Add tests for client certificate edge cases

- client_cert_no_cn: Tests certificate without Common Name field,
  covering the cn_size == 0 branch in get_client_cert_cn()
- client_cert_untrusted: Tests certificate not in trust store,
  covering the status != 0 branch in is_client_cert_verified()

Also adds the new test certificate files to configure.ac.

Author: etr

configure.ac

@@ -302,6 +302,10 @@ AC_CONFIG_FILES([test/key.pem:test/key.pem])
 AC_CONFIG_FILES([test/test_root_ca.pem:test/test_root_ca.pem])
 AC_CONFIG_FILES([test/client_cert.pem:test/client_cert.pem])
 AC_CONFIG_FILES([test/client_key.pem:test/client_key.pem])
+AC_CONFIG_FILES([test/client_cert_no_cn.pem:test/client_cert_no_cn.pem])
+AC_CONFIG_FILES([test/client_key_no_cn.pem:test/client_key_no_cn.pem])
+AC_CONFIG_FILES([test/client_cert_untrusted.pem:test/client_cert_untrusted.pem])
+AC_CONFIG_FILES([test/client_key_untrusted.pem:test/client_key_untrusted.pem])
 AC_CONFIG_FILES([test/libhttpserver.supp:test/libhttpserver.supp])
 AC_CONFIG_FILES([examples/cert.pem:examples/cert.pem])
 AC_CONFIG_FILES([examples/key.pem:examples/key.pem])

test/client_cert_no_cn.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUZxrdiFzIPZz71PW6KGhQgzUJYY0wDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UECgwTVGVzdCBPcmcgV2l0aG91dCBDTjAeFw0yNjAyMDUwMDAy
+NTFaFw0zNjAyMDMwMDAyNTFaMB4xHDAaBgNVBAoME1Rlc3QgT3JnIFdpdGhvdXQg
+Q04wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClSmDXcECe5ID3F/yb
+PB7XrT2jGZq51MLnfv+WSRrj4ORuae03VhrCUw1oqodxZgwU89xtjkfLX8iItH3E
+20RfhVj/GBZuHw+7iGyNP5dHiSiYq5bfNFbpNI/yO3/NEKflALQ0DZDjeGaZhv08
+wWDRkea//oFJfGeJM6IRcmXv0MG7woZohkQfobfvnj8plMl0PAkHGEcnZFhauvjB
+d4d/TcmZhuDfRychP2HRy4UhqKuisa0wvLvE7KN4OZsegRYIIVKMDWl6odquzyD7
+KE6POT+BTv7WoCP3UWlYJtX27kx8iJMFNWGUv2DGllBY4Q9o1rhJr5pFBtd873Xh
+wE29AgMBAAGjUzBRMB0GA1UdDgQWBBQdtRld75yAChAw/rcfqtTB0Prq/TAfBgNV
+HSMEGDAWgBQdtRld75yAChAw/rcfqtTB0Prq/TAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQB9ynRcMBZp2jkekBsvtyyydp4OKWBwXhiLX5jJWMKL
+GqEm9quqM7iH+W7trxRz1GHrqkHRz37TUp8jU9mnDZ7aaXIbhBu4RMnao36O3R6d
+lA43mN+4ZTUecsJAY9hR4X3+oLLndrLlmte8NkpwKNIuo32XEfu97wXUuEP5W17s
+GJh3EGh7lrz8TS4GO4Oek/qK+6dgDhHLQcmqoRUnBj1mb+0ffcsWTyWFRD9W2oyW
+L1S1t/Q6L4sJEIzvU1qUtO5kiWBsd3uq5oZibKYdU1nYs9nucFE8Fers+qafqbKR
+wHHH4vsiZVIU1n7yqG4kLi5uL4KO5XcYJmjANB0lEM8r
+-----END CERTIFICATE-----

test/client_cert_untrusted.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAi+gAwIBAgIUGKzbXdmC0G8pSeYuFwMoWQCHYuEwDQYJKoZIhvcNAQEL
+BQAwMzEZMBcGA1UEAwwQVW50cnVzdGVkIENsaWVudDEWMBQGA1UECgwNVW50cnVz
+dGVkIE9yZzAeFw0yNjAyMDUwMDAyNTdaFw0zNjAyMDMwMDAyNTdaMDMxGTAXBgNV
+BAMMEFVudHJ1c3RlZCBDbGllbnQxFjAUBgNVBAoMDVVudHJ1c3RlZCBPcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCT9JwyKk5xPhz5aHlYkN1u4jCm
+SeIavIicQCbYgcmCwFgdH0i+fP1s2MrcZgeEoiqN4VK8zmxtpj1QME0KGAImwn9k
+ffROftIQ0pdebIvImD/QWmR+bNCXQYWmyX6c52ESKPrCSVPstHj1r2pOCHA0j/s0
+4V1gMNI/snv4CxZ+H+JGBikE+ycvZYTgZa3HiAjm9rtQu1zU5blwuZ2NhUumkdfB
+cc/oC+6yxUiPaD84poLefmF9vdqmGKEIWxWQB+Ijvll1iieEf47lOqxokLWWWsxH
+bfWOGagzdQJKHzeDj76KjfTbSTsMsIyCxAbJU2K53ccCLlQYYHzn1h1zaQntAgMB
+AAGjUzBRMB0GA1UdDgQWBBS3oS6d4JFK/ZrF4uDyAxqP8BDJCDAfBgNVHSMEGDAW
+gBS3oS6d4JFK/ZrF4uDyAxqP8BDJCDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBrltJfDg26jzDEsWoqJM7/xuYM5EVebbIiFUQgM7AWPtFGewbM
+cb9TPPHRMx3izv2E95JWaQ0YXSuxkGISkJQEisTPzssIDQfrpcAyZdMgR5XSWKVC
+t8ychNwE7rKdJfRGMoXrqAD4R1h0NQpl0V86rwieA23voBOK/5xE6ja0JIsso8YG
+mQpqxPROxtpJ4J59BnwQnhhZ66GQ+HpqTN1cc8Pl0kqVzBvwnkeiz6/6h4qX6dVQ
+eI0OA9LARB1uYqK9sTdZ2KA45rJLXDsOeWB/WAs0ZOSMQSO5qkFYA1FkPpwc+mcR
+ckU7IZOyPFf4Xr98Jbaf+LFcq8WsCA10xzJ2
+-----END CERTIFICATE-----

test/client_key_no_cn.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClSmDXcECe5ID3
+F/ybPB7XrT2jGZq51MLnfv+WSRrj4ORuae03VhrCUw1oqodxZgwU89xtjkfLX8iI
+tH3E20RfhVj/GBZuHw+7iGyNP5dHiSiYq5bfNFbpNI/yO3/NEKflALQ0DZDjeGaZ
+hv08wWDRkea//oFJfGeJM6IRcmXv0MG7woZohkQfobfvnj8plMl0PAkHGEcnZFha
+uvjBd4d/TcmZhuDfRychP2HRy4UhqKuisa0wvLvE7KN4OZsegRYIIVKMDWl6odqu
+zyD7KE6POT+BTv7WoCP3UWlYJtX27kx8iJMFNWGUv2DGllBY4Q9o1rhJr5pFBtd8
+73XhwE29AgMBAAECggEAGBo28eNkAOd4KM/eHXLQWongDYr7xXJRc3lQ4sTJP4Z5
+OOKIXUPYhhKfR25qbq4/P8TplS4kqPLQJqMPHegNWdJzjksgZjFwVVvI3HXz5NIK
+0exfhS+4Jqxr+xoTAj+WA+4s2NRLluflKikFf1kBeb3JRKDjkGgsHtUhImMomyX9
+Q9GaElwM6AQTKRxChlmglxnErgYip59l/ECaGiU/sSMK5vmqiOLeBk7r++xjOFcH
+9JbBDVKJT+0urwYn8Istwe7UnoYStPUwIVjBlcvI1d+5k3OuLsJ0QJ8ThXBIN9Pn
+wMBHsR/vkC06I1eS4htaJEdrCS/R+MQUXHaP9f6o3wKBgQDPE6kh4fBj44L7SAi+
+ooKwJrNOE20IVR7LSPQ1ZfWoQVSkqv/hpZyN+zlFOpLepLNVpzR3/XXAUg1LRJSU
+lvN+fRSjGQO2uNgt/APs5+wsZvwtuQHfPgh4zcNtr5GqxLVhH7V5YgEZ02SWSlmx
+c9x+ETQ6zhV05sRfYh44DZKK1wKBgQDMV2rKhbK7oI/3HVU/TyWFkvWJK/t79Uuu
+wFoPpKf0oqnImzOGb8EMi/ecjEgktRKUnBB/hY3tQIZCB3LaOujIp/OVY3Saa1Gb
+s1G1QlTvhgWbLHEHeZvA4qolmEYnNxgupmWounrICk3bd5Hr0zX8K2fzKPAlDs4O
+65r/bK4NiwKBgQC0vNNFWH/Jn3zmN8QyJ4NrnguoHLpwqGK9SYqkxL46QfNP2lSG
+LVdMcTZWXz5rh1NjchIQnK/W0Yb65/vLCUmzYBbQF/gu1n0Q/cKrVu3C/4whmDWz
+FOCuF+H37WJ1q0UoZVWugUS2ttQ3fON2R8ruWbO9k7wUkYpaOjhn8iiydwKBgGSw
+9tiRBT/boNVeSPGHaK/neMJ9P9EXUJHuCvMGahTsSsmlYMBwNSqflgY4QhyEdYFx
+XdfY0dUFJKNI1FmhCbBGworslTq6g148AJlW9E+LNRv/zDqovA1SJBGedYNBbNMf
+/5wjN/l2ymLJCsiwLTvzj6eMlrlMEFHd22TeAu59AoGAVWK/s5loFUk0XUrkRC6m
+Ys28G2jTHsgwPvfIBRIsoiN1j4w2rrMw/79tpBscCQK6v5Z7jCiahOz1Xe8fNkId
+Z8oiErDKKOiUY86umg421mhuwzBU+gXsiHuBYrdH3e3aw+fGYyMNpbFdRvJVy2lv
+pm+6ev0dkUX/fjUl3UNydW8=
+-----END PRIVATE KEY-----

test/client_key_untrusted.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCT9JwyKk5xPhz5
+aHlYkN1u4jCmSeIavIicQCbYgcmCwFgdH0i+fP1s2MrcZgeEoiqN4VK8zmxtpj1Q
+ME0KGAImwn9kffROftIQ0pdebIvImD/QWmR+bNCXQYWmyX6c52ESKPrCSVPstHj1
+r2pOCHA0j/s04V1gMNI/snv4CxZ+H+JGBikE+ycvZYTgZa3HiAjm9rtQu1zU5blw
+uZ2NhUumkdfBcc/oC+6yxUiPaD84poLefmF9vdqmGKEIWxWQB+Ijvll1iieEf47l
+OqxokLWWWsxHbfWOGagzdQJKHzeDj76KjfTbSTsMsIyCxAbJU2K53ccCLlQYYHzn
+1h1zaQntAgMBAAECggEACwdw8qG0tzxUwe1yc5JY71XCdU2MopxAkrqK1W4srKfU
+lFcrVQfRhwuiE6EyGPD9uxXQ1ReOKEj8HmjQqq/0zm7b5Yx+FFvfzOE7PLlasi6n
+Pct/MkK/nzGDL6uq2dy69QpDpw1QSZTVGiYOsUJvxXtLfpBOJZ1+DsF/UZOCBGS+
+9/xC7gU3bGDhjAgzgPBhyO+WVPLORvV6/mRVQalB7MiH/kgZDKZi0dZ50qgCyc95
+CUnrf7Mck0c782SN7rN3W4ZAKWb8YaWCtGUGYpwk7E/eIw23eCNQZjeLB21w4uge
+7rCSRzEFy1DeLgWWSPnNfHO59fJ3ii31aHQWRu1YAQKBgQDQ7JJ/S+FWMEkso7A1
+qNraAzyyFYXMeV79/VSbFWO1dT0+mxfG9LekAGzF7BLOwW7mKM+iJqWaSg1Up9GU
+FDINV8R4s1+0syKdBLNrd02qGYkqaSs1A75q2n2ExvJsBwNXcUtHjcUIL3ui56aH
+RpMX3GomYCC6ormw4nFENWTlJQKBgQC1SytEA5LS3okrZzzCilnBr2SOBjBdQrxK
+D2CgVqwE0/8blmqy5w/ZE/Rn44RirQmhAG1g7qS+WQy8cvTBUCnqXov9kAtnL7oP
+0iZFA5Mjo2o80wT+1haZolUMqHXchC5nBXGUBcwulZdZdFmjo3H64vpHQLQE9D7a
+f06OmpzLKQKBgCpv41H4F81qAXMPzLsZkVq3TZzewk7GWIU+7/CQZ7B0H/yXhDzl
+eGfXrkCFs0xL/jrCD2rgbsLoR8zqSafKcmBDc6UQyl/qAx3h1o/9q8jhZvs2YZBj
+MkqCFvzhbFyFECiy2peuNFd1TafJZgoUS8yM+QLSg9NlOlKzrE4uilABAoGAOTv7
+8sL2DWB4CZ3UDs7Cu2T15+iISEkTTIZCSRxTvkp3VWxNTyGnXS7xkALB/q0GRy/t
+WBa/J+DRJoVcQ9NdCELFC034a6Ejqm776fnQ8AVdOsqb3yATjnkzRIXCf9WzGI8d
+Zk/WQDa1y2XyDrlA+KXDwc7phk7dsPlUAa1KJtECgYBW8MlkBt76OEg+J0ZMgBVU
+ze4fuCAEtFbetd7DjsId4rSqsawWaJZX0ZRo8gZsLUrNM3hcZfZTELF2uL5eNhMu
+t/ig52WfLVHwmtVAdIIbDdyKFO/4mY84IbWjAmYI08SvBb+Mk5KTJR80B8idVM3D
+Yge1bloM2atDhO63yM1LwA==
+-----END PRIVATE KEY-----

test/integ/ws_start_stop.cpp

@@ -1134,6 +1134,86 @@ LT_BEGIN_AUTO_TEST(ws_start_stop_suite, client_cert_fingerprint)
     ws.stop();
 LT_END_AUTO_TEST(client_cert_fingerprint)
 
+// Test client certificate without CN field (covers cn_size == 0 branch)
+LT_BEGIN_AUTO_TEST(ws_start_stop_suite, client_cert_no_cn)
+    int port = PORT + 51;
+    httpserver::webserver ws = httpserver::create_webserver(port)
+        .use_ssl()
+        .https_mem_key(ROOT "/key.pem")
+        .https_mem_cert(ROOT "/cert.pem")
+        .https_mem_trust(ROOT "/client_cert_no_cn.pem");
+    client_cert_info_resource cert_info;
+    LT_ASSERT_EQ(true, ws.register_resource("cert_info", &cert_info));
+    try {
+        ws.start(false);
+    } catch (const std::exception& e) {
+        LT_CHECK_EQ(1, 1);
+        return;
+    }
+    curl_global_init(CURL_GLOBAL_ALL);
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    std::string url = "https://localhost:" + std::to_string(port) + "/cert_info";
+    curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+    curl_easy_setopt(curl, CURLOPT_SSLCERT, ROOT "/client_cert_no_cn.pem");
+    curl_easy_setopt(curl, CURLOPT_SSLKEY, ROOT "/client_key_no_cn.pem");
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    // Certificate has no CN, so CN should be empty but other fields should work
+    LT_CHECK_NEQ(s.find("HAS_CLIENT_CERT"), std::string::npos);
+    LT_CHECK_NEQ(s.find("CN:"), std::string::npos);  // CN field present but empty
+    // DN should contain "O=Test Org Without CN"
+    LT_CHECK_NEQ(s.find("Test Org Without CN"), std::string::npos);
+    curl_easy_cleanup(curl);
+    ws.stop();
+LT_END_AUTO_TEST(client_cert_no_cn)
+
+// Test client certificate that fails verification (covers status != 0 branch)
+LT_BEGIN_AUTO_TEST(ws_start_stop_suite, client_cert_untrusted)
+    int port = PORT + 52;
+    // Don't add untrusted cert to trust store - verification should fail
+    httpserver::webserver ws = httpserver::create_webserver(port)
+        .use_ssl()
+        .https_mem_key(ROOT "/key.pem")
+        .https_mem_cert(ROOT "/cert.pem")
+        .https_mem_trust(ROOT "/client_cert.pem");  // Only trust the original client cert
+    client_cert_info_resource cert_info;
+    LT_ASSERT_EQ(true, ws.register_resource("cert_info", &cert_info));
+    try {
+        ws.start(false);
+    } catch (const std::exception& e) {
+        LT_CHECK_EQ(1, 1);
+        return;
+    }
+    curl_global_init(CURL_GLOBAL_ALL);
+    std::string s;
+    CURL *curl = curl_easy_init();
+    CURLcode res;
+    std::string url = "https://localhost:" + std::to_string(port) + "/cert_info";
+    curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+    // Use the untrusted certificate
+    curl_easy_setopt(curl, CURLOPT_SSLCERT, ROOT "/client_cert_untrusted.pem");
+    curl_easy_setopt(curl, CURLOPT_SSLKEY, ROOT "/client_key_untrusted.pem");
+    res = curl_easy_perform(curl);
+    LT_ASSERT_EQ(res, 0);
+    // Certificate is present but should NOT be verified (untrusted)
+    LT_CHECK_NEQ(s.find("HAS_CLIENT_CERT"), std::string::npos);
+    LT_CHECK_NEQ(s.find("VERIFIED:no"), std::string::npos);
+    curl_easy_cleanup(curl);
+    ws.stop();
+LT_END_AUTO_TEST(client_cert_untrusted)
+
 // Test SNI callback configuration
 LT_BEGIN_AUTO_TEST(ws_start_stop_suite, sni_callback_setup)
     int port = PORT + 50;