summaryrefslogtreecommitdiff
path: root/src/regress/lib/libcrypto/x509 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Call the callback on success in new verifier in a compatible waybeck2021-09-031-3/+1
| | | | | | | | | | | | | when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
* Add a regression test to verify that we call the callback in the samebeck2021-09-013-4/+551
| | | | | | | | | order on success for both the legacy and the new verifier, This avoids problems as seen in perl's regression tests for some of the crazy things net:ssleay does. This is currently marked as expected to fail, it will be expected to succeed after a forthcoming commit from me.
* Only remove the directories if there's an obj/ or obj@tb2021-08-281-2/+4
|
* Add a pass using the modern vfy with by_dir roots, code by me, script tobeck2021-08-283-15/+106
| | | | | | generate certdirs by jsing, and make chicken sacrifies by tb. ok tb@ jsing@
* Add regress test testing having the root cert in the intermediate bundlebeck2021-08-271-1/+5
|
* Relax SAN DNSname validation and constraints to permit non leading *beck2021-04-271-8/+4
| | | | | | | | | | | wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards). ok jsing@, tb@
* Don't leak verify and store contexts.tb2020-11-181-1/+3
|
* catch unset error when validation fails.beck2020-10-262-2/+16
|
* Don't leak bundle_file and cert_file paths at the end.tb2020-10-101-1/+3
|
* Read cert.pem once and reuse it instead of reading it twice per test certtb2020-10-081-18/+10
| | | | | | | | chain. It only takes a few dozens of ms to read it, but doing this 7290 times adds up to a few minutes run time. This way, the test completes in a handful of seconds. Diagnosed by jsing, ok beck
* KNFtb2020-10-031-12/+11
|
* typotb2020-10-031-1/+1
|
* spelling, punctuation, whitespacetb2020-10-022-6/+6
|
* Add possibility to link and run this test against the OpenSSL 1.1.1 packagetb2020-10-021-1/+7
| | | | | | using the make variable EOPENSSL11. Suggested by jsing
* Use += and ?= and tidy up whitespacetb2020-10-021-8/+8
|
* Tidy up: no need to link statically against libcrypto and no needtb2020-10-021-4/+4
| | | | to look at its private headers either.
* Make this test compile against OpenSSL 1.1tb2020-10-021-11/+21
| | | | | | | The X509_STORE_CTX struct is opaque in OpenSSL 1.1. To avoid reaching inside it, reuse the trusted certificate store that was just assigned to it and use X509_STORE_CTX_get0_param(3) to access the verification parameters.
* move a misplaced 'goto done;' so that all invalid uris are testedtb2020-09-211-1/+1
|
* add a few short invalid URIs in test_constraints1() that cause earlytb2020-09-211-0/+4
| | | | failure of x509_constraints_uri_host() in x509_constraints_uri()
* Correct a 1 byte read overflow in x509_contraints_uri and addbeck2020-09-201-0/+4
| | | | | | | | regress to catch it in the future. found by Guido Vranken's cryptofuzzer ok tb@
* Move variable declaration to beginning of scope in order to make thistb2020-09-181-3/+4
| | | | test compile and pass on sparc64.
* make this test compile and pass on sparc64 by moving variable declarationstb2020-09-181-4/+9
| | | | to the beginning of the respective scopes (and out of for loops)
* move variable declaration up to top to make this compile and passtb2020-09-181-1/+1
| | | | on sparc64
* Use void function argument to appease gcc 4.2.1tb2020-09-181-1/+1
|
* Change the known output to be the expected output, so that webeck2020-09-141-1421/+1421
| | | | | | no longer ignore the expected failures from the legacy name constraints validation, and will have a regress failure if we regress.
* Use a fixed validation time in these tests so we neverbeck2020-09-141-2/+4
| | | | | have to re-generate these certificates and this should just keep working even if the certs get old
* Add new x509 certificate chain validator in x509_verify.cbeck2020-09-131-9/+90
| | | | | | | | | | | | | | | | | | | The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go). The new validator is not enabled by default with this commit, this will be changed in a follow on commit. The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later. ok tb@ inoguchi@ jsing@
* remove unused include that breaks regressbeck2020-09-121-1/+0
|
* Add x509_constraints.c - a new implementation of x509 name constraints, withbeck2020-09-112-5/+495
| | | | | | | regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit ok jsing@
* Fix perl bugs that had me printing the wrong cert number for errorsbeck2020-07-161-8/+9
|
* The exit code from the perl matters herebeck2020-07-151-1/+3
|
* Don't leak the X509_STOREbeck2020-07-151-1/+3
|
* Add certificate validation tests generated using the tools frombeck2020-07-1510945-0/+444760
| | | | | | | | bettertls.com, and a verification suite to try each certificate in the same manner as the web based tests do using X509_verify. This includes the list of "known" failures today in our validaion code so we can move forward without moving back.
* Add regress for X509_verify() using the new bundles.jsing2020-07-142-3/+369
| | | | | A number of these tests are known to fail due to bugs/incorrect verification implementation.
* When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), returnschwarze2020-06-042-5/+115
| | | | | | | | | | | failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by documented API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This fixes a bug found while working on documentation. OK tb@ and "thanks" bluhm@
* Fix a leak reported by Ben L bobsayshilol () live ! co ! uk.tb2018-11-101-1/+3
|
* test X509_NAME_add_entry_by_txt(3); feedback and OK jsing@schwarze2018-04-073-0/+78
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 21:35:38 +0000