Branch: refs/heads/master
Home: https://github.com/openssl/openssl

Commit: 7fab3c7d61b0064dcf50db39fb490970c60d9a34
https://github.com/openssl/openssl/commit/7fab3c7d61b0064dcf50db39fb490970c60d9a34
Author: erbsland-dev <git...@erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)

Changed paths:
  M crypto/err/openssl.txt
  M crypto/x509/x509_err.c
  M crypto/x509/x_all.c
  M include/openssl/x509err.h

Log Message:
-----------
Add Version Check for CSR Verification

Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error.

To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in a `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues.

Reviewed-by: Neil Horman <nhor...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

Commit: 895ecd0ce86c17fc696ad58c9f4b2ac1b821c5d4
https://github.com/openssl/openssl/commit/895ecd0ce86c17fc696ad58c9f4b2ac1b821c5d4
Author: erbsland-dev <git...@erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)

Changed paths:
  M test/build.info
  A test/recipes/60-test_x509_req.t
  A test/x509_req_test.c

Log Message:
-----------
Add Test for Verification Failure on Incorrect X509 Version

Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called.

Adding a new test recipe `60-test_x509_req.t`

Reviewed-by: Neil Horman <nhor...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

Commit: 7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5
https://github.com/openssl/openssl/commit/7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5
Author: erbsland-dev <git...@erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)

Changed paths:
  A test/certs/x509-req-detect-invalid-version.pem
  M test/recipes/60-test_x509_req.t
  M test/x509_req_test.c

Log Message:
-----------
Make x509_req_test ANSI Compatible

Update the `x509_req_test` to ensure ANSI compatibility. The integrated certificate string was too long, so the PEM certificate has been moved to `certs/x509-req-detect-invalid-version.pem`. The test has been updated to load this certificate from the file on disk.

Reviewed-by: Neil Horman <nhor...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)

Compare: https://github.com/openssl/openssl/compare/03448ba21b5e...7d2c0a4b1feb
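
The first commit's check (reject a CSR whose version is not 1, encoded as zero, before its signature is verified) can be illustrated at the DER level. This is an added example, not OpenSSL's code and not part of the commits above: the function names are hypothetical, the DER reader is hand-written, and the two byte arrays are constructed skeletons that carry only the version field of a CertificationRequest.

```c
#include <stddef.h>

/* Read one DER tag/length header at *p and advance *p to the value bytes. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char tag, size_t *len)
{
    const unsigned char *q = *p;
    size_t n, l = 0;
    if (end - q < 2 || *q++ != tag)
        return 0;
    if (*q < 0x80) {                 /* short form */
        l = *q++;
    } else {                         /* long form, at most 4 length bytes */
        n = *q++ & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - q) < n)
            return 0;
        while (n--)
            l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l)       /* value must fit in the buffer */
        return 0;
    *p = q;
    *len = l;
    return 1;
}

/* Encoded version INTEGER of a CSR, or -1 if the structure is malformed. */
long csr_encoded_version(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen;
    size_t len, i;
    long v = 0;
    if (!der_header(&p, end, 0x30, &len))   /* CertificationRequest */
        return -1;
    end = p + len;
    if (!der_header(&p, end, 0x30, &len))   /* CertificationRequestInfo */
        return -1;
    end = p + len;
    if (!der_header(&p, end, 0x02, &len) || len == 0 || len > 4 || (p[0] & 0x80))
        return -1;                          /* missing, oversized or negative */
    for (i = 0; i < len; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Gate to run before any signature check: only version 1 (encoded 0) passes. */
int csr_version_supported(const unsigned char *der, size_t derlen)
{
    return csr_encoded_version(der, derlen) == 0;
}

/* Constructed samples: SEQUENCE { SEQUENCE { INTEGER version } } only. */
const unsigned char CSR_V1[] = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x00};
const unsigned char CSR_UNSUPPORTED[] = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x06};
```

A caller would reject the request as soon as `csr_version_supported` returns 0, without reaching signature verification.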