fix: pass an empty string to host verify without usable identifiers (a…

…ws#3793)

tests/pems/gen_self_signed_cert.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License").
@@ -21,7 +21,9 @@ usage() {
 Options:
 --user-type Server or client depending on intended usage of the cert
 --hash-alg The type of hash algorithm to use to sign the cert in openssl format, ex; sha256
---san A DNS type subject alternative name to add to the cert. Can be repeated.
+--dns A DNS type subject alternative name to add to the cert. Can be repeated.
+--ip An IP type subject alternative name to add to the cert. Can be repeated.
+--uri A URI type subject alternative name to add to the cert. Can be repeated.
 --cn  The CN to add to the cert
 --key-type The type of key for the generated certificate to have. Either rsa or ecdsa.
 --rsa-key-size Size of rsa key for generated certificate.
@@ -31,8 +33,20 @@ Options:
     exit 0;
 }
 
+GETOPT="getopt"
+
+# use gnu-getopt on macos
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    GETOPT="/usr/local/opt/gnu-getopt/bin/getopt"
+
+    if ! [ -x "$(command -v $GETOPT)" ]; then
+      echo 'Error: getopt is not installed. Install with `brew install gnu-getopt`' >&2
+      exit 1
+    fi
+fi
+
 # This only works with gnu getopt.
-PARSED_OPTS=`getopt -o vdn: --long help,user-type:,rsa-key-size:,curve-name:,hash-alg:,san:,cn:,key-type:,prefix: -n 'parse-options' -- "$@"`
+PARSED_OPTS=`$GETOPT -o vdn: --long help,user-type:,rsa-key-size:,curve-name:,hash-alg:,ip:,uri:,dns:,cn:,key-type:,prefix: -n 'parse-options' -- "$@"`
 eval set -- "$PARSED_OPTS"
 
 USER_TYPE="server"
@@ -47,10 +61,10 @@ PREFIX=
 while true; do
   case "$1" in
     --help ) usage ;;
-    # Will be picked up in "cert_config.cfg"
     --cn ) CN="$2" ; shift 2 ;;
-    # Will be picked up in "cert_config.cfg"
-    --san ) SANS="$SANS""DNS:$2,"  ; shift 2 ;;
+    --dns ) SANS="$SANS""DNS:$2,"  ; shift 2 ;;
+    --ip ) SANS="$SANS""IP:$2,"  ; shift 2 ;;
+    --uri ) SANS="$SANS""URI:$2,"  ; shift 2 ;;
     --hash-alg )    HASH_ALG="$2" ; shift 2 ;;
     --key-type ) KEY_TYPE="$2" ; shift 2 ;;
     --rsa-key-size ) RSA_KEY_SIZE="$2" ; shift 2 ;;
@@ -85,16 +99,51 @@ else
     usage ;
 fi
 
-export CN;
-export SANS;
-export KEY_USAGE;
+config="""
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+C = US
+ST = WA
+L = Seattle
+O = Amazon
+OU = s2n
+"""
+
+if [[ ! -z "$CN" ]]; then
+    config+="CN = $CN"
+fi
+
+config+="""
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = $KEY_USAGE
+"""
+
+if [[ ! -z "$SANS" ]]; then
+    config+="subjectAltName = $SANS"
+fi
+
+cert_conf_path=$(mktemp)
+echo "$config" > $cert_conf_path
+
+# append an underscore if there's a prefix
+if [[ ! -z "$PREFIX" ]]; then
+  PREFIX="${PREFIX}_"
+fi
+
 if [ "$KEY_TYPE" == "rsa" ]; then
-    openssl req -x509 -config cert_config.cfg -newkey rsa:${RSA_KEY_SIZE} -${HASH_ALG} -nodes -keyout ${PREFIX}_rsa_key.pem -out ${PREFIX}_rsa_cert.pem -days 36500
+    openssl req -x509 -config "$cert_conf_path" -newkey rsa:${RSA_KEY_SIZE} -${HASH_ALG} -nodes -keyout ${PREFIX}rsa_key.pem -out ${PREFIX}rsa_cert.pem -days 36500
 elif [ "$KEY_TYPE" == "ecdsa" ]; then
-    openssl ecparam -out "${PREFIX}_ecdsa_key.pem" -name "$CURVE_NAME" -genkey
-    openssl req -new -config cert_config.cfg -days 36500 -nodes -x509 -key "${PREFIX}_ecdsa_key.pem" -out "${PREFIX}_ecdsa_cert.pem"
+    openssl ecparam -out "${PREFIX}ecdsa_key.pem" -name "$CURVE_NAME" -genkey
+    openssl req -new -config "$cert_conf_path" -days 36500 -nodes -x509 -key "${PREFIX}ecdsa_key.pem" -out "${PREFIX}ecdsa_cert.pem"
 else
     echo "Incorrect key-type: $KEY_TYPE"
     usage ;
 fi
 
+rm $cert_conf_path
+

tests/pems/sni/generate.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+#  http://aws.amazon.com/apache2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+#
+
+set -eu
+
+cd $(dirname $0)
+
+../gen_self_signed_cert.sh --cn '' --prefix 'without_cn'
+../gen_self_signed_cert.sh --ip '::1' --prefix 'ip_v6_lo'
+

tests/pems/sni/ip_v6_lo_rsa_cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiDCCAnCgAwIBAgIJAOD5lU/xxwjXMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+QW1hem9uMQwwCgYDVQQLDANzMm4xFDASBgNVBAMMC3MyblRlc3RDZXJ0MCAXDTIy
+MTIyMTIzMDIxMloYDzIxMjIxMTI3MjMwMjEyWjBhMQswCQYDVQQGEwJVUzELMAkG
+A1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDzANBgNVBAoMBkFtYXpvbjEMMAoG
+A1UECwwDczJuMRQwEgYDVQQDDAtzMm5UZXN0Q2VydDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKh7GiAitQtr5CUs2p2jV4HRr7nTpkUD+4Wdn319D5sa
+GdE+SfuTJTYgjfBYO9x9r1Ap7/kZyW45BmedbPYoAxuTJpUzMv2w0FXdARnULBOv
+xfScP0GrO9wrF17qJ8p2LpfLj2pMK3ahlgctTq4uOtvneycg3jVDns29pg+7Zs8s
+mPmvybBDxmznYxIDVQN4HskW7NbVdfXOg1jaMh5CF4Txi1wkfL92n4L6PpkirpQG
+RmnaDoXDDX70olE+F+Ug+B62USG+XcLR2pPtWiY2YCWSKuOM/w7pkwnQPNnOQ73I
+EmcdqkgIC/9jG0Wr9hnURL52lkoUentprAkQs/QEq+sCAwEAAaNBMD8wCwYDVR0P
+BAQDAgSwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGA1UdEQQUMBKHEAAAAAAAAAAA
+AAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggEBAE3NMXUBDol52gU7CQmJK+LHgwkx
+97WqfZ8S0xLvfbdD8yR9oKJv/x68K2vYOwNyr+CJxCn0bKNE9YmnF6pp1/+ignKh
+RCmwna0Zd+ILV4V2hgGfDnkPREbs6HcOKMQwmQW1EVQkwq6+wJEDvd8AIUn/Ud+k
+Wu6tfj+UKNbBU81O1iFb80NN+zWh/jUMiH5Ma/suU51S+s6onjZSSpVrcbyV4RTF
+5ELs+yMukcx2gPzMiiK6cay5vNBQJBLUA3stL/OEzEvvljzTqPpG73wDisWKu5Ty
+3YVQg6j4QSgNd6HPhaHzoL8iu+GiefkEXkIvf5pDbX8RB5UkrFOhzn7b1ZI=
+-----END CERTIFICATE-----

tests/pems/sni/ip_v6_lo_rsa_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCoexogIrULa+Ql
+LNqdo1eB0a+506ZFA/uFnZ99fQ+bGhnRPkn7kyU2II3wWDvcfa9QKe/5GcluOQZn
+nWz2KAMbkyaVMzL9sNBV3QEZ1CwTr8X0nD9BqzvcKxde6ifKdi6Xy49qTCt2oZYH
+LU6uLjrb53snIN41Q57NvaYPu2bPLJj5r8mwQ8Zs52MSA1UDeB7JFuzW1XX1zoNY
+2jIeQheE8YtcJHy/dp+C+j6ZIq6UBkZp2g6Fww1+9KJRPhflIPgetlEhvl3C0dqT
+7VomNmAlkirjjP8O6ZMJ0DzZzkO9yBJnHapICAv/YxtFq/YZ1ES+dpZKFHp7aawJ
+ELP0BKvrAgMBAAECggEAJUqqK7bC7/Y/l2LoOMAw3FE3XiBUyy3ofFi5NqN50tDi
+Kghpg7+8GtD12d8N0O4Y4duGfFKS3UzN+B1GQu30UiQuBBRDExgR5Q938Omfn/Pm
+ExCKh9SI+WCoWZ/mks+53Gt4IQUfEbEObiQ/KBqfeJEyFyUVSiDfg5aYrR7D0NMo
+E9WqGBW6C195TG+1uKpOzd0bu3FfoB8jjggLL898Np7tQJ76m2MuWr2OkHK7M5OL
+ySmut2Qi4Vw4wFEnDGOLKRHRCr7RT+ckReFQj9bJ+83G+3YYP2oFX+en6BSfiw7a
+0cRza87SdPH1WMFC42Gyd4GoO1OeqCFgCKZRQvTPQQKBgQDfNMyTRjsezr8V19BT
+4TBKMa/aed1xRLv2zdfPwbk39a7uJqQuwrPx9CdLrVAyxA1XzcfuRDaRvpbyL8oM
+TfrlpAKlDVuhfHPY9HXOKyPiF/TgVxn5Pq7J9qLxn4s4i5wUSTPISeaEDyfRd2KR
+cdMFnG5YRKn8KG3zRFJA56/L0QKBgQDBO/rcqVuG4RYu3+UanF43oNQAY01zUUQu
+Nk5+4gvtCmwWvX3Y+bqQgsosK7hM5h/6/Gb6parwV5a5VVb5CHAGU6XDgY7RnbdW
+NXIjhTIn4sUFNLhrVSYNjMmxTrlcl/UuNsZRqfJD7XigjNZw9pAXVVmag5DKJNDe
+rPvUjD32+wKBgBwOmQCSPXA78M0gGbHRhq5s3HwMAYfxaec2LMCSy2N7YIfTF6RB
+GTl6xU2/9WrMNhkpZs5OiMV9PaAn3a/6RWWEXki9Cx2bdTx6TiyiQ5pyBHgGut8X
+wATnGchhk7CB7BaotPeiQnWrKggsh5lcw3fbGAvEZdGqi1ee6O/7r59hAoGBAImL
+ISiaYCzk4P5inlhPv3zHPMA97u5LhUWDoGIOksCab4/MN90O/S5J+pBwWlJaZ58m
+tEJrU/6Zyg6H4U2IJP1L4y0Ddl5cbhiuGF2SPL5JW0Y2XaMAzAJPGW3dBHIVNA8+
+K/ILDwgs63UUarujtbL2LL6gMZrBk+88oFCNtrmrAoGBAMSdMY3VNIwI1olii3Bj
+jMmmFgn15g54FUMxeOO37x/eMpuW3PS4CwGJJ+/wRcMYojyid83eWQfATWlZgm6y
+VAxG7MMMeodMFtE+GVetGQZuHZe5i8+0BPePq/KZAsqvgRqAkrGtpqyq86FCsT2d
+NbFPHRgRax+frX+ELvWJn5H7
+-----END PRIVATE KEY-----

tests/pems/sni/without_cn_rsa_cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIJAK7pb6YIFqitMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+QW1hem9uMQwwCgYDVQQLDANzMm4wIBcNMjIxMjIxMjMwMjEyWhgPMjEyMjExMjcy
+MzAyMTJaMEsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2Vh
+dHRsZTEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANzMm4wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCh8QY5c2ezpzQrkH854LGp6ysFmySZ1rapG3Zs
+8CtqgfnFUjjjyZrcTr0uwy/aEV4AePsxNxbdB80xgtZS+LHl0tmDjgSR62VnrbRJ
+oXCqVEtPY6vs9OFn3dW8nZ5CbkgmHYo58y0lPQvD/WGi1yP/B88oNUIHEYYEnh2j
+XU6EpwzxdNSm1qety7pDbzeY7MLlZsWgOOy88GndMc8A2cIiu63yz4z/6ogKMzZk
+cI3muy2/xjTxK6PTgxik6c/34bE459Gf08KcA4xjqvm/eMNBEzq8NX6NxDZpfz8A
+eh6M7C06PusUJ9Ye9c1yK5NP9Y8X3un7TV0JxuoY1nyCmG4zAgMBAAGjJDAiMAsG
+A1UdDwQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC
+AQEAisRRtBZwo5ftcnPvmeSGcinzjQsRJDOxT7F/Zi54RyWPGrbkJqQCkh7OL5Jt
+6DpHGE4yzSg1nS0yrCLhRAjdcRRRp//2gDobrdnbgl1Nh3CLoFy5/d+0gg7HrthA
+jjTZtqapx54Nye/RUumyD3TZ0Y4TNob8jLUMUshoym3Ua/WY56PCRTVYTO7i/0lG
+Fs9YxOblVqf9rg4eO56092IgGssjuEqWz1ugulE6s0vfUJJFnwKv08ouGdsPTflM
+dMyL4jZx3QoloXMotMIPpWKo/grSyQOUdxTEj8z4UPu/PgB7jQ3WqVp1YDXE4Lrn
+X/pwdBF99AAYgQqpbODByUi8yA==
+-----END CERTIFICATE-----

tests/pems/sni/without_cn_rsa_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCh8QY5c2ezpzQr
+kH854LGp6ysFmySZ1rapG3Zs8CtqgfnFUjjjyZrcTr0uwy/aEV4AePsxNxbdB80x
+gtZS+LHl0tmDjgSR62VnrbRJoXCqVEtPY6vs9OFn3dW8nZ5CbkgmHYo58y0lPQvD
+/WGi1yP/B88oNUIHEYYEnh2jXU6EpwzxdNSm1qety7pDbzeY7MLlZsWgOOy88Gnd
+Mc8A2cIiu63yz4z/6ogKMzZkcI3muy2/xjTxK6PTgxik6c/34bE459Gf08KcA4xj
+qvm/eMNBEzq8NX6NxDZpfz8Aeh6M7C06PusUJ9Ye9c1yK5NP9Y8X3un7TV0JxuoY
+1nyCmG4zAgMBAAECggEABH1jN8qMUH3NQ3vxGxCwvE5J1hD0FdPPIqchRGnwOja6
+Tw81hpM7WOpR8m70763VllvEUxv85UnnFX1UJd7BR+btoukYFVeaayJ0winYrtBB
+ekUAKkSrzy5mU6FnFt5p36yn/W1RjhvALMHkqBgg5lw4ERxQ5VNGDPC5T6Mxnxnb
+RqxqQB2fBSaFugSLWv+6Lo7wK2AqLdoVVDL8F39g7/qbIw1Ld27U+QndCk76DxyO
+eNIg+IyjGeKm+bpyXbkfEdCtjxdd4fKFrPqNlFwKGnvBzD5vsp/ndMvN8FPEwogj
+NhdfRUl+HcvZnONj4rRuAsSDGSUv9OsPoTJNNofpoQKBgQDMhf8npdIainuKDEL4
+qEkZcpSbljbdCIbtIDbi3mYpXGgsiUYkSU9AKNvwsll+198pBP8sS9OzmCloN0mG
+qMFwGobRFQiQboAdeKrUf8eCthJvrOp8n8j1ImdPDZzwXdaiBrLfsYJbMnWQYyI+
+hECM9vytxZKIkAvvXJR8uJDIQwKBgQDKs1ufHy/JMJ8a3WMABptS5p3uieP5KOR1
+y3KjpfpeZSziiOUOcK6qqdpKUiP4FIydQxNtJZwt3mWLLeI115TNCG92FAhYvOJO
+cTzumF3rgv3vjO9vrPIV7OLbyFsgDWzux4q5t1sIVpjWPqhJ7wbD96tygFyzNdFx
+5LQQTA4bUQKBgARAHKdkSNOIYTzjOFkWlj5TJUd+fbFmRfeTndBlMtZVN00FpVGH
+vH/m2XtNGZMLRXYCxpLTGJk45lNmIr8Lrsl3o6mguEbYJQ13voUgCrNquUNc4pqo
+b3K4vlDkRYixSo6feQQxGjZu/AZ+KO4HrZfAYkvyOTNhWv4kfGmDJG8lAoGAWIwT
+aSaBhHz19BFkDv3T2loeAbdA3HYtnvuZ/70g6x19hxRQI4e79ZevYSoSxmuLpaNI
+mDSGzk7JwwvvNqAPQ6X8svM7VjBlF+lFueDbnmchsQS7D+jX9BYAYAxdKlpTDNgk
+VM6xOKpDp8vFTk7ZgL/vqFxEopDPBtbmhfwDaZECgYASkgjeKuForqjgv4Xx1FlF
+4pGf2Uh6ihT8OI2+XHzGSaEH5akE3XqKnaypCqrw+kQJ99Jb7pMjpYShscm5yjiZ
+1zQt1MaW63RXANviywb2sE9B4P8+CnBhKA0FA4kfMfWag3Mu1GY/DsGJZXg9/ywi
+mYyx7jTUomr6renM7bivxA==
+-----END PRIVATE KEY-----

tests/testlib/s2n_testlib.h

@@ -155,8 +155,12 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 #define S2N_OCSP_RESPONSE_WRONG_SIGNER_DER   "../pems/ocsp/ocsp_response_wrong_signer.der"
 #define S2N_OCSP_RESPONSE_CERT               "../pems/ocsp/ocsp_cert.pem"
 
-#define S2N_ALLIGATOR_SAN_CERT "../pems/sni/alligator_cert.pem"
-#define S2N_ALLIGATOR_SAN_KEY  "../pems/sni/alligator_key.pem"
+#define S2N_ALLIGATOR_SAN_CERT  "../pems/sni/alligator_cert.pem"
+#define S2N_ALLIGATOR_SAN_KEY   "../pems/sni/alligator_key.pem"
+#define S2N_IP_V6_LO_RSA_CERT   "../pems/sni/ip_v6_lo_rsa_cert.pem"
+#define S2N_IP_V6_LO_RSA_KEY    "../pems/sni/ip_v6_lo_rsa_key.pem"
+#define S2N_WITHOUT_CN_RSA_CERT "../pems/sni/without_cn_rsa_cert.pem"
+#define S2N_WITHOUT_CN_RSA_KEY  "../pems/sni/without_cn_rsa_key.pem"
 
 #define S2N_DHPARAMS_2048 "../pems/dhparams_2048.pem"
 

tests/unit/s2n_x509_validator_test.c

@@ -1365,6 +1365,70 @@ int main(int argc, char **argv)
         s2n_x509_trust_store_wipe(&trust_store);
     };
 
+    /* test validator in safe mode, with default host name validator. Connection server matches the IPv6 address on the certificate. */
+    {
+        DEFER_CLEANUP(struct s2n_x509_trust_store trust_store = { 0 }, s2n_x509_trust_store_wipe);
+        s2n_x509_trust_store_init_empty(&trust_store);
+        EXPECT_EQUAL(0, s2n_x509_trust_store_from_ca_file(&trust_store, S2N_IP_V6_LO_RSA_CERT, NULL));
+
+        DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
+        s2n_x509_validator_init(&validator, &trust_store, 1);
+
+        DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
+        EXPECT_NOT_NULL(connection);
+
+        /* the provided hostname should be an empty string */
+        struct host_verify_data verify_data = { .callback_invoked = 0, .found_name = 0, .name = "::1" };
+        EXPECT_SUCCESS(s2n_connection_set_verify_host_callback(connection, verify_host_verify_alt, &verify_data));
+
+        DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
+        EXPECT_OK(s2n_test_cert_chain_data_from_pem(
+                connection,
+                S2N_IP_V6_LO_RSA_CERT,
+                &cert_chain_stuffer));
+        uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
+        uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
+        EXPECT_NOT_NULL(chain_data);
+
+        DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
+        EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
+        s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
+        EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type, &public_key_out));
+        EXPECT_EQUAL(S2N_PKEY_TYPE_RSA, pkey_type);
+    };
+
+    /* Server matches the empty string when there are no usable identifiers in the cert. */
+    {
+        DEFER_CLEANUP(struct s2n_x509_trust_store trust_store = { 0 }, s2n_x509_trust_store_wipe);
+        s2n_x509_trust_store_init_empty(&trust_store);
+        EXPECT_EQUAL(0, s2n_x509_trust_store_from_ca_file(&trust_store, S2N_WITHOUT_CN_RSA_CERT, NULL));
+
+        DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
+        s2n_x509_validator_init(&validator, &trust_store, 1);
+
+        DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
+        EXPECT_NOT_NULL(connection);
+
+        /* the provided hostname should be an empty string */
+        struct host_verify_data verify_data = { .callback_invoked = 0, .found_name = 0, .name = "" };
+        EXPECT_SUCCESS(s2n_connection_set_verify_host_callback(connection, verify_host_verify_alt, &verify_data));
+
+        DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
+        EXPECT_OK(s2n_test_cert_chain_data_from_pem(
+                connection,
+                S2N_WITHOUT_CN_RSA_CERT,
+                &cert_chain_stuffer));
+        uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
+        uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
+        EXPECT_NOT_NULL(chain_data);
+
+        DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
+        EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
+        s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
+        EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type, &public_key_out));
+        EXPECT_EQUAL(S2N_PKEY_TYPE_RSA, pkey_type);
+    };
+
     /* test validator in safe mode, with default host name validator. No connection server name supplied. */
     {
         struct s2n_x509_trust_store trust_store;