Building openssl with RFC 8398 support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The patch was tested against OpenSSL 1.1.1c. Apply it in the top of the
OpenSSL source tree, then build:

    patch -p1 < rfc8398.diff
    ./config shared
    make update
    make
    make test

Testing EAI operations
~~~~~~~~~~~~~~~~~~~~~~

The test certificates implement the RFC 8398 Figure 1 example. The CA
hierarchy follows
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
None of the private keys has a password.

1. Unpack the CA:

    tar xzf root.tar.gz

2. Update the path to the root CA directory in the CA_default section of
   each of the following files so that it matches where you unpacked the
   archive:

    root/ca/intermediate/openssl_ascii.cnf
    root/ca/intermediate/openssl.cnf
    root/ca/intermediate/openssl_utf8.cnf
    root/ca/openssl.cnf

   The certificates are in root/ca/intermediate/certs. You should see:

    intermediate_one.cert.pem
    intermediate_two.cert.pem
    ca-chain-one.cert.pem
    ca-chain-two.cert.pem
    ca-chain.cert.pem
    www.example.com.cert.pem
    intermediate.cert.pem

   intermediate_one.cert.pem has a name constraint:
       Permitted: elementary.school.example.com
   intermediate_two.cert.pem has a name constraint:
       Permitted: xn--pss25c.example.com
   (xn--pss25c is the A-label, i.e. Punycode, form of the U-label 大学, so
   the second constraint covers mailboxes at 大学.example.com.)

3. Run the commands below from your build directory to test the EAI
   operations. LD_LIBRARY_PATH=. makes the freshly built apps/openssl load
   the shared libcrypto and libssl from the build tree rather than the
   system libraries.

   Do NOT add any other e-mail address to the newly created certificates
   (for example an emailAddress attribute in the subject): the intermediate
   CAs carry NameConstraints limiting the permitted subtree, and the tests
   below rely on those constraints to produce a subtree violation.

   Create CSR, EAI, ASCII domain:

    LD_LIBRARY_PATH=. apps/openssl req \
        -config root/ca/intermediate/openssl_ascii.cnf \
        -key root/ca/intermediate/private/www.example.com.key.pem \
        -new -sha256 -utf8 -out utf_local_ascii_domain.csr.pem

   Create CSR, EAI, UTF8 domain:

    LD_LIBRARY_PATH=. apps/openssl req \
        -config root/ca/intermediate/openssl_utf8.cnf \
        -key root/ca/intermediate/private/www.example.com.key.pem \
        -new -sha256 -utf8 -out utf_local_utf_domain.csr.pem

   Create the certificate, EAI, ASCII domain:

    LD_LIBRARY_PATH=. apps/openssl ca \
        -config root/ca/intermediate/openssl_ascii.cnf \
        -extensions usr_cert -days 375 -notext -md sha256 \
        -in utf_local_ascii_domain.csr.pem \
        -out utf_local_ascii_domain.cert.pem -rand_serial

   Create the certificate, EAI, UTF8 domain:

    LD_LIBRARY_PATH=. apps/openssl ca \
        -config root/ca/intermediate/openssl_utf8.cnf \
        -extensions usr_cert -days 375 -notext -md sha256 \
        -in utf_local_utf_domain.csr.pem \
        -out utf_local_utf_domain.cert.pem -rand_serial

   Subtree validation (each command MUST succeed; the certificate's domain
   lies inside the permitted subtree of the intermediate in the chain):

    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -CAfile root/ca/intermediate/certs/ca-chain-one.cert.pem \
        utf_local_ascii_domain.cert.pem
    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -CAfile root/ca/intermediate/certs/ca-chain-two.cert.pem \
        utf_local_utf_domain.cert.pem

   Subtree violation (each command MUST fail; the chains are swapped, so
   the certificate's domain falls outside the permitted subtree):

    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -CAfile root/ca/intermediate/certs/ca-chain-two.cert.pem \
        utf_local_ascii_domain.cert.pem
    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -CAfile root/ca/intermediate/certs/ca-chain-one.cert.pem \
        utf_local_utf_domain.cert.pem

   Email address match (the address given to -verify_email is matched
   against the certificate's SmtpUTF8Mailbox subjectAltName):

    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -verify_email 学生@elementary.school.example.com \
        -CAfile root/ca/intermediate/certs/ca-chain-one.cert.pem \
        utf_local_ascii_domain.cert.pem
    LD_LIBRARY_PATH=. apps/openssl verify -nameopt utf8 \
        -verify_email 医生@大学.example.com \
        -CAfile root/ca/intermediate/certs/ca-chain-two.cert.pem \
        utf_local_utf_domain.cert.pem

   Printing out:

    LD_LIBRARY_PATH=. apps/openssl x509 -text -in utf_local_ascii_domain.cert.pem
    LD_LIBRARY_PATH=. apps/openssl x509 -text -in utf_local_utf_domain.cert.pem
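The MUST succeed / MUST fail matrix above follows from the matching rules in
RFC 8398 section 6: an rfc822Name constraint is ASCII, so the domain part of a
SmtpUTF8Mailbox is converted to A-labels before it is compared with the
constraint, and a non-ASCII local part can never satisfy a constraint that
names a complete mailbox. The following is an added example written for this
README, not code from the OpenSSL patch or from OpenSSL itself. It models those
rules in plain Python, together with the RFC 8398 section 5 equality test that
an address check like -verify_email performs, and reproduces the four verify
outcomes above with the README's own constraints and addresses (embedded as
constructed inputs). The function names and the use of Python's stdlib idna
codec are this example's own choices; the stdlib codec implements IDNA2003
rather than the IDNA2008 that RFC 8398 requires, but the two agree for the CJK
labels used here.

```python
# Added example: RFC 8398 name-constraint and equality matching for
# SmtpUTF8Mailbox names, modelled in Python. Not the OpenSSL patch's code.
from __future__ import annotations


def domain_to_alabel(domain: str) -> str:
    """Return the domain with every label in A-label (xn--...) form, lower-cased.

    Assumption: Python's stdlib idna codec (IDNA2003) gives the same result as
    IDNA2008 for the labels we care about. It passes ASCII labels through and
    rejects empty labels or labels longer than 63 octets.
    """
    return domain.encode("idna").decode("ascii").lower()


def split_mailbox(mailbox: str) -> tuple[str, str]:
    """Split at the last '@'. RFC 8398 does not allow quoted local parts."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain or '"' in local:
        raise ValueError(f"not a usable SmtpUTF8Mailbox: {mailbox!r}")
    return local, domain


def rfc822_constraint_matches(mailbox: str, constraint: str) -> bool:
    """Does one rfc822Name constraint (RFC 5280 4.2.1.10) cover this mailbox?

    Constraint forms: "user@host" (one mailbox), "host" (any mailbox on that
    host) and ".domain" (any mailbox on any host below domain). Per RFC 8398
    section 6 the mailbox's domain is converted to A-labels first and the
    domain comparison is case-insensitive.
    """
    local, domain = split_mailbox(mailbox)
    adomain = domain_to_alabel(domain)

    if "@" in constraint:
        c_local, c_domain = constraint.rsplit("@", 1)
        # rfc822Name local parts are ASCII, so a UTF-8 local part never matches.
        if not local.isascii():
            return False
        return local == c_local and adomain == c_domain.lower()
    if constraint.startswith("."):
        # Hosts strictly below the constraint domain; the domain itself is excluded.
        return adomain.endswith(constraint.lower())
    return adomain == constraint.lower()


def permitted_by(mailbox: str, permitted: list[str]) -> bool:
    """Permitted-subtree check: with no rfc822Name constraint anything passes."""
    return not permitted or any(rfc822_constraint_matches(mailbox, c) for c in permitted)


def emails_match(a: str, b: str) -> bool:
    """RFC 8398 section 5 equality: A-label domains compared case-insensitively,
    local parts compared byte for byte (no case folding)."""
    la, da = split_mailbox(a)
    lb, db = split_mailbox(b)
    return la == lb and domain_to_alabel(da) == domain_to_alabel(db)


# Constructed inputs mirroring this README: the permitted subtree of each
# intermediate CA and the SmtpUTF8Mailbox carried by each issued certificate.
INTERMEDIATE_ONE = ["elementary.school.example.com"]
INTERMEDIATE_TWO = ["xn--pss25c.example.com"]  # A-label form of 大学.example.com
ASCII_DOMAIN_CERT = "学生@elementary.school.example.com"
UTF8_DOMAIN_CERT = "医生@大学.example.com"


def readme_matrix() -> dict[str, bool]:
    """The four verify runs from the README: True where verify MUST succeed."""
    return {
        "ascii cert, chain one": permitted_by(ASCII_DOMAIN_CERT, INTERMEDIATE_ONE),
        "utf8 cert, chain two": permitted_by(UTF8_DOMAIN_CERT, INTERMEDIATE_TWO),
        "ascii cert, chain two": permitted_by(ASCII_DOMAIN_CERT, INTERMEDIATE_TWO),
        "utf8 cert, chain one": permitted_by(UTF8_DOMAIN_CERT, INTERMEDIATE_ONE),
    }


if __name__ == "__main__":
    for case, ok in readme_matrix().items():
        print(f"{case}: {'verify OK' if ok else 'name constraint violation'}")
```

The two MUST-fail cases fail for different reasons worth keeping apart when
reading verify output: the ASCII-domain certificate under chain two fails
because elementary.school.example.com is simply not xn--pss25c.example.com,
while the UTF-8 domain certificate under chain one fails only after 大学 has
been converted to its A-label, which is the step RFC 8398 adds on top of the
RFC 5280 rfc822Name rules.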