[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Wed Mar 11 15:05:21 UTC 2020


The branch OpenSSL_1_1_1-stable has been updated
       via  2cb5e08c2cc5217e41b0b22432293b72dcb234b9 (commit)
       via  63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c (commit)
      from  004f570821b1a92cbb733d8e03b54223231bfac3 (commit)


- Log -----------------------------------------------------------------
commit 2cb5e08c2cc5217e41b0b22432293b72dcb234b9
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 9 09:07:11 2020 +0000

    Revert "Create a new embeddedSCTs1 that's signed using SHA256"
    
    This reverts commit b98efebeb2d4265bd6638d5947fe365500121e03.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11282)

commit 63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 9 09:05:27 2020 +0000

    Revert "Stop accepting certificates signed using SHA1 at security level 1"
    
    This reverts commit 68436f0a8964e911eb4f864bc8b31d7ca4d29585.
    
    The OMC did not vote in favour of backporting this to 1.1.1, so this
    change should be reverted.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11282)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                 |  12 --------
 NEWS                                    |   5 +--
 crypto/rsa/rsa_ameth.c                  |  20 +-----------
 crypto/x509/x509_set.c                  |  14 ---------
 test/certs/ct-server-key-public.pem     |   4 ---
 test/certs/ct-server-key.pem            |   5 ---
 test/certs/embeddedSCTs1-key.pem        |  38 ++++++++---------------
 test/certs/embeddedSCTs1.pem            |  35 +++++++++++----------
 test/certs/embeddedSCTs1.sct            |  12 ++++----
 test/certs/embeddedSCTs1.tlssct         | Bin 118 -> 0 bytes
 test/certs/embeddedSCTs1_issuer-key.pem |  15 ---------
 test/certs/embeddedSCTs3.sct            |   2 +-
 test/certs/mkcert.sh                    |  52 --------------------------------
 test/certs/setup.sh                     |   3 --
 test/ct_test.c                          |   6 +---
 test/recipes/25-test_verify.t           |   8 ++---
 16 files changed, 44 insertions(+), 187 deletions(-)
 delete mode 100644 test/certs/ct-server-key-public.pem
 delete mode 100644 test/certs/ct-server-key.pem
 delete mode 100644 test/certs/embeddedSCTs1.tlssct
 delete mode 100644 test/certs/embeddedSCTs1_issuer-key.pem

diff --git a/CHANGES b/CHANGES
index 7e348b078b..8c29dfae55 100644
--- a/CHANGES
+++ b/CHANGES
@@ -21,18 +21,6 @@
      resolve symbols with longer names.
      [Richard Levitte]
 
-  *) X509 certificates signed using SHA1 are no longer allowed at security
-     level 1 and above.
-     In TLS/SSL the default security level is 1. It can be set either
-     using the cipher string with @SECLEVEL, or calling
-     SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
-     a call to SSL_CTX_use_certificate() will fail if the security level is not
-     lowered first.
-     Outside TLS/SSL, the default security level is -1 (effectively 0). It can
-     be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
-     options of the apps.
-     [Kurt Roeckx]
-
   *) Corrected the documentation of the return values from the EVP_DigestSign*
      set of functions.  The documentation mentioned negative values for some
      errors, but this was never the case, so the mention of negative values
diff --git a/NEWS b/NEWS
index 11840cf05b..4af390505d 100644
--- a/NEWS
+++ b/NEWS
@@ -7,10 +7,7 @@
 
   Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [under development]
 
-      o X509 certificates signed using SHA1 are no longer allowed at security
-        level 1 or higher. The default security level for TLS is 1, so
-        certificates signed using SHA1 are by default no longer trusted to
-        authenticate servers or clients.
+      o
 
   Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
 
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index d45d6b5ba3..6692a51ed8 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -855,7 +855,6 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
     uint32_t flags;
     const EVP_MD *mgf1md = NULL, *md = NULL;
     RSA_PSS_PARAMS *pss;
-    int secbits;
 
     /* Sanity check: make sure it is PSS */
     if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS)
@@ -875,24 +874,7 @@ static int rsa_sig_info_set(X509_SIG_INFO *siginf, const X509_ALGOR *sigalg,
     else
         flags = 0;
     /* Note: security bits half number of digest bits */
-    secbits = EVP_MD_size(md) * 4;
-    /*
-     * SHA1 and MD5 are known to be broken. Reduce security bits so that
-     * they're no longer accepted at security level 1. The real values don't
-     * really matter as long as they're lower than 80, which is our security
-     * level 1.
-     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
-     * 2^63.4
-     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
-     * puts a chosen-prefix attack for MD5 at 2^39.
-     */
-    if (mdnid == NID_sha1)
-        secbits = 64;
-    else if (mdnid == NID_md5_sha1)
-        secbits = 68;
-    else if (mdnid == NID_md5)
-        secbits = 39;
-    X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, secbits,
+    X509_SIG_INFO_set(siginf, mdnid, EVP_PKEY_RSA_PSS, EVP_MD_size(md) * 4,
                       flags);
     rv = 1;
     err:
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index deb7722c18..164b4e2be1 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -222,20 +222,6 @@ static void x509_sig_info_init(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
         return;
     /* Security bits: half number of bits in digest */
     siginf->secbits = EVP_MD_size(md) * 4;
-    /*
-     * SHA1 and MD5 are known to be broken. Reduce security bits so that
-     * they're no longer accepted at security level 1. The real values don't
-     * really matter as long as they're lower than 80, which is our security
-     * level 1.
-     * https://eprint.iacr.org/2020/014 puts a chosen-prefix attack for SHA1 at
-     * 2^63.4
-     * https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf
-     * puts a chosen-prefix attack for MD5 at 2^39.
-     */
-    if (mdnid == NID_sha1)
-        siginf->secbits = 63;
-    else if (mdnid == NID_md5)
-        siginf->secbits = 39;
     switch (mdnid) {
         case NID_sha1:
         case NID_sha256:
diff --git a/test/certs/ct-server-key-public.pem b/test/certs/ct-server-key-public.pem
deleted file mode 100644
index c35ce3f483..0000000000
--- a/test/certs/ct-server-key-public.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3U
-yEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
------END PUBLIC KEY-----
diff --git a/test/certs/ct-server-key.pem b/test/certs/ct-server-key.pem
deleted file mode 100644
index ab6a5575bb..0000000000
--- a/test/certs/ct-server-key.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIFLw4uhuCruGKjrS9MoNeXFbypqZe+Sgh+EL1gnRn1d4oAoGCCqGSM49
-AwEHoUQDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pX
-rGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
------END EC PRIVATE KEY-----
diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
index 28dd206dbe..e3e66d55c5 100644
--- a/test/certs/embeddedSCTs1-key.pem
+++ b/test/certs/embeddedSCTs1-key.pem
@@ -1,27 +1,15 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw
-XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT
-48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ
-b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L
-eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG
-a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm
-tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf
-3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r
-zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF
-nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ
-XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw
-ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ
-S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi
-BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3
-2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn
-MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU
-JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn
-j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA
-jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu
-ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk
-3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P
-o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI
-fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1
-5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP
-RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4=
+MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
+WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
+EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
+AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
+PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
+flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
+X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
+pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
+b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
+9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
+83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
+n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
+1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
 -----END RSA PRIVATE KEY-----
diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem
index d2a111fb82..d1e85120a0 100644
--- a/test/certs/embeddedSCTs1.pem
+++ b/test/certs/embeddedSCTs1.pem
@@ -1,21 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
+MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
 MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
-NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK
-/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE
-FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI
-0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I
-QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S
-wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB
-CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I
-Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD
-ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI
-/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB
-u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ
-BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR
-RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1
-IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W
-YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw==
+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
+MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu
+c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/
+BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk
+EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw
+FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q
+Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD
+VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w
+DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK
+BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L
+vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw
+KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG
+SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE
+oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr
+5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg
 -----END CERTIFICATE-----
diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct
index 9e413e3dc7..59362dcee1 100644
--- a/test/certs/embeddedSCTs1.sct
+++ b/test/certs/embeddedSCTs1.sct
@@ -2,11 +2,11 @@ Signed Certificate Timestamp:
     Version   : v1 (0x0)
     Log ID    : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
                 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
-    Timestamp : Jan  1 00:00:00.000 2020 GMT
+    Timestamp : Apr  5 17:04:16.275 2013 GMT
     Extensions: none
     Signature : ecdsa-with-SHA256
-                30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A:
-                D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4:
-                BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F:
-                02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7:
-                60:EB:A8:AF:03:5E:C3
+                30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
+                D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
+                E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
+                F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
+                05:51:9D:89:ED:BF:08
\ No newline at end of file
diff --git a/test/certs/embeddedSCTs1.tlssct b/test/certs/embeddedSCTs1.tlssct
deleted file mode 100644
index 0586c94ab0..0000000000
Binary files a/test/certs/embeddedSCTs1.tlssct and /dev/null differ
diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem
deleted file mode 100644
index 9326e38b1e..0000000000
--- a/test/certs/embeddedSCTs1_issuer-key.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR
-yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm
-JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB
-AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK
-QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL
-GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq
-r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr
-4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw
-+mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ
-b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY
-xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN
-lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei
-T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU=
------END RSA PRIVATE KEY-----
diff --git a/test/certs/embeddedSCTs3.sct b/test/certs/embeddedSCTs3.sct
index 579a890a9a..ad1ccf0ffc 100644
--- a/test/certs/embeddedSCTs3.sct
+++ b/test/certs/embeddedSCTs3.sct
@@ -33,4 +33,4 @@ Signed Certificate Timestamp:
                 55:83:D2:9D:E5:A1:8D:B6:3D:A6:73:89:42:32:9C:91:
                 0F:3B:6A:74:02:21:00:86:EE:10:F9:10:E6:7B:17:65:
                 D9:2D:37:53:4A:3B:F0:AE:03:E4:21:76:37:EF:AF:B4:
-                44:2E:2B:F5:5C:C6:91
+                44:2E:2B:F5:5C:C6:91
\ No newline at end of file
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 790d20f8c1..ebb71c1778 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -288,56 +288,4 @@ gennocn() {
 	cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
 }
 
-genct() {
-    local OPTIND=1
-    local purpose=serverAuth
-
-    while getopts p: o
-    do
-        case $o in
-        p) purpose="$OPTARG";;
-        *) echo "Usage: $0 genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey" >&2
-           return 1;;
-        esac
-    done
-
-    shift $((OPTIND - 1))
-    local cn=$1; shift
-    local key=$1; shift
-    local cert=$1; shift
-    local cakey=$1; shift
-    local ca=$1; shift
-    local logkey=$1; shift
-
-    exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
-	    "subjectKeyIdentifier = hash" \
-	    "authorityKeyIdentifier = keyid, issuer" \
-	    "basicConstraints = CA:false" \
-	    "extendedKeyUsage = $purpose" \
-            "1.3.6.1.4.1.11129.2.4.3 = critical,ASN1:NULL"\
-	    "subjectAltName = @alts" "DNS=${cn}")
-    csr=$(req "$key" "CN = $cn") || return 1
-    echo "$csr" |
-	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
-	    -set_serial 2 -days "${DAYS}" "$@"
-    cat ${cert}.pem ${ca}.pem > ${cert}-chain.pem
-    go run github.com/google/certificate-transparency-go/ctutil/sctgen \
-       --log_private_key ${logkey}.pem \
-       --timestamp="2020-01-01T00:00:00Z" \
-       --cert_chain ${cert}-chain.pem \
-       --tls_out ${cert}.tlssct
-    rm ${cert}-chain.pem
-    filesize=$(wc -c <${cert}.tlssct)
-    exts=$(printf "%s\n%s\n%s\n%s\n%s%04X%04X%s\n%s\n[alts]\n%s\n" \
-	    "subjectKeyIdentifier = hash" \
-	    "authorityKeyIdentifier = keyid, issuer" \
-	    "basicConstraints = CA:false" \
-	    "extendedKeyUsage = $purpose" \
-	    "1.3.6.1.4.1.11129.2.4.2 = ASN1:FORMAT:HEX,OCT:" $((filesize+2)) $filesize `xxd -p ${cert}.tlssct | tr -d '\n'` \
-	    "subjectAltName = @alts" "DNS=${cn}")
-    echo "$csr" |
-	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
-	    -set_serial 2 -days "${DAYS}" "$@"
-}
-
 "$@"
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d58d0d789b..2d53ea5b08 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -376,9 +376,6 @@ openssl req -new -nodes -subj "/CN=localhost" \
     ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
     server-pss-restrict-cert rootkey rootcert
 
-# CT entry
-./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key
-
 OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
     root-ed448-key root-ed448-cert
 OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
diff --git a/test/ct_test.c b/test/ct_test.c
index 4dd6a67a7c..78d11ca98c 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
     if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
         goto end;
     fixture->test_case_name = test_case_name;
-    fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
+    fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */
     if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
             || !TEST_int_eq(
                     CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
@@ -160,10 +160,6 @@ static int compare_extension_printout(X509_EXTENSION *extension,
                                            X509V3_EXT_DEFAULT, 0)))
         goto end;
 
-    /* Append \n because it's easier to create files that end with one. */
-    if (!TEST_true(BIO_write(text_buffer, "\n", 1)))
-        goto end;
-
     /* Append \0 because we're about to use the buffer contents as a string. */
     if (!TEST_true(BIO_write(text_buffer, "\0", 1)))
         goto end;
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 5e5bc9ef1e..b80a1cde3e 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -336,14 +336,14 @@ ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cer
 ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
    "Name constraints nested DNS name excluded");
 
-ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
-    "Accept PSS signature using SHA1 at auth level 0");
+ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
+    "Certificate PSS signature using SHA1");
 
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
-    "Reject PSS signature using SHA1 and auth level 1");
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+    "Reject PSS signature using SHA1 and auth level 2");
 
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");


More information about the openssl-commits mailing list