Commit f908737d58 for openssl.org
commit f908737d5823d7f0c3714a819df7b5affb45952d
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date: Thu Jun 25 12:51:49 2026 +0200
apps: cover x509 DER key/cert input formats
The -keyform, -CAform and -CAkeyform options were not covered. Add a
test that self-signs a CSR with a DER-encoded key and signs a CSR with
a DER-encoded CA cert and CA key.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Fri Jul 3 19:40:27 2026
(Merged from https://github.com/openssl/openssl/pull/31733)
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index d438de0fe2..de467569f2 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;
setup("test_x509");
-plan tests => 151;
+plan tests => 152;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -709,3 +709,42 @@ ok(!run(app(["openssl", "x509", "-multi", "-checkend",
# Bad parse still returns non-zero
ok(!run(app(["openssl", "x509", "-checkend", "60", "-in", $c_key])),
"Bad parse with -checkend returns non-zero");
+
+# Signing using DER-encoded key and CA cert/key inputs,
+# exercising -keyform, -CAform and -CAkeyform
+subtest 'x509 signing with DER -keyform, -CAform and -CAkeyform' => sub {
+ plan tests => 6;
+
+ my $csr = srctop_file(@certs, "x509-check.csr");
+ my $signkey_der = "x509-check-key.der";
+ my $cacert_der = "ca-cert.der";
+ my $cakey_der = "ca-key.der";
+
+ # self-sign the CSR with a DER-encoded signing key
+ ok(run(app(["openssl", "pkey",
+ "-in", srctop_file(@certs, "x509-check-key.pem"),
+ "-outform", "DER", "-out", $signkey_der])),
+ "convert signing key to DER");
+ ok(run(app(["openssl", "x509", "-req", "-in", $csr,
+ "-signkey", $signkey_der, "-keyform", "DER",
+ "-out", "x509-self-der.pem"])),
+ "self-sign CSR with -keyform DER");
+
+ # sign the CSR with a DER-encoded CA cert and CA key
+ ok(run(app(["openssl", "x509",
+ "-in", srctop_file(@certs, "ca-cert.pem"),
+ "-outform", "DER", "-out", $cacert_der])),
+ "convert CA cert to DER");
+ ok(run(app(["openssl", "pkey",
+ "-in", srctop_file(@certs, "ca-key.pem"),
+ "-outform", "DER", "-out", $cakey_der])),
+ "convert CA key to DER");
+ my $caout = "ca-issued-der.pem";
+ ok(run(app(["openssl", "x509", "-req", "-in", $csr,
+ "-CA", $cacert_der, "-CAform", "DER",
+ "-CAkey", $cakey_der, "-CAkeyform", "DER",
+ "-CAcreateserial", "-text", "-out", $caout])),
+ "sign CSR with -CAform DER and -CAkeyform DER");
+ ok(get_issuer($caout) =~ /CN=CA/,
+ "issuer of CA-signed cert matches DER CA cert");
+};
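Review bot: None of the six checks in this subtest confirms that the DER-loaded keys produced a valid signature. `x509-self-der.pem` is written and never inspected, and the CA path is accepted on an unanchored `/CN=CA/` match, which only shows that the issuer name was copied from the CA certificate and would also match any issuer merely containing that substring. I would add a verification step after the issuer check, for example `ok(run(app(["openssl", "verify", "-partial_chain", "-trusted", srctop_file(@certs, "ca-cert.pem"), $caout])), "CA-signed cert verifies against CA cert");`, and raise the subtest's `plan tests => 6;` to 7. `-partial_chain` is there on the assumption that `ca-cert.pem` is not self-signed, which should be confirmed. If the app auto-detects input encoding, a pass here may also not show that `-keyform`, `-CAform` and `-CAkeyform` are honoured, so that is worth confirming as well.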