author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-01 14:22:16 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-03 15:11:41 +0100 |
commit | 315c47e00bb953abe8892a3c1272289330b29d23 (patch) | |
tree | 06306f2d8657241da73abccdb91873cbd2381916 /test | |
parent | 61168b5b8dde03f3b77ddf5e4b1b81c338c01746 (diff) |
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until version 1.1.1h, yet
commit e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13471
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13585)
Diffstat (limited to 'test')
-rw-r--r-- | test/certs/root-expired.pem | 18 | ||||
-rwxr-xr-x | test/certs/setup.sh | 5 | ||||
-rw-r--r-- | test/recipes/25-test_verify.t | 6 |
3 files changed, 26 insertions, 3 deletions
diff --git a/test/certs/root-expired.pem b/test/certs/root-expired.pem
new file mode 100644
index 0000000000..eb5b697ed2
--- /dev/null
+++ b/test/certs/root-expired.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMB4XDTIwMTIwMjE0MTYwOVoXDTIwMTIwMTE0MTYwOVowEjEQMA4GA1UEAwwH
+Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHmAPUGvKBG
+OHkPPx5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3j
+IVyk7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcAr
+VREXOjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI
+0YYqalUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt
+9gfNbiuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337Vo
+IkN+ZiQjr8UCAwEAAaNTMFEwHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NS
+MB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQELBQADggEBAH1uqov7eXVT6GbhJ7foASTQpIaVi4GXIfbS
+bYKCb0erWkLfW7EKalOTBp5TjWONSM4mX2OlZag7yq1P1YwMaBA51OkH0Ojic9fX
+majK2S/ZyFI6NLoPqN0Uw/K1HHU0DXpK/mf3YdFOEZMf9LVlXR0O6og19HxBmNnN
+LhTOQ29IGqNzayHGBi4U8LG+UAe5sxlC+gnnQEPGMrOS1XElybtHIxnqk2LJDvXj
+2Dj12TCISD9bQ53oRkudTvTPyvxK6OsnFC/wTBmHk03yxnZdQEKyj9guahiRb+hj
+sz4mDWWMmelcr6veEfzzlUZK7aoIrpJmgukhv/Qafwczo38J5U0=
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 2bb01fa13e..04591bcc05 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -1,10 +1,11 @@
-#! /bin/sh
+#! /bin/bash
 # Primary root: root-cert
 # root cert variants: CA:false, key2, DN2
 # trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
 #
 ./mkcert.sh genroot "Root CA" root-key root-cert
+DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
 ./mkcert.sh genss "Root CA" root-key root-nonca
 ./mkcert.sh genroot "Root CA" root-key2 root-cert2
 ./mkcert.sh genroot "Root Cert 2" root-key root-name2 
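Review bot: The shebang change from `#! /bin/sh` to `#! /bin/bash` in the first setup.sh hunk is explained only by the `# bash needed here` comment added to the `<(...)` process substitution about 170 lines further down, so a reader of the top of the script cannot see why plain sh is no longer sufficient; a comment next to the shebang, e.g. `# bash (not sh): the ee-pathlen step below relies on <(...) process substitution`, keeps the reason where the requirement is declared. The new `DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired` line also deserves a note on what fixture it produces: decoding the new root-expired.pem, its notAfter appears to fall one day before its notBefore, which would make the root expired on any date the suite runs, so something like `# DAYS=-1: notAfter precedes notBefore, so this root is expired regardless of the current date` records that intent. How mkcert.sh's genroot actually treats a negative DAYS is not visible in this diff and should be confirmed before wording the comment that strongly.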
@@ -168,7 +169,7 @@ openssl x509 -in sca-cert.pem -trustout \
 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
 ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
 ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
- -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
+ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here
 #
 openssl x509 -in ee-cert.pem -trustout \
 -addtrust serverAuth -out ee+serverAuth.pem
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 9b8648e670..1336b8a726 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
 run(app([@args]));
 }
-plan tests => 143;
+plan tests => 145;
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -132,6 +132,10 @@ ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
 "fail untrusted partial chain");
 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
 "accept trusted partial chain");
+ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
+ "reject expired trusted partial chain"); # this check is beyond RFC 5280
+ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
+ "reject expired trusted root"); # this check is beyond RFC 5280
 ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
 "accept partial chain with server purpose");
 ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
|
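Review bot: The two new negative cases in the second 25-test_verify.t hunk (`reject expired trusted partial chain`, `reject expired trusted root`) only observe that verification fails, so they cannot tell a rejection caused by the restored validity-period check apart from a rejection for any other reason (a malformed fixture, a key or issuer mismatch), and would keep passing even if the time check regressed while something else broke. A positive control next to each pins the failure to the time check, e.g. `ok(verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)], "-no_check_time"), "accept expired trusted root when time checks are disabled");` with `plan tests` raised to match. The `ca-expired` fixture used by the first new case is not produced by the setup.sh changes in this commit, so it is presumably pre-existing; it is worth confirming that it really is expired rather than failing for an unrelated reason. The `verify` helper whose body starts above the first hunk only reports success or failure, so the positive control is the cheapest way to make these cases discriminating without changing the helper.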