[openssl/openssl] 38049a: Generate some certificates with the certificatePol...

Matt Caswell noreply at github.com
Tue Mar 28 11:47:44 UTC 2023 

  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: 38049a07e0d3290a0cfac29cc700236e3a813076
      https://github.com/openssl/openssl/commit/38049a07e0d3290a0cfac29cc700236e3a813076
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    A test/certs/ca-pol-cert.pem
    A test/certs/ee-cert-policies-bad.pem
    A test/certs/ee-cert-policies.pem
    M test/certs/mkcert.sh
    M test/certs/setup.sh

  Log Message:
  -----------
  Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)


  Commit: facfb1ab745646e97a1920977ae4a9965ea61d5c
      https://github.com/openssl/openssl/commit/facfb1ab745646e97a1920977ae4a9965ea61d5c
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M crypto/x509/x509_vfy.c

  Log Message:
  -----------
  Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)


  Commit: e8c359e51ff3372a19a784a8c865f1472774f181
      https://github.com/openssl/openssl/commit/e8c359e51ff3372a19a784a8c865f1472774f181
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M test/recipes/25-test_verify.t

  Log Message:
  -----------
  Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)


  Commit: 07d8baf3367cbbf81877510e5102e6193da4bfe7
      https://github.com/openssl/openssl/commit/07d8baf3367cbbf81877510e5102e6193da4bfe7
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md

  Log Message:
  -----------
  Updated CHANGES.md and NEWS.md for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)


Compare: https://github.com/openssl/openssl/compare/b3cc0cd00e51...07d8baf3367c

More information about the openssl-commits mailing list