Add quick test of name constraints

tests/verify.rs

@@ -0,0 +1,49 @@
+use std::convert::TryFrom;
+
+use webpki::{EndEntityCert, KeyUsage, SubjectNameRef, Time};
+use webpki_roots::TLS_SERVER_ROOTS;
+
+#[test]
+fn tubitak_name_constraint_works() {
+    let root = include_bytes!("data/tubitak/root.der");
+    let inter = include_bytes!("data/tubitak/inter.der");
+    let subj = include_bytes!("data/tubitak/subj.der");
+
+    let roots = TLS_SERVER_ROOTS
+        .iter()
+        .map(|ta| webpki::TrustAnchor {
+            subject: ta.subject,
+            spki: ta.spki,
+            name_constraints: ta.name_constraints,
+        })
+        .collect::<Vec<_>>();
+
+    let now = Time::from_seconds_since_unix_epoch(1493668479);
+    let cert = EndEntityCert::try_from(&subj[..]).unwrap();
+    cert.verify_for_usage(
+        ALL_ALGORITHMS,
+        &roots,
+        &[&inter[..], &root[..]],
+        now,
+        KeyUsage::server_auth(),
+        &[],
+    )
+    .unwrap();
+
+    let subject = SubjectNameRef::try_from_ascii_str("testssl.kamusm.gov.tr").unwrap();
+    cert.verify_is_valid_for_subject_name(subject).unwrap();
+}
+
+static ALL_ALGORITHMS: &[&webpki::SignatureAlgorithm] = &[
+    &webpki::ECDSA_P256_SHA256,
+    &webpki::ECDSA_P256_SHA384,
+    &webpki::ECDSA_P384_SHA256,
+    &webpki::ECDSA_P384_SHA384,
+    &webpki::RSA_PKCS1_2048_8192_SHA256,
+    &webpki::RSA_PKCS1_2048_8192_SHA384,
+    &webpki::RSA_PKCS1_2048_8192_SHA512,
+    &webpki::RSA_PKCS1_3072_8192_SHA384,
+    &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+    &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+    &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+];