Age | Commit message (Collapse) | Author |
|
constraints
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18758)
(cherry picked from commit a148a9b4f49b0c456d45a39c0d63a52405aa5ea9)
|
|
Namely the smime certificates used in test_cms and the
SM2 certificates will expire soon and affect tests.
Fixes #15179
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18467)
(cherry picked from commit 5d219937d067a761fb871483369a6020c60a3cb8)
|
|
This avoids the need to use SECLEVEL=1 in 12-ct.cnf.in.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18450)
(cherry picked from commit 479b9adb88b9050186c1e9fc94879906f378b14b)
|
|
Fixes #15179
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18444)
(cherry picked from commit 770aea88c3888cc5cb3ebc94ffcef706c68bc1d2)
|
|
When pem_password_cb is used from SSL_CTX, its size
parameter should be equal to PEM_BUFSIZE.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit c7debe811123951a60cdfe73716184ca8fdd79d2)
|
|
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15949)
|
|
usage keyCertSign also when strict
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
|
|
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
|
|
We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14647)
|
|
RSA/DSA/EC private key
This is needed to correct d2i_PrivateKey() after it was changed by commit 576892d78f80cf9a.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14647)
|
|
The regression from commit 05458fd was fixed, but there is
no test for that regression. This adds it simply by having
a certificate that we compare for -text output having
a different subject and issuer.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14353)
|
|
Fixes #14294
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14295)
|
|
Removed the related TODOs.
Also adjusted the DH parameters used for the DH test to be acceptable
for FIPS as that now allows only known safe prime parameters.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
|
|
verify RSA-PSS
This is an upstream fix for #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13968)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)
|
|
Fixes #13708
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
|
|
to invalid cert
This is the upstream fix for #13698 reported for v1.1.1
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13755)
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)
|
|
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13427
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)
|
|
Add certs with 1024, 3072, 4096 and 8192 bit RSA keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
|
|
Also adds error output tests on loading key files with unsupported algorithms to 30-test_evp.t
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)
|
|
Fixes #7761
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
|
|
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12947)
|
|
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12915)
|
|
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12647)
|
|
A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12549)
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12495)
|
|
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix
Fixes #1418
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
|
|
Increasingly certificates seem to have special things in the subjectAltName that have arbitrary strings in them.
E.g. some (now) common in EU export certificates and, for a few years now, certificates issued to medical doctors (in for example the netherlands, the full spec is https://www.uziregister.nl/Media/Default/PDF/20200325%20CA%20model%20pasmodel%20certificaatprofielen%20v10_0.pdf, section 4.8, page 16 for an example of one country).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11599)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
|
|
Accept verification without -x509_strict and reject it with it.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
|
|
Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11216)
|
|
Create a whole chain of Ed488 certificates so that we can use it at security
level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the
Ed488 certificate using SHA256 (128 bit, level 3).
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786
|
|
Create a PSS certificate with parameter restrictions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9553)
|
|
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.
Documentation and test cases are added.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
|
|
This follows #8321 which added the SM2 certificate verification feature.
This commit adds some test cases for #8321.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
|
|
signature value
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6226)
|