Commit d6c49df039 for openssl.org
commit d6c49df0396e9b49c4d2ddd8ae1c39b70d4995d1
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date: Thu Jul 9 12:18:18 2026 +0200
apps: cover the x509 -sigopt and -vfyopt options
The -sigopt and -vfyopt options of the x509 app were previously
untested. It adds a subtest that signs a certificate from a CSR with
-sigopt rsa_padding_mode:pss and verifies the issued certificate uses
the rsassaPss signature algorithm, and that verifies an SM2 CSR whose
self-signature uses a non-default distinguishing id supplied via
-vfyopt. It also checks that an unknown -sigopt or -vfyopt makes the
command fail.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jul 13 15:41:57 2026
(Merged from https://github.com/openssl/openssl/pull/31908)
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index de467569f2..736d185de4 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;
setup("test_x509");
-plan tests => 152;
+plan tests => 153;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -569,6 +569,61 @@ has_version($b_cert, 3);
has_SKID($b_cert, 1);
has_AKID($b_cert, 1);
+subtest "signing with -sigopt and verifying a CSR with -vfyopt" => sub {
+ plan tests => 6;
+
+ # -sigopt is passed to the signature algorithm; force RSA-PSS padding
+ # and check it ends up in the issued certificate.
+ my $pss_cert = "sigopt-pss.pem";
+ ok(run(app(["openssl", "x509", "-req", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-sigopt", "rsa_padding_mode:pss",
+ "-in", $b_csr, "-out", $pss_cert])),
+ "sign cert from CSR with -sigopt rsa_padding_mode:pss");
+ cert_contains($pss_cert, "Signature Algorithm: rsassaPss", 1,
+ "issued cert is signed with PSS as selected via -sigopt");
+
+ # An unknown -sigopt must abort signing.
+ ok(!run(app(["openssl", "x509", "-req", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-sigopt", "bogus:1",
+ "-in", $b_csr, "-out", "sigopt-bogus.pem"])),
+ "an unknown -sigopt makes signing fail");
+
+ # An unknown -vfyopt must abort CSR verification.
+ ok(!run(app(["openssl", "x509", "-req", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-vfyopt", "bogus:1",
+ "-in", $b_csr, "-out", "vfyopt-bogus.pem"])),
+ "an unknown -vfyopt makes CSR verification fail");
+
+ SKIP: {
+ skip "SM2 is not supported by this OpenSSL build", 2 if disabled("sm2");
+
+ # -vfyopt is used to verify the CSR self-signature. Sign an SM2 CSR
+ # with a non-default distinguishing id so that the id must be supplied
+ # via -vfyopt for verification to succeed.
+ my $sm2_key = "sm2-vfyopt-key.pem";
+ my $sm2_csr = "sm2-vfyopt.csr";
+ my $distid = "0102030405060708";
+ run(app(["openssl", "req", "-new", "-newkey", "sm2",
+ "-keyout", $sm2_key, "-out", $sm2_csr, "-nodes",
+ "-config", $cnf, "-subj", "/CN=SM2",
+ "-sigopt", "distid:$distid"]));
+
+ ok(run(app(["openssl", "x509", "-req", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-vfyopt", "distid:$distid",
+ "-in", $sm2_csr, "-out", "sm2-vfyopt.pem"])),
+ "SM2 CSR verifies when its distid is given via -vfyopt");
+
+ ok(!run(app(["openssl", "x509", "-req", "-CAcreateserial",
+ "-CA", $ca_cert, "-CAkey", $ca_key,
+ "-in", $sm2_csr, "-out", "sm2-novfyopt.pem"])),
+ "SM2 CSR fails to verify without the matching -vfyopt distid");
+ }
+};
+
# Tests for https://github.com/openssl/openssl/issues/10442 (fixed in 1.1.1a)
# (incorrect default `-CAcreateserial` if `-CA` path has a dot in it)
my $folder_with_dot = "test_x509.folder";