Lines Matching full:ca

36 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
39 # Root CA variants
40 ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
41 "fail trusted non-ca root");
42 ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
43 "fail server trust non-ca root");
44 ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
45 "fail wildcard trust non-ca root");
46 ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
48 ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
53 ok(verify("ee-cert-noncrit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
55 ok(!verify("ee-cert-crit-unknown-ext", "", ["root-cert"], ["ca-cert"]),
57 ok(verify("ee-cert-ocsp-nocheck", "", ["root-cert"], ["ca-cert"]),
62 ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
64 ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
66 ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
68 ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
70 ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
73 ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
75 ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
77 ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
80 ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
82 ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
84 ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
87 ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
89 ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
91 ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
94 ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
96 ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
98 ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
101 ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
103 ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
105 ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
111 ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
112 [qw(ca-cert)]),
114 ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
115 [qw(ca-cert)]),
117 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
118 [qw(ca-cert)]),
120 ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
121 [qw(ca-cert)]),
124 # CA variants
125 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
126 "fail non-CA untrusted intermediate");
127 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
128 "fail non-CA untrusted intermediate");
129 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
130 "fail non-CA trust-store intermediate");
131 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
132 "fail non-CA trust-store intermediate");
134 "fail non-CA server trust intermediate");
136 "fail non-CA wildcard trust intermediate");
137 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
138 "fail wrong intermediate CA key");
139 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
140 "fail wrong intermediate CA DN");
141 ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
142 "fail wrong intermediate CA issuer");
143 ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
145 ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
147 ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
149 ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
155 ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
159 ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
161 ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
163 ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
165 ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
167 ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
169 ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
175 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
177 ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
179 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
181 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
183 ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
185 ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
187 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
189 ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
191 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
193 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
195 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
197 ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
199 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
201 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
203 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
205 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
207 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
209 ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
211 ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
215 ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
217 ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
219 ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
221 ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
222 "fail wrong intermediate CA key");
223 ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
224 "fail wrong intermediate CA DN");
225 ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
241 ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
242 "accept non-ca with pathlen:0 by default");
243 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
244 "reject non-ca with pathlen:0 with strict flag");
247 ok(verify("ee-timestampsign-CABforum", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
249 ok(!verify("ee-timestampsign-CABforum-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
251 ok(!verify("ee-timestampsign-CABforum-serverauth", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
253 ok(!verify("ee-timestampsign-CABforum-anyextkeyusage", "timestampsign", [qw(root-cert)], [qw(ca-cer…
255 ok(!verify("ee-timestampsign-CABforum-crlsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
257 ok(!verify("ee-timestampsign-CABforum-keycertsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]…
259 ok(verify("ee-timestampsign-rfc3161", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
261 ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
263 ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
267 ok(verify("ee-codesign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
269 ok(!verify("ee-codesign-serverauth", "codesign", [qw(root-cert)], [qw(ca-cert)]),
271 ok(!verify("ee-codesign-anyextkeyusage", "codesign", [qw(root-cert)], [qw(ca-cert)]),
273 ok(!verify("ee-codesign-crlsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
275 ok(!verify("ee-codesign-keycertsign", "codesign", [qw(root-cert)], [qw(ca-cert)]),
277 ok(!verify("ee-codesign-noncritical", "codesign", [qw(root-cert)], [qw(ca-cert)]),
279 ok(!verify("ee-cert", "codesign", [qw(root-cert)], [qw(ca-cert)]),
281 ok(!verify("ee-client", "codesign", [qw(root-cert)], [qw(ca-cert)]),
283 ok(!verify("ee-timestampsign-CABforum", "codesign", [qw(root-cert)], [qw(ca-cert)]),
285 ok(!verify("ee-timestampsign-rfc3161", "codesign", [qw(root-cert)], [qw(ca-cert)]),
289 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
291 ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
294 ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
297 ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
300 ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
303 ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
306 ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
311 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
313 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
315 ok(verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
317 ok(!verify("ee-cert", "", ["root-cert-768"], ["ca-cert-768i"]),
319 ok(verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
321 ok(!verify("ee-cert-768i", "", ["root-cert"], ["ca-cert-768"]),
323 ok(verify("ee-cert-768", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
325 ok(!verify("ee-cert-768", "", ["root-cert"], ["ca-cert"]),
328 ok(verify("ee-cert", "", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
330 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-auth_level", "2"),
332 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
334 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert-md5"]),
336 ok(verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
338 ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]),
346 ["ca-cert-ec-named"]),
349 ["ca-cert-ec-explicit"]),
352 ["ca-cert-ec-named"]),
354 ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], ),
356 ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], ),
358 ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], ),
360 ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], ),
375 ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
377 ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
379 ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
381 ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov),
394 ["ca-cert-ec-named"], @prov),
397 ["ca-cert-ec-explicit"], @prov),
400 ["ca-cert-ec-named"], @prov),
405 # Depth tests, note the depth limit bounds the number of CA certificates
406 # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
409 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
411 ok(verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
413 ok(!verify("ee-cert", "", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
415 ok(verify("ee-cert", "", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
482 ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
485 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
486 "CA with PSS signature using SHA256");
488 ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
491 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
494 ok(verify("ee-pss-cert", "", ["root-cert"], ["ca-pss-cert"], ),
495 "CA PSS signature");
496 ok(!verify("ee-pss-wrong1.5-cert", "", ["root-cert"], ["ca-pss-cert"], ),
497 "CA producing regular PKCS#1 v1.5 signature with RSA-PSS key");
526 "accept X25519 EE cert issued by trusted Ed25519 self-signed CA cert");
532 "fail Ed25519 CA and EE certs swapped");
535 "accept trusted Ed25519 self-signed CA cert");
548 ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "distid:1234567812345678"),
550 …ok_nofips(verify("sm2", "", ["sm2-ca-cert"], [], "-vfyopt", "hexdistid:313233343536373831323334353…
587 ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
592 ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],