openssl/test/recipes/25-test_verify.t

#! /usr/bin/perl

use strict;
use warnings;

use File::Spec::Functions qw/canonpath/;
use OpenSSL::Test qw/:DEFAULT top_dir top_file/;

setup("test_verify");

sub verify {
    my ($cert, $vname, $trusted, $untrusted, @opts) = @_;
    my @args = qw(openssl verify -verify_name);
    my @path = qw(test certs);
    push(@args, "$vname", @opts);
    for (@$trusted) { push(@args, "-trusted", top_dir(@path, "$_.pem")) }
    for (@$untrusted) { push(@args, "-untrusted", top_dir(@path, "$_.pem")) }
    push(@args, top_dir(@path, "$cert.pem"));
    run(app([@args]));
}

plan tests => 29;

# Canonical success
ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),
   "verify valid chain");

# Root CA variants
ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),
   "Trusted certs not subject to CA:true checks");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),
   "fail wrong root key");
ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),
   "fail wrong root DN");
ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),
   "accept right EKU");
ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),
   "fail rejected EKU");
ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),
   "fail wrong EKU");

# CA variants
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),
   "fail non-CA");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),
   "fail wrong CA key");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),
   "fail wrong CA DN");
ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),
   "fail wrong CA issuer");
ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),
   "fail untrusted partial");
ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),
   "fail untrusted EKU partial");
ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),
   "accept trusted EKU partial");
ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),
   "fail rejected EKU partial");
ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),
   "fail wrong EKU partial");

# EE variants
ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
   "accept client cert");
ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose");
ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong leaf purpose");
ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA key");
ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail wrong CA name");
ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
   "fail expired leaf");
ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),
   "accept last-resort direct leaf match");
ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),
   "fail last-resort direct leaf non-match");
ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU");
ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU");
ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),
   "accept direct match with trusted EKU");
ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),
   "reject direct match with rejected EKU");
Add recipes for tests related to certificates Some of them make use of recipes/tconversion.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-04-18 02:15:22 +08:00			`#! /usr/bin/perl`

			`use strict;`
			`use warnings;`

			`use File::Spec::Functions qw/canonpath/;`
			`use OpenSSL::Test qw/:DEFAULT top_dir top_file/;`

			`setup("test_verify");`

More X509_verify_cert() tests via verify(1). Still need tests for trusted-first and tests that probe construction of alternate chains. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 07:10:27 +08:00			`sub verify {`
			`my ($cert, $vname, $trusted, $untrusted, @opts) = @_;`
			`my @args = qw(openssl verify -verify_name);`
			`my @path = qw(test certs);`
			`push(@args, "$vname", @opts);`
			`for (@$trusted) { push(@args, "-trusted", top_dir(@path, "$_.pem")) }`
			`for (@$untrusted) { push(@args, "-untrusted", top_dir(@path, "$_.pem")) }`
			`push(@args, top_dir(@path, "$cert.pem"));`
			`run(app([@args]));`
			`}`
Test suite: minimal required to get mingw 'make test' work under Linux. (part by Alessandro Ghedini) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-10-13 04:16:07 +08:00
More X509_verify_cert() tests via verify(1). Still need tests for trusted-first and tests that probe construction of alternate chains. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 07:10:27 +08:00			`plan tests => 29;`
Add recipes for tests related to certificates Some of them make use of recipes/tconversion.pl. Reviewed-by: Rich Salz <rsalz@openssl.org> 2015-04-18 02:15:22 +08:00
More X509_verify_cert() tests via verify(1). Still need tests for trusted-first and tests that probe construction of alternate chains. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-01-15 07:10:27 +08:00			`# Canonical success`
			`ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),`
			`"verify valid chain");`

			`# Root CA variants`
			`ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),`
			`"Trusted certs not subject to CA:true checks");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),`
			`"fail wrong root key");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),`
			`"fail wrong root DN");`
			`ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),`
			`"accept right EKU");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),`
			`"fail rejected EKU");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),`
			`"fail wrong EKU");`

			`# CA variants`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),`
			`"fail non-CA");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),`
			`"fail wrong CA key");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),`
			`"fail wrong CA DN");`
			`ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),`
			`"fail wrong CA issuer");`
			`ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),`
			`"fail untrusted partial");`
			`ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),`
			`"fail untrusted EKU partial");`
			`ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),`
			`"accept trusted EKU partial");`
			`ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),`
			`"fail rejected EKU partial");`
			`ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),`
			`"fail wrong EKU partial");`

			`# EE variants`
			`ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),`
			`"accept client cert");`
			`ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),`
			`"fail wrong leaf purpose");`
			`ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),`
			`"fail wrong leaf purpose");`
			`ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),`
			`"fail wrong CA key");`
			`ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),`
			`"fail wrong CA name");`
			`ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),`
			`"fail expired leaf");`
			`ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),`
			`"accept last-resort direct leaf match");`
			`ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),`
			`"accept last-resort direct leaf match");`
			`ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),`
			`"fail last-resort direct leaf non-match");`
			`ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),`
			`"accept direct match with trusted EKU");`
			`ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),`
			`"reject direct match with rejected EKU");`
			`ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),`
			`"accept direct match with trusted EKU");`
			`ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),`
			`"reject direct match with rejected EKU");`