From 3cb55fe47c3398b81956e4fe20c4004524d47519 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 3 Apr 2020 10:24:40 +0200 Subject: [PATCH] Add test cases for the non CA certificate with pathlen:0 Accept verification without -x509_strict and reject it with it. Reviewed-by: Bernd Edlinger Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/11463) --- test/certs/ee-pathlen.pem | 17 +++++++++++++++++ test/certs/setup.sh | 4 +++- test/recipes/25-test_verify.t | 6 +++++- 3 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 test/certs/ee-pathlen.pem diff --git a/test/certs/ee-pathlen.pem b/test/certs/ee-pathlen.pem new file mode 100644 index 0000000000..0bcae1d7bd --- /dev/null +++ b/test/certs/ee-pathlen.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMDA0MDMwODA0MTVaGA8yMTIwMDQwNDA4MDQxNVowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjEDAOMAwGA1UdEwQFMAMCAQAwDQYJKoZIhvcNAQEL +BQADggEBAApOUnWWd09I0ts3xa1oK7eakc+fKTF4d7pbGznFNONaCR3KFRgnBVlG +Bm8/oehrrQ28Ad3XPSug34DQQ5kM6JIuaddx50/n4Xkgj8/fgXVA0HXizOJ3QpKC +IojLVajXlQHhpo72VUQuNOha0UxG9daYjS20iXRhanTm9rUz7qQZEugVQCiR0z/f +9NgM7FU9UaSidzH3gZu/Ufc4Ggn6nZV7LM9sf4IUV+KszS1VpcK+9phAmsB6BaAi +cFXvVXZjTNualQgPyPwOD8c+vVCIfIemfF5TZ6fyqpOjprWQAphwrTtfNDSmqRTz +FRhDf+vJERQclgUtg37EgWGKtnNQeRY= +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index d58d0d789b..f4f3e046f0 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -154,7 +154,7 @@ openssl x509 -in sca-cert.pem -trustout \ -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem # Primary leaf cert: ee-cert -# ee variants: expired, issuer-key2, issuer-name2 +# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth # purpose variants: client # @@ -163,6 +163,8 @@ openssl x509 -in sca-cert.pem -trustout \ ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2 ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert +./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \ + -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # openssl x509 -in ee-cert.pem -trustout \ -addtrust serverAuth -out ee+serverAuth.pem diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index c0de243708..3df2b5c370 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -27,7 +27,7 @@ sub verify { run(app([@args])); } -plan tests => 137; +plan tests => 139; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -222,6 +222,10 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), "accept direct match with client trust"); ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), "reject direct match with client mistrust"); +ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]), + "accept non-ca with pathlen:0 by default"); +ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"), + "reject non-ca with pathlen:0 with strict flag"); # Proxy certificates ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), -- 2.25.1