secToolVerify   [plain text]

#! /bin/csh -f
#
# Test SecurityTool's cert-verify comand. 
#
set QUIET=NO
set QUIET_ARG=
while ( $#argv > 0 )
    switch ( "$argv[1]" )
        case -q:
			set QUIET=YES
            set QUIET_ARG=-q
            shift
            breaksw
        default:
            Echo "Usage: secToolVerify [-q]"
            exit(1)
    endsw
end

set VFY_CMD="security verify-cert $QUIET_ARG"
# can't specify quiet when expecting & verifying an error
set VFY_CMD_NQ="security verify-cert"

set ERRFILE=/tmp/secToolVerifyError

#
# When this cert expires, replace it like so:
# sslViewer - f amazon
#
set cmd = "$VFY_CMD -c amazon_v3.100.cer -p ssl -s www.amazon.com"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# no policy spec --> default --> basic
set cmd = "$VFY_CMD -c amazon_v3.100.cer"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# and the explicit basic policy 
set cmd = "$VFY_CMD -c amazon_v3.100.cer -p basic"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# smime - replace this with a good Thawte cert when it expires
# This gets an intermediate from a keychain
set cmd = "$VFY_CMD -c dmitchThawte2007.cer -p smime -e dmitch@apple.com"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# SW Update policy, multiple certs
set cmd = "$VFY_CMD -c AppleQuickTime.pem -c AppleSWUPDATE.pem -p swUpdate"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# IPSec policy, explicit root
set cmd = "$VFY_CMD -c vpn-gateway.vpntrial.com.cer -r VPNTrialCA.cer -p IPSec"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# just a root
set cmd = "$VFY_CMD -r serverbasic.crt"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

set cmd = "$VFY_CMD -c applestore_v3.100.cer -c applestore_v3.101.cer -p ssl -s store.apple.com"
if($QUIET == NO) then
	echo $cmd
endif
$cmd || exit(1)

# expired root
set cmd = "$VFY_CMD_NQ -r iproj_v3.102.cer"
if($QUIET == NO) then
	echo $cmd
endif
rm -f $ERRFILE
$cmd >& $ERRFILE
if($status == 0) then
	echo "Expected error when evaluating expired iproj_v3.102.cer"
	exit(1)
endif
grep CSSMERR_TP_CERT_EXPIRED $ERRFILE > /dev/null
if($status != 0) then
	echo Expected CSSMERR_TP_CERT_EXPIRED, got `cat $ERRFILE`
	exit(1)
endif

# expired email leaf
# This gets an intermediate from a keychain
set cmd = "$VFY_CMD_NQ -c dmitchThawte2005.cer -p smime -e dmitch@apple.com"
if($QUIET == NO) then
	echo $cmd
endif
rm -f $ERRFILE
$cmd >& $ERRFILE
if($status == 0) then
	echo "Expected error when evaluating expired dmitchThawte2005.cer"
	exit(1)
endif
grep CSSMERR_TP_CERT_EXPIRED $ERRFILE > /dev/null
if($status != 0) then
	echo Expected CSSMERR_TP_CERT_EXPIRED, got `cat $ERRFILE`
	exit(1)
endif

# Test "no keychains" option
set cmd = "$VFY_CMD_NQ -c dmitchThawte2007.cer -p smime -e dmitch@apple.com -n"
if($QUIET == NO) then
	echo $cmd
endif
rm -f $ERRFILE
$cmd >& $ERRFILE
if($status == 0) then
	echo "Expected error when evaluating expired dmitchThawte2007.cer"
	exit(1)
endif
grep CSSMERR_TP_NOT_TRUSTED $ERRFILE > /dev/null
if($status != 0) then
	echo Expected CSSMERR_TP_NOT_TRUSTED, got `cat $ERRFILE`
	exit(1)
endif

# Test -k option, giving a bogus keychain, to ensure that no real keychains are searched
set cmd = "$VFY_CMD_NQ -c dmitchThawte2007.cer -p smime -e dmitch@apple.com -k confabulate"
if($QUIET == NO) then
	echo $cmd
endif
rm -f $ERRFILE
$cmd >& $ERRFILE
if($status == 0) then
	echo "Expected error when evaluating expired dmitchThawte2007.cer"
	exit(1)
endif
grep CSSMERR_TP_NOT_TRUSTED $ERRFILE > /dev/null
if($status != 0) then
	echo Expected CSSMERR_TP_NOT_TRUSTED, got `cat $ERRFILE`
	exit(1)
endif

echo ...secToolVerify succeeded.