#
d0bf0106 |
| 09-Oct-2023 |
Tomas Mraz |
ECDSA with SHA3 verification does not depend on FIPS provider version Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22322)
|
#
fd27a7e4 |
| 22-Sep-2023 |
Mathieu Tortuyaux |
test: add verify test for EC cert signed with SHA3 Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22147)
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
4032cd9a |
| 17-Apr-2023 |
Yi Li |
configure: introduce no-ecx to remove ECX related feature This can effectively reduce the binary size for platforms that don't need ECX feature(~100KB). Signed-off-by: Yi Li <yi1.li@intel.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20781)
|
#
591feddc |
| 07-Mar-2023 |
Matt Caswell |
Add a Certificate Policies Test Test that a valid certificate policy is accepted and that an invalid certificate policy is rejected. Specifically we are checking that a leaf certificate with an invalid policy is detected. Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
|
#
96e77bd3 |
| 13-Dec-2022 |
Tomas Mraz |
Add testcase for nc_match_single type confusion Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
e1289d90 |
| 13-Sep-2022 |
Tomas Mraz |
With fips provider 3.0.0 skip tests related to explicit curves handling Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19201)
|
#
61a97676 |
| 15-Jun-2022 |
Lutz Jaenicke |
X509: add tests for purpose code signing in verify application Correct configuration according to CA Browser forum: KU: critical,digitalSignature XKU: codeSigning Note: I did not find any other document formally defining the requirements for code signing certificates. Some combinations are explicitly forbidden, some flags can be ignored Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18567)
|
#
f7346cab |
| 20-Jun-2022 |
Tomas Mraz |
Test whether decoded-from-explicit survives import/export Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18609)
|
#
386ab7f1 |
| 17-Jun-2022 |
Lutz Jaenicke |
Add test cases for verification of time stamping certificates Test makes sure, that both time stamping certificate according to rfc3161 (no requirements for keyUsage extension) and according to CAB forum (keyUsage extension must be digitalSignature and be set critical) are accepted. Misuse cases as stated in CAB forum are rejected, only exception is a missing "critical" flag on keyUsage. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18597)
|
#
0fcf2351 |
| 03-Dec-2021 |
Matt Caswell |
Add a test case for the name constraints bug Where a chain has name constraints but a certificate does not have a SAN extension but the CN meets the constraints, then this should be acceptable. However, an OpenSSL bug meant that an internal error was being reported. This adds a test case for that scenario. Test for CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
#
3dd74e21 |
| 06-Sep-2021 |
Richard Levitte |
Fix a few tests that fail on VMS In one spot, files aren't properly closed, so the sub-process program that's supposed to read them can't, because it's locked out. In another spot, srctop_file() was used where srctop_dir() should be used to properly format a directory specification. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16518) (cherry picked from commit 7364545e0734ad25e08d7d5ad0e2c9dac85d2d0d)
|
#
d4458e59f6 |
| 03-Sep-2021 |
Richard Levitte |
test/recipes/25-test_verify.t: Add a couple of tests of mixed PEM files Fixes #16224 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16466)
|
#
c602fadc |
| 18-Jun-2021 |
Pauli |
test: fix indentation Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15824)
|
#
a0430488 |
| 18-Jun-2021 |
Pauli |
test: replace tabs with spaces in test recipes Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15824)
|
#
320fc032 |
| 08-Jun-2021 |
Dr. David von Oheimb |
25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656)
|
#
65a97b2c |
| 07-Jun-2021 |
Dr. David von Oheimb |
25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint' Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656)
|
#
f43f9d63 |
| 03-Jun-2021 |
Matt Caswell |
Test a bad SmtpUTF8Mailbox name constraint We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox entry, with an intermediate certificate with email name constraints. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15611)
|
#
07e84e67 |
| 27-May-2021 |
Dr. David von Oheimb |
ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15499)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
97b59744 |
| 02-Mar-2021 |
Dr. David von Oheimb |
cleanup where purpose is not needed in 25-test_verify.t Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14413)
|
Revision tags: openssl-3.0.0-alpha12 |
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
Revision tags: OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
199df4a9 |
| 26-Jan-2021 |
Dr. David von Oheimb |
check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS This is an upstream fix for #13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13968)
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i |
|
#
3bed88a3 |
| 01-Dec-2020 |
Dr. David von Oheimb |
x509_vfy.c: Restore rejection of expired trusted (root) certificate The certificate path validation procedure specified in RFC 5280 does not include checking the validity period of the trusted (root) certificate. Still it is common good practice to perform this check. Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it. The current commit restores the previous behavior. It also removes the cause of that bug, namely counter-intuitive design of the internal function check_issued(), which was complicated by checks that actually belong to some other internal function, namely find_issuer(). Moreover, this commit adds a regression check and proper documentation of the root cert validity period check feature, which had been missing so far. Fixes #13427 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13590)
|
Revision tags: openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
#
4ff993d7 |
| 22-Sep-2020 |
Dr. David von Oheimb |
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify() Fixes #7761 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12947)
|
#
cccf532f |
| 11-Sep-2020 |
Tomas Mraz |
Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12683)
|