Commit | Line | Data |
---|---|---|
4650de3e RL |
1 | #! /usr/bin/perl |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use File::Spec::Functions qw/canonpath/; | |
42e0ccdf | 7 | use OpenSSL::Test qw/:DEFAULT srctop_file/; |
4650de3e RL |
8 | |
# Register this recipe with the test harness under the name "test_verify".
# setup() is presumably one of the OpenSSL::Test :DEFAULT exports imported
# above -- it is not defined in this file.
setup("test_verify");
10 | ||
# Run "openssl verify" on one certificate and hand back whatever run()
# returns; every caller below uses that value as a pass/fail boolean.
#
#   $cert      - base name of the certificate being verified
#   $purpose   - value given to -purpose (the callers use "sslserver" and
#                "sslclient")
#   $trusted   - array ref of base names, each passed with -trusted
#   $untrusted - array ref of base names, each passed with -untrusted
#   @opts      - extra options, placed directly after the purpose
#
# Each base name is turned into test/certs/<name>.pem via srctop_file().
# The command line always starts with "-auth_level 1", so the expectations
# do not depend on a build-time default.  Options in @opts come later on the
# command line; the security-level tests rely on a later -auth_level taking
# effect (presumably last-one-wins in the app's option parsing -- confirm).
sub verify {
    my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
    my @cert_dir = qw(test certs);
    my @cmd = (qw(openssl verify -auth_level 1 -purpose), "$purpose", @opts);

    for my $name (@$trusted) {
        push @cmd, "-trusted", srctop_file(@cert_dir, "$name.pem");
    }
    for my $name (@$untrusted) {
        push @cmd, "-untrusted", srctop_file(@cert_dir, "$name.pem");
    }
    # The certificate under test goes last, after all options.
    push @cmd, srctop_file(@cert_dir, "$cert.pem");

    return run(app([@cmd]));
}
4ada8be2 | 21 | |
# Number of ok() checks in this file; it has to be updated whenever a case
# is added or removed, otherwise the harness reports a plan mismatch.
plan tests => 101;

# Canonical success: leaf + untrusted intermediate + trusted root, where the
# root file name carries no "+X"/"-X" trust suffix ("compat trust" in the
# description).
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
    "accept compat trust");

# Root CA variants.  All of these must be rejected: being passed with
# -trusted is not sufficient when the root is described as non-CA (with or
# without server/wildcard trust attached), or when its key or its DN does
# not match what the intermediate was issued under.
ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
    "fail trusted non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
    "fail server trust non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
    "fail wildcard trust non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
    "fail wrong root key");
ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
    "fail wrong root DN");
33cc5dde VD |
39 | |
# Explicit trust/purpose combinations
#
# File-name convention, as far as the descriptions below show it: an "s" or
# "c" prefix (sroot, croot) marks a root whose own purpose is server or
# client; "+X" marks auxiliary trust for X and "-X" auxiliary mistrust for
# X, with anyEKU acting as the wildcard.
#
# Server trust on the root is accepted even when the root's own purpose is
# client (croot+serverAuth), while croot-cert without explicit trust fails.
ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
    "accept server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
    "fail client purpose");
ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
    "accept server trust");
ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
    "accept server trust with server purpose");
ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
    "accept server trust with client purpose");
# Wildcard trust: anyEKU trust is expected to behave like server trust here.
ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust");
ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust with server purpose");
ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust with client purpose");
# Inapplicable mistrust: rejecting clientAuth does not by itself block a
# server verification.  The croot case still fails, matching the plain
# croot-cert failure above.
ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
    "accept client mistrust");
ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
    "accept client mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
    "fail client mistrust with client purpose");
# Inapplicable trust: a root that carries explicit trust only for clientAuth
# is not accepted for sslserver, even when its own purpose is server.
ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
    "fail client trust");
ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
    "fail client trust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
    "fail client trust with client purpose");
# Server mistrust: an explicit serverAuth rejection fails the chain whatever
# the root's own purpose is.
ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
    "fail rejected EKU");
ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
    "fail server mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
    "fail server mistrust with client purpose");
# Wildcard mistrust: an anyEKU rejection is expected to fail the same way.
ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust with client purpose");
6e8beabc | 87 | |
# Check that trusted-first is on by setting up paths to different roots
# depending on whether the intermediate is the trusted or untrusted one.
#
# In every case the trust store holds ca-root2 and the untrusted list holds
# ca-cert, so two candidate issuers exist for the leaf.  The expected result
# follows the trust-store intermediate: e.g. the first case is accepted
# although the other root offered is root-serverAuth, and the last two are
# rejected although a plain root-cert is also trusted.  (Which root each
# intermediate chains to is inferred from the file names -- confirm against
# the certificates in test/certs.)
ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
        [qw(ca-cert)]),
    "accept trusted-first path");
ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
        [qw(ca-cert)]),
    "accept trusted-first path with server trust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
        [qw(ca-cert)]),
    "fail trusted-first path with server mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
        [qw(ca-cert)]),
    "fail trusted-first path with client trust");
0daccd4d | 103 | |
# CA variants
#
# A non-CA intermediate must be rejected both when it is supplied as
# -untrusted and when it sits in the trust store, including with server or
# wildcard trust attached.  NOTE(review): the ca-nonca and ca-nonbc cases
# share the same description, so a failure report has to be matched to the
# file name by line number.  ca-nonbc presumably lacks basicConstraints --
# confirm against the certificate.
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
    "fail non-CA untrusted intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
    "fail non-CA untrusted intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
    "fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
    "fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
    "fail non-CA server trust intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),
    "fail non-CA wildcard trust intermediate");
# Intermediate with the wrong key, the wrong DN, or issued under a different
# root than the trusted one.
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
    "fail wrong intermediate CA key");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
    "fail wrong intermediate CA DN");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
    "fail wrong intermediate CA issuer");
# -partial_chain with no root in the trust store: the chain may end at a
# trusted intermediate, subject to the same purpose/trust rules as a root.
# An intermediate that is only supplied as -untrusted never anchors the
# chain, and trust settings on it are ignored.
ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
    "fail untrusted partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
    "accept trusted partial chain");
ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
    "accept partial chain with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
    "fail partial chain with client purpose");
ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
    "accept server trust partial chain");
ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
    "accept server trust client purpose partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
    "accept client mistrust partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
    "accept wildcard trust partial chain");
ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
    "fail untrusted partial issuer with ignored server trust");
ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
    "fail server mistrust partial chain");
ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
    "fail client trust partial chain");
ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
    "fail wildcard mistrust partial chain");
6e8beabc | 147 | |
# We now test auxiliary trust even for intermediate trusted certs without
# -partial_chain.  Note that "-trusted_first" is now always on and cannot
# be disabled.
#
# Each case puts root-cert plus one variant of the intermediate in the trust
# store and also offers plain ca-cert as untrusted.  The expected results
# track the settings on the trust-store intermediate, not the presence of
# root-cert: explicit trust for serverAuth/anyEKU or a server purpose is
# accepted; a client-only purpose, trust for clientAuth only, or mistrust
# for serverAuth/anyEKU is rejected.
ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
    "accept server trust");
ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
    "accept server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
    "accept server trust and purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust and server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
    "accept client mistrust and server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
    "accept server trust and client purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
    "accept wildcard trust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
    "fail client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
    "fail server mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
    "fail client trust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
    "fail client trust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
    "fail client trust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
    "fail server mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
    "fail client mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
    "fail server mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
    "fail wildcard mistrust and client purpose");
0daccd4d | 189 | |
# EE variants
#
# The leaf's own purpose must match the requested -purpose: the client leaf
# fails as sslserver and the server leaf fails as sslclient.
ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
    "accept client chain");
ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail server leaf purpose");
ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
    "fail client leaf purpose");
# Leaf variants that must not chain to ca-cert, and an expired leaf.
ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong intermediate CA key");
ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong intermediate CA DN");
ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail expired leaf");
# Direct leaf match: with -partial_chain the leaf itself can be the only
# trusted certificate.  A different leaf in the trust store does not match,
# and auxiliary trust/mistrust on the stored leaf is honoured.
# NOTE(review): the two "accept last-resort direct leaf match" cases share
# one description; they differ in leaf and purpose.
ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
    "accept last-resort direct leaf match");
ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
    "accept last-resort direct leaf match");
ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
    "fail last-resort direct leaf non-match");
ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
    "accept direct match with server trust");
ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
    "fail direct match with server mistrust");
ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
    "accept direct match with client trust");
ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
    "reject direct match with client mistrust");
fbb82a60 VD |
217 | |
# Security level tests
#
# verify() always passes "-auth_level 1" first; the cases with no extra
# option therefore run at level 1 and the others override it through @opts.
# Key-size cases: the RSA 2048 chain passes at level 2 and fails at level 3,
# and an RSA 768 key is rejected at level 1 wherever it appears -- root,
# intermediate or leaf -- but accepted at level 0.
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
    "accept RSA 2048 chain at auth level 2");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
    "reject RSA 2048 root at auth level 3");
ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
    "accept RSA 768 root at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]),
    "reject RSA 768 root at auth level 1");
ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
    "accept RSA 768 intermediate at auth level 0");
ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]),
    "reject RSA 768 intermediate at auth level 1");
ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
    "accept RSA 768 leaf at auth level 0");
ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]),
    "reject RSA 768 leaf at auth level 1");
# Digest cases: an md5 signature on a trust anchor (self-signed root or
# trusted intermediate) is accepted even at level 2, whereas an md5-signed
# untrusted intermediate or leaf is rejected at level 1.  Contrast with the
# key-size cases above, where a weak key on the root is rejected.  Presumably
# the anchor's own signature is not part of what is verified -- confirm.
ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
    "accept md5 self-signed TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"),
    "accept md5 intermediate TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
    "accept md5 intermediate at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]),
    "reject md5 intermediate at auth level 1");
ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
    "accept md5 leaf at auth level 0");
ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
    "reject md5 leaf at auth level 1");
248 | ||
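# Depth tests, note the depth limit bounds the number of CA certificates
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
# chain, depth = 1 is sufficient, but depth == 0 is not.
#
# The third case asserts a verification failure, so its description says
# "reject"; it previously read "accept", which contradicted the !verify(...)
# it labels and would mislead anyone reading a failure report.
# The last case ends the chain at a trusted intermediate, leaving no CA
# between the anchor and the leaf, so depth 0 is enough.
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
    "accept chain with verify_depth 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
    "accept chain with verify_depth 1");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
    "reject chain with verify_depth 0");
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
    "accept md5 intermediate TA with verify_depth 0");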