]>
git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/25-test_verify.t
6 use File
::Spec
::Functions qw
/canonpath/;
7 use OpenSSL
::Test qw
/:DEFAULT top_file/;
12 my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
13 my @args = qw(openssl verify -purpose);
14 my @path = qw(test certs);
15 push(@args, "$purpose", @opts);
16 for (@
$trusted) { push(@args, "-trusted", top_file
(@path, "$_.pem")) }
17 for (@
$untrusted) { push(@args, "-untrusted", top_file
(@path, "$_.pem")) }
18 push(@args, top_file
(@path, "$cert.pem"));
25 ok
(verify
("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
26 "verify valid chain");
29 ok
(!verify
("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
30 "Trusted CA certs now subject to CA:true checks");
31 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
32 "fail wrong root key");
33 ok
(!verify
("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
34 "fail wrong root DN");
35 ok
(verify
("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
37 ok
(verify
("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
39 ok
(!verify
("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
41 ok
(!verify
("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
42 "fail rejected anyEKU");
43 ok
(!verify
("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
46 # Check that trusted-first is on by setting up paths to different roots
47 # depending on whether the intermediate is the trusted or untrusted one.
49 ok
(verify
("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
51 "verify trusted-first path");
52 ok
(verify
("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
54 "verify trusted-first path right EKU");
55 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
57 "fail trusted-first path rejected EKU");
58 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
60 "fail trusted-first path wrong EKU");
63 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
65 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
67 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
69 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
70 "fail wrong CA issuer");
71 ok
(!verify
("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
72 "fail untrusted partial");
73 ok
(!verify
("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
74 "fail untrusted EKU partial");
75 ok
(verify
("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
76 "accept trusted EKU partial");
77 ok
(!verify
("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
78 "fail rejected EKU partial");
79 ok
(!verify
("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
80 "fail wrong EKU partial");
82 # We now test auxiliary trust even for intermediate trusted certs without
83 # -partial_chain. Note that "-trusted_first" is now always on and cannot
85 ok
(verify
("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
86 "accept trusted EKU");
87 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
89 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
93 ok
(verify
("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
94 "accept client cert");
95 ok
(!verify
("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
96 "fail wrong leaf purpose");
97 ok
(!verify
("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
98 "fail wrong leaf purpose");
99 ok
(!verify
("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
100 "fail wrong CA key");
101 ok
(!verify
("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
102 "fail wrong CA name");
103 ok
(!verify
("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
104 "fail expired leaf");
105 ok
(verify
("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
106 "accept last-resort direct leaf match");
107 ok
(verify
("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
108 "accept last-resort direct leaf match");
109 ok
(!verify
("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
110 "fail last-resort direct leaf non-match");
111 ok
(verify
("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
112 "accept direct match with trusted EKU");
113 ok
(!verify
("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
114 "reject direct match with rejected EKU");
115 ok
(verify
("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
116 "accept direct match with trusted EKU");
117 ok
(!verify
("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
118 "reject direct match with rejected EKU");