tests: introduced verification constraints checks for PKCS#7 structures

That is, key purpose checks and more elaborate time checks.

8 files changed, 408 insertions, 5 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index fb8c3ddd9e..adbb345d3b 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -58,12 +58,14 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 	data/ca-secret.gpg data/srv-public.gpg data/srv-public-127.0.0.1-signed.gpg	\
 	data/srv-public-localhost-signed.gpg data/selfsigs/alice-mallory-badsig18.pub \
 	data/selfsigs/alice-mallory-irrelevantsig.pub data/selfsigs/alice-mallory-nosig18.pub \
-	data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12
+	data/selfsigs/alice.pub data/key-utf8-1.p12 data/key-utf8-2.p12 \
+	data/code-signing-ca.pem data/code-signing-cert.pem
 
 dist_check_SCRIPTS = pathlen aki certtool invalid-sig email \
 	pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
 	provable-dh userid sha2-test sha2-dsa-test provable-privkey-dsa2048 \
-	provable-privkey-rsa2048 provable-privkey-gen-default
+	provable-privkey-rsa2048 provable-privkey-gen-default pkcs7-constraints \
+	pkcs7-constraints2
 
 if WANT_TEST_SUITE
 dist_check_SCRIPTS += provable-dh-default
diff --git a/tests/cert-tests/data/code-signing-ca.pem b/tests/cert-tests/data/code-signing-ca.pem
new file mode 100644
index 0000000000..30d5c8f0a1
--- /dev/null
+++ b/tests/cert-tests/data/code-signing-ca.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----
+MIID4jCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w
+MCAXDTEwMDIyNzE1MjE0MloYDzk5OTkxMjMxMjM1OTU5WjAPMQ0wCwYDVQQDEwRD
+QS0wMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0QHh//JKi30BDok3
+1lzQFhXhthwyc5aG/O6jW3LfxYD0I6Ubmyryuo+Hss0RSZruSbxrYIMTFTIYtd56
+d4/2CFT7OYsIjaf5vb7oMfITT1epnYnKxuBekfIAHjRlxXf5hddDQ9vsLmkr7wlT
+zVyVX7fUYz1WuEiSVNHui+69idEZHAuwuz0P+kRoHJA8O2D8S71w01V0969yerOo
+Rqq2za9HCWcGrKHSAwY8ce01YsFJj6ozVfrt3khXrLpNosd72oEupC+p4zGABdT9
+6GaMh47yX5jkCeh/ZTz8Ek3S6t5ryRi5UoyrD/bg5VHaW5SF3AUzgUKs9biV/K6R
+OdqO7nk3xf37IQUHG3WZyUYpZ9LZLJZaBu4Tftzn71kYQ0JTBK06QLp43eArSSeo
+IDyR6V7+rsaq23c0l2AFeGzSwCxUpcga4o5FrKLSEcEcgDJ8sxXr8KTjBKVg8k/O
+M4T3xpAp0ZKR4sGJMB7sw8mmXkpICc2ZN+GrueP+xcJojNxJAgMBAAGjRzBFMA8G
+A1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFB8W
+FXxAZlq94LBofKwIfsW3krrlMA0GCSqGSIb3DQEBCwUAA4IBgQBPG/pba5oHECfJ
+1Z4q5FSO8AYG+v/KaaP0XSdsQOpxRW0/yYvWdGfGSd8NcFNYwBxDRPF6758cE72E
+uSPF5EDH1rZDHsxQhUl5lwmBcP69hlLCeMzsWHsJmobqpv9hIbi+zb37CGQrOXwq
++0qc3tqQjw7979j1SfifLF/eo5DxWiJFgL7t2IjvJsIUTi5MdYVeiLn0WzVGvQ4h
+yYlvBF/yg1YOvxHunbapL3hCImnzhCFQ/qFe0w+VjgkK9Fuz18lyYfxBoqziyMhR
+9aBAjsHoAqZtnSLLFHYl4wh6dHjxAUr5r1GwO4cQGK7+dP1m8cVQoQfCPeQLE8GZ
+aZwk/of7ywtjSEMJNMKP3NmKkGzoD48iIhtMbfZ+bXG4JWM8VD9bEw0JSf/ymCGV
+Q+S+SiTqWSzb6Eq/rTkHa5IT1pFLySIZcsgjkw82VXSe4PEzlaFKTYePG1NU1Y3n
+nrJ60/+PwcCFh7oVcZ0MTfuZmZxnhdID0cvxFd0VAo22Hxofbnw=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEA0QHh//JKi30BDok31lzQFhXhthwyc5aG/O6jW3LfxYD0I6Ub
+myryuo+Hss0RSZruSbxrYIMTFTIYtd56d4/2CFT7OYsIjaf5vb7oMfITT1epnYnK
+xuBekfIAHjRlxXf5hddDQ9vsLmkr7wlTzVyVX7fUYz1WuEiSVNHui+69idEZHAuw
+uz0P+kRoHJA8O2D8S71w01V0969yerOoRqq2za9HCWcGrKHSAwY8ce01YsFJj6oz
+Vfrt3khXrLpNosd72oEupC+p4zGABdT96GaMh47yX5jkCeh/ZTz8Ek3S6t5ryRi5
+UoyrD/bg5VHaW5SF3AUzgUKs9biV/K6ROdqO7nk3xf37IQUHG3WZyUYpZ9LZLJZa
+Bu4Tftzn71kYQ0JTBK06QLp43eArSSeoIDyR6V7+rsaq23c0l2AFeGzSwCxUpcga
+4o5FrKLSEcEcgDJ8sxXr8KTjBKVg8k/OM4T3xpAp0ZKR4sGJMB7sw8mmXkpICc2Z
+N+GrueP+xcJojNxJAgMBAAECggGBAK4EGEuGSoSKpmeY3bGPgvzwaQW7wlG0oV1T
+vxTzttX1AM/wtuRhRMkJmZzH2j3jTcR8qRYo66l5FVPPET4c0WasgqKtXIi8s1VE
+7oQvHd6wiRsOT5N32aU/zNNZIubfdhP2Xx3PrHwTuq2BoZFZJVEVeDLMLjiuy47t
+XuSI+KwXOQW9wf6S34uqithFSrDRlh3lc1uxSfqyy+jXTiLQHfVwmv98FPWEoZs9
+BPSB4DIB5iJEPgu3KXcp2j2Iu/zsgnPPSxvzYATguVB/zZ5TbsGuxNI519pj/9N2
+q/Y+8/9xJKp9Rmn5rRpDpojhvR5YVqkMo7+2uBcY/X2OfKxf9yNXbsRfV9KxfqDk
+CXHcMx4hP7dgVweAFa3cc4mNSLmExbKEd0RtwZHedyzGG9TE1l6n0rTBrTOAtHda
+EqrI9Q9cGhdQRKzIx4o5c3uD07I2r+1xoPZzCI0eEglzo+oSriJIvr4Mgwla7xWI
+kK74R8W6Wx0QWB/9iHC6GV6kGQDCAQKBwQDu8ecDftQ/Onk6KjbBcm9XfnVM3ER9
+BKkWgmWvl9QOdNBYU2Hd7RrHAhjmILauyUp+62nNnGKxPLujLnVIicLtiGnivqQC
+Sd2wEu1/tw6e4groQUxPD+c6kSXvGKUW+QKOvnGmQ4CkfBIST16TJrEMNvSBr5/B
+A2LlufI5lPT8aMiF/mZfVS5axzOnmR7weggwK3T5kf/nw0JT5b28RuL1ck31Cb75
+EQezK4YkB+n5qgjBHM3bo6tO18s+YIVDlwkCgcEA3+zy8mmRh9SPjmJaM7bxoUHn
+Q5oY1Umd6DH1uGi2qMe9cB1Dfcy8BomhKVrDgU4Hyo0Gc8oPaCsKiPYWy+pbYQ5L
+o5JhsxWXhXfIqumWgvodXE03dLc405tFIyiSoaaCHaKVMotlp2781CBhjxJTfiKu
+IL1i11C4lEpgcoE4uGP57irU7oFAesdM9osGi7UV+op/72mOWRkEEixHOmTIIvyN
+e9MCBIVrmW5GM8Tp0oIwQ5V88nmmNxliZlA8HStBAoHAVxKbxnBPVAMw7fs4HOJg
+pJeWkz2pT42FOIioGYbQZbw3uBgaj865dU/UVvgQ2jzMAtgypBSa+k9RaTOi1Z4u
+BHUzcMdb6OGWAXXESkgg8dEZfG1fK2h2MKd4FVr7vhVb0zyfGaF7nXUA+N8nbaQp
+3HOiQigHpURgo6pRFJ6tb9WXTQzZrV/TFo2Ey0xHNAakOTl81P1ZLdG/t+b+bz+9
+sQfIVMUKbKTCE46GwVaI8sv9iLHAaouH/6EvlTmDFpBRAoHAMHCQiZH+slRwDYwH
+GULM+GZKQdx23MTFDPKpxg+Y2+ABgdxCulbsoblqDIke27zmgJGLQMcIGC+fYsth
+WRFEXTV7dVH4IoZcNboYxagsL/8tFMd7ZJsyBsyC4z0moyNi6EhAYCO5hMPEm5q5
+n/qF5zZXVqvBUvSaSTHhtUNw4qp16WiIkWOScDzm0Dp42wX8UCtfy4mZCnsX31qG
+ugINLUxWyt91g0bdZN5u/0nsjuYszKHs2oMoSqkKGTnoFyNBAoHBALrm0k/JNOWb
+5Z9toqLnpzTM5hJQwQdzQFjuEyQa9DrC15kojjU4rwstVTRxVm+SJMoqWFbxPGe3
+28ijA0q226EdRnOP4d+xvapN5+1cQCAlfYKp7zC58smnC5dsIkVMoRGtMq4upZYH
+rMQUYRcsjnjBf8hi3yyOyj4ENUMjsT4LZntfBKzc6Mv9PhoVWMPjndKxZFUJCwwE
+hvmwhInAUuxIP18v/KkrgsZLva9xp6UARnB6Gpe3bFMLOWNb621Qgw==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/cert-tests/data/code-signing-cert.pem b/tests/cert-tests/data/code-signing-cert.pem
new file mode 100644
index 0000000000..0d04f13a15
--- /dev/null
+++ b/tests/cert-tests/data/code-signing-cert.pem
@@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAoqgAwIBAgIMWAXZ+AOk7Jxgz3G8MA0GCSqGSIb3DQEBCwUAMA8xDTAL
+BgNVBAMTBENBLTAwHhcNMTQwMjI3MTUyMTQyWhcNMTYwMjI3MTUyMTQyWjAXMRUw
+EwYDVQQDEwxjb2RlIHNpZ25pbmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
+AoIBgQDSnOotbRouMDqya42qSS20QLVxRfIfER8RtF/51S75Wxfdx9hgfre0Ldg+
+tNwbo0Je2vVta/OwDO1L/RsAc+//PSeuMVH0wIZZmGR3HpbY13spcwYJEuapIOkJ
+LCy4jhllyTK8h8WI17mMf5WCzcfcH70ISZAUMGqrVOaTuviBcf8S5/sG251R+5ft
+dBzz/sVV8GTSkGmn0LyihwzNyJ+5AhgsoKI5HJXU+ThNvJ0oUTIW/oh1qZMcdZdO
+aCInIgeOLDj9K0CAw/E1Jfe05SccEzMQwY+zFhIUwzzKHPvIfLNkW6eHJca2zNgI
+/CfSNtdwCSFkYykUduQveANM5+7/+jtbbUywfoz/2CY6WYsoarcPec8xlSbNBVmo
+L5sfYoPRn+9MyuozV8UFlPupqc5AKYrMZXkwbud/KT6+Y/vrtU+ktpndJjhEB7Ot
+4Y+WlqKml3QnLJWmyfbzTnXmB4FINMj/2Jl/Ay1BB45CBDpY0Z7uGm08FPi4hNaS
+UTVlihMCAwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcD
+AzAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBQR8od2h7W6lKTua1ZH3WTtTklw
+0jAfBgNVHSMEGDAWgBQfFhV8QGZaveCwaHysCH7Ft5K65TANBgkqhkiG9w0BAQsF
+AAOCAYEAvcUiycPKmDMquWBWw62FZPhA/kjUrIuyGChxxsv+pt4al6SNzcuXGfDJ
+Us4Z0pwnMsvoy69HZFDyhkQ3uclgeYmR4rz0uNLrjvBoPlxK1gYPdqbN/gA8SvTi
+y5yr/XnVriMzs6HpaWh0zGAuzaVbpRo79Ba+VPJsbSHETzM4iKzhxp+8WA2G0yaD
+zw70KL0SzYh6QlhARtSAZ+3VDFFAAYHIpJr1qg5OS6AmPezUhE135iwvIGiBv3sh
+aFIxEVGFIKkzelmpT5lq1qjQocV/KrJzrGYMshhJ847BWMROT1fXq/jL+lg38J0A
+yy8pMCO1eYr9+7Dfea/OubGWcQPIGE+2XzUSPzLXJHrteq7y2dt2NLbto/QVsD41
+hFxvxKwfVSKhrUtuymaBynPfTo9ObFb4Y+BvxDnfYSp+myuNXNWocDGVsc+kFlhs
+syKjkVJhZNTAP7LC8lYRIb42FOsJ6CiRmpXNj5/UIoXgjsMVF/4eIClvbqSui50Q
+vKWlsnP1
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEA0pzqLW0aLjA6smuNqkkttEC1cUXyHxEfEbRf+dUu+VsX3cfY
+YH63tC3YPrTcG6NCXtr1bWvzsAztS/0bAHPv/z0nrjFR9MCGWZhkdx6W2Nd7KXMG
+CRLmqSDpCSwsuI4ZZckyvIfFiNe5jH+Vgs3H3B+9CEmQFDBqq1Tmk7r4gXH/Euf7
+BtudUfuX7XQc8/7FVfBk0pBpp9C8oocMzcifuQIYLKCiORyV1Pk4TbydKFEyFv6I
+damTHHWXTmgiJyIHjiw4/StAgMPxNSX3tOUnHBMzEMGPsxYSFMM8yhz7yHyzZFun
+hyXGtszYCPwn0jbXcAkhZGMpFHbkL3gDTOfu//o7W21MsH6M/9gmOlmLKGq3D3nP
+MZUmzQVZqC+bH2KD0Z/vTMrqM1fFBZT7qanOQCmKzGV5MG7nfyk+vmP767VPpLaZ
+3SY4RAezreGPlpaippd0JyyVpsn280515geBSDTI/9iZfwMtQQeOQgQ6WNGe7hpt
+PBT4uITWklE1ZYoTAgMBAAECggGAOpt5uuxaVbIME2xEfrdgZYGAPCYnqyd7itSz
+xHTjXnZP3OJovulkO1pqi4COo445wOWTWECrDjl6qyOiqOyaQ1+END/7O217tWDn
+zBISDgNgfXdJnarJzxSeZHQLecvpG17ypG3vtRW6x3MVatHSpNmcI7s8wbF7bXPx
+ufhUgMj1HxC41P6194NYkrY1/FvQFAsSM1oGXLGEXIHSOU1zzOrdSUXl/piKxToY
+xeEPppF5q9ZmqL9odYnvcd0ea99W032FM7kkbNT6ycYzRmQEx7c+tAWlx7nqn9it
+5f6oMJJwjSu+ZAm8YgZh4zQogWWL7+YYIrNQNoL74RG4EVPCupvrn/Z13XUK6N0e
+qtCJeam/jsPsANL1rcu1te5wkzGJgs6KHrbrtKthoibJ73ivGxy46zWRJTNjFx9l
+mCM5B5Img1vJizmFeCs2dFHXAi9Lx/t8IKHdydFjAAyZ4a0paz3HfmpHBWKFsm5J
+4DgWU+WXqSsu+uftmiCz9d5e7lJJAoHBAPRyn0vX9a9GpM4olgaEtmBJh/UWA3s3
+otzxwOgeXJgWnWEkccPBMkNXFRO5LPO3oriakidBi3k0Q8rFaYuJ1Vf4v3WHJPZc
+pOBYiTsOeQihjiSQdtrS6syborWGQyFsJnnbpSjoKTfb5RisSTev3Di5u5bqcgU/
+TMOoPvB3rBR92Z6K5n9ZD+XrFJwAIGfFVqRaxLZLItfGRJkBkvvzDZsuGoGOScS5
+FkcpFRSxRHWu2Ifdlz0ARUuV8+5uEVZBTQKBwQDckPPPMS3m0hNbl3D5P4GYn605
+Vxn9njHEAWlCfnGbPhsSTT2nw/jdJp60jHEVlDOAyKpDf3wkz1iQMO9sx9fYASv/
+stY9u/12ERNKkqvmqhsjxTAgFWYeAyoS2N4DIGWQXWWCcOsvPREwb9ym6q29bxtr
+PKs9tTVRsnwrEFRZfsUTWPyV1ngBkVVk5MVGHYjUMM7iEHQsucOnnCDitauGaAx4
+kPSdng9wSelJXw2VJSrlfSOfOIRmQtd8iSn5SN8CgcAtdsgT1hW2xL/QLBJDIhm9
+bM+hkLeTCjT7POdxBHyaONKKh7m0+9C6X47m/TDUH1pfVThLntAu+b6GDxNjRX5t
+fzE0za7dNzvfEfhsCHQQW+PQ/yFr74CGD4hClLcVl0TMs0JTimJoJjjEzv5LIiUm
+U70FA5OzUCOZ3Efgd5GEuidoalMWal0fmQpbPVbJlhVYOh2N/gl78j896eIJhBoK
+u5docytbMEVpdMWb9KBT9vIEyvze9pbsyPX2aXhF/50CgcBWF+pi7HJbT5KoxLMf
+Ry+h0GoAIMSPX2lTda2Ne+eCTjqo6SdwzajdQc7e8JbPcnqsASecky10/M438jHy
+hwr0UHjJJRhFHpTvufiKujeJIMrZKoX/b/rdKiUJGEeIduPN9vbBdKwIU1DbVD6P
+lLjeYXkVYagBvTKjwgR/lq8mA7qPM8PcBMvw6LapXDa4iJy5HpgSW5PNRXFegi2/
+8GOUYhbEFOi2gVTLYr5Bmm2l0s0sqKz34Eql099ix/NvT4cCgcBg1KRXwvz/U8pI
+mP9FcUKCL9CkRiPPzsjGv6qs2nvzUXaR5Bb/sX5cvKHNxlkgxYpvgH0oSJTfk0js
+zceyce2B8VGBNzPW4O9L1JOZXH6vwBWsbEJM04neYQipu8ytZO4zjLWdOHd/9g/v
+x7hmweYs7oL+lVlEPY2QfnqPBG2hlETuccsVgEQ+4i/gDuJIVHFlqgbyHmoKJaN5
+s7oeXUTQfAMXdjKkWGrgS9dbDpTXdcfPeg2cC0K1DvYWpcS9bJ8=
+-----END RSA PRIVATE KEY-----
diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index 31a8eb9998..9e1b607038 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -26,8 +26,12 @@ DIFF="${DIFF:-diff -b -B}"
 if ! test -z "${VALGRIND}"; then
 	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
 fi
-OUTFILE=out-pkcs7.tmp
-OUTFILE2=out2-pkcs7.tmp
+OUTFILE=out-pkcs7.$$.tmp
+OUTFILE2=out2-pkcs7.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
 
 for FILE in single-ca.p7b full.p7b; do
 ${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/data/${FILE}"|grep -v "Signing time" >"${OUTFILE}"
@@ -49,6 +53,36 @@ done
 # check signatures
 
 for FILE in full.p7b; do
+# check validation with date prior to CA issuance
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 verification succeeded with invalid date (1)"
+	exit 1
+fi
+
+# check validation with date prior to intermediate cert issuance
+datefudge -s "2011-5-28 08:38:00 UTC" \
+${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 verification succeeded with invalid date (2)"
+	exit 1
+fi
+
+# check validation with date after intermediate cert issuance
+datefudge -s "2038-10-12" \
+${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 verification succeeded with invalid date (3)"
+	exit 1
+fi
+
 ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}"
 rc=$?
 
diff --git a/tests/cert-tests/pkcs7-constraints b/tests/cert-tests/pkcs7-constraints
new file mode 100755
index 0000000000..8b786b6d82
--- /dev/null
+++ b/tests/cert-tests/pkcs7-constraints
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+if ! test -z "${VALGRIND}"; then
+	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+OUTFILE=out-pkcs7.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+
+
+FILE="signing"
+echo "test: $FILE"
+${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey  "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed"
+	exit ${rc}
+fi
+
+FILE="signing-verify-no-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (0)"
+	exit ${rc}
+fi
+
+FILE="signing-verify-valid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (1)"
+	exit ${rc}
+fi
+
+FILE="signing-verify-invalid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (2)"
+	exit 1
+fi
+
+FILE="signing-verify-invalid-date-1"
+echo ""
+echo "test: $FILE"
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (3)"
+	exit 1
+fi
+
+FILE="signing-verify-invalid-date-2"
+echo ""
+echo "test: $FILE"
+datefudge -s "2018-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (4)"
+	exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
diff --git a/tests/cert-tests/pkcs7-constraints2 b/tests/cert-tests/pkcs7-constraints2
new file mode 100755
index 0000000000..a31961f78e
--- /dev/null
+++ b/tests/cert-tests/pkcs7-constraints2
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+#set -e
+
+srcdir="${srcdir:-.}"
+CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+DIFF="${DIFF:-diff -b -B}"
+if ! test -z "${VALGRIND}"; then
+	VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+OUTFILE=out-pkcs7.$$.tmp
+
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+
+
+FILE="signing"
+echo "test: $FILE"
+${VALGRIND} "${CERTTOOL}" --p7-sign --p7-include-cert --load-privkey  "${srcdir}/data/code-signing-cert.pem" --load-certificate "${srcdir}/data/code-signing-cert.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed"
+	exit ${rc}
+fi
+
+FILE="signing-verify-no-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (0)"
+	exit ${rc}
+fi
+
+FILE="signing-verify-valid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (1)"
+	exit ${rc}
+fi
+
+FILE="signing-verify-invalid-purpose"
+echo ""
+echo "test: $FILE"
+datefudge -s "2015-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (2)"
+	exit 1
+fi
+
+FILE="signing-verify-invalid-date-1"
+echo ""
+echo "test: $FILE"
+datefudge -s "2011-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (3)"
+	exit 1
+fi
+
+FILE="signing-verify-invalid-date-2"
+echo ""
+echo "test: $FILE"
+datefudge -s "2018-1-10" \
+${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "${FILE}: PKCS7 struct signing failed verification (4)"
+	exit 1
+fi
+
+rm -f "${OUTFILE}"
+
+exit 0
diff --git a/tests/pkcs7-gen.c b/tests/pkcs7-gen.c
index f7c51a9afc..a96cef7f58 100644
--- a/tests/pkcs7-gen.c
+++ b/tests/pkcs7-gen.c
@@ -68,6 +68,16 @@ static char pem1_key[] =
 const gnutls_datum_t cert = {(void *) pem1_cert, sizeof(pem1_cert)-1};
 const gnutls_datum_t key = {(void *) pem1_key, sizeof(pem1_key)-1};
 
+static time_t mytime(time_t * t)
+{
+	time_t then = 1199142000;
+
+	if (t)
+		*t = then;
+
+	return then;
+}
+
 static void tls_log_func(int level, const char *str)
 {
 	fprintf(stderr, "%s |<%d>| %s", "err", level, str);
@@ -89,6 +99,7 @@ void doit(void)
 	char *oid;
 	gnutls_datum_t data;
 
+	gnutls_global_set_time_function(mytime);
 	gnutls_global_set_log_function(tls_log_func);
 	if (debug)
 		gnutls_global_set_log_level(6);
diff --git a/tests/suite/pkcs7-cat b/tests/suite/pkcs7-cat
index 6e32375cf2..a034b0c487 100755
--- a/tests/suite/pkcs7-cat
+++ b/tests/suite/pkcs7-cat
@@ -28,12 +28,26 @@ if ! test -z "${VALGRIND}"; then
 fi
 OUTFILE=out-pkcs7.$$.tmp
 
+. ${srcdir}/../scripts/common.sh
+
+check_for_datefudge
+
 #try verification
+datefudge -s "2010-10-10" \
+${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
+rc=$?
+
+if test "${rc}" = "0"; then
+	echo "PKCS7 verification succeeded with invalid date"
+	exit 1
+fi
+
+datefudge -s "2016-10-10" \
 ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/ca.pem"
 rc=$?
 
 if test "${rc}" != "0"; then
-	echo "${FILE}: PKCS7 verification failed"
+	echo "PKCS7 verification failed"
 	exit ${rc}
 fi