393     my $cert = shift @_;
394     my $ss = $cert =~ m/self-signed/;
395     my $is_ca = $cert =~ m/CA/;
400                "-subj", "/CN=$cn", @_, "-out", $cert);
403     ok(run(app([@cmd])), "generate $cert");
407     my $cert = shift @_;
409     cert_contains($cert, "Key Usage", $expect);
412     my $cert = shift @_;
415     $trusted = $cert unless $trusted;
417                 "-partial_chain", $cert])) == $expect,
418        "strict verify allow $cert");
427 my $cert = "self-signed_default_SKID_no_explicit_exts.pem";
428 generate_cert($cert);
429 has_version($cert, 3);
430 has_SKID($cert, 1); # SKID added, though no explicit extensions given
431 has_AKID($cert, 0);
433 my $cert = "self-signed_v3_CA_hash_SKID.pem";
434 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash");
435 has_SKID($cert, 1); # explicit hash SKID
437 $cert = "self-signed_v3_CA_no_SKID.pem";
438 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
439 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
442 $cert = "self-signed_v3_CA_given_SKID.pem";
443 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45");
444 cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID
445 strict_verify($cert, 1);
449 $cert = "self-signed_v1_CA_no_KIDs.pem";
450 generate_cert($cert, "-x509v1");
451 has_version($cert, 1);
452 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
461 $cert = "self-signed_v3_CA_no_AKID.pem";
462 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none");
463 has_AKID($cert, 0); # forced no AKID
465 $cert = "self-signed_v3_CA_explicit_AKID.pem";
466 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid");
467 has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced
469 $cert = "self-signed_v3_CA_forced_AKID.pem";
470 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always");
471 cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID
472 strict_verify($cert, 1);
474 $cert = "self-signed_v3_CA_issuer_AKID.pem";
475 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer");
476 has_AKID($cert, 0); # suppressed AKID since not forced
478 $cert = "self-signed_v3_CA_forced_issuer_AKID.pem";
479 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always");
480 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID
482 $cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem";
483 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer");
484 has_AKID($cert, 0); # AKID not present because not forced and cert self-signed
486 $cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem";
487 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always");
488 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, …
490 $cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem";
491 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer");
492 has_AKID($cert, 1); # AKID with keyid forced
493 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID
495 $cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem";
496 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always");
497 cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1)…
499 $cert = "self-signed_v3_EE_wrong_keyUsage.pem";
500 generate_cert($cert, "-addext", "keyUsage = keyCertSign");
505 $cert = "self-issued_x509_v3_CA_default_KIDs.pem";
510              "-out", $cert)])), "generate using x509: $cert");
511 cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1);
512 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
513 strict_verify($cert, 1);
515 $cert = "self-issued_v3_CA_default_KIDs.pem";
516 generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
518 cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1);
519 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
520 strict_verify($cert, 1);
522 $cert = "self-issued_v3_CA_no_AKID.pem";
523 generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
525 has_version($cert, 3);
526 has_SKID($cert, 1); # SKID added, though no explicit extensions given
527 has_AKID($cert, 0);
528 strict_verify($cert, 1);
530 $cert = "self-issued_v3_CA_explicit_AKID.pem";
531 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid",
533 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
534 strict_verify($cert, 1);
536 $cert = "self-issued_v3_CA_forced_AKID.pem";
537 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always",
539 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
541 $cert = "self-issued_v3_CA_issuer_AKID.pem";
542 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer",
544 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
546 $cert = "self-issued_v3_CA_forced_issuer_AKID.pem";
547 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always",
549 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
551 $cert = "self-issued_v3_CA_keyid_issuer_AKID.pem";
552 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer",
554 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced
556 $cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem";
557 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always",
559 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer
561 $cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem";
562 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always",
564 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
568 $cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
569 generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
570 has_version($cert, 3);
571 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
573 $cert = "regular_v3_EE_default_KIDs.pem";
574 generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
576 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
577 strict_verify($cert, 1, $ca_cert);
579 $cert = "regular_v3_EE_copied_exts_default_KIDs.pem";
580 generate_cert($cert, "-copy_extensions", "copy",
582 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
583 strict_verify($cert, 1);
585 $cert = "v3_EE_no_AKID.pem";
586 generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
588 has_SKID($cert, 1);
589 has_AKID($cert, 0);
590 strict_verify($cert, 0, $ca_cert);
595 $cert = "self-signed_CA_no_keyUsage.pem";
596 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
597 has_keyUsage($cert, 0);
598 $cert = "self-signed_CA_with_keyUsages.pem";
599 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
601 has_keyUsage($cert, 1);
616 my $cert = "self-signed_explicit_date.pem";
622             "-out", $cert]))
624 && (grep { defined $today{$_} } get_not_before_date($cert))
625 && (grep { defined $today{$_} } get_not_after_date($cert)), "explicit start and end dates");

Last Index update Sat Sep 28 00:04:33 UTC 2024

Dedicated to & Maintained by Room-11