Hi David,

first off, thanks for the great work with this, it has been invaluable for me. I'm currently writing a validator to detect all kinds of issues with certificates and your test corpus has been a goldmine.

In my implementation I have an issue with xf-ext-altname-invalid-domain.pem -- it might very well be that my understanding is wrong. I still open this up as a ticket because if it turns out to be bogus there'll be public documentation and others might find it before asking :-)

The certificate contains a CN of "*.google.com" and a Subject Alternative Name of "DNS:*.123google.com". The SN/GN indicates:

SN = "RFC5280 s4.2.1.6 'The name MUST be in the preferred name syntax, as specified by Section 3.5 of [RFC1034] and as modified by Section 2.1 of [RFC1123]'"
GN = Subject Alternative Name with invalid domain

The issue here does not seem to be the mismatch between CN/SAN because if a SAN is present it always has precedence (to the best of my knowledge). Therefore the only issue I can see would be the wildcard domainname "*.123google.com". However, I don't see what's wrong with it. Leading digits for labels are okay (e.g., "www.321meins.de" leads to eBay), so maybe I'm missing something super obvious?

Would be very much appreciated if you could point me in the right direction.
Again, thank you so much for x509test.
Cheers,
Joe

Hi David,

hope you are well. I have been coding some more and checking against your great x509test toolkit. I believe I've found an issue in xf-ext-cert-policies-bmp-unotice. In particular, you define the explicitText BMPString as:

  BMPString { "User notice" }  # explicitText

Clearly, this violates the RFC because the type is a BMPString. However, a BMPString is UTF-16, but "User notice" is 11 characters wide. I.e., a proper BMPString parser doesn't even validate the encoded string, but chokes already on the encoding of the string itself. The testcase does pose an invalid certificate, but it does not test not what it should actually test.

It can be easily fixed by either of:

1. Change "User notice" to "User noticex" (or any other valid UTF-16 string)
2. Change BMPString to VisibleString

Thanks & HTH,
All the best,
Joe

As discussed it would be useful if the generated certificates contained real private/public key pairs for the corresponding leaf certificates.

For example, the file tbs/xf-def-invalid-nonminimal-int.tbs includes an ASN.1 INTEGER that has been incorrectly DER-encoded (because it has leading padding). This fragment can no longer be converted into a full invalid certificate because the build tools try to use OpenSSL as part of the conversion.