Check for trailing data in extensions.
X509V3_EXT_d2i should notice if an extension has extra data at the end.
Update-Note: Some previously accepted invalid certicates may be
rejected, either in certificate verification or in X509_get_ext_d2i.
Bug: 352
Change-Id: Iacbb74a52d15bf3318b4cb8271d44b0f0a2df137
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50285
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/err/x509v3.errordata b/crypto/err/x509v3.errordata
index 492259c..80264fb 100644
--- a/crypto/err/x509v3.errordata
+++ b/crypto/err/x509v3.errordata
@@ -53,6 +53,7 @@
X509V3,151,POLICY_PATH_LENGTH_ALREADY_DEFINED
X509V3,152,POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY
X509V3,153,SECTION_NOT_FOUND
+X509V3,164,TRAILING_DATA_IN_EXTENSION
X509V3,154,UNABLE_TO_GET_ISSUER_DETAILS
X509V3,155,UNABLE_TO_GET_ISSUER_KEYID
X509V3,156,UNKNOWN_BIT_STRING_ARGUMENT
diff --git a/crypto/x509/test/invalid_extension_intermediate.pem b/crypto/x509/test/invalid_extension_intermediate.pem
index b86865f..b59a4d0 100644
--- a/crypto/x509/test/invalid_extension_intermediate.pem
+++ b/crypto/x509/test/invalid_extension_intermediate.pem
@@ -1,10 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBdTCCARugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnjCCAUOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjODA2MA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjYDBeMA4G
A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIDkCS9RrLeO556C9apswg90ZdI2kn3ru31bp
-a4Rqp82BAiEAqJn5GbUzqjVaI5UthWdcu1zmpdTJntbheeNstXa7k+E=
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAKBggq
+hkjOPQQDAgNJADBGAiEA0XamFS9fNIkvjN4muFP3EYEuO3/y+WiNhewBtusrhD0C
+IQCmTHE7J6c+Pvtv4Ro2S/I3Pypr8sJNWdezoE5Okhf4Gw==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_authority_key_identifier.pem b/crypto/x509/test/invalid_extension_intermediate_authority_key_identifier.pem
index 595703c..aa1a805 100644
--- a/crypto/x509/test/invalid_extension_intermediate_authority_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_authority_key_identifier.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnTCCAUKgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjXzBdMA4G
A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdIwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEAl5TMKihFw6jD
-ajc1I7R177t3d4HyW7qCB/M3PHu9HDsCIDI0oBBsuXAHX43N1Jx8LO0sMAzujYom
-/NZn/qBanQnZ
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDgYDVR0jBAdJTlZBTElEMAoGCCqG
+SM49BAMCA0kAMEYCIQDKVSKO0wAESfYL/ZRzKj3rBxolJ9+GHKxNTXnmf7w6sAIh
+AM0mSwKy1M+w7th5s0XhfImVfpi+V4Xxbtz8AWN6Grfm
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_basic_constraints.pem b/crypto/x509/test/invalid_extension_intermediate_basic_constraints.pem
index 32f09f5..bb74144 100644
--- a/crypto/x509/test/invalid_extension_intermediate_basic_constraints.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_basic_constraints.pem
@@ -1,10 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBdTCCARqgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnDCCAUKgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjNzA1MA4G
-A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHRMEB0lOVkFM
-SUQwCgYIKoZIzj0EAwIDSQAwRgIhAK/zCwmg3s63Ndeg9piiBbMsUF6ZPcNFltEa
-3cKSMPthAiEAkMq/CmljQigMgXVWOhacYeRLyzZyi2i9hOjrCeKFuno=
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjXzBdMA4G
+A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAVBgNVHQ4EDgQMaW50
+ZXJtZWRpYXRlMA8GA1UdIwQIMAaABHJvb3QwDgYDVR0TBAdJTlZBTElEMAoGCCqG
+SM49BAMCA0gAMEUCIARJW0WA3S/H8amVP7H8BLJj6AnNocXOC4FkQY1YNNdSAiEA
+/Y4tQ2nvQhDuBGxdkDfR5wyYLOuS+t/CWIiV3A63VsM=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_ext_key_usage.pem b/crypto/x509/test/invalid_extension_intermediate_ext_key_usage.pem
index 20ff382..2423e26 100644
--- a/crypto/x509/test/invalid_extension_intermediate_ext_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_ext_key_usage.pem
@@ -1,10 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBbzCCARagAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBmTCCAT6gAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjMzAxMA4G
-A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdJQQHSU5WQUxJRDAK
-BggqhkjOPQQDAgNHADBEAiAGr6/3ad6TX4h/HgD5oFiifT7SsRzYVD1yvfyHEYRI
-qgIgYDbO0XKLN9kSUF8ZBaLPyC1AIbw+m9cQy4/GaJuzxH4=
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjWzBZMA4G
+A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MBUGA1UdDgQOBAxpbnRlcm1l
+ZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNVHSUEB0lOVkFMSUQwCgYIKoZIzj0E
+AwIDSQAwRgIhALzNOt3jZR7ZP0DWt0hw3SRu5l8dcKYy49xVNIY3D8OuAiEA4KHg
+Sfy+XLtLvVG9Tnbbh3XS+iLHiDUsYCGivpTAb44=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_key_usage.pem b/crypto/x509/test/invalid_extension_intermediate_key_usage.pem
index c31596c..10c35cb 100644
--- a/crypto/x509/test/invalid_extension_intermediate_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_key_usage.pem
@@ -1,10 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBdDCCARugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnTCCAUOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjODA2MBMG
-A1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PBAdJTlZB
-TElEMAoGCCqGSM49BAMCA0cAMEQCIE1gJ4wr8D0UPRfhQ5sx1WJWEOc+IEtktigk
-giSupcouAiBFa441h0NvODAwsb39sQ/uaUhucb11vwKSZItwViMp/w==
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjYDBeMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wFQYDVR0OBA4EDGlu
+dGVybWVkaWF0ZTAPBgNVHSMECDAGgARyb290MA4GA1UdDwQHSU5WQUxJRDAKBggq
+hkjOPQQDAgNIADBFAiEAtoKHHh57yauGrcGren78p+jqfq41XmuwaF6vQ7BfmxQC
+IHCPCJcys8DqJOXId0F6fyk/Dk7jixFnmwW8S5E8N+Ee
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_name_constraints.pem b/crypto/x509/test/invalid_extension_intermediate_name_constraints.pem
index 82c83a9..a28c751 100644
--- a/crypto/x509/test/invalid_extension_intermediate_name_constraints.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_name_constraints.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBrDCCAVOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjcDBuMA4G
A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdHgQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiB7QedoT6bEccGY
-/Pofovdtfdzl/AXCtbJjiu59Yt3UTAIhANdfkR5PShTke3o9diKz6G/cVvL9jkF2
-SKzPRxnRVxNo
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNV
+HR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgFTYJwndHsZh13cYj4EfDZFNe
+ckt9rkRJjEP7nDGyD44CIAE6M7HDjbJRjJbYsAfc45ax00i9htFjb88t6AJyDU9M
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_subject_alt_name.pem b/crypto/x509/test/invalid_extension_intermediate_subject_alt_name.pem
index 6fd9bf6..b0cc064 100644
--- a/crypto/x509/test/invalid_extension_intermediate_subject_alt_name.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_subject_alt_name.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBhDCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBrjCCAVOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjcDBuMA4G
A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdEQQHSU5WQUxJRDAKBggqhkjOPQQDAgNHADBEAiA4J8X4tb775IOP
-gBZ8BjlQZXPaRAgO/0d8a5Bgb5j0awIgN1i84TX34Dm8SjArcZLN38mm0zbrvEY0
-wILouqC75wI=
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNV
+HREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAI49whD5azejKejI1xowdbu7
+LHeT2wNanCCU+KCOoBFPAiEAoog5xR90Z2lWsLJEPWiw7WLJMNuZBDINLNVDCA5d
+D0k=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_intermediate_subject_key_identifier.pem b/crypto/x509/test/invalid_extension_intermediate_subject_key_identifier.pem
index a440757..e586b70 100644
--- a/crypto/x509/test/invalid_extension_intermediate_subject_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_intermediate_subject_key_identifier.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBljCCATygAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjWTBXMA4G
A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDgQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiBXToga6ILFNSXj
-FiwI/ZaZvJubBHzMcrEXtIv85ybV3wIhAL3DMOezrq+dSjf+RdshlTDKwvTY8QYX
-ehvRzctnYHTd
+AQH/MA8GA1UdIwQIMAaABHJvb3QwDgYDVR0OBAdJTlZBTElEMAoGCCqGSM49BAMC
+A0gAMEUCIDsbBMbAWuJq9VnfrSjLBTK6TSfskt3i0ns2y/9FEW04AiEAkjyacdGb
+sk1wvjrVc5ny6O96NvUGkdO1/GNdPNKPYWQ=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf.pem b/crypto/x509/test/invalid_extension_leaf.pem
index 14bcb5a..d7491dc 100644
--- a/crypto/x509/test/invalid_extension_leaf.pem
+++ b/crypto/x509/test/invalid_extension_leaf.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBhzCCASygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBzzCCAXagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
-EzARgg93d3cuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ1DkyH6QYsM
-bxN/aXhKYGFc1upPpxfHrzmVrVrYq34GAiEAgzAn1bws7mwi4fTBJ4XY44OisCi6
-gPDLe2H4Esop38o=
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GaMIGXMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
+d3cuZXhhbXBsZS5jb20wHgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAK
+BggqhkjOPQQDAgNHADBEAiAJtROn4TOAvfttoQJ6RsqnsaR1WaP+CKzWXjARJxtQ
+LwIgGmbRenVTFx8ho17JY8ncV5qaJqc0EXN56twt9SccKqE=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_authority_key_identifier.pem b/crypto/x509/test/invalid_extension_leaf_authority_key_identifier.pem
index 166b89c..a4d013e 100644
--- a/crypto/x509/test/invalid_extension_leaf_authority_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_leaf_authority_key_identifier.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBljCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIByDCCAW2gAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0jBAdJTlZBTElEMAoGCCqGSM49BAMC
-A0gAMEUCIDCqsRJC3IrUHxm5txOfnjrpGmoeSvr1EhVFDhHCuV6GAiEAwJ15sf7y
-+CGw0rzYTLUHw4nc5aJC9oKOhypg3SrQeGw=
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GRMIGOMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAeBgNVHR4EFzAV
+oBMwEYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdIwQHSU5WQUxJRDAKBggqhkjOPQQD
+AgNJADBGAiEAj6hhgnfiI0zt38N98eQsfJCJ8ZGkLfH+69OOUISls2QCIQDtyWhN
+L/7L787+zkUazG4HvZ/YHO7hbWQAfMQVbk/iRA==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_basic_constraints.pem b/crypto/x509/test/invalid_extension_leaf_basic_constraints.pem
index 611f7cb..f987971 100644
--- a/crypto/x509/test/invalid_extension_leaf_basic_constraints.pem
+++ b/crypto/x509/test/invalid_extension_leaf_basic_constraints.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBiDCCAS6gAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIB0zCCAXigAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1MwUTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPd3d3LmV4YW1w
-bGUuY29tMA4GA1UdEwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEA6btgd6HI
-SCvxfnaHqhAiBjLl665JJC/wpSejPlxFmI0CIGZ7pLkRuQKv132ffDBmobAsBBnT
-YXmJWAHc4rsJCYEx
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GcMIGZMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATANBgNVHQ4EBgQEbGVhZjAXBgNV
+HSMEEDAOgAxpbnRlcm1lZGlhdGUwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MB4GA1UdHgQXMBWgEzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0TBAdJTlZBTElE
+MAoGCCqGSM49BAMCA0kAMEYCIQDo/XMevx8IdL+LOl55riE3otGDWKDDPgaZKA43
+snAJAwIhAJtgm2YNclXG1i8PzrSqZ5Y5mvBMgtjTfW/7ld7ED3pK
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_ext_key_usage.pem b/crypto/x509/test/invalid_extension_leaf_ext_key_usage.pem
index 2fa34ee..a8dd8c5 100644
--- a/crypto/x509/test/invalid_extension_leaf_ext_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_leaf_ext_key_usage.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBgTCCASegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIByzCCAXGgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo0wwSjAOBgNVHQ8BAf8E
-BAMCAgQwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
-DgYDVR0lBAdJTlZBTElEMAoGCCqGSM49BAMCA0gAMEUCIH3jx0mZhPAY2QZHYVPQ
-ld6RNFGris9CFCD8AMOaZTR+AiEAgr4hSxoIm3g/CVeQkDORqgSrXU0AuVvQL2KO
-NM5UG1Q=
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GVMIGSMA4GA1UdDwEB
+/wQEAwICBDAMBgNVHRMBAf8EAjAAMA0GA1UdDgQGBARsZWFmMBcGA1UdIwQQMA6A
+DGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wHgYDVR0e
+BBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHSUEB0lOVkFMSUQwCgYIKoZI
+zj0EAwIDSAAwRQIhAJwe+EZy9v2fW6bYAE8T2NEJjc0SDLoHshJOae3yOYMoAiB1
+kTrY4iuQKBwbbAokFgnHr+Ev1aXcmjRn0sJFDesUAw==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_key_usage.pem b/crypto/x509/test/invalid_extension_leaf_key_usage.pem
index 82c7cf0..e1ed36c 100644
--- a/crypto/x509/test/invalid_extension_leaf_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_leaf_key_usage.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBhjCCASygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBzzCCAXagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzATBgNVHSUEDDAK
-BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxl
-LmNvbTAOBgNVHQ8EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgPoSLUcWwjnDx
-3N+DJPzpgHRRSZtJz6w5njQ+zcyQvrQCIQDThWHI9F5s6xQN42stFw0sasdWFc/9
-No9QQf1zbGfGDw==
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GaMIGXMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBGxlYWYwFwYDVR0j
+BBAwDoAMaW50ZXJtZWRpYXRlMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAe
+BgNVHR4EFzAVoBMwEYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdDwQHSU5WQUxJRDAK
+BggqhkjOPQQDAgNHADBEAiAoWszkhUlrT+vn0BqkA8yuuyCQ7HvK8KQOJsvzFYkS
+qwIgbzwpATgcK7hhRG+GIO8v/MWqomOLExlQYcGIPPODHH0=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_name_constraints.pem b/crypto/x509/test/invalid_extension_leaf_name_constraints.pem
index f4e6105..0e90447 100644
--- a/crypto/x509/test/invalid_extension_leaf_name_constraints.pem
+++ b/crypto/x509/test/invalid_extension_leaf_name_constraints.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBljCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBvzCCAWagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0eBAdJTlZBTElEMAoGCCqGSM49BAMC
-A0gAMEUCIQCYofdTDXH2HIpc/ZSI6IQVCM0L0/QbKbEOGeAwDtikGAIgV48ECoAt
-8maDdh8y9qj/TZe6XA39BzkjtsLKhecCuV8=
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GKMIGHMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
+d3cuZXhhbXBsZS5jb20wDgYDVR0eBAdJTlZBTElEMAoGCCqGSM49BAMCA0cAMEQC
+IDBcHYVfj62g5y2gP/TTvH3VQr4XG/QNZLL6N8H/A8arAiB95102dlC8zVt4beDe
+ejD7/YA0FNMSgEnAZ1VgzPejxA==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_subject_alt_name.pem b/crypto/x509/test/invalid_extension_leaf_subject_alt_name.pem
index eae65f4..a6aa9a9 100644
--- a/crypto/x509/test/invalid_extension_leaf_subject_alt_name.pem
+++ b/crypto/x509/test/invalid_extension_leaf_subject_alt_name.pem
@@ -1,10 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBeTCCASCgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBxTCCAWqgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo0UwQzAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAOBgNVHREE
-B0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgDatlhmjkW4lgYc/eyrqJp1kxKrL8
-0WkPsmdUZmXiI1QCIC1bl+3ponxSaCvn81xKrQzuIq2OzWxy2PTHyNbPnGcz
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GOMIGLMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAeBgNVHR4EFzAVoBMw
+EYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdEQQHSU5WQUxJRDAKBggqhkjOPQQDAgNJ
+ADBGAiEAurYkjuxVgkxbmI1D+qM5RGXPPs7V74okqeQdURcL7HACIQDGNT6gcPDw
+Ax2Hm5GK3H5UrNEmD1K4IOxfKl9zguiffQ==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_leaf_subject_key_identifier.pem b/crypto/x509/test/invalid_extension_leaf_subject_key_identifier.pem
index d082bf8..1640d14 100644
--- a/crypto/x509/test/invalid_extension_leaf_subject_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_leaf_subject_key_identifier.pem
@@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
-MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0OBAdJTlZBTElEMAoGCCqGSM49BAMC
-A0kAMEYCIQDNfoYMjJUzrw2qxHKwopCt9lTQIfOCJDzndJwHLSI97gIhAIDRRWkU
-OpOxpzO5zJtvsPSuFJTPtFi6dKwyZA0VVX5m
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBcGA1Ud
+IwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
+HgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ4EB0lOVkFMSUQw
+CgYIKoZIzj0EAwIDSQAwRgIhAOgBejpWnjlxO/K8FMTGO7J+sHS6PAQohwvEgLmT
+KWhMAiEAuc5uRycxN44gGka2Of9zw09o50sKgS1Ckv+VhkDqgbg=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root.pem b/crypto/x509/test/invalid_extension_root.pem
index 9236111..2e211e2 100644
--- a/crypto/x509/test/invalid_extension_root.pem
+++ b/crypto/x509/test/invalid_extension_root.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBbjCCAROgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfDCCASKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozgwNjAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAKBggq
-hkjOPQQDAgNJADBGAiEAkLonK/c0Wai8LSe6Nhf3ln+dpPxIQD9z0e2bXzgp3ZgC
-IQDUjv8fhl6szNN6cV4NElVrsuFRigAvt6Z5M132Ybgavw==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0cwRTAOBgNVHQ8BAf8E
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
+HQ4EBgQEcm9vdDAKBggqhkjOPQQDAgNIADBFAiBd9AxKvRMSY7ll42h5jjYh5QtK
+Yu3fxeME1IeivVNzQAIhAPov0l/2FYwZmMGI9ihR3iD/8petRfp4E9JLQQd3TgL5
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_authority_key_identifier.pem b/crypto/x509/test/invalid_extension_root_authority_key_identifier.pem
index c2321b7..5c365b4 100644
--- a/crypto/x509/test/invalid_extension_root_authority_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_root_authority_key_identifier.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HSMEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgO/L4Oi8esLDZ5HQgVYd/GUey
-8yPPRUkfr8+ZH5YJ724CIQCToZDd4kEPRmwjS6R20n5qrDElE4SDBq8cmJEToh57
-3Q==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
+HQ4EBgQEcm9vdDAOBgNVHSMEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhAMVD
+OFcNzmPEdD2dJ3KWRGR15vQbXEXvimZgJdKtXdbLAiBfJOocLiQfPU7Nk3Qo0Ti1
+En0QfUATxx8DNR15cfcupQ==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_basic_constraints.pem b/crypto/x509/test/invalid_extension_root_basic_constraints.pem
index 4e507b3..54a54b6 100644
--- a/crypto/x509/test/invalid_extension_root_basic_constraints.pem
+++ b/crypto/x509/test/invalid_extension_root_basic_constraints.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBazCCARKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBejCCASGgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozcwNTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0TBAdJTlZBTElEMAoGCCqG
-SM49BAMCA0cAMEQCICRNoNJx8TOSe4FKoB7EdfvG56/zvzVK8F4SDV35nbfTAiAF
-QjSD7CDdbaRQymgX3ojBbAP3hj1fFbCzopKR7UUvxQ==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0YwRDAOBgNVHQ8BAf8E
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYDVR0OBAYEBHJvb3QwDgYDVR0T
+BAdJTlZBTElEMAoGCCqGSM49BAMCA0cAMEQCIB2OGsfTIUGaJ3iTXv2oung5pLKH
+VExVqc+KbnIyDbnaAiBwgxjlX+01/ERfGguz+W+00m4IZlzbyAp4dEs4rW9AXw==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_ext_key_usage.pem b/crypto/x509/test/invalid_extension_root_ext_key_usage.pem
index 17ac3a2..eaa6292 100644
--- a/crypto/x509/test/invalid_extension_root_ext_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_root_ext_key_usage.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBaDCCAQ6gAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBeDCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozMwMTAOBgNVHQ8BAf8E
-BAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHSUEB0lOVkFMSUQwCgYIKoZIzj0E
-AwIDSAAwRQIgVjuDRpd+kVlqUDJcX899ZsAoIvkSPxo/lCVJ+ae28BkCIQD/9Aig
-0CaivgJ8Z6mUW9ozp6ClMPfSpCEUtrhm/dg2og==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0IwQDAOBgNVHQ8BAf8E
+BAMCAgQwDwYDVR0TAQH/BAUwAwEB/zANBgNVHQ4EBgQEcm9vdDAOBgNVHSUEB0lO
+VkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAIY8RxbluUZ2M2PPy5IHnvdXRaQdIq3Z
+DFg9LwkxXl8NAiEAzdE/F19Upl4E7LmdnmGXz8BxhNB6e5CxiJJEdeexCn8=
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_key_usage.pem b/crypto/x509/test/invalid_extension_root_key_usage.pem
index 92ac0c6..4447d94 100644
--- a/crypto/x509/test/invalid_extension_root_key_usage.pem
+++ b/crypto/x509/test/invalid_extension_root_key_usage.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBbjCCAROgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfDCCASKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozgwNjATBgNVHSUEDDAK
-BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwQHSU5WQUxJRDAKBggq
-hkjOPQQDAgNJADBGAiEAmX21h0WJPZ8VjGRaGwYWAh2q7iS0Wzm+besT06qgnPwC
-IQCEF2G9d/DaDL7H9aw51xA0B+WwHBN5r1kx6b9A5pJVtg==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0cwRTATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GA1UdDgQGBARyb290MA4GA1Ud
+DwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEAt0anuhA0pecFMnlB4+M9lcy6
+VZsopjCniyHxfaaf1jQCICPaxHg+ztBFtOjCsr8nbgSy/JWYejF1uTjLYZKj5z6I
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_name_constraints.pem b/crypto/x509/test/invalid_extension_root_name_constraints.pem
index 3511236..73ca983 100644
--- a/crypto/x509/test/invalid_extension_root_name_constraints.pem
+++ b/crypto/x509/test/invalid_extension_root_name_constraints.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBizCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhALYRk6SPzWoKF3wLI6N+bWh/
-iap7zpRrAZqmL3EDTlitAiB0CFMk9r5h/RDkvrP4Z+JZKum9ZVbGew73cdjDVBA3
-dA==
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
+HQ4EBgQEcm9vdDAOBgNVHR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgHa/R
+i3/yXzHD61xU8mVWSnH39FP5V0mzcHqxKvGSlk4CICsg1HCVLPvYIVUd0Kc8bv6h
+uu6UUup8MlUdFrRJaOus
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_subject_alt_name.pem b/crypto/x509/test/invalid_extension_root_subject_alt_name.pem
index 0604bf6..bdf9ab4 100644
--- a/crypto/x509/test/invalid_extension_root_subject_alt_name.pem
+++ b/crypto/x509/test/invalid_extension_root_subject_alt_name.pem
@@ -1,10 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBfDCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgZKRMQGAIoUuzwYQS8UNkuTI5
-H9kJYpOGZhZ3esyfvC4CIAsJGY8kgzzFpLwd3e9Zp6WAPK/snDzF9Tb4KL+GB85n
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
+HQ4EBgQEcm9vdDAOBgNVHREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgZ12y
+9EulwmfqICXtykhGr9Pjfcdg6SacCreLx7454cYCIQCQkP5Ji2SW1Huzp6hE1oHw
+XwNwxFXV6XMJ+NylMYoJ3w==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/invalid_extension_root_subject_key_identifier.pem b/crypto/x509/test/invalid_extension_root_subject_key_identifier.pem
index eb17a7e..18c4cce 100644
--- a/crypto/x509/test/invalid_extension_root_subject_key_identifier.pem
+++ b/crypto/x509/test/invalid_extension_root_subject_key_identifier.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----
-MIIBfjCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAJbUNO8zfK439VpI2rrG9gTl
-fjunP2fKsz3EK8NUtS12AiEA1m9Uzb+sUTCGhAlGEsDkjFbp3SCbvbWn7YhzqJkR
-xvQ=
+HQ4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhAOOhlyJ15KAUZlokr35Y51mJ
+Ic8V3490rloGXldPJajUAiADevilj44K19daaJCFDSIRByO23doY7AmoeLt6YgNJ
+DQ==
-----END CERTIFICATE-----
diff --git a/crypto/x509/test/make_invalid_extensions.go b/crypto/x509/test/make_invalid_extensions.go
index 3d20942..d0c2cee 100644
--- a/crypto/x509/test/make_invalid_extensions.go
+++ b/crypto/x509/test/make_invalid_extensions.go
@@ -59,7 +59,7 @@
key *ecdsa.PrivateKey
}
-func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) {
+func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) []byte {
cert, err := x509.CreateCertificate(rand.Reader, &subject.template, &issuer.template, &subject.key.PublicKey, issuer.key)
if err != nil {
panic(err)
@@ -73,6 +73,7 @@
if err != nil {
panic(err)
}
+ return cert
}
func main() {
@@ -96,6 +97,7 @@
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageCertSign,
SignatureAlgorithm: x509.ECDSAWithSHA256,
+ SubjectKeyId: []byte("root"),
},
key: rootKey,
}
@@ -110,6 +112,7 @@
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageCertSign,
SignatureAlgorithm: x509.ECDSAWithSHA256,
+ SubjectKeyId: []byte("intermediate"),
},
key: intermediateKey,
}
@@ -125,6 +128,8 @@
KeyUsage: x509.KeyUsageCertSign,
SignatureAlgorithm: x509.ECDSAWithSHA256,
DNSNames: []string{"www.example.com"},
+ SubjectKeyId: []byte("leaf"),
+ PermittedDNSDomains: []string{"www.example.com"},
},
key: leafKey,
}
@@ -132,10 +137,15 @@
// Generate a valid certificate chain from the templates.
generateCertificateOrPanic("invalid_extension_root.pem", &root, &root)
generateCertificateOrPanic("invalid_extension_intermediate.pem", &intermediate, &root)
- generateCertificateOrPanic("invalid_extension_leaf.pem", &leaf, &intermediate)
+ leafDER := generateCertificateOrPanic("invalid_extension_leaf.pem", &leaf, &intermediate)
- // Make copies of each of the three certificates with invalid extensions.
- // These copies may be substituted into the valid chain.
+ leafCert, err := x509.ParseCertificate(leafDER)
+ if err != nil {
+ panic(err)
+ }
+
+ // Make copies of the certificates with invalid extensions. These copies may
+ // be substituted into the valid chain.
for _, ext := range extensions {
invalidExtension := []pkix.Extension{{Id: ext.oid, Value: []byte("INVALID")}}
@@ -150,6 +160,24 @@
leafInvalid := leaf
leafInvalid.template.ExtraExtensions = invalidExtension
generateCertificateOrPanic(fmt.Sprintf("invalid_extension_leaf_%s.pem", ext.name), &leafInvalid, &intermediate)
+
+ // Additionally generate a copy of the leaf certificate with extra data in
+ // the extension.
+ var trailingDataExtension []pkix.Extension
+ for _, leafExt := range leafCert.Extensions {
+ if leafExt.Id.Equal(ext.oid) {
+ newValue := make([]byte, len(leafExt.Value)+1)
+ copy(newValue, leafExt.Value)
+ trailingDataExtension = append(trailingDataExtension, pkix.Extension{Id: ext.oid, Critical: leafExt.Critical, Value: newValue})
+ }
+ }
+ if len(trailingDataExtension) != 1 {
+ panic(fmt.Sprintf("could not find sample extension %s", ext.name))
+ }
+
+ leafTrailingData := leaf
+ leafTrailingData.template.ExtraExtensions = trailingDataExtension
+ generateCertificateOrPanic(fmt.Sprintf("trailing_data_leaf_%s.pem", ext.name), &leafTrailingData, &intermediate)
}
}
diff --git a/crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem b/crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem
new file mode 100644
index 0000000..39ecde4
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAeBgNVHR4EFzAV
+oBMwEYIPd3d3LmV4YW1wbGUuY29tMBgGA1UdIwQRMA6ADGludGVybWVkaWF0ZQAw
+CgYIKoZIzj0EAwIDSQAwRgIhAJepDBm/DoCSSUe2wqmNTjSJxbdQ2I9abl66G7Fs
+6mguAiEAnlJysXppr3jMa5yOFEXRNGRVoBKr6GS/MvCwbeuIXvg=
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_basic_constraints.pem b/crypto/x509/test/trailing_data_leaf_basic_constraints.pem
new file mode 100644
index 0000000..14419d6
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_basic_constraints.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATANBgNVHQ4EBgQEbGVhZjAXBgNV
+HSMEEDAOgAxpbnRlcm1lZGlhdGUwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MB4GA1UdHgQXMBWgEzARgg93d3cuZXhhbXBsZS5jb20wDQYDVR0TAQH/BAMwAAAw
+CgYIKoZIzj0EAwIDSAAwRQIgB1c3+kIZdUX0w3ULyHU4ybkbnlpvhNZDEpqWueYU
+8C4CIQCdJv6LWwvdGNQ9FJxQhHpmZUaB7k/rqih3BYxR50m54A==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_ext_key_usage.pem b/crypto/x509/test/trailing_data_leaf_ext_key_usage.pem
new file mode 100644
index 0000000..e0f11a0
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_ext_key_usage.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDAMBgNVHRMBAf8EAjAAMA0GA1UdDgQGBARsZWFmMBcGA1UdIwQQMA6A
+DGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wHgYDVR0e
+BBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAUBgNVHSUEDTAKBggrBgEFBQcDAQAw
+CgYIKoZIzj0EAwIDSAAwRQIgORtSwqcycbej93AjlQp5UNCkHVIfvRcekoqAyX8d
+G9sCIQCQHEk/0/BK/KCigzr8UyCyjniemH99Ka0O9nGF8xoBmQ==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_key_usage.pem b/crypto/x509/test/trailing_data_leaf_key_usage.pem
new file mode 100644
index 0000000..759636f
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_key_usage.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBGxlYWYwFwYDVR0j
+BBAwDoAMaW50ZXJtZWRpYXRlMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAe
+BgNVHR4EFzAVoBMwEYIPd3d3LmV4YW1wbGUuY29tMA8GA1UdDwEB/wQFAwICBAAw
+CgYIKoZIzj0EAwIDSQAwRgIhAPlqfHIXlF4u9YZclOy8GQAAyE/lVQTSvZT9psfe
+KA7wAiEAt4/kRnYsDJLmJC2g4YwQlVVzIdmaII4GvsDqtPFtcBw=
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_name_constraints.pem b/crypto/x509/test/trailing_data_leaf_name_constraints.pem
new file mode 100644
index 0000000..bfb7d2b
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_name_constraints.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
+d3cuZXhhbXBsZS5jb20wHwYDVR0eBBgwFaATMBGCD3d3dy5leGFtcGxlLmNvbQAw
+CgYIKoZIzj0EAwIDSAAwRQIgTevxULZ+ge4Vb3FHa0xFQD1pdiXxHrwkCU81GHgd
+khMCIQCTahPY69HhJNemXhCKX6cNU9ciRqo5ZIijleHXafLOnQ==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_subject_alt_name.pem b/crypto/x509/test/trailing_data_leaf_subject_alt_name.pem
new file mode 100644
index 0000000..82cc493
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_subject_alt_name.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAeBgNVHR4EFzAVoBMw
+EYIPd3d3LmV4YW1wbGUuY29tMBsGA1UdEQQUMBGCD3d3dy5leGFtcGxlLmNvbQAw
+CgYIKoZIzj0EAwIDRwAwRAIgB5sQf45OpqWJqqKgPHMwB0tOcOv9K6FLdEQM3rLl
+tkcCIAFMvtwlvfIzbw1V6leaXucRfKrI6I2gqq9jyC+RdiMZ
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem b/crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem
new file mode 100644
index 0000000..e610bdf
--- /dev/null
+++ b/crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBcGA1Ud
+IwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
+HgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ4EBwQEbGVhZgAw
+CgYIKoZIzj0EAwIDRwAwRAIgZX4OegSkMvAY822XIS91eOzMhwt8jMS5aAp+jPwh
+S/sCICiNfc8gZkH72TTz8NYdKPJ20R9l4k42tDSz5DLabc78
+-----END CERTIFICATE-----
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 32b9af6..36d2a27 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2719,10 +2719,21 @@
.c_str());
ASSERT_TRUE(invalid_leaf);
+ bssl::UniquePtr<X509> trailing_leaf = CertFromPEM(
+ GetTestData((std::string("crypto/x509/test/trailing_data_leaf_") +
+ ext + ".pem")
+ .c_str())
+ .c_str());
+ ASSERT_TRUE(trailing_leaf);
+
EXPECT_EQ(
X509_V_ERR_INVALID_EXTENSION,
Verify(invalid_leaf.get(), {root.get()}, {intermediate.get()}, {}));
+ EXPECT_EQ(
+ X509_V_ERR_INVALID_EXTENSION,
+ Verify(trailing_leaf.get(), {root.get()}, {intermediate.get()}, {}));
+
// If the invalid extension is on an intermediate or root,
// |X509_verify_cert| notices by way of being unable to build a path to
// a valid issuer.
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 3fb0285..1b57f67 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -213,10 +213,27 @@
if (!(method = X509V3_EXT_get(ext)))
return NULL;
p = ext->value->data;
- if (method->it)
- return ASN1_item_d2i(NULL, &p, ext->value->length,
- ASN1_ITEM_ptr(method->it));
- return method->d2i(NULL, &p, ext->value->length);
+ void *ret;
+ if (method->it) {
+ ret = ASN1_item_d2i(NULL, &p, ext->value->length,
+ ASN1_ITEM_ptr(method->it));
+ } else {
+ ret = method->d2i(NULL, &p, ext->value->length);
+ }
+ if (ret == NULL) {
+ return NULL;
+ }
+ /* Check for trailing data. */
+ if (p != ext->value->data + ext->value->length) {
+ if (method->it) {
+ ASN1_item_free(ret, ASN1_ITEM_ptr(method->it));
+ } else {
+ method->ext_free(ret);
+ }
+ OPENSSL_PUT_ERROR(X509V3, X509V3_R_TRAILING_DATA_IN_EXTENSION);
+ return NULL;
+ }
+ return ret;
}
void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, int nid,
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 9c86b90..acff637 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -1016,5 +1016,6 @@
#define X509V3_R_UNSUPPORTED_TYPE 161
#define X509V3_R_USER_TOO_LONG 162
#define X509V3_R_INVALID_VALUE 163
+#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
#endif
diff --git a/sources.cmake b/sources.cmake
index ef9cac1..3d3465f 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -104,6 +104,13 @@
crypto/x509/test/some_names1.pem
crypto/x509/test/some_names2.pem
crypto/x509/test/some_names3.pem
+ crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem
+ crypto/x509/test/trailing_data_leaf_basic_constraints.pem
+ crypto/x509/test/trailing_data_leaf_ext_key_usage.pem
+ crypto/x509/test/trailing_data_leaf_key_usage.pem
+ crypto/x509/test/trailing_data_leaf_name_constraints.pem
+ crypto/x509/test/trailing_data_leaf_subject_alt_name.pem
+ crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem
third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
third_party/wycheproof_testvectors/aes_cmac_test.txt
third_party/wycheproof_testvectors/aes_gcm_siv_test.txt
