]>
Commit | Line | Data |
---|---|---|
596d6b7e RS |
1 | #! /usr/bin/env perl |
2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the OpenSSL license (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
4650de3e RL |
9 | |
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use File::Spec::Functions qw/canonpath/; | |
42e0ccdf | 14 | use OpenSSL::Test qw/:DEFAULT srctop_file/; |
4650de3e RL |
15 | |
16 | setup("test_verify"); | |
17 | ||
6e8beabc | 18 | sub verify { |
0daccd4d | 19 | my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; |
fbb82a60 | 20 | my @args = qw(openssl verify -auth_level 1 -purpose); |
6e8beabc | 21 | my @path = qw(test certs); |
0daccd4d | 22 | push(@args, "$purpose", @opts); |
42e0ccdf RL |
23 | for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) } |
24 | for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) } | |
25 | push(@args, srctop_file(@path, "$cert.pem")); | |
6e8beabc VD |
26 | run(app([@args])); |
27 | } | |
4ada8be2 | 28 | |
d83b7e1a | 29 | plan tests => 121; |
4650de3e | 30 | |
6e8beabc | 31 | # Canonical success |
0daccd4d | 32 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), |
33cc5dde | 33 | "accept compat trust"); |
6e8beabc VD |
34 | |
35 | # Root CA variants | |
0daccd4d | 36 | ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), |
33cc5dde | 37 | "fail trusted non-ca root"); |
1d852772 VD |
38 | ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]), |
39 | "fail server trust non-ca root"); | |
40 | ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]), | |
41 | "fail wildcard trust non-ca root"); | |
0daccd4d | 42 | ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), |
6e8beabc | 43 | "fail wrong root key"); |
0daccd4d | 44 | ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), |
6e8beabc | 45 | "fail wrong root DN"); |
33cc5dde VD |
46 | |
47 | # Explicit trust/purpose combinations | |
48 | # | |
49 | ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), | |
50 | "accept server purpose"); | |
51 | ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), | |
52 | "fail client purpose"); | |
0daccd4d | 53 | ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), |
33cc5dde VD |
54 | "accept server trust"); |
55 | ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), | |
56 | "accept server trust with server purpose"); | |
57 | ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]), | |
58 | "accept server trust with client purpose"); | |
59 | # Wildcard trust | |
0daccd4d | 60 | ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), |
33cc5dde VD |
61 | "accept wildcard trust"); |
62 | ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]), | |
63 | "accept wildcard trust with server purpose"); | |
64 | ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]), | |
65 | "accept wildcard trust with client purpose"); | |
66 | # Inapplicable mistrust | |
67 | ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), | |
68 | "accept client mistrust"); | |
69 | ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), | |
70 | "accept client mistrust with server purpose"); | |
71 | ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), | |
72 | "fail client mistrust with client purpose"); | |
73 | # Inapplicable trust | |
74 | ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), | |
75 | "fail client trust"); | |
76 | ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]), | |
77 | "fail client trust with server purpose"); | |
78 | ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]), | |
79 | "fail client trust with client purpose"); | |
80 | # Server mistrust | |
0daccd4d | 81 | ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), |
6e8beabc | 82 | "fail rejected EKU"); |
33cc5dde VD |
83 | ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]), |
84 | "fail server mistrust with server purpose"); | |
85 | ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]), | |
86 | "fail server mistrust with client purpose"); | |
87 | # Wildcard mistrust | |
0daccd4d | 88 | ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), |
33cc5dde VD |
89 | "fail wildcard mistrust"); |
90 | ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]), | |
91 | "fail wildcard mistrust with server purpose"); | |
92 | ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]), | |
93 | "fail wildcard mistrust with client purpose"); | |
6e8beabc | 94 | |
0daccd4d VD |
95 | # Check that trusted-first is on by setting up paths to different roots |
96 | # depending on whether the intermediate is the trusted or untrusted one. | |
97 | # | |
98 | ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], | |
99 | [qw(ca-cert)]), | |
33cc5dde | 100 | "accept trusted-first path"); |
0daccd4d VD |
101 | ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], |
102 | [qw(ca-cert)]), | |
33cc5dde | 103 | "accept trusted-first path with server trust"); |
0daccd4d VD |
104 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], |
105 | [qw(ca-cert)]), | |
33cc5dde | 106 | "fail trusted-first path with server mistrust"); |
0daccd4d VD |
107 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], |
108 | [qw(ca-cert)]), | |
33cc5dde | 109 | "fail trusted-first path with client trust"); |
0daccd4d | 110 | |
6e8beabc | 111 | # CA variants |
0daccd4d | 112 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), |
1d852772 | 113 | "fail non-CA untrusted intermediate"); |
4d9e33ac VD |
114 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]), |
115 | "fail non-CA untrusted intermediate"); | |
1d852772 | 116 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []), |
4d9e33ac VD |
117 | "fail non-CA trust-store intermediate"); |
118 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []), | |
119 | "fail non-CA trust-store intermediate"); | |
1d852772 VD |
120 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []), |
121 | "fail non-CA server trust intermediate"); | |
122 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []), | |
123 | "fail non-CA wildcard trust intermediate"); | |
0daccd4d | 124 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), |
33cc5dde | 125 | "fail wrong intermediate CA key"); |
0daccd4d | 126 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), |
33cc5dde | 127 | "fail wrong intermediate CA DN"); |
0daccd4d | 128 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), |
33cc5dde | 129 | "fail wrong intermediate CA issuer"); |
0daccd4d | 130 | ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), |
33cc5dde VD |
131 | "fail untrusted partial chain"); |
132 | ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"), | |
133 | "accept trusted partial chain"); | |
134 | ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), | |
135 | "accept partial chain with server purpose"); | |
136 | ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), | |
137 | "fail partial chain with client purpose"); | |
0daccd4d | 138 | ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), |
33cc5dde VD |
139 | "accept server trust partial chain"); |
140 | ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), | |
141 | "accept server trust client purpose partial chain"); | |
142 | ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"), | |
143 | "accept client mistrust partial chain"); | |
144 | ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"), | |
145 | "accept wildcard trust partial chain"); | |
146 | ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), | |
147 | "fail untrusted partial issuer with ignored server trust"); | |
0daccd4d | 148 | ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), |
33cc5dde | 149 | "fail server mistrust partial chain"); |
0daccd4d | 150 | ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), |
33cc5dde VD |
151 | "fail client trust partial chain"); |
152 | ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"), | |
153 | "fail wildcard mistrust partial chain"); | |
6e8beabc | 154 | |
0daccd4d VD |
155 | # We now test auxiliary trust even for intermediate trusted certs without |
156 | # -partial_chain. Note that "-trusted_first" is now always on and cannot | |
157 | # be disabled. | |
158 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), | |
33cc5dde VD |
159 | "accept server trust"); |
160 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]), | |
161 | "accept wildcard trust"); | |
162 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]), | |
163 | "accept server purpose"); | |
164 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]), | |
165 | "accept server trust and purpose"); | |
166 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]), | |
167 | "accept wildcard trust and server purpose"); | |
168 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]), | |
169 | "accept client mistrust and server purpose"); | |
170 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]), | |
171 | "accept server trust and client purpose"); | |
172 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), | |
173 | "accept wildcard trust and client purpose"); | |
174 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), | |
175 | "fail client purpose"); | |
176 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), | |
177 | "fail wildcard mistrust"); | |
0daccd4d | 178 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), |
33cc5dde | 179 | "fail server mistrust"); |
0daccd4d | 180 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]), |
33cc5dde VD |
181 | "fail client trust"); |
182 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]), | |
183 | "fail client trust and server purpose"); | |
184 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]), | |
185 | "fail client trust and client purpose"); | |
186 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]), | |
187 | "fail server mistrust and client purpose"); | |
188 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]), | |
189 | "fail client mistrust and client purpose"); | |
190 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]), | |
191 | "fail server mistrust and server purpose"); | |
192 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]), | |
193 | "fail wildcard mistrust and server purpose"); | |
194 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]), | |
195 | "fail wildcard mistrust and client purpose"); | |
0daccd4d | 196 | |
6e8beabc | 197 | # EE variants |
0daccd4d | 198 | ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 199 | "accept client chain"); |
0daccd4d | 200 | ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 201 | "fail server leaf purpose"); |
0daccd4d | 202 | ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 203 | "fail client leaf purpose"); |
0daccd4d | 204 | ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 205 | "fail wrong intermediate CA key"); |
0daccd4d | 206 | ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
33cc5dde | 207 | "fail wrong intermediate CA DN"); |
0daccd4d | 208 | ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), |
6e8beabc | 209 | "fail expired leaf"); |
0daccd4d | 210 | ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), |
6e8beabc | 211 | "accept last-resort direct leaf match"); |
0daccd4d | 212 | ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), |
6e8beabc | 213 | "accept last-resort direct leaf match"); |
0daccd4d | 214 | ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), |
6e8beabc | 215 | "fail last-resort direct leaf non-match"); |
0daccd4d | 216 | ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), |
33cc5dde | 217 | "accept direct match with server trust"); |
0daccd4d | 218 | ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), |
33cc5dde | 219 | "fail direct match with server mistrust"); |
0daccd4d | 220 | ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), |
33cc5dde | 221 | "accept direct match with client trust"); |
0daccd4d | 222 | ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), |
33cc5dde | 223 | "reject direct match with client mistrust"); |
fbb82a60 | 224 | |
aa951ef3 RL |
225 | # Proxy certificates |
226 | ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), | |
227 | "fail to accept proxy cert without -allow_proxy_certs"); | |
228 | ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)], | |
229 | "-allow_proxy_certs"), | |
230 | "accept proxy cert 1"); | |
231 | ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
232 | "-allow_proxy_certs"), | |
233 | "accept proxy cert 2"); | |
234 | ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
235 | "-allow_proxy_certs"), | |
236 | "fail proxy cert with incorrect subject"); | |
237 | ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
238 | "-allow_proxy_certs"), | |
239 | "fail proxy cert with incorrect pathlen"); | |
240 | ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
241 | "-allow_proxy_certs"), | |
242 | "accept proxy cert missing proxy policy"); | |
243 | ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
244 | "-allow_proxy_certs"), | |
245 | "failed proxy cert where last CN was added as a multivalue RDN component"); | |
246 | ||
fbb82a60 VD |
247 | # Security level tests |
248 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), | |
249 | "accept RSA 2048 chain at auth level 2"); | |
250 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"), | |
251 | "reject RSA 2048 root at auth level 3"); | |
252 | ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"), | |
253 | "accept RSA 768 root at auth level 0"); | |
254 | ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]), | |
255 | "reject RSA 768 root at auth level 1"); | |
256 | ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"), | |
257 | "accept RSA 768 intermediate at auth level 0"); | |
258 | ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]), | |
259 | "reject RSA 768 intermediate at auth level 1"); | |
260 | ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), | |
261 | "accept RSA 768 leaf at auth level 0"); | |
262 | ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]), | |
263 | "reject RSA 768 leaf at auth level 1"); | |
264 | # | |
265 | ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"), | |
266 | "accept md5 self-signed TA at auth level 2"); | |
267 | ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"), | |
268 | "accept md5 intermediate TA at auth level 2"); | |
269 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"), | |
270 | "accept md5 intermediate at auth level 0"); | |
271 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]), | |
272 | "reject md5 intermediate at auth level 1"); | |
273 | ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), | |
274 | "accept md5 leaf at auth level 0"); | |
275 | ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]), | |
276 | "reject md5 leaf at auth level 1"); | |
277 | ||
278 | # Depth tests, note the depth limit bounds the number of CA certificates | |
279 | # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf | |
280 | # chain, depth = 1 is sufficient, but depth == 0 is not. | |
281 | # | |
282 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"), | |
283 | "accept chain with verify_depth 2"); | |
284 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"), | |
285 | "accept chain with verify_depth 1"); | |
286 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"), | |
287 | "accept chain with verify_depth 0"); | |
288 | ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"), | |
289 | "accept md5 intermediate TA with verify_depth 0"); | |
d83b7e1a DSH |
290 | |
291 | # Name Constraints tests. | |
292 | ||
293 | ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
294 | "Name Constraints everything permitted"); | |
295 | ||
296 | ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), | |
297 | "Name Constraints nothing excluded"); | |
298 | ||
299 | ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
300 | "Name Constraints nested test all permitted"); | |
301 | ||
302 | ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
303 | "Name Constraints hostname not permitted"); | |
304 | ||
305 | ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), | |
306 | "Name Constraints hostname excluded"); | |
307 | ||
308 | ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
309 | "Name Constraints email address not permitted"); | |
310 | ||
311 | ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
312 | "Name Constraints subject email address not permitted"); | |
313 | ||
314 | ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
315 | "Name Constraints IP address not permitted"); | |
316 | ||
317 | ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
318 | "Name Constraints CN hostname not permitted"); | |
319 | ||
320 | ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
321 | "Name Constraints CN BMPSTRING hostname not permitted"); | |
322 | ||
323 | ok(!verify("badalt8-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
324 | "Name constaints nested DNS name not permitted 1"); | |
325 | ||
326 | ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
327 | "Name constaints nested DNS name not permitted 2"); | |
328 | ||
329 | ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
330 | "Name constaints nested DNS name excluded"); |