1# test/pkits-test.pl 2# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3# project. 4# 5# ==================================================================== 6# Copyright (c) 2008 The OpenSSL Project. All rights reserved. 7# 8# Redistribution and use in source and binary forms, with or without 9# modification, are permitted provided that the following conditions 10# are met: 11# 12# 1. Redistributions of source code must retain the above copyright 13# notice, this list of conditions and the following disclaimer. 14# 15# 2. Redistributions in binary form must reproduce the above copyright 16# notice, this list of conditions and the following disclaimer in 17# the documentation and/or other materials provided with the 18# distribution. 19# 20# 3. All advertising materials mentioning features or use of this 21# software must display the following acknowledgment: 22# "This product includes software developed by the OpenSSL Project 23# for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24# 25# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26# endorse or promote products derived from this software without 27# prior written permission. For written permission, please contact 28# licensing@OpenSSL.org. 29# 30# 5. Products derived from this software may not be called "OpenSSL" 31# nor may "OpenSSL" appear in their names without prior written 32# permission of the OpenSSL Project. 33# 34# 6. Redistributions of any form whatsoever must retain the following 35# acknowledgment: 36# "This product includes software developed by the OpenSSL Project 37# for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38# 39# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42# PURPOSE ARE DISCLAIMED. 
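# IN NO EVENT SHALL THE OpenSSL PROJECT OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
# ====================================================================

# Perl utility to run PKITS tests for RFC3280 compliance.
#
# Every PKITS test is an S/MIME message under $pkitsdir whose signer
# certificate path is validated against the PKITS trust anchor with
# "openssl cms -verify".  With -verify_retcode the command exits with
# 32 + the X509_V_ERR_* code when path validation fails, so each table
# entry below records the verify error code it expects (0 = valid).
# Policy tests additionally compare the -policy_print output.

use strict;
use warnings;

my $ossl_path;

# Locate the freshly built openssl binary relative to the test directory.
# On Unix the shlib_wrap.sh wrapper makes the just-built shared libraries
# take precedence over any installed ones.
if ( -f "../apps/openssl" ) {
    $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
}
elsif ( -f "..\\out32dll\\openssl.exe" ) {
    $ossl_path = "..\\out32dll\\openssl.exe";
}
elsif ( -f "..\\out32\\openssl.exe" ) {
    $ossl_path = "..\\out32\\openssl.exe";
}
else {
    die "Can't find OpenSSL executable";
}

my $pkitsdir = "pkits/smime";
my $pkitsta  = "pkits/certs/TrustAnchorRootCertificate.crt";

die "Can't find PKITS test data" if !-d $pkitsdir;

# NIST test policy OIDs referenced by the certificate policy tests.
my $nist1 = "2.16.840.1.101.3.2.1.48.1";
my $nist2 = "2.16.840.1.101.3.2.1.48.2";
my $nist3 = "2.16.840.1.101.3.2.1.48.3";
my $nist4 = "2.16.840.1.101.3.2.1.48.4";
my $nist5 = "2.16.840.1.101.3.2.1.48.5";
my $nist6 = "2.16.840.1.101.3.2.1.48.6";

# How -policy_print names the anyPolicy OID.
my $apolicy = "X509v3 Any Policy";

# This table contains the chapter headings of the accompanying PKITS
# document.  They provide useful informational output and their names
# can be converted into the filename to test.
#
# Entry shapes:
#   [ section, heading ]
#       printed as a heading only
#   [ section, title, err ]
#       simple test; err is the expected X509_V_ERR_* code (0 = valid)
#   [ section, title, args, explicit, aset, uset, err ]
#       policy test; args are extra verify options, explicit/aset/uset
#       are the expected "Require explicit Policy", authority policy set
#       and user policy set from -policy_print (":"-joined, or "<empty>")

my @testlists = (
    [ "4.1",   "Signature Verification" ],
    [ "4.1.1", "Valid Signatures Test1",                  0 ],
    [ "4.1.2", "Invalid CA Signature Test2",              7 ],
    [ "4.1.3", "Invalid EE Signature Test3",              7 ],
    [ "4.1.4", "Valid DSA Signatures Test4",              0 ],
    [ "4.1.5", "Valid DSA Parameter Inheritance Test5",   0 ],
    [ "4.1.6", "Invalid DSA Signature Test6",             7 ],
    [ "4.2",   "Validity Periods" ],
    [ "4.2.1", "Invalid CA notBefore Date Test1",             9 ],
    [ "4.2.2", "Invalid EE notBefore Date Test2",             9 ],
    [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3",      0 ],
    [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4",  0 ],
    [ "4.2.5", "Invalid CA notAfter Date Test5",              10 ],
    [ "4.2.6", "Invalid EE notAfter Date Test6",              10 ],
    [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7",  10 ],
    [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8",   0 ],
    [ "4.3",   "Verifying Name Chaining" ],
    [ "4.3.1",  "Invalid Name Chaining EE Test1",                  20 ],
    [ "4.3.2",  "Invalid Name Chaining Order Test2",               20 ],
    [ "4.3.3",  "Valid Name Chaining Whitespace Test3",            0 ],
    [ "4.3.4",  "Valid Name Chaining Whitespace Test4",            0 ],
    [ "4.3.5",  "Valid Name Chaining Capitalization Test5",        0 ],
    [ "4.3.6",  "Valid Name Chaining UIDs Test6",                  0 ],
    [ "4.3.7",  "Valid RFC3280 Mandatory Attribute Types Test7",   0 ],
    [ "4.3.8",  "Valid RFC3280 Optional Attribute Types Test8",    0 ],
    [ "4.3.9",  "Valid UTF8String Encoded Names Test9",            0 ],
    [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
    [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11",  0 ],
    [ "4.4",   "Basic Certificate Revocation Tests" ],
    [ "4.4.1", "Missing CRL Test1",                 3 ],
    [ "4.4.2", "Invalid Revoked CA Test2",          23 ],
    [ "4.4.3", "Invalid Revoked EE Test3",          23 ],
    [ "4.4.4", "Invalid Bad CRL Signature Test4",   8 ],
    [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
    [ "4.4.6", "Invalid Wrong CRL Test6",           3 ],
    [ "4.4.7", "Valid Two CRLs Test7",              0 ],

    # The test document suggests these should return certificate revoked...
    # Subsequent discussion has concluded they should not, due to unhandled
    # critical CRL extensions.
    [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
    [ "4.4.9", "Invalid Unknown CRL Extension Test9",       36 ],

    [ "4.4.10", "Invalid Unknown CRL Extension Test10",             36 ],
    [ "4.4.11", "Invalid Old CRL nextUpdate Test11",                12 ],
    [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12",            12 ],
    [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13",      0 ],
    [ "4.4.14", "Valid Negative Serial Number Test14",              0 ],
    [ "4.4.15", "Invalid Negative Serial Number Test15",            23 ],
    [ "4.4.16", "Valid Long Serial Number Test16",                  0 ],
    [ "4.4.17", "Valid Long Serial Number Test17",                  0 ],
    [ "4.4.18", "Invalid Long Serial Number Test18",                23 ],
    [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19",   0 ],
    [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],

    # CRL path is revoked so get a CRL path validation error
    [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
    [ "4.5",   "Verifying Paths with Self-Issued Certificates" ],
    [ "4.5.1", "Valid Basic Self-Issued Old With New Test1",       0 ],
    [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2",     23 ],
    [ "4.5.3", "Valid Basic Self-Issued New With Old Test3",       0 ],
    [ "4.5.4", "Valid Basic Self-Issued New With Old Test4",       0 ],
    [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5",     23 ],
    [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6",    0 ],
    [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7",  23 ],
    [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8",  20 ],
    [ "4.6",   "Verifying Basic Constraints" ],
    [ "4.6.1",  "Invalid Missing basicConstraints Test1",        24 ],
    [ "4.6.2",  "Invalid cA False Test2",                        24 ],
    [ "4.6.3",  "Invalid cA False Test3",                        24 ],
    [ "4.6.4",  "Valid basicConstraints Not Critical Test4",     0 ],
    [ "4.6.5",  "Invalid pathLenConstraint Test5",               25 ],
    [ "4.6.6",  "Invalid pathLenConstraint Test6",               25 ],
    [ "4.6.7",  "Valid pathLenConstraint Test7",                 0 ],
    [ "4.6.8",  "Valid pathLenConstraint Test8",                 0 ],
    [ "4.6.9",  "Invalid pathLenConstraint Test9",               25 ],
    [ "4.6.10", "Invalid pathLenConstraint Test10",              25 ],
    [ "4.6.11", "Invalid pathLenConstraint Test11",              25 ],
    [ "4.6.12", "Invalid pathLenConstraint Test12",              25 ],
    [ "4.6.13", "Valid pathLenConstraint Test13",                0 ],
    [ "4.6.14", "Valid pathLenConstraint Test14",                0 ],
    [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15",    0 ],
    [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16",  25 ],
    [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17",    0 ],
    [ "4.7",   "Key Usage" ],
    [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1",     20 ],
    [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
    [ "4.7.3", "Valid keyUsage Not Critical Test3",                     0 ],
    [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4",         35 ],
    [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5",     35 ],

    # Certificate policy tests need special handling.  They can have several
    # sub tests and we need to check the outputs are correct.

    [ "4.8", "Certificate Policies" ],
    [ "4.8.1.1", "All Certificates Same Policy Test1",
      "-policy anyPolicy -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.2", "All Certificates Same Policy Test1",
      "-policy $nist1 -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.3", "All Certificates Same Policy Test1",
      "-policy $nist2 -explicit_policy", "True", $nist1, "<empty>", 43 ],
    [ "4.8.1.4", "All Certificates Same Policy Test1",
      "-policy $nist1 -policy $nist2 -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.2.1", "All Certificates No Policies Test2",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.2.2", "All Certificates No Policies Test2",
      "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.1", "Different Policies Test3",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.3.2", "Different Policies Test3",
      "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.3", "Different Policies Test3",
      "-policy $nist1 -policy $nist2 -explicit_policy", "True", "<empty>", "<empty>", 43 ],

    [ "4.8.4", "Different Policies Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.5", "Different Policies Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.6.1", "Overlapping Policies Test6",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.2", "Overlapping Policies Test6",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.3", "Overlapping Policies Test6",
      "-policy $nist2", "True", $nist1, "<empty>", 43 ],
    [ "4.8.7", "Different Policies Test7",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.8", "Different Policies Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.9", "Different Policies Test9",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.10.1", "All Certificates Same Policies Test10",
      "-policy $nist1", "True", "$nist1:$nist2", $nist1, 0 ],
    [ "4.8.10.2", "All Certificates Same Policies Test10",
      "-policy $nist2", "True", "$nist1:$nist2", $nist2, 0 ],
    [ "4.8.10.3", "All Certificates Same Policies Test10",
      "-policy anyPolicy", "True", "$nist1:$nist2", "$nist1:$nist2", 0 ],
    [ "4.8.11.1", "All Certificates AnyPolicy Test11",
      "-policy anyPolicy", "True", $apolicy, $apolicy, 0 ],
    [ "4.8.11.2", "All Certificates AnyPolicy Test11",
      "-policy $nist1", "True", $apolicy, $nist1, 0 ],
    [ "4.8.12", "Different Policies Test12",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.13.1", "All Certificates Same Policies Test13",
      "-policy $nist1", "True", "$nist1:$nist2:$nist3", $nist1, 0 ],
    [ "4.8.13.2", "All Certificates Same Policies Test13",
      "-policy $nist2", "True", "$nist1:$nist2:$nist3", $nist2, 0 ],
    [ "4.8.13.3", "All Certificates Same Policies Test13",
      "-policy $nist3", "True", "$nist1:$nist2:$nist3", $nist3, 0 ],
    [ "4.8.14.1", "AnyPolicy Test14",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.8.14.2", "AnyPolicy Test14",
      "-policy $nist2", "True", $nist1, "<empty>", 43 ],
    [ "4.8.15", "User Notice Qualifier Test15",
      "-policy anyPolicy", "False", $nist1, $nist1, 0 ],
    [ "4.8.16", "User Notice Qualifier Test16",
      "-policy anyPolicy", "False", $nist1, $nist1, 0 ],
    [ "4.8.17", "User Notice Qualifier Test17",
      "-policy anyPolicy", "False", $nist1, $nist1, 0 ],
    [ "4.8.18.1", "User Notice Qualifier Test18",
      "-policy $nist1", "True", "$nist1:$nist2", $nist1, 0 ],
    [ "4.8.18.2", "User Notice Qualifier Test18",
      "-policy $nist2", "True", "$nist1:$nist2", $nist2, 0 ],
    [ "4.8.19", "User Notice Qualifier Test19",
      "-policy anyPolicy", "False", $nist1, $nist1, 0 ],
    [ "4.8.20", "CPS Pointer Qualifier Test20",
      "-policy anyPolicy -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.9", "Require Explicit Policy" ],
    [ "4.9.1", "Valid RequireExplicitPolicy Test1",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.2", "Valid RequireExplicitPolicy Test2",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.3", "Invalid RequireExplicitPolicy Test3",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.4", "Valid RequireExplicitPolicy Test4",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.9.5", "Invalid RequireExplicitPolicy Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.6", "Valid Self-Issued requireExplicitPolicy Test6",
      "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.7", "Invalid Self-Issued requireExplicitPolicy Test7",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.8", "Invalid Self-Issued requireExplicitPolicy Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10", "Policy Mappings" ],
    [ "4.10.1.1", "Valid Policy Mapping Test1",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.10.1.2", "Valid Policy Mapping Test1",
      "-policy $nist2", "True", $nist1, "<empty>", 43 ],
    [ "4.10.1.3", "Valid Policy Mapping Test1",
      "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.1", "Invalid Policy Mapping Test2",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.2", "Invalid Policy Mapping Test2",
      "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.3.1", "Valid Policy Mapping Test3",
      "-policy $nist1", "True", $nist2, "<empty>", 43 ],
    [ "4.10.3.2", "Valid Policy Mapping Test3",
      "-policy $nist2", "True", $nist2, $nist2, 0 ],
    [ "4.10.4", "Invalid Policy Mapping Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.5.1", "Valid Policy Mapping Test5",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.10.5.2", "Valid Policy Mapping Test5",
      "-policy $nist6", "True", $nist1, "<empty>", 43 ],
    [ "4.10.6.1", "Valid Policy Mapping Test6",
      "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.10.6.2", "Valid Policy Mapping Test6",
      "-policy $nist6", "True", $nist1, "<empty>", 43 ],
    [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
    [ "4.10.8", "Invalid Mapping To anyPolicy Test8",   42 ],
    [ "4.10.9", "Valid Policy Mapping Test9",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.10.10", "Invalid Policy Mapping Test10",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.11", "Valid Policy Mapping Test11",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],

    # TODO: check notice display
    [ "4.10.12.1", "Valid Policy Mapping Test12",
      "-policy $nist1", "True", "$nist1:$nist2", $nist1, 0 ],

    # TODO: check notice display
    [ "4.10.12.2", "Valid Policy Mapping Test12",
      "-policy $nist2", "True", "$nist1:$nist2", $nist2, 0 ],
    [ "4.10.13", "Valid Policy Mapping Test13",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],

    # TODO: check notice display
    [ "4.10.14", "Valid Policy Mapping Test14",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.11", "Inhibit Policy Mapping" ],
    [ "4.11.1", "Invalid inhibitPolicyMapping Test1",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.2", "Valid inhibitPolicyMapping Test2",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.11.3", "Invalid inhibitPolicyMapping Test3",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.4", "Valid inhibitPolicyMapping Test4",
      "-policy anyPolicy", "True", $nist2, $nist2, 0 ],
    [ "4.11.5", "Invalid inhibitPolicyMapping Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.6", "Invalid inhibitPolicyMapping Test6",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.7", "Valid Self-Issued inhibitPolicyMapping Test7",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.11.8", "Invalid Self-Issued inhibitPolicyMapping Test8",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.9", "Invalid Self-Issued inhibitPolicyMapping Test9",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.10", "Invalid Self-Issued inhibitPolicyMapping Test10",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.11", "Invalid Self-Issued inhibitPolicyMapping Test11",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12", "Inhibit Any Policy" ],
    [ "4.12.1", "Invalid inhibitAnyPolicy Test1",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.2", "Valid inhibitAnyPolicy Test2",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.12.3.1", "inhibitAnyPolicy Test3",
      "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.12.3.2", "inhibitAnyPolicy Test3",
      "-policy anyPolicy -inhibit_any", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.4", "Invalid inhibitAnyPolicy Test4",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.5", "Invalid inhibitAnyPolicy Test5",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.6", "Invalid inhibitAnyPolicy Test6",
      "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.7",  "Valid Self-Issued inhibitAnyPolicy Test7",    0 ],
    [ "4.12.8",  "Invalid Self-Issued inhibitAnyPolicy Test8",  43 ],
    [ "4.12.9",  "Valid Self-Issued inhibitAnyPolicy Test9",    0 ],
    [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
    [ "4.13", "Name Constraints" ],
    [ "4.13.1",  "Valid DN nameConstraints Test1",                0 ],
    [ "4.13.2",  "Invalid DN nameConstraints Test2",              47 ],
    [ "4.13.3",  "Invalid DN nameConstraints Test3",              47 ],
    [ "4.13.4",  "Valid DN nameConstraints Test4",                0 ],
    [ "4.13.5",  "Valid DN nameConstraints Test5",                0 ],
    [ "4.13.6",  "Valid DN nameConstraints Test6",                0 ],
    [ "4.13.7",  "Invalid DN nameConstraints Test7",              48 ],
    [ "4.13.8",  "Invalid DN nameConstraints Test8",              48 ],
    [ "4.13.9",  "Invalid DN nameConstraints Test9",              48 ],
    [ "4.13.10", "Invalid DN nameConstraints Test10",             48 ],
    [ "4.13.11", "Valid DN nameConstraints Test11",               0 ],
    [ "4.13.12", "Invalid DN nameConstraints Test12",             47 ],
    [ "4.13.13", "Invalid DN nameConstraints Test13",             47 ],
    [ "4.13.14", "Valid DN nameConstraints Test14",               0 ],
    [ "4.13.15", "Invalid DN nameConstraints Test15",             48 ],
    [ "4.13.16", "Invalid DN nameConstraints Test16",             48 ],
    [ "4.13.17", "Invalid DN nameConstraints Test17",             48 ],
    [ "4.13.18", "Valid DN nameConstraints Test18",               0 ],
    [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19",   0 ],
    [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
    [ "4.13.21", "Valid RFC822 nameConstraints Test21",           0 ],
    [ "4.13.22", "Invalid RFC822 nameConstraints Test22",         47 ],
    [ "4.13.23", "Valid RFC822 nameConstraints Test23",           0 ],
    [ "4.13.24", "Invalid RFC822 nameConstraints Test24",         47 ],
    [ "4.13.25", "Valid RFC822 nameConstraints Test25",           0 ],
    [ "4.13.26", "Invalid RFC822 nameConstraints Test26",         48 ],
    [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27",    0 ],
    [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28",  47 ],
    [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29",  47 ],
    [ "4.13.30", "Valid DNS nameConstraints Test30",              0 ],
    [ "4.13.31", "Invalid DNS nameConstraints Test31",            47 ],
    [ "4.13.32", "Valid DNS nameConstraints Test32",              0 ],
    [ "4.13.33", "Invalid DNS nameConstraints Test33",            48 ],
    [ "4.13.34", "Valid URI nameConstraints Test34",              0 ],
    [ "4.13.35", "Invalid URI nameConstraints Test35",            47 ],
    [ "4.13.36", "Valid URI nameConstraints Test36",              0 ],
    [ "4.13.37", "Invalid URI nameConstraints Test37",            48 ],
    [ "4.13.38", "Invalid DNS nameConstraints Test38",            47 ],
    [ "4.14", "Distribution Points" ],
    [ "4.14.1",  "Valid distributionPoint Test1",                 0 ],
    [ "4.14.2",  "Invalid distributionPoint Test2",               23 ],
    [ "4.14.3",  "Invalid distributionPoint Test3",               44 ],
    [ "4.14.4",  "Valid distributionPoint Test4",                 0 ],
    [ "4.14.5",  "Valid distributionPoint Test5",                 0 ],
    [ "4.14.6",  "Invalid distributionPoint Test6",               23 ],
    [ "4.14.7",  "Valid distributionPoint Test7",                 0 ],
    [ "4.14.8",  "Invalid distributionPoint Test8",               44 ],
    [ "4.14.9",  "Invalid distributionPoint Test9",               44 ],
    [ "4.14.10", "Valid No issuingDistributionPoint Test10",      0 ],
    [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11",      44 ],
    [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12",        44 ],
    [ "4.14.13", "Valid onlyContainsCACerts CRL Test13",          0 ],
    [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14",     44 ],
    [ "4.14.15", "Invalid onlySomeReasons Test15",                23 ],
    [ "4.14.16", "Invalid onlySomeReasons Test16",                23 ],
    [ "4.14.17", "Invalid onlySomeReasons Test17",                3 ],
    [ "4.14.18", "Valid onlySomeReasons Test18",                  0 ],
    [ "4.14.19", "Valid onlySomeReasons Test19",                  0 ],
    [ "4.14.20", "Invalid onlySomeReasons Test20",                23 ],
    [ "4.14.21", "Invalid onlySomeReasons Test21",                23 ],
    [ "4.14.22", "Valid IDP with indirectCRL Test22",             0 ],
    [ "4.14.23", "Invalid IDP with indirectCRL Test23",           23 ],
    [ "4.14.24", "Valid IDP with indirectCRL Test24",             0 ],
    [ "4.14.25", "Valid IDP with indirectCRL Test25",             0 ],
    [ "4.14.26", "Invalid IDP with indirectCRL Test26",           44 ],
    [ "4.14.27", "Invalid cRLIssuer Test27",                      3 ],
    [ "4.14.28", "Valid cRLIssuer Test28",                        0 ],
    [ "4.14.29", "Valid cRLIssuer Test29",                        0 ],

    # Although this test is valid it has a circular dependency.  As a result
    # an attempt is made to recursively check a CRL path and it is rejected
    # due to a CRL path validation error.  PKITS notes suggest this test does
    # not need to be run due to this issue.
    [ "4.14.30", "Valid cRLIssuer Test30",   54 ],
    [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
    [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
    [ "4.14.33", "Valid cRLIssuer Test33",   0 ],
    [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
    [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
    [ "4.15", "Delta-CRLs" ],
    [ "4.15.1",  "Invalid deltaCRLIndicator No Base Test1", 3 ],
    [ "4.15.2",  "Valid delta-CRL Test2",                   0 ],
    [ "4.15.3",  "Invalid delta-CRL Test3",                 23 ],
    [ "4.15.4",  "Invalid delta-CRL Test4",                 23 ],
    [ "4.15.5",  "Valid delta-CRL Test5",                   0 ],
    [ "4.15.6",  "Invalid delta-CRL Test6",                 23 ],
    [ "4.15.7",  "Valid delta-CRL Test7",                   0 ],
    [ "4.15.8",  "Valid delta-CRL Test8",                   0 ],
    [ "4.15.9",  "Invalid delta-CRL Test9",                 23 ],
    [ "4.15.10", "Invalid delta-CRL Test10",                12 ],
    [ "4.16", "Private Certificate Extensions" ],
    [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
    [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2",   34 ],
);

my $verbose = 1;

my $numtest = 0;
my $numfail = 0;

# Base command line shared by every test.  -verify_retcode makes the exit
# status carry the verify error; -x509_strict and -crl_check_all apply the
# full path rules and CRL checks to every certificate in the chain, not
# just the leaf.
my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";

# Check for expiry of trust anchor.  "x509 -checkend 0" exits with status
# 1 (i.e. $? == 256) once the certificate has expired.  The PKITS data is
# a fixed snapshot, so when it has aged out the verification time is
# pinned to an instant at which the data set was valid; this is only
# sound because the inputs are test fixtures.
system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
if ( $? == 256 ) {
    print STDERR "WARNING: using older expired data\n";
    $ossl_cmd .= "-attime 1291940972 ";
}

# stderr is merged into stdout so that the -policy_print output and any
# diagnostic (including leak reports) are captured by the backticks below.
$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";

# -CAfile needs PEM, the PKITS anchor is DER.
system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";

die "Can't create trust anchor file" if $?;

# Map a PKITS test title to its S/MIME file name, e.g.
# "Valid Signatures Test1" -> "SignedValidSignaturesTest1.eml".
sub test_filename {
    my ($title) = @_;
    ( my $name = $title ) =~ tr/ -//d;
    return "Signed$name.eml";
}

# Expected exit status of "cms -verify -verify_retcode": 0 when the path
# is valid, otherwise 32 plus the X509_V_ERR_* code from the table.
sub expected_status {
    my ($err) = @_;
    return $err ? $err + 32 : 0;
}

# Run one verify command.  Returns (exit status, ref to output lines,
# error message).  A non-zero low byte of $? means OpenSSL did not exit
# normally (signal or core dump), which is always a test failure.
sub run_verify {
    my ($cmd) = @_;
    my @output = `$cmd`;
    my $status = $? >> 8;
    my $errmsg = ( $? & 0xff ) ? "Abnormal OpenSSL termination\n" : "";
    return ( $status, \@output, $errmsg );
}

# Parse -policy_print output into (explicit-policy flag, authority policy
# set, user policy set, leak flag).  A policy set is "<empty>" when
# OpenSSL reports it as empty, otherwise the ":"-joined OIDs in output
# order.  Any line mentioning a leak (case-insensitive) sets the leak flag.
sub parse_policy_output {
    my @lines = @_;
    my $epol  = "";
    my $aset  = "";
    my $uset  = "";
    my $leak  = 0;
    my $set   = -1;    # 1 while inside "Authority Policies", 2 inside "User Policies"
    for my $line (@lines) {
        if ( $line =~ /^Require explicit Policy: (.*)$/ ) {
            $epol = $1;
        }
        if ( $line =~ /^Authority Policies/ ) {
            if   ( $line =~ /empty/ ) { $aset = "<empty>"; }
            else                      { $set  = 1; }
        }
        $leak = 1 if $line =~ /leak/i;
        if ( $line =~ /^User Policies/ ) {
            if   ( $line =~ /empty/ ) { $uset = "<empty>"; }
            else                      { $set  = 2; }
        }
        if ( $line =~ /\s+Policy: (.*)$/ ) {
            if ( $set == 1 ) {
                $aset .= ":" if $aset ne "";
                $aset .= $1;
            }
            elsif ( $set == 2 ) {
                $uset .= ":" if $uset ne "";
                $uset .= $1;
            }
        }
    }
    return ( $epol, $aset, $uset, $leak );
}

print "Running PKITS tests:\n" if $verbose;

for my $test (@testlists) {
    my $argnum = @$test;
    if ( $argnum == 2 ) {
        my ( $tnum, $title ) = @$test;
        print "$tnum $title\n" if $verbose;
    }
    elsif ( $argnum == 3 ) {
        my ( $tnum, $title, $exp_ret ) = @$test;
        my $filename = test_filename($title);
        $exp_ret = expected_status($exp_ret);
        if ( !-f "$pkitsdir/$filename" ) {
            print "\"$filename\" not found\n";
            next;
        }
        my $cmd = $ossl_cmd . "-in $pkitsdir/$filename -policy anyPolicy";
        my ( $ret, $output, $errmsg ) = run_verify($cmd);
        my $test_fail = $errmsg ne "";
        if ( $exp_ret != $ret ) {
            $errmsg .= "Return code:$ret, expected $exp_ret\n";
            $test_fail = 1;
        }
        if ($test_fail) {
            print "$tnum $title : Failed!\n";
            print "Filename: $pkitsdir/$filename\n";
            print $errmsg;
            print "Command output:\n", join( "", @$output ), "\n";
            $numfail++;
        }
        $numtest++;
    }
    elsif ( $argnum == 7 ) {
        my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
            = @$test;
        my $filename = test_filename($title);
        $exp_ret = expected_status($exp_ret);
        if ( !-f "$pkitsdir/$filename" ) {
            print "\"$filename\" not found\n";
            next;
        }
        my $cmd = $ossl_cmd . "-in $pkitsdir/$filename $exargs -policy_print";
        my ( $ret, $output, $errmsg ) = run_verify($cmd);
        my $test_fail = $errmsg ne "";
        my ( $epol, $aset, $uset, $leak ) = parse_policy_output(@$output);

        if ($leak) {
            $errmsg .= "Leak reported in command output\n";
            $test_fail = 1;
        }
        if ( $epol ne $exp_epol ) {
            $errmsg .= "Explicit policy:$epol, expected $exp_epol\n";
            $test_fail = 1;
        }
        if ( $aset ne $exp_aset ) {
            $errmsg .= "Authority policy set :$aset, expected $exp_aset\n";
            $test_fail = 1;
        }
        if ( $uset ne $exp_uset ) {
            $errmsg .= "User policy set :$uset, expected $exp_uset\n";
            $test_fail = 1;
        }
        if ( $exp_ret != $ret ) {
            $errmsg .= "Return code:$ret, expected $exp_ret\n";
            $test_fail = 1;
        }

        if ($test_fail) {
            print "$tnum $title : Failed!\n";
            print "Filename: $pkitsdir/$filename\n";
            # Previously built but never printed, which hid the reason a
            # policy test failed.
            print $errmsg;
            print "Command output:\n", join( "", @$output ), "\n";
            $numfail++;
        }
        $numtest++;
    }
    else {
        # A malformed table entry would otherwise be skipped silently and
        # the test it describes never run.
        die "Malformed test entry $test->[0]: $argnum elements";
    }
}

if ($numfail) {
    print "$numfail tests failed out of $numtest\n";
}
else {
    print "All Tests Successful.\n";
}

unlink "pkitsta.pem";

# Report failures through the exit status so a driver (make, CI) notices.
exit( $numfail ? 1 : 0 );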