1 #
2 # test for Radar 4515141: perform cert verify with CRL checking one second before and
3 # one second after the cert was revoked; the former should succeed, the latter should fail.
4 #
5 # This version of the script is for Tiger and Chard, without the requireCrlForAll command.
6 #
7 # leaf cert
8 # not before 20060417191040Z 19:10:40 Apr 17, 2006
9 # not after 20160414191040Z 19:10:40 Apr 14, 2016
10 #
11 # root cert
12 # not before 20060417190954Z 19:09:54 Apr 17, 2006
13 # not after 20160414190954Z 19:09:54 Apr 14, 2016
14 #
15 # CRL: not valid until well after leaf cert was created, valid for 10 years, revocation
16 # 12 hours after CRL is created
17 #
18 # % makeCrl -s crlTestLeaf.cer -i crlTestRoot.cer -o crl.crl -n 315360000 -r 43200
19 # ...wrote 282 bytes to crl.crl.
20 #
21 # this update 20060417210558Z 21:05:58 Apr 17, 2006
22 # next update 20160414210558Z 21:05:58 Apr 14, 2016
23 # cert revoked 20060418090558Z 09:05:58 Apr 18, 2006
24 #
25 # Test cert at revoke + 1 ==> fail 20060418090559Z
26 # Test cert at revoke - 1 ==> OK 20060418090557Z
27 # Test cert at create with CRL ==> OK 20060417191040Z (before revocation, before CRL)
28 # Test cert at create w/o CRL ==> OK 20060417191040Z
29 # Test cert at create-1 w/o CRL - not yet valid 20060417191039Z
30 # Test cert at not after w/o CRL - OK 20160414191040Z
31 # Test cert at not after + 1 - fail 20160414191041Z
32 #
33 # Certs were generated from CA in enclosed keychain, crlKeychain.keychain, pwd = crlKeychain
34 #
35 # Settings presumably applied to every test in this script: cert and CRL network fetch are off and system anchors are not used, so each test should see only the cert, root and crl files it names.
36 globals
37 certNetFetchEnable = false
38 crlNetFetchEnable = false
39 useSystemAnchors = false
40 end
41 # Baseline: leaf verified against the root with no crl and no expected error. NOTE(review): no verifyTime is set, so this presumably runs at the current time and would stop passing after the leaf's not after (20160414191040Z) - confirm.
42 test = "basic, no CRL"
43 allowUnverified = true
44 cert = crlTestLeaf.cer
45 root = crlTestRoot.cer
46 end
47
48 #
49 # This is a handy place to test the corner cases of notBefore and notAfter.
50 # I don't believe these have ever been tested right to the second.
51 # verifyTime below is exactly the leaf's not before; no error is listed, so the cert should verify.
52 test = "basic, no CRL, at NotBefore"
53 allowUnverified = true
54 cert = crlTestLeaf.cer
55 root = crlTestRoot.cer
56 verifyTime = 20060417191040Z
57 end
58
59 test = "basic, no CRL, before NotBefore, expect fail"
60 allowUnverified = true
61 cert = crlTestLeaf.cer
62 root = crlTestRoot.cer
63 verifyTime = 20060417191039Z
64 error = CSSMERR_TP_CERT_NOT_VALID_YET
65 # 0x06 = CSSM_CERT_STATUS_NOT_VALID_YET | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS; verifyTime is one second before the leaf's not before
66 certstatus = 0:0x06
67 end
68
69 #
70 # The root was created before the leaf (not after 20160414190954Z vs 20160414191040Z), so it is
71 # already expired at the leaf cert's NotAfter; allowExpiredRoot = true presumably lets the chain still verify.
72 #
73 test = "basic, no CRL, at NotAfter"
74 allowUnverified = true
75 cert = crlTestLeaf.cer
76 root = crlTestRoot.cer
77 verifyTime = 20160414191040Z
78 allowExpiredRoot = true
79 end
80
81 test = "basic, no CRL, at NotAfter plus 1, expect fail"
82 allowUnverified = true
83 cert = crlTestLeaf.cer
84 root = crlTestRoot.cer
85 verifyTime = 20160414191041Z
86 error = CSSMERR_TP_CERT_EXPIRED
87 # 0x05 = CSSM_CERT_STATUS_EXPIRED | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS; verifyTime is one second after the leaf's not after
88 certstatus = 0:0x05
89 end
90
91 #
92 # Begin CRL testing: every test from here on sets revokePolicy = crl, allowUnverified = false and supplies crl.crl.
93 #
94 test = "CRL, prior to revocation, within CRL validity"
95 allowUnverified = false
96 revokePolicy = crl
97 cert = crlTestLeaf.cer
98 root = crlTestRoot.cer
99 crl = crl.crl
100 # One second before revocation (cert revoked 20060418090558Z); no error is listed, so the cert should verify
101 verifyTime = 20060418090557Z
102 end
103
104 #
105 # This ensures that we verify the CRL itself at 'now' instead of the
106 # cert verification time.
107 # NOTE(review): 'now' presumably has to fall before the CRL's next update (20160414210558Z) for this to keep passing - confirm.
108 test = "CRL, prior to revocation, before CRL validity"
109 allowUnverified = false
110 revokePolicy = crl
111 cert = crlTestLeaf.cer
112 root = crlTestRoot.cer
113 crl = crl.crl
114 # Leaf create/notBefore time, definitely before the CRL is valid (this update 20060417210558Z).
115 verifyTime = 20060417191040Z
116 end
117
118 test = "CRL, subsequent to revocation"
119 allowUnverified = false
120 revokePolicy = crl
121 cert = crlTestLeaf.cer
122 root = crlTestRoot.cer
123 crl = crl.crl
124 # Normal revocation case: one second after the revocation time 20060418090558Z. NOTE(review): error below lacks the CSSMERR_ prefix that the other error and certerror values carry - confirm the parser accepts both forms.
125 verifyTime = 20060418090559Z
126 error = TP_CERT_REVOKED
127 certerror = 0:CSSMERR_TP_CERT_REVOKED
128 end