Lines Matching refs:cert
21 my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
28 push(@args, srctop_file(@path, "$cert.pem"));
35 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
39 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
41 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
43 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
45 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
47 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
52 ok(verify("ee-cert-noncrit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
54 ok(!verify("ee-cert-crit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
56 ok(verify("ee-cert-ocsp-nocheck", "", ["root-cert"], ["ca-cert"]),
61 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
63 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
65 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
67 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
69 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
72 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
74 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
76 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
79 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
81 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
83 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
86 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
88 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
90 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
93 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
95 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
97 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
100 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
102 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
104 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
110 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
111 [qw(ca-cert)]),
113 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
114 [qw(ca-cert)]),
116 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
117 [qw(ca-cert)]),
119 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
120 [qw(ca-cert)]),
124 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
126 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
128 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
130 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
132 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
134 ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),
136 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
138 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
140 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
142 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
144 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
146 ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
148 ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
150 ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
152 ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
154 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
156 ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
158 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
160 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
162 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
164 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
166 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
168 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
174 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
176 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
178 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
180 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
182 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
184 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
186 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
188 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
190 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
192 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
194 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
196 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
198 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
200 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
202 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
204 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
206 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
208 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
210 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
214 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
216 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
218 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
220 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
222 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
224 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
226 ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
230 ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
232 ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
234 ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
240 ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
242 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
246 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
247 "fail to accept proxy cert without -allow_proxy_certs");
248 ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
250 "accept proxy cert 1");
251 ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
253 "accept proxy cert 2");
254 ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
256 "fail proxy cert with incorrect subject");
257 ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
259 "fail proxy cert with incorrect pathlen");
260 ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
262 "accept proxy cert missing proxy policy");
263 ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
265 "failed proxy cert where last CN was added as a multivalue RDN component");
268 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
270 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
272 ok(verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
274 ok(!verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"]),
276 ok(verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
278 ok(!verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"]),
280 ok(verify("ee-cert-768", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
282 ok(!verify("ee-cert-768", "", ["root-cert"], ["ca-cert"]),
285 ok(verify("ee-cert", "", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
287 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-auth_level", "2"),
289 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
291 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"]),
293 ok(verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
295 ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]),
302 ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
303 ["ca-cert-ec-named"]),
305 ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"],
306 ["ca-cert-ec-explicit"]),
308 ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
309 ["ca-cert-ec-named"]),
329 ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
330 ["ca-cert-ec-named"], @prov),
332 ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"],
333 ["ca-cert-ec-explicit"], @prov),
335 ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
336 ["ca-cert-ec-named"], @prov),
346 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
348 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
350 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
352 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
357 ok(verify("alt1-cert", "", ["root-cert"], ["ncca1-cert"], ),
360 ok(verify("alt2-cert", "", ["root-cert"], ["ncca2-cert"], ),
363 ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
366 ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
369 ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ),
372 ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
375 ok(!verify("badalt1-cert", "", ["root-cert"], ["ncca1-cert"], ),
378 ok(!verify("badalt2-cert", "", ["root-cert"], ["ncca2-cert"], ),
381 ok(!verify("badalt3-cert", "", ["root-cert"], ["ncca1-cert"], ),
384 ok(!verify("badalt4-cert", "", ["root-cert"], ["ncca1-cert"], ),
387 ok(!verify("badalt5-cert", "", ["root-cert"], ["ncca1-cert"], ),
390 ok(!verify("badalt6-cert", "", ["root-cert"], ["ncca1-cert"], ),
393 ok(!verify("badalt7-cert", "", ["root-cert"], ["ncca1-cert"], ),
396 ok(!verify("badalt8-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
399 ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
402 ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
405 ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
416 ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
419 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
422 ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
425 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
428 ok(verify("ee-pss-cert", "", ["root-cert"], ["ca-pss-cert"], ),
430 ok(!verify("ee-pss-wrong1.5-cert", "", ["root-cert"], ["ca-pss-cert"], ),
446 ok(verify("root-cert-rsa2", "", ["root-cert-rsa2"], [], "-check_ss_sig"),
450 "accept trusted self-signed EE cert excluding key usage keyCertSign");
452 "accept trusted self-signed EE cert with key usage keyCertSign also when strict");
460 "accept X25519 EE cert issued by trusted Ed25519 self-signed CA cert");
463 "reject X25519 EE cert in strict mode since AKID is missing");
469 "accept trusted Ed25519 self-signed CA cert");
472 "fail trusted Ed25519-signed self-issued X25519 cert");
475 "accept last-resort direct leaf match Ed25519-signed self-issued cert");
482 ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "distid:1234567812345678"),
484 ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "hexdistid:31323334353637383132333435363738"),
489 my $cert_file = srctop_file('test', 'certs', 'root-cert.pem');
503 'Mixed cert + key file test');
517 'Mixed key + cert file test');
521 ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
526 ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
Indexes created Sun Mar 01 05:31:48 UTC 2026