Only CSR version 1 (encoded as 0) is allowed by PKIX standards #747

Merged 1 commit on Apr 26, 2024

Commits on Apr 26, 2024

  1. Only CSR version 1 (encoded as 0) is allowed by PKIX standards

    RFC 2986, section 4.1 only defines version 1 for CSRs. This version
    is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
    to anything but 1 fails.
    
    Do not attempt to generate a CSR with an invalid version (which now fails)
    and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
    subject rather than using an invalid version.
    
    This commit fixes the following error.
    
    ```
     2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
    X509_REQ_set_version: passed invalid argument
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
    /home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
    `test_version'
         40:     req = OpenSSL::X509::Request.new(req.to_der)
         41:     assert_equal(0, req.version)
         42:
      => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
         44:     assert_equal(1, req.version)
         45:     req = OpenSSL::X509::Request.new(req.to_der)
         46:     assert_equal(1, req.version)
    ```
    job authored and botovq committed Apr 26, 2024
    c06fdeb
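The approach the commit message describes, as an added Ruby example (not code from this pull request or the project's test suite): a CSR is built with version 0, the encoded version is read back from the DER, and the request is then invalidated by changing its subject instead of its version. The helper names `build_csr`, `encoded_version`, `try_version` and `demo`, the subject names and the 2048-bit key are assumptions made for the example.

```ruby
require "openssl"

# Build and sign a CSR. RFC 2986 section 4.1 defines only version 1,
# which is carried in the encoding as INTEGER 0.
def build_csr(subject, key, digest = "SHA256")
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = subject
  req.public_key = key
  req.sign(key, digest)
  req
end

# Read the version INTEGER straight out of the DER:
# CertificationRequest -> CertificationRequestInfo -> version.
def encoded_version(req)
  OpenSSL::ASN1.decode(req.to_der).value[0].value[0].value.to_i
end

# Probe how the linked OpenSSL treats another version value. The commit
# message reports that OpenSSL 3.3 and later refuse it; older builds accept it.
def try_version(value)
  OpenSSL::X509::Request.new.version = value
  :accepted
rescue OpenSSL::X509::RequestError
  :rejected
end

# Constructed sample data: a throwaway key and made-up subject names.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  req = build_csr(OpenSSL::X509::Name.parse("/CN=csr-demo.example"), key)
  result = { encoded: encoded_version(req), valid: req.verify(key) }
  # The subject is covered by the signature, so changing it after signing
  # yields a CSR that no longer verifies, with the version left at 0.
  req.subject = OpenSSL::X509::Name.parse("/CN=changed.example")
  result.merge(after_change: req.verify(key),
               encoded_after: encoded_version(req),
               version_1: try_version(1))
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `version_1` entry depends on the OpenSSL build Ruby is linked against, so a test that needs an invalid CSR on every build should rely on the subject change rather than on that value.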