Commit aa4686f

update x509-limbo to latest
This brings in several new test cases:

* Some new pathological chain building tests sourced from the Go test suite. We pass these as-expected.
* A test for CVE-2025-61727, testing a name constraint issue from Go related to excluded subdomain constraints for wildcard leaf SANs. We pass this test as-expected.
* Additional PSL wildcard SAN tests. We don't reject these when the test expects we should. This is because they require taking a dependency on the public suffix data, which is both large & frequently changing. We add these tests to our exceptions.json.

Additionally, upstream fixed a typo in two webpki::rsa test cases that we already had exceptions.json entries for. We update these to match the new name.
1 parent f2e8ab9 commit aa4686f

3 files changed

Lines changed: 14 additions & 4 deletions

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default.

Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -83,7 +83,7 @@ untrusted = "0.9"
8383
base64 = "0.22"
8484
bencher = "0.1.5"
8585
chrono = "0.4"
86-
limbo-harness-support = { git = "https://github.com/C2SP/x509-limbo", rev = "700bc657992b688f305f8f3ce08195da04543545" }
86+
limbo-harness-support = { git = "https://github.com/C2SP/x509-limbo", rev = "1983423436313a6605461056470e21242d066416" }
8787
once_cell = "1.17.2"
8888
rcgen = { version = "0.14.7", default-features = false, features = ["aws_lc_rs"] }
8989
rustls-aws-lc-rs = { version = "0.1.0-dev.0" }
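
Review bot: The new `rev` on the `limbo-harness-support` line is a bare 40-character hash with nothing beside it saying which upstream state it corresponds to. A short trailing comment giving the upstream commit date would let the next bump be checked against the x509-limbo history without resolving the hash first. Pinning the git dependency to a full commit hash rather than a branch is the right choice here, and the one-line Cargo.lock change (not rendered on this page) should be checked to resolve to the same revision.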

third-party/x509-limbo/exceptions.json

Lines changed: 12 additions & 2 deletions
@@ -254,6 +254,16 @@
254254
"actual": "SUCCESS",
255255
"reason": "webpki does not enforce CABF requirement that SAN not be critical when subject is non-empty"
256256
},
257+
"webpki::san::public-suffix-multi-label-wildcard-san": {
258+
"expected": "FAILURE",
259+
"actual": "SUCCESS",
260+
"reason": "webpki does not take a public-suffix data dependency to enforce this CABF requirement"
261+
},
262+
"webpki::san::public-suffix-private-namespace-wildcard-san": {
263+
"expected": "FAILURE",
264+
"actual": "SUCCESS",
265+
"reason": "webpki does not take a public-suffix data dependency to enforce this CABF requirement"
266+
},
257267
"webpki::malformed-aia": {
258268
"expected": "FAILURE",
259269
"actual": "SUCCESS",
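
Review bot: The two added entries, `public-suffix-multi-label-wildcard-san` and `public-suffix-private-namespace-wildcard-san`, carry the same `reason` string, and that string explains why the check is missing but not what is accepted as a result. Both are `"expected": "FAILURE"` with `"actual": "SUCCESS"`, so they record wildcard SANs that the test suite wants rejected and webpki validates. Consider wording each `reason` so it names the case it covers (multi-label suffix versus private namespace), and consider noting in the crate documentation that callers who need public-suffix enforcement have to apply it themselves.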
@@ -274,12 +284,12 @@
274284
"actual": "SUCCESS",
275285
"reason": "webpki does not enforce CABF RSA key size minimum (1024-bit accepted)"
276286
},
277-
"webpki::forbidden-rsa-not-divisable-by-8-in-root": {
287+
"webpki::forbidden-rsa-not-divisible-by-8-in-root": {
278288
"expected": "FAILURE",
279289
"actual": "SUCCESS",
280290
"reason": "webpki does not enforce CABF requirement that RSA key size be divisible by 8"
281291
},
282-
"webpki::forbidden-rsa-key-not-divisable-by-8-in-leaf": {
292+
"webpki::forbidden-rsa-key-not-divisible-by-8-in-leaf": {
283293
"expected": "FAILURE",
284294
"actual": "SUCCESS",
285295
"reason": "webpki does not enforce CABF requirement that RSA key size be divisible by 8"
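
Review bot: The two renamed keys still differ in shape: `forbidden-rsa-not-divisible-by-8-in-root` has no `-key-` segment while `forbidden-rsa-key-not-divisible-by-8-in-leaf` does. The old names had the same difference, so this is probably upstream's naming, but both should be checked against the test ids at the new x509-limbo revision. It is also worth confirming that the harness fails on an exceptions.json entry that matches no upstream test id, so that a future upstream rename cannot leave a stale exception behind unnoticed.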
