From 2f0b4974dfbd9bc71e1164e0742fc7fdb2b2b70e Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 17 Jun 2024 12:19:45 +0200
Subject: Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)
---
 test/certs/ee-self-signed-pss.pem | 21 +++++++++++++++++++++
 test/certs/setup.sh               |  4 ++++
 2 files changed, 25 insertions(+)
 create mode 100644 test/certs/ee-self-signed-pss.pem

(limited to 'test/certs')

diff --git a/test/certs/ee-self-signed-pss.pem b/test/certs/ee-self-signed-pss.pem
new file mode 100644
index 0000000000..fab433321c
--- /dev/null
+++ b/test/certs/ee-self-signed-pss.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAjmgAwIBAgIUZxTKBh9L8ApVNcsI5ontnHRbv8wwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMB0xGzAZBgNVBAMMEmVlLXNlbGYtc2lnbmVkLXBzczAgFw0yNDA2MTcx
+MTA5NTRaGA8yMTI0MDYxODExMDk1NFowHTEbMBkGA1UEAwwSZWUtc2VsZi1zaWdu
+ZWQtcHNzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7b
+LA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8N
+xkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7C
+NqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqC
+GxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0do
+pynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+
+eTQfSokftwIDAQABo1MwUTAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6Iw
+HwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB
+/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEI
+MA0GCWCGSAFlAwQCAQUAogMCASADggEBADjXHPnAha0YQKFCfQZqy8LLgxoQDbfP
+5XKQJ8/FfeJXO9yjEmqOEoWM/QQIlM1gpepOOw8ZRhxcwx93eO+XtvJUA3bW+H73
+jwnqiX5mu1SpA/2IHcifxuOuXUwUh7vtOJGFATHusAn7dS3+tnJSkS+6pvSsJjDu
+0x3fV8rLq1gL9gOC2MdzkLxyp7xmdgibQMI+PyPNgU1e1Qm88Cp5dVNRMdgQ+3CL
+E3h7qfSpSkUCM9rNBc2/rqavQ/UPq5H6r8R9gYd9yR7uGL88B9QI4DQDR8T6x9JG
+0ebWYLuH2xWP9Njl2IbwN3uqQSeRSSqy7UlNo51O+nkvU1vCJGy6aXw=
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d517384301..4280ac3a8d 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -226,6 +226,10 @@ OPENSSL_KEYBITS=8192 \
 # self-signed end-entity cert with explicit keyUsage not including KeyCertSign
 openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
 
+# self-signed end-entity cert signed with RSA-PSS
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed-pss -out ee-self-signed-pss.pem -days 36525 \
+    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+
 # Proxy certificates, off of ee-client
 # Start with some good ones
 ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
-- 
cgit v1.2.3