diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-28 03:01:45 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-31 21:23:23 -0500 |
commit | 0daccd4dc1f1ac62181738a91714f35472e50f3c (patch) | |
tree | 5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /test | |
parent | 1b4cf96f9b82ec3b06e7902bb21620a09cadd94e (diff) |
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/certs/root+anyEKU.pem | 18 | ||||
-rw-r--r-- | test/certs/root-anyEKU.pem | 18 | ||||
-rw-r--r-- | test/certs/root2+clientAuth.pem | 19 | ||||
-rw-r--r-- | test/certs/root2+serverAuth.pem | 19 | ||||
-rw-r--r-- | test/certs/root2-serverAuth.pem | 19 | ||||
-rwxr-xr-x | test/certs/setup.sh | 12 | ||||
-rw-r--r-- | test/recipes/25-test_verify.t | 98 |
7 files changed, 168 insertions, 35 deletions
diff --git a/test/certs/root+anyEKU.pem b/test/certs/root+anyEKU.pem new file mode 100644 index 0000000000..97e0732189 --- /dev/null +++ b/test/certs/root+anyEKU.pem @@ -0,0 +1,18 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw +bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2 +UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY +mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg +Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO +bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8DAIMAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/root-anyEKU.pem b/test/certs/root-anyEKU.pem new file mode 100644 index 0000000000..712b1f572a --- /dev/null +++ b/test/certs/root-anyEKU.pem @@ -0,0 +1,18 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 +o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw +bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2 +UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY +mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg +Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO +bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8DAIoAYGBFUdJQA= +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/root2+clientAuth.pem b/test/certs/root2+clientAuth.pem new file mode 100644 index 0000000000..41355b040e --- /dev/null +++ b/test/certs/root2+clientAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5 +wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+ +R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp +/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU +/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6 +7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv +akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y +Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv +NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+ +qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM +o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+ +zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y +9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMMAoGCCsGAQUF +BwMC +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/root2+serverAuth.pem b/test/certs/root2+serverAuth.pem new file mode 100644 index 0000000000..52053f1bf6 --- /dev/null +++ b/test/certs/root2+serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5 +wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+ +R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp +/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU +/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6 +7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv +akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y +Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv +NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+ +qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM +o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+ +zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y +9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMMAoGCCsGAQUF +BwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/root2-serverAuth.pem b/test/certs/root2-serverAuth.pem new file mode 100644 index 0000000000..dae848a1a9 --- /dev/null +++ b/test/certs/root2-serverAuth.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5 +wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+ +R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp +/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU +/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6 +7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv +akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y +Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv +NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+ +qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM +o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+ +zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y +9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMoAoGCCsGAQUF +BwMB +-----END TRUSTED CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index b50f7e3015..795ff4aa0f 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -2,7 +2,7 @@ # Primary root: root-cert # root certs variants: CA:false, key2, DN2 -# trust variants: +serverAuth -serverAuth +clientAuth +# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU # ./mkcert.sh genroot "Root CA" root-key root-cert ./mkcert.sh genss "Root CA" root-key root-nonca @@ -15,6 +15,16 @@ openssl x509 -in root-cert.pem -trustout \ -addreject serverAuth -out root-serverAuth.pem openssl x509 -in root-cert.pem -trustout \ -addtrust clientAuth -out root+clientAuth.pem +openssl x509 -in root-cert.pem -trustout \ + -addreject anyExtendedKeyUsage -out root-anyEKU.pem +openssl x509 -in root-cert.pem -trustout \ + -addtrust anyExtendedKeyUsage -out root+anyEKU.pem +openssl x509 -in root-cert2.pem -trustout \ + -addtrust serverAuth -out root2+serverAuth.pem +openssl x509 -in root-cert2.pem -trustout \ + -addreject serverAuth -out root2-serverAuth.pem +openssl x509 -in root-cert2.pem -trustout \ + -addtrust clientAuth -out root2+clientAuth.pem # Primary intermediate ca: ca-cert # ca variants: CA:false, key2, DN2, issuer2, expired diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 56d83077d4..93d993dcdc 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -9,80 +9,110 @@ use OpenSSL::Test qw/:DEFAULT top_file/; setup("test_verify"); sub verify { - my ($cert, $vname, $trusted, $untrusted, @opts) = @_; - my @args = qw(openssl verify -verify_name); + my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; + my @args = qw(openssl verify -purpose); my @path = qw(test certs); - push(@args, "$vname", @opts); + push(@args, "$purpose", @opts); for (@$trusted) { push(@args, "-trusted", top_file(@path, "$_.pem")) } for (@$untrusted) { push(@args, "-untrusted", top_file(@path, "$_.pem")) } push(@args, top_file(@path, "$cert.pem")); run(app([@args])); } -plan tests => 29; +plan tests => 38; # Canonical success -ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]), +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), "verify valid chain"); # Root CA variants -ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]), - "Trusted certs not subject to CA:true checks"); -ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]), +ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), + "Trusted CA certs now subject to CA:true checks"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), "fail wrong root key"); -ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]), +ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), "fail wrong root DN"); -ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]), +ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), "accept right EKU"); -ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]), +ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), + "accept anyEKU"); +ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), "fail rejected EKU"); -ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]), +ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), + "fail rejected anyEKU"); +ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), "fail wrong EKU"); +# Check that trusted-first is on by setting up paths to different roots +# depending on whether the intermediate is the trusted or untrusted one. +# +ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], + [qw(ca-cert)]), + "verify trusted-first path"); +ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], + [qw(ca-cert)]), + "verify trusted-first path right EKU"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], + [qw(ca-cert)]), + "fail trusted-first path rejected EKU"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], + [qw(ca-cert)]), + "fail trusted-first path wrong EKU"); + # CA variants -ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]), +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), "fail non-CA"); -ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]), +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), "fail wrong CA key"); -ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]), +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), "fail wrong CA DN"); -ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]), +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), "fail wrong CA issuer"); -ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), "fail untrusted partial"); -ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), "fail untrusted EKU partial"); -ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"), +ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), "accept trusted EKU partial"); -ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), "fail rejected EKU partial"); -ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), "fail wrong EKU partial"); +# We now test auxiliary trust even for intermediate trusted certs without +# -partial_chain. Note that "-trusted_first" is now always on and cannot +# be disabled. +ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), + "accept trusted EKU"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]), + "fail rejected EKU"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]), + "fail wrong EKU"); + # EE variants -ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]), +ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), "accept client cert"); -ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), +ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), "fail wrong leaf purpose"); -ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]), +ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), "fail wrong leaf purpose"); -ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), +ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), "fail wrong CA key"); -ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), +ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), "fail wrong CA name"); -ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]), +ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), "fail expired leaf"); -ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"), +ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), "accept last-resort direct leaf match"); -ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"), +ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), "accept last-resort direct leaf match"); -ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), "fail last-resort direct leaf non-match"); -ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"), +ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), "accept direct match with trusted EKU"); -ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"), +ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), "reject direct match with rejected EKU"); -ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"), +ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), "accept direct match with trusted EKU"); -ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"), +ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), "reject direct match with rejected EKU"); |