my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-plan tests => $no_fips ? 53 : 59;
+plan tests => $no_fips ? 58 : 69;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
"-passin", "pass:1234"], stderr => "${pbmac1_id}_info.txt")),
"test_export_pkcs12_${pbmac1_id}_info");
open DATA, "${pbmac1_id}_info.txt";
- my @match = grep /$lookup/, <DATA>;
+ @match = grep /$lookup/, <DATA>;
close DATA;
ok(scalar @match > 0 ? 1 : 0, "test_export_pkcs12_${pbmac1_id}_info");
}
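Review bot: Dropping `my` from `@match = grep /$lookup/, <DATA>;` makes this assignment depend on an `@match` declared in an enclosing scope that is not visible in the hunk; under `use strict` the file will not compile without that declaration, and if it is file-scoped the variable is now shared between this loop and any later code that uses the same name. If the goal was only to avoid a redeclaration warning, keeping the declaration local to the loop body (`my @match = grep /$lookup/, <DATA>;`) or renaming it is the narrower change. The enclosing loop begins before this hunk, so where `@match` is declared cannot be confirmed from here.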
"-has-cert", 1,
])), "Test pkcs12_parse()");
+# Test against CVE-2025-69421, octet parameter is expected, but
+# NULL is being received and dereferenced
+
+unless ($no_fips) {
+ my $file = "sha256mac_cert.oct-is-null.p12";
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ my @output = run(app(["openssl", "storeutl", "-certs", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /PKCS12_item_decrypt_d2i_ex:passed a null parameter/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2025-69421 - null parameter, sha256mac");
+ }
+ );
+}
+
+{
+ my $file = "pbmac1_cert.oct-is-null.p12";
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ my @output = run(app(["openssl", "storeutl", "-certs", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /PKCS12_item_decrypt_d2i_ex:passed a null parameter/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2025-69421 - null parameter, pbmac1");
+ }
+ );
+}
+
+# Test against CVE-2026-22795 , missing ASN1_TYPE validation in cert
+unless ($no_fips) {
+ for my $file ("BOOLEAN-in-friendlyName-of-cert-pkcs12-sha256mac.p12",
+ "BOOLEAN-in-localKeyID-of-cert-pkcs12-sha256mac.p12"
+ )
+ {
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ my @output = run(app(["openssl", "storeutl", "-certs", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /:PKCS12_parse:parse error:/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2026-22795 , missing ASN1_TYPE validation in cert, sha256mac");
+ }
+ );
+ }
+}
+
+for my $file ("BOOLEAN-in-friendlyName-of-cert-pbmac1.p12",
+ "BOOLEAN-in-localKeyID-of-cert-pbmac1.p12"
+ )
+{
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ my @output = run(app(["openssl", "storeutl", "-certs", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /:PKCS12_parse:parse error:/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2026-22795 , missing ASN1_TYPE validation in cert, pbmac1");
+ }
+ );
+}
+
+# Test against CVE-2026-22795, missing ASN1_TYPE validation in keys
+unless ($no_fips) {
+ for my $file ("BOOLEAN-in-friendlyName-of-key-pkcs12-sha256mac.p12",
+ "BOOLEAN-in-localKeyID-of-key-pkcs12-sha256mac.p12"
+ )
+ {
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+
+ my @output = run(app(["openssl", "storeutl", "-keys", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /:PKCS12_parse:parse error:/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2026-22795 , missing ASN1_TYPE validation in keys, sha256mac");
+ }
+ );
+ }
+}
+
+for my $file ("BOOLEAN-in-friendlyName-of-key-pbmac1.p12",
+ "BOOLEAN-in-localKeyID-of-key-pbmac1.p12"
+ )
+{
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ my @output = run(app(["openssl", "storeutl", "-keys", "-text",
+ "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
+ capture => 1, stderr => "outerr.txt");
+ open DATA, "outerr.txt";
+ my @match = grep /:PKCS12_parse:parse error:/, <DATA>;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "Test against CVE-2026-22795 , missing ASN1_TYPE validation in keys, pbmac1");
+ }
+ );
+}
+
SetConsoleOutputCP($savedcp) if (defined($savedcp));
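Review bot: Each new `ok()` (L30, L46, L66, L85, L106, L125) passes whenever the error string is absent from outerr.txt, which is also what a crashed process or an unreadable stderr file produces, because the unchecked `open DATA, "outerr.txt"` yields an empty `<DATA>` on failure; the `exit_checker` that would tell a clean exit 1 from a signal has no effect on the result, since `run()` with `capture => 1` returns the captured output and only reports the exit check through `statusvar`, and `@output` is never inspected. Assert the exit status together with the absence of the message, check the `open`, and include `$file` in the description inside the two-file loops so the repeated names at L66/L85/L106/L125 are distinguishable in TAP output. The six blocks differ only in the `-certs`/`-keys` flag, file name, pattern and description, so a helper fixes all of them once and keeps the plan count unchanged; a sketch follows.
```perl
# Run storeutl on one PKCS#12 fixture, expecting exit status 1 and no stderr
# line matching $pattern; both conditions are asserted in a single ok().
sub check_storeutl_error {
    my ($mode, $file, $pattern, $desc) = @_;
    my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
    my $exit_ok;
    with({ exit_checker => sub { return shift == 1; } },
         sub {
             run(app(["openssl", "storeutl", $mode, "-text",
                      "-passin", "pass:RedHatEnterpriseLinux10.0", $path]),
                 capture => 1, stderr => "outerr.txt", statusvar => \$exit_ok);
         });
    open(my $fh, '<', "outerr.txt") or die "open outerr.txt: $!";
    my @match = grep { /$pattern/ } <$fh>;
    close $fh;
    ok($exit_ok && !@match, "$desc ($file)");
    return;
}

unless ($no_fips) {
    check_storeutl_error("-certs", "sha256mac_cert.oct-is-null.p12",
                         qr/PKCS12_item_decrypt_d2i_ex:passed a null parameter/,
                         "Test against CVE-2025-69421 - null parameter, sha256mac");
}
# … unchanged: the remaining five call sites follow the same shape …
```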