diff options
author | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-11 09:09:29 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-09-17 17:15:15 +0200 |
commit | cccf532fef10aaa2d682227061b8828a1eb2c031 (patch) | |
tree | eebff041321fc8ca671a21369395370e806175d2 /test | |
parent | fe2f8aecfe4a0de483334bf671a8eb4f14444c00 (diff) |
Disallow certs with explicit curve in verification chain
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)
Diffstat (limited to 'test')
-rw-r--r-- | test/certs/ca-cert-ec-explicit.pem | 19 | ||||
-rw-r--r-- | test/certs/ca-cert-ec-named.pem | 14 | ||||
-rw-r--r-- | test/certs/ca-key-ec-explicit.pem | 10 | ||||
-rw-r--r-- | test/certs/ca-key-ec-named.pem | 5 | ||||
-rw-r--r-- | test/certs/ee-cert-ec-explicit.pem | 16 | ||||
-rw-r--r-- | test/certs/ee-cert-ec-named-explicit.pem | 11 | ||||
-rw-r--r-- | test/certs/ee-cert-ec-named-named.pem | 11 | ||||
-rw-r--r-- | test/certs/ee-key-ec-explicit.pem | 10 | ||||
-rw-r--r-- | test/certs/ee-key-ec-named-explicit.pem | 5 | ||||
-rw-r--r-- | test/certs/ee-key-ec-named-named.pem | 5 | ||||
-rwxr-xr-x | test/certs/setup.sh | 10 | ||||
-rw-r--r-- | test/recipes/25-test_verify.t | 17 |
12 files changed, 132 insertions, 1 deletions
diff --git a/test/certs/ca-cert-ec-explicit.pem b/test/certs/ca-cert-ec-explicit.pem new file mode 100644 index 0000000000..d741ecdb65 --- /dev/null +++ b/test/certs/ca-cert-ec-explicit.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMDkxNTEzMDY0MVoYDzIxMjAwOTE2MTMwNjQxWjANMQswCQYDVQQD +DAJDQTCCAUswggEDBgcqhkjOPQIBMIH3AgEBMCwGByqGSM49AQECIQD/////AAAA +AQAAAAAAAAAAAAAAAP///////////////zBbBCD/////AAAAAQAAAAAAAAAAAAAA +AP///////////////AQgWsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEsD +FQDEnTYIhucEk2pmeOETnSa3gZ9+kARBBGsX0fLhLEJH+Lzm5WOkQPJ3A32BLesz +oPShOUXYmMKWT+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfUCIQD///// +AAAAAP//////////vOb6racXnoTzucrC/GMlUQIBAQNCAASlXna3kSD/Yol3RA5I +icjIxYb9UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM +5NDco1MwUTAdBgNVHQ4EFgQUFk6ucH6gMXeadmuV7a1iWEnU/CIwHwYDVR0jBBgw +FoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG +9w0BAQsFAAOCAQEAdyUgfT0eAsZzoHFXoWN5uqi0MHuhLI37TEzkH5h7iTpDQJTQ +F0SjbawfM/nxxUekRW3mjFu3lft+VA7yC0OTNBLffan/vTh+HGOvvYZSMJYgKrMG +PRWgDId+n9RTcQCf+91cISvOazHixRiJG7JfRLdNZsAE+miw4HgPLFboTwpxtTDJ +zJ4ssBC6P+5IHwBCtNMiilJMMMzuSaZa5iSo6M9AdXWfcQN3uhW1lgQOLOlKLcbo +3UhW1GMMhTTeytM5aylbKhRsnL7ozmS44zsKZ25YaQxgjdKitFjVN6j7eyQ7C9J2 +bLXgl3APweLQbGGs0zv08Ad0SCCKYLHK6mMJqg== +-----END CERTIFICATE----- diff --git a/test/certs/ca-cert-ec-named.pem b/test/certs/ca-cert-ec-named.pem new file mode 100644 index 0000000000..5fbe251afb --- /dev/null +++ b/test/certs/ca-cert-ec-named.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJDCCAQygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMDkxNTEzMDY1MFoYDzIxMjAwOTE2MTMwNjUwWjANMQswCQYDVQQD +DAJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPt+MXCi9+wztEvmdG2EVSk7 +bAiJMXJXW/u0NbcGCrrbhO1NJSHHV3Lks888sqeSPh/bif/ASJ0HX+VarMUoFIKj +UzBRMB0GA1UdDgQWBBRjigU5REz8Lwf1iD6mALVhsHIanjAfBgNVHSMEGDAWgBSO +9SWvHptrhD18gJrJU5xNcvejUjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQCQs9wpblefb2C9a7usGL1DJjWJQIFHtUf+6p/KPgEV7LF138ECjL5s +0AWRd8Q8SbsBH49j2r3LLLMkvFglyRaN+FF+TCC/UQtclTb4+HgLsUT2xSU8U2cY +SOnzNB5AX/qAAsdOGqOjivPtGXcXFexDKPsw3n+3rJgymBP6hbLagb47IabNhot5 +bMM6S+bmfpMwfsm885zr5vG2Gg9FjjH94Vx4I7eRLkjCS88gkIR1J35ecHFteOdo +idOaCHQddYiKukBzgdjtTxSDXKffkaybylrwOZ8VBlQd3zC7s02d+riHCnroLnnE +cwYLlJ5z6jN7zoPZ55yX/EmA0RVny2le +-----END CERTIFICATE----- diff --git a/test/certs/ca-key-ec-explicit.pem b/test/certs/ca-key-ec-explicit.pem new file mode 100644 index 0000000000..08add31ca5 --- /dev/null +++ b/test/certs/ca-key-ec-explicit.pem @@ -0,0 +1,10 @@ +-----BEGIN PRIVATE KEY----- +MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg +9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A +AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgdEf20fpuqEZU +tZ4ORoq4vb5ETV4a6QOl/iGnDQt++/ihRANCAASlXna3kSD/Yol3RA5IicjIxYb9 +UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM5NDc +-----END PRIVATE KEY----- diff --git a/test/certs/ca-key-ec-named.pem b/test/certs/ca-key-ec-named.pem new file mode 100644 index 0000000000..cff7a64e84 --- /dev/null +++ b/test/certs/ca-key-ec-named.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCTrYrMKcyV49+w4B +TWr2WTZsMM4aFpaYulKAuhiuQ7mhRANCAAT7fjFwovfsM7RL5nRthFUpO2wIiTFy +V1v7tDW3Bgq624TtTSUhx1dy5LPPPLKnkj4f24n/wEidB1/lWqzFKBSC +-----END PRIVATE KEY----- diff --git a/test/certs/ee-cert-ec-explicit.pem b/test/certs/ee-cert-ec-explicit.pem new file mode 100644 index 0000000000..eccb3342ca --- /dev/null +++ b/test/certs/ee-cert-ec-explicit.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChzCCAi6gAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y +MDA5MTUxMzE0MzlaGA8yMTIwMDkxNjEzMTQzOVowGTEXMBUGA1UEAwwOc2VydmVy +LmV4YW1wbGUwggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcqhkjOPQEBAiEA//// +/wAAAAEAAAAAAAAAAAAAAAD///////////////8wWwQg/////wAAAAEAAAAAAAAA +AAAAAAD///////////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n +0mBLAxUAxJ02CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9 +gS3rM6D0oTlF2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA +/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVECAQEDQgAE+7TDP7C9VqQP +TnqoJc/Fvf/N45BX+lBfmfiGBeRKtSsvrERUlymzQ4/nxVtymozAgFxQ0my998HH +TSVCj7Sq56N9MHswHQYDVR0OBBYEFKKwEfKYhNv6fbQf0Xd0te7J3GZdMB8GA1Ud +IwQYMBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAww +CgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwCgYIKoZIzj0E +AwIDRwAwRAIgb4UITAOFlATeaayWQX9r5gf61qcnzT7TjXCekf7ww9oCIBDltg/u +ZvS9gqviMFuPjTuk/FhsCTAUzTT7WmgcWeH7 +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-named-explicit.pem b/test/certs/ee-cert-ec-named-explicit.pem new file mode 100644 index 0000000000..db13c0e5ef --- /dev/null +++ b/test/certs/ee-cert-ec-named-explicit.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBlDCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y +MDA5MTUxMzE0NDVaGA8yMTIwMDkxNjEzMTQ0NVowGTEXMBUGA1UEAwwOc2VydmVy +LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv5PnMStW/Wx9lpvjl +JTsFIjc2wBv14sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEst +tYKzo30wezAdBgNVHQ4EFgQUmb/qcE413hkpmtjEMyRZZFcN1TYwHwYDVR0jBBgw +FoAUFk6ucH6gMXeadmuV7a1iWEnU/CIwCQYDVR0TBAIwADATBgNVHSUEDDAKBggr +BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNI +ADBFAiEA9y6J8rdAbO0mDZscIb8rIn6HgxBW4WAqTlFeZeHjjOYCIAmt2ldyObOL +tXaiaxYX3WAOR1vmfzsdrkCAOCfAkpbo +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-named-named.pem b/test/certs/ee-cert-ec-named-named.pem new file mode 100644 index 0000000000..0730febf46 --- /dev/null +++ b/test/certs/ee-cert-ec-named-named.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBkzCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y +MDA5MTUxNDEwNDhaGA8yMTIwMDkxNjE0MTA0OFowGTEXMBUGA1UEAwwOc2VydmVy +LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS0YU57+RFRWxr/frnL ++vOYkY3h9roKnvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ3 +5b0Po30wezAdBgNVHQ4EFgQUypypuZrUl0BEmbuhfJpo3QFNIvUwHwYDVR0jBBgw +FoAUY4oFOURM/C8H9Yg+pgC1YbByGp4wCQYDVR0TBAIwADATBgNVHSUEDDAKBggr +BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNH +ADBEAiAEkKD7H5uxQ4YbQOiN4evbu5RCV5W7TVE80iBfcY5u4wIgGcwr++lVNX0Q +CTT+M3ukDjOA8OEvKUz1TiDuRAQ29qU= +-----END CERTIFICATE----- diff --git a/test/certs/ee-key-ec-explicit.pem b/test/certs/ee-key-ec-explicit.pem new file mode 100644 index 0000000000..d847d85dbe --- /dev/null +++ b/test/certs/ee-key-ec-explicit.pem @@ -0,0 +1,10 @@ +-----BEGIN PRIVATE KEY----- +MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg +9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A +AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQg0cmpcTcEYG5G +ZaVkGjtsBc3sLZn1EuV9qNK2qx6iNzmhRANCAAT7tMM/sL1WpA9Oeqglz8W9/83j +kFf6UF+Z+IYF5Eq1Ky+sRFSXKbNDj+fFW3KajMCAXFDSbL33wcdNJUKPtKrn +-----END PRIVATE KEY----- diff --git a/test/certs/ee-key-ec-named-explicit.pem b/test/certs/ee-key-ec-named-explicit.pem new file mode 100644 index 0000000000..28f81e9569 --- /dev/null +++ b/test/certs/ee-key-ec-named-explicit.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2ue+X5ZFJPJPQG2E +WQY4ALv2PkPp2Gy6KrMiokgmjkehRANCAAQv5PnMStW/Wx9lpvjlJTsFIjc2wBv1 +4sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEsttYKz +-----END PRIVATE KEY----- diff --git a/test/certs/ee-key-ec-named-named.pem b/test/certs/ee-key-ec-named-named.pem new file mode 100644 index 0000000000..d627bcf0dd --- /dev/null +++ b/test/certs/ee-key-ec-named-named.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGSoneIKG3//ujXGu +/EoJdNhpKZj026EF/YQ5FblUBWahRANCAAS0YU57+RFRWxr/frnL+vOYkY3h9roK +nvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ35b0P +-----END PRIVATE KEY----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 369fef4f43..6839e60674 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -116,6 +116,10 @@ openssl x509 -in ca-cert-md5.pem -trustout \ # CA has 768-bit key OPENSSL_KEYBITS=768 \ ./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert +# EC cert with explicit curve +./mkcert.sh genca "CA" ca-key-ec-explicit ca-cert-ec-explicit root-key root-cert +# EC cert with named curve +./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert # client intermediate ca: cca-cert # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth @@ -184,6 +188,12 @@ OPENSSL_SIGALG=md5 \ # 768-bit leaf key OPENSSL_KEYBITS=768 \ ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert +# EC cert with explicit curve signed by named curve ca +./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-named +# EC cert with named curve signed by explicit curve ca +./mkcert.sh genee server.example ee-key-ec-named ee-cert-ec-named ca-key-ec-explicit ca-cert-ec-explicit +# EC cert with named curve signed by named curve ca +./mkcert.sh genee server.example ee-key-ec-namnam ee-cert-ec-namnam ca-key-ec-named ca-cert-ec-named # self-signed end-entity cert with explicit keyUsage not including KeyCertSign openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500 diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index aaa7fa3d90..6d8f78c978 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -27,7 +27,7 @@ sub verify { run(app([@args])); } -plan tests => 145; +plan tests => 148; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -280,6 +280,21 @@ ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]), "reject md5 leaf at auth level 1"); +# Explicit vs named curve tests +SKIP: { + skip "EC is not supported by this OpenSSL build", 3 + if disabled("ec"); + ok(!verify("ee-cert-ec-explicit", "sslserver", ["root-cert"], + ["ca-cert-ec-named"]), + "reject explicit curve leaf with named curve intermediate"); + ok(!verify("ee-cert-ec-named-explicit", "sslserver", ["root-cert"], + ["ca-cert-ec-explicit"]), + "reject named curve leaf with explicit curve intermediate"); + ok(verify("ee-cert-ec-named-named", "sslserver", ["root-cert"], + ["ca-cert-ec-named"]), + "accept named curve leaf with named curve intermediate"); +} + # Depth tests, note the depth limit bounds the number of CA certificates # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf # chain, depth = 1 is sufficient, but depth == 0 is not. |