--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAjmgAwIBAgIUZxTKBh9L8ApVNcsI5ontnHRbv8wwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMB0xGzAZBgNVBAMMEmVlLXNlbGYtc2lnbmVkLXBzczAgFw0yNDA2MTcx
+MTA5NTRaGA8yMTI0MDYxODExMDk1NFowHTEbMBkGA1UEAwwSZWUtc2VsZi1zaWdu
+ZWQtcHNzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7b
+LA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8N
+xkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7C
+NqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqC
+GxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0do
+pynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+
+eTQfSokftwIDAQABo1MwUTAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6Iw
+HwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB
+/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEI
+MA0GCWCGSAFlAwQCAQUAogMCASADggEBADjXHPnAha0YQKFCfQZqy8LLgxoQDbfP
+5XKQJ8/FfeJXO9yjEmqOEoWM/QQIlM1gpepOOw8ZRhxcwx93eO+XtvJUA3bW+H73
+jwnqiX5mu1SpA/2IHcifxuOuXUwUh7vtOJGFATHusAn7dS3+tnJSkS+6pvSsJjDu
+0x3fV8rLq1gL9gOC2MdzkLxyp7xmdgibQMI+PyPNgU1e1Qm88Cp5dVNRMdgQ+3CL
+E3h7qfSpSkUCM9rNBc2/rqavQ/UPq5H6r8R9gYd9yR7uGL88B9QI4DQDR8T6x9JG
+0ebWYLuH2xWP9Njl2IbwN3uqQSeRSSqy7UlNo51O+nkvU1vCJGy6aXw=
+-----END CERTIFICATE-----
# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
+# self-signed end-entity cert signed with RSA-PSS
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed-pss -out ee-self-signed-pss.pem -days 36525 \
+ -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+
# Proxy certificates, off of ee-client
# Start with some good ones
./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
* https://www.openssl.org/source/license.html
*/
+#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_get1/set1_RSA */
+
#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+#include "crypto/x509.h" /* x509_st definition */
#include "testutil.h"
static EVP_PKEY *pubkey = NULL;
return ret;
}
+static int test_asn1_item_verify(void)
+{
+ int ret = 0;
+ BIO *bio = NULL;
+ X509 *x509 = NULL;
+ const char *certfile;
+ const ASN1_BIT_STRING *sig = NULL;
+ const X509_ALGOR *alg = NULL;
+ EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ RSA *rsa = NULL;
+#endif
+
+ if (!TEST_ptr(certfile = test_get_argument(0))
+ || !TEST_ptr(bio = BIO_new_file(certfile, "r"))
+ || !TEST_ptr(x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))
+ || !TEST_ptr(pkey = X509_get0_pubkey(x509)))
+ goto err;
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ /* Issue #24575 requires legacy key but the test is useful anyway */
+ if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey)))
+ goto err;
+
+ if (!TEST_int_gt(EVP_PKEY_set1_RSA(pkey, rsa), 0))
+ goto err;
+#endif
+
+ X509_get0_signature(&sig, &alg, x509);
+
+ if (!TEST_int_gt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+ (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+ &x509->cert_info, pkey), 0))
+ goto err;
+
+ ERR_set_mark();
+ if (!TEST_int_lt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+ (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+ NULL, pkey), 0)) {
+ ERR_clear_last_mark();
+ goto err;
+ }
+ ERR_pop_to_mark();
+
+ ret = 1;
+
+ err:
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ RSA_free(rsa);
+#endif
+ X509_free(x509);
+ BIO_free(bio);
+ return ret;
+}
+
+OPT_TEST_DECLARE_USAGE("<pss-self-signed-cert.pem>\n")
+
int setup_tests(void)
{
const unsigned char *p;
+ int cnt;
+
+ cnt = test_get_argument_count();
+ if (cnt != 1) {
+ TEST_error("Must specify a certificate file self-signed with RSA-PSS.\n");
+ return 0;
+ }
p = pubkeydata;
pubkey = d2i_PUBKEY(NULL, &p, sizeof(pubkeydata));
ADD_TEST(test_x509_tbs_cache);
ADD_TEST(test_x509_crl_tbs_cache);
+ ADD_TEST(test_asn1_item_verify);
return 1;
}
projects / thirdparty / openssl.git / commitdiff
