author | William Woodruff <william@trailofbits.com> | 2024-01-31 19:26:49 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-31 19:26:49 -0500 |
commit | e80f3eed8e6cf0cee32c05ac5e1d7145902a2aaf (patch) | |
tree | 84cc7cca29099642ce783315ee7915b6ca6dd7fa /tests/x509 | |
parent | b39190140facaedf133648b74a968b4eb5e3c83d (diff) | |
verification/policy: tweak key checks (#10311)
* verification/policy: tweak key checks
Needs https://github.com/C2SP/x509-limbo/pull/185.
Signed-off-by: William Woodruff <william@trailofbits.com>
* bump limbo
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
Diffstat (limited to 'tests/x509')
-rw-r--r-- | tests/x509/verification/test_limbo.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py
index 57c4298..edcb0fc 100644
--- a/tests/x509/verification/test_limbo.py
+++ b/tests/x509/verification/test_limbo.py
@@ -27,7 +27,10 @@ LIMBO_UNSUPPORTED_FEATURES = {
     # Our support for custom EKUs is limited, and we (like most impls.) don't
     # handle all EKU conditions under CABF.
     "pedantic-webpki-eku",
-    # Similarly: contains tests that fail based on a strict reading of RFC 5280
+    # Most CABF validators do not enforce the CABF key requirements on
+    # subscriber keys (i.e., in the leaf certificate).
+    "pedantic-webpki-subscriber-key",
+    # Tests that fail based on a strict reading of RFC 5280
     # but are widely ignored by validators.
     "pedantic-rfc5280",
     # In rare circumstances, CABF relaxes RFC 5280's prescriptions in
@@ -64,7 +67,7 @@ LIMBO_SKIP_TESTCASES = {
     "webpki::aki::root-with-aki-ski-mismatch",
     # We allow RSA keys that aren't divisible by 8, which is technically
     # forbidden under CABF. No other implementation checks this either.
-    "webpki::forbidden-rsa-key-not-divisable-by-8",
+    "webpki::forbidden-rsa-not-divisable-by-8-in-root",
     # We disallow CAs in the leaf position, which is explicitly forbidden
     # by CABF (but implicitly permitted under RFC 5280). This is consistent
     # with what webpki and rustls do, but inconsistent with Go and OpenSSL.
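Review bot: The comment on the new `"pedantic-webpki-subscriber-key"` entry in `LIMBO_UNSUPPORTED_FEATURES` explains why the tests are skipped but not what the verifier consequently does not check on leaf keys, which is the security-relevant fact a reader of this skip list needs. As written it is also a claim about other validators rather than a statement about this implementation's own gap. I would state the gap explicitly and hedge its scope against the limbo feature definition, e.g. `# We do not enforce CABF key requirements on subscriber (leaf) keys —` `# presumably minimum RSA modulus size and permitted curves, see x509-limbo's` `# pedantic-webpki-subscriber-key feature. Most other validators don't either.` The `LIMBO_UNSUPPORTED_FEATURES` set begins before and ends after this hunk.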
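Review bot: The skip entry is narrowed to the `-in-root` variant of the not-divisible-by-8 test, but the two comment lines above it still talk about RSA keys in general, so they no longer explain why only the root case is listed here. Presumably the leaf variant now falls under the `"pedantic-webpki-subscriber-key"` feature skip earlier in this file; if so the comment should say so, and it should also note that the `divisable` spelling is deliberate because the string must match the limbo testcase id exactly — an entry that does not match simply skips nothing, unless the harness validates skip names (not visible in this hunk). E.g. `# We allow root RSA keys whose bit length isn't divisible by 8, which is` `# technically forbidden under CABF; no other implementation checks this either.` `# (Leaf keys fall under the pedantic-webpki-subscriber-key feature skip above.)` The `LIMBO_SKIP_TESTCASES` set begins before and ends after this hunk.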