forked from C2SP/x509-limbo
Context
CABF Baseline Requirements Sections 7.1.2.7.6 and 7.1.2.7.10 specify mandatory Extended Key Usage (EKU) requirements for subscriber (end-entity) TLS certificates:
- MUST contain id-kp-serverAuth (1.3.6.1.5.5.7.3.1)
- MUST NOT contain the precertificate OID 1.3.6.1.4.1.11129.2.4.4
- May contain other key purposes, but serverAuth is mandatory for TLS
Violations can allow unauthorized certificate usage or inclusion of invalid OIDs in production certificates.
Why this matters:
- CABF compliance for publicly-trusted TLS certificates
- Prevents certificates without serverAuth from being accepted for TLS
- Blocks precertificate OIDs from appearing in final certificates
- Security: ensures certificates are explicitly authorized for server authentication
Test Case Description
Create test subscriber certificates with various EKU violations:
Missing serverAuth:
- EKU present but missing id-kp-serverAuth (e.g., only clientAuth) (should REJECT)
- No EKU extension (should REJECT for CABF-compliant validators)
Forbidden OIDs:
- EKU contains the precertificate OID 1.3.6.1.4.1.11129.2.4.4 (should REJECT)
- EKU contains both serverAuth and the precertificate OID (should REJECT)
Valid Cases (for comparison):
- EKU contains only serverAuth (should ACCEPT)
- EKU contains serverAuth plus other valid purposes like clientAuth (should ACCEPT)
Expected validation results: REJECT for missing serverAuth or forbidden OIDs, ACCEPT for valid combinations
Implementation Requirements
Certificate Builder Modifications:
- Add ability to create certificates without EKU extension
- Add ability to create certificates with custom EKU combinations
- Support inclusion of precertificate OID (1.3.6.1.4.1.11129.2.4.4)
Test Harness:
- Test cases should fail validation with error indicating EKU violation
- Valid cases should pass for CABF-compliant validators
Test Case Examples:
- cabf::subscriber-eku-missing-serverauth
- cabf::subscriber-eku-no-extension
- cabf::subscriber-eku-precert-oid
- cabf::subscriber-eku-precert-with-serverauth
- cabf::subscriber-eku-only-clientauth
References
- CABF Baseline Requirements Section 7.1.2.7.6: Subscriber Certificate EKU
- CABF Baseline Requirements Section 7.1.2.7.10: Subscriber Certificate Additional Requirements
- RFC 5280 Section 4.2.1.12: Extended Key Usage
- RFC 6962: Certificate Transparency (precertificate OID definition)
Acceptance Criteria
- Test cases created for missing serverAuth scenarios
- Test cases created for forbidden precertificate OID
- Test cases validate against x509-limbo schema
- Test cases produce expected results in at least one CABF-compliant harness
- Valid EKU combinations tested as positive controls
- Documentation updated to describe test cases