author | Matt Caswell <matt@openssl.org> | 2021-12-03 15:28:31 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-12-14 14:28:45 +0000 |
commit | f4bb498a5196f470ea6748f09b6c8b0c0326321c (patch) | |
tree | 48bc187d6ef3db4ae856c95b1eae05891483fca6 /test | |
parent | 26ac3f630a4be31deb4d4dee7f988fe3dabbe887 (diff) |
Add a test case for the name constraints bug
Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, an OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/25-test_verify.t | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index bcd823bcfb..700bbd849c 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 159; +plan tests => 160; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -337,6 +337,9 @@ ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs permitted"); +ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs permitted - no SAN extension"); + ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), "Name Constraints CNs not permitted"); |
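Review bot: In the second hunk (@@ -337,6 +337,9 @@), the new `verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], )` case depends on a goodcn2-cert fixture, but the diffstat for test/ lists only 25-test_verify.t, so the certificate is not added by the change as shown here. Make sure the fixture lands with or before this commit; otherwise the case fails because the file is missing, not because of the name constraints check it is meant to exercise. A short comment above the case naming CVE-2021-4044 would also help, since the description string "Name Constraints CNs permitted - no SAN extension" does not say this is a regression test for the internal-error path. The `plan tests => 160` bump in the first hunk matches the single added `ok`.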