add regression tests for name constraints. adds necessary certs to test logic

add same DN test

Author: rlm2002

certs/renewcerts.sh

@@ -888,6 +888,17 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
     ############################################################
+    ###### calling gen-nc-ancestor.sh         ##################
+    ############################################################
+    echo "Calling gen-nc-ancestor.sh"
+    echo ""
+    cd ./test/nc-ancestor || { echo "Failed to switch to dir ./test/nc-ancestor"; exit 1; }
+    ./gen-nc-ancestor.sh
+    check_result $? "gen-nc-ancestor.sh"
+    cd ../../ || exit 1
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ############################################################
     ###### generate cms bundles in test directory ##############
     ############################################################
     echo "Generating CMS bundle"

certs/test/include.am

@@ -104,3 +104,12 @@ EXTRA_DIST += \
          certs/test/expired/expired-ca.der \
          certs/test/expired/expired-cert.pem \
          certs/test/expired/expired-cert.der
+
+EXTRA_DIST += \
+         certs/test/nc-ancestor/gen-nc-ancestor.sh \
+         certs/test/nc-ancestor/00-root.cert.pem \
+         certs/test/nc-ancestor/00-uri-permit-ca-permissive.cert.pem \
+         certs/test/nc-ancestor/01-uri-permit-ca.cert.pem \
+         certs/test/nc-ancestor/02-benign-sub-ca.cert.pem \
+         certs/test/nc-ancestor/03-leaf-chain.cert.pem \
+         certs/test/nc-ancestor/03-valid-leaf.cert.pem

certs/test/nc-ancestor/00-root.cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVmgAwIBAgIVAJXi3vVvITnmiOESBz9aZSr2FeebMAoGCCqGSM49BAMC
+MDcxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEVMBMGA1UEAwwMTkMg
+VGVzdCBSb290MB4XDTI2MDYxMDIyNDEyMVoXDTI5MDMwNjIyNDEyMVowNzELMAkG
+A1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRUwEwYDVQQDDAxOQyBUZXN0IFJv
+b3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASxhvIYQxpzgpaUMoI+04PSN46R
+kdVFF5nN4f2ifI+m+QkBMrg7dZOGS0Fn31Uw8esgp66J6qn912rWkFLfFad2o0Iw
+QDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUakaR
+hB1zSHLZ5x4HovqETbOGflUwCgYIKoZIzj0EAwIDSAAwRQIhAMaH7J1DJvZJ5jif
+Rc1BxlesFk85nss/doH8Aw8LBTIWAiBw603a/kNSZSAnfp8i460kA8ACgZ9lYeQE
+Cs3h03BtwQ==
+-----END CERTIFICATE-----

certs/test/nc-ancestor/00-uri-permit-ca-permissive.cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtTCCAVqgAwIBAgIUYLjQNUilzxwweoDkWt+vCJIGZSAwCgYIKoZIzj0EAwIw
+ODELMAkGA1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRYwFAYDVQQDDA1VUkkg
+UGVybWl0IENBMB4XDTI2MDYxNjE4NTM1N1oXDTI5MDMxMjE4NTM1N1owODELMAkG
+A1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRYwFAYDVQQDDA1VUkkgUGVybWl0
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfrp50Uy5VOuiDZAV1g+GjazW
+VrGrSi01pj1XIUh0Ps99CTlrrZoKMqIORMvLlvp0vRFC/9xPlBVYAYAaGuehzqNC
+MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFGux
+5AbbDYYMEDI3Upw5mOhCYJjIMAoGCCqGSM49BAMCA0kAMEYCIQC33fvrOa+N0g8M
+nGJ6Ra6FnYvaHZFHxP283jIaVkqLiQIhAKIQ/alOoi2Pc/YvaHFse1gVViCekrr0
+JF+/6lYl9eZx
+-----END CERTIFICATE-----

certs/test/nc-ancestor/01-uri-permit-ca.cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAZ2gAwIBAgIVAMWBSaX4LIyu99TUdBqrX7qJfvsNMAoGCCqGSM49BAMC
+MDcxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEVMBMGA1UEAwwMTkMg
+VGVzdCBSb290MB4XDTI2MDYxMDIyNDEyMVoXDTI5MDMwNjIyNDEyMVowODELMAkG
+A1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRYwFAYDVQQDDA1VUkkgUGVybWl0
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1wPAznCjB4X/lwUgJEfJCA3G
+r8+LSBmR7zAi8puv1iAMPJqdXtMgVeiGS0oN86Gl5lLAxuLUOwVZaK/9iF55QqOB
+hDCBgTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU
+2UGgcB/9rFl6Chp6LvNdPChyQOcwHwYDVR0jBBgwFoAUakaRhB1zSHLZ5x4HovqE
+TbOGflUwHgYDVR0eAQH/BBQwEqAQMA6GDC5leGFtcGxlLmNvbTAKBggqhkjOPQQD
+AgNHADBEAiA0ZSgJqvBH8IAW9X/4qkas3aLg/e/mDcXFU3Ll0V6A9QIgW2UxJpPq
+nK+2qXvUEfPfKt9YJhva0NtcHawG99UwCTI=
+-----END CERTIFICATE-----

certs/test/nc-ancestor/02-benign-sub-ca.cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAXygAwIBAgIVAKx8tKw6QphEOtBgHbQMCKaB6jnvMAoGCCqGSM49BAMC
+MDgxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEWMBQGA1UEAwwNVVJJ
+IFBlcm1pdCBDQTAeFw0yNjA2MTAyMjQxMjFaFw0yOTAzMDYyMjQxMjFaMDgxCzAJ
+BgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEWMBQGA1UEAwwNQmVuaWduIFN1
+YiBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCwaQDa0aKS3j1A+YMqdYceA
+mORZW14nICQlx+upj7W+eXG0JQvrRZLw6ROOYbhTaOsU03kzhUx7wo/aOAKdiuej
+YzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQq
+FqZNx/PQ4/hypBU0BAGbw3+whDAfBgNVHSMEGDAWgBTZQaBwH/2sWXoKGnou8108
+KHJA5zAKBggqhkjOPQQDAgNIADBFAiEA38BZ/g1qaUFKPoR7Svum4mr6oN57Pgh+
+DxELpfQHxoACIEEWUBDItBGAC2MPI6as4w7t6Iz/mYWkWgb22ShXgWSs
+-----END CERTIFICATE-----

certs/test/nc-ancestor/03-leaf-chain.cert.pem

@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAcCgAwIBAgIUatTgVUySbR6t3cVQhx1kbrMERb0wCgYIKoZIzj0EAwIw
+ODELMAkGA1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRYwFAYDVQQDDA1CZW5p
+Z24gU3ViIENBMB4XDTI2MDYxMDIyNDEyMVoXDTI5MDMwNjIyNDEyMVowQDELMAkG
+A1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMR4wHAYDVQQDDBVOQyBUZXN0IEF0
+dGFja2VyIExlYWYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATw19KmMSJmcuRm
+6JCpmIULNQouTvnKo/RSM835dwDx3lvhq+XITHyG4jSK6OOSDU3GR3NSXciV2uc3
+QQe43Llio4GfMIGcMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBTBzmxwEPtYNq00q3Abzs/mrvzErjAf
+BgNVHSMEGDAWgBQqFqZNx/PQ4/hypBU0BAGbw3+whDAnBgNVHREBAf8EHTAbhhlo
+dHRwczovL2F0dGFja2VyLmNvbS9sZWFmMAoGCCqGSM49BAMCA0kAMEYCIQCNQqLZ
+CljaJx8J9GDnh4Fr4/CGgXfkw0K/IgcQGrt4sAIhAM2XsX/8HCNz/oZDHgvalnrj
++Vr8R3DoFPo6YxvwNvga
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAXygAwIBAgIVAKx8tKw6QphEOtBgHbQMCKaB6jnvMAoGCCqGSM49BAMC
+MDgxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEWMBQGA1UEAwwNVVJJ
+IFBlcm1pdCBDQTAeFw0yNjA2MTAyMjQxMjFaFw0yOTAzMDYyMjQxMjFaMDgxCzAJ
+BgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEWMBQGA1UEAwwNQmVuaWduIFN1
+YiBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCwaQDa0aKS3j1A+YMqdYceA
+mORZW14nICQlx+upj7W+eXG0JQvrRZLw6ROOYbhTaOsU03kzhUx7wo/aOAKdiuej
+YzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQq
+FqZNx/PQ4/hypBU0BAGbw3+whDAfBgNVHSMEGDAWgBTZQaBwH/2sWXoKGnou8108
+KHJA5zAKBggqhkjOPQQDAgNIADBFAiEA38BZ/g1qaUFKPoR7Svum4mr6oN57Pgh+
+DxELpfQHxoACIEEWUBDItBGAC2MPI6as4w7t6Iz/mYWkWgb22ShXgWSs
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAZ2gAwIBAgIVAMWBSaX4LIyu99TUdBqrX7qJfvsNMAoGCCqGSM49BAMC
+MDcxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEVMBMGA1UEAwwMTkMg
+VGVzdCBSb290MB4XDTI2MDYxMDIyNDEyMVoXDTI5MDMwNjIyNDEyMVowODELMAkG
+A1UEBhMCVVMxETAPBgNVBAoMCE5DIFRlc3RzMRYwFAYDVQQDDA1VUkkgUGVybWl0
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1wPAznCjB4X/lwUgJEfJCA3G
+r8+LSBmR7zAi8puv1iAMPJqdXtMgVeiGS0oN86Gl5lLAxuLUOwVZaK/9iF55QqOB
+hDCBgTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU
+2UGgcB/9rFl6Chp6LvNdPChyQOcwHwYDVR0jBBgwFoAUakaRhB1zSHLZ5x4HovqE
+TbOGflUwHgYDVR0eAQH/BBQwEqAQMA6GDC5leGFtcGxlLmNvbTAKBggqhkjOPQQD
+AgNHADBEAiA0ZSgJqvBH8IAW9X/4qkas3aLg/e/mDcXFU3Ll0V6A9QIgW2UxJpPq
+nK+2qXvUEfPfKt9YJhva0NtcHawG99UwCTI=
+-----END CERTIFICATE-----

certs/test/nc-ancestor/03-valid-leaf.cert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGjCCAcCgAwIBAgIVAMoFBI5Onz8UCFQ9o8tJQ6vGWwonMAoGCCqGSM49BAMC
+MDgxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEWMBQGA1UEAwwNQmVu
+aWduIFN1YiBDQTAeFw0yNjA2MTAyMjQxMjFaFw0yOTAzMDYyMjQxMjFaMD0xCzAJ
+BgNVBAYTAlVTMREwDwYDVQQKDAhOQyBUZXN0czEbMBkGA1UEAwwSTkMgVGVzdCBW
+YWxpZCBMZWFmMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUbPrfhvey3eHKtMu
+Nv3ys2G1cwBPUgCez/CmW0SIaxR219reC7gt7x0DKvWHZM6nRUo0bh13lE+dhlCB
+w8n3HKOBoTCBnjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
+DDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUhBa9znRuVy9+W6CgQ8NY3utPy8UwHwYD
+VR0jBBgwFoAUKhamTcfz0OP4cqQVNAQBm8N/sIQwKQYDVR0RAQH/BB8wHYYbaHR0
+cHM6Ly9iZW5pZ24uZXhhbXBsZS5jb20vMAoGCCqGSM49BAMCA0gAMEUCIQCntd7i
+6xUvNiaGyMdzTa4ArJ/yVB9x5oUxlWtgzNMnXQIgb1FJXrLwN7dVDYMT2aApfRno
+tBBJwUIPZR0J946US4M=
+-----END CERTIFICATE-----

certs/test/nc-ancestor/gen-nc-ancestor.sh

@@ -0,0 +1,231 @@
+#!/usr/bin/env bash
+# Regenerate the NameConstraints ancestor-walk test PEMs.
+#
+# Chains produced:
+#
+#  Negative (leaf violates grandparent's URI permit):
+#    00-root -> 01-uri-permit-ca (permits URI:.example.com) ->
+#               02-benign-sub-ca -> 03-leaf (URI:https://attacker.com/leaf)
+#    Emitted as concatenated bundle 03-leaf-chain.cert.pem; only the
+#    leaf is verified by the test, but the bundle order keeps the file
+#    self-documenting.
+#
+#  Positive (chain that should verify successfully):
+#    00-root -> 01-uri-permit-ca -> 02-benign-sub-ca ->
+#               03-valid-leaf (URI:https://benign.example.com/)
+#
+#  SKID disambiguation (same DN as 01-uri-permit-ca, different key, no NC):
+#    self-signed 00-uri-permit-ca-permissive
+#    Sits in the CM as a same-DN distractor; the ancestor walk must use
+#    AKID->SKID lookup (not a name-only walk) to pick the real signer.
+#
+# NotBefore is the current wall-clock time and NotAfter is +1000d, set by
+# openssl's -days 1000 flag. Serial numbers come from openssl's default
+# random generator. Re-running this script rewrites the PEMs with new
+# serials and shifted validity windows; the tests only assert verify
+# behavior, not specific cert bytes.
+
+set -euo pipefail
+
+DIR="$(cd "$(dirname "$0")" && pwd)"
+WORK="$(mktemp -d)"
+trap 'rm -rf "$WORK"' EXIT
+
+cd "$WORK"
+
+CURVE="prime256v1"
+
+# ---- helpers ----
+
+mkkey() {
+    # $1 = key file
+    openssl ecparam -name "$CURVE" -genkey -noout -out "$1"
+}
+
+mkroot() {
+    # $1 = key, $2 = cert out, $3 = subject CN, $4 = ext-file
+    openssl req -new -x509 -key "$1" -out "$2" \
+        -subj "/C=US/O=NC Tests/CN=$3" \
+        -config "$4" -extensions v3_ca \
+        -set_serial "0x$(openssl rand -hex 20)" \
+        -days 1000 -sha256
+}
+
+# Issue a child cert from $issuer_key / $issuer_cert using ext-file $4.
+# $1 child-key  $2 child-csr-subject-CN  $3 out-cert  $4 ext-file  $5 ext-section
+mkchild() {
+    local child_key=$1 cn=$2 out=$3 extfile=$4 extsec=$5
+    openssl req -new -key "$child_key" -out child.csr \
+        -subj "/C=US/O=NC Tests/CN=$cn" -config "$extfile"
+    openssl x509 -req -in child.csr \
+        -CA "$issuer_cert" -CAkey "$issuer_key" \
+        -set_serial "0x$(openssl rand -hex 20)" \
+        -out "$out" -days 1000 -sha256 \
+        -extfile "$extfile" -extensions "$extsec"
+    rm -f child.csr
+}
+
+# ---- ext configs ----
+
+cat > root.cnf <<'EOF'
+[req]
+distinguished_name = dn
+prompt = no
+[dn]
+[v3_ca]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+EOF
+
+cat > uri-permit-ca.cnf <<'EOF'
+[req]
+distinguished_name = dn
+prompt = no
+[dn]
+[v3_uri_permit]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+nameConstraints = critical, permitted;URI:.example.com
+EOF
+
+cat > sub-ca-nonc.cnf <<'EOF'
+[req]
+distinguished_name = dn
+prompt = no
+[dn]
+[v3_sub_ca]
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+EOF
+
+cat > leaf-attacker.cnf <<'EOF'
+[req]
+distinguished_name = dn
+prompt = no
+[dn]
+[v3_leaf_attacker]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+subjectAltName = critical, URI:https://attacker.com/leaf
+EOF
+
+cat > leaf-valid.cnf <<'EOF'
+[req]
+distinguished_name = dn
+prompt = no
+[dn]
+[v3_leaf_valid]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+subjectAltName = critical, URI:https://benign.example.com/
+EOF
+
+# ---- root ----
+
+mkkey root.key
+mkroot root.key 00-root.cert.pem "NC Test Root" root.cnf
+
+# ---- 01 uri-permit-ca (permits URI:.example.com), issued by root ----
+
+mkkey uri-permit-ca.key
+issuer_cert=00-root.cert.pem; issuer_key=root.key
+mkchild uri-permit-ca.key "URI Permit CA" 01-uri-permit-ca.cert.pem \
+    uri-permit-ca.cnf v3_uri_permit
+
+# ---- 01 permissive sibling (same DN as 01-uri-permit-ca, different key,
+#      no NC). Self-signed so it isn't part of any chain of trust; sits
+#      in the CM purely as a same-DN distractor for the ancestor walk's
+#      AKID->SKID disambiguation test.
+#
+# The wolfSSL CM hash-buckets signers by SKID into CA_TABLE_SIZE=11 rows.
+# A name-only lookup (the walk's fallback when AKID disambiguation is
+# broken) iterates rows 0..10 and returns the first match. For the
+# regression test to FAIL when disambiguation is broken, the permissive
+# sibling must land in a row strictly less than the strict variant's so
+# the name-only lookup surfaces it. Iterate key generation until that
+# holds. ----
+
+# Compute the CM row index for a cert's SKID:
+#   row = (first 4 SKID bytes as big-endian word) mod 11
+# Mirrors HashSigner() in src/ssl_certman.c.
+skid_bucket() {
+    local hex
+    hex=$(openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
+          | grep -E '^[[:space:]]+[A-Fa-f0-9]' | head -1 \
+          | tr -d ' :' | head -c 8)
+    echo $(( 0x$hex % 11 ))
+}
+
+strict_bucket=$(skid_bucket 01-uri-permit-ca.cert.pem)
+if (( strict_bucket == 0 )); then
+    echo "ERROR: strict CA hashed to row 0; cannot place permissive sibling lower." >&2
+    echo "  Rerun the script to rotate the strict CA's SKID." >&2
+    exit 1
+fi
+
+attempts=0
+perm_bucket=$strict_bucket
+while (( attempts < 200 )); do
+    attempts=$(( attempts + 1 ))
+    mkkey uri-permit-ca-permissive.key
+    mkroot uri-permit-ca-permissive.key 00-uri-permit-ca-permissive.cert.pem \
+        "URI Permit CA" root.cnf
+    perm_bucket=$(skid_bucket 00-uri-permit-ca-permissive.cert.pem)
+    if (( perm_bucket < strict_bucket )); then
+        break
+    fi
+done
+if (( perm_bucket >= strict_bucket )); then
+    echo "ERROR: failed to land permissive sibling below row $strict_bucket after $attempts tries." >&2
+    exit 1
+fi
+echo "Permissive sibling: row $perm_bucket < strict row $strict_bucket (after $attempts tries)"
+
+# ---- 02 benign-sub-ca (no NC, no URI SAN), issued by uri-permit-ca ----
+
+mkkey benign-sub-ca.key
+issuer_cert=01-uri-permit-ca.cert.pem; issuer_key=uri-permit-ca.key
+mkchild benign-sub-ca.key "Benign Sub CA" 02-benign-sub-ca.cert.pem \
+    sub-ca-nonc.cnf v3_sub_ca
+
+# ---- 03 leaf (URI:attacker.com/leaf -- violates grandparent's permit) ----
+
+mkkey leaf-attacker.key
+issuer_cert=02-benign-sub-ca.cert.pem; issuer_key=benign-sub-ca.key
+mkchild leaf-attacker.key "NC Test Attacker Leaf" 03-leaf.cert.pem \
+    leaf-attacker.cnf v3_leaf_attacker
+
+# ---- 03 valid-leaf (URI:benign.example.com -- inside permit) ----
+
+mkkey leaf-valid.key
+issuer_cert=02-benign-sub-ca.cert.pem; issuer_key=benign-sub-ca.key
+mkchild leaf-valid.key "NC Test Valid Leaf" 03-valid-leaf.cert.pem \
+    leaf-valid.cnf v3_leaf_valid
+
+# ---- copy into destination ----
+
+cp -f 00-root.cert.pem 01-uri-permit-ca.cert.pem \
+      00-uri-permit-ca-permissive.cert.pem \
+      02-benign-sub-ca.cert.pem 03-valid-leaf.cert.pem \
+      "$DIR/"
+
+# Concatenated bundle (attacker leaf + benign-sub-ca + uri-permit-ca).
+# CertManagerVerify reads only the first PEM block (the leaf); the
+# trailing CAs keep the file self-documenting. Order: leaf first, then
+# ascending issuers.
+cat 03-leaf.cert.pem 02-benign-sub-ca.cert.pem 01-uri-permit-ca.cert.pem \
+    > "$DIR/03-leaf-chain.cert.pem"
+
+echo "Generated chain in $DIR/"
+ls -la "$DIR/"