authorMartin Ukrop <mukrop@redhat.com>2016-07-20 14:29:40 +0200
committerGitLab <gitlab@gitlab.com>2016-07-21 17:35:21 +0000
commit593fbbedee6cc4f62956c529ffbd981ed3bff25f (patch)
tree0de8824d08de67c7734092b802ed2de76faf7b97
parent8b07e0085fa23c37d7b4c530cca1a89af6380c68 (diff)
downloadgnutls-593fbbedee6cc4f62956c529ffbd981ed3bff25f.tar.gz
tests: Add DNS name constraints tests
- One chain test with an empty permitted intersection. - Merge test set with 2 permitted constraints with an empty intersection (the intersected list is completely empty). - Merge test set with 3 permitted constraints, 2 of which have an empty intersection. - Merge test set with 2 permitted constraints with an empty intersection and one constraint of a different type that remains (the intersected list is not empty). - Enhance the failing function with the suite number for easier comprehension.
-rw-r--r--tests/name-constraints-merge.c203
-rw-r--r--tests/test-chains.h113
2 files changed, 293 insertions, 23 deletions
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 6487bed225..76430fb80b 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -47,12 +47,15 @@ static void check_for_error(int ret) {
#define NAME_ACCEPTED 1
#define NAME_REJECTED 0
-static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+static void check_test_result(int suite, int ret, int expected_outcome,
+ gnutls_datum_t *tested_data) {
if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
if (expected_outcome == NAME_ACCEPTED) {
- fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have succeeded (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
} else {
- fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have failed (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
}
}
}
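Review bot: The `%.*s` precision argument in both new fail() calls is `tested_data->size`, an unsigned int in gnutls_datum_t, while the `.*` precision requires an int; -Wformat warns on this and it is formally a type mismatch. Cast it at both call sites: `(int)tested_data->size, tested_data->data, suite);`. The helper also has no header comment, and the condition treats `ret == 0` as the failing case when acceptance is expected, which reads as inverted unless one knows the checker's convention; a comment such as `/* ret is the value from gnutls_x509_name_constraints_check(): non-zero means the name was accepted. suite is echoed in the failure message so the failing case can be located. */` would save the reader that guess.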
@@ -69,13 +72,13 @@ static void tls_log_func(int level, const char *str)
void doit(void)
{
- int ret;
+ int ret, suite;
gnutls_x509_name_constraints_t nc1, nc2;
gnutls_datum_t name;
gnutls_global_set_log_function(tls_log_func);
if (debug)
- gnutls_global_set_log_level(6);
+ gnutls_global_set_log_level(1000);
/* 0: test the merge permitted name constraints
* NC1: permitted DNS org
@@ -84,6 +87,7 @@ void doit(void)
* NC2: permitted DNS org
* permitted DNS aaa.bbb.ccc.com
*/
+ suite = 0;
ret = gnutls_x509_name_constraints_init(&nc1);
check_for_error(ret);
@@ -117,52 +121,52 @@ void doit(void)
/* unrelated */
set_name("xxx.example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.org", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
/* check intersection of permitted */
set_name("xxx.aaa.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("aaa.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("xxx.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("xxx.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
@@ -171,6 +175,7 @@ void doit(void)
* NC1: denied DNS example.com
* NC2: denied DNS example.net
*/
+ suite = 1;
ret = gnutls_x509_name_constraints_init(&nc1);
check_for_error(ret);
@@ -191,27 +196,181 @@ void doit(void)
set_name("xxx.example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.example.net", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.net", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.org", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
+ /* 2: test permitted constraints with empty intersection
+ * (no permitted nodes remain)
+ * NC1: permitted DNS one.example.com
+ * NC2: permitted DNS two.example.com
+ */
+ suite = 2;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 3: test more permitted constraints, some with empty intersection
+ * NC1: permitted DNS foo.com
+ * permitted DNS bar.com
+ * permitted email redhat.com
+ * NC2: permitted DNS sub.foo.com
+ */
+ suite = 3;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
+
+ set_name("anothersub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 4: test permitted constraints with empty intersection
+ * almost identical to 2, but extra name constraint of different type
+ * that remains after intersection
+ * NC1: permitted DNS three.example.com
+ * permitted email redhat.com
+ * NC2: permitted DNS four.example.com
+ */
+ suite = 4;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("redhat.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_for_error(ret);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("five.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* Test footer */
+
if (debug)
success("Test success.\n");
}
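Review bot: The header comment for suite 3 lists `permitted email redhat.com` on NC1, but the code adds only foo.com and bar.com to nc1 and sub.foo.com to nc2; either drop that comment line or add the RFC822NAME constraint the comment promises. Suite 4 has the opposite gap: the email constraint is added and the commit message says it is what keeps the intersected list non-empty, yet nothing exercises it after the merge, so suites 2 and 4 currently assert the same set of DNS rejections and suite 4 never pins the behaviour it exists for. Adding an RFC822NAME check that a name under redhat.com is still accepted and one outside it is rejected, following the bare-hostname form the file already uses for RFC822NAME in suite 0, would close that gap (the exact e-mail matching rule of the checker is not visible here, so confirm the expected values against it). The `/* Test footer */` comment conveys nothing and could be dropped.
```c
/* … unchanged: suite 4 setup, merge and DNS checks … */

/* the email constraint is the only permitted node left after the merge;
 * it must still be applied on its own */
set_name("redhat.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
check_test_result(suite, ret, NAME_ACCEPTED, &name);

set_name("example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
check_test_result(suite, ret, NAME_REJECTED, &name);

gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
```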
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 521100b5cb..8f7088c3c2 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -303,9 +303,119 @@ static const char *modified2[] = {
"-----END CERTIFICATE-----\n"
};
+/* Empty intersection of 2 permitted DNS names,
+ * non-intuitive contraints order (more specific higher) */
+static const char *nc_bad0[] = {
+ /* Alternative DNSname: two.example.org */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEJzCCAo+gAwIBAgIMV4T0BxqceieCt/KBMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+ "BgNVBAMTBENBLTIwIBcNMTYwNzEyMTM0MzM1WhgPOTk5OTEyMzEyMzU5NTlaMBMx\n"
+ "ETAPBgNVBAMTCHNlcnZlci0zMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC\n"
+ "AYEAm1IOBuzu9Pya9O3FKhQKus22xPlm+fVex8EV+p3IymnZGZUlDeTX5OcxCOm4\n"
+ "G87KNl/UQjgCB6n2FPiIYFbH9skxyvW8ZlG+M4so5yg7mwRjB8QPe0yEOLyxaLaa\n"
+ "uNp9icjtPJgPpIrEgppevfiP4iXrRGakzpjayazVCDTp9+XAhdWEi43mN6fgpM8V\n"
+ "Yc5sstkEueCjIfhApBzReMTvEUs3jCtmpqIvm07zVLpCh3sWh5MPSZtcw6UiKZdb\n"
+ "rRoaypznSkQDGQXCTZ92gSnkg0m86OIOHNQcxLXqfbrNJ7QZBf1wpi04s4DHNHSC\n"
+ "k9TpKe/dbDO4vgMgBNrcZ/9B7y95Pe+XJawG3klGhz2zGG7DmvWNygtUcM9nqk/P\n"
+ "f7TQhwsU4McmyxvVb09OVwk/2zEaPswv6MFvoxOskcQ5aYhJZs6wLDG3hh8yE4fr\n"
+ "BBvJb53flMnuSIWLfzeGUg4eeS8xP7ORApwLM0K0VGLaT4V9lpmWFLot0hv7XAcH\n"
+ "jeTVAgMBAAGjfTB7MAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdHdvLmV4YW1w\n"
+ "bGUub3JnMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFERr13TeLMJ3q5QS2W4O\n"
+ "HiqwpM0RMB8GA1UdIwQYMBaAFDTfJRBdiC6+QinO/HA/E7TWxeHrMA0GCSqGSIb3\n"
+ "DQEBCwUAA4IBgQAiOgI7RgzjDBHgliXb2Q9iuCq/o/08Fz2he8AzTJ0fw+Xd+g40\n"
+ "HWnhZZxlnSq/XFircrHwLuMyG2B6HJ9gXWg7SI/5PG9fVz0USC0tcxKzA87iB2sx\n"
+ "KWzdfmzBM32ioTFEisH9YQqCVXc3Umol15r3dAZsKGRKQzYjVG8APJS4LYZTX918\n"
+ "Yg06jCmp+ZhyRHVhQ1NbrX9geOK8tuZoTQ/10iI1+eIF50a43qA0H8YDuyQbrZA3\n"
+ "ECdVIQVCUQTVlTx+JMl7DoZnm+m+BrisAAuq/4TeJwm2Es3IF4SPB/pwaZyx8YnK\n"
+ "xqne/auI6Rq7nfsi3owxBjjX1YamlmM6UWdvIsejsy92im2G0+J5s55yw+fCGXE5\n"
+ "5mItHVWOiviaPa95NU3NeD8RkUUFI568GM8GnIcSfJi1yxed8UApbCiZMbIIN8fl\n"
+ "5mMgyZv2QJXbJxhIiCQixn8nYsj2iaJu9Ns6zd5cFaQSmQxIEUfCiNZ9kO0xwpor\n"
+ "tHWgZdawxv2CfGg=\n"
+ "-----END CERTIFICATE-----\n",
+ /* Name Constraints (critical):
+ Permitted: DNSname: example.org */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEIDCCAoigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0x\n"
+ "MCAXDTE2MDcxMjEzNDMzNVoYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+ "QS0yMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtpx8p5POIgdnDbBr\n"
+ "fH1kByvm2PP+iN4UJhJYY1V7EMiucC/CU5HoYhi/KpBwoY+28oaISEMr0KEf/3rv\n"
+ "CTZRBxuqxCboK6+u/dDOlyYeM0dU57jpKmgCrETLMq92QaIEhNzv88cTaWP0OGzv\n"
+ "2klLqim5AJC2J/XWqHGprfdhf9GCWurMT+km7LPIClDHfwnmrPHuNhelfPCVzKpO\n"
+ "9S9+Lq5KpaV45DRQtMve5NjUju1q9LotEeEdlu5bnomIK3SyfS+n5AZnLNVAqmMg\n"
+ "kSB1ymtWqn4wiw3hCBz8biSlkeowdh37cm3j0za27R3IjFnIQLD44Ena3pTU8v+P\n"
+ "4/k1OML8UWXpigP5QuTSASx0fXiShHf3baY1HnEqULfYvi+IUb6wMs/3f13NVVBE\n"
+ "z+LsjiWlwqB0fK5lefO32cEDvtSMlIxgt3FUDCo3/rLAh4ZorURONh4MUWiODTSl\n"
+ "417JOLB/miH37jodViv6zfbtTvw/+GbZM9TnvHlzqvZj5nLFAgMBAAGjgYQwgYEw\n"
+ "DwYDVR0TAQH/BAUwAwEB/zAdBgNVHR4BAf8EEzARoA8wDYILZXhhbXBsZS5vcmcw\n"
+ "DwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUNN8lEF2ILr5CKc78cD8TtNbF4esw\n"
+ "HwYDVR0jBBgwFoAU4SfGxDtCWqGQsk7xBIooEZNCoMYwDQYJKoZIhvcNAQELBQAD\n"
+ "ggGBABJZw4MHkE+8Fg+r/ET/kJ0n0NtsB57O3ogPpe/0/EWpsEJsjnRzimfu5NjS\n"
+ "PIcEKk/l2Ij8vbmDxb1uNsZmeYphdjb+w/D44OnxahxeLELwZPHWpJLvuf5S8bsz\n"
+ "Z0bZFNkDUXYbKDX8kWr1gNCKURBS344fRfe8HzZsG68stouvCuOh5pvre7mGGMJI\n"
+ "5/OMISmQiKIGLpUi1YOSRM25VMZ6GnzgYiN/bcZU1ph+R0lQv7/RRZ7oiaYmFBTi\n"
+ "FfWIE2hsJla3mbhCnUUp18MpRu4+gPirCVhNQ+ii9FPklcIhXxOrq6cqfX/YAcWO\n"
+ "uF70tZK/+Z7UXqGYJeQ8pdmlzjNGSH7Q6D+QKNAjZ+Ovb7zEh3NmyTT2XEykMR6+\n"
+ "bQYaGGcRu8Uvz4wHDaqeUuF/vgTiFaJ8kwNGX8Xb1x+ok5QrJAKZzvy59kojz8L0\n"
+ "ukQ6SqsvZ6SkJRbHHEh39YPNdC66O58KTiayjKgxQmVHsMOhraI1+YmPntCNBqNN\n"
+ "AvhLDg==\n"
+ "-----END CERTIFICATE-----\n",
+ /* Name Constraints (critical):
+ Permitted: DNSname: one.example.com */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEJDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+ "MCAXDTE2MDcxMjEzNDMzNFoYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+ "QS0xMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAt7EPrrm4e4JEPXVI\n"
+ "3s6eNQCyQv24LU9HD+7hDMEOFf//DoHeb8QqSDJdiCk+Hax5ydKZR2h4HZRmj5HO\n"
+ "s6nxh0AWL645fKcvfk9Oj3r1roLWxH9Kk/UR246s7FcujhDzEz3LEOZUedeMY2CS\n"
+ "tyjPLsKoP0jiDslRk0Yt4m7OfayB71B26qq92SzRr2YlMvf6AWHEiZhCRqVNidDV\n"
+ "LxdMwqIkO8s93DN8Kw74X8U5o5vTjmmDiW1HVrqsxOuImnjQ4qTUiDv0JbzTQbTp\n"
+ "uPOlJ5u/qMTK1jsGDcgfnojHLrsyuuTPR4v6Rmebpi0HHrT2PkxLeGtQEUxM7TeS\n"
+ "Ccq+eva9zm4UngonS2/nkfYawLDkP3XQ7cJQueNKLC5etDr9NqhFaD624InblWGy\n"
+ "V7jtEJRwRPH9FeMG7HyWb4BHYz36dCsMLbsCrCLIH8H7r/1nswVxlL5SRwiL06fK\n"
+ "11pwae1uyNgQuvjno4zHKM5V+mJe1Tz//2X3bfb7crFPQgsxAgMBAAGjgYgwgYUw\n"
+ "DwYDVR0TAQH/BAUwAwEB/zAhBgNVHR4BAf8EFzAVoBMwEYIPb25lLmV4YW1wbGUu\n"
+ "Y29tMA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFOEnxsQ7QlqhkLJO8QSKKBGT\n"
+ "QqDGMB8GA1UdIwQYMBaAFJm3gYrByx1mGmb4CnWXtNzxwGapMA0GCSqGSIb3DQEB\n"
+ "CwUAA4IBgQAU53SjH5nO+ah/pAQaIDuxaJ6yaFWt1ZuW8riu/dTqn9vI0R4K6WCh\n"
+ "EZ/rf4Z4YWMLm0+wI/+1CbFHtuZ9savA4qx7rtXQw5mF1JTEBsBM/chiXZ50euKW\n"
+ "DRE2e8egOESxDQWk5cnaAxtbiRYXu/KYGqFcGeRvSoy85gIwfjBtweYn+rOwM9Yi\n"
+ "9JsrKwsdFlzvzB6+ozDMCHncqtkU3DqI9QD80oP033z45EJxWxOhd6YhnrZN9SKp\n"
+ "E/lnc/XuY3NflVE5PGT5efrfGkAfbp2fWPfvc2PP0Lh172zoPy3mBwcXpWdij+H2\n"
+ "JCzwEqzxQzLpACtFy0kwq9HhzfgcdbbFmUbNweIf30eVG0XQ35myZy9Q1LQINhaj\n"
+ "UN0Ao7qtLUtC8z5DlUFMuEHQBLhFkmuRHJHCkFRqLO0nHFYmKxtQ2nNmbHt1909s\n"
+ "I20OEegNTFV8luCbFahoILckFlsbep9P4d0wOMjZuJkLyModK7Yx+CdOpq6/Cegg\n"
+ "gt+aIvJzHEY=\n"
+ "-----END CERTIFICATE-----\n",
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID3jCCAkagAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
+ "MCAXDTE2MDcxMjEzNDMzM1oYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD\n"
+ "QS0wMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmmrn3nN2bIFYipZN\n"
+ "ED4nbWSc0ZYDbo8VzqjCKNVhMbYJlu07tV0qDK/1IDHf9awo5AladB4NEH3oJi9c\n"
+ "sCtiBtJ9UnqD+gxsJFNtpOfNRfelOE8R7suXAxDxJto7YLtXnLCcMx+UMkhlDfVi\n"
+ "Yy5Hqua//+EFyffokOPJ0/JCxFvTd9ldbNnxgLL27yDJBL1e4SMSw03/wKoLS0nW\n"
+ "Sjzcu1+Y2sdj6CNVDtZjGmDLMNtyykX4BDz71PrlR1euktkuHS1HMthQdj3rSWjU\n"
+ "Rehe7LxjYG548SpnIVA93EOfDyqLhjpKUL8+rA0cKBIsaJK+TyUNQ8XYa98djBAj\n"
+ "gjRYRsPkZt/FH2BTg+4XSHWMrmfEbxyxqAf6euUkY4Z+Y2xkUHQl5GdYk44Rb/+4\n"
+ "NxSBBKSj+6SqK2f0o3WTHXwJTeX+B0rV2x507hFqf6lRGzwzffrXKqH3yxfqbycl\n"
+ "XlahOiBJ1xKNrR0XGeq9yPcrWv/RYvYt4JJp9OV1U2Mz3DRRAgMBAAGjQzBBMA8G\n"
+ "A1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUmbeBisHL\n"
+ "HWYaZvgKdZe03PHAZqkwDQYJKoZIhvcNAQELBQADggGBABaf05+i07lJI74gv87t\n"
+ "87BuaYEvySlQuUqycCvEs31RXFxJQhpHS7RvqPw6vqDv418SZwd/hNaC7a1JU0gL\n"
+ "Zuha61y9u6/HbmeCBSgXYcd+4M/2oPz6WcJ9uoOZk8D2NxafubVtyXH26O6tMEnK\n"
+ "0JJuV6q7fsqvIHf+tvRs/fTD7gKtyAsj1OoO3EjkRRQPnHOR4anXr1jxDFvldHEs\n"
+ "qhlibWotfyvS4BvSk8nEo+/hrXs86cQDqCg1bbbz04sTQVHW1/kCKYl7c/HQGnTT\n"
+ "I3Yc7pFq7n5sNP31XN1a8VaGiKseNXmxjhS9XlIvQ1qB5ObE+Dm0tWQbrDo73udb\n"
+ "dW+I2/Pcij0tGBi8Cxe/PZKv5wio4NpWGTNiF6PMSaUp+lqX2iLYfjjl7osr3Hph\n"
+ "gnwxlST3q0Av0+91jCfj6IZ9YRHLakceaRxcj8zLoVGpQqTdJjuH4Sy7nKoL58G1\n"
+ "96Asqk2NsUztvRfw5pYFoe7ZUgsa4M+0/nZxOPd2UeodMA==\n"
+ "-----END CERTIFICATE-----\n",
+ NULL
+};
+
static const char *nc_bad1[] = {
/* DNSname: localhost
- DNSname: www.example.com */
+ DNSname: www.example.com
+ Common name: (empty) */
"-----BEGIN CERTIFICATE-----\n"
"MIIDSzCCAjOgAwIBAgIMU/xqxDpxZ3J5cUcrMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
"BgNVBAMTBENBLTEwIhgPMjAxNDA4MjYxMTA4NTJaGA85OTk5MTIzMTIzNTk1OVow\n"
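Review bot: The comment introducing nc_bad0 has a typo, `contraints`, and states the order of the constraints but not why the chain must fail; a reader has to decode two constraint extensions to see that example.org (the CA-2 constraint) and one.example.com (the CA-1 constraint) intersect to nothing, so the leaf's two.example.org cannot be permitted. Suggested wording: `/* Empty intersection of 2 permitted DNS names (CA-1 permits one.example.com, CA-2 permits example.org), non-intuitive constraints order (more specific higher); the leaf two.example.org must be rejected. */`. The last certificate in the array carries no descriptive comment while the other three do; it appears to be the self-signed CA-0 root, and a one-line comment saying so would keep the array uniform with its neighbours.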
@@ -2353,6 +2463,7 @@ static struct
{ "ecc cert not ok (due to profile)", ecc_cert, &ecc_cert[1], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_SUITEB192),
GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL},
{ "name constraints chain ok1", nc_good1, &nc_good1[4], 0, 0, NULL, 1412850586},
+ { "name constraints: 2 constraints, non-intuitive order", nc_bad0, &nc_bad0[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1468920734},
{ "name constraints chain bad1", nc_bad1, &nc_bad1[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
{ "name constraints chain bad2", nc_bad2, &nc_bad2[4], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},
{ "name constraints chain bad3", nc_bad3, &nc_bad3[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, NULL, 1412850586},