Add CABF CN/SAN compliance test cases by jvdprng · Pull Request #533 · C2SP/x509-limbo

jvdprng · 2025-12-31T21:21:55Z

Adds 9 test cases to verify CABF Baseline Requirements Section 7.1.4.3 compliance, which mandates that commonName must exactly match a SAN entry when present.

The following scenarios are tested (all should result in rejection):

cabf_cn_ipv4_hex_mismatch: IPv4 hex format CN vs dotted-decimal SAN
cabf_cn_ipv4_leading_zeros_mismatch: IPv4 with leading zeros vs canonical form
cabf_cn_ipv6_uppercase_mismatch: IPv6 uppercase vs lowercase
cabf_cn_ipv6_uncompressed_mismatch: IPv6 uncompressed vs RFC 5952 compressed
cabf_cn_ipv6_non_rfc5952_mismatch: IPv6 non-RFC 5952 compliant formatting
cabf_cn_punycode_vs_utf8_mismatch: Different punycode domains
cabf_cn_utf8_vs_punycode_mismatch: UTF-8 CN vs punycode SAN
cabf_cn_not_in_san: CN not matching any SAN entry
cabf_cn_case_mismatch: CN matching SAN with different case

The docstring for each test case includes a reference to the specific section in the CABF requirements (or one of its references) that is violated when accepting the corresponding cert.

🤖 Generated with Claude Code

which mandates that commonName must exactly match a SAN entry when present. Tests cover: - IPv4 format mismatches (hex, leading zeros) - IPv6 format variations (uppercase, uncompressed, non-RFC 5952) - IDN encoding mismatches (punycode vs UTF-8) - General CN/SAN mismatches and case sensitivity 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

jvdprng · 2025-12-31T21:46:00Z

Since the bot cannot run when the PR comes from a fork, here is a copy from our fork for informational purposes:

New testcases

There are new testcases in this change.

openssl-3.5.4

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

pyca-cryptography-46.0.3

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	chain built successfully
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	chain built successfully

rust-webpki

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SKIPPED	implementation requires DNS peer names
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SKIPPED	implementation requires DNS peer names
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SKIPPED	implementation requires DNS peer names
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SKIPPED	implementation requires DNS peer names
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SKIPPED	implementation requires DNS peer names
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

openssl-3.6.0

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

gnutls-certtool-3.8.3

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	Chain verification output: Verified. The certificate is trusted.

certvalidator-0.11.1

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

gocryptox509-go1.25.4

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	validation: chain built
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	validation: chain built

openssl-3.2.6

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

openssl-3.0.18

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

openssl-3.4.3

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

rustls-webpki

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

openssl-3.3.5

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

openssl-1.1

Testcase	Expected Result	Actual Result	Context
`webpki::cn::cabf-cn-ipv6-uncompressed-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-uppercase-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-leading-zeros-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-punycode-not-in-san`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv6-non-rfc5952-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-ipv4-hex-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-utf8-vs-punycode-mismatch`	FAILURE	SUCCESS	None
`webpki::cn::cabf-cn-case-mismatch`	FAILURE	SUCCESS	None

woodruffw · 2026-01-02T16:50:36Z

limbo/testcases/webpki/cn.py

+
+
+@testcase
+def cabf_cn_ipv4_hex_mismatch(builder: Builder) -> None:


nit: could we remove the cabf_cn_ prefix from these tests? The harness should auto-prefix these by their namespace, e.g. ipv4_hex_mismatch should become webpki::cn::ipv4-hex-mismatch.

Done in 8fd563e

woodruffw

Thanks @jvdprng! This looks good to me overall, one nitpick about testcase naming 🙂

woodruffw

Thanks!

woodruffw reviewed Jan 2, 2026

View reviewed changes

woodruffw approved these changes Jan 2, 2026

View reviewed changes

Remove cabf_cn prefix from testcase names and regenerate limbo.json

8fd563e

woodruffw approved these changes Jan 5, 2026

View reviewed changes

woodruffw merged commit a97d5e6 into C2SP:main Jan 5, 2026
8 of 9 checks passed

woodruffw mentioned this pull request Jan 10, 2026

Bump x509-limbo and/or wycheproof in CI pyca/cryptography#14127

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CABF CN/SAN compliance test cases#533

Add CABF CN/SAN compliance test cases#533
woodruffw merged 2 commits intoC2SP:mainfrom
trail-of-forks:add-testcase-cabf-cn-san-compliance

jvdprng commented Dec 31, 2025

Uh oh!

jvdprng commented Dec 31, 2025

Uh oh!

woodruffw Jan 2, 2026

Uh oh!

jvdprng Jan 2, 2026

Uh oh!

woodruffw left a comment

Uh oh!

woodruffw left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants



		@testcase
		def cabf_cn_ipv4_hex_mismatch(builder: Builder) -> None:

Conversation

jvdprng commented Dec 31, 2025

Uh oh!

jvdprng commented Dec 31, 2025

New testcases

openssl-3.5.4

pyca-cryptography-46.0.3

rust-webpki

openssl-3.6.0

gnutls-certtool-3.8.3

certvalidator-0.11.1

gocryptox509-go1.25.4

openssl-3.2.6

openssl-3.0.18

openssl-3.4.3

rustls-webpki

openssl-3.3.5

openssl-1.1

Uh oh!

woodruffw Jan 2, 2026

Choose a reason for hiding this comment

Uh oh!

jvdprng Jan 2, 2026

Choose a reason for hiding this comment

Uh oh!

woodruffw left a comment

Choose a reason for hiding this comment

Uh oh!

woodruffw left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants