From d6463ea4b304e64ebfaf1e9a5da648a9952279f6 Mon Sep 17 00:00:00 2001
From: Brian Sipos
Date: Fri, 10 Jan 2025 11:50:28 -0500
Subject: [PATCH] Add test CA config with nameConstraints extension
---
 data_files/Makefile | 3 +++
 .../parse_input/test-ca-name_constraints_dns_ec.crt | 13 +++++++++++++
 data_files/test-ca.opensslconf | 4 ++++
 3 files changed, 20 insertions(+)
 create mode 100644 data_files/parse_input/test-ca-name_constraints_dns_ec.crt
diff --git a/data_files/Makefile b/data_files/Makefile
index 6dae31d19e..87d8a7971a 100644
--- a/data_files/Makefile
+++ b/data_files/Makefile
@@ -260,6 +260,9 @@ parse_input/test-ca-unsupported_policy.crt: $(test_ca_key_file_rsa) test-ca.req.
 parse_input/test-ca-unsupported_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
 $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
+parse_input/test-ca-name_constraints_dns_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
+ $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions name_constraints_dns_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
+
 test-ca.req_ec.sha256: $(test_ca_key_file_ec)
 $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL, O=PolarSSL, CN=Polarssl Test EC CA" md=SHA256
 all_intermediate += test-ca.req_ec.sha256
diff --git a/data_files/parse_input/test-ca-name_constraints_dns_ec.crt b/data_files/parse_input/test-ca-name_constraints_dns_ec.crt
new file mode 100644
index 0000000000..7f8c84a7fa
--- /dev/null
+++ b/data_files/parse_input/test-ca-name_constraints_dns_ec.crt
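Review bot: The new parse_input/test-ca-name_constraints_dns_ec.crt rule is not appended to any aggregate list in this hunk, whereas test-ca.req_ec.sha256 just below it is registered with `all_intermediate +=`. If this Makefile collects the parse_input certificates in an all_final list elsewhere (the sibling unsupported_policy rules may be registered that way outside the hunk), the new target should be added there too, e.g. `all_final += parse_input/test-ca-name_constraints_dns_ec.crt`, so that the default target regenerates it and a stale checked-in fixture is noticed. A short comment above the rule naming what the fixture exercises would also help, e.g. `# EC CA with a critical nameConstraints extension (permitted and excluded DNS subtrees); see name_constraints_dns_ca in test-ca.opensslconf`.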
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICDDCCAZOgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjUwMTEwMTY0NTMzWhcNMzUwMTExMTY0NTMzWjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jZTBjMAwGA1UdEwQFMAMBAf8wNAYDVR0eAQH/
+BCowKKAQMA6CDC5leGFtcGxlLmNvbaEUMBKCEC5iYWQuZXhhbXBsZS5jb20wHQYD
+VR0OBBYEFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAoGCCqGSM49BAMCA2cAMGQCMBA4
+TTpDxUBuIcgYHs5orNFZitk1T14CL6XiC/JEd4MZ5bqLo6HmSB9M+Yj01D8C9QIw
+fYvj6Cl6W9P/sQze5V8iCqCBr6qQvnEdmeNP7DRxIfMulElBS6W4iRlu0i0nup2G
+-----END CERTIFICATE-----
diff --git a/data_files/test-ca.opensslconf b/data_files/test-ca.opensslconf
index 0340e9e276..271f886705 100644
--- a/data_files/test-ca.opensslconf
+++ b/data_files/test-ca.opensslconf
@@ -116,6 +116,10 @@ subjectAltName=dirName:dirname_sect
 [two_directorynames]
 subjectAltName=dirName:dirname_sect, dirName:dirname_to_malform
+[name_constraints_dns_ca]
+basicConstraints = CA:true
+nameConstraints=critical, permitted;DNS:.example.com, excluded;DNS:.bad.example.com
+
 [dirname_sect]
 C=UK
 O=Mbed TLS
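Review bot: The new name_constraints_dns_ca section carries no comment saying what the fixture is for, and `basicConstraints = CA:true` is the only spaced assignment next to context lines written as `key=value`; `basicConstraints=CA:true` would match the surrounding style. A one-line comment above the section header would help, e.g. `# CA whose critical nameConstraints permits DNS names under .example.com and excludes those under .bad.example.com; produces parse_input/test-ca-name_constraints_dns_ec.crt`. Two behaviours are worth stating explicitly if they are intentional: basicConstraints is not marked critical here, which RFC 5280 requires for CA certificates (the file's other CA sections, outside this hunk, may or may not do so), and under OpenSSL's matching a leading dot in a DNS constraint covers only subdomains, so example.com itself falls outside the permitted subtree. Both are harmless for a parser fixture but would matter if the certificate is later reused in chain-validation tests.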