author | Jack Lloyd <[email protected]> | 2016-03-16 01:27:29 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-03-16 01:27:29 -0400 |
commit | eba8e2e0f1baf64637acda3f049fa14f79283201 (patch) | |
tree | a9f5311413629259f8169b80eef87312c8760ee2 /src/tests | |
parent | 93966abb3c51a77edf867abe7d7388ec542411bb (diff) | |
parent | efe8e7d46683ceab23889fda7fcbc68303f23d62 (diff) |
Merge GH #454 X.509 name constraints
Diffstat (limited to 'src/tests')
12 files changed, 289 insertions, 7 deletions
diff --git a/src/tests/data/name_constraint/Invalid_DN_Name_Constraint.crt b/src/tests/data/name_constraint/Invalid_DN_Name_Constraint.crt new file mode 100644 index 000000000..7c8c0aabc --- /dev/null +++ b/src/tests/data/name_constraint/Invalid_DN_Name_Constraint.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IEROIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDMxNjI1MDBaFw0xNzAzMDMxNjI1 +MDBaMFExCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxDzANBgNVBAcTBkJvY2h1 +bTEjMCEGA1UEAxMaSW52YWxpZCBETiBOYW1lIENvbnN0cmFpbnQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsHLRRWXgXFv0rpmrqjELvS8jrCjObZkML +uWHpgJIev59IEXcf/WXQyMNSzSudFB2JKNatyEUxKshD5eGSHYTb5qNPfEBYEMC3 +GCp+yXA3xKd1K7hnKOpdApTKN305K1ubZqkrY9SH2EdtMMfTqPIqTmG8VWtCtlOp +svK6v8uwI17QdlC0pi39bkR/z2EZfZPkEHgB0rqK37FaWBgLoTsTEb0PL1aZkEYO +Q8Wyvz7VieakIhDk/QMX22AEp8ig1LI99FvS8o4VOAYgjjCzIKWEos+p/hCYKrCe +EpZ5GMI0O/13PCDaXRNywo20fhrV3Byzg57WSfsewnd/SztiY5t1AgMBAAEwDQYJ +KoZIhvcNAQEFBQADggEBABZCqDTZdTy8KgOvpZCUaST52iAHIGFkqhi3XYF1gaj2 +ADgMzonuttj+DAiYzS2wMts+TdrHFVuytmMsbIoWNXtRq/CAoQIg/tmpeb7AB5iS +LGc5nxf+9nnCW276XmmA2cA8GCfbL0WDPZrfHRsw8jEAtyOP4bQEO3iqNcnQBK63 +nP0fdCfqM9ImN0eVhxA04IkP8d6utC1CoIlDyqqike7+2o+PXCrWlmb/WeZD+Hym +4eJe8y5Q5YJ6G5F03Z1zuU5SVLKYJImdx1qiTXqUX2qBh4NKmVFgAImJOrbtj1qk +//pH1Fb3w5xK9akaGcXYTTDUDZu1HM06LbAd0pwlRBI= +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Invalid_Email_Name_Constraint.crt b/src/tests/data/name_constraint/Invalid_Email_Name_Constraint.crt new file mode 100644 index 000000000..c7083a3dd --- /dev/null +++ b/src/tests/data/name_constraint/Invalid_Email_Name_Constraint.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpSb290 +IEVtYWlsIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDMxNjIxMDBaFw0xNzAzMDMx +NjIxMDBaMCgxJjAkBgNVBAMTHUludmFsaWQgRW1haWwgTmFtZSBDb25zdHJhaW50 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLQNwVt6i6aYP67ZyaAH +u/uqKg7P6K9xocb/aSlnfj3A4ee5nmxi3xoCghuXKV4lSXIE68Rppak81dCG9Bou +x8S5K2DZ20AX11Pk5ulMMZGaQdOPZEBbPIxSqPdWKHwSLtkLxw7F+KN1MdB5lCf0 +YbXn4niqTF8eGrGEcfatYDFOYI5NVwlRHMqPoyv9JaJC68a/njhFV33DM/J1cTvM +gIMbF8nnUKqfzyGwP1q5A2ep9DmH6LpOzpEzcp3d7DPCTAK7q64vSr/uOALt6Vsg +LAHAOmberdVB/GUBCqa3F/eDo8s4lw+kdq5ow72hM1jSP7LeRb2OHcUJa3bl1cKj +cQIDAQABox8wHTAbBgNVHREEFDASgRB0ZXN0QGV4YW1wbGUubmV0MA0GCSqGSIb3 +DQEBBQUAA4IBAQBit9P5NiMg8jjBtoXTBwUHBFA/B/KdxXx2AFsS6rx2xb5m09WG +joFvv2le+GixwKUHAyseTtYshO+s1HiCSHcnp7j5RfcjMdraJWrACKzmEqA6J+KM +mSa4opop91JFEY7ydnNqGf9biJ1dxiAs8XQ+ldbMuFxYc5CrNG8uoNvWGFZRegGS +rR3pLEHeG5waGVExBMzMSIA3k4qIeh1JsiXIorQGwLfSQEPkCVIbRw9dpUOWLmDK +SIlnL86z+OZDQDScOuLdh9j5mNWNIS9GH+VH7H+f7l8F0y96IbFumzby8DdTZiXf +MuLW1n9aD7h787KRc6ExRx4qw4uWMl0tXSmd +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Invalid_IP_Name_Constraint.crt b/src/tests/data/name_constraint/Invalid_IP_Name_Constraint.crt new file mode 100644 index 000000000..fad54841e --- /dev/null +++ b/src/tests/data/name_constraint/Invalid_IP_Name_Constraint.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IElQIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDkxMDUzMDBaFw0xNzAzMDkxMDUz +MDBaMCUxIzAhBgNVBAMTGkludmFsaWQgSVAgTmFtZSBDb25zdHJhaW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqPSMstg2PL5m4NlT2sVweNGmpRl1 +2qZaV8VF01WweYdvE0DRw1aNzBzkbeIpbrVdvgxZIPeEOpusQQJPUtBuemMuKoNt +O2zCEheILKwsESq3YhrXvpgs2679nK62Dfr4PbT1KUfsP4Kruf2cAuHsRO0hhT4i +tZUcU6JCw5KDPihk+joALcZ4qdeKuAZHSopPlg5LFoRKb2mXDfm6j25bngMiysew +XdCXeYCoL9+ROthrgz4H3t5mEcSAVS8dwqfjUIZznVlUwYfw5ThqIHJYWZHOOozr +sgTicfiFKSje/XIGoHmgdrT6HI5ZOufKtXMgpco1vjdnnRuxG99ilYboPQIDAQAB +oxMwETAPBgNVHREECDAGhwQKAAEDMA0GCSqGSIb3DQEBBQUAA4IBAQAi6yVuppWf +kPQNWRjW45/6AB/yH9HPN46saVHHuGREaH4kxhmzrEBjS1CdbinvbtHm5SfN3qau +eUWwabGvgvSBqxRxhV7HyagZTP1rfMDqjkQSICjOM24NJRBn+OxC87kxwtbi8z4d +zcL4bULErtzZS70A8xuEemEt6LEBSOkrsDfN3sN2UJWQ5ifAgLELXr05FVHyt6Rf +8xzbu5uvO8nUfRNCYEkrzSAU6oREwYpbJkimpoLiykERRNd6hJmd2xxupBKL6Cf0 +vXk/uaVeiHjchk4cFwpDPgK7PQJlWUb9HVEGjJQY/7STcVMl0Rk9NDmta6kW57q1 +Y6gSmXgGZBt1 +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Root_DNS_Name_Constraint.crt b/src/tests/data/name_constraint/Root_DNS_Name_Constraint.crt new file mode 100644 index 000000000..dd57ded87 --- /dev/null +++ b/src/tests/data/name_constraint/Root_DNS_Name_Constraint.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQUFADAjMSEwHwYDVQQDExhSb290 +IEROUyBOYW1lIENvbnN0cmFpbnQwHhcNMTYwMzAzMTYzMzAwWhcNMjYwMzAzMTYz +MzAwWjAjMSEwHwYDVQQDExhSb290IEROUyBOYW1lIENvbnN0cmFpbnQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnc8QujqwM6w/QoC8fAEIXrWIf6+IV +WznKMPwCqogoq1dw+9Url/4yhUqFNWZiPf7h8Cxm2oqLesq0LJ4IQcTrqwDfflZw +dHiw9Tj6woks5YEq8k4cxDOVjJPftPOL+drVCMDQnpRctEtcNcbOmNFsCrWSGl7t +bBvhWjARAfQvCfMTILkhJj6Bh3wHdxbxzy5m4rqQuG+gyAzEQBIPbhIYkrjhaFdx +FUnPmk2uhYXDmpOuln2zuE1BKi/HqG1iytRgm0DfuayrqPKHustUhdcOQdJnxy/q +3wthcsP6i8YX5eeV332BDXPVijWHJ9AHilGITYfRssUwyoI+sxEZB035AgMBAAGj +gZIwgY8wDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUcvuTsCu3ovZJQRVo6494 +7kehuVUwCwYDVR0PBAQDAgEGMB0GA1UdHgEB/wQTMBGhDzANggtleGFtcGxlLmNv +bTARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZp +Y2F0ZTANBgkqhkiG9w0BAQUFAAOCAQEAB7JEZgAGO3jLaXWFUdV9k1nXvngKR/yV +AKvr1KIl8f7azR6khnnIY/UpbYQJHSNCKt3J+DEmWzrI8/ayfDW1Ty7/2u+IT0iw +P44TOFIFSN7q4x1nLiHN1PFZvNc8ENHpqSubqF2ooGWIakSbO1LrmHqVgPMkcMJk +5tUIcwmlCMOdFvy6ejVjw/l7aawAG+sOLTzjheYeKIngilejPthBhMxsniqVlzCY +5dTV+jplLzOqOANSyhzhlu0cywJbhifG+Vzq59raPzzk9tXEXKsi3qO0B7J+5Y9f +fwIHNf8ZZ/4ODDBYS7BHAemgXcXrVMtJfwHQCjracE6RYx5NpzRU1g== +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Root_DN_Name_Constraint.crt b/src/tests/data/name_constraint/Root_DN_Name_Constraint.crt new file mode 100644 index 000000000..7dc1c4c72 --- /dev/null +++ b/src/tests/data/name_constraint/Root_DN_Name_Constraint.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVjCCAj6gAwIBAgIBATANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IEROIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDMxNjIzMDBaFw0yNjAzMDMxNjIz +MDBaMCIxIDAeBgNVBAMTF1Jvb3QgRE4gTmFtZSBDb25zdHJhaW50MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtbIHfxTBz1AVs6kMHeeOeiNy+RC4EDuT +ArRrD0NpATiYOM+O0MTwk+pJtlCge77dTEnXEhHfXpYV5MLDvPx4B95v49BGshLn +2GOUcMuP4rextDb12hr/5oBKksFiWgBuuKc+XwDD8yh7i8KbOtJelWiRg7ge97sr +Hw6eiPmKlDDmTN39aN5O68YIJfkpDIr08ncLWCC6WRpjMU/eRdYMce6LIaB+bHEx +P5uwQD10e6XCnOVHaOc3kTmhbivIugrrE7VS4lq+t42amSDf9V4NWZ7d65dvIzGK +DEics4ZGaizeN3BYMMNfPUfjJ0iqTbPYi+29gkE5/AQKVs1b4b4G/QIDAQABo4GW +MIGTMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOYXX2m7K9gJL3EE2CtZdlut +kC6cMAsGA1UdDwQEAwIBBjAhBgNVHR4BAf8EFzAVoRMwEaQPMA0xCzAJBgNVBAYT +AkRFMBEGCWCGSAGG+EIBAQQEAwIABzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRp +ZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQALCFfBog6/kTwd1gGBnVhxJ9eKzzVS +NyOl0T1SVjVHRul9AK8kP/8pyw7GtZE/hdAwSjyYbO6VaOT6muVtiAy9TQrGPSpA +LPbk9RVLEn0vqnUBUkE3kX2T9WVM4jJqh7CsvO6OPTczCf1EqiJmmNhp91jCAPgX +C375wkZEEI5thOZnblD5zDWpM+tp3RiIiFUZiZ1IT8ALgT3elFnqNePuOYZ/daaK ++ehnF0gpr0KoLkgZ+HRoXoBIK0rz1TNCDzIfnc2Lx2G/SftBtuoVSp3TgPJO/7SP +X9zsKBv3St40ZQ8ZUi3DqTwOCFYm6ODbESJPR3uJQhil1XVCr1GlGBYl +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Root_Email_Name_Constraint.crt b/src/tests/data/name_constraint/Root_Email_Name_Constraint.crt new file mode 100644 index 000000000..d1181a837 --- /dev/null +++ b/src/tests/data/name_constraint/Root_Email_Name_Constraint.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUTCCAjmgAwIBAgIBATANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpSb290 +IEVtYWlsIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDMxNjIxMDBaFw0yNjAzMDMx +NjIxMDBaMCUxIzAhBgNVBAMTGlJvb3QgRW1haWwgTmFtZSBDb25zdHJhaW50MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3fLWMKDgTjWtsla75PAa4yvB +4LMkiaYfXdKSAE3MNgoY64o1LhajQ0/LrJ8USY/2GLv9vVIufBqFFHwHTiUYiyAM +odLGphQ/YitGE/ZAkef0NKkzRh5InCQSopP7SntZ//QoqsaJqKgdZl6UN+5eP9SA +o9AbTDhpZxYmEWpT8Sk+5igBvepr7mBQ7ZAnJnTeGJE/IjrjCx7C2pInV2FxJNph +3Ou5LpqH3SBFOMnzootP6AWcPIfVgIY9CxJdITReQ7o3vFs/pn08DONV08eH4fDd +8xJWjNk7GfhhYEKfFP1Fk5CXAwlurPoydVuyU53SA3ICTpnstbUnJGAedUhBnwID +AQABo4GLMIGIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFL5lAY1YFiV6918j +DM0v+NcRNuV/MAsGA1UdDwQEAwIBBjAWBgNVHR4BAf8EDDAKoAgwBoEELmNvbTAR +BglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0 +ZTANBgkqhkiG9w0BAQUFAAOCAQEA2QfSxzwYMYdSzs4Ntsda3mhroewzjf//LYbg +DxXYw6QocnMkQnp3JIokaoTlcvh0FnqlxwVeXI7DYssNFBeEM9tkl9/KTqNWzZxq +R3Ui5jpW3wuEnIJLN3Z3xnhH1dTXKlnuYc28aQuwmMySemJ6PD06HbntJRcu8qCY +XbEHlwRoueGtFsRyHylOcdFrSS4XWKcSZ0O4dd2GdDYy1oSo5B/7uad/OBV7lAX9 +iww0t64k+grM/mM+OgBJTj9cQCR0CP0cAVsVdSCw0y1asvoc7ainpEuYWT7H/3/d +uG1lewFoWdDXkSkppwLO1h2wvkffBmzPgnjfkZ/ByLGeBLk2og== +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Root_IP_Name_Constraint.crt b/src/tests/data/name_constraint/Root_IP_Name_Constraint.crt new file mode 100644 index 000000000..580ce508c --- /dev/null +++ b/src/tests/data/name_constraint/Root_IP_Name_Constraint.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IElQIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDkxMDQ5MDBaFw0yNjAzMDkxMDQ5 +MDBaMCIxIDAeBgNVBAMTF1Jvb3QgSVAgTmFtZSBDb25zdHJhaW50MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0qbHmORvktt3Z3/wu+RgO3bSqIb1tIKy +QVOCAFz52gpFoI1PL7Sqs+O6rz9iQN57ntIpBw9WfydMk98UWFOsM5ICLci4J5jz +gm0Go8clJRe/gL1q3ORRgM8CPAdt8eZrvZzO3SM1rhUC5QLjzzdCs+xzBmiJRzq0 +hyiQZl6FSlQEwrGuBfPKFuRA56zYyXISLftm2wHwXK+9sF/sErghaFUUDIGfalfs +6TnsdvghrTlkcTfHg1ftsXq8YnxuCS+yWuKhbiMcoj7eNaGmc4/qY4oyxMkciprN +Jir4eowwSklG7RR6tEz32K2yfUaOlx206KtT9r4AAwaNX7VX8RZ5qwIDAQABo4GP +MIGMMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHJ0ggZC8ZUlgwPyCQZHM7sQ +DcE9MAsGA1UdDwQEAwIBBjAaBgNVHR4BAf8EEDAOoAwwCocIwKgAAP//AAAwEQYJ +YIZIAYb4QgEBBAQDAgAHMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUw +DQYJKoZIhvcNAQEFBQADggEBAL2zm2nBuKk/OH32bdzAy8TILh+b2ZiiGCWy+7QQ +CCfRyKpCb6zoMq6uTqlFmXoQ5iUFih51fleP3qeQ4H3mMqIqoThPA1suQzgha/O8 +jO6TIFYIo3+XTSfleGNpNUxfm8SqsZc0K6huerZZJW8e89dMddHxFa43T/RLKGpY +P6VIu0JIweavOZTsUcd0JAqCSEnlyTJF3o5hP3thfbZMUZxgXM9sV4ucVBUE/o+U +q3JMWLkE5OxrRG37z8+5yIOZi7Y8uOKncueUvyTzyHPp9S5SUombIOg/K8NoaCEt +HkqILLcDJAihb7/odRS35Zw8ZPDVHCL0LtS1c2zEVnXbETc= +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Valid_DNS_Name_Constraint.crt b/src/tests/data/name_constraint/Valid_DNS_Name_Constraint.crt new file mode 100644 index 000000000..77d30879a --- /dev/null +++ b/src/tests/data/name_constraint/Valid_DNS_Name_Constraint.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAjMSEwHwYDVQQDExhSb290 +IEROUyBOYW1lIENvbnN0cmFpbnQwHhcNMTYwMzAzMTY0MzAwWhcNMTcwMzAzMTY0 +MzAwWjAkMSIwIAYDVQQDExlWYWxpZCBETlMgTmFtZSBDb25zdHJhaW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxPaa6o2mZoq85YKSUYWFP9Ttl8Ux +X+hDEKzvVS9+V0dbdAE0WHLxZnq22UAVsQ/a2RlYcXGMGOyztJ+zTKqjyeSadNat +gIyh0BD3B2xhKxz1Zf2ZixVWZcwu5t/ZcboIF4Q8IKgiEzPUjcWRErk88ldMh7Zt +9vIZMcGNnlzCWeuk7I91WoS9qs5mLXRecL/SrGm2gS+ByhirNNpSlPMC+4hvFShE +/Z82BEM2gqR6YOsfGjlz65DBqAfME8Pd/IWuHA9sb1t6s0/dTCYQ5RWoCkKBHe9Q +CWtBK7MezgYcJqFFzPlMjMS1K/z51RXBHOetxqsommSJiKg189NKX0xYhwIDAQAB +oxswGTAXBgNVHREEEDAOggxhZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADggEB +AErxPj6k5vksK5msdV+0dCFr3j7L/qCBU5vAwuGQF+qW7P/3tG2GKbsTtDW64fDn +coWDA3P/LU9Rat4qh36VGVOlAOfGLxfA6QbFeGpIj9oQ+LLQrcWovELGaQoXMJly +r4VRpCzoe4B2xDp1ivJo5tprwmskRiL1kRkVauQ9tlCn1b0EyDfr2iX4CEZESlDm +my7BVAM6zOGBMs76R8mobP8YtB7zRsC5EVuvDz0j0YDfPKTedMKtP1Po+sYfNmHy +4EBgYjdh83zOzUXhG4qxaAn7LlnEjzrI+b22ouKXucXShNeEtQdBa6QSAWlAyqyS +MxdsIT7d9oSqYMIBvWHx89I= +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Valid_DN_Name_Constraint.crt b/src/tests/data/name_constraint/Valid_DN_Name_Constraint.crt new file mode 100644 index 000000000..c3575b376 --- /dev/null +++ b/src/tests/data/name_constraint/Valid_DN_Name_Constraint.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IEROIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDMxNjI0MDBaFw0xNzAzMDMxNjI0 +MDBaME8xCzAJBgNVBAYTAlVLMQwwCgYDVQQIEwNYWFgxDzANBgNVBAcTBkxvbmRv +bjEhMB8GA1UEAxMYVmFsaWQgRE4gTmFtZSBDb25zdHJhaW50MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEApu0vAiLdowRssVHCzK31e3A3vso8wECeBY/1 +esASJqMjusWjxPq9tp002KT+1CAYD0Du6I6KPjAXUp38AXglQTcA/JjL3LTQrGXw +DCwL1vzK6WzJew6beQnyskscbAQ+iPxzsWn7Nb9fCUQF5fSoZBVP06KEh4Q3dgxb +feYbGQC3cZIR93YHUm2wiO27mCE9xx7xwqIGux+V/Kzt4+tsUpduJn/tPGJVUq9n +oCmSb8rW9B0pbtwXt1QmxjShBGodXefExY8JAmkNmOLxARCgddyK0Xmoyl7Teo+L +BBtosdV23VNe3L+oQi/OAb1pn82u1hOgbQhttUyzlungnsWjfwIDAQABMA0GCSqG +SIb3DQEBBQUAA4IBAQBwWrY+5e+tjYokgNpWZHV3buxqOt2CAjN7FvPcd6adJeDV +GFcBjCGX2qmh1AvqYXliBZTl9rh406Wfz7ssBAzPrxlgyAPInSCfrAbPIH+wpx2G +DR2xNp+uybtIPXMH8LRSGuRZIkaWAvFTKtJMDq96xXUt0iPZJ7gUDS26QQnTFKqz +/ctGxQgno7R+0/8OT/FjwRV2zesB9PI1vJA2Vo082cPyLrSnc4B1/awJy1GGnSyr +XwCyrwYVU17fjhyjYRpIWF4W9WGRbzSOCCRZvxtxPvTpMeC83hDr0i5ZzgjNrxjg +gwheK0rKj14494bf3S3WHQBsFKuoQ/2/kNbzr/OW +-----END CERTIFICATE----- diff --git a/src/tests/data/name_constraint/Valid_IP_Name_Constraint.crt b/src/tests/data/name_constraint/Valid_IP_Name_Constraint.crt new file mode 100644 index 000000000..76a461ec4 --- /dev/null +++ b/src/tests/data/name_constraint/Valid_IP_Name_Constraint.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIBAjANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExdSb290 +IElQIE5hbWUgQ29uc3RyYWludDAeFw0xNjAzMDkxMDUyMDBaFw0xNzAzMDkxMDUy +MDBaMCMxITAfBgNVBAMTGFZhbGlkIElQIE5hbWUgQ29uc3RyYWludDCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALYPp5KI+Bhr+jJwg33UWg1Pdr8hbBCg +AWWyulQW++LlmjnlhGNGOTBW8L4p4rCBbBJ5EHgsLdOpm24fFw4G/yj4cakQKZyf +1eIgvJ5nHmFSTJH2TNWZppeRCK2zbFa3ZaBuiOoyNPVsFii35NLVNiHy8xjRDerw +SjkB9PIxwdB5/jZiAYU5FPE8Y1zsaIXOIC+RaPygdt/qwnsDrqqJLQDCuN7WLeYO +zxZfs306z1FT7uZOfOEzfFrqS9ZiQA5ZhWc38IhmkGDdjJlZtKb6abLdDHR/QjWH +upnm/wJ+w2AtBfhIU1aLHSduX8MVvJRRSkAl68o6HJUKRayWA+5t8ksCAwEAAaMT +MBEwDwYDVR0RBAgwBocEwKgBATANBgkqhkiG9w0BAQUFAAOCAQEAa4ZrteRtAghe +Lvwr1hgg+MKG3U3+1kq9VWbM6TbjcB6YuWWbWD/pPeMeq3k8+5xDw7eTWLkYyyAL +nyFSKUHhYppabmkvtxmYpwIzqdhrm7a3Ej+3FDwAjvjgB2DoT60oQ6TB6P1do43O +LcnAIDOmuknAml5wz8jndNHGcYPy2oJLq0lzWjVxmdhF3KbfSTa50yj9CeXkLD1C +Dvf53AVpcsQXxI92omp+OFvx5d7uc8iIE2KD2d0gKGw0vZPQsdA0VMDwTxcSNbeZ +KlMIV0lhRVLX41vjU9J+Ax7Izt4EymoMD8UWqI/w1Hv2RwHvy3IGNOjPsMVCs06A +2dWXjqwbWg== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/expected.txt b/src/tests/data/x509test/expected.txt index 67e2937eb..23cc9daf1 100644 --- a/src/tests/data/x509test/expected.txt +++ b/src/tests/data/x509test/expected.txt @@ -10,6 +10,10 @@ InvalidKeyUsage.pem:Invalid usage InvalidName.pem:Certificate does not match provided name InvalidNameAltName.pem:Certificate does not match provided name InvalidNameAltNameWithSubj.pem:Certificate does not match provided name +InvalidNameConstraintExclude.pem:Certificate does not pass name constraint +InvalidNameConstraintPermit.pem:Certificate does not pass name constraint +InvalidNameConstraintPermitRight.pem:Certificate does not pass name constraint +InvalidNameConstraintPermitThenExclude.pem:Certificate does not pass name constraint InvalidNotAfter.pem:Certificate has expired InvalidNotAfterChained.pem:Certificate has expired InvalidSelfSign.pem:Cannot establish trust 
@@ -28,16 +32,10 @@ MissingIntCAExtensions.pem:CA certificate not allowed to issue certs ValidAltName.pem:Verified ValidCert.pem:Verified ValidChained.pem:Verified +ValidNameConstraint.pem:Verified ValidIntCALen.pem:Verified ValidWildcard.pem:Verified # Need to fix date settings in x509test and regen #InvalidNotBefore.pem:Certificate is not yet valid #InvalidNotBeforeChained.pem:Certificate is not yet valid - -# Missing name constraints -InvalidNameConstraintExclude.pem:Certificate issuer not found -InvalidNameConstraintPermit.pem:Certificate issuer not found -InvalidNameConstraintPermitRight.pem:Certificate issuer not found -InvalidNameConstraintPermitThenExclude.pem:Certificate issuer not found -ValidNameConstraint.pem:Certificate issuer not found diff --git a/src/tests/test_name_constraint.cpp b/src/tests/test_name_constraint.cpp new file mode 100644 index 000000000..01bdfc3ef --- /dev/null +++ b/src/tests/test_name_constraint.cpp 
@@ -0,0 +1,96 @@
+/*
+* (C) 2015,2016 Kai Michaelis
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include "tests.h"
+
+#if defined(BOTAN_HAS_X509_CERTIFICATES)
+ #include <botan/x509path.h>
+ #include <botan/internal/filesystem.h>
+#endif
+
+#include <algorithm>
+#include <fstream>
+#include <iomanip>
+#include <string>
+#include <vector>
+#include <map>
+#include <cstdlib>
+
+namespace Botan_Tests {
+
+namespace {
+
+#if defined(BOTAN_HAS_X509_CERTIFICATES)
+
+class Name_Constraint_Tests : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override
+ {
+ const std::vector<std::tuple<std::string,std::string,std::string,std::string>> test_cases = {
+ std::make_tuple(
+ "Root_Email_Name_Constraint.crt",
+ "Invalid_Email_Name_Constraint.crt",
+ "Invalid Email Name Constraint",
+ "Certificate does not pass name constraint"),
+ std::make_tuple(
+ "Root_DN_Name_Constraint.crt",
+ "Invalid_DN_Name_Constraint.crt",
+ "Invalid DN Name Constraint",
+ "Certificate does not pass name constraint"),
+ std::make_tuple(
+ "Root_DN_Name_Constraint.crt",
+ "Valid_DN_Name_Constraint.crt",
+ "Valid DN Name Constraint",
+ "Verified"),
+ std::make_tuple(
+ "Root_DNS_Name_Constraint.crt",
+ "Valid_DNS_Name_Constraint.crt",
+ "aexample.com",
+ "Verified"),
+ std::make_tuple(
+ "Root_IP_Name_Constraint.crt",
+ "Valid_IP_Name_Constraint.crt",
+ "Valid IP Name Constraint",
+ "Verified"),
+ std::make_tuple(
+ "Root_IP_Name_Constraint.crt",
+ "Invalid_IP_Name_Constraint.crt",
+ "Invalid IP Name Constraint",
+ "Certificate does not pass name constraint"),
+ };
+ std::vector<Test::Result> results;
+ const Botan::Path_Validation_Restrictions default_restrictions;
+
+ for(const auto& t: test_cases)
+ {
+ Botan::X509_Certificate root(Test::data_file("name_constraint/" + std::get<0>(t)));
+ Botan::X509_Certificate sub(Test::data_file("name_constraint/" + std::get<1>(t)));
+ Botan::Certificate_Store_In_Memory trusted;
+ Test::Result result("X509v3 Name Constraints: " + std::get<1>(t));
+
+ trusted.add_certificate(root);
+ Botan::Path_Validation_Result path_result = Botan::x509_path_validate(
+ sub, default_restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH);
+
+ if(path_result.successful_validation() && path_result.trust_root() != root)
+ path_result = Botan::Path_Validation_Result(Botan::Certificate_Status_Code::CANNOT_ESTABLISH_TRUST);
+
+ result.test_eq("validation result", path_result.result_string(), std::get<3>(t));
+ results.push_back(result);
+ }
+
+ return results;
+ }
+ };
+
+BOTAN_REGISTER_TEST("x509_path_name_constraint", Name_Constraint_Tests);
+
+#endif
+
+}
+
+}
|
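Review bot: The leaf certificates these cases load look time-limited, and the `Botan::x509_path_validate(...)` call in the loop passes no reference time, so the expected strings probably hold only while the fixtures are unexpired. Decoding the validity fields of the added `Valid_*`/`Invalid_*` files gives a notAfter in March 2017 (the roots run to 2026); after that the `"Verified"` rows would presumably report `Certificate has expired`, and the rejection rows might stop exercising the name-constraint check at all. Pin the validation time to a date inside the fixtures' validity window if the API in this tree allows it, or regenerate the leaves with a long lifetime, and record the window above `test_cases`, e.g. `// fixtures: leaf certs valid 2016-03 .. 2017-03, roots to 2026`. Separately, the table has no DNS rejection case and no e-mail acceptance case, so each of those constraint types is checked in only one direction by this file.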