author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2019-12-24 11:25:15 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-01 11:14:54 +0200 |
commit | 0e7b1383e138ce3fa66c5bd0ea4a9cb35487436c (patch) | |
tree | 9ddb274339a9a7da79ba23c1c85af72e57ef6dc8 /test/recipes | |
parent | d18c7ad66aaaebe10c86127d966f5401bc414d2a (diff) | |
download | openssl-0e7b1383e138ce3fa66c5bd0ea4a9cb35487436c.tar.gz |
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix
Fixes #1418
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
Diffstat (limited to 'test/recipes')
-rw-r--r-- | test/recipes/25-test_verify.t | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 2997503355..42d44dcdce 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -27,7 +27,7 @@ sub verify { run(app([@args])); } -plan tests => 143; +plan tests => 144; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -368,6 +368,9 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"] ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), "Public Key Algorithm rsa instead of rsaEncryption"); + ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], []), + "accept trusted self-signed EE cert excluding key usage keyCertSign"); + SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 5 if disabled("ec"); |
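Review bot: the new case in the second hunk, `ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], [])`, exercises only the accepting path, so nothing visible in this file shows that the keyCertSign check still rejects after being moved to internal_verify(). Consider adding a negated case alongside it, in the form `ok(!verify(...))`, in which a certificate lacking keyCertSign is used as the issuer of another certificate, so that a regression that drops the check entirely would fail the suite. The test immediately above passes "-check_ss_sig" and this one does not. A second variant of the ee-self-signed case with that option would pin down the intended result when the self-signature is actually verified. The `plan tests => 144` count in the first hunk would need to be raised to match any cases added.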