The branch master has been updated via d7cdb8b60650e29c1f3c3990f3f86b51fde1c308 (commit) via e99505b4d0b9400c83dddf4d4eed3144e45b38c4 (commit) via f974b610775443278e5634c285521e82c2e37752 (commit) from 06f81af8fc5cf04af828487fbd83bff7f3049a3a (commit)
- Log ----------------------------------------------------------------- commit d7cdb8b60650e29c1f3c3990f3f86b51fde1c308 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Thu Dec 3 15:26:48 2020 +0100 test/certs/setup.sh: Fix two glitches Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13606) commit e99505b4d0b9400c83dddf4d4eed3144e45b38c4 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Thu Dec 3 11:10:19 2020 +0100 x509_vfy.c: Improve comments (correcting typos etc.) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13606) commit f974b610775443278e5634c285521e82c2e37752 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Thu Dec 3 12:00:35 2020 +0100 apps/verify:c: Enable output of multiple verification errors due to -x509_strict Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13606) ----------------------------------------------------------------------- Summary of changes: apps/verify.c | 19 +++++++++++++++++-- crypto/x509/x509_vfy.c | 26 +++++++++++++------------- test/certs/setup.sh | 6 +++--- 3 files changed, 33 insertions(+), 18 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index 9a226f0360..ba4a8c283d 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -356,13 +356,28 @@ static int cb(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_INVALID_CA: case X509_V_ERR_INVALID_NON_CA: case X509_V_ERR_PATH_LENGTH_EXCEEDED: - case X509_V_ERR_INVALID_PURPOSE: case X509_V_ERR_CRL_HAS_EXPIRED: case X509_V_ERR_CRL_NOT_YET_VALID: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + /* errors due to strict conformance checking (-x509_strict) */ + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA: + case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN: + case X509_V_ERR_CA_BCONS_NOT_CRITICAL: + case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE: + case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA: + case X509_V_ERR_ISSUER_NAME_EMPTY: + case X509_V_ERR_SUBJECT_NAME_EMPTY: + case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL: + case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME: + case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: + case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL: + case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL: + case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER: + case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER: + case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3: ok = 1; } - return ok; } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index fc470d950e..3a5673b307 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -154,9 +154,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) /*- * Inform the verify callback of an error. - * If B<x> is not NULL it is the error cert, otherwise use the chain cert at - * B<depth>. - * If B<err> is not X509_V_OK, that's the error value, otherwise leave + * If 'x' is not NULL it is the error cert, otherwise use the chain cert at + * 'depth' + * If 'err' is not X509_V_OK, that's the error value, otherwise leave * unchanged (presumably set by the caller). * * Returns 0 to abort verification with an error, non-zero to continue. @@ -501,7 +501,7 @@ static int check_chain(X509_STORE_CTX *ctx) CHECK_CB(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS); } /* - * Do the following set of checks only if strict checking is requrested + * Do the following set of checks only if strict checking is requested * and not for self-issued (including self-signed) EE (non-CA) certs * because RFC 5280 does not apply to them according RFC 6818 section 2. */ @@ -576,7 +576,7 @@ static int check_chain(X509_STORE_CTX *ctx) /* check_purpose() makes the callback as needed */ if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) return 0; - /* Check pathlen */ + /* Check path length */ CHECK_CB(i > 1 && x->ex_pathlen != -1 && plen > x->ex_pathlen + proxy_path_length, ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED); @@ -679,7 +679,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) /* * Check that the last subject component isn't part of a - * multivalued RDN + * multi-valued RDN */ if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, last_object_loc)) @@ -1026,7 +1026,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD)) return 0; } - /* Ignore expiry of base CRL is delta is valid */ + /* Ignore expiration of base CRL is delta is valid */ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; @@ -1230,7 +1230,7 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (!(crl->flags & EXFLAG_CRITICAL)) crl_score |= CRL_SCORE_NOCRITICAL; - /* Check expiry */ + /* Check expiration */ if (check_crl_time(ctx, crl, 0)) crl_score |= CRL_SCORE_TIME; @@ -1351,7 +1351,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) /* * RFC3280 says nothing about the relationship between CRL path and * certificate path, which could lead to situations where a certificate could - * be revoked or validated by a CA not authorised to do so. RFC5280 is more + * be revoked or validated by a CA not authorized to do so. RFC5280 is more * strict and states that the two paths must end in the same trust anchor, * though some discussions remain... until this is resolved we use the * RFC5280 version @@ -1804,8 +1804,8 @@ static int internal_verify(X509_STORE_CTX *ctx) * step (n) we must check any given key usage extension in a CA cert * when preparing the verification of a certificate issued by it. * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - * we must not verify a certifiate signature if the key usage of the - * CA certificate that issued the certificate prohibits signing. + * we must not verify a certificate signature if the key usage of + * the CA certificate that issued the certificate prohibits signing. * In case the 'issuing' certificate is the last in the chain and is * not a CA certificate but a 'self-issued' end-entity cert (i.e., * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply @@ -2009,7 +2009,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) return 1; } -/* Make a delta CRL as the diff between two full CRLs */ +/* Make a delta CRL as the difference between two full CRLs */ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, const EVP_MD *md, unsigned int flags) @@ -3199,7 +3199,7 @@ static int build_chain(X509_STORE_CTX *ctx) } /* - * We've added a new trusted certificate to the chain, recheck + * We've added a new trusted certificate to the chain, re-check * trust. If not done, and not self-signed look deeper. * Whether or not we're doing "trusted first", we no longer * look for untrusted certificates from the peer's chain. diff --git a/test/certs/setup.sh b/test/certs/setup.sh index d7cdf06e7f..9aa910dcc2 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -1,4 +1,4 @@ -#! /bin/sh +#! /bin/bash # Primary root: root-cert # root cert variants: CA:false, key2, DN2 @@ -169,7 +169,7 @@ openssl x509 -in sca-cert.pem -trustout \ ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2 ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \ - -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") + -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here # openssl x509 -in ee-cert.pem -trustout \ -addtrust serverAuth -out ee+serverAuth.pem @@ -211,7 +211,7 @@ OPENSSL_KEYBITS=8192 \ ./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert # self-signed end-entity cert with explicit keyUsage not including KeyCertSign -openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500 +openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525 # Proxy certificates, off of ee-client # Start with some good ones