Check for trailing data in extensions.

X509V3_EXT_d2i should notice if an extension has extra data at the end.

Update-Note: Some previously accepted invalid certicates may be
rejected, either in certificate verification or in X509_get_ext_d2i.

Bug: 352
Change-Id: Iacbb74a52d15bf3318b4cb8271d44b0f0a2df137
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50285
Reviewed-by: Adam Langley <agl@google.com>

crypto/err/x509v3.errordata

@@ -53,6 +53,7 @@ X509V3,150,POLICY_PATH_LENGTH
 X509V3,151,POLICY_PATH_LENGTH_ALREADY_DEFINED
 X509V3,152,POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY
 X509V3,153,SECTION_NOT_FOUND
+X509V3,164,TRAILING_DATA_IN_EXTENSION
 X509V3,154,UNABLE_TO_GET_ISSUER_DETAILS
 X509V3,155,UNABLE_TO_GET_ISSUER_KEYID
 X509V3,156,UNKNOWN_BIT_STRING_ARGUMENT

crypto/x509/test/invalid_extension_intermediate.pem

@@ -1,10 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBdTCCARugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnjCCAUOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjODA2MA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjYDBeMA4G
 A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MAoGCCqGSM49BAMCA0gAMEUCIDkCS9RrLeO556C9apswg90ZdI2kn3ru31bp
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAKBggq
-a4Rqp82BAiEAqJn5GbUzqjVaI5UthWdcu1zmpdTJntbheeNstXa7k+E=
+hkjOPQQDAgNJADBGAiEA0XamFS9fNIkvjN4muFP3EYEuO3/y+WiNhewBtusrhD0C
+IQCmTHE7J6c+Pvtv4Ro2S/I3Pypr8sJNWdezoE5Okhf4Gw==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_authority_key_identifier.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnTCCAUKgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjXzBdMA4G
 A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdIwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEAl5TMKihFw6jD
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDgYDVR0jBAdJTlZBTElEMAoGCCqG
-ajc1I7R177t3d4HyW7qCB/M3PHu9HDsCIDI0oBBsuXAHX43N1Jx8LO0sMAzujYom
+SM49BAMCA0kAMEYCIQDKVSKO0wAESfYL/ZRzKj3rBxolJ9+GHKxNTXnmf7w6sAIh
-/NZn/qBanQnZ
+AM0mSwKy1M+w7th5s0XhfImVfpi+V4Xxbtz8AWN6Grfm
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_basic_constraints.pem

@@ -1,10 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBdTCCARqgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnDCCAUKgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjNzA1MA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjXzBdMA4G
-A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHRMEB0lOVkFM
+A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAVBgNVHQ4EDgQMaW50
-SUQwCgYIKoZIzj0EAwIDSQAwRgIhAK/zCwmg3s63Ndeg9piiBbMsUF6ZPcNFltEa
+ZXJtZWRpYXRlMA8GA1UdIwQIMAaABHJvb3QwDgYDVR0TBAdJTlZBTElEMAoGCCqG
-3cKSMPthAiEAkMq/CmljQigMgXVWOhacYeRLyzZyi2i9hOjrCeKFuno=
+SM49BAMCA0gAMEUCIARJW0WA3S/H8amVP7H8BLJj6AnNocXOC4FkQY1YNNdSAiEA
+/Y4tQ2nvQhDuBGxdkDfR5wyYLOuS+t/CWIiV3A63VsM=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_ext_key_usage.pem

@@ -1,10 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBbzCCARagAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBmTCCAT6gAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjMzAxMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjWzBZMA4G
-A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdJQQHSU5WQUxJRDAK
+A1UdDwEB/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MBUGA1UdDgQOBAxpbnRlcm1l
-BggqhkjOPQQDAgNHADBEAiAGr6/3ad6TX4h/HgD5oFiifT7SsRzYVD1yvfyHEYRI
+ZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNVHSUEB0lOVkFMSUQwCgYIKoZIzj0E
-qgIgYDbO0XKLN9kSUF8ZBaLPyC1AIbw+m9cQy4/GaJuzxH4=
+AwIDSQAwRgIhALzNOt3jZR7ZP0DWt0hw3SRu5l8dcKYy49xVNIY3D8OuAiEA4KHg
+Sfy+XLtLvVG9Tnbbh3XS+iLHiDUsYCGivpTAb44=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_key_usage.pem

@@ -1,10 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBdDCCARugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBnTCCAUOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjODA2MBMG
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjYDBeMBMG
-A1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PBAdJTlZB
+A1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wFQYDVR0OBA4EDGlu
-TElEMAoGCCqGSM49BAMCA0cAMEQCIE1gJ4wr8D0UPRfhQ5sx1WJWEOc+IEtktigk
+dGVybWVkaWF0ZTAPBgNVHSMECDAGgARyb290MA4GA1UdDwQHSU5WQUxJRDAKBggq
-giSupcouAiBFa441h0NvODAwsb39sQ/uaUhucb11vwKSZItwViMp/w==
+hkjOPQQDAgNIADBFAiEAtoKHHh57yauGrcGren78p+jqfq41XmuwaF6vQ7BfmxQC
+IHCPCJcys8DqJOXId0F6fyk/Dk7jixFnmwW8S5E8N+Ee
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_name_constraints.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBrDCCAVOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjcDBuMA4G
 A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdHgQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiB7QedoT6bEccGY
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNV
-/Pofovdtfdzl/AXCtbJjiu59Yt3UTAIhANdfkR5PShTke3o9diKz6G/cVvL9jkF2
+HR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgFTYJwndHsZh13cYj4EfDZFNe
-SKzPRxnRVxNo
+ckt9rkRJjEP7nDGyD44CIAE6M7HDjbJRjJbYsAfc45ax00i9htFjb88t6AJyDU9M
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_subject_alt_name.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBhDCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBrjCCAVOgAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjcDBuMA4G
 A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdEQQHSU5WQUxJRDAKBggqhkjOPQQDAgNHADBEAiA4J8X4tb775IOP
+AQH/MBUGA1UdDgQOBAxpbnRlcm1lZGlhdGUwDwYDVR0jBAgwBoAEcm9vdDAOBgNV
-gBZ8BjlQZXPaRAgO/0d8a5Bgb5j0awIgN1i84TX34Dm8SjArcZLN38mm0zbrvEY0
+HREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAI49whD5azejKejI1xowdbu7
-wILouqC75wI=
+LHeT2wNanCCU+KCOoBFPAiEAoog5xR90Z2lWsLJEPWiw7WLJMNuZBDINLNVDCA5d
+D0k=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_intermediate_subject_key_identifier.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBljCCATygAwIBAgIBAjAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowKjEoMCYGA1UEAxMfSW52YWxpZCBFeHRlbnNpb25zIEludGVybWVkaWF0ZTBZ
 MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI6fKiM3jFLkLyAn88cvlw4SwxuygRj
-opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjSDBGMA4G
+opP3FFBKHyUQvh3VVvfqSpSCSmp50QiajQ6Dg7CTpVZVVH+bguT7JTCjWTBXMA4G
 A1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDgQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiBXToga6ILFNSXj
+AQH/MA8GA1UdIwQIMAaABHJvb3QwDgYDVR0OBAdJTlZBTElEMAoGCCqGSM49BAMC
-FiwI/ZaZvJubBHzMcrEXtIv85ybV3wIhAL3DMOezrq+dSjf+RdshlTDKwvTY8QYX
+A0gAMEUCIDsbBMbAWuJq9VnfrSjLBTK6TSfskt3i0ns2y/9FEW04AiEAkjyacdGb
-ehvRzctnYHTd
+sk1wvjrVc5ny6O96NvUGkdO1/GNdPNKPYWQ=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBhzCCASygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBzzCCAXagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GaMIGXMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
-EzARgg93d3cuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAJ1DkyH6QYsM
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
-bxN/aXhKYGFc1upPpxfHrzmVrVrYq34GAiEAgzAn1bws7mwi4fTBJ4XY44OisCi6
+d3cuZXhhbXBsZS5jb20wHgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAK
-gPDLe2H4Esop38o=
+BggqhkjOPQQDAgNHADBEAiAJtROn4TOAvfttoQJ6RsqnsaR1WaP+CKzWXjARJxtQ
+LwIgGmbRenVTFx8ho17JY8ncV5qaJqc0EXN56twt9SccKqE=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_authority_key_identifier.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBljCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIByDCCAW2gAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GRMIGOMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0jBAdJTlZBTElEMAoGCCqGSM49BAMC
+DgQGBARsZWFmMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAeBgNVHR4EFzAV
-A0gAMEUCIDCqsRJC3IrUHxm5txOfnjrpGmoeSvr1EhVFDhHCuV6GAiEAwJ15sf7y
+oBMwEYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdIwQHSU5WQUxJRDAKBggqhkjOPQQD
-+CGw0rzYTLUHw4nc5aJC9oKOhypg3SrQeGw=
+AgNJADBGAiEAj6hhgnfiI0zt38N98eQsfJCJ8ZGkLfH+69OOUISls2QCIQDtyWhN
+L/7L787+zkUazG4HvZ/YHO7hbWQAfMQVbk/iRA==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_basic_constraints.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBiDCCAS6gAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIB0zCCAXigAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1MwUTAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GcMIGZMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPd3d3LmV4YW1w
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATANBgNVHQ4EBgQEbGVhZjAXBgNV
-bGUuY29tMA4GA1UdEwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEA6btgd6HI
+HSMEEDAOgAxpbnRlcm1lZGlhdGUwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
-SCvxfnaHqhAiBjLl665JJC/wpSejPlxFmI0CIGZ7pLkRuQKv132ffDBmobAsBBnT
+MB4GA1UdHgQXMBWgEzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0TBAdJTlZBTElE
-YXmJWAHc4rsJCYEx
+MAoGCCqGSM49BAMCA0kAMEYCIQDo/XMevx8IdL+LOl55riE3otGDWKDDPgaZKA43
+snAJAwIhAJtgm2YNclXG1i8PzrSqZ5Y5mvBMgtjTfW/7ld7ED3pK
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_ext_key_usage.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCASegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIByzCCAXGgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo0wwSjAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GVMIGSMA4GA1UdDwEB
-BAMCAgQwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
+/wQEAwICBDAMBgNVHRMBAf8EAjAAMA0GA1UdDgQGBARsZWFmMBcGA1UdIwQQMA6A
-DgYDVR0lBAdJTlZBTElEMAoGCCqGSM49BAMCA0gAMEUCIH3jx0mZhPAY2QZHYVPQ
+DGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wHgYDVR0e
-ld6RNFGris9CFCD8AMOaZTR+AiEAgr4hSxoIm3g/CVeQkDORqgSrXU0AuVvQL2KO
+BBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHSUEB0lOVkFMSUQwCgYIKoZI
-NM5UG1Q=
+zj0EAwIDSAAwRQIhAJwe+EZy9v2fW6bYAE8T2NEJjc0SDLoHshJOae3yOYMoAiB1
+kTrY4iuQKBwbbAokFgnHr+Ev1aXcmjRn0sJFDesUAw==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_key_usage.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBhjCCASygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBzzCCAXagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzATBgNVHSUEDDAK
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GaMIGXMBMGA1UdJQQM
-BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxl
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBGxlYWYwFwYDVR0j
-LmNvbTAOBgNVHQ8EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgPoSLUcWwjnDx
+BBAwDoAMaW50ZXJtZWRpYXRlMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAe
-3N+DJPzpgHRRSZtJz6w5njQ+zcyQvrQCIQDThWHI9F5s6xQN42stFw0sasdWFc/9
+BgNVHR4EFzAVoBMwEYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdDwQHSU5WQUxJRDAK
-No9QQf1zbGfGDw==
+BggqhkjOPQQDAgNHADBEAiAoWszkhUlrT+vn0BqkA8yuuyCQ7HvK8KQOJsvzFYkS
+qwIgbzwpATgcK7hhRG+GIO8v/MWqomOLExlQYcGIPPODHH0=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_name_constraints.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBljCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBvzCCAWagAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GKMIGHMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0eBAdJTlZBTElEMAoGCCqGSM49BAMC
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
-A0gAMEUCIQCYofdTDXH2HIpc/ZSI6IQVCM0L0/QbKbEOGeAwDtikGAIgV48ECoAt
+d3cuZXhhbXBsZS5jb20wDgYDVR0eBAdJTlZBTElEMAoGCCqGSM49BAMCA0cAMEQC
-8maDdh8y9qj/TZe6XA39BzkjtsLKhecCuV8=
+IDBcHYVfj62g5y2gP/TTvH3VQr4XG/QNZLL6N8H/A8arAiB95102dlC8zVt4beDe
+ejD7/YA0FNMSgEnAZ1VgzPejxA==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_subject_alt_name.pem

@@ -1,10 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBeTCCASCgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIBxTCCAWqgAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo0UwQzAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GOMIGLMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAOBgNVHREE
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
-B0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgDatlhmjkW4lgYc/eyrqJp1kxKrL8
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAeBgNVHR4EFzAVoBMw
-0WkPsmdUZmXiI1QCIC1bl+3ponxSaCvn81xKrQzuIq2OzWxy2PTHyNbPnGcz
+EYIPd3d3LmV4YW1wbGUuY29tMA4GA1UdEQQHSU5WQUxJRDAKBggqhkjOPQQDAgNJ
+ADBGAiEAurYkjuxVgkxbmI1D+qM5RGXPPs7V74okqeQdURcL7HACIQDGNT6gcPDw
+Ax2Hm5GK3H5UrNEmD1K4IOxfKl9zguiffQ==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_leaf_subject_key_identifier.pem

@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
 IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
 MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
-EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2EwXzAOBgNVHQ8BAf8E
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREE
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBcGA1Ud
-EzARgg93d3cuZXhhbXBsZS5jb20wDgYDVR0OBAdJTlZBTElEMAoGCCqGSM49BAMC
+IwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
-A0kAMEYCIQDNfoYMjJUzrw2qxHKwopCt9lTQIfOCJDzndJwHLSI97gIhAIDRRWkU
+HgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ4EB0lOVkFMSUQw
-OpOxpzO5zJtvsPSuFJTPtFi6dKwyZA0VVX5m
+CgYIKoZIzj0EAwIDSQAwRgIhAOgBejpWnjlxO/K8FMTGO7J+sHS6PAQohwvEgLmT
+KWhMAiEAuc5uRycxN44gGka2Of9zw09o50sKgS1Ckv+VhkDqgbg=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBbjCCAROgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfDCCASKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozgwNjAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0cwRTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAKBggq
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
-hkjOPQQDAgNJADBGAiEAkLonK/c0Wai8LSe6Nhf3ln+dpPxIQD9z0e2bXzgp3ZgC
+HQ4EBgQEcm9vdDAKBggqhkjOPQQDAgNIADBFAiBd9AxKvRMSY7ll42h5jjYh5QtK
-IQDUjv8fhl6szNN6cV4NElVrsuFRigAvt6Z5M132Ybgavw==
+Yu3fxeME1IeivVNzQAIhAPov0l/2FYwZmMGI9ihR3iD/8petRfp4E9JLQQd3TgL5
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_authority_key_identifier.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
-HSMEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgO/L4Oi8esLDZ5HQgVYd/GUey
+HQ4EBgQEcm9vdDAOBgNVHSMEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhAMVD
-8yPPRUkfr8+ZH5YJ724CIQCToZDd4kEPRmwjS6R20n5qrDElE4SDBq8cmJEToh57
+OFcNzmPEdD2dJ3KWRGR15vQbXEXvimZgJdKtXdbLAiBfJOocLiQfPU7Nk3Qo0Ti1
-3Q==
+En0QfUATxx8DNR15cfcupQ==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_basic_constraints.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBazCCARKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBejCCASGgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozcwNTAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0YwRDAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0TBAdJTlZBTElEMAoGCCqG
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYDVR0OBAYEBHJvb3QwDgYDVR0T
-SM49BAMCA0cAMEQCICRNoNJx8TOSe4FKoB7EdfvG56/zvzVK8F4SDV35nbfTAiAF
+BAdJTlZBTElEMAoGCCqGSM49BAMCA0cAMEQCIB2OGsfTIUGaJ3iTXv2oung5pLKH
-QjSD7CDdbaRQymgX3ojBbAP3hj1fFbCzopKR7UUvxQ==
+VExVqc+KbnIyDbnaAiBwgxjlX+01/ERfGguz+W+00m4IZlzbyAp4dEs4rW9AXw==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_ext_key_usage.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBaDCCAQ6gAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBeDCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozMwMTAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0IwQDAOBgNVHQ8BAf8E
-BAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHSUEB0lOVkFMSUQwCgYIKoZIzj0E
+BAMCAgQwDwYDVR0TAQH/BAUwAwEB/zANBgNVHQ4EBgQEcm9vdDAOBgNVHSUEB0lO
-AwIDSAAwRQIgVjuDRpd+kVlqUDJcX899ZsAoIvkSPxo/lCVJ+ae28BkCIQD/9Aig
+VkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAIY8RxbluUZ2M2PPy5IHnvdXRaQdIq3Z
-0CaivgJ8Z6mUW9ozp6ClMPfSpCEUtrhm/dg2og==
+DFg9LwkxXl8NAiEAzdE/F19Upl4E7LmdnmGXz8BxhNB6e5CxiJJEdeexCn8=
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_key_usage.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBbjCCAROgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfDCCASKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjoltozgwNjATBgNVHSUEDDAK
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0cwRTATBgNVHSUEDDAK
-BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwQHSU5WQUxJRDAKBggq
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GA1UdDgQGBARyb290MA4GA1Ud
-hkjOPQQDAgNJADBGAiEAmX21h0WJPZ8VjGRaGwYWAh2q7iS0Wzm+besT06qgnPwC
+DwQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiEAt0anuhA0pecFMnlB4+M9lcy6
-IQCEF2G9d/DaDL7H9aw51xA0B+WwHBN5r1kx6b9A5pJVtg==
+VZsopjCniyHxfaaf1jQCICPaxHg+ztBFtOjCsr8nbgSy/JWYejF1uTjLYZKj5z6I
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_name_constraints.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBizCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
-HR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhALYRk6SPzWoKF3wLI6N+bWh/
+HQ4EBgQEcm9vdDAOBgNVHR4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgHa/R
-iap7zpRrAZqmL3EDTlitAiB0CFMk9r5h/RDkvrP4Z+JZKum9ZVbGew73cdjDVBA3
+i3/yXzHD61xU8mVWSnH39FP5V0mzcHqxKvGSlk4CICsg1HCVLPvYIVUd0Kc8bv6h
-dA==
+uu6UUup8MlUdFrRJaOus
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_subject_alt_name.pem

@@ -1,10 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBfDCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
-B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
+B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto1cwVTAOBgNVHQ8BAf8E
-BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zANBgNV
-HREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDRwAwRAIgZKRMQGAIoUuzwYQS8UNkuTI5
+HQ4EBgQEcm9vdDAOBgNVHREEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgZ12y
-H9kJYpOGZhZ3esyfvC4CIAsJGY8kgzzFpLwd3e9Zp6WAPK/snDzF9Tb4KL+GB85n
+9EulwmfqICXtykhGr9Pjfcdg6SacCreLx7454cYCIQCQkP5Ji2SW1Huzp6hE1oHw
+XwNwxFXV6XMJ+NylMYoJ3w==
 -----END CERTIFICATE-----

crypto/x509/test/invalid_extension_root_subject_key_identifier.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBfjCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
+MIIBfTCCASOgAwIBAgIBATAKBggqhkjOPQQDAjAiMSAwHgYDVQQDExdJbnZhbGlk
 IEV4dGVuc2lvbnMgUm9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAw
 MFowIjEgMB4GA1UEAxMXSW52YWxpZCBFeHRlbnNpb25zIFJvb3QwWTATBgcqhkjO
 PQIBBggqhkjOPQMBBwNCAAQmdqXYl1GvY7y3jcTTK6MVXIQr44TqChRYI6IeV9tI
 B6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolto0gwRjAOBgNVHQ8BAf8E
 BAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSQAwRgIhAJbUNO8zfK439VpI2rrG9gTl
+HQ4EB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIhAOOhlyJ15KAUZlokr35Y51mJ
-fjunP2fKsz3EK8NUtS12AiEA1m9Uzb+sUTCGhAlGEsDkjFbp3SCbvbWn7YhzqJkR
+Ic8V3490rloGXldPJajUAiADevilj44K19daaJCFDSIRByO23doY7AmoeLt6YgNJ
-xvQ=
+DQ==
 -----END CERTIFICATE-----

crypto/x509/test/make_invalid_extensions.go

@@ -59,7 +59,7 @@ type templateAndKey struct {
 	key      *ecdsa.PrivateKey
 }
 
-func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) {
+func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) []byte {
 	cert, err := x509.CreateCertificate(rand.Reader, &subject.template, &issuer.template, &subject.key.PublicKey, issuer.key)
 	if err != nil {
 		panic(err)
@@ -73,6 +73,7 @@ func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) {
 	if err != nil {
 		panic(err)
 	}
+	return cert
 }
 
 func main() {
@@ -96,6 +97,7 @@ func main() {
 			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 			KeyUsage:              x509.KeyUsageCertSign,
 			SignatureAlgorithm:    x509.ECDSAWithSHA256,
+			SubjectKeyId:          []byte("root"),
 		},
 		key: rootKey,
 	}
@@ -110,6 +112,7 @@ func main() {
 			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 			KeyUsage:              x509.KeyUsageCertSign,
 			SignatureAlgorithm:    x509.ECDSAWithSHA256,
+			SubjectKeyId:          []byte("intermediate"),
 		},
 		key: intermediateKey,
 	}
@@ -125,6 +128,8 @@ func main() {
 			KeyUsage:              x509.KeyUsageCertSign,
 			SignatureAlgorithm:    x509.ECDSAWithSHA256,
 			DNSNames:              []string{"www.example.com"},
+			SubjectKeyId:          []byte("leaf"),
+			PermittedDNSDomains:   []string{"www.example.com"},
 		},
 		key: leafKey,
 	}
@@ -132,10 +137,15 @@ func main() {
 	// Generate a valid certificate chain from the templates.
 	generateCertificateOrPanic("invalid_extension_root.pem", &root, &root)
 	generateCertificateOrPanic("invalid_extension_intermediate.pem", &intermediate, &root)
-	generateCertificateOrPanic("invalid_extension_leaf.pem", &leaf, &intermediate)
+	leafDER := generateCertificateOrPanic("invalid_extension_leaf.pem", &leaf, &intermediate)
 
-	// Make copies of each of the three certificates with invalid extensions.
+	leafCert, err := x509.ParseCertificate(leafDER)
-	// These copies may be substituted into the valid chain.
+	if err != nil {
+		panic(err)
+	}
+
+	// Make copies of the certificates with invalid extensions. These copies may
+	// be substituted into the valid chain.
 	for _, ext := range extensions {
 		invalidExtension := []pkix.Extension{{Id: ext.oid, Value: []byte("INVALID")}}
 
@@ -150,6 +160,24 @@ func main() {
 		leafInvalid := leaf
 		leafInvalid.template.ExtraExtensions = invalidExtension
 		generateCertificateOrPanic(fmt.Sprintf("invalid_extension_leaf_%s.pem", ext.name), &leafInvalid, &intermediate)
+
+		// Additionally generate a copy of the leaf certificate with extra data in
+		// the extension.
+		var trailingDataExtension []pkix.Extension
+		for _, leafExt := range leafCert.Extensions {
+			if leafExt.Id.Equal(ext.oid) {
+				newValue := make([]byte, len(leafExt.Value)+1)
+				copy(newValue, leafExt.Value)
+				trailingDataExtension = append(trailingDataExtension, pkix.Extension{Id: ext.oid, Critical: leafExt.Critical, Value: newValue})
+			}
+		}
+		if len(trailingDataExtension) != 1 {
+			panic(fmt.Sprintf("could not find sample extension %s", ext.name))
+		}
+
+		leafTrailingData := leaf
+		leafTrailingData.template.ExtraExtensions = trailingDataExtension
+		generateCertificateOrPanic(fmt.Sprintf("trailing_data_leaf_%s.pem", ext.name), &leafTrailingData, &intermediate)
 	}
 }
 

crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAeBgNVHR4EFzAV
+oBMwEYIPd3d3LmV4YW1wbGUuY29tMBgGA1UdIwQRMA6ADGludGVybWVkaWF0ZQAw
+CgYIKoZIzj0EAwIDSQAwRgIhAJepDBm/DoCSSUe2wqmNTjSJxbdQ2I9abl66G7Fs
+6mguAiEAnlJysXppr3jMa5yOFEXRNGRVoBKr6GS/MvCwbeuIXvg=
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_basic_constraints.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATANBgNVHQ4EBgQEbGVhZjAXBgNV
+HSMEEDAOgAxpbnRlcm1lZGlhdGUwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MB4GA1UdHgQXMBWgEzARgg93d3cuZXhhbXBsZS5jb20wDQYDVR0TAQH/BAMwAAAw
+CgYIKoZIzj0EAwIDSAAwRQIgB1c3+kIZdUX0w3ULyHU4ybkbnlpvhNZDEpqWueYU
+8C4CIQCdJv6LWwvdGNQ9FJxQhHpmZUaB7k/rqih3BYxR50m54A==
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_ext_key_usage.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDAMBgNVHRMBAf8EAjAAMA0GA1UdDgQGBARsZWFmMBcGA1UdIwQQMA6A
+DGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wHgYDVR0e
+BBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAUBgNVHSUEDTAKBggrBgEFBQcDAQAw
+CgYIKoZIzj0EAwIDSAAwRQIgORtSwqcycbej93AjlQp5UNCkHVIfvRcekoqAyX8d
+G9sCIQCQHEk/0/BK/KCigzr8UyCyjniemH99Ka0O9nGF8xoBmQ==
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_key_usage.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYDVR0OBAYEBGxlYWYwFwYDVR0j
+BBAwDoAMaW50ZXJtZWRpYXRlMBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLmNvbTAe
+BgNVHR4EFzAVoBMwEYIPd3d3LmV4YW1wbGUuY29tMA8GA1UdDwEB/wQFAwICBAAw
+CgYIKoZIzj0EAwIDSQAwRgIhAPlqfHIXlF4u9YZclOy8GQAAyE/lVQTSvZT9psfe
+KA7wAiEAt4/kRnYsDJLmJC2g4YwQlVVzIdmaII4GvsDqtPFtcBw=
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_name_constraints.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93
+d3cuZXhhbXBsZS5jb20wHwYDVR0eBBgwFaATMBGCD3d3dy5leGFtcGxlLmNvbQAw
+CgYIKoZIzj0EAwIDSAAwRQIgTevxULZ+ge4Vb3FHa0xFQD1pdiXxHrwkCU81GHgd
+khMCIQCTahPY69HhJNemXhCKX6cNU9ciRqo5ZIijleHXafLOnQ==
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_subject_alt_name.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GA1Ud
+DgQGBARsZWFmMBcGA1UdIwQQMA6ADGludGVybWVkaWF0ZTAeBgNVHR4EFzAVoBMw
+EYIPd3d3LmV4YW1wbGUuY29tMBsGA1UdEQQUMBGCD3d3dy5leGFtcGxlLmNvbQAw
+CgYIKoZIzj0EAwIDRwAwRAIgB5sQf45OpqWJqqKgPHMwB0tOcOv9K6FLdEQM3rLl
+tkcCIAFMvtwlvfIzbw1V6leaXucRfKrI6I2gqq9jyC+RdiMZ
+-----END CERTIFICATE-----

crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXegAwIBAgIBAzAKBggqhkjOPQQDAjAqMSgwJgYDVQQDEx9JbnZhbGlk
+IEV4dGVuc2lvbnMgSW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAw
+MTAxMDAwMDAwWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZR
+EvmcBCJBjVIREacRqI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GbMIGYMA4GA1UdDwEB
+/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBcGA1Ud
+IwQQMA6ADGludGVybWVkaWF0ZTAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20w
+HgYDVR0eBBcwFaATMBGCD3d3dy5leGFtcGxlLmNvbTAOBgNVHQ4EBwQEbGVhZgAw
+CgYIKoZIzj0EAwIDRwAwRAIgZX4OegSkMvAY822XIS91eOzMhwt8jMS5aAp+jPwh
+S/sCICiNfc8gZkH72TTz8NYdKPJ20R9l4k42tDSz5DLabc78
+-----END CERTIFICATE-----

crypto/x509/x509_test.cc

@@ -2719,10 +2719,21 @@ TEST(X509Test, InvalidExtensions) {
             .c_str());
     ASSERT_TRUE(invalid_leaf);
 
+    bssl::UniquePtr<X509> trailing_leaf = CertFromPEM(
+        GetTestData((std::string("crypto/x509/test/trailing_data_leaf_") +
+                     ext + ".pem")
+                        .c_str())
+            .c_str());
+    ASSERT_TRUE(trailing_leaf);
+
     EXPECT_EQ(
         X509_V_ERR_INVALID_EXTENSION,
         Verify(invalid_leaf.get(), {root.get()}, {intermediate.get()}, {}));
 
+    EXPECT_EQ(
+        X509_V_ERR_INVALID_EXTENSION,
+        Verify(trailing_leaf.get(), {root.get()}, {intermediate.get()}, {}));
+
     // If the invalid extension is on an intermediate or root,
     // |X509_verify_cert| notices by way of being unable to build a path to
     // a valid issuer.

crypto/x509v3/v3_lib.c

@@ -213,10 +213,27 @@ void *X509V3_EXT_d2i(const X509_EXTENSION *ext)
     if (!(method = X509V3_EXT_get(ext)))
         return NULL;
     p = ext->value->data;
-    if (method->it)
+    void *ret;
-        return ASN1_item_d2i(NULL, &p, ext->value->length,
+    if (method->it) {
+        ret = ASN1_item_d2i(NULL, &p, ext->value->length,
                             ASN1_ITEM_ptr(method->it));
-    return method->d2i(NULL, &p, ext->value->length);
+    } else {
+        ret = method->d2i(NULL, &p, ext->value->length);
+    }
+    if (ret == NULL) {
+        return NULL;
+    }
+    /* Check for trailing data. */
+    if (p != ext->value->data + ext->value->length) {
+        if (method->it) {
+            ASN1_item_free(ret, ASN1_ITEM_ptr(method->it));
+        } else {
+            method->ext_free(ret);
+        }
+        OPENSSL_PUT_ERROR(X509V3, X509V3_R_TRAILING_DATA_IN_EXTENSION);
+        return NULL;
+    }
+    return ret;
 }
 
 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, int nid,

include/openssl/x509v3.h

@@ -1016,5 +1016,6 @@ BSSL_NAMESPACE_END
 #define X509V3_R_UNSUPPORTED_TYPE 161
 #define X509V3_R_USER_TOO_LONG 162
 #define X509V3_R_INVALID_VALUE 163
+#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
 
 #endif

sources.cmake

@@ -104,6 +104,13 @@ set(
   crypto/x509/test/some_names1.pem
   crypto/x509/test/some_names2.pem
   crypto/x509/test/some_names3.pem
+  crypto/x509/test/trailing_data_leaf_authority_key_identifier.pem
+  crypto/x509/test/trailing_data_leaf_basic_constraints.pem
+  crypto/x509/test/trailing_data_leaf_ext_key_usage.pem
+  crypto/x509/test/trailing_data_leaf_key_usage.pem
+  crypto/x509/test/trailing_data_leaf_name_constraints.pem
+  crypto/x509/test/trailing_data_leaf_subject_alt_name.pem
+  crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem
   third_party/wycheproof_testvectors/aes_cbc_pkcs5_test.txt
   third_party/wycheproof_testvectors/aes_cmac_test.txt
   third_party/wycheproof_testvectors/aes_gcm_siv_test.txt