1 #
2 # test handling of expired certs, Radar 3622125.
3 #
4
# Settings applied to every test in this script.
# Going by the key names, CRL and cert fetching over the network is disabled and
# the system anchor set is not consulted, so each test depends only on the
# cert / root / certDb files it names and not on the host trust store.
5 globals
# NOTE(review): presumably allows a chain to verify without a CRL covering each
# cert, so these tests exercise validity dates only, not revocation. Confirm
# against the certcrl tool.
6 allowUnverified = true
7 crlNetFetchEnable = false
8 certNetFetchEnable = false
9 useSystemAnchors = false
10 end
11
# Baseline: unexpired leaf, CA and root. No error line is given, so presumably
# the verify is expected to succeed (confirm against the certcrl tool).
12 test = "Basic sanity check"
13 cert = ecGoodLeaf.cer
14 cert = ecGoodCA.cer
15 root = ecGoodRoot.cer
# certstatus reads as <chain index>:<status bits>; index 2 is the root here.
# 0x18 = CSSM_CERT_STATUS_IS_IN_ANCHORS (0x08) | CSSM_CERT_STATUS_IS_ROOT (0x10),
# with the EXPIRED bit (0x01) clear.
16 # IS_IN_ANCHORS IS_ROOT
17 certstatus = 2:0x18
18 end
19
20 #
21 # verify that each of the three expired certs really is expired
22 #
# Control case: an expired leaf with no unexpired alternative must fail with
# CSSMERR_TP_CERT_EXPIRED rather than verify.
23 test = "Verify expired leaf"
24 cert = ecExpiredLeaf.cer
25 cert = ecGoodCA.cer
26 root = ecGoodRoot.cer
27 error = CSSMERR_TP_CERT_EXPIRED
# Index 0 is the leaf (first cert listed). 0x5 = EXPIRED (0x01) |
# IS_IN_INPUT_CERTS (0x04), so the expiry is reported on the leaf itself.
28 # EXPIRED IS_IN_INPUT_CERTS
29 certstatus = 0:0x5
30 end
31
# Control case: the only CA offered is expired, so the chain must fail with
# CSSMERR_TP_CERT_EXPIRED even though leaf and root are good.
32 test = "Verify expired CA"
33 cert = ecGoodLeaf.cer
34 cert = ecExpiredCA.cer
35 root = ecGoodRoot.cer
36 error = CSSMERR_TP_CERT_EXPIRED
# Index 1 is the CA. 0x5 = EXPIRED (0x01) | IS_IN_INPUT_CERTS (0x04), so the
# expiry is reported on the intermediate, not on the leaf or root.
37 # EXPIRED IS_IN_INPUT_CERTS
38 certstatus = 1:0x5
39 end
40
# Control case: the only anchor is expired. The expected result is still
# CSSMERR_TP_CERT_EXPIRED, i.e. being a configured anchor does not exempt a
# root from the validity-period check.
41 test = "Verify expired Root"
42 cert = ecGoodLeaf.cer
43 cert = ecGoodCA.cer
44 root = ecExpiredRoot.cer
45 error = CSSMERR_TP_CERT_EXPIRED
# Index 2 is the root. 0x19 = EXPIRED (0x01) | IS_IN_ANCHORS (0x08) |
# IS_ROOT (0x10).
46 # EXPIRED CSSM_CERT_STATUS_IS_ROOT CSSM_CERT_STATUS_IS_IN_ANCHORS
47 certstatus = 2:0x19
48 end
49
50 #
51 # Verify recovery from an expired cert when a good copy is also supplied, for the CA and the root (not the leaf)
52 #
# Both an expired and an unexpired CA are supplied as input certs, expired one
# first. No error line is given, so presumably the verify must succeed by
# using the unexpired CA.
53 test = "Verify recovery from expired CA"
54 cert = ecGoodLeaf.cer
55 cert = ecExpiredCA.cer
56 cert = ecGoodCA.cer
57 root = ecGoodRoot.cer
# Index 1 is the CA. 0x4 = IS_IN_INPUT_CERTS only; the EXPIRED bit (0x01) must
# be clear, which is what shows the expired CA was not the one placed in the chain.
58 # IS_IN_INPUT_CERTS
59 certstatus = 1:0x4
# Index 2 is the root: 0x18 = IS_IN_ANCHORS (0x08) | IS_ROOT (0x10).
60 # IS_IN_ANCHORS IS_ROOT
61 certstatus = 2:0x18
62 end
63
# An expired root is passed among the input certs while the unexpired root is
# the anchor. The chain is expected to terminate at the anchor instead of the
# expired input copy.
64 test = "Verify recovery from expired Root in input certs"
65 cert = ecGoodLeaf.cer
66 cert = ecGoodCA.cer
67 cert = ecExpiredRoot.cer
68 root = ecGoodRoot.cer
# Index 1 is the CA: 0x4 = IS_IN_INPUT_CERTS, not expired.
69 # IS_IN_INPUT_CERTS
70 certstatus = 1:0x4
# Index 2 is the root: 0x18 = IS_IN_ANCHORS (0x08) | IS_ROOT (0x10). Both
# EXPIRED (0x01) and IS_IN_INPUT_CERTS (0x04) must be clear, so the expired
# input root is not the one reported.
71 # IS_IN_ANCHORS IS_ROOT
72 certstatus = 2:0x18
73 end
74
# Two anchors are configured, the expired one listed first. The expected
# status shows the chain ending at an unexpired anchor, so anchor order must
# not cause the expired root to be used.
75 test = "Verify recovery from expired Root in anchors"
76 cert = ecGoodLeaf.cer
77 cert = ecGoodCA.cer
78 root = ecExpiredRoot.cer
79 root = ecGoodRoot.cer
# Index 1 is the CA: 0x4 = IS_IN_INPUT_CERTS, not expired.
80 # IS_IN_INPUT_CERTS
81 certstatus = 1:0x4
# Index 2 is the root: 0x18 = IS_IN_ANCHORS (0x08) | IS_ROOT (0x10), with the
# EXPIRED bit (0x01) clear. Compare 0x19 in "Verify expired Root".
82 # IS_IN_ANCHORS IS_ROOT
83 certstatus = 2:0x18
84 end
85
86 #
87 # Verify recovery from expired cert in input with good one in DLDB
88 #
# The only CA among the input certs is expired; an unexpired CA is available
# through the goodCA.keychain certDb. No error line is given, so presumably the
# verify must succeed using the keychain copy.
89 test = "Expired CA in input certs, good one in DLDB"
90 cert = ecGoodLeaf.cer
91 cert = ecExpiredCA.cer
92 root = ecGoodRoot.cer
# Index 1 is the CA. 0x0 means neither IS_IN_INPUT_CERTS (0x04) nor EXPIRED
# (0x01) is set, i.e. the CA in the chain is not the expired input cert.
# NOTE(review): the root's status is not asserted in this test.
93 # Verify !IS_IN_INPUT_CERTS
94 certstatus = 1:0x0
95 certDb = goodCA.keychain
96 end
97
# An expired root is passed as an input cert; the unexpired root is both the
# anchor and (going by the file name) present in goodRoot.keychain.
98 test = "Expired root in input certs, good one in DLDB"
99 cert = ecGoodLeaf.cer
100 cert = ecGoodCA.cer
101 cert = ecExpiredRoot.cer
102 root = ecGoodRoot.cer
103 certDb = goodRoot.keychain
# Index 1 is the CA: 0x4 = IS_IN_INPUT_CERTS, not expired.
104 # IS_IN_INPUT_CERTS
105 certstatus = 1:0x4
# Index 2 is the root: 0x18 = IS_IN_ANCHORS (0x08) | IS_ROOT (0x10), EXPIRED
# (0x01) clear.
# NOTE(review): ecGoodRoot.cer is also the anchor, so this status alone does
# not show whether the keychain copy was consulted; confirm intent.
106 # IS_IN_ANCHORS IS_ROOT
107 certstatus = 2:0x18
108 end
109
110 #
111 # Verify recovery from expired cert in DLDB with good one in DLDB
112 #
# No CA is passed as an input cert. Two certDb keychains are searched, the one
# named for the expired CA listed first, so the verify presumably has to skip
# the expired CA and use the one from goodCA.keychain.
113 test = "Expired CA in DLDB, good one in DLDB"
114 cert = ecGoodLeaf.cer
115 root = ecGoodRoot.cer
116 certDb = expiredCA.keychain
# Index 1 is the CA. 0x0 means neither IS_IN_INPUT_CERTS (0x04) nor EXPIRED
# (0x01) is set: the CA came from a certDb and is not the expired one.
117 # Verify !IS_IN_INPUT_CERTS
118 certstatus = 1:0x0
119 certDb = goodCA.keychain
120 end
121
# Keychains named for an expired and an unexpired root are both searched,
# expired first, while the unexpired root is also the configured anchor.
122 test = "Expired root in DLDB, good one in DLDB"
123 cert = ecGoodLeaf.cer
124 cert = ecGoodCA.cer
125 root = ecGoodRoot.cer
126 certDb = expiredRoot.keychain
127 certDb = goodRoot.keychain
# Index 1 is the CA: 0x4 = IS_IN_INPUT_CERTS, not expired.
128 # IS_IN_INPUT_CERTS
129 certstatus = 1:0x4
# Index 2 is the root: 0x18 = IS_IN_ANCHORS (0x08) | IS_ROOT (0x10), EXPIRED
# (0x01) clear, so the expired keychain root is not the one reported.
# NOTE(review): ecGoodRoot.cer is the anchor, so this status does not by
# itself show that either keychain was consulted; confirm intent.
130 # IS_IN_ANCHORS IS_ROOT
131 certstatus = 2:0x18
132 end
133
134 #
135 # Verify recovery with both good and expired CA in inputs AND DLDB
136 #
# Combined case: expired CA and expired root as input certs, expired and good
# roots as anchors, and three certDb keychains.
# NOTE(review): the only CA passed with cert = is ecExpiredCA.cer; going by the
# file names, an unexpired CA is reachable only through goodCA.keychain, which
# differs from the test title. Confirm intent.
# NOTE(review): this test has no error or certstatus line, so as written it
# asserts at most the overall result. The sibling tests pin the EXPIRED bit
# (0x01) clear with certstatus 1:0x0 / 2:0x18; the same assertions here would
# confirm that no expired cert ends up in the chain. Verify expected values
# against the tool before adding them.
137 test = "Expired and good CA and root in both inputs and DLDBs"
138 cert = ecGoodLeaf.cer
139 cert = ecExpiredCA.cer
140 cert = ecExpiredRoot.cer
141 # throw this in too!
142 root = ecExpiredRoot.cer
143 root = ecGoodRoot.cer
144 certDb = expiredCA.keychain
145 certDb = expiredRoot.keychain
146 certDb = goodCA.keychain
147 end