[openssl/openssl] d2f0d0: Generate some certificates with the certificatePol...

Matt Caswell noreply at github.com
Tue Mar 28 12:04:43 UTC 2023


  Branch: refs/heads/openssl-3.0
  Home:   https://github.com/openssl/openssl
  Commit: d2f0d05807fc70c68dcc22bcc6979147782d4adf
      https://github.com/openssl/openssl/commit/d2f0d05807fc70c68dcc22bcc6979147782d4adf
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    A test/certs/ca-pol-cert.pem
    A test/certs/ee-cert-policies-bad.pem
    A test/certs/ee-cert-policies.pem
    M test/certs/mkcert.sh
    M test/certs/setup.sh

  Log Message:
  -----------
  Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)


  Commit: 1dd43e0709fece299b15208f36cc7c76209ba0bb
      https://github.com/openssl/openssl/commit/1dd43e0709fece299b15208f36cc7c76209ba0bb
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M crypto/x509/x509_vfy.c

  Log Message:
  -----------
  Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)


  Commit: dda529ecc2d085488eef60235ef553dc5fd6e6dc
      https://github.com/openssl/openssl/commit/dda529ecc2d085488eef60235ef553dc5fd6e6dc
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M test/recipes/25-test_verify.t

  Log Message:
  -----------
  Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)


  Commit: 9a1410bd393c594f852222392c36bc7895d82d57
      https://github.com/openssl/openssl/commit/9a1410bd393c594f852222392c36bc7895d82d57
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md

  Log Message:
  -----------
  Updated CHANGES.md and NEWS.md for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20587)


Compare: https://github.com/openssl/openssl/compare/4e7823014409...9a1410bd393c

