From eafae99fd14060795330ecbb42af9f98d1ddc978 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Mon, 14 Mar 2022 21:30:48 +0000
Subject: Add a few regress test cases for name constraints.

From Alex Wilson
---
 src/regress/lib/libcrypto/CA/Makefile | 6 +++---
 src/regress/lib/libcrypto/CA/intermediate.cnf | 6 +++++-
 src/regress/lib/libcrypto/CA/root.cnf | 18 +++++++++++++++++-
 3 files changed, 25 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/regress/lib/libcrypto/CA/Makefile b/src/regress/lib/libcrypto/CA/Makefile
index 3616b132bf..d430121d14 100644
--- a/src/regress/lib/libcrypto/CA/Makefile
+++ b/src/regress/lib/libcrypto/CA/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2020/12/26 14:42:09 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2022/03/14 21:30:48 tb Exp $
 
 CLEANFILES += *.pem *.serial *.txt *.attr *.old
 
@@ -59,7 +59,7 @@ server.key.pem: stamp-clean
 server.csr.pem: intermediate.cnf server.key.pem
 	# server req
 	openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
-	    -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
+	    -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA' \
 	    -key server.key.pem -out server.csr.pem
 
 # Sign server key
@@ -77,7 +77,7 @@ client.key.pem: stamp-clean
 client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
 	# client req
 	openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
-	    -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
+	    -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA' \
 	    -key client.key.pem -out client.csr.pem
 
 # Sign client key
diff --git a/src/regress/lib/libcrypto/CA/intermediate.cnf b/src/regress/lib/libcrypto/CA/intermediate.cnf
index bbf189d268..d0057ca13f 100644
--- a/src/regress/lib/libcrypto/CA/intermediate.cnf
+++ b/src/regress/lib/libcrypto/CA/intermediate.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: intermediate.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
+# $OpenBSD: intermediate.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
 # For regression tests
 
 default_ca = CA_regress
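Review bot: In the @@ -59 hunk the server certificate's only DNS-shaped name is the CN `server.openbsd.org`, so whether the root's `permitted;DNS.0 = .openbsd.org` subtree is really exercised depends on the verifier falling back to the CN when no dNSName SAN is present, unless `server_cert` in intermediate.cnf (outside this diff) already adds one; a dNSName SAN on the server cert would make the DNS case independent of that fallback. The same applies to the client CN `client` in the @@ -77 hunk and `permitted;DNS.1 = client`. The CSR's RDN order here (CN first, C last) is also not the `C=CA, O=OpenBSD` prefix the permitted dirName requires, so the fixture presumably relies on `openssl ca` re-emitting the subject in the policy section's order, which is worth stating. A comment above each `-subj` line, `# CN and DN order chosen to satisfy the nameConstraints in root.cnf`, would record why these values matter.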
@@ -105,6 +105,10 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = critical, @usr_san
+
+[ usr_san ]
+email.0 = evilsoandsos@test.openbsd.org
 
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
diff --git a/src/regress/lib/libcrypto/CA/root.cnf b/src/regress/lib/libcrypto/CA/root.cnf
index 506542e943..30a442f136 100644
--- a/src/regress/lib/libcrypto/CA/root.cnf
+++ b/src/regress/lib/libcrypto/CA/root.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: root.cnf,v 1.3 2020/12/26 00:48:56 bluhm Exp $
+# $OpenBSD: root.cnf,v 1.4 2022/03/14 21:30:48 tb Exp $
 # For regression tests
 
 default_ca = CA_regress
@@ -95,6 +95,22 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+nameConstraints = critical, @ca_name_constraints
+
+[ ca_name_constraints ]
+permitted;DNS.0 = .openbsd.org
+permitted;DNS.1 = client
+permitted;email.0 = openbsd.org
+permitted;email.1 = @test.openbsd.org
+permitted;URI.0 = .openbsd.org
+permitted;dirName.0 = openbsd_dn
+permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org
+excluded;IP.0 = 0.0.0.0/0.0.0.0
+excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+
+[ openbsd_dn ]
+C = CA
+O = OpenBSD
 
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
-- 
cgit v1.2.3-55-g6feb
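Review bot: The new `subjectAltName = critical, @usr_san` marks the SAN critical on a certificate whose subject is non-empty (the CSRs in this diff carry a CN); RFC 5280 §4.2.1.6 requires criticality only for an empty subject and says it SHOULD NOT be critical otherwise, so this fixture now also depends on the verifier tolerating a critical SAN rather than only on name-constraint checking. If that is intended, say so with `# critical SAN is deliberate: also exercises critical-extension handling`; otherwise `subjectAltName = @usr_san` keeps the test focused. Which section this lands in is inferred from the surrounding `clientAuth, emailProtection` lines, since the section header is outside the hunk. The address `evilsoandsos@test.openbsd.org` falls inside the root's `permitted;email.1 = @test.openbsd.org`, so despite its name it is an expected-pass case, and a comment on `email.0` should make that explicit.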
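Review bot: `permitted;otherName.0 = 1.3.6.1.4.1.311.20.2.3;UTF8:@openbsd.org` (a Microsoft UPN subtree) is not a name form RFC 5280 defines matching rules for, and if the LibreSSL verifier does not match otherName subtrees this entry exercises only encoding and decoding of the extension, not enforcement; a comment stating which of the two it is meant to test would stop a later reader from assuming UPN constraints are covered. Likewise `permitted;email.0 = openbsd.org` permits only mailboxes on the host openbsd.org and not on its subdomains (the leading-dot form does that), which is presumably why `email.1 = @test.openbsd.org` is listed separately. A one-line comment on the section, `# DNS/URI subtrees cover the domain, email.0 only the bare host; every IP address is excluded`, would make the intent readable without consulting the RFC. The `excluded;IP` entries with all-zero masks do exclude every IPv4 and IPv6 address as written.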