C2SP / x509-limbo

A suite of testvectors for X.509 certificate path validation and tools for building them
https://x509-limbo.com
Apache License 2.0

Test `rfc5280::nc::permitted-dn-match` puts SAN for example.com in the root cert #282

Closed randombit closed 3 months ago

randombit commented 4 months ago

Thanks for this useful test suite.

The test rfc5280::nc::permitted-dn-match does something that was quite surprising to me; it specifies that we should attempt a match against "example.com", and a SAN for "example.com" does exist - but in the root cert, not the leaf.

OpenSSL seems to agree that the SAN in a CA certificate does not apply to a leaf:

$ openssl verify -verify_hostname example.com -CAfile root.crt leaf.crt
CN=foo
error 62 at 0 depth lookup: hostname mismatch
error leaf.crt: verification failed

If there is some wording somewhere that the SAN in a CA certificate does apply also to all certificates that that CA issues, I would appreciate a reference. I don't see anything that suggests this in RFC 5280 for example.
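The same observation checked with Go's crypto/x509 as a second verifier, as an added example that is not part of the original issue or the x509-limbo project: it builds a constructed root whose SAN is example.com and a leaf with Subject CN=foo, then validates the leaf for example.com. The function names issue and VerifyForHost and the fixed test-key seeds are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl (1h validity) with signer, or self-signs it when parent is nil, and returns the parsed cert and its key.
func issue(seed byte, tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	key := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize)) // fixed test seed, never for real keys
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyForHost validates a constructed leaf (Subject CN=foo, SANs leafSANs) issued by a root whose own SAN is
// example.com, for hostname. A nil result means success; a hostname mismatch comes back as x509.HostnameError.
func VerifyForHost(hostname string, leafSANs []string) error {
	root, rootKey, err := issue(1, &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root"},
		DNSNames:     []string{"example.com"}, // the SAN the testcase put on the CA instead of the leaf
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return err
	}
	leaf, _, err := issue(2, &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "foo"},
		DNSNames:     leafSANs, // the only names hostname matching is allowed to consult
	}, root, rootKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}
```

With leafSANs empty the chain itself validates and only the hostname check fails, which is the same split OpenSSL reports above; passing example.com as a leaf SAN makes it succeed.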

woodruffw commented 4 months ago

Thanks for the report!

Yeah, I think this testcase is slightly wrong -- rfc5280::nc::permitted-dn-match is not supposed to be testing DNS SANs at all, but instead only testing DN SANs. The intended testcase is the following:

leaf (SAN: CN=foo) -> root (SAN: none, Subject: CN=foo, NC: Permitted: CN=foo)

(The corresponding DNS SAN test is rfc5280::nc::permitted-dns-match.)

I'll attempt to fix this later today!

woodruffw commented 3 months ago

Fixed with #287, thanks again!