]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
a28d06f3 | 2 | # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. |
596d6b7e | 3 | # |
909f1a2e | 4 | # Licensed under the Apache License 2.0 (the "License"). You may not use |
596d6b7e RS |
5 | # this file except in compliance with the License. You can obtain a copy |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
4650de3e RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use File::Spec::Functions qw/canonpath/; | |
d4458e59 | 14 | use File::Copy; |
f7346cab | 15 | use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir ok_nofips with/; |
978b700b | 16 | use OpenSSL::Test::Utils; |
4650de3e RL |
17 | |
18 | setup("test_verify"); | |
19 | ||
6e8beabc | 20 | sub verify { |
0daccd4d | 21 | my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; |
6e8beabc | 22 | my @path = qw(test certs); |
97b59744 DDO |
23 | my @args = qw(openssl verify -auth_level 1); |
24 | push(@args, "-purpose", $purpose) if $purpose ne ""; | |
25 | push(@args, @opts); | |
42e0ccdf RL |
26 | for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) } |
27 | for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) } | |
28 | push(@args, srctop_file(@path, "$cert.pem")); | |
6e8beabc VD |
29 | run(app([@args])); |
30 | } | |
4ada8be2 | 31 | |
591feddc | 32 | plan tests => 185; |
4650de3e | 33 | |
6e8beabc | 34 | # Canonical success |
0daccd4d | 35 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), |
33cc5dde | 36 | "accept compat trust"); |
6e8beabc VD |
37 | |
38 | # Root CA variants | |
0daccd4d | 39 | ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), |
33cc5dde | 40 | "fail trusted non-ca root"); |
1d852772 VD |
41 | ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]), |
42 | "fail server trust non-ca root"); | |
43 | ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]), | |
44 | "fail wildcard trust non-ca root"); | |
0daccd4d | 45 | ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), |
6e8beabc | 46 | "fail wrong root key"); |
0daccd4d | 47 | ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), |
6e8beabc | 48 | "fail wrong root DN"); |
33cc5dde | 49 | |
4ff993d7 DDO |
50 | # Critical extensions |
51 | ||
97b59744 | 52 | ok(verify("ee-cert-noncrit-unknown-ext", "", ["root-cert"], ["ca-cert"]), |
4ff993d7 | 53 | "accept non-critical unknown extension"); |
97b59744 | 54 | ok(!verify("ee-cert-crit-unknown-ext", "", ["root-cert"], ["ca-cert"]), |
4ff993d7 | 55 | "reject critical unknown extension"); |
97b59744 | 56 | ok(verify("ee-cert-ocsp-nocheck", "", ["root-cert"], ["ca-cert"]), |
4ff993d7 DDO |
57 | "accept critical OCSP No Check"); |
58 | ||
33cc5dde VD |
59 | # Explicit trust/purpose combinations |
60 | # | |
61 | ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), | |
62 | "accept server purpose"); | |
63 | ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), | |
64 | "fail client purpose"); | |
0daccd4d | 65 | ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), |
33cc5dde VD |
66 | "accept server trust"); |
67 | ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), | |
68 | "accept server trust with server purpose"); | |
69 | ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]), | |
70 | "accept server trust with client purpose"); | |
71 | # Wildcard trust | |
0daccd4d | 72 | ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), |
33cc5dde VD |
73 | "accept wildcard trust"); |
74 | ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]), | |
75 | "accept wildcard trust with server purpose"); | |
76 | ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]), | |
77 | "accept wildcard trust with client purpose"); | |
78 | # Inapplicable mistrust | |
79 | ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), | |
80 | "accept client mistrust"); | |
81 | ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), | |
82 | "accept client mistrust with server purpose"); | |
83 | ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), | |
84 | "fail client mistrust with client purpose"); | |
85 | # Inapplicable trust | |
86 | ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), | |
87 | "fail client trust"); | |
88 | ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]), | |
89 | "fail client trust with server purpose"); | |
90 | ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]), | |
91 | "fail client trust with client purpose"); | |
92 | # Server mistrust | |
0daccd4d | 93 | ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), |
6e8beabc | 94 | "fail rejected EKU"); |
33cc5dde VD |
95 | ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]), |
96 | "fail server mistrust with server purpose"); | |
97 | ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]), | |
98 | "fail server mistrust with client purpose"); | |
99 | # Wildcard mistrust | |
0daccd4d | 100 | ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), |
33cc5dde VD |
101 | "fail wildcard mistrust"); |
102 | ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]), | |
103 | "fail wildcard mistrust with server purpose"); | |
104 | ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]), | |
105 | "fail wildcard mistrust with client purpose"); | |
6e8beabc | 106 | |
0daccd4d VD |
107 | # Check that trusted-first is on by setting up paths to different roots |
108 | # depending on whether the intermediate is the trusted or untrusted one. | |
109 | # | |
110 | ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], | |
111 | [qw(ca-cert)]), | |
33cc5dde | 112 | "accept trusted-first path"); |
0daccd4d VD |
113 | ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], |
114 | [qw(ca-cert)]), | |
33cc5dde | 115 | "accept trusted-first path with server trust"); |
0daccd4d VD |
116 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], |
117 | [qw(ca-cert)]), | |
33cc5dde | 118 | "fail trusted-first path with server mistrust"); |
0daccd4d VD |
119 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], |
120 | [qw(ca-cert)]), | |
33cc5dde | 121 | "fail trusted-first path with client trust"); |
0daccd4d | 122 | |
6e8beabc | 123 | # CA variants |
0daccd4d | 124 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), |
1d852772 | 125 | "fail non-CA untrusted intermediate"); |
4d9e33ac VD |
126 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]), |
127 | "fail non-CA untrusted intermediate"); | |
1d852772 | 128 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []), |
4d9e33ac VD |
129 | "fail non-CA trust-store intermediate"); |
130 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []), | |
131 | "fail non-CA trust-store intermediate"); | |
1d852772 VD |
132 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []), |
133 | "fail non-CA server trust intermediate"); | |
134 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []), | |
135 | "fail non-CA wildcard trust intermediate"); | |
0daccd4d | 136 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), |
33cc5dde | 137 | "fail wrong intermediate CA key"); |
0daccd4d | 138 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), |
33cc5dde | 139 | "fail wrong intermediate CA DN"); |
0daccd4d | 140 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), |
33cc5dde | 141 | "fail wrong intermediate CA issuer"); |
0daccd4d | 142 | ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), |
33cc5dde VD |
143 | "fail untrusted partial chain"); |
144 | ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"), | |
145 | "accept trusted partial chain"); | |
3bed88a3 DDO |
146 | ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"), |
147 | "reject expired trusted partial chain"); # this check is beyond RFC 5280 | |
148 | ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]), | |
149 | "reject expired trusted root"); # this check is beyond RFC 5280 | |
33cc5dde VD |
150 | ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), |
151 | "accept partial chain with server purpose"); | |
152 | ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), | |
153 | "fail partial chain with client purpose"); | |
0daccd4d | 154 | ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), |
33cc5dde VD |
155 | "accept server trust partial chain"); |
156 | ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), | |
157 | "accept server trust client purpose partial chain"); | |
158 | ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"), | |
159 | "accept client mistrust partial chain"); | |
160 | ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"), | |
161 | "accept wildcard trust partial chain"); | |
162 | ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), | |
163 | "fail untrusted partial issuer with ignored server trust"); | |
0daccd4d | 164 | ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), |
33cc5dde | 165 | "fail server mistrust partial chain"); |
0daccd4d | 166 | ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), |
33cc5dde VD |
167 | "fail client trust partial chain"); |
168 | ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"), | |
169 | "fail wildcard mistrust partial chain"); | |
6e8beabc | 170 | |
0daccd4d VD |
171 | # We now test auxiliary trust even for intermediate trusted certs without |
172 | # -partial_chain. Note that "-trusted_first" is now always on and cannot | |
173 | # be disabled. | |
174 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), | |
33cc5dde VD |
175 | "accept server trust"); |
176 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]), | |
177 | "accept wildcard trust"); | |
178 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]), | |
179 | "accept server purpose"); | |
180 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]), | |
181 | "accept server trust and purpose"); | |
182 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]), | |
183 | "accept wildcard trust and server purpose"); | |
184 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]), | |
185 | "accept client mistrust and server purpose"); | |
186 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]), | |
187 | "accept server trust and client purpose"); | |
188 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), | |
189 | "accept wildcard trust and client purpose"); | |
190 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), | |
191 | "fail client purpose"); | |
192 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), | |
193 | "fail wildcard mistrust"); | |
0daccd4d | 194 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), |
33cc5dde | 195 | "fail server mistrust"); |
0daccd4d | 196 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]), |
33cc5dde VD |
197 | "fail client trust"); |
198 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]), | |
199 | "fail client trust and server purpose"); | |
200 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]), | |
201 | "fail client trust and client purpose"); | |
202 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]), | |
203 | "fail server mistrust and client purpose"); | |
204 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]), | |
205 | "fail client mistrust and client purpose"); | |
206 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]), | |
207 | "fail server mistrust and server purpose"); | |
208 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]), | |
209 | "fail wildcard mistrust and server purpose"); | |
210 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]), | |
211 | "fail wildcard mistrust and client purpose"); | |
0daccd4d | 212 | |
6e8beabc | 213 | # EE variants |
0daccd4d | 214 | ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 215 | "accept client chain"); |
0daccd4d | 216 | ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 217 | "fail server leaf purpose"); |
0daccd4d | 218 | ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 219 | "fail client leaf purpose"); |
0daccd4d | 220 | ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 221 | "fail wrong intermediate CA key"); |
0daccd4d | 222 | ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 223 | "fail wrong intermediate CA DN"); |
0daccd4d | 224 | ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
6e8beabc | 225 | "fail expired leaf"); |
0daccd4d | 226 | ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), |
6e8beabc | 227 | "accept last-resort direct leaf match"); |
0daccd4d | 228 | ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), |
6e8beabc | 229 | "accept last-resort direct leaf match"); |
0daccd4d | 230 | ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), |
6e8beabc | 231 | "fail last-resort direct leaf non-match"); |
0daccd4d | 232 | ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), |
33cc5dde | 233 | "accept direct match with server trust"); |
0daccd4d | 234 | ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), |
33cc5dde | 235 | "fail direct match with server mistrust"); |
0daccd4d | 236 | ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), |
33cc5dde | 237 | "accept direct match with client trust"); |
0daccd4d | 238 | ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), |
33cc5dde | 239 | "reject direct match with client mistrust"); |
3cb55fe4 TM |
240 | ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
241 | "accept non-ca with pathlen:0 by default"); | |
242 | ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"), | |
243 | "reject non-ca with pathlen:0 with strict flag"); | |
fbb82a60 | 244 | |
386ab7f1 LJ |
245 | # EE veaiants wrt timestamp signing |
246 | ok(verify("ee-timestampsign-CABforum", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
247 | "accept timestampsign according to CAB forum"); | |
248 | ok(!verify("ee-timestampsign-CABforum-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
249 | "fail timestampsign according to CAB forum with extendedKeyUsage not critical"); | |
250 | ok(!verify("ee-timestampsign-CABforum-serverauth", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
251 | "fail timestampsign according to CAB forum with serverAuth"); | |
252 | ok(!verify("ee-timestampsign-CABforum-anyextkeyusage", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
253 | "fail timestampsign according to CAB forum with anyExtendedKeyUsage"); | |
254 | ok(!verify("ee-timestampsign-CABforum-crlsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
255 | "fail timestampsign according to CAB forum with cRLSign"); | |
256 | ok(!verify("ee-timestampsign-CABforum-keycertsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
257 | "fail timestampsign according to CAB forum with keyCertSign"); | |
258 | ok(verify("ee-timestampsign-rfc3161", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
259 | "accept timestampsign according to RFC 3161"); | |
260 | ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
261 | "fail timestampsign according to RFC 3161 with extendedKeyUsage not critical"); | |
262 | ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]), | |
263 | "accept timestampsign according to RFC 3161 with digitalSignature"); | |
264 | ||
61a97676 LJ |
265 | # EE variants wrt code signing |
266 | ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
267 | "accept codesign"); | |
268 | ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
269 | "fail codesign with additional serverAuth"); | |
270 | ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
271 | "fail codesign with additional anyExtendedKeyUsage"); | |
272 | ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
273 | "fail codesign with additional cRLSign"); | |
274 | ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
275 | "fail codesign with additional keyCertSign"); | |
276 | ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
277 | "fail codesign without critical KU"); | |
278 | ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
279 | "fail sslserver as code sign"); | |
280 | ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
281 | "fail sslclient as codesign"); | |
282 | ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
283 | "fail timestampsign according to CAB forum as codesign"); | |
284 | ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]), | |
285 | "fail timestampsign according to RFC 3161 as codesign"); | |
286 | ||
aa951ef3 RL |
287 | # Proxy certificates |
288 | ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), | |
289 | "fail to accept proxy cert without -allow_proxy_certs"); | |
290 | ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)], | |
291 | "-allow_proxy_certs"), | |
292 | "accept proxy cert 1"); | |
293 | ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
294 | "-allow_proxy_certs"), | |
295 | "accept proxy cert 2"); | |
296 | ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
297 | "-allow_proxy_certs"), | |
298 | "fail proxy cert with incorrect subject"); | |
299 | ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
300 | "-allow_proxy_certs"), | |
301 | "fail proxy cert with incorrect pathlen"); | |
302 | ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
303 | "-allow_proxy_certs"), | |
304 | "accept proxy cert missing proxy policy"); | |
305 | ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
306 | "-allow_proxy_certs"), | |
307 | "failed proxy cert where last CN was added as a multivalue RDN component"); | |
308 | ||
fbb82a60 | 309 | # Security level tests |
97b59744 | 310 | ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), |
fbb82a60 | 311 | "accept RSA 2048 chain at auth level 2"); |
97b59744 | 312 | ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "3"), |
fbb82a60 | 313 | "reject RSA 2048 root at auth level 3"); |
97b59744 | 314 | ok(verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"), |
fbb82a60 | 315 | "accept RSA 768 root at auth level 0"); |
97b59744 | 316 | ok(!verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"]), |
fbb82a60 | 317 | "reject RSA 768 root at auth level 1"); |
97b59744 | 318 | ok(verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"), |
fbb82a60 | 319 | "accept RSA 768 intermediate at auth level 0"); |
97b59744 | 320 | ok(!verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"]), |
fbb82a60 | 321 | "reject RSA 768 intermediate at auth level 1"); |
97b59744 | 322 | ok(verify("ee-cert-768", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"), |
fbb82a60 | 323 | "accept RSA 768 leaf at auth level 0"); |
97b59744 | 324 | ok(!verify("ee-cert-768", "", ["root-cert"], ["ca-cert"]), |
fbb82a60 VD |
325 | "reject RSA 768 leaf at auth level 1"); |
326 | # | |
97b59744 | 327 | ok(verify("ee-cert", "", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"), |
fbb82a60 | 328 | "accept md5 self-signed TA at auth level 2"); |
97b59744 | 329 | ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-auth_level", "2"), |
fbb82a60 | 330 | "accept md5 intermediate TA at auth level 2"); |
97b59744 | 331 | ok(verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"), |
fbb82a60 | 332 | "accept md5 intermediate at auth level 0"); |
97b59744 | 333 | ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"]), |
fbb82a60 | 334 | "reject md5 intermediate at auth level 1"); |
97b59744 | 335 | ok(verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"), |
fbb82a60 | 336 | "accept md5 leaf at auth level 0"); |
97b59744 | 337 | ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]), |
fbb82a60 VD |
338 | "reject md5 leaf at auth level 1"); |
339 | ||
cccf532f TM |
340 | # Explicit vs named curve tests |
341 | SKIP: { | |
342 | skip "EC is not supported by this OpenSSL build", 3 | |
343 | if disabled("ec"); | |
97b59744 | 344 | ok(!verify("ee-cert-ec-explicit", "", ["root-cert"], |
cccf532f TM |
345 | ["ca-cert-ec-named"]), |
346 | "reject explicit curve leaf with named curve intermediate"); | |
97b59744 | 347 | ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"], |
cccf532f TM |
348 | ["ca-cert-ec-explicit"]), |
349 | "reject named curve leaf with explicit curve intermediate"); | |
97b59744 | 350 | ok(verify("ee-cert-ec-named-named", "", ["root-cert"], |
cccf532f TM |
351 | ["ca-cert-ec-named"]), |
352 | "accept named curve leaf with named curve intermediate"); | |
353 | } | |
f7346cab TM |
354 | # Same as above but with base provider used for decoding |
355 | SKIP: { | |
356 | my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); | |
f7346cab TM |
357 | my $provconf = srctop_file("test", "fips-and-base.cnf"); |
358 | my $provpath = bldtop_dir("providers"); | |
359 | my @prov = ("-provider-path", $provpath); | |
e1289d90 TM |
360 | |
361 | skip "EC is not supported or FIPS is disabled", 3 | |
362 | if disabled("ec") || $no_fips; | |
363 | ||
364 | run(test(["fips_version_test", "-config", $provconf, ">3.0.0"]), | |
365 | capture => 1, statusvar => \my $exit); | |
366 | skip "FIPS provider version is too old", 3 | |
367 | if !$exit; | |
368 | ||
f7346cab TM |
369 | $ENV{OPENSSL_CONF} = $provconf; |
370 | ||
371 | ok(!verify("ee-cert-ec-explicit", "", ["root-cert"], | |
372 | ["ca-cert-ec-named"], @prov), | |
373 | "reject explicit curve leaf with named curve intermediate w/fips"); | |
374 | ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"], | |
375 | ["ca-cert-ec-explicit"], @prov), | |
376 | "reject named curve leaf with explicit curve intermediate w/fips"); | |
377 | ok(verify("ee-cert-ec-named-named", "", ["root-cert"], | |
378 | ["ca-cert-ec-named"], @prov), | |
379 | "accept named curve leaf with named curve intermediate w/fips"); | |
380 | ||
381 | delete $ENV{OPENSSL_CONF}; | |
382 | } | |
cccf532f | 383 | |
fbb82a60 VD |
384 | # Depth tests, note the depth limit bounds the number of CA certificates |
385 | # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf | |
386 | # chain, depth = 1 is sufficient, but depth == 0 is not. | |
387 | # | |
97b59744 | 388 | ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "2"), |
fbb82a60 | 389 | "accept chain with verify_depth 2"); |
97b59744 | 390 | ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "1"), |
fbb82a60 | 391 | "accept chain with verify_depth 1"); |
97b59744 DDO |
392 | ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "0"), |
393 | "reject chain with verify_depth 0"); | |
394 | ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-verify_depth", "0"), | |
fbb82a60 | 395 | "accept md5 intermediate TA with verify_depth 0"); |
d83b7e1a DSH |
396 | |
397 | # Name Constraints tests. | |
398 | ||
97b59744 | 399 | ok(verify("alt1-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
400 | "Name Constraints everything permitted"); |
401 | ||
97b59744 | 402 | ok(verify("alt2-cert", "", ["root-cert"], ["ncca2-cert"], ), |
d83b7e1a DSH |
403 | "Name Constraints nothing excluded"); |
404 | ||
97b59744 | 405 | ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), |
d83b7e1a DSH |
406 | "Name Constraints nested test all permitted"); |
407 | ||
97b59744 | 408 | ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d02d80b2 VD |
409 | "Name Constraints CNs permitted"); |
410 | ||
0fcf2351 MC |
411 | ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ), |
412 | "Name Constraints CNs permitted - no SAN extension"); | |
413 | ||
97b59744 | 414 | ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d02d80b2 VD |
415 | "Name Constraints CNs not permitted"); |
416 | ||
97b59744 | 417 | ok(!verify("badalt1-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
418 | "Name Constraints hostname not permitted"); |
419 | ||
97b59744 | 420 | ok(!verify("badalt2-cert", "", ["root-cert"], ["ncca2-cert"], ), |
d83b7e1a DSH |
421 | "Name Constraints hostname excluded"); |
422 | ||
97b59744 | 423 | ok(!verify("badalt3-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
424 | "Name Constraints email address not permitted"); |
425 | ||
97b59744 | 426 | ok(!verify("badalt4-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
427 | "Name Constraints subject email address not permitted"); |
428 | ||
97b59744 | 429 | ok(!verify("badalt5-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
430 | "Name Constraints IP address not permitted"); |
431 | ||
97b59744 | 432 | ok(!verify("badalt6-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
433 | "Name Constraints CN hostname not permitted"); |
434 | ||
97b59744 | 435 | ok(!verify("badalt7-cert", "", ["root-cert"], ["ncca1-cert"], ), |
d83b7e1a DSH |
436 | "Name Constraints CN BMPSTRING hostname not permitted"); |
437 | ||
97b59744 | 438 | ok(!verify("badalt8-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), |
46f4e1be | 439 | "Name constraints nested DNS name not permitted 1"); |
d83b7e1a | 440 | |
97b59744 | 441 | ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), |
46f4e1be | 442 | "Name constraints nested DNS name not permitted 2"); |
d83b7e1a | 443 | |
97b59744 | 444 | ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), |
46f4e1be | 445 | "Name constraints nested DNS name excluded"); |
451a0c3d | 446 | |
96e77bd3 TM |
447 | ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ), |
448 | "CVE-2022-4203 type confusion test"); | |
449 | ||
f43f9d63 MC |
450 | #Check that we get the expected failure return code |
451 | with({ exit_checker => sub { return shift == 2; } }, | |
65a97b2c DDO |
452 | sub { |
453 | ok(verify("bad-othername-namec", "", ["bad-othername-namec-inter"], [], | |
454 | "-partial_chain", "-attime", "1623060000"), | |
455 | "Name constraints bad othername name constraint"); | |
456 | }); | |
f43f9d63 | 457 | |
97b59744 | 458 | ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"), |
b744f915 | 459 | "Accept PSS signature using SHA1 at auth level 0"); |
451a0c3d | 460 | |
97b59744 | 461 | ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), |
451a0c3d DSH |
462 | "CA with PSS signature using SHA256"); |
463 | ||
97b59744 | 464 | ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), |
b744f915 | 465 | "Reject PSS signature using SHA1 and auth level 1"); |
451a0c3d | 466 | |
97b59744 | 467 | ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), |
451a0c3d | 468 | "PSS signature using SHA256 and auth level 2"); |
4328dd41 | 469 | |
97b59744 | 470 | ok(verify("ee-pss-cert", "", ["root-cert"], ["ca-pss-cert"], ), |
199df4a9 | 471 | "CA PSS signature"); |
97b59744 | 472 | ok(!verify("ee-pss-wrong1.5-cert", "", ["root-cert"], ["ca-pss-cert"], ), |
199df4a9 DDO |
473 | "CA producing regular PKCS#1 v1.5 signature with PSA-PSS key"); |
474 | ||
97b59744 | 475 | ok(!verify("many-names1", "", ["many-constraints"], ["many-constraints"], ), |
8545051c | 476 | "Too many names and constraints to check (1)"); |
97b59744 | 477 | ok(!verify("many-names2", "", ["many-constraints"], ["many-constraints"], ), |
8545051c | 478 | "Too many names and constraints to check (2)"); |
97b59744 | 479 | ok(!verify("many-names3", "", ["many-constraints"], ["many-constraints"], ), |
8545051c DB |
480 | "Too many names and constraints to check (3)"); |
481 | ||
97b59744 | 482 | ok(verify("some-names1", "", ["many-constraints"], ["many-constraints"], ), |
8545051c | 483 | "Not too many names and constraints to check (1)"); |
97b59744 | 484 | ok(verify("some-names2", "", ["many-constraints"], ["many-constraints"], ), |
8545051c | 485 | "Not too many names and constraints to check (2)"); |
97b59744 | 486 | ok(verify("some-names2", "", ["many-constraints"], ["many-constraints"], ), |
8545051c | 487 | "Not too many names and constraints to check (3)"); |
97b59744 | 488 | ok(verify("root-cert-rsa2", "", ["root-cert-rsa2"], [], "-check_ss_sig"), |
1f483a69 | 489 | "Public Key Algorithm rsa instead of rsaEncryption"); |
8545051c | 490 | |
07e84e67 | 491 | ok(verify("ee-self-signed", "", ["ee-self-signed"], [], "-attime", "1593565200"), |
97b59744 | 492 | "accept trusted self-signed EE cert excluding key usage keyCertSign"); |
320fc032 DDO |
493 | ok(verify("ee-ss-with-keyCertSign", "", ["ee-ss-with-keyCertSign"], []), |
494 | "accept trusted self-signed EE cert with key usage keyCertSign also when strict"); | |
0e7b1383 | 495 | |
978b700b | 496 | SKIP: { |
1e41dadf | 497 | skip "Ed25519 is not supported by this OpenSSL build", 6 |
c602fadc | 498 | if disabled("ec"); |
978b700b DSH |
499 | |
500 | # ED25519 certificate from draft-ietf-curdle-pkix-04 | |
97b59744 | 501 | ok(verify("ee-ed25519", "", ["root-ed25519"], []), |
ade08735 | 502 | "accept X25519 EE cert issued by trusted Ed25519 self-signed CA cert"); |
978b700b | 503 | |
97b59744 | 504 | ok(!verify("ee-ed25519", "", ["root-ed25519"], [], "-x509_strict"), |
1e41dadf DDO |
505 | "reject X25519 EE cert in strict mode since AKID is missing"); |
506 | ||
97b59744 | 507 | ok(!verify("root-ed25519", "", ["ee-ed25519"], []), |
da1f88bf DDO |
508 | "fail Ed25519 CA and EE certs swapped"); |
509 | ||
97b59744 | 510 | ok(verify("root-ed25519", "", ["root-ed25519"], []), |
da1f88bf DDO |
511 | "accept trusted Ed25519 self-signed CA cert"); |
512 | ||
97b59744 | 513 | ok(!verify("ee-ed25519", "", ["ee-ed25519"], []), |
da1f88bf DDO |
514 | "fail trusted Ed25519-signed self-issued X25519 cert"); |
515 | ||
97b59744 | 516 | ok(verify("ee-ed25519", "", ["ee-ed25519"], [], "-partial_chain"), |
da1f88bf DDO |
517 | "accept last-resort direct leaf match Ed25519-signed self-issued cert"); |
518 | ||
978b700b | 519 | } |
317ba78f PY |
520 | |
521 | SKIP: { | |
97b59744 | 522 | skip "SM2 is not supported by this OpenSSL build", 2 if disabled("sm2"); |
317ba78f | 523 | |
97b59744 | 524 | ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "distid:1234567812345678"), |
317ba78f | 525 | "SM2 ID test"); |
97b59744 | 526 | ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "hexdistid:31323334353637383132333435363738"), |
317ba78f PY |
527 | "SM2 hex ID test"); |
528 | } | |
d4458e59 RL |
529 | |
530 | # Mixed content tests | |
531 | my $cert_file = srctop_file('test', 'certs', 'root-cert.pem'); | |
532 | my $rsa_file = srctop_file('test', 'certs', 'key-pass-12345.pem'); | |
533 | ||
534 | SKIP: { | |
535 | my $certplusrsa_file = 'certplusrsa.pem'; | |
536 | my $certplusrsa; | |
537 | ||
538 | skip "Couldn't create certplusrsa.pem", 1 | |
539 | unless ( open $certplusrsa, '>', $certplusrsa_file | |
540 | and copy($cert_file, $certplusrsa) | |
3dd74e21 RL |
541 | and copy($rsa_file, $certplusrsa) |
542 | and close $certplusrsa ); | |
d4458e59 RL |
543 | |
544 | ok(run(app([ qw(openssl verify -trusted), $certplusrsa_file, $cert_file ])), | |
545 | 'Mixed cert + key file test'); | |
546 | } | |
547 | ||
548 | SKIP: { | |
549 | my $rsapluscert_file = 'rsapluscert.pem'; | |
550 | my $rsapluscert; | |
551 | ||
552 | skip "Couldn't create rsapluscert.pem", 1 | |
553 | unless ( open $rsapluscert, '>', $rsapluscert_file | |
554 | and copy($rsa_file, $rsapluscert) | |
3dd74e21 RL |
555 | and copy($cert_file, $rsapluscert) |
556 | and close $rsapluscert ); | |
d4458e59 RL |
557 | |
558 | ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), | |
559 | 'Mixed key + cert file test'); | |
560 | } | |
591feddc MC |
561 | |
562 | # Certificate Policies | |
563 | ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], | |
564 | "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", | |
565 | "-explicit_policy"), | |
566 | "Certificate policy"); | |
567 | ||
568 | ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], | |
569 | "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", | |
570 | "-explicit_policy"), | |
571 | "Bad certificate policy"); |