Add test cases for verification of time stamping certificates

Test makes sure, that both time stamping certificate according to rfc3161 (no
requirements for keyUsage extension) and according to CAB forum (keyUsage
extension must be digitalSignature and be set critical) are accepted. Misuse
cases as stated in CAB forum are rejected, only exeption is a missing
"critial" flag on keyUsage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from #18597)

(cherry picked from commit 386ab7f)

test/certs/ee-timestampsign-CABforum-anyextkeyusage.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHjCCAgagAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjezB5MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAcBgNVHSUBAf8EEjAQBggrBgEFBQcDCAYEVR0lADAN
+BgkqhkiG9w0BAQsFAAOCAQEARF7Aal4usByz7BIWnjqvTNoXQBwGOZ+5nuENUbqr
+OcMrWTmA9huqOiseVG665VGE+eLvOi6wSZv+8OEWS4nxwmEFkegMDIyQufP85xN2
+XDtsZNiFk1Wwtq7B29F/kZSqL8py650CAQZhqgHCawlvAFj6Datf8OYsqRmdLvjH
+DpySBOiv06rtCHR4ThEhvou9Tln6Tb6Ap+sq3/pu4Nf4q/ureqCaSQTS+ayvMuAb
+Cg+75Xgvl6nOQSPLkI6YoeA1F0o/51elldCbtfTZM+74btrDnclT3Pyrkp+E63eS
+FcNZWN5nxYl5VZGC9DaoO3+3b6VYQoyROBS5tW0ztf5BeA==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-CABforum-crlsign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIBgjAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG
+9w0BAQsFAAOCAQEAKlm2VpIAqs6OEBh8+J8N+wGjn4lzB92H8nPr+UsxeVzbFJAY
+ESu9CJFWW9iPjzk6tCu2qwbCQd8jmMbgwHRVekafW6Cpit3qhIE+GZ5bmM7OmRnT
+ueNWtMYoh/V+rNtpZcoTvPDcxHuEmh/kKgxqTrZ/7+SlusO2ita6GfOrWgD4Xc3h
+djQ1WTSEG/G8PHSnYZ7YEvBhFHAHblaN2AgawexM/mcoWQgOEcQTouMk98zdStp2
++N+oNmRO4FbKy/vkrSQNly6P+EZKI2ZJ6f6cRB5LDdCXyPcjCC/JqL4/Ota2xnJU
+4RX9/X+Uxvvfsc/6dmqy2orJ4KxSlgaHS0Ip2A==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-CABforum-keycertsign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIChDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG
+9w0BAQsFAAOCAQEAXSCrYzwK4/ZfXgURG9nxn1ZJtx/z2TdEyebe6f5YmZE14VxU
+cQbLynkydPSntmn60IQWABtueFlTpqOXEfQOxDosN8Nd3L4TkgG/a8mJbuTdfho6
+3NizJzkIxUW7nWiMjrSpkr082HPX/FCbRcg/2oSCOJb5Ap9ZvHpCKtowXGRwcAMW
+Yvw5pJDDntklTIWiKqTMo5poKRi4v8Sk/Dh7EwLi8l3e6BlHVx5aBh6l7REj0Stm
+j/0HbIBHYLK8+hR32uwA7KoZivgaXxvl0A1DsMGuLZjH+yUd2n7yibqln/Dc2NV8
+aXefMwNqGYnAufJijTmiSdR+CkMex4RYDQgdwQ==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-CABforum-noncritxku.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDCDANBgkqhkiG9w0B
+AQsFAAOCAQEAjQfg65wHwxrd5jBi/Y50BVWb3uvHM/n8y/weOoWP5YXQTUbVqbNT
+cxy2SrfDMK4wh5YErwgO9C0yHGBL7fXvnqBqSDnMM2lh9D7DnOQ4K02ZyZLjzkXH
+3oprmYKbGSAsifGPuAUhfw8bvhbH1i+gNDxK1g0TcuQhfQ//3vUwIsp5e8ADaFIg
+4qCNhvMnv/VkfEpg5hBeVOYSv2ITVhLwkvIKjxEIbfOxj2muglw3fwFhLlAUKp/t
+f4i8+OHIMVCQIPpceA/cwmh7HPpLiaQ4EJBWHynb03RwZ8RqZL2tGzg/pZQsjggj
+kiZlT3EwSpQjqgBPNLY9DPWMDBCnY+DPWw==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-CABforum-serverauth.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjfzB9MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDCAYIKwYBBQUH
+AwEwDQYJKoZIhvcNAQELBQADggEBACT1ybiBVe+mNC+DSH+8ZG0Ih96OKLiyPNL4
+fA+uCzpn4Ey2cPAnPK/7w0V77dGs7Phpc0LPBj/kVfybhZvJVJDgjnXcdbK1JxUC
+zKMRMFP38cE7wyYgsAR6bZilMMsdWAvA+BERd1DoAkePEB3F0/NUj0EP6bDiWE6F
+ZtvVyqQYSpmu6VkrxR9lOhUpEzHddNTz2V7QvGcI+8zValG++IluvPHbRL/lFsvV
+QjmzuMW8d3+oVycC53bWO6Lj0yX/h6DwP8Tj50w2OgUnV+CmXaxbLNF2sMjM8Omp
+YzVRJg2Vqu02KI6QYnwvLHNR6JjGw+OJYHF1DY+GDEEN24BOK8k=
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-CABforum.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG
+9w0BAQsFAAOCAQEAkWshPdAJh5hdpXTqFx3o6UinpCxszJyupHjFzpOoW8FXafva
+AgHDjHnbnS7t/haUHb8bDh3qYUBgJM6QvJS2O6rZd1ZRV3+dFevePUcwQXu4w6Zp
+vX9GS4v/grpiqc2LKqLekuWIkyxJ0sLjDHcAPb8KTpquCWVWsX9qxPjujyxXBlTc
+s9vPQU1j6utbqWPm7LAURebJCNBxHz/IgC0gp+1ln7LP97gkGz/bDQYOLeDsNXz4
+3YpIyRoSTJTnjeotfXhYL2Sak2z0KGtZS5S2BgDv0xjYMprGbJ7JbbSty1Os0I8w
+Wfw9muf+O/IStl6or/QbWRde6sTr4En7BdObWg==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-rfc3161-digsig.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0B
+AQsFAAOCAQEAUHC/kPMTXWZHVsHbIYuqitxgvfplpvTf9FEeoo7RjzY4Zb9xymOt
+EeBHfz0HMMIz6c0eV/Y0cfqEBSWf263qRTN+b1XgFaAP30JII3Okxfv7ul8kxvD2
+f22z4+h471FkeH4ZvQ6tD1mwiBcZbXm9g4fRn+WIQfhNY+JaKkespA7diG8i1hSm
+/3wc0k/U155vBAmrfIGyUFZzewkt18qnOYQVEw+TPHeV5yd6yrbUQs55CafqEwFV
+U9Fb781PIXAw2lKMnoID9/Mm9k5HlQgJ5+bYlRQQhfvfHVv/1WHDlwxE+1L9t1g3
+khZmeRPu1hDAMS5TFaO2lHTRvTTUexsICw==
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-rfc3161-noncritxku.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjYjBgMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQBrivg4yDW+
+SeLTjEPEhVmSHgJ7CTnU6wJxZKXDLGhTi3dB7yrBMMy7F0Vmbz/Pg+xxZIsOeMzt
+uPi196nfbilHN+sIjn847i06KJgTuQhr13lzy3ky3UIQ5TIWWfaEkz/+mr7zcRD3
+i37GpPSTWOpbmNsZELHuowtpaHLCnaG0SGJoKLJX/DOUsRNKyAHL3eFPwF+w89dK
+7YMikdPWW39gLcjCLMtI0M179a8woW1oNHAUCsIUabiRLI8GzUumyO2hPqhTXRMq
+FKABr+H2uuRN+MPTZun9g/QLZBqY4sADDI3ko7OYWHwjYeDaqzNWs1T6R7d7+SsO
+ws2OW3INcQC8
+-----END CERTIFICATE-----

test/certs/ee-timestampsign-rfc3161.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjZTBjMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQB7UIs8
+nTM63TDe8tO+isxz5d0WWIn/DCdBPw9t2BNJ4KsgaaP6TPLeQBU4M5+fp7kNV5Re
+mphQxwl/DMTvMtbqkVVrN2HOTXYoLi/SoOck7oGU+YwOhocxAZHxvZlqrUxCVZEb
+kQOsosfFNE0PhPdF2UuHC8h/wmjEb1hgSAz2JlKzW2dATb8OOm+5iqzSQwGB0nKj
+cGTo+K0DDYGrL9iZnGpjT6S4Nhk8opfrCgJyd/E2BB050yrhU/7QUAtBpSt3rdke
+V6LiW+y6+CiH4OpEnxtuWI42Bq8KBxFgMNOhOvC2dBcmciE6oPFslOLCF17DzEPO
+9YE9aULDF/HfXbMR
+-----END CERTIFICATE-----

test/certs/setup.sh

@@ -174,6 +174,17 @@ openssl x509 -in ee-client.pem -trustout \
 openssl x509 -in ee-client.pem -trustout \
     -addreject clientAuth -out ee-clientAuth.pem
 
+# time stamping certificates
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum ca-key ca-cert
+./mkcert.sh genee -p timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-noncritxku ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping,serverAuth -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-serverauth ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-anyextkeyusage ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,cRLSign server.example ee-key ee-timestampsign-CABforum-crlsign ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,keyCertSign server.example ee-key ee-timestampsign-CABforum-keycertsign ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping server.example ee-key ee-timestampsign-rfc3161 ca-key ca-cert
+./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert
+
 # Leaf cert security level variants
 # MD5 issuer signature
 OPENSSL_SIGALG=md5 \

test/recipes/25-test_verify.t

@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 163;
+plan tests => 172;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -242,6 +242,26 @@ ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
    "reject non-ca with pathlen:0 with strict flag");
 
+# EE veaiants wrt timestamp signing
+ok(verify("ee-timestampsign-CABforum", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "accept timestampsign according to CAB forum");
+ok(!verify("ee-timestampsign-CABforum-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum with extendedKeyUsage not critical");
+ok(!verify("ee-timestampsign-CABforum-serverauth", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum with serverAuth");
+ok(!verify("ee-timestampsign-CABforum-anyextkeyusage", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum with anyExtendedKeyUsage");
+ok(!verify("ee-timestampsign-CABforum-crlsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum with cRLSign");
+ok(!verify("ee-timestampsign-CABforum-keycertsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum with keyCertSign");
+ok(verify("ee-timestampsign-rfc3161", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "accept timestampsign according to RFC 3161");
+ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to RFC 3161 with extendedKeyUsage not critical");
+ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+   "accept timestampsign according to RFC 3161 with digitalSignature");
+
 # Proxy certificates
 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
    "fail to accept proxy cert without -allow_proxy_certs");