]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
tests: updated name constraints checks to not include a CN
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 26 Aug 2014 12:14:09 +0000 (14:14 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 26 Aug 2014 12:31:29 +0000 (14:31 +0200)
tests/test-chains.h

index fd6956140c1832f9afa017b5a959ffc3338dd91f..0af52f0d9ddafdb65b20cb506b7d29894471c4a6 100644 (file)
 #define MAX_CHAIN 10
 
 static const char *nc_bad1[] = {
+/* DNSname: localhost
+   DNSname: www.example.com */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDiTCCAkGgAwIBAgIMUwS5Fgr3eOV9V76jMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
-"BgNVBAMTBENBLTEwIhgPMjAxNDAyMTkxNDAwNTRaGA85OTk5MTIzMTIzNTk1OVow\n"
-"EzERMA8GA1UEAxMIc2VydmVyLTIwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6\n"
-"AoIBMQDBzpbdv7dod/G5JB6eYBtXrvKVibK+qpOlbfS0arSphkyLKDF0341yXAGF\n"
-"7ia6yZz2udrzfKdcsdFzsDyByBxsneLtiUYn4WLwcaqFuoLy8AR4jOgDiPU95+bf\n"
-"f8iw1BSnNEbFvshWECY3TyceLxA3De+w7cxgiie3Q0aEkuw8dZ4+MSXeXe/je/S7\n"
-"OdFY5dXP7iIiqdDlpnPCB6BTfLeUrWOAT4FWM0ngkMijeMEAbPCbTbFw93DeXd2B\n"
-"eQPQ1+Qx/VLbzte3tMFbMVNcQARfaO7u4hEvFEe+QOttE0VH4FqgQdx775mWJ1Kl\n"
-"eDa+Wf9g9+NhSGMLsJ9dE67bK5CKqC+Z3Ff0QWFAc9wD+yeR4+cCVc1dY/MvaULQ\n"
-"Rn1GQIts5amjHyxJvWavfeVTj7sbAgMBAAGjfTB7MAwGA1UdEwEB/wQCMAAwGgYD\n"
-"VR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n"
-"BBYEFIonB7QoBQsSXVVzggEQYQWf/rjQMB8GA1UdIwQYMBaAFJ+td6XNJkYpP6B/\n"
-"VLp6TDmzEhqnMA0GCSqGSIb3DQEBCwUAA4IBMQB737uD1IwtlMPtjA34mprTcK9N\n"
-"rdtWcM3DPBzO5S3ci3XdCn7q3mPjOr42Gvi+71vDdHGBzA7pnGSiJdShWhBvDUT/\n"
-"cCng+pIGYZUyGlK90PJfOxUmJzt/V2WFZMz+cor238HaBu8rw9d7a5NO6qeCN1C0\n"
-"mAWCKhtNhnvJuGb2hNCAOcJJ+x26Wdh3WBkXIdAQn1zYIxAbgC2RrlQE1YtiqWSh\n"
-"orp5kYSqzLENP/XJFnJ5bTxxJIQvBAgn1ZG7Yewv+J5jiF6qePmapHQFebcmvTK+\n"
-"AFFSBYl2QYhanBa9n7YW3IxxIA8ZApbO1XsViCYOUqvpBIbCAeelInKtcmapetfl\n"
-"b++29Bug798FTrFL9b+KE1qfKRwyp7RRRyJXztuHY1ocio50W3TBrScbim9w\n"
+"MIIDSzCCAjOgAwIBAgIMU/xqxDpxZ3J5cUcrMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+"BgNVBAMTBENBLTEwIhgPMjAxNDA4MjYxMTA4NTJaGA85OTk5MTIzMTIzNTk1OVow\n"
+"EzERMA8GA1UEChMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+"AoIBAQDP3GV/JSLCCmx09hJINJZC8fSUBE1IVbZsY/q00rZOw5KwPioLiMOIup7W\n"
+"na8YJ2ama0GJjU86PlJDhBH6soaY24ZCW5kKhvfnSw2TkpW6umL7psvuBslRoMxA\n"
+"t12MpapZDFZixZjV44Bstuyt9sI1ze3au+5C7E4+z40o/3uvbIiN2iz4bPgwPIMu\n"
+"5V/bVTei6uAcu4fNHh/AGnAUJa201QsUhM4+VRFc0XmanjSulySD3obwERDneqab\n"
+"77gnIP6zwuFXxHgucbmzU8DIgVhes2k4v6AB1nPxlpUL5+E+W4XDg4ckGGkfxgcn\n"
+"dGYvuv3pwIyHvb7Z0A8D6bE435cnAgMBAAGjgZ4wgZswDAYDVR0TAQH/BAIwADAl\n"
+"BgNVHREEHjAcgglsb2NhbGhvc3SCD3d3dy5leGFtcGxlLmNvbTATBgNVHSUEDDAK\n"
+"BggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBS5dbTqiPbhe7Fg\n"
+"e/Bs92qsNgWSzjAfBgNVHSMEGDAWgBSgAJcc9Q5KDpAhkrMORPJSboq3vzANBgkq\n"
+"hkiG9w0BAQsFAAOCAQEAdkVCQQ5mCuV5WTqCeH7AtXxYM7IV7q6O7uqirKwDUzGD\n"
+"wB5shurAPMn9IG46O68P+BPLMfwszFDgszNrjuMsKb7hLT5+pVsd6XRQeimPJ5rN\n"
+"/szMfALLAcw8Yxt+1YbxlgUgybFsiK2zdBpAshU+FzMRvFfq9rnqW/VXM0J6ghz3\n"
+"VqLbviOY5KpCLzfG0yM+CTcKXVFau9QZK962AfXzUwaCymw1cRHzQlpdMQtTtcIp\n"
+"nci6MKXViEdeHbPLcZe9+vzSSpFh5u/l47w+2B1oz7mndFFpxkw37zDaVH5yAFxK\n"
+"+5VijiKxH6nmniLUX8Zsv82YBaO0liNb2fOZopxQGQ==\n"
 "-----END CERTIFICATE-----\n",
+/* Name Constraints (critical): (empty) */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDdTCCAi2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTQwMDU0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTEwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCwgr6+sQUmsLMy\n"
-"YZFM02dZAKR2H/ApcVDN/q+LdWATtNs/WHnLtGGB+BGszc3cvOhf3t8kevPcGpD8\n"
-"oeQLUCvHedZiWJDfIMg5IoI1nDg7AZ3LUckFp+bRuLzmadn+yLY1U0FMT6YcNNW8\n"
-"pNeef6padDZzVmu/9VxXRElfsoTvRixz95xf4s7+zr7ear7lQrol633RPg52XK8C\n"
-"eCZfSNl5oNTLZXMrXoNXMbMx4xqXROB0A5VRUX/gVF1ya/aPiItsRCW8iE8i3+4F\n"
-"B0WaUfXDjT9Ivo5k9IKbkiLtNXdc4Pe87lXSgD7IBS84ZxFCxGItz8JwahwOCOyb\n"
-"E12OKaRx0w9RxwojetAdHhyxClU8CvYdg1zn+zYzYQRg4FPeYkjC5HRrDB3xpiYH\n"
-"/A9jj+mdAgMBAAGjeDB2MA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0eAQH/BAgwBqEE\n"
-"MAKCADAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSfrXelzSZGKT+gf1S6ekw5\n"
-"sxIapzAfBgNVHSMEGDAWgBSOYIy4FnV8n5ISmXZFTnQtp/qC8DANBgkqhkiG9w0B\n"
-"AQsFAAOCATEAEAWy+NlgXYXtAJnbkfiYoKtiJ/fKL5zds2KBM0MIDpgMAupM6Y8E\n"
-"ax8kgOJiZK7HVvJZDJXv/+40ATCwPWkRN4jzPCIhNize1CiDZQGaqYQb6hFVQZcQ\n"
-"O7ICQQnDiSXh4bCGxHFJmgA3rk46iJsAKZT9FVuD5UdnVtgqJq4BziKGl91TA+g4\n"
-"u61nQlCXe/FCFdAce1gqw8r5ipFSOxJ5zJwgAS4PejNv/kFnsnR6T0aVpwd+p67u\n"
-"mErRoAZWx/3ehjQjfPqATK3fetv+3dvN1dHdM7oMndfdd23XrM24Cx51q83CBqr+\n"
-"TglZMAXXTcv+G7Iyljc+1F3WAq2Y1v+zNRHpMRlCRhqAh0cFuo731E/1t1uViolb\n"
-"okHo5ttt4r16eXhQQeIc7gQmFswojpx7FQ==\n"
+"MIIDFTCCAf2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+"MCIYDzIwMTQwODI2MTEwODUyWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+iPUnEs+qmj2U\n"
+"Rz8plNAE/CpeUxUfNNVonluu4DzulsxAJMN78g+Oqx+ggdkECZxHLISkzErMgiuv\n"
+"bG+nr9yxjyHH2YoOAgzgknar5JkOBkKp1bIvyA950ZSygMFEHX1qoaM+F/1/DKjG\n"
+"NmMCNUpR0c4m+K22s72LnrpMLMmCZU0fnqngb1+F+iZE6emhcX5Z5D0QTJTAeiYK\n"
+"ArnO0rpVEvU0o3nwe3dDrT0YyoCYrzCsCOKUa2wFtkOzLZKJbMBRMflL+fBmtj/Q\n"
+"7xUe7ox62ZEqSD7W+Po48/mIuSOhx7u+yToBZ60wKGz9OkQ/JwykkK5ZgI+nPWGT\n"
+"1au1K4V7AgMBAAGjeDB2MA8GA1UdEwEB/wQFMAMBAf8wEgYDVR0eAQH/BAgwBqEE\n"
+"MAKCADAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSgAJcc9Q5KDpAhkrMORPJS\n"
+"boq3vzAfBgNVHSMEGDAWgBQ/lKQpHoyEFz7J+Wn6eT5qxgYQpjANBgkqhkiG9w0B\n"
+"AQsFAAOCAQEAoMeZ0cnHes8bWRHLvrGc6wpwVnxYx2CBF9Xd3k4YMNunwBF9oM+T\n"
+"ZYSMo4k7C1XZ154avBIyiCne3eU7/oHG1nkqY9ndN5LMyL8KFOniETBY3BdKtlGA\n"
+"N+pDiQsrWG6mtqQ+kHFJICnGEDDByGB2eH+oAS+8gNtSfamLuTWYMI6ANjA9OWan\n"
+"rkIA7ta97UiH2flvKRctqvZ0n6Vp3n3aUc53FkAbTnxOCBNCBx/veCgD/r74WbcY\n"
+"jiwh2RE//3D3Oo7zhUlwQEWQSa/7poG5e6bl7oj4JYjpwSmESCYokT83Iqeb9lwO\n"
+"D+dr9zs1tCudW9xz3sUg6IBXhZ4UvegTNg==\n"
 "-----END CERTIFICATE-----\n",
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDQDCCAfigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTQwMDUzWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTAwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCuejonioMDhNat\n"
-"68k+yaeiAF0ohTGwSiHNbXpn0JzfCs8/5PysNDQb+P8wPtuOcYhOCGRXM5ooOzjF\n"
-"4s8hT9uFlI8TOlRw8a22PU3ehTYL8PY98tvftErPw9wndojBZ48sdhA7PeouBjlc\n"
-"J1FSvjw4vB9EImiqwPz9uLNYkWUOcVUXQYb4iNjddbdh5/0vX2X01+L7O/vVcgiD\n"
-"/EnSYsEM/8I4hRUQa7amTTTWPjk4liVBq6TLnAUCumVU2AvkHMkVRMYtvnHPecii\n"
-"IRazQeYSPbBHCvhTOkccM5Osb8OntYxuIoR8l2ZjPgEMRrB6lgHr3uIxZKfn6JRi\n"
-"YVOvPxZPsnWOAm17JuReyTo7kGh15vRvhmhZ7TeWITTDy3CTWvQLSmiSfe12+9F4\n"
-"E4c2v0KLAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUjmCMuBZ1fJ+SEpl2RU50Laf6gvAwDQYJKoZIhvcNAQELBQAD\n"
-"ggExAHS8glOsOKVNI/syYmSpWnaahS6f/Fio5B/VVkQSVNPt9UwF+e6FXIlODiZL\n"
-"lndhuaNqY1OUNiILXBWXxbwuEf6uPdm+nWdu5tlaaJlmyf5cMYx/ChvqUO5RmK8P\n"
-"Dt6oEJBVfkJcqNQQoRYVuTLZvHe+uR87YIHUwBIqAF/2HJAioxpx5BywnLFIeP2A\n"
-"WdzfY+Bh0j6e+gwGpX0sOpOob69G2naqHkhlbTgTboxT4qT22wzS+pvFDfXMxsZN\n"
-"FvBLMRoCrg36Gqnt8Gt9srHg0iVvtM3OYBCwk+eMPfu1sA6wHfVQTP4DqY9nkHSi\n"
-"VCJXNpWIcxuJbJYUiQdobJQc3EnXoI93atVsizbFIymMDh6pV+xBo3IGV/HfaJoi\n"
-"yhagfeusFmAjySf3RCuF8eUsCFA=\n"
-"-----END CERTIFICATE-----\n",
+"MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+"MCIYDzIwMTQwODI2MTEwODUyWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2cd2vlg/9nuzi\n"
+"6S6/qyJRnaUoFutajTwGqfQKZpbqXI7TcFZwKidzAZlZiU+sAvkY8d/9cadlbrde\n"
+"S9HGv31QmexWjgWAMGNpeyiPlXIN8xGzIbZRM3FCih0bnIyibdwgAuU14dUrChGD\n"
+"sQ4SAmRUpThkB8anvC10PIsxfnifBwJI6dGQZb1KOxVOIWg7Gb5tNFkZILBGv8wk\n"
+"cbycIBYC3lRX8svUj9mMiro53f+4ZGbi4DcSLIdw4ebAczfBd+uHM2jkHFZUNuAY\n"
+"7rGZAAuqEh5IE0QHS9CV6mg6Pf9+sLGMBZUbix2sxRntAEyz8+kO7W2zgmKPla4+\n"
+"y54cIUmBAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQUP5SkKR6MhBc+yflp+nk+asYGEKYwDQYJKoZIhvcNAQELBQAD\n"
+"ggEBAC4N4dUoGDTGf93DtjEcZzqGoAd6TsCYy6k5zeYMZFwogfArg0IMurcFDLeN\n"
+"PXe3xl9RiUjbiZMaHWju81kIO34z0NLd705XR9QFEc+xiuZOMmm4SxciAF5xo+Hh\n"
+"Fhc9cVa8Icm2ju86Q4yhJziYrElH8VwHTBE0k+RE1cK65F5PQFGGBlpGm9EMcYTv\n"
+"EQQATPLuWwKRAFNJBx2t3DAeMseo/Iq6Snd/UfdqgLkV61YtbzqL8bu+a8rgMAYz\n"
+"ovgORsI48TlbU4H7YI+vzPO33tRV2m4dOxppMHzv8Ie2LIIfqYn0HRd87c06djEA\n"
+"EpXfXGqxjX5vAtNPO5fGGzghol4=\n"
+"-----END CERTIFICATE-----",
 NULL
 };
 
 static const char *nc_bad2[] = {
+/* DNSname: www.example.com */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDKTCCAhGgAwIBAgIMUwSneRSvmvAA3BCjMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
-"BgNVBAMTBENBLTMwIhgPMjAxNDAyMTkxMjQ1NDVaGA85OTk5MTIzMTIzNTk1OVow\n"
-"EzERMA8GA1UEAxMIc2VydmVyLTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
-"AoIBAQDgdtv7PLH1jsU7rhvPnIMEAvbC+7RWZcsI9qMVCP+UuiZ8tD/u8swrWGeW\n"
-"3Dkbbhohw2dUJzUnCZ1uurb75qmzQvi23UC7j5d1NF0cei1u0P/yVgVauhBVBIy3\n"
-"lJmr/sa7LYmuREln8XKOILnBdRGsVMhxzd0moyCxgPw5AkakEmUSSPFl5MuuoQM0\n"
-"ESNIY2HX361nYSLrzbvH2XjpkXikBsd69OYXT2mQIVTlKJnGWbs1WIQnlxCXRF2x\n"
-"dyrKC1yspa/V2zepAm6krwsYa350+askAtY8e3+cnawVcZ//c1Tv7Q/53WbMNdbi\n"
-"k7XsiRekXJXEhoIygm2cL8TSzmr5AgMBAAGjfTB7MAwGA1UdEwEB/wQCMAAwGgYD\n"
-"VR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n"
-"BBYEFFa85QCBsDo1OuhFL+X6CVVIeh3SMB8GA1UdIwQYMBaAFOfSQZTbK8EYUHmu\n"
-"R372CIe1Bs5vMA0GCSqGSIb3DQEBCwUAA4IBAQABrWwW1PL1KpknTrUxHqXsSdsz\n"
-"+Q8zOf/rl5m72DM/bp/Qk0bgU5qEK3OZorPLTN/r9pNqKj/boc9yadkmcsr0xvLZ\n"
-"cIGwkwQ8dP9KazUUhBPboiTlXC7qGJU/HZ+9G/9MBHy/XVgkWX5OUH2mEIZS7I6E\n"
-"aae2s+vAwYX4Y28L63WJHIyTMO6IavyBWBtFiKCZr5zNN39OhVYe/wRTMrhq7bxR\n"
-"llaf9ys13p+ZPcQW2wzOLf42AhTr9A1p4SG2R0CRuaiOQvCWtGcW8JFcU+7LSlZQ\n"
-"V4bP/+DffjugqGGQQptvaVsNRXv41f4Mdoy7wZYat/FqHBgtZrHXwjTl17yD\n"
+"MIIDQDCCAiigAwIBAgIMU/x5DBI1pGSO2eYZMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+"BgNVBAMTBENBLTMwIhgPMjAxNDA4MjYxMjA5NDhaGA85OTk5MTIzMTIzNTk1OVow\n"
+"EzERMA8GA1UEChMIc2VydmVyLTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+"AoIBAQDL/hbj+RVDQ5sA4VR2FZ+P+/jju7jkUFUovwhCrWpGXFs0WDokcOkcXc3f\n"
+"0yturFWazVEKaaZECiDpGf6iXmNoJA6fPT+G0gPlIL6wh4wKQG+vwVYsX5ZkXOMR\n"
+"sl7BqCpeCChkth54mClEwOYW3WohdXqiJfxoFVdgnisbqkxYtz9aXzYE71cZIFAx\n"
+"nL7V/gY+G/m0iZCdfh7YEDlT+qtLkGyHsyyTxwUH4yyqcsFl4WWG6wAdKF5U69yw\n"
+"uo61J5wpE+yDyS0u4Cjw67d29OIHsT7GAq+fP69vMoEHPvPUM/aA68AycybV2OYt\n"
+"8OJAyZqf/6zvnlrbLuk08kWf1TD3AgMBAAGjgZMwgZAwDAYDVR0TAQH/BAIwADAa\n"
+"BgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wEwYDVR0lBAwwCgYIKwYBBQUHAwEw\n"
+"DwYDVR0PAQH/BAUDAwegADAdBgNVHQ4EFgQUz+XUeM8bwvK3BD7NVRRYSeZSlA0w\n"
+"HwYDVR0jBBgwFoAU/n2NeCCnwHQwFpKwi42A3H+w9W8wDQYJKoZIhvcNAQELBQAD\n"
+"ggEBAPJZO19PhmxQ1ZRDLQWZWxuQgD2Wwy8sS+wnlUo/TZM7+pT5ICjLdEKgETPd\n"
+"HOqgAMQFaUpp5vx1jUBmmKdPOmwEnV/2zbw3GrYwAQjxunXD66iHjYbodl9zBumM\n"
+"NXDGsHnKYNu9sPdQSMLC7OEOrKvEhH2afOvYDORQbSGXh7+3js7Mzggy0NoYtxnK\n"
+"4wqt6g73SFkV82mTQpUBK218ROjuWVBUmWxq2JU+qvsAKbhz+Tjr9+kmFcNBRgmA\n"
+"Zga26uoQhd6YP9DKbCvf3sK4bi6A5NROeLf9BzJHWkGani4F9wOjRmLVnLlB3BPi\n"
+"tHZaLDU9fUnf6I6p3nu6LPTH3JU=\n"
 "-----END CERTIFICATE-----\n",
+/* Name Constraints (critical):
+   Permitted: DNSname: example.com */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0y\n"
-"MCIYDzIwMTQwMjE5MTI0NTQ0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdt0ClpQDZ55Jn\n"
-"q1F6mEg2fXssdYDXeuTW2KbU6T4w8z5Ql0qRHPiKpJgnSLGOgGWQo1wcSJY7MjpG\n"
-"VA8GvWSYaYR6pccFnNdll/VkTruy4CHFZgXU9sEMp+w6YPLu5KbkpOAI9EDO6yZr\n"
-"aOiiCCVS1PKAFrpIU2Kq3cszmwamk3PgXnyfBLC09dBQ6ov3gSXtiuGkx0i0TeN4\n"
-"YcWXhigDu20fvuWQxwvBVhvlDPqddu5qcWRRgyeXIT8R+ZO2+Et89RI6TqFPV+U8\n"
-"8tzFEQkwPoGKAIupnFBmE68nR8DFdtDSXK4No9xZZtdiGHEOPQlGDOtodRDO7ZU8\n"
-"AUg7KduvAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
-"oQ8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQU59JB\n"
-"lNsrwRhQea5HfvYIh7UGzm8wHwYDVR0jBBgwFoAUQypdhNSFXwuHeMlFONBWC797\n"
-"XwswDQYJKoZIhvcNAQELBQADggEBAIJwTFDAZ/ru9DbaAo++2RJU3sykynrdN4D7\n"
-"NP7HqAZc/O+wXjG3rhPz/j4ADjMo/jjPZGvWvC5gtQMB0WTcWR8R7n7kPIb3l9Ac\n"
-"OSkjKFZbRiTDFeTklraMc5SBEMwU8DCvoHVfWqIAeAsx9BGkXot6KbLQFYSaL2Mb\n"
-"+3OuqEKcBPECimMp1rY3acgs+xYkFlNMTsq2PTzfRysDPAfpv6RAD2vuQ1nFQURB\n"
-"vXMmw9be5svlBv5j0kIiEYCgB1kO+HzNSje9F3xxrTvc+IzhRYn23yHHYflX8pWp\n"
-"lic0qllEYK+abjatj25c9n1w5keBdiVYlSxr6F9NVwpYZTmxM5g=\n"
+"MCIYDzIwMTQwODI2MTIwOTQ4WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD6kCE6KmDCkagX\n"
+"fvq0rx73h7zn23phJYBmugfp5fPQYIJ1463dGmlFK4Lfkz2V4StgM2mbFFEkcyVC\n"
+"pz+PyeSDgyWJJ/RwG690lLfu5JfNLvwxj/rFNK6rS7EpADew6RgURCpEMt6z1uEk\n"
+"+IQsxKoXQmAcdtc/ubPFWInotg7Avoid0sG69s/+hq/nlGE9A8JMFnsLh/n01d+F\n"
+"9dWsjrNiZ+mfTE8w0MVTq4+8mvmPmnjKsiu0rgqaVTmYpZW5chz9gGrZCr/Wr5CL\n"
+"zPsAYaWie+wo8cR5qMEoX+JPHqM8eP9K1v+uYc03aD3u1/QYdxY73OLn31+jYAqq\n"
+"tRJjgSERAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
+"oA8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQU/n2N\n"
+"eCCnwHQwFpKwi42A3H+w9W8wHwYDVR0jBBgwFoAUJ2ngSf1CqeYVG3eUNcH7Lt6/\n"
+"ECUwDQYJKoZIhvcNAQELBQADggEBAIQruSBUyQ268Js61XT3nlr1Y9HxmKA2DIuM\n"
+"WcAicE1XIpuxDpZ/VmKH0/o2JVR1A7uwSMEnHdShHixMbpYrHRDnZITxs2lsJijE\n"
+"r7YdqadH7EbjDIXv1DJcPnNaeqFPbyXEWqLYoQf6UPBLVRWeKISPN0hMaIZv4Y/X\n"
+"OcBceajAr0XGxASRFDky26M01AVPZoYjgT7vLp835yk9BY5+q0GxlSJl6HbQ5ESA\n"
+"IoC3Limt72niobmvEryQDq7qUUoR7hB1SMKfyX/qktxT3UCBLKXHsp80ECJ2A7Sd\n"
+"YrHjFE6LnWHwGJFYZ1eYKiOjglVRGv3+bNX07bQBWKzRbLWYM+0=\n"
 "-----END CERTIFICATE-----\n",
+/* Name Constraints (critical):
+   Excluded: DNSname: example.com */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDIjCCAgqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0x\n"
-"MCIYDzIwMTQwMjE5MTI0NTQ0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGE+FahQcoLS3M\n"
-"obarta3FoLhnWZIHQmbVMqK+a7DNYDchv6DZs6yPokidgDcL0LsWa0MFLRw9qEsQ\n"
-"fK8eTbck3sXT9PUePnJfeccaRICf8HirRLSoug5w+pqWCQupkLbVNBTgf+Sj2cI6\n"
-"jBprmbrPGeilIIRVkZlQJztkTy0FaXuXsIqWxhaPYZrVsAQpD2S/b/ED7riOFbst\n"
-"rDfR+9ZKLwDAXM0YZwMe2mKiwMrEuGRAVtlxyrUON6+JQbWh7fLUZvminA0LGDsq\n"
-"jWTpvJn5FCZdlIn9aYr8gzunR14vHrffskxqA2SZcKaIxpM5FJrWpY6aT7vZn85C\n"
-"5GDSTqLFAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
-"oA8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUQypd\n"
-"hNSFXwuHeMlFONBWC797XwswHwYDVR0jBBgwFoAUZ+qKfar2spXn7Kf7vYBxQXTR\n"
-"jvwwDQYJKoZIhvcNAQELBQADggEBAKFn26+aT+yius8A6UWKvX5ufkDUH3X6dUi5\n"
-"gUc6tesLvzehwW5Q5kAp+3EA6j8yeLe6PIll9LdY2ry8JrUgPu+ApUCrJ/V0MFPi\n"
-"Tg21FJXpP8+Z9wBhqItXDpRHrXY1ne6MTM3OoJkfaky4kp2gQjQ8CIo3xqk4htc7\n"
-"1p0eSzBpu1a+mlMiwUsnFBCfqTiafmQwaDZOp8Cl8aTilugMCA998di35CC6D5eM\n"
-"k4XITMbyob2+Piy1o/2GNSPtAmIncc/yZ0sTpdqQLzKZn9GojArReu3+dQtTP4XU\n"
-"n3bhMgusV4mkBfIPZPdqkfEw4hCP9teEFd++xrR9iJA20ev+caE=\n"
+"MCIYDzIwMTQwODI2MTIwOTQ4WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUbGpRRMdnTzbG\n"
+"R7J9qYJoHOhgRp3lEa9sBP7/pNNIsEhXmvzBu5J0buJpAfRPmWcoZauKsVrKnE69\n"
+"CFlTDVCIahQ5gtJkGdjrDrQDFFCMnKC04Lhq+EmbASBTn5GRQwJqEUi9xRpj0yOL\n"
+"0XGlMp4JS44eAL4giywzPtOAZaJlr4kdOnSPK2SHFVwQGfQiNmzD5ajmsjM3k4o3\n"
+"R2gXAsudyasQzRAjFyeo2ry7klPUPS5RHJ6B2n87e9kLGrYb8+O9I9FNc/w4J49W\n"
+"AovVr5vcs9Km25jLUn43KDprDhpXddEraz6WyZJRMTZVRRUizET3gmojZFFD4zOQ\n"
+"mneVYerpAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
+"oQ8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUJ2ng\n"
+"Sf1CqeYVG3eUNcH7Lt6/ECUwHwYDVR0jBBgwFoAUyFGHFFLCWYOQTLmh8jJpGyxS\n"
+"bSUwDQYJKoZIhvcNAQELBQADggEBALGFCZXC1KPBBPMtLJNfhNBtBBC4i5q+1Qeo\n"
+"aJL7dKVuBn79WAuND8rvJvrPKpGTmyxkcnqRXSBVH3c+Xi+v5ykLrtHJ2x4TOrmg\n"
+"RBAaBqDuecQ9Ec0dCc5ODKwjdI/wEOGAS4sfrMXzQCv+UJqi2lE0fo/xDmS/azCc\n"
+"WUjFSQOuWnCJIIAIyWlF2bPtdtiaydHKkTcG7c/zwrxRaWE2Q2G+dm+itpJ7sCtx\n"
+"ZFfGMLUl7mDadhiYrxq1SnwrObMwbngPNZyUBi2G7jnXlyFc9X/w6fVIULLxN+bn\n"
+"IzHWcRrBZ/ShdvCStmgbTlKNtvg0LWAk7QWzy2ibaXS5jp2r+Fc=\n"
 "-----END CERTIFICATE-----\n",
+/* Name Constraints (critical):
+   Excluded: DNSname: example.net
+   Excluded: DNSname: example.org */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTI0NTQzWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjC55IwBZ2SIxD\n"
-"hNDjd/c/Ex6upabwLuocu3g5LW6fNhZP7fW4ZZ8eGripXUsQ0xkT4QkqST98vIzh\n"
-"B0U3OOAJVyfHP2bQNkA2iewZRavo+O4YlTT7aDnSkGpx+2tEsKxvQAPB41TjjcaC\n"
-"SlxTQj/Iij3xus9temIiJbbDuW1g694qtlQZmMElkfvLaRw9P4qqPtIn1S19tWnZ\n"
-"TH2IJF6MB8iJghyIJsZ4mRXywIf3B3vXgmSAj7uBQBPnDaUXULC5HtZ+EC+Gi4Wx\n"
-"JHr28fUUDvj+smSUydD8rvIJnH7V8b3BwX0HzvxjCY8bJeUcv9Px7P+98aNPZFXT\n"
-"MRb0vjEnAgMBAAGjgZMwgZAwDwYDVR0TAQH/BAUwAwEB/zAsBgNVHR4BAf8EIjAg\n"
+"MCIYDzIwMTQwODI2MTIwOTQ3WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsnSNH0g4bvAXx\n"
+"zJAfs+XFWpNIpJtD/1H3Ei0ezfH5Ug7GNpHKlYKLCIShqCFj9WSwzSyKNGCHafdt\n"
+"PPhKo9uAo2bSaBZjmzxfqSOGDEXZ+4LlRgSPX2Arc0i97ZsPf0nkWLfrxlTOAQIm\n"
+"DxDNrWlGrCl1dfPiB+EyMzo+++MCdTGEsdEdRFm85QNjOOTiaTeUpUh5G27+hbuk\n"
+"PaRlZ1GHJYlrLHK/2qw9/Mw+gNnfn/Efw+lNeYuQ3tco8IAMN0jB8x1hDfOxTx93\n"
+"mrFzAdGTfsYZc31YapATk2re8IJGeKSCY4XP2HvYZEE1fYdw8ZcqZ/Gv1RdXyxvc\n"
+"6oT5r/PNAgMBAAGjgZMwgZAwDwYDVR0TAQH/BAUwAwEB/zAsBgNVHR4BAf8EIjAg\n"
 "oR4wDYILZXhhbXBsZS5uZXQwDYILZXhhbXBsZS5vcmcwDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUZ+qKfar2spXn7Kf7vYBxQXTRjvwwHwYDVR0jBBgwFoAUugqZ\n"
-"Ywh0FVP0vSv6j/AVcrNERRcwDQYJKoZIhvcNAQELBQADggEBAGKTyzBjwcnnYemJ\n"
-"Hc/W6dvnPTeQgLhBSVHlVbC00OPLduPo+SJXdct6h9Qmh5k8beX4pPW8luC/MwJL\n"
-"1gE34RorZdiEGai0VfB1gZEc0b3tIYmSzElBIJ8eCXu52s09Mrzf++D+uAZkOjdv\n"
-"OHk/qbHNFmQ4dnM0xBMigz+OgeMuCd3GekHhXhI5IP8Qp7L+mfrt9f3xG0wb+kEl\n"
-"echr2S2BCsNXJdlTnCM4yseBTezvBZ1fZzJrY7sL/SQKG/qBOwzNr0f8ZEBabCHp\n"
-"MxvDCac6xF+MjLYjgL46J07778SS9pMbTsSkPUR24RVPefhvq2ZfatB677LEuLi/\n"
-"O6Wgw5U=\n"
+"ADAdBgNVHQ4EFgQUyFGHFFLCWYOQTLmh8jJpGyxSbSUwHwYDVR0jBBgwFoAUTBVq\n"
+"WCSLkLZte75Q9bgKeM851qowDQYJKoZIhvcNAQELBQADggEBAGKVEQfAzrWj8wmQ\n"
+"l4sm+i/pgK0I07jNMvgUDsvAmjlkndWxoX1ROe0Nd2I3d5te0+G9MR6CTOByr8VE\n"
+"NLyXEsrk++BsfLk/0UNFHwq97QLTzzyEXQYQnDza8R1jdlr7XpGZOoWczi08yMAk\n"
+"UiJyq2xaqerTlIYp01T9a3Nb5tWFyUVekJeyJQakj2VLaKkl4hCfK3h/HFBNJ3yf\n"
+"AvBu77wQeh6n8osNDCpW9e1KRAGisDCFrTMUlyxQIK/OXhjLzu7qDKShdNnfNRmc\n"
+"H4W9ODLIm8AX1S0udg9OebPhNWfM2bDFzI/dIX+yHp6q0oepbT11rKG8G+5M25uU\n"
+"AUhTFC4=\n"
 "-----END CERTIFICATE-----\n",
 "-----BEGIN CERTIFICATE-----\n"
 "MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTI0NTQzWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqxhEkeOnCDeFO\n"
-"YVDGaKLLMld5jjcBTM5e5l76tD4JoZidOg6hz2h9T6eLTXEcNW+x9kCThjTHF39i\n"
-"CE3w5yCiRJHDETD8RRIgKlt6AOSmpNhDLUb0C/0FxSQkCITYcoyrHYdDN+jcroCC\n"
-"hDnOt0hPoaJYAZRAXI582GJ57UZl4o/Yk88333Z+4m8+jKNHIrmaMkxnI9u5pULR\n"
-"S9M13YZNEEUKP0qmy/3E++0qXlHXtZfrkRsr1F3GtY1zabfJmUspwHLTrcfnuwKN\n"
-"i2NCA+eHaEKbDS4cmWtSR8vpXWpUmJ/MSGGh1QFTSnTKc2/J66FxspXQauqon38x\n"
-"1j0/6ktTAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUugqZYwh0FVP0vSv6j/AVcrNERRcwDQYJKoZIhvcNAQELBQAD\n"
-"ggEBAFRd7pezulfpZ0MjWxHa6ex7ZB/7azvJ9Guzl5rPoRw8dGXIX+61GZ59inj3\n"
-"00dZy2i8EZzsceihBQeCAxa95hkZsW+LnnqjylIczrj94elkRZI7+rKtQXDmhvQM\n"
-"VnSXgY0zLZ4e6ykZuW9JpltznlMZ980WcXlqEtAnVUCyVuW9gjO/nPnvAeZrGB51\n"
-"bLTu6yisTIGTl0YcYi0GbYiFQwB0FsKiVONu3jcdrxs6J9ER6+l53q6OymgqmR29\n"
-"UPRDV/0PawPjFKisFO06AEttjuAMBHp8oVgCmqKy5vAxPNXSBk7Cj2SgqBOcUDBQ\n"
-"38485vMMQIMGetTHVODGUrx88+M=\n"
+"MCIYDzIwMTQwODI2MTIwOTQ3WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZSS6SaBALkN4W\n"
+"Tao6pqaDmi1edtBskNHdO/lYomElQtIkw6wQHlJjIdjF3vnhEWU9+HOIZrWKth4X\n"
+"u+naDZquOb4GWPq/X6/KBoQ4hq/XZJaFEDPeciNcVeylWVlHi1OeGm8uHZxAK/6d\n"
+"wpGoe/0K+QaLFdbm/srw1LGvCwbLwNDKePX9TgOfVKdZtGZUdDDo6TXUmhNG+QeP\n"
+"7Fv1n2PjQFkXiRwVLgJj06DvR+ft81x2gjEVS+vxWg0+cbJvBI2ItpNGnIWvbwl7\n"
+"BTyNRjvsi7ljFn+SfaRBLXE4aygQFQ9UCHNNYtkBO73BXv/SgcFXzSDDN5ZMfpg9\n"
+"SSWkEApFAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQUTBVqWCSLkLZte75Q9bgKeM851qowDQYJKoZIhvcNAQELBQAD\n"
+"ggEBAH3bezfaVpnyqZRJsZ8sHAIpJWa03mHl/mqRpT0qg45Agzwo7yb5dubiHUBJ\n"
+"BK/kAMhICjHAH+6E5XubGVSFvbzBX1FeKQQgzghN4niosOCLZPUtl8gJGZlsOoCy\n"
+"6HldkxXa26GBZR0NvJb/p83VA7w5Zlp5j7Rp2VkWwRniaPex39dogDX3IwnoZKzL\n"
+"ogyeNQPG2qLDBdZRAVng0eJK1Ml5PHxoEkcFwFsxd4B1cJV0VCMk7X7oEc9qBtUB\n"
+"Ye/bst72puWDK1lBhT6EFhDDbY9xKm7pvUkGx80gWm9JZ0xGCaoM4tyEAaCd9tYZ\n"
+"JFvnIEGJGeGjlRLJZGS4mZ/Q5mI=\n"
 "-----END CERTIFICATE-----\n",
 NULL
 };
 
-static const char *nc_good[] = {
+static const char *nc_bad3[] = {
+/* CN=www.example.com */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDKTCCAhGgAwIBAgIMUwSn0zQhAl6M9tcWMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
-"BgNVBAMTBENBLTMwIhgPMjAxNDAyMTkxMjQ3MTVaGA85OTk5MTIzMTIzNTk1OVow\n"
-"EzERMA8GA1UEAxMIc2VydmVyLTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
-"AoIBAQCuh+z1GAGt/hg+PaqXWPT+7uTzm3H3OoeEXqc6C5lVq3hxJ/FXhBmdeAuU\n"
-"CL8TAeFWl0axBx/JW+5PUpAsi34fWg6ntCnu3Nf/vuK47Mikno9jkOZtSYtzl7eE\n"
-"b/Wawj+GYigo4anUNmyOMhmNZtciOScxV3XozKsAGA9a9jRwmIoTVsRPx8XPiGRY\n"
-"jqKf0FgjW2dQ6unE/l5NPMftk6rgI/AqgtEmwZDnJVjSSjssomSzj8fcqLexzxpX\n"
-"panz3YW+1VK4FvHxc3d5wOxTGh7YvS1c60hME9VafF5PITNjQR2Xw7ckD3sNeX79\n"
-"Fw9cMLdqHOH/OM7YKhG7Z0rCEOttAgMBAAGjfTB7MAwGA1UdEwEB/wQCMAAwGgYD\n"
-"VR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n"
-"BBYEFN8ZiOy1DE22b9ntdV9FTfGv24P+MB8GA1UdIwQYMBaAFFvNPTPRA3lbnpz0\n"
-"LNWkX6XWr6HDMA0GCSqGSIb3DQEBCwUAA4IBAQAn5jt+vV+/AaEqBuYq3kulLzkO\n"
-"EdjMWFDoc/kOIWFtxek61gNo9UaddIwK3YCO5rF/9UwXnoz5FihUoTkUPwn5rcmD\n"
-"IbGiS1KbqwwkGPBa+LevFuXUha1v/6pOo5tmHJnSBHesqw6WgAc/l12PSQOt4m69\n"
-"z3C+td1ZZqDaJXo6ZCJdupLashJzPtN/swMHDA4tDwhMSacrIjuXqPuPouhM1h4+\n"
-"6QN2E6W8S3UALFbQoCiUEtuXhzTT6WeyPr/vc0Ic+PIgAoYjFuTjBOhH7zixktLI\n"
-"snqmVIkaL15fr0UNfc1BKbDhgMk11Ggg+HvASxIWsxTKMyay/wRaUBpQGoCj\n"
+"MIIDPDCCAiSgAwIBAgIMU/xvqR+qZTQTaWIIMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+"BgNVBAMTBENBLTEwIhgPMjAxNDA4MjYxMTI5NDVaGA85OTk5MTIzMTIzNTk1OVow\n"
+"LTEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tMREwDwYDVQQKEwhzZXJ2ZXItMjCC\n"
+"ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ46qo4PFrBfYlQXSgtbk/rO\n"
+"0aO8/Gh/bIh4c/JX0RfqC55bnfbkO9SwwR+eU76INyVb1exmd7qsl4R2EgS8V3Gf\n"
+"3K5k4tNecMfxT98MWiuSSp8Q8+affUF5t9TSLujL1dckMlPfH9hdxCYhJGH51mkf\n"
+"wr3oEmwNXsA9OQ8oxq2i8WxQTJGUXkwx/k2L2NRF3L8vjRnXRfKSISkkDXeKYMvo\n"
+"V5ElQwlKo0sonttUIGOVav8Cf4GnFQzSJW+RfANTniGIq16jE+flKz1kQYRLLoeA\n"
+"fgH/1vI1v5xqMURNW/BQlawAE0HGj4MAyfebhsWmhqmcNqGBf1OfHMNdB1vamGkC\n"
+"AwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNV\n"
+"HQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRiCra2BJERmr2/+Klot32criLTbTAfBgNV\n"
+"HSMEGDAWgBToCEW507CZ42L/fn7H+DLcx+zW/DANBgkqhkiG9w0BAQsFAAOCAQEA\n"
+"fsG45/VuJzw5DRbrE6o67T3EgFfPCzr+xc0JmTJSCHvWIx+2O1VspmJiArNTwQ5O\n"
+"l8Hq2Sag9Wi0cyRC8lVKPbC7Im2fZ4m4endOhiEmaOHBCru5bIFRwDvtG3u+yEYI\n"
+"rzRU+6PdwmLYwc+ks8qEqACw772nElJxOWXmYEMtFpYh8eujfzjmUGIJyTotrm72\n"
+"WX8phKA/xogZaSLD21t8u77PE/JEcJ2LXAa9dq6pGYru1vyuRqq8ZeWiVAAqD6hZ\n"
+"cglKk8dLi6esywQMGEGqhRx9y1A0mPZO+M599GOgWTbShUB3pUyaLLLLnD9Dciwq\n"
+"4E4iP9rdfgStOfz12BsKOw==\n"
 "-----END CERTIFICATE-----\n",
+/* Name Constraints (critical):
+   Excluded: DNSname: example.com */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDIjCCAgqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0y\n"
-"MCIYDzIwMTQwMjE5MTI0NzE1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDwB+ra5HyuxFIq\n"
-"C61gqNqmK5ooY7juclsAfhZ5AmdALJHibpVIU89lEhHSJByh+hgAYvG47uRoGZoe\n"
-"R7OWWqKovSi6qPgRZJ+6esIwijnSk+YzBSkCsK6WWEpyMkQ5kSLy0+UioAScI1Kl\n"
-"LoUWCKE/vvXb0FKH4929w13ufLTfgnSqfOmgR2c4zYqhSJBfKWETLc0lkpvGIlt3\n"
-"84Wlr2xdpHeASQt0N7+LvziruzBmdSaHfgO91FxtSUGS2RE2s8xSDhFBmNjjygEz\n"
-"62oUYHjyztwlIeGqKjuf2DD4/nQGMrJxLhrrHICGlmVq2yeSoriZpR6lvtQAg45E\n"
-"qaZFyIgNAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
-"oA8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUW809\n"
-"M9EDeVuenPQs1aRfpdavocMwHwYDVR0jBBgwFoAUYa0SPy1Augq0D4z9KkxXSwGd\n"
-"aLAwDQYJKoZIhvcNAQELBQADggEBAFrEJlcXOiV8/XdpYbX0v1d2VWzROTgDrHoG\n"
-"CQ7QcQke5iM85J6kBcidHPE2Joa6N7a+K3rZy6NeODoCi19k5upBGYdPmqAy3RyM\n"
-"4Loh4f8GGMDXWR2e9iNu1CoF0UEh6mYslWNELvbCKBNZMbC7i1fS5LnEVydsT3X6\n"
-"CHpGSPvE/ouDyzNQZrb8CZFFn+t6Oa1tCLiCHHAjcHlbxJbMd9cmUAxranGGBfCZ\n"
-"UuIMHmxXRzcMEmiIU+1GsE3aEUdMKCN158QhoKRSsdG0wGWAo+3KK3N5ID0ASufa\n"
-"lj9Lx0zGnBoNWwSfzspyZ9c/e5jizSRnkETKERGfQNG9Zm9/CTQ=\n"
+"MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+"MCIYDzIwMTQwODI2MTEyOTQ1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW2Z64Ax+MNj1j\n"
+"2QM9hjP4ybs+mz51vfDAlDVVdh2bzJOHyjTIlzI71QloH9aPuv5d92tTxe7/7afY\n"
+"fWC61AF0WKj7x8h570IW0Zye4ITEnDLlqk5Bn46IP9fWDq5xYVEGMaYT4l409Fyw\n"
+"JUZjfXqMefAXhj55wZoz+WMM0AB5LABlojLkV+iPMVJgfYWhcVijd92Yebp8R2/+\n"
+"z1nF0vQtV01tatWTEiJajPRHZCwVe71rXEf02nYiqCw5RwLZrsug5LZ+K8LoBbeE\n"
+"ezcJT5y8uf4mpTmTj2Po7Kby22yl1wkVV925a2Of7ufDL3d56SIM1foNXAAmlFar\n"
+"M5Y9hIZLAgMBAAGjgYQwgYEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzAR\n"
+"oQ8wDYILZXhhbXBsZS5jb20wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQU6AhF\n"
+"udOwmeNi/35+x/gy3Mfs1vwwHwYDVR0jBBgwFoAUWU1t/YrnYJGhEfuoDj42A4ui\n"
+"j0gwDQYJKoZIhvcNAQELBQADggEBAMj2jjHmYLWxGMkLOIQ/MGtvchZ+v6vmEl7m\n"
+"GaoHkz0sxFeJqs7mwcybvwG4tlHB/PhaLTH4HfN6PLNbRA4oamr3gFsEtd/JRihw\n"
+"X/5CvdJdu/d7uN36yrD5ZTJmt5v1sAXqzkVYXHUSQLOLTIVfwQfUv8IrxTWgbhNI\n"
+"mIi55bjCyOWYzZsZ5kTDNFcBkoYiMks2fVuUdP8xrxoweedVswUdkwg1TyWLikG3\n"
+"47VuQP3eA7+zEkFUeywG89DTOpDURAlvBzaVTjKn++3RgH/A4Wa+MX6HTHXjxBIU\n"
+"1uGcMjhPjc99F81RaYdIlFsQiQ74b5RwdSvGo0e67ssgar0XKgw=\n"
+"-----END CERTIFICATE-----\n",
+"-----BEGIN CERTIFICATE-----\n"
+"MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+"MCIYDzIwMTQwODI2MTEyOTQ1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYTAYDM0lZ+RMg\n"
+"M1M3q4n6H/VebQ1CG1ztkinGzj7eH+fNyi9Wq5EqB/0S7jVPEuD0o5jBrwI6XFoS\n"
+"MQiWtqWHGh47qijX8y/oc75Sn/2b1gGF3zDWM9LygZZW2+QOIrvK5TcU+rAmXKsA\n"
+"765z0nTIbL3vNr9n0yEM3E13tk3Qjqx+OLhJ/ZyLKW+w+BuhLp79LcVtjNnlVfvC\n"
+"nVgLvo69YGdJxhPUjjVqKwTlvptyzELQSSQMenPmvhz2kRXjQ/6jog4tb1qkzfpP\n"
+"eYB0MVgSLeWBgNF3VLTSH06RHvXEQcdP2e3AR67sJxd6UJ4vOo1widQs0yWTZpCB\n"
+"ZJawOPqDAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQUWU1t/YrnYJGhEfuoDj42A4uij0gwDQYJKoZIhvcNAQELBQAD\n"
+"ggEBACUbydVQKZi5ulzn/lQK5x/DZySJflrevZ1plV7BVBhZhlvBO0VARGNn+NW5\n"
+"G9RqY+itmyBbW/Fl43gWiHQynYneK9tYBub7WeJqr9iTX4zvI7V8fk/vbyfVRODX\n"
+"cJ8JzeLYqi6Hm1PK7Q9dz0rgyulXeuCyDeQ4jzoGIm2l7atUoGZB0f9YCJyeV2ew\n"
+"t8jMZr2sSVMgvT87S/EHMe5q5YAJQzDBAadH64icaxW3e03UeH6JYblohsZVQTIE\n"
+"wl60jozIStml73oyocfytsErDdKArrSSHxHaygAqoVu+9O5U90vwK6VDuGF0YzZj\n"
+"ZKOAu2HuFHpCMbYzUYi3FMOUU5k=\n"
+"-----END CERTIFICATE-----\n",
+NULL
+};
+
+static const char *nc_good1[] = {
+/* DNSname: www.example.com */
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDQDCCAiigAwIBAgIMU/xyoxPcYVSaqH7/MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+"BgNVBAMTBENBLTMwIhgPMjAxNDA4MjYxMTQyMjdaGA85OTk5MTIzMTIzNTk1OVow\n"
+"EzERMA8GA1UEChMIc2VydmVyLTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
+"AoIBAQDkemVOFdbhBX1qwjxQHr3LmPktNEVBmXjrIvyp++dN7gCYzubnpiLcBE+B\n"
+"S2b+ppxBYm9ynKijhGrO+lZPCQRXWmqUg4YDfvnEqM4n04dCE98jN4IhwvWZyP3p\n"
+"+U8Ra9mVIBAY2MReo1dcJQHNmo560xzxioHsGNQHAfYgVRHiE5hIXchYbWCkBrKt\n"
+"XOoSSTmfgCF3L22p6S1q143VoKUr/C9zqinZo6feGAiTprj6YH0tHswjGBbxTFLb\n"
+"q3ThbGDR5FNYL5q0FvQRNbjoF4oFitZ3P1Qkrzq7VIJd9k8J1C3g/16U2dDTKqRX\n"
+"ejX7maFZ6oRZJASsRSowEs4wTfRpAgMBAAGjgZMwgZAwDAYDVR0TAQH/BAIwADAa\n"
+"BgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wEwYDVR0lBAwwCgYIKwYBBQUHAwEw\n"
+"DwYDVR0PAQH/BAUDAwegADAdBgNVHQ4EFgQUAEYPmcA7S/KChiet+Z6+RRmogiww\n"
+"HwYDVR0jBBgwFoAUjxZogHO3y4VdOLuibQHsQYdsGgwwDQYJKoZIhvcNAQELBQAD\n"
+"ggEBABlA3npOWwl3eBycaLVOsmdPS+fUwhLnF8hxoyKpHe/33k1nIxd7iiqNZ3iw\n"
+"6pAjnuRUCjajU+mlx6ekrmga8mpmeD6JH0I3lq+mrPeCeFXm8gc1yJpcFJ/C2l4o\n"
+"+3HNY7RJKcfoQxIbiKOtZ6x9E0aYuk3s1Um3Pf8GLwENoou7Stg5qHsLbkN/GBuP\n"
+"n3p/4iqik2k7VblldDe3oCob5vMp0qrAEhlNl2Fn65rcB4+bp1EiC1Z+y6X8DpRb\n"
+"NomKUsOiGcbFjQ4ptT6fePmPHX1mgDCx+5/22cyBUYElefYP7Xzr+C8tqqO3JFKe\n"
+"hqEmQRsll9bkqpu2dh83c3i9u4g=\n"
 "-----END CERTIFICATE-----\n",
+/* - */
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDATCCAemgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0y\n"
+"MCIYDzIwMTQwODI2MTE0MjI3WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/4ofaL+ilmmM+\n"
+"bGaFRy5GYQXtkD8sA3+/GWsunR928fQS68Zh6iWU+gPm52i7Gfbh7piKWA5Tb63w\n"
+"unbS6dPsfPSvgRMZGKJpzxqVcBQAnTS4MuDPlXNg3K3HMyVtbxekII8jFeGEJuCL\n"
+"mBMT4dI48IZRzj+2mir38w2cQPfomaKtjg2jMokG8Z9/4+SU9VJCcY1/yZk8fCbS\n"
+"dBbwhnDq10yvhPCHgX6KMYmoJr28CYgH29Q9sDP1XN3VvAx5X+PtW/6pyF0U5E2e\n"
+"gRzVv7Hr3FJKvytbNxRMCoy2YOyvsTP0fIhiXdtkulTKXyiq4cxA+aYByOu1FjU4\n"
+"NicWbiZ/AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQUjxZogHO3y4VdOLuibQHsQYdsGgwwHwYDVR0jBBgwFoAUwAx0\n"
+"aL2SrsoSZcZUuFlq0O17BSgwDQYJKoZIhvcNAQELBQADggEBAGQvj8SquT31w8JK\n"
+"tHDL4hWOU0EwVwWl4aYsvP17WspiFIIHKApPFfQOD0/Wg9zB48ble5ZSwKA3Vc3B\n"
+"DJgd77HgVAd/Nu1TS5TFDKhpuvFPJVpJ3cqt3pTsVGMzf6GRz5kG3Ly/pBgkqiMG\n"
+"gv6vTlEvzNe4FcnhNBEaRKpK5Hc5+GnxtfVoki3tjG5u+oa9/OwzAT+7IOyiIKHw\n"
+"7F4Cm56QAWMJgVNm329AjZrJLeNuKoQWGueNew4dOe/zlYEaVMG4So74twXQwIAB\n"
+"Zko7+wk6eI4CkI4Zair36s1jLkCF8xnL8FExTT3sg6B6KBHaNUuwc67WPILVuFuc\n"
+"VfVBOd8=\n"
+"-----END CERTIFICATE-----\n",
+/* Name Constraints (critical):
+   Permitted: DNSname: example.com
+   Excluded:  DNSname: example.org
+ */
 "-----BEGIN CERTIFICATE-----\n"
-"MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0x\n"
-"MCIYDzIwMTQwMjE5MTI0NzE1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyvjWWVcORUI1M\n"
-"9IwACxbTQGzVLyWZunx9Ui+RgGjbSuQxbXopW+ElXWCGHYbegflU95zZf2MtsTam\n"
-"6yttESx5rULpEMAvaSV6rjkJEZtc0GN8AHMmCZnDXEqJQenNZOWuNEhquBCGifeD\n"
-"GV6jAGvpkuN7p2iPBLVn74/ta9Vi8I0ZcNlfLkJcjIwOOldJ8Uz7DtZuBWnkEqz3\n"
-"Pu5pmVfP65gFJFFCMe5I0nVgwSJye2VF2PEW977Q9yBTbC8wHESQtyvAcYWm0b5S\n"
-"IeRpN6rPNzS0OE1foBN+JqXhE6gEw7sgtfVixvsSXVlPUFADqJZ+TVXndAbdUOIw\n"
-"ixFKNODDAgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUYa0SPy1Augq0D4z9KkxXSwGdaLAwHwYDVR0jBBgwFoAU7wb/\n"
-"A8DjHcoff+5iq40XgqAnruUwDQYJKoZIhvcNAQELBQADggEBAFCmGqITk+aW16Ua\n"
-"hrtHj2vHPVUyCjfVT3CCRSmUzRZdL/XdeVhL4Bdoj7ebx6JCjewEbm/zdHMl710X\n"
-"HDTHU2ixkPF0uBcr8pop6joa+qe8c+QwI4hgXUSwjRXjJIVunHPy8zzCKJWj/BTf\n"
-"bWuDAkFiIBlW1jDzRh1w3gS0e5Ewx/U9itICJf/OXeCCmOQw+eERFzgfHTXBCDZQ\n"
-"XJ7lJ7md3Oow/DUMrKfO6EGJYDEpAqVsO+TCONQ0OIXRMS0WXYm0Q1qkAaEd3Rfo\n"
-"nU0hoTQwOECbxELG3Acu5zURPpZY51MooupMw0uoWBhSew40Crw/THvWVtZzO08Q\n"
-"Z1hjbl8=\n"
+"MIIDMzCCAhugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0x\n"
+"MCIYDzIwMTQwODI2MTE0MjI3WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIf3as4EONSgWu\n"
+"Mbm9w3DbKd/su1UWlrYrcpVqmU3MKD5jXBxyoThSBWxmq1+wcNDmE1on6pHY1aad\n"
+"k3188JKMC83wEcyQXaiH3DlTYFXXkkI+JJNUGlfAMSoXG248SpoCIOhCETUG03iP\n"
+"Z3AZludaHYsv4akAh1Kl6qn66+bKM53l/YhoQDxhoGaYvO8ZSwKnx5DEiq447jpW\n"
+"M+sUFe38RPaMjHpyc1GRctvQDzJGm+8ZRujYDH+fGNzVDDlRyRnsVanFGNdyfhmy\n"
+"BN2D2+2VEvzAWlaGg2wQN8gF3+luavIVEgETXODZPa5FF7ulmQmhqGrZcw6WtDmY\n"
+"hUbNmbL7AgMBAAGjgZUwgZIwDwYDVR0TAQH/BAUwAwEB/zAuBgNVHR4BAf8EJDAi\n"
+"oA8wDYILZXhhbXBsZS5jb22hDzANggtleGFtcGxlLm9yZzAPBgNVHQ8BAf8EBQMD\n"
+"BwQAMB0GA1UdDgQWBBTADHRovZKuyhJlxlS4WWrQ7XsFKDAfBgNVHSMEGDAWgBTg\n"
+"+khaP8UOjcwSKVxgT+zhh0aWPDANBgkqhkiG9w0BAQsFAAOCAQEASq5yBiib8FPk\n"
+"oRONZ4COgGqjXvigeOBRgbHf9AfagpoYDbOKDQS8Iwt9VHZfJxdcJ1OuM1aQqXlN\n"
+"dUyf+JdR/24Nv1yrhL+dEfRGka6Db96YuPsbetVhNIiMm2teXDIPgGzAKuTm4xPA\n"
+"6zyNVy5AwfDQ5hIZ+EUsfOoerIElNyAbh66law4MWuiv4oyX4u49m5lxLuL6mFpR\n"
+"CIZYWjZMa0MJvWMKGm/AhpfEOkbT58Fg5YmxhnKMk6ps1eR6mh3NgH1IbUqvEYNC\n"
+"eS42X3kAMxEDseBOMths0gxeLL+IHdQpXnAjZppW8zEIcN3yfknul35r8R6Qt9aK\n"
+"q5+/m1ADBw==\n"
 "-----END CERTIFICATE-----\n",
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTI0NzE0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5fZ/i4x9RaEPc\n"
-"NIY260dhNdaVZkBztAPSyDBZhTBXIRRiJwI3rkQvLayfVLMbovVcNl0evsfliI50\n"
-"0EoQyOhaV2hhoUzCQhdfyW4Cg0AiUJ2nARCIyMDBybD4sVEaHTEcrJaYfR6X2+1R\n"
-"Fk3pvN2ub0zBxdG8mvwMKiP8ZoApzZzZovu1kzgiBRXfTczBDlCyJrvfF8E6GMxk\n"
-"lDRgy7M56sOyXjSPEcvL99WWho5zKgRoQ9z/PWtqpXzfDJ1947yKs2gGGAEKPeQ0\n"
-"UnhtCvFGW29FINQGE6GVZ0m32babWCFkvZL9bXH0fH95ulsD6pZONPl1EoT0eSr9\n"
-"bw6uDTf3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQU7wb/A8DjHcoff+5iq40XgqAnruUwHwYDVR0jBBgwFoAUJSoB\n"
-"Zx+Bq4giBE6WypFMma0bnkUwDQYJKoZIhvcNAQELBQADggEBAInI3xPeQ05Ls78i\n"
-"kxytkUKaFZpUSPLPt2utI++eyl9CaoPaejU9JdIG9bWbvfrY6C0qrPSNbfQ3O0MK\n"
-"KJREBBvsdlRY1O20k06nBGxY5hZ+yRRb4tYqoIamHmOn3Giq45K8u4Df6umgUARZ\n"
-"IEBGDssqPoNS+MDIi+GBT9iro/yRfqBfKxj6dRa5+4G6yTy9tMHH1wp3SLeSAn/4\n"
-"6F7nsW6MFbQVAetLgQDCo8hZYSXJuMd6hShtlduhKkAuIM/HpjMKMvw4+8iGpjYt\n"
-"hBYRoD2xtbsZiTv9agtD8q0H2n0lCz9vK6t0cwFVy5K5zqT1h1ZDXFA0IFlgNKpP\n"
-"WbO2kF4=\n"
+"MCIYDzIwMTQwODI2MTE0MjI2WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIe0eOnLaV750K\n"
+"4+mVaAftRrJp8t68KJivcRFpkl0ucQs6gwNf9EsVkHineOR3RXypjJ7Hsv+4PIKp\n"
+"BhEOTprYUKcBaxHK/NIezV6NrO1AwuD6MtJDQF9jGpSy0F3eRUoBCjVYhTl+JxcZ\n"
+"hGHPJd8WMeanQWY4xG4gTwtpjF3tPU5+JGQwLk5SbcLicM2QMG3CapZinOGK3/XC\n"
+"Fjsvf5ZhxnixayhfiX/n9BmeP1yxz7YORNYPlL8z1CcLZqJsyjZnNkVwNvl4ft9I\n"
+"FOKBLoOTSGocHFIFXh5b50GG6QHgvN+TiAwdpfRTUskWVg8VVIh7ymgDoI2jQhk4\n"
+"EeMaZHd/AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQU4PpIWj/FDo3MEilcYE/s4YdGljwwHwYDVR0jBBgwFoAU6XJK\n"
+"EOUYTuioWHG+1YBuz0yPFmowDQYJKoZIhvcNAQELBQADggEBAJOCrGvbeRqPj+uL\n"
+"2FIfbkYZAx2nGl3RVv5ZK2YeDpU1udxLihc6Sr67OZbiA4QMKxwgI7pupuwXmyql\n"
+"vs9dWnNpjzgfc0OqqzVdOFlfw8ew2DQb2sUXCcIkwqXb/pBQ9BvcgdDASu+rm74j\n"
+"JWDZlhcqeVhZROKfpsjsl+lHgZ7kANwHtUJg/WvK8J971hgElqeBO1O97cGkw/in\n"
+"e8ooK9Lxk3Td+WdI8C7juCYiwsGqFEKuj7b6937uzvpFmm1fYDdOHhTMcHTHIVTr\n"
+"uxSSurQ4XSDF6Iuel3+IdpLL79UYJ7Cf4IhBWj0EloF6xWTA6nUYl3gzKpx1Tg1U\n"
+"x2+26YY=\n"
 "-----END CERTIFICATE-----\n",
 "-----BEGIN CERTIFICATE-----\n"
 "MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
-"MCIYDzIwMTQwMjE5MTI0NzE0WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
-"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDz3ju9uSZcNTQM\n"
-"dxAOa6UAY3O5ljCqx751te/+nz1Mx0/i9mjuTstq03987YPlDDAdDtW30TQje8J8\n"
-"sMkVMnnMpmqxEjfi71wIS29hQtWH5j1oTs/0d8M0LtdZp9dU+BEZlpYIZSj7vvCt\n"
-"TeBJjpBC/AR8LbM8+gC2BxxT0wXgEIP1It3O5QoaKhRhs7SlD6RNapaQjWrNDE0q\n"
-"loORFMZawncaVS84j+qiD+2dBE4XnM2o7ZLjOwVr5Xxy8yGzW1vucGlcq7ecLRsV\n"
-"qZqOZ3rBwj6gNnGtVdUoapCKMMB+KOOF+RM0Iaybj1CBT1ORwwIhXxvpJJNxbLqs\n"
-"ee2nmV39AgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
-"ADAdBgNVHQ4EFgQUJSoBZx+Bq4giBE6WypFMma0bnkUwDQYJKoZIhvcNAQELBQAD\n"
-"ggEBAKIRanr7UScoQblASm+btwX3oXuXdYe/xT0z6rnKiU7K8jIeX4EcLTyfhp/0\n"
-"v+DvMuVxddq71qXpuFxyTYXyjg6L8Ce0MnwnLz1Wd4uzBqolBq5IvS2PUoO4Ptwg\n"
-"XHny7BIDGK4omMz+TatItmvS4r2Ww9UBbi/0MS6d/om0K8Used9s+fUGPjuMfyC0\n"
-"y3i4Ba3q0G7x6351i9cSRY0cR9JTpVdyD6Jqd4fZq+0CA6/DgZQ6sInkUmSwDdSn\n"
-"RaxXSFegk7++yOHkxODEn+Yf34KRI8RRr7ZsgfolN6b6MpwMymmhoZX3rteH00oX\n"
-"NITdnUmuGlGTxXhiC02UeeZedTg=\n"
+"MCIYDzIwMTQwODI2MTE0MjI2WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
+"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqLuVrTyiqz+Zs\n"
+"9Qw5V2Z1y1YSWU6aRDMs+34rP2gwT41C69HBh2LLRS04iJUVQydwnEJukwKlTNRn\n"
+"1lEpvWgtYmySWA2SyI4xkVzCXgwv0k7WyLwa39hfNY1rXAqhDTL8VO0nXxi8hCMW\n"
+"ohaXcvsieglhN5uwu6voEdY3Gwtx4V8ysDJ2P9EBo49ZHdpBOv+3YLDxbWZuL/tI\n"
+"nYkBUHHfWGhUHsRsu0EGob3SFnfiooCbE/vtmn9rUuBEQDqOjOg3el/aTPJzcMi/\n"
+"RTz+8ho17ZrQRKHZGKWq9Skank+2X9FZoYKFCUlBm6RVud1R54QYZEIj7W9ujQLN\n"
+"LJrcIwBDAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
+"ADAdBgNVHQ4EFgQU6XJKEOUYTuioWHG+1YBuz0yPFmowDQYJKoZIhvcNAQELBQAD\n"
+"ggEBAEeXYGhZ8fWDpCGfSGEDX8FTqLwfDXxw18ZJjQJwus7bsJ9K/hAXnasXrn0f\n"
+"TJ+uJi8muqzP1V376mSUzlwXIzLZCtbwRdDhJJYRrLvf5zfHxHeDgvDALn+1AduF\n"
+"G/GzCVIFsYNSMdKGwNRp6Ucgl43BPZs6Swn2DXrxxW7Gng+8dvUS2XGLLdH6q1O3\n"
+"U1EgJilng+VXx9Rg3yCs5xDiehASySsM6MN/+v+Ouf9lkoQCEgrtlW5Lb/neOBlA\n"
+"aS8PPQuKkIEggNd8hW88YWQOJXMiCAgFppVp5B1Vbghn9IDJQISx/AXAoDXQvQfE\n"
+"bdOzcKFyDuklHl2IQPnYTFxm/G8=\n"
 "-----END CERTIFICATE-----\n",
 NULL
 };
@@ -1246,9 +1325,10 @@ static struct
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
   { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192), 
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID },
-  { "name constraints chain ok", nc_good, &nc_good[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
+  { "name constraints chain ok1", nc_good1, &nc_good1[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, 0 },
   { "name constraints chain bad1", nc_bad1, &nc_bad1[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
   { "name constraints chain bad2", nc_bad2, &nc_bad2[4], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
+  { "name constraints chain bad3", nc_bad3, &nc_bad3[2], GNUTLS_VERIFY_DISABLE_TIME_CHECKS, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE},
   { NULL, NULL, NULL, 0, 0}
 };
 /* *INDENT-ON* */