Lines Matching refs:ca
33 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
36 # Root CA variants
37 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
38 "fail trusted non-ca root");
39 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
40 "fail server trust non-ca root");
41 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
42 "fail wildcard trust non-ca root");
43 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
45 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
50 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
52 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
54 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
56 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
58 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
61 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
63 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
65 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
68 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
70 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
72 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
75 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
77 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
79 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
82 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
84 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
86 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
89 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
91 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
93 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
99 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
100 [qw(ca-cert)]),
102 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
103 [qw(ca-cert)]),
105 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
106 [qw(ca-cert)]),
108 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
109 [qw(ca-cert)]),
112 # CA variants
113 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
114 "fail non-CA untrusted intermediate");
115 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
116 "fail non-CA untrusted intermediate");
117 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
118 "fail non-CA trust-store intermediate");
119 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
120 "fail non-CA trust-store intermediate");
122 "fail non-CA server trust intermediate");
124 "fail non-CA wildcard trust intermediate");
125 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
126 "fail wrong intermediate CA key");
127 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
128 "fail wrong intermediate CA DN");
129 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
130 "fail wrong intermediate CA issuer");
131 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
133 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
135 ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
137 ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
143 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
147 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
149 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
151 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
153 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
155 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
157 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
163 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
165 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
167 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
169 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
171 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
173 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
175 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
177 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
179 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
181 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
183 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
185 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
187 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
189 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
191 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
193 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
195 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
197 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
199 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
203 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
205 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
207 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
209 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
210 "fail wrong intermediate CA key");
211 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
212 "fail wrong intermediate CA DN");
213 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
229 ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
230 "accept non-ca with pathlen:0 by default");
231 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
232 "reject non-ca with pathlen:0 with strict flag");
235 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
237 ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
240 ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
243 ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
246 ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
249 ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
252 ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
257 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
259 ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
261 ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
263 ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]),
265 ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
267 ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]),
269 ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
271 ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]),
274 ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
276 ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"),
278 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
280 ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]),
282 ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
284 ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
292 ["ca-cert-ec-named"]),
295 ["ca-cert-ec-explicit"]),
298 ["ca-cert-ec-named"], "-x509_strict"),
301 ["ca-cert-ec-explicit"], "-x509_strict"),
304 ["ca-cert-ec-named"], "-x509_strict"),
308 # Depth tests, note the depth limit bounds the number of CA certificates
309 # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
312 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
314 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
316 ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
318 ok(verify("ee-cert", "sslserver", ["ca
368 ok(verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
371 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
372 "CA with PSS signature using SHA256");
374 ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
377 ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
380 ok(verify("ee-pss-cert", "sslserver", ["root-cert"], ["ca-pss-cert"], ),
381 "CA PSS signature");
Indexes created Sun Apr 12 00:22:20 UTC 2026