[openssl] master update
dev at ddvo.net
dev at ddvo.net
Fri Dec 4 15:24:59 UTC 2020
The branch master has been updated
via d7cdb8b60650e29c1f3c3990f3f86b51fde1c308 (commit)
via e99505b4d0b9400c83dddf4d4eed3144e45b38c4 (commit)
via f974b610775443278e5634c285521e82c2e37752 (commit)
from 06f81af8fc5cf04af828487fbd83bff7f3049a3a (commit)
- Log -----------------------------------------------------------------
commit d7cdb8b60650e29c1f3c3990f3f86b51fde1c308
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Dec 3 15:26:48 2020 +0100
test/certs/setup.sh: Fix two glitches
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)
commit e99505b4d0b9400c83dddf4d4eed3144e45b38c4
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Dec 3 11:10:19 2020 +0100
x509_vfy.c: Improve comments (correcting typos etc.)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)
commit f974b610775443278e5634c285521e82c2e37752
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Dec 3 12:00:35 2020 +0100
apps/verify:c: Enable output of multiple verification errors due to -x509_strict
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)
-----------------------------------------------------------------------
Summary of changes:
apps/verify.c | 19 +++++++++++++++++--
crypto/x509/x509_vfy.c | 26 +++++++++++++-------------
test/certs/setup.sh | 6 +++---
3 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/apps/verify.c b/apps/verify.c
index 9a226f0360..ba4a8c283d 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -356,13 +356,28 @@ static int cb(int ok, X509_STORE_CTX *ctx)
case X509_V_ERR_INVALID_CA:
case X509_V_ERR_INVALID_NON_CA:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- case X509_V_ERR_INVALID_PURPOSE:
case X509_V_ERR_CRL_HAS_EXPIRED:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+ /* errors due to strict conformance checking (-x509_strict) */
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
+ case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN:
+ case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
+ case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
+ case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA:
+ case X509_V_ERR_ISSUER_NAME_EMPTY:
+ case X509_V_ERR_SUBJECT_NAME_EMPTY:
+ case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+ case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
+ case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
+ case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
+ case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
+ case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER:
+ case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER:
+ case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
ok = 1;
}
-
return ok;
}
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fc470d950e..3a5673b307 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -154,9 +154,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
/*-
* Inform the verify callback of an error.
- * If B<x> is not NULL it is the error cert, otherwise use the chain cert at
- * B<depth>.
- * If B<err> is not X509_V_OK, that's the error value, otherwise leave
+ * If 'x' is not NULL it is the error cert, otherwise use the chain cert at
+ * 'depth'
+ * If 'err' is not X509_V_OK, that's the error value, otherwise leave
* unchanged (presumably set by the caller).
*
* Returns 0 to abort verification with an error, non-zero to continue.
@@ -501,7 +501,7 @@ static int check_chain(X509_STORE_CTX *ctx)
CHECK_CB(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS);
}
/*
- * Do the following set of checks only if strict checking is requrested
+ * Do the following set of checks only if strict checking is requested
* and not for self-issued (including self-signed) EE (non-CA) certs
* because RFC 5280 does not apply to them according RFC 6818 section 2.
*/
@@ -576,7 +576,7 @@ static int check_chain(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
- /* Check pathlen */
+ /* Check path length */
CHECK_CB(i > 1 && x->ex_pathlen != -1
&& plen > x->ex_pathlen + proxy_path_length,
ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED);
@@ -679,7 +679,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
/*
* Check that the last subject component isn't part of a
- * multivalued RDN
+ * multi-valued RDN
*/
if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
last_object_loc))
@@ -1026,7 +1026,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
return 0;
}
- /* Ignore expiry of base CRL is delta is valid */
+ /* Ignore expiration of base CRL is delta is valid */
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
@@ -1230,7 +1230,7 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
if (!(crl->flags & EXFLAG_CRITICAL))
crl_score |= CRL_SCORE_NOCRITICAL;
- /* Check expiry */
+ /* Check expiration */
if (check_crl_time(ctx, crl, 0))
crl_score |= CRL_SCORE_TIME;
@@ -1351,7 +1351,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
/*
* RFC3280 says nothing about the relationship between CRL path and
* certificate path, which could lead to situations where a certificate could
- * be revoked or validated by a CA not authorised to do so. RFC5280 is more
+ * be revoked or validated by a CA not authorized to do so. RFC5280 is more
* strict and states that the two paths must end in the same trust anchor,
* though some discussions remain... until this is resolved we use the
* RFC5280 version
@@ -1804,8 +1804,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
* step (n) we must check any given key usage extension in a CA cert
* when preparing the verification of a certificate issued by it.
* According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- * we must not verify a certifiate signature if the key usage of the
- * CA certificate that issued the certificate prohibits signing.
+ * we must not verify a certificate signature if the key usage of
+ * the CA certificate that issued the certificate prohibits signing.
* In case the 'issuing' certificate is the last in the chain and is
* not a CA certificate but a 'self-issued' end-entity cert (i.e.,
* xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
@@ -2009,7 +2009,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
return 1;
}
-/* Make a delta CRL as the diff between two full CRLs */
+/* Make a delta CRL as the difference between two full CRLs */
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
@@ -3199,7 +3199,7 @@ static int build_chain(X509_STORE_CTX *ctx)
}
/*
- * We've added a new trusted certificate to the chain, recheck
+ * We've added a new trusted certificate to the chain, re-check
* trust. If not done, and not self-signed look deeper.
* Whether or not we're doing "trusted first", we no longer
* look for untrusted certificates from the peer's chain.
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d7cdf06e7f..9aa910dcc2 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
# Primary root: root-cert
# root cert variants: CA:false, key2, DN2
@@ -169,7 +169,7 @@ openssl x509 -in sca-cert.pem -trustout \
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
- -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
+ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here
#
openssl x509 -in ee-cert.pem -trustout \
-addtrust serverAuth -out ee+serverAuth.pem
@@ -211,7 +211,7 @@ OPENSSL_KEYBITS=8192 \
./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert
# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
-openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
# Proxy certificates, off of ee-client
# Start with some good ones
More information about the openssl-commits
mailing list