author | Richard Levitte <levitte@openssl.org> | 2016-06-19 10:56:37 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2016-06-20 21:34:37 +0200 |
commit | aa951ef3d745aa0c32b984fd9be2cc21382b97f6 (patch) | |
tree | 54de3ac57ec66538b3f0e2ceb30e10429adf2592 /test | |
parent | 8dfb2021d1f191c0ed8a81af08913b12d5c021fa (diff) |
Add verification of proxy certs to 25-test_verify.t
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/25-test_verify.t | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 172eecbe7d..5cc5ce8b2e 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -26,7 +26,7 @@ sub verify {
 run(app([@args]));
 }
 
-plan tests => 101;
+plan tests => 108;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -222,6 +222,28 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
 ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
 "reject direct match with client mistrust");
 
+# Proxy certificates
+ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
+ "fail to accept proxy cert without -allow_proxy_certs");
+ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert 1");
+ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert 2");
+ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "fail proxy cert with incorrect subject");
+ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "fail proxy cert with incorrect pathlen");
+ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "accept proxy cert missing proxy policy");
+ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
+ "-allow_proxy_certs"),
+ "failed proxy cert where last CN was added as a multivalue RDN component");
+
 # Security level tests
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
 "accept RSA 2048 chain at auth level 2"); |
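Review bot: The rejection cases for `bad-pc3-cert`, `bad-pc4-cert` and `pc6-cert` in the second hunk assert only that `verify` fails, so they would also pass if a fixture file were missing or the chain broke for an unrelated reason; the first negative case is better anchored because the same `pc1-cert` is accepted by the next test once `-allow_proxy_certs` is given. The `verify` helper is defined mostly outside this diff and appears to return just the result of `run(app([@args]))`, so the reason for rejection is not checked here. Consider a comment above the block such as `# Negative cases assert failure only; the specific verify error for each bad proxy cert is not checked`, or have the helper expose the verify error so each case can pin its reason. The last description reads "failed proxy cert ..." where its siblings use "fail ..."; `"fail proxy cert where last CN was added as a multivalue RDN component"` would match them.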