From 57a2d16e60f7eb0ebfdedd82cb5e4e5fc198faf1 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Wed, 1 Nov 2023 16:38:48 -0400 Subject: [PATCH] tests: add LE chain test to verification_real_world In particular this testcase ensures that we can validate a chain from EE->intermediate->trust anchor for a chain where one or more certificates (in this case, the intermediate) are missing an authority information access (AIA) extension that specifies an OCSP access method and URI. --- .../letsencrypt_org_valid_1.crt | Bin 0 -> 1137 bytes .../letsencrypt_org_valid_2.crt | Bin 0 -> 1306 bytes .../letsencrypt_org_valid_3.crt | Bin 0 -> 1380 bytes src/tests/verification_real_world/mod.rs | 15 +++++++++++++++ 4 files changed, 15 insertions(+) create mode 100644 src/tests/verification_real_world/letsencrypt_org_valid_1.crt create mode 100644 src/tests/verification_real_world/letsencrypt_org_valid_2.crt create mode 100644 src/tests/verification_real_world/letsencrypt_org_valid_3.crt 
diff --git a/src/tests/verification_real_world/letsencrypt_org_valid_1.crt b/src/tests/verification_real_world/letsencrypt_org_valid_1.crt new file mode 100644 index 0000000000000000000000000000000000000000..4dbed56cf492480e6f2b59bbf47b584aa0cc1362 GIT binary patch literal 1137 zcmXqLV#zgVVh&xv%*4pVB*c7eugSqP6;12juR9zibm#jFHUnNZPOUbNw(q=*jNGgY z21bV52Apinp)72|OrgPsVg@204wo>mPil#Jv4U$}a#3YL2}}{QFjJ7Rft)z6k+FfL zk)@G=iGh(x6o_kRWMl#68b=w37z!B(fQ(@l=FCY2nxL0olx`4dAk4-NwECPa6C)c3 zn8D1*&g{g%a@q3XvX`uX&d$qS{r`=-(9{2OLN0eQUTip^$ND;9*$#oc3}iuk zRThw^IJDUqSy|bcfmTCVOa?q4Xmh0I0t=4;mjMSGTY4i8BNL-R6C)EF7ck&h z7_U__u`sbTer9R>!0?WtlwrHwZr2`Pt-==vy$*s}I|X5FywLvW)GPz1)~AnFehR(3anrFMWw zb6Wp!zk6t>AA{8T4dUCP<~q%qFx^sFSie0i{6M_0?*_2 z3b$Fw@A?#e?P~sRt@rkyO+oYQgR$~O8y!o^@{fcny;EQL&$jPkR8bp;>nhWA%?r1g KS&JYE{~5g;AP{~YV&CO&dbQi&B|cl zZ^&)H$;KSY!Y0fV8f>U(pbp}22`hN!m82HsrIsiJrzV#cWtLPb1f>?ICKe@UD7Y8p zmlha`8VG}wG7Ix~1_!w-1m)+KC`1?<$cghB85md^m>7UT6p(9bU}i>{#klr@pXRpDI%e!;XU(K zEV7jR+GOLj(l76;^&6z(8 z#AA0A<^OIxy7p3Agsu4T=bXDgYJYFLbMRJS>=n1iXV$77?AVi#UYfS~qr~?`G0%ek zTXk%6U;1BI;?)e!a{IZ#KhHBh{kp6`Tx5OnlK(R|Po8@xcsbiYk5<`*nd?+bcMG2h zV*dIzaAEgtQ6^?a2FArrj2yraVKLwX2B<7QBjbM-7GNT1Gmr)GRarnG&7sZ4$jZvj z%mimK8VG@;g+aGrR#$eo~%5Jf`OcY%mS$e637aZkrgU|Y*%2BHjp&nU}H;f0^%a4a^@zWr&>?>x!W!N-s;l2=W2SzrWwg=OMT_0*&3%7h3Gae zcy;*g4~6~lXSNqGY|pd)7B}VI6NUN9-gj?ee!gg{n9amW8&X z%-(q}=2Oav1N$lu`1j?y@Wf5pt@piK;Nc5d7tPy|3U8BlD*g~sn=(0kfov+vK`y0r z0=&-C7fQ(2J$TS&zBOv&UW5JZdD>e475$`H4}X=I{vmG7;iWsWKIrYSHs1Np``(#9 zPu90^x7i;EbvFB!@z6{>t8eDT|4SW~n`}RDA=%Q@vNZ40uCf!8nO?5+&JjPy!*p|R z$I5B||t$-I`!kiAsP`9|pUq9dAo-;c!loml7AVsQOaYrMq5%H7Z7 z3cA@JwoN{~v;R(Fp{myU`)^ePf-<@%-FbR#>*HIs7us`L6b;ukef_<2^@&b#+lM|+ zE%?6e)!sX;QRMa2+qMeJ>mn~d`VsLndWXl^e=+`In*ZcNmDisT+|c`~X7U7a{l9A# zak{(Ne|WiJ`+p7J45Mr5adMf9C-3+=w_Bh4Qjqhqe53GGU!%tR7QwBtb+KuhuXfyh uGIi_Otzkk=XOH+DQ?+mj$bEB;AyneuOV5-mey66-*%E!Ac*W`+?uP)U>;Po| literal 0 HcmV?d00001 
diff --git a/src/tests/verification_real_world/letsencrypt_org_valid_3.crt b/src/tests/verification_real_world/letsencrypt_org_valid_3.crt new file mode 100644 index 0000000000000000000000000000000000000000..79a33ba5908c84a1d790715853f435daee569995 GIT binary patch literal 1380 zcmZ8hX;4#F7|qM_2mwM&*eu$Fr2?YKjgd_dWM4Hxumr^pF+@P)OL%!<8I(e(5iA&| zqJoT;#TJS}2W4?ki&C*_of<7=P#~xk;1SKNl#73 zL{gR@JrxmQN>sv%N0kbU6)a3(BsVrTIO`YaHLTUzetqh8$~a7QeHi@9kthc*3o8$h*(; z>xh^i%o)0PNl$;_a4P!xVRc4&)b8Cn=BEM-gTGL*US4Q~u_wbYZ zDfms zEcV=m+^FFg`e)|yQi5C6h`@Q4@$l*LPTIw&l7Qk`QLOI#A(OH>amFlrRJNnMV5B%{ zeU3EqneWkEITQV7PjOatYiT1?-9y?Do5l8p`h{N}<4wvnp5)_`qh2R0Je6k_sc7@c z$}5C7k)*zYK~l@=-oWYeQ08%pW#7;rSLsX-j;pQoLHYH1)08YE+^gfa^NC-io&FN- zE$)T`-TV{%2UpEI-(FU?y*6eOGpxFzwQfT!qV_#=0Ij2wvJ?OGkIl9=BWOys9MT2< z+^7}N3KISAn@@(fGWG`_!!F*zCXX;7vKI90$nb12>9`I+QbfDTxBUA9$%kud-Bfow zt`-vQYYGX0)xD$__FZky>-VdD!|Eee7Y$^d%IswB`EKKK&5ZY}6x}U%3yQ0Lp?}mm zsK-(3vU4P7$!=0!)VO8h;ny2(4!Xo5`YS2(ykI__0O6oo6%+*-45z1 zV7;~Lu{7wita7e}-xX3sR^FX4skGXKWb0;KI((AmYpRjY%j7gc^X2g$wKYGxLp>+v zx>+8)H+>?{;f&IjORWv6(Bs!${@~;~*<1Z|tiOQM!Vwzk@OJYaWjIrz+O_~17) zu&>n3$uxN&6dyyk^POI#>IOpo5|%eTxf&W;U9@xeoh90|Om%Bnkj3Kk?3fy-J53w& detY&nbKg{?>MOX?eQGZsGWX76zZsnL`3L9%8WsQm literal 0 HcmV?d00001 diff --git a/src/tests/verification_real_world/mod.rs b/src/tests/verification_real_world/mod.rs index 80314d76..6af3fc74 100644 --- a/src/tests/verification_real_world/mod.rs +++ b/src/tests/verification_real_world/mod.rs @@ -77,6 +77,14 @@ const VALID_UNRELATED_CHAIN: &[&[u8]] = &[ include_bytes!("agilebits_com_valid_4.crt"), ]; +const LETSENCRYPT_ORG: &str = "letsencrypt.org"; + +const VALID_LETSENCRYPT_ORG_CHAIN: &[&[u8]] = &[ + include_bytes!("letsencrypt_org_valid_1.crt"), + include_bytes!("letsencrypt_org_valid_2.crt"), + include_bytes!("letsencrypt_org_valid_3.crt"), +]; + macro_rules! real_world_test_cases { { $( $name:ident => $test_case:expr ),+ , } => { real_world_test_cases!(@ $($name => $test_case),+,); 
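Review bot: `VALID_LETSENCRYPT_ORG_CHAIN` is added without a comment recording why this chain was captured, so the property the test relies on exists only in the commit description (the intermediate has no AIA extension specifying an OCSP access method and URI). I would put that next to the constant, e.g. `// letsencrypt.org chain; the intermediate carries no AIA OCSP access method/URI.`, and note the capture date, since these are real certificates with a finite validity period. Whether the harness pins the verification time is not visible in this hunk, so it is worth confirming the case will not start failing once the end-entity certificate expires. The `macro_rules!` definition in the trailing context continues outside the hunk.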
@@ -202,6 +210,13 @@ real_world_test_cases! {
 expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)),
 other_error: no_error!(),
 },
+ letsencrypt => TestCase {
+ reference_id: LETSENCRYPT_ORG,
+ chain: VALID_LETSENCRYPT_ORG_CHAIN,
+ stapled_ocsp: None,
+ expected_result: Ok(()),
+ other_error: no_error!(),
+ },
 // OCSP stapling works.
 //
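Review bot: The new `letsencrypt` case pairs `stapled_ocsp: None` with `expected_result: Ok(())`, but nothing at the case says that accepting a chain with no OCSP responder information for one of its certificates is the intended outcome. Going by the commit description that is exactly what is being pinned, so it should be stated where the assertion lives, e.g. `// A chain whose intermediate lacks an AIA OCSP access method must still validate.`, in the same style as the `// OCSP stapling works.` comment that follows. The name `letsencrypt` also says nothing about the property under test; something like `letsencrypt_intermediate_without_ocsp_aia` would make a failure readable in test output. The `real_world_test_cases!` invocation begins and ends outside the hunk.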