[openssl/openssl] a4e726: Generate some certificates with the certificatePol...

Matt Caswell noreply at github.com
Tue Mar 28 11:42:45 UTC 2023


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: a4e726428608e352283d745cb0716248d29ecf26
      https://github.com/openssl/openssl/commit/a4e726428608e352283d745cb0716248d29ecf26
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    A test/certs/ca-pol-cert.pem
    A test/certs/ee-cert-policies-bad.pem
    A test/certs/ee-cert-policies.pem
    M test/certs/mkcert.sh
    M test/certs/setup.sh

  Log Message:
  -----------
  Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)


  Commit: e4142ec43bcc08ffdb090580e24c24a7da302a32
      https://github.com/openssl/openssl/commit/e4142ec43bcc08ffdb090580e24c24a7da302a32
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M crypto/x509/x509_vfy.c

  Log Message:
  -----------
  Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)


  Commit: 591feddc61f113827883ad8bae05109ee01ccd41
      https://github.com/openssl/openssl/commit/591feddc61f113827883ad8bae05109ee01ccd41
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M test/recipes/25-test_verify.t

  Log Message:
  -----------
  Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)


  Commit: 986f9a674d49d1e13459e04bd721237c721c44f4
      https://github.com/openssl/openssl/commit/986f9a674d49d1e13459e04bd721237c721c44f4
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md

  Log Message:
  -----------
  Updated CHANGES.md and NEWS.md for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)


Compare: https://github.com/openssl/openssl/compare/864c70e43ea5...986f9a674d49

