Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional testcases #174

Open
4 of 16 tasks
woodruffw opened this issue Jan 17, 2024 · 2 comments
Open
4 of 16 tasks

Additional testcases #174

woodruffw opened this issue Jan 17, 2024 · 2 comments
Labels
component:tests 🧪 Unit and integration tests

Comments

@woodruffw
Copy link
Collaborator

woodruffw commented Jan 17, 2024
edited
Loading

#1 is old and not super well organized, so I'm copying things that haven't yet been done into this new issue.

RFC 5280

  • implementations should reject EC keys not in namedCurve format (see Add an explicit curve test #173)
  • implementations should reject v1 certificates that contain v3 extensions
  • implementations should reject DNS Name Constraints of the form .foo (leading period is valid in URI constraints and others, but not in DNS constraints) (PyCA harness, fix SAN #207)
  • implementations should reject OtherName OIDs that they don't know (limbo: add othername NC testcase #228)
  • implementations should check the time type:
    • 1950 <= validity < 2050 should be UTCTime
    • validity < 1950 || validity >= 2050 should be GeneralizedTime

CABF

  • 7.1.4.3: If present, Subject.commonName MUST contain exactly one entry that is one of the values contained in the subjectAltName extension, and MUST be encoded as follows
    • For IPv4 addresses, must be an IPv4Address per RFC 3986 S. 3.2.2
    • For IPv6 addresses, must be be encoded in the text representation specified in RFC 5952 S. 4.
    • For FQDNs or wildcard domain names, must be a char-for-char copy of the dNSName entry from subjectAltName; P-labels must not be converted to their Unicode representation.
  • 7.1.2.7.6 and 7.1.2.7.10: extKeyUsage is required in subscriber certificates, and MUST contain id-kp-serverAuth (MAY contain id-kp-clientAuth), and MUST NOT contain any other id-kp-*, anyExtendedKeyUsage, or the Precertificate Signing Certificate OID (1.3.6.1.4.1.11129.2.4.4)
  • 7.1.2.10.6: CA EKUs are similar to subscriber cert EKUs

Regressions

General

  • Implementations should (generally) not be permissive around times close to expiries (e.g. a cert that expired 5 seconds before validation should generally not be accepted)

Client verification

  • Implementations should treat the *@example.com email NC as a literal email address with an inbox of *, not as a wildcard pattern for example.com.

Other test suites
@woodruffw woodruffw added the component:tests 🧪 Unit and integration tests label Jan 17, 2024
@woodruffw woodruffw mentioned this issue Jan 17, 2024
Closed
24 tasks
@alex
Copy link
Collaborator

alex commented Feb 18, 2024

We need a test case for DoS in name constraint handling: openssl/openssl#4393

@woodruffw
Copy link
Collaborator Author

We need a test case for DoS in name constraint handling: openssl/openssl#4393

Opened #204 for these. Will investigate why OpenSSL appears to pass its own DoS test.

@woodruffw woodruffw mentioned this issue Mar 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:tests 🧪 Unit and integration tests
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alex @woodruffw