diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-15 00:10:27 +0100 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-21 01:04:11 +0100 |
| commit | 6e8beabcd4b9450a3a7358bf5668b2bc70580517 (patch) | |
| tree | 190f569a62a1e84e220a7b85a09a0d3f3a39d832 /test/recipes | |
| parent | Reject when explicit trust EKU are set and none match. (diff) | |
| download | openssl-6e8beabcd4b9450a3a7358bf5668b2bc70580517.tar.xz openssl-6e8beabcd4b9450a3a7358bf5668b2bc70580517.zip | |
More X509_verify_cert() tests via verify(1).
Still need tests for trusted-first and tests that probe construction
of alternate chains.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/recipes')
| -rw-r--r-- | test/recipes/25-test_verify.t | 85 |
1 files changed, 80 insertions, 5 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 923bda0c4f..1059878683 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -8,10 +8,85 @@ use OpenSSL::Test qw/:DEFAULT top_dir top_file/; setup("test_verify"); -plan skip_all => "no rehash.time was found." - unless (-f top_file("rehash.time")); +# Note for now, at most one trusted and one untrusted PEM file can be +# specified. The verify(1) option parser does not accumulate content +# from multiple trusted or untrusted files. +# +sub verify { + my ($cert, $vname, $trusted, $untrusted, @opts) = @_; + my @args = qw(openssl verify -verify_name); + my @path = qw(test certs); + push(@args, "$vname", @opts); + for (@$trusted) { push(@args, "-trusted", top_dir(@path, "$_.pem")) } + for (@$untrusted) { push(@args, "-untrusted", top_dir(@path, "$_.pem")) } + push(@args, top_dir(@path, "$cert.pem")); + run(app([@args])); +} -plan tests => 1; +plan tests => 29; -ok(run(app(["openssl", "verify", "-CApath", top_dir("certs", "demo"), - glob(top_file("certs", "demo", "*.pem"))])), "verifying demo certs"); +# Canonical success +ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]), + "verify valid chain"); + +# Root CA variants +ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]), + "Trusted certs not subject to CA:true checks"); +ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]), + "fail wrong root key"); +ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]), + "fail wrong root DN"); +ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]), + "accept right EKU"); +ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]), + "fail rejected EKU"); +ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]), + "fail wrong EKU"); + +# CA variants +ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]), + "fail non-CA"); +ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]), + "fail wrong CA key"); +ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]), + "fail wrong CA DN"); +ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]), + "fail wrong CA issuer"); +ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"), + "fail untrusted partial"); +ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"), + "fail untrusted EKU partial"); +ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"), + "accept trusted EKU partial"); +ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"), + "fail rejected EKU partial"); +ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"), + "fail wrong EKU partial"); + +# EE variants +ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]), + "accept client cert"); +ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong leaf purpose"); +ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong leaf purpose"); +ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong CA key"); +ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong CA name"); +ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), + "fail expired leaf"); +ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"), + "accept last-resort direct leaf match"); +ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"), + "accept last-resort direct leaf match"); +ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"), + "fail last-resort direct leaf non-match"); +ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"), + "accept direct match with trusted EKU"); +ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"), + "reject direct match with rejected EKU"); +ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"), + "accept direct match with trusted EKU"); +ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"), + "reject direct match with rejected EKU"); |