aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public_key
diff options
context:
space:
mode:
Diffstat (limited to 'lib/public_key')
-rw-r--r--lib/public_key/AUTHORS5
-rw-r--r--lib/public_key/Makefile39
-rwxr-xr-xlib/public_key/asn1/DSS.asn120
-rw-r--r--lib/public_key/asn1/Makefile113
-rw-r--r--lib/public_key/asn1/OTP-PKIX.asn1709
-rw-r--r--lib/public_key/asn1/OTP-PUB-KEY.asn1config2
-rw-r--r--lib/public_key/asn1/OTP-PUB-KEY.set.asn7
-rwxr-xr-xlib/public_key/asn1/PKCS-1.asn1116
-rw-r--r--lib/public_key/asn1/PKIX1Algorithms88.asn1235
-rw-r--r--lib/public_key/asn1/PKIX1Explicit88.asn1619
-rw-r--r--lib/public_key/asn1/PKIX1Implicit88.asn1349
-rw-r--r--lib/public_key/asn1/PKIXAttributeCertificate.asn1189
-rw-r--r--lib/public_key/asn1/README51
-rw-r--r--lib/public_key/doc/html/.gitignore0
-rw-r--r--lib/public_key/doc/man3/.gitignore0
-rw-r--r--lib/public_key/doc/pdf/.gitignore0
-rw-r--r--lib/public_key/doc/src/Makefile227
-rw-r--r--lib/public_key/doc/src/book.xml51
-rw-r--r--lib/public_key/doc/src/cert_records.xml612
-rw-r--r--lib/public_key/doc/src/fascicules.xml19
-rw-r--r--lib/public_key/doc/src/introduction.xml52
-rw-r--r--lib/public_key/doc/src/make.dep21
-rw-r--r--lib/public_key/doc/src/note.gifbin0 -> 1539 bytes
-rw-r--r--lib/public_key/doc/src/notes.xml120
-rw-r--r--lib/public_key/doc/src/part.xml42
-rw-r--r--lib/public_key/doc/src/part_notes.xml38
-rw-r--r--lib/public_key/doc/src/public_key.xml317
-rw-r--r--lib/public_key/doc/src/public_key_records.xml99
-rw-r--r--lib/public_key/doc/src/ref_man.xml43
-rw-r--r--lib/public_key/ebin/.gitignore0
-rw-r--r--lib/public_key/include/public_key.hrl62
-rw-r--r--lib/public_key/info2
-rw-r--r--lib/public_key/src/Makefile112
-rw-r--r--lib/public_key/src/pubkey_cert.erl988
-rw-r--r--lib/public_key/src/pubkey_cert_records.erl538
-rw-r--r--lib/public_key/src/pubkey_crypto.erl137
-rw-r--r--lib/public_key/src/pubkey_pem.erl192
-rw-r--r--lib/public_key/src/public_key.app.src16
-rw-r--r--lib/public_key/src/public_key.appup.src6
-rw-r--r--lib/public_key/src/public_key.erl411
-rw-r--r--lib/public_key/test/Makefile83
-rw-r--r--lib/public_key/test/pkits_SUITE.erl604
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crtbin0 -> 572 bytes
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem107
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem120
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem170
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem170
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem170
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem211
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem210
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem263
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest8.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedNewWithOldTest5.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedOldWithNewTest2.pem134
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCASignatureTest2.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotAfterDateTest5.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotBeforeDateTest1.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest31.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest33.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest38.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest28.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest29.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest10.pem113
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest12.pem166
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest13.pem166
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest15.pem164
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest16.pem164
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest17.pem163
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest2.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest3.pem114
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest7.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest8.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest9.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDSASignatureTest6.pem104
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEESignatureTest3.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotAfterDateTest6.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotBeforeDateTest2.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest23.pem116
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest26.pem137
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidLongSerialNumberTest18.pem115
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingFromanyPolicyTest7.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingToanyPolicyTest8.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMissingbasicConstraintsTest1.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingEETest1.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingOrderTest2.pem113
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNegativeSerialNumberTest15.pem114
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidOldCRLnextUpdateTest11.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest10.pem172
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest2.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest4.pem214
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest22.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest24.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest26.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest3.pem262
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest5.pem266
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedCATest2.pem170
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedEETest3.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedDNnameConstraintsTest20.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest10.pem178
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest8.pem230
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest10.pem200
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest11.pem200
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest8.pem233
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest9.pem233
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedpathLenConstraintTest16.pem179
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest7.pem178
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest8.pem197
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest20.pem134
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest21.pem129
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest35.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest37.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLEntryExtensionTest8.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest10.pem117
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest9.pem117
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCriticalCertificateExtensionTest2.pem58
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidWrongCRLTest6.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest2.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest3.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest27.pem140
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest31.pem226
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest32.pem226
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest34.pem205
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest35.pem207
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLIndicatorNoBaseTest1.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest10.pem150
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest3.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest4.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest6.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest9.pem162
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest2.pem123
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest3.pem123
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest6.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest8.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest9.pem117
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest1.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest4.pem159
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest5.pem210
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest6.pem159
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest1.pem161
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest3.pem216
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest5.pem264
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest6.pem217
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalcRLSignFalseTest4.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalkeyCertSignFalseTest1.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsAttributeCertsTest14.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsCACertsCRLTest12.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsUserCertsCRLTest11.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest15.pem156
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest16.pem156
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest17.pem146
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest20.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest21.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest10.pem211
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest11.pem262
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest12.pem263
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest5.pem159
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest6.pem160
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest9.pem210
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000CRLnextUpdateTest12.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000UTCEEnotAfterDateTest7.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/MissingCRLTest1.pem76
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/OverlappingPoliciesTest6.pem214
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest15.pem59
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest16.pem124
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest17.pem121
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest18.pem115
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest19.pem64
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedCRLSigningKeyTest6.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest3.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest4.pem175
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedOldWithNewTest1.pem134
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest30.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest32.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNandRFC822nameConstraintsTest27.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest1.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest11.pem113
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest14.pem165
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest18.pem162
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest4.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest5.pem115
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest6.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSAParameterInheritanceTest5.pem141
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSASignaturesTest4.pem104
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimeCRLnextUpdateTest13.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotAfterDateTest8.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotBeforeDateTest4.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest22.pem116
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest24.pem137
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest25.pem137
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest16.pem115
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest17.pem115
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingCapitalizationTest5.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingUIDsTest6.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest3.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest4.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNegativeSerialNumberTest14.pem114
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNoissuingDistributionPointTest10.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest1.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest11.pem172
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest12.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest13.pem117
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest14.pem117
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest3.pem214
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest5.pem163
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest6.pem163
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest9.pem109
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280MandatoryAttributeTypesTest7.pem113
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280OptionalAttributeTypesTest8.pem114
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest21.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest23.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest25.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest1.pem264
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest2.pem262
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest4.pem262
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRolloverfromPrintableStringtoUTF8StringTest10.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedDNnameConstraintsTest19.pem130
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest7.pem178
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest9.pem197
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitPolicyMappingTest7.pem180
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest15.pem127
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest17.pem197
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedrequireExplicitPolicyTest6.pem127
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSeparateCertificateandCRLKeysTest19.pem134
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSignaturesTest1.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidTwoCRLsTest7.pem146
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest34.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest36.pem111
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringCaseInsensitiveMatchTest11.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringEncodedNamesTest9.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUnknownNotCriticalCertificateExtensionTest1.pem58
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidbasicConstraintsNotCriticalTest4.pem110
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest28.pem178
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest29.pem176
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest30.pem143
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest33.pem226
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest2.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest5.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest7.pem190
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest8.pem162
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest1.pem123
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest4.pem121
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest5.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest7.pem120
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest2.pem162
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest4.pem216
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidkeyUsageNotCriticalTest3.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlyContainsCACertsCRLTest13.pem112
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest18.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest19.pem167
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest13.pem262
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest14.pem263
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest7.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest8.pem108
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Validpre2000UTCnotBeforeDateTest3.pem119
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/certs.pem118
-rw-r--r--lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/inhibitAnyPolicyTest3.pem159
-rw-r--r--lib/public_key/test/public_key.spec2
-rw-r--r--lib/public_key/test/public_key_SUITE.erl260
-rw-r--r--lib/public_key/test/public_key_SUITE_data/cacerts.pem43
-rw-r--r--lib/public_key/test/public_key_SUITE_data/client_cert.pem22
-rw-r--r--lib/public_key/test/public_key_SUITE_data/client_key.pem15
-rw-r--r--lib/public_key/test/public_key_SUITE_data/dh.pem4
-rw-r--r--lib/public_key/test/public_key_SUITE_data/dsa.pem12
-rw-r--r--lib/public_key/test/public_key_SUITE_data/req.pem12
-rw-r--r--lib/public_key/test/public_key_SUITE_data/rsa.pem16
-rw-r--r--lib/public_key/test/public_key_SUITE_data/server_cert.pem22
-rw-r--r--lib/public_key/test/public_key_SUITE_data/server_key.pem15
-rw-r--r--lib/public_key/vsn.mk6
280 files changed, 40277 insertions, 0 deletions
diff --git a/lib/public_key/AUTHORS b/lib/public_key/AUTHORS
new file mode 100644
index 0000000000..bb524037cf
--- /dev/null
+++ b/lib/public_key/AUTHORS
@@ -0,0 +1,5 @@
+Original author:
+Ingela Anderton Andin
+
+Contributors:
+Dan Gudmundsson \ No newline at end of file
diff --git a/lib/public_key/Makefile b/lib/public_key/Makefile
new file mode 100644
index 0000000000..c679678b60
--- /dev/null
+++ b/lib/public_key/Makefile
@@ -0,0 +1,39 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+#
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Macros
+# ----------------------------------------------------
+
+SUB_DIRECTORIES = asn1 src doc/src
+
+include vsn.mk
+VSN = $(PUBLIC_KEY_VSN)
+
+SPECIAL_TARGETS =
+
+# ----------------------------------------------------
+# Default Subdir Targets
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_subdir.mk
+
diff --git a/lib/public_key/asn1/DSS.asn1 b/lib/public_key/asn1/DSS.asn1
new file mode 100755
index 0000000000..77aca3808b
--- /dev/null
+++ b/lib/public_key/asn1/DSS.asn1
@@ -0,0 +1,20 @@
+DSS DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+-- All types and values defined in this module are exported for use
+-- in other ASN.1 modules.
+
+DSAPrivateKey ::= SEQUENCE {
+ version INTEGER,
+ p INTEGER, -- p
+ q INTEGER, -- q
+ g INTEGER, -- q
+ y INTEGER, -- y
+ x INTEGER -- x
+}
+
+END
+
+
diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile
new file mode 100644
index 0000000000..fbea701be9
--- /dev/null
+++ b/lib/public_key/asn1/Makefile
@@ -0,0 +1,113 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Application version
+# ----------------------------------------------------
+include ../vsn.mk
+VSN=$(PUBLIC_KEY_VSN)
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN)
+
+# ----------------------------------------------------
+# Common Macros
+# ----------------------------------------------------
+
+.SUFFIXES: .asn1
+.PRECIOUS: %.erl
+
+ASN_TOP = OTP-PUB-KEY
+ASN_MODULES = PKIX1Explicit88 PKIX1Implicit88 PKIX1Algorithms88 \
+ PKIXAttributeCertificate OTP-PKIX
+ASN_ASNS = $(ASN_MODULES:%=%.asn1)
+ASN_ERLS = $(ASN_TOP).erl
+ASN_HRLS = $(ASN_TOP).hrl
+ASN_CONFIGS = OTP-PUB-KEY.asn1config
+ASN_DBS = $(ASN_MODULES:%=%.asn1db) OTP-PUB-KEY.asn1db
+ASN_TABLES = $(ASN_MODULES:%=%.table)
+
+GEN_MODULES =
+GEN_ERLS = $(GEN_MODULES:%=%.erl)
+ERL_MODULES = $(ASN_TOP) $(GEN_MODULES)
+
+TARGET_FILES= $(ERL_MODULES:%=$(EBIN)/%.$(EMULATOR))
+
+HRL_FILES = $(ASN_HRLS:%=$(INCLUDE)/%)
+
+INCLUDE = ../include
+EBIN = ../ebin
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+EXTRA_ERLC_FLAGS =
+ERL_COMPILE_FLAGS += $(EXTRA_ERLC_FLAGS)
+
+ASN_FLAGS = -bber_bin +der +compact_bit_string +optimize +noobj +asn1config +inline
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+
+debug opt: $(TARGET_FILES) $(HRL_FILES)
+
+clean:
+ -rm -f $(ASN_ERLS) $(GEN_ERLS) $(ASN_HRLS) $(HRL_FILES) $(ASN_DBS) \
+ $(ASN_TABLES) $(TARGET_FILES) *.beam *~
+
+docs:
+
+%.erl: %.set.asn
+ erlc $(ASN_FLAGS) $<
+
+$(HRL_FILES): $(ASN_HRLS)
+ cp -p $(ASN_HRLS) $(INCLUDE)
+
+# ----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+release_spec: opt
+ $(INSTALL_DIR) $(RELSYSDIR)/include
+ $(INSTALL_DATA) $(HRL_FILES) $(RELSYSDIR)/include
+ $(INSTALL_DIR) $(RELSYSDIR)/asn1
+ $(INSTALL_DATA) $(ASN_ASNS) $(ASN_ERLS) $(ASN_HRLS) $(ASN_CONFIGS) \
+ $(GEN_ERLS) $(RELSYSDIR)/asn1
+ $(INSTALL_DIR) $(RELSYSDIR)/ebin
+ $(INSTALL_DATA) $(TARGET_FILES) $(RELSYSDIR)/ebin
+
+release_docs_spec:
+
+#
+# Dependencies
+
+$(EBIN)/OTP-PUB-KEY.beam: OTP-PUB-KEY.erl OTP-PUB-KEY.hrl
+OTP-PUB-KEY.erl OTP-PUB-KEY.hrl: OTP-PUB-KEY.asn1db
+OTP-PUB-KEY.asn1db: PKIX1Algorithms88.asn1 \
+ PKIX1Explicit88.asn1 \
+ PKIX1Implicit88.asn1 \
+ PKIXAttributeCertificate.asn1 \
+ OTP-PKIX.asn1
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
new file mode 100644
index 0000000000..2bcacc0990
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -0,0 +1,709 @@
+OTP-PKIX {iso(1) identified-organization(3) dod(6) internet(1)
+ private(4) enterprices(1) ericsson(193) otp(19) ssl(10)
+ pkix1(1)}
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+
+IMPORTS
+ -- Certificate (parts of)
+ Version,
+ CertificateSerialNumber,
+ --AlgorithmIdentifier,
+ Validity,
+ UniqueIdentifier,
+
+ -- AttribyteTypeAndValue
+ Name,
+ AttributeType,
+ id-at-name,
+ id-at-surname,
+ id-at-givenName,
+ id-at-initials,
+ id-at-generationQualifier, X520name,
+ id-at-commonName, X520CommonName,
+ id-at-localityName, X520LocalityName,
+ id-at-stateOrProvinceName, X520StateOrProvinceName,
+ id-at-organizationName, X520OrganizationName,
+ id-at-organizationalUnitName, X520OrganizationalUnitName,
+ id-at-title, X520Title,
+ id-at-dnQualifier, X520dnQualifier,
+ id-at-countryName, X520countryName,
+ id-at-serialNumber, X520SerialNumber,
+ id-at-pseudonym, X520Pseudonym,
+ id-domainComponent, DomainComponent,
+ id-emailAddress, EmailAddress,
+
+ -- Extension Attributes
+ common-name, CommonName,
+ teletex-common-name, TeletexCommonName,
+ teletex-personal-name, TeletexPersonalName,
+ pds-name, PDSName,
+ physical-delivery-country-name, PhysicalDeliveryCountryName,
+ postal-code, PostalCode,
+ physical-delivery-office-name, PhysicalDeliveryOfficeName,
+ physical-delivery-office-number, PhysicalDeliveryOfficeNumber,
+ extension-OR-address-components, ExtensionORAddressComponents,
+ physical-delivery-personal-name, PhysicalDeliveryPersonalName,
+ physical-delivery-organization-name, PhysicalDeliveryOrganizationName,
+ extension-physical-delivery-address-components,
+ ExtensionPhysicalDeliveryAddressComponents,
+ unformatted-postal-address, UnformattedPostalAddress,
+ street-address, StreetAddress,
+ post-office-box-address, PostOfficeBoxAddress,
+ poste-restante-address, PosteRestanteAddress,
+ unique-postal-name, UniquePostalName,
+ local-postal-attributes, LocalPostalAttributes,
+ extended-network-address, ExtendedNetworkAddress,
+ terminal-type, TerminalType,
+ teletex-domain-defined-attributes, TeletexDomainDefinedAttributes
+
+ FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-explicit(18) }
+
+ -- Extensions
+ id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier,
+ id-ce-subjectKeyIdentifier, SubjectKeyIdentifier,
+ id-ce-keyUsage, KeyUsage,
+ id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod,
+ id-ce-certificatePolicies, CertificatePolicies,
+ id-ce-policyMappings, PolicyMappings,
+ id-ce-subjectAltName, SubjectAltName,
+ id-ce-issuerAltName, IssuerAltName,
+ id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes,
+ id-ce-basicConstraints, BasicConstraints,
+ id-ce-nameConstraints, NameConstraints,
+ id-ce-policyConstraints, PolicyConstraints,
+ id-ce-cRLDistributionPoints, CRLDistributionPoints,
+ id-ce-extKeyUsage, ExtKeyUsageSyntax,
+ id-ce-inhibitAnyPolicy, InhibitAnyPolicy,
+ id-ce-freshestCRL, FreshestCRL,
+ id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax,
+ id-pe-subjectInfoAccess, SubjectInfoAccessSyntax,
+ id-ce-cRLNumber, CRLNumber,
+ id-ce-issuingDistributionPoint, IssuingDistributionPoint,
+ id-ce-deltaCRLIndicator, BaseCRLNumber,
+ id-ce-cRLReasons, CRLReason,
+ id-ce-certificateIssuer, CertificateIssuer,
+ id-ce-holdInstructionCode, HoldInstructionCode,
+ id-ce-invalidityDate, InvalidityDate
+
+ FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-implicit(19) }
+
+ --Keys and Signatures
+ id-dsa, Dss-Parms, DSAPublicKey,
+ id-dsa-with-sha1,
+ md2WithRSAEncryption,
+ md5WithRSAEncryption,
+ sha1WithRSAEncryption,
+ rsaEncryption, RSAPublicKey,
+ dhpublicnumber, DomainParameters, DHPublicKey,
+ id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey,
+ ecdsa-with-SHA1,
+ prime-field, Prime-p,
+ characteristic-two-field, --Characteristic-two,
+ gnBasis,
+ tpBasis, Trinomial,
+ ppBasis, Pentanomial,
+ id-ecPublicKey, EcpkParameters, ECPoint
+ FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms(17) };
+
+--
+-- Certificate
+--
+
+OTPCertificate ::= SEQUENCE {
+ tbsCertificate OTPTBSCertificate,
+ signatureAlgorithm SignatureAlgorithm,
+ signature BIT STRING }
+
+OTPTBSCertificate ::= SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature SignatureAlgorithm,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo OTPSubjectPublicKeyInfo,
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ extensions [3] Extensions OPTIONAL
+ -- If present, version MUST be v3 -- }
+
+
+-- Attribute type and values
+--
+
+ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS {
+ &id AttributeType UNIQUE,
+ &Type }
+ WITH SYNTAX {
+ ID &id
+ TYPE &Type }
+
+OTPAttributeTypeAndValue ::= SEQUENCE {
+ type ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id
+ ({SupportedAttributeTypeAndValues}),
+ value ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type
+ ({SupportedAttributeTypeAndValues}{@type}) }
+
+SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::=
+ { name | surname | givenName | initials | generationQualifier |
+ commonName | localityName | stateOrProvinceName | organizationName |
+ organizationalUnitName | title | dnQualifier | countryName |
+ serialNumber | pseudonym | domainComponent | emailAddress }
+
+name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-name
+ TYPE X520name }
+
+surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-surname
+ TYPE X520name }
+
+givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-givenName
+ TYPE X520name }
+
+initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-initials
+ TYPE X520name }
+
+generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-generationQualifier
+ TYPE X520name }
+
+commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-commonName
+ TYPE X520CommonName }
+
+localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-localityName
+ TYPE X520LocalityName }
+
+stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-stateOrProvinceName
+ TYPE X520StateOrProvinceName }
+
+organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-organizationName
+ TYPE X520OrganizationName }
+
+organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-organizationalUnitName
+ TYPE X520OrganizationalUnitName }
+
+title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-title
+ TYPE X520Title }
+
+dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-dnQualifier
+ TYPE X520dnQualifier }
+
+countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-countryName
+ TYPE X520countryName }
+
+serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-serialNumber
+ TYPE X520SerialNumber }
+
+pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-at-pseudonym
+ TYPE X520Pseudonym }
+
+domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-domainComponent
+ TYPE DomainComponent }
+
+emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= {
+ ID id-emailAddress
+ TYPE EmailAddress }
+
+--
+-- Signature and Public Key Algorithms
+--
+
+OTPOLDSubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm SEQUENCE {
+ algo PUBLIC-KEY-ALGORITHM-CLASS.&id
+ ({SupportedPublicKeyAlgorithms}),
+ parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
+ ({SupportedPublicKeyAlgorithms}{@.algo})
+ OPTIONAL
+ },
+ subjectPublicKey PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType
+ ({SupportedPublicKeyAlgorithms}{@algorithm.algo}) }
+
+OTPSubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm PublicKeyAlgorithm,
+ subjectPublicKey BIT STRING }
+
+
+-- The following is needed for conversion of SubjectPublicKeyInfo.
+
+OTPSubjectPublicKeyInfo-Any ::= SEQUENCE {
+ algorithm PublicKeyAlgorithm,
+ subjectPublicKey ANY }
+
+
+SIGNATURE-ALGORITHM-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL }
+ WITH SYNTAX {
+ ID &id
+ [TYPE &Type] }
+
+PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL,
+ &PublicKeyType OPTIONAL }
+ WITH SYNTAX {
+ ID &id
+ [TYPE &Type]
+ [PUBLIC-KEY-TYPE &PublicKeyType] }
+
+SignatureAlgorithm ::= SEQUENCE {
+ algorithm SIGNATURE-ALGORITHM-CLASS.&id
+ ({SupportedSignatureAlgorithms}),
+ parameters SIGNATURE-ALGORITHM-CLASS.&Type
+ ({SupportedSignatureAlgorithms}{@algorithm})
+ OPTIONAL }
+
+SignatureAlgorithm-Any ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY OPTIONAL }
+
+PublicKeyAlgorithm ::= SEQUENCE {
+ algorithm PUBLIC-KEY-ALGORITHM-CLASS.&id
+ ({SupportedPublicKeyAlgorithms}),
+ parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type
+ ({SupportedPublicKeyAlgorithms}{@algorithm})
+ OPTIONAL }
+
+SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
+ dsa-with-sha1 | md2-with-rsa-encryption |
+ md5-with-rsa-encryption | sha1-with-rsa-encryption |
+ ecdsa-with-sha1 }
+
+SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ dsa | rsa-encryption | dh | kea | ec-public-key }
+
+ -- DSA Keys and Signatures
+
+ -- SubjectPublicKeyInfo:
+
+ dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ ID id-dsa
+ TYPE Dss-Parms -- XXX Must be OPTIONAL
+ PUBLIC-KEY-TYPE DSAPublicKey }
+
+ -- Certificate.signatureAlgorithm
+
+ dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
+ ID id-dsa-with-sha1
+ TYPE NULL } -- XXX Must be empty and not NULL
+
+ --
+ -- RSA Keys and Signatures
+ --
+
+ -- Certificate.signatureAlgorithm
+
+ md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
+ ID md2WithRSAEncryption
+ TYPE NULL }
+
+ md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
+ ID md5WithRSAEncryption
+ TYPE NULL }
+
+ sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
+ ID sha1WithRSAEncryption
+ TYPE NULL }
+
+ -- Certificate.signature
+ -- See PKCS #1 (RFC 2313). XXX
+
+ -- SubjectPublicKeyInfo:
+
+ rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ ID rsaEncryption
+ TYPE NULL
+ PUBLIC-KEY-TYPE RSAPublicKey }
+
+ --
+ -- Diffie-Hellman Keys
+ --
+
+ -- SubjectPublicKeyInfo:
+
+ dh PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ ID dhpublicnumber
+ TYPE DomainParameters
+ PUBLIC-KEY-TYPE DHPublicKey }
+
+ -- There are no Diffie-Hellman signature algorithms
+
+ --
+ -- KEA Keys
+ --
+
+ -- SubjectPublicKeyInfo:
+
+ KEA-PublicKey ::= INTEGER
+
+ kea PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ ID id-keyExchangeAlgorithm
+ TYPE KEA-Parms-Id
+ PUBLIC-KEY-TYPE KEA-PublicKey }
+
+ -- There are no KEA signature algorithms
+
+ --
+ -- Elliptic Curve Keys, Signatures, and Curves
+ --
+
+ -- Certificate.signatureAlgorithm
+
+ ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
+ ID ecdsa-with-SHA1
+ TYPE NULL } -- XXX Must be empty and not NULL
+
+ FIELD-ID-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type }
+ WITH SYNTAX {
+ ID &id
+ TYPE &Type }
+
+ OTPFieldID ::= SEQUENCE { -- Finite field
+ fieldType FIELD-ID-CLASS.&id({SupportedFieldIds}),
+ parameters FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) }
+
+ SupportedFieldIds FIELD-ID-CLASS ::= {
+ field-prime-field | field-characteristic-two }
+
+ field-prime-field FIELD-ID-CLASS ::= {
+ ID prime-field
+ TYPE Prime-p }
+
+ CHARACTERISTIC-TWO-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type }
+ WITH SYNTAX {
+ ID &id
+ TYPE &Type }
+
+ OTPCharacteristic-two ::= SEQUENCE { -- Finite field
+ m INTEGER, -- Field size 2^m
+ basis CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}),
+ parameters CHARACTERISTIC-TWO-CLASS.&Type
+ ({SupportedCharacteristicTwos}{@basis}) }
+
+ SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= {
+ gn-basis | tp-basis | pp-basis }
+
+ field-characteristic-two FIELD-ID-CLASS ::= {
+ ID characteristic-two-field
+ TYPE Characteristic-two }
+
+ gn-basis CHARACTERISTIC-TWO-CLASS ::= {
+ ID gnBasis
+ TYPE NULL }
+
+ tp-basis CHARACTERISTIC-TWO-CLASS ::= {
+ ID tpBasis
+ TYPE Trinomial }
+
+ pp-basis CHARACTERISTIC-TWO-CLASS ::= {
+ ID ppBasis
+ TYPE Pentanomial }
+
+ -- SubjectPublicKeyInfo.algorithm
+
+ ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= {
+ ID id-ecPublicKey
+ TYPE EcpkParameters
+ PUBLIC-KEY-TYPE ECPoint }
+
+--
+-- Extension Attributes
+--
+
+EXTENSION-ATTRIBUTE-CLASS ::= CLASS {
+ &id INTEGER UNIQUE,
+ &Type }
+ WITH SYNTAX {
+ ID &id
+ TYPE &Type }
+
+OTPExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute
+
+-- XXX Below we should have extension-attribute-type and extension-
+-- attribute-value but Erlang ASN1 does not like it.
+OTPExtensionAttribute ::= SEQUENCE {
+ extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id
+ ({SupportedExtensionAttributes}),
+ extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type
+ ({SupportedExtensionAttributes}{@extensionAttributeType}) }
+
+SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= {
+ x400-common-name |
+ x400-teletex-common-name |
+ x400-teletex-personal-name |
+ x400-pds-name |
+ x400-physical-delivery-country-name |
+ x400-postal-code |
+ x400-physical-delivery-office-name |
+ x400-physical-delivery-office-number |
+ x400-extension-OR-address-components |
+ x400-physical-delivery-personal-name |
+ x400-physical-delivery-organization-name |
+ x400-extension-physical-delivery-address-components |
+ x400-unformatted-postal-address |
+ x400-street-address |
+ x400-post-office-box-address |
+ x400-poste-restante-address |
+ x400-unique-postal-name |
+ x400-local-postal-attributes |
+ x400-extended-network-address |
+ x400-terminal-type |
+ x400-teletex-domain-defined-attributes }
+
+-- Extension types and attribute values
+
+x400-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID common-name
+ TYPE CommonName }
+
+x400-teletex-common-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID teletex-common-name
+ TYPE TeletexCommonName }
+
+x400-teletex-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID teletex-personal-name
+ TYPE TeletexPersonalName }
+
+x400-pds-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID pds-name
+ TYPE PDSName }
+
+x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-country-name
+ TYPE PhysicalDeliveryCountryName }
+
+x400-postal-code EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID postal-code
+ TYPE PostalCode }
+
+x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-office-name
+ TYPE PhysicalDeliveryOfficeName }
+
+x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-office-number
+ TYPE PhysicalDeliveryOfficeNumber }
+
+x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extension-OR-address-components
+ TYPE ExtensionORAddressComponents }
+
+x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-personal-name
+ TYPE PhysicalDeliveryPersonalName }
+
+x400-physical-delivery-organization-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-organization-name
+ TYPE PhysicalDeliveryOrganizationName }
+
+x400-extension-physical-delivery-address-components
+ EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extension-physical-delivery-address-components
+ TYPE ExtensionPhysicalDeliveryAddressComponents }
+
+x400-unformatted-postal-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID unformatted-postal-address
+ TYPE UnformattedPostalAddress }
+
+x400-street-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID street-address
+ TYPE StreetAddress }
+
+x400-post-office-box-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID post-office-box-address
+ TYPE PostOfficeBoxAddress }
+
+x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID poste-restante-address
+ TYPE PosteRestanteAddress }
+
+x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID unique-postal-name
+ TYPE UniquePostalName }
+
+x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID local-postal-attributes
+ TYPE LocalPostalAttributes }
+
+x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extended-network-address
+ TYPE ExtendedNetworkAddress }
+
+x400-terminal-type EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID terminal-type
+ TYPE TerminalType }
+
+x400-teletex-domain-defined-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID teletex-domain-defined-attributes
+ TYPE TeletexDomainDefinedAttributes }
+
+-- Extensions
+
+OTPExtensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+EXTENSION-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL}
+ WITH SYNTAX {
+ ID &id
+ [TYPE &Type] }
+
+OTPExtension ::= SEQUENCE {
+ extnID EXTENSION-CLASS.&id({SupportedExtensions}),
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) }
+
+-- The following is needed for conversion between Extension and Extension-Cd
+
+ObjId ::= OBJECT IDENTIFIER
+Boolean ::= BOOLEAN
+Any ::= ANY
+
+Extension-Any ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue ANY }
+
+SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier |
+ subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod |
+ certificatePolicies | policyMappings | subjectAltName |
+ issuerAltName | subjectDirectoryAttributes | basicConstraints |
+ nameConstraints | policyConstraints | cRLDistributionPoints |
+ extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess |
+ subjectInfoAccess | cRLNumber | issuingDistributionPoint |
+ deltaCRLIndicator | cRLReasons | certificateIssuer |
+ holdInstructionCode | invalidityDate }
+
+authorityKeyIdentifier EXTENSION-CLASS ::= {
+ ID id-ce-authorityKeyIdentifier
+ TYPE AuthorityKeyIdentifier }
+
+subjectKeyIdentifier EXTENSION-CLASS ::= {
+ ID id-ce-subjectKeyIdentifier
+ TYPE SubjectKeyIdentifier }
+
+keyUsage EXTENSION-CLASS ::= {
+ ID id-ce-keyUsage
+ TYPE KeyUsage }
+
+privateKeyUsagePeriod EXTENSION-CLASS ::= {
+ ID id-ce-privateKeyUsagePeriod
+ TYPE PrivateKeyUsagePeriod }
+
+certificatePolicies EXTENSION-CLASS ::= {
+ ID id-ce-certificatePolicies
+ TYPE CertificatePolicies }
+
+policyMappings EXTENSION-CLASS ::= {
+ ID id-ce-policyMappings
+ TYPE PolicyMappings }
+
+subjectAltName EXTENSION-CLASS ::= {
+ ID id-ce-subjectAltName
+ TYPE SubjectAltName }
+
+issuerAltName EXTENSION-CLASS ::= {
+ ID id-ce-issuerAltName
+ TYPE IssuerAltName }
+
+subjectDirectoryAttributes EXTENSION-CLASS ::= {
+ ID id-ce-subjectDirectoryAttributes
+ TYPE SubjectDirectoryAttributes }
+
+basicConstraints EXTENSION-CLASS ::= {
+ ID id-ce-basicConstraints
+ TYPE BasicConstraints }
+
+nameConstraints EXTENSION-CLASS ::= {
+ ID id-ce-nameConstraints
+ TYPE NameConstraints }
+
+policyConstraints EXTENSION-CLASS ::= {
+ ID id-ce-policyConstraints
+ TYPE PolicyConstraints }
+
+cRLDistributionPoints EXTENSION-CLASS ::= {
+ ID id-ce-cRLDistributionPoints
+ TYPE CRLDistributionPoints }
+
+extKeyUsage EXTENSION-CLASS ::= {
+ ID id-ce-extKeyUsage
+ TYPE ExtKeyUsageSyntax }
+
+inhibitAnyPolicy EXTENSION-CLASS ::= {
+ ID id-ce-inhibitAnyPolicy
+ TYPE InhibitAnyPolicy }
+
+freshestCRL EXTENSION-CLASS ::= {
+ ID id-ce-freshestCRL
+ TYPE FreshestCRL }
+
+authorityInfoAccess EXTENSION-CLASS ::= {
+ ID id-pe-authorityInfoAccess
+ TYPE AuthorityInfoAccessSyntax }
+
+subjectInfoAccess EXTENSION-CLASS ::= {
+ ID id-pe-subjectInfoAccess
+ TYPE SubjectInfoAccessSyntax }
+
+cRLNumber EXTENSION-CLASS ::= {
+ ID id-ce-cRLNumber
+ TYPE CRLNumber }
+
+issuingDistributionPoint EXTENSION-CLASS ::= {
+ ID id-ce-issuingDistributionPoint
+ TYPE IssuingDistributionPoint }
+
+deltaCRLIndicator EXTENSION-CLASS ::= {
+ ID id-ce-deltaCRLIndicator
+ TYPE BaseCRLNumber }
+
+cRLReasons EXTENSION-CLASS ::= {
+ ID id-ce-cRLReasons
+ TYPE CRLReason }
+
+certificateIssuer EXTENSION-CLASS ::= {
+ ID id-ce-certificateIssuer
+ TYPE CertificateIssuer }
+
+holdInstructionCode EXTENSION-CLASS ::= {
+ ID id-ce-holdInstructionCode
+ TYPE HoldInstructionCode }
+
+invalidityDate EXTENSION-CLASS ::= {
+ ID id-ce-invalidityDate
+ TYPE InvalidityDate }
+
+END
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.asn1config b/lib/public_key/asn1/OTP-PUB-KEY.asn1config
new file mode 100644
index 0000000000..86f4c54748
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PUB-KEY.asn1config
@@ -0,0 +1,2 @@
+{exclusive_decode,{'OTP-PUB-KEY',
+ [{decode_TBSCert_exclusive,['Certificate',[{tbsCertificate,undecoded}]]}]}}.
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.set.asn b/lib/public_key/asn1/OTP-PUB-KEY.set.asn
new file mode 100644
index 0000000000..2f9ccd6b0e
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PUB-KEY.set.asn
@@ -0,0 +1,7 @@
+OTP-PKIX.asn1
+PKIX1Explicit88.asn1
+PKIX1Implicit88.asn1
+PKIXAttributeCertificate.asn1
+PKIX1Algorithms88.asn1
+PKCS-1.asn1
+DSS.asn1
diff --git a/lib/public_key/asn1/PKCS-1.asn1 b/lib/public_key/asn1/PKCS-1.asn1
new file mode 100755
index 0000000000..b06f5efa9d
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-1.asn1
@@ -0,0 +1,116 @@
+PKCS-1 {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
+ modules(0) pkcs-1(1)
+}
+
+-- $Revision: 1.1 $
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+--IMPORTS id-sha256, id-sha384, id-sha512
+-- FROM NIST-SHA2 {
+-- joint-iso-itu-t(2) country(16) us(840) organization(1)
+-- gov(101) csor(3) nistalgorithm(4) modules(0) sha2(1)
+-- };
+
+pkcs-1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1
+}
+
+rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
+
+id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
+
+id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }
+
+id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
+
+md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
+md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
+sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
+sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
+sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
+sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
+
+id-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3)
+ algorithms(2) 26
+}
+
+id-md2 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2
+}
+
+id-md5 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5
+}
+
+id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }
+
+
+RSAPublicKey ::= SEQUENCE {
+ modulus INTEGER, -- n
+ publicExponent INTEGER -- e
+}
+
+RSAPrivateKey ::= SEQUENCE {
+ version Version,
+ modulus INTEGER, -- n
+ publicExponent INTEGER, -- e
+ privateExponent INTEGER, -- d
+ prime1 INTEGER, -- p
+ prime2 INTEGER, -- q
+ exponent1 INTEGER, -- d mod (p-1)
+ exponent2 INTEGER, -- d mod (q-1)
+ coefficient INTEGER, -- (inverse of q) mod p
+ otherPrimeInfos OtherPrimeInfos OPTIONAL
+}
+
+Version ::= INTEGER { two-prime(0), multi(1) }
+ (CONSTRAINED BY {
+ -- version must be multi if otherPrimeInfos present --
+ })
+
+OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
+
+OtherPrimeInfo ::= SEQUENCE {
+ prime INTEGER, -- ri
+ exponent INTEGER, -- di
+ coefficient INTEGER -- ti
+}
+
+Algorithm ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL
+}
+
+AlgorithmNull ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters NULL
+}
+
+
+RSASSA-PSS-params ::= SEQUENCE {
+ hashAlgorithm [0] Algorithm, -- DEFAULT sha1,
+ maskGenAlgorithm [1] Algorithm, -- DEFAULT mgf1SHA1,
+ saltLength [2] INTEGER DEFAULT 20,
+ trailerField [3] TrailerField DEFAULT trailerFieldBC
+}
+
+TrailerField ::= INTEGER { trailerFieldBC(1) }
+
+DigestInfo ::= SEQUENCE {
+ digestAlgorithm Algorithm,
+ digest OCTET STRING
+}
+
+DigestInfoNull ::= SEQUENCE {
+ digestAlgorithm AlgorithmNull,
+ digest OCTET STRING
+}
+
+
+END -- PKCS1Definitions
+
diff --git a/lib/public_key/asn1/PKIX1Algorithms88.asn1 b/lib/public_key/asn1/PKIX1Algorithms88.asn1
new file mode 100644
index 0000000000..f895b6d0cd
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Algorithms88.asn1
@@ -0,0 +1,235 @@
+ PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms(17) }
+
+ DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ -- EXPORTS All;
+
+ -- IMPORTS NONE;
+
+ --
+ -- One-way Hash Functions
+ -- md2, md5, id-sha1 see PKCS-1
+
+ --
+ -- DSA Keys and Signatures
+ --
+
+ -- OID for DSA public key
+
+ id-dsa OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+
+ -- encoding for DSA public key
+
+ DSAPublicKey ::= INTEGER -- public key, y
+
+ Dss-Parms ::= SEQUENCE {
+ p INTEGER,
+ q INTEGER,
+ g INTEGER }
+
+ -- OID for DSA signature generated with SHA-1 hash
+
+ id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+
+ -- encoding for DSA signature generated with SHA-1 hash
+
+ Dss-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER }
+
+ --
+ -- RSA Keys and Signatures, see PKCS-1
+ --
+
+ --
+ -- Diffie-Hellman Keys
+ --
+
+ dhpublicnumber OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-x942(10046)
+ number-type(2) 1 }
+
+ -- encoding for DSA public key
+
+ DHPublicKey ::= INTEGER -- public key, y = g^x mod p
+
+ DomainParameters ::= SEQUENCE {
+ p INTEGER, -- odd prime, p=jq +1
+ g INTEGER, -- generator, g
+ q INTEGER, -- factor of p-1
+ j INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ validationParms ValidationParms OPTIONAL }
+
+ ValidationParms ::= SEQUENCE {
+ seed BIT STRING,
+ pgenCounter INTEGER }
+
+ --
+ -- KEA Keys
+ --
+
+ id-keyExchangeAlgorithm OBJECT IDENTIFIER ::=
+ { 2 16 840 1 101 2 1 1 22 }
+
+ KEA-Parms-Id ::= OCTET STRING
+
+ --
+ -- Elliptic Curve Keys, Signatures, and Curves
+ --
+
+ ansi-X9-62 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) 10045 }
+
+ FieldID ::= SEQUENCE { -- Finite field
+ fieldType OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY fieldType }
+
+ -- Arc for ECDSA signature OIDS
+
+ id-ecSigType OBJECT IDENTIFIER ::= { ansi-X9-62 signatures(4) }
+
+ -- OID for ECDSA signatures with SHA-1
+
+ ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 }
+
+ -- OID for an elliptic curve signature
+ -- format for the value of an ECDSA signature value
+
+ ECDSA-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER }
+
+ -- recognized field type OIDs are defined in the following arc
+
+ id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) }
+
+ -- where fieldType is prime-field, the parameters are of type Prime-p
+
+ prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+
+ Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime
+
+ -- where fieldType is characteristic-two-field, the parameters are
+ -- of type Characteristic-two
+
+ characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 }
+
+ Characteristic-two ::= SEQUENCE {
+ m INTEGER, -- Field size 2^m
+ basis OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY basis }
+
+ -- recognized basis type OIDs are defined in the following arc
+
+ id-characteristic-two-basis OBJECT IDENTIFIER ::= {
+ characteristic-two-field basisType(3) }
+
+ -- gnbasis is identified by OID gnBasis and indicates
+ -- parameters are NULL
+
+ gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
+
+ -- parameters for this basis are NULL
+
+ -- trinomial basis is identified by OID tpBasis and indicates
+ -- parameters of type Pentanomial
+
+ tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 }
+
+ -- Trinomial basis representation of F2^m
+ -- Integer k for reduction polynomial xm + xk + 1
+
+ Trinomial ::= INTEGER
+
+ -- for pentanomial basis is identified by OID ppBasis and indicates
+ -- parameters of type Pentanomial
+
+ ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 }
+
+ -- Pentanomial basis representation of F2^m
+ -- reduction polynomial integers k1, k2, k3
+ -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1
+
+ Pentanomial ::= SEQUENCE {
+ k1 INTEGER,
+ k2 INTEGER,
+ k3 INTEGER }
+
+ -- The object identifiers gnBasis, tpBasis and ppBasis name
+ -- three kinds of basis for characteristic-two finite fields
+
+ FieldElement ::= OCTET STRING -- Finite field element
+
+ ECPoint ::= OCTET STRING -- Elliptic curve point
+
+ -- Elliptic Curve parameters may be specified explicitly,
+ -- specified implicitly through a "named curve", or
+ -- inherited from the CA
+
+ EcpkParameters ::= CHOICE {
+ ecParameters ECParameters,
+ namedCurve OBJECT IDENTIFIER,
+ implicitlyCA NULL }
+
+ ECParameters ::= SEQUENCE { -- Elliptic curve parameters
+ version ECPVer,
+ fieldID FieldID,
+ curve Curve,
+ base ECPoint, -- Base point G
+ order INTEGER, -- Order n of the base point
+ cofactor INTEGER OPTIONAL } -- The integer h = #E(Fq)/n
+
+ ECPVer ::= INTEGER {ecpVer1(1)}
+
+ Curve ::= SEQUENCE {
+ a FieldElement, -- Elliptic curve coefficient a
+ b FieldElement, -- Elliptic curve coefficient b
+ seed BIT STRING OPTIONAL }
+
+ id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) }
+
+ id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
+
+ -- Named Elliptic Curves in ANSI X9.62.
+
+ ellipticCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) }
+
+ c-TwoCurve OBJECT IDENTIFIER ::= {
+ ellipticCurve characteristicTwo(0) }
+
+ c2pnb163v1 OBJECT IDENTIFIER ::= { c-TwoCurve 1 }
+ c2pnb163v2 OBJECT IDENTIFIER ::= { c-TwoCurve 2 }
+ c2pnb163v3 OBJECT IDENTIFIER ::= { c-TwoCurve 3 }
+ c2pnb176w1 OBJECT IDENTIFIER ::= { c-TwoCurve 4 }
+ c2tnb191v1 OBJECT IDENTIFIER ::= { c-TwoCurve 5 }
+ c2tnb191v2 OBJECT IDENTIFIER ::= { c-TwoCurve 6 }
+ c2tnb191v3 OBJECT IDENTIFIER ::= { c-TwoCurve 7 }
+ c2onb191v4 OBJECT IDENTIFIER ::= { c-TwoCurve 8 }
+ c2onb191v5 OBJECT IDENTIFIER ::= { c-TwoCurve 9 }
+ c2pnb208w1 OBJECT IDENTIFIER ::= { c-TwoCurve 10 }
+ c2tnb239v1 OBJECT IDENTIFIER ::= { c-TwoCurve 11 }
+ c2tnb239v2 OBJECT IDENTIFIER ::= { c-TwoCurve 12 }
+ c2tnb239v3 OBJECT IDENTIFIER ::= { c-TwoCurve 13 }
+ c2onb239v4 OBJECT IDENTIFIER ::= { c-TwoCurve 14 }
+ c2onb239v5 OBJECT IDENTIFIER ::= { c-TwoCurve 15 }
+ c2pnb272w1 OBJECT IDENTIFIER ::= { c-TwoCurve 16 }
+ c2pnb304w1 OBJECT IDENTIFIER ::= { c-TwoCurve 17 }
+ c2tnb359v1 OBJECT IDENTIFIER ::= { c-TwoCurve 18 }
+ c2pnb368w1 OBJECT IDENTIFIER ::= { c-TwoCurve 19 }
+ c2tnb431r1 OBJECT IDENTIFIER ::= { c-TwoCurve 20 }
+
+ primeCurve OBJECT IDENTIFIER ::= { ellipticCurve prime(1) }
+
+ prime192v1 OBJECT IDENTIFIER ::= { primeCurve 1 }
+ prime192v2 OBJECT IDENTIFIER ::= { primeCurve 2 }
+ prime192v3 OBJECT IDENTIFIER ::= { primeCurve 3 }
+ prime239v1 OBJECT IDENTIFIER ::= { primeCurve 4 }
+ prime239v2 OBJECT IDENTIFIER ::= { primeCurve 5 }
+ prime239v3 OBJECT IDENTIFIER ::= { primeCurve 6 }
+ prime256v1 OBJECT IDENTIFIER ::= { primeCurve 7 }
+
+ END
diff --git a/lib/public_key/asn1/PKIX1Explicit88.asn1 b/lib/public_key/asn1/PKIX1Explicit88.asn1
new file mode 100644
index 0000000000..03e9da3e05
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Explicit88.asn1
@@ -0,0 +1,619 @@
+PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL --
+
+-- IMPORTS NONE --
+
+-- UNIVERSAL Types defined in 1993 and 1998 ASN.1
+-- and required by this specification
+
+-- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+ -- UniversalString is defined in ASN.1:1993
+
+-- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+ -- BMPString is the subtype of UniversalString and models
+ -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
+
+-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+ -- The content of this type conforms to RFC 2279.
+
+-- PKIX specific OIDs
+
+id-pkix OBJECT IDENTIFIER ::=
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) }
+
+-- PKIX arcs
+
+id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
+ -- arc for private certificate extensions
+id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ -- arc for policy qualifier types
+id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+ -- arc for extended key purpose OIDS
+id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+ -- arc for access descriptors
+
+-- policyQualifierIds for Internet policy qualifiers
+
+id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ -- OID for CPS qualifier
+id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ -- OID for user notice qualifier
+
+-- access descriptor definitions
+
+id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
+id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
+
+-- attribute data types
+
+Attribute ::= SEQUENCE {
+ type AttributeType,
+ values SET OF AttributeValue }
+ -- at least one value is required
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY
+
+AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+-- suggested naming attributes: Definition of the following
+-- information object set may be augmented to meet local
+-- requirements. Note that deleting members of the set may
+-- prevent interoperability with conforming implementations.
+-- presented in pairs: the AttributeType followed by the
+-- type definition for the corresponding AttributeValue
+--Arc for standard naming attributes
+id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+
+-- Naming attributes of type X520name
+
+id-at-name AttributeType ::= { id-at 41 }
+id-at-surname AttributeType ::= { id-at 4 }
+id-at-givenName AttributeType ::= { id-at 42 }
+id-at-initials AttributeType ::= { id-at 43 }
+id-at-generationQualifier AttributeType ::= { id-at 44 }
+
+X520name ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-name)),
+ printableString PrintableString (SIZE (1..ub-name)),
+ universalString UniversalString (SIZE (1..ub-name)),
+ utf8String UTF8String (SIZE (1..ub-name)),
+ bmpString BMPString (SIZE (1..ub-name)) }
+
+-- Naming attributes of type X520CommonName
+
+id-at-commonName AttributeType ::= { id-at 3 }
+
+X520CommonName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-common-name)),
+ printableString PrintableString (SIZE (1..ub-common-name)),
+ universalString UniversalString (SIZE (1..ub-common-name)),
+ utf8String UTF8String (SIZE (1..ub-common-name)),
+ bmpString BMPString (SIZE (1..ub-common-name)) }
+
+-- Naming attributes of type X520LocalityName
+
+id-at-localityName AttributeType ::= { id-at 7 }
+
+X520LocalityName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-locality-name)),
+ printableString PrintableString (SIZE (1..ub-locality-name)),
+ universalString UniversalString (SIZE (1..ub-locality-name)),
+ utf8String UTF8String (SIZE (1..ub-locality-name)),
+ bmpString BMPString (SIZE (1..ub-locality-name)) }
+
+-- Naming attributes of type X520StateOrProvinceName
+
+id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
+
+X520StateOrProvinceName ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-state-name)),
+ printableString PrintableString (SIZE (1..ub-state-name)),
+ universalString UniversalString (SIZE (1..ub-state-name)),
+ utf8String UTF8String (SIZE (1..ub-state-name)),
+ bmpString BMPString (SIZE(1..ub-state-name)) }
+
+-- Naming attributes of type X520OrganizationName
+
+id-at-organizationName AttributeType ::= { id-at 10 }
+
+X520OrganizationName ::= CHOICE {
+ teletexString TeletexString
+ (SIZE (1..ub-organization-name)),
+ printableString PrintableString
+ (SIZE (1..ub-organization-name)),
+ universalString UniversalString
+ (SIZE (1..ub-organization-name)),
+ utf8String UTF8String
+ (SIZE (1..ub-organization-name)),
+ bmpString BMPString
+ (SIZE (1..ub-organization-name)) }
+
+-- Naming attributes of type X520OrganizationalUnitName
+
+id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+
+X520OrganizationalUnitName ::= CHOICE {
+ teletexString TeletexString
+ (SIZE (1..ub-organizational-unit-name)),
+ printableString PrintableString
+ (SIZE (1..ub-organizational-unit-name)),
+ universalString UniversalString
+ (SIZE (1..ub-organizational-unit-name)),
+ utf8String UTF8String
+ (SIZE (1..ub-organizational-unit-name)),
+ bmpString BMPString
+ (SIZE (1..ub-organizational-unit-name)) }
+
+-- Naming attributes of type X520Title
+
+id-at-title AttributeType ::= { id-at 12 }
+
+X520Title ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-title)),
+ printableString PrintableString (SIZE (1..ub-title)),
+ universalString UniversalString (SIZE (1..ub-title)),
+ utf8String UTF8String (SIZE (1..ub-title)),
+ bmpString BMPString (SIZE (1..ub-title)) }
+
+-- Naming attributes of type X520dnQualifier
+
+id-at-dnQualifier AttributeType ::= { id-at 46 }
+
+X520dnQualifier ::= PrintableString
+
+-- Naming attributes of type X520countryName (digraph from IS 3166)
+
+id-at-countryName AttributeType ::= { id-at 6 }
+
+X520countryName ::= PrintableString (SIZE (2))
+
+-- Naming attributes of type X520SerialNumber
+
+id-at-serialNumber AttributeType ::= { id-at 5 }
+
+X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number))
+
+-- Naming attributes of type X520Pseudonym
+
+id-at-pseudonym AttributeType ::= { id-at 65 }
+
+X520Pseudonym ::= CHOICE {
+ teletexString TeletexString (SIZE (1..ub-pseudonym)),
+ printableString PrintableString (SIZE (1..ub-pseudonym)),
+ universalString UniversalString (SIZE (1..ub-pseudonym)),
+ utf8String UTF8String (SIZE (1..ub-pseudonym)),
+ bmpString BMPString (SIZE (1..ub-pseudonym)) }
+
+-- Naming attributes of type DomainComponent (from RFC 2247)
+
+id-domainComponent AttributeType ::=
+ { 0 9 2342 19200300 100 1 25 }
+
+DomainComponent ::= IA5String
+
+-- Legacy attributes
+
+pkcs-9 OBJECT IDENTIFIER ::=
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+
+id-emailAddress AttributeType ::= { pkcs-9 1 }
+
+EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length))
+
+-- naming data types --
+
+Name ::= CHOICE { -- only one possibility for now --
+ rdnSequence RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+DistinguishedName ::= RDNSequence
+
+RelativeDistinguishedName ::=
+ SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+
+-- Directory string type --
+
+DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1..MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+-- certificate and CRL specific structures begin here
+
+Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertificate ::= SEQUENCE {
+ version [0] Version DEFAULT v1,
+ serialNumber CertificateSerialNumber,
+ signature AlgorithmIdentifier,
+ issuer Name,
+ validity Validity,
+ subject Name,
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version MUST be v2 or v3
+ extensions [3] Extensions OPTIONAL
+ -- If present, version MUST be v3 -- }
+
+Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+CertificateSerialNumber ::= INTEGER
+
+Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+UniqueIdentifier ::= BIT STRING
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING }
+
+Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+-- CRL structures
+
+CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING }
+
+TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, MUST be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, MUST be v2
+ } OPTIONAL,
+ crlExtensions [0] Extensions OPTIONAL }
+ -- if present, MUST be v2
+
+-- Version, Time, CertificateSerialNumber, and Extensions were
+-- defined earlier for use in the certificate structure
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+ -- contains a value of the type
+ -- registered for use with the
+ -- algorithm object identifier value
+
+-- X.400 address syntax starts here
+
+ORAddress ::= SEQUENCE {
+ built-in-standard-attributes BuiltInStandardAttributes,
+ built-in-domain-defined-attributes
+ BuiltInDomainDefinedAttributes OPTIONAL,
+ -- see also teletex-domain-defined-attributes
+ extension-attributes ExtensionAttributes OPTIONAL }
+
+-- Built-in Standard Attributes
+
+BuiltInStandardAttributes ::= SEQUENCE {
+ country-name CountryName OPTIONAL,
+ administration-domain-name AdministrationDomainName OPTIONAL,
+ network-address [0] IMPLICIT NetworkAddress OPTIONAL,
+ -- see also extended-network-address
+ terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
+ private-domain-name [2] PrivateDomainName OPTIONAL,
+ organization-name [3] IMPLICIT OrganizationName OPTIONAL,
+ -- see also teletex-organization-name
+ numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
+ OPTIONAL,
+ personal-name [5] IMPLICIT PersonalName OPTIONAL,
+ -- see also teletex-personal-name
+ organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
+ OPTIONAL }
+ -- see also teletex-organizational-unit-names
+
+CountryName ::= [APPLICATION 1] CHOICE {
+ x121-dcc-code NumericString
+ (SIZE (ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ numeric NumericString (SIZE (0..ub-domain-name-length)),
+ printable PrintableString (SIZE (0..ub-domain-name-length)) }
+
+NetworkAddress ::= X121Address -- see also extended-network-address
+
+X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+
+TerminalIdentifier ::= PrintableString (SIZE
+(1..ub-terminal-id-length))
+
+PrivateDomainName ::= CHOICE {
+ numeric NumericString (SIZE (1..ub-domain-name-length)),
+ printable PrintableString (SIZE (1..ub-domain-name-length)) }
+
+OrganizationName ::= PrintableString
+ (SIZE (1..ub-organization-name-length))
+ -- see also teletex-organization-name
+
+NumericUserIdentifier ::= NumericString
+ (SIZE (1..ub-numeric-user-id-length))
+
+PersonalName ::= SET {
+ surname [0] IMPLICIT PrintableString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT PrintableString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT PrintableString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT PrintableString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL }
+ -- see also teletex-personal-name
+
+OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ OF OrganizationalUnitName
+ -- see also teletex-organizational-unit-names
+
+OrganizationalUnitName ::= PrintableString (SIZE
+ (1..ub-organizational-unit-name-length))
+
+-- Built-in Domain-defined Attributes
+
+BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF
+ BuiltInDomainDefinedAttribute
+
+BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ type PrintableString (SIZE
+ (1..ub-domain-defined-attribute-type-length)),
+ value PrintableString (SIZE
+ (1..ub-domain-defined-attribute-value-length)) }
+
+-- Extension Attributes
+
+ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ ExtensionAttribute
+
+ExtensionAttribute ::= SEQUENCE {
+ extension-attribute-type [0] IMPLICIT INTEGER
+ (0..ub-extension-attributes),
+ extension-attribute-value [1]
+ ANY DEFINED BY extension-attribute-type }
+
+-- Extension types and attribute values
+
+common-name INTEGER ::= 1
+
+CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+
+teletex-common-name INTEGER ::= 2
+
+TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+
+teletex-organization-name INTEGER ::= 3
+
+TeletexOrganizationName ::=
+ TeletexString (SIZE (1..ub-organization-name-length))
+
+teletex-personal-name INTEGER ::= 4
+
+TeletexPersonalName ::= SET {
+ surname [0] IMPLICIT TeletexString
+ (SIZE (1..ub-surname-length)),
+ given-name [1] IMPLICIT TeletexString
+ (SIZE (1..ub-given-name-length)) OPTIONAL,
+ initials [2] IMPLICIT TeletexString
+ (SIZE (1..ub-initials-length)) OPTIONAL,
+ generation-qualifier [3] IMPLICIT TeletexString
+ (SIZE (1..ub-generation-qualifier-length))
+ OPTIONAL }
+
+teletex-organizational-unit-names INTEGER ::= 5
+
+TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+
+TeletexOrganizationalUnitName ::= TeletexString
+ (SIZE (1..ub-organizational-unit-name-length))
+
+pds-name INTEGER ::= 7
+
+PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+
+physical-delivery-country-name INTEGER ::= 8
+
+PhysicalDeliveryCountryName ::= CHOICE {
+ x121-dcc-code NumericString (SIZE
+(ub-country-name-numeric-length)),
+ iso-3166-alpha2-code PrintableString
+ (SIZE (ub-country-name-alpha-length)) }
+
+postal-code INTEGER ::= 9
+
+PostalCode ::= CHOICE {
+ numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+
+physical-delivery-office-name INTEGER ::= 10
+
+PhysicalDeliveryOfficeName ::= PDSParameter
+
+physical-delivery-office-number INTEGER ::= 11
+
+PhysicalDeliveryOfficeNumber ::= PDSParameter
+
+extension-OR-address-components INTEGER ::= 12
+
+ExtensionORAddressComponents ::= PDSParameter
+
+physical-delivery-personal-name INTEGER ::= 13
+
+PhysicalDeliveryPersonalName ::= PDSParameter
+
+physical-delivery-organization-name INTEGER ::= 14
+
+PhysicalDeliveryOrganizationName ::= PDSParameter
+
+extension-physical-delivery-address-components INTEGER ::= 15
+
+ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
+
+unformatted-postal-address INTEGER ::= 16
+
+UnformattedPostalAddress ::= SET {
+ printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
+ OF PrintableString (SIZE (1..ub-pds-parameter-length))
+ OPTIONAL,
+ teletex-string TeletexString
+ (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+
+street-address INTEGER ::= 17
+
+StreetAddress ::= PDSParameter
+
+post-office-box-address INTEGER ::= 18
+
+PostOfficeBoxAddress ::= PDSParameter
+
+poste-restante-address INTEGER ::= 19
+
+PosteRestanteAddress ::= PDSParameter
+
+unique-postal-name INTEGER ::= 20
+
+UniquePostalName ::= PDSParameter
+
+local-postal-attributes INTEGER ::= 21
+
+LocalPostalAttributes ::= PDSParameter
+
+PDSParameter ::= SET {
+ printable-string PrintableString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ teletex-string TeletexString
+ (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+
+extended-network-address INTEGER ::= 22
+
+ExtendedNetworkAddress ::= CHOICE {
+ e163-4-address SEQUENCE {
+ number [0] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-number-length)),
+ sub-address [1] IMPLICIT NumericString
+ (SIZE (1..ub-e163-4-sub-address-length))
+ OPTIONAL },
+ psap-address [0] IMPLICIT PresentationAddress }
+
+PresentationAddress ::= SEQUENCE {
+ pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
+ sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
+ tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
+ nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+
+terminal-type INTEGER ::= 23
+
+TerminalType ::= INTEGER {
+ telex (3),
+ teletex (4),
+ g3-facsimile (5),
+ g4-facsimile (6),
+ ia5-terminal (7),
+ videotex (8) } (0..ub-integer-options)
+
+-- Extension Domain-defined Attributes
+
+teletex-domain-defined-attributes INTEGER ::= 6
+
+TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+
+TeletexDomainDefinedAttribute ::= SEQUENCE {
+ type TeletexString
+ (SIZE (1..ub-domain-defined-attribute-type-length)),
+ value TeletexString
+ (SIZE (1..ub-domain-defined-attribute-value-length)) }
+
+-- specifications of Upper Bounds MUST be regarded as mandatory
+-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
+-- Upper Bounds
+
+-- Upper Bounds
+ub-name INTEGER ::= 32768
+ub-common-name INTEGER ::= 64
+ub-locality-name INTEGER ::= 128
+ub-state-name INTEGER ::= 128
+ub-organization-name INTEGER ::= 64
+ub-organizational-unit-name INTEGER ::= 64
+ub-title INTEGER ::= 64
+ub-serial-number INTEGER ::= 64
+ub-match INTEGER ::= 128
+ub-emailaddress-length INTEGER ::= 255
+ub-common-name-length INTEGER ::= 64
+ub-country-name-alpha-length INTEGER ::= 2
+ub-country-name-numeric-length INTEGER ::= 3
+ub-domain-defined-attributes INTEGER ::= 4
+ub-domain-defined-attribute-type-length INTEGER ::= 8
+ub-domain-defined-attribute-value-length INTEGER ::= 128
+ub-domain-name-length INTEGER ::= 16
+ub-extension-attributes INTEGER ::= 256
+ub-e163-4-number-length INTEGER ::= 15
+ub-e163-4-sub-address-length INTEGER ::= 40
+ub-generation-qualifier-length INTEGER ::= 3
+ub-given-name-length INTEGER ::= 16
+ub-initials-length INTEGER ::= 5
+ub-integer-options INTEGER ::= 256
+ub-numeric-user-id-length INTEGER ::= 32
+ub-organization-name-length INTEGER ::= 64
+ub-organizational-unit-name-length INTEGER ::= 32
+ub-organizational-units INTEGER ::= 4
+ub-pds-name-length INTEGER ::= 16
+ub-pds-parameter-length INTEGER ::= 30
+ub-pds-physical-address-lines INTEGER ::= 6
+ub-postal-code-length INTEGER ::= 16
+ub-pseudonym INTEGER ::= 128
+ub-surname-length INTEGER ::= 40
+ub-terminal-id-length INTEGER ::= 24
+ub-unformatted-address-length INTEGER ::= 180
+ub-x121-address-length INTEGER ::= 16
+
+-- Note - upper bounds on string types, such as TeletexString, are
+-- measured in characters. Excepting PrintableString or IA5String, a
+-- significantly greater number of octets will be required to hold
+-- such a value. As a minimum, 16 octets, or twice the specified
+-- upper bound, whichever is the larger, should be allowed for
+-- TeletexString. For UTF8String or UniversalString at least four
+-- times the upper bound should be allowed.
+
+END
diff --git a/lib/public_key/asn1/PKIX1Implicit88.asn1 b/lib/public_key/asn1/PKIX1Implicit88.asn1
new file mode 100644
index 0000000000..ced270baf6
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Implicit88.asn1
@@ -0,0 +1,349 @@
+PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL --
+
+IMPORTS
+ id-pe, id-kp, id-qt-unotice, id-qt-cps,
+ -- delete following line if "new" types are supported --
+ -- BMPString,
+ -- UTF8String, end "new" types --
+ ORAddress, Name, RelativeDistinguishedName,
+ CertificateSerialNumber, Attribute, DirectoryString
+ FROM PKIX1Explicit88 { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-explicit(18) };
+
+
+-- ISO arc for standard certificate and CRL extensions
+
+id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
+
+-- authority key identifier OID and syntax
+
+id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ -- authorityCertIssuer and authorityCertSerialNumber MUST both
+ -- be present or both be absent
+
+KeyIdentifier ::= OCTET STRING
+
+-- subject key identifier OID and syntax
+
+id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+
+SubjectKeyIdentifier ::= KeyIdentifier
+
+-- key usage extension OID and syntax
+
+id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+-- private key usage period extension OID and syntax
+
+id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
+
+PrivateKeyUsagePeriod ::= SEQUENCE {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+ -- either notBefore or notAfter MUST be present
+
+-- certificate policies extension OID and syntax
+
+id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+
+anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
+
+CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+
+PolicyInformation ::= SEQUENCE {
+ policyIdentifier CertPolicyId,
+ policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ PolicyQualifierInfo OPTIONAL }
+
+CertPolicyId ::= OBJECT IDENTIFIER
+
+PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId }
+
+-- Implementations that recognize additional policy qualifiers MUST
+-- augment the following definition for PolicyQualifierId
+
+PolicyQualifierId ::=
+ OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+
+-- CPS pointer qualifier
+
+CPSuri ::= IA5String
+
+-- user notice qualifier
+
+UserNotice ::= SEQUENCE {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+NoticeReference ::= SEQUENCE {
+ organization DisplayText,
+ noticeNumbers SEQUENCE OF INTEGER }
+
+DisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..200)),
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+-- policy mapping extension OID and syntax
+
+id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+
+PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId }
+
+-- subject alternative name extension OID and syntax
+
+id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+
+SubjectAltName ::= GeneralNames
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] AnotherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+
+-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
+-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
+
+AnotherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+-- issuer alternative name extension OID and syntax
+
+id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
+
+IssuerAltName ::= GeneralNames
+
+id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
+
+SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+
+-- basic constraints extension OID and syntax
+
+id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+-- name constraints extension OID and syntax
+
+id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+
+NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+
+GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+BaseDistance ::= INTEGER (0..MAX)
+
+-- policy constraints extension OID and syntax
+
+id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+
+PolicyConstraints ::= SEQUENCE {
+ requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+
+SkipCerts ::= INTEGER (0..MAX)
+
+-- CRL distribution points extension OID and syntax
+
+id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
+
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+DistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL }
+
+DistributionPointName ::= CHOICE {
+ fullName [0] GeneralNames,
+ nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+
+ReasonFlags ::= BIT STRING {
+ unused (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ privilegeWithdrawn (7),
+ aACompromise (8) }
+
+-- extended key usage extension OID and syntax
+
+id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+
+ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+
+
+KeyPurposeId ::= OBJECT IDENTIFIER
+
+-- permit unspecified key uses
+
+anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
+
+-- extended key purpose OIDs
+
+id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
+id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
+id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
+id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
+id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+
+-- inhibit any policy OID and syntax
+
+id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
+
+InhibitAnyPolicy ::= SkipCerts
+
+-- freshest (delta)CRL extension OID and syntax
+
+id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
+
+FreshestCRL ::= CRLDistributionPoints
+
+-- authority info access
+
+id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+AuthorityInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+-- subject info access
+
+id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
+
+SubjectInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+-- CRL number extension OID and syntax
+
+id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+
+CRLNumber ::= INTEGER (0..MAX)
+
+-- issuing distribution point extension OID and syntax
+
+id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+
+IssuingDistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE,
+ onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+
+id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+
+BaseCRLNumber ::= CRLNumber
+
+-- CRL reasons extension OID and syntax
+
+id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+
+CRLReason ::= ENUMERATED {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8),
+ privilegeWithdrawn (9),
+ aACompromise (10) }
+
+-- certificate issuer CRL entry extension OID and syntax
+
+id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+
+CertificateIssuer ::= GeneralNames
+
+-- hold instruction extension OID and syntax
+
+id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+
+HoldInstructionCode ::= OBJECT IDENTIFIER
+
+-- ANSI x9 holdinstructions
+
+-- ANSI x9 arc holdinstruction arc
+
+holdInstruction OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
+
+-- ANSI X9 holdinstructions referenced by this standard
+
+id-holdinstruction-none OBJECT IDENTIFIER ::=
+ {holdInstruction 1} -- deprecated
+
+id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+ {holdInstruction 2}
+
+id-holdinstruction-reject OBJECT IDENTIFIER ::=
+ {holdInstruction 3}
+
+-- invalidity date CRL entry extension OID and syntax
+
+id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+
+InvalidityDate ::= GeneralizedTime
+
+END
diff --git a/lib/public_key/asn1/PKIXAttributeCertificate.asn1 b/lib/public_key/asn1/PKIXAttributeCertificate.asn1
new file mode 100644
index 0000000000..7d93e6b37e
--- /dev/null
+++ b/lib/public_key/asn1/PKIXAttributeCertificate.asn1
@@ -0,0 +1,189 @@
+ PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-attribute-cert(12)}
+
+ DEFINITIONS IMPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS ALL --
+
+ IMPORTS
+
+ -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
+ -- PKIX Certificate Extensions
+ Attribute, AlgorithmIdentifier, CertificateSerialNumber,
+ Extensions, UniqueIdentifier,
+ id-pkix, id-pe, id-kp, id-ad, id-at
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5)
+ pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
+
+ GeneralName, GeneralNames, id-ce
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5)
+ pkix(7) id-mod(0) id-pkix1-implicit-88(2)} ;
+
+ id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
+ id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
+ id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
+ id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
+
+ id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
+ id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
+ id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
+ id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
+ id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
+ -- { id-aca 5 } is reserved
+ id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
+
+ id-at-role OBJECT IDENTIFIER ::= { id-at 72}
+ id-at-clearance OBJECT IDENTIFIER ::=
+ { joint-iso-ccitt(2) ds(5) module(1)
+ selected-attribute-types(5) clearance (55) }
+
+ -- Uncomment this if using a 1988 level ASN.1 compiler
+ -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+
+ AttributeCertificate ::= SEQUENCE {
+ acinfo AttributeCertificateInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING
+ }
+
+ AttributeCertificateInfo ::= SEQUENCE {
+ version AttCertVersion, -- version is v2
+ holder Holder,
+ issuer AttCertIssuer,
+ signature AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes SEQUENCE OF Attribute,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+ AttCertVersion ::= INTEGER { v2(1) }
+
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the
+ -- holder, for example, an executable
+ }
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- MUST NOT be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+ AttCertIssuer ::= CHOICE {
+ v1Form GeneralNames, -- MUST NOT be used in this
+ -- profile
+ v2Form [0] V2Form -- v2 only
+ }
+
+ V2Form ::= SEQUENCE {
+ issuerName GeneralNames OPTIONAL,
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ objectDigestInfo [1] ObjectDigestInfo OPTIONAL
+ -- issuerName MUST be present in this profile
+ -- baseCertificateID and objectDigestInfo MUST
+ -- NOT be present in this profile
+ }
+
+ IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUID UniqueIdentifier OPTIONAL
+ }
+
+ AttCertValidityPeriod ::= SEQUENCE {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+ }
+
+ Targets ::= SEQUENCE OF Target
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+ TargetCert ::= SEQUENCE {
+ targetCertificate IssuerSerial,
+ targetName GeneralName OPTIONAL,
+ certDigestInfo ObjectDigestInfo OPTIONAL
+ }
+
+ IetfAttrSyntax ::= SEQUENCE {
+ policyAuthority[0] GeneralNames OPTIONAL,
+ values SEQUENCE OF CHOICE {
+ octets OCTET STRING,
+ oid OBJECT IDENTIFIER,
+ string UTF8String
+ }
+ }
+
+ SvceAuthInfo ::= SEQUENCE {
+ service GeneralName,
+ ident GeneralName,
+ authInfo OCTET STRING OPTIONAL
+ }
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+ Clearance ::= SEQUENCE {
+ policyId [0] OBJECT IDENTIFIER,
+ classList [1] ClassList DEFAULT {unclassified},
+ securityCategories
+ [2] SET OF SecurityCategory OPTIONAL
+ }
+
+ ClassList ::= BIT STRING {
+ unmarked (0),
+ unclassified (1),
+ restricted (2),
+ confidential (3),
+ secret (4),
+ topSecret (5)
+ }
+
+ SecurityCategory ::= SEQUENCE {
+ type [0] IMPLICIT OBJECT IDENTIFIER,
+ value [1] ANY DEFINED BY type
+ }
+
+ AAControls ::= SEQUENCE {
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL,
+ permittedAttrs [0] AttrSpec OPTIONAL,
+ excludedAttrs [1] AttrSpec OPTIONAL,
+ permitUnSpecified BOOLEAN DEFAULT TRUE
+ }
+
+ AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
+
+ ACClearAttrs ::= SEQUENCE {
+ acIssuer GeneralName,
+ acSerial INTEGER,
+ attrs SEQUENCE OF Attribute
+ }
+
+ ProxyInfo ::= SEQUENCE OF Targets
+
+ END
diff --git a/lib/public_key/asn1/README b/lib/public_key/asn1/README
new file mode 100644
index 0000000000..5fb8cf9725
--- /dev/null
+++ b/lib/public_key/asn1/README
@@ -0,0 +1,51 @@
+The files
+
+ PKIX1Algorithms88.asn1
+ PKIX1Explicit88.asn1
+ PKIX1Implicit88.asn1
+ PKIXAttributeCertificate.asn1
+
+are from RFCs 3279, 3280 and 3281.
+
+We have edited PKIX1Explicit88.asn1, PKIX1Implicit88.asn1, and
+PKIXAttributeCertificate.asn1 as follows:
+
+
+1. Removal of definition of UniversalString and BMPString:
+
+diff -r1.1 PKIX1Explicit88.asn1
+15c15
+< UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+---
+> -- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+18c18
+< BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+---
+> -- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+
+
+2. Removal of definition of BMPString:
+
+diff -r1.1 PKIX1Implicit88.asn1
+13c13,14
+< BMPString, UTF8String, -- end "new" types --
+---
+> -- BMPString,
+> UTF8String, -- end "new" types --
+
+
+3. Addition of definition of UTF8String, and correction of a typo.
+
+diff -r1.1 PKIXAttributeCertificate.asn1
+46c46
+< -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+---
+> UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+55c55
+< version AttCertVersion -- version is v2,
+---
+> version AttCertVersion, -- version is v2
+
+4. Defenitions of publuic keys from PKCS-1.asn1 present in
+PKIX1Algorithms88.asn1 where removed as we take them directly from
+PKCS-1.asn1 \ No newline at end of file
diff --git a/lib/public_key/doc/html/.gitignore b/lib/public_key/doc/html/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/lib/public_key/doc/html/.gitignore
diff --git a/lib/public_key/doc/man3/.gitignore b/lib/public_key/doc/man3/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/lib/public_key/doc/man3/.gitignore
diff --git a/lib/public_key/doc/pdf/.gitignore b/lib/public_key/doc/pdf/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/lib/public_key/doc/pdf/.gitignore
diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile
new file mode 100644
index 0000000000..08d1396cca
--- /dev/null
+++ b/lib/public_key/doc/src/Makefile
@@ -0,0 +1,227 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+#
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Application version
+# ----------------------------------------------------
+include ../../vsn.mk
+VSN=$(PUBLIC_KEY_VSN)
+APPLICATION=public_key
+
+# ----------------------------------------------------
+# Include dependency
+# ----------------------------------------------------
+
+ifndef DOCSUPPORT
+include make.dep
+endif
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/lib/$(APPLICATION)-$(VSN)
+# ----------------------------------------------------
+# Target Specs
+# ----------------------------------------------------
+XML_APPLICATION_FILES = ref_man.xml
+XML_REF3_FILES = public_key.xml
+XML_REF6_FILES =
+
+XML_PART_FILES = part.xml part_notes.xml
+XML_CHAPTER_FILES = \
+ introduction.xml \
+ public_key_records.xml \
+ cert_records.xml \
+ notes.xml
+
+BOOK_FILES = book.xml
+
+GIF_FILES = note.gif
+
+# ----------------------------------------------------
+
+TOP_HTML_FILES =
+
+HTML_FILES = $(XML_APPLICATION_FILES:%.xml=$(HTMLDIR)/%.html) \
+ $(XML_PART_FILES:%.xml=$(HTMLDIR)/%.html)
+
+INFO_FILE = ../../info
+
+EXTRA_FILES = \
+ $(DEFAULT_GIF_FILES) \
+ $(DEFAULT_HTML_FILES) \
+ $(XML_REF3_FILES:%.xml=$(HTMLDIR)/%.html) \
+ $(XML_CHAPTER_FILES:%.xml=$(HTMLDIR)/%.html)
+
+MAN3_FILES = $(XML_REF3_FILES:%.xml=$(MAN3DIR)/%.3)
+
+ifdef DOCSUPPORT
+
+HTML_REF_MAN_FILE = $(HTMLDIR)/index.html
+
+TOP_PDF_FILE = $(PDFDIR)/$(APPLICATION)-$(VSN).pdf
+
+else
+
+TEX_FILES_BOOK = \
+ $(BOOK_FILES:%.xml=%.tex)
+TEX_FILES_REF_MAN = $(XML_REF3_FILES:%.xml=%.tex) \
+ $(XML_APPLICATION_FILES:%.xml=%.tex)
+TEX_FILES_USERS_GUIDE = \
+ $(XML_PART_FILES:%.xml=%.tex) \
+ $(XML_CHAPTER_FILES:%.xml=%.tex)
+
+TOP_PDF_FILE = public_key-$(VSN).pdf
+TOP_PS_FILE = public_key-$(VSN).ps
+
+$(TOP_PDF_FILE): book.dvi ../../vsn.mk
+ $(DVI2PS) $(DVIPS_FLAGS) -f $< | $(DISTILL) $(DISTILL_FLAGS) > $@
+
+$(TOP_PS_FILE): book.dvi ../../vsn.mk
+ $(DVI2PS) $(DVIPS_FLAGS) -f $< > $@
+
+endif
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+XML_FLAGS +=
+DVIPS_FLAGS +=
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+$(HTMLDIR)/%.gif: %.gif
+ $(INSTALL_DATA) $< $@
+
+ifdef DOCSUPPORT
+
+docs: pdf html man
+
+$(TOP_PDF_FILE): $(XML_FILES)
+
+pdf: $(TOP_PDF_FILE)
+
+html: gifs $(HTML_REF_MAN_FILE)
+
+clean clean_docs:
+ rm -rf $(HTMLDIR)/*
+ rm -f $(MAN3DIR)/*
+ rm -f $(TOP_PDF_FILE) $(TOP_PDF_FILE:%.pdf=%.fo)
+ rm -f errs core *~
+
+else
+
+ifeq ($(DOCTYPE),pdf)
+docs: pdf
+else
+ifeq ($(DOCTYPE),ps)
+docs: ps
+else
+docs: html gifs man
+endif
+endif
+
+pdf: $(TOP_PDF_FILE)
+
+ps: $(TOP_PS_FILE)
+
+html: $(HTML_FILES)
+
+clean clean_docs clean_tex:
+ rm -f $(TEX_FILES_USERS_GUIDE) $(TEX_FILES_REF_MAN) $(TEX_FILES_BOOK)
+ rm -f $(HTML_FILES) $(MAN3_FILES)
+ rm -f $(TOP_PDF_FILE) $(TOP_PS_FILE)
+ rm -f errs core *~ min_head.gif \
+ $(LATEX_CLEAN)
+
+endif
+
+man: $(MAN3_FILES)
+
+gifs: $(GIF_FILES:%=$(HTMLDIR)/%)
+
+debug opt:
+
+
+# ----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+ifdef DOCSUPPORT
+
+release_docs_spec: docs
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/pdf
+ $(INSTALL_DATA) $(TOP_PDF_FILE) $(RELSYSDIR)/doc/pdf
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(HTMLDIR)/* \
+ $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(INFO_FILE) $(RELSYSDIR)
+ $(INSTALL_DIR) $(RELEASE_PATH)/man/man3
+ $(INSTALL_DATA) $(MAN3DIR)/* $(RELEASE_PATH)/man/man3
+else
+
+ifeq ($(DOCTYPE),pdf)
+release_docs_spec: pdf
+ $(INSTALL_DIR) $(RELEASE_PATH)/pdf
+ $(INSTALL_DATA) $(TOP_PDF_FILE) $(RELEASE_PATH)/pdf
+else
+ifeq ($(DOCTYPE),ps)
+release_docs_spec: ps
+ $(INSTALL_DIR) $(RELEASE_PATH)/ps
+ $(INSTALL_DATA) $(TOP_PS_FILE) $(RELEASE_PATH)/ps
+else
+release_docs_spec: docs
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(GIF_FILES) $(EXTRA_FILES) $(HTML_FILES) \
+ $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(INFO_FILE) $(RELSYSDIR)
+ $(INSTALL_DIR) $(RELEASE_PATH)/man/man3
+ $(INSTALL_DATA) $(MAN3_FILES) $(RELEASE_PATH)/man/man3
+endif
+endif
+
+endif
+
+release_spec:
+
+info:
+ @echo "GIF_FILES:\n$(GIF_FILES)"
+ @echo ""
+ @echo "EXTRA_FILES:\n$(EXTRA_FILES)"
+ @echo ""
+ @echo "HTML_FILES:\n$(HTML_FILES)"
+ @echo ""
+ @echo "TOP_HTML_FILES:\n$(TOP_HTML_FILES)"
+ @echo ""
+ @echo "DEFAULT_GIF_FILES:\n$(DEFAULT_GIF_FILES)"
+ @echo ""
+ @echo "DEFAULT_HTML_FILES:\n$(DEFAULT_HTML_FILES)"
+ @echo ""
+ @echo "XML_REF3_FILES:\n$(XML_REF3_FILES)"
+ @echo ""
+ @echo "XML_REF6_FILES:\n$(XML_REF6_FILES)"
+ @echo ""
+ @echo "XML_CHAPTER_FILES:\n$(XML_CHAPTER_FILES)"
+ @echo ""
diff --git a/lib/public_key/doc/src/book.xml b/lib/public_key/doc/src/book.xml
new file mode 100644
index 0000000000..d3b8c7a2c7
--- /dev/null
+++ b/lib/public_key/doc/src/book.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE book SYSTEM "book.dtd">
+
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+ <header titlestyle="normal">
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <docno></docno>
+ <date>2008-01-22</date>
+ <rev></rev>
+ <file>book.sgml</file>
+ </header>
+ <insidecover>
+ </insidecover>
+ <pagetext>public_key</pagetext>
+ <preamble>
+ <contents level="2"></contents>
+ </preamble>
+ <parts lift="no">
+ <xi:include href="part.xml"/>
+ </parts>
+ <applications>
+ <xi:include href="ref_man.xml"/>
+ </applications>
+ <releasenotes>
+ <xi:include href="notes.xml"/>
+ </releasenotes>
+ <listofterms></listofterms>
+ <index></index>
+</book>
+
diff --git a/lib/public_key/doc/src/cert_records.xml b/lib/public_key/doc/src/cert_records.xml
new file mode 100644
index 0000000000..8fb4ea5fd0
--- /dev/null
+++ b/lib/public_key/doc/src/cert_records.xml
@@ -0,0 +1,612 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>Certificate records</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <responsible></responsible>
+ <docno></docno>
+ <approved></approved>
+ <checked></checked>
+ <date>2008-02-06</date>
+ <rev>A</rev>
+ <file>cert_records.xml</file>
+ </header>
+
+ <p>This chapter briefly describes erlang records derived from asn1
+ specifications used to handle X509 certificates. The intent is to
+ describe the data types and not to specify the meaning of each
+ component for this we refer you to RFC 3280.
+ </p>
+
+ <p>Use the following include directive to get access to the
+ records and constant macros described in the following sections.</p>
+
+ <code> -include_lib("public_key/include/public_key.hrl"). </code>
+
+ <section>
+ <title>Common Data Types</title>
+
+ <p>Common non standard erlang
+ data types used to described the record fields in the
+ below sections are defined in <seealso
+ marker="public_key">public key reference manual </seealso> or
+ follows here.</p>
+
+ <p><c>time() = uct_time() | general_time()</c></p>
+
+ <p><c>uct_time() = {utcTime, "YYMMDDHHMMSSZ"} </c></p>
+
+ <p><c>general_time() = {generalTime, "YYYYMMDDHHMMSSZ"} </c></p>
+
+ <p><c>
+ general_name() = {rfc822Name, string()} | {dNSName, string()}
+ | {x400Address, string()} | {directoryName,
+ {rdnSequence, [#AttributeTypeAndValue'{}]}} |
+ | {eidPartyName, special_string()}
+ | {eidPartyName, special_string(), special_string()}
+ | {uniformResourceIdentifier, string()} | {ipAddress, string()} |
+ {registeredId, oid()} | {otherName, term()}
+ </c></p>
+
+ <p><c>
+ special_string() =
+ {teletexString, string()} | {printableString, string()} |
+ {universalString, string()} | {utf8String, string()} |
+ {bmpString, string()}
+ </c></p>
+
+ <p><c>
+ dist_reason() = unused | keyCompromise | cACompromise |
+ affiliationChanged | superseded | cessationOfOperation |
+ certificateHold | privilegeWithdrawn |
+ aACompromise
+ </c></p>
+ </section>
+
+ <section>
+ <title> PKIX Certificates</title>
+<code>
+#'Certificate'{
+ tbsCertificate, % #'TBSCertificate'{}
+ signatureAlgorithm, % #'AlgorithmIdentifier'{}
+ signature % {0, binary()} - asn1 compact bitstring
+ }.
+
+#'TBSCertificate'{
+ version, % v1 | v2 | v3
+ serialNumber, % integer()
+ signature, % #'AlgorithmIdentifier'{}
+ issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]}
+ validity, % #'Validity'{}
+ subject, % {rdnSequence, [#AttributeTypeAndValue'{}]}
+ subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{}
+ issuerUniqueID, % binary() | asn1_novalue
+ subjectUniqueID, % binary() | asn1_novalue
+ extensions % [#'Extension'{}]
+ }.
+
+#'AlgorithmIdentifier'{
+ algorithm, % oid()
+ parameters % asn1_der_encoded()
+ }.
+#'SignatureAlgorithm'{
+ algorithm, % id_signature_algorithm()
+ parameters % public_key_params()
+ }.
+</code>
+
+<p><c> id_signature_algorithm() = ?oid_name_as_erlang_atom</c> for available
+oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
+<table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-dsa-with-sha1</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">md2WithRSAEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">md5WithRSAEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">sha1WithRSAEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ </row>
+ <tcaption>Signature algorithm oids </tcaption>
+</table>
+
+<code>
+#'AttributeTypeAndValue'{
+ type, % id_attributes()
+ value % term()
+ }.
+</code>
+
+<p><c>id_attributes() = ?oid_name_as_erlang_atom</c>
+for available oid names see table below. Ex: ?'id-at-name'</p>
+<table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ <cell align="left" valign="middle">Value type</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-name</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-surname</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-givenName</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-initials </cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-generationQualifier</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-commonName</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-localityName</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-stateOrProvinceName</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-organizationName</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-title</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-dnQualifier</cell>
+ <cell align="left" valign="middle">{printableString, string()}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-countryName</cell>
+ <cell align="left" valign="middle">{printableString, string()}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-serialNumber</cell>
+ <cell align="left" valign="middle">{printableString, string()}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-at-pseudonym</cell>
+ <cell align="left" valign="middle">special_string()</cell>
+ </row>
+ <tcaption>Attribute oids </tcaption>
+</table>
+
+<code>
+#'Validity'{
+ notBefore, % time()
+ notAfter % time()
+ }.
+
+#'SubjectPublicKeyInfo'{
+ algorithm, % #AlgorithmIdentifier{}
+ subjectPublicKey % binary()
+ }.
+
+#'SubjectPublicKeyInfoAlgorithm'{
+ algorithm, % id_public_key_algorithm()
+ parameters % public_key_params()
+ }.
+</code>
+
+<p><c> id_public_key_algorithm() = ?oid_name_as_erlang_atom</c> for available
+oid names see table below. Ex: ?'id-dsa'</p>
+<table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">rsaEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-dsa</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">dhpublicnumber</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-keyExchangeAlgorithm</cell>
+ </row>
+ <tcaption>Public key algorithm oids </tcaption>
+</table>
+
+
+<code>
+#'Extension'{
+ extnID, % id_extensions() | oid()
+ critical, % boolean()
+ extnValue % asn1_der_encoded()
+ }.
+</code>
+
+<p><c>id_extensions() = ?oid_name_as_erlang_atom</c> for
+available oid names see tables. Ex: ?'id-ce-authorityKeyIdentifier'<seealso
+marker="#StdCertExt">Standard Certificate Extensions</seealso>,
+ <seealso
+ marker="#PrivIntExt">Private Internet Extensions</seealso>, <seealso
+ marker="#CRLCertExt">CRL Extensions</seealso> and
+ <seealso
+ marker="#CRLEntryExt">CRL Entry Extensions</seealso>.
+</p>
+
+</section>
+
+<section>
+ <marker id="StdCertExt"></marker>
+ <title>Standard certificate extensions</title>
+
+ <table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ <cell align="left" valign="middle">Value type</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-authorityKeyIdentifier</cell>
+ <cell align="left" valign="middle">#'AuthorityKeyIdentifier'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-subjectKeyIdentifier</cell>
+ <cell align="left" valign="middle">oid()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-keyUsage</cell>
+ <cell align="left" valign="middle"> [key_usage()]</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-privateKeyUsagePeriod</cell>
+ <cell align="left" valign="middle">#'PrivateKeyUsagePeriod'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-certificatePolicies</cell>
+ <cell align="left" valign="middle">#'PolicyInformation'{}</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-policyMappings</cell>
+ <cell align="left" valign="middle">#'PolicyMappings_SEQOF'{}</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-subjectAltName</cell>
+ <cell align="left" valign="middle">general_name()</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-issuerAltName</cell>
+ <cell align="left" valign="middle">general_name()</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-subjectDirectoryAttributes</cell>
+ <cell align="left" valign="middle"> [#'Attribute'{}]</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-basicConstraints</cell>
+ <cell align="left" valign="middle">#'BasicConstraints'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-nameConstraints</cell>
+ <cell align="left" valign="middle">#'NameConstraints'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-policyConstraints</cell>
+ <cell align="left" valign="middle">#'PolicyConstraints'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-extKeyUsage</cell>
+ <cell align="left" valign="middle">[id_key_purpose()]</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-cRLDistributionPoints</cell>
+ <cell align="left" valign="middle">#'DistributionPoint'{}</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-inhibitAnyPolicy</cell>
+ <cell align="left" valign="middle">integer()</cell>
+ </row>
+
+ <row>
+ <cell align="left" valign="middle">id-ce-freshestCRL</cell>
+ <cell align="left" valign="middle">[#'DistributionPoint'{}]</cell>
+ </row>
+
+
+ <tcaption>Standard Certificate Extensions</tcaption>
+ </table>
+
+ <p><c>
+ key_usage() = digitalSignature | nonRepudiation | keyEncipherment|
+ dataEncipherment | keyAgreement | keyCertSign | cRLSign | encipherOnly |
+ decipherOnly
+ </c></p>
+
+ <p><c> id_key_purpose() = ?oid_name_as_erlang_atom</c> for available
+oid names see table below. Ex: ?'id-kp-serverAuth'</p>
+
+<table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-serverAuth</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-clientAuth</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-codeSigning</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-emailProtection</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-timeStamping</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-kp-OCSPSigning</cell>
+ </row>
+ <tcaption>Key purpose oids </tcaption>
+</table>
+
+ <code>
+#'AuthorityKeyIdentifier'{
+ keyIdentifier, % oid()
+ authorityCertIssuer, % general_name()
+ authorityCertSerialNumber % integer()
+ }.
+
+#'PrivateKeyUsagePeriod'{
+ notBefore, % general_time()
+ notAfter % general_time()
+ }.
+
+#'PolicyInformation'{
+ policyIdentifier, % oid()
+ policyQualifiers % [#PolicyQualifierInfo{}]
+ }.
+
+#'PolicyQualifierInfo'{
+ policyQualifierId, % oid()
+ qualifier % string() | #'UserNotice'{}
+ }.
+
+#'UserNotice'{
+ noticeRef, % #'NoticeReference'{}
+ explicitText % string()
+ }.
+
+#'NoticeReference'{
+ organization, % string()
+ noticeNumbers % [integer()]
+ }.
+
+#'PolicyMappings_SEQOF'{
+ issuerDomainPolicy, % oid()
+ subjectDomainPolicy % oid()
+ }.
+
+#'Attribute'{
+ type, % oid()
+ values % [asn1_der_encoded()]
+ }).
+
+#'BasicConstraints'{
+ cA, % boolean()
+ pathLenConstraint % integer()
+ }).
+
+#'NameConstraints'{
+ permittedSubtrees, % [#'GeneralSubtree'{}]
+ excludedSubtrees % [#'GeneralSubtree'{}]
+ }).
+
+#'GeneralSubtree'{
+ base, % general_name()
+ minimum, % integer()
+ maximum % integer()
+ }).
+
+#'PolicyConstraints'{
+ requireExplicitPolicy, % integer()
+ inhibitPolicyMapping % integer()
+ }).
+
+#'DistributionPoint'{
+ distributionPoint, % general_name() | [#AttributeTypeAndValue{}]
+ reasons, % [dist_reason()]
+ cRLIssuer % general_name()
+ }).
+</code>
+
+</section>
+
+ <section>
+ <marker id="PrivIntExt"></marker>
+ <title>Private Internet Extensions</title>
+
+ <table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ <cell align="left" valign="middle">Value type</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-pe-authorityInfoAccess</cell>
+ <cell align="left" valign="middle">[#'AccessDescription'{}]</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-pe-subjectInfoAccess</cell>
+ <cell align="left" valign="middle">[#'AccessDescription'{}]</cell>
+ </row>
+ <tcaption>Private Internet Extensions</tcaption>
+ </table>
+
+<code>
+#'AccessDescription'{
+ accessMethod, % oid()
+ accessLocation % general_name()
+ }).
+</code>
+
+ </section>
+
+<section>
+ <title> CRL and CRL Extensions Profile</title>
+
+ <code>
+#'CertificateList'{
+ tbsCertList, % #'TBSCertList{}
+ signatureAlgorithm, % #'AlgorithmIdentifier'{}
+ signature % {0, binary()} - asn1 compact bitstring
+ }).
+
+#'TBSCertList'{
+ version, % v2 (if defined)
+ signature, % #AlgorithmIdentifier{}
+ issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]}
+ thisUpdate, % time()
+ nextUpdate, % time()
+ revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}]
+ crlExtensions % [#'Extension'{}]
+ }).
+
+#'TBSCertList_revokedCertificates_SEQOF'{
+ userCertificate, % integer()
+ revocationDate, % timer()
+ crlEntryExtensions % [#'Extension'{}]
+ }).
+ </code>
+
+ <section>
+ <marker id="CRLCertExt"></marker>
+ <title>CRL Extensions </title>
+
+ <table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ <cell align="left" valign="middle">Value type</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-authorityKeyIdentifier</cell>
+ <cell align="left" valign="middle">#'AuthorityKeyIdentifier{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-issuerAltName</cell>
+ <cell align="left" valign="middle">{rdnSequence, [#AttributeTypeAndValue'{}]}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-cRLNumber</cell>
+ <cell align="left" valign="middle">integer()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-deltaCRLIndicator</cell>
+ <cell align="left" valign="middle">integer()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-issuingDistributionPoint</cell>
+ <cell align="left" valign="middle">#'IssuingDistributionPoint'{}</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-freshestCRL</cell>
+ <cell align="left" valign="middle">[#'Distributionpoint'{}]</cell>
+ </row>
+
+ <tcaption>CRL Extensions</tcaption>
+ </table>
+
+ <code>
+#'IssuingDistributionPoint'{
+ distributionPoint, % general_name() | [#AttributeTypeAndValue'{}]
+ onlyContainsUserCerts, % boolean()
+ onlyContainsCACerts, % boolean()
+ onlySomeReasons, % [dist_reason()]
+ indirectCRL, % boolean()
+ onlyContainsAttributeCerts % boolean()
+ }).
+ </code>
+ </section>
+
+ <section>
+ <marker id="CRLEntryExt"></marker>
+ <title> CRL Entry Extensions </title>
+
+ <table>
+ <row>
+ <cell align="left" valign="middle">OID name</cell>
+ <cell align="left" valign="middle">Value type</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-cRLReason</cell>
+ <cell align="left" valign="middle">crl_reason()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-holdInstructionCode</cell>
+ <cell align="left" valign="middle">oid()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-invalidityDate</cell>
+ <cell align="left" valign="middle">general_time()</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">id-ce-certificateIssuer</cell>
+ <cell align="left" valign="middle">general_name()</cell>
+ </row>
+ <tcaption>CRL Entry Extensions</tcaption>
+ </table>
+ <p><c>
+ crl_reason() = unspecified | keyCompromise | cACompromise |
+ affiliationChanged | superseded | cessationOfOperation |
+ certificateHold | removeFromCRL | privilegeWithdrawn |
+ aACompromise
+ </c></p>
+ </section>
+
+</section>
+</chapter>
diff --git a/lib/public_key/doc/src/fascicules.xml b/lib/public_key/doc/src/fascicules.xml
new file mode 100644
index 0000000000..5f41826c56
--- /dev/null
+++ b/lib/public_key/doc/src/fascicules.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE fascicules SYSTEM "fascicules.dtd">
+
+<fascicules>
+ <fascicule file="usersguide" href="part_frame.html" entry="no">
+ User's Guide
+ </fascicule>
+ <fascicule file="ref_man" href="ref_man_frame.html" entry="yes">
+ Reference Manual
+ </fascicule>
+ <fascicule file="release_notes" href="part_notes_frame.html" entry="no">
+ Release Notes
+ </fascicule>
+ <fascicule file="" href="../../../../doc/print.html" entry="no">
+ Off-Print
+ </fascicule>
+</fascicules>
+
+
diff --git a/lib/public_key/doc/src/introduction.xml b/lib/public_key/doc/src/introduction.xml
new file mode 100644
index 0000000000..71488e435a
--- /dev/null
+++ b/lib/public_key/doc/src/introduction.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>Introduction</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <responsible></responsible>
+ <docno></docno>
+ <approved></approved>
+ <checked></checked>
+ <date>2008-01-22</date>
+ <rev>A</rev>
+ <file>introduction.xml</file>
+ </header>
+
+ <section>
+ <title>Purpose</title>
+ <p> This application provides an API to public key infrastructure
+ from RFC 3280 (X.509 certificates) and public key formats defined
+ by the PKCS-standard.</p>
+ </section>
+
+ <section>
+ <title>Prerequisites</title>
+ <p>It is assumed that the reader is familiar with the Erlang
+ programming language, concepts of OTP and has a basic understanding
+ of the concepts of using public keys.</p>
+ </section>
+
+</chapter>
+
diff --git a/lib/public_key/doc/src/make.dep b/lib/public_key/doc/src/make.dep
new file mode 100644
index 0000000000..2675556f1b
--- /dev/null
+++ b/lib/public_key/doc/src/make.dep
@@ -0,0 +1,21 @@
+# ----------------------------------------------------
+# >>>> Do not edit this file <<<<
+# This file was automaticly generated by
+# /home/otp/bin/docdepend
+# ----------------------------------------------------
+
+
+# ----------------------------------------------------
+# TeX files that the DVI file depend on
+# ----------------------------------------------------
+
+book.dvi: book.tex cert_records.tex introduction.tex \
+ part.tex public_key.tex public_key_records.tex \
+ ref_man.tex
+
+# ----------------------------------------------------
+# Source inlined when transforming from source to LaTeX
+# ----------------------------------------------------
+
+book.tex: ref_man.xml
+
diff --git a/lib/public_key/doc/src/note.gif b/lib/public_key/doc/src/note.gif
new file mode 100644
index 0000000000..6fffe30419
--- /dev/null
+++ b/lib/public_key/doc/src/note.gif
Binary files differ
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
new file mode 100644
index 0000000000..822f8bdb66
--- /dev/null
+++ b/lib/public_key/doc/src/notes.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key Release Notes</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <responsible>Ingela Anderton Andin</responsible>
+ <docno></docno>
+ <approved></approved>
+ <checked></checked>
+ <date>2008-01-22</date>
+ <rev>A</rev>
+ <file>notes.xml</file>
+ </header>
+
+
+ <section><title>Public_Key 0.4</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The documentation is now built with open source tools
+ (xsltproc and fop) that exists on most platforms. One
+ visible change is that the frames are removed.</p>
+ <p>
+ Own Id: OTP-8250</p>
+ </item>
+ </list>
+ </section>
+
+ </section>
+
+ <section><title>Public_Key 0.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Unknown attributes in certificates are left encoded
+ instead of crashing. Patch by Will "wglozer" thanks.</p>
+ <p>
+ Own Id: OTP-8100</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Allow public_key:pem_to_der/[1,2] to take a binary as
+ argument in addition to a filename. Patch by Geoff Cant,
+ thanks.</p>
+ <p>
+ Own Id: OTP-8142</p>
+ </item>
+ </list>
+ </section>
+
+ </section>
+
+<section><title>Public_Key 0.2</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ X509 certificate handling has been extended and improved
+ as a result of more extensive testing of both the ssl
+ and public_key application. Even more extensions of the
+ certificate handling is yet to be implemented.</p>
+ <p>
+ Own Id: OTP-7860</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Public_Key 0.1</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ First version.</p>
+ <p>
+ Own Id: OTP-7637</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+
+</chapter>
+
diff --git a/lib/public_key/doc/src/part.xml b/lib/public_key/doc/src/part.xml
new file mode 100644
index 0000000000..b85fa063ce
--- /dev/null
+++ b/lib/public_key/doc/src/part.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE part SYSTEM "part.dtd">
+
+<part xmlns:xi="http://www.w3.org/2001/XInclude">
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key User's Guide</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <docno></docno>
+ <date>2008-01-22</date>
+ <rev></rev>
+ <file>part.xml</file>
+ </header>
+ <description>
+ <p> This application provides an API to public key infrastructure
+ from RFC 3280 (X.509 certificates) and some public key formats defined
+ by the PKCS-standard. </p>
+ </description>
+ <xi:include href="introduction.xml"/>
+ <xi:include href="public_key_records.xml"/>
+ <xi:include href="cert_records.xml"/>
+</part>
+
diff --git a/lib/public_key/doc/src/part_notes.xml b/lib/public_key/doc/src/part_notes.xml
new file mode 100644
index 0000000000..37ca516bc8
--- /dev/null
+++ b/lib/public_key/doc/src/part_notes.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE part SYSTEM "part.dtd">
+
+<part xmlns:xi="http://www.w3.org/2001/XInclude">
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key Release Notes</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <docno></docno>
+ <date>2008-01-22</date>
+ <rev></rev>
+ </header>
+ <description>
+ <p></p>
+ </description>
+ <xi:include href="notes.xml"/>
+</part>
+
+
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
new file mode 100644
index 0000000000..dc9a96906f
--- /dev/null
+++ b/lib/public_key/doc/src/public_key.xml
@@ -0,0 +1,317 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE erlref SYSTEM "erlref.dtd">
+
+<erlref>
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <responsible></responsible>
+ <docno></docno>
+ <date></date>
+ <rev></rev>
+ </header>
+ <module>public_key</module>
+ <modulesummary> API module for public key infrastructure.</modulesummary>
+ <description>
+ <p>This module provides functions to handle public key infrastructure
+ from RFC 3280 - X.509 certificates (will later be upgraded to RFC 5280)
+ and some parts of the PKCS-standard.
+ Currently this application is mainly used by the new
+ ssl implementation. The API is yet under construction
+ and only a few of the functions are currently documented and thereby supported.
+ </p>
+ </description>
+
+ <section>
+ <title>COMMON DATA TYPES </title>
+
+ <note><p>All records used in this manual
+ <!-- except #policy_tree_node{} -->
+ are generated from asn1 specifications
+ and are documented in the User's Guide. See <seealso
+ marker="public_key_records">Public key records</seealso> and <seealso
+ marker="cert_records">X.509 Certificate records</seealso>.
+ </p></note>
+
+ <p>Use the following include directive to get access to the
+ records and constant macros described here and in the User's Guide.</p>
+
+ <code> -include_lib("public_key/include/public_key.hrl"). </code>
+
+ <p><em>Data Types </em></p>
+
+ <p><c>boolean() = true | false</c></p>
+
+ <p><c>string = [bytes()]</c></p>
+
+ <p><c>asn1_der_encoded() = binary() | [bytes()]</c></p>
+
+ <p><c>der_bin() = binary() </c></p>
+
+ <p><c>oid() - a tuple of integers
+ as generated by the asn1 compiler.</c></p>
+
+ <p><c>public_key() = rsa_public_key() | dsa_public_key()</c></p>
+
+ <p><c>rsa_public_key() = #'RSAPublicKey'{}</c></p>
+
+ <p><c>rsa_private_key() = #'RSAPrivateKey'{} </c></p>
+
+ <p><c>dsa_public_key() = integer() </c></p>
+
+ <p><c>public_key_params() = dsa_key_params() </c></p>
+
+ <p><c>dsa_key_params() = #'Dss-Parms'{} </c></p>
+
+ <p><c>private_key() = rsa_private_key() | dsa_private_key()</c></p>
+
+ <p><c>rsa_private_key() = #'RSAPrivateKey'{} </c></p>
+
+ <p><c>dsa_private_key() = #'DSAPrivateKey'{}</c></p>
+
+ <p><c>x509_certificate() = "#Certificate{}"</c></p>
+
+ <p><c>x509_tbs_certificate() = #'TBSCertificate'{} </c></p>
+
+<!-- <p><c>policy_tree() = [Root, Children]</c></p> -->
+
+<!-- <p><c>Root = #policy_tree_node{}</c></p> -->
+
+<!-- <p><c>Children = [] | policy_tree()</c></p> -->
+
+<!-- <p> The policy_tree_node record has the following fields:</p> -->
+
+<!-- <taglist> -->
+
+<!-- <tag>valid_policy</tag> -->
+<!-- <item> Is a single policy OID representing a -->
+<!-- valid policy for the path of length x.</item> -->
+
+<!-- <tag>qualifier_set</tag> -->
+<!-- <item>A set of policy qualifiers associated -->
+<!-- with the valid policy in certificate x.</item> -->
+
+<!-- <tag>critically_indicator</tag> -->
+<!-- <item>The critically_indicator indicates whether the -->
+<!-- certificate policy extension in certificate x was marked as -->
+<!-- critical. </item> -->
+
+<!-- <tag>expected_policy_set</tag> -->
+<!-- <item>The expected_policy_set contains one or more policy OIDs -->
+<!-- that would satisfy this policy in the certificate x+1. </item> -->
+<!-- </taglist> -->
+ </section>
+
+<funcs>
+ <func>
+ <name>decode_private_key(KeyInfo) -> </name>
+ <name>decode_private_key(KeyInfo, Password) -> {ok, PrivateKey} | {error, Reason}</name>
+ <fsummary> Decodes an asn1 der encoded private key.</fsummary>
+ <type>
+ <v> KeyInfo = {KeyType, der_bin(), ChipherInfo} </v>
+ <d> As returned from pem_to_der/1 for private keys</d>
+ <v> KeyType = rsa_private_key | dsa_private_key </v>
+ <v> ChipherInfo = opaque() | no_encryption </v>
+ <d> ChipherInfo may contain encryption parameters if the private key is password
+ protected, these are opaque to the user just pass the value returned by pem_to_der/1
+ to this function.</d>
+ <v> Password = string() </v>
+ <d>Must be specified if CipherInfo =/= no_encryption</d>
+ <v> PrivateKey = private_key() </v>
+ <v> Reason = term() </v>
+ </type>
+ <desc>
+ <p>Decodes an asn1 der encoded private key.</p>
+ </desc>
+ </func>
+
+ <func>
+ <name>pem_to_der(File) -> {ok, [Entry]}</name>
+ <fsummary>Reads a PEM file and translates it into its asn1 der
+ encoded parts.</fsummary>
+ <type>
+ <v>File = path()</v>
+ <v>Password = string()</v>
+ <v>Entry = {entry_type(), der_bin(), CipherInfo}</v>
+ <v> ChipherInfo = opaque() | no_encryption </v>
+ <d> ChipherInfo may contain encryption parameters if the private key is password
+ protected, these will be handled by the function decode_private_key/2. </d>
+ <v>entry_type() = cert | cert_req | rsa_private_key | dsa_private_key |
+ dh_params </v>
+ </type>
+ <desc>
+ <p>Reads a PEM file and translates it into its asn1 der
+ encoded parts.</p>
+ </desc>
+ </func>
+
+ <func>
+ <name>pkix_decode_cert(Cert, Type) -> {ok, DecodedCert} | {error, Reason}</name>
+ <fsummary> Decodes an asn1 der encoded pkix certificate. </fsummary>
+ <type>
+ <v>Cert = asn1_der_encoded() </v>
+ <v>Type = plain | otp</v>
+ <v>DecodeCert = x509_certificate() </v>
+ <d>When type is specified as otp the asn1 spec OTP-PKIX.asn1 is used to decode known
+ extensions and enhance the signature field in
+ #'Certificate'{} and '#TBSCertificate'{}. This is currently used by the new ssl
+ implementation but not documented and supported for the public_key application.</d>
+ <v>Reason = term() </v>
+ </type>
+ <desc>
+ <p> Decodes an asn1 encoded pkix certificate.</p>
+ </desc>
+ </func>
+
+<!-- <func> -->
+<!-- <name> pkix_encode_cert(Cert) -> {ok, EncodedCert} | {error, Reason}</name> -->
+<!-- <fsummary>Encodes a certificate record using asn1. </fsummary> -->
+<!-- <type> -->
+<!-- <v>Cert = x509_certificate() </v> -->
+<!-- <v>EncodedCert = asn1_der_encoded() </v> -->
+<!-- <v>Reason = term() </v> -->
+<!-- </type> -->
+<!-- <desc> -->
+<!-- <p> Encodes a certificate record using asn1.</p> -->
+<!-- </desc> -->
+<!-- </func> -->
+
+<!-- <func> -->
+<!-- <name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, Result} | {error, Reason}</name> -->
+
+<!-- <fsummary>Performs a basic path validation according to RFC 3280</fsummary> -->
+<!-- <type> -->
+<!-- <v>TrustedCert = asn1_der_encoded()</v> -->
+<!-- <v>CertChain = [asn1_der_encoded()]</v> -->
+<!-- <v>Options = [{Option, Value}]</v> -->
+<!-- <v>Result = {{algorithm(), public_key(), -->
+<!-- public_key_params()}, policy_tree()}</v> -->
+<!-- </type> -->
+
+<!-- <desc> -->
+<!-- <p>Available options are: </p> -->
+<!-- <taglist> -->
+<!-- <tag>{validate_extension_fun, fun()}</tag> -->
+<!-- <item> A fun behaving according to the following outline: -->
+<!-- <code> -->
+<!-- [...] -->
+<!-- ValidateExtensionFun = fun(Extensions, UserState) -> -->
+<!-- validate_extensions(Extensions, UserState, []) -->
+<!-- end, -->
+<!-- [...] -->
+
+<!-- validate_extensions([], UserState, UnknowExtension) -> -->
+<!-- {UserState, UnknowExtension}; -->
+<!-- validate_extensions([#'Extension'{} = Ext | Rest], UserState, UnknowExtension) -> -->
+<!-- case valid_extension(Ext) of -->
+<!-- {true, NewUserState} -> -->
+<!-- validate_extensions(Rest, NewUserState, UnknowExtension); -->
+<!-- unknown -> -->
+<!-- validate_extensions(Rest, UserState, [Ext | UnknowExtension]); -->
+<!-- {false, Reason} -> -->
+<!-- throw(bad_cert, Reason) -->
+<!-- end. -->
+<!-- </code> -->
+
+<!-- </item> -->
+
+<!-- <tag>{policy_set, [oid()]}</tag> -->
+<!-- <item>A set of certificate policy -->
+<!-- identifiers naming the policies that are acceptable to the -->
+<!-- certificate user. If the user is not concerned about -->
+<!-- certificate policy there is no need -->
+<!-- to set this option. Defaults to the -->
+<!-- special value [?anyPolicy]. -->
+<!-- </item> -->
+
+<!-- <tag>{policy_mapping, boolean()}</tag> -->
+<!-- <item>Indicates if policy -->
+<!-- mapping, initially, is allowed in the certification path. -->
+<!-- Defaults to false. -->
+<!-- </item> -->
+
+<!-- <tag> {explicit_policy, boolean()}</tag> -->
+<!-- <item>Indicates if the path, initially, must be -->
+<!-- valid for at least one of the certificate policies in the user -->
+<!-- specified policy set. -->
+<!-- Defaults to false. -->
+<!-- </item> -->
+
+<!-- <tag>{inhibit_any_policy, boolean()}</tag> -->
+<!-- <item>Indicates whether the anyPolicy OID, initially, should -->
+<!-- be processed if it is included in a certificate. -->
+<!-- Defaults to false. -->
+<!-- </item> -->
+
+<!-- </taglist> -->
+
+<!-- <p>Performs a basic path validation according to RFC 3280, -->
+<!-- e.i. signature validation, time validation, issuer validation, -->
+<!-- alternative subject name validation, CRL validation, policy -->
+<!-- validation and checks that no unknown extensions -->
+<!-- are marked as critical. The option <c>validate_extension_fun</c> -->
+<!-- may be used to validate application specific extensions. If -->
+<!-- a validation criteria is found to be invalid the validation process -->
+<!-- will immediately be stopped and this functions will return -->
+<!-- {error, Reason}. -->
+<!-- </p> -->
+<!-- </desc> -->
+<!-- </func> -->
+
+<!-- <func> -->
+<!-- <name>sign(DigestOrTBSCert, Key) -> </name> -->
+<!-- <name>sign(DigestOrTBSCert, Key, KeyParams) -> {ok, SignatureOrDerCert} | {error, Reason}</name> -->
+<!-- <fsummary>Signs Digest/Certificate using Key.</fsummary> -->
+<!-- <type> -->
+<!-- <v>DigestOrTBSCert = binary() | x509_tbs_certificate()</v> -->
+<!-- <v>Key = private_key()</v> -->
+<!-- <v>SignatureORDerCert = binary() | der_bin() </v> -->
+<!-- <v>Reason = term() </v> -->
+<!-- </type> -->
+<!-- <desc> -->
+<!-- <p> Signs Digest/Certificate using Key, in the later -->
+<!-- case a der encoded x509_certificate() will be returned. </p> -->
+<!-- </desc> -->
+<!-- </func> -->
+
+<!-- <func> -->
+<!-- <name>verify_signature(Digest, Signature, Key) -> </name> -->
+<!-- <name>verify_signature(DerCert, Key, KeyParams) -> </name> -->
+<!-- <name>verify_signature(Digest, Signature, Key, Params) -> Verified </name> -->
+<!-- <fsummary> Verifies the signature. </fsummary> -->
+<!-- <type> -->
+<!-- <v>Digest = binary() </v> -->
+<!-- <v>DerCert = der_bin() </v> -->
+<!-- <v>Signature = binary() </v> -->
+<!-- <v>Key = public_key() </v> -->
+<!-- <v>Params = key_params()</v> -->
+<!-- <v>Verified = boolean()</v> -->
+<!-- </type> -->
+<!-- <desc> -->
+<!-- <p> Verifies the signature Signature. If the key is an rsa-key no -->
+<!-- paramters are neeed.</p> -->
+<!-- </desc> -->
+<!-- </func> -->
+</funcs>
+
+</erlref>
diff --git a/lib/public_key/doc/src/public_key_records.xml b/lib/public_key/doc/src/public_key_records.xml
new file mode 100644
index 0000000000..45b7106859
--- /dev/null
+++ b/lib/public_key/doc/src/public_key_records.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE chapter SYSTEM "chapter.dtd">
+
+<chapter>
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>Public key records</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <responsible></responsible>
+ <docno></docno>
+ <approved></approved>
+ <checked></checked>
+ <date>2008-02-06</date>
+ <rev>A</rev>
+ <file>public_key_records.xml</file>
+ </header>
+
+ <p>This chapter briefly describes Erlang records derived from asn1
+ specifications used to handle public and private keys. The intent
+ is to describe the data types and not to specify the meaning of
+ each component for this we refer you to the relevant standards and RFCs.</p>
+
+ <p>Use the following include directive to get access to the
+ records and constant macros used in the following sections.</p>
+
+ <code> -include_lib("public_key/include/public_key.hrl"). </code>
+
+ <section>
+ <title>RSA as defined by the PKCS-1 standard and RFC 3447.</title>
+
+ <code>
+#'RSAPublicKey'{
+ modulus, % integer()
+ publicExponent % integer()
+ }.
+
+#'RSAPrivateKey'{
+ version, % two-prime | multi
+ modulus, % integer()
+ publicExponent, % integer()
+ privateExponent, % integer()
+ prime1, % integer()
+ prime2, % integer()
+ exponent1, % integer()
+ exponent2, % integer()
+ coefficient, % integer()
+ otherPrimeInfos % [#OtherPrimeInfo{}] | asn1_NOVALUE
+ }.
+
+#'OtherPrimeInfo'{
+ prime, % integer()
+ exponent, % integer()
+ coefficient % integer()
+ }.
+ </code>
+
+ </section>
+
+ <section>
+ <title>DSA as defined by Digital Signature Standard (NIST FIPS PUB 186-2)
+ </title>
+
+ <code>
+#'DSAPrivateKey',{
+ version, % integer()
+ p, % integer()
+ q, % integer()
+ g, % integer()
+ y, % integer()
+ x % integer()
+ }.
+
+#'Dss-Parms',{
+ p, % integer()
+ q, % integer()
+ g % integer()
+ }.
+ </code>
+ </section>
+</chapter>
diff --git a/lib/public_key/doc/src/ref_man.xml b/lib/public_key/doc/src/ref_man.xml
new file mode 100644
index 0000000000..0f11281d05
--- /dev/null
+++ b/lib/public_key/doc/src/ref_man.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="latin1" ?>
+<!DOCTYPE application SYSTEM "application.dtd">
+
+<application xmlns:xi="http://www.w3.org/2001/XInclude">
+ <header>
+ <copyright>
+ <year>2008</year>
+ <year>2008</year>
+ <holder>Ericsson AB, All Rights Reserved</holder>
+ </copyright>
+ <legalnotice>
+ The contents of this file are subject to the Erlang Public License,
+ Version 1.1, (the "License"); you may not use this file except in
+ compliance with the License. You should have received a copy of the
+ Erlang Public License along with this software. If not, it can be
+ retrieved online at http://www.erlang.org/.
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ The Initial Developer of the Original Code is Ericsson AB.
+ </legalnotice>
+
+ <title>public_key Reference Manual</title>
+ <prepared>Ingela Anderton Andin</prepared>
+ <docno></docno>
+ <date>2008-01-22</date>
+ <rev></rev>
+ <file>ref_man.xml</file>
+ </header>
+ <description>
+ <p> Provides functions to handle public key infrastructure
+ from RFC 3280 (X.509 certificates) and some parts of the PKCS-standard.
+ </p>
+ </description>
+ <xi:include href="public_key.xml"/>
+</application>
+
+
+
+
diff --git a/lib/public_key/ebin/.gitignore b/lib/public_key/ebin/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/lib/public_key/ebin/.gitignore
diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
new file mode 100644
index 0000000000..fbce10f0eb
--- /dev/null
+++ b/lib/public_key/include/public_key.hrl
@@ -0,0 +1,62 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-ifndef(public_key).
+-define(public_key, true).
+
+-include("OTP-PUB-KEY.hrl").
+
+-record('SubjectPublicKeyInfoAlgorithm', {
+ algorithm,
+ parameters = asn1_NOVALUE}).
+
+-record(path_validation_state, {
+ valid_policy_tree,
+ explicit_policy,
+ inhibit_any_policy,
+ policy_mapping,
+ cert_num,
+ last_cert = false,
+ permitted_subtrees = no_constraints, %% Name constraints
+ excluded_subtrees = [], %% Name constraints
+ working_public_key_algorithm,
+ working_public_key,
+ working_public_key_parameters,
+ working_issuer_name,
+ max_path_length,
+ acc_errors, %% If verify_none option is set
+ user_state
+ }).
+
+-record(policy_tree_node, {
+ valid_policy,
+ qualifier_set,
+ criticality_indicator,
+ expected_policy_set
+ }).
+
+-record(revoke_state, {
+ reasons_mask,
+ cert_status,
+ interim_reasons_mask
+ }).
+
+-endif. % -ifdef(public_key).
diff --git a/lib/public_key/info b/lib/public_key/info
new file mode 100644
index 0000000000..0fa0248a7f
--- /dev/null
+++ b/lib/public_key/info
@@ -0,0 +1,2 @@
+group: comm
+short: API to public key infrastructure.
diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
new file mode 100644
index 0000000000..c30399f33a
--- /dev/null
+++ b/lib/public_key/src/Makefile
@@ -0,0 +1,112 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+#
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Application version
+# ----------------------------------------------------
+include ../vsn.mk
+
+VSN = $(PUBLIC_KEY_VSN)
+APP_VSN = "public_key-$(VSN)"
+
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN)
+
+# ----------------------------------------------------
+# Target Specs
+# ----------------------------------------------------
+MODULES = \
+ public_key \
+ pubkey_pem \
+ pubkey_cert \
+ pubkey_cert_records \
+ pubkey_crypto
+
+HRL_FILES = $(INCLUDE)/public_key.hrl
+
+INTERNAL_HRL_FILES =
+
+ERL_FILES = $(MODULES:%=%.erl)
+
+TARGET_FILES= $(MODULES:%=$(EBIN)/%.$(EMULATOR))
+
+APP_FILE= public_key.app
+APPUP_FILE= public_key.appup
+
+APP_SRC= $(APP_FILE).src
+APP_TARGET= $(EBIN)/$(APP_FILE)
+APPUP_SRC= $(APPUP_FILE).src
+APPUP_TARGET= $(EBIN)/$(APPUP_FILE)
+
+INCLUDE = ../include
+# ----------------------------------------------------
+# INETS FLAGS
+# ----------------------------------------------------
+PUB_KEY_FLAGS =
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+PUB_KEY_ERL_FLAGS += -I $(INCLUDE) -I ../asn1/
+
+ERL_COMPILE_FLAGS += $(PUB_KEY_ERL_FLAGS) \
+ $(PUB_KEY_FLAGS) \
+ +'{parse_transform,sys_pre_attributes}' \
+ +'{attribute,insert,app_vsn,$(APP_VSN)}'
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+
+debug opt: $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(HRL_FILES)
+
+clean:
+ rm -f $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET)
+ rm -f core
+
+docs:
+
+$(APP_TARGET): $(APP_SRC) ../vsn.mk
+ sed -e 's;%VSN%;$(VSN);' $< > $@
+
+$(APPUP_TARGET): $(APPUP_SRC) ../vsn.mk
+ sed -e 's;%VSN%;$(VSN);' $< > $@
+
+# ----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+release_spec: opt
+ $(INSTALL_DIR) $(RELSYSDIR)/src
+ $(INSTALL_DATA) $(INTERNAL_HRL_FILES) $(ERL_FILES) $(RELSYSDIR)/src
+ $(INSTALL_DIR) $(RELSYSDIR)/include
+ $(INSTALL_DATA) $(HRL_FILES) $(RELSYSDIR)/include
+ $(INSTALL_DIR) $(RELSYSDIR)/ebin
+ $(INSTALL_DATA) $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(RELSYSDIR)/ebin
+
+release_docs_spec:
+
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
new file mode 100644
index 0000000000..0ccc74799c
--- /dev/null
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -0,0 +1,988 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(pubkey_cert).
+
+-include("public_key.hrl").
+
+-export([verify_signature/3,
+ init_validation_state/3, prepare_for_next_cert/2,
+ validate_time/3, validate_signature/6,
+ validate_issuer/4, validate_names/6,
+ validate_revoked_status/3, validate_extensions/4,
+ validate_unknown_extensions/3,
+ normalize_general_name/1, digest_type/1, digest/2, is_self_signed/1,
+ is_issuer/2, issuer_id/2, is_fixed_dh_cert/1]).
+
+-define(NULL, 0).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+
+verify_signature(DerCert, Key, KeyParams) ->
+ {ok, OtpCert} = pubkey_cert_records:decode_cert(DerCert, otp),
+ verify_signature(OtpCert, DerCert, Key, KeyParams).
+
+init_validation_state(#'OTPCertificate'{} = OtpCert, DefaultPathLen,
+ Options) ->
+ PolicyTree = #policy_tree_node{valid_policy = ?anyPolicy,
+ qualifier_set = [],
+ criticality_indicator = false,
+ expected_policy_set = [?anyPolicy]},
+ MaxLen = proplists:get_value(max_path_length, Options, DefaultPathLen),
+ ExplicitPolicy = policy_indicator(MaxLen,
+ proplists:get_value(explicit_policy, Options, false)),
+ InhibitAnyPolicy = policy_indicator(MaxLen,
+ proplists:get_value(inhibit_any_policy,
+ Options, false)),
+ PolicyMapping = policy_indicator(MaxLen,
+ proplists:get_value(policy_mapping, Options, false)),
+ AccErrors = proplists:get_value(acc_errors, Options, []),
+ State = #path_validation_state{max_path_length = MaxLen,
+ valid_policy_tree = PolicyTree,
+ explicit_policy = ExplicitPolicy,
+ inhibit_any_policy = InhibitAnyPolicy,
+ policy_mapping = PolicyMapping,
+ acc_errors = AccErrors,
+ cert_num = 0},
+ prepare_for_next_cert(OtpCert, State).
+
+prepare_for_next_cert(OtpCert, ValidationState = #path_validation_state{
+ working_public_key_algorithm = PrevAlgo,
+ working_public_key_parameters =
+ PrevParams}) ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ Issuer = TBSCert#'OTPTBSCertificate'.subject,
+
+ {Algorithm, PublicKey, PublicKeyParams0} =
+ public_key_info(TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
+ ValidationState),
+ PublicKeyParams =
+ case PublicKeyParams0 of
+ 'NULL' when Algorithm =:= PrevAlgo ->
+ PrevParams;
+ asn1_NOVALUE when Algorithm =:= PrevAlgo ->
+ PrevParams;
+ _ -> PublicKeyParams0
+ end,
+
+ ValidationState#path_validation_state{
+ working_public_key_algorithm = Algorithm,
+ working_public_key = PublicKey,
+ working_public_key_parameters = PublicKeyParams,
+ working_issuer_name = Issuer,
+ cert_num = ValidationState#path_validation_state.cert_num + 1
+ }.
+
+validate_time(OtpCert, AccErr, Verify) ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ {'Validity', NotBeforeStr, NotAfterStr}
+ = TBSCert#'OTPTBSCertificate'.validity,
+ Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()),
+ NotBefore = time_str_2_gregorian_sec(NotBeforeStr),
+ NotAfter = time_str_2_gregorian_sec(NotAfterStr),
+
+ case ((NotBefore =< Now) and (Now =< NotAfter)) of
+ true ->
+ AccErr;
+ false ->
+ not_valid({bad_cert, cert_expired}, Verify, AccErr)
+ end.
+
+validate_issuer(OtpCert, Issuer, AccErr, Verify) ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ case is_issuer(Issuer, TBSCert#'OTPTBSCertificate'.issuer) of
+ true ->
+ AccErr;
+ _ ->
+ not_valid({bad_cert, invalid_issuer}, Verify, AccErr)
+ end.
+
+validate_signature(OtpCert, DerCert, Key, KeyParams,
+ AccErr, Verify) ->
+
+ case verify_signature(OtpCert, DerCert, Key, KeyParams) of
+ true ->
+ AccErr;
+ false ->
+ not_valid({bad_cert, invalid_signature}, Verify, AccErr)
+ end.
+
+validate_names(OtpCert, Permit, Exclude, Last, AccErr, Verify) ->
+ case is_self_signed(OtpCert) andalso (not Last) of
+ true ->
+ ok;
+ false ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ Subject = TBSCert#'OTPTBSCertificate'.subject,
+ AltSubject =
+ select_extension(?'id-ce-subjectAltName',
+ TBSCert#'OTPTBSCertificate'.extensions),
+
+ EmailAddress = extract_email(Subject),
+ Name = [{directoryName, Subject}|EmailAddress],
+
+ AltNames = case AltSubject of
+ undefined -> [];
+ _ -> AltSubject#'Extension'.extnValue
+ end,
+
+ case (is_permitted(Name, Permit) andalso
+ is_permitted(AltNames, Permit) andalso
+ (not is_excluded(Name, Exclude)) andalso
+ (not is_excluded(AltNames, Exclude))) of
+ true ->
+ AccErr;
+ false ->
+ not_valid({bad_cert, name_not_permitted},
+ Verify, AccErr)
+ end
+ end.
+
+
+%% See rfc3280 4.1.2.6 Subject: regarding emails.
+extract_email({rdnSequence, List}) ->
+ extract_email2(List).
+extract_email2([[#'AttributeTypeAndValue'{type=?'id-emailAddress',
+ value=Mail}]|_]) ->
+ [{rfc822Name, Mail}];
+extract_email2([_|Rest]) ->
+ extract_email2(Rest);
+extract_email2([]) -> [].
+
+validate_revoked_status(_OtpCert, _Verify, AccErr) ->
+ %% true |
+ %% throw({bad_cert, cert_revoked})
+ AccErr.
+
+validate_extensions(OtpCert, ValidationState, Verify, AccErr) ->
+ TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+ Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+ validate_extensions(Extensions, ValidationState, no_basic_constraint,
+ is_self_signed(OtpCert), [], Verify, AccErr).
+
+validate_unknown_extensions([], AccErr, _Verify) ->
+ AccErr;
+validate_unknown_extensions([#'Extension'{critical = true} | _],
+ AccErr, Verify) ->
+ not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr);
+validate_unknown_extensions([#'Extension'{critical = false} | Rest],
+ AccErr, Verify) ->
+ validate_unknown_extensions(Rest, AccErr, Verify).
+
+normalize_general_name({rdnSequence, Issuer}) ->
+ NormIssuer = normalize_general_name(Issuer),
+ {rdnSequence, NormIssuer};
+
+normalize_general_name(Issuer) ->
+ Normalize = fun([{Description, Type, {printableString, Value}}]) ->
+ NewValue = string:to_lower(strip_spaces(Value)),
+ {Description, Type, {printableString, NewValue}};
+ (Atter) ->
+ Atter
+ end,
+ lists:sort(lists:map(Normalize, Issuer)).
+
+is_self_signed(#'OTPCertificate'{tbsCertificate=
+ #'OTPTBSCertificate'{issuer = Issuer,
+ subject = Subject}}) ->
+ is_issuer(Issuer, Subject).
+
+is_issuer({rdnSequence, Issuer}, {rdnSequence, Candidate}) ->
+ is_dir_name(Issuer, Candidate, true).
+
+issuer_id(Otpcert, other) ->
+ TBSCert = Otpcert#'OTPCertificate'.tbsCertificate,
+ Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+ case select_extension(?'id-ce-authorityKeyIdentifier', Extensions) of
+ undefined ->
+ {error, issuer_not_found};
+ AuthKeyExt ->
+ cert_auth_key_id(AuthKeyExt#'Extension'.extnValue)
+ end;
+
+issuer_id(Otpcert, self) ->
+ TBSCert = Otpcert#'OTPCertificate'.tbsCertificate,
+ Issuer = TBSCert#'OTPTBSCertificate'.issuer,
+ SerialNr = TBSCert#'OTPTBSCertificate'.serialNumber,
+ {ok, {SerialNr, normalize_general_name(Issuer)}}.
+
+
+is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
+ #'OTPTBSCertificate'{subjectPublicKeyInfo =
+ SubjectPublicKeyInfo,
+ extensions =
+ Extensions}}) ->
+ is_fixed_dh_cert(SubjectPublicKeyInfo, Extensions).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+not_valid(Error, true, _) ->
+ throw(Error);
+not_valid(Error, false, AccErrors) ->
+ [Error | AccErrors].
+
+verify_signature(OtpCert, DerCert, Key, KeyParams) ->
+ %% Signature is an ASN1 compact bit string
+ {0, Signature} = OtpCert#'OTPCertificate'.signature,
+ SigAlgRec = OtpCert#'OTPCertificate'.signatureAlgorithm,
+ SigAlg = SigAlgRec#'SignatureAlgorithm'.algorithm,
+ EncTBSCert = encoded_tbs_cert(DerCert),
+ verify(SigAlg, EncTBSCert, Signature, Key, KeyParams).
+
+verify(Alg, PlainText, Signature, Key, KeyParams) ->
+ public_key:verify_signature(PlainText, digest_type(Alg),
+ Signature, Key, KeyParams).
+
+encoded_tbs_cert(Cert) ->
+ {ok, PKIXCert} =
+ 'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert),
+ {'Certificate',
+ {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
+ EncodedTBSCert.
+
+digest_type(?sha1WithRSAEncryption) ->
+ sha;
+digest_type(?md5WithRSAEncryption) ->
+ md5;
+digest_type(?'id-dsa-with-sha1') ->
+ sha.
+
+digest(?sha1WithRSAEncryption, Msg) ->
+ crypto:sha(Msg);
+digest(?md5WithRSAEncryption, Msg) ->
+ crypto:md5(Msg);
+digest(?'id-dsa-with-sha1', Msg) ->
+ crypto:sha(Msg).
+
+public_key_info(PublicKeyInfo,
+ #path_validation_state{working_public_key_algorithm =
+ WorkingAlgorithm,
+ working_public_key_parameters =
+ WorkingParams}) ->
+ PublicKey = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey,
+ AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm,
+
+ PublicKeyParams = AlgInfo#'PublicKeyAlgorithm'.parameters,
+ Algorithm = AlgInfo#'PublicKeyAlgorithm'.algorithm,
+
+ NewPublicKeyParams =
+ case PublicKeyParams of
+ 'NULL' when WorkingAlgorithm == Algorithm ->
+ WorkingParams;
+ _ ->
+ PublicKeyParams
+ end,
+ {Algorithm, PublicKey, NewPublicKeyParams}.
+
+time_str_2_gregorian_sec({utcTime, [Y1,Y2,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,Z]}) ->
+ case list_to_integer([Y1,Y2]) of
+ N when N >= 50 ->
+ time_str_2_gregorian_sec({generalTime,
+ [$1,$9,Y1,Y2,M1,M2,D1,D2,
+ H1,H2,M3,M4,S1,S2,Z]});
+ _ ->
+ time_str_2_gregorian_sec({generalTime,
+ [$2,$0,Y1,Y2,M1,M2,D1,D2,
+ H1,H2,M3,M4,S1,S2,Z]})
+ end;
+
+time_str_2_gregorian_sec({_,[Y1,Y2,Y3,Y4,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,$Z]}) ->
+ Year = list_to_integer([Y1, Y2, Y3, Y4]),
+ Month = list_to_integer([M1, M2]),
+ Day = list_to_integer([D1, D2]),
+ Hour = list_to_integer([H1, H2]),
+ Min = list_to_integer([M3, M4]),
+ Sec = list_to_integer([S1, S2]),
+ calendar:datetime_to_gregorian_seconds({{Year, Month, Day},
+ {Hour, Min, Sec}}).
+
+is_dir_name([], [], _Exact) -> true;
+is_dir_name([H|R1],[H|R2], Exact) -> is_dir_name(R1,R2, Exact);
+is_dir_name([[{'AttributeTypeAndValue', Type, What1}]|Rest1],
+ [[{'AttributeTypeAndValue', Type, What2}]|Rest2],Exact) ->
+ case is_dir_name2(What1,What2) of
+ true -> is_dir_name(Rest1,Rest2,Exact);
+ false -> false
+ end;
+is_dir_name([{'AttributeTypeAndValue', Type, What1}|Rest1],
+ [{'AttributeTypeAndValue', Type, What2}|Rest2], Exact) ->
+ case is_dir_name2(What1,What2) of
+ true -> is_dir_name(Rest1,Rest2,Exact);
+ false -> false
+ end;
+is_dir_name(_,[],false) ->
+ true;
+is_dir_name(_,_,_) ->
+ false.
+
+is_dir_name2(Value, Value) -> true;
+is_dir_name2({printableString, Value1}, {printableString, Value2}) ->
+ string:to_lower(strip_spaces(Value1)) =:=
+ string:to_lower(strip_spaces(Value2));
+is_dir_name2({utf8String, Value1}, String) -> %% BUGBUG FIX UTF8 conv
+ is_dir_name2({printableString, binary_to_list(Value1)}, String);
+is_dir_name2(String, {utf8String, Value1}) -> %% BUGBUG FIX UTF8 conv
+ is_dir_name2(String, {printableString, binary_to_list(Value1)});
+is_dir_name2(_, _) ->
+ false.
+
+cert_auth_key_id(#'AuthorityKeyIdentifier'{authorityCertIssuer
+ = asn1_NOVALUE}) ->
+ {error, issuer_not_found};
+cert_auth_key_id(#'AuthorityKeyIdentifier'{authorityCertIssuer =
+ AuthCertIssuer,
+ authorityCertSerialNumber =
+ SerialNr}) ->
+ {ok, {SerialNr, decode_general_name(AuthCertIssuer)}}.
+
+decode_general_name([{directoryName, Issuer}]) ->
+ normalize_general_name(Issuer).
+
+%% Strip all leading and trailing spaces and make
+%% sure there is no double spaces in between.
+strip_spaces(String) ->
+ NewString =
+ lists:foldl(fun(Char, Acc) -> Acc ++ Char ++ " " end, [],
+ string:tokens(String, " ")),
+ string:strip(NewString).
+
+select_extension(_, []) ->
+ undefined;
+select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
+ Extension;
+select_extension(Id, [_ | Extensions]) ->
+ select_extension(Id, Extensions).
+
+%% No extensions present
+validate_extensions(asn1_NOVALUE, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr) ->
+ validate_extensions([], ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+validate_extensions([], ValidationState, basic_constraint, _SelfSigned,
+ UnknownExtensions, _Verify, AccErr) ->
+ {ValidationState, UnknownExtensions, AccErr};
+validate_extensions([], ValidationState =
+ #path_validation_state{max_path_length = Len,
+ last_cert = Last},
+ no_basic_constraint, SelfSigned, UnknownExtensions,
+ Verify, AccErr0) ->
+ case Last of
+ true when SelfSigned ->
+ {ValidationState, UnknownExtensions, AccErr0};
+ true ->
+ {ValidationState#path_validation_state{max_path_length = Len - 1},
+ UnknownExtensions, AccErr0};
+ %% basic_constraint must appear in certs used for digital sign
+ %% see 4.2.1.10 in rfc 3280
+ false ->
+ AccErr = not_valid({bad_cert, missing_basic_constraint},
+ Verify, AccErr0),
+ case SelfSigned of
+ true ->
+ {ValidationState, UnknownExtensions, AccErr};
+ false ->
+ {ValidationState#path_validation_state{max_path_length =
+ Len - 1},
+ UnknownExtensions, AccErr}
+ end
+ end;
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-basicConstraints',
+ extnValue =
+ #'BasicConstraints'{cA = true,
+ pathLenConstraint = N}} |
+ Rest],
+ ValidationState =
+ #path_validation_state{max_path_length = Len}, _,
+ SelfSigned, UnknownExtensions, Verify, AccErr) ->
+ Length = if SelfSigned -> min(N, Len);
+ true -> min(N, Len-1)
+ end,
+ validate_extensions(Rest,
+ ValidationState#path_validation_state{max_path_length =
+ Length},
+ basic_constraint, SelfSigned, UnknownExtensions,
+ Verify, AccErr);
+%% The pathLenConstraint field is meaningful only if cA is set to
+%% TRUE.
+validate_extensions([#'Extension'{extnID = ?'id-ce-basicConstraints',
+ extnValue =
+ #'BasicConstraints'{cA = false}} |
+ Rest], ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr) ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+%%
+validate_extensions([#'Extension'{extnID = ?'id-ce-keyUsage',
+ extnValue = KeyUse
+ } | Rest],
+ #path_validation_state{last_cert=Last} = ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr0) ->
+ case Last orelse is_valid_key_usage(KeyUse, keyCertSign) of
+ true ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify,
+ AccErr0);
+ false ->
+ AccErr = not_valid({bad_cert, invalid_key_usage}, Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify,
+ AccErr)
+ end;
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage',
+ extnValue = KeyUse,
+ critical = true} | Rest],
+ #path_validation_state{} = ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions, Verify,
+ AccErr0) ->
+ case is_valid_extkey_usage(KeyUse) of
+ true ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions,
+ Verify, AccErr0);
+ false ->
+ AccErr =
+ not_valid({bad_cert, invalid_ext_key_usage}, Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr)
+ end;
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-subjectAltName',
+ extnValue = Names} | Rest],
+ ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr0) ->
+ case validate_subject_alt_names(Names) of
+ true when Names =/= [] ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify,
+ AccErr0);
+ _ ->
+ AccErr =
+ not_valid({bad_cert, invalid_subject_altname},
+ Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify,
+ AccErr)
+ end;
+
+%% This extension SHOULD NOT be marked critical. Its value
+%% does not have to be further validated at this point.
+validate_extensions([#'Extension'{extnID = ?'id-ce-issuerAltName',
+ extnValue = _} | Rest],
+ ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr) ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+%% This extension MUST NOT be marked critical.Its value
+%% does not have to be further validated at this point.
+validate_extensions([#'Extension'{extnID = Id,
+ extnValue = _,
+ critical = false} | Rest],
+ ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr)
+ when Id == ?'id-ce-subjectKeyIdentifier';
+ Id == ?'id-ce-authorityKeyIdentifier'->
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-nameConstraints',
+ extnValue = NameConst} | Rest],
+ ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr) ->
+ Permitted = NameConst#'NameConstraints'.permittedSubtrees,
+ Excluded = NameConst#'NameConstraints'.excludedSubtrees,
+
+ NewValidationState = add_name_constraints(Permitted, Excluded,
+ ValidationState),
+
+ validate_extensions(Rest, NewValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-certificatePolicies',
+ critical = true} | Rest], ValidationState,
+ ExistBasicCon, SelfSigned,
+ UnknownExtensions, Verify, AccErr0) ->
+ %% TODO: Remove this clause when policy handling is
+ %% fully implemented
+ AccErr =
+ not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-certificatePolicies',
+ extnValue = #'PolicyInformation'{
+ policyIdentifier = Id,
+ policyQualifiers = Qualifier}}
+ | Rest], #path_validation_state{valid_policy_tree = Tree}
+ = ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr) ->
+
+ %% TODO: Policy imp incomplete
+ NewTree = process_policy_tree(Id, Qualifier, Tree),
+
+ validate_extensions(Rest,
+ ValidationState#path_validation_state{
+ valid_policy_tree = NewTree},
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr);
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-policyConstraints',
+ critical = true} | Rest], ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions, Verify,
+ AccErr0) ->
+ %% TODO: Remove this clause when policy handling is
+ %% fully implemented
+ AccErr =
+ not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+validate_extensions([#'Extension'{extnID = ?'id-ce-policyConstraints',
+ extnValue = #'PolicyConstraints'{
+ requireExplicitPolicy = ExpPolicy,
+ inhibitPolicyMapping = MapPolicy}}
+ | Rest], ValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr) ->
+
+ %% TODO: Policy imp incomplete
+ NewValidationState = add_policy_constraints(ExpPolicy, MapPolicy,
+ ValidationState),
+
+ validate_extensions(Rest, NewValidationState, ExistBasicCon,
+ SelfSigned, UnknownExtensions, Verify, AccErr);
+
+validate_extensions([Extension | Rest], ValidationState,
+ ExistBasicCon, SelfSigned, UnknownExtensions,
+ Verify, AccErr) ->
+ validate_extensions(Rest, ValidationState, ExistBasicCon, SelfSigned,
+ [Extension | UnknownExtensions], Verify, AccErr).
+
+is_valid_key_usage(KeyUse, Use) ->
+ lists:member(Use, KeyUse).
+
+is_valid_extkey_usage(?'id-kp-clientAuth') ->
+ true;
+is_valid_extkey_usage(?'id-kp-serverAuth') ->
+ true;
+is_valid_extkey_usage(_) ->
+ false.
+
+validate_subject_alt_names([]) ->
+ true;
+validate_subject_alt_names([AltName | Rest]) ->
+ case is_valid_subject_alt_name(AltName) of
+ true ->
+ validate_subject_alt_names(Rest);
+ false ->
+ false
+ end.
+
+is_valid_subject_alt_name({Name, Value}) when Name == rfc822Name;
+ Name == dNSName ->
+ case Value of
+ "" ->
+ false;
+ _ ->
+ true
+ end;
+
+is_valid_subject_alt_name({iPAdress, Addr}) ->
+ case length(Addr) of
+ 4 -> %ipv4
+ true;
+ 16 -> %ipv6
+ true;
+ _ ->
+ false
+ end;
+is_valid_subject_alt_name({uniformResourceIdentifier, URI}) ->
+ is_valid_uri(URI);
+
+is_valid_subject_alt_name({directoryName, _}) ->
+ true;
+is_valid_subject_alt_name({_, [_|_]}) ->
+ true;
+is_valid_subject_alt_name({_, _}) ->
+ false.
+
+min(N, M) when N =< M ->
+ N;
+min(_, M) ->
+ M.
+
+is_ip_address(Address) ->
+ case inet_parse:address(Address) of
+ {ok, _} ->
+ true;
+ _ ->
+ false
+ end.
+
+is_fully_qualified_name(_Name) ->
+ true.
+
+is_valid_uri(AbsURI) ->
+ case split_uri(AbsURI) of
+ incomplete ->
+ false;
+ {StrScheme, _, Host, _, _} ->
+ case string:to_lower(StrScheme) of
+ Scheme when Scheme =:= "http"; Scheme =:= "ftp" ->
+ is_valid_host(Host);
+ _ ->
+ false
+ end
+ end.
+
+is_valid_host(Host) ->
+ case is_ip_address(Host) of
+ true ->
+ true;
+ false ->
+ is_fully_qualified_name(Host)
+ end.
+
+%% Could have a more general split URI in stdlib? Maybe when
+%% regexs are improved. Needed also in inets!
+split_uri(Uri) ->
+ case split_uri(Uri, ":", {error, no_scheme}, 1, 1) of
+ {error, no_scheme} ->
+ incomplete;
+ {StrScheme, "//" ++ URIPart} ->
+ {Authority, PathQuery} =
+ split_auth_path(URIPart),
+ {UserInfo, HostPort} =
+ split_uri(Authority, "@", {"", Authority}, 1, 1),
+ {Host, Port} =
+ split_uri(HostPort, ":", {HostPort, dummy_port}, 1, 1),
+ {StrScheme, UserInfo, Host, Port, PathQuery}
+ end.
+
+split_auth_path(URIPart) ->
+ case split_uri(URIPart, "/", URIPart, 1, 0) of
+ Split = {_, _} ->
+ Split;
+ URIPart ->
+ case split_uri(URIPart, "\\?", URIPart, 1, 0) of
+ Split = {_, _} ->
+ Split;
+ URIPart ->
+ {URIPart,""}
+ end
+ end.
+
+split_uri(UriPart, SplitChar, NoMatchResult, SkipLeft, SkipRight) ->
+ case regexp:first_match(UriPart, SplitChar) of
+ {match, Match, _} ->
+ {string:substr(UriPart, 1, Match - SkipLeft),
+ string:substr(UriPart, Match + SkipRight, length(UriPart))};
+ nomatch ->
+ NoMatchResult
+ end.
+
+is_rdnSeq({rdnSequence,[]}, {rdnSequence,[none]}) ->
+ true;
+is_rdnSeq({rdnSequence,DirName}, {rdnSequence,Permitted}) ->
+ is_dir_name(DirName, Permitted, false).
+
+is_permitted(_, no_constraints) ->
+ true;
+is_permitted(Names, Constraints) ->
+ is_valid_name(Names, Constraints, true).
+
+is_excluded([], _) ->
+ false;
+is_excluded(Names, Constraints) ->
+ is_valid_name(Names, Constraints, false).
+
+is_valid_name([], _, Default) ->
+ Default;
+is_valid_name([{Type, Name} | Rest], Constraints, Default) ->
+ case type_subtree_names(Type, Constraints) of
+ [_|_] = ConstraintNames ->
+ case match_name(Type, Name, ConstraintNames) of
+ Default ->
+ is_valid_name(Rest, Constraints, Default);
+ Fail ->
+ Fail
+ end;
+ [] ->
+ is_valid_name(Rest, Constraints,Default)
+ end.
+
+add_name_constraints(NewPermittedTrees, NewExcludedTrees,
+ #path_validation_state{
+ permitted_subtrees = PermittedTrees,
+ excluded_subtrees = ExcludedTrees} =
+ ValidationState) ->
+ NewPermitted = subtree_intersection(NewPermittedTrees, PermittedTrees),
+ NewExcluded = subtree_union(NewExcludedTrees, ExcludedTrees),
+ ValidationState#path_validation_state{permitted_subtrees = NewPermitted,
+ excluded_subtrees = NewExcluded}.
+subtree_union(asn1_NOVALUE, Trees) ->
+ Trees;
+subtree_union(Trees1, Trees2) ->
+ Trees1 ++ Trees2.
+
+subtree_intersection(asn1_NOVALUE, Trees) ->
+ Trees;
+subtree_intersection(List, no_constraints) ->
+ List;
+subtree_intersection([Tree | Trees1], Trees2) ->
+ Trees = is_in_intersection(Tree, Trees2),
+ subtree_intersection(Trees1, Trees);
+subtree_intersection([], TreesInt) ->
+ TreesInt.
+
+is_in_intersection(#'GeneralSubtree'{base =
+ {directoryName, {rdnSequence, Name1}}}
+ = Name,
+ [#'GeneralSubtree'{base =
+ {directoryName, {rdnSequence, Name2}}}
+ | Trees]) ->
+ case is_dir_name(Name1, Name2, false) of
+ true ->
+ [Name|Trees];
+ false ->
+ [Name#'GeneralSubtree'{base =
+ {directoryName, {rdnSequence,[none]}}}
+ | Trees]
+ end;
+is_in_intersection(#'GeneralSubtree'{base = {ipAdress, Ip}},
+ Trees = [#'GeneralSubtree'{base = {ipAdress, Ip}} | _]) ->
+ %% BUGBUG
+ Trees;
+is_in_intersection(#'GeneralSubtree'{base = {x400Address, OrAddr1}} = Addr,
+ [#'GeneralSubtree'{base = {x400Address, OrAddr2}}
+ | Trees]) ->
+ case is_or_address(OrAddr1, OrAddr2) of
+ true ->
+ [Addr|Trees];
+ false ->
+ [#'GeneralSubtree'{base = {x400Address, ""}} | Trees]
+ end;
+
+is_in_intersection(#'GeneralSubtree'{base = {Type, Name1}} = Name,
+ [#'GeneralSubtree'{base = {Type, Name2}}
+ | Trees]) ->
+ case case_insensitive_match(Name1, Name2) of
+ true ->
+ [Name|Trees];
+ false ->
+ [#'GeneralSubtree'{base = {Type, ""}} | Trees]
+ end;
+is_in_intersection(New, []) ->
+ [New];
+is_in_intersection(Name, [Other | IntCandidates]) ->
+ [Other|is_in_intersection(Name, IntCandidates)].
+
+type_subtree_names(Type, SubTrees) ->
+ [Name || #'GeneralSubtree'{base = {TreeType, Name}} <- SubTrees,
+ TreeType =:= Type].
+
+match_name(rfc822Name, Name, [PermittedName | Rest]) ->
+ match_name(fun is_valid_host_or_domain/2, Name, PermittedName, Rest);
+
+match_name(directoryName, DirName, [PermittedName | Rest]) ->
+ match_name(fun is_rdnSeq/2, DirName, PermittedName, Rest);
+
+match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
+ case split_uri(URI) of
+ incomplete ->
+ false;
+ {_, _, Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, Host,
+ PermittedName, Rest)
+ end;
+
+match_name(emailAddress, Name, [PermittedName | Rest]) ->
+ Fun = fun(Email, PermittedEmail) ->
+ is_valid_email_address(Email, PermittedEmail,
+ string:tokens(PermittedEmail,"@"))
+ end,
+ match_name(Fun, Name, PermittedName, Rest);
+
+match_name(dNSName, Name, [PermittedName | Rest]) ->
+ Fun = fun(Domain, [$.|Domain]) -> true;
+ (Name1,Name2) ->
+ lists:suffix(string:to_lower(Name2),
+ string:to_lower(Name1))
+ end,
+ match_name(Fun, Name, [$.|PermittedName], Rest);
+
+match_name(x400Address, OrAddress, [PermittedAddr | Rest]) ->
+ match_name(fun is_or_address/2, OrAddress, PermittedAddr, Rest);
+
+match_name(ipAdress, IP, [PermittedIP | Rest]) ->
+ Fun = fun([IP1, IP2, IP3, IP4],
+ [IP5, IP6, IP7, IP8, M1, M2, M3, M4]) ->
+ is_permitted_ip([IP1, IP2, IP3, IP4],
+ [IP5, IP6, IP7, IP8],
+ [M1, M2, M3, M4]);
+ ([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
+ IP9, IP10, IP11, IP12, IP13, IP14, IP15, IP16],
+ [IP17, IP18, IP19, IP20, IP21, IP22, IP23, IP24,
+ IP25, IP26, IP27, IP28, IP29, IP30, IP31, IP32,
+ M1, M2, M3, M4, M5, M6, M7, M8,
+ M9, M10, M11, M12, M13, M14, M15, M16]) ->
+ is_permitted_ip([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
+ IP9, IP10, IP11, IP12, IP13,
+ IP14, IP15, IP16],
+ [IP17, IP18, IP19, IP20, IP21, IP22, IP23,
+ IP24,IP25, IP26, IP27, IP28, IP29, IP30,
+ IP31, IP32],
+ [M1, M2, M3, M4, M5, M6, M7, M8, M9, M10,
+ M11, M12, M13, M14, M15, M16]);
+ (_,_) ->
+ false
+ end,
+ match_name(Fun, IP, PermittedIP, Rest).
+
+match_name(Fun, Name, PermittedName, []) ->
+ Fun(Name, PermittedName);
+match_name(Fun, Name, PermittedName, [Head | Tail]) ->
+ case Fun(Name, PermittedName) of
+ true ->
+ true;
+ false ->
+ match_name(Fun, Name, Head, Tail)
+ end.
+
+is_permitted_ip([], [], []) ->
+ true;
+is_permitted_ip([CandidatIp | CandidatIpRest],
+ [PermittedIp | PermittedIpRest], [Mask | MaskRest] ) ->
+ case mask_cmp(CandidatIp, PermittedIp, Mask) of
+ true ->
+ is_permitted_ip(CandidatIpRest, PermittedIpRest, MaskRest);
+ false ->
+ false
+ end.
+
+mask_cmp(Canditate, Permitted, Mask) ->
+ (Canditate band Mask) == Permitted.
+
+is_valid_host_or_domain(Canditate, [$.|_] = Permitted) ->
+ is_suffix(Permitted, Canditate);
+is_valid_host_or_domain(Canditate, Permitted) ->
+ case string:tokens(Canditate,"@") of
+ [CanditateHost] ->
+ case_insensitive_match(CanditateHost, Permitted);
+ [_, CanditateHost] ->
+ case_insensitive_match(CanditateHost, Permitted)
+ end.
+is_valid_email_address(Canditate, [$.|Permitted], [_]) ->
+ is_suffix(Permitted, Canditate);
+
+is_valid_email_address(Canditate, PermittedHost, [_]) ->
+ [_ , CanditateHost] = string:tokens(Canditate,"@"),
+ case_insensitive_match(CanditateHost, PermittedHost);
+
+is_valid_email_address(Canditate, Permitted, [_, _]) ->
+ case_insensitive_match(Canditate, Permitted).
+
+is_suffix(Suffix, Str) ->
+ lists:suffix(string:to_lower(Suffix), string:to_lower(Str)).
+case_insensitive_match(Str1, Str2) ->
+ string:to_lower(Str1) == string:to_lower(Str2).
+
+is_or_address(Address, Canditate) ->
+ %% TODO: Is case_insensitive_match sufficient?
+ %% study rfc2156 probably need more a complex check.
+ is_double_quoted(Address) andalso
+ is_double_quoted(Canditate) andalso
+ case_insensitive_match(Address, Canditate).
+
+is_double_quoted(["\"" | Tail]) ->
+ is_double_quote(lists:last(Tail));
+is_double_quoted("%22" ++ Tail) ->
+ case lists:reverse(Tail) of
+ [A, B, C | _] ->
+ is_double_quote([C, B, A]);
+ _ ->
+ false
+ end;
+
+is_double_quoted(_) ->
+ false.
+
+is_double_quote("%22") ->
+ true;
+is_double_quote("\"") ->
+ true;
+is_double_quote(_) ->
+ false.
+
+add_policy_constraints(ExpPolicy, MapPolicy,
+ #path_validation_state{cert_num = CertNum,
+ explicit_policy = CurExpPolicy,
+ policy_mapping = CurMapPolicy} =
+ ValidationState) ->
+
+ NewExpPolicy = policy_constraint(CurExpPolicy, ExpPolicy, CertNum),
+ NewMapPolicy = policy_constraint(CurMapPolicy, MapPolicy, CertNum),
+
+ ValidationState#path_validation_state{explicit_policy = NewExpPolicy,
+ policy_mapping = NewMapPolicy}.
+
+policy_constraint(Current, asn1_NOVALUE, _) ->
+ Current;
+policy_constraint(Current, New, CertNum) ->
+ min(Current, New + CertNum).
+
+process_policy_tree(_,_, ?NULL) ->
+ ?NULL;
+process_policy_tree(_Id, _Qualifier, Tree) ->
+ %% TODO real imp.
+ Tree.
+
+policy_indicator(_, true) ->
+ 0;
+policy_indicator(N, false) ->
+ N + 1.
+
+is_fixed_dh_cert(PublicKeyInfo, Extensions) ->
+ AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm,
+ Algorithm = AlgInfo#'PublicKeyAlgorithm'.algorithm,
+
+ case select_extension(?'id-ce-keyUsage', Extensions) of
+ undefined ->
+ is_dh(Algorithm);
+ #'Extension'{extnValue=KeyUse} ->
+ is_dh(Algorithm) andalso is_valid_key_usage(KeyUse, keyAgreement)
+ end.
+
+is_dh(?'dhpublicnumber')->
+ true;
+is_dh(_) ->
+ false.
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
new file mode 100644
index 0000000000..36b7c47a9c
--- /dev/null
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -0,0 +1,538 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(pubkey_cert_records).
+
+-include("public_key.hrl").
+
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+
+-export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code.
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+
+decode_cert(DerCert, plain) ->
+ 'OTP-PUB-KEY':decode('Certificate', DerCert);
+decode_cert(DerCert, otp) ->
+ {ok, Cert} = 'OTP-PUB-KEY':decode('OTPCertificate', DerCert),
+ {ok, decode_all_otp(Cert)}.
+
+old_decode_cert(DerCert, otp) ->
+ {ok, Cert} = 'OTP-PUB-KEY':decode('Certificate', DerCert),
+ {ok, plain_to_otp(Cert)}.
+
+old_encode_cert(Cert) ->
+ PlainCert = otp_to_plain(Cert),
+ {ok, EncCert} = 'OTP-PUB-KEY':encode('Certificate', PlainCert),
+ list_to_binary(EncCert).
+
+
+encode_cert(Cert = #'Certificate'{}) ->
+ {ok, EncCert} = 'OTP-PUB-KEY':encode('Certificate', Cert),
+ list_to_binary(EncCert);
+encode_cert(C = #'OTPCertificate'{tbsCertificate = TBS =
+ #'OTPTBSCertificate'{
+ issuer=Issuer0,
+ subject=Subject0,
+ subjectPublicKeyInfo=Spki0,
+ extensions=Exts0}
+ }) ->
+ Issuer = transform(Issuer0,encode),
+ Subject = transform(Subject0,encode),
+ Spki = encode_supportedPublicKey(Spki0),
+ Exts = encode_extensions(Exts0),
+ %% io:format("Extensions ~p~n",[Exts]),
+ Cert = C#'OTPCertificate'{tbsCertificate=
+ TBS#'OTPTBSCertificate'{
+ issuer=Issuer, subject=Subject,
+ subjectPublicKeyInfo=Spki,
+ extensions=Exts}},
+ {ok, EncCert} = 'OTP-PUB-KEY':encode('OTPCertificate', Cert),
+ list_to_binary(EncCert).
+
+encode_tbs_cert(TBS = #'OTPTBSCertificate'{
+ issuer=Issuer0,
+ subject=Subject0,
+ subjectPublicKeyInfo=Spki0,
+ extensions=Exts0}) ->
+ Issuer = transform(Issuer0,encode),
+ Subject = transform(Subject0,encode),
+ Spki = encode_supportedPublicKey(Spki0),
+ Exts = encode_extensions(Exts0),
+ TBSCert = TBS#'OTPTBSCertificate'{issuer=Issuer,subject=Subject,
+ subjectPublicKeyInfo=Spki,extensions=Exts},
+ {ok, EncTBSCert} = 'OTP-PUB-KEY':encode('OTPTBSCertificate', TBSCert),
+ list_to_binary(EncTBSCert).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+decode_all_otp(C = #'OTPCertificate'{tbsCertificate = TBS =
+ #'OTPTBSCertificate'{
+ issuer=Issuer0,
+ subject=Subject0,
+ subjectPublicKeyInfo=Spki0,
+ extensions=Exts0}
+ }) ->
+ Issuer = transform(Issuer0,decode),
+ Subject = transform(Subject0,decode),
+ Spki = decode_supportedPublicKey(Spki0),
+ Exts = decode_extensions(Exts0),
+ %% io:format("Extensions ~p~n",[Exts]),
+ C#'OTPCertificate'{tbsCertificate=
+ TBS#'OTPTBSCertificate'{
+ issuer=Issuer, subject=Subject,
+ subjectPublicKeyInfo=Spki,extensions=Exts}}.
+
+
+%%% SubjectPublicKey
+supportedPublicKeyAlgorithms(?'rsaEncryption') -> 'RSAPublicKey';
+supportedPublicKeyAlgorithms(?'id-dsa') -> 'DSAPublicKey';
+supportedPublicKeyAlgorithms(?'dhpublicnumber') -> 'DHPublicKey';
+supportedPublicKeyAlgorithms(?'id-keyExchangeAlgorithm') -> 'KEA-PublicKey';
+supportedPublicKeyAlgorithms(?'id-ecPublicKey') -> 'ECPoint'.
+
+decode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
+ #'PublicKeyAlgorithm'{algorithm=Algo},
+ subjectPublicKey = {0,SPK0}}) ->
+ Type = supportedPublicKeyAlgorithms(Algo),
+ {ok, SPK} = 'OTP-PUB-KEY':decode(Type, SPK0),
+ #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}.
+
+encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
+ #'PublicKeyAlgorithm'{algorithm=Algo},
+ subjectPublicKey = SPK0}) ->
+ Type = supportedPublicKeyAlgorithms(Algo),
+ {ok, SPK} = 'OTP-PUB-KEY':encode(Type, SPK0),
+ #'OTPSubjectPublicKeyInfo'{subjectPublicKey = {0,list_to_binary(SPK)}, algorithm=PA}.
+
+%%% Extensions
+
+extension_id(?'id-ce-authorityKeyIdentifier') -> 'AuthorityKeyIdentifier';
+extension_id(?'id-ce-subjectKeyIdentifier') -> 'SubjectKeyIdentifier';
+extension_id(?'id-ce-keyUsage') -> 'KeyUsage';
+extension_id(?'id-ce-privateKeyUsagePeriod') -> 'PrivateKeyUsagePeriod';
+extension_id(?'id-ce-certificatePolicies') -> 'CertificatePolicies';
+extension_id(?'id-ce-policyMappings') -> 'PolicyMappings';
+extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName';
+extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName';
+extension_id(?'id-ce-subjectDirectoryAttributes') -> 'SubjectDirectoryAttributes';
+extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints';
+extension_id(?'id-ce-nameConstraints') -> 'NameConstraints';
+extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints';
+extension_id(?'id-ce-cRLDistributionPoints') -> 'CRLDistributionPoints';
+extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax';
+extension_id(?'id-ce-inhibitAnyPolicy') -> 'InhibitAnyPolicy';
+extension_id(?'id-ce-freshestCRL') -> 'FreshestCRL';
+%% Missing in public_key doc
+extension_id(?'id-pe-authorityInfoAccess') -> 'AuthorityInfoAccessSyntax';
+extension_id(?'id-pe-subjectInfoAccess') -> 'SubjectInfoAccessSyntax';
+extension_id(?'id-ce-cRLNumber') -> 'CRLNumber';
+extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
+extension_id(?'id-ce-deltaCRLIndicator') -> 'BaseCRLNumber';
+extension_id(?'id-ce-cRLReasons') -> 'CRLReason';
+extension_id(?'id-ce-certificateIssuer') -> 'CertificateIssuer';
+extension_id(?'id-ce-holdInstructionCode') -> 'HoldInstructionCode';
+extension_id(?'id-ce-invalidityDate') -> 'InvalidityDate';
+extension_id(_) ->
+ undefined.
+
+
+decode_extensions(asn1_NOVALUE) ->
+ asn1_NOVALUE;
+
+decode_extensions(Exts) ->
+ lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
+ case extension_id(Id) of
+ undefined -> Ext;
+ Type ->
+ {ok, Value} = 'OTP-PUB-KEY':decode(Type, list_to_binary(Value0)),
+ Ext#'Extension'{extnValue=transform(Value,decode)}
+ end
+ end, Exts).
+
+encode_extensions(asn1_NOVALUE) ->
+ asn1_NOVALUE;
+
+encode_extensions(Exts) ->
+ lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
+ case extension_id(Id) of
+ undefined -> Ext;
+ Type ->
+ Value1 = transform(Value0,encode),
+ {ok, Value} = 'OTP-PUB-KEY':encode(Type, Value1),
+ Ext#'Extension'{extnValue=list_to_binary(Value)}
+ end
+ end, Exts).
+
+transform(#'AttributeTypeAndValue'{type=Id,value=Value0} = ATAV, Func) ->
+ {ok, Value} =
+ case attribute_type(Id) of
+ Type when is_atom(Type) -> 'OTP-PUB-KEY':Func(Type, Value0);
+ _UnknownType -> {ok, Value0}
+ end,
+ ATAV#'AttributeTypeAndValue'{value=Value};
+transform(AKI = #'AuthorityKeyIdentifier'{authorityCertIssuer=ACI},Func) ->
+ AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=transform(ACI,Func)};
+transform(List = [{directoryName, _}],Func) ->
+ [{directoryName, transform(Value,Func)} || {directoryName, Value} <- List];
+transform({directoryName, Value},Func) ->
+ {directoryName, transform(Value,Func)};
+transform({rdnSequence, SeqList},Func) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) -> transform(Element,Func) end, Seq)
+ end, SeqList)};
+%% transform(List = [{rdnSequence, _}|_],Func) ->
+%% lists:map(fun(Element) -> transform(Element,Func) end, List);
+transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}, Func) ->
+ Res = #'NameConstraints'{permittedSubtrees=transform_sub_tree(Permitted,Func),
+ excludedSubtrees=transform_sub_tree(Excluded,Func)},
+%% io:format("~p~n",[Res]),
+ Res;
+transform(Other,_) ->
+ Other.
+transform_sub_tree(asn1_NOVALUE,_) -> asn1_NOVALUE;
+transform_sub_tree(TreeList,Func) ->
+ [Tree#'GeneralSubtree'{base=transform(Name,Func)} ||
+ Tree = #'GeneralSubtree'{base=Name} <- TreeList].
+
+attribute_type(?'id-at-name') -> 'X520name';
+attribute_type(?'id-at-surname') -> 'X520name';
+attribute_type(?'id-at-givenName') -> 'X520name';
+attribute_type(?'id-at-initials') -> 'X520name';
+attribute_type(?'id-at-generationQualifier') -> 'X520name';
+attribute_type(?'id-at-commonName') -> 'X520CommonName';
+attribute_type(?'id-at-localityName') -> 'X520LocalityName';
+attribute_type(?'id-at-stateOrProvinceName') -> 'X520StateOrProvinceName';
+attribute_type(?'id-at-organizationName') -> 'X520OrganizationName';
+attribute_type(?'id-at-organizationalUnitName') -> 'X520OrganizationalUnitName';
+attribute_type(?'id-at-title') -> 'X520Title';
+attribute_type(?'id-at-dnQualifier') -> 'X520dnQualifier';
+attribute_type(?'id-at-countryName') -> 'X520countryName';
+attribute_type(?'id-at-serialNumber') -> 'X520SerialNumber';
+attribute_type(?'id-at-pseudonym') -> 'X520Pseudonym';
+attribute_type(?'id-domainComponent') -> 'DomainComponent';
+attribute_type(?'id-emailAddress') -> 'EmailAddress';
+attribute_type(Type) -> Type.
+
+%%% Old code transforms
+
+plain_to_otp(#'Certificate'{tbsCertificate = TBSCert,
+ signatureAlgorithm = SigAlg,
+ signature = Signature} = Cert) ->
+ Cert#'Certificate'{tbsCertificate = plain_to_otp(TBSCert),
+ signatureAlgorithm = plain_to_otp(SigAlg),
+ signature = plain_to_otp(Signature)};
+
+plain_to_otp(#'TBSCertificate'{signature = Signature,
+ issuer = Issuer,
+ subject = Subject,
+ subjectPublicKeyInfo = SPubKeyInfo,
+ extensions = Extensions} = TBSCert) ->
+
+ TBSCert#'TBSCertificate'{signature = plain_to_otp(Signature),
+ issuer = plain_to_otp(Issuer),
+ subject =
+ plain_to_otp(Subject),
+ subjectPublicKeyInfo =
+ plain_to_otp(SPubKeyInfo),
+ extensions =
+ plain_to_otp_extensions(Extensions)
+ };
+
+plain_to_otp(#'AlgorithmIdentifier'{algorithm = Algorithm,
+ parameters = Params}) ->
+ SignAlgAny =
+ #'SignatureAlgorithm-Any'{algorithm = Algorithm,
+ parameters = Params},
+ {ok, AnyEnc} = 'OTP-PUB-KEY':encode('SignatureAlgorithm-Any',
+ SignAlgAny),
+ {ok, SignAlg} = 'OTP-PUB-KEY':decode('SignatureAlgorithm',
+ list_to_binary(AnyEnc)),
+ SignAlg;
+
+plain_to_otp({rdnSequence, SeqList}) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) ->
+ plain_to_otp(Element)
+ end,
+ Seq)
+ end, SeqList)};
+
+plain_to_otp(#'AttributeTypeAndValue'{} = ATAV) ->
+ {ok, ATAVEnc} =
+ 'OTP-PUB-KEY':encode('AttributeTypeAndValue', ATAV),
+ {ok, ATAVDec} = 'OTP-PUB-KEY':decode('OTPAttributeTypeAndValue',
+ list_to_binary(ATAVEnc)),
+ #'AttributeTypeAndValue'{type = ATAVDec#'OTPAttributeTypeAndValue'.type,
+ value =
+ ATAVDec#'OTPAttributeTypeAndValue'.value};
+
+plain_to_otp(#'SubjectPublicKeyInfo'{algorithm =
+ #'AlgorithmIdentifier'{algorithm
+ = Algo,
+ parameters =
+ Params},
+ subjectPublicKey = PublicKey}) ->
+
+ AnyAlgo = #'PublicKeyAlgorithm'{algorithm = Algo,
+ parameters = Params},
+ {0, AnyKey} = PublicKey,
+ AnyDec = #'OTPSubjectPublicKeyInfo-Any'{algorithm = AnyAlgo,
+ subjectPublicKey = AnyKey},
+ {ok, AnyEnc} =
+ 'OTP-PUB-KEY':encode('OTPSubjectPublicKeyInfo-Any', AnyDec),
+ {ok, InfoDec} = 'OTP-PUB-KEY':decode('OTPOLDSubjectPublicKeyInfo',
+ list_to_binary(AnyEnc)),
+
+ AlgorithmDec = InfoDec#'OTPOLDSubjectPublicKeyInfo'.algorithm,
+ AlgoDec = AlgorithmDec#'OTPOLDSubjectPublicKeyInfo_algorithm'.algo,
+ NewParams = AlgorithmDec#'OTPOLDSubjectPublicKeyInfo_algorithm'.parameters,
+ PublicKeyDec = InfoDec#'OTPOLDSubjectPublicKeyInfo'.subjectPublicKey,
+ NewAlgorithmDec =
+ #'SubjectPublicKeyInfoAlgorithm'{algorithm = AlgoDec,
+ parameters = NewParams},
+ #'SubjectPublicKeyInfo'{algorithm = NewAlgorithmDec,
+ subjectPublicKey = PublicKeyDec
+ };
+
+plain_to_otp(#'Extension'{extnID = ExtID,
+ critical = Critical,
+ extnValue = Value})
+ when ExtID == ?'id-ce-authorityKeyIdentifier';
+ ExtID == ?'id-ce-subjectKeyIdentifier';
+ ExtID == ?'id-ce-keyUsage';
+ ExtID == ?'id-ce-privateKeyUsagePeriod';
+ ExtID == ?'id-ce-certificatePolicies';
+ ExtID == ?'id-ce-policyMappings';
+ ExtID == ?'id-ce-subjectAltName';
+ ExtID == ?'id-ce-issuerAltName';
+ ExtID == ?'id-ce-subjectDirectoryAttributes';
+ ExtID == ?'id-ce-basicConstraints';
+ ExtID == ?'id-ce-nameConstraints';
+ ExtID == ?'id-ce-policyConstraints';
+ ExtID == ?'id-ce-extKeyUsage';
+ ExtID == ?'id-ce-cRLDistributionPoints';
+ ExtID == ?'id-ce-inhibitAnyPolicy';
+ ExtID == ?'id-ce-freshestCRL' ->
+ ExtAny = #'Extension-Any'{extnID = ExtID,
+ critical = Critical,
+ extnValue = Value},
+ {ok, AnyEnc} = 'OTP-PUB-KEY':encode('Extension-Any', ExtAny),
+ {ok, ExtDec} = 'OTP-PUB-KEY':decode('OTPExtension',
+ list_to_binary(AnyEnc)),
+
+ ExtValue = plain_to_otp_extension_value(ExtID,
+ ExtDec#'OTPExtension'.extnValue),
+ #'Extension'{extnID = ExtID,
+ critical = ExtDec#'OTPExtension'.critical,
+ extnValue = ExtValue};
+
+plain_to_otp(#'Extension'{} = Ext) ->
+ Ext;
+
+plain_to_otp(#'AuthorityKeyIdentifier'{} = Ext) ->
+ CertIssuer = Ext#'AuthorityKeyIdentifier'.authorityCertIssuer,
+ Ext#'AuthorityKeyIdentifier'{authorityCertIssuer =
+ plain_to_otp(CertIssuer)};
+
+
+plain_to_otp([{directoryName, Value}]) ->
+ [{directoryName, plain_to_otp(Value)}];
+
+plain_to_otp(Value) ->
+ Value.
+
+otp_to_plain(#'Certificate'{tbsCertificate = TBSCert,
+ signatureAlgorithm = SigAlg,
+ signature = Signature} = Cert) ->
+ Cert#'Certificate'{tbsCertificate = otp_to_plain(TBSCert),
+ signatureAlgorithm =
+ otp_to_plain(SigAlg),
+ signature = otp_to_plain(Signature)};
+
+otp_to_plain(#'TBSCertificate'{signature = Signature,
+ issuer = Issuer,
+ subject = Subject,
+ subjectPublicKeyInfo = SPubKeyInfo,
+ extensions = Extensions} = TBSCert) ->
+
+ TBSCert#'TBSCertificate'{signature = otp_to_plain(Signature),
+ issuer = otp_to_plain(Issuer),
+ subject =
+ otp_to_plain(Subject),
+ subjectPublicKeyInfo =
+ otp_to_plain(SPubKeyInfo),
+ extensions = otp_to_plain_extensions(Extensions)
+ };
+
+otp_to_plain(#'SignatureAlgorithm'{} = SignAlg) ->
+ {ok, EncSignAlg} = 'OTP-PUB-KEY':encode('SignatureAlgorithm', SignAlg),
+ {ok, #'SignatureAlgorithm-Any'{algorithm = Algorithm,
+ parameters = Params}} =
+ 'OTP-PUB-KEY':decode('SignatureAlgorithm-Any',
+ list_to_binary(EncSignAlg)),
+ #'AlgorithmIdentifier'{algorithm = Algorithm,
+ parameters = Params};
+
+otp_to_plain({rdnSequence, SeqList}) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) ->
+ otp_to_plain(Element)
+ end,
+ Seq)
+ end, SeqList)};
+
+otp_to_plain(#'AttributeTypeAndValue'{type = Type, value = Value}) ->
+ {ok, ATAVEnc} =
+ 'OTP-PUB-KEY':encode('OTPAttributeTypeAndValue',
+ #'OTPAttributeTypeAndValue'{type = Type,
+ value = Value}),
+ {ok, ATAVDec} = 'OTP-PUB-KEY':decode('AttributeTypeAndValue',
+ list_to_binary(ATAVEnc)),
+ ATAVDec;
+
+otp_to_plain(#'SubjectPublicKeyInfo'{algorithm =
+ #'SubjectPublicKeyInfoAlgorithm'{
+ algorithm = Algo,
+ parameters =
+ Params},
+ subjectPublicKey = PublicKey}) ->
+
+ OtpAlgo = #'OTPOLDSubjectPublicKeyInfo_algorithm'{algo = Algo,
+ parameters = Params},
+ OtpDec = #'OTPOLDSubjectPublicKeyInfo'{algorithm = OtpAlgo,
+ subjectPublicKey = PublicKey},
+ {ok, OtpEnc} =
+ 'OTP-PUB-KEY':encode('OTPOLDSubjectPublicKeyInfo', OtpDec),
+
+ {ok, AnyDec} = 'OTP-PUB-KEY':decode('OTPSubjectPublicKeyInfo-Any',
+ list_to_binary(OtpEnc)),
+
+ #'OTPSubjectPublicKeyInfo-Any'{algorithm = #'PublicKeyAlgorithm'{
+ algorithm = NewAlgo,
+ parameters = NewParams},
+ subjectPublicKey = Bin} = AnyDec,
+
+ #'SubjectPublicKeyInfo'{algorithm =
+ #'AlgorithmIdentifier'{
+ algorithm = NewAlgo,
+ parameters = plain_key_params(NewParams)},
+ subjectPublicKey =
+ {0, Bin}
+ };
+
+otp_to_plain(#'Extension'{extnID = ExtID,
+ extnValue = Value} = Ext) ->
+ ExtValue =
+ otp_to_plain_extension_value(ExtID, Value),
+
+ Ext#'Extension'{extnValue = ExtValue};
+
+otp_to_plain(#'AuthorityKeyIdentifier'{} = Ext) ->
+ CertIssuer = Ext#'AuthorityKeyIdentifier'.authorityCertIssuer,
+ Ext#'AuthorityKeyIdentifier'{authorityCertIssuer =
+ otp_to_plain(CertIssuer)};
+
+otp_to_plain([{directoryName, Value}]) ->
+ [{directoryName, otp_to_plain(Value)}];
+
+otp_to_plain(Value) ->
+ Value.
+
+plain_key_params('NULL') ->
+ <<5,0>>;
+plain_key_params(Value) ->
+ Value.
+
+plain_to_otp_extension_value(?'id-ce-authorityKeyIdentifier', Value) ->
+ plain_to_otp(Value);
+plain_to_otp_extension_value(_, Value) ->
+ Value.
+
+plain_to_otp_extensions(Exts) when is_list(Exts) ->
+ lists:map(fun(Ext) -> plain_to_otp(Ext) end, Exts).
+
+otp_to_plain_extension_value(?'id-ce-authorityKeyIdentifier', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('AuthorityKeyIdentifier',
+ otp_to_plain(Value)),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-subjectKeyIdentifier', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectKeyIdentifier', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-keyUsage', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('KeyUsage', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-privateKeyUsagePeriod', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('PrivateKeyUsagePeriod', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-certificatePolicies', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('CertificatePolicies', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-policyMappings', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('PolicyMappings', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-subjectAltName', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectAltName', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-issuerAltName', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('IssuerAltName', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-subjectDirectoryAttributes', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectDirectoryAttributes', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-basicConstraints', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('BasicConstraints', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-nameConstraints', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('NameConstraints', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-policyConstraints', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('PolicyConstraints', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-extKeyUsage', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('ExtKeyUsage', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-cRLDistributionPoints', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('CRLDistributionPoints', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-inhibitAnyPolicy', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('InhibitAnyPolicy', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(?'id-ce-freshestCRL', Value) ->
+ {ok, Enc} = 'OTP-PUB-KEY':encode('FreshestCRL', Value),
+ otp_to_plain_extension_value_format(Enc);
+otp_to_plain_extension_value(_Id, Value) ->
+ Value.
+
+otp_to_plain_extension_value_format(Value) ->
+ list_to_binary(Value).
+
+otp_to_plain_extensions(Exts) when is_list(Exts) ->
+ lists:map(fun(Ext) ->
+ otp_to_plain(Ext)
+ end, Exts).
diff --git a/lib/public_key/src/pubkey_crypto.erl b/lib/public_key/src/pubkey_crypto.erl
new file mode 100644
index 0000000000..fe4e97fcc5
--- /dev/null
+++ b/lib/public_key/src/pubkey_crypto.erl
@@ -0,0 +1,137 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+%% Description: Functions that call the crypto driver.
+
+-module(pubkey_crypto).
+
+-include("public_key.hrl").
+
+-export([encrypt_public/3, decrypt_private/3,
+ encrypt_private/3, decrypt_public/3,
+ sign/2, sign/3, verify/5]).
+
+-define(UINT32(X), X:32/unsigned-big-integer).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+
+%%--------------------------------------------------------------------
+%% Function: encrypt(PlainText, Key, Padding) -> Encrypted
+%%
+%% PlainText = binary()
+%% Key = rsa_public_key() | rsa_private_key()
+%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
+%% Encrypted = binary()
+%%
+%% Description: Public key encrypts PlainText.
+%%--------------------------------------------------------------------
+encrypt_public(PlainText, #'RSAPublicKey'{modulus=N,publicExponent=E},Padding) ->
+ crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],Padding);
+encrypt_public(PlainText, #'RSAPrivateKey'{modulus=N,publicExponent=E},Padding) ->
+ crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],Padding).
+
+encrypt_private(PlainText, #'RSAPrivateKey'{modulus = N,
+ publicExponent = E,
+ privateExponent = D}, Padding) ->
+ crypto:rsa_private_encrypt(PlainText, [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)], Padding).
+
+%%--------------------------------------------------------------------
+%% Function: decrypt(CipherText, Key) -> PlainText
+%%
+%% ChipherText = binary()
+%% Key = rsa_private_key()
+%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
+%% PlainText = binary()
+%%
+%% Description: Uses private key to decrypt public key encrypted data.
+%%--------------------------------------------------------------------
+decrypt_private(CipherText,
+ #'RSAPrivateKey'{modulus = N,publicExponent = E,privateExponent = D},
+ Padding) ->
+ crypto:rsa_private_decrypt(CipherText,
+ [crypto:mpint(E), crypto:mpint(N),crypto:mpint(D)],
+ Padding).
+decrypt_public(CipherText, #'RSAPublicKey'{modulus = N, publicExponent = E}, Padding) ->
+ crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)], Padding);
+decrypt_public(CipherText, #'RSAPrivateKey'{modulus = N, publicExponent = E}, Padding) ->
+ crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)], Padding).
+
+%%--------------------------------------------------------------------
+%% Function: sign(PlainText, Key) ->
+%% sign(DigestType, PlainText, Key) -> Signature
+%%
+%% DigestType = sha | md5
+%% PlainText = binary()
+%% Key = rsa_private_key() | dsa_private_key()
+%% Signature = binary()
+%%
+%% Description: Signs PlainText using Key.
+%%--------------------------------------------------------------------
+sign(PlainText, Digest) ->
+ sign(sha, PlainText, Digest).
+
+sign(DigestType, PlainText, #'RSAPrivateKey'{modulus = N, publicExponent = E,
+ privateExponent = D}) ->
+ crypto:rsa_sign(DigestType, sized_binary(PlainText), [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)]);
+
+sign(sha, PlainText, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X}) ->
+ crypto:dss_sign(sized_binary(PlainText),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(X)]).
+
+%%--------------------------------------------------------------------
+%% Function: verify(DigestType, PlainText, Signature, Key) -> true | false
+%%
+%% DigestType = sha | md5
+%% PlainText = binary()
+%% Signature = binary()
+%% Key = rsa_public_key() | dsa_public_key()
+%%
+%% Description: Verifies the signature <Signature>.
+%%--------------------------------------------------------------------
+verify(DigestType, PlainText, Signature,
+ #'RSAPublicKey'{modulus = Mod, publicExponent = Exp}, _) ->
+ crypto:rsa_verify(DigestType,
+ sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(Exp), crypto:mpint(Mod)]);
+
+verify(sha, PlainText, Signature, Key, #'Dss-Parms'{p = P, q = Q, g = G}) ->
+ crypto:dss_verify(sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(Key)]).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+sized_binary(Binary) when is_binary(Binary) ->
+ Size = size(Binary),
+ <<?UINT32(Size), Binary/binary>>;
+sized_binary(List) ->
+ sized_binary(list_to_binary(List)).
+
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
new file mode 100644
index 0000000000..abd46fa00e
--- /dev/null
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -0,0 +1,192 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+%%% Description: Reading and writing of PEM type encoded files.
+%% PEM encoded files have the following structure:
+%%
+%% <text>
+%% -----BEGIN SOMETHING-----<CR><LF>
+%% <Base64 encoding line><CR><LF>
+%% <Base64 encoding line><CR><LF>
+%% ...
+%% -----END SOMETHING-----<CR><LF>
+%% <text>
+%%
+%% A file can contain several BEGIN/END blocks. Text lines between
+%% blocks are ignored.
+%%
+%% The encoding is divided into lines separated by <NL>, and each line
+%% is precisely 64 characters long (excluding the <NL> characters,
+%% except the last line which 64 characters long or shorter. <NL> may
+%% follow the last line.
+
+-module(pubkey_pem).
+
+-export([read_file/1, read_file/2, write_file/2, decode/2]).
+-export([decode_key/2]).
+
+-define(ENCODED_LINE_LENGTH, 64).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+read_file(File) ->
+ read_file(File, no_passwd).
+
+read_file(File, Passwd) ->
+ {ok, Bin} = file:read_file(File),
+ decode(Bin, Passwd).
+
+write_file(File, Ds) ->
+ file:write_file(File, encode_file(Ds)).
+
+decode_key({_Type, Bin, not_encrypted}, _) ->
+ Bin;
+decode_key({_Type, Bin, {Chipher,Salt}}, Password) ->
+ decode_key(Bin, Password, Chipher, Salt).
+
+decode(Bin, Passwd) ->
+ decode_file(split_bin(Bin), Passwd).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+split_bin(Bin) ->
+ split_bin(0, Bin).
+
+split_bin(N, Bin) ->
+ case Bin of
+ <<Line:N/binary, "\r\n", Rest/binary>> ->
+ [Line | split_bin(0, Rest)];
+ <<Line:N/binary, "\n", Rest/binary>> ->
+ [Line | split_bin(0, Rest)];
+ <<Line:N/binary>> ->
+ [Line];
+ _ ->
+ split_bin(N+1, Bin)
+ end.
+
+decode_file(Bin, Passwd) ->
+ decode_file(Bin, [], [Passwd]).
+
+decode_file([<<"-----BEGIN CERTIFICATE REQUEST-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, cert_req, Info);
+decode_file([<<"-----BEGIN CERTIFICATE-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, cert, Info);
+decode_file([<<"-----BEGIN RSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, rsa_private_key, Info);
+decode_file([<<"-----BEGIN DSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, dsa_private_key, Info);
+decode_file([<<"-----BEGIN DH PARAMETERS-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, dh_params, Info);
+decode_file([_|Rest], Ens, Info) ->
+ decode_file(Rest, Ens, Info);
+decode_file([], Ens, _Info) ->
+ {ok, lists:reverse(Ens)}.
+
+decode_file2([<<"Proc-Type: 4,ENCRYPTED", _/binary>>| Rest0], RLs, Ens, Tag, Info0) ->
+ [InfoLine|Rest] = Rest0,
+ Info = dek_info(InfoLine, Info0),
+ decode_file2(Rest, RLs, Ens, Tag, Info);
+decode_file2([<<"-----END", _/binary>>| Rest], RLs, Ens, Tag, Info0) ->
+ Cs = erlang:iolist_to_binary(lists:reverse(RLs)),
+ Bin = base64:mime_decode(Cs),
+ case Info0 of
+ [Password, Cipher, SaltHex | Info1] ->
+ Salt = unhex(SaltHex),
+ Enc = {Cipher, Salt},
+ Decoded = decode_key(Bin, Password, Cipher, Salt),
+ decode_file(Rest, [{Tag, Decoded, Enc}| Ens], Info1);
+ _ ->
+ decode_file(Rest, [{Tag, Bin, not_encrypted}| Ens], Info0)
+ end;
+decode_file2([L|Rest], RLs, Ens, Tag, Info0) ->
+ decode_file2(Rest, [L|RLs], Ens, Tag, Info0);
+decode_file2([], _, Ens, _, _) ->
+ {ok, lists:reverse(Ens)}.
+
+%% TODO Support same as decode_file
+encode_file(Ds) ->
+ lists:map(
+ fun({cert, Bin}) ->
+ %% PKIX (X.509)
+ ["-----BEGIN CERTIFICATE-----\n",
+ b64encode_and_split(Bin),
+ "-----END CERTIFICATE-----\n\n"];
+ ({cert_req, Bin}) ->
+ %% PKCS#10
+ ["-----BEGIN CERTIFICATE REQUEST-----\n",
+ b64encode_and_split(Bin),
+ "-----END CERTIFICATE REQUEST-----\n\n"];
+ ({rsa_private_key, Bin}) ->
+ %% PKCS#?
+ ["XXX Following key assumed not encrypted\n",
+ "-----BEGIN RSA PRIVATE KEY-----\n",
+ b64encode_and_split(Bin),
+ "-----END RSA PRIVATE KEY-----\n\n"]
+ end, Ds).
+
+dek_info(Line0, Info) ->
+ Line = binary_to_list(Line0),
+ [_, DekInfo0] = string:tokens(Line, ": "),
+ DekInfo1 = string:tokens(DekInfo0, ",\n"),
+ Info ++ DekInfo1.
+
+unhex(S) ->
+ unhex(S, []).
+
+unhex("", Acc) ->
+ lists:reverse(Acc);
+unhex([D1, D2 | Rest], Acc) ->
+ unhex(Rest, [erlang:list_to_integer([D1, D2], 16) | Acc]).
+
+decode_key(Data, no_passwd, _Alg, _Salt) ->
+ Data;
+decode_key(Data, Password, "DES-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 8),
+ IV = Salt,
+ crypto:des_cbc_decrypt(Key, IV, Data);
+decode_key(Data, Password, "DES-EDE3-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 24),
+ IV = Salt,
+ <<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
+ crypto:des_ede3_cbc_decrypt(Key1, Key2, Key3, IV, Data).
+
+password_to_key(Data, Salt, KeyLen) ->
+ <<Key:KeyLen/binary, _/binary>> =
+ password_to_key(<<>>, Data, Salt, KeyLen, <<>>),
+ Key.
+
+password_to_key(_, _, _, Len, Acc) when Len =< 0 ->
+ Acc;
+password_to_key(Prev, Data, Salt, Len, Acc) ->
+ M = crypto:md5([Prev, Data, Salt]),
+ password_to_key(M, Data, Salt, Len - size(M), <<Acc/binary, M/binary>>).
+
+b64encode_and_split(Bin) ->
+ split_lines(base64:encode(Bin)).
+
+split_lines(<<Text:?ENCODED_LINE_LENGTH/binary, Rest/binary>>) ->
+ [Text, $\n | split_lines(Rest)];
+split_lines(Bin) ->
+ [Bin, $\n].
+
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
new file mode 100644
index 0000000000..edede7c874
--- /dev/null
+++ b/lib/public_key/src/public_key.app.src
@@ -0,0 +1,16 @@
+{application, public_key,
+ [{description, "Public key infrastructure"},
+ {vsn, "%VSN%"},
+ {modules, [
+ public_key,
+ pubkey_pem,
+ pubkey_crypto,
+ pubkey_cert,
+ pubkey_cert_records,
+ 'OTP-PUB-KEY'
+ ]},
+ {applications, [crypto, kernel, stdlib]},
+ {registered, []},
+ {env, []}
+ ]
+}. \ No newline at end of file
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
new file mode 100644
index 0000000000..8d33482f11
--- /dev/null
+++ b/lib/public_key/src/public_key.appup.src
@@ -0,0 +1,6 @@
+%% -*- erlang -*-
+{"%VSN%",
+ [
+ ],
+ [
+ ]}.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
new file mode 100644
index 0000000000..b0b0b7a832
--- /dev/null
+++ b/lib/public_key/src/public_key.erl
@@ -0,0 +1,411 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(public_key).
+
+-include("public_key.hrl").
+
+-export([decode_private_key/1, decode_private_key/2,
+ decrypt_private/2, decrypt_private/3, encrypt_public/2,
+ encrypt_public/3, decrypt_public/2, decrypt_public/3,
+ encrypt_private/2, encrypt_private/3,
+ sign/2, sign/3,
+ verify_signature/3, verify_signature/4, verify_signature/5,
+ pem_to_der/1, pem_to_der/2,
+ pkix_decode_cert/2, pkix_encode_cert/1,
+ pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
+ pkix_issuer_id/2,
+ pkix_is_issuer/2, pkix_normalize_general_name/1,
+ pkix_path_validation/3
+ ]).
+
+%%====================================================================
+%% API
+%%====================================================================
+
+%%--------------------------------------------------------------------
+%% Function: decode_private_key(KeyInfo [,Password]) ->
+%% {ok, PrivateKey} | {error, Reason}
+%%
+%% KeyInfo = {Type, der_bin(), ChipherInfo} - as returned from
+%% pem_to_der/[1,2] for private keys
+%% Type = rsa_private_key | dsa_private_key
+%% ChipherInfo = opaque() | no_encryption
+%%
+%% Description: Decodes an asn1 der encoded private key.
+%%--------------------------------------------------------------------
+decode_private_key(KeyInfo) ->
+ decode_private_key(KeyInfo, no_passwd).
+
+decode_private_key(KeyInfo = {rsa_private_key, _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('RSAPrivateKey', DerEncoded);
+decode_private_key(KeyInfo = {dsa_private_key, _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('DSAPrivateKey', DerEncoded).
+
+%%--------------------------------------------------------------------
+%% Function: decrypt_private(CipherText, Key) ->
+%% decrypt_private(CipherText, Key, Options) -> PlainTex
+%% decrypt_public(CipherText, Key) ->
+%% decrypt_public(CipherText, Key, Options) -> PlainTex
+%%
+%% CipherText = binary()
+%% Key = rsa_key()
+%% PlainText = binary()
+%%
+%% Description: Decrypts <CipherText>.
+%%--------------------------------------------------------------------
+decrypt_private(CipherText, Key) ->
+ decrypt_private(CipherText, Key, []).
+decrypt_private(CipherText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ pubkey_crypto:decrypt_private(CipherText, Key, Padding).
+
+decrypt_public(CipherText, Key) ->
+ decrypt_public(CipherText, Key, []).
+decrypt_public(CipherText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ pubkey_crypto:decrypt_public(CipherText, Key, Padding).
+
+%%--------------------------------------------------------------------
+%% Function: encrypt_public(PlainText, Key, Options) -> CipherText
+%% encrypt_private(PlainText, Key, Options) -> CipherText
+%%
+%% PlainText = iolist()
+%% Key = rsa_private_key()
+%% CipherText = binary()
+%%
+%% Description: Encrypts <Plain>
+%%--------------------------------------------------------------------
+encrypt_public(PlainText, Key) ->
+ encrypt_public(PlainText, Key, []).
+encrypt_public(PlainText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_oaep_padding),
+ pubkey_crypto:encrypt_public(PlainText, Key, Padding).
+
+encrypt_private(PlainText, Key) ->
+ encrypt_private(PlainText, Key, []).
+encrypt_private(PlainText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_oaep_padding),
+ pubkey_crypto:encrypt_private(PlainText, Key, Padding).
+
+%%--------------------------------------------------------------------
+%% Function: pem_to_der(CertSource) ->
+%% pem_to_der(CertSource, Password) -> {ok, [Entry]} |
+%% {error, Reason}
+%%
+%% CertSource = File | CertData
+%% CertData = binary()
+%% File = path()
+%% Password = string()
+%% Entry = {entry_type(), der_bin(), ChipherInfo}
+%% ChipherInfo = opague() | no_encryption
+%% der_bin() = binary()
+%% entry_type() = cert | cert_req | rsa_private_key | dsa_private_key
+%% dh_params
+%%
+%% Description: decode PEM binary data or a PEM file and return
+%% entries as asn1 der encoded entities. Currently supported entry
+%% types are certificates, certificate requests, rsa private keys and
+%% dsa private keys. In the case of a key entry ChipherInfo will be
+%% used by decode_private_key/2 if the key is protected by a password.
+%%--------------------------------------------------------------------
+pem_to_der(CertSource) ->
+ pem_to_der(CertSource, no_passwd).
+
+pem_to_der(File, Password) when is_list(File) ->
+ pubkey_pem:read_file(File, Password);
+pem_to_der(PemBin, Password) when is_binary(PemBin) ->
+ pubkey_pem:decode(PemBin, Password).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_decode_cert(BerCert, Type) -> {ok, Cert} | {error, Reason}
+%%
+%% BerCert = binary()
+%% Type = plain | otp
+%% Cert = certificate()
+%%
+%% Description: Decodes an asn1 ber encoded pkix certificate.
+%% otp - Uses OTP-PKIX.asn1 to decode known extensions and
+%% enhance the signature field in #'Certificate'{} and '#TBSCertificate'{}.
+%%--------------------------------------------------------------------
+pkix_decode_cert(BinCert, Type) ->
+ pubkey_cert_records:decode_cert(BinCert, Type).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_encode_cert(Cert) -> {ok, binary()} | {error, Reason}
+%%
+%% Cert = #'Certificate'{}
+%%
+%% Description: Encodes a certificate record using asn1.
+%%--------------------------------------------------------------------
+pkix_encode_cert(Cert) ->
+ pubkey_cert_records:encode_cert(Cert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_path_validation(TrustedCert, CertChain, Options) ->
+%% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
+%% {error, Reason}
+%%
+%% Description: Performs a bacis path validation according to RFC 3280.
+%%--------------------------------------------------------------------
+pkix_path_validation(TrustedCert, CertChain, Options)
+ when is_binary(TrustedCert) ->
+ {ok, OtpCert} = pkix_decode_cert(TrustedCert, otp),
+ pkix_path_validation(OtpCert, CertChain, Options);
+
+pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
+ when is_list(CertChain), is_list(Options) ->
+ MaxPathDefault = length(CertChain),
+ ValidationState = pubkey_cert:init_validation_state(TrustedCert,
+ MaxPathDefault,
+ Options),
+ Fun = proplists:get_value(validate_extensions_fun, Options,
+ fun(Extensions, State, _, AccError) ->
+ {Extensions, State, AccError}
+ end),
+ Verify = proplists:get_value(verify, Options, true),
+ path_validation(CertChain, ValidationState, Fun, Verify).
+%%--------------------------------------------------------------------
+%% Function: pkix_is_fixed_dh_cert(Cert) -> true | false
+%%
+%% Description: Checks if a Certificate is a fixed Diffie-Hellman Cert
+%%--------------------------------------------------------------------
+pkix_is_fixed_dh_cert(#'OTPCertificate'{} = OTPCert) ->
+ pubkey_cert:is_fixed_dh_cert(OTPCert);
+pkix_is_fixed_dh_cert(Cert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_fixed_dh_cert(OtpCert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_is_self_signed(Cert) -> true | false
+%%
+%% Description: Checks if a Certificate is self signed.
+%%--------------------------------------------------------------------
+pkix_is_self_signed(#'OTPCertificate'{} = OTPCert) ->
+ pubkey_cert:is_self_signed(OTPCert);
+pkix_is_self_signed(Cert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_self_signed(OtpCert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_issuer_id(Cert) -> {ok, {SerialNr, Issuer}} | {error, Reason}
+%%
+%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
+%%
+%% Description: Returns the issuer id.
+%%--------------------------------------------------------------------
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, self) ->
+ pubkey_cert:issuer_id(OtpCert, self);
+
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, other) ->
+ pubkey_cert:issuer_id(OtpCert, other);
+
+pkix_issuer_id(Cert, Signed) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_issuer_id(OtpCert, Signed).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_is_issuer(Cert, IssuerCert) -> true | false
+%%
+%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
+%% IssuerCert = asn1_der_encoded() | 'OTPCertificate'{}
+%%
+%% Description: Checks if <IssuerCert> issued <Cert>.
+%%--------------------------------------------------------------------
+pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_issuer(OtpCert, IssuerCert);
+
+pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
+ {ok, OtpIssuerCert} = pkix_decode_cert(IssuerCert, otp),
+ pkix_is_issuer(Cert, OtpIssuerCert);
+
+pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
+ #'OTPCertificate'{tbsCertificate = Candidate}) ->
+ pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
+ Candidate#'OTPTBSCertificate'.subject).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_normalize_general_name(Issuer) ->
+%%
+%% Issuer = general_name() - see PKIX
+%%
+%% Description: Normalizes a general name so that it can be easily
+%% compared to another genral name.
+%%--------------------------------------------------------------------
+pkix_normalize_general_name(Issuer) ->
+ pubkey_cert:normalize_general_name(Issuer).
+
+%%--------------------------------------------------------------------
+%% Function:sign(Msg, Key) -> {ok, Signature}
+%% sign(Msg, Key, KeyParams) -> {ok, Signature}
+%%
+%% Msg = binary() | #'TBSCertificate'{}
+%% Key = private_key()
+%% KeyParams = key_params()
+%% Signature = binary()
+%%
+%% Description: Signs plaintext Msg or #TBSCertificate{}, in the later
+%% case a der encoded "#Certificate{}" will be returned.
+%%--------------------------------------------------------------------
+sign(Msg, #'RSAPrivateKey'{} = Key) when is_binary(Msg) ->
+ pubkey_crypto:sign(Msg, Key);
+
+sign(Msg, #'DSAPrivateKey'{} = Key) when is_binary(Msg) ->
+ pubkey_crypto:sign(Msg, Key);
+
+sign(#'OTPTBSCertificate'{signature = SigAlg} = TBSCert, Key) ->
+ Msg = pubkey_cert_records:encode_tbs_cert(TBSCert),
+ DigestType = pubkey_cert:digest_type(SigAlg),
+ Signature = pubkey_crypto:sign(DigestType, Msg, Key),
+ Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
+ signatureAlgorithm = SigAlg,
+ signature = {0, Signature}
+ },
+ pkix_encode_cert(Cert).
+
+sign(DigestType, Msg, Key) ->
+ pubkey_crypto:sign(DigestType, Msg, Key).
+
+%%--------------------------------------------------------------------
+%% Function: verify_signature(PlainText, DigestType, Signature, Key) ->
+%% verify_signature(PlainText, DigestType,
+%% Signature, Key, KeyParams) ->
+%% verify_signature(DerCert, Key, KeyParams) ->
+%%
+%% PlainText = binary()
+%% DigestType = md5 | sha
+%% DerCert = asn1_der_encoded()
+%% Signature = binary()
+%% Key = public_key()
+%% KeyParams = key_params()
+%% Verified = boolean()
+%%
+%% Description: Verifies the signature <Signature>.
+%%--------------------------------------------------------------------
+verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key)
+ when is_binary(PlainText), is_binary(Signature), DigestType == sha;
+ DigestType == md5 ->
+ pubkey_crypto:verify(DigestType, PlainText, Signature, Key, undefined).
+
+verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key,
+ KeyParams)
+ when is_binary(PlainText), is_binary(Signature), DigestType == sha;
+ DigestType == md5 ->
+ pubkey_crypto:verify(DigestType, PlainText, Signature, Key, KeyParams);
+verify_signature(PlainText, sha, Signature, Key, #'Dss-Parms'{} = KeyParams)
+ when is_binary(PlainText), is_binary(Signature), is_integer(Key) ->
+ pubkey_crypto:verify(sha, PlainText, Signature, Key, KeyParams).
+
+verify_signature(DerCert, Key, #'Dss-Parms'{} = KeyParams)
+ when is_binary(DerCert), is_integer(Key) ->
+ pubkey_cert:verify_signature(DerCert, Key, KeyParams);
+verify_signature(DerCert, #'RSAPublicKey'{} = Key, KeyParams)
+ when is_binary(DerCert) ->
+ pubkey_cert:verify_signature(DerCert, Key, KeyParams).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+path_validation([], #path_validation_state{working_public_key_algorithm
+ = Algorithm,
+ working_public_key =
+ PublicKey,
+ working_public_key_parameters
+ = PublicKeyParams,
+ valid_policy_tree = Tree,
+ acc_errors = AccErrors
+ }, _, _) ->
+ {ok, {{Algorithm, PublicKey, PublicKeyParams}, Tree, AccErrors}};
+
+path_validation([DerCert | Rest], ValidationState = #path_validation_state{
+ max_path_length = Len},
+ Fun, Verify) when Len >= 0 ->
+ try validate(DerCert,
+ ValidationState#path_validation_state{last_cert=Rest=:=[]},
+ Fun, Verify) of
+ #path_validation_state{} = NewValidationState ->
+ path_validation(Rest, NewValidationState, Fun, Verify)
+ catch
+ throw:Reason ->
+ {error, Reason}
+ end;
+
+path_validation(_, _, _, true) ->
+ {error, {bad_cert, max_path_length_reached}};
+
+path_validation(_, #path_validation_state{working_public_key_algorithm
+ = Algorithm,
+ working_public_key =
+ PublicKey,
+ working_public_key_parameters
+ = PublicKeyParams,
+ valid_policy_tree = Tree,
+ acc_errors = AccErrors
+ }, _, false) ->
+ {ok, {{Algorithm, PublicKey, PublicKeyParams}, Tree,
+ [{bad_cert, max_path_length_reached}|AccErrors]}}.
+
+validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
+ working_public_key = Key,
+ working_public_key_parameters =
+ KeyParams,
+ permitted_subtrees = Permit,
+ excluded_subtrees = Exclude,
+ last_cert = Last,
+ user_state = UserState0,
+ acc_errors = AccErr0} =
+ ValidationState0, ValidateExtensionFun, Verify) ->
+ {ok, OtpCert} = pkix_decode_cert(DerCert, otp),
+ %% All validate functions will throw {bad_cert, Reason} if they
+ %% fail and Verify = true if Verify = false errors
+ %% will be accumulated in the validationstate
+ AccErr1 = pubkey_cert:validate_time(OtpCert, AccErr0, Verify),
+
+ AccErr2 = pubkey_cert:validate_issuer(OtpCert, Issuer, AccErr1, Verify),
+
+ AccErr3 = pubkey_cert:validate_names(OtpCert, Permit, Exclude, Last,
+ AccErr2, Verify),
+ AccErr4 =
+ pubkey_cert:validate_revoked_status(OtpCert, Verify, AccErr3),
+
+ {ValidationState1, UnknownExtensions0, AccErr5} =
+ pubkey_cert:validate_extensions(OtpCert, ValidationState0, Verify,
+ AccErr4),
+ %% We want the key_usage extension to be checked before we validate
+ %% the signature.
+ AccErr6 =
+ pubkey_cert:validate_signature(OtpCert, DerCert, Key, KeyParams,
+ AccErr5, Verify),
+
+ {UnknownExtensions, UserState, AccErr7} =
+ ValidateExtensionFun(UnknownExtensions0, UserState0, Verify, AccErr6),
+
+ %% Check that all critical extensions have been handled
+ AccErr =
+ pubkey_cert:validate_unknown_extensions(UnknownExtensions, AccErr7,
+ Verify),
+ ValidationState =
+ ValidationState1#path_validation_state{user_state = UserState,
+ acc_errors = AccErr},
+ pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState).
diff --git a/lib/public_key/test/Makefile b/lib/public_key/test/Makefile
new file mode 100644
index 0000000000..2a4687677c
--- /dev/null
+++ b/lib/public_key/test/Makefile
@@ -0,0 +1,83 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+
+INCLUDES= -I. -I$(ERL_TOP)/lib/test_server/include/ -I ../include \
+
+# ----------------------------------------------------
+# Target Specs
+# ----------------------------------------------------
+
+MODULES= \
+ public_key_SUITE \
+ pkits_SUITE
+
+ERL_FILES= $(MODULES:%=%.erl)
+
+HRL_FILES=
+
+TARGET_FILES= \
+ $(MODULES:%=$(EBIN)/%.$(EMULATOR))
+
+SPEC_FILES = public_key.spec
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/public_key_test
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+ERL_COMPILE_FLAGS += $(INCLUDES)
+
+EBIN = .
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+
+tests debug opt: $(TARGET_FILES)
+
+
+clean:
+ rm -f $(TARGET_FILES)
+ rm -f core
+
+docs:
+
+# ----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+release_spec: opt
+
+release_tests_spec: opt
+ $(INSTALL_DIR) $(RELSYSDIR)
+ $(INSTALL_DATA) $(SPEC_FILES) $(ERL_FILES) $(HRL_FILES)$(RELSYSDIR)
+ $(INSTALL_DATA) $(TARGET_FILES) $(RELSYSDIR)
+ chmod -f -R u+w $(RELSYSDIR)
+ @tar cf - *_SUITE_data | (cd $(RELSYSDIR); tar xf -)
+release_docs_spec:
+
+
diff --git a/lib/public_key/test/pkits_SUITE.erl b/lib/public_key/test/pkits_SUITE.erl
new file mode 100644
index 0000000000..5d58b39e26
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE.erl
@@ -0,0 +1,604 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+
+%% Se specification here:
+%% http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
+
+-module(pkits_SUITE).
+
+-compile(export_all).
+
+%%-include_lib("public_key/include/public_key.hrl").
+-include("public_key.hrl").
+
+-define(error(Format,Args), error(Format,Args,?FILE,?LINE)).
+-define(warning(Format,Args), warning(Format,Args,?FILE,?LINE)).
+
+-define(CERTS, "pkits/certs").
+-define(MIME, "pkits/smime").
+-define(CONV, "pkits/smime-pem").
+
+-define(NIST1, "2.16.840.1.101.3.2.1.48.1").
+-define(NIST2, "2.16.840.1.101.3.2.1.48.2").
+-define(NIST3, "2.16.840.1.101.3.2.1.48.3").
+-define(NIST4, "2.16.840.1.101.3.2.1.48.4").
+-define(NIST5, "2.16.840.1.101.3.2.1.48.5").
+-define(NIST6, "2.16.840.1.101.3.2.1.48.6").
+
+%%
+all(doc) ->
+ ["PKITS tests for RFC3280 compliance"];
+all(suite) ->
+ [signature_verification,
+ validity_periods,
+ verifying_name_chaining,
+ %% basic_certificate_revocation_tests,
+ verifying_paths_with_self_issued_certificates,
+ verifying_basic_constraints,
+ key_usage,
+%% certificate_policies,
+%% require_explicit_policy,
+%% policy_mappings,
+%% inhibit_policy_mapping,
+%% inhibit_any_policy,
+ name_constraints,
+%% distribution_points,
+%% delta_crls,
+ private_certificate_extensions].
+
+signature_verification(doc) -> [""];
+signature_verification(suite) -> [];
+signature_verification(Config) when is_list(Config) ->
+ run(signature_verification()).
+validity_periods(doc) -> [""];
+validity_periods(suite) -> [];
+validity_periods(Config) when is_list(Config) ->
+ run(validity_periods()).
+verifying_name_chaining(doc) -> [""];
+verifying_name_chaining(suite) -> [];
+verifying_name_chaining(Config) when is_list(Config) ->
+ run(verifying_name_chaining()).
+basic_certificate_revocation_tests(doc) -> [""];
+basic_certificate_revocation_tests(suite) -> [];
+basic_certificate_revocation_tests(Config) when is_list(Config) ->
+ run(basic_certificate_revocation_tests()).
+verifying_paths_with_self_issued_certificates(doc) -> [""];
+verifying_paths_with_self_issued_certificates(suite) -> [];
+verifying_paths_with_self_issued_certificates(Config) when is_list(Config) ->
+ run(verifying_paths_with_self_issued_certificates()).
+verifying_basic_constraints(doc) -> [""];
+verifying_basic_constraints(suite) -> [];
+verifying_basic_constraints(Config) when is_list(Config) ->
+ run(verifying_basic_constraints()).
+key_usage(doc) -> [""];
+key_usage(suite) -> [];
+key_usage(Config) when is_list(Config) ->
+ run(key_usage()).
+certificate_policies(doc) -> [""];
+certificate_policies(suite) -> [];
+certificate_policies(Config) when is_list(Config) ->
+ run(certificate_policies()).
+require_explicit_policy(doc) -> [""];
+require_explicit_policy(suite) -> [];
+require_explicit_policy(Config) when is_list(Config) ->
+ run(require_explicit_policy()).
+policy_mappings(doc) -> [""];
+policy_mappings(suite) -> [];
+policy_mappings(Config) when is_list(Config) ->
+ run(policy_mappings()).
+inhibit_policy_mapping(doc) -> [""];
+inhibit_policy_mapping(suite) -> [];
+inhibit_policy_mapping(Config) when is_list(Config) ->
+ run(inhibit_policy_mapping()).
+inhibit_any_policy(doc) -> [""];
+inhibit_any_policy(suite) -> [];
+inhibit_any_policy(Config) when is_list(Config) ->
+ run(inhibit_any_policy()).
+name_constraints(doc) -> [""];
+name_constraints(suite) -> [];
+name_constraints(Config) when is_list(Config) ->
+ run(name_constraints()).
+distribution_points(doc) -> [""];
+distribution_points(suite) -> [];
+distribution_points(Config) when is_list(Config) ->
+ run(distribution_points()).
+delta_crls(doc) -> [""];
+delta_crls(suite) -> [];
+delta_crls(Config) when is_list(Config) ->
+ run(delta_crls()).
+private_certificate_extensions(doc) -> [""];
+private_certificate_extensions(suite) -> [];
+private_certificate_extensions(Config) when is_list(Config) ->
+ run(private_certificate_extensions()).
+
+run() ->
+ catch crypto:start(),
+ Tests =
+ [signature_verification(),
+ validity_periods(),
+ verifying_name_chaining(),
+ %%basic_certificate_revocation_tests(),
+ verifying_paths_with_self_issued_certificates(),
+ verifying_basic_constraints(),
+ key_usage(),
+ %%certificate_policies(),
+ %%require_explicit_policy(),
+ %%policy_mappings(),
+ %%inhibit_policy_mapping(),
+ %%inhibit_any_policy(),
+ name_constraints(),
+ %distribution_points(),
+ %delta_crls(),
+ private_certificate_extensions()
+ ],
+ run(lists:append(Tests)).
+
+run(Tests) ->
+ File = file(?CERTS,"TrustAnchorRootCertificate.crt"),
+ {ok, TA} = file:read_file(File),
+ run(Tests, TA).
+
+run({Chap, Test, Result}, TA) ->
+ CertChain = sort_chain(read_certs(Test),TA, [], false),
+ try public_key:pkix_path_validation(TA, CertChain, []) of
+ {Result, _} -> ok;
+ {error,Result} when Result =/= ok ->
+ ok;
+ {error,Error} when is_integer(Result) ->
+ ?warning(" ~p~n Got ~p expected ~p~n",[Test, Error, Result]);
+ {error,Error} when Result =/= ok ->
+ ?error(" minor ~p~n Got ~p expected ~p~n",[Test, Error, Result]);
+ {error, Error} ->
+ ?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, Error]),
+ fail;
+ {ok, _} when Result =/= ok ->
+ ?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, ok]),
+ fail
+ catch Type:Reason ->
+ Stack = erlang:get_stacktrace(),
+ io:format("Crash ~p:~p in ~p~n",[Type,Reason,Stack]),
+ io:format(" ~p ~p Expected ~p ~n", [Chap, Test, Result]),
+ exit(crash)
+ end;
+
+run([Test|Rest],TA) ->
+ run(Test,TA),
+ run(Rest,TA);
+run([],_) -> ok.
+
+
+read_certs(Test) ->
+ File = test_file(Test),
+ %% io:format("Read ~p ",[File]),
+ {ok, Ders} = public_key:pem_to_der(File),
+ %% io:format("Ders ~p ~n",[length(Ders)]),
+ [Cert || {cert,Cert,not_encrypted} <- Ders].
+
+test_file(Test) ->
+ file(?CONV, lists:append(string:tokens(Test, " -")) ++ ".pem").
+
+file(Sub,File) ->
+ TestDir = case get(datadir) of
+ undefined -> "./pkits_SUITE_data";
+ Dir when is_list(Dir) ->
+ Dir
+ end,
+ AbsFile = filename:join([TestDir,Sub,File]),
+ case filelib:is_file(AbsFile) of
+ true -> ok;
+ false ->
+ ?error("Couldn't read data from ~p ~n",[AbsFile])
+ end,
+ AbsFile.
+
+sort_chain([First|Certs], TA, Try, Found) ->
+ case public_key:pkix_is_issuer(First,TA) of
+ true ->
+ [First|sort_chain(Certs,First,Try,true)];
+ false ->
+ sort_chain(Certs,TA,[First|Try],Found)
+ end;
+sort_chain([], _, [],_) -> [];
+sort_chain([], Valid, Check, true) ->
+ sort_chain(lists:reverse(Check), Valid, [], false);
+sort_chain([], _Valid, Check, false) ->
+ Check.
+
+signature_verification() ->
+ %% "4.1", "Signature Verification" ,
+ [{ "4.1.1", "Valid Signatures Test1", ok},
+ { "4.1.2", "Invalid CA Signature Test2", {bad_cert,invalid_signature}},
+ { "4.1.3", "Invalid EE Signature Test3", {bad_cert,invalid_signature}},
+ { "4.1.4", "Valid DSA Signatures Test4", ok},
+ { "4.1.5", "Valid DSA Parameter Inheritance Test5", ok},
+ { "4.1.6", "Invalid DSA Signature Test6", {bad_cert,invalid_signature}}].
+validity_periods() ->
+ %% { "4.2", "Validity Periods" },
+ [{ "4.2.1", "Invalid CA notBefore Date Test1", {bad_cert, cert_expired}},
+ { "4.2.2", "Invalid EE notBefore Date Test2", {bad_cert, cert_expired}},
+ { "4.2.3", "Valid pre2000 UTC notBefore Date Test3", ok},
+ { "4.2.4", "Valid GeneralizedTime notBefore Date Test4", ok},
+ { "4.2.5", "Invalid CA notAfter Date Test5", {bad_cert, cert_expired}},
+ { "4.2.6", "Invalid EE notAfter Date Test6", {bad_cert, cert_expired}},
+ { "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", {bad_cert, cert_expired}},
+ { "4.2.8", "Valid GeneralizedTime notAfter Date Test8", ok}].
+verifying_name_chaining() ->
+ %%{ "4.3", "Verifying Name Chaining" },
+ [{ "4.3.1", "Invalid Name Chaining EE Test1", {bad_cert, invalid_issuer}},
+ { "4.3.2", "Invalid Name Chaining Order Test2", {bad_cert, invalid_issuer}},
+ { "4.3.3", "Valid Name Chaining Whitespace Test3", ok},
+ { "4.3.4", "Valid Name Chaining Whitespace Test4", ok},
+ { "4.3.5", "Valid Name Chaining Capitalization Test5", ok},
+ { "4.3.6", "Valid Name Chaining UIDs Test6", ok},
+ { "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", ok},
+ { "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", ok},
+ { "4.3.9", "Valid UTF8String Encoded Names Test9", ok},
+ { "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", ok},
+ { "4.3.11", "Valid UTF8String Case Insensitive Match Test11", ok}].
+basic_certificate_revocation_tests() ->
+ %%{ "4.4", "Basic Certificate Revocation Tests" },
+ [{ "4.4.1", "Missing CRL Test1", 3 },
+ { "4.4.2", "Invalid Revoked CA Test2", 23 },
+ { "4.4.3", "Invalid Revoked EE Test3", 23 },
+ { "4.4.4", "Invalid Bad CRL Signature Test4", 8 },
+ { "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 },
+ { "4.4.6", "Invalid Wrong CRL Test6", 3 },
+ { "4.4.7", "Valid Two CRLs Test7", ok},
+
+ %% The test document suggests these should return certificate revoked...
+ %% Subsquent discussion has concluded they should not due to unhandle
+ %% critical CRL extensions.
+ { "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 },
+ { "4.4.9", "Invalid Unknown CRL Extension Test9", 36 },
+
+ { "4.4.10", "Invalid Unknown CRL Extension Test10", 36 },
+ { "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 },
+ { "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 },
+ { "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", ok},
+ { "4.4.14", "Valid Negative Serial Number Test14", ok},
+ { "4.4.15", "Invalid Negative Serial Number Test15", 23 },
+ { "4.4.16", "Valid Long Serial Number Test16", ok},
+ { "4.4.17", "Valid Long Serial Number Test17", ok},
+ { "4.4.18", "Invalid Long Serial Number Test18", 23 },
+ { "4.4.19", "Valid Separate Certificate and CRL Keys Test19", ok},
+ { "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 },
+
+ %% CRL path is revoked so get a CRL path validation error
+ { "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 }].
+verifying_paths_with_self_issued_certificates() ->
+ %%{ "4.5", "Verifying Paths with Self-Issued Certificates" },
+ [{ "4.5.1", "Valid Basic Self-Issued Old With New Test1", ok},
+ %%{ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 },
+ %%{ "4.5.3", "Valid Basic Self-Issued New With Old Test3", ok},
+ %%{ "4.5.4", "Valid Basic Self-Issued New With Old Test4", ok},
+ { "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 },
+ %%{ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", ok},
+ { "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 },
+ { "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", {bad_cert,invalid_key_usage} }].
+verifying_basic_constraints() ->
+ [%%{ "4.6", "Verifying Basic Constraints" },
+ { "4.6.1", "Invalid Missing basicConstraints Test1",
+ {bad_cert, missing_basic_constraint} },
+ { "4.6.2", "Invalid cA False Test2", {bad_cert, missing_basic_constraint}},
+ { "4.6.3", "Invalid cA False Test3", {bad_cert, missing_basic_constraint}},
+ { "4.6.4", "Valid basicConstraints Not Critical Test4", ok},
+ { "4.6.5", "Invalid pathLenConstraint Test5", {bad_cert, max_path_length_reached}},
+ { "4.6.6", "Invalid pathLenConstraint Test6", {bad_cert, max_path_length_reached}},
+ { "4.6.7", "Valid pathLenConstraint Test7", ok},
+ { "4.6.8", "Valid pathLenConstraint Test8", ok},
+ { "4.6.9", "Invalid pathLenConstraint Test9", {bad_cert, max_path_length_reached}},
+ { "4.6.10", "Invalid pathLenConstraint Test10", {bad_cert, max_path_length_reached}},
+ { "4.6.11", "Invalid pathLenConstraint Test11", {bad_cert, max_path_length_reached}},
+ { "4.6.12", "Invalid pathLenConstraint Test12", {bad_cert, max_path_length_reached}},
+ { "4.6.13", "Valid pathLenConstraint Test13", ok},
+ { "4.6.14", "Valid pathLenConstraint Test14", ok},
+ { "4.6.15", "Valid Self-Issued pathLenConstraint Test15", ok},
+ { "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", {bad_cert, max_path_length_reached}},
+ { "4.6.17", "Valid Self-Issued pathLenConstraint Test17", ok}].
+key_usage() ->
+ %%{ "4.7", "Key Usage" },
+ [{ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", {bad_cert,invalid_key_usage} },
+ { "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", {bad_cert,invalid_key_usage} },
+ { "4.7.3", "Valid keyUsage Not Critical Test3", ok}
+ %%,{ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 }
+ %%,{ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 }
+ ].
+
+%% Certificate policy tests need special handling. They can have several
+%% sub tests and we need to check the outputs are correct.
+
+certificate_policies() ->
+ %%{ "4.8", "Certificate Policies" },
+ [{"4.8.1.1", "All Certificates Same Policy Test1", "-policy anyPolicy -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.1.2", "All Certificates Same Policy Test1", "-policy ?NIST1 -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.1.3", "All Certificates Same Policy Test1", "-policy ?NIST2 -explicit_policy", "True", ?NIST1, "<empty>", 43},
+ {"4.8.1.4", "All Certificates Same Policy Test1", "-policy ?NIST1 -policy ?NIST2 -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.2.1", "All Certificates No Policies Test2", "-policy anyPolicy", "False", "<empty>", "<empty>", 0},
+ {"4.8.2.2", "All Certificates No Policies Test2", "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43},
+ {"4.8.3.1", "Different Policies Test3", "-policy anyPolicy", "False", "<empty>", "<empty>", 0},
+ {"4.8.3.2", "Different Policies Test3", "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43},
+ {"4.8.3.3", "Different Policies Test3", "-policy ?NIST1 -policy ?NIST2 -explicit_policy", "True", "<empty>", "<empty>", 43},
+ {"4.8.4", "Different Policies Test4", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.5", "Different Policies Test5", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.6.1", "Overlapping Policies Test6", "-policy anyPolicy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.6.2", "Overlapping Policies Test6", "-policy ?NIST1", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.6.3", "Overlapping Policies Test6", "-policy ?NIST2", "True", ?NIST1, "<empty>", 43},
+ {"4.8.7", "Different Policies Test7", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.8", "Different Policies Test8", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.9", "Different Policies Test9", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.10.1", "All Certificates Same Policies Test10", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+ {"4.8.10.2", "All Certificates Same Policies Test10", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.8.10.3", "All Certificates Same Policies Test10", "-policy anyPolicy", "True", "?NIST1:?NIST2", "?NIST1:?NIST2", 0},
+ {"4.8.11.1", "All Certificates AnyPolicy Test11", "-policy anyPolicy", "True", "$apolicy", "$apolicy", 0},
+ {"4.8.11.2", "All Certificates AnyPolicy Test11", "-policy ?NIST1", "True", "$apolicy", "?NIST1", 0},
+ {"4.8.12", "Different Policies Test12", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.8.13.1", "All Certificates Same Policies Test13", "-policy ?NIST1", "True", "?NIST1:?NIST2:?NIST3", "?NIST1", 0},
+ {"4.8.13.2", "All Certificates Same Policies Test13", "-policy ?NIST2", "True", "?NIST1:?NIST2:?NIST3", "?NIST2", 0},
+ {"4.8.13.3", "All Certificates Same Policies Test13", "-policy ?NIST3", "True", "?NIST1:?NIST2:?NIST3", "?NIST3", 0},
+ {"4.8.14.1", "AnyPolicy Test14", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.8.14.2", "AnyPolicy Test14", "-policy ?NIST2", "True", "?NIST1", "<empty>", 43},
+ {"4.8.15", "User Notice Qualifier Test15", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.16", "User Notice Qualifier Test16", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.17", "User Notice Qualifier Test17", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.18.1", "User Notice Qualifier Test18", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+ {"4.8.18.2", "User Notice Qualifier Test18", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.8.19", "User Notice Qualifier Test19", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.20", "CPS Pointer Qualifier Test20", "-policy anyPolicy -explicit_policy", "True", "?NIST1", "?NIST1", 0}].
+require_explicit_policy() ->
+ %%{ "4.9", "Require Explicit Policy" },
+ [{"4.9.1", "Valid RequireExplicitPolicy Test1", "-policy anyPolicy", "False", "<empty>", "<empty>", 0},
+ {"4.9.2", "Valid RequireExplicitPolicy Test2", "-policy anyPolicy", "False", "<empty>", "<empty>", 0},
+ {"4.9.3", "Invalid RequireExplicitPolicy Test3", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.9.4", "Valid RequireExplicitPolicy Test4", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.9.5", "Invalid RequireExplicitPolicy Test5", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.9.6", "Valid Self-Issued requireExplicitPolicy Test6", "-policy anyPolicy", "False", "<empty>", "<empty>", 0},
+ {"4.9.7", "Invalid Self-Issued requireExplicitPolicy Test7", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.9.8", "Invalid Self-Issued requireExplicitPolicy Test8", "-policy anyPolicy", "True", "<empty>", "<empty>", 43}].
+policy_mappings() ->
+ %%{ "4.10", "Policy Mappings" },
+ [{"4.10.1.1", "Valid Policy Mapping Test1", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.1.2", "Valid Policy Mapping Test1", "-policy ?NIST2", "True", "?NIST1", "<empty>", 43},
+ {"4.10.1.3", "Valid Policy Mapping Test1", "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43},
+ {"4.10.2.1", "Invalid Policy Mapping Test2", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.10.2.2", "Invalid Policy Mapping Test2", "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43},
+ {"4.10.3.1", "Valid Policy Mapping Test3", "-policy ?NIST1", "True", "?NIST2", "<empty>", 43},
+ {"4.10.3.2", "Valid Policy Mapping Test3", "-policy ?NIST2", "True", "?NIST2", "?NIST2", 0},
+ {"4.10.4", "Invalid Policy Mapping Test4", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.10.5.1", "Valid Policy Mapping Test5", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.5.2", "Valid Policy Mapping Test5", "-policy ?NIST6", "True", "?NIST1", "<empty>", 43},
+ {"4.10.6.1", "Valid Policy Mapping Test6", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.6.2", "Valid Policy Mapping Test6", "-policy ?NIST6", "True", "?NIST1", "<empty>", 43},
+ { "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 },
+ { "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 },
+ {"4.10.9", "Valid Policy Mapping Test9", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.10", "Invalid Policy Mapping Test10", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.10.11", "Valid Policy Mapping Test11", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.12.1", "Valid Policy Mapping Test12", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.12.2", "Valid Policy Mapping Test12", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.10.13", "Valid Policy Mapping Test13", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.14", "Valid Policy Mapping Test14", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0}].
+
+inhibit_policy_mapping() ->
+ %%{ "4.11", "Inhibit Policy Mapping" },
+ [{"4.11.1", "Invalid inhibitPolicyMapping Test1", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.2", "Valid inhibitPolicyMapping Test2", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.11.3", "Invalid inhibitPolicyMapping Test3", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.4", "Valid inhibitPolicyMapping Test4", "-policy anyPolicy", "True", "?NIST2", "?NIST2", 0},
+ {"4.11.5", "Invalid inhibitPolicyMapping Test5", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.6", "Invalid inhibitPolicyMapping Test6", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.7", "Valid Self-Issued inhibitPolicyMapping Test7", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.11.8", "Invalid Self-Issued inhibitPolicyMapping Test8", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.9", "Invalid Self-Issued inhibitPolicyMapping Test9", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.10", "Invalid Self-Issued inhibitPolicyMapping Test10", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.11.11", "Invalid Self-Issued inhibitPolicyMapping Test11", "-policy anyPolicy", "True", "<empty>", "<empty>", 43}].
+inhibit_any_policy() ->
+ %%{ "4.12", "Inhibit Any Policy" },
+ [{"4.12.1", "Invalid inhibitAnyPolicy Test1", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.12.2", "Valid inhibitAnyPolicy Test2", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.12.3.1", "inhibitAnyPolicy Test3", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.12.3.2", "inhibitAnyPolicy Test3", "-policy anyPolicy -inhibit_any", "True", "<empty>", "<empty>", 43},
+ {"4.12.4", "Invalid inhibitAnyPolicy Test4", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.12.5", "Invalid inhibitAnyPolicy Test5", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.12.6", "Invalid inhibitAnyPolicy Test6", "-policy anyPolicy", "True", "<empty>", "<empty>", 43},
+ {"4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", ok},
+ {"4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 },
+ {"4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", ok},
+ {"4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 }].
+
+name_constraints() ->
+ %%{ "4.13", "Name Constraints" },
+ [{ "4.13.1", "Valid DN nameConstraints Test1", ok},
+ { "4.13.2", "Invalid DN nameConstraints Test2", {bad_cert, name_not_permitted}},
+ { "4.13.3", "Invalid DN nameConstraints Test3", {bad_cert, name_not_permitted}},
+ { "4.13.4", "Valid DN nameConstraints Test4", ok},
+ { "4.13.5", "Valid DN nameConstraints Test5", ok},
+ { "4.13.6", "Valid DN nameConstraints Test6", ok},
+ { "4.13.7", "Invalid DN nameConstraints Test7", {bad_cert, name_not_permitted}},
+ { "4.13.8", "Invalid DN nameConstraints Test8", {bad_cert, name_not_permitted}},
+ { "4.13.9", "Invalid DN nameConstraints Test9", {bad_cert, name_not_permitted}},
+ { "4.13.10", "Invalid DN nameConstraints Test10", {bad_cert, name_not_permitted}},
+ { "4.13.11", "Valid DN nameConstraints Test11", ok},
+ { "4.13.12", "Invalid DN nameConstraints Test12", {bad_cert, name_not_permitted}},
+ { "4.13.13", "Invalid DN nameConstraints Test13", {bad_cert, name_not_permitted}},
+ { "4.13.14", "Valid DN nameConstraints Test14", ok},
+ { "4.13.15", "Invalid DN nameConstraints Test15", {bad_cert, name_not_permitted}},
+ { "4.13.16", "Invalid DN nameConstraints Test16", {bad_cert, name_not_permitted}},
+ { "4.13.17", "Invalid DN nameConstraints Test17", {bad_cert, name_not_permitted}},
+ { "4.13.18", "Valid DN nameConstraints Test18", ok},
+ { "4.13.19", "Valid Self-Issued DN nameConstraints Test19", ok},
+ { "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", {bad_cert, name_not_permitted} },
+ { "4.13.21", "Valid RFC822 nameConstraints Test21", ok},
+ { "4.13.22", "Invalid RFC822 nameConstraints Test22", {bad_cert, name_not_permitted} },
+ { "4.13.23", "Valid RFC822 nameConstraints Test23", ok},
+ { "4.13.24", "Invalid RFC822 nameConstraints Test24", {bad_cert, name_not_permitted} },
+ { "4.13.25", "Valid RFC822 nameConstraints Test25", ok},
+ { "4.13.26", "Invalid RFC822 nameConstraints Test26", {bad_cert, name_not_permitted}},
+ { "4.13.27", "Valid DN and RFC822 nameConstraints Test27", ok},
+ { "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", {bad_cert, name_not_permitted} },
+ { "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", {bad_cert, name_not_permitted} },
+ { "4.13.30", "Valid DNS nameConstraints Test30", ok},
+ { "4.13.31", "Invalid DNS nameConstraints Test31", {bad_cert, name_not_permitted} },
+ { "4.13.32", "Valid DNS nameConstraints Test32", ok},
+ { "4.13.33", "Invalid DNS nameConstraints Test33", {bad_cert, name_not_permitted}},
+ { "4.13.34", "Valid URI nameConstraints Test34", ok},
+ { "4.13.35", "Invalid URI nameConstraints Test35", {bad_cert, name_not_permitted} },
+ { "4.13.36", "Valid URI nameConstraints Test36", ok},
+ { "4.13.37", "Invalid URI nameConstraints Test37", {bad_cert, name_not_permitted}},
+ { "4.13.38", "Invalid DNS nameConstraints Test38", {bad_cert, name_not_permitted} }].
+distribution_points() ->
+ %%{ "4.14", "Distribution Points" },
+ [{ "4.14.1", "Valid distributionPoint Test1", ok},
+ { "4.14.2", "Invalid distributionPoint Test2", 23 },
+ { "4.14.3", "Invalid distributionPoint Test3", 44 },
+ { "4.14.4", "Valid distributionPoint Test4", ok},
+ { "4.14.5", "Valid distributionPoint Test5", ok},
+ { "4.14.6", "Invalid distributionPoint Test6", 23 },
+ { "4.14.7", "Valid distributionPoint Test7", ok},
+ { "4.14.8", "Invalid distributionPoint Test8", 44 },
+ { "4.14.9", "Invalid distributionPoint Test9", 44 },
+ { "4.14.10", "Valid No issuingDistributionPoint Test10", ok},
+ { "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 },
+ { "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 },
+ { "4.14.13", "Valid onlyContainsCACerts CRL Test13", ok},
+ { "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 },
+ { "4.14.15", "Invalid onlySomeReasons Test15", 23 },
+ { "4.14.16", "Invalid onlySomeReasons Test16", 23 },
+ { "4.14.17", "Invalid onlySomeReasons Test17", 3 },
+ { "4.14.18", "Valid onlySomeReasons Test18", ok},
+ { "4.14.19", "Valid onlySomeReasons Test19", ok},
+ { "4.14.20", "Invalid onlySomeReasons Test20", 23 },
+ { "4.14.21", "Invalid onlySomeReasons Test21", 23 },
+ { "4.14.22", "Valid IDP with indirectCRL Test22", ok},
+ { "4.14.23", "Invalid IDP with indirectCRL Test23", 23 },
+ { "4.14.24", "Valid IDP with indirectCRL Test24", ok},
+ { "4.14.25", "Valid IDP with indirectCRL Test25", ok},
+ { "4.14.26", "Invalid IDP with indirectCRL Test26", 44 },
+ { "4.14.27", "Invalid cRLIssuer Test27", 3 },
+ { "4.14.28", "Valid cRLIssuer Test28", ok},
+ { "4.14.29", "Valid cRLIssuer Test29", ok},
+
+ %% Although this test is valid it has a circular dependency. As a result
+ %% an attempt is made to reursively checks a CRL path and rejected due to
+ %% a CRL path validation error. PKITS notes suggest this test does not
+ %% need to be run due to this issue.
+ { "4.14.30", "Valid cRLIssuer Test30", 54 },
+ { "4.14.31", "Invalid cRLIssuer Test31", 23 },
+ { "4.14.32", "Invalid cRLIssuer Test32", 23 },
+ { "4.14.33", "Valid cRLIssuer Test33", ok},
+ { "4.14.34", "Invalid cRLIssuer Test34", 23 },
+ { "4.14.35", "Invalid cRLIssuer Test35", 44 }].
+delta_crls() ->
+ %%{ "4.15", "Delta-CRLs" },
+ [{ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 },
+ { "4.15.2", "Valid delta-CRL Test2", ok},
+ { "4.15.3", "Invalid delta-CRL Test3", 23 },
+ { "4.15.4", "Invalid delta-CRL Test4", 23 },
+ { "4.15.5", "Valid delta-CRL Test5", ok},
+ { "4.15.6", "Invalid delta-CRL Test6", 23 },
+ { "4.15.7", "Valid delta-CRL Test7", ok},
+ { "4.15.8", "Valid delta-CRL Test8", ok},
+ { "4.15.9", "Invalid delta-CRL Test9", 23 },
+ { "4.15.10", "Invalid delta-CRL Test10", 12 }].
+private_certificate_extensions() ->
+ %%{ "4.16", "Private Certificate Extensions" },
+ [{ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", ok},
+ { "4.16.2", "Invalid Unknown Critical Certificate Extension Test2",
+ {bad_cert,unknown_critical_extension}}].
+
+
+convert() ->
+ Tests = [signature_verification(),
+ validity_periods(),
+ verifying_name_chaining(),
+ basic_certificate_revocation_tests(),
+ verifying_paths_with_self_issued_certificates(),
+ verifying_basic_constraints(),
+ key_usage(),
+ certificate_policies(),
+ require_explicit_policy(),
+ policy_mappings(),
+ inhibit_policy_mapping(),
+ inhibit_any_policy(),
+ name_constraints(),
+ distribution_points(),
+ delta_crls(),
+ private_certificate_extensions()],
+ [convert(Test) || Test <- lists:flatten(Tests)].
+
+convert({_,Test,_}) ->
+ convert1(Test);
+convert({_,Test,_,_,_,_,_}) ->
+ convert1(Test).
+
+convert1(Test) ->
+ FName = lists:append(string:tokens(Test, " -")),
+ File = filename:join(?MIME, "Signed" ++ FName ++ ".eml"),
+ io:format("Convert ~p~n",[File]),
+ {ok, Mail} = file:read_file(File),
+ Base64 = skip_lines(Mail),
+ %%io:format("~s",[Base64]),
+ Tmp = base64:mime_decode(Base64),
+ file:write_file("pkits/smime-pem/tmp-pkcs7.der", Tmp),
+ Cmd = "openssl pkcs7 -inform der -in pkits/smime-pem/tmp-pkcs7.der"
+ " -print_certs -out pkits/smime-pem/" ++ FName ++ ".pem",
+ case os:cmd(Cmd) of
+ "" -> ok;
+ Err ->
+ io:format("~s",[Err]),
+ erlang:error(bad_cmd)
+ end.
+
+skip_lines(<<"\r\n\r\n", Rest/binary>>) -> Rest;
+skip_lines(<<"\n\n", Rest/binary>>) -> Rest;
+skip_lines(<<_:8, Rest/binary>>) ->
+ skip_lines(Rest).
+
+init_per_testcase(_Func, Config) ->
+ Datadir = proplists:get_value(data_dir, Config),
+ put(datadir, Datadir),
+ Config.
+
+fin_per_testcase(_Func, Config) ->
+ %% Nodes = select_nodes(all, Config, ?FILE, ?LINE),
+ %% rpc:multicall(Nodes, mnesia, lkill, []),
+ Config.
+
+init_per_suite(Config) ->
+ crypto:start(),
+ Config.
+
+end_per_suite(_Config) ->
+ crypto:stop().
+
+error(Format, Args, File0, Line) ->
+ File = filename:basename(File0),
+ Pid = group_leader(),
+ Pid ! {failed, File, Line},
+ io:format(Pid, "~s(~p): ERROR"++Format, [File,Line|Args]).
+
+warning(Format, Args, File0, Line) ->
+ File = filename:basename(File0),
+ io:format("~s(~p): Warning "++Format, [File,Line|Args]).
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt b/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt
new file mode 100644
index 0000000000..21f520ee56
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt
Binary files differ
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem
new file mode 100644
index 0000000000..8f00499440
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=anyPolicy CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfDCCAeWgAwIBAgIBJjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMYW55UG9saWN5
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGOGYJ7e91FozKo0McZ6T1
+zTYa4IXfHqChuqKgri79fgKVZZsKwOyoHWJfsLn6ClknlWE9NJATHZfQp8GfLy9k
+MbdXEKgZQoyWOV2Q0s37ez+I4yuR33JZpxtpKqYQW2fKdhhOdR+DcLwgWUJ4s1Gg
+KCXhxYnC4nfSho/lgR3h/QIDAQABo4GFMIGCMB8GA1UdIwQYMBaAFPts1C2Bnson
+ep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAOBgNV
+HQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMA8GA1UdEwEB/wQFMAMBAf8w
+DAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQA8JxYIM/manOaFxyoO3y+p
+th/jCQFiR6fDo5mhYEOjZuHDWdejSZvNtbpPfNnKmM6W/qI57hZBgVDil9P/CMSi
+wYPJvKl0ofonnhhPd+uMPhJENho/NhWyc1cgruABceTtBP966dRIhejL3K7SewrT
+aV+IWdHVMKREjOXtHakoKQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=All Certificates anyPolicy EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=anyPolicy CA
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBD
+QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMwQWxsIENlcnRp
+ZmljYXRlcyBhbnlQb2xpY3kgRUUgQ2VydGlmaWNhdGUgVGVzdDExMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQDXI8MbFkMJTmeIdP1EpYg8qYdNkQRq1yNQYMHH
+9TxFgw3L7sCGGxJS6PN4SS67CdnNZKNseFT+qAIDIbBw+p6uuAB4PWZEireOFo+s
+PSdbG2Os76qFi12SpIniE64W5aSMzmccMf6RqzuqUROYH8wOzk8w6y+RI2qnkqDx
+0HxJrwIDAQABo2UwYzAfBgNVHSMEGDAWgBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAd
+BgNVHQ4EFgQUC8LFyye3gbbbFeNrasBg1Fq10JYwDgYDVR0PAQH/BAQDAgTwMBEG
+A1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQUFAAOBgQAmASNJNMm+5XfUYE/I
+IhtOmsbGvCrIWyMyhcv7gosAMSsXYU+8CzWpkjP0zS42rEphyqP8zUAWjR/BqUJV
+9uwenHlpNeVflKgq0UVqYeoqc+afpvgLe+2o2Fe81Uz2tQ+LjwRQCm0/dhEVeZ4B
+JutCF8LtmT3hv2RlWp5v1mmG4w==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=anyPolicy CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3E:B3:9E:A2:E4:43:85:FB:67:40:31:86:13:9B:C6:61:ED:86:D5:E2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2a:c3:2d:e7:f3:91:d6:67:7b:66:88:f9:22:e8:64:c9:80:a2:
+ 88:bb:d7:a0:84:a3:75:ab:d5:af:72:d0:fa:1f:ed:4e:42:29:
+ 62:23:32:25:59:4d:a3:45:c1:bc:ae:37:c8:b2:d0:79:00:96:
+ 84:0d:7d:a2:f0:58:d7:c4:99:64:cc:4e:8b:5f:88:f6:6f:cf:
+ ee:39:54:34:8c:7b:0f:e7:43:0b:26:d8:6e:c4:f8:6a:ed:80:
+ 9a:47:d3:38:bb:82:9b:fe:bf:6b:01:6e:c9:e7:8f:3e:cc:b1:
+ 4a:a3:df:86:3a:2d:ca:62:6c:dd:27:a8:51:c2:b4:3f:c5:ba:
+ 90:6c
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBDQRcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUPrOeouRD
+hftnQDGGE5vGYe2G1eIwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAKsMt
+5/OR1md7Zoj5IuhkyYCiiLvXoISjdavVr3LQ+h/tTkIpYiMyJVlNo0XBvK43yLLQ
+eQCWhA19ovBY18SZZMxOi1+I9m/P7jlUNIx7D+dDCybYbsT4au2AmkfTOLuCm/6/
+awFuyeePPsyxSqPfhjotymJs3SeoUcK0P8W6kGw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem
new file mode 100644
index 0000000000..ea336fce35
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem
@@ -0,0 +1,107 @@
+subject=/C=US/O=Test Certificates/CN=No Policies CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICWzCCAcSgAwIBAgIBIjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEXMBUGA1UEAxMOTm8gUG9saWNp
+ZXMgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWH/haSHmzYQAYFLKMA
+cbwROk7OaY3N6TMLQIz4yWrwGzpy+kiIDZ2xVPnyHRHp12VlAI5u78kQKAivhpNw
+ovjgrUmE86zb3/OOa341tubElI6Y9G1Y1tnzPCK+hi1vjrHAHr1Glf8VOgZ9ijpU
+SjXOsw5pFlz22uc7BRI7S/K1AgMBAAGjYzBhMB8GA1UdIwQYMBaAFPts1C2Bnson
+ep4NsDzqmryH/0nqMB0GA1UdDgQWBBRTwRQlfeVbPleR+JYOkJ5dxiWoujAOBgNV
+HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBr
+G1ayCZm1VdyAqi1JuxUTt6bQcd8iNR0vvnl49QzjKgCNRqNV69RCH0U4ZST8D57t
+TVN8DJITlnH+Kbid6OWcgkb+vi5C0SPLPNym18RVzKNQtR88lJCByvNbx/CprRYl
+EfsMrs6FA8loVY0rVrUpEsTjVxyDh+fb8GZ3CAJIng==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=All Certificates No Policies EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=No Policies CA
+-----BEGIN CERTIFICATE-----
+MIICbzCCAdigAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDk5vIFBvbGljaWVz
+IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQDEzFBbGwgQ2Vy
+dGlmaWNhdGVzIE5vIFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3QyMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFHIGRAKQBl4eS/EWvFaVcb/7H30je7Yf
+LmXoIYQGeWJZQfXWSsJyXyoaMhf4uLonxy8mi1Ap8vy3Fqc9b55Cm48xatNCao6D
+W6YbSQu9hiSXCMxjXWnrYfi62KywO6I2y5JbT0CZ2PbQO0lFXYKPaTFDKzgf9l4x
+ppvlkUQdsQIDAQABo1IwUDAfBgNVHSMEGDAWgBRTwRQlfeVbPleR+JYOkJ5dxiWo
+ujAdBgNVHQ4EFgQUy5AB5Gdr2u2a+KXtJZFHFSHyopEwDgYDVR0PAQH/BAQDAgTw
+MA0GCSqGSIb3DQEBBQUAA4GBAGk2l02zPeeK5Xca7UysnHmcjV08jAnZw6WqKJlS
+ZK/upXnIu/i4JXjxhC/aBpFDs1foGPEPb7vPwJBq6psJ/qvrL3FxzWnmp08P4iUP
+c7e9vxXYaMIQC3duKeV6SOn5VrpSPYRfchw/i70FJ+QCw9xAvNZ2X45Pzi9k9xUg
+VfLw
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=No Policies CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:53:C1:14:25:7D:E5:5B:3E:57:91:F8:96:0E:90:9E:5D:C6:25:A8:BA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 32:a4:9a:ca:5f:51:9e:91:db:fb:8a:0a:85:9b:64:c7:08:ef:
+ d5:17:43:34:7b:ad:53:90:4d:d1:43:10:f9:47:88:de:f3:78:
+ 67:2a:3a:4b:0e:5c:1a:a5:ee:19:b9:ef:f9:eb:3f:f1:39:2c:
+ 31:ab:e5:14:a7:90:8a:87:71:c6:78:a1:75:df:84:aa:3a:68:
+ 37:8a:ba:65:79:1f:31:93:8c:4e:6a:f1:1c:3b:fb:68:79:34:
+ 55:5b:42:55:8d:f3:2d:9f:f6:47:8d:64:6a:02:84:0b:97:aa:
+ 2c:c6:96:18:ed:b3:b1:a1:62:b4:73:40:83:00:1f:1e:96:ec:
+ d2:ff
+-----BEGIN X509 CRL-----
+MIIBOzCBpQIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDk5vIFBvbGljaWVzIENBFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBRTwRQl
+feVbPleR+JYOkJ5dxiWoujAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQAy
+pJrKX1Gekdv7igqFm2THCO/VF0M0e61TkE3RQxD5R4je83hnKjpLDlwape4Zue/5
+6z/xOSwxq+UUp5CKh3HGeKF134SqOmg3irpleR8xk4xOavEcO/toeTRVW0JVjfMt
+n/ZHjWRqAoQLl6osxpYY7bOxoWK0c0CDAB8eluzS/w==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem
new file mode 100644
index 0000000000..62412e9602
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Policies P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBJTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPUG9saWNpZXMg
+UDEyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5unCMuN8PuVFWbqxO
+/wnIQsciPiEo1GoKWjM6+kb9l3h6wWyWYwmst2c158qcJLY9PxaUMhqQd/SY0Tt9
+WlHXVcE8rMoWSGmFxfK33UpeCtqwz9ugPSWwZkqx2lI/0ozQXgjYb0J9/EoKw1O0
+CxxrdQdPQkyLD4Uxe87/MlpzsQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFPts1C2B
+nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQA42XpgdSGuccd5/MzOQZeTBGl+TAO
+BgNVHQ8BAf8EBAMCAQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFl
+AwIBMAIwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEB
+BQUAA4GBABX9GMyAC90FH8BvpnNh6SDn2MIT7iINc4/9u64d1dxEhqogqcR58khK
+btHyx8YrgbCcqUNS4Xs7ckW5k2VNAd9dG0Chc0uk6rwkv+sD1/zJi8LIGd/3cFjk
+biIVYqPxb7WpKqo97V+43tMFsTqJNBSh+6W14vlP55+Ep5IlxcOm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=All Certificates Same Policies EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=Policies P12 CA
+-----BEGIN CERTIFICATE-----
+MIICmjCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAx
+MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGgxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE9MDsGA1UEAxM0QWxsIENl
+cnRpZmljYXRlcyBTYW1lIFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3QxMDCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmrdM0DTddXChaxuvVK1/9AmbK3pj
+B7nrBT7FrZ4f+6sp0e/vN7kCNEiAaRq1BDUFjyiesHIoL7gVKw96xoYTQ1qdCGZO
+04GFQtVjtBx8SZCDsvjWgaXxs2BPj3ooNV199aMCiKTeNPm1TwL2zpmGRBaV5As8
+X8eCNYjiya9c6jMCAwEAAaN5MHcwHwYDVR0jBBgwFoAUAONl6YHUhrnHHefzMzkG
+XkwRpfkwHQYDVR0OBBYEFMb2N25TEoHRRp8AmP8/XLXv9HDaMA4GA1UdDwEB/wQE
+AwIE8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjANBgkq
+hkiG9w0BAQUFAAOBgQBM+wZzcjByDVKWb9MADcwg0VTmgmhOhSmt3fqhHagC9q3G
+ZY6+OWkM6gCdmw1JBr9JRTHPl1uo/W5dI4OVIupjsct4ObPWx1yn29VM30lyaYDR
+iBhgjOp5tonCixdFbt7pMnviPwsIDKdQLQz0k8m7d/au9BVHVSlyDoqm0I0uSg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:00:E3:65:E9:81:D4:86:B9:C7:1D:E7:F3:33:39:06:5E:4C:11:A5:F9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a2:21:e6:6b:0b:99:66:79:2d:86:a7:9b:cd:37:9b:4d:73:1f:
+ df:91:63:c4:de:55:15:53:b0:32:ac:c8:3c:bd:96:aa:ae:c9:
+ 4f:b2:7c:9d:40:d7:f4:5d:99:8e:fa:2b:44:2d:75:ef:01:38:
+ 86:c8:59:ae:e4:62:e4:83:b4:73:03:34:d1:7f:52:bc:3d:bb:
+ 77:7e:7c:c9:41:09:4c:08:4f:a9:7f:d9:d9:0f:bc:46:9d:05:
+ 70:2f:66:0b:d4:0d:80:ec:11:83:4e:1b:90:95:ad:86:02:77:
+ e8:19:aa:a6:48:29:a3:9f:36:c3:ec:9a:f5:a4:9a:0b:f5:11:
+ 1d:72
+-----BEGIN X509 CRL-----
+MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAxMiBDQRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUAONl
+6YHUhrnHHefzMzkGXkwRpfkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+oiHmawuZZnkthqebzTebTXMf35FjxN5VFVOwMqzIPL2Wqq7JT7J8nUDX9F2Zjvor
+RC117wE4hshZruRi5IO0cwM00X9SvD27d358yUEJTAhPqX/Z2Q+8Rp0FcC9mC9QN
+gOwRg04bkJWthgJ36Bmqpkgpo582w+ya9aSaC/URHXI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem
new file mode 100644
index 0000000000..888f8c117a
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=Policies P123 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg
+UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s
+xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS
+o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5
+ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt
+gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww
+DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB
+ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD
+gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM
+jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext
+cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY
+kko1SxlW
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=All Certificates Same Policies EE Certificate Test13
+issuer=/C=US/O=Test Certificates/CN=Policies P123 CA
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx
+MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBoMQswCQYDVQQG
+EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPTA7BgNVBAMTNEFsbCBD
+ZXJ0aWZpY2F0ZXMgU2FtZSBQb2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTMw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ6RCve4HAIbl7RQiw7tPY3IJ0oT
+KvS2jsUu4eNuzThRoKW0cWW3N+Jk1rkqgaaebVodXrb9cuDFONWRL0X2DZazb5h/
+4FX3obShqywkydsz7vBoixmRXa/oKtIa78h5zQTSDPR0sJeWIikOUJZMIJv4CNw1
+Pwvu3Y3i9CwT6m2fAgMBAAGjgYgwgYUwHwYDVR0jBBgwFoAU0L/Nm9/xkf2Ch1oQ
+z5Cvi7zyxcwwHQYDVR0OBBYEFGqUba1DKQxc60sgeqLAqyOR/22bMA4GA1UdDwEB
+/wQEAwIE8DAzBgNVHSAELDAqMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjAM
+BgpghkgBZQMCATADMA0GCSqGSIb3DQEBBQUAA4GBAAd1diIEB4YaH7gH6DO1vptE
+G2YpbuvISfPDhWjrLI/sLSJTH3l+kC/GE4FDEHJ0Rc76la5gyUbRwX1zTZKHGyxx
+NhuE3i0XkrAlR6xRUJRcb1SgD7JqMzup7ZuFP9h3+txi71G33fMStCxKGa6ijUKd
+LTzImFXGxbWm6SZujuyJ
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b:
+ 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7:
+ 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65:
+ 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81:
+ 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96:
+ 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41:
+ 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04:
+ ef:9d
+-----BEGIN X509 CRL-----
+MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/
+zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p
+qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs
+95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem
new file mode 100644
index 0000000000..de409f5895
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=Valid EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICajCCAdOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlZhbGlkIEVFIENlcnRp
+ZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtpKu/a6Co
+7KcKOymboEA+MmgoryXHT1dxExmQ1lO7yah2L8j8RG6ox5Tr37TV8Y21ti3MopcF
+H+iXDSX31fixsYCZkcpjMI4kbjXmjGOeFKu1vnbBmcb5JBISiUeg22tIRFoJ4zTh
+i3GLVecGijyOVReA5LiPymEKG7fAB3241wIDAQABo2swaTAfBgNVHSMEGDAWgBS3
+LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUOsyUZQyFqTzB4K9RMyoUSI+e
+kVswDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq
+hkiG9w0BAQUFAAOBgQCkaGfCqYi0681n9Dit36lg3U/9gTZoNqPMaAaLUQV3Crzx
+x2MGInhTyKchYydbV8HD89N2jzzYq7J2KM/ZEAfjskCdsj1SiMNkbYZe3rZZOldr
+PCGFgzUGTNakQxkpxU5j7plivQic/OZ7+mMTi0fnjGRi9M+aa744VmH6FgCt1w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem
new file mode 100644
index 0000000000..82576fb4a3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=anyPolicy EE Certificate Test14
+issuer=/C=US/O=Test Certificates/CN=anyPolicy CA
+-----BEGIN CERTIFICATE-----
+MIICdDCCAd2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBD
+QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEoMCYGA1UEAxMfYW55UG9saWN5
+IEVFIENlcnRpZmljYXRlIFRlc3QxNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAosJmcfDGby4vpcrZs7/LeCfqnvDfXgZakoRonLHgudPwLK839x7AtBqsAAsx
+wYNmtj+gGNu9x2hjBOrEFHjxVhCZbr+V2b3NuZ0C2p+OcSZ6nKYxxmgtP9NrTYZs
+MVo8uJ/d9zDXB7/Hflbl2iOtwHe4CpWlWkAcb55leIZdFx0CAwEAAaNrMGkwHwYD
+VR0jBBgwFoAUPrOeouRDhftnQDGGE5vGYe2G1eIwHQYDVR0OBBYEFEAG933vDjVc
+5TJ4xVFIKNj24AmHMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFl
+AwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAHS2x3KJlEZ/YeT5mje964ccV/zmiYkiy
+SP02lLjIQuB7b4R8xS4TYb6lXC18dc0776mMu6BQVqECrBq71A77N5cd5Xuc/+5U
+5ZMyLiowPxjhgjqMOZV6Vno6zYQh+4bdFIqNZ4Wv1l0KyhvD5KU5gBQ6uK/Gbmgx
+gC2356iQiJE=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=anyPolicy CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfDCCAeWgAwIBAgIBJjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMYW55UG9saWN5
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGOGYJ7e91FozKo0McZ6T1
+zTYa4IXfHqChuqKgri79fgKVZZsKwOyoHWJfsLn6ClknlWE9NJATHZfQp8GfLy9k
+MbdXEKgZQoyWOV2Q0s37ez+I4yuR33JZpxtpKqYQW2fKdhhOdR+DcLwgWUJ4s1Gg
+KCXhxYnC4nfSho/lgR3h/QIDAQABo4GFMIGCMB8GA1UdIwQYMBaAFPts1C2Bnson
+ep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAOBgNV
+HQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMA8GA1UdEwEB/wQFMAMBAf8w
+DAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQA8JxYIM/manOaFxyoO3y+p
+th/jCQFiR6fDo5mhYEOjZuHDWdejSZvNtbpPfNnKmM6W/qI57hZBgVDil9P/CMSi
+wYPJvKl0ofonnhhPd+uMPhJENho/NhWyc1cgruABceTtBP966dRIhejL3K7SewrT
+aV+IWdHVMKREjOXtHakoKQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=anyPolicy CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3E:B3:9E:A2:E4:43:85:FB:67:40:31:86:13:9B:C6:61:ED:86:D5:E2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2a:c3:2d:e7:f3:91:d6:67:7b:66:88:f9:22:e8:64:c9:80:a2:
+ 88:bb:d7:a0:84:a3:75:ab:d5:af:72:d0:fa:1f:ed:4e:42:29:
+ 62:23:32:25:59:4d:a3:45:c1:bc:ae:37:c8:b2:d0:79:00:96:
+ 84:0d:7d:a2:f0:58:d7:c4:99:64:cc:4e:8b:5f:88:f6:6f:cf:
+ ee:39:54:34:8c:7b:0f:e7:43:0b:26:d8:6e:c4:f8:6a:ed:80:
+ 9a:47:d3:38:bb:82:9b:fe:bf:6b:01:6e:c9:e7:8f:3e:cc:b1:
+ 4a:a3:df:86:3a:2d:ca:62:6c:dd:27:a8:51:c2:b4:3f:c5:ba:
+ 90:6c
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBDQRcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUPrOeouRD
+hftnQDGGE5vGYe2G1eIwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAKsMt
+5/OR1md7Zoj5IuhkyYCiiLvXoISjdavVr3LQ+h/tTkIpYiMyJVlNo0XBvK43yLLQ
+eQCWhA19ovBY18SZZMxOi1+I9m/P7jlUNIx7D+dDCybYbsT4au2AmkfTOLuCm/6/
+awFuyeePPsyxSqPfhjotymJs3SeoUcK0P8W6kGw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem
new file mode 100644
index 0000000000..bd06526d83
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem
@@ -0,0 +1,120 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=CPS Pointer Qualifier EE Certificate Test20
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICuTCCAiKgAwIBAgIBFTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK0NQUyBQb2ludGVyIFF1
+YWxpZmllciBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjAwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAMoJaBG/FNuQhA4cgeiGiLpg79tevgtM1J+7DRztxWNGR1ETJ2fT
+76YKUm8p81GifGLyp0GPixlRYrORVU04fWNYnx8Zf7rkoCPeVEDinuLDtIrrENam
+41t/iHh8pI2pzuA+AUUT9MOXDyVHFx+hGhjOseGtcUIJB0h641auD/XtAgMBAAGj
+gagwgaUwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYE
+FMLcmlwicNMKSIWer8jYAJSooOpzMA4GA1UdDwEB/wQEAwIE8DBTBgNVHSAETDBK
+MEgGCmCGSAFlAwIBMAEwOjA4BggrBgEFBQcCARYsaHR0cDovL2NzcmMubmlzdC5n
+b3YvY3Nvci9wa2lyZWcuaHRtI3BraXRlc3QwDQYJKoZIhvcNAQEFBQADgYEAfDo9
+XQCL4ynO7TfTvX9MENaHI304AZw1YU+SP2zkPuDd4HxsI1FK04q1NbIaJ+TOVfk3
+Fke0kNKWelXWa4JcqZ8eg1RxzRsqB47a0IdMOcVwwjKNI5U9KkHRvHjCBMip0wjU
+j6Qw2ktcJRAOZf2zsNks/lq7d2+7udwTCiASQ84=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem
new file mode 100644
index 0000000000..4084a4851c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test12
+issuer=/C=US/O=Test Certificates/CN=Policies P3 CA
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDlBvbGljaWVzIFAz
+IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTEwLwYDVQQDEyhEaWZmZXJl
+bnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVzdDEyMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCyCzdT70A8+vsLoViq8TWIYg7Eta6CLxVYgGuIT/jHnsK+
++FbOsG9GIxdLYhdZrrlKG4cAlkpS/6K9L23KfQGiNNjQ4LaWC/geLyNeOOOrnXBk
+nMhffhtlQ4PzTnEtjtr0fUr5iNZtCZpTUSQKxvZfEL8s8HUbsiPagLV9TwXO3QID
+AQABo2swaTAfBgNVHSMEGDAWgBSOvWaPjlVlz1HkWabJKh5iv/elvDAdBgNVHQ4E
+FgQUgYdlKg2WZsyn5n9xnCVxsVRQwz4wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwBDANBgkqhkiG9w0BAQUFAAOBgQA+sKsTmg7nH6jqpWTD
+0+ku3zH37P/CeNynrYlFtFA/3QZZNSeBUtmPEgSANp/iYSgpIOeqcUR+vJZhsIXT
++0wX4SS7+hy3sHAuDmSZ7d4XXowNWmfn2MElY7INaPvTzjRY3+XIeTfMK43LglF5
+sftSt0FIy+7QSZiQwKIX35Hdig==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBJzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEXMBUGA1UEAxMOUG9saWNpZXMg
+UDMgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKzB4tlymiLVW8a6Ps0y
+porV4ZwLRY6O21qBHaMeOvMroSc49aMMmsNM5Hq1c37ETR2NROBT065S3xFyQT58
+Q+6gu30masLdypu0ewe1f4waXVKzrOrXleRrha2wyu33duzC9XoU5rLxLJUrPXjd
+F7bYw/NIHmdKb2gKdGDD5ZhlAgMBAAGjgYswgYgwHwYDVR0jBBgwFoAU+2zULYGe
+yid6ng2wPOqavIf/SeowHQYDVR0OBBYEFI69Zo+OVWXPUeRZpskqHmK/96W8MA4G
+A1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/
+BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAGIeHrFlfEpz
+33KeWUQrArkcbXi4ONGl0zsMAelL8FjVyZJqVjBi4/z+31K608b9FleH0H4QlO1V
+pADcQhn+/9ChWXCvHtSUuBsIPFO3WWIdgYTtmSAqxsEq3uwQIR3ku8NoMpgiak6B
+EdVSLx709Z1oHVmuqVn1fYV/0968h9fo
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8E:BD:66:8F:8E:55:65:CF:51:E4:59:A6:C9:2A:1E:62:BF:F7:A5:BC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 70:a1:09:11:c0:05:80:09:b9:cb:96:bd:30:59:49:1e:07:57:
+ d3:9b:e2:f1:41:3f:f5:f1:d7:90:67:ab:db:81:2f:1f:b6:6d:
+ b4:e5:45:ba:94:55:25:9c:e1:11:06:71:a3:dc:ed:1f:6d:eb:
+ 91:33:7f:7d:1f:40:2e:1c:84:1a:c2:45:8a:26:ed:0c:a5:6f:
+ 1c:00:50:99:fd:7b:d1:3a:cf:a0:1a:da:0c:f0:7a:9a:4e:b5:
+ f1:fb:90:9b:ab:54:57:1d:55:ab:b7:c3:a6:c4:27:e9:c8:6b:
+ 83:28:68:cc:9e:0b:f0:99:7e:0a:f5:f2:ca:35:28:7b:78:59:
+ 7c:88
+-----BEGIN X509 CRL-----
+MIIBOzCBpQIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDlBvbGljaWVzIFAzIENBFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBSOvWaP
+jlVlz1HkWabJKh5iv/elvDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQBw
+oQkRwAWACbnLlr0wWUkeB1fTm+LxQT/18deQZ6vbgS8ftm205UW6lFUlnOERBnGj
+3O0fbeuRM399H0AuHIQawkWKJu0MpW8cAFCZ/XvROs+gGtoM8HqaTrXx+5Cbq1RX
+HVWrt8OmxCfpyGuDKGjMngvwmX4K9fLKNSh7eFl8iA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem
new file mode 100644
index 0000000000..81624cdd69
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem
@@ -0,0 +1,170 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P2 subCA
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBEDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBFMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAyIHN1
+YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFuj/BeKqm7wDc+UMIp7Qh
+eY7RqfB/VGqZuKUb5UNpLiXT37UrhteMqYSqBkd76l1qvhhBwRPJt9Nq2tf5slrS
+NJOAnUfF0McB9RUJMGhkITa9As3KZy0u31hre09MUaacltcuJx4irpHKUEjn+qY1
+ZdZ7NNEzH9VXWN+6lARLIQIDAQABo3wwejAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7
+J0TXNTPfmhWUxzAdBgNVHQ4EFgQU5FhKqtjykfUZF2iehQcjbgo0680wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAGilgDaBiDA1cbd6xUxAl/K5DVQ8ack+2fk1
+P8G5fTuQoQtDbWX6eA7Q/nXFXBCj2i1tmJF/q8Pzh1GU6MKQ5f7J5ibEstM1+lgb
+hidM5kd85uVTxTBL7GSS94BSfXFnNOOSWbRTyhSIZRxScCjERfnSfF8yBDRIbFGO
+ma6qPeAC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=Policies P2 subCA
+-----BEGIN CERTIFICATE-----
+MIICgTCCAeqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAy
+IHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowWzELMAkGA1UE
+BhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTAwLgYDVQQDEydEaWZm
+ZXJlbnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVzdDMwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANc03XT9xYcVcwSWI/zfZ5VWnTC4uy5WFMe8/BNL8QuP
+5xFw/xGTjgkS/ABNJJJ+a/RWsi0Q92MSeMbVNkgD0/i94SgjALWOdsg9k4LI3iH1
+ziOZ1OWKjKsJIxgCbTls+JRu7bRi4dnVYHB96WnGFVsVp9xyoS3hUYYwpCFXYLWz
+AgMBAAGjazBpMB8GA1UdIwQYMBaAFORYSqrY8pH1GRdonoUHI24KNOvNMB0GA1Ud
+DgQWBBRyOnvPdzFG1aaQtBqWQiKlfmoaPjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATACMA0GCSqGSIb3DQEBBQUAA4GBACWQn4A03gqLgppl
+ROwBGIIxHZD+wVr9BgoDJj2xwX6NaofqHfhAyVq9hDqEwylmfr0rH6m8PBAgnST0
+CnoWgQEQQ2sESHf6f/7/CTcVLlx8UQDXaTlA22nhmoJG9Y4iOdjdzhgvn/9yYySs
+aTByh3KCB3TV4q9GJw6nUNAmnoOo
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P2 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E4:58:4A:AA:D8:F2:91:F5:19:17:68:9E:85:07:23:6E:0A:34:EB:CD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c3:6b:fd:b1:c9:49:fe:a7:76:33:87:24:1f:f7:df:41:31:b8:
+ 37:15:f2:3c:ae:8e:c7:17:a1:30:ea:a6:53:99:4a:8b:a1:7c:
+ ae:c1:4e:58:81:4f:65:e2:0d:eb:a0:cc:2d:f5:a2:ba:03:ee:
+ 1e:81:1c:64:3a:b1:9f:2b:d2:40:27:69:6f:32:95:fa:85:f7:
+ c8:76:8b:4b:7a:11:12:8d:7c:fa:1f:54:84:d7:ff:72:23:63:
+ 46:55:0a:e4:d2:38:1d:83:2c:57:bb:60:21:dc:44:0d:6a:95:
+ 11:ad:f0:b5:57:82:68:f4:20:37:f4:d7:46:93:cd:c4:c6:90:
+ fd:c1
+-----BEGIN X509 CRL-----
+MIIBPjCBqAIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAyIHN1YkNB
+Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBTk
+WEqq2PKR9RkXaJ6FByNuCjTrzTAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOB
+gQDDa/2xyUn+p3YzhyQf999BMbg3FfI8ro7HF6Ew6qZTmUqLoXyuwU5YgU9l4g3r
+oMwt9aK6A+4egRxkOrGfK9JAJ2lvMpX6hffIdotLehESjXz6H1SE1/9yI2NGVQrk
+0jgdgyxXu2Ah3EQNapURrfC1V4Jo9CA39NdGk83ExpD9wQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem
new file mode 100644
index 0000000000..42c902dac2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem
@@ -0,0 +1,170 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=Good subCA
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0Ew
+HhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBbMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMDAuBgNVBAMTJ0RpZmZlcmVudCBQ
+b2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAo97r9TnN6B3H+x4fSXruIfEelkjmA4Ti1Q93FP3Op0Pfk8ybf7W8
+/meQsMFMMXAVrZ+pwfLj3YvzTspivZUbJGWA4o7r2DwkVkuXr6Rv2n3OhPlCwljb
+TAFxb5S3wOOJ53FHJw33R19R8d3B0CpxKxLK1oXQVOOu0t3UKizFJakCAwEAAaNr
+MGkwHwYDVR0jBBgwFoAUfFxpfJ3IVbEiBSlD+8R7j+rquH0wHQYDVR0OBBYEFOIy
+WsL+F3ByhN7vnBDlbJNEkZS3MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAIwDQYJKoZIhvcNAQEFBQADgYEAVoBWMI/tY2C3bNKXPdDQHwOq
++JplKCmu37pLQlMNSVP8yssW5khRqkKYi48Jz7b21NKFN3w3/0MuV2AxjEA6ROZX
+MBwaIKyeHMRCRDJndHYU3CkOvex/eDDnLXvNxTXuda755S3qZUbhNKRZnLv1iDzH
+KN6TmIq39yQReXlNoNo=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good subCA
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA+MQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPPDgvwjnBtonTcZM5RPe+FqtX3glBmw
+zdb+WOm6gKoAp5euYnW2UZOOjSztJyTUKsmnK3qhKgntDjO8z/ito6Pz0Uo7zoby
+wftFeKr76K0iBIp0t2DJQ4khnA8KjIB7LJp5CKIT1rhPdrLhPbc/r+LcUTZrAfRt
+ZcQkxbznhxZxAgMBAAGjgYswgYgwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz
+35oVlMcwHQYDVR0OBBYEFHxcaXydyFWxIgUpQ/vEe4/q6rh9MA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAM
+BgNVHSQEBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAI8yIYi19lr+NUCxlq3CXkpZ
+TAgRtU0pqH1VbEootkv0o7apbF2cC8SHB0UDiih/yqZjqw3kHtpbBaf75KHxqoQ4
+PKqoZXt3K4rjiQooU+2cyC+mxI3uegcFjQ444R10jXwv5EqNQ4joXhz5hocJA/PF
+JGFA0gkGm2pMEBR567ka
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:7C:5C:69:7C:9D:C8:55:B1:22:05:29:43:FB:C4:7B:8F:EA:EA:B8:7D
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a1:14:35:58:41:58:4a:93:ea:8a:e7:cc:c1:be:02:22:8c:9a:
+ 21:32:d6:a9:bf:1d:df:7d:60:8c:ba:f2:8c:01:a9:38:a4:94:
+ 8a:6d:69:46:e5:ac:63:48:17:e5:c9:c0:de:df:13:73:c6:ec:
+ 3f:b7:ed:61:a2:6c:42:d8:cf:7a:ff:3b:35:41:8a:04:c8:fe:
+ 85:37:b8:7d:dc:a0:05:35:ba:e0:bb:39:c8:be:2a:79:57:82:
+ db:f1:da:21:e0:c6:54:2b:37:2a:e1:0d:82:aa:2f:47:ab:15:
+ fc:30:11:dd:52:ba:93:cf:bc:46:39:a7:94:29:7d:e0:2a:5c:
+ d4:ce
+-----BEGIN X509 CRL-----
+MIIBNzCBoQIBATANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0EXDTAxMDQx
+OTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHxcaXydyFWx
+IgUpQ/vEe4/q6rh9MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAKEUNVhB
+WEqT6ornzMG+AiKMmiEy1qm/Hd99YIy68owBqTiklIptaUblrGNIF+XJwN7fE3PG
+7D+37WGibELYz3r/OzVBigTI/oU3uH3coAU1uuC7Oci+KnlXgtvx2iHgxlQrNyrh
+DYKqL0erFfwwEd1SupPPvEY5p5QpfeAqXNTO
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem
new file mode 100644
index 0000000000..bb476975c0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem
@@ -0,0 +1,170 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=Policies P2 subCA2
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAy
+IHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNV
+BAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnRGlm
+ZmVyZW50IFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3Q1MIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQCwZH5VW/9MO5bUFBrHnWcQmxnLKiqHAu593o6kFZKt
+zkkYkVCA/vu0Wqgk09UeJz2jQPFuJEFYl/VdkkyS3U5TMdJBBcIHMYpmVTeTJSzP
+G+II79/nOVLpVRfuMtKclAU+oCCJb29oiXRaOFzZjzbXuU/NvSXZu24sVctBtFQA
+DQIDAQABo2swaTAfBgNVHSMEGDAWgBRx6y8V7VGl/4VJjHwa9kumm6SUBjAdBgNV
+HQ4EFgQU0BTRTBvIbX1D6I9/J/Wkp7/iGNwwDgYDVR0PAQH/BAQDAgTwMBcGA1Ud
+IAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAVgTBnKECQtHJE
+rSdkBjW41mPMbdbsbYgsl00518Qv4kS2bIsmMOB4V6kl48oIlmIql2dgUqb0QgvA
+JFFmwyLWdyUy1Ngv1H4tT2i9htTQAG7Yhx619BHqWCfqCiue49ySUsKOefY3ZYuy
+Ew2nYu2yBbFQuBajQDA+6rT6RjvF+Q==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P2 subCA2
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICgzCCAeygAwIBAgIBEjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBGMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAyIHN1
+YkNBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtLTO6yKdiF3dWPmvdMIU
+ljhMl5k5/mSISipm74fsNPvCJOAfdPJa7ZsmCH2mXZeXa5xOUPG9YzcqgSoj8YEa
+L6h9u4t40L+OyapOZKiYykXi9hoZEzCuilIIu3km9rU0jF/hTntZ5QSdE65fM5qn
+iMQnAPkod5ehi3XASsHZu9cCAwEAAaOBizCBiDAfBgNVHSMEGDAWgBS3LqaCy8LI
+vKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUcesvFe1Rpf+FSYx8GvZLppuklAYwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8E
+BTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEApvxtR+QrmkV9
+u+IYUO9+MXgIGn7U3aab9pnQfxH2Dqkx2uPGGYsw3+Md7m0+Y29god0WgGwgrmlS
+9VnFhuDw0Sks4ofgjOWCrO0gK10fO2AHzYMwxcbsaqrIPS0dIkUflnnB6vUPoz1t
+0/y853VkBY8fwZC5lSrXe1j/wkrITt4=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P2 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:71:EB:2F:15:ED:51:A5:FF:85:49:8C:7C:1A:F6:4B:A6:9B:A4:94:06
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0f:c9:61:2b:d8:db:62:52:36:67:85:d2:bf:79:00:4e:44:4c:
+ 3b:2e:a1:0f:58:1d:06:1d:47:bb:2d:b2:3f:62:d5:9c:7d:da:
+ bd:34:86:5d:44:f2:ec:42:d8:cb:37:16:8d:87:d7:73:3b:d1:
+ 82:e3:e9:2c:d6:db:6f:f5:f3:db:d4:11:bf:bf:aa:15:10:7a:
+ 51:76:d6:56:e5:f6:27:00:54:54:87:14:e8:0f:5a:e1:5b:64:
+ 16:53:de:31:1a:69:c2:6b:a5:fe:77:8c:bc:f2:42:d6:ad:84:
+ 6a:f5:bb:94:16:c0:12:64:af:4a:2e:68:64:2f:f5:14:5c:b1:
+ c5:cf
+-----BEGIN X509 CRL-----
+MIIBPzCBqQIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAyIHN1YkNB
+MhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU
+cesvFe1Rpf+FSYx8GvZLppuklAYwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQAD
+gYEAD8lhK9jbYlI2Z4XSv3kATkRMOy6hD1gdBh1Huy2yP2LVnH3avTSGXUTy7ELY
+yzcWjYfXczvRguPpLNbbb/Xz29QRv7+qFRB6UXbWVuX2JwBUVIcU6A9a4VtkFlPe
+MRppwmul/neMvPJC1q2EavW7lBbAEmSvSi5oZC/1FFyxxc8=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem
new file mode 100644
index 0000000000..64913817fc
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem
@@ -0,0 +1,211 @@
+subject=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1
+issuer=/C=US/O=Test Certificates/CN=Policies P123 subCAP12
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAx
+MjMgc3ViQ0FQMTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBPMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMT
+G1BvbGljaWVzIFAxMjMgc3Vic3ViQ0FQMTJQMTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA3JEcFcmqBaOdX0aQIeLKgr184G8kZkUDCWXFVa8Rl8JEbH8nKumt
+oT+D502p0fAxQ/lu67/+Wz9X+0bAwkuPsCzJ1QCXR2UIRpVr1NxN7Rpz/7c6kzfL
+/DJwrly/lSBnj0R0YirNdtTRRbIo0/YEP7P2B0gorC16aSbZViLod4ECAwEAAaN8
+MHowHwYDVR0jBBgwFoAUWocIIfvckxBtmgt8x2qxaEvfVdcwHQYDVR0OBBYEFCOJ
+nPgjYULoGZabFjVqvDC9XoqCMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBE
+8ZcL9nvf0LT9xC+cY0M+u5LPMYNxkecfdmiF5H1xmtqQ+pyLB7lUIyeSE0FWSbFS
+HxkKQAkO31yPfR0lvAkmJS8uVhZf7kiMfNhK/iHQA2LE4ubMmgyfbnAidPaVhPJ/
+waAqgUmU3waTfWo4RyKCWsWN6L95KJNO3HkS5l83zg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P123 subCAP12
+issuer=/C=US/O=Test Certificates/CN=Policies P123 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx
+MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYDVQQG
+EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGlj
+aWVzIFAxMjMgc3ViQ0FQMTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOll
+J21WulD37Mn1rV21nTiHp+5zJm7d2iKVBk051MbS63EnC5jnUm0D6a5QJiQR8Ai2
+tuB17ppJED42WQtI7o8exytiya4Y4BvDOeGlVbVZSGgbk2vjlTzg+caDcAkVSzWD
+YMs02A14NrbFODXEyAyJ7rsOTycvQorNHm6zUBvRAgMBAAGjgYswgYgwHwYDVR0j
+BBgwFoAU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcwwHQYDVR0OBBYEFFqHCCH73JMQbZoL
+fMdqsWhL31XXMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIB
+MAEwDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAD9AiTI21pU5RaP49a5YdThygUEjL+Hvvoq4cbbg7dN3qbjYJBXUruTWyY+c
+pSqrS3q3rUlt99O+9JFqZSX8LCVRMg0yWSlwymdeY8a5EBS099ZFB+r9v4tIndk0
+r1uaX/PyEiMNd+eT8GdxBwl+Jo+AHTvuHx0G9iRwLbS5Es0u
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1
+-----BEGIN CERTIFICATE-----
+MIICnDCCAgWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAx
+MjMgc3Vic3ViQ0FQMTJQMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFsxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4G
+A1UEAxMnRGlmZmVyZW50IFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3Q3MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCq7BLYQUkQ5JoVVov7G3lnh8JAEwYq
+LMbqpRCqw7cUk5pzpmQsxkZs6/Ucuz/aR9dCCaRZJ+YQ8GZSQ+igOWzOfGwugT2P
+1F9uHaqW5hLEm4nKD0sCR7e+SSsZcVLDu43aKeP9M9W+eIiVgBDqqO/sIiP+H9lA
+XGxBY7aZKR9PbQIDAQABo3wwejAfBgNVHSMEGDAWgBQjiZz4I2FC6BmWmxY1arww
+vV6KgjAdBgNVHQ4EFgQU8kOeHdO942r3cR78izbu/QscRBMwDgYDVR0PAQH/BAQD
+AgH2MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4GBAB7JKK79k5557tO3m4Z6Ggwb+wna9YjHdiEEmFrP0CbG
+ydKsCOn176W5roPXJfVz4LNWRaQ1VD9hJBRNk7l7hCgrbazLj9TtrU9RrklDu54/
+tyZH3BQrH0znl+dxlEgYdfzhd0XQhMP4AGAlIzZUANHCnmjRKkqikPNXO5bMpnza
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P123 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg
+UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s
+xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS
+o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5
+ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt
+gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww
+DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB
+ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD
+gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM
+jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext
+cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY
+kko1SxlW
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b:
+ 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7:
+ 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65:
+ 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81:
+ 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96:
+ 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41:
+ 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04:
+ ef:9d
+-----BEGIN X509 CRL-----
+MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/
+zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p
+qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs
+95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 subCAP12
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5A:87:08:21:FB:DC:93:10:6D:9A:0B:7C:C7:6A:B1:68:4B:DF:55:D7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 67:b8:b5:f3:01:89:95:0b:52:9b:23:ed:15:82:33:84:16:99:
+ d5:19:f9:2a:ba:7a:1a:fd:61:2e:32:9b:bf:50:d0:02:cc:b8:
+ 5e:0c:f9:8f:7d:6b:d7:ce:29:7d:cd:9a:0d:01:4a:c9:ef:38:
+ 13:2e:a6:46:a5:13:4a:ba:01:58:71:13:21:6a:52:1a:e5:2f:
+ c8:58:ba:dd:bb:b5:18:3e:a0:5b:94:3a:96:d0:47:05:fa:a4:
+ 84:37:c0:e4:5a:42:31:19:c3:86:cc:42:90:32:85:aa:e4:70:
+ 23:e2:cf:eb:fe:f3:fe:e0:83:17:bc:c4:15:07:0f:b8:c0:d9:
+ 57:d2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAxMjMgc3Vi
+Q0FQMTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFFqHCCH73JMQbZoLfMdqsWhL31XXMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAGe4tfMBiZULUpsj7RWCM4QWmdUZ+Sq6ehr9YS4ym79Q0ALMuF4M+Y99
+a9fOKX3Nmg0BSsnvOBMupkalE0q6AVhxEyFqUhrlL8hYut27tRg+oFuUOpbQRwX6
+pIQ3wORaQjEZw4bMQpAyharkcCPiz+v+8/7ggxe8xBUHD7jA2VfS
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:23:89:9C:F8:23:61:42:E8:19:96:9B:16:35:6A:BC:30:BD:5E:8A:82
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 38:53:72:c0:cb:e3:f9:84:7d:49:58:c4:73:96:61:3f:7d:1a:
+ 78:47:82:fa:be:2b:9a:55:99:d4:73:ad:49:14:9d:a3:3c:5e:
+ 99:66:20:f4:df:d9:c3:d3:03:61:75:0d:18:f6:c4:b8:29:0f:
+ e7:e3:e9:37:f3:0d:e0:74:a0:ef:8e:9f:fa:12:18:20:a2:8a:
+ 3a:bb:72:e6:20:4f:2a:2b:7f:22:5d:56:01:e8:fb:76:fd:62:
+ 44:16:83:a8:7e:53:4d:6a:4a:0c:94:10:64:85:02:07:1d:d3:
+ 28:57:9f:e7:57:65:99:37:99:f4:52:ae:de:5e:4f:5c:e9:08:
+ f2:cc
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAxMjMgc3Vi
+c3ViQ0FQMTJQMRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUI4mc+CNhQugZlpsWNWq8ML1eioIwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAOFNywMvj+YR9SVjEc5ZhP30aeEeC+r4rmlWZ1HOtSRSdozxe
+mWYg9N/Zw9MDYXUNGPbEuCkP5+PpN/MN4HSg746f+hIYIKKKOrty5iBPKit/Il1W
+Aej7dv1iRBaDqH5TTWpKDJQQZIUCBx3TKFef51dlmTeZ9FKu3l5PXOkI8sw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem
new file mode 100644
index 0000000000..0468f302f0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem
@@ -0,0 +1,210 @@
+subject=/C=US/O=Test Certificates/CN=Policies P12 subCAP1
+issuer=/C=US/O=Test Certificates/CN=Policies P12 CA
+-----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAx
+MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUUG9saWNp
+ZXMgUDEyIHN1YkNBUDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKniBOhW
+3+GUH9cLSjfU8TnmUuKC8zu+bx+7Vd8N20wFU83y33ReAvzS9j5mBAT6qqLMg52i
+t5h4ni8MAttxqQivCwZR6U+Mg2KMdHEAbvTp8ya69ZdGzc8StBaJ1OIIRHtRicl2
+Ek85wzHazjfWPtmnO0EaIzJImL3U24pAKDq3AgMBAAGjfDB6MB8GA1UdIwQYMBaA
+FADjZemB1Ia5xx3n8zM5Bl5MEaX5MB0GA1UdDgQWBBRCiBzBeLdD2gCvvd66Q6fl
+tWH/8jAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAYKVZU12G6lcEkxyRYlMJ
+umN4xtytcDe50I4AFgMJlgCcLvupgFN+5QWwSGtdBpSrN3lDBFTUQ/ZrAL3O4nzA
+HaKM6LaBCQS1//FE6qbi2UvRHfp8RoYUH4hM1nzTb7/Za0wsWTwegcz1uOZ4aLQ5
+M7QKfWfzax6EarTJ4jorUQA=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2
+issuer=/C=US/O=Test Certificates/CN=Policies P12 subCAP1
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFBvbGljaWVzIFAx
+MiBzdWJDQVAxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTTELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQDExlQ
+b2xpY2llcyBQMTIgc3Vic3ViQ0FQMVAyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCgzy2UzpvEK8JSY1wMRMaoYi/MuP+Hkmtwerm88lsIWe07HlT55nuxjp5/
+vSPZEgCYm+wk0AU87yD2n6OkCJn+oUVbeucGoJSwuTEs7HK0YZq+RyYdzcoZ7Z4Z
+EzNUC2I+vPj01u9NL0XBZLJ7g5h6Au8d3zGEkn6bEPk565LiewIDAQABo3wwejAf
+BgNVHSMEGDAWgBRCiBzBeLdD2gCvvd66Q6fltWH/8jAdBgNVHQ4EFgQUZ+UNjYxs
+KrtVbS3oIqoES3MriCowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI
+AWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAESq+2Cg
+vywkdxLqsugNl7K/+BK8s0yadUr/Q/DZKPALlPRaVW7GzKJ7aCGw1xRiMmkV5Z1Z
+UjSdHXTJetXdNpCfjpVnnrAB9DjkA7RrKI1KTPxhnywtwQNTpD4gceRP6icRwaN6
+7Y/GlL6Fi1LbuHlGF94I9XchvB1mTQ0PF52O
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBJTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPUG9saWNpZXMg
+UDEyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5unCMuN8PuVFWbqxO
+/wnIQsciPiEo1GoKWjM6+kb9l3h6wWyWYwmst2c158qcJLY9PxaUMhqQd/SY0Tt9
+WlHXVcE8rMoWSGmFxfK33UpeCtqwz9ugPSWwZkqx2lI/0ozQXgjYb0J9/EoKw1O0
+CxxrdQdPQkyLD4Uxe87/MlpzsQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFPts1C2B
+nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQA42XpgdSGuccd5/MzOQZeTBGl+TAO
+BgNVHQ8BAf8EBAMCAQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFl
+AwIBMAIwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEB
+BQUAA4GBABX9GMyAC90FH8BvpnNh6SDn2MIT7iINc4/9u64d1dxEhqogqcR58khK
+btHyx8YrgbCcqUNS4Xs7ckW5k2VNAd9dG0Chc0uk6rwkv+sD1/zJi8LIGd/3cFjk
+biIVYqPxb7WpKqo97V+43tMFsTqJNBSh+6W14vlP55+Ep5IlxcOm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2
+-----BEGIN CERTIFICATE-----
+MIICmjCCAgOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVBvbGljaWVzIFAx
+MiBzdWJzdWJDQVAxUDIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBb
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMDAuBgNV
+BAMTJ0RpZmZlcmVudCBQb2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0ODCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxJrMY6Ju+VhfX1vaWidfiPUdCuUMy5lF
+7s2Vle2r9FOQQ8se76y2jPKssqb3XIIG+VLRlS5GMp8T4t6VgLtE+gqb4mcBuIdV
+KMwJtDrYnfNFML4yyCKSvh51ionton2akkJGnJ2POvQ4z7sLXrKKCKcGTWvbVqej
+BwfkNvwk9KcCAwEAAaN8MHowHwYDVR0jBBgwFoAUZ+UNjYxsKrtVbS3oIqoES3Mr
+iCowHQYDVR0OBBYEFOEf7/tJiP53/PPTMiuw+1ENh3KRMA4GA1UdDwEB/wQEAwIB
+9jAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAIwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQUFAAOBgQAkAFezJ/Jf3nv9Kuw+VwXEuX91e8e8wClFff+eY0Af+kXl
+fvUJnXN2TOh1iBU8C21WkavgIS9o8grJb3hbDpS03Yodnt/0151BiCMdLQI02sFK
+mHABJwiZZlLj7peF4avVV4Piw4arjXD7Z1bKYlHOZeTHF1hgS/XINAc8IUsfDQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:00:E3:65:E9:81:D4:86:B9:C7:1D:E7:F3:33:39:06:5E:4C:11:A5:F9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a2:21:e6:6b:0b:99:66:79:2d:86:a7:9b:cd:37:9b:4d:73:1f:
+ df:91:63:c4:de:55:15:53:b0:32:ac:c8:3c:bd:96:aa:ae:c9:
+ 4f:b2:7c:9d:40:d7:f4:5d:99:8e:fa:2b:44:2d:75:ef:01:38:
+ 86:c8:59:ae:e4:62:e4:83:b4:73:03:34:d1:7f:52:bc:3d:bb:
+ 77:7e:7c:c9:41:09:4c:08:4f:a9:7f:d9:d9:0f:bc:46:9d:05:
+ 70:2f:66:0b:d4:0d:80:ec:11:83:4e:1b:90:95:ad:86:02:77:
+ e8:19:aa:a6:48:29:a3:9f:36:c3:ec:9a:f5:a4:9a:0b:f5:11:
+ 1d:72
+-----BEGIN X509 CRL-----
+MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAxMiBDQRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUAONl
+6YHUhrnHHefzMzkGXkwRpfkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+oiHmawuZZnkthqebzTebTXMf35FjxN5VFVOwMqzIPL2Wqq7JT7J8nUDX9F2Zjvor
+RC117wE4hshZruRi5IO0cwM00X9SvD27d358yUEJTAhPqX/Z2Q+8Rp0FcC9mC9QN
+gOwRg04bkJWthgJ36Bmqpkgpo582w+ya9aSaC/URHXI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P12 subCAP1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:42:88:1C:C1:78:B7:43:DA:00:AF:BD:DE:BA:43:A7:E5:B5:61:FF:F2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 38:85:fb:83:ec:f4:d5:e4:42:27:68:d3:d6:5f:c9:d5:60:4a:
+ fc:33:39:94:ce:d9:28:71:4e:fe:aa:e6:61:05:6b:1c:42:96:
+ 56:40:e4:48:e6:96:65:21:17:f2:e6:8e:69:50:6f:44:8f:33:
+ a3:8c:28:e9:f5:85:d6:de:55:bb:03:30:02:eb:bc:49:70:3b:
+ bb:12:c6:f0:8c:8e:d6:5f:3f:30:aa:58:a9:6a:4e:3e:46:a1:
+ f6:76:e7:a8:7d:28:e8:d8:44:32:58:76:88:f0:05:5f:37:27:
+ 03:28:e0:b3:88:c3:75:41:50:81:c2:fe:04:22:be:ea:4a:2b:
+ fc:a1
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFBvbGljaWVzIFAxMiBzdWJD
+QVAxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRCiBzBeLdD2gCvvd66Q6fltWH/8jAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQA4hfuD7PTV5EInaNPWX8nVYEr8MzmUztkocU7+quZhBWscQpZWQORI5pZl
+IRfy5o5pUG9EjzOjjCjp9YXW3lW7AzAC67xJcDu7EsbwjI7WXz8wqlipak4+RqH2
+dueofSjo2EQyWHaI8AVfNycDKOCziMN1QVCBwv4EIr7qSiv8oQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:67:E5:0D:8D:8C:6C:2A:BB:55:6D:2D:E8:22:AA:04:4B:73:2B:88:2A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 25:a2:e2:75:db:ff:f0:10:9c:e2:59:90:7c:f9:c6:8e:63:cc:
+ d4:d1:19:7e:d4:97:09:0e:ea:09:59:88:13:b4:ec:07:f9:58:
+ 7d:fd:87:4e:85:00:16:e2:e4:54:c3:ec:fe:0e:bf:f3:ab:59:
+ af:49:e4:97:ba:c2:df:6e:45:e9:4f:e9:0e:4a:07:41:85:8e:
+ f5:7c:da:c7:21:73:33:37:ff:e1:e0:fc:ae:98:29:f6:04:2d:
+ d1:4b:54:a4:fb:ee:17:ae:4d:73:b9:ff:ca:6e:6d:56:c3:27:
+ d8:d2:b4:d5:9c:c6:3d:40:48:f9:37:8d:2f:22:bb:55:4f:84:
+ 07:65
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVBvbGljaWVzIFAxMiBzdWJz
+dWJDQVAxUDIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFGflDY2MbCq7VW0t6CKqBEtzK4gqMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBACWi4nXb//AQnOJZkHz5xo5jzNTRGX7UlwkO6glZiBO07Af5WH39
+h06FABbi5FTD7P4Ov/OrWa9J5Je6wt9uRelP6Q5KB0GFjvV82schczM3/+Hg/K6Y
+KfYELdFLVKT77heuTXO5/8pubVbDJ9jStNWcxj1ASPk3jS8iu1VPhAdl
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem
new file mode 100644
index 0000000000..4b2ed859a9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem
@@ -0,0 +1,263 @@
+subject=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2
+issuer=/C=US/O=Test Certificates/CN=Policies P123 subCAP12
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAx
+MjMgc3ViQ0FQMTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBPMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMT
+G1BvbGljaWVzIFAxMjMgc3Vic3ViQ0FQMTJQMjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA/QzSHTVMWeTWiSZ9qa++M+UWF0AfCPT9oTdaLUwN0Tnb845G4Jh5
+Ov5u75dfUmAmvRM1brlhZoYZZa3cBvQP+1YoAOosVY1qy4xX/6OE2zqM45IRhyLd
+VlAJ2WJ96jOpb/HV3vodX2vjDndDMMxKRXd0WIHzbC/aZGzWYXwUvfkCAwEAAaN8
+MHowHwYDVR0jBBgwFoAUWocIIfvckxBtmgt8x2qxaEvfVdcwHQYDVR0OBBYEFIvs
+OfOjrm45cGR/aCtNVJAsjgXAMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCg
+uNxU4/XUIM6O0+DSr6607Epm4PaQEAnvLsgMdHGHCLXL0mwL/9sNnSXGQg08zVpa
+k5RjmIGMD+UcMJ28kArNA9u3q4QNB5OXZtrhoPTGhBaBtwR3rL2ZEvQxUw67t2wV
+TpBcguqwCt7IIuNbBOoN3Uilox3T4WptJ/A7+zW8oA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P123 subCAP12
+issuer=/C=US/O=Test Certificates/CN=Policies P123 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx
+MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYDVQQG
+EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGlj
+aWVzIFAxMjMgc3ViQ0FQMTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOll
+J21WulD37Mn1rV21nTiHp+5zJm7d2iKVBk051MbS63EnC5jnUm0D6a5QJiQR8Ai2
+tuB17ppJED42WQtI7o8exytiya4Y4BvDOeGlVbVZSGgbk2vjlTzg+caDcAkVSzWD
+YMs02A14NrbFODXEyAyJ7rsOTycvQorNHm6zUBvRAgMBAAGjgYswgYgwHwYDVR0j
+BBgwFoAU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcwwHQYDVR0OBBYEFFqHCCH73JMQbZoL
+fMdqsWhL31XXMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIB
+MAEwDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAD9AiTI21pU5RaP49a5YdThygUEjL+Hvvoq4cbbg7dN3qbjYJBXUruTWyY+c
+pSqrS3q3rUlt99O+9JFqZSX8LCVRMg0yWSlwymdeY8a5EBS099ZFB+r9v4tIndk0
+r1uaX/PyEiMNd+eT8GdxBwl+Jo+AHTvuHx0G9iRwLbS5Es0u
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIFBvbGljaWVzIFAx
+MjMgc3Vic3Vic3ViQ0FQMTJQMlAxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0
+NTcyMFowWzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVz
+MTAwLgYDVQQDEydEaWZmZXJlbnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKiBlSODZy8jLC4WxxNVbFCA
+SbxY2A4DLV2OXhCjWmUmHQvZhiXk2p/wQCX/9VMcX7XRH9a3JLM9l6ZSEIGVT6lO
+R55lGOjNfpF8x+pGe/t0yPB/6ntPn5e9ZSNhDJDoYkJHfdplTFu2AZLbaVPlysXL
+AoO69sbnDPVxAjxFX2zLAgMBAAGjazBpMB8GA1UdIwQYMBaAFNMqu/C1V0GVUt3P
+qLuSnOARbnO8MB0GA1UdDgQWBBQg7JO9uU0ScBZcuzznmEWH36QRTzAOBgNVHQ8B
+Af8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUA
+A4GBAEeaZ7Bsae+J0lNKAzqJhR4MHfT/5SBBazWGVSwIbpWl02esU9RtrStOTA8d
+zcMp2eLg3KDI+XRsYkxFb+fmJDckIYhGk2g3B9kW1a24k8DetYIqOXtFvleJ55dG
+iROwoCaH8/bW75CMK0alSXqJCAnTq+Pbg5i0nPX0ShJlSjAf
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1
+issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAx
+MjMgc3Vic3ViQ0FQMTJQMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFQxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEpMCcG
+A1UEAxMgUG9saWNpZXMgUDEyMyBzdWJzdWJzdWJDQVAxMlAyUDEwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBAMa9AAnNzFuqJqv1OdC4F1PtY4Lqcc+JJQBnnaIi
+roTN/plb6fUL5m/SFbfSZnf/qQbYUkosko2p0cdF5VrblaCvx7vB6l12at9Zskn4
+wKneBrfSJUVDEgSyWm7mY6t1Fla7OSfywUObt1NWEzq3pyWoSKTIQxpMJ3jnYERr
+/wJ9AgMBAAGjfDB6MB8GA1UdIwQYMBaAFIvsOfOjrm45cGR/aCtNVJAsjgXAMB0G
+A1UdDgQWBBTTKrvwtVdBlVLdz6i7kpzgEW5zvDAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEAgk/D/ABBm/yIi8Qk1ISreDz7OgEaqXoqyrQY9uq3nf/Xzlmrktxe
+C7bEDiYGugly0cHFHGProTJppes2ECdcVmrpXoIHSlbP3WucAOsWcyIW9tfH+Xsk
+HAts3bXwDmfI5WEndwM+p6kMKwRsMT8/q8XJ3ZCNgsu34eoKRWhBzlQ=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P123 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg
+UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s
+xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS
+o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5
+ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt
+gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww
+DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB
+ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD
+gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM
+jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext
+cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY
+kko1SxlW
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b:
+ 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7:
+ 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65:
+ 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81:
+ 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96:
+ 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41:
+ 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04:
+ ef:9d
+-----BEGIN X509 CRL-----
+MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/
+zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p
+qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs
+95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 subCAP12
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5A:87:08:21:FB:DC:93:10:6D:9A:0B:7C:C7:6A:B1:68:4B:DF:55:D7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 67:b8:b5:f3:01:89:95:0b:52:9b:23:ed:15:82:33:84:16:99:
+ d5:19:f9:2a:ba:7a:1a:fd:61:2e:32:9b:bf:50:d0:02:cc:b8:
+ 5e:0c:f9:8f:7d:6b:d7:ce:29:7d:cd:9a:0d:01:4a:c9:ef:38:
+ 13:2e:a6:46:a5:13:4a:ba:01:58:71:13:21:6a:52:1a:e5:2f:
+ c8:58:ba:dd:bb:b5:18:3e:a0:5b:94:3a:96:d0:47:05:fa:a4:
+ 84:37:c0:e4:5a:42:31:19:c3:86:cc:42:90:32:85:aa:e4:70:
+ 23:e2:cf:eb:fe:f3:fe:e0:83:17:bc:c4:15:07:0f:b8:c0:d9:
+ 57:d2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAxMjMgc3Vi
+Q0FQMTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFFqHCCH73JMQbZoLfMdqsWhL31XXMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAGe4tfMBiZULUpsj7RWCM4QWmdUZ+Sq6ehr9YS4ym79Q0ALMuF4M+Y99
+a9fOKX3Nmg0BSsnvOBMupkalE0q6AVhxEyFqUhrlL8hYut27tRg+oFuUOpbQRwX6
+pIQ3wORaQjEZw4bMQpAyharkcCPiz+v+8/7ggxe8xBUHD7jA2VfS
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:EC:39:F3:A3:AE:6E:39:70:64:7F:68:2B:4D:54:90:2C:8E:05:C0
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9a:7c:38:8c:95:0d:e2:8e:c6:fb:4c:43:f5:4f:c6:0f:4b:ec:
+ 2e:bb:a1:8b:67:77:3f:7f:55:8a:02:ed:2a:f0:4e:0a:7c:e8:
+ d8:c1:26:37:47:28:ba:e5:47:de:79:74:30:b4:a1:66:8f:bd:
+ 8e:7d:9a:4f:37:52:71:ad:c6:50:b1:fb:ce:eb:0b:f0:58:54:
+ a8:22:51:9f:d5:d3:92:06:20:35:f6:e2:4b:8e:7f:a8:12:f8:
+ 38:a3:51:fb:cd:92:4b:2d:40:2f:f9:b9:ff:25:4d:f0:7d:9d:
+ 20:00:e3:eb:94:24:fe:05:ed:e2:b3:7e:fc:fb:1b:c1:4e:cf:
+ 9d:30
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAxMjMgc3Vi
+c3ViQ0FQMTJQMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUi+w586OubjlwZH9oK01UkCyOBcAwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAmnw4jJUN4o7G+0xD9U/GD0vsLruhi2d3P39VigLtKvBOCnzo
+2MEmN0couuVH3nl0MLShZo+9jn2aTzdSca3GULH7zusL8FhUqCJRn9XTkgYgNfbi
+S45/qBL4OKNR+82SSy1AL/m5/yVN8H2dIADj65Qk/gXt4rN+/PsbwU7PnTA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D3:2A:BB:F0:B5:57:41:95:52:DD:CF:A8:BB:92:9C:E0:11:6E:73:BC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 37:cf:8e:70:a0:12:c6:cf:ee:13:28:cd:1d:e3:f8:8c:6b:09:
+ fd:d7:31:1a:c3:2c:77:f5:13:3e:ff:6e:b7:23:0d:4d:33:3f:
+ a1:f4:37:4d:c2:84:0f:6d:2a:25:df:40:f8:25:96:40:7a:fb:
+ 59:29:4e:99:c8:8d:63:7b:23:b6:c8:eb:72:70:8e:f3:ca:5a:
+ 2a:36:bb:c6:9a:80:45:63:49:c9:9f:68:32:90:84:e4:a6:ca:
+ 22:52:d9:99:16:fa:34:93:38:ec:ba:f9:81:0d:26:b9:5b:03:
+ 3b:0a:ce:85:43:8e:bd:47:ca:de:50:4b:42:e8:97:91:74:12:
+ ac:5a
+-----BEGIN X509 CRL-----
+MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIFBvbGljaWVzIFAxMjMgc3Vi
+c3Vic3ViQ0FQMTJQMlAxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8w
+LTAfBgNVHSMEGDAWgBTTKrvwtVdBlVLdz6i7kpzgEW5zvDAKBgNVHRQEAwIBATAN
+BgkqhkiG9w0BAQUFAAOBgQA3z45woBLGz+4TKM0d4/iMawn91zEawyx39RM+/263
+Iw1NMz+h9DdNwoQPbSol30D4JZZAevtZKU6ZyI1jeyO2yOtycI7zyloqNrvGmoBF
+Y0nJn2gykITkpsoiUtmZFvo0kzjsuvmBDSa5WwM7Cs6FQ469R8reUEtC6JeRdBKs
+Wg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem
new file mode 100644
index 0000000000..f8cfbfdebc
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Bad CRL Issuer Name CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfDCCAeWgAwIBAgIBCTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWQmFkIENSTCBJ
+c3N1ZXIgTmFtZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8VTZxnGg
+pV60/E3F2RBR9N0VgI/w8ZdVENnRoqcpmY276I2t0UaRM95qNori4u/6Rb6RI6Jy
+BL5dPaJuS4hoVphnqLjMMF+huDF61ov49vcOtMo9Qw7NJYgeoINC4KcUrxvn5O33
+IjvyvGkMbrzczslZh1IaGrquWlS9DQDv3jECAwEAAaN8MHowHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMg02+C1YxZR0VCkMtLFWfhD
+jOBnMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCYg+l+IX369jmWSOMWB2Gw
+tuancmzEylYvy1g4di3sVNNOTRaST6hG6M0QkyVJDpr5wYwDCAu1me4CkJlaRHT9
+RZB8rW2LK9ydBJG5peFQa8QPQv9phrb4Hc7/2xjr0Eq6sUAQOBsCL09IY5pi2jxH
+o4m0vETRDlhl/Lqsc3dLTQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Bad CRL Issuer Name EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=Bad CRL Issuer Name CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFkJhZCBDUkwgSXNz
+dWVyIE5hbWUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBkMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxOTA3BgNVBAMT
+MEludmFsaWQgQmFkIENSTCBJc3N1ZXIgTmFtZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0
+NTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmWwjDb3FCLH56CnXApSXwVHB
+KUEdYLsDL5afA0uwYq3CutM9nFTfpI4wfWoh8z8rbcyzMhNU/b90XnkcJeUlLe4R
+GVC87g/Oh67ONY431E5nS0t2mU3gA5A+QJwCJ5GgkoRJy4aZS7IhIVayya97aITa
+eeInMge1hpOIbhG4RWMCAwEAAaNrMGkwHwYDVR0jBBgwFoAUyDTb4LVjFlHRUKQy
+0sVZ+EOM4GcwHQYDVR0OBBYEFLIo4xfziwpQ8zkzEpaYHC7RAmffMA4GA1UdDwEB
+/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQAD
+gYEAYRbr0XdXa3sve8krgu8sJ/Dj90/LJexPg4kRViyO7965tP3sBCNUAIO1Q8QW
+n27WeL4IjVXDSrspE/72yM2b8MNWJ4phd+PJMkQb+ioBbC8qPrNvnesSKPbqNcDR
+qLz/G2oPMHBWA5zuzG1O2ecxU1MLUV3tY4QxY1oNRuMunPo=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Incorrect CRL Issuer Name
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C8:34:DB:E0:B5:63:16:51:D1:50:A4:32:D2:C5:59:F8:43:8C:E0:67
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2a:95:96:bc:9d:a1:bc:e9:8b:10:db:0c:3a:19:c0:f6:b3:bc:
+ a0:15:ef:97:6c:c5:83:6b:e6:ee:c3:8b:fa:54:c7:86:7b:ba:
+ e8:73:c0:9d:d6:e5:1a:90:74:4c:8c:71:bf:ce:81:e7:36:df:
+ 95:4a:d8:6a:71:e6:16:6a:20:ab:9b:7b:de:eb:c6:ec:2e:83:
+ e9:0d:61:4f:62:df:3b:5f:02:28:98:01:04:5b:d7:19:18:1a:
+ f9:18:63:83:62:2f:de:0b:9f:a8:5a:d4:8b:91:5b:94:cf:bf:
+ 44:d8:18:71:89:fd:99:14:c9:92:7a:a0:6b:ed:15:13:5d:37:
+ 91:fd
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGUluY29ycmVjdCBDUkwgSXNz
+dWVyIE5hbWUXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFMg02+C1YxZR0VCkMtLFWfhDjOBnMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBACqVlrydobzpixDbDDoZwPazvKAV75dsxYNr5u7Di/pUx4Z7uuhz
+wJ3W5RqQdEyMcb/Ogec235VK2Gpx5hZqIKube97rxuwug+kNYU9i3ztfAiiYAQRb
+1xkYGvkYY4NiL94Ln6ha1IuRW5TPv0TYGHGJ/ZkUyZJ6oGvtFRNdN5H9
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem
new file mode 100644
index 0000000000..6fd7c1dc31
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Bad CRL Signature CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUQmFkIENSTCBT
+aWduYXR1cmUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJdogWv9CPXo
+9rQEcxwXXws6b/WT7R/AspFsq4aVO/l7puHNxGIQybx5jK5W55wqPtHa5PPGSpJA
+YkcuKVXL1ZqZh8A+VenvazNg0XoldwJZalTN0AwR3FprLL3cXYIwu8FFFERp8l/S
+YgHz8wHRlA37Ph4a7cU78oLWK0wziElzAgMBAAGjfDB6MB8GA1UdIwQYMBaAFPts
+1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBT7CxX9unvmOEiZWhVgVVCXqjZs
+QzAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAmZ8+7Hn2elBnvNREi2gDIa3P
+POFc8RHEq6ajCkhgeJoQRygSFdfenhTKGtfvet/3j6hBZRHEVI2e8x5yiyBN/ZKV
+SAdRCjXTg99nJJtkkqDhifkO5uUaxfcgj2LFt9DI7/b/jZzlNSD8BXqcifbjAf1s
+IIlWmY0HVZgwucYLmC8=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Bad CRL Signature EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=Bad CRL Signature CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBDUkwgU2ln
+bmF0dXJlIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYjELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTcwNQYDVQQDEy5J
+bnZhbGlkIEJhZCBDUkwgU2lnbmF0dXJlIEVFIENlcnRpZmljYXRlIFRlc3Q0MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQDbS7uYXT/RjXcp9qBIMFgzo5WJJA
+3/1rXCiA/BzowTDl87A4iGOmZ+LEkwpLarYI8mFzGmQAVIlJCn3KlTO4AuTWaMth
+VZPgVZ5gVxVHQbqdb2VZXHVJGYB/yn+PJrghL5uy+kv9qzocq/jUrEHcnvBTQ+iI
+8mutd/z8C/Qy9QIDAQABo2swaTAfBgNVHSMEGDAWgBT7CxX9unvmOEiZWhVgVVCX
+qjZsQzAdBgNVHQ4EFgQUK1L621YMk2XrXnaVZG9PC/61mSYwDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQA5
+Kis0tSW5S+c/zwTmKqh6DTRRISk2nn+KeQSUJdi6YXcuX3YIX/P4SxWNQ46dwKDl
+lNNDVR3u7fiwwYf9BxICorMqY2FhrdFOoGclO1mCpRuBMhmER7hWivrftdi7ekeE
+2aEHKWWnWwzU/qs6Z/6FK9waN4GviF8X+sqt/EHo+A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Bad CRL Signature CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:0B:15:FD:BA:7B:E6:38:48:99:5A:15:60:55:50:97:AA:36:6C:43
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 68:7d:ef:9b:2c:27:82:c2:3c:2f:16:6a:09:27:73:ac:90:da:
+ 2e:66:07:a0:f4:c2:4e:4c:3a:52:02:f7:23:dc:52:f5:3e:2e:
+ 94:29:22:b8:f4:f1:c7:44:85:5e:84:8a:6e:37:5c:84:16:5e:
+ 70:b5:f5:13:81:8e:89:09:b6:48:0e:51:9c:15:94:21:f1:21:
+ e6:38:14:50:a4:c3:85:4c:84:e9:eb:f6:b7:6a:a4:cc:12:02:
+ a5:0f:42:af:9a:1c:d9:c0:4c:98:c3:1c:12:2e:f7:84:d8:fa:
+ 24:4b:68:3c:20:c6:7c:60:78:d6:46:37:68:28:4f:81:c1:b7:
+ 32:30
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBDUkwgU2lnbmF0dXJl
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBT7CxX9unvmOEiZWhVgVVCXqjZsQzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBofe+bLCeCwjwvFmoJJ3OskNouZgeg9MJOTDpSAvcj3FL1Pi6UKSK49PHH
+RIVehIpuN1yEFl5wtfUTgY6JCbZIDlGcFZQh8SHmOBRQpMOFTITp6/a3aqTMEgKl
+D0KvmhzZwEyYwxwSLveE2PokS2g8IMZ8YHjWRjdoKE+BwbcyMA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem
new file mode 100644
index 0000000000..a70e68731c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBFTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEtMCsGA1UEAxMkQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCfjlwgIWm+Taynv+38GP1Yf2hDPMT5pcsPYlRaeFeg7Tsr/GhTZQKB
+qfO7h8J6JjoKD1m1BTcrdiHbRBnn183kxyhljulJLu87gOUt6LlTGTBFeaUhNNxv
+wpzF5uQ7xQcChTE7GF4kxt/oyehJFi9TGtnjdjlSi3LXG/xfQn81GwIDAQABo3ww
+ejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUScn8
+twM8Z20KAJOp5NalHpIftREwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABV8
+zJCN9czUhadFLy10H1usL1xGEcB8SRR3Row0a+Zmj8T9Se71hTgW7LfXQj3bCDJV
+3AyAd+WA4N0y0+eSRWRGNAcMrOeqNp1/Ki6iGNYceZ41Goudsc34StO7symFfatg
+hTr8/7eU6NXu2o9cDREBOJujBK/Uy52E4rx/Faxk
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Basic Self-Issued CRL Signing Key EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMHIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczFHMEUGA1UEAxM+SW52YWxpZCBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2ln
+bmluZyBLZXkgRUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANehtRiWYBhPipRRR0tIxuV4U49+DofUBRVQP5JDT79DtTbKaVOR
+HWgSi30ZrKSm3WkblfZoncF9ZMN/ocoqxeUNXwBqp8/wJYbE6js5YwBGTsfi3UfP
+s14vC1mU4ssE+ogwozLkXRcJGuFtJwNTZcEf43OkjdjLWiIH5DVhj9ZXAgMBAAGj
+azBpMB8GA1UdIwQYMBaAFEnJ/LcDPGdtCgCTqeTWpR6SH7URMB0GA1UdDgQWBBTa
+6ZIK1lgoOotgyyB2SLZbDxCDHDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAA/4ne7fgjMJuty5+P1V3QiH
+TxmpO+boz9+NO3Wc2Nj23sToATQqIcc6W1G3yKbN7uQEXtHgtPcIz5diAIJ8JNQl
+INBUxGlFASTWHNfnNJDgN7lwn4VjSAE7HzEKIJ3+HVTXI6+mdiCl/IYL9q02KSGi
+djAHT73bFgK6ydVH8Cal
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczEtMCsGA1UEAxMkQmFzaWMgU2VsZi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXGyrLR0BviK/81C9C/igI
+9zh+808dGICz2wS1Oh2CWCeYia4J/65Y7XBDRBW1TJbQLdrxt2289Lc/gc9+PW9j
+gwVpGRuYkFf+AwbMgLa1Ro5zqoIbD7WjTu7vgGdDvJmrSVLfSXavpeUBzp37Dsw6
+KzSHcBjPwGes7q3pjfhOMwIDAQABo4HyMIHvMB8GA1UdIwQYMBaAFEnJ/LcDPGdt
+CgCTqeTWpR6SH7URMB0GA1UdDgQWBBQPcsozQ6nEEVGrY9pEhw9hpPS+RzAOBgNV
+HQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIGDBgNVHR8EfDB6
+MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJKoZIhvcNAQEFBQADgYEAjoyS
+h7zhrGkL40stundacKPqIEZ3HyWW0NQhD0wBhWslGAOvlCaf44kuTKggRY6r96sy
+4kWEjvfGu/r/dBgrFaCCGNv0ui5FfXu8WeZ4jvHg7wZbx5ATx5Jpumqbm0PcEYCr
+YnA6WBCstG0lohNV2ohM/wqRFmBB0WL1K+9IdfQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0F:72:CA:33:43:A9:C4:11:51:AB:63:DA:44:87:0F:61:A4:F4:BE:47
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 5c:cd:8f:a3:3d:9e:64:f7:64:73:9c:2c:39:e2:e7:d7:0e:b8:
+ 1c:3e:9b:1d:14:dc:98:c2:8e:5a:1f:e5:47:31:fd:7e:a7:d5:
+ 9f:52:31:c8:10:f7:d0:a2:84:3f:77:c7:f1:ba:7e:24:62:ad:
+ 05:ae:1c:7b:ff:f0:e2:ce:55:f5:27:d3:cc:24:7f:c8:1d:a6:
+ b8:ce:42:05:e1:06:ec:1f:87:4c:d5:69:8d:78:59:d2:33:94:
+ 1c:3b:27:68:80:3d:6f:3d:a6:c7:9f:2b:39:9f:d7:c3:83:eb:
+ 77:bd:cc:7f:96:b3:ad:24:68:99:d1:1a:bf:05:1c:8c:3e:2a:
+ 02:f8
+-----BEGIN X509 CRL-----
+MIIBdTCB3wIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYtSXNzdWVk
+IENSTCBTaWduaW5nIEtleSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjAiMCACAQMXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0j
+BBgwFoAUD3LKM0OpxBFRq2PaRIcPYaT0vkcwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAXM2Poz2eZPdkc5wsOeLn1w64HD6bHRTcmMKOWh/lRzH9fqfVn1Ix
+yBD30KKEP3fH8bp+JGKtBa4ce//w4s5V9SfTzCR/yB2muM5CBeEG7B+HTNVpjXhZ
+0jOUHDsnaIA9bz2mx58rOZ/Xw4Prd73Mf5azrSRomdEavwUcjD4qAvg=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:49:C9:FC:B7:03:3C:67:6D:0A:00:93:A9:E4:D6:A5:1E:92:1F:B5:11
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0x.v.t.r0p1.0...U....US1.0...U.
+..Test Certificates1E0C..U...<Self-Issued Cert DP for Basic Self-Issued CRL Signing Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2e:12:1f:54:36:68:73:b2:5c:f6:11:48:f1:d6:7a:bf:ce:1d:
+ d9:21:7a:96:29:44:bc:83:26:d8:8c:f5:11:36:9a:f1:23:78:
+ 57:00:8b:13:c6:74:57:4d:3d:ba:ee:d4:ac:d4:40:b1:d0:80:
+ 91:f1:06:81:91:ba:a4:f8:1e:c7:6b:d6:20:3c:92:26:23:94:
+ 80:33:df:c7:3b:ac:fc:94:ea:e8:3d:d0:37:c1:d5:e9:ba:53:
+ 83:9e:26:ed:da:fb:10:0a:6e:d8:cd:d7:20:42:2c:d6:7d:18:
+ 32:6b:75:2a:3c:51:03:dd:4d:a1:80:e6:d8:95:6a:2c:b0:b6:
+ 72:31
+-----BEGIN X509 CRL-----
+MIIB2zCCAUQCAQEwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMS0wKwYDVQQDEyRCYXNpYyBTZWxmLUlzc3Vl
+ZCBDUkwgU2lnbmluZyBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqggbcwgbQwHwYDVR0jBBgwFoAUScn8twM8Z20KAJOp5NalHpIftREwCgYDVR0U
+BAMCAQEwgYQGA1UdHAEB/wR6MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0
+IERQIGZvciBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJ
+KoZIhvcNAQEFBQADgYEALhIfVDZoc7Jc9hFI8dZ6v84d2SF6lilEvIMm2Iz1ETaa
+8SN4VwCLE8Z0V009uu7UrNRAsdCAkfEGgZG6pPgex2vWIDySJiOUgDPfxzus/JTq
+6D3QN8HV6bpTg54m7dr7EApu2M3XIEIs1n0YMmt1KjxRA91NoYDm2JVqLLC2cjE=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest8.pem
new file mode 100644
index 0000000000..1865a68006
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest8.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBFTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEtMCsGA1UEAxMkQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCfjlwgIWm+Taynv+38GP1Yf2hDPMT5pcsPYlRaeFeg7Tsr/GhTZQKB
+qfO7h8J6JjoKD1m1BTcrdiHbRBnn183kxyhljulJLu87gOUt6LlTGTBFeaUhNNxv
+wpzF5uQ7xQcChTE7GF4kxt/oyehJFi9TGtnjdjlSi3LXG/xfQn81GwIDAQABo3ww
+ejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUScn8
+twM8Z20KAJOp5NalHpIftREwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABV8
+zJCN9czUhadFLy10H1usL1xGEcB8SRR3Row0a+Zmj8T9Se71hTgW7LfXQj3bCDJV
+3AyAd+WA4N0y0+eSRWRGNAcMrOeqNp1/Ki6iGNYceZ41Goudsc34StO7symFfatg
+hTr8/7eU6NXu2o9cDREBOJujBK/Uy52E4rx/Faxk
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Basic Self-Issued CRL Signing Key EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMHIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczFHMEUGA1UEAxM+SW52YWxpZCBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2ln
+bmluZyBLZXkgRUUgQ2VydGlmaWNhdGUgVGVzdDgwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAKvhIgfCe7osai3K6RoZSmpIrNAB/YJ7ImOrOZihxenRuEczoaGn
+0dC3ajSeX3sg2RIomf4JTDpzcBM2swr8JOcChUwnFzOZ/Fz6Q6OREST65hRxXECk
+GbkjgRrFnTgv3/s/v9Ilt/GbdIcgBxJ1797Fr+rOEDkwld4TGgIAIOO/AgMBAAGj
+azBpMB8GA1UdIwQYMBaAFA9yyjNDqcQRUatj2kSHD2Gk9L5HMB0GA1UdDgQWBBRx
+0uz3/5i8F8pGl1n7xes8mS3ymzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBABvl4GhXI+6jjTcXaeraQVtN
+9WsB0kIXPXptGui6yVAMTsB6MhCgqlhY3xihDUJIIXRy1oV4efSfFO7UbRWOoN5T
+MikwqCAVoLnl3KAZZ4qXuwi6+OIUSXx0m8CfPRNAYdEAHCHJT+KFR8wtY4eAgyVw
+ZVhFDwnSxbqX6ThJ5wdN
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczEtMCsGA1UEAxMkQmFzaWMgU2VsZi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXGyrLR0BviK/81C9C/igI
+9zh+808dGICz2wS1Oh2CWCeYia4J/65Y7XBDRBW1TJbQLdrxt2289Lc/gc9+PW9j
+gwVpGRuYkFf+AwbMgLa1Ro5zqoIbD7WjTu7vgGdDvJmrSVLfSXavpeUBzp37Dsw6
+KzSHcBjPwGes7q3pjfhOMwIDAQABo4HyMIHvMB8GA1UdIwQYMBaAFEnJ/LcDPGdt
+CgCTqeTWpR6SH7URMB0GA1UdDgQWBBQPcsozQ6nEEVGrY9pEhw9hpPS+RzAOBgNV
+HQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIGDBgNVHR8EfDB6
+MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJKoZIhvcNAQEFBQADgYEAjoyS
+h7zhrGkL40stundacKPqIEZ3HyWW0NQhD0wBhWslGAOvlCaf44kuTKggRY6r96sy
+4kWEjvfGu/r/dBgrFaCCGNv0ui5FfXu8WeZ4jvHg7wZbx5ATx5Jpumqbm0PcEYCr
+YnA6WBCstG0lohNV2ohM/wqRFmBB0WL1K+9IdfQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0F:72:CA:33:43:A9:C4:11:51:AB:63:DA:44:87:0F:61:A4:F4:BE:47
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 5c:cd:8f:a3:3d:9e:64:f7:64:73:9c:2c:39:e2:e7:d7:0e:b8:
+ 1c:3e:9b:1d:14:dc:98:c2:8e:5a:1f:e5:47:31:fd:7e:a7:d5:
+ 9f:52:31:c8:10:f7:d0:a2:84:3f:77:c7:f1:ba:7e:24:62:ad:
+ 05:ae:1c:7b:ff:f0:e2:ce:55:f5:27:d3:cc:24:7f:c8:1d:a6:
+ b8:ce:42:05:e1:06:ec:1f:87:4c:d5:69:8d:78:59:d2:33:94:
+ 1c:3b:27:68:80:3d:6f:3d:a6:c7:9f:2b:39:9f:d7:c3:83:eb:
+ 77:bd:cc:7f:96:b3:ad:24:68:99:d1:1a:bf:05:1c:8c:3e:2a:
+ 02:f8
+-----BEGIN X509 CRL-----
+MIIBdTCB3wIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYtSXNzdWVk
+IENSTCBTaWduaW5nIEtleSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjAiMCACAQMXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0j
+BBgwFoAUD3LKM0OpxBFRq2PaRIcPYaT0vkcwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAXM2Poz2eZPdkc5wsOeLn1w64HD6bHRTcmMKOWh/lRzH9fqfVn1Ix
+yBD30KKEP3fH8bp+JGKtBa4ce//w4s5V9SfTzCR/yB2muM5CBeEG7B+HTNVpjXhZ
+0jOUHDsnaIA9bz2mx58rOZ/Xw4Prd73Mf5azrSRomdEavwUcjD4qAvg=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:49:C9:FC:B7:03:3C:67:6D:0A:00:93:A9:E4:D6:A5:1E:92:1F:B5:11
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0x.v.t.r0p1.0...U....US1.0...U.
+..Test Certificates1E0C..U...<Self-Issued Cert DP for Basic Self-Issued CRL Signing Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2e:12:1f:54:36:68:73:b2:5c:f6:11:48:f1:d6:7a:bf:ce:1d:
+ d9:21:7a:96:29:44:bc:83:26:d8:8c:f5:11:36:9a:f1:23:78:
+ 57:00:8b:13:c6:74:57:4d:3d:ba:ee:d4:ac:d4:40:b1:d0:80:
+ 91:f1:06:81:91:ba:a4:f8:1e:c7:6b:d6:20:3c:92:26:23:94:
+ 80:33:df:c7:3b:ac:fc:94:ea:e8:3d:d0:37:c1:d5:e9:ba:53:
+ 83:9e:26:ed:da:fb:10:0a:6e:d8:cd:d7:20:42:2c:d6:7d:18:
+ 32:6b:75:2a:3c:51:03:dd:4d:a1:80:e6:d8:95:6a:2c:b0:b6:
+ 72:31
+-----BEGIN X509 CRL-----
+MIIB2zCCAUQCAQEwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMS0wKwYDVQQDEyRCYXNpYyBTZWxmLUlzc3Vl
+ZCBDUkwgU2lnbmluZyBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqggbcwgbQwHwYDVR0jBBgwFoAUScn8twM8Z20KAJOp5NalHpIftREwCgYDVR0U
+BAMCAQEwgYQGA1UdHAEB/wR6MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0
+IERQIGZvciBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJ
+KoZIhvcNAQEFBQADgYEALhIfVDZoc7Jc9hFI8dZ6v84d2SF6lilEvIMm2Iz1ETaa
+8SN4VwCLE8Z0V009uu7UrNRAsdCAkfEGgZG6pPgex2vWIDySJiOUgDPfxzus/JTq
+6D3QN8HV6bpTg54m7dr7EApu2M3XIEIs1n0YMmt1KjxRA91NoYDm2JVqLLC2cjE=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedNewWithOldTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedNewWithOldTest5.pem
new file mode 100644
index 0000000000..51a795fa99
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedNewWithOldTest5.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBFDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgT2xkIEtleSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+q8Gbt04t1VYDzow3lv3G+lNNQ/gCP0fz7/PBxNPzAwluA2Qzeix8gg74cXMpRe8u
+PosT3EZZ9iK1PyFmcNq+CjzCuvi8d+1gaGS36wkcQBB6g7HiKRQ8ERQ4cEE6CH21
+ntbFzVbn3d+NofzVo6e1AIdHDNPm7G0+F6f034Lo508CAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPqiarnu+k/Fcp11
+00t6bYzkXDkkMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBzQl++7X/MYd9h
+3E0XroNDuD8TflER0UTgWOwN5UO8BXz8j402hmhEPyw66u6R27V7U1/wf8wtCAli
+W7LnTcJKWFy9HKnpibiz50ike8zgsVmv1godVgDn/xvQPRAnWq+OX9Abc+6OTqiw
+aDNRQp2WD1ph+daLu1XQgeAoD4Gajw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Basic Self-Issued New With Old EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBvMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRDBC
+BgNVBAMTO0ludmFsaWQgQmFzaWMgU2VsZi1Jc3N1ZWQgTmV3IFdpdGggT2xkIEVF
+IENlcnRpZmljYXRlIFRlc3Q1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCT
+jnQuWQQfSAPHMxbQs5/JPin7talEYrAwqnyOVuFLu5omsqP9HAX7nkKxNRfOUlP6
+af7Ha9u8C+frLG5WwPmnf9XYIBaisUdEiga8saNMEGChSlZmaPoLD/LTNlCcwCEt
+HaHuhAAN62AgP9WMXsrfctRTccjIaQVsJnnTOCUAqwIDAQABo2swaTAfBgNVHSME
+GDAWgBT6omq57vpPxXKdddNLem2M5Fw5JDAdBgNVHQ4EFgQUUw9DlHqj5ferws7b
+XdljGKM4E7cwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATANBgkqhkiG9w0BAQUFAAOBgQAzzPXRKubQgAmne7+Rqggy+8Ezi3Q7+1cNjILV
+wVSnnVggqbd6C/cOV9P4aw1ljohm6fH5IXxfCpP1UqahccTT/m0482gfIxmCobF4
+MBi/cq6qlhQQIjBxGRkyysQIb911FCME2mVUlLQJbjkgpzl6oMu0M2Lt8m8ypgVf
+YqDhRA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVkIE9sZCBLZXkgQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBALQ4a61C9wpu5W0cACccONm+QLNESmbHtLwy498fByU6
+h5UnHkutUfy7DbIv3rELFXUd2yM5xQI/QuQZ20EjXOZiCSJEcvzfoAyFLrAPf1pN
+xQybX5HhLnJK+oGlwmD4ZatL7oDqV5IhlIS0So7g+SBOCh5lkKdzbH3l6D7nQXSD
+AgMBAAGjgfowgfcwHwYDVR0jBBgwFoAU+qJque76T8VynXXTS3ptjORcOSQwHQYD
+VR0OBBYEFBu6jCGHcwcFmPrrudlvQaRF1YbqMA4GA1UdDwEB/wQEAwIBBjAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zB7BgNVHR8EdDBy
+MHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAHDVnYLXKN//Mu1w
+BZS8DbfQ8p/DlXZ0n9EmdXRzoHXReDWeOaoiHU1H1HNJcLMe4YgEjsttTEBGfsZo
+OvyNNUZ7C/oQymaDykP9W/m1TX3ZVLmx96zj36gCkVPczoG78kQ5zVjoLl5G5BJQ
+4YX3NumsNd2WpHY34K21Cd/KJ5KJ
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:1B:BA:8C:21:87:73:07:05:98:FA:EB:B9:D9:6F:41:A4:45:D5:86:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 62:de:93:8c:36:dd:b2:71:56:bb:4e:e4:32:37:51:de:6e:19:
+ 01:dd:3e:25:8c:d4:81:7e:fc:66:54:74:0d:32:30:d2:11:49:
+ dc:ad:6a:b4:fc:8f:ec:e6:56:fe:e6:ec:53:9e:41:66:31:2c:
+ ee:3a:be:bd:74:34:9b:71:c1:67:1d:3b:28:04:b9:85:e5:72:
+ cd:f0:2b:a7:d9:d5:e3:43:25:4a:52:2e:79:24:52:cf:75:e1:
+ 3c:35:82:d1:5d:1e:f6:05:8b:45:24:67:ed:84:9f:c7:8d:c0:
+ 19:55:5e:52:76:3e:2f:f4:af:13:ae:d8:24:a3:17:68:5d:b5:
+ 45:74
+-----BEGIN X509 CRL-----
+MIIBbTCB1wIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVk
+IE9sZCBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgEE
+Fw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFBu6
+jCGHcwcFmPrrudlvQaRF1YbqMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AGLek4w23bJxVrtO5DI3Ud5uGQHdPiWM1IF+/GZUdA0yMNIRSdytarT8j+zmVv7m
+7FOeQWYxLO46vr10NJtxwWcdOygEuYXlcs3wK6fZ1eNDJUpSLnkkUs914Tw1gtFd
+HvYFi0UkZ+2En8eNwBlVXlJ2Pi/0rxOu2CSjF2hdtUV0
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FA:A2:6A:B9:EE:FA:4F:C5:72:9D:75:D3:4B:7A:6D:8C:E4:5C:39:24
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0p.n.l.j0h1.0...U....US1.0...U.
+..Test Certificates1=0;..U...4Self-Issued Cert DP for Basic Self-Issued Old Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:6b:ec:1f:5b:3d:31:1c:fe:c6:40:ca:e3:c5:52:30:a0:9a:
+ 55:ee:f8:c3:bd:cd:b1:45:d0:7f:44:f6:42:1c:0f:b9:df:8f:
+ 4d:25:0b:ba:5b:bd:0c:68:c2:ce:b0:c4:17:e7:be:81:de:73:
+ 55:5c:6b:d6:3d:e5:e2:18:31:d7:5f:6e:1d:4b:0b:31:cd:44:
+ fe:29:d5:27:77:f5:83:bc:ee:3f:46:31:d5:66:5a:a1:9b:1f:
+ 16:d0:8c:ef:ae:bb:36:75:a4:b3:62:be:16:cd:de:b8:90:bd:
+ 5f:26:1f:a7:d8:1e:59:ce:27:af:ee:ab:de:9d:1d:66:ef:9e:
+ 49:cb
+-----BEGIN X509 CRL-----
+MIIByjCCATMCAQEwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSUwIwYDVQQDExxCYXNpYyBTZWxmLUlzc3Vl
+ZCBPbGQgS2V5IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIGuMIGr
+MB8GA1UdIwQYMBaAFPqiarnu+k/Fcp1100t6bYzkXDkkMAoGA1UdFAQDAgEBMHwG
+A1UdHAEB/wRyMHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBC
+YXNpYyBTZWxmLUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAIxr
+7B9bPTEc/sZAyuPFUjCgmlXu+MO9zbFF0H9E9kIcD7nfj00lC7pbvQxows6wxBfn
+voHec1Vca9Y95eIYMddfbh1LCzHNRP4p1Sd39YO87j9GMdVmWqGbHxbQjO+uuzZ1
+pLNivhbN3riQvV8mH6fYHlnOJ6/uq96dHWbvnknL
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedOldWithNewTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedOldWithNewTest2.pem
new file mode 100644
index 0000000000..e0924953b8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedOldWithNewTest2.pem
@@ -0,0 +1,134 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBEzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgTmV3IEtleSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+tCkygqcMEOy3i8p6ZV3685us1lOugSU4pUMRJNRH/lV2ykesk+JRcQy1s7WS12j9
+GCnSJ919/TgeKLmV3ps1fC1B8HziC0mzBAr+7f5LkJqSf0kS0kfpyLOoO8VSJCip
+/8uENkSkpvX+Lak96OKzhtyvi4KpUdQKfwpg6xUqakECAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFK+5+R3CRRjMuCHi
+p0e8Sb0ZtXgoMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCuRBfDy2gSPp2k
+ZR7OAvt+xDx4toJ9ImImUvJ94AOLd6Uxsi2dvQT5HLrIBrTYsSfQj1pA50XY2F7k
+3eM/+JhYCcyZD9XtAslpOkjwACPJnODFAY8PWC00CcOxGb6q+S/VkrCwvlBeMjev
+IH4bHvAymWsZndBZhcG8gBmDrZMwhQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE5ldyBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVkIE5ldyBLZXkgQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANa7RRhusOV0Ub10qBKMsUMG7QViaonYz0IcJLX0FKEI
+EpTq0SV6NeVjjzmcrSrzjHQfJpkywOHRiMw7XvYunmzlwGSoD6TW1ZUYVDaQbKUT
+oWooVoCzVstf6AsZiJiHQtBt4x4OHap7QRcJdlh7aPhp6TR+zq8gB1HsG8yUlG0x
+AgMBAAGjfDB6MB8GA1UdIwQYMBaAFK+5+R3CRRjMuCHip0e8Sb0ZtXgoMB0GA1Ud
+DgQWBBTJW9PRvwbxAcF5XLtzDY1MRsst2TAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAhIZ09WrNK3jX+b8HugQygNCBEVVfX7TOCCFkmRaxp4R/QBHWvcts0YQT
+6M5ZC6b877id6zRYegHadKekVVqwFbLKEO0MnpD2yGhGgDpbil2HlEaQ9yKQXpGF
+CBx05/e7jkNhk/zGDsBqmNzkozrJOYBohkwUOjVFkAuLyovPhTY=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Basic Self-Issued Old With New EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE5ldyBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBvMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRDBC
+BgNVBAMTO0ludmFsaWQgQmFzaWMgU2VsZi1Jc3N1ZWQgT2xkIFdpdGggTmV3IEVF
+IENlcnRpZmljYXRlIFRlc3QyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv
+b2Xj8btEB2QsPM7mVVrsnON6Aw/LdDQc2nszxDNBn133XQWeVkHORkod3p9DEg4i
+TEdCG+rweF78vMSAhWAucXcFC59NAjUgxMiaIneUK2lKDW3afmmLHzV3nHjlNkj2
+DN/BvUmo3Pp2lhrmdTY1WFfvQdueeiZKbCB5dor8+QIDAQABo2swaTAfBgNVHSME
+GDAWgBTJW9PRvwbxAcF5XLtzDY1MRsst2TAdBgNVHQ4EFgQUJuUNG88pizoZguKT
+iPPiMZLmggYwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATANBgkqhkiG9w0BAQUFAAOBgQDGIVBl9ctXIMIN1Zy2QYgGnP8POYBiHPRkHZwT
+IGhox7QsinsIS/Lc83H8Y4OeUaJWrGGL2HkSTR/eQgSFGwf2u297IhHOwtutllNJ
+MvzlnvuG6uNAfRCuJftf8hSU3ouJoVVCi9CuCg1IhW6Eg61/oFIqZW33Jr6EvI8R
+WDDSrQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AF:B9:F9:1D:C2:45:18:CC:B8:21:E2:A7:47:BC:49:BD:19:B5:78:28
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:fe:c5:db:86:ee:6b:0e:f8:68:85:d2:0d:c1:44:01:d1:33:
+ 5d:9a:42:14:a7:a9:20:bd:38:30:c1:f1:3e:c1:b8:d9:4c:ba:
+ fd:3d:7c:a9:66:5f:94:fa:46:e8:23:94:4e:8d:09:1c:45:6b:
+ 21:ce:b5:cf:3f:e6:18:33:d0:ac:a6:ea:c5:f9:32:6e:75:31:
+ 79:6b:1a:8e:50:05:86:89:f9:f3:e9:8f:67:e7:93:b7:d3:05:
+ b0:9f:2c:97:9c:b7:7e:01:7e:c6:5e:f8:72:4d:11:6b:9d:30:
+ f2:69:df:68:5d:aa:a0:84:f1:07:68:15:fd:93:f6:14:a1:f9:
+ 90:ce
+-----BEGIN X509 CRL-----
+MIIBbTCB1wIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVk
+IE5ldyBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgED
+Fw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFK+5
++R3CRRjMuCHip0e8Sb0ZtXgoMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AHP+xduG7msO+GiF0g3BRAHRM12aQhSnqSC9ODDB8T7BuNlMuv09fKlmX5T6Rugj
+lE6NCRxFayHOtc8/5hgz0Kym6sX5Mm51MXlrGo5QBYaJ+fPpj2fnk7fTBbCfLJec
+t34BfsZe+HJNEWudMPJp32hdqqCE8QdoFf2T9hSh+ZDO
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCASignatureTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCASignatureTest2.pem
new file mode 100644
index 0000000000..520f583902
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCASignatureTest2.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Invalid CA Signature Test2
+issuer=/C=US/O=Test Certificates/CN=Bad Signed CA
+-----BEGIN CERTIFICATE-----
+MIICcDCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMTDUJhZCBTaWduZWQg
+Q0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGkludmFsaWQg
+Q0EgU2lnbmF0dXJlIFRlc3QyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw
+QAB1tOhQDQfPXGHNyIA/wyXWG+GAx10kyG++1vTg81Le2VcCJjiZqVFLmLfBA9n1
+cD4b9zSs2MrdUpnwVRWbHmeVYLW558PktB5UwAoEPQuV73PuRiN3GQQULGgh2AlF
+k8PciufvFGkmYEco5d8AEM9Gv3QIgOKEraQME0I/NQIDAQABo2swaTAfBgNVHSME
+GDAWgBRCG2+XCyN5H8EIV546pgqckIgf2DAdBgNVHQ4EFgQUfIdcwY2/jxziMCvk
+H33rpDMUuV4wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATANBgkqhkiG9w0BAQUFAAOBgQBgBJI+iPa3EWEHQqZr88JOAiU+tMO54vqLZ56J
+visDO48tZuOHCSkrqHvBzsabiTuHjDvcHtivavtV43IyHAnyrajntNrs4lPBJlr3
+XvTn5qVlsmuNGJqUrbxiyeNH/y1OB1Embx/RaoSOy0ffruRpL5PXyFvhn9z30I8f
+2zkCOA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Bad Signed CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICczCCAdygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEExCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEWMBQGA1UEAxMNQmFkIFNpZ25l
+ZCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA16COIB4MAs+kpSoCuSHv
+grtYTFABazGQDi3rvkQzAbL4QlKE64PAaeN4S3E9A1wg7uWYiru7ZM2D4k6grNKR
+3QGx9APutE7yZHZt8Wd2upDOP62BTYHPrP7hWBSDWBmOKi367A3eviObljIH6BeF
+EY6XcgDZg3o5AisPFzKK/pECAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6
+ng2wPOqavIf/SeowHQYDVR0OBBYEFEIbb5cLI3kfwQhXnjqmCpyQiB/YMA4GA1Ud
+DwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOBgQASa6C+NTUfhhObLuxx8/8DFxAuEv5l+BQV
+S7NV/MAZBPHBSw89ffEPEfbxBTcBYRI+UP59a/zHrzscTSqri7WoTEy/8tKIegHd
+QDjTSXNL6oYGiQXDJY/r2kQB2mArrcL+KzKkC++gNgrdoJlpk6+4lfaBLiETQNtD
+RBJVYzR5MA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Bad Signed CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:42:1B:6F:97:0B:23:79:1F:C1:08:57:9E:3A:A6:0A:9C:90:88:1F:D8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 11:91:7d:19:a5:03:4e:a7:f1:1f:18:62:94:fa:97:a0:46:41:
+ 96:31:95:19:49:79:a9:e5:f1:84:aa:c8:dc:c8:7f:92:07:e4:
+ fc:66:96:9b:2e:8e:73:aa:ad:70:11:19:fd:8e:be:f2:74:3f:
+ 79:02:5a:e6:2a:67:b4:46:d7:1d:8a:de:c8:d0:b7:cc:f6:85:
+ db:90:a6:46:9c:ad:23:09:47:aa:f0:44:45:63:f5:40:dd:fc:
+ 75:bf:4b:85:2f:fa:74:09:f8:19:8f:29:97:92:ae:34:5c:6e:
+ 6b:6b:40:74:51:58:26:df:95:b7:72:13:3d:b1:76:9a:0a:43:
+ 37:31
+-----BEGIN X509 CRL-----
+MIIBOjCBpAIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMTDUJhZCBTaWduZWQgQ0EXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFEIbb5cL
+I3kfwQhXnjqmCpyQiB/YMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBABGR
+fRmlA06n8R8YYpT6l6BGQZYxlRlJeanl8YSqyNzIf5IH5PxmlpsujnOqrXARGf2O
+vvJ0P3kCWuYqZ7RG1x2K3sjQt8z2hduQpkacrSMJR6rwREVj9UDd/HW/S4Uv+nQJ
++BmPKZeSrjRcbmtrQHRRWCbflbdyEz2xdpoKQzcx
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotAfterDateTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotAfterDateTest5.pem
new file mode 100644
index 0000000000..db8f821780
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotAfterDateTest5.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Bad notAfter Date CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0wMjAxMDExMjAxMDBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUQmFkIG5vdEFm
+dGVyIERhdGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO8t6F1gCSiD
+eAh0EXEEP1RGW1G+zM3TmSeKbm0GLmH4SJp7HbsjBab4wtNEVlOrYMG5phm3dro3
+P6YEmVt0q2yzDo8OkpfbYwJEy6e/vdjF9itss2yajms7qA6xPbggpdYElK4y/1Ei
+o0+nUli6dZQpEz7/V5tSk8S3zvh+lJ+jAgMBAAGjfDB6MB8GA1UdIwQYMBaAFPts
+1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQtDCY+YSMuNxOnyukyqVHgELUF
+MjAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAMDkUbWtYhitXM+mGr3TBaTgM
+IlnMLUMsqxka0EQ7fiEaLtVsOD8CjMRKeNcWo6ZwVfJk7EDOnV4+E1TlAzNp1m9z
+rHB+fc97XJlIaQwOF1WMnjaZl96TO5Tb8FIaebsIeknz2m8IhfZ/EuWPfqs37ZxQ
+b0YPNilIGsUSrT3rTBk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid CA notAfter Date EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=Bad notAfter Date CA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBub3RBZnRl
+ciBEYXRlIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYTELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTYwNAYDVQQDEy1J
+bnZhbGlkIENBIG5vdEFmdGVyIERhdGUgRUUgQ2VydGlmaWNhdGUgVGVzdDUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOhmxDd5kdaDqSlvran3+R64X7ilMaOb
+DINojoBxIW3XAxrXD3TFdV/twdn97GoxEkeh14g1W9IV7RTwfDoVf95tjNli7Zsg
+ye+NVj1gYVV+DdMpxy44biOW6s9l2wRqNqoeE1AFSj2su1PgamWIHiGo4BQkcE5F
+bMwHbJCR8znNAgMBAAGjazBpMB8GA1UdIwQYMBaAFC0MJj5hIy43E6fK6TKpUeAQ
+tQUyMB0GA1UdDgQWBBRsW4S+GLLshXYDAKY/yVcV2NlPtjAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBANJW
+FdT2Ss72xFAtOuGm5EoRp7tP32SI2iyLmeLRi7YeIo/95FVK6xVzjZ8zT3pjyKvx
+7qe2O/cF9SyQssnebmTqLJQxCeWHWzt0BpbI4U9GZJF0vEeqTU/psLhr6p+20T6R
+XmeWECYyRGe0Wmndt5GJ74PBYrUjR5mtDojhKn/o
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Bad notAfter Date CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:2D:0C:26:3E:61:23:2E:37:13:A7:CA:E9:32:A9:51:E0:10:B5:05:32
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a6:dd:d9:bd:87:0d:1d:95:02:a5:1f:92:e9:dd:bc:1f:16:df:
+ b4:5d:31:d9:76:6f:06:90:cf:da:09:6e:f8:15:1e:bd:41:d6:
+ 4f:a3:f4:78:a8:67:96:1d:ef:8a:c1:77:e8:b2:83:81:5e:d0:
+ f3:53:36:a8:78:39:d2:cf:eb:b7:57:e6:13:ac:33:87:9c:19:
+ 64:08:a3:14:5d:71:79:b7:10:88:93:44:a5:32:79:85:fc:fa:
+ a5:a5:81:d6:99:60:2e:a5:2e:2e:6a:60:41:29:70:2a:27:b7:
+ 9b:52:75:fd:9e:06:e2:80:f6:6e:0e:19:39:75:9e:a8:70:b3:
+ ca:d7
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBub3RBZnRlciBEYXRl
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBQtDCY+YSMuNxOnyukyqVHgELUFMjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQCm3dm9hw0dlQKlH5Lp3bwfFt+0XTHZdm8GkM/aCW74FR69QdZPo/R4qGeW
+He+KwXfosoOBXtDzUzaoeDnSz+u3V+YTrDOHnBlkCKMUXXF5txCIk0SlMnmF/Pql
+pYHWmWAupS4uamBBKXAqJ7ebUnX9ngbigPZuDhk5dZ6ocLPK1w==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotBeforeDateTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotBeforeDateTest1.pem
new file mode 100644
index 0000000000..6a9d14d41f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotBeforeDateTest1.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Bad notBefore Date CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw00NzAxMDExMjAxMDBaFw00OTAxMDExMjAxMDBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVQmFkIG5vdEJl
+Zm9yZSBEYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJp+RthgxM
+5Y+NQaGv+L8CNjnEejXyimG9JuXmo6Uc6ZjMhYgIlr3iAA+dcZRCJhsJxY7RXaS4
+q3rRLSR7ROQdjSDNbuGXRht0SGe3MlOoIJEqFVGWppp3BVY4GUwN/s5zmgj/vE+2
+eCwl96Fk8NWIm/qvugmG7+bvAy80zDvMLwIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUHnoz+COKGJwqbE84ItXL/Z2Q
+fVgwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJpC5ygICALpvY5i3Q5a3179
+Ao05EA6N8ZKZHoS49lok81lUMy/MLGY5zQlggicV916WyTdDd2CO8q/lSCMTRO3C
+CrsU9kd4w1V1J/OnfYDuHoRIH0hqowTdm6bEnyMhuq2YnRotAKhkX2g/ekDYuC9A
+Lo8Ispl3HslMbhf/mhGj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid CA notBefore Date EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Bad notBefore Date CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFUJhZCBub3RCZWZv
+cmUgRGF0ZSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBDQSBub3RCZWZvcmUgRGF0ZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuT/PBuMdSN+JtQHVYA67GVmByJJV
+4dw76fphkGkaVX0EhLBs1ZK0jH4H+/rGlzrmDGTT5k2xwYc73ZJOkGDq+5EPnKy2
+0MMuiU34oORcfElE/rYu4tqGwh9aARFDBpjzBNqCNMTR6wD5uIJ1HpZI3KfyuP1b
+sX5KW83tw4qRbmsCAwEAAaNrMGkwHwYDVR0jBBgwFoAUHnoz+COKGJwqbE84ItXL
+/Z2QfVgwHQYDVR0OBBYEFGl/WT2zZWdmw1t+EsACdTdTWeWwMA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEA
+bf33IqIzT3eBs8IJCqw6hFy40WjrIDPUgfNMdPE02k+Z8/0y+QCczqm4PXynRsyk
+Zrn38tggQf2IVs/q+1IJsZS+3FWaj/iucO3twNWqPGqq60uc0xwpRhbIx1V8s1Dt
+1Jh1zD4+KU9o+ai5aN2ErGWfCjBpIlFhwI1XXT0NLKY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Bad notBefore Date CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:1E:7A:33:F8:23:8A:18:9C:2A:6C:4F:38:22:D5:CB:FD:9D:90:7D:58
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8a:4b:5c:e0:02:33:0e:3b:5e:59:a5:2d:7e:5c:16:2d:22:fc:
+ b4:11:aa:00:7f:9c:51:f3:38:85:a3:84:33:3e:68:e5:7a:0d:
+ d9:e1:c7:6a:f9:48:cc:f0:ee:0c:c8:15:b4:41:b7:a6:20:2a:
+ 9d:68:8e:74:dd:b6:ee:eb:03:ae:fa:4d:50:c4:80:e7:7a:6a:
+ 0a:0e:eb:64:ca:a5:a6:64:e4:98:96:75:f1:50:9f:c3:a6:c8:
+ b6:d5:b7:64:7b:8e:ce:40:f2:bc:13:1b:16:52:4a:e5:8b:22:
+ ae:9a:59:a9:e3:a7:44:0a:8f:92:b6:15:76:cc:25:f3:c7:a4:
+ 1c:f0
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFUJhZCBub3RCZWZvcmUgRGF0
+ZSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUHnoz+COKGJwqbE84ItXL/Z2QfVgwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAiktc4AIzDjteWaUtflwWLSL8tBGqAH+cUfM4haOEMz5o5XoN2eHHavlI
+zPDuDMgVtEG3piAqnWiOdN227usDrvpNUMSA53pqCg7rZMqlpmTkmJZ18VCfw6bI
+ttW3ZHuOzkDyvBMbFlJK5YsirppZqeOnRAqPkrYVdswl88ekHPA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest31.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest31.pem
new file mode 100644
index 0000000000..732af1b50b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest31.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBRjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIEROUzEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKF4cGWB
+eAaOHCGkAPlmkE9/9XtvEpanIGNf1g0ab0PBnZR8ffY+IK2+rwOeMVtfXmJbaxi/
+Z70teNn94XkPXH6Pmz/pL170Q96CasAsPU2uQC4AtNjkUSeFbSoY7Ul2NaBYqLrW
+yQ7O3jEXdX76KQWqYcihAq1Jw+AEruMq98WrAgMBAAGjgaUwgaIwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFHXnZ0cYCavxiIjbno3V
+F1KO/HN4MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoBgwFoIUdGVzdGNlcnRpZmlj
+YXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAzUV5anoiOD8wQQnetIFcg5wLnNlr
+dPixWje4q2JQcPnqZk3TW9O0GDtWHmZwVoS3PixQlJPHZGvkliTKM9vO7a8J2FDl
+/ZFRNrm2rHFjZxygk+UTwj+SI4CO8kmtSesvV0ViWwNNyfOV/nmvBjqy6pEbTnCD
+pax2/2P2ruVALCk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid DNS nameConstraints EE Certificate Test31
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+-----BEGIN CERTIFICATE-----
+MIICwjCCAiugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBETlMxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIEROUyBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDMxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8Xm5JY/SJcUmQCDr+0GM+
+besWWL+OVllIdYjVus23p+8nx/r0PV4GQIKxh/12lQHPVKesX5OzuXUnlrFs0MNS
+hDKURr8PbBBD9pCKfwqTuDVGjcYNbxgOR7uCxwIWs62VK/yw3NqulTjTxjVba+Ih
+NDJEggvzeyEavzd9UoppGQIDAQABo4GbMIGYMB8GA1UdIwQYMBaAFHXnZ0cYCavx
+iIjbno3VF1KO/HN4MB0GA1UdDgQWBBQvlbhY4sw3ciETxMClyRfo7svC/DAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMC0GA1UdEQQmMCSC
+InRlc3RzZXJ2ZXIuaW52YWxpZGNlcnRpZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEF
+BQADgYEAS0/t3TgdHeRWJY1IdcR6w3gBMrNIweoAzXNnKgrodk3esABKU4lZrMr8
+UMW4sDbD1yNjLhGagmSj+1joyqYLTCh0NYgGbj7xS+zQfAGBdbctVpKYJ1l/pmxe
+CVPOHHU/YkBHnWMouumAnTpEcgbtHTMvsxQNef/pH9IcCBlnOSY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:75:E7:67:47:18:09:AB:F1:88:88:DB:9E:8D:D5:17:52:8E:FC:73:78
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 90:61:77:a1:94:8e:c3:62:6b:dd:eb:ec:3f:0d:e0:dc:1f:b9:
+ 04:fa:e1:74:e4:5d:d2:0a:cb:42:4f:41:9a:a5:91:d4:2d:57:
+ d2:6f:1d:5f:cd:9a:2c:24:5f:3d:21:9f:87:78:17:33:96:09:
+ 1b:d1:bd:f9:50:b7:17:c1:e0:af:50:95:7a:9d:03:9e:2c:95:
+ ef:f2:c2:a2:74:93:d3:9c:c2:73:74:96:90:b0:78:15:69:e5:
+ eb:b4:5d:dd:19:4d:ea:9a:78:af:ae:a4:b5:69:78:58:aa:7d:
+ 5d:9e:05:ee:a8:8d:2d:16:03:86:18:62:6b:cd:67:8c:5e:13:
+ 1d:46
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBE
+TlMxIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBR152dHGAmr8YiI256N1RdSjvxzeDAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQCQYXehlI7DYmvd6+w/DeDcH7kE+uF05F3SCstCT0GapZHULVfSbx1f
+zZosJF89IZ+HeBczlgkb0b35ULcXweCvUJV6nQOeLJXv8sKidJPTnMJzdJaQsHgV
+aeXrtF3dGU3qmnivrqS1aXhYqn1dngXuqI0tFgOGGGJrzWeMXhMdRg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest33.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest33.pem
new file mode 100644
index 0000000000..fc1e759012
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest33.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIEROUzIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANmefIFU
+RUgrahNMyIfzibuPD5LXv1aF765kc/ROx4BQYuBUZehjaB0G3eHv0wGu5rSJbnoy
+Lpdv0XVvBKEai/K+9iIereljhcwZzKTbHHvAdhCtgImX/Zz/KZ7OU4GZJGkdcj9r
+e/szQBEqTWkWB7hT25WM4ghi5xAz1Tn3foOxAgMBAAGjgagwgaUwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFH6Q3Dvq3pzSm0JE73sa
+zW6PkuC0MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zApBgNVHR4BAf8EHzAdoRswGYIXaW52YWxpZGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAekwpteebcTHJ3RTTqNmNlRsw
+aSa2MtBlaOVNyWi/Qsgy/LO5We9Ahkq56VlKB4WTWCFBdrbbnZ4k1Dpgj+NA8YBD
+Ysuq9KofKqycs+alN4JOOMtKHzbm05wPqkhY1qbBFAUbrEm5felp5drbJys97mCX
+bm7XHTxTuImtWM4ESC4=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid DNS nameConstraints EE Certificate Test33
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBETlMyIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIEROUyBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDMzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxL/NbfBumGy235WIg06BG
+/D3/nRm8g5DewpBeSbgEPD/1yljXiblJ9TItVB7HrbJsewZWk28/396FVXb69SeD
+rmYXPflrEmgQlCp6IT0axE+gS6zTeS6qCAeHVWGLLvKOx6/9j/xqw2zUUDb1kZTy
+IedQLQlkNsdE966MUxr7fwIDAQABo4GQMIGNMB8GA1UdIwQYMBaAFH6Q3Dvq3pzS
+m0JE73sazW6PkuC0MB0GA1UdDgQWBBTg13snqN9OjzwRLPdrP94IHHcERDAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCIGA1UdEQQbMBmC
+F2ludmFsaWRjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBALVLczfP
+n/oPIoeyzrVNW7swi6hL0k/Hp4Ki4rB1HA+cXcuGMJTM1mnk7gLd9Mjjyp0Iz7DP
+82k+Kv+9+EpOWHhwkvAJVJisKGVO4NrUbuxGhoYggP+ig5gsuHAfCAlzLfzQgW+V
+BtejP9VrkYTGxKno9uiIjXfO/VQ9w8pB1Kci
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:7E:90:DC:3B:EA:DE:9C:D2:9B:42:44:EF:7B:1A:CD:6E:8F:92:E0:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 02:f1:3c:9c:25:d8:e5:f3:99:97:72:47:d1:94:a1:f0:11:0a:
+ 8d:ef:9f:4c:c6:3e:93:23:1c:76:92:f7:68:f7:8f:9d:d0:ab:
+ 7d:73:20:ba:f8:ea:1c:90:10:59:01:07:c3:11:36:15:70:b3:
+ e1:80:3f:38:65:42:77:78:95:79:6d:a9:88:c7:54:59:b2:52:
+ 9d:da:5a:58:a1:73:1e:07:78:00:01:67:02:41:9e:82:b4:ab:
+ f3:d1:74:00:8f:ce:fa:78:8b:c5:ff:ca:40:ca:88:90:ac:74:
+ 78:41:4b:60:85:3f:43:31:7e:1c:60:bb:3d:91:09:df:9d:f3:
+ 6a:40
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBE
+TlMyIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBR+kNw76t6c0ptCRO97Gs1uj5LgtDAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQAC8TycJdjl85mXckfRlKHwEQqN759Mxj6TIxx2kvdo94+d0Kt9cyC6
++OockBBZAQfDETYVcLPhgD84ZUJ3eJV5bamIx1RZslKd2lpYoXMeB3gAAWcCQZ6C
+tKvz0XQAj876eIvF/8pAyoiQrHR4QUtghT9DMX4cYLs9kQnfnfNqQA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest38.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest38.pem
new file mode 100644
index 0000000000..7930eb4ddc
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest38.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBRjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIEROUzEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKF4cGWB
+eAaOHCGkAPlmkE9/9XtvEpanIGNf1g0ab0PBnZR8ffY+IK2+rwOeMVtfXmJbaxi/
+Z70teNn94XkPXH6Pmz/pL170Q96CasAsPU2uQC4AtNjkUSeFbSoY7Ul2NaBYqLrW
+yQ7O3jEXdX76KQWqYcihAq1Jw+AEruMq98WrAgMBAAGjgaUwgaIwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFHXnZ0cYCavxiIjbno3V
+F1KO/HN4MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoBgwFoIUdGVzdGNlcnRpZmlj
+YXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAzUV5anoiOD8wQQnetIFcg5wLnNlr
+dPixWje4q2JQcPnqZk3TW9O0GDtWHmZwVoS3PixQlJPHZGvkliTKM9vO7a8J2FDl
+/ZFRNrm2rHFjZxygk+UTwj+SI4CO8kmtSesvV0ViWwNNyfOV/nmvBjqy6pEbTnCD
+pax2/2P2ruVALCk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid DNS nameConstraints EE Certificate Test38
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+-----BEGIN CERTIFICATE-----
+MIICtjCCAh+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBETlMxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIEROUyBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDM4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLztSKsWY+S4ZhmNgTffbb
+H8aIXhiw0mDQqoBzB40KjeMgX3OEnxCBBmDLNqdQtcMhlcKST+FbcFNUzrWySjDL
+UhFqTes5kgzTAyyIeMKHG/Y8b9D7mNuH3GJmtCWOCcajKBy7g9IuPRTtOu/f217J
+pqw42pwtbI+7PX2v2cTiVwIDAQABo4GPMIGMMB8GA1UdIwQYMBaAFHXnZ0cYCavx
+iIjbno3VF1KO/HN4MB0GA1UdDgQWBBQtwjU8JMdU3wDsp2MQVttA0RtaVTAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCEGA1UdEQQaMBiC
+Fm15dGVzdGNlcnRpZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAYzw7EH4l
+W8Vcu3FH96T5cE/RL5hRpoj2PU440l6/1ScnutWvY2WXwCAhO5LkkyDdE+a8Pv4S
+v5BusKldAEzFQy3H6jlDnK29Z9m/6RNIrskTys2Jqt04I+JWV85ZNVCyTu4px5iY
+SmR9uXP/4hfVB74Ct8bSrOBQVy0te1ZcR08=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:75:E7:67:47:18:09:AB:F1:88:88:DB:9E:8D:D5:17:52:8E:FC:73:78
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 90:61:77:a1:94:8e:c3:62:6b:dd:eb:ec:3f:0d:e0:dc:1f:b9:
+ 04:fa:e1:74:e4:5d:d2:0a:cb:42:4f:41:9a:a5:91:d4:2d:57:
+ d2:6f:1d:5f:cd:9a:2c:24:5f:3d:21:9f:87:78:17:33:96:09:
+ 1b:d1:bd:f9:50:b7:17:c1:e0:af:50:95:7a:9d:03:9e:2c:95:
+ ef:f2:c2:a2:74:93:d3:9c:c2:73:74:96:90:b0:78:15:69:e5:
+ eb:b4:5d:dd:19:4d:ea:9a:78:af:ae:a4:b5:69:78:58:aa:7d:
+ 5d:9e:05:ee:a8:8d:2d:16:03:86:18:62:6b:cd:67:8c:5e:13:
+ 1d:46
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBE
+TlMxIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBR152dHGAmr8YiI256N1RdSjvxzeDAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQCQYXehlI7DYmvd6+w/DeDcH7kE+uF05F3SCstCT0GapZHULVfSbx1f
+zZosJF89IZ+HeBczlgkb0b35ULcXweCvUJV6nQOeLJXv8sKidJPTnMJzdJaQsHgV
+aeXrtF3dGU3qmnivrqS1aXhYqn1dngXuqI0tFgOGGGJrzWeMXhMdRg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest28.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest28.pem
new file mode 100644
index 0000000000..18fb09781b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest28.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAjmgAwIBAgIBCjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA37aIkV7sYy0JnIQ6
+oLcZr4T5fsXvU6SzOxBfPrtNDpq884ix+hP3zDxAwCSO5mU0znQe9s5im5Mf9yKK
+0FIXOAHFwMb5M5mAZNwn7Tx0XYxDfBx94lsMvJdBDCddmTB5akZgQF5Iir+Y52y7
+yiWRJM+ZmowFfoi5rp/PgkSOJxsCAwEAAaOBpTCBojAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQUV6v4nCfI0vTmz2+qIAs1ZwSDJGsw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MCYGA1UdHgEB/wQcMBqgGDAWgRR0ZXN0Y2VydGlmaWNhdGVzLmdv
+djANBgkqhkiG9w0BAQUFAAOBgQBlTO2ECGQPZsbXzVHd/rGejurHrD9MHfTQYJCn
+pFjAPq3wSo4qFVopG5gl9s4rdpNU+XvoY5zO8MVxTnfFi5G+y2CWZTG0iIWQmC8b
+ReqDdpVeAV3ictgaDyoU1ApdemyOS2pHV0mgm7vPYCx+17EXzFBphUICViSFv45n
+cu1nCg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Invalid DN and RFC822 nameConstraints EE Certificate Test28
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAm+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMzAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGLMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRy
+ZWUxMUQwQgYDVQQDEztJbnZhbGlkIEROIGFuZCBSRkM4MjIgbmFtZUNvbnN0cmFp
+bnRzIEVFIENlcnRpZmljYXRlIFRlc3QyODCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA5P+v5wlPmnZe/uEH6HyaKnq85ORqBL8HNiSn0EhAtQNHISd/M6VJvcrJ
+YCdSaQbE+A61yEjhCfckVgjt0lY081fJsDvDU757lDPe7SLP5hyrVS+myINWP3V3
+Fnu8BeK5Lz4Ytkx6uvnfE73jdWSregNtKqtyQD7kyLMTFVlVXt0CAwEAAaOBmTCB
+ljAfBgNVHSMEGDAWgBRXq/icJ8jS9ObPb6ogCzVnBIMkazAdBgNVHQ4EFgQUDvHN
+oL4nbNoIN4BmY5QBKMupyFQwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATArBgNVHREEJDAigSBUZXN0MjhFRUBpbnZhbGlkY2VydGlmaWNh
+dGVzLmdvdjANBgkqhkiG9w0BAQUFAAOBgQBtZkdww8Uz1loAnrdjOhd30Om7eO4h
+Ph2kKsyLJm3aeptHUIKnAXrY4+drzXmVlzMcMK0t7VT0CMP2vWSVrzHyUXnGxpsK
+ZGKNRLzdCrr4sEVtsYjGvMK9LzM66kx1CFVbl2IftM7cVEgadA7RyfakTHJJAAQw
+by2klF/gQrv13A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:57:AB:F8:9C:27:C8:D2:F4:E6:CF:6F:AA:20:0B:35:67:04:83:24:6B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9a:01:ff:a2:5a:8d:4a:16:d9:8f:d1:7d:40:a2:bc:eb:6f:fc:
+ 4d:58:3b:b2:03:77:79:60:99:5e:f7:f5:b0:39:62:10:15:8f:
+ 67:ad:12:b7:a6:2c:ef:de:76:3b:90:26:79:b7:1b:7c:3c:25:
+ b7:bd:11:82:78:21:93:5b:11:66:15:e2:e3:d9:77:e6:a1:18:
+ 6d:dc:46:88:f9:13:7f:28:5e:17:95:7b:a6:da:4a:00:c3:44:
+ 8e:f4:00:50:a6:a0:52:86:90:cd:40:54:66:92:30:0a:64:0d:
+ 09:19:17:64:41:33:08:5d:c3:11:b5:ab:d8:61:5e:a2:60:56:
+ a7:d5
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMxcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUV6v4nCfI0vTmz2+q
+IAs1ZwSDJGswCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAmgH/olqNShbZ
+j9F9QKK862/8TVg7sgN3eWCZXvf1sDliEBWPZ60St6Ys7952O5AmebcbfDwlt70R
+gnghk1sRZhXi49l35qEYbdxGiPkTfyheF5V7ptpKAMNEjvQAUKagUoaQzUBUZpIw
+CmQNCRkXZEEzCF3DEbWr2GFeomBWp9U=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest29.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest29.pem
new file mode 100644
index 0000000000..cb31959b73
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest29.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAjmgAwIBAgIBCjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA37aIkV7sYy0JnIQ6
+oLcZr4T5fsXvU6SzOxBfPrtNDpq884ix+hP3zDxAwCSO5mU0znQe9s5im5Mf9yKK
+0FIXOAHFwMb5M5mAZNwn7Tx0XYxDfBx94lsMvJdBDCddmTB5akZgQF5Iir+Y52y7
+yiWRJM+ZmowFfoi5rp/PgkSOJxsCAwEAAaOBpTCBojAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQUV6v4nCfI0vTmz2+qIAs1ZwSDJGsw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MCYGA1UdHgEB/wQcMBqgGDAWgRR0ZXN0Y2VydGlmaWNhdGVzLmdv
+djANBgkqhkiG9w0BAQUFAAOBgQBlTO2ECGQPZsbXzVHd/rGejurHrD9MHfTQYJCn
+pFjAPq3wSo4qFVopG5gl9s4rdpNU+XvoY5zO8MVxTnfFi5G+y2CWZTG0iIWQmC8b
+ReqDdpVeAV3ictgaDyoU1ApdemyOS2pHV0mgm7vPYCx+17EXzFBphUICViSFv45n
+cu1nCg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Invalid DN and RFC822 nameConstraints EE Certificate Test29/[email protected]
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAnGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMzAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIG8MQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRy
+ZWUxMUQwQgYDVQQDEztJbnZhbGlkIEROIGFuZCBSRkM4MjIgbmFtZUNvbnN0cmFp
+bnRzIEVFIENlcnRpZmljYXRlIFRlc3QyOTEvMC0GCSqGSIb3DQEJARYgVGVzdDI5
+RUVAaW52YWxpZGNlcnRpZmljYXRlcy5nb3YwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBANFptsaiuqG58SeSbnVMTNr7XG3kbwY6wtsLkDomOXBGR/46vTeRu4CG
+CaubArviUAJ+JILIVs3bO02m4H6NUk6clLHjb1iou8cA0UR8XHkzJ1ZNmDZJiBJA
+CAqNmtpuolbgToov0SeuLYdDRTwLlkLpjykO6EMiAjI0bs0u769XAgMBAAGjazBp
+MB8GA1UdIwQYMBaAFFer+JwnyNL05s9vqiALNWcEgyRrMB0GA1UdDgQWBBR/JuUf
+MNbcNM7ktf6v5K72qnwyNzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpg
+hkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAHgiOAzfqxYOlP2ugGMXcXWDQai9
+VcfKXZM4zdBV3TmksgiLkZTyhj51RfoZOhQn8RB90lDZYdSqRGnGHuUZW6ejX+A2
+JXWuY3uhE2d2WwJIwYHItLSl+DVv2Jm0Wrv8BFY2PnKaDKJgLG3WM0bp2LKn2dzi
+FXK5SfJJE0q4WU2x
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:57:AB:F8:9C:27:C8:D2:F4:E6:CF:6F:AA:20:0B:35:67:04:83:24:6B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9a:01:ff:a2:5a:8d:4a:16:d9:8f:d1:7d:40:a2:bc:eb:6f:fc:
+ 4d:58:3b:b2:03:77:79:60:99:5e:f7:f5:b0:39:62:10:15:8f:
+ 67:ad:12:b7:a6:2c:ef:de:76:3b:90:26:79:b7:1b:7c:3c:25:
+ b7:bd:11:82:78:21:93:5b:11:66:15:e2:e3:d9:77:e6:a1:18:
+ 6d:dc:46:88:f9:13:7f:28:5e:17:95:7b:a6:da:4a:00:c3:44:
+ 8e:f4:00:50:a6:a0:52:86:90:cd:40:54:66:92:30:0a:64:0d:
+ 09:19:17:64:41:33:08:5d:c3:11:b5:ab:d8:61:5e:a2:60:56:
+ a7:d5
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMxcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUV6v4nCfI0vTmz2+q
+IAs1ZwSDJGswCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAmgH/olqNShbZ
+j9F9QKK862/8TVg7sgN3eWCZXvf1sDliEBWPZ60St6Ys7952O5AmebcbfDwlt70R
+gnghk1sRZhXi49l35qEYbdxGiPkTfyheF5V7ptpKAMNEjvQAUKagUoaQzUBUZpIw
+CmQNCRkXZEEzCF3DEbWr2GFeomBWp9U=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest10.pem
new file mode 100644
index 0000000000..d79077aaba
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest10.pem
@@ -0,0 +1,113 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+-----BEGIN CERTIFICATE-----
+MIICxzCCAjCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjCBmzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQL
+ExFwZXJtaXR0ZWRTdWJ0cmVlMTEZMBcGA1UECxMQZXhjbHVkZWRTdWJ0cmVlMTE5
+MDcGA1UEAxMwSW52YWxpZCBETiBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNh
+dGUgVGVzdDEwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4wtLGQI2aSdxL
+gklYOXIk2EqQgeDaSAj8Qxcobr8rZ0rgMBdG0A4ygWX+jdsMNqu18m+WGLs4W84P
+I3+0QpnI7DrNez1cOAzew7lPKnkDW9tnBqKQaGzafp/L9i/QwFxw7q0/OyJXLNqx
+96I70felgr/e9i6Yk/NzhfHNoKqL1QIDAQABo2swaTAfBgNVHSMEGDAWgBQSNZ+s
+wbmh4zr+8S+6d7IITk1Z7TAdBgNVHQ4EFgQUwaAOiJj2GtamtV9rZWhiH3jfonUw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG
+9w0BAQUFAAOBgQAsM+4rszF68aQzKZtZ+iLup5xun1WT0hwwvbL4qbzJuLAcCNWj
+22+3xcVPnJ/ODouOh8JN6vzYFUIm4Zojsdm6VJQlcf8Avp09vAMUWLyo7ScyNJgi
+/BXluYQ6PfjP/XwskA4RlOGYZ33Ewmh1xaic85c78iFgRWe1UfjmPxvMQA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDRjCCAq+gAwIBAgIBQjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIERONSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxmMyGO18
+wxt7plFRZcGPd5GxKiCL+NJ+O/UB82qQ1+GhwlsBTSo86QNLh9KPIjs3rrARYIo0
+FqA86FPnpIiE/yWOfuQOeI3t6yvWf0XsXvcffhjW6n6sErOqhXX7voiJODZMseiM
+wQ2Md8CcE3j78i6crfbdO6xGp2xNX63VmkMCAwEAAaOCAUQwggFAMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQSNZ+swbmh4zr+8S+6
+d7IITk1Z7TAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wgcMGA1UdHgEB/wSBuDCBtaBLMEmkRzBFMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBl
+cm1pdHRlZFN1YnRyZWUxoWYwZKRiMGAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEaMBgGA1UECxMRcGVybWl0dGVkU3VidHJlZTExGTAX
+BgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTEwDQYJKoZIhvcNAQEFBQADgYEAp32j43pb
+BqBj+2V14kyvmo+pgQ9H/ag1zf7WG4ei+McEkF7yvHSC6nfXJA19r+q2fAnvIU4M
+TriscCGq9oE6qzd3VIQ5wx8eJp8v9SG62gxZe3n1A8gzG37TvTwBOeEgxOKBa/BS
+8MNUbMO2SJwuE2pi9fnMhCgx9JxUQvQLou0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:12:35:9F:AC:C1:B9:A1:E3:3A:FE:F1:2F:BA:77:B2:08:4E:4D:59:ED
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 74:3d:76:85:10:61:c5:e4:1e:19:16:23:27:99:ac:bf:2e:c9:
+ 07:40:7b:fb:45:44:5d:c1:6e:d5:5a:e5:6d:35:d1:4e:9c:e1:
+ b7:21:0c:2a:7b:7f:27:ed:9f:f4:59:15:1c:67:1d:4b:8e:ca:
+ 19:7c:a2:78:22:bf:28:67:31:5f:bf:f3:73:73:ed:c3:9c:fe:
+ 2f:16:56:80:ea:ec:27:dd:7a:85:15:2c:e8:fd:c5:80:2d:ad:
+ 36:ac:8f:39:5b:d9:79:ff:54:82:c6:61:37:e2:b6:07:46:8b:
+ df:2c:86:2b:69:ca:d1:c3:71:4f:3f:c7:e9:4c:c9:23:85:85:
+ 19:9d
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjUgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFBI1n6zBuaHjOv7xL7p3sghOTVntMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAHQ9doUQYcXkHhkWIyeZrL8uyQdAe/tFRF3BbtVa5W010U6c4bchDCp7
+fyftn/RZFRxnHUuOyhl8ongivyhnMV+/83Nz7cOc/i8WVoDq7CfdeoUVLOj9xYAt
+rTasjzlb2Xn/VILGYTfitgdGi98shitpytHDcU8/x+lMySOFhRmd
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest12.pem
new file mode 100644
index 0000000000..4b5c41460e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest12.pem
@@ -0,0 +1,166 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test12
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA1
+-----BEGIN CERTIFICATE-----
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMTAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGAMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRy
+ZWUxMTkwNwYDVQQDEzBJbnZhbGlkIEROIG5hbWVDb25zdHJhaW50cyBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0MTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK3EJPKm
+RDv1REuSTNdGYi/Gay9ESpl/z2BBw2n0WqiF9SLFNEuRfTZ7FQVNFQ0qhoP4V2xa
+YUeaSgmwZNcIdZg159xf8j2Qkc3uGAQoMGmRp4vbcj1Ev5yFXhvVLPnhp5eE8wKx
+u96ZMOfL8M/sxSRrI0zUKEUCMbzK2E0Mr/RBAgMBAAGjazBpMB8GA1UdIwQYMBaA
+FO65z9YvjsiFkwj+EBDuo1BY/kIwMB0GA1UdDgQWBBRlWUYl70WL4wPhhb56CsXD
++SjqmzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0G
+CSqGSIb3DQEBBQUAA4GBAKnGr+IbKqqwN2t7AB4bae9QRHntR6fokA0gcPPMY7qA
+GxZGcA1fClTM+WZKr4AoCiDelOsxy45Pim+0bZUtzqtfhWKulkfgpS5cdPZmNj2r
+UkLeXnjjTjDm5s8YsQovhy20KPc4VoeYRMhkB5Wika28mXV2l0jFTG1VxcDZ2BxV
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA1
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAoigAwIBAgIBBTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtpBRaRDexKAJwtC+
+60QonOrQnFJ3VA/u5f6qj4iI30hKCIXL1aeAM5c2KmzL5gO3Vg7dZWw1f9gW2uaj
+mpHjfGmScQpaIFP7yNbI29PIlN0h8H2o4I6v7zDCteSnYy2qAkDkNLX6fbVENa7f
+eHcx8cvG7W1VNi0PKVQdVBz/PHkCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQU7rnP1i+OyIWTCP4QEO6jUFj+QjAw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MHUGA1UdHgEB/wRrMGmgZzBlpGMwYTELMAkGA1UEBhMCVVMxGjAY
+BgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0ZWRTdWJ0
+cmVlMTEaMBgGA1UECxMRcGVybWl0dGVkU3VidHJlZTIwDQYJKoZIhvcNAQEFBQAD
+gYEAm5m4xlbfmnv2vDQ/hGoNbPv96saVQ2NMhkH3JVSF5lGUWfamMIsH866TS9Jm
+BDWOWMPDF1kL5hLEiGLSWA8ki5s+29AwhYXt0jcwdIbGfGCwVX1w3KF5k1nYv8RR
+FhwwXNlM+EKqqLc1nWgaXnsE8fSRMesdyNjQaJdCqRAYFXI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:EE:B9:CF:D6:2F:8E:C8:85:93:08:FE:10:10:EE:A3:50:58:FE:42:30
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 31:75:7f:a7:8f:25:e4:4b:09:d0:29:6a:68:0c:3c:54:a8:42:
+ d4:f8:f7:6e:be:e5:b0:bb:f1:4a:e5:1d:e7:1d:b8:d6:98:ba:
+ 3c:6f:23:4d:a0:8c:53:2a:5a:13:7e:4f:3c:1b:fc:16:c6:18:
+ 54:05:e5:fe:b6:48:84:fb:c1:0b:7a:ea:bc:44:55:bf:4a:7a:
+ 51:1a:e3:a6:d5:94:0f:37:3c:fa:4d:f8:51:ae:c6:74:de:06:
+ d8:41:69:92:8e:a2:a8:d9:6c:73:98:d1:63:5d:52:61:7d:90:
+ 88:c2:0e:ee:ba:eb:74:c9:19:b8:c8:20:f3:09:a3:50:7f:10:
+ f9:e0
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMRcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU7rnP1i+OyIWTCP4Q
+EO6jUFj+QjAwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAMXV/p48l5EsJ
+0ClqaAw8VKhC1Pj3br7lsLvxSuUd5x241pi6PG8jTaCMUypaE35PPBv8FsYYVAXl
+/rZIhPvBC3rqvERVv0p6URrjptWUDzc8+k34Ua7GdN4G2EFpko6iqNlsc5jRY11S
+YX2QiMIO7rrrdMkZuMgg8wmjUH8Q+eA=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest13.pem
new file mode 100644
index 0000000000..f80308db49
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest13.pem
@@ -0,0 +1,166 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test13
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+-----BEGIN CERTIFICATE-----
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMjAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGAMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRy
+ZWUxMTkwNwYDVQQDEzBJbnZhbGlkIEROIG5hbWVDb25zdHJhaW50cyBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0MTMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKzBUwkX
+ODmjiKuO7MZlzTSc4Re/YVclO6AWzJbjVn1RazUtEisXPWkpv08n2R5ufbWSSnp9
+Q2/iMhNutgXf1w1kQ3tCZ/T3bhIR1c6w/ouwi8ykUP/dQlCo91V9PBaGbA/ARORv
+R5mJqw113jWqok2Mr9xcMe393f7kLFt8yx5fAgMBAAGjazBpMB8GA1UdIwQYMBaA
+FNWvaygNna1IbAyCKv/SaAkvFG1XMB0GA1UdDgQWBBSCt3/nyCSzztm6BrD2K2Fl
+4aJOtjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0G
+CSqGSIb3DQEBBQUAA4GBAJaAuvc9jA52+D7MggYkPmix9SdKXbI3nEcYpIXuzwO2
+hAzPuV6wpHgf4Ol9x+zrbWQ2KVvJ7zXGEKOjbKZb7O7ynb0yqDv9nRbOWIEU4lwD
+Fzj8Pb3n9FnnF7awDloK1pMoqxOXeLWsk7RP+psMqVuAQgVxrYYBbTwQXqMCAmIi
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAmygAwIBAgIBBjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAteRgCqKcIeCHmYMc
+xyzmM+fCjW6MAEl+OFQ9Q7UJ1n9YE0TuaGiSxjTkrTXwDF2JoDwMtC6FoqnvEyEk
+kAxNlM0oiLhRxM9FcNCow3VK458jtPozrIgd/7PAP+FXsqPanD2DRYj4c1gNKSl4
+U/l6HyTj+yV6ax5EkPgQDLQlJksCAwEAAaOB2DCB1TAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQU1a9rKA2drUhsDIIq/9JoCS8UbVcw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMCVVMxGjAY
+BgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0ZWRTdWJ0
+cmVlMjANBgkqhkiG9w0BAQUFAAOBgQANN5YtrqXFWfdpK19qY+rn50d/fYdLaOU5
+dSIAqmnB5woTCXdWF0LUADF4DkPfcWBxbE36lwBuGXBfiInH/5yLRy0Y9cZbtHSg
+QwTIf2a+38pR6QyBniftVBmBTuhO/PV+/kA8gKAZ6X4+vGMv69YjU9avYeS1o+XW
+liQdX8l7vg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D5:AF:6B:28:0D:9D:AD:48:6C:0C:82:2A:FF:D2:68:09:2F:14:6D:57
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ af:f5:73:47:0b:2b:ce:c1:5c:82:7a:07:ed:cd:ce:55:02:85:
+ 34:07:7e:46:10:13:e0:94:7e:8c:27:9c:f5:52:89:55:5b:fc:
+ e9:08:32:b3:54:75:03:c0:ad:8a:b7:e3:fa:5e:73:10:90:5f:
+ 26:ca:6e:1c:e2:68:e4:99:4c:06:38:3b:56:25:ce:82:a5:7a:
+ 3f:0e:c5:a4:78:8b:19:d2:fc:a6:4f:f2:6d:d6:12:5f:69:03:
+ 98:b8:00:c2:0d:4f:9e:47:fd:66:3e:ac:e4:fb:55:f3:4b:bf:
+ 42:54:ce:46:a2:5c:fd:c4:5f:d8:61:5a:61:9b:a1:2c:af:0a:
+ a2:2e
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMhcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU1a9rKA2drUhsDIIq
+/9JoCS8UbVcwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAr/VzRwsrzsFc
+gnoH7c3OVQKFNAd+RhAT4JR+jCec9VKJVVv86Qgys1R1A8Ctirfj+l5zEJBfJspu
+HOJo5JlMBjg7ViXOgqV6Pw7FpHiLGdL8pk/ybdYSX2kDmLgAwg1Pnkf9Zj6s5PtV
+80u/QlTORqJc/cRf2GFaYZuhLK8Koi4=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest15.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest15.pem
new file mode 100644
index 0000000000..bc87ba867d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest15.pem
@@ -0,0 +1,164 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test15
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBETjMgc3ViQ0ExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+fzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYD
+VQQLExBleGNsdWRlZFN1YnRyZWUxMTkwNwYDVQQDEzBJbnZhbGlkIEROIG5hbWVD
+b25zdHJhaW50cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTUwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALLQPz8+2Ja6+sIASgBJ/ylBL061WtWS7vJK/LRNLFf9MyYG
+VjXkjZyk9ZzlafhinCiXgrG77RGH8mVjuSwDNewt+DGGphh4dSnvg/MHRdi+NdSX
+hjVOzH76HO6U0iKSSQCvNPSlTJrPWQkZDfj6AGO+5Pmn5RXRX7vwRuKDSsAdAgMB
+AAGjazBpMB8GA1UdIwQYMBaAFK2SFB0uK9H4irG3IS5+jhlpPDR1MB0GA1UdDgQW
+BBSpk2fPoInUxlgPeiQDw8iOa8Xp6DAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBACfYnz7Xr82ytcccJe6v
++1rv6v8SSi/dupn3lA8ZLFPQiM8Ep2kf5XkmrQCHk498pBRQJirzWX20QQSTv83B
+M9DG721LCvFZuFB17sf03DMGDXw4ISy3bs+3I87HwHyziC9OtryWACWfZ2lAGUpD
+V3U25s5CA62+qbg1jhc5LAKq
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMT
+Gm5hbWVDb25zdHJhaW50cyBETjMgc3ViQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCmh9zeM9BeyKndgrRFYNxn7+qDC4AKVdFmpv1ciqlk3RwU04FCEhC9
+kN1hhqnghWi2XzHZ67kQD/azFMLQZU1b0JTg062pMox1ezyVsZCejrXUK8kMHEnW
+SNSHkU6KnrSC4aHU5jSV8T2uANRsR0wQ80iBfuq+XcyF3r8jVsbpqQIDAQABo4HX
+MIHUMB8GA1UdIwQYMBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMB0GA1UdDgQWBBSt
+khQdLivR+IqxtyEufo4ZaTw0dTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wWAYDVR0eAQH/BE4wTKFKMEik
+RjBEMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAX
+BgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTIwDQYJKoZIhvcNAQEFBQADgYEATe1pMNm0
+Ae3tuDLPpXrBaSog47WFgLklqGnB7xH9+4x4SGehRirWS/0TH839Rbb/rmp0XptG
+ECuOUS+tqrhiMPYmWxv65XMpPfwKHjxj9etcu/MgXytG7l1kFwuHP08zu43BEqRS
+JY0NuHpCTzI4Natc8cB3JTktdUOAF2P22c0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:92:14:1D:2E:2B:D1:F8:8A:B1:B7:21:2E:7E:8E:19:69:3C:34:75
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2e:dc:3c:fd:cc:c2:50:20:4a:d3:de:11:60:93:75:ef:28:af:
+ 87:35:19:c7:47:5e:f2:c0:73:35:5c:47:4a:bd:54:84:f9:04:
+ 30:4c:a1:32:27:85:14:cb:ca:72:9e:77:70:14:ac:20:72:a9:
+ d2:6f:50:b2:ae:b4:29:03:fe:00:c4:92:96:14:68:81:b3:d2:
+ dd:60:41:d5:ee:d5:66:db:b4:f0:d4:5f:a0:6c:93:d8:3e:e7:
+ a2:59:90:af:9f:05:22:b0:1e:f1:67:06:2b:85:eb:dc:a3:16:
+ 13:ad:74:89:dd:db:2a:71:8d:a8:22:8e:2f:f8:ca:7b:15:f3:
+ cf:32
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBE
+TjMgc3ViQ0ExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBStkhQdLivR+IqxtyEufo4ZaTw0dTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQAu3Dz9zMJQIErT3hFgk3XvKK+HNRnHR17ywHM1XEdKvVSE+QQw
+TKEyJ4UUy8pynndwFKwgcqnSb1CyrrQpA/4AxJKWFGiBs9LdYEHV7tVm27Tw1F+g
+bJPYPueiWZCvnwUisB7xZwYrhevcoxYTrXSJ3dsqcY2oIo4v+Mp7FfPPMg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest16.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest16.pem
new file mode 100644
index 0000000000..febf0898f0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest16.pem
@@ -0,0 +1,164 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree2/CN=Invalid DN nameConstraints EE Certificate Test16
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgIBAjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBETjMgc3ViQ0ExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+fzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYD
+VQQLExBleGNsdWRlZFN1YnRyZWUyMTkwNwYDVQQDEzBJbnZhbGlkIEROIG5hbWVD
+b25zdHJhaW50cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTYwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAOHnVdpKkQqlze09wh5nIsO6XQJwHBHVdhdaB5eaMXveb0Vj
+yiVBMk4NTrzIJ/7lL9J/qc4WzXAr1u1AFed4shRiiOEMAT10BXPoDfS3FjPytZC5
+UWXRE49DyE8Ksc9hSa0IBwf77wKXBAIM/ygc8XXYwFLHWy0Nbq1C2mo5AFpFAgMB
+AAGjazBpMB8GA1UdIwQYMBaAFK2SFB0uK9H4irG3IS5+jhlpPDR1MB0GA1UdDgQW
+BBT3GktmXZE00780GNgXA/GoC2kWPzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAJtYdflHLEVQC1ar27ke
+RBKtpwSsi61XphZ/gDlrI7bo3wG41pjy5tvPv8xuIOsC5isYgU8dyjJw3CF5LRdF
+FweDdftBHwQ/zmwL1sWj0h01k2ggA4c0AHDqG1J9gPKRO42rdqcRUQ2wgq1rZSDu
+iaJY1seFNoxyls5MxFF26Gue
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMT
+Gm5hbWVDb25zdHJhaW50cyBETjMgc3ViQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCmh9zeM9BeyKndgrRFYNxn7+qDC4AKVdFmpv1ciqlk3RwU04FCEhC9
+kN1hhqnghWi2XzHZ67kQD/azFMLQZU1b0JTg062pMox1ezyVsZCejrXUK8kMHEnW
+SNSHkU6KnrSC4aHU5jSV8T2uANRsR0wQ80iBfuq+XcyF3r8jVsbpqQIDAQABo4HX
+MIHUMB8GA1UdIwQYMBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMB0GA1UdDgQWBBSt
+khQdLivR+IqxtyEufo4ZaTw0dTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wWAYDVR0eAQH/BE4wTKFKMEik
+RjBEMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAX
+BgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTIwDQYJKoZIhvcNAQEFBQADgYEATe1pMNm0
+Ae3tuDLPpXrBaSog47WFgLklqGnB7xH9+4x4SGehRirWS/0TH839Rbb/rmp0XptG
+ECuOUS+tqrhiMPYmWxv65XMpPfwKHjxj9etcu/MgXytG7l1kFwuHP08zu43BEqRS
+JY0NuHpCTzI4Natc8cB3JTktdUOAF2P22c0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:92:14:1D:2E:2B:D1:F8:8A:B1:B7:21:2E:7E:8E:19:69:3C:34:75
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2e:dc:3c:fd:cc:c2:50:20:4a:d3:de:11:60:93:75:ef:28:af:
+ 87:35:19:c7:47:5e:f2:c0:73:35:5c:47:4a:bd:54:84:f9:04:
+ 30:4c:a1:32:27:85:14:cb:ca:72:9e:77:70:14:ac:20:72:a9:
+ d2:6f:50:b2:ae:b4:29:03:fe:00:c4:92:96:14:68:81:b3:d2:
+ dd:60:41:d5:ee:d5:66:db:b4:f0:d4:5f:a0:6c:93:d8:3e:e7:
+ a2:59:90:af:9f:05:22:b0:1e:f1:67:06:2b:85:eb:dc:a3:16:
+ 13:ad:74:89:dd:db:2a:71:8d:a8:22:8e:2f:f8:ca:7b:15:f3:
+ cf:32
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBE
+TjMgc3ViQ0ExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBStkhQdLivR+IqxtyEufo4ZaTw0dTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQAu3Dz9zMJQIErT3hFgk3XvKK+HNRnHR17ywHM1XEdKvVSE+QQw
+TKEyJ4UUy8pynndwFKwgcqnSb1CyrrQpA/4AxJKWFGiBs9LdYEHV7tVm27Tw1F+g
+bJPYPueiWZCvnwUisB7xZwYrhevcoxYTrXSJ3dsqcY2oIo4v+Mp7FfPPMg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest17.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest17.pem
new file mode 100644
index 0000000000..0c9aa3554b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest17.pem
@@ -0,0 +1,163 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test17
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBETjMgc3ViQ0EyMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+fzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYD
+VQQLExBleGNsdWRlZFN1YnRyZWUxMTkwNwYDVQQDEzBJbnZhbGlkIEROIG5hbWVD
+b25zdHJhaW50cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTcwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANw5GunDquXK+XElcoKtGRzY1ESARSYhxi+qK4BM6L0rxSe5
+tXiajO4Eb379Qv2z7wkn224q4lkLiiry/gmRj27aTjhch3XF5C7E2hIeHz5qGtcu
+uY6vyT4DxweIYibYubyBZC/MCk2YuLtsLiSd5QuyXXmQYZzeyu2SpRax/nXHAgMB
+AAGjazBpMB8GA1UdIwQYMBaAFAtIvihxakgkCjziStQFKuLXHjXvMB0GA1UdDgQW
+BBRFrHYfuo8284F89Fc//hnutkf4KTAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAEPuGBhTmRXtD/1JNHgo
+Jj8yfLsXQzG8AENHe1KZs7Kpj45M3p4u0TGUJI2S3MXh3IY8gEf33t9eQbJIY0s4
+AiUXe1G/CjtDeo5ZkfTpZHRd654czJ9oLQ3c2vczwYEeaeLxQXqEFS0xewIz5udq
+AUVVqV79i9BB/BOmAx9qBkiH
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIICyzCCAjSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMT
+Gm5hbWVDb25zdHJhaW50cyBETjMgc3ViQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDCH3OWCAvPFZXpNTKMN3DoOML+FK32+icT19l0MQXIXBqoJyw8qF2z
+xcl4ahdLxfSFpf8OF3ttKbzN5fk2/Dxue6beAMs0L1r4VUilJaUhOmTMrlYXB6UI
+QX2nzlu6lZbNrI0VFt8qM2C9CdbG+2ZQuJQQO0BtHXWJC9el4t68/QIDAQABo4G8
+MIG5MB8GA1UdIwQYMBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMB0GA1UdDgQWBBQL
+SL4ocWpIJAo84krUBSri1x417zAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wPQYDVR0eAQH/BDMwMaAvMC2k
+KzApMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMwDQYJ
+KoZIhvcNAQEFBQADgYEAV7W8Yarxgw2gPgl0gz1Vz7IdH6ZbzLBpsB0W+gyPTd+R
+toE/N42Efda3DIG5BoxqTj00uc9j2GF5LqBgKaEieenzkv5E6qbTrZ0F/FdX1c17
+DBpRvkchpd4FACNL+FhSq824LEKdBDOx669LmsH664nk6NSPtv04LjUxa+822aw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0B:48:BE:28:71:6A:48:24:0A:3C:E2:4A:D4:05:2A:E2:D7:1E:35:EF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c0:0c:a7:28:80:0d:2c:71:66:4d:67:82:ec:c7:30:4f:48:29:
+ fe:d4:20:82:f2:5c:e6:ef:24:8b:9f:f2:b8:c5:3b:e0:86:53:
+ f4:b5:fc:67:db:b2:1d:45:77:8a:78:47:eb:63:bb:43:b8:14:
+ c0:05:ff:ca:7b:d5:1f:fa:df:e7:7a:a5:39:e7:00:ed:4a:d9:
+ 6d:fd:d1:78:a1:44:f0:71:f4:89:4c:52:d5:ef:99:5c:59:eb:
+ 80:c4:5d:ed:48:2b:5a:55:0b:d1:df:4a:a5:49:69:f1:67:a2:
+ aa:ce:9d:99:9b:74:0f:ec:da:60:d9:3e:14:45:a3:6c:5b:47:
+ fa:d0
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBE
+TjMgc3ViQ0EyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBQLSL4ocWpIJAo84krUBSri1x417zAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQDADKcogA0scWZNZ4LsxzBPSCn+1CCC8lzm7ySLn/K4xTvghlP0
+tfxn27IdRXeKeEfrY7tDuBTABf/Ke9Uf+t/neqU55wDtStlt/dF4oUTwcfSJTFLV
+75lcWeuAxF3tSCtaVQvR30qlSWnxZ6Kqzp2Zm3QP7Npg2T4URaNsW0f60A==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest2.pem
new file mode 100644
index 0000000000..04a7eb62a5
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest2.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB+MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsT
+EGV4Y2x1ZGVkU3VidHJlZTExODA2BgNVBAMTL0ludmFsaWQgRE4gbmFtZUNvbnN0
+cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3QyMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCbvVmVPGFgKGPBqkMhQ8HfwsS10dQ7ark92qOnKM0cmOtqxp7Y+5xK
+fVwtP4znhPQr3rGzj2x81FCIghi3hwSRBg2O6DhpFdTAXAwHnM0QkUb29QTNqRfW
+E4jOPciTY/BonXFJXf+VM61ntdAT4aoVshmiy64p2SBUhRYA/QrYuQIDAQABo2sw
+aTAfBgNVHSMEGDAWgBROLqPn2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQU3rps
+AkOOTOy07L8tC4ckaa3lRqMwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQCOtc7hRrlpfYG3VtjPhElE0x7R
+VEiASfooTBrkKHNkajTVNgolaJq1+1UqMpIFCe0KBUL+k9YQgsjDbr3m/oL7ml3x
+9iNWxEjBOH8YRaPvArpcb6HMvMVTdbInB7T/ogFDs2bdUBWt4H2KJLoogGJjLBX/
+NkpGvXdFmxasmv0wkw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest3.pem
new file mode 100644
index 0000000000..7c2b410b91
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest3.pem
@@ -0,0 +1,114 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIDPTCCAqagAwIBAgIBAzANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB/MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTgwNgYDVQQDEy9JbnZhbGlkIEROIG5hbWVDb25z
+dHJhaW50cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MzCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAyUV/VUccWeiLd97UNg9PsfI5JBKyMkLviLCMbEGIggBG9W+5DKyu
+loDjDpVTzzz4pO4/LQqcZgxP61RsM9sdvJTyxHWpU8fEb3CFFPX47WEEdzFEjvay
+iqEorgwgt0OuiDc6ygpjvje94MD9/tn2oXGXiZXf225UPJOAg/4G2CECAwEAAaOB
+/TCB+jAfBgNVHSMEGDAWgBROLqPn2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQU
+XNZp2F2DSh5YkgNExED/5j5eRE4wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATCBjgYDVR0RBIGGMIGDpIGAMH4xCzAJBgNVBAYTAlVTMRow
+GAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UECxMQZXhjbHVkZWRTdWJ0
+cmVlMTE4MDYGA1UEAxMvSW52YWxpZCBETiBuYW1lQ29uc3RyYWludHMgRUUgQ2Vy
+dGlmaWNhdGUgVGVzdDMwDQYJKoZIhvcNAQEFBQADgYEAF0YtbEJ7UriPhjA5X7Ms
+bjlEt6/l18J5LUKX6SdvzojVZW6wSnfiinjESVIMS7+nvplPU1D5y6BBzB2jCHZx
+uxC/Db9r8CeNek1COMl9nvav4pyuA1e+INl/it59qgfHMZ/pBdsYkYKI3B31oinp
+TSHj4AKIIi1y358PHk3BZWw=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest7.pem
new file mode 100644
index 0000000000..66b10244d4
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest7.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB+MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsT
+EGV4Y2x1ZGVkU3VidHJlZTExODA2BgNVBAMTL0ludmFsaWQgRE4gbmFtZUNvbnN0
+cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Q3MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCTL1HBt+N66tLKmFW98QfimYn+8h4asDqh1Q919/M7TSNyoUAS9y3U
+ZCRVwviSwB78P1HReztqDDX7dkKHazvtXY28fVhPwv1lCxj8sh+U3QoprauZoukz
+wx6J56XR40wEckL6qf6l2qNeVTuPEQW21ZRBgPEKIqikZYLjl1c/jQIDAQABo2sw
+aTAfBgNVHSMEGDAWgBSL47hYVp8Dat892Ac7swc24cu2yjAdBgNVHQ4EFgQU8nNR
+dG/7HQqs2Y/HH+yF2vQ6QYUwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQA4Lj7z67AHCPqJNPK30vJT6DzO
+BIMzF5uXn1uLFPibVYwzith0bxt+lS6X+XY0D8JVcCoGvQXIajaOz6SQW1Rjl9d4
+/ZtQK/Fa4aWO/SNJ/mUev7+CaFuSpzVNwU6TyY8mBs3THbFis9zVbllRK8ejAkZz
+CrLUsdP7tsReU49LLA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest8.pem
new file mode 100644
index 0000000000..de2503fe99
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest8.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree1/CN=Invalid DN nameConstraints EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjQgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB+MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsT
+EGV4Y2x1ZGVkU3VidHJlZTExODA2BgNVBAMTL0ludmFsaWQgRE4gbmFtZUNvbnN0
+cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Q4MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDRLWTNLHouiD2wN3hJ0jdnrj4fTjlz2+99l/B+6xTOCtwBUJpACTye
+HIN9D2KKM0Qmh9stFmyS37OoOs2WPy4d6zXJI09x3ENRMHVD4XL8zIYvdc554XCO
+r6r5F4NDD9PXfx7zbY5zIa8xvuuRodLcz7HjxXCATmiy/Ylbq/tAvQIDAQABo2sw
+aTAfBgNVHSMEGDAWgBQzKeiMgEymrSeDjSUCZ8XltnYEzDAdBgNVHQ4EFgQU2i3L
+WI4ETNSzaANnEBgojWiA0sowDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQCF1bG1gRn+77BAUXRG0YGUPMgR
+9DHNB3htuZ16XVRT2TqgE6hFiTROTrYgQekzo37hAKapBXUk09KjbIEZZWimwkzo
+lsh96Mt3Mri/s1KHNnRsPWR7Z9noTDZW2doxIx9IdZnbpceQ/z+E9xHaEZZX2QTU
+oFgdRZWQ6koAHlJt+A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBQTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIERONCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy/f6yuk+
+9T8iA8JCNC3qD0GOvAIXRNgKM4QLcAsVsDZkgrXmmyKyX3e+W5lgLeuzzgLxM9Fc
+Pm1NCRAX+AleMx8MI9Vyii9xcNT3KY90roWbXvSiixffCQyKwgjcNazm4nMgcKcY
+GCrTnvtjwDq4r0ov0chfZ4FYvOdxRXKJIscCAwEAAaOCASYwggEiMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQzKeiMgEymrSeDjSUC
+Z8XltnYEzDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wgaUGA1UdHgEB/wSBmjCBl6GBlDBIpEYwRDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBl
+eGNsdWRlZFN1YnRyZWUxMEikRjBEMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVz
+dCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTIwDQYJKoZI
+hvcNAQEFBQADgYEABIMFw3c0vt6dsO0Lzu4cyBPZB6GobaJ9EVCLCKcuwdvmyMgo
+YamK8D4AEsT88YhCFji3zELvEeg4P8QsRhtIsr0nto5r+CV02degP3F2XAPQr8gw
+qBP/8ejUC0UPnOz3QlkiM4mZ3mN3A3KJPCmPmtRIVst622/8nt4HWGLYi38=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:33:29:E8:8C:80:4C:A6:AD:27:83:8D:25:02:67:C5:E5:B6:76:04:CC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 7d:57:1e:3d:c5:08:85:5b:0a:d1:cb:66:61:ba:9c:ad:1e:d1:
+ 7c:28:1c:08:2f:2e:52:53:18:63:ac:0f:c1:fd:30:d2:f1:90:
+ bd:fa:89:97:c4:2f:73:a9:c7:36:bf:5d:e6:2a:21:f2:d9:81:
+ ae:f3:47:05:14:8c:ec:fc:80:c9:c5:3d:37:cb:5a:e5:8c:56:
+ d7:be:e7:ed:8f:f7:21:0f:d6:6c:e3:f8:cd:dc:c6:bd:70:90:
+ b6:30:bd:d1:76:47:62:33:02:ba:bf:97:41:a1:cf:62:12:21:
+ 4c:1f:d0:49:a8:b7:50:f9:a3:63:40:5e:f9:0b:5b:ac:de:7e:
+ f4:27
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjQgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFDMp6IyATKatJ4ONJQJnxeW2dgTMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAH1XHj3FCIVbCtHLZmG6nK0e0XwoHAgvLlJTGGOsD8H9MNLxkL36iZfE
+L3Opxza/XeYqIfLZga7zRwUUjOz8gMnFPTfLWuWMVte+5+2P9yEP1mzj+M3cxr1w
+kLYwvdF2R2IzArq/l0Ghz2ISIUwf0Emot1D5o2NAXvkLW6zefvQn
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest9.pem
new file mode 100644
index 0000000000..450c232004
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest9.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/OU=excludedSubtree2/CN=Invalid DN nameConstraints EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjQgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB+MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsT
+EGV4Y2x1ZGVkU3VidHJlZTIxODA2BgNVBAMTL0ludmFsaWQgRE4gbmFtZUNvbnN0
+cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Q5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCh34/kUYUgkdgErLgpO39ywlNRcYoZme/9B+Qf6xXvtvQsMVSTRlYj
+SSl7WicS1s0i8wU0jrejAaH4wKVmEKpUXvDAnMWqnRTgL7EN4ni4vaorV9S5/6+A
+qXnmW+4GGg76TP9cj+SQ31mg5DHaHMGc5WeGygDJ0iaYXHqtUczkQwIDAQABo2sw
+aTAfBgNVHSMEGDAWgBQzKeiMgEymrSeDjSUCZ8XltnYEzDAdBgNVHQ4EFgQUWfRX
+bghjCb+4MfpDq1DFnXXWtZkwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQBqpi8ums5mTqAUxfvjuqAIdAzU
+vDfiJ9uAvSRyTLckdIKvbvqgn1xK4LFKEHh98dWr48RosYc8wkofI0wHpwYrhYcP
+y2kgyqtaTrdeSgbBcBibusuagwpz9o25LUTRTMVg9sq+1yJJYlGHGV9LuTnn/ZcP
+vCtQwWgLy74cJC0WvQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBQTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIERONCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy/f6yuk+
+9T8iA8JCNC3qD0GOvAIXRNgKM4QLcAsVsDZkgrXmmyKyX3e+W5lgLeuzzgLxM9Fc
+Pm1NCRAX+AleMx8MI9Vyii9xcNT3KY90roWbXvSiixffCQyKwgjcNazm4nMgcKcY
+GCrTnvtjwDq4r0ov0chfZ4FYvOdxRXKJIscCAwEAAaOCASYwggEiMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQzKeiMgEymrSeDjSUC
+Z8XltnYEzDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wgaUGA1UdHgEB/wSBmjCBl6GBlDBIpEYwRDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBl
+eGNsdWRlZFN1YnRyZWUxMEikRjBEMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVz
+dCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTIwDQYJKoZI
+hvcNAQEFBQADgYEABIMFw3c0vt6dsO0Lzu4cyBPZB6GobaJ9EVCLCKcuwdvmyMgo
+YamK8D4AEsT88YhCFji3zELvEeg4P8QsRhtIsr0nto5r+CV02degP3F2XAPQr8gw
+qBP/8ejUC0UPnOz3QlkiM4mZ3mN3A3KJPCmPmtRIVst622/8nt4HWGLYi38=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN4 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:33:29:E8:8C:80:4C:A6:AD:27:83:8D:25:02:67:C5:E5:B6:76:04:CC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 7d:57:1e:3d:c5:08:85:5b:0a:d1:cb:66:61:ba:9c:ad:1e:d1:
+ 7c:28:1c:08:2f:2e:52:53:18:63:ac:0f:c1:fd:30:d2:f1:90:
+ bd:fa:89:97:c4:2f:73:a9:c7:36:bf:5d:e6:2a:21:f2:d9:81:
+ ae:f3:47:05:14:8c:ec:fc:80:c9:c5:3d:37:cb:5a:e5:8c:56:
+ d7:be:e7:ed:8f:f7:21:0f:d6:6c:e3:f8:cd:dc:c6:bd:70:90:
+ b6:30:bd:d1:76:47:62:33:02:ba:bf:97:41:a1:cf:62:12:21:
+ 4c:1f:d0:49:a8:b7:50:f9:a3:63:40:5e:f9:0b:5b:ac:de:7e:
+ f4:27
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjQgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFDMp6IyATKatJ4ONJQJnxeW2dgTMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAH1XHj3FCIVbCtHLZmG6nK0e0XwoHAgvLlJTGGOsD8H9MNLxkL36iZfE
+L3Opxza/XeYqIfLZga7zRwUUjOz8gMnFPTfLWuWMVte+5+2P9yEP1mzj+M3cxr1w
+kLYwvdF2R2IzArq/l0Ghz2ISIUwf0Emot1D5o2NAXvkLW6zefvQn
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDSASignatureTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDSASignatureTest6.pem
new file mode 100644
index 0000000000..55164dda04
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDSASignatureTest6.pem
@@ -0,0 +1,104 @@
+subject=/C=US/O=Test Certificates/CN=Invalid DSA Signature EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=DSA CA
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAvagAwIBAgIBAzAJBgcqhkjOOAQDMDoxCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEPMA0GA1UEAxMGRFNBIENBMB4XDTAxMDQx
+OTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMTMwMQYDVQQDEypJbnZhbGlkIERTQSBTaWduYXR1
+cmUgRUUgQ2VydGlmaWNhdGUgVGVzdDYwggG2MIIBKwYHKoZIzjgEATCCAR4CgYEA
+vbB6Gzy0SX2N5smRzWMqz0VoZRd5JR2pZblQy69qF7L9wXPemawRZc4n8w8GB+4+
+IDHq2L8Uex+2KP9lRuXNnaUp+C/BCIB1cHBBJwA2Wzqhe0uyoVb9qvDOQuU27zRU
+dymarmOqSfc+ruHC+faJMv+ZaHv5zjRd8XwpZHs0ZK0CFQCXYwgNQsqfF7gNfgA6
+5QUzpC5bwwKBgGBfbUNGPILwforCRr06QOuBEKduLdWEZngS7RkwrK5N12jxDw34
+bvbzjzqlldmdKRu8kUG2bhSV9aF/EzvyppEkVBZ0j4NmnQtO/kvigCL12hmSucnN
+3Ir4+32prJX4ycxuECJYsbU5LPfHicJT9x5o8Yy4IcxJkzfkL/O3WE1KA4GEAAKB
+gC1pr90wK1tDu2BegyCB0M5MOerDtoYTJ+js/5N0yrMApqjdguHSRoq6nyc/33dn
+gAlOKsmYuClo4V9v5sQ1rPYYa4Pt9DL105oCu3uZAlASTSqiUc6FV1IYlEEyErXp
+JM5sYFEtet0LoIq2QvmcbHx3OZXrTS7ZgvKCNwNFBQ3Qo2swaTAdBgNVHQ4EFgQU
+3GZpOXKnsDrffRsT0zC/TrR+oPEwHwYDVR0jBBgwFoAUdBXVJBy9XmWIH+GLCX5/
+6hlITmEwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA4GA1UdDwEB/wQEAwIGwDAJ
+BgcqhkjOOAQDAzAAMC0CFQC8jW6jJtLFOVb/3gB8Ud6zDADC1AIUXggJS+znTQfq
+yuMe+SHndjnV3Gw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=DSA CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAu+gAwIBAgICB9EwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxUcnVzdCBBbmNo
+b3IwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA6MQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBkRTQSBDQTCC
+AbcwggEsBgcqhkjOOAQBMIIBHwKBgQDf5RE+2um2bhDW6p3inTqwR71EAMdWyMxu
+0DOEVkc1PfZUyOPCrbu6dfMvMwym+THsZ+PlmW38KW6qV4hyNOKOAJDgo6xkjsD2
+PB2PtMhKSDBef6qcdiYL2xNzM4OXwMWz5jf1Pv8VDdShLrox+KuH2AvMd5hCbqyT
+mMK9Lns0CwIVAM8GBNj/i+sA6fZcB5Zz/ZZlOi8HAoGBAMzhfLDOkl9j7Di7RLrd
+kjS2Xr5le9hxdwSd7GZ8OwTOtvNS/g+SVQLvThKrXZouL25W83Dsau2bIrioE8sM
+nBbqwQqOISZEpQz5oOxi4HAxzGj1C4WkShtuefTB+TZaOG9O74RT32f9zPdZYo+c
+nM0Qj1ykD5y3B+xg876vfjmYA4GEAAKBgBHyudi+QivFhL6RAhz8jDJyi6hsIdeI
+ihS6MGV1wBw9gmllp6yQehQdhXvlU8Jg/LHPZ6/B8i4IMmo4x5FOO7w8CdD5cW0I
+3ydJjQV02L1G0NtRpVO6h/P6XSWDT38KdeWp44mnQXdjQF8rLITSwXF4CttrVxnh
+5xQMnsT2MjkOo3wwejAdBgNVHQ4EFgQUdBXVJBy9XmWIH+GLCX5/6hlITmEwHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4GBADo7ch93LLrc7PUdW0XOP3+kP+Sywfqf2ApcmOLufmM60siw4rzA
+1ssoITB2Rs3TPQKBiJzMdFKrq8tQ+8TcpXJ9M4SVfbAFB0P0vB4UC2Eg6iSnVJbB
+tsZFj12gpqv5Gawo3yUTw34h3opDGSX1pz6eZUIZBFKpAX5gyIpiEBI2
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c7:32:ea:21:ff:7d:01:d4:f3:d9:c5:a9:ea:04:35:21:81:d2:
+ 13:f2:35:d3:e4:53:c5:03:93:de:a1:2d:25:56:64:bc:52:20:
+ 81:53:69:6a:a6:90:26:38:bd:ed:31:7f:a9:7b:c1:e8:a9:e5:
+ 07:97:82:bb:3e:8a:f9:79:ec:2e:bd:16:4c:31:6b:b6:80:ca:
+ ba:ba:0c:35:0a:d6:08:3c:31:78:fe:d3:3d:06:69:6c:3a:e4:
+ 07:4d:6e:84:21:d3:c3:90:60:8f:99:90:62:a9:16:38:25:2f:
+ 7e:08:5f:2f:cc:59:d7:7d:9b:2f:d8:0b:e7:70:d9:64:f7:01:
+ 38:8d
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU+2zULYGe
+yid6ng2wPOqavIf/SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAxzLq
+If99AdTz2cWp6gQ1IYHSE/I10+RTxQOT3qEtJVZkvFIggVNpaqaQJji97TF/qXvB
+6KnlB5eCuz6K+XnsLr0WTDFrtoDKuroMNQrWCDwxeP7TPQZpbDrkB01uhCHTw5Bg
+j5mQYqkWOCUvfghfL8xZ132bL9gL53DZZPcBOI0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: dsaWithSHA1
+ Issuer: /C=US/O=Test Certificates/CN=DSA CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:74:15:D5:24:1C:BD:5E:65:88:1F:E1:8B:09:7E:7F:EA:19:48:4E:61
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: dsaWithSHA1
+ 30:2c:02:14:46:20:d2:4b:f9:cd:91:09:e9:71:6a:bf:d2:3e:
+ 88:5d:d0:47:ee:aa:02:14:25:ae:d3:6a:ca:3f:a4:54:41:d9:
+ a3:57:74:b3:48:ab:c5:9f:01:f9
+-----BEGIN X509 CRL-----
+MIHYMIGZAgEBMAkGByqGSM44BAMwOjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMQ8wDQYDVQQDEwZEU0EgQ0EXDTAxMDQxOTE0NTcyMFoX
+DTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHQV1SQcvV5liB/hiwl+f+oZ
+SE5hMAoGA1UdFAQDAgEBMAkGByqGSM44BAMDLwAwLAIURiDSS/nNkQnpcWq/0j6I
+XdBH7qoCFCWu02rKP6RUQdmjV3SzSKvFnwH5
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEESignatureTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEESignatureTest3.pem
new file mode 100644
index 0000000000..998b139518
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEESignatureTest3.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=Invalid EE Signature Test3
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGkludmFsaWQgRUUgU2ln
+bmF0dXJlIFRlc3QzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYuEosZMlo
+4XLnLFz0FHAoAVIElosiQpT0Z0p3AtLcG9tCIN83S7m8WXOBhuRBoRLaHQvEnPE0
+n5azBwJ+zhWD4+MglyPcJ1FrO7SPiHOB9UotWr0EG4cjkAVUMrrkFRLfoLIPJqz3
+sNEYnP5qPOe32IGDKbXybjoddfzHbompcwIDAQABo2swaTAfBgNVHSMEGDAWgBS3
+LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUU/uacMtyT3ntU/H7h/8/HstM
+ebcwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq
+hkiG9w0BAQUFAAOBgQBHY2fzJrZTRjpqPLxzU7ZABeS9O/01ZTY/9uYl0JrJsfN4
+WlxaYMtSRcTJceQAvfyrafk1x354iJF+GjW7XIJR9RhGlkQXquT1Pqlv/Z2vpSjq
+glf4JuAbERm1V92qP2Acyiphm+P98Pu21c/Vq9xK3Jh/9/GUSOCmPIhvVG00MA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotAfterDateTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotAfterDateTest6.pem
new file mode 100644
index 0000000000..a9fb2b27fc
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotAfterDateTest6.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid EE notAfter Date EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIBBjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMDIwMTAxMTIwMTAwWjBhMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUludmFsaWQgRUUgbm90
+QWZ0ZXIgRGF0ZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0NjCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAyCOeDYaml7SOL+2x9UWcwqcMIR9a0vGlP8Do87TNFZz+wiLZ
+0nMYVMfnQWT28E37L2tcdoZUM7SW8dlvfMfTKIoSKeXUiD4bRftrWVj4/s9Ipb/h
+8Gl9k0GwUmg9gN3LDvdRw2z2CiBtP6xsNJZ9vFW+o5QIhd84r74TPs1H2xECAwEA
+AaNrMGkwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYE
+FP4ipJtrQCKWa5Vq2wk2HfpPnJnGMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAO
+MAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEADdATbChw44x7r1EYA7A2
+1BGzR/9Qmz2Dhd9d1stBum7SiD6Rclpo9A+CfwMmPhzNuaAScE6jL7LGwOYIbKp0
+LczJhPXVy5XLwf+pciCQFDFVc04/qEIugQJm25iQkm6W0E6kpOuwrOlpUU6SRAB8
+AktPedUhRoKNsB06vemChz8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotBeforeDateTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotBeforeDateTest2.pem
new file mode 100644
index 0000000000..6208b7d277
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotBeforeDateTest2.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid EE notBefore Date EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+NDcwMTAxMTIwMTAwWhcNNDkwMTAxMTIwMTAwWjBiMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNzA1BgNVBAMTLkludmFsaWQgRUUgbm90
+QmVmb3JlIERhdGUgRUUgQ2VydGlmaWNhdGUgVGVzdDIwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAM6vu936ab1N3e528zJ2ryTW9quJh45gf03iwH7dWEYsZpO5
+t9UBImXpFR+j74ZQenhHmcgGQNy58Zc4KwbzxnNMnvW7INMVc36TZzdvq5hfXCsV
+SX5gBctkPQ1hgh6LZHLQoUnxJiI7iijUUE6P2p4HfaqfEkh1tQfjivyF2yo1AgMB
+AAGjazBpMB8GA1UdIwQYMBaAFLcupoLLwsi8qHsnRNc1M9+aFZTHMB0GA1UdDgQW
+BBShT/d1PnEn2vh4FZtBbivDFsd2djAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAGYyJnIuxfaHwIyiOnLc
+T3IRt4wcrAOMimrliGD1dHOozDxUnNA2gZqA11JYlTJ6QzScfOQ7Wg8XKu3mxA8u
+c2A/x1cX9PYiJ5Js37f4OBW3/sWTk+X+9G5iS3cDB4e7LDqCdf+Q4eEGlyEZ8xw3
+FgxmIZrL8hh7RlY8QIAMRc3S
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest23.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest23.pem
new file mode 100644
index 0000000000..e8f2b80b3d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest23.pem
@@ -0,0 +1,116 @@
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKnNvKCUbOkr4mNPrV
+EBeh0vWaSj7DMTMuBhMM4N5zT6XkBdghaAMQis36dJASxXYtGiiAY0Wv3oicc66t
+vag7yMp7Iy71oHzCSrw+YF6oBOV+krjeaNIg/5/CGLkMr5KXC3egPap4fv/EQbAD
+ZbMw+Qndc+mnj7AAnfb8i2AJPQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUbMEUX9inLeCGkxlcC/BJuSVb6BwwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABA2o025rmbJVizdycoV/q2zarMz87Ki
+QJimcOjKcZTSmDiAxKCTYzBFWeUZWZqVDm0QbhOThmX5nkaYjiz3vLAgdDDUr6zA
+tYmNsP2oA7ajpSmcze5/VwkBgMKt7Al5w6xT91R0tCltLcppOPJhE85jMd724jTc
+XHLxTJCox/SL
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid IDP with indirectCRL EE Certificate Test23
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA1
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGYxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE7MDkGA1UEAxMySW52YWxp
+ZCBJRFAgd2l0aCBpbmRpcmVjdENSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjMwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJR1Ogq33bnWdnMPT8T7u4psSBkPFbwr
+6mSgwNE1ZPPI3wkF66/zJAKMPK8LTskPhZ9QVaKvAt2MnLz004Yv+rS2N5H+cvTL
+oeXp0h0SbIgwRsgHWNBoOLACifcpIqR+dGuSakGD7dHG+NClC6jVJp8mf9EzxW84
+bjJvdhmADg7LAgMBAAGjazBpMB8GA1UdIwQYMBaAFGzBFF/Ypy3ghpMZXAvwSbkl
+W+gcMB0GA1UdDgQWBBTbRhIag+0VzAQ6Vki6uTqYN+IjxzAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAGxw
+5QQhnpLypGVABOGVcbBYU+WO8Wkdo3htkGA1XHJSVggDQSbnHzX+1V/ETnAicQrh
+6ktOuzBTCLOG5TjmgKKcnS5y7rIndkGZ/3lo3DJydBzVGoLVUs5FWAvuWjIikQZO
+BEymYFtHwJh7iV0ma8n5No+re9BhnsQuWIfS7YXX
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=indirectCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:C1:14:5F:D8:A7:2D:E0:86:93:19:5C:0B:F0:49:B9:25:5B:E8:1C
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:ab:91:4b:38:62:8e:f2:48:86:10:a6:b8:b9:c3:c2:28:e5:
+ c1:d8:3b:c5:8c:6f:62:44:37:f6:1e:2f:d4:04:be:ff:bb:28:
+ a4:3c:71:1f:69:58:85:95:60:3c:cc:f7:65:22:4e:9e:44:e2:
+ 6b:45:16:9d:67:ae:da:ff:57:e7:d4:ef:34:cf:1e:86:52:13:
+ 25:77:a7:7d:fc:ec:94:62:bd:b1:76:a9:66:c1:ef:82:bb:3e:
+ 9b:21:c4:ef:49:9b:2a:e8:5a:ef:39:82:ee:da:97:5f:77:89:
+ a6:3e:42:26:77:b2:15:97:c4:db:ee:ca:8c:ad:d2:cf:18:3e:
+ 87:e8
+-----BEGIN X509 CRL-----
+MIIBcTCB2wIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBMRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcy
+MFowDDAKBgNVHRUEAwoBAaBAMD4wHwYDVR0jBBgwFoAUbMEUX9inLeCGkxlcC/BJ
+uSVb6BwwCgYDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4QB/zANBgkqhkiG9w0BAQUF
+AAOBgQBsq5FLOGKO8kiGEKa4ucPCKOXB2DvFjG9iRDf2Hi/UBL7/uyikPHEfaViF
+lWA8zPdlIk6eROJrRRadZ67a/1fn1O80zx6GUhMld6d9/OyUYr2xdqlmwe+Cuz6b
+IcTvSZsq6FrvOYLu2pdfd4mmPkImd7IVl8Tb7sqMrdLPGD6H6A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest26.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest26.pem
new file mode 100644
index 0000000000..ec66261d9d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest26.pem
@@ -0,0 +1,137 @@
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKnNvKCUbOkr4mNPrV
+EBeh0vWaSj7DMTMuBhMM4N5zT6XkBdghaAMQis36dJASxXYtGiiAY0Wv3oicc66t
+vag7yMp7Iy71oHzCSrw+YF6oBOV+krjeaNIg/5/CGLkMr5KXC3egPap4fv/EQbAD
+ZbMw+Qndc+mnj7AAnfb8i2AJPQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUbMEUX9inLeCGkxlcC/BJuSVb6BwwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABA2o025rmbJVizdycoV/q2zarMz87Ki
+QJimcOjKcZTSmDiAxKCTYzBFWeUZWZqVDm0QbhOThmX5nkaYjiz3vLAgdDDUr6zA
+tYmNsP2oA7ajpSmcze5/VwkBgMKt7Al5w6xT91R0tCltLcppOPJhE85jMd724jTc
+XHLxTJCox/SL
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDblDsGRxVahA98R7vE
+/DS4nbSbyoerDINPIyc8wkOtWcS+y+f9O5IIdDJOZm2I5px1PA840SXYHh15o3ZW
+Vn4gFU3AgKF/CWMJ1g79LAYAMnQN/T7kSfuz/0rqhLH9tjz3Qtjt+/zy45YIny80
+7JOBLH3eLX0H2aOmsJUenp5ExQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwa+CD9XTTxDwMWI8WIm5inS7nAEwDgYD
+VR0PAQH/BAQDAgIEMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEvc066az+E8sftMAgkECVeJVw0Mcr2y
+YlJ0SAbZUNaU7KbzXxm3j8Q5v8K8GDy7EB4H0Gyh0vgsbChTAdLip7xQf7V7SetA
+nE66H4ikF/UAhXlSz+E48Qe2+L3w2weGbU3zwmNMeYkI6dmGFMfEut7hL9ak0Ulc
+0meAGzOu5kHt
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid IDP with indirectCRL EE Certificate Test26
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA2
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAkygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGYxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE7MDkGA1UEAxMySW52YWxp
+ZCBJRFAgd2l0aCBpbmRpcmVjdENSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjYwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJWG0QMGGkC8v7EYNdgiIW21p0tpEHdc
+A5GWLdFuWvXKCk0fjKc6H/xux8sQgSPzqQkSVwRCvoQZuP8YbELalcOpbU1KN+NY
+xJUjVXB1FZwvz+9tBl8EXV6h+WdvQ5i0H9q5HIhiRqKx3ol2pTbnbE7Tq2lSeFZs
+J9pjj19d2bEvAgMBAAGjgcMwgcAwHwYDVR0jBBgwFoAUwa+CD9XTTxDwMWI8WIm5
+inS7nAEwHQYDVR0OBBYEFNqqzRuM3BRGiQozMByWP0u9kYvjMA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwVQYDVR0fBE4wTDBKokikRjBE
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNV
+BAMTEGluZGlyZWN0Q1JMIENBMXgwDQYJKoZIhvcNAQEFBQADgYEASYGU+PXCspmb
+cqsXmUr/HLCeEc9QXXTDPtkqweBOdgVc27fLaugIkTOEcwkHnxGBst2VRxbG7TXR
+sdcakIKE52+VN4ll8u/oPLs+rp+Fp4Xe9nMj0scOzjcSzBRMTN1VtpVoFUM1Jp5T
+JFEnAXzAMD3ex1dtQYriGo4yHKWcpkc=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=indirectCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:C1:14:5F:D8:A7:2D:E0:86:93:19:5C:0B:F0:49:B9:25:5B:E8:1C
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:ab:91:4b:38:62:8e:f2:48:86:10:a6:b8:b9:c3:c2:28:e5:
+ c1:d8:3b:c5:8c:6f:62:44:37:f6:1e:2f:d4:04:be:ff:bb:28:
+ a4:3c:71:1f:69:58:85:95:60:3c:cc:f7:65:22:4e:9e:44:e2:
+ 6b:45:16:9d:67:ae:da:ff:57:e7:d4:ef:34:cf:1e:86:52:13:
+ 25:77:a7:7d:fc:ec:94:62:bd:b1:76:a9:66:c1:ef:82:bb:3e:
+ 9b:21:c4:ef:49:9b:2a:e8:5a:ef:39:82:ee:da:97:5f:77:89:
+ a6:3e:42:26:77:b2:15:97:c4:db:ee:ca:8c:ad:d2:cf:18:3e:
+ 87:e8
+-----BEGIN X509 CRL-----
+MIIBcTCB2wIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBMRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcy
+MFowDDAKBgNVHRUEAwoBAaBAMD4wHwYDVR0jBBgwFoAUbMEUX9inLeCGkxlcC/BJ
+uSVb6BwwCgYDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4QB/zANBgkqhkiG9w0BAQUF
+AAOBgQBsq5FLOGKO8kiGEKa4ucPCKOXB2DvFjG9iRDf2Hi/UBL7/uyikPHEfaViF
+lWA8zPdlIk6eROJrRRadZ67a/1fn1O80zx6GUhMld6d9/OyUYr2xdqlmwe+Cuz6b
+IcTvSZsq6FrvOYLu2pdfd4mmPkImd7IVl8Tb7sqMrdLPGD6H6A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidLongSerialNumberTest18.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidLongSerialNumberTest18.pem
new file mode 100644
index 0000000000..81cb0d51d7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidLongSerialNumberTest18.pem
@@ -0,0 +1,115 @@
+subject=/C=US/O=Test Certificates/CN=Long Serial Number CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBEjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVTG9uZyBTZXJp
+YWwgTnVtYmVyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1mCudsqPk
+irIFe3XQBPzhyyRQyreJH26B3Yg6kYq1Obd6I1j7Ber4BDVyCCAvnS6rNkzsbaJf
++sWVf27Vug0uhasZx/3XGc0DbhZNr5iYknU1LEh8Ccq1Oymq0LPolAHqaJNOaYpb
+K5Fq0P0RDcBK/ENgmtdY0CJrR7MWUTttqQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU3z1I++My57kmUova7PgJT7PH
+36YwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHJqd5P8eBN05uB3+fPCfVjO
+qX7csbAx6X1LNibOoWDlB9Y6fElHQS+i8HDPmIIdC7N/9xoCW/fhzZqb6VKDQXNM
+9pwf6jOJKnNQOaQISdoIvj2Jn1FoE4Bo1SGGQo6ZgCWfXPA1TE93BXTua9Oa+FZ5
+fhG3y3gMYLC6ciKePSDf
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Long Serial Number EE Certificate Test18
+issuer=/C=US/O=Test Certificates/CN=Long Serial Number CA
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgqgAwIBAgIUfwECAwQFBgcICQoLDA0ODxAREhMwDQYJKoZIhvcNAQEF
+BQAwSTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4w
+HAYDVQQDExVMb25nIFNlcmlhbCBOdW1iZXIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcN
+MTEwNDE5MTQ1NzIwWjBkMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0
+aWZpY2F0ZXMxOTA3BgNVBAMTMEludmFsaWQgTG9uZyBTZXJpYWwgTnVtYmVyIEVF
+IENlcnRpZmljYXRlIFRlc3QxODCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+2sI1yl0rje3fSYBkT9yPudlTELF0ndMo5oaWr8vE9UjhpBrgSFFtYu6GZAbqeZEB
+i0faI9SWBl06pWZj47auSdPeU0Akrzn6If3Vc2eVJKCtAHQuxnd9dToJDqjIiA0z
+YVT7YTE7zLs9d0HHhDhM/VYqBKqtqrOTEhss0ryQRSsCAwEAAaNrMGkwHwYDVR0j
+BBgwFoAU3z1I++My57kmUova7PgJT7PH36YwHQYDVR0OBBYEFLVbztWeCD3WQICU
+BucmQT4POFoDMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDQYJKoZIhvcNAQEFBQADgYEAZjyhu29ssno3io8WqDGabhCgGRL6lS3tgEsq
+k5sxDXO5xgZf//iGlwXTy8w2H+MZ/SX+2acfmFnALYXcGkK5ZHjKQjMOpJZwF/kB
+mzJP4HDEVY5lsvPyVKYqks4lRkbJOMXVBh3Ub5/ag1eOcTeljYhwU66DUMByVzQP
+1RwAcK8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Long Serial Number CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DF:3D:48:FB:E3:32:E7:B9:26:52:8B:DA:EC:F8:09:4F:B3:C7:DF:A6
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 7F0102030405060708090A0B0C0D0E0F10111213
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 7a:20:63:9e:55:8d:d1:c3:ab:3f:37:97:45:61:6c:a3:21:9f:
+ 83:bd:ce:63:48:7c:a8:ca:36:15:02:3b:1b:51:66:e0:23:df:
+ de:ea:86:72:e6:92:9a:63:c7:0e:31:30:ee:62:83:1c:3e:23:
+ 20:29:23:ec:aa:2e:f6:18:ba:94:45:e7:af:5e:44:0d:3c:2b:
+ 13:6b:8c:7c:7a:6d:a2:f7:b5:9e:ea:d6:f9:9d:4d:31:91:8f:
+ ea:4d:b7:ef:5f:5a:2e:63:fc:37:02:5a:db:a6:3e:de:6b:a7:
+ 84:83:d2:a7:5b:e2:07:85:9f:0a:03:f0:33:53:eb:a3:d1:d4:
+ 16:02
+-----BEGIN X509 CRL-----
+MIIBeTCB4wIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFUxvbmcgU2VyaWFsIE51bWJl
+ciBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA1MDMCFH8BAgMEBQYH
+CAkKCwwNDg8QERITFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8G
+A1UdIwQYMBaAFN89SPvjMue5JlKL2uz4CU+zx9+mMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAHogY55VjdHDqz83l0VhbKMhn4O9zmNIfKjKNhUCOxtRZuAj
+397qhnLmkppjxw4xMO5igxw+IyApI+yqLvYYupRF569eRA08KxNrjHx6baL3tZ7q
+1vmdTTGRj+pNt+9fWi5j/DcCWtumPt5rp4SD0qdb4geFnwoD8DNT66PR1BYC
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingFromanyPolicyTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingFromanyPolicyTest7.pem
new file mode 100644
index 0000000000..792032e282
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingFromanyPolicyTest7.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Mapping From anyPolicy EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=Mapping From anyPolicy CA
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGU1hcHBpbmcgRnJv
+bSBhbnlQb2xpY3kgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBn
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPDA6BgNV
+BAMTM0ludmFsaWQgTWFwcGluZyBGcm9tIGFueVBvbGljeSBFRSBDZXJ0aWZpY2F0
+ZSBUZXN0NzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtfiBNk2i7y/WBuI5
+GCW0+6q3VwFnT3frj/wV+Ie2r2bKy2iasXlilOldX5jcywoO2qcMHUmoeK2eE6rM
+/ffDK4Zd4EhJJ5RJdgoWhjBpfKNGD73JlCIAVGGooCiVx9zJICN9DFl/X6hybpM8
+Gs/BWxcHB7vzpzCGqKwI91lstiUCAwEAAaNrMGkwHwYDVR0jBBgwFoAU98GrNdgv
+hgNaNjdZb8HBpG2kpEgwHQYDVR0OBBYEFNuifbLkKO+WtPZNnKM58l/XwUD6MA4G
+A1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcN
+AQEFBQADgYEAXZ+i/Dd4d11xpuKLT90bOID/badZcsjgBbJ2hTG4JhzrHQN6kxzI
+Xt3L5FBaqgg1SfvC0K6/eex8SDEdEJ5LlbmflMths7r8DICoo3Dyo+y/G6ziqRR7
+fOrYKBk6zhliAHXNqrtQ/fUCCNke/OMk62U7WgbaQuELj+tzZHPHShA=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Mapping From anyPolicy CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICrjCCAhegAwIBAgIBMzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZTWFwcGluZyBG
+cm9tIGFueVBvbGljeSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmMII
+TPwdFq+61dFOwrrjLrVHakDcX3fO14s58oprgJ0Qcm88Fjs1+HyurbqB1r7rySfg
+zIZhJjb6ZZqV4qwd2fyQGhYHSctVTxOfxYc+JnK/eLQ09eCM0Uv2U2e9AyyObT0A
+Gt8DpfnfiMrkyadyKRICC/6dOHLb/OnT82jrw/UCAwEAAaOBqjCBpzAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU98GrNdgvhgNaNjdZ
+b8HBpG2kpEgwDgYDVR0PAQH/BAQDAgEGMBEGA1UdIAQKMAgwBgYEVR0gADAgBgNV
+HSEBAf8EFjAUMBIGBFUdIAAGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAP
+BgNVHSQBAf8EBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAImTlpjaX4CkEQLrZZsd
+iyLe+gkOFWF7maBKcZQcCHDUNuIGFeYmRqB+eXsYqooAvYOUfSz30L709ODiWLH4
+Zm5y79xssrJYzS+sDfDHmNMjKo/U9Dj4nVO+ln6PGGe8PPW7P04gUXcQjJFHCLfh
++czJLt8J7JUOUznIvSEIIsto
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Mapping From anyPolicy CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F7:C1:AB:35:D8:2F:86:03:5A:36:37:59:6F:C1:C1:A4:6D:A4:A4:48
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:b0:d2:68:c9:a0:5c:dd:e8:e0:e1:ed:95:35:cd:01:70:d6:
+ 24:88:d7:37:d3:05:59:04:38:c3:51:64:ca:aa:c4:07:31:80:
+ c5:12:d7:9a:38:5f:67:c7:dd:0b:05:98:71:a1:b3:65:dd:09:
+ cb:87:c5:8a:e2:bf:26:27:0a:56:0b:8d:c3:46:b1:75:4f:f3:
+ 03:5b:3d:ec:84:f9:e1:03:ee:a1:8a:c7:e9:22:6f:29:b2:6b:
+ 64:02:e4:aa:7b:5e:bd:84:fe:af:a9:25:98:7d:7b:b8:f0:ef:
+ 3f:df:f9:26:a6:84:d0:16:6e:b9:2d:bd:15:95:8f:47:7a:a8:
+ 28:28
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGU1hcHBpbmcgRnJvbSBhbnlQ
+b2xpY3kgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFPfBqzXYL4YDWjY3WW/BwaRtpKRIMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAAWw0mjJoFzd6ODh7ZU1zQFw1iSI1zfTBVkEOMNRZMqqxAcxgMUS
+15o4X2fH3QsFmHGhs2XdCcuHxYrivyYnClYLjcNGsXVP8wNbPeyE+eED7qGKx+ki
+bymya2QC5Kp7Xr2E/q+pJZh9e7jw7z/f+SamhNAWbrktvRWVj0d6qCgo
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingToanyPolicyTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingToanyPolicyTest8.pem
new file mode 100644
index 0000000000..9981bba023
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingToanyPolicyTest8.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Mapping To anyPolicy EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=Mapping To anyPolicy CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF01hcHBpbmcgVG8g
+YW55UG9saWN5IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIE1hcHBpbmcgVG8gYW55UG9saWN5IEVFIENlcnRpZmljYXRlIFRl
+c3Q4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1bl/gTqVbi6yVtJxnXxNx
+DlekTcCxPmcwCs7HEqTWzpbyvYxgoXfNIP7bjtabs/IK9+SG1YQpqAHt/UFImBzC
+jdgEBzfRwt2eGR4wSeGN09s2jAjT2aq9dbkF+Ib99D2DNKjlPKBbb4GeNWnNEDno
+yf4eZEPAx8P3QSsAfUqocQIDAQABo2UwYzAfBgNVHSMEGDAWgBS6gMx6LKdjWhCr
+Tj+ExFNVCmn6HTAdBgNVHQ4EFgQUm+ENjbV3/gxDFuaWw6Dwa1YRk3swDgYDVR0P
+AQH/BAQDAgTwMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQUFAAOBgQCQ
+H92kSHC9YZU7taUlRQda3eEkg775JMosyIMd1DwSzbT/wRoWU7/6BnsV99dq1Ja8
+2pZn316o7wfz6POeSg/VzNFd4HC+j84NTUMBrFt/SSdoqh1CkUXNAKbqffDzn4gN
+Sry4MX5zRGXwI3GYFol9TnNutj6HQl9Tr3iolkPufg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Mapping To anyPolicy CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICsjCCAhugAwIBAgIBNDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXTWFwcGluZyBU
+byBhbnlQb2xpY3kgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJrojWZR
+mKqz0wTzKWxK+BvdLHiNYkl7deU8v1nJqthPCd0D2ZxiM1IwaskiG9Nm+sO+91AZ
+pk/QFCW8XKa70to819onqj29QyYeO8ukMtlXuLI0pXVjyN4cWxfHH9o5IUH897/t
+hcTbFWYC1+TqZUNaPASnCw67YZejfdZZtD4VAgMBAAGjgbAwga0wHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFLqAzHosp2NaEKtOP4TE
+U1UKafodMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+IAYDVR0hAQH/BBYwFDASBgpghkgBZQMCATABBgRVHSAAMA8GA1UdEwEB/wQFMAMB
+Af8wDwYDVR0kAQH/BAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQC4HMzKV0x+spl2
+wCvBKf+ArCiSCklHEDKpj3HrJ7zIH1lqU73rZjOJQB3hsnSMYEB+ch4DQNDzOQIB
+bGspRwEeTIRjZ1u6CZ9h+kIVu2R4eyfq9mNYOvYFeY/kB/zwrMQnoeJtJ9sQ6IQi
+rwtT53uxl1gZv4pBZRIURDq8KEyoUQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Mapping To anyPolicy CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:BA:80:CC:7A:2C:A7:63:5A:10:AB:4E:3F:84:C4:53:55:0A:69:FA:1D
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:da:09:1f:2a:48:11:8d:5a:7b:8f:a6:74:bc:32:70:4a:03:
+ 30:8b:f1:26:b4:cf:a0:9c:9d:89:84:98:71:48:4f:93:09:59:
+ 08:c0:07:e4:65:bf:12:ca:49:90:3d:36:f3:31:83:3e:34:b3:
+ 9a:df:d3:a4:f6:7d:cb:ee:5b:1e:cf:e0:70:25:94:0e:0e:54:
+ 9c:32:4a:50:41:ea:bf:f4:57:d3:53:02:7c:c7:bc:d4:04:a9:
+ 9f:36:51:04:26:6f:37:1f:62:8a:ea:f7:7b:2f:d1:24:53:17:
+ de:db:e1:ce:89:00:3e:71:23:73:b2:da:af:79:f7:4a:2b:a4:
+ 2a:bb
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF01hcHBpbmcgVG8gYW55UG9s
+aWN5IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBS6gMx6LKdjWhCrTj+ExFNVCmn6HTAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQCS2gkfKkgRjVp7j6Z0vDJwSgMwi/EmtM+gnJ2JhJhxSE+TCVkIwAfk
+Zb8SykmQPTbzMYM+NLOa39Ok9n3L7lsez+BwJZQODlScMkpQQeq/9FfTUwJ8x7zU
+BKmfNlEEJm83H2KK6vd7L9EkUxfe2+HOiQA+cSNzstqvefdKK6Qquw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMissingbasicConstraintsTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMissingbasicConstraintsTest1.pem
new file mode 100644
index 0000000000..77a888caf9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMissingbasicConstraintsTest1.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Missing basicConstraints CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcDCCAdmgAwIBAgIBFjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbTWlzc2luZyBi
+YXNpY0NvbnN0cmFpbnRzIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
+9yKuCeu6dhjdDO1FYBjOw7a3vWSCZ6ukoQAD5724THVzb548yc2GIGKHC0mWgXiX
+fB6PBIQAwAhwCIetZaZICbOaJLAEgrfYEc2BK1uYPcnPDq3akXxh5lwFwL8N/xT9
+ajSDOeq+fWCIH4K3cgzvQFksXSMBrCLeSqRqpxg7aQIDAQABo2swaTAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQURqBdN9KpBRGTRazt
+XDHnzRcB9gEwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATANBgkqhkiG9w0BAQUFAAOBgQCIvIvzmMIwJ8YV4vFP0812ct/Jsheq3QAcCH22
+0akUpHCoryoLL8cVkdCCP6lG5QD0BdEszwovHnuu6X1kPCe/85mpvlueAMAcr3Wh
+sSZA7vot2fdmAqwje/64fADpW2pI3muEixUfmNSMsjXFzGSFT2tWJ1XNfFAI9EYK
+j0nmiw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Missing basicConstraints EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Missing basicConstraints CA
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG01pc3NpbmcgYmFz
+aWNDb25zdHJhaW50cyBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MGkxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE+MDwG
+A1UEAxM1SW52YWxpZCBNaXNzaW5nIGJhc2ljQ29uc3RyYWludHMgRUUgQ2VydGlm
+aWNhdGUgVGVzdDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIu/B3NsTKFd
+3NwujgznvY/HGzG+YIVddeXJ/bIUYqj0gIh6FNebF1p5DnC4tljBvuux5UMrmGOi
+6/MoDmiVL8VyVr87z69Hx4DKUjwmHa8KOQ8L5KcklyNCiqovL+IWvl/ifcvU3tQ2
+olOq4vjYRupu8NdmpY4IZl6UQScR5P6lAgMBAAGjazBpMB8GA1UdIwQYMBaAFEag
+XTfSqQURk0Ws7Vwx580XAfYBMB0GA1UdDgQWBBT7lvAQxDdV8M61puLxGf+ZGq5u
+WDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqG
+SIb3DQEBBQUAA4GBALqhV3pig7Li1sMxfgarLLYB4xxjsbFinx7EtEDlju0sTe3j
+F7e9rh62n7fnZqZ8KSyRCikPu3r3qBCLx2TV+i31inM/GqvU2yrBGdVm9HUi2CSp
+YUePLjOyojWECk+rYNq3vVYFVKJkonzfR3533mruAKakqDJ0PQLTEx84ugv9
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Missing basicConstraints CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:46:A0:5D:37:D2:A9:05:11:93:45:AC:ED:5C:31:E7:CD:17:01:F6:01
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 94:49:47:9b:06:de:66:8d:df:13:40:35:7f:95:83:f5:1c:92:
+ da:0d:33:78:99:cd:9c:34:02:32:14:17:ea:86:48:3a:9e:ba:
+ c6:5a:de:0e:5b:68:0d:1e:9c:f5:07:b6:81:e3:47:fe:29:45:
+ aa:c4:51:01:21:b6:70:ed:1b:28:cd:c1:81:f2:43:e7:12:00:
+ 48:78:7b:6e:28:5f:71:8f:f9:56:2a:22:8f:3a:7c:8b:8b:7c:
+ 8a:f4:2c:23:67:c7:b6:b4:85:02:99:d9:48:01:29:c8:6c:ad:
+ be:24:a7:3a:8e:56:ea:92:4b:e4:8d:d8:9b:f7:17:b3:e9:b5:
+ 87:fa
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG01pc3NpbmcgYmFzaWNDb25z
+dHJhaW50cyBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAURqBdN9KpBRGTRaztXDHnzRcB9gEwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAlElHmwbeZo3fE0A1f5WD9RyS2g0zeJnNnDQCMhQX6oZIOp66
+xlreDltoDR6c9Qe2geNH/ilFqsRRASG2cO0bKM3BgfJD5xIASHh7bihfcY/5Vioi
+jzp8i4t8ivQsI2fHtrSFApnZSAEpyGytviSnOo5W6pJL5I3Ym/cXs+m1h/o=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingEETest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingEETest1.pem
new file mode 100644
index 0000000000..ce0428ec3b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingEETest1.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Name Chaining EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Good CA Root
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBCTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDEdvb2QgQ0EgUm9v
+dDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEzMDEGA1UEAxMqSW52YWxpZCBO
+YW1lIENoYWluaW5nIEVFIENlcnRpZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCtoV9f+SA4KyB9i+bRylcLprvUHWg6W/anXTtNepZjeYRI
+h45BCVfF9mYQIoBvqYkSOdB64I/qUShwGf3kj75YiGotm1AzP/e8A1dIyvdxVT75
+vZwCWaOjqX5wEyaGnXS2u1NDzvZ/5JBtwo1KumaVAd9bLw2nhHAwbJ65Hx1eWwID
+AQABo2swaTAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4E
+FgQU0QFCXwgNnxwQuYUlKF7ehgYiFvYwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQB8cokOobcm6ZNTDk59
+Ieo9rWzeCUeh8ku0vO2bp0hyVadPHfCvXRRFlWZ6WKMTkBXOs/i5gHEtEGB9cLDO
+kmOOHijG06pi9KyYqh54As2hG8wKngUEyOZsIkKK6JfdMx9besNZ5lQlSK3SZpV4
+wTIx6poqzlbJx24yad7rPgiUxg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingOrderTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingOrderTest2.pem
new file mode 100644
index 0000000000..dd9f0a5d86
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingOrderTest2.pem
@@ -0,0 +1,113 @@
+subject=/C=US/O=Test Certificates/OU=Organizational Unit Name 1/OU=Organizational Unit Name 2/CN=Name Ordering CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICwTCCAiqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGOMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAsTGk9yZ2FuaXph
+dGlvbmFsIFVuaXQgTmFtZSAxMSMwIQYDVQQLExpPcmdhbml6YXRpb25hbCBVbml0
+IE5hbWUgMjEZMBcGA1UEAxMQTmFtZSBPcmRlcmluZyBDQTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAz4GBJOnsdl/i9wT8fK6n4zN5AHkLGLTaV9MLbBL5heti
+HmMEj4t80NsHynN8WrNyxjxjeDoAnlUixCHAT6totgzgeWKumN7Pt48lWyP7K9eV
+j0mJ/e0X8EYCrm1idgjBevSpFpC8sT0m7Lgo60wWBrYqKBE2OW2oLqjK2a9itJkC
+AwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0O
+BBYEFP/4JkT0Lojo+NeoS4SRoshoYlphMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAE
+EDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF
+AAOBgQCrzt7jsc3zpys78suxiiHSl9hYrO0L3UJE4TYhMKsTdu2r1KStNCY1MA05
+8U2gLxTSvnibuRTn81AHALvjm5bd3oiKFRr3ISzo9SkBx6wXO7x23f26giO4h6WR
+Yjce1wWutjpvkyXJWxLqKD5eE2PVqwjujs3eiNAV0KkiQTqZkQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Name Chaining Order EE Certificate Test2
+issuer=/C=US/O=Test Certificates/OU=Organizational Unit Name 2/OU=Organizational Unit Name 1/CN=Name Ordering CA
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAj2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSMwIQYDVQQLExpPcmdhbml6YXRp
+b25hbCBVbml0IE5hbWUgMjEjMCEGA1UECxMaT3JnYW5pemF0aW9uYWwgVW5pdCBO
+YW1lIDExGTAXBgNVBAMTEE5hbWUgT3JkZXJpbmcgQ0EwHhcNMDEwNDE5MTQ1NzIw
+WhcNMTEwNDE5MTQ1NzIwWjBkMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxOTA3BgNVBAMTMEludmFsaWQgTmFtZSBDaGFpbmluZyBPcmRl
+ciBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAlIUiHjq7IwwwfDgHAnDwX3nPnYsaZ6Bu8w8lZNS/15MDdOmQg71tVoCIC0he
+PJBMDiqwuUQ3pbgsavDR26tQnAXGzmJllHIFry4XfdUozW3Du9KUR4eFHDkgiQCj
+IXj4VSgaMAXyDSGO8tQpZvweKQLreeur5220Pf3K7zabhcMCAwEAAaNrMGkwHwYD
+VR0jBBgwFoAU//gmRPQuiOj416hLhJGiyGhiWmEwHQYDVR0OBBYEFEu0FDAWAxWm
+n1pTTcqqIcZ0G7JJMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFl
+AwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAHrnqIOietTCGSRZ38iulDWfnU8JraF8Z
+x0MJGiOWHh5iM21Rfwux8XyoJ022fncuDoZAsUjriRwBn3u0faPPFouOEEVMglWU
+woUFoMYymfDUYmA+kavP7A4gRhSfhi4JJJHdb1AbnNkHbMfIBRSz48wsphGJEyk/
+NE5gmcum3Bg=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=Organizational Unit Name 1/OU=Organizational Unit Name 2/CN=Name Ordering CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FF:F8:26:44:F4:2E:88:E8:F8:D7:A8:4B:84:91:A2:C8:68:62:5A:61
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ b4:c4:1d:56:f0:e3:a4:27:bc:09:13:d4:99:6e:6a:94:5c:0a:
+ 5e:33:09:0a:a0:6c:df:0f:3d:a5:03:15:e8:da:cd:53:10:e0:
+ 26:82:d4:82:34:2e:75:62:f0:8d:a5:b0:17:ba:77:e5:1c:b2:
+ ca:d4:71:78:2c:fb:3c:cb:51:58:4f:1f:b8:90:22:7e:60:c1:
+ 60:03:64:04:58:60:3d:a8:36:c4:37:6e:b4:c1:28:0c:4d:16:
+ 89:5e:31:4b:1a:7d:4d:33:35:8d:0b:92:38:90:f2:70:e1:f4:
+ c6:14:7e:fd:3b:9c:c2:d7:da:8f:ce:1f:6d:36:3b:ce:5e:28:
+ 1b:fb
+-----BEGIN X509 CRL-----
+MIIBiDCB8gIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSMwIQYDVQQLExpPcmdhbml6YXRpb25hbCBV
+bml0IE5hbWUgMTEjMCEGA1UECxMaT3JnYW5pemF0aW9uYWwgVW5pdCBOYW1lIDIx
+GTAXBgNVBAMTEE5hbWUgT3JkZXJpbmcgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQx
+OTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFP/4JkT0Lojo+NeoS4SRoshoYlphMAoG
+A1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBALTEHVbw46QnvAkT1JluapRcCl4z
+CQqgbN8PPaUDFejazVMQ4CaC1II0LnVi8I2lsBe6d+UcssrUcXgs+zzLUVhPH7iQ
+In5gwWADZARYYD2oNsQ3brTBKAxNFoleMUsafU0zNY0LkjiQ8nDh9MYUfv07nMLX
+2o/OH202O85eKBv7
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNegativeSerialNumberTest15.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNegativeSerialNumberTest15.pem
new file mode 100644
index 0000000000..9310adbf42
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNegativeSerialNumberTest15.pem
@@ -0,0 +1,114 @@
+subject=/C=US/O=Test Certificates/CN=Negative Serial Number CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBETANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZTmVnYXRpdmUg
+U2VyaWFsIE51bWJlciBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw5yD
+rVmP3dVETqSrKKVXvXWAnpc5K5Xh6mhHBvy/YpoERigE1MP8A/6eE3mY6OnMJVAh
+QJRWniYBrIDg5zR873cTAbn1O7MwSfs3LLxEO81iAf2k4nFFxAGtQp5AUwx0cQVK
+8oMVty8BEcAkazVA87HQgpycQySqDLmklHNqkncCAwEAAaN8MHowHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJCMpyNNS/fqobISh7nA
+0w4zWMuCMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBYz9xXPhMcniA6W0RG
+0A59JbhJJpAZmnLBusWQjWYIZsVit1M1OXc/zDGAP/ik3blednL+t+wbdJc1qg9m
+4bgoXS14lg+6IGMF2VWcoKkDJDIHpkVrdQc9WGNm0qqPyHGW0ggbi5VrBv1potkF
+xBtl1WkY3ZTLuI71pJ15ebGZ/A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Negative Serial Number EE Certificate Test15
+issuer=/C=US/O=Test Certificates/CN=Negative Serial Number CA
+-----BEGIN CERTIFICATE-----
+MIICljCCAf+gAwIBAgIB/zANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGU5lZ2F0aXZlIFNl
+cmlhbCBOdW1iZXIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBo
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPTA7BgNV
+BAMTNEludmFsaWQgTmVnYXRpdmUgU2VyaWFsIE51bWJlciBFRSBDZXJ0aWZpY2F0
+ZSBUZXN0MTUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANKczL4/N4jrniwj
+6tO7tR683qVrEG+1DB4XcrWL4wENZS5O2qkppGZD7cOXkGuOemheT0QGmaEtQjOa
+yRVw86jvq4n3iQdSEvRb6C2GtYQ7hFASTBsQn4qKbcldkhv+XQAzLMc65GcFv0l6
+n0xR1miZq8E0mDxBLg9J5iv6abyHAgMBAAGjazBpMB8GA1UdIwQYMBaAFJCMpyNN
+S/fqobISh7nA0w4zWMuCMB0GA1UdDgQWBBR1iOR4fH+ykQ1KqxHgeC1Wl2TuQzAO
+BgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3
+DQEBBQUAA4GBAAAfyUd30ByRjggXgiu4vNE7KBbaY6fbiYYugGriPx/HPPIJM3M9
+3W2m85AhLW9Qt/dpaXQGeICkDfrLrpTCV8MWnedoVwQMBla8v5QNs4pUdkTXuV7R
+9LZqxgeDvUTEadGrNLjZ4WumiFApRA+DRjJE0LsnS58wWtklsYDoHJtH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Negative Serial Number CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:90:8C:A7:23:4D:4B:F7:EA:A1:B2:12:87:B9:C0:D3:0E:33:58:CB:82
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: -01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 7d:55:77:de:74:f8:ae:25:02:35:ad:53:74:92:6f:89:f9:ed:
+ b3:4c:bf:a7:70:b1:0e:20:4a:c3:03:7f:a9:99:01:5b:5a:a0:
+ 67:df:cd:74:08:d6:80:2d:ca:f7:c0:be:9e:68:35:d3:79:89:
+ 45:a7:6e:f2:75:86:e5:28:d0:00:2c:96:14:03:96:eb:75:d0:
+ fa:a7:78:f8:50:e7:70:6b:cc:1a:9d:8a:30:1e:c5:5d:22:a9:
+ ef:dd:07:48:85:87:d6:2f:15:02:d0:07:81:2c:bf:fa:c6:ce:
+ 49:03:44:08:37:f3:f3:79:b1:61:ab:c7:f9:21:29:3f:4f:cb:
+ 36:c0
+-----BEGIN X509 CRL-----
+MIIBajCB1AIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGU5lZ2F0aXZlIFNlcmlhbCBO
+dW1iZXIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgH/Fw0w
+MTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFJCMpyNN
+S/fqobISh7nA0w4zWMuCMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAH1V
+d950+K4lAjWtU3SSb4n57bNMv6dwsQ4gSsMDf6mZAVtaoGffzXQI1oAtyvfAvp5o
+NdN5iUWnbvJ1huUo0AAslhQDlut10PqnePhQ53BrzBqdijAexV0iqe/dB0iFh9Yv
+FQLQB4Esv/rGzkkDRAg38/N5sWGrx/khKT9PyzbA
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidOldCRLnextUpdateTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidOldCRLnextUpdateTest11.pem
new file mode 100644
index 0000000000..43f4c11eeb
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidOldCRLnextUpdateTest11.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Old CRL nextUpdate CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBDjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVT2xkIENSTCBu
+ZXh0VXBkYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3mWvvYS5A
+sFNH3PbxcSFtUQ/3TzWlO4y6wINHN6Ypk9Okpx3uHSwBpkQ1N0htmUhGQYFyhzBx
+ATrb4vlB4KzylhOwfX0F4cYko464NaCZNL7OzwjzOCgZ8097o6RD+Z2vsM0GmOeD
+ycpB9yeqLhC4e30k8dFJqxzCAEJC0Et5swIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwGrz/yOO0EdEUB5DUcJ8XjGJ
+zAcwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADOSGYLxhRxOj7gm33bTOeiQ
+PIlmAlvVtqg+44hgkcovBETHehNU1xBQRF/tdPACobZUA1/0YoyNZTHIY87qLDkJ
+Ks0twBDEHmgmadu+IKhutKIZzHSsU9xVfyipeAX7BfgDDeEaRdyPCan3KO9hpbhS
+CruOE+/WuIQiY2bS2SPs
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Old CRL nextUpdate EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=Old CRL nextUpdate CA
+-----BEGIN CERTIFICATE-----
+MIICjjCCAfegAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFU9sZCBDUkwgbmV4
+dFVwZGF0ZSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMw
+SW52YWxpZCBPbGQgQ1JMIG5leHRVcGRhdGUgRUUgQ2VydGlmaWNhdGUgVGVzdDEx
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvSHDwBMR2xa4zMZPJ+4WCtp4V
+RyIBBXrHretH519ipC4dqURqRrI7/N9ApYs6t/xevUxi+T2rDzXZB8L6x3AhE+BZ
+xOknZ/gpSN3du4ofSeM8DT7vzkwkj9S+bdEcU480Om0P40OwnQUIiR92HM8xO5r1
+qNrXauV14rf3F461HwIDAQABo2swaTAfBgNVHSMEGDAWgBTAavP/I47QR0RQHkNR
+wnxeMYnMBzAdBgNVHQ4EFgQU/pqWPiQxXU/VEoME39jSmPZFApEwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOB
+gQC2hDiZpMieKwCdZ3STNKZnLhmmgmcxMnshFx6iQ2B8XIbpY8fNvTUCPf9MMEvP
+a+1O7EDTEdrQCEpnKZWExBuB5qpOeP6ddjsedieij7YZUsPCn8aYxz3Cc8uBailz
+2ooOjU9ubv3hI/vnWXYKhZZwPdognMfenzqgqVonVkrt7A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Old CRL nextUpdate CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Jan 1 12:01:00 2002 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C0:6A:F3:FF:23:8E:D0:47:44:50:1E:43:51:C2:7C:5E:31:89:CC:07
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 09:dc:b4:50:29:96:87:a1:e0:b8:2e:39:6e:17:6e:95:7c:a2:
+ 45:a8:24:5d:ce:da:6a:00:6f:8c:7a:19:77:5e:d8:d6:ff:63:
+ 12:a5:68:c5:3e:e2:17:87:57:98:08:d7:2b:26:2e:1b:3d:12:
+ 56:39:9c:93:8c:0e:c4:ed:19:af:37:4e:9c:2e:4a:54:85:8b:
+ 54:2f:b2:a5:c9:ca:5a:9c:d2:a7:76:c5:00:1f:92:c0:cb:3e:
+ 1d:0f:69:63:4c:f9:40:fe:40:d7:17:fa:ae:b2:5f:e2:f4:8b:
+ 01:b1:2f:bc:7e:8a:b4:05:1a:97:21:8a:84:66:94:ec:5f:fa:
+ 4d:28
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFU9sZCBDUkwgbmV4dFVwZGF0
+ZSBDQRcNMDEwNDE5MTQ1NzIwWhcNMDIwMTAxMTIwMTAwWqAvMC0wHwYDVR0jBBgw
+FoAUwGrz/yOO0EdEUB5DUcJ8XjGJzAcwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEACdy0UCmWh6HguC45bhdulXyiRagkXc7aagBvjHoZd17Y1v9jEqVoxT7i
+F4dXmAjXKyYuGz0SVjmck4wOxO0ZrzdOnC5KVIWLVC+ypcnKWpzSp3bFAB+SwMs+
+HQ9pY0z5QP5A1xf6rrJf4vSLAbEvvH6KtAUalyGKhGaU7F/6TSg=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest10.pem
new file mode 100644
index 0000000000..3c896b358d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest10.pem
@@ -0,0 +1,172 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Policy Mapping EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0Eg
+UGFueVBvbGljeSBNYXBwaW5nIDF0bzIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBgMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxNTAzBgNVBAMTLEludmFsaWQgUG9saWN5IE1hcHBpbmcgRUUgQ2VydGlmaWNh
+dGUgVGVzdDEwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChB9eTYlpZl1JR
+8TrbGxGjxB92HiDmmZ2KLK8LOAzDhLn6pDzsOGwkyo7M6CDyAoWz/eaCmRD1i6qy
+QKVu2sn162p7KlvlNyd1JYAVIAPjkGR/a8VfCm9q3N/lRKwsSj/GZIek/8iSW/KC
+FdaqSGbsEbHK6Fn8vcQ4Lh4eUroNKwIDAQABo2swaTAfBgNVHSMEGDAWgBSR1+G1
+pJYIkfGicS9m2Sd7SoKTmjAdBgNVHQ4EFgQUqFpT/L04k96R6J+5dQbd8YN6qoMw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG
+9w0BAQUFAAOBgQADIM+40SMZ1r8wWXESNPXd8FCdvGJyWdeFjUA0Ads0pN+XIsnC
+4sPLYgWB1xdrSQyNdrwkLoyy2UGPHgSTwlhlX7NxZHyfxaMZRN1FKRPHs6alDc/M
+603qZ04FrwJd54rHiHLAI5/fgJzZRu5bOUBiDFxW7skEOp/4AiVZG4+8Wg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICtTCCAh6gAwIBAgIBFjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0EgUGFu
+eVBvbGljeSBNYXBwaW5nIDF0bzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ANGY6UqVJ9oB3KneANaPiYS3vFaEAo7CVhPn358boVTv2/wQv8iwT9MvDcASa4Fi
+5kaob+B5k7T8qjNOtxaZJb69UDUDsAYww6r/NK5pkS1KNf7CJZW6/RQC06GsivKO
+kQoudXfGEjAMhmHNuEXS4biTlRuVUXJqLPq2yLwAJPZ1AgMBAAGjga0wgaowHwYD
+VR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYEFJHX4bWklgiR
+8aJxL2bZJ3tKgpOaMA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIAAw
+JgYDVR0hAQH/BBwwGjAYBgpghkgBZQMCATABBgpghkgBZQMCATACMA8GA1UdEwEB
+/wQFMAMBAf8wDAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQBNuXYJvgOn
+wez9J/K4ZZhWpMPo/7Qso2S6BAoJh7QdTymJKxD6nDnPwetIpbQkbEtq+V30ZA+o
+6v+0cntT/I7cm9JKOXMOKn35BODzS8u5UJTDwWc/l5SA0scCSRfTT9LJambCyz+m
+C0/k+v5zw5VpFozVY4FoV4/KnwIhJPuDwg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:91:D7:E1:B5:A4:96:08:91:F1:A2:71:2F:66:D9:27:7B:4A:82:93:9A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 97:e7:b7:e3:46:cf:59:49:72:d2:0e:de:0e:f6:c3:1a:ca:34:
+ 59:50:f1:2d:fb:11:31:f7:bb:b2:f7:dd:0e:fb:bd:6b:7a:7f:
+ e7:dd:02:be:6c:7b:36:1c:49:50:38:d9:85:67:97:a5:0f:84:
+ 49:de:8a:d5:0b:d0:36:fc:6c:4a:82:cb:83:73:ed:1e:af:31:
+ dc:0f:6f:eb:69:18:67:b7:fb:1e:a8:1d:a5:36:84:dd:05:72:
+ 52:f1:51:e1:93:6a:ff:2f:92:6b:7a:c1:67:90:0b:7f:66:0e:
+ f1:83:22:d9:52:5e:f7:58:5d:5c:7a:1b:69:84:91:da:b1:18:
+ 11:c2
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0EgUGFueVBv
+bGljeSBNYXBwaW5nIDF0bzIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFJHX4bWklgiR8aJxL2bZJ3tKgpOaMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAJfnt+NGz1lJctIO3g72wxrKNFlQ8S37ETH3u7L3
+3Q77vWt6f+fdAr5sezYcSVA42YVnl6UPhEneitUL0Db8bEqCy4Nz7R6vMdwPb+tp
+GGe3+x6oHaU2hN0FclLxUeGTav8vkmt6wWeQC39mDvGDItlSXvdYXVx6G2mEkdqx
+GBHC
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest2.pem
new file mode 100644
index 0000000000..43fc124d7d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest2.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Policy Mapping EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=Mapping 1to2 CA
+-----BEGIN CERTIFICATE-----
+MIICgzCCAeygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD01hcHBpbmcgMXRv
+MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF8xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE0MDIGA1UEAxMrSW52YWxp
+ZCBQb2xpY3kgTWFwcGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAoadvCebWnauqUaHFp40w4mCV71scsCOfYsKd2A1Z
+qG7a+bY47N5PYZ3U5Ma08y9eYo1tp/KdyjpqVjRyjuThypOpD9w0G+SKNSSO9qWC
+MDvLPUi28tTApRjWztYYwN/g5vFkSu17fxV+2UFjktKI5L7kajObs+ukIn+CZjp2
+ZJsCAwEAAaNrMGkwHwYDVR0jBBgwFoAUNzuKobqNp3SbwOvWOcshDI2jVn0wHQYD
+VR0OBBYEFP3Ru6m0Dy03xmdc1XvYMeSY1zK/MA4GA1UdDwEB/wQEAwIE8DAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAGhBCvmaevxrJ
+N0Kz2kBu8iSaQ909Y6uo5N0DyRRCZQGADpcApXIr7/C/Uu4qBIyC3WTBsx2cxZFV
+5FThscR7x6s7loGSYxVh2GrCKj3t643zzznkIP7iMZxSGBdVJpEsjScMJ/7tXnkp
+IaawhSXoSuDs35Gvi32ldHbXmUh9NvY=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Mapping 1to2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICrTCCAhagAwIBAgIBMDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPTWFwcGluZyAx
+dG8yIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXwTHRx8gVHWtSe1VX
+oLPFQmGX4Y0U4v535jowfMd9254hmwW4VbZzK7rrXGOAimFxGHKwa7mkPEo80MIW
+8YQC5HZs3jaXLh/xsmV1qlzwceCXooef+wu8W0pgoJ63MmY+ZJWiNK2ygRV/EVFF
+x2ii8ZGDW+SKEX2WIYI7JhmcTQIDAQABo4GzMIGwMB8GA1UdIwQYMBaAFPts1C2B
+nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ3O4qhuo2ndJvA69Y5yyEMjaNWfTAO
+BgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB
+/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/
+MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEAphAVDZECciXjDiCta9HU
+ZubezLaRjcl0IaUmTlvuhUqkfGG2x1KhB6QTq7JGCmBrlxL93qhU+8sGW1k26/3p
+c3hc60bKZ5oBG96iN05oLWWF3udbqBESMO7gn1zX14s97qLtuqQAyuERy2L2uOkk
+n/emInqTFTixe284WjHR3XY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Mapping 1to2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:37:3B:8A:A1:BA:8D:A7:74:9B:C0:EB:D6:39:CB:21:0C:8D:A3:56:7D
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 29:63:8c:57:a4:35:bb:2c:2e:a0:1e:7e:c1:e2:0e:39:2c:83:
+ d6:5f:29:3a:03:70:63:aa:1f:42:e8:fd:3f:64:f6:8b:ad:86:
+ 27:c3:a6:5d:48:9d:ef:6d:bc:be:7a:24:a9:6d:b0:4e:4d:58:
+ 4f:52:c8:bf:dc:70:7c:ea:8d:5e:54:12:db:5d:62:c5:63:06:
+ 2e:00:b4:d2:fa:51:6c:da:3f:41:04:36:14:ce:63:b5:46:e6:
+ 7d:10:01:db:50:07:69:82:6a:34:45:0b:38:5e:f2:d5:8b:77:
+ e4:ea:6a:7f:9a:18:fa:74:ed:b4:5a:ba:68:f2:68:c4:d2:55:
+ 17:9e
+-----BEGIN X509 CRL-----
+MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD01hcHBpbmcgMXRvMiBDQRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUNzuK
+obqNp3SbwOvWOcshDI2jVn0wCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+KWOMV6Q1uywuoB5+weIOOSyD1l8pOgNwY6ofQuj9P2T2i62GJ8OmXUid7228vnok
+qW2wTk1YT1LIv9xwfOqNXlQS211ixWMGLgC00vpRbNo/QQQ2FM5jtUbmfRAB21AH
+aYJqNEULOF7y1Yt35Opqf5oY+nTttFq6aPJoxNJVF54=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest4.pem
new file mode 100644
index 0000000000..5c77a406bd
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest4.pem
@@ -0,0 +1,214 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Policy Mapping EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICjTCCAfagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVAxMiBNYXBwaW5n
+IDF0bzMgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBf
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNV
+BAMTK0ludmFsaWQgUG9saWN5IE1hcHBpbmcgRUUgQ2VydGlmaWNhdGUgVGVzdDQw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJprKoJhJkwv9iBN1IYtMV3uRD5s
+uHrGKo8QKVwNvqYLHai3buTlKV5MkXVGAX4jOoo4gsNST1yqaYHmB/PN8gpC5Zei
+k0+5yWdAraOAj6IeMEJzs6Vu9ajsCKNQ/hbc6SBJ7wYIxviyUzvUVS9L7tGbO9ww
++pDzJ+GDcBzAhMJNAgMBAAGjazBpMB8GA1UdIwQYMBaAFPYssbcpta6Vf7D4OUFT
+LS4PBOPHMB0GA1UdDgQWBBSEY/EgMg6/W2kqOBHmu0ZzH+8FdjAOBgNVHQ8BAf8E
+BAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATADMA0GCSqGSIb3DQEBBQUAA4GB
+AI26nbSlHGf56TsealBKtrzfLJm4+UtAODZ+a5qU/JtzajvXGdh66TgEK+NFB83w
+h3OtGs/OQ39fhXosCcXXmXk8mNBj6MokhRptFdnJz+edT9yqz96ufAHZSKpG1Di2
+d9bllknCKDikzWUOGTOiCuHc2n7ymexbgnYnUAdvLw2s
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICvzCCAiigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTUDEyIE1hcHBp
+bmcgMXRvMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmTEwLH6u6mb6
+kvz4ulbBVFC2Ea6WdEv2uH/vNi23mER2Nl+xAbeopiy3OLEiXavvD3uvVjX0bSOH
+BGk2j/ern/Urw6djfKt5V4O3NMYi6Grvfm346kdutjJuBcNlhLOE8mLXUguspocr
+AoAEjrQtuS4Bkb9A5wj3OYy4jr2JhtMCAwEAAaOBwTCBvjAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUreIKE61SbSWszamYogoEaK1y
+rrIwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpg
+hkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEw
+AzAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQAD
+gYEAEelnHhW6SAs3Zj4a5YMVTKDe7vCThen9bA1Awt3yFincViRt5/s2ZyzTN5fr
+Xi+2m42Gm+Anb3D7rpV9IJ/PahHq4yrKSrcAzhT3IcHbuHFNwiw8Z3T+31hhjJUx
+3atYpYOZZPYwuT0inFHJWRfBNA8NGBtqYlxI1C+/ucdy7ik=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+-----BEGIN CERTIFICATE-----
+MIICwTCCAiqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAxMiBNYXBwaW5n
+IDF0bzMgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBNMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMT
+GVAxMiBNYXBwaW5nIDF0bzMgc3Vic3ViQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAJjo4/4TekqllLI7gPzmE2OceB30SRuraEVWVdR/lmFpFTks5fKkqf96
+WjYpnJZwaqE1ZdUQxgeNsswPm4pUAhVmU9IHvqBaM+bNXFsrwBOYYhfZY3xnwcxp
+IZsvkLPuEq1vLwxpn+0zTDOpDGf9zhiTrswEUoGYBwOVqRDaToYdAgMBAAGjgbMw
+gbAwHwYDVR0jBBgwFoAUXcS6eHk0JsNyV9FZ9KPiVKcocdEwHQYDVR0OBBYEFPYs
+sbcpta6Vf7D4OUFTLS4PBOPHMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwG
+CmCGSAFlAwIBMAMwDAYKYIZIAWUDAgEwBDAmBgNVHSEBAf8EHDAaMBgGCmCGSAFl
+AwIBMAQGCmCGSAFlAwIBMAgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF
+AAOBgQCass0kmtqSdWX5lffBs/tSTSvnGK38REo2IwTFLHduO4cvzAyS7ProbF/J
+al8FtT9mdnl+NpwrH4KlFNu+uti47wFj9xov/kbcmp21DvZ/m8ihmStk4FG2r6Ad
+0gdmVfBYem0mOu/1r/F8deNFP/Dpd8w3KFnv3Dd9wZd/Eb5hrg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAj6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5n
+IDF0bzMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAx
+MiBNYXBwaW5nIDF0bzMgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AMsNrOgngQPHY/5QvmR5y8mHOJJ2T8Vjf+3/DPv5eMF+q11urxfCat4faDdtchBa
+QXOWQ2TEy6tqpR7u8UJ2wnI7phld51gAcT2I8V7swo/EM1Ga1i5bWa5G10vPmZw5
+l7QwqT/D6JkHdthcaJdQrBP9zesYPEp13RFQU9mP5451AgMBAAGjgc0wgcowHwYD
+VR0jBBgwFoAUreIKE61SbSWszamYogoEaK1yrrIwHQYDVR0OBBYEFF3Eunh5NCbD
+clfRWfSj4lSnKHHRMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFl
+AwIBMAIwDAYKYIZIAWUDAgEwBTBABgNVHSEBAf8ENjA0MBgGCmCGSAFlAwIBMAIG
+CmCGSAFlAwIBMAQwGAYKYIZIAWUDAgEwBQYKYIZIAWUDAgEwBzAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHwK+aOYJpXAoXSRQ1o82pqD++jA/uvr
+2eJoXbcch64CAdRNuCA7rQoRAx1nSUgjoLmHcTDrowQzodrVXVmCmYqXxB5XswG6
+z5Oj09NorxHxpAs7E/izElYwEXl5n0NMInD6S2r1SWOnRpGnCL8PYM3gW+xne8rJ
+CZMIMADOWvrc
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:E2:0A:13:AD:52:6D:25:AC:CD:A9:98:A2:0A:04:68:AD:72:AE:B2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 94:34:62:ba:34:51:b4:ad:dd:01:40:fe:3d:eb:bc:6c:7c:89:
+ cb:f0:7e:e5:38:03:50:93:5b:68:ba:d1:ca:14:39:ec:a8:9c:
+ 37:24:c3:0f:01:eb:14:67:8c:07:fc:37:1f:bb:45:b9:4f:5f:
+ 56:ad:f3:85:03:23:a8:bd:93:1c:ca:01:e8:b5:1c:c8:60:18:
+ 13:95:bf:5a:11:11:b2:3c:3c:27:69:bf:97:08:c0:b7:4a:7a:
+ 39:5e:03:2c:67:5a:11:a0:4f:6f:8d:70:4e:e2:b5:31:73:2a:
+ bf:5b:15:af:5b:4e:14:e0:73:5b:f1:2d:cd:bc:75:44:42:d4:
+ da:3b
+-----BEGIN X509 CRL-----
+MIIBQDCBqgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5nIDF0bzMg
+Q0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaA
+FK3iChOtUm0lrM2pmKIKBGitcq6yMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA
+A4GBAJQ0Yro0UbSt3QFA/j3rvGx8icvwfuU4A1CTW2i60coUOeyonDckww8B6xRn
+jAf8Nx+7RblPX1at84UDI6i9kxzKAei1HMhgGBOVv1oREbI8PCdpv5cIwLdKejle
+AyxnWhGgT2+NcE7itTFzKr9bFa9bThTgc1vxLc28dURC1No7
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5D:C4:BA:78:79:34:26:C3:72:57:D1:59:F4:A3:E2:54:A7:28:71:D1
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 15:bb:13:8f:22:9e:5f:ae:7d:26:76:5b:6f:8d:8b:a4:37:1d:
+ fa:87:83:61:23:70:ca:f2:bd:ba:ae:72:04:3e:0a:21:70:4e:
+ 01:97:4c:e3:16:d0:ef:d9:31:50:6f:5b:ff:51:10:40:73:82:
+ 0f:f2:00:90:1a:bb:f8:93:68:b9:0c:15:9d:b2:c3:5b:56:73:
+ 52:d3:1c:0f:75:2f:51:5b:40:3f:8b:71:42:54:33:af:55:20:
+ c8:ff:bf:ff:68:43:78:93:55:01:fb:7e:4d:db:a8:57:36:34:
+ df:a2:90:75:bb:fa:23:f3:9f:de:e4:4d:92:30:65:8c:f2:64:
+ e0:01
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAxMiBNYXBwaW5nIDF0bzMg
+c3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFF3Eunh5NCbDclfRWfSj4lSnKHHRMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBABW7E48inl+ufSZ2W2+Ni6Q3HfqHg2EjcMryvbqucgQ+CiFwTgGXTOMW
+0O/ZMVBvW/9REEBzgg/yAJAau/iTaLkMFZ2yw1tWc1LTHA91L1FbQD+LcUJUM69V
+IMj/v/9oQ3iTVQH7fk3bqFc2NN+ikHW7+iPzn97kTZIwZYzyZOAB
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F6:2C:B1:B7:29:B5:AE:95:7F:B0:F8:39:41:53:2D:2E:0F:04:E3:C7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 6f:b3:1a:29:36:35:76:c7:62:11:6e:e9:29:e6:83:8b:5e:bf:
+ 25:ea:4d:71:56:16:50:25:92:68:a8:a2:e9:4d:09:a3:74:36:
+ e2:9b:c1:52:dd:87:0a:64:98:58:da:6a:96:e6:c4:02:90:d8:
+ cd:4c:10:71:4c:98:1d:bb:d4:8d:7d:74:f9:34:3f:98:f7:8a:
+ 5e:eb:bf:7c:8f:90:2a:7b:c4:f3:29:cc:3c:62:a3:f8:08:c2:
+ 0a:ae:35:92:8d:ed:c0:30:a3:f2:a1:c7:7c:a1:68:1d:b0:48:
+ 4d:c1:4f:50:7f:1f:af:c6:f3:a1:d0:ad:8a:1a:78:05:84:6d:
+ d9:7e
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVAxMiBNYXBwaW5nIDF0bzMg
+c3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFPYssbcpta6Vf7D4OUFTLS4PBOPHMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAG+zGik2NXbHYhFu6Snmg4tevyXqTXFWFlAlkmiooulNCaN0NuKb
+wVLdhwpkmFjaapbmxAKQ2M1MEHFMmB271I19dPk0P5j3il7rv3yPkCp7xPMpzDxi
+o/gIwgquNZKN7cAwo/Khx3yhaB2wSE3BT1B/H6/G86HQrYoaeAWEbdl+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest22.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest22.pem
new file mode 100644
index 0000000000..074716e415
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest22.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBQzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOYG
+d2HszTJIsVTazKriCUJ/ExxUo4U4HEZN9+/XVXsQVkZYIzWtyCTC3IFmSAyb9ZED
+Gu3jmF/evXpfNXmxiURUu6W0bLEpIkZiVpPpTKqoJx2EHj+wXOfe31AD0OmKidXP
+66+LVgIJLWGMr3Msbzb4T3gpKb2ynQc2/XnE3RkbAgMBAAGjgaYwgaMwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFON/hXqOojue7rgS
+HXkTqsS9LlmtMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAnBgNVHR4BAf8EHTAboBkwF4EVLnRlc3RjZXJ0
+aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBAJjXEGmrQ1/Muud+NZwajR9x
+it/32SNVvHI+/O7bopout/RnhJudrmsdqGlcSk0KXfcXI22cJOkAYe1M39znxgba
+VitYYLxfsS+3O2pLpMgQMFCZuOJATfAQUlui+dVtPTaIam7jimms5Qam2K2SuZ/t
+eJ2J/rIDHCOrIGktQS8H
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid RFC822 nameConstraints EE Certificate Test22
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0ExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMT0wOwYD
+VQQDEzRJbnZhbGlkIFJGQzgyMiBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNh
+dGUgVGVzdDIyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ3Uy3P0KWoLsX
+XvhOf4ODgEJBTbtvW+xeevCGrTVdm3mG+1Lobp74rIRSpQShRCN+ltNnmEOHPIeJ
+YuV92pX3FQbBX9mz3ZgKznyb9qVBwysiyfX19PBeESDLn+O6Kcvl9XfUu3HdXMQP
+KA+UPU6txM1pbhkvRK5OSG/TBaRI+QIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFON/
+hXqOojue7rgSHXkTqsS9LlmtMB0GA1UdDgQWBBT4EdpzVCY8SgosOEgawdqBAjYT
+5zAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCgGA1Ud
+EQQhMB+BHVRlc3QyMkVFQHRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEB
+BQUAA4GBAENRegfOIUdgTAhpzFZDtmSaJUrYqkW4ft0v2t+flv6Nf+uAjlYMXThj
+7Q4LUtevMKeoFkGX5gnGL7HKo0/QwTPETD0qTCYcQo9uw3SCdVie4kp7X0/w/rHo
+sNUMPAPe86k7l98/xN3/zO6P4o82pX4vp5xqgs5koOZKqExh8kzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E3:7F:85:7A:8E:A2:3B:9E:EE:B8:12:1D:79:13:AA:C4:BD:2E:59:AD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ b4:77:73:f7:12:e7:d7:20:9a:bd:e1:00:a8:b1:6a:7a:65:1e:
+ 8e:56:c9:ca:38:33:7e:d5:37:41:c1:e7:95:a4:81:ab:9b:40:
+ 31:1d:aa:6c:14:f9:19:e4:3f:85:6b:24:ff:d6:bf:cb:fd:27:
+ a9:65:35:5c:b7:6b:82:87:b7:e1:c2:4d:34:ca:42:5c:46:66:
+ 45:11:d2:c0:48:0f:08:8c:b0:a7:58:66:63:9d:ae:0a:68:0a:
+ 5b:5b:ee:fe:12:93:77:03:90:6e:a4:8d:32:2e:56:56:cf:1f:
+ 85:b8:95:52:f7:73:78:5e:d0:04:66:2c:8c:ca:78:36:da:43:
+ 10:07
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0ExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTjf4V6jqI7nu64Eh15E6rEvS5ZrTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQC0d3P3EufXIJq94QCosWp6ZR6OVsnKODN+1TdBweeVpIGrm0Ax
+HapsFPkZ5D+FayT/1r/L/SepZTVct2uCh7fhwk00ykJcRmZFEdLASA8IjLCnWGZj
+na4KaApbW+7+EpN3A5BupI0yLlZWzx+FuJVS93N4XtAEZiyMyng22kMQBw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest24.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest24.pem
new file mode 100644
index 0000000000..10cf51c207
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest24.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPZ
+S8+5+/2AgG2N8tsByPeKGxCC5bOrNXho0b3fSjvK452P3luNUPIf46KvIBU6UYAP
+4rGMqcUdmgFD+PdXq6TMW8bWNuYRICw6c6ni5uyre5bovptoJCsmBw/IqinDoqbO
+Qyoq0YDltds+lSROlTUCA/7qOBHOdwpcjhVfYJSJAgMBAAGjgaUwgaIwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFBQbKzZmdEuTqzFV
+h6QxqzZjbzXJMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoBgwFoEUdGVzdGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAsOYxl05xGFDRHUO8Myp9EM/X
+ahfChzUabmgo1Tqpk+TLbxcZw+GfesxOp+jCd7jtTBJKhB0HeX1vaCVUpURbWEAt
+fuE35slQQr/c9dgwCw/JwBNdkFFT2z/73nDEN96rUK3GYs2OO8OJVMqdKb4iBUxH
+M/bZyCy4CB3+hthr4to=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid RFC822 nameConstraints EE Certificate Test24
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+-----BEGIN CERTIFICATE-----
+MIICzjCCAjegAwIBAgIBAjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0EyMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMT0wOwYD
+VQQDEzRJbnZhbGlkIFJGQzgyMiBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNh
+dGUgVGVzdDI0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqPW6bvTBs4Led
+75oTaGYT0mZgPeMvygJtDc882QlIF9vXBnhm4761p+ULe5iKwIWjfjyGva96UcKU
+bFfkfWeMxS+dDwb9v7pBjxCUMp9tTVWIFZDPZJTi/RpNCwPVSN9pE7JxoXKPHZsN
+20WcbrGJtUvvKFhei9eltGndiYkSrQIDAQABo4GhMIGeMB8GA1UdIwQYMBaAFBQb
+KzZmdEuTqzFVh6QxqzZjbzXJMB0GA1UdDgQWBBTyvLyqMRiaUCgziZZt9Dl46omW
+eDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMDMGA1Ud
+EQQsMCqBKFRlc3QyNEVFQG1haWxzZXJ2ZXIudGVzdGNlcnRpZmljYXRlcy5nb3Yw
+DQYJKoZIhvcNAQEFBQADgYEArrFpI+Kiy9ZDD8Q9WoEG1XixP5/icUu/fk+PYsad
+2fU9G82dE2gBtN0L/T5FqgYo7uMY8R/ZDptaB6l/exqrPIGsA7xvvOYBzO8sAPyS
+GZul8SmHmKX117/0ZhZ6Ln9vCMK/IablztFZ+LcEDvpldAu8ro/lW2XXgd/KLdY5
+m8g=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:14:1B:2B:36:66:74:4B:93:AB:31:55:87:A4:31:AB:36:63:6F:35:C9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 47:93:cd:d6:9b:31:b0:dd:6a:d8:c4:e2:5e:3a:73:cd:2b:69:
+ 5c:47:1a:75:56:6b:56:1c:a4:2f:c2:66:4c:6b:a4:9a:86:53:
+ fb:26:39:3e:61:d2:14:1b:85:1e:9c:f0:1e:ac:c8:c1:73:a5:
+ c3:29:1c:c6:12:21:08:4c:4a:5a:d6:1d:21:4e:eb:7d:16:14:
+ a4:a8:18:07:2e:e9:31:ef:39:ce:f8:6e:2b:d7:09:c1:ad:be:
+ 6a:c3:d8:46:24:95:12:ea:cf:2c:c6:84:50:bf:78:31:91:79:
+ 35:8c:02:47:d1:11:0d:aa:55:34:22:d6:d4:a2:ac:be:b8:07:
+ 60:3c
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0EyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBQUGys2ZnRLk6sxVYekMas2Y281yTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQBHk83WmzGw3WrYxOJeOnPNK2lcRxp1VmtWHKQvwmZMa6SahlP7
+Jjk+YdIUG4UenPAerMjBc6XDKRzGEiEITEpa1h0hTut9FhSkqBgHLukx7znO+G4r
+1wnBrb5qw9hGJJUS6s8sxoRQv3gxkXk1jAJH0RENqlU0ItbUoqy+uAdgPA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest26.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest26.pem
new file mode 100644
index 0000000000..05b770b3f2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest26.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMii
+1odFMCSlNLo+1reNBLAhQ3rkRllmPUUfznMkHE+tVOXNCuGNSPuCJPQNO5495PH/
+vsBZUVltMrhOpo00ibzoFrcLwaxj5Gmb8rNV/aPwDiRX8frLslhpw+QEjxMZKP8O
+bdOlItBR3dFauvxrwLz1DUUlG7aX/QoEtws/fE59AgMBAAGjgaUwgaIwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFOq3bporCYA2Z2m1
+jdo1pYY9KXgcMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoRgwFoEUdGVzdGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAcyB2R0h4mQZ671JhQ0r6cmPF
+iaEHtdJL+REJT8yGWiERgT/2wh65vHtCierHK8+0aJ8Wy/nJzUAWcKeGESTPVTey
+IxQg08VdFJIohXm1lvJ3hfzgHIcFPk2tXZvYSk3qYllYHt8tGCoyh4p3q4vpyTou
+HcOOTD0ogzE9KbjD3Dk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid RFC822 nameConstraints EE Certificate Test26
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0EzMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMT0wOwYD
+VQQDEzRJbnZhbGlkIFJGQzgyMiBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNh
+dGUgVGVzdDI2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7jNtdzJgwipTJ
+BBs5x+7Zode/Av/i5gvFc0vC7CQSf8VCYp5gKT5H1lXopLZt6hYd0cr+IuDRVMCU
+ipwl1nRUgnh+5XOWwN83Eu4AVd8B/aAWOngoac5Th0S+Dm4jCE0MNgOEySMKDZEQ
+niPNQo8/t6RyIkKxWqVbIyazMwecSwIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFOq3
+bporCYA2Z2m1jdo1pYY9KXgcMB0GA1UdDgQWBBSUvOjq7LDrQWg4ycgFgZma5kZn
+KjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCgGA1Ud
+EQQhMB+BHVRlc3QyNkVFQHRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEB
+BQUAA4GBAMNNCicEAT2nht/rinoSsxFccd2XKYncNITOUA/eKz2SqXcRPCimQjHn
+CEfGgdPU+/Sw47+dBQ2aFNUmGyJazLIdnx18TczXpVmTIcgyUQGWOkG+RdAeSn15
+kIsvSAdiDQuzrptYG9TvTicyLKcl+FuOCLN+uBJ5FutlSWvMNIpa
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:EA:B7:6E:9A:2B:09:80:36:67:69:B5:8D:DA:35:A5:86:3D:29:78:1C
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:6d:0a:0a:c4:67:91:af:de:5d:89:9f:fc:df:e2:7a:7a:52:
+ 3e:4d:ec:50:b9:46:83:3a:7d:2d:9b:5d:84:8b:6d:ba:bf:4b:
+ 41:74:e3:3b:c1:90:73:a2:83:02:4f:e4:04:b8:b9:7a:70:7b:
+ 0c:bc:59:f7:db:83:93:00:87:98:53:43:a2:71:d5:2f:d0:fe:
+ 2f:c2:46:55:d5:64:54:01:90:72:4f:a2:37:dd:88:b8:3b:63:
+ 24:df:d3:ed:7e:6d:da:2f:57:9b:cc:d7:96:67:48:7e:a5:b0:
+ 6d:cb:c9:5e:e9:78:58:c6:be:f0:cc:b1:16:e3:4a:57:45:86:
+ 90:12
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0EzFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTqt26aKwmANmdptY3aNaWGPSl4HDAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQCMbQoKxGeRr95diZ/83+J6elI+TexQuUaDOn0tm12Ei226v0tB
+dOM7wZBzooMCT+QEuLl6cHsMvFn324OTAIeYU0OicdUv0P4vwkZV1WRUAZByT6I3
+3Yi4O2Mk39Ptfm3aL1ebzNeWZ0h+pbBty8le6XhYxr7wzLEW40pXRYaQEg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest3.pem
new file mode 100644
index 0000000000..1b70f7cd0f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest3.pem
@@ -0,0 +1,262 @@
+subject=/C=US/O=Test Certificates/CN=Invalid requireExplicitPolicy EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubsubCA
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBs
+aWNpdFBvbGljeTQgc3Vic3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBmMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxOzA5BgNVBAMTMkludmFsaWQgcmVxdWlyZUV4cGxpY2l0UG9saWN5IEVFIENl
+cnRpZmljYXRlIFRlc3QzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFGGwB
+xudAxGlVkjikIYygmyMRqHU1E/QoVNlt9Ebezg0wLbnUUkCIPw2HMIMfbDIHeaJN
+eOaIwT3f4QVMET9H4tp5gWQOKRBl8Lj3Qted/du3ZnX85zwGimmHpE5HPLUus1xJ
+FEDvx8tiCGFe/MThjl7mwPANLHMWEQN0JqJhNwIDAQABo1IwUDAfBgNVHSMEGDAW
+gBT3hCvdsfuVH7p6WmLgczEWsirIeTAdBgNVHQ4EFgQUT4ePIvuBwyFLywgAVQDh
+kO/dvOwwDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAJkkSBpAtETJ
+/dkW/B+frVBgw9yRjQ5r03xtGarbShYju5enZfbWEg2t8HkbDzyw3b0Upp8GcSyX
+zrbFBiGyo2hxjN8U6j5w+MCd9NJtGEW1C2O8m3S2uP44Zi0rTALMCI1thhoiDezC
++To+oSu15R1fOkNPNHwlpaFpryy8ZJM2
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTQgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBQ
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNV
+BAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTQgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAKa5BuVP6ndJvlLbsZTTbB4nvZWYbY2Ihc7C5sly521U1EBj
+aLheGs9ObXh32aFJ3kZQuAj8VpBEakL9zChjwFkBU7dEWO9OQFf8NV+RD01i6c7g
+NquatLdDUmTvS16/E23aZBNa9jDAQ4nQffOf/cx06GbvOBF80dnNnM8TXve5AgMB
+AAGjfDB6MB8GA1UdIwQYMBaAFCV+kLQN0LLzwRNH8EF577JC5jX7MB0GA1UdDgQW
+BBQjYThxLAlhvqK819WJ1thQPr3rxTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEAzVx4zKfg2OZPg4KGdTVJSzYGD69T0AfuFdTI101IvDNbKuc2SEmpmul33Px4
+z5gMKCZsIpsVXzf4rm6kuxl89PofVdztUuHIivKy5gr4iBt07YDmUNZZfl86CPoF
+7aARp2XRQ0rJCbF1RU0YVWZRyn//oFYyY49Bq1aDelri0WM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5NCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5LYa
+vXx/4T4pOwg2eV0ZZmBRTcjTivfmUhGf4t3BjAXalsDsWFkwmVCVg0jnQW4iuT3s
+a3lq9JO4ZUMcejACcPBO0AyXyrTo6DjXDy7Snf89AIpyDx/ct/WqvnO07ceHwTDO
+CZY11pYLMerONqANweAyCKsio69S35piBx1QqmcCAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUJX6QtA3QsvPBE0fw
+QXnvskLmNfswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQQwDQYJKoZIhvcNAQEF
+BQADgYEAPUNGMb0+cubTj0DAP3jW3mlPGZeGtc6jDLe/Fdrf30Au88GX5G2FJTql
+/I7wFlUgHTGQyHF3Zad9Qfzf6+dO0j9RhlEqgCk5+FqFsboPQ9E8rtCrABUUuovD
+RgkPDAKZsSLR7uQBUDgk0A3OqN1UpiMKKxFz1O1ya8u1DgGWxJU=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subCA
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTQgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBvbGljeTQgc3Vic3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBANF3obVmdl9+Tj44uOFKTDkrdPu/AlUyitHu0YQC
+vsUY7GjYy3dKjm70g7hQfnCtA3XIwm3H1a36Wo41R0Dvj8QJ/8qPhQNejONRzBzB
+jnXx2Lr+bfh3zxebwgUmDyzCkPXj8tjFerVTpxc8aAgfWcSLD6xK9h5OtKy17aME
+zZ9zAgMBAAGjfDB6MB8GA1UdIwQYMBaAFCNhOHEsCWG+orzX1YnW2FA+vevFMB0G
+A1UdDgQWBBS+bKwACUxTlLgb5MIRkSOlqwdjCDAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEAF1/+ajWFOu2Im9slgmi4YnPnqk5oWYqOrOh3yAR44wEchHfHD74/
+ed+jlGZewF+V4QotdYoG8dnld7lbYZzkdtTxcOUr4k/aUgml3yTeb5O8rBXNXytN
+JqEKXEp/ggaG4rKzUyA8zwYm9fIjG1jL0KU/1L9JSMzmwJAmR6aIq0Q=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBs
+aWNpdFBvbGljeTQgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+KzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBvbGljeTQgc3Vic3Vic3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjYqyTd452AWgD9QeSfn+Exc56nVJkK
+dx0FEleM5YEqeEUl33GTd7FRwtkYdznsQzeFYOWbWluYE5Gl3DapcqpMlu2PQmo6
+dZMbzh1Bi2yahE1wWmY15NSjOz3TFAJBZRZk0PgxvohpdPP8LLCwA9zQUlTnpG7D
+LBESzn390XCLAgMBAAGjfDB6MB8GA1UdIwQYMBaAFL5srAAJTFOUuBvkwhGRI6Wr
+B2MIMB0GA1UdDgQWBBT3hCvdsfuVH7p6WmLgczEWsirIeTAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEAJzvxMRdZl5IWypM7YNiMcWqk7GpMuRvozUyoRQq8cA+z
+fdskZk75lh97jsW2RFnP/fyA30/5NAfVuD2R8+TqJaF28jgHOnU/6qTcM5sxnRJ0
+h+icRKt6II8LNfWUQ1zv+pBxfuy/yOrYpw7/7ba2Zeson/cLpa0dhLFNCGEkfbs=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy4 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:25:7E:90:B4:0D:D0:B2:F3:C1:13:47:F0:41:79:EF:B2:42:E6:35:FB
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 98:e7:69:c4:4c:c3:6b:08:80:30:4c:81:3c:d8:b3:06:88:91:
+ e8:a3:c5:d3:c0:35:51:35:f0:16:8e:38:0f:b3:e6:26:20:d1:
+ 45:39:1a:a9:08:be:f0:5f:e1:00:8c:a6:91:54:ff:ec:32:bd:
+ e2:17:92:a3:41:f3:c0:fc:e0:84:86:54:18:ff:b5:89:9d:15:
+ e9:a9:92:a8:96:a7:4e:97:02:2e:d5:e5:e5:f7:70:5a:1e:5d:
+ d2:6f:40:34:f5:c6:63:65:5b:85:c9:b7:6a:4b:60:5a:76:35:
+ 12:01:1c:80:59:9a:d3:1a:a7:27:7d:f4:f8:00:ea:b7:f1:3a:
+ 62:e6
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTQgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFCV+kLQN0LLzwRNH8EF577JC5jX7MAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJjnacRMw2sIgDBMgTzYswaIkeijxdPANVE18BaOOA+z5iYg0UU5
+GqkIvvBf4QCMppFU/+wyveIXkqNB88D84ISGVBj/tYmdFempkqiWp06XAi7V5eX3
+cFoeXdJvQDT1xmNlW4XJt2pLYFp2NRIBHIBZmtMapyd99PgA6rfxOmLm
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy4 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:23:61:38:71:2C:09:61:BE:A2:BC:D7:D5:89:D6:D8:50:3E:BD:EB:C5
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a3:9c:67:02:44:57:a0:9d:d2:78:46:fb:e7:76:bb:66:cc:60:
+ 1c:2c:7a:7e:d6:ec:a4:c2:4d:2c:51:8a:97:1a:e2:c2:7a:0e:
+ e7:7b:4d:79:49:c2:6c:a2:b7:a5:e1:74:64:9a:03:f5:7a:5d:
+ cc:18:2e:25:dd:a2:fd:84:03:ae:d8:cf:1d:17:ea:fa:59:77:
+ 9e:22:3b:7e:97:f5:74:12:34:71:c1:10:6a:4b:03:6e:92:d0:
+ a9:6d:cd:ca:5f:69:7f:c8:b0:b5:97:78:5f:14:b1:34:d3:30:
+ 09:36:f3:03:2e:dd:01:52:33:61:2c:8d:cf:74:01:71:47:9e:
+ f4:66
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTQgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFCNhOHEsCWG+orzX1YnW2FA+vevFMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAKOcZwJEV6Cd0nhG++d2u2bMYBwsen7W7KTCTSxRipca4sJ6
+Dud7TXlJwmyit6XhdGSaA/V6XcwYLiXdov2EA67Yzx0X6vpZd54iO36X9XQSNHHB
+EGpLA26S0KltzcpfaX/IsLWXeF8UsTTTMAk28wMu3QFSM2Esjc90AXFHnvRm
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:BE:6C:AC:00:09:4C:53:94:B8:1B:E4:C2:11:91:23:A5:AB:07:63:08
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 84:fa:09:1f:fe:84:d0:14:26:86:5c:37:6b:2c:31:aa:04:7a:
+ 22:84:ec:b0:df:99:15:99:f0:b7:e9:d6:fc:70:9a:8f:4f:50:
+ d5:24:28:0b:12:79:90:85:69:a3:56:ca:0e:16:79:5e:77:d3:
+ 7a:62:9f:14:58:8a:d5:7d:de:e2:6f:a4:0f:d1:2e:27:ec:25:
+ 82:a2:91:67:0b:44:39:cc:b2:e5:21:49:ac:25:2c:91:df:33:
+ 95:1d:08:6e:ab:8d:8b:fc:2a:59:7b:8d:5d:c2:68:90:c2:a7:
+ 06:00:26:e0:cd:40:6e:f3:37:1f:37:61:f6:6a:50:a1:dd:92:
+ 53:fe
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBv
+bGljeTQgc3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFL5srAAJTFOUuBvkwhGRI6WrB2MIMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAIT6CR/+hNAUJoZcN2ssMaoEeiKE7LDfmRWZ8Lfp1vxw
+mo9PUNUkKAsSeZCFaaNWyg4WeV5303pinxRYitV93uJvpA/RLifsJYKikWcLRDnM
+suUhSawlLJHfM5UdCG6rjYv8Kll7jV3CaJDCpwYAJuDNQG7zNx83YfZqUKHdklP+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy4 subsubsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F7:84:2B:DD:B1:FB:95:1F:BA:7A:5A:62:E0:73:31:16:B2:2A:C8:79
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:e0:f0:e8:75:5d:d6:4f:dc:29:ea:db:22:b6:bb:72:13:f1:
+ ff:b5:e0:03:31:9c:64:d9:3b:2b:4d:78:f7:5e:ab:0b:e5:82:
+ 13:7e:61:18:95:79:42:bb:9d:56:78:dd:9a:01:92:5e:0b:e8:
+ fa:78:b3:b3:e2:4a:9e:d7:d1:30:60:03:7d:31:e4:04:13:61:
+ a0:de:ac:e9:0e:a0:97:16:aa:03:81:40:56:de:36:a8:e2:13:
+ 45:f6:08:72:c2:4e:d3:2d:55:25:9e:0c:dd:da:40:82:d8:75:
+ 01:44:75:35:92:92:fc:79:bb:d8:b1:54:83:7f:ff:13:da:df:
+ 11:ea
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBv
+bGljeTQgc3Vic3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFPeEK92x+5UfunpaYuBzMRayKsh5MAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAAXg8Oh1XdZP3Cnq2yK2u3IT8f+14AMxnGTZOytN
+ePdeqwvlghN+YRiVeUK7nVZ43ZoBkl4L6Pp4s7PiSp7X0TBgA30x5AQTYaDerOkO
+oJcWqgOBQFbeNqjiE0X2CHLCTtMtVSWeDN3aQILYdQFEdTWSkvx5u9ixVIN//xPa
+3xHq
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest5.pem
new file mode 100644
index 0000000000..8eccc6c3b0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest5.pem
@@ -0,0 +1,266 @@
+subject=/C=US/O=Test Certificates/CN=Invalid requireExplicitPolicy EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubsubCARE2RE4
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMTAvBgNVBAMTKHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTcgc3Vic3Vic3ViQ0FSRTJSRTQwHhcNMDEwNDE5MTQ1NzIwWhcN
+MTEwNDE5MTQ1NzIwWjBmMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0
+aWZpY2F0ZXMxOzA5BgNVBAMTMkludmFsaWQgcmVxdWlyZUV4cGxpY2l0UG9saWN5
+IEVFIENlcnRpZmljYXRlIFRlc3Q1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQCg0lngplHQSomxVxizv8r33zMQpbWDB+H13FvEhgFq5KE02tWBVkz7vXAr2hXP
+Y7LVgaGSQIOZqHrbMR+Izv57cGr+79ResVXZ4ulw8qxCgVrA/1Bty6kmyvQiyQZ/
+1z8EARO+Mu2R/XgSx2uCasNmLtgo3Stuop+2coLPfwqW9QIDAQABo1IwUDAfBgNV
+HSMEGDAWgBTnAqvOKOVo6WoEaT4ppTZjcAShmjAdBgNVHQ4EFgQUUj/qKg3WunpK
+bbAcCDrHDB8Awg8wDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAAZO
+rTXTH1bBaJ1hKzh+NWBuI+gHfWUhVlxs3mgw4oCtqqhrbDCBQwA+D5sN/91EPODR
+oEUqrZbyUgTQWas37LqDXhoxm9uvX0Z3521iA5pwllvHgtmrNpPxNE1ylbIT5lLa
+927kjS03tbzpOlbvFj/OTmh4yyPaeL2oJyvDaC3X
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5NyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoN8Q
+UsSTUjVJGaxxoQdGouge30kgdc3+9+sup5NAWj8oyZQiGa/FlrayJlgnNXIO5xbA
+Foe3dhwCEAfsrDIofXlPacb6W9dTxdlh3GwG4GJY9gvfuVfkEb4EaYVyU8J+tmPq
+WDI/P7B03nMhQNNChUFIcuBKaAzDRwqIIGd5I7cCAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnSIV59sBcIhO8mIv
+cMu1wc0QTk0wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQcwDQYJKoZIhvcNAQEF
+BQADgYEAL+ADYS2dJuo7zZ5LoNXv2wNfJcyaTU25ajW4jvi4dN4jwEPgqCfrQ1Vy
+lf1YHDAzKYc6nIZnG031PEqEFTZmuXCcngo+CFmOpT3O8WOb/vHVolb6Cd5MhCZj
+AWkQgkXQ7HW3nIEkPFqNC5ljPrmRkGtu1MjN5jAq70iztFF1hpw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subCARE2
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 CA
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTcgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBT
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNV
+BAMTH3JlcXVpcmVFeHBsaWNpdFBvbGljeTcgc3ViQ0FSRTIwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBAN8u+z8KfD1wxuMq85cY2R9ISBwrx0kSTvHcxkgfd8Hh
+/aOd/f5SUqPS0TsXeUJZ4491ildJLBmeyOsaMXfR1wUCjs1GzCTV2lwmHy1v8TEA
+Y8Zk77Z0xk7JM+Qa6sYNBQDvcqMerys/5ky8Lvqentpzs/rW1L3SBQYg2PfJX3S9
+AgMBAAGjgY4wgYswHwYDVR0jBBgwFoAUnSIV59sBcIhO8mIvcMu1wc0QTk0wHQYD
+VR0OBBYEFOtoCcblL8PzCgZRS7NYc5w5GD9LMA4GA1UdDwEB/wQEAwIBBjAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHSQBAf8E
+BTADgAECMA0GCSqGSIb3DQEBBQUAA4GBACFHfp/nuX3TO1xb40P5+iKE+BZPRduA
+ftJoYKvefkbjxlmMHoUdIUcntVLAyhaJlW797m/y+C+FDfkqtbBUFDjycGuAmFgA
+y59FSYCF8j4X1ghg+neMHyCzvkhN2IokMmzt3IITVLINy17XKITOwuMtJJSaR34A
+e0IQMPlYYnGK
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubsubCARE2RE4
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubCARE2RE4
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTcgc3Vic3ViQ0FSRTJSRTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEw
+NDE5MTQ1NzIwWjBcMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZp
+Y2F0ZXMxMTAvBgNVBAMTKHJlcXVpcmVFeHBsaWNpdFBvbGljeTcgc3Vic3Vic3Vi
+Q0FSRTJSRTQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALo8WG8R0uWydjHS
+XfEB/PfNI/TnhECaPZoH2W5ht/eblnw1w1zAJGFgDQt3USnxkZvjIa/Eud0VJ3KP
+1WFyD2IA40YtxHQsVTWF608T2eRLc1URZ23e/C7Op7EiXdo+YoJ7KwhiUyhNxxS6
+oIa1OQlAEOurYT7cU1BSxe4X+oY5AgMBAAGjfDB6MB8GA1UdIwQYMBaAFMsSDLuK
+o5HnMkT9UFBgNQkdakUmMB0GA1UdDgQWBBTnAqvOKOVo6WoEaT4ppTZjcAShmjAO
+BgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB
+/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAR64KcgRdPGS/TLDzWJlnI2aOww1U
+eFC/9/IQbIeFS6Q6uwO58GzT7DdeGDwBiztdMcGMUx0z0HX9lTVEQu1zWMNnTWuz
+7LJPjucrwXeA/s2vhMTA44l0hgMIJjjiLDOJWm3/gI2DWh0HPOGCo/cRdLeXKiyO
+O9E/0IzZw84Ul+k=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubCARE2RE4
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy7 subCARE2
+-----BEGIN CERTIFICATE-----
+MIICsTCCAhqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBs
+aWNpdFBvbGljeTcgc3ViQ0FSRTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBZMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+LjAsBgNVBAMTJXJlcXVpcmVFeHBsaWNpdFBvbGljeTcgc3Vic3ViQ0FSRTJSRTQw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALR5w4GO7XWupkCybIrksb86Qn9A
+XltnfkZIGhDabLaMyFOrnfcfJnh1RKKwqJfi8/pF7xDxJL301Qud+jUZc78vFUYT
+lMO6u7jmYYl6zLgoshCc4T95EMH8r/qoGx7U4S1o5B9maWm/Xrov12WP7mjPxeBb
+BmWY4BAPOQBt6gS9AgMBAAGjgY4wgYswHwYDVR0jBBgwFoAU62gJxuUvw/MKBlFL
+s1hznDkYP0swHQYDVR0OBBYEFMsSDLuKo5HnMkT9UFBgNQkdakUmMA4GA1UdDwEB
+/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB
+/zAPBgNVHSQBAf8EBTADgAEEMA0GCSqGSIb3DQEBBQUAA4GBACwLeGO55YLNW2d9
+1sZkNe3ulFUkXCfVtxfO7FoO7gvCv9xKjnGOef+hnMFeLj5L4UtOUeekpnipm/51
+pi2QP8O9Vvwt6YtZ57t+ednuOPORQsvh/SaPSo7GT5H6ILwf4E/JaFiAtuwgYJQX
+D9YTw88ufWnBrPQ1yX8ReXseLZPN
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy7 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:22:15:E7:DB:01:70:88:4E:F2:62:2F:70:CB:B5:C1:CD:10:4E:4D
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 95:5b:d2:82:80:08:3a:f4:5f:8a:3a:63:b6:7e:46:e6:49:5f:
+ d1:ea:1e:82:24:cf:15:80:4b:37:bd:f2:e4:b7:28:10:54:eb:
+ 60:d8:3b:e5:be:a0:3e:38:70:aa:d0:7b:0e:98:99:55:9a:0c:
+ 30:2e:8d:86:ce:65:a1:16:5d:60:55:e9:b4:af:c1:a2:df:cb:
+ 63:c7:a3:45:82:85:87:4e:2c:7a:3b:52:e7:3f:37:0b:0b:8a:
+ 41:f2:a8:e8:d9:db:2a:a9:e5:e8:50:4a:bc:f5:51:b2:47:fd:
+ 8c:73:13:57:cf:97:35:dd:0f:08:a3:c7:cb:ac:2a:cb:53:0d:
+ df:45
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTcgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFJ0iFefbAXCITvJiL3DLtcHNEE5NMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJVb0oKACDr0X4o6Y7Z+RuZJX9HqHoIkzxWASze98uS3KBBU62DY
+O+W+oD44cKrQew6YmVWaDDAujYbOZaEWXWBV6bSvwaLfy2PHo0WChYdOLHo7Uuc/
+NwsLikHyqOjZ2yqp5ehQSrz1UbJH/YxzE1fPlzXdDwijx8usKstTDd9F
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy7 subCARE2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:EB:68:09:C6:E5:2F:C3:F3:0A:06:51:4B:B3:58:73:9C:39:18:3F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 00:dc:24:0a:9b:ba:25:d9:fb:09:b0:e6:d8:9c:61:d1:09:f9:
+ f9:d8:09:86:fb:ea:e4:13:5a:c6:0e:0c:53:c6:e2:38:78:70:
+ 1e:6f:39:25:5c:b5:4f:b7:5c:07:7c:1a:7f:b4:8e:0b:7a:b3:
+ 6e:85:c9:88:9a:8d:07:d4:f2:8b:8d:e0:49:f0:86:7e:b7:2b:
+ a2:be:c4:8d:e5:36:03:b4:47:3b:c1:8d:eb:8d:34:3e:a1:97:
+ ce:97:10:84:e9:06:79:72:c1:a1:4c:7a:b3:78:99:97:01:1f:
+ 90:cd:a4:ed:30:2c:df:36:64:46:ff:c1:0a:9d:61:26:89:c7:
+ 40:b2
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBv
+bGljeTcgc3ViQ0FSRTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFOtoCcblL8PzCgZRS7NYc5w5GD9LMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAADcJAqbuiXZ+wmw5ticYdEJ+fnYCYb76uQTWsYODFPG
+4jh4cB5vOSVctU+3XAd8Gn+0jgt6s26FyYiajQfU8ouN4Enwhn63K6K+xI3lNgO0
+RzvBjeuNND6hl86XEITpBnlywaFMerN4mZcBH5DNpO0wLN82ZEb/wQqdYSaJx0Cy
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubCARE2RE4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:CB:12:0C:BB:8A:A3:91:E7:32:44:FD:50:50:60:35:09:1D:6A:45:26
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a6:50:12:5a:4a:b8:b4:85:a7:62:1c:b0:bf:67:05:d6:37:9f:
+ 56:37:ff:51:90:9e:8e:f1:7a:27:03:e2:02:8d:2b:64:0f:fc:
+ db:28:76:69:63:2c:36:63:48:43:12:3f:06:7b:29:87:cf:2d:
+ 7a:05:9f:8b:03:3f:be:fd:e7:0f:fb:5c:19:fb:c1:35:b1:27:
+ 17:dd:00:b4:10:70:f0:92:79:33:0b:05:89:8b:07:c1:96:2e:
+ 72:03:00:ce:db:e7:a0:f6:05:69:15:e4:c7:7f:4a:ba:e7:ff:
+ 9a:f0:6f:98:f9:e9:aa:df:d4:c4:7b:14:d6:1e:8d:a7:83:48:
+ 33:a8
+-----BEGIN X509 CRL-----
+MIIBUjCBvAIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTcgc3Vic3ViQ0FSRTJSRTQXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqgLzAtMB8GA1UdIwQYMBaAFMsSDLuKo5HnMkT9UFBgNQkdakUmMAoGA1UdFAQD
+AgEBMA0GCSqGSIb3DQEBBQUAA4GBAKZQElpKuLSFp2IcsL9nBdY3n1Y3/1GQno7x
+eicD4gKNK2QP/NsodmljLDZjSEMSPwZ7KYfPLXoFn4sDP7795w/7XBn7wTWxJxfd
+ALQQcPCSeTMLBYmLB8GWLnIDAM7b56D2BWkV5Md/Srrn/5rwb5j56arf1MR7FNYe
+jaeDSDOo
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy7 subsubsubCARE2RE4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E7:02:AB:CE:28:E5:68:E9:6A:04:69:3E:29:A5:36:63:70:04:A1:9A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 01:2e:d1:19:d1:46:60:25:13:6f:1e:9c:04:5b:c9:4f:6e:e2:
+ fe:f6:3a:8c:eb:4d:50:cd:03:36:d9:aa:cf:ce:14:30:7e:8a:
+ 0c:24:6d:67:63:c8:87:69:a4:1b:cd:86:aa:d2:3b:40:38:c9:
+ f9:ff:19:47:8d:23:f1:3e:dc:f8:9f:d1:af:30:a5:47:59:cf:
+ 8a:c2:0e:8f:2a:8c:9c:d9:78:63:5d:8c:cf:18:1c:79:fa:13:
+ 0e:3e:f0:8e:0f:97:dc:67:28:af:5f:19:6d:01:87:e5:e0:26:
+ 8d:03:8b:91:f5:69:f6:09:30:f8:5e:d0:79:e2:86:51:36:32:
+ 1f:48
+-----BEGIN X509 CRL-----
+MIIBVTCBvwIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMTAvBgNVBAMTKHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTcgc3Vic3Vic3ViQ0FSRTJSRTQXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0
+NTcyMFqgLzAtMB8GA1UdIwQYMBaAFOcCq84o5WjpagRpPimlNmNwBKGaMAoGA1Ud
+FAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAAEu0RnRRmAlE28enARbyU9u4v72Oozr
+TVDNAzbZqs/OFDB+igwkbWdjyIdppBvNhqrSO0A4yfn/GUeNI/E+3Pif0a8wpUdZ
+z4rCDo8qjJzZeGNdjM8YHHn6Ew4+8I4Pl9xnKK9fGW0Bh+XgJo0Di5H1afYJMPhe
+0HnihlE2Mh9I
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedCATest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedCATest2.pem
new file mode 100644
index 0000000000..da9273524d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedCATest2.pem
@@ -0,0 +1,170 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Revoked subCA
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICbjCCAdegAwIBAgIBDjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBBMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMTDVJldm9rZWQgc3ViQ0Ew
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOOm11GxhTUrNTzIsGL2HeKkXDSY
+fuue6iKn5fTFuhHFBY9sABHgqkRwS7lT9J5OL+Li0oTfq3En9SzqPZ1pTG7nI0tc
+qo/XLks9e9E5GrdjiSPJSvcdETspZ4MKgNIeEQXyX/KqhvOlFuIkvQ6CkB26h0Ys
+ds/2NM1G2HIcqoGdAgMBAAGjfDB6MB8GA1UdIwQYMBaAFLcupoLLwsi8qHsnRNc1
+M9+aFZTHMB0GA1UdDgQWBBR49b1LlhuzLeZAUDLruLRHVAvySDAOBgNVHQ8BAf8E
+BAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADgYEAUGhyEOC1558EMH9u+aVPXS5vZ39mJh2Y719gMZiT
+OXDZsqIbxJ5npOYdL40yZD5vhio5mvpKFm0DtAmAQsp6SF5nTdj9Rn70rqQI0rdN
+9m7nF1ZRRL6YBRkSymloliboDsspsoZUSitT7yMtxcIocV9V0QxcGFSFw1i6W3/H
+OYw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Revoked CA Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=Revoked subCA
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMTDVJldm9rZWQgc3Vi
+Q0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBYMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEludmFsaWQg
+UmV2b2tlZCBDQSBDZXJ0aWZpY2F0ZSBUZXN0MjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA2aktQuUqYvrSvuQR0Y5vu/X29VQgITZB3a39NV5uIZXvWgUWyD1Q
+SGYbtu0YzKSDMzLAeuSgs9c6u4r1wTxno9XgzSJvcaupysi94Eeqqt3OCaJmLg5Z
+sV12741X6CqpUSZ6Tap8rsFqYspyzMExUZqJ0d1zszbDQ9uqfCan5ocCAwEAAaNr
+MGkwHwYDVR0jBBgwFoAUePW9S5Ybsy3mQFAy67i0R1QL8kgwHQYDVR0OBBYEFD7V
+xiNcO7bHOzxBFfhSNMhrEZnyMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEA3uoPgaDGPEy7AddpjA6a7Dm4
+3Mm2CcAZuFUSURGmmoYfaTQldWpf6ySCHr9t7vOm+7Gv607TPdqF1Gw0BU6DpC7h
+Et/uaN0/vE/XHxyYEi3Gfzx//aNgr9ZcDnhr6iGmVAAxjfSmVoq1SYvWo2cskAq1
+UO8Ub1+lilBTCeJDLTo=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Revoked subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:78:F5:BD:4B:96:1B:B3:2D:E6:40:50:32:EB:B8:B4:47:54:0B:F2:48
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 38:13:8b:21:ea:c4:2e:36:3b:d1:23:d0:aa:e8:87:13:62:4b:
+ 63:07:14:68:8d:92:b1:00:5a:22:3a:99:5e:72:a7:92:01:41:
+ b6:b0:85:f0:ff:48:ea:da:58:d2:77:26:c2:e1:56:52:69:45:
+ ca:38:98:f5:ab:9d:1b:4c:fe:9a:30:64:58:64:e3:68:f7:a5:
+ 3f:86:1c:ff:3a:82:bd:56:a7:a3:a2:5b:fb:f7:21:8d:14:98:
+ 0d:00:3b:81:bc:09:3d:94:90:8c:df:4f:6b:14:b5:10:68:3c:
+ 07:cf:e7:06:69:71:4c:0d:b1:7a:53:24:5c:49:8f:fa:05:05:
+ 18:9a
+-----BEGIN X509 CRL-----
+MIIBOjCBpAIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMTDVJldm9rZWQgc3ViQ0EXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHj1vUuW
+G7Mt5kBQMuu4tEdUC/JIMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBADgT
+iyHqxC42O9Ej0KrohxNiS2MHFGiNkrEAWiI6mV5yp5IBQbawhfD/SOraWNJ3JsLh
+VlJpRco4mPWrnRtM/powZFhk42j3pT+GHP86gr1Wp6OiW/v3IY0UmA0AO4G8CT2U
+kIzfT2sUtRBoPAfP5wZpcUwNsXpTJFxJj/oFBRia
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedEETest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedEETest3.pem
new file mode 100644
index 0000000000..1463a6fd34
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedEETest3.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Revoked EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICdDCCAd2gAwIBAgIBDzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBYMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEludmFsaWQgUmV2b2tl
+ZCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEArULgNTYVsg53ILvaQpaeciApmyq6N0bmhjEiwYKYPdZSQ6A5tHN2X0hNYGEf
+Qg37W+OVgufTdQYW9KHRNQDisSLHoFpDaxdeSJbRshvd3iaY70ad01q0/L+mAhoq
+ULHc6QVDrE3PiDd2M2Rt+JNpIMX07CPN/nq8EyiJQUYI5AsCAwEAAaNrMGkwHwYD
+VR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYEFJyIJr6rimQM
+qOzR65FZzrJ1clsAMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFl
+AwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAHLF0HF9GpuEFWTdc4BuejhAejEBiOTAb
+YfTbYZYqwl0l+JU5CtXiOOdbOcY0XNpPI1XwN1HtIhTiFIxjaRLQ8uSd7yExaiJp
+HR2lqTC8A1efBd0eFY2MuknW6tGu3XWv+2I/NKGGyIKfWAwpPZbt3EdRnjKGhfgU
+VixHhlnpHlE=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedDNnameConstraintsTest20.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedDNnameConstraintsTest20.pem
new file mode 100644
index 0000000000..eb302f72da
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedDNnameConstraintsTest20.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBCTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMT
+Fm5hbWVDb25zdHJhaW50cyBETjEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANItJYQvAndzEuOPLnWhU3+T5fsnTmDZ6JJ02F66VAcrpMjpsFaFiojEgiY/
+nfnbJzFwi6A0VjvStsiM6fOFbVY0vALdhKMSl1OJvPspcf6YMW1MUg68akqffpG2
+1zIqiltFmmT4Lvq/yg9+q2A9W7yB68fS6173hf2h+fGzR8JDAgMBAAGjazBpMB8G
+A1UdIwQYMBaAFE4uo+fZ3YungjtBSsOefFkjV05TMB0GA1UdDgQWBBShuvXAVFzy
+kwUMm0EKULQY2GdPITAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAElrFa8GafGokZssZp8xXcrnM2FIcSbd
+JXCXQeSFsH7JvXS+3BT1v+0saEhJou7UQ55B7Z0t6COKHryuC0E0ySNyDAOMHGJy
+nbbqmdyyKeXb8cEzFUWN+jTte+P4bCc7qJW+mBGNMLjWFZ0sD6R//NF/LiS8kDhU
+CSYphECUPTcs
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest10.pem
new file mode 100644
index 0000000000..7462210961
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest10.pem
@@ -0,0 +1,178 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAOJaxR70a7a1EjJOHlf9fG9BEsSto4MGr1bnQLMud29/o1aka1mDrcT4ehXL
+RT2j2lOFHI+7Cv5UrjI2iI/CWsH+z+PM+sB19pJmrqshzC5FwfeHDzFTUsn8D+5R
+WJAx3NZbB++nDKkIIPql/K61Z8VyKD+3k7nNSHvXV+dKCWd3AgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFKeFECzgAW7nVCNqd6KPFwSv++MSMB0GA1UdDgQWBBSryEEAJtDV
+TOYrVmfs74LEwt3yVTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAcBSBfFavoevmu4Jr
+Fzz3LyHSA3rWhajms8ZL6AtVPDfyQaJsZizVZqKYejWLXv3jNCri/c5BBB2XTXdD
+zAQfwr2W2FfXMkNDUWt95C0NOF7NK5Z2XbmFMGaqn8y/rsYv+Zj7zl98yp0efRKw
+JEDyqFgkV/+0sLFjQvvcCdY9ucM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR0wGwYDVQQDExRp
+bmhpYml0QW55UG9saWN5MSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vcxz0dHrlH/i+DaS78z2Y0O98xlH0yo64kCvWxGo//3ZvMZl+wyQwcAOqDnIH20X
+Fi+G9BhwuyzlaqMenvEQFImtvvDspxYtq/xqmTHET1+9rkF0f8Ex8uV9VgGGMJFB
+Kjax2S+jexoGNro4EeLopi6cOXBgeqwkzcpdi0C3ugECAwEAAaN8MHowHwYDVR0j
+BBgwFoAUZtu1lMcFxLM+K5G538io0E0rNEQwHQYDVR0OBBYEFKeFECzgAW7nVCNq
+d6KPFwSv++MSMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGuWkVLrBfOy6K
+Y46FaTMnWYkjBWyjC9mgPrq97h90tejc8Z+5Q7u+WD+f//iSoC19Uy65lnk10g56
+UqaqA7zZQ25N28un3YqnKwS1pWrtUGNiAi3vYPUkmwq+6PJvWAcVl56td6OmQOIO
+hDwXMBUcDUYTCVAMRY5fiMx7ARRmeQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBBTANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UE
+AxMYaW5oaWJpdEFueVBvbGljeTEgc3ViQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCd/67ojjbNifZYVq2WHl1rQRvHb6qWjPGD/UvROusJiCTgq+tLG56G
+Yhb5//E5lAwUUzNZIfrwHml2Pn4iH3vJeRDzhdlPd0IIlP6Q2Dxy2/QrBf7k4luQ
+F9TLihsAH9NuOh1bR/+hB4tV3/E2fvztlVmHOlxbAW/c0xE3jI+WiwIDAQABo3Yw
+dDAfBgNVHSMEGDAWgBSryEEAJtDVTOYrVmfs74LEwt3yVTAdBgNVHQ4EFgQU7253
+ms8B2VtX6DNkqlHmWAPzWTgwDgYDVR0PAQH/BAQDAgH2MBEGA1UdIAQKMAgwBgYE
+VR0gADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACgW+giBnGTr
+WXyUZ38pVKHUK9uAxjpPOw5UZC2krfC4nqifiItuVLJgqbPmvETc+8fGD4hi07Lv
+owJkVeBq0ZQGlYoxtz7z6/gEt46nf+lK5gU+al33eTzgga0845cxLE7kpKRYsyhX
+eCRGC8Cmifmc+1AJ12kj61Ys7XE8P9q+
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AB:C8:41:00:26:D0:D5:4C:E6:2B:56:67:EC:EF:82:C4:C2:DD:F2:55
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:eb:03:68:bb:91:5d:9a:09:2a:f7:5c:73:90:8d:e8:4b:23:
+ 92:c3:d6:b3:8b:81:ba:d2:b9:dc:a1:e4:48:29:a8:98:cf:59:
+ db:2b:1e:de:1a:ce:db:cd:5a:dd:de:f5:f3:91:13:9c:1e:a6:
+ c8:4c:d1:ee:24:10:7c:95:df:a0:ed:4d:f9:a5:16:43:89:af:
+ 18:f6:1c:24:b0:70:9c:62:86:07:f8:0c:e1:61:d6:99:ed:7b:
+ 88:58:9f:79:d6:3a:1e:ba:aa:52:97:13:5e:00:7d:00:ce:9a:
+ d2:34:9f:0d:bc:18:09:f8:10:2d:c5:d2:8f:d7:eb:a9:59:25:
+ 45:1c
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUq8hBACbQ1UzmK1Zn7O+CxMLd8lUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAhesDaLuRXZoJKvdcc5CN6EsjksPWs4uButK53KHkSCmomM9Z2yse
+3hrO281a3d7185ETnB6myEzR7iQQfJXfoO1N+aUWQ4mvGPYcJLBwnGKGB/gM4WHW
+me17iFifedY6HrqqUpcTXgB9AM6a0jSfDbwYCfgQLcXSj9frqVklRRw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest8.pem
new file mode 100644
index 0000000000..c4536e1bc9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest8.pem
@@ -0,0 +1,230 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAOJaxR70a7a1EjJOHlf9fG9BEsSto4MGr1bnQLMud29/o1aka1mDrcT4ehXL
+RT2j2lOFHI+7Cv5UrjI2iI/CWsH+z+PM+sB19pJmrqshzC5FwfeHDzFTUsn8D+5R
+WJAx3NZbB++nDKkIIPql/K61Z8VyKD+3k7nNSHvXV+dKCWd3AgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFKeFECzgAW7nVCNqd6KPFwSv++MSMB0GA1UdDgQWBBSryEEAJtDV
+TOYrVmfs74LEwt3yVTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAcBSBfFavoevmu4Jr
+Fzz3LyHSA3rWhajms8ZL6AtVPDfyQaJsZizVZqKYejWLXv3jNCri/c5BBB2XTXdD
+zAQfwr2W2FfXMkNDUWt95C0NOF7NK5Z2XbmFMGaqn8y/rsYv+Zj7zl98yp0efRKw
+JEDyqFgkV/+0sLFjQvvcCdY9ucM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR0wGwYDVQQDExRp
+bmhpYml0QW55UG9saWN5MSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vcxz0dHrlH/i+DaS78z2Y0O98xlH0yo64kCvWxGo//3ZvMZl+wyQwcAOqDnIH20X
+Fi+G9BhwuyzlaqMenvEQFImtvvDspxYtq/xqmTHET1+9rkF0f8Ex8uV9VgGGMJFB
+Kjax2S+jexoGNro4EeLopi6cOXBgeqwkzcpdi0C3ugECAwEAAaN8MHowHwYDVR0j
+BBgwFoAUZtu1lMcFxLM+K5G538io0E0rNEQwHQYDVR0OBBYEFKeFECzgAW7nVCNq
+d6KPFwSv++MSMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGuWkVLrBfOy6K
+Y46FaTMnWYkjBWyjC9mgPrq97h90tejc8Z+5Q7u+WD+f//iSoC19Uy65lnk10g56
+UqaqA7zZQ25N28un3YqnKwS1pWrtUGNiAi3vYPUkmwq+6PJvWAcVl56td6OmQOIO
+hDwXMBUcDUYTCVAMRY5fiMx7ARRmeQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subsubCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8x
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UE
+AxMbaW5oaWJpdEFueVBvbGljeTEgc3Vic3ViQ0EyMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQCSWo7+2d9aVEIC1GxMTDBcE+ozTf3DLetgbtqH0eb/EK+ZLwVz
+cVTjWrdl1UTfNgUR9FkYIxWkXmme/JXqvYFtYTmNiz0Yj4KGpl25Mi4qoxtRFk2M
+BKLOpp+oY4PsNGSc5CMRc3sfZHeKe8jZK3nA4G5nv0/KELI4m69QKI7u4wIDAQAB
+o3YwdDAfBgNVHSMEGDAWgBSryEEAJtDVTOYrVmfs74LEwt3yVTAdBgNVHQ4EFgQU
+Iskd1THdwnbnw9yS/MCFk6rmzc4wDgYDVR0PAQH/BAQDAgEGMBEGA1UdIAQKMAgw
+BgYEVR0gADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADf72Lgp
+rqTepmy2dScOvurWUGzi/mA303snWu2b/DOnZOn2MJmmN2OIau2+7H9N1CVJDq+9
+gF97Zy3sIukm2yyJ623TL2sO5JeKNIP87CGXEiuU8qe/7BaW8C4dkm9dE0hIq82/
+vPG+JF3KAey6HeGOdaLoj+DyiSWJsJmzb1OC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued inhibitAnyPolicy EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subsubCA2
+-----BEGIN CERTIFICATE-----
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRBbnlQ
+b2xpY3kxIHN1YnN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MG0xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFCMEAG
+A1UEAxM5SW52YWxpZCBTZWxmLUlzc3VlZCBpbmhpYml0QW55UG9saWN5IEVFIENl
+cnRpZmljYXRlIFRlc3Q4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ/9Ia
+17vdObtOssUs8md1zwyBeKcC3f6mFfybdaruKZpzVmuAkDJec9ZV+ye3BJUB/5Vd
+FE+xni7v7HcxxRwnFHLMDEqoBYuAuMxi8tWDpWAT9bG9tlMH27i6in9PqUFDtMba
+A2eI2p7J64Nm+mtNtbwY8obe+0CbvRPJDnBU+wIDAQABo2swaTAfBgNVHSMEGDAW
+gBQiyR3VMd3CdufD3JL8wIWTqubNzjAdBgNVHQ4EFgQUON+KAQ3zmTRqwEhvTM0g
+vMZUZF4wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAN
+BgkqhkiG9w0BAQUFAAOBgQBxH+ujnhDuJ8w84wkOZvsaXK8TaJMO7AkbWriyl9Bm
+rMj0tb0bKud0bFlnK+uuetnpFGNysBArTwGQMpQ8C9KsHDEDVoC5A7TAUXHJgtyG
+geWX6fiC8ZBA/LDkDjqLchdfF2r/Enjo84+EbjA28xHQeJt+AMv2PrX41z7EWjjj
+dA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AB:C8:41:00:26:D0:D5:4C:E6:2B:56:67:EC:EF:82:C4:C2:DD:F2:55
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:eb:03:68:bb:91:5d:9a:09:2a:f7:5c:73:90:8d:e8:4b:23:
+ 92:c3:d6:b3:8b:81:ba:d2:b9:dc:a1:e4:48:29:a8:98:cf:59:
+ db:2b:1e:de:1a:ce:db:cd:5a:dd:de:f5:f3:91:13:9c:1e:a6:
+ c8:4c:d1:ee:24:10:7c:95:df:a0:ed:4d:f9:a5:16:43:89:af:
+ 18:f6:1c:24:b0:70:9c:62:86:07:f8:0c:e1:61:d6:99:ed:7b:
+ 88:58:9f:79:d6:3a:1e:ba:aa:52:97:13:5e:00:7d:00:ce:9a:
+ d2:34:9f:0d:bc:18:09:f8:10:2d:c5:d2:8f:d7:eb:a9:59:25:
+ 45:1c
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUq8hBACbQ1UzmK1Zn7O+CxMLd8lUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAhesDaLuRXZoJKvdcc5CN6EsjksPWs4uButK53KHkSCmomM9Z2yse
+3hrO281a3d7185ETnB6myEzR7iQQfJXfoO1N+aUWQ4mvGPYcJLBwnGKGB/gM4WHW
+me17iFifedY6HrqqUpcTXgB9AM6a0jSfDbwYCfgQLcXSj9frqVklRRw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subsubCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:22:C9:1D:D5:31:DD:C2:76:E7:C3:DC:92:FC:C0:85:93:AA:E6:CD:CE
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1d:88:c0:b5:68:f8:c5:35:0c:66:d2:54:82:7f:06:cd:fb:e4:
+ 14:7b:81:fd:e0:ff:7f:0c:33:e4:b4:07:82:8e:40:8e:46:36:
+ 5c:05:8c:72:bc:b9:83:50:2b:c9:d5:23:08:40:c9:a3:47:ca:
+ cf:41:15:86:1d:a8:fe:50:a9:ec:75:78:c9:d1:6f:94:00:86:
+ c3:05:3d:e4:39:af:b4:a0:9e:07:88:24:fe:66:f9:7b:f5:95:
+ 7c:dc:08:c5:ca:e4:4c:d3:82:bb:6c:de:07:8a:f2:18:71:ff:
+ 8b:d2:a0:95:2d:c4:e2:12:37:bf:12:cc:e9:bb:75:de:16:9f:
+ 86:32
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRBbnlQb2xpY3kx
+IHN1YnN1YkNBMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUIskd1THdwnbnw9yS/MCFk6rmzc4wCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAHYjAtWj4xTUMZtJUgn8GzfvkFHuB/eD/fwwz5LQHgo5AjkY2
+XAWMcry5g1ArydUjCEDJo0fKz0EVhh2o/lCp7HV4ydFvlACGwwU95DmvtKCeB4gk
+/mb5e/WVfNwIxcrkTNOCu2zeB4ryGHH/i9KglS3E4hI3vxLM6bt13hafhjI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest10.pem
new file mode 100644
index 0000000000..5d5bad56aa
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest10.pem
@@ -0,0 +1,200 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+ME8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIG
+A1UEAxMbaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCX3X8GrbxUXCENLok/vrVUA4snN0DJ+ja+Vct+doODtUFE
+99ZdYrT+qEPGAkioxAKElsWQDHoAjlv/TjoSxbV6BURJiMk+pIdN/N3oOtLz9N5y
+emO4Nq8Wv3A6dmTeqV/BvhEmKyKd9h/0Vy3gTP/eIqA8vhyxOpPLAB/gKIIWUwID
+AQABo3wwejAfBgNVHSMEGDAWgBSqaWS1UuWiYwoKoPNqFz8gsgPUtDAdBgNVHQ4E
+FgQUbFzipWxbYKUZ3ncFU1rjNTWvrRswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAImoE0/jphqmO48yRD2BCE5RlbnLVfXqKMbZ61lxs7X2Z2oC7QmmXJ8xH0vu
+YmnqpQTJjLwJc6janX9zk3DIdokB0PPu6HAtSb3GeETMG2tQFA3aeDyg8xjqGNBD
+OHfNDd64bvLnKZWb3bLEPfnZf6WTaRV/x56wf+7+NPg+zJop
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBOjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+643DGHdT8CXwVc2GtZQbRQTdptkiSzy79NPJD2XLU9LpWnrgyGzl4j7xUeYVspxY
+Ws/mpZCQOb2hs8eDfHKisjtcKj8Y8r0S8Csb3dsG19Rmjbg/2SiF5ZMaHzPi0QAk
+m008o0bwHaSBlFHigtvqu563VpgMs52ksx3BV1BKZQIDAQABo4GRMIGOMB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSqaWS1UuWiYwoK
+oPNqFz8gsgPUtDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBATANBgkqhkiG
+9w0BAQUFAAOBgQA3+2MqCUqi2aRGC2CQMzptfla5lfBz0GLy7p1VBIoKLOe6/rAb
+IhVjO2X7pWEJosnjfmKUOggaCctxUuGgA/okQKTXTXQwXJwJNv2qS5lf1AHD4B99
+pZ5ebQ5FJ+RZBB6HiUWabWVfJ41WPI7ceJ8fh/Riau+XJg2KLE8myngRMA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMHIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFH
+MEUGA1UEAxM+SW52YWxpZCBTZWxmLUlzc3VlZCBpbmhpYml0UG9saWN5TWFwcGlu
+ZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALSurY6um4v6Evz2ZZkBR0WlROEOIvWcYk9AFjbvZnEXlHBzmkfiz93q0Bi1
+a98FZyy05zNbGmfXdXDbAuNwWdWnYFJqFQF5yKUTSQOjNNy5afttfVbM3ibrmE52
+KsMfdN73UU2pHclkhpRJ9ex52s3nofBFCXZQVRZzoeOqe/tfAgMBAAGjazBpMB8G
+A1UdIwQYMBaAFEGmJOdLRsqNTr1i/ZUfoEVERdaDMB0GA1UdDgQWBBThQ779KH6I
+bjPzWxJ3ysMVnek3RjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATADMA0GCSqGSIb3DQEBBQUAA4GBAHsSdG99XQKSMIQzQLp/vngNcqtmTCC5
+jBCt3KnnUwJ/Nrk2oEQpRwjetItPwFFYN/IR1MUnb0TtKwr+WqFeMI5MgyzkuiG8
+b8Wi8Nfa+GP+ZaWx9W0hIwlvixhloYr/wO5roHJLmZdiyrUJlEGb/7VLK5ZlmSDd
+LhmwYoEZUDxg
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDlD9RQqLmz1R8mmDv95sxGdTT50F3U2U2PHAx0M0R/
+EmmreJx8mubNNUzKpH+jIQCsgKqAH+CJH/LDeCzow3F/cS0bcKYF/x1hJhJHO+pP
+uBgIa0yNq+hkNY9F+V/b+auEovg9yqIThiE9atAWfL1IRnRW5qpSi7si8qQdGWGt
+iQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFGxc4qVsW2ClGd53BVNa4zU1r60bMB0G
+A1UdDgQWBBS2psHqwFJT34b9ZknktEa+YzMMFTAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEw
+AQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AAjqz5quHRrfjyt+VRbtAM5KfKQS9G5SMsxGGdD/A8Nu5JYAN5FGi9X+RjLqeBzD
+6hmnFNNPFZx9LtO1s4wBoM06zoAddrIISUWehidWkxh7YEJSt4OSQ3fHNO0lgHaC
+WnvV8cZ3JLFezL+4ZDzXUJYoxmGCjerFTfIszoyvBuu6
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICwDCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEn
+MCUGA1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC8nvl2y4d/yNUHP7aG5vOrKPi3d7UXdNZHRGzP
+KFYbJk+OVhNwnX26uR8hCEDDfjBI28f/541hjsDbgy60IS+nCklaPQkS5uD2R6Lq
+9WPZpnSNT+obNGFQqIuE0iQbBIXeXKy/E1lxCIQazKZHl7/QhjIso5/eRagUVF6m
+ahAnsQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFLamwerAUlPfhv1mSeS0Rr5jMwwV
+MB0GA1UdDgQWBBRBpiTnS0bKjU69Yv2VH6BFREXWgzAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAKKfnJVgNVANlABGqhZPFB+MA6EeX9BLJIERR69poKaUCigLoIdovWQx9/sT
+MYvGE/gIulPhyTI2P+UM8yJHPmsucrlDwVwgyTE9WCsfVRZOV/DVqGzvHtpUGetp
+GZVUYWRIJtdAFXq1h04c6KSFenC2BqH6A19N8SkUyT9v8khC
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:69:64:B5:52:E5:A2:63:0A:0A:A0:F3:6A:17:3F:20:B2:03:D4:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:01:00:85:8d:99:b7:5b:7f:63:14:5b:20:de:25:35:78:25:
+ 50:56:9d:78:eb:ac:15:34:90:c7:18:cd:03:ad:4b:80:9f:b2:
+ 09:73:d0:8d:c9:dd:a2:5b:e5:c2:9e:30:ad:09:06:ad:8c:56:
+ 7b:39:76:aa:1e:13:a6:21:2b:68:c4:93:f3:39:fb:7c:7a:f7:
+ 2d:e4:d3:ac:5c:a6:38:07:9e:f5:b7:c2:54:6c:e7:76:9b:2e:
+ 74:5e:cd:83:1f:25:c0:d6:4d:af:ab:29:47:dd:b0:87:79:86:
+ f3:4d:89:80:2c:21:14:68:ec:4d:cd:67:d0:88:94:63:d1:db:
+ f7:a4
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUqmlktVLlomMKCqDzahc/ILID1LQwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAjQEAhY2Zt1t/YxRbIN4lNXglUFadeOusFTSQxxjNA61LgJ+y
+CXPQjcndolvlwp4wrQkGrYxWezl2qh4TpiEraMST8zn7fHr3LeTTrFymOAee9bfC
+VGzndpsudF7Ngx8lwNZNr6spR92wh3mG802JgCwhFGjsTc1n0IiUY9Hb96Q=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:A6:C1:EA:C0:52:53:DF:86:FD:66:49:E4:B4:46:BE:63:33:0C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:fc:6a:e9:aa:6d:46:16:9f:65:05:ec:bb:4a:e3:de:fc:ee:
+ 4b:6a:61:7b:4f:ca:b0:86:90:90:f9:3e:ee:42:70:bf:70:51:
+ 0b:ab:f0:b5:51:4f:78:f2:03:59:1e:5b:01:1d:6f:79:b6:d9:
+ c2:38:83:22:b4:ae:64:06:63:5a:af:04:58:6c:a1:e2:3f:64:
+ ce:f2:24:20:0c:a4:77:52:e1:cc:23:3f:5f:a7:89:20:85:fb:
+ cd:f8:c1:09:98:bb:62:c3:62:0b:75:38:01:b0:93:d6:bf:22:
+ d0:18:ff:04:52:25:72:bc:c9:d4:e5:77:fa:b6:84:9d:bb:d9:
+ 45:a0
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUtqbB6sBSU9+G/WZJ5LRGvmMzDBUwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAqvxq6aptRhafZQXsu0rj3vzuS2phe0/KsIaQkPk+7kJw
+v3BRC6vwtVFPePIDWR5bAR1vebbZwjiDIrSuZAZjWq8EWGyh4j9kzvIkIAykd1Lh
+zCM/X6eJIIX7zfjBCZi7YsNiC3U4AbCT1r8i0Bj/BFIlcrzJ1OV3+raEnbvZRaA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest11.pem
new file mode 100644
index 0000000000..30cfbd8ac3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest11.pem
@@ -0,0 +1,200 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+ME8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIG
+A1UEAxMbaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCX3X8GrbxUXCENLok/vrVUA4snN0DJ+ja+Vct+doODtUFE
+99ZdYrT+qEPGAkioxAKElsWQDHoAjlv/TjoSxbV6BURJiMk+pIdN/N3oOtLz9N5y
+emO4Nq8Wv3A6dmTeqV/BvhEmKyKd9h/0Vy3gTP/eIqA8vhyxOpPLAB/gKIIWUwID
+AQABo3wwejAfBgNVHSMEGDAWgBSqaWS1UuWiYwoKoPNqFz8gsgPUtDAdBgNVHQ4E
+FgQUbFzipWxbYKUZ3ncFU1rjNTWvrRswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAImoE0/jphqmO48yRD2BCE5RlbnLVfXqKMbZ61lxs7X2Z2oC7QmmXJ8xH0vu
+YmnqpQTJjLwJc6janX9zk3DIdokB0PPu6HAtSb3GeETMG2tQFA3aeDyg8xjqGNBD
+OHfNDd64bvLnKZWb3bLEPfnZf6WTaRV/x56wf+7+NPg+zJop
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBOjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+643DGHdT8CXwVc2GtZQbRQTdptkiSzy79NPJD2XLU9LpWnrgyGzl4j7xUeYVspxY
+Ws/mpZCQOb2hs8eDfHKisjtcKj8Y8r0S8Csb3dsG19Rmjbg/2SiF5ZMaHzPi0QAk
+m008o0bwHaSBlFHigtvqu563VpgMs52ksx3BV1BKZQIDAQABo4GRMIGOMB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSqaWS1UuWiYwoK
+oPNqFz8gsgPUtDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBATANBgkqhkiG
+9w0BAQUFAAOBgQA3+2MqCUqi2aRGC2CQMzptfla5lfBz0GLy7p1VBIoKLOe6/rAb
+IhVjO2X7pWEJosnjfmKUOggaCctxUuGgA/okQKTXTXQwXJwJNv2qS5lf1AHD4B99
+pZ5ebQ5FJ+RZBB6HiUWabWVfJ41WPI7ceJ8fh/Riau+XJg2KLE8myngRMA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBBTANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMHIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFH
+MEUGA1UEAxM+SW52YWxpZCBTZWxmLUlzc3VlZCBpbmhpYml0UG9saWN5TWFwcGlu
+ZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBALCdOCljPs8W35hbzEaZA4tSBiEAP7TpJfmh7c+CyK7UORyXxmyvM6U8V4Gs
+PBqmswzgVMkMhosS/Bhk73RmCn38i5dNYizu/3yOGp9piOxNNtktH6bhKyeHq/wM
+hHhgiZhACGBZZDdZFinn4ohF2SmbpxFuugZsJPnX4tj1KZJRAgMBAAGjazBpMB8G
+A1UdIwQYMBaAFEGmJOdLRsqNTr1i/ZUfoEVERdaDMB0GA1UdDgQWBBTTdhSEDG2I
+nAn6zC50pNDdzdZIezAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATACMA0GCSqGSIb3DQEBBQUAA4GBAK/N3uvvde9B7whxXVd4IA0MSe3DHGLK
+n/OBEw3cIXCYST42xPqPV8mkuz82JMTlete1834sdk/ayNFUloeyXzQTAdDg1JoD
+s6Cq3DzqfG1sVcu3wcsYbmpq7zxjXAERJQb2xSOYTvaJC0eb8FSfY6pXWx57qak/
+EPSox/J2fkc6
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDlD9RQqLmz1R8mmDv95sxGdTT50F3U2U2PHAx0M0R/
+EmmreJx8mubNNUzKpH+jIQCsgKqAH+CJH/LDeCzow3F/cS0bcKYF/x1hJhJHO+pP
+uBgIa0yNq+hkNY9F+V/b+auEovg9yqIThiE9atAWfL1IRnRW5qpSi7si8qQdGWGt
+iQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFGxc4qVsW2ClGd53BVNa4zU1r60bMB0G
+A1UdDgQWBBS2psHqwFJT34b9ZknktEa+YzMMFTAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEw
+AQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AAjqz5quHRrfjyt+VRbtAM5KfKQS9G5SMsxGGdD/A8Nu5JYAN5FGi9X+RjLqeBzD
+6hmnFNNPFZx9LtO1s4wBoM06zoAddrIISUWehidWkxh7YEJSt4OSQ3fHNO0lgHaC
+WnvV8cZ3JLFezL+4ZDzXUJYoxmGCjerFTfIszoyvBuu6
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICwDCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEn
+MCUGA1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC8nvl2y4d/yNUHP7aG5vOrKPi3d7UXdNZHRGzP
+KFYbJk+OVhNwnX26uR8hCEDDfjBI28f/541hjsDbgy60IS+nCklaPQkS5uD2R6Lq
+9WPZpnSNT+obNGFQqIuE0iQbBIXeXKy/E1lxCIQazKZHl7/QhjIso5/eRagUVF6m
+ahAnsQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFLamwerAUlPfhv1mSeS0Rr5jMwwV
+MB0GA1UdDgQWBBRBpiTnS0bKjU69Yv2VH6BFREXWgzAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUD
+AgEwAgYKYIZIAWUDAgEwAzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAKKfnJVgNVANlABGqhZPFB+MA6EeX9BLJIERR69poKaUCigLoIdovWQx9/sT
+MYvGE/gIulPhyTI2P+UM8yJHPmsucrlDwVwgyTE9WCsfVRZOV/DVqGzvHtpUGetp
+GZVUYWRIJtdAFXq1h04c6KSFenC2BqH6A19N8SkUyT9v8khC
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:69:64:B5:52:E5:A2:63:0A:0A:A0:F3:6A:17:3F:20:B2:03:D4:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:01:00:85:8d:99:b7:5b:7f:63:14:5b:20:de:25:35:78:25:
+ 50:56:9d:78:eb:ac:15:34:90:c7:18:cd:03:ad:4b:80:9f:b2:
+ 09:73:d0:8d:c9:dd:a2:5b:e5:c2:9e:30:ad:09:06:ad:8c:56:
+ 7b:39:76:aa:1e:13:a6:21:2b:68:c4:93:f3:39:fb:7c:7a:f7:
+ 2d:e4:d3:ac:5c:a6:38:07:9e:f5:b7:c2:54:6c:e7:76:9b:2e:
+ 74:5e:cd:83:1f:25:c0:d6:4d:af:ab:29:47:dd:b0:87:79:86:
+ f3:4d:89:80:2c:21:14:68:ec:4d:cd:67:d0:88:94:63:d1:db:
+ f7:a4
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUqmlktVLlomMKCqDzahc/ILID1LQwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAjQEAhY2Zt1t/YxRbIN4lNXglUFadeOusFTSQxxjNA61LgJ+y
+CXPQjcndolvlwp4wrQkGrYxWezl2qh4TpiEraMST8zn7fHr3LeTTrFymOAee9bfC
+VGzndpsudF7Ngx8lwNZNr6spR92wh3mG802JgCwhFGjsTc1n0IiUY9Hb96Q=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:A6:C1:EA:C0:52:53:DF:86:FD:66:49:E4:B4:46:BE:63:33:0C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:fc:6a:e9:aa:6d:46:16:9f:65:05:ec:bb:4a:e3:de:fc:ee:
+ 4b:6a:61:7b:4f:ca:b0:86:90:90:f9:3e:ee:42:70:bf:70:51:
+ 0b:ab:f0:b5:51:4f:78:f2:03:59:1e:5b:01:1d:6f:79:b6:d9:
+ c2:38:83:22:b4:ae:64:06:63:5a:af:04:58:6c:a1:e2:3f:64:
+ ce:f2:24:20:0c:a4:77:52:e1:cc:23:3f:5f:a7:89:20:85:fb:
+ cd:f8:c1:09:98:bb:62:c3:62:0b:75:38:01:b0:93:d6:bf:22:
+ d0:18:ff:04:52:25:72:bc:c9:d4:e5:77:fa:b6:84:9d:bb:d9:
+ 45:a0
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUtqbB6sBSU9+G/WZJ5LRGvmMzDBUwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAqvxq6aptRhafZQXsu0rj3vzuS2phe0/KsIaQkPk+7kJw
+v3BRC6vwtVFPePIDWR5bAR1vebbZwjiDIrSuZAZjWq8EWGyh4j9kzvIkIAykd1Lh
+zCM/X6eJIIX7zfjBCZi7YsNiC3U4AbCT1r8i0Bj/BFIlcrzJ1OV3+raEnbvZRaA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest8.pem
new file mode 100644
index 0000000000..c6ef8e0f7a
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest8.pem
@@ -0,0 +1,233 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+ME8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIG
+A1UEAxMbaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCX3X8GrbxUXCENLok/vrVUA4snN0DJ+ja+Vct+doODtUFE
+99ZdYrT+qEPGAkioxAKElsWQDHoAjlv/TjoSxbV6BURJiMk+pIdN/N3oOtLz9N5y
+emO4Nq8Wv3A6dmTeqV/BvhEmKyKd9h/0Vy3gTP/eIqA8vhyxOpPLAB/gKIIWUwID
+AQABo3wwejAfBgNVHSMEGDAWgBSqaWS1UuWiYwoKoPNqFz8gsgPUtDAdBgNVHQ4E
+FgQUbFzipWxbYKUZ3ncFU1rjNTWvrRswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAImoE0/jphqmO48yRD2BCE5RlbnLVfXqKMbZ61lxs7X2Z2oC7QmmXJ8xH0vu
+YmnqpQTJjLwJc6janX9zk3DIdokB0PPu6HAtSb3GeETMG2tQFA3aeDyg8xjqGNBD
+OHfNDd64bvLnKZWb3bLEPfnZf6WTaRV/x56wf+7+NPg+zJop
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBOjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+643DGHdT8CXwVc2GtZQbRQTdptkiSzy79NPJD2XLU9LpWnrgyGzl4j7xUeYVspxY
+Ws/mpZCQOb2hs8eDfHKisjtcKj8Y8r0S8Csb3dsG19Rmjbg/2SiF5ZMaHzPi0QAk
+m008o0bwHaSBlFHigtvqu563VpgMs52ksx3BV1BKZQIDAQABo4GRMIGOMB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSqaWS1UuWiYwoK
+oPNqFz8gsgPUtDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBATANBgkqhkiG
+9w0BAQUFAAOBgQA3+2MqCUqi2aRGC2CQMzptfla5lfBz0GLy7p1VBIoKLOe6/rAb
+IhVjO2X7pWEJosnjfmKUOggaCctxUuGgA/okQKTXTXQwXJwJNv2qS5lf1AHD4B99
+pZ5ebQ5FJ+RZBB6HiUWabWVfJ41WPI7ceJ8fh/Riau+XJg2KLE8myngRMA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMHExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czFGMEQGA1UEAxM9SW52YWxpZCBTZWxmLUlzc3VlZCBpbmhpYml0UG9saWN5TWFw
+cGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0ODCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA2ZkYyttS3QceAgvQBMI8apGZ8GOGdNJJrZmaGrXTlkDpRqFBGwv5vx0I
+D958BpDYH1LIN7/T0VKWubFI7UIsU8brS5aic8C92RXCvZM2QdGkQKoiWLE66AeH
++Fy35j8Tkrk/hoO764l/U3eQB3MD2u4Hf5NuqRAGcngjWAJyIjsCAwEAAaNrMGkw
+HwYDVR0jBBgwFoAUfpdDpAJ93mWROzcZfSe9EqTz0KMwHQYDVR0OBBYEFDKnsv6Y
+5OcDK1R9UWEjFuJ9ytbxMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAMwDQYJKoZIhvcNAQEFBQADgYEARAcPbJvFFgARsBpZO6o4SSHkn4if
+ZfTlwL3z5foZWrjQ0JDVIBj6uz9n3sP0V/xTfR+ZYVH13WgaoIxBIRMhV8lzW7yu
+d2Zz/d98BA0wwE8C9yxqVUuPje9zLRlmAEVQcYY4eWMlFZz2d8XHyckt/LcrCYrK
+iNQtbHdgmlb3dDM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDlD9RQqLmz1R8mmDv95sxGdTT50F3U2U2PHAx0M0R/
+EmmreJx8mubNNUzKpH+jIQCsgKqAH+CJH/LDeCzow3F/cS0bcKYF/x1hJhJHO+pP
+uBgIa0yNq+hkNY9F+V/b+auEovg9yqIThiE9atAWfL1IRnRW5qpSi7si8qQdGWGt
+iQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFGxc4qVsW2ClGd53BVNa4zU1r60bMB0G
+A1UdDgQWBBS2psHqwFJT34b9ZknktEa+YzMMFTAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEw
+AQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AAjqz5quHRrfjyt+VRbtAM5KfKQS9G5SMsxGGdD/A8Nu5JYAN5FGi9X+RjLqeBzD
+6hmnFNNPFZx9LtO1s4wBoM06zoAddrIISUWehidWkxh7YEJSt4OSQ3fHNO0lgHaC
+WnvV8cZ3JLFezL+4ZDzXUJYoxmGCjerFTfIszoyvBuu6
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMFUxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEq
+MCgGA1UEAxMhaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YnN1YkNBMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzSzQEVqFvTtWkK35YRQKG14a/Ui8zOCix
+lDhIv5FBbG4G15V4laMoRYB38uWxU4/v0K/7UsU7J2ZQZA0iJNgZdYZmM9mMF//t
+37x13Zxd4GcHDbX0FoSgZUNXxSF/AUN86GXCCjrFMhHZAFgqLuYaust5NQdTk9Li
+tSFfyfRl1QIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFLamwerAUlPfhv1mSeS0Rr5j
+MwwVMB0GA1UdDgQWBBR+l0OkAn3eZZE7Nxl9J70SpPPQozAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZI
+AWUDAgEwAgYKYIZIAWUDAgEwAzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4GBALHfJ6kZFXxW875Sui9xpPd2/OXVv4ltULYqS4sYa6iAKR2nNl2dwe4x
+g4crvrxXC8Dp29uqsmno4zOqNaSVjEYctbN3htkL/k/QG4Y9GgklkdqZosT2UXV7
+BI1xQXAiQVbBwcABjHTEAoW4flzUO7+GhapXp36TsEUOYA32+n5X
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:69:64:B5:52:E5:A2:63:0A:0A:A0:F3:6A:17:3F:20:B2:03:D4:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:01:00:85:8d:99:b7:5b:7f:63:14:5b:20:de:25:35:78:25:
+ 50:56:9d:78:eb:ac:15:34:90:c7:18:cd:03:ad:4b:80:9f:b2:
+ 09:73:d0:8d:c9:dd:a2:5b:e5:c2:9e:30:ad:09:06:ad:8c:56:
+ 7b:39:76:aa:1e:13:a6:21:2b:68:c4:93:f3:39:fb:7c:7a:f7:
+ 2d:e4:d3:ac:5c:a6:38:07:9e:f5:b7:c2:54:6c:e7:76:9b:2e:
+ 74:5e:cd:83:1f:25:c0:d6:4d:af:ab:29:47:dd:b0:87:79:86:
+ f3:4d:89:80:2c:21:14:68:ec:4d:cd:67:d0:88:94:63:d1:db:
+ f7:a4
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUqmlktVLlomMKCqDzahc/ILID1LQwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAjQEAhY2Zt1t/YxRbIN4lNXglUFadeOusFTSQxxjNA61LgJ+y
+CXPQjcndolvlwp4wrQkGrYxWezl2qh4TpiEraMST8zn7fHr3LeTTrFymOAee9bfC
+VGzndpsudF7Ngx8lwNZNr6spR92wh3mG802JgCwhFGjsTc1n0IiUY9Hb96Q=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:A6:C1:EA:C0:52:53:DF:86:FD:66:49:E4:B4:46:BE:63:33:0C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:fc:6a:e9:aa:6d:46:16:9f:65:05:ec:bb:4a:e3:de:fc:ee:
+ 4b:6a:61:7b:4f:ca:b0:86:90:90:f9:3e:ee:42:70:bf:70:51:
+ 0b:ab:f0:b5:51:4f:78:f2:03:59:1e:5b:01:1d:6f:79:b6:d9:
+ c2:38:83:22:b4:ae:64:06:63:5a:af:04:58:6c:a1:e2:3f:64:
+ ce:f2:24:20:0c:a4:77:52:e1:cc:23:3f:5f:a7:89:20:85:fb:
+ cd:f8:c1:09:98:bb:62:c3:62:0b:75:38:01:b0:93:d6:bf:22:
+ d0:18:ff:04:52:25:72:bc:c9:d4:e5:77:fa:b6:84:9d:bb:d9:
+ 45:a0
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUtqbB6sBSU9+G/WZJ5LRGvmMzDBUwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAqvxq6aptRhafZQXsu0rj3vzuS2phe0/KsIaQkPk+7kJw
+v3BRC6vwtVFPePIDWR5bAR1vebbZwjiDIrSuZAZjWq8EWGyh4j9kzvIkIAykd1Lh
+zCM/X6eJIIX7zfjBCZi7YsNiC3U4AbCT1r8i0Bj/BFIlcrzJ1OV3+raEnbvZRaA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:7E:97:43:A4:02:7D:DE:65:91:3B:37:19:7D:27:BD:12:A4:F3:D0:A3
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 04:cc:f2:b1:f4:89:f0:41:53:c8:66:c7:4d:6f:88:a1:63:45:
+ 28:ff:81:51:07:c0:ef:98:b9:b5:a7:9b:b3:77:d9:1d:ed:f1:
+ 6e:80:66:f4:0d:cf:35:ab:67:18:fd:e0:10:7c:0c:06:50:44:
+ fa:4e:bd:eb:1a:69:b4:e5:80:56:a2:21:b2:8c:0c:36:6d:13:
+ ac:b4:1a:00:86:bb:90:69:00:ff:66:c4:a2:16:bf:e3:70:5f:
+ 2a:dd:c1:78:cf:a8:cf:1c:d3:33:4b:b2:67:6d:16:96:23:3b:
+ 08:68:e3:00:c0:71:88:38:16:17:7e:fd:fb:f7:5a:79:77:f6:
+ 6c:f5
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUfpdDpAJ93mWROzcZfSe9EqTz0KMwCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEABMzysfSJ8EFTyGbHTW+IoWNFKP+BUQfA75i5taeb
+s3fZHe3xboBm9A3PNatnGP3gEHwMBlBE+k696xpptOWAVqIhsowMNm0TrLQaAIa7
+kGkA/2bEoha/43BfKt3BeM+ozxzTM0uyZ20WliM7CGjjAMBxiDgWF379+/daeXf2
+bPU=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest9.pem
new file mode 100644
index 0000000000..ecd49f4f58
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest9.pem
@@ -0,0 +1,233 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+ME8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIG
+A1UEAxMbaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCX3X8GrbxUXCENLok/vrVUA4snN0DJ+ja+Vct+doODtUFE
+99ZdYrT+qEPGAkioxAKElsWQDHoAjlv/TjoSxbV6BURJiMk+pIdN/N3oOtLz9N5y
+emO4Nq8Wv3A6dmTeqV/BvhEmKyKd9h/0Vy3gTP/eIqA8vhyxOpPLAB/gKIIWUwID
+AQABo3wwejAfBgNVHSMEGDAWgBSqaWS1UuWiYwoKoPNqFz8gsgPUtDAdBgNVHQ4E
+FgQUbFzipWxbYKUZ3ncFU1rjNTWvrRswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAImoE0/jphqmO48yRD2BCE5RlbnLVfXqKMbZ61lxs7X2Z2oC7QmmXJ8xH0vu
+YmnqpQTJjLwJc6janX9zk3DIdokB0PPu6HAtSb3GeETMG2tQFA3aeDyg8xjqGNBD
+OHfNDd64bvLnKZWb3bLEPfnZf6WTaRV/x56wf+7+NPg+zJop
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBOjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+643DGHdT8CXwVc2GtZQbRQTdptkiSzy79NPJD2XLU9LpWnrgyGzl4j7xUeYVspxY
+Ws/mpZCQOb2hs8eDfHKisjtcKj8Y8r0S8Csb3dsG19Rmjbg/2SiF5ZMaHzPi0QAk
+m008o0bwHaSBlFHigtvqu563VpgMs52ksx3BV1BKZQIDAQABo4GRMIGOMB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSqaWS1UuWiYwoK
+oPNqFz8gsgPUtDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBATANBgkqhkiG
+9w0BAQUFAAOBgQA3+2MqCUqi2aRGC2CQMzptfla5lfBz0GLy7p1VBIoKLOe6/rAb
+IhVjO2X7pWEJosnjfmKUOggaCctxUuGgA/okQKTXTXQwXJwJNv2qS5lf1AHD4B99
+pZ5ebQ5FJ+RZBB6HiUWabWVfJ41WPI7ceJ8fh/Riau+XJg2KLE8myngRMA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMHExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czFGMEQGA1UEAxM9SW52YWxpZCBTZWxmLUlzc3VlZCBpbmhpYml0UG9saWN5TWFw
+cGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0OTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAylxeQoRBPgPQvR6PrLfrhYdQPa+pAircmIyNSp/en2b65foW6Dvx/sHc
+Y9lLvbx48Dv+XPUR4a0xsGGvX0GBy4GOUv+6nqaFOdce8VYwmIFybQGDaxoqytYo
+bhhZZD8g6dfyWuWMQ5LUt5vyIL2FbCnDevgD/ivnIwBKJFEn/B0CAwEAAaNrMGkw
+HwYDVR0jBBgwFoAUfpdDpAJ93mWROzcZfSe9EqTz0KMwHQYDVR0OBBYEFN+F7ghB
+89TFNj8vas0p8wMYmcU1MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAIwDQYJKoZIhvcNAQEFBQADgYEAKODQTLmhlOsijlIfpBZNXzohZOzj
+J27r0eok4ACPAFNwUCue2GMNerlrKqHiHChov8zvh4AoQDfcZBwRFcGnRMq8QyDn
+EkxvE9P/4Ib7XERwVDPmVPgvQYvcqC7hz7B7oYO7rigckrroh2X2x/tynphxnIRS
+6Mpc00/1Fs34Cv0=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDlD9RQqLmz1R8mmDv95sxGdTT50F3U2U2PHAx0M0R/
+EmmreJx8mubNNUzKpH+jIQCsgKqAH+CJH/LDeCzow3F/cS0bcKYF/x1hJhJHO+pP
+uBgIa0yNq+hkNY9F+V/b+auEovg9yqIThiE9atAWfL1IRnRW5qpSi7si8qQdGWGt
+iQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFGxc4qVsW2ClGd53BVNa4zU1r60bMB0G
+A1UdDgQWBBS2psHqwFJT34b9ZknktEa+YzMMFTAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEw
+AQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AAjqz5quHRrfjyt+VRbtAM5KfKQS9G5SMsxGGdD/A8Nu5JYAN5FGi9X+RjLqeBzD
+6hmnFNNPFZx9LtO1s4wBoM06zoAddrIISUWehidWkxh7YEJSt4OSQ3fHNO0lgHaC
+WnvV8cZ3JLFezL+4ZDzXUJYoxmGCjerFTfIszoyvBuu6
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMFUxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEq
+MCgGA1UEAxMhaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YnN1YkNBMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzSzQEVqFvTtWkK35YRQKG14a/Ui8zOCix
+lDhIv5FBbG4G15V4laMoRYB38uWxU4/v0K/7UsU7J2ZQZA0iJNgZdYZmM9mMF//t
+37x13Zxd4GcHDbX0FoSgZUNXxSF/AUN86GXCCjrFMhHZAFgqLuYaust5NQdTk9Li
+tSFfyfRl1QIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFLamwerAUlPfhv1mSeS0Rr5j
+MwwVMB0GA1UdDgQWBBR+l0OkAn3eZZE7Nxl9J70SpPPQozAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZI
+AWUDAgEwAgYKYIZIAWUDAgEwAzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4GBALHfJ6kZFXxW875Sui9xpPd2/OXVv4ltULYqS4sYa6iAKR2nNl2dwe4x
+g4crvrxXC8Dp29uqsmno4zOqNaSVjEYctbN3htkL/k/QG4Y9GgklkdqZosT2UXV7
+BI1xQXAiQVbBwcABjHTEAoW4flzUO7+GhapXp36TsEUOYA32+n5X
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:69:64:B5:52:E5:A2:63:0A:0A:A0:F3:6A:17:3F:20:B2:03:D4:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:01:00:85:8d:99:b7:5b:7f:63:14:5b:20:de:25:35:78:25:
+ 50:56:9d:78:eb:ac:15:34:90:c7:18:cd:03:ad:4b:80:9f:b2:
+ 09:73:d0:8d:c9:dd:a2:5b:e5:c2:9e:30:ad:09:06:ad:8c:56:
+ 7b:39:76:aa:1e:13:a6:21:2b:68:c4:93:f3:39:fb:7c:7a:f7:
+ 2d:e4:d3:ac:5c:a6:38:07:9e:f5:b7:c2:54:6c:e7:76:9b:2e:
+ 74:5e:cd:83:1f:25:c0:d6:4d:af:ab:29:47:dd:b0:87:79:86:
+ f3:4d:89:80:2c:21:14:68:ec:4d:cd:67:d0:88:94:63:d1:db:
+ f7:a4
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUqmlktVLlomMKCqDzahc/ILID1LQwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAjQEAhY2Zt1t/YxRbIN4lNXglUFadeOusFTSQxxjNA61LgJ+y
+CXPQjcndolvlwp4wrQkGrYxWezl2qh4TpiEraMST8zn7fHr3LeTTrFymOAee9bfC
+VGzndpsudF7Ngx8lwNZNr6spR92wh3mG802JgCwhFGjsTc1n0IiUY9Hb96Q=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:A6:C1:EA:C0:52:53:DF:86:FD:66:49:E4:B4:46:BE:63:33:0C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:fc:6a:e9:aa:6d:46:16:9f:65:05:ec:bb:4a:e3:de:fc:ee:
+ 4b:6a:61:7b:4f:ca:b0:86:90:90:f9:3e:ee:42:70:bf:70:51:
+ 0b:ab:f0:b5:51:4f:78:f2:03:59:1e:5b:01:1d:6f:79:b6:d9:
+ c2:38:83:22:b4:ae:64:06:63:5a:af:04:58:6c:a1:e2:3f:64:
+ ce:f2:24:20:0c:a4:77:52:e1:cc:23:3f:5f:a7:89:20:85:fb:
+ cd:f8:c1:09:98:bb:62:c3:62:0b:75:38:01:b0:93:d6:bf:22:
+ d0:18:ff:04:52:25:72:bc:c9:d4:e5:77:fa:b6:84:9d:bb:d9:
+ 45:a0
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUtqbB6sBSU9+G/WZJ5LRGvmMzDBUwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAqvxq6aptRhafZQXsu0rj3vzuS2phe0/KsIaQkPk+7kJw
+v3BRC6vwtVFPePIDWR5bAR1vebbZwjiDIrSuZAZjWq8EWGyh4j9kzvIkIAykd1Lh
+zCM/X6eJIIX7zfjBCZi7YsNiC3U4AbCT1r8i0Bj/BFIlcrzJ1OV3+raEnbvZRaA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:7E:97:43:A4:02:7D:DE:65:91:3B:37:19:7D:27:BD:12:A4:F3:D0:A3
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 04:cc:f2:b1:f4:89:f0:41:53:c8:66:c7:4d:6f:88:a1:63:45:
+ 28:ff:81:51:07:c0:ef:98:b9:b5:a7:9b:b3:77:d9:1d:ed:f1:
+ 6e:80:66:f4:0d:cf:35:ab:67:18:fd:e0:10:7c:0c:06:50:44:
+ fa:4e:bd:eb:1a:69:b4:e5:80:56:a2:21:b2:8c:0c:36:6d:13:
+ ac:b4:1a:00:86:bb:90:69:00:ff:66:c4:a2:16:bf:e3:70:5f:
+ 2a:dd:c1:78:cf:a8:cf:1c:d3:33:4b:b2:67:6d:16:96:23:3b:
+ 08:68:e3:00:c0:71:88:38:16:17:7e:fd:fb:f7:5a:79:77:f6:
+ 6c:f5
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUfpdDpAJ93mWROzcZfSe9EqTz0KMwCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEABMzysfSJ8EFTyGbHTW+IoWNFKP+BUQfA75i5taeb
+s3fZHe3xboBm9A3PNatnGP3gEHwMBlBE+k696xpptOWAVqIhsowMNm0TrLQaAIa7
+kGkA/2bEoha/43BfKt3BeM+ozxzTM0uyZ20WliM7CGjjAMBxiDgWF379+/daeXf2
+bPU=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedpathLenConstraintTest16.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedpathLenConstraintTest16.pem
new file mode 100644
index 0000000000..cec2eaaf87
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedpathLenConstraintTest16.pem
@@ -0,0 +1,179 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMV
+cGF0aExlbkNvbnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDDqMCqoLUxLw5wCcxhD3+5J80k2C5ESu+Co4n3V3Nu2SyzcfKET0wx5QvxYm5V
+bzsntf6IudJpfXgzxHIwJ4i5v+Ycc8NYiqmCNhsW5sFRzhjQDyTWu0fEYm+tmyBv
+FavwXAcp8ptUMElDMAv/bKSD+7MDC9uHZQOmVsY0ndcNUQIDAQABo3wwejAfBgNV
+HSMEGDAWgBQhDLUBdnbTsyqsJvyqpk/y1qFvSzAdBgNVHQ4EFgQUOK0lyEJa1w3p
+SvQY5iylU6RQ9EwwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAA9NjcDXXcF4
+FXkwZWIDYtowLXCpbshsU80nGx0/7QVNApSTnUq9pe0t8qAClcYZuaXgB/uYINl5
+qozAW6KR4wFaNUv6mnm+0ppWeiTnIn5O37IycPbAKVZRhauf3p/cTkZ6RZ3MJ5Q+
+fMTJscvSXtMhU+Q3Pp5PGRXlXhs1zFNp
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA2
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBBjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQwIHN1YkNBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAsFRY6folIcigIrpQ/iMlyqdk9EBMIL6NqCJEqkvun/36zcYeHsPv8t29
+hFHDBrhQT/Fi+9MNOXx0uiJT0cetYETo/HiiAqub27NG0Z82sxwsEiLASEWZ4ctu
+8AIom0mQl11rsK/4z4OemcI4Mxh5j6fCiI1ouogv1Vx4us4ew/UCAwEAAaN8MHow
+HwYDVR0jBBgwFoAUOK0lyEJa1w3pSvQY5iylU6RQ9EwwHQYDVR0OBBYEFAJSemtC
+TrDjzYKlY89uAwAjlIk1MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCFLUIH
+3Nuh+TAs+Kpg/tZTFK3cl2DGM1+W+wnsgn3pQhJnqIYCI/iAuPRs2bJGH1lQ0CTr
+HAQU9y0kmWpsNCzI6k9ZyuLd2w7MdXezVhjpE3iwAQCnVG1vw0MTFGzyR7wMeWp0
+Ejrp6mVdwu8LV6lngeqmNv0QNjYSutrFAsDHUg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued pathLenConstraint EE Certificate Test16
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA2
+-----BEGIN CERTIFICATE-----
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50MCBzdWJDQTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBv
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRDBCBgNV
+BAMTO0ludmFsaWQgU2VsZi1Jc3N1ZWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2Vy
+dGlmaWNhdGUgVGVzdDE2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfnEYg
+5tV8iksMhoNkR/PLNDStGXw9l6sTCiF+m+EF+/pDeN0Y/509SepxvXOZbQ8D7CkB
+PfgmSL8hs0dxdE3Fvf/AjvTFyyjI1q5wkFXd/qWMewquuMMm2j+FWn0fmSoFnyM6
+EEYvKLhqj1QuWiJJN/250ngjuufsh51HnlR/6QIDAQABo2swaTAfBgNVHSMEGDAW
+gBQCUnprQk6w482CpWPPbgMAI5SJNTAdBgNVHQ4EFgQURA7pZi8vxURs7KKf3U9B
+ItsxSAMwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAN
+BgkqhkiG9w0BAQUFAAOBgQAweIEFGj6V0Kr9Dz4wEyhUVK5bf5Frg+J8ap0YnoNT
+EmoLFqQtKPB3MVfcUkXrZAY149XFJJLI0v5VCK2mBN535do/Grxve2MMW8BbmmU4
+FQOKJruMJARneqYEHxbZUEmBvEoIoi4C/2SLxO7hOnhpiK+6UsetU35F19FPfGVp
+UQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:02:52:7A:6B:42:4E:B0:E3:CD:82:A5:63:CF:6E:03:00:23:94:89:35
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 23:10:0e:ae:60:60:7f:db:a0:d8:fe:8e:bb:0e:99:db:df:36:
+ 32:a0:54:7c:1c:ea:79:12:34:f1:a5:cb:75:f7:4b:d6:5d:6e:
+ df:56:9d:c1:d9:a2:a1:ab:7e:53:ac:ab:4f:fb:61:c6:86:bb:
+ 60:ec:f2:44:14:49:22:54:6e:5e:72:96:23:b0:bb:d7:8f:e8:
+ 4b:c1:5e:f1:16:d7:1b:2a:68:ef:ca:25:1c:63:15:21:7b:a3:
+ 80:c3:50:97:f6:41:81:b1:ec:5c:5b:77:b2:df:1c:cc:48:97:
+ 61:56:01:b2:9e:6e:8e:c0:89:05:82:7c:42:1f:61:34:e8:12:
+ c6:72
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+MCBzdWJDQTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFAJSemtCTrDjzYKlY89uAwAjlIk1MAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBACMQDq5gYH/boNj+jrsOmdvfNjKgVHwc6nkSNPGly3X3S9Zdbt9W
+ncHZoqGrflOsq0/7YcaGu2Ds8kQUSSJUbl5yliOwu9eP6EvBXvEW1xsqaO/KJRxj
+FSF7o4DDUJf2QYGx7Fxbd7LfHMxIl2FWAbKebo7AiQWCfEIfYTToEsZy
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest7.pem
new file mode 100644
index 0000000000..317350f047
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest7.pem
@@ -0,0 +1,178 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued requireExplicitPolicy EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjByMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRzBF
+BgNVBAMTPkludmFsaWQgU2VsZi1Jc3N1ZWQgcmVxdWlyZUV4cGxpY2l0UG9saWN5
+IEVFIENlcnRpZmljYXRlIFRlc3Q3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDXic0buOl4pV10DvAMBMgoZ3V0agmq+0F+nQLwUbtdeSIl99vQg0Mm1p7TLuBE
+ABo1EoiXuHlZCog5DA4XokYy6FpTEonY7whLXSUYYCfOzPAvG9v83mIGwoIlGyAf
+r80gVbCuYRpW2LcaqwmGiplI/k7AW4HgDPnPNoTI6wndIwIDAQABo1IwUDAfBgNV
+HSMEGDAWgBTeKdbm40+XHQOoOqbqTeRGX4+CMDAdBgNVHQ4EFgQUq/kyDfFv0NrK
+Hsyq7J+/np0Fn38wDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBADdS
+qEYYNaD9ukw0/coVvMDpPV7exx7R58ORlWTm0f/OMOI/dQv35ePIHaJCgInLtKgZ
+/e6UcxGi76E3j9oFzHjd3B9LIYeleJD5w0oASN+63KCbbtpVphjTo7KdsJUli+Cl
+WZJMNDS1X6486Y2zjJcQZ6F8SWW3+ij1o/JqEyfq
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBN
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNV
+BAMTGXJlcXVpcmVFeHBsaWNpdFBvbGljeTIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALnxr9bA0oGlaihhiPR0d8F/y9ai99F6w8+DtAfGlFtJ4WU3GPih
+ftUTRqZelcu+u6hZgekMwVhjUHyo6sFt5SfbCzJEmjWxI1anTrGAAcH6pG7zF2Z0
+iae8kVE7C8GOgwm+F1Y1RHkw8Wz/UbZ4QGIhzA++KPDi2du40LEGD4BZAgMBAAGj
+fDB6MB8GA1UdIwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMB0GA1UdDgQWBBQT
+5ozBKw9nS0x6HQ62wCFaJJlQhDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
+B6X+ALEMO8yG/lXfGuoX4XPyaZrb1A8oWFk2ZNCx9QIzI6CQ0vRfO47TF20iK5wr
+HN8y7yXpJGZcNTa5+697/kRziJ/zrNiL4b4BP6QRxYv+3Edq7FOb842JguqWw6nP
+SfsshPhMilo3C4X3PESiI67m18AlqgJcYcmemF1R6Ng=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBQ
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNV
+BAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTIgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAJ2xj97xq5PBOjaij1jBcMKFCjaRE1wlUR+5Zz8QkwCtipee
+6O1spOPGECu/sOzZ766YgD6B9GrGQsjXYGzHSxnOl8rcgpkeN99/57f2LYSLxKfc
+/qvcMvgHk6SZiGtpkYOvlLl1r1qUMedtPK29920CI0sp5sxygDaL6PgMvtoVAgMB
+AAGjfDB6MB8GA1UdIwQYMBaAFBPmjMErD2dLTHodDrbAIVokmVCEMB0GA1UdDgQW
+BBTeKdbm40+XHQOoOqbqTeRGX4+CMDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEAH0fkK5ieWFtKe6g/7cN3kI240vvPajxZTkTPnacLXOL4nCfA7kkHnhVVIgzP
+liF4TQ60/yMlUBSBBgTV3/AaMaSO4eZlEdLkKchYp9OwrZ9dfyKdJW3wuEFyGKpZ
+6END4vk7F87/ZyFQNkhMPLD890f4ArarDhqw5eHuFoarvxo=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5MiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnrdC
+9sroeA9MJlV1ukIu8XNT9cUF70XCDwxMm5vKZZc2+XVNwgxe4aGse4bPdZ9okZ7y
+2ZMuLyDLEBZaA7GsBzG6snQRgHkmMFS6v+pC3ep9ieqtpnrP3b1f743Y1jFp9zvX
+ZDoddeI/xvYF/73KgiYdTFPLa9ARaKiwpQPMXyECAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUccI8Tjs1Yvclh5+9
+owEeOOAldMgwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQIwDQYJKoZIhvcNAQEF
+BQADgYEADGhYvyIjl02LK5PZdbH9TrAFF66SGgdk+7nl93vr3XB9UnpvJqUfyG55
+ljoX+kKaRd7Z2O+GLTMmH+tqjMQ6bW+7RawMpFVzfhE3EdAr9/K31K6Q6lft8NuP
+wgqhDrrVqYMPa3YM7n+ebATJ0DJ26evfQu5HfIL7Cs/w+CpXi2E=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:71:C2:3C:4E:3B:35:62:F7:25:87:9F:BD:A3:01:1E:38:E0:25:74:C8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 95:0a:96:af:24:83:ca:92:a2:7b:e7:d9:50:bb:49:ec:22:19:
+ 7b:a3:b9:3d:5f:b4:8c:5b:76:25:27:88:6a:26:24:c1:e1:cd:
+ 3e:b6:ef:b4:0f:ef:85:7c:0e:95:9b:13:fa:dd:c0:bf:7c:fe:
+ e1:d9:fc:2a:7a:2f:fd:48:0d:11:58:69:6d:5a:e8:37:26:30:
+ 67:83:83:90:4c:b1:9e:6b:1b:04:d0:8d:60:42:88:13:25:91:
+ ae:42:24:ea:61:ba:5d:34:6a:7c:22:6b:be:cf:2c:e0:67:36:
+ db:28:0e:5c:be:bd:7a:75:3d:ac:cf:3c:9a:44:8e:ca:30:7a:
+ e9:97
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJUKlq8kg8qSonvn2VC7SewiGXujuT1ftIxbdiUniGomJMHhzT62
+77QP74V8DpWbE/rdwL98/uHZ/Cp6L/1IDRFYaW1a6DcmMGeDg5BMsZ5rGwTQjWBC
+iBMlka5CJOphul00anwia77PLOBnNtsoDly+vXp1PazPPJpEjsoweumX
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DE:29:D6:E6:E3:4F:97:1D:03:A8:3A:A6:EA:4D:E4:46:5F:8F:82:30
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:5f:f9:84:20:e3:84:f0:ea:6b:4e:78:c8:18:98:e9:17:56:
+ 9b:ed:99:2f:d5:94:89:60:a0:11:82:40:e0:7f:94:0b:36:76:
+ 9e:1b:88:e2:bb:e2:41:81:cd:f7:66:e4:85:e7:ad:63:d7:e0:
+ 07:7a:9b:4e:54:27:76:49:c4:8d:30:07:c6:ce:6a:e4:b7:d9:
+ f5:9d:94:02:e7:91:5a:17:bb:ef:23:8a:66:20:27:cc:34:f7:
+ 3f:e0:f0:57:43:1e:72:4f:2f:ac:75:48:a6:ab:74:19:95:a1:
+ a2:38:5b:3b:6d:67:4b:69:6b:01:ca:96:b0:76:83:2a:b5:1e:
+ c3:fe
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTIgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFN4p1ubjT5cdA6g6pupN5EZfj4IwMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAIVf+YQg44Tw6mtOeMgYmOkXVpvtmS/VlIlgoBGCQOB/lAs2
+dp4biOK74kGBzfdm5IXnrWPX4Ad6m05UJ3ZJxI0wB8bOauS32fWdlALnkVoXu+8j
+imYgJ8w09z/g8FdDHnJPL6x1SKardBmVoaI4WzttZ0tpawHKlrB2gyq1HsP+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest8.pem
new file mode 100644
index 0000000000..d87c1081b1
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest8.pem
@@ -0,0 +1,197 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Self-Issued requireExplicitPolicy EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjByMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRzBF
+BgNVBAMTPkludmFsaWQgU2VsZi1Jc3N1ZWQgcmVxdWlyZUV4cGxpY2l0UG9saWN5
+IEVFIENlcnRpZmljYXRlIFRlc3Q4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDJsMQQW4ogbj2q9WRWxOqmrcy6BVtHesg3yJh2pcqzUxvNGZWtrZ3M/JI82WbD
+Ns4kgihlmrZZH3sZhjzcdMw/+m05p+rvy7//zB6P1qCRraiYdNJHquzG/7HSnf6f
+i6GdUBsK6YzhP7MtTwfpwVRIUepSCNPIXMVlbIqmh+7fdwIDAQABo1IwUDAfBgNV
+HSMEGDAWgBTTC/BpEgViARafFwSWNmeHq7iGMDAdBgNVHQ4EFgQUjuHoODqDJSoy
+729WEoyqq6oPRNYwDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBBQUAA4GBAKvn
+C5ifYeQnv76PvBmEmSAh1whhdRDKTrua+Zl86HgUZZY7/NJl3ny9FyJr0kE9DAN9
++KRem7jju5ciq8gEwArflK87sdGcpAIq+jiPbGFnD698w7EANZIhIefy3d+lcB6k
+LWpjLAY3+ontoTQAB+/iTBtv4mXMzEh/M7kC3CSC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBN
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNV
+BAMTGXJlcXVpcmVFeHBsaWNpdFBvbGljeTIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALnxr9bA0oGlaihhiPR0d8F/y9ai99F6w8+DtAfGlFtJ4WU3GPih
+ftUTRqZelcu+u6hZgekMwVhjUHyo6sFt5SfbCzJEmjWxI1anTrGAAcH6pG7zF2Z0
+iae8kVE7C8GOgwm+F1Y1RHkw8Wz/UbZ4QGIhzA++KPDi2du40LEGD4BZAgMBAAGj
+fDB6MB8GA1UdIwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMB0GA1UdDgQWBBQT
+5ozBKw9nS0x6HQ62wCFaJJlQhDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
+B6X+ALEMO8yG/lXfGuoX4XPyaZrb1A8oWFk2ZNCx9QIzI6CQ0vRfO47TF20iK5wr
+HN8y7yXpJGZcNTa5+697/kRziJ/zrNiL4b4BP6QRxYv+3Edq7FOb842JguqWw6nP
+SfsshPhMilo3C4X3PESiI67m18AlqgJcYcmemF1R6Ng=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBAzANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBQ
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNV
+BAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTIgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAJ2xj97xq5PBOjaij1jBcMKFCjaRE1wlUR+5Zz8QkwCtipee
+6O1spOPGECu/sOzZ766YgD6B9GrGQsjXYGzHSxnOl8rcgpkeN99/57f2LYSLxKfc
+/qvcMvgHk6SZiGtpkYOvlLl1r1qUMedtPK29920CI0sp5sxygDaL6PgMvtoVAgMB
+AAGjfDB6MB8GA1UdIwQYMBaAFBPmjMErD2dLTHodDrbAIVokmVCEMB0GA1UdDgQW
+BBTeKdbm40+XHQOoOqbqTeRGX4+CMDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEAH0fkK5ieWFtKe6g/7cN3kI240vvPajxZTkTPnacLXOL4nCfA7kkHnhVVIgzP
+liF4TQ60/yMlUBSBBgTV3/AaMaSO4eZlEdLkKchYp9OwrZ9dfyKdJW3wuEFyGKpZ
+6END4vk7F87/ZyFQNkhMPLD890f4ArarDhqw5eHuFoarvxo=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTIgc3ViQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANKdKlFcL/bTvKva2ieqdnoU22tpCEtz1o0HfL/Pz/O0
+4DV5ZVG6hKXh69ev5TjepWl25LTNShr/q+MzVRAEaZ2nxmlAcK9/bneomo1JEuyi
+nE2YDexqxrA8mvilh7k7KF88FBLM6x62rRoW5Pa3rImUa7BruBnOVENN9FiT+Bzr
+AgMBAAGjfDB6MB8GA1UdIwQYMBaAFN4p1ubjT5cdA6g6pupN5EZfj4IwMB0GA1Ud
+DgQWBBTTC/BpEgViARafFwSWNmeHq7iGMDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAG301e612hE7Pdkp3cuJYqwZjTc3NpGnxXnr9uwU44o7qHInBBN0S9GDe
+L++I1sIIiGLIeCflVfEsrGNpkRdHUM2fpfAR7iI0fOfQE7bnAxzFMRyVXXnBoTu/
+N6DupbEncPs47o/raseXsxSBteu7BkiORxBEOXxGtbCktIZ+tRk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5MiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnrdC
+9sroeA9MJlV1ukIu8XNT9cUF70XCDwxMm5vKZZc2+XVNwgxe4aGse4bPdZ9okZ7y
+2ZMuLyDLEBZaA7GsBzG6snQRgHkmMFS6v+pC3ep9ieqtpnrP3b1f743Y1jFp9zvX
+ZDoddeI/xvYF/73KgiYdTFPLa9ARaKiwpQPMXyECAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUccI8Tjs1Yvclh5+9
+owEeOOAldMgwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQIwDQYJKoZIhvcNAQEF
+BQADgYEADGhYvyIjl02LK5PZdbH9TrAFF66SGgdk+7nl93vr3XB9UnpvJqUfyG55
+ljoX+kKaRd7Z2O+GLTMmH+tqjMQ6bW+7RawMpFVzfhE3EdAr9/K31K6Q6lft8NuP
+wgqhDrrVqYMPa3YM7n+ebATJ0DJ26evfQu5HfIL7Cs/w+CpXi2E=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:71:C2:3C:4E:3B:35:62:F7:25:87:9F:BD:A3:01:1E:38:E0:25:74:C8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 95:0a:96:af:24:83:ca:92:a2:7b:e7:d9:50:bb:49:ec:22:19:
+ 7b:a3:b9:3d:5f:b4:8c:5b:76:25:27:88:6a:26:24:c1:e1:cd:
+ 3e:b6:ef:b4:0f:ef:85:7c:0e:95:9b:13:fa:dd:c0:bf:7c:fe:
+ e1:d9:fc:2a:7a:2f:fd:48:0d:11:58:69:6d:5a:e8:37:26:30:
+ 67:83:83:90:4c:b1:9e:6b:1b:04:d0:8d:60:42:88:13:25:91:
+ ae:42:24:ea:61:ba:5d:34:6a:7c:22:6b:be:cf:2c:e0:67:36:
+ db:28:0e:5c:be:bd:7a:75:3d:ac:cf:3c:9a:44:8e:ca:30:7a:
+ e9:97
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJUKlq8kg8qSonvn2VC7SewiGXujuT1ftIxbdiUniGomJMHhzT62
+77QP74V8DpWbE/rdwL98/uHZ/Cp6L/1IDRFYaW1a6DcmMGeDg5BMsZ5rGwTQjWBC
+iBMlka5CJOphul00anwia77PLOBnNtsoDly+vXp1PazPPJpEjsoweumX
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy2 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DE:29:D6:E6:E3:4F:97:1D:03:A8:3A:A6:EA:4D:E4:46:5F:8F:82:30
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:5f:f9:84:20:e3:84:f0:ea:6b:4e:78:c8:18:98:e9:17:56:
+ 9b:ed:99:2f:d5:94:89:60:a0:11:82:40:e0:7f:94:0b:36:76:
+ 9e:1b:88:e2:bb:e2:41:81:cd:f7:66:e4:85:e7:ad:63:d7:e0:
+ 07:7a:9b:4e:54:27:76:49:c4:8d:30:07:c6:ce:6a:e4:b7:d9:
+ f5:9d:94:02:e7:91:5a:17:bb:ef:23:8a:66:20:27:cc:34:f7:
+ 3f:e0:f0:57:43:1e:72:4f:2f:ac:75:48:a6:ab:74:19:95:a1:
+ a2:38:5b:3b:6d:67:4b:69:6b:01:ca:96:b0:76:83:2a:b5:1e:
+ c3:fe
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTIgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFN4p1ubjT5cdA6g6pupN5EZfj4IwMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAIVf+YQg44Tw6mtOeMgYmOkXVpvtmS/VlIlgoBGCQOB/lAs2
+dp4biOK74kGBzfdm5IXnrWPX4Ad6m05UJ3ZJxI0wB8bOauS32fWdlALnkVoXu+8j
+imYgJ8w09z/g8FdDHnJPL6x1SKardBmVoaI4WzttZ0tpawHKlrB2gyq1HsP+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest20.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest20.pem
new file mode 100644
index 0000000000..8850f5ee64
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest20.pem
@@ -0,0 +1,134 @@
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBZjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAzpVbQYnufknoy1tKbCSY840pKcfP2S+jFm6OFC9hzkLFn9uiYzCV
+rCjczQI8lFfM/4p9rUApMIgp4IUAxCOEcgJuKPKmiuoTwPD9XxbmZ/uv+iaLXqF+
+QVcbDGouj0z6RMNz3KGtf0pbgg+/+/wIK4c0XOIM9wTSK0aJVqweAnECAwEAAaNr
+MGkwHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFIr9
+Qil7WXhSSvdIHHG3xHGKplfbMA4GA1UdDwEB/wQEAwIBAjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAo0h6slmGQJsCsth+yeyOMK3j
+2CqJ9gEajx3fWs7x2JJ8LM4zfbFFYctGPKpXdGRBTO8Dj9lQJCr7i1IMMHTitTa/
+xpjn8E0SQgzvkB/0BnSt7DiwV0LXCdtBlLxOS2Fw9NdvbE7jsuBK2W4KDOPElhHJ
+TKQ0T3TjKv8gwxTq8mw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBZTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAtI4Yuumg8WznOojgeWHVZxG23imfdB9ntiQccDxAnvywEfQv6Vlq
+HNVQ5vsVQfvfUZCad2Nbf42DHRtpmVhlxIhKBjoNu/m6xdvz/A6/kvDvrEg+7M7N
+A2ZRVI0T3Z/mMaPuLHuCzKwU20TF6NonxgZXIbATrppAqRUfSY+UQCsCAwEAAaN8
+MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJtc
+UbwiJzEiQJQJJf/Pg3mto4EZMA4GA1UdDwEB/wQEAwICBDAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBs
+BZsxRaZk1qx3balE6qmVZd7jG6C9Gg/n+I5QfXR75ZIus+0Y6GAviBzywvJ8CDZ3
+kIOOrYolpnycedLS17Jnv4D/IDP6OwvmT6/0XvforKDQlmAk6ioJBRAwHRDYHBZg
+lj8FXyMNUS313Un0l2FXJBhfJNBqb1ZqYwWcmJ2t+w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Separate Certificate and CRL Keys EE Certificate Test20
+issuer=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+-----BEGIN CERTIFICATE-----
+MIICrTCCAhagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENl
+cnRpZmljYXRlIGFuZCBDUkwgS2V5cyBDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEw
+NDE5MTQ1NzIwWjBzMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZp
+Y2F0ZXMxSDBGBgNVBAMTP0ludmFsaWQgU2VwYXJhdGUgQ2VydGlmaWNhdGUgYW5k
+IENSTCBLZXlzIEVFIENlcnRpZmljYXRlIFRlc3QyMDCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA19qbNR+soft39JVcTiKn2OTKmaGswAGUpi1lZGYOE4O7xiq9
+FIlSEq2xDeNXvcOEx0GFhZxKefbPzGp8mxtaGpfnV17G1SS/dCxeGZL4D8FUGlzg
+Q0GmhbMZvgroxNvGQD6X/+kdpA34fc6mtgHcR94KE+O5sYTKO4MhqLczr7cCAwEA
+AaNrMGkwHwYDVR0jBBgwFoAUm1xRvCInMSJAlAkl/8+Dea2jgRkwHQYDVR0OBBYE
+FDep7bd0aDt8e8YpJLYhvRpdGYqPMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAO
+MAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAAMSu/B2VpmHV3q3fxUJ3
+7MbeT000oqwthzAG8xJUMten8hTYui0iB5EdxQXBnai07+ZHPBKZVSu6kya/W/zU
+PbSkjS5Agq5eVUDUjCnuVkjOwQsZGA4V86i3oLxyrYeUgmxUSl2/O2tbonLm2u7o
+jkncAUpUj+Sk1N2wFIiBenI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8A:FD:42:29:7B:59:78:52:4A:F7:48:1C:71:B7:C4:71:8A:A6:57:DB
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:7f:8e:79:fc:1e:57:0e:34:9e:bc:05:3c:28:df:90:bb:1f:
+ c7:f4:6a:a1:95:51:f1:d2:b4:1f:3a:64:41:35:b6:42:62:b7:
+ e7:14:1c:bf:0b:ed:6b:ca:f6:4c:c9:a7:48:ab:42:9e:04:9e:
+ 0a:b5:f1:86:99:0f:b1:7e:6e:dd:d6:a6:b3:b1:3f:fc:79:6a:
+ bf:f0:39:3f:03:ac:69:15:b5:2f:5a:17:12:64:8b:e9:46:9f:
+ 82:09:f2:09:91:90:b4:fd:56:a1:ab:04:79:a0:17:33:26:c6:
+ 49:6a:96:d9:42:8b:44:a5:ed:ad:69:82:63:78:8e:e7:96:1d:
+ 17:2d
+-----BEGIN X509 CRL-----
+MIIBdjCB4AIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENlcnRpZmlj
+YXRlIGFuZCBDUkwgS2V5cyBDQTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowIjAgAgECFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1Ud
+IwQYMBaAFIr9Qil7WXhSSvdIHHG3xHGKplfbMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAAV/jnn8HlcONJ68BTwo35C7H8f0aqGVUfHStB86ZEE1tkJit+cU
+HL8L7WvK9kzJp0irQp4Engq18YaZD7F+bt3WprOxP/x5ar/wOT8DrGkVtS9aFxJk
+i+lGn4IJ8gmRkLT9VqGrBHmgFzMmxklqltlCi0Sl7a1pgmN4jueWHRct
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest21.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest21.pem
new file mode 100644
index 0000000000..10fae293df
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest21.pem
@@ -0,0 +1,129 @@
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBaDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAkE8ewG6H/K9jn0Mr7uh5z08m2Q6L7j8F5TVV2RmRs5Pg7bhbYp84
+NplFussZhcF8atUil4VjtO7lRP7tJU1+whPYfXiGfJD4zPT/Xm6lmDdSFc8R2y0q
+tzJgoGWHlJgV//Pqd+n+UOLGZ5zGu6RW032gStSaTqwSKJZb4teHKEECAwEAAaNr
+MGkwHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFFX8
+0tqrZMOyYTeQKZ7TKM9hKhqnMA4GA1UdDwEB/wQEAwIBAjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAQED5V5G6uHHjObLE3i2wzZcA
+u6p/+2z2HqalTsdJp8Nrbi6HIYSknqTJISfZtamnd7a5yoevYv6NCt2pE35uXibI
+4RppXx1RfRHygFa/owUulclmTIfUnF2OqAvKJ2kIHyaEaS4xOZsH2czU9tHC63Nf
+ps1BS8MMZbABdGW8398=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBZzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA3KYLjNA57lhgkT+vLnGuU5pyEDLnM+ziS9ieLUKICACgJVoWIffi
+mlCwAibbpcCvUUXOXuJafNB0BrgRf40KooyTOQJUckIm4UsMNuth0c0rkM0uT8sO
+dzfZ2OmD4or6Og4QQlHHFnSJJ/Z8sELlzOot8jb1LmpNW+j9DamSUq8CAwEAAaN8
+MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFLgZ
+mHzJeDS0JL5/mP3lo87ejVq+MA4GA1UdDwEB/wQEAwICBDAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCt
+w82gQMooCa5xgbsT0eM6FUdx767nks7Ty/HLHe0EJ6NwKxIV1JQ7QO1A9+B/i3oX
+I4bStXzp7xb6I0F+9vkpjDf/rOLN384olQ5WMvck2yiud7606uYPGPKNY5pK2KbP
+Au452W+m5r1g5hzg7Cp/VolIepWLazfVISLk/D3EuA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Separate Certificate and CRL Keys EE Certificate Test21
+issuer=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA2
+-----BEGIN CERTIFICATE-----
+MIICrTCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENl
+cnRpZmljYXRlIGFuZCBDUkwgS2V5cyBDQTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEw
+NDE5MTQ1NzIwWjBzMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZp
+Y2F0ZXMxSDBGBgNVBAMTP0ludmFsaWQgU2VwYXJhdGUgQ2VydGlmaWNhdGUgYW5k
+IENSTCBLZXlzIEVFIENlcnRpZmljYXRlIFRlc3QyMTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAz5LVC14LIVOAWSDaOhj3dMdR3uhZoXO8IIu2MptactPNTm0y
+vKDMchcc9c33HActpSJH6vGOrl1DWTMfFv7g+lAfhxAyD7/Pe+MY82bUCee/2y3M
+5hlk9MlVlFKCuZ3w3GST1bOxnwIunLQ3OuZw90o88OWQ56udtd1pDlFSs3sCAwEA
+AaNrMGkwHwYDVR0jBBgwFoAUuBmYfMl4NLQkvn+Y/eWjzt6NWr4wHQYDVR0OBBYE
+FIRTaV2lGD+eaFK3LoplVXGjlEG0MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAO
+MAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAX8GUnKuy9YrVyKYhWiNY
+XXNHf78GfFyK+477KeBSUdNQlX3swh3jQZAMgEY0hy/SrunP4TcO/G9Wba1y+O3T
+dO7bBLaMNHNcbnfJZL7py11wtl0BryXFbQWeWQulRw/8AohgtrAzhz4C6KCNZBKl
+x5j9BiH1ClsZAQMLLFjZYEk=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:55:FC:D2:DA:AB:64:C3:B2:61:37:90:29:9E:D3:28:CF:61:2A:1A:A7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:25:e2:82:ca:46:5a:88:06:0d:a4:bb:97:86:32:d8:a0:c7:
+ 8e:04:6d:f3:43:05:d5:a5:e3:87:f6:6f:19:5a:56:49:87:15:
+ c1:f8:26:67:e2:ec:28:c3:e1:3f:ab:aa:ed:3f:40:9a:0d:e0:
+ 16:22:47:ba:3a:c2:b4:ff:ea:5d:80:82:df:68:0d:ad:b0:11:
+ bd:15:3c:1d:1c:56:87:81:2e:d4:e8:cf:53:ac:c0:41:fa:5d:
+ 22:53:3c:f5:6e:25:e4:8f:43:59:c8:17:22:4f:13:da:38:55:
+ dd:92:d3:b0:23:27:8e:c5:85:35:1e:28:e2:a7:6b:79:f9:25:
+ 43:ee
+-----BEGIN X509 CRL-----
+MIIBUjCBvAIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENlcnRpZmlj
+YXRlIGFuZCBDUkwgS2V5cyBDQTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqgLzAtMB8GA1UdIwQYMBaAFFX80tqrZMOyYTeQKZ7TKM9hKhqnMAoGA1UdFAQD
+AgEBMA0GCSqGSIb3DQEBBQUAA4GBAHMl4oLKRlqIBg2ku5eGMtigx44EbfNDBdWl
+44f2bxlaVkmHFcH4Jmfi7CjD4T+rqu0/QJoN4BYiR7o6wrT/6l2Agt9oDa2wEb0V
+PB0cVoeBLtToz1OswEH6XSJTPPVuJeSPQ1nIFyJPE9o4Vd2S07AjJ47FhTUeKOKn
+a3n5JUPu
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest35.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest35.pem
new file mode 100644
index 0000000000..8cda2ecdb0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest35.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqDCCAhGgAwIBAgIBSDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIFVSSTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKxL9gyE
+2WbKCoEEU+RviucDsSOeDHQfoVxci7AD0RhpGDZkMaDQhM+DUHywwIo9zUpLVeGi
+xQNu1+1bQ4SzVBT6k7vcf8ZxPOUI+8WQzMNO5H2/PGz3XGpfIw/RJrRH79ICwZlC
+6QzvSbLJhOtJTQS9kFTECA4AeBzHEN3f0igTAgMBAAGjgaYwgaMwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFKwdFrpLHgtf4rxhruHZ
+ZFp5vkXWMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zAnBgNVHR4BAf8EHTAboBkwF4YVLnRlc3RjZXJ0aWZp
+Y2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBAHbVqbpvjgN0GV8abRGms01xVNHT
+PtqMarG3/zQImm9xDzqUqv81kX/8DOy9I/lo3Mvp83M9B74mEEiTTnxkYEpaSouE
+fE3/VAW8dTJb35NeZcOCNWDQv3eA7bufOVO+4KjEHERlxBfEYlPEkJGSLD98SF62
+OYmmR3Cda8cKBk6p
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid URI nameConstraints EE Certificate Test35
+issuer=/C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+-----BEGIN CERTIFICATE-----
+MIICyDCCAjGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBVUkkxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIFVSSSBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDM1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCq7pFXOed1oA+6DHAsdURi
+YtGnBPvAO55F3hR42UcP8vCvKmdtq0HpJsn34xYHoFPjGctei8AiFVXnj1jrbb8w
+LyDLTRVPFPFHmy3Q956KRU0DteJ8ptI4FRQRT7KeqKADvth4tP91aH2DyFy4MTr4
+wvUfV1mnYKgY7gpfBGlOPQIDAQABo4GhMIGeMB8GA1UdIwQYMBaAFKwdFrpLHgtf
+4rxhruHZZFp5vkXWMB0GA1UdDgQWBBRJujI3sGa+0thW8SoF9JqAlJH04zAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMDMGA1UdEQQsMCqG
+KGh0dHA6Ly90ZXN0Y2VydGlmaWNhdGVzLmdvdi9pbnZhbGlkLmh0bWwwDQYJKoZI
+hvcNAQEFBQADgYEAMZko+lW6d/NUyq1yPydllz9hzKbH8duOaaM8azG14FqmvYnz
+EylKSfh2WuqTwkvpusjhdtr/33S7AFU74OJ9dJy1IgqvLWhD/qCm4fbEq44Ejhr5
+sChHIwMIvecNIEOi6e2R7Ue9ivA2gtFEQCfse4ZVPf/f3MLErRsp1dtITxI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AC:1D:16:BA:4B:1E:0B:5F:E2:BC:61:AE:E1:D9:64:5A:79:BE:45:D6
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:8d:62:fe:d7:4c:f3:06:9a:78:4d:e0:96:d6:4b:12:b3:93:
+ 23:96:6d:00:b6:6b:7f:35:25:e3:94:20:1b:fe:c8:cb:3d:5c:
+ 7b:e8:f3:cf:c3:db:96:d3:62:4e:b7:5b:93:05:11:c3:7f:41:
+ 94:e8:75:d2:8a:67:bf:f3:b0:81:25:22:99:a3:4c:02:9f:1c:
+ 87:1d:b1:20:a6:0f:b7:c8:f2:2b:e5:b2:4d:b4:e1:bc:c3:85:
+ b7:54:29:13:e8:7e:53:ed:d2:cc:a7:95:3f:71:32:5d:3a:09:
+ a1:fe:af:ba:45:14:41:1a:67:fb:8f:46:03:6a:fb:78:26:71:
+ 02:1b
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBV
+UkkxIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBSsHRa6Sx4LX+K8Ya7h2WRaeb5F1jAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBIjWL+10zzBpp4TeCW1ksSs5Mjlm0Atmt/NSXjlCAb/sjLPVx76PPP
+w9uW02JOt1uTBRHDf0GU6HXSime/87CBJSKZo0wCnxyHHbEgpg+3yPIr5bJNtOG8
+w4W3VCkT6H5T7dLMp5U/cTJdOgmh/q+6RRRBGmf7j0YDavt4JnECGw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest37.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest37.pem
new file mode 100644
index 0000000000..8564b40553
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest37.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBSTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIFVSSTIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANCu/tVS
+XB6TUXM4bU2lQ7EKvQrGMy49TSnHlIwEVZ9UNvbSA/ChnCxPIKWiVWlqdqr0evlL
+xdLPxQe6xHuVjkvgFleY6RjA9LqD7YFFvf8AnDD6BV0kIr3itChNI2abON8Dh6IG
++o48bCPAt9bqxCepQbrSn4mYSlcKjyn66Ev7AgMBAAGjgagwgaUwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFIakVWPxjKAjp6e8y2yq
+bdBaxg9aMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zApBgNVHR4BAf8EHzAdoRswGYYXaW52YWxpZGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAXeaQUlCHmmhg1rKHYxVfKaCq
+S574GPbDh1QtQoNmVqFF+yGHse9s4hcYcv7VZB74kYKCFUShbBWl1VcmgPbJLDnc
+MDjP1B35WdH4IGAxCBLHOiuv/1AWL9EfHUdhX2ZoFpJqNty9lFkahCZ6MARJwtS2
+fBh60OItInetzMDECnE=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid URI nameConstraints EE Certificate Test37
+issuer=/C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+-----BEGIN CERTIFICATE-----
+MIICyDCCAjGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBVUkkyIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQD
+EzFJbnZhbGlkIFVSSSBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDM3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7RoVBb6HAXuZfLDEJZHtZ
+ZqQoQWTPZt8PsM1IGx7uBWtoC8OpBufVE0QTJZV7uKwsbPCvIAHlsKsoTgxWMPpG
+83/daynjox1RbmbI9Vlc+tK/SbwbkIVJ7bO65t52t1SDIfnPSxBa24BxP8wPqbCj
+d1alYdvUt+5ERxY6pW+3tQIDAQABo4GhMIGeMB8GA1UdIwQYMBaAFIakVWPxjKAj
+p6e8y2yqbdBaxg9aMB0GA1UdDgQWBBQJ/mqtsTQDfDnYag36Bwgfh5EMFDAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMDMGA1UdEQQsMCqG
+KGZ0cDovL2ludmFsaWRjZXJ0aWZpY2F0ZXMuZ292OjIxL3Rlc3QzNy8wDQYJKoZI
+hvcNAQEFBQADgYEAWfo3+4bDtxvUvo7zJGGkAMWVXpX27OK57XmNG8U6Ge4H9ruL
+S3OImTHGFt4EbUhw7OIxtSSCdT9x3SAg+jLVLn5FZYM3tkPk83lLSgSS1kvoRJNN
+zf69vibTDpsT9yzeMDt0vFKe/YN4RJwfBWm0ty7yrI6uUu3oxcwLsV7+Wbo=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:86:A4:55:63:F1:8C:A0:23:A7:A7:BC:CB:6C:AA:6D:D0:5A:C6:0F:5A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:1d:ee:ad:1d:21:24:88:c7:70:27:82:cf:68:1d:fa:61:18:
+ da:2c:a9:9e:05:0d:b4:7e:e3:ac:49:fc:82:76:d0:6c:80:1c:
+ b3:b0:36:4c:44:da:e9:0e:aa:9a:df:66:1e:0a:80:f4:f0:0c:
+ 84:02:2f:57:47:96:e1:f7:ae:e6:be:85:9e:53:e0:97:1e:9a:
+ 68:7e:f2:32:8c:d7:89:1e:63:dd:3f:47:06:30:44:e3:42:ee:
+ 30:c2:d6:ce:3a:46:4f:6c:8c:e2:43:c3:7e:5a:51:ce:5e:73:
+ 7a:ed:f7:5a:04:a8:0d:f2:f0:67:af:e1:0e:b8:eb:9f:cd:2b:
+ 24:62
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBV
+UkkyIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBSGpFVj8YygI6envMtsqm3QWsYPWjAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBzHe6tHSEkiMdwJ4LPaB36YRjaLKmeBQ20fuOsSfyCdtBsgByzsDZM
+RNrpDqqa32YeCoD08AyEAi9XR5bh967mvoWeU+CXHppofvIyjNeJHmPdP0cGMETj
+Qu4wwtbOOkZPbIziQ8N+WlHOXnN67fdaBKgN8vBnr+EOuOufzSskYg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLEntryExtensionTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLEntryExtensionTest8.pem
new file mode 100644
index 0000000000..0834f93e74
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLEntryExtensionTest8.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=Unknown CRL Entry Extension CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBDDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUGA1UEAxMeVW5rbm93biBD
+UkwgRW50cnkgRXh0ZW5zaW9uIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQC4N3fv71Sg97CctA2gdnDYdBCxvD0dw26KQaNDbFJBOuoUZ2YczhV1669VascT
+67yTxIEcK9/IDZ3YH24KxfGvQ/QPio8W8AMrVyCcHJvX6LyAe8VOYc1STiqxmpxi
+lp0TtHeYT9eIybRSaoqtDChQrkbPKB3unwxZbFwK7EJz+QIDAQABo3wwejAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU9Vvr2srl76qI
+n9lsv1vOk2kRTYAwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAAHH0P2ABpSL
+gN0JmwJ5PRblM4ot5qt69t9Qxgui/fn5pIZa+tDA3zKtJx1/S1Sm3gdZb+2A71hS
+3h/LIkmSD7rTwgJTfjtKd2rVxvPhLlvC6Pt+8cOlOAfxT88Q5atXsU0P+7ZMw/4U
+3F6PnahEk6JTNn1ylgi/e3jRoVAew8qv
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Unknown CRL Entry Extension EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=Unknown CRL Entry Extension CA
+-----BEGIN CERTIFICATE-----
+MIICnzCCAgigAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHlVua25vd24gQ1JM
+IEVudHJ5IEV4dGVuc2lvbiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMGwxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFB
+MD8GA1UEAxM4SW52YWxpZCBVbmtub3duIENSTCBFbnRyeSBFeHRlbnNpb24gRUUg
+Q2VydGlmaWNhdGUgVGVzdDgwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPIB
+J/eXGbgEoIPq9cvpKM1LhdR/nU/V8FVZG6E6cGIPHhm6FpNthtmafeQMPHMkT4eV
+41lXx8f9O4+xj0BUXNv/WhGhsT1PHxs+VzLNTG2mp4a6gOaLprNo0vi8C0jMfyQ/
+QMqq0d3vM/QmM4H1AJnguuG4xoSFqLZqIAYC1Xb1AgMBAAGjazBpMB8GA1UdIwQY
+MBaAFPVb69rK5e+qiJ/ZbL9bzpNpEU2AMB0GA1UdDgQWBBQoe5/NueRG8dILVNg3
+c7z7YF5PVjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA0GCSqGSIb3DQEBBQUAA4GBADjyBhwUgM1wXGm948RATjxho9tRdPLLVwj3K0Mh
+JSy5uURrxX2u5UUutqr2ZOpMjUcO0KY0qePFA7Oi2i1Wh49awyxUEqYVxRgBxNtB
+sKxMJG/iV6sX+9X3ObXDCG960+AD2q16GmjPiVrqxE3JQE/1dvdEyHduVgugTEpu
+WOKs
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Unknown CRL Entry Extension CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F5:5B:EB:DA:CA:E5:EF:AA:88:9F:D9:6C:BF:5B:CE:93:69:11:4D:80
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.16.840.1.101.2.1.12.2: critical
+ ...
+ Signature Algorithm: sha1WithRSAEncryption
+ 46:89:76:03:d1:a8:eb:7d:04:de:bf:a8:1f:86:48:8a:d9:78:
+ ae:21:21:62:91:3d:ba:79:b0:17:d4:ca:41:ae:d3:43:4c:77:
+ 2d:9e:99:65:93:59:dc:72:dc:d4:90:04:e4:f3:ec:ed:63:bd:
+ 09:59:3c:a8:0b:ae:fa:ef:11:73:b2:a4:9a:e7:6e:c2:fe:11:
+ 04:f1:f5:58:78:95:d2:24:2d:4c:4b:7e:7b:f1:8e:9f:ce:82:
+ 76:be:a5:5e:77:e2:33:10:a5:d1:2a:2a:c8:e2:f5:09:6d:e2:
+ e7:c7:9c:cc:5b:3c:52:29:f4:a0:3d:6e:8a:87:8a:94:2a:65:
+ 74:fb
+-----BEGIN X509 CRL-----
+MIIBhDCB7gIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHlVua25vd24gQ1JMIEVudHJ5
+IEV4dGVuc2lvbiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA3MDUC
+AQEXDTAxMDQxOTE0NTcyMFowITAKBgNVHRUEAwoBATATBglghkgBZQIBDAIBAf8E
+AwIBAKAvMC0wHwYDVR0jBBgwFoAU9Vvr2srl76qIn9lsv1vOk2kRTYAwCgYDVR0U
+BAMCAQEwDQYJKoZIhvcNAQEFBQADgYEARol2A9Go630E3r+oH4ZIitl4riEhYpE9
+unmwF9TKQa7TQ0x3LZ6ZZZNZ3HLc1JAE5PPs7WO9CVk8qAuu+u8Rc7Kkmuduwv4R
+BPH1WHiV0iQtTEt+e/GOn86Cdr6lXnfiMxCl0SoqyOL1CW3i58eczFs8Uin0oD1u
+ioeKlCpldPs=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest10.pem
new file mode 100644
index 0000000000..8dc7416970
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest10.pem
@@ -0,0 +1,117 @@
+subject=/C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBDTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYVW5rbm93biBD
+UkwgRXh0ZW5zaW9uIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCytAs/
+JAs2Ja8c89As83uwUulH9T9tQPZcA7nYHvlyElO2ck8TAyHsxyTJEX3dSXo5IOhG
+VD2Onq3BDeRFf6pu5OMpoQ3OGJbb4q22/qZtN6etR0haIBvS2ftAIPX1mJHU48rv
+TuMEQ0hoVtFxKdyYSeFaw9iBTbcaZdPUCMbnIwIDAQABo3wwejAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUao8V/5j0N/1M9CcF3W7o
+YaFVtKswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAFoi3BNwtKmwgQu7YVgw
+RJCuLiqFCNPny8zbrLdJOyTSB1MqnPBzrnx0E2U6i+5RTiuIUrD5V54/46OcAenb
+ABT5jTygyoV5M03Iy6ZRQ71ZqeX2hc8LeHetvMTN1fZiNOtwt6Qn4LtWGyw5KH34
+KMAytthglbz5meZVb+cbK820
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Unknown CRL Extension EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+-----BEGIN CERTIFICATE-----
+MIIClDCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFVua25vd24gQ1JM
+IEV4dGVuc2lvbiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGcx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE8MDoGA1UE
+AxMzSW52YWxpZCBVbmtub3duIENSTCBFeHRlbnNpb24gRUUgQ2VydGlmaWNhdGUg
+VGVzdDEwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi6/iZeRoibZWIgFQb
+pVXsmxIdt4k56SpvzvPgJPyoxkehfaVCNpZQ9udynRLZaogzk1Js85Xmf+O3MBul
+a/xJq4BU0Mit5jPBDcfqEpOu4ovFBfX7i+nBDbBiS+2v+QkqntokkwaDKKCnDRV2
+qjQdAnTFbFNpkpyO3yhWJ6ASOwIDAQABo2swaTAfBgNVHSMEGDAWgBRqjxX/mPQ3
+/Uz0JwXdbuhhoVW0qzAdBgNVHQ4EFgQUkm2zSID0l7fhHwrbvsB+O9PRHtkwDgYD
+VR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0B
+AQUFAAOBgQCMYaiiImk6MCNreccITRisfSs0mHnXu7opjgpXuD6GcKnQtOhN/52T
+12dfAZMp+ROHHg2hZ1xWY7Uvn5IWbWEepjY0SpyGDsuzLgEO2xXg7DU5n1yxZpao
+mnsYHYHJPrTQK7jpsbutOP27RSNid2jQNfnyDoYsn2uCl6zen1aoCw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:8F:15:FF:98:F4:37:FD:4C:F4:27:05:DD:6E:E8:61:A1:55:B4:AB
+
+ X509v3 CRL Number:
+ 1
+ 2.16.840.1.101.2.1.12.2: critical
+ ...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 87:83:34:a5:84:cb:5a:ea:95:df:cf:c0:15:aa:4a:32:5a:e7:
+ 29:82:92:af:40:f0:c1:5b:0f:f8:4f:c5:ba:af:bf:12:16:85:
+ b2:d9:df:d5:f3:5a:da:bd:15:8a:ec:d3:a1:af:e7:8f:80:48:
+ 54:1f:22:c2:8a:74:9e:c1:c8:5b:33:a4:8f:6a:30:43:91:35:
+ 0b:08:c2:87:c5:5a:b0:b4:30:6c:f4:f7:22:7b:71:b6:ff:7e:
+ 3f:ae:da:aa:b7:d2:4a:a7:10:7c:70:b7:6a:10:85:d1:9f:d1:
+ 5d:bc:36:44:30:32:6c:bc:a6:8e:24:96:62:d6:68:c0:24:13:
+ 55:3a
+-----BEGIN X509 CRL-----
+MIIBfjCB6AIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFVua25vd24gQ1JMIEV4dGVu
+c2lvbiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQEXDTAx
+MDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaBEMEIwHwYDVR0jBBgwFoAUao8V/5j0
+N/1M9CcF3W7oYaFVtKswCgYDVR0UBAMCAQEwEwYJYIZIAWUCAQwCAQH/BAMCAQAw
+DQYJKoZIhvcNAQEFBQADgYEAh4M0pYTLWuqV38/AFapKMlrnKYKSr0DwwVsP+E/F
+uq+/EhaFstnf1fNa2r0ViuzToa/nj4BIVB8iwop0nsHIWzOkj2owQ5E1CwjCh8Va
+sLQwbPT3Intxtv9+P67aqrfSSqcQfHC3ahCF0Z/RXbw2RDAybLymjiSWYtZowCQT
+VTo=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest9.pem
new file mode 100644
index 0000000000..ed2ddac429
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest9.pem
@@ -0,0 +1,117 @@
+subject=/C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBDTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYVW5rbm93biBD
+UkwgRXh0ZW5zaW9uIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCytAs/
+JAs2Ja8c89As83uwUulH9T9tQPZcA7nYHvlyElO2ck8TAyHsxyTJEX3dSXo5IOhG
+VD2Onq3BDeRFf6pu5OMpoQ3OGJbb4q22/qZtN6etR0haIBvS2ftAIPX1mJHU48rv
+TuMEQ0hoVtFxKdyYSeFaw9iBTbcaZdPUCMbnIwIDAQABo3wwejAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUao8V/5j0N/1M9CcF3W7o
+YaFVtKswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAFoi3BNwtKmwgQu7YVgw
+RJCuLiqFCNPny8zbrLdJOyTSB1MqnPBzrnx0E2U6i+5RTiuIUrD5V54/46OcAenb
+ABT5jTygyoV5M03Iy6ZRQ71ZqeX2hc8LeHetvMTN1fZiNOtwt6Qn4LtWGyw5KH34
+KMAytthglbz5meZVb+cbK820
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Unknown CRL Extension EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFVua25vd24gQ1JM
+IEV4dGVuc2lvbiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGYx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE7MDkGA1UE
+AxMySW52YWxpZCBVbmtub3duIENSTCBFeHRlbnNpb24gRUUgQ2VydGlmaWNhdGUg
+VGVzdDkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN5hxrET3bqQkPGYoOqM
+k59f/6Bz8rfuR0w0CP8UqMM+W2xDKIj+J1+sHfl1rsbgm3kKLrIF/DeRgOUS9k+m
+1gTj4NxYqTLXRu3AeqoWe7Z04z8WxqhHyD40VbqJeZgRl960H7nqSS7FUCE5Uhrz
+cBhoLlhH2/lYNtZmNFemPVA9AgMBAAGjazBpMB8GA1UdIwQYMBaAFGqPFf+Y9Df9
+TPQnBd1u6GGhVbSrMB0GA1UdDgQWBBQ/ld8yhWsnGl6nmqhcM8TxDa9n7jAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEB
+BQUAA4GBADFhplcYCh5Wt/vpCzwZMGj0be5RMlPSh+6UWKY8gR+TknXyeyhIN0TU
+R7DRXv/XE6ZRQda9Pslooz1WB/VBez54Sg3EirsB8hK/E+PS//mo0NN5ooOdWb8s
+WqML3eEo3XVs0Fj1mYc+8U4bYRPrtDVO4Mr/SnyKNNCf1O5R+X74
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Unknown CRL Extension CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:8F:15:FF:98:F4:37:FD:4C:F4:27:05:DD:6E:E8:61:A1:55:B4:AB
+
+ X509v3 CRL Number:
+ 1
+ 2.16.840.1.101.2.1.12.2: critical
+ ...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 87:83:34:a5:84:cb:5a:ea:95:df:cf:c0:15:aa:4a:32:5a:e7:
+ 29:82:92:af:40:f0:c1:5b:0f:f8:4f:c5:ba:af:bf:12:16:85:
+ b2:d9:df:d5:f3:5a:da:bd:15:8a:ec:d3:a1:af:e7:8f:80:48:
+ 54:1f:22:c2:8a:74:9e:c1:c8:5b:33:a4:8f:6a:30:43:91:35:
+ 0b:08:c2:87:c5:5a:b0:b4:30:6c:f4:f7:22:7b:71:b6:ff:7e:
+ 3f:ae:da:aa:b7:d2:4a:a7:10:7c:70:b7:6a:10:85:d1:9f:d1:
+ 5d:bc:36:44:30:32:6c:bc:a6:8e:24:96:62:d6:68:c0:24:13:
+ 55:3a
+-----BEGIN X509 CRL-----
+MIIBfjCB6AIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFVua25vd24gQ1JMIEV4dGVu
+c2lvbiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQEXDTAx
+MDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaBEMEIwHwYDVR0jBBgwFoAUao8V/5j0
+N/1M9CcF3W7oYaFVtKswCgYDVR0UBAMCAQEwEwYJYIZIAWUCAQwCAQH/BAMCAQAw
+DQYJKoZIhvcNAQEFBQADgYEAh4M0pYTLWuqV38/AFapKMlrnKYKSr0DwwVsP+E/F
+uq+/EhaFstnf1fNa2r0ViuzToa/nj4BIVB8iwop0nsHIWzOkj2owQ5E1CwjCh8Va
+sLQwbPT3Intxtv9+P67aqrfSSqcQfHC3ahCF0Z/RXbw2RDAybLymjiSWYtZowCQT
+VTo=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCriticalCertificateExtensionTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCriticalCertificateExtensionTest2.pem
new file mode 100644
index 0000000000..bf772ff279
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCriticalCertificateExtensionTest2.pem
@@ -0,0 +1,58 @@
+subject=/C=US/O=Test Certificates/CN=Invalid Unknown Critical Certificate Extension EE Cert Test2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBXzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMHAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFFMEMGA1UEAxM8SW52YWxpZCBV
+bmtub3duIENyaXRpY2FsIENlcnRpZmljYXRlIEV4dGVuc2lvbiBFRSBDZXJ0IFRl
+c3QyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdgE9VN0Ghm/NmN4sGBIWC
+mYNYrK8ADbOxwu75ug/F5jR3Wq3Hlg4aC8SCNQ2h/sEnsGhZ1nsQwF1mDWMvsGrR
+87vV31pE9SlPQvMPG5S9UlqHO0b/4wj057sWoMHSvOcROdgJti2Dzt9p9+ArbK56
+kYAf4TYDVQi/UvCb4TYe9wIDAQABo4GAMH4wHwYDVR0jBBgwFoAU+2zULYGeyid6
+ng2wPOqavIf/SeowHQYDVR0OBBYEFCWr0F6axQ7dDvC4QVdDsvqzwEdgMA4GA1Ud
+DwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwEwYJYIZIAWUCAQwC
+AQH/BAMCAQAwDQYJKoZIhvcNAQEFBQADgYEAC49hK2AAPynegAqkmf6gK9o2lbGR
+G1PQFqTf+zLATRWYbB+S1lvMJEOYcf1/T2arOgWO6xXJHvQ2xvYr6VbfBSnIdhUW
+OoIQIAowM3RWpZaHu9Ze31BXnoiw3AJxmzIzuD5l+4RyE5OeqTtfJK15kOpeJVdH
+aMmBFW2/5/9zl0k=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidWrongCRLTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidWrongCRLTest6.pem
new file mode 100644
index 0000000000..7f10e7695f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidWrongCRLTest6.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Wrong CRL CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBCjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMV3JvbmcgQ1JM
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrjpkZYUtNf/4W6weCyaK0
+JDUtJyXxK8YEL9R2hpnPnGceXRXEkq7XPWyNBAC+lpGPd+mWjvX4A/MAsGHsOiY3
+I35sJHR0ViNoDDIpACYBuNhtFTQ0JHS34zOZR+jG0BYSib4h+svHctlVWGOY3l8F
+lp8EWSm8YZ3kt7kycshWzQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQU1G3jwp/Wffea3VwN0SfwS1Rpd6gwDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAI844RkGSuDIY9HF+gW3Nd6C3sILutA0Zsqw
+Ih0wWh/y9VOV6TNvPd8BlF1i0WkAMcswgqhrODgySpG7fdDlgMTSI/Tz0ObYbsA/
+Dcd3OplmCfRKi8biDWnBn6LdZysZ9uiIOBFyOFr5cfWGlgSctiXxtZc15sju+TTA
+EwWcPVar
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Wrong CRL EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=Wrong CRL CA
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFdyb25nIENSTCBD
+QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEvMC0GA1UEAxMmSW52YWxpZCBX
+cm9uZyBDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDYwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALC3wWGmw5/yOOPg3RNvStJ9JJIfBz6CyFWksquf/4icnW/wL4rx
+hCxN1vNOSiH+IrOgWYTpkpGPiMvbvn4h9I2Ytzimw1O0EPTXFAE6CdJagxdcsFHA
+1UJMR/+666NEypeYmyaFMPduqmcR7rED7TZZgQGhltY2+06s0SghWO1fAgMBAAGj
+azBpMB8GA1UdIwQYMBaAFNRt48Kf1n33mt1cDdEn8EtUaXeoMB0GA1UdDgQWBBTI
+T2I2nkS+ARaPkr3QPXOlb30emTAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAKM9XsZ6SDRWXHk1nyBsa28P
+ItsxtO1B0ZnK4Aboih9fOPg14udmRCVjgc7Z3UCl+F8YXFWKkisitt55o74MCv60
+2vlEaBrRBPMvTpHwqyNIWCcuDYBT4JrfC+iF8RwHtts9c0KUUn/bwXAuvDclEg79
+XUWTzrxsqFVOnMEktZUm
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c7:32:ea:21:ff:7d:01:d4:f3:d9:c5:a9:ea:04:35:21:81:d2:
+ 13:f2:35:d3:e4:53:c5:03:93:de:a1:2d:25:56:64:bc:52:20:
+ 81:53:69:6a:a6:90:26:38:bd:ed:31:7f:a9:7b:c1:e8:a9:e5:
+ 07:97:82:bb:3e:8a:f9:79:ec:2e:bd:16:4c:31:6b:b6:80:ca:
+ ba:ba:0c:35:0a:d6:08:3c:31:78:fe:d3:3d:06:69:6c:3a:e4:
+ 07:4d:6e:84:21:d3:c3:90:60:8f:99:90:62:a9:16:38:25:2f:
+ 7e:08:5f:2f:cc:59:d7:7d:9b:2f:d8:0b:e7:70:d9:64:f7:01:
+ 38:8d
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU+2zULYGe
+yid6ng2wPOqavIf/SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAxzLq
+If99AdTz2cWp6gQ1IYHSE/I10+RTxQOT3qEtJVZkvFIggVNpaqaQJji97TF/qXvB
+6KnlB5eCuz6K+XnsLr0WTDFrtoDKuroMNQrWCDwxeP7TPQZpbDrkB01uhCHTw5Bg
+j5mQYqkWOCUvfghfL8xZ132bL9gL53DZZPcBOI0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest2.pem
new file mode 100644
index 0000000000..f64a9bb06c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest2.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=basicConstraints Critical cA False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBFzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlYmFzaWNDb25z
+dHJhaW50cyBDcml0aWNhbCBjQSBGYWxzZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAsmocvHtIhy06xoGU8RgpDv0nBGXIPSXRG6Poy/+IGxarpbG06NmC
+maF9YsRYKMKl35fIYgRSJXsZQNbNdFp+OP0unEc2gkWnRFkd5UYXaUYUw+1joRBQ
+rv66WNwMkTSpFnzmb0Pvvxw+5Yy8MMzvfYTwnw4GIgLtTrffpS9B4V8CAwEAAaN5
+MHcwHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMdH
+T3Qigo2QmpSYRbO1Q8N1GDbOMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQCYmJK2
+5OMOWxlviglY0yKGvQpDwTyJ4CJmsGGI/rtSjvfFiqHPmq2c/QGm+pAdKMqkhGXN
+FjVPKm8pLqrFbAnWXSG5OeWq5wEMckNe1Qjp91ag5gmWEVwdq86eNxkkA6w/+hjp
+BxoCAT74c74EqPpOX8c6NGlI3VyN0hODzePSHA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cA False EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=basicConstraints Critical cA False CA
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJWJhc2ljQ29uc3Ry
+YWludHMgQ3JpdGljYWwgY0EgRmFsc2UgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEw
+NDE5MTQ1NzIwWjBZMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZp
+Y2F0ZXMxLjAsBgNVBAMTJUludmFsaWQgY0EgRmFsc2UgRUUgQ2VydGlmaWNhdGUg
+VGVzdDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWAnb4eGXIMKqcvxV1N
+I1WYOIgPGw0pmor0ePIVaJFQZALxDndu3IUvzZCuK/m5nBAn3qtGItKULZEqeZx1
+sqbagMshYrHDkntnRShl1luH40b/RdWn0SnkWcYiA+ZTmcUYTV4t0OmgeUzQMtMj
+LRQ76i3JymtkR6MDgbJ6NWQzAgMBAAGjazBpMB8GA1UdIwQYMBaAFMdHT3Qigo2Q
+mpSYRbO1Q8N1GDbOMB0GA1UdDgQWBBTQ3jc8Qy+MJLvnf+0PWJpzZUdgHzAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEB
+BQUAA4GBAKhCguYapRZdH/DcOaj9Mtc/x8+/QbXwwWTyETUNHItDAWqwXgCbEHKN
+tbgWB6IZnzhzWvLcNk0HJrqf8jnYEC3EWj9ruOl7oaCWRuq5uLwtnf6MCI32zjzT
+yJDh7QLWt2STzMDmppGt84nl3PjN8MaQhp2qTJyP9f8ue+n+Ng0D
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=basicConstraints Critical cA False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C7:47:4F:74:22:82:8D:90:9A:94:98:45:B3:B5:43:C3:75:18:36:CE
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 32:bc:12:1f:84:d0:b6:3e:72:a0:fb:d9:75:99:ca:e5:2a:05:
+ 09:e6:c8:27:74:47:1c:dc:0c:d4:9f:bc:9f:b2:62:25:b4:6d:
+ 5b:e5:0b:e8:2a:8e:07:eb:3e:6b:c5:1e:9a:d2:14:fd:89:5b:
+ c3:10:bf:19:77:67:0a:33:45:1b:bc:6c:ed:af:84:30:59:fb:
+ 7c:71:95:63:60:31:9b:9b:0a:ea:77:f1:70:f1:b9:2e:d1:a9:
+ 04:42:66:94:b9:54:48:db:44:56:56:1a:57:5a:01:0e:7c:4d:
+ d7:c0:1f:5c:6f:13:f5:a3:57:88:6a:9a:71:cd:d5:ae:c3:00:
+ b1:28
+-----BEGIN X509 CRL-----
+MIIBUjCBvAIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJWJhc2ljQ29uc3RyYWludHMg
+Q3JpdGljYWwgY0EgRmFsc2UgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqgLzAtMB8GA1UdIwQYMBaAFMdHT3Qigo2QmpSYRbO1Q8N1GDbOMAoGA1UdFAQD
+AgEBMA0GCSqGSIb3DQEBBQUAA4GBADK8Eh+E0LY+cqD72XWZyuUqBQnmyCd0Rxzc
+DNSfvJ+yYiW0bVvlC+gqjgfrPmvFHprSFP2JW8MQvxl3ZwozRRu8bO2vhDBZ+3xx
+lWNgMZubCup38XDxuS7RqQRCZpS5VEjbRFZWGldaAQ58TdfAH1xvE/WjV4hqmnHN
+1a7DALEo
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest3.pem
new file mode 100644
index 0000000000..8784c21050
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest3.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=basicConstraints Not Critical cA False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBGDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEyMDAGA1UEAxMpYmFzaWNDb25z
+dHJhaW50cyBOb3QgQ3JpdGljYWwgY0EgRmFsc2UgQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALebKuy5EJW95AkM4MZ0p12UxwWQqlclzW+C7Ntov96ejAjA
+ciH9FrTh8IzXl99nnQnHHO8O+pZ1jzh8hQx+kAGx6ENV87E9ByTgcNUwSgHgEHX+
+59fIr8RTbdUtF2T1U8iyFM88FkpI682I0GvNDuej65588/P/OAHTmZbqcWrfAgMB
+AAGjdjB0MB8GA1UdIwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQW
+BBTEleK6dmzd47tLaP1CRfgUVOxbzTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADgYEAhjgF
+Diuvic63KpOvuZxczWMf0K//uMCtUxtXXRTI3/Wm4ryKa+yI52FUGhUcNB5wRAES
+R1tJSuphGx6rdcSHZTE95gLo24lnyc+oTZQ3gcK2xouTy3F3CvhmPs9QMMjaqtfn
+NDJKzUyBvAasUQ9SZxk+bifeeSQ/RDzmQxNKHr8=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cA False EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=basicConstraints Not Critical cA False CA
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMjAwBgNVBAMTKWJhc2ljQ29uc3Ry
+YWludHMgTm90IENyaXRpY2FsIGNBIEZhbHNlIENBMB4XDTAxMDQxOTE0NTcyMFoX
+DTExMDQxOTE0NTcyMFowWTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMS4wLAYDVQQDEyVJbnZhbGlkIGNBIEZhbHNlIEVFIENlcnRpZmlj
+YXRlIFRlc3QzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5JEpPUEhR94hD
+geH4nu6tuBiM/sUvTffvOfzdSftTXOQ/4pHuZPXKDz7SrM5gAimRZMXlC0ZngP7z
+9Q7StXqOqMvZI75GjHGYr3S3W56vvCxfDh639L/x3UlhfKqEzn3rMLMDC52lJzcH
+npMqMRIYWdedIvqg6OaxMDj30va12wIDAQABo2swaTAfBgNVHSMEGDAWgBTEleK6
+dmzd47tLaP1CRfgUVOxbzTAdBgNVHQ4EFgQUxBUts6LKOH9HITo2TnmeY1hdGNsw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG
+9w0BAQUFAAOBgQAnnZ9Y8fdKeA3cdodXsQqz302mCLQLH1jhcE7UnfAYrTdecJ5s
+8xxE7AKdNEG7/KUAoSwKDsGw0HBIQDPD62kblZEWKViT4+e4isf4Dy3G31BRbkiu
+bcJsDKzOOdCeCdXJvGXAJ18su8P+4srOddrQuINqRy2YgDG5Rka2WArY2g==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=basicConstraints Not Critical cA False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C4:95:E2:BA:76:6C:DD:E3:BB:4B:68:FD:42:45:F8:14:54:EC:5B:CD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a4:53:e8:4c:ac:c5:d6:66:9f:c8:a6:4c:ad:d2:6f:2e:31:b6:
+ 48:37:6b:9e:e8:76:8a:ff:23:80:3a:49:a2:91:d4:94:0a:bd:
+ 9b:2c:0b:cd:c3:9f:e8:a4:7e:b1:ce:37:ea:23:5c:ff:c2:76:
+ 6e:c4:84:d3:21:2a:ef:7d:2e:fd:71:54:2d:8a:ef:f5:96:73:
+ f1:7a:c9:1a:7c:77:86:b4:df:0c:47:a3:8b:9b:b1:f7:bc:21:
+ 64:6d:19:97:ca:b2:1b:e8:4d:f7:66:c4:78:75:5d:76:b8:7c:
+ 5d:88:f4:ae:b8:6c:27:11:c4:96:09:b2:35:fb:6a:da:f8:fe:
+ 73:df
+-----BEGIN X509 CRL-----
+MIIBVjCBwAIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMjAwBgNVBAMTKWJhc2ljQ29uc3RyYWludHMg
+Tm90IENyaXRpY2FsIGNBIEZhbHNlIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaoC8wLTAfBgNVHSMEGDAWgBTEleK6dmzd47tLaP1CRfgUVOxbzTAKBgNV
+HRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQCkU+hMrMXWZp/Ipkyt0m8uMbZIN2ue
+6HaK/yOAOkmikdSUCr2bLAvNw5/opH6xzjfqI1z/wnZuxITTISrvfS79cVQtiu/1
+lnPxeskafHeGtN8MR6OLm7H3vCFkbRmXyrIb6E33ZsR4dV12uHxdiPSuuGwnEcSW
+CbI1+2ra+P5z3w==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest27.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest27.pem
new file mode 100644
index 0000000000..357566f6e2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest27.pem
@@ -0,0 +1,140 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDblDsGRxVahA98R7vE
+/DS4nbSbyoerDINPIyc8wkOtWcS+y+f9O5IIdDJOZm2I5px1PA840SXYHh15o3ZW
+Vn4gFU3AgKF/CWMJ1g79LAYAMnQN/T7kSfuz/0rqhLH9tjz3Qtjt+/zy45YIny80
+7JOBLH3eLX0H2aOmsJUenp5ExQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwa+CD9XTTxDwMWI8WIm5inS7nAEwDgYD
+VR0PAQH/BAQDAgIEMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEvc066az+E8sftMAgkECVeJVw0Mcr2y
+YlJ0SAbZUNaU7KbzXxm3j8Q5v8K8GDy7EB4H0Gyh0vgsbChTAdLip7xQf7V7SetA
+nE66H4ikF/UAhXlSz+E48Qe2+L3w2weGbU3zwmNMeYkI6dmGFMfEut7hL9ak0Ulc
+0meAGzOu5kHt
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cRLIssuer EE Certificate Test27
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA2
+-----BEGIN CERTIFICATE-----
+MIICzzCCAjigAwIBAgIBBDANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnSW52YWxp
+ZCBjUkxJc3N1ZXIgRUUgQ2VydGlmaWNhdGUgVGVzdDI3MIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDBePXreW7TEQz9U98u5IjkoUpf/CRELuDW4EWLSx0ib7kJ
+njp5do8pREmTX9nvLo1/CiJnv0RRNY4hKwqjR3V+j/2+BT7JDu5T8YuM3MmgWlJt
+G46pHVekb8uXAofDTqMlvAtGTQauE9F3JU7oJ1FJebMo9SRHwIBQvvwnLIn2qQID
+AQABo4G6MIG3MB8GA1UdIwQYMBaAFMGvgg/V008Q8DFiPFiJuYp0u5wBMB0GA1Ud
+DgQWBBRA5ST4jwbcfGOGKDw9sAjuw+hKSzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMEwGA1UdHwRFMEMwQaI/pD0wOzELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRAwDgYDVQQDEwdHb29kIENB
+MA0GCSqGSIb3DQEBBQUAA4GBADHmdwVGWHDLCpX0n65DVgDpC2wWpGgu929rlB5w
+nhGi79lgn3z2a5+3UCaXHQY+vMhJgMFVYoOfmUCNd4cnTgHMtr5Ai9tOS934lj0Z
+xL/XOfx1v6ownw2VOZ5LWxMi2YnYTqC8323wPhcHjTecnE9JprakdJa6q54gsbZR
+j1fs
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest31.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest31.pem
new file mode 100644
index 0000000000..a370fa86a3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest31.pem
@@ -0,0 +1,226 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA5
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx678FWV/yNhQZJRyI
+iaMmsrcrL1oSrYNu6oCM7kFCgk9PSYQRh+4SVNGyvyuQQ74+C4MLKd+GgMPRtHok
+km0S1dv/hLd6qZcVzhL+XHQ+ufLEbZqs1ZXSUfqTJFJpAgu4qLqMS8iZxijRGaDM
+6cQdbVcLMhxTC6sYFzuYtl78gwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlK0S0eEOfsO7N0tBPW1ZgD9EV20wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALAhR+3HUAbz9RiSD7M2UTI/CO2tE7dn
+6zSaQvkfm/UVsDvNLmSaeXS/29C8sHeoEVpmDdGbgCPcMwB3lTNt2pKI5jhr9f7J
+7BE1W43gZMR2YFRrkMX8AhQKVRN5LVpQIKjGMm8CkTPH9ecvH8kGwYcB3qLZwD3H
+sN+wLRApTQTr
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA6
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0E2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/raWoeX0Fp14qkKY
+Ypdts+gzpB6uEBcK8SpAa5FzydBYcIJajJ7MbWLlH1o1nzd27E2YQQPaVuRvB9vS
+4Tih5plnbOXvkaUVh/iohILhb0Q49JWe4JU2yQsphppmzXgUH7C0Zygn3N/fd8JF
+MUxK0kDYmuerHsZ7DDIJsAOTpQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwhs+qhpOwTOKGqpZSQOxZqIc8H0wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACMudfomzqT284TDQDAaT8SdUGpP0bH0
+ofTP/6WODMD3M2+AYgM5ES2McuNKWBx/iifIy42icqmtiP4EjbwjK5JKPJzSSyIF
+/BL1+/TdNfvGBuDBG7qoVzqALx4QeAdCh9tjM9eZQbwVuIIUiI94VPU3hT1OcJRE
+ZCkFIjgPYCPR
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cRLIssuer EE Certificate Test31
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA6
+-----BEGIN CERTIFICATE-----
+MIIDUzCCArygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBNjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnSW52YWxp
+ZCBjUkxJc3N1ZXIgRUUgQ2VydGlmaWNhdGUgVGVzdDMxMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDF62+bmWqsIJDuZD87vUAXArOAHy8ctB87FGlfVI/UMp3x
+SJEM7Bb7cFD9DtWIsr+NcvEGIJIHqxSS+uqbSTkhLRkkQ6V3vZBWw9iK4YCixNHV
+4ngJovgzMWKjjTHBN0+8wtZz2gccx4lD4l8gvC41scMQ7qyQqIX0ByUafTEMAQID
+AQABo4IBPTCCATkwHwYDVR0jBBgwFoAUwhs+qhpOwTOKGqpZSQOxZqIc8H0wHQYD
+VR0OBBYEFDRJXOe+nS5RsQPtEvFYSSZSIXVPMA4GA1UdDwEB/wQEAwIE8DAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwgc0GA1UdHwSBxTCBwjCBv6B0oHKkcDBuMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsT
+D2luZGlyZWN0Q1JMIENBNTEpMCcGA1UEAxMgaW5kaXJlY3QgQ1JMIGZvciBpbmRp
+cmVjdENSTCBDQTaiR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENl
+cnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RDUkwgQ0E1MA0GCSqGSIb3DQEB
+BQUAA4GBAIPT9aAYLcz53VCc4i5LC7bw2UhSE06ovDozPQVlLW7ykaoApryS0aRb
+jRDf/csLFBaDbcmymFBGlYDsnDMv1+R2Azj5eUy4ssEpCYDsKyJnNvY1AD1aldyn
+hwyrIcLgWdU0rmHIT9m+/yLKdk31P8B3WKl6nNEtJVe1hlyeR8Fs
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:AD:12:D1:E1:0E:7E:C3:BB:37:4B:41:3D:6D:59:80:3F:44:57:6D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0..Y...R...N.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA6.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA7.h0f1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51!0...U....CRL1 for indirectCRL CA5...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA7
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 07
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 08
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 09
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0A
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA5
+ Serial Number: 0B
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:49:47:a1:74:fb:1b:35:e7:63:c3:18:3f:ff:34:5b:ba:1c:
+ d3:05:5c:a5:3f:2e:d1:1b:fe:d9:91:8b:25:a9:b1:e2:42:9c:
+ f0:f9:98:c2:ae:94:da:1e:da:b8:38:51:6b:42:c1:6e:c5:9e:
+ 44:bc:3a:b4:36:57:f8:56:a1:ae:4c:04:ca:b6:67:2e:da:ce:
+ 51:b3:17:b7:9e:1d:12:af:54:9d:37:88:d2:58:9f:c1:a6:53:
+ 79:c8:aa:90:45:b2:ff:61:63:e9:5e:2c:7b:4c:6e:a8:71:ab:
+ 7b:10:11:aa:c4:bd:45:ce:9a:09:d5:f7:ac:0d:83:7c:62:3c:
+ c7:af
+-----BEGIN X509 CRL-----
+MIIFfDCCBOUCAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowggLKMCACAQEXDTAxMDQxOTE0
+NTcyMFowDDAKBgNVHRUEAwoBATB1AgECFw0wMTA0MTkxNDU3MjBaMGEwCgYDVR0V
+BAMKAQEwUwYDVR0dAQH/BEkwR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RDUkwgQ0E2MCACAQMX
+DTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBATAgAgEEFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwdQIBBRcNMDEwNDE5MTQ1NzIwWjBhMAoGA1UdFQQDCgEB
+MFMGA1UdHQEB/wRJMEekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNzAgAgEGFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBxcNMDEwNDE5MTQ1NzIwWjAMMAoG
+A1UdFQQDCgEBMHUCAQgXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUEAwoBATBTBgNV
+HR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMRgwFgYDVQQDEw9pbmRpcmVjdENSTCBDQTYwIAIBCRcNMDEwNDE5MTQ1
+NzIwWjAMMAoGA1UdFQQDCgEBMHUCAQoXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUE
+AwoBATBTBgNVHR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUwIAIBCxcN
+MDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIIBnjCCAZowHwYDVR0jBBgwFoAU
+lK0S0eEOfsO7N0tBPW1ZgD9EV20wCgYDVR0UBAMCAQEwggFpBgNVHRwBAf8EggFd
+MIIBWaCCAVKgggFOpHAwbjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E2pHAwbjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENS
+TCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E3
+pGgwZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgw
+FgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxITAfBgNVBAMTGENSTDEgZm9yIGluZGly
+ZWN0Q1JMIENBNYQB/zANBgkqhkiG9w0BAQUFAAOBgQAFSUehdPsbNedjwxg//zRb
+uhzTBVylPy7RG/7ZkYslqbHiQpzw+ZjCrpTaHtq4OFFrQsFuxZ5EvDq0Nlf4VqGu
+TATKtmcu2s5Rsxe3nh0Sr1SdN4jSWJ/BplN5yKqQRbL/YWPpXix7TG6ocat7EBGq
+xL1FzpoJ1fesDYN8YjzHrw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest32.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest32.pem
new file mode 100644
index 0000000000..5dab635a7e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest32.pem
@@ -0,0 +1,226 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA5
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx678FWV/yNhQZJRyI
+iaMmsrcrL1oSrYNu6oCM7kFCgk9PSYQRh+4SVNGyvyuQQ74+C4MLKd+GgMPRtHok
+km0S1dv/hLd6qZcVzhL+XHQ+ufLEbZqs1ZXSUfqTJFJpAgu4qLqMS8iZxijRGaDM
+6cQdbVcLMhxTC6sYFzuYtl78gwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlK0S0eEOfsO7N0tBPW1ZgD9EV20wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALAhR+3HUAbz9RiSD7M2UTI/CO2tE7dn
+6zSaQvkfm/UVsDvNLmSaeXS/29C8sHeoEVpmDdGbgCPcMwB3lTNt2pKI5jhr9f7J
+7BE1W43gZMR2YFRrkMX8AhQKVRN5LVpQIKjGMm8CkTPH9ecvH8kGwYcB3qLZwD3H
+sN+wLRApTQTr
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA6
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0E2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/raWoeX0Fp14qkKY
+Ypdts+gzpB6uEBcK8SpAa5FzydBYcIJajJ7MbWLlH1o1nzd27E2YQQPaVuRvB9vS
+4Tih5plnbOXvkaUVh/iohILhb0Q49JWe4JU2yQsphppmzXgUH7C0Zygn3N/fd8JF
+MUxK0kDYmuerHsZ7DDIJsAOTpQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwhs+qhpOwTOKGqpZSQOxZqIc8H0wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACMudfomzqT284TDQDAaT8SdUGpP0bH0
+ofTP/6WODMD3M2+AYgM5ES2McuNKWBx/iifIy42icqmtiP4EjbwjK5JKPJzSSyIF
+/BL1+/TdNfvGBuDBG7qoVzqALx4QeAdCh9tjM9eZQbwVuIIUiI94VPU3hT1OcJRE
+ZCkFIjgPYCPR
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cRLIssuer EE Certificate Test32
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA6
+-----BEGIN CERTIFICATE-----
+MIIDUzCCArygAwIBAgIBCTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBNjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnSW52YWxp
+ZCBjUkxJc3N1ZXIgRUUgQ2VydGlmaWNhdGUgVGVzdDMyMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDGNK1Y+eOYRm50GYuyrg+CaupAyx1885TUh0lz/2sHwXp2
+OmsLIqfukEyyIfBt/gEHZ4e3CvSb8unsTq/Jlt++srjlPkTPaJAJZmVhhLBS33c/
+L4t1J9CE+W5JEzzQjzhhtAgsOxH4gy6PqQ7MQ3LPRSUFqwtFlOjUaVDekanP/wID
+AQABo4IBPTCCATkwHwYDVR0jBBgwFoAUwhs+qhpOwTOKGqpZSQOxZqIc8H0wHQYD
+VR0OBBYEFCFEpTMSRVJmDIG3biuYZ63bFngaMA4GA1UdDwEB/wQEAwIE8DAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwgc0GA1UdHwSBxTCBwjCBv6B0oHKkcDBuMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsT
+D2luZGlyZWN0Q1JMIENBNTEpMCcGA1UEAxMgaW5kaXJlY3QgQ1JMIGZvciBpbmRp
+cmVjdENSTCBDQTaiR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENl
+cnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RDUkwgQ0E1MA0GCSqGSIb3DQEB
+BQUAA4GBAKZ16nizt2hCVkrf+WfJV1t/frRX9W7Oi4whQqH9BEA2nEZ9LVeGnCAZ
+he10WnY1rXA2JHICijj3YDBoAlOMWtp43Qhv32QJ4dFR08kuSWjvCygSokh9uyoX
+Q/zpF1amF1x/Br/uteHCBILXFFGLLsSauW15U4HWUiJQHob56396
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:AD:12:D1:E1:0E:7E:C3:BB:37:4B:41:3D:6D:59:80:3F:44:57:6D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0..Y...R...N.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA6.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA7.h0f1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51!0...U....CRL1 for indirectCRL CA5...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA7
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 07
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 08
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 09
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0A
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA5
+ Serial Number: 0B
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:49:47:a1:74:fb:1b:35:e7:63:c3:18:3f:ff:34:5b:ba:1c:
+ d3:05:5c:a5:3f:2e:d1:1b:fe:d9:91:8b:25:a9:b1:e2:42:9c:
+ f0:f9:98:c2:ae:94:da:1e:da:b8:38:51:6b:42:c1:6e:c5:9e:
+ 44:bc:3a:b4:36:57:f8:56:a1:ae:4c:04:ca:b6:67:2e:da:ce:
+ 51:b3:17:b7:9e:1d:12:af:54:9d:37:88:d2:58:9f:c1:a6:53:
+ 79:c8:aa:90:45:b2:ff:61:63:e9:5e:2c:7b:4c:6e:a8:71:ab:
+ 7b:10:11:aa:c4:bd:45:ce:9a:09:d5:f7:ac:0d:83:7c:62:3c:
+ c7:af
+-----BEGIN X509 CRL-----
+MIIFfDCCBOUCAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowggLKMCACAQEXDTAxMDQxOTE0
+NTcyMFowDDAKBgNVHRUEAwoBATB1AgECFw0wMTA0MTkxNDU3MjBaMGEwCgYDVR0V
+BAMKAQEwUwYDVR0dAQH/BEkwR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RDUkwgQ0E2MCACAQMX
+DTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBATAgAgEEFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwdQIBBRcNMDEwNDE5MTQ1NzIwWjBhMAoGA1UdFQQDCgEB
+MFMGA1UdHQEB/wRJMEekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNzAgAgEGFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBxcNMDEwNDE5MTQ1NzIwWjAMMAoG
+A1UdFQQDCgEBMHUCAQgXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUEAwoBATBTBgNV
+HR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMRgwFgYDVQQDEw9pbmRpcmVjdENSTCBDQTYwIAIBCRcNMDEwNDE5MTQ1
+NzIwWjAMMAoGA1UdFQQDCgEBMHUCAQoXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUE
+AwoBATBTBgNVHR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUwIAIBCxcN
+MDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIIBnjCCAZowHwYDVR0jBBgwFoAU
+lK0S0eEOfsO7N0tBPW1ZgD9EV20wCgYDVR0UBAMCAQEwggFpBgNVHRwBAf8EggFd
+MIIBWaCCAVKgggFOpHAwbjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E2pHAwbjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENS
+TCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E3
+pGgwZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgw
+FgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxITAfBgNVBAMTGENSTDEgZm9yIGluZGly
+ZWN0Q1JMIENBNYQB/zANBgkqhkiG9w0BAQUFAAOBgQAFSUehdPsbNedjwxg//zRb
+uhzTBVylPy7RG/7ZkYslqbHiQpzw+ZjCrpTaHtq4OFFrQsFuxZ5EvDq0Nlf4VqGu
+TATKtmcu2s5Rsxe3nh0Sr1SdN4jSWJ/BplN5yKqQRbL/YWPpXix7TG6ocat7EBGq
+xL1FzpoJ1fesDYN8YjzHrw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest34.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest34.pem
new file mode 100644
index 0000000000..2e62d70320
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest34.pem
@@ -0,0 +1,205 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA5
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx678FWV/yNhQZJRyI
+iaMmsrcrL1oSrYNu6oCM7kFCgk9PSYQRh+4SVNGyvyuQQ74+C4MLKd+GgMPRtHok
+km0S1dv/hLd6qZcVzhL+XHQ+ufLEbZqs1ZXSUfqTJFJpAgu4qLqMS8iZxijRGaDM
+6cQdbVcLMhxTC6sYFzuYtl78gwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlK0S0eEOfsO7N0tBPW1ZgD9EV20wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALAhR+3HUAbz9RiSD7M2UTI/CO2tE7dn
+6zSaQvkfm/UVsDvNLmSaeXS/29C8sHeoEVpmDdGbgCPcMwB3lTNt2pKI5jhr9f7J
+7BE1W43gZMR2YFRrkMX8AhQKVRN5LVpQIKjGMm8CkTPH9ecvH8kGwYcB3qLZwD3H
+sN+wLRApTQTr
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cRLIssuer EE Certificate Test34
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA5
+-----BEGIN CERTIFICATE-----
+MIIC/DCCAmWgAwIBAgIBCzANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBNTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnSW52YWxp
+ZCBjUkxJc3N1ZXIgRUUgQ2VydGlmaWNhdGUgVGVzdDM0MIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCSaPRkABN56ESU2SA5P4mVXVChuwxsllnznUrRrpaH+L60
+m9Sa11iyGiUqTcGPQbEsPUN8zQQmsjnGSpIMtMRrnkaOTaUmzszVKp9xOuZ5vgSd
+8KeQJjqISqeeJL/oSynuMBOfir1TH2HToo+HetNsfXhumdPDKUojywjZcp1N7wID
+AQABo4HnMIHkMB8GA1UdIwQYMBaAFJStEtHhDn7DuzdLQT1tWYA/RFdtMB0GA1Ud
+DgQWBBQ4QCS2SjHLQtR3kH7i8O8sleHk8DAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMHkGA1UdHwRyMHAwbqBsoGqkaDBmMQswCQYDVQQG
+EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGly
+ZWN0Q1JMIENBNTEhMB8GA1UEAxMYQ1JMMSBmb3IgaW5kaXJlY3RDUkwgQ0E1MA0G
+CSqGSIb3DQEBBQUAA4GBAAppj9RM8AKRmrj/d56ZzOcNlN79bi39iFp7ZuxrkdL7
+ZcnUm4A5y0u2ZoywD1LTUUYh+egAhtpccsYYjmMVQVbEtgwVKorXOwcm6iNmENQ6
+lsZPlEkEXBLlfZLuhPr4Ju+QjaMo7SLAiXOG9lwry8ZFcfAGLIfpLlQyGZ2cnahX
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:AD:12:D1:E1:0E:7E:C3:BB:37:4B:41:3D:6D:59:80:3F:44:57:6D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0..Y...R...N.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA6.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA7.h0f1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51!0...U....CRL1 for indirectCRL CA5...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA7
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 07
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 08
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 09
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0A
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA5
+ Serial Number: 0B
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:49:47:a1:74:fb:1b:35:e7:63:c3:18:3f:ff:34:5b:ba:1c:
+ d3:05:5c:a5:3f:2e:d1:1b:fe:d9:91:8b:25:a9:b1:e2:42:9c:
+ f0:f9:98:c2:ae:94:da:1e:da:b8:38:51:6b:42:c1:6e:c5:9e:
+ 44:bc:3a:b4:36:57:f8:56:a1:ae:4c:04:ca:b6:67:2e:da:ce:
+ 51:b3:17:b7:9e:1d:12:af:54:9d:37:88:d2:58:9f:c1:a6:53:
+ 79:c8:aa:90:45:b2:ff:61:63:e9:5e:2c:7b:4c:6e:a8:71:ab:
+ 7b:10:11:aa:c4:bd:45:ce:9a:09:d5:f7:ac:0d:83:7c:62:3c:
+ c7:af
+-----BEGIN X509 CRL-----
+MIIFfDCCBOUCAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowggLKMCACAQEXDTAxMDQxOTE0
+NTcyMFowDDAKBgNVHRUEAwoBATB1AgECFw0wMTA0MTkxNDU3MjBaMGEwCgYDVR0V
+BAMKAQEwUwYDVR0dAQH/BEkwR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RDUkwgQ0E2MCACAQMX
+DTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBATAgAgEEFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwdQIBBRcNMDEwNDE5MTQ1NzIwWjBhMAoGA1UdFQQDCgEB
+MFMGA1UdHQEB/wRJMEekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNzAgAgEGFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBxcNMDEwNDE5MTQ1NzIwWjAMMAoG
+A1UdFQQDCgEBMHUCAQgXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUEAwoBATBTBgNV
+HR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMRgwFgYDVQQDEw9pbmRpcmVjdENSTCBDQTYwIAIBCRcNMDEwNDE5MTQ1
+NzIwWjAMMAoGA1UdFQQDCgEBMHUCAQoXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUE
+AwoBATBTBgNVHR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUwIAIBCxcN
+MDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIIBnjCCAZowHwYDVR0jBBgwFoAU
+lK0S0eEOfsO7N0tBPW1ZgD9EV20wCgYDVR0UBAMCAQEwggFpBgNVHRwBAf8EggFd
+MIIBWaCCAVKgggFOpHAwbjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E2pHAwbjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENS
+TCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E3
+pGgwZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgw
+FgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxITAfBgNVBAMTGENSTDEgZm9yIGluZGly
+ZWN0Q1JMIENBNYQB/zANBgkqhkiG9w0BAQUFAAOBgQAFSUehdPsbNedjwxg//zRb
+uhzTBVylPy7RG/7ZkYslqbHiQpzw+ZjCrpTaHtq4OFFrQsFuxZ5EvDq0Nlf4VqGu
+TATKtmcu2s5Rsxe3nh0Sr1SdN4jSWJ/BplN5yKqQRbL/YWPpXix7TG6ocat7EBGq
+xL1FzpoJ1fesDYN8YjzHrw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest35.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest35.pem
new file mode 100644
index 0000000000..814ed525f6
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest35.pem
@@ -0,0 +1,207 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA5
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx678FWV/yNhQZJRyI
+iaMmsrcrL1oSrYNu6oCM7kFCgk9PSYQRh+4SVNGyvyuQQ74+C4MLKd+GgMPRtHok
+km0S1dv/hLd6qZcVzhL+XHQ+ufLEbZqs1ZXSUfqTJFJpAgu4qLqMS8iZxijRGaDM
+6cQdbVcLMhxTC6sYFzuYtl78gwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlK0S0eEOfsO7N0tBPW1ZgD9EV20wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALAhR+3HUAbz9RiSD7M2UTI/CO2tE7dn
+6zSaQvkfm/UVsDvNLmSaeXS/29C8sHeoEVpmDdGbgCPcMwB3lTNt2pKI5jhr9f7J
+7BE1W43gZMR2YFRrkMX8AhQKVRN5LVpQIKjGMm8CkTPH9ecvH8kGwYcB3qLZwD3H
+sN+wLRApTQTr
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid cRLIssuer EE Certificate Test35
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA5
+-----BEGIN CERTIFICATE-----
+MIIDSzCCArSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBNTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnSW52YWxp
+ZCBjUkxJc3N1ZXIgRUUgQ2VydGlmaWNhdGUgVGVzdDM1MIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDcad27MapNxZI8cHsmcsbc69H6JrfyxEdrb8jo4H7kREvw
+Ysye/I+06+hyhrY2ziYjoPjk5qwOT6MZoD6a8nysxt+wJwTtwWP7qrrHUrTTM4wZ
+825zHunib1GDGS6NDkRGi3ZZyHgwYGJIpNFvpZ2tYbnQ1YCd+82ApJ/pVK7luwID
+AQABo4IBNTCCATEwHwYDVR0jBBgwFoAUlK0S0eEOfsO7N0tBPW1ZgD9EV20wHQYD
+VR0OBBYEFHF/hceoUsXQv3cfdoCyVLgI9NqMMA4GA1UdDwEB/wQEAwIE8DAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwgcUGA1UdHwSBvTCBujCBt6BsoGqkaDBmMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsT
+D2luZGlyZWN0Q1JMIENBNTEhMB8GA1UEAxMYQ1JMMSBmb3IgaW5kaXJlY3RDUkwg
+Q0E1okekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNjANBgkqhkiG9w0BAQUFAAOBgQAH
+2pRXjertT5rd9nPU9I5ZthZL8EBhTAfMObbfi8/CYJ+Cftct++cBQATBDBr6ho3Z
+TNjd6Qkd1wPPR2EgMk1HWJ6QS4/eQooeTsqstbgz6n/KcMB/+gQeYZbEyFoVu5e6
+C13SPmHSsdy1dtEVVELLreIOhfgSjoMBBQYMCJwffw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:AD:12:D1:E1:0E:7E:C3:BB:37:4B:41:3D:6D:59:80:3F:44:57:6D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0..Y...R...N.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA6.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA7.h0f1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51!0...U....CRL1 for indirectCRL CA5...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA7
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 07
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 08
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 09
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0A
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA5
+ Serial Number: 0B
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:49:47:a1:74:fb:1b:35:e7:63:c3:18:3f:ff:34:5b:ba:1c:
+ d3:05:5c:a5:3f:2e:d1:1b:fe:d9:91:8b:25:a9:b1:e2:42:9c:
+ f0:f9:98:c2:ae:94:da:1e:da:b8:38:51:6b:42:c1:6e:c5:9e:
+ 44:bc:3a:b4:36:57:f8:56:a1:ae:4c:04:ca:b6:67:2e:da:ce:
+ 51:b3:17:b7:9e:1d:12:af:54:9d:37:88:d2:58:9f:c1:a6:53:
+ 79:c8:aa:90:45:b2:ff:61:63:e9:5e:2c:7b:4c:6e:a8:71:ab:
+ 7b:10:11:aa:c4:bd:45:ce:9a:09:d5:f7:ac:0d:83:7c:62:3c:
+ c7:af
+-----BEGIN X509 CRL-----
+MIIFfDCCBOUCAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowggLKMCACAQEXDTAxMDQxOTE0
+NTcyMFowDDAKBgNVHRUEAwoBATB1AgECFw0wMTA0MTkxNDU3MjBaMGEwCgYDVR0V
+BAMKAQEwUwYDVR0dAQH/BEkwR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RDUkwgQ0E2MCACAQMX
+DTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBATAgAgEEFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwdQIBBRcNMDEwNDE5MTQ1NzIwWjBhMAoGA1UdFQQDCgEB
+MFMGA1UdHQEB/wRJMEekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNzAgAgEGFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBxcNMDEwNDE5MTQ1NzIwWjAMMAoG
+A1UdFQQDCgEBMHUCAQgXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUEAwoBATBTBgNV
+HR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMRgwFgYDVQQDEw9pbmRpcmVjdENSTCBDQTYwIAIBCRcNMDEwNDE5MTQ1
+NzIwWjAMMAoGA1UdFQQDCgEBMHUCAQoXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUE
+AwoBATBTBgNVHR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUwIAIBCxcN
+MDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIIBnjCCAZowHwYDVR0jBBgwFoAU
+lK0S0eEOfsO7N0tBPW1ZgD9EV20wCgYDVR0UBAMCAQEwggFpBgNVHRwBAf8EggFd
+MIIBWaCCAVKgggFOpHAwbjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E2pHAwbjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENS
+TCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E3
+pGgwZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgw
+FgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxITAfBgNVBAMTGENSTDEgZm9yIGluZGly
+ZWN0Q1JMIENBNYQB/zANBgkqhkiG9w0BAQUFAAOBgQAFSUehdPsbNedjwxg//zRb
+uhzTBVylPy7RG/7ZkYslqbHiQpzw+ZjCrpTaHtq4OFFrQsFuxZ5EvDq0Nlf4VqGu
+TATKtmcu2s5Rsxe3nh0Sr1SdN4jSWJ/BplN5yKqQRbL/YWPpXix7TG6ocat7EBGq
+xL1FzpoJ1fesDYN8YjzHrw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLIndicatorNoBaseTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLIndicatorNoBaseTest1.pem
new file mode 100644
index 0000000000..3cafe6afb8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLIndicatorNoBaseTest1.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRLIndicator No Base CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBWjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcZGVsdGFDUkxJ
+bmRpY2F0b3IgTm8gQmFzZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+oG4BhBi9qCt4Gbrc/LcngtoFA7DzmY22GBOLt1eBY0FyQGpf4K9UJ/LOfsnV+Q1z
+VMrQi85AV2IqI6mgtxHLyw698P62RlAXRHWMHyj7K/bgc9YjZXUrY7Dy/rAbHaww
+JVlnlNsli3eVdnIPzuxxJ4qRhRgxixJng9IvLPDQaSUCAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFIvW/54p6SweUNEj
+eV1lB9tgcPTTMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQARpTTRRjgFmYIu
+Mnx53B9cpWlZhaDRm9P+XdLuN3Tc4rdqxW3PccPPBB02TbfuXKXNGOQZpKhhF2BR
+oulfvRUkwEfeB7DHQNuEGVct08IknDXryj2KFLPQgWdprgO0hOgZxF1SPuUOh1q7
+iSvok8TmmeNswbnOq7EszJMT6EmnUA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRLIndicator No Base EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=deltaCRLIndicator No Base CA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGRlbHRhQ1JMSW5k
+aWNhdG9yIE5vIEJhc2UgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBqMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPzA9
+BgNVBAMTNkludmFsaWQgZGVsdGFDUkxJbmRpY2F0b3IgTm8gQmFzZSBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvGpcW2w
+QEDfvwR7XCYsQkH0qjyrTAjaWC37qTDFXdVea7SsRiN2tW0REkGLtoF/BGWwq3/K
+KNS47aRTkHkYyNJIlv+1vRXEYxlHI0k6HGfH+50i/40w6T3EzV7RUhcGUGQzP2bT
+K9Bpc6fHT2sjEgqChhY1By2i/j1sQcIt9TMCAwEAAaNrMGkwHwYDVR0jBBgwFoAU
+i9b/ninpLB5Q0SN5XWUH22Bw9NMwHQYDVR0OBBYEFGc/qnf9bJRTuHQc0l5B5FN/
+kKYbMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJ
+KoZIhvcNAQEFBQADgYEADuC/4FucvKYngf2DKlHL2CRM7Io+GiuRab4hlwCc+ma1
+VPQC6R+vlIABlQvMPmw4WG+SuFUDZNUssb8KPHQZdrvlnFHPjim3wRzYsdvAPIJt
+5zncVjkebsrXuA///nNffcUlemq0f871Une/4Vtxe1VBbGzCZ7s8DxQumEH4B6E=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRLIndicator No Base CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:D6:FF:9E:29:E9:2C:1E:50:D1:23:79:5D:65:07:DB:60:70:F4:D3
+
+ X509v3 CRL Number:
+ 1
+ X509v3 Delta CRL Indicator: critical
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:84:e0:d0:5d:12:bb:90:a4:b0:49:2d:9c:98:2f:c5:8f:39:
+ aa:08:09:8d:4a:14:7f:5b:59:00:a0:4d:f2:b6:47:88:33:fb:
+ a8:51:d9:b1:44:71:66:7d:48:c4:02:fe:ee:fd:2b:ab:80:0d:
+ 07:ad:41:d6:51:cb:86:03:c8:8e:99:0a:6e:b3:65:72:65:58:
+ 3b:f1:b9:af:cc:75:ab:ac:7c:59:18:32:59:8e:ca:d9:cd:50:
+ f2:f9:03:d6:4e:41:13:5e:62:2a:e2:3a:98:12:d8:ff:08:cb:
+ 14:6e:1d:69:4d:d6:19:74:cf:b5:2d:c7:2d:3c:60:a6:30:95:
+ 34:4c
+-----BEGIN X509 CRL-----
+MIIBWDCBwgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGRlbHRhQ1JMSW5kaWNhdG9y
+IE5vIEJhc2UgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgPjA8MB8G
+A1UdIwQYMBaAFIvW/54p6SweUNEjeV1lB9tgcPTTMAoGA1UdFAQDAgEBMA0GA1Ud
+GwEB/wQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAHOE4NBdEruQpLBJLZyYL8WPOaoI
+CY1KFH9bWQCgTfK2R4gz+6hR2bFEcWZ9SMQC/u79K6uADQetQdZRy4YDyI6ZCm6z
+ZXJlWDvxua/MdausfFkYMlmOytnNUPL5A9ZOQRNeYiriOpgS2P8IyxRuHWlN1hl0
+z7Utxy08YKYwlTRM
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest10.pem
new file mode 100644
index 0000000000..4ca36378b2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest10.pem
@@ -0,0 +1,150 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA3
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBXTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0EzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyjb9j3IekGOkHy1SMKbO2
+cxwOgq+Yl8JiAoQJk+wbolHouwKi3RFA75+gpgOiN0SeLz08puksttu+6NNeBmlI
+VBHm6vN402CMD2mE5JN9ze88PmgzLW/NusnlGNUoYksZn6JLwIyAMqCq9ftTWh/d
+Dy0s9MipYeAfErZCKqRoewIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQU4hgGT7/eQNb/M10iVoncEPfOcL0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJ3F2hdP5d9HdGajPqfdokQc5GBFeZOqwu0M
+3NB8RwFrC1PmrnRvCZETjCk9bMAlDIYde7XTym3nNwdl2xrMWn6xBBnBtVBU1uAo
+96PxqkGgbm/uFUgMLUlww+CwMtAWfpZylChZNNxZSK40iS4jOlN5JajF1iLB+CTG
+rC1IKMyc
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRL EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA3
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEvMC0GA1UEAxMmSW52YWxpZCBk
+ZWx0YUNSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTAwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAPg+ULgLYvxSkvSwcxwt2gPwS+Snwayze8EhWojhINAcpYlb8sPh
+4OaEgcnDvdOrOUGPIB2D/KOYrKEAqlRmM5zx12ZvpLevcV81RvNfe4FTRCqAqwhK
+Vs+5ktfrGpJxjBVWC0Lds9VitDFQpVoA8ksVekcaTe2bHsI0Ovr0DJiXAgMBAAGj
+ggEXMIIBEzAfBgNVHSMEGDAWgBTiGAZPv95A1v8zXSJWidwQ985wvTAdBgNVHQ4E
+FgQU10CyKhocLN3j/y/kw/ue6MjvEF8wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATBTBgNVHR8ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNS
+TCBDQTMwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYTAlVTMRowGAYDVQQK
+ExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwgQ0EzMA0GCSqG
+SIb3DQEBBQUAA4GBAAUoNQS5AyzkN32ziPcC+VbKBJACILROlR93/RKUabl710wa
+BNk1iOD+MQ9iUwOLXI/bAo5bqQP43gvVFETGio6KpzbsDfofpXMbliYNRyX6NYqy
+38eEMeX/Tu2GvtAwIWPlW2rdCrAl0KS57hwRtpXvyikNxUHoYGmtREmOdFN+
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA3
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E2:18:06:4F:BF:DE:40:D6:FF:33:5D:22:56:89:DC:10:F7:CE:70:BD
+
+ X509v3 CRL Number:
+ 3
+ X509v3 Delta CRL Indicator: critical
+ 2
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 14:8e:0d:04:69:d0:fb:fc:c1:e0:51:af:b2:9c:b1:0e:d6:8d:
+ da:4a:f1:94:a2:23:3e:6f:c9:9c:4d:d6:b0:03:6e:ae:c7:23:
+ fc:6c:69:3e:66:ee:12:fa:2d:b4:12:08:76:16:e7:45:7c:6b:
+ 7c:b5:ca:dd:f3:67:81:c7:78:d0:0a:54:52:05:0e:a9:8e:36:
+ 5c:3e:9b:b7:b5:f1:18:a9:04:61:5a:95:4c:3f:a9:d2:76:c3:
+ 71:dd:2a:9a:78:27:4d:3e:e8:02:93:40:21:42:14:02:a8:0d:
+ 86:f4:27:53:8c:3c:07:ab:d4:70:29:2e:42:6b:db:5a:2d:06:
+ 54:e9
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENBMxcNMDMw
+MTAxMTIwMDAwWhcNMTEwNDE5MTQ1NzIwWqA+MDwwHwYDVR0jBBgwFoAU4hgGT7/e
+QNb/M10iVoncEPfOcL0wCgYDVR0UBAMCAQMwDQYDVR0bAQH/BAMCAQIwDQYJKoZI
+hvcNAQEFBQADgYEAFI4NBGnQ+/zB4FGvspyxDtaN2krxlKIjPm/JnE3WsANurscj
+/GxpPmbuEvottBIIdhbnRXxrfLXK3fNngcd40ApUUgUOqY42XD6bt7XxGKkEYVqV
+TD+p0nbDcd0qmngnTT7oApNAIUIUAqgNhvQnU4w8B6vUcCkuQmvbWi0GVOk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Jan 1 12:00:00 2003 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E2:18:06:4F:BF:DE:40:D6:FF:33:5D:22:56:89:DC:10:F7:CE:70:BD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA3
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 87:f9:64:9d:19:1d:03:e9:68:e0:a8:3b:2a:8a:f2:74:a3:26:
+ 8a:2b:00:7e:6c:b3:4f:ae:70:d1:e3:ad:39:b5:ba:70:25:34:
+ 31:9b:12:06:6e:b2:59:f0:a8:56:24:67:c9:fc:76:54:74:4f:
+ 28:14:6c:7d:51:20:d7:8f:52:69:12:e1:67:2b:3a:d1:70:03:
+ d6:8a:e5:c5:92:1e:61:29:9d:e5:55:c6:54:bb:8a:a9:b4:b7:
+ f6:3b:ee:b1:63:90:a3:39:2c:29:b0:f3:2e:00:1c:f4:dd:76:
+ 46:40:31:0c:7e:29:ab:fb:35:ae:a8:73:8e:ca:a1:23:1c:12:
+ 8e:50
+-----BEGIN X509 CRL-----
+MIIBkDCB+gIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENBMxcNMDEw
+NDE5MTQ1NzIwWhcNMDMwMTAxMTIwMDAwWqCBhTCBgjAfBgNVHSMEGDAWgBTiGAZP
+v95A1v8zXSJWidwQ985wvTAKBgNVHRQEAwIBATBTBgNVHS4ETDBKMEigRqBEpEIw
+QDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYD
+VQQDEwxkZWx0YUNSTCBDQTMwDQYJKoZIhvcNAQEFBQADgYEAh/lknRkdA+lo4Kg7
+KorydKMmiisAfmyzT65w0eOtObW6cCU0MZsSBm6yWfCoViRnyfx2VHRPKBRsfVEg
+149SaRLhZys60XAD1orlxZIeYSmd5VXGVLuKqbS39jvusWOQozksKbDzLgAc9N12
+RkAxDH4pq/s1rqhzjsqhIxwSjlA=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest3.pem
new file mode 100644
index 0000000000..b76c876c1e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest3.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRL EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlSW52YWxpZCBk
+ZWx0YUNSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MzCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAzxx97S8BoEgN9xfoNoA/Llxt6uPlOWZ+ivv604fkNJjK8fwEFgGh
+IX2rOp0JvgxD9GNhW03cAb99VuVWaKCGZetc3qdUF2xWlxxXgYBV1Js2xsyjmGbR
+pqAvaRtcrtlqE6hmltSJmkP92c49XhgCOIkV/KNyODYzPpFNe5RyZ/MCAwEAAaOC
+ARcwggETMB8GA1UdIwQYMBaAFJOPTbzyHNcMriBIrLoyGg3X6A3NMB0GA1UdDgQW
+BBSxLLxeL6rboh2Wk+01TTFMKEr2LTAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMFMGA1UdHwRMMEowSKBGoESkQjBAMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JM
+IENBMTBTBgNVHS4ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZI
+hvcNAQEFBQADgYEAjeR/ZFSYPKsGsR0G5k/dJwEp8GMQM/lG8s5DOWP1JbD8Ebl6
+aao3oD0FCF9jzK+rtRkL1GVRXX48sLANOStAEInSVm06g7LocOuGGb7NRggCbLRY
+rMCjHVqCHM8aJLARHyGGvUlhNfuzWxTNX4Ru6LnhGQmXqvWcGlY4dVv4vUg=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest4.pem
new file mode 100644
index 0000000000..a23bf8d464
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest4.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRL EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlSW52YWxpZCBk
+ZWx0YUNSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEApl35weU2/WxOlBNEikRZQw51mRQgwiHdME99VsoaDgFPYglJARYk
+IQDYMoImgMANlcfHOiVaOAyXU4lXuGmpw8z64BNhazbSkSEl5lHedJaTrG3pwst8
+RIaAAvQbxOYAqrZyDz+9InoAj7ci9+TPhthUrmjkHxs7x/Bmkbmj9pcCAwEAAaOC
+ARcwggETMB8GA1UdIwQYMBaAFJOPTbzyHNcMriBIrLoyGg3X6A3NMB0GA1UdDgQW
+BBSZxHSKiyXXvxkmVXDhDuryYei0YTAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMFMGA1UdHwRMMEowSKBGoESkQjBAMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JM
+IENBMTBTBgNVHS4ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZI
+hvcNAQEFBQADgYEAVQbnMvz/UBEqrjWC/M/CNgiN/9NfiIj2+eYySOYG+HoJrVWC
+qCDdYeXfKIHh8CtoS6s+S+xaYpEschIVX3kOjn/VMGOmvAtWlR3iy0nvVoRUoGDa
+4eBv1NPq2MlQn5L7WsYHJFnJrLx+z9lWgfFYNKPiDY60dVmNPSfFzQpevu8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest6.pem
new file mode 100644
index 0000000000..e918530f97
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest6.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRL EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlSW52YWxpZCBk
+ZWx0YUNSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0NjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAscrNGz91htFkIREH4kXyOxo9/1St8nJA9dIDFUm8mrrSSju1W8oD
+Xp8EeOhyKguxnDGTfGnp5SIrvLUB3IEn2Jjme0QUKtz3lVdWYMNZcyESeKIhz2Hs
+GCFxmYHAzafSbJ4dh9VLWVEkARbN31prGZT9BIls24r6PWhRDanqOZ0CAwEAAaOC
+ARcwggETMB8GA1UdIwQYMBaAFJOPTbzyHNcMriBIrLoyGg3X6A3NMB0GA1UdDgQW
+BBRyJcnOHzbSUbchF1gWSl+d/EKipjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMFMGA1UdHwRMMEowSKBGoESkQjBAMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JM
+IENBMTBTBgNVHS4ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZI
+hvcNAQEFBQADgYEAUGZgoTW4dnlTr4u8+RArHmwDwiSDY0cXQimlo5QXcoeZczkt
+s6hrTXRDO2ZiijUqoKqP+F7hBWROoKc2U9kq0yLfZXxsRBx5atus0zwV9PE2pYS9
+5doAUve+eXvnEBzwjBzlPNoWo0yklkwaVIhBZFY8HS2G8P115VnipQebcZk=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest9.pem
new file mode 100644
index 0000000000..f96feae051
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest9.pem
@@ -0,0 +1,162 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBXDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr2MUpxzH8HIqzmAylEvng
+qJvVIxI4xzM8NSpC7P7T2R1dmFXK/19W+m5yqOagB9VxgxP9IYbI2VJ/FrbQSD/+
+afpuHA8++piSAs2e/1BoRagiln3PnQTLemPsmVy00eSLnsw6QRdC0MIZjme0/SHv
+Z6XuWPNvicDyA/Uml2pCqQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUo5OrV2YmbXI6bLyDZaOa/I4MQwswDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAFnKbCQCHJI6HhnaoKJkHKk3dBK/E1DNHc3a
+u9yx3wYdmqwkoG5iKJjssQDLcbLfpjuF7jU9nKbk2gcmOIa5//lgCmUaok4WZSUA
+u8bzMnpiZyzIjjoW78RyuntCMXbZzcs7umsOKfOlDXj4wwsev4E7m5nvP2Qv7hEX
+ECR/9DaG
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid deltaCRL EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA2
+-----BEGIN CERTIFICATE-----
+MIIDKDCCApGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlSW52YWxpZCBk
+ZWx0YUNSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0OTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAuJgOh28x++Wg1L68WeOKQN8XdV1qhrZmuHQgwEWL8HA4HNqPU18v
+laXijT2AqIMjNJs0Ja41CFGbeaiVSNrV7nMsuQAiXTiiS6R8yrRScEd1baqSvzRT
+PPgXoN1qSTYKXXeEYR3dKsHZ2DVAjdlvm/bwIm6lGKGchu4FxwoHCecCAwEAAaOC
+ARcwggETMB8GA1UdIwQYMBaAFKOTq1dmJm1yOmy8g2WjmvyODEMLMB0GA1UdDgQW
+BBRJKQemGd+zHC3BYsO7nLEzQ8rHazAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMFMGA1UdHwRMMEowSKBGoESkQjBAMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JM
+IENBMjBTBgNVHS4ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTIwDQYJKoZI
+hvcNAQEFBQADgYEAf2NJLZQsLgMF9j1YG0b0IP3nQETOE/M1kAExKmgex/QteM25
+DBV4d4vJzuh6DFQxNk91Y9K9bR7qIPlsK31NGGpq4lbct4XgbIlM0+4phq3sORcJ
+AU3cfsMvJwZNmfJ6W22nEhF9Dgd0JNo+9g9FQGlSH6z2O34vBB/jPtkDJEU=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA2
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A3:93:AB:57:66:26:6D:72:3A:6C:BC:83:65:A3:9A:FC:8E:0C:43:0B
+
+ X509v3 CRL Number:
+ 3
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 25:e0:e6:a0:65:11:f0:81:2b:f1:ed:47:8c:1c:a4:dd:79:26:
+ 78:05:22:84:96:35:60:de:7b:13:ec:70:ee:50:3d:ac:d4:9a:
+ 22:fe:e3:9a:77:a4:fb:bb:86:98:21:80:3e:d3:20:85:57:b2:
+ 0f:2e:bd:53:d4:7a:ac:96:02:3e:17:00:67:67:6d:16:01:9d:
+ 93:cb:fc:b6:f1:c2:23:0b:e2:de:c2:02:5a:70:05:34:35:8a:
+ 72:8c:cb:78:ad:62:96:86:50:5d:6c:ba:1a:bb:e5:b8:e8:5f:
+ b6:7c:33:8f:8b:aa:c6:b1:78:a7:e4:56:12:76:09:7a:db:ae:
+ f5:ff
+-----BEGIN X509 CRL-----
+MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENBMhcNMDMw
+MTAxMTIwMDAwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaA+MDwwHwYDVR0jBBgwFoAUo5OrV2YmbXI6bLyDZaOa/I4M
+QwswCgYDVR0UBAMCAQMwDQYDVR0bAQH/BAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+JeDmoGUR8IEr8e1HjByk3XkmeAUihJY1YN57E+xw7lA9rNSaIv7jmnek+7uGmCGA
+PtMghVeyDy69U9R6rJYCPhcAZ2dtFgGdk8v8tvHCIwvi3sICWnAFNDWKcozLeK1i
+loZQXWy6GrvluOhftnwzj4uqxrF4p+RWEnYJetuu9f8=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A3:93:AB:57:66:26:6D:72:3A:6C:BC:83:65:A3:9A:FC:8E:0C:43:0B
+
+ X509v3 CRL Number:
+ 2
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA2
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6a:af:6c:a0:70:12:90:02:5b:70:fd:d4:b6:8d:28:9a:51:5c:
+ fd:04:ed:47:e1:a0:5a:60:e7:41:83:23:ff:a3:e0:c6:b1:fc:
+ 71:db:cb:8e:a7:20:0e:f6:9a:ae:e3:fd:61:33:a6:21:69:4f:
+ 7f:7f:23:cc:33:47:45:23:bc:fc:a1:79:02:31:3f:8d:77:e7:
+ c0:9c:8d:90:ef:6a:9d:38:fe:13:b7:03:dd:ac:36:72:b5:94:
+ e5:7b:43:a8:7a:96:ce:16:bc:55:00:bd:cc:1b:a7:81:93:40:
+ f7:f6:11:bf:c6:dd:7a:ab:32:e5:be:fb:88:32:e2:06:41:9f:
+ 5f:d5
+-----BEGIN X509 CRL-----
+MIIBtTCCAR4CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTIXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQGggYUwgYIwHwYDVR0jBBgwFoAUo5OrV2YmbXI6bLyDZaOa
+/I4MQwswCgYDVR0UBAMCAQIwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFD
+UkwgQ0EyMA0GCSqGSIb3DQEBBQUAA4GBAGqvbKBwEpACW3D91LaNKJpRXP0E7Ufh
+oFpg50GDI/+j4Max/HHby46nIA72mq7j/WEzpiFpT39/I8wzR0UjvPyheQIxP413
+58CcjZDvap04/hO3A92sNnK1lOV7Q6h6ls4WvFUAvcwbp4GTQPf2Eb/G3XqrMuW+
++4gy4gZBn1/V
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest2.pem
new file mode 100644
index 0000000000..e2b8ef58dc
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest2.pem
@@ -0,0 +1,123 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVIDlX8Ue
+jptTAccp199par4Wi+6zdvpzdmUXj6UICGge/S5OJUY6nmBMligfESDLwjhbFB9V
+wm194odW9eAiWfUenAN7i4xIyorZwf5dPqHZVOcv9M3jRBce9j/ZuO8ard6c8Dp+
+UQ7gGH0Avyz4IM9x52TNBjYLthRcxwRPywIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnh8dUFdqhW8b+OZBXut6ujB+
+uvQwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMM6gfNW7Hs8z/E7U5NW/M1Y
+eT2VxqvZaq+HqK/GnxQeJUalPUbLk66F3XU5QmU/gQ/F6wP5yEV8UZALVj7OuJ56
+Vz21USzCSPGXPazeDdBQSx0otXHbKVtamBKYMn+jFqYPuPmNxUWzu4iczvEsBZFK
+0dm+b6846EQQbmI8jNru
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid distributionPoint EE Certificate Test2
+issuer=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBkaXN0cmlidXRpb25Qb2ludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA737UO+PFs1t9bQRYiD1XQvoj5CgT
+W0o3qMiBsk3AhuMx4ozSScw86kyooet/wxn2pJeFuHhNbdmWF5Mz4kyUuTWHl11Z
+T0aauPWb15KkPWKyYGcwMPrh1xNR17ddZWhDJsgvtraLthiXLTiumcoof7LrTWd8
+lR6y9AZzJkxw3aUCAwEAAaOB8zCB8DAfBgNVHSMEGDAWgBSeHx1QV2qFbxv45kFe
+63q6MH669DAdBgNVHQ4EFgQUDby2uXBoHkNmqlHt58+tVdKbG6UwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATCBhAYDVR0fBH0wezB5oHeg
+daRzMHExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEe
+MBwGA1UECxMVZGlzdHJpYnV0aW9uUG9pbnQxIENBMSYwJAYDVQQDEx1DUkwxIG9m
+IGRpc3RyaWJ1dGlvblBvaW50MSBDQTANBgkqhkiG9w0BAQUFAAOBgQDcQ+nXCvsA
+WSXbtnoQr+PKV/BOIwQGVJgCtsiEj3Qt04kNFEDjXnXwsKB4LNclGBe5Hi/PsxLG
+nrxqkXIoArMFjjZe4eNbkZotgOz2xN1lH/e4+5O1Ji7CbuNXbtSABVh4ZJYzZJYu
+d418yGh18wIXgBC0R7QwhHtX5I5tRJPSOA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9E:1F:1D:50:57:6A:85:6F:1B:F8:E6:41:5E:EB:7A:BA:30:7E:BA:F4
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0y.w.u.s0q1.0...U....US1.0...U.
+..Test Certificates1.0...U....distributionPoint1 CA1&0$..U....CRL1 of distributionPoint1 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ bb:36:57:87:39:3f:49:50:07:42:5f:a4:2b:3e:b2:04:52:a9:
+ 1b:dc:5e:8b:c1:6c:47:19:83:1d:5f:81:da:ae:bf:ba:1d:57:
+ 8d:a7:f0:41:bf:d1:40:e3:f8:7f:bf:80:ac:8d:2d:97:15:88:
+ 6c:91:39:87:3d:0d:45:79:a3:b8:41:a2:17:b6:a3:24:cd:a9:
+ 7b:f2:f9:57:b5:98:a0:a7:07:2b:3e:5a:2a:d8:5b:84:7d:25:
+ 75:25:51:9f:58:1e:6f:ea:f9:3a:62:59:e6:54:01:d7:76:91:
+ 2d:0f:b9:f5:2a:ce:0c:46:e4:dd:b1:3c:23:92:a8:67:d2:39:
+ 6a:49
+-----BEGIN X509 CRL-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGggbgwgbUwHwYDVR0jBBgwFoAUnh8dUFdq
+hW8b+OZBXut6ujB+uvQwCgYDVR0UBAMCAQEwgYUGA1UdHAEB/wR7MHmgd6B1pHMw
+cTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYD
+VQQLExVkaXN0cmlidXRpb25Qb2ludDEgQ0ExJjAkBgNVBAMTHUNSTDEgb2YgZGlz
+dHJpYnV0aW9uUG9pbnQxIENBMA0GCSqGSIb3DQEBBQUAA4GBALs2V4c5P0lQB0Jf
+pCs+sgRSqRvcXovBbEcZgx1fgdquv7odV42n8EG/0UDj+H+/gKyNLZcViGyROYc9
+DUV5o7hBohe2oyTNqXvy+Ve1mKCnBys+WirYW4R9JXUlUZ9YHm/q+TpiWeZUAdd2
+kS0PufUqzgxG5N2xPCOSqGfSOWpJ
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest3.pem
new file mode 100644
index 0000000000..2772115950
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest3.pem
@@ -0,0 +1,123 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVIDlX8Ue
+jptTAccp199par4Wi+6zdvpzdmUXj6UICGge/S5OJUY6nmBMligfESDLwjhbFB9V
+wm194odW9eAiWfUenAN7i4xIyorZwf5dPqHZVOcv9M3jRBce9j/ZuO8ard6c8Dp+
+UQ7gGH0Avyz4IM9x52TNBjYLthRcxwRPywIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnh8dUFdqhW8b+OZBXut6ujB+
+uvQwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMM6gfNW7Hs8z/E7U5NW/M1Y
+eT2VxqvZaq+HqK/GnxQeJUalPUbLk66F3XU5QmU/gQ/F6wP5yEV8UZALVj7OuJ56
+Vz21USzCSPGXPazeDdBQSx0otXHbKVtamBKYMn+jFqYPuPmNxUWzu4iczvEsBZFK
+0dm+b6846EQQbmI8jNru
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid distributionPoint EE Certificate Test3
+issuer=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAn6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBkaXN0cmlidXRpb25Qb2ludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MzCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuS5Lgb3o+ul4HsVLgHgzRL9MeLx1
+KnKHTzQ7EedCPCAL/7h2oNWVaOCqaRzy5E4ke3W53AP0lHEyygZjKFnLw2QjEtGj
+1qytIz79bI9YKeHX1pnOldsesBJtKAfb/RBhtwEsieibfV3nFTTckFhqtMWkRX+b
+xgbfcd5yKPMhQRECAwEAAaOB8zCB8DAfBgNVHSMEGDAWgBSeHx1QV2qFbxv45kFe
+63q6MH669DAdBgNVHQ4EFgQUxeG0ipAP1oMfhg4iMi/dmI5iNgcwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATCBhAYDVR0fBH0wezB5oHeg
+daRzMHExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEe
+MBwGA1UECxMVZGlzdHJpYnV0aW9uUG9pbnQxIENBMSYwJAYDVQQDEx1DUkx4IG9m
+IGRpc3RyaWJ1dGlvblBvaW50MSBDQTANBgkqhkiG9w0BAQUFAAOBgQDnY+V8RkGw
++kpIYbTDHFKNX/7Tkk4ZRLWJXXk21ah6V7OqKJblsAWGSOKJa65p4GKLrf+uNvW5
+BuOTRbdFpJrjslIZ87Z8XSdWXo/guQWTLacYkBPfKeimVeBInc2uoKkzt3L3gunO
+zcm1s3DmNsCcQFvuG+GsDDn3xIkTxnTkHQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9E:1F:1D:50:57:6A:85:6F:1B:F8:E6:41:5E:EB:7A:BA:30:7E:BA:F4
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0y.w.u.s0q1.0...U....US1.0...U.
+..Test Certificates1.0...U....distributionPoint1 CA1&0$..U....CRL1 of distributionPoint1 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ bb:36:57:87:39:3f:49:50:07:42:5f:a4:2b:3e:b2:04:52:a9:
+ 1b:dc:5e:8b:c1:6c:47:19:83:1d:5f:81:da:ae:bf:ba:1d:57:
+ 8d:a7:f0:41:bf:d1:40:e3:f8:7f:bf:80:ac:8d:2d:97:15:88:
+ 6c:91:39:87:3d:0d:45:79:a3:b8:41:a2:17:b6:a3:24:cd:a9:
+ 7b:f2:f9:57:b5:98:a0:a7:07:2b:3e:5a:2a:d8:5b:84:7d:25:
+ 75:25:51:9f:58:1e:6f:ea:f9:3a:62:59:e6:54:01:d7:76:91:
+ 2d:0f:b9:f5:2a:ce:0c:46:e4:dd:b1:3c:23:92:a8:67:d2:39:
+ 6a:49
+-----BEGIN X509 CRL-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGggbgwgbUwHwYDVR0jBBgwFoAUnh8dUFdq
+hW8b+OZBXut6ujB+uvQwCgYDVR0UBAMCAQEwgYUGA1UdHAEB/wR7MHmgd6B1pHMw
+cTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYD
+VQQLExVkaXN0cmlidXRpb25Qb2ludDEgQ0ExJjAkBgNVBAMTHUNSTDEgb2YgZGlz
+dHJpYnV0aW9uUG9pbnQxIENBMA0GCSqGSIb3DQEBBQUAA4GBALs2V4c5P0lQB0Jf
+pCs+sgRSqRvcXovBbEcZgx1fgdquv7odV42n8EG/0UDj+H+/gKyNLZcViGyROYc9
+DUV5o7hBohe2oyTNqXvy+Ve1mKCnBys+WirYW4R9JXUlUZ9YHm/q+TpiWeZUAdd2
+kS0PufUqzgxG5N2xPCOSqGfSOWpJ
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest6.pem
new file mode 100644
index 0000000000..0d018c8e11
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest6.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs1jD9UP9Z
+XFXO9pXlwQaq3g11cXEADTlDc+W2RuUiBJXRjOhbt9pBqMwI7EhS41KMALd8ISna
+SAp5DDvmtp2z4X95eoizwZ9O5vtIw6XA7d5EwFr2c89INmIXFw2OA0K2Xj9K7eKK
+u95rUFjJM7qfZueTDyR8/qrUEUUhq+7gtQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUOjSLBeN2WFjEhwSYfX4djKxd
+uU4wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMagar2d/lP05a6g8iDgAc4i
+8GOkbbNIOguMdW9fwv9DvIJyDO/ruRnKgZJdY9osVBqR8pVP1qErhwboe+dIBgLA
+p1yRVbcPKEd/1xXrFhjoH9Wlp6CK6Al0LIJ7iQMoufcUzay6Bux5caNEH06+BnJF
+nhKgwK6jkVuYAf9HHtVh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid distributionPoint EE Certificate Test6
+issuer=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+-----BEGIN CERTIFICATE-----
+MIICxTCCAi6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBkaXN0cmlidXRpb25Qb2ludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0NjCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwbnDywy9lvaPs3ihfyfLPtBoMo+v
+C+fBtx91KNEmBz2ACO825iLx9Cyq+vbSLMDPiBbEbBpUtXDAXuaa6omJ1BnyVp+4
+dDmnpIB7IZm6z2mwQ1/xp1Nse1vb1zxkbDnMVVpkSJTqaTqMUnR5s9ht0XI62DgL
+ZEFlpTiBkCVCWFsCAwEAAaOBozCBoDAfBgNVHSMEGDAWgBQ6NIsF43ZYWMSHBJh9
+fh2MrF25TjAdBgNVHQ4EFgQUNTlA81m7xBu1FOhMV8hYWiP2hpIwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATA1BgNVHR8ELjAsMCqgKKEm
+MCQGA1UEAxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcN
+AQEFBQADgYEANn9ezG9vEUyKzHQDQt0yQTrF9KcG5PUqzKQiaIIzKvEBLX9d/nj5
+N0wEpklLq//fxWFFPlhZS7qsDal+jjkPnccIlgIDLNAYYOXEm05+6eeXXKMKwC9I
+TdJghmMFwSDvbp2s/dnQvjOrHIexlatSbbCEDS9XnSeMmHVJ0lx7aZ8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3A:34:8B:05:E3:76:58:58:C4:87:04:98:7D:7E:1D:8C:AC:5D:B9:4E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0*.(.&0$..U....CRL1 of distributionPoint2 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:94:d4:ed:c7:a8:0e:9d:16:d2:aa:4d:3e:d5:a4:72:af:7f:
+ e7:9e:83:e9:93:a6:92:a3:0e:48:39:60:27:0c:6e:75:4f:e0:
+ 1d:84:89:17:3e:09:85:f8:ac:32:b5:76:76:ab:09:64:95:4e:
+ ef:01:2f:34:69:4e:3d:53:96:7b:05:5e:c9:b4:84:62:a2:06:
+ bd:5f:6e:6f:c8:08:be:8e:d1:4f:33:72:5e:8c:0e:e1:2e:f3:
+ fb:23:7a:3a:34:3e:69:3f:6a:44:e1:a5:fe:cc:5d:60:23:95:
+ a3:48:97:bf:72:dd:2f:ab:fd:59:5c:d2:11:c1:4c:e1:f7:ad:
+ d9:03
+-----BEGIN X509 CRL-----
+MIIBnzCCAQgCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgZzBlMB8GA1UdIwQYMBaAFDo0iwXjdlhY
+xIcEmH1+HYysXblOMAoGA1UdFAQDAgEBMDYGA1UdHAEB/wQsMCqgKKEmMCQGA1UE
+AxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQAD
+gYEAjJTU7ceoDp0W0qpNPtWkcq9/556D6ZOmkqMOSDlgJwxudU/gHYSJFz4Jhfis
+MrV2dqsJZJVO7wEvNGlOPVOWewVeybSEYqIGvV9ub8gIvo7RTzNyXowO4S7z+yN6
+OjQ+aT9qROGl/sxdYCOVo0iXv3LdL6v9WVzSEcFM4fet2QM=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest8.pem
new file mode 100644
index 0000000000..2ccff7ecb8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest8.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs1jD9UP9Z
+XFXO9pXlwQaq3g11cXEADTlDc+W2RuUiBJXRjOhbt9pBqMwI7EhS41KMALd8ISna
+SAp5DDvmtp2z4X95eoizwZ9O5vtIw6XA7d5EwFr2c89INmIXFw2OA0K2Xj9K7eKK
+u95rUFjJM7qfZueTDyR8/qrUEUUhq+7gtQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUOjSLBeN2WFjEhwSYfX4djKxd
+uU4wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMagar2d/lP05a6g8iDgAc4i
+8GOkbbNIOguMdW9fwv9DvIJyDO/ruRnKgZJdY9osVBqR8pVP1qErhwboe+dIBgLA
+p1yRVbcPKEd/1xXrFhjoH9Wlp6CK6Al0LIJ7iQMoufcUzay6Bux5caNEH06+BnJF
+nhKgwK6jkVuYAf9HHtVh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid distributionPoint EE Certificate Test8
+issuer=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAlWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBkaXN0cmlidXRpb25Qb2ludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0ODCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtqwbk/YTst4JgaZksbi+cItOdDg1
+ZDBk0znRRey4EXHLWBRaSV8RAAw9bNbbQEuq8IgHKD2Gny2ObJsV1WXdoGXwz/Kt
+zGLxkxN7VMH/euhCh/0aMr7sO4yRZgC72ub09FOxmDtEynuiurF5+jGJ8FoLHkke
+TMWpLls04hy4ITUCAwEAAaOByjCBxzAfBgNVHSMEGDAWgBQ6NIsF43ZYWMSHBJh9
+fh2MrF25TjAdBgNVHQ4EFgQUsMTcbBp2ScLfBL5qe3q9w9pjVuUwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATBcBgNVHR8EVTBTMFGgT6BN
+pEswSTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4w
+HAYDVQQLExVkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQADgYEA
+lvXRt3px1v5T+WzaqJpecpxWzan+l2WrMC4vCYTcyFyQvQKDZl2jGO2PubJTDLym
+xwenSbt7quBVMKJ9pbXkNe9gFQInbT/3+NMPsI9Kc3Ajn7cfWW8TslHPaxtG5pcM
+XQR5wls8vzdmE9pirEbf4HDsnKBfC5sP1GOAYhIt/Ms=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3A:34:8B:05:E3:76:58:58:C4:87:04:98:7D:7E:1D:8C:AC:5D:B9:4E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0*.(.&0$..U....CRL1 of distributionPoint2 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:94:d4:ed:c7:a8:0e:9d:16:d2:aa:4d:3e:d5:a4:72:af:7f:
+ e7:9e:83:e9:93:a6:92:a3:0e:48:39:60:27:0c:6e:75:4f:e0:
+ 1d:84:89:17:3e:09:85:f8:ac:32:b5:76:76:ab:09:64:95:4e:
+ ef:01:2f:34:69:4e:3d:53:96:7b:05:5e:c9:b4:84:62:a2:06:
+ bd:5f:6e:6f:c8:08:be:8e:d1:4f:33:72:5e:8c:0e:e1:2e:f3:
+ fb:23:7a:3a:34:3e:69:3f:6a:44:e1:a5:fe:cc:5d:60:23:95:
+ a3:48:97:bf:72:dd:2f:ab:fd:59:5c:d2:11:c1:4c:e1:f7:ad:
+ d9:03
+-----BEGIN X509 CRL-----
+MIIBnzCCAQgCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgZzBlMB8GA1UdIwQYMBaAFDo0iwXjdlhY
+xIcEmH1+HYysXblOMAoGA1UdFAQDAgEBMDYGA1UdHAEB/wQsMCqgKKEmMCQGA1UE
+AxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQAD
+gYEAjJTU7ceoDp0W0qpNPtWkcq9/556D6ZOmkqMOSDlgJwxudU/gHYSJFz4Jhfis
+MrV2dqsJZJVO7wEvNGlOPVOWewVeybSEYqIGvV9ub8gIvo7RTzNyXowO4S7z+yN6
+OjQ+aT9qROGl/sxdYCOVo0iXv3LdL6v9WVzSEcFM4fet2QM=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest9.pem
new file mode 100644
index 0000000000..3a3eeefc07
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest9.pem
@@ -0,0 +1,117 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs1jD9UP9Z
+XFXO9pXlwQaq3g11cXEADTlDc+W2RuUiBJXRjOhbt9pBqMwI7EhS41KMALd8ISna
+SAp5DDvmtp2z4X95eoizwZ9O5vtIw6XA7d5EwFr2c89INmIXFw2OA0K2Xj9K7eKK
+u95rUFjJM7qfZueTDyR8/qrUEUUhq+7gtQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUOjSLBeN2WFjEhwSYfX4djKxd
+uU4wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMagar2d/lP05a6g8iDgAc4i
+8GOkbbNIOguMdW9fwv9DvIJyDO/ruRnKgZJdY9osVBqR8pVP1qErhwboe+dIBgLA
+p1yRVbcPKEd/1xXrFhjoH9Wlp6CK6Al0LIJ7iQMoufcUzay6Bux5caNEH06+BnJF
+nhKgwK6jkVuYAf9HHtVh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid distributionPoint EE Certificate Test9
+issuer=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMu
+SW52YWxpZCBkaXN0cmlidXRpb25Qb2ludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0OTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0/suVDtpZX4ZdGIHhrhtDHDiiy4k
+5awaeTNhUVeZhKlIDNnniPSVG5/0Q2JlWvIywo/Ch0y41j/ihleGbI69zoL1p5z8
+hh+yK51J32JdQ5gpc49P1NnVtoNSZApTJt1VUR4LwJv1/AhIksEEOg6YHN3/yq/C
+wVMoMv7wnisqqykCAwEAAaNrMGkwHwYDVR0jBBgwFoAUOjSLBeN2WFjEhwSYfX4d
+jKxduU4wHQYDVR0OBBYEFLYB9DyXTb7g1exMOFd6gOIt97g+MA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEA
+HdkglZQIYTBxilyAJvuFkSrvNo90F3wuIb0FmfVrjH6Hs147bgRF9nsp3sh/VvC4
+gf7pwYRING0tY/RV+n79U2FxHcE3MN6WNGA+GX77LcWth+s3Sa6Hr5QMaUcapGbq
+2B+bkzQUiWX8sXPvX0KWzBmbcY3Aup56MpwytlF7ywQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3A:34:8B:05:E3:76:58:58:C4:87:04:98:7D:7E:1D:8C:AC:5D:B9:4E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0*.(.&0$..U....CRL1 of distributionPoint2 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:94:d4:ed:c7:a8:0e:9d:16:d2:aa:4d:3e:d5:a4:72:af:7f:
+ e7:9e:83:e9:93:a6:92:a3:0e:48:39:60:27:0c:6e:75:4f:e0:
+ 1d:84:89:17:3e:09:85:f8:ac:32:b5:76:76:ab:09:64:95:4e:
+ ef:01:2f:34:69:4e:3d:53:96:7b:05:5e:c9:b4:84:62:a2:06:
+ bd:5f:6e:6f:c8:08:be:8e:d1:4f:33:72:5e:8c:0e:e1:2e:f3:
+ fb:23:7a:3a:34:3e:69:3f:6a:44:e1:a5:fe:cc:5d:60:23:95:
+ a3:48:97:bf:72:dd:2f:ab:fd:59:5c:d2:11:c1:4c:e1:f7:ad:
+ d9:03
+-----BEGIN X509 CRL-----
+MIIBnzCCAQgCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgZzBlMB8GA1UdIwQYMBaAFDo0iwXjdlhY
+xIcEmH1+HYysXblOMAoGA1UdFAQDAgEBMDYGA1UdHAEB/wQsMCqgKKEmMCQGA1UE
+AxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQAD
+gYEAjJTU7ceoDp0W0qpNPtWkcq9/556D6ZOmkqMOSDlgJwxudU/gHYSJFz4Jhfis
+MrV2dqsJZJVO7wEvNGlOPVOWewVeybSEYqIGvV9ub8gIvo7RTzNyXowO4S7z+yN6
+OjQ+aT9qROGl/sxdYCOVo0iXv3LdL6v9WVzSEcFM4fet2QM=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest1.pem
new file mode 100644
index 0000000000..c873549a35
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest1.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitAnyPolicy EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kwIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYTELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTYwNAYDVQQDEy1J
+bnZhbGlkIGluaGliaXRBbnlQb2xpY3kgRUUgQ2VydGlmaWNhdGUgVGVzdDEwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALU75+fsqkoJ1rj9rLPys9PtX999U+V+
+71N40CaTnqxIlY4+U6A/BBm3iqNTQdcyEGo3Buy3OJEELx0+8jI3Sm9ja4iR/4tk
+gi9OYh29Ps0LcRyqUihECPaPFOvI2vEFJId74DFoUPgwNfPD0CzYkm1bYwNcMHwb
+0QMmUcxk8yTDAgMBAAGjZTBjMB8GA1UdIwQYMBaAFJ1AmGAI5sj9XNHYLwvqAOwa
+RQbPMB0GA1UdDgQWBBRgJfQvy84RFEADVPWlCcnfV9YiljAOBgNVHQ8BAf8EBAMC
+BPAwEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBBQUAA4GBAI1bh7Hi4BQZ
+w7LpH+0QxTA+hUMNiV3kKdM9vhGFAwm+UbQvTYeIDaIpDxX42Sv2j7Vw9Z9nkMc1
+UyaIcxezk4LAN4vG3WIJiO/eAFuCz49QWhE53AbRVprrra8N/Mzv0yB/8ysQ9fUJ
+AVMgwRz+4Fd2AoK0CWNHeDRUD+IN+enU
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBOzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTAgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALXCzoaXAEbX
+pgMPDk3SCu2nzrt+I18MsI4lg/0oLjQAgPsD0np8LOGHMzo3UBtfJtpV0BXCc+E+
++Ni+ehXFWfA4BXjFc3GdUdJmn7y3F9X7XSIauTE1GSYR2+bMW/IRbmjpMDzldmRs
+WNb40N+jWAxw1h+YN61Pv0MD7Ef2ds0NAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJ1AmGAI5sj9XNHYLwvqAOwa
+RQbPMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEAMA0GCSqG
+SIb3DQEBBQUAA4GBALhhUDb9VolIM2bKpbpat4dNjGrkOmVT/HvGBl+FGwSXa7Mj
+cLgZ3WygZ9gil3l7X+wL7lM9zKpXljV5WNpX+58RclQ2kK7Yk4qcY0tpPEUn8R4/
+9yg64Nferl/2gn9W79ODU3BiBFF/GiAJJ4SiwvLWl/JnPDoQuJv67IS24+Oa
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:40:98:60:08:E6:C8:FD:5C:D1:D8:2F:0B:EA:00:EC:1A:45:06:CF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 60:ab:a2:8a:e3:22:04:cb:95:4a:c5:ca:68:46:70:0a:d0:31:
+ b0:98:cc:ad:4b:23:8c:3e:fc:b4:c7:7a:93:0d:6a:31:68:c4:
+ ff:30:37:7b:5c:48:01:6d:e1:85:f7:d0:9b:73:53:ca:62:36:
+ 00:5c:29:c8:af:a6:40:62:d5:f5:af:32:a9:4a:b6:a2:a7:0b:
+ cb:bb:72:2e:3e:0b:77:64:17:8d:2d:59:2f:fc:cf:2f:1f:a6:
+ 77:83:9a:7c:68:b0:15:f6:5a:63:67:74:b2:3a:fa:74:b8:d3:
+ a9:70:e6:87:04:bc:4c:79:ef:c8:b4:31:70:17:ae:f3:ef:ae:
+ 7a:3b
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kw
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBSdQJhgCObI/VzR2C8L6gDsGkUGzzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBgq6KK4yIEy5VKxcpoRnAK0DGwmMytSyOMPvy0x3qTDWoxaMT/MDd7XEgB
+beGF99Cbc1PKYjYAXCnIr6ZAYtX1rzKpSraipwvLu3IuPgt3ZBeNLVkv/M8vH6Z3
+g5p8aLAV9lpjZ3SyOvp0uNOpcOaHBLxMee/ItDFwF67z7656Ow==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest4.pem
new file mode 100644
index 0000000000..a81968caaa
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest4.pem
@@ -0,0 +1,159 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAMvuM5rrG+hunxSZwR8TVsLND7teVaTAzIxbnJv0xpVvawDeQiN1A+CIdJH8
+TUXrgcfdU+E04StBCqDRBr1+DBMt/PuBDS/I2PcKqBuP6sfkSDr/lPYkbRBI8wZ9
+87H/ke7seqh7cSVORfqg4KupdEE3i2gxONHlTT/7XV0C5aOlAgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFGbbtZTHBcSzPiuRud/IqNBNKzREMB0GA1UdDgQWBBQpIHiUjoSQ
+KUJLfKsOgyq+NVs8FTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAuKZUyh6gvU8Ab5pl
+P79yddRQcx4G1navwUD3YSS7q2rnmqY2ucmHX8H1JsOhQUqvLL81fIqAkWPANAmQ
+K4NU/ZSkkjtfTcJy5oYsVXjz0MyLKOwrt52j8MLZsUW/TIf5e57kPbORC7RQhEr+
+yMDT6AY3En8iF4h8mqMhwnQnO3U=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitAnyPolicy EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGEx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE2MDQGA1UE
+AxMtSW52YWxpZCBpbmhpYml0QW55UG9saWN5IEVFIENlcnRpZmljYXRlIFRlc3Q0
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCulajzJmaByVbyDkLDGhU38CXN
+JW16bKIyjnbsg1tPLvigEcShDVU6jXZt8gRlscw+5nINvdOEYD9l/0QEzonMhVRP
+0GFT8aToKcCcPBlmhIA0PJqChMNZBGp4uitZKXKi8F8lGo09eB84V7bGs5YvP1LK
+J/G7vkncZXQbCUaX0wIDAQABo2UwYzAfBgNVHSMEGDAWgBQpIHiUjoSQKUJLfKsO
+gyq+NVs8FTAdBgNVHQ4EFgQUhUkKnqSDJde1NS49+ClAYeMS9kswDgYDVR0PAQH/
+BAQDAgTwMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQUFAAOBgQDK4Dok
+Sw1YWZrBgRIF5omNPAn9ZimPP/+5QRuYz42bdOl0F3v0uID3CnVfk+7UHbeylW/2
+n2KlU7OeOk5/B/FtFEm9RFaQIoeMkZadszaleUIvZxkrYkkwd///I0T9LzBBKUGV
+gDbif+oCGUYlgqLCQ/aXPDWA0mHKwmHD3FdRoQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:29:20:78:94:8E:84:90:29:42:4B:7C:AB:0E:83:2A:BE:35:5B:3C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 75:3b:42:7f:44:c5:fa:ab:b2:c4:63:ac:10:89:84:e0:50:32:
+ 4b:96:80:48:15:1d:19:1c:b8:49:6d:42:c3:4c:b4:bd:a0:29:
+ e0:14:56:1a:1d:df:92:90:19:27:a0:b7:f3:1b:7a:32:32:2d:
+ cd:ee:29:38:d0:75:8e:8c:51:9d:02:7f:92:a6:af:08:ef:23:
+ 8e:bc:b2:a6:47:36:d1:9c:e6:dd:4b:05:55:1c:56:47:1a:40:
+ 67:4b:01:bd:b4:d0:74:12:5a:97:83:20:d5:4e:a7:d2:bb:ad:
+ 52:a5:ac:13:44:fc:95:1f:d9:70:fa:a2:05:fb:73:e2:9d:15:
+ 61:ac
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUKSB4lI6EkClCS3yrDoMqvjVbPBUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAdTtCf0TF+quyxGOsEImE4FAyS5aASBUdGRy4SW1Cw0y0vaAp4BRW
+Gh3fkpAZJ6C38xt6MjItze4pONB1joxRnQJ/kqavCO8jjryypkc20Zzm3UsFVRxW
+RxpAZ0sBvbTQdBJal4Mg1U6n0rutUqWsE0T8lR/ZcPqiBftz4p0VYaw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest5.pem
new file mode 100644
index 0000000000..20f42c20ac
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest5.pem
@@ -0,0 +1,210 @@
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitAnyPolicy EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGmluaGliaXRBbnlQ
+b2xpY3k1IHN1YnN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+YTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTYwNAYD
+VQQDEy1JbnZhbGlkIGluaGliaXRBbnlQb2xpY3kgRUUgQ2VydGlmaWNhdGUgVGVz
+dDUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALJx+sbJu7vInzoWetJ2rz0L
+6GPGRCd/xtyjMfyMSExsWdgxczZPdBMn9ON9XI/ASBPwvhcoq2pB9VqD+g2X9tfV
+y7usPePkKYweFOPmIlrWZb9tAEfTgwkoHYiWEWazYt+6y65407713raA+9DmYQgX
+m9RHrTFiSVJ3Z9RAtBEHAgMBAAGjZTBjMB8GA1UdIwQYMBaAFHMQBPkM9GScsvEb
+je+3VaqkohmvMB0GA1UdDgQWBBQTUueG5HoT3TWlqqICt/b/VK5ROjAOBgNVHQ8B
+Af8EBAMCBPAwEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBBQUAA4GBAEp6
+lUPLqrzZI5cW9d33rfE+6PJIi7fI3T6aRuc2eG0GuaiGnwOJvwDXA1uHC2GzbiJZ
+U61janUuTgxWCdE7uDZFU7f4M6Ws0V/RP0BDzWca9mLZenhrmNFYwCp+9ve9QMMx
+6WjbrV0PBuEStbrdAH4wRquSNws7JKnHrpW2O88C
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subCA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF2luaGliaXRBbnlQ
+b2xpY3k1IHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSMwIQYDVQQD
+ExppbmhpYml0QW55UG9saWN5NSBzdWJzdWJDQTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEArf8a4YQqh0caACibKN+ne7IKGYWnwL8N2E4534sCUjlfic+5O3/s
+ELf3kOpyOfw7NMoMTXQcsi+9wtB24eilTbHwdStKU/Mt15FCe5go7GepA2TbdomL
+3mKUocf87YN4pZc8QBPA/hs5sYPbnCx4X2TK2oCNCwvfUgWWhnCN2mMCAwEAAaN8
+MHowHwYDVR0jBBgwFoAUSndiWCMHosO57sdu3+0AiYhNl28wHQYDVR0OBBYEFHMQ
+BPkM9GScsvEbje+3VaqkohmvMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCG
+LcmSqA61BeAN21ekDRt5DAa9UGDAU8Bp/txAT+4H81/dzp5710w8QBHUcViEoL7l
+Znf4/IR4isqKlRS6ctmN/K2BRJ/19TQiYN8JiaZQAluzpLlgMUV4iC+/JwZHnJZu
+2c4mhWPSSBfUqHME3sp4dQxsrZNou/yOwzhTjmsNVw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 CA
+-----BEGIN CERTIFICATE-----
+MIICljCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3k1IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSzELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSAwHgYDVQQDExdp
+bmhpYml0QW55UG9saWN5NSBzdWJDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAqzUjeD5TJL7TtPxRXU0nMcnBDmkPWyIAC1pNu3Tv0XwSE59I5Wr/Ytc+wMkJ
+dM4d1IFPKtN+MlzNv4dHwxOQrb9Fi3ItNVRIOLRIttgQFMvCWl0FTh9svTC8NIUZ
+lKD8zzDoBGD2ZEwHTYX1qLzneeTf3hMN4AyvxDVGekJWsdECAwEAAaOBjDCBiTAf
+BgNVHSMEGDAWgBTGAIxxpplipn/SVG/ybgTKMLU6vzAdBgNVHQ4EFgQUSndiWCMH
+osO57sdu3+0AiYhNl28wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI
+AWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GA1UdNgEB/wQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBABOzlfB8CEJvHMdfoVtuMRmwTdF+Ypyvb6ileMKr9P+8j4gRzVgr
+jZiHkH/a8ODtOat8ADR9USeVUAMIv2LZnw33x6xKWCZNJCwPysTVz72PLIPQ+2c0
+yeOayIZxdJb9hidU7BT4q6FdbFecUUgSZS5FySOod8WI1jYTyHNEZeLa
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy5 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJDz7OZ8u34K
+hjI6cDaSvyyjIWPPGVdObfPls5iLOT434gz5hx3uyX17mOJnw+/5rOgcqatRDJ1I
+mAI1pl0ZUVaaattiyBifI6LONlUpzVOmtr6yotsGY0DiCmtKBJh4geA9jQl/UCou
+of64Smt1vsIL3SqiWkqCg0XFrXpTCCz1AgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMYAjHGmmWKmf9JUb/JuBMow
+tTq/MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEFMA0GCSqG
+SIb3DQEBBQUAA4GBAGt+M+PIMRTWFAO2C58l6vCjg40P4NFF6B3LWjGcpPnRDYP4
+injOp/wD4IVvnXRpIFOq59qlJzmOJJDxCHGB11jkkxJK0v+pi7gvDrDw2av8wznR
+K735aiuC7KCpEy7tQ59Ive9M8PPOuQ+Vd3CgKhv0GuGNb/6M+3cojz0fCNx6
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy5 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C6:00:8C:71:A6:99:62:A6:7F:D2:54:6F:F2:6E:04:CA:30:B5:3A:BF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 4e:c7:09:29:78:ea:ef:43:a3:de:f8:6f:a5:b6:13:f2:ac:8e:
+ 93:7b:ce:f9:4f:12:e3:48:f5:f5:1e:47:b1:39:20:b4:ce:33:
+ ea:bc:72:c1:11:a0:ab:75:59:68:03:68:dd:c8:96:02:1d:73:
+ 7f:fa:39:9d:2a:88:ce:53:d0:3d:73:27:d3:61:6f:d3:75:01:
+ f2:2f:f8:02:cb:d4:00:63:71:eb:0c:84:19:10:d9:ac:48:6d:
+ 77:8f:3a:23:36:9a:63:98:4d:9a:16:bd:bd:08:1d:77:4b:59:
+ 98:21:d2:89:fd:1a:f5:f0:70:86:40:08:c5:be:59:5f:de:a8:
+ fb:f2
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3k1
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBTGAIxxpplipn/SVG/ybgTKMLU6vzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBOxwkpeOrvQ6Pe+G+lthPyrI6Te875TxLjSPX1HkexOSC0zjPqvHLBEaCr
+dVloA2jdyJYCHXN/+jmdKojOU9A9cyfTYW/TdQHyL/gCy9QAY3HrDIQZENmsSG13
+jzojNppjmE2aFr29CB13S1mYIdKJ/Rr18HCGQAjFvllf3qj78g==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4A:77:62:58:23:07:A2:C3:B9:EE:C7:6E:DF:ED:00:89:88:4D:97:6F
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 86:aa:0d:7c:0b:72:97:47:34:6d:6c:97:58:2d:d9:6a:0d:c5:
+ 8c:df:04:31:39:f7:22:cf:a8:20:3f:06:71:91:7b:72:cc:08:
+ ae:bd:b5:c6:21:ec:95:a9:7c:95:8a:4d:b0:f5:ab:ff:0f:bf:
+ 5c:24:8f:01:fd:f6:1b:d2:08:61:ef:d0:8a:6e:84:29:cf:6c:
+ 32:bd:79:b6:bb:e1:cb:71:c9:ef:eb:17:14:fd:ca:87:4d:c9:
+ 54:5b:47:ee:f9:39:c4:9c:c2:fd:64:0e:2b:66:8d:0a:a8:6c:
+ 83:9b:07:e4:fa:5d:8a:34:91:99:e9:9a:0d:34:60:7c:0c:20:
+ ba:44
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF2luaGliaXRBbnlQb2xpY3k1
+IHN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBRKd2JYIweiw7nux27f7QCJiE2XbzAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQCGqg18C3KXRzRtbJdYLdlqDcWM3wQxOfciz6ggPwZxkXtyzAiuvbXG
+IeyVqXyVik2w9av/D79cJI8B/fYb0ghh79CKboQpz2wyvXm2u+HLccnv6xcU/cqH
+TclUW0fu+TnEnML9ZA4rZo0KqGyDmwfk+l2KNJGZ6ZoNNGB8DCC6RA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy5 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:73:10:04:F9:0C:F4:64:9C:B2:F1:1B:8D:EF:B7:55:AA:A4:A2:19:AF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1d:c7:8a:0a:91:d4:7e:b5:29:3b:00:db:72:e0:8f:61:ef:9a:
+ d1:b2:cc:11:bb:06:bb:aa:dd:6b:aa:76:8a:44:f5:57:b4:d2:
+ ae:b5:28:29:7b:eb:06:a6:1c:c9:de:0c:61:d5:f4:6d:df:76:
+ ee:9f:d4:00:6b:29:2d:15:18:e6:cb:02:52:4b:48:38:4c:b1:
+ ed:4e:50:1d:60:68:92:85:86:b5:fb:98:d5:b5:1a:52:ba:a1:
+ 7e:d8:22:fe:b4:f1:04:b6:8b:6d:cc:5f:1f:dd:25:a2:a6:42:
+ f0:13:60:de:bf:2e:fb:d6:38:dd:ed:ec:ea:7c:dd:5d:f0:a7:
+ 4a:c3
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGmluaGliaXRBbnlQb2xpY3k1
+IHN1YnN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBRzEAT5DPRknLLxG43vt1WqpKIZrzAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQAdx4oKkdR+tSk7ANty4I9h75rRsswRuwa7qt1rqnaKRPVXtNKu
+tSgpe+sGphzJ3gxh1fRt33bun9QAayktFRjmywJSS0g4TLHtTlAdYGiShYa1+5jV
+tRpSuqF+2CL+tPEEtottzF8f3SWipkLwE2Devy771jjd7ezqfN1d8KdKww==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest6.pem
new file mode 100644
index 0000000000..ed99033596
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest6.pem
@@ -0,0 +1,159 @@
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitAnyPolicy EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCAIAP5
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBSUFQNTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MGExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE2MDQG
+A1UEAxMtSW52YWxpZCBpbmhpYml0QW55UG9saWN5IEVFIENlcnRpZmljYXRlIFRl
+c3Q2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmovuW9G83CLO5Kfr9ogDW
+3M2PMCzM46Btwj9BIzBg6T+Z0toxnoHQHTRXf2tp8Nj5bLXb66AotgJeHWXGrGxI
+Kjx0w4OKRuhiBVjMsT7gJmbmJ9neH+D6gfc83LPzHtMNrH0OPlfAEiCXGfTeHBug
+bMfQlc3WJ747aWkIv54emwIDAQABo2UwYzAfBgNVHSMEGDAWgBQFKWMS3ubCghc9
+e190DHOosBJvaDAdBgNVHQ4EFgQUswzkrq5gD2HHDjnsZYw9qjeh7WEwDgYDVR0P
+AQH/BAQDAgTwMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQUFAAOBgQBl
+Ndj1mSjoh6od200M/46rSMjCcoQ92FMFygp/7mEK3MomCWTKikCKTp1xDYS20vE6
+R2hCQlhkV2nRYNoSLvYM88uba0diTZDbX+txbiJ1DX82U9f0/zpXhCVLxc962ftK
+ZneaZF9AzYxqTvGS1yOwGFV7jimzg4ZdSKWcUX44+g==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCAIAP5
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICmjCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTzELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSQwIgYDVQQDExtp
+bmhpYml0QW55UG9saWN5MSBzdWJDQUlBUDUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBANW9X4Le7QZci9gVhxS6PY2u0Fxe2EtutUH8zZO66QHNyygwW510D4dQ
+tOvvKfuiS+Ciu2PV2zjc2AcL5U1x9j6hGKIl7NbVFo+mZbBV6GzWLP+oaTy8oz69
+BNSDXwFW6FPTOQbaiyRa8f4nXVFl3QQYM8jTdGGS9lalXnxusSE3AgMBAAGjgYww
+gYkwHwYDVR0jBBgwFoAUZtu1lMcFxLM+K5G538io0E0rNEQwHQYDVR0OBBYEFAUp
+YxLe5sKCFz17X3QMc6iwEm9oMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgNVHTYBAf8EAwIBBTANBgkq
+hkiG9w0BAQUFAAOBgQCzfOac7wbFryN6VSS2bfYlcBtdLypBJugZaDururS3VvRk
+Y9SVSAQSh/m+ydbzhZ8LyNw7e7Uj4mjGuyFzznlAHsWxyO0JTPbhUwutJ3QrQhJW
+kIbsGR97otFLnmhZwotzU9dr0LhhJEqeyrM64zPoOT2SyhbooCh7Oh27eUSSjg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCAIAP5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:05:29:63:12:DE:E6:C2:82:17:3D:7B:5F:74:0C:73:A8:B0:12:6F:68
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ cf:a9:d2:6e:1b:81:59:22:25:1b:6b:2a:df:26:ac:ee:64:cf:
+ 2d:65:1b:ad:15:43:22:fd:7b:ec:84:c0:8d:4e:b1:17:dc:9d:
+ ae:d3:45:ba:91:2d:b6:7c:be:a5:80:5c:d6:e2:89:80:fe:54:
+ 8e:15:90:f8:dd:e4:0d:c6:16:c2:24:6e:61:94:44:6a:fe:4d:
+ 44:ac:be:fb:46:4c:c7:3b:24:36:10:c1:d5:9c:89:3e:a6:f8:
+ f3:7e:0c:79:08:65:68:a0:c5:18:30:4c:d3:e4:c1:c8:7e:2d:
+ 9a:65:b6:e0:84:2c:b2:58:e2:fc:96:8f:95:13:cb:e1:e5:fa:
+ e8:9b
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRBbnlQb2xpY3kx
+IHN1YkNBSUFQNRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUBSljEt7mwoIXPXtfdAxzqLASb2gwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAz6nSbhuBWSIlG2sq3yas7mTPLWUbrRVDIv177ITAjU6xF9yd
+rtNFupEttny+pYBc1uKJgP5UjhWQ+N3kDcYWwiRuYZREav5NRKy++0ZMxzskNhDB
+1ZyJPqb4834MeQhlaKDFGDBM0+TByH4tmmW24IQsslji/JaPlRPL4eX66Js=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest1.pem
new file mode 100644
index 0000000000..785448794a
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest1.pem
@@ -0,0 +1,161 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClDCCAf2gAwIBAgIBNzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYaW5oaWJpdFBv
+bGljeU1hcHBpbmcwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQIzx8
+7J8x9DkeOhXlBG/eAUo6B99wk9uPjSwrZ7f+CXzaECXTCOk88n35mahe/lgpBbr8
+ujs9D6bCgS+AVciyqJAtZFW45FX6xjb6fcLzebF4HTOpBYVxkqlJ9nLLCkaBHMIq
+1U5jR8jDZhgTnMBvNm0yBdNFo6Lh6A5d+Gr5jwIDAQABo4GRMIGOMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBRs6ccKAUJAQfXzcI7u
+4dFSXtc3WjAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBADANBgkqhkiG9w0B
+AQUFAAOBgQDR8om42wMsHX434zvF/Yl3Lm4GBdFmFWIiRNpqH5iS8X1lGbi1pEAg
+m37Pvvobd5tcsZd2tsz0/DOTvntZhUdX5rmvN4x0i3JUXb9bOPMDs2iJs5oFF6Iq
+TSk9wJXUwsPy3ltGGWpU817s4uj8HU3tffkyOyc7j1u3l8x2LJWPvA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitPolicyMapping EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping0 subCA
+-----BEGIN CERTIFICATE-----
+MIICozCCAgygAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMCBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MGUxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE6MDgG
+A1UEAxMxSW52YWxpZCBpbmhpYml0UG9saWN5TWFwcGluZyBFRSBDZXJ0aWZpY2F0
+ZSBUZXN0MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsNiBmaKBCN2+twi8
+zZHkggWucFtI5ZszQOXjX8ivFQMOkIaUz2HqFIeurNmSEN2Ta8WHJJ/thRgpUF4l
+p8ovjgthh7/tScnTlJMN60ros1uQl6+qm/dzqn8kQ42EGLA9n6Ut5LuJ8AGCil+L
+9TFs7vbPktHo0h2YcwCvEjyyZRECAwEAAaN5MHcwHwYDVR0jBBgwFoAUMLGv3K7V
+MPIMOabjLBUhOK+ii9AwHQYDVR0OBBYEFDO/lIeGch/Q9DaWzigYcWwKxuVBMA4G
+A1UdDwEB/wQEAwIE8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUD
+AgEwAjANBgkqhkiG9w0BAQUFAAOBgQCKhd9JcXnw+W9w7fb+IhKEeepUh2J7y4w6
+11+U8Skm7KgNeSHdCzQjFMqGyeoJK+XV1j21mGK1YqXrbLjo+fHbHF68tf2rzWTC
+Y2igOFwDQFpFFbqrKbYogBOuqR8TCR3LFH9mypYIqbcfiohQF5XSwMnyNEzDc8WH
+hEapxbpusQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping0 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping0 CA
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRQb2xp
+Y3lNYXBwaW5nMCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8x
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UE
+AxMbaW5oaWJpdFBvbGljeU1hcHBpbmcwIHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDWkQsHOT5qYxFfYJsGV/LbLwMtr5DBFdB/k19gzvAjYpjlKgVD
+MgfJDc/d3WyMB8t5oICqdJDVFEq4JBU+T/J27G89SJusZSRJdmQXogfiXWHSOXtA
+f3Z4IcRxAwjoNJaF6n9LR2q5YTDIoiEK3+h1jhOiNoFwYmvTajzcJ15SKQIDAQAB
+o4GlMIGiMB8GA1UdIwQYMBaAFGzpxwoBQkBB9fNwju7h0VJe1zdaMB0GA1UdDgQW
+BBQwsa/crtUw8gw5puMsFSE4r6KL0DAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZI
+AWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKnjTqcv
+cg3JfloLHCOwWWPdk64BNIs0gLMI584sPNdiQR5bCz4KCoKMzvzIEZDL+kVo6RnR
+l39fdQ1rIbv5lE6nUVlTJNcj5Mq66NMsdVFsz5plRGUN4YpEDhz30hiwjkoo/B6N
+Bs76rDEC1VReVfNcwcglyKXIIEjHTMMsG0GH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:E9:C7:0A:01:42:40:41:F5:F3:70:8E:EE:E1:D1:52:5E:D7:37:5A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ cc:98:13:01:ea:eb:7a:16:12:f0:2e:66:3a:2e:6b:fd:c4:2a:
+ 17:89:46:64:18:5a:ca:d2:00:55:3e:bd:00:bc:ce:f4:76:7e:
+ 68:bf:f2:73:cb:d2:04:b4:e4:b4:21:6b:e0:4e:ea:c5:61:20:
+ 3d:b8:db:61:e2:d5:27:19:48:65:cb:47:d1:66:3b:29:a9:c7:
+ 66:f6:11:09:2c:48:9a:c3:37:a9:b0:74:16:91:b3:d4:ea:90:
+ 2c:af:a8:4a:6a:1f:4e:fb:40:b0:e8:5e:13:58:f6:cb:82:53:
+ 47:43:79:ef:05:89:6b:5e:e9:99:1c:1e:83:07:10:5d:40:ed:
+ f2:06
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRQb2xpY3lNYXBw
+aW5nMCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUbOnHCgFCQEH183CO7uHRUl7XN1owCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAzJgTAerrehYS8C5mOi5r/cQqF4lGZBhaytIAVT69ALzO9HZ+aL/y
+c8vSBLTktCFr4E7qxWEgPbjbYeLVJxlIZctH0WY7KanHZvYRCSxImsM3qbB0FpGz
+1OqQLK+oSmofTvtAsOheE1j2y4JTR0N57wWJa17pmRwegwcQXUDt8gY=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping0 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:30:B1:AF:DC:AE:D5:30:F2:0C:39:A6:E3:2C:15:21:38:AF:A2:8B:D0
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ ce:d5:06:91:52:5b:f0:21:b9:9e:d1:3b:5c:d3:17:a9:f1:b7:
+ 70:51:ab:64:ac:d3:3d:4b:e6:bd:eb:68:fb:0b:45:7e:04:45:
+ 4b:26:b5:fd:ca:66:7f:39:9b:42:2d:bc:1a:56:92:65:39:2a:
+ 28:6b:d3:6a:7e:6a:8f:eb:c6:2c:3f:29:1e:73:75:9e:dd:01:
+ 19:29:e5:d4:5c:fd:d8:ce:15:81:35:f7:8c:45:19:1a:64:35:
+ 79:e2:00:cb:3c:38:56:63:11:38:05:07:c6:1c:c4:27:61:fb:
+ 0e:a8:b1:1a:3c:6f:8c:e9:0f:3c:8e:ab:d7:3a:45:bb:15:4b:
+ 41:60
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMCBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUMLGv3K7VMPIMOabjLBUhOK+ii9AwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAztUGkVJb8CG5ntE7XNMXqfG3cFGrZKzTPUvmveto+wtFfgRF
+Sya1/cpmfzmbQi28GlaSZTkqKGvTan5qj+vGLD8pHnN1nt0BGSnl1Fz92M4VgTX3
+jEUZGmQ1eeIAyzw4VmMROAUHxhzEJ2H7DqixGjxvjOkPPI6r1zpFuxVLQWA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest3.pem
new file mode 100644
index 0000000000..b1fe680fbd
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest3.pem
@@ -0,0 +1,216 @@
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitPolicyMapping EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICnDCCAgWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBlMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxOjA4BgNVBAMTMUludmFsaWQgaW5oaWJpdFBvbGljeU1hcHBpbmcgRUUgQ2Vy
+dGlmaWNhdGUgVGVzdDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKb7DrW9
+Hb+KTJCO7IrKHRUs3FihVXeQr2+m4mUyxOo1SFMZQq+7bojuyImkv08GBbeMXPqV
+RHdNWwVUgMMfynWekNRrlwGFNAfSKd+vxmPUTTqzH6fxQqCRx1CGp4dVV1o9BTES
+DuwmZurFPYEu2/tf6gnxaHBNUUsYqRdztXIZAgMBAAGjazBpMB8GA1UdIwQYMBaA
+FFqTS++Wnq4+QxYmpBgeeYui5pshMB0GA1UdDgQWBBS7Wt9YatmqgSrox0Q7yWRL
+lJU+9zAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAFMA0G
+CSqGSIb3DQEBBQUAA4GBADOVfkwUiMO6wkkOxQ/lMXr+bjJlFLz4nFQx7/YBmUBH
+cn7z1B8KAhf9SlqwOmMSz0OD/1ALmdjyX0oymWVB9RWyQyvvmin7tTZKBW0KdcQZ
+GKmRog0HaZ8rHx37ewB3ANJfyarjBABp9einu4Aj8ak+aePYU1mth1YNGS1YVwfb
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpjCCAg+gAwIBAgIBODANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxMiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+s4T6CQeTrbqUSlSczfx8iMSRK4ip9F4liS7giqCrZeZYEuP+/XoRZKzqmT3G+io6
+zcenL7cegP9DJnTNuZ1nHEoeJTlhQZq00PD1n33OMK0zhMIirByYBpabztuw1dJ0
+MKKcRzJ1AswgccI8seh2W1FXdFo/vGkDOkcD21Se0XUCAwEAAaOBnzCBnDAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUj3Ywg1+jhUuQ
+FB4GBHs3AQUgJmYwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUD
+AgEwATAMBgpghkgBZQMCATACMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgw
+BoABAIEBATANBgkqhkiG9w0BAQUFAAOBgQCXSeQ5mEkpmqCHstAZJbAGVSNrj3ka
+eA0k2v+n7vDeZ+9F8bByDiBBz3RMTqmdZxQ6zroOPsw66HLxv5D7oJImbhyvFrnN
+uxPGh8hvvP67N7UT9cM0RAoIQHmoI+3+o9cqOnTIJWXXPyq5q08yTrUt1lzFyrcK
+wGB7PyQXRRDWjA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+KzApBgNVBAMTImluaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3Vic3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJiRgbTlXD7Tr33rE8bkM1fLhA/0RcC0
+n6UIcVb6xSELqRqVIpXK2C038i/3Ta6+eoiCdjT6kvQwsM9uMBJnB7uePzDzpkSE
+G3Php6MSbnAO+6LPrGFBJ0LNo6yXvsV3HQ1Uwh8iND8Yt37obPJ05PzfU6hSnMgV
+47YDMrmE5h+5AgMBAAGjgbMwgbAwHwYDVR0jBBgwFoAUF3qKMAb26lw2QA2u2J+/
+ub2CzFIwHQYDVR0OBBYEFFqTS++Wnq4+QxYmpBgeeYui5pshMA4GA1UdDwEB/wQE
+AwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAMwDAYKYIZIAWUDAgEwBDAmBgNV
+HSEBAf8EHDAaMBgGCmCGSAFlAwIBMAMGCmCGSAFlAwIBMAUwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOBgQCh/ZM7m2L0OxzF6RXxeVUhY5xlTjRO0HGd
+0xOnDkOesSYfCI4gUflMo6/T9Ot67Vnb9mgzwWSEXB6g2R22/3DVR1ord/UgZFKe
+w4llbMnwRS5e3zjqLGsLeWk2ZdyjoD2vmKiFBiX+rlHvaLk+5xYcGEfOupTVqWMO
+OHuz9iinWQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH2luaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBAMX6LszkJcSryGVxfI4egJDv3zFztB0M+jGHKEc8
+uPkbpVlPSjM2LWqUOks/C1q34lfaC6J5O+V3/DmN7GjLpJmdjBDn7k/aqGeE7XHR
+Wns707M/rcEWxPP/ErMQNIsqSkvy92GtwuaG7wsY4a+KyB0YCdqikJr6oK2Cvhwf
+LmC1AgMBAAGjgc0wgcowHwYDVR0jBBgwFoAUj3Ywg1+jhUuQFB4GBHs3AQUgJmYw
+HQYDVR0OBBYEFBd6ijAG9upcNkANrtifv7m9gsxSMA4GA1UdDwEB/wQEAwIBBjAl
+BgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBABgNVHSEBAf8E
+NjA0MBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAMwGAYKYIZIAWUDAgEwAgYKYIZI
+AWUDAgEwBDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAE3ZflJR
+6b/Pwip7bO1ZIkiym+8uTzlT5nx3CF4P5Yyhje4VKVqoAOdljbZoaL5x1Zdd733W
+MxbQk/QP+wziLjZJlnqX+lSxg4wUiSU6mGtDJ1rPwMsbiiVBld7iP5JhFAWoTg0b
+XJ0ZSTHABPtNeMg2desSHwfh2I5WtX3hpXwE
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8F:76:30:83:5F:A3:85:4B:90:14:1E:06:04:7B:37:01:05:20:26:66
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1f:20:b6:9f:f6:68:a0:22:5f:24:73:c0:ac:bc:8b:05:86:58:
+ 7b:97:ad:38:8e:70:61:7c:17:9d:38:21:06:0a:72:b5:41:3c:
+ b6:9a:93:77:6f:e3:15:e6:06:74:67:90:b1:95:56:f2:be:52:
+ 21:6a:de:f7:bf:d9:2c:12:11:9d:dc:f9:ba:46:f9:92:24:75:
+ ef:83:af:a2:8b:3a:79:da:ca:c5:72:a4:7b:19:e1:a2:f7:02:
+ 18:92:eb:a6:1b:74:bc:ba:62:51:d6:9f:69:af:20:34:3d:43:
+ 08:e7:15:da:75:79:b7:81:6e:ae:95:08:cb:7d:e0:3a:50:7e:
+ c1:7e
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFI92MINfo4VLkBQeBgR7NwEFICZmMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAB8gtp/2aKAiXyRzwKy8iwWGWHuXrTiOcGF8F504IQYKcrVB
+PLaak3dv4xXmBnRnkLGVVvK+UiFq3ve/2SwSEZ3c+bpG+ZIkde+Dr6KLOnnaysVy
+pHsZ4aL3AhiS66YbdLy6YlHWn2mvIDQ9QwjnFdp1ebeBbq6VCMt94DpQfsF+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:17:7A:8A:30:06:F6:EA:5C:36:40:0D:AE:D8:9F:BF:B9:BD:82:CC:52
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 01:73:17:d4:24:e8:3a:79:6d:9c:a4:96:74:fd:60:fa:65:82:
+ c6:0a:26:9c:64:d6:f8:c5:01:8e:ce:70:b2:a4:1a:a0:1c:41:
+ df:1e:a2:36:1b:4f:2d:56:6f:ef:e2:fb:e7:84:d3:aa:0c:08:
+ 04:44:67:57:88:8b:34:b1:74:8c:57:96:9b:e2:b7:dc:2e:d4:
+ a3:05:41:bb:24:fa:be:2c:a4:cf:be:0a:aa:8d:64:ff:6f:ee:
+ e1:24:c8:06:8e:15:fb:fd:19:fe:92:d6:55:84:ae:71:58:2c:
+ 6a:65:53:34:39:20:43:1a:5b:20:41:81:00:6c:5c:10:25:b0:
+ 3f:f3
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFBd6ijAG9upcNkANrtifv7m9gsxSMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAAFzF9Qk6Dp5bZyklnT9YPplgsYKJpxk1vjFAY7OcLKk
+GqAcQd8eojYbTy1Wb+/i++eE06oMCAREZ1eIizSxdIxXlpvit9wu1KMFQbsk+r4s
+pM++CqqNZP9v7uEkyAaOFfv9Gf6S1lWErnFYLGplUzQ5IEMaWyBBgQBsXBAlsD/z
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5A:93:4B:EF:96:9E:AE:3E:43:16:26:A4:18:1E:79:8B:A2:E6:9B:21
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 64:90:80:33:7a:e3:e8:e4:66:09:4e:4d:1d:ae:cb:f4:f5:b2:
+ ea:4d:48:24:be:04:8f:39:9e:c1:da:6c:14:fa:0a:a5:be:47:
+ 84:19:27:c0:3e:15:ab:18:78:71:0e:93:e7:6e:c8:05:ea:f2:
+ bd:c3:7b:fc:52:04:be:fc:b2:22:80:81:35:b3:ab:57:7b:23:
+ ca:39:66:ed:47:19:cd:1f:2c:ab:14:4a:28:5d:23:ab:24:7b:
+ e3:51:bb:78:79:05:20:25:ff:13:4f:c5:d1:2c:e1:67:b3:e4:
+ 29:35:2b:1c:5e:aa:01:17:aa:49:bb:04:66:52:a3:1a:7c:0b:
+ f5:57
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFFqTS++Wnq4+QxYmpBgeeYui5pshMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAGSQgDN64+jkZglOTR2uy/T1supNSCS+BI85nsHa
+bBT6CqW+R4QZJ8A+FasYeHEOk+duyAXq8r3De/xSBL78siKAgTWzq1d7I8o5Zu1H
+Gc0fLKsUSihdI6ske+NRu3h5BSAl/xNPxdEs4Wez5Ck1KxxeqgEXqkm7BGZSoxp8
+C/VX
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest5.pem
new file mode 100644
index 0000000000..a14824bcb7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest5.pem
@@ -0,0 +1,264 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subCA
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nNSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmc1IHN1YnN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQCzgPv0jUMseTafKoAOspqZCAtVctNqO5SipAee2vLt
+7PijWRyqmveQUmDdJ5SFkFnevzRHhOINFIhKjygmtJQe0px86XknNJhW6OPICI2M
+jxgzst9Cs5w3cYjsOxsD5+FXzritqz6jSQ8Fa52IhmBYcbRncSOcu2IOGGMOUfLf
+7wIDAQABo3wwejAfBgNVHSMEGDAWgBTvkHRdvSchXG13RCZt3L/7vmNrCzAdBgNV
+HQ4EFgQUBN9qa50ER9oRS3e69lS0UhaUJsowDgYDVR0PAQH/BAQDAgEGMBcGA1Ud
+IAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4GBALo5V4PwqAf314Emx79p7ce/cKrLjdi63pS2BsN4dFQ7TbY4Uru6/0Gc
+lZvOzyBVyvb4KxYTgvmOUkaNIpEe6xyRjHN5oAOEuOOgnXjL6kQz1st793h3WaTA
+hTg1AyHkktBRVhr0g1rCHCsGdrq6HSU9jZqvOOPaWomS+woTciNh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClDCCAf2gAwIBAgIBOTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYaW5oaWJpdFBv
+bGljeU1hcHBpbmc1IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmgb4z
+lKzduO0U0YgdsR69hYe1HUrPtFTUc7C3KMaX2LsYdutgdW5fQ5atnORTBTTRY11C
+G4hIuo7WabxJOcSK9lrleEw58bZjDsNc5/o8xo3cF1zkmc6/DH4P5CGxk0nOzeLY
+XJ9vyj/nZc5i0k6H7NU+cde/s5tknCDntmnf3QIDAQABo4GRMIGOMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBRAFr9wLgI4+Lavp1rZ
+sgNDWZj1TDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBBTANBgkqhkiG9w0B
+AQUFAAOBgQAfLQvmb/5mx+Mi05zSJQyITwTfrw+AMrYezSpljeUZcymBLkK64BCs
+eVXrxImcI3hi3oWPcJL2dt5mmQB/o96qOYkEBbxDD0WQ0rwKgXOODhD+Di5aZPqB
+g9ZeBDxQgveLqLpEh0JL0MwJDLXH8Lca6XVdmPmFuaob3aIOP/zdcQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitPolicyMapping EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubsubCA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xp
+Y3lNYXBwaW5nNSBzdWJzdWJzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMGUxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czE6MDgGA1UEAxMxSW52YWxpZCBpbmhpYml0UG9saWN5TWFwcGluZyBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0NTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqU2HY4J5
+i4TyagwhHyTz6DgQT7GKk0xSor3iKrPjBUTpEVWM041qODnfp8RL42lhZ24okQbQ
+8DoNH5dL/jtH5RsbZnfJnhHL8GDttKjLwHpRVRLbv4IlV4eQoPzTSRR7D0ishs06
+PdRXDoy0+UhNcABrm3ko1gZjAcPRL/ammFMCAwEAAaNrMGkwHwYDVR0jBBgwFoAU
+JLZxrVfA94Sar1a34h5IbPP9rjEwHQYDVR0OBBYEFEqYOSxfq1nokOSM2rwp2uDB
+0O6pMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAIwDQYJ
+KoZIhvcNAQEFBQADgYEASMkNNbv9N1yfYt5C2j3Lmy5rhbrTjrEDjNCJsQ1Pun3c
+qrJCtX52pGRNef3Sabh2W4jOExljobE/P45PdPw5uJtQd7YgGN58cr6wOz08SA2c
+j4vAlaNjcbNW5d3sUX6LgXFOHsamawjTncegVpR7mCY8lqVjxmW9ha9NF7h6ACY=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 CA
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRQb2xp
+Y3lNYXBwaW5nNSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8x
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UE
+AxMbaW5oaWJpdFBvbGljeU1hcHBpbmc1IHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDcDskVa22gKY6hi1NN0qxc3EGcrc7Ef9QD5LomWJ0NbPF2omux
+VOp4diM850F8rFaVpqHpOI6ElWc1K4PYVN+gp/sZ5V6unFR0ixzEvpsPTZa38btH
+kcqGMFfxw/f5HtdvgB1dt09da6xG2UFKxnubgQuxUPEx9FcEYSCrbLq3gQIDAQAB
+o4GOMIGLMB8GA1UdIwQYMBaAFEAWv3AuAjj4tq+nWtmyA0NZmPVMMB0GA1UdDgQW
+BBTvkHRdvSchXG13RCZt3L/7vmNrCzAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0kAQH/BAUwA4EB
+ATANBgkqhkiG9w0BAQUFAAOBgQBNZ4dVlouj30O2fD0c418lyzVO85YIAuof3wDW
+LW4XjH/r40L/BUPDyFJceZXA7Yaym+UuYLZh9RQBEtkplLkcqgezH5GT5EkefBjQ
+CrQFgsqRttLQAuw03v+2I9a8vHY3u0L2puzJQ1l1GkV4gqSAgEv2YVdva0gkq7sQ
+52udtw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nNSBzdWJzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMFUxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEq
+MCgGA1UEAxMhaW5oaWJpdFBvbGljeU1hcHBpbmc1IHN1YnN1YnN1YkNBMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT9hQ7qYK6NHbsH0I4rzox6PZHPasVXKNr
+Er1k+U5DVQ4tuCaZk6QEdBpLSMc4V62MtVl6mu/Zox73h6yvllHZDBuH63fEVFLc
+WWCQ0TejhcMx4wp6A0TVqocawS4C1gMhOeXrYZ18ZWakU8DPVwOb23y4/zseqUt6
+1tXPvs2uwQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFATfamudBEfaEUt3uvZUtFIW
+lCbKMB0GA1UdDgQWBBQktnGtV8D3hJqvVrfiHkhs8/2uMTAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZI
+AWUDAgEwAQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4GBAHwn3D10SDne03e21/XMdNEGPmNE+jCS3S12gtAPbeHa3KxqsmmuBcEv
+ahsKPoF8CtAAPiLUK4M9GqwK5Vf0bsBlduOnF6vSnZQGKp9OQKOhbTfIoLSWRGIF
+TtQX94lVnOBpO+qXCl+FBKm/eUGyAa6/K1s6vwVtNwW2uT1YPKe/
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping5 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:40:16:BF:70:2E:02:38:F8:B6:AF:A7:5A:D9:B2:03:43:59:98:F5:4C
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 6f:3b:6c:aa:51:1a:cf:0c:81:3f:8c:c1:f0:60:03:0a:7f:36:
+ 01:0d:82:fe:71:4a:14:99:5d:f7:cd:33:30:2c:e5:11:0c:8b:
+ 6e:7e:79:6f:56:9a:eb:cc:20:49:44:c0:1d:33:2a:3c:52:98:
+ 3a:dc:32:37:d1:54:16:96:4c:b8:e5:32:39:ae:93:d5:8b:1d:
+ 36:06:b8:bc:05:d5:d9:71:bf:79:4f:b9:45:6d:86:50:38:b1:
+ af:af:68:eb:32:c5:77:86:53:6f:d8:dc:f1:a8:bc:e2:fd:e0:
+ 4b:81:5b:1f:33:7f:9d:2e:45:c9:66:1d:5d:8c:da:ad:79:aa:
+ 8b:7f
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRQb2xpY3lNYXBw
+aW5nNSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUQBa/cC4COPi2r6da2bIDQ1mY9UwwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAbztsqlEazwyBP4zB8GADCn82AQ2C/nFKFJld980zMCzlEQyLbn55
+b1aa68wgSUTAHTMqPFKYOtwyN9FUFpZMuOUyOa6T1YsdNga4vAXV2XG/eU+5RW2G
+UDixr69o6zLFd4ZTb9jc8ai84v3gS4FbHzN/nS5FyWYdXYzarXmqi38=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:EF:90:74:5D:BD:27:21:5C:6D:77:44:26:6D:DC:BF:FB:BE:63:6B:0B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 33:e0:23:55:35:fa:8c:e8:35:21:f8:35:28:a6:2f:57:5b:6b:
+ df:3e:12:97:76:05:15:72:73:5c:da:7b:17:86:63:13:80:19:
+ 33:5e:c8:f6:3b:13:a1:33:e0:06:ed:1a:8e:1f:ef:8a:02:cc:
+ 9e:33:22:c2:b5:94:05:32:98:0e:65:71:02:c4:ae:e8:36:9d:
+ 81:d3:9e:24:51:01:77:ea:d1:a9:a1:e6:04:c5:62:bb:82:2a:
+ 7f:aa:3a:59:a6:72:48:95:07:91:ba:34:20:26:a9:d4:ef:6b:
+ 11:09:57:8e:64:19:29:70:77:34:92:e3:eb:82:9a:c1:ee:a9:
+ 83:32
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nNSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAU75B0Xb0nIVxtd0Qmbdy/+75jawswCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAM+AjVTX6jOg1Ifg1KKYvV1tr3z4Sl3YFFXJzXNp7F4ZjE4AZ
+M17I9jsToTPgBu0ajh/vigLMnjMiwrWUBTKYDmVxAsSu6DadgdOeJFEBd+rRqaHm
+BMViu4Iqf6o6WaZySJUHkbo0ICap1O9rEQlXjmQZKXB3NJLj64Kawe6pgzI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:04:DF:6A:6B:9D:04:47:DA:11:4B:77:BA:F6:54:B4:52:16:94:26:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1c:39:2f:17:f0:d4:ca:3a:70:97:52:46:b0:ed:08:8e:3a:3a:
+ 92:e3:5e:f5:33:4c:73:0a:a8:14:49:ae:ca:d8:90:6f:e1:ec:
+ 23:36:9f:95:e8:a9:d2:b1:6c:2d:99:94:21:f2:6b:7f:98:c8:
+ f4:e7:f0:a8:26:e4:58:e6:a1:f4:68:dc:10:33:a1:c6:c5:0f:
+ a7:a6:7d:1b:4e:cf:6e:b7:72:71:a2:6a:d2:e5:e5:e1:b8:d7:
+ 88:3a:a8:d2:e7:bd:a4:ce:ff:1f:ca:f5:7e:7d:fd:2c:4c:03:
+ 2f:96:87:d8:4b:ba:35:a3:63:e2:87:cd:95:2e:c9:34:97:9c:
+ fe:30
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nNSBzdWJzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUBN9qa50ER9oRS3e69lS0UhaUJsowCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAHDkvF/DUyjpwl1JGsO0Ijjo6kuNe9TNMcwqoFEmuytiQ
+b+HsIzafleip0rFsLZmUIfJrf5jI9OfwqCbkWOah9GjcEDOhxsUPp6Z9G07Pbrdy
+caJq0uXl4bjXiDqo0ue9pM7/H8r1fn39LEwDL5aH2Eu6NaNj4ofNlS7JNJec/jA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping5 subsubsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:24:B6:71:AD:57:C0:F7:84:9A:AF:56:B7:E2:1E:48:6C:F3:FD:AE:31
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 35:d5:ce:cc:ec:10:2e:1a:1a:f7:ff:19:1f:16:bd:7e:46:c2:
+ ea:f8:79:b1:36:48:74:28:e9:6a:68:59:f0:a0:32:c5:9f:64:
+ f4:02:5a:bc:5c:2a:bb:62:10:2f:73:66:a7:cf:de:b7:77:26:
+ 1b:c8:7a:95:6a:2f:1d:e6:3e:db:1b:15:02:3b:fe:bf:e1:5f:
+ 3f:08:29:6b:a7:84:0a:08:46:6f:66:f3:71:84:41:97:8f:96:
+ 02:39:ab:ea:c3:c9:21:99:1f:6f:93:5d:19:4b:df:95:59:60:
+ 0a:71:2b:a9:e6:a1:bc:e0:e4:fc:5e:b4:a6:2c:99:a0:2a:76:
+ cd:d4
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIWluaGliaXRQb2xpY3lNYXBw
+aW5nNSBzdWJzdWJzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUJLZxrVfA94Sar1a34h5IbPP9rjEwCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEANdXOzOwQLhoa9/8ZHxa9fkbC6vh5sTZIdCjpamhZ
+8KAyxZ9k9AJavFwqu2IQL3Nmp8/et3cmG8h6lWovHeY+2xsVAjv+v+FfPwgpa6eE
+CghGb2bzcYRBl4+WAjmr6sPJIZkfb5NdGUvflVlgCnErqeahvODk/F60piyZoCp2
+zdQ=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest6.pem
new file mode 100644
index 0000000000..1e617839c9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest6.pem
@@ -0,0 +1,217 @@
+subject=/C=US/O=Test Certificates/CN=Invalid inhibitPolicyMapping EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCAIPM5
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3Vic3ViQ0FJUE01MB4XDTAxMDQxOTE0NTcyMFoXDTEx
+MDQxOTE0NTcyMFowZTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMTowOAYDVQQDEzFJbnZhbGlkIGluaGliaXRQb2xpY3lNYXBwaW5nIEVF
+IENlcnRpZmljYXRlIFRlc3Q2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+pIyvpHy1AEaR244X+WehPi6kJ4zfm/clYT73uCvd/wtRc1ecFT83WALtOg6iWRxn
+DxQ/Av2+6Sb5BGvOIyHVT/2cJIf325EZ/zxW6u9qb6+u2oWp8PX5ddUbH7yKAmXm
+l3p3cVsZB1GkL4KdBrCQGdF8Khnb5cF5YBSuYEPZXQIDAQABo2swaTAfBgNVHSME
+GDAWgBQkqwNVlYuV1wNEx93/fv32kbGgFjAdBgNVHQ4EFgQUYSBfuS0yhqXL/Jfv
+5l9yYaw12g8wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+AzANBgkqhkiG9w0BAQUFAAOBgQBa/IMv8cgYRBzo8cjsbIb+tzD4986MKnaHn5lL
+SEdCOU8nZTscVwdXEg0N1Bza86ara3HXHtgpLauXgmcA0L7BUkGJty9vIMzqc6LN
+VfDTX5iZoftoIKzFx8AsQio3Y9BlGRGU1NxKWyvrZj+PvT9lXym/Moe+b5pxez8b
+WLtRZw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpjCCAg+gAwIBAgIBODANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxMiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+s4T6CQeTrbqUSlSczfx8iMSRK4ip9F4liS7giqCrZeZYEuP+/XoRZKzqmT3G+io6
+zcenL7cegP9DJnTNuZ1nHEoeJTlhQZq00PD1n33OMK0zhMIirByYBpabztuw1dJ0
+MKKcRzJ1AswgccI8seh2W1FXdFo/vGkDOkcD21Se0XUCAwEAAaOBnzCBnDAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUj3Ywg1+jhUuQ
+FB4GBHs3AQUgJmYwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUD
+AgEwATAMBgpghkgBZQMCATACMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgw
+BoABAIEBATANBgkqhkiG9w0BAQUFAAOBgQCXSeQ5mEkpmqCHstAZJbAGVSNrj3ka
+eA0k2v+n7vDeZ+9F8bByDiBBz3RMTqmdZxQ6zroOPsw66HLxv5D7oJImbhyvFrnN
+uxPGh8hvvP67N7UT9cM0RAoIQHmoI+3+o9cqOnTIJWXXPyq5q08yTrUt1lzFyrcK
+wGB7PyQXRRDWjA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCAIPM5
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+-----BEGIN CERTIFICATE-----
+MIICujCCAiOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBXMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLDAq
+BgNVBAMTI2luaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3ViQ0FJUE01MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg4hWz7PbBhsTO+fpr6qznJLoay+MQhSxm
+gq7gcER+qcx6hOwpIxvX2HUQ/q5RqJ6X539C1HyngpS383VGDqxzWTILMJ9p79He
+5GhleTga2r/BSvq51G4uSJz4iJUJDEhzhQncRKUY65v1L8dz+lh/IHLRBGues3zP
+dWc1cRQ1mQIDAQABo4GcMIGZMB8GA1UdIwQYMBaAFI92MINfo4VLkBQeBgR7NwEF
+ICZmMB0GA1UdDgQWBBTm3o5WsPOWysSqTpK6CZqUqZRwPjAOBgNVHQ8BAf8EBAMC
+AQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwDwYDVR0T
+AQH/BAUwAwEB/zAPBgNVHSQBAf8EBTADgQEFMA0GCSqGSIb3DQEBBQUAA4GBAEge
+Ag2ZoOuHLLqscTmz4NbRwXvWWtesM8lVBhQtShOlAgBpxm6c7kd4e1LMeAPN7yPD
+63DL3mDZnK+qtyvqXaK3uVSMg9CMGsGCqXGDRbmml0nbxbkLNGKYEtkJVzmIR9nZ
+vf0ZHnAqC4006H8s1uFPNIJwjb6hfK6oecY1nqms
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCAIPM5
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCAIPM5
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAkSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLDAqBgNVBAMTI2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3ViQ0FJUE01MB4XDTAxMDQxOTE0NTcyMFoXDTExMDQx
+OTE0NTcyMFowWjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMS8wLQYDVQQDEyZpbmhpYml0UG9saWN5TWFwcGluZzEgUDEyIHN1YnN1YkNB
+SVBNNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoWsXQ0sXtSdVHZZ6NBai
+/YaSnuULPstaxcOXjt23ujwGnhffZLbzqoz6crjhOj3j7u5CAl76NNcQPuYi9/EW
+vxys93HyGAbgpl+YZ/zKL61BPTj5sBK4l5NEQoKUoPZsoeTDTXyD3HDWMDlJifXK
+gDYpaao45yFD8N0WCfd8pccCAwEAAaOBszCBsDAfBgNVHSMEGDAWgBTm3o5WsPOW
+ysSqTpK6CZqUqZRwPjAdBgNVHQ4EFgQUJKsDVZWLldcDRMfd/3799pGxoBYwDgYD
+VR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMC
+ATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwAzAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAImakMw5q9O9ghGN6g4TQ/IG
+gI7NgrjqoAKQiqZuD+kmbzSf1sGONmiLK44kykgJ0zZY4xbkoXVOQiNrnqDclNdf
+Za0+Fmvfx9vVTlSoLQGwSHE3oWDKcamton847GkEmnP0RacqUkRkgpZam83tnDEX
+c6eHTCxBYDmTTPuFe4fi
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8F:76:30:83:5F:A3:85:4B:90:14:1E:06:04:7B:37:01:05:20:26:66
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1f:20:b6:9f:f6:68:a0:22:5f:24:73:c0:ac:bc:8b:05:86:58:
+ 7b:97:ad:38:8e:70:61:7c:17:9d:38:21:06:0a:72:b5:41:3c:
+ b6:9a:93:77:6f:e3:15:e6:06:74:67:90:b1:95:56:f2:be:52:
+ 21:6a:de:f7:bf:d9:2c:12:11:9d:dc:f9:ba:46:f9:92:24:75:
+ ef:83:af:a2:8b:3a:79:da:ca:c5:72:a4:7b:19:e1:a2:f7:02:
+ 18:92:eb:a6:1b:74:bc:ba:62:51:d6:9f:69:af:20:34:3d:43:
+ 08:e7:15:da:75:79:b7:81:6e:ae:95:08:cb:7d:e0:3a:50:7e:
+ c1:7e
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFI92MINfo4VLkBQeBgR7NwEFICZmMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAB8gtp/2aKAiXyRzwKy8iwWGWHuXrTiOcGF8F504IQYKcrVB
+PLaak3dv4xXmBnRnkLGVVvK+UiFq3ve/2SwSEZ3c+bpG+ZIkde+Dr6KLOnnaysVy
+pHsZ4aL3AhiS66YbdLy6YlHWn2mvIDQ9QwjnFdp1ebeBbq6VCMt94DpQfsF+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCAIPM5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E6:DE:8E:56:B0:F3:96:CA:C4:AA:4E:92:BA:09:9A:94:A9:94:70:3E
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 14:9f:a7:ad:6e:15:65:a1:9b:cc:49:11:63:ae:0e:76:54:26:
+ 5f:8b:a3:f4:12:98:db:47:80:4f:38:bf:c0:0a:f6:d8:df:b4:
+ 07:7e:06:6a:ae:f2:9c:6a:c2:9c:6a:75:99:df:19:36:ee:d3:
+ de:59:91:32:7f:08:93:c3:31:6c:b1:cd:42:cb:72:74:04:27:
+ 1c:49:66:33:e0:10:8a:99:32:7b:66:6b:8b:8d:48:21:23:6d:
+ 1f:c4:b4:40:d6:8f:76:00:00:9c:6e:a1:bf:90:95:5e:b8:8d:
+ e9:c7:a1:18:f1:bc:5c:28:05:7c:73:72:85:da:f1:a6:00:53:
+ 5c:0e
+-----BEGIN X509 CRL-----
+MIIBUDCBugIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLDAqBgNVBAMTI2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3ViQ0FJUE01Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+oC8wLTAfBgNVHSMEGDAWgBTm3o5WsPOWysSqTpK6CZqUqZRwPjAKBgNVHRQEAwIB
+ATANBgkqhkiG9w0BAQUFAAOBgQAUn6etbhVloZvMSRFjrg52VCZfi6P0EpjbR4BP
+OL/ACvbY37QHfgZqrvKcasKcanWZ3xk27tPeWZEyfwiTwzFssc1Cy3J0BCccSWYz
+4BCKmTJ7ZmuLjUghI20fxLRA1o92AACcbqG/kJVeuI3px6EY8bxcKAV8c3KF2vGm
+AFNcDg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCAIPM5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:24:AB:03:55:95:8B:95:D7:03:44:C7:DD:FF:7E:FD:F6:91:B1:A0:16
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:dc:20:33:f7:b1:e9:f8:9d:47:00:86:08:2e:56:bc:02:0a:
+ e4:46:90:48:a0:cd:37:63:71:fb:69:34:e1:0a:d0:aa:e4:f7:
+ 61:67:46:a7:b8:ba:11:67:30:eb:1b:85:e1:1d:0c:9b:e6:fd:
+ fb:50:ea:c9:f3:e4:19:73:05:85:6b:cc:c3:f0:4a:2b:bc:75:
+ 7e:0f:b4:d1:64:39:b6:38:39:dc:30:77:33:91:b8:77:52:b6:
+ 70:ed:24:b3:34:7a:b8:ef:46:93:78:f7:7e:6d:6a:ae:2e:c8:
+ a0:d7:76:ac:46:47:ff:1e:9d:fa:51:9b:47:cb:06:c3:c6:85:
+ 4c:9e
+-----BEGIN X509 CRL-----
+MIIBUzCBvQIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3Vic3ViQ0FJUE01Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaoC8wLTAfBgNVHSMEGDAWgBQkqwNVlYuV1wNEx93/fv32kbGgFjAKBgNVHRQE
+AwIBATANBgkqhkiG9w0BAQUFAAOBgQAD3CAz97Hp+J1HAIYILla8AgrkRpBIoM03
+Y3H7aTThCtCq5PdhZ0anuLoRZzDrG4XhHQyb5v37UOrJ8+QZcwWFa8zD8EorvHV+
+D7TRZDm2ODncMHczkbh3UrZw7SSzNHq470aTePd+bWquLsig13asRkf/Hp36UZtH
+ywbDxoVMng==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalcRLSignFalseTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalcRLSignFalseTest4.pem
new file mode 100644
index 0000000000..12418ff1a1
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalcRLSignFalseTest4.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=keyUsage Critical cRLSign False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBIDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFYxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczErMCkGA1UEAxMia2V5VXNhZ2Ug
+Q3JpdGljYWwgY1JMU2lnbiBGYWxzZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA4iwG9rt4eJXUwy+UTNrUEq7gFuAYWGYaf0DCMDkLcYPIAwlWow99RTeX
+jXir2B5PC/YcGARB1+bLQDTn7C8R2bilNXujkHWU4w10Vt56sONz+0ASNoIXCPn4
+EFXAneC3z7q9ZONoU4U3MBxMhuepSqGeBWNgh5KI/ICyYI/P61UCAwEAAaN8MHow
+HwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJSB6cRQ
+9gcgcCaUPO/fMC7eP3TNMA4GA1UdDwEB/wQEAwICBDAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBvUd6L
+OoQLwzSqlbFY2JYA5GGxYuAdrT0FxeuRK2wGwiPmNCKn0w8t/wwQTrbPdrENV2Rc
+gzeZ9A5RY/Qs6EogNvy0qfC6lw2aUZsjEFjpPvnXmjb23sL2A3twFUWuoZdy8Wtd
+PTGWD96vq7KEdsMb3IRwUMk0XxyPZ4MUOqtVyg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid keyUsage Critical cRLSign False EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=keyUsage Critical cRLSign False CA
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImtleVVzYWdlIENy
+aXRpY2FsIGNSTFNpZ24gRmFsc2UgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBwMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxRTBDBgNVBAMTPEludmFsaWQga2V5VXNhZ2UgQ3JpdGljYWwgY1JMU2lnbiBG
+YWxzZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAy7qxBfmtCspcqkqi9Slrzqm5Oaxst+HoLMAM77zVMEmIDI2IYsm1+PKV
+WNIdR8whYpz9OvVP16/Ujt4D4902/HLCQGcMfprQ4M7S2ba4Ujvig4fe6SFwVCRs
+YbCOmVA7rHiPEz2uguVgeAkJolSooUz/QEtakvGSEKGO8zhuQFsCAwEAAaNrMGkw
+HwYDVR0jBBgwFoAUlIHpxFD2ByBwJpQ8798wLt4/dM0wHQYDVR0OBBYEFOsTlV2h
+OTNSDv1rZhunjIMov0boMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAgST/vGwENhUdJayqletDgqTapBVi
+mXOpojLaV5Q71AWzCA6oY3D0ATMW3QbzK9OBaDtURLb6zyKPLtx/2jZU3hw1c1Ia
+bIIKe8MPc9VVlABo3GW8vYwKucYZValIq4YAV9AbtFYz+5L+7UAsZC3iU9t5UJ9G
+GftSrxstYAKAeRg=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=keyUsage Critical cRLSign False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:81:E9:C4:50:F6:07:20:70:26:94:3C:EF:DF:30:2E:DE:3F:74:CD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ df:6c:04:71:99:bd:11:54:35:2e:e7:bb:54:60:3c:46:38:0c:
+ cb:d3:e9:06:bd:55:2a:03:35:2b:cf:e5:a3:b6:f1:13:5c:8b:
+ 43:5e:9b:8c:10:8e:c6:82:83:ee:af:1f:50:3a:14:2c:f3:a4:
+ 43:00:90:21:f9:59:4b:15:c4:5c:30:1c:86:75:2a:cb:a1:86:
+ 33:b1:f9:75:46:99:34:07:64:dc:4f:6e:d1:f2:cd:f5:0b:7f:
+ 00:1d:ca:9e:60:0f:93:8a:c5:22:cd:59:46:e5:21:2d:26:ef:
+ 98:ff:6d:50:2a:7d:5e:15:81:4c:b8:3c:ca:9a:1a:b5:1b:6f:
+ 4c:9f
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImtleVVzYWdlIENyaXRpY2Fs
+IGNSTFNpZ24gRmFsc2UgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFJSB6cRQ9gcgcCaUPO/fMC7eP3TNMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAN9sBHGZvRFUNS7nu1RgPEY4DMvT6Qa9VSoDNSvP
+5aO28RNci0Nem4wQjsaCg+6vH1A6FCzzpEMAkCH5WUsVxFwwHIZ1KsuhhjOx+XVG
+mTQHZNxPbtHyzfULfwAdyp5gD5OKxSLNWUblIS0m75j/bVAqfV4VgUy4PMqaGrUb
+b0yf
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalkeyCertSignFalseTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalkeyCertSignFalseTest1.pem
new file mode 100644
index 0000000000..70eca0a203
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalkeyCertSignFalseTest1.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=keyUsage Critical keyCertSign False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBHTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEvMC0GA1UEAxMma2V5VXNhZ2Ug
+Q3JpdGljYWwga2V5Q2VydFNpZ24gRmFsc2UgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALm+L1UcoJG+mviuHuN0sBN3JeuYb9p4T8GP3zMU2o4qU0bwjq9L
+PcOqj8RnfIrHIMUR9kgNmxJVXX+02rORMvzU9LsxdQxFNxN8sokG04ZZv5iqSr4W
+NnG/UD+RYlBLRrHuNx0fDoW1zAac8JO28LeCdhot2Un+J1W8knpYlAt9AgMBAAGj
+fDB6MB8GA1UdIwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSU
+Abz4nHw/6JK2TckGtNNyMU46NzAOBgNVHQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
+ifJcYkKWo1wikfXTF8s9sBKQjt+cMW2Kn2+25hF8KBXRmo3lJzJXyKtMQucC/+6W
+rWB4brLC4KiyxVC9OCbEIxlsc9Mx35cgX39iXI5b2BEn/pZt9ceios9WPQYU6t/Y
+D78koBp3ni6yy5WGa3mpU/xh18UaG/8VnfARvbTQcGs=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid keyUsage Critical keyCertSign False EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=keyUsage Critical keyCertSign False CA
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhigAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmtleVVzYWdlIENy
+aXRpY2FsIGtleUNlcnRTaWduIEZhbHNlIENBMB4XDTAxMDQxOTE0NTcyMFoXDTEx
+MDQxOTE0NTcyMFowdDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMUkwRwYDVQQDE0BJbnZhbGlkIGtleVVzYWdlIENyaXRpY2FsIGtleUNl
+cnRTaWduIEZhbHNlIEVFIENlcnRpZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCgVfrVarIrsGAAz+ak13NJrkcspcEeCVsjrOtzHf619eeO
+TDalq7iyspJxTEhn7lG7q/UazRqEp6lBu1fVFkdFBPHi1uuNtyLB80MNy0ztjPAf
+Ct0/wV1jDvNbaCg/TFXflKtDTY+jcVWTOmWMwI6hZwokQ7Csbee02czrHw3gLQID
+AQABo2swaTAfBgNVHSMEGDAWgBSUAbz4nHw/6JK2TckGtNNyMU46NzAdBgNVHQ4E
+FgQU9ghpzs2MqUouYVwzB2XsoCyL6W8wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQADeKlzkdXLEofSM2r4
+SIPYc9g0A4EXIb1h+1YhhYyiuhSRb3zpAHlvgtfDaHu/ic2pHNDRKAjHGf6349p8
+OCAnqQvl9yZIvOa5/N7F13V1Ay+igdgGSPXmKRD76jX5ccQvoEQUQlA9G4P5/qaC
+IonfinaLZXjcklWJuhV/XMzYWA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=keyUsage Critical keyCertSign False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:01:BC:F8:9C:7C:3F:E8:92:B6:4D:C9:06:B4:D3:72:31:4E:3A:37
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 37:7b:99:a3:64:09:89:d3:3b:eb:15:ec:5c:bf:4e:86:74:eb:
+ de:88:f2:7e:33:ee:e1:2a:ed:04:81:bd:f3:bb:33:69:16:ca:
+ f0:89:38:11:1f:5c:11:ba:83:2a:be:e4:8b:ff:12:68:c5:58:
+ d4:fd:cc:fd:58:8f:49:5c:6f:2d:86:7c:1c:86:b8:b9:3b:4d:
+ 47:06:4d:e3:f5:d3:c4:f0:b0:e2:56:41:19:b9:a7:08:77:78:
+ 80:49:55:f9:7d:d7:b0:84:92:28:bb:25:e2:83:75:e2:59:a9:
+ 12:8c:cb:d0:7b:03:c7:30:13:c2:79:d6:c5:9c:f3:73:7d:63:
+ 3a:e0
+-----BEGIN X509 CRL-----
+MIIBUzCBvQIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmtleVVzYWdlIENyaXRpY2Fs
+IGtleUNlcnRTaWduIEZhbHNlIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaoC8wLTAfBgNVHSMEGDAWgBSUAbz4nHw/6JK2TckGtNNyMU46NzAKBgNVHRQE
+AwIBATANBgkqhkiG9w0BAQUFAAOBgQA3e5mjZAmJ0zvrFexcv06GdOveiPJ+M+7h
+Ku0Egb3zuzNpFsrwiTgRH1wRuoMqvuSL/xJoxVjU/cz9WI9JXG8thnwchri5O01H
+Bk3j9dPE8LDiVkEZuacId3iASVX5fdewhJIouyXig3XiWakSjMvQewPHMBPCedbF
+nPNzfWM64A==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem
new file mode 100644
index 0000000000..0efaff7138
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=keyUsage Not Critical cRLSign False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBITANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEvMC0GA1UEAxMma2V5VXNhZ2Ug
+Tm90IENyaXRpY2FsIGNSTFNpZ24gRmFsc2UgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAMLOm8AZjGbhdJ7A5TMeS8YqKDv+sSvYbu/N0xYhBYw9btWqMvhg
+UQRchnPigIMNH270hJTB0xUODgi5kEfd3aMcqP4p7092jT7nGwWiWqMfcOiDob/B
+jwJbfa/pcDWtLtL9gGu3mD5phBMV422/vXk7DNPVTOsm0LK+kYcbkutzAgMBAAGj
+eTB3MB8GA1UdIwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSb
+FqRb5CIAWLVWFP8usoK/Iuj2+DALBgNVHQ8EBAMCAgQwFwYDVR0gBBAwDjAMBgpg
+hkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAXayz
+RGBvRtkZyRHdFZY+3aIHHo7AdgjRSbvWFShHnbrZnd2E8mbkkk5NH7sD6IQygi5b
+6s2ZEpMFRDc8NNSG1Qh5NagIp8Wguyqa8HgSA15CytfKd9nDdIY8NSFPiqXCXIOp
+AXIf+LI9d8QnF/zOuRdKQiX26iVbh/Ofiij5b8s=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid keyUsage Not Critical cRLSign False EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=keyUsage Not Critical cRLSign False CA
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhigAwIBAgIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmtleVVzYWdlIE5v
+dCBDcml0aWNhbCBjUkxTaWduIEZhbHNlIENBMB4XDTAxMDQxOTE0NTcyMFoXDTEx
+MDQxOTE0NTcyMFowdDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMUkwRwYDVQQDE0BJbnZhbGlkIGtleVVzYWdlIE5vdCBDcml0aWNhbCBj
+UkxTaWduIEZhbHNlIEVFIENlcnRpZmljYXRlIFRlc3Q1MIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCniZx3i5eOoYfB4+DHDtBDWS3+uKOzezExgLASJeRuST/z
+FBDywPOCHD9BqbsVdo+fQMjOEBs5C2QePhrQmo36vBpuTGeS6o0ZwnPqZEiR7BDm
+BhaU5GfHWArITIQqqKeGMrcd6inS3EgiNfLoIgErgIYUE2Ay7N3jNAkZ+gHFsQID
+AQABo2swaTAfBgNVHSMEGDAWgBSbFqRb5CIAWLVWFP8usoK/Iuj2+DAdBgNVHQ4E
+FgQUO/h+SZvyJuF7i3RkSFnq+ekut+kwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQB63lqdcOrQ5elffexi
+Pm+erQomlHA4QBd/o7W9oGu3wh9o/OxaXUX+q1y/xsFQPWY8rnd9WX2K/GbDnAkg
+b9VumR4AI31DBsR9ON1LP252rSHzpH5VeLVX4yp+RU1J6VvXAFXD3RgVwYE16JFC
+NKsFf0HL8FRjpLQp9+/qcp6A7Q==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=keyUsage Not Critical cRLSign False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9B:16:A4:5B:E4:22:00:58:B5:56:14:FF:2E:B2:82:BF:22:E8:F6:F8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 09:d0:9f:43:ea:14:8b:96:bc:51:a7:26:e2:ad:a1:d9:85:d4:
+ c4:54:67:72:3b:27:b9:51:74:ca:a5:72:a2:88:21:2d:f0:46:
+ 21:ca:5e:36:02:5f:bb:9c:1f:a4:84:63:64:8a:52:5a:17:b8:
+ d5:5f:3f:d5:73:38:f0:f5:7e:e3:59:80:ef:1a:70:89:da:37:
+ d4:b1:31:4a:94:01:ea:c9:71:98:aa:c4:ae:e2:8c:18:ab:7d:
+ a9:7a:fc:23:1b:57:ee:90:81:0e:29:4b:c6:1f:78:2f:65:4d:
+ 38:df:f9:6e:74:90:71:57:a1:aa:06:4a:8a:a9:15:ab:87:17:
+ 1a:ee
+-----BEGIN X509 CRL-----
+MIIBUzCBvQIBATANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLzAtBgNVBAMTJmtleVVzYWdlIE5vdCBDcml0
+aWNhbCBjUkxTaWduIEZhbHNlIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaoC8wLTAfBgNVHSMEGDAWgBSbFqRb5CIAWLVWFP8usoK/Iuj2+DAKBgNVHRQE
+AwIBATANBgkqhkiG9w0BAQUFAAOBgQAJ0J9D6hSLlrxRpybiraHZhdTEVGdyOye5
+UXTKpXKiiCEt8EYhyl42Al+7nB+khGNkilJaF7jVXz/Vczjw9X7jWYDvGnCJ2jfU
+sTFKlAHqyXGYqsSu4owYq32pevwjG1fukIEOKUvGH3gvZU043/ludJBxV6GqBkqK
+qRWrhxca7g==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2.pem
new file mode 100644
index 0000000000..7fc272ea18
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=keyUsage Not Critical keyCertSign False CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICjTCCAfagAwIBAgIBHjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEzMDEGA1UEAxMqa2V5VXNhZ2Ug
+Tm90IENyaXRpY2FsIGtleUNlcnRTaWduIEZhbHNlIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCo1QPZC5T5F1L7XkkAguXC8vf9C9YbYfj8VbP8CXU6/3EG
+wUPK43eDJfWBzzwk7bgumreNheNFRcFW+dcroOFvVflXXBjj/UR7qkXULMf9DqK4
+dqMYYafyTrI3QrgNfdN06ngaY0qNnXa4Z58ecPAQPnQprJHJ0fDTlwultqudJQID
+AQABo3kwdzAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4E
+FgQU3wy5NIl1eNIjkh7wgSHfwnYXZbQwCwYDVR0PBAQDAgECMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AFYPjvJm9+IVM7cHs7OMJLoeNCnhUL5nlx9HuDLzP6/+0o4V3aQgiP787/zfOBFj
+yWLTLfKqJTkm+8fs+TLFf675Vs2s3dPELXJLvFwgQFYDiSQpV46thD7NLw474dse
+tN1i9Scl7y0RsDHbi9qBIPsRX4UV8/8nawbo9yW8hpqt
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid keyUsage Not Critical keyCertSign False EE Cert Test2
+issuer=/C=US/O=Test Certificates/CN=keyUsage Not Critical keyCertSign False CA
+-----BEGIN CERTIFICATE-----
+MIICsDCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMzAxBgNVBAMTKmtleVVzYWdlIE5v
+dCBDcml0aWNhbCBrZXlDZXJ0U2lnbiBGYWxzZSBDQTAeFw0wMTA0MTkxNDU3MjBa
+Fw0xMTA0MTkxNDU3MjBaMHExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENl
+cnRpZmljYXRlczFGMEQGA1UEAxM9SW52YWxpZCBrZXlVc2FnZSBOb3QgQ3JpdGlj
+YWwga2V5Q2VydFNpZ24gRmFsc2UgRUUgQ2VydCBUZXN0MjCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAp67g5m0ja/YdBc6nUr+UTz3XzQoajL7y9/EF7M0He7yq
+nlQvh/d2kEpE3e0EUZviJtg9L9sxQRgCFWVR+f9rLpPNEBIAZ2HQ83SxFRr+UbfX
+LTOLNaLhasu4lG9LY8DtyYxjrnvmOHkvTk14kD9L+YPJbR9LmCjNHbmoFiNu0Z8C
+AwEAAaNrMGkwHwYDVR0jBBgwFoAU3wy5NIl1eNIjkh7wgSHfwnYXZbQwHQYDVR0O
+BBYEFLkvB65lcMDXjd55uk984ACgePDSMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAE
+EDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAf9WmZ9PcF2mY7Fst
+f0t6wDbfkMenvluK5yTnfZGZi1Xa5WFt+1ifSxYjkxTMTw4DJ5IXWRZNr40+NhCo
+2dvFQbeTEh90GuwSrFOY1LoT6stxoc/OXatyOCuO4rved9tzjRAArQndpnd6Zqsd
+p/cT+7yvFwM9fxMinMUy3p6rR9E=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=keyUsage Not Critical keyCertSign False CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DF:0C:B9:34:89:75:78:D2:23:92:1E:F0:81:21:DF:C2:76:17:65:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9e:b2:db:db:fb:42:09:bb:05:d6:af:1d:1e:b5:2a:e7:88:75:
+ f0:e6:a9:52:0d:ad:a3:4d:a6:64:06:e3:53:b4:39:db:4f:96:
+ 08:5d:ea:da:bb:09:d1:d6:32:53:91:62:ed:33:e9:0d:87:6c:
+ f9:12:a0:4a:c5:e9:e9:6f:d5:d1:02:8f:22:9a:d7:7c:82:d2:
+ 17:48:0c:c3:2a:c2:d9:e5:f7:0e:77:1b:52:e7:1a:9c:2c:7d:
+ 5f:31:a3:aa:90:32:ca:9e:ad:42:ef:b3:9b:cd:11:da:13:36:
+ 7c:cb:85:48:75:59:7e:6c:03:9a:a0:70:e3:19:d4:c1:dd:c5:
+ 7a:3b
+-----BEGIN X509 CRL-----
+MIIBVzCBwQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMzAxBgNVBAMTKmtleVVzYWdlIE5vdCBDcml0
+aWNhbCBrZXlDZXJ0U2lnbiBGYWxzZSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU3wy5NIl1eNIjkh7wgSHfwnYXZbQwCgYD
+VR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAnrLb2/tCCbsF1q8dHrUq54h18Oap
+Ug2to02mZAbjU7Q520+WCF3q2rsJ0dYyU5Fi7TPpDYds+RKgSsXp6W/V0QKPIprX
+fILSF0gMwyrC2eX3DncbUucanCx9XzGjqpAyyp6tQu+zm80R2hM2fMuFSHVZfmwD
+mqBw4xnUwd3Fejs=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsAttributeCertsTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsAttributeCertsTest14.pem
new file mode 100644
index 0000000000..f1d3094eed
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsAttributeCertsTest14.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/CN=onlyContainsAttributeCerts CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgzCCAeygAwIBAgIBTzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFExCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEmMCQGA1UEAxMdb25seUNvbnRh
+aW5zQXR0cmlidXRlQ2VydHMgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALSCJ7MnQSSfqf3cAKyFUJRK6CV6MSLa2t9JmoGgpu6snUGfPogvAguvdYP27085
+2+7ZAe2MA5+VRBKl2gtUJeS0qdMlrQyLMw8SBfIuCc0cMrbGnRHqeBPHPVdq1n3b
+xx+pwvDV2egYWx53Vyq72HVv7E6QhdGjEwO41216OFXzAgMBAAGjfDB6MB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBTFKJWbEsMCo9m4
++7Yd323jU625IjAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAH50jqtmZxb9s
+51U/Olz2Z4OskoazeeNVJ0LXvUzF2vYzqBhXseLUd996wDmvQWsoczt8etO5zJdI
+/iXtC61WyqmSDgSSSEvoIAL/xWFYQh1QAjG+FD7qHxfJ5TUiVFUzkQe/nE2wSWYL
+oiZe8DkJHsi/T6sBMbZeNLcXa8CliLI=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlyContainsAttirubteCerts EE Certificate Test14
+issuer=/C=US/O=Test Certificates/CN=onlyContainsAttributeCerts CA
+-----BEGIN CERTIFICATE-----
+MIICnjCCAgegAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHW9ubHlDb250YWlu
+c0F0dHJpYnV0ZUNlcnRzIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowbDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMUEw
+PwYDVQQDEzhJbnZhbGlkIG9ubHlDb250YWluc0F0dGlydWJ0ZUNlcnRzIEVFIENl
+cnRpZmljYXRlIFRlc3QxNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnRFu
+rk1+JntR2FWOywl3/YsAK7L4yrNCEx5T7OIJOPeYo2gQ4HcNYzhCfrs8BnXBgRWm
+SmYiz83DHjDXf1v1EYvmLbuorfhe6oqbZjFFmFSFVYoBBQGoweqSBuEP+Dfz5JCQ
+3j/U5P9kHacuVt5EvNDFuxC2QpNlKDMKVp1kO1ECAwEAAaNrMGkwHwYDVR0jBBgw
+FoAUxSiVmxLDAqPZuPu2Hd9t41OtuSIwHQYDVR0OBBYEFH75KmUzZ/T1lVkx9E97
+tlW7zv91MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DQYJKoZIhvcNAQEFBQADgYEAcnsbImj6Bq19wrmv1lsHuwr0rR9v5AU5A5BvxBGX
+7L9250MNODFbkR2trDXDu8Aj4xDl14ksrH1CW5oqqvhSIN890dWabjEIWXzPJPXm
+Ogj5ekGTXsXnOsbO8CEfvjAvg8zfRVlWuR+mxGvk8qw4t0xB0GIqutURQegGF/zY
+tJ4=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlyContainsAttributeCerts CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C5:28:95:9B:12:C3:02:A3:D9:B8:FB:B6:1D:DF:6D:E3:53:AD:B9:22
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 4d:d0:f1:a7:37:36:13:e4:57:d2:e5:1b:bb:c0:68:35:91:0c:
+ 84:53:55:01:9e:2f:bf:4b:d4:7e:55:4f:ea:6c:71:f4:54:a5:
+ b7:38:50:ac:43:c7:85:b9:13:88:4f:36:5c:35:5c:83:56:49:
+ 1d:ea:d0:34:ce:bf:d6:21:40:f8:4a:62:ee:c4:88:74:f7:05:
+ 13:cc:15:90:46:d3:8e:04:5f:00:2e:ef:1f:43:cf:da:84:d4:
+ 27:b1:22:c6:b5:ad:83:cd:aa:8b:cf:0e:d7:1f:76:37:a6:29:
+ 8e:3a:e7:3f:58:12:8d:2b:77:58:b1:eb:7f:35:6d:96:74:f6:
+ 48:1d
+-----BEGIN X509 CRL-----
+MIIBWzCBxQIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHW9ubHlDb250YWluc0F0dHJp
+YnV0ZUNlcnRzIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoEAwPjAf
+BgNVHSMEGDAWgBTFKJWbEsMCo9m4+7Yd323jU625IjAKBgNVHRQEAwIBATAPBgNV
+HRwBAf8EBTADhQH/MA0GCSqGSIb3DQEBBQUAA4GBAE3Q8ac3NhPkV9LlG7vAaDWR
+DIRTVQGeL79L1H5VT+pscfRUpbc4UKxDx4W5E4hPNlw1XINWSR3q0DTOv9YhQPhK
+Yu7EiHT3BRPMFZBG044EXwAu7x9Dz9qE1CexIsa1rYPNqovPDtcfdjemKY465z9Y
+Eo0rd1ix6381bZZ09kgd
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsCACertsCRLTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsCACertsCRLTest12.pem
new file mode 100644
index 0000000000..14d5cba2f9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsCACertsCRLTest12.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfDCCAeWgAwIBAgIBTjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWb25seUNvbnRh
+aW5zQ0FDZXJ0cyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqP8z3Y0v
+UCVXIVXCpbr+dcdoZFi0UZQPvl77hqqVORSs9FefV5mTeuoDDfhtUYa+O6Wzh2v/
+Yzv1MzPQzePG3eho/6CLs4pzqVWZDzYTG6OXubjPvYT10WykqfaWuivcn5YxbHuA
+cRitNsBAvY1Nq/kPDtsPJz1t5+PDRVO64gsCAwEAAaN8MHowHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPOhB0Zne+mPWavrVYaTyKzk
+VbcYMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGkMUjQFfto4SQpRJ2fAeU
+qXp2dn4kt+s/ITPOIykUFaybQ6eaGRcWN4kTi7IufbSeI7lmaa4SC+bq14tfSf/w
+gJSpwu58pIbPHKN0IgB+9S8eRS8wmB4HcBflmNZz/NX6wJzwJt15ZC+gek+eZGUw
+Qck6L9wt5i1wMFyRwBmAHQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlyContainsCACerts EE Certificate Test12
+issuer=/C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm9ubHlDb250YWlu
+c0NBQ2VydHMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBlMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxOjA4BgNVBAMT
+MUludmFsaWQgb25seUNvbnRhaW5zQ0FDZXJ0cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0
+MTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFmoy4sb7+FLLRfH0FTJkEA
+4DUgy6WKlx+o6gViRTKyicSNbY5GWZ31r5z+B8SyeL0HaAYwkDBBNIJ2tLhSgKCs
+YASvqHqBa8YgpnDs3fh7d7perSH4t7SLblf2Ul9ABuDvFt/lCizK2LXgfDhcdrUU
+D7ZeOZTr59cuMd+tAN+vAgMBAAGjazBpMB8GA1UdIwQYMBaAFPOhB0Zne+mPWavr
+VYaTyKzkVbcYMB0GA1UdDgQWBBSsVnmrX9OpfaLqvFvE4FydtKiYrDAOBgNVHQ8B
+Af8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUA
+A4GBAFqv88cSXJ667X0tM4dQ5AyFGYONJIioud7mI0SXcDeh0Me/J1wmqDmlS7oj
+3vVTE6unv0EjjtEcLJr6FkHqYIksi9Fsuudte8FvQQ7aJEz6nzBpTe+kBINtK59k
+picBSyDN77AoX8AMqoDj39NP9DCaiq7fO3XL2Ei0MF4uG/1Y
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F3:A1:07:46:67:7B:E9:8F:59:AB:EB:55:86:93:C8:AC:E4:55:B7:18
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 54:27:ac:fc:b5:7a:93:93:e7:f2:e9:63:f7:52:ad:20:08:4c:
+ 52:08:62:e6:f6:81:71:1d:72:f4:1d:bf:db:06:52:d6:4f:8b:
+ 86:68:4a:ca:01:4a:fd:b9:7e:5d:7a:df:48:67:36:9b:31:12:
+ dd:13:29:b2:8e:b6:ba:c4:20:31:57:4f:7e:c6:d1:3c:0b:e5:
+ 1c:a0:c2:15:c6:09:5b:77:ca:95:37:31:7d:a8:08:4d:ae:60:
+ 4f:3c:b4:ef:92:9d:f1:11:5f:a1:1b:2d:ff:e6:2e:07:88:4e:
+ 2c:88:54:b8:e1:be:4e:6c:22:90:0e:37:0d:b2:8d:61:21:46:
+ 36:29
+-----BEGIN X509 CRL-----
+MIIBVDCBvgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm9ubHlDb250YWluc0NBQ2Vy
+dHMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgQDA+MB8GA1UdIwQY
+MBaAFPOhB0Zne+mPWavrVYaTyKzkVbcYMAoGA1UdFAQDAgEBMA8GA1UdHAEB/wQF
+MAOCAf8wDQYJKoZIhvcNAQEFBQADgYEAVCes/LV6k5Pn8ulj91KtIAhMUghi5vaB
+cR1y9B2/2wZS1k+LhmhKygFK/bl+XXrfSGc2mzES3RMpso62usQgMVdPfsbRPAvl
+HKDCFcYJW3fKlTcxfagITa5gTzy075Kd8RFfoRst/+YuB4hOLIhUuOG+TmwikA43
+DbKNYSFGNik=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsUserCertsCRLTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsUserCertsCRLTest11.pem
new file mode 100644
index 0000000000..237f79a05e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsUserCertsCRLTest11.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/CN=onlyContainsUserCerts CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBTTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYb25seUNvbnRh
+aW5zVXNlckNlcnRzIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uYsu
+53u2+DI6YJnVIbUEBXbifJtOvR4Id3dAWtLRtp1J1/cjbUdtunT8MP8UdMiOu5GH
+qkkjCow40bwn18zVUFC+tbTitFHZwkcY6vpoBiYh7kfUGyOWMuGhYDDmL6f1GyGq
+1cPMSG3TI65vxTRu69NqZ6A69+6oecCzEhZwDQIDAQABo3wwejAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUWss3HtJGmFwTlfjfuDr/
+EUCtFfIwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAB4p94csINQawOHlCIzE
+BoDqe6fIaND41iV0Ho1HK5OQyoKdGUAUm3cuoyXOmA++mMrGdqZd+xqQswur3Ve1
+iKj1z3ZAfFHI07GT7nOS9yTHPwIwW1FaFsaMkJyHm5McmiVJ2RVPcuhZM8Hg/O1t
+lEtxFRbVcGf+7bi5eI/HHmmB
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlyContainsUserCerts EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=onlyContainsUserCerts CA
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGG9ubHlDb250YWlu
+c1VzZXJDZXJ0cyBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGcx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE8MDoGA1UE
+AxMzSW52YWxpZCBvbmx5Q29udGFpbnNVc2VyQ2VydHMgRUUgQ2VydGlmaWNhdGUg
+VGVzdDExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgvtvHKcfaEySW+gTB
+goP/idcErgtO4WHFdiTLJV2wwSRVKNwruXMNUfgnsksQ+Tqa24KJWAJpnh44cvcT
+C63piJcmXs35SuSRbS3kefpDW1HmvkZUJ+xEp+jouS6IXKBI+bX0iASJpBC8rDtw
+TdyTa1MWv7veksCshAZr3cxBgQIDAQABo3wwejAfBgNVHSMEGDAWgBRayzce0kaY
+XBOV+N+4Ov8RQK0V8jAdBgNVHQ4EFgQUb0/1XSOZ9YvHmG7rvM8eBcBgOI8wDgYD
+VR0PAQH/BAQDAgH2MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJybyf0fbsSEKPlQbxKeyZBQXdWfQGeo
+1NVyDN87XSKQUe9fech7qiUC4Ua2z7mWrIIbDBylvl7ff0NFiPTK6+tl4Rt+zaX9
+qzA+dIuVr/7NPrlaTSmJglaX5n1/2h/dYhFbJUXe5L5FOpE3uq/Cp83MC5AQzDxR
+UrWoUQdNtOhm
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlyContainsUserCerts CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5A:CB:37:1E:D2:46:98:5C:13:95:F8:DF:B8:3A:FF:11:40:AD:15:F2
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 52:63:40:55:91:4a:88:23:0d:64:84:b4:3e:50:a2:0c:ba:30:
+ 81:b2:86:2f:ce:0e:b5:b7:e0:c2:d5:10:63:82:0e:88:ab:90:
+ d6:a4:df:11:22:96:15:f3:7e:cd:ce:0b:87:54:0b:3f:60:c7:
+ 6b:a6:04:9a:25:8d:51:af:b2:c4:da:f9:d5:63:57:f2:b8:f8:
+ 07:d1:bf:0b:a3:77:a7:e6:e3:87:a0:97:5d:4a:41:07:b9:36:
+ 98:bd:54:93:95:32:d9:7c:07:83:e5:d7:54:77:be:e4:eb:e1:
+ 03:fa:e7:83:fd:78:45:4b:a0:42:87:52:c1:1c:18:06:4f:39:
+ f3:09
+-----BEGIN X509 CRL-----
+MIIBVjCBwAIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGG9ubHlDb250YWluc1VzZXJD
+ZXJ0cyBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqBAMD4wHwYDVR0j
+BBgwFoAUWss3HtJGmFwTlfjfuDr/EUCtFfIwCgYDVR0UBAMCAQEwDwYDVR0cAQH/
+BAUwA4EB/zANBgkqhkiG9w0BAQUFAAOBgQBSY0BVkUqIIw1khLQ+UKIMujCBsoYv
+zg61t+DC1RBjgg6Iq5DWpN8RIpYV837NzguHVAs/YMdrpgSaJY1Rr7LE2vnVY1fy
+uPgH0b8Lo3en5uOHoJddSkEHuTaYvVSTlTLZfAeD5ddUd77k6+ED+ueD/XhFS6BC
+h1LBHBgGTznzCQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest15.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest15.pem
new file mode 100644
index 0000000000..819cc4017f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest15.pem
@@ -0,0 +1,156 @@
+subject=/C=US/O=Test Certificates/CN=onlySomeReasons CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTb25seVNvbWVS
+ZWFzb25zIENBMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqY5YemfCgwOg
+IB+hdOlRZFTinhkf1OaHBpkEgH6r2jJPiuhXh30ZT2TwX9aBiEGnnKuHuZmwGUK/
+DCnAfvpZ621Oo7LXsNQFtGDYrh8Rfu93TxunsJNZQ9ZXWEcIjot4YGkbOO8Nu0il
+Z/zLKJKQUSKKBW/5glVtiynAaixm6k0CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFOBimt8FUL0fD1sYSf6+cB3M3Dlu
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCbnkFzDActclPpCRyu9PWbUrnQ
+ZU76d5EXV40N6ma0OBngkU+7TJgmUNS2anUuxF51tkeYvMlqADT7KijrN/rGSipZ
+yVR/ds2UaXdbfIfuFOs5TuVeClJ21BkYQgrmZ90/ti2fgIKn+cA1MQcnthtmtGJx
+1JuSgthIOVfbeMWdCQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlySomeReasons EE Certificate Test15
+issuer=/C=US/O=Test Certificates/CN=onlySomeReasons CA1
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVh
+c29ucyBDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBhMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUlu
+dmFsaWQgb25seVNvbWVSZWFzb25zIEVFIENlcnRpZmljYXRlIFRlc3QxNTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlsynYvXyvl+q7eNnQ1pHRTzYR3jQt0ko
+GQ/U1Q9AsMdHihxgohDFbqyRbq2ODI6t3HGT/h8JPCPLT+dLhvwixeYhgms3m/TJ
++mnXebr5bHI3PjF61Cw/mJe45Ab+arDxdumnvJRtw4EIB5lDwOrD9bHBE/WS1mem
+ndOkBLQNG8UCAwEAAaNrMGkwHwYDVR0jBBgwFoAU4GKa3wVQvR8PWxhJ/r5wHczc
+OW4wHQYDVR0OBBYEFKqEMbmbidNhzPioeu9tHpG1I305MA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAIIqO
+DY8YnDAv4BQddow4PTv5P8bnPkA2Ogs3Du04Lps9gxrBVYHDIT7UQVZ5hzZeXnmW
+rLwQeI2wDJNhjMhemXksv4rrf1pL65em4hQCuwlCsY0Nlc3z5hJjLslTd85fgQXk
+mDYbw0db0b1fRGsA+RkiIRM7ynpuT6753gVv4ho=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E0:62:9A:DF:05:50:BD:1F:0F:5B:18:49:FE:BE:70:1D:CC:DC:39:6E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....`
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:f8:e1:09:a8:5d:d4:4d:a9:18:5c:91:9c:2c:a2:51:7c:dd:
+ 61:bd:4a:38:0c:5c:88:46:56:55:06:29:70:0f:cc:1d:cf:44:
+ d9:9a:b9:11:94:82:53:48:b5:08:4d:19:89:42:c0:ff:7d:42:
+ e0:39:98:43:6f:40:f3:e9:5e:8e:fe:56:3f:f4:4c:60:0e:22:
+ 29:c3:90:7d:2d:ea:d2:96:f1:3d:ce:35:d4:30:72:f2:9b:fc:
+ 86:44:fb:05:b7:3a:08:d2:bc:95:e8:d3:2b:18:a1:64:c9:25:
+ 19:3f:6e:8a:a5:9b:99:e4:f4:ac:1f:f9:ea:72:9c:88:b8:8f:
+ ac:e9
+-----BEGIN X509 CRL-----
+MIIBdjCB4AIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgEBFw0wMTA0MTkx
+NDU3MjBaMAwwCgYDVR0VBAMKAQGgQTA/MB8GA1UdIwQYMBaAFOBimt8FUL0fD1sY
+Sf6+cB3M3DluMAoGA1UdFAQDAgEBMBAGA1UdHAEB/wQGMASDAgVgMA0GCSqGSIb3
+DQEBBQUAA4GBAJn44QmoXdRNqRhckZwsolF83WG9SjgMXIhGVlUGKXAPzB3PRNma
+uRGUglNItQhNGYlCwP99QuA5mENvQPPpXo7+Vj/0TGAOIinDkH0t6tKW8T3ONdQw
+cvKb/IZE+wW3OgjSvJXo0ysYoWTJJRk/boqlm5nk9Kwf+epynIi4j6zp
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E0:62:9A:DF:05:50:BD:1F:0F:5B:18:49:FE:BE:70:1D:CC:DC:39:6E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0......
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 5a:9a:70:59:4f:6b:42:27:d8:2a:70:9e:91:bf:f5:09:c0:2c:
+ 8e:21:5d:6a:76:0f:70:61:ee:f8:20:c3:00:cf:7b:40:78:c5:
+ 25:5d:17:cf:c7:74:61:29:40:93:91:c1:52:68:4c:02:e3:b7:
+ c2:0c:e3:26:ab:fa:2f:e2:0e:70:60:d9:ed:34:ec:72:4b:98:
+ 57:8c:5a:dd:1c:50:d2:6c:44:ee:4b:89:d6:f9:d4:79:64:9f:
+ e7:f2:4f:e9:10:0c:8b:12:c4:ef:e4:2d:f8:8a:c6:94:9a:59:
+ 24:1b:f9:d4:6e:4c:19:4d:ed:4f:3f:e8:b1:29:f6:6e:2e:0c:
+ d1:ef
+-----BEGIN X509 CRL-----
+MIIBdzCB4QIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0MTkx
+NDU3MjBaMAwwCgYDVR0VBAMKAQagQjBAMB8GA1UdIwQYMBaAFOBimt8FUL0fD1sY
+Sf6+cB3M3DluMAoGA1UdFAQDAgEBMBEGA1UdHAEB/wQHMAWDAwefgDANBgkqhkiG
+9w0BAQUFAAOBgQBamnBZT2tCJ9gqcJ6Rv/UJwCyOIV1qdg9wYe74IMMAz3tAeMUl
+XRfPx3RhKUCTkcFSaEwC47fCDOMmq/ov4g5wYNntNOxyS5hXjFrdHFDSbETuS4nW
++dR5ZJ/n8k/pEAyLEsTv5C34isaUmlkkG/nUbkwZTe1PP+ixKfZuLgzR7w==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest16.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest16.pem
new file mode 100644
index 0000000000..76ef3b7b53
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest16.pem
@@ -0,0 +1,156 @@
+subject=/C=US/O=Test Certificates/CN=onlySomeReasons CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTb25seVNvbWVS
+ZWFzb25zIENBMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqY5YemfCgwOg
+IB+hdOlRZFTinhkf1OaHBpkEgH6r2jJPiuhXh30ZT2TwX9aBiEGnnKuHuZmwGUK/
+DCnAfvpZ621Oo7LXsNQFtGDYrh8Rfu93TxunsJNZQ9ZXWEcIjot4YGkbOO8Nu0il
+Z/zLKJKQUSKKBW/5glVtiynAaixm6k0CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFOBimt8FUL0fD1sYSf6+cB3M3Dlu
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCbnkFzDActclPpCRyu9PWbUrnQ
+ZU76d5EXV40N6ma0OBngkU+7TJgmUNS2anUuxF51tkeYvMlqADT7KijrN/rGSipZ
+yVR/ds2UaXdbfIfuFOs5TuVeClJ21BkYQgrmZ90/ti2fgIKn+cA1MQcnthtmtGJx
+1JuSgthIOVfbeMWdCQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlySomeReasons EE Certificate Test16
+issuer=/C=US/O=Test Certificates/CN=onlySomeReasons CA1
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVh
+c29ucyBDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBhMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUlu
+dmFsaWQgb25seVNvbWVSZWFzb25zIEVFIENlcnRpZmljYXRlIFRlc3QxNjCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlmAr5pfd8vA/RDJSfo8qPEDAbLwbxhVf
+lv1WYCncGfhiyC77BYzSvBHiEp+84tJW6lBUUEewGRBDKerNZAnqkirYwLYccwav
+76qQJnSFTKmjDS7BofPWH8/bVZXjwjGikKAChuVcBykwZt9zOhFCM4y5wUv1IEHe
+iiDpoHEIPqsCAwEAAaNrMGkwHwYDVR0jBBgwFoAU4GKa3wVQvR8PWxhJ/r5wHczc
+OW4wHQYDVR0OBBYEFJdQKB8LbKa2dsGgu3qroJY+rlmzMA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAG5qf
+f86xb10ogmC7H1f//9eykm6gAA0EWFwyXzjCkIlk9WPjGOTBU3WNURziN5LdblcZ
+Csf3gFtni07sN4ISdLTnJFzuW8Nk9vfmmhV74guH9wvMv4fCVInMBZEaak0bR2dY
+LxvWYJ8K2rgUN4E3A5nNFA81/1xxbwCq7c2koa8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E0:62:9A:DF:05:50:BD:1F:0F:5B:18:49:FE:BE:70:1D:CC:DC:39:6E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....`
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:f8:e1:09:a8:5d:d4:4d:a9:18:5c:91:9c:2c:a2:51:7c:dd:
+ 61:bd:4a:38:0c:5c:88:46:56:55:06:29:70:0f:cc:1d:cf:44:
+ d9:9a:b9:11:94:82:53:48:b5:08:4d:19:89:42:c0:ff:7d:42:
+ e0:39:98:43:6f:40:f3:e9:5e:8e:fe:56:3f:f4:4c:60:0e:22:
+ 29:c3:90:7d:2d:ea:d2:96:f1:3d:ce:35:d4:30:72:f2:9b:fc:
+ 86:44:fb:05:b7:3a:08:d2:bc:95:e8:d3:2b:18:a1:64:c9:25:
+ 19:3f:6e:8a:a5:9b:99:e4:f4:ac:1f:f9:ea:72:9c:88:b8:8f:
+ ac:e9
+-----BEGIN X509 CRL-----
+MIIBdjCB4AIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgEBFw0wMTA0MTkx
+NDU3MjBaMAwwCgYDVR0VBAMKAQGgQTA/MB8GA1UdIwQYMBaAFOBimt8FUL0fD1sY
+Sf6+cB3M3DluMAoGA1UdFAQDAgEBMBAGA1UdHAEB/wQGMASDAgVgMA0GCSqGSIb3
+DQEBBQUAA4GBAJn44QmoXdRNqRhckZwsolF83WG9SjgMXIhGVlUGKXAPzB3PRNma
+uRGUglNItQhNGYlCwP99QuA5mENvQPPpXo7+Vj/0TGAOIinDkH0t6tKW8T3ONdQw
+cvKb/IZE+wW3OgjSvJXo0ysYoWTJJRk/boqlm5nk9Kwf+epynIi4j6zp
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E0:62:9A:DF:05:50:BD:1F:0F:5B:18:49:FE:BE:70:1D:CC:DC:39:6E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0......
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 5a:9a:70:59:4f:6b:42:27:d8:2a:70:9e:91:bf:f5:09:c0:2c:
+ 8e:21:5d:6a:76:0f:70:61:ee:f8:20:c3:00:cf:7b:40:78:c5:
+ 25:5d:17:cf:c7:74:61:29:40:93:91:c1:52:68:4c:02:e3:b7:
+ c2:0c:e3:26:ab:fa:2f:e2:0e:70:60:d9:ed:34:ec:72:4b:98:
+ 57:8c:5a:dd:1c:50:d2:6c:44:ee:4b:89:d6:f9:d4:79:64:9f:
+ e7:f2:4f:e9:10:0c:8b:12:c4:ef:e4:2d:f8:8a:c6:94:9a:59:
+ 24:1b:f9:d4:6e:4c:19:4d:ed:4f:3f:e8:b1:29:f6:6e:2e:0c:
+ d1:ef
+-----BEGIN X509 CRL-----
+MIIBdzCB4QIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0MTkx
+NDU3MjBaMAwwCgYDVR0VBAMKAQagQjBAMB8GA1UdIwQYMBaAFOBimt8FUL0fD1sY
+Sf6+cB3M3DluMAoGA1UdFAQDAgEBMBEGA1UdHAEB/wQHMAWDAwefgDANBgkqhkiG
+9w0BAQUFAAOBgQBamnBZT2tCJ9gqcJ6Rv/UJwCyOIV1qdg9wYe74IMMAz3tAeMUl
+XRfPx3RhKUCTkcFSaEwC47fCDOMmq/ov4g5wYNntNOxyS5hXjFrdHFDSbETuS4nW
++dR5ZJ/n8k/pEAyLEsTv5C34isaUmlkkG/nUbkwZTe1PP+ixKfZuLgzR7w==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest17.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest17.pem
new file mode 100644
index 0000000000..c20945cd91
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest17.pem
@@ -0,0 +1,146 @@
+subject=/C=US/O=Test Certificates/CN=onlySomeReasons CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTb25seVNvbWVS
+ZWFzb25zIENBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxjus5muZnJK+
+vbTiSr7l+wNZkm4bBceUnfDkXaEsbIwJRhzBb2TVPT0Do+y3R/r9DGfLYXxCHohP
+OsEkgaaxsJcVNb560ICl7I/WjFftw3D82YeCiqtUageZZbHBGBpb/utZyPdGLoc+
+F6OmUprS/F3KhP6SSVq5/tN8vYA7dqsCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFKqh79hc2DiyM4fnkx5FQRjQinuN
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAn3+Yq1ETHIYeBdtTuzCeQHWWo
+VC03XoW3PZMLAKJZof8WbYui9I0Mz8eF7Ae1tgk4luOkc+1VEuf9Yj1R3/DnrFYR
+Ws6bImkBgnSYYiUSo1GuqCC6L3FuD7KLs7vaCp+9EfS0igqOXxJwEESXgJixsOkz
+/lp/IH1QU84Vh6fKlw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlySomeReasons EE Certificate Test17
+issuer=/C=US/O=Test Certificates/CN=onlySomeReasons CA2
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVh
+c29ucyBDQTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBhMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUlu
+dmFsaWQgb25seVNvbWVSZWFzb25zIEVFIENlcnRpZmljYXRlIFRlc3QxNzCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr8VCnAdQKISRnLmjaXbkkMYcS02qC5Mj
+4f2jw/FDEJKBWKopXex3k9qR+Dvaz6yGEJoi2wj1sUo8xdChVd1XbjGEYxwkaqpe
+cOPYjHlvVF43YGWYhqWOtohBZfIT5uJi0rxZNApuHARfo6UGBaceSk/DUFbos1ag
+lCxoF4pf+5cCAwEAAaNrMGkwHwYDVR0jBBgwFoAUqqHv2FzYOLIzh+eTHkVBGNCK
+e40wHQYDVR0OBBYEFK5QFuk+bZ4HFuTJCRy2qPFS7YZ6MA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAOShO
+p8bEYTzkGWyiUXPs0fZAQzFbgCpN3Q+ky2VZblbIuJTOToG/UiyIQ2FNCq53oBYe
+ZYiuewxa/WWDunOwx7LwPtcksOo3M5BzFmZEqTKALQryiXj9X3ob3tZJFTpAs+X2
+joJ0q+U06GYvbXscfXdm8nvBNA+r5BczWTlAG/4=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:A1:EF:D8:5C:D8:38:B2:33:87:E7:93:1E:45:41:18:D0:8A:7B:8D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0.....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 38:01:7c:3a:47:fa:d7:7a:f9:a0:3c:17:f8:db:94:e7:1d:a0:
+ fa:47:07:6b:ae:03:68:f4:f8:b4:4c:7b:70:a5:0b:5f:92:8c:
+ b8:c3:32:e9:55:34:38:53:61:ba:d9:3d:dc:8f:39:45:dc:51:
+ 5c:ab:7b:67:80:47:b8:60:6c:88:4b:1a:8a:57:fd:73:69:0a:
+ ff:2d:c3:23:8a:62:ea:31:c3:4a:07:3b:8b:89:a6:dd:4e:e8:
+ 8b:99:67:71:62:92:db:40:1e:af:e0:b4:e1:09:62:1d:42:69:
+ b6:45:64:d8:94:4f:30:40:43:e9:38:3a:59:29:6d:0f:8d:72:
+ 0d:8c
+-----BEGIN X509 CRL-----
+MIIBUjCBvAIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgQTA/MB8GA1UdIwQYMBaA
+FKqh79hc2DiyM4fnkx5FQRjQinuNMAoGA1UdFAQDAgEBMBAGA1UdHAEB/wQGMASD
+AgEGMA0GCSqGSIb3DQEBBQUAA4GBADgBfDpH+td6+aA8F/jblOcdoPpHB2uuA2j0
++LRMe3ClC1+SjLjDMulVNDhTYbrZPdyPOUXcUVyre2eAR7hgbIhLGopX/XNpCv8t
+wyOKYuoxw0oHO4uJpt1O6IuZZ3FikttAHq/gtOEJYh1CabZFZNiUTzBAQ+k4Olkp
+bQ+Ncg2M
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlySomeReasons CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:A1:EF:D8:5C:D8:38:B2:33:87:E7:93:1E:45:41:18:D0:8A:7B:8D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0.....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0e:a8:95:98:a1:9d:34:e4:fd:7f:b4:bf:94:48:d5:42:03:a5:
+ cc:e1:85:55:65:15:c2:e7:cb:33:a1:fd:d8:cd:12:04:92:50:
+ cb:bf:ea:6c:e2:ae:bc:55:48:cf:4a:29:61:6b:42:00:4c:08:
+ 35:f6:49:30:e7:37:94:a7:38:bc:bb:3c:8c:c3:11:ea:11:f3:
+ 0e:bd:9f:8f:a0:32:a2:b9:8a:03:cf:6c:eb:75:d7:5d:5f:f1:
+ fe:97:f7:d8:33:e8:9d:9e:21:b6:8e:ba:2a:63:c1:0c:57:64:
+ dd:90:98:34:4f:db:a1:d1:11:0e:77:13:87:f4:b0:61:c1:36:
+ 1f:c8
+-----BEGIN X509 CRL-----
+MIIBUjCBvAIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE29ubHlTb21lUmVhc29ucyBD
+QTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgQTA/MB8GA1UdIwQYMBaA
+FKqh79hc2DiyM4fnkx5FQRjQinuNMAoGA1UdFAQDAgEBMBAGA1UdHAEB/wQGMASD
+AgMYMA0GCSqGSIb3DQEBBQUAA4GBAA6olZihnTTk/X+0v5RI1UIDpczhhVVlFcLn
+yzOh/djNEgSSUMu/6mzirrxVSM9KKWFrQgBMCDX2STDnN5SnOLy7PIzDEeoR8w69
+n4+gMqK5igPPbOt1111f8f6X99gz6J2eIbaOuipjwQxXZN2QmDRP26HREQ53E4f0
+sGHBNh/I
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest20.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest20.pem
new file mode 100644
index 0000000000..91c6b1fb56
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest20.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UECxMTb25seVNvbWVS
+ZWFzb25zIENBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApawx8YRMPlMQ
+024rS3sld90L6veeiaILQ6LHaLsGJq3VdzR86qrSqOOIC4riSla8gYRwgMxS4ex2
+wjXsRFQbvsG09PcFyRJKJ0NLsY8FiVdShUDwLEohR/cdfL4Z+iCgZdY4iMaILI8a
+MHiBRffd7isOjbgUd8JKQ6DM4ercJksCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFD++QPH3awL7sFnDAKRa4JdUCOkZ
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAzmsqTCqqsyknqgNHYbj4aH461
+hKTEkZRpMSUHjJwKJWFK4fzqdC8DDlCw9rfmNld7RwxcC3/o0J5v3T4KG3C4s9Rr
+eVSmm4Kwvgjmj0tsm0TQbG+B4uLqaFAAmlBTZPYl9ABodUKUP2eKcAL7f98INanN
+/veMciSwQ7N4Ku7Zjw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlySomeReasons EE Certificate Test20
+issuer=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAs2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAsTE29ubHlTb21lUmVh
+c29ucyBDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBhMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUlu
+dmFsaWQgb25seVNvbWVSZWFzb25zIEVFIENlcnRpZmljYXRlIFRlc3QyMDCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo/2deWn2P1temSytp9fRh3t+UZIp62k5
+iNe1RKLHz08HxSTMrPeCRNnJFp5opbLpQEsUk8xludZeIcWGyLtBTN5w46xk04gh
+1Px8Z2+/mnT/ngizwoMvKZf1dqA1/IYacDNHoZB8wlR7iMEa3scvBmFE/B/Ieudc
+hxnOxEhEprUCAwEAAaOCAUQwggFAMB8GA1UdIwQYMBaAFD++QPH3awL7sFnDAKRa
+4JdUCOkZMB0GA1UdDgQWBBT9Hi+HZ9Okq+jLk3TXM424X5IyqzAOBgNVHQ8BAf8E
+BAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIHUBgNVHR8EgcwwgckwYqBc
+oFqkWDBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+HDAaBgNVBAsTE29ubHlTb21lUmVhc29ucyBDQTQxDTALBgNVBAMTBENSTDGBAgVg
+MGOgXKBapFgwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwy
+gQMHn4AwDQYJKoZIhvcNAQEFBQADgYEAEyLMappHZG7NaHTIJRCcyylzQD0od1Bi
+cIsRgkSX4W6BWas7pnbYsIaBtY7SX6PU8lcrIBdjUlKUmzZP+0f08ptO5a4ZPaY3
+mJ7GjPUXPN8T/P8cfpU5A3AlaLam894aWe2vJuwmNlrEs6I0mP20WbXkYjmg2qzP
+joyjMV62Zb4=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0b.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL1...`
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:c9:cf:ae:6b:51:3a:d8:ee:4f:85:3b:a7:18:30:00:6c:cd:
+ 0f:1a:59:06:50:fd:75:49:44:9a:af:71:a5:74:ca:25:02:e1:
+ fe:c2:0b:15:f4:db:0a:8c:7f:ca:9b:de:cd:bf:1a:2d:3e:10:
+ 1a:a9:4a:9b:a9:64:75:01:1c:dc:26:b2:f6:ab:2f:d2:7b:3d:
+ 01:f6:fb:64:a4:c8:53:65:b2:80:5a:1d:22:e7:3b:9c:12:92:
+ 96:01:0d:74:83:d2:72:c3:a6:34:cb:54:bc:75:c4:34:12:c1:
+ 4e:40:2e:e1:28:d7:ea:6d:c1:9a:4b:80:dc:2d:7c:7c:a5:a7:
+ 28:75
+-----BEGIN X509 CRL-----
+MIIB1zCCAUACAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIGgMIGdMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG4GA1UdHAEB/wRkMGKgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgwIFYDANBgkqhkiG
+9w0BAQUFAAOBgQAMyc+ua1E62O5PhTunGDAAbM0PGlkGUP11SUSar3GldMolAuH+
+wgsV9NsKjH/Km97NvxotPhAaqUqbqWR1ARzcJrL2qy/Sez0B9vtkpMhTZbKAWh0i
+5zucEpKWAQ10g9Jyw6Y0y1S8dcQ0EsFOQC7hKNfqbcGaS4DcLXx8pacodQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0c.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL2.....
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Affiliation Changed
+ Signature Algorithm: sha1WithRSAEncryption
+ 3d:11:d9:b5:4a:98:2e:f6:01:84:ec:e5:d7:d5:20:45:06:18:
+ 19:5e:18:1b:89:27:c3:fc:7a:ea:a7:3e:3d:bc:ff:26:f1:69:
+ 90:73:a1:2f:d6:0e:82:36:1b:f7:98:7d:26:2f:07:86:05:58:
+ b4:5f:ce:84:6d:ef:4a:51:e8:40:4a:51:b2:57:46:b6:76:e1:
+ 8f:0e:b8:03:16:88:72:c3:88:74:74:76:38:1d:44:87:88:c2:
+ a5:ce:34:cb:a9:bf:a1:6f:e9:96:e3:a7:ab:3f:be:a5:60:b2:
+ 4b:e2:bb:f8:1b:84:4e:eb:69:ae:01:f2:5a:e9:78:9d:ac:38:
+ 45:4d
+-----BEGIN X509 CRL-----
+MIIB2DCCAUECAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAxcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEDoIGhMIGeMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG8GA1UdHAEB/wRlMGOgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwygwMHn4AwDQYJKoZI
+hvcNAQEFBQADgYEAPRHZtUqYLvYBhOzl19UgRQYYGV4YG4knw/x66qc+Pbz/JvFp
+kHOhL9YOgjYb95h9Ji8HhgVYtF/OhG3vSlHoQEpRsldGtnbhjw64AxaIcsOIdHR2
+OB1Eh4jCpc40y6m/oW/pluOnqz++pWCyS+K7+BuETutprgHyWul4naw4RU0=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest21.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest21.pem
new file mode 100644
index 0000000000..07b5c9b27a
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest21.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UECxMTb25seVNvbWVS
+ZWFzb25zIENBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApawx8YRMPlMQ
+024rS3sld90L6veeiaILQ6LHaLsGJq3VdzR86qrSqOOIC4riSla8gYRwgMxS4ex2
+wjXsRFQbvsG09PcFyRJKJ0NLsY8FiVdShUDwLEohR/cdfL4Z+iCgZdY4iMaILI8a
+MHiBRffd7isOjbgUd8JKQ6DM4ercJksCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFD++QPH3awL7sFnDAKRa4JdUCOkZ
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAzmsqTCqqsyknqgNHYbj4aH461
+hKTEkZRpMSUHjJwKJWFK4fzqdC8DDlCw9rfmNld7RwxcC3/o0J5v3T4KG3C4s9Rr
+eVSmm4Kwvgjmj0tsm0TQbG+B4uLqaFAAmlBTZPYl9ABodUKUP2eKcAL7f98INanN
+/veMciSwQ7N4Ku7Zjw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid onlySomeReasons EE Certificate Test21
+issuer=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAs2gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAsTE29ubHlTb21lUmVh
+c29ucyBDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBhMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNjA0BgNVBAMTLUlu
+dmFsaWQgb25seVNvbWVSZWFzb25zIEVFIENlcnRpZmljYXRlIFRlc3QyMTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzgd55Gu4oIU3A4rk6mO8UVYckksUPNUx
+c+r5iyehCTZg5HpsL0JSKVXAlRwGm5Q7YtHJE+teXB2BM0iMSAIZGNX8fktIN8nK
+Lrw3CHA+5ZySf38wiaNzTgw3V7UTBQ01sd50PWuvL+jOm+AcaCMvdcqFJBP0yhCS
+nkdd2MUeY1MCAwEAAaOCAUQwggFAMB8GA1UdIwQYMBaAFD++QPH3awL7sFnDAKRa
+4JdUCOkZMB0GA1UdDgQWBBT41fIkHaXWHPGTFvG2DPuOcjtPXDAOBgNVHQ8BAf8E
+BAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIHUBgNVHR8EgcwwgckwYqBc
+oFqkWDBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+HDAaBgNVBAsTE29ubHlTb21lUmVhc29ucyBDQTQxDTALBgNVBAMTBENSTDGBAgVg
+MGOgXKBapFgwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwy
+gQMHn4AwDQYJKoZIhvcNAQEFBQADgYEANlJq9PF7a+NShO7uJTf788sIG++L3xeT
+OiO5bnuAe91jbQN8l4j+dHxDiT4CdVBdlUPwlENF5rtuKsjSn6baeKMwAo5A6ji0
+7YObkqeg6Be0P6fIKT29KyT17o0bXi7rRTK6PqODvOePJ/kf+x5pMpQrHEutym09
+VmHbVhUkHEA=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0b.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL1...`
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:c9:cf:ae:6b:51:3a:d8:ee:4f:85:3b:a7:18:30:00:6c:cd:
+ 0f:1a:59:06:50:fd:75:49:44:9a:af:71:a5:74:ca:25:02:e1:
+ fe:c2:0b:15:f4:db:0a:8c:7f:ca:9b:de:cd:bf:1a:2d:3e:10:
+ 1a:a9:4a:9b:a9:64:75:01:1c:dc:26:b2:f6:ab:2f:d2:7b:3d:
+ 01:f6:fb:64:a4:c8:53:65:b2:80:5a:1d:22:e7:3b:9c:12:92:
+ 96:01:0d:74:83:d2:72:c3:a6:34:cb:54:bc:75:c4:34:12:c1:
+ 4e:40:2e:e1:28:d7:ea:6d:c1:9a:4b:80:dc:2d:7c:7c:a5:a7:
+ 28:75
+-----BEGIN X509 CRL-----
+MIIB1zCCAUACAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIGgMIGdMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG4GA1UdHAEB/wRkMGKgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgwIFYDANBgkqhkiG
+9w0BAQUFAAOBgQAMyc+ua1E62O5PhTunGDAAbM0PGlkGUP11SUSar3GldMolAuH+
+wgsV9NsKjH/Km97NvxotPhAaqUqbqWR1ARzcJrL2qy/Sez0B9vtkpMhTZbKAWh0i
+5zucEpKWAQ10g9Jyw6Y0y1S8dcQ0EsFOQC7hKNfqbcGaS4DcLXx8pacodQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0c.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL2.....
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Affiliation Changed
+ Signature Algorithm: sha1WithRSAEncryption
+ 3d:11:d9:b5:4a:98:2e:f6:01:84:ec:e5:d7:d5:20:45:06:18:
+ 19:5e:18:1b:89:27:c3:fc:7a:ea:a7:3e:3d:bc:ff:26:f1:69:
+ 90:73:a1:2f:d6:0e:82:36:1b:f7:98:7d:26:2f:07:86:05:58:
+ b4:5f:ce:84:6d:ef:4a:51:e8:40:4a:51:b2:57:46:b6:76:e1:
+ 8f:0e:b8:03:16:88:72:c3:88:74:74:76:38:1d:44:87:88:c2:
+ a5:ce:34:cb:a9:bf:a1:6f:e9:96:e3:a7:ab:3f:be:a5:60:b2:
+ 4b:e2:bb:f8:1b:84:4e:eb:69:ae:01:f2:5a:e9:78:9d:ac:38:
+ 45:4d
+-----BEGIN X509 CRL-----
+MIIB2DCCAUECAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAxcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEDoIGhMIGeMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG8GA1UdHAEB/wRlMGOgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwygwMHn4AwDQYJKoZI
+hvcNAQEFBQADgYEAPRHZtUqYLvYBhOzl19UgRQYYGV4YG4knw/x66qc+Pbz/JvFp
+kHOhL9YOgjYb95h9Ji8HhgVYtF/OhG3vSlHoQEpRsldGtnbhjw64AxaIcsOIdHR2
+OB1Eh4jCpc40y6m/oW/pluOnqz++pWCyS+K7+BuETutprgHyWul4naw4RU0=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest10.pem
new file mode 100644
index 0000000000..1ef60f3971
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest10.pem
@@ -0,0 +1,211 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAt36UX+gq562CFiw9L16IZ/AjJhU0BB9ji/77uw3AfvBGggmikeDq79BD
+yzBFrHys/L5UeXepakX1v+XvlxFjwvc8c226jf6uKEop5KJZDI8aV4byQvc1C8Ol
+MdgZ4pd6ofTl28r1VDkdDt94c7+Gl0CqBo6LawwGmNfSHUWqf6UCAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFAJIeLnM
+AVExdH85KjfCRJN+mGmAMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOBgQCm
+Qa7i6335O64eyxJjXl3U2Bw5wN3JaK9t7f4dJAxfOlcblWbbes+Gk12UCYtxTZDj
+oZ70F4IoGU7JQt5CcdB2yQtctPK+X7A3/Vsxjknm11nCn4IhcU7LDkEiSovBGLR0
+KV3NAqQQhr1WQoY1Uf3Ncpl7b+SaZscZ3r35UJo4iw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTAwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTAwMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC3rH58cOqP9U5iyQflKaVyYw+1LMhr3jDW9/Q3aedlH/TY
+iLmT71FUjHaJMWOCO6sAEYMphrRdIUy82rai3iJgrNtJ21uIFOlmjgwgl9amHX8B
+yT+qgiwLs8kzE6NgPYHgLgbKEIqgZ+AZplCt60tCbeGKLR/WtXrxAIgqU+ar1wID
+AQABo38wfTAfBgNVHSMEGDAWgBQCSHi5zAFRMXR/OSo3wkSTfphpgDAdBgNVHQ4E
+FgQUauYRxUFtrRo+gtywXa3yGfFQzgswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEB
+BQUAA4GBADnBidpEzasWbrLankXCoCaeizozu2dGAMMWpbs02cplC/vIlcr0myWK
+noFSuxUuQa7sMxp72p5r2ziJp5pk1gT2KX/kgOYlQqgbJ4UmARGP7er+zIPulXib
+suMShSCGO1xC+fXppdhPy+YQq8a7Mzi7XKqP5su+aTWw/B3a8ys9
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test10
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+-----BEGIN CERTIFICATE-----
+MIICpjCCAg+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTAwMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowYzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTgw
+NgYDVQQDEy9JbnZhbGlkIHBhdGhMZW5Db25zdHJhaW50IEVFIENlcnRpZmljYXRl
+IFRlc3QxMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr0SfgP3iREpEpoxL
+34yNQOjycTI5wM/Y9YXQ6E26DxRndEt8gy0Nt+w7/WcO0aJ/EA76704ckmtzahRW
+gH7YAntSVCkBwyB8EDt0eBxom9vWRhPmqJgF6PJtcuAZnkISqXfw7zurQN/p1HzT
+iBta6ocTlilBTPujtQ/X4O12W5kCAwEAAaN8MHowHwYDVR0jBBgwFoAUauYRxUFt
+rRo+gtywXa3yGfFQzgswHQYDVR0OBBYEFLsMSzv8dfhgJ3MxRW07FltMDKkGMA4G
+A1UdDwEB/wQEAwIB9jAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAfOH+DXogRwi00dAkv43qzCo23eOg7
+uaaD7fgNVn7RrEYkyc0RZWf1P56IXe9aTM41eVmi1PyblkZ0aXH9e7ShaOW11Jk4
+OpIpx+vR7HqBjW0yqIXES3pbA6Vm26gj1WDuq0oSps0+BxKTL5cHxVlCT9+YES4B
+T1SmCaLl/UdsEA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:02:48:78:B9:CC:01:51:31:74:7F:39:2A:37:C2:44:93:7E:98:69:80
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 44:34:f6:c5:c0:16:f7:24:42:33:a8:e4:ca:74:71:94:76:93:
+ e7:4b:7c:a3:8b:ac:ae:11:ab:46:94:f6:0d:88:b6:e0:96:1f:
+ ab:04:6a:92:b7:6d:4b:aa:6a:b0:13:58:58:a7:7e:06:de:c1:
+ 26:d4:09:e0:7b:a9:e4:dd:73:da:b0:cc:a0:61:ab:c4:c7:cb:
+ c2:e1:66:f9:f2:2a:c2:c9:59:5f:05:c6:74:f8:bd:bb:92:24:
+ 77:12:34:23:7d:95:99:bf:35:e0:6f:cf:2a:b6:19:29:9e:59:
+ d2:0b:2f:07:44:25:66:6a:e9:5a:ed:7f:99:33:b5:3e:65:69:
+ 57:95
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTAXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFAJIeLnMAVExdH85KjfCRJN+mGmAMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAEQ09sXAFvckQjOo5Mp0cZR2k+dLfKOLrK4Rq0aU9g2ItuCWH6sE
+apK3bUuqarATWFinfgbewSbUCeB7qeTdc9qwzKBhq8THy8LhZvnyKsLJWV8FxnT4
+vbuSJHcSNCN9lZm/NeBvzyq2GSmeWdILLwdEJWZq6Vrtf5kztT5laVeV
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:E6:11:C5:41:6D:AD:1A:3E:82:DC:B0:5D:AD:F2:19:F1:50:CE:0B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 42:5b:18:71:be:d6:f0:b4:80:f6:33:3c:cd:99:0d:26:f3:90:
+ 70:42:44:f8:f9:61:72:1c:b3:91:02:0a:14:55:67:d0:1b:23:
+ 06:f0:90:76:49:c6:82:23:70:da:3a:15:95:90:80:aa:8f:0e:
+ fb:4e:5b:9b:66:38:21:14:15:c1:65:71:1d:e5:b6:90:ae:b2:
+ 7a:73:84:9a:1d:3c:f2:2f:65:0a:b4:7f:52:90:a1:1d:37:a6:
+ 24:a8:7f:5e:72:e5:1a:8b:89:31:ac:dc:0a:3a:d2:15:7f:f5:
+ 97:f3:1a:82:d6:fd:74:b5:92:0f:d5:d3:a5:74:1d:a3:7f:62:
+ 1b:c4
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTAwFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBRq5hHFQW2tGj6C3LBdrfIZ8VDOCzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQBCWxhxvtbwtID2MzzNmQ0m85BwQkT4+WFyHLORAgoUVWfQ
+GyMG8JB2ScaCI3DaOhWVkICqjw77TlubZjghFBXBZXEd5baQrrJ6c4SaHTzyL2UK
+tH9SkKEdN6YkqH9ecuUai4kxrNwKOtIVf/WX8xqC1v10tZIP1dOldB2jf2IbxA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest11.pem
new file mode 100644
index 0000000000..259d24610f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest11.pem
@@ -0,0 +1,262 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAmzChDurmjaO/gLW4mwfnkQwkFgDcZvpMdZEqpd4u4+RaoyI7I6LlTFQ+
+wkZ0cnLVA8C/F6+ZqpMXg4s9pb04PuHb0xsgBHFefpSASxTCIBWVOmLq462zY6o8
+Iun/AQo4JVGx175EcIUkcldAg19+3l1NV4fg7BN7waHWiVfIzS0CAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFEQ04VAm
+/zwjDK2/vU7Ge+AMSIqqMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQUFAAOBgQCK
+Fy4Zq2RJVwWE4qzs2QbzST7CRcwqzwlUwH2S53MA3J38uXAEjqjJLyLSG7k9xjYq
+Xwq0hQZIfdeOkSMfSEUl3XWgYfQFGfmHdsUPJ0NX79NXXoyxsfZPRH9LF+CPnv8d
+kwA/on1VypfAuAv4/M6L3p7jFDISJRRGcXRBRB13lA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTExMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDSXWC7L0WLN2ZeSCkEhh0EhpdojjOAr8wqSRoVWRnyzGMM
+swGD3i80PXaZFl1qIeaER7LF0udID27SF6sC5g+kklfiK3UAn0YscNa2U6r27vwO
+2pj95+SfvnAuFgQoO82T4VQtUJnUOB+NAwWHGZ0Y9WiAxus6qNqEVTbr3CcT4wID
+AQABo38wfTAfBgNVHSMEGDAWgBRENOFQJv88Iwytv71OxnvgDEiKqjAdBgNVHQ4E
+FgQUs8D3URQQ9lyaTiyHUFHlkdNYWyswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEB
+BQUAA4GBADYFuhgJI8Nyw7Mhpcq5n2NHNEXkP8g5ibaa86O1I//NQRsXnQ42VQrQ
+UemJMwtYlYjXHCL3MaiZOOXv+jaJDAbAE8zDq1c11WuKYBQ/ABNR+jCYnOlnR4lH
+1Ibtl3Y4v7sEq5V6MyO6DugCihflJSVSOV8UFaYxZQ3cb/AgI41q
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowVTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSow
+KAYDVQQDEyFwYXRoTGVuQ29uc3RyYWludDYgc3Vic3Vic3ViQ0ExMVgwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALXNtkOI9gcg1V1Ecg8VBS17NqL8yaeNOG8h
+VgH8Peay4GsCzxqYOSnPDeBKtlMJ+TAmMmz30FZ4XtEJScvx9yllHjEM85LdyvTM
+ZD6gy7yWApPgkhMipi9vww7JUtH6RrDQmKurTvtx5BhM/lYWlDVSnxX/CmWFm22r
+vwk/Rbz1AgMBAAGjfDB6MB8GA1UdIwQYMBaAFLPA91EUEPZcmk4sh1BR5ZHTWFsr
+MB0GA1UdDgQWBBRqNvBXdT9CFVC16QgdKDfFreIGvDAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADgYEAXlaYIT0dDTF0GGAJ8H41hvUkovy3ge8i7YDWofVBhdt+rEeC
+v0tvUcc+7mPSj3i5flZgJnbXMwS7wNlLhttOpbBMqL5/vWyIcvrgXm3qmXowQF0H
+WuW/WllHgGzQ8tIbGUWcl2bvkFNA5nIeumCrK1vmIgNqYaRUdOH9xuPuvxw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJzdWJDQTExWDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMGMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czE4MDYGA1UEAxMvSW52YWxpZCBwYXRoTGVuQ29uc3RyYWludCBFRSBDZXJ0aWZp
+Y2F0ZSBUZXN0MTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK/Kz6a5RrnL
+VxjtAz2f5jD2LFhGyAiWK8+D2zGdebUqwosPmO1bFaTy4UpTN1y2NDdhbZJ9u6q4
+UyBlEswNHWLbKw2eAhhlj4tL8W7qCcCTiIDusf+/it87dawc9FbLFDa6ZhPQn3zf
+fOKdROTtdR1GLihtxkPeVht0YCU0Y5jBAgMBAAGjazBpMB8GA1UdIwQYMBaAFGo2
+8Fd1P0IVULXpCB0oN8Wt4ga8MB0GA1UdDgQWBBSms0sRlWo2giuUP4b24hz3mOOT
+ZjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqG
+SIb3DQEBBQUAA4GBAGVBiyATRLrOnNHi80uCRg3a7ZWI4275SlflSYwZhFBkGkd2
+C4kyAGKsNrFGtuCpDNM7IgF4xbQweHBODNwwCOfsdc9OahGntqhxeKxUQpDkwc8a
+3Faqn6fs/BnZqkNzepiZdHCsTdiyiiB7LxL9LVo7575vfuB0yBsCk2lGgbkz
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:44:34:E1:50:26:FF:3C:23:0C:AD:BF:BD:4E:C6:7B:E0:0C:48:8A:AA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:23:83:69:3d:e9:a9:b9:0c:9f:fd:64:34:97:b1:1e:e3:c6:
+ 25:62:c4:d5:cb:ee:87:98:04:d6:96:04:0e:7e:96:3b:22:7c:
+ 3f:e7:f6:f8:a5:d4:14:a2:86:2c:10:d6:b6:08:a6:da:2a:3e:
+ 7e:70:f1:d1:e6:a0:6e:55:1c:68:10:4f:65:d2:1f:51:d7:a0:
+ 6b:d7:df:db:7e:2e:f6:8f:5e:64:5e:6a:ca:48:2b:8c:f0:85:
+ 37:f3:70:67:c9:44:c4:8f:7f:ad:93:93:e6:d9:c0:7e:8d:0e:
+ 01:16:01:82:e2:b9:a6:28:1f:3b:e9:0a:d0:ea:d6:23:a1:c4:
+ a5:1a
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFEQ04VAm/zwjDK2/vU7Ge+AMSIqqMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAI0jg2k96am5DJ/9ZDSXsR7jxiVixNXL7oeYBNaWBA5+ljsifD/n
+9vil1BSihiwQ1rYIptoqPn5w8dHmoG5VHGgQT2XSH1HXoGvX39t+LvaPXmReaspI
+K4zwhTfzcGfJRMSPf62Tk+bZwH6NDgEWAYLiuaYoHzvpCtDq1iOhxKUa
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B3:C0:F7:51:14:10:F6:5C:9A:4E:2C:87:50:51:E5:91:D3:58:5B:2B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 5f:3d:a5:ee:09:93:d8:4f:cf:28:3b:05:87:8e:8b:08:7e:2d:
+ 36:0e:c2:f0:cd:54:94:05:54:07:2f:9d:e6:8d:1b:9c:f5:fe:
+ 92:7e:3f:bc:94:d5:fd:82:c0:87:dc:93:32:c8:ab:01:59:3b:
+ 6a:df:8e:af:cb:14:f7:f7:39:50:da:8c:ac:02:7c:97:24:27:
+ ce:11:a9:9b:38:72:6e:32:c4:a1:0a:f3:34:5d:62:9d:f8:ea:
+ 21:1a:bc:0e:22:98:6f:80:25:1f:5c:c4:fe:1e:7b:ff:9c:4a:
+ 83:ec:02:29:db:a0:6e:cb:9e:98:89:33:be:25:8c:2d:48:9d:
+ 70:3d
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBSzwPdRFBD2XJpOLIdQUeWR01hbKzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQBfPaXuCZPYT88oOwWHjosIfi02DsLwzVSUBVQHL53mjRuc
+9f6Sfj+8lNX9gsCH3JMyyKsBWTtq346vyxT39zlQ2oysAnyXJCfOEambOHJuMsSh
+CvM0XWKd+OohGrwOIphvgCUfXMT+Hnv/nEqD7AIp26Buy56YiTO+JYwtSJ1wPQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:36:F0:57:75:3F:42:15:50:B5:E9:08:1D:28:37:C5:AD:E2:06:BC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c1:d4:9f:53:f4:86:55:66:46:ba:2f:82:df:c3:81:ad:52:
+ 95:0f:cb:f0:c0:25:ca:b2:fa:80:c7:b4:50:a3:95:70:ea:01:
+ b1:30:fe:c9:da:a0:b4:fb:a6:9f:55:ec:3f:df:12:37:bb:44:
+ cf:6a:5c:7d:fa:34:93:7c:9d:5f:f0:d6:fc:dc:07:9f:1f:2d:
+ bc:02:3f:80:59:de:31:ba:19:c8:e8:a9:3c:e7:1d:28:e8:cb:
+ f7:4d:e2:f6:26:cd:45:2f:d4:70:77:68:ae:1e:5d:0f:55:c6:
+ fb:f4:5d:64:3c:e0:30:a7:2d:3a:ed:4e:7b:a1:e2:13:70:da:
+ 30:e4
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJzdWJDQTExWBcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUajbwV3U/QhVQtekIHSg3xa3iBrwwCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEAk8HUn1P0hlVmRrovgt/Dga1SlQ/L8MAlyrL6gMe0
+UKOVcOoBsTD+ydqgtPumn1XsP98SN7tEz2pcffo0k3ydX/DW/NwHnx8tvAI/gFne
+MboZyOipPOcdKOjL903i9ibNRS/UcHdorh5dD1XG+/RdZDzgMKctOu1Oe6HiE3Da
+MOQ=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest12.pem
new file mode 100644
index 0000000000..3325707a9b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest12.pem
@@ -0,0 +1,263 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAmzChDurmjaO/gLW4mwfnkQwkFgDcZvpMdZEqpd4u4+RaoyI7I6LlTFQ+
+wkZ0cnLVA8C/F6+ZqpMXg4s9pb04PuHb0xsgBHFefpSASxTCIBWVOmLq462zY6o8
+Iun/AQo4JVGx175EcIUkcldAg19+3l1NV4fg7BN7waHWiVfIzS0CAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFEQ04VAm
+/zwjDK2/vU7Ge+AMSIqqMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQUFAAOBgQCK
+Fy4Zq2RJVwWE4qzs2QbzST7CRcwqzwlUwH2S53MA3J38uXAEjqjJLyLSG7k9xjYq
+Xwq0hQZIfdeOkSMfSEUl3XWgYfQFGfmHdsUPJ0NX79NXXoyxsfZPRH9LF+CPnv8d
+kwA/on1VypfAuAv4/M6L3p7jFDISJRRGcXRBRB13lA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTExMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDSXWC7L0WLN2ZeSCkEhh0EhpdojjOAr8wqSRoVWRnyzGMM
+swGD3i80PXaZFl1qIeaER7LF0udID27SF6sC5g+kklfiK3UAn0YscNa2U6r27vwO
+2pj95+SfvnAuFgQoO82T4VQtUJnUOB+NAwWHGZ0Y9WiAxus6qNqEVTbr3CcT4wID
+AQABo38wfTAfBgNVHSMEGDAWgBRENOFQJv88Iwytv71OxnvgDEiKqjAdBgNVHQ4E
+FgQUs8D3URQQ9lyaTiyHUFHlkdNYWyswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEB
+BQUAA4GBADYFuhgJI8Nyw7Mhpcq5n2NHNEXkP8g5ibaa86O1I//NQRsXnQ42VQrQ
+UemJMwtYlYjXHCL3MaiZOOXv+jaJDAbAE8zDq1c11WuKYBQ/ABNR+jCYnOlnR4lH
+1Ibtl3Y4v7sEq5V6MyO6DugCihflJSVSOV8UFaYxZQ3cb/AgI41q
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowVTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSow
+KAYDVQQDEyFwYXRoTGVuQ29uc3RyYWludDYgc3Vic3Vic3ViQ0ExMVgwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALXNtkOI9gcg1V1Ecg8VBS17NqL8yaeNOG8h
+VgH8Peay4GsCzxqYOSnPDeBKtlMJ+TAmMmz30FZ4XtEJScvx9yllHjEM85LdyvTM
+ZD6gy7yWApPgkhMipi9vww7JUtH6RrDQmKurTvtx5BhM/lYWlDVSnxX/CmWFm22r
+vwk/Rbz1AgMBAAGjfDB6MB8GA1UdIwQYMBaAFLPA91EUEPZcmk4sh1BR5ZHTWFsr
+MB0GA1UdDgQWBBRqNvBXdT9CFVC16QgdKDfFreIGvDAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADgYEAXlaYIT0dDTF0GGAJ8H41hvUkovy3ge8i7YDWofVBhdt+rEeC
+v0tvUcc+7mPSj3i5flZgJnbXMwS7wNlLhttOpbBMqL5/vWyIcvrgXm3qmXowQF0H
+WuW/WllHgGzQ8tIbGUWcl2bvkFNA5nIeumCrK1vmIgNqYaRUdOH9xuPuvxw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test12
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJzdWJDQTExWDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMGMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czE4MDYGA1UEAxMvSW52YWxpZCBwYXRoTGVuQ29uc3RyYWludCBFRSBDZXJ0aWZp
+Y2F0ZSBUZXN0MTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKYWPPc7psjO
+loPqdJ0NVow1+jFLB3yaoLHoJ+72kbII2gHjDiiZqm3e1E8Bqo136BrJlUrf5ZBj
+5G7DoA0OWn12+0bHhTNOEucIAFe/M6DpdHEIRR3l9CA20h4VMN5dUnQlVRt5uzGb
+RWcxgL5F79IUTDI1M2JJz2z8Aj/WIsbRAgMBAAGjfDB6MB8GA1UdIwQYMBaAFGo2
+8Fd1P0IVULXpCB0oN8Wt4ga8MB0GA1UdDgQWBBQfCYLms5akqSyTnpkK+G20CC7J
+7zAOBgNVHQ8BAf8EBAMCAfYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEABeLBzaJ0fJ0vgFUpXxNodli4
+jWo3oP+YW75X3NsMhhl31MbHAyUVw7CCEspHiIIRtSfJCALAaH9Ug7kMFjFDrxTH
+2790IdTodWieyUn/sdU9WWVRXiR7d5M2SVIYwdc6NjmsSVg6m++W99Uv5pBzoTAA
+ClExK3cmR6k5T7cF58Y=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:44:34:E1:50:26:FF:3C:23:0C:AD:BF:BD:4E:C6:7B:E0:0C:48:8A:AA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:23:83:69:3d:e9:a9:b9:0c:9f:fd:64:34:97:b1:1e:e3:c6:
+ 25:62:c4:d5:cb:ee:87:98:04:d6:96:04:0e:7e:96:3b:22:7c:
+ 3f:e7:f6:f8:a5:d4:14:a2:86:2c:10:d6:b6:08:a6:da:2a:3e:
+ 7e:70:f1:d1:e6:a0:6e:55:1c:68:10:4f:65:d2:1f:51:d7:a0:
+ 6b:d7:df:db:7e:2e:f6:8f:5e:64:5e:6a:ca:48:2b:8c:f0:85:
+ 37:f3:70:67:c9:44:c4:8f:7f:ad:93:93:e6:d9:c0:7e:8d:0e:
+ 01:16:01:82:e2:b9:a6:28:1f:3b:e9:0a:d0:ea:d6:23:a1:c4:
+ a5:1a
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFEQ04VAm/zwjDK2/vU7Ge+AMSIqqMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAI0jg2k96am5DJ/9ZDSXsR7jxiVixNXL7oeYBNaWBA5+ljsifD/n
+9vil1BSihiwQ1rYIptoqPn5w8dHmoG5VHGgQT2XSH1HXoGvX39t+LvaPXmReaspI
+K4zwhTfzcGfJRMSPf62Tk+bZwH6NDgEWAYLiuaYoHzvpCtDq1iOhxKUa
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA11
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B3:C0:F7:51:14:10:F6:5C:9A:4E:2C:87:50:51:E5:91:D3:58:5B:2B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 5f:3d:a5:ee:09:93:d8:4f:cf:28:3b:05:87:8e:8b:08:7e:2d:
+ 36:0e:c2:f0:cd:54:94:05:54:07:2f:9d:e6:8d:1b:9c:f5:fe:
+ 92:7e:3f:bc:94:d5:fd:82:c0:87:dc:93:32:c8:ab:01:59:3b:
+ 6a:df:8e:af:cb:14:f7:f7:39:50:da:8c:ac:02:7c:97:24:27:
+ ce:11:a9:9b:38:72:6e:32:c4:a1:0a:f3:34:5d:62:9d:f8:ea:
+ 21:1a:bc:0e:22:98:6f:80:25:1f:5c:c4:fe:1e:7b:ff:9c:4a:
+ 83:ec:02:29:db:a0:6e:cb:9e:98:89:33:be:25:8c:2d:48:9d:
+ 70:3d
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBSzwPdRFBD2XJpOLIdQUeWR01hbKzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQBfPaXuCZPYT88oOwWHjosIfi02DsLwzVSUBVQHL53mjRuc
+9f6Sfj+8lNX9gsCH3JMyyKsBWTtq346vyxT39zlQ2oysAnyXJCfOEambOHJuMsSh
+CvM0XWKd+OohGrwOIphvgCUfXMT+Hnv/nEqD7AIp26Buy56YiTO+JYwtSJ1wPQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA11X
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:36:F0:57:75:3F:42:15:50:B5:E9:08:1D:28:37:C5:AD:E2:06:BC
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c1:d4:9f:53:f4:86:55:66:46:ba:2f:82:df:c3:81:ad:52:
+ 95:0f:cb:f0:c0:25:ca:b2:fa:80:c7:b4:50:a3:95:70:ea:01:
+ b1:30:fe:c9:da:a0:b4:fb:a6:9f:55:ec:3f:df:12:37:bb:44:
+ cf:6a:5c:7d:fa:34:93:7c:9d:5f:f0:d6:fc:dc:07:9f:1f:2d:
+ bc:02:3f:80:59:de:31:ba:19:c8:e8:a9:3c:e7:1d:28:e8:cb:
+ f7:4d:e2:f6:26:cd:45:2f:d4:70:77:68:ae:1e:5d:0f:55:c6:
+ fb:f4:5d:64:3c:e0:30:a7:2d:3a:ed:4e:7b:a1:e2:13:70:da:
+ 30:e4
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJzdWJDQTExWBcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUajbwV3U/QhVQtekIHSg3xa3iBrwwCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEAk8HUn1P0hlVmRrovgt/Dga1SlQ/L8MAlyrL6gMe0
+UKOVcOoBsTD+ydqgtPumn1XsP98SN7tEz2pcffo0k3ydX/DW/NwHnx8tvAI/gFne
+MboZyOipPOcdKOjL903i9ibNRS/UcHdorh5dD1XG+/RdZDzgMKctOu1Oe6HiE3Da
+MOQ=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest5.pem
new file mode 100644
index 0000000000..6f28f19db3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest5.pem
@@ -0,0 +1,159 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMY
+cGF0aExlbkNvbnN0cmFpbnQwIHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQC9F8qrs0xS57Qn1kibsZC0kS6JQNJyITUgX+oGjw6Y9R6Jh9m5WVI7BwMI
+FsyIDhUK42ZsG9b6hMdQyp5NKHZbYOh53VhWzsEAk3veMZvsEyE6K2Ip6SZO1xDq
+ta7FYY4SF+2S3nw8tyJGqXqNEG4Aob2k+QW1L7UgcsPyrAE66QIDAQABo3wwejAf
+BgNVHSMEGDAWgBQhDLUBdnbTsyqsJvyqpk/y1qFvSzAdBgNVHQ4EFgQUjh+rRpwO
+S27n5VeIDCeT/ifW5xIwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI
+AWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADW1rIN2
+092d2UN+8PysNq18Cl0i7qsx9JbK7SUwreNTgbpyw9Uh7HFYzJwBW9ACs94rDhZo
+iqG0u0K4zLTijCS3ixy9sVKVha/+QTy6YxHFcjLmriX4bfiYUjXJPqmmZFExM3vO
+XMyum0wyXdEc+hbuAj1+6WBRec8clffFlRdv
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25z
+dHJhaW50MCBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UE
+AxMuSW52YWxpZCBwYXRoTGVuQ29uc3RyYWludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0
+NTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsZWQnm88nqSXHt/QuMDuN373
+VZ5lU/JhChuvs6DBS9f9L9NFBKtTS7+iq0QmlWuc3qB1RDAUjwAF85QyXYlqujEL
+h22h7CWzEP26t43/megvHJFuT/wCuRBzbTm+fzKTlWI2v7u8YILgQcOxb9vbRKzc
+FpwTBBqlnT//Xqavj98CAwEAAaNrMGkwHwYDVR0jBBgwFoAUjh+rRpwOS27n5VeI
+DCeT/ifW5xIwHQYDVR0OBBYEFDsP7IkBHltfUoRf9AuD3aINP8pHMA4GA1UdDwEB
+/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQAD
+gYEAeuTAbPsAB5hEhGMN18ygmQ2hryyEu5o0OlbfiZbwgOSaNISSeYEUGr/+1uxV
+MHb6zNrauChrz4hTCgHMmhThDhfxHeIlh0bM/xKd1dOmlB9g/WMr59Uy8R6vvo/4
+HZC6bTc4Ukzj7n2maNkUNogPKghLEho3hlGx/dZoxOr59pI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8E:1F:AB:46:9C:0E:4B:6E:E7:E5:57:88:0C:27:93:FE:27:D6:E7:12
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8b:2d:ce:68:13:85:60:64:90:ea:5e:1d:ad:93:65:9c:93:9e:
+ a7:20:49:c9:bc:37:41:b6:05:bb:6e:b9:8e:c6:20:5b:d8:6b:
+ a5:76:f7:d1:40:f0:73:d7:19:68:a4:b0:68:ad:63:f0:b1:b5:
+ a0:52:b8:f6:ec:55:74:22:37:a5:2f:01:c0:af:a9:69:b8:54:
+ e3:0a:3c:06:10:23:3c:0b:7b:0d:e8:6d:ad:9c:36:b3:d3:54:
+ 9c:6f:4d:c2:e6:35:e0:6b:0b:3b:a8:10:3a:86:78:76:1d:17:
+ 08:b6:ec:1e:da:17:a1:3c:1b:ed:a7:e3:41:cf:45:cd:d2:b3:
+ b5:83
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25zdHJhaW50
+MCBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUjh+rRpwOS27n5VeIDCeT/ifW5xIwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAiy3OaBOFYGSQ6l4drZNlnJOepyBJybw3QbYFu265jsYgW9hrpXb3
+0UDwc9cZaKSwaK1j8LG1oFK49uxVdCI3pS8BwK+pabhU4wo8BhAjPAt7DehtrZw2
+s9NUnG9NwuY14GsLO6gQOoZ4dh0XCLbsHtoXoTwb7afjQc9FzdKztYM=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest6.pem
new file mode 100644
index 0000000000..c4fdb25d66
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest6.pem
@@ -0,0 +1,160 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMY
+cGF0aExlbkNvbnN0cmFpbnQwIHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQC9F8qrs0xS57Qn1kibsZC0kS6JQNJyITUgX+oGjw6Y9R6Jh9m5WVI7BwMI
+FsyIDhUK42ZsG9b6hMdQyp5NKHZbYOh53VhWzsEAk3veMZvsEyE6K2Ip6SZO1xDq
+ta7FYY4SF+2S3nw8tyJGqXqNEG4Aob2k+QW1L7UgcsPyrAE66QIDAQABo3wwejAf
+BgNVHSMEGDAWgBQhDLUBdnbTsyqsJvyqpk/y1qFvSzAdBgNVHQ4EFgQUjh+rRpwO
+S27n5VeIDCeT/ifW5xIwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI
+AWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADW1rIN2
+092d2UN+8PysNq18Cl0i7qsx9JbK7SUwreNTgbpyw9Uh7HFYzJwBW9ACs94rDhZo
+iqG0u0K4zLTijCS3ixy9sVKVha/+QTy6YxHFcjLmriX4bfiYUjXJPqmmZFExM3vO
+XMyum0wyXdEc+hbuAj1+6WBRec8clffFlRdv
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25z
+dHJhaW50MCBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UE
+AxMuSW52YWxpZCBwYXRoTGVuQ29uc3RyYWludCBFRSBDZXJ0aWZpY2F0ZSBUZXN0
+NjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqRnKex0cxpUb1ZFo+pXGEX8V
+39ndPC9BNFgD6o0pAqBpYd6zlYIIkQo+rpciQ1vHnizx6WP3ulT6unn4w5UhXCP7
+S9h+TKQt6KFwZNXaCASi/VTEgHt5XLrwqjrhCtIDamjCgEcR1L/VS6N+c+SARpEG
+aWQzmao86RmaEKBaI10CAwEAAaN8MHowHwYDVR0jBBgwFoAUjh+rRpwOS27n5VeI
+DCeT/ifW5xIwHQYDVR0OBBYEFCw8vCsEA7QX0lC4KFyI8IP18fO9MA4GA1UdDwEB
+/wQEAwIB9jAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQUFAAOBgQAUW32gQakGpEtbmPGP8WBo5wdAtIRXbRp/VGK0
+zZZzXsoEoME9XCHEOVvWO09Qcu1VP7hwwnaEqgYGWl1ooUih33plStn8ETtzLcQ6
+BhOfvj216EgmZINuLcozCAusomtXZJ9yRHO0uRveEebjOJYPWqqv3zD9NgKck6cm
+kq1Hlw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8E:1F:AB:46:9C:0E:4B:6E:E7:E5:57:88:0C:27:93:FE:27:D6:E7:12
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8b:2d:ce:68:13:85:60:64:90:ea:5e:1d:ad:93:65:9c:93:9e:
+ a7:20:49:c9:bc:37:41:b6:05:bb:6e:b9:8e:c6:20:5b:d8:6b:
+ a5:76:f7:d1:40:f0:73:d7:19:68:a4:b0:68:ad:63:f0:b1:b5:
+ a0:52:b8:f6:ec:55:74:22:37:a5:2f:01:c0:af:a9:69:b8:54:
+ e3:0a:3c:06:10:23:3c:0b:7b:0d:e8:6d:ad:9c:36:b3:d3:54:
+ 9c:6f:4d:c2:e6:35:e0:6b:0b:3b:a8:10:3a:86:78:76:1d:17:
+ 08:b6:ec:1e:da:17:a1:3c:1b:ed:a7:e3:41:cf:45:cd:d2:b3:
+ b5:83
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25zdHJhaW50
+MCBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUjh+rRpwOS27n5VeIDCeT/ifW5xIwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAiy3OaBOFYGSQ6l4drZNlnJOepyBJybw3QbYFu265jsYgW9hrpXb3
+0UDwc9cZaKSwaK1j8LG1oFK49uxVdCI3pS8BwK+pabhU4wo8BhAjPAt7DehtrZw2
+s9NUnG9NwuY14GsLO6gQOoZ4dh0XCLbsHtoXoTwb7afjQc9FzdKztYM=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest9.pem
new file mode 100644
index 0000000000..8b61201901
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest9.pem
@@ -0,0 +1,210 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAt36UX+gq562CFiw9L16IZ/AjJhU0BB9ji/77uw3AfvBGggmikeDq79BD
+yzBFrHys/L5UeXepakX1v+XvlxFjwvc8c226jf6uKEop5KJZDI8aV4byQvc1C8Ol
+MdgZ4pd6ofTl28r1VDkdDt94c7+Gl0CqBo6LawwGmNfSHUWqf6UCAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFAJIeLnM
+AVExdH85KjfCRJN+mGmAMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOBgQCm
+Qa7i6335O64eyxJjXl3U2Bw5wN3JaK9t7f4dJAxfOlcblWbbes+Gk12UCYtxTZDj
+oZ70F4IoGU7JQt5CcdB2yQtctPK+X7A3/Vsxjknm11nCn4IhcU7LDkEiSovBGLR0
+KV3NAqQQhr1WQoY1Uf3Ncpl7b+SaZscZ3r35UJo4iw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTAwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTAwMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC3rH58cOqP9U5iyQflKaVyYw+1LMhr3jDW9/Q3aedlH/TY
+iLmT71FUjHaJMWOCO6sAEYMphrRdIUy82rai3iJgrNtJ21uIFOlmjgwgl9amHX8B
+yT+qgiwLs8kzE6NgPYHgLgbKEIqgZ+AZplCt60tCbeGKLR/WtXrxAIgqU+ar1wID
+AQABo38wfTAfBgNVHSMEGDAWgBQCSHi5zAFRMXR/OSo3wkSTfphpgDAdBgNVHQ4E
+FgQUauYRxUFtrRo+gtywXa3yGfFQzgswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEB
+BQUAA4GBADnBidpEzasWbrLankXCoCaeizozu2dGAMMWpbs02cplC/vIlcr0myWK
+noFSuxUuQa7sMxp72p5r2ziJp5pk1gT2KX/kgOYlQqgbJ4UmARGP7er+zIPulXib
+suMShSCGO1xC+fXppdhPy+YQq8a7Mzi7XKqP5su+aTWw/B3a8ys9
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pathLenConstraint EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+-----BEGIN CERTIFICATE-----
+MIIClDCCAf2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTAwMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowYjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTcw
+NQYDVQQDEy5JbnZhbGlkIHBhdGhMZW5Db25zdHJhaW50IEVFIENlcnRpZmljYXRl
+IFRlc3Q5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxOmk5mQAdlYGqq0qW
+czN6fmOoFbl/XRAhBs0fzOYu7b06yC5QFIdW3963nkjYahDg/x0F2buDbOSNRvG9
+DPmercWLmz3Sar1KgPxqTCQ5XiTZ0t+20u/oYEM+0anic4RKiQNtuF9Ro4U83wdW
+w8ljyEFY255kWP0HVLh8REn+dQIDAQABo2swaTAfBgNVHSMEGDAWgBRq5hHFQW2t
+Gj6C3LBdrfIZ8VDOCzAdBgNVHQ4EFgQU1Bk+MIR/ztV37I8S8/91EZ2nlYUwDgYD
+VR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0B
+AQUFAAOBgQCWb/JZpNi+GTLgqlUUktJuhFQzGNKwQLHtea991BN5v6GnXYtgGZhJ
+T9plUX42APML+l+b1J6DzyJYlrIw6EXf/1ZtBf0YzmNbJ7robzIjx0+3/EHFeOZ2
+B7X0aaJ6+tt/sgGcLueuSG2C/6j8cnWbKJpAzzocI8hklIO+EWdRWw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA0
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:02:48:78:B9:CC:01:51:31:74:7F:39:2A:37:C2:44:93:7E:98:69:80
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 44:34:f6:c5:c0:16:f7:24:42:33:a8:e4:ca:74:71:94:76:93:
+ e7:4b:7c:a3:8b:ac:ae:11:ab:46:94:f6:0d:88:b6:e0:96:1f:
+ ab:04:6a:92:b7:6d:4b:aa:6a:b0:13:58:58:a7:7e:06:de:c1:
+ 26:d4:09:e0:7b:a9:e4:dd:73:da:b0:cc:a0:61:ab:c4:c7:cb:
+ c2:e1:66:f9:f2:2a:c2:c9:59:5f:05:c6:74:f8:bd:bb:92:24:
+ 77:12:34:23:7d:95:99:bf:35:e0:6f:cf:2a:b6:19:29:9e:59:
+ d2:0b:2f:07:44:25:66:6a:e9:5a:ed:7f:99:33:b5:3e:65:69:
+ 57:95
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTAXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFAJIeLnMAVExdH85KjfCRJN+mGmAMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAEQ09sXAFvckQjOo5Mp0cZR2k+dLfKOLrK4Rq0aU9g2ItuCWH6sE
+apK3bUuqarATWFinfgbewSbUCeB7qeTdc9qwzKBhq8THy8LhZvnyKsLJWV8FxnT4
+vbuSJHcSNCN9lZm/NeBvzyq2GSmeWdILLwdEJWZq6Vrtf5kztT5laVeV
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA00
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6A:E6:11:C5:41:6D:AD:1A:3E:82:DC:B0:5D:AD:F2:19:F1:50:CE:0B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 42:5b:18:71:be:d6:f0:b4:80:f6:33:3c:cd:99:0d:26:f3:90:
+ 70:42:44:f8:f9:61:72:1c:b3:91:02:0a:14:55:67:d0:1b:23:
+ 06:f0:90:76:49:c6:82:23:70:da:3a:15:95:90:80:aa:8f:0e:
+ fb:4e:5b:9b:66:38:21:14:15:c1:65:71:1d:e5:b6:90:ae:b2:
+ 7a:73:84:9a:1d:3c:f2:2f:65:0a:b4:7f:52:90:a1:1d:37:a6:
+ 24:a8:7f:5e:72:e5:1a:8b:89:31:ac:dc:0a:3a:d2:15:7f:f5:
+ 97:f3:1a:82:d6:fd:74:b5:92:0f:d5:d3:a5:74:1d:a3:7f:62:
+ 1b:c4
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTAwFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBRq5hHFQW2tGj6C3LBdrfIZ8VDOCzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQBCWxhxvtbwtID2MzzNmQ0m85BwQkT4+WFyHLORAgoUVWfQ
+GyMG8JB2ScaCI3DaOhWVkICqjw77TlubZjghFBXBZXEd5baQrrJ6c4SaHTzyL2UK
+tH9SkKEdN6YkqH9ecuUai4kxrNwKOtIVf/WX8xqC1v10tZIP1dOldB2jf2IbxA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000CRLnextUpdateTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000CRLnextUpdateTest12.pem
new file mode 100644
index 0000000000..2f78fa8423
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000CRLnextUpdateTest12.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=pre2000 CRL nextUpdate CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBDzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcHJlMjAwMCBD
+UkwgbmV4dFVwZGF0ZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlMZQ
+vRTxm+l3FRtimp7Exo1NygL3qQsF8cpvpQMmM4S+vWWIQcZPBAGfTi4eW4ubaKOh
+UqzxbVtY6R97mA0Ng6GHXIclN5ozja/xJdqdIOz9CsB38IvgyXTTQv3kF7nch9Ir
+xAN+7Bf5oWOdRbN6Y+i5iDHb3j7f3r8EFtXX+EcCAwEAAaN8MHowHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFL16NgTVXQmVv12uq+yk
+UWCNJq9WMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQB9/jemk5S7bYWeZC4Y
+bzwXzQEjfRTlrJ5xIj/cOAWG+BvCzeSkaoi3hw+Ltt/T571j6NoAQu84Mx/Jwbt/
+zNBwu4iMmeaeU5GM+9oTVU8JTOog2ZPGR2Yn1luPQv5LwbPE+mysPaEsM/mTl5cM
+OMB0yUOD5/jo/76IJhN/M48tvw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pre2000 CRL nextUpdate EE Certificate Test12
+issuer=/C=US/O=Test Certificates/CN=pre2000 CRL nextUpdate CA
+-----BEGIN CERTIFICATE-----
+MIICljCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXByZTIwMDAgQ1JM
+IG5leHRVcGRhdGUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBo
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPTA7BgNV
+BAMTNEludmFsaWQgcHJlMjAwMCBDUkwgbmV4dFVwZGF0ZSBFRSBDZXJ0aWZpY2F0
+ZSBUZXN0MTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANBocZCE1yNSbZiU
+rcH9R8bB0cZERzxNK6g7d9v0tUsmbo0Gk2JgSaKG9vBnOpxJhJ3hhSxNmpGpp61Q
+QlGo9louMi1AzibkrqOllW+FgXQImr89cxEicI9taSS9QRSIIKPW3kF4EhuZp4vR
+SksCSxXsghAsSWeDqx9CQG772BiRAgMBAAGjazBpMB8GA1UdIwQYMBaAFL16NgTV
+XQmVv12uq+ykUWCNJq9WMB0GA1UdDgQWBBRtKwIpcpf5JIosL9wN9VKKwAiAWzAO
+BgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3
+DQEBBQUAA4GBAIk3Dg2P1RArTBrVZ/kPeRAld8oPoTdmer7YAloo1Zavmcm5Fcvn
+WmJfONAye0p7jsYSkv6HMK3DL2b4/KEnEDB/Ok9CLOdvoTtptk04CiSXOcQcP9uK
+NY3uZgZoTo2O/lBe6KwA2apKitWtaHf/2Ig9AGhPvMBWtiDmgvpWE4T7
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pre2000 CRL nextUpdate CA
+ Last Update: Jan 1 12:01:00 1998 GMT
+ Next Update: Jan 1 12:01:00 1999 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:BD:7A:36:04:D5:5D:09:95:BF:5D:AE:AB:EC:A4:51:60:8D:26:AF:56
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 3f:41:4b:5b:b5:47:1a:77:7e:2a:87:63:65:06:9e:f7:18:96:
+ 8c:41:41:e6:9a:4f:45:91:ed:dd:8c:b1:d6:1f:e3:41:71:70:
+ ed:98:51:35:e2:24:bb:cd:26:8a:c9:43:f1:4c:58:43:2a:31:
+ 5e:94:a5:5e:09:93:dd:a0:f9:d0:1a:c7:fd:d6:8b:4d:4c:6f:
+ 3c:d7:43:6b:b9:87:8d:c0:fd:f6:5a:a7:4b:f0:74:01:23:fc:
+ 61:24:fb:3d:32:5e:f7:fd:86:de:52:3f:09:2e:b2:f9:b5:99:
+ a2:2d:96:83:2e:b9:a9:99:58:fa:c0:e5:5b:8b:15:fc:0e:d0:
+ 53:32
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXByZTIwMDAgQ1JMIG5leHRV
+cGRhdGUgQ0EXDTk4MDEwMTEyMDEwMFoXDTk5MDEwMTEyMDEwMFqgLzAtMB8GA1Ud
+IwQYMBaAFL16NgTVXQmVv12uq+ykUWCNJq9WMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAD9BS1u1Rxp3fiqHY2UGnvcYloxBQeaaT0WR7d2MsdYf40FxcO2Y
+UTXiJLvNJorJQ/FMWEMqMV6UpV4Jk92g+dAax/3Wi01MbzzXQ2u5h43A/fZap0vw
+dAEj/GEk+z0yXvf9ht5SPwkusvm1maItloMuuamZWPrA5VuLFfwO0FMy
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000UTCEEnotAfterDateTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000UTCEEnotAfterDateTest7.pem
new file mode 100644
index 0000000000..b36583cba8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000UTCEEnotAfterDateTest7.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid pre2000 UTC EE notAfter Date EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBBzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwIBgP
+MTk5NzAxMDExMjAxMDBaFw05OTAxMDExMjAxMDBaMG0xCzAJBgNVBAYTAlVTMRow
+GAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFCMEAGA1UEAxM5SW52YWxpZCBwcmUy
+MDAwIFVUQyBFRSBub3RBZnRlciBEYXRlIEVFIENlcnRpZmljYXRlIFRlc3Q3MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7fxx2WFOac683w9E/iwLeqyFtr0OO
+RdS+onLEY/+HO6DR2uuIPEkhZ8MwxAnnLs+6tichSMDs3WUijbbI0KTEulpVVGVz
+D1Y8zI7z7TEWD1B/oB1pSot67IosuyjfSIOMRr3UlQHRonE2nY04nyFUfb4yYE3F
+GlcCUdTLgIEgSwIDAQABo2swaTAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPf
+mhWUxzAdBgNVHQ4EFgQU5KvHTN9wvcrF55wNiarbUUzd0tswDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAW
+bdxkjCg9Ra6xo4ngUHF/RWRpe2353pvN0p32EjVjMyKTe1p3xZuFzCM9oi/PvMT+
+DlqUJpiiJJa3pDXT3Kh330VeTOYLPaAgRqxqm85gUTM3K+/1aHYOKNzbZCy6180y
+8ARB/lNpi1PO1KeJN1DmmeBdDVuRGte4wUXH+NSjpw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/MissingCRLTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/MissingCRLTest1.pem
new file mode 100644
index 0000000000..fcad66a5a3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/MissingCRLTest1.pem
@@ -0,0 +1,76 @@
+subject=/C=US/O=Test Certificates/CN=No CRL CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbzCCAdigAwIBAgIBBzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMD0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczESMBAGA1UEAxMJTm8gQ1JMIENB
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvjr78zG/GobZnKabi/siuJQm7
+6k5APCdB3g3SJzzlYR3ivCQg+7i1pEFgHqLLPTEHOCHunC5EedZUGzUGQX0sXAxr
+KYeCqLS/s0+saOR0HBk/YsOaCwW7v6yBHA3s2XrtK8N4qJg6LdZaGEjUefMfUM7p
+iVQQPpw3uAQmZuYf7wIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA8
+6pq8h/9J6jAdBgNVHQ4EFgQUB6jzF5xOAmiWRcwRmAF9yHg/9SQwDgYDVR0PAQH/
+BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBBQUAA4GBAAWDjIUq/V6y1p4vxO+A1xdmmM8c6yRveH2Lq2CM
+OwmpClTYfhLpqkWwm3WSXd2VvjiPUTgTC5y7EquFuZCCZkgLDVvUW9VplIm3a6I6
+dgZiOZDqnXZ5rC+CHGSszfdDo8gwjJ+vA8AV/CNSGNkkbo/ZQ1n7Ppm8dW/bS+8k
+anSO
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Invalid Missing CRL EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=No CRL CA
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEjAQBgNVBAMTCU5vIENSTCBDQTAe
+Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFwxCzAJBgNVBAYTAlVTMRow
+GAYDVQQKExFUZXN0IENlcnRpZmljYXRlczExMC8GA1UEAxMoSW52YWxpZCBNaXNz
+aW5nIENSTCBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAz8OlGINaG0uEl2RAD7DtTn54qLrlCtUbCKs3O1dr9nEDDohfVU5x
+nLweQfR/m7b9F17BzhHcxFYjfRh26aj4eOQcxHrpBfNMj6U87coAeJ4ERn7okfqM
+lcGlHWS/Wh48iiZvnCvg4jeHhSktwMppTGKIBKmJ2S0L4yKNYCjZ32MCAwEAAaNr
+MGkwHwYDVR0jBBgwFoAUB6jzF5xOAmiWRcwRmAF9yHg/9SQwHQYDVR0OBBYEFJYM
+oy9aXt4kJDgRNj4KDS29NtDXMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAlNJLCSyrRZNUza9eL2Jc6eFS
+bjriRrz8ryND+rn0dnsceIVrXVApplWnVwUjfm8fjOZlNOLM4snxmzRJ+FyTR6z5
+u9nK9TAEkMrGo/NinCET2Y5v4mtxj0E6hJOIaFxfkZoj1mz8BvOYgiEIYxAK65lA
+BNDlWIYdh16AIUEZNAY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/OverlappingPoliciesTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/OverlappingPoliciesTest6.pem
new file mode 100644
index 0000000000..85f0b79c2c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/OverlappingPoliciesTest6.pem
@@ -0,0 +1,214 @@
+subject=/C=US/O=Test Certificates/CN=Policies P1234 subsubCAP123P12
+issuer=/C=US/O=Test Certificates/CN=Policies P1234 subCAP123
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFBvbGljaWVzIFAx
+MjM0IHN1YkNBUDEyMzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFIx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUGA1UE
+AxMeUG9saWNpZXMgUDEyMzQgc3Vic3ViQ0FQMTIzUDEyMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDSpQwaDoPydLNMC8zANHGCiwSSV/p+yyB92D3cy4OofA3o
+E/MneZrL0kkAoaM3sxpkniK7a37+ghg7ydyUw5n9CRxAyNMONSetp9uBB9X1+fZy
+9JVVK2W+5ycWBDxh2YOfyFE/wQBbJK7rIIrqtgUgNi7O+6ppcpbnguodB17MZQID
+AQABo4GLMIGIMB8GA1UdIwQYMBaAFLZ7gxmIHEmBIEPO8oJM80aGKITZMB0GA1Ud
+DgQWBBTMtOdc+dU31FBVf7Ixli7kkaTEaDAOBgNVHQ8BAf8EBAMCAQYwJQYDVR0g
+BB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQUFAAOBgQB4KomH+VcsPxXsULBeuMVL7QtJMD6RoGaCHnL5
+NCdwpt7QE3TVRnWgL88gSXtmMudJ5QIb3ko7PYOsuUhA/6YZvoBvQIdJAnprjYbr
+kxDMfK3PoouD3cQncVSz4xqJ9VcIaH6/oAKGpDt36xSUY2uqOHb1DLO2qmKiStvW
+Cprikw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P1234 subCAP123
+issuer=/C=US/O=Test Certificates/CN=Policies P1234 CA
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAx
+MjM0IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkGA1UE
+BhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhQb2xp
+Y2llcyBQMTIzNCBzdWJDQVAxMjMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALs/TklxdGqU1GnW9LkoRaacXCpRHoy8tYpTUbUhznd5fkjOW5Dyc9HK7DWs8q1q
+aAvU0KeqAEtguNCACjKFeXPyWtQuYKRB5o5G1WXcqy4pYK2CCHsyaa6hf8+kU1Y/
+3VcEuHoDX0WFJ5JFlaRERNagLbzDTjG6KtM4yhcEnTHfAgMBAAGjgZkwgZYwHwYD
+VR0jBBgwFoAUMLt5B08Db7IYg3poQ6v3TKFAcQowHQYDVR0OBBYEFLZ7gxmIHEmB
+IEPO8oJM80aGKITZMA4GA1UdDwEB/wQEAwIBBjAzBgNVHSAELDAqMAwGCmCGSAFl
+AwIBMAEwDAYKYIZIAWUDAgEwAjAMBgpghkgBZQMCATADMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADgYEAM38BPBwz3qjIhPI9byaqLmDkw3tA5mxae/P9
+N6WYYwW+Dm0KyjXs9SQZ3BlHDl/+D9dJYNScOXjKpc3hnrAUT31rGyhC2CwV52mt
+xGukdJIxKOQgucIylxyxF7N5x66TyC5sxJGUh3sjItg6NAOQGMwBwKOz/5zNTdK6
+qDuaEoI=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Overlapping Policies EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=Policies P1234 subsubCAP123P12
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHlBvbGljaWVzIFAx
+MjM0IHN1YnN1YkNBUDEyM1AxMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMF0xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEy
+MDAGA1UEAxMpT3ZlcmxhcHBpbmcgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALT4JJTriZO8+53ZvgYrbg9m
+azzLgmYzgvBJ8/IvzLaXsCv7sw/M2DU/CyOdIPy8g9XchC9QBJrAI65Muvlpf8a0
+CGqWH5AQElXjIkicPMgfC14xd1govVHxaRIrM/g6zNgGPnSivMXOrTm6fMNphEvC
+CnG+SqRQ6oKAkO1k7jWxAgMBAAGjfDB6MB8GA1UdIwQYMBaAFMy051z51TfUUFV/
+sjGWLuSRpMRoMB0GA1UdDgQWBBQLhzG1VDzXbIBJ1rnYkrn+iSfrCTAOBgNVHQ8B
+Af8EBAMCAfYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADgYEACuuacGsxw8Rq6HznT/dvzsw93OA250kOCJei
+8VJbyNw5x61+F9LxLZSBUtYgIfCOid3gUBe8MU0W1r8Qpg1PD4Vgq76l5IWyvH+K
+ACy4A7XpJB8a5zF7OUGexEkFC9RQ45PJ6i4JILtMeMLTR7c0pCkRthg2CW/vIc6a
+Cs1zrEk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Policies P1234 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICsTCCAhqgAwIBAgIBIzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEUxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEaMBgGA1UEAxMRUG9saWNpZXMg
+UDEyMzQgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMUyBhDbDKsFVn2a
+KCxh5Y64ZiH8OTq134EGg3NL8l0mqcA01qEhLCasHMR98sd5xKPtNEQB0kN9jf3d
+Zmv4gop4bAAqPlhvkcJ/KUMPLpLdMBT+1xLAdu1yKh7eKpoIo9vfus0fjH0aOWhT
+Wa7rCSuf+9I6DoDk1gC1Q9k57jDFAgMBAAGjgbUwgbIwHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFDC7eQdPA2+yGIN6aEOr90yhQHEK
+MA4GA1UdDwEB/wQEAwIBBjBBBgNVHSAEOjA4MAwGCmCGSAFlAwIBMAEwDAYKYIZI
+AWUDAgEwAjAMBgpghkgBZQMCATADMAwGCmCGSAFlAwIBMAQwDwYDVR0TAQH/BAUw
+AwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAMoj83UxGqz/rAVr
+SXl/vP2tx92XqrJj7UYRHcHHcTodTHoJ3j+m3MUHwwsoZrqvnhS1HtIqPQsoD9DD
+8Qg+uHFd5EH+Js40QK7zU7mHBOI64Kl8T8xrpgcnlLgXpg2H88at02UvMTDj4Lix
+ANfajLNnQx1htjJhMY3zzIgPApd+
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P1234 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:30:BB:79:07:4F:03:6F:B2:18:83:7A:68:43:AB:F7:4C:A1:40:71:0A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ bb:b2:2e:86:63:50:7a:60:75:e3:ef:14:96:e2:19:21:90:ce:
+ 61:fe:2a:1a:d1:37:59:b0:8f:3d:fe:c3:eb:b9:87:61:3a:7a:
+ f4:ef:3d:46:ce:ef:e4:a7:de:a6:7f:ff:25:1e:78:bd:df:4d:
+ 8b:96:70:ac:47:8c:e4:77:1c:f2:94:3f:bb:36:18:21:35:0d:
+ 10:d9:69:b9:80:42:d0:7e:81:15:55:df:6f:fc:50:b2:9c:b2:
+ 53:0d:b5:0d:6c:69:55:b7:0b:65:84:7a:13:9f:74:8f:52:49:
+ 58:2e:6c:bd:b7:19:b6:34:eb:d3:1d:cc:08:a9:3f:07:04:69:
+ 75:e6
+-----BEGIN X509 CRL-----
+MIIBPjCBqAIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAxMjM0IENB
+Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBQw
+u3kHTwNvshiDemhDq/dMoUBxCjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOB
+gQC7si6GY1B6YHXj7xSW4hkhkM5h/ioa0TdZsI89/sPruYdhOnr07z1Gzu/kp96m
+f/8lHni9302LlnCsR4zkdxzylD+7NhghNQ0Q2Wm5gELQfoEVVd9v/FCynLJTDbUN
+bGlVtwtlhHoTn3SPUklYLmy9txm2NOvTHcwIqT8HBGl15g==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P1234 subCAP123
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:7B:83:19:88:1C:49:81:20:43:CE:F2:82:4C:F3:46:86:28:84:D9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 45:d4:de:34:51:48:6a:d1:4b:e0:d7:2d:55:52:e2:e5:8d:a5:
+ ee:bc:a1:c6:44:0c:9d:b7:61:cb:a2:1c:58:1d:03:a1:cd:8e:
+ e5:9c:28:00:4c:07:c4:0d:ae:a3:b1:c8:aa:8e:8a:59:12:41:
+ 57:b6:fc:db:34:10:a8:e6:c9:cb:0e:5c:28:6f:b5:3a:00:70:
+ 9a:a9:ac:35:83:47:7a:02:24:69:46:26:63:29:0c:c5:51:c3:
+ 92:c6:c2:6d:cf:5e:b8:25:eb:d5:b6:d1:62:87:3b:9b:24:6a:
+ b1:9e:33:a2:96:bb:14:74:21:ad:b7:7f:98:ab:b2:6a:25:2b:
+ 0b:ed
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGFBvbGljaWVzIFAxMjM0IHN1
+YkNBUDEyMxcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUtnuDGYgcSYEgQ87ygkzzRoYohNkwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEARdTeNFFIatFL4NctVVLi5Y2l7ryhxkQMnbdhy6IcWB0Doc2O5Zwo
+AEwHxA2uo7HIqo6KWRJBV7b82zQQqObJyw5cKG+1OgBwmqmsNYNHegIkaUYmYykM
+xVHDksbCbc9euCXr1bbRYoc7myRqsZ4zopa7FHQhrbd/mKuyaiUrC+0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P1234 subsubCAP123P12
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:CC:B4:E7:5C:F9:D5:37:D4:50:55:7F:B2:31:96:2E:E4:91:A4:C4:68
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 5e:89:62:c5:3b:e0:10:f8:22:cd:fd:e2:44:73:c0:23:98:67:
+ 89:29:67:ae:39:3b:53:4c:02:24:85:6a:37:16:1b:a0:c8:fa:
+ ae:0d:02:27:ed:3c:06:8d:e2:ed:35:53:a3:06:f4:a3:ce:6d:
+ 63:d9:86:33:2c:95:ce:47:95:2d:7f:5a:f0:a0:68:79:5a:a8:
+ aa:12:5d:79:b9:4a:bb:a2:5a:85:af:39:1d:aa:b6:a0:18:da:
+ 39:f6:0a:00:f1:0e:2e:fb:62:1f:6f:2d:d9:0e:b7:da:0e:a5:
+ 92:1f:fd:1c:60:73:7d:48:f3:9a:73:2a:14:65:78:2a:9d:7c:
+ 88:5a
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHlBvbGljaWVzIFAxMjM0IHN1
+YnN1YkNBUDEyM1AxMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUzLTnXPnVN9RQVX+yMZYu5JGkxGgwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAXolixTvgEPgizf3iRHPAI5hniSlnrjk7U0wCJIVqNxYb
+oMj6rg0CJ+08Bo3i7TVTowb0o85tY9mGMyyVzkeVLX9a8KBoeVqoqhJdeblKu6Ja
+ha85Haq2oBjaOfYKAPEOLvtiH28t2Q632g6lkh/9HGBzfUjzmnMqFGV4Kp18iFo=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest15.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest15.pem
new file mode 100644
index 0000000000..d22dbe7f91
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest15.pem
@@ -0,0 +1,59 @@
+subject=/C=US/O=Test Certificates/CN=User Notice Qualifier EE Certificate Test15
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAligAwIBAgIBKDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE0MDIGA1UEAxMrVXNlciBOb3Rp
+Y2UgUXVhbGlmaWVyIEVFIENlcnRpZmljYXRlIFRlc3QxNTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEA0qDoX3O5t52G/m1yV6MSg0EJQQn8QFWgZUnEutHYAAdA
+GuRrFRXtkbdQkbyePIu4nzj2LCmMAfVM+QlOWLFCnc6/s38tfZDAir7WFHBFyUzB
+gkw+q1a9DIXfaq32yn22txxzus3dqRZJui+5J1DMNLbHPYS1WS7Hu/3dL5ZoR30C
+AwEAAaOB2TCB1jAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNV
+HQ4EFgQUHYqwkDHyipKBoBuH/YaAiORSh0owDgYDVR0PAQH/BAQDAgTwMIGDBgNV
+HSAEfDB6MHgGCmCGSAFlAwIBMAEwajBoBggrBgEFBQcCAjBcGlpxMTogIFRoaXMg
+aXMgdGhlIHVzZXIgbm90aWNlIGZyb20gcXVhbGlmaWVyIDEuICBUaGlzIGNlcnRp
+ZmljYXRlIGlzIGZvciB0ZXN0IHB1cnBvc2VzIG9ubHkwDQYJKoZIhvcNAQEFBQAD
+gYEASWwltYc1aGeHLYySbO4SCTVSgVrZAXfAoa/0RHmL0et8olJXCLdXTMq2/6rI
+gibDeTUDQ2N+5z23QN3hDG+Syz9rDBbj+m3MtvcsvyyXFK62g1NhZxyw1+dFrxwK
+Ci+jbMqXaXsdBG6a9cTYKw2geUpx9ig46FLMyn7idA7OrrY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest16.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest16.pem
new file mode 100644
index 0000000000..df2bc3c515
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest16.pem
@@ -0,0 +1,124 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=User Notice Qualifier EE Certificate Test16
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAs+gAwIBAgIBEzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK1VzZXIgTm90aWNlIFF1
+YWxpZmllciBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTYwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAKCz6DLhyX/EGx3xwNiwBuBXrfpuLfLcaPz4q3aq3BiiJS+f2vwk
+WI3BqpDluVEq7FW5zE6ATQc/K7hIiuRCHCD5ErXMnYb70mtz8xeVjU97316FzK/z
+eQYQMIIpb2JJ4JEU/ZyVNX5NW3W8tjAhuvEp+4brMLxyCM+xmA+S751zAgMBAAGj
+ggFUMIIBUDAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4E
+FgQUQFe42RtzGbaxdkQ6QallbyGIuDAwDgYDVR0PAQH/BAQDAgTwMIH9BgNVHSAE
+gfUwgfIweAYKYIZIAWUDAgEwATBqMGgGCCsGAQUFBwICMFwaWnExOiAgVGhpcyBp
+cyB0aGUgdXNlciBub3RpY2UgZnJvbSBxdWFsaWZpZXIgMS4gIFRoaXMgY2VydGlm
+aWNhdGUgaXMgZm9yIHRlc3QgcHVycG9zZXMgb25seTB2BgpghkgBZQMCATACMGgw
+ZgYIKwYBBQUHAgIwWhpYcTI6ICBUaGlzIGlzIHRoZSB1c2VyIG5vdGljZSBmcm9t
+IHF1YWxpZmllciAyLiAgVGhpcyB1c2VyIG5vdGljZSBzaG91bGQgbm90IGJlIGRp
+c3BsYXllZDANBgkqhkiG9w0BAQUFAAOBgQCrY2KIowGX/5zlQBKmdhF8WiCRnHfd
+VuzeXhc6C3G4YPpYBWQrnhxO88VH8QbvJefBpvRKIYsxu/tyihlkw2Vy5eztflUq
+Jkj5YbDicL/7U3VKfjfp3sW6ZBgqKKLQY2eDHtYup9wBzB/qzny9xfuVIlQQ+ihR
+vMKO1iVYGVLxPg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest17.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest17.pem
new file mode 100644
index 0000000000..de751b01b9
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest17.pem
@@ -0,0 +1,121 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=User Notice Qualifier EE Certificate Test17
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAkygAwIBAgIBFDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK1VzZXIgTm90aWNlIFF1
+YWxpZmllciBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTcwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALG5QbkrUYEf/BsUOmiq+gmSjIMtxbiVJ8G4i1XsVOAFNuJhfPyL
+nhsnhig2d+tp2aJHFnDfMbvmjdmCtwPwqrcuxVO5PhjkLyfFo9Pt7zNCF5xtCkLK
+P7LCEtvtBt5jXh7REsOPlQzQkxng4SxG6VdndW1ZiNAJIDAsONONmetRAgMBAAGj
+gdIwgc8wHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYE
+FM7tf43yWQflUjDL35BzbeLwWXDAMA4GA1UdDwEB/wQEAwIE8DB9BgNVHSAEdjB0
+MHIGBFUdIAAwajBoBggrBgEFBQcCAjBcGlpxMzogIFRoaXMgaXMgdGhlIHVzZXIg
+bm90aWNlIGZyb20gcXVhbGlmaWVyIDMuICBUaGlzIGNlcnRpZmljYXRlIGlzIGZv
+ciB0ZXN0IHB1cnBvc2VzIG9ubHkwDQYJKoZIhvcNAQEFBQADgYEAPium8qIa/cDO
+l7vNWoULaBGP7Z9XxxEyexzl2Y83xGab/xw+KGtbV+6+GiGhCw4qpn7XLidQQ6Xn
+t7D2vKo+KoLg3BAdbt/azb3wf5tYakf//0bv4xQZ7ANzWxxH0gP5VdHaRIcfKXXR
+3kHnu/lecCM8V+F9V8pEU8K3zREtp/8=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest18.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest18.pem
new file mode 100644
index 0000000000..177e92ffad
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest18.pem
@@ -0,0 +1,115 @@
+subject=/C=US/O=Test Certificates/CN=Policies P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBJTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPUG9saWNpZXMg
+UDEyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5unCMuN8PuVFWbqxO
+/wnIQsciPiEo1GoKWjM6+kb9l3h6wWyWYwmst2c158qcJLY9PxaUMhqQd/SY0Tt9
+WlHXVcE8rMoWSGmFxfK33UpeCtqwz9ugPSWwZkqx2lI/0ozQXgjYb0J9/EoKw1O0
+CxxrdQdPQkyLD4Uxe87/MlpzsQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFPts1C2B
+nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQA42XpgdSGuccd5/MzOQZeTBGl+TAO
+BgNVHQ8BAf8EBAMCAQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFl
+AwIBMAIwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEB
+BQUAA4GBABX9GMyAC90FH8BvpnNh6SDn2MIT7iINc4/9u64d1dxEhqogqcR58khK
+btHyx8YrgbCcqUNS4Xs7ckW5k2VNAd9dG0Chc0uk6rwkv+sD1/zJi8LIGd/3cFjk
+biIVYqPxb7WpKqo97V+43tMFsTqJNBSh+6W14vlP55+Ep5IlxcOm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=User Notice Qualifier EE Certificate Test18
+issuer=/C=US/O=Test Certificates/CN=Policies P12 CA
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAy6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAx
+MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF8xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE0MDIGA1UEAxMrVXNlciBO
+b3RpY2UgUXVhbGlmaWVyIEVFIENlcnRpZmljYXRlIFRlc3QxODCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAxkN3itGxxUqfb6j8AgRX2jxaI/oIBzr2RuZsAfon
+x/XVoUmmiSxWDooZhr/PlfubyixNG5VJX2K/ukJ6gfIGMXCAqunKm8/9bXgzZB3T
+i2oIgAy6WnRwKE0cgbedH6fY003jwsQNDt/HilRB+atbEJ/engTxLOIpwBcsN1qj
+rg0CAwEAAaOCAaswggGnMB8GA1UdIwQYMBaAFADjZemB1Ia5xx3n8zM5Bl5MEaX5
+MB0GA1UdDgQWBBT8A5L4pL/8ywpme6U8lushm7qgwzAOBgNVHQ8BAf8EBAMCBPAw
+ggFTBgNVHSAEggFKMIIBRjCBnQYKYIZIAWUDAgEwATCBjjCBiwYIKwYBBQUHAgIw
+fxp9cTQ6ICBUaGlzIGlzIHRoZSB1c2VyIG5vdGljZSBmcm9tIHF1YWxpZmllciA0
+IGFzc29jaWF0ZWQgd2l0aCBOSVNULXRlc3QtcG9saWN5LTEuICBUaGlzIGNlcnRp
+ZmljYXRlIGlzIGZvciB0ZXN0IHB1cnBvc2VzIG9ubHkwgaMGBFUdIAAwgZowgZcG
+CCsGAQUFBwICMIGKGoGHcTU6ICBUaGlzIGlzIHRoZSB1c2VyIG5vdGljZSBmcm9t
+IHF1YWxpZmllciA1IGFzc29jaWF0ZWQgd2l0aCBhbnlQb2xpY3kuICBUaGlzIHVz
+ZXIgbm90aWNlIHNob3VsZCBiZSBhc3NvY2lhdGVkIHdpdGggTklTVC10ZXN0LXBv
+bGljeS0yMA0GCSqGSIb3DQEBBQUAA4GBAGFe+mIs7y5351adHxETDUI8/Oki9cBU
+9ShrYKlpGJn8K0ST8XCe3FhVI/EMMxPJ7a7cYnl/7VQjyrFH9ulMmB3zoFiwbijM
+hfv2DyMPMTMB1pN57MpoBl7NEV0ze1I/u0CKcemqthj2jynTljGeLyJOCAd2Oat/
+J0ohqgkjwhfW
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Policies P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:00:E3:65:E9:81:D4:86:B9:C7:1D:E7:F3:33:39:06:5E:4C:11:A5:F9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a2:21:e6:6b:0b:99:66:79:2d:86:a7:9b:cd:37:9b:4d:73:1f:
+ df:91:63:c4:de:55:15:53:b0:32:ac:c8:3c:bd:96:aa:ae:c9:
+ 4f:b2:7c:9d:40:d7:f4:5d:99:8e:fa:2b:44:2d:75:ef:01:38:
+ 86:c8:59:ae:e4:62:e4:83:b4:73:03:34:d1:7f:52:bc:3d:bb:
+ 77:7e:7c:c9:41:09:4c:08:4f:a9:7f:d9:d9:0f:bc:46:9d:05:
+ 70:2f:66:0b:d4:0d:80:ec:11:83:4e:1b:90:95:ad:86:02:77:
+ e8:19:aa:a6:48:29:a3:9f:36:c3:ec:9a:f5:a4:9a:0b:f5:11:
+ 1d:72
+-----BEGIN X509 CRL-----
+MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAxMiBDQRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUAONl
+6YHUhrnHHefzMzkGXkwRpfkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+oiHmawuZZnkthqebzTebTXMf35FjxN5VFVOwMqzIPL2Wqq7JT7J8nUDX9F2Zjvor
+RC117wE4hshZruRi5IO0cwM00X9SvD27d358yUEJTAhPqX/Z2Q+8Rp0FcC9mC9QN
+gOwRg04bkJWthgJ36Bmqpkgpo582w+ya9aSaC/URHXI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest19.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest19.pem
new file mode 100644
index 0000000000..cdfe8367ae
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest19.pem
@@ -0,0 +1,64 @@
+subject=/C=US/O=Test Certificates/CN=User Notice Qualifier EE Certificate Test19
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIID3DCCA0WgAwIBAgIBKTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE0MDIGA1UEAxMrVXNlciBOb3Rp
+Y2UgUXVhbGlmaWVyIEVFIENlcnRpZmljYXRlIFRlc3QxOTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAmkrJdJV6KkYpFv+9djQ5ybyWHKyjUB8Km9OL5bgATpab
+SN8gXK6Jd/EmkSQLM58dolce8oaizez9cBhO/myxYLK4WQGi/eR1zCWhOYz75f/o
++MUwF1WFbuHvk7JcW6/0e7tI3sxdgtz2k8JDvyDZ6CH3Hb678ZfrlMMuCODEw1sC
+AwEAAaOCAcUwggHBMB8GA1UdIwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0G
+A1UdDgQWBBR2o4bo1PW8nDTv5jAQJQYPDPfgtTAOBgNVHQ8BAf8EBAMCBPAwggFt
+BgNVHSAEggFkMIIBYDCCAVwGCmCGSAFlAwIBMAEwggFMMIIBSAYIKwYBBQUHAgIw
+ggE6GoIBNnE2OiAgU2VjdGlvbiA0LjIuMS41IG9mIFJGQyAzMjgwIHN0YXRlcyB0
+aGUgbWF4aW11bSBzaXplIG9mIGV4cGxpY2l0VGV4dCBpcyAyMDAgY2hhcmFjdGVy
+cywgYnV0IHdhcm5zIHRoYXQgc29tZSBub24tY29uZm9ybWluZyBDQXMgZXhjZWVk
+IHRoaXMgbGltaXQuICBUaHVzIFJGQyAzMjgwIHN0YXRlcyB0aGF0IGNlcnRpZmlj
+YXRlIHVzZXJzIFNIT1VMRCBncmFjZWZ1bGx5IGhhbmRsZSBleHBsaWNpdFRleHQg
+d2l0aCBtb3JlIHRoYW4gMjAwIGNoYXJhY3RlcnMuICBUaGlzIGV4cGxpY2l0VGV4
+dCBpcyBvdmVyIDIwMCBjaGFyYWN0ZXJzIGxvbmcwDQYJKoZIhvcNAQEFBQADgYEA
+J8J9A+SBJzSCvCFxcnWEMXbjUkKjp4BAEhkrRH5llfYFIwM5+QAqZTFKTvP5mhTj
+eeMD/sF7Ej90V/1wRzadHnmhXe3WRwe09BUVM4Aa4b+/th9PihRNvI7x10+mAuMD
+39/vWkwe5e0DTYQwe0t+8fHohmDgmJ6JkOiccJl0auE=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedCRLSigningKeyTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedCRLSigningKeyTest6.pem
new file mode 100644
index 0000000000..a97ce07ad0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedCRLSigningKeyTest6.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBFTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEtMCsGA1UEAxMkQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCfjlwgIWm+Taynv+38GP1Yf2hDPMT5pcsPYlRaeFeg7Tsr/GhTZQKB
+qfO7h8J6JjoKD1m1BTcrdiHbRBnn183kxyhljulJLu87gOUt6LlTGTBFeaUhNNxv
+wpzF5uQ7xQcChTE7GF4kxt/oyehJFi9TGtnjdjlSi3LXG/xfQn81GwIDAQABo3ww
+ejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUScn8
+twM8Z20KAJOp5NalHpIftREwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABV8
+zJCN9czUhadFLy10H1usL1xGEcB8SRR3Row0a+Zmj8T9Se71hTgW7LfXQj3bCDJV
+3AyAd+WA4N0y0+eSRWRGNAcMrOeqNp1/Ki6iGNYceZ41Goudsc34StO7symFfatg
+hTr8/7eU6NXu2o9cDREBOJujBK/Uy52E4rx/Faxk
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Basic Self-Issued CRL Signing Key EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMHAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczFFMEMGA1UEAxM8VmFsaWQgQmFzaWMgU2VsZi1Jc3N1ZWQgQ1JMIFNpZ25p
+bmcgS2V5IEVFIENlcnRpZmljYXRlIFRlc3Q2MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC99k/Db5BB/DrP9cxgHHm842L/I4al7GOXLq3eb2h8ego1QdJ9IsNb
+ExIULQIAAGVlTriZ118rlLqlVxj05ehWT5HaDh0ygcNDziiUc4NoLYqE7Vh+wK6V
+z29q5vKajywEjZ0mAsvkfQvi1aBL9DB28K87sCS7xIEAf3zu7znQGwIDAQABo2sw
+aTAfBgNVHSMEGDAWgBRJyfy3AzxnbQoAk6nk1qUekh+1ETAdBgNVHQ4EFgQUNe4s
+lmPDT3wyx9zkVIWEuwRUL10wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAtn7y8N9W/74qmny6jUyLJcq4P
+ni0IjpLLS1hl4RYbKPyeekw3t2Lbuk7jdg9LP2GTY68plnzvHyqcKa0IL+gWvk7j
+6g1SHNMi2utPONRFStefcOubKxjT4c/HZHcPjYVBrmnssH4wzOi8bd8MQ8ZfdQLO
+l3ADkB1F2GjjIofr1A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt
+SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0
+MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj
+YXRlczEtMCsGA1UEAxMkQmFzaWMgU2VsZi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5
+IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXGyrLR0BviK/81C9C/igI
+9zh+808dGICz2wS1Oh2CWCeYia4J/65Y7XBDRBW1TJbQLdrxt2289Lc/gc9+PW9j
+gwVpGRuYkFf+AwbMgLa1Ro5zqoIbD7WjTu7vgGdDvJmrSVLfSXavpeUBzp37Dsw6
+KzSHcBjPwGes7q3pjfhOMwIDAQABo4HyMIHvMB8GA1UdIwQYMBaAFEnJ/LcDPGdt
+CgCTqeTWpR6SH7URMB0GA1UdDgQWBBQPcsozQ6nEEVGrY9pEhw9hpPS+RzAOBgNV
+HQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIGDBgNVHR8EfDB6
+MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJKoZIhvcNAQEFBQADgYEAjoyS
+h7zhrGkL40stundacKPqIEZ3HyWW0NQhD0wBhWslGAOvlCaf44kuTKggRY6r96sy
+4kWEjvfGu/r/dBgrFaCCGNv0ui5FfXu8WeZ4jvHg7wZbx5ATx5Jpumqbm0PcEYCr
+YnA6WBCstG0lohNV2ohM/wqRFmBB0WL1K+9IdfQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0F:72:CA:33:43:A9:C4:11:51:AB:63:DA:44:87:0F:61:A4:F4:BE:47
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 5c:cd:8f:a3:3d:9e:64:f7:64:73:9c:2c:39:e2:e7:d7:0e:b8:
+ 1c:3e:9b:1d:14:dc:98:c2:8e:5a:1f:e5:47:31:fd:7e:a7:d5:
+ 9f:52:31:c8:10:f7:d0:a2:84:3f:77:c7:f1:ba:7e:24:62:ad:
+ 05:ae:1c:7b:ff:f0:e2:ce:55:f5:27:d3:cc:24:7f:c8:1d:a6:
+ b8:ce:42:05:e1:06:ec:1f:87:4c:d5:69:8d:78:59:d2:33:94:
+ 1c:3b:27:68:80:3d:6f:3d:a6:c7:9f:2b:39:9f:d7:c3:83:eb:
+ 77:bd:cc:7f:96:b3:ad:24:68:99:d1:1a:bf:05:1c:8c:3e:2a:
+ 02:f8
+-----BEGIN X509 CRL-----
+MIIBdTCB3wIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYtSXNzdWVk
+IENSTCBTaWduaW5nIEtleSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjAiMCACAQMXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0j
+BBgwFoAUD3LKM0OpxBFRq2PaRIcPYaT0vkcwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAXM2Poz2eZPdkc5wsOeLn1w64HD6bHRTcmMKOWh/lRzH9fqfVn1Ix
+yBD30KKEP3fH8bp+JGKtBa4ce//w4s5V9SfTzCR/yB2muM5CBeEG7B+HTNVpjXhZ
+0jOUHDsnaIA9bz2mx58rOZ/Xw4Prd73Mf5azrSRomdEavwUcjD4qAvg=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:49:C9:FC:B7:03:3C:67:6D:0A:00:93:A9:E4:D6:A5:1E:92:1F:B5:11
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0x.v.t.r0p1.0...U....US1.0...U.
+..Test Certificates1E0C..U...<Self-Issued Cert DP for Basic Self-Issued CRL Signing Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2e:12:1f:54:36:68:73:b2:5c:f6:11:48:f1:d6:7a:bf:ce:1d:
+ d9:21:7a:96:29:44:bc:83:26:d8:8c:f5:11:36:9a:f1:23:78:
+ 57:00:8b:13:c6:74:57:4d:3d:ba:ee:d4:ac:d4:40:b1:d0:80:
+ 91:f1:06:81:91:ba:a4:f8:1e:c7:6b:d6:20:3c:92:26:23:94:
+ 80:33:df:c7:3b:ac:fc:94:ea:e8:3d:d0:37:c1:d5:e9:ba:53:
+ 83:9e:26:ed:da:fb:10:0a:6e:d8:cd:d7:20:42:2c:d6:7d:18:
+ 32:6b:75:2a:3c:51:03:dd:4d:a1:80:e6:d8:95:6a:2c:b0:b6:
+ 72:31
+-----BEGIN X509 CRL-----
+MIIB2zCCAUQCAQEwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMS0wKwYDVQQDEyRCYXNpYyBTZWxmLUlzc3Vl
+ZCBDUkwgU2lnbmluZyBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFqggbcwgbQwHwYDVR0jBBgwFoAUScn8twM8Z20KAJOp5NalHpIftREwCgYDVR0U
+BAMCAQEwgYQGA1UdHAEB/wR6MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0
+IERQIGZvciBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJ
+KoZIhvcNAQEFBQADgYEALhIfVDZoc7Jc9hFI8dZ6v84d2SF6lilEvIMm2Iz1ETaa
+8SN4VwCLE8Z0V009uu7UrNRAsdCAkfEGgZG6pPgex2vWIDySJiOUgDPfxzus/JTq
+6D3QN8HV6bpTg54m7dr7EApu2M3XIEIs1n0YMmt1KjxRA91NoYDm2JVqLLC2cjE=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest3.pem
new file mode 100644
index 0000000000..1e0db3236e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest3.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBFDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgT2xkIEtleSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+q8Gbt04t1VYDzow3lv3G+lNNQ/gCP0fz7/PBxNPzAwluA2Qzeix8gg74cXMpRe8u
+PosT3EZZ9iK1PyFmcNq+CjzCuvi8d+1gaGS36wkcQBB6g7HiKRQ8ERQ4cEE6CH21
+ntbFzVbn3d+NofzVo6e1AIdHDNPm7G0+F6f034Lo508CAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPqiarnu+k/Fcp11
+00t6bYzkXDkkMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBzQl++7X/MYd9h
+3E0XroNDuD8TflER0UTgWOwN5UO8BXz8j402hmhEPyw66u6R27V7U1/wf8wtCAli
+W7LnTcJKWFy9HKnpibiz50ike8zgsVmv1godVgDn/xvQPRAnWq+OX9Abc+6OTqiw
+aDNRQp2WD1ph+daLu1XQgeAoD4Gajw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Basic Self-Issued New With Old EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIICnjCCAgegAwIBAgIBAjANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBtMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxQjBA
+BgNVBAMTOVZhbGlkIEJhc2ljIFNlbGYtSXNzdWVkIE5ldyBXaXRoIE9sZCBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0MzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAln5v
+UhL9o7sN5MyQTZEB3Fhj6lKfzTNHMBCsngHpQqTP8zlmPvaEGpR53N+RNthxaW8K
+XmN4WVFvyXl8eaVl8+U5cewY1K/m/6OqDIZ6kvjXugMkKLbjL7ptsAGx5VoyHs/F
+xy4n0cEOmAXTZ7dbzFqM4xfqJRLqi2CgQUHnb1kCAwEAAaNrMGkwHwYDVR0jBBgw
+FoAUG7qMIYdzBwWY+uu52W9BpEXVhuowHQYDVR0OBBYEFKVAiq/jp5QN4XgK0S+E
+OKaV0NBCMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DQYJKoZIhvcNAQEFBQADgYEAIgeBhcCa3jeEq1F6/+iNWMXRVgzyV3vsDielCRFy
+wKdpYGocHPJG59OSZEHCUsdDRF2n3hhGkEILL4huEgX+oiiOhyGM/Xrr+ACuEIaS
+qfs4gBQ/HrYydCxNN4OHOuLoFDmotodh/lvY9igeeaRZ1AFI7AicI0D4CAqXyLcU
+9WI=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVkIE9sZCBLZXkgQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBALQ4a61C9wpu5W0cACccONm+QLNESmbHtLwy498fByU6
+h5UnHkutUfy7DbIv3rELFXUd2yM5xQI/QuQZ20EjXOZiCSJEcvzfoAyFLrAPf1pN
+xQybX5HhLnJK+oGlwmD4ZatL7oDqV5IhlIS0So7g+SBOCh5lkKdzbH3l6D7nQXSD
+AgMBAAGjgfowgfcwHwYDVR0jBBgwFoAU+qJque76T8VynXXTS3ptjORcOSQwHQYD
+VR0OBBYEFBu6jCGHcwcFmPrrudlvQaRF1YbqMA4GA1UdDwEB/wQEAwIBBjAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zB7BgNVHR8EdDBy
+MHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAHDVnYLXKN//Mu1w
+BZS8DbfQ8p/DlXZ0n9EmdXRzoHXReDWeOaoiHU1H1HNJcLMe4YgEjsttTEBGfsZo
+OvyNNUZ7C/oQymaDykP9W/m1TX3ZVLmx96zj36gCkVPczoG78kQ5zVjoLl5G5BJQ
+4YX3NumsNd2WpHY34K21Cd/KJ5KJ
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:1B:BA:8C:21:87:73:07:05:98:FA:EB:B9:D9:6F:41:A4:45:D5:86:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 62:de:93:8c:36:dd:b2:71:56:bb:4e:e4:32:37:51:de:6e:19:
+ 01:dd:3e:25:8c:d4:81:7e:fc:66:54:74:0d:32:30:d2:11:49:
+ dc:ad:6a:b4:fc:8f:ec:e6:56:fe:e6:ec:53:9e:41:66:31:2c:
+ ee:3a:be:bd:74:34:9b:71:c1:67:1d:3b:28:04:b9:85:e5:72:
+ cd:f0:2b:a7:d9:d5:e3:43:25:4a:52:2e:79:24:52:cf:75:e1:
+ 3c:35:82:d1:5d:1e:f6:05:8b:45:24:67:ed:84:9f:c7:8d:c0:
+ 19:55:5e:52:76:3e:2f:f4:af:13:ae:d8:24:a3:17:68:5d:b5:
+ 45:74
+-----BEGIN X509 CRL-----
+MIIBbTCB1wIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVk
+IE9sZCBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgEE
+Fw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFBu6
+jCGHcwcFmPrrudlvQaRF1YbqMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AGLek4w23bJxVrtO5DI3Ud5uGQHdPiWM1IF+/GZUdA0yMNIRSdytarT8j+zmVv7m
+7FOeQWYxLO46vr10NJtxwWcdOygEuYXlcs3wK6fZ1eNDJUpSLnkkUs914Tw1gtFd
+HvYFi0UkZ+2En8eNwBlVXlJ2Pi/0rxOu2CSjF2hdtUV0
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FA:A2:6A:B9:EE:FA:4F:C5:72:9D:75:D3:4B:7A:6D:8C:E4:5C:39:24
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0p.n.l.j0h1.0...U....US1.0...U.
+..Test Certificates1=0;..U...4Self-Issued Cert DP for Basic Self-Issued Old Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:6b:ec:1f:5b:3d:31:1c:fe:c6:40:ca:e3:c5:52:30:a0:9a:
+ 55:ee:f8:c3:bd:cd:b1:45:d0:7f:44:f6:42:1c:0f:b9:df:8f:
+ 4d:25:0b:ba:5b:bd:0c:68:c2:ce:b0:c4:17:e7:be:81:de:73:
+ 55:5c:6b:d6:3d:e5:e2:18:31:d7:5f:6e:1d:4b:0b:31:cd:44:
+ fe:29:d5:27:77:f5:83:bc:ee:3f:46:31:d5:66:5a:a1:9b:1f:
+ 16:d0:8c:ef:ae:bb:36:75:a4:b3:62:be:16:cd:de:b8:90:bd:
+ 5f:26:1f:a7:d8:1e:59:ce:27:af:ee:ab:de:9d:1d:66:ef:9e:
+ 49:cb
+-----BEGIN X509 CRL-----
+MIIByjCCATMCAQEwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSUwIwYDVQQDExxCYXNpYyBTZWxmLUlzc3Vl
+ZCBPbGQgS2V5IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIGuMIGr
+MB8GA1UdIwQYMBaAFPqiarnu+k/Fcp1100t6bYzkXDkkMAoGA1UdFAQDAgEBMHwG
+A1UdHAEB/wRyMHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBC
+YXNpYyBTZWxmLUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAIxr
+7B9bPTEc/sZAyuPFUjCgmlXu+MO9zbFF0H9E9kIcD7nfj00lC7pbvQxows6wxBfn
+voHec1Vca9Y95eIYMddfbh1LCzHNRP4p1Sd39YO87j9GMdVmWqGbHxbQjO+uuzZ1
+pLNivhbN3riQvV8mH6fYHlnOJ6/uq96dHWbvnknL
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest4.pem
new file mode 100644
index 0000000000..dc7432e631
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest4.pem
@@ -0,0 +1,175 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBFDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgT2xkIEtleSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+q8Gbt04t1VYDzow3lv3G+lNNQ/gCP0fz7/PBxNPzAwluA2Qzeix8gg74cXMpRe8u
+PosT3EZZ9iK1PyFmcNq+CjzCuvi8d+1gaGS36wkcQBB6g7HiKRQ8ERQ4cEE6CH21
+ntbFzVbn3d+NofzVo6e1AIdHDNPm7G0+F6f034Lo508CAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPqiarnu+k/Fcp11
+00t6bYzkXDkkMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBzQl++7X/MYd9h
+3E0XroNDuD8TflER0UTgWOwN5UO8BXz8j402hmhEPyw66u6R27V7U1/wf8wtCAli
+W7LnTcJKWFy9HKnpibiz50ike8zgsVmv1godVgDn/xvQPRAnWq+OX9Abc+6OTqiw
+aDNRQp2WD1ph+daLu1XQgeAoD4Gajw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Basic Self-Issued New With Old EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIICnjCCAgegAwIBAgIBAzANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBtMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxQjBA
+BgNVBAMTOVZhbGlkIEJhc2ljIFNlbGYtSXNzdWVkIE5ldyBXaXRoIE9sZCBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAogdB
+BnysUr/KTFA61NvJ5idc2kOLUlr2Nyx1WK3KTTQwISpC6JWv5b2oERCJDCL7/3g1
+C3k8J0WWk7CG0T6ydQI7A90xJDYMPGdknO2Sc+8vm/JBnwo5Qgfz2X5Oeo0Bedbz
+IDJHs35fj6KCHCxExaw5BHTbxC2cIu9YU35+KTECAwEAAaNrMGkwHwYDVR0jBBgw
+FoAU+qJque76T8VynXXTS3ptjORcOSQwHQYDVR0OBBYEFHx6BhJiF7QEIUB6yCAl
+MoN5MbxqMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DQYJKoZIhvcNAQEFBQADgYEAkmGbvODeNeoPt8PMnRvdgOCxlnqA/pzPuD+JbKui
+VPa3xQM64kKjbdTsq8JU+BtYbgy1Ocx4Lmvv/wdJ5AuIosaWiAfwW/+VVni4f6pq
+lb08+5rRTA6k0Z5lhV2RSx+AomDcQnrwsxgi+LPj2aWfwxPL3RkpQ+gnBnoRdOwI
+Fak=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+-----BEGIN CERTIFICATE-----
+MIIDETCCAnqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE9sZCBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVkIE9sZCBLZXkgQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBALQ4a61C9wpu5W0cACccONm+QLNESmbHtLwy498fByU6
+h5UnHkutUfy7DbIv3rELFXUd2yM5xQI/QuQZ20EjXOZiCSJEcvzfoAyFLrAPf1pN
+xQybX5HhLnJK+oGlwmD4ZatL7oDqV5IhlIS0So7g+SBOCh5lkKdzbH3l6D7nQXSD
+AgMBAAGjgfowgfcwHwYDVR0jBBgwFoAU+qJque76T8VynXXTS3ptjORcOSQwHQYD
+VR0OBBYEFBu6jCGHcwcFmPrrudlvQaRF1YbqMA4GA1UdDwEB/wQEAwIBBjAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zB7BgNVHR8EdDBy
+MHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm
+LUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAHDVnYLXKN//Mu1w
+BZS8DbfQ8p/DlXZ0n9EmdXRzoHXReDWeOaoiHU1H1HNJcLMe4YgEjsttTEBGfsZo
+OvyNNUZ7C/oQymaDykP9W/m1TX3ZVLmx96zj36gCkVPczoG78kQ5zVjoLl5G5BJQ
+4YX3NumsNd2WpHY34K21Cd/KJ5KJ
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:1B:BA:8C:21:87:73:07:05:98:FA:EB:B9:D9:6F:41:A4:45:D5:86:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 62:de:93:8c:36:dd:b2:71:56:bb:4e:e4:32:37:51:de:6e:19:
+ 01:dd:3e:25:8c:d4:81:7e:fc:66:54:74:0d:32:30:d2:11:49:
+ dc:ad:6a:b4:fc:8f:ec:e6:56:fe:e6:ec:53:9e:41:66:31:2c:
+ ee:3a:be:bd:74:34:9b:71:c1:67:1d:3b:28:04:b9:85:e5:72:
+ cd:f0:2b:a7:d9:d5:e3:43:25:4a:52:2e:79:24:52:cf:75:e1:
+ 3c:35:82:d1:5d:1e:f6:05:8b:45:24:67:ed:84:9f:c7:8d:c0:
+ 19:55:5e:52:76:3e:2f:f4:af:13:ae:d8:24:a3:17:68:5d:b5:
+ 45:74
+-----BEGIN X509 CRL-----
+MIIBbTCB1wIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVk
+IE9sZCBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgEE
+Fw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFBu6
+jCGHcwcFmPrrudlvQaRF1YbqMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AGLek4w23bJxVrtO5DI3Ud5uGQHdPiWM1IF+/GZUdA0yMNIRSdytarT8j+zmVv7m
+7FOeQWYxLO46vr10NJtxwWcdOygEuYXlcs3wK6fZ1eNDJUpSLnkkUs914Tw1gtFd
+HvYFi0UkZ+2En8eNwBlVXlJ2Pi/0rxOu2CSjF2hdtUV0
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued Old Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FA:A2:6A:B9:EE:FA:4F:C5:72:9D:75:D3:4B:7A:6D:8C:E4:5C:39:24
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0p.n.l.j0h1.0...U....US1.0...U.
+..Test Certificates1=0;..U...4Self-Issued Cert DP for Basic Self-Issued Old Key CA
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:6b:ec:1f:5b:3d:31:1c:fe:c6:40:ca:e3:c5:52:30:a0:9a:
+ 55:ee:f8:c3:bd:cd:b1:45:d0:7f:44:f6:42:1c:0f:b9:df:8f:
+ 4d:25:0b:ba:5b:bd:0c:68:c2:ce:b0:c4:17:e7:be:81:de:73:
+ 55:5c:6b:d6:3d:e5:e2:18:31:d7:5f:6e:1d:4b:0b:31:cd:44:
+ fe:29:d5:27:77:f5:83:bc:ee:3f:46:31:d5:66:5a:a1:9b:1f:
+ 16:d0:8c:ef:ae:bb:36:75:a4:b3:62:be:16:cd:de:b8:90:bd:
+ 5f:26:1f:a7:d8:1e:59:ce:27:af:ee:ab:de:9d:1d:66:ef:9e:
+ 49:cb
+-----BEGIN X509 CRL-----
+MIIByjCCATMCAQEwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSUwIwYDVQQDExxCYXNpYyBTZWxmLUlzc3Vl
+ZCBPbGQgS2V5IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIGuMIGr
+MB8GA1UdIwQYMBaAFPqiarnu+k/Fcp1100t6bYzkXDkkMAoGA1UdFAQDAgEBMHwG
+A1UdHAEB/wRyMHCgbqBspGowaDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMT0wOwYDVQQDEzRTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBC
+YXNpYyBTZWxmLUlzc3VlZCBPbGQgS2V5IENBMA0GCSqGSIb3DQEBBQUAA4GBAIxr
+7B9bPTEc/sZAyuPFUjCgmlXu+MO9zbFF0H9E9kIcD7nfj00lC7pbvQxows6wxBfn
+voHec1Vca9Y95eIYMddfbh1LCzHNRP4p1Sd39YO87j9GMdVmWqGbHxbQjO+uuzZ1
+pLNivhbN3riQvV8mH6fYHlnOJ6/uq96dHWbvnknL
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedOldWithNewTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedOldWithNewTest1.pem
new file mode 100644
index 0000000000..8a896652d7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedOldWithNewTest1.pem
@@ -0,0 +1,134 @@
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBEzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcQmFzaWMgU2Vs
+Zi1Jc3N1ZWQgTmV3IEtleSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+tCkygqcMEOy3i8p6ZV3685us1lOugSU4pUMRJNRH/lV2ykesk+JRcQy1s7WS12j9
+GCnSJ919/TgeKLmV3ps1fC1B8HziC0mzBAr+7f5LkJqSf0kS0kfpyLOoO8VSJCip
+/8uENkSkpvX+Lak96OKzhtyvi4KpUdQKfwpg6xUqakECAwEAAaN8MHowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFK+5+R3CRRjMuCHi
+p0e8Sb0ZtXgoMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCuRBfDy2gSPp2k
+ZR7OAvt+xDx4toJ9ImImUvJ94AOLd6Uxsi2dvQT5HLrIBrTYsSfQj1pA50XY2F7k
+3eM/+JhYCcyZD9XtAslpOkjwACPJnODFAY8PWC00CcOxGb6q+S/VkrCwvlBeMjev
+IH4bHvAymWsZndBZhcG8gBmDrZMwhQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE5ldyBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBQMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAj
+BgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVkIE5ldyBLZXkgQ0EwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANa7RRhusOV0Ub10qBKMsUMG7QViaonYz0IcJLX0FKEI
+EpTq0SV6NeVjjzmcrSrzjHQfJpkywOHRiMw7XvYunmzlwGSoD6TW1ZUYVDaQbKUT
+oWooVoCzVstf6AsZiJiHQtBt4x4OHap7QRcJdlh7aPhp6TR+zq8gB1HsG8yUlG0x
+AgMBAAGjfDB6MB8GA1UdIwQYMBaAFK+5+R3CRRjMuCHip0e8Sb0ZtXgoMB0GA1Ud
+DgQWBBTJW9PRvwbxAcF5XLtzDY1MRsst2TAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAhIZ09WrNK3jX+b8HugQygNCBEVVfX7TOCCFkmRaxp4R/QBHWvcts0YQT
+6M5ZC6b877id6zRYegHadKekVVqwFbLKEO0MnpD2yGhGgDpbil2HlEaQ9yKQXpGF
+CBx05/e7jkNhk/zGDsBqmNzkozrJOYBohkwUOjVFkAuLyovPhTY=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Basic Self-Issued Old With New EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+-----BEGIN CERTIFICATE-----
+MIICnjCCAgegAwIBAgIBAjANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYt
+SXNzdWVkIE5ldyBLZXkgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBtMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxQjBA
+BgNVBAMTOVZhbGlkIEJhc2ljIFNlbGYtSXNzdWVkIE9sZCBXaXRoIE5ldyBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0MTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArImc
+Yf7s6ea0+dqzWPAcGg4gZE8CjbYlhP964Da56tk10sqLVKHCKxnRYgymvojftLHO
+4WYGhfOfDGxlEex3i/AvnxEqVlwzH0M1fCU7mvycYjZtMSObA4U1mr/MRoO7U2so
+ege9jkx/dSbZIRGY1huIipH8TjGnOmfa56IBLpECAwEAAaNrMGkwHwYDVR0jBBgw
+FoAUyVvT0b8G8QHBeVy7cw2NTEbLLdkwHQYDVR0OBBYEFLKHIZkLlnQV1U2SSzrY
+JQOcna7uMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DQYJKoZIhvcNAQEFBQADgYEAZu2t7x1PqFyZIdjnp2j/D37jnc5xmuhC2UOUuyt2
+WFggO+apFns8iYM3azA0uj819lQexXHqKAZi5tQnMzPcYJgDjb1ix0kUCwiW3v20
+LlHf39XU7HJjfXn5USPwqNvrHcWADkRfL10y0ve+F7tmkESFvb/yF3ZU+t/OBKb4
+Dgs=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued New Key CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AF:B9:F9:1D:C2:45:18:CC:B8:21:E2:A7:47:BC:49:BD:19:B5:78:28
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:fe:c5:db:86:ee:6b:0e:f8:68:85:d2:0d:c1:44:01:d1:33:
+ 5d:9a:42:14:a7:a9:20:bd:38:30:c1:f1:3e:c1:b8:d9:4c:ba:
+ fd:3d:7c:a9:66:5f:94:fa:46:e8:23:94:4e:8d:09:1c:45:6b:
+ 21:ce:b5:cf:3f:e6:18:33:d0:ac:a6:ea:c5:f9:32:6e:75:31:
+ 79:6b:1a:8e:50:05:86:89:f9:f3:e9:8f:67:e7:93:b7:d3:05:
+ b0:9f:2c:97:9c:b7:7e:01:7e:c6:5e:f8:72:4d:11:6b:9d:30:
+ f2:69:df:68:5d:aa:a0:84:f1:07:68:15:fd:93:f6:14:a1:f9:
+ 90:ce
+-----BEGIN X509 CRL-----
+MIIBbTCB1wIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHEJhc2ljIFNlbGYtSXNzdWVk
+IE5ldyBLZXkgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgED
+Fw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFK+5
++R3CRRjMuCHip0e8Sb0ZtXgoMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB
+AHP+xduG7msO+GiF0g3BRAHRM12aQhSnqSC9ODDB8T7BuNlMuv09fKlmX5T6Rugj
+lE6NCRxFayHOtc8/5hgz0Kym6sX5Mm51MXlrGo5QBYaJ+fPpj2fnk7fTBbCfLJec
+t34BfsZe+HJNEWudMPJp32hdqqCE8QdoFf2T9hSh+ZDO
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest30.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest30.pem
new file mode 100644
index 0000000000..cdaee8592d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest30.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpzCCAhCgAwIBAgIBRjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIEROUzEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKF4cGWB
+eAaOHCGkAPlmkE9/9XtvEpanIGNf1g0ab0PBnZR8ffY+IK2+rwOeMVtfXmJbaxi/
+Z70teNn94XkPXH6Pmz/pL170Q96CasAsPU2uQC4AtNjkUSeFbSoY7Ul2NaBYqLrW
+yQ7O3jEXdX76KQWqYcihAq1Jw+AEruMq98WrAgMBAAGjgaUwgaIwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFHXnZ0cYCavxiIjbno3V
+F1KO/HN4MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoBgwFoIUdGVzdGNlcnRpZmlj
+YXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAzUV5anoiOD8wQQnetIFcg5wLnNlr
+dPixWje4q2JQcPnqZk3TW9O0GDtWHmZwVoS3PixQlJPHZGvkliTKM9vO7a8J2FDl
+/ZFRNrm2rHFjZxygk+UTwj+SI4CO8kmtSesvV0ViWwNNyfOV/nmvBjqy6pEbTnCD
+pax2/2P2ruVALCk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid DNS nameConstraints EE Certificate Test30
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBETlMxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTgwNgYDVQQD
+Ey9WYWxpZCBETlMgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Qz
+MDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA08C22ZtMqDmJQjt6hWE9rPJX
+rWB8T165lEh/iTleDZqyVWl5PRT8V1PTxkkp5aURAXm8BsNc1b7YFZfdsiMx1bjU
+iBSvqDWP8HtarPF6+J0wsXO8Zxp8OV8kCjU1gA4hLHUvVghURkKoVXwzB2cwhlqm
+iJcKkvv65JpzZPinbCsCAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBR152dHGAmr8YiI
+256N1RdSjvxzeDAdBgNVHQ4EFgQUYmleNHVLgQPdh5BhovyETaAgDeAwDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAqBgNVHREEIzAhgh90
+ZXN0c2VydmVyLnRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GB
+AJCvVAtnYWZDsmocwYuC7e6N0annLwnm6MvbUgS7+KHuXfm1ty9YuZRe3t1SFQxX
+yhuTKj9iERpNsz7ldpdAKftS6PasptiZLlqhi3Z6csOnVtmFErdgN56iJoZgkDlv
+YTSVuG8xVfNBvOTHve/LWxGMlTGPDLMLf0hamDdBTfCK
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DNS1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:75:E7:67:47:18:09:AB:F1:88:88:DB:9E:8D:D5:17:52:8E:FC:73:78
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 90:61:77:a1:94:8e:c3:62:6b:dd:eb:ec:3f:0d:e0:dc:1f:b9:
+ 04:fa:e1:74:e4:5d:d2:0a:cb:42:4f:41:9a:a5:91:d4:2d:57:
+ d2:6f:1d:5f:cd:9a:2c:24:5f:3d:21:9f:87:78:17:33:96:09:
+ 1b:d1:bd:f9:50:b7:17:c1:e0:af:50:95:7a:9d:03:9e:2c:95:
+ ef:f2:c2:a2:74:93:d3:9c:c2:73:74:96:90:b0:78:15:69:e5:
+ eb:b4:5d:dd:19:4d:ea:9a:78:af:ae:a4:b5:69:78:58:aa:7d:
+ 5d:9e:05:ee:a8:8d:2d:16:03:86:18:62:6b:cd:67:8c:5e:13:
+ 1d:46
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBE
+TlMxIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBR152dHGAmr8YiI256N1RdSjvxzeDAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQCQYXehlI7DYmvd6+w/DeDcH7kE+uF05F3SCstCT0GapZHULVfSbx1f
+zZosJF89IZ+HeBczlgkb0b35ULcXweCvUJV6nQOeLJXv8sKidJPTnMJzdJaQsHgV
+aeXrtF3dGU3qmnivrqS1aXhYqn1dngXuqI0tFgOGGGJrzWeMXhMdRg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest32.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest32.pem
new file mode 100644
index 0000000000..62413ef929
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest32.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIEROUzIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANmefIFU
+RUgrahNMyIfzibuPD5LXv1aF765kc/ROx4BQYuBUZehjaB0G3eHv0wGu5rSJbnoy
+Lpdv0XVvBKEai/K+9iIereljhcwZzKTbHHvAdhCtgImX/Zz/KZ7OU4GZJGkdcj9r
+e/szQBEqTWkWB7hT25WM4ghi5xAz1Tn3foOxAgMBAAGjgagwgaUwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFH6Q3Dvq3pzSm0JE73sa
+zW6PkuC0MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zApBgNVHR4BAf8EHzAdoRswGYIXaW52YWxpZGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAekwpteebcTHJ3RTTqNmNlRsw
+aSa2MtBlaOVNyWi/Qsgy/LO5We9Ahkq56VlKB4WTWCFBdrbbnZ4k1Dpgj+NA8YBD
+Ysuq9KofKqycs+alN4JOOMtKHzbm05wPqkhY1qbBFAUbrEm5felp5drbJys97mCX
+bm7XHTxTuImtWM4ESC4=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid DNS nameConstraints EE Certificate Test32
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBETlMyIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTgwNgYDVQQD
+Ey9WYWxpZCBETlMgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Qz
+MjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA374o7AtX/s5zVHxqAws7oJ0X
+W9efE9ztupuhz0gxjrTuRbVoFj3Z98ikVL8RLG00VdWjgbKd9gWB+UI4GD01A7Wn
+M5bSXi2t5fcyVYPxPjzhrl2gW/DfUYO4U6LHtTqID+ARhddd3Xlz/6WXt+gOLARC
+4zuqAsvNuNpnFbI5yA8CAwEAAaOBmDCBlTAfBgNVHSMEGDAWgBR+kNw76t6c0ptC
+RO97Gs1uj5LgtDAdBgNVHQ4EFgQUpTkqy96R+925D9dnz/clmePZZx0wDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAqBgNVHREEIzAhgh90
+ZXN0c2VydmVyLnRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GB
+ABBLDmNvZzxO6JM+lTiTscA+ikguaFV+BdfdORenOIJYUHV/j5MhzLCcOqh32U/B
+KZqQ9ataMvRSnqfnTHtRCWo19S5qT0QjVjVfYsDfX8QQy2jJ6bI9S5vn4bLO2HUK
+jLOabPS5lyHm10fdN+g59VKHjcBKmkBkngTkhVqVLOxL
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DNS2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:7E:90:DC:3B:EA:DE:9C:D2:9B:42:44:EF:7B:1A:CD:6E:8F:92:E0:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 02:f1:3c:9c:25:d8:e5:f3:99:97:72:47:d1:94:a1:f0:11:0a:
+ 8d:ef:9f:4c:c6:3e:93:23:1c:76:92:f7:68:f7:8f:9d:d0:ab:
+ 7d:73:20:ba:f8:ea:1c:90:10:59:01:07:c3:11:36:15:70:b3:
+ e1:80:3f:38:65:42:77:78:95:79:6d:a9:88:c7:54:59:b2:52:
+ 9d:da:5a:58:a1:73:1e:07:78:00:01:67:02:41:9e:82:b4:ab:
+ f3:d1:74:00:8f:ce:fa:78:8b:c5:ff:ca:40:ca:88:90:ac:74:
+ 78:41:4b:60:85:3f:43:31:7e:1c:60:bb:3d:91:09:df:9d:f3:
+ 6a:40
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBE
+TlMyIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBR+kNw76t6c0ptCRO97Gs1uj5LgtDAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQAC8TycJdjl85mXckfRlKHwEQqN759Mxj6TIxx2kvdo94+d0Kt9cyC6
++OockBBZAQfDETYVcLPhgD84ZUJ3eJV5bamIx1RZslKd2lpYoXMeB3gAAWcCQZ6C
+tKvz0XQAj876eIvF/8pAyoiQrHR4QUtghT9DMX4cYLs9kQnfnfNqQA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNandRFC822nameConstraintsTest27.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNandRFC822nameConstraintsTest27.pem
new file mode 100644
index 0000000000..1da7bd70d8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNandRFC822nameConstraintsTest27.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAjmgAwIBAgIBCjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA37aIkV7sYy0JnIQ6
+oLcZr4T5fsXvU6SzOxBfPrtNDpq884ix+hP3zDxAwCSO5mU0znQe9s5im5Mf9yKK
+0FIXOAHFwMb5M5mAZNwn7Tx0XYxDfBx94lsMvJdBDCddmTB5akZgQF5Iir+Y52y7
+yiWRJM+ZmowFfoi5rp/PgkSOJxsCAwEAAaOBpTCBojAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQUV6v4nCfI0vTmz2+qIAs1ZwSDJGsw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MCYGA1UdHgEB/wQcMBqgGDAWgRR0ZXN0Y2VydGlmaWNhdGVzLmdv
+djANBgkqhkiG9w0BAQUFAAOBgQBlTO2ECGQPZsbXzVHd/rGejurHrD9MHfTQYJCn
+pFjAPq3wSo4qFVopG5gl9s4rdpNU+XvoY5zO8MVxTnfFi5G+y2CWZTG0iIWQmC8b
+ReqDdpVeAV3ictgaDyoU1ApdemyOS2pHV0mgm7vPYCx+17EXzFBphUICViSFv45n
+cu1nCg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN and RFC822 nameConstraints EE Certificate Test27
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+-----BEGIN CERTIFICATE-----
+MIIDATCCAmqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMzAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGJMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRy
+ZWUxMUIwQAYDVQQDEzlWYWxpZCBETiBhbmQgUkZDODIyIG5hbWVDb25zdHJhaW50
+cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAL23wxEGImwm+05H4yzrxRQXdJBQp/RrfHB1tjFbPIUzr6hR7T+xNjC+3M8r
+Y//0sOjggeDwLkrbhDl5TK9qQUui3Oys3QORkLfvuBIKjHtzUYfyizTV86KvAybY
+dMOrY8sc5zivU0N9+FESFwg/Kv+meXt0vgL9DSe7PsFnaC8fAgMBAAGjgZYwgZMw
+HwYDVR0jBBgwFoAUV6v4nCfI0vTmz2+qIAs1ZwSDJGswHQYDVR0OBBYEFN3zmdIg
+RlRJJv9aNE/zRRJu9+n7MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwKAYDVR0RBCEwH4EdVGVzdDI3RUVAdGVzdGNlcnRpZmljYXRlcy5n
+b3YwDQYJKoZIhvcNAQEFBQADgYEAEiXPBPlFwaHGZ5TqIDXXTXn8ViKz9zfr1imR
+nhJlqZJTu2TlScmSN4vEg6++1wS0vVxiPiwNQkrH78lRNTH56MQOH92DxRyxF40M
+5YJc2GuFb6+ZkSKVWDG6UbkbMxjaZvqd+jnODcW1K2lBl1jHiv61hoNxe6VrNb4i
+m1dYiFQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:57:AB:F8:9C:27:C8:D2:F4:E6:CF:6F:AA:20:0B:35:67:04:83:24:6B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9a:01:ff:a2:5a:8d:4a:16:d9:8f:d1:7d:40:a2:bc:eb:6f:fc:
+ 4d:58:3b:b2:03:77:79:60:99:5e:f7:f5:b0:39:62:10:15:8f:
+ 67:ad:12:b7:a6:2c:ef:de:76:3b:90:26:79:b7:1b:7c:3c:25:
+ b7:bd:11:82:78:21:93:5b:11:66:15:e2:e3:d9:77:e6:a1:18:
+ 6d:dc:46:88:f9:13:7f:28:5e:17:95:7b:a6:da:4a:00:c3:44:
+ 8e:f4:00:50:a6:a0:52:86:90:cd:40:54:66:92:30:0a:64:0d:
+ 09:19:17:64:41:33:08:5d:c3:11:b5:ab:d8:61:5e:a2:60:56:
+ a7:d5
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMxcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUV6v4nCfI0vTmz2+q
+IAs1ZwSDJGswCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAmgH/olqNShbZ
+j9F9QKK862/8TVg7sgN3eWCZXvf1sDliEBWPZ60St6Ys7952O5AmebcbfDwlt70R
+gnghk1sRZhXi49l35qEYbdxGiPkTfyheF5V7ptpKAMNEjvQAUKagUoaQzUBUZpIw
+CmQNCRkXZEEzCF3DEbWr2GFeomBWp9U=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest1.pem
new file mode 100644
index 0000000000..45a7bb6036
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest1.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN nameConstraints EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIICqDCCAhGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB9MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTYwNAYDVQQDEy1WYWxpZCBETiBuYW1lQ29uc3Ry
+YWludHMgRUUgQ2VydGlmaWNhdGUgVGVzdDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBALJBCTy1/LSNTMnBOuzrGV4EuZM/iXN4/m+w9j5uwlLzfyPGdceIOSA+
+vOAPdr/9ralb/4Wvr2H7ive/ruSrj338JwY50O9BMowjNWiBs+G30rUMo+lFNoHV
+eUfBE9TZF5MiZMRPH2UiH1QqCHSn8Myeb19XahMyIfCVqISqwIEPAgMBAAGjazBp
+MB8GA1UdIwQYMBaAFE4uo+fZ3YungjtBSsOefFkjV05TMB0GA1UdDgQWBBSa/kUI
+iD544eivJJmZZwWNNFasSDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpg
+hkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAGlp4H06BUnD5PHzz/2nv9PBE7Vc
+UFLCQzhBdC13Ml9hLy/5ZLFWjlxnMKCuL51OVW25ocoUaUubwgvi3crDc4O9p72W
+xYXIEa7PYpuPadAEOKbdZJNB0X1aKWORBpaj6yiK48WMG0UydqIZps0wcfAP3HwK
+yZa23hxUZyeu9lkv
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest11.pem
new file mode 100644
index 0000000000..921ee94669
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest11.pem
@@ -0,0 +1,113 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/OU=permittedSubtree2/CN=Valid DN nameConstraints EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+-----BEGIN CERTIFICATE-----
+MIICxjCCAi+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjCBmjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQL
+ExFwZXJtaXR0ZWRTdWJ0cmVlMTEaMBgGA1UECxMRcGVybWl0dGVkU3VidHJlZTIx
+NzA1BgNVBAMTLlZhbGlkIEROIG5hbWVDb25zdHJhaW50cyBFRSBDZXJ0aWZpY2F0
+ZSBUZXN0MTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJlfx3jHiQnBHgwQ
+XhHjF5QJIB+q+2Mc2w6gHDzym/PiEa5utF2eNcy1cskZiVaLmODreo/HtQpn8Iv+
+YBfTuMT3GDXVTpPFfhVvtm4c7xz+e8QcJhK5TapF4kA4ejKPY8/JzpEtMvIS1tbt
+w4ZQteFe2G55WqBlnMnwK3yQtphFAgMBAAGjazBpMB8GA1UdIwQYMBaAFBI1n6zB
+uaHjOv7xL7p3sghOTVntMB0GA1UdDgQWBBRiLDLb16WReucmARwbU+K2PP+CPjAO
+BgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3
+DQEBBQUAA4GBAD8UOLijF/GmDv8mf/f0lhyLAbW8kylUTYgCUJpSlOL5pbtDoy/d
+9OGqYA3uzDmQJxeaW2dzPwxOjV1IVBVFjA1yBiOpxQrLhc4vDGnVBpYfcvVzy1Dh
+0jntUoxeVGCVSTd5DX1DWqzfQcOvEP3kiPGhodlCrY1udMFkLCuleB7B
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDRjCCAq+gAwIBAgIBQjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIERONSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxmMyGO18
+wxt7plFRZcGPd5GxKiCL+NJ+O/UB82qQ1+GhwlsBTSo86QNLh9KPIjs3rrARYIo0
+FqA86FPnpIiE/yWOfuQOeI3t6yvWf0XsXvcffhjW6n6sErOqhXX7voiJODZMseiM
+wQ2Md8CcE3j78i6crfbdO6xGp2xNX63VmkMCAwEAAaOCAUQwggFAMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQSNZ+swbmh4zr+8S+6
+d7IITk1Z7TAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wgcMGA1UdHgEB/wSBuDCBtaBLMEmkRzBFMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBl
+cm1pdHRlZFN1YnRyZWUxoWYwZKRiMGAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEaMBgGA1UECxMRcGVybWl0dGVkU3VidHJlZTExGTAX
+BgNVBAsTEGV4Y2x1ZGVkU3VidHJlZTEwDQYJKoZIhvcNAQEFBQADgYEAp32j43pb
+BqBj+2V14kyvmo+pgQ9H/ag1zf7WG4ei+McEkF7yvHSC6nfXJA19r+q2fAnvIU4M
+TriscCGq9oE6qzd3VIQ5wx8eJp8v9SG62gxZe3n1A8gzG37TvTwBOeEgxOKBa/BS
+8MNUbMO2SJwuE2pi9fnMhCgx9JxUQvQLou0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN5 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:12:35:9F:AC:C1:B9:A1:E3:3A:FE:F1:2F:BA:77:B2:08:4E:4D:59:ED
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 74:3d:76:85:10:61:c5:e4:1e:19:16:23:27:99:ac:bf:2e:c9:
+ 07:40:7b:fb:45:44:5d:c1:6e:d5:5a:e5:6d:35:d1:4e:9c:e1:
+ b7:21:0c:2a:7b:7f:27:ed:9f:f4:59:15:1c:67:1d:4b:8e:ca:
+ 19:7c:a2:78:22:bf:28:67:31:5f:bf:f3:73:73:ed:c3:9c:fe:
+ 2f:16:56:80:ea:ec:27:dd:7a:85:15:2c:e8:fd:c5:80:2d:ad:
+ 36:ac:8f:39:5b:d9:79:ff:54:82:c6:61:37:e2:b6:07:46:8b:
+ df:2c:86:2b:69:ca:d1:c3:71:4f:3f:c7:e9:4c:c9:23:85:85:
+ 19:9d
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjUgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFBI1n6zBuaHjOv7xL7p3sghOTVntMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAHQ9doUQYcXkHhkWIyeZrL8uyQdAe/tFRF3BbtVa5W010U6c4bchDCp7
+fyftn/RZFRxnHUuOyhl8ongivyhnMV+/83Nz7cOc/i8WVoDq7CfdeoUVLOj9xYAt
+rTasjzlb2Xn/VILGYTfitgdGi98shitpytHDcU8/x+lMySOFhRmd
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest14.pem
new file mode 100644
index 0000000000..320f1d446b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest14.pem
@@ -0,0 +1,165 @@
+subject=
+issuer=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1
+YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMjAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMAAwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAK5n11EFLCX399YnLoDu+WMSsdD5RH6rHhn9p0cp2PAWiwDuXGka
+pOpn/ZgxpgF/Ydw7ASh9/R0rJD0EfAG7rADF6j3ECZntAJmdiO7euB16HhemfpVN
+ZRiCcehJVtTK+G3vptIsyPFsdWYusjaRHdEniqEv0+rI8ZdP2RBn/pn5AgMBAAGj
+ga8wgawwHwYDVR0jBBgwFoAU1a9rKA2drUhsDIIq/9JoCS8UbVcwHQYDVR0OBBYE
+FDv0z/QxqCSlpmLnB0ps7mSrkwUoMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAO
+MAwGCmCGSAFlAwIBMAEwQQYDVR0RAQH/BDcwNYEzVmFsaWRETm5hbWVDb25zdHJh
+aW50c1Rlc3QxNEVFQHRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUA
+A4GBAEfjsvrVypBwFe1Fa4RRq10LsqrrCLc1NPiFR0B2yliqIBq81FAJcdEDNmZq
+D8C5gctYTrk9OgXYKgTzUkO8UGNtOYhDPrz1LyBnpND5D1ggYJe+xur2EX0ilhDO
+iq9+08Vo59/dYFQlttOeyY+LJMNzWqQAxxtf3p89oTOgQfxW
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAmygAwIBAgIBBjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBqMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4x
+IHN1YkNBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAteRgCqKcIeCHmYMc
+xyzmM+fCjW6MAEl+OFQ9Q7UJ1n9YE0TuaGiSxjTkrTXwDF2JoDwMtC6FoqnvEyEk
+kAxNlM0oiLhRxM9FcNCow3VK458jtPozrIgd/7PAP+FXsqPanD2DRYj4c1gNKSl4
+U/l6HyTj+yV6ax5EkPgQDLQlJksCAwEAAaOB2DCB1TAfBgNVHSMEGDAWgBROLqPn
+2d2Lp4I7QUrDnnxZI1dOUzAdBgNVHQ4EFgQU1a9rKA2drUhsDIIq/9JoCS8UbVcw
+DgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMCVVMxGjAY
+BgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0ZWRTdWJ0
+cmVlMjANBgkqhkiG9w0BAQUFAAOBgQANN5YtrqXFWfdpK19qY+rn50d/fYdLaOU5
+dSIAqmnB5woTCXdWF0LUADF4DkPfcWBxbE36lwBuGXBfiInH/5yLRy0Y9cZbtHSg
+QwTIf2a+38pR6QyBniftVBmBTuhO/PV+/kA8gKAZ6X4+vGMv69YjU9avYeS1o+XW
+liQdX8l7vg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=permittedSubtree1/CN=nameConstraints DN1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D5:AF:6B:28:0D:9D:AD:48:6C:0C:82:2A:FF:D2:68:09:2F:14:6D:57
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ af:f5:73:47:0b:2b:ce:c1:5c:82:7a:07:ed:cd:ce:55:02:85:
+ 34:07:7e:46:10:13:e0:94:7e:8c:27:9c:f5:52:89:55:5b:fc:
+ e9:08:32:b3:54:75:03:c0:ad:8a:b7:e3:fa:5e:73:10:90:5f:
+ 26:ca:6e:1c:e2:68:e4:99:4c:06:38:3b:56:25:ce:82:a5:7a:
+ 3f:0e:c5:a4:78:8b:19:d2:fc:a6:4f:f2:6d:d6:12:5f:69:03:
+ 98:b8:00:c2:0d:4f:9e:47:fd:66:3e:ac:e4:fb:55:f3:4b:bf:
+ 42:54:ce:46:a2:5c:fd:c4:5f:d8:61:5a:61:9b:a1:2c:af:0a:
+ a2:2e
+-----BEGIN X509 CRL-----
+MIIBYzCBzQIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsTEXBlcm1pdHRlZFN1YnRyZWUx
+MSMwIQYDVQQDExpuYW1lQ29uc3RyYWludHMgRE4xIHN1YkNBMhcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU1a9rKA2drUhsDIIq
+/9JoCS8UbVcwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAr/VzRwsrzsFc
+gnoH7c3OVQKFNAd+RhAT4JR+jCec9VKJVVv86Qgys1R1A8Ctirfj+l5zEJBfJspu
+HOJo5JlMBjg7ViXOgqV6Pw7FpHiLGdL8pk/ybdYSX2kDmLgAwg1Pnkf9Zj6s5PtV
+80u/QlTORqJc/cRf2GFaYZuhLK8Koi4=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest18.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest18.pem
new file mode 100644
index 0000000000..a9762440d7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest18.pem
@@ -0,0 +1,162 @@
+subject=/C=US/O=Test Certificates/CN=Valid DN nameConstraints EE Certificate Test18
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+-----BEGIN CERTIFICATE-----
+MIICkTCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBETjMgc3ViQ0EyMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+YjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTcwNQYD
+VQQDEy5WYWxpZCBETiBuYW1lQ29uc3RyYWludHMgRUUgQ2VydGlmaWNhdGUgVGVz
+dDE4MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB4Ppc8a/vNVYqFPhznRZF
+lo/ecz5fZXYIuGCaozBBsqZu+6JFjbrAbeA6FbCKH/w1WFNPPTTSvJqSqN4Lw1yG
+yeTCfJoFyUA1wbNUKONsJQgYoOLM+KIuBUpfhZKtHzLrk+NKoCz7pWo52Wy5aQ0A
+B8St+URVVzDNk8Z5+mtaYwIDAQABo2swaTAfBgNVHSMEGDAWgBQLSL4ocWpIJAo8
+4krUBSri1x417zAdBgNVHQ4EFgQUzsfJblSrNLQ6e4Gq3J4kw3O7LYQwDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUF
+AAOBgQC3FQqH6qw98Em37v12rhcPtdOIRWZPs2z9dGJpRJHDBzNoWr2t5pxwnBhZ
+L7Wy8uNRTy6iTNLgDPIPP4sXYlphcnG2SLe8APJUcTE80aikRwFcht0SO+lpiUhn
+FTrjSWJELeehius13WbzhA4NKTjleW5zkvh3mTYww5msepvgrA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIICyzCCAjSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMT
+Gm5hbWVDb25zdHJhaW50cyBETjMgc3ViQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDCH3OWCAvPFZXpNTKMN3DoOML+FK32+icT19l0MQXIXBqoJyw8qF2z
+xcl4ahdLxfSFpf8OF3ttKbzN5fk2/Dxue6beAMs0L1r4VUilJaUhOmTMrlYXB6UI
+QX2nzlu6lZbNrI0VFt8qM2C9CdbG+2ZQuJQQO0BtHXWJC9el4t68/QIDAQABo4G8
+MIG5MB8GA1UdIwQYMBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMB0GA1UdDgQWBBQL
+SL4ocWpIJAo84krUBSri1x417zAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wPQYDVR0eAQH/BDMwMaAvMC2k
+KzApMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMwDQYJ
+KoZIhvcNAQEFBQADgYEAV7W8Yarxgw2gPgl0gz1Vz7IdH6ZbzLBpsB0W+gyPTd+R
+toE/N42Efda3DIG5BoxqTj00uc9j2GF5LqBgKaEieenzkv5E6qbTrZ0F/FdX1c17
+DBpRvkchpd4FACNL+FhSq824LEKdBDOx669LmsH664nk6NSPtv04LjUxa+822aw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0B:48:BE:28:71:6A:48:24:0A:3C:E2:4A:D4:05:2A:E2:D7:1E:35:EF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c0:0c:a7:28:80:0d:2c:71:66:4d:67:82:ec:c7:30:4f:48:29:
+ fe:d4:20:82:f2:5c:e6:ef:24:8b:9f:f2:b8:c5:3b:e0:86:53:
+ f4:b5:fc:67:db:b2:1d:45:77:8a:78:47:eb:63:bb:43:b8:14:
+ c0:05:ff:ca:7b:d5:1f:fa:df:e7:7a:a5:39:e7:00:ed:4a:d9:
+ 6d:fd:d1:78:a1:44:f0:71:f4:89:4c:52:d5:ef:99:5c:59:eb:
+ 80:c4:5d:ed:48:2b:5a:55:0b:d1:df:4a:a5:49:69:f1:67:a2:
+ aa:ce:9d:99:9b:74:0f:ec:da:60:d9:3e:14:45:a3:6c:5b:47:
+ fa:d0
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBE
+TjMgc3ViQ0EyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBQLSL4ocWpIJAo84krUBSri1x417zAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQDADKcogA0scWZNZ4LsxzBPSCn+1CCC8lzm7ySLn/K4xTvghlP0
+tfxn27IdRXeKeEfrY7tDuBTABf/Ke9Uf+t/neqU55wDtStlt/dF4oUTwcfSJTFLV
+75lcWeuAxF3tSCtaVQvR30qlSWnxZ6Kqzp2Zm3QP7Npg2T4URaNsW0f60A==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest4.pem
new file mode 100644
index 0000000000..4ac860600b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest4.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN nameConstraints EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAk2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB9MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTYwNAYDVQQDEy1WYWxpZCBETiBuYW1lQ29uc3Ry
+YWludHMgRUUgQ2VydGlmaWNhdGUgVGVzdDQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBALhZkHcTNlH9LLnLK2xDvZYiDsOUcL9iZsUfTjpcENuDJ8rsXGriZDos
+g2p5cYPr4BQ4895UOQPYJo6M7/4aUnQoc/FwnGfeBNagpCJg+nD8GQNpETK9QR06
+nSxOR4/hBD6YqE8UwAIaHejrmpeTrXankCrcei9nFiquQ0Q+rwWbAgMBAAGjgaYw
+gaMwHwYDVR0jBBgwFoAUTi6j59ndi6eCO0FKw558WSNXTlMwHQYDVR0OBBYEFPG4
+BNfdQjQcDcDbjwsrIcrQPg3UMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwOAYDVR0RBDEwL4EtRE5uYW1lQ29uc3RyYWludHNUZXN0NEVF
+QHRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBAF3XzP3FukeS
+uWBMveZeEBA64M3CPXE4MchDQhtqKcYGa6SlA/t5zpGyFINeThQQrLSuijVGBGr9
+39Hwl9/maACLW3hz5xtL0881tscL2+obZhmF/lGB/e0RrLyGN3Wqql0a+BhEcj/+
+sG0iaxWcpIKdJXNFCi8/rexF7NWS+onw
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest5.pem
new file mode 100644
index 0000000000..7f9a94cce7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest5.pem
@@ -0,0 +1,115 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDKjCCApOgAwIBAgIBPzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtF5CubXL
+7jLiEaC4u7BvRC1Z977doXE+03Y8hW6dFiuPJTcVnlMN2mSck2x6VylflhI7XVIB
+PNiZZeRcEzbCJk3AmJL2NDh/20nxHhEr3jxWLmVeyLg1SXhD6WfJKwuvd61cnQkt
+xvFXQEmlzIxBohRZv/YwermH858cZ4wH/9ECAwEAAaOCASgwggEkMB8GA1UdIwQY
+MBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBShfMTSexMLJgKOUfag
+rNt28dFirTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA8GA1UdEwEB/wQFMAMBAf8wgacGA1UdHgEB/wSBnDCBmaCBljBJpEcwRTELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFw
+ZXJtaXR0ZWRTdWJ0cmVlMTBJpEcwRTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0ZWRTdWJ0cmVlMjANBgkq
+hkiG9w0BAQUFAAOBgQAw7If++YRGfq6fz1Wm8RpFEbKLi3110GORteylvI+G75Hu
+d6luoo/n/arIfKwWChanGI39YZQ4zYhx00qVeQRbUUuLMjkx14XQVntKAG8sI+KE
+mWmt2cip5+XbIJonQDFQAnQWrhAGpw+ilvfv7v2f+9Q87cYLEoIOPHWstobcug==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN nameConstraints EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN2 CA
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB9MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTYwNAYDVQQDEy1WYWxpZCBETiBuYW1lQ29uc3Ry
+YWludHMgRUUgQ2VydGlmaWNhdGUgVGVzdDUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAMMSbKt/wrsfhfsOqi60ijsWABK1LY20O0SAKCNKW2LuoK3iYZRMPRMT
+2Oym1z29akHaZ5ftLz/WGQ5JuabuVkg4Gx1xRloNkS0RQlIuRMJfLM2mzlXWH5ud
+oXHeHmwbUiYvWFbmwrx4xZbeSaePIYctisexGIa20LJ67Pd8t6OvAgMBAAGjgfsw
+gfgwHwYDVR0jBBgwFoAUoXzE0nsTCyYCjlH2oKzbdvHRYq0wHQYDVR0OBBYEFMRD
+3dYx5+B/4AavhJ+9quSyY66XMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwgYwGA1UdEQSBhDCBgaR/MH0xCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEaMBgGA1UECxMRcGVybWl0dGVkU3VidHJl
+ZTIxNjA0BgNVBAMTLVZhbGlkIEROIG5hbWVDb25zdHJhaW50cyBFRSBDZXJ0aWZp
+Y2F0ZSBUZXN0NTANBgkqhkiG9w0BAQUFAAOBgQCfVuaBKnayPluCi5d9KyF783Oi
+JpQn0SY2yAfXdRAH3cugsfzlo0rsjHyRPj+g5QW5yabg7uJbj11/tnQ/En7u56cj
+mnDBuLqUFrqkJY3Md+k/bCXomEjddbEGKjV8d54oD8ngld0Oy4+fBPQbNo1apc7K
+LqdooapvnR5Nm8qsWQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A1:7C:C4:D2:7B:13:0B:26:02:8E:51:F6:A0:AC:DB:76:F1:D1:62:AD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 61:8f:48:c3:1c:a7:3f:ae:b4:6b:c3:99:b1:72:4c:ea:6a:b7:
+ e7:93:fc:d6:ef:4b:64:a2:cd:a8:45:04:4c:b5:14:5b:60:24:
+ 83:f1:36:22:75:b9:96:22:2f:48:86:bd:a9:8d:f5:9b:f0:bb:
+ c8:f4:70:13:6d:71:a3:8b:0c:a5:ea:5f:8f:42:45:b7:e0:4d:
+ ee:47:1a:39:53:3a:5a:61:3a:6b:8b:39:26:ca:38:f8:b5:c7:
+ 8d:44:d3:47:7d:68:29:b9:4d:86:af:fc:26:11:da:02:07:63:
+ ff:9a:19:51:33:84:bc:a6:ee:f2:12:61:24:92:86:ae:73:41:
+ 1f:b6
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFKF8xNJ7EwsmAo5R9qCs23bx0WKtMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAGGPSMMcpz+utGvDmbFyTOpqt+eT/NbvS2SizahFBEy1FFtgJIPxNiJ1
+uZYiL0iGvamN9Zvwu8j0cBNtcaOLDKXqX49CRbfgTe5HGjlTOlphOmuLOSbKOPi1
+x41E00d9aCm5TYav/CYR2gIHY/+aGVEzhLym7vISYSSShq5zQR+2
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest6.pem
new file mode 100644
index 0000000000..35f40caf4b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest6.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN nameConstraints EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+-----BEGIN CERTIFICATE-----
+MIICqDCCAhGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB9MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTYwNAYDVQQDEy1WYWxpZCBETiBuYW1lQ29uc3Ry
+YWludHMgRUUgQ2VydGlmaWNhdGUgVGVzdDYwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAOdvJDDcPZf9hCISpQZ3vrpBXxzoFe0eBH7NUTsfOWAh2OGCfOak1DHU
+NApws4o7QUiHWATX1FGzJj9d32W9sROF6qqFJl94jJDinNYS2QeEMZ/T1W7u3+eP
+HZjrIYArjSRN19lgg2VuU5WpIKOXas+cOOQlh/I61dFQjHqyf1W1AgMBAAGjazBp
+MB8GA1UdIwQYMBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMB0GA1UdDgQWBBTohZvb
+MzEoZLMs7htkuG2eUNmvlzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpg
+hkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBABmQhcYL+rwYvVrnWH1LIbYHFhUX
+X0kvvS6SmK7Y+Ea7uDLmhDe5F1QKYmcURJt/Gwhz0xOFOsBCo3Ab4MSIScm00WvI
+3TIXXjLYF4LufXUGle7mdbWcT7SXfd0QVGWbTHDgbVc8SPHmQh3E4r2KVTacFry7
+nbzganMh05d7MTny
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBQDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAti5Odfo3
+pSf6p8iGjNMBwSlKozpyyMbXSxEjpiDvuZpllmjLqoXe6tiWiee19xCly8MnbxXl
+4Pc6BglZNZd+adRIlPrFUPIVmBM51RJLvzQKjiTRPwrPwsJnizD9KLcr0Kf+e9Gi
+LHBlqZM41/0oBCVuAX/5Y5zNNiFhFeOnkNECAwEAAaOB1zCB1DAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUi+O4WFafA2rfPdgHO7MH
+NuHLtsowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFgGA1UdHgEB/wROMEyhSjBIpEYwRDELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRkwFwYDVQQLExBleGNsdWRl
+ZFN1YnRyZWUxMA0GCSqGSIb3DQEBBQUAA4GBALkukW5Jb4GxdEYN7MeIVxnZX8fn
+4Ulh/l6uDFKi+R8UZyMWYp0oi5F0sYQrrsjBwpg/ivfpJtxLh1uMEAWp98vMQPFZ
+Hoo+ma1Ulfh6qAGv8C6EgA5sxWuNO0VrZsMbNsQeqVLXKvkBsYxrUAHXBd5ufqEA
+Wofw3VBcFpqgolnA
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8B:E3:B8:58:56:9F:03:6A:DF:3D:D8:07:3B:B3:07:36:E1:CB:B6:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a9:3e:f9:c3:5c:b0:eb:85:59:db:c9:72:3e:b4:2b:30:6d:22:
+ dc:9c:9f:fc:8a:ad:9b:1d:48:b0:19:9f:47:3e:d2:44:6c:3d:
+ c4:6c:03:bb:82:6c:26:85:eb:7f:1d:9c:48:93:a0:9c:66:25:
+ 85:b1:5e:fe:71:a3:d6:2d:4d:c0:cb:3f:1a:46:fe:ea:31:8a:
+ db:d2:1d:f5:0f:b3:48:ad:0b:48:0a:b4:19:cd:e9:c5:5d:17:
+ 6a:3f:f8:bc:99:39:5b:29:88:2d:7d:0f:b4:be:94:e6:8e:a1:
+ 7e:12:31:2a:46:f9:3c:1f:d1:c2:69:c3:be:62:f4:bb:b0:6b:
+ 16:a2
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFIvjuFhWnwNq3z3YBzuzBzbhy7bKMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAKk++cNcsOuFWdvJcj60KzBtItycn/yKrZsdSLAZn0c+0kRsPcRsA7uC
+bCaF638dnEiToJxmJYWxXv5xo9YtTcDLPxpG/uoxitvSHfUPs0itC0gKtBnN6cVd
+F2o/+LyZOVspiC19D7S+lOaOoX4SMSpG+Twf0cJpw75i9Luwaxai
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSAParameterInheritanceTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSAParameterInheritanceTest5.pem
new file mode 100644
index 0000000000..7b1c148861
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSAParameterInheritanceTest5.pem
@@ -0,0 +1,141 @@
+subject=/C=US/O=Test Certificates/CN=Valid DSA Parameter Inheritance EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=DSA Parameters Inherited CA
+-----BEGIN CERTIFICATE-----
+MIICMjCCAfGgAwIBAgIBATAJBgcqhkjOOAQDME8xCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbRFNBIFBhcmFtZXRlcnMg
+SW5oZXJpdGVkIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowaDEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMT0wOwYDVQQD
+EzRWYWxpZCBEU0EgUGFyYW1ldGVyIEluaGVyaXRhbmNlIEVFIENlcnRpZmljYXRl
+IFRlc3Q1MIGTMAkGByqGSM44BAEDgYUAAoGBAM6LNthcREHH6pqw2JQ5RbNJtGxm
+vdadsOuJvn5b0NszIYMbSpJq13bSo8hLx5uVfEvkGdc0BpoYHdax/d+0xQcq1G2b
+yKxnK+bYJbJhXuvvfEtQJXVoNRneAuD+UX5sAKja0T80w8kTA1/2K0vJMVwExuZb
+OPhYbliV11/6bvxPo2swaTAdBgNVHQ4EFgQUAHhCMlJkgBTrJroWKe1llb8qHx8w
+HwYDVR0jBBgwFoAUXSTuilUa8sbJssK/ivCySU86sxswFwYDVR0gBBAwDjAMBgpg
+hkgBZQMCATABMA4GA1UdDwEB/wQEAwIGwDAJBgcqhkjOOAQDAzAAMC0CFA18iKub
+KQypNt8MvheJ9svsobpgAhUAzoneZ6mJuBahNft2JyeO/YD0xes=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=DSA CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAu+gAwIBAgICB9EwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxUcnVzdCBBbmNo
+b3IwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA6MQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBkRTQSBDQTCC
+AbcwggEsBgcqhkjOOAQBMIIBHwKBgQDf5RE+2um2bhDW6p3inTqwR71EAMdWyMxu
+0DOEVkc1PfZUyOPCrbu6dfMvMwym+THsZ+PlmW38KW6qV4hyNOKOAJDgo6xkjsD2
+PB2PtMhKSDBef6qcdiYL2xNzM4OXwMWz5jf1Pv8VDdShLrox+KuH2AvMd5hCbqyT
+mMK9Lns0CwIVAM8GBNj/i+sA6fZcB5Zz/ZZlOi8HAoGBAMzhfLDOkl9j7Di7RLrd
+kjS2Xr5le9hxdwSd7GZ8OwTOtvNS/g+SVQLvThKrXZouL25W83Dsau2bIrioE8sM
+nBbqwQqOISZEpQz5oOxi4HAxzGj1C4WkShtuefTB+TZaOG9O74RT32f9zPdZYo+c
+nM0Qj1ykD5y3B+xg876vfjmYA4GEAAKBgBHyudi+QivFhL6RAhz8jDJyi6hsIdeI
+ihS6MGV1wBw9gmllp6yQehQdhXvlU8Jg/LHPZ6/B8i4IMmo4x5FOO7w8CdD5cW0I
+3ydJjQV02L1G0NtRpVO6h/P6XSWDT38KdeWp44mnQXdjQF8rLITSwXF4CttrVxnh
+5xQMnsT2MjkOo3wwejAdBgNVHQ4EFgQUdBXVJBy9XmWIH+GLCX5/6hlITmEwHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4GBADo7ch93LLrc7PUdW0XOP3+kP+Sywfqf2ApcmOLufmM60siw4rzA
+1ssoITB2Rs3TPQKBiJzMdFKrq8tQ+8TcpXJ9M4SVfbAFB0P0vB4UC2Eg6iSnVJbB
+tsZFj12gpqv5Gawo3yUTw34h3opDGSX1pz6eZUIZBFKpAX5gyIpiEBI2
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=DSA Parameters Inherited CA
+issuer=/C=US/O=Test Certificates/CN=DSA CA
+-----BEGIN CERTIFICATE-----
+MIICFDCCAdOgAwIBAgIBAjAJBgcqhkjOOAQDMDoxCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEPMA0GA1UEAxMGRFNBIENBMB4XDTAxMDQx
+OTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTzELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMSQwIgYDVQQDExtEU0EgUGFyYW1ldGVycyBJbmhl
+cml0ZWQgQ0EwgZIwCQYHKoZIzjgEAQOBhAACgYBnjEfaDDaBZDn4GjcL8LvUE/1n
+PUDInJLhOolUsPKXpXDQZBekp3yp6ScJZd+gpRz8BNo+3WJr8AztgVdPXSnICFkZ
+DF+NiPD/jLbodQG+EApk31d7i2xW8FPOQ4i5CZkIPJCvAejZMl3tVgLPYNIBOuMK
+K56RQfbHfN5smWMADqN8MHowHQYDVR0OBBYEFF0k7opVGvLGybLCv4rwsklPOrMb
+MB8GA1UdIwQYMBaAFHQV1SQcvV5liB/hiwl+f+oZSE5hMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAJBgcq
+hkjOOAQDAzAAMC0CFQCoWW8xd7Yg7Dab60thCq9E7XK6KQIUbSLhvU0n9i47H9ed
+1lleyyWGItg=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c7:32:ea:21:ff:7d:01:d4:f3:d9:c5:a9:ea:04:35:21:81:d2:
+ 13:f2:35:d3:e4:53:c5:03:93:de:a1:2d:25:56:64:bc:52:20:
+ 81:53:69:6a:a6:90:26:38:bd:ed:31:7f:a9:7b:c1:e8:a9:e5:
+ 07:97:82:bb:3e:8a:f9:79:ec:2e:bd:16:4c:31:6b:b6:80:ca:
+ ba:ba:0c:35:0a:d6:08:3c:31:78:fe:d3:3d:06:69:6c:3a:e4:
+ 07:4d:6e:84:21:d3:c3:90:60:8f:99:90:62:a9:16:38:25:2f:
+ 7e:08:5f:2f:cc:59:d7:7d:9b:2f:d8:0b:e7:70:d9:64:f7:01:
+ 38:8d
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU+2zULYGe
+yid6ng2wPOqavIf/SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAxzLq
+If99AdTz2cWp6gQ1IYHSE/I10+RTxQOT3qEtJVZkvFIggVNpaqaQJji97TF/qXvB
+6KnlB5eCuz6K+XnsLr0WTDFrtoDKuroMNQrWCDwxeP7TPQZpbDrkB01uhCHTw5Bg
+j5mQYqkWOCUvfghfL8xZ132bL9gL53DZZPcBOI0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: dsaWithSHA1
+ Issuer: /C=US/O=Test Certificates/CN=DSA CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:74:15:D5:24:1C:BD:5E:65:88:1F:E1:8B:09:7E:7F:EA:19:48:4E:61
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: dsaWithSHA1
+ 30:2c:02:14:46:20:d2:4b:f9:cd:91:09:e9:71:6a:bf:d2:3e:
+ 88:5d:d0:47:ee:aa:02:14:25:ae:d3:6a:ca:3f:a4:54:41:d9:
+ a3:57:74:b3:48:ab:c5:9f:01:f9
+-----BEGIN X509 CRL-----
+MIHYMIGZAgEBMAkGByqGSM44BAMwOjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMQ8wDQYDVQQDEwZEU0EgQ0EXDTAxMDQxOTE0NTcyMFoX
+DTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHQV1SQcvV5liB/hiwl+f+oZ
+SE5hMAoGA1UdFAQDAgEBMAkGByqGSM44BAMDLwAwLAIURiDSS/nNkQnpcWq/0j6I
+XdBH7qoCFCWu02rKP6RUQdmjV3SzSKvFnwH5
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: dsaWithSHA1
+ Issuer: /C=US/O=Test Certificates/CN=DSA Parameters Inherited CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5D:24:EE:8A:55:1A:F2:C6:C9:B2:C2:BF:8A:F0:B2:49:4F:3A:B3:1B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: dsaWithSHA1
+ 30:2d:02:15:00:89:33:c4:9a:67:b6:d1:05:d2:fa:c6:db:09:
+ a9:f0:01:9c:cb:db:00:02:14:5a:f9:93:bc:2c:9d:fb:be:01:
+ 4b:f1:a2:fb:1d:93:dc:98:05:f4:ab
+-----BEGIN X509 CRL-----
+MIHuMIGuAgEBMAkGByqGSM44BAMwTzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMSQwIgYDVQQDExtEU0EgUGFyYW1ldGVycyBJbmhlcml0
+ZWQgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFF0k7opVGvLGybLCv4rwsklPOrMbMAoGA1UdFAQDAgEBMAkGByqGSM44BAMD
+MAAwLQIVAIkzxJpnttEF0vrG2wmp8AGcy9sAAhRa+ZO8LJ37vgFL8aL7HZPcmAX0
+qw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSASignaturesTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSASignaturesTest4.pem
new file mode 100644
index 0000000000..6482e31df3
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSASignaturesTest4.pem
@@ -0,0 +1,104 @@
+subject=/C=US/O=Test Certificates/CN=Valid DSA Signatures EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=DSA CA
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAvWgAwIBAgIBATAJBgcqhkjOOAQDMDoxCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEPMA0GA1UEAxMGRFNBIENBMB4XDTAxMDQx
+OTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXTELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMTIwMAYDVQQDEylWYWxpZCBEU0EgU2lnbmF0dXJl
+cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCCAbYwggErBgcqhkjOOAQBMIIBHgKBgQDk
+i69AjBXXPXzuA5YSaMEgBegXyp50ZUuaVJcqeDPapcVy6jSzlGhC1Rv9d/CoQp5k
+k5C2wgIxRhN6A2nMmC1WnV4jXyi/rX8P0GmVYlwaBypejHNJfv0SIo5V5VbprnIp
+locIJ9d3Q/CGuAkKGxSl5gPmRXlN6fpTX8EJvX7FwwIVAIA/5PzzTOU+yw8XCipU
+bNBnbA07AoGAZtQWiiCt/tEyn6V/p7PQ6nc/62yi5CnY2Lwh3Zr3zOW0d03f7Nqi
+jJx1Elof/mbTEcLvhEPsqYhuTLpMPzWWx2f8mb0PmSkTkU7YAq7+a69QVqovHrUq
+yO4iRyV4ayHdFD/O8BCB95YdnEG7XkSSXS7GHrjNaciPPzs+0E+iztkDgYQAAoGA
+D1MorDgvPfMRYUHDPafWevf2ATLTIXEQFNXDPk3rGaKMr54IPUEK/8yiR4J6VqGj
+/eyyi7c5tcqgGYWCm5ZoqLtrupCk4a1ltkQx0h4iL1NBT/qc+C/oLEMkFn4r2GT3
+ZPrweUgduQJtkDbM6zYP8jmrfSfs90dv3TPEfk3uJFejazBpMB0GA1UdDgQWBBSz
+M9dRogQNRPudQPESYnGwU/ZpDTAfBgNVHSMEGDAWgBR0FdUkHL1eZYgf4YsJfn/q
+GUhOYTAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDgYDVR0PAQH/BAQDAgbAMAkG
+ByqGSM44BAMDMAAwLQIVAIynyNKZ1ECb+SGSaPMnJglzolkYAhRM/h+AuzCA19hw
+xk52oNmdtPZA6g==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=DSA CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAu+gAwIBAgICB9EwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxUcnVzdCBBbmNo
+b3IwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA6MQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBkRTQSBDQTCC
+AbcwggEsBgcqhkjOOAQBMIIBHwKBgQDf5RE+2um2bhDW6p3inTqwR71EAMdWyMxu
+0DOEVkc1PfZUyOPCrbu6dfMvMwym+THsZ+PlmW38KW6qV4hyNOKOAJDgo6xkjsD2
+PB2PtMhKSDBef6qcdiYL2xNzM4OXwMWz5jf1Pv8VDdShLrox+KuH2AvMd5hCbqyT
+mMK9Lns0CwIVAM8GBNj/i+sA6fZcB5Zz/ZZlOi8HAoGBAMzhfLDOkl9j7Di7RLrd
+kjS2Xr5le9hxdwSd7GZ8OwTOtvNS/g+SVQLvThKrXZouL25W83Dsau2bIrioE8sM
+nBbqwQqOISZEpQz5oOxi4HAxzGj1C4WkShtuefTB+TZaOG9O74RT32f9zPdZYo+c
+nM0Qj1ykD5y3B+xg876vfjmYA4GEAAKBgBHyudi+QivFhL6RAhz8jDJyi6hsIdeI
+ihS6MGV1wBw9gmllp6yQehQdhXvlU8Jg/LHPZ6/B8i4IMmo4x5FOO7w8CdD5cW0I
+3ydJjQV02L1G0NtRpVO6h/P6XSWDT38KdeWp44mnQXdjQF8rLITSwXF4CttrVxnh
+5xQMnsT2MjkOo3wwejAdBgNVHQ4EFgQUdBXVJBy9XmWIH+GLCX5/6hlITmEwHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBBQUAA4GBADo7ch93LLrc7PUdW0XOP3+kP+Sywfqf2ApcmOLufmM60siw4rzA
+1ssoITB2Rs3TPQKBiJzMdFKrq8tQ+8TcpXJ9M4SVfbAFB0P0vB4UC2Eg6iSnVJbB
+tsZFj12gpqv5Gawo3yUTw34h3opDGSX1pz6eZUIZBFKpAX5gyIpiEBI2
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ c7:32:ea:21:ff:7d:01:d4:f3:d9:c5:a9:ea:04:35:21:81:d2:
+ 13:f2:35:d3:e4:53:c5:03:93:de:a1:2d:25:56:64:bc:52:20:
+ 81:53:69:6a:a6:90:26:38:bd:ed:31:7f:a9:7b:c1:e8:a9:e5:
+ 07:97:82:bb:3e:8a:f9:79:ec:2e:bd:16:4c:31:6b:b6:80:ca:
+ ba:ba:0c:35:0a:d6:08:3c:31:78:fe:d3:3d:06:69:6c:3a:e4:
+ 07:4d:6e:84:21:d3:c3:90:60:8f:99:90:62:a9:16:38:25:2f:
+ 7e:08:5f:2f:cc:59:d7:7d:9b:2f:d8:0b:e7:70:d9:64:f7:01:
+ 38:8d
+-----BEGIN X509 CRL-----
+MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU+2zULYGe
+yid6ng2wPOqavIf/SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAxzLq
+If99AdTz2cWp6gQ1IYHSE/I10+RTxQOT3qEtJVZkvFIggVNpaqaQJji97TF/qXvB
+6KnlB5eCuz6K+XnsLr0WTDFrtoDKuroMNQrWCDwxeP7TPQZpbDrkB01uhCHTw5Bg
+j5mQYqkWOCUvfghfL8xZ132bL9gL53DZZPcBOI0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: dsaWithSHA1
+ Issuer: /C=US/O=Test Certificates/CN=DSA CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:74:15:D5:24:1C:BD:5E:65:88:1F:E1:8B:09:7E:7F:EA:19:48:4E:61
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: dsaWithSHA1
+ 30:2c:02:14:46:20:d2:4b:f9:cd:91:09:e9:71:6a:bf:d2:3e:
+ 88:5d:d0:47:ee:aa:02:14:25:ae:d3:6a:ca:3f:a4:54:41:d9:
+ a3:57:74:b3:48:ab:c5:9f:01:f9
+-----BEGIN X509 CRL-----
+MIHYMIGZAgEBMAkGByqGSM44BAMwOjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMQ8wDQYDVQQDEwZEU0EgQ0EXDTAxMDQxOTE0NTcyMFoX
+DTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHQV1SQcvV5liB/hiwl+f+oZ
+SE5hMAoGA1UdFAQDAgEBMAkGByqGSM44BAMDLwAwLAIURiDSS/nNkQnpcWq/0j6I
+XdBH7qoCFCWu02rKP6RUQdmjV3SzSKvFnwH5
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimeCRLnextUpdateTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimeCRLnextUpdateTest13.pem
new file mode 100644
index 0000000000..f15bd0771a
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimeCRLnextUpdateTest13.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=GenerizedTime CRL nextUpdate CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIChTCCAe6gAwIBAgIBEDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEoMCYGA1UEAxMfR2VuZXJpemVk
+VGltZSBDUkwgbmV4dFVwZGF0ZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEA0XVL58x4St3rim3S8J3rxCFsMxohlbSezZsM8cVML4M8JqBA2RCpciqMXQ39
+ySW9Va2Mca/dkW/VCXATp9lG6hGPI9uvz5t42IPrYc/CdCMWnMZYPxolMOUJd8rD
+fRjX+PnPtbMonefHo0LclKZkSs5hLEty2zpam33MNLS4L+0CAwEAAaN8MHowHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFBSGFC5gYrSk
+iBLjiqt4F6Lu0TAaMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFl
+AwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAPS84jJFDI
+dH5hR/XPr96LgBMhK72+PiP/6pgrKYilpao6qSJAf9vIsaWuebDcHUWFO3HcaIwl
+Ku+ejli9fwEZmMcK1l4pj5vf5y4/wYBkWTvnpT65JUGdmuFic0n4c1jEPTkRZPl0
+FVsLl9iYRwWLJH9pq9gaOLZboV3w/HplDg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid GeneralizedTime CRL nextUpdate EE Certificate Test13
+issuer=/C=US/O=Test Certificates/CN=GenerizedTime CRL nextUpdate CA
+-----BEGIN CERTIFICATE-----
+MIICojCCAgugAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH0dlbmVyaXplZFRp
+bWUgQ1JMIG5leHRVcGRhdGUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBuMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+QzBBBgNVBAMTOlZhbGlkIEdlbmVyYWxpemVkVGltZSBDUkwgbmV4dFVwZGF0ZSBF
+RSBDZXJ0aWZpY2F0ZSBUZXN0MTMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AJ/BW+Rh38aEJHLhyF2rFsHXLa//8UzBuAOpoiJSzFc4gk4FZMbUeMNc7JEG8d3C
+1iCI6ksf+VPWuZsGVLU8GB1Y01lFSaXPp5jmmDeILhOIhmh7/xGJOC0bftMHU2Ub
+STCDgX+yxmVEzoPNpyWc+NIOUxF4dGZcIVeFKPB6cYQlAgMBAAGjazBpMB8GA1Ud
+IwQYMBaAFBSGFC5gYrSkiBLjiqt4F6Lu0TAaMB0GA1UdDgQWBBRAXKg9gLMI1s2l
+71T3v0X4NAK8LzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA0GCSqGSIb3DQEBBQUAA4GBAJODcolMrKSSYYUM8i0NqwfexPIPQ6X+U/WU
+fh7Q4VMoPii7s2hU2MHjdWM/80GnDbNLmNqWBWqymgR+lkYvyvcMSsXr7SC7ZN7T
+PKpw3Hi2bnOFDJDKA/MGWsX+cehwuRKlxmwep3r23H0ctmF6bYpcVusN6NYXVHzt
+jU0bM66N
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=GenerizedTime CRL nextUpdate CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Jan 1 12:01:00 2050 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:14:86:14:2E:60:62:B4:A4:88:12:E3:8A:AB:78:17:A2:EE:D1:30:1A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ ca:4b:74:4e:30:1a:c3:6c:07:22:c9:4e:5b:2a:a1:2b:9c:7a:
+ 82:20:53:df:a4:45:75:15:ab:eb:5a:c2:e8:f2:bf:57:f7:d0:
+ 2e:b1:cc:10:56:0c:be:b2:15:72:e3:b4:c8:0f:90:fd:ce:57:
+ 9c:1d:b6:cb:dc:4d:80:64:ae:49:4f:05:d8:96:1b:a7:ab:aa:
+ 22:61:65:57:63:1b:7f:9c:81:f1:e5:cf:06:b1:6c:00:a1:36:
+ 28:26:97:2f:ef:74:37:e1:89:7e:0f:c8:ec:df:ac:91:f2:e3:
+ f5:01:a5:27:87:dd:29:b9:35:d5:e1:99:91:a5:07:31:24:80:
+ 0c:7d
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH0dlbmVyaXplZFRpbWUgQ1JM
+IG5leHRVcGRhdGUgQ0EXDTAxMDQxOTE0NTcyMFoYDzIwNTAwMTAxMTIwMTAwWqAv
+MC0wHwYDVR0jBBgwFoAUFIYULmBitKSIEuOKq3gXou7RMBowCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEAykt0TjAaw2wHIslOWyqhK5x6giBT36RFdRWr61rC
+6PK/V/fQLrHMEFYMvrIVcuO0yA+Q/c5XnB22y9xNgGSuSU8F2JYbp6uqImFlV2Mb
+f5yB8eXPBrFsAKE2KCaXL+90N+GJfg/I7N+skfLj9QGlJ4fdKbk11eGZkaUHMSSA
+DH0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotAfterDateTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotAfterDateTest8.pem
new file mode 100644
index 0000000000..df9cce1587
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotAfterDateTest8.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid GeneralizedTime notAfter Date EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBCDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwIBcN
+MDEwNDE5MTQ1NzIwWhgPMjA1MDAxMDExMjAxMDBaMGwxCzAJBgNVBAYTAlVTMRow
+GAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFBMD8GA1UEAxM4VmFsaWQgR2VuZXJh
+bGl6ZWRUaW1lIG5vdEFmdGVyIERhdGUgRUUgQ2VydGlmaWNhdGUgVGVzdDgwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALuN3xhLcTamwSrg/7HDqFvodu01X/59
+oI6coV90K3bmWeFUWcw5ZNfns6jjgQE1kexWBJIFACT3kFzmEdQ0Diht+5/uEeSO
+PkOZPDfVFZRsZlKiP4F5JRag4K4+Wfrt8M1vzLcj/TRtui1jpwyXKD/Zjtsye3j8
+MayBGrcgQWbXAgMBAAGjazBpMB8GA1UdIwQYMBaAFLcupoLLwsi8qHsnRNc1M9+a
+FZTHMB0GA1UdDgQWBBSikE0CsoDg9dGVN7xsWnkXPID8kzAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBABG3
+77d7XM2ib5Bv0aVQKTDlDZr1fzLxv0CeJt/o6io7LL8Z9gC0ZdoeiB1nK+unnlu0
+GFMygOHAwKUkKMkkChIGFyYSEPrqQV5811YETya4JBE+Ou3GQ2oKNNL49+HP2yTm
+aWT5eiTEg86gF52K2nPXRNaNGYHgT1+Ez2HeI4pO
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotBeforeDateTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotBeforeDateTest4.pem
new file mode 100644
index 0000000000..8e57181bd2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotBeforeDateTest4.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid GeneralizedTime notBefore Date EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBBTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwIBgP
+MjAwMjAxMDExMjAxMDBaFw0xMTA0MTkxNDU3MjBaMG0xCzAJBgNVBAYTAlVTMRow
+GAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFCMEAGA1UEAxM5VmFsaWQgR2VuZXJh
+bGl6ZWRUaW1lIG5vdEJlZm9yZSBEYXRlIEVFIENlcnRpZmljYXRlIFRlc3Q0MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC95eHxRXrYP2LBGJtgztiha9W1jRBa
+tkZEgkmukmElQlc+Nz/uh5pRNpJbg7b+3Mv6XKMr0qncHxRIaap0sD3MY8CQOeWi
+IHCEtT5XGFy6B6eGpqfdejjnvN4MHVdd9uBaxf0Rbo7JlxXLCT5ZrYMNbK128Toq
+qhp0MV1GpfZ1DwIDAQABo2swaTAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPf
+mhWUxzAdBgNVHQ4EFgQUeJSUUvGhyTgLeYzfK/SqlRZsvacwDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAi
+TR2cFTtIDfG39B3eWiPgzxJebkwj3E1ZcxAxzGcYHoSScb79ueJ4ERjgskZWO7ag
+oNPHokDXVScVCIjeYTG540+aQNawBa6L+HhIMNIuzHw190nKXMOSqPmNk4vbYPwk
+32dtRrn1hIUDujUwTkW5daFxJ25HjyUfVZCMQuwXqA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest22.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest22.pem
new file mode 100644
index 0000000000..ca7dc27428
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest22.pem
@@ -0,0 +1,116 @@
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKnNvKCUbOkr4mNPrV
+EBeh0vWaSj7DMTMuBhMM4N5zT6XkBdghaAMQis36dJASxXYtGiiAY0Wv3oicc66t
+vag7yMp7Iy71oHzCSrw+YF6oBOV+krjeaNIg/5/CGLkMr5KXC3egPap4fv/EQbAD
+ZbMw+Qndc+mnj7AAnfb8i2AJPQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUbMEUX9inLeCGkxlcC/BJuSVb6BwwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABA2o025rmbJVizdycoV/q2zarMz87Ki
+QJimcOjKcZTSmDiAxKCTYzBFWeUZWZqVDm0QbhOThmX5nkaYjiz3vLAgdDDUr6zA
+tYmNsP2oA7ajpSmcze5/VwkBgMKt7Al5w6xT91R0tCltLcppOPJhE85jMd724jTc
+XHLxTJCox/SL
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid IDP with indirectCRL EE Certificate Test22
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA1
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMwVmFsaWQg
+SURQIHdpdGggaW5kaXJlY3RDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDIyMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2H58UKDg/MSuu2itx5AvPDHHk0lMX7Bu3
+X3Vok97lKf6HAIseNFrZecQGe7RtIm3ICK1WFaq9tKE3MutSXNCcZ+CrPj0H/pzt
+jlFAlRN1jpTCSj3rVVAUpL9BCHMWrZ9qf8FVWgWI3YMWw7cgqC45VZxRYN0zyyGm
+pz4tN6pyTwIDAQABo2swaTAfBgNVHSMEGDAWgBRswRRf2Kct4IaTGVwL8Em5JVvo
+HDAdBgNVHQ4EFgQU7rkQZsqGMoKvXfmcukPIoHnHBC0wDgYDVR0PAQH/BAQDAgTw
+MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQBqHSrq
+s+MMY0Cfl9rlm+QyuARye7sTvTM5fQkOs/K3US5mAMfA+ei6Prb+u7FqxUya+Y9s
+6Q0AeDutkLkdJWPbJd7B+HsQCT/fWFvYE74YOOu5DTmtII5zVS5bildOaE/xTw2z
+stQtRX9MHe2JVh7WK/CA+TghpnYDlW+IG/iXjw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=indirectCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:C1:14:5F:D8:A7:2D:E0:86:93:19:5C:0B:F0:49:B9:25:5B:E8:1C
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:ab:91:4b:38:62:8e:f2:48:86:10:a6:b8:b9:c3:c2:28:e5:
+ c1:d8:3b:c5:8c:6f:62:44:37:f6:1e:2f:d4:04:be:ff:bb:28:
+ a4:3c:71:1f:69:58:85:95:60:3c:cc:f7:65:22:4e:9e:44:e2:
+ 6b:45:16:9d:67:ae:da:ff:57:e7:d4:ef:34:cf:1e:86:52:13:
+ 25:77:a7:7d:fc:ec:94:62:bd:b1:76:a9:66:c1:ef:82:bb:3e:
+ 9b:21:c4:ef:49:9b:2a:e8:5a:ef:39:82:ee:da:97:5f:77:89:
+ a6:3e:42:26:77:b2:15:97:c4:db:ee:ca:8c:ad:d2:cf:18:3e:
+ 87:e8
+-----BEGIN X509 CRL-----
+MIIBcTCB2wIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBMRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcy
+MFowDDAKBgNVHRUEAwoBAaBAMD4wHwYDVR0jBBgwFoAUbMEUX9inLeCGkxlcC/BJ
+uSVb6BwwCgYDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4QB/zANBgkqhkiG9w0BAQUF
+AAOBgQBsq5FLOGKO8kiGEKa4ucPCKOXB2DvFjG9iRDf2Hi/UBL7/uyikPHEfaViF
+lWA8zPdlIk6eROJrRRadZ67a/1fn1O80zx6GUhMld6d9/OyUYr2xdqlmwe+Cuz6b
+IcTvSZsq6FrvOYLu2pdfd4mmPkImd7IVl8Tb7sqMrdLPGD6H6A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest24.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest24.pem
new file mode 100644
index 0000000000..d069a80b26
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest24.pem
@@ -0,0 +1,137 @@
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKnNvKCUbOkr4mNPrV
+EBeh0vWaSj7DMTMuBhMM4N5zT6XkBdghaAMQis36dJASxXYtGiiAY0Wv3oicc66t
+vag7yMp7Iy71oHzCSrw+YF6oBOV+krjeaNIg/5/CGLkMr5KXC3egPap4fv/EQbAD
+ZbMw+Qndc+mnj7AAnfb8i2AJPQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUbMEUX9inLeCGkxlcC/BJuSVb6BwwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABA2o025rmbJVizdycoV/q2zarMz87Ki
+QJimcOjKcZTSmDiAxKCTYzBFWeUZWZqVDm0QbhOThmX5nkaYjiz3vLAgdDDUr6zA
+tYmNsP2oA7ajpSmcze5/VwkBgMKt7Al5w6xT91R0tCltLcppOPJhE85jMd724jTc
+XHLxTJCox/SL
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDblDsGRxVahA98R7vE
+/DS4nbSbyoerDINPIyc8wkOtWcS+y+f9O5IIdDJOZm2I5px1PA840SXYHh15o3ZW
+Vn4gFU3AgKF/CWMJ1g79LAYAMnQN/T7kSfuz/0rqhLH9tjz3Qtjt+/zy45YIny80
+7JOBLH3eLX0H2aOmsJUenp5ExQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwa+CD9XTTxDwMWI8WIm5inS7nAEwDgYD
+VR0PAQH/BAQDAgIEMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEvc066az+E8sftMAgkECVeJVw0Mcr2y
+YlJ0SAbZUNaU7KbzXxm3j8Q5v8K8GDy7EB4H0Gyh0vgsbChTAdLip7xQf7V7SetA
+nE66H4ikF/UAhXlSz+E48Qe2+L3w2weGbU3zwmNMeYkI6dmGFMfEut7hL9ak0Ulc
+0meAGzOu5kHt
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid IDP with indirectCRL EE Certificate Test24
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA2
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAkmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMwVmFsaWQg
+SURQIHdpdGggaW5kaXJlY3RDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDI0MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfPjamOqOBJ5I2GqRFerJm5J5EGXpY0CGA
+2i3yoxIxrL4B6vuDMX7x2Zh7+JRcggTd6xwFetZeJWWLahi51RWjfa3RKfwa3/wJ
+yxCvJJfDAdr0zZE2NjXSKDWBdtYxpqvOo/8TCYIvrzKF6kQG44bZ6biAIC30T9vj
+Kezab2UgwwIDAQABo4HCMIG/MB8GA1UdIwQYMBaAFMGvgg/V008Q8DFiPFiJuYp0
+u5wBMB0GA1UdDgQWBBTmjKLn116swFbGYjGlN4lIL3ZOzTAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMFQGA1UdHwRNMEswSaJHpEUwQzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQD
+Ew9pbmRpcmVjdENSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEAe+QvzalpHWA4qr6K
+kSqLzdboAOHGA4+9IYaqUm3rczXhCZrk9cJmWTX7l3grLw4NMMGYkpvy+K/ZRTo5
+7qatlnIg1IxOuR/FQjQUZa+qvhv261Dlk3dH+QlApPxEZyjwCmu9qlXuQaLRWPVM
+Q5FPPtw73O3MCtrfR0D6/mS5zoY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=indirectCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:C1:14:5F:D8:A7:2D:E0:86:93:19:5C:0B:F0:49:B9:25:5B:E8:1C
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:ab:91:4b:38:62:8e:f2:48:86:10:a6:b8:b9:c3:c2:28:e5:
+ c1:d8:3b:c5:8c:6f:62:44:37:f6:1e:2f:d4:04:be:ff:bb:28:
+ a4:3c:71:1f:69:58:85:95:60:3c:cc:f7:65:22:4e:9e:44:e2:
+ 6b:45:16:9d:67:ae:da:ff:57:e7:d4:ef:34:cf:1e:86:52:13:
+ 25:77:a7:7d:fc:ec:94:62:bd:b1:76:a9:66:c1:ef:82:bb:3e:
+ 9b:21:c4:ef:49:9b:2a:e8:5a:ef:39:82:ee:da:97:5f:77:89:
+ a6:3e:42:26:77:b2:15:97:c4:db:ee:ca:8c:ad:d2:cf:18:3e:
+ 87:e8
+-----BEGIN X509 CRL-----
+MIIBcTCB2wIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBMRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcy
+MFowDDAKBgNVHRUEAwoBAaBAMD4wHwYDVR0jBBgwFoAUbMEUX9inLeCGkxlcC/BJ
+uSVb6BwwCgYDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4QB/zANBgkqhkiG9w0BAQUF
+AAOBgQBsq5FLOGKO8kiGEKa4ucPCKOXB2DvFjG9iRDf2Hi/UBL7/uyikPHEfaViF
+lWA8zPdlIk6eROJrRRadZ67a/1fn1O80zx6GUhMld6d9/OyUYr2xdqlmwe+Cuz6b
+IcTvSZsq6FrvOYLu2pdfd4mmPkImd7IVl8Tb7sqMrdLPGD6H6A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest25.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest25.pem
new file mode 100644
index 0000000000..9861f0f70b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest25.pem
@@ -0,0 +1,137 @@
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKnNvKCUbOkr4mNPrV
+EBeh0vWaSj7DMTMuBhMM4N5zT6XkBdghaAMQis36dJASxXYtGiiAY0Wv3oicc66t
+vag7yMp7Iy71oHzCSrw+YF6oBOV+krjeaNIg/5/CGLkMr5KXC3egPap4fv/EQbAD
+ZbMw+Qndc+mnj7AAnfb8i2AJPQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUbMEUX9inLeCGkxlcC/BJuSVb6BwwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABA2o025rmbJVizdycoV/q2zarMz87Ki
+QJimcOjKcZTSmDiAxKCTYzBFWeUZWZqVDm0QbhOThmX5nkaYjiz3vLAgdDDUr6zA
+tYmNsP2oA7ajpSmcze5/VwkBgMKt7Al5w6xT91R0tCltLcppOPJhE85jMd724jTc
+XHLxTJCox/SL
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDblDsGRxVahA98R7vE
+/DS4nbSbyoerDINPIyc8wkOtWcS+y+f9O5IIdDJOZm2I5px1PA840SXYHh15o3ZW
+Vn4gFU3AgKF/CWMJ1g79LAYAMnQN/T7kSfuz/0rqhLH9tjz3Qtjt+/zy45YIny80
+7JOBLH3eLX0H2aOmsJUenp5ExQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwa+CD9XTTxDwMWI8WIm5inS7nAEwDgYD
+VR0PAQH/BAQDAgIEMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEvc066az+E8sftMAgkECVeJVw0Mcr2y
+YlJ0SAbZUNaU7KbzXxm3j8Q5v8K8GDy7EB4H0Gyh0vgsbChTAdLip7xQf7V7SetA
+nE66H4ikF/UAhXlSz+E48Qe2+L3w2weGbU3zwmNMeYkI6dmGFMfEut7hL9ak0Ulc
+0meAGzOu5kHt
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid IDP with indirectCRL EE Certificate Test25
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA2
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAkmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMwVmFsaWQg
+SURQIHdpdGggaW5kaXJlY3RDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDI1MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf0B2LJSDNBUNNk9cwJtpviFO4J0nIRbuc
+O6UsC4jXoQrcgUkZOOcYIT82Yz33dg4bv6K2EXqzJwIfBGq6JGvHrAl3djShH1wO
+qasa6FN6vCnmb2Wo1+7KpwCSlDAWAYhNTcb8tGMYGiOGd4FMhEdA/y4sRqmuJEOZ
+Uw7DglXVewIDAQABo4HCMIG/MB8GA1UdIwQYMBaAFMGvgg/V008Q8DFiPFiJuYp0
+u5wBMB0GA1UdDgQWBBSQlj00h5t1ic1A+gEB0E3NRYLbqjAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMFQGA1UdHwRNMEswSaJHpEUwQzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQD
+Ew9pbmRpcmVjdENSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEAHIf/ZJSSoUe0ahpi
+VXce88mnP2i2KJBuOPFVGyJHSY2wGKtm02kgghm1bSdwVzXOLwTLa223rjc+cZcD
+7lYleZJEOeEnibK+8EgTf0Z/D6VnmIsQD/HHhpkmvB69NWVETkG1VtkmEHkaNDdQ
+2WsP41gX0VujQE2K3UK1KDPPNsI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=indirectCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6C:C1:14:5F:D8:A7:2D:E0:86:93:19:5C:0B:F0:49:B9:25:5B:E8:1C
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6c:ab:91:4b:38:62:8e:f2:48:86:10:a6:b8:b9:c3:c2:28:e5:
+ c1:d8:3b:c5:8c:6f:62:44:37:f6:1e:2f:d4:04:be:ff:bb:28:
+ a4:3c:71:1f:69:58:85:95:60:3c:cc:f7:65:22:4e:9e:44:e2:
+ 6b:45:16:9d:67:ae:da:ff:57:e7:d4:ef:34:cf:1e:86:52:13:
+ 25:77:a7:7d:fc:ec:94:62:bd:b1:76:a9:66:c1:ef:82:bb:3e:
+ 9b:21:c4:ef:49:9b:2a:e8:5a:ef:39:82:ee:da:97:5f:77:89:
+ a6:3e:42:26:77:b2:15:97:c4:db:ee:ca:8c:ad:d2:cf:18:3e:
+ 87:e8
+-----BEGIN X509 CRL-----
+MIIBcTCB2wIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBMRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcy
+MFowDDAKBgNVHRUEAwoBAaBAMD4wHwYDVR0jBBgwFoAUbMEUX9inLeCGkxlcC/BJ
+uSVb6BwwCgYDVR0UBAMCAQEwDwYDVR0cAQH/BAUwA4QB/zANBgkqhkiG9w0BAQUF
+AAOBgQBsq5FLOGKO8kiGEKa4ucPCKOXB2DvFjG9iRDf2Hi/UBL7/uyikPHEfaViF
+lWA8zPdlIk6eROJrRRadZ67a/1fn1O80zx6GUhMld6d9/OyUYr2xdqlmwe+Cuz6b
+IcTvSZsq6FrvOYLu2pdfd4mmPkImd7IVl8Tb7sqMrdLPGD6H6A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest16.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest16.pem
new file mode 100644
index 0000000000..58a9b915a7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest16.pem
@@ -0,0 +1,115 @@
+subject=/C=US/O=Test Certificates/CN=Long Serial Number CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBEjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVTG9uZyBTZXJp
+YWwgTnVtYmVyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1mCudsqPk
+irIFe3XQBPzhyyRQyreJH26B3Yg6kYq1Obd6I1j7Ber4BDVyCCAvnS6rNkzsbaJf
++sWVf27Vug0uhasZx/3XGc0DbhZNr5iYknU1LEh8Ccq1Oymq0LPolAHqaJNOaYpb
+K5Fq0P0RDcBK/ENgmtdY0CJrR7MWUTttqQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU3z1I++My57kmUova7PgJT7PH
+36YwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHJqd5P8eBN05uB3+fPCfVjO
+qX7csbAx6X1LNibOoWDlB9Y6fElHQS+i8HDPmIIdC7N/9xoCW/fhzZqb6VKDQXNM
+9pwf6jOJKnNQOaQISdoIvj2Jn1FoE4Bo1SGGQo6ZgCWfXPA1TE93BXTua9Oa+FZ5
+fhG3y3gMYLC6ciKePSDf
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Long Serial Number EE Certificate Test16
+issuer=/C=US/O=Test Certificates/CN=Long Serial Number CA
+-----BEGIN CERTIFICATE-----
+MIICnzCCAgigAwIBAgIUfwECAwQFBgcICQoLDA0ODxAREhIwDQYJKoZIhvcNAQEF
+BQAwSTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4w
+HAYDVQQDExVMb25nIFNlcmlhbCBOdW1iZXIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcN
+MTEwNDE5MTQ1NzIwWjBiMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0
+aWZpY2F0ZXMxNzA1BgNVBAMTLlZhbGlkIExvbmcgU2VyaWFsIE51bWJlciBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0MTYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKtO
+3auJrAWhozm7l0Z1T0lT1bIb6AWcsrX5hHI03QNjnAsiR6TwhLzknLevcqY1FMOd
+3CQ0YGisyl+jQn6u0vn8gQbPvlN+HaEM3KhBED8jqLLcnspGAS6f8oi1dpWNK0fL
+NrOz4DYCp7kQVDXIBmifayg87zrHaz6X4lMhxgxJAgMBAAGjazBpMB8GA1UdIwQY
+MBaAFN89SPvjMue5JlKL2uz4CU+zx9+mMB0GA1UdDgQWBBTJunkp/mY4QxI0f3ob
+s65e11IvhjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA0GCSqGSIb3DQEBBQUAA4GBAENEAZeCPJoLGi9JOR7np7MvjQtU9NWutm2iMthF
+MYTKIG9CmYoDbDGl689tIyEHOSJO576cpCvOoORWfvPNFqUGaDKjTeZ5r43Uq4kM
+G2GcseomSZC95SvZhsH5ZrLkdJLSrOe1B4RiNQV6Dx/EgDr0t/CL0bTNhh5l72LJ
+8cNi
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Long Serial Number CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DF:3D:48:FB:E3:32:E7:B9:26:52:8B:DA:EC:F8:09:4F:B3:C7:DF:A6
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 7F0102030405060708090A0B0C0D0E0F10111213
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 7a:20:63:9e:55:8d:d1:c3:ab:3f:37:97:45:61:6c:a3:21:9f:
+ 83:bd:ce:63:48:7c:a8:ca:36:15:02:3b:1b:51:66:e0:23:df:
+ de:ea:86:72:e6:92:9a:63:c7:0e:31:30:ee:62:83:1c:3e:23:
+ 20:29:23:ec:aa:2e:f6:18:ba:94:45:e7:af:5e:44:0d:3c:2b:
+ 13:6b:8c:7c:7a:6d:a2:f7:b5:9e:ea:d6:f9:9d:4d:31:91:8f:
+ ea:4d:b7:ef:5f:5a:2e:63:fc:37:02:5a:db:a6:3e:de:6b:a7:
+ 84:83:d2:a7:5b:e2:07:85:9f:0a:03:f0:33:53:eb:a3:d1:d4:
+ 16:02
+-----BEGIN X509 CRL-----
+MIIBeTCB4wIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFUxvbmcgU2VyaWFsIE51bWJl
+ciBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA1MDMCFH8BAgMEBQYH
+CAkKCwwNDg8QERITFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8G
+A1UdIwQYMBaAFN89SPvjMue5JlKL2uz4CU+zx9+mMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAHogY55VjdHDqz83l0VhbKMhn4O9zmNIfKjKNhUCOxtRZuAj
+397qhnLmkppjxw4xMO5igxw+IyApI+yqLvYYupRF569eRA08KxNrjHx6baL3tZ7q
+1vmdTTGRj+pNt+9fWi5j/DcCWtumPt5rp4SD0qdb4geFnwoD8DNT66PR1BYC
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest17.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest17.pem
new file mode 100644
index 0000000000..16037a0097
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest17.pem
@@ -0,0 +1,115 @@
+subject=/C=US/O=Test Certificates/CN=Long Serial Number CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBEjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVTG9uZyBTZXJp
+YWwgTnVtYmVyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1mCudsqPk
+irIFe3XQBPzhyyRQyreJH26B3Yg6kYq1Obd6I1j7Ber4BDVyCCAvnS6rNkzsbaJf
++sWVf27Vug0uhasZx/3XGc0DbhZNr5iYknU1LEh8Ccq1Oymq0LPolAHqaJNOaYpb
+K5Fq0P0RDcBK/ENgmtdY0CJrR7MWUTttqQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU3z1I++My57kmUova7PgJT7PH
+36YwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHJqd5P8eBN05uB3+fPCfVjO
+qX7csbAx6X1LNibOoWDlB9Y6fElHQS+i8HDPmIIdC7N/9xoCW/fhzZqb6VKDQXNM
+9pwf6jOJKnNQOaQISdoIvj2Jn1FoE4Bo1SGGQo6ZgCWfXPA1TE93BXTua9Oa+FZ5
+fhG3y3gMYLC6ciKePSDf
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Long Serial Number EE Certificate Test17
+issuer=/C=US/O=Test Certificates/CN=Long Serial Number CA
+-----BEGIN CERTIFICATE-----
+MIICnzCCAgigAwIBAgIUfgECAwQFBgcICQoLDA0ODxAREhMwDQYJKoZIhvcNAQEF
+BQAwSTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4w
+HAYDVQQDExVMb25nIFNlcmlhbCBOdW1iZXIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcN
+MTEwNDE5MTQ1NzIwWjBiMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0
+aWZpY2F0ZXMxNzA1BgNVBAMTLlZhbGlkIExvbmcgU2VyaWFsIE51bWJlciBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0MTcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMmE
+I5A7RJ2dsFgrNGpTKPbTNkMlTeSA0APdg25ehg2jBXRX32Y18+LwdacaCcVFxWIK
+z16aAT/8U/rmoP3+dPkVosnTcbJamr5D5rE2D+QWqHI+4Q0saPg91CxVTkLhxU9R
+Ck1bLkVggnQngeaqCNLIAHuP8N44+V3Pytm+HddRAgMBAAGjazBpMB8GA1UdIwQY
+MBaAFN89SPvjMue5JlKL2uz4CU+zx9+mMB0GA1UdDgQWBBR7xbA1RfoohD3hr0Lj
+5WUT+PO6hDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATAB
+MA0GCSqGSIb3DQEBBQUAA4GBAGGq1mqUIqGhHvuMEEdcLDESbvJ2tSMigxNjqvGi
+zWc/CpxqrWchwxA3zF1/M54g1Shi2IAxIp7lfBJbh6X8o/8Dzhc7Mff3HrrqTrC9
+NUuJEFGx13X8FRoEPgCKkn/kl8fDLfTvJt/Piww6fE8s+5iiXwqaFwGJjSgz0UqW
+re5l
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Long Serial Number CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DF:3D:48:FB:E3:32:E7:B9:26:52:8B:DA:EC:F8:09:4F:B3:C7:DF:A6
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 7F0102030405060708090A0B0C0D0E0F10111213
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 7a:20:63:9e:55:8d:d1:c3:ab:3f:37:97:45:61:6c:a3:21:9f:
+ 83:bd:ce:63:48:7c:a8:ca:36:15:02:3b:1b:51:66:e0:23:df:
+ de:ea:86:72:e6:92:9a:63:c7:0e:31:30:ee:62:83:1c:3e:23:
+ 20:29:23:ec:aa:2e:f6:18:ba:94:45:e7:af:5e:44:0d:3c:2b:
+ 13:6b:8c:7c:7a:6d:a2:f7:b5:9e:ea:d6:f9:9d:4d:31:91:8f:
+ ea:4d:b7:ef:5f:5a:2e:63:fc:37:02:5a:db:a6:3e:de:6b:a7:
+ 84:83:d2:a7:5b:e2:07:85:9f:0a:03:f0:33:53:eb:a3:d1:d4:
+ 16:02
+-----BEGIN X509 CRL-----
+MIIBeTCB4wIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFUxvbmcgU2VyaWFsIE51bWJl
+ciBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA1MDMCFH8BAgMEBQYH
+CAkKCwwNDg8QERITFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8G
+A1UdIwQYMBaAFN89SPvjMue5JlKL2uz4CU+zx9+mMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAHogY55VjdHDqz83l0VhbKMhn4O9zmNIfKjKNhUCOxtRZuAj
+397qhnLmkppjxw4xMO5igxw+IyApI+yqLvYYupRF569eRA08KxNrjHx6baL3tZ7q
+1vmdTTGRj+pNt+9fWi5j/DcCWtumPt5rp4SD0qdb4geFnwoD8DNT66PR1BYC
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingCapitalizationTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingCapitalizationTest5.pem
new file mode 100644
index 0000000000..84006ae155
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingCapitalizationTest5.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Name Chaining Capitalization EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=GOOD CA
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBDTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dPT0QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBrMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxQDA+BgNVBAMTN1ZhbGlkIE5hbWUgQ2hh
+aW5pbmcgQ2FwaXRhbGl6YXRpb24gRUUgQ2VydGlmaWNhdGUgVGVzdDUwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBAKKjNiRlU/b/0kN4KqqM8GCc/XOogauyq9LV
+K5+grKdIS9Hyb8R/YDK9ilsjzU/nYKRdOvMfUs5NYR7H1UhBJ9GMfo5ZJE7zbV6X
+COFLvi5STvmS1FIA1COnOuW0gCI37YuvoILvExZV0MlgOP+maCzYWDsffOoGujMJ
+/tdFTmufAgMBAAGjazBpMB8GA1UdIwQYMBaAFLcupoLLwsi8qHsnRNc1M9+aFZTH
+MB0GA1UdDgQWBBRM7vD5b8j3gITFAx7LZDp4/fhR8DAOBgNVHQ8BAf8EBAMCBPAw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAFXVuDJL
+2xAKqFtse2QAF5GxQIa8VuJCdOuNF/KCTNQ65dWDvBRYuc1O2O0NaeN71B7vbBaR
+fLAM9acjYghtDQd22u/dErDTmKIS2IEY4Z3P1eGlLcNhpV1DsIAe6cQLgm+fY8jS
+1m63U2bt0Fs4nefPvxpkWCeLXOCr7ewDM2Uc
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingUIDsTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingUIDsTest6.pem
new file mode 100644
index 0000000000..224a2cebb5
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingUIDsTest6.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=UID CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcTCCAdqgAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxUcnVzdCBBbmNo
+b3IwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA6MQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBlVJRCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyt5HBgA3udSw3/TzrG90sAN/8wyl
+eDWkGAUc1kYzyzCyNNRMYjTspi391pcr4incsgjvOY3Xc6YT8ajMzFw0R+ur6hbl
+oTYcbzdNNZGzr2w66IMDMntKTpZ2PpUH4XoCvJmNc4xIohL60RqPrGofttwpyfS+
+gxXCpVjsfywnR40CAwEAAYICBSCjfDB6MB8GA1UdIwQYMBaAFPts1C2Bnsonep4N
+sDzqmryH/0nqMB0GA1UdDgQWBBTSZXzCH9kXQYjs1VhEmgfiHMx4FTAOBgNVHQ8B
+Af8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADgYEAJZCA4IQ1YgY/8DcUafiLUKwirRsP5C7cCdMr
+0POcMDPmF5wyw0VuUGqHnAFEvc3VXjHv7KPJjlq0BPN6Zv/mWpumTOEMZNM8ik5u
+2NwuDmexmwkXHhK63MVV+iVsef6nWxx2Xf3ahbbLQgFnMIbLeNzXpIPzyFlQK0V/
+ABcwlzg=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid UIDs EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=UID CA
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBATANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBlVJRCBDQTAeFw0w
+MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFMxCzAJBgNVBAYTAlVTMRowGAYD
+VQQKExFUZXN0IENlcnRpZmljYXRlczEoMCYGA1UEAxMfVmFsaWQgVUlEcyBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0NjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA61z4
+7chYRZr2FRLh+/4cPggLdSkDgQkdFCuflGzLsN21pmtZue3b7qADRSFwnmP5wQ9L
+dOEPzufTiCt3wcPEHCaBCCN0Rr+8iWwww76h7HE0jjU9o7IHje6qAOhc7THvZS3s
+kiVb9Nt1J1/KSPM3oltTENEyjuLaXbI9XIYY/p0CAwEAAYECBSCjazBpMB8GA1Ud
+IwQYMBaAFNJlfMIf2RdBiOzVWESaB+IczHgVMB0GA1UdDgQWBBRMlbVlFGZ1ahlQ
+H8QnvM3PBG+n+DAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA0GCSqGSIb3DQEBBQUAA4GBALXKf4ViSQp8LaI9MVvNFJ5b/YG4jXBpGXXp
+htEyinitf4scZy55fdtqANeG0Ph5y7633SFANNBWS+enHNQu3Nti8boG52chWIzf
+/8vANjunWkn/PVQrI6jXORTFNG+Ia/baFDbpKyjIta1g79QVXdqi7xQ9Neo6r81u
+uhx3rn/V
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=UID CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D2:65:7C:C2:1F:D9:17:41:88:EC:D5:58:44:9A:07:E2:1C:CC:78:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 69:bb:bb:27:78:93:70:70:bc:06:5b:eb:d0:3a:9e:78:3a:e3:
+ dc:8a:0f:8d:77:93:e1:6a:c9:83:f5:64:f8:0c:5f:27:0b:1f:
+ a9:83:a3:c4:f3:87:ea:24:f8:79:41:a4:44:56:1b:93:78:bd:
+ e5:83:d9:60:2f:2e:d0:92:1b:41:2a:90:0c:9f:5f:90:1c:07:
+ 88:98:b4:6b:cb:78:98:da:30:d2:37:d2:44:19:c7:d3:fc:9e:
+ 65:89:2e:f4:77:7d:f5:9f:4b:f7:72:3f:32:d9:90:d8:52:0a:
+ dc:ce:51:81:21:f5:25:59:02:11:34:8f:52:24:ad:0c:0d:69:
+ 2f:2d
+-----BEGIN X509 CRL-----
+MIIBMzCBnQIBATANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxDzANBgNVBAMTBlVJRCBDQRcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU0mV8wh/ZF0GI7NVY
+RJoH4hzMeBUwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAabu7J3iTcHC8
+Blvr0DqeeDrj3IoPjXeT4WrJg/Vk+AxfJwsfqYOjxPOH6iT4eUGkRFYbk3i95YPZ
+YC8u0JIbQSqQDJ9fkBwHiJi0a8t4mNow0jfSRBnH0/yeZYku9Hd99Z9L93I/MtmQ
+2FIK3M5RgSH1JVkCETSPUiStDA1pLy0=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest3.pem
new file mode 100644
index 0000000000..a2b8d417c1
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest3.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Name Chaining Whitespace EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICiDCCAfGgAwIBAgIBCzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSVGVzdCAgQ2VydGlmaWNhdGVzMRQwEgYDVQQDEwtHb29kICAgICBD
+QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE8MDoGA1UEAxMzVmFsaWQgTmFt
+ZSBDaGFpbmluZyBXaGl0ZXNwYWNlIEVFIENlcnRpZmljYXRlIFRlc3QzMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnqTq65lI16x9K+4TSv4Kj5oTA79gcaQ1V
+o1Pov5lyumlF8AxDNIBczzkCmRw0G5yTUG0GK47M9jfAWj3nlYjtQY324wjwcRYX
+TqFCcPr4Aw4VdxQ58+hE/Dve+Q9KgH8XJ7KELJoiN9dCmYcTXnkW+ZNnPYGpAtf8
+2QXDyCwO5QIDAQABo2swaTAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWU
+xzAdBgNVHQ4EFgQU7dgiWtJswE2iwyEUO2QMiVBSZGEwDgYDVR0PAQH/BAQDAgTw
+MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQBYEf4J
+9G7Vag3A4nNIKYSRK1FULS5V4XEpbh7h12s4NjEulFrxn9ZKwSbElwar9CYZIOJl
+sW77M3xjTub/6l2DwT+pBp8smD4WdcN8D9453M0nY3+0de6hU09COr7/AWVzbxzd
+UEHnXWDZu5PRgbj14UJKrqBzQiZAbMRx5b8sAw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest4.pem
new file mode 100644
index 0000000000..771472db84
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest4.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Name Chaining Whitespace EE Certificate Test4
+issuer=/C=US/O=Test Certificates /CN= Good CA
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEd
+MBsGA1UEChMUVGVzdCBDZXJ0aWZpY2F0ZXMgICAxEzARBgNVBAMTCiAgIEdvb2Qg
+Q0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBnMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPDA6BgNVBAMTM1ZhbGlkIE5h
+bWUgQ2hhaW5pbmcgV2hpdGVzcGFjZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtFVzL02aRX103n0ddypzMXb4EZ6au9/l
+Cf7wLoF0u6IHixT05tw1feYoDt23vnfJKOjwqqcqnshCi0k949dyrQeTAnFQXsqp
+aPj1xjdYq3ohEKTObPeGRiyinhMAEZHxTLUyIW3hmjooktV827Bg1l9wIozE3pvw
+XyRbd3rAkFECAwEAAaNrMGkwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oV
+lMcwHQYDVR0OBBYEFHeQkes2kV9nbiKaIemSfMP1WNMPMA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAW5OD
+GSTMa2KPAQpLgH0nrncEH6jRAkyk6il7E2N0bz1KJP1itGDbzdrNTtMTs0rD9waM
+K3JrQGfALXvoj0+PD+Z/AbrpO3WKKuDkKOjIPt4Yyf59K36K0ZLKk6zID6ilR6Em
+0BaM9OimGTwDaij8MOU8FMuwXFgOu/wPciMU18s=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNegativeSerialNumberTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNegativeSerialNumberTest14.pem
new file mode 100644
index 0000000000..9a22bdd53d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNegativeSerialNumberTest14.pem
@@ -0,0 +1,114 @@
+subject=/C=US/O=Test Certificates/CN=Negative Serial Number CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfzCCAeigAwIBAgIBETANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZTmVnYXRpdmUg
+U2VyaWFsIE51bWJlciBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw5yD
+rVmP3dVETqSrKKVXvXWAnpc5K5Xh6mhHBvy/YpoERigE1MP8A/6eE3mY6OnMJVAh
+QJRWniYBrIDg5zR873cTAbn1O7MwSfs3LLxEO81iAf2k4nFFxAGtQp5AUwx0cQVK
+8oMVty8BEcAkazVA87HQgpycQySqDLmklHNqkncCAwEAAaN8MHowHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJCMpyNNS/fqobISh7nA
+0w4zWMuCMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBYz9xXPhMcniA6W0RG
+0A59JbhJJpAZmnLBusWQjWYIZsVit1M1OXc/zDGAP/ik3blednL+t+wbdJc1qg9m
+4bgoXS14lg+6IGMF2VWcoKkDJDIHpkVrdQc9WGNm0qqPyHGW0ggbi5VrBv1potkF
+xBtl1WkY3ZTLuI71pJ15ebGZ/A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Negative Serial Number EE Certificate Test14
+issuer=/C=US/O=Test Certificates/CN=Negative Serial Number CA
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgICAP8wDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQDExlOZWdhdGl2ZSBT
+ZXJpYWwgTnVtYmVyIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+ZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTswOQYD
+VQQDEzJWYWxpZCBOZWdhdGl2ZSBTZXJpYWwgTnVtYmVyIEVFIENlcnRpZmljYXRl
+IFRlc3QxNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyaurbJH9ZU3CCKl1
+jedpYcQntOZVxoXqpoC11EXMnSgUPLtVfWuoClVqZaOYnkz2hX1aomA+hGT62UOh
+f1CSywco7QnAAlWwu42zT5iJabaCruBWz/PqdvWkSWzcrMfuyybPEsil8hgaN0yl
+VNXZvUwPUtfwUndR4UltFdPmJPUCAwEAAaNrMGkwHwYDVR0jBBgwFoAUkIynI01L
+9+qhshKHucDTDjNYy4IwHQYDVR0OBBYEFB28YeqZDPts27Viz5LcntslD4A4MA4G
+A1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcN
+AQEFBQADgYEAJeShrxatt7S4H209vnaUvVpExfX57AGRT2t2QVz6ztEWMt+BGBQN
+FUeSeU03d2ot+fwxxvrmUcG9ofkKIP69tTUgObSRfwC39UjKModur68cBjYqscl8
+d5fI2pAS/xXHK/+OoBBAmHgAiuMMbWhQn7ZCI0qJT/t4eHAjQlh5/SI=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Negative Serial Number CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:90:8C:A7:23:4D:4B:F7:EA:A1:B2:12:87:B9:C0:D3:0E:33:58:CB:82
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: -01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 7d:55:77:de:74:f8:ae:25:02:35:ad:53:74:92:6f:89:f9:ed:
+ b3:4c:bf:a7:70:b1:0e:20:4a:c3:03:7f:a9:99:01:5b:5a:a0:
+ 67:df:cd:74:08:d6:80:2d:ca:f7:c0:be:9e:68:35:d3:79:89:
+ 45:a7:6e:f2:75:86:e5:28:d0:00:2c:96:14:03:96:eb:75:d0:
+ fa:a7:78:f8:50:e7:70:6b:cc:1a:9d:8a:30:1e:c5:5d:22:a9:
+ ef:dd:07:48:85:87:d6:2f:15:02:d0:07:81:2c:bf:fa:c6:ce:
+ 49:03:44:08:37:f3:f3:79:b1:61:ab:c7:f9:21:29:3f:4f:cb:
+ 36:c0
+-----BEGIN X509 CRL-----
+MIIBajCB1AIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGU5lZ2F0aXZlIFNlcmlhbCBO
+dW1iZXIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgH/Fw0w
+MTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1UdIwQYMBaAFJCMpyNN
+S/fqobISh7nA0w4zWMuCMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAH1V
+d950+K4lAjWtU3SSb4n57bNMv6dwsQ4gSsMDf6mZAVtaoGffzXQI1oAtyvfAvp5o
+NdN5iUWnbvJ1huUo0AAslhQDlut10PqnePhQ53BrzBqdijAexV0iqe/dB0iFh9Yv
+FQLQB4Esv/rGzkkDRAg38/N5sWGrx/khKT9PyzbA
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNoissuingDistributionPointTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNoissuingDistributionPointTest10.pem
new file mode 100644
index 0000000000..88bd982c69
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNoissuingDistributionPointTest10.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/OU=No issuingDistributionPoint CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBTDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUGA1UECxMeTm8gaXNzdWlu
+Z0Rpc3RyaWJ1dGlvblBvaW50IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQC+7yNDGaK8AFxVWkjA1JkTRG1Ze29lXbN/99oD+Gw2q2C9yJHbDB2tcVCeM2wJ
+8pbpFvzPv6TEGbmHVkvO32/pu/fhM5cGgzsZxXvEaQi6+Kb0nasof2lHEnO5T8BO
+HGaef+bGmAPcnJWU3QPU6Ni7kv0b9HLPi9BNFdaUGU+65wIDAQABo3wwejAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQULBOPxQ4nI9HR
+Qd/fYYS5T/Ey7DEwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAItv1utyf+4Z
+3pR/ExgGC7oEyQ8VZYYdil+JMtcrqExHY/zVEbgu4Cq1JTu3uC2MGAYO7BD2aVGI
+0g9Ij/ikkEZ2G2mW3Lqar9JL/57BgPyEwIlp9czHYCx4M0tewGXoBeQdmeHK6O+9
+YJS+QJZz/98L8lfp6mHuGoZid1McgVLT
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid No issuingDistributionPoint EE Certificate Test10
+issuer=/C=US/O=Test Certificates/OU=No issuingDistributionPoint CA
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAn6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAsTHk5vIGlzc3VpbmdE
+aXN0cmlidXRpb25Qb2ludCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMGsxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFA
+MD4GA1UEAxM3VmFsaWQgTm8gaXNzdWluZ0Rpc3RyaWJ1dGlvblBvaW50IEVFIENl
+cnRpZmljYXRlIFRlc3QxMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuYMU
+46Qzp+krE4xNOAL0bJYv9lOdlPMvMyU1ObejWulK7jGlVjYtf+KtVV+/BCajxoDZ
+LTSqx7R2RSJMaVQ41OzI3aHD5rR0M/ktYNhTotwcy0tFJQ6nwub0fTsjBLPSZZ6M
+UjGg5tiHZ0c/lBKBJj7BTY61F7kTWO5M7Dgz6XkCAwEAAaOB4TCB3jAfBgNVHSME
+GDAWgBQsE4/FDicj0dFB399hhLlP8TLsMTAdBgNVHQ4EFgQUpv9aWeCQYlWo0eBZ
+Sr+FnrT5hmgwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATBzBgNVHR8EbDBqMGigZqBkpGIwYDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMScwJQYDVQQLEx5ObyBpc3N1aW5nRGlzdHJpYnV0aW9u
+UG9pbnQgQ0ExDDAKBgNVBAMTA0NSTDANBgkqhkiG9w0BAQUFAAOBgQAnygifO5CB
+a6drkb7+IIxC6kXu8iPf648/puVdI4z8+u6p7gNdiaLEFmOPTQ8UDz2ih5aIHHl0
+hC5DWNF5udEHFCzGgMarH2kgkM08thSsxhe0rfAAjGVbGEQWpFWDS0+CXTEYLu2S
+A0fgLzVvlU+60EmmSDdOwNMTeKmElbD6fw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=No issuingDistributionPoint CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:2C:13:8F:C5:0E:27:23:D1:D1:41:DF:DF:61:84:B9:4F:F1:32:EC:31
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:8e:a7:dd:16:a9:a6:c2:0d:1a:ba:ee:cc:e6:7a:59:dd:b1:
+ 9b:f2:70:22:7e:c4:3a:eb:9c:95:0b:63:0c:39:df:67:b8:5e:
+ 14:7c:b8:83:75:d8:de:35:fd:9d:bc:1f:2b:87:89:ae:82:85:
+ de:35:26:ab:f9:40:16:ae:6c:9e:9a:b0:b5:97:5f:c8:19:7e:
+ 7e:de:96:79:0b:7d:df:5c:8d:05:a5:99:fa:b5:bc:ad:f8:af:
+ 9d:7c:75:de:70:73:0e:ae:1e:08:e1:7b:36:8b:23:21:99:bc:
+ 8b:6c:2d:de:90:f3:c5:df:7f:15:c1:69:89:15:a5:b5:09:21:
+ 80:c4
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAsTHk5vIGlzc3VpbmdEaXN0cmli
+dXRpb25Qb2ludCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAULBOPxQ4nI9HRQd/fYYS5T/Ey7DEwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEADI6n3RappsINGrruzOZ6Wd2xm/JwIn7EOuuclQtjDDnf
+Z7heFHy4g3XY3jX9nbwfK4eJroKF3jUmq/lAFq5snpqwtZdfyBl+ft6WeQt931yN
+BaWZ+rW8rfivnXx13nBzDq4eCOF7NosjIZm8i2wt3pDzxd9/FcFpiRWltQkhgMQ=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest1.pem
new file mode 100644
index 0000000000..d149d03e72
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest1.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Mapping 1to2 CA
+-----BEGIN CERTIFICATE-----
+MIICgTCCAeqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD01hcHBpbmcgMXRv
+MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMF0xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEyMDAGA1UEAxMpVmFsaWQg
+UG9saWN5IE1hcHBpbmcgRUUgQ2VydGlmaWNhdGUgVGVzdDEwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBALgTGZf83aaKeqRSCQeN8oi48i9I5mqVX9efN9WkjfAK
+0nLfV0GeAH/Y/LTtj99jOSIb2O1g4ayQ2SHb1v1UzTznfAyhVci9Oo7WBv5b5MMj
++YezniLhIS7ChaLLIXfseVOQx53crjUb+/hfbyPMF4tkeKwNTVkExpxhq3Yp1MLR
+AgMBAAGjazBpMB8GA1UdIwQYMBaAFDc7iqG6jad0m8Dr1jnLIQyNo1Z9MB0GA1Ud
+DgQWBBR4R7AhWkyFIZrXxZjG6W4kxTE3YjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATACMA0GCSqGSIb3DQEBBQUAA4GBAAqwYJLUYNcvDniG
+4QbRntW//ZZ/jickxsLRWl6odrI5ecwfekAm8+zhuhtPTNJE4DvDEpZQDtzyRxQF
+ajMjlWFIZ0TehZVSSLGCX+DXAMgp2YxiDjIH8KsbiFT723q1y02U1RPVFiU4Oik0
++3Cc7V4svmKHw4Dw+GWM/WuMHwJK
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Mapping 1to2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICrTCCAhagAwIBAgIBMDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPTWFwcGluZyAx
+dG8yIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXwTHRx8gVHWtSe1VX
+oLPFQmGX4Y0U4v535jowfMd9254hmwW4VbZzK7rrXGOAimFxGHKwa7mkPEo80MIW
+8YQC5HZs3jaXLh/xsmV1qlzwceCXooef+wu8W0pgoJ63MmY+ZJWiNK2ygRV/EVFF
+x2ii8ZGDW+SKEX2WIYI7JhmcTQIDAQABo4GzMIGwMB8GA1UdIwQYMBaAFPts1C2B
+nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ3O4qhuo2ndJvA69Y5yyEMjaNWfTAO
+BgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB
+/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/
+MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEAphAVDZECciXjDiCta9HU
+ZubezLaRjcl0IaUmTlvuhUqkfGG2x1KhB6QTq7JGCmBrlxL93qhU+8sGW1k26/3p
+c3hc60bKZ5oBG96iN05oLWWF3udbqBESMO7gn1zX14s97qLtuqQAyuERy2L2uOkk
+n/emInqTFTixe284WjHR3XY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Mapping 1to2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:37:3B:8A:A1:BA:8D:A7:74:9B:C0:EB:D6:39:CB:21:0C:8D:A3:56:7D
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 29:63:8c:57:a4:35:bb:2c:2e:a0:1e:7e:c1:e2:0e:39:2c:83:
+ d6:5f:29:3a:03:70:63:aa:1f:42:e8:fd:3f:64:f6:8b:ad:86:
+ 27:c3:a6:5d:48:9d:ef:6d:bc:be:7a:24:a9:6d:b0:4e:4d:58:
+ 4f:52:c8:bf:dc:70:7c:ea:8d:5e:54:12:db:5d:62:c5:63:06:
+ 2e:00:b4:d2:fa:51:6c:da:3f:41:04:36:14:ce:63:b5:46:e6:
+ 7d:10:01:db:50:07:69:82:6a:34:45:0b:38:5e:f2:d5:8b:77:
+ e4:ea:6a:7f:9a:18:fa:74:ed:b4:5a:ba:68:f2:68:c4:d2:55:
+ 17:9e
+-----BEGIN X509 CRL-----
+MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD01hcHBpbmcgMXRvMiBDQRcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUNzuK
+obqNp3SbwOvWOcshDI2jVn0wCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+KWOMV6Q1uywuoB5+weIOOSyD1l8pOgNwY6ofQuj9P2T2i62GJ8OmXUid7228vnok
+qW2wTk1YT1LIv9xwfOqNXlQS211ixWMGLgC00vpRbNo/QQQ2FM5jtUbmfRAB21AH
+aYJqNEULOF7y1Yt35Opqf5oY+nTttFq6aPJoxNJVF54=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest11.pem
new file mode 100644
index 0000000000..fb6f7653a8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest11.pem
@@ -0,0 +1,172 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test11
+issuer=/C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0Eg
+UGFueVBvbGljeSBNYXBwaW5nIDF0bzIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBeMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxMzAxBgNVBAMTKlZhbGlkIFBvbGljeSBNYXBwaW5nIEVFIENlcnRpZmljYXRl
+IFRlc3QxMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqoi/6nU3Hb2K96/H
++9K+tll1HEWk3nCTUyNxX51p/j2CU0KannQFFBA/eohAi2m9L5Yo8awWKb1S3Bya
+vEGNPsdIVYLlSJG9P1epb+In0KNB8zN+UZv9Zrahi/B/3SFS1qUgTV4yLI0/V2n1
+r3YmjyOxr4h+Zqs6X90lEEh4mmsCAwEAAaNrMGkwHwYDVR0jBBgwFoAUkdfhtaSW
+CJHxonEvZtkne0qCk5owHQYDVR0OBBYEFD+Y+xstb3NLUv3ikgoUQ21QbUC7MA4G
+A1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAIwDQYJKoZIhvcN
+AQEFBQADgYEAI17tZ0uZ0tu3HpgcRcjJR6m4HmsRao6CJ+ew7HfvWfVRE3x86Deq
+VFDnp9mCv8VKw0ChV4tPFdkw+ceSsgThjSHvxZbghFC6YnG5Ymj9X/zjl4NCujCQ
+Cw37Mi1UZYryKZ7+qODmExTxKry4nIvSUvYei8wDynu54uzjbKv7Jc8=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICtTCCAh6gAwIBAgIBFjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0EgUGFu
+eVBvbGljeSBNYXBwaW5nIDF0bzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ANGY6UqVJ9oB3KneANaPiYS3vFaEAo7CVhPn358boVTv2/wQv8iwT9MvDcASa4Fi
+5kaob+B5k7T8qjNOtxaZJb69UDUDsAYww6r/NK5pkS1KNf7CJZW6/RQC06GsivKO
+kQoudXfGEjAMhmHNuEXS4biTlRuVUXJqLPq2yLwAJPZ1AgMBAAGjga0wgaowHwYD
+VR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYEFJHX4bWklgiR
+8aJxL2bZJ3tKgpOaMA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIAAw
+JgYDVR0hAQH/BBwwGjAYBgpghkgBZQMCATABBgpghkgBZQMCATACMA8GA1UdEwEB
+/wQFMAMBAf8wDAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQBNuXYJvgOn
+wez9J/K4ZZhWpMPo/7Qso2S6BAoJh7QdTymJKxD6nDnPwetIpbQkbEtq+V30ZA+o
+6v+0cntT/I7cm9JKOXMOKn35BODzS8u5UJTDwWc/l5SA0scCSRfTT9LJambCyz+m
+C0/k+v5zw5VpFozVY4FoV4/KnwIhJPuDwg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good subCA PanyPolicy Mapping 1to2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:91:D7:E1:B5:A4:96:08:91:F1:A2:71:2F:66:D9:27:7B:4A:82:93:9A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 97:e7:b7:e3:46:cf:59:49:72:d2:0e:de:0e:f6:c3:1a:ca:34:
+ 59:50:f1:2d:fb:11:31:f7:bb:b2:f7:dd:0e:fb:bd:6b:7a:7f:
+ e7:dd:02:be:6c:7b:36:1c:49:50:38:d9:85:67:97:a5:0f:84:
+ 49:de:8a:d5:0b:d0:36:fc:6c:4a:82:cb:83:73:ed:1e:af:31:
+ dc:0f:6f:eb:69:18:67:b7:fb:1e:a8:1d:a5:36:84:dd:05:72:
+ 52:f1:51:e1:93:6a:ff:2f:92:6b:7a:c1:67:90:0b:7f:66:0e:
+ f1:83:22:d9:52:5e:f7:58:5d:5c:7a:1b:69:84:91:da:b1:18:
+ 11:c2
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTIkdvb2Qgc3ViQ0EgUGFueVBv
+bGljeSBNYXBwaW5nIDF0bzIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFJHX4bWklgiR8aJxL2bZJ3tKgpOaMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAJfnt+NGz1lJctIO3g72wxrKNFlQ8S37ETH3u7L3
+3Q77vWt6f+fdAr5sezYcSVA42YVnl6UPhEneitUL0Db8bEqCy4Nz7R6vMdwPb+tp
+GGe3+x6oHaU2hN0FclLxUeGTav8vkmt6wWeQC39mDvGDItlSXvdYXVx6G2mEkdqx
+GBHC
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest12.pem
new file mode 100644
index 0000000000..2f35a62def
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest12.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICvzCCAiigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTUDEyIE1hcHBp
+bmcgMXRvMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmTEwLH6u6mb6
+kvz4ulbBVFC2Ea6WdEv2uH/vNi23mER2Nl+xAbeopiy3OLEiXavvD3uvVjX0bSOH
+BGk2j/ern/Urw6djfKt5V4O3NMYi6Grvfm346kdutjJuBcNlhLOE8mLXUguspocr
+AoAEjrQtuS4Bkb9A5wj3OYy4jr2JhtMCAwEAAaOBwTCBvjAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUreIKE61SbSWszamYogoEaK1y
+rrIwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpg
+hkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEw
+AzAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQAD
+gYEAEelnHhW6SAs3Zj4a5YMVTKDe7vCThen9bA1Awt3yFincViRt5/s2ZyzTN5fr
+Xi+2m42Gm+Anb3D7rpV9IJ/PahHq4yrKSrcAzhT3IcHbuHFNwiw8Z3T+31hhjJUx
+3atYpYOZZPYwuT0inFHJWRfBNA8NGBtqYlxI1C+/ucdy7ik=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test12
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+-----BEGIN CERTIFICATE-----
+MIIEKDCCA5GgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5n
+IDF0bzMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBeMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMzAxBgNVBAMTKlZh
+bGlkIFBvbGljeSBNYXBwaW5nIEVFIENlcnRpZmljYXRlIFRlc3QxMjCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAiDGZx3j4WZj3UIYQBpID5IJr0ES7lhC5FAa2
+ErfScZEz3LrPW5r859dobtF5TBB1IGznyZmZBhwl2vmDMTOAJV827Mwn19ELd+Vx
+wAtFUtNszWAw1CQdx+kH+WJka6JxXPNQGWzgn/Q+Cbrq5BStqcZTHtF1NhVX4c+/
+9RdkUesCAwEAAaOCAgswggIHMB8GA1UdIwQYMBaAFK3iChOtUm0lrM2pmKIKBGit
+cq6yMB0GA1UdDgQWBBTkwpjC2Np+iZ8a8Y6b6DTyrLrvrzAOBgNVHQ8BAf8EBAMC
+BPAwggGzBgNVHSAEggGqMIIBpjCB2AYKYIZIAWUDAgEwAzCByTCBxgYIKwYBBQUH
+AgIwgbkagbZxNzogIFRoaXMgaXMgdGhlIHVzZXIgbm90aWNlIGZyb20gcXVhbGlm
+aWVyIDcgYXNzb2NpYXRlZCB3aXRoIE5JU1QtdGVzdC1wb2xpY3ktMy4gIFRoaXMg
+dXNlciBub3RpY2Ugc2hvdWxkIGJlIGRpc3BsYXllZCB3aGVuICBOSVNULXRlc3Qt
+cG9saWN5LTEgaXMgaW4gdGhlIHVzZXItY29uc3RyYWluZWQtcG9saWN5LXNldDCB
+yAYEVR0gADCBvzCBvAYIKwYBBQUHAgIwga8agaxxODogIFRoaXMgaXMgdGhlIHVz
+ZXIgbm90aWNlIGZyb20gcXVhbGlmaWVyIDggYXNzb2NpYXRlZCB3aXRoIGFueVBv
+bGljeS4gIFRoaXMgdXNlciBub3RpY2Ugc2hvdWxkIGJlIGRpc3BsYXllZCB3aGVu
+IE5JU1QtdGVzdC1wb2xpY3ktMiBpcyBpbiB0aGUgdXNlci1jb25zdHJhaW5lZC1w
+b2xpY3ktc2V0MA0GCSqGSIb3DQEBBQUAA4GBACzi00c5I7zzf41Ca5Ln8KYqgDts
+W6Jh0j2NzYtm2W1us5l1tx6UsE5uygoREiVScCXanYaKtiwW5QDqMZb/Uu+izmIW
+QRefqnHnyJqXxKQx8UwS+yNaIjT+ph7SJNF/DQrNwYWtNBD1vKhcNe8MDKWjAr9J
+P7k+rI8qg8ug3og+
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:E2:0A:13:AD:52:6D:25:AC:CD:A9:98:A2:0A:04:68:AD:72:AE:B2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 94:34:62:ba:34:51:b4:ad:dd:01:40:fe:3d:eb:bc:6c:7c:89:
+ cb:f0:7e:e5:38:03:50:93:5b:68:ba:d1:ca:14:39:ec:a8:9c:
+ 37:24:c3:0f:01:eb:14:67:8c:07:fc:37:1f:bb:45:b9:4f:5f:
+ 56:ad:f3:85:03:23:a8:bd:93:1c:ca:01:e8:b5:1c:c8:60:18:
+ 13:95:bf:5a:11:11:b2:3c:3c:27:69:bf:97:08:c0:b7:4a:7a:
+ 39:5e:03:2c:67:5a:11:a0:4f:6f:8d:70:4e:e2:b5:31:73:2a:
+ bf:5b:15:af:5b:4e:14:e0:73:5b:f1:2d:cd:bc:75:44:42:d4:
+ da:3b
+-----BEGIN X509 CRL-----
+MIIBQDCBqgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5nIDF0bzMg
+Q0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaA
+FK3iChOtUm0lrM2pmKIKBGitcq6yMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA
+A4GBAJQ0Yro0UbSt3QFA/j3rvGx8icvwfuU4A1CTW2i60coUOeyonDckww8B6xRn
+jAf8Nx+7RblPX1at84UDI6i9kxzKAei1HMhgGBOVv1oREbI8PCdpv5cIwLdKejle
+AyxnWhGgT2+NcE7itTFzKr9bFa9bThTgc1vxLc28dURC1No7
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest13.pem
new file mode 100644
index 0000000000..2399b4163c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest13.pem
@@ -0,0 +1,117 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test13
+issuer=/C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+-----BEGIN CERTIFICATE-----
+MIICjjCCAfegAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1AxYW55UG9saWN5
+IE1hcHBpbmcgMXRvMiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MF4xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEzMDEG
+A1UEAxMqVmFsaWQgUG9saWN5IE1hcHBpbmcgRUUgQ2VydGlmaWNhdGUgVGVzdDEz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr5cG4yqBgXjIPkt7dHP/MFNci
+pUHmbTfWoxKfaC+QY/7vElma6sMegYccM49fDN8CJSa7iF0vwS05cS1euHk2PfLF
+nJJamoTpf2iKxjqy6wemAmTH1cnEAtuhyArNadJXjvFmwV8bxyyaFW4GGnMj+yFe
+IJoTD65IuQMOLLg+xwIDAQABo2swaTAfBgNVHSMEGDAWgBQtN9I/nlnZ5r5Xovdr
+DxCCpq0D7jAdBgNVHQ4EFgQU3ZrqolFiawE0EWsHD7qUUa6V4pkwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjANBgkqhkiG9w0BAQUFAAOB
+gQDgNwimYbq6g5crdMRHe8S69POQl1I4Qg6ZD511fwO2OUU/rmIbvqW5faGKHPMq
+Ubun6DrzamYGfx8HCa/vn46jaRVC2tTqXgiy6aWGMHv4MJl1bxS/yR8hqdTEWjG5
+GFkA7UWgU8A3MmmIUaBCs2QK5ZqTmsYuqX2inlGtBcvTrQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIEHjCCA4egAwIBAgIBNjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbUDFhbnlQb2xp
+Y3kgTWFwcGluZyAxdG8yIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDs
+qiRQp8ZU1kWOS/tvtPAlHT9dGf17useanNh/sRHafDBRsOVVlS+kMA8Ti/8uecSP
+PEMznqfzcf7wvC64FNOt2P3rD/W3oZ7MShTLQF6C5mqsh8A4T+DDgdhNG5xtOAfg
+buRxp+A4KybQ7YMzRHnb5Z6UEKCAOv1NmaQpQU6lFQIDAQABo4ICFzCCAhMwHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFC030j+eWdnm
+vlei92sPEIKmrQPuMA4GA1UdDwEB/wQEAwIBBjCCAXgGA1UdIASCAW8wggFrMIG5
+BgpghkgBZQMCATABMIGqMIGnBggrBgEFBQcCAjCBmhqBl3E5OiAgVGhpcyBpcyB0
+aGUgdXNlciBub3RpY2UgZnJvbSBxdWFsaWZpZXIgOSBhc3NvY2lhdGVkIHdpdGgg
+TklTVC10ZXN0LXBvbGljeS0xLiAgVGhpcyB1c2VyIG5vdGljZSBzaG91bGQgYmUg
+ZGlzcGxheWVkIGZvciBWYWxpZCBQb2xpY3kgTWFwcGluZyBUZXN0MTMwgawGBFUd
+IAAwgaMwgaAGCCsGAQUFBwICMIGTGoGQcTEwOiAgVGhpcyBpcyB0aGUgdXNlciBu
+b3RpY2UgZnJvbSBxdWFsaWZpZXIgMTAgYXNzb2NpYXRlZCB3aXRoIGFueVBvbGlj
+eS4gIFRoaXMgdXNlciBub3RpY2Ugc2hvdWxkIGJlIGRpc3BsYXllZCBmb3IgVmFs
+aWQgUG9saWN5IE1hcHBpbmcgVGVzdDE0MCYGA1UdIQEB/wQcMBowGAYKYIZIAWUD
+AgEwAQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAw
+DQYJKoZIhvcNAQEFBQADgYEAqZ6Cif011+oMzp6bcMsfzt9sTBgpT4l35AbTC5sm
+zp3ur8X5X2G604yKkSXe1cf0F+fZSE6zjwizb1YG0owt1eGWSxCdAlkIFRang7OG
+Z93bEKBx3ysDYCKvemx0f3shGqJVVzMBo6JP6JX7Jnn385UdwdKO2dWzVhHXsP+P
+9sY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:2D:37:D2:3F:9E:59:D9:E6:BE:57:A2:F7:6B:0F:10:82:A6:AD:03:EE
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:52:84:5c:c6:67:e1:f5:70:94:c5:af:b8:de:1f:38:dc:b0:
+ 65:8a:69:80:b5:9a:f9:2f:6c:13:8e:83:5a:5b:33:01:1c:d2:
+ a9:c6:c7:09:92:cd:17:9f:bc:f4:30:d8:bf:8e:05:c0:98:d4:
+ dc:be:b5:31:80:76:30:f8:35:48:45:a5:25:2a:92:df:1d:ae:
+ 4c:88:5e:34:d5:ea:39:8c:f2:e4:c7:e4:c1:35:45:3b:6f:6f:
+ f3:81:e3:2f:43:ad:ae:e3:98:3a:7e:0e:48:51:cc:a8:15:38:
+ ce:38:31:9c:36:5e:a0:eb:f5:16:e9:43:a9:5f:77:a4:bc:44:
+ c4:0b
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1AxYW55UG9saWN5IE1hcHBp
+bmcgMXRvMiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAULTfSP55Z2ea+V6L3aw8QgqatA+4wCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAVlKEXMZn4fVwlMWvuN4fONywZYppgLWa+S9sE46DWlszARzS
+qcbHCZLNF5+89DDYv44FwJjU3L61MYB2MPg1SEWlJSqS3x2uTIheNNXqOYzy5Mfk
+wTVFO29v84HjL0OtruOYOn4OSFHMqBU4zjgxnDZeoOv1FulDqV93pLxExAs=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest14.pem
new file mode 100644
index 0000000000..10b7912099
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest14.pem
@@ -0,0 +1,117 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test14
+issuer=/C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+-----BEGIN CERTIFICATE-----
+MIICjjCCAfegAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1AxYW55UG9saWN5
+IE1hcHBpbmcgMXRvMiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MF4xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEzMDEG
+A1UEAxMqVmFsaWQgUG9saWN5IE1hcHBpbmcgRUUgQ2VydGlmaWNhdGUgVGVzdDE0
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw0i1MxqkhMcbORFEu5k6Y4Q0R
+5QY60nT/GZQrbH5OZMueDjhFLTTPfxvN9VWue6NgkPLQ/NgPlm0+DDz0+4dyMi0F
+h93v/27ZAOtBk0eTVvvsCvAyD5EBqW1PWcZHX3oWyaY9AWM2JHrZv8M/toQ4CA2V
+yJOzEOf1bJBfj+SUcQIDAQABo2swaTAfBgNVHSMEGDAWgBQtN9I/nlnZ5r5Xovdr
+DxCCpq0D7jAdBgNVHQ4EFgQUBBCEgvxOOcAPi/H2IhqSJnWk9mgwDgYDVR0PAQH/
+BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOB
+gQAg9tR9jL/eux79Ixd+MLGGfc6YC+FUqLyNErhpSQ7FiCc1jPwAFfyuPLiyBmJS
+k601bFn5fO2LKSSocHH9ezXT+x0XHajvaNlNd2w8YXKtrW5ogwty9q21c4VCuLrE
+ej5cBZPdSyp4RBkdBnjfPc2vRW6x0g3EMA03aYr0Sc712w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIEHjCCA4egAwIBAgIBNjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbUDFhbnlQb2xp
+Y3kgTWFwcGluZyAxdG8yIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDs
+qiRQp8ZU1kWOS/tvtPAlHT9dGf17useanNh/sRHafDBRsOVVlS+kMA8Ti/8uecSP
+PEMznqfzcf7wvC64FNOt2P3rD/W3oZ7MShTLQF6C5mqsh8A4T+DDgdhNG5xtOAfg
+buRxp+A4KybQ7YMzRHnb5Z6UEKCAOv1NmaQpQU6lFQIDAQABo4ICFzCCAhMwHwYD
+VR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFC030j+eWdnm
+vlei92sPEIKmrQPuMA4GA1UdDwEB/wQEAwIBBjCCAXgGA1UdIASCAW8wggFrMIG5
+BgpghkgBZQMCATABMIGqMIGnBggrBgEFBQcCAjCBmhqBl3E5OiAgVGhpcyBpcyB0
+aGUgdXNlciBub3RpY2UgZnJvbSBxdWFsaWZpZXIgOSBhc3NvY2lhdGVkIHdpdGgg
+TklTVC10ZXN0LXBvbGljeS0xLiAgVGhpcyB1c2VyIG5vdGljZSBzaG91bGQgYmUg
+ZGlzcGxheWVkIGZvciBWYWxpZCBQb2xpY3kgTWFwcGluZyBUZXN0MTMwgawGBFUd
+IAAwgaMwgaAGCCsGAQUFBwICMIGTGoGQcTEwOiAgVGhpcyBpcyB0aGUgdXNlciBu
+b3RpY2UgZnJvbSBxdWFsaWZpZXIgMTAgYXNzb2NpYXRlZCB3aXRoIGFueVBvbGlj
+eS4gIFRoaXMgdXNlciBub3RpY2Ugc2hvdWxkIGJlIGRpc3BsYXllZCBmb3IgVmFs
+aWQgUG9saWN5IE1hcHBpbmcgVGVzdDE0MCYGA1UdIQEB/wQcMBowGAYKYIZIAWUD
+AgEwAQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAw
+DQYJKoZIhvcNAQEFBQADgYEAqZ6Cif011+oMzp6bcMsfzt9sTBgpT4l35AbTC5sm
+zp3ur8X5X2G604yKkSXe1cf0F+fZSE6zjwizb1YG0owt1eGWSxCdAlkIFRang7OG
+Z93bEKBx3ysDYCKvemx0f3shGqJVVzMBo6JP6JX7Jnn385UdwdKO2dWzVhHXsP+P
+9sY=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1anyPolicy Mapping 1to2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:2D:37:D2:3F:9E:59:D9:E6:BE:57:A2:F7:6B:0F:10:82:A6:AD:03:EE
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:52:84:5c:c6:67:e1:f5:70:94:c5:af:b8:de:1f:38:dc:b0:
+ 65:8a:69:80:b5:9a:f9:2f:6c:13:8e:83:5a:5b:33:01:1c:d2:
+ a9:c6:c7:09:92:cd:17:9f:bc:f4:30:d8:bf:8e:05:c0:98:d4:
+ dc:be:b5:31:80:76:30:f8:35:48:45:a5:25:2a:92:df:1d:ae:
+ 4c:88:5e:34:d5:ea:39:8c:f2:e4:c7:e4:c1:35:45:3b:6f:6f:
+ f3:81:e3:2f:43:ad:ae:e3:98:3a:7e:0e:48:51:cc:a8:15:38:
+ ce:38:31:9c:36:5e:a0:eb:f5:16:e9:43:a9:5f:77:a4:bc:44:
+ c4:0b
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1AxYW55UG9saWN5IE1hcHBp
+bmcgMXRvMiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAULTfSP55Z2ea+V6L3aw8QgqatA+4wCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAVlKEXMZn4fVwlMWvuN4fONywZYppgLWa+S9sE46DWlszARzS
+qcbHCZLNF5+89DDYv44FwJjU3L61MYB2MPg1SEWlJSqS3x2uTIheNNXqOYzy5Mfk
+wTVFO29v84HjL0OtruOYOn4OSFHMqBU4zjgxnDZeoOv1FulDqV93pLxExAs=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest3.pem
new file mode 100644
index 0000000000..d5af222303
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest3.pem
@@ -0,0 +1,214 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVAxMiBNYXBwaW5n
+IDF0bzMgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBd
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMjAwBgNV
+BAMTKVZhbGlkIFBvbGljeSBNYXBwaW5nIEVFIENlcnRpZmljYXRlIFRlc3QzMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLjaVgcxBArg5ZjazYxWoHTBcfcT/5
+qsS4WoFj+0UELOPixTqQjmJofe3JKjHSI1h9yiTTiyrDVRkKB3DPYLo8zkv7HQeJ
+sleZKw3rgNtSOKuMY/9E5Pex3Q77pOCXZES31n/xZ1BRfCHAkhA6QxSoePkp7Au0
+6R9jYczfn3FZwwIDAQABo2swaTAfBgNVHSMEGDAWgBT2LLG3KbWulX+w+DlBUy0u
+DwTjxzAdBgNVHQ4EFgQUx21mI2aVCGSW1qLGljar1+6L7JUwDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwCDANBgkqhkiG9w0BAQUFAAOBgQAI
+oGNjmv/QvuGxJUK+dcyZqM4egLTHcIlgtNw5QURIbyQz+p0EkQqlEly1G1f6jZg7
+yi0vbf2ng8f39I50HeqyGHay1/H9Koq5m0K+a9GV2mi0huLFL96U7b64ELF0z371
+W/OSduqoyZhrzBnTSuNoiqmlAlV8Z+TXjVSp1HX3Ew==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICvzCCAiigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UEAxMTUDEyIE1hcHBp
+bmcgMXRvMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmTEwLH6u6mb6
+kvz4ulbBVFC2Ea6WdEv2uH/vNi23mER2Nl+xAbeopiy3OLEiXavvD3uvVjX0bSOH
+BGk2j/ern/Urw6djfKt5V4O3NMYi6Grvfm346kdutjJuBcNlhLOE8mLXUguspocr
+AoAEjrQtuS4Bkb9A5wj3OYy4jr2JhtMCAwEAAaOBwTCBvjAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUreIKE61SbSWszamYogoEaK1y
+rrIwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpg
+hkgBZQMCATACMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEw
+AzAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQAD
+gYEAEelnHhW6SAs3Zj4a5YMVTKDe7vCThen9bA1Awt3yFincViRt5/s2ZyzTN5fr
+Xi+2m42Gm+Anb3D7rpV9IJ/PahHq4yrKSrcAzhT3IcHbuHFNwiw8Z3T+31hhjJUx
+3atYpYOZZPYwuT0inFHJWRfBNA8NGBtqYlxI1C+/ucdy7ik=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+-----BEGIN CERTIFICATE-----
+MIICwTCCAiqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAxMiBNYXBwaW5n
+IDF0bzMgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBNMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMT
+GVAxMiBNYXBwaW5nIDF0bzMgc3Vic3ViQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAJjo4/4TekqllLI7gPzmE2OceB30SRuraEVWVdR/lmFpFTks5fKkqf96
+WjYpnJZwaqE1ZdUQxgeNsswPm4pUAhVmU9IHvqBaM+bNXFsrwBOYYhfZY3xnwcxp
+IZsvkLPuEq1vLwxpn+0zTDOpDGf9zhiTrswEUoGYBwOVqRDaToYdAgMBAAGjgbMw
+gbAwHwYDVR0jBBgwFoAUXcS6eHk0JsNyV9FZ9KPiVKcocdEwHQYDVR0OBBYEFPYs
+sbcpta6Vf7D4OUFTLS4PBOPHMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwG
+CmCGSAFlAwIBMAMwDAYKYIZIAWUDAgEwBDAmBgNVHSEBAf8EHDAaMBgGCmCGSAFl
+AwIBMAQGCmCGSAFlAwIBMAgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF
+AAOBgQCass0kmtqSdWX5lffBs/tSTSvnGK38REo2IwTFLHduO4cvzAyS7ProbF/J
+al8FtT9mdnl+NpwrH4KlFNu+uti47wFj9xov/kbcmp21DvZ/m8ihmStk4FG2r6Ad
+0gdmVfBYem0mOu/1r/F8deNFP/Dpd8w3KFnv3Dd9wZd/Eb5hrg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+issuer=/C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAj6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5n
+IDF0bzMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAx
+MiBNYXBwaW5nIDF0bzMgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+AMsNrOgngQPHY/5QvmR5y8mHOJJ2T8Vjf+3/DPv5eMF+q11urxfCat4faDdtchBa
+QXOWQ2TEy6tqpR7u8UJ2wnI7phld51gAcT2I8V7swo/EM1Ga1i5bWa5G10vPmZw5
+l7QwqT/D6JkHdthcaJdQrBP9zesYPEp13RFQU9mP5451AgMBAAGjgc0wgcowHwYD
+VR0jBBgwFoAUreIKE61SbSWszamYogoEaK1yrrIwHQYDVR0OBBYEFF3Eunh5NCbD
+clfRWfSj4lSnKHHRMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFl
+AwIBMAIwDAYKYIZIAWUDAgEwBTBABgNVHSEBAf8ENjA0MBgGCmCGSAFlAwIBMAIG
+CmCGSAFlAwIBMAQwGAYKYIZIAWUDAgEwBQYKYIZIAWUDAgEwBzAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHwK+aOYJpXAoXSRQ1o82pqD++jA/uvr
+2eJoXbcch64CAdRNuCA7rQoRAx1nSUgjoLmHcTDrowQzodrVXVmCmYqXxB5XswG6
+z5Oj09NorxHxpAs7E/izElYwEXl5n0NMInD6S2r1SWOnRpGnCL8PYM3gW+xne8rJ
+CZMIMADOWvrc
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:E2:0A:13:AD:52:6D:25:AC:CD:A9:98:A2:0A:04:68:AD:72:AE:B2
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 94:34:62:ba:34:51:b4:ad:dd:01:40:fe:3d:eb:bc:6c:7c:89:
+ cb:f0:7e:e5:38:03:50:93:5b:68:ba:d1:ca:14:39:ec:a8:9c:
+ 37:24:c3:0f:01:eb:14:67:8c:07:fc:37:1f:bb:45:b9:4f:5f:
+ 56:ad:f3:85:03:23:a8:bd:93:1c:ca:01:e8:b5:1c:c8:60:18:
+ 13:95:bf:5a:11:11:b2:3c:3c:27:69:bf:97:08:c0:b7:4a:7a:
+ 39:5e:03:2c:67:5a:11:a0:4f:6f:8d:70:4e:e2:b5:31:73:2a:
+ bf:5b:15:af:5b:4e:14:e0:73:5b:f1:2d:cd:bc:75:44:42:d4:
+ da:3b
+-----BEGIN X509 CRL-----
+MIIBQDCBqgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAMTE1AxMiBNYXBwaW5nIDF0bzMg
+Q0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaA
+FK3iChOtUm0lrM2pmKIKBGitcq6yMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA
+A4GBAJQ0Yro0UbSt3QFA/j3rvGx8icvwfuU4A1CTW2i60coUOeyonDckww8B6xRn
+jAf8Nx+7RblPX1at84UDI6i9kxzKAei1HMhgGBOVv1oREbI8PCdpv5cIwLdKejle
+AyxnWhGgT2+NcE7itTFzKr9bFa9bThTgc1vxLc28dURC1No7
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5D:C4:BA:78:79:34:26:C3:72:57:D1:59:F4:A3:E2:54:A7:28:71:D1
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 15:bb:13:8f:22:9e:5f:ae:7d:26:76:5b:6f:8d:8b:a4:37:1d:
+ fa:87:83:61:23:70:ca:f2:bd:ba:ae:72:04:3e:0a:21:70:4e:
+ 01:97:4c:e3:16:d0:ef:d9:31:50:6f:5b:ff:51:10:40:73:82:
+ 0f:f2:00:90:1a:bb:f8:93:68:b9:0c:15:9d:b2:c3:5b:56:73:
+ 52:d3:1c:0f:75:2f:51:5b:40:3f:8b:71:42:54:33:af:55:20:
+ c8:ff:bf:ff:68:43:78:93:55:01:fb:7e:4d:db:a8:57:36:34:
+ df:a2:90:75:bb:fa:23:f3:9f:de:e4:4d:92:30:65:8c:f2:64:
+ e0:01
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlAxMiBNYXBwaW5nIDF0bzMg
+c3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFF3Eunh5NCbDclfRWfSj4lSnKHHRMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBABW7E48inl+ufSZ2W2+Ni6Q3HfqHg2EjcMryvbqucgQ+CiFwTgGXTOMW
+0O/ZMVBvW/9REEBzgg/yAJAau/iTaLkMFZ2yw1tWc1LTHA91L1FbQD+LcUJUM69V
+IMj/v/9oQ3iTVQH7fk3bqFc2NN+ikHW7+iPzn97kTZIwZYzyZOAB
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P12 Mapping 1to3 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F6:2C:B1:B7:29:B5:AE:95:7F:B0:F8:39:41:53:2D:2E:0F:04:E3:C7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 6f:b3:1a:29:36:35:76:c7:62:11:6e:e9:29:e6:83:8b:5e:bf:
+ 25:ea:4d:71:56:16:50:25:92:68:a8:a2:e9:4d:09:a3:74:36:
+ e2:9b:c1:52:dd:87:0a:64:98:58:da:6a:96:e6:c4:02:90:d8:
+ cd:4c:10:71:4c:98:1d:bb:d4:8d:7d:74:f9:34:3f:98:f7:8a:
+ 5e:eb:bf:7c:8f:90:2a:7b:c4:f3:29:cc:3c:62:a3:f8:08:c2:
+ 0a:ae:35:92:8d:ed:c0:30:a3:f2:a1:c7:7c:a1:68:1d:b0:48:
+ 4d:c1:4f:50:7f:1f:af:c6:f3:a1:d0:ad:8a:1a:78:05:84:6d:
+ d9:7e
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVAxMiBNYXBwaW5nIDF0bzMg
+c3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFPYssbcpta6Vf7D4OUFTLS4PBOPHMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAG+zGik2NXbHYhFu6Snmg4tevyXqTXFWFlAlkmiooulNCaN0NuKb
+wVLdhwpkmFjaapbmxAKQ2M1MEHFMmB271I19dPk0P5j3il7rv3yPkCp7xPMpzDxi
+o/gIwgquNZKN7cAwo/Khx3yhaB2wSE3BT1B/H6/G86HQrYoaeAWEbdl+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest5.pem
new file mode 100644
index 0000000000..d916bbbbbd
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest5.pem
@@ -0,0 +1,163 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF1AxIE1hcHBpbmcg
+MXRvMjM0IHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTIwMAYDVQQD
+EylWYWxpZCBQb2xpY3kgTWFwcGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu7tA0m9E4vxbGx8d41Nw9YFiUAKWV/rI
+5MXmpuTVeWZr5ELloOLZG/UdWxsbxKWX+FmF+RLDfJ4aAfomI+J/gPjv01gXT0PD
+qXqflxdcvCR8kWU08UNs5Dbks3BtWaR+rF3Zrw/gz9cg6d/fGFn48gjtn8LeQz1w
+vqAP8w3woaECAwEAAaNrMGkwHwYDVR0jBBgwFoAUrQ/vHBeBV326g+8R/4doc9Km
+G5cwHQYDVR0OBBYEFJ/3EWzpeGSBUdimPN2Zptp/EZwFMA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAYwDQYJKoZIhvcNAQEFBQADgYEAmh2B
+OoSik/wvehYBZuSGtFC/NOP3yi9x6PCY/pzav9YZKgJZXeEJF78A5SVPFjP5BJcI
+c6ke+EApOv2lHbViBi7ll5xc+xSh1Ko77NOO4yrlFe8+ZiKz+kXizBsfbcKUYtKN
+KHby2pgphWXv93Xe0fIFKYeSWqoKvL3EHjc8Gtk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+issuer=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFAxIE1hcHBpbmcg
+MXRvMjM0IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSzELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSAwHgYDVQQDExdQ
+MSBNYXBwaW5nIDF0bzIzNCBzdWJDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAuxzFRezTkAVZWZReelvBKELugXp5Eq7O4Ye839Rxl3p/kBRLWiFz+bsyeeMl
+YKC2+df3mBhUm5dDtrttv+oGaGL4bquZgb6X5TNxSHDe/D+3BAyxbFn8Qfq642fP
+QvmHsQYWtT+dP5NUxFpss8ElrWi0X2UEzb5ChUalSf2Vde8CAwEAAaOBzTCByjAf
+BgNVHSMEGDAWgBTMp9HShu8hYwWY780byv/gRLPUkDAdBgNVHQ4EFgQUrQ/vHBeB
+V326g+8R/4doc9KmG5cwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZI
+AWUDAgEwAjAMBgpghkgBZQMCATAEMEAGA1UdIQEB/wQ2MDQwGAYKYIZIAWUDAgEw
+AgYKYIZIAWUDAgEwBTAYBgpghkgBZQMCATAEBgpghkgBZQMCATAGMA8GA1UdEwEB
+/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACas+sr4fsuwRW8lWjQQH9NDBg4OC
+4/j/2+haNy4neNyKBSFPg7g/HTOvalwVvR2OoEiVIdh2cLH4ELt3GVucJkB9Nimr
+nV4trKBPR9Cy/UTVzDvDS9NW7FEyTWtlVbTEU4um4rvU+7HkmY4JjaEUbqrdFcRf
+ho4KQe/QkE0wYcU=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBMjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUUDEgTWFwcGlu
+ZyAxdG8yMzQgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALkWaQEgKSf0
+Z8Rv+4X37UP7SJyBJFbt6QzzxNxVnCwFX+0X5rL44rsZBya1cg8TN0BvQjpF7hKW
+Ch5A0nARNvvI6cOBqQ5T2UryrVgzPb/dXebSy5e8afDUs8QqRB9dHb/m0AVC+hTd
+mwlok2dgnsm+DdpTaKbgKWi/jjlr8H5BAgMBAAGjgecwgeQwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMyn0dKG7yFjBZjvzRvK/+BE
+s9SQMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwWgYD
+VR0hAQH/BFAwTjAYBgpghkgBZQMCATABBgpghkgBZQMCATACMBgGCmCGSAFlAwIB
+MAEGCmCGSAFlAwIBMAMwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwBDAPBgNVHRMB
+Af8EBTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEAXs0UPa8a
+gMe7mdH0Zuxlka5P2WW5U6NGJTaF88e0d2LNd0rKAIY54kVS6qWRSb4m3fD17BhB
+HYeJt1wRTxJo/oSdKxOYY/2k1BQLH6HyqsgQsOq5V1KTBJSPsCVZxvw7i0dDtw4A
+VH9jyKpEN4XcL3k1hYHJvBU1sH8g1sE6vLQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:CC:A7:D1:D2:86:EF:21:63:05:98:EF:CD:1B:CA:FF:E0:44:B3:D4:90
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 45:0b:74:18:70:b6:d8:66:8a:81:70:d0:a9:21:e0:0b:b5:9d:
+ 71:45:a7:fd:df:50:ee:d6:38:4e:90:ea:eb:a8:84:6b:79:0c:
+ 64:6d:0a:4d:e0:36:20:6b:ec:c6:46:8f:13:13:99:18:21:e7:
+ 44:60:19:de:b4:f5:ea:7e:70:4b:b7:12:b8:4a:1f:5d:9b:b3:
+ 1d:cf:e4:54:5a:a1:8c:6b:ad:fd:51:f3:0c:96:c8:a6:7a:83:
+ f2:a1:dc:3a:a9:84:f6:7f:8f:8e:3f:91:ee:ae:e3:85:9c:7f:
+ 44:b7:92:89:15:77:f3:b3:dc:13:fc:7e:87:0f:e0:d6:55:96:
+ ee:83
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFAxIE1hcHBpbmcgMXRvMjM0
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBTMp9HShu8hYwWY780byv/gRLPUkDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBFC3QYcLbYZoqBcNCpIeALtZ1xRaf931Du1jhOkOrrqIRreQxkbQpN4DYg
+a+zGRo8TE5kYIedEYBnetPXqfnBLtxK4Sh9dm7Mdz+RUWqGMa639UfMMlsimeoPy
+odw6qYT2f4+OP5HuruOFnH9Et5KJFXfzs9wT/H6HD+DWVZbugw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:0F:EF:1C:17:81:57:7D:BA:83:EF:11:FF:87:68:73:D2:A6:1B:97
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 33:53:2c:ad:0e:6e:e9:49:14:44:7d:de:5c:dc:4b:0e:57:35:
+ 35:18:f2:d9:4b:94:c6:38:1e:4e:33:a7:7e:6c:b4:b7:d2:72:
+ 46:03:28:4b:d5:ef:a3:9a:ca:16:33:03:ec:bf:cf:e9:8f:a4:
+ 4a:01:c5:e1:a6:0a:b7:4d:86:ee:08:93:ee:1b:da:ad:da:d7:
+ cd:6a:da:95:eb:62:1f:13:19:30:8f:f5:33:22:fa:7b:2a:c3:
+ 7f:b8:ca:67:24:4e:f6:4e:0f:be:aa:31:23:42:eb:0d:76:9b:
+ f0:64:24:95:f4:b8:62:7b:5e:14:24:fd:6f:6c:8e:82:b3:60:
+ a9:c0
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF1AxIE1hcHBpbmcgMXRvMjM0
+IHN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBStD+8cF4FXfbqD7xH/h2hz0qYblzAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQAzUyytDm7pSRREfd5c3EsOVzU1GPLZS5TGOB5OM6d+bLS30nJGAyhL
+1e+jmsoWMwPsv8/pj6RKAcXhpgq3TYbuCJPuG9qt2tfNatqV62IfExkwj/UzIvp7
+KsN/uMpnJE72Tg++qjEjQusNdpvwZCSV9Lhie14UJP1vbI6Cs2CpwA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest6.pem
new file mode 100644
index 0000000000..665a6357fa
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest6.pem
@@ -0,0 +1,163 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF1AxIE1hcHBpbmcg
+MXRvMjM0IHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXTEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTIwMAYDVQQD
+EylWYWxpZCBQb2xpY3kgTWFwcGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NjCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAg/jjf7HVRt6r4IitgA9kVxN6rVQy1OLQ
+Kelr3lLXIJbXs7XYoUx53Br5c1SDdSaaRfvhKyMl7m53baO33b+MEeB8VfWHt/on
+35CKtGtyDa/IbfzrrwwJqs0rF4H/t7Ngz1b5rrKaEjy4itjNylcyAzJC1Zjer8aJ
+iXyszL9uGc8CAwEAAaNrMGkwHwYDVR0jBBgwFoAUrQ/vHBeBV326g+8R/4doc9Km
+G5cwHQYDVR0OBBYEFOH+LaLyiRCW05OelA2Y/97NYu1gMA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAUwDQYJKoZIhvcNAQEFBQADgYEAZStF
+y/RNVE9ElY/wKLp8pdE/c4L9rucyOPSv/5zhGO4+GiiN39twvGjjMH3ziIauJpuM
+rCb8q+3s22lzkD6/BSLyRNCXM7Mx5CGWDCdHqnkdFf1Ck9ddAG3hF8FkeKjlZ2MA
+j1g2DpZezCE4srw5r+5mXw95piUHxvBxIXnBUJ0=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+issuer=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFAxIE1hcHBpbmcg
+MXRvMjM0IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSzELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSAwHgYDVQQDExdQ
+MSBNYXBwaW5nIDF0bzIzNCBzdWJDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAuxzFRezTkAVZWZReelvBKELugXp5Eq7O4Ye839Rxl3p/kBRLWiFz+bsyeeMl
+YKC2+df3mBhUm5dDtrttv+oGaGL4bquZgb6X5TNxSHDe/D+3BAyxbFn8Qfq642fP
+QvmHsQYWtT+dP5NUxFpss8ElrWi0X2UEzb5ChUalSf2Vde8CAwEAAaOBzTCByjAf
+BgNVHSMEGDAWgBTMp9HShu8hYwWY780byv/gRLPUkDAdBgNVHQ4EFgQUrQ/vHBeB
+V326g+8R/4doc9KmG5cwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZI
+AWUDAgEwAjAMBgpghkgBZQMCATAEMEAGA1UdIQEB/wQ2MDQwGAYKYIZIAWUDAgEw
+AgYKYIZIAWUDAgEwBTAYBgpghkgBZQMCATAEBgpghkgBZQMCATAGMA8GA1UdEwEB
+/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACas+sr4fsuwRW8lWjQQH9NDBg4OC
+4/j/2+haNy4neNyKBSFPg7g/HTOvalwVvR2OoEiVIdh2cLH4ELt3GVucJkB9Nimr
+nV4trKBPR9Cy/UTVzDvDS9NW7FEyTWtlVbTEU4um4rvU+7HkmY4JjaEUbqrdFcRf
+ho4KQe/QkE0wYcU=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIBMjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUUDEgTWFwcGlu
+ZyAxdG8yMzQgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALkWaQEgKSf0
+Z8Rv+4X37UP7SJyBJFbt6QzzxNxVnCwFX+0X5rL44rsZBya1cg8TN0BvQjpF7hKW
+Ch5A0nARNvvI6cOBqQ5T2UryrVgzPb/dXebSy5e8afDUs8QqRB9dHb/m0AVC+hTd
+mwlok2dgnsm+DdpTaKbgKWi/jjlr8H5BAgMBAAGjgecwgeQwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMyn0dKG7yFjBZjvzRvK/+BE
+s9SQMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwWgYD
+VR0hAQH/BFAwTjAYBgpghkgBZQMCATABBgpghkgBZQMCATACMBgGCmCGSAFlAwIB
+MAEGCmCGSAFlAwIBMAMwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwBDAPBgNVHRMB
+Af8EBTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEAXs0UPa8a
+gMe7mdH0Zuxlka5P2WW5U6NGJTaF88e0d2LNd0rKAIY54kVS6qWRSb4m3fD17BhB
+HYeJt1wRTxJo/oSdKxOYY/2k1BQLH6HyqsgQsOq5V1KTBJSPsCVZxvw7i0dDtw4A
+VH9jyKpEN4XcL3k1hYHJvBU1sH8g1sE6vLQ=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1 Mapping 1to234 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:CC:A7:D1:D2:86:EF:21:63:05:98:EF:CD:1B:CA:FF:E0:44:B3:D4:90
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 45:0b:74:18:70:b6:d8:66:8a:81:70:d0:a9:21:e0:0b:b5:9d:
+ 71:45:a7:fd:df:50:ee:d6:38:4e:90:ea:eb:a8:84:6b:79:0c:
+ 64:6d:0a:4d:e0:36:20:6b:ec:c6:46:8f:13:13:99:18:21:e7:
+ 44:60:19:de:b4:f5:ea:7e:70:4b:b7:12:b8:4a:1f:5d:9b:b3:
+ 1d:cf:e4:54:5a:a1:8c:6b:ad:fd:51:f3:0c:96:c8:a6:7a:83:
+ f2:a1:dc:3a:a9:84:f6:7f:8f:8e:3f:91:ee:ae:e3:85:9c:7f:
+ 44:b7:92:89:15:77:f3:b3:dc:13:fc:7e:87:0f:e0:d6:55:96:
+ ee:83
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFAxIE1hcHBpbmcgMXRvMjM0
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBTMp9HShu8hYwWY780byv/gRLPUkDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBFC3QYcLbYZoqBcNCpIeALtZ1xRaf931Du1jhOkOrrqIRreQxkbQpN4DYg
+a+zGRo8TE5kYIedEYBnetPXqfnBLtxK4Sh9dm7Mdz+RUWqGMa639UfMMlsimeoPy
+odw6qYT2f4+OP5HuruOFnH9Et5KJFXfzs9wT/H6HD+DWVZbugw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=P1 Mapping 1to234 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AD:0F:EF:1C:17:81:57:7D:BA:83:EF:11:FF:87:68:73:D2:A6:1B:97
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 33:53:2c:ad:0e:6e:e9:49:14:44:7d:de:5c:dc:4b:0e:57:35:
+ 35:18:f2:d9:4b:94:c6:38:1e:4e:33:a7:7e:6c:b4:b7:d2:72:
+ 46:03:28:4b:d5:ef:a3:9a:ca:16:33:03:ec:bf:cf:e9:8f:a4:
+ 4a:01:c5:e1:a6:0a:b7:4d:86:ee:08:93:ee:1b:da:ad:da:d7:
+ cd:6a:da:95:eb:62:1f:13:19:30:8f:f5:33:22:fa:7b:2a:c3:
+ 7f:b8:ca:67:24:4e:f6:4e:0f:be:aa:31:23:42:eb:0d:76:9b:
+ f0:64:24:95:f4:b8:62:7b:5e:14:24:fd:6f:6c:8e:82:b3:60:
+ a9:c0
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF1AxIE1hcHBpbmcgMXRvMjM0
+IHN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBStD+8cF4FXfbqD7xH/h2hz0qYblzAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQAzUyytDm7pSRREfd5c3EsOVzU1GPLZS5TGOB5OM6d+bLS30nJGAyhL
+1e+jmsoWMwPsv8/pj6RKAcXhpgq3TYbuCJPuG9qt2tfNatqV62IfExkwj/UzIvp7
+KsN/uMpnJE72Tg++qjEjQusNdpvwZCSV9Lhie14UJP1vbI6Cs2CpwA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest9.pem
new file mode 100644
index 0000000000..252e920ac8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest9.pem
@@ -0,0 +1,109 @@
+subject=/C=US/O=Test Certificates/CN=Valid Policy Mapping EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=PanyPolicy Mapping 1to2 CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlBhbnlQb2xpY3kg
+TWFwcGluZyAxdG8yIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+XTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTIwMAYD
+VQQDEylWYWxpZCBQb2xpY3kgTWFwcGluZyBFRSBDZXJ0aWZpY2F0ZSBUZXN0OTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2FRrJurp4yzaLVdHeMS3IAQQvUjp
+lPkcXvLpEyQnWVTBYLsXJF9YdVxJJFES2XUxVFTumNnOjc2XcgCuUDwqoUYHPv8P
+UWZuoQ8B2sg8HPNU6G5BHBbtXkzC7lKCDLRshPSgnKngxdmoIDSVDPkz2KBUhbFm
+QZIqhVHE6UPCViUCAwEAAaNrMGkwHwYDVR0jBBgwFoAU0rpPGz5oOOaQ+MHqJa7a
+kq9DNm4wHQYDVR0OBBYEFEhKmk02sJFH9yFXTXKxqodRjaFoMA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEA
+PrcU9aDr57y1wekJ7k+ZJuhDlemNjGY7ggrZcarGL+LsRqkufpgkLpei7Cz13buA
+L/MqHFdc7H7d+GrbF4PAe2NXfcnlJJMLjS9Jw77qSb3aw9eSqYscBFhOxYWNL/Qh
+5GI9hJYugYGFzLxh1Cnl0/Pc8PoBgtaZg7H2hXmlUyQ=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=PanyPolicy Mapping 1to2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICsjCCAhugAwIBAgIBNTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMaUGFueVBvbGlj
+eSBNYXBwaW5nIDF0bzIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPOw
+G+hWDRzfFMkg2CwlHhCBrp/3hveD/ESGWRnpEp1ATKX47bZDyerSn5/9+d2sCsja
+seeR04tpsBmS+o6bUTTy9W5G6gxE/McnS7oH1WJLYNW9e57ckYArd3i85wr+Ecoq
+IaTiDQmy4Ze+TBNA/7CaYTp8agquwDTl40VGqfs1AgMBAAGjga0wgaowHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFNK6Txs+aDjmkPjB
+6iWu2pKvQzZuMA4GA1UdDwEB/wQEAwIBBjARBgNVHSAECjAIMAYGBFUdIAAwJgYD
+VR0hAQH/BBwwGjAYBgpghkgBZQMCATABBgpghkgBZQMCATACMA8GA1UdEwEB/wQF
+MAMBAf8wDAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQBL624FELsxdPKY
+tcreLc/Fz0uWZ7bc3BEIeVTarTWFu536wAOO2Pf4mJdJZ5WVVSYcOJb03Zso6U0G
+h0iYeHFGkXBCrqeOGe1h3zL4ED/C0HYJmPtLcTrtlAwvYq8dq4ABvsqMAUgFrsf4
+JGqkgLsMrbXRCAsLpFver5xKAuQ67A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=PanyPolicy Mapping 1to2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D2:BA:4F:1B:3E:68:38:E6:90:F8:C1:EA:25:AE:DA:92:AF:43:36:6E
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9d:f5:f9:0e:d5:1b:b9:cc:83:35:eb:00:3d:98:52:11:89:63:
+ 79:17:97:0b:9a:f5:0c:35:72:44:ab:2b:97:85:0d:c1:3f:26:
+ 10:15:81:e4:78:88:59:2d:4d:2b:4a:8b:5a:58:e4:2c:82:76:
+ 0f:b0:c3:45:c6:46:34:cc:38:33:da:6b:a0:79:e2:65:2a:3a:
+ 54:8d:69:54:6e:77:32:c1:45:8e:63:de:09:f4:3e:9f:a5:19:
+ 37:25:92:40:f1:aa:57:f2:61:69:e3:3d:e4:05:85:94:ec:29:
+ 51:dd:85:6c:65:c3:83:7a:c4:f9:37:7e:c0:a0:0d:6c:86:2b:
+ 47:7b
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlBhbnlQb2xpY3kgTWFwcGlu
+ZyAxdG8yIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTSuk8bPmg45pD4weolrtqSr0M2bjAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQCd9fkO1Ru5zIM16wA9mFIRiWN5F5cLmvUMNXJEqyuXhQ3BPyYQ
+FYHkeIhZLU0rSotaWOQsgnYPsMNFxkY0zDgz2mugeeJlKjpUjWlUbncywUWOY94J
+9D6fpRk3JZJA8apX8mFp4z3kBYWU7ClR3YVsZcODesT5N37AoA1shitHew==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280MandatoryAttributeTypesTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280MandatoryAttributeTypesTest7.pem
new file mode 100644
index 0000000000..6a94017c06
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280MandatoryAttributeTypesTest7.pem
@@ -0,0 +1,113 @@
+subject=/C=US/O=Test Certificates/DC=gov/DC=testcertificates/ST=Maryland/serialNumber=345/dnQualifier=CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICwTCCAiqgAwIBAgIBYDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGOMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgoJkiaJk/IsZAEZFgNn
+b3YxIDAeBgoJkiaJk/IsZAEZFhB0ZXN0Y2VydGlmaWNhdGVzMREwDwYDVQQIEwhN
+YXJ5bGFuZDEMMAoGA1UEBRMDMzQ1MQswCQYDVQQuEwJDQTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAmPmvvNuLBaXi3cYQQzuNFOtq2aeNq1YZodT/+7SSfjl2
+uz1wsLHI7XjOGOuWrE9N0oNBrARmSYh6WrYCJj1cd8vcj+FTymvx5DWEeqPCDmxU
+EO4e+/R+utHsFmCRzrOOUEqKkiHNGoR3iyrYr5zszJRgRDwf1QiYInu0cLMsHr8C
+AwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0O
+BBYEFKAtjaBcqIIIYio2ok1SyOUsUH0rMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAE
+EDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF
+AAOBgQCXoXCIH5TuCf84dVOweSMfOdb5MzKTudOw55mU7VgDzMk7vzQIEx3jCeP0
+7h8byDM0i/okjN0Ugm4DzOwxx5lAjs/uGGhGRGBVCJIPQ4QemsX3L24YpqSQKoJj
+K+YL+sz8pdoaqX69dDAyIcZNG2i9L/WEvmacw0AnJZ+Rd06jqw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid RFC3280 Mandatory Attribute Types EE Certificate Test7
+issuer=/C=US/O=Test Certificates/DC=gov/DC=testcertificates/ST=Maryland/serialNumber=345/dnQualifier=CA
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAkmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRMwEQYKCZImiZPyLGQBGRYDZ292
+MSAwHgYKCZImiZPyLGQBGRYQdGVzdGNlcnRpZmljYXRlczERMA8GA1UECBMITWFy
+eWxhbmQxDDAKBgNVBAUTAzM0NTELMAkGA1UELhMCQ0EwHhcNMDEwNDE5MTQ1NzIw
+WhcNMTEwNDE5MTQ1NzIwWjBwMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxRTBDBgNVBAMTPFZhbGlkIFJGQzMyODAgTWFuZGF0b3J5IEF0
+dHJpYnV0ZSBUeXBlcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NzCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAn3sUmVtQ1OLPODq7WXtzygEZ0tKb60KjAITF+WQQwfYO
+katDsSHQU19m7Uxi3JX3wKeIZOJLDR14VB8aGUsN6pNaKKFCB1B2pgQsjDZsCLDz
+ckA7lYdIC40Smu+8Nb2IGgncTW1Dye6r36lxhEpAU0cqXdOKkhteDDOW42tuZlMC
+AwEAAaNrMGkwHwYDVR0jBBgwFoAUoC2NoFyogghiKjaiTVLI5SxQfSswHQYDVR0O
+BBYEFHv2CemcO4grJLwWGJqNhA9NXdicMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAE
+EDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAQAimtwbz7YQ8Pm8M
+Cg/LHjRpGXaJL82W85ioX8T7hsFsGlQbHp6uAq/Zkk44mG2ziuI5pJF/HnuAXPiF
+xHcnCfDDpHpNh7deC53/nPf9Co375lZRWlBT233KSL14GTyiBZPipzbsUvJ+7FOp
+alTeRK4fPr3lNDo9SEVo4e97i5w=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/DC=gov/DC=testcertificates/ST=Maryland/serialNumber=345/dnQualifier=CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A0:2D:8D:A0:5C:A8:82:08:62:2A:36:A2:4D:52:C8:E5:2C:50:7D:2B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 52:d1:8a:cb:32:66:cf:87:3e:a9:ea:a2:35:90:42:18:74:4f:
+ 9e:43:5d:6c:73:09:4e:ec:45:68:bf:3d:c3:1a:97:e5:83:66:
+ e0:2a:1c:84:97:8e:d2:29:2a:c6:f2:41:e8:fc:63:3c:8a:5a:
+ 1a:8c:40:eb:c3:12:1d:ef:5e:70:a9:af:d9:dc:89:28:03:76:
+ ff:b6:cb:5e:e0:82:f7:ad:32:3c:60:58:3c:fe:24:3d:9f:68:
+ 79:98:14:e4:0c:80:1a:f7:63:eb:5b:cd:ca:1c:69:80:93:8a:
+ 26:55:e3:ac:b9:05:7e:83:64:d4:3b:11:26:bf:fd:df:5f:3f:
+ 40:30
+-----BEGIN X509 CRL-----
+MIIBiDCB8gIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRMwEQYKCZImiZPyLGQBGRYDZ292MSAwHgYK
+CZImiZPyLGQBGRYQdGVzdGNlcnRpZmljYXRlczERMA8GA1UECBMITWFyeWxhbmQx
+DDAKBgNVBAUTAzM0NTELMAkGA1UELhMCQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQx
+OTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFKAtjaBcqIIIYio2ok1SyOUsUH0rMAoG
+A1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAFLRissyZs+HPqnqojWQQhh0T55D
+XWxzCU7sRWi/PcMal+WDZuAqHISXjtIpKsbyQej8YzyKWhqMQOvDEh3vXnCpr9nc
+iSgDdv+2y17ggvetMjxgWDz+JD2faHmYFOQMgBr3Y+tbzcocaYCTiiZV46y5BX6D
+ZNQ7ESa//d9fP0Aw
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280OptionalAttributeTypesTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280OptionalAttributeTypesTest8.pem
new file mode 100644
index 0000000000..fe5bdf3e6d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280OptionalAttributeTypesTest8.pem
@@ -0,0 +1,114 @@
+subject=/C=US/O=Test Certificates/L=Gaithersburg/GN=John/initials=Q/pseudonym=Fictitious/SN=CA/generationQualifier=III/title=M.D.
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIBYTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMIGaMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAcTDEdhaXRoZXJz
+YnVyZzENMAsGA1UEKhMESm9objEKMAgGA1UEKxMBUTETMBEGA1UEQRMKRmljdGl0
+aW91czELMAkGA1UEBBMCQ0ExDDAKBgNVBCwTA0lJSTENMAsGA1UEDBMETS5ELjCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1rYVbBlFi+aAvBEyC1OHaw1KoNLA
+SbwWJQU2M2R18MJ60p/Et24lC5hPnI9+Iaqa0JSHYJ0hY4qWcweJOtNcTNjAgPe/
+jxsQPIOJeI5j0ZDI79wgvj0F7KLW5QKyDbc220ew+FMR2KptqAPxv4exgICooaiL
+M8sOLdN9u/AqLosCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFK+Bn8wZLBKkY0JXV9dXGmMHX3PRMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQBT6cZaPPoR2jyTsaiykedCd4fttTGC/7nzI5s6/riF
+5nxSRhoLM+h8ha+zN2df1xMZao1Ovp6RQGOPrbuPhz8qwnmYrjZ2fdvj47sj+BQY
+xIO6oUyd/DYYwI/nmq3o5bLBOxZDz3qC3AiNFfcfLPiZ2m0eotP0I78nTtDGGUDc
+Ew==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid RFC3280 Optional Attribute Types EE Certificate Test8
+issuer=/C=US/O=Test Certificates/L=Gaithersburg/GN=John/initials=Q/pseudonym=Fictitious/SN=CA/generationQualifier=III/title=M.D.
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAlSgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQHEwxHYWl0aGVyc2J1
+cmcxDTALBgNVBCoTBEpvaG4xCjAIBgNVBCsTAVExEzARBgNVBEETCkZpY3RpdGlv
+dXMxCzAJBgNVBAQTAkNBMQwwCgYDVQQsEwNJSUkxDTALBgNVBAwTBE0uRC4wHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBvMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRDBCBgNVBAMTO1ZhbGlkIFJGQzMyODAg
+T3B0aW9uYWwgQXR0cmlidXRlIFR5cGVzIEVFIENlcnRpZmljYXRlIFRlc3Q4MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBi40mcnzIqaCI8xmKk/hWOkKWbQLD
+++tbFk6jZC91dhYO3PZy1cPsNYJPSz+xSdp/EQz+8TEGRabX2QloXsHxgRZGersi
+xzDg2uh1LS0/k04o+YxsAwJljkd74tub9b0PRX6MzqsUQgy7SWnPvQ6qKJ1uZ8B3
+UJYb/Jr+Jb0BDQIDAQABo2swaTAfBgNVHSMEGDAWgBSvgZ/MGSwSpGNCV1fXVxpj
+B19z0TAdBgNVHQ4EFgQU1AdzbqWGvXGozwcQ3FLKcM0NhdQwDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQCm
+53CaFal2YrwuX9JDOKgfEISGgoAdQjs+hoh0T9fTKMeyzfuEaajj4gKD7YViPd5Z
+SbbTywQKjzTDTP1PiLf7ti3TbOzHmPCT9sOcSMxn7ws9Q/KV4SvNjpYK8W6YPn6r
+WSMe+VuZypOlb/vWxOgHPP5IIY/4vqVjulA0tcqP5Q==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/L=Gaithersburg/GN=John/initials=Q/pseudonym=Fictitious/SN=CA/generationQualifier=III/title=M.D.
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AF:81:9F:CC:19:2C:12:A4:63:42:57:57:D7:57:1A:63:07:5F:73:D1
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:2d:88:30:eb:90:92:74:63:32:0b:b7:99:52:78:83:ef:a8:
+ 8f:33:89:b8:57:ff:06:f8:f0:41:20:77:9d:be:a9:98:10:12:
+ e3:80:bb:b0:48:d2:57:93:be:3b:b8:64:f6:9a:91:05:05:df:
+ d4:97:6a:a1:c7:29:04:d3:e6:ab:63:83:99:c1:58:87:8e:ee:
+ d7:85:1b:f7:d1:8d:2f:34:c4:a8:77:c3:5d:ff:15:2b:c5:14:
+ 47:f8:04:f4:c0:a1:3a:84:07:0c:a4:97:0f:02:f8:ca:07:52:
+ fe:42:29:ff:e2:9a:01:e0:ac:1f:4f:e1:15:47:6c:71:d9:da:
+ dc:02
+-----BEGIN X509 CRL-----
+MIIBlDCB/gIBATANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQHEwxHYWl0aGVyc2J1cmcxDTAL
+BgNVBCoTBEpvaG4xCjAIBgNVBCsTAVExEzARBgNVBEETCkZpY3RpdGlvdXMxCzAJ
+BgNVBAQTAkNBMQwwCgYDVQQsEwNJSUkxDTALBgNVBAwTBE0uRC4XDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFK+Bn8wZLBKkY0JX
+V9dXGmMHX3PRMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAJItiDDrkJJ0
+YzILt5lSeIPvqI8zibhX/wb48EEgd52+qZgQEuOAu7BI0leTvju4ZPaakQUF39SX
+aqHHKQTT5qtjg5nBWIeO7teFG/fRjS80xKh3w13/FSvFFEf4BPTAoTqEBwyklw8C
++MoHUv5CKf/imgHgrB9P4RVHbHHZ2twC
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest21.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest21.pem
new file mode 100644
index 0000000000..0a271fcdc0
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest21.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBQzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOYG
+d2HszTJIsVTazKriCUJ/ExxUo4U4HEZN9+/XVXsQVkZYIzWtyCTC3IFmSAyb9ZED
+Gu3jmF/evXpfNXmxiURUu6W0bLEpIkZiVpPpTKqoJx2EHj+wXOfe31AD0OmKidXP
+66+LVgIJLWGMr3Msbzb4T3gpKb2ynQc2/XnE3RkbAgMBAAGjgaYwgaMwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFON/hXqOojue7rgS
+HXkTqsS9LlmtMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAnBgNVHR4BAf8EHTAboBkwF4EVLnRlc3RjZXJ0
+aWZpY2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBAJjXEGmrQ1/Muud+NZwajR9x
+it/32SNVvHI+/O7bopout/RnhJudrmsdqGlcSk0KXfcXI22cJOkAYe1M39znxgba
+VitYYLxfsS+3O2pLpMgQMFCZuOJATfAQUlui+dVtPTaIam7jimms5Qam2K2SuZ/t
+eJ2J/rIDHCOrIGktQS8H
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid RFC822 nameConstraints EE Certificate Test21
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+-----BEGIN CERTIFICATE-----
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0ExMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+ZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTswOQYD
+VQQDEzJWYWxpZCBSRkM4MjIgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRl
+IFRlc3QyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmgblTsP6gle2uacP
+DDJPff0VnqgTN1VtCh/uqZINqMtzbfcADz7KNpqETX64spwhD8/3m9yEVpJStgPq
+o/mbcf/G2L3+zkx2t7mQLTy115q304S7KBauhK/aen56yKrHOuUv+qmOSYpqZKwi
+ZbobiLq/CMbUfYx6zaM8Bd59VBsCAwEAAaOBoTCBnjAfBgNVHSMEGDAWgBTjf4V6
+jqI7nu64Eh15E6rEvS5ZrTAdBgNVHQ4EFgQUtCANQs2V6ofUY9VPDtbRD+W3O/sw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAzBgNVHREE
+LDAqgShUZXN0MjFFRUBtYWlsc2VydmVyLnRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0G
+CSqGSIb3DQEBBQUAA4GBAB1qFEM9zKmqItkLPuorp06yLsoL0xL3X+c4ym7JP034
+2kYhJ7SoZFmFbIRB6z472KWbJc17oM9LK6GOt08QBEIHhQk1pZrueBJDrCv8WmR3
+7FHwbkNcRn8DFYiV3//yjYP+bgN142Lj3O9SpuUy/a32bsupo0ykWADqwwY1ntmi
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:E3:7F:85:7A:8E:A2:3B:9E:EE:B8:12:1D:79:13:AA:C4:BD:2E:59:AD
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ b4:77:73:f7:12:e7:d7:20:9a:bd:e1:00:a8:b1:6a:7a:65:1e:
+ 8e:56:c9:ca:38:33:7e:d5:37:41:c1:e7:95:a4:81:ab:9b:40:
+ 31:1d:aa:6c:14:f9:19:e4:3f:85:6b:24:ff:d6:bf:cb:fd:27:
+ a9:65:35:5c:b7:6b:82:87:b7:e1:c2:4d:34:ca:42:5c:46:66:
+ 45:11:d2:c0:48:0f:08:8c:b0:a7:58:66:63:9d:ae:0a:68:0a:
+ 5b:5b:ee:fe:12:93:77:03:90:6e:a4:8d:32:2e:56:56:cf:1f:
+ 85:b8:95:52:f7:73:78:5e:d0:04:66:2c:8c:ca:78:36:da:43:
+ 10:07
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0ExFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTjf4V6jqI7nu64Eh15E6rEvS5ZrTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQC0d3P3EufXIJq94QCosWp6ZR6OVsnKODN+1TdBweeVpIGrm0Ax
+HapsFPkZ5D+FayT/1r/L/SepZTVct2uCh7fhwk00ykJcRmZFEdLASA8IjLCnWGZj
+na4KaApbW+7+EpN3A5BupI0yLlZWzx+FuJVS93N4XtAEZiyMyng22kMQBw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest23.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest23.pem
new file mode 100644
index 0000000000..a73a4af25d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest23.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPZ
+S8+5+/2AgG2N8tsByPeKGxCC5bOrNXho0b3fSjvK452P3luNUPIf46KvIBU6UYAP
+4rGMqcUdmgFD+PdXq6TMW8bWNuYRICw6c6ni5uyre5bovptoJCsmBw/IqinDoqbO
+Qyoq0YDltds+lSROlTUCA/7qOBHOdwpcjhVfYJSJAgMBAAGjgaUwgaIwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFBQbKzZmdEuTqzFV
+h6QxqzZjbzXJMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoBgwFoEUdGVzdGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAsOYxl05xGFDRHUO8Myp9EM/X
+ahfChzUabmgo1Tqpk+TLbxcZw+GfesxOp+jCd7jtTBJKhB0HeX1vaCVUpURbWEAt
+fuE35slQQr/c9dgwCw/JwBNdkFFT2z/73nDEN96rUK3GYs2OO8OJVMqdKb4iBUxH
+M/bZyCy4CB3+hthr4to=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid RFC822 nameConstraints EE Certificate Test23
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+-----BEGIN CERTIFICATE-----
+MIICwTCCAiqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0EyMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+ZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTswOQYD
+VQQDEzJWYWxpZCBSRkM4MjIgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRl
+IFRlc3QyMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo+cdyq6LQoFUo5dS
+h+bsp1TvEaw5776yXg8bXkMcTO+fJGshnWYoTUk7mQwcFnYm5+dQzSLHZTh9dgR5
+5m9ZSKGfmbnSINvGuU7oo9cqEwKrCRzqj/X6MUoyaxQyDW/ft2mTXpPCGrzDaF/S
+52lsNu/rubHKKmmb4EaoVJaWHUMCAwEAAaOBljCBkzAfBgNVHSMEGDAWgBQUGys2
+ZnRLk6sxVYekMas2Y281yTAdBgNVHQ4EFgQUDEZstH+dSCRcJPrmvd6knN2jPfIw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAoBgNVHREE
+ITAfgR1UZXN0MjNFRUB0ZXN0Y2VydGlmaWNhdGVzLmdvdjANBgkqhkiG9w0BAQUF
+AAOBgQB4NROaQv0DDKJDl5t44LQ0cosk4/w98WmDCkXF7RVxhFFMApnHJBOQlEPQ
+CnC/fGcChW/KnYKsDnCSAPJiq4D15SYa9EVMa1rw7wCotCVbvjfJezZrheKmMj0Z
+nxIJIutwJ6pOY3gjJRxCRNx18S1u0vhD93uN36wKM1cuWaA+8A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:14:1B:2B:36:66:74:4B:93:AB:31:55:87:A4:31:AB:36:63:6F:35:C9
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 47:93:cd:d6:9b:31:b0:dd:6a:d8:c4:e2:5e:3a:73:cd:2b:69:
+ 5c:47:1a:75:56:6b:56:1c:a4:2f:c2:66:4c:6b:a4:9a:86:53:
+ fb:26:39:3e:61:d2:14:1b:85:1e:9c:f0:1e:ac:c8:c1:73:a5:
+ c3:29:1c:c6:12:21:08:4c:4a:5a:d6:1d:21:4e:eb:7d:16:14:
+ a4:a8:18:07:2e:e9:31:ef:39:ce:f8:6e:2b:d7:09:c1:ad:be:
+ 6a:c3:d8:46:24:95:12:ea:cf:2c:c6:84:50:bf:78:31:91:79:
+ 35:8c:02:47:d1:11:0d:aa:55:34:22:d6:d4:a2:ac:be:b8:07:
+ 60:3c
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0EyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBQUGys2ZnRLk6sxVYekMas2Y281yTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQBHk83WmzGw3WrYxOJeOnPNK2lcRxp1VmtWHKQvwmZMa6SahlP7
+Jjk+YdIUG4UenPAerMjBc6XDKRzGEiEITEpa1h0hTut9FhSkqBgHLukx7znO+G4r
+1wnBrb5qw9hGJJUS6s8sxoRQv3gxkXk1jAJH0RENqlU0ItbUoqy+uAdgPA==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest25.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest25.pem
new file mode 100644
index 0000000000..10308cf5ee
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest25.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBRTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMabmFtZUNvbnN0
+cmFpbnRzIFJGQzgyMiBDQTMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMii
+1odFMCSlNLo+1reNBLAhQ3rkRllmPUUfznMkHE+tVOXNCuGNSPuCJPQNO5495PH/
+vsBZUVltMrhOpo00ibzoFrcLwaxj5Gmb8rNV/aPwDiRX8frLslhpw+QEjxMZKP8O
+bdOlItBR3dFauvxrwLz1DUUlG7aX/QoEtws/fE59AgMBAAGjgaUwgaIwHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFOq3bporCYA2Z2m1
+jdo1pYY9KXgcMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAmBgNVHR4BAf8EHDAaoRgwFoEUdGVzdGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAcyB2R0h4mQZ671JhQ0r6cmPF
+iaEHtdJL+REJT8yGWiERgT/2wh65vHtCierHK8+0aJ8Wy/nJzUAWcKeGESTPVTey
+IxQg08VdFJIohXm1lvJ3hfzgHIcFPk2tXZvYSk3qYllYHt8tGCoyh4p3q4vpyTou
+HcOOTD0ogzE9KbjD3Dk=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid RFC822 nameConstraints EE Certificate Test25
+issuer=/C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+-----BEGIN CERTIFICATE-----
+MIICzDCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJh
+aW50cyBSRkM4MjIgQ0EzMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+ZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTswOQYD
+VQQDEzJWYWxpZCBSRkM4MjIgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRl
+IFRlc3QyNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjlu9aIQ7cGou9j2L
+/SEtM4QWvsfK7siztqNkNsuSWFgr/pOI6y6+WOa6B1E+I7zZryvHOSmqtpBzPOeU
+RX19iAHjT3Rf8LeCHS75XCCtVUJJJ2+pJn8hON1vHSQGgHzD+kOPIOwj0ihYD1f9
+xUMHM6MiPsEODMVFGitWAPl6P88CAwEAAaOBoTCBnjAfBgNVHSMEGDAWgBTqt26a
+KwmANmdptY3aNaWGPSl4HDAdBgNVHQ4EFgQU/PF5qIYkniJoxi4J3d64bj3SNwUw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAzBgNVHREE
+LDAqgShUZXN0MjVFRUBtYWlsc2VydmVyLnRlc3RjZXJ0aWZpY2F0ZXMuZ292MA0G
+CSqGSIb3DQEBBQUAA4GBAEwywYR5b8qm30lTjdBl+YvBheITfKcGdkhFRgdAZ/qg
+IfBhWHt3xf8SXXLMoEk9jhuyJ9JGSLY6psPYhDhkqswRkPhJgx5yOc2D05JI0CEU
+RSr9LZE439pCWHI/qFp5e0mvQEJthMvapGETXniDUlnihFlzS0Wv7pzlG9JbHmz+
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints RFC822 CA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:EA:B7:6E:9A:2B:09:80:36:67:69:B5:8D:DA:35:A5:86:3D:29:78:1C
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:6d:0a:0a:c4:67:91:af:de:5d:89:9f:fc:df:e2:7a:7a:52:
+ 3e:4d:ec:50:b9:46:83:3a:7d:2d:9b:5d:84:8b:6d:ba:bf:4b:
+ 41:74:e3:3b:c1:90:73:a2:83:02:4f:e4:04:b8:b9:7a:70:7b:
+ 0c:bc:59:f7:db:83:93:00:87:98:53:43:a2:71:d5:2f:d0:fe:
+ 2f:c2:46:55:d5:64:54:01:90:72:4f:a2:37:dd:88:b8:3b:63:
+ 24:df:d3:ed:7e:6d:da:2f:57:9b:cc:d7:96:67:48:7e:a5:b0:
+ 6d:cb:c9:5e:e9:78:58:c6:be:f0:cc:b1:16:e3:4a:57:45:86:
+ 90:12
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGm5hbWVDb25zdHJhaW50cyBS
+RkM4MjIgQ0EzFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTqt26aKwmANmdptY3aNaWGPSl4HDAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQCMbQoKxGeRr95diZ/83+J6elI+TexQuUaDOn0tm12Ei226v0tB
+dOM7wZBzooMCT+QEuLl6cHsMvFn324OTAIeYU0OicdUv0P4vwkZV1WRUAZByT6I3
+3Yi4O2Mk39Ptfm3aL1ebzNeWZ0h+pbBty8le6XhYxr7wzLEW40pXRYaQEg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest1.pem
new file mode 100644
index 0000000000..4ac8a81b17
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest1.pem
@@ -0,0 +1,264 @@
+subject=/C=US/O=Test Certificates/CN=Valid requireExplicitPolicy EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubsubCA
+-----BEGIN CERTIFICATE-----
+MIICgzCCAeygAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLDAqBgNVBAMTI3JlcXVpcmVFeHBs
+aWNpdFBvbGljeTEwIHN1YnN1YnN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQx
+OTE0NTcyMFowZDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMTkwNwYDVQQDEzBWYWxpZCByZXF1aXJlRXhwbGljaXRQb2xpY3kgRUUgQ2Vy
+dGlmaWNhdGUgVGVzdDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMtxfTwK
+0K+ya1KGbTjYgKKhZIQ/LGTa7Dspd7Z5tOgMptNRXcZxWTMotzRgl1ndDpQ6VREk
+JM/VBmbP67g0jwIe2n0QcTFkThPANsyPkdUBXahvmC0VEeIMHnflvqjN4vfK9guc
+6nG0XfBZ4/Jlx6SFvgoO6wm6XNtrMl32qwUjAgMBAAGjUjBQMB8GA1UdIwQYMBaA
+FJTXd8VxKtTTGW/0USC22qwIMuOvMB0GA1UdDgQWBBRUf4tLtvX7PjlUltzRvRgg
+phdo6DAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAnReGZHvu3NJz
+B3B+qMmyfqUmW5eMxNjHymhuRDw3NXTmT7SNUL8O/NC76haxw/5HDE7rVuvGSPl1
+qhciDJOmTF1o09zDDjDM3tlXUvqC2Natm/Xew1+Hy4hfzY90CmlUuUGpKpzQ7SYt
+mHl+zz1o+9Y1jZSK4yDs5xcPnisoUjQ=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 CA
+-----BEGIN CERTIFICATE-----
+MIICkTCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGnJlcXVpcmVFeHBs
+aWNpdFBvbGljeTEwIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFow
+UTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSYwJAYD
+VQQDEx1yZXF1aXJlRXhwbGljaXRQb2xpY3kxMCBzdWJDQTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAvWfbIMg2LdPn/geH8Jo29/G6XSDCQm/MPINuucCdUSjA
+PBSponYKGMQNY//7KhwbVj2hQlgl8U6gw0rvIml4YaZmR3SPUXl2O0BXiiFQX0Qi
+bJ7NRaPcgrg04Fl+W19wk2Q2qGBrc1rMCDSG7ZBzwqtJssJpgkb4GSnoGr9FEKEC
+AwEAAaN8MHowHwYDVR0jBBgwFoAU8+kmmZYGhsTVonvsubClbjYNFUUwHQYDVR0O
+BBYEFKNDYb56GPOuZdF0vMDzMPzWBjqUMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAE
+EDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF
+AAOBgQCX5vf2fqbgsOCFDqP5acUsKiSiuP31Oj/Fy1e0Y1LBph3ZtxRTkqZGIUI1
+imjbT64NLWvt2MMmfeHOlEU/fSRxevhRT+yRUmfaJuw9NBepK1oxpRtJ5tu5cr7E
+WyJMT/zv3wRloA23Feldchzxg6rqsM1LybyAtXXo67sc/EUxdQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBKjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME4xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEjMCEGA1UEAxMacmVxdWlyZUV4
+cGxpY2l0UG9saWN5MTAgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMyF
+/T/s9w6HU3LcURfJCjhjrP4PxbYbTP/c4wcq8vtx+8gb8P6jkdDvpJms19NcshfK
+DnR2b+cp6PfbAWx31AqcF2ynuU/C06PG/GQvNUhC69RziLxcHSMkThbnbN86ccr6
+d1WWb3Mxlkmtc7AhKHmORoz/Kd0b2Poi7L91o7+VAgMBAAGjgY4wgYswHwYDVR0j
+BBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPPpJpmWBobE1aJ7
+7LmwpW42DRVFMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHSQBAf8EBTADgAEKMA0GCSqGSIb3DQEB
+BQUAA4GBAC0Pv/aS8/3mmgB+R0A7UTvUGedE/M+DOOM5G8+dwZHjApQbuHYZjwQo
+Yrf6759MH9wKAYOcaJTgFJWFJuwjBJuWQuiglk8tcKmufVqHgRlCsrKtz312inHV
+NfxuGrViA3gp1Tr1fiXjG0gcgyT4QEnripDTLKvpHbOtMWZB6hSS
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subCA
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTEwIHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowVDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSkw
+JwYDVQQDEyByZXF1aXJlRXhwbGljaXRQb2xpY3kxMCBzdWJzdWJDQTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAqwkZLQpMq2d0v1R/PA5wl+lyQlnehOszQk2U
+0zfHPGI4vJ1TIZZXYpOjVyfodG1wdwO3RCHLzguwsbk12RVNTls+kF2Wu3LtLtMi
+GSKx/imJiKw+ARw6sqBHmrNE9L/1C/e9rb+Su1kZ6WrtOfSAG8EpySytu9zTbGJF
+1YbZT3cCAwEAAaN8MHowHwYDVR0jBBgwFoAUo0NhvnoY865l0XS8wPMw/NYGOpQw
+HQYDVR0OBBYEFG1oMf35X1L5+y7aRMLPezaZ2P8pMA4GA1UdDwEB/wQEAwIBBjAX
+BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQUFAAOBgQAbOLTRc1DEC+iOWixska5o4gEOfAPSHWymjRYit+VYE3JdjrP9
+2hbIGQSrLlK8QQ0+9VkNsfncjCydV7J6Q3c1rPNCvd6dlfAzy9DfnXADu/vZuxBs
+pJ3B4EuSv23hMHzjoNnv/iGUnzkrLGfMPPYlB9t8jrbySU1lYX8FcD6YCw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICnTCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTEwIHN1YnN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0
+NTcyMFowVzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVz
+MSwwKgYDVQQDEyNyZXF1aXJlRXhwbGljaXRQb2xpY3kxMCBzdWJzdWJzdWJDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuj3CUHlGX/JYo4Qsdmbzns192OxE
+IC1a8Yc7HhN9/IeStb9BATFCI4MyFiHofxoFG+oPzs4nRkOqmOju0VXYhfu+01j4
+LTKp2iwNleLbIe5CZ/PWasj9ixJfWeMe19fszNKvtnBmn+rCIqimOKmKPh7FIMgk
+IImKUwZ2gV41wHkCAwEAAaN8MHowHwYDVR0jBBgwFoAUbWgx/flfUvn7LtpEws97
+NpnY/ykwHQYDVR0OBBYEFJTXd8VxKtTTGW/0USC22qwIMuOvMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCQJ4CoH8d7JguvuXoxhetUWQz+kj/kW1kbW/vjxhHE
+Ux4rnRd8TUhpocdkzp9xRLF8BvZFw4HwwFbys4rENFq/VpPzIFqIW59j1bvSQzjN
+GWZp1MtaQuhSGtzwc4dfCl/1ozQVVkcjpT7n9iZ2JMYNGKLSmmuFMMLGoViVq0vo
+mw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy10 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F3:E9:26:99:96:06:86:C4:D5:A2:7B:EC:B9:B0:A5:6E:36:0D:15:45
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:82:73:e1:99:5d:9f:9c:27:57:43:f6:74:10:b4:76:e1:d6:
+ bf:9a:de:84:8f:9b:0e:a6:ba:9a:98:06:fa:ff:c2:a5:a4:cd:
+ 5f:b9:8d:4b:e1:67:e6:b3:e3:2e:5b:ea:e4:d9:9c:06:42:c0:
+ 96:81:40:e2:99:32:24:c2:7b:d1:47:2d:32:42:c9:7c:cd:09:
+ aa:c8:1b:bc:a4:d8:fe:6d:8c:52:79:d5:81:70:89:78:b1:1e:
+ 11:2e:13:69:45:28:55:66:43:1d:61:40:fc:1a:78:ea:23:98:
+ 44:66:df:15:8e:d1:d5:f9:82:7a:d2:2e:ad:36:8a:03:ff:04:
+ 8e:09
+-----BEGIN X509 CRL-----
+MIIBRzCBsQIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGnJlcXVpcmVFeHBsaWNpdFBv
+bGljeTEwIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNV
+HSMEGDAWgBTz6SaZlgaGxNWie+y5sKVuNg0VRTAKBgNVHRQEAwIBATANBgkqhkiG
+9w0BAQUFAAOBgQAMgnPhmV2fnCdXQ/Z0ELR24da/mt6Ej5sOprqamAb6/8KlpM1f
+uY1L4Wfms+MuW+rk2ZwGQsCWgUDimTIkwnvRRy0yQsl8zQmqyBu8pNj+bYxSedWB
+cIl4sR4RLhNpRShVZkMdYUD8GnjqI5hEZt8VjtHV+YJ60i6tNooD/wSOCQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy10 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A3:43:61:BE:7A:18:F3:AE:65:D1:74:BC:C0:F3:30:FC:D6:06:3A:94
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1e:e5:78:df:47:b6:e0:42:9d:78:6f:f5:38:37:a6:fb:e9:8b:
+ 00:16:34:fe:da:ae:70:4c:b6:b2:3d:53:7c:ef:58:24:b8:87:
+ a5:c0:ca:7c:fd:aa:8d:ba:2e:76:fd:c0:9a:f3:b9:70:a8:43:
+ 13:41:22:1b:51:ff:00:20:32:ae:ab:6d:44:ec:b8:7d:4e:4b:
+ d5:86:83:ea:98:64:cf:0f:dc:f5:2d:52:ee:20:98:a9:49:ad:
+ 06:b6:39:4c:d5:1a:94:a5:22:4e:ad:b5:ad:14:64:49:e5:6e:
+ aa:63:9b:36:28:9f:5f:dc:c1:03:7e:7e:c2:ee:48:63:19:7a:
+ 04:f4
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTEwIHN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBSjQ2G+ehjzrmXRdLzA8zD81gY6lDAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQAe5XjfR7bgQp14b/U4N6b76YsAFjT+2q5wTLayPVN871gk
+uIelwMp8/aqNui52/cCa87lwqEMTQSIbUf8AIDKuq21E7Lh9TkvVhoPqmGTPD9z1
+LVLuIJipSa0GtjlM1RqUpSJOrbWtFGRJ5W6qY5s2KJ9f3MEDfn7C7khjGXoE9A==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:6D:68:31:FD:F9:5F:52:F9:FB:2E:DA:44:C2:CF:7B:36:99:D8:FF:29
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 58:cb:cd:7e:81:ea:55:5b:85:7d:b1:7b:ae:0c:70:90:82:81:
+ aa:5f:e4:5b:99:72:8c:22:bc:2a:ae:3f:d7:0f:94:cc:02:b6:
+ 0f:c3:e9:ab:c2:8b:c1:68:0f:12:ca:f0:7c:1e:31:21:7d:38:
+ 5e:2c:0e:9f:af:89:48:e1:2a:1f:12:e6:2a:b6:59:98:dd:d0:
+ ba:1e:06:b1:c9:85:b8:75:f8:a9:da:e9:25:6c:e4:9c:6a:92:
+ 29:d7:59:fb:f1:80:c4:4c:43:f6:79:5b:60:a7:36:cc:64:22:
+ 5f:f7:d8:8e:ba:1c:a3:59:d2:fe:1d:8d:5c:40:8f:0d:2d:ee:
+ 11:4d
+-----BEGIN X509 CRL-----
+MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTEwIHN1YnN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8w
+LTAfBgNVHSMEGDAWgBRtaDH9+V9S+fsu2kTCz3s2mdj/KTAKBgNVHRQEAwIBATAN
+BgkqhkiG9w0BAQUFAAOBgQBYy81+gepVW4V9sXuuDHCQgoGqX+RbmXKMIrwqrj/X
+D5TMArYPw+mrwovBaA8SyvB8HjEhfTheLA6fr4lI4SofEuYqtlmY3dC6HgaxyYW4
+dfip2uklbOScapIp11n78YDETEP2eVtgpzbMZCJf99iOuhyjWdL+HY1cQI8NLe4R
+TQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy10 subsubsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:D7:77:C5:71:2A:D4:D3:19:6F:F4:51:20:B6:DA:AC:08:32:E3:AF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8e:42:22:a8:c7:94:5a:d3:72:4c:98:eb:58:30:58:63:41:cf:
+ da:f9:9e:f5:6f:3b:4e:30:17:92:8b:a8:30:bc:cb:ac:2d:94:
+ b1:62:ef:b9:69:3e:30:15:01:d4:32:ff:f4:86:c5:5d:8d:41:
+ 46:39:52:a0:df:74:e5:35:c4:e6:08:06:58:94:ba:d1:7e:08:
+ e4:66:e1:65:8d:15:23:3c:e6:de:61:4e:71:5e:5d:24:03:bd:
+ 52:ff:85:a9:ea:7a:63:37:e5:c0:e6:78:4a:71:45:32:18:c7:
+ 7d:2b:90:16:bb:f9:35:cd:a2:ab:c3:8e:c9:db:6e:7e:62:94:
+ 6b:ad
+-----BEGIN X509 CRL-----
+MIIBUDCBugIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLDAqBgNVBAMTI3JlcXVpcmVFeHBsaWNpdFBv
+bGljeTEwIHN1YnN1YnN1YkNBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+oC8wLTAfBgNVHSMEGDAWgBSU13fFcSrU0xlv9FEgttqsCDLjrzAKBgNVHRQEAwIB
+ATANBgkqhkiG9w0BAQUFAAOBgQCOQiKox5Ra03JMmOtYMFhjQc/a+Z71bztOMBeS
+i6gwvMusLZSxYu+5aT4wFQHUMv/0hsVdjUFGOVKg33TlNcTmCAZYlLrRfgjkZuFl
+jRUjPObeYU5xXl0kA71S/4Wp6npjN+XA5nhKcUUyGMd9K5AWu/k1zaKrw47J225+
+YpRrrQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest2.pem
new file mode 100644
index 0000000000..40479f9470
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest2.pem
@@ -0,0 +1,262 @@
+subject=/C=US/O=Test Certificates/CN=Valid requireExplicitPolicy EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubsubCA
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBs
+aWNpdFBvbGljeTUgc3Vic3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBkMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxOTA3BgNVBAMTMFZhbGlkIHJlcXVpcmVFeHBsaWNpdFBvbGljeSBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0MjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo5atW4GH
+rxxchJEUckmfckvxY4c4sEEgPZIouuIcHeQAIjEjMhCqHNWrA7WiQLldqLSridIm
+FWVRxn9/wlv3oMMbBlf6xFLjr24zYTePsIFWBk5ZPbMBKcl7XqfeuF4jJ/vh0lj/
+Bi9W9Imt5ZvJu0EHSkQzm+NNis/Tgd4aWRUCAwEAAaNSMFAwHwYDVR0jBBgwFoAU
+PqkwZi+ntCWIhGfJrZiTFfiWzsUwHQYDVR0OBBYEFDLXXehvdjv0hNKAOrzbFme1
+lGWtMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOBgQBmbv/fgwsL3SAO
+6F4RmXOfTQTewhDfMQDEbwUJOfg7D09LIcIupI+cYY7iqjUq+gUeiAlMlL91ITlp
+oiKGUliex+bhygei8kSfmwT+l09yz3EPxCfdjY1k88ni+TedHBkoK0p7Q/uFG4DP
+Qk7DgGZ57nrx9maK4io59a/VTPM65A==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBQ
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNV
+BAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTUgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBAKzDYQYB3gcpzJVllE1FhnwJXEpyKjubhg5P3MDpRW9YRYSs
+W1O2TYeX633IhRRS8rsJW22Yzp4tN9M6cXqBTHB2+nwHtREHSxeSei31AnAu+2n1
+Q+XNJ9W5DLbdahLtURESEnEQSyViFMMYQjm7rxvORc/D9OIa4u+tx1ESGOGDAgMB
+AAGjfDB6MB8GA1UdIwQYMBaAFNXihi3xK2gXnA9evyu4ZpmeQxu6MB0GA1UdDgQW
+BBSVhouRNrt6b+KEFZDvRY4BJxZruDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEAB/OvefFEki9VuKt6EwjvNLjvjT1581w8qKpdHgDrYthrMm3JIULpn5zaRqyQ
+KIT8uu40HzKHagNpfdHQ1HNuEQ9qwIAQvtqmtJxqIR+kdeKXw78cN+TJzqaHuZu5
+VTidhmlVHaY/50quu7qqGiIQR4bcYrb4vY+adBBgrpcvUCM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBKzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5NSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlU17
+mwFm/6Yf08lbJU8q1FquMr1IaWlav4Qh1/UUFR3cRicBZZvQNTpxTcn1jmaSj8xK
+Gm9pUmbmbJBqiDYX5p1IwR1nmsyXxnaYD3SYadHlmb2emlzu1Dg3l6eKvaNh6h3a
+F0XDS/S+GtadjpVmuWdMIiWWrEVIFfGAL2VFaeUCAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU1eKGLfEraBecD16/
+K7hmmZ5DG7owDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQUwDQYJKoZIhvcNAQEF
+BQADgYEAjjGl1NeCLiMI9MFNgftmCe1ehHkE+Qr4TSJQfw9qZ5p0SRd2aOxq7km6
+ZwhF/E+wsS1CEwLRWaK7LqCmFx+XacoXjJi2XP5UjctH1tKyJx2YBhYrfzNkECJl
+u3KBUohmTd/aICG6oVE5ErcFFE/evv7LioMT94kub91V18EDgCw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subCA
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTUgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBvbGljeTUgc3Vic3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBANALzpI6Vb5grPqiSrzcOrNfPZ5pbbC4jjs89zo1
+RRGcMLQQt5wPHu1OKE6g2WXvikA0ompVqxKG7qeu/bTIcpm3CHowhRigOk/VJkCV
+Zyv9tdLzlWoiW2elI0uJ4BXsW8oU4sTxlx1/QlJbERwv1BwL5BQD3l02LP4vueE/
+U8HpAgMBAAGjfDB6MB8GA1UdIwQYMBaAFJWGi5E2u3pv4oQVkO9FjgEnFmu4MB0G
+A1UdDgQWBBQK52IWqA5PL7e4PyfIo6lfe0ZrpzAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEAmbgnzwSut1UU/jNuzF9ZK+x79DmpTDAv12ASnAPUvZJ8RTQBxYlL
+C/B0gYZsqUnyaEoZAsrSYktMdA2qDedWGFB94d+LVbpHNoNvxQl+0qMTTLh+gO4V
+JIrQ5hj2npLdDHKNi6a91lO83NqsyuITezJ0Nuhbvf9KuApxz069EO8=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBs
+aWNpdFBvbGljeTUgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+KzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBvbGljeTUgc3Vic3Vic3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALw7Jg17lRmWU52pn7qaLPiV7eLBCvpx
+S7uekBx+WtzvAVxUF+iI8whshUqsC4XzNHTs6BvS4QRwpixRMMMWwH/67kGAEADq
+lVYewPK7aMHMdDfCggIukUpy1DVR3KOc7rnVZ2tGKBbCFhAxPMXBgkketIAVJ1V4
++3nRS/QGSxF9AgMBAAGjfDB6MB8GA1UdIwQYMBaAFArnYhaoDk8vt7g/J8ijqV97
+RmunMB0GA1UdDgQWBBQ+qTBmL6e0JYiEZ8mtmJMV+JbOxTAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEArpriBQ3ArOVFh+HujQ+8cIihYFG5ri+SairjawVwbUb4
+HatEUky9Nh9YAxGn1YGdBpintIpQU/0WljldKXxvH2yn6hMCNV5ql4hhorP2YfWL
+8+S80IboVToDPKsEdzeAxs5Xeh3BY9DgJPY9RmDgJcXqb6I+1P2+3GIxGDpF/jM=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy5 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D5:E2:86:2D:F1:2B:68:17:9C:0F:5E:BF:2B:B8:66:99:9E:43:1B:BA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 32:06:95:6e:49:2d:7e:9f:9f:7d:d6:0e:3c:b0:73:4d:2a:d8:
+ 1d:86:f7:2f:61:f5:39:80:c7:b4:e6:3b:8c:90:1c:11:6c:0f:
+ fd:9b:c3:52:b9:aa:2e:bb:8e:25:b9:f6:75:b7:1a:2c:fc:45:
+ 81:54:f6:49:69:e2:78:ef:25:d2:cb:1b:7e:f8:7b:96:d9:37:
+ ba:f4:66:8f:e1:e7:56:96:ef:76:bd:4c:94:0e:fd:a8:35:16:
+ d1:2a:69:28:29:96:18:8b:a5:af:04:00:bc:d9:42:ff:ea:32:
+ 35:9b:3d:57:da:9e:a1:d5:e4:3e:e4:4f:4b:8f:5a:48:47:73:
+ 38:5d
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTUgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFNXihi3xK2gXnA9evyu4ZpmeQxu6MAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBADIGlW5JLX6fn33WDjywc00q2B2G9y9h9TmAx7TmO4yQHBFsD/2b
+w1K5qi67jiW59nW3Giz8RYFU9klp4njvJdLLG374e5bZN7r0Zo/h51aW73a9TJQO
+/ag1FtEqaSgplhiLpa8EALzZQv/qMjWbPVfanqHV5D7kT0uPWkhHczhd
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy5 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:95:86:8B:91:36:BB:7A:6F:E2:84:15:90:EF:45:8E:01:27:16:6B:B8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:84:54:e4:77:a5:7d:03:3d:7c:d0:a6:ea:6b:70:82:11:10:
+ 1b:9a:85:8c:ae:3d:8a:06:a3:2b:cc:a7:77:0c:be:7a:02:bc:
+ 2f:13:07:ff:83:e6:f6:7a:99:1e:a1:af:12:06:c5:ce:1b:f3:
+ 76:77:bc:ef:ef:a2:cb:96:36:3b:fd:b0:ce:5c:ae:30:af:9f:
+ ba:e7:16:e8:f2:66:74:82:6e:75:91:90:b1:59:a9:9e:8b:41:
+ 37:42:0f:1b:a8:4e:73:31:e1:b1:53:fb:8a:3d:ee:d3:e4:77:
+ a8:f8:ea:ea:21:f5:c5:be:1d:b5:e3:79:27:de:c3:d5:45:b0:
+ 87:24
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTUgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFJWGi5E2u3pv4oQVkO9FjgEnFmu4MAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAHOEVOR3pX0DPXzQpuprcIIREBuahYyuPYoGoyvMp3cMvnoC
+vC8TB/+D5vZ6mR6hrxIGxc4b83Z3vO/vosuWNjv9sM5crjCvn7rnFujyZnSCbnWR
+kLFZqZ6LQTdCDxuoTnMx4bFT+4o97tPkd6j46uoh9cW+HbXjeSfew9VFsIck
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:0A:E7:62:16:A8:0E:4F:2F:B7:B8:3F:27:C8:A3:A9:5F:7B:46:6B:A7
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 16:15:3e:47:cd:ae:b2:4b:8b:30:d4:ee:c4:1e:2a:d5:84:bc:
+ ca:b1:2b:a9:d3:37:be:f6:11:d1:1f:60:04:41:72:df:ca:d5:
+ 0b:74:5a:e8:a7:bd:32:25:cb:e8:e4:6d:c7:be:25:c3:63:9c:
+ 43:66:14:4a:0e:f7:ea:e1:83:a4:bf:5e:70:7b:a3:b7:12:c9:
+ 36:fc:99:85:58:0e:66:d2:a0:41:6e:a8:07:2e:f7:45:36:fe:
+ 71:3e:c4:7a:88:e2:0b:c2:c9:dd:30:81:b9:44:48:2a:1d:07:
+ 5a:cc:e1:49:9a:04:a6:5b:c4:6c:2a:f0:3f:8f:3b:04:ea:5d:
+ ab:70
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBv
+bGljeTUgc3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFArnYhaoDk8vt7g/J8ijqV97RmunMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBABYVPkfNrrJLizDU7sQeKtWEvMqxK6nTN772EdEfYARB
+ct/K1Qt0WuinvTIly+jkbce+JcNjnENmFEoO9+rhg6S/XnB7o7cSyTb8mYVYDmbS
+oEFuqAcu90U2/nE+xHqI4gvCyd0wgblESCodB1rM4UmaBKZbxGwq8D+POwTqXatw
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy5 subsubsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3E:A9:30:66:2F:A7:B4:25:88:84:67:C9:AD:98:93:15:F8:96:CE:C5
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0a:d7:14:66:2d:1d:2e:49:9d:35:99:54:76:ee:50:80:e2:37:
+ c3:d5:6a:64:02:f2:b2:12:d6:97:8c:a5:75:e0:a9:9e:3b:46:
+ ca:ce:31:b9:53:fe:fb:99:15:9b:7b:35:68:5c:9a:60:a0:da:
+ a9:2d:d8:1e:b8:89:61:89:01:1b:e4:40:76:fa:b9:62:cf:fe:
+ 87:6c:95:9e:da:19:db:4c:bd:3e:f1:25:57:3b:d3:ab:94:7b:
+ de:5a:ff:55:63:fe:49:ad:3b:45:92:c3:ba:49:79:45:89:3d:
+ 70:75:a9:53:1f:95:d6:c2:11:46:43:76:41:c0:02:49:23:d0:
+ ef:bc
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBv
+bGljeTUgc3Vic3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFD6pMGYvp7QliIRnya2YkxX4ls7FMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAArXFGYtHS5JnTWZVHbuUIDiN8PVamQC8rIS1peM
+pXXgqZ47RsrOMblT/vuZFZt7NWhcmmCg2qkt2B64iWGJARvkQHb6uWLP/odslZ7a
+GdtMvT7xJVc706uUe95a/1Vj/kmtO0WSw7pJeUWJPXB1qVMfldbCEUZDdkHAAkkj
+0O+8
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest4.pem
new file mode 100644
index 0000000000..96f230af53
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest4.pem
@@ -0,0 +1,262 @@
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 CA
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTAgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBQ
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNV
+BAMTHHJlcXVpcmVFeHBsaWNpdFBvbGljeTAgc3ViQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALoSt6pV4IRQVJ5TV99GOGi3yhBt0wvylEs6VYZL0D677yoV
+AIY3CQWXG27SKUYB8SQ1XC+a1sO4M5Q25mdWLXIN+TUmlNJW4BzLGh6B63bGDSnK
+FG+aVvh8ZvHloIu61d5gw3FokPmBeS0NF6XVBsbJMiLn7TdWeSFqYYTw+awhAgMB
+AAGjfDB6MB8GA1UdIwQYMBaAFHdqs2T1sexRei1lhv8CGH4LSo4nMB0GA1UdDgQW
+BBQHH/BwA0diipbRgYmqAFSJ+JxtKTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAw
+DjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEADvf91AyVaeC72JRsi71sKWf3f71NGoRSjxBnKh8VS/G0fIQElDmHHe01TZ3W
+t2zRBZROqLoG10YCxSheQdd0gE0yoqTdcc9l3kr0ZMhgfM4mRPYNL6kma3azT78F
+OqMJAUrnjjMYruGcLm7MLp3Lq2/7NjAN5q3ffuSrtwUwLHY=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5MCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvEVs
+LML3To+EEs99KIoLdE98+LzQkf1wQzrLhuqlF6UH8BJvupeClmchb4TFyXh3mkhT
+/DsdlWlScKGl1KiqKyXIrb5x0AebEDEHylhNhUgn7O/zU7WyuGDE4SU0QNR2T/C0
+mOEbjV9WR06GcmbMCp1GUY7zmfThFrZP2Cfj2PMCAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUd2qzZPWx7FF6LWWG
+/wIYfgtKjicwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQAwDQYJKoZIhvcNAQEF
+BQADgYEAWoBbngBiHa90n2Kdb0iXazi7wmnvtPZxJ2xLA/Ubv9qPzFUwoUM/Ikm8
+6o8sI8TYNuCwwni3ZrQwCfagtNsOeUXp0O86mLIVH7jr9YS2nBtuZdXAnL3lZW5r
+VHXxf0Fnmk+Nx3Frxf7tJfZVGGLCJCabwObF9o6Bgya4GP0FL20=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subCA
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBs
+aWNpdFBvbGljeTAgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBvbGljeTAgc3Vic3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBAMJOPDBu3Iqmav4DjiTzIKi6FmFd6HGBsW+dDPbs
+l6jZbrkDavBUtuqC5RMVJKvOyWY7GYIsUdgoSOJ2YHl38HO6nXhq3OFO8v0r0kU3
+SRPPM7vpiPYf3eMZm5Z77GT5XuGNUPSkepAfxaN1IEAqFoePT7wsGa9Zg77WcLUd
+nEw3AgMBAAGjfDB6MB8GA1UdIwQYMBaAFAcf8HADR2KKltGBiaoAVIn4nG0pMB0G
+A1UdDgQWBBSwQkkzaPMCKs1UIV3mYuFwzqUjQDAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEADXoLz5MBvHFKs5z47OgavmZKJQp+vIcDSOu4QUlIZgmIWcbcI7g9
+GKG0SIg5gXZhwoH3OXx3g5miGPzOi9iFtdkZXAZPX9JHsISpHfB9VcZYTfmW1T49
+ZrnCugvmdUnDLBitS9MKHkyU7zL/ACtlXB82SFbiCS1R8bEfU4Oozf4=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubsubCA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBs
+aWNpdFBvbGljeTAgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+KzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBvbGljeTAgc3Vic3Vic3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANk012Iq+sazBXGTgqICIE0GnFvathib
+YlOHsK/Iop6+DNGleJoAH6bqvS2ZWtkkIKE7WU3nfDUjMVp3IJyr8WDesDKvSJyg
+zy3y0e+XuMv3QtyFXxESXxHmY62UaILPgE9XMgcyAhOnVU4mQe7ScJDAcUeLgjcZ
+fQdBnGGCT/LVAgMBAAGjfDB6MB8GA1UdIwQYMBaAFLBCSTNo8wIqzVQhXeZi4XDO
+pSNAMB0GA1UdDgQWBBRZ1+jibtd5cIJhiBzPFFLktwdJKjAOBgNVHQ8BAf8EBAMC
+AQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEArZnuuewqU0IgdJEU6osnzsuX6E6A4igNSK1ZYUKmhRvn
+eyfrU5kHavTwnM+h7SkVB73S2w+OqHUGin2xIu92RcWzN7NV+oLWldhnYtalSyh1
+KiuKC41mAZweQv1Mrz/+5lIQDOUOtV2JXOjaA+T/JR/qFLo0MoqC+mBxk/w5eDg=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid requireExplicitPolicy EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubsubCA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBs
+aWNpdFBvbGljeTAgc3Vic3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBkMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxOTA3BgNVBAMTMFZhbGlkIHJlcXVpcmVFeHBsaWNpdFBvbGljeSBFRSBDZXJ0
+aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvs6xd2Lv
+4717eCUDGaJKN9HVbjqiBoJd9K18OP5hoJ/iyWNR7u1l+p4xbQNdi8iU8UV1hBrD
+RI2jahY2p/rgx+REkxcyhWXFc0qP5hMqbjUD9IuMyhUrwtSut0la+L/lbKuag7Ry
+pWlMe0FQUjnGev5zpdXCY4U9y2a+7jYuOOsCAwEAAaNrMGkwHwYDVR0jBBgwFoAU
+Wdfo4m7XeXCCYYgczxRS5LcHSSowHQYDVR0OBBYEFEEjHrhpuHHNWtHozi2HzhxK
+KgmLMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJ
+KoZIhvcNAQEFBQADgYEAVpfKjsWKyLdcOfar1+Ejc9eyGUzMXt7F1xXSqdnls/Z7
+RuG7jkY1lvUm1vHhVb2yP/OdC+rwwmx4cjxUAm0dNrE82qZNiRqgaaVO3llJD9zt
+AD5gAi0nJqUdJ7H1b3X6Jt9VGTNlc+0ZAEHnaSID1Ym2pa1433XgPPi1/YflkwE=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:77:6A:B3:64:F5:B1:EC:51:7A:2D:65:86:FF:02:18:7E:0B:4A:8E:27
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9d:78:0f:04:94:97:f9:ad:b6:17:8e:65:dd:6d:ec:65:bb:73:
+ 37:9a:1d:66:51:d7:97:b6:31:fb:62:a4:4a:21:3b:20:97:7a:
+ 4d:aa:ce:d2:95:f7:36:65:77:51:e8:d5:81:0a:b7:62:af:76:
+ 38:b7:77:72:2c:90:0b:8a:7c:31:58:cf:c6:1d:da:24:65:ef:
+ 06:7e:d7:21:96:a1:f2:62:dc:5d:fa:10:37:01:99:7b:14:34:
+ a8:cd:47:a4:cb:5e:ff:0e:b4:58:69:1f:70:f7:3b:2e:7c:77:
+ b4:33:82:7d:18:54:da:f3:5d:dc:5f:a1:1a:96:f6:d9:0b:ca:
+ 9b:a0
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTAgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFHdqs2T1sexRei1lhv8CGH4LSo4nMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJ14DwSUl/mttheOZd1t7GW7czeaHWZR15e2MftipEohOyCXek2q
+ztKV9zZld1Ho1YEKt2Kvdji3d3IskAuKfDFYz8Yd2iRl7wZ+1yGWofJi3F36EDcB
+mXsUNKjNR6TLXv8OtFhpH3D3Oy58d7Qzgn0YVNrzXdxfoRqW9tkLypug
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy0 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:07:1F:F0:70:03:47:62:8A:96:D1:81:89:AA:00:54:89:F8:9C:6D:29
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 7d:a5:df:f8:70:c7:9c:d9:f2:4e:c9:42:63:48:cc:17:87:29:
+ fb:99:c0:2a:11:8b:ce:ce:45:31:58:41:32:1c:39:ff:53:bc:
+ dc:24:df:9a:b5:10:83:8b:a3:aa:cd:3a:23:92:a7:8d:c3:56:
+ 83:19:c1:ed:d8:ad:c0:56:79:fd:c0:6b:bd:e9:bb:56:e6:18:
+ 1d:02:28:91:77:90:15:f2:44:51:61:81:ea:1f:92:a6:89:84:
+ cf:36:c9:e4:f2:6e:a8:01:11:82:96:fa:94:1b:fc:d7:e6:8b:
+ c0:8f:bd:87:30:8c:84:eb:84:3a:e5:21:42:d1:60:82:08:82:
+ 45:2b
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHHJlcXVpcmVFeHBsaWNpdFBv
+bGljeTAgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFAcf8HADR2KKltGBiaoAVIn4nG0pMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAH2l3/hwx5zZ8k7JQmNIzBeHKfuZwCoRi87ORTFYQTIcOf9T
+vNwk35q1EIOLo6rNOiOSp43DVoMZwe3YrcBWef3Aa73pu1bmGB0CKJF3kBXyRFFh
+geofkqaJhM82yeTybqgBEYKW+pQb/Nfmi8CPvYcwjITrhDrlIULRYIIIgkUr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B0:42:49:33:68:F3:02:2A:CD:54:21:5D:E6:62:E1:70:CE:A5:23:40
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 95:8d:6b:ad:bc:a7:38:7a:12:70:e4:e6:bf:06:91:0f:ac:72:
+ f0:da:aa:50:e1:51:a1:8c:d2:d2:00:73:2a:6f:54:04:77:ee:
+ 83:aa:c1:d4:32:cd:70:ca:5c:98:62:3f:a1:6c:4a:af:53:8b:
+ f9:0d:7c:50:17:90:f3:e3:93:4d:c1:3f:2b:59:f0:12:3a:d9:
+ 25:5b:15:3b:71:14:bc:29:b0:2f:b7:93:c6:93:b0:c1:fa:88:
+ c8:2d:ca:fd:03:c1:ec:dd:0b:95:af:8c:d5:7a:0f:41:48:ea:
+ 03:07:6f:57:2e:b3:b8:c6:3e:54:a7:9c:57:4f:27:f4:c3:9c:
+ 25:5d
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH3JlcXVpcmVFeHBsaWNpdFBv
+bGljeTAgc3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFLBCSTNo8wIqzVQhXeZi4XDOpSNAMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAJWNa628pzh6EnDk5r8GkQ+scvDaqlDhUaGM0tIAcypv
+VAR37oOqwdQyzXDKXJhiP6FsSq9Ti/kNfFAXkPPjk03BPytZ8BI62SVbFTtxFLwp
+sC+3k8aTsMH6iMgtyv0DwezdC5WvjNV6D0FI6gMHb1cus7jGPlSnnFdPJ/TDnCVd
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy0 subsubsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:59:D7:E8:E2:6E:D7:79:70:82:61:88:1C:CF:14:52:E4:B7:07:49:2A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ b0:23:c2:ec:e2:e9:c0:87:e9:75:d3:ee:a4:c5:3b:9c:27:c4:
+ ab:b2:67:74:79:f8:5b:cd:4b:20:0b:ee:19:32:8e:8b:d2:e7:
+ 67:5f:da:83:a7:31:09:08:0f:b8:64:2a:08:96:1c:78:db:13:
+ af:77:26:0f:01:3a:e1:98:d7:41:b9:e5:86:9c:b1:36:a8:92:
+ bf:6f:cf:62:13:33:3e:1e:79:02:e5:a6:8f:11:69:fb:1e:86:
+ b9:12:18:67:cf:6e:c6:1e:d8:bb:2f:a0:86:dd:66:c8:0b:71:
+ a5:68:fb:91:9e:f5:ca:58:80:7e:27:18:e0:4e:3a:34:45:23:
+ cc:c1
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTInJlcXVpcmVFeHBsaWNpdFBv
+bGljeTAgc3Vic3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFFnX6OJu13lwgmGIHM8UUuS3B0kqMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBALAjwuzi6cCH6XXT7qTFO5wnxKuyZ3R5+FvNSyAL
+7hkyjovS52df2oOnMQkID7hkKgiWHHjbE693Jg8BOuGY10G55YacsTaokr9vz2IT
+Mz4eeQLlpo8RafsehrkSGGfPbsYe2LsvoIbdZsgLcaVo+5Ge9cpYgH4nGOBOOjRF
+I8zB
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRolloverfromPrintableStringtoUTF8StringTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRolloverfromPrintableStringtoUTF8StringTest10.pem
new file mode 100644
index 0000000000..0f10912926
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRolloverfromPrintableStringtoUTF8StringTest10.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=Rollover from PrintableString to UTF8String CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClDCCAf2gAwIBAgIBYzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE3MDUGA1UEAxMuUm9sbG92ZXIg
+ZnJvbSBQcmludGFibGVTdHJpbmcgdG8gVVRGOFN0cmluZyBDQTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAoNL+uym7FlmTUpQwimiPNXt8IR0+KjdAFbDkTqLk
+zxHkpKBqAjTWzEPRqnhsBmjPfLrS8omVrcKIOBgIbOCoRU098SYWt4/2WRbHhAKF
+kauf7d7NsN4WEDXJmlqiZrJLHDihW686RcpL7luSLrlXVXT1h2dWI08VpDUNrz6P
+L/cCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYD
+VR0OBBYEFDeXpBvbNFU1D8m0TcZ+SxfopIk8MA4GA1UdDwEB/wQEAwIBBjAXBgNV
+HSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQDFX488L1PqURnQTZU0RgicEAHXUj3SLP3buSF/vMC1KHZd9JPnmf2e
+y1OGQ0S+B4lNX9VJEnS5f8w5bU0kcpGYQTPuFrTZvNZtN/4ZIZTLauFkEjM8sa13
+0CNwd0zMj/Dl1nQ2z8/wHLnfClEFmJHTZZ39W0jD/Lfg2hQvn43Tcg==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Rollover PrintableString to UTF8String EE Cert Test10
+issuer=/C=US/O=Test Certificates/CN=Rollover from PrintableString to UTF8String CA
+-----BEGIN CERTIFICATE-----
+MIICsjCCAhugAwIBAgIBATANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEa
+MBgGA1UECgwRVGVzdCBDZXJ0aWZpY2F0ZXMxNzA1BgNVBAMMLlJvbGxvdmVyIGZy
+b20gUHJpbnRhYmxlU3RyaW5nIHRvIFVURjhTdHJpbmcgQ0EwHhcNMDEwNDE5MTQ1
+NzIwWhcNMTEwNDE5MTQ1NzIwWjBvMQswCQYDVQQGEwJVUzEaMBgGA1UECgwRVGVz
+dCBDZXJ0aWZpY2F0ZXMxRDBCBgNVBAMMO1ZhbGlkIFJvbGxvdmVyIFByaW50YWJs
+ZVN0cmluZyB0byBVVEY4U3RyaW5nIEVFIENlcnQgVGVzdDEwMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDDncK1nAho7wt1siRGXkw0eRAeI3uztOfqSwGhT1ih
+XbW47ek9MiPqCRlX1RKOXve8quD7MM0ibzWjiroSxsaeM7gW91nwOZn8V+UfqmJF
+CikNAA17A/y9Nk+IVx8b2VB+Kjixg9HW2ZbqJiSq4Ci9Dkz2mH9sgjI0On0OSLDq
+2wIDAQABo2swaTAfBgNVHSMEGDAWgBQ3l6Qb2zRVNQ/JtE3GfksX6KSJPDAdBgNV
+HQ4EFgQUdLZDDyDir0HSFv0sejwUl8S6IxwwDgYDVR0PAQH/BAQDAgTwMBcGA1Ud
+IAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAcxCi0hkgCRB1w
+uurTKVDyZTQ5ttLsggNpE6uqL+mGyAk/uYcGTxNM1Wx38DDqb+yJnF6CkLRwBk2c
+mEtKFVYwX3s/h+RPe+MO4WBurdVGfxpE3df2wvyYS7WOnd7iRhRirmm8LMoGPLoY
+w40WU1JjVs4Mg8vHt4OpmiFXlrv7nQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Rollover from PrintableString to UTF8String CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:37:97:A4:1B:DB:34:55:35:0F:C9:B4:4D:C6:7E:4B:17:E8:A4:89:3C
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 2a:72:92:90:cd:32:d0:c4:99:63:47:0a:9b:95:28:27:8e:04:
+ 1e:49:38:bc:54:a7:da:f7:2b:58:34:d8:bc:ad:3e:a4:fa:0f:
+ 85:84:fb:49:95:3f:7f:a0:c3:fb:94:07:2a:a9:66:44:e1:10:
+ 04:55:4f:dd:ba:6c:bd:f8:f9:be:0c:de:28:54:fd:cd:f4:50:
+ ac:4c:9e:01:e6:92:bf:11:cd:b6:69:5d:10:f3:3d:25:f9:1e:
+ 7f:2d:d4:04:5e:4e:9e:b4:f2:10:94:1f:30:0d:27:4d:2f:6d:
+ 41:4e:31:ae:20:2a:d8:90:34:32:92:d6:1c:b1:21:99:57:2e:
+ 63:04
+-----BEGIN X509 CRL-----
+MIIBWzCBxQIBATANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEaMBgGA1UE
+CgwRVGVzdCBDZXJ0aWZpY2F0ZXMxNzA1BgNVBAMMLlJvbGxvdmVyIGZyb20gUHJp
+bnRhYmxlU3RyaW5nIHRvIFVURjhTdHJpbmcgQ0EXDTAxMDQxOTE0NTcyMFoXDTEx
+MDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFDeXpBvbNFU1D8m0TcZ+SxfopIk8
+MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBACpykpDNMtDEmWNHCpuVKCeO
+BB5JOLxUp9r3K1g02LytPqT6D4WE+0mVP3+gw/uUByqpZkThEARVT926bL34+b4M
+3ihU/c30UKxMngHmkr8RzbZpXRDzPSX5Hn8t1AReTp608hCUHzANJ00vbUFOMa4g
+KtiQNDKS1hyxIZlXLmME
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedDNnameConstraintsTest19.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedDNnameConstraintsTest19.pem
new file mode 100644
index 0000000000..32e7d402c4
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedDNnameConstraintsTest19.pem
@@ -0,0 +1,130 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIIChjCCAe+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMT
+Fm5hbWVDb25zdHJhaW50cyBETjEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAMqEGhcWtsw26V0XQSph1+hgHUlNVe4yFus4l56oS+MKdra/qys502m3Is9s
+KPNUyWAzPUBCaj37+cC/lnojJTpZw0lyfOSeqDAfbcDMzp39U2ujHbqQ41fGTeIJ
+haOs4hUUIapsmLZ/1iETEyHFfB9ib5oSCPAMvRtDEvNwITDvAgMBAAGjfDB6MB8G
+A1UdIwQYMBaAFE4uo+fZ3YungjtBSsOefFkjV05TMB0GA1UdDgQWBBS3rAnyZ9I5
+cWLbrRE1M5H8lPPz2jAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEALE7Y6U98
+nXWJYm65/DslSMoEgBrKSB8w4Z2y+sE41dhd99EFWOwUV3UFoVk+IPgmvwpdpXcf
+n1CZdWh9MvR7lZ4cBiSRoWLz8D5okZPX1HyarXNSQwJjZv91zs3/xi78DUrOfW5f
+nE5txAvRjHP7PrMcb/gatjC2p9oKDpW6+ro=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=permittedSubtree1/CN=Valid DN nameConstraints EE Certificate Test19
+issuer=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+-----BEGIN CERTIFICATE-----
+MIICqTCCAhKgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJh
+aW50cyBETjEgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjB+MQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAsT
+EXBlcm1pdHRlZFN1YnRyZWUxMTcwNQYDVQQDEy5WYWxpZCBETiBuYW1lQ29uc3Ry
+YWludHMgRUUgQ2VydGlmaWNhdGUgVGVzdDE5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCtryyDuHNmy8nLnEcuJZ6bwOq0A+ka/Kj0Um0Xgd1sop3boX4Rjv1q
+EpvwNZoizR25z5Cw2J3wfdrtm/CtazuoF+2O9M5/g7STTtPUDAhwiR2uRWnRKpUc
+SEQaxHFmfdaPAJI14E5BhrlRRHxHu6kNuENcF5lwuGUcxuL68jhsbQIDAQABo2sw
+aTAfBgNVHSMEGDAWgBS3rAnyZ9I5cWLbrRE1M5H8lPPz2jAdBgNVHQ4EFgQU0BJ9
+iRt74wy57LStnAe8vRiy+8wwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQBX2LLxEBd+in5MEzdLeQNWFBzY
+B9CJ1quGFFe2AfYozACv7MzAiHJj1rU0ik2bjYw3r8mUIOEBuYyi+5syyK97cV8z
+e2FFWRCkUkcOWt2b7AizbFVt0M9IEFnhTsM2nVCeSD+f3wO1IYBzINkqwMqmnejZ
+zThT0HTy6hrX/maRAQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAkKgAwIBAgIBPjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWbmFtZUNvbnN0
+cmFpbnRzIEROMSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnL2vzTK+
+WcGR2rmlezdUTUQkfIvzcTWRIVW2x+BxQPrPfoLqmpYZar4sY8ND0l3pQWcIFsGY
+AYmm2vHULqUxZMW9R/dM3wqstOXd2JJVxvw/v4ajYB5lPNcrv8LyxxjVU2daqlYX
+BCfL9/O6417oYys1UKNtEp6n6HV/ZbEJG70CAwEAAaOB2DCB1TAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUTi6j59ndi6eCO0FKw558
+WSNXTlMwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAP
+BgNVHRMBAf8EBTADAQH/MFkGA1UdHgEB/wRPME2gSzBJpEcwRTELMAkGA1UEBhMC
+VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRowGAYDVQQLExFwZXJtaXR0
+ZWRTdWJ0cmVlMTANBgkqhkiG9w0BAQUFAAOBgQC9ypqhZWCmrISRla+Nxp/vshOs
+UQcyF9Se7PBrkAfl37dg70aSgX0/6Xef8i5v3MRCar6lM8x+coBMHK41VUG9g6VW
+2DAoCG3ajBCj48vN0Gd4dUwvsGAmmVuIwH0R/+2IBMp00341fpjIjUrMpxcxDFwe
+Ve3YFugTb2fMnETR7A==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints DN1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:4E:2E:A3:E7:D9:DD:8B:A7:82:3B:41:4A:C3:9E:7C:59:23:57:4E:53
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 99:8a:59:ed:d0:76:00:b5:5b:70:91:75:a0:4d:60:16:df:72:
+ 71:89:61:43:5b:d4:65:f6:8d:0b:25:39:17:86:6d:1d:c4:cc:
+ 19:3c:20:21:71:5f:a3:5f:d4:52:e6:d1:c4:cb:39:92:65:80:
+ 74:46:a9:5c:7c:7c:c2:4c:1f:8d:fb:aa:bd:4a:de:6a:3b:0a:
+ 29:ba:9c:70:13:84:fd:c7:aa:d3:03:99:f0:93:3a:cf:cb:e2:
+ 39:e9:e3:1b:ff:10:07:a3:51:5c:ff:dd:da:a9:29:05:12:3a:
+ f0:10:a1:d8:9c:5e:ec:0f:c3:02:cd:f9:ab:b2:d0:36:32:0e:
+ e8:eb
+-----BEGIN X509 CRL-----
+MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm5hbWVDb25zdHJhaW50cyBE
+TjEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY
+MBaAFE4uo+fZ3YungjtBSsOefFkjV05TMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAJmKWe3QdgC1W3CRdaBNYBbfcnGJYUNb1GX2jQslOReGbR3EzBk8ICFx
+X6Nf1FLm0cTLOZJlgHRGqVx8fMJMH437qr1K3mo7Cim6nHAThP3HqtMDmfCTOs/L
+4jnp4xv/EAejUVz/3dqpKQUSOvAQodicXuwPwwLN+auy0DYyDujr
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest7.pem
new file mode 100644
index 0000000000..4b8f08b93b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest7.pem
@@ -0,0 +1,178 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAOJaxR70a7a1EjJOHlf9fG9BEsSto4MGr1bnQLMud29/o1aka1mDrcT4ehXL
+RT2j2lOFHI+7Cv5UrjI2iI/CWsH+z+PM+sB19pJmrqshzC5FwfeHDzFTUsn8D+5R
+WJAx3NZbB++nDKkIIPql/K61Z8VyKD+3k7nNSHvXV+dKCWd3AgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFKeFECzgAW7nVCNqd6KPFwSv++MSMB0GA1UdDgQWBBSryEEAJtDV
+TOYrVmfs74LEwt3yVTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAcBSBfFavoevmu4Jr
+Fzz3LyHSA3rWhajms8ZL6AtVPDfyQaJsZizVZqKYejWLXv3jNCri/c5BBB2XTXdD
+zAQfwr2W2FfXMkNDUWt95C0NOF7NK5Z2XbmFMGaqn8y/rsYv+Zj7zl98yp0efRKw
+JEDyqFgkV/+0sLFjQvvcCdY9ucM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR0wGwYDVQQDExRp
+bmhpYml0QW55UG9saWN5MSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vcxz0dHrlH/i+DaS78z2Y0O98xlH0yo64kCvWxGo//3ZvMZl+wyQwcAOqDnIH20X
+Fi+G9BhwuyzlaqMenvEQFImtvvDspxYtq/xqmTHET1+9rkF0f8Ex8uV9VgGGMJFB
+Kjax2S+jexoGNro4EeLopi6cOXBgeqwkzcpdi0C3ugECAwEAAaN8MHowHwYDVR0j
+BBgwFoAUZtu1lMcFxLM+K5G538io0E0rNEQwHQYDVR0OBBYEFKeFECzgAW7nVCNq
+d6KPFwSv++MSMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGuWkVLrBfOy6K
+Y46FaTMnWYkjBWyjC9mgPrq97h90tejc8Z+5Q7u+WD+f//iSoC19Uy65lnk10g56
+UqaqA7zZQ25N28un3YqnKwS1pWrtUGNiAi3vYPUkmwq+6PJvWAcVl56td6OmQOIO
+hDwXMBUcDUYTCVAMRY5fiMx7ARRmeQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued inhibitAnyPolicy EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGsx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFAMD4GA1UE
+AxM3VmFsaWQgU2VsZi1Jc3N1ZWQgaW5oaWJpdEFueVBvbGljeSBFRSBDZXJ0aWZp
+Y2F0ZSBUZXN0NzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6DBDhDh8Fq9l
+WtOenCnLV5XS52CTXaNqy6/fxR6xw6bm0s2p2D0Br1TeO6qn9oxXMMohGo1XU/wk
+hUbde93GnnMNVlPZqTvaGvcq5OjaE9Y7r/QE+P/dSV/mXJsmIbwbba/n4KqgF6yj
+XfJ5QXz2jEVWKIAESIUdsz8i73joVw8CAwEAAaNrMGkwHwYDVR0jBBgwFoAUq8hB
+ACbQ1UzmK1Zn7O+CxMLd8lUwHQYDVR0OBBYEFOlqW20Og/KffGodN27T80jZjAQu
+MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZI
+hvcNAQEFBQADgYEAaRukvyRgU3wxzMNx2864sByNAhV3ujEGeCMnBn3DLfeM5ioo
+PXYjuq2PEs6I+o55xSX1cGwCtcZHay0MGiz292T5DUrhDJoN8nhJ+yNjzsjB2kpv
+zJrDwMEv5liNVCtbsVNMDCBsje+ukkmbmVVVzpRlnmVmwrWsX58V/pX4crU=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AB:C8:41:00:26:D0:D5:4C:E6:2B:56:67:EC:EF:82:C4:C2:DD:F2:55
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:eb:03:68:bb:91:5d:9a:09:2a:f7:5c:73:90:8d:e8:4b:23:
+ 92:c3:d6:b3:8b:81:ba:d2:b9:dc:a1:e4:48:29:a8:98:cf:59:
+ db:2b:1e:de:1a:ce:db:cd:5a:dd:de:f5:f3:91:13:9c:1e:a6:
+ c8:4c:d1:ee:24:10:7c:95:df:a0:ed:4d:f9:a5:16:43:89:af:
+ 18:f6:1c:24:b0:70:9c:62:86:07:f8:0c:e1:61:d6:99:ed:7b:
+ 88:58:9f:79:d6:3a:1e:ba:aa:52:97:13:5e:00:7d:00:ce:9a:
+ d2:34:9f:0d:bc:18:09:f8:10:2d:c5:d2:8f:d7:eb:a9:59:25:
+ 45:1c
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUq8hBACbQ1UzmK1Zn7O+CxMLd8lUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAhesDaLuRXZoJKvdcc5CN6EsjksPWs4uButK53KHkSCmomM9Z2yse
+3hrO281a3d7185ETnB6myEzR7iQQfJXfoO1N+aUWQ4mvGPYcJLBwnGKGB/gM4WHW
+me17iFifedY6HrqqUpcTXgB9AM6a0jSfDbwYCfgQLcXSj9frqVklRRw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest9.pem
new file mode 100644
index 0000000000..2ac5275855
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest9.pem
@@ -0,0 +1,197 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAOJaxR70a7a1EjJOHlf9fG9BEsSto4MGr1bnQLMud29/o1aka1mDrcT4ehXL
+RT2j2lOFHI+7Cv5UrjI2iI/CWsH+z+PM+sB19pJmrqshzC5FwfeHDzFTUsn8D+5R
+WJAx3NZbB++nDKkIIPql/K61Z8VyKD+3k7nNSHvXV+dKCWd3AgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFKeFECzgAW7nVCNqd6KPFwSv++MSMB0GA1UdDgQWBBSryEEAJtDV
+TOYrVmfs74LEwt3yVTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAcBSBfFavoevmu4Jr
+Fzz3LyHSA3rWhajms8ZL6AtVPDfyQaJsZizVZqKYejWLXv3jNCri/c5BBB2XTXdD
+zAQfwr2W2FfXMkNDUWt95C0NOF7NK5Z2XbmFMGaqn8y/rsYv+Zj7zl98yp0efRKw
+JEDyqFgkV/+0sLFjQvvcCdY9ucM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBAzANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowSDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR0wGwYDVQQDExRp
+bmhpYml0QW55UG9saWN5MSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vcxz0dHrlH/i+DaS78z2Y0O98xlH0yo64kCvWxGo//3ZvMZl+wyQwcAOqDnIH20X
+Fi+G9BhwuyzlaqMenvEQFImtvvDspxYtq/xqmTHET1+9rkF0f8Ex8uV9VgGGMJFB
+Kjax2S+jexoGNro4EeLopi6cOXBgeqwkzcpdi0C3ugECAwEAAaN8MHowHwYDVR0j
+BBgwFoAUZtu1lMcFxLM+K5G538io0E0rNEQwHQYDVR0OBBYEFKeFECzgAW7nVCNq
+d6KPFwSv++MSMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGuWkVLrBfOy6K
+Y46FaTMnWYkjBWyjC9mgPrq97h90tejc8Z+5Q7u+WD+f//iSoC19Uy65lnk10g56
+UqaqA7zZQ25N28un3YqnKwS1pWrtUGNiAi3vYPUkmwq+6PJvWAcVl56td6OmQOIO
+hDwXMBUcDUYTCVAMRY5fiMx7ARRmeQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UE
+AxMYaW5oaWJpdEFueVBvbGljeTEgc3ViQ0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCc2RpX4l2ip6DQkyPrZQ5fiP3xdhXT2e4QAznpwy2Z5q9TlYhF0sFw
+yiFNITCwI50K+JrcR/FtOMFTiGkDJdNSD6JJ9KXmV2Ub4/oFXhmdPkkW3+LyckWV
+cpDuhOBoI8E+ni0ZFTuduAa9E8yQX5PKazSSbeERNXFHIdMij7WuxwIDAQABo3Yw
+dDAfBgNVHSMEGDAWgBSryEEAJtDVTOYrVmfs74LEwt3yVTAdBgNVHQ4EFgQU3Ymd
+Zrnid46ozhWkgrKgpMameo8wDgYDVR0PAQH/BAQDAgEGMBEGA1UdIAQKMAgwBgYE
+VR0gADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAM/wnG9l6jp+
+ViHhfrgGuXyp29iH1trRzZVkRtta2Htz5cEy+DfQ1bKtALeOj+3XycvDjFBK3XFX
+Fj5Kq26Wr29hb46xdtNHFdkYvsyfD9Nmh1OvcqEkW0rmMqtr/+z3bTX+qegUtJ4Z
+vjllBLFSy/60sopz/da7BfJiG3vBvoij
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued inhibitAnyPolicy EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGsx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFAMD4GA1UE
+AxM3VmFsaWQgU2VsZi1Jc3N1ZWQgaW5oaWJpdEFueVBvbGljeSBFRSBDZXJ0aWZp
+Y2F0ZSBUZXN0OTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqkkaVxrrWKva
+xC65OTtGWaNoO/KVt03UN4EW/fxbAwU79QI6lYLlcnTOpmNlAU9HVGEvunAZ/RBl
+AtZOKSiAGjuEZPkn37sS6SnhR1ANPyNA0KTI9uXIXDKde2sGXwNSbsiQbDko3vdV
+EIfKC00+2GBB7MxARHUpZZ7kGAP4XIkCAwEAAaNrMGkwHwYDVR0jBBgwFoAU3Ymd
+Zrnid46ozhWkgrKgpMameo8wHQYDVR0OBBYEFJf4i3/rlw5BfP8DOFHqMlOM+3vU
+MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZI
+hvcNAQEFBQADgYEAg9u+FJzES1LZQVxwLZwZZ+9Q7q68jcUqdvzV1I0kFxESgspa
+7a+fTUyYDbMr4qZ9zrMbJDDLkwS8a9vSwZJmfLSZYGECYAuTZFTe5p6CeQyToEfF
+l+MA+CUr5ogWe2dpQQ/OmurKn/idqncuvoIpaWH7fvnpOyKcqo27Q2hUhrA=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AB:C8:41:00:26:D0:D5:4C:E6:2B:56:67:EC:EF:82:C4:C2:DD:F2:55
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 85:eb:03:68:bb:91:5d:9a:09:2a:f7:5c:73:90:8d:e8:4b:23:
+ 92:c3:d6:b3:8b:81:ba:d2:b9:dc:a1:e4:48:29:a8:98:cf:59:
+ db:2b:1e:de:1a:ce:db:cd:5a:dd:de:f5:f3:91:13:9c:1e:a6:
+ c8:4c:d1:ee:24:10:7c:95:df:a0:ed:4d:f9:a5:16:43:89:af:
+ 18:f6:1c:24:b0:70:9c:62:86:07:f8:0c:e1:61:d6:99:ed:7b:
+ 88:58:9f:79:d6:3a:1e:ba:aa:52:97:13:5e:00:7d:00:ce:9a:
+ d2:34:9f:0d:bc:18:09:f8:10:2d:c5:d2:8f:d7:eb:a9:59:25:
+ 45:1c
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUq8hBACbQ1UzmK1Zn7O+CxMLd8lUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAhesDaLuRXZoJKvdcc5CN6EsjksPWs4uButK53KHkSCmomM9Z2yse
+3hrO281a3d7185ETnB6myEzR7iQQfJXfoO1N+aUWQ4mvGPYcJLBwnGKGB/gM4WHW
+me17iFifedY6HrqqUpcTXgB9AM6a0jSfDbwYCfgQLcXSj9frqVklRRw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitPolicyMappingTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitPolicyMappingTest7.pem
new file mode 100644
index 0000000000..0a0596b259
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitPolicyMappingTest7.pem
@@ -0,0 +1,180 @@
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+ME8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIG
+A1UEAxMbaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQCX3X8GrbxUXCENLok/vrVUA4snN0DJ+ja+Vct+doODtUFE
+99ZdYrT+qEPGAkioxAKElsWQDHoAjlv/TjoSxbV6BURJiMk+pIdN/N3oOtLz9N5y
+emO4Nq8Wv3A6dmTeqV/BvhEmKyKd9h/0Vy3gTP/eIqA8vhyxOpPLAB/gKIIWUwID
+AQABo3wwejAfBgNVHSMEGDAWgBSqaWS1UuWiYwoKoPNqFz8gsgPUtDAdBgNVHQ4E
+FgQUbFzipWxbYKUZ3ncFU1rjNTWvrRswDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAImoE0/jphqmO48yRD2BCE5RlbnLVfXqKMbZ61lxs7X2Z2oC7QmmXJ8xH0vu
+YmnqpQTJjLwJc6janX9zk3DIdokB0PPu6HAtSb3GeETMG2tQFA3aeDyg8xjqGNBD
+OHfNDd64bvLnKZWb3bLEPfnZf6WTaRV/x56wf+7+NPg+zJop
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBOjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEkMCIGA1UEAxMbaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA
+643DGHdT8CXwVc2GtZQbRQTdptkiSzy79NPJD2XLU9LpWnrgyGzl4j7xUeYVspxY
+Ws/mpZCQOb2hs8eDfHKisjtcKj8Y8r0S8Csb3dsG19Rmjbg/2SiF5ZMaHzPi0QAk
+m008o0bwHaSBlFHigtvqu563VpgMs52ksx3BV1BKZQIDAQABo4GRMIGOMB8GA1Ud
+IwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBSqaWS1UuWiYwoK
+oPNqFz8gsgPUtDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATABMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgwBoABAIEBATANBgkqhkiG
+9w0BAQUFAAOBgQA3+2MqCUqi2aRGC2CQMzptfla5lfBz0GLy7p1VBIoKLOe6/rAb
+IhVjO2X7pWEJosnjfmKUOggaCctxUuGgA/okQKTXTXQwXJwJNv2qS5lf1AHD4B99
+pZ5ebQ5FJ+RZBB6HiUWabWVfJ41WPI7ceJ8fh/Riau+XJg2KLE8myngRMA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued inhibitPolicyMapping EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+-----BEGIN CERTIFICATE-----
+MIICojCCAgugAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3
+MjBaMG8xCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFE
+MEIGA1UEAxM7VmFsaWQgU2VsZi1Jc3N1ZWQgaW5oaWJpdFBvbGljeU1hcHBpbmcg
+RUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALAZ39MGl31J7AeGVi+NMkr2Za9Sm9LwaUKnv+U+4kjo1pvbj8KegARFAYToj7LF
+KujtuYlkH9HC9PW9p0X0zlfGyLo+jYBaT28HaJodaa2AmpEz0ZxmLsEBnjVNlC/R
++vUNa51CNV85Wv2V/FVkznQSlqdRP/89SCfIL/Rd/rLRAgMBAAGjazBpMB8GA1Ud
+IwQYMBaAFLamwerAUlPfhv1mSeS0Rr5jMwwVMB0GA1UdDgQWBBRFegfFmXt1cyLu
+vHj7WA8p2BokYTAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMC
+ATACMA0GCSqGSIb3DQEBBQUAA4GBAE1aoLRAB7FVyZHDy+jfyHRnvk2c/hNkhsYQ
+VuxpPqQnt8pCBUl9lUAwlb9W1JoR274/B4pIYmqM869ptHJJjbbNkOBdudX6462F
+v4rtoK+1egfyqLiEcmQNcGSqq7w6tBw1k9DV6t8D1BYvzh6JfN7z+BY4b8dOq5O4
+2eSGt5qS
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+-----BEGIN CERTIFICATE-----
+MIICvTCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa
+MFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEnMCUG
+A1UEAxMeaW5oaWJpdFBvbGljeU1hcHBpbmcxIFAxIHN1YkNBMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQDlD9RQqLmz1R8mmDv95sxGdTT50F3U2U2PHAx0M0R/
+EmmreJx8mubNNUzKpH+jIQCsgKqAH+CJH/LDeCzow3F/cS0bcKYF/x1hJhJHO+pP
+uBgIa0yNq+hkNY9F+V/b+auEovg9yqIThiE9atAWfL1IRnRW5qpSi7si8qQdGWGt
+iQIDAQABo4GlMIGiMB8GA1UdIwQYMBaAFGxc4qVsW2ClGd53BVNa4zU1r60bMB0G
+A1UdDgQWBBS2psHqwFJT34b9ZknktEa+YzMMFTAOBgNVHQ8BAf8EBAMCAQYwFwYD
+VR0gBBAwDjAMBgpghkgBZQMCATABMCYGA1UdIQEB/wQcMBowGAYKYIZIAWUDAgEw
+AQYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
+AAjqz5quHRrfjyt+VRbtAM5KfKQS9G5SMsxGGdD/A8Nu5JYAN5FGi9X+RjLqeBzD
+6hmnFNNPFZx9LtO1s4wBoM06zoAddrIISUWehidWkxh7YEJSt4OSQ3fHNO0lgHaC
+WnvV8cZ3JLFezL+4ZDzXUJYoxmGCjerFTfIszoyvBuu6
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AA:69:64:B5:52:E5:A2:63:0A:0A:A0:F3:6A:17:3F:20:B2:03:D4:B4
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8d:01:00:85:8d:99:b7:5b:7f:63:14:5b:20:de:25:35:78:25:
+ 50:56:9d:78:eb:ac:15:34:90:c7:18:cd:03:ad:4b:80:9f:b2:
+ 09:73:d0:8d:c9:dd:a2:5b:e5:c2:9e:30:ad:09:06:ad:8c:56:
+ 7b:39:76:aa:1e:13:a6:21:2b:68:c4:93:f3:39:fb:7c:7a:f7:
+ 2d:e4:d3:ac:5c:a6:38:07:9e:f5:b7:c2:54:6c:e7:76:9b:2e:
+ 74:5e:cd:83:1f:25:c0:d6:4d:af:ab:29:47:dd:b0:87:79:86:
+ f3:4d:89:80:2c:21:14:68:ec:4d:cd:67:d0:88:94:63:d1:db:
+ f7:a4
+-----BEGIN X509 CRL-----
+MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD
+VR0jBBgwFoAUqmlktVLlomMKCqDzahc/ILID1LQwCgYDVR0UBAMCAQEwDQYJKoZI
+hvcNAQEFBQADgYEAjQEAhY2Zt1t/YxRbIN4lNXglUFadeOusFTSQxxjNA61LgJ+y
+CXPQjcndolvlwp4wrQkGrYxWezl2qh4TpiEraMST8zn7fHr3LeTTrFymOAee9bfC
+VGzndpsudF7Ngx8lwNZNr6spR92wh3mG802JgCwhFGjsTc1n0IiUY9Hb96Q=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B6:A6:C1:EA:C0:52:53:DF:86:FD:66:49:E4:B4:46:BE:63:33:0C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:fc:6a:e9:aa:6d:46:16:9f:65:05:ec:bb:4a:e3:de:fc:ee:
+ 4b:6a:61:7b:4f:ca:b0:86:90:90:f9:3e:ee:42:70:bf:70:51:
+ 0b:ab:f0:b5:51:4f:78:f2:03:59:1e:5b:01:1d:6f:79:b6:d9:
+ c2:38:83:22:b4:ae:64:06:63:5a:af:04:58:6c:a1:e2:3f:64:
+ ce:f2:24:20:0c:a4:77:52:e1:cc:23:3f:5f:a7:89:20:85:fb:
+ cd:f8:c1:09:98:bb:62:c3:62:0b:75:38:01:b0:93:d6:bf:22:
+ d0:18:ff:04:52:25:72:bc:c9:d4:e5:77:fa:b6:84:9d:bb:d9:
+ 45:a0
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJzAlBgNVBAMTHmluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0w
+HwYDVR0jBBgwFoAUtqbB6sBSU9+G/WZJ5LRGvmMzDBUwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEFBQADgYEAqvxq6aptRhafZQXsu0rj3vzuS2phe0/KsIaQkPk+7kJw
+v3BRC6vwtVFPePIDWR5bAR1vebbZwjiDIrSuZAZjWq8EWGyh4j9kzvIkIAykd1Lh
+zCM/X6eJIIX7zfjBCZi7YsNiC3U4AbCT1r8i0Bj/BFIlcrzJ1OV3+raEnbvZRaA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest15.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest15.pem
new file mode 100644
index 0000000000..8a81ff92ee
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest15.pem
@@ -0,0 +1,127 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMV
+cGF0aExlbkNvbnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDDqMCqoLUxLw5wCcxhD3+5J80k2C5ESu+Co4n3V3Nu2SyzcfKET0wx5QvxYm5V
+bzsntf6IudJpfXgzxHIwJ4i5v+Ycc8NYiqmCNhsW5sFRzhjQDyTWu0fEYm+tmyBv
+FavwXAcp8ptUMElDMAv/bKSD+7MDC9uHZQOmVsY0ndcNUQIDAQABo3wwejAfBgNV
+HSMEGDAWgBQhDLUBdnbTsyqsJvyqpk/y1qFvSzAdBgNVHQ4EFgQUOK0lyEJa1w3p
+SvQY5iylU6RQ9EwwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAA9NjcDXXcF4
+FXkwZWIDYtowLXCpbshsU80nGx0/7QVNApSTnUq9pe0t8qAClcYZuaXgB/uYINl5
+qozAW6KR4wFaNUv6mnm+0ppWeiTnIn5O37IycPbAKVZRhauf3p/cTkZ6RZ3MJ5Q+
+fMTJscvSXtMhU+Q3Pp5PGRXlXhs1zFNp
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued pathLenConstraint EE Certificate Test15
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMG0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFCMEAGA1UEAxM5
+VmFsaWQgU2VsZi1Jc3N1ZWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlmaWNh
+dGUgVGVzdDE1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCb61LTuxE1l5yJ
+QVfNdf8EYvZcAa0KaD4FMFo6vn3YTkLfUAgn2P0/LUtJQmmXciZPTEU9iKaYsV+/
+ZtyT/p8r/UHfo81aRT9dIzwK4sGKK+9KWFi/rPiRQwG5IB3XiQYW/JGTIPgcXg5Y
+dUXWrtqZVN+7ddhQD1d1ttatbEqajQIDAQABo2swaTAfBgNVHSMEGDAWgBQ4rSXI
+QlrXDelK9BjmLKVTpFD0TDAdBgNVHQ4EFgQUS4ujjGGj4+FAN/SRPltJJo/KxqAw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG
+9w0BAQUFAAOBgQBh3iDLcsaywxCRTsUrSXJ+COkZOvwrPiAugkf2KeDXYcrIckKX
+n/+Q3FZeBn0qHNyvGUTLp7yei9kUto1sS0nrShwSV+dn/2zUsL6dr4F9Lfazzvsp
+rIIGkJCHbcJSnMc2b3dBhKr1Oe6MWWnV7OdTVCfjQXeDciB3MTcY1TqedA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest17.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest17.pem
new file mode 100644
index 0000000000..86dae42c9b
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest17.pem
@@ -0,0 +1,197 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBHDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZDGq53SMD
+2pj9pTu5VRCJI+Vm8LxSBkYdxD0jc4IKrbJH1NRh5XCcfeAbJaQ46UJFGEPMa92B
+GOSF60SQg5oIXBDTA/ygWIPFFbfStUt//heg1BfHUHRf14z8JL0HzXDG6xnd+2yK
+FzLzKFu1zexVpeT6nFQr0rjeslXftjJO5wIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU2nOT4PBlmX3Dv7AfJg72Fi0x
+NVkwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBBQUAA4GBAFm1ZyLmtGk/Ml/36K/q
+S3bdDJ4PWyY0OsgJBm4jiiYU7QvQ5G7cyfPW4h8EBaPOg4HSUGJJdqQQdP89e9WS
+JTFOlLoPT910pCDXbuEjILFrPh54Gv0ydO31Yc8Un/Do/qEraDgWzjNU9s/BAJKx
+zeFg0ajkR1p+VLGzDM+n2aQI
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint1 CA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint1 CA
+-----BEGIN CERTIFICATE-----
+MIIChDCCAe2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMV
+cGF0aExlbkNvbnN0cmFpbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDEsgspeWC5HV95asByD3T2Xp92XyIayyvxljyNsuyivQG/zdHVuW0QqDbM9+ua
+rkOgDpqwN93uEtbRdQqq4u0MZ2GXR4k6ZduPsubfFKXBKdgvLBoSm1qhOdO1m7BC
+GYe/0e+uiTYZGfLbJCqUuDraLY/o58qeKUHln2Ex8G4wAQIDAQABo3wwejAfBgNV
+HSMEGDAWgBTac5Pg8GWZfcO/sB8mDvYWLTE1WTAdBgNVHQ4EFgQUC9dNxXZ6/vA1
+xTWKZjIu1jdIF2owDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADwD62Ebsv+1
+RcA3YIonWoTkrnKU9YGmmJf5S9ytmc6cT3phWRpY/sOl+Y0pNRvDsKJeew9ggQWD
+f77Pp+ACX2HvWwSHzclox2iCkxNyX0aNAxa9xun2zKGm2j1Ncb/D2mE9CQemmn0n
+1GxEkjg7psCUxl2FwuTTmRR9UquMxjg8
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint1 subCA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint1 CA
+-----BEGIN CERTIFICATE-----
+MIIChzCCAfCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMY
+cGF0aExlbkNvbnN0cmFpbnQxIHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCp1Y+dMUczZ1H6dsRs9hr8yLDsu+xA1vSG+vHgAEPkfkhzItj+7N02gtua
+ye1hSXd/x5xNHOTWUK0CDY2YnHBpqmVO3nMIYmX40BbsRl8eQiEYQS7ES+URwrbW
+LHC23HLYn/R42TA1lkwp3HUa4Nu4eUEXKRMbCVfpxAE0h6brIQIDAQABo3wwejAf
+BgNVHSMEGDAWgBQL103Fdnr+8DXFNYpmMi7WN0gXajAdBgNVHQ4EFgQUYXPbCWI1
+alu4YhJII+f4K948S9swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI
+AWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAB0eGyRF
+KEbsyDnKd8pB+6YhJjQBcdZl9AGLASF4jPmFj2iXuF7gr5rT3UTvquUeEJamAZc1
+L3pHiaPZnxbVJ8hTSD4eUF0YMDd+PzboODwLeBS/5AmWQ0O5qiohjgFTMUq3uvkf
+RWemBcsCiI1KenbGIFTJaNEWKdPrsOrocVJw
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint1 subCA
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint1 subCA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25z
+dHJhaW50MSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UE
+AxMYcGF0aExlbkNvbnN0cmFpbnQxIHN1YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCvkVm0hGNZvdPCElTss6nzgzq7tC28/UHHYKozUaenLdgSaARQnZyi
+w3O5hCVSCtOMmUog52Av5lbkjZxVhCTaWKfrBuPDE2FJSsz2RczG+89ho8676aQ9
+Y5tTt3/mECuV21fCVjRh3IU6O6gTGgPSOxmOyE/lMDXTYFYgsfF7kwIDAQABo3ww
+ejAfBgNVHSMEGDAWgBRhc9sJYjVqW7hiEkgj5/gr3jxL2zAdBgNVHQ4EFgQUVVEA
+f8ZkXgn1BiXGzZK3mreZsTgwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJNK
+lQDUQElDsFY24HDYmUDNg4Vg/CkEB2M9JfI5yZYlOKJrjzECJCY219NFeL9TcyD3
+bJY36GS1ZMz/MI9ocVTU0K5ssZqV4IkBI9hXCFlb+kw5jSgO30RoxXm+Nb0nvzUC
+s5kRJVI8Rdm4ONIstsOmX7w7LBMWrgCPBOZN6zkl
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued pathLenConstraint EE Certificate Test17
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint1 subCA
+-----BEGIN CERTIFICATE-----
+MIICmjCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25z
+dHJhaW50MSBzdWJDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMG0x
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFCMEAGA1UE
+AxM5VmFsaWQgU2VsZi1Jc3N1ZWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlm
+aWNhdGUgVGVzdDE3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNwtcQ87sc
+VaUKAcu3QxtBteOc29FtwvZtv86nDNlJ91gIoFTUq1jKdkWcExlR8lh+Ye0QfIRB
+NIDkDs7+2WB/BwJLNMpaEXDh0qETy/SW3uDN0sOX2H3ik97y0xD5ayXquEXTqgIs
+fNtXesmjTnBt3iitX1DkPwrjuJmQf+co7QIDAQABo2swaTAfBgNVHSMEGDAWgBRV
+UQB/xmReCfUGJcbNkreat5mxODAdBgNVHQ4EFgQUOloj8eT4jSRn3dhhzDfEX13r
+FrswDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq
+hkiG9w0BAQUFAAOBgQA8hwBcf4CCZAko0xnD1MoTNUBfjdvDcXZB+bTB3jnbDXE5
+zSid6bUVBNo+awlLpnQw3drsAgI1G9TcgFOEslX2n4nMP4FZAxsjpyDPSA7Wdj+t
+xb8/kI5UhKZTjNYIL/LXpfWMvzhiMhTzha8PFxoGFM5hGYMXqh0kK/0zhThOEQ==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:DA:73:93:E0:F0:65:99:7D:C3:BF:B0:1F:26:0E:F6:16:2D:31:35:59
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ b4:8c:0a:8a:f7:34:0c:91:f2:7f:29:9a:e6:6f:dc:e6:a2:3d:
+ 90:31:96:5b:53:0d:2b:cd:51:e4:d9:dc:b8:f2:4a:1d:b2:e8:
+ 5e:93:60:85:16:53:48:ef:99:f5:13:20:34:84:95:88:1d:df:
+ 30:94:e4:e7:71:fa:f2:eb:f8:e4:50:6c:fb:7c:e3:b7:29:e6:
+ 91:b7:5e:70:f5:c0:29:ed:50:6c:4d:20:b7:79:e4:a5:63:8f:
+ ec:d7:1b:ac:9f:4a:4c:d9:44:3e:f3:17:fa:5a:f6:2f:b5:f2:
+ 51:f3:b2:82:90:c7:4a:93:8b:27:7a:a8:a1:00:a8:26:3a:eb:
+ ef:4d
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAU2nOT4PBlmX3Dv7AfJg72Fi0xNVkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAtIwKivc0DJHyfyma5m/c5qI9kDGWW1MNK81R5NncuPJKHbLoXpNghRZT
+SO+Z9RMgNISViB3fMJTk53H68uv45FBs+3zjtynmkbdecPXAKe1QbE0gt3nkpWOP
+7NcbrJ9KTNlEPvMX+lr2L7XyUfOygpDHSpOLJ3qooQCoJjrr700=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint1 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:61:73:DB:09:62:35:6A:5B:B8:62:12:48:23:E7:F8:2B:DE:3C:4B:DB
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ a7:22:08:25:d7:e6:5b:3e:63:fa:c3:8f:f2:bd:64:39:45:75:
+ ec:4c:5f:19:85:38:ca:9c:99:03:95:9b:4a:d1:93:62:04:28:
+ bd:18:a9:79:27:31:d8:41:38:7a:c8:ae:81:5a:42:25:e8:46:
+ 84:31:cf:e8:38:ad:f3:a4:3e:a8:4d:71:cc:37:18:89:14:5a:
+ 5b:7f:3e:a0:ad:6f:95:7d:34:1f:3b:6f:ff:a4:a3:58:14:d7:
+ c7:58:e2:d3:bf:33:3d:bd:59:f3:7b:63:fc:57:ab:62:f3:06:
+ 27:72:a7:9c:6d:0f:b4:37:12:0b:8a:02:3b:e0:47:3b:23:a0:
+ 6e:3a
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGHBhdGhMZW5Db25zdHJhaW50
+MSBzdWJDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUYXPbCWI1alu4YhJII+f4K948S9swCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEApyIIJdfmWz5j+sOP8r1kOUV17ExfGYU4ypyZA5WbStGTYgQovRip
+eScx2EE4esiugVpCJehGhDHP6Dit86Q+qE1xzDcYiRRaW38+oK1vlX00Hztv/6Sj
+WBTXx1ji078zPb1Z83tj/FerYvMGJ3KnnG0PtDcSC4oCO+BHOyOgbjo=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedrequireExplicitPolicyTest6.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedrequireExplicitPolicyTest6.pem
new file mode 100644
index 0000000000..6a4851e249
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedrequireExplicitPolicyTest6.pem
@@ -0,0 +1,127 @@
+subject=/C=US/O=Test Certificates/CN=Valid Self-Issued requireExplicitPolicy EE Certificate Test6
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIIChTCCAe6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBw
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxRTBDBgNV
+BAMTPFZhbGlkIFNlbGYtSXNzdWVkIHJlcXVpcmVFeHBsaWNpdFBvbGljeSBFRSBD
+ZXJ0aWZpY2F0ZSBUZXN0NjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoQSf
+MbaUeJHJyhveLx+voUuSWxwNEG56mZ5evCeaSjObXqfeHXkjtfpbQd04wlsSw3CO
+OP2TR4ompdtrgHYGZeSsXW6VhkWz68SG78tn8laoXw3lTMhgrYqAdk+giv71qeBZ
+DYVr+mZTxBnmhrgRiiAQi8fhl9p+Bf89nbW03icCAwEAAaNSMFAwHwYDVR0jBBgw
+FoAUE+aMwSsPZ0tMeh0OtsAhWiSZUIQwHQYDVR0OBBYEFIGUYNMP2TtFxnkarnPH
+B1oeM5PXMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOBgQAXMz/QAcFC
+0oNUODgnlOJdP3lcECIPpmtJbhAmc3UABEXUG9ak3/kkMNENOktNt62qe1/K1c+l
+uYkAMsmUn3oOGYV9Zu77IiiChOYDH6touQtxBGtVTG9Ki/gdaPWfqZdfBs0xkGRg
+7mzJCvRrEXDgQZW0kR3C2LJ9B4f2yt2GlA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBs
+aWNpdFBvbGljeTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBN
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNV
+BAMTGXJlcXVpcmVFeHBsaWNpdFBvbGljeTIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALnxr9bA0oGlaihhiPR0d8F/y9ai99F6w8+DtAfGlFtJ4WU3GPih
+ftUTRqZelcu+u6hZgekMwVhjUHyo6sFt5SfbCzJEmjWxI1anTrGAAcH6pG7zF2Z0
+iae8kVE7C8GOgwm+F1Y1RHkw8Wz/UbZ4QGIhzA++KPDi2du40LEGD4BZAgMBAAGj
+fDB6MB8GA1UdIwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMB0GA1UdDgQWBBQT
+5ozBKw9nS0x6HQ62wCFaJJlQhDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
+B6X+ALEMO8yG/lXfGuoX4XPyaZrb1A8oWFk2ZNCx9QIzI6CQ0vRfO47TF20iK5wr
+HN8y7yXpJGZcNTa5+697/kRziJ/zrNiL4b4BP6QRxYv+3Edq7FOb842JguqWw6nP
+SfsshPhMilo3C4X3PESiI67m18AlqgJcYcmemF1R6Ng=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIBLzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZcmVxdWlyZUV4
+cGxpY2l0UG9saWN5MiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnrdC
+9sroeA9MJlV1ukIu8XNT9cUF70XCDwxMm5vKZZc2+XVNwgxe4aGse4bPdZ9okZ7y
+2ZMuLyDLEBZaA7GsBzG6snQRgHkmMFS6v+pC3ep9ieqtpnrP3b1f743Y1jFp9zvX
+ZDoddeI/xvYF/73KgiYdTFPLa9ARaKiwpQPMXyECAwEAAaOBjjCBizAfBgNVHSME
+GDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUccI8Tjs1Yvclh5+9
+owEeOOAldMgwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEw
+ATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdJAEB/wQFMAOAAQIwDQYJKoZIhvcNAQEF
+BQADgYEADGhYvyIjl02LK5PZdbH9TrAFF66SGgdk+7nl93vr3XB9UnpvJqUfyG55
+ljoX+kKaRd7Z2O+GLTMmH+tqjMQ6bW+7RawMpFVzfhE3EdAr9/K31K6Q6lft8NuP
+wgqhDrrVqYMPa3YM7n+ebATJ0DJ26evfQu5HfIL7Cs/w+CpXi2E=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=requireExplicitPolicy2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:71:C2:3C:4E:3B:35:62:F7:25:87:9F:BD:A3:01:1E:38:E0:25:74:C8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 95:0a:96:af:24:83:ca:92:a2:7b:e7:d9:50:bb:49:ec:22:19:
+ 7b:a3:b9:3d:5f:b4:8c:5b:76:25:27:88:6a:26:24:c1:e1:cd:
+ 3e:b6:ef:b4:0f:ef:85:7c:0e:95:9b:13:fa:dd:c0:bf:7c:fe:
+ e1:d9:fc:2a:7a:2f:fd:48:0d:11:58:69:6d:5a:e8:37:26:30:
+ 67:83:83:90:4c:b1:9e:6b:1b:04:d0:8d:60:42:88:13:25:91:
+ ae:42:24:ea:61:ba:5d:34:6a:7c:22:6b:be:cf:2c:e0:67:36:
+ db:28:0e:5c:be:bd:7a:75:3d:ac:cf:3c:9a:44:8e:ca:30:7a:
+ e9:97
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXJlcXVpcmVFeHBsaWNpdFBv
+bGljeTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFHHCPE47NWL3JYefvaMBHjjgJXTIMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAJUKlq8kg8qSonvn2VC7SewiGXujuT1ftIxbdiUniGomJMHhzT62
+77QP74V8DpWbE/rdwL98/uHZ/Cp6L/1IDRFYaW1a6DcmMGeDg5BMsZ5rGwTQjWBC
+iBMlka5CJOphul00anwia77PLOBnNtsoDly+vXp1PazPPJpEjsoweumX
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSeparateCertificateandCRLKeysTest19.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSeparateCertificateandCRLKeysTest19.pem
new file mode 100644
index 0000000000..1af71df043
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSeparateCertificateandCRLKeysTest19.pem
@@ -0,0 +1,134 @@
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICejCCAeOgAwIBAgIBZjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAzpVbQYnufknoy1tKbCSY840pKcfP2S+jFm6OFC9hzkLFn9uiYzCV
+rCjczQI8lFfM/4p9rUApMIgp4IUAxCOEcgJuKPKmiuoTwPD9XxbmZ/uv+iaLXqF+
+QVcbDGouj0z6RMNz3KGtf0pbgg+/+/wIK4c0XOIM9wTSK0aJVqweAnECAwEAAaNr
+MGkwHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFIr9
+Qil7WXhSSvdIHHG3xHGKplfbMA4GA1UdDwEB/wQEAwIBAjAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAo0h6slmGQJsCsth+yeyOMK3j
+2CqJ9gEajx3fWs7x2JJ8LM4zfbFFYctGPKpXdGRBTO8Dj9lQJCr7i1IMMHTitTa/
+xpjn8E0SQgzvkB/0BnSt7DiwV0LXCdtBlLxOS2Fw9NdvbE7jsuBK2W4KDOPElhHJ
+TKQ0T3TjKv8gwxTq8mw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBZTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlU2VwYXJhdGUg
+Q2VydGlmaWNhdGUgYW5kIENSTCBLZXlzIENBMTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAtI4Yuumg8WznOojgeWHVZxG23imfdB9ntiQccDxAnvywEfQv6Vlq
+HNVQ5vsVQfvfUZCad2Nbf42DHRtpmVhlxIhKBjoNu/m6xdvz/A6/kvDvrEg+7M7N
+A2ZRVI0T3Z/mMaPuLHuCzKwU20TF6NonxgZXIbATrppAqRUfSY+UQCsCAwEAAaN8
+MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJtc
+UbwiJzEiQJQJJf/Pg3mto4EZMA4GA1UdDwEB/wQEAwICBDAXBgNVHSAEEDAOMAwG
+CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBs
+BZsxRaZk1qx3balE6qmVZd7jG6C9Gg/n+I5QfXR75ZIus+0Y6GAviBzywvJ8CDZ3
+kIOOrYolpnycedLS17Jnv4D/IDP6OwvmT6/0XvforKDQlmAk6ioJBRAwHRDYHBZg
+lj8FXyMNUS313Un0l2FXJBhfJNBqb1ZqYwWcmJ2t+w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Separate Certificate and CRL Keys EE Certificate Test19
+issuer=/C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+-----BEGIN CERTIFICATE-----
+MIICqzCCAhSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENl
+cnRpZmljYXRlIGFuZCBDUkwgS2V5cyBDQTEwHhcNMDEwNDE5MTQ1NzIwWhcNMTEw
+NDE5MTQ1NzIwWjBxMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZp
+Y2F0ZXMxRjBEBgNVBAMTPVZhbGlkIFNlcGFyYXRlIENlcnRpZmljYXRlIGFuZCBD
+UkwgS2V5cyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTkwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAKj1Dg4L1T9e6MNcWCCvYvg+vk54WuF5s2Dxaa0lfcclqzahyLfN
+KqLCp0jCJyvA23IGF2C7I+P4dvjwW9kq0XD7H0Vt7LIjyQIpVyHObshN6gciyIXz
+iZjgaBqf8O+P6XhjAqsNyYSipygh3bX0Gqs/Kjb8qHbw8kdUG3Oq6xTFAgMBAAGj
+azBpMB8GA1UdIwQYMBaAFJtcUbwiJzEiQJQJJf/Pg3mto4EZMB0GA1UdDgQWBBSu
+h3HiE1+nBL/O/8Ce2FdoNLsWhzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAM
+BgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAFL8c81C5Av+LkiNwZqrbjHV
+HFmRSvBpcRFa0WoFd8bNntXow2oh3ygbWRWt3FucJqTq6t4tys+3aNQClu/fcUSS
+IljPUyYAlgSxOTER4P9OYePEC/QtzjAGRH/5Kms56LVZa7lrOl2UpO8dkluoOADI
+hXabE5IQYEEjA26WpmmH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Separate Certificate and CRL Keys CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8A:FD:42:29:7B:59:78:52:4A:F7:48:1C:71:B7:C4:71:8A:A6:57:DB
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:7f:8e:79:fc:1e:57:0e:34:9e:bc:05:3c:28:df:90:bb:1f:
+ c7:f4:6a:a1:95:51:f1:d2:b4:1f:3a:64:41:35:b6:42:62:b7:
+ e7:14:1c:bf:0b:ed:6b:ca:f6:4c:c9:a7:48:ab:42:9e:04:9e:
+ 0a:b5:f1:86:99:0f:b1:7e:6e:dd:d6:a6:b3:b1:3f:fc:79:6a:
+ bf:f0:39:3f:03:ac:69:15:b5:2f:5a:17:12:64:8b:e9:46:9f:
+ 82:09:f2:09:91:90:b4:fd:56:a1:ab:04:79:a0:17:33:26:c6:
+ 49:6a:96:d9:42:8b:44:a5:ed:ad:69:82:63:78:8e:e7:96:1d:
+ 17:2d
+-----BEGIN X509 CRL-----
+MIIBdjCB4AIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLjAsBgNVBAMTJVNlcGFyYXRlIENlcnRpZmlj
+YXRlIGFuZCBDUkwgS2V5cyBDQTEXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowIjAgAgECFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgLzAtMB8GA1Ud
+IwQYMBaAFIr9Qil7WXhSSvdIHHG3xHGKplfbMAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAAV/jnn8HlcONJ68BTwo35C7H8f0aqGVUfHStB86ZEE1tkJit+cU
+HL8L7WvK9kzJp0irQp4Engq18YaZD7F+bt3WprOxP/x5ar/wOT8DrGkVtS9aFxJk
+i+lGn4IJ8gmRkLT9VqGrBHmgFzMmxklqltlCi0Sl7a1pgmN4jueWHRct
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSignaturesTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSignaturesTest1.pem
new file mode 100644
index 0000000000..de409f5895
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSignaturesTest1.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=Valid EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICajCCAdOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlZhbGlkIEVFIENlcnRp
+ZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtpKu/a6Co
+7KcKOymboEA+MmgoryXHT1dxExmQ1lO7yah2L8j8RG6ox5Tr37TV8Y21ti3MopcF
+H+iXDSX31fixsYCZkcpjMI4kbjXmjGOeFKu1vnbBmcb5JBISiUeg22tIRFoJ4zTh
+i3GLVecGijyOVReA5LiPymEKG7fAB3241wIDAQABo2swaTAfBgNVHSMEGDAWgBS3
+LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUOsyUZQyFqTzB4K9RMyoUSI+e
+kVswDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq
+hkiG9w0BAQUFAAOBgQCkaGfCqYi0681n9Dit36lg3U/9gTZoNqPMaAaLUQV3Crzx
+x2MGInhTyKchYydbV8HD89N2jzzYq7J2KM/ZEAfjskCdsj1SiMNkbYZe3rZZOldr
+PCGFgzUGTNakQxkpxU5j7plivQic/OZ7+mMTi0fnjGRi9M+aa744VmH6FgCt1w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidTwoCRLsTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidTwoCRLsTest7.pem
new file mode 100644
index 0000000000..c2940bb425
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidTwoCRLsTest7.pem
@@ -0,0 +1,146 @@
+subject=/C=US/O=Test Certificates/CN=Two CRLs CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcTCCAdqgAwIBAgIBCzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMD8xCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEUMBIGA1UEAxMLVHdvIENSTHMg
+Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANF1dMq4ulaNZm1L3KlBM9wi
+a4eu7sCry3O20zzWCttHHqG1W9UYLqqivx3HTyKvc/acTndqBtaz9HcdrETCRreu
+UjKFAa19JAnjF88BluoZ7A7TjdhsGfsa8gcLUZCN6ZkJJok2wENNh0xdsVhVlmnV
+p9rqIgYFPbZd0tvUp44xAgMBAAGjfDB6MB8GA1UdIwQYMBaAFPts1C2Bnsonep4N
+sDzqmryH/0nqMB0GA1UdDgQWBBQwyOlKAd5DJkEjjFNTjLNHFheOyjAOBgNVHQ8B
+Af8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADgYEAW8JONjczN4V2xpuIs064NZkR/ZEqwuPDedoS
+bQMZtQfK7+587JhXzGM3Hv2INUge/GRWUS6Y0Ra74Z4EU0UjKIM0PfCkokiU9cMg
+APFxIwTaaIfmrFY5FOAr0tvJXX1fwvLB2EEzFoD3m3FT5dKH3fV0l07W+rAzXGXd
+Mhqyx5o=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid Two CRLs EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=Two CRLs CA
+-----BEGIN CERTIFICATE-----
+MIICdzCCAeCgAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFDASBgNVBAMTC1R3byBDUkxzIENB
+MB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowVzELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSwwKgYDVQQDEyNWYWxpZCBUd28g
+Q1JMcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAiWTa6oG+nNhsn3jFI0IU5eab51kPtxwKr8QO22md2ezjZi0Si3bkH+nL
+d969Tfp3AtKQbsaNJVgYIP+GLylF1YmawBW39kLy8yuACUb9k0OlG02sW8u9SsTJ
+ifK2hvRv/2dGMe6eOR0Rpknk/8CHUgPJHyU3wSewsookv22AcdsCAwEAAaNrMGkw
+HwYDVR0jBBgwFoAUMMjpSgHeQyZBI4xTU4yzRxYXjsowHQYDVR0OBBYEFBVyE7Sc
+ZE9qRg0qsIBnbUWvDEhPMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAb3ltD/JZHS9eilXbrUwx4XAfOxMl
+l62TnSCbUwvD3VvSBp6CSL9/GAcOIQvGvsbyaFCCtCfPwSDw+Ub4vONlBK5+8uGE
+ceErncuILRQcNTwK8U3olehAt6Smh7aEcGBpdeMkSSZhoBSMe0GaIzCeDKELtG5d
+3yyDUN+RlEGX0tE=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Two CRLs CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:30:C8:E9:4A:01:DE:43:26:41:23:8C:53:53:8C:B3:47:16:17:8E:CA
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ af:97:f6:38:91:3b:72:79:fe:fe:8c:3e:65:dc:61:a8:72:ef:
+ 9f:73:2e:dc:16:db:92:3e:2a:dc:ba:32:f9:97:0c:6b:52:32:
+ 0c:7c:8b:89:a2:82:f2:81:6f:30:10:dd:5f:e9:ec:26:c6:35:
+ c1:fa:94:79:ec:4c:9a:9a:82:ab:3f:be:9d:2a:3e:af:d8:e4:
+ 8e:c3:c1:c5:08:81:25:c7:11:83:98:6e:42:89:5e:6f:d6:c7:
+ f8:d2:39:63:34:22:95:56:7f:f2:24:a1:62:18:b6:9e:ff:d4:
+ 0e:30:e1:b7:2c:03:90:70:81:51:bf:74:13:3c:dc:a9:28:55:
+ 98:d5
+-----BEGIN X509 CRL-----
+MIIBODCBogIBATANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFDASBgNVBAMTC1R3byBDUkxzIENBFw0wMTA0
+MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBQwyOlKAd5D
+JkEjjFNTjLNHFheOyjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQCvl/Y4
+kTtyef7+jD5l3GGocu+fcy7cFtuSPircujL5lwxrUjIMfIuJooLygW8wEN1f6ewm
+xjXB+pR57EyamoKrP76dKj6v2OSOw8HFCIElxxGDmG5CiV5v1sf40jljNCKVVn/y
+JKFiGLae/9QOMOG3LAOQcIFRv3QTPNypKFWY1Q==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Bad CRL for Two CRLs CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:30:C8:E9:4A:01:DE:43:26:41:23:8C:53:53:8C:B3:47:16:17:8E:CA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 02:fb:a8:69:0a:aa:8c:4d:f2:07:f4:6a:6b:38:ae:da:15:1a:
+ b8:c0:8b:d2:23:96:1d:3a:fd:d4:82:0f:c5:de:56:ba:c2:59:
+ 8f:9e:97:67:06:1a:d1:4b:d6:24:40:98:4b:b1:c2:85:3c:be:
+ e3:be:28:9a:3e:56:1f:98:4c:9d:68:36:a8:eb:e6:1c:d5:52:
+ de:30:49:e0:76:0b:bf:be:3e:9a:b2:18:f8:de:51:f0:f4:da:
+ 59:48:c5:00:9f:47:21:32:29:d9:f0:1b:75:18:a6:6f:d1:3c:
+ 56:b1:5a:e8:6f:06:ce:ce:5a:4e:97:c2:91:cf:6d:40:63:8f:
+ d5:71
+-----BEGIN X509 CRL-----
+MIIBaDCB0gIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF0JhZCBDUkwgZm9yIFR3byBD
+UkxzIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBARcNMDEw
+NDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAfBgNVHSMEGDAWgBQwyOlKAd5D
+JkEjjFNTjLNHFheOyjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQAC+6hp
+CqqMTfIH9GprOK7aFRq4wIvSI5YdOv3Ugg/F3la6wlmPnpdnBhrRS9YkQJhLscKF
+PL7jviiaPlYfmEydaDao6+Yc1VLeMEngdgu/vj6ashj43lHw9NpZSMUAn0chMinZ
+8Bt1GKZv0TxWsVrobwbOzlpOl8KRz21AY4/VcQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest34.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest34.pem
new file mode 100644
index 0000000000..b7c8ae1749
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest34.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqDCCAhGgAwIBAgIBSDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIFVSSTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKxL9gyE
+2WbKCoEEU+RviucDsSOeDHQfoVxci7AD0RhpGDZkMaDQhM+DUHywwIo9zUpLVeGi
+xQNu1+1bQ4SzVBT6k7vcf8ZxPOUI+8WQzMNO5H2/PGz3XGpfIw/RJrRH79ICwZlC
+6QzvSbLJhOtJTQS9kFTECA4AeBzHEN3f0igTAgMBAAGjgaYwgaMwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFKwdFrpLHgtf4rxhruHZ
+ZFp5vkXWMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zAnBgNVHR4BAf8EHTAboBkwF4YVLnRlc3RjZXJ0aWZp
+Y2F0ZXMuZ292MA0GCSqGSIb3DQEBBQUAA4GBAHbVqbpvjgN0GV8abRGms01xVNHT
+PtqMarG3/zQImm9xDzqUqv81kX/8DOy9I/lo3Mvp83M9B74mEEiTTnxkYEpaSouE
+fE3/VAW8dTJb35NeZcOCNWDQv3eA7bufOVO+4KjEHERlxBfEYlPEkJGSLD98SF62
+OYmmR3Cda8cKBk6p
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid URI nameConstraints EE Certificate Test34
+issuer=/C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+-----BEGIN CERTIFICATE-----
+MIICzzCCAjigAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBVUkkxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTgwNgYDVQQD
+Ey9WYWxpZCBVUkkgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Qz
+NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6FGlp6Xjgc5M7qIkjpaJW/ie
+OIVcl5Qn+CIdaNq7obRCyoLrqT/lyrQKTifbp29aWeS20Q9OnvNHYe0AoQulxnhx
+tId1+3BJ657gMf8FIwZ6y7C1vKus4TE6lYhBXJZtTF5lE1znoTDmaO9u+Ix2/RY4
+lH5oTdCUCHiEdcoOBvsCAwEAAaOBqjCBpzAfBgNVHSMEGDAWgBSsHRa6Sx4LX+K8
+Ya7h2WRaeb5F1jAdBgNVHQ4EFgQUnBltKBL7MT2/JrE+lLcnIG0SKgEwDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATA8BgNVHREENTAzhjFo
+dHRwOi8vdGVzdHNlcnZlci50ZXN0Y2VydGlmaWNhdGVzLmdvdi9pbmRleC5odG1s
+MA0GCSqGSIb3DQEBBQUAA4GBABEni3LRvD7bB0FXjsIor6I+OaDVBV6uWcVuwtmS
+gtVMwBhrnKGi/nw+7E+wJs0Sa7INnkylGFlUzOLEFV1Sa6RYjmo61i4AE32uqzlc
+lNvE/bXQh6ah0Hj/sw2u9bXRn6zgPcf+9yQRsJ+wNYuB3rP2dsxckGRMylL5bDZq
+CfQz
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints URI1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:AC:1D:16:BA:4B:1E:0B:5F:E2:BC:61:AE:E1:D9:64:5A:79:BE:45:D6
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:8d:62:fe:d7:4c:f3:06:9a:78:4d:e0:96:d6:4b:12:b3:93:
+ 23:96:6d:00:b6:6b:7f:35:25:e3:94:20:1b:fe:c8:cb:3d:5c:
+ 7b:e8:f3:cf:c3:db:96:d3:62:4e:b7:5b:93:05:11:c3:7f:41:
+ 94:e8:75:d2:8a:67:bf:f3:b0:81:25:22:99:a3:4c:02:9f:1c:
+ 87:1d:b1:20:a6:0f:b7:c8:f2:2b:e5:b2:4d:b4:e1:bc:c3:85:
+ b7:54:29:13:e8:7e:53:ed:d2:cc:a7:95:3f:71:32:5d:3a:09:
+ a1:fe:af:ba:45:14:41:1a:67:fb:8f:46:03:6a:fb:78:26:71:
+ 02:1b
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBV
+UkkxIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBSsHRa6Sx4LX+K8Ya7h2WRaeb5F1jAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBIjWL+10zzBpp4TeCW1ksSs5Mjlm0Atmt/NSXjlCAb/sjLPVx76PPP
+w9uW02JOt1uTBRHDf0GU6HXSime/87CBJSKZo0wCnxyHHbEgpg+3yPIr5bJNtOG8
+w4W3VCkT6H5T7dLMp5U/cTJdOgmh/q+6RRRBGmf7j0YDavt4JnECGw==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest36.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest36.pem
new file mode 100644
index 0000000000..c13af8a307
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest36.pem
@@ -0,0 +1,111 @@
+subject=/C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICqjCCAhOgAwIBAgIBSTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEgMB4GA1UEAxMXbmFtZUNvbnN0
+cmFpbnRzIFVSSTIgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANCu/tVS
+XB6TUXM4bU2lQ7EKvQrGMy49TSnHlIwEVZ9UNvbSA/ChnCxPIKWiVWlqdqr0evlL
+xdLPxQe6xHuVjkvgFleY6RjA9LqD7YFFvf8AnDD6BV0kIr3itChNI2abON8Dh6IG
++o48bCPAt9bqxCepQbrSn4mYSlcKjyn66Ev7AgMBAAGjgagwgaUwHwYDVR0jBBgw
+FoAU+2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFIakVWPxjKAjp6e8y2yq
+bdBaxg9aMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEw
+DwYDVR0TAQH/BAUwAwEB/zApBgNVHR4BAf8EHzAdoRswGYYXaW52YWxpZGNlcnRp
+ZmljYXRlcy5nb3YwDQYJKoZIhvcNAQEFBQADgYEAXeaQUlCHmmhg1rKHYxVfKaCq
+S574GPbDh1QtQoNmVqFF+yGHse9s4hcYcv7VZB74kYKCFUShbBWl1VcmgPbJLDnc
+MDjP1B35WdH4IGAxCBLHOiuv/1AWL9EfHUdhX2ZoFpJqNty9lFkahCZ6MARJwtS2
+fBh60OItInetzMDECnE=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid URI nameConstraints EE Certificate Test36
+issuer=/C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAjugAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJh
+aW50cyBVUkkyIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYzEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTgwNgYDVQQD
+Ey9WYWxpZCBVUkkgbmFtZUNvbnN0cmFpbnRzIEVFIENlcnRpZmljYXRlIFRlc3Qz
+NjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvE7GKi9cq2LoR4nDK2rqmEIH
+MsJ3m6EeWMUWwoRidb2gH7E45Oumq5skRGihWVu15Lokjua+3arteyn8MbuDj+lF
+KcEEP4VLE84+SFaA5KNgDJspoT7+UiBZRELwTxiTK9vPR5VQyTQnc/M9PkfC5rvV
+WbctYK/HJ/r68nmGAQ8CAwEAAaOBrTCBqjAfBgNVHSMEGDAWgBSGpFVj8YygI6en
+vMtsqm3QWsYPWjAdBgNVHQ4EFgQU2X6Y6CoZbpdRkA80xPGNWG1aeZ0wDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATA/BgNVHREEODA2hjRo
+dHRwOi8vdGVzdHNlcnZlci5pbnZhbGlkY2VydGlmaWNhdGVzLmdvdi9pbmRleC5o
+dG1sMA0GCSqGSIb3DQEBBQUAA4GBAG2N3tYbTsRh2FgGR/eAxNmVerY5ooWKrZE/
+MkikG9U+XWgHChNL4eR92wDJVi1h5uVvSyUIF1vEFXVfVxyqG1kz1dqWcFrZHp1I
+w3WD/3qKE0ilWL+AnW7LOOTbTUDevmIwcUAvl9/QiYpexJyeQhzWJ13gh5vwkfiG
+coWXP3GU
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=nameConstraints URI2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:86:A4:55:63:F1:8C:A0:23:A7:A7:BC:CB:6C:AA:6D:D0:5A:C6:0F:5A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 73:1d:ee:ad:1d:21:24:88:c7:70:27:82:cf:68:1d:fa:61:18:
+ da:2c:a9:9e:05:0d:b4:7e:e3:ac:49:fc:82:76:d0:6c:80:1c:
+ b3:b0:36:4c:44:da:e9:0e:aa:9a:df:66:1e:0a:80:f4:f0:0c:
+ 84:02:2f:57:47:96:e1:f7:ae:e6:be:85:9e:53:e0:97:1e:9a:
+ 68:7e:f2:32:8c:d7:89:1e:63:dd:3f:47:06:30:44:e3:42:ee:
+ 30:c2:d6:ce:3a:46:4f:6c:8c:e2:43:c3:7e:5a:51:ce:5e:73:
+ 7a:ed:f7:5a:04:a8:0d:f2:f0:67:af:e1:0e:b8:eb:9f:cd:2b:
+ 24:62
+-----BEGIN X509 CRL-----
+MIIBRDCBrgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIDAeBgNVBAMTF25hbWVDb25zdHJhaW50cyBV
+UkkyIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSME
+GDAWgBSGpFVj8YygI6envMtsqm3QWsYPWjAKBgNVHRQEAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBzHe6tHSEkiMdwJ4LPaB36YRjaLKmeBQ20fuOsSfyCdtBsgByzsDZM
+RNrpDqqa32YeCoD08AyEAi9XR5bh967mvoWeU+CXHppofvIyjNeJHmPdP0cGMETj
+Qu4wwtbOOkZPbIziQ8N+WlHOXnN67fdaBKgN8vBnr+EOuOufzSskYg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringCaseInsensitiveMatchTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringCaseInsensitiveMatchTest11.pem
new file mode 100644
index 0000000000..f91b6dfd97
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringCaseInsensitiveMatchTest11.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=UTF8String Case Insensitive Match CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBZDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKDBFUZXN0IENlcnRpZmljYXRlczEtMCsGA1UEAwwkVVRGOFN0cmlu
+ZyBDYXNlIEluc2Vuc2l0aXZlIE1hdGNoIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCaogvEpeDhTyOkM06wjnLD1JeNedm9VZ+FpIvkkhrhGKskIHcfsNfJ
+EsrLnoSQIj5ocFyxY/76uaSgJcEhTpIj695mSBtyZThgQr07wSGTByiAmO3fR3if
+tMzWdzP9j19QXSUZjQCBNySjtuabFoqgR9OHEmVjly+67Al3yaZDEwIDAQABo3ww
+ejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUNmIV
+KXylwtCEEMdeoxYn36lEE2IwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK
+YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKnn
+dr5r22s30krLGaZ6Ava5zeA3jRRsq/ewoyaGn39VO/MYpqRxPdqlVqLO41PCjwTY
+VjndPhVSfFsQHxANRG4TUD7MBKeNsr3eclIvzCtIb8U9dwHngXeYNlih1ufYUDZ5
+z5oTq4R9mHUGu1Jz/uW9sisBRMbS+2wj+E/3yezC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid UTF8String Case Insensitive Match EE Certificate Test11
+issuer=/C=US/O= test certificates /CN=utf8string case insensitive match CA
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhigAwIBAgIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJVUzEe
+MBwGA1UECgwVICB0ZXN0IGNlcnRpZmljYXRlcyAgMS4wLAYDVQQDDCV1dGY4c3Ry
+aW5nIGNhc2UgIGluc2Vuc2l0aXZlIG1hdGNoIENBMB4XDTAxMDQxOTE0NTcyMFoX
+DTExMDQxOTE0NTcyMFowcTELMAkGA1UEBhMCVVMxGjAYBgNVBAoMEVRlc3QgQ2Vy
+dGlmaWNhdGVzMUYwRAYDVQQDDD1WYWxpZCBVVEY4U3RyaW5nIENhc2UgSW5zZW5z
+aXRpdmUgTWF0Y2ggRUUgQ2VydGlmaWNhdGUgVGVzdDExMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDsol6bNoNnlNAy2lkPsdVM02fDVB5vmtUbTN2DiXfYxICd
+NtMW9orODpZLBLuhHD9L/N+amY5njVAJUpvbdU2cjFMwgn/YfQ/eDXrCDPG2FLaJ
+WA0nRqHFrhBVz6MgJFtpJUz3e1Owsy3U03aq9SthFb/BBFFOtAH6mXnuBjYVTQID
+AQABo2swaTAfBgNVHSMEGDAWgBQ2YhUpfKXC0IQQx16jFiffqUQTYjAdBgNVHQ4E
+FgQUxMF/9KLvn9+5ABPGIN0ZEfq0S6cwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQCLnWS00RFXZcbBCM15
+7+vQE5xrZp4AH8MhcC5CCS7C5F6JkHPcXT5OnCCN+d0cmCCTgolBi+AndeXwen9O
+y/2uq63SVqP/H67rcyoxaGeqSxxZqbowZqboUMBLinSyMq/coqnGbiNjK+K7xXqR
+borsQCmKGqvst1rn2LPNKfKRCA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=UTF8String Case Insensitive Match CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:36:62:15:29:7C:A5:C2:D0:84:10:C7:5E:A3:16:27:DF:A9:44:13:62
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 32:f5:46:0f:c0:5a:10:87:86:95:df:18:69:d7:c8:99:4c:84:
+ 5f:f7:1a:e8:c7:66:27:41:73:a4:72:f6:09:66:a9:f7:cd:62:
+ 22:87:dd:24:94:77:c1:38:e3:9c:cc:70:64:29:b7:d9:76:94:
+ 59:d7:26:43:86:35:63:6b:0b:81:a4:1d:d4:4f:7d:87:6a:b6:
+ bc:68:34:9b:ad:d0:1c:34:3b:72:7c:7f:25:b2:19:03:a1:24:
+ ee:ef:d3:3c:a6:21:cd:79:11:70:d4:6d:5d:c6:67:14:39:17:
+ e2:23:30:76:5b:f7:b5:4e:ce:ed:3e:57:2e:58:1d:cc:ec:ed:
+ b5:52
+-----BEGIN X509 CRL-----
+MIIBUTCBuwIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEaMBgGA1UE
+CgwRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMMJFVURjhTdHJpbmcgQ2FzZSBJ
+bnNlbnNpdGl2ZSBNYXRjaCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WqAvMC0wHwYDVR0jBBgwFoAUNmIVKXylwtCEEMdeoxYn36lEE2IwCgYDVR0UBAMC
+AQEwDQYJKoZIhvcNAQEFBQADgYEAMvVGD8BaEIeGld8YadfImUyEX/ca6MdmJ0Fz
+pHL2CWap981iIofdJJR3wTjjnMxwZCm32XaUWdcmQ4Y1Y2sLgaQd1E99h2q2vGg0
+m63QHDQ7cnx/JbIZA6Ek7u/TPKYhzXkRcNRtXcZnFDkX4iMwdlv3tU7O7T5XLlgd
+zOzttVI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringEncodedNamesTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringEncodedNamesTest9.pem
new file mode 100644
index 0000000000..2857bd3c74
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringEncodedNamesTest9.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=UTF8String CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICczCCAdygAwIBAgIBYjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEExCzAJBgNVBAYTAlVT
+MRowGAYDVQQKDBFUZXN0IENlcnRpZmljYXRlczEWMBQGA1UEAwwNVVRGOFN0cmlu
+ZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwNymUjXTPLYfQm1sbyf8
+QSDxshobqw4r+yna0i1Rj3o7Lu/5vt/vqIPKH2r52EYvuFWBMNKCglyCcqidFgVx
+Z+hsUqJi79uj1DhGgqeSG1/gmyduba9sGud4J6rNhVuz1E/dX5gu81Gi8AgFQj/D
+tC+HMSrP6GKAXVbXsnWBPGkCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6
+ng2wPOqavIf/SeowHQYDVR0OBBYEFNMoQWQMXH4Okw1WMKge9ihlAMr7MA4GA1Ud
+DwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOBgQAYI8NaUKFwf+db04baEtgElpS8AhzYiCP9
+H+4pn+6Bp7ZK+3WMdR5HVmHkn0wx3+eRrAO+4sViEZYS7+yJfJvQVqgeVgRWZeuE
+dzIXVT0OLIloElDfgpdZgkkM2Ucdg5Nn52Of3AnZagaFiaNqFRZmC+QYnKif09vj
+8jaUJTJbuw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid UTF8String Encoded Names EE Certificate Test9
+issuer=/C=US/O=Test Certificates/CN=UTF8String CA
+-----BEGIN CERTIFICATE-----
+MIICiTCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEa
+MBgGA1UECgwRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMMDVVURjhTdHJpbmcg
+Q0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBnMQswCQYDVQQGEwJV
+UzEaMBgGA1UECgwRVGVzdCBDZXJ0aWZpY2F0ZXMxPDA6BgNVBAMMM1ZhbGlkIFVU
+RjhTdHJpbmcgRW5jb2RlZCBOYW1lcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0OTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoxNfkgSuZUKuoTrCTE46w8pIE47j18Ul
++ZyQJGplDws8AeUtIXBGxaYs6He2jxJXV6geeAi/DlFhUnNSK1Gavbey2DUkn8Av
+3U5y2+p6S4HtU1FMypUCKcboGqHME6y3rqDQSl7YY03v3wd4PPaKPqvhZtDSG7b/
+QnejyG55zHkCAwEAAaNrMGkwHwYDVR0jBBgwFoAU0yhBZAxcfg6TDVYwqB72KGUA
+yvswHQYDVR0OBBYEFFNv7Je2o4j/89zS0tw/sI8eM4dZMA4GA1UdDwEB/wQEAwIE
+8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAT2NW
+DkK184Mva0VGnLCXsyNVUYV9/6cBxVncmML7X/XlT3c4M7ZjSoL/J+hVyavU+1pN
+SAKfgfyZE6mVa6BOYzL5sBRcvpgJPjZMAEGZ+dwfJUsh2KQvFmEXu8xSBIss4Rgh
+o7OsvrTpSFiidbLgLQW6FeMEivGfw8AZZ2W9+s0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=UTF8String CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D3:28:41:64:0C:5C:7E:0E:93:0D:56:30:A8:1E:F6:28:65:00:CA:FB
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 97:9a:cb:dd:e8:9a:f3:02:96:35:53:29:74:69:84:1f:c9:47:
+ f5:14:71:8a:f0:32:42:64:ae:06:9a:ec:f1:2a:e1:4a:70:d7:
+ 1e:11:fc:b8:f2:9b:6b:38:d6:18:37:5b:74:d7:bc:78:c7:9c:
+ b1:34:c1:76:87:4f:31:43:25:ce:95:52:23:cd:d0:38:c5:f0:
+ 26:b1:13:d1:ca:2b:f1:e1:df:e1:e7:3e:6a:3e:d9:51:60:5f:
+ 6a:78:b2:50:03:45:39:95:40:3d:2d:39:7b:af:97:e3:32:5f:
+ 14:f8:aa:70:ac:49:6d:44:1d:ac:2c:d2:fb:a4:5c:d5:f1:d7:
+ 23:5f
+-----BEGIN X509 CRL-----
+MIIBOjCBpAIBATANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJVUzEaMBgGA1UE
+CgwRVGVzdCBDZXJ0aWZpY2F0ZXMxFjAUBgNVBAMMDVVURjhTdHJpbmcgQ0EXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNMoQWQM
+XH4Okw1WMKge9ihlAMr7MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAJea
+y93omvMCljVTKXRphB/JR/UUcYrwMkJkrgaa7PEq4Upw1x4R/Ljym2s41hg3W3TX
+vHjHnLE0wXaHTzFDJc6VUiPN0DjF8CaxE9HKK/Hh3+HnPmo+2VFgX2p4slADRTmV
+QD0tOXuvl+MyXxT4qnCsSW1EHaws0vukXNXx1yNf
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUnknownNotCriticalCertificateExtensionTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUnknownNotCriticalCertificateExtensionTest1.pem
new file mode 100644
index 0000000000..7d19088eda
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUnknownNotCriticalCertificateExtensionTest1.pem
@@ -0,0 +1,58 @@
+subject=/C=US/O=Test Certificates/CN=Valid Unknown Not Critical Certificate Extension EE Cert Test1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpTCCAg6gAwIBAgIBXjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMHIxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczFHMEUGA1UEAxM+VmFsaWQgVW5r
+bm93biBOb3QgQ3JpdGljYWwgQ2VydGlmaWNhdGUgRXh0ZW5zaW9uIEVFIENlcnQg
+VGVzdDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhu9MiazK4MZfZxFp8b
+EqQNtc72SyzLI8gVU6uacEHKLpo7auSD72gD77oJKNLO0wW/lJmBZrr8N6Vb10xG
+UDpyNayjEHhIQ9YGjQ0iFAzwBZdxSba417KwGoZEtWDwXDgHFcJkpdeO0cmvN/WY
+T3hTDuDubTGzkT/z3o7HLBXVAgMBAAGjfTB7MB8GA1UdIwQYMBaAFPts1C2Bnson
+ep4NsDzqmryH/0nqMB0GA1UdDgQWBBT2UVRewjWmpJzpb1mXbOTeaXT6qjAOBgNV
+HQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMBAGCWCGSAFlAgEM
+AgQDAgEAMA0GCSqGSIb3DQEBBQUAA4GBABs3aiPSbahf2RsQXVpA2945ngkKbfef
+RWOSqb+RmLmR3zburW1DXXzu3XSEOB8Ud75OdMvg9MIeKss1EqhEp3Bp4ltMa4+V
+xORBZ1hlK47mQAPiGsshFriTYp1nVfzHfByAFuwYZFLhjJnk2w/nyq5kyQ3AjfpQ
+XaezK4Qnje4K
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidbasicConstraintsNotCriticalTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidbasicConstraintsNotCriticalTest4.pem
new file mode 100644
index 0000000000..8a9c75ecf4
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidbasicConstraintsNotCriticalTest4.pem
@@ -0,0 +1,110 @@
+subject=/C=US/O=Test Certificates/CN=basicConstraints Not Critical CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICgzCCAeygAwIBAgIBGTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFQxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEpMCcGA1UEAxMgYmFzaWNDb25z
+dHJhaW50cyBOb3QgQ3JpdGljYWwgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBANLhA0OA9wRfp95Q7/HTBd7PlWljTlLaWClrNNQ1jWPhuQJN3ww9dy42U/na
+HvOcy9yz2ANw44VJKqLn68rVvypadYoWUNUGPHgHSrhj37Dj/mNkFmw18BcEgpED
+4OIp2vJW00ZLeMt7ItsFh1pxpaHZl4WDHIWKh0BAuw7VBWhpAgMBAAGjeTB3MB8G
+A1UdIwQYMBaAFPts1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBTYuN8r/BQM
+rtcTVstcPg56jM+RCDAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACqRpg4KhHWSs
+qfP23ZQX2hAOVVT/0AqaTcnNCQVLGE4sE16rMPQMZQ4qpb1WAPZIq6gs+P43deDu
+5M4evZgQVheRR7RqQm7/7ZXAiJ4uzAvJjWP5eYg23OyHqPvaK76reyPgde/gegWq
+Lj/0XhyySYlWDr4i138LYLsfUDy2rWw=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid basicConstraints Not Critical EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=basicConstraints Not Critical CA
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIGJhc2ljQ29uc3Ry
+YWludHMgTm90IENyaXRpY2FsIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0
+NTcyMFowbDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVz
+MUEwPwYDVQQDEzhWYWxpZCBiYXNpY0NvbnN0cmFpbnRzIE5vdCBDcml0aWNhbCBF
+RSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+ztwCM4KjCZAusrt0pqJODe24QkEVIKHLb4UAlOxeSbZZ4Ye5BtR5NylouUsMu8Ja
+XKoU+BxIWXmUrP7HSt2+D8HI33xczpxfXCUyYmY/ht58WkhRSur9n3XUBErcVOe1
+xoV/2CNceuS97TvupEAYDKkcK+Uv+gBZpuLyY2jF4ccCAwEAAaNrMGkwHwYDVR0j
+BBgwFoAU2LjfK/wUDK7XE1bLXD4OeozPkQgwHQYDVR0OBBYEFAL9NE678Dg8eh16
+3hZvX02XaVPoMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIB
+MAEwDQYJKoZIhvcNAQEFBQADgYEAxH3RpgHseEdMz+tdowijXMxxOgAvJ+bDmb4W
+VmA6BBlPljNwDeOJ5mu/qq2HaTbeYYkqxfGw/V0Nv5GoG4Ak0xnSFaVz8+dVEzDN
+Avks85QOwYREyw/sxlpU7uOjlWBOwfkglUJM8UU2ZpBMlJf6sn7bEf5W9w35ZUo8
+Vlf2alk=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=basicConstraints Not Critical CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:D8:B8:DF:2B:FC:14:0C:AE:D7:13:56:CB:5C:3E:0E:7A:8C:CF:91:08
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 9d:dc:8e:45:7e:1c:6d:56:eb:08:bd:04:5c:c7:9d:21:a0:ae:
+ 69:b7:35:a2:b5:31:34:85:f0:0a:92:7d:20:36:2e:32:dc:b9:
+ 8c:cb:ad:39:97:35:3a:9c:d1:68:37:f0:9a:06:ad:da:42:67:
+ 92:30:82:b8:52:db:c5:d5:39:d4:2f:cd:7b:ec:18:43:56:6d:
+ d7:2f:31:9c:59:48:fa:07:af:f9:fd:3a:b7:e0:b2:4b:0a:7c:
+ e9:7b:04:81:75:1f:58:a2:70:bb:30:bb:e2:14:21:0e:34:74:
+ ea:e3:41:e5:d0:c0:b4:7d:51:52:f6:7f:51:13:be:78:96:25:
+ a5:8a
+-----BEGIN X509 CRL-----
+MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIGJhc2ljQ29uc3RyYWludHMg
+Tm90IENyaXRpY2FsIENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8w
+LTAfBgNVHSMEGDAWgBTYuN8r/BQMrtcTVstcPg56jM+RCDAKBgNVHRQEAwIBATAN
+BgkqhkiG9w0BAQUFAAOBgQCd3I5FfhxtVusIvQRcx50hoK5ptzWitTE0hfAKkn0g
+Ni4y3LmMy605lzU6nNFoN/CaBq3aQmeSMIK4UtvF1TnUL8177BhDVm3XLzGcWUj6
+B6/5/Tq34LJLCnzpewSBdR9YonC7MLviFCEONHTq40Hl0MC0fVFS9n9RE754liWl
+ig==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest28.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest28.pem
new file mode 100644
index 0000000000..e788cc4242
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest28.pem
@@ -0,0 +1,178 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA3
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0EzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCb2axnNI56WnvGeocp
+atKwDsPjuFVSHeTtyX3KVU/1U+ST/Jtv0u5WPp4iitAz/ddFiiBj4cwgr9hZYd0Y
+tUyBvGAP8UjJVp55qo1hjMDYyxFRqotx6gH4F7wyfu7s08ERFrtOoT91EwbaTFwG
+go0sbSeXio43GfBdAxDi3INGdwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlii8KaatWJ9nLsfCwZc63+6I6ygwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAM8E4GsQT3eKZHuyNOUIn/7ZFw/9gFX3
+QfyYv5/Qozv19LTpdKCuIJuZAO900NFkfI4m4kjaYB8CGf9Z2P2B3ctXzgdI9uJM
+KmRUnMfzzXGKx+jh+/xkwYi5kduJ2RECX0mqAcOS38OFX3ej7LQWTQ9y3oeqevcS
+aUfi6VDmnLr8
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA3 cRLIssuer
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA3
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAkOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBMzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UECxMZaW5kaXJl
+Y3RDUkwgQ0EzIGNSTElzc3VlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+mHdETkTcRztCRHzlSZJg4afLgOPz/cqZQIIoA4riJ/kHT00t3kf5mRx0Gz8/GWBH
+wYjUk5NlqDoDlmTby3SFHnZac7Ba/+rkiu4Jzdivp+BKAkiTKzIk9eM5KNv+rpUc
+cy3XKWPbz/ox5+OEvn2NhUfVWTe/RbJx1Nq0Mvybh2cCAwEAAaOB0zCB0DAfBgNV
+HSMEGDAWgBSWKLwppq1Yn2cux8LBlzrf7ojrKDAdBgNVHQ4EFgQUsQ4hS7IckqgK
+M04rBolnT6FPHZ8wDgYDVR0PAQH/BAQDAgECMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATBlBgNVHR8EXjBcMFqgWKBWpFQwUjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTMxDTAL
+BgNVBAMTBENSTDEwDQYJKoZIhvcNAQEFBQADgYEAbIFuFqULVZjrhsyragErXnS8
+R/sgqnP5GJcPHn7p87dEkExtxEYL5N4XnDQXhWdnpc9UtAzh7qR3xnE9EvjeaU1r
+lnsdkbJNO7DxTaM5EqLxiy/Rpf+b2rBprv10A0HvPloU9JvnVNHxT/2XA6hMnCsI
+6gImM5yk9Sc/rTitZ6s=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid cRLIssuer EE Certificate Test28
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA3
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAs6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBMzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlVmFsaWQg
+Y1JMSXNzdWVyIEVFIENlcnRpZmljYXRlIFRlc3QyODCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAuwCMHRZqCorqgWJ/3RJzqiuHtyGbyYxGxHWcVZTbw4GSmQtI
+F07KmEPqaz7I/wyMS0+u70yDrhQkfH1Esjmx7/srC+p4oBzZMa3/LiyDo0D63NjA
+3JjOdLwf3YRWGE+4XcPbjHsd486hkCCXw4EF7ZfnscRWgNCe6FEzHy131MkCAwEA
+AaOCAVEwggFNMB8GA1UdIwQYMBaAFJYovCmmrVifZy7HwsGXOt/uiOsoMB0GA1Ud
+DgQWBBT6Yyl3V/7WremGwNkDahqsIxegJjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMIHhBgNVHR8EgdkwgdYwgdOgfqB8pHoweDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlp
+bmRpcmVjdENSTCBDQTMgY1JMSXNzdWVyMSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwg
+Zm9yIGluZGlyZWN0Q1JMIENBM6JRpE8wTTELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTMgY1JM
+SXNzdWVyMA0GCSqGSIb3DQEBBQUAA4GBAIk5myvkEmHvyOOh3ygeeWzpz2aV6o8D
+ojAK/KS84CYsP7f64D8FU/H3JFrTXBNOoRiXpqrV5bzrHcmXgodQWTwOSL2KLzi9
+inTs+pRDbTw1oevK3GAjN5BedRZlgIyJr8d05Knp0YGYoItGYQTQXd22Dlzuoz2P
+L5I8AvoFHSAL
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:96:28:BC:29:A6:AD:58:9F:67:2E:C7:C2:C1:97:3A:DF:EE:88:EB:28
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0Z.X.V.T0R1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA31 0...U....CRL1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 15:65:bb:88:f2:fd:8c:76:6d:92:ae:f5:06:d5:bf:c8:ba:bb:
+ d4:98:de:83:a5:e1:7a:e9:92:96:f7:c2:ce:0c:de:7b:81:7f:
+ a0:32:c8:a4:15:a6:16:e6:51:b1:b2:e5:92:62:ef:46:d3:7c:
+ 5f:37:56:47:5d:3c:12:94:a6:3e:18:59:6b:2c:9e:ac:f0:90:
+ 03:23:84:b1:cd:0f:49:ff:1a:8e:67:62:35:32:68:ed:24:a2:
+ 76:93:5c:b2:80:5d:bc:81:26:ab:02:c0:f4:a1:de:3a:6d:0d:
+ ae:02:66:fb:6e:72:49:59:fe:f1:2f:87:d2:bc:98:10:3e:33:
+ 3d:d5
+-----BEGIN X509 CRL-----
+MIIBpzCCARACAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTMX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqggZgwgZUwHwYDVR0jBBgwFoAU
+lii8KaatWJ9nLsfCwZc63+6I6ygwCgYDVR0UBAMCAQEwZgYDVR0cAQH/BFwwWqBY
+oFakVDBSMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+GDAWBgNVBAsTD2luZGlyZWN0Q1JMIENBMzENMAsGA1UEAxMEQ1JMMTANBgkqhkiG
+9w0BAQUFAAOBgQAVZbuI8v2Mdm2SrvUG1b/IurvUmN6DpeF66ZKW98LODN57gX+g
+MsikFaYW5lGxsuWSYu9G03xfN1ZHXTwSlKY+GFlrLJ6s8JADI4SxzQ9J/xqOZ2I1
+MmjtJKJ2k1yygF28gSarAsD0od46bQ2uAmb7bnJJWf7xL4fSvJgQPjM91Q==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA3 cRLIssuer
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B1:0E:21:4B:B2:1C:92:A8:0A:33:4E:2B:06:89:67:4F:A1:4F:1D:9F
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0...~.|.z0x1.0...U....US1.0...U.
+..Test Certificates1"0 ..U....indirectCRL CA3 cRLIssuer1)0'..U... indirect CRL for indirectCRL CA3...
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 68:34:87:64:55:65:a9:87:47:54:c2:2d:14:48:91:1e:ee:59:
+ f5:ed:d9:06:6d:78:b9:ff:81:8c:5c:02:f5:08:b5:22:90:75:
+ 02:f2:63:62:78:25:4d:6c:2f:1f:a3:58:e2:1f:57:2b:3f:49:
+ 0d:0b:bd:85:02:c5:ac:ad:9d:38:0b:13:46:2c:34:f2:9b:e5:
+ 22:f5:55:cc:63:fb:c2:69:94:14:d7:e5:78:4f:17:4e:16:98:
+ 65:81:cf:9d:72:20:32:78:15:0e:22:af:22:2c:21:c5:7c:db:
+ 8c:31:be:ad:59:c4:81:24:e4:ec:e0:0c:40:4c:2b:95:98:dd:
+ 8f:f4
+-----BEGIN X509 CRL-----
+MIIB3TCCAUYCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTMg
+Y1JMSXNzdWVyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIHEMIHBMB8G
+A1UdIwQYMBaAFLEOIUuyHJKoCjNOKwaJZ0+hTx2fMAoGA1UdFAQDAgEBMIGRBgNV
+HRwBAf8EgYYwgYOgfqB8pHoweDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTMgY1JMSXNzdWVy
+MSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwgZm9yIGluZGlyZWN0Q1JMIENBM4QB/zAN
+BgkqhkiG9w0BAQUFAAOBgQBoNIdkVWWph0dUwi0USJEe7ln17dkGbXi5/4GMXAL1
+CLUikHUC8mNieCVNbC8fo1jiH1crP0kNC72FAsWsrZ04CxNGLDTym+Ui9VXMY/vC
+aZQU1+V4TxdOFphlgc+dciAyeBUOIq8iLCHFfNuMMb6tWcSBJOTs4AxATCuVmN2P
+9A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest29.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest29.pem
new file mode 100644
index 0000000000..4eba759d4e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest29.pem
@@ -0,0 +1,176 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA3
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0EzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCb2axnNI56WnvGeocp
+atKwDsPjuFVSHeTtyX3KVU/1U+ST/Jtv0u5WPp4iitAz/ddFiiBj4cwgr9hZYd0Y
+tUyBvGAP8UjJVp55qo1hjMDYyxFRqotx6gH4F7wyfu7s08ERFrtOoT91EwbaTFwG
+go0sbSeXio43GfBdAxDi3INGdwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlii8KaatWJ9nLsfCwZc63+6I6ygwDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAM8E4GsQT3eKZHuyNOUIn/7ZFw/9gFX3
+QfyYv5/Qozv19LTpdKCuIJuZAO900NFkfI4m4kjaYB8CGf9Z2P2B3ctXzgdI9uJM
+KmRUnMfzzXGKx+jh+/xkwYi5kduJ2RECX0mqAcOS38OFX3ej7LQWTQ9y3oeqevcS
+aUfi6VDmnLr8
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA3 cRLIssuer
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA3
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAkOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBMzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UECxMZaW5kaXJl
+Y3RDUkwgQ0EzIGNSTElzc3VlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+mHdETkTcRztCRHzlSZJg4afLgOPz/cqZQIIoA4riJ/kHT00t3kf5mRx0Gz8/GWBH
+wYjUk5NlqDoDlmTby3SFHnZac7Ba/+rkiu4Jzdivp+BKAkiTKzIk9eM5KNv+rpUc
+cy3XKWPbz/ox5+OEvn2NhUfVWTe/RbJx1Nq0Mvybh2cCAwEAAaOB0zCB0DAfBgNV
+HSMEGDAWgBSWKLwppq1Yn2cux8LBlzrf7ojrKDAdBgNVHQ4EFgQUsQ4hS7IckqgK
+M04rBolnT6FPHZ8wDgYDVR0PAQH/BAQDAgECMBcGA1UdIAQQMA4wDAYKYIZIAWUD
+AgEwATBlBgNVHR8EXjBcMFqgWKBWpFQwUjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTMxDTAL
+BgNVBAMTBENSTDEwDQYJKoZIhvcNAQEFBQADgYEAbIFuFqULVZjrhsyragErXnS8
+R/sgqnP5GJcPHn7p87dEkExtxEYL5N4XnDQXhWdnpc9UtAzh7qR3xnE9EvjeaU1r
+lnsdkbJNO7DxTaM5EqLxiy/Rpf+b2rBprv10A0HvPloU9JvnVNHxT/2XA6hMnCsI
+6gImM5yk9Sc/rTitZ6s=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid cRLIssuer EE Certificate Test29
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA3
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAnmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBMzAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlVmFsaWQg
+Y1JMSXNzdWVyIEVFIENlcnRpZmljYXRlIFRlc3QyOTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA3icTqNDmsima/TbMUuvjBhV59GC8zfX3Z3bbHAEH/kipg5Gu
+rREsznRezB5sZVZG9SH3vfWMkugzVFLlYsAsp5Zjon3+ZM7t/JtZJ0pg6XzqsEfZ
+/FCux1F10rMBIsaPzcLtc1At1aWoaqU4ydyam/kDzOEt7f/7WGqGY/ljZVUCAwEA
+AaOB/TCB+jAfBgNVHSMEGDAWgBSWKLwppq1Yn2cux8LBlzrf7ojrKDAdBgNVHQ4E
+FgQU3ZhtNWI1qdWfBti5WKsMkC0xclMwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATCBjgYDVR0fBIGGMIGDMIGAoCuhKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0EzolGkTzBNMQswCQYDVQQGEwJV
+UzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAsTGWluZGlyZWN0
+Q1JMIENBMyBjUkxJc3N1ZXIwDQYJKoZIhvcNAQEFBQADgYEAAJ+7QrDsVr4IL5DF
+k4CE+XFTE1pd3zqHZCCUSiXp4rY5FEPlsErMT9xcEUB3CiHNFLdKRdaxMxeJ0Of4
+oJV5cnM/0QdVM0HkieFFasr9Ad5CdV7ltfgzgV3fgjDr/hsBAIfcD516l2s3oN7L
+PvlIa7CLUa5f5TGAyvyKF9d1sRo=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA3
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:96:28:BC:29:A6:AD:58:9F:67:2E:C7:C2:C1:97:3A:DF:EE:88:EB:28
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0Z.X.V.T0R1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA31 0...U....CRL1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 15:65:bb:88:f2:fd:8c:76:6d:92:ae:f5:06:d5:bf:c8:ba:bb:
+ d4:98:de:83:a5:e1:7a:e9:92:96:f7:c2:ce:0c:de:7b:81:7f:
+ a0:32:c8:a4:15:a6:16:e6:51:b1:b2:e5:92:62:ef:46:d3:7c:
+ 5f:37:56:47:5d:3c:12:94:a6:3e:18:59:6b:2c:9e:ac:f0:90:
+ 03:23:84:b1:cd:0f:49:ff:1a:8e:67:62:35:32:68:ed:24:a2:
+ 76:93:5c:b2:80:5d:bc:81:26:ab:02:c0:f4:a1:de:3a:6d:0d:
+ ae:02:66:fb:6e:72:49:59:fe:f1:2f:87:d2:bc:98:10:3e:33:
+ 3d:d5
+-----BEGIN X509 CRL-----
+MIIBpzCCARACAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTMX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqggZgwgZUwHwYDVR0jBBgwFoAU
+lii8KaatWJ9nLsfCwZc63+6I6ygwCgYDVR0UBAMCAQEwZgYDVR0cAQH/BFwwWqBY
+oFakVDBSMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+GDAWBgNVBAsTD2luZGlyZWN0Q1JMIENBMzENMAsGA1UEAxMEQ1JMMTANBgkqhkiG
+9w0BAQUFAAOBgQAVZbuI8v2Mdm2SrvUG1b/IurvUmN6DpeF66ZKW98LODN57gX+g
+MsikFaYW5lGxsuWSYu9G03xfN1ZHXTwSlKY+GFlrLJ6s8JADI4SxzQ9J/xqOZ2I1
+MmjtJKJ2k1yygF28gSarAsD0od46bQ2uAmb7bnJJWf7xL4fSvJgQPjM91Q==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA3 cRLIssuer
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B1:0E:21:4B:B2:1C:92:A8:0A:33:4E:2B:06:89:67:4F:A1:4F:1D:9F
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0...~.|.z0x1.0...U....US1.0...U.
+..Test Certificates1"0 ..U....indirectCRL CA3 cRLIssuer1)0'..U... indirect CRL for indirectCRL CA3...
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 68:34:87:64:55:65:a9:87:47:54:c2:2d:14:48:91:1e:ee:59:
+ f5:ed:d9:06:6d:78:b9:ff:81:8c:5c:02:f5:08:b5:22:90:75:
+ 02:f2:63:62:78:25:4d:6c:2f:1f:a3:58:e2:1f:57:2b:3f:49:
+ 0d:0b:bd:85:02:c5:ac:ad:9d:38:0b:13:46:2c:34:f2:9b:e5:
+ 22:f5:55:cc:63:fb:c2:69:94:14:d7:e5:78:4f:17:4e:16:98:
+ 65:81:cf:9d:72:20:32:78:15:0e:22:af:22:2c:21:c5:7c:db:
+ 8c:31:be:ad:59:c4:81:24:e4:ec:e0:0c:40:4c:2b:95:98:dd:
+ 8f:f4
+-----BEGIN X509 CRL-----
+MIIB3TCCAUYCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTMg
+Y1JMSXNzdWVyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIHEMIHBMB8G
+A1UdIwQYMBaAFLEOIUuyHJKoCjNOKwaJZ0+hTx2fMAoGA1UdFAQDAgEBMIGRBgNV
+HRwBAf8EgYYwgYOgfqB8pHoweDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTMgY1JMSXNzdWVy
+MSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwgZm9yIGluZGlyZWN0Q1JMIENBM4QB/zAN
+BgkqhkiG9w0BAQUFAAOBgQBoNIdkVWWph0dUwi0USJEe7ln17dkGbXi5/4GMXAL1
+CLUikHUC8mNieCVNbC8fo1jiH1crP0kNC72FAsWsrZ04CxNGLDTym+Ui9VXMY/vC
+aZQU1+V4TxdOFphlgc+dciAyeBUOIq8iLCHFfNuMMb6tWcSBJOTs4AxATCuVmN2P
+9A==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest30.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest30.pem
new file mode 100644
index 0000000000..5fa8620800
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest30.pem
@@ -0,0 +1,143 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA4
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBVzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOomKt58EC5ZhZuQ5l
+1sHzwQGlV0aO6IxFJcWNzxERgALimki0sMEmrMvIg7vymvt/sQE/n4ivjA4Zmi7J
+AvHlOsvgWiM6Kv2pvPkoBbRuOLQz1jrvOXIQlapQc6bsv3Cp8tIpxtNdjHEagqpc
++yL8WWtTTB89P2WOaDjUevZPSQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUrbJDVL6XeFCXxQvyNJPFyECwuScwDgYD
+VR0PAQH/BAQDAgIEMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAFWfQvCC6bO3TFmioOAPr4LLUDYbz8Za
+z26H0RgIrFnUEmrPZF7i4/iQpq6cJmWcOb3M3wI/3IlaUmydTEOBpGGazIlk7NF6
+28v19V7KsugitbLcZJXOtaqbseyfwWgFT3LLvxV8qJqKBhNR3NUJvjdBYU6KlbeE
+rZoFX9Ru0Z0G
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA4 cRLIssuer
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA4
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBNDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UECxMZaW5kaXJl
+Y3RDUkwgQ0E0IGNSTElzc3VlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vVQzOttxelJEVuWmMiwdG3GTEejfYhWdQmYtsSPFQ64V3B1F/SYYykFOPCVAbkZh
+PvFOhkUY0iQCBXi95lpCsWt31O2l5oIhKuzqBU6q86Ymk32qDQBvwtaHAlHRSdfn
+nPsCxWlDQdl5El4WL4/bT60xL1SdwWePNDldrtN7hf8CAwEAAaOCAVEwggFNMB8G
+A1UdIwQYMBaAFK2yQ1S+l3hQl8UL8jSTxchAsLknMB0GA1UdDgQWBBQF35wWai5Z
+gbV2xnj1OQvb/oVaYzAOBgNVHQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAMBgpghkgB
+ZQMCATABMIHhBgNVHR8EgdkwgdYwgdOgfqB8pHoweDELMAkGA1UEBhMCVVMxGjAY
+BgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBD
+QTQgY1JMSXNzdWVyMSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwgZm9yIGluZGlyZWN0
+Q1JMIENBNKJRpE8wTTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTQgY1JMSXNzdWVyMA0GCSqG
+SIb3DQEBBQUAA4GBAFKBu5yoQtqwA+MA/6AboLUyFrryUbT8gm6n5zVA7H5ezmO3
+apxKCgdHPEshKAN+SgO2kto0eE/4s2MF++66pMA+r8TDDmCrOfYVwMHyPVOrBKGM
+n7C+rt0ozZ32wA3d7k57IIsPT/H56TdX07oV5URZKAJ0k5iaPCBBLmF9w6BE
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid cRLIssuer EE Certificate Test30
+issuer=/C=US/O=Test Certificates/OU=indirectCRL CA4
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAs6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JM
+IENBNDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlVmFsaWQg
+Y1JMSXNzdWVyIEVFIENlcnRpZmljYXRlIFRlc3QzMDCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEArCi7o+0oIpxvpPUN8G1Ys04I2kgIPVMldcU0tM/QiAGdPEXG
+j/Hcn9YQZVOGFuuPKge/kZ7wheOIpI91lKkeGqegSWssN1BzgiAJupENTtDlex3I
+FqatuDIln6nXgUp984F42mLPqLcXqSiAzCkJiPz24slUDhJiLWkEE0fWFrkCAwEA
+AaOCAVEwggFNMB8GA1UdIwQYMBaAFK2yQ1S+l3hQl8UL8jSTxchAsLknMB0GA1Ud
+DgQWBBQ4JkHeuoJrm1VjW/qWHf72m1Xm5TAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMIHhBgNVHR8EgdkwgdYwgdOgfqB8pHoweDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlp
+bmRpcmVjdENSTCBDQTQgY1JMSXNzdWVyMSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwg
+Zm9yIGluZGlyZWN0Q1JMIENBNKJRpE8wTTELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
+EVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTQgY1JM
+SXNzdWVyMA0GCSqGSIb3DQEBBQUAA4GBAEGbnAJ6dpMVdHCjEMoVtyK7az1Sxcea
+28kAl/5TcdMNyP/DUgoweDRVQcm7sbJ3se3M0ac/+I9ce78YpS2e+83drRFYDRTg
+4DRD5RJUr6SS0F4tAwyncyaCsTn577sLWSmnkF3SKBiz6QNr83tetioIeXhAUcoI
+0tg5RoGSJkFD
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA4 cRLIssuer
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:05:DF:9C:16:6A:2E:59:81:B5:76:C6:78:F5:39:0B:DB:FE:85:5A:63
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0...~.|.z0x1.0...U....US1.0...U.
+..Test Certificates1"0 ..U....indirectCRL CA4 cRLIssuer1)0'..U... indirect CRL for indirectCRL CA4...
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 8f:7e:a7:21:7b:8e:70:00:d3:23:a8:d7:d5:ce:87:34:44:e0:
+ ad:e2:89:f6:7e:9d:5b:2a:b7:af:57:bf:95:bf:5e:6b:f9:1c:
+ 40:77:87:ea:eb:b1:ad:0c:e1:55:82:93:f0:bb:f6:e5:4c:33:
+ 69:e5:41:c1:c9:6e:ae:b4:98:38:a0:1e:38:e1:20:84:d9:2d:
+ 9f:2f:07:90:7e:30:7c:a1:c5:0d:c3:04:39:aa:97:b5:30:6f:
+ d9:e9:dd:78:d4:f9:49:01:69:93:da:e9:30:2e:ce:5b:89:cd:
+ 5b:c7:48:31:69:bc:06:9a:6a:cc:02:2f:bd:5b:78:b4:c4:ad:
+ 8b:ef
+-----BEGIN X509 CRL-----
+MIIB3TCCAUYCAQEwDQYJKoZIhvcNAQEFBQAwTTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTQg
+Y1JMSXNzdWVyFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoIHEMIHBMB8G
+A1UdIwQYMBaAFAXfnBZqLlmBtXbGePU5C9v+hVpjMAoGA1UdFAQDAgEBMIGRBgNV
+HRwBAf8EgYYwgYOgfqB8pHoweDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3Qg
+Q2VydGlmaWNhdGVzMSIwIAYDVQQLExlpbmRpcmVjdENSTCBDQTQgY1JMSXNzdWVy
+MSkwJwYDVQQDEyBpbmRpcmVjdCBDUkwgZm9yIGluZGlyZWN0Q1JMIENBNIQB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCPfqche45wANMjqNfVzoc0ROCt4on2fp1bKrevV7+V
+v15r+RxAd4fq67GtDOFVgpPwu/blTDNp5UHByW6utJg4oB444SCE2S2fLweQfjB8
+ocUNwwQ5qpe1MG/Z6d141PlJAWmT2ukwLs5bic1bx0gxabwGmmrMAi+9W3i0xK2L
+7w==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest33.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest33.pem
new file mode 100644
index 0000000000..a1d4ca6ebd
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest33.pem
@@ -0,0 +1,226 @@
+subject=/C=US/O=Test Certificates/OU=indirectCRL CA5
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UECxMPaW5kaXJlY3RD
+UkwgQ0E1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx678FWV/yNhQZJRyI
+iaMmsrcrL1oSrYNu6oCM7kFCgk9PSYQRh+4SVNGyvyuQQ74+C4MLKd+GgMPRtHok
+km0S1dv/hLd6qZcVzhL+XHQ+ufLEbZqs1ZXSUfqTJFJpAgu4qLqMS8iZxijRGaDM
+6cQdbVcLMhxTC6sYFzuYtl78gwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUlK0S0eEOfsO7N0tBPW1ZgD9EV20wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALAhR+3HUAbz9RiSD7M2UTI/CO2tE7dn
+6zSaQvkfm/UVsDvNLmSaeXS/29C8sHeoEVpmDdGbgCPcMwB3lTNt2pKI5jhr9f7J
+7BE1W43gZMR2YFRrkMX8AhQKVRN5LVpQIKjGMm8CkTPH9ecvH8kGwYcB3qLZwD3H
+sN+wLRApTQTr
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=indirectCRL CA6
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICdTCCAd6gAwIBAgIBWTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RD
+UkwgQ0E2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5/raWoeX0Fp14qkKY
+Ypdts+gzpB6uEBcK8SpAa5FzydBYcIJajJ7MbWLlH1o1nzd27E2YQQPaVuRvB9vS
+4Tih5plnbOXvkaUVh/iohILhb0Q49JWe4JU2yQsphppmzXgUH7C0Zygn3N/fd8JF
+MUxK0kDYmuerHsZ7DDIJsAOTpQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7K
+J3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUwhs+qhpOwTOKGqpZSQOxZqIc8H0wDgYD
+VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBACMudfomzqT284TDQDAaT8SdUGpP0bH0
+ofTP/6WODMD3M2+AYgM5ES2McuNKWBx/iifIy42icqmtiP4EjbwjK5JKPJzSSyIF
+/BL1+/TdNfvGBuDBG7qoVzqALx4QeAdCh9tjM9eZQbwVuIIUiI94VPU3hT1OcJRE
+ZCkFIjgPYCPR
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid cRLIssuer EE Certificate Test33
+issuer=/C=US/O=Test Certificates/CN=indirectCRL CA6
+-----BEGIN CERTIFICATE-----
+MIIDUTCCArqgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JM
+IENBNjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UEAxMlVmFsaWQg
+Y1JMSXNzdWVyIEVFIENlcnRpZmljYXRlIFRlc3QzMzCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA01gBYBQnJrrihQ7wxqFilR6zjimXk5ZbQs9BCX1n/zpBfmwn
+ezaal6qZo9BPsXH+zjp8eicI+kPZSXMUd5JgwwuHYH9+gL7EvKobEJc9WBuhBU5i
+GRSeBq9M0UltbXo5c6hbxl22rmTpqTaehigZ94dujqsPPl5g334rdtPU2IcCAwEA
+AaOCAT0wggE5MB8GA1UdIwQYMBaAFMIbPqoaTsEzihqqWUkDsWaiHPB9MB0GA1Ud
+DgQWBBR8QXrBPNUgzCMGCs9z7zs4nferRzAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g
+BBAwDjAMBgpghkgBZQMCATABMIHNBgNVHR8EgcUwgcIwgb+gdKBypHAwbjELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9p
+bmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJl
+Y3RDUkwgQ0E2okekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0
+aWZpY2F0ZXMxGDAWBgNVBAsTD2luZGlyZWN0Q1JMIENBNTANBgkqhkiG9w0BAQUF
+AAOBgQCTqqePZ3xWbeWlGEO5gbYfjxlqTrTOYOFZoSMlApx3fDkAo2o89IvoGN9N
+hXQDCVtd7MS5g1v2bCGF9TjVKgPMGIJSFGp0QIRRsNdsxRi631JxUFvVz7yE3RgI
+Qjll0EqM4nEceTJaNz6SnQhSjdcOJspkqKXUA1ga7Za2rC8SSA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=indirectCRL CA5
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:94:AD:12:D1:E1:0E:7E:C3:BB:37:4B:41:3D:6D:59:80:3F:44:57:6D
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0..Y...R...N.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA6.p0n1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51)0'..U... indirect CRL for indirectCRL CA7.h0f1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA51!0...U....CRL1 for indirectCRL CA5...
+Revoked Certificates:
+ Serial Number: 01
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA7
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 07
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 08
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA6
+ Serial Number: 09
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0A
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ 2.5.29.29: critical
+ 0G.E0C1.0...U....US1.0...U.
+..Test Certificates1.0...U....indirectCRL CA5
+ Serial Number: 0B
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 05:49:47:a1:74:fb:1b:35:e7:63:c3:18:3f:ff:34:5b:ba:1c:
+ d3:05:5c:a5:3f:2e:d1:1b:fe:d9:91:8b:25:a9:b1:e2:42:9c:
+ f0:f9:98:c2:ae:94:da:1e:da:b8:38:51:6b:42:c1:6e:c5:9e:
+ 44:bc:3a:b4:36:57:f8:56:a1:ae:4c:04:ca:b6:67:2e:da:ce:
+ 51:b3:17:b7:9e:1d:12:af:54:9d:37:88:d2:58:9f:c1:a6:53:
+ 79:c8:aa:90:45:b2:ff:61:63:e9:5e:2c:7b:4c:6e:a8:71:ab:
+ 7b:10:11:aa:c4:bd:45:ce:9a:09:d5:f7:ac:0d:83:7c:62:3c:
+ c7:af
+-----BEGIN X509 CRL-----
+MIIFfDCCBOUCAQEwDQYJKoZIhvcNAQEFBQAwQzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUX
+DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowggLKMCACAQEXDTAxMDQxOTE0
+NTcyMFowDDAKBgNVHRUEAwoBATB1AgECFw0wMTA0MTkxNDU3MjBaMGEwCgYDVR0V
+BAMKAQEwUwYDVR0dAQH/BEkwR6RFMEMxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPaW5kaXJlY3RDUkwgQ0E2MCACAQMX
+DTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBATAgAgEEFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwdQIBBRcNMDEwNDE5MTQ1NzIwWjBhMAoGA1UdFQQDCgEB
+MFMGA1UdHQEB/wRJMEekRTBDMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBD
+ZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD2luZGlyZWN0Q1JMIENBNzAgAgEGFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBxcNMDEwNDE5MTQ1NzIwWjAMMAoG
+A1UdFQQDCgEBMHUCAQgXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUEAwoBATBTBgNV
+HR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlm
+aWNhdGVzMRgwFgYDVQQDEw9pbmRpcmVjdENSTCBDQTYwIAIBCRcNMDEwNDE5MTQ1
+NzIwWjAMMAoGA1UdFQQDCgEBMHUCAQoXDTAxMDQxOTE0NTcyMFowYTAKBgNVHRUE
+AwoBATBTBgNVHR0BAf8ESTBHpEUwQzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRl
+c3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUwIAIBCxcN
+MDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIIBnjCCAZowHwYDVR0jBBgwFoAU
+lK0S0eEOfsO7N0tBPW1ZgD9EV20wCgYDVR0UBAMCAQEwggFpBgNVHRwBAf8EggFd
+MIIBWaCCAVKgggFOpHAwbjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2Vy
+dGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxKTAnBgNVBAMTIGlu
+ZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E2pHAwbjELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgwFgYDVQQLEw9pbmRpcmVjdENS
+TCBDQTUxKTAnBgNVBAMTIGluZGlyZWN0IENSTCBmb3IgaW5kaXJlY3RDUkwgQ0E3
+pGgwZjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRgw
+FgYDVQQLEw9pbmRpcmVjdENSTCBDQTUxITAfBgNVBAMTGENSTDEgZm9yIGluZGly
+ZWN0Q1JMIENBNYQB/zANBgkqhkiG9w0BAQUFAAOBgQAFSUehdPsbNedjwxg//zRb
+uhzTBVylPy7RG/7ZkYslqbHiQpzw+ZjCrpTaHtq4OFFrQsFuxZ5EvDq0Nlf4VqGu
+TATKtmcu2s5Rsxe3nh0Sr1SdN4jSWJ/BplN5yKqQRbL/YWPpXix7TG6ocat7EBGq
+xL1FzpoJ1fesDYN8YjzHrw==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest2.pem
new file mode 100644
index 0000000000..abd16aaee7
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest2.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid deltaCRL EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAo+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEsMCoGA1UEAxMjVmFsaWQgZGVs
+dGFDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBANRKVxWvFldCkmzvNTs41NjJct7Jt2VltlefYPwBuwPuHZveA3TbXj88
+nvKICCqBLZwlhGlAyfZTqFd4gElplVEKvfn/GSNyGGnsAHfZJOqwzyvpIPx/yg61
+ALFj1gsGSesibsgaXOhUVO0N6EVpse2azO8I7qSpXf6f6b+qpSkLAgMBAAGjggEX
+MIIBEzAfBgNVHSMEGDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAdBgNVHQ4EFgQU
+zo7j3tkIY9+L33KkkCzx7XzdaOcwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATBTBgNVHR8ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBD
+QTEwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwgQ0ExMA0GCSqGSIb3
+DQEBBQUAA4GBABBiIdpyc6pIhhnujMn4FXCBcoJtkC5Am8NB/cgPKyhVlUTnp62b
+dbt1zoUI9KJPSlwBuJduPL/Q9hJr1vKHdcFC98iANtf3s7fzzhGF22Nel/qKtlWr
+fldw2WVkIjTSeQV9gmBf3cHAV31JP5/q1rMljeZD448J9Cd46UR05jM2
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest5.pem
new file mode 100644
index 0000000000..57390f882d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest5.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid deltaCRL EE Certificate Test5
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAo+gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEsMCoGA1UEAxMjVmFsaWQgZGVs
+dGFDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBALJoiZyA4CHBqHesCHEPO2Me3gceR6LJTUtoEOGP877OjigufADkFCsN
+m6lEz1zn0JfUOvERm70QxsfYSjpbc3OiPi8v/hbsB0whYBVGe017Qluvyf6ZV2v/
+ItpeUd3v3rw3g3Z+pXGAgLTeDBl6RhbybuoORo2hbpq1hPkhrep7AgMBAAGjggEX
+MIIBEzAfBgNVHSMEGDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAdBgNVHQ4EFgQU
+FouAPbKkYNJGEKJU0p5tKX2BhpEwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATBTBgNVHR8ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBD
+QTEwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwgQ0ExMA0GCSqGSIb3
+DQEBBQUAA4GBAGu61lJXt+1uZ8FoGyPdKeHvT8YKDijsbNtC8azjbqKRIz7ETsfQ
+9nax423fRWHnphLHzSUdbuIdBvWL8aDN0T9ZvNt4A+73SndqlIw7y3ULlw+r+CRs
+UBmBJJSEvo8Bh+4OJCjGoZXDzdGbQ+7TYzZn+asNvDVZE5MN8o8Tcq8r
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest7.pem
new file mode 100644
index 0000000000..9b046d77ae
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest7.pem
@@ -0,0 +1,190 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA1
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBWzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0ExMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAdMOZhkDHEp9KBGE+XuF
+msopQ2J+rJDtUrJ4pDANd3KgvUwmAZnDOopO+3hIw/w6tsB48EJwMCiofofFALAT
+zbGJidQOgpLF2if/SwmyWzUKqB8XirB9z5z0NLfE/0nnUhVQnAJ54W1jOz/+wMfg
+7oWdQC0ZAd1ndBLf+mtqHwIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUk49NvPIc1wyuIEisujIaDdfoDc0wDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAJhiiwAX8BQouosN8thaL0+ZHNhiuQ2gr8Mi
+xgaJCB4DVxE5teLk0eeWz+KVJBQwDdrlK4l0BO595r8cldkYkKJkJl+ZGPbNSDys
+XuVwXGbgfcUNPCeD1UIErQASVfomr3io69Nc62HwaBpTgARQO0wvfnIOFNAQSZH9
+247eEnnm
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid deltaCRL EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA1
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAo+gAwIBAgIBBjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEsMCoGA1UEAxMjVmFsaWQgZGVs
+dGFDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBALU8oom56GYl7ggs8WAyhZeZmMxxsN6Ikht0t6Iydxic3xNbotaUS0iz
+H0tYBYwzuCTMpM8RMBSrU4UlqIE/9V5PuY2dWiHDXVGRawMdE3i4UNzrMS0BlYDz
+zvAw77ifKwmObOm8R1CWg2VCY9xzFWqER3YRDKQTcK5LzjtxP6PZAgMBAAGjggEX
+MIIBEzAfBgNVHSMEGDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAdBgNVHQ4EFgQU
+unt4uPVRHtIAndMWGuDH66dedOcwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATBTBgNVHR8ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBD
+QTEwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwgQ0ExMA0GCSqGSIb3
+DQEBBQUAA4GBAFwV555uqsNA+ZtS8QnVH+RRp5jhYTymacP8yc7G87Hyue8xaNzA
+yj4g3Rxfthlo52FFH0ZiuOKJP4YSvX4jr/BqZyrO5eMNs+ln4gMHn+RVxBdeh4xT
+LgXbQGX8wnks92CCGWUW1vbXUSbpBW43SaT767qDIo7yTASQVQ4jtWHJ
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 2
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 06
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Remove From CRL
+ Signature Algorithm: sha1WithRSAEncryption
+ 63:e6:6b:e9:cf:44:29:c8:8b:e5:8c:ba:ab:26:57:a5:4f:a8:
+ b6:e3:81:35:ff:73:8b:40:e0:79:7a:d7:69:8a:c5:a3:d9:85:
+ 29:ff:ef:e4:7a:4b:f5:36:51:34:79:9a:85:01:cb:ac:03:48:
+ 9e:2d:b7:b6:9e:82:57:b1:0a:b7:49:06:a8:cb:c3:71:2c:71:
+ 58:7d:e1:68:22:6a:11:3d:e6:ac:2a:58:d8:1d:97:3b:46:98:
+ d0:f5:f2:85:85:7f:b5:c7:57:a4:0e:e4:fc:c8:cd:7e:b0:2c:
+ 1d:2d:86:30:1b:06:70:36:33:e0:69:47:60:98:5b:f5:93:35:
+ 90:7a
+-----BEGIN X509 CRL-----
+MIIB1DCCAT0CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAz
+MDEwMTEyMDAwMFoXDTExMDQxOTE0NTcyMFowgYgwIAIBAxcNMDEwNDE5MTQ1NzIw
+WjAMMAoGA1UdFQQDCgEBMCACAQQXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoB
+CDAgAgEFFw0wMTA0MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQEwIAIBBhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEIoD4wPDAfBgNVHSMEGDAWgBSTj0288hzXDK4g
+SKy6MhoN1+gNzTAKBgNVHRQEAwIBAjANBgNVHRsBAf8EAwIBATANBgkqhkiG9w0B
+AQUFAAOBgQBj5mvpz0QpyIvljLqrJlelT6i244E1/3OLQOB5etdpisWj2YUp/+/k
+ekv1NlE0eZqFAcusA0ieLbe2noJXsQq3SQaoy8NxLHFYfeFoImoRPeasKljYHZc7
+RpjQ9fKFhX+1x1ekDuT8yM1+sCwdLYYwGwZwNjPgaUdgmFv1kzWQeg==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:93:8F:4D:BC:F2:1C:D7:0C:AE:20:48:AC:BA:32:1A:0D:D7:E8:0D:CD
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 04
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Serial Number: 05
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Certificate Hold
+ Signature Algorithm: sha1WithRSAEncryption
+ 48:32:1b:da:3a:c2:71:37:ea:24:5a:90:2f:19:b8:9e:00:96:
+ b3:e1:2a:6d:ed:b5:7b:eb:90:30:ac:87:c0:8a:6d:ca:24:f4:
+ 73:dd:bd:b7:f8:cc:55:31:f3:d9:e2:a2:5c:7c:51:60:6d:a0:
+ db:43:12:52:9c:94:fa:10:86:32:e6:a6:7e:ce:e6:c1:00:2e:
+ fe:33:22:b3:5f:66:e9:d3:03:de:05:c4:94:bd:09:2b:1d:2e:
+ 06:86:e8:26:f5:f4:38:39:62:7e:e8:0e:bb:cd:c8:bb:82:92:
+ 71:96:8a:01:73:d7:ef:fa:a5:c2:94:53:e9:2c:34:a7:50:7d:
+ eb:4e
+-----BEGIN X509 CRL-----
+MIIB+TCCAWICAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQEwIAIBBBcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEG
+MCACAQUXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBBqCBhTCBgjAfBgNVHSME
+GDAWgBSTj0288hzXDK4gSKy6MhoN1+gNzTAKBgNVHRQEAwIBATBTBgNVHS4ETDBK
+MEigRqBEpEIwQDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh
+dGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTEwDQYJKoZIhvcNAQEFBQADgYEASDIb
+2jrCcTfqJFqQLxm4ngCWs+Eqbe21e+uQMKyHwIptyiT0c929t/jMVTHz2eKiXHxR
+YG2g20MSUpyU+hCGMuamfs7mwQAu/jMis19m6dMD3gXElL0JKx0uBoboJvX0ODli
+fugOu83Iu4KScZaKAXPX7/qlwpRT6Sw0p1B9604=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest8.pem
new file mode 100644
index 0000000000..2db6c9c39f
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest8.pem
@@ -0,0 +1,162 @@
+subject=/C=US/O=Test Certificates/CN=deltaCRL CA2
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICcjCCAdugAwIBAgIBXDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwg
+Q0EyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr2MUpxzH8HIqzmAylEvng
+qJvVIxI4xzM8NSpC7P7T2R1dmFXK/19W+m5yqOagB9VxgxP9IYbI2VJ/FrbQSD/+
+afpuHA8++piSAs2e/1BoRagiln3PnQTLemPsmVy00eSLnsw6QRdC0MIZjme0/SHv
+Z6XuWPNvicDyA/Uml2pCqQIDAQABo3wwejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qe
+DbA86pq8h/9J6jAdBgNVHQ4EFgQUo5OrV2YmbXI6bLyDZaOa/I4MQwswDgYDVR0P
+AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBAFnKbCQCHJI6HhnaoKJkHKk3dBK/E1DNHc3a
+u9yx3wYdmqwkoG5iKJjssQDLcbLfpjuF7jU9nKbk2gcmOIa5//lgCmUaok4WZSUA
+u8bzMnpiZyzIjjoW78RyuntCMXbZzcs7umsOKfOlDXj4wwsev4E7m5nvP2Qv7hEX
+ECR/9DaG
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid deltaCRL EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=deltaCRL CA2
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAo+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENB
+MjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEsMCoGA1UEAxMjVmFsaWQgZGVs
+dGFDUkwgRUUgQ2VydGlmaWNhdGUgVGVzdDgwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBANNXQWv/s3VtlajbHeAAaJZ+taow3YYnDMLz9tXUqMSOOKnoHR59ec/A
+1XsEc02zK6rj6cC8db6LqebYOUJ1kpBl3t2oEH25mVFiBhgdYiLGeezrLNiAm2vF
+dBdoOCER9Y5PshspgHG45kPR88sRxRuN+NtvOBQ+rS3ZagNzOydDAgMBAAGjggEX
+MIIBEzAfBgNVHSMEGDAWgBSjk6tXZiZtcjpsvINlo5r8jgxDCzAdBgNVHQ4EFgQU
+rDZIHgyRpXqIY0zNvpsz15jbVrcwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4w
+DAYKYIZIAWUDAgEwATBTBgNVHR8ETDBKMEigRqBEpEIwQDELMAkGA1UEBhMCVVMx
+GjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBD
+QTIwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFU
+ZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFDUkwgQ0EyMA0GCSqGSIb3
+DQEBBQUAA4GBACi9fCMcVs6WjeEeE35GgRLIbCVWQ1PbtOFwwJiaM7f/c4i1F3Kt
+A2BcHex6T21Ea9eSra37uvPdAUSc0Dc3klZS96pU6v0oZtXl07daAhbR8mKRmoPq
+tVcto5YqOd/STL2egFKzNVhfR5UZo1wycobU3FZtmFyr9DFIEKb/mFt0
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA2
+ Last Update: Jan 1 12:00:00 2003 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A3:93:AB:57:66:26:6D:72:3A:6C:BC:83:65:A3:9A:FC:8E:0C:43:0B
+
+ X509v3 CRL Number:
+ 3
+ X509v3 Delta CRL Indicator: critical
+ 1
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 25:e0:e6:a0:65:11:f0:81:2b:f1:ed:47:8c:1c:a4:dd:79:26:
+ 78:05:22:84:96:35:60:de:7b:13:ec:70:ee:50:3d:ac:d4:9a:
+ 22:fe:e3:9a:77:a4:fb:bb:86:98:21:80:3e:d3:20:85:57:b2:
+ 0f:2e:bd:53:d4:7a:ac:96:02:3e:17:00:67:67:6d:16:01:9d:
+ 93:cb:fc:b6:f1:c2:23:0b:e2:de:c2:02:5a:70:05:34:35:8a:
+ 72:8c:cb:78:ad:62:96:86:50:5d:6c:ba:1a:bb:e5:b8:e8:5f:
+ b6:7c:33:8f:8b:aa:c6:b1:78:a7:e4:56:12:76:09:7a:db:ae:
+ f5:ff
+-----BEGIN X509 CRL-----
+MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGRlbHRhQ1JMIENBMhcNMDMw
+MTAxMTIwMDAwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAQIXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaA+MDwwHwYDVR0jBBgwFoAUo5OrV2YmbXI6bLyDZaOa/I4M
+QwswCgYDVR0UBAMCAQMwDQYDVR0bAQH/BAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA
+JeDmoGUR8IEr8e1HjByk3XkmeAUihJY1YN57E+xw7lA9rNSaIv7jmnek+7uGmCGA
+PtMghVeyDy69U9R6rJYCPhcAZ2dtFgGdk8v8tvHCIwvi3sICWnAFNDWKcozLeK1i
+loZQXWy6GrvluOhftnwzj4uqxrF4p+RWEnYJetuu9f8=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=deltaCRL CA2
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:A3:93:AB:57:66:26:6D:72:3A:6C:BC:83:65:A3:9A:FC:8E:0C:43:0B
+
+ X509v3 CRL Number:
+ 2
+ 2.5.29.46:
+..Test Certificates1.0...U....deltaCRL CA2
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 6a:af:6c:a0:70:12:90:02:5b:70:fd:d4:b6:8d:28:9a:51:5c:
+ fd:04:ed:47:e1:a0:5a:60:e7:41:83:23:ff:a3:e0:c6:b1:fc:
+ 71:db:cb:8e:a7:20:0e:f6:9a:ae:e3:fd:61:33:a6:21:69:4f:
+ 7f:7f:23:cc:33:47:45:23:bc:fc:a1:79:02:31:3f:8d:77:e7:
+ c0:9c:8d:90:ef:6a:9d:38:fe:13:b7:03:dd:ac:36:72:b5:94:
+ e5:7b:43:a8:7a:96:ce:16:bc:55:00:bd:cc:1b:a7:81:93:40:
+ f7:f6:11:bf:c6:dd:7a:ab:32:e5:be:fb:88:32:e2:06:41:9f:
+ 5f:d5
+-----BEGIN X509 CRL-----
+MIIBtTCCAR4CAQEwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRUwEwYDVQQDEwxkZWx0YUNSTCBDQTIXDTAx
+MDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0MTkxNDU3MjBa
+MAwwCgYDVR0VBAMKAQGggYUwgYIwHwYDVR0jBBgwFoAUo5OrV2YmbXI6bLyDZaOa
+/I4MQwswCgYDVR0UBAMCAQIwUwYDVR0uBEwwSjBIoEagRKRCMEAxCzAJBgNVBAYT
+AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMZGVsdGFD
+UkwgQ0EyMA0GCSqGSIb3DQEBBQUAA4GBAGqvbKBwEpACW3D91LaNKJpRXP0E7Ufh
+oFpg50GDI/+j4Max/HHby46nIA72mq7j/WEzpiFpT39/I8wzR0UjvPyheQIxP413
+58CcjZDvap04/hO3A92sNnK1lOV7Q6h6ls4WvFUAvcwbp4GTQPf2Eb/G3XqrMuW+
++4gy4gZBn1/V
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest1.pem
new file mode 100644
index 0000000000..4d1155f29e
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest1.pem
@@ -0,0 +1,123 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVIDlX8Ue
+jptTAccp199par4Wi+6zdvpzdmUXj6UICGge/S5OJUY6nmBMligfESDLwjhbFB9V
+wm194odW9eAiWfUenAN7i4xIyorZwf5dPqHZVOcv9M3jRBce9j/ZuO8ard6c8Dp+
+UQ7gGH0Avyz4IM9x52TNBjYLthRcxwRPywIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnh8dUFdqhW8b+OZBXut6ujB+
+uvQwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMM6gfNW7Hs8z/E7U5NW/M1Y
+eT2VxqvZaq+HqK/GnxQeJUalPUbLk66F3XU5QmU/gQ/F6wP5yEV8UZALVj7OuJ56
+Vz21USzCSPGXPazeDdBQSx0otXHbKVtamBKYMn+jFqYPuPmNxUWzu4iczvEsBZFK
+0dm+b6846EQQbmI8jNru
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid distributionPoint EE Certificate Test1
+issuer=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgZGlzdHJpYnV0aW9uUG9pbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDEwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN6guztNoD71JstXwHeM6i0zxnyPdZOx
+ZTcQsR+TD2lCqIvhOECxI8GdbfxgHJlvh/2nKd7LKSelitE+3fWW/qKMZ/0YuVru
+PaJZ++CaJDZQma26yjruW5AcBQ0L+V9VYKLoFnGDjtlJrHGbvrv4XZByL19ikrKd
+nt241DXaNxsnAgMBAAGjgfMwgfAwHwYDVR0jBBgwFoAUnh8dUFdqhW8b+OZBXut6
+ujB+uvQwHQYDVR0OBBYEFGrgSYUMuxW8YuQDkUuM8pXH+fGIMA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwgYQGA1UdHwR9MHsweaB3oHWk
+czBxMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAc
+BgNVBAsTFWRpc3RyaWJ1dGlvblBvaW50MSBDQTEmMCQGA1UEAxMdQ1JMMSBvZiBk
+aXN0cmlidXRpb25Qb2ludDEgQ0EwDQYJKoZIhvcNAQEFBQADgYEAaNonr89NlCOf
+B4CPoPAy+I/+jv8FamQoB55nhirAu/W5oZunV0iWLyajzQxSVgMpmrKaIC0cgCwx
+i6XUWy7aAkam0kQMmWzHNSrGEAvMjtYU9+jQj3ZO94LFUlSKsN6Ut1dxXNheb7ML
+YFgoWyPNz0rcb+iy6fjoyxr8fpA5H9Q=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9E:1F:1D:50:57:6A:85:6F:1B:F8:E6:41:5E:EB:7A:BA:30:7E:BA:F4
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0y.w.u.s0q1.0...U....US1.0...U.
+..Test Certificates1.0...U....distributionPoint1 CA1&0$..U....CRL1 of distributionPoint1 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ bb:36:57:87:39:3f:49:50:07:42:5f:a4:2b:3e:b2:04:52:a9:
+ 1b:dc:5e:8b:c1:6c:47:19:83:1d:5f:81:da:ae:bf:ba:1d:57:
+ 8d:a7:f0:41:bf:d1:40:e3:f8:7f:bf:80:ac:8d:2d:97:15:88:
+ 6c:91:39:87:3d:0d:45:79:a3:b8:41:a2:17:b6:a3:24:cd:a9:
+ 7b:f2:f9:57:b5:98:a0:a7:07:2b:3e:5a:2a:d8:5b:84:7d:25:
+ 75:25:51:9f:58:1e:6f:ea:f9:3a:62:59:e6:54:01:d7:76:91:
+ 2d:0f:b9:f5:2a:ce:0c:46:e4:dd:b1:3c:23:92:a8:67:d2:39:
+ 6a:49
+-----BEGIN X509 CRL-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGggbgwgbUwHwYDVR0jBBgwFoAUnh8dUFdq
+hW8b+OZBXut6ujB+uvQwCgYDVR0UBAMCAQEwgYUGA1UdHAEB/wR7MHmgd6B1pHMw
+cTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYD
+VQQLExVkaXN0cmlidXRpb25Qb2ludDEgQ0ExJjAkBgNVBAMTHUNSTDEgb2YgZGlz
+dHJpYnV0aW9uUG9pbnQxIENBMA0GCSqGSIb3DQEBBQUAA4GBALs2V4c5P0lQB0Jf
+pCs+sgRSqRvcXovBbEcZgx1fgdquv7odV42n8EG/0UDj+H+/gKyNLZcViGyROYc9
+DUV5o7hBohe2oyTNqXvy+Ve1mKCnBys+WirYW4R9JXUlUZ9YHm/q+TpiWeZUAdd2
+kS0PufUqzgxG5N2xPCOSqGfSOWpJ
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest4.pem
new file mode 100644
index 0000000000..b910bfa5b8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest4.pem
@@ -0,0 +1,121 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQxIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVIDlX8Ue
+jptTAccp199par4Wi+6zdvpzdmUXj6UICGge/S5OJUY6nmBMligfESDLwjhbFB9V
+wm194odW9eAiWfUenAN7i4xIyorZwf5dPqHZVOcv9M3jRBce9j/ZuO8ard6c8Dp+
+UQ7gGH0Avyz4IM9x52TNBjYLthRcxwRPywIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnh8dUFdqhW8b+OZBXut6ujB+
+uvQwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMM6gfNW7Hs8z/E7U5NW/M1Y
+eT2VxqvZaq+HqK/GnxQeJUalPUbLk66F3XU5QmU/gQ/F6wP5yEV8UZALVj7OuJ56
+Vz21USzCSPGXPazeDdBQSx0otXHbKVtamBKYMn+jFqYPuPmNxUWzu4iczvEsBZFK
+0dm+b6846EQQbmI8jNru
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid distributionPoint EE Certificate Test4
+issuer=/C=US/O=Test Certificates/OU=distributionPoint1 CA
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgZGlzdHJpYnV0aW9uUG9pbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDQwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANJIkOdZRwN8UTl55iM8yHPn50dQHIq8
+HfyujAk6Jv6J99xOf9TR0MdxFPy0pQ+sqafVe30jTmqUVekQqyzewTZvJ3Q2tRoc
+POnbHancXe29FlXNO2PXHA+L7RPpFglcXQjTQTzccRCzmpv2bRO4oGEICTWg7twt
+MiPAc4q4jZbfAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUnh8dUFdqhW8b+OZBXut6
+ujB+uvQwHQYDVR0OBBYEFNbqujjf+uaNLMffRr8p+XZZJNN/MA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwNQYDVR0fBC4wLDAqoCihJjAk
+BgNVBAMTHUNSTDEgb2YgZGlzdHJpYnV0aW9uUG9pbnQxIENBMA0GCSqGSIb3DQEB
+BQUAA4GBAKzWCbFK6I9YapazUsu+6hrCf5Eafd14GQqQOhxwUQNvHdD8IxcTeQoX
+7u5YapjezA6GSz14DxHIZQRtE/cAzSIjRJjDvn3rQdrlwdNXRgjFia9Jknth311/
+GXxAPrAwlxOAuTBFplNC9mG9japtT3qz2BkM/q+MdedGRWtS++30
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9E:1F:1D:50:57:6A:85:6F:1B:F8:E6:41:5E:EB:7A:BA:30:7E:BA:F4
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0y.w.u.s0q1.0...U....US1.0...U.
+..Test Certificates1.0...U....distributionPoint1 CA1&0$..U....CRL1 of distributionPoint1 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ bb:36:57:87:39:3f:49:50:07:42:5f:a4:2b:3e:b2:04:52:a9:
+ 1b:dc:5e:8b:c1:6c:47:19:83:1d:5f:81:da:ae:bf:ba:1d:57:
+ 8d:a7:f0:41:bf:d1:40:e3:f8:7f:bf:80:ac:8d:2d:97:15:88:
+ 6c:91:39:87:3d:0d:45:79:a3:b8:41:a2:17:b6:a3:24:cd:a9:
+ 7b:f2:f9:57:b5:98:a0:a7:07:2b:3e:5a:2a:d8:5b:84:7d:25:
+ 75:25:51:9f:58:1e:6f:ea:f9:3a:62:59:e6:54:01:d7:76:91:
+ 2d:0f:b9:f5:2a:ce:0c:46:e4:dd:b1:3c:23:92:a8:67:d2:39:
+ 6a:49
+-----BEGIN X509 CRL-----
+MIIB8TCCAVoCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDEgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGggbgwgbUwHwYDVR0jBBgwFoAUnh8dUFdq
+hW8b+OZBXut6ujB+uvQwCgYDVR0UBAMCAQEwgYUGA1UdHAEB/wR7MHmgd6B1pHMw
+cTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYD
+VQQLExVkaXN0cmlidXRpb25Qb2ludDEgQ0ExJjAkBgNVBAMTHUNSTDEgb2YgZGlz
+dHJpYnV0aW9uUG9pbnQxIENBMA0GCSqGSIb3DQEBBQUAA4GBALs2V4c5P0lQB0Jf
+pCs+sgRSqRvcXovBbEcZgx1fgdquv7odV42n8EG/0UDj+H+/gKyNLZcViGyROYc9
+DUV5o7hBohe2oyTNqXvy+Ve1mKCnBys+WirYW4R9JXUlUZ9YHm/q+TpiWeZUAdd2
+kS0PufUqzgxG5N2xPCOSqGfSOWpJ
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest5.pem
new file mode 100644
index 0000000000..ef20fec499
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest5.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs1jD9UP9Z
+XFXO9pXlwQaq3g11cXEADTlDc+W2RuUiBJXRjOhbt9pBqMwI7EhS41KMALd8ISna
+SAp5DDvmtp2z4X95eoizwZ9O5vtIw6XA7d5EwFr2c89INmIXFw2OA0K2Xj9K7eKK
+u95rUFjJM7qfZueTDyR8/qrUEUUhq+7gtQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUOjSLBeN2WFjEhwSYfX4djKxd
+uU4wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMagar2d/lP05a6g8iDgAc4i
+8GOkbbNIOguMdW9fwv9DvIJyDO/ruRnKgZJdY9osVBqR8pVP1qErhwboe+dIBgLA
+p1yRVbcPKEd/1xXrFhjoH9Wlp6CK6Al0LIJ7iQMoufcUzay6Bux5caNEH06+BnJF
+nhKgwK6jkVuYAf9HHtVh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid distributionPoint EE Certificate Test5
+issuer=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+-----BEGIN CERTIFICATE-----
+MIICwzCCAiygAwIBAgIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgZGlzdHJpYnV0aW9uUG9pbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALIdJpgRzxOKTnCCaASeNoi7icWn2JXA
+bBhMylWHT4WIl7sKHk5BkXh5iSMq81bPtotaxeZ+Ws8HGeZfJkZi3Ea/lo6bRPIp
+XLWXT9bEppiXcWEsQjM1OYGfiqAsPqHLQYmx3QlNndM4/lkMpXScaPwVUH5y1dbF
+oPNUrRztB7TpAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUOjSLBeN2WFjEhwSYfX4d
+jKxduU4wHQYDVR0OBBYEFPcg5CWLrv8FdA/4HseZ3PWB0ri3MA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwNQYDVR0fBC4wLDAqoCihJjAk
+BgNVBAMTHUNSTDEgb2YgZGlzdHJpYnV0aW9uUG9pbnQyIENBMA0GCSqGSIb3DQEB
+BQUAA4GBABOac3w495YGcjA+gy3vEom/LJkN4/GNBM/n4qqPQSBLDfO9llCa+Ocg
+MeRH/D/CyKU7r767Zx5WsPTRtu8hysZQF/B2QMg7wrt4iJxD2VLl1gDrWSgIFEYL
+gmkFWj4cnUEWa3yxc+WoAYbFMCp10pGsfIpttb0KqIUYHGBSBNdX
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3A:34:8B:05:E3:76:58:58:C4:87:04:98:7D:7E:1D:8C:AC:5D:B9:4E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0*.(.&0$..U....CRL1 of distributionPoint2 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:94:d4:ed:c7:a8:0e:9d:16:d2:aa:4d:3e:d5:a4:72:af:7f:
+ e7:9e:83:e9:93:a6:92:a3:0e:48:39:60:27:0c:6e:75:4f:e0:
+ 1d:84:89:17:3e:09:85:f8:ac:32:b5:76:76:ab:09:64:95:4e:
+ ef:01:2f:34:69:4e:3d:53:96:7b:05:5e:c9:b4:84:62:a2:06:
+ bd:5f:6e:6f:c8:08:be:8e:d1:4f:33:72:5e:8c:0e:e1:2e:f3:
+ fb:23:7a:3a:34:3e:69:3f:6a:44:e1:a5:fe:cc:5d:60:23:95:
+ a3:48:97:bf:72:dd:2f:ab:fd:59:5c:d2:11:c1:4c:e1:f7:ad:
+ d9:03
+-----BEGIN X509 CRL-----
+MIIBnzCCAQgCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgZzBlMB8GA1UdIwQYMBaAFDo0iwXjdlhY
+xIcEmH1+HYysXblOMAoGA1UdFAQDAgEBMDYGA1UdHAEB/wQsMCqgKKEmMCQGA1UE
+AxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQAD
+gYEAjJTU7ceoDp0W0qpNPtWkcq9/556D6ZOmkqMOSDlgJwxudU/gHYSJFz4Jhfis
+MrV2dqsJZJVO7wEvNGlOPVOWewVeybSEYqIGvV9ub8gIvo7RTzNyXowO4S7z+yN6
+OjQ+aT9qROGl/sxdYCOVo0iXv3LdL6v9WVzSEcFM4fet2QM=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest7.pem
new file mode 100644
index 0000000000..47a6d35e13
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest7.pem
@@ -0,0 +1,120 @@
+subject=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBSzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UECxMVZGlzdHJpYnV0
+aW9uUG9pbnQyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs1jD9UP9Z
+XFXO9pXlwQaq3g11cXEADTlDc+W2RuUiBJXRjOhbt9pBqMwI7EhS41KMALd8ISna
+SAp5DDvmtp2z4X95eoizwZ9O5vtIw6XA7d5EwFr2c89INmIXFw2OA0K2Xj9K7eKK
+u95rUFjJM7qfZueTDyR8/qrUEUUhq+7gtQIDAQABo3wwejAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUOjSLBeN2WFjEhwSYfX4djKxd
+uU4wDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMagar2d/lP05a6g8iDgAc4i
+8GOkbbNIOguMdW9fwv9DvIJyDO/ruRnKgZJdY9osVBqR8pVP1qErhwboe+dIBgLA
+p1yRVbcPKEd/1xXrFhjoH9Wlp6CK6Al0LIJ7iQMoufcUzay6Bux5caNEH06+BnJF
+nhKgwK6jkVuYAf9HHtVh
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid distributionPoint EE Certificate Test7
+issuer=/C=US/O=Test Certificates/OU=distributionPoint2 CA
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAnygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAsTFWRpc3RyaWJ1dGlv
+blBvaW50MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgZGlzdHJpYnV0aW9uUG9pbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALJkqBgeil9P1aDGKnKT8h4pjVxykFCh
+VM/tAU8+60Q16CRQ9Bt/7EPt0Qt/mRgxeP51SDX2Sw37dE2Y6aTbGufnxaQbYQIr
+Xt4tEbUHKCx5cTIkR+rQh14970HAccLfsu8j21u+852qqsnXm1liCdwTw20NwfO/
+avIK1efcgtyvAgMBAAGjgfMwgfAwHwYDVR0jBBgwFoAUOjSLBeN2WFjEhwSYfX4d
+jKxduU4wHQYDVR0OBBYEFJFcO0xfyRIlKoio1BzAWLtkBu01MA4GA1UdDwEB/wQE
+AwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwgYQGA1UdHwR9MHsweaB3oHWk
+czBxMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAc
+BgNVBAsTFWRpc3RyaWJ1dGlvblBvaW50MiBDQTEmMCQGA1UEAxMdQ1JMMSBvZiBk
+aXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQADgYEAOPu/fA1dLP+t
+SF2JNufkHRN+2SvhsqtuOTvh/uFByRS+H2bLFMaB2IJQwkCidQ53kf8LNb6iNRtj
+hjVosG5KpEvqx70cRcUSp15fcdMDrjz2tAgiq58Eq/8DgYa+ml+CVRBx1Y6KHsyn
+eeXXuCv+DmdYkhXefbSyXe2lUsCiuR0=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=distributionPoint2 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3A:34:8B:05:E3:76:58:58:C4:87:04:98:7D:7E:1D:8C:AC:5D:B9:4E
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0*.(.&0$..U....CRL1 of distributionPoint2 CA
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 8c:94:d4:ed:c7:a8:0e:9d:16:d2:aa:4d:3e:d5:a4:72:af:7f:
+ e7:9e:83:e9:93:a6:92:a3:0e:48:39:60:27:0c:6e:75:4f:e0:
+ 1d:84:89:17:3e:09:85:f8:ac:32:b5:76:76:ab:09:64:95:4e:
+ ef:01:2f:34:69:4e:3d:53:96:7b:05:5e:c9:b4:84:62:a2:06:
+ bd:5f:6e:6f:c8:08:be:8e:d1:4f:33:72:5e:8c:0e:e1:2e:f3:
+ fb:23:7a:3a:34:3e:69:3f:6a:44:e1:a5:fe:cc:5d:60:23:95:
+ a3:48:97:bf:72:dd:2f:ab:fd:59:5c:d2:11:c1:4c:e1:f7:ad:
+ d9:03
+-----BEGIN X509 CRL-----
+MIIBnzCCAQgCAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMR4wHAYDVQQLExVkaXN0cmlidXRpb25Qb2lu
+dDIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowIjAgAgECFw0wMTA0
+MTkxNDU3MjBaMAwwCgYDVR0VBAMKAQGgZzBlMB8GA1UdIwQYMBaAFDo0iwXjdlhY
+xIcEmH1+HYysXblOMAoGA1UdFAQDAgEBMDYGA1UdHAEB/wQsMCqgKKEmMCQGA1UE
+AxMdQ1JMMSBvZiBkaXN0cmlidXRpb25Qb2ludDIgQ0EwDQYJKoZIhvcNAQEFBQAD
+gYEAjJTU7ceoDp0W0qpNPtWkcq9/556D6ZOmkqMOSDlgJwxudU/gHYSJFz4Jhfis
+MrV2dqsJZJVO7wEvNGlOPVOWewVeybSEYqIGvV9ub8gIvo7RTzNyXowO4S7z+yN6
+OjQ+aT9qROGl/sxdYCOVo0iXv3LdL6v9WVzSEcFM4fet2QM=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem
new file mode 100644
index 0000000000..eff7ceaf28
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=Valid inhibitAnyPolicy EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kwIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXzELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTQwMgYDVQQDEytW
+YWxpZCBpbmhpYml0QW55UG9saWN5IEVFIENlcnRpZmljYXRlIFRlc3QyMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8K1Na64KAEx4DG90CIYdXjn9QXftZ/JmM
+hJ7HZotijcxTLAJ3Sz0718AcEoSXtaXQlkw/PDRF6WOd0BjcLM6qzWEkQTWBWyW2
+EOBRbJ8UY8XRijBsOG7ay1rZEV4bomd/6xnNG6TznXujwmBXQZDp2Voyil8OgJiv
+uf+gY0BrnQIDAQABo3MwcTAfBgNVHSMEGDAWgBSdQJhgCObI/VzR2C8L6gDsGkUG
+zzAdBgNVHQ4EFgQUutY+X7TkU+FzLalrhov3rioWEiYwDgYDVR0PAQH/BAQDAgTw
+MB8GA1UdIAQYMBYwBgYEVR0gADAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUA
+A4GBAK2mBSjdik46DSR2Cn9O53Wk3uL54jZEHmH1jLi8eD7zxOU8eE23HWch+P9w
+swVaUJ4SqZfrgpV4+IJ72AMPGXKnAEn633uoNXbe8KFErSzMe3p+fFI4iKt2tMdG
+yPprehhYqGlG4KK5IHzgqcsfYZc989GcPE+Z679GnioPK8Mk
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBOzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTAgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALXCzoaXAEbX
+pgMPDk3SCu2nzrt+I18MsI4lg/0oLjQAgPsD0np8LOGHMzo3UBtfJtpV0BXCc+E+
++Ni+ehXFWfA4BXjFc3GdUdJmn7y3F9X7XSIauTE1GSYR2+bMW/IRbmjpMDzldmRs
+WNb40N+jWAxw1h+YN61Pv0MD7Ef2ds0NAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFJ1AmGAI5sj9XNHYLwvqAOwa
+RQbPMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEAMA0GCSqG
+SIb3DQEBBQUAA4GBALhhUDb9VolIM2bKpbpat4dNjGrkOmVT/HvGBl+FGwSXa7Mj
+cLgZ3WygZ9gil3l7X+wL7lM9zKpXljV5WNpX+58RclQ2kK7Yk4qcY0tpPEUn8R4/
+9yg64Nferl/2gn9W79ODU3BiBFF/GiAJJ4SiwvLWl/JnPDoQuJv67IS24+Oa
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:40:98:60:08:E6:C8:FD:5C:D1:D8:2F:0B:EA:00:EC:1A:45:06:CF
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 60:ab:a2:8a:e3:22:04:cb:95:4a:c5:ca:68:46:70:0a:d0:31:
+ b0:98:cc:ad:4b:23:8c:3e:fc:b4:c7:7a:93:0d:6a:31:68:c4:
+ ff:30:37:7b:5c:48:01:6d:e1:85:f7:d0:9b:73:53:ca:62:36:
+ 00:5c:29:c8:af:a6:40:62:d5:f5:af:32:a9:4a:b6:a2:a7:0b:
+ cb:bb:72:2e:3e:0b:77:64:17:8d:2d:59:2f:fc:cf:2f:1f:a6:
+ 77:83:9a:7c:68:b0:15:f6:5a:63:67:74:b2:3a:fa:74:b8:d3:
+ a9:70:e6:87:04:bc:4c:79:ef:c8:b4:31:70:17:ae:f3:ef:ae:
+ 7a:3b
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kw
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBSdQJhgCObI/VzR2C8L6gDsGkUGzzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQBgq6KK4yIEy5VKxcpoRnAK0DGwmMytSyOMPvy0x3qTDWoxaMT/MDd7XEgB
+beGF99Cbc1PKYjYAXCnIr6ZAYtX1rzKpSraipwvLu3IuPgt3ZBeNLVkv/M8vH6Z3
+g5p8aLAV9lpjZ3SyOvp0uNOpcOaHBLxMee/ItDFwF67z7656Ow==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest2.pem
new file mode 100644
index 0000000000..c9e23ce0b8
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest2.pem
@@ -0,0 +1,162 @@
+subject=/C=US/O=Test Certificates/CN=Valid inhibitPolicyMapping EE Certificate Test2
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBjMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+ODA2BgNVBAMTL1ZhbGlkIGluaGliaXRQb2xpY3lNYXBwaW5nIEVFIENlcnRpZmlj
+YXRlIFRlc3QyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZweShwVjs1qka
+nqPGQOLGlctQ3TXgy/mxMNF5iCtHOwRF1KCW1OU9KloQ3r6+OfgzcZN+flBVpI3e
+jyjOMjfcTTb30YkOQneX5WBmDbG0hNh6eMeguoRuUhkdFGqXR/vCRpMZm54bw85o
+6PrFmUwLluXwBGGzX7qaD0h2mpzycQIDAQABo2swaTAfBgNVHSMEGDAWgBQXeoow
+BvbqXDZADa7Yn7+5vYLMUjAdBgNVHQ4EFgQUGa+XGGh0cFuvb54Rblg0NuJV0T4w
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAzANBgkqhkiG
+9w0BAQUFAAOBgQCtpBN+M2QdihGfroUS+K93c6X4n5STm0IwsSvGEpOHX2tjLKqr
+WGurbAH8XvIJEsO4wlA6NOHbFEYmSYX1otlMNDKu3vQVTDEB7RJWA04YsUuS4BNA
+B+scXAJEWbvQdkoGh5U+aOmX8yST+HWIbW6XgKQmA3qiO4LsJgdmEDB8xw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpjCCAg+gAwIBAgIBODANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxMiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+s4T6CQeTrbqUSlSczfx8iMSRK4ip9F4liS7giqCrZeZYEuP+/XoRZKzqmT3G+io6
+zcenL7cegP9DJnTNuZ1nHEoeJTlhQZq00PD1n33OMK0zhMIirByYBpabztuw1dJ0
+MKKcRzJ1AswgccI8seh2W1FXdFo/vGkDOkcD21Se0XUCAwEAAaOBnzCBnDAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUj3Ywg1+jhUuQ
+FB4GBHs3AQUgJmYwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUD
+AgEwATAMBgpghkgBZQMCATACMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgw
+BoABAIEBATANBgkqhkiG9w0BAQUFAAOBgQCXSeQ5mEkpmqCHstAZJbAGVSNrj3ka
+eA0k2v+n7vDeZ+9F8bByDiBBz3RMTqmdZxQ6zroOPsw66HLxv5D7oJImbhyvFrnN
+uxPGh8hvvP67N7UT9cM0RAoIQHmoI+3+o9cqOnTIJWXXPyq5q08yTrUt1lzFyrcK
+wGB7PyQXRRDWjA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH2luaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBAMX6LszkJcSryGVxfI4egJDv3zFztB0M+jGHKEc8
+uPkbpVlPSjM2LWqUOks/C1q34lfaC6J5O+V3/DmN7GjLpJmdjBDn7k/aqGeE7XHR
+Wns707M/rcEWxPP/ErMQNIsqSkvy92GtwuaG7wsY4a+KyB0YCdqikJr6oK2Cvhwf
+LmC1AgMBAAGjgc0wgcowHwYDVR0jBBgwFoAUj3Ywg1+jhUuQFB4GBHs3AQUgJmYw
+HQYDVR0OBBYEFBd6ijAG9upcNkANrtifv7m9gsxSMA4GA1UdDwEB/wQEAwIBBjAl
+BgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBABgNVHSEBAf8E
+NjA0MBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAMwGAYKYIZIAWUDAgEwAgYKYIZI
+AWUDAgEwBDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAE3ZflJR
+6b/Pwip7bO1ZIkiym+8uTzlT5nx3CF4P5Yyhje4VKVqoAOdljbZoaL5x1Zdd733W
+MxbQk/QP+wziLjZJlnqX+lSxg4wUiSU6mGtDJ1rPwMsbiiVBld7iP5JhFAWoTg0b
+XJ0ZSTHABPtNeMg2desSHwfh2I5WtX3hpXwE
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8F:76:30:83:5F:A3:85:4B:90:14:1E:06:04:7B:37:01:05:20:26:66
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1f:20:b6:9f:f6:68:a0:22:5f:24:73:c0:ac:bc:8b:05:86:58:
+ 7b:97:ad:38:8e:70:61:7c:17:9d:38:21:06:0a:72:b5:41:3c:
+ b6:9a:93:77:6f:e3:15:e6:06:74:67:90:b1:95:56:f2:be:52:
+ 21:6a:de:f7:bf:d9:2c:12:11:9d:dc:f9:ba:46:f9:92:24:75:
+ ef:83:af:a2:8b:3a:79:da:ca:c5:72:a4:7b:19:e1:a2:f7:02:
+ 18:92:eb:a6:1b:74:bc:ba:62:51:d6:9f:69:af:20:34:3d:43:
+ 08:e7:15:da:75:79:b7:81:6e:ae:95:08:cb:7d:e0:3a:50:7e:
+ c1:7e
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFI92MINfo4VLkBQeBgR7NwEFICZmMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAB8gtp/2aKAiXyRzwKy8iwWGWHuXrTiOcGF8F504IQYKcrVB
+PLaak3dv4xXmBnRnkLGVVvK+UiFq3ve/2SwSEZ3c+bpG+ZIkde+Dr6KLOnnaysVy
+pHsZ4aL3AhiS66YbdLy6YlHWn2mvIDQ9QwjnFdp1ebeBbq6VCMt94DpQfsF+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:17:7A:8A:30:06:F6:EA:5C:36:40:0D:AE:D8:9F:BF:B9:BD:82:CC:52
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 01:73:17:d4:24:e8:3a:79:6d:9c:a4:96:74:fd:60:fa:65:82:
+ c6:0a:26:9c:64:d6:f8:c5:01:8e:ce:70:b2:a4:1a:a0:1c:41:
+ df:1e:a2:36:1b:4f:2d:56:6f:ef:e2:fb:e7:84:d3:aa:0c:08:
+ 04:44:67:57:88:8b:34:b1:74:8c:57:96:9b:e2:b7:dc:2e:d4:
+ a3:05:41:bb:24:fa:be:2c:a4:cf:be:0a:aa:8d:64:ff:6f:ee:
+ e1:24:c8:06:8e:15:fb:fd:19:fe:92:d6:55:84:ae:71:58:2c:
+ 6a:65:53:34:39:20:43:1a:5b:20:41:81:00:6c:5c:10:25:b0:
+ 3f:f3
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFBd6ijAG9upcNkANrtifv7m9gsxSMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAAFzF9Qk6Dp5bZyklnT9YPplgsYKJpxk1vjFAY7OcLKk
+GqAcQd8eojYbTy1Wb+/i++eE06oMCAREZ1eIizSxdIxXlpvit9wu1KMFQbsk+r4s
+pM++CqqNZP9v7uEkyAaOFfv9Gf6S1lWErnFYLGplUzQ5IEMaWyBBgQBsXBAlsD/z
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest4.pem
new file mode 100644
index 0000000000..21d384e81c
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest4.pem
@@ -0,0 +1,216 @@
+subject=/C=US/O=Test Certificates/CN=Valid inhibitPolicyMapping EE Certificate Test4
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+-----BEGIN CERTIFICATE-----
+MIICmjCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3Vic3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5
+MTQ1NzIwWjBjMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0
+ZXMxODA2BgNVBAMTL1ZhbGlkIGluaGliaXRQb2xpY3lNYXBwaW5nIEVFIENlcnRp
+ZmljYXRlIFRlc3Q0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMMwNGdAJ0
+vncWniYOninmdOvqbWTU+G3jPbZ4uJULmhWBvap0Hpq8RSJZ8wprenFgK2/epICj
+uFtJZyEtG/3A8PZ3IHYNkWv7srclGdUlotObulycoDHBn9LXI+i/CvUNGvFJldlm
+kQOxqy1Qhto5Gj7cVWa4HiEYfx+7HJPR2QIDAQABo2swaTAfBgNVHSMEGDAWgBRa
+k0vvlp6uPkMWJqQYHnmLouabITAdBgNVHQ4EFgQUFgpn09iEBzTYWYmTqi0RWeEt
+CfYwDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwBDANBgkq
+hkiG9w0BAQUFAAOBgQCCP6oScMpFs5Ak3jAfJkXhwpzciLdF1Mtq/SO8auu0mZ6a
+CfrKh6JL5kshzKbZFbRYqkIidQNW42Iv4et3yLhWZvSVoYkP+EAg0dMs9/Arw2C1
+pqRc5a2mgi1G182TWgEh9rMZDvYPdD+FrzZU55bLtSlt9L8o9y9vz6+dE2MrLQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICpjCCAg+gAwIBAgIBODANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFAxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczElMCMGA1UEAxMcaW5oaWJpdFBv
+bGljeU1hcHBpbmcxIFAxMiBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+s4T6CQeTrbqUSlSczfx8iMSRK4ip9F4liS7giqCrZeZYEuP+/XoRZKzqmT3G+io6
+zcenL7cegP9DJnTNuZ1nHEoeJTlhQZq00PD1n33OMK0zhMIirByYBpabztuw1dJ0
+MKKcRzJ1AswgccI8seh2W1FXdFo/vGkDOkcD21Se0XUCAwEAAaOBnzCBnDAfBgNV
+HSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUj3Ywg1+jhUuQ
+FB4GBHs3AQUgJmYwDgYDVR0PAQH/BAQDAgEGMCUGA1UdIAQeMBwwDAYKYIZIAWUD
+AgEwATAMBgpghkgBZQMCATACMA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0kAQH/BAgw
+BoABAIEBATANBgkqhkiG9w0BAQUFAAOBgQCXSeQ5mEkpmqCHstAZJbAGVSNrj3ka
+eA0k2v+n7vDeZ+9F8bByDiBBz3RMTqmdZxQ6zroOPsw66HLxv5D7oJImbhyvFrnN
+uxPGh8hvvP67N7UT9cM0RAoIQHmoI+3+o9cqOnTIJWXXPyq5q08yTrUt1lzFyrcK
+wGB7PyQXRRDWjA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgc3ViQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1
+NzIwWjBWMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMx
+KzApBgNVBAMTImluaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3Vic3ViQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJiRgbTlXD7Tr33rE8bkM1fLhA/0RcC0
+n6UIcVb6xSELqRqVIpXK2C038i/3Ta6+eoiCdjT6kvQwsM9uMBJnB7uePzDzpkSE
+G3Php6MSbnAO+6LPrGFBJ0LNo6yXvsV3HQ1Uwh8iND8Yt37obPJ05PzfU6hSnMgV
+47YDMrmE5h+5AgMBAAGjgbMwgbAwHwYDVR0jBBgwFoAUF3qKMAb26lw2QA2u2J+/
+ub2CzFIwHQYDVR0OBBYEFFqTS++Wnq4+QxYmpBgeeYui5pshMA4GA1UdDwEB/wQE
+AwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAMwDAYKYIZIAWUDAgEwBDAmBgNV
+HSEBAf8EHDAaMBgGCmCGSAFlAwIBMAMGCmCGSAFlAwIBMAUwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOBgQCh/ZM7m2L0OxzF6RXxeVUhY5xlTjRO0HGd
+0xOnDkOesSYfCI4gUflMo6/T9Ot67Vnb9mgzwWSEXB6g2R22/3DVR1ord/UgZFKe
+w4llbMnwRS5e3zjqLGsLeWk2ZdyjoD2vmKiFBiX+rlHvaLk+5xYcGEfOupTVqWMO
+OHuz9iinWQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+issuer=/C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xp
+Y3lNYXBwaW5nMSBQMTIgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw
+WjBTMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAm
+BgNVBAMTH2luaGliaXRQb2xpY3lNYXBwaW5nMSBQMTIgc3ViQ0EwgZ8wDQYJKoZI
+hvcNAQEBBQADgY0AMIGJAoGBAMX6LszkJcSryGVxfI4egJDv3zFztB0M+jGHKEc8
+uPkbpVlPSjM2LWqUOks/C1q34lfaC6J5O+V3/DmN7GjLpJmdjBDn7k/aqGeE7XHR
+Wns707M/rcEWxPP/ErMQNIsqSkvy92GtwuaG7wsY4a+KyB0YCdqikJr6oK2Cvhwf
+LmC1AgMBAAGjgc0wgcowHwYDVR0jBBgwFoAUj3Ywg1+jhUuQFB4GBHs3AQUgJmYw
+HQYDVR0OBBYEFBd6ijAG9upcNkANrtifv7m9gsxSMA4GA1UdDwEB/wQEAwIBBjAl
+BgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBABgNVHSEBAf8E
+NjA0MBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAMwGAYKYIZIAWUDAgEwAgYKYIZI
+AWUDAgEwBDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAE3ZflJR
+6b/Pwip7bO1ZIkiym+8uTzlT5nx3CF4P5Yyhje4VKVqoAOdljbZoaL5x1Zdd733W
+MxbQk/QP+wziLjZJlnqX+lSxg4wUiSU6mGtDJ1rPwMsbiiVBld7iP5JhFAWoTg0b
+XJ0ZSTHABPtNeMg2desSHwfh2I5WtX3hpXwE
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:8F:76:30:83:5F:A3:85:4B:90:14:1E:06:04:7B:37:01:05:20:26:66
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 1f:20:b6:9f:f6:68:a0:22:5f:24:73:c0:ac:bc:8b:05:86:58:
+ 7b:97:ad:38:8e:70:61:7c:17:9d:38:21:06:0a:72:b5:41:3c:
+ b6:9a:93:77:6f:e3:15:e6:06:74:67:90:b1:95:56:f2:be:52:
+ 21:6a:de:f7:bf:d9:2c:12:11:9d:dc:f9:ba:46:f9:92:24:75:
+ ef:83:af:a2:8b:3a:79:da:ca:c5:72:a4:7b:19:e1:a2:f7:02:
+ 18:92:eb:a6:1b:74:bc:ba:62:51:d6:9f:69:af:20:34:3d:43:
+ 08:e7:15:da:75:79:b7:81:6e:ae:95:08:cb:7d:e0:3a:50:7e:
+ c1:7e
+-----BEGIN X509 CRL-----
+MIIBSTCBswIBATANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJTAjBgNVBAMTHGluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8G
+A1UdIwQYMBaAFI92MINfo4VLkBQeBgR7NwEFICZmMAoGA1UdFAQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAB8gtp/2aKAiXyRzwKy8iwWGWHuXrTiOcGF8F504IQYKcrVB
+PLaak3dv4xXmBnRnkLGVVvK+UiFq3ve/2SwSEZ3c+bpG+ZIkde+Dr6KLOnnaysVy
+pHsZ4aL3AhiS66YbdLy6YlHWn2mvIDQ9QwjnFdp1ebeBbq6VCMt94DpQfsF+
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:17:7A:8A:30:06:F6:EA:5C:36:40:0D:AE:D8:9F:BF:B9:BD:82:CC:52
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 01:73:17:d4:24:e8:3a:79:6d:9c:a4:96:74:fd:60:fa:65:82:
+ c6:0a:26:9c:64:d6:f8:c5:01:8e:ce:70:b2:a4:1a:a0:1c:41:
+ df:1e:a2:36:1b:4f:2d:56:6f:ef:e2:fb:e7:84:d3:aa:0c:08:
+ 04:44:67:57:88:8b:34:b1:74:8c:57:96:9b:e2:b7:dc:2e:d4:
+ a3:05:41:bb:24:fa:be:2c:a4:cf:be:0a:aa:8d:64:ff:6f:ee:
+ e1:24:c8:06:8e:15:fb:fd:19:fe:92:d6:55:84:ae:71:58:2c:
+ 6a:65:53:34:39:20:43:1a:5b:20:41:81:00:6c:5c:10:25:b0:
+ 3f:f3
+-----BEGIN X509 CRL-----
+MIIBTDCBtgIBATANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKDAmBgNVBAMTH2luaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAt
+MB8GA1UdIwQYMBaAFBd6ijAG9upcNkANrtifv7m9gsxSMAoGA1UdFAQDAgEBMA0G
+CSqGSIb3DQEBBQUAA4GBAAFzF9Qk6Dp5bZyklnT9YPplgsYKJpxk1vjFAY7OcLKk
+GqAcQd8eojYbTy1Wb+/i++eE06oMCAREZ1eIizSxdIxXlpvit9wu1KMFQbsk+r4s
+pM++CqqNZP9v7uEkyAaOFfv9Gf6S1lWErnFYLGplUzQ5IEMaWyBBgQBsXBAlsD/z
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitPolicyMapping1 P12 subsubCA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:5A:93:4B:EF:96:9E:AE:3E:43:16:26:A4:18:1E:79:8B:A2:E6:9B:21
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 64:90:80:33:7a:e3:e8:e4:66:09:4e:4d:1d:ae:cb:f4:f5:b2:
+ ea:4d:48:24:be:04:8f:39:9e:c1:da:6c:14:fa:0a:a5:be:47:
+ 84:19:27:c0:3e:15:ab:18:78:71:0e:93:e7:6e:c8:05:ea:f2:
+ bd:c3:7b:fc:52:04:be:fc:b2:22:80:81:35:b3:ab:57:7b:23:
+ ca:39:66:ed:47:19:cd:1f:2c:ab:14:4a:28:5d:23:ab:24:7b:
+ e3:51:bb:78:79:05:20:25:ff:13:4f:c5:d1:2c:e1:67:b3:e4:
+ 29:35:2b:1c:5e:aa:01:17:aa:49:bb:04:66:52:a3:1a:7c:0b:
+ f5:57
+-----BEGIN X509 CRL-----
+MIIBTzCBuQIBATANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKzApBgNVBAMTImluaGliaXRQb2xpY3lNYXBw
+aW5nMSBQMTIgc3Vic3ViQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqg
+LzAtMB8GA1UdIwQYMBaAFFqTS++Wnq4+QxYmpBgeeYui5pshMAoGA1UdFAQDAgEB
+MA0GCSqGSIb3DQEBBQUAA4GBAGSQgDN64+jkZglOTR2uy/T1supNSCS+BI85nsHa
+bBT6CqW+R4QZJ8A+FasYeHEOk+duyAXq8r3De/xSBL78siKAgTWzq1d7I8o5Zu1H
+Gc0fLKsUSihdI6ske+NRu3h5BSAl/xNPxdEs4Wez5Ck1KxxeqgEXqkm7BGZSoxp8
+C/VX
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidkeyUsageNotCriticalTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidkeyUsageNotCriticalTest3.pem
new file mode 100644
index 0000000000..3183499812
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidkeyUsageNotCriticalTest3.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=keyUsage Not Critical CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICezCCAeSgAwIBAgIBHzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEwxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEhMB8GA1UEAxMYa2V5VXNhZ2Ug
+Tm90IENyaXRpY2FsIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYlAJy
+nnvLn2glPjCkqnWzCC/bxT/ypoeW3spfvzi+AQuwM+d/bNL1ZouAnps7JPpf4VHp
+ZvSGjeCgLpCvDjnUP6tG/hkQBm8CS9vaqg/65FoI/MpSMHXmVJ9CgUjOkjHp1g47
+2AYniw5lRztaH2tCN25WqZFzar+vdhQG2ZkJNQIDAQABo3kwdzAfBgNVHSMEGDAW
+gBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUzyqhpf1C4jO8MypNmHOz
+2PtVvNgwCwYDVR0PBAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNV
+HRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKS4oBKhFhU5vxr4Z547N5er
+YrYR5JU75QnGUZjv7JYCXydlJVuvIhZptrzG/wevhz2VgNSbk/wp8Uw+ra3eqqlq
+QjVFQukh0F4GKMBaiFZ1HUEGILLIpeEq0Pn70Q8EE0H1RsweW1P30qaXZE9050m4
+7h+is62/EaaT31RpTb+G
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid keyUsage Not Critical EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=keyUsage Not Critical CA
+-----BEGIN CERTIFICATE-----
+MIICkTCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGtleVVzYWdlIE5v
+dCBDcml0aWNhbCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UE
+AxMwVmFsaWQga2V5VXNhZ2UgTm90IENyaXRpY2FsIEVFIENlcnRpZmljYXRlIFRl
+c3QzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQifnsA6fOmILXLNZeSJEf
+D8ON1YDI4FjDmGqG8Ob1ITgAWPfxJcWgQXqRwzn/1NXj0faYKeVA5j6VZxSCP7Dz
+D6ZCeGxjgcF1lNF2dqZh268sSsW3ZiesNQ+wG9zaF8YNWvL8iqICgMrjVqdiFbiD
+X8N15gROcCA0lPuKiqlJlwIDAQABo2swaTAfBgNVHSMEGDAWgBTPKqGl/ULiM7wz
+Kk2Yc7PY+1W82DAdBgNVHQ4EFgQUHw6xfNRi0j5jpx9vVSQlS+45UuUwDgYDVR0P
+AQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUF
+AAOBgQADtx2GVXZR3dxm4aGGrvmtdkDkj/20o+75/jzMHss7prirQQdShNtqL02F
+TL2y/PWCf6QbDQgcakwPDez60a7reZ02JKUtwKCa4VJf86gy3BDKKhm+msihYgCj
+ZzkYwS9CoF3dRup5ySq6dvAU6gVzPRJZKOf3MIM/3Vo9hUtmVg==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=keyUsage Not Critical CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:CF:2A:A1:A5:FD:42:E2:33:BC:33:2A:4D:98:73:B3:D8:FB:55:BC:D8
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 3a:4d:11:cb:3c:14:7e:17:ec:4f:14:72:47:1e:98:fe:ba:02:
+ 2c:79:4d:2f:5d:e8:71:fa:35:d3:7f:26:b5:27:1b:23:c0:12:
+ 8d:c5:9c:f7:e1:96:71:d5:7c:6a:e4:40:ed:7d:46:28:a1:91:
+ 99:ab:75:2b:61:a5:c5:4b:d1:63:10:bb:95:bb:4c:ee:a0:8a:
+ 8e:d6:65:14:3c:86:f2:11:8b:0c:4d:6a:3d:e1:a9:e6:12:28:
+ 69:87:1b:eb:e4:9e:d1:45:5c:dd:2b:2f:6e:55:72:e2:69:cd:
+ 88:84:b1:c5:5e:86:44:10:4f:ce:ab:a4:b3:ed:c7:03:58:84:
+ 84:cc
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGtleVVzYWdlIE5vdCBDcml0
+aWNhbCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUzyqhpf1C4jO8MypNmHOz2PtVvNgwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAOk0RyzwUfhfsTxRyRx6Y/roCLHlNL13ocfo1038mtScbI8ASjcWc
+9+GWcdV8auRA7X1GKKGRmat1K2GlxUvRYxC7lbtM7qCKjtZlFDyG8hGLDE1qPeGp
+5hIoaYcb6+Se0UVc3SsvblVy4mnNiISxxV6GRBBPzquks+3HA1iEhMw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlyContainsCACertsCRLTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlyContainsCACertsCRLTest13.pem
new file mode 100644
index 0000000000..fc640e8409
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlyContainsCACertsCRLTest13.pem
@@ -0,0 +1,112 @@
+subject=/C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfDCCAeWgAwIBAgIBTjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWb25seUNvbnRh
+aW5zQ0FDZXJ0cyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqP8z3Y0v
+UCVXIVXCpbr+dcdoZFi0UZQPvl77hqqVORSs9FefV5mTeuoDDfhtUYa+O6Wzh2v/
+Yzv1MzPQzePG3eho/6CLs4pzqVWZDzYTG6OXubjPvYT10WykqfaWuivcn5YxbHuA
+cRitNsBAvY1Nq/kPDtsPJz1t5+PDRVO64gsCAwEAAaN8MHowHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFPOhB0Zne+mPWavrVYaTyKzk
+VbcYMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQDGkMUjQFfto4SQpRJ2fAeU
+qXp2dn4kt+s/ITPOIykUFaybQ6eaGRcWN4kTi7IufbSeI7lmaa4SC+bq14tfSf/w
+gJSpwu58pIbPHKN0IgB+9S8eRS8wmB4HcBflmNZz/NX6wJzwJt15ZC+gek+eZGUw
+Qck6L9wt5i1wMFyRwBmAHQ==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid onlyContainsCACerts EE Certificate Test13
+issuer=/C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+-----BEGIN CERTIFICATE-----
+MIICnzCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm9ubHlDb250YWlu
+c0NBQ2VydHMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBjMQsw
+CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxODA2BgNVBAMT
+L1ZhbGlkIG9ubHlDb250YWluc0NBQ2VydHMgRUUgQ2VydGlmaWNhdGUgVGVzdDEz
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCleZwZx1DWjtQUI6sccnzSSv3J
+scTabLlHXVLbXj57OzT/9XuVVLkRe6ZB95/CCO8YM/bYdtmJEwtT3S7J7jaSI1XM
+NBi9E5Uc2y6RXOEZ4dL8LFJjZYIQNbRUgg2o5rtJ55N7Hp/uA5zJYKH9wtNBXAlj
+i0eULWMWi42zHc/w1wIDAQABo3wwejAfBgNVHSMEGDAWgBTzoQdGZ3vpj1mr61WG
+k8is5FW3GDAdBgNVHQ4EFgQUQrE9JN7MpRBHp0VYS792Fg2IxOMwDgYDVR0PAQH/
+BAQDAgH2MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/
+MA0GCSqGSIb3DQEBBQUAA4GBAI7d4izaGul72X3r0YD8tjwHlxMMBg7/4nO6PrJd
++blNKJwn/eqMJdekiTWjl2E+PKS4nBCBSeFeoboUHLnQ/AHevzxnJiEUK7otOXim
+UFRLlktEMASIbfUjiJrkwmL6JxvDXlbmhJNVlXZI6bRfAxi2XXt6o+ZO0VAFlebG
+iga9
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=onlyContainsCACerts CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F3:A1:07:46:67:7B:E9:8F:59:AB:EB:55:86:93:C8:AC:E4:55:B7:18
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0....
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 54:27:ac:fc:b5:7a:93:93:e7:f2:e9:63:f7:52:ad:20:08:4c:
+ 52:08:62:e6:f6:81:71:1d:72:f4:1d:bf:db:06:52:d6:4f:8b:
+ 86:68:4a:ca:01:4a:fd:b9:7e:5d:7a:df:48:67:36:9b:31:12:
+ dd:13:29:b2:8e:b6:ba:c4:20:31:57:4f:7e:c6:d1:3c:0b:e5:
+ 1c:a0:c2:15:c6:09:5b:77:ca:95:37:31:7d:a8:08:4d:ae:60:
+ 4f:3c:b4:ef:92:9d:f1:11:5f:a1:1b:2d:ff:e6:2e:07:88:4e:
+ 2c:88:54:b8:e1:be:4e:6c:22:90:0e:37:0d:b2:8d:61:21:46:
+ 36:29
+-----BEGIN X509 CRL-----
+MIIBVDCBvgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFm9ubHlDb250YWluc0NBQ2Vy
+dHMgQ0EXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgQDA+MB8GA1UdIwQY
+MBaAFPOhB0Zne+mPWavrVYaTyKzkVbcYMAoGA1UdFAQDAgEBMA8GA1UdHAEB/wQF
+MAOCAf8wDQYJKoZIhvcNAQEFBQADgYEAVCes/LV6k5Pn8ulj91KtIAhMUghi5vaB
+cR1y9B2/2wZS1k+LhmhKygFK/bl+XXrfSGc2mzES3RMpso62usQgMVdPfsbRPAvl
+HKDCFcYJW3fKlTcxfagITa5gTzy075Kd8RFfoRst/+YuB4hOLIhUuOG+TmwikA43
+DbKNYSFGNik=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest18.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest18.pem
new file mode 100644
index 0000000000..580d919aa2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest18.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UECxMTb25seVNvbWVS
+ZWFzb25zIENBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApawx8YRMPlMQ
+024rS3sld90L6veeiaILQ6LHaLsGJq3VdzR86qrSqOOIC4riSla8gYRwgMxS4ex2
+wjXsRFQbvsG09PcFyRJKJ0NLsY8FiVdShUDwLEohR/cdfL4Z+iCgZdY4iMaILI8a
+MHiBRffd7isOjbgUd8JKQ6DM4ercJksCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFD++QPH3awL7sFnDAKRa4JdUCOkZ
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAzmsqTCqqsyknqgNHYbj4aH461
+hKTEkZRpMSUHjJwKJWFK4fzqdC8DDlCw9rfmNld7RwxcC3/o0J5v3T4KG3C4s9Rr
+eVSmm4Kwvgjmj0tsm0TQbG+B4uLqaFAAmlBTZPYl9ABodUKUP2eKcAL7f98INanN
+/veMciSwQ7N4Ku7Zjw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid onlySomeReasons EE Certificate Test19
+issuer=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAsugAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAsTE29ubHlTb21lUmVh
+c29ucyBDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK1Zh
+bGlkIG9ubHlTb21lUmVhc29ucyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTkwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBANbeMMLH+IhNKpE0W5mNqU1YnGXZjAhFNF7V
+hMVHkKyGO+6oluHVdrzxL4CoonF40mpNZdCyVA39nKEW2HV1KB2OQ2cjjOpS+n6l
+1eds3MeBCa3z1kzPbsqkkTH+hdmkHnn7gsQNElk+mALZXM/UC+kIRlHIWSmR+FvK
++gqFZw3ZAgMBAAGjggFEMIIBQDAfBgNVHSMEGDAWgBQ/vkDx92sC+7BZwwCkWuCX
+VAjpGTAdBgNVHQ4EFgQU31n0/apTtgdLpf3g030Om2i0nuswDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATCB1AYDVR0fBIHMMIHJMGKgXKBa
+pFgwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRww
+GgYDVQQLExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgQIFYDBj
+oFygWqRYMFYxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czEcMBoGA1UECxMTb25seVNvbWVSZWFzb25zIENBNDENMAsGA1UEAxMEQ1JMMoED
+B5+AMA0GCSqGSIb3DQEBBQUAA4GBACKZfydulpOlfYkHfr+kYAFm8mWYkFty5+82
+g7UQ34pUUcNlmXy2LAvyOnFBy9LJGLpfyqbaZYLyspSseZrYTfdEYRdba4FWLwEp
+iCqeyzac+D1Hr7uRFVocXyd1ZUKWhdA0gfkORdmeNO4HjY3D1+y75qjNutoqK9et
+6C9d+9jH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0b.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL1...`
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:c9:cf:ae:6b:51:3a:d8:ee:4f:85:3b:a7:18:30:00:6c:cd:
+ 0f:1a:59:06:50:fd:75:49:44:9a:af:71:a5:74:ca:25:02:e1:
+ fe:c2:0b:15:f4:db:0a:8c:7f:ca:9b:de:cd:bf:1a:2d:3e:10:
+ 1a:a9:4a:9b:a9:64:75:01:1c:dc:26:b2:f6:ab:2f:d2:7b:3d:
+ 01:f6:fb:64:a4:c8:53:65:b2:80:5a:1d:22:e7:3b:9c:12:92:
+ 96:01:0d:74:83:d2:72:c3:a6:34:cb:54:bc:75:c4:34:12:c1:
+ 4e:40:2e:e1:28:d7:ea:6d:c1:9a:4b:80:dc:2d:7c:7c:a5:a7:
+ 28:75
+-----BEGIN X509 CRL-----
+MIIB1zCCAUACAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIGgMIGdMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG4GA1UdHAEB/wRkMGKgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgwIFYDANBgkqhkiG
+9w0BAQUFAAOBgQAMyc+ua1E62O5PhTunGDAAbM0PGlkGUP11SUSar3GldMolAuH+
+wgsV9NsKjH/Km97NvxotPhAaqUqbqWR1ARzcJrL2qy/Sez0B9vtkpMhTZbKAWh0i
+5zucEpKWAQ10g9Jyw6Y0y1S8dcQ0EsFOQC7hKNfqbcGaS4DcLXx8pacodQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0c.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL2.....
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Affiliation Changed
+ Signature Algorithm: sha1WithRSAEncryption
+ 3d:11:d9:b5:4a:98:2e:f6:01:84:ec:e5:d7:d5:20:45:06:18:
+ 19:5e:18:1b:89:27:c3:fc:7a:ea:a7:3e:3d:bc:ff:26:f1:69:
+ 90:73:a1:2f:d6:0e:82:36:1b:f7:98:7d:26:2f:07:86:05:58:
+ b4:5f:ce:84:6d:ef:4a:51:e8:40:4a:51:b2:57:46:b6:76:e1:
+ 8f:0e:b8:03:16:88:72:c3:88:74:74:76:38:1d:44:87:88:c2:
+ a5:ce:34:cb:a9:bf:a1:6f:e9:96:e3:a7:ab:3f:be:a5:60:b2:
+ 4b:e2:bb:f8:1b:84:4e:eb:69:ae:01:f2:5a:e9:78:9d:ac:38:
+ 45:4d
+-----BEGIN X509 CRL-----
+MIIB2DCCAUECAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAxcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEDoIGhMIGeMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG8GA1UdHAEB/wRlMGOgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwygwMHn4AwDQYJKoZI
+hvcNAQEFBQADgYEAPRHZtUqYLvYBhOzl19UgRQYYGV4YG4knw/x66qc+Pbz/JvFp
+kHOhL9YOgjYb95h9Ji8HhgVYtF/OhG3vSlHoQEpRsldGtnbhjw64AxaIcsOIdHR2
+OB1Eh4jCpc40y6m/oW/pluOnqz++pWCyS+K7+BuETutprgHyWul4naw4RU0=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest19.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest19.pem
new file mode 100644
index 0000000000..580d919aa2
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest19.pem
@@ -0,0 +1,167 @@
+subject=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICeTCCAeKgAwIBAgIBUzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEcxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEcMBoGA1UECxMTb25seVNvbWVS
+ZWFzb25zIENBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApawx8YRMPlMQ
+024rS3sld90L6veeiaILQ6LHaLsGJq3VdzR86qrSqOOIC4riSla8gYRwgMxS4ex2
+wjXsRFQbvsG09PcFyRJKJ0NLsY8FiVdShUDwLEohR/cdfL4Z+iCgZdY4iMaILI8a
+MHiBRffd7isOjbgUd8JKQ6DM4ercJksCAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zU
+LYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFD++QPH3awL7sFnDAKRa4JdUCOkZ
+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAzmsqTCqqsyknqgNHYbj4aH461
+hKTEkZRpMSUHjJwKJWFK4fzqdC8DDlCw9rfmNld7RwxcC3/o0J5v3T4KG3C4s9Rr
+eVSmm4Kwvgjmj0tsm0TQbG+B4uLqaFAAmlBTZPYl9ABodUKUP2eKcAL7f98INanN
+/veMciSwQ7N4Ku7Zjw==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid onlySomeReasons EE Certificate Test19
+issuer=/C=US/O=Test Certificates/OU=onlySomeReasons CA4
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAsugAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHDAaBgNVBAsTE29ubHlTb21lUmVh
+c29ucyBDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYD
+VQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK1Zh
+bGlkIG9ubHlTb21lUmVhc29ucyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTkwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBANbeMMLH+IhNKpE0W5mNqU1YnGXZjAhFNF7V
+hMVHkKyGO+6oluHVdrzxL4CoonF40mpNZdCyVA39nKEW2HV1KB2OQ2cjjOpS+n6l
+1eds3MeBCa3z1kzPbsqkkTH+hdmkHnn7gsQNElk+mALZXM/UC+kIRlHIWSmR+FvK
++gqFZw3ZAgMBAAGjggFEMIIBQDAfBgNVHSMEGDAWgBQ/vkDx92sC+7BZwwCkWuCX
+VAjpGTAdBgNVHQ4EFgQU31n0/apTtgdLpf3g030Om2i0nuswDgYDVR0PAQH/BAQD
+AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATCB1AYDVR0fBIHMMIHJMGKgXKBa
+pFgwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRww
+GgYDVQQLExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgQIFYDBj
+oFygWqRYMFYxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czEcMBoGA1UECxMTb25seVNvbWVSZWFzb25zIENBNDENMAsGA1UEAxMEQ1JMMoED
+B5+AMA0GCSqGSIb3DQEBBQUAA4GBACKZfydulpOlfYkHfr+kYAFm8mWYkFty5+82
+g7UQ34pUUcNlmXy2LAvyOnFBy9LJGLpfyqbaZYLyspSseZrYTfdEYRdba4FWLwEp
+iCqeyzac+D1Hr7uRFVocXyd1ZUKWhdA0gfkORdmeNO4HjY3D1+y75qjNutoqK9et
+6C9d+9jH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0b.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL1...`
+Revoked Certificates:
+ Serial Number: 02
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 0c:c9:cf:ae:6b:51:3a:d8:ee:4f:85:3b:a7:18:30:00:6c:cd:
+ 0f:1a:59:06:50:fd:75:49:44:9a:af:71:a5:74:ca:25:02:e1:
+ fe:c2:0b:15:f4:db:0a:8c:7f:ca:9b:de:cd:bf:1a:2d:3e:10:
+ 1a:a9:4a:9b:a9:64:75:01:1c:dc:26:b2:f6:ab:2f:d2:7b:3d:
+ 01:f6:fb:64:a4:c8:53:65:b2:80:5a:1d:22:e7:3b:9c:12:92:
+ 96:01:0d:74:83:d2:72:c3:a6:34:cb:54:bc:75:c4:34:12:c1:
+ 4e:40:2e:e1:28:d7:ea:6d:c1:9a:4b:80:dc:2d:7c:7c:a5:a7:
+ 28:75
+-----BEGIN X509 CRL-----
+MIIB1zCCAUACAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAhcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoIGgMIGdMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG4GA1UdHAEB/wRkMGKgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwxgwIFYDANBgkqhkiG
+9w0BAQUFAAOBgQAMyc+ua1E62O5PhTunGDAAbM0PGlkGUP11SUSar3GldMolAuH+
+wgsV9NsKjH/Km97NvxotPhAaqUqbqWR1ARzcJrL2qy/Sez0B9vtkpMhTZbKAWh0i
+5zucEpKWAQ10g9Jyw6Y0y1S8dcQ0EsFOQC7hKNfqbcGaS4DcLXx8pacodQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/OU=onlySomeReasons CA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:3F:BE:40:F1:F7:6B:02:FB:B0:59:C3:00:A4:5A:E0:97:54:08:E9:19
+
+ X509v3 CRL Number:
+ 1
+ 2.5.29.28: critical
+ 0c.\.Z.X0V1.0...U....US1.0...U.
+..Test Certificates1.0...U....onlySomeReasons CA41 0...U....CRL2.....
+Revoked Certificates:
+ Serial Number: 03
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Affiliation Changed
+ Signature Algorithm: sha1WithRSAEncryption
+ 3d:11:d9:b5:4a:98:2e:f6:01:84:ec:e5:d7:d5:20:45:06:18:
+ 19:5e:18:1b:89:27:c3:fc:7a:ea:a7:3e:3d:bc:ff:26:f1:69:
+ 90:73:a1:2f:d6:0e:82:36:1b:f7:98:7d:26:2f:07:86:05:58:
+ b4:5f:ce:84:6d:ef:4a:51:e8:40:4a:51:b2:57:46:b6:76:e1:
+ 8f:0e:b8:03:16:88:72:c3:88:74:74:76:38:1d:44:87:88:c2:
+ a5:ce:34:cb:a9:bf:a1:6f:e9:96:e3:a7:ab:3f:be:a5:60:b2:
+ 4b:e2:bb:f8:1b:84:4e:eb:69:ae:01:f2:5a:e9:78:9d:ac:38:
+ 45:4d
+-----BEGIN X509 CRL-----
+MIIB2DCCAUECAQEwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCVVMxGjAYBgNV
+BAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQLExNvbmx5U29tZVJlYXNvbnMg
+Q0E0Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMCIwIAIBAxcNMDEwNDE5
+MTQ1NzIwWjAMMAoGA1UdFQQDCgEDoIGhMIGeMB8GA1UdIwQYMBaAFD++QPH3awL7
+sFnDAKRa4JdUCOkZMAoGA1UdFAQDAgEBMG8GA1UdHAEB/wRlMGOgXKBapFgwVjEL
+MAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMRwwGgYDVQQL
+ExNvbmx5U29tZVJlYXNvbnMgQ0E0MQ0wCwYDVQQDEwRDUkwygwMHn4AwDQYJKoZI
+hvcNAQEFBQADgYEAPRHZtUqYLvYBhOzl19UgRQYYGV4YG4knw/x66qc+Pbz/JvFp
+kHOhL9YOgjYb95h9Ji8HhgVYtF/OhG3vSlHoQEpRsldGtnbhjw64AxaIcsOIdHR2
+OB1Eh4jCpc40y6m/oW/pluOnqz++pWCyS+K7+BuETutprgHyWul4naw4RU0=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest13.pem
new file mode 100644
index 0000000000..b183ea4aec
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest13.pem
@@ -0,0 +1,262 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAvfifKseM6a2SLDsRFhGp/REqaFlx95O6qTUy4GtxendIFOtyadcv+Krt
+MtbMq5gpTipTi88pg9PZJgu5WNbNCBTw9a4LVmuK7vW7+qc4vKAiHMx1C36i+M/u
+xAyxABnaB/+3GuTXBVh2UaFyc0y742BlOGiJQec4j12Ympn+/D8CAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFEg0CFSm
+7E/ZmBQh7NRjsSNv7Xk+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBBDANBgkqhkiG9w0BAQUFAAOBgQBH
+GNn47Kmou/bb4DJqEWK0rYy18Luf89VyfaGcLrRx55hJopWTol/7VNHK/PcEcYZR
+FvrRx3+j/FmPw7KdZhr7vswlOw+Al6Izo2NpTdI71n9v0mWk0aMnagaU1/HhVCo0
+MFmjWB6hXagaUlj7PMUGxJhJDLGVxim5OsTKsDyQsA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTQxMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDEkec8+m6bpWo+4WFbIZq5Ex3/ooPS1Ag0V67MSbWUopjA
+ZSFFn1jMVuyJwvVJcWhm60beqAFCWAgdUw39yw1AH1ZjF80S0i7gOs1ecJOgcJlH
+l12ROKtYyawcnvh97Riu5uNhddo7GNP8imgxuTm+KCMgA2Yje/3+s+kkJGrmmQID
+AQABo38wfTAfBgNVHSMEGDAWgBRINAhUpuxP2ZgUIezUY7Ejb+15PjAdBgNVHQ4E
+FgQUxsXdPdf7dENAydCq5aEK1oE0ihEwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAHXkSFfYx3eChLIW3r9jR5s+WkJP7zC2MDwTim6sqK9EEdF8u7jpSM7A
+injU005gD9O+daXiOhdTWtO6tHG5lU4F0pz1/gf6NabgsIZcCY5ihmO0sg9yFw2x
+m9ZtI0lrFDJVVMb2TTzSg2BCk/4WrjCu8lyZKeHb3/MPXrhVI6QI
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid pathLenConstraint EE Certificate Test13
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+-----BEGIN CERTIFICATE-----
+MIIClzCCAgCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJzdWJDQTQxWDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMGExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czE2MDQGA1UEAxMtVmFsaWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlmaWNh
+dGUgVGVzdDEzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt+goZGlfBA+Us
+3gYzg2H1q9xTS0jsUbdAWR+UyFhwlPTu9s29bJOQlgYCeMoZsW60iIbUbQjcq5Uz
+cVH3GuHEdnVZi+2PuExwKCPfJd5AlZLlHF2/rXEitua/1jfZeCG2APIo6Fo6MyRm
+DjXSMXVDa+34SxTNsxmRL5mRkAU14wIDAQABo2swaTAfBgNVHSMEGDAWgBQQleeK
+lnT5PPSbBqlJ88GaP85wHzAdBgNVHQ4EFgQUKiHe+m/ll4aKUr4X5q6GcSIkJkEw
+DgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG
+9w0BAQUFAAOBgQBg1xu2EY6shLYeKkVPx8VQMKHQwihQdDRH5Ehqsrgw5t3hALFO
+PjKZ7qdAOOWJA0Y8HmswJswQ9hYMEPkUdGLcE6ssQLySaRecEK5uW5/fWrs451uq
+5hyC55DEHEaJBbvzzBy4eftZcJrQv+QQTxhBH82+/LT02FkYqfjuUPIYSA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTQxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowVTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSow
+KAYDVQQDEyFwYXRoTGVuQ29uc3RyYWludDYgc3Vic3Vic3ViQ0E0MVgwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALlp+FnExwi/Gj0ZI91kqo4pmnqqOhGFj1B7
+BwwpwPKi9bTS4V7SoF/789+rQvetsKPMvlFqlJxAJDAucVf9IcHun+JONgiIUcLB
+o1x/hhXffJx5AKaTGK3lCSkXqT2ivI8QJNTTjDgv3gvwGg97WVPlbOeZEPbwMzlx
+i4oq4uHXAgMBAAGjfDB6MB8GA1UdIwQYMBaAFMbF3T3X+3RDQMnQquWhCtaBNIoR
+MB0GA1UdDgQWBBQQleeKlnT5PPSbBqlJ88GaP85wHzAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADgYEAuzFHa2SgbDIRvfbqmMe+p2l0M4gJMEc3r2caaovmKgfuVyBl
+n0JdZN2rzlYFV4jZbJ0wa89PzLIDtmptUctcO0DO/P+ofx8uAATdFhL4yMmHkK9L
+XVBrdANbZSBZ+8WXKrnvsJArX0vtQax8znEaTUskMtDe6gjzZsb957dYCCU=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:48:34:08:54:A6:EC:4F:D9:98:14:21:EC:D4:63:B1:23:6F:ED:79:3E
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 7a:5e:e4:e2:af:00:5c:48:3a:c2:36:d1:97:10:66:06:b0:04:
+ 8c:37:8b:96:01:b2:c1:bc:b5:3a:8f:b5:44:05:db:84:2a:85:
+ c1:7c:96:fd:b3:6c:1d:47:69:63:e6:a2:d5:6b:29:76:e2:72:
+ e1:4b:6a:d4:06:22:80:cb:58:0a:39:aa:47:45:a0:84:d0:9d:
+ d4:e5:00:13:71:ef:bb:3b:27:b0:e5:93:cf:b2:05:87:43:8d:
+ bc:a5:7a:50:8f:22:43:48:df:9a:e7:cc:8c:3e:54:fd:16:85:
+ 3e:e9:a2:47:4f:f8:ae:94:85:32:4a:88:94:b7:c4:13:62:11:
+ 6c:b8
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTQXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFEg0CFSm7E/ZmBQh7NRjsSNv7Xk+MAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAHpe5OKvAFxIOsI20ZcQZgawBIw3i5YBssG8tTqPtUQF24QqhcF8
+lv2zbB1HaWPmotVrKXbicuFLatQGIoDLWAo5qkdFoITQndTlABNx77s7J7Dlk8+y
+BYdDjbylelCPIkNI35rnzIw+VP0WhT7pokdP+K6UhTJKiJS3xBNiEWy4
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C6:C5:DD:3D:D7:FB:74:43:40:C9:D0:AA:E5:A1:0A:D6:81:34:8A:11
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0e:71:9b:f6:ad:39:6e:d8:be:f8:b2:87:85:75:4b:35:16:3c:
+ e7:52:48:af:e3:b1:7b:6d:1f:2e:59:59:81:af:cc:88:37:3b:
+ 78:f8:4d:7a:81:e6:6e:23:50:4c:80:f2:e9:d5:cf:79:ce:e8:
+ 9e:f8:c4:82:2b:6f:4a:ab:29:bd:5b:34:57:5f:31:5d:3b:a6:
+ b5:da:8f:57:4b:07:e2:5f:e3:f1:b0:8f:25:92:f2:c6:57:26:
+ 9a:4e:36:d9:c9:6b:37:f3:0f:7d:81:b6:2d:6c:f7:c7:76:d7:
+ 3e:29:67:8b:2e:01:9a:f8:90:2c:53:da:a6:c7:6c:b6:56:09:
+ fb:df
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTQxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBTGxd091/t0Q0DJ0KrloQrWgTSKETAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQAOcZv2rTlu2L74soeFdUs1FjznUkiv47F7bR8uWVmBr8yI
+Nzt4+E16geZuI1BMgPLp1c95zuie+MSCK29Kqym9WzRXXzFdO6a12o9XSwfiX+Px
+sI8lkvLGVyaaTjbZyWs38w99gbYtbPfHdtc+KWeLLgGa+JAsU9qmx2y2Vgn73w==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:10:95:E7:8A:96:74:F9:3C:F4:9B:06:A9:49:F3:C1:9A:3F:CE:70:1F
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 06:af:3f:80:68:02:24:ee:c0:3f:33:5b:62:49:01:cf:ee:87:
+ f7:92:49:33:a2:b1:b0:6c:e7:23:7f:4a:8d:2a:1b:e9:31:fc:
+ 04:49:76:f2:f6:92:d2:b3:32:70:50:71:9f:12:ab:03:6c:2d:
+ a7:0f:81:ef:fb:01:3e:3f:09:b8:df:e8:4e:28:c9:5d:fa:a3:
+ ef:64:db:b9:cb:8f:66:a2:b5:ba:17:f3:05:62:5c:8c:5b:75:
+ f6:7e:54:aa:30:59:0d:50:c1:23:90:c9:91:06:49:1e:bf:23:
+ de:88:c6:7a:39:0e:6e:11:cc:44:44:40:2e:08:82:65:e8:74:
+ 9d:60
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJzdWJDQTQxWBcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUEJXnipZ0+Tz0mwapSfPBmj/OcB8wCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEABq8/gGgCJO7APzNbYkkBz+6H95JJM6KxsGznI39K
+jSob6TH8BEl28vaS0rMycFBxnxKrA2wtpw+B7/sBPj8JuN/oTijJXfqj72TbucuP
+ZqK1uhfzBWJcjFt19n5UqjBZDVDBI5DJkQZJHr8j3ojGejkObhHMRERALgiCZeh0
+nWA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest14.pem
new file mode 100644
index 0000000000..fb615f5434
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest14.pem
@@ -0,0 +1,263 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQ2IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfycd4Ehd
+RlHiRJp0MMk0H94GHYCYxpVEzfiC5V9w2M0NWJotHuHxdTvH02XZquFdQptZI0qZ
+AGeBgE3+FBJAGOK0ZxYJgSyscFWBTLGzFZu2Y09siuEwlr5W4z6iByJpFYsEK0JS
+icx7LPYOYyHmFpmDSdcUXwV59VWlaQn5HQIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUnY+0pLeirrl2tR7LH2QWpXoO
+hUowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKJlZqSQSA4tpA42dNOs
+k5r0RU2BrRu2bPXhSEZHD0o46NJlNTNTfCAus4HtZ6GE1AvTIy3smHPGb1O4jth2
+9hYXVqNHIEIlejhxgSE0trBBT5L5vodq5Pu5qoTWPZ2Uu8pdqRvdmypKr7gI5inp
+Cu6s2eBv0+DeibQTg73sQuTj
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+-----BEGIN CERTIFICATE-----
+MIICizCCAfSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50NiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaME0xCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEiMCAGA1UEAxMZ
+cGF0aExlbkNvbnN0cmFpbnQ2IHN1YkNBNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAvfifKseM6a2SLDsRFhGp/REqaFlx95O6qTUy4GtxendIFOtyadcv+Krt
+MtbMq5gpTipTi88pg9PZJgu5WNbNCBTw9a4LVmuK7vW7+qc4vKAiHMx1C36i+M/u
+xAyxABnaB/+3GuTXBVh2UaFyc0y742BlOGiJQec4j12Ympn+/D8CAwEAAaN/MH0w
+HwYDVR0jBBgwFoAUnY+0pLeirrl2tR7LH2QWpXoOhUowHQYDVR0OBBYEFEg0CFSm
+7E/ZmBQh7NRjsSNv7Xk+MA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCG
+SAFlAwIBMAEwEgYDVR0TAQH/BAgwBgEB/wIBBDANBgkqhkiG9w0BAQUFAAOBgQBH
+GNn47Kmou/bb4DJqEWK0rYy18Luf89VyfaGcLrRx55hJopWTol/7VNHK/PcEcYZR
+FvrRx3+j/FmPw7KdZhr7vswlOw+Al6Izo2NpTdI71n9v0mWk0aMnagaU1/HhVCo0
+MFmjWB6hXagaUlj7PMUGxJhJDLGVxim5OsTKsDyQsA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+-----BEGIN CERTIFICATE-----
+MIICkzCCAfygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJDQTQwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBR
+MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNV
+BAMTHXBhdGhMZW5Db25zdHJhaW50NiBzdWJzdWJDQTQxMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDEkec8+m6bpWo+4WFbIZq5Ex3/ooPS1Ag0V67MSbWUopjA
+ZSFFn1jMVuyJwvVJcWhm60beqAFCWAgdUw39yw1AH1ZjF80S0i7gOs1ecJOgcJlH
+l12ROKtYyawcnvh97Riu5uNhddo7GNP8imgxuTm+KCMgA2Yje/3+s+kkJGrmmQID
+AQABo38wfTAfBgNVHSMEGDAWgBRINAhUpuxP2ZgUIezUY7Ejb+15PjAdBgNVHQ4E
+FgQUxsXdPdf7dENAydCq5aEK1oE0ihEwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQ
+MA4wDAYKYIZIAWUDAgEwATASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEB
+BQUAA4GBAHXkSFfYx3eChLIW3r9jR5s+WkJP7zC2MDwTim6sqK9EEdF8u7jpSM7A
+injU005gD9O+daXiOhdTWtO6tHG5lU4F0pz1/gf6NabgsIZcCY5ihmO0sg9yFw2x
+m9ZtI0lrFDJVVMb2TTzSg2BCk/4WrjCu8lyZKeHb3/MPXrhVI6QI
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+-----BEGIN CERTIFICATE-----
+MIICmDCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJDQTQxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcy
+MFowVTELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSow
+KAYDVQQDEyFwYXRoTGVuQ29uc3RyYWludDYgc3Vic3Vic3ViQ0E0MVgwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALlp+FnExwi/Gj0ZI91kqo4pmnqqOhGFj1B7
+BwwpwPKi9bTS4V7SoF/789+rQvetsKPMvlFqlJxAJDAucVf9IcHun+JONgiIUcLB
+o1x/hhXffJx5AKaTGK3lCSkXqT2ivI8QJNTTjDgv3gvwGg97WVPlbOeZEPbwMzlx
+i4oq4uHXAgMBAAGjfDB6MB8GA1UdIwQYMBaAFMbF3T3X+3RDQMnQquWhCtaBNIoR
+MB0GA1UdDgQWBBQQleeKlnT5PPSbBqlJ88GaP85wHzAOBgNVHQ8BAf8EBAMCAQYw
+FwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQEFBQADgYEAuzFHa2SgbDIRvfbqmMe+p2l0M4gJMEc3r2caaovmKgfuVyBl
+n0JdZN2rzlYFV4jZbJ0wa89PzLIDtmptUctcO0DO/P+ofx8uAATdFhL4yMmHkK9L
+XVBrdANbZSBZ+8WXKrnvsJArX0vtQax8znEaTUskMtDe6gjzZsb957dYCCU=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid pathLenConstraint EE Certificate Test14
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+-----BEGIN CERTIFICATE-----
+MIICqDCCAhGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25z
+dHJhaW50NiBzdWJzdWJzdWJDQTQxWDAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkx
+NDU3MjBaMGExCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRl
+czE2MDQGA1UEAxMtVmFsaWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlmaWNh
+dGUgVGVzdDE0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTcyx/sZXkB7EZ
+X9U9aJCVucbvSK3QXJ38Ej+ZM7agOIkJnMypA0BzQ43FvxbDlx67ynhH3au4nFw9
+niBIPF0hg9LKJBYQDlFhdCPd441gpnEOtT5abklFPScEoi115OUSsoA94VZwjdmz
+rxb5Scji7OZYKtBZumvQ+YxbZGKi9QIDAQABo3wwejAfBgNVHSMEGDAWgBQQleeK
+lnT5PPSbBqlJ88GaP85wHzAdBgNVHQ4EFgQUSa5vCfYgmh0xBcsnTTGEttOhtX0w
+DgYDVR0PAQH/BAQDAgH2MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABdfALk3+cW2GpEztpvr/6wgOkaJ
+ev+/WwDgW5YTiVGbLZRr+5qrxz8Log4b4Y/OYyrwh+J/gmQFP34wHEm4ReZHcfyD
+4k6Ji2dWxqLaocQVROOZ9n+vqSFC63nNE/ZDNnsUErkEQJdX7f7HMDZoDI0wryrp
+3fLY+NJlyePm6r1M
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:9D:8F:B4:A4:B7:A2:AE:B9:76:B5:1E:CB:1F:64:16:A5:7A:0E:85:4A
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0d:f1:3d:54:c8:22:83:d4:1c:69:d2:12:e3:82:09:7e:b6:c0:
+ af:f4:41:9b:51:c5:04:d4:c5:ca:51:73:5c:c5:14:c5:d6:d0:
+ 11:6c:40:ce:49:e7:80:49:a9:35:94:84:b5:bb:52:37:62:c3:
+ 5e:0e:18:48:57:44:b1:cd:97:a2:44:ef:9f:75:44:16:9e:58:
+ ff:db:7f:18:8e:d5:07:fc:01:64:17:c3:00:79:4d:02:af:dd:
+ 08:88:37:03:be:cc:80:7a:cb:fd:e7:5c:53:03:b1:f2:17:16:
+ 1a:14:25:f4:ea:50:8c:14:ff:58:e9:2f:fe:e4:75:d9:67:78:
+ fa:7a
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+NiBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUnY+0pLeirrl2tR7LH2QWpXoOhUowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEADfE9VMgig9QcadIS44IJfrbAr/RBm1HFBNTFylFzXMUUxdbQEWxAzknn
+gEmpNZSEtbtSN2LDXg4YSFdEsc2XokTvn3VEFp5Y/9t/GI7VB/wBZBfDAHlNAq/d
+CIg3A77MgHrL/edcUwOx8hcWGhQl9OpQjBT/WOkv/uR12Wd4+no=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subCA4
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:48:34:08:54:A6:EC:4F:D9:98:14:21:EC:D4:63:B1:23:6F:ED:79:3E
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 7a:5e:e4:e2:af:00:5c:48:3a:c2:36:d1:97:10:66:06:b0:04:
+ 8c:37:8b:96:01:b2:c1:bc:b5:3a:8f:b5:44:05:db:84:2a:85:
+ c1:7c:96:fd:b3:6c:1d:47:69:63:e6:a2:d5:6b:29:76:e2:72:
+ e1:4b:6a:d4:06:22:80:cb:58:0a:39:aa:47:45:a0:84:d0:9d:
+ d4:e5:00:13:71:ef:bb:3b:27:b0:e5:93:cf:b2:05:87:43:8d:
+ bc:a5:7a:50:8f:22:43:48:df:9a:e7:cc:8c:3e:54:fd:16:85:
+ 3e:e9:a2:47:4f:f8:ae:94:85:32:4a:88:94:b7:c4:13:62:11:
+ 6c:b8
+-----BEGIN X509 CRL-----
+MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJDQTQXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud
+IwQYMBaAFEg0CFSm7E/ZmBQh7NRjsSNv7Xk+MAoGA1UdFAQDAgEBMA0GCSqGSIb3
+DQEBBQUAA4GBAHpe5OKvAFxIOsI20ZcQZgawBIw3i5YBssG8tTqPtUQF24QqhcF8
+lv2zbB1HaWPmotVrKXbicuFLatQGIoDLWAo5qkdFoITQndTlABNx77s7J7Dlk8+y
+BYdDjbylelCPIkNI35rnzIw+VP0WhT7pokdP+K6UhTJKiJS3xBNiEWy4
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubCA41
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:C6:C5:DD:3D:D7:FB:74:43:40:C9:D0:AA:E5:A1:0A:D6:81:34:8A:11
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 0e:71:9b:f6:ad:39:6e:d8:be:f8:b2:87:85:75:4b:35:16:3c:
+ e7:52:48:af:e3:b1:7b:6d:1f:2e:59:59:81:af:cc:88:37:3b:
+ 78:f8:4d:7a:81:e6:6e:23:50:4c:80:f2:e9:d5:cf:79:ce:e8:
+ 9e:f8:c4:82:2b:6f:4a:ab:29:bd:5b:34:57:5f:31:5d:3b:a6:
+ b5:da:8f:57:4b:07:e2:5f:e3:f1:b0:8f:25:92:f2:c6:57:26:
+ 9a:4e:36:d9:c9:6b:37:f3:0f:7d:81:b6:2d:6c:f7:c7:76:d7:
+ 3e:29:67:8b:2e:01:9a:f8:90:2c:53:da:a6:c7:6c:b6:56:09:
+ fb:df
+-----BEGIN X509 CRL-----
+MIIBSjCBtAIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJjAkBgNVBAMTHXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJDQTQxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAf
+BgNVHSMEGDAWgBTGxd091/t0Q0DJ0KrloQrWgTSKETAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQAOcZv2rTlu2L74soeFdUs1FjznUkiv47F7bR8uWVmBr8yI
+Nzt4+E16geZuI1BMgPLp1c95zuie+MSCK29Kqym9WzRXXzFdO6a12o9XSwfiX+Px
+sI8lkvLGVyaaTjbZyWs38w99gbYtbPfHdtc+KWeLLgGa+JAsU9qmx2y2Vgn73w==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint6 subsubsubCA41X
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:10:95:E7:8A:96:74:F9:3C:F4:9B:06:A9:49:F3:C1:9A:3F:CE:70:1F
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 06:af:3f:80:68:02:24:ee:c0:3f:33:5b:62:49:01:cf:ee:87:
+ f7:92:49:33:a2:b1:b0:6c:e7:23:7f:4a:8d:2a:1b:e9:31:fc:
+ 04:49:76:f2:f6:92:d2:b3:32:70:50:71:9f:12:ab:03:6c:2d:
+ a7:0f:81:ef:fb:01:3e:3f:09:b8:df:e8:4e:28:c9:5d:fa:a3:
+ ef:64:db:b9:cb:8f:66:a2:b5:ba:17:f3:05:62:5c:8c:5b:75:
+ f6:7e:54:aa:30:59:0d:50:c1:23:90:c9:91:06:49:1e:bf:23:
+ de:88:c6:7a:39:0e:6e:11:cc:44:44:40:2e:08:82:65:e8:74:
+ 9d:60
+-----BEGIN X509 CRL-----
+MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKjAoBgNVBAMTIXBhdGhMZW5Db25zdHJhaW50
+NiBzdWJzdWJzdWJDQTQxWBcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAv
+MC0wHwYDVR0jBBgwFoAUEJXnipZ0+Tz0mwapSfPBmj/OcB8wCgYDVR0UBAMCAQEw
+DQYJKoZIhvcNAQEFBQADgYEABq8/gGgCJO7APzNbYkkBz+6H95JJM6KxsGznI39K
+jSob6TH8BEl28vaS0rMycFBxnxKrA2wtpw+B7/sBPj8JuN/oTijJXfqj72TbucuP
+ZqK1uhfzBWJcjFt19n5UqjBZDVDBI5DJkQZJHr8j3ojGejkObhHMRERALgiCZeh0
+nWA=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest7.pem
new file mode 100644
index 0000000000..d2ac20b505
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest7.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid pathLenConstraint EE Certificate Test7
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIICijCCAfOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDow4Z8Uorsifrji6RyscEE5DKo3WRY
+S01OJEDMgd8P75udI5umL9+vwJBIoObEUAx5I5UMDxkto9pDvHrRH72cNywar2n2
+4oat6X0JzKOaEzlx0N5E8Tp7LRkF7dcVCIZUGN0qVAJvfMtVQpcbRbLhK96jqOV1
+5uh5OetDHHufAgMBAAGjazBpMB8GA1UdIwQYMBaAFCEMtQF2dtOzKqwm/KqmT/LW
+oW9LMB0GA1UdDgQWBBRscpI4Rhz3vkPw7mtg+y+hic1p2DAOBgNVHQ8BAf8EBAMC
+BPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBACeo
+UDJXue1qGUe8Qxos7w6eQsbzHSXsmNI+t2Hyq+CARypTIgbueoWHfe1HyPsbOrEr
+3U2waZZ8AQzwklkyFUiL4D5Jo/+0coA9hPwmyhF6J/Wa5nOmLex1ZGg3c7J+MVAL
+1qx70Ft4WEm/EWBWCqse0wlEZXsvg5WocxF/xXKC
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest8.pem
new file mode 100644
index 0000000000..4dc31c0a1d
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest8.pem
@@ -0,0 +1,108 @@
+subject=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIBGjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEkxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEeMBwGA1UEAxMVcGF0aExlbkNv
+bnN0cmFpbnQwIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCXXXPbNnk
+MU3wxjjwCdA/Pj+lwkDk8WSxKGdOrcPMnFnrCdUnSqEES3K6/T7JRQyv6Y13Rt6w
+LAhrQI94UBcsAAQND4SOPyJUE3PonzcolJQ+EzkSB9qq6cxJokxTvxVTx2VN7bN1
+RJ7FrWovHu/vmKnwsOy3zv41U6KBfuf04QIDAQABo38wfTAfBgNVHSMEGDAWgBT7
+bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUIQy1AXZ207MqrCb8qqZP8tah
+b0swDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATASBgNV
+HRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GBAJUd83zrSjxfaGwFdTCt
+BSI1mTeztSKFxIzrWeTxD3C0JHAxt1oM1AN8DQ/Ej8ja3rxhzsFQaWzdi3ixvnGr
+NbjLZH7EPWBPSSC2rTAcvLzVs2AuPsBkv7IKxg7HTJZtLbXDOIatWT+24OuKwTzE
+6cbcSe7zaz5qdojy0B72dLHC
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid pathLenConstraint EE Certificate Test8
+issuer=/C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25z
+dHJhaW50MCBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGAxCzAJ
+BgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE1MDMGA1UEAxMs
+VmFsaWQgcGF0aExlbkNvbnN0cmFpbnQgRUUgQ2VydGlmaWNhdGUgVGVzdDgwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ+d2dQ2by4x3S9c+qiAbIuZy8fID08F
+m7aovaa12yHhqJ3IzwCS1+98Gu23ZZS65gN/dW1buemmT4JpkyJ5eUPiw5HuxN2n
+2pvbRTUJWmEKu1CL4ZdhDaWZJrzu1Nh33imr4KOz+JmYCK+GoYPtgBbWVfCA92B7
+DSHq36MTczl/AgMBAAGjfDB6MB8GA1UdIwQYMBaAFCEMtQF2dtOzKqwm/KqmT/LW
+oW9LMB0GA1UdDgQWBBQOVClwok24sW5DcWf/ad9B25zw3TAOBgNVHQ8BAf8EBAMC
+AfYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADgYEAIy48NtD42z00ZliJ+YZXUEU/rjppUQ19EdKy5ECwUPNl
+/2VPgN43d5eaOB3e4YxFHG8E0PHYy8dNTZo8dlIRRUZzSswCzuJuDYpVi16vVkeO
+N6+gI9xXcd4AMBcbjpyCDuJsSlV5xyIVfgocdocT6kasvJThBiOYDfH7QOWuSfw=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=pathLenConstraint0 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:21:0C:B5:01:76:76:D3:B3:2A:AC:26:FC:AA:A6:4F:F2:D6:A1:6F:4B
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:7b:a5:e5:64:8b:31:64:fa:9f:8f:a3:25:ab:8b:c9:c2:ba:
+ cb:b9:e3:5f:3d:e9:b9:f4:f4:f4:d8:00:4c:cc:9e:5a:36:b3:
+ d3:53:12:aa:d5:ba:ad:94:a5:21:16:c4:9c:ac:3d:3c:e3:2f:
+ 53:69:97:6c:2e:e5:82:98:31:e8:47:f9:8d:dc:ab:e2:8d:ec:
+ b9:3f:b2:61:20:ad:22:24:f6:ff:90:4a:14:92:38:0e:9b:80:
+ 3f:1e:11:f2:d8:7b:fd:d4:0c:90:06:82:2c:48:f8:9e:7e:91:
+ 55:0c:21:e8:dd:95:ac:90:c7:d7:02:af:84:f4:23:08:bb:da:
+ cd:a2
+-----BEGIN X509 CRL-----
+MIIBQjCBrAIBATANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHjAcBgNVBAMTFXBhdGhMZW5Db25zdHJhaW50
+MCBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgw
+FoAUIQy1AXZ207MqrCb8qqZP8tahb0swCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEF
+BQADgYEAVnul5WSLMWT6n4+jJauLycK6y7njXz3pufT09NgATMyeWjaz01MSqtW6
+rZSlIRbEnKw9POMvU2mXbC7lgpgx6Ef5jdyr4o3suT+yYSCtIiT2/5BKFJI4DpuA
+Px4R8th7/dQMkAaCLEj4nn6RVQwh6N2VrJDH1wKvhPQjCLvazaI=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Validpre2000UTCnotBeforeDateTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Validpre2000UTCnotBeforeDateTest3.pem
new file mode 100644
index 0000000000..3f2ffa9bf5
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Validpre2000UTCnotBeforeDateTest3.pem
@@ -0,0 +1,119 @@
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Valid pre2000 UTC notBefore Date EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIIChTCCAe6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+NTAwMTAxMTIwMTAwWhcNMTEwNDE5MTQ1NzIwWjBpMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPjA8BgNVBAMTNVZhbGlkIHByZTIwMDAg
+VVRDIG5vdEJlZm9yZSBEYXRlIEVFIENlcnRpZmljYXRlIFRlc3QzMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQC1uwQ7EgYKGk7IBOZd3vdARgrWUKCEqjpfYUEG
+ZGlsC48omvxCrzR+eJj1q8TeHAsH3dAcpkbNNWCWRHblq9LbqkhpBaMquzvg541B
+TNerg9dj4vjwV0/QYdbvyLVcKBv9iLE0MCJeSLcaseO2vYmNXObSXMTf74BXNR4D
+k7uI9wIDAQABo2swaTAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAd
+BgNVHQ4EFgQU9EsyhAynLAz6iwskm+iASoGKdMowDgYDVR0PAQH/BAQDAgTwMBcG
+A1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQCTLQM+0YBT
+3vure42KCvGYSQpheOtLtv1bLa9TT4kbo18aNRVQwTOnZLtKqKa6etoxJ70rhfO5
+x2uCELzyIkUrAbjyqMYg/0nckc4HTEys4xmbHjiyWPie/lS757sA1trwNRntBn9J
+pdkDmwEqALaRBRH6YH3ybrNMZh5h2CVqFw==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/certs.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/certs.pem
new file mode 100644
index 0000000000..de409f5895
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/certs.pem
@@ -0,0 +1,118 @@
+subject=/C=US/O=Test Certificates/CN=Valid EE Certificate Test1
+issuer=/C=US/O=Test Certificates/CN=Good CA
+-----BEGIN CERTIFICATE-----
+MIICajCCAdOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN
+MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJVUzEaMBgG
+A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlZhbGlkIEVFIENlcnRp
+ZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtpKu/a6Co
+7KcKOymboEA+MmgoryXHT1dxExmQ1lO7yah2L8j8RG6ox5Tr37TV8Y21ti3MopcF
+H+iXDSX31fixsYCZkcpjMI4kbjXmjGOeFKu1vnbBmcb5JBISiUeg22tIRFoJ4zTh
+i3GLVecGijyOVReA5LiPymEKG7fAB3241wIDAQABo2swaTAfBgNVHSMEGDAWgBS3
+LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUOsyUZQyFqTzB4K9RMyoUSI+e
+kVswDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq
+hkiG9w0BAQUFAAOBgQCkaGfCqYi0681n9Dit36lg3U/9gTZoNqPMaAaLUQV3Crzx
+x2MGInhTyKchYydbV8HD89N2jzzYq7J2KM/ZEAfjskCdsj1SiMNkbYZe3rZZOldr
+PCGFgzUGTNakQxkpxU5j7plivQic/OZ7+mMTi0fnjGRi9M+aa744VmH6FgCt1w==
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=Good CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0
+p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2
+IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp
+Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa
+vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE
+AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN
+BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya
+cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq
+rA==
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Good CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 0E
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Serial Number: 0F
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90:
+ 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f:
+ 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65:
+ 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1:
+ 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e:
+ b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb:
+ 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85:
+ 92:cd
+-----BEGIN X509 CRL-----
+MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0
+NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD
+VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf
+BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE
+MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1
+KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ==
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/inhibitAnyPolicyTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/inhibitAnyPolicyTest3.pem
new file mode 100644
index 0000000000..05c743e5b5
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/inhibitAnyPolicyTest3.pem
@@ -0,0 +1,159 @@
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+-----BEGIN CERTIFICATE-----
+MIICgDCCAemgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQ
+b2xpY3kxIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTDELMAkG
+A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSEwHwYDVQQDExhp
+bmhpYml0QW55UG9saWN5MSBzdWJDQTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAMvuM5rrG+hunxSZwR8TVsLND7teVaTAzIxbnJv0xpVvawDeQiN1A+CIdJH8
+TUXrgcfdU+E04StBCqDRBr1+DBMt/PuBDS/I2PcKqBuP6sfkSDr/lPYkbRBI8wZ9
+87H/ke7seqh7cSVORfqg4KupdEE3i2gxONHlTT/7XV0C5aOlAgMBAAGjdjB0MB8G
+A1UdIwQYMBaAFGbbtZTHBcSzPiuRud/IqNBNKzREMB0GA1UdDgQWBBQpIHiUjoSQ
+KUJLfKsOgyq+NVs8FTAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAA
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAuKZUyh6gvU8Ab5pl
+P79yddRQcx4G1navwUD3YSS7q2rnmqY2ucmHX8H1JsOhQUqvLL81fIqAkWPANAmQ
+K4NU/ZSkkjtfTcJy5oYsVXjz0MyLKOwrt52j8MLZsUW/TIf5e57kPbORC7RQhEr+
+yMDT6AY3En8iF4h8mqMhwnQnO3U=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy EE Certificate Test3
+issuer=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+-----BEGIN CERTIFICATE-----
+MIIChjCCAe+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQ
+b2xpY3kxIHN1YkNBMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFkx
+CzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEuMCwGA1UE
+AxMlaW5oaWJpdEFueVBvbGljeSBFRSBDZXJ0aWZpY2F0ZSBUZXN0MzCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA5paTjQbj3puhDjZ2oS+VWmYpkB1j3pR42xS6
+DZJFysWv18MFWj06Gcb3VAc4DowyPEHzYQuzdaTQASCQLSX9JskU/ohcioVwGiK5
+S80dAfcGLSVJsvMROXvlapFvgkhM/qqtvyL0ft/bTTMPPkQMqayQPNiS1j1NIOaj
+nLReO+sCAwEAAaNrMGkwHwYDVR0jBBgwFoAUKSB4lI6EkClCS3yrDoMqvjVbPBUw
+HQYDVR0OBBYEFFXoqY9k25OSv29Bm8cxsKCX5ASxMA4GA1UdDwEB/wQEAwIE8DAX
+BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQADgYEARqFA8zrZ
+Fv0+U+IKZbMlVa9p1ILSXSsNk+KlwRjgJRk1l3UQtw6G6NfVhKkgNvqgrj7zcfg6
+zZuuMCad33y5ysIFZ4ohuBtD19Rq5TEp+UqAqMwaewF7AajpU0h+XnLg8v1uPY0j
+a6MimyCJtGwBH9LcptLn/+La3+6ap7ji+nM=
+-----END CERTIFICATE-----
+
+subject=/C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+issuer=/C=US/O=Test Certificates/CN=Trust Anchor
+-----BEGIN CERTIFICATE-----
+MIICmTCCAgKgAwIBAgIBPDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa
+MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv
+cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT
+MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUaW5oaWJpdEFu
+eVBvbGljeTEgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM97WBxcmLvJ
+SCQLpyIPIhnb86f8mT4hWgvgIiFRNZDdlqrMl5D754iGLwoSRYWm6NZzneNuxpXa
+sX+q9JyoOc6/7ZQy37w/cp6Elcq77KWgALd2zRbEAbFOtdy216GpPB+3c9I7msQT
+W6bbzzGuqbTxaEEvWptSCBqXuFY6FR+XAgMBAAGjgZowgZcwHwYDVR0jBBgwFoAU
++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFGbbtZTHBcSzPiuRud/IqNBN
+KzREMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD
+VR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GA1UdNgEB/wQDAgEBMA0GCSqG
+SIb3DQEBBQUAA4GBAJTqlrUt2/8sAjVasjqUiKDtFgaFp8ueEU93bKb/90sW+uxF
+HCyYOqmVYnjKLDGYR0rR9R9hErIFwlqIz3ff2K6cq7ND2uLm8BctGWmvP3s56y7V
+CooCKzBgRilaPqsJw12BrGGjZ4CaYx8ov4puyRW11UjrAcWn/8AIWCmIPuzH
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 CA
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:66:DB:B5:94:C7:05:C4:B3:3E:2B:91:B9:DF:C8:A8:D0:4D:2B:34:44
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 03:a6:22:4b:c0:43:a0:ed:e5:8e:d1:8b:0b:d2:cc:b6:8b:9b:
+ 21:e8:fc:2f:84:a1:cd:3c:a0:bf:73:be:9a:00:f2:b4:90:e5:
+ 15:a0:31:87:2b:61:f0:cd:3e:ad:db:d8:2d:91:db:ba:8f:5c:
+ fd:95:59:36:0c:ba:0b:f1:79:a9:68:96:a1:2e:14:cc:0b:6a:
+ 43:93:0a:80:71:b7:3e:8e:3a:da:74:31:5c:1c:ec:82:b9:3c:
+ 88:ff:6f:51:05:f5:f8:d8:47:c2:9f:3d:3c:5c:98:be:f0:de:
+ 9d:d8:a6:56:e9:53:62:cd:09:56:91:c7:ea:c8:bb:2e:05:a6:
+ 38:b5
+-----BEGIN X509 CRL-----
+MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFGluaGliaXRBbnlQb2xpY3kx
+IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW
+gBRm27WUxwXEsz4rkbnfyKjQTSs0RDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF
+AAOBgQADpiJLwEOg7eWO0YsL0sy2i5sh6PwvhKHNPKC/c76aAPK0kOUVoDGHK2Hw
+zT6t29gtkdu6j1z9lVk2DLoL8XmpaJahLhTMC2pDkwqAcbc+jjradDFcHOyCuTyI
+/29RBfX42EfCnz08XJi+8N6d2KZW6VNizQlWkcfqyLsuBaY4tQ==
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=inhibitAnyPolicy1 subCA1
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:29:20:78:94:8E:84:90:29:42:4B:7C:AB:0E:83:2A:BE:35:5B:3C:15
+
+ X509v3 CRL Number:
+ 1
+No Revoked Certificates.
+ Signature Algorithm: sha1WithRSAEncryption
+ 75:3b:42:7f:44:c5:fa:ab:b2:c4:63:ac:10:89:84:e0:50:32:
+ 4b:96:80:48:15:1d:19:1c:b8:49:6d:42:c3:4c:b4:bd:a0:29:
+ e0:14:56:1a:1d:df:92:90:19:27:a0:b7:f3:1b:7a:32:32:2d:
+ cd:ee:29:38:d0:75:8e:8c:51:9d:02:7f:92:a6:af:08:ef:23:
+ 8e:bc:b2:a6:47:36:d1:9c:e6:dd:4b:05:55:1c:56:47:1a:40:
+ 67:4b:01:bd:b4:d0:74:12:5a:97:83:20:d5:4e:a7:d2:bb:ad:
+ 52:a5:ac:13:44:fc:95:1f:d9:70:fa:a2:05:fb:73:e2:9d:15:
+ 61:ac
+-----BEGIN X509 CRL-----
+MIIBRTCBrwIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxITAfBgNVBAMTGGluaGliaXRBbnlQb2xpY3kx
+IHN1YkNBMRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0j
+BBgwFoAUKSB4lI6EkClCS3yrDoMqvjVbPBUwCgYDVR0UBAMCAQEwDQYJKoZIhvcN
+AQEFBQADgYEAdTtCf0TF+quyxGOsEImE4FAyS5aASBUdGRy4SW1Cw0y0vaAp4BRW
+Gh3fkpAZJ6C38xt6MjItze4pONB1joxRnQJ/kqavCO8jjryypkc20Zzm3UsFVRxW
+RxpAZ0sBvbTQdBJal4Mg1U6n0rutUqWsE0T8lR/ZcPqiBftz4p0VYaw=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+ Version 2 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/O=Test Certificates/CN=Trust Anchor
+ Last Update: Apr 19 14:57:20 2001 GMT
+ Next Update: Apr 19 14:57:20 2011 GMT
+ CRL extensions:
+ X509v3 Authority Key Identifier:
+ keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA
+
+ X509v3 CRL Number:
+ 1
+Revoked Certificates:
+ Serial Number: 68
+ Revocation Date: Apr 19 14:57:20 2001 GMT
+ CRL entry extensions:
+ X509v3 CRL Reason Code:
+ Key Compromise
+ Signature Algorithm: sha1WithRSAEncryption
+ 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b:
+ 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31:
+ 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53:
+ 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31:
+ dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7:
+ bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf:
+ 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9:
+ 14:39
+-----BEGIN X509 CRL-----
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE
+ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw
+NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow
+DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/
+SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t
+JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4
+cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr
+8tP+qCAxwTN2txwZZU25FDk=
+-----END X509 CRL-----
+
diff --git a/lib/public_key/test/public_key.spec b/lib/public_key/test/public_key.spec
new file mode 100644
index 0000000000..dee9ad44ed
--- /dev/null
+++ b/lib/public_key/test/public_key.spec
@@ -0,0 +1,2 @@
+{topcase, {dir, "../public_key_test"}}.
+
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
new file mode 100644
index 0000000000..93ae6e6eda
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -0,0 +1,260 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+-module(public_key_SUITE).
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+-include("test_server.hrl").
+-include("test_server_line.hrl").
+-include("public_key.hrl").
+
+-define(TIMEOUT, 120000). % 2 min
+
+%% Test server callback functions
+%%--------------------------------------------------------------------
+%% Function: init_per_suite(Config) -> Config
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%% Description: Initialization before the whole suite
+%%
+%% Note: This function is free to add any key/value pairs to the Config
+%% variable, but should NOT alter/remove any existing entries.
+%%--------------------------------------------------------------------
+init_per_suite(Config) ->
+ crypto:start(),
+ Config.
+
+%%--------------------------------------------------------------------
+%% Function: end_per_suite(Config) -> _
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%% Description: Cleanup after the whole suite
+%%--------------------------------------------------------------------
+end_per_suite(_Config) ->
+ crypto:stop().
+
+%%--------------------------------------------------------------------
+%% Function: init_per_testcase(TestCase, Config) -> Config
+%% Case - atom()
+%% Name of the test case that is about to be run.
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%%
+%% Description: Initialization before each test case
+%%
+%% Note: This function is free to add any key/value pairs to the Config
+%% variable, but should NOT alter/remove any existing entries.
+%% Description: Initialization before each test case
+%%--------------------------------------------------------------------
+init_per_testcase(_TestCase, Config0) ->
+ Config = lists:keydelete(watchdog, 1, Config0),
+ Dog = test_server:timetrap(?TIMEOUT),
+ [{watchdog, Dog} | Config].
+
+%%--------------------------------------------------------------------
+%% Function: end_per_testcase(TestCase, Config) -> _
+%% Case - atom()
+%% Name of the test case that is about to be run.
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%% Description: Cleanup after each test case
+%%--------------------------------------------------------------------
+end_per_testcase(_TestCase, Config) ->
+ Dog = ?config(watchdog, Config),
+ case Dog of
+ undefined ->
+ ok;
+ _ ->
+ test_server:timetrap_cancel(Dog)
+ end.
+
+%%--------------------------------------------------------------------
+%% Function: all(Clause) -> TestCases
+%% Clause - atom() - suite | doc
+%% TestCases - [Case]
+%% Case - atom()
+%% Name of a test case.
+%% Description: Returns a list of all test cases in this test suite
+%%--------------------------------------------------------------------
+all(doc) ->
+ ["Test the public_key rsa functionality"];
+
+all(suite) ->
+ [app,
+ pem_to_der,
+ decode_private_key
+%% encrypt_decrypt,
+%% rsa_verify
+%% dsa_verify_sign,
+%% pkix_encode_decode,
+%% pkix_verify_sign,
+%% pkix_path_validation
+ ].
+
+%% Test cases starts here.
+%%--------------------------------------------------------------------
+
+app(doc) ->
+ "Test that the public_key app file is ok";
+app(suite) ->
+ [];
+app(Config) when list(Config) ->
+ ok = test_server:app_test(public_key).
+
+pem_to_der(doc) ->
+ ["Check that supported PEM files are decoded into the expected entry type"];
+pem_to_der(suite) ->
+ [];
+pem_to_der(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok,[{dsa_private_key, _, not_encrypted}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dsa.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem"), "abcd1234"),
+ {ok, Bin0} = file:read_file(filename:join(Datadir, "rsa.pem")),
+ {ok, [{rsa_private_key, _, _}]} = public_key:pem_to_der(Bin0, "abcd1234"),
+
+ {ok,[{dh_params, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dh.pem")),
+ {ok,[{cert, _, not_encrypted}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_cert.pem")),
+ {ok,[{cert_req, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "req.pem")),
+ {ok,[{cert, _, _}, {cert, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "cacerts.pem")),
+
+ {ok, Bin1} = file:read_file(filename:join(Datadir, "cacerts.pem")),
+ {ok, [{cert, _, _}, {cert, _, _}]} = public_key:pem_to_der(Bin1),
+
+ ok.
+%%--------------------------------------------------------------------
+decode_private_key(doc) ->
+ ["Check that private keys are decode to the expected key type."];
+decode_private_key(suite) ->
+ [];
+decode_private_key(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok,[DsaKey = {dsa_private_key, _DsaKey, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dsa.pem")),
+ {ok,[RsaKey = {rsa_private_key, _RsaKey,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
+ {ok,[ProtectedRsaKey1 = {rsa_private_key, _ProtectedRsaKey1,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem"), "abcd1234"),
+ {ok,[ProtectedRsaKey2 = {rsa_private_key, _ProtectedRsaKey2,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
+
+ {ok, #'DSAPrivateKey'{}} = public_key:decode_private_key(DsaKey),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(RsaKey),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(ProtectedRsaKey1),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(ProtectedRsaKey2, "abcd1234"),
+ ok.
+%%--------------------------------------------------------------------
+encrypt_decrypt(doc) ->
+ [""];
+encrypt_decrypt(suite) ->
+ [];
+encrypt_decrypt(Config) when is_list(Config) ->
+ RSAPrivateKey = #'RSAPrivateKey'{publicExponent = 17,
+ modulus = 3233,
+ privateExponent = 2753,
+ prime1 = 61,
+ prime2 = 53,
+ version = 'two-prime'},
+ Msg = <<0,123>>,
+ {ok, Encrypted} = public_key:encrypt(Msg, RSAPrivateKey, [{block_type, 2}]),
+ test_server:format("Expected 855, Encrypted ~p ~n", [Encrypted]),
+ ok.
+
+
+
+
+
+
+
+
+
+%% Datadir = ?config(data_dir, Config),
+%% {ok,[{rsa_private_key, EncKey}]} =
+%% public_key:pem_to_der(filename:join(Datadir, "server_key.pem")),
+%% {ok, Key} = public_key:decode_private_key(EncKey, rsa),
+%% RSAPublicKey = #'RSAPublicKey'{publicExponent =
+%% Key#'RSAPrivateKey'.publicExponent,
+%% modulus = Key#'RSAPrivateKey'.modulus},
+%% {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
+%% Hash = crypto:sha(Msg),
+%% {ok, Encrypted} = public_key:encrypt(Hash, Key, [{block_type, 2}]),
+%% test_server:format("Encrypted ~p", [Encrypted]),
+%% {ok, Decrypted} = public_key:decrypt(Encrypted,
+%% RSAPublicKey, [{block_type, 1}]),
+%% test_server:format("Encrypted ~p", [Decrypted]),
+%% true = Encrypted == Decrypted.
+
+%%--------------------------------------------------------------------
+rsa_verify(doc) ->
+ ["Cheks that we can verify an rsa signature."];
+rsa_verify(suite) ->
+ [];
+rsa_verify(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+
+ {ok,[{cert, DerCert}]} =
+ public_key:pem_to_der(filename:join(Datadir, "server_cert.pem")),
+
+ {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+
+ {0, Signature} = OTPCert#'Certificate'.signature,
+ TBSCert = OTPCert#'Certificate'.tbsCertificate,
+
+ #'TBSCertificate'{subjectPublicKeyInfo = Info} = TBSCert,
+
+ #'SubjectPublicKeyInfo'{subjectPublicKey = RSAPublicKey} = Info,
+
+ EncTBSCert = encoded_tbs_cert(DerCert),
+ Digest = crypto:sha(EncTBSCert),
+
+ public_key:verify_signature(Digest, Signature, RSAPublicKey).
+
+
+%% Signature is generated in the following way (in datadir):
+%% openssl dgst -sha1 -binary -out rsa_signature -sign server_key.pem msg.txt
+%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
+%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
+%% {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
+%% Digest = crypto:sha(Msg),
+%% {ok,[{rsa_private_key, EncKey}]} =
+%% public_key:pem_to_der(filename:join(Datadir, "server_key.pem")),
+%% {ok, Key} = public_key:decode_private_key(EncKey, rsa),
+%% RSAPublicKey = #'RSAPublicKey'{publicExponent =
+%% Key#'RSAPrivateKey'.publicExponent,
+%% modulus = Key#'RSAPrivateKey'.modulus},
+
+encoded_tbs_cert(Cert) ->
+ {ok, PKIXCert} =
+ 'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert),
+ {'Certificate',
+ {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
+ EncodedTBSCert.
+
diff --git a/lib/public_key/test/public_key_SUITE_data/cacerts.pem b/lib/public_key/test/public_key_SUITE_data/cacerts.pem
new file mode 100644
index 0000000000..d56b9a8227
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/cacerts.pem
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAlegAwIBAgIJAOaRYda/AniWMA0GCSqGSIb3DQEBBQUAMIGGMREwDwYD
+VQQDEwhlcmxhbmdDQTETMBEGA1UECxMKRXJsYW5nIE9UUDEUMBIGA1UEChMLRXJp
+Y3Nzb24gQUIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMCU0UxJTAjBgkq
+hkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwHhcNMDgwMTA5MDgyOTI5
+WhcNMDgwMjA4MDgyOTI5WjCBhjERMA8GA1UEAxMIZXJsYW5nQ0ExEzARBgNVBAsT
+CkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMRIwEAYDVQQHEwlTdG9j
+a2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkBFhZwZXRlckBlcml4LmVy
+aWNzc29uLnNlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDL0btNSeda6nac
+HJANkZAzF34pUgKawY21B4WDLGcuwOO6mZbPh1Tw3OVVIaSVHWJRXgxWCeAeaxlp
+ti+ShJEGT5wayWTMs0g03lwEoH0S2EGi4bhawCI7PVUt23CBVRJodisfNqJR+VqD
+BmU3K9Ftd6erWqQo6lxHhce8+0ViiwIDAQABo2IwYDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUG9lBmAYejoT1qLXpnBMa9UrSrTowIQYD
+VR0RBBowGIEWcGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTANBgkqhkiG9w0BAQUFAAOB
+gQCjugej2Jg/L5rqi0maYHilAjTEw22nwNzHn4JixQCU7m9HkIMv2RXa2WiCncqm
+rySo5Ki9TlyMGqwMa1sA31LZBt7L8giCz9BIc4f1fPlUcqQBIu9nebwJSXufCISK
+2X5kM4N0u8rR2TK7fQ1uvaekDtzx1T6zrSYyU7GrgWJfUw==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDyDCCAzGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBhjERMA8GA1UEAxMIZXJs
+YW5nQ0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFC
+MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkB
+FhZwZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkyOVoXDTE3MTEx
+NzA4MjkyOVowgYMxDjAMBgNVBAMTBW90cENBMRMwEQYDVQQLEwpFcmxhbmcgT1RQ
+MRQwEgYDVQQKEwtFcmljc3NvbiBBQjELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0
+b2NraG9sbTElMCMGCSqGSIb3DQEJARYWcGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTCB
+nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA19NLtRF22E1WAK/1QGF1zg3e1Z6T
+W0W9WAukXc8ATj3Pn4051+9ZHpq9HL++iSGrJHMGrFKbX5DtFpTvecRDPQxBSv4r
+pQgFr4t9K8XBiuAeEurghGKeiysoPqosgapc7OBQQf0hIoKY6ozqJUK3brFcPwXZ
+Weeji79z8TOq7SsCAwEAAaOCAUUwggFBMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P
+BAQDAgEGMB0GA1UdDgQWBBQGq4A0OqS4drK9nS4o5W2R3n0BmzCBuwYDVR0jBIGz
+MIGwgBQb2UGYBh6OhPWotemcExr1StKtOqGBjKSBiTCBhjERMA8GA1UEAxMIZXJs
+YW5nQ0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFC
+MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkB
+FhZwZXRlckBlcml4LmVyaWNzc29uLnNlggkA5pFh1r8CeJYwIQYDVR0RBBowGIEW
+cGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTAhBgNVHRIEGjAYgRZwZXRlckBlcml4LmVy
+aWNzc29uLnNlMA0GCSqGSIb3DQEBBQUAA4GBALeYUWp8zsoZJJ1I93STYAauqvv5
+MovrPeDCzQZKTfrdCgmYGx1/wxYMa1vHbV1QRqEK/ri7He8/sF/5ckXHUqXRKD/q
+vBjIIv/rGixJSueMG2bYyz3r6BU6hw0blnUwzCbvD76Dr2QIRoQsKoWsXnfN5l/D
+zhyxDkq1j6Q3DCIL
+-----END CERTIFICATE-----
+
diff --git a/lib/public_key/test/public_key_SUITE_data/client_cert.pem b/lib/public_key/test/public_key_SUITE_data/client_cert.pem
new file mode 100644
index 0000000000..9017e99fce
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/client_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgzEOMAwGA1UEAxMFb3Rw
+Q0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMQsw
+CQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xtMSUwIwYJKoZIhvcNAQkBFhZw
+ZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkzMFoXDTE3MTExNzA4
+MjkzMFowgYQxDzANBgNVBAMTBmNsaWVudDETMBEGA1UECxMKRXJsYW5nIE9UUDEU
+MBIGA1UEChMLRXJpY3Nzb24gQUIxCzAJBgNVBAYTAlNFMRIwEAYDVQQHEwlTdG9j
+a2hvbG0xJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPU4RP7c78G+P922PENNeaPWiIm3iwim
+HmQbLRF+Og+tl9pL4JQOFqQKZLq3aK/FYWC2kpZqgYxkwmpaPoXpmy6bIWXcU8G2
+6PBj/flyCJ+sj02zhOXNHW656eA0GZX5ZFDlx30XapLpnxoNCKHO3SvwlSotwr5V
+BuuY3NugIJBDAgMBAAGjggE3MIIBMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd
+BgNVHQ4EFgQUGjssBUjTntYXIh7xfRt7c12j53gwgbMGA1UdIwSBqzCBqIAUBquA
+NDqkuHayvZ0uKOVtkd59AZuhgYykgYkwgYYxETAPBgNVBAMTCGVybGFuZ0NBMRMw
+EQYDVQQLEwpFcmxhbmcgT1RQMRQwEgYDVQQKEwtFcmljc3NvbiBBQjESMBAGA1UE
+BxMJU3RvY2tob2xtMQswCQYDVQQGEwJTRTElMCMGCSqGSIb3DQEJARYWcGV0ZXJA
+ZXJpeC5lcmljc3Nvbi5zZYIBATAhBgNVHREEGjAYgRZwZXRlckBlcml4LmVyaWNz
+c29uLnNlMCEGA1UdEgQaMBiBFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwDQYJKoZI
+hvcNAQEFBQADgYEAXQtw43kPebP3h27YEcVUEpWmk46+sgDRvgCO6ZBkws3ctknM
+bCpfFzA/BHjvKsIZuCN1a2DlEi1Men0oq9KEMpKyoDcRI//Qch4vN7mam6XMtA6P
+FOoG6snhSOsFVz3/+hfZAZD2Yt3fZjGosQ1G8Rob/vvZDvQS8sWXMrrWDyo=
+-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/client_key.pem b/lib/public_key/test/public_key_SUITE_data/client_key.pem
new file mode 100644
index 0000000000..9d7e0dd5fb
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/client_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQD1OET+3O/Bvj/dtjxDTXmj1oiJt4sIph5kGy0RfjoPrZfaS+CU
+DhakCmS6t2ivxWFgtpKWaoGMZMJqWj6F6ZsumyFl3FPBtujwY/35cgifrI9Ns4Tl
+zR1uuengNBmV+WRQ5cd9F2qS6Z8aDQihzt0r8JUqLcK+VQbrmNzboCCQQwIDAQAB
+AoGAPQEyqPTt8JUT7mRXuaacjFXiweAXhp9NEDpyi9eLOjtFe9lElZCrsUOkq47V
+TGUeRKEm9qSodfTbKPoqc8YaBJGJPhUaTAcha+7QcDdfHBvIsgxvU7ePVnlpXRp3
+CCUEMPhlnx6xBoTYP+fRU0e3+xJIPVyVCqX1jAdUMkzfRoECQQD6ux7B1QJAIWyK
+SGkbDUbBilNmzCFNgIpOP6PA+bwfi5d16diTpra5AX09keQABAo/KaP1PdV8Vg0p
+z4P3A7G3AkEA+l+AKG6m0kQTTBMJDqOdVPYwe+5GxunMaqmhokpEbuGsrZBl5Dvd
+WpcBjR7jmenrhKZRIuA+Fz5HPo/UQJPl1QJBAKxstDkeED8j/S2XoFhPKAJ+6t39
+sUVICVTIZQeXdmzHJXCcUSkw8+WEhakqw/3SyW0oaK2FSWQJFWJUZ+8eJj8CQEh3
+xeduB5kKnS9CvzdeghZqX6QvVosSdtlUmfUYW/BgH5PpHKTP8wTaeld3XldZTpMJ
+dKiMkUw2+XYROVUrubUCQD+Na1LhULlpn4ISEtIEfqpdlUhxDgO15Wg8USmsng+x
+ICliVOSQtwaZjm8kwaFt0W7XnpnDxbRs37vIEbIMWak=
+-----END RSA PRIVATE KEY-----
diff --git a/lib/public_key/test/public_key_SUITE_data/dh.pem b/lib/public_key/test/public_key_SUITE_data/dh.pem
new file mode 100644
index 0000000000..c133540b44
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/dh.pem
@@ -0,0 +1,4 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx
+q3YvALe/enMbIq8F3OUmppq3UHwTAgEC
+-----END DH PARAMETERS----- \ No newline at end of file
diff --git a/lib/public_key/test/public_key_SUITE_data/dsa.pem b/lib/public_key/test/public_key_SUITE_data/dsa.pem
new file mode 100644
index 0000000000..58f0a65cba
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/dsa.pem
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQC3s+bZJWOQnRXkzKLPPfaQOouLuLgrbM4Ac63QZOnJeRVas3c1
+jBk0Isp506RrKzhEop8z9OiKfqRteVntjjkcILwsQ/1veWgojdP/jHYl6pbJm6AQ
+ETM7GvkpgRDTd4Bf/rbrhABczl1NatnJhMsES8n2zNiiAVRP0woVmMNnkQIVANUe
+uFb3EPdFwPEjilQ5jANHQc7pAoGBAJSzGD9KW4AZYB0FTt/2rwB5VjayKudi8ZO0
+nTyVoDLz40yvWerL/PJMbAnMnbY7zuN/Y9cqnMJOdBkHPvOpLQVls/d/x5CHZxcq
+mn3n+Jplr5tlKugpUCkvgNALH2o/DMrPh1DIiPqrH3Y0W8iKcG+zF9Z7FXbCswC5
+2TTFtuwNAoGAfEIAb3mLjtFfiF/tsZb4/DGHdWSb6Ir0hFkoBUZ9ymBO70wlfZVS
+QGs240kZtOMpAOpJL1Dy8oH6PUQ+JyacwZIo8fdq19/Kwm6CPrpaEhzErmMvwT2C
+ZJYZ+HOk55ljLkVCiyG7MzEj2+odLKym9yoQsbsJolHzIRpkLk45y4cCFFmAnw67
++basD1iibtNHs9Edfdkm
+-----END DSA PRIVATE KEY-----
diff --git a/lib/public_key/test/public_key_SUITE_data/req.pem b/lib/public_key/test/public_key_SUITE_data/req.pem
new file mode 100644
index 0000000000..86d74d05a3
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/req.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBxTCCAS4CAQAwgYQxDzANBgNVBAMTBmNsaWVudDETMBEGA1UECxMKRXJsYW5n
+IE9UUDEUMBIGA1UEChMLRXJpY3Nzb24gQUIxEjAQBgNVBAcTCVN0b2NraG9sbTEL
+MAkGA1UEBhMCU0UxJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24u
+c2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPU4RP7c78G+P922PENNeaPW
+iIm3iwimHmQbLRF+Og+tl9pL4JQOFqQKZLq3aK/FYWC2kpZqgYxkwmpaPoXpmy6b
+IWXcU8G26PBj/flyCJ+sj02zhOXNHW656eA0GZX5ZFDlx30XapLpnxoNCKHO3Svw
+lSotwr5VBuuY3NugIJBDAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQATS9GOidrC
+bOJ+PuSUpRnDHfZAZANZAd/9v4hW57bMMIQlCEb8CgfPvGKztNMxTH8Xc7VPDTp8
+FWKQ53R29T0IWEochHA5FjJyCVrkZjgZ0qcQUV8aCe9NTB0LW58OWOOwGYjJb8hp
+dL+3RvUr4OchWxMzzF5YmjyUbt8GSpevrg==
+-----END CERTIFICATE REQUEST-----
diff --git a/lib/public_key/test/public_key_SUITE_data/rsa.pem b/lib/public_key/test/public_key_SUITE_data/rsa.pem
new file mode 100644
index 0000000000..88f7d446f2
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/rsa.pem
@@ -0,0 +1,16 @@
+Bag Attributes
+ friendlyName: host_key
+ localKeyID: 68 6F 73 74
+Key Attributes: <No Attributes>
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6BD965F8BC70B54C
+
+4Gx1y5goD02Aft3DmvlV0Mr7bXd4OR1ZEwk1b2utIXLRMXfDkrK+vHbHhIbGBLOn
+TIhdSxASnNhh7NmaXaTsZ+H/tZSmX+4OkeQOsRfrPj8C81pkXjuxtxhCRuaTWg/R
+VABz7u/4rL2OMIPz9w/dyEWCSZnBoWpbxI20gP/k+/kZgzVbz6mkhMs5Xkf4lFwU
+WnjR498pwlHmMHYwBIEMFBsIvb9JYeEQEZOjxAjUljmhYHB0pMyMBxHjlSSEIN5h
+cSXT0ZxQmT+59FediRRQCDZHuy7Bc/nanUavvs5dk7en+gy2LSVKJ/K16zv6gtoV
+c1MN48wQlCd+tRFVXRsPX3OliTKEwkSNlT7gdyzBaQxt610EAj2YKZVHE7i+d0Sk
+4rQ9iwALjoohWhP8SjcTonZD4kOvhjlRggn1JTGlo6s=
+-----END RSA PRIVATE KEY----- \ No newline at end of file
diff --git a/lib/public_key/test/public_key_SUITE_data/server_cert.pem b/lib/public_key/test/public_key_SUITE_data/server_cert.pem
new file mode 100644
index 0000000000..da68c7a8ab
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/server_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBgzEOMAwGA1UEAxMFb3Rw
+Q0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMQsw
+CQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xtMSUwIwYJKoZIhvcNAQkBFhZw
+ZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkzMFoXDTE3MTExNzA4
+MjkzMFowgYQxDzANBgNVBAMTBnNlcnZlcjETMBEGA1UECxMKRXJsYW5nIE9UUDEU
+MBIGA1UEChMLRXJpY3Nzb24gQUIxCzAJBgNVBAYTAlNFMRIwEAYDVQQHEwlTdG9j
+a2hvbG0xJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKR20HPrkDGdiavHUyWwFEQwta2dmtF2
+eQZZi9Xk68UJYbuU7CikHs2srkrwzj0OPIqbp/xOBNzJ7Kch0o4yO6vcEAiSCJ6A
+B4uSM742hrYW4qXgc18K6PqTwSuKr94sn3qQuo4hF/ymCxLrnSicrNpzGOz9A0Lf
+2+Vk6hV0BtdHAgMBAAGjggE3MIIBMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd
+BgNVHQ4EFgQUi19l/qhEwHP/CUeaEjWy4GhOBRIwgbMGA1UdIwSBqzCBqIAUBquA
+NDqkuHayvZ0uKOVtkd59AZuhgYykgYkwgYYxETAPBgNVBAMTCGVybGFuZ0NBMRMw
+EQYDVQQLEwpFcmxhbmcgT1RQMRQwEgYDVQQKEwtFcmljc3NvbiBBQjESMBAGA1UE
+BxMJU3RvY2tob2xtMQswCQYDVQQGEwJTRTElMCMGCSqGSIb3DQEJARYWcGV0ZXJA
+ZXJpeC5lcmljc3Nvbi5zZYIBATAhBgNVHREEGjAYgRZwZXRlckBlcml4LmVyaWNz
+c29uLnNlMCEGA1UdEgQaMBiBFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwDQYJKoZI
+hvcNAQEFBQADgYEAzHGutrGMSeC3Di7Z8d65SM7jZLrkkusmL+D2oPVIOGrfZbVu
+yfDKU/nImm99z+lhC/N3JEEpB6PgAYSskfVdBL3LoxbUTaCn/+G3A/G8NfRVIYyA
+NTBeNW6ueNpjnauLzcwpyXpu3vp1VBg8wBePtGTBIbRHRgtwwHRXAddE/Ws=
+-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/server_key.pem b/lib/public_key/test/public_key_SUITE_data/server_key.pem
new file mode 100644
index 0000000000..d9618da7b7
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/server_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCkdtBz65AxnYmrx1MlsBREMLWtnZrRdnkGWYvV5OvFCWG7lOwo
+pB7NrK5K8M49DjyKm6f8TgTcyeynIdKOMjur3BAIkgiegAeLkjO+Noa2FuKl4HNf
+Cuj6k8Eriq/eLJ96kLqOIRf8pgsS650onKzacxjs/QNC39vlZOoVdAbXRwIDAQAB
+AoGAUsSQx6XnXXDhFhgsGi1xJZg19nf4sC2lXrK2EyEwHmtISjT6XMGr1upulLx3
+rnZ5tW/8rJc/DzZ36Oy2oGVbbaVeS4UJAgv2yRYb7F+am8BACRyEl4ap6nrz5c7G
+E+aSLwFG3INlHiojlhhwB6wv1I+UDRUT+FXJVHTemscUEPECQQDZ0wpra1E86heR
+jgHIBxHHlv1761gFFoJv6iqASOw9+yIctx0KC3Hrc35tiBaFcu5Nqzc8AEkiui8m
+fEEIDfvbAkEAwUmzIWD/6nv34l5W1U3M7atNwvLEepBoTJYf/VENL8dG5nBnVtah
+vZsKPS1VTmqlMTy+THe3u/hS9AgXOOyEBQJAcPExPONnOvtx/wGvwMSRnniWtHMh
+r3mtZlP3d47YF4cod9UmVHf8uIWo7ygZ7VXbZCA7wnuvcDczjXPt0DxX8wJAA6p9
+LkXjtLPTOMTnSrZmC5/zIp5uIZD5mXJDew99e4mBC7/YBeqeOLVnFU/1zT3ykiN/
+zH18y6DjGePJZPf/bQJBAJfnIL4y1rKGhliqhzokYtKURJ4eCR7qzJRkgyya+4UV
+INi6+MZ+mVYkxjGRH8C6+pIUk9TFpMj+1LfHyzMRIxg=
+-----END RSA PRIVATE KEY-----
diff --git a/lib/public_key/vsn.mk b/lib/public_key/vsn.mk
new file mode 100644
index 0000000000..64f0203915
--- /dev/null
+++ b/lib/public_key/vsn.mk
@@ -0,0 +1,6 @@
+PUBLIC_KEY_VSN = 0.4
+
+TICKETS = OTP-8250
+#TICKETS_0.3 = OTP-8100 OTP-8142
+#TICKETS_0.2 = OTP-7860
+#TICKETS_0.1 = OTP-7637 \ No newline at end of file