[thirdparty/openssl.git] / test / recipes / 25-test_verify.t

#! /usr/bin/perl

use strict;
use warnings;

use File::Spec::Functions qw/canonpath/;
use OpenSSL::Test qw/:DEFAULT top_file/;

setup("test_verify");

sub verify {
    my ($cert, $vname, $trusted, $untrusted, @opts) = @_;
    my @args = qw(openssl verify -verify_name);
    my @path = qw(test certs);
    push(@args, "$vname", @opts);
    for (@$trusted) { push(@args, "-trusted", top_file(@path, "$_.pem")) }
    for (@$untrusted) { push(@args, "-untrusted", top_file(@path, "$_.pem")) }
    push(@args, top_file(@path, "$cert.pem"));
    run(app([@args]));
}

plan tests => 29;

# Canonical success
ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),
   "verify valid chain");

# Root CA variants
ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),
   "Trusted certs not subject to CA:true checks");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),
   "fail wrong root key");
ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),
   "fail wrong root DN");
ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),
   "accept right EKU");
ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),
   "fail rejected EKU");
ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),
   "fail wrong EKU");

# CA variants
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),
   "fail non-CA");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),
   "fail wrong CA key");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),
   "fail wrong CA DN");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),
   "fail wrong CA issuer");
ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),
   "fail untrusted partial");
ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),
   "fail untrusted EKU partial");
ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),
   "accept trusted EKU partial");
ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),
   "fail rejected EKU partial");
ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),
   "fail wrong EKU partial");

# EE variants
ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
   "accept client cert");
ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose");
ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose");
ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA key");
ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA name");
ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail expired leaf");
ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),
   "fail last-resort direct leaf non-match");
ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU");
ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU");
ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU");
ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU");
Commit	Line	Data
4650de3e RL	1	#! /usr/bin/perl
	2
	3	use strict;
	4	use warnings;
	5
	6	use File::Spec::Functions qw/canonpath/;
9c626317	7	use OpenSSL::Test qw/:DEFAULT top_file/;
4650de3e RL	8
	9	setup("test_verify");
	10
6e8beabc VD	11	sub verify {
	12	my ($cert, $vname, $trusted, $untrusted, @opts) = @_;
	13	my @args = qw(openssl verify -verify_name);
	14	my @path = qw(test certs);
	15	push(@args, "$vname", @opts);
9c626317 RL	16	for (@$trusted) { push(@args, "-trusted", top_file(@path, "$_.pem")) }
	17	for (@$untrusted) { push(@args, "-untrusted", top_file(@path, "$_.pem")) }
	18	push(@args, top_file(@path, "$cert.pem"));
6e8beabc VD	19	run(app([@args]));
6e8beabc VD	20	}
4ada8be2	21
6e8beabc	22	plan tests => 29;
4650de3e	23
6e8beabc VD	24	# Canonical success
	25	ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),
	26	"verify valid chain");
	27
	28	# Root CA variants
	29	ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),
	30	"Trusted certs not subject to CA:true checks");
	31	ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),
	32	"fail wrong root key");
	33	ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),
	34	"fail wrong root DN");
	35	ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),
	36	"accept right EKU");
	37	ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),
	38	"fail rejected EKU");
	39	ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),
	40	"fail wrong EKU");
	41
	42	# CA variants
	43	ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),
	44	"fail non-CA");
	45	ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),
	46	"fail wrong CA key");
	47	ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),
	48	"fail wrong CA DN");
	49	ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),
	50	"fail wrong CA issuer");
	51	ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),
	52	"fail untrusted partial");
	53	ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),
	54	"fail untrusted EKU partial");
	55	ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),
	56	"accept trusted EKU partial");
	57	ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),
	58	"fail rejected EKU partial");
	59	ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),
	60	"fail wrong EKU partial");
	61
	62	# EE variants
	63	ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
	64	"accept client cert");
	65	ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
	66	"fail wrong leaf purpose");
	67	ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
	68	"fail wrong leaf purpose");
	69	ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
	70	"fail wrong CA key");
	71	ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
	72	"fail wrong CA name");
	73	ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
	74	"fail expired leaf");
	75	ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),
	76	"accept last-resort direct leaf match");
	77	ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),
	78	"accept last-resort direct leaf match");
	79	ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),
	80	"fail last-resort direct leaf non-match");
	81	ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),
	82	"accept direct match with trusted EKU");
	83	ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),
	84	"reject direct match with rejected EKU");
	85	ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),
	86	"accept direct match with trusted EKU");
	87	ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),
88	"reject direct match with rejected EKU");