6 use File::Spec::Functions qw/canonpath/;
7 use OpenSSL::Test qw/:DEFAULT top_file/;
12 my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
13 my @args = qw(openssl verify -purpose);
14 my @path = qw(test certs);
15 push(@args, "$purpose", @opts);
16 for (@$trusted) { push(@args, "-trusted", top_file(@path, "$_.pem")) }
17 for (@$untrusted) { push(@args, "-untrusted", top_file(@path, "$_.pem")) }
18 push(@args, top_file(@path, "$cert.pem"));
25 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
26 "accept compat trust");
29 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
30 "fail trusted non-ca root");
31 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
32 "fail wrong root key");
33 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
34 "fail wrong root DN");
36 # Explicit trust/purpose combinations
38 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
39 "accept server purpose");
40 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
41 "fail client purpose");
42 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
43 "accept server trust");
44 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
45 "accept server trust with server purpose");
46 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
47 "accept server trust with client purpose");
49 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
50 "accept wildcard trust");
51 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
52 "accept wildcard trust with server purpose");
53 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
54 "accept wildcard trust with client purpose");
55 # Inapplicable mistrust
56 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
57 "accept client mistrust");
58 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
59 "accept client mistrust with server purpose");
60 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
61 "fail client mistrust with client purpose");
63 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
65 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
66 "fail client trust with server purpose");
67 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
68 "fail client trust with client purpose");
70 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
72 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
73 "fail server mistrust with server purpose");
74 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
75 "fail server mistrust with client purpose");
77 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
78 "fail wildcard mistrust");
79 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
80 "fail wildcard mistrust with server purpose");
81 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
82 "fail wildcard mistrust with client purpose");
84 # Check that trusted-first is on by setting up paths to different roots
85 # depending on whether the intermediate is the trusted or untrusted one.
87 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
89 "accept trusted-first path");
90 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
92 "accept trusted-first path with server trust");
93 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
95 "fail trusted-first path with server mistrust");
96 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
98 "fail trusted-first path with client trust");
101 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
102 "fail non-CA intermediate");
103 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
104 "fail wrong intermediate CA key");
105 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
106 "fail wrong intermediate CA DN");
107 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
108 "fail wrong intermediate CA issuer");
109 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
110 "fail untrusted partial chain");
111 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
112 "accept trusted partial chain");
113 ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
114 "accept partial chain with server purpose");
115 ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
116 "fail partial chain with client purpose");
117 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
118 "accept server trust partial chain");
119 ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
120 "accept server trust client purpose partial chain");
121 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
122 "accept client mistrust partial chain");
123 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
124 "accept wildcard trust partial chain");
125 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
126 "fail untrusted partial issuer with ignored server trust");
127 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
128 "fail server mistrust partial chain");
129 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
130 "fail client trust partial chain");
131 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
132 "fail wildcard mistrust partial chain");
134 # We now test auxiliary trust even for intermediate trusted certs without
135 # -partial_chain. Note that "-trusted_first" is now always on and cannot
137 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
138 "accept server trust");
139 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
140 "accept wildcard trust");
141 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
142 "accept server purpose");
143 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
144 "accept server trust and purpose");
145 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
146 "accept wildcard trust and server purpose");
147 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
148 "accept client mistrust and server purpose");
149 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
150 "accept server trust and client purpose");
151 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
152 "accept wildcard trust and client purpose");
153 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
154 "fail client purpose");
155 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
156 "fail wildcard mistrust");
157 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
158 "fail server mistrust");
159 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
160 "fail client trust");
161 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
162 "fail client trust and server purpose");
163 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
164 "fail client trust and client purpose");
165 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
166 "fail server mistrust and client purpose");
167 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
168 "fail client mistrust and client purpose");
169 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
170 "fail server mistrust and server purpose");
171 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
172 "fail wildcard mistrust and server purpose");
173 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
174 "fail wildcard mistrust and client purpose");
177 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
178 "accept client chain");
179 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
180 "fail server leaf purpose");
181 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
182 "fail client leaf purpose");
183 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
184 "fail wrong intermediate CA key");
185 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
186 "fail wrong intermediate CA DN");
187 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
188 "fail expired leaf");
189 ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
190 "accept last-resort direct leaf match");
191 ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
192 "accept last-resort direct leaf match");
193 ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
194 "fail last-resort direct leaf non-match");
195 ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
196 "accept direct match with server trust");
197 ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
198 "fail direct match with server mistrust");
199 ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
200 "accept direct match with client trust");
201 ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
202 "reject direct match with client mistrust");