]> git.saurik.com Git - apple/security.git/blob - SecurityTests/clxutils/certcrl/testSubjects/ocspFromSsl/ocspssl.scr
Security-57031.10.10.tar.gz
[apple/security.git] / SecurityTests / clxutils / certcrl / testSubjects / ocspFromSsl / ocspssl.scr
1 #
2 # OCSP verfication of certs obtained from SSL sites
3 #
4 globals
5 certNetFetchEnable = false
6 useSystemAnchors = true
7 allowUnverified = true
8 # alternate these two on successful runs, flip either one for failure
9 requireOcspIfPresent = false
10 requireOcspForAll = false
11 cacheDisable = false
12 end
13 ###
14 ### all these (until further notice) do OCSP via ocsp.verisign.com
15 ###
16 echo "================================="
17 test = "www.amazon.com"
18 revokePolicy = ocsp
19 cert = amazon_v3.100.cer
20 cert = amazon_v3.101.cer
21 sslHost = www.amazon.com
22 requireOcspIfPresent = true
23 end
24 echo "================================="
25 test = "www.cduniverse.com"
26 revokePolicy = ocsp
27 cert = cduniverse_v3.100.cer
28 cert = cduniverse_v3.101.cer
29 sslHost = www.cduniverse.com
30 requireOcspForAll = false
31 end
32 echo "================================="
33 test = "store.apple.com, allowing unverified"
34 revokePolicy = ocsp
35 # leaf has ocsp accessMethod in AIA, intermediate doesn't
36 requireOcspIfPresent = true
37 cert = apple_v3.100.cer
38 cert = apple_v3.101.cer
39 sslHost = store.apple.com
40 certerror = 1:APPLETP_OCSP_UNAVAILABLE
41 end
42 echo "================================="
43 test = "store.apple.com, require OCSP if present"
44 revokePolicy = ocsp
45 # leaf has ocsp accessMethod in AIA, intermediate doesn't
46 requireOcspIfPresent = true
47 cert = apple_v3.100.cer
48 cert = apple_v3.101.cer
49 sslHost = store.apple.com
50 certerror = 1:APPLETP_OCSP_UNAVAILABLE
51 end
52 echo "================================="
53 test = "store.apple.com, require OCSP for all, fail"
54 revokePolicy = ocsp
55 # leaf has ocsp accessMethod in AIA, intermediate doesn't
56 requireOcspForAll = true
57 cert = apple_v3.100.cer
58 cert = apple_v3.101.cer
59 sslHost = store.apple.com
60 certerror = 1:APPLETP_OCSP_UNAVAILABLE
61 error = APPLETP_OCSP_UNAVAILABLE
62 end
63 echo "================================="
64 test = "store.apple.com, require OCSP if present, disable net, fail"
65 revokePolicy = ocsp
66 # leaf has ocsp accessMethod in AIA, intermediate doesn't
67 requireOcspIfPresent = true
68 ocspNetFetchDisable = true
69 cacheDisable = true
70 cert = apple_v3.100.cer
71 cert = apple_v3.101.cer
72 sslHost = store.apple.com
73 certerror = 1:APPLETP_OCSP_UNAVAILABLE
74 error = APPLETP_OCSP_UNAVAILABLE
75 end
76 echo "================================="
77 test = "www.verisign.com"
78 revokePolicy = ocsp
79 # leaf has ocsp accessMethod in AIA, 2nd intermediate doesn't
80 cert = verisign_v3.100.cer
81 cert = verisign_v3.101.cer
82 cert = verisign_v3.102.cer
83 sslHost = www.verisign.com
84 certerror = 2:APPLETP_OCSP_UNAVAILABLE
85 end
86 echo "================================="
87 test = "accounts.key.com"
88 revokePolicy = ocsp
89 # leaf has ocsp accessMethod in AIA, intermediate doesn't
90 cert = keybank_v3.100.cer
91 cert = keybank_v3.101.cer
92 #
93 # This one is the root, which SSL server sent us.
94 # Leave it in for variety.
95 #
96 cert = keybank_v3.102.cer
97 sslHost = accounts.key.com
98 certerror = 1:APPLETP_OCSP_UNAVAILABLE
99 end
100 echo "================================="
101 test = "secure.authorize.net"
102 revokePolicy = ocsp
103 # This started working on 10/19/07.
104 # The intermedaite has had an AIA for a while - maybe the URL it
105 # pointed to just didn't work before today?
106 # OLD COMMENT -- leaf has ocsp accessMethod in AIA, intermediate doesn't
107 cert = secauth_v3.100.cer
108 cert = secauth_v3.101.cer
109 sslHost = secure.authorize.net
110 # deleted 10/19/07 certerror = 1:APPLETP_OCSP_UNAVAILABLE
111 end
112 ###
113 ### OCSP via ocsp.thawte.com
114 ###
115 # proteron deleted
116 #
117 # misc. others
118 #
119 echo "================================="
120 test = "www.wellsfargo.com"
121 revokePolicy = ocsp
122 requireOcspIfPresent = true
123 cert = wellsfargo_v3.100.cer
124 cert = wellsfargo_v3.101.cer
125 sslHost = www.wellsfargo.com
126 end
127 echo "================================="
128 test = "www.certum.pl"
129 revokePolicy = ocsp
130 requireOcspIfPresent = true
131 cert = certum_v3.100.cer
132 cert = certum_v3.101.cer
133 sslHost = www.certum.pl
134 # this, because we don't have the root, instead of APPLETP_OCSP_BAD_RESPONSE
135 # which Radar 4158052 causes
136 error = TP_NOT_TRUSTED
137 end