From 2b18a8b0c5b315083c49664101a103572d5592b6 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 20 May 2025 16:34:10 +0200 Subject: [PATCH 58/59] apps/x509.c: Fix the -addreject option adding trust instead of rejection Fixes CVE-2025-4575 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27672) --- apps/x509.c | 2 +- test/recipes/25-test_x509.t | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index fdae8f383a..0c340c15b3 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -465,7 +465,7 @@ int x509_main(int argc, char **argv) prog, opt_arg()); goto opthelp; } - if (!sk_ASN1_OBJECT_push(trust, objtmp)) + if (!sk_ASN1_OBJECT_push(reject, objtmp)) goto end; trustout = 1; break; diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 09b61708ff..dfa0a428f5 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_x509"); -plan tests => 134; +plan tests => 138; # Prevent MSys2 filename munging for arguments that look like file paths but # aren't @@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE", && run(app(["openssl", "verify", "-no_check_time", "-trusted", $ca, "-partial_chain", $caout]))); +# test trust decoration +ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection", + "-out", "ca-trusted.pem"]))); +cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection", + 1, 'trusted use - E-mail Protection'); +ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection", + "-out", "ca-rejected.pem"]))); +cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection", + 1, 'rejected use - E-mail Protection'); + subtest 'x509 -- x.509 v1 certificate' => sub { tconversion( -type => 'x509', -prefix => 'x509v1', -in => srctop_file("test", "testx509.pem") ); -- 2.49.0