Test a bad SmtpUTF8Mailbox name constraint

We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)

test/certs/bad-othername-namec-inter.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZSb290
+IDIwHhcNMjEwNjAyMTMwMzExWhcNMjEwNzAyMTMwMzExWjAPMQ0wCwYDVQQDDARS
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvfhnjWl5hnF1ecJv
+kq21AWOfHhPsQT/5juFA/v/goAFatKr40+k7Jy3qQ79FRLBf2l4yMun8K7ZPMFfV
+q7q3SliOmLqRq0Uf1Eyh8KdQTWc5QIhNttlDaP8EMDuoTJK2NIUTenV/y5errWNJ
+l1a8l+kbI6PuKTyziAi524Hja7BH4nQ5rk2vb3nc4vlRAYZtke2MMeHSxZhvkZj/
+UtAfAu2Ql9auc6sfViGuaBc4sShS2F7rmQnJmmf0+qW6y9VoYV68HC7EsO22UDXd
+aYhY2To9al04rdL0rDDw018Z8VbcW6lwPOkgfbpQDl9fvuFFfxb/2t7soRsAcuKr
++gbWmQIDAQABoy4wLDAPBgNVHRMBAf8EBTADAQH/MBkGA1UdHgQSMBCgDDAKgQgu
+Zm9vLmNvbaEAMA0GCSqGSIb3DQEBCwUAA4IBAQCA9aWhpHdUM/9yx0HRgkW5M8IS
+zc83Fzbhv3/32s8H2gplxq+XqfIIdoOosgnaEi01ynPncG6IWqj4hfOuoyoorZA3
+cmubAjkHrTu8VaMgZL43SwvyWda7atpCOo7rGdz+LL9hH/jcwhLtEqoB+Tdj6wOp
+1O14ndCLi0XXoBezsCpmGtjF7aIunsu6yxJN7b/nTcKh/XSAxjpsa6GlNXTbfJyL
+BAUiksQ1KTiW8LyF9IRjckpkf1RH9pqBD8vVeunEpXOUPGOfseL5AAXbvYI6iN70
+aCxKkiRwqX7ZK0lL9Oh+hhaVqqdPnGxb+O3ZX/88FvKvWiicnftMx56lzv4H
+-----END CERTIFICATE-----

test/certs/bad-othername-namec-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArQTbBNa+PaMZw/guenN8vEa/Q8dhG0jnwSt78qkaXt1a/CKp
+M/NWG1FL9TnOa0j3mjrZJ9/ePzd8TfJw8arpNToFL9rZ6eqs3QB45OIf0gAIvkN4
+NNre7UInM9CpdiMdNf/jldJWi8yPIyogDOrhB5mtAVJfCsd9cn4JmMncqQcZ0Mto
+Jjm10y+Nn6Li1efV9zQ974M8KY14vhPyxGklqiRWM/+M3UzhhklCdxyYLGpp9tou
+KjwaO3nnGQ1lqgbJIfs0ciRHdcrh/CkK5zSySpCeep1NumjwzmN7s+jPtjoBmbWW
+jc3KFnEfTBet3FgXXath2fpxKYZSHD044/63kQIDAQABAoIBACx6oxOLYTzXQThw
+BQLVzatZRLJX/07UXz/5vdOURYM9xLYs8vK4C9rZ+3z/b2GFUKIFnu3xT2FRElO3
+j/GQzoMwd0TmLj9EZUwrYuj0eNmzyIuhLLXpzoWQDCP18Jq+TDQlpIxPlpA59lJD
+8hlgCJm7mA5O7sAGqOlWHYF545BQJq/wNcsgKjLZ4y5Ef8SRT9v/JZOVhCMTX4pV
+kn67XTQ9qNH51E963QCMOxa4DSHeduZWLpEwBbpJpXvVLKuUmb8JYWfgjdAjtm3W
+qyQzjeGnjX1ZNkvBIBmfYYZ99pNtoy/tdbb0G87GYNf/WHFUtckU1/IqPeMuG5Q1
+8m8SGwECgYEA3FwGueYji4IFL9lyIgccnzssQ2lQ4Xh75R1JMKvi3usFFPby38EY
+z8Fpyqa/vLQtg+6ne5L1Qxl2U4Vqyzw3RKNOONkCd0qCIG7/NDRoxUmE+6ojHrbi
+4F5sTPZDmGrwGdVKUjeVK/nKIHTDyZjuJl9Mb6BG0xZj6waFnQxGoT0CgYEAyQCy
+mmLC8GjtvTHGDjlDAI+OZbJGal0UdE0VMxQuVJwxDAB5QMhXX+DvF/tYqnPtwMMy
+n4QXkiy4dRqlJfcmtwHpBoTsfApwxSyw38WJR9mUCVWaOC06CEBSquIe0WhmAZMO
+je79veqJlZjYI7S/px7Jaje5NVTWFVztPHciLOUCgYBpNIJ9lJOZ0myZiK5F8rFG
+kGC0mn5j9zrnixDbbOT22qvlc3VHQJCQ992DRBM8i6VDXNiXVfVEoM5uV79B4rDc
+Uz9QQsM7otX3mCa9jNwMfOpBoNv9mQE+b7YzFEv3Y+7X1o4SLLlKcop+7mBfSmVA
+6rS6goHt272+grGd5jN+XQKBgBIsCvmkNiWQBvZU2qgMiz8wu1n8XRteoOvG0ETW
+7T1fBZwlKtEti6CycEtFwQVgB72mqBv90De57U9BAm9FQe3HsW6Sc+Le+sUIvlDs
+xfWF+TlC0PeFNzrpvc+PM+QQwTAhQG6ajbwuyROKRvgrbixIv0LoGMl2iwhRZ21R
+A/j1AoGBAJqUpT30dWSSDnUMir0TNnD//01+0R2eu8EPQu9h443KuKP9nf4GCJ9s
+qP3MKE0iKmsQ6ybPkCDc+mbViFqY5LQOssffHCMwWjv4vVnJt6N5SqNT5T2+Ctxy
+ZVwsbqSjxBsew6jBA8aDpI2igcBaZhBl8+ZmQph+723N3iBk1FXl
+-----END RSA PRIVATE KEY-----

test/certs/bad-othername-namec.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAbWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MB4XDTIxMDYwMjEzNDIzNVoXDTIxMDcwMjEzNDIzNVowDTELMAkGA1UEAwwCRUUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtBNsE1r49oxnD+C56c3y8
+Rr9Dx2EbSOfBK3vyqRpe3Vr8Iqkz81YbUUv1Oc5rSPeaOtkn394/N3xN8nDxquk1
+OgUv2tnp6qzdAHjk4h/SAAi+Q3g02t7tQicz0Kl2Ix01/+OV0laLzI8jKiAM6uEH
+ma0BUl8Kx31yfgmYydypBxnQy2gmObXTL42fouLV59X3ND3vgzwpjXi+E/LEaSWq
+JFYz/4zdTOGGSUJ3HJgsamn22i4qPBo7eecZDWWqBskh+zRyJEd1yuH8KQrnNLJK
+kJ56nU26aPDOY3uz6M+2OgGZtZaNzcoWcR9MF63cWBddq2HZ+nEphlIcPTjj/reR
+AgMBAAGjNjA0MAwGA1UdEwEB/wQCMAAwJAYDVR0RBB0wG6AOBggrBgEFBQcICaAC
+BQCCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAa12YtetxpZT+llksQiec
+acdRVyWupsENMHeE+hHcDwc09M3c6JvjF0YB03cVBSRRra8MCV4pNNK1fGSfKb0Q
+0ZE06bM6v+rjJW/CdUeb7yoq1Vk60ppevbDsf+EmSq76kGJoocYh88qLpL7QVINQ
+G0fcuMfBs2oTonJbIGcXWSrj5yIaZMRrARlp97ynR6phArufKblBYk1NQIJZUO+V
+IItENBfAPe4QZMnvjFO+hqmLzvVAz0480iNMa1++RmO66TxYi7b+nKGIUtonTGpt
+HspWZDtnB+y+qd6WbH1Yev5BoZLxdQAm4CFIESB4DrDBBV3QZPlVF0ZrLWFqMpBr
+Uw==
+-----END CERTIFICATE-----

test/recipes/25-test_verify.t

@@ -11,7 +11,7 @@ use strict;
 use warnings;
 
 use File::Spec::Functions qw/canonpath/;
-use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
+use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips with/;
 use OpenSSL::Test::Utils;
 
 setup("test_verify");
@@ -28,7 +28,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 155;
+plan tests => 156;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -369,6 +369,13 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
 ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
    "Name constraints nested DNS name excluded");
 
+#Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 2; } },
+   sub {
+      ok(verify("bad-othername-namec", "", ["bad-othername-namec-inter"], [], "-partial_chain"),
+         "Name constraints bad othername name constraint");
+   });
+
 ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
     "Accept PSS signature using SHA1 at auth level 0");