]> git.saurik.com Git - apple/security.git/blob - SecurityTests/clxutils/certcrl/testSubjects/trustSettings/trustSettings.scr
Security-57031.1.35.tar.gz
[apple/security.git] / SecurityTests / clxutils / certcrl / testSubjects / trustSettings / trustSettings.scr
1 #
2 # TrustSettings tests.
3 #
4 # This must be run with trustSettingsTest.keychain in your KC search path
5 # and userTrustSettings.plist as your per-user or admin trust settings.
6 #
7 # A script to recreate userTrustSettings.plist is in the makeTrustSettings
8 # script in this directory; the result can be imported into your user-domain
9 # settings via security trust-settings-import.
10 #
11 # See the buildAndTest script in this directory for al all-in-one op.
12 #
13 globals
14 allowUnverified = true
15 crlNetFetchEnable = false
16 certNetFetchEnable = false
17 useSystemAnchors = false
18 end
19
20 #
21 # Note: with TrustSettings disabled, we pass in roots as root certs;
22 # with TrustSettings enabled, we pass roots as regular certs if we
23 # want success.
24 #
25
26 #
27 # debugRoot and localhost, with allowed HOSTNAME_MISMATCH test
28 #
29 test = "Ensure localhost.cer fails with TrustSettings disabled"
30 useTrustSettings = false
31 cert = localhost.cer
32 cert = debugRoot.cer
33 sslHost = localhost
34 verifyTime = 20060601000000
35 error = CSSMERR_TP_INVALID_ANCHOR_CERT
36 # IS_IN_INPUT_CERTS | IS_ROOT
37 certstatus = 1:0x14
38 end
39
40 test = "localhost.cer with TrustSettings enabled"
41 useTrustSettings = true
42 cert = localhost.cer
43 cert = debugRoot.cer
44 sslHost = localhost
45 verifyTime = 20060601000000
46 # IS_IN_INPUT_CERTS
47 certstatus = 0:0x4
48 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTING_TRUST
49 certstatus = 1:0x254
50 end
51
52 test = "localhost.cer with allowedError HOSTNAME_MISMATCH"
53 useTrustSettings = true
54 cert = localhost.cer
55 cert = debugRoot.cer
56 sslHost = 127.0.0.1
57 verifyTime = 20060601000000
58 # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
59 certstatus = 0:0x844
60 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTING_TRUST
61 certstatus = 1:0x254
62 # Detected and logged but not a fatal error due to TrustSettings
63 certerror = 0:CSSMERR_APPLETP_HOSTNAME_MISMATCH
64 end
65
66 #
67 # Software Update Signing with allowed CS_BAD_CERT_CHAIN_LENGTH test
68 #
69 test = "SWUSigning, normal, no TrustSettings"
70 useTrustSettings = false
71 cert = csLeaf.cer
72 cert = csCA.cer
73 root = csRoot.cer
74 policy = swuSign
75 verifyTime = 20060601000000
76 # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
77 certstatus = 2:0x18
78 end
79
80 test = "SWUSigning, normal, TrustSettings"
81 useTrustSettings = true
82 cert = csLeaf.cer
83 cert = csCA.cer
84 cert = csRoot.cer
85 policy = swuSign
86 verifyTime = 20060601000000
87 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
88 certstatus = 2:254
89 end
90
91 # note no per-cert status of CS_BAD_CERT_CHAIN_LENGTH, it applies
92 # to the whole chain
93 test = "SWUSigning, allowed bad path length"
94 useTrustSettings = true
95 cert = csLeafShortPath.cer
96 cert = csRoot.cer
97 policy = swuSign
98 verifyTime = 20060601000000
99 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
100 certstatus = 1:0x254
101 # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
102 certstatus = 0:0x844
103 end
104
105 #
106 # CRL testing with allowed CSSMERR_TP_CERT_REVOKED test
107 # see documentation in clxutils/makeCrl/testFiles/crlTime.scr for info
108 # on certs and CRLs.
109 #
110 test = "revoked by CRL, no TrustSettings, expect failure"
111 useTrustSettings = false
112 requireCrlForAll = true
113 revokePolicy = crl
114 cert = crlTestLeaf.cer
115 root = crlTestRoot.cer
116 crl = crl.crl
117 # Normal revocation case.
118 verifyTime = 20060418090559Z
119 error = CSSMERR_TP_CERT_REVOKED
120 certerror = 0:CSSMERR_TP_CERT_REVOKED
121 # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
122 certstatus = 1:0x18
123 end
124
125 test = "revoked by CRL, TrustSettings, expect success"
126 useTrustSettings = true
127 requireCrlForAll = true
128 revokePolicy = crl
129 cert = crlTestLeaf.cer
130 cert = crlTestRoot.cer
131 crl = crl.crl
132 # Normal revocation case.
133 verifyTime = 20060418090559Z
134 # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR
135 certstatus = 0:0x844
136 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST
137 certstatus = 1:0x254
138 certerror = 0:CSSMERR_TP_CERT_REVOKED
139 end
140
141 #
142 # dmitch@apple.com Thawte with test of default setting = deny for SMIME
143 #
144 test = "dmitch@apple.com Thawte, no TrustSettings"
145 useTrustSettings = false
146 useSystemAnchors = true
147 cert = dmitchAppleThawte.cer
148 cert = thawteCA.cer
149 policy = smime
150 verifyTime = 20060601000000
151 senderEmail = dmitch@apple.com
152 # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT
153 certstatus = 2:0x18
154 end
155
156 test = "dmitch@apple.com Thawte, TrustSettings, generic"
157 useTrustSettings = true
158 useSystemAnchors = true
159 cert = dmitchAppleThawte.cer
160 cert = thawteCA.cer
161 verifyTime = 20060601000000
162 # IS_ROOT | TRUST_SETTINGS_FOUND_SYSTEM | TRUST_SETTINGS_TRUST
163 certstatus = 2:0x310
164 end
165
166 test = "dmitch@apple.com Thawte, TrustSettings, SMIME, fail due to default Deny setting"
167 useTrustSettings = true
168 useSystemAnchors = true
169 cert = dmitchAppleThawte.cer
170 cert = thawteCA.cer
171 senderEmail = dmitch@apple.com
172 verifyTime = 20060601000000
173 # IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_DENY
174 certstatus = 2:0x450
175 error = CSSMERR_APPLETP_TRUST_SETTING_DENY
176 end