From 0e7b1383e138ce3fa66c5bd0ea4a9cb35487436c Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Tue, 24 Dec 2019 11:25:15 +0100 Subject: Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued() Move check that cert signing is allowed from x509v3_cache_extensions() to where it belongs: internal_verify(), generalize it for proxy cert signing. Correct and simplify check_issued(), now checking self-issued (not: self-signed). Add test case to 25-test_verify.t that demonstrates successful fix Fixes #1418 Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/10587) --- test/certs/ee-self-signed.pem | 18 ++++++++++++++++++ test/certs/setup.sh | 3 +++ 2 files changed, 21 insertions(+) create mode 100644 test/certs/ee-self-signed.pem (limited to 'test/certs') diff --git a/test/certs/ee-self-signed.pem b/test/certs/ee-self-signed.pem new file mode 100644 index 0000000000..ad1e37ba0e --- /dev/null +++ b/test/certs/ee-self-signed.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAbegAwIBAgIUBP7iEKPlKuinZGQNFxSY3IBIb0swDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwHhcNMjAwNjI4MTA1MTQ1WhcN +MjAwNzI4MTA1MTQ1WjAZMRcwFQYDVQQDDA5lZS1zZWxmLXNpZ25lZDCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU +fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC +76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz +BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl +V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv +0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaMP +MA0wCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBiLmIUCGb+hmRGbmpO +lDqEwiRVdxHBs4OSb3IA9QgU1QKUDRqn7q27RRelmzTXllubZZcX3K6o+dunRW5G +d3f3FVr+3Z7wnmkQtC2y3NWtGuWNczss+6rMLzKvla5CjRiNPlSvluMNpcs7BJxI +ppk1LxlaiYlQkDW32OPyxzXWDNv1ZkphcOcoCkHAagnq9x1SszvLTjAlo5XpYrm5 +CPgBOEnVwFCgne5Ab4QPTgkxPh/Ta508I/FKaPLJqci1EfGKipZkS7mMGTUJEeVK +wZrn4z7RiTfJ4PdqO5iv8eOpt03fqdPEXQWe8DrKyfGM6/e369FaXMFhcd2ZxZy2 +WHoc +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index f4f3e046f0..d1c56bb56d 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -185,6 +185,9 @@ OPENSSL_SIGALG=md5 \ OPENSSL_KEYBITS=768 \ ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert +# self-signed end-entity cert with explicit keyUsage not including KeyCertSign +openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature + # Proxy certificates, off of ee-client # Start with some good ones ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ -- cgit v1.2.3