diff --git a/data_files/Makefile b/data_files/Makefile
index 6dae31d19e..71af55db51 100644
--- a/data_files/Makefile
+++ b/data_files/Makefile
@@ -260,6 +260,9 @@ parse_input/test-ca-unsupported_policy.crt: $(test_ca_key_file_rsa) test-ca.req.
 parse_input/test-ca-unsupported_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
 $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_unsupported_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
 
+parse_input/test-ca-name_constraints_dns_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256
+ $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions name_constraints_dns_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@
+
 test-ca.req_ec.sha256: $(test_ca_key_file_ec)
 $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL, O=PolarSSL, CN=Polarssl Test EC CA" md=SHA256
 all_intermediate += test-ca.req_ec.sha256
@@ -472,6 +475,9 @@ all_final += server5-selfsigned.crt
 parse_input/server5-othername.crt.der: server5.key
 $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -outform der -out $@
 
+parse_input/server5-bp_eid.crt.der: server5.key
+ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions bp_eid_san -days 3650 -sha256 -key $< -outform der -out $@
+
 parse_input/server5-nonprintable_othername.crt.der: server5.key
 $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -outform der -out $@
 
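Review bot: The new `parse_input/server5-bp_eid.crt.der` rule in the second hunk copies both the subject `CN=Mbed TLS othername SAN` and `-set_serial 77` from the `server5-othername.crt.der` rule above it, so two self-signed fixtures with different contents share the same issuer name and serial number. The sibling `server5-nonprintable_othername.crt.der` rule keeps the serial but at least changes the CN. Anything that identifies a certificate by issuer and serial, or a test log that prints only the subject, cannot tell the two files apart. A distinct subject, for example `-subj "/C=UK/O=Mbed TLS/CN=Mbed TLS BundleEID SAN"`, would avoid that, at the cost of regenerating the committed DER file and any expected parse output. The first hunk is similar but milder: `test-ca-name_constraints_dns_ec.crt` shares key, request and serial 0 with the `unsupported_policy_ec` CA.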
diff --git a/data_files/parse_input/server5-bp_eid.crt.der b/data_files/parse_input/server5-bp_eid.crt.der
new file mode 100644
index 0000000000..dd5ef37e4d
Binary files /dev/null and b/data_files/parse_input/server5-bp_eid.crt.der differ
diff --git a/data_files/parse_input/test-ca-name_constraints_dns_ec.crt b/data_files/parse_input/test-ca-name_constraints_dns_ec.crt
new file mode 100644
index 0000000000..7f8c84a7fa
--- /dev/null
+++ b/data_files/parse_input/test-ca-name_constraints_dns_ec.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICDDCCAZOgAwIBAgIBADAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
+MjUwMTEwMTY0NTMzWhcNMzUwMTExMTY0NTMzWjA+MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxHDAaBgNVBAMME1BvbGFyc3NsIFRlc3QgRUMgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAATD2is0QTdYL4dW/vyJuilDS07gbsMOV1MzOVjU
+UrSRlTkLI99fFyRiSPwalSnOLC2HwohSgK/Waqsh3bjTHG5YuMrosmmO80GtKcO0
+X3WnR2/VGSlVaZpTOyC0ZhZgMx6jZTBjMAwGA1UdEwQFMAMBAf8wNAYDVR0eAQH/
+BCowKKAQMA6CDC5leGFtcGxlLmNvbaEUMBKCEC5iYWQuZXhhbXBsZS5jb20wHQYD
+VR0OBBYEFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAoGCCqGSM49BAMCA2cAMGQCMBA4
+TTpDxUBuIcgYHs5orNFZitk1T14CL6XiC/JEd4MZ5bqLo6HmSB9M+Yj01D8C9QIw
+fYvj6Cl6W9P/sQze5V8iCqCBr6qQvnEdmeNP7DRxIfMulElBS6W4iRlu0i0nup2G
+-----END CERTIFICATE-----
diff --git a/data_files/test-ca.opensslconf b/data_files/test-ca.opensslconf
index 0340e9e276..85256a291e 100644
--- a/data_files/test-ca.opensslconf
+++ b/data_files/test-ca.opensslconf
@@ -20,6 +20,9 @@ basicConstraints = CA:true
 [othername_san]
 subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
 
+[bp_eid_san]
+subjectAltName=otherName:1.3.6.1.5.5.7.8.11;IA5:"ipn:977000.100.0"
+
 [nonprintable_othername_san]
 subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
 
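Review bot: The `[bp_eid_san]` section names the otherName type only by the bare OID `1.3.6.1.5.5.7.8.11`, with nothing saying what it identifies or why the value is an IA5String. A comment above the section, for example `# otherName id-on-bundleEID (RFC 9174): Bundle Protocol endpoint ID, carried as an IA5String`, would let a reader check the fixture against what the parser is expected to accept. The fixture also covers only one well-formed `ipn:` value. Whether malformed or non-IA5 BundleEID values are exercised elsewhere is not visible in this diff.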
@@ -116,6 +119,10 @@ subjectAltName=dirName:dirname_sect
 [two_directorynames]
 subjectAltName=dirName:dirname_sect, dirName:dirname_to_malform
 
+[name_constraints_dns_ca]
+basicConstraints = CA:true
+nameConstraints=critical, permitted;DNS:.example.com, excluded;DNS:.bad.example.com
+
 [dirname_sect]
 C=UK
 O=Mbed TLS
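Review bot: Both subtrees in `[name_constraints_dns_ca]` are written with a leading dot (`.example.com`, `.bad.example.com`), a form RFC 5280 describes for URI host constraints but not for dNSName constraints, which it writes as `example.com` and matches by adding labels on the left. That is harmless for a parse-only fixture, which the `parse_input/` location suggests this is. How a leading-dot dNSName constraint matches is left to the implementation, though, so the certificate would be a weak basis for chain-verification tests later. A comment such as `# leading-dot dNSName constraints: parse fixture only; the excluded subtree sits inside the permitted one` would record the intent. If matching semantics are to be tested, a second fixture without the leading dot would be the safer reference.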