Check chain extensions also for trusted certificates
#! /usr/bin/perl

use strict;
use warnings;

# NOTE(review): canonpath is imported but not called anywhere in the code
# visible here; it is kept because the import may be relied on elsewhere.
use File::Spec::Functions qw(canonpath);
use OpenSSL::Test qw(:DEFAULT top_file);

# Name this recipe for the OpenSSL::Test framework before any test runs.
setup('test_verify');
# Run "openssl verify -purpose $purpose" against test/certs/$cert.pem.
#
#   $cert       base name (without ".pem") of the certificate to verify
#   $purpose    value passed after -purpose
#   $trusted    array ref of base names, each passed with -trusted
#   $untrusted  array ref of base names, each passed with -untrusted
#   @opts       extra options, placed directly after the purpose
#
# Certificates given with -trusted act as the trust store for the run;
# those given with -untrusted are only candidates for chain building.
# The base names are interpolated into file paths unchanged, which is fine
# for the literal names used by the callers in this file.
#
# Returns the result of run(app([...])); callers test it for truth.
sub verify {
    my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
    my @cert_dir = qw(test certs);
    my @cmd = ("openssl", "verify", "-purpose", "$purpose", @opts);

    foreach my $name (@$trusted) {
        push @cmd, "-trusted", top_file(@cert_dir, "$name.pem");
    }
    foreach my $name (@$untrusted) {
        push @cmd, "-untrusted", top_file(@cert_dir, "$name.pem");
    }

    # The certificate under test goes last on the command line.
    push @cmd, top_file(@cert_dir, "$cert.pem");
    return run(app([@cmd]));
}
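# Must equal the number of ok() calls below.
plan tests => 38;

# Most cases are negative: ok(!verify(...)) asserts that "openssl verify"
# refuses the chain, so a case that starts failing means the verifier has
# begun accepting a chain it used to reject.
#
# Descriptions that were repeated verbatim carry the distinguishing
# certificate name in parentheses, so that a failure report identifies
# exactly one case.
#
# NOTE(review): going by the descriptions, a fixture named NAME+USE appears
# to carry auxiliary trust that accepts USE, and NAME-USE auxiliary trust
# that rejects it; confirm against the fixtures in test/certs.
# NOTE(review): the positive cases presumably rely on the fixtures still
# being within their validity period when the tests run; confirm.

# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
   "verify valid chain");

# Root CA variants
# The first case checks that a certificate is not accepted as an issuer
# merely because it was passed with -trusted: it must still be a CA.
ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
   "Trusted CA certs now subject to CA:true checks");
ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
   "fail wrong root key");
ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
   "fail wrong root DN");
ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
   "accept right EKU");
ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
   "accept anyEKU");
ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
   "fail rejected EKU (root-serverAuth)");
ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
   "fail rejected anyEKU");
ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
   "fail wrong EKU (root+clientAuth)");

# Check that trusted-first is on by setting up paths to different roots
# depending on whether the intermediate is the trusted or untrusted one.
#
ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
          [qw(ca-cert)]),
   "verify trusted-first path");
ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
          [qw(ca-cert)]),
   "verify trusted-first path right EKU");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
           [qw(ca-cert)]),
   "fail trusted-first path rejected EKU");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
           [qw(ca-cert)]),
   "fail trusted-first path wrong EKU");

# CA variants
# With -partial_chain an intermediate can end the chain only when it is
# passed with -trusted; an untrusted intermediate alone must never verify.
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
   "fail non-CA");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
   "fail wrong CA key (ca-cert2)");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
   "fail wrong CA DN");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
   "fail wrong CA issuer");
ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
   "fail untrusted partial");
ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
   "fail untrusted EKU partial");
ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
   "accept trusted EKU partial");
ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
   "fail rejected EKU partial");
ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
   "fail wrong EKU partial");

# We now test auxiliary trust even for intermediate trusted certs without
# -partial_chain. Note that "-trusted_first" is now always on and cannot
# be disabled.
ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)],
          [qw(ca-cert)]),
   "accept trusted EKU");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)],
           [qw(ca-cert)]),
   "fail rejected EKU (trusted ca-serverAuth)");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)],
           [qw(ca-cert)]),
   "fail wrong EKU (trusted ca+clientAuth)");

# EE variants
# The last seven cases pass a leaf certificate itself with -trusted: a
# direct match is accepted only for the same certificate, and auxiliary
# trust that rejects the purpose still causes a failure.
ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
   "accept client cert");
ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose (ee-client as sslserver)");
ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose (ee-cert as sslclient)");
ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA key (ee-cert2)");
ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA name");
ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
   "fail expired leaf");
ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
   "accept last-resort direct leaf match (ee-cert)");
ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
   "accept last-resort direct leaf match (ee-client)");
ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
   "fail last-resort direct leaf non-match");
ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU (ee+serverAuth)");
ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU (ee-serverAuth)");
ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU (ee+clientAuth)");
ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU (ee-clientAuth)");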