Check chain extensions also for trusted certificates

This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

7 files changed, 168 insertions, 35 deletions

diff --git a/test/certs/root+anyEKU.pem b/test/certs/root+anyEKU.pem
new file mode 100644
index 0000000000..97e0732189
--- /dev/null
+++ b/test/certs/root+anyEKU.pem
@@ -0,0 +1,18 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8
+oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS
+feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN
+wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g
+MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u
+aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff
+tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3
+o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw
+bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2
+UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY
+mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg
+Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO
+bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8DAIMAYGBFUdJQA=
+-----END TRUSTED CERTIFICATE-----
diff --git a/test/certs/root-anyEKU.pem b/test/certs/root-anyEKU.pem
new file mode 100644
index 0000000000..712b1f572a
--- /dev/null
+++ b/test/certs/root-anyEKU.pem
@@ -0,0 +1,18 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8
+oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS
+feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN
+wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g
+MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u
+aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff
+tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3
+o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw
+bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2
+UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY
+mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg
+Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO
+bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8DAIoAYGBFUdJQA=
+-----END TRUSTED CERTIFICATE-----
diff --git a/test/certs/root2+clientAuth.pem b/test/certs/root2+clientAuth.pem
new file mode 100644
index 0000000000..41355b040e
--- /dev/null
+++ b/test/certs/root2+clientAuth.pem
@@ -0,0 +1,19 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5
+wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+
+R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp
+/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU
+/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6
+7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv
+akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y
+Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv
+NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+
+qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM
+o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+
+zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y
+9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMMAoGCCsGAQUF
+BwMC
+-----END TRUSTED CERTIFICATE-----
diff --git a/test/certs/root2+serverAuth.pem b/test/certs/root2+serverAuth.pem
new file mode 100644
index 0000000000..52053f1bf6
--- /dev/null
+++ b/test/certs/root2+serverAuth.pem
@@ -0,0 +1,19 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5
+wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+
+R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp
+/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU
+/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6
+7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv
+akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y
+Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv
+NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+
+qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM
+o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+
+zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y
+9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMMAoGCCsGAQUF
+BwMB
+-----END TRUSTED CERTIFICATE-----
diff --git a/test/certs/root2-serverAuth.pem b/test/certs/root2-serverAuth.pem
new file mode 100644
index 0000000000..dae848a1a9
--- /dev/null
+++ b/test/certs/root2-serverAuth.pem
@@ -0,0 +1,19 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5
+wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+
+R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp
+/5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU
+/vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6
+7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv
+akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y
+Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv
+NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+
+qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM
+o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+
+zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y
+9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1zAMoAoGCCsGAQUF
+BwMB
+-----END TRUSTED CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index b50f7e3015..795ff4aa0f 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -2,7 +2,7 @@
 
 # Primary root: root-cert
 # root certs variants: CA:false, key2, DN2
-# trust variants: +serverAuth -serverAuth +clientAuth
+# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
 #
 ./mkcert.sh genroot "Root CA" root-key root-cert
 ./mkcert.sh genss "Root CA" root-key root-nonca
@@ -15,6 +15,16 @@ openssl x509 -in root-cert.pem -trustout \
     -addreject serverAuth -out root-serverAuth.pem
 openssl x509 -in root-cert.pem -trustout \
     -addtrust clientAuth -out root+clientAuth.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addreject anyExtendedKeyUsage -out root-anyEKU.pem
+openssl x509 -in root-cert.pem -trustout \
+    -addtrust anyExtendedKeyUsage -out root+anyEKU.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addtrust serverAuth -out root2+serverAuth.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addreject serverAuth -out root2-serverAuth.pem
+openssl x509 -in root-cert2.pem -trustout \
+    -addtrust clientAuth -out root2+clientAuth.pem
 
 # Primary intermediate ca: ca-cert
 # ca variants: CA:false, key2, DN2, issuer2, expired
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 56d83077d4..93d993dcdc 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -9,80 +9,110 @@ use OpenSSL::Test qw/:DEFAULT top_file/;
 setup("test_verify");
 
 sub verify {
-    my ($cert, $vname, $trusted, $untrusted, @opts) = @_;
-    my @args = qw(openssl verify -verify_name);
+    my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
+    my @args = qw(openssl verify -purpose);
     my @path = qw(test certs);
-    push(@args, "$vname", @opts);
+    push(@args, "$purpose", @opts);
     for (@$trusted) { push(@args, "-trusted", top_file(@path, "$_.pem")) }
     for (@$untrusted) { push(@args, "-untrusted", top_file(@path, "$_.pem")) }
     push(@args, top_file(@path, "$cert.pem"));
     run(app([@args]));
 }
 
-plan tests => 29;
+plan tests => 38;
 
 # Canonical success
-ok(verify("ee-cert", "ssl_server", ["root-cert"], ["ca-cert"]),
+ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
    "verify valid chain");
 
 # Root CA variants
-ok(verify("ee-cert", "ssl_server", [qw(root-nonca)], [qw(ca-cert)]),
-   "Trusted certs not subject to CA:true checks");
-ok(!verify("ee-cert", "ssl_server", [qw(root-cert2)], [qw(ca-cert)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
+   "Trusted CA certs now subject to CA:true checks");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
    "fail wrong root key");
-ok(!verify("ee-cert", "ssl_server", [qw(root-name2)], [qw(ca-cert)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
    "fail wrong root DN");
-ok(verify("ee-cert", "ssl_server", [qw(root+serverAuth)], [qw(ca-cert)]),
+ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
    "accept right EKU");
-ok(!verify("ee-cert", "ssl_server", [qw(root-serverAuth)], [qw(ca-cert)]),
+ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
+   "accept anyEKU");
+ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
    "fail rejected EKU");
-ok(!verify("ee-cert", "ssl_server", [qw(root+clientAuth)], [qw(ca-cert)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
+   "fail rejected anyEKU");
+ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
    "fail wrong EKU");
 
+# Check that trusted-first is on by setting up paths to different roots
+# depending on whether the intermediate is the trusted or untrusted one.
+#
+ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
+          [qw(ca-cert)]),
+   "verify trusted-first path");
+ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
+          [qw(ca-cert)]),
+   "verify trusted-first path right EKU");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
+           [qw(ca-cert)]),
+   "fail trusted-first path rejected EKU");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
+           [qw(ca-cert)]),
+   "fail trusted-first path wrong EKU");
+
 # CA variants
-ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-nonca)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
    "fail non-CA");
-ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-cert2)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
    "fail wrong CA key");
-ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-name2)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
    "fail wrong CA DN");
-ok(!verify("ee-cert", "ssl_server", [qw(root-cert)], [qw(ca-root2)]),
+ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
    "fail wrong CA issuer");
-ok(!verify("ee-cert", "ssl_server", [], [qw(ca-cert)], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
    "fail untrusted partial");
-ok(!verify("ee-cert", "ssl_server", [], [qw(ca+serverAuth)], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
    "fail untrusted EKU partial");
-ok(verify("ee-cert", "ssl_server", [qw(ca+serverAuth)], [], "-partial_chain"),
+ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
    "accept trusted EKU partial");
-ok(!verify("ee-cert", "ssl_server", [qw(ca-serverAuth)], [], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
    "fail rejected EKU partial");
-ok(!verify("ee-cert", "ssl_server", [qw(ca+clientAuth)], [], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
    "fail wrong EKU partial");
 
+# We now test auxiliary trust even for intermediate trusted certs without
+# -partial_chain.  Note that "-trusted_first" is now always on and cannot
+# be disabled.
+ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
+   "accept trusted EKU");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
+   "fail rejected EKU");
+ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
+   "fail wrong EKU");
+
 # EE variants
-ok(verify("ee-client", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
+ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
    "accept client cert");
-ok(!verify("ee-client", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
+ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong leaf purpose");
-ok(!verify("ee-cert", "ssl_client", [qw(root-cert)], [qw(ca-cert)]),
+ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong leaf purpose");
-ok(!verify("ee-cert2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
+ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong CA key");
-ok(!verify("ee-name2", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
+ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail wrong CA name");
-ok(!verify("ee-expired", "ssl_server", [qw(root-cert)], [qw(ca-cert)]),
+ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
    "fail expired leaf");
-ok(verify("ee-cert", "ssl_server", [qw(ee-cert)], [], "-partial_chain"),
+ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
    "accept last-resort direct leaf match");
-ok(verify("ee-client", "ssl_client", [qw(ee-client)], [], "-partial_chain"),
+ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
    "accept last-resort direct leaf match");
-ok(!verify("ee-cert", "ssl_server", [qw(ee-client)], [], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
    "fail last-resort direct leaf non-match");
-ok(verify("ee-cert", "ssl_server", [qw(ee+serverAuth)], [], "-partial_chain"),
+ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
    "accept direct match with trusted EKU");
-ok(!verify("ee-cert", "ssl_server", [qw(ee-serverAuth)], [], "-partial_chain"),
+ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
    "reject direct match with rejected EKU");
-ok(verify("ee-client", "ssl_client", [qw(ee+clientAuth)], [], "-partial_chain"),
+ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
    "accept direct match with trusted EKU");
-ok(!verify("ee-client", "ssl_client", [qw(ee-clientAuth)], [], "-partial_chain"),
+ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
    "reject direct match with rejected EKU");