Fix handling of wildcards in administrative/unilateral name constraints.

BUG=517258

Review URL: https://codereview.chromium.org/1541953002

Cr-Commit-Position: refs/heads/master@{#366506}
(cherry picked from commit 47b2227948bbc711d043f9884f7de8c0ea547e06)

Review URL: https://codereview.chromium.org/1545393002 .

Cr-Commit-Position: refs/branch-heads/2564@{#438}
Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}

5 files changed, 202 insertions, 192 deletions

diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 0df2033..bdb4b87 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -9,6 +9,7 @@
 #include "base/metrics/histogram.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/sha1.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
@@ -557,7 +558,8 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
       if (i->size() <= (1 /* period before domain */ + domain_length))
         continue;
 
-      const char* suffix = &dns_name[i->size() - domain_length - 1];
+      std::string suffix =
+          base::ToLowerASCII(&(*i)[i->size() - domain_length - 1]);
       if (suffix[0] != '.')
         continue;
       if (memcmp(&suffix[1], domains[j], domain_length) != 0)
@@ -621,41 +623,41 @@ bool CertVerifyProc::HasNameConstraintsViolation(
   };
 
   static const PublicKeyDomainLimitation kLimits[] = {
-    // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
-    // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
-    {
-      {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad,
-       0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
-      kDomainsANSSI,
-    },
-    // C=IN, O=India PKI, CN=CCA India 2007
-    // Expires: July 4th 2015.
-    {
-      {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc,
-       0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
-      kDomainsIndiaCCA,
-    },
-    // C=IN, O=India PKI, CN=CCA India 2011
-    // Expires: March 11 2016.
-    {
-      {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64,
-       0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
-      kDomainsIndiaCCA,
-    },
-    // C=IN, O=India PKI, CN=CCA India 2014
-    // Expires: March 5 2024.
-    {
-      {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed,
-       0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
-      kDomainsIndiaCCA,
-    },
-    // Not a real certificate - just for testing. This is the SPKI hash of
-    // the keys used in net/data/ssl/certificates/name_constraint_*.crt.
-    {
-      {0x61, 0xec, 0x82, 0x8b, 0xdb, 0x5c, 0x78, 0x2a, 0x8f, 0xcc,
-       0x4f, 0x0f, 0x14, 0xbb, 0x85, 0x31, 0x93, 0x9f, 0xf7, 0x3d},
-      kDomainsTest,
-    },
+      // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
+      // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+      {
+          {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad, 0xae,
+           0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
+          kDomainsANSSI,
+      },
+      // C=IN, O=India PKI, CN=CCA India 2007
+      // Expires: July 4th 2015.
+      {
+          {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc, 0xcf,
+           0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
+          kDomainsIndiaCCA,
+      },
+      // C=IN, O=India PKI, CN=CCA India 2011
+      // Expires: March 11 2016.
+      {
+          {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64, 0x52,
+           0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
+          kDomainsIndiaCCA,
+      },
+      // C=IN, O=India PKI, CN=CCA India 2014
+      // Expires: March 5 2024.
+      {
+          {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed, 0x5a,
+           0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
+          kDomainsIndiaCCA,
+      },
+      // Not a real certificate - just for testing. This is the SPKI hash of
+      // the keys used in net/data/ssl/certificates/name_constraint_*.crt.
+      {
+          {0x48, 0x49, 0x4a, 0xc5, 0x5a, 0x3e, 0xcd, 0xc5, 0x62, 0x9f, 0xef,
+           0x23, 0x14, 0xad, 0x05, 0xa9, 0x2a, 0x5c, 0x39, 0xc0},
+          kDomainsTest,
+      },
   };
 
   for (unsigned i = 0; i < arraysize(kLimits); ++i) {
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index a3c1fd8..0ae8d35 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -578,6 +578,11 @@ TEST_F(CertVerifyProcTest, NameConstraintsOk) {
                      &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
+
+  error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
+                 empty_cert_list_, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
 }
 
 TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
diff --git a/net/data/ssl/certificates/name_constraint_bad.pem b/net/data/ssl/certificates/name_constraint_bad.pem
index e0ec506..9ee785d 100644
--- a/net/data/ssl/certificates/name_constraint_bad.pem
+++ b/net/data/ssl/certificates/name_constraint_bad.pem
@@ -1,30 +1,30 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1+PQy2PX0Zcrp
-0Mvd6ZehbpDi9LKyFtCb4plX7XvGW29JwZQAqQ1dtTX0Ons8GAajeFpo/6YFH30Q
-CK4JbNzv3biXnmzOy6DcMysele8d+9Pa+D5X7YuOnoZNEqYMMCPvCEVPIRJCiIcB
-2KUyn7c472Ctt0drO0umXCtWclzRtTiHmew7/8YC74Y47uIFxvBm4hiRUOVXIyeZ
-u9tJJIhmqBSWfhptKuH/GPVqN9KIqHnJuVD1mmgLBJ5oAh2hceCJFboqSAZ6eNPR
-DHeDmIP4ueJgIJIHm9TIwPpaWp0mQMI1ZQDzoOLTIU2lxJGIkBSnXvcTt+oror3X
-hBgat3tdAgMBAAECggEABykz2uhkzWhQEuFvlF0D5YtnUjcU7SMutGO3axliXIzu
-lTVz8I62gvCFngXLIbNEV5x92lHtI5h4oG/nAWHyU9Ii2HyYhY7H1sKAuORnk4N8
-c8p/EZC8hDFC0behJyuhzl9B8vo3ML0UqwLuhU55tFjfMhbbTaH4uSQ5ZF59vpbV
-BLe+j3+0BWINSi65KrE/V9PAlH0IuSir4YYuFcJApZIMdiXGqb1mnnUn4CkMmmeH
-JvRaYvrxD14T/lzMVzBkR0bez5jYe7syspCe+mmyqIS0mTOw8rQER1vL/DHcyJsG
-inG5IazyDaCvgqNAEKzeh0AC3aoel86lURIlt/TrFQKBgQDrSKIvDDXFpYxtpJYt
-Q+gyUqN/QPwGVL39n7kSpBoFWKsP9eSGKjVfD4PJboYjE0pcoci4ohsOHmyHpaqi
-lAzy4oGd5VqEfu4qz65W7xFwZnMnxLv7OZeHzZG7nw2PIT6k57hNd0/IEndFLHZU
-zBm56Ow/Czkb4HA/IR5RQG4SywKBgQDF/qst7PVtWOm6wJ3boJNl7QasWTRKsNxg
-DkEo76dOwq2BSFTO+WYKWFPsOYrlnHbf3Ni869WB/vGwE8IecOH0Ir39plbRb2nc
-WRW13mljwTET9AGb0/nhPkduYPyN7Gjvy1DTTz5e47rk5881siU8dPCSvgygo9DO
-vy+ZlAtddwKBgQCIGa3ndTKtsAO5cNmGOZ/ZbEAzXk3rA54bVgdipxZ+PTpGs0CL
-82KIKJtdK9ff9kqvps5LL0pjMmopVUWNYgLThP7hbUidGCeBED2TABugX0MBoCX1
-Pu1OmzVPyMO5Jcvs7DWKahf2begcVYnlp2LCTeBK350baQrFGc1FxvVlXQKBgHrS
-y7/2oh1OLdgTCxoml6mAC0a5I6493sebsCJD4McED3wGsc2fewRp3M3KuHZNxJSE
-vNMdfVpiG+39o8scfZ7kOnXyTSMo+UOe48/pg/lE7DwTfzf6nKV06/z2H1WvVT2E
-I8SiAO/+V38OqkUGGQFTDbYKPW0dkjfe9BlSdGZrAoGAfbDe3biBtcMw57AKTf78
-i+dku+lnVkAmPOr1I6nnN2qGUdbXjbV2EE88BSo4OF6TF7C6dwicQuv5PxpozCRM
-NkdqZ7UT2h7JX0KybnrIvHefboG/pK/Jjg9cEBhN1P6y6+pyzWKa7Nc1c0pXRqz6
-FzMv6eiJALyDSTm0ChEm6ug=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDD5m1zsjUwajot
+NE67oL3Ln1Gj5dOIy85u4iS4bA29+3VCpDpFSb8q+atKgK4VM4H41gZ4ilk6T4Nw
+bh0z9PDQBIH8s5Yd0Xkqf3Ji0SDRsqBn+kQ2BXKHjup34lQrCgJ2BPoqle9Aj+Jd
+Z2mjnCB2C5E8it8BYziraCdsXLC8wRBDoWFi6laPMuEd910uTaav4/MZ3y6SBJLm
++Q0URXm5d5msqK7KuAVlgYDdnzS1iRNiGH2fPU/NHw1NMsJyM5b3MEwu72YDzmxS
+9QTpAp5vVPxKbMIhGqkVZpcfEVkB4FMZYueAJtr761dUhzZSSGoB3/D54cghc6ly
+9HySHvFDAgMBAAECggEAfp4WClyZwlQ2i/cuGFm5sr2j7/JhOh64q7ShFU5Jx4ya
+6trpCtWyqN08mGf5nJxxGluDTS/moii4hNe3KljbuSfguGt+0IEO9qfvT+1pcAAr
+a2k34068CuAVrizsR/EtTAjFhPbp7+nP3p0zi1sjJAkv81iy8NunyioEqSZz2Vsw
+ngPFuJeytOgeczoE69yzP1L0BaM46jOKXezXahC31lwtG+U5tLvElU0b/To/7GTg
++u5qnsJ87wHYkOctXvqH+L1JeMkc7RWCo0h4Kbk3ur1kDokjqUV4FGQSaMyIy0PC
+ndk9WZhUV03v+Lsy3gzBM8261HOiTSMRz/+KrYqAOQKBgQD6ET0Hm11FIUFSeM/I
+Dbxb41oN4ODl4YUgGk/9jPX8/ztvrGddh3VGWD4KUVNlWLioBX/t7FH5paGtd6tg
+ZG8X3n48DaJ5h4u95ulAzcVjrkF4aNahy4aMmofdpe4S3+7HwlBcfIocO9WpAtL0
+pzFjlXivLQgUQow67tbG2dYrPQKBgQDIjDWWSqn6kB1zFyI6Hh9HhfFAKCRvCIzQ
+OvqIOCtExP4U4mE0rUY7RWkFrRTDoMmYCwRuCohL1C4p6i/2AwK1mhS8OgPji7YV
+zgYZuw2lSmp1lqzRmiLaOZxLcEKWlHQ1C9Sq606T7YAhgXi3tDfQ53gb1uFDvt1h
+rE3AkU1WfwKBgHZ2EBk4aljDRjSRcqzshNxquVB1xVRhHzV0AYy1aBpvtnJSk6zk
+7JNkXg95My6BdwhxgobtOnAvHIYWeKLzMQV3qwk71EoKAhL1/m1qjSWJeQ5Xa8W9
+qoGU+uPvJPbgCjerP3JwtORnG/Iymki3o1fviPpDNN6UH+YTGr+cli5pAoGBAKnT
+4gU1kR/4LpgpvPhOTdq5mITl+YR1Txl++G2mcy23TBrPYdXD7jd/HeKKoYzQeibh
+HY06KhVcxwMDqD3CaubyZiDHWEe3Jijs4MmlV3bjv6d4Qzz0NBNsuehAVoNBj+7j
+5+IdhdtLQjgddebLHIExosqgev5tgPeXe/hYk49tAoGBALENmfF8ORreFf+aOd4+
+w/CZB2VaN4p0N6I+w2HPRRJO6Rhk0Pe6NtPkxbUS0x/cm+WOpvSbntH1DOjigL8e
+mo+n2Ym+lrtYmEtB/M2C1k29pwaGYMfEIP3URUuYNEpWvTs6AOY7Sp5QN/X/v9ES
+76pTvCiginWRyEeR+6vrDGM8
 -----END PRIVATE KEY-----
 Certificate:
     Data:
@@ -33,37 +33,37 @@ Certificate:
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=Test Root CA
         Validity
-            Not Before: Aug 14 03:05:29 2014 GMT
-            Not After : Aug 11 03:05:29 2024 GMT
+            Not Before: Dec 21 20:35:47 2015 GMT
+            Not After : Dec 18 20:35:47 2025 GMT
         Subject: CN=Leaf certificate
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:b5:f8:f4:32:d8:f5:f4:65:ca:e9:d0:cb:dd:e9:
-                    97:a1:6e:90:e2:f4:b2:b2:16:d0:9b:e2:99:57:ed:
-                    7b:c6:5b:6f:49:c1:94:00:a9:0d:5d:b5:35:f4:3a:
-                    7b:3c:18:06:a3:78:5a:68:ff:a6:05:1f:7d:10:08:
-                    ae:09:6c:dc:ef:dd:b8:97:9e:6c:ce:cb:a0:dc:33:
-                    2b:1e:95:ef:1d:fb:d3:da:f8:3e:57:ed:8b:8e:9e:
-                    86:4d:12:a6:0c:30:23:ef:08:45:4f:21:12:42:88:
-                    87:01:d8:a5:32:9f:b7:38:ef:60:ad:b7:47:6b:3b:
-                    4b:a6:5c:2b:56:72:5c:d1:b5:38:87:99:ec:3b:ff:
-                    c6:02:ef:86:38:ee:e2:05:c6:f0:66:e2:18:91:50:
-                    e5:57:23:27:99:bb:db:49:24:88:66:a8:14:96:7e:
-                    1a:6d:2a:e1:ff:18:f5:6a:37:d2:88:a8:79:c9:b9:
-                    50:f5:9a:68:0b:04:9e:68:02:1d:a1:71:e0:89:15:
-                    ba:2a:48:06:7a:78:d3:d1:0c:77:83:98:83:f8:b9:
-                    e2:60:20:92:07:9b:d4:c8:c0:fa:5a:5a:9d:26:40:
-                    c2:35:65:00:f3:a0:e2:d3:21:4d:a5:c4:91:88:90:
-                    14:a7:5e:f7:13:b7:ea:2b:a2:bd:d7:84:18:1a:b7:
-                    7b:5d
+                    00:c3:e6:6d:73:b2:35:30:6a:3a:2d:34:4e:bb:a0:
+                    bd:cb:9f:51:a3:e5:d3:88:cb:ce:6e:e2:24:b8:6c:
+                    0d:bd:fb:75:42:a4:3a:45:49:bf:2a:f9:ab:4a:80:
+                    ae:15:33:81:f8:d6:06:78:8a:59:3a:4f:83:70:6e:
+                    1d:33:f4:f0:d0:04:81:fc:b3:96:1d:d1:79:2a:7f:
+                    72:62:d1:20:d1:b2:a0:67:fa:44:36:05:72:87:8e:
+                    ea:77:e2:54:2b:0a:02:76:04:fa:2a:95:ef:40:8f:
+                    e2:5d:67:69:a3:9c:20:76:0b:91:3c:8a:df:01:63:
+                    38:ab:68:27:6c:5c:b0:bc:c1:10:43:a1:61:62:ea:
+                    56:8f:32:e1:1d:f7:5d:2e:4d:a6:af:e3:f3:19:df:
+                    2e:92:04:92:e6:f9:0d:14:45:79:b9:77:99:ac:a8:
+                    ae:ca:b8:05:65:81:80:dd:9f:34:b5:89:13:62:18:
+                    7d:9f:3d:4f:cd:1f:0d:4d:32:c2:72:33:96:f7:30:
+                    4c:2e:ef:66:03:ce:6c:52:f5:04:e9:02:9e:6f:54:
+                    fc:4a:6c:c2:21:1a:a9:15:66:97:1f:11:59:01:e0:
+                    53:19:62:e7:80:26:da:fb:eb:57:54:87:36:52:48:
+                    6a:01:df:f0:f9:e1:c8:21:73:a9:72:f4:7c:92:1e:
+                    f1:43
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                82:04:1D:BD:05:71:83:6F:F6:98:19:4D:4F:11:46:88:4D:9B:BF:A8
+                64:AD:F5:F3:4B:2D:70:3A:13:B7:0D:D6:8F:9F:82:37:C3:58:73:A8
             X509v3 Authority Key Identifier: 
                 keyid:BC:F7:30:D1:3C:C0:F2:79:FA:EF:9F:C9:6C:5C:93:F3:8A:68:AB:83
 
@@ -72,38 +72,38 @@ Certificate:
             X509v3 Subject Alternative Name: 
                 DNS:test.ExAmPlE.CoM, DNS:test.ExAmPlE.OrG
     Signature Algorithm: sha256WithRSAEncryption
-         a6:90:20:7b:27:40:64:b3:df:ec:56:9e:71:67:02:e7:88:7e:
-         c2:f0:ed:24:19:53:27:c9:97:95:18:76:16:52:4c:78:57:63:
-         4b:3d:17:3d:7f:f3:d6:e2:1e:5a:cd:84:ea:be:0c:82:5d:4e:
-         69:b9:d8:66:a3:a0:2f:e5:50:c8:84:bd:50:15:5f:25:fe:30:
-         a0:41:b6:e6:b6:cf:fc:87:db:23:4e:3e:f4:0e:75:74:3c:9e:
-         f1:d6:af:11:ad:11:80:b0:60:42:06:f5:bf:e4:5f:0c:73:7a:
-         62:49:f2:e5:62:15:f1:8f:bd:ed:34:75:cf:50:11:cc:ee:a3:
-         59:21:22:b7:ec:44:22:f7:98:77:1f:64:50:0f:f3:ab:5a:ff:
-         d2:62:cc:1b:46:81:56:2a:76:00:e0:ff:0e:9e:e0:d4:d0:03:
-         2d:1d:23:c9:d3:a4:f0:2f:a5:b3:30:12:82:46:f0:71:7e:91:
-         b9:1a:ae:3e:25:74:cf:79:35:d2:82:33:55:ac:54:94:43:7f:
-         de:cc:3e:ef:0d:a6:03:2a:c8:f5:8d:3b:ba:d2:97:ed:6d:d5:
-         a9:90:5f:8b:df:3e:d3:be:4b:43:7f:28:ce:9e:3e:90:f7:fb:
-         db:34:21:69:5c:94:f5:32:f0:ba:30:f5:60:4c:1f:3b:9b:43:
-         94:6c:8d:cc
+         af:4e:e7:07:29:47:e4:18:64:96:83:22:3c:21:4c:dc:41:90:
+         c9:28:5b:a7:ce:e9:ad:da:28:04:90:f6:62:c9:6c:0e:a1:98:
+         3a:19:ec:28:f5:b7:cf:07:cd:b3:0c:d0:97:a4:3d:e2:fe:0c:
+         d8:68:f4:cf:57:18:3e:58:f9:ed:1b:2f:f5:11:e4:4d:61:93:
+         b3:f3:1c:bc:53:cf:8b:81:2e:1b:a3:28:f6:df:ae:82:74:99:
+         75:62:51:3d:78:1d:65:3d:eb:0a:7b:60:0e:3a:c7:ff:57:1c:
+         a4:9e:19:66:ef:18:78:b1:d6:1f:27:31:e0:a6:a2:27:42:15:
+         2f:2a:38:e7:4a:0c:3b:8e:4d:c2:a1:27:45:32:0d:c4:b8:51:
+         70:41:a6:1a:2f:13:d0:f8:3d:fa:76:0c:57:ad:3e:86:ec:1c:
+         05:ea:81:d2:33:35:0b:1e:ab:86:2a:94:ee:44:9f:a4:1a:fe:
+         94:0c:7f:f7:e7:17:1f:cc:1c:b8:cc:5a:55:ce:b1:d8:2e:0b:
+         3d:8c:19:fc:c2:6b:da:c8:1d:b7:27:fa:bb:90:04:a6:53:bb:
+         94:7b:cb:a3:ec:80:7e:18:2e:86:aa:41:97:43:c7:25:1f:33:
+         a3:ee:93:00:c5:ec:31:da:0e:40:f2:a2:a9:39:42:a8:e1:65:
+         ed:c7:65:f0
 -----BEGIN CERTIFICATE-----
 MIIDTTCCAjWgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IFJvb3QgQ0EwHhcNMTQwODE0MDMwNTI5WhcNMjQwODExMDMwNTI5WjAbMRkwFwYD
+IFJvb3QgQ0EwHhcNMTUxMjIxMjAzNTQ3WhcNMjUxMjE4MjAzNTQ3WjAbMRkwFwYD
 VQQDExBMZWFmIGNlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAtfj0Mtj19GXK6dDL3emXoW6Q4vSyshbQm+KZV+17xltvScGUAKkNXbU1
-9Dp7PBgGo3haaP+mBR99EAiuCWzc7924l55szsug3DMrHpXvHfvT2vg+V+2Ljp6G
-TRKmDDAj7whFTyESQoiHAdilMp+3OO9grbdHaztLplwrVnJc0bU4h5nsO//GAu+G
-OO7iBcbwZuIYkVDlVyMnmbvbSSSIZqgUln4abSrh/xj1ajfSiKh5yblQ9ZpoCwSe
-aAIdoXHgiRW6KkgGenjT0Qx3g5iD+LniYCCSB5vUyMD6WlqdJkDCNWUA86Di0yFN
-pcSRiJAUp173E7fqK6K914QYGrd7XQIDAQABo4GfMIGcMAwGA1UdEwEB/wQCMAAw
-HQYDVR0OBBYEFIIEHb0FcYNv9pgZTU8RRohNm7+oMB8GA1UdIwQYMBaAFLz3MNE8
+CgKCAQEAw+Ztc7I1MGo6LTROu6C9y59Ro+XTiMvObuIkuGwNvft1QqQ6RUm/Kvmr
+SoCuFTOB+NYGeIpZOk+DcG4dM/Tw0ASB/LOWHdF5Kn9yYtEg0bKgZ/pENgVyh47q
+d+JUKwoCdgT6KpXvQI/iXWdpo5wgdguRPIrfAWM4q2gnbFywvMEQQ6FhYupWjzLh
+HfddLk2mr+PzGd8ukgSS5vkNFEV5uXeZrKiuyrgFZYGA3Z80tYkTYhh9nz1PzR8N
+TTLCcjOW9zBMLu9mA85sUvUE6QKeb1T8SmzCIRqpFWaXHxFZAeBTGWLngCba++tX
+VIc2UkhqAd/w+eHIIXOpcvR8kh7xQwIDAQABo4GfMIGcMAwGA1UdEwEB/wQCMAAw
+HQYDVR0OBBYEFGSt9fNLLXA6E7cN1o+fgjfDWHOoMB8GA1UdIwQYMBaAFLz3MNE8
 wPJ5+u+fyWxck/OKaKuDMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAt
 BgNVHREEJjAkghB0ZXN0LkV4QW1QbEUuQ29NghB0ZXN0LkV4QW1QbEUuT3JHMA0G
-CSqGSIb3DQEBCwUAA4IBAQCmkCB7J0Bks9/sVp5xZwLniH7C8O0kGVMnyZeVGHYW
-Ukx4V2NLPRc9f/PW4h5azYTqvgyCXU5pudhmo6Av5VDIhL1QFV8l/jCgQbbmts/8
-h9sjTj70DnV0PJ7x1q8RrRGAsGBCBvW/5F8Mc3piSfLlYhXxj73tNHXPUBHM7qNZ
-ISK37EQi95h3H2RQD/OrWv/SYswbRoFWKnYA4P8OnuDU0AMtHSPJ06TwL6WzMBKC
-RvBxfpG5Gq4+JXTPeTXSgjNVrFSUQ3/ezD7vDaYDKsj1jTu60pftbdWpkF+L3z7T
-vktDfyjOnj6Q9/vbNCFpXJT1MvC6MPVgTB87m0OUbI3M
+CSqGSIb3DQEBCwUAA4IBAQCvTucHKUfkGGSWgyI8IUzcQZDJKFunzumt2igEkPZi
+yWwOoZg6Gewo9bfPB82zDNCXpD3i/gzYaPTPVxg+WPntGy/1EeRNYZOz8xy8U8+L
+gS4boyj2366CdJl1YlE9eB1lPesKe2AOOsf/Vxyknhlm7xh4sdYfJzHgpqInQhUv
+KjjnSgw7jk3CoSdFMg3EuFFwQaYaLxPQ+D36dgxXrT6G7BwF6oHSMzULHquGKpTu
+RJ+kGv6UDH/35xcfzBy4zFpVzrHYLgs9jBn8wmvayB23J/q7kASmU7uUe8uj7IB+
+GC6GqkGXQ8clHzOj7pMAxewx2g5A8qKpOUKo4WXtx2Xw
 -----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/name_constraint_good.pem b/net/data/ssl/certificates/name_constraint_good.pem
index 7dba657..683deeb 100644
--- a/net/data/ssl/certificates/name_constraint_good.pem
+++ b/net/data/ssl/certificates/name_constraint_good.pem
@@ -1,30 +1,30 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1+PQy2PX0Zcrp
-0Mvd6ZehbpDi9LKyFtCb4plX7XvGW29JwZQAqQ1dtTX0Ons8GAajeFpo/6YFH30Q
-CK4JbNzv3biXnmzOy6DcMysele8d+9Pa+D5X7YuOnoZNEqYMMCPvCEVPIRJCiIcB
-2KUyn7c472Ctt0drO0umXCtWclzRtTiHmew7/8YC74Y47uIFxvBm4hiRUOVXIyeZ
-u9tJJIhmqBSWfhptKuH/GPVqN9KIqHnJuVD1mmgLBJ5oAh2hceCJFboqSAZ6eNPR
-DHeDmIP4ueJgIJIHm9TIwPpaWp0mQMI1ZQDzoOLTIU2lxJGIkBSnXvcTt+oror3X
-hBgat3tdAgMBAAECggEABykz2uhkzWhQEuFvlF0D5YtnUjcU7SMutGO3axliXIzu
-lTVz8I62gvCFngXLIbNEV5x92lHtI5h4oG/nAWHyU9Ii2HyYhY7H1sKAuORnk4N8
-c8p/EZC8hDFC0behJyuhzl9B8vo3ML0UqwLuhU55tFjfMhbbTaH4uSQ5ZF59vpbV
-BLe+j3+0BWINSi65KrE/V9PAlH0IuSir4YYuFcJApZIMdiXGqb1mnnUn4CkMmmeH
-JvRaYvrxD14T/lzMVzBkR0bez5jYe7syspCe+mmyqIS0mTOw8rQER1vL/DHcyJsG
-inG5IazyDaCvgqNAEKzeh0AC3aoel86lURIlt/TrFQKBgQDrSKIvDDXFpYxtpJYt
-Q+gyUqN/QPwGVL39n7kSpBoFWKsP9eSGKjVfD4PJboYjE0pcoci4ohsOHmyHpaqi
-lAzy4oGd5VqEfu4qz65W7xFwZnMnxLv7OZeHzZG7nw2PIT6k57hNd0/IEndFLHZU
-zBm56Ow/Czkb4HA/IR5RQG4SywKBgQDF/qst7PVtWOm6wJ3boJNl7QasWTRKsNxg
-DkEo76dOwq2BSFTO+WYKWFPsOYrlnHbf3Ni869WB/vGwE8IecOH0Ir39plbRb2nc
-WRW13mljwTET9AGb0/nhPkduYPyN7Gjvy1DTTz5e47rk5881siU8dPCSvgygo9DO
-vy+ZlAtddwKBgQCIGa3ndTKtsAO5cNmGOZ/ZbEAzXk3rA54bVgdipxZ+PTpGs0CL
-82KIKJtdK9ff9kqvps5LL0pjMmopVUWNYgLThP7hbUidGCeBED2TABugX0MBoCX1
-Pu1OmzVPyMO5Jcvs7DWKahf2begcVYnlp2LCTeBK350baQrFGc1FxvVlXQKBgHrS
-y7/2oh1OLdgTCxoml6mAC0a5I6493sebsCJD4McED3wGsc2fewRp3M3KuHZNxJSE
-vNMdfVpiG+39o8scfZ7kOnXyTSMo+UOe48/pg/lE7DwTfzf6nKV06/z2H1WvVT2E
-I8SiAO/+V38OqkUGGQFTDbYKPW0dkjfe9BlSdGZrAoGAfbDe3biBtcMw57AKTf78
-i+dku+lnVkAmPOr1I6nnN2qGUdbXjbV2EE88BSo4OF6TF7C6dwicQuv5PxpozCRM
-NkdqZ7UT2h7JX0KybnrIvHefboG/pK/Jjg9cEBhN1P6y6+pyzWKa7Nc1c0pXRqz6
-FzMv6eiJALyDSTm0ChEm6ug=
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDD5m1zsjUwajot
+NE67oL3Ln1Gj5dOIy85u4iS4bA29+3VCpDpFSb8q+atKgK4VM4H41gZ4ilk6T4Nw
+bh0z9PDQBIH8s5Yd0Xkqf3Ji0SDRsqBn+kQ2BXKHjup34lQrCgJ2BPoqle9Aj+Jd
+Z2mjnCB2C5E8it8BYziraCdsXLC8wRBDoWFi6laPMuEd910uTaav4/MZ3y6SBJLm
++Q0URXm5d5msqK7KuAVlgYDdnzS1iRNiGH2fPU/NHw1NMsJyM5b3MEwu72YDzmxS
+9QTpAp5vVPxKbMIhGqkVZpcfEVkB4FMZYueAJtr761dUhzZSSGoB3/D54cghc6ly
+9HySHvFDAgMBAAECggEAfp4WClyZwlQ2i/cuGFm5sr2j7/JhOh64q7ShFU5Jx4ya
+6trpCtWyqN08mGf5nJxxGluDTS/moii4hNe3KljbuSfguGt+0IEO9qfvT+1pcAAr
+a2k34068CuAVrizsR/EtTAjFhPbp7+nP3p0zi1sjJAkv81iy8NunyioEqSZz2Vsw
+ngPFuJeytOgeczoE69yzP1L0BaM46jOKXezXahC31lwtG+U5tLvElU0b/To/7GTg
++u5qnsJ87wHYkOctXvqH+L1JeMkc7RWCo0h4Kbk3ur1kDokjqUV4FGQSaMyIy0PC
+ndk9WZhUV03v+Lsy3gzBM8261HOiTSMRz/+KrYqAOQKBgQD6ET0Hm11FIUFSeM/I
+Dbxb41oN4ODl4YUgGk/9jPX8/ztvrGddh3VGWD4KUVNlWLioBX/t7FH5paGtd6tg
+ZG8X3n48DaJ5h4u95ulAzcVjrkF4aNahy4aMmofdpe4S3+7HwlBcfIocO9WpAtL0
+pzFjlXivLQgUQow67tbG2dYrPQKBgQDIjDWWSqn6kB1zFyI6Hh9HhfFAKCRvCIzQ
+OvqIOCtExP4U4mE0rUY7RWkFrRTDoMmYCwRuCohL1C4p6i/2AwK1mhS8OgPji7YV
+zgYZuw2lSmp1lqzRmiLaOZxLcEKWlHQ1C9Sq606T7YAhgXi3tDfQ53gb1uFDvt1h
+rE3AkU1WfwKBgHZ2EBk4aljDRjSRcqzshNxquVB1xVRhHzV0AYy1aBpvtnJSk6zk
+7JNkXg95My6BdwhxgobtOnAvHIYWeKLzMQV3qwk71EoKAhL1/m1qjSWJeQ5Xa8W9
+qoGU+uPvJPbgCjerP3JwtORnG/Iymki3o1fviPpDNN6UH+YTGr+cli5pAoGBAKnT
+4gU1kR/4LpgpvPhOTdq5mITl+YR1Txl++G2mcy23TBrPYdXD7jd/HeKKoYzQeibh
+HY06KhVcxwMDqD3CaubyZiDHWEe3Jijs4MmlV3bjv6d4Qzz0NBNsuehAVoNBj+7j
+5+IdhdtLQjgddebLHIExosqgev5tgPeXe/hYk49tAoGBALENmfF8ORreFf+aOd4+
+w/CZB2VaN4p0N6I+w2HPRRJO6Rhk0Pe6NtPkxbUS0x/cm+WOpvSbntH1DOjigL8e
+mo+n2Ym+lrtYmEtB/M2C1k29pwaGYMfEIP3URUuYNEpWvTs6AOY7Sp5QN/X/v9ES
+76pTvCiginWRyEeR+6vrDGM8
 -----END PRIVATE KEY-----
 Certificate:
     Data:
@@ -33,77 +33,78 @@ Certificate:
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=Test Root CA
         Validity
-            Not Before: Aug 14 03:05:29 2014 GMT
-            Not After : Aug 11 03:05:29 2024 GMT
+            Not Before: Dec 21 20:35:47 2015 GMT
+            Not After : Dec 18 20:35:47 2025 GMT
         Subject: CN=Leaf Certificate
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
-                    00:b5:f8:f4:32:d8:f5:f4:65:ca:e9:d0:cb:dd:e9:
-                    97:a1:6e:90:e2:f4:b2:b2:16:d0:9b:e2:99:57:ed:
-                    7b:c6:5b:6f:49:c1:94:00:a9:0d:5d:b5:35:f4:3a:
-                    7b:3c:18:06:a3:78:5a:68:ff:a6:05:1f:7d:10:08:
-                    ae:09:6c:dc:ef:dd:b8:97:9e:6c:ce:cb:a0:dc:33:
-                    2b:1e:95:ef:1d:fb:d3:da:f8:3e:57:ed:8b:8e:9e:
-                    86:4d:12:a6:0c:30:23:ef:08:45:4f:21:12:42:88:
-                    87:01:d8:a5:32:9f:b7:38:ef:60:ad:b7:47:6b:3b:
-                    4b:a6:5c:2b:56:72:5c:d1:b5:38:87:99:ec:3b:ff:
-                    c6:02:ef:86:38:ee:e2:05:c6:f0:66:e2:18:91:50:
-                    e5:57:23:27:99:bb:db:49:24:88:66:a8:14:96:7e:
-                    1a:6d:2a:e1:ff:18:f5:6a:37:d2:88:a8:79:c9:b9:
-                    50:f5:9a:68:0b:04:9e:68:02:1d:a1:71:e0:89:15:
-                    ba:2a:48:06:7a:78:d3:d1:0c:77:83:98:83:f8:b9:
-                    e2:60:20:92:07:9b:d4:c8:c0:fa:5a:5a:9d:26:40:
-                    c2:35:65:00:f3:a0:e2:d3:21:4d:a5:c4:91:88:90:
-                    14:a7:5e:f7:13:b7:ea:2b:a2:bd:d7:84:18:1a:b7:
-                    7b:5d
+                    00:c3:e6:6d:73:b2:35:30:6a:3a:2d:34:4e:bb:a0:
+                    bd:cb:9f:51:a3:e5:d3:88:cb:ce:6e:e2:24:b8:6c:
+                    0d:bd:fb:75:42:a4:3a:45:49:bf:2a:f9:ab:4a:80:
+                    ae:15:33:81:f8:d6:06:78:8a:59:3a:4f:83:70:6e:
+                    1d:33:f4:f0:d0:04:81:fc:b3:96:1d:d1:79:2a:7f:
+                    72:62:d1:20:d1:b2:a0:67:fa:44:36:05:72:87:8e:
+                    ea:77:e2:54:2b:0a:02:76:04:fa:2a:95:ef:40:8f:
+                    e2:5d:67:69:a3:9c:20:76:0b:91:3c:8a:df:01:63:
+                    38:ab:68:27:6c:5c:b0:bc:c1:10:43:a1:61:62:ea:
+                    56:8f:32:e1:1d:f7:5d:2e:4d:a6:af:e3:f3:19:df:
+                    2e:92:04:92:e6:f9:0d:14:45:79:b9:77:99:ac:a8:
+                    ae:ca:b8:05:65:81:80:dd:9f:34:b5:89:13:62:18:
+                    7d:9f:3d:4f:cd:1f:0d:4d:32:c2:72:33:96:f7:30:
+                    4c:2e:ef:66:03:ce:6c:52:f5:04:e9:02:9e:6f:54:
+                    fc:4a:6c:c2:21:1a:a9:15:66:97:1f:11:59:01:e0:
+                    53:19:62:e7:80:26:da:fb:eb:57:54:87:36:52:48:
+                    6a:01:df:f0:f9:e1:c8:21:73:a9:72:f4:7c:92:1e:
+                    f1:43
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                82:04:1D:BD:05:71:83:6F:F6:98:19:4D:4F:11:46:88:4D:9B:BF:A8
+                64:AD:F5:F3:4B:2D:70:3A:13:B7:0D:D6:8F:9F:82:37:C3:58:73:A8
             X509v3 Authority Key Identifier: 
                 keyid:BC:F7:30:D1:3C:C0:F2:79:FA:EF:9F:C9:6C:5C:93:F3:8A:68:AB:83
 
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
-                DNS:test.ExAmPlE.CoM, DNS:example.notarealtld
+                DNS:test.ExAmPlE.CoM, DNS:example.notarealtld, DNS:*.test2.ExAmPlE.CoM, DNS:*.example2.notarealtld
     Signature Algorithm: sha256WithRSAEncryption
-         36:cf:f0:0a:f6:e9:6b:30:2b:d2:46:1b:c8:e4:4d:d2:2b:4d:
-         0e:45:c8:e0:93:83:bb:f3:37:c2:81:65:fd:ea:cc:72:18:f6:
-         0b:60:a3:a0:7d:80:ca:28:ac:61:ec:bd:3b:e2:80:22:2f:40:
-         6f:a0:0f:33:3c:73:31:58:3e:16:ad:82:69:fe:02:51:e9:0f:
-         64:4f:e7:c9:f7:b6:63:fb:b3:d9:90:b3:18:a0:01:59:73:44:
-         c3:bf:ea:96:a9:9b:71:ef:78:c5:ba:82:30:15:5f:b6:20:3e:
-         ed:57:c4:8b:50:5f:44:8f:41:1e:63:9d:5c:a1:b1:87:d1:96:
-         da:21:21:ac:91:16:66:3a:c8:ca:84:c1:47:52:9f:55:e3:09:
-         82:38:c7:ca:e3:8b:c0:10:e2:d0:aa:c6:b8:de:b8:39:80:8d:
-         49:37:1a:17:7a:90:8e:66:b7:b5:61:c0:85:13:86:ef:37:03:
-         2e:77:ba:8a:eb:3c:82:be:0a:27:51:5e:33:ec:92:33:5d:f5:
-         cf:ed:43:79:41:f5:6e:0f:54:80:a7:a4:a2:bc:84:c5:36:1c:
-         5e:f5:19:b4:89:31:7b:c4:38:54:09:b1:a5:7c:b7:18:95:fc:
-         e1:bf:86:42:fc:0b:41:4c:4a:fd:0b:4c:5d:db:c6:11:a7:0d:
-         99:07:e9:22
+         22:eb:19:0b:53:ae:ac:05:af:4f:70:28:c5:ae:8b:c4:6e:d7:
+         2a:7a:58:a4:44:7b:46:be:6e:01:6c:b6:d0:15:48:51:10:c7:
+         27:ae:8a:de:52:82:91:70:36:dd:d7:55:ac:52:b2:c8:33:53:
+         fc:a1:e3:c1:80:6b:e6:46:fb:9c:0d:09:bf:91:c2:ee:25:77:
+         39:69:7c:d2:f1:95:f0:2d:1e:fd:52:eb:1a:38:60:34:db:f4:
+         43:a2:18:a9:b7:25:14:53:1a:1f:42:97:ab:25:7c:bb:25:88:
+         56:fe:ac:d3:6f:5c:fe:90:e4:99:83:91:74:c0:dc:bb:a2:54:
+         91:16:dd:d9:12:a5:22:6f:7a:1e:18:ab:54:63:18:4d:79:7c:
+         cb:16:78:04:2c:4d:32:13:2c:21:30:c9:22:b3:c7:41:7d:85:
+         0f:9f:91:13:88:dd:b6:35:2e:de:a4:b7:72:d3:a0:f1:64:1c:
+         30:b9:65:9e:4f:f3:5b:2b:7d:42:7b:7c:21:54:bf:c2:b0:02:
+         2f:4e:10:2d:40:11:08:70:36:5c:66:e9:b6:3b:6a:9f:dd:7f:
+         f9:42:04:d0:8c:3c:93:54:5d:9f:d2:34:c4:67:d7:7c:ee:3f:
+         22:4f:71:86:af:b1:79:6f:00:b4:65:60:58:ed:ef:16:cd:e5:
+         97:e0:b8:49
 -----BEGIN CERTIFICATE-----
-MIIDUDCCAjigAwIBAgIBBDANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
-IFJvb3QgQ0EwHhcNMTQwODE0MDMwNTI5WhcNMjQwODExMDMwNTI5WjAbMRkwFwYD
+MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IFJvb3QgQ0EwHhcNMTUxMjIxMjAzNTQ3WhcNMjUxMjE4MjAzNTQ3WjAbMRkwFwYD
 VQQDExBMZWFmIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAtfj0Mtj19GXK6dDL3emXoW6Q4vSyshbQm+KZV+17xltvScGUAKkNXbU1
-9Dp7PBgGo3haaP+mBR99EAiuCWzc7924l55szsug3DMrHpXvHfvT2vg+V+2Ljp6G
-TRKmDDAj7whFTyESQoiHAdilMp+3OO9grbdHaztLplwrVnJc0bU4h5nsO//GAu+G
-OO7iBcbwZuIYkVDlVyMnmbvbSSSIZqgUln4abSrh/xj1ajfSiKh5yblQ9ZpoCwSe
-aAIdoXHgiRW6KkgGenjT0Qx3g5iD+LniYCCSB5vUyMD6WlqdJkDCNWUA86Di0yFN
-pcSRiJAUp173E7fqK6K914QYGrd7XQIDAQABo4GiMIGfMAwGA1UdEwEB/wQCMAAw
-HQYDVR0OBBYEFIIEHb0FcYNv9pgZTU8RRohNm7+oMB8GA1UdIwQYMBaAFLz3MNE8
-wPJ5+u+fyWxck/OKaKuDMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAw
-BgNVHREEKTAnghB0ZXN0LkV4QW1QbEUuQ29NghNleGFtcGxlLm5vdGFyZWFsdGxk
-MA0GCSqGSIb3DQEBCwUAA4IBAQA2z/AK9ulrMCvSRhvI5E3SK00ORcjgk4O78zfC
-gWX96sxyGPYLYKOgfYDKKKxh7L074oAiL0BvoA8zPHMxWD4WrYJp/gJR6Q9kT+fJ
-97Zj+7PZkLMYoAFZc0TDv+qWqZtx73jFuoIwFV+2ID7tV8SLUF9Ej0EeY51cobGH
-0ZbaISGskRZmOsjKhMFHUp9V4wmCOMfK44vAEOLQqsa43rg5gI1JNxoXepCOZre1
-YcCFE4bvNwMud7qK6zyCvgonUV4z7JIzXfXP7UN5QfVuD1SAp6SivITFNhxe9Rm0
-iTF7xDhUCbGlfLcYlfzhv4ZC/AtBTEr9C0xd28YRpw2ZB+ki
+CgKCAQEAw+Ztc7I1MGo6LTROu6C9y59Ro+XTiMvObuIkuGwNvft1QqQ6RUm/Kvmr
+SoCuFTOB+NYGeIpZOk+DcG4dM/Tw0ASB/LOWHdF5Kn9yYtEg0bKgZ/pENgVyh47q
+d+JUKwoCdgT6KpXvQI/iXWdpo5wgdguRPIrfAWM4q2gnbFywvMEQQ6FhYupWjzLh
+HfddLk2mr+PzGd8ukgSS5vkNFEV5uXeZrKiuyrgFZYGA3Z80tYkTYhh9nz1PzR8N
+TTLCcjOW9zBMLu9mA85sUvUE6QKeb1T8SmzCIRqpFWaXHxFZAeBTGWLngCba++tX
+VIc2UkhqAd/w+eHIIXOpcvR8kh7xQwIDAQABo4HPMIHMMAwGA1UdEwEB/wQCMAAw
+HQYDVR0OBBYEFGSt9fNLLXA6E7cN1o+fgjfDWHOoMB8GA1UdIwQYMBaAFLz3MNE8
+wPJ5+u+fyWxck/OKaKuDMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBd
+BgNVHREEVjBUghB0ZXN0LkV4QW1QbEUuQ29NghNleGFtcGxlLm5vdGFyZWFsdGxk
+ghMqLnRlc3QyLkV4QW1QbEUuQ29NghYqLmV4YW1wbGUyLm5vdGFyZWFsdGxkMA0G
+CSqGSIb3DQEBCwUAA4IBAQAi6xkLU66sBa9PcCjFrovEbtcqelikRHtGvm4BbLbQ
+FUhREMcnroreUoKRcDbd11WsUrLIM1P8oePBgGvmRvucDQm/kcLuJXc5aXzS8ZXw
+LR79UusaOGA02/RDohiptyUUUxofQperJXy7JYhW/qzTb1z+kOSZg5F0wNy7olSR
+Ft3ZEqUib3oeGKtUYxhNeXzLFngELE0yEywhMMkis8dBfYUPn5ETiN22NS7epLdy
+06DxZBwwuWWeT/NbK31Ce3whVL/CsAIvThAtQBEIcDZcZum2O2qf3X/5QgTQjDyT
+VF2f0jTEZ9d87j8iT3GGr7F5bwC0ZWBY7e8WzeWX4LhJ
 -----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/ca.cnf b/net/data/ssl/scripts/ca.cnf
index 1b78e01..28778a3 100644
--- a/net/data/ssl/scripts/ca.cnf
+++ b/net/data/ssl/scripts/ca.cnf
@@ -59,6 +59,8 @@ DNS.2 = test.ExAmPlE.OrG
 [san_name_constraint_good]
 DNS.1 = test.ExAmPlE.CoM
 DNS.2 = example.notarealtld
+DNS.3 = *.test2.ExAmPlE.CoM
+DNS.4 = *.example2.notarealtld
 
 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert