author | Jack Lloyd <[email protected]> | 2021-05-09 08:50:27 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2021-05-09 08:50:27 -0400 |
commit | 8f03527d3bfec45d9ef51cf8a95795b069b00e2a (patch) | |
tree | 67381db195488ff2d57974815c856e122daac482 /src | |
parent | dd18d8f1c7991c3b408b26fdd2b7e8c1688d350d (diff) | |
parent | bba47e860fc772bb2d37f60f6e82fa22d7d6bc14 (diff) |
Merge GH #2739 Fix name constraint bugs
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/utils/parsing.cpp | 4 | ||||
-rw-r--r-- | src/lib/utils/parsing.h | 2 | ||||
-rw-r--r-- | src/lib/x509/name_constraint.cpp | 8 | ||||
-rw-r--r-- | src/lib/x509/x509_ext.cpp | 11 | ||||
-rw-r--r-- | src/tests/data/x509/bsi/expected.txt | 2 | ||||
-rw-r--r-- | src/tests/data/x509/misc/name_constraint_ci/int.pem | 101 | ||||
-rw-r--r-- | src/tests/data/x509/misc/name_constraint_ci/leaf.pem | 45 | ||||
-rw-r--r-- | src/tests/data/x509/misc/name_constraint_ci/root.pem | 33 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/int.pem | 30 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/leaf.pem | 29 | ||||
-rw-r--r-- | src/tests/data/x509/misc/nc_skip_self/root.pem | 29 | ||||
-rw-r--r-- | src/tests/test_x509_path.cpp | 92 |
12 files changed, 371 insertions, 15 deletions
diff --git a/src/lib/utils/parsing.cpp b/src/lib/utils/parsing.cpp
index 8004dbdd0..ff3d4ac0a 100644
--- a/src/lib/utils/parsing.cpp
+++ b/src/lib/utils/parsing.cpp
@@ -324,8 +324,6 @@ std::string replace_char(const std::string& str, char from_char, char to_char)
 return out;
 }
-namespace {
-
 std::string tolower_string(const std::string& in)
 {
 std::string s = in;
@@ -338,8 +336,6 @@ std::string tolower_string(const std::string& in)
 return s;
 }
-}
-
 bool host_wildcard_match(const std::string& issued_, const std::string& host_)
 {
 const std::string issued = tolower_string(issued_);
diff --git a/src/lib/utils/parsing.h b/src/lib/utils/parsing.h
index 216dbc822..d2c0b5f8c 100644
--- a/src/lib/utils/parsing.h
+++ b/src/lib/utils/parsing.h
@@ -167,6 +167,8 @@ std::map<std::string, std::string> BOTAN_PUBLIC_API(2,8) read_kv(const std::stri
 std::string BOTAN_PUBLIC_API(2,0) clean_ws(const std::string& s);
+std::string tolower_string(const std::string& s);
+
 /**
 * Check if the given hostname is a match for the specified wildcard
 */
diff --git a/src/lib/x509/name_constraint.cpp b/src/lib/x509/name_constraint.cpp
index 91c644068..c9045729d 100644
--- a/src/lib/x509/name_constraint.cpp
+++ b/src/lib/x509/name_constraint.cpp
@@ -165,17 +165,19 @@ bool GeneralName::matches_dns(const std::string& nam) const
 {
 if(nam.size() == name().size())
 {
- return nam == name();
+ return tolower_string(nam) == tolower_string(name());
 }
 else if(name().size() > nam.size())
 {
+ // The constraint is longer than the issued name: not possibly a match
 return false;
 }
 else // name.size() < nam.size()
 {
- std::string constr = name().front() == '.' ? name() : "." + name();
 // constr is suffix of nam
- return constr == nam.substr(nam.size() - constr.size(), constr.size());
+ const std::string constr = name().front() == '.' ? name() : "." + name();
+ const std::string substr = nam.substr(nam.size() - constr.size(), constr.size());
+ return tolower_string(constr) == tolower_string(substr);
 }
 }
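Review bot: The `tolower_string` declaration added to src/lib/utils/parsing.h has no doc comment and no `BOTAN_PUBLIC_API` marker, unlike the `read_kv` and `clean_ws` declarations visible around it, so a reader cannot tell whether it is meant to be exported or is an internal helper that merely lives in this header. Its result now decides DNS name-constraint matches, so the comment should also say which characters are folded; the function body falls between the two parsing.cpp hunks and is not shown, so whether the folding is ASCII-only and locale-independent cannot be confirmed here. I would add something like `/** Lowercase a host name for case-insensitive comparison; internal helper, not part of the public API */` above the declaration, adjusted to what the body actually does.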
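Review bot: In the final `else` branch of `GeneralName::matches_dns` in src/lib/x509/name_constraint.cpp, the rewritten line `const std::string constr = name().front() == '.' ? name() : "." + name();` still calls `front()` without checking that the constraint is non-empty. An empty dNSName constraint reaches this branch for any non-empty `nam`, and `front()` on an empty `std::string` is undefined behaviour; whether decoding already rejects empty names is not visible in this hunk. I would add an explicit `if(name().empty())` case before the size comparisons and decide there how an empty constraint is treated. Separately, `tolower_string` is called on both operands in two of the branches; lowering `nam` and `name()` once at the top of the function would keep every comparison on the same folded values.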
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index 7809b5617..e81e15c18 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -657,20 +657,17 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
 {
 if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
 {
- if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
+ if(!subject.is_CA_cert())
+ {
 cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
+ }
 const bool issuer_name_constraint_critical = issuer.is_critical("X509v3.NameConstraints");
- const bool at_self_signed_root = (pos == cert_path.size() - 1);
-
 // Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= pos; ++j)
+ for(size_t j = 0; j < pos; ++j)
 {
- if(pos == j && at_self_signed_root)
- continue;
-
 bool permitted = m_name_constraints.permitted().empty();
 bool failed = false;
diff --git a/src/tests/data/x509/bsi/expected.txt b/src/tests/data/x509/bsi/expected.txt
index 9099ab58a..a3f957a81 100644
--- a/src/tests/data/x509/bsi/expected.txt
+++ b/src/tests/data/x509/bsi/expected.txt
@@ -48,7 +48,7 @@ cert_path_ext_12$Certificate contains duplicate policy
 cert_path_ext_13$Unknown critical extension encountered
 cert_path_ext_14$Unknown critical extension encountered
 cert_path_ext_15$Certificate does not pass name constraint
-cert_path_ext_16$Certificate does not pass name constraint
+cert_path_ext_16$Verified
 #cert_path_ext_17$
 cert_path_ext_18$Unknown critical extension encountered
 cert_path_ext_19$Unknown critical extension encountered
diff --git a/src/tests/data/x509/misc/name_constraint_ci/int.pem b/src/tests/data/x509/misc/name_constraint_ci/int.pem
new file mode 100644
index 000000000..e72186198
--- /dev/null
+++ b/src/tests/data/x509/misc/name_constraint_ci/int.pem
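Review bot: The first `if` in this hunk of `Name_Constraints::validate` (src/lib/x509/x509_ext.cpp) stops reporting `NAME_CONSTRAINT_ERROR` for a NameConstraints extension that is not marked critical, but nothing in the code records that this is deliberate. RFC 5280 section 4.2.1.10 requires conforming CAs to mark the extension critical, and the same commit flips the BSI expectation for cert_path_ext_16 to `Verified`, so a short comment such as `// A non-critical NameConstraints extension is accepted here; its constraints are still checked against the subordinate certs below` would keep the next reader from restoring the check. The new bound `j < pos` also merits a comment saying the certificate that carries the constraints is never tested against them. The context line `issuer.is_critical("X509v3.NameConstraints")` reads criticality from `issuer` while the removed check read it from `subject`; it looks worth confirming which certificate owns the constraints being evaluated. The function body continues past the end of the hunk.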
@@ -0,0 +1,101 @@ +-----BEGIN CERTIFICATE----- +MIISZjCCEE6gAwIBAgIQL+DBBkUO02gMUQKcjFQSXTANBgkqhkiG9w0BAQsFADBr +MQswCQYDVQQGEwJJVDEOMAwGA1UEBwwFTWlsYW4xIzAhBgNVBAoMGkFjdGFsaXMg +Uy5wLkEuLzAzMzU4NTIwOTY3MScwJQYDVQQDDB5BY3RhbGlzIEF1dGhlbnRpY2F0 +aW9uIFJvb3QgQ0EwHhcNMTkwNjEzMDc0ODQ3WhcNMjkwNjEyMDc0ODQ3WjCBkDEL +MAkGA1UEBhMCSVQxDTALBgNVBAcMBFJvbWExJjAkBgNVBAoMHUFnZW56aWEgcGVy +IGwnSXRhbGlhIERpZ2l0YWxlMTcwNQYDVQQLDC5BcmVhIFNvbHV6aW9uaSBwZXIg +bGEgUHViYmxpY2EgQW1taW5pc3RyYXppb25lMREwDwYDVQQDDAhBZ0lEIENBMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2n0Xri8wepI2AarzJVG5E +9/kQpXhuLbX3sQgN0RjTfhvPB9fwXRrfvar5upsWGvwPuUB2Z3A2jseDa1hbvHee +fkkfjKT/UkUidqZEKprb176t/zJoNVI7lgRCjjz90ByVjUHIFuwQUHOVMbfHyeBW +pTQrzYsxnofRKRep3ZESLlhKaln4/8/rSICxnD8KpeTQ41Qn8VYpj0RV0NU0+k9V +gR9C/K4zX1z4AonMemcRP/8B1XFyjk2LaqUXHt8LBw6Wb+OYO+n9rXKT8pDyr9/z +d+kSJxxI2gvooye7Xt3xJGqODkpZru3Q3Gb5c8T2UZ2mnKZwOciN4p/5tcOaC1cC +AwEAAaOCDd4wgg3aMIIL2gYDVR0eBIIL0TCCC82ggguXMA2BC2FnaWQuZ292Lml0 +MBmBF2NlcnQuaW5mb3JtYXRpY2EuYWNpLml0MBGBD2NlcnQuaW50ZXJuby5pdDAM +gQplbWFyY2hlLml0MBCBDmZhc3R3ZWItcGVjLml0MBWBE2dlc3RvcmVwZWMudW5p +bmEuaXQwDIEKa21haWxlci5pdDAOgQxsZWdhbG1haWwuaXQwEIEOcGNlcnQuc29n +ZWkuaXQwEIEOcGVjLmFjdGFsaXMuaXQwEIEOcGVjLmFuY2l0ZWwuaXQwDoEMcGVj +LmFydWJhLml0MBaBFHBlYy5iYXNpbGljYXRhbmV0Lml0MA+BDXBlYy1lbWFpbC5j +b20wEoEQcGVjLnBvc3RlY2VydC5pdDAWgRRwZWMucG9zdGVpdGFsaWFuZS5pdDAV +gRNwZWMucnVwYXIucHVnbGlhLml0MBaBFHBvc3RhY2VydC5jZWRhY3JpLml0MB+B +HXBvc3RhY2VydGlmaWNhdGEubm90YXJpYXRvLml0MBKBEHBvc3RhY2VydC5pdC5u +ZXQwDoEMcG9zdGVjZXJ0Lml0MBWBE3NpY3VyZXp6YXBvc3RhbGUuaXQwEIEOdGVs +ZWNvbXBvc3QuaXQwF4EVdHJ1c3RlZG1haWwuaW50ZXNhLml0MAyBCnR3dGNlcnQu +aXQwEYEPenVjY2hldHRpcGVjLml0MBCBDmNlcnQuaW50ZXNhLml0MBaBFGNlcnRt +YWlsLmtwbnF3ZXN0Lml0MBWBE2NlcnRtYWlsLmlyaWRlb3MuaXQwGoEYcHVwZWMu +aW5mb3JtYXRpY2EuYWNpLml0MBmBF3Byby5zaWN1cmV6emFwb3N0YWxlLml0MBCB +DnBlYy5iaWxsNG1lLml0MBGBD3BlYy5ub3RhcnRlbC5pdDATghFhZ2VuZGFkaWdp +dGFsZS5pdDASghBhZ2lkLWNhMS10ZXN0Lml0MAmCB2FnaWQuaXQwCYIHYWlwYS5p 
+dDANggtjZXJ0LXNwYy5pdDAOggxjcmNpdGFsaWEuaXQwHIIaZGlmZW5zb3JlY2l2 +aWNvZGlnaXRhbGUuaXQwEoIQZGlnaXRhbGFnZW5kYS5pdDAMggpkaWdpdHBhLml0 +MAiCBmdvdi5pdDALgglpdGFsaWEuaXQwCoIIY25pcGEuaXQwDIIKY2VydC1wYS5p +dDANggtpbmRpY2VwYS5pdDBQpE4wTDELMAkGA1UEBhMCSVQxDTALBgNVBAgMBFJv +bWExDTALBgNVBAcMBFJvbWExHzAdBgNVBAoMFkFDSSBJbmZvcm1hdGljYSBTLnAu +QS4wWaRXMFUxCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdCZXJnYW1vMRkwFwYDVQQH +DBBQb250ZSBTYW4gUGlldHJvMRkwFwYDVQQKDBBBcnViYSBQRUMgUy5wLkEuMFek +VTBTMQswCQYDVQQGEwJJVDEQMA4GA1UECAwHQmVyZ2FtbzEZMBcGA1UEBwwQUG9u +dGUgU2FuIFBpZXRybzEXMBUGA1UECgwOQWN0YWxpcyBTLnAuQS4wV6RVMFMxCzAJ +BgNVBAYTAklUMQ0wCwYDVQQIDARSb21hMQ0wCwYDVQQHDARSb21hMSYwJAYDVQQK +DB1BZ2VuemlhIHBlciBsJ0l0YWxpYSBEaWdpdGFsZTBIpEYwRDELMAkGA1UEBhMC +SVQxDTALBgNVBAgMBFJvbWExDTALBgNVBAcMBFJvbWExFzAVBgNVBAoMDkFuY2l0 +ZWwgUy5wLkEuME+kTTBLMQswCQYDVQQGEwJJVDEOMAwGA1UECAwFUGFybWExEzAR +BgNVBAcMCkNvbGxlY2NoaW8xFzAVBgNVBAoMDkNlZGFjcmkgUy5wLkEuMFukWTBX +MQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEqMCgG +A1UECgwhQ29uc2lnbGlvIE5hemlvbmFsZSBkZWwgTm90YXJpYXRvMEykSjBIMQsw +CQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xFzAV +BgNVBAoMDkZhc3R3ZWIgUy5wLkEuMEqkSDBGMQswCQYDVQQGEwJJVDEPMA0GA1UE +CAwGTWlsYW5vMQ8wDQYDVQQHDAZBc3NhZ28xFTATBgNVBAoMDElUbmV0IFMuci5s +LjBPpE0wSzELMAkGA1UEBhMCSVQxDzANBgNVBAgMBlRvcmlubzEPMA0GA1UEBwwG +VG9yaW5vMRowGAYDVQQKDBFJbi5UZS5TLkEuIFMucC5BLjBJpEcwRTELMAkGA1UE +BhMCSVQxDTALBgNVBAgMBFJvbWExDTALBgNVBAcMBFJvbWExGDAWBgNVBAoMD0lu +Zm9DZXJ0IFMucC5BLjBSpFAwTjELMAkGA1UEBhMCSVQxDTALBgNVBAgMBEJhcmkx +EjAQBgNVBAcMCVZhbGVuemFubzEcMBoGA1UECgwTSW5ub3ZhUHVnbGlhIFMucC5B +LjBRpE8wTTELMAkGA1UEBhMCSVQxDzANBgNVBAgMBkFuY29uYTETMBEGA1UEBwwK +U2VuaWdhbGxpYTEYMBYGA1UECgwPTmFtaXJpYWwgUy5wLkEuME+kTTBLMQswCQYD +VQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEeMBwGA1UECgwV +UG9zdGUgSXRhbGlhbmUgUy5wLkEuMFKkUDBOMQswCQYDVQQGEwJJVDEQMA4GA1UE +CAwHUG90ZW56YTEQMA4GA1UEBwwHUG90ZW56YTEbMBkGA1UECgwSUmVnaW9uZSBC +YXNpbGljYXRhMEykSjBIMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGQW5jb25hMQ8w 
+DQYDVQQHDAZBbmNvbmExFzAVBgNVBAoMDlJlZ2lvbmUgTWFyY2hlME+kTTBLMQsw +CQYDVQQGEwJJVDEQMA4GA1UECAwHRmlyZW56ZTEQMA4GA1UEBwwHRmlyZW56ZTEY +MBYGA1UECgwPUmVnaXN0ZXIgUy5wLkEuMEakRDBCMQswCQYDVQQGEwJJVDENMAsG +A1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEVMBMGA1UECgwMU29nZWkgUy5wLkEu +MEikRjBEMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZN +aWxhbm8xEzARBgNVBAoMClRXVCBTLnAuQS4wZaRjMGExCzAJBgNVBAYTAklUMQ0w +CwYDVQQIDARSb21hMRAwDgYDVQQHDAdQb21lemlhMTEwLwYDVQQKDChUZWxlY29t +IEl0YWxpYSBUcnVzdCBUZWNobm9sb2dpZXMgUy5yLmwuMGqkaDBmMQswCQYDVQQG +EwJJVDEPMA0GA1UECAwGTmFwb2xpMQ8wDQYDVQQHDAZOYXBvbGkxNTAzBgNVBAoM +LFVOSVZFUlNJVEEgREVHTEkgU1RVREkgREkgTkFQT0xJIEZFREVSSUNPIElJMEqk +SDBGMQswCQYDVQQGEwJJVDENMAsGA1UECAwETG9kaTENMAsGA1UEBwwETG9kaTEZ +MBcGA1UECgwQWnVjY2hldHRpIFMucC5BLjBUpFIwUDELMAkGA1UEBhMCSVQxDzAN +BgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMR8wHQYDVQQKDBZLUE5RV0VT +VCBJVEFMSUEgUy5yLmwuMEykSjBIMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWls +YW5vMQ8wDQYDVQQHDAZNaWxhbm8xFzAVBgNVBAoMDklSSURFT1MgUy5wLkEuMEmk +RzBFMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEY +MBYGA1UECgwPTm90YXJ0ZWwgUy5wLkEuoTAwCocIAAAAAAAAAAAwIocgAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwQQYIKwYBBQUHAQEENTAzMDEGCCsG +AQUFBzABhiVodHRwOi8vb2NzcDA3LmFjdGFsaXMuaXQvVkEvQVVUSC1ST09UMB0G +A1UdDgQWBBSl/YUFDsPx1mVKIGzi201gkyuKoDASBgNVHRMBAf8ECDAGAQH/AgEA +MB8GA1UdIwQYMBaAFFLYiDrIn3hm7YnzezhwlMkCAjbQME4GA1UdIARHMEUwQwYF +K0wQAwEwOjA4BggrBgEFBQcCARYsaHR0cDovL3d3dy5hZ2lkLmdvdi5pdC9jZXJ0 +aWZpY2F0aS1maXJtYS1wZWMwgeMGA1UdHwSB2zCB2DCBlqCBk6CBkIaBjWxkYXA6 +Ly9sZGFwMDcuYWN0YWxpcy5pdC9jbiUzZEFjdGFsaXMlMjBBdXRoZW50aWNhdGlv +biUyMFJvb3QlMjBDQSxvJTNkQWN0YWxpcyUyMFMucC5BLiUyZjAzMzU4NTIwOTY3 +LGMlM2RJVD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTA9oDugOYY3 +aHR0cDovL2NybDA3LmFjdGFsaXMuaXQvUmVwb3NpdG9yeS9BVVRILVJPT1QvZ2V0 +TGFzdENSTDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG +AQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQAInLD/Nl6k9fMhVS3df3nb/IpdsgeT +EFsUA1I4o7VvhL03S+fk3QhFYOtL1dHNgJS1zlFu3EMYy7C6YDE2a8DQLvKJx3Uk 
+yeyBHoMQRCHVSg+lQJQxFOuGn/28zZYNvJN1DvgOgEdEsYOipAAL5TBu8Oz7ixDd +Wgxipd44wW0AGkhvow4amL5qp7VLxqawXlCE9PdLXzfP0j3OHqUcNCTBCXEAZrPP +5I3QmbHwRhncviAcFNrPYqzNKul9EUrYaYR0BquS9YHVjlhJr+n/NL56tX7YqrwB +gHHGa7XpgmVRhdlvDO5sKhIvIM1Pc13aQowkG6g6uLkG1PYBJjt8nFxwUsHSbLdW +9QEaQctP2UC6FzvU/LH3WVI7mPRq7+bXKDQNdhT7KOElE/FLWbPl2yYk8uKe5Ok3 +YlbyjGVC+h7kehPgv5Y1iasUpZjVte2etEcSI1s7lbprKYt+UdaxiE7qvp/ilaO4 +P1ZHiZUXCbg3wjks00A1WOaxAKsmx9KF8JWKsU6arBT3kDCsoXksBb0KvYG/d0sa +X3c9UeTthGTN8TyHaHuwTJ7Z3LljOJNsOyYbwvk57LybrFgY3WpcTHaztoL+3c9N +/odBXgJeM1DKlLZMQ5r1HiRiwnQOaK3htK+B41EaLeu7WXZpN/t4xqA8RxYyYlWd +vJe1SacGDfVcCw== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/misc/name_constraint_ci/leaf.pem b/src/tests/data/x509/misc/name_constraint_ci/leaf.pem new file mode 100644 index 000000000..8dbba412e --- /dev/null +++ b/src/tests/data/x509/misc/name_constraint_ci/leaf.pem 
@@ -0,0 +1,45 @@ +-----BEGIN CERTIFICATE----- +MIIH8TCCBtmgAwIBAgIQQD1ha3ZylOCFLxKULwH9ojANBgkqhkiG9w0BAQsFADCB +kDELMAkGA1UEBhMCSVQxDTALBgNVBAcMBFJvbWExJjAkBgNVBAoMHUFnZW56aWEg +cGVyIGwnSXRhbGlhIERpZ2l0YWxlMTcwNQYDVQQLDC5BcmVhIFNvbHV6aW9uaSBw +ZXIgbGEgUHViYmxpY2EgQW1taW5pc3RyYXppb25lMREwDwYDVQQDDAhBZ0lEIENB +MTAeFw0yMDAxMjIwODE2MDFaFw0yMjAxMjEwODE2MDFaMIGSMQswCQYDVQQGEwJJ +VDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEmMCQGA1UECgwdQWdlbnpp +YSBwZXIgbCdJdGFsaWEgRGlnaXRhbGUxGjAYBgNVBAsMEUFNQklFTlRJIENPTExB +VURPMSEwHwYDVQQDDBhJTkRJQ0VQQS1DT0xMQVVETy5HT1YuSVQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1Rv8z5xQ2pMEI3m17bIaDPgpBCNCdxXL7 +LtWSDM2KjHP1NVjuPSA4ASLuPsk6AkB8m0ZJgJKFntzww0IK65cTQPXK51aQZtX9 +Vc7SYykAw5/xpfPR5H/VJfN3xwsN8uasTAiFT0wzZCRtDIpkc2vrdhn0ktndoxUp +Zm5GT0pRw+8AmhZ+hO+C7xgDZ5CimwHRskJf3UE8HOFhHtIottA9kx1pYVv9iojo +F+e/H3LGGuHl63p9/2gyjf3/3ZPaA9gtZpN6tnbiv0KOOEMVSvHXnmwtcg/JX3Sr +Yg2W/93zcSH8IFQks2MuN1rbCv1/ckGXK0F496UPxOqYYA3PiddXAgMBAAGjggRB +MIIEPTA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly9jYTEuYWdp +ZC5nb3YuaXQvT0NTUDAdBgNVHQ4EFgQUqwTNv2lZ57PeXI/MXinOPUX808owHwYD +VR0jBBgwFoAUpf2FBQ7D8dZlSiBs4ttNYJMriqAwWQYDVR0gBFIwUDAIBgZngQwB +AgIwRAYGK0wQAwEDMDowOAYIKwYBBQUHAgEWLGh0dHA6Ly93d3cuYWdpZC5nb3Yu +aXQvY2VydGlmaWNhdGktZmlybWEtcGVjMIHgBgNVHR8EgdgwgdUwgbCgga2ggaqG +gadsZGFwOi8vY2ExLmFnaWQuZ292Lml0L2NuPUFnSUQlMjBDQTEsb3U9QXJlYSUy +MFNvbHV6aW9uaSUyMHBlciUyMGxhJTIwUHViYmxpY2ElMjBBbW1pbmlzdHJhemlv +bmUsbz1BZ2VuemlhJTIwcGVyJTIwbCUyN0l0YWxpYSUyMERpZ2l0YWxlLEM9SVQ/ +Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAgoB6gHIYaaHR0cDovL2NhMS5hZ2lk +Lmdvdi5pdC9DUkwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMC +BggrBgEFBQcDATCB0gYDVR0RBIHKMIHHghtjYS5pbmRpY2VwYS1jb2xsYXVkby5n +b3YuaXSCHHd3dy5pbmRpY2VwYS1jb2xsYXVkby5nb3YuaXSCG3d3dy5nZW9kYXRp +LWNvbGxhdWRvLmdvdi5pdIIgZ292ZXJuYW5jZS1jb2xsYXVkby5pY3NwYy5nb3Yu +aXSCF2dlb2RhdGktY29sbGF1ZG8uZ292Lml0ghhJTkRJQ0VQQS1DT0xMQVVETy5H +T1YuSVSCGGluZGljZXBhLWNvbGxhdWRvLmdvdi5pdDCCAX4GCisGAQQB1nkCBAIE 
+ggFuBIIBagFoAHYA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFv +zFu92gAABAMARzBFAiA5SwL52cTLwjeFcNEbES5LE1wA260wvnPPeVF9zQEa/gIh +AOS8weXMlVrkJ4rZgFmf9H7cF6OHiSANl/QDMGr4JJLGAHUAQcjKsd8iRkoQxqE6 +CUKHXk4xixsD6+tLx2jwkGKWBvYAAAFvzFu/GgAABAMARjBEAiBqxfN3vRyoxsmT +4H2f1x+h5902T2bpYlLI2Kk7eTC6nwIgYUGSvmOtlPOuK62g6rvZoNvXLTVZ5DjX +VlYSeGHvgs4AdwAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAW/M +W8BMAAAEAwBIMEYCIQDqnpR2rF1G64aUHtSFSCOV/Mpo0pVwGw7UFskxeFigQwIh +AMSJFNXBWNzJ1BAYzeJ4BsjGm+pspA3It3fitblscotrMA0GCSqGSIb3DQEBCwUA +A4IBAQC+6qFPoMSejF6LC4iqJEFtzzLCzM8TDYEliHEtwj7fU8+rIDUSp9MgeCkl +IB2iDXhW7rzTMfAMEc0MhuFmMgr8q7hH0GtdodSGIbJv41nZSXbDUIfLWZYO2u/v +qbG8d0a5tU07KmZy7Q0mAlFOAA3OhXD9kHuLutMcvJf6XpFqHHXkDy88G/8hYhRr +aMlXhP/uoyZ2dm5N/vMzo4pmOhuu5JF7Zjc97N/cHsmpixTgICjCXCehwby4nzEG +ExJmdpxW2LD9UGduWYMVU5SARR2Atq+6UKaHmiehoUFWmm5Gkb18OfTFsQPTT2Y2 +tN5L9MD1jWDYoR1Yexg4LBV7gs/P +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/misc/name_constraint_ci/root.pem b/src/tests/data/x509/misc/name_constraint_ci/root.pem new file mode 100644 index 000000000..5762f37e6 --- /dev/null +++ b/src/tests/data/x509/misc/name_constraint_ci/root.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w +MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290 +IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC +SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 +ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv +UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX +4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9 +KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/ +gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb +rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ +51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F +be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe +KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F +v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn +fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7 +jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz +ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt +ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL +e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70 +jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz +WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V +SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j +pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX +X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok +fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R +K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU +ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU 
+LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT +LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/misc/nc_skip_self/int.pem b/src/tests/data/x509/misc/nc_skip_self/int.pem new file mode 100644 index 000000000..209bda324 --- /dev/null +++ b/src/tests/data/x509/misc/nc_skip_self/int.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFLjCCAxagAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMQswCQYDVQQGEwJDWjEP +MA0GA1UEBwwGUHJhZ3VlMRMwEQYDVQQKDApUZXN0Um9vdENBMB4XDTIxMDUwNDEw +NDY0MVoXDTIyMDUwNDEwNDY0MVowOzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlBy +YWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA03ZbIxKV+vGe2Uo/052UEarHfylH0eHbFXcedfb/ +Py8y7+cIz4ZtsLoo2XRMoLVvnJglOcSPR72riLknrQ6jo8hktdAr+8JntmasnkR7 +xJBafk8xZZzvRQ/DwNEzq9uASRWrLJpmPP7+SinQWUa8n5dZ+cdCJoLhocPBxvd4 +ZxbyFsiQ9ttjJm8cF8VJN1KM4lpRweNZJdxuezdVxUzEV1dpr5QyY8cQWStJBzP1 +nKpXm9D3vawuOfP1hJ6QYET7pIvpzNuRW5pEnSjegoDieTFxp7cz2giGAE/uKe3L +P45xT6IrH+oaHYiMEla1mwW1i5NJKNpPVqI7LLjVPSsqCRRjsgQrFuDxkX88UjsM +f0F1/YY/xwppd9ha2Zv3KXsF4dDFAiLGzj3MhkXFrEvbs6cdetoDFPmrBbP7B7GY +2HK1BuqbxmmWjLnmUoO0zX8NMIkA3PbKZEzVeUlVuoxQ8lxwLlF3zmyJna7Nyuud +K/cW9mIhChJib++HcoHxyWPwD13aD1mnHoW4xFGCSVc48qjRQ530bKo8P6yRBSHa +fDtcjhcTa5svGHx7uK9z/ZRI9FAIOxu+zJnOiCq7LCKIF9RiBzLuww9YpC0ZEZYu +KMPu+/PfDVnnI4TxdKtXa7iJeJosc+SEUnzBFUa4FRlMB3GVnk7xkXQfrJ6y8XJG +r1MCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAwBgNVHR4BAf8EJjAkoCIwIKQe +MBwxCzAJBgNVBAYTAkNaMQ0wCwYDVQQHDARCcm5vMA0GCSqGSIb3DQEBCwUAA4IC +AQBjL9/LijOxwU9iJ/BV68CEpxWj0OD9qfGknnroS4XSNkgll9exqjI7WBWCyOls +SDyN2NgFrOqRj5vh6x/UhuEjfrYoJBDgyZM0sA2ZLRd1Cnno2xlnodNHUZxeUvl4 +hm/wecmO8fN36LiZfc6PAsEJ9Z4uh/a7QHDKNpy+egenQcpM7LFjCU+bMGP8Xp/u +l09LXmb4kqeYp9ljpf6biMPPMmORlYEtn8+C3i4AR/uWWu2eEjcrB5ImcyTnCzBu +4Tm4qjCDo2wRbFGnm/nXyOx7C6+Ay0pNO/DWSB21qexK13mKkgB+D3G9hVH5pOIu +elu7Zw9pl2qsTnH5iM8SHK2vZPeWPYiI68uCqAKiVRCRkt3GWVn1XH1Jff3Hyyku +Z9KC/pSTZW3IyAxsk2wIhVHK8W95Uy0WRLvioxYvJrCGfuRG5vBE0Ix2/yRtUXGZ +ze4+tWFRCPc7qdVURPMpwkla3U7BQoSk77q6b0crsDqs2NLPEdAOle+TdTAhXlZY +9HNm8l/ZrXFFbJiYVT5GnMvKZxMx60u4+WKwiVa0MOrn1Cp0peMds9ab9gTtN9n+ +5CnpKYsf4OQY47PGS65Ef4q2D4h8nK0ufoDTMZyDz8BkSknztFfvSISAR942f0RD +5CZP6FCUJ10K02umvACjXlMhJntrwXXeofs+k4W2YLVxjw== +-----END CERTIFICATE----- 
diff --git a/src/tests/data/x509/misc/nc_skip_self/leaf.pem b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
new file mode 100644
index 000000000..dd1991acd
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE4DCCAsgCAQEwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCQ1oxDzANBgNV +BAcMBlByYWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIxMDUw +NDEwNDY0MloXDTIyMDUwNDEwNDY0MlowMTELMAkGA1UEBhMCQ1oxDTALBgNVBAcM +BEJybm8xEzARBgNVBAoMClRlc3RTZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDNE0EdswXQphxPwaYXukZB3oIsZZ76TsRk+L2eVutpLT1L3W+Q +0phTOmwjTguL365ZXllLN3hbPwLgjZzWG2T4sBPLGhSxkasuLk+2YrSg0Qz0iML5 +3wGQtV6KGqb/giPWTbtexelcrfL/3B3ejzIFvkuiQXxzfimNZyg3i4JVMmnKkj2A +Kq4pcJRFx3vzkAptcnJc+UQQpjYcizjvBm3+9XALeNlEbwoj//ySP1OtrZVwpbzq +ARGe4LjkTuBr/T9DhTEVAKW4NQGdUPJV54mkoP/hQ1G0r3qpaAC9i4UtLXCy7o63 +R0vVsIOi+JNyoxeO3XRqt0rV2U1DLwpAj0k1dhNCWQIys4Ufep4AKxGHjkYUznaA +A27NxNSaAnc1g4rTteMkiDW+Ao32/J3NikW7sA+tOpklvrQ+jysIGkXjvVjMylsu +BO80bhrm8JSyWuL1KPTe1nLjECewYm9TuxAyiQTglBaHoJOrfyvd5Tu9gNopIhdR +WwXb2ajxLAqgqOhtfrV+fcvLIucP5B+dcAixdVnOFk62Vi4kyZLRgkK80JvhtdLu +xZWiCemmTxaG/6SYvpu3QmYcY7ee8I2hG05chGyCg7Zcnf4CVasMCgfbYgkt6Tzw +CzVZFEVDBbEjWQeEegQmVRVrfqHbmHm3ge6AyekSfAoHlv6IsRImJZta6QIDAQAB +MA0GCSqGSIb3DQEBCwUAA4ICAQAlcVI/elokcYZg1N+WEf+9SV3XakivfHFVTf0w +y9RlJ8HRaYN/Nnreo6RK+ps/RflNJi4+ncQazCzTOIchC2Wiaf0h3HspZ4N78j1y +rsT6LAm+eakzazl45pqVcJQ8jeTrjqOFerK+tQd9NQbsqkzmnQ2WmpFwDXdwY/T6 +H/TpwGwUTgYK/UW9WqgWCpTNDVfU6tYTD0KrlnnnPu2vtniLD4fJq/3NaESOrMCC +zNonH1dpIYERyu0l27rRw0zuexSyAAL0fd8OGdtpfeE7RbptCxwVmwz6/klluKOb +8YV53T4HnwKYtLmD+UMPdWAVzj4TdOSDTuOxQhu+NwjPMYKvMF2phN4v1BpVgUuy +m4HfuEpfHmHKsNPFJWZ9E28bbUJ39+LtARf3pqUL66V3CAlNodi6tpWqz4b3nPo+ +JznOox/ujntISe1ziNL6lHdGUFn9QaLQiXyIYZLNqheJ2GX4cHnKfzZxp/KqRBRA +Z/kUtHSAyL/LSJ3fAHxRdGmSiBP37PmDw7i11w9kd4EPK2EkiqZtmiQtDrsOQfh1 +0SeP4DHf3n7VoyGBDfpiC1WFnSafbMG+tOl7QuRX4RCJrVQWjFT73q0MCciryK7Z +TsUM+yHjDZY33k/kvevptczjWk1dxQ5Napr4ayW4jWvdWV55/lLYmhC8JP6La+1h +j50djA== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/misc/nc_skip_self/root.pem b/src/tests/data/x509/misc/nc_skip_self/root.pem new file mode 100644 index 000000000..27f99ee35 --- /dev/null 
+++ b/src/tests/data/x509/misc/nc_skip_self/root.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBzCCAu+gAwIBAgIUF/jloc5zNYR3gyPGyMfuC4Qf5cEwDQYJKoZIhvcNAQEL +BQAwMzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTETMBEGA1UECgwKVGVz +dFJvb3RDQTAeFw0yMTA1MDQxMDQ2MzhaFw0yMjA1MDQxMDQ2MzhaMDMxCzAJBgNV +BAYTAkNaMQ8wDQYDVQQHDAZQcmFndWUxEzARBgNVBAoMClRlc3RSb290Q0EwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSmObXNfY3NDTfYwTykRtTaJs9 +tw4qqw6oXQc5FSK7Itwo90i7VjyTa+yVWulRGyqeSGanqvbZeSuF6ZB4tVmTi+gH +HlxBnT0zamYNdR4Yo5OzhXGyuaXuACTCj5N0OtMTjlOS0qsxTnsD8lgUHY0dUWpq +e2JsduiS+fXuE6tde0IAH3Rr47gTHPlXsAYl2T48s+3pv9MY5MGSSusakDXqjdLB +mnfhoOCfbBWm61GNHBfVVFx6MAEAM8r6fTR0OZxynhcocT5yAbrKz72jLtT+savO +5ehq1vawpsgX3CmS4WmClnVEoOPh80a1F1aAr4bvcK2GmFLiBLIKZpGAiQLZe1QE +9Y/Q361zmY9ghQOldTFi7ZK3Bx8B/3hBS+1lQFrw+NlOqqkf3RruDfz04SRZYlKx +HrY1DEBcPDRYPEmA4QyGm079Pi+IoZzj2ZGUAegBPhd3wG9qeDoM9lB7wdCq3C9V +j4QQIzcfuecGTEbXD4n6r5gMhW+64LVZ2mDHf3sntc1wO/weBqpGYeX6s3pFIEvR +f1meuMEploIRYcT0wdIVld0p2nJQXZV2pxNcZ9SWns9AFEvdjb8VMQsuSjit6qxP +pMarNHkl0a3X7QWUwuWQz6hU7aIDCrXzmk9+ZDs8U5lQaSldyBdAsFMtHTX5s7PH +VDFg/DHzUW2pk1lNvQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4ICAQDIMLGZgY7TC6rY0zV+MXVC873zz03A58Bd6osCBxrCkIn3aG5h +4OJ5s6+KmvzhXcb5TnPhHQso+ZCKdl4RJ3byzlH1gPhK+fPFIcivL3L/5P9OvdYQ +CXPK4vs9sH99YRWM6DsaO4GY9gg/g0gv7VSS4J91d6Mo6G1kQWer+h2YyJH2lO1T +2CnWYEto0KqztSixDrcBzSpAjvsZfzLNQJlp1IOoRTWgNyWGBztV6blEFu309M7U +05M+HiZQPu5q0/HQjXy2+uwzcasc3+YD6F/fdFuyCVLa8Bh10PG2mSG98j5QaSw2 +J6z+g4Mb0AgzzcjYRTIMt8ghMYyjstVjzK4UqXlL9/T4xKehFZcc/GQ+5xO/XdI1 +zCSe10+crNiuETRPArE2P5NvqHXKkcuSv7iuFmzc+VJC6Lj3t1sMUIKMCLrQYgXT +HL91GxX3AhWoLqobr9s4y14oP1CG/TqxQMdXqs7NAs+dJYcY9waFPlgMxzrVKcy3 +Z3thAcqBC6xDr8Ctx7uX7zqdNXZQfGnz2wVW/GSDFpvmmqWnwHiqABkEPMvzmNb/ +OCcmRc45PclyhLc/aMudJTsB36e9Tt/UCWe+iDorsizY4u4Fe+4ujlkyQWgYfvUl +txvJF3BvCIHwTlFAECgg6Je5qu6yWu4T+P4zPhWj1RaYA1i7cuXTXwKKKg== +-----END CERTIFICATE----- 
diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp
index 3adc917d4..727d063d6 100644
--- a/src/tests/test_x509_path.cpp
+++ b/src/tests/test_x509_path.cpp
@@ -640,6 +640,98 @@ std::vector<Test::Result> Validate_Name_Constraint_SAN_Test::run()
 BOTAN_REGISTER_TEST("x509", "x509_name_constraint_san", Validate_Name_Constraint_SAN_Test);
+class Validate_Name_Constraint_CaseInsensitive final : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override;
+ };
+
+std::vector<Test::Result> Validate_Name_Constraint_CaseInsensitive::run()
+ {
+ if(Botan::has_filesystem_impl() == false)
+ {
+ return {Test::Result::Note("Path validation",
+ "Skipping due to missing filesystem access")};
+ }
+
+ std::vector<Test::Result> results;
+
+ const std::string root_crt = Test::data_file("/x509/misc/name_constraint_ci/root.pem");
+ const std::string int_crt = Test::data_file("/x509/misc/name_constraint_ci/int.pem");
+ const std::string ee_crt = Test::data_file("/x509/misc/name_constraint_ci/leaf.pem");
+
+ auto validation_time =
+ Botan::calendar_point(2021, 5, 8, 1, 0, 0).to_std_timepoint();
+
+ Botan::X509_Certificate root(root_crt);
+ Botan::X509_Certificate intermediate(int_crt);
+ Botan::X509_Certificate ee_cert(ee_crt);
+
+ Botan::Certificate_Store_In_Memory trusted;
+ trusted.add_certificate(root);
+
+ std::vector<Botan::X509_Certificate> chain = { ee_cert, intermediate };
+
+ Botan::Path_Validation_Restrictions restrictions;
+ Botan::Path_Validation_Result validation_result =
+ Botan::x509_path_validate(chain, restrictions, trusted, "",
+ Botan::Usage_Type::UNSPECIFIED, validation_time);
+
+ Test::Result result("DNS name constraints are case insensitive");
+ result.test_eq("Path validation succeeded",
+ validation_result.successful_validation(), true);
+
+ return {result};
+ }
+
+BOTAN_REGISTER_TEST("x509", "x509_name_constraint_ci", Validate_Name_Constraint_CaseInsensitive);
+
+class Validate_Name_Constraint_NoCheckSelf final : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override;
+ };
+
+std::vector<Test::Result> Validate_Name_Constraint_NoCheckSelf::run()
+ {
+ if(Botan::has_filesystem_impl() == false)
+ {
+ return {Test::Result::Note("Path validation",
+ "Skipping due to missing filesystem access")};
+ }
+
+ std::vector<Test::Result> results;
+
+ const std::string root_crt = Test::data_file("/x509/misc/nc_skip_self/root.pem");
+ const std::string int_crt = Test::data_file("/x509/misc/nc_skip_self/int.pem");
+ const std::string ee_crt = Test::data_file("/x509/misc/nc_skip_self/leaf.pem");
+
+ auto validation_time =
+ Botan::calendar_point(2021, 5, 8, 1, 0, 0).to_std_timepoint();
+
+ Botan::X509_Certificate root(root_crt);
+ Botan::X509_Certificate intermediate(int_crt);
+ Botan::X509_Certificate ee_cert(ee_crt);
+
+ Botan::Certificate_Store_In_Memory trusted;
+ trusted.add_certificate(root);
+
+ std::vector<Botan::X509_Certificate> chain = { ee_cert, intermediate };
+
+ Botan::Path_Validation_Restrictions restrictions;
+ Botan::Path_Validation_Result validation_result =
+ Botan::x509_path_validate(chain, restrictions, trusted, "",
+ Botan::Usage_Type::UNSPECIFIED, validation_time);
+
+ Test::Result result("Name constraints do not apply to the certificate which includes them");
+ result.test_eq("Path validation succeeded",
+ validation_result.successful_validation(), true);
+
+ return {result};
+ }
+
+BOTAN_REGISTER_TEST("x509", "x509_name_constraint_no_check_self", Validate_Name_Constraint_NoCheckSelf);
+
 class BSI_Path_Validation_Tests final : public Test
 { |
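Review bot: Both new tests in src/tests/test_x509_path.cpp assert only that a chain validates, so neither would fail if the case folding made name-constraint matching accept more than it should. Case-insensitive comparison matters most for excluded subtrees, where a name that differs from the constraint only in case must still be rejected; a companion case with such a chain, expecting a name-constraint failure, would pin that down. `std::vector<Test::Result> results;` is declared in both `run()` bodies and never used, since each returns `{result}`, so it can be dropped. The two bodies differ only in the data directory and the result label, so a shared helper taking those two strings would remove the duplication.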