Commit 9a188b5eff for openssl.org
commit 9a188b5eff0ce501d553bd2ff2f32b7c8defbfbf
Author: Dr. David von Oheimb <dev@ddvo.net>
Date: Tue Jan 6 12:35:44 2026 +0100
25-test_req.t: add test cases pointing out that we won't fix #19095
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 49fde8f056..1f4cb803b5 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
-plan tests => 116;
+plan tests => 121;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -554,14 +554,23 @@ sub has_keyUsage {
my $expect = shift @_;
cert_contains($cert, "Key Usage", $expect);
}
-sub strict_verify {
+sub verify {
+ my $strict = shift @_;
my $cert = shift @_;
my $expect = shift @_;
my $trusted = shift @_;
$trusted = $cert unless $trusted;
- ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
+ my @cmd = ("openssl", "verify");
+ push(@cmd, "-x509_strict") if $strict;
+ ok(run(app([@cmd, "-trusted", $trusted,
"-partial_chain", $cert])) == $expect,
- "strict verify allow $cert");
+ ($strict ? "strict " : "")." verify ".
+ ($expect ? "accept" : "reject")." $cert");
+}
+
+sub strict_verify {
+ unshift @_, 1;
+ return verify(@_);
}
my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
@@ -721,7 +730,7 @@ generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:a
"-in", srctop_file(@certs, "x509-check.csr"));
cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
-# AKID of not self-issued certs
+# AKID of not self-issued end-entity certs
$cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
@@ -747,6 +756,20 @@ has_SKID($cert, 1);
has_AKID($cert, 0);
strict_verify($cert, 0, $ca_cert);
+# weird self-issued end-entity cert without SKID/AKID signed by CA, as in #19095
+$cert = "self-issued_v3_EE_no_KIDs_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+ "-addext", "authorityKeyIdentifier = none",
+ "-key", srctop_file(@certs, "ee-key.pem"));
+cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
+# variant self-issued end-entity cert with only AKID signed by CA, which conforms to RFC 5280
+$cert = "self-issued_v3_EE_only_AKID_signed_by_CA.pem";
+generate_cert($cert, "-addext", "subjectKeyIdentifier = none",
+ "-key", srctop_file(@certs, "ee-key.pem"));
+verify(0, $cert, 0, $ca_cert); # expecting failure because we won't fix #19095
+
# Key Usage