From: Dr. David von Oheimb
Date: Tue, 21 Mar 2023 13:21:45 +0000 (+0100)
Subject: 25-test_verify.t: add test for trusted root excluding key usage KeyCertSign
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2bd5e6f338105057efb76f81448269c3034e2a73;p=thirdparty%2Fopenssl.git
25-test_verify.t: add test for trusted root excluding key usage KeyCertSign
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18764)
---
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 5bd87087cc1..9619e26a5da 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -223,6 +223,8 @@ OPENSSL_KEYBITS=4096 \
 OPENSSL_KEYBITS=8192 \
 ./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert
+# root CA cert with explicit keyUsage not including KeyCertSign
+openssl req -new -x509 -key root-key.pem -subj /CN="Root CA" -out root-no-KeyCertSign.pem -addext keyUsage=digitalSignature -days 36525
 # self-signed end-entity cert with explicit keyUsage not including KeyCertSign
 openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index f3fae34b47e..3c798e54a51 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -30,7 +30,7 @@ sub verify {
 run(app([@args]));
 }
-plan tests => 205;
+plan tests => 206;
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
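Review bot: In test/certs/setup.sh the added `openssl req -new -x509 ... -addext keyUsage=digitalSignature` line pins only keyUsage, so whether root-no-KeyCertSign.pem also carries basicConstraints CA:TRUE presumably depends on the configuration `openssl req` picks up when the script is run. If a regeneration ever produced the certificate without the CA flag, the new verify test would still fail, but for the same reason as the existing root-nonca case, and the key usage check on trust anchors would no longer be exercised. I would record the expectation next to the command, for example `# must stay CA:TRUE so that the missing keyCertSign bit is the only reason for rejection; inspect with openssl x509 -noout -text after regenerating`.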
@@ -39,6 +39,8 @@ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
 # Root CA variants
 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
 "fail trusted non-ca root");
+ok(!verify("ee-cert", "sslserver", [qw(root-no-KeyCertSign)], [qw(ca-cert)]),
+ "fail trusted root excluding key usage KeyCertSign");
 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
 "fail server trust non-ca root");
 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
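Review bot: The added `ok(!verify("ee-cert", "sslserver", [qw(root-no-KeyCertSign)], [qw(ca-cert)]), ...)` asserts only that verification fails, so it also passes if root-no-KeyCertSign.pem is missing, unreadable, or rejected for a reason other than the absent keyCertSign bit; the certificate file itself is not part of the diff shown here. Because this case guards a trust-anchor check, a regression in that check could go unnoticed while the test stays green. verify() is defined outside this hunk and, from the context lines, appears to return only the success of the command, so the failure reason cannot be asserted with it as written. At minimum I would add a comment above the test such as `# root-no-KeyCertSign: made from root-key.pem with keyUsage=digitalSignature only; must be rejected because keyCertSign is absent`, and consider a follow-up that captures the command output and matches the reported verification error.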