@jvdprng jvdprng commented Dec 31, 2025

This PR adds test cases for CABF Baseline Requirements 7.1.2.7.10 regarding subscriber Extended Key Usage (EKU) validation.

There are 8 new test cases:

  • ee_clientauth_only: Tests rejection when only clientAuth is present (serverAuth is missing)
  • ee_precertificate_only: Tests rejection when only precertificate OID is present (serverAuth is missing)
  • ee_precertificate_with_serverauth: Tests rejection of serverAuth and precertificate OID
  • ee_serverauth_with_additional: Tests acceptance when serverAuth and clientAuth are present
  • ee_codesigning_with_serverauth: Tests rejection of serverAuth and codeSigning
  • ee_emailprotection_with_serverauth: Tests rejection of serverAuth and emailProtection
  • ee_timestamping_with_serverauth: Tests rejection of serverAuth and timeStamping
  • ee_ocspsigning_with_serverauth: Tests rejection of serverAuth and OCSPSigning

🤖 Generated with Claude Code
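The acceptance rule these testcases encode, written out as an added example (not code from this PR or from the test suite): serverAuth must be present, and none of the EKUs listed for rejection may accompany it. The function names, the hex-encoded EKU extension values and the reason strings are constructed here, and the precertificate OID is assumed to be the RFC 6962 precertificate signing OID.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
PROHIBITED = {  # rejected by the testcases even alongside serverAuth
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "1.3.6.1.4.1.11129.2.4.4": "precertificate",  # assumed RFC 6962 OID
}

def decode_oid(body: bytes) -> str:
    """Decode DER OID content octets: base-128 arcs, high bit continues."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def parse_eku(der: bytes) -> list:
    """Parse SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 0x7F or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        if i + 2 > len(der) or der[i] != 0x06 or i + 2 + der[i + 1] > len(der):
            raise ValueError("malformed OBJECT IDENTIFIER")
        oids.append(decode_oid(der[i + 2 : i + 2 + der[i + 1]]))
        i += 2 + der[i + 1]
    return oids

def check_subscriber_eku(der: bytes):
    """Return (accepted, reason) for a subscriber EKU extension value."""
    ekus = parse_eku(der)
    bad = [PROHIBITED[o] for o in ekus if o in PROHIBITED]
    if SERVER_AUTH not in ekus:
        return False, "serverAuth missing"
    return (False, "prohibited EKU: " + ", ".join(bad)) if bad else (True, "ok")

CASES = {  # constructed hex DER EKU values, named after the PR's testcases
    "ee-serverauth-with-additional": "301406082b0601050507030106082b06010505070302",
    "ee-clientauth-only": "300a06082b06010505070302",
    "ee-codesigning-with-serverauth": "301406082b0601050507030106082b06010505070303",
    "ee-precertificate-with-serverauth": "301606082b06010505070301060a2b06010401d679020404",
}
```

Calling `check_subscriber_eku(bytes.fromhex(CASES[name]))` for each name gives the accept/reject outcome the PR description states for that testcase.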

jvdprng commented Dec 31, 2025

Since the bot cannot run when the PR comes from a fork, here is a copy from our fork for informational purposes:

New testcases

There are new testcases in this change.

openssl-3.5.4

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

pyca-cryptography-46.0.3

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-clientauth-only | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |
| webpki::eku::ee-precertificate-only | FAILURE | SKIPPED | testcase skipped (explicit unsupported feature) |

rust-webpki

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | RequiredEkuNotFound |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | RequiredEkuNotFound |

openssl-3.6.0

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

gnutls-certtool-3.8.3

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-clientauth-only | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SKIPPED | custom EKUs not yet supported |
| webpki::eku::ee-precertificate-only | FAILURE | SKIPPED | custom EKUs not yet supported |

certvalidator-0.11.1

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | The X.509 certificate provided is not valid for securing TLS connections |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | The X.509 certificate provided is not valid for securing TLS connections |

gocryptox509-go1.25.4

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | validation: chain built |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | validation: chain built |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | validation: chain built |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | validation: chain built |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | validation: chain built |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | |

openssl-3.2.6

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

openssl-3.0.18

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

openssl-3.4.3

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

rustls-webpki

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | RequiredEkuNotFoundContext(RequiredEkuNotFoundContext { required: KeyPurposeId(1.3.6.1.5.5.7.3.1), present: [KeyPurposeId(1.3.6.1.5.5.7.3.2)] }) |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | RequiredEkuNotFoundContext(RequiredEkuNotFoundContext { required: KeyPurposeId(1.3.6.1.5.5.7.3.1), present: [KeyPurposeId(1.3.6.1.4.1.22137.2.4.4)] }) |

openssl-3.3.5

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsuitable certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsuitable certificate purpose |

openssl-1.1

| Testcase | Expected Result | Actual Result | Context |
|---|---|---|---|
| webpki::eku::ee-serverauth-with-additional | SUCCESS | SUCCESS | None |
| webpki::eku::ee-codesigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-emailprotection-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-ocspsigning-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-clientauth-only | FAILURE | FAILURE | unsupported certificate purpose |
| webpki::eku::ee-precertificate-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-timestamping-with-serverauth | FAILURE | SUCCESS | None |
| webpki::eku::ee-precertificate-only | FAILURE | FAILURE | unsupported certificate purpose |
