Add test for a cert signed by a non-CA certificate that's otherwise trustworthy.

chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.

https://badssl.com

Apache License 2.0

2.83k stars 191 forks source link

Add test for a cert signed by a non-CA certificate that's otherwise trustworthy. #461

Open flarn2006 opened 3 years ago

flarn2006 commented 3 years ago

That is, the hierarchy would be something like:

DigiCert Global Root CA (trusted root)
|- DigiCert SHA2 Secure Server CA (valid subordinate CA)
   |- *.badssl.com (valid certificate, not a CA)
       |- constraint-fail.badssl.com (would be valid, except *.badssl.com is not a CA)

You could also add a second version of the test where the third entry (the subordinate CA that isn't actually a CA) is for an entirely different domain, to be more comprehensive.

lgarron commented 3 years ago

This is a neat idea!

flarn2006 commented 3 years ago

Thanks! There's a known case of a failure to check that flag as well; thankfully it seems to only have had positive effects—see KaeruTeam/nds-constraint.