From 6f4c0c98aa6e346875622c54a6b14e72c10cad7c Mon Sep 17 00:00:00 2001 From: beck Date: Fri, 27 Aug 2021 16:15:42 +0000 Subject: [PATCH] Add regress test testing having the root cert in the intermediate bundle --- regress/lib/libcrypto/certs/2c/bundle.pem | 65 +++++++++++++++++++++++ regress/lib/libcrypto/certs/2c/roots.pem | 21 ++++++++ regress/lib/libcrypto/certs/README | 3 ++ regress/lib/libcrypto/certs/make-certs.sh | 2 + regress/lib/libcrypto/x509/verify.c | 6 ++- 5 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 regress/lib/libcrypto/certs/2c/bundle.pem create mode 100644 regress/lib/libcrypto/certs/2c/roots.pem diff --git a/regress/lib/libcrypto/certs/2c/bundle.pem b/regress/lib/libcrypto/certs/2c/bundle.pem new file mode 100644 index 00000000000..f45b11274fb --- /dev/null +++ b/regress/lib/libcrypto/certs/2c/bundle.pem @@ -0,0 +1,65 @@ +subject= CN = LibreSSL Test Server 1 +issuer= CN = LibreSSL Test Intermediate CA 1 +subject= CN = LibreSSL Test Root CA 1 +issuer= CN = LibreSSL Test Root CA 1 +subject= CN = LibreSSL Test Intermediate CA 1 +issuer= CN = LibreSSL Test Root CA 1 +-----BEGIN CERTIFICATE----- +MIIDLjCCAhagAwIBAgIJAPZu+6cw2jdwMA0GCSqGSIb3DQEBCwUAMCoxKDAmBgNV +BAMMH0xpYnJlU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBIDEwHhcNMjEwODI3MTYx +MDQ1WhcNMzEwODI1MTYxMDQ1WjAhMR8wHQYDVQQDDBZMaWJyZVNTTCBUZXN0IFNl +cnZlciAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dWqojtfaPJV +PuOthfyXAUt/EloMyut0RiorzcCjOnyUia+/t9svAZ1ZhzUgRuaxLRK9Uil7n5Al +Sn7DTm/KFbTDVcUYR6V9/Zf6aW0lRsNxgBEARKuvLc55CGRCxaqoZi+0J/x343lU +SFsnbNNz8ZEe/ukpTzJHUwKf4WSTp9QxVEKhMNyYngItkf0QIiwCcDxHxGvZ5y1F +MKznU/2AVy7niwh92RnpI2N0icOymMDq62f1QGr5IX/ODRP6PeYN8P1dfAjcaX7q +SpxsjxNLp9pvejlqdcZccTPN7YA32zk8ithR6Q6lja1tj49MYeAGxT2ESXkVNzMU +dBKUBrLh9QIDAQABo2AwXjAdBgNVHQ4EFgQU62sFe6VLA3HGIecPuYggaD8Exwcw +HwYDVR0jBBgwFoAUnf73tYa3Dw0RY7l+odx7TeXtYyUwDAYDVR0TAQH/BAIwADAO +BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAGGy1Q5hWYg4iqhvkTUA +w5UC4qNUoGmGsoAoASVtOHcW9VLXfwgtQ9zPYISPuIbt6jh9QV375Zda2IqZUCQi +nBpIUg2nWGZoNawWUUnsho9NdFGtKIj0kKuiKm3doN6Xb6pFASg1n4dxRO2dAa3d +UyJ1TlSGAKPlMxw8WcsTrokwdj58sQQTTDxWGhI7IFV4wfA9cV45ykNI1sxzz5pl +5zGhuB9PycoF4B7bDlhJMw31wijQ5sTT3wuAk7lgWTsISS6JtzNq/wXL/mwvaXGU +XIXzVcEffccojngT/3MUNx9a+OeChermKVk+rptk/allf1teIuFvGCyKvZvfCSoT +y4o= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDKjCCAhKgAwIBAgIJAJJZtdkNyWp9MA0GCSqGSIb3DQEBCwUAMCIxIDAeBgNV +BAMMF0xpYnJlU1NMIFRlc3QgUm9vdCBDQSAxMB4XDTIxMDgyNzE2MTA0NVoXDTMx +MDgyNTE2MTA0NVowIjEgMB4GA1UEAwwXTGlicmVTU0wgVGVzdCBSb290IENBIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSrmg0Xwwl9qZM5nnIJgG+ +HlRIOtFMh8OqZy17oHdwJbgYiQxEdU6TxpzXtt2F5zlbjF+cXCRo2361X753qlSc +UkUUru2y82Qmibrqmw96ziifBed91d5U5OINdzCCcow4sgoXU4gDPJF0O1okvV/z +woXgVblS5uVYSs0Lh6yE9RydV8RiPS0VRPGIyt2g+l1MJ3tyrhy/FUtUdxOXkPA+ +Hu5xI+WP/XUctD1WYBjbZFbOiXobf/HGkOwbnqijCTX0LU5g+Q6EWoyXPIYaH3us +I1kPYJefpKJ3QpQWWXKuLFQcvMjL0IP3zN/0IFpZmnBAzAyO0xs7+tjjwJlEGAed +AgMBAAGjYzBhMB0GA1UdDgQWBBSSJjZwiPxzph27rjn0IW2AVw4QrzAfBgNVHSME +GDAWgBSSJjZwiPxzph27rjn0IW2AVw4QrzAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAesOq9J/tbU01E1kjBKkOK/nA +GOaW5ZFtmAvod8m59TWurzoslSKbUw0pKKl1XO70xAaGot1f8PMjdRh0SkGSvkE2 +Z+r3IhKw063YWSApjcy6+Jcf/ONbFvihKsb+rgl+WFFHQzLDaPSAWYtCU2p/ap0h +M1KPP80M2jf4zx9nhIypJ4t9cEspVbn4aVu+17a0avYNm+JtOCLeXelRdJgopbzR +ItWgvCm7QXVYgPMEOj9OenMp9LL3BCs7xw2CnMUAI9hBRejTTGou5LSPrjvgX39w +UhD/tIZ8/7L/z7KdDYFDfSsacwl2UX15khZ0zkAm/E0rrIiH5/yJ6S8PelszqQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDMjCCAhqgAwIBAgIJAPZu+6cw2jdvMA0GCSqGSIb3DQEBCwUAMCIxIDAeBgNV +BAMMF0xpYnJlU1NMIFRlc3QgUm9vdCBDQSAxMB4XDTIxMDgyNzE2MTA0NVoXDTMx +MDgyNTE2MTA0NVowKjEoMCYGA1UEAwwfTGlicmVTU0wgVGVzdCBJbnRlcm1lZGlh +dGUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8EPpwdyr8A +bwQ8BLnUWpj3hbZui0Ge2GYlfuE3IxoJTuup/Z5aRuZMrfa1kfh5aBYiU8Xo/Ap5 +a8+ikVEOr5693/PBQ7Mc6UkU/0eha1bRreyCfBO6VMFdGvAS1vixjkLgtlhGqpPQ +Wod5cJolW2cPrZ9/YD0Z2WULXN0JX0speDUPde7QZbIEcwwG35BNvpUtpNpxOhXx +naWdoweuAJj+aywsZMLmcWc5E0xnUE/gKmcQecnTjv07sJNM1/EDT51hXYkoT4mf +IsnSTEqfCyyPvoAUamu1AddxCmSbHHSRj/xVfy0LF4uyU/gLGxltvhqgcGes6Bd6 +S2bjbJCTic8CAwEAAaNjMGEwHQYDVR0OBBYEFJ3+97WGtw8NEWO5fqHce03l7WMl +MB8GA1UdIwQYMBaAFJImNnCI/HOmHbuuOfQhbYBXDhCvMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAEJTY+STw65PB/ +r5nM8sDsD+1JVz/a+QIyX7ikWiNykWIY78gDtdHN4dQEAazcQv26N0y2YjQZ/UWe +DdZ03rWhX4/lWraWrf1xLCfDtlq5OV59vuLPAaG6nkZ0cUhyUMqjbH3/0jHBaGF2 +T9eCsNI4k7wbth6WCdUqiJ7SUEpP2b/tRpwlRThoK947vuWIodqbejN/UldKnXkH +AHuKRzJi9oa3D78JZHprOTx1MZ/8bNmuM/ksBZ2S+RKCZY2cZmm5Dn18OCaq0wf8 +CvgasC1QHSR4gdwY3a7D7wL1onYAnljgh7hOej8Dmp2EjD4kSZEu+SbLWDIZ7u14 +8n7FQbR6 +-----END CERTIFICATE----- diff --git a/regress/lib/libcrypto/certs/2c/roots.pem b/regress/lib/libcrypto/certs/2c/roots.pem new file mode 100644 index 00000000000..ed5b6dc9e62 --- /dev/null +++ b/regress/lib/libcrypto/certs/2c/roots.pem @@ -0,0 +1,21 @@ +subject= CN = LibreSSL Test Root CA 1 +issuer= CN = LibreSSL Test Root CA 1 +-----BEGIN CERTIFICATE----- +MIIDKjCCAhKgAwIBAgIJAJJZtdkNyWp9MA0GCSqGSIb3DQEBCwUAMCIxIDAeBgNV +BAMMF0xpYnJlU1NMIFRlc3QgUm9vdCBDQSAxMB4XDTIxMDgyNzE2MTA0NVoXDTMx +MDgyNTE2MTA0NVowIjEgMB4GA1UEAwwXTGlicmVTU0wgVGVzdCBSb290IENBIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSrmg0Xwwl9qZM5nnIJgG+ +HlRIOtFMh8OqZy17oHdwJbgYiQxEdU6TxpzXtt2F5zlbjF+cXCRo2361X753qlSc +UkUUru2y82Qmibrqmw96ziifBed91d5U5OINdzCCcow4sgoXU4gDPJF0O1okvV/z +woXgVblS5uVYSs0Lh6yE9RydV8RiPS0VRPGIyt2g+l1MJ3tyrhy/FUtUdxOXkPA+ +Hu5xI+WP/XUctD1WYBjbZFbOiXobf/HGkOwbnqijCTX0LU5g+Q6EWoyXPIYaH3us +I1kPYJefpKJ3QpQWWXKuLFQcvMjL0IP3zN/0IFpZmnBAzAyO0xs7+tjjwJlEGAed +AgMBAAGjYzBhMB0GA1UdDgQWBBSSJjZwiPxzph27rjn0IW2AVw4QrzAfBgNVHSME +GDAWgBSSJjZwiPxzph27rjn0IW2AVw4QrzAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAesOq9J/tbU01E1kjBKkOK/nA +GOaW5ZFtmAvod8m59TWurzoslSKbUw0pKKl1XO70xAaGot1f8PMjdRh0SkGSvkE2 +Z+r3IhKw063YWSApjcy6+Jcf/ONbFvihKsb+rgl+WFFHQzLDaPSAWYtCU2p/ap0h +M1KPP80M2jf4zx9nhIypJ4t9cEspVbn4aVu+17a0avYNm+JtOCLeXelRdJgopbzR +ItWgvCm7QXVYgPMEOj9OenMp9LL3BCs7xw2CnMUAI9hBRejTTGou5LSPrjvgX39w +UhD/tIZ8/7L/z7KdDYFDfSsacwl2UX15khZ0zkAm/E0rrIiH5/yJ6S8PelszqQ== +-----END CERTIFICATE----- diff --git a/regress/lib/libcrypto/certs/README b/regress/lib/libcrypto/certs/README index 0d6fa7d48a2..93165249ec4 100644 --- a/regress/lib/libcrypto/certs/README +++ b/regress/lib/libcrypto/certs/README @@ -12,6 +12,9 @@ intermediate certificates are contained in a bundle.pem file. 2b. Same as (2a), however the intermediate is missing which should prevent verification. + + 2c. Same as (2a), however the intermediate and root are in the intermediate + bundle, (should verify) 3a. A leaf certificate signed by three intermediates, the last of which is signed by a root certificate (should verify). diff --git a/regress/lib/libcrypto/certs/make-certs.sh b/regress/lib/libcrypto/certs/make-certs.sh index b34a547ba25..3854ff13e04 100644 --- a/regress/lib/libcrypto/certs/make-certs.sh +++ b/regress/lib/libcrypto/certs/make-certs.sh @@ -223,6 +223,8 @@ create_root_bundle "./2a/roots.pem" "ca-root" create_bundle "./2a/bundle.pem" "server-1" "ca-int-1" create_root_bundle "./2b/roots.pem" "ca-root" create_bundle "./2b/bundle.pem" "server-1" +create_root_bundle "./2c/roots.pem" "ca-root" +create_bundle "./2c/bundle.pem" "server-1" "ca-root" "ca-int-1" # Scenarios 3a, 3b, 3c, 3d and 3e. reset diff --git a/regress/lib/libcrypto/x509/verify.c b/regress/lib/libcrypto/x509/verify.c index 9ef68cd5ab0..259854ef12f 100644 --- a/regress/lib/libcrypto/x509/verify.c +++ b/regress/lib/libcrypto/x509/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.5 2020/11/18 06:56:07 tb Exp $ */ +/* $OpenBSD: verify.c,v 1.6 2021/08/27 16:15:42 beck Exp $ */ /* * Copyright (c) 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -238,6 +238,10 @@ struct verify_cert_test verify_cert_tests[] = { .id = "2b", .want_chains = 0, }, + { + .id = "2c", + .want_chains = 1, + }, { .id = "3a", .want_chains = 1, -- 2.20.1