pkits-test.pl 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905
  1. #! /usr/bin/env perl
  2. # Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the OpenSSL license (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. # Perl utility to run PKITS tests for RFC3280 compliance.
  9. my $ossl_path;
  10. if ( -f "../apps/openssl" ) {
  11. $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
  12. }
  13. elsif ( -f "..\\out32dll\\openssl.exe" ) {
  14. $ossl_path = "..\\out32dll\\openssl.exe";
  15. }
  16. elsif ( -f "..\\out32\\openssl.exe" ) {
  17. $ossl_path = "..\\out32\\openssl.exe";
  18. }
  19. else {
  20. die "Can't find OpenSSL executable";
  21. }
  22. my $pkitsdir = "pkits/smime";
  23. my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
  24. die "Can't find PKITS test data" if !-d $pkitsdir;
  25. my $nist1 = "2.16.840.1.101.3.2.1.48.1";
  26. my $nist2 = "2.16.840.1.101.3.2.1.48.2";
  27. my $nist3 = "2.16.840.1.101.3.2.1.48.3";
  28. my $nist4 = "2.16.840.1.101.3.2.1.48.4";
  29. my $nist5 = "2.16.840.1.101.3.2.1.48.5";
  30. my $nist6 = "2.16.840.1.101.3.2.1.48.6";
  31. my $apolicy = "X509v3 Any Policy";
  32. # This table contains the chapter headings of the accompanying PKITS
  33. # document. They provide useful informational output and their names
  34. # can be converted into the filename to test.
  35. my @testlists = (
  36. [ "4.1", "Signature Verification" ],
  37. [ "4.1.1", "Valid Signatures Test1", 0 ],
  38. [ "4.1.2", "Invalid CA Signature Test2", 7 ],
  39. [ "4.1.3", "Invalid EE Signature Test3", 7 ],
  40. [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
  41. [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
  42. [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
  43. [ "4.2", "Validity Periods" ],
  44. [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
  45. [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
  46. [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
  47. [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
  48. [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
  49. [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
  50. [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
  51. [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
  52. [ "4.3", "Verifying Name Chaining" ],
  53. [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
  54. [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
  55. [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
  56. [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
  57. [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
  58. [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
  59. [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
  60. [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
  61. [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
  62. [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
  63. [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
  64. [ "4.4", "Basic Certificate Revocation Tests" ],
  65. [ "4.4.1", "Missing CRL Test1", 3 ],
  66. [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
  67. [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
  68. [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
  69. [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
  70. [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
  71. [ "4.4.7", "Valid Two CRLs Test7", 0 ],
  72. # The test document suggests these should return certificate revoked...
  73. # Subsequent discussion has concluded they should not due to unhandle
  74. # critical CRL extensions.
  75. [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
  76. [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
  77. [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
  78. [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
  79. [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
  80. [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
  81. [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
  82. [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
  83. [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
  84. [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
  85. [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
  86. [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
  87. [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
  88. # CRL path is revoked so get a CRL path validation error
  89. [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
  90. [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
  91. [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
  92. [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
  93. [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
  94. [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
  95. [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
  96. [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
  97. [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
  98. [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
  99. [ "4.6", "Verifying Basic Constraints" ],
  100. [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
  101. [ "4.6.2", "Invalid cA False Test2", 24 ],
  102. [ "4.6.3", "Invalid cA False Test3", 24 ],
  103. [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
  104. [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
  105. [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
  106. [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
  107. [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
  108. [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
  109. [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
  110. [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
  111. [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
  112. [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
  113. [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
  114. [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
  115. [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
  116. [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
  117. [ "4.7", "Key Usage" ],
  118. [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
  119. [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
  120. [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
  121. [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
  122. [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],
  123. # Certificate policy tests need special handling. They can have several
  124. # sub tests and we need to check the outputs are correct.
  125. [ "4.8", "Certificate Policies" ],
  126. [
  127. "4.8.1.1",
  128. "All Certificates Same Policy Test1",
  129. "-policy anyPolicy -explicit_policy",
  130. "True", $nist1, $nist1, 0
  131. ],
  132. [
  133. "4.8.1.2",
  134. "All Certificates Same Policy Test1",
  135. "-policy $nist1 -explicit_policy",
  136. "True", $nist1, $nist1, 0
  137. ],
  138. [
  139. "4.8.1.3",
  140. "All Certificates Same Policy Test1",
  141. "-policy $nist2 -explicit_policy",
  142. "True", $nist1, "<empty>", 43
  143. ],
  144. [
  145. "4.8.1.4",
  146. "All Certificates Same Policy Test1",
  147. "-policy $nist1 -policy $nist2 -explicit_policy",
  148. "True", $nist1, $nist1, 0
  149. ],
  150. [
  151. "4.8.2.1",
  152. "All Certificates No Policies Test2",
  153. "-policy anyPolicy",
  154. "False", "<empty>", "<empty>", 0
  155. ],
  156. [
  157. "4.8.2.2",
  158. "All Certificates No Policies Test2",
  159. "-policy anyPolicy -explicit_policy",
  160. "True", "<empty>", "<empty>", 43
  161. ],
  162. [
  163. "4.8.3.1",
  164. "Different Policies Test3",
  165. "-policy anyPolicy",
  166. "False", "<empty>", "<empty>", 0
  167. ],
  168. [
  169. "4.8.3.2",
  170. "Different Policies Test3",
  171. "-policy anyPolicy -explicit_policy",
  172. "True", "<empty>", "<empty>", 43
  173. ],
  174. [
  175. "4.8.3.3",
  176. "Different Policies Test3",
  177. "-policy $nist1 -policy $nist2 -explicit_policy",
  178. "True", "<empty>", "<empty>", 43
  179. ],
  180. [
  181. "4.8.4",
  182. "Different Policies Test4",
  183. "-policy anyPolicy",
  184. "True", "<empty>", "<empty>", 43
  185. ],
  186. [
  187. "4.8.5",
  188. "Different Policies Test5",
  189. "-policy anyPolicy",
  190. "True", "<empty>", "<empty>", 43
  191. ],
  192. [
  193. "4.8.6.1",
  194. "Overlapping Policies Test6",
  195. "-policy anyPolicy",
  196. "True", $nist1, $nist1, 0
  197. ],
  198. [
  199. "4.8.6.2",
  200. "Overlapping Policies Test6",
  201. "-policy $nist1",
  202. "True", $nist1, $nist1, 0
  203. ],
  204. [
  205. "4.8.6.3",
  206. "Overlapping Policies Test6",
  207. "-policy $nist2",
  208. "True", $nist1, "<empty>", 43
  209. ],
  210. [
  211. "4.8.7",
  212. "Different Policies Test7",
  213. "-policy anyPolicy",
  214. "True", "<empty>", "<empty>", 43
  215. ],
  216. [
  217. "4.8.8",
  218. "Different Policies Test8",
  219. "-policy anyPolicy",
  220. "True", "<empty>", "<empty>", 43
  221. ],
  222. [
  223. "4.8.9",
  224. "Different Policies Test9",
  225. "-policy anyPolicy",
  226. "True", "<empty>", "<empty>", 43
  227. ],
  228. [
  229. "4.8.10.1",
  230. "All Certificates Same Policies Test10",
  231. "-policy $nist1",
  232. "True", "$nist1:$nist2", "$nist1", 0
  233. ],
  234. [
  235. "4.8.10.2",
  236. "All Certificates Same Policies Test10",
  237. "-policy $nist2",
  238. "True", "$nist1:$nist2", "$nist2", 0
  239. ],
  240. [
  241. "4.8.10.3",
  242. "All Certificates Same Policies Test10",
  243. "-policy anyPolicy",
  244. "True", "$nist1:$nist2", "$nist1:$nist2", 0
  245. ],
  246. [
  247. "4.8.11.1",
  248. "All Certificates AnyPolicy Test11",
  249. "-policy anyPolicy",
  250. "True", "$apolicy", "$apolicy", 0
  251. ],
  252. [
  253. "4.8.11.2",
  254. "All Certificates AnyPolicy Test11",
  255. "-policy $nist1",
  256. "True", "$apolicy", "$nist1", 0
  257. ],
  258. [
  259. "4.8.12",
  260. "Different Policies Test12",
  261. "-policy anyPolicy",
  262. "True", "<empty>", "<empty>", 43
  263. ],
  264. [
  265. "4.8.13.1",
  266. "All Certificates Same Policies Test13",
  267. "-policy $nist1",
  268. "True", "$nist1:$nist2:$nist3", "$nist1", 0
  269. ],
  270. [
  271. "4.8.13.2",
  272. "All Certificates Same Policies Test13",
  273. "-policy $nist2",
  274. "True", "$nist1:$nist2:$nist3", "$nist2", 0
  275. ],
  276. [
  277. "4.8.13.3",
  278. "All Certificates Same Policies Test13",
  279. "-policy $nist3",
  280. "True", "$nist1:$nist2:$nist3", "$nist3", 0
  281. ],
  282. [
  283. "4.8.14.1", "AnyPolicy Test14",
  284. "-policy $nist1", "True",
  285. "$nist1", "$nist1",
  286. 0
  287. ],
  288. [
  289. "4.8.14.2", "AnyPolicy Test14",
  290. "-policy $nist2", "True",
  291. "$nist1", "<empty>",
  292. 43
  293. ],
  294. [
  295. "4.8.15",
  296. "User Notice Qualifier Test15",
  297. "-policy anyPolicy",
  298. "False", "$nist1", "$nist1", 0
  299. ],
  300. [
  301. "4.8.16",
  302. "User Notice Qualifier Test16",
  303. "-policy anyPolicy",
  304. "False", "$nist1", "$nist1", 0
  305. ],
  306. [
  307. "4.8.17",
  308. "User Notice Qualifier Test17",
  309. "-policy anyPolicy",
  310. "False", "$nist1", "$nist1", 0
  311. ],
  312. [
  313. "4.8.18.1",
  314. "User Notice Qualifier Test18",
  315. "-policy $nist1",
  316. "True", "$nist1:$nist2", "$nist1", 0
  317. ],
  318. [
  319. "4.8.18.2",
  320. "User Notice Qualifier Test18",
  321. "-policy $nist2",
  322. "True", "$nist1:$nist2", "$nist2", 0
  323. ],
  324. [
  325. "4.8.19",
  326. "User Notice Qualifier Test19",
  327. "-policy anyPolicy",
  328. "False", "$nist1", "$nist1", 0
  329. ],
  330. [
  331. "4.8.20",
  332. "CPS Pointer Qualifier Test20",
  333. "-policy anyPolicy -explicit_policy",
  334. "True", "$nist1", "$nist1", 0
  335. ],
  336. [ "4.9", "Require Explicit Policy" ],
  337. [
  338. "4.9.1",
  339. "Valid RequireExplicitPolicy Test1",
  340. "-policy anyPolicy",
  341. "False", "<empty>", "<empty>", 0
  342. ],
  343. [
  344. "4.9.2",
  345. "Valid RequireExplicitPolicy Test2",
  346. "-policy anyPolicy",
  347. "False", "<empty>", "<empty>", 0
  348. ],
  349. [
  350. "4.9.3",
  351. "Invalid RequireExplicitPolicy Test3",
  352. "-policy anyPolicy",
  353. "True", "<empty>", "<empty>", 43
  354. ],
  355. [
  356. "4.9.4",
  357. "Valid RequireExplicitPolicy Test4",
  358. "-policy anyPolicy",
  359. "True", "$nist1", "$nist1", 0
  360. ],
  361. [
  362. "4.9.5",
  363. "Invalid RequireExplicitPolicy Test5",
  364. "-policy anyPolicy",
  365. "True", "<empty>", "<empty>", 43
  366. ],
  367. [
  368. "4.9.6",
  369. "Valid Self-Issued requireExplicitPolicy Test6",
  370. "-policy anyPolicy",
  371. "False", "<empty>", "<empty>", 0
  372. ],
  373. [
  374. "4.9.7",
  375. "Invalid Self-Issued requireExplicitPolicy Test7",
  376. "-policy anyPolicy",
  377. "True", "<empty>", "<empty>", 43
  378. ],
  379. [
  380. "4.9.8",
  381. "Invalid Self-Issued requireExplicitPolicy Test8",
  382. "-policy anyPolicy",
  383. "True", "<empty>", "<empty>", 43
  384. ],
  385. [ "4.10", "Policy Mappings" ],
  386. [
  387. "4.10.1.1",
  388. "Valid Policy Mapping Test1",
  389. "-policy $nist1",
  390. "True", "$nist1", "$nist1", 0
  391. ],
  392. [
  393. "4.10.1.2",
  394. "Valid Policy Mapping Test1",
  395. "-policy $nist2",
  396. "True", "$nist1", "<empty>", 43
  397. ],
  398. [
  399. "4.10.1.3",
  400. "Valid Policy Mapping Test1",
  401. "-policy anyPolicy -inhibit_map",
  402. "True", "<empty>", "<empty>", 43
  403. ],
  404. [
  405. "4.10.2.1",
  406. "Invalid Policy Mapping Test2",
  407. "-policy anyPolicy",
  408. "True", "<empty>", "<empty>", 43
  409. ],
  410. [
  411. "4.10.2.2",
  412. "Invalid Policy Mapping Test2",
  413. "-policy anyPolicy -inhibit_map",
  414. "True", "<empty>", "<empty>", 43
  415. ],
  416. [
  417. "4.10.3.1",
  418. "Valid Policy Mapping Test3",
  419. "-policy $nist1",
  420. "True", "$nist2", "<empty>", 43
  421. ],
  422. [
  423. "4.10.3.2",
  424. "Valid Policy Mapping Test3",
  425. "-policy $nist2",
  426. "True", "$nist2", "$nist2", 0
  427. ],
  428. [
  429. "4.10.4",
  430. "Invalid Policy Mapping Test4",
  431. "-policy anyPolicy",
  432. "True", "<empty>", "<empty>", 43
  433. ],
  434. [
  435. "4.10.5.1",
  436. "Valid Policy Mapping Test5",
  437. "-policy $nist1",
  438. "True", "$nist1", "$nist1", 0
  439. ],
  440. [
  441. "4.10.5.2",
  442. "Valid Policy Mapping Test5",
  443. "-policy $nist6",
  444. "True", "$nist1", "<empty>", 43
  445. ],
  446. [
  447. "4.10.6.1",
  448. "Valid Policy Mapping Test6",
  449. "-policy $nist1",
  450. "True", "$nist1", "$nist1", 0
  451. ],
  452. [
  453. "4.10.6.2",
  454. "Valid Policy Mapping Test6",
  455. "-policy $nist6",
  456. "True", "$nist1", "<empty>", 43
  457. ],
  458. [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
  459. [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
  460. [
  461. "4.10.9",
  462. "Valid Policy Mapping Test9",
  463. "-policy anyPolicy",
  464. "True", "$nist1", "$nist1", 0
  465. ],
  466. [
  467. "4.10.10",
  468. "Invalid Policy Mapping Test10",
  469. "-policy anyPolicy",
  470. "True", "<empty>", "<empty>", 43
  471. ],
  472. [
  473. "4.10.11",
  474. "Valid Policy Mapping Test11",
  475. "-policy anyPolicy",
  476. "True", "$nist1", "$nist1", 0
  477. ],
  478. # TODO: check notice display
  479. [
  480. "4.10.12.1",
  481. "Valid Policy Mapping Test12",
  482. "-policy $nist1",
  483. "True", "$nist1:$nist2", "$nist1", 0
  484. ],
  485. # TODO: check notice display
  486. [
  487. "4.10.12.2",
  488. "Valid Policy Mapping Test12",
  489. "-policy $nist2",
  490. "True", "$nist1:$nist2", "$nist2", 0
  491. ],
  492. [
  493. "4.10.13",
  494. "Valid Policy Mapping Test13",
  495. "-policy anyPolicy",
  496. "True", "$nist1", "$nist1", 0
  497. ],
  498. # TODO: check notice display
  499. [
  500. "4.10.14",
  501. "Valid Policy Mapping Test14",
  502. "-policy anyPolicy",
  503. "True", "$nist1", "$nist1", 0
  504. ],
  505. [ "4.11", "Inhibit Policy Mapping" ],
  506. [
  507. "4.11.1",
  508. "Invalid inhibitPolicyMapping Test1",
  509. "-policy anyPolicy",
  510. "True", "<empty>", "<empty>", 43
  511. ],
  512. [
  513. "4.11.2",
  514. "Valid inhibitPolicyMapping Test2",
  515. "-policy anyPolicy",
  516. "True", "$nist1", "$nist1", 0
  517. ],
  518. [
  519. "4.11.3",
  520. "Invalid inhibitPolicyMapping Test3",
  521. "-policy anyPolicy",
  522. "True", "<empty>", "<empty>", 43
  523. ],
  524. [
  525. "4.11.4",
  526. "Valid inhibitPolicyMapping Test4",
  527. "-policy anyPolicy",
  528. "True", "$nist2", "$nist2", 0
  529. ],
  530. [
  531. "4.11.5",
  532. "Invalid inhibitPolicyMapping Test5",
  533. "-policy anyPolicy",
  534. "True", "<empty>", "<empty>", 43
  535. ],
  536. [
  537. "4.11.6",
  538. "Invalid inhibitPolicyMapping Test6",
  539. "-policy anyPolicy",
  540. "True", "<empty>", "<empty>", 43
  541. ],
  542. [
  543. "4.11.7",
  544. "Valid Self-Issued inhibitPolicyMapping Test7",
  545. "-policy anyPolicy",
  546. "True", "$nist1", "$nist1", 0
  547. ],
  548. [
  549. "4.11.8",
  550. "Invalid Self-Issued inhibitPolicyMapping Test8",
  551. "-policy anyPolicy",
  552. "True", "<empty>", "<empty>", 43
  553. ],
  554. [
  555. "4.11.9",
  556. "Invalid Self-Issued inhibitPolicyMapping Test9",
  557. "-policy anyPolicy",
  558. "True", "<empty>", "<empty>", 43
  559. ],
  560. [
  561. "4.11.10",
  562. "Invalid Self-Issued inhibitPolicyMapping Test10",
  563. "-policy anyPolicy",
  564. "True", "<empty>", "<empty>", 43
  565. ],
  566. [
  567. "4.11.11",
  568. "Invalid Self-Issued inhibitPolicyMapping Test11",
  569. "-policy anyPolicy",
  570. "True", "<empty>", "<empty>", 43
  571. ],
  572. [ "4.12", "Inhibit Any Policy" ],
  573. [
  574. "4.12.1",
  575. "Invalid inhibitAnyPolicy Test1",
  576. "-policy anyPolicy",
  577. "True", "<empty>", "<empty>", 43
  578. ],
  579. [
  580. "4.12.2",
  581. "Valid inhibitAnyPolicy Test2",
  582. "-policy anyPolicy",
  583. "True", "$nist1", "$nist1", 0
  584. ],
  585. [
  586. "4.12.3.1",
  587. "inhibitAnyPolicy Test3",
  588. "-policy anyPolicy",
  589. "True", "$nist1", "$nist1", 0
  590. ],
  591. [
  592. "4.12.3.2",
  593. "inhibitAnyPolicy Test3",
  594. "-policy anyPolicy -inhibit_any",
  595. "True", "<empty>", "<empty>", 43
  596. ],
  597. [
  598. "4.12.4",
  599. "Invalid inhibitAnyPolicy Test4",
  600. "-policy anyPolicy",
  601. "True", "<empty>", "<empty>", 43
  602. ],
  603. [
  604. "4.12.5",
  605. "Invalid inhibitAnyPolicy Test5",
  606. "-policy anyPolicy",
  607. "True", "<empty>", "<empty>", 43
  608. ],
  609. [
  610. "4.12.6",
  611. "Invalid inhibitAnyPolicy Test6",
  612. "-policy anyPolicy",
  613. "True", "<empty>", "<empty>", 43
  614. ],
  615. [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
  616. [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
  617. [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
  618. [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
  619. [ "4.13", "Name Constraints" ],
  620. [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
  621. [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
  622. [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
  623. [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
  624. [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
  625. [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
  626. [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
  627. [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
  628. [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
  629. [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
  630. [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
  631. [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
  632. [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
  633. [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
  634. [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
  635. [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
  636. [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
  637. [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
  638. [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
  639. [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
  640. [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
  641. [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
  642. [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
  643. [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
  644. [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
  645. [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
  646. [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
  647. [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
  648. [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
  649. [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
  650. [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
  651. [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
  652. [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
  653. [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
  654. [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
  655. [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
  656. [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
  657. [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
  658. [ "4.14", "Distribution Points" ],
  659. [ "4.14.1", "Valid distributionPoint Test1", 0 ],
  660. [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
  661. [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
  662. [ "4.14.4", "Valid distributionPoint Test4", 0 ],
  663. [ "4.14.5", "Valid distributionPoint Test5", 0 ],
  664. [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
  665. [ "4.14.7", "Valid distributionPoint Test7", 0 ],
  666. [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
  667. [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
  668. [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
  669. [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
  670. [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
  671. [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
  672. [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
  673. [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
  674. [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
  675. [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
  676. [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
  677. [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
  678. [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
  679. [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
  680. [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
  681. [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
  682. [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
  683. [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
  684. [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
  685. [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
  686. [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
  687. [ "4.14.29", "Valid cRLIssuer Test29", 0 ],
  688. # Although this test is valid it has a circular dependency. As a result
  689. # an attempt is made to recursively checks a CRL path and rejected due to
  690. # a CRL path validation error. PKITS notes suggest this test does not
  691. # need to be run due to this issue.
  692. [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
  693. [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
  694. [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
  695. [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
  696. [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
  697. [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
  698. [ "4.15", "Delta-CRLs" ],
  699. [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
  700. [ "4.15.2", "Valid delta-CRL Test2", 0 ],
  701. [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
  702. [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
  703. [ "4.15.5", "Valid delta-CRL Test5", 0 ],
  704. [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
  705. [ "4.15.7", "Valid delta-CRL Test7", 0 ],
  706. [ "4.15.8", "Valid delta-CRL Test8", 0 ],
  707. [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
  708. [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
  709. [ "4.16", "Private Certificate Extensions" ],
  710. [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
  711. [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
  712. );
  713. my $verbose = 1;
  714. my $numtest = 0;
  715. my $numfail = 0;
  716. my $ossl = "ossl/apps/openssl";
  717. my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
  718. $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
  719. # Check for expiry of trust anchor
  720. system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
  721. if ($? == 256)
  722. {
  723. print STDERR "WARNING: using older expired data\n";
  724. $ossl_cmd .= "-attime 1291940972 ";
  725. }
  726. $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
  727. system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
  728. die "Can't create trust anchor file" if $?;
  729. print "Running PKITS tests:\n" if $verbose;
  730. foreach (@testlists) {
  731. my $argnum = @$_;
  732. if ( $argnum == 2 ) {
  733. my ( $tnum, $title ) = @$_;
  734. print "$tnum $title\n" if $verbose;
  735. }
  736. elsif ( $argnum == 3 ) {
  737. my ( $tnum, $title, $exp_ret ) = @$_;
  738. my $filename = $title;
  739. $exp_ret += 32 if $exp_ret;
  740. $filename =~ tr/ -//d;
  741. $filename = "Signed${filename}.eml";
  742. if ( !-f "$pkitsdir/$filename" ) {
  743. print "\"$filename\" not found\n";
  744. }
  745. else {
  746. my $ret;
  747. my $test_fail = 0;
  748. my $errmsg = "";
  749. my $cmd = $ossl_cmd;
  750. $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
  751. my $cmdout = `$cmd`;
  752. $ret = $? >> 8;
  753. if ( $? & 0xff ) {
  754. $errmsg .= "Abnormal OpenSSL termination\n";
  755. $test_fail = 1;
  756. }
  757. if ( $exp_ret != $ret ) {
  758. $errmsg .= "Return code:$ret, ";
  759. $errmsg .= "expected $exp_ret\n";
  760. $test_fail = 1;
  761. }
  762. if ($test_fail) {
  763. print "$tnum $title : Failed!\n";
  764. print "Filename: $pkitsdir/$filename\n";
  765. print $errmsg;
  766. print "Command output:\n$cmdout\n";
  767. $numfail++;
  768. }
  769. $numtest++;
  770. }
  771. }
  772. elsif ( $argnum == 7 ) {
  773. my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
  774. = @$_;
  775. my $filename = $title;
  776. $exp_ret += 32 if $exp_ret;
  777. $filename =~ tr/ -//d;
  778. $filename = "Signed${filename}.eml";
  779. if ( !-f "$pkitsdir/$filename" ) {
  780. print "\"$filename\" not found\n";
  781. }
  782. else {
  783. my $ret;
  784. my $cmdout = "";
  785. my $errmsg = "";
  786. my $epol = "";
  787. my $aset = "";
  788. my $uset = "";
  789. my $pol = -1;
  790. my $test_fail = 0;
  791. my $cmd = $ossl_cmd;
  792. $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
  793. @oparr = `$cmd`;
  794. $ret = $? >> 8;
  795. if ( $? & 0xff ) {
  796. $errmsg .= "Abnormal OpenSSL termination\n";
  797. $test_fail = 1;
  798. }
  799. foreach (@oparr) {
  800. my $test_failed = 0;
  801. $cmdout .= $_;
  802. if (/^Require explicit Policy: (.*)$/) {
  803. $epol = $1;
  804. }
  805. if (/^Authority Policies/) {
  806. if (/empty/) {
  807. $aset = "<empty>";
  808. }
  809. else {
  810. $pol = 1;
  811. }
  812. }
  813. $test_fail = 1 if (/leak/i);
  814. if (/^User Policies/) {
  815. if (/empty/) {
  816. $uset = "<empty>";
  817. }
  818. else {
  819. $pol = 2;
  820. }
  821. }
  822. if (/\s+Policy: (.*)$/) {
  823. if ( $pol == 1 ) {
  824. $aset .= ":" if $aset ne "";
  825. $aset .= $1;
  826. }
  827. elsif ( $pol == 2 ) {
  828. $uset .= ":" if $uset ne "";
  829. $uset .= $1;
  830. }
  831. }
  832. }
  833. if ( $epol ne $exp_epol ) {
  834. $errmsg .= "Explicit policy:$epol, ";
  835. $errmsg .= "expected $exp_epol\n";
  836. $test_fail = 1;
  837. }
  838. if ( $aset ne $exp_aset ) {
  839. $errmsg .= "Authority policy set :$aset, ";
  840. $errmsg .= "expected $exp_aset\n";
  841. $test_fail = 1;
  842. }
  843. if ( $uset ne $exp_uset ) {
  844. $errmsg .= "User policy set :$uset, ";
  845. $errmsg .= "expected $exp_uset\n";
  846. $test_fail = 1;
  847. }
  848. if ( $exp_ret != $ret ) {
  849. print "Return code:$ret, expected $exp_ret\n";
  850. $test_fail = 1;
  851. }
  852. if ($test_fail) {
  853. print "$tnum $title : Failed!\n";
  854. print "Filename: $pkitsdir/$filename\n";
  855. print "Command output:\n$cmdout\n";
  856. $numfail++;
  857. }
  858. $numtest++;
  859. }
  860. }
  861. }
  862. if ($numfail) {
  863. print "$numfail tests failed out of $numtest\n";
  864. }
  865. else {
  866. print "All Tests Successful.\n";
  867. }
  868. unlink "pkitsta.pem";