[openssl/openssl] f675d1: Generate some certificates with the certificatePol...

Matt Caswell noreply at github.com
Tue Mar 28 12:12:45 UTC 2023


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.com/openssl/openssl
  Commit: f675d164e5d9648c3537a0f5efe1cc2fd232b4a9
      https://github.com/openssl/openssl/commit/f675d164e5d9648c3537a0f5efe1cc2fd232b4a9
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-23 (Thu, 23 Mar 2023)

  Changed paths:
    A test/certs/ca-pol-cert.pem
    A test/certs/ee-cert-policies-bad.pem
    A test/certs/ee-cert-policies.pem
    M test/certs/mkcert.sh
    M test/certs/setup.sh

  Log Message:
  -----------
  Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)


  Commit: b013765abfa80036dc779dd0e50602c57bb3bf95
      https://github.com/openssl/openssl/commit/b013765abfa80036dc779dd0e50602c57bb3bf95
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M crypto/x509/x509_vfy.c

  Log Message:
  -----------
  Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)


  Commit: 23a4cbeb3ad80da3830f760f624599f24236bc38
      https://github.com/openssl/openssl/commit/23a4cbeb3ad80da3830f760f624599f24236bc38
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M test/recipes/25-test_verify.t

  Log Message:
  -----------
  Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)


  Commit: 8bc232b14624b7af01801d7940b7dec59b3ae47d
      https://github.com/openssl/openssl/commit/8bc232b14624b7af01801d7940b7dec59b3ae47d
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M CHANGES
    M NEWS

  Log Message:
  -----------
  Updated CHANGES and NEWS for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20588)


Compare: https://github.com/openssl/openssl/compare/13e030c60dbb...8bc232b14624

