openbsd/src/regress/lib/libcrypto/x509, branch OPENBSD_7_0

openbsd/src/regress/lib/libcrypto/x509, branch OPENBSD_7_0_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_0_BASE 2021-09-03T08:58:53+00:00 Call the callback on success in new verifier in a compatible way 2021-09-03T08:58:53+00:00 beck 2021-09-03T08:58:53+00:00 urn:sha1:eabb493f0d6e4fe79346324ce6f5ac67a874928a when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@ Add a regression test to verify that we call the callback in the same 2021-09-01T08:12:15+00:00 beck 2021-09-01T08:12:15+00:00 urn:sha1:58948ae23ded8c8d6308bb4043df68acb129f402 order on success for both the legacy and the new verifier, This avoids problems as seen in perl's regression tests for some of the crazy things net:ssleay does. This is currently marked as expected to fail, it will be expected to succeed after a forthcoming commit from me. Only remove the directories if there's an obj/ or obj@ 2021-08-28T15:20:19+00:00 tb 2021-08-28T15:20:19+00:00 urn:sha1:85f20fa45d1130a2aa32f8f5fe0ba6c32b1e36ac Add a pass using the modern vfy with by_dir roots, code by me, script to 2021-08-28T15:13:50+00:00 beck 2021-08-28T15:13:50+00:00 urn:sha1:a9bc25bbe78953b4cf099bd81d7b5bdfb4dd43ce generate certdirs by jsing, and make chicken sacrifies by tb. ok tb@ jsing@ Add regress test testing having the root cert in the intermediate bundle 2021-08-27T16:15:42+00:00 beck 2021-08-27T16:15:42+00:00 urn:sha1:0336be9fd5ead50a0c4ba8ea66044979d6c1b473 Relax SAN DNSname validation and constraints to permit non leading * 2021-04-27T03:35:29+00:00 beck 2021-04-27T03:35:29+00:00 urn:sha1:6b2e11072ab9080846b3abc7527db20e0b4df852 wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards). ok jsing@, tb@ Don't leak verify and store contexts. 2020-11-18T06:56:07+00:00 tb 2020-11-18T06:56:07+00:00 urn:sha1:87eb79e4866bd8df5384279f38727e40de157d37 catch unset error when validation fails. 2020-10-26T12:11:47+00:00 beck 2020-10-26T12:11:47+00:00 urn:sha1:393560d6830a3c756a88e4275aaa6132e770aa55 Don't leak bundle_file and cert_file paths at the end. 2020-10-10T10:19:45+00:00 tb 2020-10-10T10:19:45+00:00 urn:sha1:f1cd34c34dcd89aa470c2819614fd1a16c30b58a Read cert.pem once and reuse it instead of reading it twice per test cert 2020-10-08T14:38:09+00:00 tb 2020-10-08T14:38:09+00:00 urn:sha1:5ab42e6c362fd1022c5c0028bf55964b0a89e595 chain. It only takes a few dozens of ms to read it, but doing this 7290 times adds up to a few minutes run time. This way, the test completes in a handful of seconds. Diagnosed by jsing, ok beck