tests: Adds new tests missingissuer and missingissuer_aia

Signed-off-by: Sahana Prasad <sahana@redhat.com>

5 files changed, 784 insertions, 2 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 11a083c637..7cdf828e0c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -32,7 +32,7 @@ SUBDIRS += suite
 endif
 
 EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
-	ocsp-common.h cmocka-common.h virt-time.h \
+	ocsp-common.h cmocka-common.h virt-time.h test-chains-issuer.h test-chains-issuer-aia.h \
 	certs/ca-cert-ecc.pem  certs/cert-ecc256.pem  certs/cert-ecc521.pem \
 	certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem hex.h \
 	certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
@@ -144,7 +144,7 @@ ctests += tls13/no-auto-send-ticket
 
 ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniqueid tls-neg-ext-key \
 	 mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \
-	 hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \
+	 hostname-check cve-2008-4989 pkcs12_s2k chainverify missingissuer missingissuer_aia record-sizes-range \
 	 crq_key_id x509sign-verify sign-verify cve-2009-1415 cve-2009-1416		\
 	 tls10-server-kx-neg tls11-server-kx-neg tls12-server-kx-neg ssl30-server-kx-neg \
 	 tls12-cipher-neg tls11-cipher-neg tls10-cipher-neg ssl30-cipher-neg \
diff --git a/tests/missingissuer.c b/tests/missingissuer.c
new file mode 100644
index 0000000000..49fef8f7b3
--- /dev/null
+++ b/tests/missingissuer.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2008-2014 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+#include "test-chains-issuer.h"
+
+#define DEFAULT_THEN 1256803113
+static time_t then = DEFAULT_THEN;
+
+/* GnuTLS internally calls time() to find out the current time when
+   verifying certificates.  To avoid a time bomb, we hard code the
+   current time.  This should work fine on systems where the library
+   call to time is resolved at run-time.  */
+static time_t mytime(time_t * t)
+{
+	if (t)
+		*t = then;
+
+	return then;
+}
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+static int getissuer_callback(gnutls_x509_trust_list_t tlist,
+			      const gnutls_x509_crt_t crt)
+{
+	gnutls_x509_crt_t issuer;
+	gnutls_datum_t tmp;
+	int ret;
+
+	ret = gnutls_x509_crt_init(&issuer);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		return -1;
+	}
+
+	tmp.data = (unsigned char *)missing_cert_insert;
+	tmp.size = strlen(missing_cert_insert);
+
+	ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		gnutls_x509_crt_deinit(issuer);
+		return -1;
+	}
+
+	/* This transfers the ownership of `issuer` to `tlist`. */
+	ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		gnutls_x509_crt_deinit(issuer);
+		return -1;
+	}
+
+	assert(gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0);
+
+	if (debug)
+		printf("\t Certificate missing issuer is: %.*s\n",
+				tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+
+	assert(gnutls_x509_crt_print(issuer, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0);
+
+	if (debug)
+		printf("\t Appended issuer certificate is: %.*s\n",
+				tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+	return 0;
+
+}
+
+void doit(void)
+{
+	int exit_val = 0;
+	int ret;
+	gnutls_x509_trust_list_t tl;
+	unsigned int verify_status;
+	gnutls_x509_crt_t certs[MAX_CHAIN];
+	gnutls_x509_crt_t ca;
+	gnutls_datum_t tmp;
+	size_t j;
+
+	/* The overloading of time() seems to work in linux (ELF?)
+	 * systems only. Disable it on windows.
+	 */
+#ifdef _WIN32
+	exit(77);
+#endif
+
+	ret = global_init();
+	if (ret != 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	gnutls_global_set_time_function(mytime);
+	gnutls_global_set_log_function(tls_log_func);
+
+	if (debug)
+		gnutls_global_set_log_level(4711);
+
+	for (j = 0; j < MAX_CHAIN; j++) {
+		if (debug > 2)
+			printf("\tAdding certificate %d...", (int)j);
+
+		ret = gnutls_x509_crt_init(&certs[j]);
+		if (ret < 0) {
+			fprintf(stderr,
+					"gnutls_x509_crt_init[%d]: %s\n",
+					(int)j, gnutls_strerror(ret));
+			exit(1);
+		}
+
+		tmp.data = (unsigned char *)missing_issuer_chain[j];
+		tmp.size = strlen(missing_issuer_chain[j]);
+
+		ret =
+			gnutls_x509_crt_import(certs[j], &tmp,
+					GNUTLS_X509_FMT_PEM);
+		if (debug > 2)
+			printf("done\n");
+		if (ret < 0) {
+			fprintf(stderr,
+					"gnutls_x509_crt_import[%d]: %s\n",
+					(int)j,
+					gnutls_strerror(ret));
+			exit(1);
+		}
+
+		gnutls_x509_crt_print(certs[j],
+				GNUTLS_CRT_PRINT_ONELINE, &tmp);
+		if (debug)
+			printf("\tCertificate %d: %.*s\n", (int)j,
+					tmp.size, tmp.data);
+		gnutls_free(tmp.data);
+	}
+
+	if (debug > 2)
+		printf("\tAdding CA certificate...");
+
+	ret = gnutls_x509_crt_init(&ca);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_init: %s\n",
+				gnutls_strerror(ret));
+		exit(1);
+	}
+
+	tmp.data = (unsigned char *)missing_issuer_chain[MAX_CHAIN-1];
+	tmp.size = strlen(missing_issuer_chain[MAX_CHAIN-1]);
+
+	ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_import: %s\n",
+				gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (debug > 2)
+		printf("done\n");
+
+	gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
+	if (debug)
+		printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+
+	if (debug)
+		printf("\tVerifying...");
+
+	gnutls_x509_trust_list_init(&tl, 0);
+
+	ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
+	if (ret != 1) {
+		fail("gnutls_x509_trust_list_add_trust_mem\n");
+		exit(1);
+	}
+
+	gnutls_x509_trust_list_set_getissuer_function(tl, getissuer_callback);
+
+	ret = gnutls_x509_trust_list_verify_crt(tl, certs, MAX_CHAIN,
+			0,
+			&verify_status,
+			NULL);
+	if (ret < 0) {
+		fprintf(stderr,
+				"gnutls_x509_crt_list_verify: %s\n", gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (debug)
+		printf("\tCleanup...");
+
+	gnutls_x509_trust_list_deinit(tl, 1);
+
+	for (j = 0; j < MAX_CHAIN; j++)
+		gnutls_x509_crt_deinit(certs[j]);
+
+	if (debug)
+		printf("done\n\n\n");
+
+	gnutls_global_deinit();
+
+	if (debug)
+		printf("Exit status...%d\n", exit_val);
+
+	exit(exit_val);
+}
diff --git a/tests/missingissuer_aia.c b/tests/missingissuer_aia.c
new file mode 100644
index 0000000000..8ed534b24c
--- /dev/null
+++ b/tests/missingissuer_aia.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2008-2014 Free Software Foundation, Inc.
+ *
+ * Author: Simon Josefsson, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+#include "utils.h"
+#include "test-chains-issuer-aia.h"
+
+#define DEFAULT_THEN 1256803113
+static time_t then = DEFAULT_THEN;
+
+/* GnuTLS internally calls time() to find out the current time when
+   verifying certificates.  To avoid a time bomb, we hard code the
+   current time.  This should work fine on systems where the library
+   call to time is resolved at run-time.  */
+static time_t mytime(time_t * t)
+{
+	if (t)
+		*t = then;
+
+	return then;
+}
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+static int getissuer_callback(gnutls_x509_trust_list_t tlist,
+			      const gnutls_x509_crt_t crt)
+{
+	int ret;
+	gnutls_x509_crt_t issuer;
+	gnutls_datum_t aia;
+	gnutls_datum_t tmp;
+
+	assert(gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0);
+
+	if (debug)
+		printf("\t Certificate missing issuer is: %.*s\n",
+				tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+
+	ret = gnutls_x509_crt_init(&issuer);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		return -1;
+	}
+
+	ret = gnutls_x509_crt_get_authority_info_access(crt, 1,
+			GNUTLS_IA_CAISSUERS_URI, &aia, NULL);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		gnutls_free(aia.data);
+		return -1;
+	}
+
+	if (debug)
+		printf("\t AIA URI from the cert is: %s\n", aia.data);
+	gnutls_free(aia.data);
+
+	/* Download the cert from the above URI and append it to issuer */
+
+	tmp.data = (unsigned char *)missing_cert_aia_insert;
+	tmp.size = strlen(missing_cert_aia_insert);
+
+	ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		gnutls_x509_crt_deinit(issuer);
+		return -1;
+	}
+
+	/* This transfers the ownership of `issuer` to `tlist`. */
+	ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0);
+	if (ret < 0) {
+		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+		gnutls_x509_crt_deinit(issuer);
+		return -1;
+	}
+
+	assert(gnutls_x509_crt_print(issuer, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0);
+
+	if (debug)
+		printf("\t Appended missing certificate is: %.*s\n",
+				tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+	return 0;
+}
+
+void doit(void)
+{
+	int exit_val = 0;
+	int ret;
+	gnutls_x509_trust_list_t tl;
+	unsigned int verify_status;
+	gnutls_x509_crt_t certs[MAX_CHAIN];
+	gnutls_x509_crt_t ca;
+	gnutls_datum_t tmp;
+	size_t j;
+
+	/* The overloading of time() seems to work in linux (ELF?)
+	 * systems only. Disable it on windows.
+	 */
+#ifdef _WIN32
+	exit(77);
+#endif
+
+	ret = global_init();
+	if (ret != 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	gnutls_global_set_time_function(mytime);
+	gnutls_global_set_log_function(tls_log_func);
+
+	if (debug)
+		gnutls_global_set_log_level(4711);
+
+	for (j = 0; j < MAX_CHAIN; j++) {
+		if (debug > 2)
+			printf("\tAdding certificate %d...", (int)j);
+
+		ret = gnutls_x509_crt_init(&certs[j]);
+		if (ret < 0) {
+			fprintf(stderr,
+					"gnutls_x509_crt_init[%d]: %s\n",
+					(int)j, gnutls_strerror(ret));
+			exit(1);
+		}
+
+		tmp.data = (unsigned char *)missing_cert_aia[j];
+		tmp.size = strlen(missing_cert_aia[j]);
+
+		ret =
+			gnutls_x509_crt_import(certs[j], &tmp,
+					GNUTLS_X509_FMT_PEM);
+		if (debug > 2)
+			printf("done\n");
+		if (ret < 0) {
+			fprintf(stderr,
+					"gnutls_x509_crt_import[%d]: %s\n",
+					(int)j,
+					gnutls_strerror(ret));
+			exit(1);
+		}
+
+		gnutls_x509_crt_print(certs[j],
+				GNUTLS_CRT_PRINT_ONELINE, &tmp);
+		if (debug)
+			printf("\tCertificate %d: %.*s\n", (int)j,
+					tmp.size, tmp.data);
+		gnutls_free(tmp.data);
+	}
+
+	if (debug > 2)
+		printf("\tAdding CA certificate...");
+
+	ret = gnutls_x509_crt_init(&ca);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_init: %s\n",
+				gnutls_strerror(ret));
+		exit(1);
+	}
+
+	tmp.data = (unsigned char *)missing_cert_aia[MAX_CHAIN-1];
+	tmp.size = strlen(missing_cert_aia[MAX_CHAIN-1]);
+
+	ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fprintf(stderr, "gnutls_x509_crt_import: %s\n",
+				gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (debug > 2)
+		printf("done\n");
+
+	gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
+	if (debug)
+		printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data);
+	gnutls_free(tmp.data);
+
+	if (debug)
+		printf("\tVerifying...");
+
+	gnutls_x509_trust_list_init(&tl, 0);
+
+	ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
+	if (ret != 1) {
+		fail("gnutls_x509_trust_list_add_trust_mem\n");
+		exit(1);
+	}
+
+	gnutls_x509_trust_list_set_getissuer_function(tl, getissuer_callback);
+
+	ret = gnutls_x509_trust_list_verify_crt(tl, certs, MAX_CHAIN,
+			0,
+			&verify_status,
+			NULL);
+	if (ret < 0) {
+		fprintf(stderr,
+				"gnutls_x509_crt_list_verify: %s\n", gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (debug)
+		printf("\tCleanup...");
+
+	gnutls_x509_trust_list_deinit(tl, 1);
+
+	for (j = 0; j < MAX_CHAIN; j++)
+		gnutls_x509_crt_deinit(certs[j]);
+
+	if (debug)
+		printf("done\n\n\n");
+
+	gnutls_global_deinit();
+
+	if (debug)
+		printf("Exit status...%d\n", exit_val);
+
+	exit(exit_val);
+}
diff --git a/tests/test-chains-issuer-aia.h b/tests/test-chains-issuer-aia.h
new file mode 100644
index 0000000000..ca75fd3b7c
--- /dev/null
+++ b/tests/test-chains-issuer-aia.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2008-2014 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Authors: Simon Josefsson, Nikos Mavrogiannopoulos, Martin Ukrop
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H
+#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H
+
+/* *INDENT-OFF* */
+
+#define MAX_CHAIN 1
+
+static const char *missing_cert_aia[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN\n"
+	"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E\n"
+	"aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN\n"
+	"MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p\n"
+	"YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g\n"
+	"VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA\n"
+	"A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s\n"
+	"wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn\n"
+	"n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8\n"
+	"U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP\n"
+	"R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn\n"
+	"hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV\n"
+	"HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp\n"
+	"cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t\n"
+	"MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n"
+	"awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et\n"
+	"c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh\n"
+	"LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH\n"
+	"AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG\n"
+	"AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t\n"
+	"MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl\n"
+	"cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE\n"
+	"AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO\n"
+	"HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7\n"
+	"SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ\n"
+	"VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi\n"
+	"Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s\n"
+	"GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U\n"
+	"iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p\n"
+	"vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG\n"
+	"9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64\n"
+	"xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4\n"
+	"RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te\n"
+	"uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz\n"
+	"MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP\n"
+	"CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==\n"
+	"-----END CERTIFICATE-----\n"
+};
+
+static const char *missing_cert_aia_insert = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh\n"
+	"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+	"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
+	"QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT\n"
+	"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg\n"
+	"U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
+	"ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83\n"
+	"nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd\n"
+	"KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f\n"
+	"/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX\n"
+	"kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0\n"
+	"/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C\n"
+	"AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY\n"
+	"aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6\n"
+	"Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1\n"
+	"oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD\n"
+	"QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v\n"
+	"d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh\n"
+	"xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB\n"
+	"CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl\n"
+	"5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA\n"
+	"8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC\n"
+	"2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit\n"
+	"c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0\n"
+	"j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz\n"
+	"-----END CERTIFICATE-----\n"
+};
+
+#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+#  pragma GCC diagnostic pop
+#endif
+
+/* *INDENT-ON* */
+
+#endif /* GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H */
diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
new file mode 100644
index 0000000000..730a31fed4
--- /dev/null
+++ b/tests/test-chains-issuer.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2008-2014 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Authors: Simon Josefsson, Nikos Mavrogiannopoulos, Martin Ukrop
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
+
+/* *INDENT-OFF* */
+
+#define MAX_CHAIN 6
+
+static const char *missing_issuer_chain[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n"
+	"MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+	"AUAwDzENMAsGA1UEAxMEQ0EtNTAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n"
+	"NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTYwgZswEAYHKoZIzj0CAQYFK4EEACMD\n"
+	"gYYABAHZ3W5jpYq15WI7tVZxWCT3YtYMEj4xJSdO/ubHV0NnrlQ7+Q95R32qcA2w\n"
+	"4gyPif+M/Au4Towr/RA+b+qgMvD0fQFmNeWkNB/TSW2RNm7uHQU7N66tbrNWvjyS\n"
+	"BZeLB/V03ZWe+rO4cfrPiqtBv9N08k9uMNNCeMlatJNqj0BoFRxhBaN3MHUwDAYD\n"
+	"VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA\n"
+	"ADAdBgNVHQ4EFgQUMnSJQI2iHiVoxE1XSByQ9QFrG0owHwYDVR0jBBgwFoAUu9ao\n"
+	"G/58Y/+czHPyWo3C+vs9pFkwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGh\n"
+	"GjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEBAAfhLT1jQsc9yk4k\n"
+	"myAAMIXYD1THMkasGZiIv2TLJSLeKc4Rvzvrb/iywwrMdaBHs5sJoyk7amMwemc7\n"
+	"WA2+A2uTeLeDG3ev4r5stNRLyL0HSOr7da+BshUiHJgeihp1Qglm0AUqV5X69i5t\n"
+	"5woB5KENnYfoAWaYmXa1EPRh2xb2XDI0uCHg1bPljg61/T2cJZ4VfkOvsKgFAI4p\n"
+	"lAKQCZSKbEY1oWDdDhVcSipYu2E88RXczvcnEQV3C3p6CGcf8xclZdZIwMAyXYAK\n"
+	"oNccbSIfDlN4iD+2bztCRWHD6hWL1NJsFqmv3Ts8eYU8z8J8NdhtCXr76lFkFmDx\n"
+	"+lfZEv4=\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDojCCAlqgAwIBAgIUHRb3xJ2ZGqqgdC/pBq/sDtAwvtowPQYJKoZIhvcNAQEK\n"
+	"MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+	"AUAwDzENMAsGA1UEAxMEQ0EtNDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n"
+	"NTk1OVowDzENMAsGA1UEAxMEQ0EtNTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+	"hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n"
+	"AQoCggEBAMZqQ7I1HAxkxuwGQBch/jZTWLXRUtWBjlpREnp0wFt+quJOZkKNYrlL\n"
+	"9sngiRknsbEIfJMB2XfoK6m9SwRN/qoxewOrnK9YONG9dj0p30qiseshXIs6ZoMl\n"
+	"v9fZA77UraCtTbX6Xwk/+Or6SuSK2lyz0R5O14xBa5ubpm2Q8XTE9A1SAGx61ofC\n"
+	"Dzfvefp+m3QCy+3K+Yn05VKPxswznuVwM/oJDGzJJhD6/uNPpm5CZoPtcW14Eitu\n"
+	"ip51Ej1VE4lJRBHAtUSOrd3Hks6YasK7Uvu0HjpqW7PqaIhJIR7ofzbXX2vBwVj2\n"
+	"Qlwozk4cVCP7XO3VrVu/GCdSL+G3RAUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+	"/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS71qgb/nxj/5zMc/JajcL6+z2k\n"
+	"WTAfBgNVHSMEGDAWgBQPB7C8f3nco30et23Lhw7QMTaLYzA9BgkqhkiG9w0BAQow\n"
+	"MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+	"QAOCAQEAl90uQvD0lne4jseHNfu8XCIZmCSxaNhF3SD73TwlGERbRjtIKz34Y6hC\n"
+	"z5bZ4tCGnkKAtdHLIGwOnaLSXDvzmUSkQmJmG0QMaDGsVpVXEZD/7+yyIxOcV1iK\n"
+	"XveeQysCKsDEfdrfn1mACQj8eC4lL9KJcHptHdTSLfa58MV2Qe5smCIByXxendO5\n"
+	"UQHZy5UrzWAdtO7y75vXeXynsXAqcE4TTNjdFiCnn6Q5/pVyW14kepfjaOzQFP7H\n"
+	"QlnHtgQDRAlQuB1aGseb6jn2Joy33itpBthvtgBosZIqsMyPoX5YzjqZUSjfPZOP\n"
+	"/aOd/5HR4ZPDWfHdIWbXogYX0ndhNg==\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDojCCAlqgAwIBAgIUGybZZ1e/iFUKafPdh8xUbh7YVnwwPQYJKoZIhvcNAQEK\n"
+	"MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+	"AUAwDzENMAsGA1UEAxMEQ0EtMzAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n"
+	"NTk1OVowDzENMAsGA1UEAxMEQ0EtNDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+	"hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n"
+	"AQoCggEBAM0vsCM3XxZVHmxOdY2ndCoUHnrlLameRZcEupa77oAXBw9J2ysTIY1v\n"
+	"uP7GbBru4JnBhdem1xL37z0/a5O9+5Rw4SNHNw8Z2jPtWSJd+XwfBshQnX66IvSv\n"
+	"M0etutgO/lZwFq7E4yGI7LS1sGWvVhmjMLT1Yb3j/b8SXeSHyp9J0NdJ1spjjekg\n"
+	"bdiMUOo6Tt1gnZsgLdH6Cbmw4sm/+EGjsPOYdBI0kHW5qqLnIzW/io0NMnRsDBEk\n"
+	"HgXNEMhXZL/qEQfrcSCxjlqB126aALHIvN5TKBrssfE6zn9m96A9qCRJuKGP9NPm\n"
+	"4AFkV1yylCUTUkIRkbqPlI4i1vf8jfcCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+	"/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBQPB7C8f3nco30et23Lhw7QMTaL\n"
+	"YzAfBgNVHSMEGDAWgBRjNOT1/2J+aAVCl/aO+EQke/8oETA9BgkqhkiG9w0BAQow\n"
+	"MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+	"QAOCAQEAsKDivFD4DflylFdG4zijGrtq/zfSKTiNWxZsLKbMwLoG+Km3dy0HWfUq\n"
+	"TUETPEfQlpXc2Tg1tGxFepAPavVeMIy/MV3SsmjRA3f+PNWjaZUxa9+Jd1y6ONwK\n"
+	"wQ7s/JNNk/SZt4bKjX9GrTscZmOVtrwpZ6uQBHITScsr4V431G6wojZ09iEG0yFQ\n"
+	"ZD8ECn2ZOPVQXIswa75NelcGKup838HoDIjQ3vIvrx8rqf5HRg4t9mXzjECzXHVy\n"
+	"8wDamoE3fLAZZX2RxOWnHfjI8qB83qYyR5kN002EFJ/e060SPia1rTHyLqLngRtq\n"
+	"xgR9bRjZf++h/dg6L87b26J5KdDafw==\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDojCCAlqgAwIBAgIUVd3TT33d1fy/8INiIKhudYmRE5swPQYJKoZIhvcNAQEK\n"
+	"MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+	"AUAwDzENMAsGA1UEAxMEQ0EtMTAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n"
+	"NTk1OVowDzENMAsGA1UEAxMEQ0EtMjCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+	"hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n"
+	"AQoCggEBANN3n02MYdl70xAq39SUtcMcNR9Zpe6m4SkHcL/1T4YEpWxqqez1tDW3\n"
+	"1My9Std/sE1e63Q+XJdZhKz1v2KM48iMMeEtJRtriSMxp3KyHQwOxV5L/C5yudYG\n"
+	"3DW0XwrIFL5uXn0z27vYTJ+63RFD4K6Np3ROa2EnHuTcb1pAlrGK1erUzuD8gg7m\n"
+	"mIwxfS7KSeUSmZiXVACNVGmAekClRIf1kMjMqNL6eQ2laNcg7W7RCaIghk58E4Ej\n"
+	"/dyNWTgUUoHla8X4Za/JNXDVHdj5VKIfK8xQkc6aN8Ip5rm9J94yLay27QZdHPQn\n"
+	"AlHEW6IAyRgj/lo+yk1RUigjko62t+0CAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+	"/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBTVuTCwy3TqMVX2Bvdj/wcoYSTG\n"
+	"/zAfBgNVHSMEGDAWgBS/OulsZ80Bb9MpqM/M1lCC8bO2AzA9BgkqhkiG9w0BAQow\n"
+	"MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+	"QAOCAQEAfi/KKbJUsdvS/XDqR6T8VHNhX8lMOGdzHltjBdXdxsWlr2mRolILhyZf\n"
+	"1/wf58b1OE4AlxbwH+S/vWrQ2KVwBfWxtTJXqAMSvHIF3Tq8bIghvhK8CmZG/I49\n"
+	"FTYE+42MFBr6f5SNp9Q+ZUcjSK5DO7yNiyKDFfNffFGxHmnmGj2LhgyrvYA/aNyB\n"
+	"2ichlfihcKkExGBN44ODoK+8/W8oiMt541AvPyJxTJjxWjeJ42EBXO+J5k8wRuCu\n"
+	"nXCW5OjnEIExXGKZLlieH4t8kUyHlrTlHO7spiqA/QM7GUtBQfJTLdPFmvHU3Jtw\n"
+	"qGN2PrhXyLoaUfIpNbWO9Jmj2GYaWg==\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIICxjCCAiegAwIBAgIUKnsCQlR0jpxEnpzqxbi+Y2rqwpMwCgYIKoZIzj0EAwQw\n"
+	"DzENMAsGA1UEAxMEQ0EtMDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIzNTk1\n"
+	"OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgB\n"
+	"ZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCCAQoC\n"
+	"ggEBAOqrWIctrZ7mabfoFuMsT/B2kK4vWAGX32SGQdoDKdy+O0jGJN8/vGnbaOWN\n"
+	"k6sR/eNx+13LahbiLl3dzyecdJ6BeDBokjiRXtDzZN3IdrR6KZ5NjqcMiVBgztoq\n"
+	"gkOglhcixU2cMlSFYCozfvf3i4YElJzSP4XdJbLaPcsHmywny52s06vf64SbNhQy\n"
+	"GucRYO0VqRUVCNpvPyyGlkODlDQuzNsd5nIQZ5WR1bQLTYsVoHVfpLx+Su7BAV05\n"
+	"D5XiGQVGw7kkp4VKHrMhQ0VY+34xmahQvnoqfPEBG9jjfy6psI0oa52JS3FBWF8u\n"
+	"psUiFD2iqQy+efQX44gAdrrnkt0CAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAP\n"
+	"BgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS/OulsZ80Bb9MpqM/M1lCC8bO2AzAf\n"
+	"BgNVHSMEGDAWgBRBWngghShY2X+P7m45LPH1V4p5czAKBggqhkjOPQQDBAOBjAAw\n"
+	"gYgCQgHnvF1Dq32xBBEME4UlVsVeOflvGw5Sr/hVhbUZ1KfAQIV2ZuBuvJNMBrj8\n"
+	"Pzi/nhRuV8vH5xabyQb9RYVcJ8oilQJCAdduIVVvL6DmUBOJfz1znsxPA5JCBBY2\n"
+	"pAOhFZBrNXE2zZrgttgR6TG4Obst1fQzL3RsmqAYAuWSpKPNz6Hdq+kl\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIB7TCCAU6gAwIBAgIUWmldb3tGP48wFh5P/cmVytYv5JcwCgYIKoZIzj0EAwQw\n"
+	"DzENMAsGA1UEAxMEQ0EtMDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIzNTk1\n"
+	"OVowDzENMAsGA1UEAxMEQ0EtMDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAarU\n"
+	"aZXDJBYLdRdjV43Nq+slYxPPn877UBJ63K6GQF1poMaSFFJ7qSXi4lJngh7ueCVq\n"
+	"mJvNH54KbqkPryfCKjUbAZnIQa/8zpPbrZ4iAP6d+Mb6qIkX8j3BP1f6Ap0WTmQk\n"
+	"s5QHCkJFGNqqljut/RQgnbTUbQcGHCNmUx4g0BZv03+Qo0MwQTAPBgNVHRMBAf8E\n"
+	"BTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFEFaeCCFKFjZf4/ubjks\n"
+	"8fVXinlzMAoGCCqGSM49BAMEA4GMADCBiAJCAcmtP2IVnOTF2wHhfUn13qsUpqyc\n"
+	"3kCI1ueg75NgR7xgpL9JQ1CnPaUbCp+5ROKf5IHn8f1jjZIu45WpiWhnZDkkAkIA\n"
+	"pCTZn7t7memhMJUqrHGywx2gR9fgID/REZUZdVe9KcTzWvwSrbffDMCcf10SpM6C\n"
+	"/YXiDLiWNiK+WV8Z557eWKI=\n"
+	"-----END CERTIFICATE-----\n"
+};
+
+static const char *missing_cert_insert = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDojCCAlqgAwIBAgIUHRkWa8ZOaRrqjxigoEhxJHMLM2UwPQYJKoZIhvcNAQEK\n"
+	"MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n"
+	"AUAwDzENMAsGA1UEAxMEQ0EtMjAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n"
+	"NTk1OVowDzENMAsGA1UEAxMEQ0EtMzCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n"
+	"hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n"
+	"AQoCggEBAMNSjDqpdcx+02E2vKRB78Z6rYRTuYHeXZGIsVz3LXHxplNYtSlM0MN4\n"
+	"cj0mHj2Rctxk7o6vsQm37ayvO4mquvgPiwtivq+qPv98ZTIuVYkPE4NEPru7Uec+\n"
+	"HQO3faRym4VAzpH+CllMraeaSjQLfAKqXw60UHF+b+ovJXKWbb+keahXT6lWxuxY\n"
+	"pm5vbcDg0Ez++9TJcA0MiPKtk4SMgnmr+2vXAE0tE5PRX9NS7AWPyEg82q+ph2kj\n"
+	"zu5VWoqZp/EwMI6VfLJeemY726LyyOpIqBGWwsUXPn5NdxLla58zHDFggd7/Z/l9\n"
+	"aBfozSdrqW3sWeYzgGxeZmnc5Vm/r6ECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n"
+	"/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRjNOT1/2J+aAVCl/aO+EQke/8o\n"
+	"ETAfBgNVHSMEGDAWgBTVuTCwy3TqMVX2Bvdj/wcoYSTG/zA9BgkqhkiG9w0BAQow\n"
+	"MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n"
+	"QAOCAQEAbIw3qtl/QAMJ7OmBPqSMtZv9TaLxfUh7FrqfsKjXBQGVX6/7heO+wCwJ\n"
+	"/1vi2yFUc7uoB3ivEKzUQvtP7Nu6WMM64pAfYadGIk4TYV+tgXF4FJ8FHjTek+Lv\n"
+	"jTu7jvLbRSHkBQFimWorPfgf15nlXSCBtejEwvDLXlptLbKEa3q7VFXDzCyeiKGb\n"
+	"IHRozrAP5qiyIjYFJevXrZ/7bWDwMcJrB0uSQN9TD2mJjNXTCHu3GYnEmnu7KRpb\n"
+	"M3OdswIyjIFYvwlYGe2+GbigSaMZY9KCHR7vkJ1JGdxfh+CADcbL4fwj3kOpyEoe\n"
+	"TTqtWQ93AfQnd2Vm3/SAr/+jSuMbSA==\n"
+	"-----END CERTIFICATE-----\n"
+};
+
+#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+#  pragma GCC diagnostic pop
+#endif
+
+/* *INDENT-ON* */
+
+#endif /* GNUTLS_TESTS_TEST_CHAINS_ISSUER_H */