openssl/test/certs
Viktor Dukhovni d02d80b2e8 Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:13 -04:00
..
alt1-cert.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
alt1-key.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
alt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
alt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
bad-pc3-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc3-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc4-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad-pc6-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
bad.key
bad.pem
badalt1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt4-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt5-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt6-cert.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
badalt6-key.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
badalt7-cert.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
badalt7-key.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
badalt8-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt8-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt9-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badalt10-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
badcn1-cert.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
badcn1-key.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
ca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca-cert2.pem
ca-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-768i.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-md5-any.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-cert.pem
ca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca-expired.pem
ca-key2.pem
ca-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ca-key.pem
ca-name2.pem
ca-nonbc.pem Require intermediate CAs to have basicConstraints CA:true. 2016-03-29 20:54:34 -04:00
ca-nonca.pem
ca-root2.pem
ca-serverAuth.pem
ca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
ca+clientAuth.pem
ca+serverAuth.pem
cca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cca+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
client-ed448-cert.pem Update tests for TLS Ed448 2018-03-05 11:39:44 +00:00
client-ed448-key.pem Update tests for TLS Ed448 2018-03-05 11:39:44 +00:00
client-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
client-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
croot-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
croot+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
cyrillic_crl.pem Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
cyrillic_crl.utf8 Modify expected output of a CRL to match the changed printout 2017-11-16 01:19:55 +01:00
cyrillic.msb Modify expected output of a certificate to match the changed printout 2017-11-16 01:19:31 +01:00
cyrillic.pem Add test for -nameout output 2017-03-14 15:18:07 -04:00
cyrillic.utf8 Modify expected output of a certificate to match the changed printout 2017-11-16 01:19:31 +01:00
dhp2048.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
ee-cert2.pem
ee-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert-768i.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-cert.pem
ee-client-chain.pem Update client authentication tests 2016-06-03 11:59:46 +02:00
ee-client.pem
ee-clientAuth.pem
ee-ecdsa-client-chain.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ecdsa-key.pem Add ECDSA client certificates 2017-02-16 16:43:44 +00:00
ee-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
ee-expired.pem
ee-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
ee-key.pem
ee-name2.pem
ee-pss-sha1-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-pss-sha256-cert.pem Add certificates with PSS signatures 2017-04-25 22:12:34 +01:00
ee-serverAuth.pem
ee+clientAuth.pem
ee+serverAuth.pem
embeddedSCTs1_issuer.pem CT policy validation 2016-03-01 20:03:25 +00:00
embeddedSCTs1-key.pem Add SSL tests for certificates with embedded SCTs 2017-04-12 19:08:57 +02:00
embeddedSCTs1.pem Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs1.sct Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs3_issuer.pem CT policy validation 2016-03-01 20:03:25 +00:00
embeddedSCTs3.pem Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
embeddedSCTs3.sct Tests for parsing and printing certificates containing SCTs 2016-02-25 13:59:11 -05:00
goodcn1-cert.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
goodcn1-key.pem Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
interCA.key
interCA.pem
leaf.key
leaf.pem
many-constraints.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
many-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
mkcert.sh Update copyright year 2018-03-20 13:08:46 +00:00
nca+anyEKU.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
nca+serverAuth.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
ncca1-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca1-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca2-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca3-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca-cert.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
ncca-key.pem Extend mkcert.sh to support nameConstraints generation and more complex 2016-07-11 23:30:04 +01:00
nroot+anyEKU.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
nroot+serverAuth.pem Add tests for non-ca trusted roots and intermediates 2016-01-31 21:24:16 -05:00
p256-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p256-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-root.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-cert.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
p384-server-key.pem Add P-384 root and P-384, P-256 EE certificates. 2017-02-24 23:30:49 +00:00
pathlen.pem Add some accessor API's 2016-06-08 11:37:06 -04:00
pc1-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc1-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc2-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-cert.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
pc5-key.pem Create some proxy certificates 2016-06-20 21:34:37 +02:00
root2-serverAuth.pem
root2+clientAuth.pem
root2+serverAuth.pem
root-anyEKU.pem
root-cert2.pem
root-cert-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-cert-md5.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-cert.pem
root-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
root-ed25519.pem Add Ed25519 verify test. 2017-05-30 20:38:20 +01:00
root-key2.pem
root-key-768.pem Move peer chain security checks into x509_vfy.c 2016-04-03 11:35:35 -04:00
root-key.pem
root-name2.pem
root-nonca.pem
root-noserver.pem
root-serverAuth.pem
root+anyEKU.pem
root+clientAuth.pem
root+serverAuth.pem
rootCA.key
rootCA.pem
rootcert.pem
rootkey.pem
roots.pem
sca-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sca+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
server-cecdsa-cert.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-cecdsa-key.pem EC certificate with compression point 2017-02-24 23:52:22 +00:00
server-dsa-cert.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-dsa-key.pem Add DH parameters, DSA cert and key 2017-02-17 16:33:12 +00:00
server-ecdsa-cert.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ecdsa-key.pem add ECDSA test server certificate 2017-01-15 00:23:33 +00:00
server-ed448-cert.pem Update tests for TLS Ed448 2018-03-05 11:39:44 +00:00
server-ed448-key.pem Update tests for TLS Ed448 2018-03-05 11:39:44 +00:00
server-ed25519-cert.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-ed25519-key.pem Add Ed25519 EE certificates 2017-06-21 14:11:01 +01:00
server-pss-cert.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-pss-key.pem Add RSA-PSS test certificates 2017-09-20 12:50:23 +01:00
server-trusted.pem
servercert.pem
serverkey.pem
setup.sh Limit scope of CN name constraints 2018-05-23 11:12:13 -04:00
some-names1.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names2.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
some-names3.pem Guard against DoS in name constraints handling. 2017-09-22 22:00:55 +02:00
sroot-anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-cert.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot-serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot+anyEKU.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot+clientAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
sroot+serverAuth.pem Compat self-signed trust with reject-only aux data 2016-01-31 21:24:12 -05:00
subinterCA-ss.pem
subinterCA.key
subinterCA.pem
untrusted.pem
wrongcert.pem
wrongkey.pem
x509-check-key.pem Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00
x509-check.csr Add test cases for X509_check_private_key 2017-06-06 17:50:06 +01:00