A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12549)
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix
Fixes#1418
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
Accept verification without -x509_strict and reject it with it.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
Create a whole chain of Ed488 certificates so that we can use it at security
level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the
Ed488 certificate using SHA256 (128 bit, level 3).
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.
Documentation and test cases are added.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
This follows #8321 which added the SM2 certificate verification feature.
This commit adds some test cases for #8321.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8465)
Some signature algorithms require special treatment for digesting, such
as SM2. This patch adds the ability of handling raw input data in
apps/pkeyutl other than accepting only pre-hashed input data.
Beside, SM2 requries an ID string when signing or verifying a piece of data,
this patch also adds the ability for apps/pkeyutil to specify that ID
string.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.
Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names. Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label. In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Around 138 distinct errors found and fixed; thanks!
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.
Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.
Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.
Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
Remove some incorrect copyright references.
Move copyright to standard place
Add OpenSSL copyright where missing.
Remove copyrighted file that we don't use any more
Remove Itanium assembler for RC4 and MD5 (assembler versions of old and
weak algorithms for an old chip)
Standardize apps/rehash copyright comment; approved by Timo
Put dual-copyright notice on mkcert
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3691)
To test X509_check_private_key and relatives.
Add a CSR and corresponding RSA private key to test
X509_REQ_check_private_key function.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
Add Ed25519 certificate verify test using certificate from
draft-ietf-curdle-pkix-04 and custom generated root certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)
The CA names should be printed according to user's decision
print_name instead of set of BIO_printf
dump_cert_text instead of set of BIO_printf
Testing cyrillic output of X509_CRL_print_ex
Write and use X509_CRL_print_ex
Reduce usage of X509_NAME_online
Using X509_REQ_print_ex instead of X509_REQ_print
Fix nameopt processing.
Make dump_cert_text nameopt-friendly
Move nameopt getter/setter to apps/apps.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3262)
The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.
These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)
Using a cert with Cyrillic characters, kindly supplied by Dmitry Belyavsky
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2943)
subject alternate names.
Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values. All other commands
are changed to pass "CN = $cn" instead of just a CN value.
This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.
Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
