Fix freshly introduced double-free.

We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3, because the leaf certificate is always part of the presented chain, so the certificate is only validated as well-formed, and then discarded, but the TLSA record is of course still used after the validation step. Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0 Reported by Claus Assmann. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22821)
2023-11-25 13:26:20 -05:00 · 2023-11-25 13:26:20 -05:00 · f636e7e6bd
commit f636e7e6bd
parent 870f26e66a
2 changed files with 158 additions and 51 deletions
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -340,8 +340,19 @@ static int dane_tlsa_add(SSL_DANE *dane,
            }

            if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
+                /*
+                 * The Full(0) certificate decodes to a seemingly valid X.509
+                 * object with a plausible key, so the TLSA record is well
+                 * formed.  However, we don't actually need the certifiate for
+                 * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
+                 * certificate is always presented by the peer.  We discard the
+                 * certificate, and just use the TLSA data as an opaque blob
+                 * for matching the raw presented DER octets.
+                 *
+                 * DO NOT FREE `t` here, it will be added to the TLSA record
+                 * list below!
+                 */
                X509_free(cert);
-                tlsa_free(t);
                break;
            }

--- a/test/danetest.in
+++ b/test/danetest.in
@ -50,7 +50,7 @@

 # 1
 1 1 1 0 0
-3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
+3 0 0 3081ec308193a003020102020101300a06082a8648ce3d0403023000301e170d3135313231343030313033345a170d3135313231333030313033345a30003059301306072a8648ce3d020106082a8648ce3d03010703420004c5a4ffa008eebc0369b974799f9479cb47360544fafc02c4204fb3df31e88a1a4f18c85831e93f985c5b231094541b4316b5cb1c9c0c950886fe1143f39f6109300a06082a8648ce3d040302034800304502206ae7b7a870df21081e9a9896020aaf8560984875c812b36d671631abc879f872022100b0889ad2b3814ee64bddd5a7f6a98dea43cb435049469cb50a4404cbdeee1fd6
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -65,7 +65,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 # 2
 1 1 1 0 0
-3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
+3 1 0 3059301306072a8648ce3d020106082a8648ce3d03010703420004c5a4ffa008eebc0369b974799f9479cb47360544fafc02c4204fb3df31e88a1a4f18c85831e93f985c5b231094541b4316b5cb1c9c0c950886fe1143f39f6109
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -80,7 +80,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 # 3
 1 1 1 0 0
-3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
+3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -95,7 +95,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 # 4
 1 1 1 0 0
-3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
+3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -109,8 +109,8 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
 -----END CERTIFICATE-----

 # 5
-1 1 1 65 -1
-3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
+1 1 1 0 0
+3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -124,8 +124,8 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
 -----END CERTIFICATE-----

 # 6
-1 1 1 65 -1
-3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
+1 1 1 0 0
+3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -140,7 +140,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 # 7
 1 1 1 65 -1
-3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
+3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
 subject=
 issuer=
 notBefore=Dec 14 00:10:34 2015 GMT
@ -155,6 +155,36 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 # 8
 1 1 1 65 -1
+3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
+subject=
+issuer=
+notBefore=Dec 14 00:10:34 2015 GMT
+notAfter=Dec 13 00:10:34 2015 GMT
+-----BEGIN CERTIFICATE-----
+MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNTEyMTQwMDEwMzRaFw0x
+NTEyMTMwMDEwMzRaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATFpP+gCO68
+A2m5dHmflHnLRzYFRPr8AsQgT7PfMeiKGk8YyFgx6T+YXFsjEJRUG0MWtcscnAyV
+CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
+yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
+-----END CERTIFICATE-----
+
+# 9
+1 1 1 65 -1
+3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
+subject=
+issuer=
+notBefore=Dec 14 00:10:34 2015 GMT
+notAfter=Dec 13 00:10:34 2015 GMT
+-----BEGIN CERTIFICATE-----
+MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNTEyMTQwMDEwMzRaFw0x
+NTEyMTMwMDEwMzRaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATFpP+gCO68
+A2m5dHmflHnLRzYFRPr8AsQgT7PfMeiKGk8YyFgx6T+YXFsjEJRUG0MWtcscnAyV
+CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
+yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
+-----END CERTIFICATE-----
+
+# 10
+1 1 1 65 -1
 3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A4
 subject=
 issuer=
@ -170,7 +200,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=

 ## -- DANE-?? chain tests --

-# 9
+# 11
 1 3 0 0 0
 3 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
 subject= /CN=example.com
@ -217,7 +247,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 10
+# 12
 1 3 0 0 0
 3 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
 subject= /CN=example.com
@ -264,7 +294,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 11
+# 13
 1 3 0 0 0
 3 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
 subject= /CN=example.com
@ -311,7 +341,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 12
+# 14
 1 3 0 0 0
 3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
 subject= /CN=example.com
@ -358,7 +388,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 13
+# 15
 1 3 0 0 1
 2 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
 subject= /CN=example.com
@ -405,7 +435,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 14
+# 16
 1 3 0 0 1
 2 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
 subject= /CN=example.com
@ -452,7 +482,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 15
+# 17
 1 3 0 0 1
 2 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
 subject= /CN=example.com
@ -499,7 +529,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 16
+# 18
 1 3 0 0 1
 2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
 subject= /CN=example.com
@ -546,7 +576,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 17
+# 19
 1 3 0 0 2
 2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
 subject= /CN=example.com
@ -593,7 +623,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 18
+# 20
 1 3 0 0 2
 2 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
 subject= /CN=example.com
@ -640,7 +670,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 19
+# 21
 1 3 0 0 2
 2 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
 subject= /CN=example.com
@ -687,7 +717,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 20
+# 22
 1 3 0 0 2
 2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
 subject= /CN=example.com
@ -736,7 +766,73 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF

 ## -- PKIX-?? chain tests --

-# 21
+# 23
+1 2 0 0 0
+1 0 0 308201943082013ba003020102020102300a06082a8648ce3d04030230143112301006035504030c094973737565722043413020170d3135313231333233323335325a180f33303135303431353233323335325a30163114301206035504030c0b6578616d706c652e636f6d3059301306072a8648ce3d020106082a8648ce3d03010703420004664995f47bde35e7b4de48b258e9e8a07adebbdb863b3d06f481a1946c83da9f56cff4d9389b855d2f364b1585b0c734fcfa263026964ff5a4308b3fc879bdb8a37a3078301d0603551d0e041604145b20ca417d9088c7a4c017cb6c0c1c739bb07d8a301f0603551d230418301680147ab75a3cd295ca5df7c5150916e18ff5cc376a1530090603551d130402300030130603551d25040c300a06082b0601050507030130160603551d11040f300d820b6578616d706c652e636f6d300a06082a8648ce3d0403020347003044021f21c9032a5c8a93872d3f4aef321a9574dd956d43bd93c369944c72d6902858022100c8b3290d7af37e571a84d704dbad339d2987d41852dc5936f212947063911181
+subject= /CN=example.com
+issuer= /CN=Issuer CA
+notBefore=Dec 13 23:23:52 2015 GMT
+notAfter=Apr 15 23:23:52 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATugAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlJc3N1ZXIg
+Q0EwIBcNMTUxMjEzMjMyMzUyWhgPMzAxNTA0MTUyMzIzNTJaMBYxFDASBgNVBAMM
+C2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZkmV9HveNee0
+3kiyWOnooHreu9uGOz0G9IGhlGyD2p9Wz/TZOJuFXS82SxWFsMc0/PomMCaWT/Wk
+MIs/yHm9uKN6MHgwHQYDVR0OBBYEFFsgykF9kIjHpMAXy2wMHHObsH2KMB8GA1Ud
+IwQYMBaAFHq3WjzSlcpd98UVCRbhj/XMN2oVMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
+GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
+-----END CERTIFICATE-----
+subject= /CN=Issuer CA
+issuer= /CN=Root CA
+notBefore=Dec 13 23:20:09 2015 GMT
+notAfter=Apr 15 23:20:09 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
+MCAXDTE1MTIxMzIzMjAwOVoYDzMwMTUwNDE1MjMyMDA5WjAUMRIwEAYDVQQDDAlJ
+c3N1ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR9S64YtJ9dxp0KPIXG
+aj4hGd6Sz60IH61VwS1RDsl7bADhNpWo2XE1SP5g3xVXM5BDPiob2S20t6oBbsYY
+XcWvo1AwTjAdBgNVHQ4EFgQUerdaPNKVyl33xRUJFuGP9cw3ahUwHwYDVR0jBBgw
+FoAU5L1AXwUqgg3fmIP5PX0/kKrscj8wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
+GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
+-----END CERTIFICATE-----
+
+# 24
+1 2 0 0 0
+1 1 0 3059301306072a8648ce3d020106082a8648ce3d03010703420004664995f47bde35e7b4de48b258e9e8a07adebbdb863b3d06f481a1946c83da9f56cff4d9389b855d2f364b1585b0c734fcfa263026964ff5a4308b3fc879bdb8
+subject= /CN=example.com
+issuer= /CN=Issuer CA
+notBefore=Dec 13 23:23:52 2015 GMT
+notAfter=Apr 15 23:23:52 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATugAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlJc3N1ZXIg
+Q0EwIBcNMTUxMjEzMjMyMzUyWhgPMzAxNTA0MTUyMzIzNTJaMBYxFDASBgNVBAMM
+C2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZkmV9HveNee0
+3kiyWOnooHreu9uGOz0G9IGhlGyD2p9Wz/TZOJuFXS82SxWFsMc0/PomMCaWT/Wk
+MIs/yHm9uKN6MHgwHQYDVR0OBBYEFFsgykF9kIjHpMAXy2wMHHObsH2KMB8GA1Ud
+IwQYMBaAFHq3WjzSlcpd98UVCRbhj/XMN2oVMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
+GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
+-----END CERTIFICATE-----
+subject= /CN=Issuer CA
+issuer= /CN=Root CA
+notBefore=Dec 13 23:20:09 2015 GMT
+notAfter=Apr 15 23:20:09 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
+MCAXDTE1MTIxMzIzMjAwOVoYDzMwMTUwNDE1MjMyMDA5WjAUMRIwEAYDVQQDDAlJ
+c3N1ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR9S64YtJ9dxp0KPIXG
+aj4hGd6Sz60IH61VwS1RDsl7bADhNpWo2XE1SP5g3xVXM5BDPiob2S20t6oBbsYY
+XcWvo1AwTjAdBgNVHQ4EFgQUerdaPNKVyl33xRUJFuGP9cw3ahUwHwYDVR0jBBgw
+FoAU5L1AXwUqgg3fmIP5PX0/kKrscj8wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
+GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
+-----END CERTIFICATE-----
+
+# 25
 1 2 0 0 0
 1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
 subject= /CN=example.com
@ -769,7 +865,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 22
+# 26
 1 2 0 0 0
 1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
 subject= /CN=example.com
@ -802,7 +898,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 23
+# 27
 1 3 0 0 0
 1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
 subject= /CN=example.com
@ -849,7 +945,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 24
+# 28
 1 3 0 0 0
 1 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
 subject= /CN=example.com
@ -896,7 +992,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 25
+# 29
 1 2 0 0 1
 0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
 subject= /CN=example.com
@ -929,7 +1025,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 26
+# 30
 1 2 0 0 1
 0 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
 subject= /CN=example.com
@ -962,7 +1058,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 27
+# 31
 1 3 0 0 1
 0 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
 subject= /CN=example.com
@ -1009,7 +1105,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 28
+# 32
 1 3 0 0 1
 0 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
 subject= /CN=example.com
@ -1056,7 +1152,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 29
+# 33
 1 2 0 0 2
 0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
 subject= /CN=example.com
@ -1089,7 +1185,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 30
+# 34
 1 2 0 0 2
 0 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
 subject= /CN=example.com
@ -1122,7 +1218,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 31
+# 35
 1 3 0 0 2
 0 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
 subject= /CN=example.com
@ -1169,7 +1265,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 32
+# 36
 1 3 0 0 2
 0 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
 subject= /CN=example.com
@ -1218,7 +1314,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF

 ## -- PKIX-?? chain failures --

-# 33
+# 37
 # Missing intermediate CA
 1 1 0 20 0
 1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
@ -1238,7 +1334,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
 GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
 -----END CERTIFICATE-----

-# 34
+# 38
 # Missing PKIX intermediate, provided via DNS
 2 1 0 0 0
 1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
@ -1259,7 +1355,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
 GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
 -----END CERTIFICATE-----

-# 35
+# 39
 # Wrong leaf digest
 1 3 0 65 -1
 1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9924
@ -1307,7 +1403,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 36
+# 40
 # Wrong intermediate digest
 1 2 0 65 -1
 0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBE
@ -1341,7 +1437,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 37
+# 41
 # Wrong root digest
 1 2 0 65 -1
 0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3D
@ -1377,7 +1473,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==

 ## -- Mixed usage cases

-# 38
+# 42
 # DANE-EE(3) beats DANE-TA(2)
 1 3 0 0 0
 3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
@ -1426,7 +1522,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 39
+# 43
 # DANE-TA(2) depth 1 beats DANE-TA(2) depth 2
 1 3 0 0 1
 2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
@ -1475,7 +1571,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 40
+# 44
 # DANE-TA(2) depth 2 beats PKIX-TA(0) depth 1
 1 3 0 0 2
 2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
@ -1524,7 +1620,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 41
+# 45
 # DANE-TA(2) depth 2 beats PKIX-EE depth 0
 1 3 0 0 2
 2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
@ -1573,7 +1669,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
 vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
 -----END CERTIFICATE-----

-# 42
+# 46
 # DANE-TA(2) Full(0) root "from DNS":
 1 2 0 0 2
 2 0 0 308201643082010BA003020102020101300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233313330385A180F33303135303431353233313330385A30123110300E06035504030C07526F6F742043413059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76CA350304E301D0603551D0E04160414E4BD405F052A820DDF9883F93D7D3F90AAEC723F301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D040302034700304402206869E6AA9F9B4D4BF308091A5A7AB2C30E3619B0D75E528819468E4BB926F4C9022017F1B8458611966FBC109CAED3582966BF25FC0598EABA6C793C58DCC3537CC5
@ -1607,7 +1703,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 43
+# 47
 # DANE-TA(2) Full(0) intermediate "from DNS":
 1 1 0 0 1
 2 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308
@ -1627,7 +1723,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
 GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
 -----END CERTIFICATE-----

-# 44
+# 48
 # DANE-TA(2) SPKI(1) Full(0) intermediate "from DNS":
 1 1 0 0 0
 2 1 0 3059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AF
@ -1647,7 +1743,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
 GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
 -----END CERTIFICATE-----

-# 45
+# 49
 # DANE-TA(2) SPKI(1) Full(0) root "from DNS":
 1 2 0 0 1
 2 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76C
@ -1681,7 +1777,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
 GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
 -----END CERTIFICATE-----

-# 46
+# 50
 # Mismatched name "example.org", should still succeed given a
 # DANE-EE(3) match.
 1 3 1 0 0
@ -1730,7 +1826,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
 fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
 -----END CERTIFICATE-----

-# 47
+# 51
 # Mismatched name "example.org", should fail despite a DANE-TA(2)
 # match for the intermediate CA.
 1 3 0 62 1
@ -1779,7 +1875,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
 fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
 -----END CERTIFICATE-----

-# 48
+# 52
 # Mismatched name "example.org", should fail despite a DANE-TA(2)
 # match for the root CA.
 1 3 0 62 2
@ -1828,7 +1924,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
 fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
 -----END CERTIFICATE-----

-# 49
+# 53
 # Mismatched name "example.org", should fail when name checks
 # are not disabled for DANE-EE(3).
 1 3 0 62 0