From: Dr. David von Oheimb
Date: Tue, 6 Jan 2026 11:35:44 +0000 (+0100)
Subject: 25-test_req.t: add test cases pointing out that we won't fix #19095
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9a188b5eff0ce501d553bd2ff2f32b7c8defbfbf;p=thirdparty%2Fopenssl.git
25-test_req.t: add test cases pointing out that we won't fix #19095
Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
---
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 49fde8f0565..1f4cb803b5b 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_req");
-plan tests => 116;
+plan tests => 121;
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -554,14 +554,23 @@ sub has_keyUsage {
 my $expect = shift @_;
 cert_contains($cert, "Key Usage", $expect);
 }
-sub strict_verify {
+sub verify {
+ my $strict = shift @_;
 my $cert = shift @_;
 my $expect = shift @_;
 my $trusted = shift @_;
 $trusted = $cert unless $trusted;
- ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
+ my @cmd = ("openssl", "verify");
+ push(@cmd, "-x509_strict") if $strict;
+ ok(run(app([@cmd, "-trusted", $trusted,
 "-partial_chain", $cert])) == $expect,
- "strict verify allow $cert");
+ ($strict ? "strict " : "")." verify ".
+ ($expect ? "accept" : "reject")." $cert");
+}
+
+sub strict_verify {
+ unshift @_, 1;
+ return verify(@_);
 }
 my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
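Review bot: The test label built in the new `verify` sub comes out as `strict  verify accept ...` (two spaces) for strict calls and with a leading space for non-strict ones, because `"strict "` and `" verify "` each carry their own separator; `($strict ? "strict " : "")."verify ".` would give a clean label in both cases. The helper now takes two adjacent 0/1 positional flags, so a call such as `verify(0, $cert, 0, $ca_cert)` later in this diff is easy to misread; a comment above the sub such as `# verify($strict, $cert, $expect [, $trusted]): $expect is 1 for accept, 0 for reject` would make the argument order explicit. Since the assertion is only `run(...) == $expect`, a reject expectation appears to be satisfied by any failure of `openssl verify`, not just the intended chain-building one, which is worth keeping in mind for the new negative cases.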
@@ -721,7 +730,7 @@ generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:a
 "-in", srctop_file(@certs, "x509-check.csr"));
 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
-# AKID of not self-issued certs
+# AKID of not self-issued end-entity certs
 $cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
 generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
@@ -747,6 +756,20 @@ has_SKID($cert, 1);
 has_AKID($cert, 0);
 strict_verify($cert, 0, $ca_cert);
+# weird self-issued end-entity cert without SKID/AKID signed by CA, as in #19095
+$cert = "self-issued_v3_EE_no_KIDs_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+ "-addext", "authorityKeyIdentifier = none",
+ "-key", srctop_file(@certs, "ee-key.pem"));
+cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
+# variant self-issued end-entity cert with only AKID signed by CA, which conforms to RFC 5280
+$cert = "self-issued_v3_EE_only_AKID_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+ "-key", srctop_file(@certs, "ee-key.pem"));
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
 # Key Usage