Lines Matching refs:cert
443 my $cert = shift @_; # first argument: file name the certificate is written to (see "-out" below)
444 my $ss = $cert =~ m/self-signed/; # true when the file name contains "self-signed"
445 my $is_ca = $cert =~ m/CA/; # true when the file name contains "CA" (case-sensitive substring match)
# NOTE(review): both flags come from the file name alone, so a test certificate's
# name presumably decides how it gets issued. The lines that use $ss and $is_ca
# are not part of this listing - confirm before renaming any test certificate.
450 "-subj", "/CN=$cn", @_, "-out", $cert); # caller's remaining arguments are passed through as extra options; $cn is set on a line not shown
453 ok(run(app([@cmd])), "generate $cert"); # the test passes only if the command built in @cmd succeeds
457 my $cert = shift @_; # certificate file to inspect
459 cert_contains($cert, "Key Usage", $expect); # $expect (set on a line not shown) says whether a "Key Usage" entry must be present
462 my $cert = shift @_; # certificate file to verify
465 $trusted = $cert unless $trusted; # no trust anchor supplied: fall back to the certificate under test itself
# -partial_chain lets verification end at a trusted certificate that is not self-signed.
# How $trusted reaches the command is on a line not shown - presumably as the trust anchor; confirm.
467 "-partial_chain", $cert])) == $expect, # result is compared with $expect, so passing 0 asserts that verification fails
468 "strict verify allow $cert"); # NOTE(review): the test name says "allow" even when $expect is 0, i.e. when rejection is the expected outcome
477 my $cert = "self-signed_default_SKID_no_explicit_exts.pem";
478 generate_cert($cert); # no extension options passed at all
479 has_version($cert, 3); # still expected to be an X.509 v3 certificate
480 has_SKID($cert, 1); # SKID added, though no explicit extensions given
481 has_AKID($cert, 0); # no AKID expected by default in this self-signed certificate
# Subject Key Identifier variants for self-signed CA certificates.
483 my $cert = "self-signed_v3_CA_hash_SKID.pem";
484 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash");
485 has_SKID($cert, 1); # explicit hash SKID
487 $cert = "self-signed_v3_CA_no_SKID.pem";
488 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
489 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
492 $cert = "self-signed_v3_CA_given_SKID.pem";
493 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = 45"); # SKID given as a literal value instead of being derived from the key
494 cert_contains($cert, "Subject Key Identifier: 45 ", 1); # given SKID
495 strict_verify($cert, 1); # expected to pass strict verification with the caller-chosen SKID
499 $cert = "self-signed_v1_CA_no_KIDs.pem";
500 generate_cert($cert, "-x509v1"); # version 1 certificates carry no extensions
501 has_version($cert, 1); # confirms that a v1 certificate was really produced
502 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
# Authority Key Identifier variants for self-signed CA certificates. Per the
# comments below, an AKID component only shows up here when it is forced with ":always".
511 $cert = "self-signed_v3_CA_no_AKID.pem";
512 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = none");
513 has_AKID($cert, 0); # forced no AKID
515 $cert = "self-signed_v3_CA_explicit_AKID.pem";
516 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid");
517 has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced
519 $cert = "self-signed_v3_CA_forced_AKID.pem";
520 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always");
521 cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # forced AKID, AKID == SKID
522 strict_verify($cert, 1); # strict verification is expected to accept the forced AKID
524 $cert = "self-signed_v3_CA_issuer_AKID.pem";
525 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer");
526 has_AKID($cert, 0); # suppressed AKID since not forced
528 $cert = "self-signed_v3_CA_forced_issuer_AKID.pem";
529 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always");
530 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID
532 $cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem";
533 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer");
534 has_AKID($cert, 0); # AKID not present because not forced and cert self-signed
536 $cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem";
537 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always");
538 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, …
540 $cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem";
541 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer");
542 has_AKID($cert, 1); # AKID with keyid forced
543 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 0); # no issuer AKID
545 $cert = "self-signed_v3_CA_forced_keyid_forced_issuer_AKID.pem";
546 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always");
# The next line is cut off in this listing; its pattern expects both the keyid and the issuer form.
547 cert_contains($cert, "Authority Key Identifier: keyid(:[0-9A-Fa-f]{2})+ DirName:/CN=CA serial:", 1)…
549 $cert = "self-signed_v3_EE_wrong_keyUsage.pem";
# keyCertSign is a CA key usage, placed here on an end-entity certificate (the
# "wrong" usage of the file name). The assertion on the outcome is not part of this listing.
550 generate_cert($cert, "-addext", "keyUsage = keyCertSign");
# Self-issued certificates. Several generate_cert calls below continue on lines
# that are not part of this listing.
555 $cert = "self-issued_x509_v3_CA_default_KIDs.pem";
560 "-out", $cert)])), "generate using x509: $cert"); # per the test name this one is generated with x509; the start of the command is not shown
561 cert_contains($cert, "Issuer: CN=test .*? Subject: CN=test", 1); # self-issued: issuer and subject name are the same
562 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
563 strict_verify($cert, 1); # expected to pass strict verification
565 $cert = "self-issued_v3_CA_default_KIDs.pem";
566 generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
568 cert_contains($cert, "Issuer: CN=CA .*? Subject: CN=CA", 1); # self-issued: issuer and subject name are the same
569 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
570 strict_verify($cert, 1); # expected to pass strict verification
572 $cert = "self-issued_v3_CA_no_AKID.pem";
573 generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
575 has_version($cert, 3);
576 has_SKID($cert, 1); # SKID still added; only the AKID was switched off above
577 has_AKID($cert, 0); # AKID suppressed by "authorityKeyIdentifier = none"
# Accepted without an AKID, whereas "v3_EE_no_AKID.pem" further down is expected
# to fail. No trust anchor is passed here, so the helper uses the certificate itself.
578 strict_verify($cert, 1);
580 $cert = "self-issued_v3_CA_explicit_AKID.pem";
581 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid",
583 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
584 strict_verify($cert, 1); # expected to pass strict verification
586 $cert = "self-issued_v3_CA_forced_AKID.pem";
587 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always",
589 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
591 $cert = "self-issued_v3_CA_issuer_AKID.pem";
592 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer",
594 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
596 $cert = "self-issued_v3_CA_forced_issuer_AKID.pem";
597 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always",
599 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # just issuer AKID
601 $cert = "self-issued_v3_CA_keyid_issuer_AKID.pem";
602 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer",
604 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID, not forced
606 $cert = "self-issued_v3_CA_keyid_forced_issuer_AKID.pem";
607 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid, issuer:always",
609 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, with forced issuer
611 $cert = "self-issued_v3_CA_forced_keyid_and_issuer_AKID.pem";
612 generate_cert($cert, "-addext", "authorityKeyIdentifier = keyid:always, issuer:always",
614 cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both forced
# Regular (CA-issued, per the file names) end-entity certificates. Several
# generate_cert calls below continue on lines that are not part of this listing.
618 $cert = "regular_v3_EE_default_KIDs_no_other_exts.pem";
619 generate_cert($cert, "-key", srctop_file(@certs, "ee-key.pem"));
620 has_version($cert, 3); # v3 expected even though no other extensions were requested
621 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
623 $cert = "regular_v3_EE_default_KIDs.pem";
624 generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
626 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
627 strict_verify($cert, 1, $ca_cert); # expected to verify; $ca_cert is presumably taken as the trust anchor - confirm against the helper
629 $cert = "regular_v3_EE_copied_exts_default_KIDs.pem";
# "-copy_extensions copy" takes over extensions requested in the input CSR, i.e.
# requester-controlled data; the input itself is named on a line not shown.
630 generate_cert($cert, "-copy_extensions", "copy",
632 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
633 strict_verify($cert, 1); # no trust anchor passed, so the helper falls back to the certificate itself
635 $cert = "v3_EE_no_AKID.pem";
636 generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
638 has_SKID($cert, 1); # SKID is still present
639 has_AKID($cert, 0); # AKID suppressed by "authorityKeyIdentifier = none"
# Negative case: verification is expected to FAIL. Presumably the strict checks
# require an AKID in a certificate that is not self-signed - confirm.
640 strict_verify($cert, 0, $ca_cert);
# Both certificates are generated from the same CSR, ext-check.csr.
645 $cert = "self-signed_CA_no_keyUsage.pem";
646 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
# NOTE(review): presumably extensions requested in the CSR are not taken over
# unless asked for, which is why no Key Usage is expected here - confirm.
647 has_keyUsage($cert, 0); # no Key Usage expected in the certificate
648 $cert = "self-signed_CA_with_keyUsages.pem";
649 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
651 has_keyUsage($cert, 1); # Key Usage expected; the option that brings it in is on a line not shown
# Checks the validity period of a certificate generated with explicit dates.
# The command and the %today hash are built on lines not part of this listing.
666 my $cert = "self-signed_explicit_date.pem";
672 "-out", $cert]))
674 && (grep { defined $today{$_} } get_not_before_date($cert)) # at least one returned notBefore value must be a key of %today
675 && (grep { defined $today{$_} } get_not_after_date($cert)), "explicit start and end dates"); # same check for notAfter