Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid certificate policy is rejected. Specifically we are checking that a leaf certificate with an invalid policy is detected. Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20587)
author: Matt Caswell <matt@openssl.org> 2023-03-07 17:07:57 +0000
committer: Tomas Mraz <tomas@openssl.org> 2023-03-28 14:01:58 +0200
commit: dda529ecc2d085488eef60235ef553dc5fd6e6dc (patch)
tree: 9824b58cf0a60653d9753adcf2c88cca24bee9fb /test/recipes
parent: 1dd43e0709fece299b15208f36cc7c76209ba0bb (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 2a4c36e86d..818c9ac50d 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 164;
+plan tests => 166;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -516,3 +516,14 @@ SKIP: {
     ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])),
        'Mixed key + cert file test');
 }
+
+# Certificate Policies
+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
+          "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
+          "-explicit_policy"),
+   "Certificate policy");
+
+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
+           "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
+           "-explicit_policy"),
+   "Bad certificate policy");
author	Matt Caswell <matt@openssl.org>	2023-03-07 17:07:57 +0000
committer	Tomas Mraz <tomas@openssl.org>	2023-03-28 14:01:58 +0200
commit	dda529ecc2d085488eef60235ef553dc5fd6e6dc (patch)
tree	9824b58cf0a60653d9753adcf2c88cca24bee9fb /test/recipes
parent	1dd43e0709fece299b15208f36cc7c76209ba0bb (diff)