Add a CLIENT_AUTH_STRICT_LEAF and SERVER_AUTH_STRICT_LEAF which do STRICT requirements on the leaf certificate, and not STRICT on the rest of the chain. Bug: 721 Change-Id: Ieec5940c0ab40aa7ea9e8fe192e5734326b976c3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/67787 Reviewed-by: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/gen/sources.cmake b/gen/sources.cmake index 927363d..6c8b176 100644 --- a/gen/sources.cmake +++ b/gen/sources.cmake
@@ -2150,14 +2150,18 @@ pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem + pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test + pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem + pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test + pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem @@ -2371,8 +2375,10 @@ pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem + pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test + pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test @@ -2383,12 +2389,15 @@ pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem + pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test + pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem + pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test @@ -2411,6 +2420,7 @@ pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test + pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test
diff --git a/gen/sources.json b/gen/sources.json index 1fe6517..77b1343 100644 --- a/gen/sources.json +++ b/gen/sources.json
@@ -2091,14 +2091,18 @@ "pki/testdata/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/main.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/any.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem", + "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth.test", + "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/any.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem", + "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test", + "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test", "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem", @@ -2312,8 +2316,10 @@ "pki/testdata/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/any.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/chain.pem", + "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth.test", + "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/any.test", @@ -2324,12 +2330,15 @@ "pki/testdata/verify_certificate_chain_unittest/target-eku-clientauth/serverauth.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/any.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/chain.pem", + "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth.test", + "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-none/any.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-none/chain.pem", + "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth.test", "pki/testdata/verify_certificate_chain_unittest/target-eku-none/serverauth-strict.test", @@ -2352,6 +2361,7 @@ "pki/testdata/verify_certificate_chain_unittest/target-msapplicationpolicies-no-eku/main.test", "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/chain.pem", "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/main.test", + "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test", "pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict.test", "pki/testdata/verify_certificate_chain_unittest/target-only/chain.pem", "pki/testdata/verify_certificate_chain_unittest/target-only/trusted_anchor.test",
diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc index 490fba5..0615008 100644 --- a/pki/test_helpers.cc +++ b/pki/test_helpers.cc
@@ -305,6 +305,10 @@ test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT; } else if (value == "CLIENT_AUTH_STRICT") { test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT; + } else if (value == "SERVER_AUTH_STRICT_LEAF") { + test->key_purpose = KeyPurpose::SERVER_AUTH_STRICT_LEAF; + } else if (value == "CLIENT_AUTH_STRICT_LEAF") { + test->key_purpose = KeyPurpose::CLIENT_AUTH_STRICT_LEAF; } else { ADD_FAILURE() << "Unrecognized key_purpose: " << value; return false;
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test new file mode 100644 index 0000000..267df5c --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: CLIENT_AUTH_STRICT_LEAF +expected_errors:
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test new file mode 100644 index 0000000..47b307a --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: SERVER_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=1 (CN=Intermediate) ----- +WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage +
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test new file mode 100644 index 0000000..267df5c --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth-strict-leaf.test
@@ -0,0 +1,5 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: CLIENT_AUTH_STRICT_LEAF +expected_errors:
diff --git a/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test new file mode 100644 index 0000000..64393a3 --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth-strict-leaf.test
@@ -0,0 +1,8 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: SERVER_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=1 (CN=Intermediate) ----- +ERROR: The extended key usage does not include server auth +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test new file mode 100644 index 0000000..f32749d --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: CLIENT_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +WARNING: The extended key usage does not include client auth but instead includes anyExtendedKeyUsage +ERROR: The extended key usage does not include client auth +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test new file mode 100644 index 0000000..1c13dcb --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-any/serverauth-strict-leaf.test
@@ -0,0 +1,9 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: SERVER_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +WARNING: The extended key usage does not include server auth but instead includes anyExtendeKeyUsage +ERROR: The extended key usage does not include server auth +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test new file mode 100644 index 0000000..87253df --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/clientauth-strict-leaf.test
@@ -0,0 +1,10 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: CLIENT_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +ERROR: The extended key usage includes code signing which is not permitted for this use +ERROR: The extended key usage includes OCSP signing which is not permitted for this use +ERROR: The extended key usage includes time stamping which is not permitted for this use +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test new file mode 100644 index 0000000..b1cff00 --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-many/serverauth-strict-leaf.test
@@ -0,0 +1,10 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: SERVER_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +ERROR: The extended key usage includes code signing which is not permitted for this use +ERROR: The extended key usage includes OCSP signing which is not permitted for this use +ERROR: The extended key usage includes time stamping which is not permitted for this use +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test new file mode 100644 index 0000000..ef15a68 --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-eku-none/clientauth-strict-leaf.test
@@ -0,0 +1,9 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: CLIENT_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +WARNING: Certificate does not have extended key usage +ERROR: The extended key usage does not include client auth +
diff --git a/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test b/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test new file mode 100644 index 0000000..f4c98ae --- /dev/null +++ b/pki/testdata/verify_certificate_chain_unittest/target-not-end-entity/strict-leaf.test
@@ -0,0 +1,10 @@ +chain: chain.pem +last_cert_trust: TRUSTED_ANCHOR +utc_time: DEFAULT +key_purpose: SERVER_AUTH_STRICT_LEAF +expected_errors: +----- Certificate i=0 (CN=Target) ----- +WARNING: Certificate does not have extended key usage +ERROR: The extended key usage does not include server auth +ERROR: Certificate has Basic Constraints indicating it is a CA when it should not be a CA +
diff --git a/pki/verify_certificate_chain.cc b/pki/verify_certificate_chain.cc index c42f757..f83aef8 100644 --- a/pki/verify_certificate_chain.cc +++ b/pki/verify_certificate_chain.cc
@@ -229,6 +229,23 @@ } } + // Apply strict only to leaf certificates in these cases. + if (required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT_LEAF) { + if (!is_target_cert) { + required_key_purpose = KeyPurpose::CLIENT_AUTH; + } else { + required_key_purpose = KeyPurpose::CLIENT_AUTH_STRICT; + } + } + + if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT_LEAF) { + if (!is_target_cert) { + required_key_purpose = KeyPurpose::SERVER_AUTH; + } else { + required_key_purpose = KeyPurpose::SERVER_AUTH_STRICT; + } + } + auto add_error_if_strict = [&](CertErrorId id) { if (required_key_purpose == KeyPurpose::SERVER_AUTH_STRICT || required_key_purpose == KeyPurpose::CLIENT_AUTH_STRICT) { @@ -300,6 +317,8 @@ switch (required_key_purpose) { case KeyPurpose::ANY_EKU: + case KeyPurpose::CLIENT_AUTH_STRICT_LEAF: + case KeyPurpose::SERVER_AUTH_STRICT_LEAF: assert(0); // NOTREACHED return; case KeyPurpose::SERVER_AUTH: @@ -1192,6 +1211,8 @@ break; case KeyPurpose::SERVER_AUTH_STRICT: case KeyPurpose::CLIENT_AUTH_STRICT: + case KeyPurpose::CLIENT_AUTH_STRICT_LEAF: + case KeyPurpose::SERVER_AUTH_STRICT_LEAF: errors->AddError(cert_errors::kTargetCertShouldNotBeCa); break; }
diff --git a/pki/verify_certificate_chain.h b/pki/verify_certificate_chain.h index 6c4cccf..9510fa9 100644 --- a/pki/verify_certificate_chain.h +++ b/pki/verify_certificate_chain.h
@@ -30,8 +30,10 @@ CLIENT_AUTH, SERVER_AUTH_STRICT, // Skip ANY_EKU when checking, require EKU present in // certificate. + SERVER_AUTH_STRICT_LEAF, // Same as above, but only for leaf cert. CLIENT_AUTH_STRICT, // Skip ANY_EKU when checking, require EKU present in // certificate. + CLIENT_AUTH_STRICT_LEAF, // Same as above, but only for leaf ce }; enum class InitialExplicitPolicy {
diff --git a/pki/verify_certificate_chain_typed_unittest.h b/pki/verify_certificate_chain_typed_unittest.h index e22788c..95b3976 100644 --- a/pki/verify_certificate_chain_typed_unittest.h +++ b/pki/verify_certificate_chain_typed_unittest.h
@@ -140,6 +140,7 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetNotEndEntity) { this->RunTest("target-not-end-entity/main.test"); this->RunTest("target-not-end-entity/strict.test"); + this->RunTest("target-not-end-entity/strict-leaf.test"); } TYPED_TEST_P(VerifyCertificateChainSingleRootTest, KeyUsage) { @@ -166,12 +167,16 @@ this->RunTest("intermediate-eku-clientauth/serverauth.test"); this->RunTest("intermediate-eku-clientauth/clientauth.test"); this->RunTest("intermediate-eku-clientauth/serverauth-strict.test"); + this->RunTest("intermediate-eku-clientauth/serverauth-strict-leaf.test"); this->RunTest("intermediate-eku-clientauth/clientauth-strict.test"); + this->RunTest("intermediate-eku-clientauth/clientauth-strict-leaf.test"); this->RunTest("intermediate-eku-any-and-clientauth/any.test"); this->RunTest("intermediate-eku-any-and-clientauth/serverauth.test"); this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict.test"); + this->RunTest("intermediate-eku-any-and-clientauth/serverauth-strict-leaf.test"); this->RunTest("intermediate-eku-any-and-clientauth/clientauth.test"); this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict.test"); + this->RunTest("intermediate-eku-any-and-clientauth/clientauth-strict-leaf.test"); this->RunTest("target-eku-clientauth/any.test"); this->RunTest("target-eku-clientauth/serverauth.test"); this->RunTest("target-eku-clientauth/clientauth.test"); @@ -179,19 +184,24 @@ this->RunTest("target-eku-clientauth/clientauth-strict.test"); this->RunTest("target-eku-any/any.test"); this->RunTest("target-eku-any/serverauth.test"); + this->RunTest("target-eku-any/serverauth-strict-leaf.test"); this->RunTest("target-eku-any/clientauth.test"); this->RunTest("target-eku-any/serverauth-strict.test"); this->RunTest("target-eku-any/clientauth-strict.test"); + this->RunTest("target-eku-any/clientauth-strict-leaf.test"); this->RunTest("target-eku-many/any.test"); this->RunTest("target-eku-many/serverauth.test"); this->RunTest("target-eku-many/clientauth.test"); this->RunTest("target-eku-many/serverauth-strict.test"); + this->RunTest("target-eku-many/serverauth-strict-leaf.test"); this->RunTest("target-eku-many/clientauth-strict.test"); + this->RunTest("target-eku-many/clientauth-strict-leaf.test"); this->RunTest("target-eku-none/any.test"); this->RunTest("target-eku-none/serverauth.test"); this->RunTest("target-eku-none/clientauth.test"); this->RunTest("target-eku-none/serverauth-strict.test"); this->RunTest("target-eku-none/clientauth-strict.test"); + this->RunTest("target-eku-none/clientauth-strict-leaf.test"); this->RunTest("root-eku-clientauth/serverauth.test"); this->RunTest("root-eku-clientauth/serverauth-strict.test"); this->RunTest("root-eku-clientauth/serverauth-ta-with-constraints.test");