# Test handling of an expired root certificate, per 3300879.
#
# This uses two certs we got from store.apple.com (a leaf and an intermediate)
# and an old expired root which verifies them.
#
# The leaf cert is going to expire on April 1 2007; the intermediate cert is
# going to expire on Oct 24, 2011. To replace them just grab new certs from
# store.apple.com, or any other site with a cert chain originating with
# Verisign's Class 3 Public Primary Certification Authority.
#
# NOTE(review): the expectations below are date-sensitive. Once the leaf itself
# has expired, the success cases (test3 to test5) presumably can no longer pass,
# and test1 could report CSSMERR_TP_CERT_EXPIRED because of the leaf rather
# than the root. Confirm, and refresh the certs before trusting a result.
#
# Reading the certstatus lines: the hex value is the OR of the flags named in
# the comment above it, using the CSSM_CERT_STATUS_* bit values
# (EXPIRED 0x01, IS_IN_INPUT_CERTS 0x04, IS_IN_ANCHORS 0x08, IS_ROOT 0x10,
# TRUST_SETTINGS_FOUND_SYSTEM 0x100, TRUST_SETTINGS_TRUST 0x200).
# The leading "2:" is presumably the index of the cert in the evaluated chain,
# i.e. the root. TODO confirm against the script parser.
#

# Settings presumably shared by every test unless a test sets the same key
# itself (test4 and test5 set useSystemAnchors).
# Both network fetch options are off, so by the look of it no CRLs or missing
# certs are retrieved, and revocation is not what this script exercises.
# NOTE(review): allowUnverified is not explained in this file; confirm what it
# relaxes before copying this globals block into another script.
globals
allowUnverified = true
crlNetFetchEnable = false
certNetFetchEnable = false
useSystemAnchors = false
end

#
# Simulate pre-3300879 failure, expired root in anchors
#
# The expired root is supplied with root =, i.e. as the anchor, and the
# evaluation is expected to fail with CSSMERR_TP_CERT_EXPIRED.
test = test1
echo Expired root as anchor
# Disabled cert pair, presumably an earlier leaf/intermediate that the
# applestore certs below replaced.
#cert = iproj_v3.100.cer
#cert = iproj_v3.101.cer
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
root = iproj_v3.102.cer
sslHost = store.apple.com
error = CSSMERR_TP_CERT_EXPIRED
# EXPIRED IS_IN_ANCHORS IS_ROOT
# 0x01 | 0x08 | 0x10 = 0x19
certstatus = 2:0x19
end

#
# Simulate pre-3300879 failure, expired root not in anchors
#
# Here the expired root is passed as a third cert = entry and no root = is
# given, so with useSystemAnchors off the anchor set is empty. The expected
# error is CSSMERR_TP_INVALID_ANCHOR_CERT, not CSSMERR_TP_CERT_EXPIRED.
test = test2
echo Expired root not in (empty) anchors
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
error = CSSMERR_TP_INVALID_ANCHOR_CERT
# EXPIRED IS_IN_INPUT_CERTS IS_ROOT
# 0x01 | 0x04 | 0x10 = 0x15
certstatus = 2:0x15
end

#
# Ensure that this expired root successfully verifies the chain
#
# No error = line is given, so success is presumably the expected outcome.
# allowExpiredRoot is set only inside this test: it deliberately accepts an
# anchor that is past its validity period, so keep it scoped to the case that
# needs it and out of the globals block.
test = test3
echo Expired root passed as anchor, explicitly allowing expired root
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
root = iproj_v3.102.cer
allowExpiredRoot = true
sslHost = store.apple.com
end

#
# Expired root is present in the input certs while system anchors are enabled.
# No error = line is given, so success is presumably the expected outcome.
# NOTE(review): the result depends on the host's system anchor set holding a
# usable root for this chain; confirm on the machine running the test.
test = test4
echo Expired root in input chain, should be ignored in favor of system anchor
useSystemAnchors = true
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
# IS_IN_ANCHORS IS_ROOT
# 0x08 | 0x10 = 0x18. The EXPIRED bit (0x01) is absent, which is what shows
# that the expired input root was not the root used.
certstatus = 2:0x18
end

# Same chain as test4 with useTrustSettings turned on as well.
# NOTE(review): like test4, this depends on the host's system trust
# configuration; confirm on the machine running the test.
test = test5
echo Expired root in input chain, should be ignored in favor of system anchor, Trust Settings
useSystemAnchors = true
useTrustSettings = true
cert = applestore_v3.100.cer
cert = applestore_v3.101.cer
cert = iproj_v3.102.cer
sslHost = store.apple.com
# IS_ROOT TRUST_SETTINGS_FOUND_SYSTEM TRUST_SETTINGS_TRUST
# 0x10 | 0x100 | 0x200 = 0x310. Unlike test4, IS_IN_ANCHORS (0x08) is not
# expected here, and EXPIRED (0x01) is again absent.
certstatus = 2:0x310
end