tests: Add DNS name constraints tests
authorMartin Ukrop <mukrop@redhat.com>
Wed, 20 Jul 2016 12:29:40 +0000 (14:29 +0200)
committerGitLab <gitlab@gitlab.com>
Thu, 21 Jul 2016 17:35:21 +0000 (17:35 +0000)
- One chain test with empty permitted intersection.
- Merge testset with 2 permitted constraints with empty intersection (intersected list is completely empty).
- Merge testset with 3 permitted constraints, 2 of which have empty intersection.
- Merge testset with 2 permitted constraints with empty intersection and one constraint of a different type that remains (intersected list is not empty).
- Enhance failing function with suite number for easier comprehension.

tests/name-constraints-merge.c
tests/test-chains.h

index 6487bed2251b2c8a02b6f0ee63c2fa8ac51d1e44..76430fb80b1fb130f5eef64e93551524fe509b30 100644 (file)
@@ -47,12 +47,15 @@ static void check_for_error(int ret) {
 #define NAME_ACCEPTED 1
 #define NAME_REJECTED 0
 
-static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+static void check_test_result(int suite, int ret, int expected_outcome,
+                                                         gnutls_datum_t *tested_data) {
        if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
                if (expected_outcome == NAME_ACCEPTED) {
-                       fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+                       fail("Checking \"%.*s\" should have succeeded (suite %d).\n",
+                                tested_data->size, tested_data->data, suite);
                } else {
-                       fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+                       fail("Checking \"%.*s\" should have failed (suite %d).\n",
+                                tested_data->size, tested_data->data, suite);
                }
        }
 }
@@ -69,13 +72,13 @@ static void tls_log_func(int level, const char *str)
 
 void doit(void)
 {
-       int ret;
+       int ret, suite;
        gnutls_x509_name_constraints_t nc1, nc2;
        gnutls_datum_t name;
 
        gnutls_global_set_log_function(tls_log_func);
        if (debug)
-               gnutls_global_set_log_level(6);
+               gnutls_global_set_log_level(1000);
 
        /* 0: test the merge permitted name constraints
         * NC1: permitted DNS org
@@ -84,6 +87,7 @@ void doit(void)
         * NC2: permitted DNS org
         *      permitted DNS aaa.bbb.ccc.com
         */
+       suite = 0;
 
        ret = gnutls_x509_name_constraints_init(&nc1);
        check_for_error(ret);
@@ -117,52 +121,52 @@ void doit(void)
        /* unrelated */
        set_name("xxx.example.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("example.org", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_ACCEPTED, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
 
        set_name("com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("xxx.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        /* check intersection of permitted */
        set_name("xxx.aaa.bbb.ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_ACCEPTED, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
 
        set_name("aaa.bbb.ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_ACCEPTED, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
 
        set_name("xxx.bbb.ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("xxx.ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
-       check_test_result(ret, NAME_ACCEPTED, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
 
        set_name("xxx.ccc.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        gnutls_x509_name_constraints_deinit(nc1);
        gnutls_x509_name_constraints_deinit(nc2);
@@ -171,6 +175,7 @@ void doit(void)
         * NC1: denied DNS example.com
         * NC2: denied DNS example.net
         */
+       suite = 1;
 
        ret = gnutls_x509_name_constraints_init(&nc1);
        check_for_error(ret);
@@ -191,27 +196,181 @@ void doit(void)
 
        set_name("xxx.example.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("xxx.example.net", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("example.com", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("example.net", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_REJECTED, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
 
        set_name("example.org", &name);
        ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
-       check_test_result(ret, NAME_ACCEPTED, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
 
        gnutls_x509_name_constraints_deinit(nc1);
        gnutls_x509_name_constraints_deinit(nc2);
 
+       /* 2: test permitted constraints with empty intersection
+        *    (no permitted nodes remain)
+        * NC1: permitted DNS one.example.com
+        * NC2: permitted DNS two.example.com
+        */
+       suite = 2;
+
+       ret = gnutls_x509_name_constraints_init(&nc1);
+       check_for_error(ret);
+
+       ret = gnutls_x509_name_constraints_init(&nc2);
+       check_for_error(ret);
+
+       set_name("one.example.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       set_name("two.example.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+       check_for_error(ret);
+
+       set_name("one.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("two.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("three.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("org", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       gnutls_x509_name_constraints_deinit(nc1);
+       gnutls_x509_name_constraints_deinit(nc2);
+
+       /* 3: test more permitted constraints, some with empty intersection
+        * NC1: permitted DNS foo.com
+        *      permitted DNS bar.com
+        *      permitted email redhat.com
+        * NC2: permitted DNS sub.foo.com
+        */
+       suite = 3;
+
+       ret = gnutls_x509_name_constraints_init(&nc1);
+       check_for_error(ret);
+
+       ret = gnutls_x509_name_constraints_init(&nc2);
+       check_for_error(ret);
+
+       set_name("foo.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       set_name("bar.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       set_name("sub.foo.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+       check_for_error(ret);
+
+       set_name("foo.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("bar.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("sub.foo.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_ACCEPTED, &name);
+
+       set_name("anothersub.foo.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       gnutls_x509_name_constraints_deinit(nc1);
+       gnutls_x509_name_constraints_deinit(nc2);
+
+       /* 4: test permitted constraints with empty intersection
+        *    almost identical to 2, but extra name constraint of different type
+        *    that remains after intersection
+        * NC1: permitted DNS three.example.com
+        *      permitted email redhat.com
+        * NC2: permitted DNS four.example.com
+        */
+       suite = 4;
+
+       ret = gnutls_x509_name_constraints_init(&nc1);
+       check_for_error(ret);
+
+       ret = gnutls_x509_name_constraints_init(&nc2);
+       check_for_error(ret);
+
+       set_name("three.example.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       set_name("redhat.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
+       check_for_error(ret);
+
+       set_name("four.example.com", &name);
+       ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+       check_for_error(ret);
+
+       ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+       check_for_error(ret);
+
+       set_name("three.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("four.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("five.example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("example.com", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       set_name("org", &name);
+       ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+       check_test_result(suite, ret, NAME_REJECTED, &name);
+
+       gnutls_x509_name_constraints_deinit(nc1);
+       gnutls_x509_name_constraints_deinit(nc2);
+
+       /* Test footer */
+
        if (debug)
                success("Test success.\n");
 }
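Review bot: The suite-3 header comment lists `permitted email redhat.com` for NC1, but the code below it adds only foo.com and bar.com to nc1 and sub.foo.com to nc2, so the comment documents a constraint that is never installed; either drop that comment line or add the matching `set_name("redhat.com", &name); ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name); check_for_error(ret);` before the merge. Suite 4 does install the email constraint and its comment says the point is that it survives the intersection, yet no check with GNUTLS_SAN_RFC822NAME follows the merge, so the behaviour that distinguishes suite 4 from suite 2 is never asserted; following the suite-0 pattern, `set_name("redhat.com", &name); ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name); check_test_result(suite, ret, NAME_ACCEPTED, &name);` would cover it (expected outcome presumably ACCEPTED, as for ccc.com in suite 0, but worth confirming). The log-level bump from 6 to 1000 in the first doit() hunk is unrelated to what the commit message describes and would be easier to track as its own change. In the check_test_result hunk, `%.*s` takes an int precision while the datum size is unsigned, so an explicit `(int)tested_data->size` keeps format checking quiet if fail() is format-attributed. doit() starts outside this hunk.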
index 521100b5cb4d883008a978c157a0ccaedb0e9da7..8f7088c3c28d90cd7d7681639f63cbb8b1f919a4 100644 (file)
@@ -303,9 +303,119 @@ static const char *modified2[] = {
     "-----END CERTIFICATE-----\n"
 };
 
+/* Empty intersection of 2 permitted DNS names,
+ * non-intuitive contraints order (more specific higher) */
+static const char *nc_bad0[] = {
+  /* Alternative DNSname: two.example.org */
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIIEJzCCAo+gAwIBAgIMV4T0BxqceieCt/KBMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+  "BgNVBAMTBENBLTIwIBcNMTYwNzEyMTM0MzM1WhgPOTk5OTEyMzEyMzU5NTlaMBMx\n"
+  "ETAPBgNVBAMTCHNlcnZlci0zMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC\n"
+  "AYEAm1IOBuzu9Pya9O3FKhQKus22xPlm+fVex8EV+p3IymnZGZUlDeTX5OcxCOm4\n"
+  "G87KNl/UQjgCB6n2FPiIYFbH9skxyvW8ZlG+M4so5yg7mwRjB8QPe0yEOLyxaLaa\n"
+  "uNp9icjtPJgPpIrEgppevfiP4iXrRGakzpjayazVCDTp9+XAhdWEi43mN6fgpM8V\n"
+  "Yc5sstkEueCjIfhApBzReMTvEUs3jCtmpqIvm07zVLpCh3sWh5MPSZtcw6UiKZdb\n"
+  "rRoaypznSkQDGQXCTZ92gSnkg0m86OIOHNQcxLXqfbrNJ7QZBf1wpi04s4DHNHSC\n"
+  "k9TpKe/dbDO4vgMgBNrcZ/9B7y95Pe+XJawG3klGhz2zGG7DmvWNygtUcM9nqk/P\n"
+  "f7TQhwsU4McmyxvVb09OVwk/2zEaPswv6MFvoxOskcQ5aYhJZs6wLDG3hh8yE4fr\n"
+  "BBvJb53flMnuSIWLfzeGUg4eeS8xP7ORApwLM0K0VGLaT4V9lpmWFLot0hv7XAcH\n"
+  "jeTVAgMBAAGjfTB7MAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdHdvLmV4YW1w\n"
+  "bGUub3JnMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFERr13TeLMJ3q5QS2W4O\n"
+  "HiqwpM0RMB8GA1UdIwQYMBaAFDTfJRBdiC6+QinO/HA/E7TWxeHrMA0GCSqGSIb3\n"
+  "DQEBCwUAA4IBgQAiOgI7RgzjDBHgliXb2Q9iuCq/o/08Fz2he8AzTJ0fw+Xd+g40\n"
+  "HWnhZZxlnSq/XFircrHwLuMyG2B6HJ9gXWg7SI/5PG9fVz0USC0tcxKzA87iB2sx\n"
+  "KWzdfmzBM32ioTFEisH9YQqCVXc3Umol15r3dAZsKGRKQzYjVG8APJS4LYZTX918\n"
+  "Yg06jCmp+ZhyRHVhQ1NbrX9geOK8tuZoTQ/10iI1+eIF50a43qA0H8YDuyQbrZA3\n"
+  "ECdVIQVCUQTVlTx+JMl7DoZnm+m+BrisAAuq/4TeJwm2Es3IF4SPB/pwaZyx8YnK\n"
+  "xqne/auI6Rq7nfsi3owxBjjX1YamlmM6UWdvIsejsy92im2G0+J5s55yw+fCGXE5\n"
+  "5mItHVWOiviaPa95NU3NeD8RkUUFI568GM8GnIcSfJi1yxed8UApbCiZMbIIN8fl\n"
+  "5mMgyZv2QJXbJxhIiCQixn8nYsj2iaJu9Ns6zd5cFaQSmQxIEUfCiNZ9kO0xwpor\n"
+  "tHWgZdawxv2CfGg=\n"
+  "-----END CERTIFICATE-----\n",
+  /* Name Constraints (critical):
+    Permitted: DNSname: example.org */
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIIEIDCCAoigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0x\n"
+  "MCAXDTE2MDcxMjEzNDMzNVoYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+  "QS0yMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtpx8p5POIgdnDbBr\n"
+  "fH1kByvm2PP+iN4UJhJYY1V7EMiucC/CU5HoYhi/KpBwoY+28oaISEMr0KEf/3rv\n"
+  "CTZRBxuqxCboK6+u/dDOlyYeM0dU57jpKmgCrETLMq92QaIEhNzv88cTaWP0OGzv\n"
+  "2klLqim5AJC2J/XWqHGprfdhf9GCWurMT+km7LPIClDHfwnmrPHuNhelfPCVzKpO\n"
+  "9S9+Lq5KpaV45DRQtMve5NjUju1q9LotEeEdlu5bnomIK3SyfS+n5AZnLNVAqmMg\n"
+  "kSB1ymtWqn4wiw3hCBz8biSlkeowdh37cm3j0za27R3IjFnIQLD44Ena3pTU8v+P\n"
+  "4/k1OML8UWXpigP5QuTSASx0fXiShHf3baY1HnEqULfYvi+IUb6wMs/3f13NVVBE\n"
+  "z+LsjiWlwqB0fK5lefO32cEDvtSMlIxgt3FUDCo3/rLAh4ZorURONh4MUWiODTSl\n"
+  "417JOLB/miH37jodViv6zfbtTvw/+GbZM9TnvHlzqvZj5nLFAgMBAAGjgYQwgYEw\n"
+  "DwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzARoA8wDYILZXhhbXBsZS5vcmcw\n"
+  "DwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUNN8lEF2ILr5CKc78cD8TtNbF4esw\n"
+  "HwYDVR0jBBgwFoAU4SfGxDtCWqGQsk7xBIooEZNCoMYwDQYJKoZIhvcNAQELBQAD\n"
+  "ggGBABJZw4MHkE+8Fg+r/ET/kJ0n0NtsB57O3ogPpe/0/EWpsEJsjnRzimfu5NjS\n"
+  "PIcEKk/l2Ij8vbmDxb1uNsZmeYphdjb+w/D44OnxahxeLELwZPHWpJLvuf5S8bsz\n"
+  "Z0bZFNkDUXYbKDX8kWr1gNCKURBS344fRfe8HzZsG68stouvCuOh5pvre7mGGMJI\n"
+  "5/OMISmQiKIGLpUi1YOSRM25VMZ6GnzgYiN/bcZU1ph+R0lQv7/RRZ7oiaYmFBTi\n"
+  "FfWIE2hsJla3mbhCnUUp18MpRu4+gPirCVhNQ+ii9FPklcIhXxOrq6cqfX/YAcWO\n"
+  "uF70tZK/+Z7UXqGYJeQ8pdmlzjNGSH7Q6D+QKNAjZ+Ovb7zEh3NmyTT2XEykMR6+\n"
+  "bQYaGGcRu8Uvz4wHDaqeUuF/vgTiFaJ8kwNGX8Xb1x+ok5QrJAKZzvy59kojz8L0\n"
+  "ukQ6SqsvZ6SkJRbHHEh39YPNdC66O58KTiayjKgxQmVHsMOhraI1+YmPntCNBqNN\n"
+  "AvhLDg==\n"
+  "-----END CERTIFICATE-----\n",
+  /* Name Constraints (critical):
+    Permitted: DNSname: one.example.com */
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIIEJDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+  "MCAXDTE2MDcxMjEzNDMzNFoYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+  "QS0xMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAt7EPrrm4e4JEPXVI\n"
+  "3s6eNQCyQv24LU9HD+7hDMEOFf//DoHeb8QqSDJdiCk+Hax5ydKZR2h4HZRmj5HO\n"
+  "s6nxh0AWL645fKcvfk9Oj3r1roLWxH9Kk/UR246s7FcujhDzEz3LEOZUedeMY2CS\n"
+  "tyjPLsKoP0jiDslRk0Yt4m7OfayB71B26qq92SzRr2YlMvf6AWHEiZhCRqVNidDV\n"
+  "LxdMwqIkO8s93DN8Kw74X8U5o5vTjmmDiW1HVrqsxOuImnjQ4qTUiDv0JbzTQbTp\n"
+  "uPOlJ5u/qMTK1jsGDcgfnojHLrsyuuTPR4v6Rmebpi0HHrT2PkxLeGtQEUxM7TeS\n"
+  "Ccq+eva9zm4UngonS2/nkfYawLDkP3XQ7cJQueNKLC5etDr9NqhFaD624InblWGy\n"
+  "V7jtEJRwRPH9FeMG7HyWb4BHYz36dCsMLbsCrCLIH8H7r/1nswVxlL5SRwiL06fK\n"
+  "11pwae1uyNgQuvjno4zHKM5V+mJe1Tz//2X3bfb7crFPQgsxAgMBAAGjgYgwgYUw\n"
+  "DwYDVR0TAQH/BAUwAwEB/zAhBgNVHR4BAf8EFzAVoBMwEYIPb25lLmV4YW1wbGUu\n"
+  "Y29tMA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFOEnxsQ7QlqhkLJO8QSKKBGT\n"
+  "QqDGMB8GA1UdIwQYMBaAFJm3gYrByx1mGmb4CnWXtNzxwGapMA0GCSqGSIb3DQEB\n"
+  "CwUAA4IBgQAU53SjH5nO+ah/pAQaIDuxaJ6yaFWt1ZuW8riu/dTqn9vI0R4K6WCh\n"
+  "EZ/rf4Z4YWMLm0+wI/+1CbFHtuZ9savA4qx7rtXQw5mF1JTEBsBM/chiXZ50euKW\n"
+  "DRE2e8egOESxDQWk5cnaAxtbiRYXu/KYGqFcGeRvSoy85gIwfjBtweYn+rOwM9Yi\n"
+  "9JsrKwsdFlzvzB6+ozDMCHncqtkU3DqI9QD80oP033z45EJxWxOhd6YhnrZN9SKp\n"
+  "E/lnc/XuY3NflVE5PGT5efrfGkAfbp2fWPfvc2PP0Lh172zoPy3mBwcXpWdij+H2\n"
+  "JCzwEqzxQzLpACtFy0kwq9HhzfgcdbbFmUbNweIf30eVG0XQ35myZy9Q1LQINhaj\n"
+  "UN0Ao7qtLUtC8z5DlUFMuEHQBLhFkmuRHJHCkFRqLO0nHFYmKxtQ2nNmbHt1909s\n"
+  "I20OEegNTFV8luCbFahoILckFlsbep9P4d0wOMjZuJkLyModK7Yx+CdOpq6/Cegg\n"
+  "gt+aIvJzHEY=\n"
+  "-----END CERTIFICATE-----\n",
+  "-----BEGIN CERTIFICATE-----\n"
+  "MIID3jCCAkagAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+  "MCAXDTE2MDcxMjEzNDMzM1oYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+  "QS0wMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmmrn3nN2bIFYipZN\n"
+  "ED4nbWSc0ZYDbo8VzqjCKNVhMbYJlu07tV0qDK/1IDHf9awo5AladB4NEH3oJi9c\n"
+  "sCtiBtJ9UnqD+gxsJFNtpOfNRfelOE8R7suXAxDxJto7YLtXnLCcMx+UMkhlDfVi\n"
+  "Yy5Hqua//+EFyffokOPJ0/JCxFvTd9ldbNnxgLL27yDJBL1e4SMSw03/wKoLS0nW\n"
+  "Sjzcu1+Y2sdj6CNVDtZjGmDLMNtyykX4BDz71PrlR1euktkuHS1HMthQdj3rSWjU\n"
+  "Rehe7LxjYG548SpnIVA93EOfDyqLhjpKUL8+rA0cKBIsaJK+TyUNQ8XYa98djBAj\n"
+  "gjRYRsPkZt/FH2BTg+4XSHWMrmfEbxyxqAf6euUkY4Z+Y2xkUHQl5GdYk44Rb/+4\n"
+  "NxSBBKSj+6SqK2f0o3WTHXwJTeX+B0rV2x507hFqf6lRGzwzffrXKqH3yxfqbycl\n"
+  "XlahOiBJ1xKNrR0XGeq9yPcrWv/RYvYt4JJp9OV1U2Mz3DRRAgMBAAGjQzBBMA8G\n"
+  "A1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUmbeBisHL\n"
+  "HWYaZvgKdZe03PHAZqkwDQYJKoZIhvcNAQELBQADggGBABaf05+i07lJI74gv87t\n"
+  "87BuaYEvySlQuUqycCvEs31RXFxJQhpHS7RvqPw6vqDv418SZwd/hNaC7a1JU0gL\n"
+  "Zuha61y9u6/HbmeCBSgXYcd+4M/2oPz6WcJ9uoOZk8D2NxafubVtyXH26O6tMEnK\n"
+  "0JJuV6q7fsqvIHf+tvRs/fTD7gKtyAsj1OoO3EjkRRQPnHOR4anXr1jxDFvldHEs\n"
+  "qhlibWotfyvS4BvSk8nEo+/hrXs86cQDqCg1bbbz04sTQVHW1/kCKYl7c/HQGnTT\n"
+  "I3Yc7pFq7n5sNP31XN1a8VaGiKseNXmxjhS9XlIvQ1qB5ObE+Dm0tWQbrDo73udb\n"
+  "dW+I2/Pcij0tGBi8Cxe/PZKv5wio4NpWGTNiF6PMSaUp+lqX2iLYfjjl7osr3Hph\n"
+  "gnwxlST3q0Av0+91jCfj6IZ9YRHLakceaRxcj8zLoVGpQqTdJjuH4Sy7nKoL58G1\n"
+  "96Asqk2NsUztvRfw5pYFoe7ZUgsa4M+0/nZxOPd2UeodMA==\n"
+  "-----END CERTIFICATE-----\n",
+  NULL
+};
+
 static const char *nc_bad1[] = {
 /* DNSname: localhost
-   DNSname: www.example.com */
+   DNSname: www.example.com
+   Common name: (empty) */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDSzCCAjOgAwIBAgIMU/xqxDpxZ3J5cUcrMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
 "BgNVBAMTBENBLTEwIhgPMjAxNDA4MjYxMTA4NTJaGA85OTk5MTIzMTIzNTk1OVow\n"
@@ -2353,6 +2463,7 @@ static struct
   { "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192), 
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
   { "name constraints chain ok1", nc_good1, &nc_good1[4], 0, 0, NULL, 1412850586},
+  { "name constraints: 2 constraints, non-intuitive order", nc_bad0, &nc_bad0[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1468920734},
   { "name constraints chain bad1", nc_bad1, &nc_bad1[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
   { "name constraints chain bad2", nc_bad2, &nc_bad2[4], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
   { "name constraints chain bad3", nc_bad3, &nc_bad3[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
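Review bot: The new table entry's name `"name constraints: 2 constraints, non-intuitive order"` breaks the `"name constraints chain badN"` naming used by every neighbouring entry and by the array name nc_bad0 itself; `"name constraints chain bad0 (2 constraints, non-intuitive order)"` would keep the entries greppable as a group. The nc_bad0 header comment in the earlier hunk explains the ordering but not why the chain must fail, which a reader cannot reconstruct from the base64; a comment such as `/* Leaf two.example.org satisfies CA-2's constraint (example.org) but not CA-1's (one.example.com): the permitted intersection is empty, so verification must report GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE */` would tie the fixture to the expected flags in this entry. That same comment misspells "constraints" as "contraints". The verification time 1468920734 differs from the 1412850586 used by the sibling entries; if the fixtures' validity windows allow it, reusing the sibling value avoids a second magic timestamp, otherwise a short comment on why it differs would help.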