Commit dd943486d7 for openssl.org
commit dd943486d7a7ec1e9bbdb1b288c708d7005d0167
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date: Thu Jun 25 14:44:06 2026 +0200
apps: cover crl signature verification
The CRL signature verification path was not exercised. Add a test that
verifies a CRL signature against its issuer certificate supplied via
-CAfile, -CAstore and -CApath.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Fri Jul 3 19:26:15 2026
(Merged from https://github.com/openssl/openssl/pull/31736)
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 92101e8d94..6addde4b0b 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -11,11 +11,12 @@ use strict;
use warnings;
use File::Spec;
+use File::Copy;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_crl");
-plan tests => 10;
+plan tests => 11;
require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -51,6 +52,39 @@ ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-inform", "PEM",
is(cmp_text($out, srctop_file("test/certs", "cyrillic_crl.utf8")),
0, 'Comparing utf8 output');
+# Verify a CRL's signature against its issuer certificate, supplied via
+# -CAfile, -CAstore and -CApath.
+subtest 'crl signature verification' => sub {
+ plan tests => 4;
+
+ my $crl = srctop_file("test/certs", "delta-crl-as-complete-delta.pem");
+ my $cacert = srctop_file("test/certs", "delta-crl-as-complete-ca.pem");
+
+ ok(run(app(["openssl", "crl", "-noout", "-in", $crl,
+ "-CAfile", $cacert])),
+ "verify CRL signature with -CAfile");
+
+ ok(run(app(["openssl", "crl", "-noout", "-in", $crl,
+ "-CAstore", $cacert])),
+ "verify CRL signature with -CAstore");
+
+ # -CApath needs a rehashed directory, which relies on the rehash command
+ # (not available on platforms without symlink support, e.g. Windows).
+ SKIP: {
+ skip "rehash is not available on this platform", 2
+ unless run(app(["openssl", "rehash", "-help"]));
+
+ my $capath = "crl_capath";
+ mkdir $capath;
+ copy($cacert, File::Spec->catfile($capath, "ca.pem"));
+ ok(run(app(["openssl", "rehash", $capath])),
+ "rehash the -CApath directory");
+ ok(run(app(["openssl", "crl", "-noout", "-in", $crl,
+ "-CApath", $capath])),
+ "verify CRL signature with -CApath");
+ }
+};
+
sub compare1stline {
my ($cmdarray, $str) = @_;
my @lines = run(app($cmdarray), capture => 1);
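Review bot: The new 'crl signature verification' subtest has no negative case: it only asserts that `openssl crl` exits successfully for the matching issuer under `-CAfile`, `-CAstore` and `-CApath`, so it would not catch a regression where a wrong issuer or a bad signature is still reported as success. I would add at least one expected-failure check, for example `ok(!run(app(["openssl", "crl", "-noout", "-in", $crl, "-CAfile", $other_ca])), "reject CRL not issued by the given CA");`, with `$other_ca` (a placeholder name) set to an unrelated certificate from test/certs and the subtest plan raised to 5. It is also worth confirming that the exit status of the `crl` app reflects the verification result and not only the printed message; if it does not, the positive checks here pass regardless of the outcome. Separately, `mkdir $capath;` and `copy(...)` in the SKIP block are unchecked, so a failed copy would only surface as an unexplained `-CApath` failure; `copy(...) or die "copy to $capath failed: $!";` would make the cause explicit.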