#
# TrustSettings tests.
#
# This must be run with trustSettingsTest.keychain in your KC search path
# and userTrustSettings.plist as your per-user or admin trust settings.
#
# A script to recreate userTrustSettings.plist is in the makeTrustSettings
# script in this directory; the result can be imported into your user-domain
# settings via security trust-settings-import.
#
# See the buildAndTest script in this directory for an all-in-one op.
#
# Defaults applied to every test below. Individual tests may override a
# setting (the Thawte tests at the end set useSystemAnchors = true).
# CRL and cert network fetching are both disabled, presumably so that results
# depend only on the files shipped in this directory - confirm if the harness
# is ever run with fetching on.
globals
allowUnverified = true
crlNetFetchEnable = false
certNetFetchEnable = false
useSystemAnchors = false
end
19
20#
21# Note: with TrustSettings disabled, we pass in roots as root certs;
22# with TrustSettings enabled, we pass roots as regular certs if we
23# want success.
24#
25
26#
27# debugRoot and localhost, with allowed HOSTNAME_MISMATCH test
28#
# Negative baseline: debugRoot.cer is supplied via "cert =" rather than "root =",
# and with TrustSettings off nothing else makes it a trusted anchor, so the TP
# must reject the chain with INVALID_ANCHOR_CERT (see the note above on how
# roots are passed depending on useTrustSettings).
test = "Ensure localhost.cer fails with TrustSettings disabled"
useTrustSettings = false
cert = localhost.cer
cert = debugRoot.cer
sslHost = localhost
verifyTime = 20060601000000
error = CSSMERR_TP_INVALID_ANCHOR_CERT
# IS_IN_INPUT_CERTS | IS_ROOT
# cert index 1 is debugRoot.cer, the second "cert =" line above
certstatus = 1:0x14
end
39
# Same chain and host as the previous test, but with TrustSettings on: no
# "error =" line, so the user-domain trust setting on debugRoot.cer is expected
# to make the evaluation succeed.
test = "localhost.cer with TrustSettings enabled"
useTrustSettings = true
cert = localhost.cer
cert = debugRoot.cer
sslHost = localhost
verifyTime = 20060601000000
# IS_IN_INPUT_CERTS
certstatus = 0:0x4
# IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
certstatus = 1:0x254
end
51
# "Allowed error" path: sslHost 127.0.0.1 does not match the localhost leaf, and
# the per-user trust setting is expected to list HOSTNAME_MISMATCH as allowed.
# The mismatch is still reported per cert (certerror) and flagged with
# TRUST_SETTINGS_IGNORED_ERROR, but there is no "error =" line, so the overall
# evaluation must succeed.
test = "localhost.cer with allowedError HOSTNAME_MISMATCH"
useTrustSettings = true
cert = localhost.cer
cert = debugRoot.cer
sslHost = 127.0.0.1
verifyTime = 20060601000000
# IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
certstatus = 0:0x844
# IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
certstatus = 1:0x254
# Detected and logged but not a fatal error due to TrustSettings
certerror = 0:CSSMERR_APPLETP_HOSTNAME_MISMATCH
end
65
66#
67# Software Update Signing with allowed CS_BAD_CERT_CHAIN_LENGTH test
68#
# Baseline for the SWU signing tests: TrustSettings off, so csRoot.cer must be
# passed as an explicit anchor via "root =" for the chain to verify.
test = "SWUSigning, normal, no TrustSettings"
useTrustSettings = false
cert = csLeaf.cer
cert = csCA.cer
root = csRoot.cer
policy = swuSign
verifyTime = 20060601000000
# CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
# cert index 2 is csRoot.cer: leaf, CA, root in the order given above
certstatus = 2:0x18
end
79
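# Same chain as the previous test with TrustSettings on: csRoot.cer is passed as
# a plain "cert =" and trust is expected to come from the user-domain setting.
test = "SWUSigning, normal, TrustSettings"
useTrustSettings = true
cert = csLeaf.cer
cert = csCA.cer
cert = csRoot.cer
policy = swuSign
verifyTime = 20060601000000
# IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
# Written with the 0x prefix like every other certstatus in this file; the
# bitmask above is 0x254, and a bare 254 would be a different value if the
# parser reads unprefixed numbers as decimal.
certstatus = 2:0x254
end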
90
# Note: there is no per-cert certerror for CS_BAD_CERT_CHAIN_LENGTH; it applies
# to the whole chain, so only the IGNORED_ERROR status bit shows up on the leaf.
# csLeafShortPath.cer chains directly to csRoot.cer; the path-length problem is
# expected to be an allowed error under the user trust setting, so the
# evaluation succeeds (no "error =" line) and the leaf carries
# TRUST_SETTINGS_IGNORED_ERROR.
test = "SWUSigning, allowed bad path length"
useTrustSettings = true
cert = csLeafShortPath.cer
cert = csRoot.cer
policy = swuSign
verifyTime = 20060601000000
# IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
# certstatus lines are given root-first here and leaf-first elsewhere in this
# file, so their order does not appear to matter to the harness.
certstatus = 1:0x254
# IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
certstatus = 0:0x844
end
104
105#
106# CRL testing with allowed CSSMERR_TP_CERT_REVOKED test
107# see documentation in clxutils/makeCrl/testFiles/crlTime.scr for info
108# on certs and CRLs.
109#
# Negative baseline for the CRL tests: the leaf is on crl.crl, CRL checking is
# mandatory for every cert, and with TrustSettings off the revocation is fatal
# both overall ("error =") and on cert 0.
test = "revoked by CRL, no TrustSettings, expect failure"
useTrustSettings = false
requireCrlForAll = true
revokePolicy = crl
cert = crlTestLeaf.cer
root = crlTestRoot.cer
crl = crl.crl
# Normal revocation case.
# Z-suffixed time form (the other tests omit the suffix); chosen to fall inside
# the CRL's validity - see crlTime.scr referenced above for the CRL timeline.
verifyTime = 20060418090559Z
error = CSSMERR_TP_CERT_REVOKED
certerror = 0:CSSMERR_TP_CERT_REVOKED
# CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
certstatus = 1:0x18
end
124
# Same revoked chain with TrustSettings on: the user setting is expected to
# allow CERT_REVOKED, so there is no "error =" line. The revocation is not
# hidden, though - cert 0 still reports certerror CSSMERR_TP_CERT_REVOKED and
# carries TRUST_SETTINGS_IGNORED_ERROR, so a caller inspecting per-cert status
# can still see that the leaf is revoked.
test = "revoked by CRL, TrustSettings, expect success"
useTrustSettings = true
requireCrlForAll = true
revokePolicy = crl
cert = crlTestLeaf.cer
cert = crlTestRoot.cer
crl = crl.crl
# Normal revocation case.
verifyTime = 20060418090559Z
# IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
certstatus = 0:0x844
# IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
certstatus = 1:0x254
certerror = 0:CSSMERR_TP_CERT_REVOKED
end
140
141#
142# dmitch@apple.com Thawte with test of default setting = deny for SMIME
143#
# Baseline for the Thawte tests: useSystemAnchors overrides the global default
# here so the Thawte root comes from the system anchor list. Only two certs are
# supplied, so cert index 2 (the root) is the anchor the TP found, not an input.
test = "dmitch@apple.com Thawte, no TrustSettings"
useTrustSettings = false
useSystemAnchors = true
cert = dmitchAppleThawte.cer
cert = thawteCA.cer
policy = smime
verifyTime = 20060601000000
senderEmail = dmitch@apple.com
# CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
certstatus = 2:0x18
end
155
# No "policy =" line, so this is the generic (non-SMIME) evaluation. With
# TrustSettings on, trust for the root is expected to be found in the system
# domain (TRUST_SETTINGS_FOUND_SYSTEM), not the user domain.
test = "dmitch@apple.com Thawte, TrustSettings, generic"
useTrustSettings = true
useSystemAnchors = true
cert = dmitchAppleThawte.cer
cert = thawteCA.cer
verifyTime = 20060601000000
# IS_ROOT | TRUST_SETTINGS_FOUND_SYSTEM | TRUST_SETTINGS_TRUST
certstatus = 2:0x310
end
165
# Same chain as the generic test, but evaluated for SMIME: the user-domain
# default is expected to be Deny for this policy, which takes precedence over
# the system-domain trust seen in the previous test (status shows FOUND_USER
# and DENY) and fails the evaluation with TRUST_SETTING_DENY.
# NOTE(review): unlike the no-TrustSettings SMIME test above, there is no
# "policy = smime" line here - confirm that senderEmail alone selects the SMIME
# policy in certcrl, otherwise this test may not exercise the policy it names.
test = "dmitch@apple.com Thawte, TrustSettings, SMIME, fail due to default Deny setting"
useTrustSettings = true
useSystemAnchors = true
cert = dmitchAppleThawte.cer
cert = thawteCA.cer
senderEmail = dmitch@apple.com
verifyTime = 20060601000000
# IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_DENY
certstatus = 2:0x450
error = CSSMERR_APPLETP_TRUST_SETTING_DENY
end