) > 0
+
+    def test_tls_finished_message_symmetry(self):
+        """
+        The TLS Finished message send by server must be the TLS Finished
+        message received by client.
+
+        The TLS Finished message send by client must be the TLS Finished
+        message received by server.
+        """
+        server, client = loopback()
+
+        assert server.get_finished() == client.get_peer_finished()
+        assert client.get_finished() == server.get_peer_finished()
+
+    def test_get_cipher_name_before_connect(self):
+        """
+        `Connection.get_cipher_name` returns `None` if no connection
+        has been established.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        assert conn.get_cipher_name() is None
+
+    def test_get_cipher_name(self):
+        """
+        `Connection.get_cipher_name` returns a `unicode` string giving the
+        name of the currently used cipher.
+        """
+        server, client = loopback()
+        server_cipher_name, client_cipher_name = (
+            server.get_cipher_name(),
+            client.get_cipher_name(),
+        )
+
+        assert isinstance(server_cipher_name, text_type)
+        assert isinstance(client_cipher_name, text_type)
+
+        assert server_cipher_name == client_cipher_name
+
+    def test_get_cipher_version_before_connect(self):
+        """
+        `Connection.get_cipher_version` returns `None` if no connection
+        has been established.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        assert conn.get_cipher_version() is None
+
+    def test_get_cipher_version(self):
+        """
+        `Connection.get_cipher_version` returns a `unicode` string giving
+        the protocol name of the currently used cipher.
+        """
+        server, client = loopback()
+        server_cipher_version, client_cipher_version = (
+            server.get_cipher_version(),
+            client.get_cipher_version(),
+        )
+
+        assert isinstance(server_cipher_version, text_type)
+        assert isinstance(client_cipher_version, text_type)
+
+        assert server_cipher_version == client_cipher_version
+
+    def test_get_cipher_bits_before_connect(self):
+        """
+        `Connection.get_cipher_bits` returns `None` if no connection has
+        been established.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        assert conn.get_cipher_bits() is None
+
+    def test_get_cipher_bits(self):
+        """
+        `Connection.get_cipher_bits` returns the number of secret bits
+        of the currently used cipher.
+        """
+        server, client = loopback()
+        server_cipher_bits, client_cipher_bits = (
+            server.get_cipher_bits(),
+            client.get_cipher_bits(),
+        )
+
+        assert isinstance(server_cipher_bits, int)
+        assert isinstance(client_cipher_bits, int)
+
+        assert server_cipher_bits == client_cipher_bits
+
+    def test_get_protocol_version_name(self):
+        """
+        `Connection.get_protocol_version_name()` returns a string giving the
+        protocol version of the current connection.
+        """
+        server, client = loopback()
+        client_protocol_version_name = client.get_protocol_version_name()
+        server_protocol_version_name = server.get_protocol_version_name()
+
+        assert isinstance(server_protocol_version_name, text_type)
+        assert isinstance(client_protocol_version_name, text_type)
+
+        assert server_protocol_version_name == client_protocol_version_name
+
+    def test_get_protocol_version(self):
+        """
+        `Connection.get_protocol_version()` returns an integer
+        giving the protocol version of the current connection.
+        """
+        server, client = loopback()
+        client_protocol_version = client.get_protocol_version()
+        server_protocol_version = server.get_protocol_version()
+
+        assert isinstance(server_protocol_version, int)
+        assert isinstance(client_protocol_version, int)
+
+        assert server_protocol_version == client_protocol_version
+
+    def test_wantReadError(self):
+        """
+        `Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are
+        no bytes available to be read from the BIO.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        with pytest.raises(WantReadError):
+            conn.bio_read(1024)
+
+    @pytest.mark.parametrize("bufsize", [1.0, None, object(), "bufsize"])
+    def test_bio_read_wrong_args(self, bufsize):
+        """
+        `Connection.bio_read` raises `TypeError` if passed a non-integer
+        argument.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        with pytest.raises(TypeError):
+            conn.bio_read(bufsize)
+
+    def test_buffer_size(self):
+        """
+        `Connection.bio_read` accepts an integer giving the maximum number
+        of bytes to read and return.
+        """
+        ctx = Context(SSLv23_METHOD)
+        conn = Connection(ctx, None)
+        conn.set_connect_state()
+        try:
+            conn.do_handshake()
+        except WantReadError:
+            pass
+        data = conn.bio_read(2)
+        assert 2 == len(data)
+
+
+class TestConnectionGetCipherList(object):
+    """
+    Tests for `Connection.get_cipher_list`.
+    """
+
+    def test_result(self):
+        """
+        `Connection.get_cipher_list` returns a list of `bytes` giving the
+        names of the ciphers which might be used.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        ciphers = connection.get_cipher_list()
+        assert isinstance(ciphers, list)
+        for cipher in ciphers:
+            assert isinstance(cipher, str)
+
+
+class VeryLarge(bytes):
+    """
+    Mock object so that we don't have to allocate 2**31 bytes
+    """
+
+    def __len__(self):
+        return 2 ** 31
+
+
+class TestConnectionSend(object):
+    """
+    Tests for `Connection.send`.
+    """
+
+    def test_wrong_args(self):
+        """
+        When called with arguments other than string argument for its first
+        parameter, `Connection.send` raises `TypeError`.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(TypeError):
+            connection.send(object())
+        with pytest.raises(TypeError):
+            connection.send([1, 2, 3])
+
+    def test_short_bytes(self):
+        """
+        When passed a short byte string, `Connection.send` transmits all of it
+        and returns the number of bytes sent.
+        """
+        server, client = loopback()
+        count = server.send(b"xy")
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    def test_text(self):
+        """
+        When passed a text, `Connection.send` transmits all of it and
+        returns the number of bytes sent. It also raises a DeprecationWarning.
+        """
+        server, client = loopback()
+        with pytest.warns(DeprecationWarning) as w:
+            simplefilter("always")
+            count = server.send(b"xy".decode("ascii"))
+            assert "{0} for buf is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            ) == str(w[-1].message)
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    def test_short_memoryview(self):
+        """
+        When passed a memoryview onto a small number of bytes,
+        `Connection.send` transmits all of them and returns the number
+        of bytes sent.
+        """
+        server, client = loopback()
+        count = server.send(memoryview(b"xy"))
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    def test_short_bytearray(self):
+        """
+        When passed a short bytearray, `Connection.send` transmits all of
+        it and returns the number of bytes sent.
+        """
+        server, client = loopback()
+        count = server.send(bytearray(b"xy"))
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    @skip_if_py3
+    def test_short_buffer(self):
+        """
+        When passed a buffer containing a small number of bytes,
+        `Connection.send` transmits all of them and returns the number
+        of bytes sent.
+        """
+        server, client = loopback()
+        count = server.send(buffer(b"xy"))  # noqa: F821
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    @pytest.mark.skipif(
+        sys.maxsize < 2 ** 31,
+        reason="sys.maxsize < 2**31 - test requires 64 bit",
+    )
+    def test_buf_too_large(self):
+        """
+        When passed a buffer containing >= 2**31 bytes,
+        `Connection.send` bails out as SSL_write only
+        accepts an int for the buffer length.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(ValueError) as exc_info:
+            connection.send(VeryLarge())
+        exc_info.match(r"Cannot send more than .+ bytes at once")
+
+
+def _make_memoryview(size):
+    """
+    Create a new ``memoryview`` wrapped around a ``bytearray`` of the given
+    size.
+    """
+    return memoryview(bytearray(size))
+
+
+class TestConnectionRecvInto(object):
+    """
+    Tests for `Connection.recv_into`.
+    """
+
+    def _no_length_test(self, factory):
+        """
+        Assert that when the given buffer is passed to `Connection.recv_into`,
+        whatever bytes are available to be received that fit into that buffer
+        are written into that buffer.
+        """
+        output_buffer = factory(5)
+
+        server, client = loopback()
+        server.send(b"xy")
+
+        assert client.recv_into(output_buffer) == 2
+        assert output_buffer == bytearray(b"xy\x00\x00\x00")
+
+    def test_bytearray_no_length(self):
+        """
+        `Connection.recv_into` can be passed a `bytearray` instance and data
+        in the receive buffer is written to it.
+        """
+        self._no_length_test(bytearray)
+
+    def _respects_length_test(self, factory):
+        """
+        Assert that when the given buffer is passed to `Connection.recv_into`
+        along with a value for `nbytes` that is less than the size of that
+        buffer, only `nbytes` bytes are written into the buffer.
+        """
+        output_buffer = factory(10)
+
+        server, client = loopback()
+        server.send(b"abcdefghij")
+
+        assert client.recv_into(output_buffer, 5) == 5
+        assert output_buffer == bytearray(b"abcde\x00\x00\x00\x00\x00")
+
+    def test_bytearray_respects_length(self):
+        """
+        When called with a `bytearray` instance, `Connection.recv_into`
+        respects the `nbytes` parameter and doesn't copy in more than that
+        number of bytes.
+        """
+        self._respects_length_test(bytearray)
+
+    def _doesnt_overfill_test(self, factory):
+        """
+        Assert that if there are more bytes available to be read from the
+        receive buffer than would fit into the buffer passed to
+        `Connection.recv_into`, only as many as fit are written into it.
+        """
+        output_buffer = factory(5)
+
+        server, client = loopback()
+        server.send(b"abcdefghij")
+
+        assert client.recv_into(output_buffer) == 5
+        assert output_buffer == bytearray(b"abcde")
+        rest = client.recv(5)
+        assert b"fghij" == rest
+
+    def test_bytearray_doesnt_overfill(self):
+        """
+        When called with a `bytearray` instance, `Connection.recv_into`
+        respects the size of the array and doesn't write more bytes into it
+        than will fit.
+        """
+        self._doesnt_overfill_test(bytearray)
+
+    def test_bytearray_really_doesnt_overfill(self):
+        """
+        When called with a `bytearray` instance and an `nbytes` value that is
+        too large, `Connection.recv_into` respects the size of the array and
+        not the `nbytes` value and doesn't write more bytes into the buffer
+        than will fit.
+        """
+        self._doesnt_overfill_test(bytearray)
+
+    def test_peek(self):
+        server, client = loopback()
+        server.send(b"xy")
+
+        for _ in range(2):
+            output_buffer = bytearray(5)
+            assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2
+            assert output_buffer == bytearray(b"xy\x00\x00\x00")
+
+    def test_memoryview_no_length(self):
+        """
+        `Connection.recv_into` can be passed a `memoryview` instance and data
+        in the receive buffer is written to it.
+        """
+        self._no_length_test(_make_memoryview)
+
+    def test_memoryview_respects_length(self):
+        """
+        When called with a `memoryview` instance, `Connection.recv_into`
+        respects the ``nbytes`` parameter and doesn't copy more than that
+        number of bytes in.
+        """
+        self._respects_length_test(_make_memoryview)
+
+    def test_memoryview_doesnt_overfill(self):
+        """
+        When called with a `memoryview` instance, `Connection.recv_into`
+        respects the size of the array and doesn't write more bytes into it
+        than will fit.
+        """
+        self._doesnt_overfill_test(_make_memoryview)
+
+    def test_memoryview_really_doesnt_overfill(self):
+        """
+        When called with a `memoryview` instance and an `nbytes` value that is
+        too large, `Connection.recv_into` respects the size of the array and
+        not the `nbytes` value and doesn't write more bytes into the buffer
+        than will fit.
+        """
+        self._doesnt_overfill_test(_make_memoryview)
+
+
+class TestConnectionSendall(object):
+    """
+    Tests for `Connection.sendall`.
+    """
+
+    def test_wrong_args(self):
+        """
+        When called with arguments other than a string argument for its first
+        parameter, `Connection.sendall` raises `TypeError`.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        with pytest.raises(TypeError):
+            connection.sendall(object())
+        with pytest.raises(TypeError):
+            connection.sendall([1, 2, 3])
+
+    def test_short(self):
+        """
+        `Connection.sendall` transmits all of the bytes in the string
+        passed to it.
+        """
+        server, client = loopback()
+        server.sendall(b"x")
+        assert client.recv(1) == b"x"
+
+    def test_text(self):
+        """
+        `Connection.sendall` transmits all the content in the string passed
+        to it, raising a DeprecationWarning in case of this being a text.
+        """
+        server, client = loopback()
+        with pytest.warns(DeprecationWarning) as w:
+            simplefilter("always")
+            server.sendall(b"x".decode("ascii"))
+            assert "{0} for buf is no longer accepted, use bytes".format(
+                WARNING_TYPE_EXPECTED
+            ) == str(w[-1].message)
+        assert client.recv(1) == b"x"
+
+    def test_short_memoryview(self):
+        """
+        When passed a memoryview onto a small number of bytes,
+        `Connection.sendall` transmits all of them.
+        """
+        server, client = loopback()
+        server.sendall(memoryview(b"x"))
+        assert client.recv(1) == b"x"
+
+    @skip_if_py3
+    def test_short_buffers(self):
+        """
+        When passed a buffer containing a small number of bytes,
+        `Connection.sendall` transmits all of them.
+        """
+        server, client = loopback()
+        count = server.sendall(buffer(b"xy"))  # noqa: F821
+        assert count == 2
+        assert client.recv(2) == b"xy"
+
+    def test_long(self):
+        """
+        `Connection.sendall` transmits all the bytes in the string passed to it
+        even if this requires multiple calls of an underlying write function.
+        """
+        server, client = loopback()
+        # Should be enough, underlying SSL_write should only do 16k at a time.
+        # On Windows, after 32k of bytes the write will block (forever
+        # - because no one is yet reading).
+        message = b"x" * (1024 * 32 - 1) + b"y"
+        server.sendall(message)
+        accum = []
+        received = 0
+        while received < len(message):
+            data = client.recv(1024)
+            accum.append(data)
+            received += len(data)
+        assert message == b"".join(accum)
+
+    def test_closed(self):
+        """
+        If the underlying socket is closed, `Connection.sendall` propagates the
+        write error from the low level write call.
+        """
+        server, client = loopback()
+        server.sock_shutdown(2)
+        with pytest.raises(SysCallError) as err:
+            server.sendall(b"hello, world")
+        if platform == "win32":
+            assert err.value.args[0] == ESHUTDOWN
+        else:
+            assert err.value.args[0] == EPIPE
+
+
+class TestConnectionRenegotiate(object):
+    """
+    Tests for SSL renegotiation APIs.
+    """
+
+    def test_total_renegotiations(self):
+        """
+        `Connection.total_renegotiations` returns `0` before any renegotiations
+        have happened.
+        """
+        connection = Connection(Context(SSLv23_METHOD), None)
+        assert connection.total_renegotiations() == 0
+
+    def test_renegotiate(self):
+        """
+        Go through a complete renegotiation cycle.
+        """
+        server, client = loopback(
+            lambda s: loopback_server_factory(s, TLSv1_2_METHOD),
+            lambda s: loopback_client_factory(s, TLSv1_2_METHOD),
+        )
+
+        server.send(b"hello world")
+
+        assert b"hello world" == client.recv(len(b"hello world"))
+
+        assert 0 == server.total_renegotiations()
+        assert False is server.renegotiate_pending()
+
+        assert True is server.renegotiate()
+
+        assert True is server.renegotiate_pending()
+
+        server.setblocking(False)
+        client.setblocking(False)
+
+        client.do_handshake()
+        server.do_handshake()
+
+        assert 1 == server.total_renegotiations()
+        while False is server.renegotiate_pending():
+            pass
+
+
+class TestError(object):
+    """
+    Unit tests for `OpenSSL.SSL.Error`.
+    """
+
+    def test_type(self):
+        """
+        `Error` is an exception type.
+        """
+        assert issubclass(Error, Exception)
+        assert Error.__name__ == "Error"
+
+
+class TestConstants(object):
+    """
+    Tests for the values of constants exposed in `OpenSSL.SSL`.
+
+    These are values defined by OpenSSL intended only to be used as flags to
+    OpenSSL APIs.  The only assertions it seems can be made about them is
+    their values.
+    """
+
+    @pytest.mark.skipif(
+        OP_NO_QUERY_MTU is None,
+        reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old",
+    )
+    def test_op_no_query_mtu(self):
+        """
+        The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value
+        of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.
+        """
+        assert OP_NO_QUERY_MTU == 0x1000
+
+    @pytest.mark.skipif(
+        OP_COOKIE_EXCHANGE is None,
+        reason="OP_COOKIE_EXCHANGE unavailable - "
+        "OpenSSL version may be too old",
+    )
+    def test_op_cookie_exchange(self):
+        """
+        The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the
+        value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.
+        """
+        assert OP_COOKIE_EXCHANGE == 0x2000
+
+    @pytest.mark.skipif(
+        OP_NO_TICKET is None,
+        reason="OP_NO_TICKET unavailable - OpenSSL version may be too old",
+    )
+    def test_op_no_ticket(self):
+        """
+        The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of
+        `SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.
+        """
+        assert OP_NO_TICKET == 0x4000
+
+    @pytest.mark.skipif(
+        OP_NO_COMPRESSION is None,
+        reason=(
+            "OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"
+        ),
+    )
+    def test_op_no_compression(self):
+        """
+        The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the
+        value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.
+        """
+        assert OP_NO_COMPRESSION == 0x20000
+
+    def test_sess_cache_off(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of
+        `SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.
+        """
+        assert 0x0 == SESS_CACHE_OFF
+
+    def test_sess_cache_client(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of
+        `SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.
+        """
+        assert 0x1 == SESS_CACHE_CLIENT
+
+    def test_sess_cache_server(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of
+        `SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.
+        """
+        assert 0x2 == SESS_CACHE_SERVER
+
+    def test_sess_cache_both(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of
+        `SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.
+        """
+        assert 0x3 == SESS_CACHE_BOTH
+
+    def test_sess_cache_no_auto_clear(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the
+        value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by
+        `openssl/ssl.h`.
+        """
+        assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR
+
+    def test_sess_cache_no_internal_lookup(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,
+        the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by
+        `openssl/ssl.h`.
+        """
+        assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP
+
+    def test_sess_cache_no_internal_store(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,
+        the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by
+        `openssl/ssl.h`.
+        """
+        assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE
+
+    def test_sess_cache_no_internal(self):
+        """
+        The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the
+        value of `SSL_SESS_CACHE_NO_INTERNAL` defined by
+        `openssl/ssl.h`.
+        """
+        assert 0x300 == SESS_CACHE_NO_INTERNAL
+
+
+class TestMemoryBIO(object):
+    """
+    Tests for `OpenSSL.SSL.Connection` using a memory BIO.
+    """
+
+    def _server(self, sock):
+        """
+        Create a new server-side SSL `Connection` object wrapped around `sock`.
+        """
+        # Create the server side Connection.  This is mostly setup boilerplate
+        # - use TLSv1, use a particular certificate, etc.
+        server_ctx = Context(SSLv23_METHOD)
+        server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)
+        server_ctx.set_verify(
+            VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,
+            verify_cb,
+        )
+        server_store = server_ctx.get_cert_store()
+        server_ctx.use_privatekey(
+            load_privatekey(FILETYPE_PEM, server_key_pem)
+        )
+        server_ctx.use_certificate(
+            load_certificate(FILETYPE_PEM, server_cert_pem)
+        )
+        server_ctx.check_privatekey()
+        server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
+        # Here the Connection is actually created.  If None is passed as the
+        # 2nd parameter, it indicates a memory BIO should be created.
+        server_conn = Connection(server_ctx, sock)
+        server_conn.set_accept_state()
+        return server_conn
+
+    def _client(self, sock):
+        """
+        Create a new client-side SSL `Connection` object wrapped around `sock`.
+        """
+        # Now create the client side Connection.  Similar boilerplate to the
+        # above.
+        client_ctx = Context(SSLv23_METHOD)
+        client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)
+        client_ctx.set_verify(
+            VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,
+            verify_cb,
+        )
+        client_store = client_ctx.get_cert_store()
+        client_ctx.use_privatekey(
+            load_privatekey(FILETYPE_PEM, client_key_pem)
+        )
+        client_ctx.use_certificate(
+            load_certificate(FILETYPE_PEM, client_cert_pem)
+        )
+        client_ctx.check_privatekey()
+        client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
+        client_conn = Connection(client_ctx, sock)
+        client_conn.set_connect_state()
+        return client_conn
+
+    def test_memory_connect(self):
+        """
+        Two `Connection`s which use memory BIOs can be manually connected by
+        reading from the output of each and writing those bytes to the input of
+        the other and in this way establish a connection and exchange
+        application-level bytes with each other.
+        """
+        server_conn = self._server(None)
+        client_conn = self._client(None)
+
+        # There should be no key or nonces yet.
+        assert server_conn.master_key() is None
+        assert server_conn.client_random() is None
+        assert server_conn.server_random() is None
+
+        # First, the handshake needs to happen.  We'll deliver bytes back and
+        # forth between the client and server until neither of them feels like
+        # speaking any more.
+        assert interact_in_memory(client_conn, server_conn) is None
+
+        # Now that the handshake is done, there should be a key and nonces.
+        assert server_conn.master_key() is not None
+        assert server_conn.client_random() is not None
+        assert server_conn.server_random() is not None
+        assert server_conn.client_random() == client_conn.client_random()
+        assert server_conn.server_random() == client_conn.server_random()
+        assert server_conn.client_random() != server_conn.server_random()
+        assert client_conn.client_random() != client_conn.server_random()
+
+        # Export key material for other uses.
+        cekm = client_conn.export_keying_material(b"LABEL", 32)
+        sekm = server_conn.export_keying_material(b"LABEL", 32)
+        assert cekm is not None
+        assert sekm is not None
+        assert cekm == sekm
+        assert len(sekm) == 32
+
+        # Export key material for other uses with additional context.
+        cekmc = client_conn.export_keying_material(b"LABEL", 32, b"CONTEXT")
+        sekmc = server_conn.export_keying_material(b"LABEL", 32, b"CONTEXT")
+        assert cekmc is not None
+        assert sekmc is not None
+        assert cekmc == sekmc
+        assert cekmc != cekm
+        assert sekmc != sekm
+        # Export with alternate label
+        cekmt = client_conn.export_keying_material(b"test", 32, b"CONTEXT")
+        sekmt = server_conn.export_keying_material(b"test", 32, b"CONTEXT")
+        assert cekmc != cekmt
+        assert sekmc != sekmt
+
+        # Here are the bytes we'll try to send.
+        important_message = b"One if by land, two if by sea."
+
+        server_conn.write(important_message)
+        assert interact_in_memory(client_conn, server_conn) == (
+            client_conn,
+            important_message,
+        )
+
+        client_conn.write(important_message[::-1])
+        assert interact_in_memory(client_conn, server_conn) == (
+            server_conn,
+            important_message[::-1],
+        )
+
+    def test_socket_connect(self):
+        """
+        Just like `test_memory_connect` but with an actual socket.
+
+        This is primarily to rule out the memory BIO code as the source of any
+        problems encountered while passing data over a `Connection` (if
+        this test fails, there must be a problem outside the memory BIO code,
+        as no memory BIO is involved here).  Even though this isn't a memory
+        BIO test, it's convenient to have it here.
+        """
+        server_conn, client_conn = loopback()
+
+        important_message = b"Help me Obi Wan Kenobi, you're my only hope."
+        client_conn.send(important_message)
+        msg = server_conn.recv(1024)
+        assert msg == important_message
+
+        # Again in the other direction, just for fun.
+        important_message = important_message[::-1]
+        server_conn.send(important_message)
+        msg = client_conn.recv(1024)
+        assert msg == important_message
+
+    def test_socket_overrides_memory(self):
+        """
+        Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't
+        work on `OpenSSL.SSL.Connection`() that use sockets.
+        """
+        context = Context(SSLv23_METHOD)
+        client = socket_any_family()
+        clientSSL = Connection(context, client)
+        with pytest.raises(TypeError):
+            clientSSL.bio_read(100)
+        with pytest.raises(TypeError):
+            clientSSL.bio_write(b"foo")
+        with pytest.raises(TypeError):
+            clientSSL.bio_shutdown()
+
+    def test_outgoing_overflow(self):
+        """
+        If more bytes than can be written to the memory BIO are passed to
+        `Connection.send` at once, the number of bytes which were written is
+        returned and that many bytes from the beginning of the input can be
+        read from the other end of the connection.
+        """
+        server = self._server(None)
+        client = self._client(None)
+
+        interact_in_memory(client, server)
+
+        size = 2 ** 15
+        sent = client.send(b"x" * size)
+        # Sanity check.  We're trying to test what happens when the entire
+        # input can't be sent.  If the entire input was sent, this test is
+        # meaningless.
+        assert sent < size
+
+        receiver, received = interact_in_memory(client, server)
+        assert receiver is server
+
+        # We can rely on all of these bytes being received at once because
+        # loopback passes 2 ** 16 to recv - more than 2 ** 15.
+        assert len(received) == sent
+
+    def test_shutdown(self):
+        """
+        `Connection.bio_shutdown` signals the end of the data stream
+        from which the `Connection` reads.
+        """
+        server = self._server(None)
+        server.bio_shutdown()
+        with pytest.raises(Error) as err:
+            server.recv(1024)
+        # We don't want WantReadError or ZeroReturnError or anything - it's a
+        # handshake failure.
+        assert type(err.value) in [Error, SysCallError]
+
+    def test_unexpected_EOF(self):
+        """
+        If the connection is lost before an orderly SSL shutdown occurs,
+        `OpenSSL.SSL.SysCallError` is raised with a message of
+        "Unexpected EOF".
+        """
+        server_conn, client_conn = loopback()
+        client_conn.sock_shutdown(SHUT_RDWR)
+        with pytest.raises(SysCallError) as err:
+            server_conn.recv(1024)
+        assert err.value.args == (-1, "Unexpected EOF")
+
+    def _check_client_ca_list(self, func):
+        """
+        Verify the return value of the `get_client_ca_list` method for
+        server and client connections.
+
+        :param func: A function which will be called with the server context
+            before the client and server are connected to each other.  This
+            function should specify a list of CAs for the server to send to the
+            client and return that same list.  The list will be used to verify
+            that `get_client_ca_list` returns the proper value at
+            various times.
+        """
+        server = self._server(None)
+        client = self._client(None)
+        assert client.get_client_ca_list() == []
+        assert server.get_client_ca_list() == []
+        ctx = server.get_context()
+        expected = func(ctx)
+        assert client.get_client_ca_list() == []
+        assert server.get_client_ca_list() == expected
+        interact_in_memory(client, server)
+        assert client.get_client_ca_list() == expected
+        assert server.get_client_ca_list() == expected
+
+    def test_set_client_ca_list_errors(self):
+        """
+        `Context.set_client_ca_list` raises a `TypeError` if called with a
+        non-list or a list that contains objects other than X509Names.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            ctx.set_client_ca_list("spam")
+        with pytest.raises(TypeError):
+            ctx.set_client_ca_list(["spam"])
+
+    def test_set_empty_ca_list(self):
+        """
+        If passed an empty list, `Context.set_client_ca_list` configures the
+        context to send no CA names to the client and, on both the server and
+        client sides, `Connection.get_client_ca_list` returns an empty list
+        after the connection is set up.
+        """
+
+        def no_ca(ctx):
+            ctx.set_client_ca_list([])
+            return []
+
+        self._check_client_ca_list(no_ca)
+
+    def test_set_one_ca_list(self):
+        """
+        If passed a list containing a single X509Name,
+        `Context.set_client_ca_list` configures the context to send
+        that CA name to the client and, on both the server and client sides,
+        `Connection.get_client_ca_list` returns a list containing that
+        X509Name after the connection is set up.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        cadesc = cacert.get_subject()
+
+        def single_ca(ctx):
+            ctx.set_client_ca_list([cadesc])
+            return [cadesc]
+
+        self._check_client_ca_list(single_ca)
+
+    def test_set_multiple_ca_list(self):
+        """
+        If passed a list containing multiple X509Name objects,
+        `Context.set_client_ca_list` configures the context to send
+        those CA names to the client and, on both the server and client sides,
+        `Connection.get_client_ca_list` returns a list containing those
+        X509Names after the connection is set up.
+        """
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        sedesc = secert.get_subject()
+        cldesc = clcert.get_subject()
+
+        def multiple_ca(ctx):
+            L = [sedesc, cldesc]
+            ctx.set_client_ca_list(L)
+            return L
+
+        self._check_client_ca_list(multiple_ca)
+
+    def test_reset_ca_list(self):
+        """
+        If called multiple times, only the X509Names passed to the final call
+        of `Context.set_client_ca_list` are used to configure the CA
+        names sent to the client.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        cadesc = cacert.get_subject()
+        sedesc = secert.get_subject()
+        cldesc = clcert.get_subject()
+
+        def changed_ca(ctx):
+            ctx.set_client_ca_list([sedesc, cldesc])
+            ctx.set_client_ca_list([cadesc])
+            return [cadesc]
+
+        self._check_client_ca_list(changed_ca)
+
+    def test_mutated_ca_list(self):
+        """
+        If the list passed to `Context.set_client_ca_list` is mutated
+        afterwards, this does not affect the list of CA names sent to the
+        client.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        cadesc = cacert.get_subject()
+        sedesc = secert.get_subject()
+
+        def mutated_ca(ctx):
+            L = [cadesc]
+            ctx.set_client_ca_list([cadesc])
+            L.append(sedesc)
+            return [cadesc]
+
+        self._check_client_ca_list(mutated_ca)
+
+    def test_add_client_ca_wrong_args(self):
+        """
+        `Context.add_client_ca` raises `TypeError` if called with
+        a non-X509 object.
+        """
+        ctx = Context(SSLv23_METHOD)
+        with pytest.raises(TypeError):
+            ctx.add_client_ca("spam")
+
+    def test_one_add_client_ca(self):
+        """
+        A certificate's subject can be added as a CA to be sent to the client
+        with `Context.add_client_ca`.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        cadesc = cacert.get_subject()
+
+        def single_ca(ctx):
+            ctx.add_client_ca(cacert)
+            return [cadesc]
+
+        self._check_client_ca_list(single_ca)
+
+    def test_multiple_add_client_ca(self):
+        """
+        Multiple CA names can be sent to the client by calling
+        `Context.add_client_ca` with multiple X509 objects.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        cadesc = cacert.get_subject()
+        sedesc = secert.get_subject()
+
+        def multiple_ca(ctx):
+            ctx.add_client_ca(cacert)
+            ctx.add_client_ca(secert)
+            return [cadesc, sedesc]
+
+        self._check_client_ca_list(multiple_ca)
+
+    def test_set_and_add_client_ca(self):
+        """
+        A call to `Context.set_client_ca_list` followed by a call to
+        `Context.add_client_ca` results in using the CA names from the
+        first call and the CA name from the second call.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        cadesc = cacert.get_subject()
+        sedesc = secert.get_subject()
+        cldesc = clcert.get_subject()
+
+        def mixed_set_add_ca(ctx):
+            ctx.set_client_ca_list([cadesc, sedesc])
+            ctx.add_client_ca(clcert)
+            return [cadesc, sedesc, cldesc]
+
+        self._check_client_ca_list(mixed_set_add_ca)
+
+    def test_set_after_add_client_ca(self):
+        """
+        A call to `Context.set_client_ca_list` after a call to
+        `Context.add_client_ca` replaces the CA name specified by the
+        former call with the names specified by the latter call.
+        """
+        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
+        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
+
+        cadesc = cacert.get_subject()
+        sedesc = secert.get_subject()
+
+        def set_replaces_add_ca(ctx):
+            ctx.add_client_ca(clcert)
+            ctx.set_client_ca_list([cadesc])
+            ctx.add_client_ca(secert)
+            return [cadesc, sedesc]
+
+        self._check_client_ca_list(set_replaces_add_ca)
+
+
+class TestInfoConstants(object):
+    """
+    Tests for assorted constants exposed for use in info callbacks.
+    """
+
+    def test_integers(self):
+        """
+        All of the info constants are integers.
+
+        This is a very weak test.  It would be nice to have one that actually
+        verifies that as certain info events happen, the value passed to the
+        info callback matches up with the constant exposed by OpenSSL.SSL.
+        """
+        for const in [
+            SSL_ST_CONNECT,
+            SSL_ST_ACCEPT,
+            SSL_ST_MASK,
+            SSL_CB_LOOP,
+            SSL_CB_EXIT,
+            SSL_CB_READ,
+            SSL_CB_WRITE,
+            SSL_CB_ALERT,
+            SSL_CB_READ_ALERT,
+            SSL_CB_WRITE_ALERT,
+            SSL_CB_ACCEPT_LOOP,
+            SSL_CB_ACCEPT_EXIT,
+            SSL_CB_CONNECT_LOOP,
+            SSL_CB_CONNECT_EXIT,
+            SSL_CB_HANDSHAKE_START,
+            SSL_CB_HANDSHAKE_DONE,
+        ]:
+            assert isinstance(const, int)
+
+        # These constants don't exist on OpenSSL 1.1.0
+        for const in [
+            SSL_ST_INIT,
+            SSL_ST_BEFORE,
+            SSL_ST_OK,
+            SSL_ST_RENEGOTIATE,
+        ]:
+            assert const is None or isinstance(const, int)
+
+
+class TestRequires(object):
+    """
+    Tests for the decorator factory used to conditionally raise
+    NotImplementedError when older OpenSSLs are used.
+    """
+
+    def test_available(self):
+        """
+        When the OpenSSL functionality is available the decorated functions
+        work appropriately.
+        """
+        feature_guard = _make_requires(True, "Error text")
+        results = []
+
+        @feature_guard
+        def inner():
+            results.append(True)
+            return True
+
+        assert inner() is True
+        assert [True] == results
+
+    def test_unavailable(self):
+        """
+        When the OpenSSL functionality is not available the decorated function
+        does not execute and NotImplementedError is raised.
+        """
+        feature_guard = _make_requires(False, "Error text")
+
+        @feature_guard
+        def inner():  # pragma: nocover
+            pytest.fail("Should not be called")
+
+        with pytest.raises(NotImplementedError) as e:
+            inner()
+
+        assert "Error text" in str(e.value)
+
+
+class TestOCSP(object):
+    """
+    Tests for PyOpenSSL's OCSP stapling support.
+    """
+
+    sample_ocsp_data = b"this is totally ocsp data"
+
+    def _client_connection(self, callback, data, request_ocsp=True):
+        """
+        Builds a client connection suitable for using OCSP.
+
+        :param callback: The callback to register for OCSP.
+        :param data: The opaque data object that will be handed to the
+            OCSP callback.
+        :param request_ocsp: Whether the client will actually ask for OCSP
+            stapling. Useful for testing only.
+        """
+        ctx = Context(SSLv23_METHOD)
+        ctx.set_ocsp_client_callback(callback, data)
+        client = Connection(ctx)
+
+        if request_ocsp:
+            client.request_ocsp()
+
+        client.set_connect_state()
+        return client
+
+    def _server_connection(self, callback, data):
+        """
+        Builds a server connection suitable for using OCSP.
+
+        :param callback: The callback to register for OCSP.
+        :param data: The opaque data object that will be handed to the
+            OCSP callback.
+        """
+        ctx = Context(SSLv23_METHOD)
+        ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+        ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+        ctx.set_ocsp_server_callback(callback, data)
+        server = Connection(ctx)
+        server.set_accept_state()
+        return server
+
+    def test_callbacks_arent_called_by_default(self):
+        """
+        If both the client and the server have registered OCSP callbacks, but
+        the client does not send the OCSP request, neither callback gets
+        called.
+        """
+
+        def ocsp_callback(*args, **kwargs):  # pragma: nocover
+            pytest.fail("Should not be called")
+
+        client = self._client_connection(
+            callback=ocsp_callback, data=None, request_ocsp=False
+        )
+        server = self._server_connection(callback=ocsp_callback, data=None)
+        handshake_in_memory(client, server)
+
+    def test_client_negotiates_without_server(self):
+        """
+        If the client wants to do OCSP but the server does not, the handshake
+        succeeds, and the client callback fires with an empty byte string.
+        """
+        called = []
+
+        def ocsp_callback(conn, ocsp_data, ignored):
+            called.append(ocsp_data)
+            return True
+
+        client = self._client_connection(callback=ocsp_callback, data=None)
+        server = loopback_server_factory(socket=None)
+        handshake_in_memory(client, server)
+
+        assert len(called) == 1
+        assert called[0] == b""
+
+    def test_client_receives_servers_data(self):
+        """
+        The data the server sends in its callback is received by the client.
+        """
+        calls = []
+
+        def server_callback(*args, **kwargs):
+            return self.sample_ocsp_data
+
+        def client_callback(conn, ocsp_data, ignored):
+            calls.append(ocsp_data)
+            return True
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+        handshake_in_memory(client, server)
+
+        assert len(calls) == 1
+        assert calls[0] == self.sample_ocsp_data
+
+    def test_callbacks_are_invoked_with_connections(self):
+        """
+        The first arguments to both callbacks are their respective connections.
+        """
+        client_calls = []
+        server_calls = []
+
+        def client_callback(conn, *args, **kwargs):
+            client_calls.append(conn)
+            return True
+
+        def server_callback(conn, *args, **kwargs):
+            server_calls.append(conn)
+            return self.sample_ocsp_data
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+        handshake_in_memory(client, server)
+
+        assert len(client_calls) == 1
+        assert len(server_calls) == 1
+        assert client_calls[0] is client
+        assert server_calls[0] is server
+
+    def test_opaque_data_is_passed_through(self):
+        """
+        Both callbacks receive an opaque, user-provided piece of data in their
+        callbacks as the final argument.
+        """
+        calls = []
+
+        def server_callback(*args):
+            calls.append(args)
+            return self.sample_ocsp_data
+
+        def client_callback(*args):
+            calls.append(args)
+            return True
+
+        sentinel = object()
+
+        client = self._client_connection(
+            callback=client_callback, data=sentinel
+        )
+        server = self._server_connection(
+            callback=server_callback, data=sentinel
+        )
+        handshake_in_memory(client, server)
+
+        assert len(calls) == 2
+        assert calls[0][-1] is sentinel
+        assert calls[1][-1] is sentinel
+
+    def test_server_returns_empty_string(self):
+        """
+        If the server returns an empty bytestring from its callback, the
+        client callback is called with the empty bytestring.
+        """
+        client_calls = []
+
+        def server_callback(*args):
+            return b""
+
+        def client_callback(conn, ocsp_data, ignored):
+            client_calls.append(ocsp_data)
+            return True
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+        handshake_in_memory(client, server)
+
+        assert len(client_calls) == 1
+        assert client_calls[0] == b""
+
+    def test_client_returns_false_terminates_handshake(self):
+        """
+        If the client returns False from its callback, the handshake fails.
+        """
+
+        def server_callback(*args):
+            return self.sample_ocsp_data
+
+        def client_callback(*args):
+            return False
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+
+        with pytest.raises(Error):
+            handshake_in_memory(client, server)
+
+    def test_exceptions_in_client_bubble_up(self):
+        """
+        The callbacks thrown in the client callback bubble up to the caller.
+        """
+
+        class SentinelException(Exception):
+            pass
+
+        def server_callback(*args):
+            return self.sample_ocsp_data
+
+        def client_callback(*args):
+            raise SentinelException()
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+
+        with pytest.raises(SentinelException):
+            handshake_in_memory(client, server)
+
+    def test_exceptions_in_server_bubble_up(self):
+        """
+        The callbacks thrown in the server callback bubble up to the caller.
+        """
+
+        class SentinelException(Exception):
+            pass
+
+        def server_callback(*args):
+            raise SentinelException()
+
+        def client_callback(*args):  # pragma: nocover
+            pytest.fail("Should not be called")
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+
+        with pytest.raises(SentinelException):
+            handshake_in_memory(client, server)
+
+    def test_server_must_return_bytes(self):
+        """
+        The server callback must return a bytestring, or a TypeError is thrown.
+        """
+
+        def server_callback(*args):
+            return self.sample_ocsp_data.decode("ascii")
+
+        def client_callback(*args):  # pragma: nocover
+            pytest.fail("Should not be called")
+
+        client = self._client_connection(callback=client_callback, data=None)
+        server = self._server_connection(callback=server_callback, data=None)
+
+        with pytest.raises(TypeError):
+            handshake_in_memory(client, server)
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_util.py b/contrib/python/pyOpenSSL/py3/tests/test_util.py
new file mode 100644
index 0000000000..6224448d43
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/test_util.py
@@ -0,0 +1,19 @@
+import pytest
+
+from OpenSSL._util import exception_from_error_queue, lib
+
+
+class TestErrors(object):
+    """
+    Tests for handling of certain OpenSSL error cases.
+    """
+
+    def test_exception_from_error_queue_nonexistent_reason(self):
+        """
+        :func:`exception_from_error_queue` raises ``ValueError`` when it
+        encounters an OpenSSL error code which does not have a reason string.
+        """
+        lib.ERR_put_error(lib.ERR_LIB_EVP, 0, 1112, b"", 10)
+        with pytest.raises(ValueError) as exc:
+            exception_from_error_queue(ValueError)
+        assert exc.value.args[0][0][2] == ""
diff --git a/contrib/python/pyOpenSSL/py3/tests/util.py b/contrib/python/pyOpenSSL/py3/tests/util.py
new file mode 100644
index 0000000000..75d2c8de80
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/util.py
@@ -0,0 +1,160 @@
+# Copyright (C) Jean-Paul Calderone
+# Copyright (C) Twisted Matrix Laboratories.
+# See LICENSE for details.
+"""
+Helpers for the OpenSSL test suite, largely copied from
+U{Twisted<http://twistedmatrix.com/>}.
+"""
+
+from six import PY2
+
+
+# This is the UTF-8 encoding of the SNOWMAN unicode code point.
+NON_ASCII = b"\xe2\x98\x83".decode("utf-8")
+
+
+def is_consistent_type(theType, name, *constructionArgs):
+    """
+    Perform various assertions about *theType* to ensure that it is a
+    well-defined type.  This is useful for extension types, where it's
+    pretty easy to do something wacky.  If something about the type is
+    unusual, an exception will be raised.
+
+    :param theType: The type object about which to make assertions.
+    :param name: A string giving the name of the type.
+    :param constructionArgs: Positional arguments to use with
+        *theType* to create an instance of it.
+    """
+    assert theType.__name__ == name
+    assert isinstance(theType, type)
+    instance = theType(*constructionArgs)
+    assert type(instance) is theType
+    return True
+
+
+class EqualityTestsMixin(object):
+    """
+    A mixin defining tests for the standard implementation of C{==} and C{!=}.
+    """
+
+    def anInstance(self):
+        """
+        Return an instance of the class under test.  Each call to this method
+        must return a different object.  All objects returned must be equal to
+        each other.
+        """
+        raise NotImplementedError()
+
+    def anotherInstance(self):
+        """
+        Return an instance of the class under test.  Each call to this method
+        must return a different object.  The objects must not be equal to the
+        objects returned by C{anInstance}.  They may or may not be equal to
+        each other (they will not be compared against each other).
+        """
+        raise NotImplementedError()
+
+    def test_identicalEq(self):
+        """
+        An object compares equal to itself using the C{==} operator.
+        """
+        o = self.anInstance()
+        assert o == o
+
+    def test_identicalNe(self):
+        """
+        An object doesn't compare not equal to itself using the C{!=} operator.
+        """
+        o = self.anInstance()
+        assert not (o != o)
+
+    def test_sameEq(self):
+        """
+        Two objects that are equal to each other compare equal to each other
+        using the C{==} operator.
+        """
+        a = self.anInstance()
+        b = self.anInstance()
+        assert a == b
+
+    def test_sameNe(self):
+        """
+        Two objects that are equal to each other do not compare not equal to
+        each other using the C{!=} operator.
+        """
+        a = self.anInstance()
+        b = self.anInstance()
+        assert not (a != b)
+
+    def test_differentEq(self):
+        """
+        Two objects that are not equal to each other do not compare equal to
+        each other using the C{==} operator.
+        """
+        a = self.anInstance()
+        b = self.anotherInstance()
+        assert not (a == b)
+
+    def test_differentNe(self):
+        """
+        Two objects that are not equal to each other compare not equal to each
+        other using the C{!=} operator.
+        """
+        a = self.anInstance()
+        b = self.anotherInstance()
+        assert a != b
+
+    def test_anotherTypeEq(self):
+        """
+        The object does not compare equal to an object of an unrelated type
+        (which does not implement the comparison) using the C{==} operator.
+        """
+        a = self.anInstance()
+        b = object()
+        assert not (a == b)
+
+    def test_anotherTypeNe(self):
+        """
+        The object compares not equal to an object of an unrelated type (which
+        does not implement the comparison) using the C{!=} operator.
+        """
+        a = self.anInstance()
+        b = object()
+        assert a != b
+
+    def test_delegatedEq(self):
+        """
+        The result of comparison using C{==} is delegated to the right-hand
+        operand if it is of an unrelated type.
+        """
+
+        class Delegate(object):
+            def __eq__(self, other):
+                # Do something crazy and obvious.
+                return [self]
+
+        a = self.anInstance()
+        b = Delegate()
+        assert (a == b) == [b]
+
+    def test_delegateNe(self):
+        """
+        The result of comparison using C{!=} is delegated to the right-hand
+        operand if it is of an unrelated type.
+        """
+
+        class Delegate(object):
+            def __ne__(self, other):
+                # Do something crazy and obvious.
+                return [self]
+
+        a = self.anInstance()
+        b = Delegate()
+        assert (a != b) == [b]
+
+
+# The type name expected in warnings about using the wrong string type.
+if PY2:
+    WARNING_TYPE_EXPECTED = "unicode"
+else:
+    WARNING_TYPE_EXPECTED = "str"
diff --git a/contrib/python/pyOpenSSL/py3/tests/ya.make b/contrib/python/pyOpenSSL/py3/tests/ya.make
new file mode 100644
index 0000000000..748b91efe2
--- /dev/null
+++ b/contrib/python/pyOpenSSL/py3/tests/ya.make
@@ -0,0 +1,24 @@
+PY3TEST()
+
+SUBSCRIBER(g:python-contrib)
+
+PEERDIR(
+    contrib/python/pyOpenSSL
+    contrib/python/flaky
+    contrib/python/pretend
+)
+
+TEST_SRCS(
+    __init__.py
+    conftest.py
+    test_crypto.py
+    test_debug.py
+    test_rand.py
+    test_ssl.py
+    test_util.py
+    util.py
+)
+
+NO_LINT()
+
+END()