  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/router/neon/test/

Lines Matching refs:cert

50 #define SERVER_CERT "server.cert"
52 #define CA_CERT "ca/cert.pem"
73 char *cert; /* the server cert to present. */
77 /* client cert handling: */
78 int require_cc; /* require a client cert if non-zero */
79 const char *ca_list; /* file of CA certs to verify client cert against */
116 args->cert, key);
118 ONV(ne_ssl_context_keypair(ctx, args->cert, key),
197 args.cert = ud;
213 ONV(ca == NULL, ("could not load CA cert `%s'", ca_cert));
249 t_context("couldn't load CA cert %s", CA_CERT);
255 t_context("couldn't load server cert %s", SERVER_CERT);
259 /* tests for the encrypted client cert, client.p12 */
288 ne_ssl_certificate *cert;
290 cert = ne_ssl_cert_read("Makefile");
291 ONN("invalid CA cert file loaded successfully", cert != NULL);
293 cert = ne_ssl_cert_read("nonesuch.pem");
294 ONN("non-existent 'nonesuch.pem' loaded successfully", cert != NULL);
296 cert = ne_ssl_cert_read("ssigned.pem");
297 ONN("could not load ssigned.pem", cert == NULL);
298 ne_ssl_cert_free(cert);
317 const ne_ssl_certificate *cert;
337 /* tests for the unencrypted client cert, client2.p12 */
339 ONN("could not load unencrypted cert unclient.p12", cc == NULL);
340 ONN("unencrypted cert marked encrypted?", ne_ssl_clicert_encrypted(cc));
341 cert = ne_ssl_clicert_owner(cc);
342 ONN("client cert had no certificate", cert == NULL);
343 CALL(check_dname(ne_ssl_cert_subject(cert),
346 "client cert subject"));
347 CALL(check_dname(ne_ssl_cert_issuer(cert), CACERT_DNAME,
348 "client cert issuer"));
361 ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
370 /* test for ccert without a cert, ncclient.p12 */
372 ONN("did not fail to load clicert without cert", cc != NULL);
376 ONN("loaded Makefile as client cert!?", cc != NULL);
380 ONN("loaded nonexistent file as client cert!?", cc != NULL);
385 /* Test that 'cert', which is signed by CA_CERT, is accepted
387 static int accept_signed_cert_for_hostname(char *cert, const char *hostname)
390 struct ssl_server_args args = {cert, 0};
398 static int accept_signed_cert(char *cert)
400 return accept_signed_cert_for_hostname(cert, "localhost");
430 args.cert = ud;
463 args.cert = SERVER_CERT;
511 struct ssl_server_args args = {"wildcard.cert", 0};
525 struct ssl_server_args args = {"altname9.cert", 0};
539 return accept_signed_cert("caseless.cert");
546 return accept_signed_cert("altname1.cert");
552 return accept_signed_cert("altname2.cert");
557 return accept_signed_cert("altname3.cert");
564 return accept_signed_cert("altname4.cert");
569 return accept_signed_cert_for_hostname("altname5.cert", "127.0.0.1");
574 return accept_signed_cert_for_hostname("altname7.cert", "localhost");
580 return accept_signed_cert("twocn.cert");
587 return accept_signed_cert("cnfirst.cert");
609 /* Check that the readable subject issuer dnames of 'cert' match
611 static int check_cert_dnames(const ne_ssl_certificate *cert,
614 ONN("no server certificate presented", cert == NULL);
615 CALL(check_dname(ne_ssl_cert_subject(cert), subject, "subject"));
616 return issuer ? check_dname(ne_ssl_cert_issuer(cert), issuer, "issuer") : OK;
621 static int check_cert(void *userdata, int fs, const ne_ssl_certificate *cert)
625 if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL)
640 /* don't give a CA cert; should force the verify callback to be
646 ONN("cert verification never called", ret == 0);
658 static int check_chain(void *userdata, int fs, const ne_ssl_certificate *cert)
662 if (check_cert_dnames(cert, WRONGCN_DNAME, CACERT_DNAME) == FAIL) {
667 cert = ne_ssl_cert_signedby(cert);
668 if (cert == NULL) {
669 t_context("no CA cert in chain");
674 if (check_cert_dnames(cert, CACERT_DNAME, CACERT_DNAME) == FAIL) {
688 struct ssl_server_args args = {"wrongcn.cert", 0};
692 /* The cert is signed by the CA but has a CN mismatch, so will
698 ONN("cert verification never called", ret == 0);
736 /* force verify cert. */
763 static int fail_ssl_request_with_error2(char *cert, char *key, char *cacert,
785 args.cert = cert;
818 static int fail_ssl_request_with_error(char *cert, char *cacert, const char *host,
822 return fail_ssl_request_with_error2(cert, NULL, cacert, host, NULL,
830 static int fail_ssl_request(char *cert, char *cacert, const char *host,
833 return fail_ssl_request_with_error(cert, cacert, host, msg, failures,
838 * cert is passed as CA cert and server cert to fail_ssl_request. */
844 return fail_ssl_request_with_error("wrongcn.cert", "ca/cert.pem", "localhost",
868 char *cert = SRCDIR("nulsan.pem"), *key = SRCDIR("nulsrv.key"),
870 CALL(fail_ssl_request_with_error2(cert, key, ca,
875 ne_free(cert);
904 /* Check that a server cert with a random issuer and self-signed cert
908 return fail_ssl_request_with_error("server.cert", NULL, "localhost",
916 "self-signed cert", NE_SSL_UNTRUSTED);
919 /* Test for failure when a server cert is presented which has no
925 ONN("accepted server cert with missing commonName",
926 any_ssl_request(sess, fail_serve, "missingcn.cert", SERVER_CERT,
939 return fail_ssl_request("altname6.cert", CA_CERT, "127.0.0.1",
940 "bad IP altname cert", NE_SSL_IDMISMATCH);
947 return fail_ssl_request("altname5.cert", CA_CERT, "localhost",
948 "bad IP altname cert", NE_SSL_IDMISMATCH);
953 return fail_ssl_request("altname8.cert", CA_CERT, "localhost",
954 "bad URI altname cert", NE_SSL_IDMISMATCH);
959 return fail_ssl_request("altname9.cert", CA_CERT, "localhost",
965 return fail_ssl_request("wildip.cert", CA_CERT, "127.0.0.1",
971 return fail_ssl_request_with_error("ca1server.cert", "ca1/cert.pem",
979 return fail_ssl_request("ca3server.cert", "ca3/cert.pem", "localhost",
989 args.cert = SERVER_CERT;
1009 /* Callback for client_cert_provider; takes a c. cert as userdata and
1018 /* Test that the on-demand client cert provider callback is used. */
1118 /* Test use of a PKCS#12 cert with an embedded CA cert - fails with <=
1130 ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
1167 * cert was requested. */
1229 * be called twice on the socket after the server cert verification
1238 ONN("server cert verification didn't fail",
1253 /* CA cert is trusted, so no verify callback should be needed. */
1380 ne_ssl_certificate *cert = ne_ssl_cert_read(fn);
1385 ONN("could not load notvalid.pem", cert == NULL);
1387 ONN("failed to digest", ne_ssl_cert_digest(cert, digest));
1388 ne_ssl_cert_free(cert);
1399 ne_ssl_certificate *cert = ne_ssl_cert_read(fname);
1402 ONV(cert == NULL, ("could not read cert `%s'", fname));
1404 id = ne_ssl_cert_identity(cert);
1416 ne_ssl_cert_free(cert);
1427 { "twocn.cert", "localhost" },
1428 { "altname1.cert", "localhost" },
1429 { "altname2.cert", "nohost.example.com" },
1430 { "altname4.cert", "localhost" },
1432 { "altname8.cert", "http://nohost.example.com/" },
1445 ne_ssl_certificate *cert = ne_ssl_cert_read(nul_cn_fn);
1448 ONN("could not read nulcn.pem", cert == NULL);
1450 id = ne_ssl_cert_identity(cert);
1457 ne_ssl_cert_free(cert);
1465 ne_ssl_certificate *cert;
1467 cert = ne_ssl_cert_read(fname);
1468 ONV(cert == NULL, ("could not load cert `%s'", fname));
1471 ne_ssl_cert_validity(cert, NULL, NULL);
1472 ne_ssl_cert_validity(cert, actfrom, NULL);
1473 ne_ssl_cert_validity(cert, NULL, actuntil);
1474 ne_ssl_cert_validity(cert, actfrom, actuntil);
1482 ne_ssl_cert_free(cert);
1489 char *cert = ne_concat(srcdir, "/expired.pem", NULL);
1490 CALL(check_validity(cert,
1492 ne_free(cert);
1493 cert = ne_concat(srcdir, "/notvalid.pem", NULL);
1494 CALL(check_validity(cert,
1496 ne_free(cert);
1511 ONN("issuer and subject names equal for signed cert",
1515 ONN("issuer of signed cert not equal to subject of CA cert",
1523 ONN("issuer and subject names not equal for self-signed cert",
1534 /* N.B. t61subj.cert encodes an ISO-8859-1 string in a T61String
1541 const char *cert;
1544 { "justmail.cert", "blah@example.com", NULL },
1545 { "t61subj.cert", I18N_DNAME, NULL },
1546 { "bmpsubj.cert", I18N_DNAME, NULL },
1547 { "utf8subj.cert", I18N_DNAME, NULL },
1548 { "twoou.cert", "First OU Dept, Second OU Dept, Neon Hackers Ltd, "
1554 ne_ssl_certificate *cert = ne_ssl_cert_read(ts[n].cert);
1555 ONV(cert == NULL, ("could not load cert %s", ts[n].cert));
1556 CALL(check_cert_dnames(cert, ts[n].subjdn, ts[n].issuerdn));
1557 ne_ssl_cert_free(cert);
1563 /* test cert comparisons */
1568 c1 = ne_ssl_cert_read("server.cert");
1569 c2 = ne_ssl_cert_read("server.cert");
1622 /* check export cert data 'actual' against expected data 'expected' */
1625 ONN("could not export cert", actual == NULL);
1630 ONV(strcmp(actual, expected), ("exported cert differed from expected:\n"
1641 ne_ssl_certificate *cert, *imp;
1643 CALL(flatten_pem("server.cert", &expected));
1645 cert = ne_ssl_cert_read("server.cert");
1646 ONN("could not load server.cert", cert == NULL);
1648 /* export the cert to and compare it with the PEM file */
1649 actual = ne_ssl_cert_export(cert);
1652 /* import the exported cert data, check it looks the same */
1654 ONN("failed to import exported cert", imp == NULL);
1655 ONN("imported cert was different to original",
1656 ne_ssl_cert_cmp(imp, cert));
1658 /* re-export the imported cert and check that looks the same */
1666 ONN("imported bogus cert from bogus base64", imp != NULL);
1668 ONN("imported bogus cert from valid base64", imp != NULL);
1670 ne_ssl_cert_free(cert);
1681 c1 = ne_ssl_cert_read("server.cert");
1682 ONN("could not load server.cert", c1 == NULL);
1701 /* A verification callback which caches the passed cert. */
1703 const ne_ssl_certificate *cert)
1708 *cache = ne_ssl_cert_export(cert);
1715 /* Test a common use of the SSL API; cache the server cert across
1721 ne_ssl_certificate *cert;
1724 args.cert = "ssigned.pem";
1731 ONN("no cert was cached", cache == NULL);
1733 /* make a real cert */
1734 cert = ne_ssl_cert_import(cache);
1735 ONN("could not import cached cert", cert == NULL);
1740 /* trust the cert */
1741 ne_ssl_trust_cert(sess, cert);
1742 ne_ssl_cert_free(cert);
1825 /* TODO: code paths still to test in cert verification:
1826 * - server cert changes between connections: Mozilla gives