X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
  KU: critical,digitalSignature
  XKU: codeSiging

Note: I did not find any other document formally defining the requirements
for code signing certificates.

Some combinations are explicitly forbidden, some flags can be ignored

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

test/certs/ee-codesign-anyextkeyusage.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjM0MDNaGA8yMTIyMDYxNjE2MzQwM1owGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjeDB2MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAZBgNVHSUEEjAQBggrBgEFBQcDAwYEVR0lADANBgkq
+hkiG9w0BAQsFAAOCAQEASlEaV64VMZE4Kj8ITpm8Xb418tbiLmuDEHZiZXOc9gRg
+YNnxpP0ammixIlvDtGM9Liahg5yTwj78Hd6ejxcSLm5sckhA+WkhosAm2aelkVEA
+kG0uqo2JOYd7RHh6rzvSCYfLX8gg9eqzq8qWw7Lbg9wyfC5V1Q+zYkuEQ4bBc5WT
+iqh1Zad4Lp9yFsMTEbo8aKL3Ayu0ehR1OrKjRrHbk9q2XafZRoa41mjNEHvQ7KkW
+PGkczOapAXRJRm7pRzI5m3lj07ITwdWiliu9Uv8KRKxkOunmSIGVBkeNMf7gGBiA
+1k4+o8wcWcQZmsP6RxEvSm6k5610oHi0z0CVgijghw==
+-----END CERTIFICATE-----

test/certs/ee-codesign-crlsign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIBgjATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAaFJ20GAgOe8aS9FOHzBwnQWT8m0tqrRysb/iAVmrK1z3o5Jz3vBw
+a5v1aMpWX19tp5tdIRqiGw0aAje8ZKBf4mK1Z9qZLmx+bat8Q4Re2s9wP67TUMfF
+SKvCYLNws5zcDnt31Ckpnu+kLm6GIxlYy7q+DBJxzuPCkVLZTSRhFJPs9pyn2jHt
+tGsQgkOAhOTKbldM9N66z+IqZJ3zXmmkrSVw45qDB50QpmaCJza1expIMderN/lh
+j/ijMGyZOZXH4KkNCGxROyw0iHB7nZ5IdXLbpDDycJkixmmUBNjBh5huxgfzwGHT
+ePW/iHQzvEzUWZJf3cx9GKRj5z2lJf9tPA==
+-----END CERTIFICATE-----

test/certs/ee-codesign-keycertsign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIChDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAGdAVHnk43W8f69NaXm/uddssUCiHln+gWON5n2fSZ5DC8eaUs/kt
+hr+HonB4cl+MvEeLUKN5Zmt4BRpqf2tlncy4qhoIzl99LlQs01IO2hoIYkc9/gRW
+xcyOAvRACEO3AlOLlKO00VjYfSc4zyf40LSme/DQOz9CWaAjOdpjF/AlWK5lHyB4
+Ra2EscTBE4kgrPiTQp5WG4mbbZ+H7Rd8dFrFY6/ZdmhqMCn04MUCtjfWFtPk6zAl
+DY/MqhvkZNTfHfvI9+jmiUG3+dpcDmrjL/IgtBlZjFTKroOdXVjMj0j1oUvhSjWB
+s1OhZ5bfbu9ZfwqQ0FqW3vzmJFENHxZmXg==
+-----END CERTIFICATE-----

test/certs/ee-codesign-noncritical.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEjCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNDI0MDBaGA8yMTIyMDYxNjE0MjQwMFowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjbzBtMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAAIP8ClZRmnDKLnyPPizy2Cf9SS5pp+tYxp4WlRCbbsPyF97GTRDY64Uk
+dyoD91h+PEj6UW5N8ZbDkpRL8k3wCd3a2jSJEQl//o/L4ZwdewTQxXtyyQrsh3Or
+HdgPg3qQllkJqkB6dlLCv8TsUXCiRkYuzE8x3ul0DjAfAiczwoFnhe+gXLJw74Lz
+PQm41X56AMgkv+yVGhfLgsN03Tppd25blExT35DDlsJx0OkZcZibU9dNA2ZFaT4X
+fIS0GL+9Pb/nm8b4UCcJDcNBut/TQnDZR5DysgrXCh0dXBFH5XZCczetbw4pW87I
+vIgtz2if2ZzhbxAfWRBCa7razHVNIQ==
+-----END CERTIFICATE-----

test/certs/ee-codesign-serverauth.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNjA1NDFaGA8yMTIyMDYxNjE2MDU0MVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjfDB6MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAwYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACt152hE0idWgezHBdihPN9dm7fWysPt3WemRlEX
+pK/g5OxfmkgfdazyKJi1I6ym5eEaCV9HFnPBtZYli50Paztwm26tEyh0ud/Bnybq
+X83ejhqyb3GJUTW3fkucNkKRlRto8C6zKfohS7+iwdBkIsxcGCJGYROKYJOGUiSZ
+thOnVnVqglSLa37iS6oJOK2CQ1AHP4GTcgVMBL7W1fSFvrVj0GsgnifnsLWkCfLL
+qlK6WXdpiJnjfgYmKfetglLknhGa7TGb0HIULyJ8hF4iVw08KLSH+os5fINizKbt
+NjNoFebf6p842zU9EH8tF/m+CkCPAHpGOsrc1+bf77jpmX4=
+-----END CERTIFICATE-----

test/certs/ee-codesign.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMjA2MTUxNDIyMDZaGA8yMTIyMDYxNjE0MjIwNlowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAcewR/upUpqoeTqgF/9c+kKBLee3hRBxWZciK0kkjb1y2jo+4yI9h
+0pe4Dk8mOVhR/r5pbFnz/MKzWkNXI/TMmpZDru1bM7ELBhwNoRE/pMriNA/0dopB
+7txO1DPkcEU0gsTOWbhUPlu1E87FsVzWQ1EmLy1GCwVf60AZmeQgo1nEopTZF5iq
+HNv9nkr3OB4MZCqk6UhWlwvWRDZnQuEoFDgg+HnmFJxfXavS3/q4q/YAlgfLbtPp
+AZDhOL2XxgSmkIDfQX5sO9BT594mvZS0u9dk2VwdLlaGGsaB4lxUcD1uekaI2ivO
+3sSdH6Ucc1agUAlQQWjXoPTcSEkti4kJaQ==
+-----END CERTIFICATE-----

test/certs/mkcert.sh

@@ -233,12 +233,14 @@ geneealt() {
 genee() {
     local OPTIND=1
     local purpose=serverAuth
+    local ku=
 
-    while getopts p: o
+    while getopts p:k: o
     do
         case $o in
         p) purpose="$OPTARG";;
-        *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
+        k) ku="keyUsage = $OPTARG";;
+        *) echo "Usage: $0 genee [-k KU] [-p EKU] cn keyname certname cakeyname cacertname" >&2
            return 1;;
         esac
     done
@@ -254,6 +256,7 @@ genee() {
 	    "subjectKeyIdentifier = hash" \
 	    "authorityKeyIdentifier = keyid, issuer" \
 	    "basicConstraints = CA:false" \
+            "$ku" \
 	    "extendedKeyUsage = $purpose" \
 	    "subjectAltName = @alts" "DNS=${cn}")
     csr=$(req "$key" "CN = $cn") || return 1

test/certs/setup.sh

@@ -185,6 +185,14 @@ openssl x509 -in ee-client.pem -trustout \
 ./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert
 ./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert
 
+# code signing certificate
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature server.example ee-key ee-codesign ca-key ca-cert
+./mkcert.sh genee -p codeSigning,serverAuth -k critical,digitalSignature server.example ee-key ee-codesign-serverauth ca-key ca-cert
+./mkcert.sh genee -p codeSigning,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-codesign-anyextkeyusage ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature,cRLSign server.example ee-key ee-codesign-crlsign ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k critical,digitalSignature,keyCertSign server.example ee-key ee-codesign-keycertsign ca-key ca-cert
+./mkcert.sh genee -p codeSigning -k digitalSignature server.example ee-key ee-codesign-noncritical ca-key ca-cert
+
 # Leaf cert security level variants
 # MD5 issuer signature
 OPENSSL_SIGALG=md5 \

test/recipes/25-test_verify.t

@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 172;
+plan tests => 182;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -262,6 +262,28 @@ ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert
 ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
    "accept timestampsign according to RFC 3161 with digitalSignature");
 
+# EE variants wrt code signing
+ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "accept codesign");
+ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail codesign with additional serverAuth");
+ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail codesign with additional anyExtendedKeyUsage");
+ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail codesign with additional cRLSign");
+ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail codesign with additional keyCertSign");
+ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail codesign without critical KU");
+ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail sslserver as code sign");
+ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail sslclient as codesign");
+ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to CAB forum as codesign");
+ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]),
+   "fail timestampsign according to RFC 3161 as codesign");
+
 # Proxy certificates
 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
    "fail to accept proxy cert without -allow_proxy_certs");