2 # Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 # ====================================================================
6 # Copyright (c) 2008 The OpenSSL Project. All rights reserved.
8 # Redistribution and use in source and binary forms, with or without
9 # modification, are permitted provided that the following conditions
12 # 1. Redistributions of source code must retain the above copyright
13 # notice, this list of conditions and the following disclaimer.
15 # 2. Redistributions in binary form must reproduce the above copyright
16 # notice, this list of conditions and the following disclaimer in
17 # the documentation and/or other materials provided with the
20 # 3. All advertising materials mentioning features or use of this
21 # software must display the following acknowledgment:
22 # "This product includes software developed by the OpenSSL Project
23 # for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 # 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 # endorse or promote products derived from this software without
27 # prior written permission. For written permission, please contact
28 # licensing@OpenSSL.org.
30 # 5. Products derived from this software may not be called "OpenSSL"
31 # nor may "OpenSSL" appear in their names without prior written
32 # permission of the OpenSSL Project.
34 # 6. Redistributions of any form whatsoever must retain the following
36 # "This product includes software developed by the OpenSSL Project
37 # for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 # THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 # ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 # OF THE POSSIBILITY OF SUCH DAMAGE.
51 # ====================================================================
53 # Perl utility to run PKITS tests for RFC3280 compliance.
57 if ( -f
"../apps/openssl" ) {
58 $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
60 elsif ( -f
"..\\out32dll\\openssl.exe" ) {
61 $ossl_path = "..\\out32dll\\openssl.exe";
63 elsif ( -f
"..\\out32\\openssl.exe" ) {
64 $ossl_path = "..\\out32\\openssl.exe";
67 die "Can't find OpenSSL executable";
70 my $pkitsdir = "pkits/smime";
71 my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
73 die "Can't find PKITS test data" if !-d
$pkitsdir;
75 my $nist1 = "2.16.840.1.101.3.2.1.48.1";
76 my $nist2 = "2.16.840.1.101.3.2.1.48.2";
77 my $nist3 = "2.16.840.1.101.3.2.1.48.3";
78 my $nist4 = "2.16.840.1.101.3.2.1.48.4";
79 my $nist5 = "2.16.840.1.101.3.2.1.48.5";
80 my $nist6 = "2.16.840.1.101.3.2.1.48.6";
82 my $apolicy = "X509v3 Any Policy";
84 # This table contains the chapter headings of the accompanying PKITS
85 # document. They provide useful informational output and their names
86 # can be converted into the filename to test.
89 [ "4.1", "Signature Verification" ],
90 [ "4.1.1", "Valid Signatures Test1", 0 ],
91 [ "4.1.2", "Invalid CA Signature Test2", 7 ],
92 [ "4.1.3", "Invalid EE Signature Test3", 7 ],
93 [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
94 [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
95 [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
96 [ "4.2", "Validity Periods" ],
97 [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
98 [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
99 [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
100 [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
101 [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
102 [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
103 [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
104 [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
105 [ "4.3", "Verifying Name Chaining" ],
106 [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
107 [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
108 [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
109 [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
110 [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
111 [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
112 [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
113 [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
114 [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
115 [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
116 [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
117 [ "4.4", "Basic Certificate Revocation Tests" ],
118 [ "4.4.1", "Missing CRL Test1", 3 ],
119 [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
120 [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
121 [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
122 [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
123 [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
124 [ "4.4.7", "Valid Two CRLs Test7", 0 ],
126 # The test document suggests these should return certificate revoked...
127 # Subsquent discussion has concluded they should not due to unhandle
128 # critical CRL extensions.
129 [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
130 [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
132 [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
133 [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
134 [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
135 [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
136 [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
137 [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
138 [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
139 [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
140 [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
141 [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
142 [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
144 # CRL path is revoked so get a CRL path validation error
145 [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
146 [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
147 [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
148 [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
149 [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
150 [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
151 [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
152 [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
153 [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
154 [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
155 [ "4.6", "Verifying Basic Constraints" ],
156 [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
157 [ "4.6.2", "Invalid cA False Test2", 24 ],
158 [ "4.6.3", "Invalid cA False Test3", 24 ],
159 [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
160 [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
161 [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
162 [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
163 [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
164 [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
165 [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
166 [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
167 [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
168 [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
169 [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
170 [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
171 [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
172 [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
173 [ "4.7", "Key Usage" ],
174 [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
175 [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
176 [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
177 [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
178 [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],
180 # Certificate policy tests need special handling. They can have several
181 # sub tests and we need to check the outputs are correct.
183 [ "4.8", "Certificate Policies" ],
186 "All Certificates Same Policy Test1",
187 "-policy anyPolicy -explicit_policy",
188 "True", $nist1, $nist1, 0
192 "All Certificates Same Policy Test1",
193 "-policy $nist1 -explicit_policy",
194 "True", $nist1, $nist1, 0
198 "All Certificates Same Policy Test1",
199 "-policy $nist2 -explicit_policy",
200 "True", $nist1, "<empty>", 43
204 "All Certificates Same Policy Test1",
205 "-policy $nist1 -policy $nist2 -explicit_policy",
206 "True", $nist1, $nist1, 0
210 "All Certificates No Policies Test2",
212 "False", "<empty>", "<empty>", 0
216 "All Certificates No Policies Test2",
217 "-policy anyPolicy -explicit_policy",
218 "True", "<empty>", "<empty>", 43
222 "Different Policies Test3",
224 "False", "<empty>", "<empty>", 0
228 "Different Policies Test3",
229 "-policy anyPolicy -explicit_policy",
230 "True", "<empty>", "<empty>", 43
234 "Different Policies Test3",
235 "-policy $nist1 -policy $nist2 -explicit_policy",
236 "True", "<empty>", "<empty>", 43
241 "Different Policies Test4",
243 "True", "<empty>", "<empty>", 43
247 "Different Policies Test5",
249 "True", "<empty>", "<empty>", 43
253 "Overlapping Policies Test6",
255 "True", $nist1, $nist1, 0
259 "Overlapping Policies Test6",
261 "True", $nist1, $nist1, 0
265 "Overlapping Policies Test6",
267 "True", $nist1, "<empty>", 43
271 "Different Policies Test7",
273 "True", "<empty>", "<empty>", 43
277 "Different Policies Test8",
279 "True", "<empty>", "<empty>", 43
283 "Different Policies Test9",
285 "True", "<empty>", "<empty>", 43
289 "All Certificates Same Policies Test10",
291 "True", "$nist1:$nist2", "$nist1", 0
295 "All Certificates Same Policies Test10",
297 "True", "$nist1:$nist2", "$nist2", 0
301 "All Certificates Same Policies Test10",
303 "True", "$nist1:$nist2", "$nist1:$nist2", 0
307 "All Certificates AnyPolicy Test11",
309 "True", "$apolicy", "$apolicy", 0
313 "All Certificates AnyPolicy Test11",
315 "True", "$apolicy", "$nist1", 0
319 "Different Policies Test12",
321 "True", "<empty>", "<empty>", 43
325 "All Certificates Same Policies Test13",
327 "True", "$nist1:$nist2:$nist3", "$nist1", 0
331 "All Certificates Same Policies Test13",
333 "True", "$nist1:$nist2:$nist3", "$nist2", 0
337 "All Certificates Same Policies Test13",
339 "True", "$nist1:$nist2:$nist3", "$nist3", 0
342 "4.8.14.1", "AnyPolicy Test14",
343 "-policy $nist1", "True",
348 "4.8.14.2", "AnyPolicy Test14",
349 "-policy $nist2", "True",
355 "User Notice Qualifier Test15",
357 "False", "$nist1", "$nist1", 0
361 "User Notice Qualifier Test16",
363 "False", "$nist1", "$nist1", 0
367 "User Notice Qualifier Test17",
369 "False", "$nist1", "$nist1", 0
373 "User Notice Qualifier Test18",
375 "True", "$nist1:$nist2", "$nist1", 0
379 "User Notice Qualifier Test18",
381 "True", "$nist1:$nist2", "$nist2", 0
385 "User Notice Qualifier Test19",
387 "False", "$nist1", "$nist1", 0
391 "CPS Pointer Qualifier Test20",
392 "-policy anyPolicy -explicit_policy",
393 "True", "$nist1", "$nist1", 0
395 [ "4.9", "Require Explicit Policy" ],
398 "Valid RequireExplicitPolicy Test1",
400 "False", "<empty>", "<empty>", 0
404 "Valid RequireExplicitPolicy Test2",
406 "False", "<empty>", "<empty>", 0
410 "Invalid RequireExplicitPolicy Test3",
412 "True", "<empty>", "<empty>", 43
416 "Valid RequireExplicitPolicy Test4",
418 "True", "$nist1", "$nist1", 0
422 "Invalid RequireExplicitPolicy Test5",
424 "True", "<empty>", "<empty>", 43
428 "Valid Self-Issued requireExplicitPolicy Test6",
430 "False", "<empty>", "<empty>", 0
434 "Invalid Self-Issued requireExplicitPolicy Test7",
436 "True", "<empty>", "<empty>", 43
440 "Invalid Self-Issued requireExplicitPolicy Test8",
442 "True", "<empty>", "<empty>", 43
444 [ "4.10", "Policy Mappings" ],
447 "Valid Policy Mapping Test1",
449 "True", "$nist1", "$nist1", 0
453 "Valid Policy Mapping Test1",
455 "True", "$nist1", "<empty>", 43
459 "Valid Policy Mapping Test1",
460 "-policy anyPolicy -inhibit_map",
461 "True", "<empty>", "<empty>", 43
465 "Invalid Policy Mapping Test2",
467 "True", "<empty>", "<empty>", 43
471 "Invalid Policy Mapping Test2",
472 "-policy anyPolicy -inhibit_map",
473 "True", "<empty>", "<empty>", 43
477 "Valid Policy Mapping Test3",
479 "True", "$nist2", "<empty>", 43
483 "Valid Policy Mapping Test3",
485 "True", "$nist2", "$nist2", 0
489 "Invalid Policy Mapping Test4",
491 "True", "<empty>", "<empty>", 43
495 "Valid Policy Mapping Test5",
497 "True", "$nist1", "$nist1", 0
501 "Valid Policy Mapping Test5",
503 "True", "$nist1", "<empty>", 43
507 "Valid Policy Mapping Test6",
509 "True", "$nist1", "$nist1", 0
513 "Valid Policy Mapping Test6",
515 "True", "$nist1", "<empty>", 43
517 [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
518 [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
521 "Valid Policy Mapping Test9",
523 "True", "$nist1", "$nist1", 0
527 "Invalid Policy Mapping Test10",
529 "True", "<empty>", "<empty>", 43
533 "Valid Policy Mapping Test11",
535 "True", "$nist1", "$nist1", 0
538 # TODO: check notice display
541 "Valid Policy Mapping Test12",
543 "True", "$nist1:$nist2", "$nist1", 0
546 # TODO: check notice display
549 "Valid Policy Mapping Test12",
551 "True", "$nist1:$nist2", "$nist2", 0
555 "Valid Policy Mapping Test13",
557 "True", "$nist1", "$nist1", 0
560 # TODO: check notice display
563 "Valid Policy Mapping Test14",
565 "True", "$nist1", "$nist1", 0
567 [ "4.11", "Inhibit Policy Mapping" ],
570 "Invalid inhibitPolicyMapping Test1",
572 "True", "<empty>", "<empty>", 43
576 "Valid inhibitPolicyMapping Test2",
578 "True", "$nist1", "$nist1", 0
582 "Invalid inhibitPolicyMapping Test3",
584 "True", "<empty>", "<empty>", 43
588 "Valid inhibitPolicyMapping Test4",
590 "True", "$nist2", "$nist2", 0
594 "Invalid inhibitPolicyMapping Test5",
596 "True", "<empty>", "<empty>", 43
600 "Invalid inhibitPolicyMapping Test6",
602 "True", "<empty>", "<empty>", 43
606 "Valid Self-Issued inhibitPolicyMapping Test7",
608 "True", "$nist1", "$nist1", 0
612 "Invalid Self-Issued inhibitPolicyMapping Test8",
614 "True", "<empty>", "<empty>", 43
618 "Invalid Self-Issued inhibitPolicyMapping Test9",
620 "True", "<empty>", "<empty>", 43
624 "Invalid Self-Issued inhibitPolicyMapping Test10",
626 "True", "<empty>", "<empty>", 43
630 "Invalid Self-Issued inhibitPolicyMapping Test11",
632 "True", "<empty>", "<empty>", 43
634 [ "4.12", "Inhibit Any Policy" ],
637 "Invalid inhibitAnyPolicy Test1",
639 "True", "<empty>", "<empty>", 43
643 "Valid inhibitAnyPolicy Test2",
645 "True", "$nist1", "$nist1", 0
649 "inhibitAnyPolicy Test3",
651 "True", "$nist1", "$nist1", 0
655 "inhibitAnyPolicy Test3",
656 "-policy anyPolicy -inhibit_any",
657 "True", "<empty>", "<empty>", 43
661 "Invalid inhibitAnyPolicy Test4",
663 "True", "<empty>", "<empty>", 43
667 "Invalid inhibitAnyPolicy Test5",
669 "True", "<empty>", "<empty>", 43
673 "Invalid inhibitAnyPolicy Test6",
675 "True", "<empty>", "<empty>", 43
677 [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
678 [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
679 [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
680 [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
681 [ "4.13", "Name Constraints" ],
682 [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
683 [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
684 [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
685 [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
686 [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
687 [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
688 [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
689 [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
690 [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
691 [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
692 [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
693 [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
694 [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
695 [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
696 [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
697 [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
698 [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
699 [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
700 [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
701 [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
702 [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
703 [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
704 [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
705 [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
706 [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
707 [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
708 [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
709 [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
710 [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
711 [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
712 [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
713 [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
714 [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
715 [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
716 [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
717 [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
718 [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
719 [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
720 [ "4.14", "Distribution Points" ],
721 [ "4.14.1", "Valid distributionPoint Test1", 0 ],
722 [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
723 [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
724 [ "4.14.4", "Valid distributionPoint Test4", 0 ],
725 [ "4.14.5", "Valid distributionPoint Test5", 0 ],
726 [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
727 [ "4.14.7", "Valid distributionPoint Test7", 0 ],
728 [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
729 [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
730 [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
731 [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
732 [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
733 [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
734 [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
735 [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
736 [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
737 [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
738 [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
739 [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
740 [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
741 [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
742 [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
743 [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
744 [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
745 [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
746 [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
747 [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
748 [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
749 [ "4.14.29", "Valid cRLIssuer Test29", 0 ],
751 # Although this test is valid it has a circular dependency. As a result
752 # an attempt is made to reursively checks a CRL path and rejected due to
753 # a CRL path validation error. PKITS notes suggest this test does not
754 # need to be run due to this issue.
755 [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
756 [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
757 [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
758 [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
759 [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
760 [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
761 [ "4.15", "Delta-CRLs" ],
762 [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
763 [ "4.15.2", "Valid delta-CRL Test2", 0 ],
764 [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
765 [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
766 [ "4.15.5", "Valid delta-CRL Test5", 0 ],
767 [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
768 [ "4.15.7", "Valid delta-CRL Test7", 0 ],
769 [ "4.15.8", "Valid delta-CRL Test8", 0 ],
770 [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
771 [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
772 [ "4.16", "Private Certificate Extensions" ],
773 [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
774 [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
783 my $ossl = "ossl/apps/openssl";
785 my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
786 $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
788 # Check for expiry of trust anchor
789 system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
792 print STDERR
"WARNING: using older expired data\n";
793 $ossl_cmd .= "-attime 1291940972 ";
796 $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
798 system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
800 die "Can't create trust anchor file" if $?
;
802 print "Running PKITS tests:\n" if $verbose;
804 foreach (@testlists) {
806 if ( $argnum == 2 ) {
807 my ( $tnum, $title ) = @
$_;
808 print "$tnum $title\n" if $verbose;
810 elsif ( $argnum == 3 ) {
811 my ( $tnum, $title, $exp_ret ) = @
$_;
812 my $filename = $title;
813 $exp_ret += 32 if $exp_ret;
814 $filename =~ tr/ -//d;
815 $filename = "Signed${filename}.eml";
816 if ( !-f
"$pkitsdir/$filename" ) {
817 print "\"$filename\" not found\n";
824 $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
828 $errmsg .= "Abnormal OpenSSL termination\n";
831 if ( $exp_ret != $ret ) {
832 $errmsg .= "Return code:$ret, ";
833 $errmsg .= "expected $exp_ret\n";
837 print "$tnum $title : Failed!\n";
838 print "Filename: $pkitsdir/$filename\n";
840 print "Command output:\n$cmdout\n";
846 elsif ( $argnum == 7 ) {
847 my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
849 my $filename = $title;
850 $exp_ret += 32 if $exp_ret;
851 $filename =~ tr/ -//d;
852 $filename = "Signed${filename}.eml";
853 if ( !-f
"$pkitsdir/$filename" ) {
854 print "\"$filename\" not found\n";
866 $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
871 $errmsg .= "Abnormal OpenSSL termination\n";
877 if (/^Require explicit Policy: (.*)$/) {
880 if (/^Authority Policies/) {
888 $test_fail = 1 if (/leak/i);
889 if (/^User Policies/) {
897 if (/\s+Policy: (.*)$/) {
899 $aset .= ":" if $aset ne "";
902 elsif ( $pol == 2 ) {
903 $uset .= ":" if $uset ne "";
909 if ( $epol ne $exp_epol ) {
910 $errmsg .= "Explicit policy:$epol, ";
911 $errmsg .= "expected $exp_epol\n";
914 if ( $aset ne $exp_aset ) {
915 $errmsg .= "Authority policy set :$aset, ";
916 $errmsg .= "expected $exp_aset\n";
919 if ( $uset ne $exp_uset ) {
920 $errmsg .= "User policy set :$uset, ";
921 $errmsg .= "expected $exp_uset\n";
925 if ( $exp_ret != $ret ) {
926 print "Return code:$ret, expected $exp_ret\n";
931 print "$tnum $title : Failed!\n";
932 print "Filename: $pkitsdir/$filename\n";
933 print "Command output:\n$cmdout\n";
942 print "$numfail tests failed out of $numtest\n";
945 print "All Tests Successful.\n";
948 unlink "pkitsta.pem";