New commits:
commit bdc60e9956b8629a9062358d987e8be3d4f39a1e
Merge: 3dc715fb24 3e52428f80
Author: Andrew Cagney <[email protected]>
Date:   Sun Mar 9 11:31:58 2025 -0400

    testing x509: add NSS certs playing with basic constraints
    
    close #2079 add intermediate with broken BC
    
    Merge commit '3e52428f80d6eb0a4d37e6cc0d51c481b7c7a9c2'

commit 3e52428f80d6eb0a4d37e6cc0d51c481b7c7a9c2
Author: Andrew Cagney <[email protected]>
Date:   Sat Mar 8 21:25:56 2025 -0500

    testing x509: add x509-profile-03-basic-constraints
    
    This tries to test:
    
    5.1.3.9.  BasicConstraints
    
       The PKIX certificate profile mandates that CA certificates contain
       this extension and that it be marked critical.  IKE implementations
       SHOULD reject CA certificates that do not contain this extension.
       For backwards compatibility, implementations may accept such
       certificates if explicitly configured to do so, but the default for
       this setting MUST be to reject such certificates.
    
    Which I find vague, so is interpreted as:
    
    - Basic Constraints don't matter on end certs, so anything like:
    
        west-bc-missing
        west-bc-n
        west-bc-n-critical
        west-bc-y-critical
    
      works
    
    - Intermediate and Root Certs need bc=ca=y
    
      (but since NSS supports basic constraints, critical doesn't matter)
    
      A cert chain is tested where the intermediate has no BC:
    
        west-bc-missing-chain-int
        west-bc-missing-chain-end
    
      and it should fail.

commit 2618dfdb8735f16766ed31b0e5d147c65b334a1c
Author: Andrew Cagney <[email protected]>
Date:   Sat Mar 8 21:26:17 2025 -0500

    testing x509: generate BC certs using NSS
    
    west-bc-missing
    west-bc-ca-n
    west-bc-ca-n-critical
    west-bc-ca-y-critical
    west-bc-missing-chain-end (signed by west-bc-missing-chain-int)

commit 49451c0f02b1835a64d92dde22b9b09ef0b58870
Author: Andrew Cagney <[email protected]>
Date:   Sat Mar 8 20:43:30 2025 -0500

    testing x509: drop is-not-CA basic constraint from end certs
    
    It isn't needed.
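
The interpretation in commit 3e52428f80 above, sketched as an added example; it is not libreswan or NSS code. The `Cert` model, the `allow_ca_without_bc` switch, the root's name and the DER bytes are constructed for illustration; only the west-bc-* names come from the commit messages.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:                      # hypothetical model, not an NSS structure
    name: str
    bc_der: Optional[bytes]      # BasicConstraints extnValue; None if extension is absent
    bc_critical: bool = False    # recorded but ignored, per the commit's interpretation

def parse_basic_constraints(der: bytes) -> tuple[bool, Optional[int]]:
    """Decode SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    body, ca, path_len = der[2:], False, None
    if body[:2] == b"\x01\x01" and len(body) >= 3:       # BOOLEAN of length 1
        ca, body = body[2] != 0x00, body[3:]
    if body[:1] == b"\x02" and len(body) >= 2 and len(body) >= 2 + body[1]:
        n = body[1]                                      # INTEGER length
        path_len, body = int.from_bytes(body[2:2 + n], "big"), body[2 + n:]
    if body:
        raise ValueError("unexpected trailing data in BasicConstraints")
    return ca, path_len

def check_chain(chain: list, allow_ca_without_bc: bool = False) -> list:
    """chain[0] is the end cert, then intermediates, then the root.
    Returns the reasons for rejection; an empty list means the chain passes."""
    errors = []
    for cert in chain[1:]:                # the end cert's BC is deliberately not checked
        if cert.bc_der is None:
            if not allow_ca_without_bc:   # RFC text: the default MUST be to reject
                errors.append(f"{cert.name}: CA cert has no BasicConstraints")
            continue
        ca, _path_len = parse_basic_constraints(cert.bc_der)   # pathLen not enforced here
        if not ca:
            errors.append(f"{cert.name}: BasicConstraints present but cA is not TRUE")
    return errors

# Constructed sample data.
BC_CA_Y = bytes.fromhex("30030101ff")     # cA=TRUE
BC_CA_N = bytes.fromhex("3000")           # cA defaults to FALSE
ROOT = Cert("root-ca (constructed)", BC_CA_Y, True)
END_CERTS = [Cert("west-bc-missing", None), Cert("west-bc-ca-n", BC_CA_N),
             Cert("west-bc-ca-n-critical", BC_CA_N, True),
             Cert("west-bc-ca-y-critical", BC_CA_Y, True)]
BROKEN_CHAIN = [Cert("west-bc-missing-chain-end", None),
                Cert("west-bc-missing-chain-int", None), ROOT]

if __name__ == "__main__":
    for end in END_CERTS:
        print(end.name, check_chain([end, ROOT]) or "accepted")
    print("broken chain:", check_chain(BROKEN_CHAIN))
```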

_______________________________________________
Swan-commit mailing list -- [email protected]