author | Dr. Stephen Henson <steve@openssl.org> | 2016-06-22 13:36:08 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-07-11 23:30:04 +0100 |
commit | d83b7e1a580b2f68a041d178e91e9495ec95e383 (patch) | |
tree | 309c9aaf9658da6106a28bf18ab950fda6e82f82 /test/recipes/25-test_verify.t | |
parent | 4b0907e3496f78fb817d625e804e78b7db31a66f (diff) | |
Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.
Add nameConstraints tests including DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test/recipes/25-test_verify.t')
-rw-r--r-- | test/recipes/25-test_verify.t | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 5cc5ce8b2e..23f8f32d95 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -26,7 +26,7 @@ sub verify {
 run(app([@args]));
 }
 
-plan tests => 108;
+plan tests => 121;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -287,3 +287,44 @@ ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth",
 "accept chain with verify_depth 0");
 ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
 "accept md5 intermediate TA with verify_depth 0");
+
+# Name Constraints tests.
+
+ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints everything permitted");
+
+ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
+ "Name Constraints nothing excluded");
+
+ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+ "Name Constraints nested test all permitted");
+
+ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints hostname not permitted");
+
+ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
+ "Name Constraints hostname excluded");
+
+ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints email address not permitted");
+
+ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints subject email address not permitted");
+
+ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints IP address not permitted");
+
+ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints CN hostname not permitted");
+
+ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
+ "Name Constraints CN BMPSTRING hostname not permitted");
+
+ok(!verify("badalt8-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+ "Name constaints nested DNS name not permitted 1");
+
+ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+ "Name constaints nested DNS name not permitted 2");
+
+ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
+ "Name constaints nested DNS name excluded"); |
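Review bot: The ten `ok(!verify(...))` cases for `badalt1-cert` through `badalt10-cert` are satisfied by any verification failure, not only a name-constraint violation, because `verify` ends by returning the status of `run(app([@args]))` (the rest of its body is outside this diff, so this is inferred from that last line). A missing, expired or otherwise broken `badaltN-cert.pem` would therefore keep these tests passing without the constraint check ever being exercised. Consider capturing the command output and matching the reported verify error, or at least recording the assumption above the block with a comment such as `# NOTE: !verify passes on any failure; each badalt cert must be valid apart from the constrained name`. Separately, the last three descriptions spell `Name constaints`; `"Name Constraints nested DNS name not permitted 1"` (and likewise for the other two) would match the preceding ten and keep the test names greppable.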