History log of /openssl/test/certs/setup.sh (Results 1 – 25 of 40)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 2f0b4974 17-Jun-2024 Tomas Mraz

Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com

Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)

show more ...


# fd27a7e4 22-Sep-2023 Mathieu Tortuyaux

test: add verify test for EC cert signed with SHA3

Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas M

test: add verify test for EC cert signed with SHA3

Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22147)

show more ...


# a4e72642 07-Mar-2023 Matt Caswell

Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl

Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)

show more ...


# 96e77bd3 13-Dec-2022 Tomas Mraz

Add testcase for nc_match_single type confusion

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>


# 61a97676 15-Jun-2022 Lutz Jaenicke

X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging

Note: I

X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging

Note: I did not find any other document formally defining the requirements
for code signing certificates.

Some combinations are explicitly forbidden, some flags can be ignored

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

show more ...


# a148a9b4 08-Jul-2022 Dr. David von Oheimb

test/certs/setup.sh: add missing comment on CA cert variant without basic constraints

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Re

test/certs/setup.sh: add missing comment on CA cert variant without basic constraints

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18758)

show more ...


# 386ab7f1 17-Jun-2022 Lutz Jaenicke

Add test cases for verification of time stamping certificates

Test makes sure, that both time stamping certificate according to rfc3161 (no
requirements for keyUsage extension) and accor

Add test cases for verification of time stamping certificates

Test makes sure, that both time stamping certificate according to rfc3161 (no
requirements for keyUsage extension) and according to CAB forum (keyUsage
extension must be digitalSignature and be set critical) are accepted. Misuse
cases as stated in CAB forum are rejected, only exeption is a missing
"critial" flag on keyUsage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18597)

show more ...


# 336d92eb 25-Mar-2022 Tomas Mraz

Enable setting SSL_CERT_FLAG_TLS_STRICT with ssl config

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl

Enable setting SSL_CERT_FLAG_TLS_STRICT with ssl config

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17989)

show more ...


# 3269c8bd 02-Dec-2021 Matt Caswell

Add a new Name Constraints test cert

Add a cert which complies with the name constraints but has no
SAN extension

Reviewed-by: Tomas Mraz <tomas@openssl.org>


# 305c77aa 30-Aug-2021 Viktor Dukhovni

Test for DANE cross cert fix

Reviewed-by: Tomáš Mráz <tomas@openssl.org>


Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13
# eca4826a 02-Mar-2021 Dr. David von Oheimb

test/certs/setup.sh: Fix two glitches

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

test/certs/setup.sh: Fix two glitches

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)

show more ...


# 4f449d90 02-Mar-2021 Dr. David von Oheimb

test/certs/setup.sh: structural cleanup

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/

test/certs/setup.sh: structural cleanup

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)

show more ...


Revision tags: openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11
# 199df4a9 26-Jan-2021 Dr. David von Oheimb

check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS

This is an upstream fix for #13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged fro

check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS

This is an upstream fix for #13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13968)

show more ...


Revision tags: openssl-3.0.0-alpha10
# 9495cfbc 12-Dec-2020 Dr. David von Oheimb

make various test CA certs RFC 5280 compliant w.r.t. X509 extensions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)


Revision tags: OpenSSL_1_1_1i
# d7cdb8b6 03-Dec-2020 Dr. David von Oheimb

test/certs/setup.sh: Fix two glitches

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)


# 3bed88a3 01-Dec-2020 Dr. David von Oheimb

x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the t

x509_vfy.c: Restore rejection of expired trusted (root) certificate

The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.

The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().

Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.

Fixes #13427

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)

show more ...


Revision tags: openssl-3.0.0-alpha9, openssl-3.0.0-alpha8
# b6ae56fd 29-Oct-2020 Matt Caswell

Add some additional test certificates/keys

Add certs with 1024, 3072, 4096 and 8192 bit RSA keys

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.c

Add some additional test certificates/keys

Add certs with 1024, 3072, 4096 and 8192 bit RSA keys

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)

show more ...


Revision tags: openssl-3.0.0-alpha7, OpenSSL_1_1_1h
# 4ff993d7 22-Sep-2020 Dr. David von Oheimb

Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()

Fixes #7761

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/open

Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()

Fixes #7761

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)

show more ...


# cf61b97d 23-Sep-2020 Tomas Mraz

Generate a certificate with critical id-pkix-ocsp-nocheck extension

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/1294

Generate a certificate with critical id-pkix-ocsp-nocheck extension

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12947)

show more ...


# 627ddf7b 18-Sep-2020 Tomas Mraz

Correct certificate and key names for explicit ec param test

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12915)


# cccf532f 11-Sep-2020 Tomas Mraz

Disallow certs with explicit curve in verification chain

The check is applied only with X509_V_FLAG_X509_STRICT.

Fixes #12139

Reviewed-by: David von Oheimb <david.von.oheim

Disallow certs with explicit curve in verification chain

The check is applied only with X509_V_FLAG_X509_STRICT.

Fixes #12139

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)

show more ...


Revision tags: openssl-3.0.0-alpha6
# 5cd99622 28-Jul-2020 Matt Caswell

Fix a test_verify failure

A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.

Reviewed-by

Fix a test_verify failure

A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12549)

show more ...


Revision tags: openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2
# ef898017 11-May-2020 Dr. David von Oheimb

Deprecate -nodes in favor of -noenc in pkcs12 and req app

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://

Deprecate -nodes in favor of -noenc in pkcs12 and req app

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12495)

show more ...


Revision tags: openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e
# 0e7b1383 24-Dec-2019 Dr. David von Oheimb

Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verif

Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix

Fixes #1418

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

show more ...


# 3cb55fe4 03-Apr-2020 Tomas Mraz

Add test cases for the non CA certificate with pathlen:0

Accept verification without -x509_strict and reject it with it.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>

Add test cases for the non CA certificate with pathlen:0

Accept verification without -x509_strict and reject it with it.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)

show more ...


12