6 use File::Spec::Functions qw/canonpath/;
7 use OpenSSL::Test qw/:DEFAULT top_dir top_file/;
11 # Note for now, at most one trusted and one untrusted PEM file can be
12 # specified. The verify(1) option parser does not accumulate content
13 # from multiple trusted or untrusted files.
16 my ($cert, $vname, $trusted, $untrusted, @opts) = @_;
17 my @args = qw(openssl verify -verify_name);
18 my @path = qw(test certs);
19 push(@args, "$vname", @opts);
20 for (@$trusted) { push(@args, "-trusted", top_dir(@path, "$_.pem")) }
21 for (@$untrusted) { push(@args, "-untrusted", top_dir(@path, "$_.pem")) }
22 push(@args, top_dir(@path, "$cert.pem"));
29 ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),
30 "verify valid chain");
33 ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),
34 "Trusted certs not subject to CA:true checks");
35 ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),
36 "fail wrong root key");
37 ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),
38 "fail wrong root DN");
39 ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),
41 ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),
43 ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),
47 ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),
49 ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),
51 ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),
53 ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),
54 "fail wrong CA issuer");
55 ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),
56 "fail untrusted partial");
57 ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),
58 "fail untrusted EKU partial");
59 ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),
60 "accept trusted EKU partial");
61 ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),
62 "fail rejected EKU partial");
63 ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),
64 "fail wrong EKU partial");
67 ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
68 "accept client cert");
69 ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
70 "fail wrong leaf purpose");
71 ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
72 "fail wrong leaf purpose");
73 ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
75 ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
76 "fail wrong CA name");
77 ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
79 ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),
80 "accept last-resort direct leaf match");
81 ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),
82 "accept last-resort direct leaf match");
83 ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),
84 "fail last-resort direct leaf non-match");
85 ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),
86 "accept direct match with trusted EKU");
87 ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),
88 "reject direct match with rejected EKU");
89 ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),
90 "accept direct match with trusted EKU");
91 ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),
92 "reject direct match with rejected EKU");