Add a few regress test cases for name constraints.

From Alex Wilson

3 files changed, 25 insertions, 5 deletions

diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
index 3616b132bf..d430121d14 100644
--- a/src/regress/lib/libcrypto/CA/Makefile
+++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.3 2020/12/26 14:42:09 bluhm Exp $
+#       $OpenBSD: Makefile,v 1.4 2022/03/14 21:30:48 tb Exp $
 
 CLEANFILES +=   *.pem *.serial *.txt *.attr *.old
 
@@ -59,7 +59,7 @@ server.key.pem: stamp-clean
 server.csr.pem: intermediate.cnf server.key.pem
         # server req
         openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
-            -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
+            -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA' \
             -key server.key.pem -out server.csr.pem
 
 # Sign server key
@@ -77,7 +77,7 @@ client.key.pem: stamp-clean
 client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
         # client req
         openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
-            -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
+            -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA' \
             -key client.key.pem -out client.csr.pem
 
 # Sign client key
diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
index bbf189d268..d0057ca13f 100644
--- a/src/regress/lib/libcrypto/CA/intermediate.cnf
+++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -1,4 +1,4 @@
-#       $OpenBSD: intermediate.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
+#       $OpenBSD: intermediate.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
 # For regression tests
 default_ca = CA_regress
 
@@ -105,6 +105,10 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = critical, @usr_san
+
+[ usr_san ]
+email.0 = evilsoandsos@test.openbsd.org
 
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
index 506542e943..30a442f136 100644
--- a/src/regress/lib/libcrypto/CA/root.cnf
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
-#       $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
+#       $OpenBSD: root.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
 # For regression tests
 default_ca = CA_regress
 
@@ -95,6 +95,22 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+nameConstraints = critical, @ca_name_constraints
+
+[ ca_name_constraints ]
+permitted;DNS.0 = .openbsd.org
+permitted;DNS.1 = client
+permitted;email.0 = openbsd.org
+permitted;email.1 = @test.openbsd.org
+permitted;URI.0 = .openbsd.org
+permitted;dirName.0 = openbsd_dn
+permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
+excluded;IP.0 = 0.0.0.0/0.0.0.0
+excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+
+[ openbsd_dn ]
+C = CA
+O = OpenBSD
 
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).