From: Richard Levitte
Date: Sun, 19 Jun 2016 08:56:37 +0000 (+0200)
Subject: Add verification of proxy certs to 25-test_verify.t
X-Git-Tag: OpenSSL_1_1_0-pre6~380
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=aa951ef3d745aa0c32b984fd9be2cc21382b97f6;hp=8dfb2021d1f191c0ed8a81af08913b12d5c021fa
Add verification of proxy certs to 25-test_verify.t
Reviewed-by: Rich Salz
Reviewed-by: Stephen Henson
---
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 172eecbe7d..5cc5ce8b2e 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -26,7 +26,7 @@ sub verify {
 run(app([@args]));
 }
-plan tests => 101;
+plan tests => 108;
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -222,6 +222,28 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
 ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
 "reject direct match with client mistrust");
+# Proxy certificates
+ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
+ "fail to accept proxy cert without -allow_proxy_certs");
+ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert 1");
+ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert 2");
+ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "fail proxy cert with incorrect subject");
+ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "fail proxy cert with incorrect pathlen");
+ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert missing proxy policy");
+ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "failed proxy cert where last CN was added as a multivalue RDN component");
+
 # Security level tests
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
 "accept RSA 2048 chain at auth level 2");
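Review bot: The rejection cases for `bad-pc3-cert`, `bad-pc4-cert` and `pc6-cert` assert only that `verify` returns false, so each would also pass if the certificate file were missing or verification failed for a reason other than the one named in its description. The shared untrusted set `pc1-cert ee-client ca-cert` is shown to be good by the "accept proxy cert 2" case, but nothing in the hunk ties the failure to the leaf's subject, pathlen or multivalue RDN. A comment above the block would make that limit explicit, for example `# Negative cases check only that verification fails, not which error; each bad cert should differ from a passing one in exactly one property`. The "accept proxy cert missing proxy policy" case would also benefit from a one-line comment stating why acceptance is the intended outcome, since a reader may expect a proxy certificate without a policy to be rejected. The `verify` helper's body starts outside the first hunk, so how it surfaces errors is not visible here.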