summaryrefslogtreecommitdiffstats
path: root/tests/pkits
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2004-08-17 17:26:22 +0200
committerWerner Koch <wk@gnupg.org>2004-08-17 17:26:22 +0200
commit066352a6a555ec60d4a7e117ced0c87e2467fe7e (patch)
tree006f724112a198bf31d3f691a9562a52b182d22b /tests/pkits
parent(cmd_encrypt): Use DEFAULT_RECPLIST and not recplist (diff)
downloadgnupg2-066352a6a555ec60d4a7e117ced0c87e2467fe7e.tar.xz
gnupg2-066352a6a555ec60d4a7e117ced0c87e2467fe7e.zip
* import.c (check_and_store): Do a full validation if
--with-validation is set. * certchain.c (gpgsm_basic_cert_check): Print more detailed error messages. * certcheck.c (do_encode_md): Partly support DSA. Add new arg PKALGO. Changed all callers to pass it. (pk_algo_from_sexp): New. tests/pkits: New directory
Diffstat (limited to 'tests/pkits')
-rw-r--r--tests/pkits/ChangeLog18
-rw-r--r--tests/pkits/Makefile.am69
-rw-r--r--tests/pkits/PKITS_data.tar.bz2bin0 -> 1155744 bytes
-rw-r--r--tests/pkits/README9
-rw-r--r--tests/pkits/common.sh135
-rwxr-xr-xtests/pkits/import-all-certs53
-rw-r--r--tests/pkits/import-all-certs.data490
-rwxr-xr-xtests/pkits/inittests94
-rwxr-xr-xtests/pkits/runtest4
-rwxr-xr-xtests/pkits/validate-all-certs55
10 files changed, 927 insertions, 0 deletions
diff --git a/tests/pkits/ChangeLog b/tests/pkits/ChangeLog
new file mode 100644
index 000000000..2f0b7ba0e
--- /dev/null
+++ b/tests/pkits/ChangeLog
@@ -0,0 +1,18 @@
+2004-08-16 Werner Koch <wk@g10code.de>
+
+ Started implementing PKITS based tests.
+
+
+ Copyright 2004 Free Software Foundation, Inc.
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am
new file mode 100644
index 000000000..41fdec497
--- /dev/null
+++ b/tests/pkits/Makefile.am
@@ -0,0 +1,69 @@
+# Makefile.am - tests using NIST's PKITS
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+## Process this file with automake to produce Makefile.in
+
+GPGSM = ../../sm/gpgsm
+
+TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
+ LD_LIBRARY_PATH=$$(seen=0; \
+ for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
+ do \
+ if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
+ then \
+ if test $$seen = 0; \
+ then \
+ seen=1; \
+ else \
+ printf ":"; \
+ fi; \
+ printf "%s" "$${i}" | sed 's/^-L//'; \
+ fi; \
+ done; \
+ if test $$seen != 0 \
+ && test x$${LD_LIBRARY_PATH} != x; \
+ then \
+ printf ":"; \
+ fi; \
+ printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
+
+
+
+testscripts = import-all-certs validate-all-certs
+
+
+
+EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts)
+ import-all-certs.data
+
+TESTS = $(testscripts)
+
+CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log
+
+DISTCLEANFILES = pubring.kbx~ random_seed
+
+all-local: inittests.stamp
+
+clean-local:
+ srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests --clean
+
+inittests.stamp: inittests
+ srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
+ echo timestamp >./inittests.stamp
+
diff --git a/tests/pkits/PKITS_data.tar.bz2 b/tests/pkits/PKITS_data.tar.bz2
new file mode 100644
index 000000000..0604f2286
--- /dev/null
+++ b/tests/pkits/PKITS_data.tar.bz2
Binary files differ
diff --git a/tests/pkits/README b/tests/pkits/README
new file mode 100644
index 000000000..a4290fe1f
--- /dev/null
+++ b/tests/pkits/README
@@ -0,0 +1,9 @@
+tests/pkits/README
+
+These are tests based on NIST's Public Key Interoperability Test Suite
+(PKITS) as downloaded on 2004-08-16 from
+http://csrc.nist.gov/pki/testing/x509paths.html .
+
+README - this file.
+PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball.
+Makefile.am - Part of our build system.
diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh
new file mode 100644
index 000000000..5e773ea5d
--- /dev/null
+++ b/tests/pkits/common.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+# common.sh - common defs for all tests -*- sh -*-
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+# reset some environment variables because we do not want to test locals
+export LANG=C
+export LANGUAGE=C
+export LC_ALL=C
+
+
+[ "$VERBOSE" = yes ] && set -x
+[ -z "$srcdir" ] && srcdir="."
+[ -z "$top_srcdir" ] && top_srcdir=".."
+[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
+
+
+if [ "$GNUPGHOME" != "`pwd`" ]; then
+ echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+ exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+ echo "inittests: please unset GPG_AGENT_INFO" >&2
+ exit 1
+fi
+
+
+
+#--------------------------------
+#------ utility functions -------
+#--------------------------------
+
+echo_n_init=no
+echo_n () {
+ if test "$echo_n_init" = "no"; then
+ if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+ if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+ echo_n_n=
+ echo_n_c='
+'
+ else
+ echo_n_n='-n'
+ echo_n_c=
+ fi
+ else
+ echo_n_n=
+ echo_n_c='\c'
+ fi
+ echo_n_init=yes
+ fi
+ echo $echo_n_n "${1}$echo_n_c"
+}
+
+fatal () {
+ echo "$pgmname: fatal:" $* >&2
+ exit 1;
+}
+
+error () {
+ echo "$pgmname:" $* >&2
+ exit 1
+}
+
+info () {
+ echo "$pgmname:" $* >&2
+}
+
+info_n () {
+ $echo_n "$pgmname:" $* >&2
+}
+
+pass () {
+ echo "PASS: " $* >&2
+ pass_count=`expr ${pass_count} + 1`
+}
+
+fail () {
+ echo "FAIL: " $* >&2
+ fail_count=`expr ${fail_count} + 1`
+}
+
+unresolved () {
+ echo "UNRESOLVED: " $* >&2
+ unresolved_count=`expr ${unresolved_count} + 1`
+}
+
+unsupported () {
+ echo "UNSUPPORTED: " $* >&2
+ unsupported_count=`expr ${unsupported_count} + 1`
+}
+
+
+final_result () {
+ [ $pass_count = 0 ] || info "$pass_count tests passed"
+ [ $fail_count = 0 ] || info "$fail_count tests failed"
+ [ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved"
+ [ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported"
+ if [ $fail_count = 0 ]; then
+ info "all tests passed"
+ else
+ exit 1
+ fi
+}
+
+set -e
+
+pgmname=`basename $0`
+
+pass_count=0
+fail_count=0
+unresolved_count=0
+unsupported_count=0
+
+
+#trap cleanup SIGHUP SIGINT SIGQUIT
+exec 2> ${pgmname}.log
+
+:
+# end
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs
new file mode 100755
index 000000000..d1af5fb03
--- /dev/null
+++ b/tests/pkits/import-all-certs
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+. ${srcdir:-.}/common.sh || exit 2
+
+while read flag dummy name; do
+ case $flag in \#*) continue;; esac
+ [ -z "$flag" ] && continue;
+
+ if ${GPGSM} -q --import certs/$name ; then
+ if [ "$flag" = 'p' ]; then
+ pass "importing certificate \`$name' succeeded"
+ elif [ "$flag" = 'f' ]; then
+ fail "importing certificate \`$name' succeeded"
+ elif [ "$flag" = '?' ]; then
+ unresolved "importing certificate \`$name' succeeded"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "importing certificate \`$name' succeeded"
+ else
+ info "importing certificate \`$name' succeeded - (flag=$flag)"
+ fi
+ else
+ if [ "$flag" = 'p' ]; then
+ fail "importing certificate \`$name' failed"
+ elif [ "$flag" = 'f' ]; then
+ pass "importing certificate \`$name' failed"
+ elif [ "$flag" = '?' ]; then
+ unresolved "importing certificate \`$name' failed"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "importing certificate \`$name' failed"
+ else
+ info "importing certificate \`$name' failed - (flag=$flag)"
+ fi
+ fi
+done < $srcdir/import-all-certs.data
+
+final_result
diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data
new file mode 100644
index 000000000..18708aa61
--- /dev/null
+++ b/tests/pkits/import-all-certs.data
@@ -0,0 +1,490 @@
+# The first column is for the basic import test, the second for a
+# validation test.
+
+# Make sure that the root certificate is imported first
+p p TrustAnchorRootCertificate.crt
+
+p p AllCertificatesNoPoliciesTest2EE.crt
+p p AllCertificatesSamePoliciesTest10EE.crt
+p p AllCertificatesSamePoliciesTest13EE.crt
+p p AllCertificatesanyPolicyTest11EE.crt
+p p AnyPolicyTest14EE.crt
+p p BadCRLIssuerNameCACert.crt
+p p BadCRLSignatureCACert.crt
+f f BadSignedCACert.crt
+p f BadnotAfterDateCACert.crt
+
+# UTC: "470101120100Z" i.e. not before 2047-01-01
+p f BadnotBeforeDateCACert.crt
+
+p p BasicSelfIssuedCRLSigningKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt
+
+p p BasicSelfIssuedNewKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt
+
+p p BasicSelfIssuedOldKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt
+
+p p CPSPointerQualifierTest20EE.crt
+
+u u DSACACert.crt
+u u DSAParametersInheritedCACert.crt
+
+p p DifferentPoliciesTest12EE.crt
+p p DifferentPoliciesTest3EE.crt
+p p DifferentPoliciesTest4EE.crt
+p p DifferentPoliciesTest5EE.crt
+p p DifferentPoliciesTest7EE.crt
+p p DifferentPoliciesTest8EE.crt
+p p DifferentPoliciesTest9EE.crt
+p p GeneralizedTimeCRLnextUpdateCACert.crt
+p p GoodCACert.crt
+p p GoodsubCACert.crt
+
+# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
+# is not supported
+p u GoodsubCAPanyPolicyMapping1to2CACert.crt
+
+# fixme: gpgme does not fail for it.
+p f InvalidBadCRLIssuerNameTest5EE.crt
+
+p f InvalidBadCRLSignatureTest4EE.crt
+p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+
+f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+
+p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+
+f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+
+p f InvalidCASignatureTest2EE.crt
+
+p f InvalidCAnotAfterDateTest5EE.crt
+p f InvalidCAnotBeforeDateTest1EE.crt
+p f InvalidDNSnameConstraintsTest31EE.crt
+p f InvalidDNSnameConstraintsTest33EE.crt
+p f InvalidDNSnameConstraintsTest38EE.crt
+p f InvalidDNandRFC822nameConstraintsTest28EE.crt
+p f InvalidDNandRFC822nameConstraintsTest29EE.crt
+p f InvalidDNnameConstraintsTest10EE.crt
+p f InvalidDNnameConstraintsTest12EE.crt
+p f InvalidDNnameConstraintsTest13EE.crt
+p f InvalidDNnameConstraintsTest15EE.crt
+p f InvalidDNnameConstraintsTest16EE.crt
+p f InvalidDNnameConstraintsTest17EE.crt
+
+f f InvalidDNnameConstraintsTest20EE.crt
+
+p f InvalidDNnameConstraintsTest2EE.crt
+p f InvalidDNnameConstraintsTest3EE.crt
+p f InvalidDNnameConstraintsTest7EE.crt
+p f InvalidDNnameConstraintsTest8EE.crt
+p f InvalidDNnameConstraintsTest9EE.crt
+
+u u InvalidDSASignatureTest6EE.crt
+
+f f InvalidEESignatureTest3EE.crt
+
+p f InvalidEEnotAfterDateTest6EE.crt
+p f InvalidEEnotBeforeDateTest2EE.crt
+p f InvalidIDPwithindirectCRLTest23EE.crt
+p f InvalidIDPwithindirectCRLTest26EE.crt
+p f InvalidLongSerialNumberTest18EE.crt
+p f InvalidMappingFromanyPolicyTest7EE.crt
+p f InvalidMappingToanyPolicyTest8EE.crt
+p f InvalidMissingCRLTest1EE.crt
+p f InvalidMissingbasicConstraintsTest1EE.crt
+p f InvalidNameChainingOrderTest2EE.crt
+p f InvalidNameChainingTest1EE.crt
+p f InvalidNegativeSerialNumberTest15EE.crt
+p f InvalidOldCRLnextUpdateTest11EE.crt
+p f InvalidPolicyMappingTest10EE.crt
+p f InvalidPolicyMappingTest2EE.crt
+p f InvalidPolicyMappingTest4EE.crt
+p f InvalidRFC822nameConstraintsTest22EE.crt
+p f InvalidRFC822nameConstraintsTest24EE.crt
+p f InvalidRFC822nameConstraintsTest26EE.crt
+p f InvalidRevokedCATest2EE.crt
+p f InvalidRevokedEETest3EE.crt
+
+f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+
+p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+p f InvalidSelfIssuedpathLenConstraintTest16EE.crt
+p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+
+f f InvalidSeparateCertificateandCRLKeysTest20EE.crt
+f f InvalidSeparateCertificateandCRLKeysTest21EE.crt
+
+p f InvalidURInameConstraintsTest35EE.crt
+p f InvalidURInameConstraintsTest37EE.crt
+p f InvalidUnknownCRLEntryExtensionTest8EE.crt
+p f InvalidUnknownCRLExtensionTest10EE.crt
+p f InvalidUnknownCRLExtensionTest9EE.crt
+p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+p f InvalidWrongCRLTest6EE.crt
+p f InvalidcAFalseTest2EE.crt
+p f InvalidcAFalseTest3EE.crt
+p f InvalidcRLIssuerTest27EE.crt
+p f InvalidcRLIssuerTest31EE.crt
+p f InvalidcRLIssuerTest32EE.crt
+p f InvalidcRLIssuerTest34EE.crt
+p f InvalidcRLIssuerTest35EE.crt
+p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+p f InvaliddeltaCRLTest10EE.crt
+p f InvaliddeltaCRLTest3EE.crt
+p f InvaliddeltaCRLTest4EE.crt
+p f InvaliddeltaCRLTest6EE.crt
+p f InvaliddeltaCRLTest9EE.crt
+p f InvaliddistributionPointTest2EE.crt
+p f InvaliddistributionPointTest3EE.crt
+p f InvaliddistributionPointTest6EE.crt
+p f InvaliddistributionPointTest8EE.crt
+p f InvaliddistributionPointTest9EE.crt
+p f InvalidinhibitAnyPolicyTest1EE.crt
+p f InvalidinhibitAnyPolicyTest4EE.crt
+p f InvalidinhibitAnyPolicyTest5EE.crt
+p f InvalidinhibitAnyPolicyTest6EE.crt
+p f InvalidinhibitPolicyMappingTest1EE.crt
+p f InvalidinhibitPolicyMappingTest3EE.crt
+p f InvalidinhibitPolicyMappingTest5EE.crt
+p f InvalidinhibitPolicyMappingTest6EE.crt
+p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+p f InvalidonlyContainsAttributeCertsTest14EE.crt
+p f InvalidonlyContainsCACertsTest12EE.crt
+p f InvalidonlyContainsUserCertsTest11EE.crt
+p f InvalidonlySomeReasonsTest15EE.crt
+p f InvalidonlySomeReasonsTest16EE.crt
+p f InvalidonlySomeReasonsTest17EE.crt
+p f InvalidonlySomeReasonsTest20EE.crt
+p f InvalidonlySomeReasonsTest21EE.crt
+p f InvalidpathLenConstraintTest10EE.crt
+p f InvalidpathLenConstraintTest11EE.crt
+p f InvalidpathLenConstraintTest12EE.crt
+p f InvalidpathLenConstraintTest5EE.crt
+p f InvalidpathLenConstraintTest6EE.crt
+p f InvalidpathLenConstraintTest9EE.crt
+p f Invalidpre2000CRLnextUpdateTest12EE.crt
+p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+p f InvalidrequireExplicitPolicyTest3EE.crt
+p f InvalidrequireExplicitPolicyTest5EE.crt
+p p LongSerialNumberCACert.crt
+p p Mapping1to2CACert.crt
+p p MappingFromanyPolicyCACert.crt
+p p MappingToanyPolicyCACert.crt
+p p MissingbasicConstraintsCACert.crt
+p p NameOrderingCACert.crt
+p p NegativeSerialNumberCACert.crt
+p p NoCRLCACert.crt
+p p NoPoliciesCACert.crt
+p p NoissuingDistributionPointCACert.crt
+p p OldCRLnextUpdateCACert.crt
+p p OverlappingPoliciesTest6EE.crt
+p p P12Mapping1to3CACert.crt
+p p P12Mapping1to3subCACert.crt
+p p P12Mapping1to3subsubCACert.crt
+p p P1Mapping1to234CACert.crt
+p p P1Mapping1to234subCACert.crt
+p p P1anyPolicyMapping1to2CACert.crt
+p p PanyPolicyMapping1to2CACert.crt
+p p PoliciesP1234CACert.crt
+p p PoliciesP1234subCAP123Cert.crt
+p p PoliciesP1234subsubCAP123P12Cert.crt
+p p PoliciesP123CACert.crt
+p p PoliciesP123subCAP12Cert.crt
+p p PoliciesP123subsubCAP12P1Cert.crt
+p p PoliciesP123subsubCAP12P2Cert.crt
+p p PoliciesP123subsubsubCAP12P2P1Cert.crt
+p p PoliciesP12CACert.crt
+p p PoliciesP12subCAP1Cert.crt
+p p PoliciesP12subsubCAP1P2Cert.crt
+p p PoliciesP2subCA2Cert.crt
+p p PoliciesP2subCACert.crt
+p p PoliciesP3CACert.crt
+p p RFC3280MandatoryAttributeTypesCACert.crt
+p p RFC3280OptionalAttributeTypesCACert.crt
+p p RevokedsubCACert.crt
+p p RolloverfromPrintableStringtoUTF8StringCACert.crt
+p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
+p p SeparateCertificateandCRLKeysCRLSigningCert.crt
+p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+p p TwoCRLsCACert.crt
+p p UIDCACert.crt
+p p UTF8StringCaseInsensitiveMatchCACert.crt
+p p UTF8StringEncodedNamesCACert.crt
+p p UnknownCRLEntryExtensionCACert.crt
+p p UnknownCRLExtensionCACert.crt
+p p UserNoticeQualifierTest15EE.crt
+p p UserNoticeQualifierTest16EE.crt
+p p UserNoticeQualifierTest17EE.crt
+p p UserNoticeQualifierTest18EE.crt
+p p UserNoticeQualifierTest19EE.crt
+p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt
+
+p p ValidBasicSelfIssuedNewWithOldTest4EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt
+
+p p ValidCertificatePathTest1EE.crt
+p p ValidDNSnameConstraintsTest30EE.crt
+p p ValidDNSnameConstraintsTest32EE.crt
+p p ValidDNandRFC822nameConstraintsTest27EE.crt
+p p ValidDNnameConstraintsTest11EE.crt
+
+# This certificate has an empty subject sequence. Our parser does not
+# support this yet and it is unlikely that gpgsm will be able to cope
+# with it at all.
+u u ValidDNnameConstraintsTest14EE.crt
+
+p p ValidDNnameConstraintsTest18EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidDNnameConstraintsTest19EE.crt
+
+p p ValidDNnameConstraintsTest1EE.crt
+p p ValidDNnameConstraintsTest4EE.crt
+p p ValidDNnameConstraintsTest5EE.crt
+p p ValidDNnameConstraintsTest6EE.crt
+
+u p ValidDSAParameterInheritanceTest5EE.crt
+u p ValidDSASignaturesTest4EE.crt
+
+p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+p p ValidGeneralizedTimenotAfterDateTest8EE.crt
+p p ValidGeneralizedTimenotBeforeDateTest4EE.crt
+p p ValidIDPwithindirectCRLTest22EE.crt
+p p ValidIDPwithindirectCRLTest24EE.crt
+p p ValidIDPwithindirectCRLTest25EE.crt
+p p ValidLongSerialNumberTest16EE.crt
+p p ValidLongSerialNumberTest17EE.crt
+p p ValidNameChainingCapitalizationTest5EE.crt
+p p ValidNameChainingWhitespaceTest3EE.crt
+p p ValidNameChainingWhitespaceTest4EE.crt
+p p ValidNameUIDsTest6EE.crt
+p p ValidNegativeSerialNumberTest14EE.crt
+p p ValidNoissuingDistributionPointTest10EE.crt
+p p ValidPolicyMappingTest11EE.crt
+p p ValidPolicyMappingTest12EE.crt
+p p ValidPolicyMappingTest13EE.crt
+p p ValidPolicyMappingTest14EE.crt
+p p ValidPolicyMappingTest1EE.crt
+p p ValidPolicyMappingTest3EE.crt
+p p ValidPolicyMappingTest5EE.crt
+p p ValidPolicyMappingTest6EE.crt
+p p ValidPolicyMappingTest9EE.crt
+p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+p p ValidRFC3280OptionalAttributeTypesTest8EE.crt
+p p ValidRFC822nameConstraintsTest21EE.crt
+p p ValidRFC822nameConstraintsTest23EE.crt
+p p ValidRFC822nameConstraintsTest25EE.crt
+p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSelfIssuedpathLenConstraintTest15EE.crt
+
+p p ValidSelfIssuedpathLenConstraintTest17EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSeparateCertificateandCRLKeysTest19EE.crt
+
+p p ValidTwoCRLsTest7EE.crt
+p p ValidURInameConstraintsTest34EE.crt
+p p ValidURInameConstraintsTest36EE.crt
+p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+p p ValidUTF8StringEncodedNamesTest9EE.crt
+p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+p p ValidbasicConstraintsNotCriticalTest4EE.crt
+p p ValidcRLIssuerTest28EE.crt
+p p ValidcRLIssuerTest29EE.crt
+p p ValidcRLIssuerTest30EE.crt
+p p ValidcRLIssuerTest33EE.crt
+p p ValiddeltaCRLTest2EE.crt
+p p ValiddeltaCRLTest5EE.crt
+p p ValiddeltaCRLTest7EE.crt
+p p ValiddeltaCRLTest8EE.crt
+p p ValiddistributionPointTest1EE.crt
+p p ValiddistributionPointTest4EE.crt
+p p ValiddistributionPointTest5EE.crt
+p p ValiddistributionPointTest7EE.crt
+p p ValidinhibitAnyPolicyTest2EE.crt
+p p ValidinhibitPolicyMappingTest2EE.crt
+p p ValidinhibitPolicyMappingTest4EE.crt
+p p ValidkeyUsageNotCriticalTest3EE.crt
+p p ValidonlyContainsCACertsTest13EE.crt
+p p ValidonlySomeReasonsTest18EE.crt
+p p ValidonlySomeReasonsTest19EE.crt
+p p ValidpathLenConstraintTest13EE.crt
+p p ValidpathLenConstraintTest14EE.crt
+p p ValidpathLenConstraintTest7EE.crt
+p p ValidpathLenConstraintTest8EE.crt
+p p Validpre2000UTCnotBeforeDateTest3EE.crt
+p p ValidrequireExplicitPolicyTest1EE.crt
+p p ValidrequireExplicitPolicyTest2EE.crt
+p p ValidrequireExplicitPolicyTest4EE.crt
+p p WrongCRLCACert.crt
+p p anyPolicyCACert.crt
+p p basicConstraintsCriticalcAFalseCACert.crt
+p p basicConstraintsNotCriticalCACert.crt
+p p basicConstraintsNotCriticalcAFalseCACert.crt
+p p deltaCRLCA1Cert.crt
+p p deltaCRLCA2Cert.crt
+p p deltaCRLCA3Cert.crt
+p p deltaCRLIndicatorNoBaseCACert.crt
+p p distributionPoint1CACert.crt
+p p distributionPoint2CACert.crt
+p p indirectCRLCA1Cert.crt
+p p indirectCRLCA2Cert.crt
+p p indirectCRLCA3Cert.crt
+p p indirectCRLCA3cRLIssuerCert.crt
+p p indirectCRLCA4Cert.crt
+p p indirectCRLCA4cRLIssuerCert.crt
+p p indirectCRLCA5Cert.crt
+p p indirectCRLCA6Cert.crt
+p p inhibitAnyPolicy0CACert.crt
+p p inhibitAnyPolicy1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitAnyPolicy1SelfIssuedCACert.crt
+? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+
+p p inhibitAnyPolicy1subCA1Cert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitAnyPolicy1subCA2Cert.crt
+
+p p inhibitAnyPolicy1subCAIAP5Cert.crt
+p p inhibitAnyPolicy1subsubCA2Cert.crt
+p p inhibitAnyPolicy5CACert.crt
+p p inhibitAnyPolicy5subCACert.crt
+p p inhibitAnyPolicy5subsubCACert.crt
+p p inhibitAnyPolicyTest3EE.crt
+p p inhibitPolicyMapping0CACert.crt
+p p inhibitPolicyMapping0subCACert.crt
+p p inhibitPolicyMapping1P12CACert.crt
+p p inhibitPolicyMapping1P12subCACert.crt
+p p inhibitPolicyMapping1P12subCAIPM5Cert.crt
+p p inhibitPolicyMapping1P12subsubCACert.crt
+p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
+p p inhibitPolicyMapping1P1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt
+? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
+? ? inhibitPolicyMapping1P1subCACert.crt
+
+p p inhibitPolicyMapping1P1subsubCACert.crt
+p p inhibitPolicyMapping5CACert.crt
+p p inhibitPolicyMapping5subCACert.crt
+p p inhibitPolicyMapping5subsubCACert.crt
+p p inhibitPolicyMapping5subsubsubCACert.crt
+p p keyUsageCriticalcRLSignFalseCACert.crt
+p p keyUsageCriticalkeyCertSignFalseCACert.crt
+p p keyUsageNotCriticalCACert.crt
+p p keyUsageNotCriticalcRLSignFalseCACert.crt
+p p keyUsageNotCriticalkeyCertSignFalseCACert.crt
+p p nameConstraintsDN1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? nameConstraintsDN1SelfIssuedCACert.crt
+
+p p nameConstraintsDN1subCA1Cert.crt
+p p nameConstraintsDN1subCA2Cert.crt
+p p nameConstraintsDN1subCA3Cert.crt
+p p nameConstraintsDN2CACert.crt
+p p nameConstraintsDN3CACert.crt
+p p nameConstraintsDN3subCA1Cert.crt
+p p nameConstraintsDN3subCA2Cert.crt
+p p nameConstraintsDN4CACert.crt
+p p nameConstraintsDN5CACert.crt
+p p nameConstraintsDNS1CACert.crt
+p p nameConstraintsDNS2CACert.crt
+p p nameConstraintsRFC822CA1Cert.crt
+p p nameConstraintsRFC822CA2Cert.crt
+p p nameConstraintsRFC822CA3Cert.crt
+p p nameConstraintsURI1CACert.crt
+p p nameConstraintsURI2CACert.crt
+p p onlyContainsAttributeCertsCACert.crt
+p p onlyContainsCACertsCACert.crt
+p p onlyContainsUserCertsCACert.crt
+p p onlySomeReasonsCA1Cert.crt
+p p onlySomeReasonsCA2Cert.crt
+p p onlySomeReasonsCA3Cert.crt
+p p onlySomeReasonsCA4Cert.crt
+p p pathLenConstraint0CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? pathLenConstraint0SelfIssuedCACert.crt
+? ? pathLenConstraint0subCA2Cert.crt
+
+p p pathLenConstraint0subCACert.crt
+p p pathLenConstraint1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? pathLenConstraint1SelfIssuedCACert.crt
+? ? pathLenConstraint1SelfIssuedsubCACert.crt
+? ? pathLenConstraint1subCACert.crt
+
+p p pathLenConstraint6CACert.crt
+p p pathLenConstraint6subCA0Cert.crt
+p p pathLenConstraint6subCA1Cert.crt
+p p pathLenConstraint6subCA4Cert.crt
+p p pathLenConstraint6subsubCA00Cert.crt
+p p pathLenConstraint6subsubCA11Cert.crt
+p p pathLenConstraint6subsubCA41Cert.crt
+p p pathLenConstraint6subsubsubCA11XCert.crt
+p p pathLenConstraint6subsubsubCA41XCert.crt
+p p pre2000CRLnextUpdateCACert.crt
+p p requireExplicitPolicy0CACert.crt
+p p requireExplicitPolicy0subCACert.crt
+p p requireExplicitPolicy0subsubCACert.crt
+p p requireExplicitPolicy0subsubsubCACert.crt
+p p requireExplicitPolicy10CACert.crt
+p p requireExplicitPolicy10subCACert.crt
+p p requireExplicitPolicy10subsubCACert.crt
+p p requireExplicitPolicy10subsubsubCACert.crt
+p p requireExplicitPolicy2CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? requireExplicitPolicy2SelfIssuedCACert.crt
+? ? requireExplicitPolicy2SelfIssuedsubCACert.crt
+? ? requireExplicitPolicy2subCACert.crt
+
+p p requireExplicitPolicy4CACert.crt
+p p requireExplicitPolicy4subCACert.crt
+p p requireExplicitPolicy4subsubCACert.crt
+p p requireExplicitPolicy4subsubsubCACert.crt
+p p requireExplicitPolicy5CACert.crt
+p p requireExplicitPolicy5subCACert.crt
+p p requireExplicitPolicy5subsubCACert.crt
+p p requireExplicitPolicy5subsubsubCACert.crt
+p p requireExplicitPolicy7CACert.crt
+p p requireExplicitPolicy7subCARE2Cert.crt
+p p requireExplicitPolicy7subsubCARE2RE4Cert.crt
+p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
+
diff --git a/tests/pkits/inittests b/tests/pkits/inittests
new file mode 100755
index 000000000..6af16de03
--- /dev/null
+++ b/tests/pkits/inittests
@@ -0,0 +1,94 @@
+#!/bin/sh
+# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+set -e
+
+
+clean_files='
+ReadMe.txt pkits.ldif
+gpgsm.conf gpg-agent.conf trustlist.txt policies.txt pubring.kbx
+msg msg.sig msg.unsig
+'
+
+[ -z "$srcdir" ] && srcdir=.
+[ -z "$GPGSM" ] && GPGSM=../../sm/gpgsm
+
+if [ -f $srcdir/README ] \
+ && grep tests/pkits/README README >/dev/null 2>&1; then
+ :
+else
+ # During make distclean the Makefile has already been removed,
+ # so we need this extra test.
+ if ! grep gnupg-test-pkits-directory testdir.stamp >/dev/null 2>&1; then
+ echo "inittests: please cd to the tests/pkits directory first" >&2
+ exit 1
+ fi
+fi
+
+if [ "$1" = "--clean" ]; then
+ if [ -d private-keys-v1.d ]; then
+ rm private-keys-v1.d/* 2>/dev/null || true
+ rmdir private-keys-v1.d
+ fi
+ rm ${clean_files} testdir.stamp 2>/dev/null || true
+ for i in certs certpairs crls pkcs12 smime; do
+ if [ -d $i ]; then
+ rm $i/* 2>/dev/null || true
+ rmdir $i
+ fi
+ done
+ exit 0
+fi
+
+if [ "$GNUPGHOME" != "`pwd`" ]; then
+ echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+ exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+ echo "inittests: please unset GPG_AGENT_INFO" >&2
+ exit 1
+fi
+
+if ! bunzip2 -c PKITS_data.tar.bz2 | tar xf - ; then
+ echo "inittests: failed to untar the test data" >&2
+ exit 1
+fi
+
+
+# A stamp file used with --clean
+echo gnupg-test-pkits-directory > testdir.stamp
+
+
+# Create the configuration scripts
+cat > gpgsm.conf <<EOF
+no-secmem-warning
+no-greeting
+batch
+disable-crl-checks
+agent-program ../../agent/gpg-agent
+EOF
+
+# Fixme: we need to write a dummy pinentry program
+cat > gpg-agent.conf <<EOF
+no-grab
+EOF
+
+# Mark the root CA trusted
+cat > trustlist.txt <<EOF
+# /CN=Trust Anchor/O=Test Certificates/C=US
+66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF S
+EOF
+
+# Define the standard policies as NIST test-policy-1
+#cat >policies.txt <<EOF
+#2.16.840.1.101.3.2.1.48.1
+#EOF
diff --git a/tests/pkits/runtest b/tests/pkits/runtest
new file mode 100755
index 000000000..f054a3498
--- /dev/null
+++ b/tests/pkits/runtest
@@ -0,0 +1,4 @@
+#!/bin/sh
+[ -x "$1" ] && exec $1 $2
+exec sh $1 $2
+
diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs
new file mode 100755
index 000000000..f482fdb51
--- /dev/null
+++ b/tests/pkits/validate-all-certs
@@ -0,0 +1,55 @@
+#!/bin/sh
+# validate-all-certs -*- sh -*-
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+. ${srcdir:-.}/common.sh || exit 2
+
+while read dummy flag name; do
+ case $dummy in \#*) continue;; esac
+ [ -z "$dummy" ] && continue;
+
+ if ${GPGSM} -q --import --with-validation --disable-crl-checks \
+ certs/$name ; then
+ if [ "$flag" = 'p' ]; then
+ pass "validating certificate \`$name' succeeded"
+ elif [ "$flag" = 'f' ]; then
+ fail "validating certificate \`$name' succeeded"
+ elif [ "$flag" = '?' ]; then
+ unresolved "validating certificate \`$name' succeeded"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "validating certificate \`$name' succeeded"
+ else
+ info "validating certificate \`$name' succeeded - (flag=$flag)"
+ fi
+ else
+ if [ "$flag" = 'p' ]; then
+ fail "validating certificate \`$name' failed"
+ elif [ "$flag" = 'f' ]; then
+ pass "validating certificate \`$name' failed"
+ elif [ "$flag" = '?' ]; then
+ unresolved "validating certificate \`$name' failed"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "validating certificate \`$name' failed"
+ else
+ info "validating certificate \`$name' failed - (flag=$flag)"
+ fi
+ fi
+done < $srcdir/import-all-certs.data
+
+final_result