- note('Some of them may turn out being invalid, which is fine.');
- foreach my $auth (('A', 'B', 'C', 'BC')) {
- foreach my $cond (('A', 'B', 'C', 'A|B&!C')) {
- # Exit code 3 is when ssltest couldn't parse the condition
- with({ exit_checker => sub { my $x = shift;
- return
- ($x == 1 || $x == 3) ? 0 : 1; } },
- sub {
- testssl($a1, $a2, $a3,
- "-proxy", "-proxy_auth", $auth,
- "-proxy_cond", $cond);
- });
- }
+
+ # We happen to know that certP1.ss has policy letters "AB" and
+ # certP2.ss has policy letters "BC". However, because certP2.ss
+ # has certP1.ss as issuer, when it's used, both their policy
+ # letters get combined into just "B".
+ # The policy letter(s) then get filtered with the given auth letter
+ # in the table below, and the result gets tested with the given
+ # condition. For details, read ssltest.c
+ #
+ # certfilename => [ [ auth, cond, expected result ] ... ]
+ my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ],
+ [ [ 'A', 'B' ], 0 ],
+ [ [ 'A', 'C' ], 0 ],
+ [ [ 'A', 'A|B&!C' ], 1 ],
+ [ [ 'B', 'A' ], 0 ],
+ [ [ 'B', 'B' ], 1 ],
+ [ [ 'B', 'C' ], 0 ],
+ [ [ 'B', 'A|B&!C' ], 1 ],
+ [ [ 'C', 'A' ], 0 ],
+ [ [ 'C', 'B' ], 0 ],
+ [ [ 'C', 'C' ], 0 ],
+ [ [ 'C', 'A|B&!C' ], 0 ],
+ [ [ 'BC', 'A' ], 0 ],
+ [ [ 'BC', 'B' ], 1 ],
+ [ [ 'BC', 'C' ], 0 ],
+ [ [ 'BC', 'A|B&!C' ], 1 ] ],
+ "certP2.ss" => [ [ [ 'A', 'A' ], 0 ],
+ [ [ 'A', 'B' ], 0 ],
+ [ [ 'A', 'C' ], 0 ],
+ [ [ 'A', 'A|B&!C' ], 0 ],
+ [ [ 'B', 'A' ], 0 ],
+ [ [ 'B', 'B' ], 1 ],
+ [ [ 'B', 'C' ], 0 ],
+ [ [ 'B', 'A|B&!C' ], 1 ],
+ [ [ 'C', 'A' ], 0 ],
+ [ [ 'C', 'B' ], 0 ],
+ [ [ 'C', 'C' ], 0 ],
+ [ [ 'C', 'A|B&!C' ], 0 ],
+ [ [ 'BC', 'A' ], 0 ],
+ [ [ 'BC', 'B' ], 1 ],
+ [ [ 'BC', 'C' ], 0 ],
+ [ [ 'BC', 'A|B&!C' ], 1 ] ] );
+
+ foreach (@{$expected{$cert}}) {
+ my $auth = $_->[0]->[0];
+ my $cond = $_->[0]->[1];
+ my $res = $_->[1];
+ is(run(test([@ssltest, "-ssl3", "-server_auth", @CA,
+ "-proxy", "-proxy_auth", $auth,
+ "-proxy_cond", $cond])), $res,
+ "test tlsv1, server auth, proxy auth $auth and cond $cond (expect "
+ .($res ? "success" : "failure").")");