Diffstat (limited to 'lib/ssl/test')
-rw-r--r--lib/ssl/test/erl_make_certs.erl34
-rw-r--r--lib/ssl/test/make_certs.erl16
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl108
-rw-r--r--lib/ssl/test/ssl_packet_SUITE.erl2
-rw-r--r--lib/ssl/test/ssl_test_lib.erl28
5 files changed, 126 insertions, 62 deletions
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index 1d2cea6c72..c9db0d3851 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -56,7 +56,7 @@
make_cert(Opts) ->
SubjectPrivateKey = get_key(Opts),
{TBSCert, IssuerKey} = make_tbs(SubjectPrivateKey, Opts),
- Cert = public_key:sign(TBSCert, IssuerKey),
+ Cert = public_key:pkix_sign(TBSCert, IssuerKey),
true = verify_signature(Cert, IssuerKey, undef), %% verify that the keys where ok
{Cert, encode_key(SubjectPrivateKey)}.
@@ -66,8 +66,9 @@ make_cert(Opts) ->
%% @end
%%--------------------------------------------------------------------
write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
- ok = public_key:der_to_pem(filename:join(Dir, FileName ++ ".pem"), [{cert, Cert, not_encrypted}]),
- ok = public_key:der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
+ ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ ".pem"),
+ [{'Certificate', Cert, not_encrypted}]),
+ ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
%%--------------------------------------------------------------------
%% @doc Creates a rsa key (OBS: for testing only)
@@ -94,18 +95,14 @@ gen_dsa(LSize,NSize) when is_integer(LSize), is_integer(NSize) ->
%% @spec (::binary(), ::tuple()) -> ::boolean()
%% @end
%%--------------------------------------------------------------------
-verify_signature(DerEncodedCert, DerKey, KeyParams) ->
+verify_signature(DerEncodedCert, DerKey, _KeyParams) ->
Key = decode_key(DerKey),
case Key of
#'RSAPrivateKey'{modulus=Mod, publicExponent=Exp} ->
- public_key:verify_signature(DerEncodedCert,
- #'RSAPublicKey'{modulus=Mod, publicExponent=Exp},
- 'NULL');
+ public_key:pkix_verify(DerEncodedCert,
+ #'RSAPublicKey'{modulus=Mod, publicExponent=Exp});
#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y} ->
- public_key:verify_signature(DerEncodedCert, Y, #'Dss-Parms'{p=P, q=Q, g=G});
-
- _ ->
- public_key:verify_signature(DerEncodedCert, Key, KeyParams)
+ public_key:pkix_verify(DerEncodedCert, {Y, #'Dss-Parms'{p=P, q=Q, g=G}})
end.
%%%%%%%%%%%%%%%%%%%%%%%%% Implementation %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
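Review bot: The edoc line `%% @spec (::binary(), ::tuple()) -> ::boolean()` above verify_signature lists two arguments, but the function takes three and the third is now ignored as `_KeyParams`. I would update it to `%% @spec (::binary(), ::tuple(), ::term()) -> ::boolean()` and say in the @doc text that the last argument is kept only for the existing callers. With the catch-all clause removed, a key that decodes to anything other than an RSA or DSA private key now fails with a `case_clause` error instead of being passed to the verifier; that is reasonable for a test helper but worth stating in the same comment. The edoc block begins above this hunk.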
@@ -132,19 +129,18 @@ decode_key(#'RSAPrivateKey'{} = Key,_) ->
Key;
decode_key(#'DSAPrivateKey'{} = Key,_) ->
Key;
-decode_key(Der = {_,_,_}, Pw) ->
- {ok, Key} = public_key:decode_private_key(Der, Pw),
- Key;
-decode_key(FileOrDer, Pw) ->
- {ok, [KeyInfo]} = public_key:pem_to_der(FileOrDer),
+decode_key(PemEntry = {_,_,_}, Pw) ->
+ public_key:pem_entry_decode(PemEntry, Pw);
+decode_key(PemBin, Pw) ->
+ [KeyInfo] = public_key:pem_decode(PemBin),
decode_key(KeyInfo, Pw).
encode_key(Key = #'RSAPrivateKey'{}) ->
{ok, Der} = 'OTP-PUB-KEY':encode('RSAPrivateKey', Key),
- {rsa_private_key, list_to_binary(Der), not_encrypted};
+ {'RSAPrivateKey', list_to_binary(Der), not_encrypted};
encode_key(Key = #'DSAPrivateKey'{}) ->
{ok, Der} = 'OTP-PUB-KEY':encode('DSAPrivateKey', Key),
- {dsa_private_key, list_to_binary(Der), not_encrypted}.
+ {'DSAPrivateKey', list_to_binary(Der), not_encrypted}.
make_tbs(SubjectKey, Opts) ->
Version = list_to_atom("v"++integer_to_list(proplists:get_value(version, Opts, 3))),
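Review bot: The final clause `decode_key(PemBin, Pw)` no longer accepts a file name, yet its head still matches any term. The old clause was named `FileOrDer` and went through `public_key:pem_to_der/1`; the new one hands its argument straight to `public_key:pem_decode/1`, so a caller that still passes a path would fail inside that call rather than at this function. A guard makes the narrowed contract visible: `decode_key(PemBin, Pw) when is_binary(PemBin) ->`. Whether any caller still passes a path cannot be seen from this hunk, and the first clauses of decode_key lie above it.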
@@ -178,7 +174,7 @@ issuer(Opts, SubjectKey) ->
end.
issuer_der(Issuer) ->
- {ok, Decoded} = public_key:pkix_decode_cert(Issuer, otp),
+ Decoded = public_key:pkix_decode_cert(Issuer, otp),
#'OTPCertificate'{tbsCertificate=Tbs} = Decoded,
#'OTPTBSCertificate'{subject=Subject} = Tbs,
Subject.
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 0cdf33c3e2..3c18a905b4 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -90,8 +90,10 @@ enduser(Root, OpenSSLCmd, CA, User) ->
KeyFile = filename:join([UsrRoot, "key.pem"]),
ReqFile = filename:join([UsrRoot, "req.pem"]),
create_req(Root, OpenSSLCmd, CnfFile, KeyFile, ReqFile),
- CertFile = filename:join([UsrRoot, "cert.pem"]),
- sign_req(Root, OpenSSLCmd, CA, "user_cert", ReqFile, CertFile).
+ CertFileAllUsage = filename:join([UsrRoot, "cert.pem"]),
+ sign_req(Root, OpenSSLCmd, CA, "user_cert", ReqFile, CertFileAllUsage),
+ CertFileDigitalSigOnly = filename:join([UsrRoot, "digital_signature_only_cert.pem"]),
+ sign_req(Root, OpenSSLCmd, CA, "user_cert_digital_signature_only", ReqFile, CertFileDigitalSigOnly).
collect_certs(Root, CAs, Users) ->
Bins = lists:foldr(
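Review bot: The second `sign_req` call in enduser/4 issues another certificate for the same request, and so the same subject, as the first, and nothing here says that this depends on the CA configuration. The `"unique_subject = no\n"` line added to ca_cnf/1 later in this file appears to be what allows it, so the two changes are coupled across functions. I would add a comment above the second call such as `%% Same request signed twice: relies on unique_subject = no in ca_cnf/1`. The start of enduser/4 is outside this hunk.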
@@ -255,6 +257,7 @@ ca_cnf(CA) ->
"RANDFILE = $dir/private/RAND\n"
"\n"
"x509_extensions = user_cert\n"
+ "unique_subject = no\n"
"default_days = 3600\n"
"default_md = sha1\n"
"preserve = no\n"
@@ -279,6 +282,15 @@ ca_cnf(CA) ->
"issuerAltName = issuer:copy\n"
"\n"
+ "[user_cert_digital_signature_only]\n"
+ "basicConstraints = CA:false\n"
+ "keyUsage = digitalSignature\n"
+ "subjectKeyIdentifier = hash\n"
+ "authorityKeyIdentifier = keyid,issuer:always\n"
+ "subjectAltName = email:copy\n"
+ "issuerAltName = issuer:copy\n"
+ "\n"
+
"[ca_cert]\n"
"basicConstraints = critical,CA:true\n"
"keyUsage = cRLSign, keyCertSign\n"
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 8a1b90ed98..53142250e8 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -233,7 +233,8 @@ all(suite) ->
server_renegotiate_reused_session, client_no_wrap_sequence_number,
server_no_wrap_sequence_number, extended_key_usage,
validate_extensions_fun, no_authority_key_identifier,
- invalid_signature_client, invalid_signature_server, cert_expired
+ invalid_signature_client, invalid_signature_server, cert_expired,
+ client_with_cert_cipher_suites_handshake
].
%% Test cases starts here.
@@ -578,8 +579,8 @@ peercert(Config) when is_list(Config) ->
{options, ClientOpts}]),
CertFile = proplists:get_value(certfile, ServerOpts),
- {ok, [{cert, BinCert, _}]} = public_key:pem_to_der(CertFile),
- {ok, ErlCert} = public_key:pkix_decode_cert(BinCert, otp),
+ [{'Certificate', BinCert, _}]= ssl_test_lib:pem_to_der(CertFile),
+ ErlCert = public_key:pkix_decode_cert(BinCert, otp),
ServerMsg = {{error, no_peercert}, {error, no_peercert}},
ClientMsg = {{ok, BinCert}, {ok, ErlCert}},
@@ -2525,35 +2526,35 @@ extended_key_usage(Config) when is_list(Config) ->
PrivDir = ?config(priv_dir, Config),
KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
- {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
- {ok, Key} = public_key:decode_private_key(KeyInfo),
+ [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+ Key = public_key:pem_entry_decode(KeyEntry),
ServerCertFile = proplists:get_value(certfile, ServerOpts),
NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"),
- {ok, [{cert, ServerDerCert, _}]} = public_key:pem_to_der(ServerCertFile),
- {ok, ServerOTPCert} = public_key:pkix_decode_cert(ServerDerCert, otp),
+ [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),
+ ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp),
ServerExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-serverAuth']},
ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate,
ServerExtensions = ServerOTPTbsCert#'OTPTBSCertificate'.extensions,
NewServerOTPTbsCert = ServerOTPTbsCert#'OTPTBSCertificate'{extensions =
[ServerExtKeyUsageExt |
ServerExtensions]},
- NewServerDerCert = public_key:sign(NewServerOTPTbsCert, Key),
- public_key:der_to_pem(NewServerCertFile, [{cert, NewServerDerCert, not_encrypted}]),
+ NewServerDerCert = public_key:pkix_sign(NewServerOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),
NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)],
ClientCertFile = proplists:get_value(certfile, ClientOpts),
NewClientCertFile = filename:join(PrivDir, "client/new_cert.pem"),
- {ok, [{cert, ClientDerCert, _}]} = public_key:pem_to_der(ClientCertFile),
- {ok, ClientOTPCert} = public_key:pkix_decode_cert(ClientDerCert, otp),
+ [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile),
+ ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp),
ClientExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-clientAuth']},
ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate,
ClientExtensions = ClientOTPTbsCert#'OTPTBSCertificate'.extensions,
NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions =
[ClientExtKeyUsageExt |
ClientExtensions]},
- NewClientDerCert = public_key:sign(NewClientOTPTbsCert, Key),
- public_key:der_to_pem(NewClientCertFile, [{cert, NewClientDerCert, not_encrypted}]),
+ NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]),
NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
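Review bot: Both `ssl_test_lib:der_to_pem(...)` calls in extended_key_usage discard the result, although the new helper returns whatever `file:write_file/2` returns. A failed write would leave the test running against a missing or stale certificate file and fail later with an unrelated handshake error. Matching the result, as write_pem in erl_make_certs.erl already does, keeps the failure at its cause: `ok = ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),`. The same applies to the calls in no_authority_key_identifier, invalid_signature_server, invalid_signature_client and cert_expired, and to the three calls in make_dsa_cert_files in ssl_test_lib.erl. Alternatively, the helper itself could end with `ok = file:write_file(File, PemBin).`.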
@@ -2621,13 +2622,13 @@ no_authority_key_identifier(Config) when is_list(Config) ->
PrivDir = ?config(priv_dir, Config),
KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
- {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
- {ok, Key} = public_key:decode_private_key(KeyInfo),
+ [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+ Key = public_key:pem_entry_decode(KeyEntry),
CertFile = proplists:get_value(certfile, ServerOpts),
NewCertFile = filename:join(PrivDir, "server/new_cert.pem"),
- {ok, [{cert, DerCert, _}]} = public_key:pem_to_der(CertFile),
- {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+ [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile),
+ OTPCert = public_key:pkix_decode_cert(DerCert, otp),
OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate,
Extensions = OTPTbsCert#'OTPTBSCertificate'.extensions,
NewExtensions = delete_authority_key_extension(Extensions, []),
@@ -2635,8 +2636,8 @@ no_authority_key_identifier(Config) when is_list(Config) ->
test_server:format("Extensions ~p~n, NewExtensions: ~p~n", [Extensions, NewExtensions]),
- NewDerCert = public_key:sign(NewOTPTbsCert, Key),
- public_key:der_to_pem(NewCertFile, [{cert, NewDerCert, not_encrypted}]),
+ NewDerCert = public_key:pkix_sign(NewOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]),
NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -2679,16 +2680,16 @@ invalid_signature_server(Config) when is_list(Config) ->
PrivDir = ?config(priv_dir, Config),
KeyFile = filename:join(PrivDir, "server/key.pem"),
- {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
- {ok, Key} = public_key:decode_private_key(KeyInfo),
+ [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+ Key = public_key:pem_entry_decode(KeyEntry),
ServerCertFile = proplists:get_value(certfile, ServerOpts),
NewServerCertFile = filename:join(PrivDir, "server/invalid_cert.pem"),
- {ok, [{cert, ServerDerCert, _}]} = public_key:pem_to_der(ServerCertFile),
- {ok, ServerOTPCert} = public_key:pkix_decode_cert(ServerDerCert, otp),
+ [{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),
+ ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp),
ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate,
- NewServerDerCert = public_key:sign(ServerOTPTbsCert, Key),
- public_key:der_to_pem(NewServerCertFile, [{cert, NewServerDerCert, not_encrypted}]),
+ NewServerDerCert = public_key:pkix_sign(ServerOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),
NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -2719,16 +2720,16 @@ invalid_signature_client(Config) when is_list(Config) ->
PrivDir = ?config(priv_dir, Config),
KeyFile = filename:join(PrivDir, "client/key.pem"),
- {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
- {ok, Key} = public_key:decode_private_key(KeyInfo),
+ [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+ Key = public_key:pem_entry_decode(KeyEntry),
ClientCertFile = proplists:get_value(certfile, ClientOpts),
NewClientCertFile = filename:join(PrivDir, "client/invalid_cert.pem"),
- {ok, [{cert, ClientDerCert, _}]} = public_key:pem_to_der(ClientCertFile),
- {ok, ClientOTPCert} = public_key:pkix_decode_cert(ClientDerCert, otp),
+ [{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile),
+ ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp),
ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate,
- NewClientDerCert = public_key:sign(ClientOTPTbsCert, Key),
- public_key:der_to_pem(NewClientCertFile, [{cert, NewClientDerCert, not_encrypted}]),
+ NewClientDerCert = public_key:pkix_sign(ClientOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]),
NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -2796,13 +2797,13 @@ cert_expired(Config) when is_list(Config) ->
PrivDir = ?config(priv_dir, Config),
KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
- {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
- {ok, Key} = public_key:decode_private_key(KeyInfo),
+ [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+ Key = public_key:pem_entry_decode(KeyEntry),
ServerCertFile = proplists:get_value(certfile, ServerOpts),
NewServerCertFile = filename:join(PrivDir, "server/expired_cert.pem"),
- {ok, [{cert, DerCert, _}]} = public_key:pem_to_der(ServerCertFile),
- {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+ [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),
+ OTPCert = public_key:pkix_decode_cert(DerCert, otp),
OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate,
{Year, Month, Day} = date(),
@@ -2825,8 +2826,8 @@ cert_expired(Config) when is_list(Config) ->
[OTPTbsCert#'OTPTBSCertificate'.validity, NewValidity]),
NewOTPTbsCert = OTPTbsCert#'OTPTBSCertificate'{validity = NewValidity},
- NewServerDerCert = public_key:sign(NewOTPTbsCert, Key),
- public_key:der_to_pem(NewServerCertFile, [{cert, NewServerDerCert, not_encrypted}]),
+ NewServerDerCert = public_key:pkix_sign(NewOTPTbsCert, Key),
+ ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),
NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -2849,6 +2850,39 @@ two_digits_str(N) ->
lists:flatten(io_lib:format("~p", [N])).
%%--------------------------------------------------------------------
+
+client_with_cert_cipher_suites_handshake(doc) ->
+ ["Test that client with a certificate without keyEncipherment usage "
+ " extension can connect to a server with restricted cipher suites "];
+
+client_with_cert_cipher_suites_handshake(suite) ->
+ [];
+
+client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_verification_opts_digital_signature_only, Config),
+ ServerOpts = ?config(server_verification_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE,
+ send_recv_result_active, []}},
+ {options, [{active, true},
+ {ciphers, ssl_test_lib:rsa_non_signed_suites()}
+ | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE,
+ send_recv_result_active, []}},
+ {options, [{active, true}
+ | ClientOpts]}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
send_recv_result(Socket) ->
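Review bot: client_with_cert_cipher_suites_handshake only asserts that both sides return `ok`, so it exercises the digitalSignature-only certificate only if the server actually requests and verifies a client certificate. That depends on what `server_verification_opts` contains, which is not visible in this hunk. A one-line comment naming that dependency would help, for example `%% server_verification_opts must request the client certificate, otherwise it is never checked`. The doc clause also joins two literals into text with doubled spaces and does not say which suites are meant; I would write it as `["Test that a client whose certificate has keyUsage digitalSignature only can connect to a server restricted to RSA key exchange cipher suites"];`.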
diff --git a/lib/ssl/test/ssl_packet_SUITE.erl b/lib/ssl/test/ssl_packet_SUITE.erl
index 1b8754afe9..fac84a85cd 100644
--- a/lib/ssl/test/ssl_packet_SUITE.erl
+++ b/lib/ssl/test/ssl_packet_SUITE.erl
@@ -1770,7 +1770,7 @@ packet_asn1_decode(Config) when is_list(Config) ->
File = proplists:get_value(certfile, ServerOpts),
%% A valid asn1 BER packet (DER is stricter BER)
- {ok,[{cert, Data, _}]} = public_key:pem_to_der(File),
+ [{'Certificate', Data, _}] = ssl_test_lib:pem_to_der(File),
Server = ssl_test_lib:start_server([{node, ClientNode}, {port, 0},
{from, self()},
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index dd0818827a..c7ff015034 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -268,6 +268,8 @@ cert_options(Config) ->
"client", "cacerts.pem"]),
ClientCertFile = filename:join([?config(priv_dir, Config),
"client", "cert.pem"]),
+ ClientCertFileDigitalSignatureOnly = filename:join([?config(priv_dir, Config),
+ "client", "digital_signature_only_cert.pem"]),
ServerCaCertFile = filename:join([?config(priv_dir, Config),
"server", "cacerts.pem"]),
ServerCertFile = filename:join([?config(priv_dir, Config),
@@ -292,6 +294,10 @@ cert_options(Config) ->
{certfile, ClientCertFile},
{keyfile, ClientKeyFile},
{ssl_imp, new}]},
+ {client_verification_opts_digital_signature_only, [{cacertfile, ClientCaCertFile},
+ {certfile, ClientCertFileDigitalSignatureOnly},
+ {keyfile, ClientKeyFile},
+ {ssl_imp, new}]},
{server_opts, [{ssl_imp, new},{reuseaddr, true},
{certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
{server_verification_opts, [{ssl_imp, new},{reuseaddr, true},
@@ -346,9 +352,9 @@ make_dsa_cert_files(RoleStr, Config) ->
KeyFile = filename:join([?config(priv_dir, Config),
RoleStr, "dsa_key.pem"]),
- public_key:der_to_pem(CaCertFile, [{cert, CaCert, not_encrypted}]),
- public_key:der_to_pem(CertFile, [{cert, Cert, not_encrypted}]),
- public_key:der_to_pem(KeyFile, [CertKey]),
+ der_to_pem(CaCertFile, [{'Certificate', CaCert, not_encrypted}]),
+ der_to_pem(CertFile, [{'Certificate', Cert, not_encrypted}]),
+ der_to_pem(KeyFile, [CertKey]),
{CaCertFile, CertFile, KeyFile}.
start_upgrade_server(Args) ->
@@ -571,6 +577,14 @@ rsa_suites() ->
end,
ssl:cipher_suites()).
+rsa_non_signed_suites() ->
+ lists:filter(fun({rsa, _, _}) ->
+ true;
+ (_) ->
+ false
+ end,
+ ssl:cipher_suites()).
+
dsa_suites() ->
lists:filter(fun({dhe_dss, _, _}) ->
true;
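Review bot: The name `rsa_non_signed_suites` does not say what is selected, and the function has no comment. The filter keeps the `{rsa, _, _}` tuples from `ssl:cipher_suites()`, which look like the suites with plain RSA key exchange. A comment above the function would record that, for example `%% Suites with plain RSA key exchange, i.e. {rsa, Cipher, Hash}`. The function is called from ssl_basic_SUITE, so it has to be exported; the export attribute is not part of this diff.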
@@ -601,3 +615,11 @@ openssl_dsa_suites() ->
true
end
end, Ciphers).
+
+pem_to_der(File) ->
+ {ok, PemBin} = file:read_file(File),
+ public_key:pem_decode(PemBin).
+
+der_to_pem(File, Entries) ->
+ PemBin = public_key:pem_encode(Entries),
+ file:write_file(File, PemBin).