Require intermediate CAs to have basicConstraints CA:true.

                ret = 1;

            break;

        default:

            /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */

            if ((ret == 0)

                || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)

                || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)

                    && (ret != 1))) {

                ret = 0;

                ctx->error = X509_V_ERR_INVALID_CA;

-----BEGIN CERTIFICATE-----

MIIC6zCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290

IENBMCAXDTE2MDMzMDAwMDE1N1oYDzIxMTYwMzMxMDAwMTU3WjANMQswCQYDVQQD

DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd

j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz

n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W

l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l

YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc

ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9

CLNNsUcCAwEAAaNPME0wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G

A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAsGA1UdDwQEAwIBBjANBgkq

hkiG9w0BAQsFAAOCAQEAPo7bKKFLbwT3x7dw+OPZMDxwyG1pk5x+5SD7iv45mOzS

5lZ2ByaOH+jnjTfG6beNmTCbfq6RcHqTvD6LXYex5z9KliIL9Fpwh507uGDXmKDN

lM0zmbYhXiWGRwP5NkbB/EppbiSk42l5/ky4gmCH/a9kQfiBW+Gwe3aBwRX6v+5p

BLwH12YrM46DdEL4RHd2H/9rjSaX4X3aaZd9kZsf/yaOU65iQX15cNDfxkKncYQK

K+xjT2S/NLcwslkPzQLCWeWZVBV4Vd+TEjjZA1tFpu5e1oNlJYvGbqjIuUurpoxv

IhsVUfWJEf7KjpFy+kgPyijNYRUBFrMspdb6x771RQ==

-----END CERTIFICATE-----

	    -set_serial 2 -days "${DAYS}"

}

gen_nonbc_ca() {

    local cn=$1; shift

    local key=$1; shift

    local cert=$1; shift

    local cakey=$1; shift

    local cacert=$1; shift

    local skid="subjectKeyIdentifier = hash"

    local akid="authorityKeyIdentifier = keyid"

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")

    exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")

    for eku in "$@"

    do

        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")

    done

    csr=$(req "$key" "$cn") || return 1

    echo "$csr" |

        cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \

	    -set_serial 2 -days "${DAYS}"

}

genee() {

    local OPTIND=1

    local purpose=serverAuth

#

./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert

./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert

./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert

./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert

./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert

./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2

    run(app([@args]));

}

plan tests => 81;

plan tests => 83;

# Canonical success

ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),

# CA variants

ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),

   "fail non-CA untrusted intermediate");

ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),

   "fail non-CA untrusted intermediate");

ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),

   "fail non-CA trusted intermediate");

   "fail non-CA trust-store intermediate");

ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),

   "fail non-CA trust-store intermediate");

ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),

   "fail non-CA server trust intermediate");

ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),