]> git.ipfire.org Git - thirdparty/curl.git/commitdiff
projects / thirdparty / curl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b538487)
tests: test mtls also w/ clientAuth EKU only
authorYedaya Katsman <yedaya.ka@gmail.com>
Fri, 30 May 2025 15:59:14 +0000 (18:59 +0300)
committerDaniel Stenberg <daniel@haxx.se>
Sat, 31 May 2025 13:20:25 +0000 (15:20 +0200)
The google chrome root program will stop allowing roots that have both
clientAuth and ServerAuth [1].

In one of the mtls tests, use a certificate with only the clientAuth
EKU.

[1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store

Closes #17493

tests/certs/Makefile.inc patch | blob | blame | history
tests/certs/test-client-eku-only.prm [new file with mode: 0644] patch | blob
tests/data/test2088 patch | blob | blame | history

diff --git a/tests/certs/Makefile.inc b/tests/certs/Makefile.inc
index e2ecb1924b4a6bae520a43d2eddfeb25005879d9..cc9514c20681af3c1ffa20d2103b3e96782f908d 100644 (file)
--- a/tests/certs/Makefile.inc
+++ b/tests/certs/Makefile.inc
@@ -31,7 +31,8 @@ CERTCONFIGS = \
   test-localhost0h.prm \
   test-localhost-san-first.prm \
   test-localhost-san-last.prm \
-  test-client-cert.prm
+  test-client-cert.prm \
+  test-client-eku-only.prm
 
 GENERATEDCERTS = \
   test-ca.cacert \
diff --git a/tests/certs/test-client-eku-only.prm b/tests/certs/test-client-eku-only.prm
new file mode 100644 (file)
index 0000000..c4e61ee
--- /dev/null
+++ b/tests/certs/test-client-eku-only.prm
@@ -0,0 +1,34 @@
+extensions = x509v3
+
+[ x509v3 ]
+subjectAltName          = DNS:localhost
+keyUsage                = keyEncipherment,digitalSignature,keyAgreement
+extendedKeyUsage        = clientAuth
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid
+basicConstraints        = CA:false
+authorityInfoAccess     = @issuer_info
+crlDistributionPoints   = @crl_info
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+authorityInfoAccess     = @issuer_info
+
+[ issuer_info ]
+caIssuers;URI.0         = http://test.curl.se/ca/EdelCurlRoot.cer
+
+[ crl_info ]
+URI.0                   = http://test.curl.se/ca/EdelCurlRoot.crl
+
+[ req ]
+distinguished_name      = req_DN
+default_md              = sha256
+string_mask             = utf8only
+
+[ req_DN ]
+countryName             = "Country Name is Northern Nowhere"
+countryName_value       = NN
+organizationName        = "Organization Name"
+organizationName_value  = Edel Curl Arctic Illudium Research Cloud
+commonName              = "Common Name"
+commonName_value        = localhost
diff --git a/tests/data/test2088 b/tests/data/test2088
index 9a584fd63f50f7cbcc402f0215c78239657994f9..485b4297fdadb68cd50051eedeaa4dac2e8daf4d 100644 (file)
--- a/tests/data/test2088
+++ b/tests/data/test2088
@@ -37,7 +37,7 @@ https-mtls
 HTTPS GET with client authentication (mtls)
 </name>
 <command>
---cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-cert.crt --key %CERTDIR/certs/test-client-cert.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
+--cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-eku-only.crt --key %CERTDIR/certs/test-client-eku-only.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
 </command>
 </client>
 
Mirror of https://github.com/curl/curl.git