# # TrustSettings tests. # # This must be run with trustSettingsTest.keychain in your KC search path # and userTrustSettings.plist as your per-user or admin trust settings. # # A script to recreate userTrustSettings.plist is in the makeTrustSettings # script in this directory; the result can be imported into your user-domain # settings via security trust-settings-import. # # See the buildAndTest script in this directory for al all-in-one op. # globals allowUnverified = true crlNetFetchEnable = false certNetFetchEnable = false useSystemAnchors = false end # # Note: with TrustSettings disabled, we pass in roots as root certs; # with TrustSettings enabled, we pass roots as regular certs if we # want success. # # # debugRoot and localhost, with allowed HOSTNAME_MISMATCH test # test = "Ensure localhost.cer fails with TrustSettings disabled" useTrustSettings = false cert = localhost.cer cert = debugRoot.cer sslHost = localhost verifyTime = 20060601000000 error = CSSMERR_TP_INVALID_ANCHOR_CERT # IS_IN_INPUT_CERTS | IS_ROOT certstatus = 1:0x14 end test = "localhost.cer with TrustSettings enabled" useTrustSettings = true cert = localhost.cer cert = debugRoot.cer sslHost = localhost verifyTime = 20060601000000 # IS_IN_INPUT_CERTS certstatus = 0:0x4 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTING_TRUST certstatus = 1:0x254 end test = "localhost.cer with allowedError HOSTNAME_MISMATCH" useTrustSettings = true cert = localhost.cer cert = debugRoot.cer sslHost = 127.0.0.1 verifyTime = 20060601000000 # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR certstatus = 0:0x844 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTING_TRUST certstatus = 1:0x254 # Detected and logged but not a fatal error due to TrustSettings certerror = 0:CSSMERR_APPLETP_HOSTNAME_MISMATCH end # # Software Update Signing with allowed CS_BAD_CERT_CHAIN_LENGTH test # test = "SWUSigning, normal, no TrustSettings" useTrustSettings = false cert = csLeaf.cer cert = csCA.cer root = csRoot.cer policy = swuSign verifyTime = 20060601000000 # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT certstatus = 2:0x18 end test = "SWUSigning, normal, TrustSettings" useTrustSettings = true cert = csLeaf.cer cert = csCA.cer cert = csRoot.cer policy = swuSign verifyTime = 20060601000000 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST certstatus = 2:254 end # note no per-cert status of CS_BAD_CERT_CHAIN_LENGTH, it applies # to the whole chain test = "SWUSigning, allowed bad path length" useTrustSettings = true cert = csLeafShortPath.cer cert = csRoot.cer policy = swuSign verifyTime = 20060601000000 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST certstatus = 1:0x254 # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR certstatus = 0:0x844 end # # CRL testing with allowed CSSMERR_TP_CERT_REVOKED test # see documentation in clxutils/makeCrl/testFiles/crlTime.scr for info # on certs and CRLs. # test = "revoked by CRL, no TrustSettings, expect failure" useTrustSettings = false requireCrlForAll = true revokePolicy = crl cert = crlTestLeaf.cer root = crlTestRoot.cer crl = crl.crl # Normal revocation case. verifyTime = 20060418090559Z error = CSSMERR_TP_CERT_REVOKED certerror = 0:CSSMERR_TP_CERT_REVOKED # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT certstatus = 1:0x18 end test = "revoked by CRL, TrustSettings, expect success" useTrustSettings = true requireCrlForAll = true revokePolicy = crl cert = crlTestLeaf.cer cert = crlTestRoot.cer crl = crl.crl # Normal revocation case. verifyTime = 20060418090559Z # IS_IN_INPUT_CERTS | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_IGNORED_ERROR certstatus = 0:0x844 # IS_IN_INPUT_CERTS | IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_TRUST certstatus = 1:0x254 certerror = 0:CSSMERR_TP_CERT_REVOKED end # # dmitch@apple.com Thawte with test of default setting = deny for SMIME # test = "dmitch@apple.com Thawte, no TrustSettings" useTrustSettings = false useSystemAnchors = true cert = dmitchAppleThawte.cer cert = thawteCA.cer policy = smime verifyTime = 20060601000000 senderEmail = dmitch@apple.com # CSSM_CERT_STATUS_IS_IN_ANCHORS | IS_ROOT certstatus = 2:0x18 end test = "dmitch@apple.com Thawte, TrustSettings, generic" useTrustSettings = true useSystemAnchors = true cert = dmitchAppleThawte.cer cert = thawteCA.cer verifyTime = 20060601000000 # IS_ROOT | TRUST_SETTINGS_FOUND_SYSTEM | TRUST_SETTINGS_TRUST certstatus = 2:0x310 end test = "dmitch@apple.com Thawte, TrustSettings, SMIME, fail due to default Deny setting" useTrustSettings = true useSystemAnchors = true cert = dmitchAppleThawte.cer cert = thawteCA.cer senderEmail = dmitch@apple.com verifyTime = 20060601000000 # IS_ROOT | TRUST_SETTINGS_FOUND_USER | TRUST_SETTINGS_DENY certstatus = 2:0x450 error = CSSMERR_APPLETP_TRUST_SETTING_DENY end