From: Bob Beck
Date: Thu, 26 Mar 2026 20:07:06 +0000 (-0600)
Subject: Add a test for a bogus SMTPUTF8 name constraint in a cert.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=945cc69f5448b9da2a0ae8ac1e55efa45a442d12;p=thirdparty%2Fopenssl.git

Add a test for a bogus SMTPUTF8 name constraint in a cert.

We will reject these.

Reviewed-by: Saša Nedvědický
Reviewed-by: Neil Horman
MergeDate: Thu May 7 16:09:48 2026
(Merged from https://github.com/openssl/openssl/pull/30329)
---

diff --git a/test/certs/bad-cert-smtputf8-name-constraints.pem b/test/certs/bad-cert-smtputf8-name-constraints.pem
new file mode 100644
index 00000000000..7eb48f1ec76
--- /dev/null
+++ b/test/certs/bad-cert-smtputf8-name-constraints.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIETjCCAzagAwIBAgIUAfHYT2xCH+Q2ONGkBpeu1yo4uYAwDQYJKoZIhvcNAQEL
+BQAwfzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAkFCMSMwIQYDVQQKDBpIb25lc3Qg
+Qm9icyBUcnVzdCBTZXJ2aWNlczE+MDwGA1UEAww1Qm9ndXMgQ0EgY2VydCB3aXRo
+IEludmFsaWQgU01UUFV0ZjggTmFtZSBDb25zdHJhaW50cy4wIBcNMjYwMzI2MTk0
+MzEwWhgPMjA1MzA4MTAxOTQzMTBaMH8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJB
+QjEjMCEGA1UECgwaSG9uZXN0IEJvYnMgVHJ1c3QgU2VydmljZXMxPjA8BgNVBAMM
+NUJvZ3VzIENBIGNlcnQgd2l0aCBJbnZhbGlkIFNNVFBVdGY4IE5hbWUgQ29uc3Ry
+YWludHMuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Gfh95qTUIgQ
+8bTQJ9XIw4ZKYawQSL3eydsdZwIoqLPub323BlgExxDW/rkHOiYA+btBnBdKWPMc
+WXYcjMMVnHD4/bAwglgtEPSIlPH0GQWITdr9ISZt5BPISt21xzzVxEYwSAnQfIOG
+q3wXv2XO3C4lTnz4YRsRhh7Nbg1n6eLSEldi7EEtIx0cUv7RqiPkRhitpAdlhcN4
+hS2WGDtjmuMXOLLkt5kfme2il3i/f/OvOYHcGev8VEbe9ucAse70RjNtsrIGtHRa
+U5JNILo3GVRi5tIp56zdnnzW+HMdAyHNeB1KPEdMC7YP1FQEz2u58la6dhT2LPJj
+j3y8h1im2QIDAQABo4G/MIG8MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
+BAQDAgGGMB0GA1UdDgQWBBQBGPQWxNM5dhZBl0LVtI8EFHlDvjAfBgNVHSMEGDAW
+gBQBGPQWxNM5dhZBl0LVtI8EFHlDvjBWBgNVHR4BAf8ETDBKoCMwIaAfBggrBgEF
+BQcICaATDBFiZWNrQGxpYnJlc3NsLm9yZ6EjMCGgHwYIKwYBBQUHCAmgEwwRYmVj
+a0BsaWJyZXNzbC5vcmcwDQYJKoZIhvcNAQELBQADggEBAMCHstK2G8xzoG2EscY+
+BQVJ3nOuk33/Q7s9sdXFEyrN0F9a1pWE/pKdqplgZTN6buGXym+iSV4mA3+9/Aty
+BFa3vZoOnN3Td9gWDpIqyUtgEtjrGpAmPLvymalVlHBDsm67rMO+b3hXz9ioGNWT
+ii5JFtcqltTasz7ePXYJxQjBByMOVd/tvb6Nn2QIvr841zOjhC9Bp0OZsWs6qAbw
+Dg/yHnrSZOvPV8c+qKco7zqlGpTZtnTU05dIztoQU6RcBjV9nAUQy6LZp3XtF4/h
+MIMydgmxi52aUY5NFccfBoZdM4m7caEvwACBhpTNtBrdr16L+0SIPHjr4Vat9ruJ
+/8A=
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 51d3f8ffc60..30a637a3e9b 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -30,7 +30,7 @@ sub verify {
 run(app([@args]));
 }
 
-plan tests => 216;
+plan tests => 217;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -473,6 +473,10 @@ ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
 ok(verify("nc-uri-cert", "", ["root-cert"], ["ncca4-cert"], ),
 "Name constraints URI with userinfo");
 
+ok(!verify("bad-cert-smtputf8-name-constraints", "root-cert", ["bad-cert-smtputf8-name-constraints"], [],
+ "-partial_chain", "-attime", "1623060000"),
+ "Name constraints bad othername name constraint");
+
 #Check that we get the expected failure return code
 with({ exit_checker => sub { return shift == 2; } },
 sub {
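Review bot: The added negative test can pass without the SMTPUTF8 name-constraint check ever being reached. In the new `ok(!verify("bad-cert-smtputf8-name-constraints", "root-cert", ...` call the second argument is "root-cert", where the neighbouring calls pass a purpose ("sslserver" or ""), so it presumably ends up as an invalid `-purpose` value (the body of `verify` is outside this hunk); separately, `-attime 1623060000` is June 2021, which appears to predate a fixture added by a commit dated March 2026. Either condition alone would make verification fail, and `!verify` does not distinguish the reason, so a regression that starts accepting these constraints would go unnoticed. Consider `ok(!verify("bad-cert-smtputf8-name-constraints", "", ["bad-cert-smtputf8-name-constraints"], [], "-partial_chain"),` and, where the harness allows it, checking the reported verification error rather than only the exit status. The label would also be easier to find if it named SMTPUTF8 instead of the generic "bad othername name constraint".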