]>
Commit | Line | Data |
---|---|---|
1 | #! /usr/bin/env perl | |
2 | # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | ||
10 | use strict; | |
11 | use warnings; | |
12 | ||
13 | use File::Spec::Functions qw/canonpath/; | |
14 | use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/; | |
15 | use OpenSSL::Test::Utils; | |
16 | ||
17 | setup("test_verify"); | |
18 | ||
19 | sub verify { | |
20 | my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; | |
21 | my @args = qw(openssl verify -auth_level 1 -purpose); | |
22 | my @path = qw(test certs); | |
23 | push(@args, "$purpose", @opts); | |
24 | for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) } | |
25 | for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) } | |
26 | push(@args, srctop_file(@path, "$cert.pem")); | |
27 | run(app([@args])); | |
28 | } | |
29 | ||
30 | plan tests => 137; | |
31 | ||
32 | # Canonical success | |
33 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), | |
34 | "accept compat trust"); | |
35 | ||
36 | # Root CA variants | |
37 | ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), | |
38 | "fail trusted non-ca root"); | |
39 | ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]), | |
40 | "fail server trust non-ca root"); | |
41 | ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]), | |
42 | "fail wildcard trust non-ca root"); | |
43 | ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), | |
44 | "fail wrong root key"); | |
45 | ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), | |
46 | "fail wrong root DN"); | |
47 | ||
48 | # Explicit trust/purpose combinations | |
49 | # | |
50 | ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), | |
51 | "accept server purpose"); | |
52 | ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), | |
53 | "fail client purpose"); | |
54 | ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), | |
55 | "accept server trust"); | |
56 | ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]), | |
57 | "accept server trust with server purpose"); | |
58 | ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]), | |
59 | "accept server trust with client purpose"); | |
60 | # Wildcard trust | |
61 | ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), | |
62 | "accept wildcard trust"); | |
63 | ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]), | |
64 | "accept wildcard trust with server purpose"); | |
65 | ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]), | |
66 | "accept wildcard trust with client purpose"); | |
67 | # Inapplicable mistrust | |
68 | ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), | |
69 | "accept client mistrust"); | |
70 | ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), | |
71 | "accept client mistrust with server purpose"); | |
72 | ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), | |
73 | "fail client mistrust with client purpose"); | |
74 | # Inapplicable trust | |
75 | ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), | |
76 | "fail client trust"); | |
77 | ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]), | |
78 | "fail client trust with server purpose"); | |
79 | ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]), | |
80 | "fail client trust with client purpose"); | |
81 | # Server mistrust | |
82 | ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), | |
83 | "fail rejected EKU"); | |
84 | ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]), | |
85 | "fail server mistrust with server purpose"); | |
86 | ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]), | |
87 | "fail server mistrust with client purpose"); | |
88 | # Wildcard mistrust | |
89 | ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), | |
90 | "fail wildcard mistrust"); | |
91 | ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]), | |
92 | "fail wildcard mistrust with server purpose"); | |
93 | ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]), | |
94 | "fail wildcard mistrust with client purpose"); | |
95 | ||
96 | # Check that trusted-first is on by setting up paths to different roots | |
97 | # depending on whether the intermediate is the trusted or untrusted one. | |
98 | # | |
99 | ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], | |
100 | [qw(ca-cert)]), | |
101 | "accept trusted-first path"); | |
102 | ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], | |
103 | [qw(ca-cert)]), | |
104 | "accept trusted-first path with server trust"); | |
105 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], | |
106 | [qw(ca-cert)]), | |
107 | "fail trusted-first path with server mistrust"); | |
108 | ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], | |
109 | [qw(ca-cert)]), | |
110 | "fail trusted-first path with client trust"); | |
111 | ||
112 | # CA variants | |
113 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), | |
114 | "fail non-CA untrusted intermediate"); | |
115 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]), | |
116 | "fail non-CA untrusted intermediate"); | |
117 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []), | |
118 | "fail non-CA trust-store intermediate"); | |
119 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []), | |
120 | "fail non-CA trust-store intermediate"); | |
121 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []), | |
122 | "fail non-CA server trust intermediate"); | |
123 | ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []), | |
124 | "fail non-CA wildcard trust intermediate"); | |
125 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), | |
126 | "fail wrong intermediate CA key"); | |
127 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), | |
128 | "fail wrong intermediate CA DN"); | |
129 | ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), | |
130 | "fail wrong intermediate CA issuer"); | |
131 | ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), | |
132 | "fail untrusted partial chain"); | |
133 | ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"), | |
134 | "accept trusted partial chain"); | |
135 | ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), | |
136 | "accept partial chain with server purpose"); | |
137 | ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), | |
138 | "fail partial chain with client purpose"); | |
139 | ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), | |
140 | "accept server trust partial chain"); | |
141 | ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), | |
142 | "accept server trust client purpose partial chain"); | |
143 | ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"), | |
144 | "accept client mistrust partial chain"); | |
145 | ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"), | |
146 | "accept wildcard trust partial chain"); | |
147 | ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), | |
148 | "fail untrusted partial issuer with ignored server trust"); | |
149 | ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), | |
150 | "fail server mistrust partial chain"); | |
151 | ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), | |
152 | "fail client trust partial chain"); | |
153 | ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"), | |
154 | "fail wildcard mistrust partial chain"); | |
155 | ||
156 | # We now test auxiliary trust even for intermediate trusted certs without | |
157 | # -partial_chain. Note that "-trusted_first" is now always on and cannot | |
158 | # be disabled. | |
159 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), | |
160 | "accept server trust"); | |
161 | ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]), | |
162 | "accept wildcard trust"); | |
163 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]), | |
164 | "accept server purpose"); | |
165 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]), | |
166 | "accept server trust and purpose"); | |
167 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]), | |
168 | "accept wildcard trust and server purpose"); | |
169 | ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]), | |
170 | "accept client mistrust and server purpose"); | |
171 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]), | |
172 | "accept server trust and client purpose"); | |
173 | ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), | |
174 | "accept wildcard trust and client purpose"); | |
175 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), | |
176 | "fail client purpose"); | |
177 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), | |
178 | "fail wildcard mistrust"); | |
179 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), | |
180 | "fail server mistrust"); | |
181 | ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]), | |
182 | "fail client trust"); | |
183 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]), | |
184 | "fail client trust and server purpose"); | |
185 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]), | |
186 | "fail client trust and client purpose"); | |
187 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]), | |
188 | "fail server mistrust and client purpose"); | |
189 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]), | |
190 | "fail client mistrust and client purpose"); | |
191 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]), | |
192 | "fail server mistrust and server purpose"); | |
193 | ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]), | |
194 | "fail wildcard mistrust and server purpose"); | |
195 | ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]), | |
196 | "fail wildcard mistrust and client purpose"); | |
197 | ||
198 | # EE variants | |
199 | ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), | |
200 | "accept client chain"); | |
201 | ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), | |
202 | "fail server leaf purpose"); | |
203 | ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), | |
204 | "fail client leaf purpose"); | |
205 | ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), | |
206 | "fail wrong intermediate CA key"); | |
207 | ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), | |
208 | "fail wrong intermediate CA DN"); | |
209 | ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), | |
210 | "fail expired leaf"); | |
211 | ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), | |
212 | "accept last-resort direct leaf match"); | |
213 | ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), | |
214 | "accept last-resort direct leaf match"); | |
215 | ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), | |
216 | "fail last-resort direct leaf non-match"); | |
217 | ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), | |
218 | "accept direct match with server trust"); | |
219 | ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), | |
220 | "fail direct match with server mistrust"); | |
221 | ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), | |
222 | "accept direct match with client trust"); | |
223 | ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), | |
224 | "reject direct match with client mistrust"); | |
225 | ||
226 | # Proxy certificates | |
227 | ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), | |
228 | "fail to accept proxy cert without -allow_proxy_certs"); | |
229 | ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)], | |
230 | "-allow_proxy_certs"), | |
231 | "accept proxy cert 1"); | |
232 | ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
233 | "-allow_proxy_certs"), | |
234 | "accept proxy cert 2"); | |
235 | ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
236 | "-allow_proxy_certs"), | |
237 | "fail proxy cert with incorrect subject"); | |
238 | ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
239 | "-allow_proxy_certs"), | |
240 | "fail proxy cert with incorrect pathlen"); | |
241 | ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
242 | "-allow_proxy_certs"), | |
243 | "accept proxy cert missing proxy policy"); | |
244 | ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], | |
245 | "-allow_proxy_certs"), | |
246 | "failed proxy cert where last CN was added as a multivalue RDN component"); | |
247 | ||
248 | # Security level tests | |
249 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), | |
250 | "accept RSA 2048 chain at auth level 2"); | |
251 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"), | |
252 | "reject RSA 2048 root at auth level 3"); | |
253 | ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"), | |
254 | "accept RSA 768 root at auth level 0"); | |
255 | ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]), | |
256 | "reject RSA 768 root at auth level 1"); | |
257 | ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"), | |
258 | "accept RSA 768 intermediate at auth level 0"); | |
259 | ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]), | |
260 | "reject RSA 768 intermediate at auth level 1"); | |
261 | ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), | |
262 | "accept RSA 768 leaf at auth level 0"); | |
263 | ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]), | |
264 | "reject RSA 768 leaf at auth level 1"); | |
265 | # | |
266 | ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"), | |
267 | "accept md5 self-signed TA at auth level 2"); | |
268 | ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"), | |
269 | "accept md5 intermediate TA at auth level 2"); | |
270 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"), | |
271 | "accept md5 intermediate at auth level 0"); | |
272 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]), | |
273 | "reject md5 intermediate at auth level 1"); | |
274 | ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), | |
275 | "accept md5 leaf at auth level 0"); | |
276 | ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]), | |
277 | "reject md5 leaf at auth level 1"); | |
278 | ||
279 | # Depth tests, note the depth limit bounds the number of CA certificates | |
280 | # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf | |
281 | # chain, depth = 1 is sufficient, but depth == 0 is not. | |
282 | # | |
283 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"), | |
284 | "accept chain with verify_depth 2"); | |
285 | ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"), | |
286 | "accept chain with verify_depth 1"); | |
287 | ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"), | |
288 | "accept chain with verify_depth 0"); | |
289 | ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"), | |
290 | "accept md5 intermediate TA with verify_depth 0"); | |
291 | ||
292 | # Name Constraints tests. | |
293 | ||
294 | ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
295 | "Name Constraints everything permitted"); | |
296 | ||
297 | ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), | |
298 | "Name Constraints nothing excluded"); | |
299 | ||
300 | ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
301 | "Name Constraints nested test all permitted"); | |
302 | ||
303 | ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
304 | "Name Constraints CNs permitted"); | |
305 | ||
306 | ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
307 | "Name Constraints CNs not permitted"); | |
308 | ||
309 | ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
310 | "Name Constraints hostname not permitted"); | |
311 | ||
312 | ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), | |
313 | "Name Constraints hostname excluded"); | |
314 | ||
315 | ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
316 | "Name Constraints email address not permitted"); | |
317 | ||
318 | ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
319 | "Name Constraints subject email address not permitted"); | |
320 | ||
321 | ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
322 | "Name Constraints IP address not permitted"); | |
323 | ||
324 | ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
325 | "Name Constraints CN hostname not permitted"); | |
326 | ||
327 | ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), | |
328 | "Name Constraints CN BMPSTRING hostname not permitted"); | |
329 | ||
330 | ok(!verify("badalt8-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
331 | "Name constraints nested DNS name not permitted 1"); | |
332 | ||
333 | ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
334 | "Name constraints nested DNS name not permitted 2"); | |
335 | ||
336 | ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), | |
337 | "Name constraints nested DNS name excluded"); | |
338 | ||
339 | ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), | |
340 | "Accept PSS signature using SHA1 at auth level 0"); | |
341 | ||
342 | ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), | |
343 | "CA with PSS signature using SHA256"); | |
344 | ||
345 | ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "1"), | |
346 | "Reject PSS signature using SHA1 and auth level 1"); | |
347 | ||
348 | ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), | |
349 | "PSS signature using SHA256 and auth level 2"); | |
350 | ||
351 | ok(!verify("many-names1", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
352 | "Too many names and constraints to check (1)"); | |
353 | ok(!verify("many-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
354 | "Too many names and constraints to check (2)"); | |
355 | ok(!verify("many-names3", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
356 | "Too many names and constraints to check (3)"); | |
357 | ||
358 | ok(verify("some-names1", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
359 | "Not too many names and constraints to check (1)"); | |
360 | ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
361 | "Not too many names and constraints to check (2)"); | |
362 | ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), | |
363 | "Not too many names and constraints to check (3)"); | |
364 | ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), | |
365 | "Public Key Algorithm rsa instead of rsaEncryption"); | |
366 | ||
367 | SKIP: { | |
368 | skip "Ed25519 is not supported by this OpenSSL build", 1 | |
369 | if disabled("ec"); | |
370 | ||
371 | # ED25519 certificate from draft-ietf-curdle-pkix-04 | |
372 | ok(verify("ee-ed25519", "sslserver", ["root-ed25519"], []), | |
373 | "ED25519 signature"); | |
374 | ||
375 | } | |
376 | ||
377 | SKIP: { | |
378 | skip "SM2 is not supported by this OpenSSL build", 2 | |
379 | if disabled("sm2"); | |
380 | ||
381 | # Test '-sm2-id' and '-sm2-hex-id' option | |
382 | ok_nofips(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-id", "1234567812345678"), | |
383 | "SM2 ID test"); | |
384 | ok_nofips(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-hex-id", | |
385 | "31323334353637383132333435363738"), | |
386 | "SM2 hex ID test"); | |
387 | } |