Add a few regress test cases for name constraints.

From Alex Wilson
author: tb <> 2022-03-14 21:30:48 +0000
committer: tb <> 2022-03-14 21:30:48 +0000
commit: 82ef2f98179db11b9dffd5f259aa312fbbe52c07 (patch)
tree: 92535780fe32cf443c8a023a93457adb48add9e1 /src/regress/lib/libcrypto/CA/root.cnf
parent: 2189fd34b7b61fc89bd474d85ac954a2fb1b6d71 (diff)
download: openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.tar.gz
openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.tar.bz2
openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.zip
1 files changed, 17 insertions, 1 deletions
diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
index 506542e943..30a442f136 100644
--- a/src/regress/lib/libcrypto/CA/root.cnf
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
-#       $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
+#       $OpenBSD: root.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
 # For regression tests
 default_ca = CA_regress
@@ -95,6 +95,22 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+nameConstraints = critical, @ca_name_constraints
+[ ca_name_constraints ]
+permitted;DNS.0 = .openbsd.org
+permitted;DNS.1 = client
+permitted;email.0 = openbsd.org
+permitted;email.1 = @test.openbsd.org
+permitted;URI.0 = .openbsd.org
+permitted;dirName.0 = openbsd_dn
+permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
+excluded;IP.0 = 0.0.0.0/0.0.0.0
+excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+[ openbsd_dn ]
+C = CA
+O = OpenBSD
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
author	tb <>	2022-03-14 21:30:48 +0000
committer	tb <>	2022-03-14 21:30:48 +0000
commit	82ef2f98179db11b9dffd5f259aa312fbbe52c07 (patch)
tree	92535780fe32cf443c8a023a93457adb48add9e1 /src/regress/lib/libcrypto/CA/root.cnf
parent	2189fd34b7b61fc89bd474d85ac954a2fb1b6d71 (diff)
download	openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.tar.gz openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.tar.bz2 openbsd-82ef2f98179db11b9dffd5f259aa312fbbe52c07.zip

diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf index 506542e943..30a442f136 100644 --- a/src/regress/lib/libcrypto/CA/root.cnf +++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
1	# $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $	1	# $OpenBSD: root.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
2	# For regression tests	2	# For regression tests
3	default_ca = CA_regress	3	default_ca = CA_regress
4		4
@@ -95,6 +95,22 @@ subjectKeyIdentifier = hash
95	authorityKeyIdentifier = keyid:always,issuer	95	authorityKeyIdentifier = keyid:always,issuer
96	basicConstraints = critical, CA:true, pathlen:0	96	basicConstraints = critical, CA:true, pathlen:0
97	keyUsage = critical, digitalSignature, cRLSign, keyCertSign	97	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
		98	nameConstraints = critical, @ca_name_constraints
		99
		100	[ ca_name_constraints ]
		101	permitted;DNS.0 = .openbsd.org
		102	permitted;DNS.1 = client
		103	permitted;email.0 = openbsd.org
		104	permitted;email.1 = @test.openbsd.org
		105	permitted;URI.0 = .openbsd.org
		106	permitted;dirName.0 = openbsd_dn
		107	permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
		108	excluded;IP.0 = 0.0.0.0/0.0.0.0
		109	excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
		110
		111	[ openbsd_dn ]
		112	C = CA
		113	O = OpenBSD
98		114
99	[ usr_cert ]	115	[ usr_cert ]
100	# Extensions for client certificates (`man x509v3_config`).	116	# Extensions for client certificates (`man x509v3_config`).