Added functions to parse authority key identifiers when stored as a 'general name' and serial combo.

6 files changed, 379 insertions, 0 deletions

diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
new file mode 100644
index 0000000000..81042b9f0a
--- /dev/null
+++ b/tests/cert-tests/Makefile.am
@@ -0,0 +1,28 @@
+## Process this file with automake to produce Makefile.in
+# Copyright (C) 2007-2008, 2010, 2012 Free Software Foundation, Inc.
+#
+# Author: Simon Josefsson
+#
+# This file is part of GnuTLS.
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem
+
+dist_check_SCRIPTS = pathlen aki
+
+TESTS = pathlen aki
+
+TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT)
diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki
new file mode 100755
index 0000000000..e0722a0532
--- /dev/null
+++ b/tests/cert-tests/aki
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Copyright (C) 2006-2008, 2010, 2012 Free Software Foundation, Inc.
+#
+# Author: Simon Josefsson
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+set -e
+
+srcdir=${srcdir:-.}
+CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
+
+$CERTTOOL --certificate-info --infile $srcdir/aki-cert.pem \
+	  --outfile tmp-aki.pem
+
+diff $srcdir/aki-cert.pem tmp-aki.pem
+rc=$?
+
+rm -f tmp-aki.pem
+
+# We're done.
+if test "$rc" != "0"; then
+  exit $rc
+fi
+
+exit 0
diff --git a/tests/cert-tests/aki-cert.pem b/tests/cert-tests/aki-cert.pem
new file mode 100644
index 0000000000..b7a4c324c4
--- /dev/null
+++ b/tests/cert-tests/aki-cert.pem
@@ -0,0 +1,117 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 6e4ffab3c5e669c4d167c992abe858c4
+	Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority - G2,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network
+	Validity:
+		Not Before: Wed Mar 25 00:00:00 UTC 2009
+		Not After: Sun Mar 24 23:59:59 UTC 2019
+	Subject: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)09,CN=VeriSign Class 3 Secure Server CA - G2
+	Subject Public Key Algorithm: RSA
+	Certificate Security Level: Legacy (2048 bits)
+		Modulus (bits 2048):
+			00:d4:56:8f:57:3b:37:28:a6:40:63:d2:95:d5:05:74
+			da:b5:19:6a:96:d6:71:57:2f:e2:c0:34:8c:a0:95:b3
+			8c:e1:37:24:f3:2e:ed:43:45:05:8e:89:d7:fa:da:4a
+			b5:f8:3e:8d:4e:c7:f9:49:50:45:37:40:9f:74:aa:a0
+			51:55:61:f1:60:84:89:a5:9e:80:8d:2f:b0:21:aa:45
+			82:c4:cf:b4:14:7f:47:15:20:28:82:b0:68:12:c0:ae
+			5c:07:d7:f6:59:cc:cb:62:56:5c:4d:49:ff:26:88:ab
+			54:51:3a:2f:4a:da:0e:98:e2:89:72:b9:fc:f7:68:3c
+			c4:1f:39:7a:cb:17:81:f3:0c:ad:0f:dc:61:62:1b:10
+			0b:04:1e:29:18:71:5e:62:cb:43:de:be:31:ba:71:02
+			19:4e:26:a9:51:da:8c:64:69:03:de:9c:fd:7d:fd:7b
+			61:bc:fc:84:7c:88:5c:b4:c3:7b:ed:5f:2b:46:12:f1
+			fd:00:01:9a:8b:5b:e9:a3:05:2e:8f:2e:5b:de:f3:1b
+			78:f8:66:91:08:c0:5e:ce:d5:b0:36:ca:d4:a8:7b:a0
+			7d:f9:30:7a:bf:f8:dd:19:51:2b:20:ba:fe:a7:cf:a1
+			4e:b0:67:f5:80:aa:2b:83:2e:d2:8e:54:89:8e:1e:29
+			0b
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Authority Information Access (not critical):
+			Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
+			Access Location URI: http://ocsp.verisign.com
+		Basic Constraints (critical):
+			Certificate Authority (CA): TRUE
+			Path Length Constraint: 0
+		Unknown extension 2.5.29.32 (not critical):
+			ASCII: 0g0e..`.H...E....0V0(..+.........https://www.verisign.com/cps0*..+.......0...https://www.verisign.com/rpa
+			Hexdump: 30673065060b6086480186f845010717033056302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f637073302a06082b06010505070202301e1a1c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061
+		CRL Distribution points (not critical):
+			URI: http://crl.verisign.com/pca3-g2.crl
+		Key Usage (critical):
+			Certificate signing.
+			CRL signing.
+		Unknown extension 1.3.6.1.5.5.7.1.12 (not critical):
+			ASCII: 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
+			Hexdump: 305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966
+		Subject Alternative Name (not critical):
+			directoryName: CN=Class3CA2048-1-52
+		Subject Key Identifier (not critical):
+			a5ef0b11cec04103a34a659048b21ce0572d7d47
+		Authority Key Identifier (not critical):
+error: get_authority_key_id: Unsupported extension in X.509 certificate.
+	Signature Algorithm: RSA-SHA1
+	Signature:
+		63:74:2f:3d:53:aa:2f:97:ec:26:11:66:1a:fe:f1:de
+		41:27:19:d2:7f:d8:c1:1c:f9:e2:38:56:3a:1f:90:ae
+		39:c5:20:75:ab:f8:6c:2d:67:1f:29:c2:21:d7:14:88
+		63:4b:b0:9b:27:63:91:f8:f0:a3:01:24:b6:fb:8f:e3
+		3d:02:0b:6f:54:fe:d4:cc:db:d6:85:bf:7c:95:1e:5e
+		62:11:c1:d9:09:9c:42:b9:b2:d4:aa:2d:98:3a:23:60
+		cc:a2:9a:f1:6e:e8:cf:8e:d1:1a:3c:5e:19:c5:d7:9b
+		35:b0:02:23:24:e5:05:b8:d5:88:e3:e0:fa:b9:f4:5f
+Other Information:
+	SHA-1 fingerprint:
+		62f3c89771da4ce01a91fc13e02b6057b4547a1d
+	Public Key Id:
+		df622ed0fe6a65a8df5b62840c826ac5b372235f
+	Public key's random art:
+		+--[ RSA 2048]----+
+		|                 |
+		|  ..             |
+		|  .+. .          |
+		| .. o. o .       |
+		|.+ + E .S..      |
+		|. = o . ooo.     |
+		|   .   + o* o    |
+		|      . += +     |
+		|       oo+=.     |
+		+-----------------+
+
+-----BEGIN CERTIFICATE-----
+MIIGLDCCBZWgAwIBAgIQbk/6s8XmacTRZ8mSq+hYxDANBgkqhkiG9w0BAQUFADCB
+wTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTwwOgYDVQQL
+EzNDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
+IC0gRzIxOjA4BgNVBAsTMShjKSAxOTk4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1
+dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv
+cmswHhcNMDkwMzI1MDAwMDAwWhcNMTkwMzI0MjM1OTU5WjCBtTELMAkGA1UEBhMC
+VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
+cnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93
+d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xh
+c3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDUVo9XOzcopkBj0pXVBXTatRlqltZxVy/iwDSMoJWzjOE3JPMu
+7UNFBY6J1/raSrX4Po1Ox/lJUEU3QJ90qqBRVWHxYISJpZ6AjS+wIapFgsTPtBR/
+RxUgKIKwaBLArlwH1/ZZzMtiVlxNSf8miKtUUTovStoOmOKJcrn892g8xB85essX
+gfMMrQ/cYWIbEAsEHikYcV5iy0PevjG6cQIZTiapUdqMZGkD3pz9ff17Ybz8hHyI
+XLTDe+1fK0YS8f0AAZqLW+mjBS6PLlve8xt4+GaRCMBeztWwNsrUqHugffkwer/4
+3RlRKyC6/qfPoU6wZ/WAqiuDLtKOVImOHikLAgMBAAGjggKpMIICpTA0BggrBgEF
+BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTAS
+BgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4RQEHFwMwVjAo
+BggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAqBggrBgEF
+BQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQGA1UdHwQtMCsw
+KaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzIuY3JsMA4GA1Ud
+DwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYw
+ITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9n
+by52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjApBgNVHREEIjAgpB4wHDEaMBgGA1UE
+AxMRQ2xhc3MzQ0EyMDQ4LTEtNTIwHQYDVR0OBBYEFKXvCxHOwEEDo0plkEiyHOBX
+LX1HMIHnBgNVHSMEgd8wgdyhgcekgcQwgcExCzAJBgNVBAYTAlVTMRcwFQYDVQQK
+Ew5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMgUHJpbWFy
+eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEoYykgMTk5
+OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD
+VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrghB92f4Hz6getxB5Z/uniTTGMA0G
+CSqGSIb3DQEBBQUAA4GBAGN0Lz1Tqi+X7CYRZhr+8d5BJxnSf9jBHPniOFY6H5Cu
+OcUgdav4bC1nHynCIdcUiGNLsJsnY5H48KMBJLb7j+M9AgtvVP7UzNvWhb98lR5e
+YhHB2QmcQrmy1KotmDojYMyimvFu6M+O0Ro8XhnF15s1sAIjJOUFuNWI4+D6ufRf
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/ca-no-pathlen.pem b/tests/cert-tests/ca-no-pathlen.pem
new file mode 100644
index 0000000000..76ec72bde2
--- /dev/null
+++ b/tests/cert-tests/ca-no-pathlen.pem
@@ -0,0 +1,57 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 00
+	Issuer: O=GnuTLS test certificate
+	Validity:
+		Not Before: Fri Jan 26 10:00:04 UTC 2007
+		Not After: Sat Jan 27 10:00:06 UTC 2007
+	Subject: O=GnuTLS test certificate
+	Subject Public Key Algorithm: RSA
+	Certificate Security Level: Weak (512 bits)
+		Modulus (bits 512):
+			00:a1:63:53:6b:54:95:ac:3c:a4:4b:4b:6a:ba:c0:9c
+			11:ad:28:dd:03:a8:c0:f4:17:bf:18:cd:9f:b3:5a:d1
+			de:21:41:db:a3:d2:6c:f9:66:87:69:7c:50:07:81:66
+			41:28:c9:99:e2:eb:cc:57:53:9d:0c:b1:94:6f:ef:eb
+			17
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Basic Constraints (critical):
+			Certificate Authority (CA): TRUE
+		Subject Key Identifier (not critical):
+			3f00012df1304b60a3b0306cab0e93fe0158801b
+	Signature Algorithm: RSA-SHA1
+	Signature:
+		9b:c1:b6:d9:df:2c:b1:1d:dd:da:14:19:94:b3:7c:12
+		e9:33:a5:2e:b5:c0:82:1d:45:7a:bf:73:b9:30:74:9d
+		f3:6e:7e:4c:f3:8d:ed:2a:f8:3f:39:04:ef:a4:fd:e3
+		fc:cb:ba:1f:2a:1d:ad:f3:f9:68:39:f4:6d:1f:6a:15
+Other Information:
+	SHA-1 fingerprint:
+		f3ddd5478b80b142200b50c9eb2ee37061b09ed6
+	Public Key Id:
+		f268df0e814c0302ed338e146f57421dba44f06c
+	Public key's random art:
+		+--[ RSA  512]----+
+		|.o..+o...        |
+		| ...+o.o         |
+		| .o  E=          |
+		| .+oo+.o         |
+		|.o.o..+ S        |
+		|. .    + .       |
+		|      o o        |
+		|     . . o       |
+		|        ..o      |
+		+-----------------+
+
+-----BEGIN CERTIFICATE-----
+MIIBYDCCAQygAwIBAgIBADALBgkqhkiG9w0BAQUwIjEgMB4GA1UEChMXR251VExT
+IHRlc3QgY2VydGlmaWNhdGUwHhcNMDcwMTI2MTAwMDA0WhcNMDcwMTI3MTAwMDA2
+WjAiMSAwHgYDVQQKExdHbnVUTFMgdGVzdCBjZXJ0aWZpY2F0ZTBZMAsGCSqGSIb3
+DQEBAQNKADBHAkChY1NrVJWsPKRLS2q6wJwRrSjdA6jA9Be/GM2fs1rR3iFB26PS
+bPlmh2l8UAeBZkEoyZni68xXU50MsZRv7+sXAgMBAAGjMjAwMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFD8AAS3xMEtgo7AwbKsOk/4BWIAbMAsGCSqGSIb3DQEB
+BQNBAJvBttnfLLEd3doUGZSzfBLpM6UutcCCHUV6v3O5MHSd825+TPON7Sr4PzkE
+76T94/zLuh8qHa3z+Wg59G0fahU=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/no-ca-or-pathlen.pem b/tests/cert-tests/no-ca-or-pathlen.pem
new file mode 100644
index 0000000000..086feb45ca
--- /dev/null
+++ b/tests/cert-tests/no-ca-or-pathlen.pem
@@ -0,0 +1,92 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 2e103703df46859d7a550da659618538
+	Issuer: O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=www.verisign.com/repository/RPA Incorp. By Ref.\,LIAB.LTD(c)98,CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
+	Validity:
+		Not Before: Mon Jun 26 00:00:00 UTC 2000
+		Not After: Fri Aug 25 23:59:59 UTC 2000
+	Subject: O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98,OU=Persona Not Validated,OU=Digital ID Class 1 - Netscape,CN=Simon Josefsson,EMAIL=simon@josefsson.org
+	Subject Public Key Algorithm: RSA
+	Certificate Security Level: Weak (1024 bits)
+		Modulus (bits 1024):
+			00:c9:0c:ce:8a:fe:71:46:9b:ca:1d:e5:90:12:a5:11
+			0b:c6:2d:c4:33:c6:19:e8:60:59:4e:3f:64:3d:e4:f7
+			7b:b0:be:f9:10:07:e9:7c:a6:c6:5a:51:33:24:97:7b
+			a3:e1:08:b4:52:b6:06:10:7d:65:df:6e:52:bd:81:3f
+			39:ad:b3:ad:17:13:88:22:e7:43:8c:39:b7:c2:c4:ba
+			4a:8b:54:15:49:55:a4:4d:cc:00:56:7b:c8:63:4e:37
+			de:fb:79:0f:45:dc:e9:5c:cd:70:f0:64:42:35:84:db
+			e6:59:a4:cb:4b:fe:0f:47:28:0c:35:11:a9:40:fc:ba
+			a5
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Basic Constraints (not critical):
+			Certificate Authority (CA): FALSE
+		Unknown extension 2.5.29.32 (not critical):
+			ASCII: 0;09..`.H...E....0*0(..+.........https://www.verisign.com/rpa
+			Hexdump: 303b3039060b6086480186f84501070108302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061
+		Unknown extension 2.16.840.1.113730.1.1 (not critical):
+			ASCII: ....
+			Hexdump: 03020780
+		Unknown extension 2.16.840.1.113733.1.6.3 (not critical):
+			ASCII: .vd4652bd63f2047029298763c9d2f275069c7359bed1b059da75bc4bc9701747da5d5e4141beadb2bd2e88317af7bf5d5114997a3bf45f8f3ea450c
+			Hexdump: 167664343635326264363366323034373032393239383736336339643266323735303639633733353962656431623035396461373562633462633937303137343764613564356534313431626561646232626432653838333137616637626635643531313439393761336266343566386633656134353063
+		CRL Distribution points (not critical):
+			URI: http://crl.verisign.com/class1.crl
+	Signature Algorithm: RSA-MD5
+warning: signed using a broken signature algorithm that can be forged.
+	Signature:
+		09:38:2f:57:9e:91:a4:d2:42:d9:d7:44:c1:d8:17:14
+		49:00:69:9f:6b:e4:95:93:35:fd:96:76:ff:8b:bf:9e
+		dd:05:6b:82:b2:f3:af:0f:f8:a0:2f:8d:65:08:27:54
+		d4:8f:47:79:c9:be:d9:f9:ce:af:7f:2a:06:17:26:f3
+		b9:e6:74:ba:b9:35:3e:36:56:5d:41:9c:ce:68:fc:db
+		c5:31:42:09:32:37:e7:b7:2e:a4:c5:51:e5:fe:e5:45
+		59:0c:44:ca:ce:ad:77:24:52:b4:78:5f:cc:4f:15:a7
+		8f:20:81:56:65:08:50:37:75:bc:a2:11:82:72:48:76
+Other Information:
+	SHA-1 fingerprint:
+		8f735c5ddefd723f59b6a3bb2ac0522470c0182f
+	Public Key Id:
+		1e09d707d4e3651b84dcb6c68a828d2affef7ec3
+	Public key's random art:
+		+--[ RSA 1024]----+
+		|         .oo +.  |
+		|         . .= *  |
+		|      . . ...* + |
+		|       o . .. =  |
+		|       +S  . o   |
+		|      o.o.. .    |
+		|     .  .o       |
+		|  . .     E      |
+		|   o...++. .     |
+		+-----------------+
+
+-----BEGIN CERTIFICATE-----
+MIIEhDCCA+2gAwIBAgIQLhA3A99GhZ16VQ2mWWGFODANBgkqhkiG9w0BAQQFADCB
+zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
+dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
+eS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1Zl
+cmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
+Tm90IFZhbGlkYXRlZDAeFw0wMDA2MjYwMDAwMDBaFw0wMDA4MjUyMzU5NTlaMIIB
+CDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
+dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
+eS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBl
+cnNvbmEgTm90IFZhbGlkYXRlZDEmMCQGA1UECxMdRGlnaXRhbCBJRCBDbGFzcyAx
+IC0gTmV0c2NhcGUxGDAWBgNVBAMUD1NpbW9uIEpvc2Vmc3NvbjEiMCAGCSqGSIb3
+DQEJARYTc2ltb25Aam9zZWZzc29uLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAyQzOiv5xRpvKHeWQEqURC8YtxDPGGehgWU4/ZD3k93uwvvkQB+l8psZa
+UTMkl3uj4Qi0UrYGEH1l325SvYE/Oa2zrRcTiCLnQ4w5t8LEukqLVBVJVaRNzABW
+e8hjTjfe+3kPRdzpXM1w8GRCNYTb5lmky0v+D0coDDURqUD8uqUCAwEAAaOCASYw
+ggEiMAkGA1UdEwQCMAAwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcBCDAqMCgGCCsG
+AQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMBEGCWCGSAGG+EIB
+AQQEAwIHgDCBhgYKYIZIAYb4RQEGAwR4FnZkNDY1MmJkNjNmMjA0NzAyOTI5ODc2
+M2M5ZDJmMjc1MDY5YzczNTliZWQxYjA1OWRhNzViYzRiYzk3MDE3NDdkYTVkNWU0
+MTQxYmVhZGIyYmQyZTg4MzE3YWY3YmY1ZDUxMTQ5OTdhM2JmNDVmOGYzZWE0NTBj
+MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNz
+MS5jcmwwDQYJKoZIhvcNAQEEBQADgYEACTgvV56RpNJC2ddEwdgXFEkAaZ9r5JWT
+Nf2Wdv+Lv57dBWuCsvOvD/igL41lCCdU1I9Hecm+2fnOr38qBhcm87nmdLq5NT42
+Vl1BnM5o/NvFMUIJMjfnty6kxVHl/uVFWQxEys6tdyRStHhfzE8Vp48ggVZlCFA3
+dbyiEYJySHY=
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen
new file mode 100755
index 0000000000..c7d994cc57
--- /dev/null
+++ b/tests/cert-tests/pathlen
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) 2006-2008, 2010, 2012 Free Software Foundation, Inc.
+#
+# Author: Simon Josefsson
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+set -e
+
+srcdir=${srcdir:-.}
+CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT}
+
+$CERTTOOL --certificate-info --infile $srcdir/ca-no-pathlen.pem \
+	  --outfile new-ca-no-pathlen.pem
+$CERTTOOL --certificate-info --infile $srcdir/no-ca-or-pathlen.pem \
+	  --outfile new-no-ca-or-pathlen.pem
+
+diff $srcdir/ca-no-pathlen.pem new-ca-no-pathlen.pem
+rc1=$?
+diff $srcdir/no-ca-or-pathlen.pem new-no-ca-or-pathlen.pem
+rc2=$?
+
+rm -f new-ca-no-pathlen.pem new-no-ca-or-pathlen.pem
+
+# We're done.
+if test "$rc1" != "0"; then
+  exit $rc1
+fi
+exit $rc2