Commit Graph

20 Commits

Author SHA1 Message Date
Dr. Stephen Henson
978b700bf9 no-ec fix
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)
2017-05-30 20:38:20 +01:00
Dr. Stephen Henson
4328dd4158 Add Ed25519 verify test.
Add Ed25519 certificate verify test using certificate from
draft-ietf-curdle-pkix-04 and custom generated root certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)
2017-05-30 20:38:20 +01:00
Dr. Stephen Henson
451a0c3dc8 Add PSS certificate signature tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3301)
2017-04-25 22:12:35 +01:00
Dr. Stephen Henson
d83b7e1a58 Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.

Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Richard Levitte
aa951ef3d7 Add verification of proxy certs to 25-test_verify.t
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-06-20 21:34:37 +02:00
Rich Salz
596d6b7e1c Unified copyright for test recipes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-22 07:58:47 -04:00
Viktor Dukhovni
fbb82a60dc Move peer chain security checks into x509_vfy.c
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-03 11:35:35 -04:00
Viktor Dukhovni
4d9e33acb2 Require intermediate CAs to have basicConstraints CA:true.
Previously, it was sufficient to have certSign in keyUsage when the
basicConstraints extension was missing.  That is still accepted in
a trust anchor, but is no longer accepted in an intermediate CA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:54:34 -04:00
Richard Levitte
42e0ccdfe8 unified build scheme: adjust test framework for out of source build tree
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.

test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own.  Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.

As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-09 11:43:20 +01:00
Viktor Dukhovni
1d85277235 Add tests for non-ca trusted roots and intermediates
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:16 -05:00
Viktor Dukhovni
33cc5dde47 Compat self-signed trust with reject-only aux data
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.

This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).

Added new supported certs and doubled test count from 38 to 76.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:12 -05:00
Viktor Dukhovni
0daccd4dc1 Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:23:23 -05:00
Richard Levitte
9c626317a6 Fix test/recipes/25-test_verify.t
top_dir() are used to create directory names, top_file() should be
used for files.  In a Unixly environment, that doesn't matter, but...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-30 17:10:38 +01:00
Viktor Dukhovni
feb2f53edc Multiple -trusted/-untrusted/-CRLfile options in verify
It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.

To that end, change verify(1) to accept these options zero or more
times.  Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.

Improve verify(1) documentation, which could still use some work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:33 -05:00
Viktor Dukhovni
6e8beabcd4 More X509_verify_cert() tests via verify(1).
Still need tests for trusted-first and tests that probe construction
of alternate chains.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:11 -05:00
Viktor Dukhovni
d9e309a675 Fix verify(1) to report failure when verification fails
Regenerated expired test certificates, good for the next 100 years.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-13 17:55:17 -05:00
Andy Polyakov
4ada8be2a6 Test suite: minimal required to get mingw 'make test' work under Linux.
(part by Alessandro Ghedini)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-13 19:46:50 +02:00
Richard Levitte
fd99c6b599 Change OpenSSL::Test to be an extension of Test::More
It became tedious as well as error prone to have all recipes use
Test::More as well as OpenSSL::Test.  The easier way is to make
OpenSSL::Test an extension of Test::More, thereby having all version
checks as well as future checks firmly there.  Additionally, that
allows us to extend existing Test::More functions if the need would
arise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
fb921436f3 Add version numbers on some modules we use.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
4650de3e43 Add recipes for tests related to certificates
Some of them make use of recipes/tconversion.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00