badssl.com icon indicating copy to clipboard operation
badssl.com copied to clipboard

Published 20 hours ago verified publisher icon chromium

Add test for a cert signed by a non-CA certificate that's otherwise trustworthy.

Open flarn2006 opened this issue 4 years ago • 2 comments

That is, the hierarchy would be something like:

DigiCert Global Root CA (trusted root)
|- DigiCert SHA2 Secure Server CA (valid subordinate CA)
   |- *.badssl.com (valid certificate, not a CA)
       |- constraint-fail.badssl.com (would be valid, except *.badssl.com is not a CA)

You could also add a second version of the test where the third entry (the subordinate CA that isn't actually a CA) is for an entirely different domain, to be more comprehensive.

flarn2006 avatar Dec 08 '20 21:12 flarn2006

This is a neat idea!

lgarron avatar Dec 08 '20 21:12 lgarron

Thanks! There's a known case of a failure to check that flag as well; thankfully it seems to only have had positive effects—see KaeruTeam/nds-constraint.

flarn2006 avatar Dec 08 '20 22:12 flarn2006