diff options
author | Neil Horman <nhorman@openssl.org> | 2024-01-02 15:48:00 -0500 |
---|---|---|
committer | Neil Horman <nhorman@openssl.org> | 2024-01-05 14:01:13 -0500 |
commit | a693d69cd8b4b88a81f3e8174dcf90bbed4cbb53 (patch) | |
tree | 03fc5074f65da686504f3de3bf95253637d1f2bf /test | |
parent | 7043f6924a80f3f6f137f680aae4c968d03f3ba3 (diff) |
Validate config options during x509 extension creation
There are several points during x509 extension creation which rely on
configuration options which may have been incorrectly parsed due to
invalid settings. Preform a value check for null in those locations to
avoid various crashes/undefined behaviors
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23183)
(cherry picked from commit bac7e687d71b124b09ad6ad3e15be9b38c08a1ba)
Diffstat (limited to 'test')
-rw-r--r-- | test/invalid-x509.cnf | 6 | ||||
-rw-r--r-- | test/recipes/25-test_x509.t | 10 |
2 files changed, 15 insertions, 1 deletions
diff --git a/test/invalid-x509.cnf b/test/invalid-x509.cnf new file mode 100644 index 0000000000..f982edb979 --- /dev/null +++ b/test/invalid-x509.cnf @@ -0,0 +1,6 @@ +[ext] +issuerSignTool = signTool +sbgp-autonomousSysNum = AS +issuingDistributionPoint = fullname +sbgp-ipAddrBlock = IPv4-SAFI + diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 95df179bbe..b491acb1da 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_x509"); -plan tests => 28; +plan tests => 29; # Prevent MSys2 filename munging for arguments that look like file paths but # aren't @@ -186,6 +186,14 @@ ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert, # verify issuer is CA ok (get_issuer($a2_cert) =~ /CN = ca.example.com/); +my $in_csr = srctop_file('test', 'certs', 'x509-check.csr'); +my $in_key = srctop_file('test', 'certs', 'x509-check-key.pem'); +my $invextfile = srctop_file('test', 'invalid-x509.cnf'); +# Test that invalid extensions settings fail +ok(!run(app(["openssl", "x509", "-req", "-in", $in_csr, "-signkey", $in_key, + "-out", "/dev/null", "-days", "3650" , "-extensions", "ext", + "-extfile", $invextfile]))); + # Tests for issue #16080 (fixed in 1.1.1o) my $b_key = "b-key.pem"; my $b_csr = "b-cert.csr"; |