Branch: refs/heads/master
Home: https://github.com/openssl/openssl

Commit: 1a68a3e42142a2c188f4b69c7337438c89502143
    https://github.com/openssl/openssl/commit/1a68a3e42142a2c188f4b69c7337438c89502143
Author: Lutz Jaenicke <ljaeni...@phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)

Changed paths:
    M crypto/x509/x509_vpm.c

Log Message:
-----------
crypto/x509/x509_vpm.c: update format of X509_VERIFY_PARAM default_table

Put "}," on separate lines as suggested in PR #18567

Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

Commit: 178696d6020878361a088086243d56203e0beaa9
    https://github.com/openssl/openssl/commit/178696d6020878361a088086243d56203e0beaa9
Author: Lutz Jaenicke <ljaeni...@phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)

Changed paths:
    M crypto/x509/v3_purp.c
    M crypto/x509/x509_vpm.c
    M doc/man1/openssl-verification-options.pod
    M doc/man3/X509_STORE_CTX_new.pod
    M doc/man3/X509_check_purpose.pod
    M include/openssl/x509v3.h.in

Log Message:
-----------
X509: Add "code sign" as purpose for verification of certificates

Code signing certificates have other properties as for example described in CA Browser Forum documents. This leads to "unsupported certificate purpose" errors when verifying signed objects.
This patch adds the purpose "codesign" to the table in X.509 certificate verification and the verification parameter "code_sign" to X509_VERIFY_PARAM.

Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

Commit: 61a97676914df358dd014a9b6fe2ba01b0ebe508
    https://github.com/openssl/openssl/commit/61a97676914df358dd014a9b6fe2ba01b0ebe508
Author: Lutz Jaenicke <ljaeni...@phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)

Changed paths:
    A test/certs/ee-codesign-anyextkeyusage.pem
    A test/certs/ee-codesign-crlsign.pem
    A test/certs/ee-codesign-keycertsign.pem
    A test/certs/ee-codesign-noncritical.pem
    A test/certs/ee-codesign-serverauth.pem
    A test/certs/ee-codesign.pem
    M test/certs/mkcert.sh
    M test/certs/setup.sh
    M test/recipes/25-test_verify.t

Log Message:
-----------
X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
    KU: critical,digitalSignature
    XKU: codeSigning

Note: I did not find any other document formally defining the requirements for code signing certificates.

Some combinations are explicitly forbidden, some flags can be ignored

Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

Commit: 19914fec9bac08ca7c7917eddc1b7d1dba67e4a7
    https://github.com/openssl/openssl/commit/19914fec9bac08ca7c7917eddc1b7d1dba67e4a7
Author: Lutz Jaenicke <ljaeni...@phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)

Changed paths:
    M test/recipes/80-test_cms.t
    M test/smime-certs/ca.cnf
    A test/smime-certs/csrsa1.pem
    M test/smime-certs/mksmime-certs.sh

Log Message:
-----------
cms: Create test for purpose verification in cms application

The tests only cover the correct handling of the codesigning purpose in the certificates in the context of the cms command line tool.
The interpretation of the certificate purpose is tested in the context of the "verify" app.
The correct handling of the cms objects is tested by other tests in 80-test_cms.t.

Reviewed-by: Paul Dale <pa...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

Compare: https://github.com/openssl/openssl/compare/58135cb3c020...19914fec9bac