#
# test for Radar 4515141: perform cert verify with CRL checking one second before and
# one second after the cert was revoked; the former should succeed, the latter should fail
#
# leaf cert
# not before 20060417191040Z 19:10:40 Apr 17, 2006
# not after 20160414191040Z 19:10:40 Apr 14, 2016
#
# root cert
# (issued 46 seconds before the leaf, so its notAfter is also 46 seconds before
# the leaf's notAfter -- this is why the "at NotAfter" test below sets allowExpiredRoot)
# not before 20060417190954Z 19:09:54 Apr 17, 2006
# not after 20160414190954Z 19:09:54 Apr 14, 2016
#
# CRL: not valid until well after leaf cert was created, valid for 10 years, revocation
# 12 hours after CRL is created
#
# % makeCrl -s crlTestLeaf.cer -i crlTestRoot.cer -o crl.crl -n 315360000 -r 43200
# ...wrote 282 bytes to crl.crl.
#
# (315360000 s = 3650 days and 43200 s = 12 hours, which matches the validity and
# revocation offset described above; presumably -n and -r are those two values.)
#
# this update 20060417210558Z 21:05:58 Apr 17, 2006
# next update 20160414210558Z 21:05:58 Apr 14, 2016
# cert revoked 20060418090558Z 09:05:58 Apr 18, 2006
#
# Expected results, one test block each below:
# Test cert at revoke + 1 ==> fail 20060418090559Z
# Test cert at revoke - 1 ==> OK 20060418090557Z
# Test cert at create with CRL ==> OK 20060417191040Z (before revocation, before CRL)
# Test cert at create w/o CRL ==> OK 20060417191040Z
# Test cert at create-1 w/o CRL - not yet valid 20060417191039Z
# Test cert at not after w/o CRL - OK 20160414191040Z
# Test cert at not after + 1 - fail 20160414191041Z
#
# Certs were generated from CA in keychain, crlKeychain.keychain, pwd = crlKeychain,
# in clxutils/makeCrl/testFiles. (Test-fixture keychain; it protects only the
# generated test material listed above.)
#

# Settings that apply to every test block in this file.
globals
# No network fetching of certs or CRLs: each test supplies its cert, root and
# CRL explicitly via the cert/root/crl keys, so results should not depend on
# network reachability.
certNetFetchEnable = false
crlNetFetchEnable = false
# Trust is anchored only on the root named in each test, not the system anchors,
# so the expected error/status values are not affected by the host's trust store.
useSystemAnchors = false
# NOTE(review): the exact effect of allowUnverified is not documented in this
# file -- confirm against the consuming tool before relying on it in negative tests.
allowUnverified = true
end

# Baseline: chain builds and verifies at the tool's default verification time
# with no revocation checking requested. No 'error' key, so success is expected.
test = "basic, no CRL"
requireCrlForAll = false
cert = crlTestLeaf.cer
root = crlTestRoot.cer
end

#
# This is a handy place to test the corner cases of notBefore and notAfter.
# I don't believe these have ever been tested right to the second.
#
# verifyTime equals the leaf's notBefore exactly; the boundary is inclusive,
# so this must succeed.
test = "basic, no CRL, at NotBefore"
requireCrlForAll = false
cert = crlTestLeaf.cer
root = crlTestRoot.cer
verifyTime = 20060417191040Z
end

# One second before the leaf's notBefore: must fail as not-yet-valid.
test = "basic, no CRL, before NotBefore, expect fail"
requireCrlForAll = false
cert = crlTestLeaf.cer
root = crlTestRoot.cer
verifyTime = 20060417191039Z
error = CSSMERR_TP_CERT_NOT_VALID_YET
# CSSM_CERT_STATUS_NOT_VALID_YET | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
# (index 0 is presumably the first cert in the chain, i.e. the leaf)
certstatus = 0:0x06
end

#
# Note root was created before leaf so we assume it will be expired at
# the time of the leaf cert's NotAfter.
#
# verifyTime equals the leaf's notAfter exactly (inclusive boundary, must succeed).
# The root's notAfter (20160414190954Z) is 46 seconds earlier, so the root is
# already expired here; allowExpiredRoot keeps the test focused on the leaf boundary.
test = "basic, no CRL, at NotAfter"
requireCrlForAll = false
cert = crlTestLeaf.cer
root = crlTestRoot.cer
verifyTime = 20160414191040Z
allowExpiredRoot = true
end

# One second after the leaf's notAfter: must fail as expired.
# (No allowExpiredRoot here; the expected error and status are for the leaf.)
test = "basic, no CRL, at NotAfter plus 1, expect fail"
requireCrlForAll = false
cert = crlTestLeaf.cer
root = crlTestRoot.cer
verifyTime = 20160414191041Z
error = CSSMERR_TP_CERT_EXPIRED
# CSSM_CERT_STATUS_EXPIRED | CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
certstatus = 0:0x05
end

#
# Begin CRL testing.
# All CRL tests set requireCrlForAll = true so that a missing or unusable CRL is
# itself a failure rather than a silent pass-through.
#
test = "CRL, prior to revocation, within CRL validity"
requireCrlForAll = true
revokePolicy = crl
cert = crlTestLeaf.cer
root = crlTestRoot.cer
crl = crl.crl
# One second before revocation
# (revoked 20060418090558Z; CRL thisUpdate 20060417210558Z is already in the past,
# so the CRL is usable and the leaf is not yet listed). No 'error' key: expect success.
verifyTime = 20060418090557Z
end

#
# This ensures that we verify the CRL itself at 'now' instead of the
# cert verification time.
#
# verifyTime here precedes the CRL's thisUpdate (20060417210558Z). Per the
# expectations in the header this must still succeed; the CRL's own validity is
# judged at the current time, not at verifyTime. No 'error' key: expect success.
test = "CRL, prior to revocation, before CRL validity"
requireCrlForAll = true
revokePolicy = crl
cert = crlTestLeaf.cer
root = crlTestRoot.cer
crl = crl.crl
# Leaf create/notBefore time, definitely before the CRL is valid.
verifyTime = 20060417191040Z
end

test = "CRL, subsequent to revocation"
requireCrlForAll = true
revokePolicy = crl
cert = crlTestLeaf.cer
root = crlTestRoot.cer
crl = crl.crl
# Normal revocation case.
# One second after revocation (20060418090558Z): the leaf is on the CRL, so
# verification must fail with the revoked error reported against cert 0.
verifyTime = 20060418090559Z
error = CSSMERR_TP_CERT_REVOKED
certerror = 0:CSSMERR_TP_CERT_REVOKED
end