From: Yedaya Katsman Date: Fri, 30 May 2025 15:59:14 +0000 (+0300) Subject: tests: test mtls also w/ clientAuth EKU only X-Git-Tag: curl-8_14_1~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2cf19c245eff8ff84e53d6edc27d36bf25439d1b;p=thirdparty%2Fcurl.git tests: test mtls also w/ clientAuth EKU only The google chrome root program will stop allowing roots that have both clientAuth and ServerAuth [1]. In one of the mtls tests, use a certificate with only the clientAuth EKU. [1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store Closes #17493
---
diff --git a/tests/certs/Makefile.inc b/tests/certs/Makefile.inc
index e2ecb1924b..cc9514c206 100644
--- a/tests/certs/Makefile.inc
+++ b/tests/certs/Makefile.inc
@@ -31,7 +31,8 @@ CERTCONFIGS = \
 test-localhost0h.prm \
 test-localhost-san-first.prm \
 test-localhost-san-last.prm \
- test-client-cert.prm
+ test-client-cert.prm \
+ test-client-eku-only.prm

 GENERATEDCERTS = \
 test-ca.cacert \
diff --git a/tests/certs/test-client-eku-only.prm b/tests/certs/test-client-eku-only.prm
new file mode 100644
index 0000000000..c4e61eec46
--- /dev/null
+++ b/tests/certs/test-client-eku-only.prm
@@ -0,0 +1,34 @@
+extensions = x509v3
+
+[ x509v3 ]
+subjectAltName = DNS:localhost
+keyUsage = keyEncipherment,digitalSignature,keyAgreement
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+basicConstraints = CA:false
+authorityInfoAccess = @issuer_info
+crlDistributionPoints = @crl_info
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+authorityInfoAccess = @issuer_info
+
+[ issuer_info ]
+caIssuers;URI.0 = http://test.curl.se/ca/EdelCurlRoot.cer
+
+[ crl_info ]
+URI.0 = http://test.curl.se/ca/EdelCurlRoot.crl
+
+[ req ]
+distinguished_name = req_DN
+default_md = sha256
+string_mask = utf8only
+
+[ req_DN ]
+countryName = "Country Name is Northern Nowhere"
+countryName_value = NN
+organizationName = "Organization Name"
+organizationName_value = Edel Curl Arctic Illudium Research Cloud
+commonName = "Common Name"
+commonName_value = localhost
diff --git a/tests/data/test2088 b/tests/data/test2088
index 9a584fd63f..485b4297fd 100644
--- a/tests/data/test2088
+++ b/tests/data/test2088
@@ -37,7 +37,7 @@ https-mtls HTTPS GET with client authentication (mtls)
---cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-cert.crt --key %CERTDIR/certs/test-client-cert.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
+--cacert %CERTDIR/certs/test-ca.crt --cert %CERTDIR/certs/test-client-eku-only.crt --key %CERTDIR/certs/test-client-eku-only.key https://localhost:%HTTPS-MTLSPORT/%TESTNUMBER
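Review bot: The new test-client-eku-only.prm has no comment saying that the single `extendedKeyUsage = clientAuth` line is the reason this certificate exists, and with `subjectAltName = DNS:localhost` and `commonName_value = localhost` kept it reads like a copy of a server-style template. A header comment such as `# Client certificate carrying only the clientAuth EKU (no serverAuth); used by test2088` would keep a later edit from widening the EKU again without noticing. Separately, `keyUsage` still lists `keyEncipherment` and `keyAgreement`; TLS client authentication signs with the key, so `digitalSignature` alone would presumably be enough and would make the fixture closer to a client-only certificate. That should be confirmed against the test server before narrowing it.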
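Review bot: The `--cert`/`--key` swap replaces `test-client-cert` in test 2088 rather than adding a second case, so this test no longer exercises the previous client certificate. The commit message says only one of the mtls tests changes, which suggests other tests still cover the old certificate, but that is not visible in this hunk. The test name, "HTTPS GET with client authentication (mtls)", appears unchanged, so nothing in the test records that the clientAuth-only EKU is what is being checked; consider extending it, e.g. `HTTPS GET with client authentication (mtls), clientAuth-only EKU`. Most of this hunk's context lines appear to have been lost in extraction, so the surrounding test sections cannot be reviewed here.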