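#! /usr/bin/env perl
# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Perl utility to run PKITS tests for RFC3280 compliance.
#
# Every row of @testlists is fed to "openssl cms -verify" against the
# matching PKITS S/MIME sample message.  The expected outcome is an X509
# verify error code (0 for a valid path); the certificate-policy chapters
# additionally compare the policy tree that "-policy_print" reports.

use strict;
use warnings;

# Locate the OpenSSL binary.  The first form runs it through shlib_wrap.sh
# so an uninstalled, freshly built libcrypto is picked up.
my $ossl_path;

if ( -f "../apps/openssl" ) {
    $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
}
elsif ( -f "..\\out32dll\\openssl.exe" ) {
    $ossl_path = "..\\out32dll\\openssl.exe";
}
elsif ( -f "..\\out32\\openssl.exe" ) {
    $ossl_path = "..\\out32\\openssl.exe";
}
else {
    die "Can't find OpenSSL executable";
}

# Location of the PKITS sample messages and of the DER-encoded trust anchor.
my $pkitsdir = "pkits/smime";
my $pkitsta  = "pkits/certs/TrustAnchorRootCertificate.crt";

die "Can't find PKITS test data" if !-d $pkitsdir;

# The test policy OIDs the PKITS data is built around (test policies 1-6).
my $nist1 = "2.16.840.1.101.3.2.1.48.1";
my $nist2 = "2.16.840.1.101.3.2.1.48.2";
my $nist3 = "2.16.840.1.101.3.2.1.48.3";
my $nist4 = "2.16.840.1.101.3.2.1.48.4";
my $nist5 = "2.16.840.1.101.3.2.1.48.5";
my $nist6 = "2.16.840.1.101.3.2.1.48.6";

# How anyPolicy is named in the -policy_print output we compare against.
my $apolicy = "X509v3 Any Policy";

# This table contains the chapter headings of the accompanying PKITS
# document.  They provide useful informational output and their names
# can be converted into the filename to test.
#
# Row layouts:
#   [ chapter, heading ]                  informational only, nothing is run
#   [ chapter, title, verify_err ]        run with "-policy anyPolicy" and
#                                         expect the status for verify_err
#   [ chapter, title, cms_args, explicit_policy, authority_set, user_set,
#     verify_err ]                        run with cms_args and also compare
#                                         the -policy_print output
# Policy sets are ":"-joined OIDs, or "<empty>".

my @testlists = (
    [ "4.1", "Signature Verification" ],
    [ "4.1.1", "Valid Signatures Test1", 0 ],
    [ "4.1.2", "Invalid CA Signature Test2", 7 ],
    [ "4.1.3", "Invalid EE Signature Test3", 7 ],
    [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
    [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
    [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
    [ "4.2", "Validity Periods" ],
    [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
    [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
    [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
    [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
    [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
    [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
    [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
    [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
    [ "4.3", "Verifying Name Chaining" ],
    [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
    [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
    [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
    [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
    [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
    [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
    [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
    [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
    [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
    [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
    [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
    [ "4.4", "Basic Certificate Revocation Tests" ],
    [ "4.4.1", "Missing CRL Test1", 3 ],
    [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
    [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
    [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
    [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
    [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
    [ "4.4.7", "Valid Two CRLs Test7", 0 ],

    # The test document suggests these should return certificate revoked...
    # Subsequent discussion has concluded they should not due to unhandled
    # critical CRL extensions.
    [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
    [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],

    [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
    [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
    [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
    [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
    [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
    [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
    [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
    [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
    [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
    [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
    [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],

    # CRL path is revoked so get a CRL path validation error
    [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
    [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
    [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
    [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
    [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
    [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
    [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
    [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
    [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
    [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
    [ "4.6", "Verifying Basic Constraints" ],
    [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
    [ "4.6.2", "Invalid cA False Test2", 24 ],
    [ "4.6.3", "Invalid cA False Test3", 24 ],
    [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
    [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
    [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
    [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
    [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
    [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
    [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
    [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
    [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
    [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
    [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
    [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
    [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
    [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
    [ "4.7", "Key Usage" ],
    [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
    [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
    [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
    [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
    [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],

    # Certificate policy tests need special handling.  They can have several
    # sub tests and we need to check the outputs are correct.

    [ "4.8", "Certificate Policies" ],
    [ "4.8.1.1", "All Certificates Same Policy Test1",
        "-policy anyPolicy -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.2", "All Certificates Same Policy Test1",
        "-policy $nist1 -explicit_policy", "True", $nist1, $nist1, 0 ],
    [ "4.8.1.3", "All Certificates Same Policy Test1",
        "-policy $nist2 -explicit_policy", "True", $nist1, "<empty>", 43 ],
    [ "4.8.1.4", "All Certificates Same Policy Test1",
        "-policy $nist1 -policy $nist2 -explicit_policy",
        "True", $nist1, $nist1, 0 ],
    [ "4.8.2.1", "All Certificates No Policies Test2",
        "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.2.2", "All Certificates No Policies Test2",
        "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.1", "Different Policies Test3",
        "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.8.3.2", "Different Policies Test3",
        "-policy anyPolicy -explicit_policy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.3.3", "Different Policies Test3",
        "-policy $nist1 -policy $nist2 -explicit_policy",
        "True", "<empty>", "<empty>", 43 ],

    [ "4.8.4", "Different Policies Test4",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.5", "Different Policies Test5",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.6.1", "Overlapping Policies Test6",
        "-policy anyPolicy", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.2", "Overlapping Policies Test6",
        "-policy $nist1", "True", $nist1, $nist1, 0 ],
    [ "4.8.6.3", "Overlapping Policies Test6",
        "-policy $nist2", "True", $nist1, "<empty>", 43 ],
    [ "4.8.7", "Different Policies Test7",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.8", "Different Policies Test8",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.9", "Different Policies Test9",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.10.1", "All Certificates Same Policies Test10",
        "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],
    [ "4.8.10.2", "All Certificates Same Policies Test10",
        "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.8.10.3", "All Certificates Same Policies Test10",
        "-policy anyPolicy", "True", "$nist1:$nist2", "$nist1:$nist2", 0 ],
    [ "4.8.11.1", "All Certificates AnyPolicy Test11",
        "-policy anyPolicy", "True", "$apolicy", "$apolicy", 0 ],
    [ "4.8.11.2", "All Certificates AnyPolicy Test11",
        "-policy $nist1", "True", "$apolicy", "$nist1", 0 ],
    [ "4.8.12", "Different Policies Test12",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.8.13.1", "All Certificates Same Policies Test13",
        "-policy $nist1", "True", "$nist1:$nist2:$nist3", "$nist1", 0 ],
    [ "4.8.13.2", "All Certificates Same Policies Test13",
        "-policy $nist2", "True", "$nist1:$nist2:$nist3", "$nist2", 0 ],
    [ "4.8.13.3", "All Certificates Same Policies Test13",
        "-policy $nist3", "True", "$nist1:$nist2:$nist3", "$nist3", 0 ],
    [ "4.8.14.1", "AnyPolicy Test14",
        "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.8.14.2", "AnyPolicy Test14",
        "-policy $nist2", "True", "$nist1", "<empty>", 43 ],
    [ "4.8.15", "User Notice Qualifier Test15",
        "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.16", "User Notice Qualifier Test16",
        "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.17", "User Notice Qualifier Test17",
        "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.18.1", "User Notice Qualifier Test18",
        "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],
    [ "4.8.18.2", "User Notice Qualifier Test18",
        "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.8.19", "User Notice Qualifier Test19",
        "-policy anyPolicy", "False", "$nist1", "$nist1", 0 ],
    [ "4.8.20", "CPS Pointer Qualifier Test20",
        "-policy anyPolicy -explicit_policy", "True", "$nist1", "$nist1", 0 ],
    [ "4.9", "Require Explicit Policy" ],
    [ "4.9.1", "Valid RequireExplicitPolicy Test1",
        "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.2", "Valid RequireExplicitPolicy Test2",
        "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.3", "Invalid RequireExplicitPolicy Test3",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.4", "Valid RequireExplicitPolicy Test4",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.9.5", "Invalid RequireExplicitPolicy Test5",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.6", "Valid Self-Issued requireExplicitPolicy Test6",
        "-policy anyPolicy", "False", "<empty>", "<empty>", 0 ],
    [ "4.9.7", "Invalid Self-Issued requireExplicitPolicy Test7",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.9.8", "Invalid Self-Issued requireExplicitPolicy Test8",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10", "Policy Mappings" ],
    [ "4.10.1.1", "Valid Policy Mapping Test1",
        "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.1.2", "Valid Policy Mapping Test1",
        "-policy $nist2", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.1.3", "Valid Policy Mapping Test1",
        "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.1", "Invalid Policy Mapping Test2",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.2.2", "Invalid Policy Mapping Test2",
        "-policy anyPolicy -inhibit_map", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.3.1", "Valid Policy Mapping Test3",
        "-policy $nist1", "True", "$nist2", "<empty>", 43 ],
    [ "4.10.3.2", "Valid Policy Mapping Test3",
        "-policy $nist2", "True", "$nist2", "$nist2", 0 ],
    [ "4.10.4", "Invalid Policy Mapping Test4",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.5.1", "Valid Policy Mapping Test5",
        "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.5.2", "Valid Policy Mapping Test5",
        "-policy $nist6", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.6.1", "Valid Policy Mapping Test6",
        "-policy $nist1", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.6.2", "Valid Policy Mapping Test6",
        "-policy $nist6", "True", "$nist1", "<empty>", 43 ],
    [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
    [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
    [ "4.10.9", "Valid Policy Mapping Test9",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.10.10", "Invalid Policy Mapping Test10",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.10.11", "Valid Policy Mapping Test11",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.12.1", "Valid Policy Mapping Test12",
        "-policy $nist1", "True", "$nist1:$nist2", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.12.2", "Valid Policy Mapping Test12",
        "-policy $nist2", "True", "$nist1:$nist2", "$nist2", 0 ],
    [ "4.10.13", "Valid Policy Mapping Test13",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],

    # TODO: check notice display
    [ "4.10.14", "Valid Policy Mapping Test14",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11", "Inhibit Policy Mapping" ],
    [ "4.11.1", "Invalid inhibitPolicyMapping Test1",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.2", "Valid inhibitPolicyMapping Test2",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11.3", "Invalid inhibitPolicyMapping Test3",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.4", "Valid inhibitPolicyMapping Test4",
        "-policy anyPolicy", "True", "$nist2", "$nist2", 0 ],
    [ "4.11.5", "Invalid inhibitPolicyMapping Test5",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.6", "Invalid inhibitPolicyMapping Test6",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.7", "Valid Self-Issued inhibitPolicyMapping Test7",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.11.8", "Invalid Self-Issued inhibitPolicyMapping Test8",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.9", "Invalid Self-Issued inhibitPolicyMapping Test9",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.10", "Invalid Self-Issued inhibitPolicyMapping Test10",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.11.11", "Invalid Self-Issued inhibitPolicyMapping Test11",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12", "Inhibit Any Policy" ],
    [ "4.12.1", "Invalid inhibitAnyPolicy Test1",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.2", "Valid inhibitAnyPolicy Test2",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.12.3.1", "inhibitAnyPolicy Test3",
        "-policy anyPolicy", "True", "$nist1", "$nist1", 0 ],
    [ "4.12.3.2", "inhibitAnyPolicy Test3",
        "-policy anyPolicy -inhibit_any", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.4", "Invalid inhibitAnyPolicy Test4",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.5", "Invalid inhibitAnyPolicy Test5",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.6", "Invalid inhibitAnyPolicy Test6",
        "-policy anyPolicy", "True", "<empty>", "<empty>", 43 ],
    [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
    [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
    [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
    [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
    [ "4.13", "Name Constraints" ],
    [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
    [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
    [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
    [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
    [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
    [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
    [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
    [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
    [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
    [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
    [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
    [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
    [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
    [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
    [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
    [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
    [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
    [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
    [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
    [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
    [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
    [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
    [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
    [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
    [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
    [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
    [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
    [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
    [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
    [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
    [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
    [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
    [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
    [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
    [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
    [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
    [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
    [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
    [ "4.14", "Distribution Points" ],
    [ "4.14.1", "Valid distributionPoint Test1", 0 ],
    [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
    [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
    [ "4.14.4", "Valid distributionPoint Test4", 0 ],
    [ "4.14.5", "Valid distributionPoint Test5", 0 ],
    [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
    [ "4.14.7", "Valid distributionPoint Test7", 0 ],
    [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
    [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
    [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
    [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
    [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
    [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
    [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
    [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
    [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
    [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
    [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
    [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
    [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
    [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
    [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
    [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
    [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
    [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
    [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
    [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
    [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
    [ "4.14.29", "Valid cRLIssuer Test29", 0 ],

    # Although this test is valid it has a circular dependency.  As a result
    # an attempt is made to recursively check a CRL path and rejected due to
    # a CRL path validation error.  PKITS notes suggest this test does not
    # need to be run due to this issue.
    [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
    [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
    [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
    [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
    [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
    [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
    [ "4.15", "Delta-CRLs" ],
    [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
    [ "4.15.2", "Valid delta-CRL Test2", 0 ],
    [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
    [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
    [ "4.15.5", "Valid delta-CRL Test5", 0 ],
    [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
    [ "4.15.7", "Valid delta-CRL Test7", 0 ],
    [ "4.15.8", "Valid delta-CRL Test8", 0 ],
    [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
    [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
    [ "4.16", "Private Certificate Extensions" ],
    [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
    [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
);

# Print chapter headings as they are reached.
my $verbose = 1;

my $numtest = 0;
my $numfail = 0;

# Common part of every verification command.  Every piece of it is a
# constant from this file (binary path, fixed options, table literals),
# which is why the shell/string form of system and backticks is acceptable
# here; the shlib_wrap.sh prefix and the 2>&1 redirect below also need the
# shell.  With -verify_retcode the cms app exits with 32 + the X509 verify
# error code when path validation fails, which is what the table encodes.
my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";

# Check for expiry of trust anchor.  "-checkend 0" exits 1 (wait status
# 256) when the certificate has already expired; the shipped PKITS data is
# old, so verification time is then pinned to a fixed instant
# (1291940972, i.e. 2010-12-10) at which the data was presumably valid.
system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
if ( $? == 256 ) {
    print STDERR "WARNING: using older expired data\n";
    $ossl_cmd .= "-attime 1291940972 ";
}

# Verification only: the signed content is discarded and stderr is merged
# into the captured output so OpenSSL's error text shows up in failure
# reports.  NOTE(review): /dev/null and 2>&1 presume a POSIX shell even
# for the out32 Windows binaries probed above -- confirm.
$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";

# cms -CAfile expects PEM; convert the DER trust anchor once up front.
system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";

die "Can't create trust anchor file" if $?;

# Map a PKITS test title to its S/MIME sample file: the PKITS data names
# each message "Signed<Title>.eml" with spaces and hyphens removed.
sub _filename_for {
    my ($title) = @_;
    ( my $stem = $title ) =~ tr/ -//d;
    return "Signed$stem.eml";
}

# Exit status the cms app is expected to report for an X509 verify error
# code from the table: 32 + the code (see -verify_retcode), or 0 for a
# valid path.
sub _expected_status {
    my ($verify_err) = @_;
    return $verify_err ? $verify_err + 32 : 0;
}

# Turn a child's wait status into failure text: abnormal termination (a
# non-zero low byte, i.e. signal or core dump) and/or an exit status that
# differs from the one expected for $exp_ret.  Returns "" when all is well.
sub _status_errors {
    my ( $status, $exp_ret ) = @_;
    my $want   = _expected_status($exp_ret);
    my $ret    = $status >> 8;
    my $errmsg = "";
    $errmsg .= "Abnormal OpenSSL termination\n" if $status & 0xff;
    $errmsg .= "Return code:$ret, expected $want\n" if $ret != $want;
    return $errmsg;
}

# Extract the policy summary from "cms ... -policy_print" output lines.
# Returns ( explicit_policy, authority_set, user_set, leak_seen ); the
# sets are ":"-joined OIDs, or "<empty>" when OpenSSL reports them empty.
# A line mentioning a leak anywhere in the merged output (presumably a
# debug-build memory leak report) is flagged so the test fails.
sub _parse_policy_output {
    my @lines = @_;
    my ( $epol, $aset, $uset ) = ( "", "", "" );
    my $leak = 0;
    my $pol  = -1;    # which set the following "Policy:" lines belong to
    for my $line (@lines) {
        if ( $line =~ /^Require explicit Policy: (.*)$/ ) {
            $epol = $1;
        }
        if ( $line =~ /^Authority Policies/ ) {
            if ( $line =~ /empty/ ) {
                $aset = "<empty>";
            }
            else {
                $pol = 1;
            }
        }
        $leak = 1 if $line =~ /leak/i;
        if ( $line =~ /^User Policies/ ) {
            if ( $line =~ /empty/ ) {
                $uset = "<empty>";
            }
            else {
                $pol = 2;
            }
        }
        if ( $line =~ /\s+Policy: (.*)$/ ) {
            if ( $pol == 1 ) {
                $aset .= ":" if $aset ne "";
                $aset .= $1;
            }
            elsif ( $pol == 2 ) {
                $uset .= ":" if $uset ne "";
                $uset .= $1;
            }
        }
    }
    return ( $epol, $aset, $uset, $leak );
}

# Run a 3-element table row: verify with "-policy anyPolicy" and compare
# the exit status only.  Returns ( errmsg, command_output ).
sub _check_simple {
    my ( $filename, $exp_ret ) = @_;
    my $cmd    = $ossl_cmd . "-in $pkitsdir/$filename -policy anyPolicy";
    my $cmdout = `$cmd`;
    my $errmsg = _status_errors( $?, $exp_ret );
    $cmdout = "" unless defined $cmdout;    # undef when the command fails to start
    return ( $errmsg, $cmdout );
}

# Run a 7-element table row: verify with the row's own cms arguments and
# compare the exit status plus the explicit-policy flag and both policy
# sets printed by -policy_print.  Returns ( errmsg, command_output ).
sub _check_policy {
    my ( $filename, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret ) = @_;
    my $cmd    = $ossl_cmd . "-in $pkitsdir/$filename $exargs -policy_print";
    my @oparr  = `$cmd`;
    my $errmsg = _status_errors( $?, $exp_ret );
    my ( $epol, $aset, $uset, $leak ) = _parse_policy_output(@oparr);
    $errmsg .= "Leak reported in command output\n" if $leak;
    $errmsg .= "Explicit policy:$epol, expected $exp_epol\n"
        if $epol ne $exp_epol;
    $errmsg .= "Authority policy set :$aset, expected $exp_aset\n"
        if $aset ne $exp_aset;
    $errmsg .= "User policy set :$uset, expected $exp_uset\n"
        if $uset ne $exp_uset;
    return ( $errmsg, join( "", @oparr ) );
}

# Print the failure report for one test: what failed, the sample file, the
# accumulated mismatch text and the full command output.
sub _report_failure {
    my ( $tnum, $title, $filename, $errmsg, $cmdout ) = @_;
    print "$tnum $title : Failed!\n";
    print "Filename: $pkitsdir/$filename\n";
    print $errmsg;
    print "Command output:\n$cmdout\n";
    return;
}

print "Running PKITS tests:\n" if $verbose;

for my $entry (@testlists) {
    my $argnum = scalar @$entry;
    if ( $argnum == 2 ) {
        # Chapter heading: informational only.
        my ( $tnum, $title ) = @$entry;
        print "$tnum $title\n" if $verbose;
        next;
    }
    if ( $argnum != 3 && $argnum != 7 ) {
        warn "Skipping malformed test entry: @$entry\n";
        next;
    }
    my ( $tnum, $title ) = @$entry;
    my $filename = _filename_for($title);
    if ( !-f "$pkitsdir/$filename" ) {
        # A missing sample file is reported but not counted as a failure.
        print "\"$filename\" not found\n";
        next;
    }
    my ( $errmsg, $cmdout );
    if ( $argnum == 3 ) {
        ( $errmsg, $cmdout ) = _check_simple( $filename, $entry->[2] );
    }
    else {
        ( $errmsg, $cmdout ) = _check_policy( $filename, @{$entry}[ 2 .. 6 ] );
    }
    if ( $errmsg ne "" ) {
        _report_failure( $tnum, $title, $filename, $errmsg, $cmdout );
        $numfail++;
    }
    $numtest++;
}

if ($numfail) {
    print "$numfail tests failed out of $numtest\n";
}
else {
    print "All Tests Successful.\n";
}

# NOTE(review): the exit status is 0 even when tests failed, and the
# temporary PEM anchor is left behind if the script dies earlier; callers
# currently have to rely on the summary line.
unlink "pkitsta.pem";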