SecurityTests/clxutils/certcrl/testSubjects/expiredCerts/expiredCerts.scr

   1 #
   2 # test handling of expired certs, Radar 3622125.
   3 #
   4
   5 globals
   6 allowUnverified = true
   7 crlNetFetchEnable = false
   8 certNetFetchEnable = false
   9 useSystemAnchors = false
  10 end
  11
  12 test = "Basic sanity check"
  13 cert = ecGoodLeaf.cer
  14 cert = ecGoodCA.cer
  15 root = ecGoodRoot.cer
  16 # IS_IN_ANCHORS  IS_ROOT
  17 certstatus = 2:0x18
  18 end
  19
  20 #
  21 # verify that each of the three expired certs really is expired
  22 #
  23 test = "Verify expired leaf"
  24 cert = ecExpiredLeaf.cer
  25 cert = ecGoodCA.cer
  26 root = ecGoodRoot.cer
  27 error = CSSMERR_TP_CERT_EXPIRED
  28 # EXPIRED  IS_IN_INPUT_CERTS
  29 certstatus = 0:0x5
  30 end
  31
  32 test = "Verify expired CA"
  33 cert = ecGoodLeaf.cer
  34 cert = ecExpiredCA.cer
  35 root = ecGoodRoot.cer
  36 error = CSSMERR_TP_CERT_EXPIRED
  37 # EXPIRED  IS_IN_INPUT_CERTS
  38 certstatus = 1:0x5
  39 end
  40
  41 test = "Verify expired Root"
  42 cert = ecGoodLeaf.cer
  43 cert = ecGoodCA.cer
  44 root = ecExpiredRoot.cer
  45 error = CSSMERR_TP_CERT_EXPIRED
  46 # EXPIRED  CSSM_CERT_STATUS_IS_ROOT CSSM_CERT_STATUS_IS_IN_ANCHORS
  47 certstatus = 2:0x19
  48 end
  49
  50 #
  51 # Verify expired cert recovery for each cert (not leaf though)
  52 #
  53 test = "Verify recovery from expired CA"
  54 cert = ecGoodLeaf.cer
  55 cert = ecExpiredCA.cer
  56 cert = ecGoodCA.cer
  57 root = ecGoodRoot.cer
  58 # IS_IN_INPUT_CERTS
  59 certstatus = 1:0x4
  60 # IS_IN_ANCHORS  IS_ROOT
  61 certstatus = 2:0x18
  62 end
  63
  64 test = "Verify recovery from expired Root in input certs"
  65 cert = ecGoodLeaf.cer
  66 cert = ecGoodCA.cer
  67 cert = ecExpiredRoot.cer
  68 root = ecGoodRoot.cer
  69 # IS_IN_INPUT_CERTS
  70 certstatus = 1:0x4
  71 # IS_IN_ANCHORS  IS_ROOT
  72 certstatus = 2:0x18
  73 end
  74
  75 test = "Verify recovery from expired Root in anchors"
  76 cert = ecGoodLeaf.cer
  77 cert = ecGoodCA.cer
  78 root = ecExpiredRoot.cer
  79 root = ecGoodRoot.cer
  80 # IS_IN_INPUT_CERTS
  81 certstatus = 1:0x4
  82 # IS_IN_ANCHORS  IS_ROOT
  83 certstatus = 2:0x18
  84 end
  85
  86 #
  87 # Verify recovery from expired cert in input with good one in DLDB
  88 #
  89 test = "Expired CA in input certs, good one in DLDB"
  90 cert = ecGoodLeaf.cer
  91 cert = ecExpiredCA.cer
  92 root = ecGoodRoot.cer
  93 # Verify !IS_IN_INPUT_CERTS
  94 certstatus = 1:0x0
  95 certDb = goodCA.keychain
  96 end
  97
  98 test = "Expired root in input certs, good one in DLDB"
  99 cert = ecGoodLeaf.cer
 100 cert = ecGoodCA.cer
 101 cert = ecExpiredRoot.cer
 102 root = ecGoodRoot.cer
 103 certDb = goodRoot.keychain
 104 # IS_IN_INPUT_CERTS
 105 certstatus = 1:0x4
 106 # IS_IN_ANCHORS  IS_ROOT
 107 certstatus = 2:0x18
 108 end
 109
 110 #
 111 # Verify recovery from expired cert in DLDB with good one in DLDB
 112 #
 113 test = "Expired CA in DLDB, good one in DLDB"
 114 cert = ecGoodLeaf.cer
 115 root = ecGoodRoot.cer
 116 certDb = expiredCA.keychain
 117 # Verify !IS_IN_INPUT_CERTS
 118 certstatus = 1:0x0
 119 certDb = goodCA.keychain
 120 end
 121
 122 test = "Expired root in DLDB, good one in DLDB"
 123 cert = ecGoodLeaf.cer
 124 cert = ecGoodCA.cer
 125 root = ecGoodRoot.cer
 126 certDb = expiredRoot.keychain
 127 certDb = goodRoot.keychain
 128 # IS_IN_INPUT_CERTS
 129 certstatus = 1:0x4
 130 # IS_IN_ANCHORS  IS_ROOT
 131 certstatus = 2:0x18
 132 end
 133
 134 #
 135 # Verify recovery with both good and expired CA in inputs AND DLDB
 136 #
 137 test = "Expired and good CA and root in both inputs and DLDBs"
 138 cert = ecGoodLeaf.cer
 139 cert = ecExpiredCA.cer
 140 cert = ecExpiredRoot.cer
 141 # throw this in too!
 142 root = ecExpiredRoot.cer
 143 root = ecGoodRoot.cer
 144 certDb = expiredCA.keychain
 145 certDb = expiredRoot.keychain
 146 certDb = goodCA.keychain
 147 end