Skip to content
  1. Jan 21, 2016
    • Viktor Dukhovni's avatar
      Reject when explicit trust EKU are set and none match. · 3342dcea
      Viktor Dukhovni authored
      
      
      Returning untrusted is enough for for full chains that end in
      self-signed roots, because when explicit trust is specified it
      suppresses the default blanket trust of self-signed objects.
      
      But for partial chains, this is not enough, because absent a similar
      trust-self-signed policy, non matching EKUs are indistinguishable
      from lack of EKU constraints.
      
      Therefore, failure to match any trusted purpose must trigger an
      explicit reject.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      3342dcea
    • Viktor Dukhovni's avatar
      Commit pre-generated test_verify certs · 3d6e91c6
      Viktor Dukhovni authored
      
      
      These can be re-generated via:
      
              cd test/certs; ./setup.sh
      
      if need be.  The keys are all RSA 2048-bit keys, but it is possible
      to change that via environment variables.
      
          cd test/certs
          rm -f *-key.pem *-key2.pem
          OPENSSL_KEYALG=rsa OPENSSL_KEYBITS=3072 ./setup.sh
      
          cd test/certs
          rm -f *-key.pem *-key2.pem
          OPENSSL_KEYALG=ecdsa OPENSSL_KEYBITS=secp384r1 ./setup.sh
      
          ...
      
      Keys are re-used if already present, so the environment variables
      are only used when generating any keys that are missing.  Hence
      the "rm -f"
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      3d6e91c6
    • Viktor Dukhovni's avatar
      84783517
  2. Jan 20, 2016
  3. Jan 19, 2016
  4. Jan 18, 2016
  5. Jan 17, 2016
  6. Jan 16, 2016