The branch master has been updated via 320fc032b98cc452c5dc96600b16da40b155123b (commit) via 80070e478a780c0b28ffad6fae6828ef060ebe1d (commit) via 65a97b2c38c224f47e313868e01f58138d934478 (commit) from d63053bbdfa226c85e9cec06c35283296e254a84 (commit)
- Log ----------------------------------------------------------------- commit 320fc032b98cc452c5dc96600b16da40b155123b Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Tue Jun 8 11:54:20 2021 +0200 25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656) commit 80070e478a780c0b28ffad6fae6828ef060ebe1d Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Tue Jun 8 11:23:34 2021 +0200 test/certs/mkcert.sh: Correct description of geneealt parameters Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656) commit 65a97b2c38c224f47e313868e01f58138d934478 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Mon Jun 7 12:16:25 2021 +0200 25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint' Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15656) ----------------------------------------------------------------------- Summary of changes: test/certs/ee-ss-with-keyCertSign.pem | 19 +++++++++++++++++++ test/certs/mkcert.sh | 4 ++-- test/recipes/25-test_verify.t | 13 ++++++++----- 3 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 test/certs/ee-ss-with-keyCertSign.pem diff --git a/test/certs/ee-ss-with-keyCertSign.pem b/test/certs/ee-ss-with-keyCertSign.pem new file mode 100644 index 0000000000..a2f3bbe3b6 --- /dev/null +++ b/test/certs/ee-ss-with-keyCertSign.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEzCCAfugAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNFRSB3 +aXRoIGtleUNlcnRTaWduMCAXDTIxMDYwODA5MzYyMFoYDzIxMjEwNjA5MDkzNjIw +WjAeMRwwGgYDVQQDDBNFRSB3aXRoIGtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7bLA/Vc/vit6gbenVgK9R9PHN2ta7e +ky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8NxkP+MTT4KNh16aO7iILvo3LiU2IF +RU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7CNqAR/8BZNf1JHN0cQjMGeK4EOCPl +53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqCGxWL0Zmr5J5vlKrSluVX+4yRZIo8 +JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0dopynHP0riIie075Bj1+/Qckk+W625 +G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+eTQfSokftwIDAQABo1owWDAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIChDAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfh +c6IwHwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDQYJKoZIhvcNAQEL +BQADggEBAJGmRJpl4aa34SRZPb02TMTYCU/ieL6wqNJ2qXHinJQtHRuvEIVVaW4c +k3u/hNftu0ZtI2Y/dxQ2tybA4qP1ICkGU6VWAMJLSH83Fvz+6WsQB69zWNAwvVtz +8BVggIEv13RdZbpn10h3lNeLejBGAzYbwLMWpsjYHSNsYC5aqpg+y7mgPyuRDjRR +N26FdQjJEe9Px92h32dK6xxTS2LCiqHlimQCq+gRP/97rZLXNoyHLC6cfGCJpsEV +fFAH44emO2ouODBrQqZRvn+SV7ubWTTeJwY/aK+Wdvu/w3mEwNNDCDqCfE6c6p9h +zAk0no0/4w1o15ua7N+j/9q4iGJxx3k= +-----END CERTIFICATE----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 3b7f4e5f03..8ccf7bc6e3 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -195,11 +195,11 @@ genpc() { -set_serial 2 -days "${DAYS}" } -# Usage: $0 geneealt keyname certname eekeyname eecertname alt1 alt2 ... +# Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ... # # Note: takes csr on stdin, so must be used with $0 req like this: # -# $0 req keyname dn | $0 geneealt keyname certname eekeyname eecertname alt ... +# $0 req keyname dn | $0 geneealt keyname certname cakeyname cacertname alt ... geneealt() { local key=$1; shift local cert=$1; shift diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 3ed408b795..269b2ba4aa 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t 
@@ -28,7 +28,7 @@ sub verify { run(app([@args])); } -plan tests => 156; +plan tests => 157; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -371,10 +371,11 @@ ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), #Check that we get the expected failure return code with({ exit_checker => sub { return shift == 2; } }, - sub { - ok(verify("bad-othername-namec", "", ["bad-othername-namec-inter"], [], "-partial_chain"), - "Name constraints bad othername name constraint"); - }); + sub { + ok(verify("bad-othername-namec", "", ["bad-othername-namec-inter"], [], + "-partial_chain", "-attime", "1623060000"), + "Name constraints bad othername name constraint"); + }); ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"), "Accept PSS signature using SHA1 at auth level 0"); @@ -411,6 +412,8 @@ ok(verify("root-cert-rsa2", "", ["root-cert-rsa2"], [], "-check_ss_sig"), ok(verify("ee-self-signed", "", ["ee-self-signed"], [], "-attime", "1593565200"), "accept trusted self-signed EE cert excluding key usage keyCertSign"); +ok(verify("ee-ss-with-keyCertSign", "", ["ee-ss-with-keyCertSign"], []), + "accept trusted self-signed EE cert with key usage keyCertSign also when strict"); SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 6
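Review bot: The pinned time in the `bad-othername-namec` call, `"-attime", "1623060000"`, is a bare epoch value with no explanation. It corresponds to 2021-06-07 10:00:00 UTC, roughly the commit time, and was presumably chosen to fall inside the validity period of the test certificates. A comment such as `# 1623060000 = 2021-06-07 10:00 UTC; pinned so the certs do not expire under the test` would record that. Separately, the surrounding `exit_checker` only checks that the return code equals 2, so any verification failure (expiry included, presumably) satisfies the test. Matching the expected name-constraint error in the command output as well would keep this negative test from passing for an unrelated reason.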
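Review bot: The description of the added `ee-ss-with-keyCertSign` test ends in "also when strict", but the `verify(...)` call passes no option after the empty untrusted list. Unless the `verify` helper enables strict checking itself (its body is outside this hunk), the test exercises only the default, non-strict path. If strict mode is intended, request it explicitly, e.g. `ok(verify("ee-ss-with-keyCertSign", "", ["ee-ss-with-keyCertSign"], [], "-x509_strict"),`; otherwise drop "also when strict" so the test name matches what is checked. A short comment stating why a directly trusted self-signed EE certificate that asserts keyCertSign must still be accepted would record the intended policy next to the test.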