#! /usr/bin/perl
# Test recipe for "openssl verify": drives the command-line verifier against
# the certificate fixtures under test/certs and checks which chains are
# accepted or rejected (trust anchors, CA variants, EKU trust annotations,
# partial chains and direct leaf matches).

use strict;
use warnings;

use File::Spec::Functions qw/canonpath/;   # NOTE(review): canonpath appears unused in this file
use OpenSSL::Test qw/:DEFAULT top_file/;   # run/app/setup and top_file; plan/ok below also come through this import

# Registers this recipe with the OpenSSL test harness before any command runs.
setup("test_verify");

# Run "openssl verify" on one leaf certificate from test/certs and return
# whatever OpenSSL::Test::run returns for the command (true when the
# verifier's exit status passed the harness's exit check).
#
#   $cert       basename (without ".pem") of the leaf certificate to verify
#   $vname      value passed to -verify_name, i.e. the verification purpose
#   $trusted    arrayref of basenames handed to -trusted (trust anchors)
#   $untrusted  arrayref of basenames handed to -untrusted (chain-building helpers only)
#   @opts       any further command-line options, e.g. "-partial_chain"
#
# The argument vector is built as a list and passed to app(), so no shell is
# involved and the fixture names are never subject to shell interpretation.
sub verify {
    my ($cert, $vname, $trusted, $untrusted, @opts) = @_;

    # All fixtures live in test/certs; resolve a basename to its .pem path.
    my $pem_path = sub { top_file(qw(test certs), "$_[0].pem") };

    my @cmd = (
        qw(openssl verify -verify_name), $vname, @opts,
        (map { ('-trusted',   $pem_path->($_)) } @$trusted),
        (map { ('-untrusted', $pem_path->($_)) } @$untrusted),
        $pem_path->($cert),                 # the leaf comes last, as a bare file operand
    );

    return run(app([@cmd]));
}
# One ok() per verification scenario below; keep this count in step with them.
plan(tests => 29);

# Each row is one verification scenario:
#   [ expected, leaf, verify_name, \@trusted, \@untrusted, \@extra_opts, description ]
# "expected" is $ACCEPT when the chain must validate and $REJECT when the
# verifier must refuse it.  The rows are grouped by which element of the
# chain is being varied.  Fixture names follow the pattern used in test/certs
# ("root-cert2" = wrong key, "root-name2" = wrong DN, "+serverAuth" /
# "-serverAuth" = EKU trust annotations) — presumably; verify against the
# fixture generator when adding cases.
my ($ACCEPT, $REJECT) = (1, 0);

my @cases = (
    # Canonical success: leaf, intermediate, trusted root.
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert)], [],
      "verify valid chain" ],

    # Root CA variants.  Trust anchors are taken on trust, so a non-CA anchor
    # still works; a wrong key or DN must break the chain, and an anchor's EKU
    # trust annotations must be honoured for the requested purpose.
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)], [],
      "Trusted certs not subject to CA:true checks" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)], [],
      "fail wrong root key" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)], [],
      "fail wrong root DN" ],
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)], [],
      "accept right EKU" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)], [],
      "fail rejected EKU" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)], [],
      "fail wrong EKU" ],

    # CA (intermediate) variants.  Unlike anchors, an untrusted intermediate
    # must be a real CA and must chain by key, DN and issuer.  With
    # -partial_chain the intermediate can stand in for a root, but only when
    # it is supplied via -trusted: anything given as -untrusted never confers
    # trust, and its EKU annotations must still match the purpose.
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)], [],
      "fail non-CA" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)], [],
      "fail wrong CA key" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)], [],
      "fail wrong CA DN" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)], [],
      "fail wrong CA issuer" ],
    [ $REJECT, "ee-cert", "ssl_server", [], [qw(ca-cert)], [qw(-partial_chain)],
      "fail untrusted partial" ],
    [ $REJECT, "ee-cert", "ssl_server", [], [qw(ca+serverAuth)], [qw(-partial_chain)],
      "fail untrusted EKU partial" ],
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(ca+serverAuth)], [], [qw(-partial_chain)],
      "accept trusted EKU partial" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(ca-serverAuth)], [], [qw(-partial_chain)],
      "fail rejected EKU partial" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(ca+clientAuth)], [], [qw(-partial_chain)],
      "fail wrong EKU partial" ],

    # End-entity variants: purpose must match the leaf, the leaf must chain
    # to the CA by key and name, and an expired leaf is rejected.  The
    # "last-resort" rows check that a leaf listed directly as a trusted cert
    # validates by itself (with -partial_chain), that a different leaf does
    # not, and that EKU trust annotations on the leaf are honoured as well.
    [ $ACCEPT, "ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)], [],
      "accept client cert" ],
    [ $REJECT, "ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)], [],
      "fail wrong leaf purpose" ],
    [ $REJECT, "ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)], [],
      "fail wrong leaf purpose" ],
    [ $REJECT, "ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)], [],
      "fail wrong CA key" ],
    [ $REJECT, "ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)], [],
      "fail wrong CA name" ],
    [ $REJECT, "ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)], [],
      "fail expired leaf" ],
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(ee-cert)], [], [qw(-partial_chain)],
      "accept last-resort direct leaf match" ],
    [ $ACCEPT, "ee-client", "ssl_client", [qw(ee-client)], [], [qw(-partial_chain)],
      "accept last-resort direct leaf match" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(ee-client)], [], [qw(-partial_chain)],
      "fail last-resort direct leaf non-match" ],
    [ $ACCEPT, "ee-cert", "ssl_server", [qw(ee+serverAuth)], [], [qw(-partial_chain)],
      "accept direct match with trusted EKU" ],
    [ $REJECT, "ee-cert", "ssl_server", [qw(ee-serverAuth)], [], [qw(-partial_chain)],
      "reject direct match with rejected EKU" ],
    [ $ACCEPT, "ee-client", "ssl_client", [qw(ee+clientAuth)], [], [qw(-partial_chain)],
      "accept direct match with trusted EKU" ],
    [ $REJECT, "ee-client", "ssl_client", [qw(ee-clientAuth)], [], [qw(-partial_chain)],
      "reject direct match with rejected EKU" ],
);

# Run the scenarios in table order so the TAP numbering matches the rows.
for my $case (@cases) {
    my ($expected, $leaf, $vname, $trusted, $untrusted, $extra, $desc) = @$case;
    my @call = ($leaf, $vname, $trusted, $untrusted, @$extra);

    # Keep the same call shape as a direct ok()/ok(!...) pair: the verifier's
    # own result is the assertion, negated when rejection is the expectation.
    ok(($expected ? verify(@call) : !verify(@call)), $desc);
}