forked from C2SP/x509-limbo
Open
Description
Context
CABF Baseline Requirements Section 7.1.2.10.6 specifies Extended Key Usage (EKU) requirements for CA certificates that parallel the subscriber certificate requirements:
- MUST contain id-kp-serverAuth if the CA will issue TLS server certificates
- MUST NOT contain the Precertificate Signing Certificate EKU OID 1.3.6.1.4.1.11129.2.4.4 (RFC 6962, Section 3.1)
- If an EKU extension is present, it restricts what types of certificates the CA can issue (RFC 5280 does not define this nesting, but validators such as Go's crypto/x509 enforce it through every CA in the chain)
Why this matters:
- CABF compliance for publicly-trusted CA certificates
- Prevents CAs without proper authorization from issuing TLS certificates
- Blocks precertificate OIDs from appearing in CA certificates
- Enforces proper certificate hierarchy constraints
Test Case Description
Create test CA certificates with various EKU violations:
Missing serverAuth:
- CA cert with EKU but missing id-kp-serverAuth attempting to issue TLS certs (should REJECT)
- CA cert with EKU containing only clientAuth attempting to issue serverAuth certs (should REJECT)
Forbidden OIDs:
- CA cert with the precertificate signing OID 1.3.6.1.4.1.11129.2.4.4 (should REJECT)
- CA cert with both serverAuth and the precert OID (should REJECT)
EKU Constraint Violations:
- CA cert without EKU issuing subscriber cert with serverAuth (should ACCEPT - unrestricted)
- CA cert with serverAuth EKU issuing subscriber cert with serverAuth (should ACCEPT)
- CA cert with clientAuth EKU only issuing subscriber cert with serverAuth (should REJECT - EKU violation)
Expected validation results: REJECT for missing required serverAuth, forbidden OIDs, or EKU constraint violations
Implementation Requirements
Certificate Builder Modifications:
- Add ability to create CA certificates with various EKU combinations
- Support certificate chains where CA EKU restricts issued certificate types
- Support inclusion of precertificate OID in CA certificates
Test Harness:
- Rejected test cases should fail validation with an error indicating a CA EKU violation
- Test chain validation where CA EKU doesn't permit issued certificate's EKU
Test Case Examples:
- cabf::ca-eku-missing-serverauth
- cabf::ca-eku-precert-oid
- cabf::ca-eku-constraint-violation
- cabf::ca-eku-only-clientauth-issues-serverauth
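As an added, self-contained example (not x509-limbo's builder or any harness's code), the following Go program builds the chains described in the Test Case Description and Implementation Requirements above with crypto/x509 and checks each one two ways: a per-CA profile check implementing the issue's rule (serverAuth required when an EKU is present, precert signing OID forbidden) and crypto/x509's own chain verification, which enforces EKU chaining through every CA. The scenario names, the must/issue/checkCAEKU/run helpers and the split between a `profile` and a `chain` result are this example's own assumptions; the test-case IDs are modelled on the names in the issue, not taken from x509-limbo. It also shows what the harness requirement implies: a generic validator accepts a CA carrying the precert signing OID alongside serverAuth, so the harness needs the explicit OID check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Precertificate Signing Certificate EKU (RFC 6962 section 3.1); the issue says it MUST NOT appear in a CA.
var precertSigningOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
var serverAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}

type ekuSpec struct { // EKU extension to put in a generated cert; a nil *ekuSpec means no EKU extension (unrestricted per the issue)
	usages  []x509.ExtKeyUsage      // EKUs crypto/x509 knows by name
	unknown []asn1.ObjectIdentifier // raw OIDs such as the precert signing OID
}

// Intermediate-CA EKU per scenario. Keys are hypothetical IDs modelled on the issue's names, not x509-limbo's.
var scenarios = map[string]*ekuSpec{
	"ca-no-eku":                                      nil,
	"ca-eku-serverauth":                              {usages: serverAuth},
	"cabf::ca-eku-missing-serverauth":                {usages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}},
	"cabf::ca-eku-only-clientauth-issues-serverauth": {usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	"cabf::ca-eku-precert-oid":                       {usages: serverAuth, unknown: []asn1.ObjectIdentifier{precertSigningOID}},
}

// must panics on error: this is fixture code, and key generation or DER encoding failing means a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds and signs one certificate with a fresh P-256 key; parent == nil makes it self-signed (the root).
// Only the extensions the issue is about are set (no KeyUsage), which crypto/x509 verification does not require.
func issue(cn string, isCA bool, eku *ekuSpec, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if eku != nil {
		tmpl.ExtKeyUsage, tmpl.UnknownExtKeyUsage = eku.usages, eku.unknown
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// checkCAEKU is the issue's per-CA rule (BR 7.1.2.10.6) for a CA that issues TLS server certificates:
// the precert signing OID is forbidden, and an EKU that is present must include id-kp-serverAuth.
func checkCAEKU(ca *x509.Certificate) error {
	for _, oid := range ca.UnknownExtKeyUsage {
		if oid.Equal(precertSigningOID) {
			return fmt.Errorf("CA EKU contains the Precertificate Signing OID %v", oid)
		}
	}
	if len(ca.ExtKeyUsage)+len(ca.UnknownExtKeyUsage) == 0 || slices.Contains(ca.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
		return nil // no EKU extension at all (unrestricted), or serverAuth is present
	}
	return fmt.Errorf("CA EKU is present but lacks id-kp-serverAuth")
}

// run builds root -> intermediate (scenario EKU) -> serverAuth leaf. profile is checkCAEKU over both CAs (the
// rule this issue adds); chain is crypto/x509 path validation for id-kp-serverAuth, which enforces EKU chaining itself.
func run(name string) (profile, chain error) {
	spec, ok := scenarios[name]
	if !ok {
		panic("unknown scenario " + name)
	}
	root, rootKey := issue("Test Root", true, nil, nil, nil)
	inter, interKey := issue("Test Intermediate", true, spec, root, rootKey)
	leaf, _ := issue("example.com", false, &ekuSpec{usages: serverAuth}, inter, interKey)
	if profile = checkCAEKU(inter); profile == nil {
		profile = checkCAEKU(root)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, chain = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: serverAuth})
	return profile, chain
}

func main() {
	for name := range scenarios {
		profile, chain := run(name)
		fmt.Printf("%-48s reject=%-5v profile=%v chain=%v\n", name, profile != nil || chain != nil, profile, chain)
	}
}
```

Run it with `go run` (Go 1.21 or later, for generics and the slices package); each scenario prints whether it is rejected and by which check. The clientAuth-only and emailProtection-only intermediates are rejected by both checks, the CA without an EKU and the serverAuth CA are accepted by both, and the precert-OID CA is rejected only by the profile check, which is why the issue asks for it in the harness rather than relying on chain validation alone.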
References
- CABF Baseline Requirements Section 7.1.2.10.6: CA Certificate EKU
- RFC 5280 Section 4.2.1.12: Extended Key Usage
- RFC 6962, Section 3.1: Certificate Transparency (Precertificate Signing Certificate EKU OID definition)
Acceptance Criteria
- Test cases created for CA missing serverAuth scenarios
- Test cases created for forbidden precertificate OID in CA certs
- Test cases created for EKU constraint violations in certificate chains
- Test cases validate against x509-limbo schema
- Test cases produce expected results in at least one CABF-compliant harness
- Documentation updated to describe test cases