-rw-r--r--NEWS1
-rw-r--r--devel/libgnutls-latest-x86_64.abi1
-rw-r--r--devel/symbols.last1
-rw-r--r--doc/Makefile.am2
-rw-r--r--doc/manpages/Makefile.am1
-rw-r--r--lib/includes/gnutls/pkcs7.h4
-rw-r--r--lib/libgnutls.map1
-rw-r--r--lib/nettle/pk.c37
-rw-r--r--lib/x509/common.c58
-rw-r--r--lib/x509/common.h12
-rw-r--r--lib/x509/output.c53
-rw-r--r--lib/x509/pkcs7-output.c65
-rw-r--r--src/certtool.c88
-rw-r--r--tests/cert-tests/Makefile.am2
-rwxr-xr-xtests/cert-tests/certtool12
-rw-r--r--tests/cert-tests/data/commonName.cer52
-rw-r--r--tests/cert-tests/data/full.p7b.out8
-rw-r--r--tests/cert-tests/data/grfc.crt6
-rw-r--r--tests/cert-tests/data/long-oids.pem2
-rw-r--r--tests/cert-tests/data/openssl-keyid.p7b.out8
-rw-r--r--tests/cert-tests/data/openssl.p7b.out8
-rw-r--r--tests/cert-tests/data/single-ca.p7b.out8
-rwxr-xr-xtests/cert-tests/pkcs72
-rwxr-xr-xtests/cert-tests/pkcs7-eddsa2
-rw-r--r--tests/data/test1.cat.out6
-rw-r--r--tests/data/test2.cat.out4
26 files changed, 283 insertions, 161 deletions
diff --git a/NEWS b/NEWS
index fe1c6035af..834cd629dd 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ See the end for copying conditions.
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
+gnutls_pkcs7_print_signature_info: Added
* Version 3.6.13 (released 2020-03-31)
diff --git a/devel/libgnutls-latest-x86_64.abi b/devel/libgnutls-latest-x86_64.abi
index cc44d1898e..8e5e787950 100644
--- a/devel/libgnutls-latest-x86_64.abi
+++ b/devel/libgnutls-latest-x86_64.abi
@@ -599,6 +599,7 @@
<elf-symbol name='gnutls_pkcs7_import' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_pkcs7_init' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_pkcs7_print' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
+ <elf-symbol name='gnutls_pkcs7_print_signature_info' version='GNUTLS_3_6_14' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_pkcs7_set_crl' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_pkcs7_set_crl_raw' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
<elf-symbol name='gnutls_pkcs7_set_crt' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/>
diff --git a/devel/symbols.last b/devel/symbols.last
index 080f7f2954..c5c279c42a 100644
--- a/devel/symbols.last
+++ b/devel/symbols.last
@@ -565,6 +565,7 @@ gnutls_pkcs7_get_signature_info@GNUTLS_3_4
gnutls_pkcs7_import@GNUTLS_3_4
gnutls_pkcs7_init@GNUTLS_3_4
gnutls_pkcs7_print@GNUTLS_3_4
+gnutls_pkcs7_print_signature_info@GNUTLS_3_6_14
gnutls_pkcs7_set_crl@GNUTLS_3_4
gnutls_pkcs7_set_crl_raw@GNUTLS_3_4
gnutls_pkcs7_set_crt@GNUTLS_3_4
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 83d851220c..01f7cd6fc1 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1539,6 +1539,8 @@ FUNCS += functions/gnutls_pkcs7_init
FUNCS += functions/gnutls_pkcs7_init.short
FUNCS += functions/gnutls_pkcs7_print
FUNCS += functions/gnutls_pkcs7_print.short
+FUNCS += functions/gnutls_pkcs7_print_signature_info
+FUNCS += functions/gnutls_pkcs7_print_signature_info.short
FUNCS += functions/gnutls_pkcs7_set_crl
FUNCS += functions/gnutls_pkcs7_set_crl.short
FUNCS += functions/gnutls_pkcs7_set_crl_raw
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 18f382ee45..552130afa4 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -571,6 +571,7 @@ APIMANS += gnutls_pkcs7_get_signature_info.3
APIMANS += gnutls_pkcs7_import.3
APIMANS += gnutls_pkcs7_init.3
APIMANS += gnutls_pkcs7_print.3
+APIMANS += gnutls_pkcs7_print_signature_info.3
APIMANS += gnutls_pkcs7_set_crl.3
APIMANS += gnutls_pkcs7_set_crl_raw.3
APIMANS += gnutls_pkcs7_set_crt.3
diff --git a/lib/includes/gnutls/pkcs7.h b/lib/includes/gnutls/pkcs7.h
index 8a6c2034f0..58ea4aaf81 100644
--- a/lib/includes/gnutls/pkcs7.h
+++ b/lib/includes/gnutls/pkcs7.h
@@ -144,6 +144,10 @@ int gnutls_pkcs7_print(gnutls_pkcs7_t pkcs7,
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out);
+int gnutls_pkcs7_print_signature_info(gnutls_pkcs7_signature_info_st * info,
+ gnutls_certificate_print_formats_t format,
+ gnutls_datum_t * out);
+
/* *INDENT-OFF* */
#ifdef __cplusplus
}
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 512e403bb6..ac6be479f1 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1328,6 +1328,7 @@ GNUTLS_3_6_14
{
global:
gnutls_ext_get_name2;
+ gnutls_pkcs7_print_signature_info;
} GNUTLS_3_6_13;
GNUTLS_FIPS140_3_4 {
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 15ad4b4e9a..ccf403b007 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
nettle_mpz_get_str_256 (length, data, *k);
}
+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+{
+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ }
+
+ memset(data, 0xAA, length);
+}
+
static void
ecc_scalar_zclear (struct ecc_scalar *s)
{
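Review bot: rnd_nonce_func_fallback has no comment saying why a constant fill is acceptable, so a reader of pk.c could take it for a usable fallback RNG. I would add above it `/* Self-test only: constant bytes keep the RSA known-answer tests reproducible. Any call outside LIB_STATE_SELFTEST moves the library to LIB_STATE_ERROR, because predictable padding/blinding must never reach a real operation. */`. The buffer is still filled with 0xAA after the error state is set, so the operation in flight completes with predictable bytes and safety depends on the caller checking HAVE_LIB_ERROR() afterwards. The encrypt and sign call sites visibly do that; the decrypt paths are only partly visible in this diff and are worth confirming.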
@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
+ nettle_random_func *random_func;
ret = _rsa_params_to_pubkey(pk_params, &pub);
if (ret < 0) {
@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
goto cleanup;
}
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_encrypt(&pub, NULL, rnd_nonce_func,
+ rsa_encrypt(&pub, NULL, random_func,
plaintext->size, plaintext->data,
p);
if (ret == 0 || HAVE_LIB_ERROR()) {
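Review bot: The four-line choice between rnd_nonce_func_fallback and rnd_nonce_func is pasted here and again in the _wrap_nettle_pk_decrypt, _wrap_nettle_pk_decrypt2 and _wrap_nettle_pk_sign hunks, each with its own `random_func` local. Because this decides whether an RSA operation gets real randomness, I would keep the decision in one small static helper so a future RSA call site cannot pick the wrong function or drift from the others. The enclosing function starts and ends outside the hunk.

```c
/* Returns the deterministic filler only while the library runs its
 * self-tests; every other state gets the real nonce generator. */
static nettle_random_func *rsa_random_func(void)
{
	if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
		return rnd_nonce_func_fallback;
	return rnd_nonce_func;
}

/* ... unchanged: _rsa_params_to_pubkey() and its error path ... */
		ret =
		    rsa_encrypt(&pub, NULL, rsa_random_func(),
				plaintext->size, plaintext->data,
				p);
```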
@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
struct rsa_public_key pub;
size_t length;
bigint_t c;
+ nettle_random_func *random_func;
_rsa_params_to_privkey(pk_params, &priv);
ret = _rsa_params_to_pubkey(pk_params, &pub);
@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
goto cleanup;
}
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
+ rsa_decrypt_tr(&pub, &priv, NULL, random_func,
&length, plaintext->data,
TOMPZ(c));
_gnutls_mpi_release(&c);
@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
bigint_t c;
uint32_t is_err;
int ret;
+ nettle_random_func *random_func;
if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
gnutls_assert();
@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
}
- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
plaintext_size, plaintext, TOMPZ(c));
/* after this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
{
struct rsa_private_key priv;
struct rsa_public_key pub;
+ nettle_random_func *random_func;
mpz_t s;
_rsa_params_to_privkey(pk_params, &priv);
@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
mpz_init(s);
+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+ random_func = rnd_nonce_func_fallback;
+ else
+ random_func = rnd_nonce_func;
ret =
- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
vdata->size, vdata->data, s);
if (ret == 0 || HAVE_LIB_ERROR()) {
gnutls_assert();
diff --git a/lib/x509/common.c b/lib/x509/common.c
index c8ea6657c7..a1f6d62e13 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -39,19 +39,9 @@ static int
data2hex(const void *data, size_t data_size,
gnutls_datum_t *out);
-struct oid_to_string {
- const char *oid;
- unsigned oid_size;
- const char *ldap_desc;
- unsigned ldap_desc_size;
- const char *asn_desc; /* description in the pkix file if complex type */
- unsigned int etype; /* the libtasn1 ASN1_ETYPE or INVALID
- * if cannot be simply parsed */
-};
-
#define ENTRY(oid, ldap, asn, etype) {oid, sizeof(oid)-1, ldap, sizeof(ldap)-1, asn, etype}
-/* when there is no ldap description */
+/* when there is no name description */
#define ENTRY_ND(oid, asn, etype) {oid, sizeof(oid)-1, NULL, 0, asn, etype}
/* This list contains all the OIDs that may be
@@ -144,18 +134,18 @@ static const struct oid_to_string _oid2str[] = {
{NULL, 0, NULL, 0, NULL, 0}
};
-static const struct oid_to_string *get_oid_entry(const char *oid)
+const struct oid_to_string *_gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid)
{
unsigned int i = 0;
unsigned len = strlen(oid);
do {
- if (len == _oid2str[i].oid_size &&
- strcmp(_oid2str[i].oid, oid) == 0)
- return &_oid2str[i];
+ if (len == ots[i].oid_size &&
+ strcmp(ots[i].oid, oid) == 0)
+ return &ots[i];
i++;
}
- while (_oid2str[i].oid != NULL);
+ while (ots[i].oid != NULL);
return NULL;
}
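Review bot: The do/while in _gnutls_oid_get_entry examines `ots[0]` before it looks for the terminator, which was harmless for the fixed _oid2str table but is a latent hazard now that the table is a parameter. With a table holding only the sentinel, an empty `oid` passes the length check (0 == 0) and hands a NULL pointer to strcmp, and the loop condition then reads `ots[1]`, past the end. All tables passed in this diff are non-empty, so this is not reachable today. A pre-tested loop removes the hazard: `for (i = 0; ots[i].oid != NULL; i++)` with the same comparison inside.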
@@ -165,9 +155,9 @@ const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len)
unsigned int i = 0;
do {
- if ((_oid2str[i].ldap_desc != NULL) &&
- (str_len == _oid2str[i].ldap_desc_size) &&
- (c_strncasecmp(_oid2str[i].ldap_desc, str, str_len) ==
+ if ((_oid2str[i].name_desc != NULL) &&
+ (str_len == _oid2str[i].name_desc_size) &&
+ (c_strncasecmp(_oid2str[i].name_desc, str, str_len) ==
0))
return _oid2str[i].oid;
i++;
@@ -242,18 +232,7 @@ static int str_escape(const gnutls_datum_t * str, gnutls_datum_t * escaped)
**/
int gnutls_x509_dn_oid_known(const char *oid)
{
- unsigned int i = 0;
- unsigned len = strlen(oid);
-
- do {
- if (len == _oid2str[i].oid_size &&
- strcmp(_oid2str[i].oid, oid) == 0)
- return 1;
- i++;
- }
- while (_oid2str[i].oid != NULL);
-
- return 0;
+ return _gnutls_oid_get_entry(_oid2str, oid) != NULL;
}
/**
@@ -272,17 +251,10 @@ int gnutls_x509_dn_oid_known(const char *oid)
**/
const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags)
{
- unsigned int i = 0;
- unsigned len = strlen(oid);
-
- do {
- if ((_oid2str[i].oid_size == len) &&
- strcmp(_oid2str[i].oid, oid) == 0 && _oid2str[i].ldap_desc != NULL)
- return _oid2str[i].ldap_desc;
- i++;
- }
- while (_oid2str[i].oid != NULL);
+ const struct oid_to_string *entry =_gnutls_oid_get_entry(_oid2str, oid);
+ if (entry && entry->name_desc)
+ return entry->name_desc;
if (flags & GNUTLS_X509_DN_OID_RETURN_OID)
return oid;
else
@@ -450,7 +422,7 @@ _gnutls_x509_dn_to_string(const char *oid, void *value,
return GNUTLS_E_INVALID_REQUEST;
}
- oentry = get_oid_entry(oid);
+ oentry = _gnutls_oid_get_entry(_oid2str, oid);
if (oentry == NULL) { /* unknown OID -> hex */
unknown_oid:
ret = data2hex(value, value_size, str);
@@ -1469,7 +1441,7 @@ _gnutls_x509_encode_and_write_attribute(const char *given_oid,
int result;
const struct oid_to_string *oentry;
- oentry = get_oid_entry(given_oid);
+ oentry = _gnutls_oid_get_entry(_oid2str, given_oid);
if (oentry == NULL) {
gnutls_assert();
_gnutls_debug_log("Cannot find OID: %s\n", given_oid);
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 54ded21188..483bd1de6c 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -114,6 +114,18 @@
#define ASN1_NULL "\x05\x00"
#define ASN1_NULL_SIZE 2
+struct oid_to_string {
+ const char *oid;
+ unsigned oid_size;
+ const char *name_desc;
+ unsigned name_desc_size;
+ const char *asn_desc; /* description in the pkix file if complex type */
+ unsigned int etype; /* the libtasn1 ASN1_ETYPE or INVALID
+ * if cannot be simply parsed */
+};
+
+const struct oid_to_string *_gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid);
+
int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim,
int force_general);
int
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 8084b92b29..705e8babfa 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -448,7 +448,9 @@ print_aki_gn_serial(gnutls_buffer_st * str, gnutls_x509_aki_t aki)
err =
gnutls_x509_aki_get_cert_issuer(aki,
0, &alt_type, &san, &other_oid, &serial);
- if (err < 0) {
+ if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ return;
+ } else if (err < 0) {
addf(str, "error: gnutls_x509_aki_get_cert_issuer: %s\n",
gnutls_strerror(err));
return;
@@ -481,10 +483,11 @@ static void print_aki(gnutls_buffer_st * str, gnutls_datum_t *der)
goto cleanup;
}
+ /* Check if an alternative name is there */
+ print_aki_gn_serial(str, aki);
+
err = gnutls_x509_aki_get_id(aki, &id);
if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- /* Check if an alternative name is there */
- print_aki_gn_serial(str, aki);
goto cleanup;
} else if (err < 0) {
addf(str, "error: gnutls_x509_aki_get_id: %s\n",
@@ -959,6 +962,27 @@ hexdump:
adds(str, "\n");
}
+#define ENTRY(oid, name) {oid, sizeof(oid)-1, name, sizeof(name)-1, NULL, 0}
+
+static const struct oid_to_string cp_oid2str[] = {
+ ENTRY("2.5.29.32.0", "anyPolicy"),
+
+ ENTRY("2.23.140.1.2.1", "CA/B Domain Validated"),
+ ENTRY("2.23.140.1.2.2", "CA/B Organization Validated"),
+ ENTRY("2.23.140.1.2.3", "CA/B Individual Validated"),
+ ENTRY("2.23.140.1.1", "CA/B Extended Validation"),
+
+ /* draft-deremin-rfc4491-bis */
+ ENTRY("1.2.643.100.113.1", "Russian security class KC1"),
+ ENTRY("1.2.643.100.113.2", "Russian security class KC2"),
+ ENTRY("1.2.643.100.113.3", "Russian security class KC3"),
+ ENTRY("1.2.643.100.113.4", "Russian security class KB1"),
+ ENTRY("1.2.643.100.113.5", "Russian security class KB2"),
+ ENTRY("1.2.643.100.113.6", "Russian security class KA1"),
+
+ {NULL, 0, NULL, 0},
+};
+
struct ext_indexes_st {
int san;
int ian;
@@ -1011,6 +1035,7 @@ static void print_extension(gnutls_buffer_st * str, const char *prefix,
struct gnutls_x509_policy_st policy;
gnutls_x509_policies_t policies;
const char *name;
+ const struct oid_to_string *entry;
int x;
err = gnutls_x509_policies_init(&policies);
@@ -1050,7 +1075,11 @@ static void print_extension(gnutls_buffer_st * str, const char *prefix,
critical ? _("critical") :
_("not critical"));
- addf(str, "%s\t\t\t%s\n", prefix, policy.oid);
+ entry = _gnutls_oid_get_entry(cp_oid2str, policy.oid);
+ if (entry != NULL && entry->name_desc != NULL)
+ addf(str, "%s\t\t\t%s (%s)\n", prefix, policy.oid, entry->name_desc);
+ else
+ addf(str, "%s\t\t\t%s\n", prefix, policy.oid);
for (j = 0; j < policy.qualifiers; j++) {
if (policy.qualifier[j].type ==
GNUTLS_X509_QUALIFIER_URI)
@@ -1233,6 +1262,22 @@ static void print_extension(gnutls_buffer_st * str, const char *prefix,
critical ? _("critical") : _("not critical"));
print_issuer_sign_tool(str, prefix, der);
+ } else if (strcmp(oid, "2.5.4.3") == 0) {
+ int ret;
+ gnutls_datum_t tmp = {NULL, 0};
+
+ addf(str, _("%s\t\tCommon Name (%s):\n"),
+ prefix,
+ critical ? _("critical") : _("not critical"));
+
+ ret = _gnutls_x509_decode_string(ASN1_ETYPE_PRINTABLE_STRING, der->data, der->size, &tmp, 0);
+ if (ret < 0) {
+ addf(str, "error: x509_decode_string: %s\n",
+ gnutls_strerror(ret));
+ } else {
+ addf(str, "%s\t\t\t%s\n", prefix, tmp.data);
+ gnutls_free(tmp.data);
+ }
} else {
addf(str, _("%s\t\tUnknown extension %s (%s):\n"),
prefix, oid,
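Review bot: The decoded commonName value is written to the output verbatim by `addf(str, "%s\t\t\t%s\n", prefix, tmp.data)`, and those bytes come straight from the certificate being inspected. Nothing visible in the hunk rejects control characters or line breaks, so a crafted certificate could make the printed report show misleading extra lines. Unless _gnutls_x509_decode_string already guarantees printable content (not visible here), I would check the decoded bytes and fall back to the ASCII/hexdump form used for unknown extensions when any is non-printable. Only ASN1_ETYPE_PRINTABLE_STRING is accepted, so a value encoded with another string type ends up as an `error:` line; a comment saying that is intended would help. print_extension starts and ends outside the hunk.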
diff --git a/lib/x509/pkcs7-output.c b/lib/x509/pkcs7-output.c
index bf5dbac837..3d686df228 100644
--- a/lib/x509/pkcs7-output.c
+++ b/lib/x509/pkcs7-output.c
@@ -64,6 +64,31 @@ static void print_dn(gnutls_buffer_st * str, const char *prefix,
gnutls_free(output.data);
}
+/* Do not encode ASN1 and type for now */
+#define ENTRY(oid, name, type) {oid, sizeof(oid)-1, name, sizeof(name)-1, NULL, type}
+#define ENTRY2(oid, name) {oid, sizeof(oid)-1, name, sizeof(name)-1, NULL, ASN1_ETYPE_INVALID}
+
+static const struct oid_to_string pkcs7_attrs[] = {
+ ENTRY ("1.2.840.113549.1.9.3", "contentType", ASN1_ETYPE_OBJECT_ID),
+ ENTRY ("1.2.840.113549.1.9.4", "messageDigest", ASN1_ETYPE_OCTET_STRING),
+ ENTRY ("1.2.840.113549.1.9.5", "signingTime", ASN1_ETYPE_INVALID),
+ ENTRY2("1.2.840.113549.1.9.6", "countersignature"),
+ ENTRY2("1.2.840.113549.1.9.15", "smimeCapabilities"),
+
+ ENTRY2("1.2.840.113549.1.9.16.2.1", "aa-receiptRequest"),
+ ENTRY2("1.2.840.113549.1.9.16.2.2", "aa-securityLabel"),
+ ENTRY2("1.2.840.113549.1.9.16.2.3", "aa-mlExpandHistory"),
+ ENTRY2("1.2.840.113549.1.9.16.2.4", "aa-contentHint"),
+ ENTRY2("1.2.840.113549.1.9.16.2.9", "aa-equivalentLabels"),
+ ENTRY2("1.2.840.113549.1.9.16.2.10", "aa-contentReference"),
+ ENTRY2("1.2.840.113549.1.9.16.2.11", "aa-encrypKeyPref"),
+ ENTRY2("1.2.840.113549.1.9.16.2.12", "aa-signingCertificate"),
+ ENTRY2("1.2.840.113549.1.9.16.2.19", "aa-ets-otherSigCert"),
+ ENTRY2("1.2.840.113549.1.9.16.2.47", "aa-signingCertificateV2"),
+
+ {NULL, 0, NULL, 0, NULL, 0}
+};
+
static void print_raw(gnutls_buffer_st * str, const char *prefix,
const gnutls_datum_t * raw)
{
@@ -94,6 +119,7 @@ static void print_pkcs7_info(gnutls_pkcs7_signature_info_st * info,
char s[42];
size_t max;
int ret;
+ const struct oid_to_string * entry;
if (info->issuer_dn.size > 0)
print_dn(str, "\tSigner's issuer DN", &info->issuer_dn);
@@ -130,7 +156,9 @@ static void print_pkcs7_info(gnutls_pkcs7_signature_info_st * info,
if (i == 0)
addf(str, "\tSigned Attributes:\n");
- snprintf(prefix, sizeof(prefix), "\t\t%s", oid);
+ entry = _gnutls_oid_get_entry(pkcs7_attrs, oid);
+ snprintf(prefix, sizeof(prefix), "\t\t%s",
+ (entry && entry->name_desc) ? entry->name_desc : oid);
print_raw(str, prefix, &data);
gnutls_free(data.data);
}
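Review bot: In the signed-attribute loop the symbolic name replaces the OID in `prefix`, so the numeric OID no longer appears in the output for known attributes; the same applies to the unsigned-attribute hunk that follows. The policy printing added to output.c in this commit keeps both (`%s (%s)` with OID and name), and the test scripts had to change their grep patterns because the OID disappeared. For output that people compare against specifications or other tools I would keep the OID as well, e.g. `snprintf(prefix, sizeof(prefix), "\t\t%s (%s)", entry->name_desc, oid);` in the known-name case. The declaration of `prefix` and the rest of print_pkcs7_info are outside the hunk.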
@@ -145,7 +173,9 @@ static void print_pkcs7_info(gnutls_pkcs7_signature_info_st * info,
if (i == 0)
addf(str, "\tUnsigned Attributes:\n");
- snprintf(prefix, sizeof(prefix), "\t\t%s", oid);
+ entry = _gnutls_oid_get_entry(pkcs7_attrs, oid);
+ snprintf(prefix, sizeof(prefix), "\t\t%s",
+ (entry && entry->name_desc) ? entry->name_desc : oid);
print_raw(str, prefix, &data);
gnutls_free(data.data);
}
@@ -155,6 +185,37 @@ static void print_pkcs7_info(gnutls_pkcs7_signature_info_st * info,
}
/**
+ * gnutls_pkcs7_print_signature_info:
+ * @info: The PKCS7 signature info struct to be printed
+ * @format: Indicate the format to use
+ * @out: Newly allocated datum with null terminated string.
+ *
+ * This function will pretty print a PKCS #7 signature info structure, suitable
+ * for display to a human.
+ *
+ * Currently the supported formats are %GNUTLS_CRT_PRINT_FULL and
+ * %GNUTLS_CRT_PRINT_COMPACT.
+ *
+ * The output @out needs to be deallocated using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.6.14
+ **/
+int gnutls_pkcs7_print_signature_info(gnutls_pkcs7_signature_info_st * info,
+ gnutls_certificate_print_formats_t format,
+ gnutls_datum_t * out)
+{
+ gnutls_buffer_st str;
+
+ _gnutls_buffer_init(&str);
+ print_pkcs7_info(info, &str, format);
+
+ return _gnutls_buffer_to_datum(&str, out, 1);
+}
+
+/**
* gnutls_pkcs7_crt_print:
* @pkcs7: The PKCS7 struct to be printed
* @format: Indicate the format to use
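Review bot: gnutls_pkcs7_print_signature_info is a new exported entry point but passes `info` straight to print_pkcs7_info, which dereferences it at once (`info->issuer_dn.size`), and `out` is not checked either. I would reject bad arguments up front with `if (info == NULL || out == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` before `_gnutls_buffer_init(&str)`. The doc comment lists GNUTLS_CRT_PRINT_FULL and GNUTLS_CRT_PRINT_COMPACT as supported, but whether print_pkcs7_info treats other `format` values differently is not visible here. If it does not, the comment should say that the value is currently ignored.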
diff --git a/src/certtool.c b/src/certtool.c
index b65359c27c..a46f774114 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2624,94 +2624,20 @@ void verify_crl(common_info_st * cinfo)
app_exit(rc);
}
-static void print_dn(const char *prefix, const gnutls_datum_t *raw)
-{
- gnutls_x509_dn_t dn = NULL;
- gnutls_datum_t str = {NULL, 0};
- int ret;
-
- ret = gnutls_x509_dn_init(&dn);
- if (ret < 0)
- return;
-
- ret = gnutls_x509_dn_import(dn, raw);
- if (ret < 0)
- goto cleanup;
-
- ret = gnutls_x509_dn_get_str2(dn, &str, 0);
- if (ret < 0)
- goto cleanup;
-
- fprintf(outfile, "%s: %s\n", prefix, str.data);
-
- cleanup:
- gnutls_x509_dn_deinit(dn);
- gnutls_free(str.data);
-}
-
-static void print_raw(const char *prefix, const gnutls_datum_t *raw)
+static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st *info, common_info_st *cinfo)
{
int ret;
- gnutls_datum_t tmp;
+ gnutls_datum_t str;
- if (raw->data == NULL || raw->size == 0)
- return;
-
- ret = gnutls_hex_encode2(raw, &tmp);
+ ret = gnutls_pkcs7_print_signature_info(info, GNUTLS_CRT_PRINT_COMPACT, &str);
if (ret < 0) {
- fprintf(stderr, "gnutls_hex_encode2: %s\n",
- gnutls_strerror(ret));
+ fprintf(stderr, "printing error: %s\n",
+ gnutls_strerror(ret));
app_exit(1);
}
- fprintf(outfile, "%s: %s\n", prefix, tmp.data);
- gnutls_free(tmp.data);
-}
-
-static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st *info, common_info_st *cinfo)
-{
- unsigned i;
- char *oid;
- gnutls_datum_t data;
- char prefix[128];
- int ret;
- char timebuf[SIMPLE_CTIME_BUF_SIZE];
-
- print_dn("\tSigner's issuer DN", &info->issuer_dn);
- print_raw("\tSigner's serial", &info->signer_serial);
- print_raw("\tSigner's issuer key ID", &info->issuer_keyid);
- if (info->signing_time != -1)
- fprintf(outfile, "\tSigning time: %s\n", simple_ctime(&info->signing_time, timebuf));
-
- fprintf(outfile, "\tSignature Algorithm: %s\n", gnutls_sign_get_name(info->algo));
-
- if (info->signed_attrs) {
- for (i=0;;i++) {
- ret = gnutls_pkcs7_get_attr(info->signed_attrs, i, &oid, &data, 0);
- if (ret < 0)
- break;
- if (i==0)
- fprintf(outfile, "\tSigned Attributes:\n");
-
- snprintf(prefix, sizeof(prefix), "\t\t%s", oid);
- print_raw(prefix, &data);
- gnutls_free(data.data);
- }
- }
- if (info->unsigned_attrs) {
- for (i=0;;i++) {
- ret = gnutls_pkcs7_get_attr(info->unsigned_attrs, i, &oid, &data, 0);
- if (ret < 0)
- break;
- if (i==0)
- fprintf(outfile, "\tUnsigned Attributes:\n");
-
- snprintf(prefix, sizeof(prefix), "\t\t%s", oid);
- print_raw(prefix, &data);
- gnutls_free(data.data);
- }
- }
- fprintf(outfile, "\n");
+ fprintf(outfile, "%s", str.data);
+ gnutls_free(str.data);
}
void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data)
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 87d9314363..17886ef7c5 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -101,7 +101,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \
data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \
templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \
- data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem
+ data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem data/commonName.cer
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool
index e604634678..3494aaacbe 100755
--- a/tests/cert-tests/certtool
+++ b/tests/cert-tests/certtool
@@ -153,6 +153,18 @@ if test $? = 0;then
exit 1
fi
+${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/commonName.cer" | grep -v "Not After:" > ${TMPFILE1}
+if test $? != 0;then
+ echo "commonName cert output failed"
+ exit 1
+fi
+
+${DIFF} "${srcdir}/data/commonName.cer" ${TMPFILE1}
+if test $? != 0;then
+ exit 1
+fi
+
+
rm -f ${TMPFILE1} ${TMPFILE2}
export TZ="UTC"
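Review bot: The `test $? != 0` after the new pipeline sees the exit status of `grep -v`, not of certtool, so a certtool crash or a Valgrind-reported error on commonName.cer is not caught by the "commonName cert output failed" branch. The later diff would fail in that case, but without the message and without telling a tool failure from an output mismatch. I would write the certtool output to `"${TMPFILE2}"` first, test `$?` there, and only then run `grep -v "Not After:" "${TMPFILE2}" > "${TMPFILE1}"`. Quoting `${TMPFILE1}` in the redirect and in the `${DIFF}` call would also match the quoting used for `${srcdir}`.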
diff --git a/tests/cert-tests/data/commonName.cer b/tests/cert-tests/data/commonName.cer
new file mode 100644
index 0000000000..91d02fdd85
--- /dev/null
+++ b/tests/cert-tests/data/commonName.cer
@@ -0,0 +1,52 @@
+X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 06376c00aa00648a11cfb8d4aa5c35f4
+ Issuer: CN=Root Agency
+ Validity:
+ Not Before: Tue May 28 22:02:59 UTC 1996
+ Subject: CN=Root Agency
+ Subject Public Key Algorithm: RSA
+ Algorithm Security Level: Export (512 bits)
+ Modulus (bits 512):
+ 00:81:55:22:b9:8a:a4:6f:ed:d6:e7:d9:66:0f:55:bc
+ d7:cd:d5:bc:4e:40:02:21:a2:b1:f7:87:30:85:5e:d2
+ f2:44:b9:dc:9b:75:b6:fb:46:5f:42:b6:9d:23:36:0b
+ de:54:0f:cd:bd:1f:99:2a:10:58:11:cb:40:cb:b5:a7
+ 41
+ Exponent (bits 24):
+ 01:00:01
+ Extensions:
+ Common Name (not critical):
+ For Testing Purposes Only Sample Software Publishing Credentials Agency
+ Unknown extension 2.5.29.1 (not critical):
+ ASCII: 0>.....-...O..a!..dc..0.1.0...U....Root Agency...7l...d......\5.
+ Hexdump: 303e801012e4092d061d1d4f008d6121dc166463a1183016311430120603550403130b526f6f74204167656e6379821006376c00aa00648a11cfb8d4aa5c35f4
+ Signature Algorithm: RSA-MD5
+warning: signed using a broken signature algorithm that can be forged.
+ Signature:
+ 2d:2e:3e:7b:89:42:89:3f:a8:21:17:fa:f0:f5:c3:95
+ db:62:69:5b:c9:dc:c1:b3:fa:f0:c4:6f:6f:64:9a:bd
+ e7:1b:25:68:72:83:67:bd:56:b0:8d:01:bd:2a:f7:cc
+ 4b:bd:87:a5:ba:87:20:4c:42:11:41:ad:10:17:3b:8c
+Other Information:
+ Fingerprint:
+ sha1:fee449ee0e3965a5246f000e87fde2a065fd89d4
+ sha256:8b13dbb25eb339a630c76c810d14b44b552e68dc10a93e82e754da23f858774a
+ Public Key ID:
+ sha1:38596dac2a46c9002309905e1f02c1fb5df724cd
+ sha256:73a97a992bfd29b91ef23175b367db9c561c516f634f759e3d430230a3d0695c
+ Public Key PIN:
+ pin-sha256:c6l6mSv9Kbke8jF1s2fbnFYcUW9jT3WePUMCMKPQaVw=
+
+-----BEGIN CERTIFICATE-----
+MIIByjCCAXSgAwIBAgIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFADAW
+MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw05NjA1MjgyMjAyNTlaFw0zOTEyMzEy
+MzU5NTlaMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MFswDQYJKoZIhvcNAQEBBQAD
+SgAwRwJAgVUiuYqkb+3W59lmD1W8183VvE5AAiGisfeHMIVe0vJEudybdbb7Rl9C
+tp0jNgveVA/NvR+ZKhBYEctAy7WnQQIDAQABo4GeMIGbMFAGA1UEAwRJE0dGb3Ig
+VGVzdGluZyBQdXJwb3NlcyBPbmx5IFNhbXBsZSBTb2Z0d2FyZSBQdWJsaXNoaW5n
+IENyZWRlbnRpYWxzIEFnZW5jeTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRj
+oRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwDQYJ
+KoZIhvcNAQEEBQADQQAtLj57iUKJP6ghF/rw9cOV22JpW8ncwbP68MRvb2Savecb
+JWhyg2e9VrCNAb0q98xLvYeluocgTEIRQa0QFzuM
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/data/full.p7b.out b/tests/cert-tests/data/full.p7b.out
index fc200f5e17..c4dd043e33 100644
--- a/tests/cert-tests/data/full.p7b.out
+++ b/tests/cert-tests/data/full.p7b.out
@@ -3,10 +3,10 @@ Signers:
Signer's serial: 4de0b4ca
Signature Algorithm: RSA-SHA256
Signed Attributes:
- 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
- 1.2.840.113549.1.9.4: 0420ca23e4b39a242dcece33fc776b6c9195595700f92201de19426d2d505576210f
- 1.2.840.113549.1.9.5: 170d3135303630313139323232325a
- 1.2.840.113549.1.9.3: 06092a864886f70d010701
+ smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
+ messageDigest: 0420ca23e4b39a242dcece33fc776b6c9195595700f92201de19426d2d505576210f
+ signingTime: 170d3135303630313139323232325a
+ contentType: 06092a864886f70d010701
Number of certificates: 2
diff --git a/tests/cert-tests/data/grfc.crt b/tests/cert-tests/data/grfc.crt
index c7af541b5f..0b06f778b8 100644
--- a/tests/cert-tests/data/grfc.crt
+++ b/tests/cert-tests/data/grfc.crt
@@ -37,9 +37,9 @@ X.509 Certificate Information:
ASCII: ...
Hexdump: 020100
Certificate Policies (not critical):
- 1.2.643.100.113.1
- 1.2.643.100.113.2
- 2.5.29.32.0
+ 1.2.643.100.113.1 (Russian security class KC1)
+ 1.2.643.100.113.2 (Russian security class KC2)
+ 2.5.29.32.0 (anyPolicy)
Signature Algorithm: GOSTR341001
Signature:
bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0
diff --git a/tests/cert-tests/data/long-oids.pem b/tests/cert-tests/data/long-oids.pem
index 0306f536b9..15e8b3ed24 100644
--- a/tests/cert-tests/data/long-oids.pem
+++ b/tests/cert-tests/data/long-oids.pem
@@ -36,6 +36,8 @@ X.509 Certificate Information:
Key encipherment.
Data encipherment.
Authority Key Identifier (not critical):
+ directoryName: CN=sat-r220-10.lab.eng.rdu2.redhat.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US
+ serial: 00a4e7caebbe435dcc
caca62860405f0f59b38d22c3c8c650fc6baa53c
Subject Key Identifier (not critical):
0e8d7b53ba5a9e9244e56458a1db8347053e32d3
diff --git a/tests/cert-tests/data/openssl-keyid.p7b.out b/tests/cert-tests/data/openssl-keyid.p7b.out
index 3eefda94c6..de622ea1fe 100644
--- a/tests/cert-tests/data/openssl-keyid.p7b.out
+++ b/tests/cert-tests/data/openssl-keyid.p7b.out
@@ -2,10 +2,10 @@ Signers:
Signer's issuer key ID: 7607584ceab529f52d80068c834a820d09ec93de
Signature Algorithm: RSA-SHA256
Signed Attributes:
- 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
- 1.2.840.113549.1.9.4: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4
- 1.2.840.113549.1.9.5: 170d3136313132343135353132375a
- 1.2.840.113549.1.9.3: 06092a864886f70d010701
+ smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
+ messageDigest: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4
+ signingTime: 170d3136313132343135353132375a
+ contentType: 06092a864886f70d010701
Number of certificates: 2
diff --git a/tests/cert-tests/data/openssl.p7b.out b/tests/cert-tests/data/openssl.p7b.out
index 6330451477..6d2e69d2ea 100644
--- a/tests/cert-tests/data/openssl.p7b.out
+++ b/tests/cert-tests/data/openssl.p7b.out
@@ -3,10 +3,10 @@ Signers:
Signer's serial: 5838027a15510d5a
Signature Algorithm: ECDSA-SHA256
Signed Attributes:
- 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
- 1.2.840.113549.1.9.4: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4
- 1.2.840.113549.1.9.5: 170d3136313132353039333233305a
- 1.2.840.113549.1.9.3: 06092a864886f70d010701
+ smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
+ messageDigest: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4
+ signingTime: 170d3136313132353039333233305a
+ contentType: 06092a864886f70d010701
Number of certificates: 2
diff --git a/tests/cert-tests/data/single-ca.p7b.out b/tests/cert-tests/data/single-ca.p7b.out
index 35744628b8..bb7425e285 100644
--- a/tests/cert-tests/data/single-ca.p7b.out
+++ b/tests/cert-tests/data/single-ca.p7b.out
@@ -3,10 +3,10 @@ Signers:
Signer's serial: 00
Signature Algorithm: RSA-SHA256
Signed Attributes:
- 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
- 1.2.840.113549.1.9.4: 0420aadc1955c030f723e9d89ed9d486b4eef5b0d1c6945be0dd6b7b340d42928ec9
- 1.2.840.113549.1.9.5: 170d3135303533313036343633385a
- 1.2.840.113549.1.9.3: 06092a864886f70d010701
+ smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128
+ messageDigest: 0420aadc1955c030f723e9d89ed9d486b4eef5b0d1c6945be0dd6b7b340d42928ec9
+ signingTime: 170d3135303533313036343633385a
+ contentType: 06092a864886f70d010701
Number of certificates: 1
diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index eed9f068a2..35d438107e 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -265,7 +265,7 @@ if test "${rc}" != "0"; then
fi
${VALGRIND} "${CERTTOOL}" --p7-info --infile "${OUTFILE}" >"${OUTFILE2}"
-grep '1.2.840.113549.1.9.3: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
+grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
if test $? != 0;then
echo "Content-Type was not set in attributes"
exit 1
diff --git a/tests/cert-tests/pkcs7-eddsa b/tests/cert-tests/pkcs7-eddsa
index 3ceee482b2..1fd767bd73 100755
--- a/tests/cert-tests/pkcs7-eddsa
+++ b/tests/cert-tests/pkcs7-eddsa
@@ -97,7 +97,7 @@ if test "${rc}" != "0"; then
fi
${VALGRIND} "${CERTTOOL}" --p7-info --infile "${OUTFILE}" >"${OUTFILE2}"
-grep '1.2.840.113549.1.9.3: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
+grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1
if test $? != 0;then
echo "Content-Type was not set in attributes"
exit 1
diff --git a/tests/data/test1.cat.out b/tests/data/test1.cat.out
index 1a0c955228..d5b20765b4 100644
--- a/tests/data/test1.cat.out
+++ b/tests/data/test1.cat.out
@@ -5,11 +5,11 @@ Signers:
Signature Algorithm: RSA-SHA1
Signed Attributes:
1.3.6.1.4.1.311.2.1.12: 3064a030802e004800650077006c006500740074002d005000610063006b00610072006400200043006f006d00700061006e0079a130802e687474703a2f2f7777772e6d6963726f736f66742e636f6d2f776864632f68636c2f64656661756c742e6d737078
- 1.2.840.113549.1.9.4: 04141c448883117564c1fe830b2833c0ef6b83030c0e
+ messageDigest: 04141c448883117564c1fe830b2833c0ef6b83030c0e
1.3.6.1.4.1.311.2.1.11: 300c060a2b060104018237020115
- 1.2.840.113549.1.9.3: 06092b0601040182370a01
+ contentType: 06092b0601040182370a01
Unsigned Attributes:
- 1.2.840.113549.1.9.6: 3082021102010130818e3077310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f66742054696d652d5374616d7020504341021333000000af5347776c1bf1a3020000000000af300906052b0e03021a0500a05d301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3136303931333231313930395a302306092a864886f70d01090431160414d488cf8097e0d20f170aa7cff5414d9dc2f28f7b300d06092a864886f70d01010505000482010016dcd01f53ac52f8f37898f02352716c9de8dcdee53a2dfb243d503b31f252878e54c5716cd2f2237b82a1269322c50ed304c00a85e50c47b3ce43b2dfff9d1d8032541e28216281e715407b8cbe565fee869aa0e6fb6f421c1c5516c7fead80c1c2117998b0a754bb0683971d78a864707349514121bf2158305d672f8800ea02bd266c198afc22449f4579d7f0db337919accd8f8093539e1d24e5c89c0c1f9734ea8f9bec2ce9ff9f22f9649069b759ba05967742615a3953645572eddb4c5006b6fd4c6226beded0038548ed82d3993b17b473ca75e9891d524be5c39ec422d7a78baaa475bf1aa0e196d7db1858edcacea1ef34b2655772ab8fca3c7766
+ countersignature: 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
Number of certificates: 4
diff --git a/tests/data/test2.cat.out b/tests/data/test2.cat.out
index aead58067c..aec0af9ada 100644
--- a/tests/data/test2.cat.out
+++ b/tests/data/test2.cat.out
@@ -4,9 +4,9 @@ Signers:
Signer's serial: 1656c8b2bf9bb3b24e6f3411cdcff0b5
Signature Algorithm: RSA-SHA1
Signed Attributes:
- 1.2.840.113549.1.9.4: 041490608f08aab36bbeef8cb509bef6e60385058afa
+ messageDigest: 041490608f08aab36bbeef8cb509bef6e60385058afa
1.3.6.1.4.1.311.2.1.11: 300c060a2b060104018237020115
- 1.2.840.113549.1.9.3: 06092b0601040182370a01
+ contentType: 06092b0601040182370a01
1.3.6.1.4.1.311.2.1.12: 3000
Number of certificates: 1