1 # test handling of expired root, per 3300879
2 #
3 # This uses two certs we got from store.apple.com and an old expired root
4 # which verifies them.
5 #
6 # The leaf cert is going to expire on April 1 2007; the intermediate cert is
7 # going to expire on Oct 24, 2011. To replace them just grab new certs from
8 # store.apple.com, or any other site with a cert chain originating with
9 # Verisign's Class 3 Public Primary Certification Authority.
10 # globals: presumably defaults for every test below -- no network fetch of CRLs or certs, no system anchors (test4/test5 override useSystemAnchors).
11 globals
12 allowUnverified = true
13 crlNetFetchEnable = false
14 certNetFetchEnable = false
15 useSystemAnchors = false
16 end
17 # test1: the expired root is supplied as the anchor (root =) and allowExpiredRoot is not set.
18 # Simulate pre-3300879 failure, expired root in anchors
19 # Expected result: evaluation fails with CSSMERR_TP_CERT_EXPIRED.
20 test = test1
21 echo Expired root as anchor
22 #cert = iproj_v3.100.cer
23 #cert = iproj_v3.101.cer
24 cert = applestore_v3.100.cer
25 cert = applestore_v3.101.cer
26 root = iproj_v3.102.cer
27 sslHost = store.apple.com
28 error = CSSMERR_TP_CERT_EXPIRED
29 # certstatus flags: EXPIRED (0x01) | IS_IN_ANCHORS (0x08) | IS_ROOT (0x10) = 0x19; "2:" presumably selects chain index 2, the root -- confirm
30 certstatus = 2:0x19
31 end
32 # test2: the expired root is passed as an ordinary input cert (cert =), so no anchor is configured for this test.
33 # Simulate pre-3300879 failure, expired root not in anchors
34 # Expected result: CSSMERR_TP_INVALID_ANCHOR_CERT -- a root that arrives only in the input chain is not treated as trusted.
35 test = test2
36 echo Expired root not in (empty) anchors
37 cert = applestore_v3.100.cer
38 cert = applestore_v3.101.cer
39 cert = iproj_v3.102.cer
40 sslHost = store.apple.com
41 error = CSSMERR_TP_INVALID_ANCHOR_CERT
42 # certstatus flags: EXPIRED (0x01) | IS_IN_INPUT_CERTS (0x04) | IS_ROOT (0x10) = 0x15; "2:" presumably selects chain index 2, the root -- confirm
43 certstatus = 2:0x15
44 end
45 # test3: same anchor as test1, but allowExpiredRoot = true; no error or certstatus is listed, so success is presumably expected.
46 # Ensure that this expired root successfully verifies the chain
47 # NOTE(review): only the root's expiry is waived here; once the leaf or intermediate passes the expiry date given in the header this presumably fails -- confirm.
48 test = test3
49 echo Expired root passed as anchor, explicitly allowing expired root
50 cert = applestore_v3.100.cer
51 cert = applestore_v3.101.cer
52 root = iproj_v3.102.cer
53 allowExpiredRoot = true
54 sslHost = store.apple.com
55 end
56
57 # test4: expired root is in the input chain while system anchors are enabled; no error line, so success is presumably expected.
58 test = test4
59 echo Expired root in input chain, should be ignored in favor of system anchor
60 useSystemAnchors = true
61 cert = applestore_v3.100.cer
62 cert = applestore_v3.101.cer
63 cert = iproj_v3.102.cer
64 sslHost = store.apple.com
65 # certstatus flags: IS_IN_ANCHORS (0x08) | IS_ROOT (0x10) = 0x18; neither EXPIRED (0x01) nor IS_IN_INPUT_CERTS (0x04) is expected on the root
66 certstatus = 2:0x18
67 end
68 # test5: same inputs as test4 with useTrustSettings = true; the root's expected status then carries Trust Settings flags instead of IS_IN_ANCHORS.
69 test = test5
70 echo Expired root in input chain, should be ignored in favor of system anchor, Trust Settings
71 useSystemAnchors = true
72 useTrustSettings = true
73 cert = applestore_v3.100.cer
74 cert = applestore_v3.101.cer
75 cert = iproj_v3.102.cer
76 sslHost = store.apple.com
77 # certstatus flags: IS_ROOT (0x10) | TRUST_SETTINGS_FOUND_SYSTEM (0x100) | TRUST_SETTINGS_TRUST (0x200) = 0x310; EXPIRED (0x01) is not expected
78 certstatus = 2:0x310
79 end