[openssl/openssl] 1a68a3: crypto/x509/x509_vpm.c: update format of X509_VERI...
Lutz Jänicke
noreply at github.com
Thu Aug 18 08:28:03 UTC 2022
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 1a68a3e42142a2c188f4b69c7337438c89502143
https://github.com/openssl/openssl/commit/1a68a3e42142a2c188f4b69c7337438c89502143
Author: Lutz Jaenicke <ljaenicke at phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)
Changed paths:
M crypto/x509/x509_vpm.c
Log Message:
-----------
crypto/x509/x509_vpm.c: update format of X509_VERIFY_PARAM default_table
Put "}," on separate lines as suggested in PR #18567
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Commit: 178696d6020878361a088086243d56203e0beaa9
https://github.com/openssl/openssl/commit/178696d6020878361a088086243d56203e0beaa9
Author: Lutz Jaenicke <ljaenicke at phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)
Changed paths:
M crypto/x509/v3_purp.c
M crypto/x509/x509_vpm.c
M doc/man1/openssl-verification-options.pod
M doc/man3/X509_STORE_CTX_new.pod
M doc/man3/X509_check_purpose.pod
M include/openssl/x509v3.h.in
Log Message:
-----------
X509: Add "code sign" as purpose for verification of certificates
Code signing certificates have other properties, as for example described in
CA Browser Forum documents. This leads to "unsupported certificate purpose" errors when
verifying signed objects.
This patch adds the purpose "codesign" to the table in X.509 certificate verification and
the verification parameter "code_sign" to X509_VERIFY_PARAM.
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Commit: 61a97676914df358dd014a9b6fe2ba01b0ebe508
https://github.com/openssl/openssl/commit/61a97676914df358dd014a9b6fe2ba01b0ebe508
Author: Lutz Jaenicke <ljaenicke at phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)
Changed paths:
A test/certs/ee-codesign-anyextkeyusage.pem
A test/certs/ee-codesign-crlsign.pem
A test/certs/ee-codesign-keycertsign.pem
A test/certs/ee-codesign-noncritical.pem
A test/certs/ee-codesign-serverauth.pem
A test/certs/ee-codesign.pem
M test/certs/mkcert.sh
M test/certs/setup.sh
M test/recipes/25-test_verify.t
Log Message:
-----------
X509: add tests for purpose code signing in verify application
Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSigning
Note: I did not find any other document formally defining the requirements
for code signing certificates.
Some combinations are explicitly forbidden, some flags can be ignored.
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Commit: 19914fec9bac08ca7c7917eddc1b7d1dba67e4a7
https://github.com/openssl/openssl/commit/19914fec9bac08ca7c7917eddc1b7d1dba67e4a7
Author: Lutz Jaenicke <ljaenicke at phoenixcontact.com>
Date: 2022-08-18 (Thu, 18 Aug 2022)
Changed paths:
M test/recipes/80-test_cms.t
M test/smime-certs/ca.cnf
A test/smime-certs/csrsa1.pem
M test/smime-certs/mksmime-certs.sh
Log Message:
-----------
cms: Create test for purpose verification in cms application
The tests only cover the correct handling of the codesigning purpose in the certificates
in the context of the cms command line tool.
The interpretation of the certificate purpose is tested in the context of the "verify"
app. The correct handling of the cms objects is tested by other tests in 80-test_cms.t.
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)
Compare: https://github.com/openssl/openssl/compare/58135cb3c020...19914fec9bac