2 # test for Radar 4515141: perform cert verify with CRL checking one second before and
3 # one second after the cert was revoked; the former should succeed, the latter should fail.
5 # This version of the script is for Tiger and Chard, without the requireCrlForAll command.
8 # not before 20060417191040Z 19:10:40 Apr 17, 2006
9 # not after 20160414191040Z 19:10:40 Apr 14, 2016
12 # not before 20060417190954Z 19:10:40 Apr 17, 2006
13 # not after 20160414190954Z 19:10:40 Apr 14, 2016
15 # CRL: not valid until well after leaf cert was created, valid for 10 years, revocation
16 # 12 hours after CRL is created
18 # % makeCrl -s crlTestLeaf.cer -i crlTestRoot.cer -o crl.crl -n 315360000 -r 43200
19 # ...wrote 282 bytes to crl.crl.
21 # this update 20060417210558Z 21:05:58 Apr 17, 2006
22 # next update 20160414210558Z 21:05:58 Apr 14, 2016
23 # cert revoked 20060418090558Z 09:05:58 Apr 18, 2006
25 # Test cert at revoke + 1 ==> fail 20060418090559Z
26 # Test cert at revoke - 1 ==> OK 20060418090557Z
27 # Test cert at create with CRL ==> OK 20060417191040Z (before revocation, before CRL)
28 # Test cert at create w/o CRL ==> OK 20060417191040Z
29 # Test cert at create-1 w/o CRL - not yet valid 20060417191039Z
30 # Test cert at not after w/o CRL - OK 20160414191040Z
31 # Test cert at not after + 1 - fail 20160414191041Z
33 # Certs were generated from CA in enclosed keychain, crlKeychain.keychaain, pwd = crlKeychain
37 certNetFetchEnable = false
38 crlNetFetchEnable = false
39 useSystemAnchors = false
42 test = "basic, no CRL"
43 allowUnverified = true
44 cert = crlTestLeaf.cer
45 root = crlTestRoot.cer
49 # This is a handy place to test the corner cases of notBefore and notAfter.
50 # I don't believe these have ever been tested right to the second.
52 test = "basic, no CRL, at NotBefore"
53 allowUnverified = true
54 cert = crlTestLeaf.cer
55 root = crlTestRoot.cer
56 verifyTime = 20060417191040Z
59 test = "basic, no CRL, before NotBefore, expect fail"
60 allowUnverified = true
61 cert = crlTestLeaf.cer
62 root = crlTestRoot.cer
63 verifyTime = 20060417191039Z
64 error = CSSMERR_TP_CERT_NOT_VALID_YET
65 # CSSM_CERT_STATUS_NOT_VALID_YET | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
70 # Note root was created before leaf so we assume it will be expired at
71 # the time of the leaf cert's NotAfter.
73 test = "basic, no CRL, at NotAfter"
74 allowUnverified = true
75 cert = crlTestLeaf.cer
76 root = crlTestRoot.cer
77 verifyTime = 20160414191040Z
78 allowExpiredRoot = true
81 test = "basic, no CRL, at NotAfter plus 1, expect fail"
82 allowUnverified = true
83 cert = crlTestLeaf.cer
84 root = crlTestRoot.cer
85 verifyTime = 20160414191041Z
86 error = CSSMERR_TP_CERT_EXPIRED
87 # CSSM_CERT_STATUS_EXPIRED | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
94 test = "CRL, prior to revocation, within CRL validity"
95 allowUnverified = false
97 cert = crlTestLeaf.cer
98 root = crlTestRoot.cer
100 # One second before revocation
101 verifyTime = 20060418090557Z
105 # This ensures that we verify the CRL itself at 'now' instead of the
106 # cert verification time.
108 test = "CRL, prior to revocation, before CRL validity"
109 allowUnverified = false
111 cert = crlTestLeaf.cer
112 root = crlTestRoot.cer
114 # Leaf create/notBefore time, definitely before the CRL is valid.
115 verifyTime = 20060417191040Z
118 test = "CRL, subsequent to revocation"
119 allowUnverified = false
121 cert = crlTestLeaf.cer
122 root = crlTestRoot.cer
124 # Normal revocation case.
125 verifyTime = 20060418090559Z
126 error = TP_CERT_REVOKED
127 certerror = 0:CSSMERR_TP_CERT_REVOKED
projects / apple / security.git / blob