test: add a test for URIs with userinfo

wireapp · Jan 27, 2025 · b44cdb3 · b44cdb3
1 parent 051a3f2
commit b44cdb3
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
@@ -411,6 +411,18 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
     "email.1 = [email protected]" "email.2 = [email protected]" \
     "IP = 127.0.0.1" "IP = 192.168.0.1"
 
+# NC CA4 only permits URIs matching good.org.
+
+NC="permitted;URI:good.org"
+NC=$NC ./mkcert.sh genca "Test NC CA 4" ncca4-key ncca4-cert root-key root-cert
+
+# A certificate with an URI SAN
+./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
+    "CN=Joe Bloggs" | \
+    ./mkcert.sh geneealt nc-uri-key nc-uri-cert ncca4-key ncca4-cert \
+    "URI.1 = foo://%[email protected]" \
+    "URI.2 = bar://[email protected]/baz/quux"
+
 # Certs for CVE-2022-4203 testcase
 
 NC="excluded;otherName:SRVName;UTF8STRING:[email protected]" ./mkcert.sh genca \

diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 193;
+plan tests => 194;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -467,6 +467,9 @@ ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
 ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
    "CVE-2022-4203 type confusion test");
 
+ok(verify("nc-uri-cert", "", ["root-cert"], ["ncca4-cert"], ),
+   "Name constraints URI with userinfo");
+
 #Check that we get the expected failure return code
 with({ exit_checker => sub { return shift == 2; } },
      sub {