Add CLIENT_AUTH_STRICT_LEAF and SERVER_AUTH_STRICT_LEAF, which
apply the STRICT requirements to the leaf certificate and the
non-STRICT requirements to the rest of the chain.

Bug: 721
Change-Id: Ieec5940c0ab40aa7ea9e8fe192e5734326b976c3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67787
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/gen/sources.cmake b/gen/sources.cmake
index 927363d..6c8b176 100644
--- a/gen/sources.cmake
+++ b/gen/sources.cmake
@@ -2150,14 +2150,18 @@
   pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test
+  pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test
+  pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem
@@ -2371,8 +2375,10 @@
   pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test
+  pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test
@@ -2383,12 +2389,15 @@
   pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test
+  pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test
   pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test
@@ -2411,6 +2420,7 @@
   pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test
   pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem
   pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test
+  pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
   pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test
   pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem
   pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test
diff --git a/gen/sources.json b/gen/sources.json
index 1fe6517..77b1343 100644
--- a/gen/sources.json
+++ b/gen/sources.json
@@ -2091,14 +2091,18 @@
       "pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem",
@@ -2312,8 +2316,10 @@
       "pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test",
+      "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test",
@@ -2324,12 +2330,15 @@
       "pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test",
+      "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test",
       "pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test",
@@ -2352,6 +2361,7 @@
       "pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test",
       "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem",
       "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test",
+      "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test",
       "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test",
       "pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem",
       "pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test",
diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc
index 490fba5..0615008 100644
--- a/pki/test_helpers.cc
+++ b/pki/test_helpers.cc
@@ -305,6 +305,10 @@
         test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT;
       } else if (value == "CLIENT_AUTH_STRICT") {
         test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT;
+      } else if (value == "SERVER_AUTH_STRICT_LEAF") {
+        test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT_LEAF;
+      } else if (value == "CLIENT_AUTH_STRICT_LEAF") {
+        test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT_LEAF;
       } else {
         ADD_FAILURE() << "Unrecognized key_purpose: " << value;
         return false;
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
new file mode 100644
index 0000000..267df5c
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
new file mode 100644
index 0000000..47b307a
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage
+
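Review bot: The expected warning for Certificate i=1 spells `anyExtendeKeyUsage` (missing `d`), while the client-auth counterpart in target-eku-any/clientauth-strict-leaf.test spells `anyExtendedKeyUsage`. The expectation presumably mirrors the message string emitted by the library, which is outside this diff, so the correction belongs in that string with the affected .test files regenerated. The same spelling appears in target-eku-any/serverauth-strict-leaf.test.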
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
new file mode 100644
index 0000000..267df5c
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
new file mode 100644
index 0000000..64393a3
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+ERROR: The extended key usage does not include server auth
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
new file mode 100644
index 0000000..f32749d
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: The extended key usage does not include client auth but instead includes anyExtendedKeyUsage
+ERROR: The extended key usage does not include client auth
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
new file mode 100644
index 0000000..1c13dcb
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage
+ERROR: The extended key usage does not include server auth
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
new file mode 100644
index 0000000..87253df
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+ERROR: The extended key usage includes code signing which is not permitted for this use
+ERROR: The extended key usage includes OCSP signing which is not permitted for this use
+ERROR: The extended key usage includes time stamping which is not permitted for this use
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
new file mode 100644
index 0000000..b1cff00
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+ERROR: The extended key usage includes code signing which is not permitted for this use
+ERROR: The extended key usage includes OCSP signing which is not permitted for this use
+ERROR: The extended key usage includes time stamping which is not permitted for this use
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
new file mode 100644
index 0000000..ef15a68
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: CLIENT_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: Certificate does not have extended key usage
+ERROR: The extended key usage does not include client auth
+
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
new file mode 100644
index 0000000..f4c98ae
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
@@ -0,0 +1,10 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH_STRICT_LEAF
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+WARNING: Certificate does not have extended key usage
+ERROR: The extended key usage does not include server auth
+ERROR: Certificate has Basic Constraints indicating it is a CA when it should not be a CA
+
diff --git a/pki/verify_certificate_chain.cc b/pki/verify_certificate_chain.cc
index c42f757..f83aef8 100644
--- a/pki/verify_certificate_chain.cc
+++ b/pki/verify_certificate_chain.cc
@@ -229,6 +229,23 @@
     }
   }
 
+  // Apply strict only to leaf certificates in these cases.
+  if (required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT_LEAF) {
+    if (!is_target_cert) {
+      required_key_purpose = KeyPurpose::CLIENT_AUTH;
+    } else {
+      required_key_purpose = KeyPurpose::CLIENT_AUTH_STRICT;
+    }
+  }
+
+  if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT_LEAF) {
+    if (!is_target_cert) {
+      required_key_purpose = KeyPurpose::SERVER_AUTH;
+    } else {
+      required_key_purpose = KeyPurpose::SERVER_AUTH_STRICT;
+    }
+  }
+
   auto add_error_if_strict = [&](CertErrorId id) {
     if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT ||
         required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT) {
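Review bot: The comment above the two new `if` blocks does not say what the non-leaf certificates are checked against, which is the security-relevant half of the change: for an intermediate the purpose is rewritten to plain `CLIENT_AUTH`/`SERVER_AUTH`, so an intermediate asserting anyExtendedKeyUsage yields only a warning (intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test in this commit expects exactly that). I would spell it out, e.g. `// *_STRICT_LEAF: check the target cert as *_STRICT and every other cert in the chain as the non-strict purpose.` Each block can also be one assignment, `required_key_purpose = is_target_cert ? KeyPurpose::CLIENT_AUTH_STRICT : KeyPurpose::CLIENT_AUTH;`, which drops the negated condition. The rewrite sits after code that lies outside this hunk, so it is worth confirming that nothing earlier in the function branches on the un-normalized value.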
@@ -300,6 +317,8 @@
 
   switch (required_key_purpose) {
     case KeyPurpose::ANY_EKU:
+    case KeyPurpose::CLIENT_AUTH_STRICT_LEAF:
+    case KeyPurpose::SERVER_AUTH_STRICT_LEAF:
       assert(0);  // NOTREACHED
       return;
     case KeyPurpose::SERVER_AUTH:
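Review bot: The new `CLIENT_AUTH_STRICT_LEAF` and `SERVER_AUTH_STRICT_LEAF` arms share `assert(0); return;`, and with NDEBUG defined the assert compiles away, leaving a bare `return` that skips the per-purpose checks in the remaining arms without recording anything. Today that is unreachable only because of the rewrite earlier in the function; if that rewrite is ever moved or bypassed, a release build would fail open on EKU. To keep the invariant fail-closed I would record an error through the function's error sink before returning, or use an abort that is not compiled out. The switch continues outside this hunk.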
@@ -1192,6 +1211,8 @@
         break;
       case KeyPurpose::SERVER_AUTH_STRICT:
       case KeyPurpose::CLIENT_AUTH_STRICT:
+      case KeyPurpose::CLIENT_AUTH_STRICT_LEAF:
+      case KeyPurpose::SERVER_AUTH_STRICT_LEAF:
         errors->AddError(cert_errors::kTargetCertShouldNotBeCa);
         break;
     }
diff --git a/pki/verify_certificate_chain.h b/pki/verify_certificate_chain.h
index 6c4cccf..9510fa9 100644
--- a/pki/verify_certificate_chain.h
+++ b/pki/verify_certificate_chain.h
@@ -30,8 +30,10 @@
   CLIENT_AUTH,
   SERVER_AUTH_STRICT,  // Skip ANY_EKU when checking, require EKU present in
                        // certificate.
+  SERVER_AUTH_STRICT_LEAF, // Same as above, but only for leaf cert.
   CLIENT_AUTH_STRICT,  // Skip ANY_EKU when checking, require EKU present in
                        // certificate.
+  CLIENT_AUTH_STRICT_LEAF, // Same as above, but only for leaf ce
 };
 
 enum class InitialExplicitPolicy {
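Review bot: The comments on the two new enumerators ("Same as above, but only for leaf cert") leave open what the rest of the chain is checked against, and the second one is cut off at `leaf ce` as shown here. Something like `// SERVER_AUTH_STRICT for the target cert, SERVER_AUTH for the rest of the chain.` (and the CLIENT_AUTH equivalent) states the contract callers rely on. Separately, `SERVER_AUTH_STRICT_LEAF` is inserted before `CLIENT_AUTH_STRICT`, and the enumerators visible here carry no explicit values, so the underlying value of `CLIENT_AUTH_STRICT` shifts; appending the new enumerators at the end avoids that if the value is ever logged, persisted or passed across a separately built boundary. The start of the enum is outside this hunk.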
diff --git a/pki/verify_certificate_chain_typed_unittest.h b/pki/verify_certificate_chain_typed_unittest.h
index e22788c..95b3976 100644
--- a/pki/verify_certificate_chain_typed_unittest.h
+++ b/pki/verify_certificate_chain_typed_unittest.h
@@ -140,6 +140,7 @@
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetNotEndEntity) {
   this->RunTest("target-not-end-entity/main.test");
   this->RunTest("target-not-end-entity/strict.test");
+  this->RunTest("target-not-end-entity/strict-leaf.test");
 }
 
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyUsage) {
@@ -166,12 +167,16 @@
   this->RunTest("intermediate-eku-clientauth/serverauth.test");
   this->RunTest("intermediate-eku-clientauth/clientauth.test");
   this->RunTest("intermediate-eku-clientauth/serverauth-strict.test");
+  this->RunTest("intermediate-eku-clientauth/serverauth-strict-leaf.test");
   this->RunTest("intermediate-eku-clientauth/clientauth-strict.test");
+  this->RunTest("intermediate-eku-clientauth/clientauth-strict-leaf.test");
   this->RunTest("intermediate-eku-any-and-clientauth/any.test");
   this->RunTest("intermediate-eku-any-and-clientauth/serverauth.test");
   this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict.test");
+  this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test");
   this->RunTest("intermediate-eku-any-and-clientauth/clientauth.test");
   this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict.test");
+  this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test");
   this->RunTest("target-eku-clientauth/any.test");
   this->RunTest("target-eku-clientauth/serverauth.test");
   this->RunTest("target-eku-clientauth/clientauth.test");
@@ -179,19 +184,24 @@
   this->RunTest("target-eku-clientauth/clientauth-strict.test");
   this->RunTest("target-eku-any/any.test");
   this->RunTest("target-eku-any/serverauth.test");
+  this->RunTest("target-eku-any/serverauth-strict-leaf.test");
   this->RunTest("target-eku-any/clientauth.test");
   this->RunTest("target-eku-any/serverauth-strict.test");
   this->RunTest("target-eku-any/clientauth-strict.test");
+  this->RunTest("target-eku-any/clientauth-strict-leaf.test");
   this->RunTest("target-eku-many/any.test");
   this->RunTest("target-eku-many/serverauth.test");
   this->RunTest("target-eku-many/clientauth.test");
   this->RunTest("target-eku-many/serverauth-strict.test");
+  this->RunTest("target-eku-many/serverauth-strict-leaf.test");
   this->RunTest("target-eku-many/clientauth-strict.test");
+  this->RunTest("target-eku-many/clientauth-strict-leaf.test");
   this->RunTest("target-eku-none/any.test");
   this->RunTest("target-eku-none/serverauth.test");
   this->RunTest("target-eku-none/clientauth.test");
   this->RunTest("target-eku-none/serverauth-strict.test");
   this->RunTest("target-eku-none/clientauth-strict.test");
+  this->RunTest("target-eku-none/clientauth-strict-leaf.test");
   this->RunTest("root-eku-clientauth/serverauth.test");
   this->RunTest("root-eku-clientauth/serverauth-strict.test");
   this->RunTest("root-eku-clientauth/serverauth-ta-with-constraints.test");
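Review bot: The strict-leaf additions leave two gaps in the EKU matrix: `target-eku-none` gets `clientauth-strict-leaf.test` but no `serverauth-strict-leaf.test`, and `target-eku-clientauth` gets no strict-leaf case in the lines shown, nor does the commit create such a file. A leaf carrying only clientAuth is the most direct check that `CLIENT_AUTH_STRICT_LEAF` accepts it and `SERVER_AUTH_STRICT_LEAF` rejects it. I would add the missing .test files and the matching calls, e.g. `this->RunTest("target-eku-none/serverauth-strict-leaf.test");`. The enclosing test body starts outside this hunk.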