git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/25-test_verify.t
e0257393683bd5dc57f211cda5f3a8ffaedcf25b
6 use File
::Spec
::Functions qw
/canonpath/;
7 use OpenSSL
::Test qw
/:DEFAULT srctop_file/;
# Argument assembly for the verify() helper that every ok(...) check below
# calls.
# NOTE(review): the enclosing `sub` line and the statement that runs the
# assembled command are not visible in this listing.
#
#   $cert      - base name of the certificate being verified
#   $purpose   - value handed to -purpose
#   $trusted   - array ref of base names, each passed with -trusted
#   $untrusted - array ref of base names, each passed with -untrusted
#   @opts      - extra command-line options, placed right after the purpose
my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
my @path = qw(test certs);

# "-auth_level 1" is always emitted first and @opts follow it, so a test that
# passes its own -auth_level puts it later on the command line.  Presumably
# the later value takes effect -- the "at auth level 0/2/3" descriptions
# further down rely on that; confirm against the option parser.
my @args = (qw(openssl verify -auth_level 1 -purpose), "$purpose", @opts);

# Every name is turned into "<name>.pem" under test/certs via srctop_file().
for my $anchor (@$trusted) {
    push @args, "-trusted", srctop_file(@path, "$anchor.pem");
}
for my $intermediate (@$untrusted) {
    push @args, "-untrusted", srctop_file(@path, "$intermediate.pem");
}

# The certificate under test goes last.
push @args, srctop_file(@path, "$cert.pem");
# Baseline: leaf ee-cert, untrusted intermediate ca-cert, trusted root-cert.
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
   "accept compat trust");

# Same leaf and intermediate, but the trusted slot holds a root that must not
# anchor the chain: a non-CA root (with and without trust settings), a root
# with the wrong key, and a root with the wrong DN.  Each must be rejected.
ok(!verify("ee-cert", "sslserver", ["root-nonca"], ["ca-cert"]),
   "fail trusted non-ca root");
ok(!verify("ee-cert", "sslserver", ["nroot+serverAuth"], ["ca-cert"]),
   "fail server trust non-ca root");
ok(!verify("ee-cert", "sslserver", ["nroot+anyEKU"], ["ca-cert"]),
   "fail wildcard trust non-ca root");
ok(!verify("ee-cert", "sslserver", ["root-cert2"], ["ca-cert"]),
   "fail wrong root key");
ok(!verify("ee-cert", "sslserver", ["root-name2"], ["ca-cert"]),
   "fail wrong root DN");
# Explicit trust/purpose combinations
#
# Reading the file names against the descriptions: an "s"/"c" prefix marks a
# root carrying a server/client purpose, "+X" marks auxiliary trust for X and
# "-X" marks auxiliary mistrust (rejection) for X.
ok(verify("ee-cert", "sslserver", ["sroot-cert"], ["ca-cert"]),
   "accept server purpose");
ok(!verify("ee-cert", "sslserver", ["croot-cert"], ["ca-cert"]),
   "fail client purpose");

# Explicit serverAuth trust on the root is accepted whatever the root's own
# purpose is.
ok(verify("ee-cert", "sslserver", ["root+serverAuth"], ["ca-cert"]),
   "accept server trust");
ok(verify("ee-cert", "sslserver", ["sroot+serverAuth"], ["ca-cert"]),
   "accept server trust with server purpose");
ok(verify("ee-cert", "sslserver", ["croot+serverAuth"], ["ca-cert"]),
   "accept server trust with client purpose");

# Wildcard (anyEKU) trust behaves like the explicit server trust above.
ok(verify("ee-cert", "sslserver", ["root+anyEKU"], ["ca-cert"]),
   "accept wildcard trust");
ok(verify("ee-cert", "sslserver", ["sroot+anyEKU"], ["ca-cert"]),
   "accept wildcard trust with server purpose");
ok(verify("ee-cert", "sslserver", ["croot+anyEKU"], ["ca-cert"]),
   "accept wildcard trust with client purpose");

# Inapplicable mistrust
# Mistrust for clientAuth does not block a server verification by itself;
# the last case still fails, as the plain client-purpose root does above.
ok(verify("ee-cert", "sslserver", ["root-clientAuth"], ["ca-cert"]),
   "accept client mistrust");
ok(verify("ee-cert", "sslserver", ["sroot-clientAuth"], ["ca-cert"]),
   "accept client mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", ["croot-clientAuth"], ["ca-cert"]),
   "fail client mistrust with client purpose");
67 ok
(!verify
("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
# Trust granted only for clientAuth must not satisfy a server verification,
# regardless of the purpose carried by the root.
ok(!verify("ee-cert", "sslserver", ["sroot+clientAuth"], ["ca-cert"]),
   "fail client trust with server purpose");
ok(!verify("ee-cert", "sslserver", ["croot+clientAuth"], ["ca-cert"]),
   "fail client trust with client purpose");
74 ok
(!verify
("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
# Explicit serverAuth mistrust on the root rejects the chain for either root
# purpose.
ok(!verify("ee-cert", "sslserver", ["sroot-serverAuth"], ["ca-cert"]),
   "fail server mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", ["croot-serverAuth"], ["ca-cert"]),
   "fail server mistrust with client purpose");

# Wildcard (anyEKU) mistrust rejects the chain as well.
ok(!verify("ee-cert", "sslserver", ["root-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", ["sroot-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", ["croot-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust with client purpose");
88 # Check that trusted-first is on by setting up paths to different roots
89 # depending on whether the intermediate is the trusted or untrusted one.
91 ok
(verify
("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
93 "accept trusted-first path");
94 ok
(verify
("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
96 "accept trusted-first path with server trust");
97 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
99 "fail trusted-first path with server mistrust");
100 ok
(!verify
("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
102 "fail trusted-first path with client trust");
# Intermediate-CA variants: root-cert stays trusted and the intermediate is
# swapped for one that must not be usable as an issuer.
#
# NOTE(review): ca-nonca and ca-nonbc share a description in each pair below,
# so a failure report has to be matched to its case by position in the file.
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-nonca"]),
   "fail non-CA untrusted intermediate");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-nonbc"]),
   "fail non-CA untrusted intermediate");

# Placing the non-CA intermediate in the trust store does not make it an
# acceptable issuer either, with or without auxiliary trust settings.
ok(!verify("ee-cert", "sslserver", ["root-cert", "ca-nonca"], []),
   "fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", ["root-cert", "ca-nonbc"], []),
   "fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", ["root-cert", "nca+serverAuth"], []),
   "fail non-CA server trust intermediate");
ok(!verify("ee-cert", "sslserver", ["root-cert", "nca+anyEKU"], []),
   "fail non-CA wildcard trust intermediate");

# Intermediates that do not chain correctly: wrong key, wrong DN, wrong issuer.
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert2"]),
   "fail wrong intermediate CA key");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-name2"]),
   "fail wrong intermediate CA DN");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-root2"]),
   "fail wrong intermediate CA issuer");
# -partial_chain: the chain may end at an intermediate instead of a root, but
# only when that intermediate is passed as trusted.  The same intermediate
# passed as untrusted must not terminate the chain.
ok(!verify("ee-cert", "sslserver", [], ["ca-cert"], "-partial_chain"),
   "fail untrusted partial chain");
ok(verify("ee-cert", "sslserver", ["ca-cert"], [], "-partial_chain"),
   "accept trusted partial chain");

# Purpose carried by the trusted intermediate.
ok(verify("ee-cert", "sslserver", ["sca-cert"], [], "-partial_chain"),
   "accept partial chain with server purpose");
ok(!verify("ee-cert", "sslserver", ["cca-cert"], [], "-partial_chain"),
   "fail partial chain with client purpose");

# Auxiliary trust settings on the trusted intermediate that still allow a
# server verification.
ok(verify("ee-cert", "sslserver", ["ca+serverAuth"], [], "-partial_chain"),
   "accept server trust partial chain");
ok(verify("ee-cert", "sslserver", ["cca+serverAuth"], [], "-partial_chain"),
   "accept server trust client purpose partial chain");
ok(verify("ee-cert", "sslserver", ["ca-clientAuth"], [], "-partial_chain"),
   "accept client mistrust partial chain");
ok(verify("ee-cert", "sslserver", ["ca+anyEKU"], [], "-partial_chain"),
   "accept wildcard trust partial chain");

# Trust settings on a certificate supplied as untrusted are ignored.
ok(!verify("ee-cert", "sslserver", [], ["ca+serverAuth"], "-partial_chain"),
   "fail untrusted partial issuer with ignored server trust");

# Settings on the trusted intermediate that must reject a server verification.
ok(!verify("ee-cert", "sslserver", ["ca-serverAuth"], [], "-partial_chain"),
   "fail server mistrust partial chain");
ok(!verify("ee-cert", "sslserver", ["ca+clientAuth"], [], "-partial_chain"),
   "fail client trust partial chain");
ok(!verify("ee-cert", "sslserver", ["ca-anyEKU"], [], "-partial_chain"),
   "fail wildcard mistrust partial chain");
148 # We now test auxiliary trust even for intermediate trusted certs without
149 # -partial_chain. Note that "-trusted_first" is now always on and cannot
# The trust store holds root-cert plus a variant of the intermediate, and the
# plain ca-cert is also offered as untrusted.  No -partial_chain is given.

# Variants of the trusted intermediate that keep the chain acceptable.
ok(verify("ee-cert", "sslserver", ["root-cert", "ca+serverAuth"], ["ca-cert"]),
   "accept server trust");
ok(verify("ee-cert", "sslserver", ["root-cert", "ca+anyEKU"], ["ca-cert"]),
   "accept wildcard trust");
ok(verify("ee-cert", "sslserver", ["root-cert", "sca-cert"], ["ca-cert"]),
   "accept server purpose");
ok(verify("ee-cert", "sslserver", ["root-cert", "sca+serverAuth"], ["ca-cert"]),
   "accept server trust and purpose");
ok(verify("ee-cert", "sslserver", ["root-cert", "sca+anyEKU"], ["ca-cert"]),
   "accept wildcard trust and server purpose");
ok(verify("ee-cert", "sslserver", ["root-cert", "sca-clientAuth"], ["ca-cert"]),
   "accept client mistrust and server purpose");
ok(verify("ee-cert", "sslserver", ["root-cert", "cca+serverAuth"], ["ca-cert"]),
   "accept server trust and client purpose");
ok(verify("ee-cert", "sslserver", ["root-cert", "cca+anyEKU"], ["ca-cert"]),
   "accept wildcard trust and client purpose");

# Variants of the trusted intermediate that must reject the chain even though
# an unmodified ca-cert is available as untrusted and root-cert is trusted.
ok(!verify("ee-cert", "sslserver", ["root-cert", "cca-cert"], ["ca-cert"]),
   "fail client purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "ca-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", ["root-cert", "ca-serverAuth"], ["ca-cert"]),
   "fail server mistrust");
ok(!verify("ee-cert", "sslserver", ["root-cert", "ca+clientAuth"], ["ca-cert"]),
   "fail client trust");
ok(!verify("ee-cert", "sslserver", ["root-cert", "sca+clientAuth"], ["ca-cert"]),
   "fail client trust and server purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "cca+clientAuth"], ["ca-cert"]),
   "fail client trust and client purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "cca-serverAuth"], ["ca-cert"]),
   "fail server mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "cca-clientAuth"], ["ca-cert"]),
   "fail client mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "sca-serverAuth"], ["ca-cert"]),
   "fail server mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "sca-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", ["root-cert", "cca-anyEKU"], ["ca-cert"]),
   "fail wildcard mistrust and client purpose");
# Leaf variants: root-cert trusted, ca-cert untrusted, and the leaf or the
# requested purpose changes.
ok(verify("ee-client", "sslclient", ["root-cert"], ["ca-cert"]),
   "accept client chain");

# A leaf is only good for the purpose it was issued for.
ok(!verify("ee-client", "sslserver", ["root-cert"], ["ca-cert"]),
   "fail server leaf purpose");
ok(!verify("ee-cert", "sslclient", ["root-cert"], ["ca-cert"]),
   "fail client leaf purpose");

# Leaves that do not chain to ca-cert, and an expired leaf.
ok(!verify("ee-cert2", "sslserver", ["root-cert"], ["ca-cert"]),
   "fail wrong intermediate CA key");
ok(!verify("ee-name2", "sslserver", ["root-cert"], ["ca-cert"]),
   "fail wrong intermediate CA DN");
ok(!verify("ee-expired", "sslserver", ["root-cert"], ["ca-cert"]),
   "fail expired leaf");

# With -partial_chain the leaf itself may sit in the trust store.
# NOTE(review): the two accepting cases share one description; tell them
# apart by the certificate name (ee-cert versus ee-client).
ok(verify("ee-cert", "sslserver", ["ee-cert"], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(verify("ee-client", "sslclient", ["ee-client"], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(!verify("ee-cert", "sslserver", ["ee-client"], [], "-partial_chain"),
   "fail last-resort direct leaf non-match");

# Auxiliary trust and mistrust on the directly trusted leaf are honoured.
ok(verify("ee-cert", "sslserver", ["ee+serverAuth"], [], "-partial_chain"),
   "accept direct match with server trust");
ok(!verify("ee-cert", "sslserver", ["ee-serverAuth"], [], "-partial_chain"),
   "fail direct match with server mistrust");
ok(verify("ee-client", "sslclient", ["ee+clientAuth"], [], "-partial_chain"),
   "accept direct match with client trust");
ok(!verify("ee-client", "sslclient", ["ee-clientAuth"], [], "-partial_chain"),
   "reject direct match with client mistrust");
# Security level tests
#
# Cases that pass no -auth_level run at the helper's default of 1, which is
# why their descriptions say "at auth level 1".

# Key size: the RSA 2048 chain passes at level 2 and fails at level 3.
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"],
          -auth_level => "2"),
   "accept RSA 2048 chain at auth level 2");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"],
           -auth_level => "3"),
   "reject RSA 2048 root at auth level 3");

# An RSA 768 key at any position (root, intermediate, leaf) is tolerated only
# at level 0.
ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"],
          -auth_level => "0"),
   "accept RSA 768 root at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]),
   "reject RSA 768 root at auth level 1");
ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"],
          -auth_level => "0"),
   "accept RSA 768 intermediate at auth level 0");
ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]),
   "reject RSA 768 intermediate at auth level 1");
ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"],
          -auth_level => "0"),
   "accept RSA 768 leaf at auth level 0");
ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]),
   "reject RSA 768 leaf at auth level 1");

# Digest: per the expected results, an MD5 signature on a certificate used as
# the trust anchor (TA) is accepted even at level 2, while an MD5-signed
# untrusted intermediate or leaf is accepted only at level 0.
ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"],
          -auth_level => "2"),
   "accept md5 self-signed TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [],
          -auth_level => "2"),
   "accept md5 intermediate TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"],
          -auth_level => "0"),
   "accept md5 intermediate at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]),
   "reject md5 intermediate at auth level 1");
ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"],
          -auth_level => "0"),
   "accept md5 leaf at auth level 0");
ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
   "reject md5 leaf at auth level 1");
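# Depth tests, note the depth limit bounds the number of CA certificates
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
# chain, depth = 1 is sufficient, but depth == 0 is not.
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"],
          "-verify_depth", "2"),
   "accept chain with verify_depth 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"],
          "-verify_depth", "1"),
   "accept chain with verify_depth 1");

# This case asserts that verification FAILS, so the description says "reject".
# It previously read "accept chain with verify_depth 0", which contradicted
# the !verify(...) assertion and made the test log misleading.
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"],
           "-verify_depth", "0"),
   "reject chain with verify_depth 0");

# With the intermediate itself as trust anchor there is no CA certificate
# between the anchor and the leaf, so depth 0 is enough.
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [],
          "-verify_depth", "0"),
   "accept md5 intermediate TA with verify_depth 0");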