14 files changed, 1002 insertions, 707 deletions
diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj
index 0df3859b4..df7df9f5a 100644
--- a/crypto/crypto.csproj
+++ b/crypto/crypto.csproj
@@ -3039,6 +3039,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\IBlockResult.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\IBufferedCipher.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -3104,11 +3109,21 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\IStreamCalculator.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\IStreamCipher.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\IVerifier.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\IWrapper.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -4454,6 +4469,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\tls\ByteQueueStream.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\tls\CertChainType.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -11600,6 +11620,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "test\src\crypto\tls\test\ByteQueueStreamTest.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "test\src\crypto\tls\test\DtlsProtocolTest.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -11690,6 +11715,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "test\src\crypto\tls\test\TlsProtocolNonBlockingTest.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "test\src\crypto\tls\test\TlsPskProtocolTest.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
diff --git a/crypto/src/crypto/tls/AbstractTlsContext.cs b/crypto/src/crypto/tls/AbstractTlsContext.cs
index e283ee58c..ae7efc64d 100644
--- a/crypto/src/crypto/tls/AbstractTlsContext.cs
+++ b/crypto/src/crypto/tls/AbstractTlsContext.cs
@@ -12,10 +12,21 @@ namespace Org.BouncyCastle.Crypto.Tls
     {
         private static long counter = Times.NanoTime();
 
+#if NETCF_1_0
+        private static object counterLock = new object();
+        private static long NextCounterValue()
+        {
+            lock (counterLock)
+            {
+                return ++counter;
+            }
+        }
+#else
         private static long NextCounterValue()
         {
             return Interlocked.Increment(ref counter);
         }
+#endif
 
         private readonly IRandomGenerator mNonceRandom;
         private readonly SecureRandom mSecureRandom;
@@ -26,7 +37,7 @@ namespace Org.BouncyCastle.Crypto.Tls
         private TlsSession mSession = null;
         private object mUserObject = null;
 
-       internal AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters)
+        internal AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters)
         {
             IDigest d = TlsUtilities.CreateHash(HashAlgorithm.sha256);
             byte[] seed = new byte[d.GetDigestSize()];
diff --git a/crypto/src/crypto/tls/ByteQueueStream.cs b/crypto/src/crypto/tls/ByteQueueStream.cs
new file mode 100644
index 000000000..bf603e006
--- /dev/null
+++ b/crypto/src/crypto/tls/ByteQueueStream.cs
@@ -0,0 +1,114 @@
+using System;
+using System.IO;
+
+namespace Org.BouncyCastle.Crypto.Tls
+{
+    public class ByteQueueStream
+        : Stream
+    {
+        private readonly ByteQueue buffer;
+
+        public ByteQueueStream()
+        {
+            this.buffer = new ByteQueue();
+        }
+
+        public virtual int Available
+        {
+            get { return buffer.Available; }
+        }
+
+        public override bool CanRead
+        {
+            get { return true; }
+        }
+
+        public override bool CanSeek
+        {
+            get { return false; }
+        }
+
+        public override bool CanWrite
+        {
+            get { return true; }
+        }
+
+        public override void Close()
+        {
+        }
+
+        public override void Flush()
+        {
+        }
+
+        public override long Length
+        {
+            get { throw new NotSupportedException(); }
+        }
+
+        public virtual int Peek(byte[] buf)
+        {
+            int bytesToRead = System.Math.Min(buffer.Available, buf.Length);
+            buffer.Read(buf, 0, bytesToRead, 0);
+            return bytesToRead;
+        }
+
+        public override long Position
+        {
+            get { throw new NotSupportedException(); }
+            set { throw new NotSupportedException(); }
+        }
+
+        public virtual int Read(byte[] buf)
+        {
+            return Read(buf, 0, buf.Length);
+        }
+
+        public override int Read(byte[] buf, int off, int len)
+        {
+            int bytesToRead = System.Math.Min(buffer.Available, len);
+            buffer.RemoveData(buf, off, bytesToRead, 0);
+            return bytesToRead;
+        }
+
+        public override int ReadByte()
+        {
+            if (buffer.Available == 0)
+                return -1;
+
+            return buffer.RemoveData(1, 0)[0] & 0xFF;
+        }
+
+        public override long Seek(long offset, SeekOrigin origin)
+        {
+            throw new NotSupportedException();
+        }
+
+        public override void SetLength(long value)
+        {
+            throw new NotSupportedException();
+        }
+
+        public virtual int Skip(int n)
+        {
+            int bytesToSkip = System.Math.Min(buffer.Available, n);
+            buffer.RemoveData(bytesToSkip);
+            return bytesToSkip;
+        }
+
+        public virtual void Write(byte[] buf)
+        {
+            buffer.AddData(buf, 0, buf.Length);
+        }
+
+        public override void Write(byte[] buf, int off, int len)
+        {
+            buffer.AddData(buf, off, len);
+        }
+
+        public override void WriteByte(byte b)
+        {
+            buffer.AddData(new byte[]{ b }, 0, 1);
+        }
+    }
+}
diff --git a/crypto/src/crypto/tls/RecordStream.cs b/crypto/src/crypto/tls/RecordStream.cs
index db5b158bc..6f3fc41c6 100644
--- a/crypto/src/crypto/tls/RecordStream.cs
+++ b/crypto/src/crypto/tls/RecordStream.cs
@@ -8,6 +8,11 @@ namespace Org.BouncyCastle.Crypto.Tls
     {
         private const int DEFAULT_PLAINTEXT_LIMIT = (1 << 14);
 
+        internal const int TLS_HEADER_SIZE = 5;
+        internal const int TLS_HEADER_TYPE_OFFSET = 0;
+        internal const int TLS_HEADER_VERSION_OFFSET = 1;
+        internal const int TLS_HEADER_LENGTH_OFFSET = 3;
+
         private TlsProtocol mHandler;
         private Stream mInput;
         private Stream mOutput;
@@ -116,11 +121,11 @@ namespace Org.BouncyCastle.Crypto.Tls
 
         internal virtual bool ReadRecord()
         {
-            byte[] recordHeader = TlsUtilities.ReadAllOrNothing(5, mInput);
+            byte[] recordHeader = TlsUtilities.ReadAllOrNothing(TLS_HEADER_SIZE, mInput);
             if (recordHeader == null)
                 return false;
 
-            byte type = TlsUtilities.ReadUint8(recordHeader, 0);
+            byte type = TlsUtilities.ReadUint8(recordHeader, TLS_HEADER_TYPE_OFFSET);
 
             /*
              * RFC 5246 6. If a TLS implementation receives an unexpected record type, it MUST send an
@@ -130,13 +135,13 @@ namespace Org.BouncyCastle.Crypto.Tls
 
             if (!mRestrictReadVersion)
             {
-                int version = TlsUtilities.ReadVersionRaw(recordHeader, 1);
+                int version = TlsUtilities.ReadVersionRaw(recordHeader, TLS_HEADER_VERSION_OFFSET);
                 if ((version & 0xffffff00) != 0x0300)
                     throw new TlsFatalAlert(AlertDescription.illegal_parameter);
             }
             else
             {
-                ProtocolVersion version = TlsUtilities.ReadVersion(recordHeader, 1);
+                ProtocolVersion version = TlsUtilities.ReadVersion(recordHeader, TLS_HEADER_VERSION_OFFSET);
                 if (mReadVersion == null)
                 {
                     mReadVersion = version;
@@ -147,7 +152,7 @@ namespace Org.BouncyCastle.Crypto.Tls
                 }
             }
 
-            int length = TlsUtilities.ReadUint16(recordHeader, 3);
+            int length = TlsUtilities.ReadUint16(recordHeader, TLS_HEADER_LENGTH_OFFSET);
             byte[] plaintext = DecodeAndVerify(type, mInput, length);
             mHandler.ProcessRecord(type, plaintext, 0, plaintext.Length);
             return true;
@@ -247,11 +252,11 @@ namespace Org.BouncyCastle.Crypto.Tls
              */
             CheckLength(ciphertext.Length, mCiphertextLimit, AlertDescription.internal_error);
 
-            byte[] record = new byte[ciphertext.Length + 5];
-            TlsUtilities.WriteUint8(type, record, 0);
-            TlsUtilities.WriteVersion(mWriteVersion, record, 1);
-            TlsUtilities.WriteUint16(ciphertext.Length, record, 3);
-            Array.Copy(ciphertext, 0, record, 5, ciphertext.Length);
+            byte[] record = new byte[ciphertext.Length + TLS_HEADER_SIZE];
+            TlsUtilities.WriteUint8(type, record, TLS_HEADER_TYPE_OFFSET);
+            TlsUtilities.WriteVersion(mWriteVersion, record, TLS_HEADER_VERSION_OFFSET);
+            TlsUtilities.WriteUint16(ciphertext.Length, record, TLS_HEADER_LENGTH_OFFSET);
+            Array.Copy(ciphertext, 0, record, TLS_HEADER_SIZE, ciphertext.Length);
             mOutput.Write(record, 0, record.Length);
             mOutput.Flush();
         }
diff --git a/crypto/src/crypto/tls/TlsClientProtocol.cs b/crypto/src/crypto/tls/TlsClientProtocol.cs
index 7b8439acc..14c1cf4a4 100644
--- a/crypto/src/crypto/tls/TlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/TlsClientProtocol.cs
@@ -21,21 +21,56 @@ namespace Org.BouncyCastle.Crypto.Tls
         protected CertificateStatus mCertificateStatus = null;
         protected CertificateRequest mCertificateRequest = null;
 
+        /**
+         * Constructor for blocking mode.
+         * @param stream The bi-directional stream of data to/from the server
+         * @param secureRandom Random number generator for various cryptographic functions
+         */
         public TlsClientProtocol(Stream stream, SecureRandom secureRandom)
-            :   base(stream, secureRandom)
+            : base(stream, secureRandom)
         {
         }
 
+        /**
+         * Constructor for blocking mode.
+         * @param input The stream of data from the server
+         * @param output The stream of data to the server
+         * @param secureRandom Random number generator for various cryptographic functions
+         */
         public TlsClientProtocol(Stream input, Stream output, SecureRandom secureRandom)
-            :   base(input, output, secureRandom)
+            : base(input, output, secureRandom)
+        {
+        }
+
+        /**
+         * Constructor for non-blocking mode.<br>
+         * <br>
+         * When data is received, use {@link #offerInput(java.nio.ByteBuffer)} to
+         * provide the received ciphertext, then use
+         * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br>
+         * <br>
+         * Similarly, when data needs to be sent, use
+         * {@link #offerOutput(byte[], int, int)} to provide the cleartext, then use
+         * {@link #readOutput(byte[], int, int)} to get the corresponding
+         * ciphertext.
+         * 
+         * @param secureRandom
+         *            Random number generator for various cryptographic functions
+         */
+        public TlsClientProtocol(SecureRandom secureRandom)
+            : base(secureRandom)
         {
         }
 
         /**
-         * Initiates a TLS handshake in the role of client
+         * Initiates a TLS handshake in the role of client.<br>
+         * <br>
+         * In blocking mode, this will not return until the handshake is complete.
+         * In non-blocking mode, use {@link TlsPeer#NotifyHandshakeComplete()} to
+         * receive a callback when the handshake is complete.
          *
          * @param tlsClient The {@link TlsClient} to use for the handshake.
-         * @throws IOException If handshake was not successful.
+         * @throws IOException If in blocking mode and handshake was not successful.
          */
         public virtual void Connect(TlsClient tlsClient)
         {
@@ -71,7 +106,7 @@ namespace Org.BouncyCastle.Crypto.Tls
             SendClientHelloMessage();
             this.mConnectionState = CS_CLIENT_HELLO;
 
-            CompleteHandshake();
+            BlockForHandshake();
         }
 
         protected override void CleanupHandshake()
@@ -116,6 +151,7 @@ namespace Org.BouncyCastle.Crypto.Tls
                 this.mConnectionState = CS_CLIENT_FINISHED;
                 this.mConnectionState = CS_END;
 
+                CompleteHandshake();
                 return;
             }
 
@@ -208,6 +244,8 @@ namespace Org.BouncyCastle.Crypto.Tls
                     ProcessFinishedMessage(buf);
                     this.mConnectionState = CS_SERVER_FINISHED;
                     this.mConnectionState = CS_END;
+
+                    CompleteHandshake();
                     break;
                 }
                 default:
diff --git a/crypto/src/crypto/tls/TlsProtocol.cs b/crypto/src/crypto/tls/TlsProtocol.cs
index 8eb7beb3f..7acc34d3c 100644
--- a/crypto/src/crypto/tls/TlsProtocol.cs
+++ b/crypto/src/crypto/tls/TlsProtocol.cs
@@ -72,6 +72,10 @@ namespace Org.BouncyCastle.Crypto.Tls
         protected bool mAllowCertificateStatus = false;
         protected bool mExpectSessionTicket = false;
 
+        protected bool mBlocking = true;
+        protected ByteQueueStream mInputBuffers = null;
+        protected ByteQueueStream mOutputBuffer = null;
+
         public TlsProtocol(Stream stream, SecureRandom secureRandom)
             :   this(stream, stream, secureRandom)
         {
@@ -83,6 +87,15 @@ namespace Org.BouncyCastle.Crypto.Tls
             this.mSecureRandom = secureRandom;
         }
 
+        public TlsProtocol(SecureRandom secureRandom)
+        {
+            this.mBlocking = false;
+            this.mInputBuffers = new ByteQueueStream();
+            this.mOutputBuffer = new ByteQueueStream();
+            this.mRecordStream = new RecordStream(this, mInputBuffers, mOutputBuffer);
+            this.mSecureRandom = secureRandom;
+        }
+
         protected abstract TlsContext Context { get; }
 
         internal abstract AbstractTlsContext ContextAdmin { get; }
@@ -140,13 +153,10 @@ namespace Org.BouncyCastle.Crypto.Tls
             this.mExpectSessionTicket = false;
         }
 
-        protected virtual void CompleteHandshake()
+        protected virtual void BlockForHandshake()
         {
-            try
+            if (mBlocking)
             {
-                /*
-                 * We will now read data, until we have completed the handshake.
-                 */
                 while (this.mConnectionState != CS_END)
                 {
                     if (this.mClosed)
@@ -156,7 +166,13 @@ namespace Org.BouncyCastle.Crypto.Tls
 
                     SafeReadRecord();
                 }
+            }
+        }
 
+        protected virtual void CompleteHandshake()
+        {
+            try
+            {
                 this.mRecordStream.FinaliseHandshake();
 
                 this.mSplitApplicationDataRecords = !TlsUtilities.IsTlsV11(Context);
@@ -168,7 +184,10 @@ namespace Org.BouncyCastle.Crypto.Tls
                 {
                     this.mAppDataReady = true;
 
-                    this.mTlsStream = new TlsStream(this);
+                    if (mBlocking)
+                    {
+                        this.mTlsStream = new TlsStream(this);
+                    }
                 }
 
                 if (this.mTlsSession != null)
@@ -573,9 +592,156 @@ namespace Org.BouncyCastle.Crypto.Tls
         }
 
         /// <summary>The secure bidirectional stream for this connection</summary>
+        /// <remarks>Only allowed in blocking mode.</remarks>
         public virtual Stream Stream
         {
-            get { return this.mTlsStream; }
+            get
+            {
+                if (!mBlocking)
+                    throw new InvalidOperationException("Cannot use Stream in non-blocking mode! Use OfferInput()/OfferOutput() instead.");
+                return this.mTlsStream;
+            }
+        }
+
+        /**
+         * Offer input from an arbitrary source. Only allowed in non-blocking mode.<br>
+         * <br>
+         * After this method returns, the input buffer is "owned" by this object. Other code
+         * must not attempt to do anything with it.<br>
+         * <br>
+         * This method will decrypt and process all records that are fully available.
+         * If only part of a record is available, the buffer will be retained until the
+         * remainder of the record is offered.<br>
+         * <br>
+         * If any records containing application data were processed, the decrypted data
+         * can be obtained using {@link #readInput(byte[], int, int)}. If any records
+         * containing protocol data were processed, a response may have been generated.
+         * You should always check to see if there is any available output after calling
+         * this method by calling {@link #getAvailableOutputBytes()}.
+         * @param input The input buffer to offer
+         * @throws IOException If an error occurs while decrypting or processing a record
+         */
+        public virtual void OfferInput(byte[] input)
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use OfferInput() in blocking mode! Use Stream instead.");
+            if (mClosed)
+                throw new IOException("Connection is closed, cannot accept any more input");
+
+            mInputBuffers.Write(input);
+
+            // loop while there are enough bytes to read the length of the next record
+            while (mInputBuffers.Available >= RecordStream.TLS_HEADER_SIZE)
+            {
+                byte[] header = new byte[RecordStream.TLS_HEADER_SIZE];
+                mInputBuffers.Peek(header);
+
+                int totalLength = TlsUtilities.ReadUint16(header, RecordStream.TLS_HEADER_LENGTH_OFFSET) + RecordStream.TLS_HEADER_SIZE;
+                if (mInputBuffers.Available < totalLength)
+                {
+                    // not enough bytes to read a whole record
+                    break;
+                }
+
+                SafeReadRecord();
+            }
+        }
+
+        /**
+         * Gets the amount of received application data. A call to {@link #readInput(byte[], int, int)}
+         * is guaranteed to be able to return at least this much data.<br>
+         * <br>
+         * Only allowed in non-blocking mode.
+         * @return The number of bytes of available application data
+         */
+        public virtual int GetAvailableInputBytes()
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use GetAvailableInputBytes() in blocking mode! Use ApplicationDataAvailable() instead.");
+
+            return ApplicationDataAvailable();
+        }
+
+        /**
+         * Retrieves received application data. Use {@link #getAvailableInputBytes()} to check
+         * how much application data is currently available. This method functions similarly to
+         * {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data
+         * is available, nothing will be copied and zero will be returned.<br>
+         * <br>
+         * Only allowed in non-blocking mode.
+         * @param buffer The buffer to hold the application data
+         * @param offset The start offset in the buffer at which the data is written
+         * @param length The maximum number of bytes to read
+         * @return The total number of bytes copied to the buffer. May be less than the
+         *          length specified if the length was greater than the amount of available data.
+         */
+        public virtual int ReadInput(byte[] buffer, int offset, int length)
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use ReadInput() in blocking mode! Use Stream instead.");
+
+            return ReadApplicationData(buffer, offset, System.Math.Min(length, ApplicationDataAvailable()));
+        }
+
+        /**
+         * Offer output from an arbitrary source. Only allowed in non-blocking mode.<br>
+         * <br>
+         * After this method returns, the specified section of the buffer will have been
+         * processed. Use {@link #readOutput(byte[], int, int)} to get the bytes to
+         * transmit to the other peer.<br>
+         * <br>
+         * This method must not be called until after the handshake is complete! Attempting
+         * to call it before the handshake is complete will result in an exception.
+         * @param buffer The buffer containing application data to encrypt
+         * @param offset The offset at which to begin reading data
+         * @param length The number of bytes of data to read
+         * @throws IOException If an error occurs encrypting the data, or the handshake is not complete
+         */
+        public virtual void OfferOutput(byte[] buffer, int offset, int length)
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use OfferOutput() in blocking mode! Use Stream instead.");
+            if (!mAppDataReady)
+                throw new IOException("Application data cannot be sent until the handshake is complete!");
+
+            WriteData(buffer, offset, length);
+        }
+
+        /**
+         * Gets the amount of encrypted data available to be sent. A call to
+         * {@link #readOutput(byte[], int, int)} is guaranteed to be able to return at
+         * least this much data.<br>
+         * <br>
+         * Only allowed in non-blocking mode.
+         * @return The number of bytes of available encrypted data
+         */
+        public virtual int GetAvailableOutputBytes()
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use GetAvailableOutputBytes() in blocking mode! Use Stream instead.");
+
+            return mOutputBuffer.Available;
+        }
+
+        /**
+         * Retrieves encrypted data to be sent. Use {@link #getAvailableOutputBytes()} to check
+         * how much encrypted data is currently available. This method functions similarly to
+         * {@link InputStream#read(byte[], int, int)}, except that it never blocks. If no data
+         * is available, nothing will be copied and zero will be returned.<br>
+         * <br>
+         * Only allowed in non-blocking mode.
+         * @param buffer The buffer to hold the encrypted data
+         * @param offset The start offset in the buffer at which the data is written
+         * @param length The maximum number of bytes to read
+         * @return The total number of bytes copied to the buffer. May be less than the
+         *          length specified if the length was greater than the amount of available data.
+         */
+        public virtual int ReadOutput(byte[] buffer, int offset, int length)
+        {
+            if (mBlocking)
+                throw new InvalidOperationException("Cannot use ReadOutput() in blocking mode! Use Stream instead.");
+
+            return mOutputBuffer.Read(buffer, offset, length);
         }
 
         /**
@@ -764,7 +930,7 @@ namespace Org.BouncyCastle.Crypto.Tls
             mRecordStream.Flush();
         }
 
-        protected internal virtual bool IsClosed
+        public virtual bool IsClosed
         {
             get { return mClosed; }
         }
diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs
index b73cb5a30..27f7a1dfd 100644
--- a/crypto/src/crypto/tls/TlsServerProtocol.cs
+++ b/crypto/src/crypto/tls/TlsServerProtocol.cs
@@ -22,21 +22,57 @@ namespace Org.BouncyCastle.Crypto.Tls
         protected short mClientCertificateType = -1;
         protected TlsHandshakeHash mPrepareFinishHash = null;
 
+        /**
+         * Constructor for blocking mode.
+         * @param stream The bi-directional stream of data to/from the client
+         * @param output The stream of data to the client
+         * @param secureRandom Random number generator for various cryptographic functions
+         */
         public TlsServerProtocol(Stream stream, SecureRandom secureRandom)
-            :   base(stream, secureRandom)
+            : base(stream, secureRandom)
         {
         }
 
+        /**
+         * Constructor for blocking mode.
+         * @param input The stream of data from the client
+         * @param output The stream of data to the client
+         * @param secureRandom Random number generator for various cryptographic functions
+         */
         public TlsServerProtocol(Stream input, Stream output, SecureRandom secureRandom)
-            :   base(input, output, secureRandom)
+            : base(input, output, secureRandom)
+        {
+        }
+
+        /**
+         * Constructor for non-blocking mode.<br>
+         * <br>
+         * When data is received, use {@link #offerInput(java.nio.ByteBuffer)} to
+         * provide the received ciphertext, then use
+         * {@link #readInput(byte[], int, int)} to read the corresponding cleartext.<br>
+         * <br>
+         * Similarly, when data needs to be sent, use
+         * {@link #offerOutput(byte[], int, int)} to provide the cleartext, then use
+         * {@link #readOutput(byte[], int, int)} to get the corresponding
+         * ciphertext.
+         * 
+         * @param secureRandom
+         *            Random number generator for various cryptographic functions
+         */
+        public TlsServerProtocol(SecureRandom secureRandom)
+            : base(secureRandom)
         {
         }
 
         /**
-         * Receives a TLS handshake in the role of server
+         * Receives a TLS handshake in the role of server.<br>
+         * <br>
+         * In blocking mode, this will not return until the handshake is complete.
+         * In non-blocking mode, use {@link TlsPeer#notifyHandshakeComplete()} to
+         * receive a callback when the handshake is complete.
          *
-         * @param mTlsServer
-         * @throws IOException If handshake was not successful.
+         * @param tlsServer
+         * @throws IOException If in blocking mode and handshake was not successful.
          */
         public virtual void Accept(TlsServer tlsServer)
         {
@@ -60,7 +96,7 @@ namespace Org.BouncyCastle.Crypto.Tls
 
             this.mRecordStream.SetRestrictReadVersion(false);
 
-            CompleteHandshake();
+            BlockForHandshake();
         }
 
         protected override void CleanupHandshake()
@@ -329,6 +365,8 @@ namespace Org.BouncyCastle.Crypto.Tls
                     SendFinishedMessage();
                     this.mConnectionState = CS_SERVER_FINISHED;
                     this.mConnectionState = CS_END;
+
+                    CompleteHandshake();
                     break;
                 }
                 default:
diff --git a/crypto/src/security/SecureRandom.cs b/crypto/src/security/SecureRandom.cs
index f46427a5c..137a471c1 100644
--- a/crypto/src/security/SecureRandom.cs
+++ b/crypto/src/security/SecureRandom.cs
@@ -13,12 +13,16 @@ namespace Org.BouncyCastle.Security
     {
         private static long counter = Times.NanoTime();
 
+#if NETCF_1_0
+        private static object counterLock = new object();
         private static long NextCounterValue()
         {
-            return Interlocked.Increment(ref counter);
+            lock (counterLock)
+            {
+                return ++counter;
+            }
         }
 
-#if NETCF_1_0
         private static readonly SecureRandom[] master = { null };
         private static SecureRandom Master
         {
@@ -43,6 +47,11 @@ namespace Org.BouncyCastle.Security
             }
         }
 #else
+        private static long NextCounterValue()
+        {
+            return Interlocked.Increment(ref counter);
+        }
+
         private static readonly SecureRandom master = new SecureRandom(new CryptoApiRandomGenerator());
         private static SecureRandom Master
         {
diff --git a/crypto/test/src/cms/test/CMSTestUtil.cs b/crypto/test/src/cms/test/CMSTestUtil.cs
index ef7f9169f..69f7c2983 100644
--- a/crypto/test/src/cms/test/CMSTestUtil.cs
+++ b/crypto/test/src/cms/test/CMSTestUtil.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections;
 using System.IO;
 using System.Text;
 
@@ -12,6 +13,7 @@ using Org.BouncyCastle.Utilities.Encoders;
 using Org.BouncyCastle.Utilities.IO;
 using Org.BouncyCastle.X509;
 using Org.BouncyCastle.X509.Extension;
+using Org.BouncyCastle.X509.Store;
 
 namespace Org.BouncyCastle.Cms.Tests
 {
@@ -450,7 +452,40 @@ namespace Org.BouncyCastle.Cms.Tests
 		*  INTERNAL METHODS
 		*
 		*/
-		private static AuthorityKeyIdentifier CreateAuthorityKeyId(
+        internal static IX509Store MakeAttrCertStore(params IX509AttributeCertificate[] attrCerts)
+        {
+            IList attrCertList = new ArrayList();
+            foreach (IX509AttributeCertificate attrCert in attrCerts)
+            {
+                attrCertList.Add(attrCert);
+            }
+
+            return X509StoreFactory.Create("AttributeCertificate/Collection", new X509CollectionStoreParameters(attrCertList));
+        }
+
+        internal static IX509Store MakeCertStore(params X509Certificate[] certs)
+        {
+            IList certList = new ArrayList();
+            foreach (X509Certificate cert in certs)
+            {
+                certList.Add(cert);
+            }
+
+            return X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList));
+        }
+
+        internal static IX509Store MakeCrlStore(params X509Crl[] crls)
+        {
+            IList crlList = new ArrayList();
+            foreach (X509Crl crl in crls)
+            {
+                crlList.Add(crl);
+            }
+
+            return X509StoreFactory.Create("CRL/Collection", new X509CollectionStoreParameters(crlList));
+        }
+
+        private static AuthorityKeyIdentifier CreateAuthorityKeyId(
 			AsymmetricKeyParameter _pubKey)
 		{
 			SubjectPublicKeyInfo _info = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(_pubKey);
diff --git a/crypto/test/src/cms/test/MiscDataStreamTest.cs b/crypto/test/src/cms/test/MiscDataStreamTest.cs
index f958d058f..4cb19884b 100644
--- a/crypto/test/src/cms/test/MiscDataStreamTest.cs
+++ b/crypto/test/src/cms/test/MiscDataStreamTest.cs
@@ -207,15 +207,12 @@ namespace Org.BouncyCastle.Cms.Tests
 
 			sp.GetSignedContent().Drain();
 
-			//
-			// compute expected content digest
-			//
-			IDigest md = DigestUtilities.GetDigest("SHA1");
-			byte[] cDataOutBytes = cDataOut.ToArray();
-			md.BlockUpdate(cDataOutBytes, 0, cDataOutBytes.Length);
-			byte[] hash = DigestUtilities.DoFinal(md);
-
-			VerifySignatures(sp, hash);
+            byte[] cDataOutBytes = cDataOut.ToArray();
+
+            // compute expected content digest
+            byte[] hash = DigestUtilities.CalculateDigest("SHA1", cDataOutBytes);
+
+            VerifySignatures(sp, hash);
 		}
 	}
 }
diff --git a/crypto/test/src/cms/test/SignedDataStreamTest.cs b/crypto/test/src/cms/test/SignedDataStreamTest.cs
index 96f3f125d..2131938e7 100644
--- a/crypto/test/src/cms/test/SignedDataStreamTest.cs
+++ b/crypto/test/src/cms/test/SignedDataStreamTest.cs
@@ -233,112 +233,74 @@ namespace Org.BouncyCastle.Cms.Tests
 			VerifySignatures(sp);
 		}
 
-//		[Test]
-//		public void TestSha1WithRsaNoAttributes()
-//		{
-//			IList certList = new ArrayList();
-//			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes(TestMessage));
-//
-//			certList.Add(OrigCert);
-//			certList.Add(SignCert);
-//
-//			IX509Store x509Certs = X509StoreFactory.Create(
-//				"Certificate/Collection",
-//				new X509CollectionStoreParameters(certList));
-//
-//			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
-//
-//			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-//
-//			gen.AddCertificates(x509Certs);
-//
-//			CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
-//
-//			CmsSignedDataParser sp = new CmsSignedDataParser(
-//				new CmsTypedStream(new MemoryStream(Encoding.ASCII.GetBytes(TestMessage), false)), s.GetEncoded());
-//
-//			sp.GetSignedContent().Drain();
-//
-//			//
-//			// compute expected content digest
-//			//
-//			IDigest md = DigestUtilities.GetDigest("SHA1");
-//
-//			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
-//			md.BlockUpdate(testBytes, 0, testBytes.Length);
-//			byte[] hash = DigestUtilities.DoFinal(md);
-//
-//			VerifySignatures(sp, hash);
-//		}
+        //[Test]
+        //public void TestSha1WithRsaNoAttributes()
+        //{
+        //    CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes(TestMessage));
 
-//		[Test]
-//		public void TestDsaNoAttributes()
-//		{
-//			IList certList = new ArrayList();
-//			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes(TestMessage));
-//
-//			certList.Add(OrigDsaCert);
-//			certList.Add(SignCert);
-//
-//			IX509Store x509Certs = X509StoreFactory.Create(
-//				"Certificate/Collection",
-//				new X509CollectionStoreParameters(certList));
-//
-//			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
-//
-//			gen.AddSigner(OrigDsaKP.Private, OrigDsaCert, CmsSignedDataGenerator.DigestSha1);
-//
-//			gen.AddCertificates(x509Certs);
-//
-//			CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
-//
-//			CmsSignedDataParser sp = new CmsSignedDataParser(
-//				new CmsTypedStream(
-//				new MemoryStream(Encoding.ASCII.GetBytes(TestMessage), false)),
-//				s.GetEncoded());
-//
-//			sp.GetSignedContent().Drain();
-//
-//			//
-//			// compute expected content digest
-//			//
-//			IDigest md = DigestUtilities.GetDigest("SHA1");
-//
-//			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
-//			md.BlockUpdate(testBytes, 0, testBytes.Length);
-//			byte[] hash = DigestUtilities.DoFinal(md);
-//
-//			VerifySignatures(sp, hash);
-//		}
+        //    IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
+
+        //    CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+        //    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
+        //    gen.AddCertificates(x509Certs);
+
+        //    CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
+
+        //    CmsSignedDataParser sp = new CmsSignedDataParser(
+        //        new CmsTypedStream(new MemoryStream(Encoding.ASCII.GetBytes(TestMessage), false)), s.GetEncoded());
+
+        //    sp.GetSignedContent().Drain();
+
+        //    byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+
+        //    // compute expected content digest
+        //    byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
+
+        //    VerifySignatures(sp, hash);
+        //}
+
+        //[Test]
+        //public void TestDsaNoAttributes()
+        //{
+        //    CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes(TestMessage));
+
+        //    IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigDsaCert, SignCert);
+
+        //    CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+        //    gen.AddSigner(OrigDsaKP.Private, OrigDsaCert, CmsSignedDataGenerator.DigestSha1);
+        //    gen.AddCertificates(x509Certs);
+
+        //    CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
+
+        //    CmsSignedDataParser sp = new CmsSignedDataParser(
+        //        new CmsTypedStream(
+        //        new MemoryStream(Encoding.ASCII.GetBytes(TestMessage), false)),
+        //        s.GetEncoded());
+
+        //    sp.GetSignedContent().Drain();
+
+        //    byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+
+        //    // compute expected content digest
+        //    byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
+
+        //    VerifySignatures(sp, hash);
+        //}
 
 		[Test]
 		public void TestSha1WithRsa()
 		{
-			IList certList = new ArrayList();
-			IList crlList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			crlList.Add(SignCrl);
-			crlList.Add(OrigCrl);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-			IX509Store x509Crls = X509StoreFactory.Create(
-				"CRL/Collection",
-				new X509CollectionStoreParameters(crlList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
+            IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 			gen.AddCrls(x509Crls);
 
-			Stream sigOut = gen.Open(bOut);
+            Stream sigOut = gen.Open(bOut);
 
 			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 			sigOut.Write(testBytes, 0, testBytes.Length);
@@ -352,41 +314,33 @@ namespace Org.BouncyCastle.Cms.Tests
 
 			sp.GetSignedContent().Drain();
 
-			//
-			// compute expected content digest
-			//
-			IDigest md = DigestUtilities.GetDigest("SHA1");
-			md.BlockUpdate(testBytes, 0, testBytes.Length);
-			byte[] hash = DigestUtilities.DoFinal(md);
+            // compute expected content digest
+            byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
 
-			VerifySignatures(sp, hash);
+            VerifySignatures(sp, hash);
 
 			//
 			// try using existing signer
 			//
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigners(sp.GetSignerInfos());
-
 			gen.AddCertificates(sp.GetCertificates("Collection"));
 			gen.AddCrls(sp.GetCrls("Collection"));
 
-			bOut.SetLength(0);
-
-			sigOut = gen.Open(bOut, true);
+            bOut.SetLength(0);
 
+            sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			VerifyEncodedData(bOut);
+            VerifyEncodedData(bOut);
 
-			//
+            //
 			// look for the CRLs
 			//
 			ArrayList col = new ArrayList(x509Crls.GetMatches(null));
 
-			Assert.AreEqual(2, col.Count);
+            Assert.AreEqual(2, col.Count);
 			Assert.IsTrue(col.Contains(SignCrl));
 			Assert.IsTrue(col.Contains(OrigCrl));
 		}
@@ -394,80 +348,53 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSha1WithRsaNonData()
 		{
-			IList certList = new ArrayList();
-			IList crlList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			crlList.Add(SignCrl);
-			crlList.Add(OrigCrl);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-			IX509Store x509Crls = X509StoreFactory.Create(
-				"CRL/Collection",
-				new X509CollectionStoreParameters(crlList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
+            IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 			gen.AddCrls(x509Crls);
 
-			Stream sigOut = gen.Open(bOut, "1.2.3.4", true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+            Stream sigOut = gen.Open(bOut, "1.2.3.4", true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
-			CmsTypedStream stream = sp.GetSignedContent();
+            CmsTypedStream stream = sp.GetSignedContent();
 
 			Assert.AreEqual("1.2.3.4", stream.ContentType);
 
 			stream.Drain();
 
-			//
-			// compute expected content digest
-			//
-			IDigest md = DigestUtilities.GetDigest("SHA1");
-			md.BlockUpdate(testBytes, 0, testBytes.Length);
-			byte[] hash = DigestUtilities.DoFinal(md);
+            // compute expected content digest
+            byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
 
-			VerifySignatures(sp, hash);
+            VerifySignatures(sp, hash);
 		}
 
-		[Test]
+        [Test]
 		public void TestSha1AndMD5WithRsa()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddDigests(CmsSignedDataStreamGenerator.DigestSha1,
 				CmsSignedDataStreamGenerator.DigestMD5);
 
-			Stream sigOut = gen.Open(bOut);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+            Stream sigOut = gen.Open(bOut);
 			sigOut.Write(testBytes, 0, testBytes.Length);
 
 			gen.AddCertificates(x509Certs);
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestMD5);
 
@@ -486,39 +413,29 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSha1WithRsaEncapsulatedBufferedStream()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
-			//
+            //
 			// find unbuffered length
 			//
 			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
 			Stream sigOut = gen.Open(bOut, true);
-
 			for (int i = 0; i != 2000; i++)
 			{
 				sigOut.WriteByte((byte)(i & 0xff));
 			}
-
 			sigOut.Close();
 
 			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
-			sp.GetSignedContent().Drain();
+            sp.GetSignedContent().Drain();
 
-			VerifySignatures(sp);
+            VerifySignatures(sp);
 
 			int unbufferedLength = bOut.ToArray().Length;
 
@@ -528,9 +445,7 @@ namespace Org.BouncyCastle.Cms.Tests
 			bOut.SetLength(0);
 
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
 			sigOut = gen.Open(bOut, true);
@@ -541,10 +456,10 @@ namespace Org.BouncyCastle.Cms.Tests
 				data[i] = (byte)(i & 0xff);
 			}
 
-			Streams.PipeAll(new MemoryStream(data, false), sigOut);
+            Streams.PipeAll(new MemoryStream(data, false), sigOut);
 			sigOut.Close();
 
-			VerifyEncodedData(bOut);
+            VerifyEncodedData(bOut);
 
 			Assert.AreEqual(unbufferedLength, bOut.ToArray().Length);
 		}
@@ -552,23 +467,15 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSha1WithRsaEncapsulatedBuffered()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			//
 			// find unbuffered length
 			//
 			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
 			Stream sigOut = gen.Open(bOut, true);
@@ -594,14 +501,11 @@ namespace Org.BouncyCastle.Cms.Tests
 			bOut.SetLength(0);
 
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.SetBufferSize(300);
-
-			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
+            gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
 			gen.AddCertificates(x509Certs);
 
-			sigOut = gen.Open(bOut, true);
+            sigOut = gen.Open(bOut, true);
 
 			for (int i = 0; i != 2000; i++)
 			{
@@ -618,38 +522,29 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSha1WithRsaEncapsulated()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+            Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
 			sp.GetSignedContent().Drain();
 
 			VerifySignatures(sp);
 
-			byte[] contentDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1];
+            byte[] contentDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1];
 
-			ArrayList signers = new ArrayList(sp.GetSignerInfos().GetSigners());
+            ArrayList signers = new ArrayList(sp.GetSignerInfos().GetSigners());
 
 			AttributeTable table = ((SignerInformation) signers[0]).SignedAttributes;
 			Asn1.Cms.Attribute hash = table[CmsAttributes.MessageDigest];
@@ -660,26 +555,22 @@ namespace Org.BouncyCastle.Cms.Tests
 			// try using existing signer
 			//
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigners(sp.GetSignerInfos());
-
 			gen.AddCertificates(sp.GetCertificates("Collection"));
 			gen.AddCrls(sp.GetCrls("Collection"));
 
-			bOut.SetLength(0);
-
-			sigOut = gen.Open(bOut, true);
+            bOut.SetLength(0);
 
+            sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedData sd = new CmsSignedData(
+            CmsSignedData sd = new CmsSignedData(
 				new CmsProcessableByteArray(testBytes), bOut.ToArray());
 
-			Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count);
+            Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count);
 
-			VerifyEncodedData(bOut);
+            VerifyEncodedData(bOut);
 		}
 
 		private static readonly DerObjectIdentifier dummyOid1 = new DerObjectIdentifier("1.2.3");
@@ -718,32 +609,23 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 	    public void TestSha1WithRsaEncapsulatedSubjectKeyID()
 	    {
-	        IList certList = new ArrayList();
 	        MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 	        gen.AddSigner(OrigKP.Private,
 				CmsTestUtil.CreateSubjectKeyId(OrigCert.GetPublicKey()).GetKeyIdentifier(),
 				CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
-
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
-			sigOut.Write(testBytes, 0, testBytes.Length);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
+            Stream sigOut = gen.Open(bOut, true);
+            sigOut.Write(testBytes, 0, testBytes.Length);
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
 			sp.GetSignedContent().Drain();
 
@@ -762,55 +644,42 @@ namespace Org.BouncyCastle.Cms.Tests
 			// try using existing signer
 			//
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigners(sp.GetSignerInfos());
-
-//			gen.AddCertificatesAndCRLs(sp.getCertificatesAndCRLs("Collection", "BC"));
+//			gen.AddCertificatesAndCRLs(sp.GetCertificatesAndCrls("Collection", "BC"));
 			gen.AddCertificates(sp.GetCertificates("Collection"));
 
-			bOut.SetLength(0);
-
-			sigOut = gen.Open(bOut, true);
+            bOut.SetLength(0);
 
+            sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedData sd = new CmsSignedData(new CmsProcessableByteArray(testBytes), bOut.ToArray());
+            CmsSignedData sd = new CmsSignedData(new CmsProcessableByteArray(testBytes), bOut.ToArray());
 
 			Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count);
 
 	        VerifyEncodedData(bOut);
 	    }
 
-		[Test]
+        [Test]
 		public void TestAttributeGenerators()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			CmsAttributeTableGenerator signedGen = new SignedGenAttributeTableGenerator();
 			CmsAttributeTableGenerator unsignedGen = new UnsignedGenAttributeTableGenerator();
 
-			gen.AddSigner(OrigKP.Private, OrigCert,
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            gen.AddSigner(OrigKP.Private, OrigCert,
 				CmsSignedDataStreamGenerator.DigestSha1, signedGen, unsignedGen);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+			Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
 			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
@@ -826,59 +695,44 @@ namespace Org.BouncyCastle.Cms.Tests
 
 			foreach (SignerInformation signer in signers.GetSigners())
 			{
-				checkAttribute(signer.GetContentDigest(), signer.SignedAttributes[dummyOid1]);
-				checkAttribute(signer.GetSignature(), signer.UnsignedAttributes[dummyOid2]);
+				CheckAttribute(signer.GetContentDigest(), signer.SignedAttributes[dummyOid1]);
+				CheckAttribute(signer.GetSignature(), signer.UnsignedAttributes[dummyOid2]);
 			}
 		}
 
-		private void checkAttribute(
-			byte[]				expected,
-			Asn1.Cms.Attribute	attr)
+		private void CheckAttribute(byte[] expected, Asn1.Cms.Attribute	attr)
 		{
 			DerOctetString value = (DerOctetString)attr.AttrValues[0];
 
-			Assert.AreEqual(new DerOctetString(expected), value);
+            Assert.AreEqual(new DerOctetString(expected), value);
 		}
 
-		[Test]
+        [Test]
 		public void TestWithAttributeCertificate()
 		{
-			IList certList = new ArrayList();
-
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
+            IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
 
-			ArrayList attrCerts = new ArrayList();
-			attrCerts.Add(attrCert);
-			IX509Store store = X509StoreFactory.Create(
-				"AttributeCertificate/Collection",
-				new X509CollectionStoreParameters(attrCerts));
+            IX509Store store = CmsTestUtil.MakeAttrCertStore(attrCert);
 
-			gen.AddAttributeCertificates(store);
+            gen.AddAttributeCertificates(store);
 
-			MemoryStream bOut = new MemoryStream();
+            MemoryStream bOut = new MemoryStream();
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+			Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
-			sp.GetSignedContent().Drain();
+            sp.GetSignedContent().Drain();
 
 			Assert.AreEqual(4, sp.Version);
 
@@ -894,27 +748,17 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSignerStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 			byte[] data = Encoding.ASCII.GetBytes(TestMessage);
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
 			Stream sigOut = gen.Open(bOut, false);
-
 			sigOut.Write(data, 0, data.Length);
-
 			sigOut.Close();
 
 			CheckSigParseable(bOut.ToArray());
@@ -927,18 +771,15 @@ namespace Org.BouncyCastle.Cms.Tests
 			bOut.SetLength(0);
 
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
 
-			gen.AddCertificates(x509Certs);
+            gen.AddCertificates(x509Certs);
 
 			sigOut = gen.Open(bOut);
-
 			sigOut.Write(data, 0, data.Length);
-
 			sigOut.Close();
 
-			CheckSigParseable(bOut.ToArray());
+            CheckSigParseable(bOut.ToArray());
 
 			CmsSignedData sd = new CmsSignedData(bOut.ToArray());
 
@@ -953,7 +794,7 @@ namespace Org.BouncyCastle.Cms.Tests
 
 			IEnumerator signerEnum = sd.GetSignerInfos().GetSigners().GetEnumerator();
 			signerEnum.MoveNext();
-			SignerInformation signer = (SignerInformation) signerEnum.Current;
+			SignerInformation signer = (SignerInformation)signerEnum.Current;
 
 			Assert.AreEqual(signer.DigestAlgOid, CmsSignedDataStreamGenerator.DigestSha224);
 
@@ -968,27 +809,18 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestEncapsulatedSignerStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+			Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
 			//
@@ -999,20 +831,16 @@ namespace Org.BouncyCastle.Cms.Tests
 			bOut.SetLength(0);
 
 			gen = new CmsSignedDataStreamGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
-
 			gen.AddCertificates(x509Certs);
 
-			sigOut = gen.Open(bOut, true);
-
+            sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedData sd = new CmsSignedData(bOut.ToArray());
+            CmsSignedData sd = new CmsSignedData(bOut.ToArray());
 
-			//
+            //
 			// replace signer
 			//
 			MemoryStream newOut = new MemoryStream();
@@ -1037,40 +865,25 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 			byte[] data = Encoding.ASCII.GetBytes(TestMessage);
 
-			certList.Add(OrigDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigDsaCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut);
-
+            Stream sigOut = gen.Open(bOut);
 			sigOut.Write(data, 0, data.Length);
-
 			sigOut.Close();
 
-			CheckSigParseable(bOut.ToArray());
+            CheckSigParseable(bOut.ToArray());
 
-			//
+            //
 			// create new certstore with the right certificates
 			//
-			certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			//
 			// replace certs
@@ -1090,14 +903,9 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestEncapsulatedCertStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigDsaCert);
 
 			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 
@@ -1115,15 +923,9 @@ namespace Org.BouncyCastle.Cms.Tests
 			//
 			// create new certstore with the right certificates
 			//
-			certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
+            x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
-			x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			//
+            //
 			// replace certs
 			//
 			MemoryStream original = new MemoryStream(bOut.ToArray(), false);
@@ -1141,30 +943,21 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertOrdering1()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+			Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
 			sp.GetSignedContent().Drain();
 			x509Certs = sp.GetCertificates("Collection");
@@ -1178,32 +971,23 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertOrdering2()
 		{
-			IList certList = new ArrayList();
 			MemoryStream bOut = new MemoryStream();
 
-			certList.Add(SignCert);
-			certList.Add(OrigCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert, OrigCert);
 
+            CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			Stream sigOut = gen.Open(bOut, true);
+            byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
 
-			byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
+            Stream sigOut = gen.Open(bOut, true);
 			sigOut.Write(testBytes, 0, testBytes.Length);
-
 			sigOut.Close();
 
-			CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
+            CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
 
-			sp.GetSignedContent().Drain();
+            sp.GetSignedContent().Drain();
 			x509Certs = sp.GetCertificates("Collection");
 			ArrayList a = new ArrayList(x509Certs.GetMatches(null));
 
@@ -1215,13 +999,7 @@ namespace Org.BouncyCastle.Cms.Tests
         [Test]
         public void TestCertsOnly()
         {
-            IList certList = new ArrayList();
-            certList.Add(OrigCert);
-            certList.Add(SignCert);
-
-            IX509Store x509Certs = X509StoreFactory.Create(
-                "Certificate/Collection",
-                new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
             MemoryStream bOut = new MemoryStream();
 
diff --git a/crypto/test/src/cms/test/SignedDataTest.cs b/crypto/test/src/cms/test/SignedDataTest.cs
index 96f00eadc..0c176bdeb 100644
--- a/crypto/test/src/cms/test/SignedDataTest.cs
+++ b/crypto/test/src/cms/test/SignedDataTest.cs
@@ -413,64 +413,37 @@ namespace Org.BouncyCastle.Cms.Tests
 			byte[] data = Encoding.ASCII.GetBytes("Hello World!");
 			CmsProcessable msg = new CmsProcessableByteArray(data);
 
-			IList certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestMD5);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData s = gen.Generate(msg);
+            CmsSignedData s = gen.Generate(msg);
 
 			IDictionary hashes = new Hashtable();
-			hashes.Add(CmsSignedDataGenerator.DigestSha1, CalculateHash("SHA1", data));
-			hashes.Add(CmsSignedDataGenerator.DigestMD5, CalculateHash("MD5", data));
+			hashes.Add(CmsSignedDataGenerator.DigestSha1, DigestUtilities.CalculateDigest("SHA1", data));
+            hashes.Add(CmsSignedDataGenerator.DigestMD5, DigestUtilities.CalculateDigest("MD5", data));
 
 			s = new CmsSignedData(hashes, s.GetEncoded());
 
 			VerifySignatures(s, null);
 		}
 
-		private byte[] CalculateHash(
-			string	digestName,
-			byte[]	data)
-		{
-			IDigest digest = DigestUtilities.GetDigest(digestName);
-			digest.BlockUpdate(data, 0, data.Length);
-			return DigestUtilities.DoFinal(digest);
-		}
-
-		[Test]
+        [Test]
 		public void TestSha1AndMD5WithRsaEncapsulatedRepeated()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestMD5);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData s = gen.Generate(msg, true);
+            CmsSignedData s = gen.Generate(msg, true);
 
 			s = new CmsSignedData(ContentInfo.GetInstance(Asn1Object.FromByteArray(s.GetEncoded())));
 
@@ -550,73 +523,50 @@ namespace Org.BouncyCastle.Cms.Tests
 		}
 
 		// NB: C# build doesn't support "no attributes" version of CmsSignedDataGenerator.Generate
-//		[Test]
-//		public void TestSha1WithRsaNoAttributes()
-//		{
-//			IList certList = new ArrayList();
-//			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello world!"));
-//
-//			certList.Add(OrigCert);
-//			certList.Add(SignCert);
-//
-//			IX509Store x509Certs = X509StoreFactory.Create(
-//				"Certificate/Collection",
-//				new X509CollectionStoreParameters(certList));
-//
-//			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
-//
-//			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-//
-//			gen.AddCertificates(x509Certs);
-//
-//			CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
-//
-//			//
-//			// compute expected content digest
-//			//
-//			IDigest md = DigestUtilities.GetDigest("SHA1");
-//
-//			byte[] testBytes = Encoding.ASCII.GetBytes("Hello world!");
-//			md.BlockUpdate(testBytes, 0, testBytes.Length);
-//			byte[] hash = DigestUtilities.DoFinal(md);
-//
-//			VerifySignatures(s, hash);
-//		}
+        //[Test]
+        //public void TestSha1WithRsaNoAttributes()
+        //{
+        //    CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello world!"));
+
+        //    IX509Store x509Certs = MakeCertStore(OrigCert, SignCert);
+
+        //    CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+        //    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
+        //    gen.AddCertificates(x509Certs);
+
+        //    CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false, false);
+
+        //    byte[] testBytes = Encoding.ASCII.GetBytes("Hello world!");
+
+        //    // compute expected content digest
+        //    byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
+
+        //    VerifySignatures(s, hash);
+        //}
 
 		[Test]
 		public void TestSha1WithRsaAndAttributeTable()
 		{
 			byte[] testBytes = Encoding.ASCII.GetBytes("Hello world!");
-
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(testBytes);
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
-
-			IDigest md = DigestUtilities.GetDigest("SHA1");
-			md.BlockUpdate(testBytes, 0, testBytes.Length);
-			byte[] hash = DigestUtilities.DoFinal(md);
+            byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
 
 			Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute(CmsAttributes.MessageDigest,
 				new DerSet(new DerOctetString(hash)));
 
 			Asn1EncodableVector v = new Asn1EncodableVector(attr);
 
-			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1,
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            gen.AddSigner(SignKP.Private, SignCert, CmsSignedDataGenerator.DigestSha1,
 				new AttributeTable(v), null);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, null, false);
+            CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, null, false);
 
-			//
+            //
 			// the signature is detached, so need to add msg before passing on
 			//
 			s = new CmsSignedData(msg, s.GetEncoded());
@@ -772,26 +722,13 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSha1WithRsaCounterSignature()
 		{
-			IList certList = new ArrayList();
-			IList crlList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(SignCert);
-			certList.Add(OrigCert);
-
-			crlList.Add(SignCrl);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-			IX509Store x509Crls = X509StoreFactory.Create(
-				"CRL/Collection",
-				new X509CollectionStoreParameters(crlList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert, OrigCert);
+            IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(SignKP.Private, SignCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 			gen.AddCrls(x509Crls);
 
@@ -825,33 +762,21 @@ namespace Org.BouncyCastle.Cms.Tests
 			string	digestName,
 			string	digestOID)
 		{
-			IList certList = new ArrayList();
 			byte[] msgBytes = Encoding.ASCII.GetBytes("Hello World!");
 			CmsProcessable msg = new CmsProcessableByteArray(msgBytes);
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.EncryptionRsaPss, digestOID);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false);
+            CmsSignedData s = gen.Generate(CmsSignedDataGenerator.Data, msg, false);
 
-			//
-			// compute expected content digest
-			//
-			IDigest md = DigestUtilities.GetDigest(digestName);
-			md.BlockUpdate(msgBytes, 0, msgBytes.Length);
-			byte[] expectedDigest = DigestUtilities.DoFinal(md);
+            // compute expected content digest
+            byte[] expectedDigest = DigestUtilities.CalculateDigest(digestName, msgBytes);
 
-			VerifySignatures(s, expectedDigest);
+            VerifySignatures(s, expectedDigest);
 		}
 
 		private void SubjectKeyIDTest(
@@ -859,32 +784,19 @@ namespace Org.BouncyCastle.Cms.Tests
 			X509Certificate			signatureCert,
 			string					digestAlgorithm)
 		{
-			IList certList = new ArrayList();
-			IList crlList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(signatureCert);
-			certList.Add(OrigCert);
-
-			crlList.Add(SignCrl);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-			IX509Store x509Crls = X509StoreFactory.Create(
-				"CRL/Collection",
-				new X509CollectionStoreParameters(crlList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(signatureCert, OrigCert);
+            IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(signaturePair.Private,
 				CmsTestUtil.CreateSubjectKeyId(signatureCert.GetPublicKey()).GetKeyIdentifier(),
 				digestAlgorithm);
-
 			gen.AddCertificates(x509Certs);
 			gen.AddCrls(x509Crls);
 
-			CmsSignedData s = gen.Generate(msg, true);
+            CmsSignedData s = gen.Generate(msg, true);
 
 			Assert.AreEqual(3, s.Version);
 
@@ -962,26 +874,13 @@ namespace Org.BouncyCastle.Cms.Tests
 			X509Certificate			signatureCert,
 			string					digestAlgorithm)
 		{
-			IList certList = new ArrayList();
-			IList crlList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(signatureCert);
-			certList.Add(OrigCert);
-
-			crlList.Add(SignCrl);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-			IX509Store x509Crls = X509StoreFactory.Create(
-				"CRL/Collection",
-				new X509CollectionStoreParameters(crlList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(signatureCert, OrigCert);
+            IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(signaturePair.Private, signatureCert, digestAlgorithm);
-
 			gen.AddCertificates(x509Certs);
 			gen.AddCrls(x509Crls);
 
@@ -1105,22 +1004,13 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestNullContentWithSigner()
 		{
-			IList certList = new ArrayList();
-
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData s = gen.Generate(null, false);
+            CmsSignedData s = gen.Generate(null, false);
 
 			s = new CmsSignedData(ContentInfo.GetInstance(Asn1Object.FromByteArray(s.GetEncoded())));
 
@@ -1130,29 +1020,17 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestWithAttributeCertificate()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(SignDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignDsaCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
-
-			ArrayList attrCerts = new ArrayList();
-			attrCerts.Add(attrCert);
+            IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
 
-			IX509Store store = X509StoreFactory.Create(
-				"AttributeCertificate/Collection",
-				new X509CollectionStoreParameters(attrCerts));
+            IX509Store store = CmsTestUtil.MakeAttrCertStore(attrCert);
 
 			gen.AddAttributeCertificates(store);
 
@@ -1171,13 +1049,7 @@ namespace Org.BouncyCastle.Cms.Tests
 			//
 			// create new certstore
 			//
-			certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
 			//
 			// replace certs
@@ -1190,35 +1062,22 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(SignDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignDsaCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData sd = gen.Generate(msg);
+            CmsSignedData sd = gen.Generate(msg);
 
 			//
 			// create new certstore
 			//
-			certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
+            x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
-			x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			//
+            //
 			// replace certs
 			//
 			sd = CmsSignedData.ReplaceCertificatesAndCrls(sd, x509Certs, null, null);
@@ -1229,35 +1088,22 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestEncapsulatedCertStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(SignDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignDsaCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData sd = gen.Generate(msg, true);
+            CmsSignedData sd = gen.Generate(msg, true);
 
 			//
 			// create new certstore
 			//
-			certList = new ArrayList();
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
+            x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
-			//
+            //
 			// replace certs
 			//
 			sd = CmsSignedData.ReplaceCertificatesAndCrls(sd, x509Certs, null, null);
@@ -1268,24 +1114,15 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertOrdering1()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-			certList.Add(SignDsaCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert, SignDsaCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData sd = gen.Generate(msg, true);
+            CmsSignedData sd = gen.Generate(msg, true);
 
 			x509Certs = sd.GetCertificates("Collection");
 			ArrayList a = new ArrayList(x509Certs.GetMatches(null));
@@ -1299,29 +1136,20 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestCertOrdering2()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(SignCert);
-			certList.Add(SignDsaCert);
-			certList.Add(OrigCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-	
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert, SignDsaCert, OrigCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
 			CmsSignedData sd = gen.Generate(msg, true);
 
-			x509Certs = sd.GetCertificates("Collection");
-			ArrayList a = new ArrayList(x509Certs.GetMatches(null));
+            x509Certs = sd.GetCertificates("Collection");
+            ArrayList a = new ArrayList(x509Certs.GetMatches(null));
 
-			Assert.AreEqual(3, a.Count);
+            Assert.AreEqual(3, a.Count);
 			Assert.AreEqual(SignCert, a[0]);
 			Assert.AreEqual(SignDsaCert, a[1]);
 			Assert.AreEqual(OrigCert, a[2]);
@@ -1330,36 +1158,26 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestSignerStoreReplacement()
 		{
-			IList certList = new ArrayList();
 			CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));
 
-			certList.Add(OrigCert);
-			certList.Add(SignCert);
-
-			IX509Store x509Certs = X509StoreFactory.Create(
-				"Certificate/Collection",
-				new X509CollectionStoreParameters(certList));
-
-			CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
+            IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
 
+            CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData original = gen.Generate(msg, true);
+            CmsSignedData original = gen.Generate(msg, true);
 
-			//
+            //
 			// create new Signer
 			//
 			gen = new CmsSignedDataGenerator();
-
 			gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha224);
-
 			gen.AddCertificates(x509Certs);
 
-			CmsSignedData newSD = gen.Generate(msg, true);
+            CmsSignedData newSD = gen.Generate(msg, true);
 
-			//
+            //
 			// replace signer
 			//
 			CmsSignedData sd = CmsSignedData.ReplaceSigners(original, newSD.GetSignerInfos());
@@ -1382,17 +1200,17 @@ namespace Org.BouncyCastle.Cms.Tests
 		[Test]
 		public void TestEncapsulatedSamples()
 		{
-			doTestSample("PSSSignDataSHA1Enc.sig");
-			doTestSample("PSSSignDataSHA256Enc.sig");
-			doTestSample("PSSSignDataSHA512Enc.sig");
+			DoTestSample("PSSSignDataSHA1Enc.sig");
+			DoTestSample("PSSSignDataSHA256Enc.sig");
+			DoTestSample("PSSSignDataSHA512Enc.sig");
 		}
 
 		[Test]
 		public void TestSamples()
 		{
-			doTestSample("PSSSignData.data", "PSSSignDataSHA1.sig");
-			doTestSample("PSSSignData.data", "PSSSignDataSHA256.sig");
-			doTestSample("PSSSignData.data", "PSSSignDataSHA512.sig");
+			DoTestSample("PSSSignData.data", "PSSSignDataSHA1.sig");
+			DoTestSample("PSSSignData.data", "PSSSignDataSHA256.sig");
+			DoTestSample("PSSSignData.data", "PSSSignDataSHA512.sig");
 		}
 
 		[Test]
@@ -1421,31 +1239,27 @@ namespace Org.BouncyCastle.Cms.Tests
 			VerifySignatures(sig);
 		}
 
-		private void doTestSample(
-			string sigName)
+		private void DoTestSample(string sigName)
 		{
 			CmsSignedData sig = new CmsSignedData(GetInput(sigName));
 			VerifySignatures(sig);
 		}
 
-		private void doTestSample(
-			string	messageName,
-			string	sigName)
+        private void DoTestSample(string messageName, string sigName)
 		{
 			CmsSignedData sig = new CmsSignedData(
 				new CmsProcessableByteArray(GetInput(messageName)),
 				GetInput(sigName));
 
-			VerifySignatures(sig);
+            VerifySignatures(sig);
 		}
 
-		private byte[] GetInput(
-			string name)
+        private byte[] GetInput(string name)
 		{
 			return Streams.ReadAll(SimpleTest.GetTestDataAsStream("cms.sigs." + name));
 		}
 
-		[Test]
+        [Test]
 		public void TestForMultipleCounterSignatures()
 		{
 			CmsSignedData sd = new CmsSignedData(xtraCounterSig);
@@ -1476,5 +1290,5 @@ namespace Org.BouncyCastle.Cms.Tests
 				Assert.IsTrue(signer.Verify(cert));
 			}
 		}
-	}
+    }
 }
diff --git a/crypto/test/src/crypto/tls/test/ByteQueueStreamTest.cs b/crypto/test/src/crypto/tls/test/ByteQueueStreamTest.cs
new file mode 100644
index 000000000..1d68a5215
--- /dev/null
+++ b/crypto/test/src/crypto/tls/test/ByteQueueStreamTest.cs
@@ -0,0 +1,134 @@
+using System;
+
+using NUnit.Framework;
+
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Tls.Tests
+{
+    [TestFixture]
+    public class ByteQueueStreamTest
+    {
+        [Test]
+        public void TestAvailable()
+        {
+            ByteQueueStream input = new ByteQueueStream();
+
+            // buffer is empty
+            Assert.AreEqual(0, input.Available);
+
+            // after adding once
+            input.Write(new byte[10]);
+            Assert.AreEqual(10, input.Available);
+
+            // after adding more than once
+            input.Write(new byte[5]);
+            Assert.AreEqual(15, input.Available);
+
+            // after reading a single byte
+            input.ReadByte();
+            Assert.AreEqual(14, input.Available);
+
+            // after reading into a byte array
+            input.Read(new byte[4]);
+            Assert.AreEqual(10, input.Available);
+
+            input.Close(); // so compiler doesn't whine about a resource leak
+        }
+
+        [Test]
+        public void TestSkip()
+        {
+            ByteQueueStream input = new ByteQueueStream();
+
+            // skip when buffer is empty
+            Assert.AreEqual(0, input.Skip(10));
+
+            // skip equal to available
+            input.Write(new byte[2]);
+            Assert.AreEqual(2, input.Skip(2));
+            Assert.AreEqual(0, input.Available);
+
+            // skip less than available
+            input.Write(new byte[10]);
+            Assert.AreEqual(5, input.Skip(5));
+            Assert.AreEqual(5, input.Available);
+
+            // skip more than available
+            Assert.AreEqual(5, input.Skip(20));
+            Assert.AreEqual(0, input.Available);
+
+            input.Close();// so compiler doesn't whine about a resource leak
+        }
+
+        [Test]
+        public void TestRead()
+        {
+            ByteQueueStream input = new ByteQueueStream();
+            input.Write(new byte[] { 0x01, 0x02 });
+            input.Write(new byte[]{ 0x03 });
+
+            Assert.AreEqual(0x01, input.ReadByte());
+            Assert.AreEqual(0x02, input.ReadByte());
+            Assert.AreEqual(0x03, input.ReadByte());
+            Assert.AreEqual(-1, input.ReadByte());
+
+            input.Close(); // so compiler doesn't whine about a resource leak
+        }
+
+        [Test]
+        public void TestReadArray()
+        {
+            ByteQueueStream input = new ByteQueueStream();
+            input.Write(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 });
+
+            byte[] buffer = new byte[5];
+
+            // read less than available into specified position
+            Assert.AreEqual(1, input.Read(buffer, 2, 1));
+            AssertArrayEquals(new byte[]{ 0x00, 0x00, 0x01, 0x00, 0x00 }, buffer);
+
+            // read equal to available
+            Assert.AreEqual(5, input.Read(buffer));
+            AssertArrayEquals(new byte[]{ 0x02, 0x03, 0x04, 0x05, 0x06 }, buffer);
+
+            // read more than available
+            input.Write(new byte[]{ 0x01, 0x02, 0x03 });
+            Assert.AreEqual(3, input.Read(buffer));
+            AssertArrayEquals(new byte[]{ 0x01, 0x02, 0x03, 0x05, 0x06 }, buffer);
+
+            input.Close(); // so compiler doesn't whine about a resource leak
+        }
+
+        [Test]
+        public void TestPeek()
+        {
+            ByteQueueStream input = new ByteQueueStream();
+
+            byte[] buffer = new byte[5];
+
+            // peek more than available
+            Assert.AreEqual(0, input.Peek(buffer));
+            AssertArrayEquals(new byte[]{ 0x00, 0x00, 0x00, 0x00, 0x00 }, buffer);
+
+            // peek less than available
+            input.Write(new byte[]{ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 });
+            Assert.AreEqual(5, input.Peek(buffer));
+            AssertArrayEquals(new byte[]{ 0x01, 0x02, 0x03, 0x04, 0x05 }, buffer);
+            Assert.AreEqual(6, input.Available);
+
+            // peek equal to available
+            input.ReadByte();
+            Assert.AreEqual(5, input.Peek(buffer));
+            AssertArrayEquals(new byte[]{ 0x02, 0x03, 0x04, 0x05, 0x06 }, buffer);
+            Assert.AreEqual(5, input.Available);
+
+            input.Close(); // so compiler doesn't whine about a resource leak
+        }
+
+        private static void AssertArrayEquals(byte[] a, byte[] b)
+        {
+            Assert.IsTrue(Arrays.AreEqual(a, b));
+        }
+    }
+}
diff --git a/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs b/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs
new file mode 100644
index 000000000..5fe0f32ad
--- /dev/null
+++ b/crypto/test/src/crypto/tls/test/TlsProtocolNonBlockingTest.cs
@@ -0,0 +1,126 @@
+using System;
+using System.IO;
+
+using NUnit.Framework;
+
+using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Tls.Tests
+{
+    [TestFixture]
+    public class TlsProtocolNonBlockingTest
+    {
+        [Test]
+        public void TestClientServerFragmented()
+        {
+            // tests if it's really non-blocking when partial records arrive
+            DoTestClientServer(true);
+        }
+
+        [Test]
+        public void TestClientServerNonFragmented()
+        {
+            DoTestClientServer(false);
+        }
+
+        private static void DoTestClientServer(bool fragment)
+        {
+            SecureRandom secureRandom = new SecureRandom();
+
+            TlsClientProtocol clientProtocol = new TlsClientProtocol(secureRandom);
+            TlsServerProtocol serverProtocol = new TlsServerProtocol(secureRandom);
+
+            clientProtocol.Connect(new MockTlsClient(null));
+            serverProtocol.Accept(new MockTlsServer());
+
+            // pump handshake
+            bool hadDataFromServer = true;
+            bool hadDataFromClient = true;
+            while (hadDataFromServer || hadDataFromClient)
+            {
+                hadDataFromServer = PumpData(serverProtocol, clientProtocol, fragment);
+                hadDataFromClient = PumpData(clientProtocol, serverProtocol, fragment);
+            }
+
+            // send data in both directions
+            byte[] data = new byte[1024];
+            secureRandom.NextBytes(data);
+            WriteAndRead(clientProtocol, serverProtocol, data, fragment);
+            WriteAndRead(serverProtocol, clientProtocol, data, fragment);
+
+            // close the connection
+            clientProtocol.Close();
+            PumpData(clientProtocol, serverProtocol, fragment);
+            CheckClosed(serverProtocol);
+            CheckClosed(clientProtocol);
+        }
+
+        private static void WriteAndRead(TlsProtocol writer, TlsProtocol reader, byte[] data, bool fragment)
+        {
+            int dataSize = data.Length;
+            writer.OfferOutput(data, 0, dataSize);
+            PumpData(writer, reader, fragment);
+
+            Assert.AreEqual(dataSize, reader.GetAvailableInputBytes());
+            byte[] readData = new byte[dataSize];
+            reader.ReadInput(readData, 0, dataSize);
+            AssertArrayEquals(data, readData);
+        }
+
+        private static bool PumpData(TlsProtocol from, TlsProtocol to, bool fragment)
+        {
+            int byteCount = from.GetAvailableOutputBytes();
+            if (byteCount == 0)
+            {
+                return false;
+            }
+
+            if (fragment)
+            {
+                while (from.GetAvailableOutputBytes() > 0)
+                {
+                    byte[] buffer = new byte[1];
+                    from.ReadOutput(buffer, 0, 1);
+                    to.OfferInput(buffer);
+                }
+            }
+            else
+            {
+                byte[] buffer = new byte[byteCount];
+                from.ReadOutput(buffer, 0, buffer.Length);
+                to.OfferInput(buffer);
+            }
+
+            return true;
+        }
+
+        private static void CheckClosed(TlsProtocol protocol)
+        {
+            Assert.IsTrue(protocol.IsClosed);
+
+            try
+            {
+                protocol.OfferInput(new byte[10]);
+                Assert.Fail("Input was accepted after close");
+            }
+            catch (IOException e)
+            {
+            }
+
+            try
+            {
+                protocol.OfferOutput(new byte[10], 0, 10);
+                Assert.Fail("Output was accepted after close");
+            }
+            catch (IOException e)
+            {
+            }
+        }
+
+        private static void AssertArrayEquals(byte[] a, byte[] b)
+        {
+            Assert.IsTrue(Arrays.AreEqual(a, b));
+        }
+    }
+}