[apple/security.git] / SecurityTests / clxutils / certcrl / testSubjects / expiredRoot / expiredRoot.scr

# test handling of expired root, per 3300879
#
# This uses two certs we got from store.apple.com and an old expired root 
# which verifies them.
#
# The leaf cert is going to expire on April 1 2007; the intermediate cert is
# going to expire on Oct 24, 2011. To replace them just grab new certs from
# store.apple.com, or any other site with a cert chain originating with 
# Verisign's Class 3 Public Primary Certification Authority. 
#
globals
allowUnverified = true
crlNetFetchEnable = false
certNetFetchEnable = false
useSystemAnchors = false
end
#
# Simulate pre-3300879 failure, expired root in anchors
#
test = test1
echo Expired root as anchor
#cert = iproj_v3.100.cer
#cert = iproj_v3.101.cer
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
root = iproj_v3.102.cer
sslHost = store.apple.com
error = CSSMERR_TP_CERT_EXPIRED
# EXPIRED  IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x19
end
#
# Simulate pre-3300879 failure, expired root not in anchors
#
test = test2
echo Expired root not in (empty) anchors
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
error = CSSMERR_TP_INVALID_ANCHOR_CERT
# EXPIRED  IS_IN_INPUT_CERTS  IS_ROOT
certstatus = 2:0x15
end
#
# Ensure that this expired root successfully verifies the chain
#
test = test3
echo Expired root passed as anchor, explicitly allowing expired root
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
root = iproj_v3.102.cer
allowExpiredRoot = true
sslHost = store.apple.com
end

#
test = test4
echo Expired root in input chain, should be ignored in favor of system anchor
useSystemAnchors = true
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

test = test5
echo Expired root in input chain, should be ignored in favor of system anchor, Trust Settings
useSystemAnchors = true
useTrustSettings = true
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
# IS_ROOT  TRUST_SETTINGS_FOUND_SYSTEM  TRUST_SETTINGS_TRUST
certstatus = 2:0x310
end
Commit	Line	Data
d8f41ccd A	1	# test handling of expired root, per 3300879
	2	#
	3	# This uses two certs we got from store.apple.com and an old expired root
	4	# which verifies them.
	5	#
	6	# The leaf cert is going to expire on April 1 2007; the intermediate cert is
	7	# going to expire on Oct 24, 2011. To replace them just grab new certs from
	8	# store.apple.com, or any other site with a cert chain originating with
	9	# Verisign's Class 3 Public Primary Certification Authority.
	10	#
	11	globals
	12	allowUnverified = true
	13	crlNetFetchEnable = false
	14	certNetFetchEnable = false
	15	useSystemAnchors = false
	16	end
	17	#
	18	# Simulate pre-3300879 failure, expired root in anchors
	19	#
	20	test = test1
	21	echo Expired root as anchor
	22	#cert = iproj_v3.100.cer
	23	#cert = iproj_v3.101.cer
	24	cert = applestore_v3.100.cer
	25	cert = applestore_v3.101.cer
	26	root = iproj_v3.102.cer
	27	sslHost = store.apple.com
	28	error = CSSMERR_TP_CERT_EXPIRED
	29	# EXPIRED IS_IN_ANCHORS IS_ROOT
	30	certstatus = 2:0x19
	31	end
	32	#
	33	# Simulate pre-3300879 failure, expired root not in anchors
	34	#
	35	test = test2
	36	echo Expired root not in (empty) anchors
	37	cert = applestore_v3.100.cer
	38	cert = applestore_v3.101.cer
	39	cert = iproj_v3.102.cer
	40	sslHost = store.apple.com
	41	error = CSSMERR_TP_INVALID_ANCHOR_CERT
	42	# EXPIRED IS_IN_INPUT_CERTS IS_ROOT
	43	certstatus = 2:0x15
	44	end
	45	#
	46	# Ensure that this expired root successfully verifies the chain
	47	#
	48	test = test3
	49	echo Expired root passed as anchor, explicitly allowing expired root
	50	cert = applestore_v3.100.cer
	51	cert = applestore_v3.101.cer
	52	root = iproj_v3.102.cer
	53	allowExpiredRoot = true
	54	sslHost = store.apple.com
	55	end
	56
	57	#
	58	test = test4
	59	echo Expired root in input chain, should be ignored in favor of system anchor
	60	useSystemAnchors = true
	61	cert = applestore_v3.100.cer
	62	cert = applestore_v3.101.cer
	63	cert = iproj_v3.102.cer
	64	sslHost = store.apple.com
65	# IS_IN_ANCHORS IS_ROOT
66	certstatus = 2:0x18
67	end
68
69	test = test5
70	echo Expired root in input chain, should be ignored in favor of system anchor, Trust Settings
71	useSystemAnchors = true
72	useTrustSettings = true
73	cert = applestore_v3.100.cer
74	cert = applestore_v3.101.cer
75	cert = iproj_v3.102.cer
76	sslHost = store.apple.com
77	# IS_ROOT TRUST_SETTINGS_FOUND_SYSTEM TRUST_SETTINGS_TRUST
78	certstatus = 2:0x310
79	end