OPENSSL_KEYBITS=8192 \
./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert
+# root CA cert with explicit keyUsage not including KeyCertSign
+openssl req -new -x509 -key root-key.pem -subj /CN="Root CA" -out root-no-KeyCertSign.pem -addext keyUsage=digitalSignature -days 36525
# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
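Review bot: The added `openssl req -new -x509` line for root-no-KeyCertSign.pem pins only `keyUsage`, so whether the certificate also carries a CA basic constraint depends on whichever openssl.cnf is active when the script is run. If that config supplies no `basicConstraints=CA:TRUE`, the certificate would presumably be rejected as a non-CA. That is the case root-nonca already covers, and the missing-keyCertSign check would go unexercised. Consider making the extension explicit with `-addext basicConstraints=critical,CA:TRUE`, after confirming it does not clash with the extension section of the config in use. At minimum, record the assumption in the comment: `# root CA cert (CA:TRUE taken from the config) with explicit keyUsage not including KeyCertSign`.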
run(app([@args]));
}
-plan tests => 205;
+plan tests => 206;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
# Root CA variants
ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
"fail trusted non-ca root");
+ok(!verify("ee-cert", "sslserver", [qw(root-no-KeyCertSign)], [qw(ca-cert)]),
+ "fail trusted root excluding key usage KeyCertSign");
ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
"fail server trust non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
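Review bot: The new `ok(!verify(...))` for `root-no-KeyCertSign` passes on any verification failure, so it would also pass if root-no-KeyCertSign.pem were missing, unreadable, or rejected for a reason unrelated to keyUsage. The visible lines do not show the generated PEM being added, and the body of `verify` is outside this view, so confirm the file is committed and that the failure really comes from the key usage check. The neighbouring negative tests share this shape, so this is the file's convention rather than a regression. A short comment above the assertion would state the property being guarded, for example `# a trust anchor whose keyUsage omits keyCertSign must not be accepted as an issuer`.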