aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2021-05-09 08:50:27 -0400
committerJack Lloyd <[email protected]>2021-05-09 08:50:27 -0400
commit8f03527d3bfec45d9ef51cf8a95795b069b00e2a (patch)
tree67381db195488ff2d57974815c856e122daac482 /src
parentdd18d8f1c7991c3b408b26fdd2b7e8c1688d350d (diff)
parentbba47e860fc772bb2d37f60f6e82fa22d7d6bc14 (diff)
Merge GH #2739 Fix name constraint bugs
Diffstat (limited to 'src')
-rw-r--r--src/lib/utils/parsing.cpp4
-rw-r--r--src/lib/utils/parsing.h2
-rw-r--r--src/lib/x509/name_constraint.cpp8
-rw-r--r--src/lib/x509/x509_ext.cpp11
-rw-r--r--src/tests/data/x509/bsi/expected.txt2
-rw-r--r--src/tests/data/x509/misc/name_constraint_ci/int.pem101
-rw-r--r--src/tests/data/x509/misc/name_constraint_ci/leaf.pem45
-rw-r--r--src/tests/data/x509/misc/name_constraint_ci/root.pem33
-rw-r--r--src/tests/data/x509/misc/nc_skip_self/int.pem30
-rw-r--r--src/tests/data/x509/misc/nc_skip_self/leaf.pem29
-rw-r--r--src/tests/data/x509/misc/nc_skip_self/root.pem29
-rw-r--r--src/tests/test_x509_path.cpp92
12 files changed, 371 insertions, 15 deletions
diff --git a/src/lib/utils/parsing.cpp b/src/lib/utils/parsing.cpp
index 8004dbdd0..ff3d4ac0a 100644
--- a/src/lib/utils/parsing.cpp
+++ b/src/lib/utils/parsing.cpp
@@ -324,8 +324,6 @@ std::string replace_char(const std::string& str, char from_char, char to_char)
return out;
}
-namespace {
-
std::string tolower_string(const std::string& in)
{
std::string s = in;
@@ -338,8 +336,6 @@ std::string tolower_string(const std::string& in)
return s;
}
-}
-
bool host_wildcard_match(const std::string& issued_, const std::string& host_)
{
const std::string issued = tolower_string(issued_);
diff --git a/src/lib/utils/parsing.h b/src/lib/utils/parsing.h
index 216dbc822..d2c0b5f8c 100644
--- a/src/lib/utils/parsing.h
+++ b/src/lib/utils/parsing.h
@@ -167,6 +167,8 @@ std::map<std::string, std::string> BOTAN_PUBLIC_API(2,8) read_kv(const std::stri
std::string BOTAN_PUBLIC_API(2,0) clean_ws(const std::string& s);
+std::string tolower_string(const std::string& s);
+
/**
* Check if the given hostname is a match for the specified wildcard
*/
diff --git a/src/lib/x509/name_constraint.cpp b/src/lib/x509/name_constraint.cpp
index 91c644068..c9045729d 100644
--- a/src/lib/x509/name_constraint.cpp
+++ b/src/lib/x509/name_constraint.cpp
@@ -165,17 +165,19 @@ bool GeneralName::matches_dns(const std::string& nam) const
{
if(nam.size() == name().size())
{
- return nam == name();
+ return tolower_string(nam) == tolower_string(name());
}
else if(name().size() > nam.size())
{
+ // The constraint is longer than the issued name: not possibly a match
return false;
}
else // name.size() < nam.size()
{
- std::string constr = name().front() == '.' ? name() : "." + name();
// constr is suffix of nam
- return constr == nam.substr(nam.size() - constr.size(), constr.size());
+ const std::string constr = name().front() == '.' ? name() : "." + name();
+ const std::string substr = nam.substr(nam.size() - constr.size(), constr.size());
+ return tolower_string(constr) == tolower_string(substr);
}
}
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index 7809b5617..e81e15c18 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -657,20 +657,17 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
{
if(!m_name_constraints.permitted().empty() || !m_name_constraints.excluded().empty())
{
- if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
+ if(!subject.is_CA_cert())
+ {
cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
+ }
const bool issuer_name_constraint_critical =
issuer.is_critical("X509v3.NameConstraints");
- const bool at_self_signed_root = (pos == cert_path.size() - 1);
-
// Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= pos; ++j)
+ for(size_t j = 0; j < pos; ++j)
{
- if(pos == j && at_self_signed_root)
- continue;
-
bool permitted = m_name_constraints.permitted().empty();
bool failed = false;
diff --git a/src/tests/data/x509/bsi/expected.txt b/src/tests/data/x509/bsi/expected.txt
index 9099ab58a..a3f957a81 100644
--- a/src/tests/data/x509/bsi/expected.txt
+++ b/src/tests/data/x509/bsi/expected.txt
@@ -48,7 +48,7 @@ cert_path_ext_12$Certificate contains duplicate policy
cert_path_ext_13$Unknown critical extension encountered
cert_path_ext_14$Unknown critical extension encountered
cert_path_ext_15$Certificate does not pass name constraint
-cert_path_ext_16$Certificate does not pass name constraint
+cert_path_ext_16$Verified
#cert_path_ext_17$
cert_path_ext_18$Unknown critical extension encountered
cert_path_ext_19$Unknown critical extension encountered
diff --git a/src/tests/data/x509/misc/name_constraint_ci/int.pem b/src/tests/data/x509/misc/name_constraint_ci/int.pem
new file mode 100644
index 000000000..e72186198
--- /dev/null
+++ b/src/tests/data/x509/misc/name_constraint_ci/int.pem
@@ -0,0 +1,101 @@
+-----BEGIN CERTIFICATE-----
+MIISZjCCEE6gAwIBAgIQL+DBBkUO02gMUQKcjFQSXTANBgkqhkiG9w0BAQsFADBr
+MQswCQYDVQQGEwJJVDEOMAwGA1UEBwwFTWlsYW4xIzAhBgNVBAoMGkFjdGFsaXMg
+Uy5wLkEuLzAzMzU4NTIwOTY3MScwJQYDVQQDDB5BY3RhbGlzIEF1dGhlbnRpY2F0
+aW9uIFJvb3QgQ0EwHhcNMTkwNjEzMDc0ODQ3WhcNMjkwNjEyMDc0ODQ3WjCBkDEL
+MAkGA1UEBhMCSVQxDTALBgNVBAcMBFJvbWExJjAkBgNVBAoMHUFnZW56aWEgcGVy
+IGwnSXRhbGlhIERpZ2l0YWxlMTcwNQYDVQQLDC5BcmVhIFNvbHV6aW9uaSBwZXIg
+bGEgUHViYmxpY2EgQW1taW5pc3RyYXppb25lMREwDwYDVQQDDAhBZ0lEIENBMTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2n0Xri8wepI2AarzJVG5E
+9/kQpXhuLbX3sQgN0RjTfhvPB9fwXRrfvar5upsWGvwPuUB2Z3A2jseDa1hbvHee
+fkkfjKT/UkUidqZEKprb176t/zJoNVI7lgRCjjz90ByVjUHIFuwQUHOVMbfHyeBW
+pTQrzYsxnofRKRep3ZESLlhKaln4/8/rSICxnD8KpeTQ41Qn8VYpj0RV0NU0+k9V
+gR9C/K4zX1z4AonMemcRP/8B1XFyjk2LaqUXHt8LBw6Wb+OYO+n9rXKT8pDyr9/z
+d+kSJxxI2gvooye7Xt3xJGqODkpZru3Q3Gb5c8T2UZ2mnKZwOciN4p/5tcOaC1cC
+AwEAAaOCDd4wgg3aMIIL2gYDVR0eBIIL0TCCC82ggguXMA2BC2FnaWQuZ292Lml0
+MBmBF2NlcnQuaW5mb3JtYXRpY2EuYWNpLml0MBGBD2NlcnQuaW50ZXJuby5pdDAM
+gQplbWFyY2hlLml0MBCBDmZhc3R3ZWItcGVjLml0MBWBE2dlc3RvcmVwZWMudW5p
+bmEuaXQwDIEKa21haWxlci5pdDAOgQxsZWdhbG1haWwuaXQwEIEOcGNlcnQuc29n
+ZWkuaXQwEIEOcGVjLmFjdGFsaXMuaXQwEIEOcGVjLmFuY2l0ZWwuaXQwDoEMcGVj
+LmFydWJhLml0MBaBFHBlYy5iYXNpbGljYXRhbmV0Lml0MA+BDXBlYy1lbWFpbC5j
+b20wEoEQcGVjLnBvc3RlY2VydC5pdDAWgRRwZWMucG9zdGVpdGFsaWFuZS5pdDAV
+gRNwZWMucnVwYXIucHVnbGlhLml0MBaBFHBvc3RhY2VydC5jZWRhY3JpLml0MB+B
+HXBvc3RhY2VydGlmaWNhdGEubm90YXJpYXRvLml0MBKBEHBvc3RhY2VydC5pdC5u
+ZXQwDoEMcG9zdGVjZXJ0Lml0MBWBE3NpY3VyZXp6YXBvc3RhbGUuaXQwEIEOdGVs
+ZWNvbXBvc3QuaXQwF4EVdHJ1c3RlZG1haWwuaW50ZXNhLml0MAyBCnR3dGNlcnQu
+aXQwEYEPenVjY2hldHRpcGVjLml0MBCBDmNlcnQuaW50ZXNhLml0MBaBFGNlcnRt
+YWlsLmtwbnF3ZXN0Lml0MBWBE2NlcnRtYWlsLmlyaWRlb3MuaXQwGoEYcHVwZWMu
+aW5mb3JtYXRpY2EuYWNpLml0MBmBF3Byby5zaWN1cmV6emFwb3N0YWxlLml0MBCB
+DnBlYy5iaWxsNG1lLml0MBGBD3BlYy5ub3RhcnRlbC5pdDATghFhZ2VuZGFkaWdp
+dGFsZS5pdDASghBhZ2lkLWNhMS10ZXN0Lml0MAmCB2FnaWQuaXQwCYIHYWlwYS5p
+dDANggtjZXJ0LXNwYy5pdDAOggxjcmNpdGFsaWEuaXQwHIIaZGlmZW5zb3JlY2l2
+aWNvZGlnaXRhbGUuaXQwEoIQZGlnaXRhbGFnZW5kYS5pdDAMggpkaWdpdHBhLml0
+MAiCBmdvdi5pdDALgglpdGFsaWEuaXQwCoIIY25pcGEuaXQwDIIKY2VydC1wYS5p
+dDANggtpbmRpY2VwYS5pdDBQpE4wTDELMAkGA1UEBhMCSVQxDTALBgNVBAgMBFJv
+bWExDTALBgNVBAcMBFJvbWExHzAdBgNVBAoMFkFDSSBJbmZvcm1hdGljYSBTLnAu
+QS4wWaRXMFUxCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdCZXJnYW1vMRkwFwYDVQQH
+DBBQb250ZSBTYW4gUGlldHJvMRkwFwYDVQQKDBBBcnViYSBQRUMgUy5wLkEuMFek
+VTBTMQswCQYDVQQGEwJJVDEQMA4GA1UECAwHQmVyZ2FtbzEZMBcGA1UEBwwQUG9u
+dGUgU2FuIFBpZXRybzEXMBUGA1UECgwOQWN0YWxpcyBTLnAuQS4wV6RVMFMxCzAJ
+BgNVBAYTAklUMQ0wCwYDVQQIDARSb21hMQ0wCwYDVQQHDARSb21hMSYwJAYDVQQK
+DB1BZ2VuemlhIHBlciBsJ0l0YWxpYSBEaWdpdGFsZTBIpEYwRDELMAkGA1UEBhMC
+SVQxDTALBgNVBAgMBFJvbWExDTALBgNVBAcMBFJvbWExFzAVBgNVBAoMDkFuY2l0
+ZWwgUy5wLkEuME+kTTBLMQswCQYDVQQGEwJJVDEOMAwGA1UECAwFUGFybWExEzAR
+BgNVBAcMCkNvbGxlY2NoaW8xFzAVBgNVBAoMDkNlZGFjcmkgUy5wLkEuMFukWTBX
+MQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEqMCgG
+A1UECgwhQ29uc2lnbGlvIE5hemlvbmFsZSBkZWwgTm90YXJpYXRvMEykSjBIMQsw
+CQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xFzAV
+BgNVBAoMDkZhc3R3ZWIgUy5wLkEuMEqkSDBGMQswCQYDVQQGEwJJVDEPMA0GA1UE
+CAwGTWlsYW5vMQ8wDQYDVQQHDAZBc3NhZ28xFTATBgNVBAoMDElUbmV0IFMuci5s
+LjBPpE0wSzELMAkGA1UEBhMCSVQxDzANBgNVBAgMBlRvcmlubzEPMA0GA1UEBwwG
+VG9yaW5vMRowGAYDVQQKDBFJbi5UZS5TLkEuIFMucC5BLjBJpEcwRTELMAkGA1UE
+BhMCSVQxDTALBgNVBAgMBFJvbWExDTALBgNVBAcMBFJvbWExGDAWBgNVBAoMD0lu
+Zm9DZXJ0IFMucC5BLjBSpFAwTjELMAkGA1UEBhMCSVQxDTALBgNVBAgMBEJhcmkx
+EjAQBgNVBAcMCVZhbGVuemFubzEcMBoGA1UECgwTSW5ub3ZhUHVnbGlhIFMucC5B
+LjBRpE8wTTELMAkGA1UEBhMCSVQxDzANBgNVBAgMBkFuY29uYTETMBEGA1UEBwwK
+U2VuaWdhbGxpYTEYMBYGA1UECgwPTmFtaXJpYWwgUy5wLkEuME+kTTBLMQswCQYD
+VQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEeMBwGA1UECgwV
+UG9zdGUgSXRhbGlhbmUgUy5wLkEuMFKkUDBOMQswCQYDVQQGEwJJVDEQMA4GA1UE
+CAwHUG90ZW56YTEQMA4GA1UEBwwHUG90ZW56YTEbMBkGA1UECgwSUmVnaW9uZSBC
+YXNpbGljYXRhMEykSjBIMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGQW5jb25hMQ8w
+DQYDVQQHDAZBbmNvbmExFzAVBgNVBAoMDlJlZ2lvbmUgTWFyY2hlME+kTTBLMQsw
+CQYDVQQGEwJJVDEQMA4GA1UECAwHRmlyZW56ZTEQMA4GA1UEBwwHRmlyZW56ZTEY
+MBYGA1UECgwPUmVnaXN0ZXIgUy5wLkEuMEakRDBCMQswCQYDVQQGEwJJVDENMAsG
+A1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEVMBMGA1UECgwMU29nZWkgUy5wLkEu
+MEikRjBEMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZN
+aWxhbm8xEzARBgNVBAoMClRXVCBTLnAuQS4wZaRjMGExCzAJBgNVBAYTAklUMQ0w
+CwYDVQQIDARSb21hMRAwDgYDVQQHDAdQb21lemlhMTEwLwYDVQQKDChUZWxlY29t
+IEl0YWxpYSBUcnVzdCBUZWNobm9sb2dpZXMgUy5yLmwuMGqkaDBmMQswCQYDVQQG
+EwJJVDEPMA0GA1UECAwGTmFwb2xpMQ8wDQYDVQQHDAZOYXBvbGkxNTAzBgNVBAoM
+LFVOSVZFUlNJVEEgREVHTEkgU1RVREkgREkgTkFQT0xJIEZFREVSSUNPIElJMEqk
+SDBGMQswCQYDVQQGEwJJVDENMAsGA1UECAwETG9kaTENMAsGA1UEBwwETG9kaTEZ
+MBcGA1UECgwQWnVjY2hldHRpIFMucC5BLjBUpFIwUDELMAkGA1UEBhMCSVQxDzAN
+BgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMR8wHQYDVQQKDBZLUE5RV0VT
+VCBJVEFMSUEgUy5yLmwuMEykSjBIMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWls
+YW5vMQ8wDQYDVQQHDAZNaWxhbm8xFzAVBgNVBAoMDklSSURFT1MgUy5wLkEuMEmk
+RzBFMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEY
+MBYGA1UECgwPTm90YXJ0ZWwgUy5wLkEuoTAwCocIAAAAAAAAAAAwIocgAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwQQYIKwYBBQUHAQEENTAzMDEGCCsG
+AQUFBzABhiVodHRwOi8vb2NzcDA3LmFjdGFsaXMuaXQvVkEvQVVUSC1ST09UMB0G
+A1UdDgQWBBSl/YUFDsPx1mVKIGzi201gkyuKoDASBgNVHRMBAf8ECDAGAQH/AgEA
+MB8GA1UdIwQYMBaAFFLYiDrIn3hm7YnzezhwlMkCAjbQME4GA1UdIARHMEUwQwYF
+K0wQAwEwOjA4BggrBgEFBQcCARYsaHR0cDovL3d3dy5hZ2lkLmdvdi5pdC9jZXJ0
+aWZpY2F0aS1maXJtYS1wZWMwgeMGA1UdHwSB2zCB2DCBlqCBk6CBkIaBjWxkYXA6
+Ly9sZGFwMDcuYWN0YWxpcy5pdC9jbiUzZEFjdGFsaXMlMjBBdXRoZW50aWNhdGlv
+biUyMFJvb3QlMjBDQSxvJTNkQWN0YWxpcyUyMFMucC5BLiUyZjAzMzU4NTIwOTY3
+LGMlM2RJVD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTA9oDugOYY3
+aHR0cDovL2NybDA3LmFjdGFsaXMuaXQvUmVwb3NpdG9yeS9BVVRILVJPT1QvZ2V0
+TGFzdENSTDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQAInLD/Nl6k9fMhVS3df3nb/IpdsgeT
+EFsUA1I4o7VvhL03S+fk3QhFYOtL1dHNgJS1zlFu3EMYy7C6YDE2a8DQLvKJx3Uk
+yeyBHoMQRCHVSg+lQJQxFOuGn/28zZYNvJN1DvgOgEdEsYOipAAL5TBu8Oz7ixDd
+Wgxipd44wW0AGkhvow4amL5qp7VLxqawXlCE9PdLXzfP0j3OHqUcNCTBCXEAZrPP
+5I3QmbHwRhncviAcFNrPYqzNKul9EUrYaYR0BquS9YHVjlhJr+n/NL56tX7YqrwB
+gHHGa7XpgmVRhdlvDO5sKhIvIM1Pc13aQowkG6g6uLkG1PYBJjt8nFxwUsHSbLdW
+9QEaQctP2UC6FzvU/LH3WVI7mPRq7+bXKDQNdhT7KOElE/FLWbPl2yYk8uKe5Ok3
+YlbyjGVC+h7kehPgv5Y1iasUpZjVte2etEcSI1s7lbprKYt+UdaxiE7qvp/ilaO4
+P1ZHiZUXCbg3wjks00A1WOaxAKsmx9KF8JWKsU6arBT3kDCsoXksBb0KvYG/d0sa
+X3c9UeTthGTN8TyHaHuwTJ7Z3LljOJNsOyYbwvk57LybrFgY3WpcTHaztoL+3c9N
+/odBXgJeM1DKlLZMQ5r1HiRiwnQOaK3htK+B41EaLeu7WXZpN/t4xqA8RxYyYlWd
+vJe1SacGDfVcCw==
+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/misc/name_constraint_ci/leaf.pem b/src/tests/data/x509/misc/name_constraint_ci/leaf.pem
new file mode 100644
index 000000000..8dbba412e
--- /dev/null
+++ b/src/tests/data/x509/misc/name_constraint_ci/leaf.pem
@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIH8TCCBtmgAwIBAgIQQD1ha3ZylOCFLxKULwH9ojANBgkqhkiG9w0BAQsFADCB
+kDELMAkGA1UEBhMCSVQxDTALBgNVBAcMBFJvbWExJjAkBgNVBAoMHUFnZW56aWEg
+cGVyIGwnSXRhbGlhIERpZ2l0YWxlMTcwNQYDVQQLDC5BcmVhIFNvbHV6aW9uaSBw
+ZXIgbGEgUHViYmxpY2EgQW1taW5pc3RyYXppb25lMREwDwYDVQQDDAhBZ0lEIENB
+MTAeFw0yMDAxMjIwODE2MDFaFw0yMjAxMjEwODE2MDFaMIGSMQswCQYDVQQGEwJJ
+VDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTEmMCQGA1UECgwdQWdlbnpp
+YSBwZXIgbCdJdGFsaWEgRGlnaXRhbGUxGjAYBgNVBAsMEUFNQklFTlRJIENPTExB
+VURPMSEwHwYDVQQDDBhJTkRJQ0VQQS1DT0xMQVVETy5HT1YuSVQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1Rv8z5xQ2pMEI3m17bIaDPgpBCNCdxXL7
+LtWSDM2KjHP1NVjuPSA4ASLuPsk6AkB8m0ZJgJKFntzww0IK65cTQPXK51aQZtX9
+Vc7SYykAw5/xpfPR5H/VJfN3xwsN8uasTAiFT0wzZCRtDIpkc2vrdhn0ktndoxUp
+Zm5GT0pRw+8AmhZ+hO+C7xgDZ5CimwHRskJf3UE8HOFhHtIottA9kx1pYVv9iojo
+F+e/H3LGGuHl63p9/2gyjf3/3ZPaA9gtZpN6tnbiv0KOOEMVSvHXnmwtcg/JX3Sr
+Yg2W/93zcSH8IFQks2MuN1rbCv1/ckGXK0F496UPxOqYYA3PiddXAgMBAAGjggRB
+MIIEPTA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly9jYTEuYWdp
+ZC5nb3YuaXQvT0NTUDAdBgNVHQ4EFgQUqwTNv2lZ57PeXI/MXinOPUX808owHwYD
+VR0jBBgwFoAUpf2FBQ7D8dZlSiBs4ttNYJMriqAwWQYDVR0gBFIwUDAIBgZngQwB
+AgIwRAYGK0wQAwEDMDowOAYIKwYBBQUHAgEWLGh0dHA6Ly93d3cuYWdpZC5nb3Yu
+aXQvY2VydGlmaWNhdGktZmlybWEtcGVjMIHgBgNVHR8EgdgwgdUwgbCgga2ggaqG
+gadsZGFwOi8vY2ExLmFnaWQuZ292Lml0L2NuPUFnSUQlMjBDQTEsb3U9QXJlYSUy
+MFNvbHV6aW9uaSUyMHBlciUyMGxhJTIwUHViYmxpY2ElMjBBbW1pbmlzdHJhemlv
+bmUsbz1BZ2VuemlhJTIwcGVyJTIwbCUyN0l0YWxpYSUyMERpZ2l0YWxlLEM9SVQ/
+Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAgoB6gHIYaaHR0cDovL2NhMS5hZ2lk
+Lmdvdi5pdC9DUkwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
+BggrBgEFBQcDATCB0gYDVR0RBIHKMIHHghtjYS5pbmRpY2VwYS1jb2xsYXVkby5n
+b3YuaXSCHHd3dy5pbmRpY2VwYS1jb2xsYXVkby5nb3YuaXSCG3d3dy5nZW9kYXRp
+LWNvbGxhdWRvLmdvdi5pdIIgZ292ZXJuYW5jZS1jb2xsYXVkby5pY3NwYy5nb3Yu
+aXSCF2dlb2RhdGktY29sbGF1ZG8uZ292Lml0ghhJTkRJQ0VQQS1DT0xMQVVETy5H
+T1YuSVSCGGluZGljZXBhLWNvbGxhdWRvLmdvdi5pdDCCAX4GCisGAQQB1nkCBAIE
+ggFuBIIBagFoAHYA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFv
+zFu92gAABAMARzBFAiA5SwL52cTLwjeFcNEbES5LE1wA260wvnPPeVF9zQEa/gIh
+AOS8weXMlVrkJ4rZgFmf9H7cF6OHiSANl/QDMGr4JJLGAHUAQcjKsd8iRkoQxqE6
+CUKHXk4xixsD6+tLx2jwkGKWBvYAAAFvzFu/GgAABAMARjBEAiBqxfN3vRyoxsmT
+4H2f1x+h5902T2bpYlLI2Kk7eTC6nwIgYUGSvmOtlPOuK62g6rvZoNvXLTVZ5DjX
+VlYSeGHvgs4AdwAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAW/M
+W8BMAAAEAwBIMEYCIQDqnpR2rF1G64aUHtSFSCOV/Mpo0pVwGw7UFskxeFigQwIh
+AMSJFNXBWNzJ1BAYzeJ4BsjGm+pspA3It3fitblscotrMA0GCSqGSIb3DQEBCwUA
+A4IBAQC+6qFPoMSejF6LC4iqJEFtzzLCzM8TDYEliHEtwj7fU8+rIDUSp9MgeCkl
+IB2iDXhW7rzTMfAMEc0MhuFmMgr8q7hH0GtdodSGIbJv41nZSXbDUIfLWZYO2u/v
+qbG8d0a5tU07KmZy7Q0mAlFOAA3OhXD9kHuLutMcvJf6XpFqHHXkDy88G/8hYhRr
+aMlXhP/uoyZ2dm5N/vMzo4pmOhuu5JF7Zjc97N/cHsmpixTgICjCXCehwby4nzEG
+ExJmdpxW2LD9UGduWYMVU5SARR2Atq+6UKaHmiehoUFWmm5Gkb18OfTFsQPTT2Y2
+tN5L9MD1jWDYoR1Yexg4LBV7gs/P
+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/misc/name_constraint_ci/root.pem b/src/tests/data/x509/misc/name_constraint_ci/root.pem
new file mode 100644
index 000000000..5762f37e6
--- /dev/null
+++ b/src/tests/data/x509/misc/name_constraint_ci/root.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
+BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w
+MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290
+IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC
+SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1
+ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv
+UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX
+4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9
+KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/
+gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb
+rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ
+51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F
+be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe
+KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F
+v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn
+fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7
+jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz
+ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt
+ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL
+e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70
+jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz
+WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V
+SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j
+pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX
+X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok
+fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R
+K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU
+ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU
+LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT
+LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/misc/nc_skip_self/int.pem b/src/tests/data/x509/misc/nc_skip_self/int.pem
new file mode 100644
index 000000000..209bda324
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/int.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLjCCAxagAwIBAgIBATANBgkqhkiG9w0BAQsFADAzMQswCQYDVQQGEwJDWjEP
+MA0GA1UEBwwGUHJhZ3VlMRMwEQYDVQQKDApUZXN0Um9vdENBMB4XDTIxMDUwNDEw
+NDY0MVoXDTIyMDUwNDEwNDY0MVowOzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlBy
+YWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEA03ZbIxKV+vGe2Uo/052UEarHfylH0eHbFXcedfb/
+Py8y7+cIz4ZtsLoo2XRMoLVvnJglOcSPR72riLknrQ6jo8hktdAr+8JntmasnkR7
+xJBafk8xZZzvRQ/DwNEzq9uASRWrLJpmPP7+SinQWUa8n5dZ+cdCJoLhocPBxvd4
+ZxbyFsiQ9ttjJm8cF8VJN1KM4lpRweNZJdxuezdVxUzEV1dpr5QyY8cQWStJBzP1
+nKpXm9D3vawuOfP1hJ6QYET7pIvpzNuRW5pEnSjegoDieTFxp7cz2giGAE/uKe3L
+P45xT6IrH+oaHYiMEla1mwW1i5NJKNpPVqI7LLjVPSsqCRRjsgQrFuDxkX88UjsM
+f0F1/YY/xwppd9ha2Zv3KXsF4dDFAiLGzj3MhkXFrEvbs6cdetoDFPmrBbP7B7GY
+2HK1BuqbxmmWjLnmUoO0zX8NMIkA3PbKZEzVeUlVuoxQ8lxwLlF3zmyJna7Nyuud
+K/cW9mIhChJib++HcoHxyWPwD13aD1mnHoW4xFGCSVc48qjRQ530bKo8P6yRBSHa
+fDtcjhcTa5svGHx7uK9z/ZRI9FAIOxu+zJnOiCq7LCKIF9RiBzLuww9YpC0ZEZYu
+KMPu+/PfDVnnI4TxdKtXa7iJeJosc+SEUnzBFUa4FRlMB3GVnk7xkXQfrJ6y8XJG
+r1MCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAwBgNVHR4BAf8EJjAkoCIwIKQe
+MBwxCzAJBgNVBAYTAkNaMQ0wCwYDVQQHDARCcm5vMA0GCSqGSIb3DQEBCwUAA4IC
+AQBjL9/LijOxwU9iJ/BV68CEpxWj0OD9qfGknnroS4XSNkgll9exqjI7WBWCyOls
+SDyN2NgFrOqRj5vh6x/UhuEjfrYoJBDgyZM0sA2ZLRd1Cnno2xlnodNHUZxeUvl4
+hm/wecmO8fN36LiZfc6PAsEJ9Z4uh/a7QHDKNpy+egenQcpM7LFjCU+bMGP8Xp/u
+l09LXmb4kqeYp9ljpf6biMPPMmORlYEtn8+C3i4AR/uWWu2eEjcrB5ImcyTnCzBu
+4Tm4qjCDo2wRbFGnm/nXyOx7C6+Ay0pNO/DWSB21qexK13mKkgB+D3G9hVH5pOIu
+elu7Zw9pl2qsTnH5iM8SHK2vZPeWPYiI68uCqAKiVRCRkt3GWVn1XH1Jff3Hyyku
+Z9KC/pSTZW3IyAxsk2wIhVHK8W95Uy0WRLvioxYvJrCGfuRG5vBE0Ix2/yRtUXGZ
+ze4+tWFRCPc7qdVURPMpwkla3U7BQoSk77q6b0crsDqs2NLPEdAOle+TdTAhXlZY
+9HNm8l/ZrXFFbJiYVT5GnMvKZxMx60u4+WKwiVa0MOrn1Cp0peMds9ab9gTtN9n+
+5CnpKYsf4OQY47PGS65Ef4q2D4h8nK0ufoDTMZyDz8BkSknztFfvSISAR942f0RD
+5CZP6FCUJ10K02umvACjXlMhJntrwXXeofs+k4W2YLVxjw==
+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/misc/nc_skip_self/leaf.pem b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
new file mode 100644
index 000000000..dd1991acd
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/leaf.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE4DCCAsgCAQEwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCQ1oxDzANBgNV
+BAcMBlByYWd1ZTEbMBkGA1UECgwSVGVzdEludGVybWVkaWF0ZUNBMB4XDTIxMDUw
+NDEwNDY0MloXDTIyMDUwNDEwNDY0MlowMTELMAkGA1UEBhMCQ1oxDTALBgNVBAcM
+BEJybm8xEzARBgNVBAoMClRlc3RTZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDNE0EdswXQphxPwaYXukZB3oIsZZ76TsRk+L2eVutpLT1L3W+Q
+0phTOmwjTguL365ZXllLN3hbPwLgjZzWG2T4sBPLGhSxkasuLk+2YrSg0Qz0iML5
+3wGQtV6KGqb/giPWTbtexelcrfL/3B3ejzIFvkuiQXxzfimNZyg3i4JVMmnKkj2A
+Kq4pcJRFx3vzkAptcnJc+UQQpjYcizjvBm3+9XALeNlEbwoj//ySP1OtrZVwpbzq
+ARGe4LjkTuBr/T9DhTEVAKW4NQGdUPJV54mkoP/hQ1G0r3qpaAC9i4UtLXCy7o63
+R0vVsIOi+JNyoxeO3XRqt0rV2U1DLwpAj0k1dhNCWQIys4Ufep4AKxGHjkYUznaA
+A27NxNSaAnc1g4rTteMkiDW+Ao32/J3NikW7sA+tOpklvrQ+jysIGkXjvVjMylsu
+BO80bhrm8JSyWuL1KPTe1nLjECewYm9TuxAyiQTglBaHoJOrfyvd5Tu9gNopIhdR
+WwXb2ajxLAqgqOhtfrV+fcvLIucP5B+dcAixdVnOFk62Vi4kyZLRgkK80JvhtdLu
+xZWiCemmTxaG/6SYvpu3QmYcY7ee8I2hG05chGyCg7Zcnf4CVasMCgfbYgkt6Tzw
+CzVZFEVDBbEjWQeEegQmVRVrfqHbmHm3ge6AyekSfAoHlv6IsRImJZta6QIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4ICAQAlcVI/elokcYZg1N+WEf+9SV3XakivfHFVTf0w
+y9RlJ8HRaYN/Nnreo6RK+ps/RflNJi4+ncQazCzTOIchC2Wiaf0h3HspZ4N78j1y
+rsT6LAm+eakzazl45pqVcJQ8jeTrjqOFerK+tQd9NQbsqkzmnQ2WmpFwDXdwY/T6
+H/TpwGwUTgYK/UW9WqgWCpTNDVfU6tYTD0KrlnnnPu2vtniLD4fJq/3NaESOrMCC
+zNonH1dpIYERyu0l27rRw0zuexSyAAL0fd8OGdtpfeE7RbptCxwVmwz6/klluKOb
+8YV53T4HnwKYtLmD+UMPdWAVzj4TdOSDTuOxQhu+NwjPMYKvMF2phN4v1BpVgUuy
+m4HfuEpfHmHKsNPFJWZ9E28bbUJ39+LtARf3pqUL66V3CAlNodi6tpWqz4b3nPo+
+JznOox/ujntISe1ziNL6lHdGUFn9QaLQiXyIYZLNqheJ2GX4cHnKfzZxp/KqRBRA
+Z/kUtHSAyL/LSJ3fAHxRdGmSiBP37PmDw7i11w9kd4EPK2EkiqZtmiQtDrsOQfh1
+0SeP4DHf3n7VoyGBDfpiC1WFnSafbMG+tOl7QuRX4RCJrVQWjFT73q0MCciryK7Z
+TsUM+yHjDZY33k/kvevptczjWk1dxQ5Napr4ayW4jWvdWV55/lLYmhC8JP6La+1h
+j50djA==
+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/misc/nc_skip_self/root.pem b/src/tests/data/x509/misc/nc_skip_self/root.pem
new file mode 100644
index 000000000..27f99ee35
--- /dev/null
+++ b/src/tests/data/x509/misc/nc_skip_self/root.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBzCCAu+gAwIBAgIUF/jloc5zNYR3gyPGyMfuC4Qf5cEwDQYJKoZIhvcNAQEL
+BQAwMzELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTETMBEGA1UECgwKVGVz
+dFJvb3RDQTAeFw0yMTA1MDQxMDQ2MzhaFw0yMjA1MDQxMDQ2MzhaMDMxCzAJBgNV
+BAYTAkNaMQ8wDQYDVQQHDAZQcmFndWUxEzARBgNVBAoMClRlc3RSb290Q0EwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSmObXNfY3NDTfYwTykRtTaJs9
+tw4qqw6oXQc5FSK7Itwo90i7VjyTa+yVWulRGyqeSGanqvbZeSuF6ZB4tVmTi+gH
+HlxBnT0zamYNdR4Yo5OzhXGyuaXuACTCj5N0OtMTjlOS0qsxTnsD8lgUHY0dUWpq
+e2JsduiS+fXuE6tde0IAH3Rr47gTHPlXsAYl2T48s+3pv9MY5MGSSusakDXqjdLB
+mnfhoOCfbBWm61GNHBfVVFx6MAEAM8r6fTR0OZxynhcocT5yAbrKz72jLtT+savO
+5ehq1vawpsgX3CmS4WmClnVEoOPh80a1F1aAr4bvcK2GmFLiBLIKZpGAiQLZe1QE
+9Y/Q361zmY9ghQOldTFi7ZK3Bx8B/3hBS+1lQFrw+NlOqqkf3RruDfz04SRZYlKx
+HrY1DEBcPDRYPEmA4QyGm079Pi+IoZzj2ZGUAegBPhd3wG9qeDoM9lB7wdCq3C9V
+j4QQIzcfuecGTEbXD4n6r5gMhW+64LVZ2mDHf3sntc1wO/weBqpGYeX6s3pFIEvR
+f1meuMEploIRYcT0wdIVld0p2nJQXZV2pxNcZ9SWns9AFEvdjb8VMQsuSjit6qxP
+pMarNHkl0a3X7QWUwuWQz6hU7aIDCrXzmk9+ZDs8U5lQaSldyBdAsFMtHTX5s7PH
+VDFg/DHzUW2pk1lNvQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4ICAQDIMLGZgY7TC6rY0zV+MXVC873zz03A58Bd6osCBxrCkIn3aG5h
+4OJ5s6+KmvzhXcb5TnPhHQso+ZCKdl4RJ3byzlH1gPhK+fPFIcivL3L/5P9OvdYQ
+CXPK4vs9sH99YRWM6DsaO4GY9gg/g0gv7VSS4J91d6Mo6G1kQWer+h2YyJH2lO1T
+2CnWYEto0KqztSixDrcBzSpAjvsZfzLNQJlp1IOoRTWgNyWGBztV6blEFu309M7U
+05M+HiZQPu5q0/HQjXy2+uwzcasc3+YD6F/fdFuyCVLa8Bh10PG2mSG98j5QaSw2
+J6z+g4Mb0AgzzcjYRTIMt8ghMYyjstVjzK4UqXlL9/T4xKehFZcc/GQ+5xO/XdI1
+zCSe10+crNiuETRPArE2P5NvqHXKkcuSv7iuFmzc+VJC6Lj3t1sMUIKMCLrQYgXT
+HL91GxX3AhWoLqobr9s4y14oP1CG/TqxQMdXqs7NAs+dJYcY9waFPlgMxzrVKcy3
+Z3thAcqBC6xDr8Ctx7uX7zqdNXZQfGnz2wVW/GSDFpvmmqWnwHiqABkEPMvzmNb/
+OCcmRc45PclyhLc/aMudJTsB36e9Tt/UCWe+iDorsizY4u4Fe+4ujlkyQWgYfvUl
+txvJF3BvCIHwTlFAECgg6Je5qu6yWu4T+P4zPhWj1RaYA1i7cuXTXwKKKg==
+-----END CERTIFICATE-----
diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp
index 3adc917d4..727d063d6 100644
--- a/src/tests/test_x509_path.cpp
+++ b/src/tests/test_x509_path.cpp
@@ -640,6 +640,98 @@ std::vector<Test::Result> Validate_Name_Constraint_SAN_Test::run()
BOTAN_REGISTER_TEST("x509", "x509_name_constraint_san", Validate_Name_Constraint_SAN_Test);
+class Validate_Name_Constraint_CaseInsensitive final : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override;
+ };
+
+std::vector<Test::Result> Validate_Name_Constraint_CaseInsensitive::run()
+ {
+ if(Botan::has_filesystem_impl() == false)
+ {
+ return {Test::Result::Note("Path validation",
+ "Skipping due to missing filesystem access")};
+ }
+
+ std::vector<Test::Result> results;
+
+ const std::string root_crt = Test::data_file("/x509/misc/name_constraint_ci/root.pem");
+ const std::string int_crt = Test::data_file("/x509/misc/name_constraint_ci/int.pem");
+ const std::string ee_crt = Test::data_file("/x509/misc/name_constraint_ci/leaf.pem");
+
+ auto validation_time =
+ Botan::calendar_point(2021, 5, 8, 1, 0, 0).to_std_timepoint();
+
+ Botan::X509_Certificate root(root_crt);
+ Botan::X509_Certificate intermediate(int_crt);
+ Botan::X509_Certificate ee_cert(ee_crt);
+
+ Botan::Certificate_Store_In_Memory trusted;
+ trusted.add_certificate(root);
+
+ std::vector<Botan::X509_Certificate> chain = { ee_cert, intermediate };
+
+ Botan::Path_Validation_Restrictions restrictions;
+ Botan::Path_Validation_Result validation_result =
+ Botan::x509_path_validate(chain, restrictions, trusted, "",
+ Botan::Usage_Type::UNSPECIFIED, validation_time);
+
+ Test::Result result("DNS name constraints are case insensitive");
+ result.test_eq("Path validation succeeded",
+ validation_result.successful_validation(), true);
+
+ return {result};
+ }
+
+BOTAN_REGISTER_TEST("x509", "x509_name_constraint_ci", Validate_Name_Constraint_CaseInsensitive);
+
+class Validate_Name_Constraint_NoCheckSelf final : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override;
+ };
+
+std::vector<Test::Result> Validate_Name_Constraint_NoCheckSelf::run()
+ {
+ if(Botan::has_filesystem_impl() == false)
+ {
+ return {Test::Result::Note("Path validation",
+ "Skipping due to missing filesystem access")};
+ }
+
+ std::vector<Test::Result> results;
+
+ const std::string root_crt = Test::data_file("/x509/misc/nc_skip_self/root.pem");
+ const std::string int_crt = Test::data_file("/x509/misc/nc_skip_self/int.pem");
+ const std::string ee_crt = Test::data_file("/x509/misc/nc_skip_self/leaf.pem");
+
+ auto validation_time =
+ Botan::calendar_point(2021, 5, 8, 1, 0, 0).to_std_timepoint();
+
+ Botan::X509_Certificate root(root_crt);
+ Botan::X509_Certificate intermediate(int_crt);
+ Botan::X509_Certificate ee_cert(ee_crt);
+
+ Botan::Certificate_Store_In_Memory trusted;
+ trusted.add_certificate(root);
+
+ std::vector<Botan::X509_Certificate> chain = { ee_cert, intermediate };
+
+ Botan::Path_Validation_Restrictions restrictions;
+ Botan::Path_Validation_Result validation_result =
+ Botan::x509_path_validate(chain, restrictions, trusted, "",
+ Botan::Usage_Type::UNSPECIFIED, validation_time);
+
+ Test::Result result("Name constraints do not apply to the certificate which includes them");
+ result.test_eq("Path validation succeeded",
+ validation_result.successful_validation(), true);
+
+ return {result};
+ }
+
+BOTAN_REGISTER_TEST("x509", "x509_name_constraint_no_check_self", Validate_Name_Constraint_NoCheckSelf);
+
class BSI_Path_Validation_Tests final : public Test
{