25-test_req.t: add test cases pointing out that we won't fix #19095
authorDr. David von Oheimb <dev@ddvo.net>
Tue, 6 Jan 2026 11:35:44 +0000 (12:35 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 11 Mar 2026 11:22:27 +0000 (12:22 +0100)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

test/recipes/25-test_req.t

index 49fde8f056518bacab5e841fec7066f98d44470b..1f4cb803b5bff7782c2ea58a7633496d65b3dd58 100644 (file)
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_req");
 
-plan tests => 116;
+plan tests => 121;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -554,14 +554,23 @@ sub has_keyUsage {
     my $expect = shift @_;
     cert_contains($cert, "Key Usage", $expect);
 }
-sub strict_verify {
+sub verify {
+    my $strict = shift @_;
     my $cert = shift @_;
     my $expect = shift @_;
     my $trusted = shift @_;
     $trusted = $cert unless $trusted;
-    ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
+    my @cmd = ("openssl", "verify");
+    push(@cmd, "-x509_strict") if $strict;
+    ok(run(app([@cmd, "-trusted", $trusted,
                 "-partial_chain", $cert])) == $expect,
-       "strict verify allow $cert");
+       ($strict ? "strict " : "")." verify ".
+       ($expect ? "accept" : "reject")." $cert");
+}
+
+sub strict_verify {
+    unshift @_, 1;
+    return verify(@_);
 }
 
 my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
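Review bot: The test description assembled in the new `verify` sub yields a doubled space in strict mode ("strict  verify accept …") and a leading space otherwise (" verify reject …"), because `"strict "` already ends in a space and `" verify "` starts with one; `($strict ? "strict " : "")."verify ".` fixes both. Since the sub now takes four positional arguments whose meaning is not obvious at the call sites, a header comment such as `# verify($strict, $cert, $expect, [$trusted]): run openssl verify [-x509_strict] -partial_chain; $expect is 1 for accept, 0 for reject; $trusted defaults to $cert` would help readers of the later test blocks. In `strict_verify`, `return verify(1, @_);` expresses the intent more directly than mutating `@_` with `unshift` first. The `== $expect` comparison presumes `run` returns exactly 0 or 1; that was already the case in the old code, so it is only worth confirming, not changing.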
@@ -721,7 +730,7 @@ generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:a
     "-in", srctop_file(@certs, "x509-check.csr"));
 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
 
-# AKID of not self-issued certs
+# AKID of not self-issued end-entity certs
 
 $cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
 generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
@@ -747,6 +756,20 @@ has_SKID($cert, 1);
 has_AKID($cert, 0);
 strict_verify($cert, 0, $ca_cert);
 
+# weird self-issued end-entity cert without SKID/AKID signed by CA, as in #19095
+$cert = "self-issued_v3_EE_no_KIDs_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+              "-addext", "authorityKeyIdentifier = none",
+              "-key", srctop_file(@certs, "ee-key.pem"));
+cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
+# variant self-issued end-entity cert with only AKID signed by CA, which conforms to RFC 5280
+$cert = "self-issued_v3_EE_only_AKID_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+              "-key", srctop_file(@certs, "ee-key.pem"));
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
 
 # Key Usage