6 use File::Spec::Functions qw/canonpath/;
7 use OpenSSL::Test qw/:DEFAULT srctop_file/;
12 my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
13 my @args = qw(openssl verify -purpose);
14 my @path = qw(test certs);
15 push(@args, "$purpose", @opts);
16 for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) }
17 for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) }
18 push(@args, srctop_file(@path, "$cert.pem"));
25 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
26 "accept compat trust");
29 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
30 "fail trusted non-ca root");
31 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
32 "fail server trust non-ca root");
33 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
34 "fail wildcard trust non-ca root");
35 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
36 "fail wrong root key");
37 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
38 "fail wrong root DN");
40 # Explicit trust/purpose combinations
42 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
43 "accept server purpose");
44 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
45 "fail client purpose");
46 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
47 "accept server trust");
48 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
49 "accept server trust with server purpose");
50 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
51 "accept server trust with client purpose");
53 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
54 "accept wildcard trust");
55 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
56 "accept wildcard trust with server purpose");
57 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
58 "accept wildcard trust with client purpose");
59 # Inapplicable mistrust
60 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
61 "accept client mistrust");
62 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
63 "accept client mistrust with server purpose");
64 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
65 "fail client mistrust with client purpose");
67 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
69 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
70 "fail client trust with server purpose");
71 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
72 "fail client trust with client purpose");
74 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
76 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
77 "fail server mistrust with server purpose");
78 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
79 "fail server mistrust with client purpose");
81 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
82 "fail wildcard mistrust");
83 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
84 "fail wildcard mistrust with server purpose");
85 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
86 "fail wildcard mistrust with client purpose");
88 # Check that trusted-first is on by setting up paths to different roots
89 # depending on whether the intermediate is the trusted or untrusted one.
91 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
93 "accept trusted-first path");
94 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
96 "accept trusted-first path with server trust");
97 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
99 "fail trusted-first path with server mistrust");
100 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
102 "fail trusted-first path with client trust");
105 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
106 "fail non-CA untrusted intermediate");
107 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
108 "fail non-CA untrusted intermediate");
109 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
110 "fail non-CA trust-store intermediate");
111 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
112 "fail non-CA trust-store intermediate");
113 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
114 "fail non-CA server trust intermediate");
115 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),
116 "fail non-CA wildcard trust intermediate");
117 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
118 "fail wrong intermediate CA key");
119 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
120 "fail wrong intermediate CA DN");
121 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
122 "fail wrong intermediate CA issuer");
123 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
124 "fail untrusted partial chain");
125 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
126 "accept trusted partial chain");
127 ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
128 "accept partial chain with server purpose");
129 ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
130 "fail partial chain with client purpose");
131 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
132 "accept server trust partial chain");
133 ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
134 "accept server trust client purpose partial chain");
135 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
136 "accept client mistrust partial chain");
137 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
138 "accept wildcard trust partial chain");
139 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
140 "fail untrusted partial issuer with ignored server trust");
141 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
142 "fail server mistrust partial chain");
143 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
144 "fail client trust partial chain");
145 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
146 "fail wildcard mistrust partial chain");
148 # We now test auxiliary trust even for intermediate trusted certs without
149 # -partial_chain. Note that "-trusted_first" is now always on and cannot
151 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
152 "accept server trust");
153 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
154 "accept wildcard trust");
155 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
156 "accept server purpose");
157 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
158 "accept server trust and purpose");
159 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
160 "accept wildcard trust and server purpose");
161 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
162 "accept client mistrust and server purpose");
163 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
164 "accept server trust and client purpose");
165 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
166 "accept wildcard trust and client purpose");
167 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
168 "fail client purpose");
169 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
170 "fail wildcard mistrust");
171 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
172 "fail server mistrust");
173 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
174 "fail client trust");
175 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
176 "fail client trust and server purpose");
177 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
178 "fail client trust and client purpose");
179 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
180 "fail server mistrust and client purpose");
181 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
182 "fail client mistrust and client purpose");
183 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
184 "fail server mistrust and server purpose");
185 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
186 "fail wildcard mistrust and server purpose");
187 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
188 "fail wildcard mistrust and client purpose");
191 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
192 "accept client chain");
193 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
194 "fail server leaf purpose");
195 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
196 "fail client leaf purpose");
197 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
198 "fail wrong intermediate CA key");
199 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
200 "fail wrong intermediate CA DN");
201 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
202 "fail expired leaf");
203 ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
204 "accept last-resort direct leaf match");
205 ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
206 "accept last-resort direct leaf match");
207 ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
208 "fail last-resort direct leaf non-match");
209 ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
210 "accept direct match with server trust");
211 ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
212 "fail direct match with server mistrust");
213 ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
214 "accept direct match with client trust");
215 ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
216 "reject direct match with client mistrust");