
Lines Matching refs:cert

23     my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
29 push(@args, srctop_file(@certspath, "$cert.pem"));
36 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
40 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
42 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
44 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
46 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
48 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
53 ok(verify("ee-cert-noncrit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
55 ok(!verify("ee-cert-crit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
57 ok(verify("ee-cert-ocsp-nocheck", "", ["root-cert"], ["ca-cert"]),
62 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
64 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
66 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
68 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
70 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
73 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
75 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
77 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
80 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
82 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
84 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
87 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
89 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
91 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
94 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
96 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
98 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
101 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
103 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
105 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
111 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
112 [qw(ca-cert)]),
114 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
115 [qw(ca-cert)]),
117 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
118 [qw(ca-cert)]),
120 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
121 [qw(ca-cert)]),
125 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
127 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
129 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
131 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
133 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
135 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),
137 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
139 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
141 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
143 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
145 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
147 ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
149 ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
151 ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
153 ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
155 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
157 ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
159 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
161 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
163 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
165 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
167 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
169 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
175 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
177 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
179 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
181 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
183 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
185 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
187 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
189 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
191 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
193 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
195 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
197 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
199 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
201 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
203 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
205 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
207 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
209 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
211 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
215 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
217 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
219 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
221 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
223 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
225 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
227 ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
231 ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
233 ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
235 ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
241 ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
243 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
247 ok(verify("ee-timestampsign-CABforum", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
249 ok(!verify("ee-timestampsign-CABforum-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
251 ok(!verify("ee-timestampsign-CABforum-serverauth", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
253 ok(!verify("ee-timestampsign-CABforum-anyextkeyusage", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
255 ok(!verify("ee-timestampsign-CABforum-crlsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
257 ok(!verify("ee-timestampsign-CABforum-keycertsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
259 ok(verify("ee-timestampsign-rfc3161", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
261 ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
263 ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
267 ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
269 ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]),
271 ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]),
273 ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
275 ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
277 ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]),
279 ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]),
281 ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]),
283 ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]),
285 ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]),
289 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
290 "fail to accept proxy cert without -allow_proxy_certs");
291 ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
293 "accept proxy cert 1");
294 ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
296 "accept proxy cert 2");
297 ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
299 "fail proxy cert with incorrect subject");
300 ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
302 "fail proxy cert with incorrect pathlen");
303 ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
305 "accept proxy cert missing proxy policy");
306 ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
308 "failed proxy cert where last CN was added as a multivalue RDN component");
311 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
313 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
315 ok(verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
317 ok(!verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"]),
319 ok(verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
321 ok(!verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"]),
323 ok(verify("ee-cert-768", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
325 ok(!verify("ee-cert-768", "", ["root-cert"], ["ca-cert"]),
328 ok(verify("ee-cert", "", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
330 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-auth_level", "2"),
332 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
334 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"]),
336 ok(verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
338 ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]),
345 ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
346 ["ca-cert-ec-named"]),
348 ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"],
349 ["ca-cert-ec-explicit"]),
351 ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
352 ["ca-cert-ec-named"]),
354 ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], ),
355 "accept cert generated with EC and SHA3-224");
356 ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], ),
357 "accept cert generated with EC and SHA3-256");
358 ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], ),
359 "accept cert generated with EC and SHA3-384");
360 ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], ),
361 "accept cert generated with EC and SHA3-512");
375 ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
376 "accept cert generated with EC and SHA3-224 w/fips");
377 ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
378 "accept cert generated with EC and SHA3-256 w/fips");
379 ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
380 "accept cert generated with EC and SHA3-384 w/fips");
381 ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
382 "accept cert generated with EC and SHA3-512 w/fips");
393 ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
394 ["ca-cert-ec-named"], @prov),
396 ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"],
397 ["ca-cert-ec-explicit"], @prov),
399 ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
400 ["ca-cert-ec-named"], @prov),
409 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
411 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
413 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
415 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
420 ok(verify("alt1-cert", "", ["root-cert"], ["ncca1-cert"], ),
423 ok(verify("alt2-cert", "", ["root-cert"], ["ncca2-cert"], ),
426 ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
429 ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
432 ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ),
435 ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
438 ok(!verify("badalt1-cert", "", ["root-cert"], ["ncca1-cert"], ),
441 ok(!verify("badalt2-cert", "", ["root-cert"], ["ncca2-cert"], ),
444 ok(!verify("badalt3-cert", "", ["root-cert"], ["ncca1-cert"], ),
447 ok(!verify("badalt4-cert", "", ["root-cert"], ["ncca1-cert"], ),
450 ok(!verify("badalt5-cert", "", ["root-cert"], ["ncca1-cert"], ),
453 ok(!verify("badalt6-cert", "", ["root-cert"], ["ncca1-cert"], ),
456 ok(!verify("badalt7-cert", "", ["root-cert"], ["ncca1-cert"], ),
459 ok(!verify("badalt8-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
462 ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
465 ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
468 ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
471 ok(verify("nc-uri-cert", "", ["root-cert"], ["ncca4-cert"], ),
482 ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
485 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
488 ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
491 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
494 ok(verify("ee-pss-cert", "", ["root-cert"], ["ca-pss-cert"], ),
496 ok(!verify("ee-pss-wrong1.5-cert", "", ["root-cert"], ["ca-pss-cert"], ),
512 ok(verify("root-cert-rsa2", "", ["root-cert-rsa2"], [], "-check_ss_sig"),
516 "accept trusted self-signed EE cert excluding key usage keyCertSign");
518 "accept trusted self-signed EE cert with key usage keyCertSign also when strict");
526 "accept X25519 EE cert issued by trusted Ed25519 self-signed CA cert");
529 "reject X25519 EE cert in strict mode since AKID is missing");
535 "accept trusted Ed25519 self-signed CA cert");
538 "fail trusted Ed25519-signed self-issued X25519 cert");
541 "accept last-resort direct leaf match Ed25519-signed self-issued cert");
548 ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "distid:1234567812345678"),
550 ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "hexdistid:31323334353637383132333435363738"),
555 my $cert_file = srctop_file('test', 'certs', 'root-cert.pem');
569 'Mixed cert + key file test');
583 'Mixed key + cert file test');
587 ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
592 ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
598 my $rootcertname = "root-cert";
609 my $foo_file = "foo:cert.pem";
613 my $foo_file = "cert.pem";