Following the license change, modify the boilerplates in test/
1 #! /usr/bin/env perl
2 # Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 # Perl utility to run PKITS tests for RFC3280 compliance.
10
# Locate the openssl binary under test.  Every probe is relative to the
# current directory, so the script has to be started from the test directory
# of the build tree whose binary should be exercised: whatever sits at these
# relative paths is what gets executed.
my $ossl_path;

# Each candidate pairs the file probed for with the command prefix used when
# it exists.  The Unix build is run through the shared-library wrapper.
my @ossl_candidates = (
    [ "../apps/openssl", "../util/shlib_wrap.sh ../apps/openssl" ],
    [ "..\\out32dll\\openssl.exe", "..\\out32dll\\openssl.exe" ],
    [ "..\\out32\\openssl.exe",    "..\\out32\\openssl.exe" ],
);

for my $candidate (@ossl_candidates) {
    my ( $probe, $invocation ) = @$candidate;
    next unless -f $probe;
    $ossl_path = $invocation;    # first match wins, as in an if/elsif chain
    last;
}

die "Can't find OpenSSL executable" unless defined $ossl_path;
25
# Locations of the PKITS data, relative to the current directory: the signed
# S/MIME messages and the DER-encoded trust anchor certificate.
my ( $pkitsdir, $pkitsta ) =
  ( "pkits/smime", "pkits/certs/TrustAnchorRootCertificate.crt" );

# Only the message directory is probed here; the trust anchor file itself is
# first touched when it is converted to PEM.
-d $pkitsdir or die "Can't find PKITS test data";
30
# Policy OIDs used by the PKITS policy tests.  The six identifiers share one
# arc and differ only in the final component (1 through 6).
my $nist_policy_arc = "2.16.840.1.101.3.2.1.48";
my ( $nist1, $nist2, $nist3, $nist4, $nist5, $nist6 ) =
  map { "$nist_policy_arc.$_" } 1 .. 6;

# Name compared against the policy sets printed by the openssl command when
# the set holds anyPolicy.
my $apolicy = "X509v3 Any Policy";
39
# This table contains the chapter headings of the accompanying PKITS
# document. They provide useful informational output and their names
# can be converted into the filename to test.
#
# Row shapes, as consumed by the loop that walks this table:
#   [ number, heading ]                         chapter heading, printed only
#   [ number, title, expected error ]           plain verification test
#   [ number, title, extra args, explicit-policy flag,
#     authority policy set, user policy set, expected error ]
#                                               policy test with output checks
#
# The expected error is 0 for a path that must validate.  The non-zero values
# line up with OpenSSL's X509_V_ERR_* verify codes (confirm against the
# x509_vfy.h of the tree under test):
#    3 UNABLE_TO_GET_CRL              7 CERT_SIGNATURE_FAILURE
#    8 CRL_SIGNATURE_FAILURE          9 CERT_NOT_YET_VALID
#   10 CERT_HAS_EXPIRED              12 CRL_HAS_EXPIRED
#   20 UNABLE_TO_GET_ISSUER_CERT_LOCALLY
#   23 CERT_REVOKED                  24 INVALID_CA
#   25 PATH_LENGTH_EXCEEDED          34 UNHANDLED_CRITICAL_EXTENSION
#   35 KEYUSAGE_NO_CRL_SIGN          36 UNHANDLED_CRITICAL_CRL_EXTENSION
#   42 INVALID_POLICY_EXTENSION      43 NO_EXPLICIT_POLICY
#   44 DIFFERENT_CRL_SCOPE           47 PERMITTED_VIOLATION
#   48 EXCLUDED_VIOLATION            54 CRL_PATH_VALIDATION_ERROR

my @testlists = (
    [ "4.1", "Signature Verification" ],
    [ "4.1.1", "Valid Signatures Test1", 0 ],
    [ "4.1.2", "Invalid CA Signature Test2", 7 ],
    [ "4.1.3", "Invalid EE Signature Test3", 7 ],
    [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
    [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
    [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
    [ "4.2", "Validity Periods" ],
    [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
    [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
    [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
    [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
    [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
    [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
    [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
    [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
    [ "4.3", "Verifying Name Chaining" ],
    [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
    [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
    [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
    [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
    [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
    [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
    [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
    [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
    [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
    [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
    [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
    [ "4.4", "Basic Certificate Revocation Tests" ],
    [ "4.4.1", "Missing CRL Test1", 3 ],
    [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
    [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
    [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
    [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
    [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
    [ "4.4.7", "Valid Two CRLs Test7", 0 ],

    # The test document suggests these should return certificate revoked...
    # Subsequent discussion has concluded they should not, due to unhandled
    # critical CRL extensions.
    [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
    [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],

    [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
    [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
    [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
    [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
    [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
    [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
    [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
    [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
    [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
    [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
    [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],

    # CRL path is revoked so get a CRL path validation error
    [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
    [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
    [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
    [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
    [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
    [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
    [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
    [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
    [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
    [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
    [ "4.6", "Verifying Basic Constraints" ],
    [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
    [ "4.6.2", "Invalid cA False Test2", 24 ],
    [ "4.6.3", "Invalid cA False Test3", 24 ],
    [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
    [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
    [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
    [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
    [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
    [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
    [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
    [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
    [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
    [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
    [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
    [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
    [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
    [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
    [ "4.7", "Key Usage" ],
    [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
    [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
    [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
    [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
    [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],

    # Certificate policy tests need special handling. They can have several
    # sub tests and we need to check the outputs are correct.

    [ "4.8", "Certificate Policies" ],
    [ "4.8.1.1", "All Certificates Same Policy Test1",
      "-policy anyPolicy -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.2", "All Certificates Same Policy Test1",
      "-policy $nist1 -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.3", "All Certificates Same Policy Test1",
      "-policy $nist2 -explicit_policy", "True", $nist1, "<empty>", 43 ],
    [ "4.8.1.4", "All Certificates Same Policy Test1",
      "-policy $nist1 -policy $nist2 -explicit_policy",
      "True", $nist1, $nist1, 0 ],
    [ "4.8.2.1", "All Certificates No Policies Test2",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.2.2", "All Certificates No Policies Test2",
      "-policy anyPolicy -explicit_policy",
      "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.1", "Different Policies Test3",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.3.2", "Different Policies Test3",
      "-policy anyPolicy -explicit_policy",
      "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.3", "Different Policies Test3",
      "-policy $nist1 -policy $nist2 -explicit_policy",
      "True", "<empty>", "<empty>", 43 ],

    [ "4.8.4", "Different Policies Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.5", "Different Policies Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.6.1", "Overlapping Policies Test6",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.2", "Overlapping Policies Test6",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.3", "Overlapping Policies Test6",
      "-policy $nist2", "True", $nist1, "<empty>", 43 ],
    [ "4.8.7", "Different Policies Test7",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.8", "Different Policies Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.9", "Different Policies Test9",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.10.1", "All Certificates Same Policies Test10",
      "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],
    [ "4.8.10.2", "All Certificates Same Policies Test10",
      "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.8.10.3", "All Certificates Same Policies Test10",
      "-policy anyPolicy", "True", "$nist1:$nist2", "$nist1:$nist2", 0 ],
    [ "4.8.11.1", "All Certificates AnyPolicy Test11",
      "-policy anyPolicy", "True", "$apolicy", "$apolicy", 0 ],
    [ "4.8.11.2", "All Certificates AnyPolicy Test11",
      "-policy $nist1", "True", "$apolicy", "$nist1", 0 ],
    [ "4.8.12", "Different Policies Test12",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.13.1", "All Certificates Same Policies Test13",
      "-policy $nist1", "True", "$nist1:$nist2:$nist3", "$nist1", 0 ],
    [ "4.8.13.2", "All Certificates Same Policies Test13",
      "-policy $nist2", "True", "$nist1:$nist2:$nist3", "$nist2", 0 ],
    [ "4.8.13.3", "All Certificates Same Policies Test13",
      "-policy $nist3", "True", "$nist1:$nist2:$nist3", "$nist3", 0 ],
    [ "4.8.14.1", "AnyPolicy Test14",
      "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.8.14.2", "AnyPolicy Test14",
      "-policy $nist2", "True", "$nist1", "<empty>", 43 ],
    [ "4.8.15", "User Notice Qualifier Test15",
      "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.16", "User Notice Qualifier Test16",
      "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.17", "User Notice Qualifier Test17",
      "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.18.1", "User Notice Qualifier Test18",
      "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],
    [ "4.8.18.2", "User Notice Qualifier Test18",
      "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.8.19", "User Notice Qualifier Test19",
      "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.20", "CPS Pointer Qualifier Test20",
      "-policy anyPolicy -explicit_policy", "True", "$nist1", "$nist1", 0 ],
    [ "4.9", "Require Explicit Policy" ],
    [ "4.9.1", "Valid RequireExplicitPolicy Test1",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.2", "Valid RequireExplicitPolicy Test2",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.3", "Invalid RequireExplicitPolicy Test3",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.4", "Valid RequireExplicitPolicy Test4",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.9.5", "Invalid RequireExplicitPolicy Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.6", "Valid Self-Issued requireExplicitPolicy Test6",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.7", "Invalid Self-Issued requireExplicitPolicy Test7",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.8", "Invalid Self-Issued requireExplicitPolicy Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10", "Policy Mappings" ],
    [ "4.10.1.1", "Valid Policy Mapping Test1",
      "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.1.2", "Valid Policy Mapping Test1",
      "-policy $nist2", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.1.3", "Valid Policy Mapping Test1",
      "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.1", "Invalid Policy Mapping Test2",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.2", "Invalid Policy Mapping Test2",
      "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.3.1", "Valid Policy Mapping Test3",
      "-policy $nist1", "True", "$nist2", "<empty>", 43 ],
    [ "4.10.3.2", "Valid Policy Mapping Test3",
      "-policy $nist2", "True", "$nist2", "$nist2", 0 ],
    [ "4.10.4", "Invalid Policy Mapping Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.5.1", "Valid Policy Mapping Test5",
      "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.5.2", "Valid Policy Mapping Test5",
      "-policy $nist6", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.6.1", "Valid Policy Mapping Test6",
      "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.6.2", "Valid Policy Mapping Test6",
      "-policy $nist6", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
    [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
    [ "4.10.9", "Valid Policy Mapping Test9",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.10", "Invalid Policy Mapping Test10",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.11", "Valid Policy Mapping Test11",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.12.1", "Valid Policy Mapping Test12",
      "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.12.2", "Valid Policy Mapping Test12",
      "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.10.13", "Valid Policy Mapping Test13",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.14", "Valid Policy Mapping Test14",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11", "Inhibit Policy Mapping" ],
    [ "4.11.1", "Invalid inhibitPolicyMapping Test1",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.2", "Valid inhibitPolicyMapping Test2",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11.3", "Invalid inhibitPolicyMapping Test3",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.4", "Valid inhibitPolicyMapping Test4",
      "-policy anyPolicy", "True", "$nist2", "$nist2", 0 ],
    [ "4.11.5", "Invalid inhibitPolicyMapping Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.6", "Invalid inhibitPolicyMapping Test6",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.7", "Valid Self-Issued inhibitPolicyMapping Test7",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11.8", "Invalid Self-Issued inhibitPolicyMapping Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.9", "Invalid Self-Issued inhibitPolicyMapping Test9",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.10", "Invalid Self-Issued inhibitPolicyMapping Test10",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.11", "Invalid Self-Issued inhibitPolicyMapping Test11",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12", "Inhibit Any Policy" ],
    [ "4.12.1", "Invalid inhibitAnyPolicy Test1",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.2", "Valid inhibitAnyPolicy Test2",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.12.3.1", "inhibitAnyPolicy Test3",
      "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.12.3.2", "inhibitAnyPolicy Test3",
      "-policy anyPolicy -inhibit_any", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.4", "Invalid inhibitAnyPolicy Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.5", "Invalid inhibitAnyPolicy Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.6", "Invalid inhibitAnyPolicy Test6",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
    [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
    [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
    [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
    [ "4.13", "Name Constraints" ],
    [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
    [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
    [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
    [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
    [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
    [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
    [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
    [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
    [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
    [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
    [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
    [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
    [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
    [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
    [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
    [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
    [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
    [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
    [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
    [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
    [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
    [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
    [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
    [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
    [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
    [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
    [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
    [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
    [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
    [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
    [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
    [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
    [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
    [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
    [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
    [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
    [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
    [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
    [ "4.14", "Distribution Points" ],
    [ "4.14.1", "Valid distributionPoint Test1", 0 ],
    [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
    [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
    [ "4.14.4", "Valid distributionPoint Test4", 0 ],
    [ "4.14.5", "Valid distributionPoint Test5", 0 ],
    [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
    [ "4.14.7", "Valid distributionPoint Test7", 0 ],
    [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
    [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
    [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
    [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
    [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
    [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
    [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
    [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
    [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
    [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
    [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
    [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
    [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
    [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
    [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
    [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
    [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
    [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
    [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
    [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
    [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
    [ "4.14.29", "Valid cRLIssuer Test29", 0 ],

    # Although this test is valid it has a circular dependency. As a result
    # an attempt is made to recursively check a CRL path, and the test is
    # rejected due to a CRL path validation error. PKITS notes suggest this
    # test does not need to be run due to this issue.
    [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
    [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
    [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
    [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
    [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
    [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
    [ "4.15", "Delta-CRLs" ],
    [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
    [ "4.15.2", "Valid delta-CRL Test2", 0 ],
    [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
    [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
    [ "4.15.5", "Valid delta-CRL Test5", 0 ],
    [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
    [ "4.15.7", "Valid delta-CRL Test7", 0 ],
    [ "4.15.8", "Valid delta-CRL Test8", 0 ],
    [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
    [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
    [ "4.16", "Private Certificate Extensions" ],
    [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
    [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
);
732
733
# Run-wide settings and counters.
my $verbose = 1;
my ( $numtest, $numfail ) = ( 0, 0 );

# NOTE(review): $ossl is not read anywhere in the visible script.
my $ossl = "ossl/apps/openssl";

# Pieces of the "openssl cms -verify" command line shared by every test.  The
# verification is deliberately strict: all CRLs in the chain are checked and
# X.509 strict mode is on.
my @cmd_parts = (
    "$ossl_path cms -verify -verify_retcode",
    "-CAfile pkitsta.pem -crl_check_all -x509_strict",
);

# Check for expiry of trust anchor.  A wait status of 256 is exit code 1
# from the x509 -checkend probe.
system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
if ( $? == 256 ) {
    print STDERR "WARNING: using older expired data\n";

    # Pin the verification time to a fixed epoch so the expired data set
    # still validates; results then describe that instant, not "now".
    push @cmd_parts, "-attime 1291940972";
}

# Policy processing, extended CRL support and delta CRLs are always enabled.
# The verified content is discarded and stderr is merged into stdout so the
# caller captures diagnostics.  NOTE(review): /dev/null and 2>&1 assume a
# POSIX-style shell even though Windows binary paths are probed elsewhere.
push @cmd_parts,
  "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1";

# Single spaces between the pieces and one trailing space, so callers can
# append further options directly.
my $ossl_cmd = join( " ", @cmd_parts ) . " ";

# Convert the DER trust anchor into the PEM file named by -CAfile above.
system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";

die "Can't create trust anchor file" if $?;

print "Running PKITS tests:\n" if $verbose;
759
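# Run every entry of @testlists through "openssl cms -verify" and compare the
# outcome with the expectation recorded in the table.
#
# Row shapes:
#   2 elements - chapter heading, printed only.
#   3 elements - ( number, title, expected verify error ).
#   7 elements - ( number, title, extra cms arguments, expected "Require
#                explicit Policy" value, expected authority policy set,
#                expected user policy set, expected verify error ).
#
# A non-zero expected error is raised by 32 before it is compared with the
# exit status.  NOTE(review): this presumably mirrors how the cms app reports
# verification errors under -verify_retcode -- confirm against its source.
#
# The command line is handed to the shell through backticks.  Every value
# interpolated into it comes from constants in this file (table titles, extra
# arguments, policy OIDs); keep it that way, because nothing here quotes or
# escapes arguments.
#
# NOTE(review): a missing .eml file is reported but counted neither as a run
# nor as a failure, so incomplete test data does not show up in the totals.
foreach my $entry (@testlists) {
    my $argnum = @$entry;

    if ( $argnum == 2 ) {
        my ( $tnum, $title ) = @$entry;
        print "$tnum $title\n" if $verbose;
    }
    elsif ( $argnum == 3 ) {
        my ( $tnum, $title, $exp_ret ) = @$entry;
        $exp_ret += 32 if $exp_ret;

        # The message file is named after the title with spaces and hyphens
        # removed.
        my $filename = $title;
        $filename =~ tr/ -//d;
        $filename = "Signed${filename}.eml";

        if ( !-f "$pkitsdir/$filename" ) {
            print "\"$filename\" not found\n";
            next;
        }

        my $test_fail = 0;
        my $errmsg    = "";
        my $cmd       = $ossl_cmd . "-in $pkitsdir/$filename -policy anyPolicy";
        my $cmdout    = `$cmd`;
        my $ret       = $? >> 8;

        # Low byte set: openssl was killed by a signal or dumped core.
        if ( $? & 0xff ) {
            $errmsg .= "Abnormal OpenSSL termination\n";
            $test_fail = 1;
        }
        if ( $exp_ret != $ret ) {
            $errmsg .= "Return code:$ret, expected $exp_ret\n";
            $test_fail = 1;
        }
        if ($test_fail) {
            print "$tnum $title : Failed!\n";
            print "Filename: $pkitsdir/$filename\n";
            print $errmsg;
            print "Command output:\n$cmdout\n";
            $numfail++;
        }
        $numtest++;
    }
    elsif ( $argnum == 7 ) {
        my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset,
            $exp_ret )
          = @$entry;
        $exp_ret += 32 if $exp_ret;

        my $filename = $title;
        $filename =~ tr/ -//d;
        $filename = "Signed${filename}.eml";

        if ( !-f "$pkitsdir/$filename" ) {
            print "\"$filename\" not found\n";
            next;
        }

        my $cmdout    = "";
        my $errmsg    = "";
        my $epol      = "";
        my $aset      = "";
        my $uset      = "";
        my $pol       = -1;    # 1: inside authority set, 2: inside user set
        my $test_fail = 0;
        my $cmd = $ossl_cmd . "-in $pkitsdir/$filename $exargs -policy_print";

        # Lexical array: the output must not leak into a package global.
        my @oparr = `$cmd`;
        my $ret   = $? >> 8;

        if ( $? & 0xff ) {
            $errmsg .= "Abnormal OpenSSL termination\n";
            $test_fail = 1;
        }

        # Parse the -policy_print output line by line.
        foreach my $line (@oparr) {
            $cmdout .= $line;
            if ( $line =~ /^Require explicit Policy: (.*)$/ ) {
                $epol = $1;
            }
            if ( $line =~ /^Authority Policies/ ) {
                if ( $line =~ /empty/ ) {
                    $aset = "<empty>";
                }
                else {
                    $pol = 1;
                }
            }

            # Any mention of a leak in the output fails the test outright.
            $test_fail = 1 if $line =~ /leak/i;
            if ( $line =~ /^User Policies/ ) {
                if ( $line =~ /empty/ ) {
                    $uset = "<empty>";
                }
                else {
                    $pol = 2;
                }
            }

            # Policy lines are appended, colon-separated, to whichever set
            # is currently being listed.
            if ( $line =~ /\s+Policy: (.*)$/ ) {
                if ( $pol == 1 ) {
                    $aset .= ":" if $aset ne "";
                    $aset .= $1;
                }
                elsif ( $pol == 2 ) {
                    $uset .= ":" if $uset ne "";
                    $uset .= $1;
                }
            }
        }

        if ( $epol ne $exp_epol ) {
            $errmsg .= "Explicit policy:$epol, expected $exp_epol\n";
            $test_fail = 1;
        }
        if ( $aset ne $exp_aset ) {
            $errmsg .= "Authority policy set :$aset, expected $exp_aset\n";
            $test_fail = 1;
        }
        if ( $uset ne $exp_uset ) {
            $errmsg .= "User policy set :$uset, expected $exp_uset\n";
            $test_fail = 1;
        }
        if ( $exp_ret != $ret ) {
            $errmsg .= "Return code:$ret, expected $exp_ret\n";
            $test_fail = 1;
        }

        if ($test_fail) {
            print "$tnum $title : Failed!\n";
            print "Filename: $pkitsdir/$filename\n";

            # Report which expectation was missed; without this the policy
            # mismatch details collected above never reach the log.
            print $errmsg;
            print "Command output:\n$cmdout\n";
            $numfail++;
        }
        $numtest++;
    }
}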
896
# Report the totals and remove the temporary PEM trust anchor.
# NOTE(review): nothing visible here turns $numfail into a non-zero exit
# status, so a calling harness has to parse this output to notice failed
# conformance tests.
print $numfail
  ? "$numfail tests failed out of $numtest\n"
  : "All Tests Successful.\n";

unlink "pkitsta.pem";
905