timlegge/07-verify-trusted-cert.t

## 07-verify-trusted-cert.t
use v5.30.0;
use strict;
use warnings;
use Crypt::OpenSSL::Verify 0.19;
use Crypt::OpenSSL::X509;
use Data::Dumper;
use File::Slurp qw{ write_file };
use Test::More;

my $cert = '-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgISBKvb7lZfJ+anmZPDiyGC5n8mMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA3MDIwNDUzNDVaFw0y
MDA5MzAwNDUzNDVaMCIxIDAeBgNVBAMTF2NlcnR0ZXN0LmF1dGhtaWx0ZXIub3Jn
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrChPKWSLbu/BsHMxlQw
0GYri1m54sKNz1+4P1SFblNGirGninlQQShU8vh2tEbyc4yz4BuxVIPwzphfZeor
DM0e8z+wRRxqBRba2w0MrBdakguy60uTQ4524FussURmD3KH30uRkBRx9iZtGnmL
1++TKP35tI9QXkyt0geueznnqabn9LDNcEppJQr1e5873PSAk/c9tWySzLp3WVsz
fz1gm9/9gUVJmBUzEjRJ7tJecr8rEefwVD8XtTg9nymhaZSqIkew2hCGs8J5CIZr
u6uYIG5wafYo3z22D1lE8L5AJE7iV/3DEOe616JrAu51Ca3oQ2w/auUwSz0qrRse
XQIDAQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQofMao+hK3QqTM
DLFNsa766mZMjDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
ZW5jcnlwdC5vcmcvMCIGA1UdEQQbMBmCF2NlcnR0ZXN0LmF1dGhtaWx0ZXIub3Jn
MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB
9ASB8QDvAHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFzDhaN
PAAABAMARzBFAiEAjifq/iB2uolifymeNVxM8ctl5pN9K9sqhzDb1CNS/eICIDZa
YG82H33mRLKivXikD/cGQJInR2sHtMKwcM8vm4KiAHUAB7dcG+V9aP/xsMYdIxXH
uuZXfFeUt2ruvGE6GmnTohwAAAFzDhaNQQAABAMARjBEAiApOj4X/hLCcrnjsNzK
Bw4GqcLtxioTRmBgKrDnjrS1iAIgP9Ife/K+UYTv/LnfvnGtQPEJjQp4Uxug1wR1
oHI+lzowDQYJKoZIhvcNAQELBQADggEBACiq15KRA8hBVbLMZQGU3TLRXwS0SJQm
nft8nB1Uqo2DRvFs/8MsHyIR7WY5la2RNkj+BsnzxVXwToyBwwYA47Sngg+tHJFg
5WxXiufQiI1DMjAmyB1c/2BRHlkTupbBuAM+sxX27thlJTqpAqZ/6htj0HvVbKtJ
0UTCUsO79OfQuPynE9ZUF+WkSzaxwxy/SGeNbknJA77zypS8dag3QAelquyh5HS+
mKQVdxj8PviBgIFHrsFu3hPnjn/JoGEy6SVwQrq6JK77+2Yy/WZYzDKDVX/gsK5E
NMB6KCKo9fhxPSXX0gFtSOmXuPV+mO/Dag8Tu81habjidLK8/tE9s1E=
-----END CERTIFICATE-----';

my $intermediate = '-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----';

write_file('intermediate.pem', $intermediate);
write_file('cert.pem', $cert);

say 'OpenSSL verification:';
my $ret;
eval {
    $ret = `openssl verify -CAfile intermediate.pem cert.pem`;
};
ok($ret =~ 'OK', "OpenSSL verification = OK");

say 'Crypt::OpenSSL::Verify verification:';
my $verifier = Crypt::OpenSSL::Verify->new('intermediate.pem',{strict_certs=>0});
my $cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
my $verify = $verifier->verify($cert_object);
ok($verify, "Crypt::OpenSSL::Verify verification - OK");

$verifier = Crypt::OpenSSL::Verify->new('intermediate.pem',{strict_certs=>1});
$cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
$verify = $verifier->verify($cert_object);
ok($verify, "Crypt::OpenSSL::Verify strict verification - OK");

say 'OpenSSL verification - noCApath:';
eval {
    $ret = `openssl verify -no-CApath -CAfile intermediate.pem cert.pem  2>&1`;
};
ok ($ret =~ /error 2 at 1 depth lookup: .* issuer certificate/s, "OpenSSL verification no-CApath");

$verifier = Crypt::OpenSSL::Verify->new('intermediate.pem', {noCApath =>1, strict_certs=>1});
$cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
eval {
    $ret = $verifier->verify($cert_object);
};
ok($ret =~ /error 2 at 1 depth lookup: .* issuer certificate/s, "Crypt::OpenSSL::Verify - noCApath failed to find root");


say 'OpenSSL verification intermediate - noCAfile & noCApath:';
eval {
    $ret = `openssl verify -no-CApath -no-CAfile intermediate.pem  2>&1`;
};
ok ($ret =~ /error 20 at 0 depth lookup: unable to get local issuer certificate/s, "OpenSSL verification intermediate no-CAfile & no-CApath");

$verifier = Crypt::OpenSSL::Verify->new('', {noCAfile =>1,  noCApath =>1, strict_certs=>1});
$cert_object = Crypt::OpenSSL::X509->new_from_string($intermediate);
eval {
    $ret = $verifier->verify($cert_object);
};
ok($ret =~ /error 20 at 0 depth lookup: unable to get local issuer certificate/s, "Crypt::OpenSSL::Verify intermediate - noCAfile & noCApath failed to find root");


done_testing;
	use v5.30.0;
	use strict;
	use warnings;
	use Crypt::OpenSSL::Verify 0.19;
	use Crypt::OpenSSL::X509;
	use Data::Dumper;
	use File::Slurp qw{ write_file };
	use Test::More;

	my $cert = '-----BEGIN CERTIFICATE-----
	MIIFZTCCBE2gAwIBAgISBKvb7lZfJ+anmZPDiyGC5n8mMA0GCSqGSIb3DQEBCwUA
	MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
	ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA3MDIwNDUzNDVaFw0y
	MDA5MzAwNDUzNDVaMCIxIDAeBgNVBAMTF2NlcnR0ZXN0LmF1dGhtaWx0ZXIub3Jn
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrChPKWSLbu/BsHMxlQw
	0GYri1m54sKNz1+4P1SFblNGirGninlQQShU8vh2tEbyc4yz4BuxVIPwzphfZeor
	DM0e8z+wRRxqBRba2w0MrBdakguy60uTQ4524FussURmD3KH30uRkBRx9iZtGnmL
	1++TKP35tI9QXkyt0geueznnqabn9LDNcEppJQr1e5873PSAk/c9tWySzLp3WVsz
	fz1gm9/9gUVJmBUzEjRJ7tJecr8rEefwVD8XtTg9nymhaZSqIkew2hCGs8J5CIZr
	u6uYIG5wafYo3z22D1lE8L5AJE7iV/3DEOe616JrAu51Ca3oQ2w/auUwSz0qrRse
	XQIDAQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
	BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQofMao+hK3QqTM
	DLFNsa766mZMjDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
	BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
	ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
	ZW5jcnlwdC5vcmcvMCIGA1UdEQQbMBmCF2NlcnR0ZXN0LmF1dGhtaWx0ZXIub3Jn
	MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH
	AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB
	9ASB8QDvAHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFzDhaN
	PAAABAMARzBFAiEAjifq/iB2uolifymeNVxM8ctl5pN9K9sqhzDb1CNS/eICIDZa
	YG82H33mRLKivXikD/cGQJInR2sHtMKwcM8vm4KiAHUAB7dcG+V9aP/xsMYdIxXH
	uuZXfFeUt2ruvGE6GmnTohwAAAFzDhaNQQAABAMARjBEAiApOj4X/hLCcrnjsNzK
	Bw4GqcLtxioTRmBgKrDnjrS1iAIgP9Ife/K+UYTv/LnfvnGtQPEJjQp4Uxug1wR1
	oHI+lzowDQYJKoZIhvcNAQELBQADggEBACiq15KRA8hBVbLMZQGU3TLRXwS0SJQm
	nft8nB1Uqo2DRvFs/8MsHyIR7WY5la2RNkj+BsnzxVXwToyBwwYA47Sngg+tHJFg
	5WxXiufQiI1DMjAmyB1c/2BRHlkTupbBuAM+sxX27thlJTqpAqZ/6htj0HvVbKtJ
	0UTCUsO79OfQuPynE9ZUF+WkSzaxwxy/SGeNbknJA77zypS8dag3QAelquyh5HS+
	mKQVdxj8PviBgIFHrsFu3hPnjn/JoGEy6SVwQrq6JK77+2Yy/WZYzDKDVX/gsK5E
	NMB6KCKo9fhxPSXX0gFtSOmXuPV+mO/Dag8Tu81habjidLK8/tE9s1E=
	-----END CERTIFICATE-----';

	my $intermediate = '-----BEGIN CERTIFICATE-----
	MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
	DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
	SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
	GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
	AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
	q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
	SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
	Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
	a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
	/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
	AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
	CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
	bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
	c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
	VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
	ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
	MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
	Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
	AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
	uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
	wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
	X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
	PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
	KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
	-----END CERTIFICATE-----';

	write_file('intermediate.pem', $intermediate);
	write_file('cert.pem', $cert);

	say 'OpenSSL verification:';
	my $ret;
	eval {
	$ret = `openssl verify -CAfile intermediate.pem cert.pem`;
	};
	ok($ret =~ 'OK', "OpenSSL verification = OK");

	say 'Crypt::OpenSSL::Verify verification:';
	my $verifier = Crypt::OpenSSL::Verify->new('intermediate.pem',{strict_certs=>0});
	my $cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
	my $verify = $verifier->verify($cert_object);
	ok($verify, "Crypt::OpenSSL::Verify verification - OK");

	$verifier = Crypt::OpenSSL::Verify->new('intermediate.pem',{strict_certs=>1});
	$cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
	$verify = $verifier->verify($cert_object);
	ok($verify, "Crypt::OpenSSL::Verify strict verification - OK");

	say 'OpenSSL verification - noCApath:';
	eval {
	$ret = `openssl verify -no-CApath -CAfile intermediate.pem cert.pem 2>&1`;
	};
	ok ($ret =~ /error 2 at 1 depth lookup: .* issuer certificate/s, "OpenSSL verification no-CApath");

	$verifier = Crypt::OpenSSL::Verify->new('intermediate.pem', {noCApath =>1, strict_certs=>1});
	$cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
	eval {
	$ret = $verifier->verify($cert_object);
	};
	ok($ret =~ /error 2 at 1 depth lookup: .* issuer certificate/s, "Crypt::OpenSSL::Verify - noCApath failed to find root");


	say 'OpenSSL verification intermediate - noCAfile & noCApath:';
	eval {
	$ret = `openssl verify -no-CApath -no-CAfile intermediate.pem 2>&1`;
	};
	ok ($ret =~ /error 20 at 0 depth lookup: unable to get local issuer certificate/s, "OpenSSL verification intermediate no-CAfile & no-CApath");

	$verifier = Crypt::OpenSSL::Verify->new('', {noCAfile =>1, noCApath =>1, strict_certs=>1});
	$cert_object = Crypt::OpenSSL::X509->new_from_string($intermediate);
	eval {
	$ret = $verifier->verify($cert_object);
	};
	ok($ret =~ /error 20 at 0 depth lookup: unable to get local issuer certificate/s, "Crypt::OpenSSL::Verify intermediate - noCAfile & noCApath failed to find root");


	done_testing;
No results found