Add an explicit curve test

[woodruffw]

WIP. The idea here is to build a testcase where the chain contains a certificate with an explicit EC point encoding, rather than a namedCurve encoding. This should be rejected by CABF-conforming validators.

Blockers:

• Cryptography (rightfully) doesn't support loading these keys
• I refuse to write this testcase by hand with openssl req I gave up and did it.

[woodruffw]

crypto/x509 also reasonably doesn't allow this, which suggests that I'm asking for two incompatible things (an implementation that's good enough for me to build this testcase with, but bad enough that it'll accept an explicit curve encoding). So I'm shelving this for now.

[github-actions]

No regressions found.

[github-actions]

New testcases

There are new testcases in this change.

gocryptox509-go1.22.0

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE

certvalidator-0.11.1

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	SUCCESS	None

openssl-3.0.13

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	Certificate public key has explicit ECC parameters

openssl-3.2.1

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	Certificate public key has explicit ECC parameters

pyca-cryptography-42.0.5

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	validation failed: CandidatesExhausted(Other("Forbidden public key algorithm: AlgorithmIdentifier { oid: DefinedByMarker(PhantomDataasn1::object_identifier::ObjectIdentifier), params: Ec(SpecifiedCurve(Sequence { data: [2, 1, 1, 48, 44, 6, 7, 42, 134, 72, 206, 61, 1, 1, 2, 33, 0, 255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 48, 91, 4, 32, 255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 252, 4, 32, 90, 198, 53, 216, 170, 58, 147, 231, 179, 235, 189, 85, 118, 152, 134, 188, 101, 29, 6, 176, 204, 83, 176, 246, 59, 206, 60, 62, 39, 210, 96, 75, 3, 21, 0, 196, 157, 54, 8, 134, 231, 4, 147, 106, 102, 120, 225, 19, 157, 38, 183, 129, 159, 126, 144, 4, 65, 4, 107, 23, 209, 242, 225, 44, 66, 71, 248, 188, 230, 229, 99, 164, 64, 242, 119, 3, 125, 129, 45, 235, 51, 160, 244, 161, 57, 69, 216, 152, 194, 150, 79, 227, 66, 226, 254, 26, 127, 155, 142, 231, 235, 74, 124, 15, 158, 22, 43, 206, 51, 87, 107, 49, 94, 206, 203, 182, 64, 104, 55, 191, 81, 245, 2, 33, 0, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 188, 230, 250, 173, 167, 23, 158, 132, 243, 185, 202, 194, 252, 99, 37, 81, 2, 1, 1] })) }"))

rustls-webpki

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	UnsupportedSignatureAlgorithmForPublicKey

rust-webpki

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	UnknownIssuer

openssl-3.1.5

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	Certificate public key has explicit ECC parameters

openssl-1.1

Testcase	Expected Result	Actual Result	Context
webpki::explicit-curve	FAILURE	FAILURE	Certificate public key has explicit ECC parameters

[woodruffw]

validation failed: CandidatesExhausted(Other("Forbidden public key algorithm: AlgorithmIdentifier { oid: DefinedByMarker(PhantomDataasn1::object_identifier::ObjectIdentifier), params: Ec(SpecifiedCurve(Sequence { data: [2, 1, 1, 48, 44, 6, 7, 42, 134, 72, 206, 61, 1, 1, 2, 33, 0, 255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 48, 91, 4, 32, 255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 252, 4, 32, 90, 198, 53, 216, 170, 58, 147, 231, 179, 235, 189, 85, 118, 152, 134, 188, 101, 29, 6, 176, 204, 83, 176, 246, 59, 206, 60, 62, 39, 210, 96, 75, 3, 21, 0, 196, 157, 54, 8, 134, 231, 4, 147, 106, 102, 120, 225, 19, 157, 38, 183, 129, 159, 126, 144, 4, 65, 4, 107, 23, 209, 242, 225, 44, 66, 71, 248, 188, 230, 229, 99, 164, 64, 242, 119, 3, 125, 129, 45, 235, 51, 160, 244, 161, 57, 69, 216, 152, 194, 150, 79, 227, 66, 226, 254, 26, 127, 155, 142, 231, 235, 74, 124, 15, 158, 22, 43, 206, 51, 87, 107, 49, 94, 206, 203, 182, 64, 104, 55, 191, 81, 245, 2, 33, 0, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 188, 230, 250, 173, 167, 23, 158, 132, 243, 185, 202, 194, 252, 99, 37, 81, 2, 1, 1] })) }"))

Maybe I should shorten that error message...