author Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-06-27 16:16:12 +0200
committer Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-11 07:42:22 +0200
commit 1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
tree 3dae7b7b2ad8bf6e4db27dd8eb52230d7bdae1c1 /test
parent b0a4cbead384e2ac8dbb697795ace242e1b07c18
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c

add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)

Diffstat (limited to 'test')
-rw-r--r-- test/recipes/25-test_verify.t 7
-rw-r--r-- test/testx509.pem 16
2 files changed, 13 insertions, 10 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 42d44dcdce..aaa7fa3d90 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 144;
+plan tests => 145;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -372,13 +372,16 @@ ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"
"accept trusted self-signed EE cert excluding key usage keyCertSign");
SKIP: {
- skip "Ed25519 is not supported by this OpenSSL build", 5
+ skip "Ed25519 is not supported by this OpenSSL build", 6
if disabled("ec");
# ED25519 certificate from draft-ietf-curdle-pkix-04
ok(verify("ee-ed25519", "sslserver", ["root-ed25519"], []),
"accept X25519 EE cert issued by trusted Ed25519 self-signed CA cert");
+ ok(!verify("ee-ed25519", "sslserver", ["root-ed25519"], [], "-x509_strict"),
+ "reject X25519 EE cert in strict mode since AKID is missing");
+
ok(!verify("root-ed25519", "sslserver", ["ee-ed25519"], []),
"fail Ed25519 CA and EE certs swapped");
diff --git a/test/testx509.pem b/test/testx509.pem
index 8a85d14964..e0c7a1f9af 100644
--- a/test/testx509.pem
+++ b/test/testx509.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
-MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
-BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
-MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
-RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
-/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
-Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
-zl9HYIMxATFyqSiD9jsx
+MIIBczCCAR0CFEqkMs9xq0qfdNflIpoqdDaOU/ThMA0GCSqGSIb3DQEBBAUAMDox
+CzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxHTAbBgNVBAMMFFNTTGVheSByc2Eg
+dGVzdCBjZXJ0MCAXDTIwMDczMTE3MTM0NVoYDzIxMjAwNzA3MTcxMzQ1WjA6MQsw
+CQYDVQQGEwJBVTEMMAoGA1UECAwDUUxEMR0wGwYDVQQDDBRTU0xlYXkgcnNhIHRl
+c3QgY2VydDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDUZKgYSMuJdiw2aIQIG4LD
+vm9HbUnyJyj6WgPkpw98dVKTj0jo3F6n/e3anYzvSpOiPkTuvw209yslzJs40Sf7
+AgMBAAEwDQYJKoZIhvcNAQEEBQADQQBV1bQAvyLvJQrNt7WEKmo/inigwjsvQYwd
+nxmV6zWhqpQZmo86/ixumUa6zTlq+y4+wiiFngMZ7Bt0O769Nlzx
-----END CERTIFICATE-----
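Review bot: The replacement of the certificate in test/testx509.pem is not explained in the commit message, which lists the code changes and the new RFC 8410 test case but says nothing about this file. A PEM body cannot be reviewed from the diff, so please state in the message why the old certificate had to be replaced (presumably it trips one of the newly added checks, but that is a guess from the commit subject) and how the new one was generated, so the fixture can be reproduced and its intended properties are on record.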