From a6dad932f429f3ae4635ba7d800b1e36bf479af1 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 29 Jun 2023 16:33:03 +0200
Subject: [PATCH] sm: Complete rewrite of the PKCS#12 parser

* sm/minip12.c: Reworked most of the parser.
(p12_set_verbosity): Add arg debug and change all callers.

* sm/t-minip12.c: New.
* sm/Makefile.am (module_maint): Add it.

* tests/samplekeys/Description-p12: New.
* tests/samplekeys/t5793-openssl.pfx: New from T5793.
* tests/samplekeys/t5793-test.pfx: Ditto.
* tests/samplekeys/Description-p12: Add them.
* tests/Makefile.am (EXTRA_DIST): Add samplekeys.
--

GnuPG-bug-id: 6536
Backported_from: 101433dfb42b333e48427baf9dd58ac4787c9786
Backported_from: 5f694dc0be994e8cd3bc009139d1349f3b1fcf62
---
 NEWS                               |    9 +
 sm/Makefile.am                     |   20 +
 sm/gpgsm.c                         |    2 +-
 sm/minip12.c                       | 2171 +++++++++++++++++-----------
 sm/minip12.h                       |    2 +-
 sm/t-minip12.c                     |  789 ++++++++++
 tests/Makefile.am                  |    6 +
 tests/samplekeys/Description-p12   |   32 +
 tests/samplekeys/README            |    8 +-
 tests/samplekeys/t5793-openssl.pfx |  Bin 0 -> 4285 bytes
 tests/samplekeys/t5793-test.pfx    |  Bin 0 -> 4328 bytes
 11 files changed, 2207 insertions(+), 832 deletions(-)
 create mode 100644 sm/t-minip12.c
 create mode 100644 tests/samplekeys/Description-p12
 create mode 100644 tests/samplekeys/t5793-openssl.pfx
 create mode 100644 tests/samplekeys/t5793-test.pfx

diff --git a/NEWS b/NEWS
index 9facb4448..7a423906d 100644
--- a/NEWS
+++ b/NEWS
@@ -26,8 +26,17 @@ Noteworthy changes in version 2.2.42 (unreleased)
 
   * gpgsm: Also announce AES256-CBC in signatures.  [rGaa397fdcdb21]
 
+  * gpgsm: Major rewrite of the PKCS#12 parser.  [T6536]
+
   * dirmngr: New option --ignore-crl-extensions.  [T6545]
 
+  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
+    commands.  [rG505e770b4c]
+
+  * wkd: Make --add-revocs the default in gpg-wks-client.  New option
+    --no-add-revocs.  [rG67d57fae3f]
+
+
   Release-info: https://dev.gnupg.org/T6307
 
 
diff --git a/sm/Makefile.am b/sm/Makefile.am
index ee0e91dbf..db8b35ea8 100644
--- a/sm/Makefile.am
+++ b/sm/Makefile.am
@@ -21,6 +21,13 @@ EXTRA_DIST = ChangeLog-2011 \
              gpgsm-w32info.rc gpgsm.w32-manifest.in
 
 bin_PROGRAMS = gpgsm
+noinst_PROGRAMS = $(module_tests) $(module_maint_tests)
+
+if DISABLE_TESTS
+TESTS =
+else
+TESTS = $(module_tests)
+endif
 
 AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) $(LIBASSUAN_CFLAGS)
 
@@ -68,6 +75,19 @@ gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a \
 gpgsm_LDFLAGS = $(extra_bin_ldflags)
 gpgsm_DEPENDENCIES = $(gpgsm_rc_objs)
 
+module_tests = t-minip12
+module_maint_tests =
+
+t_common_src =
+t_common_ldadd = $(libcommon) $(LIBGCRYPT_LIBS) $(KSBA_LIBS) \
+                 $(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV)
+
+
+t_minip12_CFLAGS = -DWITHOUT_NPTH=1 \
+	           $(LIBGCRYPT_CFLAGS) $(KSBA_CFLAGS) $(GPG_ERROR_CFLAGS)
+t_minip12_SOURCES = $(t_common_src) t-minip12.c minip12.c
+t_minip12_LDADD   = $(t_common_ldadd) $(NETLIBS)
+
 
 # Make sure that all libs are build before we use them.  This is
 # important for things like make -j2.
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 4606c5aa9..acd3ca933 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -773,7 +773,7 @@ set_debug (void)
 
   /* minip12.c may be used outside of GnuPG, thus we don't have the
    * opt structure over there.  */
-  p12_set_verbosity (opt.verbose);
+  p12_set_verbosity (opt.verbose, opt.debug);
 }
 
 
diff --git a/sm/minip12.c b/sm/minip12.c
index 695c60ff1..b50ad58ca 100644
--- a/sm/minip12.c
+++ b/sm/minip12.c
@@ -1,7 +1,7 @@
 /* minip12.c - A minimal pkcs-12 implementation.
  * Copyright (C) 2002, 2003, 2004, 2006, 2011 Free Software Foundation, Inc.
  * Copyright (C) 2014 Werner Koch
- * Copyright (C) 2022 g10 Code GmbH
+ * Copyright (C) 2022, 2023 g10 Code GmbH
  *
  * This file is part of GnuPG.
  *
@@ -78,6 +78,8 @@ static unsigned char const oid_pkcs5PBES2[9] = {
   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D };
 static unsigned char const oid_aes128_CBC[9] = {
   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02 };
+static unsigned char const oid_aes256_CBC[9] = {
+  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A };
 
 static unsigned char const oid_rsaEncryption[9] = {
   0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
@@ -143,6 +145,45 @@ struct tag_info
   int ndef;              /* It is an indefinite length */
 };
 
+
+#define TLV_MAX_DEPTH 20
+
+
+struct bufferlist_s
+{
+  struct bufferlist_s *next;
+  char *buffer;
+};
+
+
+/* An object to control the ASN.1 parsing.  */
+struct tlv_ctx_s
+{
+  /* The current buffer we are working on and its length. */
+  const unsigned char *buffer;
+  size_t bufsize;
+
+  size_t offset;       /* The current offset into this buffer.   */
+  int in_ndef;         /* Flag indicating that we are in a NDEF. */
+  int pending;         /* The last tlv_next has not yet been processed.  */
+
+  struct tag_info ti;  /* The current tag.  */
+  gpg_error_t lasterr; /* Last error from tlv function.  */
+  const char *lastfunc;/* Name of last called function.  */
+
+  struct bufferlist_s *bufferlist;  /* To keep track of amlloced buffers. */
+
+  unsigned int pop_count;/* Number of pops by tlv_next.  */
+  unsigned int stacklen; /* Used size of the stack.  */
+  struct {
+    const unsigned char *buffer;  /* Saved value of BUFFER.   */
+    size_t bufsize;               /* Saved value of BUFSIZE.  */
+    size_t offset;                /* Saved value of OFFSET.   */
+    int    in_ndef;               /* Saved IN_NDEF flag.  */
+  } stack[TLV_MAX_DEPTH];
+};
+
+
 /* Parser communication object.  */
 struct p12_parse_ctx_s
 {
@@ -167,24 +208,31 @@ struct p12_parse_ctx_s
 static int opt_verbose;
 
 
+static unsigned char *cram_octet_string (const unsigned char *input,
+                                         size_t length, size_t *r_newlength);
+
+
+
+
 void
-p12_set_verbosity (int verbose)
+p12_set_verbosity (int verbose, int debug)
 {
-  opt_verbose = verbose;
+  opt_verbose = !!verbose;
+  if (debug)
+    opt_verbose = 2;
 }
 
 
-#if 0
 static void
 dump_tag_info (const char *text, struct tag_info *ti)
 {
-  log_debug ("p12_parse(%s): ti.class=%d tag=%lu len=%zu nhdr=%zu %s%s\n",
-             text,
-             ti->class, ti->tag, ti->length, ti->nhdr,
-             ti->is_constructed?" cons":"",
-             ti->ndef?" ndef":"");
+  if (opt_verbose > 1)
+    log_debug ("p12_parse(%s): ti.class=%d tag=%lu len=%zu nhdr=%zu %s%s\n",
+               text,
+               ti->class, ti->tag, ti->length, ti->nhdr,
+               ti->is_constructed?" cons":"",
+               ti->ndef?" ndef":"");
 }
-#endif
 
 
 /* Wrapper around tlv_builder_add_ptr to add an OID.  When we
@@ -279,6 +327,7 @@ builder_add_mpi (tlv_builder_t tb, int class, int tag, gcry_mpi_t mpi,
 }
 
 
+
 /* Parse the buffer at the address BUFFER which is of SIZE and return
  * the tag and the length part from the TLV triplet.  Update BUFFER
  * and SIZE on success.  Checks that the encoded length does not
@@ -306,38 +355,479 @@ parse_tag (unsigned char const **buffer, size_t *size, struct tag_info *ti)
 }
 
 
+/* Create a new TLV object.  */
+static struct tlv_ctx_s *
+tlv_new (const unsigned char *buffer, size_t bufsize)
+{
+  struct tlv_ctx_s *tlv;
+  tlv = xtrycalloc (1, sizeof *tlv);
+  if (tlv)
+    {
+      tlv->buffer = buffer;
+      tlv->bufsize = bufsize;
+    }
+  return tlv;
+}
+
+
+/* This function can be used to store a malloced buffer into the TLV
+ * object.  Ownership of BUFFER is thus transferred to TLV.  This
+ * buffer will then only be released by tlv_release. */
+static gpg_error_t
+tlv_register_buffer (struct tlv_ctx_s *tlv, char *buffer)
+{
+  struct bufferlist_s *item;
+
+  item = xtrycalloc (1, sizeof *item);
+  if (!item)
+    return gpg_error_from_syserror ();
+  item->buffer = buffer;
+  item->next = tlv->bufferlist;
+  tlv->bufferlist = item;
+  return 0;
+}
+
+
+static void
+tlv_release (struct tlv_ctx_s *tlv)
+{
+  if (!tlv)
+    return;
+  while (tlv->bufferlist)
+    {
+      struct bufferlist_s *save = tlv->bufferlist->next;
+      xfree (tlv->bufferlist->buffer);
+      xfree (tlv->bufferlist);
+      tlv->bufferlist = save;
+    }
+  xfree (tlv);
+}
+
+
+/* Helper for tlv_next and tlv_peek.  */
+static gpg_error_t
+_tlv_peek (struct tlv_ctx_s *tlv, size_t *r_n)
+{
+  const unsigned char *p;
+
+  if (tlv->offset > tlv->bufsize)
+    return gpg_error (GPG_ERR_BUG);
+  p = tlv->buffer + tlv->offset;
+  *r_n = tlv->bufsize - tlv->offset;
+  return parse_tag (&p, r_n, &tlv->ti);
+}
+
+
+/* Helper for tlv_expect_sequence and tlv_expect_context_tag.  */
+static gpg_error_t
+_tlv_push (struct tlv_ctx_s *tlv)
+{
+  if (tlv->stacklen >= TLV_MAX_DEPTH)
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_MANY));
+  tlv->stack[tlv->stacklen].buffer  = tlv->buffer;
+  tlv->stack[tlv->stacklen].bufsize = tlv->bufsize;
+  tlv->stack[tlv->stacklen].offset  = tlv->offset;
+  tlv->stack[tlv->stacklen].in_ndef = tlv->in_ndef;
+  tlv->stacklen++;
+  tlv->buffer += tlv->offset;
+  tlv->bufsize = tlv->ti.length;
+  tlv->offset  = 0;
+  tlv->in_ndef = tlv->ti.ndef;
+  return 0;
+}
+
+
+/* Helper for tlv_next.  */
+static gpg_error_t
+_tlv_pop (struct tlv_ctx_s *tlv)
+{
+  size_t saveoff;
+
+  if (!tlv->stacklen)
+    return gpg_error (GPG_ERR_EOF);
+
+  saveoff = tlv->offset;
+
+  tlv->stacklen--;
+  tlv->buffer  = tlv->stack[tlv->stacklen].buffer;
+  tlv->bufsize = tlv->stack[tlv->stacklen].bufsize;
+  tlv->offset  = tlv->stack[tlv->stacklen].offset;
+  tlv->in_ndef = tlv->stack[tlv->stacklen].in_ndef;
+
+  /* Move offset of the container to the end of the container. */
+  tlv->offset += saveoff;
+  if (tlv->offset > tlv->bufsize)
+    return gpg_error (GPG_ERR_INV_BER);
+
+  tlv->pop_count++;
+  return 0;
+}
+
+
+/* Parse the next tag and value.  Also detect the end of a container;
+ * tlv_popped() can be used to detect this.  */
+static gpg_error_t
+tlv_next (struct tlv_ctx_s *tlv)
+{
+  gpg_error_t err;
+  size_t n;
+
+  tlv->pop_count = 0;
+  tlv->lasterr = 0;
+  tlv->lastfunc = __func__;
+  if (tlv->pending)
+    {
+      tlv->pending = 0;
+      return 0;
+    }
+
+  if (!tlv->in_ndef && tlv->offset == tlv->bufsize)
+    {
+      /* We are at the end of a container.  Pop the stack.  */
+      do
+        err = _tlv_pop (tlv);
+      while (!err && !tlv->in_ndef && tlv->offset == tlv->bufsize);
+      if (err)
+        return (tlv->lasterr = err);
+    }
+
+  err = _tlv_peek (tlv, &n);
+  if (err)
+    return err;
+  if (tlv->in_ndef && (tlv->ti.class == CLASS_UNIVERSAL
+                       && !tlv->ti.tag && !tlv->ti.is_constructed))
+    {
+      /* End tag while in ndef container.  Skip the tag, and pop.  */
+      tlv->offset += n - (tlv->bufsize - tlv->offset);
+      err = _tlv_pop (tlv);
+      /* FIXME: We need to peek whether there is another end tag and
+       *        pop again.  We can't modify the TLV object, though.  */
+      if (err)
+        return (tlv->lasterr = err);
+    }
+
+  /* Set offset to the value of the TLV.  */
+  tlv->offset += tlv->bufsize - tlv->offset - n;
+  dump_tag_info ("tlv_next", &tlv->ti);
+  return 0;
+}
+
+
+/* Return the current neting level of the TLV object.  */
+static unsigned int
+tlv_level (struct tlv_ctx_s *tlv)
+{
+  return tlv->stacklen;
+}
+
+
+/* If called right after tlv_next the number of container levels
+ * popped are returned.  */
+static unsigned int
+tlv_popped (struct tlv_ctx_s *tlv)
+{
+  return tlv->pop_count;
+}
+
+
+/* Set a flag to indicate that the last tlv_next has not yet been
+ * consumed.  */
+static void
+tlv_set_pending (struct tlv_ctx_s *tlv)
+{
+  tlv->pending = 1;
+}
+
+
+/* Skip over the value of the current tag.  */
+static void
+tlv_skip (struct tlv_ctx_s *tlv)
+{
+  tlv->lastfunc = __func__;
+  tlv->offset += tlv->ti.length;
+}
+
+
+/* Expect that the current tag is a sequence and setup the context for
+ * processing.  */
+static gpg_error_t
+tlv_expect_sequence (struct tlv_ctx_s *tlv)
+{
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_SEQUENCE
+        && tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  return _tlv_push (tlv);
+}
+
+/* Variant of tlv_expect_sequence to be used for the ouyter sequence
+ * of an object which might have padding after the ASN.1 data.  */
+static gpg_error_t
+tlv_expect_top_sequence (struct tlv_ctx_s *tlv)
+{
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_SEQUENCE
+        && tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  tlv->bufsize = tlv->ti.nhdr + tlv->ti.length;
+  return _tlv_push (tlv);
+}
+
+
+/* Expect that the current tag is a context tag and setup the context
+ * for processing.  The tag of the context is returned at R_TAG.  */
+static gpg_error_t
+tlv_expect_context_tag (struct tlv_ctx_s *tlv, int *r_tag)
+{
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_CONTEXT && tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  *r_tag = tlv->ti.tag;
+  return _tlv_push (tlv);
+}
+
+
+/* Expect that the current tag is a SET and setup the context for
+ * processing.  */
+static gpg_error_t
+tlv_expect_set (struct tlv_ctx_s *tlv)
+{
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_SET
+        && tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  return _tlv_push (tlv);
+}
+
+
+/* Expect an object of CLASS with TAG and store its value at
+ * (R_DATA,R_DATALEN).  Then skip over its value to the next tag.
+ * Note that the stored value is not allocated but points into
+ * TLV.  */
+static gpg_error_t
+tlv_expect_object (struct tlv_ctx_s *tlv, int class, int tag,
+                   unsigned char const **r_data, size_t *r_datalen)
+{
+  gpg_error_t err;
+  const unsigned char *p;
+
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == class && tlv->ti.tag == tag))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  p = tlv->buffer + tlv->offset;
+  if (!tlv->ti.length)
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_SHORT));
+
+  if (class == CLASS_CONTEXT && tag == 0 && tlv->ti.is_constructed)
+    {
+      char *newbuffer;
+
+      newbuffer = cram_octet_string (p, tlv->ti.length, r_datalen);
+      if (!newbuffer)
+        return (tlv->lasterr = gpg_error (GPG_ERR_BAD_BER));
+      err = tlv_register_buffer (tlv, newbuffer);
+      if (err)
+        {
+          xfree (newbuffer);
+          return (tlv->lasterr = err);
+        }
+      *r_data = newbuffer;
+    }
+  else
+    {
+      *r_data = p;
+      *r_datalen = tlv->ti.length;
+    }
+
+  tlv->offset += tlv->ti.length;
+  return 0;
+}
+
+
+/* Expect that the current tag is an object string and store its value
+ * at (R_DATA,R_DATALEN).  Then skip over its value to the next tag.
+ * Note that the stored value are not allocated but point into TLV.
+ * If ENCAPSULATES is set the octet string is used as a new
+ * container.  R_DATA and R_DATALEN are optional. */
+static gpg_error_t
+tlv_expect_octet_string (struct tlv_ctx_s *tlv, int encapsulates,
+                         unsigned char const **r_data, size_t *r_datalen)
+{
+  gpg_error_t err;
+  const unsigned char *p;
+  size_t n;
+
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_OCTET_STRING
+        && (!tlv->ti.is_constructed || encapsulates)))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  p = tlv->buffer + tlv->offset;
+  if (!(n=tlv->ti.length))
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_SHORT));
+
+  if (encapsulates && tlv->ti.is_constructed)
+    {
+      char *newbuffer;
+
+      newbuffer = cram_octet_string (p, n, r_datalen);
+      if (!newbuffer)
+        return (tlv->lasterr = gpg_error (GPG_ERR_BAD_BER));
+      err = tlv_register_buffer (tlv, newbuffer);
+      if (err)
+        {
+          xfree (newbuffer);
+          return (tlv->lasterr = err);
+        }
+      *r_data = newbuffer;
+    }
+  else
+    {
+      if (r_data)
+        *r_data = p;
+      if (r_datalen)
+        *r_datalen = tlv->ti.length;
+    }
+  if (encapsulates)
+    return _tlv_push (tlv);
+
+  tlv->offset += tlv->ti.length;
+  return 0;
+}
+
+
+/* Expect a NULL tag.  */
+static gpg_error_t
+tlv_expect_null (struct tlv_ctx_s *tlv)
+{
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_NULL
+        && !tlv->ti.is_constructed && !tlv->ti.length))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  return 0;
+}
+
+
+/* Expect that the current tag is an integer and return its value at
+ * R_VALUE.  Then skip over its value to the next tag. */
+static gpg_error_t
+tlv_expect_integer (struct tlv_ctx_s *tlv, int *r_value)
+{
+  const unsigned char *p;
+  size_t n;
+  int value;
+
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_INTEGER
+        && !tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  p = tlv->buffer + tlv->offset;
+  if (!(n=tlv->ti.length))
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_SHORT));
+
+  /* We currently support only positive values.  */
+  if ((*p & 0x80))
+    return (tlv->lasterr = gpg_error (GPG_ERR_ERANGE));
+
+  for (value = 0; n; n--)
+    {
+      value <<= 8;
+      value |= (*p++) & 0xff;
+      if (value < 0)
+        return (tlv->lasterr = gpg_error (GPG_ERR_EOVERFLOW));
+    }
+  *r_value = value;
+  tlv->offset += tlv->ti.length;
+  return 0;
+}
+
+
+/* Variant of tlv_expect_integer which returns an MPI.  If IGNORE_ZERO
+ * is set a value of 0 is ignored and R_VALUE not changed and the
+ * function returns GPG_ERR_FALSE.  No check for negative encoded
+ * integers is doe because the old code here worked the same and we
+ * can't foreclose invalid encoded PKCS#12 stuff - after all it is
+ * PKCS#12 see https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html */
+static gpg_error_t
+tlv_expect_mpinteger (struct tlv_ctx_s *tlv, int ignore_zero,
+                      gcry_mpi_t *r_value)
+{
+  const unsigned char *p;
+  size_t n;
+
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_INTEGER
+        && !tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  p = tlv->buffer + tlv->offset;
+  if (!(n=tlv->ti.length))
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_SHORT));
+
+  tlv->offset += tlv->ti.length;
+  if (ignore_zero && n == 1 && !*p)
+    return gpg_error (GPG_ERR_FALSE);
+
+  return gcry_mpi_scan (r_value, GCRYMPI_FMT_USG, p, n, NULL);
+}
+
+
+/* Expect that the current tag is an object id and store its value at
+ * (R_OID,R_OIDLEN).  Then skip over its value to the next tag.  Note
+ * that the stored value is not allocated but points into TLV. */
+static gpg_error_t
+tlv_expect_object_id (struct tlv_ctx_s *tlv,
+                      unsigned char const **r_oid, size_t *r_oidlen)
+{
+  const unsigned char *p;
+  size_t n;
+
+  tlv->lastfunc = __func__;
+  if (!(tlv->ti.class == CLASS_UNIVERSAL && tlv->ti.tag == TAG_OBJECT_ID
+        && !tlv->ti.is_constructed))
+    return (tlv->lasterr = gpg_error (GPG_ERR_INV_OBJ));
+  p = tlv->buffer + tlv->offset;
+  if (!(n=tlv->ti.length))
+    return (tlv->lasterr = gpg_error (GPG_ERR_TOO_SHORT));
+
+  *r_oid = p;
+  *r_oidlen = tlv->ti.length;
+  tlv->offset += tlv->ti.length;
+  return 0;
+}
+
+
+
 /* Given an ASN.1 chunk of a structure like:
-
-     24 NDEF:       OCTET STRING  -- This is not passed to us
-     04    1:         OCTET STRING  -- INPUT point s to here
-            :           30
-     04    1:         OCTET STRING
-            :           80
-          [...]
-     04    2:         OCTET STRING
-            :           00 00
-            :         } -- This denotes a Null tag and are the last
-                        -- two bytes in INPUT.
-
-   Create a new buffer with the content of that octet string.  INPUT
-   is the original buffer with a length as stored at LENGTH.  Returns
-   NULL on error or a new malloced buffer with the length of this new
-   buffer stored at LENGTH and the number of bytes parsed from input
-   are added to the value stored at INPUT_CONSUMED.  INPUT_CONSUMED is
-   allowed to be passed as NULL if the caller is not interested in
-   this value. */
+ *
+ *   24 NDEF:       OCTET STRING  -- This is not passed to us
+ *   04    1:         OCTET STRING  -- INPUT point s to here
+ *          :           30
+ *   04    1:         OCTET STRING
+ *          :           80
+ *        [...]
+ *   04    2:         OCTET STRING
+ *          :           00 00
+ *          :         } -- This denotes a Null tag and are the last
+ *                      -- two bytes in INPUT.
+ *
+ * The example is from Mozilla Firefox 1.0.4 which actually exports
+ * certs as single byte chunks of octet strings.
+ *
+ * Create a new buffer with the content of that octet string.  INPUT
+ * is the original buffer with a LENGTH.  Returns
+ * NULL on error or a new malloced buffer with its actual used length
+ * stored at R_NEWLENGTH.    */
 static unsigned char *
-cram_octet_string (const unsigned char *input, size_t *length,
-                   size_t *input_consumed)
+cram_octet_string (const unsigned char *input, size_t length,
+                   size_t *r_newlength)
 {
   const unsigned char *s = input;
-  size_t n = *length;
+  size_t n = length;
   unsigned char *output, *d;
   struct tag_info ti;
 
   /* Allocate output buf.  We know that it won't be longer than the
      input buffer. */
-  d = output = gcry_malloc (n);
+  d = output = gcry_malloc (length);
   if (!output)
     goto bailout;
 
@@ -360,20 +850,15 @@ cram_octet_string (const unsigned char *input, size_t *length,
     }
 
 
-  *length = d - output;
-  if (input_consumed)
-    *input_consumed += s - input;
+  *r_newlength = d - output;
   return output;
 
  bailout:
-  if (input_consumed)
-    *input_consumed += s - input;
   gcry_free (output);
   return NULL;
 }
 
 
-
 static int
 string_to_key (int id, char *salt, size_t saltlen, int iter, const char *pw,
                int req_keylen, unsigned char *keybuf)
@@ -561,7 +1046,7 @@ crypt_block (unsigned char *buffer, size_t length, char *salt, size_t saltlen,
       return;
     }
 
-  if (cipher_algo == GCRY_CIPHER_AES128
+  if ((cipher_algo == GCRY_CIPHER_AES128 || cipher_algo == GCRY_CIPHER_AES256)
       ? set_key_iv_pbes2 (chd, salt, saltlen, iter, iv, ivlen, pw, cipher_algo)
       : set_key_iv (chd, salt, saltlen, iter, pw,
                     cipher_algo == GCRY_CIPHER_RFC2268_40? 5:24))
@@ -708,482 +1193,477 @@ bag_decrypted_data_p (const void *plaintext, size_t length)
 
 
 static int
-parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx,
-                          const unsigned char *buffer, size_t length,
-                          int startoffset, size_t *r_consumed)
+parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, struct tlv_ctx_s *tlv)
 {
-  struct tag_info ti;
-  const unsigned char *p = buffer;
-  const unsigned char *p_start = buffer;
-  size_t n = length;
+  gpg_error_t err = 0;
   const char *where;
+  const unsigned char *oid;
+  size_t oidlen;
+  const unsigned char *data;
+  size_t datalen;
+  int intval;
   char salt[20];
   size_t saltlen;
   char iv[16];
   unsigned int iter;
   unsigned char *plain = NULL;
-  unsigned char *cram_buffer = NULL;
-  size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
   int is_3des = 0;
   int is_pbes2 = 0;
+  int is_aes256 = 0;
   int keyelem_count;
+  int renewed_tlv = 0;
+  int loopcount;
+  unsigned int startlevel;
 
-  where = "start";
-  if (parse_tag (&p, &n, &ti))
+  where = "bag.encryptedData";
+  if (opt_verbose)
+    log_info ("processing %s\n", where);
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
+  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
 
   where = "bag.encryptedData.version";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_INTEGER || ti.length != 1 || *p != 0)
+  if ((err = tlv_expect_integer (tlv, &intval)))
     goto bailout;
-  p++; n--;
-  if (parse_tag (&p, &n, &ti))
+  if (intval)
+    {
+      err = gpg_error (GPG_ERR_INV_VALUE);
+      goto bailout;
+    }
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
 
   where = "bag.encryptedData.data";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_OBJECT_ID || ti.length != DIM(oid_data)
-      || memcmp (p, oid_data, DIM(oid_data)))
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+    goto bailout;
+  if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
     goto bailout;
-  p += DIM(oid_data);
-  n -= DIM(oid_data);
 
   where = "bag.encryptedData.keyinfo";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (!ti.class && ti.tag == TAG_OBJECT_ID
-      && ti.length == DIM(oid_pbeWithSHAAnd40BitRC2_CBC)
-      && !memcmp (p, oid_pbeWithSHAAnd40BitRC2_CBC,
-                  DIM(oid_pbeWithSHAAnd40BitRC2_CBC)))
-    {
-      p += DIM(oid_pbeWithSHAAnd40BitRC2_CBC);
-      n -= DIM(oid_pbeWithSHAAnd40BitRC2_CBC);
-    }
-  else if (!ti.class && ti.tag == TAG_OBJECT_ID
-      && ti.length == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
-      && !memcmp (p, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
-                  DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
-    {
-      p += DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
-      n -= DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
-      is_3des = 1;
-    }
-  else if (!ti.class && ti.tag == TAG_OBJECT_ID
-           && ti.length == DIM(oid_pkcs5PBES2)
-           && !memcmp (p, oid_pkcs5PBES2, ti.length))
-    {
-      p += ti.length;
-      n -= ti.length;
-      is_pbes2 = 1;
-    }
-  else
+  if (tlv_expect_sequence (tlv))
     goto bailout;
 
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+    goto bailout;
+  if (oidlen == DIM(oid_pbeWithSHAAnd40BitRC2_CBC)
+      && !memcmp (oid, oid_pbeWithSHAAnd40BitRC2_CBC,
+                  DIM(oid_pbeWithSHAAnd40BitRC2_CBC)))
+    ;
+  else if (oidlen == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
+           && !memcmp (oid, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
+                       DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
+    is_3des = 1;
+  else if (oidlen == DIM(oid_pkcs5PBES2)
+           && !memcmp (oid, oid_pkcs5PBES2, oidlen))
+    is_pbes2 = 1;
+  else
+    {
+      err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
+      goto bailout;
+    }
+
+  /*FIXME: This code is duplicated in parse_shrouded_key_bag.  */
   if (is_pbes2)
     {
       where = "pkcs5PBES2-params";
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
-        goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OBJECT_ID
-            && ti.length == DIM(oid_pkcs5PBKDF2)
-            && !memcmp (p, oid_pkcs5PBKDF2, ti.length)))
-        goto bailout; /* Not PBKDF2.  */
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
-        goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OCTET_STRING
-            && ti.length >= 8 && ti.length < sizeof salt))
-        goto bailout;  /* No salt or unsupported length.  */
-      saltlen = ti.length;
-      memcpy (salt, p, saltlen);
-      p += saltlen;
-      n -= saltlen;
 
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_INTEGER && ti.length))
-        goto bailout;  /* No valid iteration count.  */
-      for (iter=0; ti.length; ti.length--)
+      if (tlv_expect_sequence (tlv))
+        goto bailout;
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
+        goto bailout;
+      if (oidlen != DIM(oid_pkcs5PBKDF2)
+          || memcmp (oid, oid_pkcs5PBKDF2, oidlen))
         {
-          iter <<= 8;
-          iter |= (*p++) & 0xff;
-          n--;
+          err = gpg_error (GPG_ERR_INV_BER); /* Not PBKDF2.  */
+          goto bailout;
         }
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_sequence (tlv))
+        goto bailout;
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
+        goto bailout;
+      if (datalen < 8 || datalen > sizeof salt)
+        {
+          log_info ("bad length of salt (%zu)\n", datalen);
+          err = gpg_error (GPG_ERR_INV_LENGTH);
+          goto bailout;
+        }
+      saltlen = datalen;
+      memcpy (salt, data, saltlen);
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if ((err = tlv_expect_integer (tlv, &intval)))
+        goto bailout;
+      if (!intval) /* Not a valid iteration count.  */
+        {
+          err = gpg_error (GPG_ERR_INV_VALUE);
+          goto bailout;
+        }
+      iter = intval;
+
       /* Note: We don't support the optional parameters but assume
          that the algorithmIdentifier follows. */
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
+
+      if (tlv_next (tlv))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OBJECT_ID
-            && ti.length == DIM(oid_aes128_CBC)
-            && !memcmp (p, oid_aes128_CBC, ti.length)))
-        goto bailout; /* Not AES-128.  */
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OCTET_STRING && ti.length == sizeof iv))
-        goto bailout; /* Bad IV.  */
-      memcpy (iv, p, sizeof iv);
-      p += sizeof iv;
-      n -= sizeof iv;
+
+      if (oidlen == DIM(oid_aes128_CBC)
+          && !memcmp (oid, oid_aes128_CBC, oidlen))
+        ;
+      else if (oidlen == DIM(oid_aes256_CBC)
+               && !memcmp (oid, oid_aes256_CBC, oidlen))
+        is_aes256 = 1;
+      else
+        {
+          gpgrt_log_printhex (oid, oidlen, "cipher algo:");
+          err = gpg_error (GPG_ERR_CIPHER_ALGO);
+          goto bailout;
+        }
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
+        goto bailout;
+      if (datalen != sizeof iv)
+        {
+          err = gpg_error (GPG_ERR_INV_LENGTH);
+          goto bailout; /* Bad IV.  */
+        }
+      memcpy (iv, data, datalen);
     }
   else
     {
       where = "rc2or3des-params";
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
+
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_OCTET_STRING
-          || ti.length < 8 || ti.length > 20 )
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
         goto bailout;
-      saltlen = ti.length;
-      memcpy (salt, p, saltlen);
-      p += saltlen;
-      n -= saltlen;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_INTEGER || !ti.length )
-        goto bailout;
-      for (iter=0; ti.length; ti.length--)
+      if (datalen < 8 || datalen > 20)
         {
-          iter <<= 8;
-          iter |= (*p++) & 0xff;
-          n--;
+          log_info ("bad length of salt (%zu) for 3DES\n", datalen);
+          err = gpg_error (GPG_ERR_INV_LENGTH);
+          goto bailout;
         }
+      saltlen = datalen;
+      memcpy (salt, data, saltlen);
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if ((err = tlv_expect_integer (tlv, &intval)))
+        goto bailout;
+      if (!intval)
+        {
+          err = gpg_error (GPG_ERR_INV_VALUE);
+          goto bailout;
+        }
+      iter = intval;
     }
 
   where = "rc2or3desoraes-ciphertext";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
 
-  consumed = p - p_start;
-  if (ti.class == CLASS_CONTEXT && ti.tag == 0 && ti.is_constructed && ti.ndef)
-    {
-      /* Mozilla exported certs now come with single byte chunks of
-         octet strings.  (Mozilla Firefox 1.0.4).  Arghh. */
-      where = "cram-rc2or3des-ciphertext";
-      cram_buffer = cram_octet_string ( p, &n, &consumed);
-      if (!cram_buffer)
-        goto bailout;
-      p = p_start = cram_buffer;
-      if (r_consumed)
-        *r_consumed = consumed;
-      r_consumed = NULL; /* Donot update that value on return. */
-      ti.length = n;
-    }
-  else if (ti.class == CLASS_CONTEXT && ti.tag == 0 && ti.is_constructed)
-    {
-      where = "octets-rc2or3des-ciphertext";
-      n = ti.length;
-      cram_buffer = cram_octet_string ( p, &n, &consumed);
-      if (!cram_buffer)
-        goto bailout;
-      p = p_start = cram_buffer;
-      if (r_consumed)
-        *r_consumed = consumed;
-      r_consumed = NULL; /* Do not update that value on return. */
-      ti.length = n;
-    }
-  else if (ti.class == CLASS_CONTEXT && ti.tag == 0 && ti.length )
-    ;
-  else
+  if (tlv_expect_object (tlv, CLASS_CONTEXT, 0, &data, &datalen))
     goto bailout;
 
   if (opt_verbose)
-    log_info ("%lu bytes of %s encrypted text\n",ti.length,
-              is_pbes2?"AES128":is_3des?"3DES":"RC2");
+    log_info ("%zu bytes of %s encrypted text\n", datalen,
+              is_pbes2?(is_aes256?"AES256":"AES128"):is_3des?"3DES":"RC2");
 
-  plain = gcry_malloc_secure (ti.length);
+  plain = gcry_malloc_secure (datalen);
   if (!plain)
     {
+      err = gpg_error_from_syserror ();
       log_error ("error allocating decryption buffer\n");
       goto bailout;
     }
-  decrypt_block (p, plain, ti.length, salt, saltlen, iter,
+  decrypt_block (data, plain, datalen, salt, saltlen, iter,
                  iv, is_pbes2?16:0, ctx->password,
-                 is_pbes2 ? GCRY_CIPHER_AES128 :
+                 is_pbes2 ? (is_aes256?GCRY_CIPHER_AES256:GCRY_CIPHER_AES128) :
                  is_3des  ? GCRY_CIPHER_3DES : GCRY_CIPHER_RFC2268_40,
                  bag_decrypted_data_p);
-  n = ti.length;
-  startoffset = 0;
-  p_start = p = plain;
 
-  where = "outer.outer.seq";
-  if (parse_tag (&p, &n, &ti))
+  /* We do not need the TLV anymore and allocated a new one.  */
+  where = "bag.encryptedData.decrypted-text";
+  tlv = tlv_new (plain, datalen);
+  if (!tlv)
+    {
+      err = gpg_error_from_syserror ();
+      goto bailout;
+    }
+  renewed_tlv = 1;
+
+  if (tlv_next (tlv))
     {
       ctx->badpass = 1;
       goto bailout;
     }
-  if (ti.class || ti.tag != TAG_SEQUENCE)
-    {
-      ctx->badpass = 1;
-      goto bailout;
-    }
-
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_expect_top_sequence (tlv))
     {
       ctx->badpass = 1;
       goto bailout;
     }
 
   /* Loop over all certificates inside the bag. */
-  while (n)
+  loopcount = 0;
+  startlevel = tlv_level (tlv);
+  while (!(err = tlv_next (tlv)) && tlv_level (tlv) == startlevel)
     {
       int iscrlbag = 0;
       int iskeybag = 0;
 
+      loopcount++;
       where = "certbag.nextcert";
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
 
-      where = "certbag.objectidentifier";
-      if (parse_tag (&p, &n, &ti))
+      where = "certbag.oid";
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_OBJECT_ID)
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
         goto bailout;
-      if ( ti.length == DIM(oid_pkcs_12_CertBag)
-           && !memcmp (p, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
-        {
-          p += DIM(oid_pkcs_12_CertBag);
-          n -= DIM(oid_pkcs_12_CertBag);
-        }
-      else if ( ti.length == DIM(oid_pkcs_12_CrlBag)
-           && !memcmp (p, oid_pkcs_12_CrlBag, DIM(oid_pkcs_12_CrlBag)))
-        {
-          p += DIM(oid_pkcs_12_CrlBag);
-          n -= DIM(oid_pkcs_12_CrlBag);
-          iscrlbag = 1;
-        }
-      else if ( ti.length == DIM(oid_pkcs_12_keyBag)
-           && !memcmp (p, oid_pkcs_12_keyBag, DIM(oid_pkcs_12_keyBag)))
+      if (oidlen == DIM(oid_pkcs_12_CertBag)
+          && !memcmp (oid, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
+        ;
+      else if (oidlen == DIM(oid_pkcs_12_CrlBag)
+               && !memcmp (oid, oid_pkcs_12_CrlBag, DIM(oid_pkcs_12_CrlBag)))
+        iscrlbag = 1;
+      else if (oidlen == DIM(oid_pkcs_12_keyBag)
+               && !memcmp (oid, oid_pkcs_12_keyBag, DIM(oid_pkcs_12_keyBag)))
         {
           /* The TrustedMIME plugin for MS Outlook started to create
              files with just one outer 3DES encrypted container and
              inside the certificates as well as the key. */
-          p += DIM(oid_pkcs_12_keyBag);
-          n -= DIM(oid_pkcs_12_keyBag);
           iskeybag = 1;
         }
       else
-        goto bailout;
+        {
+          gpgrt_log_printhex (oid, oidlen, "cert bag type OID:");
+          err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+          goto bailout;
+        }
 
       where = "certbag.before.certheader";
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class != CLASS_CONTEXT || ti.tag)
+      if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
         goto bailout;
+
       if (iscrlbag)
         {
           log_info ("skipping unsupported crlBag\n");
-          p += ti.length;
-          n -= ti.length;
         }
       else if (iskeybag && ctx->privatekey)
         {
           log_info ("one keyBag already processed; skipping this one\n");
-          p += ti.length;
-          n -= ti.length;
         }
       else if (iskeybag)
         {
-          int len;
-
           if (opt_verbose)
             log_info ("processing simple keyBag\n");
 
-          /* Fixme: This code is duplicated from parse_bag_data.  */
-          if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
+          if (tlv_next (tlv))
             goto bailout;
-          if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
-              || ti.length != 1 || *p)
+          if (tlv_expect_sequence (tlv))
             goto bailout;
-          p++; n--;
-          if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
-            goto bailout;
-          len = ti.length;
-          if (parse_tag (&p, &n, &ti))
-            goto bailout;
-          if (len < ti.nhdr)
-            goto bailout;
-          len -= ti.nhdr;
-          if (ti.class || ti.tag != TAG_OBJECT_ID
-              || ti.length != DIM(oid_rsaEncryption)
-              || memcmp (p, oid_rsaEncryption,
-                         DIM(oid_rsaEncryption)))
-            goto bailout;
-          p += DIM (oid_rsaEncryption);
-          n -= DIM (oid_rsaEncryption);
-          if (len < ti.length)
-            goto bailout;
-          len -= ti.length;
-          if (n < len)
-            goto bailout;
-          p += len;
-          n -= len;
-          if ( parse_tag (&p, &n, &ti)
-               || ti.class || ti.tag != TAG_OCTET_STRING)
-            goto bailout;
-          if ( parse_tag (&p, &n, &ti)
-               || ti.class || ti.tag != TAG_SEQUENCE)
-            goto bailout;
-          len = ti.length;
 
-          log_assert (!ctx->privatekey);
+          if (tlv_next (tlv))
+            goto bailout;
+          if ((err = tlv_expect_integer (tlv, &intval)))
+            goto bailout;
+          if (intval)
+            {
+              err = gpg_error (GPG_ERR_INV_VALUE);
+              goto bailout;
+            }
+
+          if (tlv_next (tlv))
+            goto bailout;
+          if (tlv_expect_sequence (tlv))
+            goto bailout;
+
+          if (tlv_next (tlv))
+            goto bailout;
+          if (tlv_expect_object_id (tlv, &oid, &oidlen))
+            goto bailout;
+          if (oidlen != DIM(oid_rsaEncryption)
+              || memcmp (oid, oid_rsaEncryption, oidlen))
+            {
+              err = gpg_error (GPG_ERR_PUBKEY_ALGO);
+              goto bailout;
+            }
+
+          /* We ignore the next octet string.  */
+          if (tlv_next (tlv))
+            goto bailout;
+          if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
+            goto bailout;
+
+          if (tlv_next (tlv))
+            goto bailout;
+          if (tlv_expect_sequence (tlv))
+            goto bailout;
+
+          if (ctx->privatekey)
+            {
+              err = gpg_error (GPG_ERR_DUP_VALUE);
+              log_error ("a private key has already been received\n");
+              goto bailout;
+            }
           ctx->privatekey = gcry_calloc (10, sizeof *ctx->privatekey);
           if (!ctx->privatekey)
             {
+              err = gpg_error_from_syserror ();
               log_error ("error allocating private key element array\n");
               goto bailout;
             }
-          keyelem_count = 0;
 
           where = "reading.keybag.key-parameters";
-          for (keyelem_count = 0; len && keyelem_count < 9;)
+          keyelem_count = 0;
+          while (!(err = tlv_next (tlv)) && !tlv_popped (tlv))
             {
-              if ( parse_tag (&p, &n, &ti)
-                   || ti.class || ti.tag != TAG_INTEGER)
-                goto bailout;
-              if (len < ti.nhdr)
-                goto bailout;
-              len -= ti.nhdr;
-              if (len < ti.length)
-                goto bailout;
-              len -= ti.length;
-              if (!keyelem_count && ti.length == 1 && !*p)
-                ; /* ignore the very first one if it is a 0 */
-              else
+              if (keyelem_count >= 9)
                 {
-                  int rc;
-
-                  rc = gcry_mpi_scan (ctx->privatekey+keyelem_count,
-                                      GCRYMPI_FMT_USG, p,
-                                      ti.length, NULL);
-                  if (rc)
-                    {
-                      log_error ("error parsing key parameter: %s\n",
-                                 gpg_strerror (rc));
-                      goto bailout;
-                    }
-                  keyelem_count++;
+                  err = gpg_error (GPG_ERR_TOO_MANY);
+                  goto bailout;
                 }
-              p += ti.length;
-              n -= ti.length;
+
+              err = tlv_expect_mpinteger (tlv, !keyelem_count,
+                                          ctx->privatekey+keyelem_count);
+              if (!keyelem_count && gpg_err_code (err) == GPG_ERR_FALSE)
+                ; /* Ignore the first value iff it is zero. */
+              else if (err)
+                {
+                  log_error ("error parsing RSA key parameter %d: %s\n",
+                             keyelem_count, gpg_strerror (err));
+                  goto bailout;
+                }
+              if (opt_verbose > 1)
+                log_debug ("RSA key parameter %d found\n", keyelem_count);
+              keyelem_count++;
             }
-          if (len)
+          if (err && gpg_err_code (err) != GPG_ERR_EOF)
             goto bailout;
+          err = 0;
         }
       else
         {
           if (opt_verbose)
             log_info ("processing certBag\n");
-          if (parse_tag (&p, &n, &ti))
+
+          if (tlv_next (tlv))
             goto bailout;
-          if (ti.class || ti.tag != TAG_SEQUENCE)
+          if (tlv_expect_sequence (tlv))
             goto bailout;
-          if (parse_tag (&p, &n, &ti))
+
+          if (tlv_next (tlv))
             goto bailout;
-          if (ti.class || ti.tag != TAG_OBJECT_ID
-              || ti.length != DIM(oid_x509Certificate_for_pkcs_12)
-              || memcmp (p, oid_x509Certificate_for_pkcs_12,
+          if (tlv_expect_object_id (tlv, &oid, &oidlen))
+            goto bailout;
+          if (oidlen != DIM(oid_x509Certificate_for_pkcs_12)
+              || memcmp (oid, oid_x509Certificate_for_pkcs_12,
                          DIM(oid_x509Certificate_for_pkcs_12)))
-            goto bailout;
-          p += DIM(oid_x509Certificate_for_pkcs_12);
-          n -= DIM(oid_x509Certificate_for_pkcs_12);
+            {
+              err = gpg_error (GPG_ERR_UNSUPPORTED_CERT);
+              goto bailout;
+            }
 
           where = "certbag.before.octetstring";
-          if (parse_tag (&p, &n, &ti))
+          if (tlv_next (tlv))
             goto bailout;
-          if (ti.class != CLASS_CONTEXT || ti.tag)
+          if (tlv_expect_context_tag (tlv, &intval))
             goto bailout;
-          if (parse_tag (&p, &n, &ti))
+          if (intval)
+            {
+              err = gpg_error (GPG_ERR_BAD_BER);
+              goto bailout;
+            }
+
+          if (tlv_next (tlv))
             goto bailout;
-          if (ti.class || ti.tag != TAG_OCTET_STRING || ti.ndef)
+          if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
             goto bailout;
 
           /* Return the certificate. */
           if (ctx->certcb)
-            ctx->certcb (ctx->certcbarg, p, ti.length);
-
-          p += ti.length;
-          n -= ti.length;
+            ctx->certcb (ctx->certcbarg, data, datalen);
         }
 
-      /* Ugly hack to cope with the padding: Forget about the rest if
-         that is less or equal to the cipher's block length.  We can
-         reasonable assume that all valid data will be longer than
-         just one block. */
-      if (n <= (is_pbes2? 16:8))
-        n = 0;
-
       /* Skip the optional SET with the pkcs12 cert attributes. */
-      if (n)
-        {
-          where = "bag.attributes";
-          if (parse_tag (&p, &n, &ti))
-            goto bailout;
-          if (!ti.class && ti.tag == TAG_SEQUENCE)
-            ; /* No attributes. */
-          else if (!ti.class && ti.tag == TAG_SET && !ti.ndef)
-            { /* The optional SET. */
-              p += ti.length;
-              n -= ti.length;
-              if (n <= (is_pbes2?16:8))
-                n = 0;
-              if (n && parse_tag (&p, &n, &ti))
-                goto bailout;
-            }
-          else
-            goto bailout;
+      where = "bag.attribute_set";
+      err = tlv_next (tlv);
+      if (gpg_err_code (err) == GPG_ERR_EOF)
+        break;
+      if (err)
+        goto bailout;
+      err = tlv_expect_set (tlv);
+      if (!err)
+        { /* This is the optional set of attributes.  Skip it. */
+          tlv_skip (tlv);
+          if (opt_verbose)
+            log_info ("skipping bag.attribute_set\n");
         }
+      else if (gpg_err_code (err) == GPG_ERR_INV_OBJ)
+        tlv_set_pending (tlv); /* The next tlv_next will be skipped.  */
+      else
+        goto bailout;
     }
+  if (err && gpg_err_code (err) != GPG_ERR_EOF)
+    {
+      if (!loopcount)  /* The first while(tlv_next) failed.  */
+        ctx->badpass = 1;
+      goto bailout;
+    }
+  err = 0;
 
-  if (r_consumed)
-    *r_consumed = consumed;
+ leave:
+  if (renewed_tlv)
+    tlv_release (tlv);
   gcry_free (plain);
-  gcry_free (cram_buffer);
-  return 0;
-
- bailout:
-  if (r_consumed)
-    *r_consumed = consumed;
-  gcry_free (plain);
-  gcry_free (cram_buffer);
-  log_error ("encryptedData error at \"%s\", offset %u\n",
-             where, (unsigned int)((p - p_start)+startoffset));
   if (ctx->badpass)
     {
       /* Note, that the following string might be used by other programs
@@ -1191,7 +1671,19 @@ parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx,
          translated or changed. */
       log_error ("possibly bad passphrase given\n");
     }
-  return -1;
+  return err;
+
+ bailout:
+  if (!err)
+    err = gpg_error (GPG_ERR_GENERAL);
+  log_error ("%s(%s): offset %u.%zu (%s): %s - %s\n",
+             __func__, where,
+             tlv? tlv->stacklen : 0,
+             tlv? tlv->offset : 0,
+             tlv? tlv->lastfunc : "",
+             tlv ? gpg_strerror (tlv->lasterr) : "init failed",
+             gpg_strerror (err));
+  goto leave;
 }
 
 
@@ -1223,363 +1715,437 @@ bag_data_p (const void *plaintext, size_t length)
 
 
 static gpg_error_t
-parse_shrouded_key_bag (struct p12_parse_ctx_s *ctx,
-                        const unsigned char *buffer, size_t length,
-                        int startoffset,
-                        size_t *r_consumed)
+parse_shrouded_key_bag (struct p12_parse_ctx_s *ctx, struct tlv_ctx_s *tlv)
 {
   gpg_error_t err = 0;
-  struct tag_info ti;
-  const unsigned char *p = buffer;
-  const unsigned char *p_start = buffer;
-  size_t n = length;
   const char *where;
+  const unsigned char *oid;
+  size_t oidlen;
+  const unsigned char *data;
+  size_t datalen;
+  int intval;
   char salt[20];
   size_t saltlen;
   char iv[16];
   unsigned int iter;
-  int len;
+  struct tlv_ctx_s *saved_tlv = NULL;
+  int renewed_tlv = 0;  /* True if the TLV must be released.  */
   unsigned char *plain = NULL;
-  unsigned char *cram_buffer = NULL;
-  size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
   int is_pbes2 = 0;
-  int keyelem_count = 0;
+  int is_aes256 = 0;
 
   where = "shrouded_key_bag";
-  if (parse_tag (&p, &n, &ti))
+  if (opt_verbose)
+    log_info ("processing %s\n", where);
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
+  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  where = "shrouded_key_bag.cipherinfo";
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class == 0 && ti.tag == TAG_OBJECT_ID
-      && ti.length == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
-      && !memcmp (p, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+    goto bailout;
+
+  if (oidlen == DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)
+      && !memcmp (oid, oid_pbeWithSHAAnd3_KeyTripleDES_CBC,
                   DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC)))
-    {
-      p += DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
-      n -= DIM(oid_pbeWithSHAAnd3_KeyTripleDES_CBC);
-    }
-  else if (ti.class == 0 && ti.tag == TAG_OBJECT_ID
-           && ti.length == DIM(oid_pkcs5PBES2)
-           && !memcmp (p, oid_pkcs5PBES2, DIM(oid_pkcs5PBES2)))
-    {
-      p += DIM(oid_pkcs5PBES2);
-      n -= DIM(oid_pkcs5PBES2);
-      is_pbes2 = 1;
-    }
+    ; /* Standard cipher.  */
+  else if (oidlen == DIM(oid_pkcs5PBES2)
+           && !memcmp (oid, oid_pkcs5PBES2, DIM(oid_pkcs5PBES2)))
+    is_pbes2 = 1;
   else
-    goto bailout;
+    {
+      err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
+      goto bailout;
+    }
 
   if (is_pbes2)
     {
       where = "shrouded_key_bag.pkcs5PBES2-params";
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
-        goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OBJECT_ID
-            && ti.length == DIM(oid_pkcs5PBKDF2)
-            && !memcmp (p, oid_pkcs5PBKDF2, ti.length)))
-        goto bailout; /* Not PBKDF2.  */
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
-        goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OCTET_STRING
-            && ti.length >= 8 && ti.length < sizeof salt))
-        goto bailout;  /* No salt or unsupported length.  */
-      saltlen = ti.length;
-      memcpy (salt, p, saltlen);
-      p += saltlen;
-      n -= saltlen;
 
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_INTEGER && ti.length))
-        goto bailout;  /* No valid iteration count.  */
-      for (iter=0; ti.length; ti.length--)
+      if (tlv_expect_sequence (tlv))
+        goto bailout;
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
+        goto bailout;
+      if (!(oidlen == DIM(oid_pkcs5PBKDF2)
+            && !memcmp (oid, oid_pkcs5PBKDF2, oidlen)))
+        goto bailout; /* Not PBKDF2.  */
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_sequence (tlv))
+        goto bailout;
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
+        goto bailout;
+      if (datalen < 8 || datalen > sizeof salt)
         {
-          iter <<= 8;
-          iter |= (*p++) & 0xff;
-          n--;
+          log_info ("bad length of salt (%zu) for AES\n", datalen);
+          err = gpg_error (GPG_ERR_INV_LENGTH);
+          goto bailout;
         }
+      saltlen = datalen;
+      memcpy (salt, data, saltlen);
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if ((err = tlv_expect_integer (tlv, &intval)))
+        goto bailout;
+      if (!intval) /* Not a valid iteration count.  */
+        {
+          err = gpg_error (GPG_ERR_INV_VALUE);
+          goto bailout;
+        }
+      iter = intval;
+
       /* Note: We don't support the optional parameters but assume
          that the algorithmIdentifier follows. */
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
+
+      if (tlv_next (tlv))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OBJECT_ID
-            && ti.length == DIM(oid_aes128_CBC)
-            && !memcmp (p, oid_aes128_CBC, ti.length)))
-        goto bailout; /* Not AES-128.  */
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
         goto bailout;
-      if (!(!ti.class && ti.tag == TAG_OCTET_STRING && ti.length == sizeof iv))
+      if (oidlen == DIM(oid_aes128_CBC)
+          && !memcmp (oid, oid_aes128_CBC, oidlen))
+        ;
+      else if (oidlen == DIM(oid_aes256_CBC)
+               && !memcmp (oid, oid_aes256_CBC, oidlen))
+        is_aes256 = 1;
+      else
+        {
+          gpgrt_log_printhex (oid, oidlen, "cipher is:");
+          err = gpg_error (GPG_ERR_CIPHER_ALGO);
+          goto bailout;
+        }
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
+        goto bailout;
+      if (datalen != sizeof iv)
         goto bailout; /* Bad IV.  */
-      memcpy (iv, p, sizeof iv);
-      p += sizeof iv;
-      n -= sizeof iv;
+      memcpy (iv, data, datalen);
     }
   else
     {
       where = "shrouded_key_bag.3des-params";
-      if (parse_tag (&p, &n, &ti))
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-      if (parse_tag (&p, &n, &ti))
+
+      if (tlv_next (tlv))
         goto bailout;
-      if (ti.class || ti.tag != TAG_OCTET_STRING
-          || ti.length < 8 || ti.length > 20)
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
         goto bailout;
-      saltlen = ti.length;
-      memcpy (salt, p, saltlen);
-      p += saltlen;
-      n -= saltlen;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (ti.class || ti.tag != TAG_INTEGER || !ti.length )
-        goto bailout;
-      for (iter=0; ti.length; ti.length--)
+      if (datalen < 8 || datalen > 20)
         {
-          iter <<= 8;
-          iter |= (*p++) & 0xff;
-          n--;
+          log_info ("bad length of salt (%zu) for 3DES\n", datalen);
+          err = gpg_error (GPG_ERR_INV_LENGTH);
+          goto bailout;
         }
+      saltlen = datalen;
+      memcpy (salt, data, saltlen);
+
+      if (tlv_next (tlv))
+        goto bailout;
+      if ((err = tlv_expect_integer (tlv, &intval)))
+        goto bailout;
+      if (!intval)
+        {
+          err = gpg_error (GPG_ERR_INV_VALUE);
+          goto bailout;
+        }
+      iter = intval;
     }
 
   where = "shrouded_key_bag.3desoraes-ciphertext";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_OCTET_STRING || !ti.length )
+  if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
     goto bailout;
 
   if (opt_verbose)
-    log_info ("%lu bytes of %s encrypted text\n",
-              ti.length, is_pbes2? "AES128":"3DES");
+    log_info ("%zu bytes of %s encrypted text\n",
+              datalen, is_pbes2? (is_aes256?"AES256":"AES128"):"3DES");
+
+  plain = gcry_malloc_secure (datalen);
 
-  plain = gcry_malloc_secure (ti.length);
   if (!plain)
     {
+      err = gpg_error_from_syserror ();
       log_error ("error allocating decryption buffer\n");
       goto bailout;
     }
-  consumed += p - p_start + ti.length;
-  decrypt_block (p, plain, ti.length, salt, saltlen, iter,
+  decrypt_block (data, plain, datalen, salt, saltlen, iter,
                  iv, is_pbes2? 16:0, ctx->password,
-                 is_pbes2? GCRY_CIPHER_AES128 : GCRY_CIPHER_3DES,
+                 is_pbes2 ? (is_aes256?GCRY_CIPHER_AES256:GCRY_CIPHER_AES128)
+                          : GCRY_CIPHER_3DES,
                  bag_data_p);
-  n = ti.length;
-  startoffset = 0;
-  p_start = p = plain;
 
+
+  /* We do not need the TLV anymore and allocated a new one.  */
   where = "shrouded_key_bag.decrypted-text";
-  if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER
-      || ti.length != 1 || *p)
-    goto bailout;
-  p++; n--;
-  if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  len = ti.length;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (len < ti.nhdr)
-    goto bailout;
-  len -= ti.nhdr;
-  if (ti.class || ti.tag != TAG_OBJECT_ID)
-    goto bailout;
-  /* gpgrt_log_printhex (p, ti.length, "OID:"); */
-  if (ti.length == DIM(oid_rsaEncryption)
-      && !memcmp (p, oid_rsaEncryption, DIM(oid_rsaEncryption)))
+  saved_tlv = tlv;
+  tlv = tlv_new (plain, datalen);
+  if (!tlv)
     {
-      p += DIM (oid_rsaEncryption);
-      n -= DIM (oid_rsaEncryption);
+      err = gpg_error_from_syserror ();
+      goto bailout;
     }
-  else if (ti.length == DIM(oid_pcPublicKey)
-           && !memcmp (p, oid_pcPublicKey, DIM(oid_pcPublicKey)))
+  renewed_tlv = 1;
+  if (opt_verbose > 1)
+    log_debug ("new parser context\n");
+
+  if (tlv_next (tlv))
+    {
+      ctx->badpass = 1;
+      goto bailout;
+    }
+  if (tlv_expect_top_sequence (tlv))
+    {
+      ctx->badpass = 1;
+      goto bailout;
+    }
+
+  if (tlv_next (tlv))
+    {
+      ctx->badpass = 1;
+      goto bailout;
+    }
+  if ((err = tlv_expect_integer (tlv, &intval)))
+    {
+      ctx->badpass = 1;
+      goto bailout;
+    }
+  if (intval)
+    {
+      ctx->badpass = 1;
+      err = gpg_error (GPG_ERR_INV_VALUE);
+      goto bailout;
+    }
+
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_sequence (tlv))
+    goto bailout;
+
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+    goto bailout;
+  if (oidlen == DIM(oid_rsaEncryption)
+      && !memcmp (oid, oid_rsaEncryption, oidlen))
+    {
+      if (opt_verbose > 1)
+        log_debug ("RSA parameters\n");
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_null (tlv))
+        tlv_set_pending (tlv);  /* NULL tag missing - ignore this.  */
+    }
+  else if (oidlen == DIM(oid_pcPublicKey)
+           && !memcmp (oid, oid_pcPublicKey, oidlen))
     {
       /* See RFC-5915 for the format.  */
-      p += DIM (oid_pcPublicKey);
-      n -= DIM (oid_pcPublicKey);
-      if (len < ti.length)
+      if (tlv_next (tlv))
         goto bailout;
-      len -= ti.length;
-      if (n < len)
-        goto bailout;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      /* gpgrt_log_debug ("ti=%d/%lu len=%lu\n",ti.class,ti.tag,ti.length); */
-      if (len < ti.nhdr)
-        goto bailout;
-      len -= ti.nhdr;
-      if (ti.class || ti.tag != TAG_OBJECT_ID)
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
         goto bailout;
       ksba_free (ctx->curve);
-      ctx->curve = ksba_oid_to_str (p, ti.length);
+      ctx->curve = ksba_oid_to_str (oid, oidlen);
       if (!ctx->curve)
-        goto bailout;
-      /* log_debug ("OID of curve is: %s\n", curve); */
-      p += ti.length;
-      n -= ti.length;
+        {
+          err = gpg_error (GPG_ERR_INV_OID_STRING);
+          goto bailout;
+        }
+      if (opt_verbose > 1)
+        log_debug ("OID of curve is: %s\n", ctx->curve);
     }
-  else
+  else /* Unknown key format */
+    {
+      gpgrt_log_printhex (oid, oidlen, "key format OID:");
+      err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+      goto bailout;
+    }
+
+  /* An octet string to encapsulate the key elements.  */
+  if (tlv_next (tlv))
     goto bailout;
-  if (len < ti.length)
+  if (tlv_expect_octet_string (tlv, 1, &data, &datalen))
     goto bailout;
-  len -= ti.length;
-  if (n < len)
+
+  if (tlv_next (tlv))
     goto bailout;
-  p += len;
-  n -= len;
-  if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_OCTET_STRING)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
-  if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  len = ti.length;
 
   if (ctx->privatekey)
     {
-      log_error ("a key has already been received\n");
+      err = gpg_error (GPG_ERR_DUP_VALUE);
+      log_error ("a private key has already been received\n");
       goto bailout;
     }
   ctx->privatekey = gcry_calloc (10, sizeof *ctx->privatekey);
   if (!ctx->privatekey)
     {
-
+      err = gpg_error_from_syserror ();
       log_error ("error allocating privatekey element array\n");
       goto bailout;
     }
-  keyelem_count = 0;
 
   where = "shrouded_key_bag.reading.key-parameters";
   if (ctx->curve)  /* ECC case.  */
     {
-      if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER)
+      if (tlv_next (tlv))
         goto bailout;
-      if (len < ti.nhdr)
+      if ((err = tlv_expect_integer (tlv, &intval)))
         goto bailout;
-      len -= ti.nhdr;
-      if (len < ti.length)
-        goto bailout;
-      len -= ti.length;
-      if (ti.length != 1 && *p != 1)
+      if (intval != 1)
         {
+          err = gpg_error (GPG_ERR_INV_VALUE);
           log_error ("error parsing private ecPublicKey parameter: %s\n",
                      "bad version");
           goto bailout;
         }
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_OCTET_STRING)
+
+      if (tlv_next (tlv))
         goto bailout;
-      if (len < ti.nhdr)
+      if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
         goto bailout;
-      len -= ti.nhdr;
-      if (len < ti.length)
-        goto bailout;
-      len -= ti.length;
-      /* log_printhex (p, ti.length, "ecc q="); */
+      if (opt_verbose > 1)
+        log_printhex (data, datalen, "ecc q=");
       err = gcry_mpi_scan (ctx->privatekey, GCRYMPI_FMT_USG,
-                           p, ti.length, NULL);
+                           data, datalen, NULL);
       if (err)
         {
           log_error ("error parsing key parameter: %s\n", gpg_strerror (err));
           goto bailout;
         }
-      p += ti.length;
-      n -= ti.length;
-
-      len = 0;  /* Skip the rest.  */
     }
   else  /* RSA case */
     {
-      for (keyelem_count=0; len && keyelem_count < 9;)
+      int keyelem_count = 0;
+      int firstparam = 1;
+
+      while (!(err = tlv_next (tlv)) && !tlv_popped (tlv))
         {
-          if (parse_tag (&p, &n, &ti) || ti.class || ti.tag != TAG_INTEGER)
-            goto bailout;
-          if (len < ti.nhdr)
-            goto bailout;
-          len -= ti.nhdr;
-          if (len < ti.length)
-            goto bailout;
-          len -= ti.length;
-          if (!keyelem_count && ti.length == 1 && !*p)
-            ; /* ignore the very first one if it is a 0 */
+          if (keyelem_count >= 9)
+            {
+              err = gpg_error (GPG_ERR_TOO_MANY);
+              goto bailout;
+            }
+
+          err = tlv_expect_mpinteger (tlv, firstparam,
+                                      ctx->privatekey+keyelem_count);
+          if (firstparam && gpg_err_code (err) == GPG_ERR_FALSE)
+            ; /* Ignore the first value iff it is zero. */
+          else if (err)
+            {
+              log_error ("error parsing RSA key parameter %d: %s\n",
+                         keyelem_count, gpg_strerror (err));
+              goto bailout;
+            }
           else
             {
-              err = gcry_mpi_scan (ctx->privatekey+keyelem_count,
-                                  GCRYMPI_FMT_USG, p, ti.length, NULL);
-              if (err)
-                {
-                  log_error ("error parsing key parameter: %s\n",
-                             gpg_strerror (err));
-                  goto bailout;
-                }
+              if (opt_verbose > 1)
+                log_debug ("RSA key parameter %d found\n", keyelem_count);
               keyelem_count++;
             }
-          p += ti.length;
-          n -= ti.length;
+          firstparam = 0;
         }
+      if (err && gpg_err_code (err) != GPG_ERR_EOF)
+        goto bailout;
+      err = 0;
     }
-  if (len)
+
+  if (opt_verbose > 1)
+    log_debug ("restoring parser context\n");
+  tlv_release (tlv);
+  renewed_tlv = 0;
+  tlv = saved_tlv;
+
+  where = "shrouded_key_bag.attribute_set";
+  err = tlv_next (tlv);
+  if (gpg_err_code (err) == GPG_ERR_EOF)
+    goto leave;
+  if (err)
+    goto bailout;
+  err = tlv_expect_set (tlv);
+  if (!err)
+    { /* This is the optional set of attributes.  Skip it. */
+      tlv_skip (tlv);
+      if (opt_verbose)
+        log_info ("skipping %s\n", where);
+    }
+  else if (gpg_err_code (err) == GPG_ERR_INV_OBJ)
+    tlv_set_pending (tlv); /* The next tlv_next will be skipped.  */
+  else /* Other error.  */
     goto bailout;
 
-  goto leave;
-
- bailout:
-  gcry_free (plain);
-  log_error ("data error at \"%s\", offset %zu\n",
-              where, (size_t)((p - p_start) + startoffset));
-  if (!err)
-    err = gpg_error (GPG_ERR_GENERAL);
 
  leave:
-  gcry_free (cram_buffer);
-  if (r_consumed)
-    *r_consumed = consumed;
+  gcry_free (plain);
+  if (renewed_tlv)
+    {
+      tlv_release (tlv);
+      if (opt_verbose > 1)
+        log_debug ("parser context released\n");
+    }
   return err;
+
+ bailout:
+  if (!err)
+    err = gpg_error (GPG_ERR_GENERAL);
+  log_error ("%s(%s): offset %u.%zu (%s): %s - %s\n",
+             __func__, where,
+             tlv? tlv->stacklen : 0,
+             tlv? tlv->offset : 0,
+             tlv? tlv->lastfunc : "",
+             tlv ? gpg_strerror (tlv->lasterr) : "init failed",
+             gpg_strerror (err));
+  goto leave;
 }
 
 
 static gpg_error_t
-parse_cert_bag (struct p12_parse_ctx_s *ctx,
-                const unsigned char *buffer, size_t length,
-                int startoffset,
-                size_t *r_consumed)
+parse_cert_bag (struct p12_parse_ctx_s *ctx, struct tlv_ctx_s *tlv)
 {
   gpg_error_t err = 0;
-  struct tag_info ti;
-  const unsigned char *p = buffer;
-  const unsigned char *p_start = buffer;
-  size_t n = length;
   const char *where;
-  size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
+  int intval;
+  const unsigned char *oid;
+  size_t oidlen;
+  const unsigned char *data;
+  size_t datalen;
 
   if (opt_verbose)
     log_info ("processing certBag\n");
@@ -1590,181 +2156,182 @@ parse_cert_bag (struct p12_parse_ctx_s *ctx,
    *      OBJECT IDENTIFIER pkcs-12-certBag
    */
   where = "certbag.before.certheader";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
+  if (tlv_expect_context_tag (tlv, &intval))
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+  if (intval)
+    {
+      err = gpg_error (GPG_ERR_INV_VALUE);
+      goto bailout;
+    }
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_OBJECT_ID
-      || ti.length != DIM(oid_x509Certificate_for_pkcs_12)
-      || memcmp (p, oid_x509Certificate_for_pkcs_12,
-                 DIM(oid_x509Certificate_for_pkcs_12)))
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
     goto bailout;
-  p += DIM(oid_x509Certificate_for_pkcs_12);
-  n -= DIM(oid_x509Certificate_for_pkcs_12);
+  if (oidlen != DIM(oid_x509Certificate_for_pkcs_12)
+      || memcmp (oid, oid_x509Certificate_for_pkcs_12, oidlen))
+    goto bailout;
+
 
   /* Expect:
    *  [0]
    *    OCTET STRING encapsulates -- the certificates
    */
   where = "certbag.before.octetstring";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
+  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
     goto bailout;
-  if (parse_tag (&p, &n, &ti))
+
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_OCTET_STRING || ti.ndef)
+  if (tlv_expect_octet_string (tlv, 0, &data, &datalen))
     goto bailout;
 
   /* Return the certificate from the octet string. */
   if (ctx->certcb)
-     ctx->certcb (ctx->certcbarg, p, ti.length);
+     ctx->certcb (ctx->certcbarg, data, datalen);
 
-  p += ti.length;
-  n -= ti.length;
-
-  if (!n)
-    goto leave;  /* ready.  */
-
-  /* Expect:
+  /* Expect optional:
    *  SET
    *    SEQUENCE  -- we actually ignore this.
    */
   where = "certbag.attribute_set";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (!ti.class && ti.tag == TAG_SET && !ti.ndef)
-    { /* Comsume the optional SET. */
-      p += ti.length;
-      n -= ti.length;
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
+  err = tlv_expect_set (tlv);
+  if (!err)
+    { /* This is the optional set of attributes.  Skip it. */
+      tlv_skip (tlv);
+      if (opt_verbose)
+        log_info ("skipping certbag.attribute_set\n");
     }
-
-  goto leave;
-
- bailout:
-  log_error ( "data error at \"%s\", offset %u\n",
-              where, (unsigned int)((p - p_start) + startoffset));
-  err = gpg_error (GPG_ERR_GENERAL);
+  else if (gpg_err_code (err) == GPG_ERR_INV_OBJ)
+    tlv_set_pending (tlv); /* The next tlv_next will be skipped.  */
+  else
+    goto bailout;
 
  leave:
-  if (r_consumed)
-    *r_consumed = consumed;
   return err;
+
+ bailout:
+  log_error ("%s(%s): offset %u.%zu (%s): %s - %s\n",
+             __func__, where,
+             tlv? tlv->stacklen : 0,
+             tlv? tlv->offset : 0,
+             tlv? tlv->lastfunc : "",
+             tlv ? gpg_strerror (tlv->lasterr) : "init failed",
+             gpg_strerror (err));
+  if (!err)
+    err = gpg_error (GPG_ERR_GENERAL);
+  goto leave;
 }
 
 
 static gpg_error_t
-parse_bag_data (struct p12_parse_ctx_s *ctx,
-                const unsigned char *buffer, size_t length, int startoffset,
-                size_t *r_consumed)
+parse_bag_data (struct p12_parse_ctx_s *ctx, struct tlv_ctx_s *tlv)
 {
   gpg_error_t err = 0;
-  struct tag_info ti;
-  const unsigned char *p = buffer;
-  const unsigned char *p_start = buffer;
-  size_t n = length;
   const char *where;
-  unsigned char *cram_buffer = NULL;
-  size_t consumed = 0; /* Number of bytes consumed from the original buffer. */
+  int intval;
+  const unsigned char *oid;
+  size_t oidlen;
+  unsigned int startlevel;
+
+  if (opt_verbose)
+    log_info ("processing bag data\n");
 
   /* Expect:
    * [0]
    *   OCTET STRING, encapsulates
    */
   where = "data";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.class || ti.tag != TAG_OCTET_STRING)
+  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
     goto bailout;
 
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_octet_string (tlv, 1, NULL, NULL))
+    goto bailout;
 
-  consumed = p - p_start;
-  if (ti.is_constructed && ti.ndef)
-    {
-      /* Mozilla exported certs now come with single byte chunks of
-         octet strings.  (Mozilla Firefox 1.0.4).  Arghh. */
-      where = "data.cram_os";
-      cram_buffer = cram_octet_string ( p, &n, &consumed);
-      if (!cram_buffer)
-        goto bailout;
-      p = p_start = cram_buffer;
-      if (r_consumed)
-        *r_consumed = consumed;
-      r_consumed = NULL; /* Ugly hack to not update that value on return. */
-    }
 
   /* Expect:
    * SEQUENCE
-   *   SEQUENCE
    */
-  where = "data.2seqs";
-  if (parse_tag (&p, &n, &ti))
+  where = "data.outerseqs";
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.class || ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
 
-  /* Expect:
-   * OBJECT IDENTIFIER
-   */
-  where = "data.oid";
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.class || ti.tag != TAG_OBJECT_ID)
-    goto bailout;
-
-  /* Now divert to the actual parser.  */
-  if (ti.length == DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
-      && !memcmp (p, oid_pkcs_12_pkcs_8ShroudedKeyBag,
-                 DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
+  startlevel = tlv_level (tlv);
+  while (!(err = tlv_next (tlv)) && tlv_level (tlv) == startlevel)
     {
-      p += DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag);
-      n -= DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag);
-
-      if (parse_shrouded_key_bag (ctx, p, n,
-                                  startoffset + (p - p_start), r_consumed))
+      /* Expect:
+       * SEQUENCE
+       */
+      where = "data.innerseqs";
+      if (tlv_expect_sequence (tlv))
         goto bailout;
-    }
-  else if ( ti.length == DIM(oid_pkcs_12_CertBag)
-            && !memcmp (p, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
-    {
-      p += DIM(oid_pkcs_12_CertBag);
-      n -= DIM(oid_pkcs_12_CertBag);
 
-      if (parse_cert_bag (ctx, p, n,
-                          startoffset + (p - p_start), r_consumed))
+      /* Expect:
+       * OBJECT IDENTIFIER
+       */
+      where = "data.oid";
+      if (tlv_next (tlv))
         goto bailout;
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
+        goto bailout;
+
+      /* Divert to the actual parser.  */
+      if (oidlen == DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
+          && !memcmp (oid, oid_pkcs_12_pkcs_8ShroudedKeyBag,
+                      DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
+        {
+          if ((err = parse_shrouded_key_bag (ctx, tlv)))
+            goto bailout;
+        }
+      else if (oidlen == DIM(oid_pkcs_12_CertBag)
+                && !memcmp (oid, oid_pkcs_12_CertBag, DIM(oid_pkcs_12_CertBag)))
+        {
+          if ((err = parse_cert_bag (ctx, tlv)))
+            goto bailout;
+        }
+      else
+        {
+          tlv_skip (tlv);
+          log_info ("unknown inner data type - skipped\n");
+        }
     }
-  else
+  if (err && gpg_err_code (err) != GPG_ERR_EOF)
     goto bailout;
-
-  goto leave;
-
- bailout:
-  log_error ( "data error at \"%s\", offset %u\n",
-              where, (unsigned int)((p - p_start) + startoffset));
-  err = gpg_error (GPG_ERR_GENERAL);
+  err = 0;
+  if (tlv_popped (tlv))
+    tlv_set_pending (tlv);
 
  leave:
-  gcry_free (cram_buffer);
-  if (r_consumed) /* Store the number of consumed bytes unless already done. */
-    *r_consumed = consumed;
   return err;
+
+ bailout:
+  if (!err)
+    err = gpg_error (GPG_ERR_GENERAL);
+  log_error ("%s(%s): offset %u.%zu (%s): %s - %s\n",
+             __func__, where,
+             tlv? tlv->stacklen : 0,
+             tlv? tlv->offset : 0,
+             tlv? tlv->lastfunc : "",
+             tlv ? gpg_strerror (tlv->lasterr) : "init failed",
+             gpg_strerror (err));
+  goto leave;
 }
 
 
@@ -1772,7 +2339,7 @@ parse_bag_data (struct p12_parse_ctx_s *ctx,
    secret key parameters.  This is a very limited implementation in
    that it is only able to look for 3DES encoded encryptedData and
    tries to extract the first private key object it finds.  In case of
-   an error NULL is returned. CERTCB and CERRTCBARG are used to pass
+   an error NULL is returned. CERTCB and CERTCBARG are used to pass
    X.509 certificates back to the caller.  If R_CURVE is not NULL and
    an ECC key was found the OID of the curve is stored there. */
 gcry_mpi_t *
@@ -1780,16 +2347,14 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
            void (*certcb)(void*, const unsigned char*, size_t),
            void *certcbarg, int *r_badpass, char **r_curve)
 {
-  struct tag_info ti;
-  const unsigned char *p = buffer;
-  const unsigned char *p_start = buffer;
-  size_t n = length;
-  const char *where;
-  int bagseqlength, len;
-  int bagseqndef, lenndef;
-  unsigned char *cram_buffer = NULL;
-  size_t consumed;
+  gpg_error_t err = 0;
+  const char *where = "";
+  struct tlv_ctx_s *tlv;
   struct p12_parse_ctx_s ctx = { NULL };
+  const unsigned char *oid;
+  size_t oidlen;
+  int intval;
+  unsigned int startlevel;
 
   *r_badpass = 0;
 
@@ -1797,146 +2362,100 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
   ctx.certcbarg = certcbarg;
   ctx.password = pw;
 
+  tlv = tlv_new (buffer, length);
+  if (!tlv)
+    {
+      err = gpg_error_from_syserror ();
+      goto bailout;
+    }
 
   where = "pfx";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
 
   where = "pfxVersion";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_INTEGER || ti.length != 1 || *p != 3)
+  if (tlv_expect_integer (tlv, &intval) || intval != 3)
     goto bailout;
-  p++; n--;
 
   where = "authSave";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.tag != TAG_SEQUENCE)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.tag != TAG_OBJECT_ID || ti.length != DIM(oid_data)
-      || memcmp (p, oid_data, DIM(oid_data)))
-    goto bailout;
-  p += DIM(oid_data);
-  n -= DIM(oid_data);
-
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.class != CLASS_CONTEXT || ti.tag)
-    goto bailout;
-  if (parse_tag (&p, &n, &ti))
-    goto bailout;
-  if (ti.class != CLASS_UNIVERSAL || ti.tag != TAG_OCTET_STRING)
+  if (tlv_expect_sequence (tlv))
+    goto bailout;
+
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+    goto bailout;
+  if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
+    goto bailout;
+
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
+    goto bailout;
+
+  if (tlv_next (tlv))
+    goto bailout;
+  if (tlv_expect_octet_string (tlv, 1, NULL, NULL))
     goto bailout;
 
-  if (ti.is_constructed && ti.ndef)
-    {
-      /* Mozilla exported certs now come with single byte chunks of
-         octet strings.  (Mozilla Firefox 1.0.4).  Arghh. */
-      where = "cram-bags";
-      cram_buffer = cram_octet_string ( p, &n, NULL);
-      if (!cram_buffer)
-        goto bailout;
-      p = p_start = cram_buffer;
-    }
 
   where = "bags";
-  if (parse_tag (&p, &n, &ti))
+  if (tlv_next (tlv))
     goto bailout;
-  if (ti.class != CLASS_UNIVERSAL || ti.tag != TAG_SEQUENCE)
+  if (tlv_expect_sequence (tlv))
     goto bailout;
-  bagseqndef = ti.ndef;
-  bagseqlength = ti.length;
-  while (bagseqlength || bagseqndef)
+
+  startlevel = tlv_level (tlv);
+  while (!(err = tlv_next (tlv)) && tlv_level (tlv) == startlevel)
     {
-      /* log_debug ("p12_parse: at offset %ld\n", (p - p_start)); */
       where = "bag-sequence";
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (bagseqndef && ti.class == CLASS_UNIVERSAL
-          && !ti.tag && !ti.is_constructed)
-        break; /* Ready */
-      if (ti.class != CLASS_UNIVERSAL || ti.tag != TAG_SEQUENCE)
+      if (tlv_expect_sequence (tlv))
         goto bailout;
 
-      if (!bagseqndef)
+      if (tlv_next (tlv))
+        goto bailout;
+      if (tlv_expect_object_id (tlv, &oid, &oidlen))
+        goto bailout;
+
+      if (oidlen == DIM(oid_encryptedData)
+          && !memcmp (oid, oid_encryptedData, DIM(oid_encryptedData)))
         {
-          if (bagseqlength < ti.nhdr)
-            goto bailout;
-          bagseqlength -= ti.nhdr;
-          if (bagseqlength < ti.length)
-            goto bailout;
-          bagseqlength -= ti.length;
-        }
-      lenndef = ti.ndef;
-      len = ti.length;
-
-      if (parse_tag (&p, &n, &ti))
-        goto bailout;
-      if (lenndef)
-        len = ti.nhdr;
-      else
-        len -= ti.nhdr;
-
-      if (ti.tag == TAG_OBJECT_ID && ti.length == DIM(oid_encryptedData)
-          && !memcmp (p, oid_encryptedData, DIM(oid_encryptedData)))
-        {
-
-          p += DIM(oid_encryptedData);
-          n -= DIM(oid_encryptedData);
-          if (!lenndef)
-            len -= DIM(oid_encryptedData);
           where = "bag.encryptedData";
-          consumed = 0;
-          if (parse_bag_encrypted_data (&ctx, p, n, (p - p_start), &consumed))
-            {
-              *r_badpass = ctx.badpass;
-              goto bailout;
-            }
-          if (lenndef)
-            len += consumed;
-        }
-      else if (ti.tag == TAG_OBJECT_ID && ti.length == DIM(oid_data)
-               && !memcmp (p, oid_data, DIM(oid_data)))
-        {
-          p += DIM(oid_data);
-          n -= DIM(oid_data);
-          if (!lenndef)
-            len -= DIM(oid_data);
-
-          where = "bag.data";
-          consumed = 0;
-          if (parse_bag_data (&ctx, p, n, (p - p_start), &consumed))
+          if ((err=parse_bag_encrypted_data (&ctx, tlv)))
+            goto bailout;
+        }
+      else if (oidlen == DIM(oid_data)
+               && !memcmp (oid, oid_data, DIM(oid_data)))
+        {
+          where = "bag.data";
+          if ((err=parse_bag_data (&ctx, tlv)))
+            goto bailout;
+        }
+      else if (oidlen == DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)
+          && !memcmp (oid, oid_pkcs_12_pkcs_8ShroudedKeyBag,
+                      DIM(oid_pkcs_12_pkcs_8ShroudedKeyBag)))
+        {
+          where = "bag.shroudedkeybag";
+          if ((err = parse_shrouded_key_bag (&ctx, tlv)))
             goto bailout;
-          if (lenndef)
-            len += consumed;
         }
       else
         {
+          tlv_skip (tlv);
           log_info ("unknown outer bag type - skipped\n");
-          p += ti.length;
-          n -= ti.length;
-        }
-
-      if (len < 0 || len > n)
-        goto bailout;
-      p += len;
-      n -= len;
-      if (lenndef)
-        {
-          /* Need to skip the Null Tag. */
-          if (parse_tag (&p, &n, &ti))
-            goto bailout;
-          if (!(ti.class == CLASS_UNIVERSAL && !ti.tag && !ti.is_constructed))
-            goto bailout;
         }
     }
+  if (err && gpg_err_code (err) != GPG_ERR_EOF)
+    goto bailout;
+  err = 0;
 
-  gcry_free (cram_buffer);
+  tlv_release (tlv);
   if (r_curve)
     *r_curve = ctx.curve;
   else
@@ -1945,8 +2464,14 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
   return ctx.privatekey;
 
  bailout:
-  log_error ("error at \"%s\", offset %u\n",
-             where, (unsigned int)(p - p_start));
+  *r_badpass = ctx.badpass;
+  log_error ("%s(%s): offset %u.%zu (%s): %s - %s\n",
+             __func__, where,
+             tlv? tlv->stacklen : 0,
+             tlv? tlv->offset : 0,
+             tlv? tlv->lastfunc : "",
+             tlv ? gpg_strerror (tlv->lasterr) : "init failed",
+             gpg_strerror (err));
   if (ctx.privatekey)
     {
       int i;
@@ -1956,7 +2481,7 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
       gcry_free (ctx.privatekey);
       ctx.privatekey = NULL;
     }
-  gcry_free (cram_buffer);
+  tlv_release (tlv);
   gcry_free (ctx.curve);
   if (r_curve)
     *r_curve = NULL;
diff --git a/sm/minip12.h b/sm/minip12.h
index 84c5f5f79..654cab0e6 100644
--- a/sm/minip12.h
+++ b/sm/minip12.h
@@ -23,7 +23,7 @@
 #include <gcrypt.h>
 
 
-void p12_set_verbosity (int verbose);
+void p12_set_verbosity (int verbose, int debug);
 
 gcry_mpi_t *p12_parse (const unsigned char *buffer, size_t length,
                        const char *pw,
diff --git a/sm/t-minip12.c b/sm/t-minip12.c
new file mode 100644
index 000000000..d6a9954ab
--- /dev/null
+++ b/sm/t-minip12.c
@@ -0,0 +1,789 @@
+/* t-minip12.c - Test driver for minip12.c
+ * Copyright (C) 2020, 2023 g10 Code GmbH
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <ctype.h>
+
+#include "../common/util.h"
+#include "minip12.h"
+
+
+#define PGM "t-minip12"
+
+static int verbose;
+static int debug;
+static int any_error;
+
+static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
+static void err (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+static void inf (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+/* static void dbg (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); */
+static void printresult (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
+static char *my_xstrconcat (const char *s1, ...) GPGRT_ATTR_SENTINEL(0);
+
+#define xstrconcat my_xstrconcat
+#define trim_spaces(a) my_trim_spaces ((a))
+#define my_isascii(c) (!((c) & 0x80))
+
+
+
+
+
+/* Print diagnostic message and exit with failure. */
+static void
+die (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  fflush (stdout);
+  fprintf (stderr, "%s: ", PGM);
+
+  va_start (arg_ptr, format);
+  vfprintf (stderr, format, arg_ptr);
+  va_end (arg_ptr);
+  if (!*format || format[strlen(format)-1] != '\n')
+    putc ('\n', stderr);
+
+  exit (1);
+}
+
+
+/* Print diagnostic message. */
+static void
+err (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  any_error = 1;
+
+  fflush (stdout);
+  fprintf (stderr, "%s: ", PGM);
+
+  va_start (arg_ptr, format);
+  vfprintf (stderr, format, arg_ptr);
+  va_end (arg_ptr);
+  if (!*format || format[strlen(format)-1] != '\n')
+    putc ('\n', stderr);
+}
+
+
+/* Print an info message. */
+static void
+inf (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  if (verbose)
+    {
+      fprintf (stderr, "%s: ", PGM);
+
+      va_start (arg_ptr, format);
+      vfprintf (stderr, format, arg_ptr);
+      va_end (arg_ptr);
+      if (!*format || format[strlen(format)-1] != '\n')
+        putc ('\n', stderr);
+    }
+}
+
+
+/* Print a debug message. */
+/* static void */
+/* dbg (const char *format, ...) */
+/* { */
+/*   va_list arg_ptr; */
+
+/*   if (debug) */
+/*     { */
+/*       fprintf (stderr, "%s: DBG: ", PGM); */
+
+/*       va_start (arg_ptr, format); */
+/*       vfprintf (stderr, format, arg_ptr); */
+/*       va_end (arg_ptr); */
+/*       if (!*format || format[strlen(format)-1] != '\n') */
+/*         putc ('\n', stderr); */
+/*     } */
+/* } */
+
+
+/* Print a result line to stdout.  */
+static void
+printresult (const char *format, ...)
+{
+  va_list arg_ptr;
+
+  fflush (stdout);
+#ifdef HAVE_FLOCKFILE
+  flockfile (stdout);
+#endif
+  va_start (arg_ptr, format);
+  vfprintf (stdout, format, arg_ptr);
+  if (*format && format[strlen(format)-1] != '\n')
+    putc ('\n', stdout);
+  va_end (arg_ptr);
+  fflush (stdout);
+#ifdef HAVE_FLOCKFILE
+  funlockfile (stdout);
+#endif
+}
+
+
+/* Helper for xstrconcat and strconcat.  */
+static char *
+do_strconcat (int xmode, const char *s1, va_list arg_ptr)
+{
+  const char *argv[48];
+  size_t argc;
+  size_t needed;
+  char *buffer, *p;
+
+  argc = 0;
+  argv[argc++] = s1;
+  needed = strlen (s1);
+  while (((argv[argc] = va_arg (arg_ptr, const char *))))
+    {
+      needed += strlen (argv[argc]);
+      if (argc >= DIM (argv)-1)
+        die ("too may args for strconcat\n");
+      argc++;
+    }
+  needed++;
+  buffer = xmode? xmalloc (needed) : malloc (needed);
+  for (p = buffer, argc=0; argv[argc]; argc++)
+    p = stpcpy (p, argv[argc]);
+
+  return buffer;
+}
+
+
+/* Concatenate the string S1 with all the following strings up to a
+   NULL.  Returns a malloced buffer with the new string or dies on error. */
+static char *
+my_xstrconcat (const char *s1, ...)
+{
+  va_list arg_ptr;
+  char *result;
+
+  if (!s1)
+    result = xstrdup ("");
+  else
+    {
+      va_start (arg_ptr, s1);
+      result = do_strconcat (1, s1, arg_ptr);
+      va_end (arg_ptr);
+    }
+  return result;
+}
+
+
+static char *
+my_trim_spaces (char *str )
+{
+  char *string, *p, *mark;
+
+  string = str;
+  for (p=string; *p && isspace (*(unsigned char *)p) ; p++)
+    ;
+  for (mark=NULL; (*string = *p); string++, p++ )
+    if (isspace (*(unsigned char *)p))
+      {
+        if (!mark)
+          mark = string;
+      }
+    else
+      mark = NULL;
+  if (mark)
+    *mark = '\0';
+
+  return str ;
+}
+
+
+/* Prepend FNAME with the srcdir environment variable's value and
+ * return an allocated filename.  */
+static char *
+prepend_srcdir (const char *fname)
+{
+  static const char *srcdir;
+
+  if (!srcdir && !(srcdir = getenv ("srcdir")))
+    return xstrdup (fname);
+  else
+    return xstrconcat (srcdir, "/", fname, NULL);
+}
+
+
+/* (BUFFER,BUFLEN) and return a malloced hexstring.  */
+static char *
+hash_buffer (const void *buffer, size_t buflen)
+{
+  unsigned char hash[20];
+  char *result;
+  int i;
+
+  gcry_md_hash_buffer (GCRY_MD_SHA1, hash, buffer, buflen);
+  result = xmalloc (41);
+  for (i=0; i < 20; i++)
+    snprintf (result + 2*i, 3, "%02x", hash[i]);
+  return result;
+}
+
+
+/* Read next line but skip over empty and comment lines.  Caller must
+   xfree the result.  */
+static char *
+read_textline (FILE *fp, int *lineno)
+{
+  char line[4096];
+  char *p;
+
+  do
+    {
+      if (!fgets (line, sizeof line, fp))
+        {
+          if (feof (fp))
+            return NULL;
+          die ("error reading input line: %s\n", strerror (errno));
+        }
+      ++*lineno;
+      p = strchr (line, '\n');
+      if (!p)
+        die ("input line %d not terminated or too long\n", *lineno);
+      *p = 0;
+      for (p--;p > line && my_isascii (*p) && isspace (*p); p--)
+        *p = 0;
+    }
+  while (!*line || *line == '#');
+  return xstrdup (line);
+}
+
+
+/* Copy the data after the tag to BUFFER.  BUFFER will be allocated as
+   needed.  */
+static void
+copy_data (char **buffer, const char *line, int lineno)
+{
+  const char *s;
+
+  xfree (*buffer);
+  *buffer = NULL;
+
+  s = strchr (line, ':');
+  if (!s)
+    {
+      err ("syntax error at input line %d", lineno);
+      return;
+    }
+  for (s++; my_isascii (*s) && isspace (*s); s++)
+    ;
+  *buffer = xstrdup (s);
+}
+
+
+static void
+hexdowncase (char *string)
+{
+  char *p;
+
+  if (string)
+    for (p=string; *p; p++)
+      if (my_isascii (*p))
+        *p = tolower (*p);
+}
+
+
+/* Return the value of the variable VARNAME from ~/.gnupg-autogen.rc
+ * or NULL if it does not exists or is empty.  */
+static char *
+value_from_gnupg_autogen_rc (const char *varname)
+{
+  const char *home;
+  char *fname;
+  FILE *fp;
+  char *line = NULL;
+  char *p;
+  int lineno = 0;
+
+  if (!(home = getenv ("HOME")))
+    home = "";
+  fname = xstrconcat (home, "/.gnupg-autogen.rc", NULL);
+  fp = fopen (fname, "r");
+  if (!fp)
+    goto leave;
+
+  while ((line = read_textline (fp, &lineno)))
+    {
+      p = strchr (line, '=');
+      if (p)
+        {
+          *p++ = 0;
+          trim_spaces (line);
+          if (!strcmp (line, varname))
+            {
+              trim_spaces (p);
+              if (*p)
+                {
+                  memmove (line, p, strlen (p)+1);
+                  if (*line == '~' && line[1] == '/')
+                    {
+                      p = xstrconcat (home, line+1, NULL);
+                      xfree (line);
+                      line = p;
+                    }
+                  break; /* found.  */
+                }
+            }
+        }
+      xfree (line);
+    }
+
+ leave:
+  if (fp)
+    fclose (fp);
+  xfree (fname);
+  return line;
+}
+
+
+static void
+cert_cb (void *opaque, const unsigned char *cert, size_t certlen)
+{
+  (void)opaque;
+  (void)cert;
+
+  if (verbose)
+    log_info ("got a certificate of %zu bytes length\n", certlen);
+}
+
+
+/* Parse one PKCS#12 file.   Returns zero on success.  */
+static int
+one_file (const char *name, const char *pass)
+{
+  FILE *fp;
+  struct stat st;
+  unsigned char *buf;
+  size_t buflen;
+  gcry_mpi_t *result;
+  int badpass;
+  char *curve = NULL;
+
+  fp = fopen (name, "rb");
+  if (!fp)
+    {
+      fprintf (stderr, PGM": can't open '%s': %s\n", name, strerror (errno));
+      return 1;
+    }
+
+  if (fstat (fileno(fp), &st))
+    {
+      fprintf (stderr, PGM": can't stat '%s': %s\n", name, strerror (errno));
+      return 1;
+    }
+
+  buflen = st.st_size;
+  buf = xmalloc (buflen+1);
+  if (fread (buf, buflen, 1, fp) != 1)
+    {
+      fprintf (stderr, "error reading '%s': %s\n", name, strerror (errno));
+      return 1;
+    }
+  fclose (fp);
+
+  result = p12_parse (buf, buflen, pass, cert_cb, NULL, &badpass, &curve);
+  if (result)
+    {
+      int i, rc;
+      unsigned char *tmpbuf;
+
+      if (curve)
+        log_info ("curve: %s\n", curve);
+      for (i=0; result[i]; i++)
+        {
+          rc = gcry_mpi_aprint (GCRYMPI_FMT_HEX, &tmpbuf, NULL, result[i]);
+          if (rc)
+            log_error ("%d: [error printing number: %s]\n",
+                       i, gpg_strerror (rc));
+          else
+            {
+              log_info ("%d: %s\n", i, tmpbuf);
+              gcry_free (tmpbuf);
+            }
+        }
+    }
+  if (badpass)
+    log_error ("Bad password given?\n");
+
+  xfree (buf);
+  return 0;
+}
+
+
+static void
+cert_collect_cb (void *opaque, const unsigned char *cert, size_t certlen)
+{
+  char **certstr = opaque;
+  char *hash, *save;
+
+  hash = hash_buffer (cert, certlen);
+  if (*certstr)
+    {
+      save = *certstr;
+      *certstr = xstrconcat (save, ",", hash, NULL);
+      xfree (save);
+      xfree (hash);
+    }
+  else
+    *certstr = hash;
+}
+
+
+static int
+run_one_test (const char *name, const char *desc, const char *pass,
+              const char *certexpected, const char *keyexpected)
+{
+  FILE *fp;
+  struct stat st;
+  unsigned char *buf;
+  size_t buflen;
+  gcry_mpi_t *result;
+  int badpass;
+  char *curve = NULL;
+  char *resulthash = NULL;
+  char *p;
+  char *certstr = NULL;
+  int ret;
+
+  inf ("testing '%s' (%s)", name , desc? desc:"");
+  fp = fopen (name, "rb");
+  if (!fp)
+    {
+      err ("can't open '%s': %s\n", name, strerror (errno));
+      printresult ("FAIL: %s - test file not found\n", name);
+      return 1;
+    }
+
+  if (fstat (fileno (fp), &st))
+    {
+      err ("can't stat '%s': %s\n", name, strerror (errno));
+      printresult ("FAIL: %s - error stating test file\n", name);
+      fclose (fp);
+      return 1;
+    }
+
+  buflen = st.st_size;
+  buf = xmalloc (buflen+1);
+  if (fread (buf, buflen, 1, fp) != 1)
+    {
+      err ("error reading '%s': %s\n", name, strerror (errno));
+      printresult ("FAIL: %s - error reading test file\n", name);
+      fclose (fp);
+      xfree (buf);
+      return 1;
+    }
+  fclose (fp);
+
+  result = p12_parse (buf, buflen, pass? pass:"", cert_collect_cb, &certstr,
+                      &badpass, &curve);
+  if (result)
+    {
+      int i, rc;
+      char *tmpstring;
+      unsigned char *tmpbuf;
+      char numbuf[20];
+
+      if (curve)
+        {
+          if (verbose > 1)
+            inf ("curve: %s\n", curve);
+          tmpstring = xstrconcat ("curve:", curve, "\n", NULL);
+        }
+      else
+        tmpstring = xstrdup ("\n");
+      for (i=0; result[i]; i++)
+        {
+          rc = gcry_mpi_aprint (GCRYMPI_FMT_HEX, &tmpbuf, NULL, result[i]);
+          if (rc)
+            die ("result %d: [error printing number: %s]\n",
+                 i, gpg_strerror (rc));
+          else
+            {
+              if (verbose > 1)
+                inf ("result %d: %s\n", i, tmpbuf);
+              snprintf (numbuf, sizeof numbuf, "%d:", i);
+              p = xstrconcat (tmpstring, numbuf, tmpbuf, "\n", NULL);
+              xfree (tmpstring);
+              tmpstring = p;
+              gcry_free (tmpbuf);
+            }
+        }
+
+      resulthash = hash_buffer (tmpstring, strlen (tmpstring));
+      xfree (tmpstring);
+    }
+
+  if (verbose > 1)
+    {
+      inf ("cert(exp)=%s", certexpected);
+      inf ("cert(got)=%s", certstr? certstr:"[null]");
+      inf ("key(exp)=%s", keyexpected);
+      inf ("key(got)=%s", resulthash? resulthash:"[null]");
+    }
+
+  ret = 1;
+  if (!result)
+    printresult ("FAIL: %s - error from parser\n", name);
+  else if (certexpected && !certstr)
+    printresult ("FAIL: %s - expected certs but got none\n", name);
+  else if (!certexpected && certstr)
+    printresult ("FAIL: %s - no certs expected but got one\n", name);
+  else if (certexpected && certstr && strcmp (certexpected, certstr))
+    printresult ("FAIL: %s - certs not as expected\n", name);
+  else if (keyexpected && !resulthash)
+    printresult ("FAIL: %s - expected key but got none\n", name);
+  else if (!keyexpected && resulthash)
+    printresult ("FAIL: %s - key not expected but got one\n", name);
+  else if (keyexpected && resulthash && strcmp (keyexpected, resulthash))
+    printresult ("FAIL: %s - keys not as expected\n", name);
+  else
+    {
+      printresult ("PASS: %s\n", name);
+      ret = 0;
+    }
+
+  if (result)
+    {
+      int i;
+      for (i=0; result[i]; i++)
+        gcry_mpi_release (result[i]);
+      gcry_free (result);
+    }
+  xfree (certstr);
+  xfree (resulthash);
+  xfree (curve);
+  xfree (buf);
+  return ret;
+}
+
+
+/* Run a regression test using the Info take from DESCFNAME.  */
+static int
+run_tests_from_file (const char *descfname)
+{
+  FILE *fp;
+  char *descdir;
+  int lineno, ntests;
+  char *line;
+  char *name = NULL;
+  char *desc = NULL;
+  char *pass = NULL;
+  char *cert = NULL;
+  char *key = NULL;
+  int ret = 0;
+  char *p;
+
+  inf ("Running tests from '%s'", descfname);
+  descdir = xstrdup (descfname);
+  p = strrchr (descdir, '/');
+  if (p)
+    *p = 0;
+  else
+    {
+      xfree (descdir);
+      descdir = xstrdup (".");
+    }
+
+  fp = fopen (descfname, "r");
+  if (!fp)
+    die ("error opening '%s': %s\n", descfname, strerror (errno));
+
+  lineno = ntests = 0;
+  while ((line = read_textline (fp, &lineno)))
+    {
+      if (!strncmp (line, "Name:", 5))
+        {
+          if (name)
+            ret |= run_one_test (name, desc, pass, cert, key);
+          xfree (cert); cert = NULL;
+          xfree (desc); desc = NULL;
+          xfree (pass); pass = NULL;
+          xfree (key);  key = NULL;
+          copy_data (&name, line, lineno);
+          if (name)
+            {
+              p = xstrconcat (descdir, "/", name, NULL);
+              xfree (name);
+              name = p;
+            }
+        }
+      else if (!strncmp (line, "Desc:", 5))
+        copy_data (&desc, line, lineno);
+      else if (!strncmp (line, "Pass:", 5))
+        copy_data (&pass, line, lineno);
+      else if (!strncmp (line, "Cert:", 5))
+        {
+          p = NULL;
+          copy_data (&p, line, lineno);
+          hexdowncase (p);
+          if (p && cert)
+            {
+              char *save = cert;
+              cert = xstrconcat (save, ",", p, NULL);
+              xfree (save);
+              xfree (p);
+            }
+          else
+            cert = p;
+        }
+      else if (!strncmp (line, "Key:", 4))
+        {
+          copy_data (&key, line, lineno);
+          hexdowncase (key);
+        }
+      else
+        inf ("%s:%d: unknown tag ignored", descfname, lineno);
+
+      xfree (line);
+    }
+  if (name)
+    ret |= run_one_test (name, desc, pass, cert, key);
+  xfree (name);
+  xfree (desc);
+  xfree (pass);
+  xfree (cert);
+  xfree (key);
+
+  fclose (fp);
+  xfree (descdir);
+  return ret;
+}
+
+
+
+int
+main (int argc, char **argv)
+{
+  int last_argc = -1;
+  char const *name = NULL;
+  char const *pass = NULL;
+  int ret;
+  int no_extra = 0;
+
+  if (argc)
+    { argc--; argv++; }
+  while (argc && last_argc != argc )
+    {
+      last_argc = argc;
+      if (!strcmp (*argv, "--"))
+        {
+          argc--; argv++;
+          break;
+        }
+      else if (!strcmp (*argv, "--help"))
+        {
+          fputs ("usage: " PGM " <pkcs12file> [<passphrase>]\n"
+                 "Without <pkcs12file> a regression test is run\n"
+                 "Options:\n"
+                 "  --no-extra          do not run extra tests\n"
+                 "  --verbose           print timings etc.\n"
+                 "                      given twice shows more\n"
+                 "  --debug             flyswatter\n"
+                 , stdout);
+          exit (0);
+        }
+      else if (!strcmp (*argv, "--no-extra"))
+        {
+          no_extra = 1;
+          argc--; argv++;
+        }
+      else if (!strcmp (*argv, "--verbose"))
+        {
+          verbose++;
+          argc--; argv++;
+        }
+      else if (!strcmp (*argv, "--debug"))
+        {
+          verbose += 2;
+          debug++;
+          argc--; argv++;
+        }
+      else if (!strncmp (*argv, "--", 2))
+        {
+          fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
+          exit (1);
+        }
+    }
+
+  if (!argc)
+    {
+      name = NULL;
+      pass = NULL;
+    }
+  else if (argc == 1)
+    {
+      name = argv[0];
+      pass = "";
+    }
+  else if (argc == 2)
+    {
+      name = argv[0];
+      pass = argv[1];
+    }
+  else
+    {
+      fprintf (stderr, "usage: " PGM " [<file> [<passphrase>]]\n");
+      exit (1);
+    }
+
+  gcry_control (GCRYCTL_DISABLE_SECMEM, NULL);
+  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL);
+
+  if (name)
+    {
+      p12_set_verbosity (verbose, debug);
+      ret = one_file (name, pass);
+    }
+  else
+    {
+      char *descfname, *p;
+
+      if (verbose > 1)
+        p12_set_verbosity (verbose > 1? (verbose - 1):0, debug);
+      descfname = prepend_srcdir ("../tests/samplekeys/Description-p12");
+      ret = run_tests_from_file (descfname);
+      xfree (descfname);
+
+      /* Check whether we have non-public regression test cases. */
+      p = no_extra? NULL:value_from_gnupg_autogen_rc ("GNUPG_EXTRA_TESTS_DIR");
+      if (p)
+        {
+          descfname = xstrconcat  (p, "/pkcs12/Description", NULL);
+          xfree (p);
+          ret |= run_tests_from_file (descfname);
+          xfree (descfname);
+        }
+    }
+
+  return ret;
+}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 65978ae3f..bf246bf7d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -39,12 +39,18 @@ EXTRA_DIST = runtest inittests $(testscripts) ChangeLog-2011 \
              fake-pinentries/fake-pinentry.pl  \
              fake-pinentries/fake-pinentry.py  \
              fake-pinentries/fake-pinentry.sh  \
+	     samplekeys/Description-p12 \
 	     samplekeys/steed-self-signing-nonthority.pem \
 	     samplekeys/68A638998DFABAC510EA645CE34F9686B2EDF7EA.key \
              samplekeys/32100C27173EF6E9C4E9A25D3D69F86D37A4F939.key \
              samplekeys/cert_g10code_pete1.pem \
              samplekeys/cert_g10code_test1.pem \
              samplekeys/cert_g10code_theo1.pem \
+             samplekeys/ov-user.p12 \
+             samplekeys/ov-server.p12 \
+             samplekeys/opensc-test.p12 \
+             samplekeys/t5793-openssl.pfx \
+             samplekeys/t5793-test.pfx \
 	     run-tests.scm
 
 # We used to run $(testscripts) here but these asschk scripts are not
diff --git a/tests/samplekeys/Description-p12 b/tests/samplekeys/Description-p12
new file mode 100644
index 000000000..f882de9ea
--- /dev/null
+++ b/tests/samplekeys/Description-p12
@@ -0,0 +1,32 @@
+# Description-p12  - Machine readable description of our P12 test vectors
+
+Name: ov-user.p12
+Desc: Private test key from www.openvalidation.org
+Pass: start
+Cert: 4753a910e0c8b4caa8663ca0e4273a884eb5397d
+Key:  93be89edd11214ab74280d988a665b6beef876c5
+
+Name: ov-server.p12
+Desc: Private test key from www.openvalidation.org
+Pass: start
+Cert: 1997fadf6cc1af03e4845c4cba38fb2397315143
+Key:  63b1d7233e75c3a462cb4b8ea3ad285e8ecba91c
+
+Name: opensc-test.p12
+Desc: PKCS#12 key and certificates taken from OpenSC (RC2+3DES,PKCS#8)
+Pass: password
+Cert: 115abfc3ae554092a57ade74177fedf9459af5d2
+Cert: a0d6d318952c313ff8c33cd3f629647ff1de76b3
+Key:  5a36c61706367ecdb52e8779e3a32bbac1069fa1
+
+Name: t5793-openssl.pfx
+Desc: self-signed key issued keys
+Pass: test
+Cert: 80348a438e4b803b99e708da0b7fdd0659dedd15
+Key:  c271e44ab4fb19ca1aae71102ea4d7292ccc981d
+
+Name: t5793-test.pfx
+Desc: QuaVadis format of t5793-openssl
+Pass: test
+Cert: 80348a438e4b803b99e708da0b7fdd0659dedd15
+Key:  c271e44ab4fb19ca1aae71102ea4d7292ccc981d
diff --git a/tests/samplekeys/README b/tests/samplekeys/README
index 65255cb61..14bbf2bdc 100644
--- a/tests/samplekeys/README
+++ b/tests/samplekeys/README
@@ -1,10 +1,5 @@
 This is a collection of keys we use with the regression tests.
-
-opensc-tests.p12   PKCS#12 key and certificates taken from OpenSC.
-		   Passphrase is "password"
-
-ov-user.p12        Private tests keys from www.openvalidation.org.
-ov-server.p12      Passphrase for both is "start"
+For the *.p12 files see Description-p12
 
 ossl-rentec-user.pem  An OpenSSL generated user certificate using a
                       bunch of attributes and DC RDNs.
@@ -21,4 +16,3 @@ steed-self-signing-nonthority.pem
                    The STEED Self-Signing Nonthority.
 68A638998DFABAC510EA645CE34F9686B2EDF7EA.key
                    The private Key of The STEED Self-Signing Nonthority.
-
diff --git a/tests/samplekeys/t5793-openssl.pfx b/tests/samplekeys/t5793-openssl.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..0f1beed0fb3edbcec8a8298096fac4c333606496
GIT binary patch
literal 4285
zcmY+GWmFW5vxkY@r9(=(L8MbbS}8$+mu`urV+nx;=?0NlQjkuGrE^881qtb1N>WOe
zMqrogd(OT0fA5DmbI$WSGau&}(Fn>8JY0Oy2+B|p5r2$E%oQ0f0d8Rgr6(YQ((NyH
z5{&>A{3ikxMu1ZOqC`AgoWCvlKMAfVGl=-VH<03jM9Be!y4(ZunJSghczA?3VG$sc
z#uv4MPwPBKfoEU_re)y>VU{l*_7}$6*I9clKx>=#YdhDz1jkPWRpp)p4ErDeye!mk
zDJ*o8H!L-oS32SCTX%Va^3PO>%`@MIu8DEWo18idhW8kD7WHPyaeze|5)>J>V;&OK
zKGXBfsl-~K@1Bw|)6wI*9uSWy3@@rG$s||4j<Iy{WlHPLnopp0l$4Hbx`YzSPcu`)
z(YZf3=&`S7$47FA`AAxeJAi_X6YVlCpY8Wc8D&NX3b7+75VlRDH0Pf0YR+it>TDy!
z-x~VIj_5E+RZM+`nlUEwCGOd3LnCCt>tW#MCfghy>o(^)on(%bBZyXTR<Kv_&tZm(
zajr$FS@=qGN5S0qr%%BSPHIA9!pmV6kHu)&Y5Joh{4;gc&G2@HiWfQrhz@aYo2~?Y
z{94mM`?qq#wR;kaye1svGsZ^hM{y>J-7X%fiwwWAiRcpC0XplF1ee-T{^|Fdm!FK)
z^BfnOqFg>)5gw`;!1j@PnszwoWH1GooY;D4(&YB`O$tF1>_I=+FR*W*Pu_8ikT#Jm
z)Q1V=_V3OySx5iw%Spxze$u-b!dg-ve+9jHuU|3SE>mzctaq3VQ}qXEptl%eauUXI
zbJn=M&K3Z>Nc<ZI2mnZ>E>X8uy6G%C5aZ9Boq|!ka+^t9zflTGOA$5WrgSb*8OFHy
z6@gnn6U?*l4@5Ntl8>+Ky&!RHU01SFN6(%B^_UK9t6(@q0$JAMibp?D)nyF;r6=L}
z(W{(ox}Qu3LRMwMo3E+rw0}p5!OR^WJYw5fvUuS(B;f3b;@3}6ZH~O&dlpFG1^Gn%
zZB6YJ<CVgQY{riR#>LE@pA7_d3rEBiO+2jIrjj1S<Yc)n50g5-)HtQ<>Un)es7)Yq
z`iiu5YE1`&M$<0<8|)$N!aj=nE@O$(`n(%-St$zQ0eLsA&s!q)Qbh}tPP5FhX!h=U
zSk2Ox5-Q?4Rjns9>w2esjJB0Gx~^=`E(UaS1CS@Bb5rr)BHu7pQPe13&wD5Ma<5Tm
z=05n~ax|6Q`vDaZ_sOmJnoo!MuV3ZPicK%6Q9na0D+k`dIiWf@nQ=!<^;3+6qUlme
zR9E~K13;H~4L)#(vD%}o`fd-u8{2%ZKttS9fvW6kI_vflMsioJSbC(qM3?NPhOI&?
z`@rCb;rjl&tF2|5khc;stT@3<I2fFXZKmN&qHpQe)f~a`&YRkOCngRlWc(=eQ1WeC
z!r`GZf=~CwlY(^phTk~3tdXfE{le#WJPBakY+kVy`-(bCP4qavj4?fgCnij&tXl#a
zyBgOsRT5VSjRcIyEgs$Vcw8-lWiVX`M*&Am+RPpV2BQDbMD2b$Ffm)J7t%}t1Tcs7
z5EKh_TSy#6A$HWlNlOVl3^}DyWpa97?|BW896t~y5SmfiJoA0;Q9vN_(t<{A(Tmw2
z3xsDagNp30X$oJWxE*x<P4#D6@q@pFX#47g?u?ZTCjQRTh$}hSWy`rr`%h@=6h_&e
zw!unVBZ^p&7JPB*+&#8-VlHz)$6rA_q#-hgbgyk;O1~mhZAl5Kn#Pg$`-h!wG3V@_
zMI5C#=j4VqZPO9e#p=Z;&8SswqodL+H{UrSp&NLm9O7~LWhUeDl_ychx&|wY^;8{S
zGbV!>H(7kA+HFuoOXqU=#CB95brzv8F4W}92VaQ#N^Ji)+vZWgO@@wX*;C&i;x}*<
zY<U9!VVtmdd5IE3x=R;#$;0a|gU}&AgGF*c?5DzpLlMHwb0fq|IQu+%Ed>M2yIWBj
zcODJoQr_$Ht|MG_Wvy}*x?>w?Wofe>YqorR6H%^xd1v|&H?w6cqw+zews1mAPi`<H
zbeHk;m-TmtS=Dz6T<+ThD;pM-tm{DwaqHWN%c%4GAmeI{fQ5qg-PJ44YhJBMP3<Ud
z%U}~}8T={2N0ad1Wj?w0#O@>AmTEUD3G3uTics}k;wKAxba=lem!grOUDL_cLyZ&V
zI%HZNu=)I2yN00&hrTd}<}7Y=@V>qDKMYkt*dCF=6S(w0a`>jcO|9RAPorS&h8*on
ztDX~dngtyV%nk@+$yc4YU^3)SW;~19-A@t*(r(tpvAyP)dIQr7g60erTG`S4u5f-*
zo@sl2X@iy;UeO4mp8q4F!U&>9Km-x|FRuDq<sg#((GoE(-rvyUFLe2Tw!;6{R+HVF
zN82Q(4*%Nf@3@A7xJ@|b9Z#qsN7SwJ;vPbw_6^Ht`pz9|R-3urfi_X{!gs71il5Vm
zE^D!`ye11sqg_N2iDJqdL0@}{-gtXF4$dFHC(OSW(*4-tBZJbbnB3zrlYQT4zL&8V
zUC0k)H^xNSt-rE=If)NKc_yhyaekgEg={aJ&<hfza|XOfI<OMCt~B;vII-fWSCxRC
zI9%Ci%%5e?=o!F5SU-M8_%uA_<N7dlf5EmTPTedvb@5=P&bju3U@nNo>s?upx|46l
zNfC>{X^rB<pvmAjrI_DB2NNp%$E)XyOM%5Z3lrSS68FxR_#OP`X?Eul-f=6{!t75*
z`ZkUXg*C_=cgw|Im@NLtM;F?H3X;R?z4+3<Z+R*&lh{NRIIe>`FD`_ryR3=)Hf=n?
z@hZsL%ket~A69J?;iyNFdzsyj8*H-)<_uyKs=15ZcnC#H;V*0nIFMiTs86a^LvIz*
zn*4q?!(9VbQyDgKZH(_Et@61*iAEfd04`%o_-M!4QFH~)O8%ze)eHAF`tZFIQ@G)9
zg}wpOqK%}?Z&_FZNCnesHupyx!NNzy+(VP6UyY4r9ixL_+M8w9n4{T!;wI0C{aPnp
zzv9TJGFjd3wLvIP2c<6PSf=%JCRFTvkajEaX^BUl;(q)0&=1w?UWok^u~g!L`U6P%
zP_3Rc@amD0aDjgIYbEJ*^#m@q@k|5kWAEb*C-X=G_4f~YeU|gS736qVbenv^7Q21H
zlK7g9!`6aJk1yhA%VIKahKA`t2-Zm%rXKImKqLY)Mmb<v6lN!8dQ(&#g?0h*ye`mA
zuYm_U;gZRC^<@2~UdB-5b|Icv2BF;!f@gY*+Rwt2pbdWF%(8nUd#ExjJ6dY5q5kQW
z^@R4LWwr;LADvZPDP4=RZ*{qk;&U#C37a@bh;Hfrz@rnq9XS(*j-1*r8Nb+F>O`)u
z^-ez6AEN73Y3NDZ<$fOBUoz=SkT<fkuIZ2ys-E#X)XerZ#V1lC#1y}SBH%MhjYp*H
zlv#hw>dO7sF?bgB@Yroexl2ab7aw<`2Gx@ze3I~-Z7v@h9u?rb;X8{;J}L?g-A&YW
zOL=>)bY7!K>u}hh`)Fdvpw(wz<vu?wTpg)2K5cYozHKZ*x9STUX-s{(Fu&c23q^Jn
zG11OQD$PAVQk~sQ?(d&~oyu!g`O9TwZPC`(fOYW;<JU^>U#D^s@#U*DEu@X|1`KGm
zti{new(UNJ9_Lj=GVdq9c_%x@JiC-)E^HsJE42K~`gd^FSM#=ig2>$h8a;OVMJ$WC
z<U8Bi55b8x)BL0$lu)-Wzjm}?Py*eA=?1|%f?+?;i9WN)QPUQ(bA0%G*_HSk@%oJ_
zxa3cG(xJZ9d!wpf!a|BY(3VC!$H#uQgv5uQ<s(|hSAjBjmE&I^rKdu+3f)9*HrEpA
zT&Bp^(hG5X_W;5ojp0Ir)oQ;gtKzuBI-?JiB${lk+8&f|M7^~EtvkC6_yWg}pQ0Pz
z3eo&e{qS4C#vvhQyq_JV6ZH2p-_;uV9PL^plEP+ID=6qoA-Bd9xvSV9AnQJM!N4BK
zV^+e7g9$TRP{w*<*5he(j+L*24vPsfS$KUX*WoD}$J!9C%GyB}rU%OXjQcfTWwaD@
z-CgkcISRU#<Qgr+l!kxO^z-PHQ@fZd8N(jRBYq#A#P8RKTh=#R4b(Q!6Xe*@;5@jz
zG?1jH*K>1Qd<!@P1=8^+GozCf8_xwY9PXI)L%HhtE)yj#ixpsND>$Q1wra&1To_`o
zo@@Ssg~y7{;=ok)tj;{{Id)wqv}Yx_Uu<(k=csq2^X^jzvM+41)hp~^^X9YNW8jn_
z`nC&K?)gRTgV5?T4vwT_sfgnE*mY4gxZqd+WM?5nlNC*`8RakhkAC;)jgYH)q}w4X
zI6mGyc5~aYv?H#Xs2=`8A{3X!kBux=CKPUP^E=*GRRFVZPyDV~_d3mwI)|$yl_Q@l
zQrcVE7y;9ld%~L1X#O&u8a%k>9TYT}cPFc4JI3jA*>a5|w9PKdeCjIe&=ti#HGpD1
zFMEFgEa$X7bAZ#ut%rLliNsKxU0<%>Vdi+<lzR>|_)ODvc-DkZ*c#^ob$rpOl^P^n
zHYH^YOg$P&1vjr>S#y4|$EgBRe*co?M&ODjTN3D&s8!p&U_FfkMmE~@PoIo+*SwAq
zdp616>`eY<qB|hh_I}cvK&{t3t6M$PriQt7C2b`ZW6u?K=x64jwmw?o5?lT~4fBqx
zA~TS7SujB513r_ZK(1V<_DH@!P4}4fER`?~U4!HWmBLawmUipT^q$?gNpnO)hR0AU
zS<Tpg7k}2ulZxEO0Ud7&h~{QxZo(_KU0dAJg|j5&Bq6%<*QjUffsEBt@mTXgBcJL!
zUrcnYM#C#3BaJCmdafc4c_xL=q%;$uSf65Iac;ipKQeYP4_k_MrrP^VjL-ckDU&@a
zLn13)NY|MO8%kSPr$}vT>E)^XOq%?9E3Xcr_B!r@1L2$TFdCfYx9_jguawF8D4)wf
zxDjPMlf~n9DcjM66%$`w^LR-60%o+omvtnYNQ{2Rxe@&6XVqC~w)l|h*fJ|lAS#2u
ziYcSQOn)$I7MvDHyEZ$*w?tB|v`(tda`$wBkvGAI0RyJ_-NwZ@x;+vmIfLVxMnZ+I
zgLX%6hs(K!z?NzqD{t>D3N+tlf`uM_q3GK_LNig0Ln0<>Zpfk`I!-`6SJSfB(J)E_
z2xmG~L2%og#q?Vx*Y1nWewfkKH94;!a^kD$)z3%+@`C2)p0#2eqdZ9u0SGlClfcZa
zD-l0pE=$}WWiN(#H3Y?^Vul-blFrsouo9V=<zI&}i+5}(FSLbyOs)CW-ZyrxvL;)c
zvK&Y|ruMQ@@$~UAaSN;ENO97S2EiZO6AkIfM^0sjoAc@S8pU5fGe5+UqR(_keh}9~
zK6JGy4@;}K$Ubp;{svZ|BWv&8xe&XtHzv9~r<2Vh7{}WGikU{e7`iC=#CS~n**Esl
zqztGMw8Y}$9Ypd`4?#6AVo4zXz6sf@=N-WC)0vi8u3K*bF3stD*q(da%omI!pW?B+
zDw!{|pGO+&uJF-~)@a8KxU!M;N>QX$L#B`<b3Z1F8+@bmv}nLQ4q8QsC&nYn^}pX4
z5v>><fF?{b;YE^GnC!=0!X=W>6_Dxb3azM^D2FH!2q-{~kH-ka0nkX>9QPB{ox8C_
cujDZ|LX+opIQ||~Ct}N@Gm9v{f4{W<0(8<s-T(jq

literal 0
HcmV?d00001

diff --git a/tests/samplekeys/t5793-test.pfx b/tests/samplekeys/t5793-test.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..c8b256f1966fa5a8ef675d8790da27c5976dfa54
GIT binary patch
literal 4328
zcmY+HWmFX2*2V{z89Jn-8$>!4BvoPr1^#q9z|b*-q;!Kw3@J#bbk~Sd0}|3bl%$jl
zjljU=uJyk6uKQu1eb(>U&;ELzBN9rnfs2DD5=v1HCgh8RL|%~M;N#?lQe*)`Dbnw8
zvPdZ5#{Wo!)4))|@q7I9z6QX=|K}nh!okf8C3Lxm4kAooqW{PD%gKNQ<DDD_o5V&o
zxVQv>dpks4%pwH)o;yg7J^b2!eg`RE^_KYyUHcZ4#bTzruSJ9`?>!4d;Y-TEdDZP}
zxA9z(2nXRf!pM?(@VBn~x9%>F19C?12y*TOwLUd@NTan&$9K4mWj@rK?4<5Q<ne*n
z46xx=tFNtJjpKpQuJKBe9A74i;G1(tbOQJ(9KJ8(_soSa%M85dj?CF>mBoFIY%VMy
zvnLr-+Pa89mQO#B9(7N7IX_O^ow06+Q8kKAoIRMTv9J0lkOgLTdtdCYYUi1Hl+Vn6
zT&XbDZ`l7`G4hY#-k1{K;qvMHf?vVb+!)uQ_?`VZUK`(Ovel`$d-PI;5ZjZXp0xu#
zAqc7Mc8Taq!}*^%m^@2xZbC?{8*j>w4cF(3#1`SXwyUuAvok@e4k)45x`it&MhR7Q
zK6*p%!J>gC7<P$wF1Gr4b=zo&J%Q^7scqk`J@mmy;>~UF+mM}gsg5gG_*}~;H+cPO
ztakKWPNHAOu`sxiFwfxx$LX`feK`%xs)yTF4kAhcOF8Qb7cZS#=t6dmjH>kpOLcTn
zrY*$9UW-EFAWDRKqlq_09}zMv>Kv3X`Fdm|{Sf1i&{!|N#2!rV5;eGn?pE3Hcol>_
zl}_(;uJT8_+9-DTjHE$dFruSo{WY42jtgCS6n0yG1bwVnbwlnZiY5{D)$YMl2CB5B
zKo^e`g>rQ=-Y80~s>X7%j;86}K6XEBvoi_9SN-sy+hZ~Ndv2zCX{X`W+XAPrx5S>t
zqllG&qQkRjn&QaRtARmUFp_0lnz740$Pb0Yj!^WO<p*1d8eQdAgku~)+;4I<QYxzh
z>~Kh>-MZ5MP%UD~vpSGZ%=|G<djV73`K>3xiavE-VoWkSLp$i=TQ-d3PF?NO3+R}}
zqea#S9G~o!94Q<NGOo3_4q`IT2MHS3i3zW1|5iuDy4!NZ4jkCEo-=&4I@b(aUFjZw
zuscB8tyI?)x6Sn;qPK9|6F+-sYgNrAGe|Y{Pmr<Y8}iR2gvbd#8wKDOv<kOy@iCLm
zi1~%{??c!$`r)C|)bkGM=bm^tW0mNxOrfLL7pyZmw;|!ao@<`d=!Ap(prGwIEvLkH
zr;4YQ3N$wRby|<cwsf04c9rgOf<shMildYIHzu0~!nDhth@twVr*pHL?KnQDj(kR%
zDG9}y7YEAI>j}NRV~ArpwQ_IS)btIS+De!fUS7;f(cPOQ4np1>rG~lWVIJQ;^`@0*
zTHBWGr#^?-rD06F32)!aj4(|vB$^0WhiC~dK7;-VNdIQi@{d26lW)DtcCWBm0jFGh
zOY1%?&SH{}1dJB!)Z){K(DRR_9Wz?PUq#aIX4}!F<=d)R!nY3hUo1KjeJ5JIQic`&
z4T;~^G5?@n{#!^;q06VK-pcl|mn8wwzH7;l`r(D2^iA35S9sB}prw2#p_9d>cnYTx
z>W$P~H18ddARjWAr@LI?Rc>Aoy<emMk%Cx_wOPZ3;;o3g2C#W+n;wt<5dKSK?Ry@E
z@2MAFGt3|`(3t0otyHYeZrb}QeUF1}(>M~u)N&~~T@n1+fIMsY)*r;OdpoCV4dON~
zWC37<jpv@<x?)#js5K9tU;6JC5Ma}BdyXzc64wqj;GAVu{SJ%|p7%2BR(_LKm)CN3
zz~f`j?O2elHx*SJ{6*c%tyx0lV5De(cqoVbvwsw`TN`3lTX)e{RY!-PX+;fqaDJ{U
zK}V<U<TU>dxDWQD<x60~#4FUF@~7I|FzEzw*7BamiJuq9BUY9G!%sG<MC%;rBX3<-
zyan<O73{@8No?uu*<3ShT6P%MGFY$Z`jF;9_fY%I=QdPN@OZOZ@ZS2>7puph2|dhp
z2afEEv#bX}6({WM@rRP31u;>pA}ZAa-@Fs-1(6Nr)ZNAuzwthK-C@=OFKSUv`{;m}
z7?Y^=P1~Zj=nBHx>X+g{ILuzGq*2mA)w)-IVmy`kvAfnp?;Eu)lf9@iISZ56b4bIa
z+@%bV2p!ocEQ$3duVScR{VVSN{{7iEGK!WX93JOQmjJ;{HW{X4M;V)raJGp)G}CGE
zhdodU2lT|Inl^eh#7$8+lKkZIeDwx9!{hY4YY)O}l%mPKB6P%BKjWwAiAgGh5O-J<
z7Sl6!LE>|--n@o#e6<FYgD8G{O?Sd~#E>rVcZyf3Y@e|lM}xxZt$HVqMmj6sM2bEe
z=WDbldpp+Yn`L=7?vAh0?VR4J8e~z))V!3u6os|s4Bq!LwozFfE_8@0`H_r$&sm!0
zN3$s4tMn0%(Uw0;Hb`SAhrhCO1UgMAL`_>KaYiY>kaA12abtAHX3(HE1d-;}lT1)C
z@ZQFoHg}~Y^RU6h7y%==SeP1cODtFBH?*pmV>9ECojEI1)3qRmiiwz8lYV`ViW^UC
zL=>d%wZ1-Nf`yJVpIweo{tF59SkSFU0g)IN@8n-;tH_5<`CAjMJ%$FS-V_uGE@gpX
zr7xvwjD_^1OreRA>+0IsO26XAzg^3z!l~R2JE}p|>oEvwz~Z|P7bzFd$#^MVNW;01
z#oXfsqgIKV5d@`U-yE~KNqT&zG=3DfB^Zhi{{UPGeDX4H&oiEXNO@?M9?c(~%2&>q
zT57D*pFRys_M=&u9^zdfE>T=1QDwe)I>*2h>p_o&QU7V-WEkEY3YM4xI3^QQVrqOk
zBQ`^19Rm>yRkmf<cc!^&@6up`55JQ4Y#v}3DMsO;W0hB=5pYdAkhY^y@tX()g)W>U
zg)%pwWyW;!ouXss*?KQR|KgI2M*ubU&FJD+m@Zjv;|td+QTAc(_=iBGioT&=+Qx;j
z7ZIl!&d=hPgFFxcQOU@`x~=$=)uUVSH0<K<{mA(n*2I?@LLNp?-jxsa?aM3)rpL^C
zQnpFmER@_myo_8zDw&cTbi@ADkF5y@wB^DkGD1vvb-MLqE}xm~10?CvoKYXev{4To
zElPruOV2Wn>|VS@lxoUYJGak8t?i76EY4_VFbhPp^uA`IRxR+Emv~|@BKGV%+i-lU
zkD^bZ>8BgG#G@|!3LfMFf6iS4s$1LLm;RSM4U=rA_FT0Thy8wQ)^#Iq06;F$WpP;|
zM{qZrB+6O-lM{{pmJ?`cE&a8Ea5F?Yk2q~NGMx){rT8?z&m`KXoB&r8BEtEfbVf)c
zN(-b8mWX{BuO2M(X`5hyIA{rMw7f(k!v5bOYEfzyO29jSHNfNk6a-k^-`oN3L_)!(
z{~5vu=Y@hZ?okRZ4&c6h{I7!ZKj9Ai?{KHZ)hCyxR2K2?aCh&60z+|5>t9w0JgspZ
z2A#m@85e~@g_ys(Sf3eeUZ(FffuI&2R<<rZ@eiL0D9b+a9rQo~d6=oHC2xJ!d4iJ?
zc%)+Ay>phsFZn_l*Esck;F1WZq`|H&cW{S(YhHVr3;@bs6DLo#9B~n^@R*!!Od?VT
z|8SLvoQxRVc7eN0V0qBx@rGG)H4H`buM(TLRy_Qm;gXt`DdLJ~FSRs?t$lBR|6@<r
zwohbmlcD4$XCOH%2gYGkF2n2hbF?unIM50|SI9D%!h~zKqcOFiqrHU`Z)4yeE5iMF
zWl_~BDu&3gS2!ojb@lK$w}*aT8Z0xpp)K|`nhETQ2XOU(^Z>VjUxV~#qnz`S)749j
zZMid}pFaoK*r^DP2rUMiJ{F~6qwb9e^-j}LHOAc<D41*GC)~%mZn)t8`FjO|@owg-
z*651McN?>jOC1@i9R`dOIh{RH6&`$T5!xZJ1+v#74k)ss_}l9>D>ojc?K&ztL9w{M
zBs5UjciThaYSd<<nab#Ecx36OMxE8&GcM>8YYqO%c6R&L=gE8aA(95tx!Pd<tlsSz
zMrg#Jp3DSn|7Y#9fm<`G!*AfXA9PBmTcvXk2DSGy5X#;_2xfymGBb7*Cv%0%?PLzP
zjl#RKfdfI5s^T>(MeFu5eUaWw8Hrd0U?>oF;WQPudZp-}oG4<<MPXm4G>CQZ%7-<7
z!JlR3>kF^*BO6`Xc}Z;BysBufikUtFX*2FwmLmZ9{OQn9g@a${isCw;;**e^h-Hoz
zt<Oe%fy>e%jhB=)8h^q?5hk_|9<gpMn7(ux;J3F$^XViiH-=sAJoCeMgMX&_zM}G)
z;X-~$CiUkY!+cuTuR46IxdWoo25y#3BMBEGGSV!Ehw<%SEA3LWwB5cSRmM=6J^31%
zRYv{(!zpLLHMYQ3ArA!|hmklb9iBDX^h9|v-|VaA7fqo%Ng}z5$LS`w7`Dz@MCHQQ
zLQ0|<W%Vc2tJ=ps43=eAT8^yG&ib^nd{IY5GZQhee9vGO5%e%`*9W`m#cuufv|ZTV
z`EU}O`vXcsuA^(Q6^}NP-@i-j6&hYqp??LMmG!-?=J3%3q(vVv)=n_wiKIxzQ(o|y
z_JJH`A-u3Q1C>YVwVf_rSC%<$etI~^{N))Hw9wW<1~NzWC_0p!c!$h6#8SSQt*`&%
zU~TWs#m1sV;5+e17C=A)01Ft~WE@N*{GI}>U=N6~U)Sh4GPFq~<wKhUk!@NM3=S0I
zf4(ai7ohFc`_91$MI{;b3Z33?$HKHSctn@1OKZ&3Fr#?V26S-l$Y8<ZPH~^8<>;=7
z!stAoFyN5v{J~9^%f&oQ8ry-i<+nAXN$Wyl;X0oTRqiJJ;xg2`;f>@VAX9J`et}@8
zsrY_4a!VzIqzK<dk3$MwEUW$Pjz<s0{u5~kryi!sHraI_2Ku4SO{rz)-I#RK!MIRq
zbXad?L&yU8b-(=|%D<ZmAHBszT9?nXrp%?WF*mOIoCygI8}{WIe}kGQu+Ob&>deI;
z;Y12Fu(NCX&XJWP6X`u#zEYwAi0}-`xvGgV<$^%DDKW5o5+LXG4;$@#=E)ti7+PV*
z&Ix1GqA8+vs~r<RrBb$u2~Rd#e{YBKS;H-27mLm*HXM~JI|@J4(p{RbrEL3_Iv&8V
z&g?nSYJnzPIF-#IvZ4g5G7AQCqQ_r7_)6GQX!+OPGMl{GaNv-JE$PEPULAYxhC2`#
z%z=oJ6ED=GJ$G=H*uU)14I1#$ohJiEea@@f7baLg)kjW+u+6enk<%mGI~AmGW-%bn
z=Q};_H3W-}Eai@ZH>`cl%q`H7MzhCPp(PsUH%6au(wa6>%N~?z2*oyaWd$(!Y%?7H
zhW@abR(>zf>AZ=*v}Rhyvg$t<y}F4!4?oTEH>iO4&gHglFJHJ`@~DriX@ql`1sF<6
z<4q7e8n6CS?2&ax<UG`ArgEheyGk~o;G?=t^ki;_7Wen~LIf(PV=|#)pnj}GlT_UW
zF`H9mRW~qZ(-Umdn9gMa+qIVZhrZnZwoADGs9NeDSv(`phUV`=$KeQPJ@(dxW!EuU
zwcNHkCL5%I#Orn(7%A!(6Rv61_GfWjDJN(_RJRGXR@dkZzcE#bMrL@oBZQBHd(xUu
zO1G(!M?_SFU4#$};wQtyWdH$y)KV6Qz4$e!PRtQY*-Z653A38)_um6MBD4Gx({QhU
HKTH1tx;#!u

literal 0
HcmV?d00001