[openssl/openssl] 7fab3c: Add Version Check for CSR Verification
Tobias Erbsland
noreply at github.com
Fri Jun 21 20:25:55 UTC 2024
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 7fab3c7d61b0064dcf50db39fb490970c60d9a34
https://github.com/openssl/openssl/commit/7fab3c7d61b0064dcf50db39fb490970c60d9a34
Author: erbsland-dev <github at erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)
Changed paths:
M crypto/err/openssl.txt
M crypto/x509/x509_err.c
M crypto/x509/x_all.c
M include/openssl/x509err.h
Log Message:
-----------
Add Version Check for CSR Verification
Fixes #5738: This change introduces a check for the version number of a CSR document before its signature is verified. If the version number is not 1 (encoded as zero), the verification function fails with an `X509_R_UNSUPPORTED_VERSION` error.
To minimize impact, this check is only applied when verifying a certificate signing request using the `-verify` argument, resulting in an `X509_REQ_verify` call. This ensures that malformed certificate requests are rejected by a certification authority, enhancing security and preventing potential issues.
Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
Commit: 895ecd0ce86c17fc696ad58c9f4b2ac1b821c5d4
https://github.com/openssl/openssl/commit/895ecd0ce86c17fc696ad58c9f4b2ac1b821c5d4
Author: erbsland-dev <github at erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)
Changed paths:
M test/build.info
A test/recipes/60-test_x509_req.t
A test/x509_req_test.c
Log Message:
-----------
Add Test for Verification Failure on Incorrect X509 Version
Tests #5738: Introduce a new test to verify that a malformed X509 request with the version field set to version 6 fails either early when reading from data or later when `X509_REQ_verify` is called.
Adding a new test recipe `60-test_x509_req.t`
Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
Commit: 7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5
https://github.com/openssl/openssl/commit/7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5
Author: erbsland-dev <github at erbsland.dev>
Date: 2024-06-21 (Fri, 21 Jun 2024)
Changed paths:
A test/certs/x509-req-detect-invalid-version.pem
M test/recipes/60-test_x509_req.t
M test/x509_req_test.c
Log Message:
-----------
Make x509_req_test ANSI Compatible
Update the `x509_req_test` to ensure ANSI compatibility. The integrated certificate string was too long, so the PEM certificate has been moved to `certs/x509-req-detect-invalid-version.pem`. The test has been updated to load this certificate from the file on disk.
Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24677)
Compare: https://github.com/openssl/openssl/compare/03448ba21b5e...7d2c0a4b1feb
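
The version check described in the first commit message, as an added example that is not OpenSSL's code: a stand-alone DER walk that reads the `version` INTEGER of a PKCS#10 request (RFC 2986) and refuses anything other than the encoded value zero before any signature work would start. The names `der_header`, `csr_check_version` and the `CSR_*` codes are hypothetical, and the two byte arrays are constructed skeletons rather than complete requests.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example (not OpenSSL error codes). */
enum { CSR_OK = 0, CSR_MALFORMED = -1, CSR_UNSUPPORTED_VERSION = -2 };

/* Read a DER tag+length at buf[*pos]; on success *pos is the first content byte. */
static int der_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t tag, size_t *clen)
{
    size_t p = *pos, l, n;
    if (p > len || len - p < 2 || buf[p++] != tag)
        return -1;
    l = buf[p++];
    if (l & 0x80) {                     /* long form: low 7 bits count length bytes */
        n = l & 0x7f;
        if (n == 0 || n > 4 || len - p < n)
            return -1;                  /* indefinite or oversized length */
        for (l = 0; n > 0; n--)
            l = (l << 8) | buf[p++];
    }
    if (len - p < l)
        return -1;                      /* content would run past the buffer */
    *pos = p;
    *clen = l;
    return 0;
}

/* Walk CertificationRequest -> CertificationRequestInfo -> version INTEGER. */
int csr_check_version(const uint8_t *der, size_t len)
{
    size_t pos = 0, clen;
    if (der_header(der, len, &pos, 0x30, &clen) != 0)         /* outer SEQUENCE */
        return CSR_MALFORMED;
    if (der_header(der, pos + clen, &pos, 0x30, &clen) != 0)  /* request info */
        return CSR_MALFORMED;
    if (der_header(der, pos + clen, &pos, 0x02, &clen) != 0 || clen == 0)
        return CSR_MALFORMED;
    /* Version 1 is the single content byte 0x00; anything else is refused. */
    return (clen == 1 && der[pos] == 0x00) ? CSR_OK : CSR_UNSUPPORTED_VERSION;
}

/* Constructed skeletons (not complete CSRs): version INTEGER plus an empty subject. */
static const uint8_t CSR_V1[]  = { 0x30, 0x07, 0x30, 0x05, 0x02, 0x01, 0x00, 0x30, 0x00 };
static const uint8_t CSR_BAD[] = { 0x30, 0x07, 0x30, 0x05, 0x02, 0x01, 0x06, 0x30, 0x00 };

int main(void)
{
    return (csr_check_version(CSR_V1, sizeof(CSR_V1)) == CSR_OK
            && csr_check_version(CSR_BAD, sizeof(CSR_BAD)) == CSR_UNSUPPORTED_VERSION) ? 0 : 1;
}
```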