tests: verify that unsupported name constraints are properly handled

3 files changed, 96 insertions, 3 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 55101c5319..2dc1befbec 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -32,12 +32,14 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
 	email-certs/chain.invalid.example.com email-certs/chain.test.example.com-2 \
 	single-ca.p7b single-ca.p7b.out full.p7b full.p7b.out detached.p7b \
 	pkcs7-detached.txt p7-combined.out template-generalized.pem \
-	template-generalized.tmpl privkey1.pem privkey2.pem privkey3.pem
+	template-generalized.tmpl privkey1.pem privkey2.pem privkey3.pem \
+	name-constraints-ip.pem
 
 dist_check_SCRIPTS = pathlen aki template-test pem-decoding dane crq certtool invalid-sig email \
-	pkcs7 privkey-import
+	pkcs7 privkey-import name-constraints
 
-TESTS = pathlen aki pem-decoding certtool invalid-sig email pkcs7 privkey-import
+TESTS = pathlen aki pem-decoding certtool invalid-sig email pkcs7 privkey-import \
+	name-constraints
 
 if ENABLE_NON_SUITEB_CURVES
 TESTS += crq
diff --git a/tests/cert-tests/name-constraints b/tests/cert-tests/name-constraints
new file mode 100755
index 0000000000..358fcf15e8
--- /dev/null
+++ b/tests/cert-tests/name-constraints
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF=$"{DIFF:-diff}"
+if ! test -z "${VALGRIND}"; then
+	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
+fi
+
+${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/name-constraints-ip.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "name constraints test 1 failed"
+	exit 1
+fi
+
+exit 0
diff --git a/tests/cert-tests/name-constraints-ip.pem b/tests/cert-tests/name-constraints-ip.pem
new file mode 100644
index 0000000000..0201035e6f
--- /dev/null
+++ b/tests/cert-tests/name-constraints-ip.pem
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAnCgAwIBAgIQOsmz/d7cf+WhNKylxDbm1zANBgkqhkiG9w0BAQUFADBj
+MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRm9vIEJhciBJbmMuMRkwFwYDVQQDDBBG
+b28gQmFyIFN1YiBDQSAxMSIwIAYDVQQLDBlQdWJsaWMgS2V5IEluZnJhc3RydWN0
+dXJlMB4XDTE1MDYzMDEyMzUzMVoXDTE2MDYyOTEyMzUzMVowPjELMAkGA1UEBhMC
+VVMxFTATBgNVBAoMDEZvbyBCYXIgSW5jLjEYMBYGA1UEAwwPYmF6ei5mb29iYXIu
+Y29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANr+wWT56hU7b5ftwyXueAA8FSEi
+Fk9jkWuPciwZvpyGbJ2+TpVKrDB6ba2BKU86V1HZ/p6kuo8j0zpYKlNRZj0CAwEA
+AaOCASMwggEfMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFL4ylKjM+AApHAF8Gfys
+rJygnvK9MD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYhaHR0cDovL2NhMS5w
+a2kuZm9vYmFyLmNvbS9jYTEuY3J0MB8GA1UdIwQYMBaAFPncgjKS65+7jLsJYWtU
++W7ykYN4MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jYTEucGtpLmZvb2Jhci5j
+b20vY2ExLmNybDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG
+CCsGAQUFBwMBMC0GA1UdEQQmMCSCEXVwZGF0ZS5mb29iYXIuY29tgg9teC5mb29i
+YXIuZW1haWwwDQYJKoZIhvcNAQEFBQADQQBdSaiErl6zvgmWqjHKhHhfEkpFgkan
+k5iydgbkmq0bJmjGZNuWgWeVwmj78ZUseCJ2Y99Wa6kd16tpeaxNV72I
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICPTCCAeegAwIBAgIQVoZzMQsSdNz+dz6vSFdYNTANBgkqhkiG9w0BAQUFADBi
+MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRm9vIEJhciBJbmMuMRgwFgYDVQQDDA9G
+b28gQmFyIFJvb3QgQ0ExIjAgBgNVBAsMGVB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1
+cmUwHhcNMTUwNjMwMTIzMDU0WhcNMjUwNjI3MTIzMDU0WjBiMQswCQYDVQQGEwJV
+UzEVMBMGA1UECgwMRm9vIEJhciBJbmMuMRgwFgYDVQQDDA9Gb28gQmFyIFJvb3Qg
+Q0ExIjAgBgNVBAsMGVB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1cmUwXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEAvLHbrZg3Td1Jn3OjQJrIK55w4s94oR4jsJ+J9L+axDM1
+zHe2Uz43mzkB3x3sBqtQfEcYjHIDglDoV49N4qQZ+wIDAQABo3kwdzAPBgNVHRMB
+Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzDdTJbyDAsAqhkaC
+YKCAf305/uMwNQYDVR0eBC4wLKAqMCikJjAkMQswCQYDVQQGEwJVUzEVMBMGA1UE
+CgwMRm9vIEJhciBJbmMuMA0GCSqGSIb3DQEBBQUAA0EAQhDKO09nYdp782z3M/4Q
+2M4iXaLJlJ86h1kDzawl9n+y8cvrSEH4lx+5kBizXSzCorTtu53EAI/0HuJ0Q4I1
+9A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDcTCCAxugAwIBAgIQVoZzMQsSdNz+dz6vSFdYNjANBgkqhkiG9w0BAQUFADBi
+MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRm9vIEJhciBJbmMuMRgwFgYDVQQDDA9G
+b28gQmFyIFJvb3QgQ0ExIjAgBgNVBAsMGVB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1
+cmUwHhcNMTUwNjMwMTIzMTEyWhcNMjUwNjI3MTIzMTEyWjBjMQswCQYDVQQGEwJV
+UzEVMBMGA1UECgwMRm9vIEJhciBJbmMuMRkwFwYDVQQDDBBGb28gQmFyIFN1YiBD
+QSAxMSIwIAYDVQQLDBlQdWJsaWMgS2V5IEluZnJhc3RydWN0dXJlMFwwDQYJKoZI
+hvcNAQEBBQADSwAwSAJBALrV5pk76M4Pc72m1N1xmlTXN3BD0hTV+AgO106NWx6e
+t07sCG1OgJ7pfjF+/nLenOcH3rYOkPzGRAUmvPgc3ocCAwEAAaOCAaowggGmMBIG
+A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFPncgjKS65+7jLsJYWtU+W7ykYN4
+MD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5mb29iYXIu
+Y29tL3Jvb3QtY2EuY3J0MB8GA1UdIwQYMBaAFMw3UyW8gwLAKoZGgmCggH99Of7j
+MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9wa2kuZm9vYmFyLmNvbS9yb290LWNh
+LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF
+BwMBMIGtBgNVHR4EgaUwgaKgSDAMggpmb29iYXIuY29tMA6CDGZvb2Jhci5lbWFp
+bDAopCYwJDELMAkGA1UEBhMCVVMxFTATBgNVBAoMDEZvbyBCYXIgSW5jLqFWMBCC
+Dnd3dy5mb29iYXIuY29tMBKCEHd3dy5mb29iYXIuZW1haWwwCocIAAAAAAAAAAAw
+IocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEF
+BQADQQABhwF9me3nTbl8WwZnTrrjv8jK6Axqow6L2c506lASXVgOvsX/rM7aA8s5
+aynkhFxFYr3O/tRqwU1M9OMUwZ1h
+-----END CERTIFICATE-----