Closed randombit closed 3 months ago
Thanks for the report!
Yeah, I think this testcase is slightly wrong -- rfc5280::nc::permitted-dn-match is not supposed to be testing DNS SANs at all, but instead only testing DN SANs. The intended testcase is the following:
leaf (SAN: CN=foo) -> root (SAN: none, Subject: CN=foo, NC: Permitted: CN=foo)
(The corresponding DNS SAN test is rfc5280::nc::permitted-dns-match.)
I'll attempt to fix this later today!
Fixed with #287, thanks again!
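To make the intended DN testcase concrete, here is an added example (not code from x509-limbo or from either commenter) that implements the RFC 5280 section 4.2.1.10 directoryName subtree check in plain Python. The DN representation, function names and the extra negative cases are assumptions of this example; dNSName SANs are deliberately left out, since they are matched by a different rule.

```python
# directoryName name-constraint matching as described in RFC 5280 s4.2.1.10.
# Representation (assumed for this example): a DN is a tuple of RDNs, and each
# RDN is a frozenset of (attribute, value) pairs, so RDN order is preserved.
from typing import Iterable, Optional, Sequence, Tuple

DN = Tuple[frozenset, ...]


def dn(*rdns: Tuple[str, str]) -> DN:
    """Build a single-valued-RDN DN, e.g. dn(("C", "US"), ("CN", "foo"))."""
    return tuple(frozenset([rdn]) for rdn in rdns)


def in_subtree(name: DN, subtree: DN) -> bool:
    """X.501 subtree match: the subtree DN must be an RDN-by-RDN prefix of name."""
    return len(subtree) <= len(name) and name[: len(subtree)] == subtree


def check_dn_constraints(subject: DN, san_dirnames: Iterable[DN],
                         permitted: Sequence[DN], excluded: Sequence[DN]) -> Optional[str]:
    """Apply a CA's directoryName constraints to an issued certificate.

    Per RFC 5280 the constraint is checked against the issued cert's subject
    (when non-empty) and every directoryName in its subjectAltName. The CA's
    own names are not checked here: constraints bind what the CA issues.
    Returns None when all names are acceptable, otherwise a reason string.
    """
    names = ([subject] if subject else []) + list(san_dirnames)
    for name in names:
        if any(in_subtree(name, ex) for ex in excluded):
            return f"{name!r} lies in an excluded subtree"
        if permitted and not any(in_subtree(name, p) for p in permitted):
            return f"{name!r} lies in no permitted subtree"
    return None


# The intended testcase from the thread:
#   leaf (SAN: CN=foo) -> root (SAN: none, Subject: CN=foo, NC: Permitted: CN=foo)
ROOT_PERMITTED = [dn(("CN", "foo"))]


def intended_testcase_passes() -> bool:
    """Leaf with an empty subject and a directoryName SAN of CN=foo is accepted."""
    leaf_san = [dn(("CN", "foo"))]
    return check_dn_constraints((), leaf_san, ROOT_PERMITTED, []) is None


def mismatched_leaf_rejected() -> bool:
    """A leaf whose directoryName SAN is CN=bar falls outside the permitted subtree."""
    leaf_san = [dn(("CN", "bar"))]
    return check_dn_constraints((), leaf_san, ROOT_PERMITTED, []) is not None
```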
Thanks for this useful test suite.
The test rfc5280::nc::permitted-dn-match does something that was quite surprising to me; it specifies that we should attempt a match against "example.com", and a SAN for "example.com" does exist - but in the root cert, not the leaf. OpenSSL seems to agree that the SAN in a CA certificate does not apply to a leaf.
If there is some wording somewhere that the SAN in a CA certificate does apply also to all certificates that that CA issues, I would appreciate a reference. I don't see anything that suggests this in RFC 5280 for example.