# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-CERTTOOL=../../src/certtool
+CERTTOOL=../../../src/certtool
SUCCESS=" 1 4 7 12 15 16 17 18 24 26 27 30 33 56 57 62 63 "
FAILURE=" 2 3 5 6 8 9 10 11 13 14 19 20 21 22 23 25 28 29 31 32 54 55 58 59 60 61 "
+KNOWN_BUGS=" 15 16 17 18 19 28 29 31 32 54 55 58 59 60 61 "
+
+cd x509paths
test -d X509tests || tar xfz x509tests.tgz
+mkdir -p chains
+RET=0
i=1
while test -d X509tests/test$i; do
- find X509tests/test$i -name *.crl -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --crl-info --inder --infile > chain$i.pem 2>/dev/null
- find X509tests/test$i -name E*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chain$i.pem 2>/dev/null
+ find X509tests/test$i -name *.crl -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --crl-info --inder --infile > chains/chain$i.pem 2>/dev/null
+ find X509tests/test$i -name E*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null
if test "$i" -gt 1; then
- find X509tests/test$i -name I*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chain$i.pem 2>/dev/null
+ find X509tests/test$i -name I*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null
fi
- find X509tests/test$i -name T*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chain$i.pem 2>/dev/null
- $CERTTOOL -e --infile chain$i.pem > out 2>&1
+ find X509tests/test$i -name T*.crt -print0 |sort -r -z|xargs -n1 --null $CERTTOOL --certificate-info --inder --infile >> chains/chain$i.pem 2>/dev/null
+ $CERTTOOL -e --infile chains/chain$i.pem > out 2>&1
rc=$?
if test $rc != 0; then
echo "Chain $i FATAL failure."
+ RET=1
else
- if echo "$SUCCESS" | grep " $i " > /dev/null 2>&1; then
+ if echo "$KNOWN_BUGS" | grep " $i " > /dev/null 2>&1; then
+ echo "Chain $i verification was skipped due to known bug."
+ elif echo "$SUCCESS" | grep " $i " > /dev/null 2>&1; then
if grep 'Chain verification output:' out | grep -v 'Chain verification output: Verified\.$' > /dev/null 2>&1; then
echo "Chain $i verification failure UNEXPECTED."
+ RET=1
else
echo "Chain $i verification success as expected."
fi
echo "Chain $i verification failure as expected."
else
echo "Chain $i verification success UNEXPECTED. "
+ RET=1
fi
else
echo "Chain $i unclassified."
i=`expr $i + 1`
done
rm -f out
+
+exit $RET
See the PDF for information regarding the self tests. Particular
comments on individual tests below. The 'XXX' marks real bugs.
-Chain 13-14,65: We probably should not fail fatally, although this is
-not a real problem.
-
Chain 15-18: We should succeed, the reason we don't is that we use
memcmp for DN comparisons.
real problem. This is easier to be supported now with the trust_list
that can verify CRLs on addition.
-Chain 54-63: We don't check path length constraints properly. XXX
+Chain 54-55,58-61: We don't check path length constraints properly. XXX