Add test CA config with nameConstraints extension

Signed-off-by: Brian Sipos <[email protected]>
Mbed-TLS · Jan 10, 2025 · 9cc3006 · 9cc3006
1 parent fe852d3
commit 9cc3006
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/data_files/Makefile b/data_files/Makefile
@@ -260,6 +260,9 @@ parse_input/test-ca-unsupported_policy.crt: $(test_ca_key_file_rsa) test-ca.req.
 parse_input/test-ca-unsupported_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
 	$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
 
+parse_input/test-ca-name_constraints_dns_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
+	$(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions name_constraints_dns_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
+
 test-ca.req_ec.sha256: $(test_ca_key_file_ec)
 	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL, O=PolarSSL, CN=Polarssl Test EC CA" md=SHA256
 all_intermediate += test-ca.req_ec.sha256

diff --git a/data_files/parse_input/test-ca-name_constraints_dns_ec.crt b/data_files/parse_input/test-ca-name_constraints_dns_ec.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICDDCCAZOgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjUwMTEwMTY0NTMzWhcNMzUwMTExMTY0NTMzWjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jZTBjMAwGA1UdEwQFMAMBAf8wNAYDVR0eAQH/
+BCowKKAQMA6CDC5leGFtcGxlLmNvbaEUMBKCEC5iYWQuZXhhbXBsZS5jb20wHQYD
+VR0OBBYEFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAoGCCqGSM49BAMCA2cAMGQCMBA4
+TTpDxUBuIcgYHs5orNFZitk1T14CL6XiC/JEd4MZ5bqLo6HmSB9M+Yj01D8C9QIw
+fYvj6Cl6W9P/sQze5V8iCqCBr6qQvnEdmeNP7DRxIfMulElBS6W4iRlu0i0nup2G
+-----END CERTIFICATE-----
diff --git a/data_files/test-ca.opensslconf b/data_files/test-ca.opensslconf
@@ -116,6 +116,10 @@ subjectAltName=dirName:dirname_sect
 [two_directorynames]
 subjectAltName=dirName:dirname_sect, dirName:dirname_to_malform
 
+[name_constraints_dns_ca]
+basicConstraints = CA:true
+nameConstraints=critical, permitted;DNS:.example.com, excluded;DNS:.bad.example.com
+
 [dirname_sect]
 C=UK
 O=Mbed TLS