#
61a97676 |
| 15-Jun-2022 |
Lutz Jaenicke |
X509: add tests for purpose code signing in verify application Correct configuration according to CA Browser forum: KU: critical,digitalSignature XKU: codeSiging Note: I
X509: add tests for purpose code signing in verify application Correct configuration according to CA Browser forum: KU: critical,digitalSignature XKU: codeSiging Note: I did not find any other document formally defining the requirements for code signing certificates. Some combinations are explicitly forbidden, some flags can be ignored Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18567)
show more ...
|
#
3269c8bd |
| 02-Dec-2021 |
Matt Caswell |
Add a new Name Constraints test cert Add a cert which complies with the name constraints but has no SAN extension Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
#
80070e47 |
| 08-Jun-2021 |
Dr. David von Oheimb |
test/certs/mkcert.sh: Correct description of geneealt parameters Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
199df4a9 |
| 26-Jan-2021 |
Dr. David von Oheimb |
check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS This is an upstream fix for #13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged fro
check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS This is an upstream fix for #13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13968)
show more ...
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
9495cfbc |
| 12-Dec-2020 |
Dr. David von Oheimb |
make various test CA certs RFC 5280 compliant w.r.t. X509 extensions Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13719)
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
#
cf61b97d |
| 23-Sep-2020 |
Tomas Mraz |
Generate a certificate with critical id-pkix-ocsp-nocheck extension Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/1294
Generate a certificate with critical id-pkix-ocsp-nocheck extension Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12947)
show more ...
|
Revision tags: OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1 |
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
Revision tags: OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
#
4d9e8c95 |
| 22-Jan-2020 |
Kurt Roeckx |
Create a new embeddedSCTs1 that's signed using SHA256 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> GH: #10786
|
Revision tags: OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
#
39d9ea5e |
| 08-Aug-2019 |
Matt Caswell |
Add Restricted PSS certificate and key Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl
Add Restricted PSS certificate and key Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553)
show more ...
|
Revision tags: OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
#
909f1a2e |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in test/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767)
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3 |
|
#
b0edda11 |
| 20-Mar-2018 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5689)
|
Revision tags: OpenSSL_1_1_1-pre2 |
|
#
fe93b010 |
| 27-Feb-2018 |
Matt Caswell |
Update tests for TLS Ed448 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5470)
|
Revision tags: OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n |
|
#
46f4e1be |
| 12-Nov-2017 |
Josh Soref |
Many spelling fixes/typo's corrected. Around 138 distinct errors found and fixed; thanks! Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tim Hudson <tjh@openssl.org>
Many spelling fixes/typo's corrected. Around 138 distinct errors found and fixed; thanks! Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3459)
show more ...
|
Revision tags: OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
#
624265c6 |
| 15-Jun-2017 |
Rich Salz |
Cleanup some copyright stuff Remove some incorrect copyright references. Move copyright to standard place Add OpenSSL copyright where missing. Remove copyrighted file that we don
Cleanup some copyright stuff Remove some incorrect copyright references. Move copyright to standard place Add OpenSSL copyright where missing. Remove copyrighted file that we don't use any more Remove Itanium assembler for RC4 and MD5 (assembler versions of old and weak algorithms for an old chip) Standardize apps/rehash copyright comment; approved by Timo Put dual-copyright notice on mkcert Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3691)
show more ...
|
#
bc88fc79 |
| 14-Jun-2017 |
Dr. Stephen Henson |
Ed25519 support for mkcert.sh Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3585)
|
Revision tags: OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16 |
|
#
0c8736f4 |
| 17-Feb-2017 |
Dr. Stephen Henson |
Add DSA support to mkcert.sh Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2667)
|
Revision tags: OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a, OpenSSL_1_1_0, OpenSSL_1_1_0-pre6 |
|
#
d83b7e1a |
| 22-Jun-2016 |
Dr. Stephen Henson |
Extend mkcert.sh to support nameConstraints generation and more complex subject alternate names. Add nameConstraints tests incluing DNS, IP and email tests both in subject alt name e
Extend mkcert.sh to support nameConstraints generation and more complex subject alternate names. Add nameConstraints tests incluing DNS, IP and email tests both in subject alt name extension and subject name. Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
#
615dd78b |
| 23-Jun-2016 |
Viktor Dukhovni |
Drop extraneous printf argument in mkcert.sh Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
b58614d7 |
| 22-Jun-2016 |
Dr. Stephen Henson |
Fix generation of expired CA certificate. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
Revision tags: OpenSSL-fips-2_0_13 |
|
#
71c8cd20 |
| 19-Jun-2016 |
Richard Levitte |
Make it possible to generate proxy certs with test/certs/mkcert.sh This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values.
Make it possible to generate proxy certs with test/certs/mkcert.sh This extends 'req' to take more than one DN component, and to take them as full DN components and not just CN values. All other commands are changed to pass "CN = $cn" instead of just a CN value. This adds 'genpc', which differs from the other 'gen*' commands by not calling 'req', and expect the result from 'req' to come through stdin. Finally, test/certs/setup.sh gets the commands needed to generate a few proxy certificates. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
show more ...
|
#
a7be5759 |
| 13-Jun-2016 |
Rich Salz |
RT3809: basicConstraints is critical This is really a security bugfix, not enhancement any more. Everyone knows critical extensions. Reviewed-by: Dr. Stephen Henson <steve@opens
RT3809: basicConstraints is critical This is really a security bugfix, not enhancement any more. Everyone knows critical extensions. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
show more ...
|
Revision tags: OpenSSL_1_0_1t, OpenSSL_1_0_2h, OpenSSL_1_1_0-pre5 |
|
#
fbb82a60 |
| 19-Mar-2016 |
Viktor Dukhovni |
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is auto
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
show more ...
|
#
4d9e33ac |
| 29-Mar-2016 |
Viktor Dukhovni |
Require intermediate CAs to have basicConstraints CA:true. Previously, it was sufficient to have certSign in keyUsage when the basicConstraints extension was missing. That is still acce
Require intermediate CAs to have basicConstraints CA:true. Previously, it was sufficient to have certSign in keyUsage when the basicConstraints extension was missing. That is still accepted in a trust anchor, but is no longer accepted in an intermediate CA. Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
Revision tags: OpenSSL_1_1_0-pre4, OpenSSL_1_0_1s, OpenSSL_1_0_2g, OpenSSL_1_1_0-pre3, OpenSSL-fips-2_0_12 |
|
#
c0a445a9 |
| 08-Feb-2016 |
Viktor Dukhovni |
Suppress DANE TLSA reflection when verification fails As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else
Suppress DANE TLSA reflection when verification fails As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else when verification fails. However, this only happened when verification failed during chain construction. Errors in verification of the constructed chain did not have the intended effect on these functions. This commit updates the functions to check for verify_result == X509_V_OK, and no longer erases any accumulated match information when chain construction fails. Sophisticated developers can, with care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA info even when verification fail. They must of course first check and save the real error, and restore the original error as quickly as possible. Hiding by default seems to be the safer interface. Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED. This also changes the "-brief" output from s_client to include verification results and TLSA match information. Mentioned session resumption in code example in SSL_CTX_dane_enable(3). Also mentioned that depths returned are relative to the verified chain which is now available via SSL_get0_verified_chain(3). Added a few more test-cases to danetest, that exercise the new code. Resolved thread safety issue in use of static buffer in X509_verify_cert_error_string(). Fixed long-stating issue in apps/s_cb.c which always sets verify_error to either X509_V_OK or "chain to long", code elsewhere (e.g. s_time.c), seems to expect the actual error. [ The new chain construction code is expected to correctly generate "chain too long" errors, so at some point we need to drop the work-arounds, once SSL_set_verify_depth() is also fixed to propagate the depth to X509_STORE_CTX reliably. ] Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|