[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Jan 28 14:05:42 UTC 2021


The branch master has been updated
       via  199df4a93f74617612abd9419ad6cf00d9c34bc3 (commit)
       via  03f5c8930c0c04ab0c9b7d243b893db234e494b2 (commit)
       via  26a44ad04b2c6dfca8d3bc445840e2d52531e178 (commit)
      from  302e63cbe51769999d42422934a3b3e9ada8fd66 (commit)


- Log -----------------------------------------------------------------
commit 199df4a93f74617612abd9419ad6cf00d9c34bc3
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Jan 26 11:53:15 2021 +0100

    check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS
    
    This is an upstream fix for #13931
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13968)

commit 03f5c8930c0c04ab0c9b7d243b893db234e494b2
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Jan 27 10:30:58 2021 +0100

    Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13968)

commit 26a44ad04b2c6dfca8d3bc445840e2d52531e178
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Jan 27 10:30:03 2021 +0100

    obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption')
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13968)

-----------------------------------------------------------------------

Summary of changes:
 crypto/objects/obj_xref.h           |  2 +-
 crypto/objects/obj_xref.txt         |  2 +-
 crypto/rsa/rsa_ameth.c              |  2 +-
 crypto/x509/v3_purp.c               | 18 ++++++++++--------
 test/certs/ca-pss-cert.pem          | 21 +++++++++++++++++++++
 test/certs/ca-pss-key.pem           | 28 ++++++++++++++++++++++++++++
 test/certs/ee-pss-cert.pem          | 21 +++++++++++++++++++++
 test/certs/ee-pss-wrong1.5-cert.pem | 19 +++++++++++++++++++
 test/certs/mkcert.sh                | 22 +++++++++++++++++-----
 test/certs/setup.sh                 | 15 +++++++++++----
 test/recipes/25-test_verify.t       |  7 ++++++-
 11 files changed, 136 insertions(+), 21 deletions(-)
 create mode 100644 test/certs/ca-pss-cert.pem
 create mode 100644 test/certs/ca-pss-key.pem
 create mode 100644 test/certs/ee-pss-cert.pem
 create mode 100644 test/certs/ee-pss-wrong1.5-cert.pem

diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index 0f8a05652e..21a193ee98 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -53,7 +53,7 @@ static const nid_triple sigoid_srt[] = {
      NID_id_GostR3410_94_cc},
     {NID_id_GostR3411_94_with_GostR3410_2001_cc, NID_id_GostR3411_94,
      NID_id_GostR3410_2001_cc},
-    {NID_rsassaPss, NID_undef, NID_rsaEncryption},
+    {NID_rsassaPss, NID_undef, NID_rsassaPss},
     {NID_dhSinglePass_stdDH_sha1kdf_scheme, NID_sha1, NID_dh_std_kdf},
     {NID_dhSinglePass_stdDH_sha224kdf_scheme, NID_sha224, NID_dh_std_kdf},
     {NID_dhSinglePass_stdDH_sha256kdf_scheme, NID_sha256, NID_dh_std_kdf},
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index f3dd8ed318..2a61d4db59 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -20,7 +20,7 @@ RSA_SHA3_512		sha3_512 rsaEncryption
 # For PSS the digest algorithm can vary and depends on the included
 # AlgorithmIdentifier. The digest "undef" indicates the public key
 # method should handle this explicitly.
-rsassaPss		undef	rsaEncryption
+rsassaPss		undef	rsassaPss
 ED25519		    undef	ED25519
 ED448		    undef	ED448
 
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 43c9d046d2..852facf577 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -1108,7 +1108,7 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
      0, 0,
      rsa_item_verify,
      rsa_item_sign,
-     0,
+     rsa_sig_info_set,
      rsa_pkey_check,
 
      0, 0,
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index e8aa941a45..3226d6838f 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -362,18 +362,20 @@ static int setup_crldp(X509 *x)
 }
 
 /* Check that issuer public key algorithm matches subject signature algorithm */
-static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
+static int check_sig_alg_match(const EVP_PKEY *issuer_key, const X509 *subject)
 {
-    int pkey_nid;
+    int signer_nid, subj_sig_nid;
 
-    if (pkey == NULL)
+    if (issuer_key == NULL)
         return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
+    signer_nid = EVP_PKEY_base_id(issuer_key);
     if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
-                            NULL, &pkey_nid) == 0)
-        return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
-    if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey))
-        return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
-    return X509_V_OK;
+                            NULL, &subj_sig_nid) == 0)
+         return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+    if (signer_nid == EVP_PKEY_type(subj_sig_nid)
+        || (signer_nid == NID_rsaEncryption && subj_sig_nid == NID_rsassaPss))
+        return X509_V_OK;
+    return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
 }
 
 #define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
diff --git a/test/certs/ca-pss-cert.pem b/test/certs/ca-pss-cert.pem
new file mode 100644
index 0000000000..566b63a800
--- /dev/null
+++ b/test/certs/ca-pss-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAhagAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTIxMDEyNjEwMDUwOFoYDzIxMjEwMTI3MTAwNTA4WjARMQ8wDQYDVQQD
+DAZDQS1QU1MwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtclsFtJOQgAC
+ZxTPn2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivw
+epDaiu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJ
+t+8psfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaR
+fmU7tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4h
+gwnjXASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0Eybjyk
+gyAu7Zlf/wIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAd
+BgNVHQ4EFgQUGfmhA/VcxWkh7VUBHxUdHHQLgrAwHwYDVR0jBBgwFoAUjvUlrx6b
+a4Q9fICayVOcTXL3o1IwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY
+BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAF6rSSBj+dkv0UGuE1El
+lB9zVpqVlV72RY8gAkmSJmbzblHEO/PYV/UnNJ2C2IXEhAQaE0xKCg+WC2RO56oc
+qZc6UXBCN8G9rJKVxgXVbciP4pQYN6POpmhJfQqzNPwzTADt3HY6X9gQtyG0fuQF
+OPDc+mXjRvBrcYMkAgYiKe+oA45WDWYpIvipWVQ3xP/BSGJqrdKx5SOrJA72+BLM
+bPbD3tBC2SVirDjv0N926Wcb/JQFkM+5YY2/yKNybstngr4Pb1T/tESsIZvGG2Tk
+3IhBl1dJtC9gpGTRa8NzQvcmPK9VUjWtv5YNA+FxD9FTxGibh7Aw1fbFCV91Qjc3
+JQQ=
+-----END CERTIFICATE-----
diff --git a/test/certs/ca-pss-key.pem b/test/certs/ca-pss-key.pem
new file mode 100644
index 0000000000..9270c36484
--- /dev/null
+++ b/test/certs/ca-pss-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADALBgkqhkiG9w0BAQoEggSpMIIEpQIBAAKCAQEAtclsFtJOQgACZxTP
+n2T2ksmibRNVAnEfVCgfJxsPN3aEERgqqhWbC4LmGHRIIjQ9DpobarydJivwepDa
+iu11rgwXgenIobIVvVr2+L3ngalYdkwmmPVImNN8Ef575ybE/kVgTu9X37DJt+8p
+sfVGeFg4RKykOi7SfPCSKHKSeZUXPj9AYwZDw4HX2rhstRopXAmUzz2/uAaRfmU7
+tYOG5qhfMUpP+Ce0ZBlLE9JjasY+d20/mDFuvFEc5qjfzNqv/7okyBjaWB4hgwnj
+XASrqKlqHKVU1UyrJc76yAniimy+IoXKAELetIJGSN15GYaWJcAIs0EybjykgyAu
+7Zlf/wIDAQABAoIBAErkiNt+GS+nwVWmhUMt3UfsOjal2EgBQt7xCKSbyVEYSqCg
+TDN2Y0IC07kPbwhobR8u7kyzGCs5vwE/3EmQOwNRh/3FyxqSu9IfP9CKrG4GzqMu
+DFjH9PjBaEQhi/pXRqFbA6qBgLpvoytcJNlkK3w5HDVuytoNoDpJAm4XhbEAwVG2
+u3De40lPKXBFaGjSrUQETnrm0Fhj+J7+VMheQZVjEHwMIOmbIDcckV0OSIWn00XG
+/Md0y0i/U8S0TkP9sVC+cKkKMCNL+BJYf5YucUIna/9PgBD36RRRq2D0e8/iP8m+
+ftnmW7fxlL2neTZ2sAS+4sm7sOoudaeAta+JoEECgYEA5ZjbBJf+FhyFOBFRoYow
+OHP+JfU7rdi8n5GpNswVmtNx3FK+eoUz+PlXTluUydS3L40ba7/mzYFzAZETF6YO
+Z8STkmvLxRTDzvZoE0SCJQAcG9I1oVWMufDVnHvljflH+IBjvMQM527dfFgaebvD
+TkRvnCup2oV3uT430++15K0CgYEAyrESfgP5f9+zZqz30N+QTWHZCzCUqSDcGhke
+Irvjs5tSrCQibbSGkGNHZ/V019K8rKJQlvNbEEzlRRcohuqIuUPgPmXBbbruqCBP
+a1+DD/HRg6BrTsNo67SbUJ6EsV5D80Ie76Yzye3By7E71xvFzFxbMwcwPFHBDViR
+m4oRwNsCgYEAtdb/N78tVNPXytUkot0wXbW4RtXYI1Lx6StTKnwubEYk+otqIt1W
+kUzhkcTEralUQEvwuMDvCjoJHOeKiINTC2pMOn43j+pnPoY3XXM35BgXKw2svg9k
+emu8ssgJwgz5rF37ICjh03Yh4vZgWaOVBmr7PmPyjYiBjuwxCSDkHa0CgYEAkqwP
+9aBqq131NBd2PG+KvHRR2wcMjFZ672e9puTPoOiEqox7XWeE+Hbe9RtpscONRF8w
+cgsnmmQKhDR93yNYTLgRTRXVItJiYMcAsXIsJR2XvugWvqgpBGds/Km426CbCyyN
+tl1OnJCv6/YUl1RBjeBHHmXVQdDnIgE1XJhMwIECgYEAt4zgPqswoicfDBqakP6X
+ZND0s7fiki2YBmXyASIoUACnpJEWsOOEJrAcW7xtgXgjNxKdk1JqYV3ggU8wgCvv
+9Ugsx0FiuPmIBhYNZMWIItNmpYqPm8KbEwIPqChs9OA+5FREFwFjJgGK2ublfmVj
+dN2I3LilMIXTE4/MQ8Lhcjc=
+-----END PRIVATE KEY-----
diff --git a/test/certs/ee-pss-cert.pem b/test/certs/ee-pss-cert.pem
new file mode 100644
index 0000000000..e908783b55
--- /dev/null
+++ b/test/certs/ee-pss-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAiygAwIBAgIBAjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEa
+MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIDARMQ8wDQYDVQQDDAZDQS1Q
+U1MwIBcNMjEwMTI2MTAwNjMzWhgPMjEyMTAxMjcxMDA2MzNaMBExDzANBgNVBAMM
+BkVFLVBTUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e
+2ywP1XP74reoG3p1YCvUfTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//
+DcZD/jE0+CjYdemju4iC76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aO
+wjagEf/AWTX9SRzdHEIzBniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5Zq
+ghsVi9GZq+Seb5Sq0pblV/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktH
+aKcpxz9K4iIntO+QY9fv0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h
+/nk0H0qJH7cCAwEAAaN1MHMwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOi
+MB8GA1UdIwQYMBaAFBn5oQP1XMVpIe1VAR8VHRx0C4KwMAkGA1UdEwQCMAAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwEwEQYDVR0RBAowCIIGRUUtUFNTMD0GCSqGSIb3DQEB
+CjAwoA0wCwYJYIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaID
+AgEgA4IBAQCzCXb5XpMvhuwWso9wj4B8AJjCugMlGdrLXIj3ueqyS1qSEcFp1meO
+9jMDCjAkitTdZjf3gqEghC/joUd+XAw3JfOPOl36WlNrm9bwZTnfnCYFRrdprfMo
+Q1Kqy9SNvDeHZZVcGeU3PZSt+EabmR9mQODg/qfpa9/3WktzFbvxlPOS7Tb0n2tn
+vQnTmyrmGN2/o8X1qGQgETw5bH3csKgsPh668zN/gv3DxNN0EVACLaOSahNsNQa7
+KCcl1ez5KcFc0QIlQajhorTYOIeTb8UmR4wdy5C4Nd9P5OKv1sQvVO9PtswAv/s7
+Vs48cDO1+ASn0KjN41hXN5+fOIlNqOeU
+-----END CERTIFICATE-----
diff --git a/test/certs/ee-pss-wrong1.5-cert.pem b/test/certs/ee-pss-wrong1.5-cert.pem
new file mode 100644
index 0000000000..e4b9ba8307
--- /dev/null
+++ b/test/certs/ee-pss-wrong1.5-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgygAwIBAgIBAjALBgkqhkiG9w0BAQswETEPMA0GA1UEAwwGQ0EtUFNT
+MCAXDTIxMDEyNzA2NTIzMloYDzIxMjEwMTI4MDY1MjMyWjAaMRgwFgYDVQQDDA9F
+RS1QU1Mtd3JvbmcxLjUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo
+/4lYYYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0
+LLuT5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsI
+Vl1lDz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1K
+xMY1U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr
+3zG5ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNG
+T4tniIQPYf55NB9KiR+3AgMBAAGjfjB8MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWO
+B5gil+FzojAfBgNVHSMEGDAWgBQZ+aED9VzFaSHtVQEfFR0cdAuCsDAJBgNVHRME
+AjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQTMBGCD0VFLVBTUy13cm9u
+ZzEuNTALBgkqhkiG9w0BAQsDggEBAJYxCmTZfgjCfhf1r4dS+nebCM1qQ2WsOvwS
+SXSMOxVs0sRc2KUjiTR00j/pgASaRVPauom5y+Qp6J2NUUBcwkQhGbQPDr8pdmWv
+NPXX3UwfIl2gO9Bo5z0G0BOZmhCgNqbHcuJrW1tLRLwQWHsqm7gcqIq+/0Wsz5SA
+QETZfmMbPAlj+aotLJmc2UvcGyz7jAeEJ3xIikey9c8HK73c4UyXepeUckQKsTRe
+hs6+TluxaJerm3/1MRTOrq9aBGxoxNUc5cpJDZFF1rG9BtQgXxyGpiItkZX60N/3
+P1js8/l2FH8fEcb63WeChKMmqnw18fQUmunVyZWvsFiQVRHterM=
+-----END CERTIFICATE-----
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index be8668c964..3b7f4e5f03 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -116,6 +116,19 @@ genroot() {
 }
 
 genca() {
+    local OPTIND=1
+    local purpose=
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
     local cn=$1; shift
     local key=$1; shift
     local cert=$1; shift
@@ -127,17 +140,16 @@ genca() {
     local akid="authorityKeyIdentifier = keyid"
 
     exts=$(printf "%s\n%s\n%s\n" "$bcon" "$ku" "$skid" "$akid")
-    for eku in "$@"
-    do
-        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
-    done
+    if [ -n "$purpose" ]; then
+        exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose")
+    fi
     if [ -n "$NC" ]; then
         exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
     fi
     csr=$(req "$key" "CN = $cn") || return 1
     echo "$csr" |
         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
-	    -set_serial 2 -days "${DAYS}"
+	    -set_serial 2 -days "${DAYS}" "$@"
 }
 
 gen_nonbc_ca() {
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 0ac44fbe79..07b9007674 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -125,7 +125,7 @@ OPENSSL_KEYBITS=768 \
 # client intermediate ca: cca-cert
 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
 #
-./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
+./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
 #
 openssl x509 -in cca-cert.pem -trustout \
     -addtrust serverAuth -out cca+serverAuth.pem
@@ -143,7 +143,7 @@ openssl x509 -in cca-cert.pem -trustout \
 # server intermediate ca: sca-cert
 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
 #
-./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
+./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
 #
 openssl x509 -in sca-cert.pem -trustout \
     -addtrust serverAuth -out sca+serverAuth.pem
@@ -392,9 +392,16 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
 # SHA1
 ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
     -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
-# SHA256
+# EE SHA256
 ./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \
-    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+            -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+# CA-PSS
+./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \
+            -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
+./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \
+            -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
+# Should not have been possible to produce, see issue #13968:
+#./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256
 
 OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
     "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 5293530b22..15bdda91e2 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 153;
+plan tests => 155;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -380,6 +380,11 @@ ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_l
 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
 
+ok(verify("ee-pss-cert", "sslserver", ["root-cert"], ["ca-pss-cert"], ),
+    "CA PSS signature");
+ok(!verify("ee-pss-wrong1.5-cert", "sslserver", ["root-cert"], ["ca-pss-cert"], ),
+    "CA producing regular PKCS#1 v1.5 signature with PSA-PSS key");
+
 ok(!verify("many-names1", "sslserver", ["many-constraints"], ["many-constraints"], ),
     "Too many names and constraints to check (1)");
 ok(!verify("many-names2", "sslserver", ["many-constraints"], ["many-constraints"], ),


More information about the openssl-commits mailing list