Commit f908737d58 for openssl.org

commit f908737d5823d7f0c3714a819df7b5affb45952d
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date:   Thu Jun 25 12:51:49 2026 +0200

    apps: cover x509 DER key/cert input formats

    The -keyform, -CAform and -CAkeyform options were not covered. Add a
    test that self-signs a CSR with a DER-encoded key and signs a CSR with
    a DER-encoded CA cert and CA key.

    Assisted-by: Claude:claude-opus-4-8

    Reviewed-by: Matt Caswell <matt@openssl.foundation>
    Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
    MergeDate: Fri Jul  3 19:40:27 2026
    (Merged from https://github.com/openssl/openssl/pull/31733)

diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index d438de0fe2..de467569f2 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;

 setup("test_x509");

-plan tests => 151;
+plan tests => 152;

 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -709,3 +709,42 @@ ok(!run(app(["openssl", "x509", "-multi", "-checkend",
 # Bad parse still returns non-zero
 ok(!run(app(["openssl", "x509", "-checkend", "60", "-in", $c_key])),
     "Bad parse with -checkend returns non-zero");
+
+# Signing using DER-encoded key and CA cert/key inputs,
+# exercising -keyform, -CAform and -CAkeyform
+subtest 'x509 signing with DER -keyform, -CAform and -CAkeyform' => sub {
+    plan tests => 6;
+
+    my $csr = srctop_file(@certs, "x509-check.csr");
+    my $signkey_der = "x509-check-key.der";
+    my $cacert_der = "ca-cert.der";
+    my $cakey_der = "ca-key.der";
+
+    # self-sign the CSR with a DER-encoded signing key
+    ok(run(app(["openssl", "pkey",
+                "-in", srctop_file(@certs, "x509-check-key.pem"),
+                "-outform", "DER", "-out", $signkey_der])),
+       "convert signing key to DER");
+    ok(run(app(["openssl", "x509", "-req", "-in", $csr,
+                "-signkey", $signkey_der, "-keyform", "DER",
+                "-out", "x509-self-der.pem"])),
+       "self-sign CSR with -keyform DER");
+
+    # sign the CSR with a DER-encoded CA cert and CA key
+    ok(run(app(["openssl", "x509",
+                "-in", srctop_file(@certs, "ca-cert.pem"),
+                "-outform", "DER", "-out", $cacert_der])),
+       "convert CA cert to DER");
+    ok(run(app(["openssl", "pkey",
+                "-in", srctop_file(@certs, "ca-key.pem"),
+                "-outform", "DER", "-out", $cakey_der])),
+       "convert CA key to DER");
+    my $caout = "ca-issued-der.pem";
+    ok(run(app(["openssl", "x509", "-req", "-in", $csr,
+                "-CA", $cacert_der, "-CAform", "DER",
+                "-CAkey", $cakey_der, "-CAkeyform", "DER",
+                "-CAcreateserial", "-text", "-out", $caout])),
+       "sign CSR with -CAform DER and -CAkeyform DER");
+    ok(get_issuer($caout) =~ /CN=CA/,
+       "issuer of CA-signed cert matches DER CA cert");
+};