Commit | Line | Data |
---|---|---|
d8f41ccd A |
1 | # |
2 | # Verify fix for 3855635, which ensures that CSSM_CERT_STATUS_IS_IN_ANCHORS and | |
3 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS are correctly generated for all combinations | |
4 | # of conditions they represent. Before the fix, the TP considered these | |
5 | # to be mutually exclusive. | |
6 | # | |
7 | # | |
8 | # Assumes the presence of two certs: one for amazon.com and the root that signed it. | |
9 | # The former can be regenerated on expiration via sslViewer's f option. The latter | |
10 | # can be recreated with the certChain program. There are also two keychains in | |
11 | # this directory, each containing exactly one of those certs. If you recreate the certs | |
12 | # be sure to replace the certs in the corresponding keychain. | |
13 | # | |
60c433a9 | 14 | # Note: since the RSA MD2 root which signed the amazon.com certificate has |
5c19dc3a | 15 | # been removed from the System Roots keychain (<rdar://7880748>), |
60c433a9 A |
16 | # we are no longer checking the CSSM_CERT_STATUS_IS_IN_ANCHORS bit for that cert. |
17 | # | |
d8f41ccd A |
| # Script-wide settings; presumably applied to every test block that follows. | |
| # NOTE(review): crlNetFetchEnable and certNetFetchEnable are both false, so results | |
| # presumably depend only on the local cert files, the certDb keychains and the | |
| # system anchors (useSystemAnchors = true) - confirm against the certcrl script parser. | |
| # NOTE(review): allowUnverified = true presumably lets certs without revocation data | |
| # pass; the tests below assert cert status bits, not revocation - confirm. | |
| # NOTE(review): every test block visible below is commented out, so the script as | |
| # shown runs no test and does not guard against a regression of 3855635. | |
18 | globals |
19 | allowUnverified = true | |
20 | crlNetFetchEnable = false | |
21 | certNetFetchEnable = false | |
22 | useSystemAnchors = true | |
23 | end | |
24 | ||
25 | # Note the amazon cert expired 11/27/2007; let's just keep using | |
26 | # it by specifying a verify time. | |
27 | ||
28 | #test = "Baseline, implicit root, no DLDB" | |
29 | #cert = amazon_v3.100.cer | |
30 | #verifyTime = 20071120000000 | |
31 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
32 | #certstatus = 0:0x4 | |
33 | # CSSM_CERT_STATUS_IS_IN_ANCHORS | CSSM_CERT_STATUS_IS_ROOT | |
34 | #certstatus = 1:0x18 ### not in anchors any more, so only 1 cert in chain | |
35 | #end | |
36 | ||
37 | #test = "Baseline, explicit root, no DLDB" | |
38 | #cert = amazon_v3.100.cer | |
39 | #cert = root_1.cer | |
40 | #verifyTime = 20071120000000 | |
41 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
42 | #certstatus = 0:0x4 | |
43 | # CSSM_CERT_STATUS_IS_IN_ANCHORS | CSSM_CERT_STATUS_IS_ROOT | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
44 | # certstatus = 1:0x1C ### not in anchors any more | |
45 | # CSSM_CERT_STATUS_IS_ROOT | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
46 | #certstatus = 1:0x14 | |
47 | #end | |
48 | ||
49 | #test = "Leaf is in DB" | |
50 | #cert = amazon_v3.100.cer | |
51 | #certDb = dbWithLeaf.db | |
52 | #verifyTime = 20071120000000 | |
53 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
54 | #certstatus = 0:0x4 | |
55 | # CSSM_CERT_STATUS_IS_IN_ANCHORS | CSSM_CERT_STATUS_IS_ROOT | |
56 | # certstatus = 1:0x18 ### not in anchors any more, so only 1 cert in chain | |
57 | #end | |
58 | ||
59 | #test = "Implicit root is in DB" | |
60 | #cert = amazon_v3.100.cer | |
61 | #certDb = dbWithRoot.db | |
62 | #verifyTime = 20071120000000 | |
63 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
64 | #certstatus = 0:0x4 | |
65 | # CSSM_CERT_STATUS_IS_IN_ANCHORS | CSSM_CERT_STATUS_IS_ROOT | |
66 | #certstatus = 1:0x18 ### not in anchors any more | |
67 | # CSSM_CERT_STATUS_IS_ROOT | |
68 | #certstatus = 1:0x10 | |
69 | #end | |
70 | ||
71 | #test = "Explicit root is in DB" | |
72 | #cert = amazon_v3.100.cer | |
73 | #cert = root_1.cer | |
74 | #certDb = dbWithRoot.db | |
75 | #verifyTime = 20071120000000 | |
76 | # CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
77 | #certstatus = 0:0x4 | |
78 | # CSSM_CERT_STATUS_IS_IN_ANCHORS | CSSM_CERT_STATUS_IS_ROOT | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
79 | # certstatus = 1:0x1C ### not in anchors any more | |
80 | # CSSM_CERT_STATUS_IS_ROOT | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS | |
81 | #certstatus = 1:0x14 | |
82 | #end | |
83 |