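--- a/test/pkits-test.pl
+++ b/test/pkits-test.pl
@@ -0,0 +1,940 @@
+# test/pkits-test.pl
+# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+# project.
+#
+# ====================================================================
+# Copyright (c) 2008 The OpenSSL Project. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+# software must display the following acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+# endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# licensing@OpenSSL.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+# nor may "OpenSSL" appear in their names without prior written
+# permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+# acknowledgment:
+# "This product includes software developed by the OpenSSL Project
+# for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+
+# Perl utility to run PKITS tests for RFC3280 compliance.
+
+my $ossl_path;
+
+if ( -f "../apps/openssl" ) {
+$ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
+}
+elsif ( -f "..\\out32dll\\openssl.exe" ) {
+$ossl_path = "..\\out32dll\\openssl.exe";
+}
+elsif ( -f "..\\out32\\openssl.exe" ) {
+$ossl_path = "..\\out32\\openssl.exe";
+}
+else {
+die "Can't find OpenSSL executable";
+}
+
+my $pkitsdir = "pkits/smime";
+my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
+
+die "Can't find PKITS test data" if !-d $pkitsdir;
+
+my $nist1 = "2.16.840.1.101.3.2.1.48.1";
+my $nist2 = "2.16.840.1.101.3.2.1.48.2";
+my $nist3 = "2.16.840.1.101.3.2.1.48.3";
+my $nist4 = "2.16.840.1.101.3.2.1.48.4";
+my $nist5 = "2.16.840.1.101.3.2.1.48.5";
+my $nist6 = "2.16.840.1.101.3.2.1.48.6";
+
+my $apolicy = "X509v3 Any Policy";
+
+# This table contains the chapter headings of the accompanying PKITS
+# document. They provide useful informational output and their names
+# can be converted into the filename to test.
+
+my @testlists = (
+[ "4.1", "Signature Verification" ],
+[ "4.1.1", "Valid Signatures Test1", 0 ],
+[ "4.1.2", "Invalid CA Signature Test2", 7 ],
+[ "4.1.3", "Invalid EE Signature Test3", 7 ],
+[ "4.1.4", "Valid DSA Signatures Test4", 0 ],
+[ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
+[ "4.1.6", "Invalid DSA Signature Test6", 7 ],
+[ "4.2", "Validity Periods" ],
+[ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
+[ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
+[ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
+[ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
+[ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
+[ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
+[ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
+[ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
+[ "4.3", "Verifying Name Chaining" ],
+[ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
+[ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
+[ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
+[ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
+[ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
+[ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
+[ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
+[ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
+[ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
+[ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
+[ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
+[ "4.4", "Basic Certificate Revocation Tests" ],
+[ "4.4.1", "Missing CRL Test1", 3 ],
+[ "4.4.2", "Invalid Revoked CA Test2", 23 ],
+[ "4.4.3", "Invalid Revoked EE Test3", 23 ],
+[ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
+[ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
+[ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
+[ "4.4.7", "Valid Two CRLs Test7", 0 ],
+
+# The test document suggests these should return certificate revoked...
+# Subsquent discussion has concluded they should not due to unhandle
+# critical CRL extensions.
+[ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
+[ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
+
+[ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
+[ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
+[ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
+[ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
+[ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
+[ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
+[ "4.4.16", "Valid Long Serial Number Test16", 0 ],
+[ "4.4.17", "Valid Long Serial Number Test17", 0 ],
+[ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
+[ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
+[ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
+
+# CRL path is revoked so get a CRL path validation error
+[ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
+[ "4.5", "Verifying Paths with Self-Issued Certificates" ],
+[ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
+[ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
+[ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
+[ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
+[ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
+[ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
+[ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
+[ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
+[ "4.6", "Verifying Basic Constraints" ],
+[ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
+[ "4.6.2", "Invalid cA False Test2", 24 ],
+[ "4.6.3", "Invalid cA False Test3", 24 ],
+[ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
+[ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
+[ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
+[ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
+[ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
+[ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
+[ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
+[ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
+[ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
+[ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
+[ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
+[ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
+[ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
+[ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
+[ "4.7", "Key Usage" ],
+[ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
+[ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
+[ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
+[ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
+[ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],
+
+# Certificate policy tests need special handling. They can have several
+# sub tests and we need to check the outputs are correct.
+
+[ "4.8", "Certificate Policies" ],
+[
+"4.8.1.1",
+"All Certificates Same Policy Test1",
+"-policy anyPolicy -explicit_policy",
+"True", $nist1, $nist1, 0
+],
+[
+"4.8.1.2",
+"All Certificates Same Policy Test1",
+"-policy $nist1 -explicit_policy",
+"True", $nist1, $nist1, 0
+],
+[
+"4.8.1.3",
+"All Certificates Same Policy Test1",
+"-policy $nist2 -explicit_policy",
+"True", $nist1, "<empty>", 43
+],
+[
+"4.8.1.4",
+"All Certificates Same Policy Test1",
+"-policy $nist1 -policy $nist2 -explicit_policy",
+"True", $nist1, $nist1, 0
+],
+[
+"4.8.2.1",
+"All Certificates No Policies Test2",
+"-policy anyPolicy",
+"False", "<empty>", "<empty>", 0
+],
+[
+"4.8.2.2",
+"All Certificates No Policies Test2",
+"-policy anyPolicy -explicit_policy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.3.1",
+"Different Policies Test3",
+"-policy anyPolicy",
+"False", "<empty>", "<empty>", 0
+],
+[
+"4.8.3.2",
+"Different Policies Test3",
+"-policy anyPolicy -explicit_policy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.3.3",
+"Different Policies Test3",
+"-policy $nist1 -policy $nist2 -explicit_policy",
+"True", "<empty>", "<empty>", 43
+],
+
+[
+"4.8.4",
+"Different Policies Test4",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.5",
+"Different Policies Test5",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.6.1",
+"Overlapping Policies Test6",
+"-policy anyPolicy",
+"True", $nist1, $nist1, 0
+],
+[
+"4.8.6.2",
+"Overlapping Policies Test6",
+"-policy $nist1",
+"True", $nist1, $nist1, 0
+],
+[
+"4.8.6.3",
+"Overlapping Policies Test6",
+"-policy $nist2",
+"True", $nist1, "<empty>", 43
+],
+[
+"4.8.7",
+"Different Policies Test7",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.8",
+"Different Policies Test8",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.9",
+"Different Policies Test9",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.10.1",
+"All Certificates Same Policies Test10",
+"-policy $nist1",
+"True", "$nist1:$nist2", "$nist1", 0
+],
+[
+"4.8.10.2",
+"All Certificates Same Policies Test10",
+"-policy $nist2",
+"True", "$nist1:$nist2", "$nist2", 0
+],
+[
+"4.8.10.3",
+"All Certificates Same Policies Test10",
+"-policy anyPolicy",
+"True", "$nist1:$nist2", "$nist1:$nist2", 0
+],
+[
+"4.8.11.1",
+"All Certificates AnyPolicy Test11",
+"-policy anyPolicy",
+"True", "$apolicy", "$apolicy", 0
+],
+[
+"4.8.11.2",
+"All Certificates AnyPolicy Test11",
+"-policy $nist1",
+"True", "$apolicy", "$nist1", 0
+],
+[
+"4.8.12",
+"Different Policies Test12",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.8.13.1",
+"All Certificates Same Policies Test13",
+"-policy $nist1",
+"True", "$nist1:$nist2:$nist3", "$nist1", 0
+],
+[
+"4.8.13.2",
+"All Certificates Same Policies Test13",
+"-policy $nist2",
+"True", "$nist1:$nist2:$nist3", "$nist2", 0
+],
+[
+"4.8.13.3",
+"All Certificates Same Policies Test13",
+"-policy $nist3",
+"True", "$nist1:$nist2:$nist3", "$nist3", 0
+],
+[
+"4.8.14.1", "AnyPolicy Test14",
+"-policy $nist1", "True",
+"$nist1", "$nist1",
+0
+],
+[
+"4.8.14.2", "AnyPolicy Test14",
+"-policy $nist2", "True",
+"$nist1", "<empty>",
+43
+],
+[
+"4.8.15",
+"User Notice Qualifier Test15",
+"-policy anyPolicy",
+"False", "$nist1", "$nist1", 0
+],
+[
+"4.8.16",
+"User Notice Qualifier Test16",
+"-policy anyPolicy",
+"False", "$nist1", "$nist1", 0
+],
+[
+"4.8.17",
+"User Notice Qualifier Test17",
+"-policy anyPolicy",
+"False", "$nist1", "$nist1", 0
+],
+[
+"4.8.18.1",
+"User Notice Qualifier Test18",
+"-policy $nist1",
+"True", "$nist1:$nist2", "$nist1", 0
+],
+[
+"4.8.18.2",
+"User Notice Qualifier Test18",
+"-policy $nist2",
+"True", "$nist1:$nist2", "$nist2", 0
+],
+[
+"4.8.19",
+"User Notice Qualifier Test19",
+"-policy anyPolicy",
+"False", "$nist1", "$nist1", 0
+],
+[
+"4.8.20",
+"CPS Pointer Qualifier Test20",
+"-policy anyPolicy -explicit_policy",
+"True", "$nist1", "$nist1", 0
+],
+[ "4.9", "Require Explicit Policy" ],
+[
+"4.9.1",
+"Valid RequireExplicitPolicy Test1",
+"-policy anyPolicy",
+"False", "<empty>", "<empty>", 0
+],
+[
+"4.9.2",
+"Valid RequireExplicitPolicy Test2",
+"-policy anyPolicy",
+"False", "<empty>", "<empty>", 0
+],
+[
+"4.9.3",
+"Invalid RequireExplicitPolicy Test3",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.9.4",
+"Valid RequireExplicitPolicy Test4",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.9.5",
+"Invalid RequireExplicitPolicy Test5",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.9.6",
+"Valid Self-Issued requireExplicitPolicy Test6",
+"-policy anyPolicy",
+"False", "<empty>", "<empty>", 0
+],
+[
+"4.9.7",
+"Invalid Self-Issued requireExplicitPolicy Test7",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.9.8",
+"Invalid Self-Issued requireExplicitPolicy Test8",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[ "4.10", "Policy Mappings" ],
+[
+"4.10.1.1",
+"Valid Policy Mapping Test1",
+"-policy $nist1",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.10.1.2",
+"Valid Policy Mapping Test1",
+"-policy $nist2",
+"True", "$nist1", "<empty>", 43
+],
+[
+"4.10.1.3",
+"Valid Policy Mapping Test1",
+"-policy anyPolicy -inhibit_map",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.10.2.1",
+"Invalid Policy Mapping Test2",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.10.2.2",
+"Invalid Policy Mapping Test2",
+"-policy anyPolicy -inhibit_map",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.10.3.1",
+"Valid Policy Mapping Test3",
+"-policy $nist1",
+"True", "$nist2", "<empty>", 43
+],
+[
+"4.10.3.2",
+"Valid Policy Mapping Test3",
+"-policy $nist2",
+"True", "$nist2", "$nist2", 0
+],
+[
+"4.10.4",
+"Invalid Policy Mapping Test4",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.10.5.1",
+"Valid Policy Mapping Test5",
+"-policy $nist1",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.10.5.2",
+"Valid Policy Mapping Test5",
+"-policy $nist6",
+"True", "$nist1", "<empty>", 43
+],
+[
+"4.10.6.1",
+"Valid Policy Mapping Test6",
+"-policy $nist1",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.10.6.2",
+"Valid Policy Mapping Test6",
+"-policy $nist6",
+"True", "$nist1", "<empty>", 43
+],
+[ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
+[ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
+[
+"4.10.9",
+"Valid Policy Mapping Test9",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.10.10",
+"Invalid Policy Mapping Test10",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.10.11",
+"Valid Policy Mapping Test11",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+
+# TODO: check notice display
+[
+"4.10.12.1",
+"Valid Policy Mapping Test12",
+"-policy $nist1",
+"True", "$nist1:$nist2", "$nist1", 0
+],
+
+# TODO: check notice display
+[
+"4.10.12.2",
+"Valid Policy Mapping Test12",
+"-policy $nist2",
+"True", "$nist1:$nist2", "$nist2", 0
+],
+[
+"4.10.13",
+"Valid Policy Mapping Test13",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+
+# TODO: check notice display
+[
+"4.10.14",
+"Valid Policy Mapping Test14",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[ "4.11", "Inhibit Policy Mapping" ],
+[
+"4.11.1",
+"Invalid inhibitPolicyMapping Test1",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.2",
+"Valid inhibitPolicyMapping Test2",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.11.3",
+"Invalid inhibitPolicyMapping Test3",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.4",
+"Valid inhibitPolicyMapping Test4",
+"-policy anyPolicy",
+"True", "$nist2", "$nist2", 0
+],
+[
+"4.11.5",
+"Invalid inhibitPolicyMapping Test5",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.6",
+"Invalid inhibitPolicyMapping Test6",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.7",
+"Valid Self-Issued inhibitPolicyMapping Test7",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.11.8",
+"Invalid Self-Issued inhibitPolicyMapping Test8",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.9",
+"Invalid Self-Issued inhibitPolicyMapping Test9",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.10",
+"Invalid Self-Issued inhibitPolicyMapping Test10",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.11.11",
+"Invalid Self-Issued inhibitPolicyMapping Test11",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[ "4.12", "Inhibit Any Policy" ],
+[
+"4.12.1",
+"Invalid inhibitAnyPolicy Test1",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.12.2",
+"Valid inhibitAnyPolicy Test2",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.12.3.1",
+"inhibitAnyPolicy Test3",
+"-policy anyPolicy",
+"True", "$nist1", "$nist1", 0
+],
+[
+"4.12.3.2",
+"inhibitAnyPolicy Test3",
+"-policy anyPolicy -inhibit_any",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.12.4",
+"Invalid inhibitAnyPolicy Test4",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.12.5",
+"Invalid inhibitAnyPolicy Test5",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[
+"4.12.6",
+"Invalid inhibitAnyPolicy Test6",
+"-policy anyPolicy",
+"True", "<empty>", "<empty>", 43
+],
+[ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
+[ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
+[ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
+[ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
+[ "4.13", "Name Constraints" ],
+[ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
+[ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
+[ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
+[ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
+[ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
+[ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
+[ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
+[ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
+[ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
+[ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
+[ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
+[ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
+[ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
+[ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
+[ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
+[ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
+[ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
+[ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
+[ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
+[ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
+[ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
+[ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
+[ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
+[ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
+[ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
+[ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
+[ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
+[ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
+[ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
+[ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
+[ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
+[ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
+[ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
+[ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
+[ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
+[ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
+[ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
+[ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
+[ "4.14", "Distribution Points" ],
+[ "4.14.1", "Valid distributionPoint Test1", 0 ],
+[ "4.14.2", "Invalid distributionPoint Test2", 23 ],
+[ "4.14.3", "Invalid distributionPoint Test3", 44 ],
+[ "4.14.4", "Valid distributionPoint Test4", 0 ],
+[ "4.14.5", "Valid distributionPoint Test5", 0 ],
+[ "4.14.6", "Invalid distributionPoint Test6", 23 ],
+[ "4.14.7", "Valid distributionPoint Test7", 0 ],
+[ "4.14.8", "Invalid distributionPoint Test8", 44 ],
+[ "4.14.9", "Invalid distributionPoint Test9", 44 ],
+[ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
+[ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
+[ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
+[ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
+[ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
+[ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
+[ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
+[ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
+[ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
+[ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
+[ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
+[ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
+[ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
+[ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
+[ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
+[ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
+[ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
+[ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
+[ "4.14.28", "Valid cRLIssuer Test28", 0 ],
+[ "4.14.29", "Valid cRLIssuer Test29", 0 ],
+
+# Although this test is valid it has a circular dependency. As a result
+# an attempt is made to reursively checks a CRL path and rejected due to
+# a CRL path validation error. PKITS notes suggest this test does not
+# need to be run due to this issue.
+[ "4.14.30", "Valid cRLIssuer Test30", 54 ],
+[ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
+[ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
+[ "4.14.33", "Valid cRLIssuer Test33", 0 ],
+[ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
+[ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
+[ "4.15", "Delta-CRLs" ],
+[ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
+[ "4.15.2", "Valid delta-CRL Test2", 0 ],
+[ "4.15.3", "Invalid delta-CRL Test3", 23 ],
+[ "4.15.4", "Invalid delta-CRL Test4", 23 ],
+[ "4.15.5", "Valid delta-CRL Test5", 0 ],
+[ "4.15.6", "Invalid delta-CRL Test6", 23 ],
+[ "4.15.7", "Valid delta-CRL Test7", 0 ],
+[ "4.15.8", "Valid delta-CRL Test8", 0 ],
+[ "4.15.9", "Invalid delta-CRL Test9", 23 ],
+[ "4.15.10", "Invalid delta-CRL Test10", 12 ],
+[ "4.16", "Private Certificate Extensions" ],
+[ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
+[ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
+);
+
+
+my $verbose = 1;
+
+my $numtest = 0;
+my $numfail = 0;
+
+my $ossl = "ossl/apps/openssl";
+
+my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
+$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
+$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
+
+system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
+
+die "Can't create trust anchor file" if $?;
+
+print "Running PKITS tests:\n" if $verbose;
+
+foreach (@testlists) {
+my $argnum = @$_;
+if ( $argnum == 2 ) {
+my ( $tnum, $title ) = @$_;
+print "$tnum $title\n" if $verbose;
+}
+elsif ( $argnum == 3 ) {
+my ( $tnum, $title, $exp_ret ) = @$_;
+my $filename = $title;
+$exp_ret += 32 if $exp_ret;
+$filename =~ tr/ -//d;
+$filename = "Signed${filename}.eml";
+if ( !-f "$pkitsdir/$filename" ) {
+print "\"$filename\" not found\n";
+}
+else {
+my $ret;
+my $test_fail = 0;
+my $errmsg = "";
+my $cmd = $ossl_cmd;
+$cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
+my $cmdout = `$cmd`;
+$ret = $? >> 8;
+if ( $? & 0xff ) {
+$errmsg .= "Abnormal OpenSSL termination\n";
+$test_fail = 1;
+}
+if ( $exp_ret != $ret ) {
+$errmsg .= "Return code:$ret, ";
+$errmsg .= "expected $exp_ret\n";
+$test_fail = 1;
+}
+if ($test_fail) {
+print "$tnum $title : Failed!\n";
+print "Filename: $pkitsdir/$filename\n";
+print $errmsg;
+print "Command output:\n$cmdout\n";
+$numfail++;
+}
+$numtest++;
+}
+}
+elsif ( $argnum == 7 ) {
+my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
+= @$_;
+my $filename = $title;
+$exp_ret += 32 if $exp_ret;
+$filename =~ tr/ -//d;
+$filename = "Signed${filename}.eml";
+if ( !-f "$pkitsdir/$filename" ) {
+print "\"$filename\" not found\n";
+}
+else {
+my $ret;
+my $cmdout = "";
+my $errmsg = "";
+my $epol = "";
+my $aset = "";
+my $uset = "";
+my $pol = -1;
+my $test_fail = 0;
+my $cmd = $ossl_cmd;
+$cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
+@oparr = `$cmd`;
+$ret = $? >> 8;
+
+if ( $? & 0xff ) {
+$errmsg .= "Abnormal OpenSSL termination\n";
+$test_fail = 1;
+}
+foreach (@oparr) {
+my $test_failed = 0;
+$cmdout .= $_;
+if (/^Require explicit Policy: (.*)$/) {
+$epol = $1;
+}
+if (/^Authority Policies/) {
+if (/empty/) {
+$aset = "<empty>";
+}
+else {
+$pol = 1;
+}
+}
+$test_fail = 1 if (/leak/i);
+if (/^User Policies/) {
+if (/empty/) {
+$uset = "<empty>";
+}
+else {
+$pol = 2;
+}
+}
+if (/\s+Policy: (.*)$/) {
+if ( $pol == 1 ) {
+$aset .= ":" if $aset ne "";
+$aset .= $1;
+}
+elsif ( $pol == 2 ) {
+$uset .= ":" if $uset ne "";
+$uset .= $1;
+}
+}
+}
+
+if ( $epol ne $exp_epol ) {
+$errmsg .= "Explicit policy:$epol, ";
+$errmsg .= "expected $exp_epol\n";
+$test_fail = 1;
+}
+if ( $aset ne $exp_aset ) {
+$errmsg .= "Authority policy set :$aset, ";
+$errmsg .= "expected $exp_aset\n";
+$test_fail = 1;
+}
+if ( $uset ne $exp_uset ) {
+$errmsg .= "User policy set :$uset, ";
+$errmsg .= "expected $exp_uset\n";
+$test_fail = 1;
+}
+
+if ( $exp_ret != $ret ) {
+print "Return code:$ret, expected $exp_ret\n";
+$test_fail = 1;
+}
+
+if ($test_fail) {
+print "$tnum $title : Failed!\n";
+print "Filename: $pkitsdir/$filename\n";
+print "Command output:\n$cmdout\n";
+$numfail++;
+}
+$numtest++;
+}
+}
+}
+
+if ($numfail) {
+print "$numfail tests failed out of $numtest\n";
+}
+else {
+print "All Tests Successful.\n";
+}
+
+unlink "pkitsta.pem";
+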
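Review bot: A run in which path validation regresses, or in which part of the PKITS data is missing, still ends with exit status 0: the summary at new lines 932-937 only prints, and the two `not found` branches (new lines 807-809 and 844-846) count neither a test nor a failure, so the script can report "All Tests Successful." after skipping vectors. I would add `$numfail++;` in both `not found` branches and `exit 1 if $numfail;` after the final `unlink`, so automation can gate on the result. In the seven-element branch the policy mismatch text collected in `$errmsg` (new lines 900-914) is never printed, unlike in the three-element branch, so `print $errmsg;` belongs before the "Command output" line at 924. Separately, the command string hard-codes `-out /dev/null` although Windows binaries are probed at new lines 60-65, which would presumably break the run there, and `@oparr` at line 858 is an undeclared package global that enabling strict and warnings at the top of the file would catch.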