From aa951ef3d745aa0c32b984fd9be2cc21382b97f6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 19 Jun 2016 10:56:37 +0200 Subject: [PATCH] Add verification of proxy certs to 25-test_verify.t Reviewed-by: Rich Salz Reviewed-by: Stephen Henson --- test/recipes/25-test_verify.t | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 172eecbe7d..5cc5ce8b2e 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -26,7 +26,7 @@ sub verify { run(app([@args])); } -plan tests => 101; +plan tests => 108; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -222,6 +222,28 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), "reject direct match with client mistrust"); +# Proxy certificates +ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), + "fail to accept proxy cert without -allow_proxy_certs"); +ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)], + "-allow_proxy_certs"), + "accept proxy cert 1"); +ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], + "-allow_proxy_certs"), + "accept proxy cert 2"); +ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], + "-allow_proxy_certs"), + "fail proxy cert with incorrect subject"); +ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], + "-allow_proxy_certs"), + "fail proxy cert with incorrect pathlen"); +ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], + "-allow_proxy_certs"), + "accept proxy cert missing proxy policy"); +ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)], + "-allow_proxy_certs"), + "failed proxy cert where last CN was added as a multivalue RDN component"); + # Security level tests ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), "accept RSA 2048 chain at auth level 2"); -- 2.25.1