#
# test handling of expired certs, Radar 3622125.
#

globals
allowUnverified = true
crlNetFetchEnable = false
certNetFetchEnable = false
useSystemAnchors = false
end

test = "Basic sanity check"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
root = ecGoodRoot.cer
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

#
# verify that each of the three expired certs really is expired
#
test = "Verify expired leaf"
cert = ecExpiredLeaf.cer
cert = ecGoodCA.cer
root = ecGoodRoot.cer
error = CSSMERR_TP_CERT_EXPIRED
# EXPIRED  IS_IN_INPUT_CERTS
certstatus = 0:0x5
end

test = "Verify expired CA"
cert = ecGoodLeaf.cer
cert = ecExpiredCA.cer
root = ecGoodRoot.cer
error = CSSMERR_TP_CERT_EXPIRED
# EXPIRED  IS_IN_INPUT_CERTS
certstatus = 1:0x5
end

test = "Verify expired Root"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
root = ecExpiredRoot.cer
error = CSSMERR_TP_CERT_EXPIRED
# EXPIRED  CSSM_CERT_STATUS_IS_ROOT CSSM_CERT_STATUS_IS_IN_ANCHORS
certstatus = 2:0x19
end

#
# Verify expired cert recovery for each cert (not leaf though)
#
test = "Verify recovery from expired CA"
cert = ecGoodLeaf.cer
cert = ecExpiredCA.cer
cert = ecGoodCA.cer
root = ecGoodRoot.cer
# IS_IN_INPUT_CERTS
certstatus = 1:0x4
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

test = "Verify recovery from expired Root in input certs"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
cert = ecExpiredRoot.cer
root = ecGoodRoot.cer
# IS_IN_INPUT_CERTS
certstatus = 1:0x4
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

test = "Verify recovery from expired Root in anchors"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
root = ecExpiredRoot.cer
root = ecGoodRoot.cer
# IS_IN_INPUT_CERTS
certstatus = 1:0x4
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

# 
# Verify recovery from expired cert in input with good one in DLDB
#
test = "Expired CA in input certs, good one in DLDB"
cert = ecGoodLeaf.cer
cert = ecExpiredCA.cer
root = ecGoodRoot.cer
# Verify !IS_IN_INPUT_CERTS
certstatus = 1:0x0
certDb = goodCA.keychain
end

test = "Expired root in input certs, good one in DLDB"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
cert = ecExpiredRoot.cer
root = ecGoodRoot.cer
certDb = goodRoot.keychain
# IS_IN_INPUT_CERTS
certstatus = 1:0x4
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

#
# Verify recovery from expired cert in DLDB with good one in DLDB
#
test = "Expired CA in DLDB, good one in DLDB"
cert = ecGoodLeaf.cer
root = ecGoodRoot.cer
certDb = expiredCA.keychain
# Verify !IS_IN_INPUT_CERTS
certstatus = 1:0x0
certDb = goodCA.keychain
end

test = "Expired root in DLDB, good one in DLDB"
cert = ecGoodLeaf.cer
cert = ecGoodCA.cer
root = ecGoodRoot.cer
certDb = expiredRoot.keychain
certDb = goodRoot.keychain
# IS_IN_INPUT_CERTS
certstatus = 1:0x4
# IS_IN_ANCHORS  IS_ROOT
certstatus = 2:0x18
end

#
# Verify recovery with both good and expired CA in inputs AND DLDB
#
test = "Expired and good CA and root in both inputs and DLDBs"
cert = ecGoodLeaf.cer
cert = ecExpiredCA.cer
cert = ecExpiredRoot.cer
# throw this in too!
root = ecExpiredRoot.cer
root = ecGoodRoot.cer
certDb = expiredCA.keychain
certDb = expiredRoot.keychain
certDb = goodCA.keychain
end